// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/mac/keychain_reauthorize.h"
#import <Foundation/Foundation.h>
#include <Security/Security.h>
#include <algorithm>
#include <string>
#include <vector>
#include "base/basictypes.h"
#include "base/mac/foundation_util.h"
#include "base/mac/scoped_cftyperef.h"
#include "base/memory/scoped_ptr.h"
#include "base/metrics/histogram.h"
#include "base/strings/stringprintf.h"
#include "base/strings/sys_string_conversions.h"
#include "chrome/browser/mac/security_wrappers.h"
namespace chrome {
namespace {
// Returns the requirement string embedded within a SecTrustedApplicationRef,
// or an empty string on error.
std::string RequirementStringForApplication(
SecTrustedApplicationRef application);
// Returns the set of requirement strings that ought to be reauthorized. In a
// bundled application, the requirement string from |application| will also be
// added to the hard-coded list. This allows an at-launch reauthorization to
// re-reauthorize anything done by a previous at-update reauthorization.
// Although items reauthorized during the at-update step will work properly in
// every way, they contain a reference to the missing reauthorization stub
// executable from the disk image in the Keychain, resulting in no icon and
// a weird name like "com.google" (non-Canary) or "com.google.Chrome"
// (Canary). Because reauthorization is controlled by a preference that limits
// it to a single successful run at update and a single successful run at
// launch, protection already exists against perpetually reauthorizing items.
// This addition exists simply to make the Keychain Access UI match
// expectations.
std::vector<std::string> GetRequirementMatches(
SecTrustedApplicationRef application);
// Reauthorizes an ACL by examining all of the applications it names, and upon
// finding any whose requirement matches any element of requirement_matches,
// replaces them with this_application. At most one instance of
// this_application will be added to the ACL. Subsequent applications whose
// requirement matches any element of requirement_matches will be removed from
// the ACL. Only the ACL is changed, nothing is written to disk. Returns true
// if any reauthorization is performed and thus acl is modified, and false
// otherwise.
bool ReauthorizeACL(
SecACLRef acl,
const std::vector<std::string>& requirement_matches,
SecTrustedApplicationRef this_application);
// Reauthorizes a list of ACLs by calling ReauthorizeACL for each ACL in the
// list. Only the ACL list is changed, nothing is written to disk. Returns
// true if ReauthorizeTrue returns true for any ACL in acl_list, indicating
// that at least one ACL in acl_list was modified and thus at least one child
// child of acl_list was reauthorized.
bool ReauthorizeACLList(
CFArrayRef acl_list,
const std::vector<std::string>& requirement_matches,
SecTrustedApplicationRef this_application);
// Reauthorizes a SecKeychainItemRef by calling ReauthorizeACLList to perform
// reauthorization on all ACLs that it contains. Nothing is written to disk.
// If any reauthorization was performed, returns a CrSKeychainItemAndAccess
// object containing the item and its access information. Otherwise, returns
// NULL.
CrSKeychainItemAndAccess* KCItemToKCItemAndReauthorizedAccess(
SecKeychainItemRef item,
const std::vector<std::string>& requirement_matches,
SecTrustedApplicationRef this_application);
// Reauthorizes multiple Keychain items by calling
// KCItemToKCItemAndReauthorizedAccess for each item returned by a Keychain
// search. Nothing is written to disk. Reauthorized items are returned.
std::vector<CrSKeychainItemAndAccess> KCSearchToKCItemsAndReauthorizedAccesses(
SecKeychainSearchRef search,
const std::vector<std::string>& requirement_matches,
SecTrustedApplicationRef this_application);
// Given a SecKeychainAttributeList, strips out any zero-length attributes and
// returns a vector containing the remaining attributes.
std::vector<SecKeychainAttribute> KCAttributesWithoutZeroLength(
SecKeychainAttributeList* old_attribute_list);
// Given a CrSKeychainItemAndAccess that has had its access field
// reauthorized, places the reauthorized form into the Keychain by deleting
// the old item and replacing it with a new one whose access policy matches
// the reauthorized form. The new item is written to disk and becomes part of
// the Keychain, replacing what had been there previously.
