/[resiprocate]/branches/b-directory-reorg/sip/resiprocate/MacSecurity.cxx

Contents of /branches/b-directory-reorg/sip/resiprocate/MacSecurity.cxx



Revision 5271 - (show annotations) (download)
Thu Aug 18 23:43:07 2005 UTC (14 years, 3 months ago) by jason
File size: 6997 byte(s)
new directory reorg proposal
1 #include "resiprocate/MacSecurity.hxx"
2 #include "resiprocate/os/Logger.hxx"
3
4 #include <CoreFoundation/CoreFoundation.h>
5 #include <Security/Security.h>
6
7 #include <openssl/e_os2.h>
8 #include <openssl/evp.h>
9 #include <openssl/crypto.h>
10 #include <openssl/err.h>
11 #include <openssl/pem.h>
12 #include <openssl/pkcs7.h>
13 #include <openssl/ossl_typ.h>
14 #include <openssl/x509.h>
15 #include <openssl/x509v3.h>
16 #include <openssl/ssl.h>
17
18 using namespace resip;
19 using namespace std;
20
21 #define RESIPROCATE_SUBSYSTEM Subsystem::SIP
22
23 int verifyCallback(int iInCode, X509_STORE_CTX *pInStore);
24
void
MacSecurity::preload()
{
   // TODO: this needs to be refactored with WinSecurity.cxx
   // Install the verification callback on the root store first, then
   // populate the store from the system keychain.
   X509_STORE_set_verify_cb_func(mRootCerts, &verifyCallback);
   this->getCerts();
}
34
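// Opens a search handle over the certificates stored in the
// X509Anchors keychain.
//
// Returns the SecKeychainSearchRef (as a KeychainHandle) that the
// caller must release via closeCertifStore(), or NULL after logging
// if either the keychain or the search could not be created.
KeychainHandle
MacSecurity::openSystemCertStore()
{
   // The ROOT certificates we're interested in are stored
   // in the X509Anchors keychain

   // NOTE: instead of hardcoding the "/System" portion of the path
   // we could retrieve it using ::FSFindFolder instead. But it
   // doesn't seem useful right now.
   SecKeychainRef systemCertsKeyChain = NULL;
   OSStatus status = ::SecKeychainOpen(
      "/System/Library/Keychains/X509Anchors",
      &systemCertsKeyChain
   );

   if (status != noErr || systemCertsKeyChain == NULL)
   {
      // Include the OSStatus so the failure can be diagnosed from logs.
      ErrLog( << "X509Anchors keychain could not be opened, error code: " << status);
      assert(0);
      return NULL;
   }

   // Create a handle to search that iterates over root certificates
   // in the X509Anchors keychain
   SecKeychainSearchRef searchReference = NULL;
   status = ::SecKeychainSearchCreateFromAttributes(
      systemCertsKeyChain,
      kSecCertificateItemClass,
      NULL,
      &searchReference
   );

   // Now that we have the search handle we don't need an explicit
   // reference to the keychain
   ::CFRelease(systemCertsKeyChain);

   if (status != noErr || searchReference == NULL)
   {
      // Don't leak a search handle that was created despite an error status.
      if (searchReference != NULL)
      {
         ::CFRelease(searchReference);
      }
      ErrLog( << "System certificate store cannot be opened, error code: " << status);
      assert(0);
      return NULL;
   }

   InfoLog( << "System certificate store opened");
   return searchReference;
}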
87
void
MacSecurity::closeCertifStore(KeychainHandle searchReference)
{
   // A NULL handle is the failure value of openSystemCertStore(); CFRelease
   // must not be called on it, so it is simply ignored.
   if (searchReference)
   {
      ::CFRelease(searchReference);
   }
}
96
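// Loads every certificate from the system anchor keychain into the
// root certificate store via addCertDER(). Enumeration stops on the
// first failure of the search itself (retrying a failed search would
// only repeat the failure); a failure to read a single item is
// logged and the remaining items are still processed.
void
MacSecurity::getCerts()
{
   SecKeychainSearchRef searchReference =
      (SecKeychainSearchRef) openSystemCertStore();

   // nothing to do, error already reported
   if (searchReference == NULL)
      return;

   // iterate over each certificate
   for (;;)
   {
      SecKeychainItemRef itemRef = NULL;

      // get the next certificate in the search
      OSStatus status = ::SecKeychainSearchCopyNext(
         searchReference,
         &itemRef
      );
      if (status == errSecItemNotFound)
      {
         // no more certificates left
         break;
      }

      if (status != noErr || itemRef == NULL)
      {
         // The search handle itself failed: looping again would never
         // make progress, so stop enumerating instead of spinning.
         ErrLog( << "Couldn't enumerate certificates, error code: " << status);
         if (itemRef != NULL)
            ::CFRelease(itemRef);
         assert(0);
         break;
      }

      // get data from the certificate
      void *data = NULL;
      UInt32 dataSize = 0;
      status = ::SecKeychainItemCopyAttributesAndData(
         itemRef,
         NULL,
         NULL,
         NULL,
         &dataSize,
         &data
      );

      if (status == noErr && data != NULL)
      {
         // Borrow the buffer: it is owned by the keychain item and is
         // released right after addCertDER() returns.
         Data certDER(Data::Borrow, (const char*)data, dataSize);
         addCertDER(BaseSecurity::RootCert, NULL, certDER, false);

         status = ::SecKeychainItemFreeAttributesAndData(NULL, data);
      }

      // free the certificate handle
      ::CFRelease(itemRef);

      if (status != noErr)
      {
         // there was an error loading this certificate; continue with the next
         ErrLog( << "Couldn't load certificate, error code: " << status);
         assert(0);
      }
   }

   closeCertifStore(searchReference);
}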
161
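// TODO: this needs to be refactored with WinSecurity.cxx
//
// OpenSSL certificate verification callback.
//
// iInCode is OpenSSL's verdict for the certificate currently being
// checked (non-zero = ok). pInStore is the verification context.
//
// The callback only logs a diagnostic on failure and returns iInCode
// unchanged: returning anything else would override OpenSSL's chain
// validation, so it must never report a failed certificate as accepted.
int
verifyCallback(int iInCode, X509_STORE_CTX *pInStore)
{
   // Zero-initialised so the subject buffer is a valid (empty) string even
   // when there is no current certificate.
   char cBuf1[500] = "";
   char cBuf2[500] = "";

   X509 *pErrCert = X509_STORE_CTX_get_current_cert(pInStore);
   int iErr = X509_STORE_CTX_get_error(pInStore);
   int iDepth = X509_STORE_CTX_get_error_depth(pInStore);

   if (NULL != pErrCert)
   {
      // Bound by the real buffer size rather than a smaller literal.
      X509_NAME_oneline(X509_get_subject_name(pErrCert), cBuf1, sizeof(cBuf1));
   }

   if (!iInCode)
   {
      // Use the accessor (iErr) rather than reaching into the context struct.
      snprintf(cBuf2, sizeof(cBuf2), "depth=%d %s Error %s",
               iDepth, cBuf1, X509_verify_cert_error_string(iErr));
      ErrLog( << "Certificate verification failed: " << cBuf2);
   }

   return iInCode;
}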
187 /* ====================================================================
188 * The Vovida Software License, Version 1.0
189 *
190 * Copyright (c) 2000 Vovida Networks, Inc. All rights reserved.
191 *
192 * Redistribution and use in source and binary forms, with or without
193 * modification, are permitted provided that the following conditions
194 * are met:
195 *
196 * 1. Redistributions of source code must retain the above copyright
197 * notice, this list of conditions and the following disclaimer.
198 *
199 * 2. Redistributions in binary form must reproduce the above copyright
200 * notice, this list of conditions and the following disclaimer in
201 * the documentation and/or other materials provided with the
202 * distribution.
203 *
204 * 3. The names "VOCAL", "Vovida Open Communication Application Library",
205 * and "Vovida Open Communication Application Library (VOCAL)" must
206 * not be used to endorse or promote products derived from this
207 * software without prior written permission. For written
208 * permission, please contact vocal@vovida.org.
209 *
210 * 4. Products derived from this software may not be called "VOCAL", nor
211 * may "VOCAL" appear in their name, without prior written
212 * permission of Vovida Networks, Inc.
213 *
214 * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
215 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
216 * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND
217 * NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT SHALL VOVIDA
218 * NETWORKS, INC. OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT DAMAGES
219 * IN EXCESS OF $1,000, NOR FOR ANY INDIRECT, INCIDENTAL, SPECIAL,
220 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
221 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
222 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
223 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
224 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
225 * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
226 * DAMAGE.
227 *
228 * ====================================================================
229 *
230 * This software consists of voluntary contributions made by Vovida
231 * Networks, Inc. and many individuals on behalf of Vovida Networks,
232 * Inc. For more information on Vovida Networks, Inc., please see
233 * <http://www.vovida.org/>.
234 *
235 */

Properties

Name Value
svn:eol-style LF
