[thirdparty/cups.git] / scheduler / tls-darwin.c

/*
 * "$Id$"
 *
 *   TLS support code for the CUPS scheduler on OS X.
 *
 *   Copyright 2007-2013 by Apple Inc.
 *   Copyright 1997-2007 by Easy Software Products, all rights reserved.
 *
 *   These coded instructions, statements, and computer programs are the
 *   property of Apple Inc. and are protected by Federal copyright
 *   law.  Distribution and use rights are outlined in the file "LICENSE.txt"
 *   which should have been included with this file.  If this file is
 *   file is missing or damaged, see the license at "http://www.cups.org/".
 *
 * Contents:
 *
 *   cupsdEndTLS()	     - Shutdown a secure session with the client.
 *   cupsdStartTLS()	     - Start a secure session with the client.
 *   copy_cdsa_certificate() - Copy a SSL/TLS certificate from the System
 *			       keychain.
 *   make_certificate()      - Make a self-signed SSL/TLS certificate.
 */


/*
 * Local functions...
 */

static CFArrayRef	copy_cdsa_certificate(cupsd_client_t *con);
static int		make_certificate(cupsd_client_t *con);


/*
 * 'cupsdEndTLS()' - Shutdown a secure session with the client.
 */

int					/* O - 1 on success, 0 on error */
cupsdEndTLS(cupsd_client_t *con)	/* I - Client connection */
{
  while (SSLClose(con->http->tls) == errSSLWouldBlock)
    usleep(1000);

  CFRelease(con->http->tls);
  con->http->tls = NULL;

  if (con->http->tls_credentials)
    CFRelease(con->http->tls_credentials);

  return (1);
}


/*
 * 'cupsdStartTLS()' - Start a secure session with the client.
 */

int					/* O - 1 on success, 0 on error */
cupsdStartTLS(cupsd_client_t *con)	/* I - Client connection */
{
  OSStatus	error = 0;		/* Error code */
  SecTrustRef	peerTrust;		/* Peer certificates */


  cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] Encrypting connection.",
                  con->number);

  con->http->encryption = HTTP_ENCRYPTION_ALWAYS;

  con->http->tls_credentials = copy_cdsa_certificate(con);

  if (!con->http->tls_credentials)
  {
   /*
    * No keychain (yet), make a self-signed certificate...
    */

    if (make_certificate(con))
      con->http->tls_credentials = copy_cdsa_certificate(con);
  }

  if (!con->http->tls_credentials)
  {
    cupsdLogMessage(CUPSD_LOG_ERROR,
        	    "Could not find signing key in keychain \"%s\"",
		    ServerCertificate);
    error = errSSLBadConfiguration;
  }

  if (!error)
    con->http->tls = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide,
                                     kSSLStreamType);

  if (!error)
    error = SSLSetIOFuncs(con->http->tls, _httpReadCDSA, _httpWriteCDSA);

  if (!error)
    error = SSLSetConnection(con->http->tls, HTTP(con));

  if (!error)
    error = SSLSetCertificate(con->http->tls, con->http->tls_credentials);

  if (!error)
  {
   /*
    * Perform SSL/TLS handshake
    */

    while ((error = SSLHandshake(con->http->tls)) == errSSLWouldBlock)
      usleep(1000);
  }

  if (error)
  {
    cupsdLogMessage(CUPSD_LOG_ERROR,
                    "Unable to encrypt connection from %s - %s (%d)",
                    con->http->hostname, cssmErrorString(error), (int)error);

    con->http->error  = error;
    con->http->status = HTTP_ERROR;

    if (con->http->tls)
    {
      CFRelease(con->http->tls);
      con->http->tls = NULL;
    }

    if (con->http->tls_credentials)
    {
      CFRelease(con->http->tls_credentials);
      con->http->tls_credentials = NULL;
    }

    return (0);
  }

  cupsdLogMessage(CUPSD_LOG_DEBUG, "Connection from %s now encrypted.",
                  con->http->hostname);

  if (!SSLCopyPeerTrust(con->http->tls, &peerTrust) && peerTrust)
  {
    cupsdLogMessage(CUPSD_LOG_DEBUG, "Received %d peer certificates.",
		    (int)SecTrustGetCertificateCount(peerTrust));
    CFRelease(peerTrust);
  }
  else
    cupsdLogMessage(CUPSD_LOG_DEBUG, "Received NO peer certificates.");

  return (1);
}


/*
 * 'copy_cdsa_certificate()' - Copy a SSL/TLS certificate from the System
 *                             keychain.
 */

static CFArrayRef				/* O - Array of certificates */
copy_cdsa_certificate(
    cupsd_client_t *con)			/* I - Client connection */
{
  OSStatus		err;		/* Error info */
  SecKeychainRef	keychain = NULL;/* Keychain reference */
  SecIdentitySearchRef	search = NULL;	/* Search reference */
  SecIdentityRef	identity = NULL;/* Identity */
  CFArrayRef		certificates = NULL;
					/* Certificate array */
  SecPolicyRef		policy = NULL;	/* Policy ref */
  CFStringRef		servername = NULL;
					/* Server name */
  CFMutableDictionaryRef query = NULL;	/* Query qualifiers */
  CFArrayRef		list = NULL;	/* Keychain list */
#    if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
  char			localname[1024];/* Local hostname */
#    endif /* HAVE_DNSSD || HAVE_AVAHI */


