2013-04-29 09:19:57 +00:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2013 Martin Willi
|
|
|
|
|
* Copyright (C) 2013 revosec AG
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
|
* for more details.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "keychain_creds.h"
|
|
|
|
|
|
|
|
|
|
#include <utils/debug.h>
|
2013-04-30 12:50:48 +00:00
|
|
|
#include <credentials/sets/mem_cred.h>
|
2013-05-01 08:38:46 +00:00
|
|
|
#include <processing/jobs/callback_job.h>
|
2013-04-29 09:19:57 +00:00
|
|
|
|
2013-04-30 09:59:01 +00:00
|
|
|
#include <Security/Security.h>
|
|
|
|
|
|
2013-04-30 13:33:42 +00:00
|
|
|
/**
|
2013-05-01 08:37:49 +00:00
|
|
|
* System Roots keychain
|
2013-04-30 13:33:42 +00:00
|
|
|
*/
|
|
|
|
|
#define SYSTEM_ROOTS "/System/Library/Keychains/SystemRootCertificates.keychain"
|
|
|
|
|
|
2013-05-01 08:37:49 +00:00
|
|
|
/**
|
|
|
|
|
* System keychain
|
|
|
|
|
*/
|
|
|
|
|
#define SYSTEM "/Library/Keychains/System.keychain"
|
|
|
|
|
|
2013-04-29 09:19:57 +00:00
|
|
|
typedef struct private_keychain_creds_t private_keychain_creds_t;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Private data of an keychain_creds_t object.
|
|
|
|
|
*/
|
|
|
|
|
struct private_keychain_creds_t {
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Public keychain_creds_t interface.
|
|
|
|
|
*/
|
|
|
|
|
keychain_creds_t public;
|
2013-04-30 12:50:48 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Active in-memory credential set
|
|
|
|
|
*/
|
|
|
|
|
mem_cred_t *set;
|
2013-04-30 13:33:42 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* System roots credential set
|
|
|
|
|
*/
|
|
|
|
|
mem_cred_t *roots;
|
2013-05-01 08:38:46 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Run loop of event monitoring thread
|
|
|
|
|
*/
|
|
|
|
|
CFRunLoopRef loop;
|
2013-04-29 09:19:57 +00:00
|
|
|
};
|
|
|
|
|
|
2013-04-30 13:33:42 +00:00
|
|
|
/**
|
2013-05-01 08:37:49 +00:00
|
|
|
* Load a credential sets with certificates from a keychain path
|
2013-04-30 13:33:42 +00:00
|
|
|
*/
|
2013-05-01 08:37:49 +00:00
|
|
|
static mem_cred_t* load_certs(private_keychain_creds_t *this, char *path)
|
2013-04-30 13:33:42 +00:00
|
|
|
{
|
|
|
|
|
SecKeychainRef keychain;
|
|
|
|
|
SecKeychainSearchRef search;
|
|
|
|
|
SecKeychainItemRef item;
|
|
|
|
|
mem_cred_t *set;
|
|
|
|
|
OSStatus status;
|
2013-07-31 09:36:55 +00:00
|
|
|
int loaded = 0;
|
2013-04-30 13:33:42 +00:00
|
|
|
|
|
|
|
|
set = mem_cred_create();
|
|
|
|
|
|
2013-07-31 09:36:55 +00:00
|
|
|
DBG2(DBG_CFG, "loading certificates from %s:", path);
|
2013-05-01 08:37:49 +00:00
|
|
|
status = SecKeychainOpen(path, &keychain);
|
2013-04-30 13:33:42 +00:00
|
|
|
if (status == errSecSuccess)
|
|
|
|
|
{
|
|
|
|
|
status = SecKeychainSearchCreateFromAttributes(keychain,
|
|
|
|
|
kSecCertificateItemClass, NULL, &search);
|
|
|
|
|
if (status == errSecSuccess)
|
|
|
|
|
{
|
|
|
|
|
while (SecKeychainSearchCopyNext(search, &item) == errSecSuccess)
|
|
|
|
|
{
|
|
|
|
|
certificate_t *cert;
|
|
|
|
|
UInt32 len;
|
|
|
|
|
void *data;
|
|
|
|
|
|
|
|
|
|
if (SecKeychainItemCopyAttributesAndData(item, NULL, NULL, NULL,
|
|
|
|
|
&len, &data) == errSecSuccess)
|
|
|
|
|
{
|
|
|
|
|
cert = lib->creds->create(lib->creds,
|
|
|
|
|
CRED_CERTIFICATE, CERT_X509,
|
|
|
|
|
BUILD_BLOB_ASN1_DER, chunk_create(data, len),
|
|
|
|
|
BUILD_END);
|
|
|
|
|
if (cert)
|
|
|
|
|
{
|
2013-07-31 09:36:55 +00:00
|
|
|
DBG2(DBG_CFG, " loaded '%Y'", cert->get_subject(cert));
|
2013-04-30 13:33:42 +00:00
|
|
|
set->add_cert(set, TRUE, cert);
|
2013-07-31 09:36:55 +00:00
|
|
|
loaded++;
|
2013-04-30 13:33:42 +00:00
|
|
|
}
|
|
|
|
|
SecKeychainItemFreeAttributesAndData(NULL, data);
