VirtualBox

source: vbox/trunk/src/VBox/Runtime/r3/darwin/RTCrStoreCreateSnapshotById-darwin.cpp@ 81106

Last change on this file since 81106 was 76553, checked in by vboxsync, 6 years ago

scm --update-copyright-year

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 9.5 KB
Line 
1/* $Id: RTCrStoreCreateSnapshotById-darwin.cpp 76553 2019-01-01 01:45:53Z vboxsync $ */
2/** @file
3 * IPRT - RTCrStoreCreateSnapshotById, Darwin.
4 */
5
6/*
7 * Copyright (C) 2006-2019 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#include <iprt/crypto/store.h>
32#include "internal/iprt.h"
33
34#include <iprt/assert.h>
35#include <iprt/err.h>
36#include <iprt/file.h>
37
38/* HACK ALERT! Shut up those deprecated messages on SecKeychainSearchCreateFromAttributes and SecKeychainSearchCopyNext. */
39#include <CoreFoundation/CoreFoundation.h>
40#undef DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
41#define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
42
43#include <Security/Security.h>
44
45
46/**
47 * Checks the trust settings of the certificate.
48 *
49 * @returns true if not out-right distructed, otherwise false.
50 * @param hCert The certificate.
51 * @param enmTrustDomain The trust settings domain to check relative to.
52 */
53static bool rtCrStoreIsDarwinCertTrustworthy(SecCertificateRef hCert, SecTrustSettingsDomain enmTrustDomain)
54{
55 bool fResult = true;
56 CFArrayRef hTrustSettings;
57 OSStatus orc = SecTrustSettingsCopyTrustSettings(hCert, enmTrustDomain, &hTrustSettings);
58 if (orc == noErr)
59 {
60 CFIndex const cTrustSettings = CFArrayGetCount(hTrustSettings);
61 for (CFIndex i = 0; i < cTrustSettings; i++)
62 {
63 CFDictionaryRef hDict = (CFDictionaryRef)CFArrayGetValueAtIndex(hTrustSettings, i);
64 AssertContinue(CFGetTypeID(hDict) == CFDictionaryGetTypeID());
65
66 CFNumberRef hNum = (CFNumberRef)CFDictionaryGetValue(hDict, kSecTrustSettingsResult);
67 if (hNum)
68 {
69 AssertContinue(CFGetTypeID(hNum) == CFNumberGetTypeID());
70 SInt32 iNum;
71 if (CFNumberGetValue(hNum, kCFNumberSInt32Type, &iNum))
72 {
73 if (iNum == kSecTrustSettingsResultDeny)
74 {
75 fResult = false;
76 break;
77 }
78 }
79 /* No need to release hNum (get rule). */
80 }
81 /* No need to release hDict (get rule). */
82 }
83 CFRelease(hTrustSettings);
84 }
85 else if (orc != errSecItemNotFound)
86 {
87 AssertFailed();
88 fResult = false;
89 }
90 return fResult;
91}
92
93
94static int rtCrStoreAddCertsFromNativeKeychain(RTCRSTORE hStore, SecKeychainRef hKeychain, SecTrustSettingsDomain enmTrustDomain,
95 int rc, PRTERRINFO pErrInfo)
96{
97 /*
98 * Enumerate the certificates in the keychain.
99 */
100 SecKeychainSearchRef hSearch;
101 OSStatus orc = SecKeychainSearchCreateFromAttributes(hKeychain, kSecCertificateItemClass, NULL, &hSearch);
102 if (orc == noErr)
103 {
104 SecKeychainItemRef hItem;
105 while ((orc = SecKeychainSearchCopyNext(hSearch, &hItem)) == noErr)
106 {
107 Assert(CFGetTypeID(hItem) == SecCertificateGetTypeID());
108 SecCertificateRef hCert = (SecCertificateRef)hItem;
109
110 /*
111 * Check if the current certificate is at all trusted, skip it if it's isn't.
112 */
113 if (rtCrStoreIsDarwinCertTrustworthy(hCert, enmTrustDomain))
114 {
115 /*
116 * Get the certificate data.
117 */
118 CFDataRef hEncodedCert = SecCertificateCopyData(hCert);
119 Assert(hEncodedCert);
120 if (hEncodedCert)
121 {
122 CFIndex cbEncoded = CFDataGetLength(hEncodedCert);
123 const uint8_t *pbEncoded = CFDataGetBytePtr(hEncodedCert);
124
125 RTERRINFOSTATIC StaticErrInfo;
126 int rc2 = RTCrStoreCertAddEncoded(hStore, RTCRCERTCTX_F_ENC_X509_DER | RTCRCERTCTX_F_ADD_IF_NOT_FOUND,
127 pbEncoded, cbEncoded, RTErrInfoInitStatic(&StaticErrInfo));
128 if (RT_FAILURE(rc2))