  cupsdLogMessage(CUPSD_LOG_DEBUG,
                  "copy_cdsa_certificate: Looking for certs for \"%s\".",
		  con->servername);

  if ((err = SecKeychainOpen(ServerCertificate, &keychain)))
  {
    cupsdLogMessage(CUPSD_LOG_ERROR, "Cannot open keychain \"%s\" - %s (%d)",
	            ServerCertificate, cssmErrorString(err), (int)err);
    goto cleanup;
  }

  servername = CFStringCreateWithCString(kCFAllocatorDefault, con->servername,
					 kCFStringEncodingUTF8);

  policy = SecPolicyCreateSSL(1, servername);

  if (servername)
    CFRelease(servername);

  if (!policy)
  {
    cupsdLogMessage(CUPSD_LOG_ERROR, "Cannot create ssl policy reference");
    goto cleanup;
  }

  if (!(query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
					  &kCFTypeDictionaryKeyCallBacks,
					  &kCFTypeDictionaryValueCallBacks)))
  {
    cupsdLogMessage(CUPSD_LOG_ERROR, "Cannot create query dictionary");
    goto cleanup;
  }

  list = CFArrayCreate(kCFAllocatorDefault, (const void **)&keychain, 1,
                       &kCFTypeArrayCallBacks);

  CFDictionaryAddValue(query, kSecClass, kSecClassIdentity);
  CFDictionaryAddValue(query, kSecMatchPolicy, policy);
  CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue);
  CFDictionaryAddValue(query, kSecMatchLimit, kSecMatchLimitOne);
  CFDictionaryAddValue(query, kSecMatchSearchList, list);

  CFRelease(list);

  err = SecItemCopyMatching(query, (CFTypeRef *)&identity);

#    if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
  if (err && DNSSDHostName)
  {
   /*
    * Search for the connection server name failed; try the DNS-SD .local
    * hostname instead...
    */

    snprintf(localname, sizeof(localname), "%s.local", DNSSDHostName);

    cupsdLogMessage(CUPSD_LOG_DEBUG,
		    "copy_cdsa_certificate: Looking for certs for \"%s\".",
		    localname);

    servername = CFStringCreateWithCString(kCFAllocatorDefault, localname,
					   kCFStringEncodingUTF8);

    CFRelease(policy);

    policy = SecPolicyCreateSSL(1, servername);

    if (servername)
      CFRelease(servername);

    if (!policy)
    {
      cupsdLogMessage(CUPSD_LOG_ERROR, "Cannot create ssl policy reference");
      goto cleanup;
    }

    CFDictionarySetValue(query, kSecMatchPolicy, policy);

    err = SecItemCopyMatching(query, (CFTypeRef *)&identity);
  }
#    endif /* HAVE_DNSSD || HAVE_AVAHI */

  if (err)
  {
    cupsdLogMessage(CUPSD_LOG_DEBUG,
		    "Cannot find signing key in keychain \"%s\": %s (%d)",
		    ServerCertificate, cssmErrorString(err), (int)err);
    goto cleanup;
  }

  if (CFGetTypeID(identity) != SecIdentityGetTypeID())
  {
    cupsdLogMessage(CUPSD_LOG_ERROR, "SecIdentity CFTypeID failure.");
    goto cleanup;
  }

  if ((certificates = CFArrayCreate(NULL, (const void **)&identity,
				  1, &kCFTypeArrayCallBacks)) == NULL)
  {
    cupsdLogMessage(CUPSD_LOG_ERROR, "Cannot create certificate array");
    goto cleanup;
  }

  cleanup :

  if (keychain)
    CFRelease(keychain);
  if (search)
    CFRelease(search);
  if (identity)
    CFRelease(identity);

  if (policy)
    CFRelease(policy);
  if (query)
    CFRelease(query);

  return (certificates);
}


/*
 * 'make_certificate()' - Make a self-signed SSL/TLS certificate.
 */

static int				/* O - 1 on success, 0 on failure */
make_certificate(cupsd_client_t *con)	/* I - Client connection */
{
#    ifdef HAVE_SECGENERATESELFSIGNEDCERTIFICATE
  int			status = 0;	/* Return status */
  OSStatus		err;		/* Error code (if any) */
#  if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
  char			localname[1024];/* Local hostname */
#  endif /* HAVE_DNSSD || HAVE_AVAHI */
  const char		*servername;	/* Name of server in cert */
  CFStringRef		cfservername = NULL;
					/* CF string for server name */
  SecIdentityRef	ident = NULL;	/* Identity */
  SecKeyRef		publicKey = NULL,
					/* Public key */
			privateKey = NULL;
					/* Private key */
  CFMutableDictionaryRef keyParams = NULL;
					/* Key generation parameters */


  cupsdLogMessage(CUPSD_LOG_INFO,
                  "Generating SSL server key and certificate.");

#  if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
  if (con->servername && isdigit(con->servername[0] & 255) && DNSSDHostName)
  {
    snprintf(localname, sizeof(localname), "%s.local", DNSSDHostName);
    servername = localname;
  }
  else
#  endif /* HAVE_DNSSD || HAVE_AVAHI */
  servername = con->servername;

  cfservername = CFStringCreateWithCString(kCFAllocatorDefault, servername,
                                           kCFStringEncodingUTF8);
  if (!cfservername)
    goto cleanup;

