966bba02bb
Former-commit-id: bb0468d0f257ff100aa895eb5fe583fb5dfbf900
357 lines
9.6 KiB
C#
357 lines
9.6 KiB
C#
#if SECURITY_DEP && MONO_FEATURE_APPLETLS
|
|
//
|
|
// Items.cs: Implements the KeyChain query access APIs
|
|
//
|
|
// We use strong types and a helper SecQuery class to simplify the
|
|
// creation of the dictionary used to query the Keychain
|
|
//
|
|
// Authors:
|
|
// Miguel de Icaza
|
|
// Sebastien Pouliot
|
|
//
|
|
// Copyright 2010 Novell, Inc
|
|
// Copyright 2011-2016 Xamarin Inc
|
|
//
|
|
// Permission is hereby granted, free of charge, to any person obtaining
|
|
// a copy of this software and associated documentation files (the
|
|
// "Software"), to deal in the Software without restriction, including
|
|
// without limitation the rights to use, copy, modify, merge, publish,
|
|
// distribute, sublicense, and/or sell copies of the Software, and to
|
|
// permit persons to whom the Software is furnished to do so, subject to
|
|
// the following conditions:
|
|
//
|
|
// The above copyright notice and this permission notice shall be
|
|
// included in all copies or substantial portions of the Software.
|
|
//
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
//
|
|
using System;
|
|
using System.Collections;
|
|
using System.Runtime.InteropServices;
|
|
using ObjCRuntimeInternal;
|
|
using Mono.Net;
|
|
|
|
namespace Mono.AppleTls {
|
|
|
|
enum SecKind {
|
|
Identity,
|
|
Certificate
|
|
}
|
|
|
|
#if MONOTOUCH
|
|
static class SecKeyChain {
|
|
#else
|
|
class SecKeyChain : INativeObject, IDisposable {
|
|
#endif
|
|
internal static readonly IntPtr MatchLimitAll;
|
|
internal static readonly IntPtr MatchLimitOne;
|
|
internal static readonly IntPtr MatchLimit;
|
|
|
|
#if !MONOTOUCH
|
|
IntPtr handle;
|
|
|
|
internal SecKeyChain (IntPtr handle, bool owns = false)
|
|
{
|
|
if (handle == IntPtr.Zero)
|
|
throw new ArgumentException ("Invalid handle");
|
|
|
|
this.handle = handle;
|
|
if (!owns)
|
|
CFObject.CFRetain (handle);
|
|
}
|
|
#endif
|
|
|
|
static SecKeyChain ()
|
|
{
|
|
var handle = CFObject.dlopen (AppleTlsContext.SecurityLibrary, 0);
|
|
if (handle == IntPtr.Zero)
|
|
return;
|
|
|
|
try {
|
|
MatchLimit = CFObject.GetIntPtr (handle, "kSecMatchLimit");
|
|
MatchLimitAll = CFObject.GetIntPtr (handle, "kSecMatchLimitAll");
|
|
MatchLimitOne = CFObject.GetIntPtr (handle, "kSecMatchLimitOne");
|
|
} finally {
|
|
CFObject.dlclose (handle);
|
|
}
|
|
}
|
|
|
|
public static SecIdentity FindIdentity (SecCertificate certificate, bool throwOnError = false)
|
|
{
|
|
if (certificate == null)
|
|
throw new ArgumentNullException ("certificate");
|
|
var identity = FindIdentity (cert => SecCertificate.Equals (certificate, cert));
|
|
if (!throwOnError || identity != null)
|
|
return identity;
|
|
|
|
throw new InvalidOperationException (string.Format ("Could not find SecIdentity for certificate '{0}' in keychain.", certificate.SubjectSummary));
|
|
}
|
|
|
|
static SecIdentity FindIdentity (Predicate<SecCertificate> filter)
|
|
{
|
|
/*
|
|
* Unfortunately, SecItemCopyMatching() does not allow any search
|
|
* filters when looking up an identity.
|
|
*
|
|
* The following lookup will return all identities from the keychain -
|
|
* we then need need to find the right one.
