/*
 * Author: Landon Fuller <landonf@plausiblelabs.com>
 * Copyright (c) 2008-2013 Plausible Labs Cooperative, Inc.
 * All rights reserved.
 *
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
 * files (the "Software"), to deal in the Software without
 * restriction, including without limitation the rights to use,
 * copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following
 * conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
 * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
 * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 * OTHER DEALINGS IN THE SOFTWARE.
 */

#import <Foundation/Foundation.h>
#import <Security/Security.h>

#import <unistd.h>
#import <stdio.h>

#import "compat.h"

/* A wrapper class that may be used to pass configuration through the
 * FSEvent callback API */
@interface MPCertSyncConfig : NSObject {
@public
    BOOL userAnchors;
    NSString *outputFile;
}
@end

@implementation MPCertSyncConfig
- (void) dealloc {
    [outputFile release];
    [super dealloc];
}
@end

/**
 * Add CoreFoundation object to the current autorelease pool.
 *
 * @param cfObj Object to add to the current autorelease pool.
 */
CFTypeRef PLCFAutorelease (CFTypeRef cfObj) {
    return [(id)cfObj autorelease];
}

int nsvfprintf (FILE *stream, NSString *format, va_list args) {
    int retval;

    NSString *str;
    str = (NSString *) CFStringCreateWithFormatAndArguments(NULL, NULL, (CFStringRef) format, args);
    retval = fprintf(stream, "%s", [str UTF8String]);
    [str release];

    return retval;
}

int nsfprintf (FILE *stream, NSString *format, ...) {
    va_list ap;
    int retval;

    va_start(ap, format);
    {
        retval = nsvfprintf(stream, format, ap);
    }
    va_end(ap);

    return retval;
}

int nsprintf (NSString *format, ...) {
    va_list ap;
    int retval;

    va_start(ap, format);
    {
        retval = nsvfprintf(stderr, format, ap);
    }
    va_end(ap);

    return retval;
}

/**
 * Wrapper method to retrieve the common name (CN) given a @code SecCertificateRef. If retrieving
 * the CN isn't supported on this platform, returns @code NO, otherwise @code YES and points the
 * given string ref @a subject to a string containing the common name. If an error occurs, subject
 * is a NULL reference and *subjectError contains more information about the type of failure.
 *
 * @param cert A SecCertificateRef to the certificate for which the CN should be retrieved
 * @param subject A pointer to a CFStringRef that will hold the CN if the retrieval is successful.
 * @param subjectError A pointer to an NSError* that will hold an error message if an error occurs.
 * @return BOOL indicating whether this system supports retrieving CNs from certificates
 */
static BOOL GetCertSubject(SecCertificateRef cert, CFStringRef *subject, NSError **subjectError) {
    if (SecCertificateCopyShortDescription != NULL /* 10.7 */) {
        *subject = PLCFAutorelease(SecCertificateCopyShortDescription(NULL, cert, (CFErrorRef *) subjectError));
        return YES;
    }

    if (SecCertificateCopySubjectSummary   != NULL /* 10.6 */) {
        *subject = PLCFAutorelease(SecCertificateCopySubjectSummary(cert));
        return YES;
    }

    if (SecCertificateCopyCommonName       != NULL /* 10.5 */) {
        OSStatus err;
        if ((err = SecCertificateCopyCommonName(cert, subject)) == errSecSuccess && *subject != NULL) {
            PLCFAutorelease(*subject);
            return YES;
        }

        /* In the case that the CN is simply unavailable, provide a more useful error code */
        if (err == errSecSuccess) {
            err = errSecNoSuchAttr;
        }