 /*
  * Create a public/private key pair...
  */

  keyParams = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
					&kCFTypeDictionaryKeyCallBacks,
					&kCFTypeDictionaryValueCallBacks);
  if (!keyParams)
    goto cleanup;

  CFDictionaryAddValue(keyParams, kSecAttrKeyType, kSecAttrKeyTypeRSA);
  CFDictionaryAddValue(keyParams, kSecAttrKeySizeInBits, CFSTR("2048"));
  CFDictionaryAddValue(keyParams, kSecAttrLabel,
                       CFSTR("CUPS Self-Signed Certificate"));

  err = SecKeyGeneratePair(keyParams, &publicKey, &privateKey);
  if (err != noErr)
  {
    cupsdLogMessage(CUPSD_LOG_DEBUG, "SecKeyGeneratePair returned %ld.",
                    (long)err);
    goto cleanup;
  }

 /*
  * Create a self-signed certificate using the public/private key pair...
  */

  CFIndex	usageInt = kSecKeyUsageAll;
  CFNumberRef	usage = CFNumberCreate(alloc, kCFNumberCFIndexType, &usageInt);
  CFDictionaryRef certParams = CFDictionaryCreateMutable(kCFAllocatorDefault,
                                   kSecCSRBasicContraintsPathLen, CFINT(0),
                                   kSecSubjectAltName, cfservername,
                                   kSecCertificateKeyUsage, usage,
                                   NULL, NULL);
  CFRelease(usage);
        
  const void	*ca_o[] = { kSecOidOrganization, CFSTR("") };
  const void	*ca_cn[] = { kSecOidCommonName, cfservername };
  CFArrayRef	ca_o_dn = CFArrayCreate(kCFAllocatorDefault, ca_o, 2, NULL);
  CFArrayRef	ca_cn_dn = CFArrayCreate(kCFAllocatorDefault, ca_cn, 2, NULL);
  const void	*ca_dn_array[2];

  ca_dn_array[0] = CFArrayCreate(kCFAllocatorDefault, (const void **)&ca_o_dn,
                                 1, NULL);
  ca_dn_array[1] = CFArrayCreate(kCFAllocatorDefault, (const void **)&ca_cn_dn,
                                 1, NULL);

  CFArrayRef	subject = CFArrayCreate(kCFAllocatorDefault, ca_dn_array, 2,
                                        NULL);
  SecCertificateRef cert = SecGenerateSelfSignedCertificate(subject, certParams,
                                                            publicKey,
                                                            privateKey);
  CFRelease(subject);
  CFRelease(certParams);

  if (!cert)
  {
    cupsdLogMessage(CUPSD_LOG_DEBUG, "SecGenerateSelfSignedCertificate failed.");
    goto cleanup;
  }

  ident = SecIdentityCreate(kCFAllocatorDefault, cert, privateKey);

  if (ident)
    cupsdLogMessage(CUPSD_LOG_INFO,
                    "Created SSL server certificate file \"%s\".",
		    ServerCertificate);

 /*
  * Cleanup and return...
  */

cleanup:

  if (cfservername)
    CFRelease(cfservername);

  if (keyParams)
    CFRelease(keyParams);

  if (ident)
    CFRelease(ident);

  if (cert)
    CFRelease(cert);

  if (publicKey)
    CFRelease(publicKey);

  if (privateKey)
    CFRelease(publicKey);

  if (!status)
    cupsdLogMessage(CUPSD_LOG_ERROR,
                    "Unable to create SSL server key and certificate.");

  return (status);

#    else /* !HAVE_SECGENERATESELFSIGNEDCERTIFICATE */
  int		pid,			/* Process ID of command */
		status;			/* Status of command */
  char		command[1024],		/* Command */
		*argv[4],		/* Command-line arguments */
		*envp[MAX_ENV + 1],	/* Environment variables */
		keychain[1024],		/* Keychain argument */
		infofile[1024],		/* Type-in information for cert */
#      if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
		localname[1024],	/* Local hostname */
#      endif /* HAVE_DNSSD || HAVE_AVAHI */
		*servername;		/* Name of server in cert */
  cups_file_t	*fp;			/* Seed/info file */
  int		infofd;			/* Info file descriptor */


#      if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
  if (con->servername && isdigit(con->servername[0] & 255) && DNSSDHostName)
  {
    snprintf(localname, sizeof(localname), "%s.local", DNSSDHostName);
    servername = localname;
  }
  else
#      endif /* HAVE_DNSSD || HAVE_AVAHI */
    servername = con->servername;

 /*
  * Run the "certtool" command to generate a self-signed certificate...
  */

  if (!cupsFileFind("certtool", getenv("PATH"), 1, command, sizeof(command)))
  {
    cupsdLogMessage(CUPSD_LOG_ERROR,
                    "No SSL certificate and certtool command not found.");
    return (0);
  }

