[apple/security.git] / sec / securityd / SecOCSPRequest.c

/*
 * Copyright (c) 2008-2009 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * SecOCSPRequest.c - Trust policies dealing with certificate revocation.
 */

#include <securityd/SecOCSPRequest.h>
#include <Security/SecCertificateInternal.h>
#include <AssertMacros.h>
#include <utilities/debugging.h>
#include <security_asn1/SecAsn1Coder.h>
#include <security_asn1/ocspTemplates.h>
#include <security_asn1/oidsalg.h>
#include <security_asn1/oidsocsp.h>
#include <CommonCrypto/CommonDigest.h>
#include <stdlib.h>
#include "SecInternal.h"

/*
   OCSPRequest     ::=     SEQUENCE {
       tbsRequest                  TBSRequest,
       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }

   TBSRequest      ::=     SEQUENCE {
       version             [0]     EXPLICIT Version DEFAULT v1,
       requestorName       [1]     EXPLICIT GeneralName OPTIONAL,
       requestList                 SEQUENCE OF Request,
       requestExtensions   [2]     EXPLICIT Extensions OPTIONAL }

   Signature       ::=     SEQUENCE {
       signatureAlgorithm      AlgorithmIdentifier,
       signature               BIT STRING,
       certs               [0] EXPLICIT SEQUENCE OF Certificate
   OPTIONAL}

   Version         ::=             INTEGER  {  v1(0) }

   Request         ::=     SEQUENCE {
       reqCert                     CertID,
       singleRequestExtensions     [0] EXPLICIT Extensions OPTIONAL }

   CertID          ::=     SEQUENCE {
       hashAlgorithm       AlgorithmIdentifier,
       issuerNameHash      OCTET STRING, -- Hash of Issuer's DN
       issuerKeyHash       OCTET STRING, -- Hash of Issuers public key
       serialNumber        CertificateSerialNumber }
 */
static CFDataRef _SecOCSPRequestCopyDEREncoding(SecOCSPRequestRef this) {
	/* fields obtained from issuer */
	SecAsn1OCSPSignedRequest	signedReq = {};
	SecAsn1OCSPTbsRequest		*tbs = &signedReq.tbsRequest;
	SecAsn1OCSPRequest			singleReq = {};
	SecAsn1OCSPCertID			*certId = &singleReq.reqCert;
	SecAsn1OCSPRequest			*reqArray[2] = { &singleReq, NULL };
	uint8_t						version = 0;
	SecAsn1Item					vers = {1, &version};
    CFDataRef                   der = NULL;
    SecAsn1CoderRef             coder = NULL;
    CFDataRef                   issuerNameDigest;
    CFDataRef                   serial;
    CFDataRef                   issuerPubKeyDigest;


    /* algId refers to the hash we'll perform in issuer name and key */
    certId->algId.algorithm = CSSMOID_SHA1;
    /* preencoded DER NULL */
    static uint8_t nullParam[2] = {5, 0};
	certId->algId.parameters.Data = nullParam;
	certId->algId.parameters.Length = sizeof(nullParam);

    /* @@@ Change this from using SecCertificateCopyIssuerSHA1Digest() /
       SecCertificateCopyPublicKeySHA1Digest() to
       SecCertificateCopyIssuerSequence() / SecCertificateGetPublicKeyData()
       and call SecDigestCreate here instead. */
    issuerNameDigest = SecCertificateCopyIssuerSHA1Digest(this->certificate);
    serial = SecCertificateCopySerialNumber(this->certificate);
    issuerPubKeyDigest = SecCertificateCopyPublicKeySHA1Digest(this->issuer);

	/* build the CertID from those components */
	certId->issuerNameHash.Length = CC_SHA1_DIGEST_LENGTH;
	certId->issuerNameHash.Data = (uint8_t *)CFDataGetBytePtr(issuerNameDigest);
	certId->issuerPubKeyHash.Length = CC_SHA1_DIGEST_LENGTH;
	certId->issuerPubKeyHash.Data = (uint8_t *)CFDataGetBytePtr(issuerPubKeyDigest);
	certId->serialNumber.Length = CFDataGetLength(serial);
	certId->serialNumber.Data = (uint8_t *)CFDataGetBytePtr(serial);