        NSDictionary *userInfo = [NSDictionary dictionaryWithObjectsAndKeys: @"SecCertificateCopyCommonName() failed", NSLocalizedDescriptionKey, nil];
        *subjectError = [NSError errorWithDomain: NSOSStatusErrorDomain code: err userInfo: userInfo];
        *subject = NULL;

        return YES;
    }

    /* <= 10.4 */
    return NO;
}

/**
 * Verify that the root certificate is trusted by the system; this filters out
 * certificates that are (1) expired, or (2) in the system keychain but marked
 * as untrusted by a system administrator (or user).
 *
 * @param cert A @code SecCertificateRef representing a certificate to be
 *             checked.
 *
 * @return Returns a BOOL indicating that the certificate is trusted (@code
 *         YES), or not (@code NO).
 */
static BOOL ValidateSystemTrust(SecCertificateRef cert) {
    OSStatus err;

    /* Create a new trust evaluation instance */
    SecTrustRef trust;
    {
        SecPolicyRef policy;
        if (SecPolicyCreateBasicX509 != NULL) /* >= 10.6 */ {
            policy = SecPolicyCreateBasicX509();
        } else /* < 10.6 */ {
            SecPolicySearchRef searchRef = NULL;
            const CSSM_OID *policyOID = &CSSMOID_APPLE_X509_BASIC;

            if ((err = SecPolicySearchCreate(CSSM_CERT_X_509v3, policyOID, NULL, &searchRef)) != errSecSuccess) {
                cssmPerror("SecPolicySearchCreate", err);
                return NO;
            }
            if ((err = SecPolicySearchCopyNext(searchRef, &policy))) {
                cssmPerror("SecPolicySearchCopyNext", err);
                return NO;
            }
        }

        if ((err = SecTrustCreateWithCertificates((CFTypeRef) cert, policy, &trust)) != errSecSuccess) {
            /* Shouldn't happen */
            nsfprintf(stderr, @"Failed to create SecTrustRef: %d\n", err);
            CFRelease(policy);
            return NO;
        }

        CFRelease(policy);
    }

    /* Allow verifying root certificates (which would otherwise be an error).
     * Without this, intermediates added as roots aren't exported. */
    {
        CSSM_APPLE_TP_ACTION_FLAGS actionFlags = CSSM_TP_ACTION_LEAF_IS_CA;
        CSSM_APPLE_TP_ACTION_DATA actionData;
        CFDataRef cfActionData = NULL;

        memset(&actionData, 0, sizeof(actionData));
        actionData.Version = CSSM_APPLE_TP_ACTION_VERSION;
        actionData.ActionFlags = actionFlags;
        cfActionData = CFDataCreate(NULL, (UInt8 *) &actionData, sizeof(actionData));
        if ((err = SecTrustSetParameters(trust, CSSM_TP_ACTION_DEFAULT, cfActionData))) {
            nsfprintf(stderr, @"Failed to set SecTrustParameters: %d\n", err);
            CFRelease(cfActionData);
            return NO;
        }
        CFRelease(cfActionData);
    }

    /* Evaluate the certificate trust */
    SecTrustResultType rt;
    if ((err = SecTrustEvaluate(trust, &rt)) != errSecSuccess) {
        nsfprintf(stderr, @"SecTrustEvaluate() failed: %d\n", err);
        CFRelease(trust);
        return NO;
    }

    CFRelease(trust);

    /* Check the result */
    switch (rt) {
        case kSecTrustResultUnspecified:
            /* Reached a trusted root */
        case kSecTrustResultProceed:
            /* User explicitly trusts */
            return YES;

        case kSecTrustResultDeny:
            /* User explicitly distrusts */
#if defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED < __MAC_10_7
        case kSecTrustResultConfirm:
            /* The user previously chose to ask for permission when this
             * certificate is used. This is no longer used on modern OS X. */
#endif
            //nsfprintf(stderr, @"Marked as untrustable!\n");
            return NO;

        case kSecTrustResultRecoverableTrustFailure:
            /* The chain as-is isn't trusted, but it could be trusted with some
             * minor change (such as ignoring expired certs or adding an
             * additional anchor). For certsync this likely means the cert was
             * expired, which means we don't want to export it. */
            return NO;

        case kSecTrustResultFatalTrustFailure:
            /* The chain is defective (e.g., ill-formatted). Don't export this. */
            return NO;

        default:
            /* Untrusted */
            nsfprintf(stderr, @"rt = %d\n", rt);
            cssmPerror("CSSM verify error", err);
            return NO;
    }
}

