[apple/security.git] / AppleX509CL / DecodedCert.cpp

/*
 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


/*
 * DecodedCert.cpp - object representing a snacc-decoded cert, with extensions
 * parsed and decoded (still in snacc format).
 *
 * Created 9/1/2000 by Doug Mitchell. 
 * Copyright (c) 2000 by Apple Computer. 
 */

#include "DecodedCert.h"
#include "SnaccUtils.h"
#include "cldebugging.h"
#include "AppleX509CLSession.h"
#include "CSPAttacher.h"
#include <Security/cdsaUtils.h>
#include <Security/cssmapple.h>

DecodedCert::DecodedCert(
	AppleX509CLSession	&session)
	: alloc(session),
	  mSession(session)
{
	certificateToSign = new CertificateToSign;
	reset();
}

/* one-shot constructor, decoding from DER-encoded data */
DecodedCert::DecodedCert(
	AppleX509CLSession	&session,
	const CssmData 	&encodedCert)
	: alloc(session),
	  mSession(session)
{
	reset();
	SC_decodeAsnObj(encodedCert, *this);
	decodeExtensions();
	mState = CS_DecodedCert;
}
		
DecodedCert::~DecodedCert()
{
	/* free all extensions */
	unsigned dex;
	
	for(dex=0; dex<mNumExtensions; dex++) {
		DecodedExten *exten = &mExtensions[dex];
		delete exten->extnId;
		delete exten->snaccObj;
	}
	alloc.free(mExtensions);
	reset();
}
	
/* decode TBSCert and its extensions */
void DecodedCert::decodeTbs(
	const CssmData	&encodedTbs)
{
	CASSERT(mState == CS_Empty);
	CASSERT(certificateToSign != NULL);
	try {
		SC_decodeAsnObj(encodedTbs, *certificateToSign);
	}
	catch (...) {
		errorLog0("decodeTbs: tbs.BDec failure\n");
		/* FIXME - leave in bad state? delete and clear? let's be cautious...*/
		delete certificateToSign;
		certificateToSign = new CertificateToSign;
	}
	decodeExtensions();
	mState = CS_DecodedTBS;
}

/*
 * FIXME : how to determine max encoding size at run time!?
 */
#define MAX_TEMPLATE_SIZE	(8 * 1024)

/* encode TBS component; only called from CertCreateTemplate */
void DecodedCert::encodeTbs(
	CssmOwnedData	&encodedTbs)
{
	encodeExtensions();
	CASSERT(mState == CS_Building);
	if(certificateToSign == NULL) {
		errorLog0("DecodedCert::encodeTbs: no TBS\n");
		CssmError::throwMe(CSSMERR_CL_INTERNAL_ERROR);
	}
	
	/* enforce required fields - could go deeper, maybe we should */
	if((certificateToSign->signature == NULL) ||
	   (certificateToSign->issuer == NULL) ||
	   (certificateToSign->validity == NULL) ||
	   (certificateToSign->subject == NULL) ||
	   (certificateToSign->subjectPublicKeyInfo == NULL)) {
		errorLog0("DecodedCert::encodeTbs: incomplete TBS\n");
		/* an odd, undocumented error return */
		CssmError::throwMe(CSSMERR_CL_NO_FIELD_VALUES);
	}
	SC_encodeAsnObj(*certificateToSign, encodedTbs, MAX_TEMPLATE_SIZE);
}

