source: trunk/dports/security/certsync/files/certsync.m @ 106042

Last change on this file since 106042 was 106042, checked in by landonf@…, 4 years ago

Add support for automatically regenerating the output file when the system keychain or trust settings are modified.

File size: 12.8 KB
Line 
1/*
2 * Author: Landon Fuller <landonf@plausiblelabs.com>
3 * Copyright (c) 2008-2013 Plausible Labs Cooperative, Inc.
4 * All rights reserved.
5 *
6 * Permission is hereby granted, free of charge, to any person
7 * obtaining a copy of this software and associated documentation
8 * files (the "Software"), to deal in the Software without
9 * restriction, including without limitation the rights to use,
10 * copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the
12 * Software is furnished to do so, subject to the following
13 * conditions:
14 *
15 * The above copyright notice and this permission notice shall be
16 * included in all copies or substantial portions of the Software.
17 *
18 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
19 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
20 * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
21 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
22 * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
23 * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
24 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
25 * OTHER DEALINGS IN THE SOFTWARE.
26 */
27
28#import <Foundation/Foundation.h>
29#import <AvailabilityMacros.h>
30
31#import <unistd.h>
32#import <stdio.h>
33
34#import <objc/message.h>
35
36/* A wrapper class that may be used to pass configuration through the
37 * FSEvent callback API */
38@interface MPCertSyncConfig : NSObject {
39@public
40    BOOL userAnchors;
41    NSString *outputFile;
42}
43@end
44
45@implementation MPCertSyncConfig
46- (void) dealloc {
47    [outputFile release];
48    [super dealloc];
49}
50@end
51
52/**
53 * Add CoreFoundation object to the current autorelease pool.
54 *
55 * @param cfObj Object to add to the current autorelease pool.
56 */
57CFTypeRef PLCFAutorelease (CFTypeRef cfObj) {
58    /* ARC forbids the use of @selector(autorelease), so we have to get creative */
59    static SEL autorelease;
60    static dispatch_once_t pred;
61    dispatch_once(&pred, ^{
62        autorelease = sel_getUid("autorelease");
63    });
64   
65    /* Cast and hand-dispatch */
66    return ((CFTypeRef (*)(CFTypeRef, SEL)) objc_msgSend)(cfObj, autorelease);
67}
68
69int nsvfprintf (FILE *stream, NSString *format, va_list args) {
70    int retval;
71   
72    NSString *str;
73    str = (NSString *) CFStringCreateWithFormatAndArguments(NULL, NULL, (CFStringRef) format, args);
74    retval = fprintf(stream, "%s", [str UTF8String]);
75    [str release];
76   
77    return retval;
78}
79
80int nsfprintf (FILE *stream, NSString *format, ...) {
81    va_list ap;
82    int retval;
83   
84    va_start(ap, format);
85    {
86        retval = nsvfprintf(stream, format, ap);
87    }
88    va_end(ap);
89   
90    return retval;
91}
92
93int nsprintf (NSString *format, ...) {
94    va_list ap;
95    int retval;
96   
97    va_start(ap, format);
98    {
99        retval = nsvfprintf(stderr, format, ap);
100    }
101    va_end(ap);
102   
103    return retval;
104}
105
106/**
107 * Fetch all trusted roots for the given @a domain.
108 *
109 * @param domain The trust domain to query.
110 * @param outError On error, will contain an NSError instance describing the failure.
111 *
112 * @return Returns a (possibly empty) array of certificates on success, nil on failure.
