projects / apple / security.git / blame
| Commit | Line | Data |
|---|---|---|
| b1ab9ed8 | 1 | /* |
| d8f41ccd | 2 | * Copyright (c) 2000-2013 Apple Inc. All Rights Reserved. |
| 4d3cab3d | 3 | * |
| b1ab9ed8 A |
4 | * The contents of this file constitute Original Code as defined in and are |
| 5 | * subject to the Apple Public Source License Version 1.2 (the 'License'). | |
| 6 | * You may not use this file except in compliance with the License. Please obtain | |
| 7 | * a copy of the License at http://www.apple.com/publicsource and read it before | |
| 8 | * using this file. | |
| 4d3cab3d | 9 | * |
| b1ab9ed8 A |
10 | * This Original Code and all software distributed under the License are |
| 11 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS | |
| 12 | * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT | |
| 13 | * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR | |
| 14 | * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the | |
| 15 | * specific language governing rights and limitations under the License. | |
| 16 | */ | |
| 17 | ||
| 18 | ||
| 19 | /* | |
| 20 | * TPCertInfo.h - TP's private certificate info and cert group classes | |
| 21 | */ | |
| 4d3cab3d | 22 | |
| b1ab9ed8 A |
23 | #ifndef _TP_CERT_INFO_H_ |
| 24 | #define _TP_CERT_INFO_H_ | |
| 25 | ||
| 26 | #include <Security/cssm.h> | |
| 27 | #include <Security/SecTrust.h> | |
| 28 | #include <Security/SecTrustSettings.h> | |
| 29 | #include <security_utilities/alloc.h> | |
| 30 | #include <security_utilities/threading.h> | |
| 31 | #include <security_utilities/globalizer.h> | |
| 32 | #include <CoreFoundation/CFDate.h> | |
| 33 | ||
| 34 | /* protects TP-wide access to time() and gmtime() */ | |
| 35 | extern ModuleNexus<Mutex> tpTimeLock; | |
| 36 | ||
| 4d3cab3d | 37 | /* |
| b1ab9ed8 A |
38 | * Prototypes for functions which are isomorphic between certs and CRLs at the |
| 39 | * CL API. | |
| 40 | */ | |
| 41 | typedef CSSM_RETURN (*clGetFirstFieldFcn)( | |
| 42 | CSSM_CL_HANDLE CLHandle, | |
| 43 | CSSM_HANDLE ItemHandle, // cached cert or CRL | |
| 44 | const CSSM_OID *ItemField, | |
| 45 | CSSM_HANDLE_PTR ResultsHandle, | |
| 46 | uint32 *NumberOfMatchedFields, | |
| 47 | CSSM_DATA_PTR *Value); | |
| 48 | typedef CSSM_RETURN (*clAbortQueryFcn)( | |
| 49 | CSSM_CL_HANDLE CLHandle, | |
| 50 | CSSM_HANDLE ResultsHandle); // from clGetFirstFieldFcn | |
| 51 | typedef CSSM_RETURN (*clCacheItemFcn)( | |
| 52 | CSSM_CL_HANDLE CLHandle, | |
| 53 | const CSSM_DATA *Item, // raw cert or CRL | |
| 54 | CSSM_HANDLE_PTR CertHandle); | |
| 55 | typedef CSSM_RETURN (*clAbortCacheFcn)( | |
| 56 | CSSM_CL_HANDLE CLHandle, | |
| 57 | CSSM_HANDLE ItemHandle); // from clCacheItemFcn | |
| 58 | typedef CSSM_RETURN (*clItemVfyFcn)( | |
| 59 | CSSM_CL_HANDLE CLHandle, | |
| 60 | CSSM_CC_HANDLE CCHandle, | |
| 61 | const CSSM_DATA *CrlOrCertToBeVerified, | |
| 62 | const CSSM_DATA *SignerCert, | |
| 63 | const CSSM_FIELD *VerifyScope, | |
| 64 | uint32 ScopeSize); | |
| 65 | ||
| 66 | typedef struct { | |
| 67 | /* CL/cert-specific functions */ | |
| 68 | clGetFirstFieldFcn getField; | |
| 69 | clAbortQueryFcn abortQuery; | |
| 70 | clCacheItemFcn cacheItem; | |
| 71 | clAbortCacheFcn abortCache; | |
| 72 | clItemVfyFcn itemVerify; | |
| 73 | /* CL/cert-specific OIDs */ | |
| 74 | const CSSM_OID *notBeforeOid; | |