/*
 * Cook up CSSM_KEYUSE, gleaning as much as possible from
 * (optional) extensions. If no applicable extensions available,
 * we'll just return CSSM_KEYUSE_ANY.
 *
 * Note that the standard KeyUsage flags involving 'signing' translate
 * to verify since we're only dealing with public keys. 
 */
CSSM_KEYUSE DecodedCert::inferKeyUsage() const
{
	CSSM_KEYUSE keyUse = 0;
	DecodedExten *decodedExten;
	uint32 numFields;
	
	decodedExten = findDecodedExt(id_ce_keyUsage, false, 0, numFields);
	if(decodedExten) {
		KeyUsage *ku = dynamic_cast<KeyUsage *>(decodedExten->snaccObj);
		if(ku == NULL) {
			errorLog0("inferKeyUsage: dynamic_cast failure(1)\n");
			CssmError::throwMe(CSSMERR_CL_INTERNAL_ERROR);
		}
		if(ku->GetBit(KeyUsage::digitalSignature)) {
			keyUse |= CSSM_KEYUSE_VERIFY;
		}
		if(ku->GetBit(KeyUsage::nonRepudiation)) {
			keyUse |= CSSM_KEYUSE_VERIFY;
		}
		if(ku->GetBit(KeyUsage::keyEncipherment)) {
			keyUse |= CSSM_KEYUSE_WRAP;
		}
		if(ku->GetBit(KeyUsage::keyAgreement)) {
			keyUse |= CSSM_KEYUSE_DERIVE;
		}
		if(ku->GetBit(KeyUsage::keyCertSign)) {
			keyUse |= CSSM_KEYUSE_VERIFY;
		}
		if(ku->GetBit(KeyUsage::cRLSign)) {
			keyUse |= CSSM_KEYUSE_VERIFY;
		}
		if(ku->GetBit(KeyUsage::dataEncipherment)) {
			keyUse |= CSSM_KEYUSE_ENCRYPT;
		}
	}
	decodedExten = findDecodedExt(id_ce_extKeyUsage, false, 0, numFields);
	if(decodedExten) {
		ExtKeyUsageSyntax *eku = 
			dynamic_cast<ExtKeyUsageSyntax *>(decodedExten->snaccObj);
		if(eku == NULL) {
			errorLog0("inferKeyUsage: dynamic_cast failure(2)\n");
			CssmError::throwMe(CSSMERR_CL_INTERNAL_ERROR);
		}
		unsigned numOids = eku->Count();
		eku->SetCurrToFirst();
		unsigned oidDex;
		for(oidDex=0; oidDex<numOids; oidDex++) {
			KeyPurposeId *purp = eku->Curr();
			if(*purp == id_kp_codeSigning) {
				keyUse |= CSSM_KEYUSE_VERIFY;
			}
			/* I don't think the other purposes are useful... */
			eku->GoNext();
		}
	}
	if(keyUse == 0) {
		/* Nothing found; take the default. */
		keyUse = CSSM_KEYUSE_ANY;
	}
	return keyUse;
}

