1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "chrome/browser/mac/security_wrappers.h" 6 7 #include "base/mac/foundation_util.h" 8 #include "base/mac/mac_logging.h" 9 10 extern "C" { 11 OSStatus SecTrustedApplicationCopyRequirement( 12 SecTrustedApplicationRef application, 13 SecRequirementRef* requirement); 14 } // extern "C" 15 16 namespace chrome { 17 18 ScopedSecKeychainSetUserInteractionAllowed:: 19 ScopedSecKeychainSetUserInteractionAllowed(Boolean allowed) { 20 OSStatus status = SecKeychainGetUserInteractionAllowed(&old_allowed_); 21 if (status != errSecSuccess) { 22 OSSTATUS_LOG(ERROR, status); 23 old_allowed_ = TRUE; 24 } 25 26 status = SecKeychainSetUserInteractionAllowed(allowed); 27 if (status != errSecSuccess) { 28 OSSTATUS_LOG(ERROR, status); 29 } 30 } 31 32 ScopedSecKeychainSetUserInteractionAllowed:: 33 ~ScopedSecKeychainSetUserInteractionAllowed() { 34 OSStatus status = SecKeychainSetUserInteractionAllowed(old_allowed_); 35 if (status != errSecSuccess) { 36 OSSTATUS_LOG(ERROR, status); 37 } 38 } 39 40 CrSKeychainItemAndAccess::CrSKeychainItemAndAccess(SecKeychainItemRef item, 41 SecAccessRef access) 42 : item_(item), 43 access_(access) { 44 // These CFRetain calls aren't leaks. They're balanced by an implicit 45 // CFRelease at destruction because the fields are of type ScopedCFTypeRef. 46 // These fields are retained on construction (unlike the typical 47 // ScopedCFTypeRef pattern) because this class is intended for use as an STL 48 // type adapter to keep two related objects together, and thus must 49 // implement proper reference counting in the methods required for STL 50 // container use. This class and is not intended to act as a scoper for the 51 // underlying objects in user code. For that, just use ScopedCFTypeRef. 52 CFRetain(item_); 53 CFRetain(access_); 54 } 55 56 CrSKeychainItemAndAccess::CrSKeychainItemAndAccess( 57 const CrSKeychainItemAndAccess& that) 58 : item_(that.item_.get()), 59 access_(that.access_.get()) { 60 // See the comment above in the two-argument constructor. 61 CFRetain(item_); 62 CFRetain(access_); 63 } 64 65 CrSKeychainItemAndAccess::~CrSKeychainItemAndAccess() { 66 } 67 68 void CrSKeychainItemAndAccess::operator=(const CrSKeychainItemAndAccess& that) { 69 // See the comment above in the two-argument constructor. 70 CFRetain(that.item_); 71 item_.reset(that.item_); 72 73 CFRetain(that.access_); 74 access_.reset(that.access_); 75 } 76 77 CrSACLSimpleContents::CrSACLSimpleContents() { 78 } 79 80 CrSACLSimpleContents::~CrSACLSimpleContents() { 81 } 82 83 ScopedSecKeychainAttributeInfo::ScopedSecKeychainAttributeInfo( 84 SecKeychainAttributeInfo* attribute_info) 85 : attribute_info_(attribute_info) { 86 } 87 88 ScopedSecKeychainAttributeInfo::~ScopedSecKeychainAttributeInfo() { 89 OSStatus status = SecKeychainFreeAttributeInfo(attribute_info_); 90 if (status != errSecSuccess) { 91 OSSTATUS_LOG(ERROR, status); 92 } 93 } 94 95 ScopedCrSKeychainItemAttributesAndData::ScopedCrSKeychainItemAttributesAndData( 96 CrSKeychainItemAttributesAndData* attributes_and_data) 97 : attributes_and_data_(attributes_and_data) { 98 } 99 100 ScopedCrSKeychainItemAttributesAndData:: 101 ~ScopedCrSKeychainItemAttributesAndData() { 102 if (attributes_and_data_.get()) { 103 CrSKeychainItemFreeAttributesAndData( 104 attributes_and_data_->attribute_list, attributes_and_data_->data); 105 } 106 } 107 108 SecKeychainSearchRef CrSKeychainSearchCreateFromAttributes( 109 CFTypeRef keychain_or_array, 110 SecItemClass item_class, 111 const SecKeychainAttributeList* attribute_list) { 112 SecKeychainSearchRef search; 113 OSStatus status = SecKeychainSearchCreateFromAttributes(keychain_or_array, 114 item_class, 115 attribute_list, 116 &search); 117 if (status != errSecSuccess) { 118 OSSTATUS_LOG(ERROR, status); 119 return NULL; 120 } 121 122 return search; 123 } 124 125 