/**
 * Fetch all trusted roots for the given @a domain.
 *
 * @param domain The trust domain to query.
 * @param outError On error, will contain an NSError instance describing the failure.
 *
 * @return Returns a (possibly empty) array of certificates on success, nil on failure.
 */
static NSArray *certificatesForTrustDomain (SecTrustSettingsDomain domain, NSError **outError) {
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    NSMutableArray *trusted = nil;
    CFArrayRef certs = nil;
    OSStatus err;

    /* Mac OS X >= 10.5 provides SecTrustSettingsCopyCertificates() */
    if (SecTrustSettingsCopyCertificates != NULL) {
        /* Fetch all certificates in the given domain */
        err = SecTrustSettingsCopyCertificates(domain, &certs);
        if (err == errSecSuccess) {
            PLCFAutorelease(certs);
        } else if (err == errSecNoTrustSettings) {
            /* No data */

            [pool release];
            return [NSArray array];
        } else if (err != errSecSuccess) {
            /* Lookup failed */
            if (outError != NULL)
                *outError = [[NSError errorWithDomain: NSOSStatusErrorDomain code: err userInfo:nil] retain];

            [pool release];
            [*outError autorelease];
            return nil;
        }

        /* Extract trusted roots */
        trusted = [NSMutableArray arrayWithCapacity: CFArrayGetCount(certs)];

        NSEnumerator *resultEnumerator = [(NSArray *)certs objectEnumerator];
        id certObj;
        while ((certObj = [resultEnumerator nextObject]) != nil) {
            SecCertificateRef cert = (SecCertificateRef) certObj;

            /* Fetch the trust settings */
            CFArrayRef trustSettings = nil;
            err = SecTrustSettingsCopyTrustSettings(cert, domain, &trustSettings);
            if (err != errSecSuccess) {
                /* Shouldn't happen */
                nsfprintf(stderr, @"Failed to fetch trust settings\n");
                continue;
            } else {
                PLCFAutorelease(trustSettings);
            }

            /* If empty, trust for everything (as per the Security Framework documentation) */
            if (CFArrayGetCount(trustSettings) == 0) {
                [trusted addObject: certObj];
            } else {
                /* Otherwise, walk the properties and evaluate the trust settings result */
                NSEnumerator *trustEnumerator = [(NSArray *)trustSettings objectEnumerator];
                NSDictionary *trustProps;
                while ((trustProps = [trustEnumerator nextObject]) != nil) {
                    CFNumberRef settingsResultNum;
                    SInt32 settingsResult;

                    settingsResultNum = (CFNumberRef) [trustProps objectForKey: (id) kSecTrustSettingsResult];
                    if (settingsResultNum == nil) {
                        /* "If this key is not present, a default value of kSecTrustSettingsResultTrustRoot is assumed." */
                        settingsResult = kSecTrustSettingsResultTrustRoot;
                    } else {
                        CFNumberGetValue(settingsResultNum, kCFNumberSInt32Type, &settingsResult);
                    }

                    /* If a root, add to the result set */
                    if (settingsResult == kSecTrustSettingsResultTrustRoot || settingsResult == kSecTrustSettingsResultTrustAsRoot) {
                        [trusted addObject: certObj];
                        break;
                    }
                }
            }
        }
    } else {
        /* Fetch all certificates in the given domain */
        err = SecTrustCopyAnchorCertificates(&certs);
        if (err == noErr) {
            PLCFAutorelease(certs);
        } else if (err == errSecTrustNotAvailable) {
            /* No data */
            [pool release];
            return [NSArray array];
        } else if (err != noErr) {
            /* Lookup failed */
            if (outError != NULL)
                *outError = [[NSError errorWithDomain: NSOSStatusErrorDomain code: err userInfo:nil] retain];