 /*
  * Create a file with the certificate information fields...
  *
  * Note: This assumes that the default questions are asked by the certtool
  * command...
  */

  if ((fp = cupsTempFile2(infofile, sizeof(infofile))) == NULL)
  {
    cupsdLogMessage(CUPSD_LOG_ERROR,
                    "Unable to create certificate information file %s - %s",
                    infofile, strerror(errno));
    return (0);
  }

  cupsFilePrintf(fp,
                 "%s\n"			/* Enter key and certificate label */
                 "r\n"			/* Generate RSA key pair */
                 "2048\n"		/* Key size in bits */
                 "y\n"			/* OK (y = yes) */
                 "b\n"			/* Usage (b=signing/encryption) */
                 "s\n"			/* Sign with SHA1 */
                 "y\n"			/* OK (y = yes) */
                 "%s\n"			/* Common name */
                 "\n"			/* Country (default) */
                 "\n"			/* Organization (default) */
                 "\n"			/* Organizational unit (default) */
                 "\n"			/* State/Province (default) */
                 "%s\n"			/* Email address */
                 "y\n",			/* OK (y = yes) */
        	 servername, servername, ServerAdmin);
  cupsFileClose(fp);

  cupsdLogMessage(CUPSD_LOG_INFO,
                  "Generating SSL server key and certificate.");

  snprintf(keychain, sizeof(keychain), "k=%s", ServerCertificate);

  argv[0] = "certtool";
  argv[1] = "c";
  argv[2] = keychain;
  argv[3] = NULL;

  cupsdLoadEnv(envp, MAX_ENV);

  infofd = open(infofile, O_RDONLY);

  if (!cupsdStartProcess(command, argv, envp, infofd, -1, -1, -1, -1, 1, NULL,
                         NULL, &pid))
  {
    close(infofd);
    unlink(infofile);
    return (0);
  }

  close(infofd);
  unlink(infofile);

  while (waitpid(pid, &status, 0) < 0)
    if (errno != EINTR)
    {
      status = 1;
      break;
    }

  cupsdFinishProcess(pid, command, sizeof(command), NULL);

  if (status)
  {
    if (WIFEXITED(status))
      cupsdLogMessage(CUPSD_LOG_ERROR,
                      "Unable to create SSL server key and certificate - "
		      "the certtool command stopped with status %d.",
	              WEXITSTATUS(status));
    else
      cupsdLogMessage(CUPSD_LOG_ERROR,
                      "Unable to create SSL server key and certificate - "
		      "the certtool command crashed on signal %d.",
	              WTERMSIG(status));
  }
  else
  {
    cupsdLogMessage(CUPSD_LOG_INFO,
                    "Created SSL server certificate file \"%s\".",
		    ServerCertificate);
  }