	/* Build top level request with one entry in requestList, no signature,
       and no optional extensions. */
	tbs->version = &vers;
	tbs->requestList = reqArray;

	/* Encode the request. */
    require_noerr(SecAsn1CoderCreate(&coder), errOut);
    SecAsn1Item encoded;
	require_noerr(SecAsn1EncodeItem(coder, &signedReq,
        kSecAsn1OCSPSignedRequestTemplate, &encoded), errOut);
    der = CFDataCreate(kCFAllocatorDefault, encoded.Data,
        encoded.Length);

errOut:
    if (coder)
        SecAsn1CoderRelease(coder);
    CFReleaseSafe(issuerNameDigest);
    CFReleaseSafe(serial);
    CFReleaseSafe(issuerPubKeyDigest);

    return der;
}

SecOCSPRequestRef SecOCSPRequestCreate(SecCertificateRef certificate,
    SecCertificateRef issuer) {
    SecOCSPRequestRef this;
    require(this = (SecOCSPRequestRef)calloc(1, sizeof(struct __SecOCSPRequest)),
        errOut);
    this->certificate = certificate;
    this->issuer = issuer;

    return this;
errOut:
    if (this) {
        SecOCSPRequestFinalize(this);
    }
    return NULL;
}

CFDataRef SecOCSPRequestGetDER(SecOCSPRequestRef this) {
    CFDataRef der = this->der;
    if (!der) {
        this->der = der = _SecOCSPRequestCopyDEREncoding(this);
    }
    return der;
}