/*
 * Obtain a CSSM_KEY from a decoded cert, inferring as much as we can
 * from required fields (subjectPublicKeyInfo) and extensions (for 
 * KeyUse).
 */
CSSM_KEY_PTR DecodedCert::extractCSSMKey(
	CssmAllocator		&alloc)	const
{
	CASSERT(certificateToSign != NULL);
	SubjectPublicKeyInfo *snaccKeyInfo = certificateToSign->subjectPublicKeyInfo;
	if((snaccKeyInfo == NULL) ||
	   (snaccKeyInfo->algorithm == NULL)) {
		CssmError::throwMe(CSSMERR_CL_NO_FIELD_VALUES);
	}
	return CL_extractCSSMKey(*snaccKeyInfo, alloc, this);
}
Commit	Line	Data
bac41a7b A	1	/*
	2	* Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
	3	*
	4	* The contents of this file constitute Original Code as defined in and are
	5	* subject to the Apple Public Source License Version 1.2 (the 'License').
	6	* You may not use this file except in compliance with the License. Please obtain
	7	* a copy of the License at http://www.apple.com/publicsource and read it before
	8	* using this file.
	9	*
	10	* This Original Code and all software distributed under the License are
	11	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
	12	* OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
	13	* LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
	14	* PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
	15	* specific language governing rights and limitations under the License.
	16	*/
	17
	18
	19	/*
	20	* DecodedCert.cpp - object representing a snacc-decoded cert, with extensions
	21	* parsed and decoded (still in snacc format).
	22	*
	23	* Created 9/1/2000 by Doug Mitchell.
	24	* Copyright (c) 2000 by Apple Computer.
	25	*/
	26
	27	#include "DecodedCert.h"
	28	#include "SnaccUtils.h"
	29	#include "cldebugging.h"
	30	#include "AppleX509CLSession.h"
	31	#include "CSPAttacher.h"
	32	#include <Security/cdsaUtils.h>
	33	#include <Security/cssmapple.h>
	34
	35	DecodedCert::DecodedCert(
	36	AppleX509CLSession &session)
29654253	37	: alloc(session),
bac41a7b A	38	mSession(session)
	39	{
	40	certificateToSign = new CertificateToSign;
	41	reset();
	42	}
	43
	44	/* one-shot constructor, decoding from DER-encoded data */
	45	DecodedCert::DecodedCert(
	46	AppleX509CLSession &session,
	47	const CssmData &encodedCert)
29654253	48	: alloc(session),
bac41a7b A	49	mSession(session)
	50	{
	51	reset();
	52	SC_decodeAsnObj(encodedCert, *this);
	53	decodeExtensions();
	54	mState = CS_DecodedCert;
	55	}
	56
	57	DecodedCert::~DecodedCert()
	58	{
	59	/* free all extensions */
	60	unsigned dex;
	61
	62	for(dex=0; dex<mNumExtensions; dex++) {
	63	DecodedExten *exten = &mExtensions[dex];
	64	delete exten->extnId;
	65	delete exten->snaccObj;
	66	}
	67	alloc.free(mExtensions);
	68	reset();
	69	}
	70
	71	/* decode TBSCert and its extensions */
	72	void DecodedCert::decodeTbs(
	73	const CssmData &encodedTbs)
	74	{
	75	CASSERT(mState == CS_Empty);
	76	CASSERT(certificateToSign != NULL);
	77	try {
	78	SC_decodeAsnObj(encodedTbs, *certificateToSign);
	79	}
	80	catch (...) {
	81	errorLog0("decodeTbs: tbs.BDec failure\n");
	82	/* FIXME - leave in bad state? delete and clear? let's be cautious...*/
	83	delete certificateToSign;
	84	certificateToSign = new CertificateToSign;
	85	}
	86	decodeExtensions();
	87	mState = CS_DecodedTBS;
	88	}
	89
	90	/*
	91	* FIXME : how to determine max encoding size at run time!?
	92	*/
	93	#define MAX_TEMPLATE_SIZE (8 * 1024)
	94
	95	/* encode TBS component; only called from CertCreateTemplate */
	96	void DecodedCert::encodeTbs(
	97	CssmOwnedData &encodedTbs)
	98	{
	99	encodeExtensions();