  return (!status);
#    endif /* HAVE_SECGENERATESELFSIGNEDCERTIFICATE */
}


/*
 * End of "$Id$".
 */
Commit	Line	Data
82cc1f9a MS	1	/*
	2	* "$Id$"
	3	*
	4	* TLS support code for the CUPS scheduler on OS X.
	5	*
e1578ed9	6	* Copyright 2007-2013 by Apple Inc.
82cc1f9a MS	7	* Copyright 1997-2007 by Easy Software Products, all rights reserved.
	8	*
	9	* These coded instructions, statements, and computer programs are the
	10	* property of Apple Inc. and are protected by Federal copyright
	11	* law. Distribution and use rights are outlined in the file "LICENSE.txt"
	12	* which should have been included with this file. If this file is
	13	* file is missing or damaged, see the license at "http://www.cups.org/".
	14	*
	15	* Contents:
	16	*
	17	* cupsdEndTLS() - Shutdown a secure session with the client.
	18	* cupsdStartTLS() - Start a secure session with the client.
	19	* copy_cdsa_certificate() - Copy a SSL/TLS certificate from the System
	20	* keychain.
	21	* make_certificate() - Make a self-signed SSL/TLS certificate.
	22	*/
	23
	24
	25	/*
	26	* Local functions...
	27	*/
	28
	29	static CFArrayRef copy_cdsa_certificate(cupsd_client_t *con);
	30	static int make_certificate(cupsd_client_t *con);
	31
	32
	33	/*
	34	* 'cupsdEndTLS()' - Shutdown a secure session with the client.
	35	*/
	36
	37	int /* O - 1 on success, 0 on error */
	38	cupsdEndTLS(cupsd_client_t con) / I - Client connection */
	39	{
996acce8	40	while (SSLClose(con->http->tls) == errSSLWouldBlock)
82cc1f9a MS	41	usleep(1000);
82cc1f9a MS	42
996acce8 MS	43	CFRelease(con->http->tls);
996acce8 MS	44	con->http->tls = NULL;
82cc1f9a	45
996acce8 MS	46	if (con->http->tls_credentials)
996acce8 MS	47	CFRelease(con->http->tls_credentials);
82cc1f9a MS	48
	49	return (1);
	50	}
	51
	52
	53	/*
	54	* 'cupsdStartTLS()' - Start a secure session with the client.
	55	*/
	56
	57	int /* O - 1 on success, 0 on error */
	58	cupsdStartTLS(cupsd_client_t con) / I - Client connection */
	59	{
	60	OSStatus error = 0; /* Error code */
cb7f98ee	61	SecTrustRef peerTrust; /* Peer certificates */
82cc1f9a MS	62
	63
	64	cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] Encrypting connection.",
996acce8	65	con->number);
82cc1f9a	66
5ec1fd3d MS	67	con->http->encryption = HTTP_ENCRYPTION_ALWAYS;
5ec1fd3d MS	68
996acce8	69	con->http->tls_credentials = copy_cdsa_certificate(con);
82cc1f9a	70
996acce8	71	if (!con->http->tls_credentials)
82cc1f9a MS	72	{
	73	/*
	74	* No keychain (yet), make a self-signed certificate...
	75	*/
	76
	77	if (make_certificate(con))
996acce8	78	con->http->tls_credentials = copy_cdsa_certificate(con);
82cc1f9a MS	79	}
82cc1f9a MS	80
996acce8	81	if (!con->http->tls_credentials)
82cc1f9a MS	82	{
	83	cupsdLogMessage(CUPSD_LOG_ERROR,
	84	"Could not find signing key in keychain \"%s\"",
	85	ServerCertificate);
	86	error = errSSLBadConfiguration;
	87	}
	88
	89	if (!error)
996acce8	90	con->http->tls = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide,
cb7f98ee	91	kSSLStreamType);
82cc1f9a MS	92
82cc1f9a MS	93	if (!error)
996acce8	94	error = SSLSetIOFuncs(con->http->tls, _httpReadCDSA, _httpWriteCDSA);
82cc1f9a MS	95
82cc1f9a MS	96	if (!error)
996acce8	97	error = SSLSetConnection(con->http->tls, HTTP(con));
82cc1f9a	98
82cc1f9a	99	if (!error)
996acce8	100	error = SSLSetCertificate(con->http->tls, con->http->tls_credentials);
82cc1f9a MS	101
	102	if (!error)
	103	{
	104	/*
	105	* Perform SSL/TLS handshake
	106	*/
	107
996acce8	108	while ((error = SSLHandshake(con->http->tls)) == errSSLWouldBlock)
82cc1f9a MS	109	usleep(1000);
	110	}
	111
	112	if (error)
	113	{
	114	cupsdLogMessage(CUPSD_LOG_ERROR,
	115	"Unable to encrypt connection from %s - %s (%d)",
996acce8	116	con->http->hostname, cssmErrorString(error), (int)error);
82cc1f9a	117
996acce8 MS	118	con->http->error = error;
996acce8 MS	119	con->http->status = HTTP_ERROR;
82cc1f9a	120
996acce8	121	if (con->http->tls)
82cc1f9a	122	{
996acce8 MS	123	CFRelease(con->http->tls);
996acce8 MS	124	con->http->tls = NULL;
82cc1f9a MS	125	}
82cc1f9a MS	126
996acce8	127	if (con->http->tls_credentials)
82cc1f9a	128	{
996acce8 MS	129	CFRelease(con->http->tls_credentials);
996acce8 MS	130	con->http->tls_credentials = NULL;
82cc1f9a MS	131	}
	132
	133	return (0);
	134	}
	135
	136	cupsdLogMessage(CUPSD_LOG_DEBUG, "Connection from %s now encrypted.",
996acce8	137	con->http->hostname);
82cc1f9a	138
