trusted_cert_dump.c
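/*
 * Copyright (c) 2003-2009,2012,2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 *
 * trusted_cert_dump.c
 *
 * Dump the certificates that carry trust settings in one trust-settings
 * domain (user, admin or system), together with each certificate's usage
 * constraints. Every CF object pulled out of the settings is type-checked
 * before it is used, since the settings plist is data read from disk and
 * is treated here as untrusted.
 */

#include "security_tool.h"

#include "trusted_cert_dump.h"
#include "trusted_cert_utils.h"

#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <Security/Security.h>
#include <Security/cssmapple.h>
#include <Security/SecTrustSettings.h>
#include <Security/oidsalg.h>
#include <security_cdsa_utils/cuFileIo.h>
#include <CoreFoundation/CoreFoundation.h>

/*
 * Look up key in ucDict and verify the CF type of whatever is stored there.
 *
 * Every per-setting key is optional, so an absent key is not an error:
 * *out is set to NULL and 0 is returned. A present value of the wrong
 * type is reported on stderr (naming it by 'what') and -1 is returned.
 * The returned value is owned by the dictionary; the caller must not
 * release it.
 */
static int fetchTypedValue(
	CFDictionaryRef ucDict,
	CFStringRef key,
	CFTypeID expectedType,
	const char *what,
	const void **out)
{
	const void *val = CFDictionaryGetValue(ucDict, key);

	if (val != NULL && CFGetTypeID(val) != expectedType) {
		fprintf(stderr, "***displayTrustSettings: malformed %s\n", what);
		*out = NULL;
		return -1;
	}
	*out = val;
	return 0;
}

/*
 * Display one usage-constraints dictionary from a trust settings array.
 *
 * Prints whichever of the optional policy / application / policy string /
 * allowed error / result type / key usage entries are present, at the
 * caller's current indent level.
 *
 * Returns 0 on success, -1 after reporting the first malformed entry or
 * failed Security call (the remaining entries are then not printed).
 */
static int displayOneTrustSetting(CFDictionaryRef ucDict)
{
	const void *val = NULL;
	OSStatus ortn;

	/* policy - optional */
	if (fetchTypedValue(ucDict, kSecTrustSettingsPolicy,
			SecPolicyGetTypeID(), "certPolicy", &val)) {
		return -1;
	}
	if (val != NULL) {
		CSSM_OID policyOid;

		ortn = SecPolicyGetOID((SecPolicyRef)val, &policyOid);
		if (ortn) {
			cssmPerror("SecPolicyGetOID", ortn);
			return -1;
		}
		indent();
		printf("Policy OID : %s\n", oidToOidString(&policyOid));
	}

	/* app - optional */
	if (fetchTypedValue(ucDict, kSecTrustSettingsApplication,
			SecTrustedApplicationGetTypeID(), "certApp", &val)) {
		return -1;
	}
	if (val != NULL) {
		CFDataRef appPath = NULL;

		ortn = SecTrustedApplicationCopyData((SecTrustedApplicationRef)val, &appPath);
		if (ortn) {
			cssmPerror("SecTrustedApplicationCopyData", ortn);
			return -1;
		}
		if (appPath == NULL) {
			fprintf(stderr, "***displayTrustSettings: missing application data\n");
			return -1;
		}
		/*
		 * CFData carries no NUL terminator guarantee, so bound the print
		 * by the data length rather than trusting "%s" to stop in time.
		 */
		indent();
		printf("Application : %.*s\n",
			(int)CFDataGetLength(appPath),
			(const char *)CFDataGetBytePtr(appPath));
		CFRelease(appPath);
	}

	/* policy string */
	if (fetchTypedValue(ucDict, kSecTrustSettingsPolicyString,
			CFStringGetTypeID(), "policyStr", &val)) {
		return -1;
	}
	if (val != NULL) {
		indent();
		printf("Policy String : ");
		printCfStr((CFStringRef)val);
		printf("\n");
	}

	/* Allowed error */
	if (fetchTypedValue(ucDict, kSecTrustSettingsAllowedError,
			CFNumberGetTypeID(), "allowedError", &val)) {
		return -1;
	}
	if (val != NULL) {
		indent();
		printf("Allowed Error : ");
		printCssmErr((CFNumberRef)val);
		printf("\n");
	}

	/* ResultType */
	if (fetchTypedValue(ucDict, kSecTrustSettingsResult,
			CFNumberGetTypeID(), "ResultType", &val)) {
		return -1;
	}
	if (val != NULL) {
		indent();
		printf("Result Type : ");
		printResultType((CFNumberRef)val);
		printf("\n");
	}

	/* key usage */
	if (fetchTypedValue(ucDict, kSecTrustSettingsKeyUsage,
			CFNumberGetTypeID(), "keyUsage", &val)) {
		return -1;
	}
	if (val != NULL) {
		indent();
		printf("Key Usage : ");
		printKeyUsage((CFNumberRef)val);
		printf("\n");
	}

	return 0;
}

/*
 * Display a Trust Settings array as obtained from
 * SecTrustSettingsCopyTrustSettings().
 *
 * The array must be present (it may be empty). Each element is expected
 * to be a usage-constraints dictionary; a malformed element is reported
 * and skipped, the remaining elements are still displayed.
 *
 * Returns 0 if everything was displayed cleanly, -1 if the array was
 * missing/malformed or any element failed to display.
 */
static int displayTrustSettings(
	CFArrayRef trustSettings)
{
	/* must always be there though it may be empty */
	if (trustSettings == NULL) {
		fprintf(stderr, "***displayTrustSettings: missing trust settings array\n");
		return -1;
	}
	if (CFGetTypeID(trustSettings) != CFArrayGetTypeID()) {
		fprintf(stderr, "***displayTrustSettings: malformed trust settings array\n");
		return -1;
	}

	int ourRtn = 0;
	CFIndex numUseConstraints = CFArrayGetCount(trustSettings);

	indentIncr();
	indent();
	printf("Number of trust settings : %ld\n", (long)numUseConstraints);

	/* grind thru the trust settings dictionaries */
	for (CFIndex ucDex = 0; ucDex < numUseConstraints; ucDex++) {
		indent();
		printf("Trust Setting %ld:\n", (long)ucDex);
		indentIncr();

		const void *ucDict = CFArrayGetValueAtIndex(trustSettings, ucDex);
		if (ucDict == NULL || CFGetTypeID(ucDict) != CFDictionaryGetTypeID()) {
			fprintf(stderr, "***displayTrustSettings: malformed usage constraints dictionary\n");
			ourRtn = -1;
		} else if (displayOneTrustSetting((CFDictionaryRef)ucDict)) {
			ourRtn = -1;
		}

		indentDecr();
	}
	indentDecr();
	return ourRtn;
}

/*
 * Entry point for the "dump trusted certs" command.
 *
 * Options: -s selects the system domain, -d the admin domain; with neither
 * the user domain is dumped. -h or any other option returns
 * SHOW_USAGE_MESSAGE, as do stray non-option arguments.
 *
 * Returns 0 on success, 1 if the certificate list could not be obtained,
 * -1 if any certificate or its trust settings failed to display (the
 * remaining certificates are still processed).
 */
int
trusted_cert_dump(int argc, char * const *argv)
{
	CFArrayRef certArray = NULL;
	OSStatus ortn = noErr;
	CFIndex numCerts;
	int ourRtn = 0;
	SecTrustSettingsDomain domain = kSecTrustSettingsDomainUser;
	int arg;

	/* reset getopt state: the tool may dispatch several commands per run */
	optind = 1;
	while ((arg = getopt(argc, argv, "sdh")) != -1) {
		switch (arg) {
		case 's':
			domain = kSecTrustSettingsDomainSystem;
			break;
		case 'd':
			domain = kSecTrustSettingsDomainAdmin;
			break;
		default:
		case 'h':
			return SHOW_USAGE_MESSAGE;
		}
	}

	if (optind != argc) {
		return SHOW_USAGE_MESSAGE;
	}

	ortn = SecTrustSettingsCopyCertificates(domain, &certArray);
	if (ortn) {
		cssmPerror("SecTrustSettingsCopyCertificates", ortn);
		return 1;
	}
	/* CFRelease(NULL) is fatal, unlike free(NULL); be defensive about an empty result */
	numCerts = (certArray != NULL) ? CFArrayGetCount(certArray) : 0;
	printf("Number of trusted certs = %ld\n", (long)numCerts);

	for (CFIndex dex = 0; dex < numCerts; dex++) {
		SecCertificateRef certRef =
			(SecCertificateRef)CFArrayGetValueAtIndex(certArray, dex);
		if (certRef == NULL || CFGetTypeID(certRef) != SecCertificateGetTypeID()) {
			fprintf(stderr, "***Bad CFGetTypeID for cert %ld\n", (long)dex);
			ourRtn = -1;
			break;
		}

		/* always print the cert's label */
		printf("Cert %ld: ", (long)dex);
		printCertLabel(certRef);
		printf("\n");

		/* see if the cert has any usage constraints (it should!) */
		CFArrayRef trustSettings = NULL;
		ortn = SecTrustSettingsCopyTrustSettings(certRef, domain, &trustSettings);
		if (ortn) {
			cssmPerror("SecTrustSettingsCopyTrustSettings", ortn);
			ourRtn = -1;
			continue;
		}
		if (displayTrustSettings(trustSettings)) {
			ourRtn = -1;
		}
		/* Copy rule: we own the returned array and must release it */
		if (trustSettings != NULL) {
			CFRelease(trustSettings);
		}
	}
	if (certArray != NULL) {
		CFRelease(certArray);
	}

	return ourRtn;
}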