[rt-commit] r167 - /redwax-tool/trunk/redwax_keychain.c
Mon Jan 29 22:32:56 CET 2024
Author: minfrin at redwax.eu
Date: Mon Jan 29 22:32:55 2024
New Revision: 167
Log:
Match the --keychain-in parameter to the path of the keychain.
Modified:
redwax-tool/trunk/redwax_keychain.c
Modified: redwax-tool/trunk/redwax_keychain.c
==============================================================================
--- redwax-tool/trunk/redwax_keychain.c (original)
+++ redwax-tool/trunk/redwax_keychain.c Mon Jan 29 22:32:55 2024
@@ -37,6 +37,7 @@
typedef struct {
unsigned int in:1;
+ SecKeychainRef keychain;
} keychain_config_t;
typedef struct {
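Review bot: The new `keychain` field is undocumented, and its meaning is only discoverable from the later hunks, where a NULL value selects the default all-keychains query and a non-NULL value is passed as `kSecUseKeychain`. Add `SecKeychainRef keychain; /* keychain chosen by --keychain-in; NULL searches every keychain in the search list */`, and say who owns the reference, because the last hunk stores it without retaining it.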
@@ -85,41 +86,128 @@
}
static apr_status_t redwax_keychain_complete_keychain_in(redwax_tool_t *r,
- const char *url, apr_hash_t *urls)
-{
+ const char *url, apr_hash_t *paths)
+{
+ SecPreferencesDomain domains[] = { kSecPreferencesDomainUser,
+ kSecPreferencesDomainSystem, kSecPreferencesDomainCommon,
+ kSecPreferencesDomainDynamic };
+
+ OSStatus err;
+
+ CFArrayRef searchList = NULL;
+
+ CFIndex count;
+ CFIndex i, j;
+
+ apr_hash_set(paths, "*", APR_HASH_KEY_STRING, "*");
+
+ for (i = 0; i < (sizeof(domains) / sizeof(SecPreferencesDomain)); i++) {
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+ err = SecKeychainCopyDomainSearchList(domains[i], &searchList);
+#pragma GCC diagnostic pop
+
+ count = CFArrayGetCount(searchList);
+
+ for (j = 0; j < count; j++) {
+
+ const char *name;
+ char buffer[1024];
+ UInt32 len = sizeof(buffer);
+
+ SecKeychainRef kref = (SecKeychainRef) CFArrayGetValueAtIndex(searchList, j);
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+ err = SecKeychainGetPath(kref, &len, buffer);
+#pragma GCC diagnostic pop
+
+ if (err == errSecSuccess) {
+
+ name = apr_pstrndup(r->pool, buffer, len);
+
+ apr_hash_set(paths, name, APR_HASH_KEY_STRING, name);
+
+ }
+
+ }
+
+ }
+
return OK;
}
-static apr_status_t redwax_keychain_process_certificates(redwax_tool_t *r,
- const char *name)
-{
+static apr_status_t redwax_keychain_process_certificates(redwax_tool_t *r)
+{
+ CFDictionaryRef query;
CFTypeRef certs = NULL;
CFIndex count;
CFIndex i;
- CFStringRef keys[] = {
- kSecClass,
- kSecMatchLimit,
- kSecReturnRef
- };
-
- CFTypeRef values[] = {
- kSecClassCertificate,
- kSecMatchLimitAll,
- kCFBooleanTrue
- };
-
- CFDictionaryRef query = CFDictionaryCreate(
- NULL,
- (const void **) keys,
- values,
- sizeof(keys) / sizeof(keys[0]),
- &kCFTypeDictionaryKeyCallBacks,
- &kCFTypeDictionaryValueCallBacks
- );
-
- OSStatus err = SecItemCopyMatching(query, &certs);
+ OSStatus err;
+
+ keychain_config_t *config;
+
+ config = redwax_get_module_config(r->per_module, &keychain_module);
+
+ if (!config->keychain) {
+
+ CFStringRef keys[] = {
+ kSecClass,
+ kSecMatchLimit,
+ kSecReturnRef
+ };
+
+ CFTypeRef values[] = {
+ kSecClassCertificate,
+ kSecMatchLimitAll,
+ kCFBooleanTrue
+ };
+
+ query = CFDictionaryCreate(
+ NULL,
+ (const void **) keys,
+ values,
+ sizeof(keys) / sizeof(keys[0]),
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks
+ );
+
+ }
+ else {
+
+ CFStringRef keys[] = {
+ kSecClass,
+ kSecMatchLimit,
+ kSecUseKeychain,
+ kSecReturnRef
+ };
+
+ CFTypeRef values[] = {
+ kSecClassCertificate,
+ kSecMatchLimitAll,
+ config->keychain,
+ kCFBooleanTrue
+ };
+
+ query = CFDictionaryCreate(
+ NULL,
+ (const void **) keys,
+ values,
+ sizeof(keys) / sizeof(keys[0]),
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks
+ );
+
+ }
+
+ // SecKeychainRef keychain = NULL;
+ // kSecUseKeychain - search by keychain
+
+
+ err = SecItemCopyMatching(query, &certs);
if (err != errSecSuccess) {
CFStringRef error = SecCopyErrorMessageString(err, NULL);
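Review bot: The OSStatus returned at `err = SecKeychainCopyDomainSearchList(domains[i], &searchList);` is never inspected, so on failure `searchList` stays NULL and the following `CFArrayGetCount(searchList)` dereferences it; the same pattern appears in the last hunk (`@@ -498,16 +584,67 @@`). Each iteration also overwrites `searchList` without releasing the previous array, which a Copy-suffixed CoreFoundation call returns owned by the caller, so four arrays are leaked per call. Add `if (err != errSecSuccess || !searchList) { continue; }` after the call and `CFRelease(searchList); searchList = NULL;` at the end of the outer loop body. In `redwax_keychain_process_certificates`, whose body continues past the hunk, the commented-out lines `// SecKeychainRef keychain = NULL;` and `// kSecUseKeychain - search by keychain` look like development leftovers and should be dropped, and `query` is built from two near-identical key/value tables that differ only by `kSecUseKeychain` — one table filled conditionally would be easier to keep in sync.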
@@ -221,8 +309,7 @@
return APR_SUCCESS;
}
-static apr_status_t redwax_keychain_process_trusted(redwax_tool_t *r,
- const char *name)
+static apr_status_t redwax_keychain_process_trusted(redwax_tool_t *r)
{
CFArrayRef trusted = NULL;
@@ -311,8 +398,7 @@
*
* The current mechanism pulls keys in the search_key hook.
*/
-static apr_status_t redwax_keychain_process_keys(redwax_tool_t *r,
- const char *name)
+static apr_status_t redwax_keychain_process_keys(redwax_tool_t *r)
{
CFTypeRef keys = NULL;
@@ -498,16 +584,67 @@
config->in = 1;
- if (APR_SUCCESS != (status = redwax_keychain_process_certificates(r, name))) {
+ if (strcmp(name, "*")) {
+
+ SecPreferencesDomain domains[] = { kSecPreferencesDomainUser,
+ kSecPreferencesDomainSystem, kSecPreferencesDomainCommon,
+ kSecPreferencesDomainDynamic };
+
+ OSStatus err;
+
+ CFArrayRef searchList = NULL;
+
+ CFIndex count;
+ CFIndex i, j;
+
+ for (i = 0; i < (sizeof(domains) / sizeof(SecPreferencesDomain)); i++) {
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+ err = SecKeychainCopyDomainSearchList(domains[i], &searchList);
+#pragma GCC diagnostic pop
+
+ count = CFArrayGetCount(searchList);
+
+ for (j = 0; j < count; j++) {
+
+ char buffer[1024];
+ UInt32 len = sizeof(buffer);
+
+ SecKeychainRef kref = (SecKeychainRef) CFArrayGetValueAtIndex(searchList, j);
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+ err = SecKeychainGetPath(kref, &len, buffer);
+#pragma GCC diagnostic pop
+
+ if (err == errSecSuccess && !strncmp(name, buffer, sizeof(buffer))) {
+
+ config->keychain = kref;
+
+ goto found;
+ }
+
+ }
+
+ }
+
+ redwax_print_error(r, "keychain-in: name '%s' not recognised, use '*' for all.\n", name);
+ return APR_EINVAL;
+ }
+
+found:
+
+ if (APR_SUCCESS != (status = redwax_keychain_process_certificates(r))) {
return status;
}
- if (APR_SUCCESS != (status = redwax_keychain_process_trusted(r, name))) {
+ if (APR_SUCCESS != (status = redwax_keychain_process_trusted(r))) {
return status;
}
#if 0
- if (APR_SUCCESS != (status = redwax_keychain_process_keys(r, name))) {
+ if (APR_SUCCESS != (status = redwax_keychain_process_keys(r))) {
return status;
}
#endif
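Review bot: `config->keychain = kref;` stores a pointer borrowed from `searchList` without a `CFRetain`, so the stored reference stays valid only because the search list is never released; once that leak is fixed, the `kSecUseKeychain` query in `redwax_keychain_process_certificates` would be handed a dangling reference. Retain the reference when storing it and release the search list both on the found path and at the end of each domain iteration (the unchecked `err` from `SecKeychainCopyDomainSearchList` is raised on the earlier hunk). The `strncmp(name, buffer, sizeof(buffer))` comparison is an exact match against the path reported by `SecKeychainGetPath`, so a user-supplied path that differs only by a trailing slash or a symlink falls through to the `not recognised` error; a comment or a hint in the error message would save users a round trip. The enclosing function starts before this hunk.
```c
        /* … unchanged: SecKeychainCopyDomainSearchList / SecKeychainGetPath calls … */
            if (err == errSecSuccess && !strncmp(name, buffer, sizeof(buffer))) {
                /* the search list is released below, so keep our own reference */
                config->keychain = (SecKeychainRef) CFRetain(kref);
                CFRelease(searchList);
                goto found;
            }
        }
        CFRelease(searchList);
        searchList = NULL;
    }
```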