            [pool release];
            [*outError autorelease];
            return nil;
        }

        /* All certs are trusted */
        trusted = [[(NSArray *) certs mutableCopy] autorelease];
        CFRelease(certs);
    }

    /*
     * Filter out any trusted certificates that can not actually be used in verification; eg, they are expired.
     *
     * There are cases where CAs have issued new certificates using identical public keys, and the expired
     * and current CA certificates are both included in the list of trusted certificates. In such a case,
     * OpenSSL will use either of the two certificates; if that happens to be the expired certificate,
     * validation will fail.
     *
     * This step ensures that we exclude any expired or known-unusable certificates.
     *
     * We enumerate a copy of the array so that we can safely modify the original during enumeration.
     */
    NSEnumerator *trustedEnumerator = [[[trusted copy] autorelease] objectEnumerator];
    id certObj;
    while ((certObj = [trustedEnumerator nextObject]) != nil) {
        /* If self-trust validation fails, the certificate is expired or otherwise not useable */
        if (!ValidateSystemTrust((SecCertificateRef) certObj)) {
            NSError *subjectError = NULL;
            CFStringRef subject = NULL;

            if (GetCertSubject((SecCertificateRef) certObj, &subject, &subjectError)) {
                if (subject != NULL) {
                    nsfprintf(stderr, @"Removing untrusted certificate: %@\n", subject);
                } else {
                    nsfprintf(stderr, @"Failed to extract certificate description for untrusted certificate: %@\n", subjectError);
                }
            }
            [trusted removeObject: certObj];
        }
    }

    [trusted retain];
    [pool release];
    return [trusted autorelease];
}

static int exportCertificates (BOOL userAnchors, NSString *outputFile) {
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];

    /*
     * Fetch all certificates
     */

    NSMutableArray *anchors = [NSMutableArray array];
    NSArray *result;
    NSError *error;
    OSStatus err;

    /* Current user */
    if (userAnchors) {
        /* Set the keychain preference domain to user, this causes
         * ValidateSystemTrust to use the user's keychain */
        if ((err = SecKeychainSetPreferenceDomain(kSecPreferencesDomainUser)) != errSecSuccess) {
            if (SecCopyErrorMessageString != NULL) {
                /* >= 10.5 */
                CFStringRef errMsg = PLCFAutorelease(SecCopyErrorMessageString(err, NULL));
                nsfprintf(stderr, @"Failed to set keychain preference domain: %@\n", errMsg);
            } else {
                /* <= 10.4 */
                nsfprintf(stderr, @"Failed to set keychain preference domain: %d\n", err);
            }

            [pool release];
            return EXIT_FAILURE;
        }

        result = certificatesForTrustDomain(kSecTrustSettingsDomainUser, &error);
        if (result != nil) {
            [anchors addObjectsFromArray: result];
        } else {
            nsfprintf(stderr, @"Failed to fetch user anchors: %@\n", error);
            [pool release];
            return EXIT_FAILURE;
        }
    }

    /* Admin & System */
    /* Causes ValidateSystemTrust to ignore the user's keychain */
    if ((err = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem)) != errSecSuccess) {
        if (SecCopyErrorMessageString != NULL) {
            /* >= 10.5 */
            CFStringRef errMsg = PLCFAutorelease(SecCopyErrorMessageString(err, NULL));
            nsfprintf(stderr, @"Failed to set keychain preference domain: %@\n", errMsg);
        } else {
            /* <= 10.4 */
            nsfprintf(stderr, @"Failed to set keychain preference domain: %d\n", err);
        }

