show_certificates.c [plain text]
#include <TargetConditionals.h>
#if TARGET_OS_EMBEDDED
#include "SecurityCommands.h"
#include "security.h"
#include "SecurityTool/print_cert.h"
#include "SecBase64.h"
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <SecurityTool/tool_errors.h>
#include <Security/SecItem.h>
#include <CoreFoundation/CFArray.h>
#include <CoreFoundation/CFDate.h>
#include <CoreFoundation/CFNumber.h>
#include <CoreFoundation/CFString.h>
#include <Security/SecCertificatePriv.h>
#include <Security/SecPolicyPriv.h>
#include <Security/SecTrustPriv.h>
#include <Security/SecInternal.h>
#include <Security/SecTrustStore.h>
#include <Security/SecTrustSettings.h>
#include <SecurityTool/readline.h>
#include <utilities/SecCFWrappers.h>
#include "keychain_util.h"
typedef uint32_t SecProtocolType;
typedef uint32_t SecAuthenticationType;
static void show_cert_eval(CFArrayRef certs, bool verbose) {
SecPolicyRef policy = SecPolicyCreateSSL(true, NULL);
SecTrustRef trust = NULL;
SecTrustCreateWithCertificates(certs, policy, &trust);
SecTrustResultType trustResult;
const char *trustResults[] = {
"invalid",
"proceed",
"confirm",
"deny",
"unspecified",
"recoverable trust failure",
"fatal trust failure",
"other error",
};
(void) SecTrustEvaluate(trust, &trustResult);
printf("* trust: %s *\n", trustResults[trustResult]);
CFArrayRef properties = SecTrustCopyProperties(trust);
print_plist(properties);
CFReleaseNull(properties);
CFIndex ix, count = SecTrustGetCertificateCount(trust);
for (ix = 0; ix < count; ++ix) {
printf("* cert %ld summary properties *\n", ix);
properties = SecTrustCopySummaryPropertiesAtIndex(trust, ix);
print_plist(properties);
CFReleaseNull(properties);
if (verbose) {
printf("* cert %ld detail properties *\n", ix);
properties = SecTrustCopyDetailedPropertiesAtIndex(trust, ix);
print_plist(properties);
CFReleaseNull(properties);
}
}
CFDictionaryRef info = SecTrustCopyInfo(trust);
if (info) {
printf("* info *\n");
CFShow(info);
CFReleaseNull(info);
}
CFReleaseNull(policy);
}
static size_t print_buffer_pem(FILE *stream, const char *pem_name, size_t length,
const uint8_t *bytes) {
size_t pem_name_len = strlen(pem_name);
size_t b64_len = SecBase64Encode2(NULL, length, NULL, 0,
kSecB64_F_LINE_LEN_USE_PARAM, 64, NULL);
char *buffer = malloc(33 + 2 * pem_name_len + b64_len);
char *p = buffer;
p += sprintf(buffer, "-----BEGIN %s-----\n", pem_name);
SecBase64Result result;
p += SecBase64Encode2(bytes, length, p, b64_len,\
kSecB64_F_LINE_LEN_USE_PARAM, 64, &result);
if (result) {
free(buffer);
return result;
}
p += sprintf(p, "\n-----END %s-----\n", pem_name);
size_t res = fwrite(buffer, 1, p - buffer, stream);
fflush(stream);
bzero(buffer, p - buffer);
free(buffer);
return res;
}
int keychain_show_certificates(int argc, char * const *argv)
{
int ch, result = 0;
bool output_subject = false;
bool verbose = false;
bool trust_eval = false;
bool keychain_certs = false;
bool output_pem = false;
bool output_finger_print = false;
CFMutableArrayRef certs = NULL;
CFMutableDictionaryRef query = CFDictionaryCreateMutable(0, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
while ((ch = getopt(argc, argv, "kfq:pstv")) != -1)
{
switch (ch)
{
case 'k':
keychain_certs = true;
break;
case 'p':
output_pem = true;
break;
case 's':
output_subject = true;
break;
case 'v':
verbose = true;
break;
case 't':
trust_eval = true;
break;
case 'f':
output_finger_print = true;
break;
case 'q':
if (!keychain_query_parse_cstring(query, optarg)) {
CFReleaseNull(query);
return 1;
}
keychain_certs = true;
break;
case '?':
default:
return SHOW_USAGE_MESSAGE;
}
}
argc -= optind;
argv += optind;
if ((keychain_certs && argc > 0) || (!keychain_certs && argc < 1))
result = 2;
if (trust_eval)
certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
CFArrayRef kc_certs = NULL;
int arg;
if (keychain_certs) {
for (arg = 0; arg < argc; ++arg) {
if (!keychain_query_parse_cstring(query, argv[arg])) {
CFReleaseSafe(query);
CFReleaseSafe(certs);
return 1;
}
}
CFDictionarySetValue(query, kSecClass, kSecClassCertificate);
CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll);
CFDictionarySetValue(query, kSecReturnRef, kCFBooleanTrue);
CFTypeRef results;
if (!SecItemCopyMatching(query, &results)) {
kc_certs = results;
argc = (int) CFArrayGetCount(kc_certs);
}
}
for (arg = 0; arg < argc; ++arg) {
SecCertificateRef cert = NULL;
if (keychain_certs) {
cert = (SecCertificateRef)CFArrayGetValueAtIndex(kc_certs, arg);
} else {
CFDataRef data = copyFileContents(argv[arg]);
if (data) {
cert = SecCertificateCreateWithData(
kCFAllocatorDefault, data);
if (!cert) {
cert = SecCertificateCreateWithPEM(kCFAllocatorDefault, data);
}
CFRelease(data);
} else {
result = 1;
}
}
if (cert) {
if (!keychain_certs) {
printf(
"*******************************************************\n"
"%s\n"
"*******************************************************\n"
, argv[arg]);
}
if (trust_eval) {
if (keychain_certs) {
CFArraySetValueAtIndex(certs, 0, cert);
show_cert_eval(certs, verbose);
} else {
CFArrayAppendValue(certs, cert);
}
} else {
if (verbose) {
print_cert(cert, verbose);
} else if (output_subject) {
CFStringRef subject = SecCertificateCopySubjectString(cert);
if (subject) {
CFStringWriteToFileWithNewline(subject, stdout);
CFRelease(subject);
}
} else if (!output_pem) {
print_cert(cert, verbose);
}
}
if (output_finger_print) {
CFDataRef key_fingerprint = SecCertificateCopyPublicKeySHA1Digest(cert);
if (key_fingerprint) {
int i;
CFIndex j = CFDataGetLength(key_fingerprint);
const uint8_t *byte = CFDataGetBytePtr(key_fingerprint);
fprintf(stdout, "Key fingerprint:");
for (i = 0; i < j; i++) {
fprintf(stdout, " %02X", byte[i]);
}
fprintf(stdout, "\n");
}
CFReleaseSafe(key_fingerprint);
}
if (output_pem) {
print_buffer_pem(stdout, "CERTIFICATE",
SecCertificateGetLength(cert),
SecCertificateGetBytePtr(cert));
}
if (!keychain_certs) {
CFRelease(cert);
}
} else {
result = 1;
fprintf(stderr, "file %s: does not contain a valid certificate",
argv[arg]);
}
}
if (trust_eval && !keychain_certs)
show_cert_eval(certs, verbose);
CFReleaseSafe(kc_certs);
CFReleaseSafe(certs);
return result;
}
static bool isSettingWithResult(CFDictionaryRef setting, SecTrustSettingsResult result) {
CFNumberRef value = CFDictionaryGetValue(setting, kSecTrustSettingsResult);
if (!isNumberOfType(value, kCFNumberSInt64Type)) {
return false;
}
int64_t setting_result = 0;
if (!CFNumberGetValue(value, kCFNumberSInt64Type, &setting_result) ||
(setting_result != result)) {
return false;
}
return true;
}
static bool isUnconstrainedSettingWithResult(CFDictionaryRef setting, SecTrustSettingsResult result) {
if (!isDictionary(setting) || (CFDictionaryGetCount(setting) != 1)) {
return false;
}
return isSettingWithResult(setting, result);
}
static bool isDenyTrustSetting(CFArrayRef trust_settings) {
if (CFArrayGetCount(trust_settings) != 1) {
return false;
}
return isUnconstrainedSettingWithResult(CFArrayGetValueAtIndex(trust_settings, 0),
kSecTrustSettingsResultDeny);
}
static bool isPartialSSLTrustSetting(CFArrayRef trust_settings) {
if (CFArrayGetCount(trust_settings) != 2) {
return false;
}
if (!isUnconstrainedSettingWithResult(CFArrayGetValueAtIndex(trust_settings, 1),
kSecTrustSettingsResultTrustRoot) &&
!isUnconstrainedSettingWithResult(CFArrayGetValueAtIndex(trust_settings, 1),
kSecTrustSettingsResultTrustAsRoot)) {
return false;
}
CFDictionaryRef setting = CFArrayGetValueAtIndex(trust_settings, 0);
