forked from Silverfish/proton-bridge
157 lines
4.6 KiB
Go
157 lines
4.6 KiB
Go
// Copyright (c) 2023 Proton AG
|
|
//
|
|
// This file is part of Proton Mail Bridge.
|
|
//
|
|
// Proton Mail Bridge is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// Proton Mail Bridge is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU General Public License
|
|
// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package certs
|
|
|
|
/*
|
|
#cgo CFLAGS: -x objective-c
|
|
#cgo LDFLAGS: -framework Foundation -framework Security
|
|
#import <Foundation/Foundation.h>
|
|
#import <Security/Security.h>
|
|
|
|
|
|
int installTrustedCert(char const *bytes, unsigned long long length) {
|
|
if (length == 0) {
|
|
return errSecInvalidData;
|
|
}
|
|
|
|
NSData *der = [NSData dataWithBytes:bytes length:length];
|
|
|
|
// Step 1. Import the certificate in the keychain.
|
|
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (CFDataRef) der);
|
|
NSDictionary* addQuery = @{
|
|
(id)kSecValueRef: (__bridge id) cert,
|
|
(id)kSecClass: (id)kSecClassCertificate,
|
|
};
|
|
|
|
OSStatus status = SecItemAdd((__bridge CFDictionaryRef) addQuery, NULL);
|
|
if ((errSecSuccess != status) && (errSecDuplicateItem != status)) {
|
|
CFRelease(cert);
|
|
return status;
|
|
}
|
|
|
|
// Step 2. Set the trust for the certificate.
|
|
SecPolicyRef policy = SecPolicyCreateSSL(true, NULL); // we limit our trust to SSL
|
|
NSDictionary *trustSettings = @{
|
|
(id)kSecTrustSettingsResult: [NSNumber numberWithInt:kSecTrustSettingsResultTrustRoot],
|
|
(id)kSecTrustSettingsPolicy: (__bridge id) policy,
|
|
};
|
|
status = SecTrustSettingsSetTrustSettings(cert, kSecTrustSettingsDomainAdmin, (__bridge CFTypeRef)(trustSettings));
|
|
CFRelease(policy);
|
|
CFRelease(cert);
|
|
|
|
return status;
|
|
}
|
|
|
|
|
|
int removeTrustedCert(char const *bytes, unsigned long long length) {
|
|
if (0 == length) {
|
|
return errSecInvalidData;
|
|
}
|
|
|
|
NSData *der = [NSData dataWithBytes: bytes length: length];
|
|
SecCertificateRef cert = SecCertificateCreateWithData(NULL, (CFDataRef) der);
|
|
|
|
// Step 1. Unset the trust for the certificate.
|
|
SecPolicyRef policy = SecPolicyCreateSSL(true, NULL);
|
|
NSDictionary * trustSettings = @{
|
|
(id)kSecTrustSettingsResult: [NSNumber numberWithInt:kSecTrustSettingsResultUnspecified],
|
|
(id)kSecTrustSettingsPolicy: (__bridge id) policy,
|
|
};
|
|
OSStatus status = SecTrustSettingsSetTrustSettings(cert, kSecTrustSettingsDomainAdmin, (__bridge CFTypeRef)(trustSettings));
|
|
CFRelease(policy);
|
|
if (errSecSuccess != status) {
|
|
CFRelease(cert);
|
|
return status;
|
|
}
|
|
|
|
// Step 2. Remove the certificate from the keychain.
|
|
NSDictionary *query = @{ (id)kSecClass: (id)kSecClassCertificate,
|
|
(id)kSecMatchItemList: @[(__bridge id)cert],
|
|
(id)kSecMatchLimit: (id)kSecMatchLimitOne,
|
|
};
|
|
status = SecItemDelete((__bridge CFDictionaryRef) query);
|
|
|
|
CFRelease(cert);
|
|
return status;
|
|
}
|
|
*/
|
|
import "C"
|
|
|
|
import (
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"unsafe"
|
|
)
|
|
|
|
// some of the error codes returned by Apple's Security framework.
|
|
const (
|
|
errSecSuccess = 0
|
|
errAuthorizationCanceled = -60006
|
|
)
|
|
|
|
// certPEMToDER converts a certificate in PEM format to DER format, which is the format required by Apple's Security framework.
|
|
func certPEMToDER(certPEM []byte) ([]byte, error) {
|
|
block, left := pem.Decode(certPEM)
|
|
if block == nil {
|
|
return []byte{}, errors.New("invalid PEM certificate")
|
|
}
|
|
|
|
if len(left) > 0 {
|
|
return []byte{}, errors.New("trailing data found at the end of a PEM certificate")
|
|
}
|
|
|
|
return block.Bytes, nil
|
|
}
|
|
|
|
func installCert(certPEM []byte) error {
|
|
certDER, err := certPEMToDER(certPEM)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
p := C.CBytes(certDER)
|
|
defer C.free(unsafe.Pointer(p)) //nolint:unconvert
|
|
|
|
errCode := C.installTrustedCert((*C.char)(p), (C.ulonglong)(len(certDER)))
|
|
switch errCode {
|
|
case errSecSuccess:
|
|
return nil
|
|
case errAuthorizationCanceled:
|
|
return fmt.Errorf("the user cancelled the authorization dialog")
|
|
default:
|
|
return fmt.Errorf("could not install certification into keychain (error %v)", errCode)
|
|
}
|
|
}
|
|
|
|
func uninstallCert(certPEM []byte) error {
|
|
certDER, err := certPEMToDER(certPEM)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
p := C.CBytes(certDER)
|
|
defer C.free(unsafe.Pointer(p)) //nolint:unconvert
|
|
|
|
if errCode := C.removeTrustedCert((*C.char)(p), (C.ulonglong)(len(certDER))); errCode != 0 {
|
|
return fmt.Errorf("could not install certificate from keychain (error %v)", errCode)
|
|
}
|
|
|
|
return nil
|
|
}
|