996acce8	139	if (!SSLCopyPeerTrust(con->http->tls, &peerTrust) && peerTrust)
82cc1f9a	140	{
e1578ed9	141	cupsdLogMessage(CUPSD_LOG_DEBUG, "Received %d peer certificates.",
cb7f98ee MS	142	(int)SecTrustGetCertificateCount(peerTrust));
cb7f98ee MS	143	CFRelease(peerTrust);
82cc1f9a MS	144	}
82cc1f9a MS	145	else
e1578ed9	146	cupsdLogMessage(CUPSD_LOG_DEBUG, "Received NO peer certificates.");
82cc1f9a MS	147
	148	return (1);
	149	}
	150
	151
	152	/*
	153	* 'copy_cdsa_certificate()' - Copy a SSL/TLS certificate from the System
	154	* keychain.
	155	*/
	156
	157	static CFArrayRef /* O - Array of certificates */
	158	copy_cdsa_certificate(
	159	cupsd_client_t con) / I - Client connection */
	160	{
	161	OSStatus err; /* Error info */
	162	SecKeychainRef keychain = NULL;/* Keychain reference */
	163	SecIdentitySearchRef search = NULL; /* Search reference */
	164	SecIdentityRef identity = NULL;/* Identity */
	165	CFArrayRef certificates = NULL;
	166	/* Certificate array */
82cc1f9a MS	167	SecPolicyRef policy = NULL; /* Policy ref */
	168	CFStringRef servername = NULL;
	169	/* Server name */
	170	CFMutableDictionaryRef query = NULL; /* Query qualifiers */
	171	CFArrayRef list = NULL; /* Keychain list */
a29fd7dd	172	# if defined(HAVE_DNSSD) \|\| defined(HAVE_AVAHI)
82cc1f9a	173	char localname[1024];/* Local hostname */
a29fd7dd	174	# endif /* HAVE_DNSSD \|\| HAVE_AVAHI */
82cc1f9a MS	175
	176
	177	cupsdLogMessage(CUPSD_LOG_DEBUG,
e1578ed9	178	"copy_cdsa_certificate: Looking for certs for \"%s\".",
82cc1f9a MS	179	con->servername);
	180
	181	if ((err = SecKeychainOpen(ServerCertificate, &keychain)))
	182	{
	183	cupsdLogMessage(CUPSD_LOG_ERROR, "Cannot open keychain \"%s\" - %s (%d)",
	184	ServerCertificate, cssmErrorString(err), (int)err);
	185	goto cleanup;
	186	}
	187
82cc1f9a MS	188	servername = CFStringCreateWithCString(kCFAllocatorDefault, con->servername,
	189	kCFStringEncodingUTF8);
	190
	191	policy = SecPolicyCreateSSL(1, servername);
	192
	193	if (servername)
	194	CFRelease(servername);
	195
	196	if (!policy)
	197	{
	198	cupsdLogMessage(CUPSD_LOG_ERROR, "Cannot create ssl policy reference");
	199	goto cleanup;
	200	}
	201
	202	if (!(query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
	203	&kCFTypeDictionaryKeyCallBacks,
	204	&kCFTypeDictionaryValueCallBacks)))
	205	{
	206	cupsdLogMessage(CUPSD_LOG_ERROR, "Cannot create query dictionary");
	207	goto cleanup;
	208	}
	209
	210	list = CFArrayCreate(kCFAllocatorDefault, (const void **)&keychain, 1,
	211	&kCFTypeArrayCallBacks);
	212
	213	CFDictionaryAddValue(query, kSecClass, kSecClassIdentity);
	214	CFDictionaryAddValue(query, kSecMatchPolicy, policy);
	215	CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue);
	216	CFDictionaryAddValue(query, kSecMatchLimit, kSecMatchLimitOne);
	217	CFDictionaryAddValue(query, kSecMatchSearchList, list);
	218
	219	CFRelease(list);
	220
	221	err = SecItemCopyMatching(query, (CFTypeRef *)&identity);
	222
a29fd7dd	223	# if defined(HAVE_DNSSD) \|\| defined(HAVE_AVAHI)
82cc1f9a MS	224	if (err && DNSSDHostName)
	225	{
	226	/*
	227	* Search for the connection server name failed; try the DNS-SD .local
	228	* hostname instead...
	229	*/
	230
	231	snprintf(localname, sizeof(localname), "%s.local", DNSSDHostName);
	232
	233	cupsdLogMessage(CUPSD_LOG_DEBUG,
e1578ed9	234	"copy_cdsa_certificate: Looking for certs for \"%s\".",
82cc1f9a MS	235	localname);
	236
	237	servername = CFStringCreateWithCString(kCFAllocatorDefault, localname,
	238	kCFStringEncodingUTF8);
	239
	240	CFRelease(policy);
	241
	242	policy = SecPolicyCreateSSL(1, servername);
	243
	244	if (servername)
	245	CFRelease(servername);
	246
	247	if (!policy)
	248	{
	249	cupsdLogMessage(CUPSD_LOG_ERROR, "Cannot create ssl policy reference");
	250	goto cleanup;
	251	}
	252
	253	CFDictionarySetValue(query, kSecMatchPolicy, policy);
	254
	255	err = SecItemCopyMatching(query, (CFTypeRef *)&identity);
	256	}
a29fd7dd	257	# endif /* HAVE_DNSSD \|\| HAVE_AVAHI */
82cc1f9a MS	258
	259	if (err)
	260	{
	261	cupsdLogMessage(CUPSD_LOG_DEBUG,
	262	"Cannot find signing key in keychain \"%s\": %s (%d)",
	263	ServerCertificate, cssmErrorString(err), (int)err);
	264	goto cleanup;
	265	}
	266
82cc1f9a MS	267	if (CFGetTypeID(identity) != SecIdentityGetTypeID())
82cc1f9a MS	268	{
e1578ed9	269	cupsdLogMessage(CUPSD_LOG_ERROR, "SecIdentity CFTypeID failure.");
82cc1f9a MS	270	goto cleanup;
	271	}
	272