| 75 | const CSSM_OID *notAfterOid; | |
| 76 | /* CL/cert specific errors */ | |
| 77 | CSSM_RETURN invalidItemRtn; // CSSMERR_TP_INVALID_{CERT,CRL}_POINTER | |
| 4d3cab3d | 78 | CSSM_RETURN expiredRtn; |
| b1ab9ed8 A |
79 | CSSM_RETURN notValidYetRtn; |
| 80 | } TPClItemCalls; | |
| 81 | ||
| 82 | class TPCertInfo; | |
| 83 | ||
| 84 | /* | |
| 4d3cab3d | 85 | * On construction of a TPClItemInfo, specifies whether or not to |
| b1ab9ed8 | 86 | * copy the incoming item data (in which we free it upon destruction) |
| 4d3cab3d | 87 | * or to use caller's data as is (in which case the caller maintains |
| b1ab9ed8 A |
88 | * the data). |
| 89 | */ | |
| 90 | typedef enum { | |
| 91 | TIC_None = 0, // never used | |
| 92 | TIC_NoCopy, // caller maintains | |
| 93 | TIC_CopyData // we copy and free | |
| 94 | } TPItemCopy; | |
| 4d3cab3d | 95 | |
| b1ab9ed8 A |
96 | /* |
| 97 | * State of a cert's mIsRoot flag. We do signature self-verify on demand. | |
| 98 | */ | |
| 99 | typedef enum { | |
| 100 | TRS_Unknown, // initial state | |
| 101 | TRS_NamesMatch, // subject == issuer, but no sig verify yet | |
| 102 | TRS_NotRoot, // subject != issuer, OR sig verify failed | |
| 103 | TRS_IsRoot // it's a root | |
| 104 | } TPRootState; | |
| 105 | ||
| 106 | /* | |
| 4d3cab3d | 107 | * Base class for TPCertInfo and TPCrlInfo. Encapsulates caching of |
| b1ab9ed8 A |
108 | * an entity within the CL, field lookup/free, and signature verify, |
| 109 | * all of which use similar functions at the CL API. | |
| 110 | */ | |
| 111 | class TPClItemInfo | |
| 112 | { | |
| 113 | NOCOPY(TPClItemInfo) | |
| 114 | public: | |
| 115 | TPClItemInfo( | |
| 116 | CSSM_CL_HANDLE clHand, | |
| 117 | CSSM_CSP_HANDLE cspHand, | |
| 118 | const TPClItemCalls &clCalls, | |
| 119 | const CSSM_DATA *itemData, | |
| 4d3cab3d | 120 | TPItemCopy copyItemData, |
| b1ab9ed8 | 121 | const char *verifyTime); // may be NULL |
| 4d3cab3d | 122 | |
| b1ab9ed8 A |
123 | ~TPClItemInfo(); |
| 124 | void releaseResources(); | |
| 4d3cab3d A |
125 | |
| 126 | /* | |
| b1ab9ed8 A |
127 | * Fetch arbitrary field from cached item. |
| 128 | * Only should be used when caller is sure there is either zero or one | |
| 129 | * of the requested fields present in the cert. | |
| 130 | */ | |
| 131 | CSSM_RETURN fetchField( | |
| 132 | const CSSM_OID *fieldOid, | |
| 133 | CSSM_DATA_PTR *fieldData); // mallocd by CL and RETURNED | |
| 134 | ||
| 135 | /* free arbitrary field obtained from fetchField() */ | |
| 4d3cab3d | 136 | CSSM_RETURN freeField( |
| b1ab9ed8 A |
137 | const CSSM_OID *fieldOid, |
| 138 | CSSM_DATA_PTR fieldData); | |
| 139 | ||
| 4d3cab3d | 140 | /* |
| b1ab9ed8 A |
141 | * Verify with an issuer cert - works on certs and CRLs. |
| 142 | * Issuer/subject name match already performed by caller. | |
| 143 | * May return CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE without | |
| 4d3cab3d A |
144 | * performing a signature op, in which case it is the caller's |
| 145 | * resposibility to complete this operation later when | |
| b1ab9ed8 A |
146 | * sufficient information is available. |
| 147 | * | |
| 148 | * Optional paramCert is used to provide parameters when issuer | |
| 149 | * has a partial public key. | |
| 150 | */ | |
| 151 | CSSM_RETURN verifyWithIssuer( | |
| 152 | TPCertInfo *issuerCert, | |