void WriteKCItemAndReauthorizedAccess(
const CrSKeychainItemAndAccess& item_and_reauthorized_access);
// Given a vector of CrSKeychainItemAndAccess objects, places the reauthorized
// forms of all of them into the Keychain by calling
// WriteKCItemAndReauthorizedAccess for each. The new items are written to
// disk and become part of the Keychain, replacing what had been there
// previously.
void WriteKCItemsAndReauthorizedAccesses(
const std::vector<CrSKeychainItemAndAccess>&
items_and_reauthorized_accesses);
} // namespace
void KeychainReauthorize() {
ScopedSecKeychainSetUserInteractionAllowed user_interaction_allowed(FALSE);
// Apple's documentation (Keychain Services Reference, Constants/Mac OS X
// Keychain Services API Constants/Keychain Item Class Constants) says to
// use CSSM_DL_DB_RECORD_ALL_KEYS, but that doesn't work.
// CSSM_DL_DB_RECORD_ANY (as used by SecurityTool's keychain-dump) does
// work.
base::ScopedCFTypeRef<SecKeychainSearchRef> search(
CrSKeychainSearchCreateFromAttributes(NULL, CSSM_DL_DB_RECORD_ANY, NULL));
base::ScopedCFTypeRef<SecTrustedApplicationRef> this_application(
CrSTrustedApplicationCreateFromPath(NULL));
std::vector<std::string> requirement_matches =
GetRequirementMatches(this_application);
std::vector<CrSKeychainItemAndAccess> items_and_reauthorized_accesses =
KCSearchToKCItemsAndReauthorizedAccesses(search,
requirement_matches,
this_application);
WriteKCItemsAndReauthorizedAccesses(items_and_reauthorized_accesses);
}
void KeychainReauthorizeIfNeeded(NSString* pref_key, int max_tries) {
NSUserDefaults* user_defaults = [NSUserDefaults standardUserDefaults];
int pref_value = [user_defaults integerForKey:pref_key];
if (pref_value < max_tries) {
if (pref_value > 0) {
// Logs the number of previous tries that didn't complete.
if (base::mac::AmIBundled()) {
UMA_HISTOGRAM_COUNTS("OSX.KeychainReauthorizeIfNeeded", pref_value);
} else {
UMA_HISTOGRAM_COUNTS("OSX.KeychainReauthorizeIfNeededAtUpdate",
pref_value);
}
}
++pref_value;
[user_defaults setInteger:pref_value forKey:pref_key];
[user_defaults synchronize];
KeychainReauthorize();
[user_defaults setInteger:max_tries forKey:pref_key];
NSString* success_pref_key = [pref_key stringByAppendingString:@"Success"];
[user_defaults setBool:YES forKey:success_pref_key];
[user_defaults synchronize];
// Logs the try number (1, 2) that succeeded.
if (base::mac::AmIBundled()) {
UMA_HISTOGRAM_COUNTS("OSX.KeychainReauthorizeIfNeededSuccess",
pref_value);
} else {
UMA_HISTOGRAM_COUNTS("OSX.KeychainReauthorizeIfNeededAtUpdateSuccess",
pref_value);
}
}
}
namespace {
std::string RequirementStringForApplication(
SecTrustedApplicationRef application) {
base::ScopedCFTypeRef<SecRequirementRef> requirement(
CrSTrustedApplicationCopyRequirement(application));
base::ScopedCFTypeRef<CFStringRef> requirement_string_cf(
CrSRequirementCopyString(requirement, kSecCSDefaultFlags));
if (!requirement_string_cf) {
return std::string();
}
std::string requirement_string =
base::SysCFStringRefToUTF8(requirement_string_cf);
return requirement_string;
}
std::vector<std::string> GetRequirementMatches(
SecTrustedApplicationRef application) {
// See the designated requirement for a signed released build:
// codesign -d -r- "Google Chrome.app"
//
// Export the certificates from a signed released build:
// codesign -v --extract-certificates=/tmp/cert. "Google Chrome.app"
// (The extracted leaf certificate is at /tmp/cert.0; intermediates and root
// are at successive numbers.)