	273	if ((certificates = CFArrayCreate(NULL, (const void **)&identity,
	274	1, &kCFTypeArrayCallBacks)) == NULL)
	275	{
	276	cupsdLogMessage(CUPSD_LOG_ERROR, "Cannot create certificate array");
	277	goto cleanup;
	278	}
	279
	280	cleanup :
	281
	282	if (keychain)
	283	CFRelease(keychain);
	284	if (search)
	285	CFRelease(search);
	286	if (identity)
	287	CFRelease(identity);
	288
82cc1f9a MS	289	if (policy)
	290	CFRelease(policy);
	291	if (query)
	292	CFRelease(query);
82cc1f9a MS	293
	294	return (certificates);
	295	}
	296
	297
	298	/*
	299	* 'make_certificate()' - Make a self-signed SSL/TLS certificate.
	300	*/
	301
	302	static int /* O - 1 on success, 0 on failure */
	303	make_certificate(cupsd_client_t con) / I - Client connection */
	304	{
e1578ed9 MS	305	# ifdef HAVE_SECGENERATESELFSIGNEDCERTIFICATE
	306	int status = 0; /* Return status */
	307	OSStatus err; /* Error code (if any) */
	308	# if defined(HAVE_DNSSD) \|\| defined(HAVE_AVAHI)
	309	char localname[1024];/* Local hostname */
	310	# endif /* HAVE_DNSSD \|\| HAVE_AVAHI */
	311	const char servername; / Name of server in cert */
	312	CFStringRef cfservername = NULL;
	313	/* CF string for server name */
	314	SecIdentityRef ident = NULL; /* Identity */
	315	SecKeyRef publicKey = NULL,
	316	/* Public key */
	317	privateKey = NULL;
	318	/* Private key */
	319	CFMutableDictionaryRef keyParams = NULL;
	320	/* Key generation parameters */
	321
	322
	323	cupsdLogMessage(CUPSD_LOG_INFO,
	324	"Generating SSL server key and certificate.");
	325
	326	# if defined(HAVE_DNSSD) \|\| defined(HAVE_AVAHI)
	327	if (con->servername && isdigit(con->servername[0] & 255) && DNSSDHostName)
	328	{
	329	snprintf(localname, sizeof(localname), "%s.local", DNSSDHostName);
	330	servername = localname;
	331	}
	332	else
	333	# endif /* HAVE_DNSSD \|\| HAVE_AVAHI */
	334	servername = con->servername;
	335
	336	cfservername = CFStringCreateWithCString(kCFAllocatorDefault, servername,
	337	kCFStringEncodingUTF8);
	338	if (!cfservername)
	339	goto cleanup;
	340
	341	/*
	342	* Create a public/private key pair...
	343	*/
	344
	345	keyParams = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
	346	&kCFTypeDictionaryKeyCallBacks,
	347	&kCFTypeDictionaryValueCallBacks);
	348	if (!keyParams)
	349	goto cleanup;
	350
	351	CFDictionaryAddValue(keyParams, kSecAttrKeyType, kSecAttrKeyTypeRSA);
	352	CFDictionaryAddValue(keyParams, kSecAttrKeySizeInBits, CFSTR("2048"));
	353	CFDictionaryAddValue(keyParams, kSecAttrLabel,
	354	CFSTR("CUPS Self-Signed Certificate"));
	355
	356	err = SecKeyGeneratePair(keyParams, &publicKey, &privateKey);
	357	if (err != noErr)
	358	{
	359	cupsdLogMessage(CUPSD_LOG_DEBUG, "SecKeyGeneratePair returned %ld.",
	360	(long)err);
	361	goto cleanup;
	362	}
	363
	364	/*
	365	* Create a self-signed certificate using the public/private key pair...
	366	*/
	367
	368	CFIndex usageInt = kSecKeyUsageAll;
369	CFNumberRef usage = CFNumberCreate(alloc, kCFNumberCFIndexType, &usageInt);
370	CFDictionaryRef certParams = CFDictionaryCreateMutable(kCFAllocatorDefault,
371	kSecCSRBasicContraintsPathLen, CFINT(0),
372	kSecSubjectAltName, cfservername,
373	kSecCertificateKeyUsage, usage,
374	NULL, NULL);
375	CFRelease(usage);
376
377	const void *ca_o[] = { kSecOidOrganization, CFSTR("") };
378	const void *ca_cn[] = { kSecOidCommonName, cfservername };
379	CFArrayRef ca_o_dn = CFArrayCreate(kCFAllocatorDefault, ca_o, 2, NULL);
380	CFArrayRef ca_cn_dn = CFArrayCreate(kCFAllocatorDefault, ca_cn, 2, NULL);
381	const void *ca_dn_array[2];
382
383	ca_dn_array[0] = CFArrayCreate(kCFAllocatorDefault, (const void **)&ca_o_dn,
384	1, NULL);
385	ca_dn_array[1] = CFArrayCreate(kCFAllocatorDefault, (const void **)&ca_cn_dn,
386	1, NULL);
387
388	CFArrayRef subject = CFArrayCreate(kCFAllocatorDefault, ca_dn_array, 2,
389	NULL);
390	SecCertificateRef cert = SecGenerateSelfSignedCertificate(subject, certParams,
391	publicKey,
392	privateKey);
393	CFRelease(subject);
394	CFRelease(certParams);
395
396	if (!cert)
397	{
398	cupsdLogMessage(CUPSD_LOG_DEBUG, "SecGenerateSelfSignedCertificate failed.");
399	goto cleanup;
400	}
401
402	ident = SecIdentityCreate(kCFAllocatorDefault, cert, privateKey);
403
404	if (ident)
405	cupsdLogMessage(CUPSD_LOG_INFO,
406	"Created SSL server certificate file \"%s\".",
407	ServerCertificate);
408
409	/*
410	* Cleanup and return...
411	*/
412
413	cleanup:
414
415	if (cfservername)