void SecOCSPRequestFinalize(SecOCSPRequestRef this) {
    CFReleaseSafe(this->der);
    free(this);
}
Commit	Line	Data
b1ab9ed8 A	1	/*
	2	* Copyright (c) 2008-2009 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*
	25	* SecOCSPRequest.c - Trust policies dealing with certificate revocation.
	26	*/
	27
	28	#include <securityd/SecOCSPRequest.h>
	29	#include <Security/SecCertificateInternal.h>
	30	#include <AssertMacros.h>
427c49bc	31	#include <utilities/debugging.h>
b1ab9ed8 A	32	#include <security_asn1/SecAsn1Coder.h>
	33	#include <security_asn1/ocspTemplates.h>
	34	#include <security_asn1/oidsalg.h>
	35	#include <security_asn1/oidsocsp.h>
	36	#include <CommonCrypto/CommonDigest.h>
	37	#include <stdlib.h>
	38	#include "SecInternal.h"
	39
	40	/*
	41	OCSPRequest ::= SEQUENCE {
	42	tbsRequest TBSRequest,
	43	optionalSignature [0] EXPLICIT Signature OPTIONAL }
	44
	45	TBSRequest ::= SEQUENCE {
	46	version [0] EXPLICIT Version DEFAULT v1,
	47	requestorName [1] EXPLICIT GeneralName OPTIONAL,
	48	requestList SEQUENCE OF Request,
	49	requestExtensions [2] EXPLICIT Extensions OPTIONAL }
	50
	51	Signature ::= SEQUENCE {
	52	signatureAlgorithm AlgorithmIdentifier,
	53	signature BIT STRING,
	54	certs [0] EXPLICIT SEQUENCE OF Certificate
	55	OPTIONAL}
	56
	57	Version ::= INTEGER { v1(0) }
	58
	59	Request ::= SEQUENCE {
	60	reqCert CertID,
	61	singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
	62
	63	CertID ::= SEQUENCE {
	64	hashAlgorithm AlgorithmIdentifier,
	65	issuerNameHash OCTET STRING, -- Hash of Issuer's DN
	66	issuerKeyHash OCTET STRING, -- Hash of Issuers public key
	67	serialNumber CertificateSerialNumber }
	68	*/
	69	static CFDataRef _SecOCSPRequestCopyDEREncoding(SecOCSPRequestRef this) {
	70	/* fields obtained from issuer */
	71	SecAsn1OCSPSignedRequest signedReq = {};
	72	SecAsn1OCSPTbsRequest *tbs = &signedReq.tbsRequest;
	73	SecAsn1OCSPRequest singleReq = {};
	74	SecAsn1OCSPCertID *certId = &singleReq.reqCert;
	75	SecAsn1OCSPRequest *reqArray[2] = { &singleReq, NULL };
	76	uint8_t version = 0;
	77	SecAsn1Item vers = {1, &version};
	78	CFDataRef der = NULL;
	79	SecAsn1CoderRef coder = NULL;
	80	CFDataRef issuerNameDigest;
	81	CFDataRef serial;
	82	CFDataRef issuerPubKeyDigest;
	83
	84
	85	/* algId refers to the hash we'll perform in issuer name and key */
	86	certId->algId.algorithm = CSSMOID_SHA1;
	87	/* preencoded DER NULL */
	88	static uint8_t nullParam[2] = {5, 0};
	89	certId->algId.parameters.Data = nullParam;
	90	certId->algId.parameters.Length = sizeof(nullParam);
	91
	92	/* @@@ Change this from using SecCertificateCopyIssuerSHA1Digest() /
	93	SecCertificateCopyPublicKeySHA1Digest() to
	94	SecCertificateCopyIssuerSequence() / SecCertificateGetPublicKeyData()
	95	and call SecDigestCreate here instead. */
96	issuerNameDigest = SecCertificateCopyIssuerSHA1Digest(this->certificate);
97	serial = SecCertificateCopySerialNumber(this->certificate);
98	issuerPubKeyDigest = SecCertificateCopyPublicKeySHA1Digest(this->issuer);
99
100	/* build the CertID from those components */
101	certId->issuerNameHash.Length = CC_SHA1_DIGEST_LENGTH;
102	certId->issuerNameHash.Data = (uint8_t *)CFDataGetBytePtr(issuerNameDigest);
103	certId->issuerPubKeyHash.Length = CC_SHA1_DIGEST_LENGTH;
104	certId->issuerPubKeyHash.Data = (uint8_t *)CFDataGetBytePtr(issuerPubKeyDigest);
105	certId->serialNumber.Length = CFDataGetLength(serial);
106	certId->serialNumber.Data = (uint8_t *)CFDataGetBytePtr(serial);
107
108	/* Build top level request with one entry in requestList, no signature,
109	and no optional extensions. */
110	tbs->version = &vers;
111	tbs->requestList = reqArray;
112
113	/* Encode the request. */
114	require_noerr(SecAsn1CoderCreate(&coder), errOut);
115	SecAsn1Item encoded;
116	require_noerr(SecAsn1EncodeItem(coder, &signedReq,
117	kSecAsn1OCSPSignedRequestTemplate, &encoded), errOut);
118	der = CFDataCreate(kCFAllocatorDefault, encoded.Data,
119	encoded.Length);
120
121	errOut:
122	if (coder)
123	SecAsn1CoderRelease(coder);
124	CFReleaseSafe(issuerNameDigest);
125	CFReleaseSafe(serial);
126	CFReleaseSafe(issuerPubKeyDigest);
127
128	return der;
129	}
130
131	SecOCSPRequestRef SecOCSPRequestCreate(SecCertificateRef certificate,
132	SecCertificateRef issuer) {
133	SecOCSPRequestRef this;
134	require(this = (SecOCSPRequestRef)calloc(1, sizeof(struct __SecOCSPRequest)),
135	errOut);
136	this->certificate = certificate;
137	this->issuer = issuer;
138
139	return this;
140	errOut:
141	if (this) {
142	SecOCSPRequestFinalize(this);
143	}
144	return NULL;
145	}
146
147	CFDataRef SecOCSPRequestGetDER(SecOCSPRequestRef this) {
148	CFDataRef der = this->der;
149	if (!der) {
150	this->der = der = _SecOCSPRequestCopyDEREncoding(this);
151	}
152	return der;
153	}
154
155	void SecOCSPRequestFinalize(SecOCSPRequestRef this) {
156	CFReleaseSafe(this->der);
157	free(this);
158	}
159