//
// Show some information about the exported certificates:
// openssl x509 -inform DER -in /tmp/cert.0 -noout -text -fingerprint
// (The "SHA1 Fingerprint" value printed by -fingerprint should match the
// hash used in a codesign designated requirement after allowing for obvious
// formatting differences.)
const char* const kIdentifierMatches[] = {
#if defined(GOOGLE_CHROME_BUILD)
"com.google.Chrome",
"com.google.Chrome.canary",
#else
"org.chromium.Chromium",
#endif
};
const char* const kLeafCertificateHashMatches[] = {
// Only official released builds of Google Chrome have ever been signed
// (with a certificate that anyone knows about or cares about).
#if defined(GOOGLE_CHROME_BUILD)
// This is the new certificate that has not yet been used to sign Chrome,
// but will be. Once used, the reauthorization code will become obsolete
// until it's needed for some other purpose in the future.
// Subject: UID=EQHXZ8M8AV, CN=Developer ID Application: Google Inc.,
// OU=EQHXZ8M8AV, O=Google Inc., C=US
// Issuer: CN=Developer ID Certification Authority,
// OU=Apple Certification Authority, O=Apple Inc., C=US
// Validity: 2012-04-26 14:10:10 UTC to 2017-04-27 14:10:10 UTC
// "85cee8254216185620ddc8851c7a9fc4dfe120ef",
// This certificate was used on 2011-12-20 and 2011-12-21, but the "since
// 2010-07-19" one below was restored afterwards as an interim fix to the
// Keychain authorization problem. See http://crbug.com/108238 and
// http://crbug.com/62605.
// Subject: C=US, ST=California, L=Mountain View, O=Google Inc,
// OU=Digital ID Class 3 - Java Object Signing, CN=Google Inc
// Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
// OU=Terms of use at https://www.verisign.com/rpa (c)10,
// CN=VeriSign Class 3 Code Signing 2010 CA
// Validity: 2011-11-14 00:00:00 UTC to 2014-11-13 23:59:59 UTC
"06c92bec3bbf32068cb9208563d004169448ee21",
// This certificate has been used since 2010-07-19, except for the brief
// period when the certificate above was used.
// Subject: C=US, ST=California, L=Mountain View, O=Google Inc,
// OU=Digital ID Class 3 - Java Object Signing, CN=Google Inc
// Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
// OU=Terms of use at https://www.verisign.com/rpa (c)09,
// CN=VeriSign Class 3 Code Signing 2009-2 CA
// Validity: 2010-02-22 00:00:00 UTC to 2012-02-22 23:59:59 UTC
"9481882581d8178db8b1649c0eaa4f9eb11288f0",
// This certificate was used for all public Chrome releases prior to
// 2010-07-19.
// Subject: C=US, ST=California, L=Mountain View, O=Google Inc,
// OU=Digital ID Class 3 - Netscape Object Signing, CN=Google Inc
// Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network,
// OU=Terms of use at https://www.verisign.com/rpa (c)04,
// CN=VeriSign Class 3 Code Signing 2004 CA
// Validity: 2007-06-19 00:00:00 UTC to 2010-06-18 23:59:59 UTC
"fe5008fe0da7a2033816752d6eafe95214f5a7e1",
#endif
};
std::vector<std::string> requirement_matches;
requirement_matches.reserve(arraysize(kIdentifierMatches) *
ARRAYSIZE_UNSAFE(kLeafCertificateHashMatches));
for (size_t identifier_index = 0;
identifier_index < arraysize(kIdentifierMatches);
++identifier_index) {
for (size_t leaf_certificate_hash_index = 0;
leaf_certificate_hash_index <
ARRAYSIZE_UNSAFE(kLeafCertificateHashMatches);
++leaf_certificate_hash_index) {
requirement_matches.push_back(base::StringPrintf(
"identifier \"%s\" and certificate leaf = H\"%s\"",
kIdentifierMatches[identifier_index],
kLeafCertificateHashMatches[leaf_certificate_hash_index]));
}
}
if (application && base::mac::AmIBundled()) {
