Skip to content

Commit

Permalink
Snakecase
Browse files Browse the repository at this point in the history
  • Loading branch information
@timja
timja committed Jan 22, 2025
1 parent 91869ce commit 7da430c
Showing 1 changed file with 57 additions and 58 deletions.
115 changes: 57 additions & 58 deletions src/crypto/crypto_context.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -239,7 +239,7 @@ enum class TrustStatus {
DISTRUSTED
};

bool IsSelfSigned(X509* cert) {
bool isSelfIssued(X509* cert) {
auto subject = X509_get_subject_name(cert);
auto issuer = X509_get_issuer_name(cert);

Expand All @@ -253,7 +253,7 @@ bool IsSelfSigned(X509* cert) {
// See https://chromium.googlesource.com/chromium/src/+/HEAD/LICENSE for
// details.
TrustStatus IsTrustDictionaryTrustedForPolicy(CFDictionaryRef trust_dict,
bool isSelfIssued) {
bool is_self_issued) {
// Trust settings may be scoped to a single application
// skip as this is not supported
if (CFDictionaryContainsKey(trust_dict, kSecTrustSettingsApplication)) {
Expand All @@ -274,17 +274,17 @@ TrustStatus IsTrustDictionaryTrustedForPolicy(CFDictionaryRef trust_dict,
// |kSecPolicyAppleSSL|. If there is no kSecTrustSettingsPolicy key, it's
// considered a match for all policies.
if (CFDictionaryContainsKey(trust_dict, kSecTrustSettingsPolicy)) {
SecPolicyRef policy_ref = (SecPolicyRef) CFDictionaryGetValue(
trust_dict, kSecTrustSettingsPolicy);
SecPolicyRef policy_ref =
(SecPolicyRef)CFDictionaryGetValue(trust_dict, kSecTrustSettingsPolicy);
if (!policy_ref) {
return TrustStatus::UNSPECIFIED;
}

CFDictionaryRef policy_dict(SecPolicyCopyProperties(policy_ref));

// kSecPolicyOid is guaranteed to be present in the policy dictionary.
CFStringRef policy_oid = (CFStringRef) CFDictionaryGetValue(
policy_dict, kSecPolicyOid);
CFStringRef policy_oid =
(CFStringRef)CFDictionaryGetValue(policy_dict, kSecPolicyOid);

if (!CFEqual(policy_oid, kSecPolicyAppleSSL)) {
return TrustStatus::UNSPECIFIED;
Expand Down Expand Up @@ -317,7 +317,7 @@ TrustStatus IsTrustDictionaryTrustedForPolicy(CFDictionaryRef trust_dict,
// if using the platform APIs, and may require supporting MD5 signature
// algorithms on some older OSX versions or locally added roots, which is
// undesirable in the built-in signature verifier.
if (isSelfIssued) {
if (is_self_issued) {
return trust_settings_result == kSecTrustSettingsResultTrustRoot ||
trust_settings_result == kSecTrustSettingsResultTrustAsRoot
? TrustStatus::TRUSTED
Expand All @@ -333,26 +333,24 @@ TrustStatus IsTrustDictionaryTrustedForPolicy(CFDictionaryRef trust_dict,
return TrustStatus::UNSPECIFIED;
}

TrustStatus IsTrustSettingsTrustedForPolicy(CFArrayRef trustSettings,
bool isSelfIssued) {
// The trustSettings parameter can return a valid but empty CFArrayRef.
TrustStatus IsTrustSettingsTrustedForPolicy(CFArrayRef trust_settings,
bool is_self_issued) {
// The trust_settings parameter can return a valid but empty CFArrayRef.
// This empty trust-settings array means “always trust this certificate”
// with an overall trust setting for the certificate of
// kSecTrustSettingsResultTrustRoot
if (CFArrayGetCount(trustSettings) == 0) {
if (isSelfIssued) {
if (CFArrayGetCount(trust_settings) == 0) {
if (is_self_issued) {
return TrustStatus::TRUSTED;
}
}

CFIndex trustSettingsCount = CFArrayGetCount(trustSettings);

for (CFIndex i = 0; i < trustSettingsCount; ++i) {
for (CFIndex i = 0; i < CFArrayGetCount(trust_settings); ++i) {
CFDictionaryRef trust_dict = reinterpret_cast<CFDictionaryRef>(
const_cast<void*>(CFArrayGetValueAtIndex(trustSettings, i)));
const_cast<void*>(CFArrayGetValueAtIndex(trust_settings, i)));

TrustStatus trust =
IsTrustDictionaryTrustedForPolicy(trust_dict, isSelfIssued);
IsTrustDictionaryTrustedForPolicy(trust_dict, is_self_issued);

if (trust == TrustStatus::DISTRUSTED || trust == TrustStatus::TRUSTED) {
return trust;
Expand All @@ -362,129 +360,130 @@ TrustStatus IsTrustSettingsTrustedForPolicy(CFArrayRef trustSettings,
}

bool IsCertificateTrustValid(SecCertificateRef ref) {
SecTrustRef secTrust = nullptr;
CFMutableArrayRef subjCerts =
SecTrustRef sec_trust = nullptr;
CFMutableArrayRef subj_certs =
CFArrayCreateMutable(nullptr, 1, &kCFTypeArrayCallBacks);
CFArraySetValueAtIndex(subjCerts, 0, ref);
CFArraySetValueAtIndex(subj_certs, 0, ref);