|
|
*/
|
|
using (var record = new SecRecord (SecKind.Identity)) {
|
|
SecStatusCode status;
|
|
var result = SecKeyChain.QueryAsReference (record, -1, out status);
|
|
if (status != SecStatusCode.Success || result == null)
|
|
return null;
|
|
|
|
for (int i = 0; i < result.Length; i++) {
|
|
var identity = (SecIdentity)result [i];
|
|
if (filter (identity.Certificate))
|
|
return identity;
|
|
}
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
static INativeObject [] QueryAsReference (SecRecord query, int max, out SecStatusCode result)
|
|
{
|
|
if (query == null) {
|
|
result = SecStatusCode.Param;
|
|
return null;
|
|
}
|
|
|
|
using (var copy = query.QueryDict.MutableCopy ()) {
|
|
copy.SetValue (CFBoolean.True.Handle, SecItem.ReturnRef);
|
|
SetLimit (copy, max);
|
|
return QueryAsReference (copy, out result);
|
|
}
|
|
}
|
|
|
|
static INativeObject [] QueryAsReference (CFDictionary query, out SecStatusCode result)
|
|
{
|
|
if (query == null) {
|
|
result = SecStatusCode.Param;
|
|
return null;
|
|
}
|
|
|
|
IntPtr ptr;
|
|
result = SecItem.SecItemCopyMatching (query.Handle, out ptr);
|
|
if (result == SecStatusCode.Success && ptr != IntPtr.Zero) {
|
|
var array = CFArray.ArrayFromHandle<INativeObject> (ptr, p => {
|
|
IntPtr cfType = CFType.GetTypeID (p);
|
|
if (cfType == SecCertificate.GetTypeID ())
|
|
return new SecCertificate (p, true);
|
|
if (cfType == SecKey.GetTypeID ())
|
|
return new SecKey (p, true);
|
|
if (cfType == SecIdentity.GetTypeID ())
|
|
return new SecIdentity (p, true);
|
|
throw new Exception (String.Format ("Unexpected type: 0x{0:x}", cfType));
|
|
});
|
|
return array;
|
|
}
|
|
return null;
|
|
}
|
|
|
|
internal static CFNumber SetLimit (CFMutableDictionary dict, int max)
|
|
{
|
|
CFNumber n = null;
|
|
IntPtr val;
|
|
if (max == -1)
|
|
val = MatchLimitAll;
|
|
else if (max == 1)
|
|
val = MatchLimitOne;
|
|
else {
|
|
n = CFNumber.FromInt32 (max);
|
|
val = n.Handle;
|
|
}
|
|
|
|
dict.SetValue (val, SecKeyChain.MatchLimit);
|
|
return n;
|
|
}
|
|
|
|
#if !MONOTOUCH
|
|
[DllImport (AppleTlsContext.SecurityLibrary)]
|
|
extern static /* OSStatus */ SecStatusCode SecKeychainCreate (/* const char * */ IntPtr pathName, uint passwordLength, /* const void * */ IntPtr password,
|
|
bool promptUser, /* SecAccessRef */ IntPtr initialAccess,
|
|
/* SecKeychainRef _Nullable * */ out IntPtr keychain);
|
|
|
|
internal static SecKeyChain Create (string pathName, string password)
|
|
{
|
|
IntPtr handle;
|
|
var pathNamePtr = Marshal.StringToHGlobalAnsi (pathName);
|
|
var passwordPtr = Marshal.StringToHGlobalAnsi (password);
|
|
var result = SecKeychainCreate (pathNamePtr, (uint)password.Length, passwordPtr, false, IntPtr.Zero, out handle);
|
|
if (result != SecStatusCode.Success)
|
|
throw new InvalidOperationException (result.ToString ());
|
|
return new SecKeyChain (handle, true);
|
|
}
|
|
|
|
[DllImport (AppleTlsContext.SecurityLibrary)]
|
|
extern static /* OSStatus */ SecStatusCode SecKeychainOpen (/* const char * */ IntPtr pathName, /* SecKeychainRef _Nullable * */ out IntPtr keychain);
|
|
|
|
internal static SecKeyChain Open (string pathName)
|
|
{
|
|
IntPtr handle;
|
|
IntPtr pathNamePtr = IntPtr.Zero;
|
|
try {
|
|
pathNamePtr = Marshal.StringToHGlobalAnsi (pathName);
|
|
var result = SecKeychainOpen (pathNamePtr, out handle);
|
|
if (result != SecStatusCode.Success)