129 {
130 if (RTErrInfoIsSet(&StaticErrInfo.Core))
131 RTErrInfoAddF(pErrInfo, -rc2, " %s", StaticErrInfo.Core.pszMsg);
132 else
133 RTErrInfoAddF(pErrInfo, -rc2, " %Rrc adding cert", rc2);
134 rc = -rc2;
135 }
136
137 CFRelease(hEncodedCert);
138 }
139 }
140
141 CFRelease(hItem);
142 }
143 if (orc != errSecItemNotFound)
144 rc = RTErrInfoAddF(pErrInfo, -VERR_SEARCH_ERROR,
145 " SecKeychainSearchCopyNext failed with %#x", orc);
146 CFRelease(hSearch);
147 }
148 else
149 rc = RTErrInfoAddF(pErrInfo, -VERR_SEARCH_ERROR,
150 " SecKeychainSearchCreateFromAttributes failed with %#x", orc);
151 return rc;
152}
153
154
155static int rtCrStoreAddCertsFromNativeKeychainFile(RTCRSTORE hStore, const char *pszKeychain,
156 SecTrustSettingsDomain enmTrustDomain,
157 int rc, PRTERRINFO pErrInfo)
158{
159 /*
160 * Open the keychain and call common worker to do the job.
161 */
162 SecKeychainRef hKeychain;
163 OSStatus orc = SecKeychainOpen(pszKeychain, &hKeychain);
164 if (orc == noErr)
165 {
166 rc = rtCrStoreAddCertsFromNativeKeychain(hStore, hKeychain, enmTrustDomain, rc, pErrInfo);
167
168 CFRelease(hKeychain);
169 }
170 else if (RTFileExists(pszKeychain))
171 rc = RTErrInfoAddF(pErrInfo, -VERR_OPEN_FAILED, " SecKeychainOpen failed with %#x on '%s'", orc, pszKeychain);
172 return rc;
173}
174
175
176static int rtCrStoreAddCertsFromNativeKeystoreDomain(RTCRSTORE hStore, SecPreferencesDomain enmDomain,
177 SecTrustSettingsDomain enmTrustDomain,
178 int rc, PRTERRINFO pErrInfo)
179{
180 /*
181 * Get a list of keystores for this domain and call common worker on each.
182 */
183 CFArrayRef hKeychains;
184 OSStatus orc = SecKeychainCopyDomainSearchList(enmDomain, &hKeychains);
185 if (orc == noErr)
186 {
187 CFIndex const cEntries = CFArrayGetCount(hKeychains);
188 for (CFIndex i = 0; i < cEntries; i++)
189 {
190 SecKeychainRef hKeychain = (SecKeychainRef)CFArrayGetValueAtIndex(hKeychains, i);
191 Assert(CFGetTypeID(hKeychain) == SecKeychainGetTypeID());
192 CFRetain(hKeychain);
193
194 rc = rtCrStoreAddCertsFromNativeKeychain(hStore, hKeychain, enmTrustDomain, rc, pErrInfo);
195
196 CFRelease(hKeychain);
197 }
198
199 CFRelease(hKeychains);
200 }
201 else
202 rc = RTErrInfoAddF(pErrInfo, -VERR_SEARCH_ERROR,
203 " SecKeychainCopyDomainSearchList failed with %#x on %d", orc, enmDomain);
204 return rc;
205}
206
207
208RTDECL(int) RTCrStoreCreateSnapshotById(PRTCRSTORE phStore, RTCRSTOREID enmStoreId, PRTERRINFO pErrInfo)
209{
210 AssertReturn(enmStoreId > RTCRSTOREID_INVALID && enmStoreId < RTCRSTOREID_END, VERR_INVALID_PARAMETER);
211
212 /*
213 * Create an empty in-memory store.
214 */
215 RTCRSTORE hStore;
216 int rc = RTCrStoreCreateInMem(&hStore, 128);
217 if (RT_SUCCESS(rc))
218 {
219 *phStore = hStore;
220
221 /*
222 * Load the certificates corresponding to the given virtual store ID.
223 */
224 switch (enmStoreId)
225 {
226 case RTCRSTOREID_USER_TRUSTED_CAS_AND_CERTIFICATES:
227 rc = rtCrStoreAddCertsFromNativeKeystoreDomain(hStore, kSecPreferencesDomainUser,
228 kSecTrustSettingsDomainUser, rc, pErrInfo);
229 break;
230
231 case RTCRSTOREID_SYSTEM_TRUSTED_CAS_AND_CERTIFICATES:
232 rc = rtCrStoreAddCertsFromNativeKeystoreDomain(hStore, kSecPreferencesDomainSystem,
233 kSecTrustSettingsDomainSystem, rc, pErrInfo);
234 rc = rtCrStoreAddCertsFromNativeKeychainFile(hStore,
235 "/System/Library/Keychains/SystemRootCertificates.keychain",
236 kSecTrustSettingsDomainSystem, rc, pErrInfo);
237 break;
238
239 default:
240 AssertFailed(); /* implement me */
241 }
242 }
243 else
244 RTErrInfoSet(pErrInfo, rc, "RTCrStoreCreateInMem failed");
245 return rc;
246}
247RT_EXPORT_SYMBOL(RTCrStoreCreateSnapshotById);
248
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette