// Takes the "context" policies to extract the revocation and apply it to timeStamp. CFArrayRef SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray) { /* can't use SECAPI macros, since this function does not return OSStatus */ CFArrayRef resultPolicyArray=NULL; try { // Set default policy CFRef<CFArrayRef> policyArray = cfArrayize(policyOrArray); CFRef<SecPolicyRef> defaultPolicy = SecPolicyCreateWithOID(kSecPolicyAppleTimeStamping); CFRef<CFMutableArrayRef> appleTimeStampingPolicies = makeCFMutableArray(1,defaultPolicy.get()); // Parse the policy and add revocation related ones CFIndex numPolicies = CFArrayGetCount(policyArray); for(CFIndex dex=0; dex<numPolicies; dex++) { SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(policyArray, dex); SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol)); const CssmOid &oid = pol->oid(); if ((oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION)) || (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL)) || (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP))) { CFArrayAppendValue(appleTimeStampingPolicies, secPol); } } // Transfer of ownership resultPolicyArray=appleTimeStampingPolicies.yield(); } catch (...) { CFReleaseNull(resultPolicyArray); }; return resultPolicyArray; }
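// Collects the X.509 certificates embedded in a xar signature, in signature
// order, as SecCertificateRef objects.
// sig: the xar signature to read certificates from.
// Returns a newly created CFArray owned by the caller. Certificate slots that
// xar cannot hand back (non-zero result from xar_signature_get_x509certificate_data)
// are skipped.
// Throws MacOSError(errSecCSSignatureFailed) when a certificate blob is present
// but does not parse: SecCertificateCreateWithData returns NULL in that case, and
// appending NULL to a CFArray would at best produce a chain that is not the one
// the signer embedded, so the signature is treated as invalid instead (fail closed).
static CFArrayRef copyCertChainFromSignature(xar_signature_t sig)
{
	const unsigned count = xar_signature_get_x509certificate_count(sig);
	CFRef<CFMutableArrayRef> certs = makeCFMutableArray(0);
	for (unsigned ix = 0; ix < count; ix++) {
		const uint8_t *data = NULL;
		uint32_t length = 0;
		if (xar_signature_get_x509certificate_data(sig, ix, &data, &length) != 0)
			continue;	// xar could not supply this slot; skip it
		CFTempData cdata(data, length);
		CFRef<SecCertificateRef> cert = SecCertificateCreateWithData(NULL, cdata);
		if (!cert)
			MacOSError::throwMe(errSecCSSignatureFailed);	// malformed certificate data
		CFArrayAppendValue(certs, cert.get());
	}
	return certs.yield();
}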
// Looks up the scan_authority rules that apply to target (narrowed by type, flags
// and context via selectRules) and returns them, highest priority first, as
// {kSecAssessmentUpdateKeyFound = [rule dictionaries]}.
// Each rule dictionary always carries id, type, requirement, allow and priority;
// label, remarks, expires, disabled and bookmark are added only when present.
// Throws MacOSError(errSecCSNoMatches) if no rule matches.
// Returns a new CFDictionary the caller owns.
CFDictionaryRef PolicyEngine::find(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
{
	SQLite::Statement query(*this);
	selectRules(query,
		"SELECT scan_authority.id, scan_authority.type, scan_authority.requirement, scan_authority.allow, scan_authority.label, scan_authority.priority, scan_authority.remarks, scan_authority.expires, scan_authority.disabled, bookmarkhints.bookmark FROM scan_authority LEFT OUTER JOIN bookmarkhints ON scan_authority.id = bookmarkhints.authority",
		"scan_authority", target, type, flags, context, " ORDER BY priority DESC");

	CFRef<CFMutableArrayRef> matches = makeCFMutableArray(0);
	while (query.nextRow()) {
		SQLite::int64 ruleId = query[0];
		int ruleType = int(query[1]);	// the rule's own type; distinct from the `type` filter parameter
		const char *requirement = query[2];
		int allow = int(query[3]);
		const char *label = query[4];
		double priority = query[5];
		const char *remarks = query[6];
		double expires = query[7];
		int disabled = int(query[8]);
		CFRef<CFDataRef> bookmark = query[9].data();

		// mandatory keys
		CFRef<CFMutableDictionaryRef> rule = makeCFMutableDictionary(5,
			kSecAssessmentRuleKeyID, CFTempNumber(ruleId).get(),
			kSecAssessmentRuleKeyType, CFRef<CFStringRef>(typeNameFor(ruleType)).get(),
			kSecAssessmentRuleKeyRequirement, CFTempString(requirement).get(),
			kSecAssessmentRuleKeyAllow, allow ? kCFBooleanTrue : kCFBooleanFalse,
			kSecAssessmentRuleKeyPriority, CFTempNumber(priority).get()
		);

		// optional keys, present only when the row has a value for them
		if (label)
			CFDictionaryAddValue(rule, kSecAssessmentRuleKeyLabel, CFTempString(label));
		if (remarks)
			CFDictionaryAddValue(rule, kSecAssessmentRuleKeyRemarks, CFTempString(remarks));
		if (expires != never)
			CFDictionaryAddValue(rule, kSecAssessmentRuleKeyExpires, CFRef<CFDateRef>(julianToDate(expires)));
		if (disabled)
			CFDictionaryAddValue(rule, kSecAssessmentRuleKeyDisabled, CFTempNumber(disabled));
		if (bookmark)
			CFDictionaryAddValue(rule, kSecAssessmentRuleKeyBookmark, bookmark);

		CFArrayAppendValue(matches, rule);
	}

	if (CFArrayGetCount(matches) == 0)
		MacOSError::throwMe(errSecCSNoMatches);
	return cfmake<CFDictionaryRef>("{%O=%O}", kSecAssessmentUpdateKeyFound, matches.get());
}