static carray * mailstream_low_cfstream_get_certificate_chain(mailstream_low * s)
{
#if HAVE_CFNETWORK
struct mailstream_cfstream_data * cfstream_data;
unsigned int i;
carray * result;
cfstream_data = (struct mailstream_cfstream_data *) s->data;
SecTrustRef secTrust = (SecTrustRef)CFReadStreamCopyProperty(cfstream_data->readStream, kCFStreamPropertySSLPeerTrust);
if (secTrust == NULL)
return NULL;
CFIndex count = SecTrustGetCertificateCount(secTrust);
result = carray_new(4);
for(i = 0 ; i < count ; i ++) {
SecCertificateRef cert = (SecCertificateRef) SecTrustGetCertificateAtIndex(secTrust, i);
CFDataRef data = SecCertificateCopyData(cert);
CFIndex length = CFDataGetLength(data);
const UInt8 * bytes = CFDataGetBytePtr(data);
MMAPString * str = mmap_string_sized_new(length);
mmap_string_append_len(str, (char*) bytes, length);
carray_add(result, str, NULL);
CFRelease(data);
}
CFRelease(secTrust);
return result;
#else
return NULL;
#endif
}
int64_t AppleCryptoNative_X509ChainGetChainSize(SecTrustRef chain)
{
if (chain == NULL)
return -1;
return SecTrustGetCertificateCount(chain);
}
static void build_trust_chains(const void *key, const void *value,
void *context)
{
CFMutableDictionaryRef identity_dict = CFDictionaryCreateMutable(kCFAllocatorDefault,
0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
SecKeyRef private_key = NULL;
SecCertificateRef cert = NULL;
SecIdentityRef identity = NULL;
SecPolicyRef policy = NULL;
CFMutableArrayRef cert_chain = NULL, eval_chain = NULL;
SecTrustRef trust = NULL;
build_trust_chains_context * a_build_trust_chains_context = (build_trust_chains_context*)context;
CFDataRef key_bytes = CFDictionaryGetValue(value, CFSTR("key"));
require(key_bytes, out);
CFDataRef cert_bytes = CFDictionaryGetValue(value, CFSTR("cert"));
require(cert_bytes, out);
/* p12import only passes up rsa keys */
require (private_key = SecKeyCreateRSAPrivateKey(kCFAllocatorDefault,
CFDataGetBytePtr(key_bytes), CFDataGetLength(key_bytes),
kSecKeyEncodingPkcs1), out);
require(cert = SecCertificateCreateWithData(kCFAllocatorDefault, cert_bytes), out);
require(identity = SecIdentityCreate(kCFAllocatorDefault, cert, private_key), out);
CFDictionarySetValue(identity_dict, kSecImportItemIdentity, identity);
eval_chain = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
require(eval_chain, out);
CFArrayAppendValue(eval_chain, cert);
CFRange all_certs = { 0, CFArrayGetCount(a_build_trust_chains_context->certs) };
CFArrayAppendArray(eval_chain, a_build_trust_chains_context->certs, all_certs);
require(policy = SecPolicyCreateBasicX509(), out);
SecTrustResultType result;
SecTrustCreateWithCertificates(eval_chain, policy, &trust);
require(trust, out);
SecTrustEvaluate(trust, &result);
CFDictionarySetValue(identity_dict, kSecImportItemTrust, trust);
require(cert_chain = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks), out);
CFIndex cert_chain_length = SecTrustGetCertificateCount(trust);
int i;
for (i = 0; i < cert_chain_length; i++)
CFArrayAppendValue(cert_chain, SecTrustGetCertificateAtIndex(trust, i));
CFDictionarySetValue(identity_dict, kSecImportItemCertChain, cert_chain);
CFArrayAppendValue(a_build_trust_chains_context->identities, identity_dict);
out:
CFReleaseSafe(identity_dict);
CFReleaseSafe(identity);
CFReleaseSafe(private_key);
CFReleaseSafe(cert);
CFReleaseSafe(policy);
CFReleaseSafe(cert_chain);
CFReleaseSafe(eval_chain);
CFReleaseSafe(trust);
}
/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
OSStatus SecTrustGetCssmResultCode(SecTrustRef trustRef, OSStatus *result)
{
/* bridge to support old functionality */
#if SECTRUST_DEPRECATION_WARNINGS
syslog(LOG_ERR, "WARNING: SecTrustGetCssmResultCode has been deprecated since 10.7, and will be removed in a future release. Please use SecTrustCopyProperties instead.");
#endif
if (!trustRef || !result) {
return errSecParam;
}
SecTrustResultType trustResult = kSecTrustResultInvalid;
(void) SecTrustGetTrustResult(trustRef, &trustResult);
if (trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified) {
if (result) { *result = 0; }
return errSecSuccess;
}
/* Development Software Update certs return a special error code when evaluated
* against the AppleSWUpdateSigning policy. See <rdar://27362805>. */
if (isSoftwareUpdateDevelopment(trustRef)) {
if (result) {
*result = CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT;
}
return errSecSuccess;
}
OSStatus cssmResultCode = errSecSuccess;
uint8_t resultCodePriority = 0xFF;
CFIndex ix, count = SecTrustGetCertificateCount(trustRef);
for (ix = 0; ix < count; ix++) {
unsigned int numStatusCodes;
CSSM_RETURN *statusCodes = NULL;
statusCodes = copyCssmStatusCodes(trustRef, (uint32_t)ix, &numStatusCodes);
if (statusCodes && numStatusCodes > 0) {
unsigned int statusIX;
for (statusIX = 0; statusIX < numStatusCodes; statusIX++) {
CSSM_RETURN currStatus = statusCodes[statusIX];
uint8_t currPriority = convertCssmResultToPriority(currStatus);
if (resultCodePriority > currPriority) {
cssmResultCode = currStatus;
resultCodePriority = currPriority;
}
}
}
if (statusCodes) { free(statusCodes); }
if (resultCodePriority == 1) { break; }
}
if (result) {
*result = cssmResultCode;
}
return errSecSuccess;
}
CFArrayRef SecTrustCopyProperties(SecTrustRef trust) {
/* OS X creates a completely different structure with one dictionary for each certificate */
CFIndex ix, count = SecTrustGetCertificateCount(trust);
CFMutableArrayRef properties = CFArrayCreateMutable(kCFAllocatorDefault, count,
&kCFTypeArrayCallBacks);
for (ix = 0; ix < count; ix++) {
CFMutableDictionaryRef certDict = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
/* Populate the certificate title */
SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, ix);
if (cert) {
CFStringRef subjectSummary = SecCertificateCopySubjectSummary(cert);
if (subjectSummary) {
CFDictionaryAddValue(certDict, kSecPropertyTypeTitle, subjectSummary);
CFRelease(subjectSummary);
}
}
/* Populate a revocation reason if the cert was revoked */
unsigned int numStatusCodes;
CSSM_RETURN *statusCodes = NULL;
statusCodes = copyCssmStatusCodes(trust, (uint32_t)ix, &numStatusCodes);
if (statusCodes) {
int32_t reason = statusCodes[numStatusCodes]; // stored at end of status codes array
if (reason > 0) {
CFNumberRef cfreason = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &reason);
if (cfreason) {
CFDictionarySetValue(certDict, kSecTrustRevocationReason, cfreason);
CFRelease(cfreason);
}
}
free(statusCodes);
}
/* Populate the error in the leaf dictionary */
if (ix == 0) {
OSStatus error = errSecSuccess;
(void)SecTrustGetCssmResultCode(trust, &error);
CFStringRef errorStr = SecCopyErrorMessageString(error, NULL);
if (errorStr) {
CFDictionarySetValue(certDict, kSecPropertyTypeError, errorStr);
CFRelease(errorStr);
}
}
CFArrayAppendValue(properties, certDict);
CFRelease(certDict);
}
return properties;
}
// Return the constructed certificate chain for this trust reference,
// making output certificates pointer-equivalent to any provided input
// certificates (where possible) for legacy behavioral compatibility.
// Caller must release this array.
//
CFArrayRef SecTrustCopyConstructedChain(SecTrustRef trust)
{
CFMutableArrayRef certChain = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
CFIndex idx, count = SecTrustGetCertificateCount(trust);
for (idx=0; idx < count; idx++) {
SecCertificateRef certificate = SecTrustGetCertificateAtIndex(trust, idx);
if (certificate) {
CFArrayAppendValue(certChain, certificate);
}
}
// <rdar://24393060>
// Some callers make the assumption that the certificates in
// this chain are pointer-equivalent to ones they passed to the
// SecTrustCreateWithCertificates function. We'll maintain that
// behavior here for compatibility.
//
CFArrayRef inputCertArray = SecTrustCopyInputCertificates(trust);
CFArrayRef inputAnchorArray = SecTrustCopyInputAnchors(trust);
CFIndex inputCertIdx, inputCertCount = (inputCertArray) ? CFArrayGetCount(inputCertArray) : 0;
CFIndex inputAnchorIdx, inputAnchorCount = (inputAnchorArray) ? CFArrayGetCount(inputAnchorArray) : 0;
for (idx=0; idx < count; idx++) {
SecCertificateRef tmpCert = (SecCertificateRef) CFArrayGetValueAtIndex(certChain, idx);
if (tmpCert) {
SecCertificateRef matchCert = NULL;
for (inputCertIdx=0; inputCertIdx < inputCertCount && !matchCert; inputCertIdx++) {
SecCertificateRef inputCert = (SecCertificateRef) CFArrayGetValueAtIndex(inputCertArray, inputCertIdx);
if (inputCert && CFEqual(inputCert, tmpCert)) {
matchCert = inputCert;
}
}
for (inputAnchorIdx=0; inputAnchorIdx < inputAnchorCount && !matchCert; inputAnchorIdx++) {
SecCertificateRef inputAnchor = (SecCertificateRef) CFArrayGetValueAtIndex(inputAnchorArray, inputAnchorIdx);
if (inputAnchor && CFEqual(inputAnchor, tmpCert)) {
matchCert = inputAnchor;
}
}
if (matchCert) {
CFArraySetValueAtIndex(certChain, idx, matchCert);
}
}
}
if (inputCertArray) {
CFRelease(inputCertArray);
}
if (inputAnchorArray) {
CFRelease(inputAnchorArray);
}
return certChain;
}
static OSStatus
_EAPSecIdentityCreateCertificateTrustChain(SecIdentityRef identity,
CFArrayRef * ret_chain)
{
SecCertificateRef cert = NULL;
CFArrayRef certs;
SecPolicyRef policy = NULL;
OSStatus status;
SecTrustRef trust = NULL;
SecTrustResultType trust_result;
*ret_chain = NULL;
ok(policy = SecPolicyCreateBasicX509(), "SecPolicyCreateBasicX509");
ok_status(status = SecIdentityCopyCertificate(identity, &cert), "SecIdentityCopyCertificate");
certs = CFArrayCreate(NULL, (const void **)&cert,
1, &kCFTypeArrayCallBacks);
CFReleaseNull(cert);
ok_status(status = SecTrustCreateWithCertificates(certs, policy, &trust),
"SecTrustCreateWithCertificates");
CFReleaseNull(certs);
ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate");
{
CFMutableArrayRef array;
CFIndex count = SecTrustGetCertificateCount(trust);
CFIndex i;
isnt(count, 0, "SecTrustGetCertificateCount is nonzero");
array = CFArrayCreateMutable(NULL, count, &kCFTypeArrayCallBacks);
for (i = 0; i < count; i++) {
SecCertificateRef s;
s = SecTrustGetCertificateAtIndex(trust, i);
CFArrayAppendValue(array, s);
}
*ret_chain = array;
}
CFReleaseNull(trust);
CFReleaseNull(policy);
return (status);
}
static CURLcode
darwinssl_connect_step3(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CFStringRef server_cert_summary;
char server_cert_summary_c[128];
CFArrayRef server_certs;
SecCertificateRef server_cert;
OSStatus err;
CFIndex i, count;
SecTrustRef trust;
/* There is no step 3!
* Well, okay, if verbose mode is on, let's print the details of the
* server certificates. */
#if defined(__MAC_10_7) || defined(__IPHONE_5_0)
if(SecTrustGetCertificateCount != NULL) {
#pragma unused(server_certs)
err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
if(err == noErr) {
count = SecTrustGetCertificateCount(trust);
for(i = 0L ; i < count ; i++) {
server_cert = SecTrustGetCertificateAtIndex(trust, i);
server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(trust);
}
}
else {
#elif TARGET_OS_EMBEDDED == 0
#pragma unused(trust)
err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
if(err == noErr) {
count = CFArrayGetCount(server_certs);
for(i = 0L ; i < count ; i++) {
server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs, i);
server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(server_certs);
}
#endif /* defined(__MAC_10_7) || defined(__IPHONE_5_0) */
#if defined(__MAC_10_7) || defined(__IPHONE_5_0)
}
#endif /* defined(__MAC_10_7) || defined(__IPHONE_5_0) */
connssl->connecting_state = ssl_connect_done;
return CURLE_OK;
}
int /* O - 1 on success, 0 on error */
cupsdStartTLS(cupsd_client_t *con) /* I - Client connection */
{
OSStatus error = 0; /* Error code */
SecTrustRef peerTrust; /* Peer certificates */
cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] Encrypting connection.",
con->number);
con->http->encryption = HTTP_ENCRYPTION_ALWAYS;
con->http->tls_credentials = copy_cdsa_certificate(con);
if (!con->http->tls_credentials)
{
/*
* No keychain (yet), make a self-signed certificate...
*/
if (make_certificate(con))
con->http->tls_credentials = copy_cdsa_certificate(con);
}
if (!con->http->tls_credentials)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Could not find signing key in keychain \"%s\"",
ServerCertificate);
error = errSSLBadConfiguration;
}
if (!error)
con->http->tls = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide,
kSSLStreamType);
if (!error)
error = SSLSetIOFuncs(con->http->tls, _httpReadCDSA, _httpWriteCDSA);
if (!error)
error = SSLSetConnection(con->http->tls, HTTP(con));
if (!error)
error = SSLSetCertificate(con->http->tls, con->http->tls_credentials);
if (!error)
{
/*
* Perform SSL/TLS handshake
*/
while ((error = SSLHandshake(con->http->tls)) == errSSLWouldBlock)
usleep(1000);
}
if (error)
{
cupsdLogMessage(CUPSD_LOG_ERROR,
"Unable to encrypt connection from %s - %s (%d)",
con->http->hostname, cssmErrorString(error), (int)error);
con->http->error = error;
con->http->status = HTTP_ERROR;
if (con->http->tls)
{
CFRelease(con->http->tls);
con->http->tls = NULL;
}
if (con->http->tls_credentials)
{
CFRelease(con->http->tls_credentials);
con->http->tls_credentials = NULL;
}
return (0);
}
cupsdLogMessage(CUPSD_LOG_DEBUG, "Connection from %s now encrypted.",
con->http->hostname);
if (!SSLCopyPeerTrust(con->http->tls, &peerTrust) && peerTrust)
{
cupsdLogMessage(CUPSD_LOG_DEBUG, "Received %d peer certificates.",
(int)SecTrustGetCertificateCount(peerTrust));
CFRelease(peerTrust);
}
else
cupsdLogMessage(CUPSD_LOG_DEBUG, "Received NO peer certificates.");
return (1);
}
static int st_validateServerCertificate (vlc_tls_t *session, const char *hostname) {
int result = -1;
vlc_tls_sys_t *sys = session->sys;
SecCertificateRef leaf_cert = NULL;
SecTrustRef trust = NULL;
OSStatus ret = SSLCopyPeerTrust (sys->p_context, &trust);
if (ret != noErr || trust == NULL) {
msg_Err(session, "error getting certifictate chain");
return -1;
}
CFStringRef cfHostname = CFStringCreateWithCString(kCFAllocatorDefault,
hostname,
kCFStringEncodingUTF8);
/* enable default root / anchor certificates */
ret = SecTrustSetAnchorCertificates (trust, NULL);
if (ret != noErr) {
msg_Err(session, "error setting anchor certificates");
result = -1;
goto out;
}
SecTrustResultType trust_eval_result = 0;
ret = SecTrustEvaluate(trust, &trust_eval_result);
if(ret != noErr) {
msg_Err(session, "error calling SecTrustEvaluate");
result = -1;
goto out;
}
switch (trust_eval_result) {
case kSecTrustResultUnspecified:
case kSecTrustResultProceed:
msg_Dbg(session, "cerfificate verification successful, result is %d", trust_eval_result);
result = 0;
goto out;
case kSecTrustResultRecoverableTrustFailure:
case kSecTrustResultDeny:
default:
msg_Warn(session, "cerfificate verification failed, result is %d", trust_eval_result);
}
/* get leaf certificate */
/* SSLCopyPeerCertificates is only available on OSX 10.5 or later */
#if !TARGET_OS_IPHONE
CFArrayRef cert_chain = NULL;
ret = SSLCopyPeerCertificates (sys->p_context, &cert_chain);
if (ret != noErr || !cert_chain) {
result = -1;
goto out;
}
if (CFArrayGetCount (cert_chain) == 0) {
CFRelease (cert_chain);
result = -1;
goto out;
}
leaf_cert = (SecCertificateRef)CFArrayGetValueAtIndex (cert_chain, 0);
CFRetain (leaf_cert);
CFRelease (cert_chain);
#else
/* SecTrustGetCertificateAtIndex is only available on 10.7 or iOS */
if (SecTrustGetCertificateCount (trust) == 0) {
result = -1;
goto out;
}
leaf_cert = SecTrustGetCertificateAtIndex (trust, 0);
CFRetain (leaf_cert);
#endif
/* check if leaf already accepted */
CFIndex max = CFArrayGetCount (sys->p_cred->whitelist);
for (CFIndex i = 0; i < max; ++i) {
CFDictionaryRef dict = CFArrayGetValueAtIndex (sys->p_cred->whitelist, i);
CFStringRef knownHost = (CFStringRef)CFDictionaryGetValue (dict, cfKeyHost);
SecCertificateRef knownCert = (SecCertificateRef)CFDictionaryGetValue (dict, cfKeyCertificate);
if (!knownHost || !knownCert)
continue;
if (CFEqual (knownHost, cfHostname) && CFEqual (knownCert, leaf_cert)) {
msg_Warn(session, "certificate already accepted, continuing");
result = 0;
goto out;
}
}
/* We do not show more certificate details yet because there is no proper API to get
a summary of the certificate. SecCertificateCopySubjectSummary is the only method
available on iOS and 10.6. More promising API functions such as
SecCertificateCopyLongDescription also print out the subject only, more or less.
But only showing the certificate subject is of no real help for the user.
We could use SecCertificateCopyValues, but then we need to parse all OID values for
ourself. This is too mad for just printing information the user will never check
anyway.
*/
const char *msg = N_("You attempted to reach %s. "
"However the security certificate presented by the server "
"is unknown and could not be authenticated by any trusted "
"Certification Authority. "
"This problem may be caused by a configuration error "
"or an attempt to breach your security or your privacy.\n\n"
"If in doubt, abort now.\n");
int answer = dialog_Question (session, _("Insecure site"), vlc_gettext (msg),
_("Abort"), _("Accept certificate temporarily"), NULL, hostname);
if(answer == 2) {
msg_Warn(session, "Proceeding despite of failed certificate validation");
/* save leaf certificate in whitelist */
const void *keys[] = {cfKeyHost, cfKeyCertificate};
const void *values[] = {cfHostname, leaf_cert};
CFDictionaryRef dict = CFDictionaryCreate (kCFAllocatorDefault,
keys, values, 2,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if(!dict) {
msg_Err (session, "error creating dict");
result = -1;
goto out;
}
CFArrayAppendValue (sys->p_cred->whitelist, dict);
CFRelease (dict);
result = 0;
goto out;
} else {
result = -1;
goto out;
}
out:
CFRelease (trust);
if (cfHostname)
CFRelease (cfHostname);
if (leaf_cert)
CFRelease (leaf_cert);
return result;
}
int mailstream_cfstream_set_ssl_enabled(mailstream * s, int ssl_enabled)
{
#if HAVE_CFNETWORK
struct mailstream_cfstream_data * cfstream_data;
int r;
cfstream_data = (struct mailstream_cfstream_data *) s->low->data;
cfstream_data->ssl_enabled = ssl_enabled;
if (ssl_enabled) {
CFMutableDictionaryRef settings;
settings = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
switch (cfstream_data->ssl_level) {
case MAILSTREAM_CFSTREAM_SSL_LEVEL_NONE:
CFDictionarySetValue(settings, kCFStreamSSLLevel, kCFStreamSocketSecurityLevelNone);
break;
case MAILSTREAM_CFSTREAM_SSL_LEVEL_SSLv2:
CFDictionarySetValue(settings, kCFStreamSSLLevel, kCFStreamSocketSecurityLevelSSLv2);
break;
case MAILSTREAM_CFSTREAM_SSL_LEVEL_SSLv3:
CFDictionarySetValue(settings, kCFStreamSSLLevel, kCFStreamSocketSecurityLevelSSLv3);
break;
case MAILSTREAM_CFSTREAM_SSL_LEVEL_TLSv1:
CFDictionarySetValue(settings, kCFStreamSSLLevel, kCFStreamSocketSecurityLevelTLSv1);
break;
case MAILSTREAM_CFSTREAM_SSL_LEVEL_NEGOCIATED_SSL:
CFDictionarySetValue(settings, kCFStreamSSLLevel, kCFStreamSocketSecurityLevelNegotiatedSSL);
break;
}
if ((cfstream_data->ssl_certificate_verification_mask & MAILSTREAM_CFSTREAM_SSL_ALLOWS_EXPIRED_CERTIFICATES) != 0) {
CFDictionarySetValue(settings, kCFStreamSSLAllowsExpiredCertificates, kCFBooleanTrue);
}
if ((cfstream_data->ssl_certificate_verification_mask & MAILSTREAM_CFSTREAM_SSL_ALLOWS_EXPIRED_ROOTS) != 0) {
CFDictionarySetValue(settings, kCFStreamSSLAllowsExpiredRoots, kCFBooleanTrue);
}
if ((cfstream_data->ssl_certificate_verification_mask & MAILSTREAM_CFSTREAM_SSL_ALLOWS_ANY_ROOT) != 0) {
CFDictionarySetValue(settings, kCFStreamSSLAllowsAnyRoot, kCFBooleanTrue);
}
if ((cfstream_data->ssl_certificate_verification_mask & MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN) != 0) {
CFDictionarySetValue(settings, kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse);
}
CFReadStreamSetProperty(cfstream_data->readStream, kCFStreamPropertySSLSettings, settings);
CFWriteStreamSetProperty(cfstream_data->writeStream, kCFStreamPropertySSLSettings, settings);
CFRelease(settings);
}
else {
CFMutableDictionaryRef settings;
settings = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
CFDictionarySetValue(settings, kCFStreamSSLLevel, kCFStreamSocketSecurityLevelNone);
CFReadStreamSetProperty(cfstream_data->readStream, kCFStreamPropertySSLSettings, settings);
CFWriteStreamSetProperty(cfstream_data->writeStream, kCFStreamPropertySSLSettings, settings);
CFRelease(settings);
//fprintf(stderr, "is not ssl\n");
}
// We need to investigate more about how to establish a STARTTLS connection.
// For now, wait until we get the certificate chain.
while (1) {
r = wait_runloop(s->low, STATE_WAIT_SSL);
if (r != WAIT_RUNLOOP_EXIT_NO_ERROR) {
return -1;
}
if (cfstream_data->writeSSLResult < 0)
return -1;
if (cfstream_data->readSSLResult < 0)
return -1;
SecTrustRef secTrust = (SecTrustRef)CFReadStreamCopyProperty(cfstream_data->readStream, kCFStreamPropertySSLPeerTrust);
if (secTrust == NULL) {
// No trust, wait more.
continue;
}
CFIndex count = SecTrustGetCertificateCount(secTrust);
CFRelease(secTrust);
if (count == 0) {
// No certificates, wait more.
continue;
}
break;
}
return 0;
#else
return -1;
#endif
}
static CURLcode
darwinssl_connect_step3(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CFStringRef server_cert_summary;
char server_cert_summary_c[128];
CFArrayRef server_certs;
SecCertificateRef server_cert;
OSStatus err;
CFIndex i, count;
SecTrustRef trust;
/* There is no step 3!
* Well, okay, if verbose mode is on, let's print the details of the
* server certificates. */
#if defined(__MAC_10_7) || defined(__IPHONE_5_0)
#if (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)
#pragma unused(server_certs)
err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
if(err == noErr) {
count = SecTrustGetCertificateCount(trust);
for(i = 0L ; i < count ; i++) {
server_cert = SecTrustGetCertificateAtIndex(trust, i);
server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(trust);
}
#else
/* SSLCopyPeerCertificates() is deprecated as of Mountain Lion.
The function SecTrustGetCertificateAtIndex() is officially present
in Lion, but it is unfortunately also present in Snow Leopard as
private API and doesn't work as expected. So we have to look for
a different symbol to make sure this code is only executed under
Lion or later. */
if(SecTrustEvaluateAsync != NULL) {
#pragma unused(server_certs)
err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
if(err == noErr) {
count = SecTrustGetCertificateCount(trust);
for(i = 0L ; i < count ; i++) {
server_cert = SecTrustGetCertificateAtIndex(trust, i);
server_cert_summary =
SecCertificateCopyLongDescription(NULL, server_cert, NULL);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(trust);
}
}
else {
err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
if(err == noErr) {
count = CFArrayGetCount(server_certs);
for(i = 0L ; i < count ; i++) {
server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs,
i);
server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(server_certs);
}
}
#endif /* (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE) */
#else
#pragma unused(trust)
err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
if(err == noErr) {
count = CFArrayGetCount(server_certs);
for(i = 0L ; i < count ; i++) {
server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs, i);
server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(server_certs);
}
#endif /* defined(__MAC_10_7) || defined(__IPHONE_5_0) */
connssl->connecting_state = ssl_connect_done;
return CURLE_OK;
}
//
// Here is where backward compatibility gets ugly. CSSM_TP_APPLE_EVIDENCE_INFO does not exist
// in the unified SecTrust world. Unfortunately, some clients are still calling legacy APIs
// (e.g. SecTrustGetResult) and grubbing through the info for StatusBits and StatusCodes.
// SecTrustGetEvidenceInfo builds the legacy evidence info structure as needed, and returns
// a pointer to it. The evidence data is allocated here and set in the _legacy_* fields
// of the TSecTrust; the trust object subsequently owns it. The returned pointer is expected
// to be valid for the lifetime of the SecTrustRef, or until the trust parameters are changed,
// which would force re-evaluation.
//
static CSSM_TP_APPLE_EVIDENCE_INFO *
SecTrustGetEvidenceInfo(SecTrustRef trust)
{
TSecTrust *secTrust = (TSecTrust *)trust;
if (!secTrust) {
return NULL;
}
if (secTrust->_trustResult != kSecTrustResultInvalid &&
secTrust->_legacy_info_array) {
// we've already got valid evidence info, return it now.
return (CSSM_TP_APPLE_EVIDENCE_INFO *)secTrust->_legacy_info_array;
}
// Getting the count implicitly evaluates the chain if necessary.
CFIndex idx, count = SecTrustGetCertificateCount(trust);
CFArrayRef inputCertArray = SecTrustCopyInputCertificates(trust);
CFArrayRef inputAnchorArray = SecTrustCopyInputAnchors(trust);
CFIndex inputCertIdx, inputCertCount = (inputCertArray) ? CFArrayGetCount(inputCertArray) : 0;
CFIndex inputAnchorIdx, inputAnchorCount = (inputAnchorArray) ? CFArrayGetCount(inputAnchorArray) : 0;
CSSM_TP_APPLE_EVIDENCE_INFO *infoArray = (CSSM_TP_APPLE_EVIDENCE_INFO *)calloc(count, sizeof(CSSM_TP_APPLE_EVIDENCE_INFO));
CSSM_RETURN *statusArray = NULL;
unsigned int numStatusCodes = 0;
// Set status codes for each certificate in the constructed chain
for (idx=0; idx < count; idx++) {
SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, idx);
if (!cert) {
continue;
}
CSSM_TP_APPLE_EVIDENCE_INFO *evInfo = &infoArray[idx];
/* first the booleans (StatusBits flags) */
CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
if (secTrust->_verifyDate) {
now = CFDateGetAbsoluteTime(secTrust->_verifyDate);
}
CFAbsoluteTime na = SecCertificateNotValidAfter(cert);
if (na < now) {
evInfo->StatusBits |= CSSM_CERT_STATUS_EXPIRED;
}
CFAbsoluteTime nb = SecCertificateNotValidBefore(cert);
if (nb > now) {
evInfo->StatusBits |= CSSM_CERT_STATUS_NOT_VALID_YET;
}
for (inputAnchorIdx=0; inputAnchorIdx < inputAnchorCount; inputAnchorIdx++) {
SecCertificateRef inputAnchor = (SecCertificateRef) CFArrayGetValueAtIndex(inputAnchorArray, inputAnchorIdx);
if (inputAnchor && CFEqual(inputAnchor, cert)) {
evInfo->StatusBits |= CSSM_CERT_STATUS_IS_IN_ANCHORS;
break;
}
}
for (inputCertIdx=0; inputCertIdx < inputCertCount; inputCertIdx++) {
SecCertificateRef inputCert = (SecCertificateRef) CFArrayGetValueAtIndex(inputCertArray, inputCertIdx);
if (inputCert && CFEqual(inputCert, cert)) {
evInfo->StatusBits |= CSSM_CERT_STATUS_IS_IN_INPUT_CERTS;
break;
}
}
/* See if there are trust settings for this certificate. */
CFStringRef hashStr = SecTrustSettingsCertHashStrFromCert(cert);
bool foundMatch = false;
bool foundAny = false;
CSSM_RETURN *errors = NULL;
uint32 errorCount = 0;
OSStatus status = 0;
SecTrustSettingsDomain foundDomain = kSecTrustSettingsDomainUser;
SecTrustSettingsResult foundResult = kSecTrustSettingsResultInvalid;
bool isSelfSigned = false;
if ((count - 1) == idx) {
// Only the last cert in the chain needs to be considered
Boolean selfSigned;
status = SecCertificateIsSelfSigned(cert, &selfSigned);
isSelfSigned = (status) ? false : ((selfSigned) ? true : false);
if (isSelfSigned) {
evInfo->StatusBits |= CSSM_CERT_STATUS_IS_ROOT;
}
}
// STU: rdar://25554967
// %%% need to get policyOID, policyString, and keyUsage here!
