// Takes the "context" policies to extract the revocation and apply it to timeStamp.
CFArrayRef
SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray)
{
/* can't use SECAPI macros, since this function does not return OSStatus */
CFArrayRef resultPolicyArray=NULL;
try {
// Set default policy
CFRef<CFArrayRef> policyArray = cfArrayize(policyOrArray);
CFRef<SecPolicyRef> defaultPolicy = SecPolicyCreateWithOID(kSecPolicyAppleTimeStamping);
CFRef<CFMutableArrayRef> appleTimeStampingPolicies = makeCFMutableArray(1,defaultPolicy.get());
// Parse the policy and add revocation related ones
CFIndex numPolicies = CFArrayGetCount(policyArray);
for(CFIndex dex=0; dex<numPolicies; dex++) {
SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(policyArray, dex);
SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol));
const CssmOid &oid = pol->oid();
if ((oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION))
|| (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL))
|| (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP)))
{
CFArrayAppendValue(appleTimeStampingPolicies, secPol);
}
}
// Transfer of ownership
resultPolicyArray=appleTimeStampingPolicies.yield();
}
catch (...) {
CFReleaseNull(resultPolicyArray);
};
return resultPolicyArray;
}
static CFArrayRef copyCertChainFromSignature(xar_signature_t sig)
{
unsigned count = xar_signature_get_x509certificate_count(sig);
CFRef<CFMutableArrayRef> certs = makeCFMutableArray(0);
for (unsigned ix = 0; ix < count; ix++) {
const uint8_t *data;
uint32_t length;
if (xar_signature_get_x509certificate_data(sig, ix, &data, &length) == 0) {
CFTempData cdata(data, length);
CFRef<SecCertificateRef> cert = SecCertificateCreateWithData(NULL, cdata);
CFArrayAppendValue(certs, cert.get());
}
}
return certs.yield();
}
CFDictionaryRef PolicyEngine::find(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
{
SQLite::Statement query(*this);
selectRules(query, "SELECT scan_authority.id, scan_authority.type, scan_authority.requirement, scan_authority.allow, scan_authority.label, scan_authority.priority, scan_authority.remarks, scan_authority.expires, scan_authority.disabled, bookmarkhints.bookmark FROM scan_authority LEFT OUTER JOIN bookmarkhints ON scan_authority.id = bookmarkhints.authority",
"scan_authority", target, type, flags, context,
" ORDER BY priority DESC");
CFRef<CFMutableArrayRef> found = makeCFMutableArray(0);
while (query.nextRow()) {
SQLite::int64 id = query[0];
int type = int(query[1]);
const char *requirement = query[2];
int allow = int(query[3]);
const char *label = query[4];
double priority = query[5];
const char *remarks = query[6];
double expires = query[7];
int disabled = int(query[8]);
CFRef<CFDataRef> bookmark = query[9].data();
CFRef<CFMutableDictionaryRef> rule = makeCFMutableDictionary(5,
kSecAssessmentRuleKeyID, CFTempNumber(id).get(),
kSecAssessmentRuleKeyType, CFRef<CFStringRef>(typeNameFor(type)).get(),
kSecAssessmentRuleKeyRequirement, CFTempString(requirement).get(),
kSecAssessmentRuleKeyAllow, allow ? kCFBooleanTrue : kCFBooleanFalse,
kSecAssessmentRuleKeyPriority, CFTempNumber(priority).get()
);
if (label)
CFDictionaryAddValue(rule, kSecAssessmentRuleKeyLabel, CFTempString(label));
if (remarks)
CFDictionaryAddValue(rule, kSecAssessmentRuleKeyRemarks, CFTempString(remarks));
if (expires != never)
CFDictionaryAddValue(rule, kSecAssessmentRuleKeyExpires, CFRef<CFDateRef>(julianToDate(expires)));
if (disabled)
CFDictionaryAddValue(rule, kSecAssessmentRuleKeyDisabled, CFTempNumber(disabled));
if (bookmark)
CFDictionaryAddValue(rule, kSecAssessmentRuleKeyBookmark, bookmark);
CFArrayAppendValue(found, rule);
}
if (CFArrayGetCount(found) == 0)
MacOSError::throwMe(errSecCSNoMatches);
return cfmake<CFDictionaryRef>("{%O=%O}", kSecAssessmentUpdateKeyFound, found.get());
}