SecPolicyRef policy = SecPolicyCreateBasicX509();
OSStatus ortn = SecTrustCreateWithCertificates(subjCerts, policy, &secTrust);
OSStatus ortn =
SecTrustCreateWithCertificates(subj_certs, policy, &sec_trust);
bool result = false;
if (ortn) {
/* should never happen */
} else {
result = SecTrustEvaluateWithError(secTrust, nullptr);
result = SecTrustEvaluateWithError(sec_trust, nullptr);
}

if (policy) {
CFRelease(policy);
}
if (secTrust) {
CFRelease(secTrust);
if (sec_trust) {
CFRelease(sec_trust);
}
if (subjCerts) {
CFRelease(subjCerts);
if (subj_certs) {
CFRelease(subj_certs);
}
return result;
}

bool IsCertificateTrustedForPolicy(X509* cert, SecCertificateRef ref) {
OSStatus err;

bool trustEvaluated = false;
bool isSelfSigned = IsSelfSigned(cert);
bool trust_evaluated = false;
bool is_self_issued = isSelfIssued(cert);

// Evaluate user trust domain, then admin. User settings can override
// admin (and both override the system domain, but we don't check that).
for (const auto& trust_domain :
{kSecTrustSettingsDomainUser, kSecTrustSettingsDomainAdmin}) {
CFArrayRef trustSettings;
err = SecTrustSettingsCopyTrustSettings(ref, trust_domain, &trustSettings);
CFArrayRef trust_settings;
err = SecTrustSettingsCopyTrustSettings(ref, trust_domain, &trust_settings);

if (err == errSecSuccess && trustSettings != nullptr) {
if (err == errSecSuccess && trust_settings != nullptr) {
TrustStatus result =
IsTrustSettingsTrustedForPolicy(trustSettings, isSelfSigned);
IsTrustSettingsTrustedForPolicy(trust_settings, is_self_issued);
if (result != TrustStatus::UNSPECIFIED) {
CFRelease(trustSettings);
CFRelease(trust_settings);
return result == TrustStatus::TRUSTED;
}
}

// An empty trust settings array isn’t the same as no trust settings,
// where the trustSettings parameter returns NULL.
// where the trust_settings parameter returns NULL.
// No trust-settings array means
// “this certificate must be verifiable using a known trusted certificate”.
if (trustSettings == nullptr && !trustEvaluated) {
if (trust_settings == nullptr && !trust_evaluated) {
bool result = IsCertificateTrustValid(ref);
if (result) {
return true;
}
// no point re-evaluating this in the admin domain
trustEvaluated = true;
} else if (trustSettings) {
CFRelease(trustSettings);
trust_evaluated = true;
} else if (trust_settings) {
CFRelease(trust_settings);
}
}
return false;
}

void ReadMacOSKeychainCertificates(
std::vector<std::string>* system_root_certificates) {
CFTypeRef searchKeys[] = {kSecClass, kSecMatchLimit, kSecReturnRef};
CFTypeRef searchValues[] = {
CFTypeRef search_keys[] = {kSecClass, kSecMatchLimit, kSecReturnRef};
CFTypeRef search_values[] = {
kSecClassCertificate, kSecMatchLimitAll, kCFBooleanTrue};
CFDictionaryRef search = CFDictionaryCreate(kCFAllocatorDefault,
searchKeys,
searchValues,
search_keys,
search_values,
3,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);

CFArrayRef currAnchors = nullptr;
CFArrayRef curr_anchors = nullptr;
OSStatus ortn =
SecItemCopyMatching(search, reinterpret_cast<CFTypeRef*>(&currAnchors));
SecItemCopyMatching(search, reinterpret_cast<CFTypeRef*>(&curr_anchors));
CFRelease(search);

if (ortn) {
fprintf(stderr, "ERROR: SecItemCopyMatching failed %d\n", ortn);
}

CFIndex count = CFArrayGetCount(currAnchors);
CFIndex count = CFArrayGetCount(curr_anchors);

std::vector<X509*> system_root_certificates_X509;
for (int i = 0; i < count; ++i) {
SecCertificateRef certRef = reinterpret_cast<SecCertificateRef>(
const_cast<void*>(CFArrayGetValueAtIndex(currAnchors, i)));
SecCertificateRef cert_ref = reinterpret_cast<SecCertificateRef>(
const_cast<void*>(CFArrayGetValueAtIndex(curr_anchors, i)));

CFDataRef derData = SecCertificateCopyData(certRef);
if (!derData) {
CFDataRef der_data = SecCertificateCopyData(cert_ref);
if (!der_data) {
fprintf(stderr, "ERROR: SecCertificateCopyData failed\n");
continue;
}
auto dataBufferPointer = CFDataGetBytePtr(derData);
auto data_buffer_pointer = CFDataGetBytePtr(der_data);

X509* cert =
d2i_X509(nullptr, &dataBufferPointer, CFDataGetLength(derData));
CFRelease(derData);
bool isValid = IsCertificateTrustedForPolicy(cert, certRef);
if (isValid) {
d2i_X509(nullptr, &data_buffer_pointer, CFDataGetLength(der_data));
CFRelease(der_data);
bool is_valid = IsCertificateTrustedForPolicy(cert, cert_ref);
if (is_valid) {
system_root_certificates_X509.emplace_back(cert);
}
}
CFRelease(currAnchors);
CFRelease(curr_anchors);

for (size_t i = 0; i < system_root_certificates_X509.size(); i++) {
ncrypto::X509View x509_view(system_root_certificates_X509[i]);

auto pemBio = x509_view.toPEM();
if (!pemBio) {
auto pem_bio = x509_view.toPEM();
if (!pem_bio) {
fprintf(stderr,
"Warning: converting system certificate to PEM format failed\n");
continue;
}

char* pem_data = nullptr;
auto pem_size = BIO_get_mem_data(pemBio.get(), &pem_data);
auto pem_size = BIO_get_mem_data(pem_bio.get(), &pem_data);
if (pem_size <= 0 || !pem_data) {
fprintf(
stderr,
Expand Down

0 comments on commit 7da430c

Please sign in to comment.