status = SecTrustSettingsEvaluateCert(
hashStr, /* certHashStr */
NULL, /* policyOID (optional) */
NULL, /* policyString (optional) */
0, /* policyStringLen */
0, /* keyUsage */
isSelfSigned, /* isRootCert */
&foundDomain, /* foundDomain */
&errors, /* allowedErrors -- MUST FREE */
&errorCount, /* numAllowedErrors */
&foundResult, /* resultType */
&foundMatch, /* foundMatchingEntry */
&foundAny); /* foundAnyEntry */
if (status == errSecSuccess) {
if (foundMatch) {
switch (foundResult) {
case kSecTrustSettingsResultTrustRoot:
case kSecTrustSettingsResultTrustAsRoot:
/* these two can be disambiguated by IS_ROOT */
evInfo->StatusBits |= CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST;
break;
case kSecTrustSettingsResultDeny:
evInfo->StatusBits |= CSSM_CERT_STATUS_TRUST_SETTINGS_DENY;
break;
case kSecTrustSettingsResultUnspecified:
case kSecTrustSettingsResultInvalid:
default:
break;
}
}
}
if (errors) {
free(errors);
}
if (hashStr) {
CFRelease(hashStr);
}
unsigned int numCodes=0;
CSSM_RETURN *statusCodes = copyCssmStatusCodes(trust, (unsigned int)idx, &numCodes);
if (statusCodes) {
// Realloc space for these status codes at end of our status codes block.
// Two important things to note:
// 1. the actual length is numCodes+1 because copyCssmStatusCodes
// allocates one more element at the end for the CrlReason value.
// 2. realloc may cause the pointer to move, which means we will
// need to fix up the StatusCodes fields after we're done with this loop.
unsigned int totalStatusCodes = numStatusCodes + numCodes + 1;
statusArray = (CSSM_RETURN *)realloc(statusArray, totalStatusCodes * sizeof(CSSM_RETURN));
evInfo->StatusCodes = &statusArray[numStatusCodes];
evInfo->NumStatusCodes = numCodes;
// Copy the new codes (plus one) into place
for (unsigned int cpix = 0; cpix <= numCodes; cpix++) {
evInfo->StatusCodes[cpix] = statusCodes[cpix];
}
numStatusCodes = totalStatusCodes;
free(statusCodes);
}
if(evInfo->StatusBits & (CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST |
CSSM_CERT_STATUS_TRUST_SETTINGS_DENY |
CSSM_CERT_STATUS_TRUST_SETTINGS_IGNORED_ERROR)) {
/* Something noteworthy happened involving TrustSettings */
uint32 whichDomain = 0;
switch(foundDomain) {
case kSecTrustSettingsDomainUser:
whichDomain = CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_USER;
break;
case kSecTrustSettingsDomainAdmin:
whichDomain = CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_ADMIN;
break;
case kSecTrustSettingsDomainSystem:
whichDomain = CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_SYSTEM;
break;
}
evInfo->StatusBits |= whichDomain;
}
/* index into raw cert group or AnchorCerts depending on IS_IN_ANCHORS */
//evInfo->Index = certInfo->index();
/* nonzero if cert came from a DLDB */
//evInfo->DlDbHandle = certInfo->dlDbHandle();
//evInfo->UniqueRecord = certInfo->uniqueRecord();
}
// Now that all the status codes have been allocated in a contiguous block,
// refresh the StatusCodes pointer in each array element.
numStatusCodes = 0;
for (idx=0; idx < count; idx++) {
CSSM_TP_APPLE_EVIDENCE_INFO *evInfo = &infoArray[idx];
evInfo->StatusCodes = &statusArray[numStatusCodes];
numStatusCodes += evInfo->NumStatusCodes + 1;
}
secTrust->_legacy_info_array = infoArray;
secTrust->_legacy_status_array = statusArray;
if (inputCertArray) {
CFRelease(inputCertArray);
}
if (inputAnchorArray) {
CFRelease(inputAnchorArray);
}
return (CSSM_TP_APPLE_EVIDENCE_INFO *)secTrust->_legacy_info_array;
}
static carray * mailstream_low_cfstream_get_certificate_chain(mailstream_low * s)
{
#if HAVE_CFNETWORK
struct mailstream_cfstream_data * cfstream_data;
unsigned int i;
carray * result;
CFArrayRef certs;
CFIndex count;
cfstream_data = (struct mailstream_cfstream_data *) s->data;
SecTrustRef secTrust = (SecTrustRef)CFReadStreamCopyProperty(cfstream_data->readStream, kCFStreamPropertySSLPeerTrust);
if (secTrust) {
// SecTrustEvaluate() needs to be called before SecTrustGetCertificateCount() in Mac OS X <= 10.8
SecTrustEvaluate(secTrust, NULL);
count = SecTrustGetCertificateCount(secTrust);
result = carray_new(4);
for(i = 0 ; i < count ; i ++) {
SecCertificateRef cert = (SecCertificateRef) SecTrustGetCertificateAtIndex(secTrust, i);
CFDataRef data = SecCertificateCopyData(cert);
if (data == NULL) {
carray_free(result);
CFRelease(secTrust);
return NULL;
}
CFIndex length = CFDataGetLength(data);
const UInt8 * bytes = CFDataGetBytePtr(data);
MMAPString * str = mmap_string_sized_new(length);
mmap_string_append_len(str, (char*) bytes, length);
carray_add(result, str, NULL);
CFRelease(data);
}
CFRelease(secTrust);
}
else {
certs = CFReadStreamCopyProperty(cfstream_data->readStream, kCFStreamPropertySSLPeerCertificates);
if (certs) {
count = CFArrayGetCount(certs);
result = carray_new(4);
for(i = 0 ; i < count ; i ++) {
SecCertificateRef cert = (SecCertificateRef) CFArrayGetValueAtIndex(certs, i);
CFDataRef data = SecCertificateCopyData(cert);
if (data == NULL) {
carray_free(result);
CFRelease(certs);
return NULL;
}
CFIndex length = CFDataGetLength(data);
const UInt8 * bytes = CFDataGetBytePtr(data);
MMAPString * str = mmap_string_sized_new(length);
mmap_string_append_len(str, (char*) bytes, length);
carray_add(result, str, NULL);
CFRelease(data);
}
CFRelease(certs);
}
else {
return NULL;
}
}
return result;
#else
return NULL;
#endif
}
static void
filter_exception(const void *key, const void *value, void *context)
{
SecExceptionFilterContext *ctx = (SecExceptionFilterContext *)context;
if (!ctx) { return; }
SecTrustOptionFlags options = ctx->flags;
CFMutableDictionaryRef filteredException = ctx->filteredException;
CFStringRef keystr = (CFStringRef)key;
