strongswan/src/libstrongswan/plugins/keychain/keychain_creds.c

/*
 * Copyright (C) 2013 Martin Willi
 * Copyright (C) 2013 revosec AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "keychain_creds.h"

#include <utils/debug.h>
#include <credentials/sets/mem_cred.h>

#include <Security/Security.h>

typedef struct private_keychain_creds_t private_keychain_creds_t;

/**
 * Private data of an keychain_creds_t object.
 */
struct private_keychain_creds_t {

	/**
	 * Public keychain_creds_t interface.
	 */
	keychain_creds_t public;

	/**
	 * Active in-memory credential set
	 */
	mem_cred_t *set;
};

/**
 * Create a credential set loaded with certificates
 */
static mem_cred_t* load_creds(private_keychain_creds_t *this)
{
	mem_cred_t *set;
	OSStatus status;
	CFDictionaryRef query;
	CFArrayRef certs;
	const void* keys[] = {
		kSecReturnData,
		kSecMatchLimit,
		kSecClass,
		kSecAttrCanVerify,
		kSecMatchTrustedOnly,
	};
	const void* values[] = {
		kCFBooleanTrue,
		kSecMatchLimitAll,
		kSecClassCertificate,
		kCFBooleanTrue,
		kCFBooleanTrue,
	};
	int i;

	set = mem_cred_create();

	DBG1(DBG_CFG, "loading System certificates:");
	query = CFDictionaryCreate(NULL, keys, values, countof(keys),
							   &kCFTypeDictionaryKeyCallBacks,
							   &kCFTypeDictionaryValueCallBacks);
	if (query)
	{
		status = SecItemCopyMatching(query, (CFTypeRef*)&certs);
		CFRelease(query);
		if (status == errSecSuccess)
		{
			for (i = 0; i < CFArrayGetCount(certs); i++)
			{
				certificate_t *cert;
				CFDataRef data;
				chunk_t chunk;

				data = CFArrayGetValueAtIndex(certs, i);
				if (data)
				{
					chunk = chunk_create((char*)CFDataGetBytePtr(data),
										 CFDataGetLength(data));
					cert = lib->creds->create(lib->creds,
										CRED_CERTIFICATE, CERT_X509,
										BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
					if (cert)
					{
						DBG1(DBG_CFG, "  loaded '%Y'", cert->get_subject(cert));
						set->add_cert(set, TRUE, cert);
					}
				}
			}
			CFRelease(certs);
		}
	}
	return set;
}

METHOD(keychain_creds_t, destroy, void,
	private_keychain_creds_t *this)
{
	lib->credmgr->remove_set(lib->credmgr, &this->set->set);
	this->set->destroy(this->set);
	free(this);
}

/**
 * See header
 */
keychain_creds_t *keychain_creds_create()
{
	private_keychain_creds_t *this;

	INIT(this,
		.public = {
			.destroy = _destroy,
		},
	);

	this->set = load_creds(this);
	lib->credmgr->add_set(lib->credmgr, &this->set->set);

	return &this->public;
}
keychain: add a stub for a credential plugin using OS X Keychain Services 2013-04-29 09:19:57 +00:00			`/*`
			`* Copyright (C) 2013 Martin Willi`
			`* Copyright (C) 2013 revosec AG`
			`*`
			`* This program is free software; you can redistribute it and/or modify it`
			`* under the terms of the GNU General Public License as published by the`
			`* Free Software Foundation; either version 2 of the License, or (at your`
			`* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.`
			`*`
			`* This program is distributed in the hope that it will be useful, but`
			`* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY`
			`* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License`
			`* for more details.`
			`*/`

			`#include "keychain_creds.h"`

			`#include <utils/debug.h>`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`#include <credentials/sets/mem_cred.h>`
keychain: add a stub for a credential plugin using OS X Keychain Services 2013-04-29 09:19:57 +00:00
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`#include <Security/Security.h>`

keychain: add a stub for a credential plugin using OS X Keychain Services 2013-04-29 09:19:57 +00:00			`typedef struct private_keychain_creds_t private_keychain_creds_t;`