| 153 | TPCertInfo *paramCert = NULL) const; | |
| 154 | ||
| 155 | /* accessors */ | |
| 156 | CSSM_CL_HANDLE clHand() const { return mClHand; } | |
| 157 | CSSM_CSP_HANDLE cspHand() const { return mCspHand; } | |
| 158 | CSSM_HANDLE cacheHand() const { return mCacheHand; } | |
| 159 | const CSSM_DATA *itemData() const { return mItemData; } | |
| 4d3cab3d A |
160 | const CSSM_DATA *issuerName() const { return mIssuerName; }; |
| 161 | const CSSM_DATA *subjectKeyID() const { return mSubjectKeyID; }; | |
| 162 | const CSSM_DATA *authorityKeyID() const { return mAuthorityKeyID; }; | |
| 163 | unsigned index() const { return mIndex; } | |
| b1ab9ed8 A |
164 | void index(unsigned dex) { mIndex = dex; } |
| 165 | bool isExpired() { return mIsExpired; } | |
| 166 | bool isNotValidYet() { return mIsNotValidYet; } | |
| 4d3cab3d A |
167 | |
| 168 | /* | |
| 169 | * Calculate validity (not before/after). Returns | |
| b1ab9ed8 A |
170 | * CSSMERR_{TP_CERT,APPLETP_CRL}_NOT_VALID_YET |
| 171 | * CSSMERR_xxx_T_EXPIRED | |
| 172 | * CSSM_OK | |
| 173 | * CSSMERR_xxx_INVALID_CERT_POINTER, other "bogus cert" errors | |
| 174 | */ | |
| 175 | CSSM_RETURN calculateCurrent( | |
| 176 | const char *verifyString = NULL); | |
| 4d3cab3d | 177 | |
| b1ab9ed8 A |
178 | private: |
| 179 | ||
| 180 | /* Tell CL to parse and cache the item */ | |
| 181 | CSSM_RETURN cacheItem( | |
| 182 | const CSSM_DATA *itemData, | |
| 4d3cab3d A |
183 | TPItemCopy copyItemData); |
| 184 | ||
| 185 | ||
| b1ab9ed8 A |
186 | /* fetch not before/after fields */ |
| 187 | void fetchNotBeforeAfter(); | |
| 4d3cab3d | 188 | |
| b1ab9ed8 A |
189 | CSSM_CL_HANDLE mClHand; // always valid |
| 190 | CSSM_CSP_HANDLE mCspHand; // always valid | |
| 191 | const TPClItemCalls &mClCalls; | |
| 4d3cab3d | 192 | bool mWeOwnTheData; // if true, we have to free |
| b1ab9ed8 | 193 | // mCertData |
| 4d3cab3d | 194 | /* following are valid subsequent to cacheItem(), generally |
| b1ab9ed8 | 195 | * called by subclass's constructor */ |
| 4d3cab3d | 196 | CSSM_HANDLE mCacheHand; |
| b1ab9ed8 | 197 | CSSM_DATA_PTR mIssuerName; |
| 4d3cab3d A |
198 | CSSM_DATA_PTR mSubjectKeyID; |
| 199 | CSSM_DATA_PTR mAuthorityKeyID; | |
| 200 | CSSM_DATA_PTR mItemData; | |
| b1ab9ed8 A |
201 | CSSM_ALGORITHMS mSigAlg; |
| 202 | ||
| 203 | /* calculated implicitly at construction */ | |
| 204 | CFDateRef mNotBefore; | |
| 205 | CFDateRef mNotAfter; | |
| 4d3cab3d | 206 | |
| b1ab9ed8 A |
207 | /* also calculated at construction, but can be recalculated at will */ |
| 208 | bool mIsExpired; | |
| 209 | bool mIsNotValidYet; | |
| 4d3cab3d | 210 | |
| b1ab9ed8 A |
211 | unsigned mIndex; |
| 212 | }; | |
| 213 | ||
| 214 | /* | |
| 215 | * Class representing one certificate. The raw cert data usually comes from | |
| 4d3cab3d A |
216 | * a client (via incoming cert groups in CertGroupConstruct() and |
| 217 | * CertGroupVerify()); in this case, we don't own the raw data and | |
| 218 | * don't copy or free it. Caller can optionally specify that we copy | |
| 219 | * (and own and eventually free) the raw cert data. Currently this is | |
| 220 | * done when we find a cert in a DlDb or from the net. The constructor throws | |
| 221 | * on any error (bad cert data); subsequent to successful construction, no CSSM | |