	100	CASSERT(mState == CS_Building);
	101	if(certificateToSign == NULL) {
	102	errorLog0("DecodedCert::encodeTbs: no TBS\n");
	103	CssmError::throwMe(CSSMERR_CL_INTERNAL_ERROR);
	104	}
	105
	106	/* enforce required fields - could go deeper, maybe we should */
	107	if((certificateToSign->signature == NULL) \|\|
	108	(certificateToSign->issuer == NULL) \|\|
	109	(certificateToSign->validity == NULL) \|\|
	110	(certificateToSign->subject == NULL) \|\|
	111	(certificateToSign->subjectPublicKeyInfo == NULL)) {
	112	errorLog0("DecodedCert::encodeTbs: incomplete TBS\n");
113	/* an odd, undocumented error return */
114	CssmError::throwMe(CSSMERR_CL_NO_FIELD_VALUES);
115	}
116	SC_encodeAsnObj(*certificateToSign, encodedTbs, MAX_TEMPLATE_SIZE);
117	}
118
119	/*
120	* Cook up CSSM_KEYUSE, gleaning as much as possible from
121	* (optional) extensions. If no applicable extensions available,
122	* we'll just return CSSM_KEYUSE_ANY.
123	*
124	* Note that the standard KeyUsage flags involving 'signing' translate
125	* to verify since we're only dealing with public keys.
126	*/
127	CSSM_KEYUSE DecodedCert::inferKeyUsage() const
128	{
129	CSSM_KEYUSE keyUse = 0;
130	DecodedExten *decodedExten;
131	uint32 numFields;
132
133	decodedExten = findDecodedExt(id_ce_keyUsage, false, 0, numFields);
134	if(decodedExten) {
135	KeyUsage ku = dynamic_cast<KeyUsage >(decodedExten->snaccObj);
136	if(ku == NULL) {
137	errorLog0("inferKeyUsage: dynamic_cast failure(1)\n");
138	CssmError::throwMe(CSSMERR_CL_INTERNAL_ERROR);
139	}
140	if(ku->GetBit(KeyUsage::digitalSignature)) {
141	keyUse \|= CSSM_KEYUSE_VERIFY;
142	}
143	if(ku->GetBit(KeyUsage::nonRepudiation)) {
144	keyUse \|= CSSM_KEYUSE_VERIFY;
145	}
146	if(ku->GetBit(KeyUsage::keyEncipherment)) {
147	keyUse \|= CSSM_KEYUSE_WRAP;
148	}
149	if(ku->GetBit(KeyUsage::keyAgreement)) {
150	keyUse \|= CSSM_KEYUSE_DERIVE;
151	}
152	if(ku->GetBit(KeyUsage::keyCertSign)) {
153	keyUse \|= CSSM_KEYUSE_VERIFY;
154	}
155	if(ku->GetBit(KeyUsage::cRLSign)) {
156	keyUse \|= CSSM_KEYUSE_VERIFY;
157	}
158	if(ku->GetBit(KeyUsage::dataEncipherment)) {
159	keyUse \|= CSSM_KEYUSE_ENCRYPT;
160	}
161	}
162	decodedExten = findDecodedExt(id_ce_extKeyUsage, false, 0, numFields);
163	if(decodedExten) {
164	ExtKeyUsageSyntax *eku =
165	dynamic_cast<ExtKeyUsageSyntax *>(decodedExten->snaccObj);
166	if(eku == NULL) {
167	errorLog0("inferKeyUsage: dynamic_cast failure(2)\n");
168	CssmError::throwMe(CSSMERR_CL_INTERNAL_ERROR);
169	}
170	unsigned numOids = eku->Count();
171	eku->SetCurrToFirst();
172	unsigned oidDex;
173	for(oidDex=0; oidDex<numOids; oidDex++) {
174	KeyPurposeId *purp = eku->Curr();
175	if(*purp == id_kp_codeSigning) {
176	keyUse \|= CSSM_KEYUSE_VERIFY;
177	}
178	/* I don't think the other purposes are useful... */
179	eku->GoNext();
180	}
181	}
182	if(keyUse == 0) {
183	/* Nothing found; take the default. */
184	keyUse = CSSM_KEYUSE_ANY;
185	}
186	return keyUse;
187	}
188
189	/*
190	* Obtain a CSSM_KEY from a decoded cert, inferring as much as we can
191	* from required fields (subjectPublicKeyInfo) and extensions (for
192	* KeyUse).
193	*/
194	CSSM_KEY_PTR DecodedCert::extractCSSMKey(
195	CssmAllocator &alloc) const
196	{
197	CASSERT(certificateToSign != NULL);
198	SubjectPublicKeyInfo *snaccKeyInfo = certificateToSign->subjectPublicKeyInfo;
199	if((snaccKeyInfo == NULL) \|\|
200	(snaccKeyInfo->algorithm == NULL)) {
201	CssmError::throwMe(CSSMERR_CL_NO_FIELD_VALUES);
202	}
29654253	203	return CL_extractCSSMKey(*snaccKeyInfo, alloc, this);
bac41a7b A	204	}
bac41a7b A	205