1 | /* $Id: RTCrStoreCreateSnapshotById-darwin.cpp 57582 2015-08-29 00:19:37Z vboxsync $ */
2 | /** @file
3 | * IPRT - RTCrStoreCreateSnapshotById, Darwin.
4 | */
5 |
6 | /*
7 | * Copyright (C) 2006-2015 Oracle Corporation
8 | *
9 | * This file is part of VirtualBox Open Source Edition (OSE), as
10 | * available from http://www.virtualbox.org. This file is free software;
11 | * you can redistribute it and/or modify it under the terms of the GNU
12 | * General Public License (GPL) as published by the Free Software
13 | * Foundation, in version 2 as it comes in the "COPYING" file of the
14 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 | *
17 | * The contents of this file may alternatively be used under the terms
18 | * of the Common Development and Distribution License Version 1.0
19 | * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 | * VirtualBox OSE distribution, in which case the provisions of the
21 | * CDDL are applicable instead of those of the GPL.
22 | *
23 | * You may elect to license modified versions of this file under the
24 | * terms and conditions of either the GPL or the CDDL or both.
25 | */
26 |
27 |
28 | /*********************************************************************************************************************************
29 | * Header Files *
30 | *********************************************************************************************************************************/
31 | #include <iprt/crypto/store.h>
32 | #include "internal/iprt.h"
33 |
34 | #include <iprt/assert.h>
35 | #include <iprt/err.h>
36 | #include <iprt/file.h>
37 |
38 | /* HACK ALERT! Shut up those deprecated messages on SecKeychainSearchCreateFromAttributes and SecKeychainSearchCopyNext. */
39 | #include <CoreFoundation/CoreFoundation.h>
42 |
43 | #include <Security/Security.h>
44 |
45 |
46 | /**
47 | * Checks the trust settings of the certificate.
48 | *
49 | * @returns true if not out-right distructed, otherwise false.
50 | * @param hCert The certificate.
51 | * @param enmTrustDomain The trust settings domain to check relative to.
52 | */
53 | static bool rtCrStoreIsDarwinCertTrustworthy(SecCertificateRef hCert, SecTrustSettingsDomain enmTrustDomain)
54 | {
55 | bool fResult = true;
56 | CFArrayRef hTrustSettings;
57 | OSStatus orc = SecTrustSettingsCopyTrustSettings(hCert, enmTrustDomain, &hTrustSettings);
58 | if (orc == noErr)
59 | {
60 | CFIndex const cTrustSettings = CFArrayGetCount(hTrustSettings);
61 | for (CFIndex i = 0; i < cTrustSettings; i++)
62 | {
63 | CFDictionaryRef hDict = (CFDictionaryRef)CFArrayGetValueAtIndex(hTrustSettings, i);
64 | AssertStmt(CFGetTypeID(hDict) == CFDictionaryGetTypeID(), continue);
65 |
66 | CFNumberRef hNum = (CFNumberRef)CFDictionaryGetValue(hDict, kSecTrustSettingsResult);
67 | if (hNum)
68 | {
69 | AssertStmt(CFGetTypeID(hNum) == CFNumberGetTypeID(), continue);
70 | SInt32 iNum;
71 | if (CFNumberGetValue(hNum, kCFNumberSInt32Type, &iNum))
72 | {
73 | if (iNum == kSecTrustSettingsResultDeny)
74 | {
75 | fResult = false;
76 | break;
77 | }
78 | }
79 | /* No need to release hNum (get rule). */
80 | }
81 | /* No need to release hDict (get rule). */
82 | }
83 | CFRelease(hTrustSettings);
84 | }
85 | else if (orc != errSecItemNotFound)
86 | {
87 | AssertFailed();
88 | fResult = false;
89 | }
90 | return fResult;
91 | }
92 |
93 |
94 | static int rtCrStoreAddCertsFromNativeKeychain(RTCRSTORE hStore, SecKeychainRef hKeychain, SecTrustSettingsDomain enmTrustDomain,
95 | int rc, PRTERRINFO pErrInfo)
96 | {
97 | /*
98 | * Enumerate the certificates in the keychain.
99 | */
100 | SecKeychainSearchRef hSearch;
101 | OSStatus orc = SecKeychainSearchCreateFromAttributes(hKeychain, kSecCertificateItemClass, NULL, &hSearch);
102 | if (orc == noErr)
103 | {
104 | SecKeychainItemRef hItem;
105 | while ((orc = SecKeychainSearchCopyNext(hSearch, &hItem)) == noErr)
106 | {
107 | Assert(CFGetTypeID(hItem) == SecCertificateGetTypeID());
108 | SecCertificateRef hCert = (SecCertificateRef)hItem;
109 |
110 | /*
111 | * Check if the current certificate is at all trusted, skip it if it's isn't.
112 | */
113 | if (rtCrStoreIsDarwinCertTrustworthy(hCert, enmTrustDomain))
114 | {
115 | /*
116 | * Get the certificate data.