|
|
|
|
|
}
|
|
|
|
|
CFRelease(item);
|
|
|
|
|
}
|
|
|
|
|
CFRelease(search);
|
|
|
|
|
}
|
|
|
|
|
CFRelease(keychain);
|
|
|
|
|
}
|
2013-07-31 09:36:55 +00:00
|
|
|
DBG1(DBG_CFG, "loaded %d certificates from %s", loaded, path);
|
2013-04-30 13:33:42 +00:00
|
|
|
return set;
|
|
|
|
|
}
|
|
|
|
|
|
2013-05-01 08:38:46 +00:00
|
|
|
/**
|
|
|
|
|
* Callback function reloading keychain on changes
|
|
|
|
|
*/
|
|
|
|
|
static OSStatus keychain_cb(SecKeychainEvent keychainEvent,
|
|
|
|
|
SecKeychainCallbackInfo *info,
|
|
|
|
|
private_keychain_creds_t *this)
|
|
|
|
|
{
|
|
|
|
|
mem_cred_t *new;
|
|
|
|
|
|
|
|
|
|
DBG1(DBG_CFG, "received keychain event, reloading credentials");
|
|
|
|
|
|
|
|
|
|
/* register new before removing old */
|
|
|
|
|
new = load_certs(this, SYSTEM);
|
|
|
|
|
lib->credmgr->add_set(lib->credmgr, &new->set);
|
|
|
|
|
lib->credmgr->remove_set(lib->credmgr, &this->set->set);
|
|
|
|
|
|
2013-05-01 09:14:16 +00:00
|
|
|
lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
|
|
|
|
|
|
2013-05-01 08:38:46 +00:00
|
|
|
this->set->destroy(this->set);
|
|
|
|
|
this->set = new;
|
|
|
|
|
|
|
|
|
|
return errSecSuccess;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Wait for changes in the keychain and handle them
|
|
|
|
|
*/
|
|
|
|
|
static job_requeue_t monitor_changes(private_keychain_creds_t *this)
|
|
|
|
|
{
|
|
|
|
|
if (SecKeychainAddCallback((SecKeychainCallback)keychain_cb,
|
|
|
|
|
kSecAddEventMask | kSecDeleteEventMask |
|
|
|
|
|
kSecUpdateEventMask | kSecTrustSettingsChangedEventMask,
|
|
|
|
|
this) == errSecSuccess)
|
|
|
|
|
{
|
|
|
|
|
this->loop = CFRunLoopGetCurrent();
|
|
|
|
|
|
2021-06-25 09:32:29 +00:00
|
|
|
/* does not return until canceled */
|
2013-05-01 08:38:46 +00:00
|
|
|
CFRunLoopRun();
|
|
|
|
|
|
|
|
|
|
this->loop = NULL;
|
|
|
|
|
SecKeychainRemoveCallback((SecKeychainCallback)keychain_cb);
|
|
|
|
|
}
|
|
|
|
|
return JOB_REQUEUE_NONE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Cancel the monitoring thread in its RunLoop
|
|
|
|
|
*/
|
|
|
|
|
static bool cancel_monitor(private_keychain_creds_t *this)
|
|
|
|
|
{
|
|
|
|
|
if (this->loop)
|
|
|
|
|
{
|
|
|
|
|
CFRunLoopStop(this->loop);
|
|
|
|
|
}
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
2013-04-29 09:19:57 +00:00
|
|
|
METHOD(keychain_creds_t, destroy, void,
|
|
|
|
|
private_keychain_creds_t *this)
|
|
|
|
|
{
|
2013-04-30 12:50:48 +00:00
|
|
|
lib->credmgr->remove_set(lib->credmgr, &this->set->set);
|
2013-04-30 13:33:42 +00:00
|
|
|
lib->credmgr->remove_set(lib->credmgr, &this->roots->set);
|
2013-04-30 12:50:48 +00:00
|
|
|
this->set->destroy(this->set);
|
2013-04-30 13:33:42 +00:00
|
|
|
this->roots->destroy(this->roots);
|
2013-04-29 09:19:57 +00:00
|
|
|
free(this);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* See header
|
|
|
|
|
*/
|
|
|
|
|
keychain_creds_t *keychain_creds_create()
|
|
|
|
|
{
|
|
|
|
|
private_keychain_creds_t *this;
|
|
|
|
|
|
|
|
|
|
INIT(this,
|
|
|
|
|
.public = {
|
|
|
|
|
.destroy = _destroy,
|
|
|
|
|
},
|
|
|
|
|
);
|
|
|
|
|
|
2013-05-01 08:37:49 +00:00
|
|
|
this->roots = load_certs(this, SYSTEM_ROOTS);
|
|
|
|
|
this->set = load_certs(this, SYSTEM);
|
2013-04-30 13:33:42 +00:00
|
|
|
|
|
|
|
|
lib->credmgr->add_set(lib->credmgr, &this->roots->set);
|
2013-04-30 12:50:48 +00:00
|
|
|
lib->credmgr->add_set(lib->credmgr, &this->set->set);
|
|
|
|
|
|
2013-05-01 08:38:46 +00:00
|
|
|
lib->processor->queue_job(lib->processor,
|
|
|
|
|
(job_t*)callback_job_create_with_prio((void*)monitor_changes,
|
|
|
|
|
this, NULL, (void*)cancel_monitor, JOB_PRIO_CRITICAL));
|
|
|
|
|
|
2013-04-29 09:19:57 +00:00
|
|
|
return &this->public;
|
|
|
|
|
}
|