std::string application_requirement =
RequirementStringForApplication(application);
requirement_matches.push_back(application_requirement);
}
return requirement_matches;
}
std::vector<CrSKeychainItemAndAccess> KCSearchToKCItemsAndReauthorizedAccesses(
SecKeychainSearchRef search,
const std::vector<std::string>& requirement_matches,
SecTrustedApplicationRef this_application) {
std::vector<CrSKeychainItemAndAccess> items_and_accesses;
base::ScopedCFTypeRef<SecKeychainItemRef> item;
while (item.reset(CrSKeychainSearchCopyNext(search)), item) {
scoped_ptr<CrSKeychainItemAndAccess> item_and_access(
KCItemToKCItemAndReauthorizedAccess(item,
requirement_matches,
this_application));
if (item_and_access.get()) {
items_and_accesses.push_back(*item_and_access);
}
}
return items_and_accesses;
}
CrSKeychainItemAndAccess* KCItemToKCItemAndReauthorizedAccess(
SecKeychainItemRef item,
const std::vector<std::string>& requirement_matches,
SecTrustedApplicationRef this_application) {
if (!CrSKeychainItemTestAccess(item)) {
return NULL;
}
base::ScopedCFTypeRef<SecAccessRef> access(CrSKeychainItemCopyAccess(item));
base::ScopedCFTypeRef<CFArrayRef> acl_list(CrSAccessCopyACLList(access));
if (!acl_list) {
return NULL;
}
bool acl_list_modified = ReauthorizeACLList(acl_list,
requirement_matches,
this_application);
if (!acl_list_modified) {
return NULL;
}
return new CrSKeychainItemAndAccess(item, access);
}
bool ReauthorizeACLList(
CFArrayRef acl_list,
const std::vector<std::string>& requirement_matches,
SecTrustedApplicationRef this_application) {
bool acl_list_modified = false;
CFIndex acl_count = CFArrayGetCount(acl_list);
for (CFIndex acl_index = 0; acl_index < acl_count; ++acl_index) {
SecACLRef acl = base::mac::CFCast<SecACLRef>(
CFArrayGetValueAtIndex(acl_list, acl_index));
if (!acl) {
continue;
}
if (ReauthorizeACL(acl, requirement_matches, this_application)) {
acl_list_modified = true;
}
}
return acl_list_modified;
}
bool ReauthorizeACL(
SecACLRef acl,
const std::vector<std::string>& requirement_matches,
SecTrustedApplicationRef this_application) {
scoped_ptr<CrSACLSimpleContents> acl_simple_contents(
CrSACLCopySimpleContents(acl));
if (!acl_simple_contents.get() ||
!acl_simple_contents->application_list) {
return false;
}
CFMutableArrayRef application_list_mutable = NULL;
bool added_this_application = false;
CFIndex application_count =
CFArrayGetCount(acl_simple_contents->application_list);
for (CFIndex application_index = 0;
application_index < application_count;
++application_index) {
SecTrustedApplicationRef application =
base::mac::CFCast<SecTrustedApplicationRef>(
CFArrayGetValueAtIndex(acl_simple_contents->application_list,
application_index));
std::string requirement_string =
RequirementStringForApplication(application);
if (requirement_string.empty()) {
continue;
}
if (std::find(requirement_matches.begin(),
requirement_matches.end(),
requirement_string) != requirement_matches.end()) {
if (!application_list_mutable) {
application_list_mutable =
CFArrayCreateMutableCopy(NULL,
application_count,
acl_simple_contents->application_list);
acl_simple_contents->application_list.reset(
application_list_mutable);
}
if (!added_this_application) {
CFArraySetValueAtIndex(application_list_mutable,
application_index,
this_application);
added_this_application = true;
} else {
// Even though it's more bookkeeping to walk a list in the forward
// direction when there are removals, it's done here anyway to
// keep this_application at the position of the first match.