SecKeychainItemRef CrSKeychainSearchCopyNext(SecKeychainSearchRef search) { 126 if (!search) { 127 return NULL; 128 } 129 130 SecKeychainItemRef item; 131 OSStatus status = SecKeychainSearchCopyNext(search, &item); 132 if (status != errSecSuccess) { 133 if (status != errSecItemNotFound) { 134 OSSTATUS_LOG(ERROR, status); 135 } 136 return NULL; 137 } 138 139 return item; 140 } 141 142 void CrSKeychainItemFreeAttributesAndData( 143 SecKeychainAttributeList* attribute_list, 144 void* data) { 145 OSStatus status = SecKeychainItemFreeAttributesAndData(attribute_list, data); 146 if (status != errSecSuccess) { 147 OSSTATUS_LOG(ERROR, status); 148 } 149 } 150 151 bool CrSKeychainItemTestAccess(SecKeychainItemRef item) { 152 UInt32 length; 153 void* data; 154 OSStatus status = SecKeychainItemCopyAttributesAndData(item, 155 NULL, 156 NULL, 157 NULL, 158 &length, 159 &data); 160 if (status != errSecSuccess) { 161 if (status != errSecAuthFailed) { 162 OSSTATUS_LOG(ERROR, status); 163 } 164 return false; 165 } 166 167 CrSKeychainItemFreeAttributesAndData(NULL, data); 168 169 return true; 170 } 171 172 SecAccessRef CrSKeychainItemCopyAccess(SecKeychainItemRef item) { 173 SecAccessRef access; 174 OSStatus status = SecKeychainItemCopyAccess(item, &access); 175 if (status != errSecSuccess) { 176 if (status != errSecNoAccessForItem && status != errSecAuthFailed) { 177 OSSTATUS_LOG(ERROR, status); 178 } 179 return NULL; 180 } 181 182 return access; 183 } 184 185 CFArrayRef CrSAccessCopyACLList(SecAccessRef access) { 186 if (!access) { 187 return NULL; 188 } 189 190 CFArrayRef acl_list; 191 OSStatus status = SecAccessCopyACLList(access, &acl_list); 192 if (status != errSecSuccess) { 193 OSSTATUS_LOG(ERROR, status); 194 return NULL; 195 } 196 197 return acl_list; 198 } 199 200 CrSACLSimpleContents* CrSACLCopySimpleContents(SecACLRef acl) { 201 if (!acl) { 202 return NULL; 203 } 204 205 scoped_ptr<CrSACLSimpleContents> acl_simple_contents( 206 new CrSACLSimpleContents()); 207 CFArrayRef application_list; 208 CFStringRef description; 209 OSStatus status = 210 SecACLCopySimpleContents(acl, 211 &application_list, 212 &description, 213 &acl_simple_contents->prompt_selector); 214 if (status != errSecSuccess) { 215 if (status != errSecACLNotSimple) { 216 OSSTATUS_LOG(ERROR, status); 217 } 218 return NULL; 219 } 220 221 acl_simple_contents->application_list.reset(application_list); 222 acl_simple_contents->description.reset(description); 223 224 return acl_simple_contents.release(); 225 } 226 227 SecRequirementRef CrSTrustedApplicationCopyRequirement( 228 SecTrustedApplicationRef application) { 229 if (!application) { 230 return NULL; 231 } 232 233 SecRequirementRef requirement; 234 OSStatus status = SecTrustedApplicationCopyRequirement(application, 235 &requirement); 236 if (status != errSecSuccess) { 237 OSSTATUS_LOG(ERROR, status); 238 return NULL; 239 } 240 241 return requirement; 242 } 243 244 CFStringRef CrSRequirementCopyString(SecRequirementRef requirement, 245 SecCSFlags flags) { 246 if (!requirement) { 247 return NULL; 248 } 249 250 CFStringRef requirement_string; 251 OSStatus status = SecRequirementCopyString(requirement, 252 flags, 253 &requirement_string); 254 if (status != errSecSuccess) { 255 OSSTATUS_LOG(ERROR, status); 256 return NULL; 257 } 258 259 return requirement_string; 260 } 261 262 SecTrustedApplicationRef CrSTrustedApplicationCreateFromPath(const char* path) { 263 SecTrustedApplicationRef application; 264 OSStatus status = SecTrustedApplicationCreateFromPath(path, &application); 265 if (status != errSecSuccess) { 266 OSSTATUS_LOG(ERROR, status); 267 return NULL; 268 } 269 270 return application; 271 } 272 273 bool CrSACLSetSimpleContents(SecACLRef acl, 274 const CrSACLSimpleContents& acl_simple_contents) { 275 OSStatus status = 276 SecACLSetSimpleContents(acl, 277 acl_simple_contents.application_list, 