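/* new in 10.7 */
/*
 * Create a SecPolicyRef for one of the policy-name constants declared in
 * SecPolicy.h.
 *
 * policyOID: expected to be one of the kSecPolicy* CFStringRef constants.
 *            A NULL, a value that is not a CFString, or a string that is
 *            neither kSecPolicyAppleServerAuthentication nor one of the names
 *            in the table below produces NULL, never a policy.
 * Returns:   a policy reference, or NULL if the name is unknown or every
 *            creation path below failed. Named per the CF "Create" rule, so
 *            the caller is expected to release it — confirm against the header.
 */
SecPolicyRef SecPolicyCreateWithOID(CFTypeRef policyOID)
{
    // for now, we only accept the policy constants that are defined in SecPolicy.h
    //
    // Reject anything that is not a CFString before comparing: the
    // CFStringCompare / CFEqual calls below are only meaningful for strings,
    // and the parameter type (CFTypeRef) does not enforce that.
    if (!policyOID || CFGetTypeID(policyOID) != CFStringGetTypeID()) {
        return NULL;
    }
    CFStringRef oidStr = (CFStringRef)policyOID;

    // Server authentication has no entry in the OID table; it is built
    // directly. Checking it first is equivalent to the original ordering,
    // since this branch was taken before the table lookup result was used.
    if (CFEqual(oidStr, kSecPolicyAppleServerAuthentication)) {
        return SecPolicyCreateAppleSSLService(NULL);
    }

    struct oidmap_entry_t {
        const CFTypeRef oidstr;
        const SecAsn1Oid *oidptr;
    };
    // Not static: the kSecPolicy* names are extern constants, not constant
    // expressions, so the table must be built at run time.
    const struct oidmap_entry_t oidmap[] = {
        { kSecPolicyAppleX509Basic,        &CSSMOID_APPLE_X509_BASIC },
        { kSecPolicyAppleSSL,              &CSSMOID_APPLE_TP_SSL },
        { kSecPolicyAppleSMIME,            &CSSMOID_APPLE_TP_SMIME },
        { kSecPolicyAppleEAP,              &CSSMOID_APPLE_TP_EAP },
        { kSecPolicyAppleIPsec,            &CSSMOID_APPLE_TP_IP_SEC },
        { kSecPolicyAppleiChat,            &CSSMOID_APPLE_TP_ICHAT },
        { kSecPolicyApplePKINITClient,     &CSSMOID_APPLE_TP_PKINIT_CLIENT },
        { kSecPolicyApplePKINITServer,     &CSSMOID_APPLE_TP_PKINIT_SERVER },
        { kSecPolicyAppleCodeSigning,      &CSSMOID_APPLE_TP_CODE_SIGNING },
        { kSecPolicyMacAppStoreReceipt,    &CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT },
        { kSecPolicyAppleIDValidation,     &CSSMOID_APPLE_TP_APPLEID_SHARING },
        { kSecPolicyAppleTimeStamping,     &CSSMOID_APPLE_TP_TIMESTAMPING },
        { kSecPolicyAppleRevocation,       &CSSMOID_APPLE_TP_REVOCATION },
        { kSecPolicyApplePassbookSigning,  &CSSMOID_APPLE_TP_PASSBOOK_SIGNING },
        { kSecPolicyAppleMobileStore,      &CSSMOID_APPLE_TP_MOBILE_STORE },
        { kSecPolicyAppleEscrowService,    &CSSMOID_APPLE_TP_ESCROW_SERVICE },
        { kSecPolicyAppleProfileSigner,    &CSSMOID_APPLE_TP_PROFILE_SIGNING },
        { kSecPolicyAppleQAProfileSigner,  &CSSMOID_APPLE_TP_QA_PROFILE_SIGNING },
        { kSecPolicyAppleTestMobileStore,  &CSSMOID_APPLE_TP_TEST_MOBILE_STORE },
        { kSecPolicyApplePCSEscrowService, &CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE },
    };

    // Map the policy name to its CSSM OID; an unknown name yields NULL.
    CSSM_OID *oidPtr = NULL;
    const size_t oidmaplen = sizeof(oidmap) / sizeof(oidmap[0]);
    for (size_t i = 0; i < oidmaplen; i++) {
        CFStringRef entryName = (CFStringRef)oidmap[i].oidstr;
        if (CFStringCompare(entryName, oidStr, 0) == kCFCompareEqualTo) {
            oidPtr = (CSSM_OID *)oidmap[i].oidptr;
            break;
        }
    }
    if (!oidPtr) {
        return NULL;
    }

    // First try to find an existing policy object for this OID.
    SecPolicyRef policy = NULL;
    SecPolicySearchRef policySearch = NULL;
    OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, oidPtr, NULL, &policySearch);
    if (!status && policySearch) {
        // The result of CopyNext is deliberately not checked: on failure the
        // fallbacks below run, exactly as in the original.
        (void)SecPolicySearchCopyNext(policySearch, &policy);
        CFRelease(policySearch);
    }
    // The revocation policy has a dedicated constructor; prefer it over the
    // generic OID-based constructor when the search found nothing.
    if (!policy && CFEqual(oidStr, kSecPolicyAppleRevocation)) {
        policy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod);
    }
    if (!policy) {
        policy = SecPolicyCreateWithSecAsn1Oid((SecAsn1Oid *)oidPtr);
    }
    return policy;
}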
/*
 * Regression test: a WWDR-issued leaf that carries no revocation info of its
 * own must still get an OCSP responder synthesized for it, and a trust
 * evaluation with a revocation policy attached must come back as a failure.
 *
 * Uses the test-harness macros isnt / ok / ok_status (defined elsewhere) and
 * the WWDR_NoRevInfo / WWDR_CA byte arrays (defined elsewhere).
 */
static void tests(void) {
    SecTrustRef trust;
    SecCertificateRef cert0, cert1;
    // The assignment inside the macro argument is intentional: the created
    // reference is both stored and checked against NULL in one step.
    isnt(cert0 = SecCertificateCreateWithBytes(NULL, WWDR_NoRevInfo, sizeof(WWDR_NoRevInfo)), NULL, "create leaf");
    isnt(cert1 = SecCertificateCreateWithBytes(NULL, WWDR_CA, sizeof(WWDR_CA)), NULL, "create intermediate");
    CFMutableArrayRef certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
    CFArrayAppendValue(certs, cert0);
    CFArrayAppendValue(certs, cert1);
    /* at this point, we should have an OCSP responder for the WWDR-issued leaf cert,
     * even though the leaf itself doesn't contain any revocation info. */
    // "Get" rather than "Copy": the array is presumably not owned by this
    // function, which is why it is never released below — confirm against the header.
    CFArrayRef ocspResponders = SecCertificateGetOCSPResponders(cert0);
    ok(ocspResponders != NULL, "synthesized OCSP responder successfully");
    SecPolicyRef signingPolicy = SecPolicyCreateCodeSigning();
    // NOTE(review): called here with no flags, whereas the other listing on this
    // page passes kSecRevocation* flags to SecPolicyCreateRevocation — confirm
    // this matches the SecPolicy.h in use, and which revocation methods and
    // failure mode (soft vs. hard fail) the no-argument form selects.
    SecPolicyRef ocspPolicy = SecPolicyCreateRevocation();
    const void *v_policies[] = { signingPolicy, ocspPolicy };
    CFArrayRef policies = CFArrayCreate(NULL, v_policies, sizeof(v_policies) / sizeof(*v_policies), &kCFTypeArrayCallBacks);
    // The array retains its elements (kCFTypeArrayCallBacks), so the local
    // references can be dropped now.
    CFRelease(signingPolicy);
    CFRelease(ocspPolicy);
    ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust");
    /* Aug 1st 2012. */
    CFGregorianDate g_date = { 2012, 8, 1, 12, 0, 0 }; // Aug 1 2012 12:00 PM
    // Only consumed by the disabled #if 0 branch below; with the current build
    // the evaluation runs against the current date and this object is just released.
    CFDateRef date = CFDateCreate(kCFAllocatorDefault, CFGregorianDateGetAbsoluteTime(g_date, NULL));
#if 0 /* will we trust the OCSP response for a verify date in the past?? */
    ok_status(SecTrustSetVerifyDate(trust, date), "set date");
#else
    // Placeholder assertion that always passes; it keeps the test count stable
    // while the verify-date variant above is disabled.
    ok_status(errSecSuccess, "using current date");
#endif
    SecTrustResultType trustResult;
    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
    /* The cert should either be reported as revoked (until Jan 13 2013),
     * or as expired (after Jan 13 2013). That means its trust result value
     * should be 5 (kSecTrustResultRecoverableTrustFailure) or greater.
     */
    // Any result at or above this value counts: the check does not distinguish
    // "revoked" from "expired" or from other failure classes, only that the
    // chain was not trusted.
    ok(trustResult >= kSecTrustResultRecoverableTrustFailure, "trustResult must report a failure, cert is either expired or revoked");
#if 0
    fprintf(stderr, "=== trustResult %lu\n", trustResult);
    CFStringRef errStr = SecTrustCopyFailureDescription(trust);
    CFShow(errStr);
#endif
    CFReleaseSafe(trust);
    CFReleaseSafe(policies);
    CFReleaseSafe(certs);
    CFReleaseSafe(cert0);
    CFReleaseSafe(cert1);
    CFReleaseSafe(date);
}
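/*
 * Build the revocation-checking policy attached to an X509 chain evaluation.
 *
 * Returns: whatever SecPolicyCreateRevocation returns for the given flags;
 *          the result is not NULL-checked here, so the caller must handle NULL.
 * The flags ask for any available revocation method to be tried and, per
 * kSecRevocationRequirePositiveResponse, for the lack of a usable response to
 * be treated as a failure rather than ignored (hard-fail semantics) — confirm
 * against the SecPolicy.h in use.
 */
SecPolicyRef AppleCryptoNative_X509ChainCreateRevocationPolicy(void)
{
    // (void) rather than (): an empty parameter list in C is an old-style
    // declaration that does not reject stray arguments at call sites.
    return SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod | kSecRevocationRequirePositiveResponse);
}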