			`/**`
			`* Private data of an keychain_creds_t object.`
			`*/`
			`struct private_keychain_creds_t {`

			`/**`
			`* Public keychain_creds_t interface.`
			`*/`
			`keychain_creds_t public;`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00
			`/**`
			`* Active in-memory credential set`
			`*/`
			`mem_cred_t *set;`
keychain: add a stub for a credential plugin using OS X Keychain Services 2013-04-29 09:19:57 +00:00			`};`

keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`/**`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`* Create a credential set loaded with certificates`
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`*/`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`static mem_cred_t* load_creds(private_keychain_creds_t *this)`
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`{`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`mem_cred_t *set;`
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`OSStatus status;`
			`CFDictionaryRef query;`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`CFArrayRef certs;`
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`const void* keys[] = {`
			`kSecReturnData,`
			`kSecMatchLimit,`
			`kSecClass,`
			`kSecAttrCanVerify,`
			`kSecMatchTrustedOnly,`
			`};`
			`const void* values[] = {`
			`kCFBooleanTrue,`
			`kSecMatchLimitAll,`
			`kSecClassCertificate,`
			`kCFBooleanTrue,`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`kCFBooleanTrue,`
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`};`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`int i;`

			`set = mem_cred_create();`
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`DBG1(DBG_CFG, "loading System certificates:");`
			`query = CFDictionaryCreate(NULL, keys, values, countof(keys),`
			`&kCFTypeDictionaryKeyCallBacks,`
			`&kCFTypeDictionaryValueCallBacks);`
			`if (query)`
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`{`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`status = SecItemCopyMatching(query, (CFTypeRef*)&certs);`
			`CFRelease(query);`
			`if (status == errSecSuccess)`
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`{`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`for (i = 0; i < CFArrayGetCount(certs); i++)`
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`{`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`certificate_t *cert;`
			`CFDataRef data;`
			`chunk_t chunk;`

			`data = CFArrayGetValueAtIndex(certs, i);`
			`if (data)`
			`{`
			`chunk = chunk_create((char*)CFDataGetBytePtr(data),`
			`CFDataGetLength(data));`
			`cert = lib->creds->create(lib->creds,`
			`CRED_CERTIFICATE, CERT_X509,`
			`BUILD_BLOB_ASN1_DER, chunk, BUILD_END);`
			`if (cert)`
			`{`
			`DBG1(DBG_CFG, " loaded '%Y'", cert->get_subject(cert));`
			`set->add_cert(set, TRUE, cert);`
			`}`
			`}`
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`}`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`CFRelease(certs);`
keychain: support on-the-fly enumeration of trusted/untrusted certificates 2013-04-30 09:59:01 +00:00			`}`
			`}`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`return set;`
keychain: add a stub for a credential plugin using OS X Keychain Services 2013-04-29 09:19:57 +00:00			`}`

			`METHOD(keychain_creds_t, destroy, void,`
			`private_keychain_creds_t *this)`
			`{`
keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`lib->credmgr->remove_set(lib->credmgr, &this->set->set);`
			`this->set->destroy(this->set);`
keychain: add a stub for a credential plugin using OS X Keychain Services 2013-04-29 09:19:57 +00:00			`free(this);`
			`}`

			`/**`
			`* See header`
			`*/`
			`keychain_creds_t *keychain_creds_create()`
			`{`
			`private_keychain_creds_t *this;`

			`INIT(this,`
			`.public = {`
			`.destroy = _destroy,`
			`},`
			`);`

keychain: load certificates only once during startup, improving performance 2013-04-30 12:50:48 +00:00			`this->set = load_creds(this);`
			`lib->credmgr->add_set(lib->credmgr, &this->set->set);`

keychain: add a stub for a credential plugin using OS X Keychain Services 2013-04-29 09:19:57 +00:00			`return &this->public;`
			`}`