if (!isDictionary(setting) || (CFDictionaryGetCount(setting) < 2)) {
return false;
}
if (!isSettingWithResult(setting, kSecTrustSettingsResultUnspecified)) {
return false;
}
if (!CFEqualSafe(CFDictionaryGetValue(setting, kSecTrustSettingsPolicy), kSecPolicyAppleSSL)) {
return false;
}
return true;
}
int trust_store_show_certificates(int argc, char * const *argv)
{
int ch, result = 0;
bool output_subject = false;
bool verbose = false;
bool trust_settings = false;
bool output_pem = false;
bool output_finger_print = false;
bool output_keyid = false;
CFArrayRef certs = NULL;
while ((ch = getopt(argc, argv, "fpstvk")) != -1)
{
switch (ch)
{
case 'p':
output_pem = true;
break;
case 's':
output_subject = true;
break;
case 'v':
verbose = true;
break;
case 't':
trust_settings = true;
break;
case 'f':
output_finger_print = true;
break;
case 'k':
output_keyid = true;
break;
case '?':
default:
return SHOW_USAGE_MESSAGE;
}
}
if(SecTrustStoreCopyAll(SecTrustStoreForDomain(kSecTrustStoreDomainUser),
&certs) || !certs) {
fprintf(stderr, "failed to get trust store contents for user\n");
return 1;
}
CFIndex ix, count = CFArrayGetCount(certs);
if (count) printf("*******************************************************\n");
for (ix = 0; ix < count; ix++) {
CFArrayRef certSettingsPair = NULL;
CFDataRef certData = NULL;
SecCertificateRef cert = NULL;
certSettingsPair = CFArrayGetValueAtIndex(certs, ix);
certData = (CFDataRef)CFArrayGetValueAtIndex(certSettingsPair, 0);
cert = SecCertificateCreateWithData(kCFAllocatorDefault, certData);
if (!cert) {
fprintf(stderr, "failed to get cert at %ld\n",ix);
return 1;
}
if (verbose) {
print_cert(cert, verbose);
} else if (output_subject) {
CFStringRef subject = SecCertificateCopySubjectString(cert);
if (subject) {
CFStringWriteToFileWithNewline(subject, stdout);
CFRelease(subject);
}
} else if (output_pem) {
print_buffer_pem(stdout, "CERTIFICATE",
SecCertificateGetLength(cert),
SecCertificateGetBytePtr(cert));
} else {
print_cert(cert, verbose);
}
if (output_keyid) {
CFDataRef key_fingerprint = SecCertificateCopyPublicKeySHA1Digest(cert);
if (key_fingerprint) {
int i;
CFIndex j = CFDataGetLength(key_fingerprint);
const uint8_t *byte = CFDataGetBytePtr(key_fingerprint);
fprintf(stdout, "Keyid:");
for (i = 0; i < j; i++) {
fprintf(stdout, " %02X", byte[i]);
}
fprintf(stdout, "\n");
}
CFReleaseSafe(key_fingerprint);
}
if (output_finger_print) {
CFDataRef fingerprint = SecCertificateGetSHA1Digest(cert);
if (fingerprint) {
int i;
CFIndex j = CFDataGetLength(fingerprint);
const uint8_t *byte = CFDataGetBytePtr(fingerprint);
fprintf(stdout, "Fingerprint:");
for (i = 0; i < j; i++) {
fprintf(stdout, " %02X", byte[i]);
}
fprintf(stdout, "\n");
}
}
if (trust_settings) {
CFPropertyListRef trust_settings = NULL;
trust_settings = CFArrayGetValueAtIndex(certSettingsPair, 1);
if (trust_settings && CFGetTypeID(trust_settings) != CFArrayGetTypeID()) {
fprintf(stderr, "failed to get trust settings for cert %ld\n", ix);
CFReleaseNull(cert);
return 1;
}
if (CFArrayGetCount(trust_settings) == 0) {
fprintf(stdout, "Full trust enabled\n");
} else if (isDenyTrustSetting(trust_settings)) {
fprintf(stdout, "Administrator blacklisted\n");
} else if (isPartialSSLTrustSetting(trust_settings)) {
fprintf(stdout, "Partial trust enabled\n");
} else {
CFStringRef settings = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), trust_settings);
if (settings) {
char *settingsStr = CFStringToCString(settings);
if (settingsStr) {
fprintf(stdout, "Unknown trust settings:\n%s\n", settingsStr);
free(settingsStr);
}
CFRelease(settings);
}
}
}
printf("*******************************************************\n");
CFReleaseNull(cert);
}
CFRelease(certs);
return result;
}
#endif // TARGET_OS_EMBEDDED