117 | */
118 | CFDataRef hEncodedCert = SecCertificateCopyData(hCert);
119 | Assert(hEncodedCert);
120 | if (hEncodedCert)
121 | {
122 | CFIndex cbEncoded = CFDataGetLength(hEncodedCert);
123 | const uint8_t *pbEncoded = CFDataGetBytePtr(hEncodedCert);
124 |
125 | RTERRINFOSTATIC StaticErrInfo;
126 | int rc2 = RTCrStoreCertAddEncoded(hStore, RTCRCERTCTX_F_ENC_X509_DER | RTCRCERTCTX_F_ADD_IF_NOT_FOUND,
127 | pbEncoded, cbEncoded, RTErrInfoInitStatic(&StaticErrInfo));
128 | if (RT_FAILURE(rc2))
129 | {
130 | if (RTErrInfoIsSet(&StaticErrInfo.Core))
131 | RTErrInfoAddF(pErrInfo, -rc2, " %s", StaticErrInfo.Core.pszMsg);
132 | else
133 | RTErrInfoAddF(pErrInfo, -rc2, " %Rrc adding cert", rc2);
134 | rc = -rc2;
135 | }
136 |
137 | CFRelease(hEncodedCert);
138 | }
139 | }
140 |
141 | CFRelease(hItem);
142 | }
143 | if (orc != errSecItemNotFound)
144 | rc = RTErrInfoAddF(pErrInfo, -VERR_SEARCH_ERROR,
145 | " SecKeychainSearchCopyNext failed with %#x", orc);
146 | CFRelease(hSearch);
147 | }
148 | else
149 | rc = RTErrInfoAddF(pErrInfo, -VERR_SEARCH_ERROR,
150 | " SecKeychainSearchCreateFromAttributes failed with %#x", orc);
151 | return rc;
152 | }
153 |
154 |
155 | static int rtCrStoreAddCertsFromNativeKeychainFile(RTCRSTORE hStore, const char *pszKeychain,
156 | SecTrustSettingsDomain enmTrustDomain,
157 | int rc, PRTERRINFO pErrInfo)
158 | {
159 | /*
160 | * Open the keychain and call common worker to do the job.
161 | */
162 | SecKeychainRef hKeychain;
163 | OSStatus orc = SecKeychainOpen(pszKeychain, &hKeychain);
164 | if (orc == noErr)
165 | {
166 | rc = rtCrStoreAddCertsFromNativeKeychain(hStore, hKeychain, enmTrustDomain, rc, pErrInfo);
167 |
168 | CFRelease(hKeychain);
169 | }
170 | else if (RTFileExists(pszKeychain))
171 | rc = RTErrInfoAddF(pErrInfo, -VERR_OPEN_FAILED, " SecKeychainOpen failed with %#x on '%s'", orc, pszKeychain);
172 | return rc;
173 | }
174 |
175 |
176 | static int rtCrStoreAddCertsFromNativeKeystoreDomain(RTCRSTORE hStore, SecPreferencesDomain enmDomain,
177 | SecTrustSettingsDomain enmTrustDomain,
178 | int rc, PRTERRINFO pErrInfo)
179 | {
180 | /*
181 | * Get a list of keystores for this domain and call common worker on each.
182 | */
183 | CFArrayRef hKeychains;
184 | OSStatus orc = SecKeychainCopyDomainSearchList(enmDomain, &hKeychains);
185 | if (orc == noErr)
186 | {
187 | CFIndex const cEntries = CFArrayGetCount(hKeychains);
188 | for (CFIndex i = 0; i < cEntries; i++)
189 | {
190 | SecKeychainRef hKeychain = (SecKeychainRef)CFArrayGetValueAtIndex(hKeychains, i);
191 | Assert(CFGetTypeID(hKeychain) == SecKeychainGetTypeID());
192 | CFRetain(hKeychain);
193 |
194 | rc = rtCrStoreAddCertsFromNativeKeychain(hStore, hKeychain, enmTrustDomain, rc, pErrInfo);
195 |
196 | CFRelease(hKeychain);
197 | }
198 |
199 | CFRelease(hKeychains);
200 | }
201 | else
202 | rc = RTErrInfoAddF(pErrInfo, -VERR_SEARCH_ERROR,
203 | " SecKeychainCopyDomainSearchList failed with %#x on %d", orc, enmDomain);
204 | return rc;
205 | }
206 |
207 |
208 | RTDECL(int) RTCrStoreCreateSnapshotById(PRTCRSTORE phStore, RTCRSTOREID enmStoreId, PRTERRINFO pErrInfo)
209 | {
211 |
212 | /*
213 | * Create an empty in-memory store.
214 | */
215 | RTCRSTORE hStore;
216 | int rc = RTCrStoreCreateInMem(&hStore, 128);
217 | if (RT_SUCCESS(rc))
218 | {
219 | *phStore = hStore;
220 |
221 | /*
222 | * Load the certificates corresponding to the given virtual store ID.
223 | */
224 | switch (enmStoreId)
225 | {
227 | rc = rtCrStoreAddCertsFromNativeKeystoreDomain(hStore, kSecPreferencesDomainUser,
228 | kSecTrustSettingsDomainUser, rc, pErrInfo);
229 | break;
230 |
232 | rc = rtCrStoreAddCertsFromNativeKeystoreDomain(hStore, kSecPreferencesDomainSystem,
233 | kSecTrustSettingsDomainSystem, rc, pErrInfo);
234 | rc = rtCrStoreAddCertsFromNativeKeychainFile(hStore,
235 | "/System/Library/Keychains/SystemRootCertificates.keychain",
236 | kSecTrustSettingsDomainSystem, rc, pErrInfo);
237 | break;
238 |
239 | default:
240 | AssertFailed(); /* implement me */
241 | }
242 | }
243 | else
244 | RTErrInfoSet(pErrInfo, rc, "RTCrStoreCreateInMem failed");
245 | return rc;
246 | }
247 | RT_EXPORT_SYMBOL(RTCrStoreCreateSnapshotById);
248 |
249 |