CFArrayRemoveValueAtIndex(application_list_mutable,
application_index);
--application_index;
--application_count;
}
}
}
if (!application_list_mutable) {
return false;
}
if (!CrSACLSetSimpleContents(acl, *acl_simple_contents.get())) {
return false;
}
return true;
}
void WriteKCItemsAndReauthorizedAccesses(
const std::vector<CrSKeychainItemAndAccess>&
items_and_reauthorized_accesses) {
for (std::vector<CrSKeychainItemAndAccess>::const_iterator iterator =
items_and_reauthorized_accesses.begin();
iterator != items_and_reauthorized_accesses.end();
++iterator) {
WriteKCItemAndReauthorizedAccess(*iterator);
}
}
void WriteKCItemAndReauthorizedAccess(
const CrSKeychainItemAndAccess& item_and_reauthorized_access) {
SecKeychainItemRef old_item = item_and_reauthorized_access.item();
base::ScopedCFTypeRef<SecKeychainRef> keychain(
CrSKeychainItemCopyKeychain(old_item));
ScopedCrSKeychainItemAttributesAndData old_attributes_and_data(
CrSKeychainItemCopyAttributesAndData(keychain, old_item));
if (!old_attributes_and_data.get()) {
return;
}
// CrSKeychainItemCreateFromContent (SecKeychainItemCreateFromContent)
// returns errKCNoSuchAttr (errSecNoSuchAttr) when asked to add an item of
// type kSecPrivateKeyItemClass. This would happen after the original
// private key was deleted, resulting in data loss. I can't figure out how
// SecKeychainItemCreateFromContent wants private keys added. Skip them,
// only doing the reauthorization for Keychain item types known to work,
// the item types expected to be used by most users and those that are
// synced. See http://crbug.com/130738 and
// http://lists.apple.com/archives/apple-cdsa/2006/Jan/msg00025.html .
switch (old_attributes_and_data.item_class()) {
case kSecInternetPasswordItemClass:
case kSecGenericPasswordItemClass:
break;
default:
return;
}
// SecKeychainItemCreateFromContent fails if any attribute is zero-length,
// but old_attributes_and_data can contain zero-length attributes. Create
// a new attribute list devoid of zero-length attributes.
//
// This is awkward: only the logic to build the
// std::vector<SecKeychainAttribute> is in KCAttributesWithoutZeroLength
// because the storage used for the new attribute list (the vector) needs to
// persist through the lifetime of this function.
// KCAttributesWithoutZeroLength doesn't return a
// CrSKeychainItemAttributesAndData (which could be held here in a
// ScopedCrSKeychainItemAttributesAndData) because it's more convenient to
// build the attribute list using std::vector and point the data at the copy
// in old_attributes_and_data, thus making nothing in new_attributes a
// strongly-held reference.
std::vector<SecKeychainAttribute> new_attributes =
KCAttributesWithoutZeroLength(old_attributes_and_data.attribute_list());
SecKeychainAttributeList new_attribute_list;
new_attribute_list.count = new_attributes.size();
new_attribute_list.attr =
new_attribute_list.count ? &new_attributes[0] : NULL;
CrSKeychainItemAttributesAndData new_attributes_and_data =
*old_attributes_and_data.get();
new_attributes_and_data.attribute_list = &new_attribute_list;
// Delete the item last, to give everything else above a chance to bail
// out early, and to ensure that the old item is still present while it
// may still be used by the above code.
if (!CrSKeychainItemDelete(old_item)) {
return;
}
base::ScopedCFTypeRef<SecKeychainItemRef> new_item(
CrSKeychainItemCreateFromContent(new_attributes_and_data,
keychain,
item_and_reauthorized_access.access()));
}
std::vector<SecKeychainAttribute> KCAttributesWithoutZeroLength(
SecKeychainAttributeList* old_attribute_list) {
UInt32 old_attribute_count = old_attribute_list->count;
std::vector<SecKeychainAttribute> new_attributes;
new_attributes.reserve(old_attribute_count);
for (UInt32 old_attribute_index = 0;
old_attribute_index < old_attribute_count;
++old_attribute_index) {
SecKeychainAttribute* attribute =
&old_attribute_list->attr[old_attribute_index];
if (attribute->length) {
new_attributes.push_back(*attribute);
}
}
return new_attributes;
}
} // namespace
} // namespace chrome