416	CFRelease(cfservername);
417
418	if (keyParams)
419	CFRelease(keyParams);
420
421	if (ident)
422	CFRelease(ident);
423
424	if (cert)
425	CFRelease(cert);
426
427	if (publicKey)
428	CFRelease(publicKey);
429
430	if (privateKey)
431	CFRelease(publicKey);
432
433	if (!status)
434	cupsdLogMessage(CUPSD_LOG_ERROR,
435	"Unable to create SSL server key and certificate.");
436
437	return (status);
438
439	# else /* !HAVE_SECGENERATESELFSIGNEDCERTIFICATE */
82cc1f9a MS	440	int pid, /* Process ID of command */
	441	status; /* Status of command */
	442	char command[1024], /* Command */
	443	argv[4], / Command-line arguments */
	444	envp[MAX_ENV + 1], / Environment variables */
	445	keychain[1024], /* Keychain argument */
	446	infofile[1024], /* Type-in information for cert */
e1578ed9	447	# if defined(HAVE_DNSSD) \|\| defined(HAVE_AVAHI)
82cc1f9a	448	localname[1024], /* Local hostname */
e1578ed9	449	# endif /* HAVE_DNSSD \|\| HAVE_AVAHI */
82cc1f9a MS	450	servername; / Name of server in cert */
	451	cups_file_t fp; / Seed/info file */
	452	int infofd; /* Info file descriptor */
	453
	454
e1578ed9	455	# if defined(HAVE_DNSSD) \|\| defined(HAVE_AVAHI)
82cc1f9a MS	456	if (con->servername && isdigit(con->servername[0] & 255) && DNSSDHostName)
	457	{
	458	snprintf(localname, sizeof(localname), "%s.local", DNSSDHostName);
	459	servername = localname;
	460	}
	461	else
e1578ed9	462	# endif /* HAVE_DNSSD \|\| HAVE_AVAHI */
82cc1f9a MS	463	servername = con->servername;
	464
	465	/*
	466	* Run the "certtool" command to generate a self-signed certificate...
	467	*/
	468
	469	if (!cupsFileFind("certtool", getenv("PATH"), 1, command, sizeof(command)))
	470	{
	471	cupsdLogMessage(CUPSD_LOG_ERROR,
e1578ed9	472	"No SSL certificate and certtool command not found.");
82cc1f9a MS	473	return (0);
	474	}
	475
	476	/*
	477	* Create a file with the certificate information fields...
	478	*
	479	* Note: This assumes that the default questions are asked by the certtool
	480	* command...
	481	*/
	482
	483	if ((fp = cupsTempFile2(infofile, sizeof(infofile))) == NULL)
	484	{
	485	cupsdLogMessage(CUPSD_LOG_ERROR,
	486	"Unable to create certificate information file %s - %s",
	487	infofile, strerror(errno));
	488	return (0);
	489	}
	490
	491	cupsFilePrintf(fp,
	492	"%s\n" /* Enter key and certificate label */
	493	"r\n" /* Generate RSA key pair */
	494	"2048\n" /* Key size in bits */
	495	"y\n" /* OK (y = yes) */
	496	"b\n" /* Usage (b=signing/encryption) */
	497	"s\n" /* Sign with SHA1 */
	498	"y\n" /* OK (y = yes) */
	499	"%s\n" /* Common name */
	500	"\n" /* Country (default) */
	501	"\n" /* Organization (default) */
	502	"\n" /* Organizational unit (default) */
	503	"\n" /* State/Province (default) */
	504	"%s\n" /* Email address */
	505	"y\n", /* OK (y = yes) */
	506	servername, servername, ServerAdmin);
	507	cupsFileClose(fp);
	508
	509	cupsdLogMessage(CUPSD_LOG_INFO,
e1578ed9	510	"Generating SSL server key and certificate.");
82cc1f9a MS	511
	512	snprintf(keychain, sizeof(keychain), "k=%s", ServerCertificate);
	513
	514	argv[0] = "certtool";
	515	argv[1] = "c";
	516	argv[2] = keychain;
	517	argv[3] = NULL;
	518
	519	cupsdLoadEnv(envp, MAX_ENV);
	520
	521	infofd = open(infofile, O_RDONLY);
	522
	523	if (!cupsdStartProcess(command, argv, envp, infofd, -1, -1, -1, -1, 1, NULL,
	524	NULL, &pid))
	525	{
	526	close(infofd);
	527	unlink(infofile);
	528	return (0);
	529	}
	530
	531	close(infofd);
	532	unlink(infofile);
	533
	534	while (waitpid(pid, &status, 0) < 0)
	535	if (errno != EINTR)
	536	{
	537	status = 1;
	538	break;
	539	}
	540
	541	cupsdFinishProcess(pid, command, sizeof(command), NULL);
	542
	543	if (status)
	544	{
	545	if (WIFEXITED(status))
	546	cupsdLogMessage(CUPSD_LOG_ERROR,
	547	"Unable to create SSL server key and certificate - "
e1578ed9	548	"the certtool command stopped with status %d.",
82cc1f9a MS	549	WEXITSTATUS(status));
	550	else
	551	cupsdLogMessage(CUPSD_LOG_ERROR,
	552	"Unable to create SSL server key and certificate - "
e1578ed9	553	"the certtool command crashed on signal %d.",
82cc1f9a MS	554	WTERMSIG(status));
	555	}
	556	else
	557	{
	558	cupsdLogMessage(CUPSD_LOG_INFO,
e1578ed9	559	"Created SSL server certificate file \"%s\".",
82cc1f9a MS	560	ServerCertificate);
	561	}
	562
	563	return (!status);
e1578ed9	564	# endif /* HAVE_SECGENERATESELFSIGNEDCERTIFICATE */
82cc1f9a MS	565	}
	566
	567
	568	/*
	569	* End of "$Id$".
	570	*/