if (ctx->oldException && CFDictionaryContainsKey(ctx->oldException, key)) {
// Keep existing exception in filtered dictionary, regardless of options
CFDictionaryAddValue(filteredException, key, CFDictionaryGetValue(ctx->oldException, key));
return;
}
bool allowed = false;
if (CFEqual(keystr, CFSTR("SHA1Digest"))) {
allowed = true; // this key is informational and always permitted
}
else if (CFEqual(keystr, CFSTR("NotValidBefore"))) {
allowed = ((options & kSecTrustOptionAllowExpired) != 0);
}
else if (CFEqual(keystr, CFSTR("ValidLeaf"))) {
allowed = ((options & kSecTrustOptionAllowExpired) != 0);
}
else if (CFEqual(keystr, CFSTR("ValidIntermediates"))) {
allowed = ((options & kSecTrustOptionAllowExpired) != 0);
}
else if (CFEqual(keystr, CFSTR("ValidRoot"))) {
if (((options & kSecTrustOptionAllowExpired) != 0) ||
((options & kSecTrustOptionAllowExpiredRoot) != 0)) {
allowed = true;
}
}
else if (CFEqual(keystr, CFSTR("AnchorTrusted"))) {
bool implicitAnchors = ((options & kSecTrustOptionImplicitAnchors) != 0);
// Implicit anchors option only filters exceptions for self-signed certs
if (implicitAnchors && ctx->trustRef &&
(ctx->certIX < SecTrustGetCertificateCount(ctx->trustRef))) {
Boolean isSelfSigned = false;
SecCertificateRef cert = SecTrustGetCertificateAtIndex(ctx->trustRef, ctx->certIX);
if (cert && (errSecSuccess == SecCertificateIsSelfSigned(cert, &isSelfSigned)) &&
isSelfSigned) {
allowed = true;
}
}
}
else if (CFEqual(keystr, CFSTR("KeyUsage")) ||
CFEqual(keystr, CFSTR("ExtendedKeyUsage")) ||
CFEqual(keystr, CFSTR("BasicConstraints")) ||
CFEqual(keystr, CFSTR("NonEmptySubject")) ||
CFEqual(keystr, CFSTR("IdLinkage"))) {
// Cannot override these exceptions
allowed = false;
}
else {
// Unhandled exceptions should not be overridden,
// but we want to know which ones we're missing
char *cstr = CFStringToCString(keystr);
syslog(LOG_ERR, "Unfiltered exception: %s", (cstr) ? cstr : "<NULL>");
if (cstr) { free(cstr); }
allowed = false;
}
if (allowed) {
CFDictionaryAddValue(filteredException, key, value);
}
}
/*
* Convert a keychain name (which may be NULL) into the CFArrayRef required
* by SSLSetCertificate. This is a bare-bones example of this operation,
* since it requires and assumes that there is exactly one SecIdentity
* in the keychain - i.e., there is exactly one matching cert/private key
* pair. A real world server would probably search a keychain for a SecIdentity
* matching some specific criteria.
*/
CFArrayRef getSslCerts(
const char *kcName, // may be NULL, i.e., use default
bool encryptOnly,
bool completeCertChain,
const char *anchorFile, // optional trusted anchor
SecKeychainRef *pKcRef) // RETURNED
{
#if 0
SecKeychainRef kcRef = nil;
OSStatus ortn;
*pKcRef = nil;
/* pick a keychain */
if(kcName) {
ortn = SecKeychainOpen(kcName, &kcRef);
if(ortn) {
printf("SecKeychainOpen returned %d.\n", (int)ortn);
printf("Cannot open keychain at %s. Aborting.\n", kcName);
return NULL;
}
}
else {
/* use default keychain */
ortn = SecKeychainCopyDefault(&kcRef);
if(ortn) {
printf("SecKeychainCopyDefault returned %d; aborting.\n", (int)ortn);
return nil;
}
}
*pKcRef = kcRef;
return sslKcRefToCertArray(kcRef, encryptOnly, completeCertChain, anchorFile);
#else
SecCertificateRef cert = NULL;
SecIdentityRef identity = NULL;
CFMutableArrayRef certificates = NULL, result = NULL;
CFMutableDictionaryRef certQuery = NULL, keyQuery = NULL, keyResult = NULL;
SecTrustRef trust = NULL;
SecKeyRef key = NULL;
CFTypeRef pkdigest = NULL;
// Find the first private key in the keychain and return both it's
// attributes and a ref to it.
require(keyQuery = CFDictionaryCreateMutable(NULL, 0, NULL, NULL), errOut);
CFDictionaryAddValue(keyQuery, kSecClass, kSecClassKey);
CFDictionaryAddValue(keyQuery, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
CFDictionaryAddValue(keyQuery, kSecReturnRef, kCFBooleanTrue);
CFDictionaryAddValue(keyQuery, kSecReturnAttributes, kCFBooleanTrue);
require_noerr(SecItemCopyMatching(keyQuery, (CFTypeRef *)&keyResult),
errOut);
require(key = (SecKeyRef)CFDictionaryGetValue(keyResult, kSecValueRef),
errOut);
require(pkdigest = CFDictionaryGetValue(keyResult, kSecAttrApplicationLabel),
errOut);
// Find the first certificate that has the same public key hash as the
// returned private key and return it as a ref.
require(certQuery = CFDictionaryCreateMutable(NULL, 0, NULL, NULL), errOut);
CFDictionaryAddValue(certQuery, kSecClass, kSecClassCertificate);
CFDictionaryAddValue(certQuery, kSecAttrPublicKeyHash, pkdigest);
CFDictionaryAddValue(certQuery, kSecReturnRef, kCFBooleanTrue);
require_noerr(SecItemCopyMatching(certQuery, (CFTypeRef *)&cert), errOut);
// Create an identity from the key and certificate.
require(identity = SecIdentityCreate(NULL, cert, key), errOut);
// Build a (partial) certificate chain from cert
require(certificates = CFArrayCreateMutable(NULL, 0,
&kCFTypeArrayCallBacks), errOut);
CFArrayAppendValue(certificates, cert);
require_noerr(SecTrustCreateWithCertificates(certificates, NULL, &trust),
errOut);
SecTrustResultType tresult;
require_noerr(SecTrustEvaluate(trust, &tresult), errOut);
CFIndex certCount, ix;
// We need at least 1 certificate
require(certCount = SecTrustGetCertificateCount(trust), errOut);
// Build a result where element 0 is the identity and the other elements
// are the certs in the chain starting at the first intermediate up to the
// anchor, if we found one, or as far as we were able to build the chain
// if not.
require(result = CFArrayCreateMutable(NULL, certCount, &kCFTypeArrayCallBacks),
errOut);
// We are commited to returning a result now, so do not use require below
// this line without setting result to NULL again.