113 */
114static NSArray *certificatesForTrustDomain (SecTrustSettingsDomain domain, NSError **outError) {
115    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
116    CFArrayRef certs = nil;
117    OSStatus err;
118   
119    /* Fetch all certificates in the given domain */
120    err = SecTrustSettingsCopyCertificates(domain, &certs);
121    if (err == errSecSuccess) {
122        PLCFAutorelease(certs);
123    } else if (err == errSecNoTrustSettings ) {
124        /* No data */
125       
126        [pool release];
127        return [NSArray array];
128    } else if (err != errSecSuccess) {
129        /* Lookup failed */
130        if (outError != NULL)
131            *outError = [NSError errorWithDomain: NSOSStatusErrorDomain code: err userInfo:nil];
132       
133        [pool release];
134        return nil;
135    }
136   
137    /* Extract trusted roots */
138    NSMutableArray *results = [NSMutableArray arrayWithCapacity: CFArrayGetCount(certs)];
139    for (id certObj in (NSArray *) certs) {
140        SecCertificateRef cert = (SecCertificateRef) certObj;
141       
142        /* Fetch the trust settings */
143        CFArrayRef trustSettings = nil;
144        err = SecTrustSettingsCopyTrustSettings(cert, domain, &trustSettings);
145        if (err != errSecSuccess) {
146            /* Shouldn't happen */
147            nsfprintf(stderr, @"Failed to fetch trust settings\n");
148            continue;
149        } else {
150            PLCFAutorelease(trustSettings);
151        }
152       
153        /* If empty, trust for everything (as per the Security Framework documentation) */
154        if (CFArrayGetCount(trustSettings) == 0) {
155            [results addObject: certObj];
156        } else {
157            /* Otherwise, walk the properties and evaluate the trust settings result */
158            for (NSDictionary *trustProps in (NSArray *) trustSettings) {
159                CFNumberRef settingsResultNum;
160                SInt32 settingsResult;
161               
162                settingsResultNum = (CFNumberRef) [trustProps objectForKey: (id) kSecTrustSettingsResult];
163                CFNumberGetValue(settingsResultNum, kCFNumberSInt32Type, &settingsResult);
164               
165                /* If a root, add to the result set */
166                if (settingsResult == kSecTrustSettingsResultTrustRoot || settingsResult == kSecTrustSettingsResultTrustAsRoot) {
167                    [results addObject: certObj];
168                    break;
169                }
170            }
171        }
172    }
173
174    [results retain];
175    [pool release];
176    return [results autorelease];
177}
178
179static int exportCertificates (BOOL userAnchors, NSString *outputFile) {
180    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
181
182    /*
183     * Fetch all certificates
184     */
185   
186    NSMutableArray *anchors = [NSMutableArray array];
187    NSArray *result;
188    NSError *error;
189   
190    /* Current user */
191    if (userAnchors) {
192        result = certificatesForTrustDomain(kSecTrustSettingsDomainUser, &error);
193        if (result != nil) {
194            [anchors addObjectsFromArray: result];
195        } else {
196            nsfprintf(stderr, @"Failed to fetch user anchors: %@\n", error);
197            [pool release];
198            return EXIT_FAILURE;
199        }
200    }
201   
202    /* Admin */
203    result = certificatesForTrustDomain(kSecTrustSettingsDomainAdmin, &error);
204    if (result != nil) {
205        [anchors addObjectsFromArray: result];
206    } else {
207        nsfprintf(stderr, @"Failed to fetch admin anchors: %@\n", error);
208        [pool release];
209        return EXIT_FAILURE;
210    }
211   
212    /* System */
213    result = certificatesForTrustDomain(kSecTrustSettingsDomainSystem, &error);
214    if (result != nil) {
215        [anchors addObjectsFromArray: result];
216    } else {
217        nsfprintf(stderr, @"Failed to fetch system anchors: %@\n", error);
218        [pool release];
219        return EXIT_FAILURE;
220    }
221   
222    for (id certObj in result) {
223        CFErrorRef cferror = NULL;
224        CFStringRef subject;
225
226#if MAC_OS_X_VERSION_MAX_ALLOWED > MAC_OS_X_VERSION_10_6
227        if (SecCertificateCopyShortDescription != NULL) {
228            subject = PLCFAutorelease(SecCertificateCopyShortDescription(NULL, (SecCertificateRef) certObj, &cferror));
229        } else {
230            subject = PLCFAutorelease(SecCertificateCopySubjectSummary((SecCertificateRef) certObj));
231        }
232#else
233        subject = PLCFAutorelease(SecCertificateCopySubjectSummary((SecCertificateRef) certObj));
234#endif
235
236        if (subject == NULL) {
237            nsfprintf(stderr, @"Failed to extract certificate description: %@\n", cferror);
238            [pool release];
239            return EXIT_FAILURE;
240        } else {
241            nsfprintf(stderr, @"Extracting %@\n", subject);
242        }
243    }
244   
245    /*
246     * Perform export
247     */
248    CFDataRef pemData;
249    OSStatus err;
250   
251    /* Prefer the non-deprecated SecItemExport on Mac OS X >= 10.7. We use an ifdef to keep the code buildable with earlier SDKs, too. */
252#if MAC_OS_X_VERSION_MAX_ALLOWED > MAC_OS_X_VERSION_10_6