278 acl_simple_contents.description, 279 &acl_simple_contents.prompt_selector); 280 if (status != errSecSuccess) { 281 OSSTATUS_LOG(ERROR, status); 282 return false; 283 } 284 285 return true; 286 } 287 288 SecKeychainRef CrSKeychainItemCopyKeychain(SecKeychainItemRef item) { 289 SecKeychainRef keychain; 290 OSStatus status = SecKeychainItemCopyKeychain(item, &keychain); 291 if (status != errSecSuccess) { 292 OSSTATUS_LOG(ERROR, status); 293 return NULL; 294 } 295 296 return keychain; 297 } 298 299 SecKeychainAttributeInfo* CrSKeychainAttributeInfoForItemID( 300 SecKeychainRef keychain, 301 UInt32 item_id) { 302 SecKeychainAttributeInfo* attribute_info; 303 OSStatus status = SecKeychainAttributeInfoForItemID(keychain, 304 item_id, 305 &attribute_info); 306 if (status != errSecSuccess) { 307 OSSTATUS_LOG(ERROR, status); 308 return NULL; 309 } 310 311 return attribute_info; 312 } 313 314 CrSKeychainItemAttributesAndData* CrSKeychainItemCopyAttributesAndData( 315 SecKeychainRef keychain, 316 SecKeychainItemRef item) { 317 ScopedCrSKeychainItemAttributesAndData attributes_and_data( 318 new CrSKeychainItemAttributesAndData()); 319 OSStatus status = 320 SecKeychainItemCopyAttributesAndData(item, 321 NULL, 322 attributes_and_data.item_class_ptr(), 323 NULL, 324 NULL, 325 NULL); 326 if (status != errSecSuccess) { 327 OSSTATUS_LOG(ERROR, status); 328 return NULL; 329 } 330 331 // This looks really weird, but it's right. See 10.7.3 332 // libsecurity_keychain-55044 lib/SecItem.cpp 333 // _CreateAttributesDictionaryFromKeyItem and 10.7.3 SecurityTool-55002 334 // keychain_utilities.c print_keychain_item_attributes. 335 UInt32 item_id; 336 switch (attributes_and_data.item_class()) { 337 case kSecInternetPasswordItemClass: 338 item_id = CSSM_DL_DB_RECORD_INTERNET_PASSWORD; 339 break; 340 case kSecGenericPasswordItemClass: 341 item_id = CSSM_DL_DB_RECORD_GENERIC_PASSWORD; 342 break; 343 // kSecInternetPasswordItemClass is marked as deprecated in the 10.9 sdk, 344 // but the files in libsecurity_keychain from 10.7 referenced above still 345 // use it. Also see rdar://14281375 / 346 // http://openradar.appspot.com/radar?id=3143412 . 347 #pragma clang diagnostic push 348 #pragma clang diagnostic ignored "-Wdeprecated-declarations" 349 case kSecAppleSharePasswordItemClass: 350 #pragma clang diagnostic pop 351 item_id = CSSM_DL_DB_RECORD_APPLESHARE_PASSWORD; 352 break; 353 default: 354 item_id = attributes_and_data.item_class(); 355 break; 356 } 357 358 ScopedSecKeychainAttributeInfo attribute_info( 359 CrSKeychainAttributeInfoForItemID(keychain, item_id)); 360 if (!attribute_info) { 361 return NULL; 362 } 363 364 status = SecKeychainItemCopyAttributesAndData( 365 item, 366 attribute_info, 367 attributes_and_data.item_class_ptr(), 368 attributes_and_data.attribute_list_ptr(), 369 attributes_and_data.length_ptr(), 370 attributes_and_data.data_ptr()); 371 if (status != errSecSuccess) { 372 OSSTATUS_LOG(ERROR, status); 373 return NULL; 374 } 375 376 return attributes_and_data.release(); 377 } 378 379 bool CrSKeychainItemDelete(SecKeychainItemRef item) { 380 OSStatus status = SecKeychainItemDelete(item); 381 if (status != errSecSuccess) { 382 OSSTATUS_LOG(ERROR, status); 383 return false; 384 } 385 386 return true; 387 } 388 389 SecKeychainItemRef CrSKeychainItemCreateFromContent( 390 const CrSKeychainItemAttributesAndData& attributes_and_data, 391 SecKeychainRef keychain, 392 SecAccessRef access) { 393 SecKeychainItemRef item; 394 OSStatus status = 395 SecKeychainItemCreateFromContent(attributes_and_data.item_class, 396 attributes_and_data.attribute_list, 397 attributes_and_data.length, 398 attributes_and_data.data, 399 keychain, 400 access, 401 &item); 402 if (status != errSecSuccess) { 403 OSSTATUS_LOG(ERROR, status); 404 return NULL; 405 } 406 407 return item; 408 } 409 410 } // namespace chrome 411