CFArrayAppendValue(result, identity);
for (ix = 1; ix < certCount; ++ix) {
CFArrayAppendValue(result, SecTrustGetCertificateAtIndex(trust, ix));
}
errOut:
CFReleaseSafe(trust);
CFReleaseSafe(certificates);
CFReleaseSafe(identity);
CFReleaseSafe(cert);
CFReleaseSafe(certQuery);
CFReleaseSafe(keyResult);
CFReleaseSafe(keyQuery);
return result;
#endif
}
/* Test basic add delete update copy matching stuff. */
static void tests(void)
{
SecTrustRef trust;
SecCertificateRef cert0, cert1;
isnt(cert0 = SecCertificateCreateWithBytes(NULL, _c0, sizeof(_c0)),
NULL, "create cert0");
isnt(cert1 = SecCertificateCreateWithBytes(NULL, _c1, sizeof(_c1)),
NULL, "create cert1");
const void *v_certs[] = {
cert0,
cert1
};
SecPolicyRef policy = SecPolicyCreateSSL(false, NULL);
CFArrayRef certs = CFArrayCreate(NULL, v_certs,
array_size(v_certs), NULL);
/* SecTrustCreateWithCertificates using single cert. */
ok_status(SecTrustCreateWithCertificates(cert0, policy, &trust),
"create trust with single cert0");
is(SecTrustGetCertificateCount(trust), 1, "cert count is 1");
is(SecTrustGetCertificateAtIndex(trust, 0), cert0, "cert 0 is leaf");
CFReleaseNull(trust);
/* SecTrustCreateWithCertificates failures. */
is_status(SecTrustCreateWithCertificates(kCFBooleanTrue, policy, &trust),
errSecParam, "create trust with boolean instead of cert");
is_status(SecTrustCreateWithCertificates(cert0, kCFBooleanTrue, &trust),
errSecParam, "create trust with boolean instead of policy");
/* SecTrustCreateWithCertificates using array of certs. */
ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
/* NOTE: prior to <rdar://11810677 SecTrustGetCertificateCount would return 1 at this point.
* Now, however, we do an implicit SecTrustEvaluate to build the chain if it has not yet been
* evaluated, so we now expect the full chain length.
*/
is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
is(SecTrustGetCertificateAtIndex(trust, 0), cert0, "cert 0 is leaf");
/* Jan 1st 2006. */
CFDateRef date = CFDateCreate(NULL, 157680000.0);
ok_status(SecTrustSetVerifyDate(trust, date), "set date");
is(SecTrustGetVerifyTime(trust), 157680000.0, "get date");
SecTrustResultType trustResult;
SKIP: {
#ifdef NO_SERVER
skip("Can't fail to connect to securityd in NO_SERVER mode", 4, false);
#endif
// Test Restore OS environment
SecServerSetMachServiceName("com.apple.security.doesn't-exist");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust without securityd running");
is_status(trustResult, kSecTrustResultInvalid, "trustResult is kSecTrustResultInvalid");
is(SecTrustGetCertificateCount(trust), 1, "cert count is 1 without securityd running");
SecKeyRef pubKey = NULL;
ok(pubKey = SecTrustCopyPublicKey(trust), "copy public key without securityd running");
CFReleaseNull(pubKey);
SecServerSetMachServiceName(NULL);
// End of Restore OS environment tests
}
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
is_status(trustResult, kSecTrustResultUnspecified,
"trustResult is kSecTrustResultUnspecified");
is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
CFDataRef c0_serial = CFDataCreate(NULL, _c0_serial, sizeof(_c0_serial));
CFDataRef serial;
ok(serial = SecCertificateCopySerialNumber(cert0), "copy cert0 serial");
ok(CFEqual(c0_serial, serial), "serial matches");
CFArrayRef anchors = CFArrayCreate(NULL, (const void **)&cert1, 1, &kCFTypeArrayCallBacks);
ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
is_status(trustResult, kSecTrustResultUnspecified,
"trust is kSecTrustResultUnspecified");
is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");
CFReleaseSafe(anchors);
anchors = CFArrayCreate(NULL, NULL, 0, NULL);
ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set empty anchors list");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
"trust is kSecTrustResultRecoverableTrustFailure");
ok_status(SecTrustSetAnchorCertificatesOnly(trust, false), "trust passed in anchors and system anchors");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
is_status(trustResult, kSecTrustResultUnspecified,
"trust is kSecTrustResultUnspecified");
ok_status(SecTrustSetAnchorCertificatesOnly(trust, true), "only trust passed in anchors (default)");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
"trust is kSecTrustResultRecoverableTrustFailure");
/* Test cert_1 intermididate from the keychain. */
CFReleaseSafe(trust);
ok_status(SecTrustCreateWithCertificates(cert0, policy, &trust),
"create trust with single cert0");
ok_status(SecTrustSetVerifyDate(trust, date), "set date");
// Add cert1
CFDictionaryRef query = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
kSecClass, kSecClassCertificate, kSecValueRef, cert1, NULL);
ok_status(SecItemAdd(query, NULL), "add cert1 to keychain");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
// Cleanup added cert1.
ok_status(SecItemDelete(query), "remove cert1 from keychain");
CFReleaseSafe(query);
is_status(trustResult, kSecTrustResultUnspecified,
"trust is kSecTrustResultUnspecified");
is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
/* Set certs to be the xedge2 leaf. */
CFReleaseSafe(certs);
const void *cert_xedge2;
isnt(cert_xedge2 = SecCertificateCreateWithBytes(NULL, xedge2_certificate,
sizeof(xedge2_certificate)), NULL, "create cert_xedge2");
certs = CFArrayCreate(NULL, &cert_xedge2, 1, NULL);
CFReleaseSafe(trust);
CFReleaseSafe(policy);
CFReleaseSafe(date);
bool server = true;
policy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
"create trust for ssl server xedge2.apple.com");
/* Jan 1st 2009. */
date = CFDateCreate(NULL, 252288000.0);
ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
is_status(trustResult, kSecTrustResultUnspecified,
"trust is kSecTrustResultUnspecified");
CFReleaseSafe(trust);
CFReleaseSafe(policy);
server = false;
policy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
"create trust for ssl client xedge2.apple.com");
ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
"trust is kSecTrustResultRecoverableTrustFailure");
CFReleaseSafe(trust);
CFReleaseSafe(policy);
server = true;
policy = SecPolicyCreateIPSec(server, CFSTR("xedge2.apple.com"));
ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
"create trust for ip server xedge2.apple.com");
ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
#if 0
/* Although this shouldn't be a valid ipsec cert, since we no longer
check for ekus in the ipsec policy it is. */
is_status(trustResult, kSecTrustResultRecoverableTrustFailure,
"trust is kSecTrustResultRecoverableTrustFailure");
#else
is_status(trustResult, kSecTrustResultUnspecified,
"trust is kSecTrustResultUnspecified");
#endif
CFReleaseSafe(trust);
CFReleaseSafe(policy);
server = true;
policy = SecPolicyCreateSSL(server, CFSTR("nowhere.com"));
ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
"create trust for ssl server nowhere.com");
SecPolicyRef replacementPolicy = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
SecTrustSetPolicies(trust, replacementPolicy);
