int
hx509_certs_find(hx509_context context,
hx509_certs certs,
const hx509_query *q,
hx509_cert *r)
{
hx509_cursor cursor;
hx509_cert c;
int ret;
*r = NULL;
_hx509_query_statistic(context, 0, q);
if (certs->ops->query)
return (*certs->ops->query)(context, certs, certs->ops_data, q, r);
ret = hx509_certs_start_seq(context, certs, &cursor);
if (ret)
return ret;
c = NULL;
while (1) {
ret = hx509_certs_next_cert(context, certs, cursor, &c);
if (ret)
break;
if (c == NULL)
break;
if (_hx509_query_match_cert(context, q, c)) {
*r = c;
break;
}
hx509_cert_free(c);
}
hx509_certs_end_seq(context, certs, cursor);
if (ret)
return ret;
if (c == NULL) {
hx509_clear_error_string(context);
return HX509_CERT_NOT_FOUND;
}
return 0;
}
static int
keychain_query(hx509_context context,
hx509_certs certs,
void *data,
const hx509_query *query,
hx509_cert *retcert)
{
CFArrayRef identities = NULL;
hx509_cert cert = NULL;
CFIndex n, count;
int ret;
int kdcLookupHack = 0;
/*
* First to course filtering using security framework ....
*/
#define FASTER_FLAGS (HX509_QUERY_MATCH_PERSISTENT|HX509_QUERY_PRIVATE_KEY)
if ((query->match & FASTER_FLAGS) == 0)
return HX509_UNIMPLEMENTED_OPERATION;
CFMutableDictionaryRef secQuery = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
/*
* XXX this is so broken, SecItem doesn't find the kdc certificte,
* and kdc certificates happend to be searched by friendly name,
* so find that and mundge on the structure.
*/
if ((query->match & HX509_QUERY_MATCH_FRIENDLY_NAME) &&
(query->match & HX509_QUERY_PRIVATE_KEY) &&
strcmp(query->friendlyname, "O=System Identity,CN=com.apple.kerberos.kdc") == 0)
{
((hx509_query *)query)->match &= ~HX509_QUERY_PRIVATE_KEY;
kdcLookupHack = 1;
}
if (kdcLookupHack || (query->match & HX509_QUERY_MATCH_PERSISTENT)) {
CFDictionaryAddValue(secQuery, kSecClass, kSecClassCertificate);
} else
CFDictionaryAddValue(secQuery, kSecClass, kSecClassIdentity);
CFDictionaryAddValue(secQuery, kSecReturnRef, kCFBooleanTrue);
CFDictionaryAddValue(secQuery, kSecMatchLimit, kSecMatchLimitAll);
if (query->match & HX509_QUERY_MATCH_PERSISTENT) {
CFDataRef refdata = CFDataCreateWithBytesNoCopy(NULL, query->persistent->data, query->persistent->length, kCFAllocatorNull);
CFDictionaryAddValue(secQuery, kSecValuePersistentRef, refdata);
CFRelease(refdata);
}
OSStatus status = SecItemCopyMatching(secQuery, (CFTypeRef *)&identities);
CFRelease(secQuery);
if (status || identities == NULL) {
hx509_clear_error_string(context);
return HX509_CERT_NOT_FOUND;
}
heim_assert(CFArrayGetTypeID() == CFGetTypeID(identities), "return value not an array");
/*
* ... now do hx509 filtering
*/
count = CFArrayGetCount(identities);
for (n = 0; n < count; n++) {
CFTypeRef secitem = (CFTypeRef)CFArrayGetValueAtIndex(identities, n);
#ifndef __APPLE_TARGET_EMBEDDED__
if (query->match & HX509_QUERY_MATCH_PERSISTENT) {
SecIdentityRef other = NULL;
OSStatus osret;
osret = SecIdentityCreateWithCertificate(NULL, (SecCertificateRef)secitem, &other);
if (osret == noErr) {
ret = hx509_cert_init_SecFramework(context, (void *)other, &cert);
CFRelease(other);
if (ret)
continue;
} else {
ret = hx509_cert_init_SecFramework(context, (void *)secitem, &cert);
if (ret)
continue;
}
} else
#endif
{
ret = hx509_cert_init_SecFramework(context, (void *)secitem, &cert);
if (ret)
continue;
}
if (_hx509_query_match_cert(context, query, cert)) {
#ifndef __APPLE_TARGET_EMBEDDED__
/* certtool/keychain doesn't glue togheter the cert with keys for system keys */
if (kdcLookupHack) {
SecIdentityRef other = NULL;
OSStatus osret;
osret = SecIdentityCreateWithCertificate(NULL, (SecCertificateRef)secitem, &other);
if (osret == noErr) {
hx509_cert_free(cert);
ret = hx509_cert_init_SecFramework(context, other, &cert);
CFRelease(other);
if (ret)
continue;
}
}
#endif
*retcert = cert;
break;
}
hx509_cert_free(cert);
}
if (kdcLookupHack)
((hx509_query *)query)->match |= HX509_QUERY_PRIVATE_KEY;
CFRelease(identities);
if (*retcert == NULL) {
hx509_clear_error_string(context);
return HX509_CERT_NOT_FOUND;
}
return 0;
}