|
|
throw new InvalidOperationException (result.ToString ());
|
|
return new SecKeyChain (handle, true);
|
|
} finally {
|
|
if (pathNamePtr != IntPtr.Zero)
|
|
Marshal.FreeHGlobal (pathNamePtr);
|
|
}
|
|
}
|
|
|
|
internal static SecKeyChain OpenSystemRootCertificates ()
|
|
{
|
|
return Open ("/System/Library/Keychains/SystemRootCertificates.keychain");
|
|
}
|
|
|
|
~SecKeyChain ()
|
|
{
|
|
Dispose (false);
|
|
}
|
|
|
|
public IntPtr Handle {
|
|
get {
|
|
return handle;
|
|
}
|
|
}
|
|
|
|
public void Dispose ()
|
|
{
|
|
Dispose (true);
|
|
GC.SuppressFinalize (this);
|
|
}
|
|
|
|
protected virtual void Dispose (bool disposing)
|
|
{
|
|
if (handle != IntPtr.Zero) {
|
|
CFObject.CFRelease (handle);
|
|
handle = IntPtr.Zero;
|
|
}
|
|
}
|
|
#endif
|
|
}
|
|
|
|
class SecRecord : IDisposable {
|
|
|
|
internal static readonly IntPtr SecClassKey;
|
|
static SecRecord ()
|
|
{
|
|
var handle = CFObject.dlopen (AppleTlsContext.SecurityLibrary, 0);
|
|
if (handle == IntPtr.Zero)
|
|
return;
|
|
|
|
try {
|
|
SecClassKey = CFObject.GetIntPtr (handle, "kSecClass");
|
|
} finally {
|
|
CFObject.dlclose (handle);
|
|
}
|
|
}
|
|
|
|
CFMutableDictionary _queryDict;
|
|
internal CFMutableDictionary QueryDict {
|
|
get {
|
|
return _queryDict;
|
|
}
|
|
}
|
|
|
|
internal void SetValue (IntPtr key, IntPtr value)
|
|
{
|
|
_queryDict.SetValue (key, value);
|
|
}
|
|
|
|
public SecRecord (SecKind secKind)
|
|
{
|
|
var kind = SecClass.FromSecKind (secKind);
|
|
_queryDict = CFMutableDictionary.Create ();
|
|
_queryDict.SetValue (SecClassKey, kind);
|
|
}
|
|
|
|
public void Dispose ()
|
|
{
|
|
Dispose (true);
|
|
GC.SuppressFinalize (this);
|
|
}
|
|
|
|
protected virtual void Dispose (bool disposing)
|
|
{
|
|
if (_queryDict != null){
|
|
if (disposing){
|
|
_queryDict.Dispose ();
|
|
_queryDict = null;
|
|
}
|
|
}
|
|
}
|
|
|
|
~SecRecord ()
|
|
{
|
|
Dispose (false);
|
|
}
|
|
}
|
|
|
|
partial class SecItem {
|
|
public static readonly IntPtr ReturnRef;
|
|
public static readonly IntPtr MatchSearchList;
|
|
|
|
static SecItem ()
|
|
{
|
|
var handle = CFObject.dlopen (AppleTlsContext.SecurityLibrary, 0);
|
|
if (handle == IntPtr.Zero)
|
|
return;
|
|
|
|
try {
|
|
ReturnRef = CFObject.GetIntPtr (handle, "kSecReturnRef");
|
|
MatchSearchList = CFObject.GetIntPtr (handle, "kSecMatchSearchList");
|
|
} finally {
|
|
CFObject.dlclose (handle);
|
|
}
|
|
}
|
|
|
|
[DllImport (AppleTlsContext.SecurityLibrary)]
|
|
internal extern static SecStatusCode SecItemCopyMatching (/* CFDictionaryRef */ IntPtr query, /* CFTypeRef* */ out IntPtr result);
|
|
}
|
|
|
|
static partial class SecClass {
|
|
|
|
public static readonly IntPtr Identity;
|
|
public static readonly IntPtr Certificate;
|
|
|
|
static SecClass ()
|
|
{
|
|
var handle = CFObject.dlopen (AppleTlsContext.SecurityLibrary, 0);
|
|
if (handle == IntPtr.Zero)
|
|
return;
|
|
|
|
try {
|
|
Identity = CFObject.GetIntPtr (handle, "kSecClassIdentity");
|
|
Certificate = CFObject.GetIntPtr (handle, "kSecClassCertificate");
|
|
} finally {
|
|
CFObject.dlclose (handle);
|
|
}
|
|
}
|
|
|
|
public static IntPtr FromSecKind (SecKind secKind)
|
|
{
|
|
switch (secKind){
|
|
case SecKind.Identity:
|
|
return Identity;
|
|
case SecKind.Certificate:
|
|
return Certificate;
|
|
default:
|
|
throw new ArgumentException ("secKind");
|
|
}
|
|
}
|
|
}
|
|
}
|
|
#endif
|