253    if (SecItemExport != NULL) {
254        err = SecItemExport((CFArrayRef) anchors, kSecFormatPEMSequence, kSecItemPemArmour, NULL, &pemData);
255    } else {
256        err = SecKeychainItemExport((CFArrayRef) anchors, kSecFormatPEMSequence, kSecItemPemArmour, NULL, &pemData);
257    }
258#else
259    err = SecKeychainItemExport((CFArrayRef) anchors, kSecFormatPEMSequence, kSecItemPemArmour, NULL, &pemData);
260#endif
261    PLCFAutorelease(pemData);
262
263    if (err != errSecSuccess) {
264        nsfprintf(stderr, @"Failed to export certificates: %@\n", [NSError errorWithDomain: NSOSStatusErrorDomain code: err userInfo:nil]);
265        [pool release];
266        return EXIT_FAILURE;
267    }
268
269    if (outputFile == nil) {
270        NSString *str = [[[NSString alloc] initWithData: (NSData *) pemData encoding:NSUTF8StringEncoding] autorelease];
271        nsfprintf(stdout, @"%@", str);
272    } else {
273        if (![(NSData *) pemData writeToFile: outputFile options: NSDataWritingAtomic error: &error]) {
274            nsfprintf(stderr, @"Failed to write to pem output file: %@\n", error);
275            [pool release];
276            return EXIT_FAILURE;
277        }
278    }
279   
280    [pool release];
281    return EXIT_SUCCESS;
282}
283
284static void usage (const char *progname) {
285    fprintf(stderr, "Usage: %s [-u] [-o <output file>]\n", progname);
286    fprintf(stderr, "\t-u\t\t\tInclude the current user's anchor certificates.\n");
287    fprintf(stderr, "\t-s\t\t\tDo not exit; observe the system keychain(s) for changes and update the output file accordingly.");
288    fprintf(stderr, "\t-o <output file>\tWrite the PEM certificates to the target file, rather than stdout\n");
289}
290
291static void certsync_keychain_cb (ConstFSEventStreamRef streamRef, void *clientCallBackInfo, size_t numEvents, void *eventPaths, const FSEventStreamEventFlags eventFlags[], const FSEventStreamEventId eventIds[])
292{
293    MPCertSyncConfig *config = (MPCertSyncConfig *) clientCallBackInfo;
294
295    int ret;
296    if ((ret = exportCertificates(config->userAnchors, config->outputFile)) != EXIT_SUCCESS)
297        exit(ret);
298}
299
300int main (int argc, char * const argv[]) {
301    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
302
303    /* Parse the command line arguments */
304    BOOL userAnchors = NO;
305    BOOL runServer = NO;
306    NSString *outputFile = nil;
307   
308    int ch;
309    while ((ch = getopt(argc, argv, "hsuo:")) != -1) {
310        switch (ch) {
311            case 'u':
312                userAnchors = YES;
313                break;
314               
315            case 's':
316                runServer = YES;
317                break;
318               
319            case 'o':
320                outputFile = [NSString stringWithUTF8String: optarg];
321                break;
322
323            case 'h':
324                usage(argv[0]);
325                exit(EXIT_SUCCESS);
326
327            default:
328                usage(argv[0]);
329                exit(EXIT_FAILURE);
330        }
331    }
332    argc -= optind;
333    argv += optind;
334   
335    /* Perform single-shot export  */
336    if (!runServer)
337        return exportCertificates(userAnchors, outputFile);
338   
339    /* Formulate the list of directories to observe; We use FSEvents rather than SecKeychainAddCallback(), as during testing the keychain
340     * API never actually fired a callback for the target keychains. */
341    NSSearchPathDomainMask searchPathDomains = NSLocalDomainMask|NSSystemDomainMask;
342    if (userAnchors)
343        searchPathDomains |= NSUserDomainMask;
344
345    NSArray *libraryDirectories = NSSearchPathForDirectoriesInDomains(NSAllLibrariesDirectory, searchPathDomains, YES);
346    NSMutableArray *keychainDirectories = [NSMutableArray arrayWithCapacity: [libraryDirectories count]];
347    for (NSString *dir in libraryDirectories) {
348        [keychainDirectories addObject: [dir stringByAppendingPathComponent: @"Keychains"]];
349        [keychainDirectories addObject: [dir stringByAppendingPathComponent: @"Security/Trust Settings"]];
350    }
351
352    /* Configure the listener */
353    FSEventStreamRef eventStream;
354    MPCertSyncConfig *config = [[[MPCertSyncConfig alloc] init] autorelease];
355    config->userAnchors = userAnchors;
356    config->outputFile = [outputFile retain];
357
358    FSEventStreamContext ctx = {
359        .version = 0,
360        .info = config,
361        .retain = CFRetain,
362        .release = CFRelease,
363        .copyDescription = CFCopyDescription
364    };
365    eventStream = FSEventStreamCreate(NULL, certsync_keychain_cb, &ctx, (CFArrayRef)keychainDirectories, kFSEventStreamEventIdSinceNow, 0.0, kFSEventStreamCreateFlagUseCFTypes);
366    FSEventStreamScheduleWithRunLoop(eventStream, CFRunLoopGetCurrent(), kCFRunLoopCommonModes);
367    FSEventStreamStart(eventStream);
368
369    /* Perform an initial one-shot export, and then run forever */
370    int ret;
371    if ((ret = exportCertificates(userAnchors, outputFile)) != EXIT_SUCCESS)
372        return EXIT_FAILURE;
373   
374    CFRunLoopRun();
375
376    FSEventStreamRelease(eventStream);
377    [pool release];
378
379    return EXIT_SUCCESS;
380}
381
Note: See TracBrowser for help on using the repository browser.