CFReleaseSafe(replacementPolicy);
ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
is_status(trustResult, kSecTrustResultUnspecified,
"trust is kSecTrustResultUnspecified");
CFReleaseSafe(trust);
CFReleaseSafe(policy);
server = true;
policy = SecPolicyCreateSSL(server, CFSTR("nowhere.com"));
ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
"create trust for ssl server nowhere.com");
SecPolicyRef replacementPolicy2 = SecPolicyCreateSSL(server, CFSTR("xedge2.apple.com"));
CFArrayRef replacementPolicies = CFArrayCreate(kCFAllocatorDefault, (CFTypeRef*)&replacementPolicy2, 1, &kCFTypeArrayCallBacks);
SecTrustSetPolicies(trust, replacementPolicies);
CFReleaseSafe(replacementPolicy2);
CFReleaseSafe(replacementPolicies);
ok_status(SecTrustSetVerifyDate(trust, date), "set xedge2 trust date to Jan 1st 2009");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate xedge2 trust");
is_status(trustResult, kSecTrustResultUnspecified,
"trust is kSecTrustResultUnspecified");
/* Test self signed ssl cert with cert itself set as anchor. */
CFReleaseSafe(trust);
CFReleaseSafe(policy);
CFReleaseSafe(certs);
CFReleaseSafe(date);
const void *garthc2;
server = true;
isnt(garthc2 = SecCertificateCreateWithBytes(NULL, garthc2_certificate,
sizeof(garthc2_certificate)), NULL, "create garthc2");
certs = CFArrayCreate(NULL, &garthc2, 1, NULL);
policy = SecPolicyCreateSSL(server, CFSTR("garthc2.apple.com"));
ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
"create trust for ip server garthc2.apple.com");
date = CFDateCreate(NULL, 269568000.0);
ok_status(SecTrustSetVerifyDate(trust, date),
"set garthc2 trust date to Aug 2009");
ok_status(SecTrustSetAnchorCertificates(trust, certs),
"set garthc2 as anchor");
ok_status(SecTrustEvaluate(trust, &trustResult),
"evaluate self signed cert with cert as anchor");
is_status(trustResult, kSecTrustResultUnspecified,
"trust is kSecTrustResultUnspecified");
CFReleaseSafe(garthc2);
CFReleaseSafe(cert_xedge2);
CFReleaseSafe(anchors);
CFReleaseSafe(trust);
CFReleaseSafe(serial);
CFReleaseSafe(c0_serial);
CFReleaseSafe(policy);
CFReleaseSafe(certs);
CFReleaseSafe(cert0);
CFReleaseSafe(cert1);
CFReleaseSafe(date);
/* Test prt_forest_fi */
const void *prt_forest_fi;
isnt(prt_forest_fi = SecCertificateCreateWithBytes(NULL, prt_forest_fi_certificate,
sizeof(prt_forest_fi_certificate)), NULL, "create prt_forest_fi");
isnt(certs = CFArrayCreate(NULL, &prt_forest_fi, 1, NULL), NULL, "failed to create cert array");
policy = SecPolicyCreateSSL(false, CFSTR("owa.prt-forest.fi"));
ok_status(SecTrustCreateWithCertificates(certs, policy, &trust),
"create trust for ip client owa.prt-forest.fi");
date = CFDateCreate(NULL, 391578321.0);
ok_status(SecTrustSetVerifyDate(trust, date),
"set owa.prt-forest.fi trust date to May 2013");
SecKeyRef pubkey = SecTrustCopyPublicKey(trust);
is(pubkey, NULL, "pubkey returned");
CFReleaseSafe(certs);
CFReleaseNull(prt_forest_fi);
CFReleaseNull(policy);
CFReleaseNull(trust);
CFReleaseNull(pubkey);
CFReleaseNull(date);
}
bool Connection::readHandshake()
{
log_trace("Connection::readHandshake");
std::streambuf* sb = _ios->rdbuf();
if( ! sb)
return true;
_maxImport = sb->in_avail();
_wantRead = false;
_isReading = true;
OSStatus status = SSLHandshake(_context);
_isReading = false;
log_debug("SSLHandshake returns " << status);
if( status == noErr )
{
log_debug("SSL handshake completed");
_connected = true;
return false;
}
#ifdef PT_IOS
if(status == errSSLPeerAuthCompleted)
#else
if(status == errSSLServerAuthCompleted)
#endif
{
log_debug("authenticating peer");
if( _ctx->verifyMode() != NoVerify )
{
log_debug("evaluating trust");
SecTrustRef trust = NULL;
SSLCopyPeerTrust(_context, &trust);
CFArrayRef caArr = _ctx->impl()->caCertificates();
SecTrustSetAnchorCertificates(trust, caArr);
SecTrustSetAnchorCertificatesOnly(trust, true);
SecTrustResultType result;
OSStatus evalErr = SecTrustEvaluate(trust, &result);
if(evalErr)
throw HandshakeFailed("SSL handshake failed");
CFIndex count = SecTrustGetCertificateCount(trust);
log_debug("SecTrustEvaluate: " << result << " certs: " << count);
if(trust)
CFRelease(trust);
// if peer presented no certificate, SecTrustGetCertificateCount
// should return 0. If we require one because AlwaysVerify is
// set, the handshake is considered to be failed
if(_ctx->verifyMode() == AlwaysVerify && count == 0)
throw HandshakeFailed("SSL handshake failed");
if( (result != kSecTrustResultProceed) &&
(result != kSecTrustResultUnspecified) )
throw HandshakeFailed("SSL handshake failed");
log_debug("authentication successful");
}
return readHandshake();
}
if( status != errSSLWouldBlock )
{
throw HandshakeFailed("SSL handshake failed");
}
return _wantRead;
}
/* Test basic add delete update copy matching stuff. */
static void tests(void)
{
SecTrustRef trust;
SecCertificateRef iAP1CA, iAP2CA, leaf0, leaf1;
isnt(iAP1CA = SecCertificateCreateWithBytes(NULL, _iAP1CA, sizeof(_iAP1CA)),
NULL, "create iAP1CA");
isnt(iAP2CA = SecCertificateCreateWithBytes(NULL, _iAP2CA, sizeof(_iAP2CA)),
NULL, "create iAP2CA");
isnt(leaf0 = SecCertificateCreateWithBytes(NULL, _leaf0, sizeof(_leaf0)),
NULL, "create leaf0");
isnt(leaf1 = SecCertificateCreateWithBytes(NULL, _leaf1, sizeof(_leaf1)),
NULL, "create leaf1");
{
// temporarily grab some stack space and fill it with 0xFF;
// when we exit this scope, the stack pointer should shrink but leave the memory filled.
// this tests for a stack overflow bug inside SecPolicyCreateiAP (rdar://16056248)
char buf[2048];
memset(buf, 0xFF, sizeof(buf));
}
SecPolicyRef policy = SecPolicyCreateiAP();
const void *v_anchors[] = {
iAP1CA,
iAP2CA
};
CFArrayRef anchors = CFArrayCreate(NULL, v_anchors,
array_size(v_anchors), NULL);
CFArrayRef certs0 = CFArrayCreate(NULL, (const void **)&leaf0, 1, NULL);
CFArrayRef certs1 = CFArrayCreate(NULL, (const void **)&leaf1, 1, NULL);
ok_status(SecTrustCreateWithCertificates(certs0, policy, &trust), "create trust for leaf0");
ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
/* Jan 1st 2008. */
CFDateRef date = CFDateCreate(NULL, 220752000.0);
ok_status(SecTrustSetVerifyDate(trust, date), "set date");
SecTrustResultType trustResult;
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
is_status(trustResult, kSecTrustResultUnspecified,
"trust is kSecTrustResultUnspecified");
is(SecTrustGetCertificateCount(trust), 2, "cert count is 2");
CFReleaseSafe(trust);
ok_status(SecTrustCreateWithCertificates(certs1, policy, &trust), "create trust for leaf1");
ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors");
ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
TODO:
{
todo("We need the actual iAP1 intermediate");
is_status(trustResult, kSecTrustResultUnspecified,
"trust is kSecTrustResultUnspecified");
}
CFReleaseSafe(anchors);
CFReleaseSafe(certs1);
CFReleaseSafe(certs0);
CFReleaseSafe(trust);
CFReleaseSafe(policy);
CFReleaseSafe(leaf0);
CFReleaseSafe(leaf1);
CFReleaseSafe(iAP1CA);
CFReleaseSafe(iAP2CA);
CFReleaseSafe(date);
}