        [pool release];
        return EXIT_FAILURE;
    }

    /* Admin */
    result = certificatesForTrustDomain(kSecTrustSettingsDomainAdmin, &error);
    if (result != nil) {
        [anchors addObjectsFromArray: result];
    } else {
        nsfprintf(stderr, @"Failed to fetch admin anchors: %@\n", error);
        [pool release];
        return EXIT_FAILURE;
    }

    /* System */
    result = certificatesForTrustDomain(kSecTrustSettingsDomainSystem, &error);
    if (result != nil) {
        [anchors addObjectsFromArray: result];
    } else {
        nsfprintf(stderr, @"Failed to fetch system anchors: %@\n", error);
        [pool release];
        return EXIT_FAILURE;
    }

    NSEnumerator *resultEnumerator = [anchors objectEnumerator];
    id certObj;
    while ((certObj = [resultEnumerator nextObject]) != nil) {
        NSError *subjectError = NULL;
        CFStringRef subject = NULL;

        if (GetCertSubject((SecCertificateRef) certObj, &subject, &subjectError)) {
            if (subject != NULL) {
                nsfprintf(stderr, @"Found %@\n", subject);
            } else {
                nsfprintf(stderr, @"Failed to extract certificate description: %@\n", subjectError);
            }
        }
    }

    /*
     * Perform export
     */
    CFDataRef pemData;

    /* Prefer the non-deprecated SecItemExport on Mac OS X >= 10.7. We use an ifdef to keep the code buildable with earlier SDKs, too. */
    nsfprintf(stderr, @"Exporting certificates from the keychain\n");
    if (SecItemExport != NULL) {
        err = SecItemExport((CFArrayRef) anchors, kSecFormatPEMSequence, kSecItemPemArmour, NULL, &pemData);
    } else {
        err = SecKeychainItemExport((CFArrayRef) anchors, kSecFormatPEMSequence, kSecItemPemArmour, NULL, &pemData);
    }
    PLCFAutorelease(pemData);

    if (err != errSecSuccess) {
        nsfprintf(stderr, @"Failed to export certificates: %@\n", [NSError errorWithDomain: NSOSStatusErrorDomain code: err userInfo:nil]);
        [pool release];
        return EXIT_FAILURE;
    }

    nsfprintf(stderr, @"Writing exported certificates\n");
    if (outputFile == nil) {
        NSString *str = [[[NSString alloc] initWithData: (NSData *) pemData encoding:NSUTF8StringEncoding] autorelease];
        nsfprintf(stdout, @"%@", str);
    } else {
        if (![(NSData *) pemData writeToFile: outputFile options: NSDataWritingAtomic error: &error]) {
            nsfprintf(stderr, @"Failed to write to pem output file: %@\n", error);
            [pool release];
            return EXIT_FAILURE;
        }
    }

    [pool release];
    return EXIT_SUCCESS;
}

static void usage (const char *progname) {
    fprintf(stderr, "Usage: %s [-u] [-o <output file>]\n", progname);
    fprintf(stderr, "\t-u\t\t\tInclude the current user's anchor certificates.\n");
    fprintf(stderr, "\t-o <output file>\tWrite the PEM certificates to the target file, rather than stdout\n");
}

int main (int argc, char * const argv[]) {
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];

    /* Parse the command line arguments */
    BOOL userAnchors = NO;
    NSString *outputFile = nil;

    int ch;
    while ((ch = getopt(argc, argv, "hsuo:")) != -1) {
        switch (ch) {
            case 'u':
                userAnchors = YES;
                break;

            case 'o':
                outputFile = [NSString stringWithUTF8String: optarg];
                break;

            case 'h':
                usage(argv[0]);
                exit(EXIT_SUCCESS);

            default:
                usage(argv[0]);
                exit(EXIT_FAILURE);
        }
    }
    argc -= optind;
    argv += optind;

    /* Perform export  */
    int result = exportCertificates(userAnchors, outputFile);

    [pool release];
    return result;
}