| 222 | * errors are thrown and it's guaranteed that the cert is basically good and | |
| 223 | * successfully cached in the CL, and that we have a locally cached subject | |
| 224 | * and issuer name (in normalized encoded format). | |
| 225 | */ | |
| b1ab9ed8 A |
226 | class TPCertInfo : public TPClItemInfo |
| 227 | { | |
| 228 | NOCOPY(TPCertInfo) | |
| 229 | public: | |
| 4d3cab3d | 230 | /* |
| b1ab9ed8 A |
231 | * No default constructor - this is the only way. |
| 232 | * This caches the cert and fetches subjectName and issuerName | |
| 233 | * to ensure the incoming certData is well-constructed. | |
| 234 | */ | |
| 235 | TPCertInfo( | |
| 236 | CSSM_CL_HANDLE clHand, | |
| 237 | CSSM_CSP_HANDLE cspHand, | |
| 238 | const CSSM_DATA *certData, | |
| 4d3cab3d A |
239 | TPItemCopy copyCertData, |
| 240 | ||
| b1ab9ed8 | 241 | const char *verifyTime); // may be NULL |
| 4d3cab3d | 242 | |
| b1ab9ed8 A |
243 | /* frees mSubjectName, mIssuerName, mCacheHand via mClHand */ |
| 244 | ~TPCertInfo(); | |
| 4d3cab3d | 245 | |
| b1ab9ed8 A |
246 | /* accessors */ |
| 247 | const CSSM_DATA *subjectName(); | |
| 248 | ||
| 249 | bool isSelfSigned(bool avoidVerify = false); | |
| 250 | ||
| 251 | bool isAnchor() { return mIsAnchor; } | |
| 252 | void isAnchor(bool a) { mIsAnchor = a; } | |
| 253 | bool isFromNet() { return mIsFromNet; } | |
| 254 | void isFromNet(bool n) { mIsFromNet = n; }; | |
| 255 | bool isFromInputCerts() { return mIsFromInputCerts; } | |
| 256 | void isFromInputCerts(bool i) { mIsFromInputCerts = i; } | |
| 257 | unsigned numStatusCodes() { return mNumStatusCodes; } | |
| 258 | CSSM_RETURN *statusCodes() { return mStatusCodes; } | |
| 5c19dc3a A |
259 | sint32 crlReason() { return mCrlReason; } |
| 260 | void crlReason(sint32 r) { mCrlReason = r; } | |
| b1ab9ed8 A |
261 | CSSM_DL_DB_HANDLE dlDbHandle() { return mDlDbHandle; } |
| 262 | void dlDbHandle(CSSM_DL_DB_HANDLE hand) | |
| 263 | { mDlDbHandle = hand; } | |
| 264 | CSSM_DB_UNIQUE_RECORD_PTR uniqueRecord() | |
| 265 | { return mUniqueRecord; } | |
| 266 | void uniqueRecord(CSSM_DB_UNIQUE_RECORD_PTR rec) | |
| 267 | { mUniqueRecord = rec; } | |
| 268 | CSSM_KEY_PTR pubKey() { return mPublicKey; } | |
| 269 | bool used() { return mUsed; } | |
| 270 | void used(bool u) { mUsed = u; } | |
| 271 | bool isLeaf() { return mIsLeaf; } | |
| 272 | void isLeaf(bool l) { mIsLeaf = l; } | |
| 273 | ||
| 274 | SecTrustSettingsDomain trustSettingsDomain() { return mTrustSettingsDomain; } | |
| 275 | SecTrustSettingsResult trustSettingsResult() { return mTrustSettingsResult; } | |
| 276 | bool ignoredError() { return mIgnoredError; } | |
| 4d3cab3d | 277 | |
| b1ab9ed8 A |
278 | /* true means "verification terminated due to user trust setting" */ |
| 279 | bool trustSettingsFound(); | |
| 280 | /* | |
| 281 | * Am I the issuer of the specified subject item? Returns true if so. | |
| 4d3cab3d | 282 | * Works for subject certs as well as CRLs. |
| b1ab9ed8 A |
283 | */ |
| 284 | bool isIssuerOf( | |
| 285 | const TPClItemInfo &subject); | |
| 4d3cab3d A |
286 | |
| 287 | /* | |
| 288 | * Does my subject key id match the authority key id of the specified | |
| 289 | * subject item? Returns true if so. | |
| 290 | */ | |
| 291 | bool isAuthorityKeyOf( | |
| 292 | const TPClItemInfo &subject); | |
| 293 | ||
| 294 | /* | |
| b1ab9ed8 A |
295 | * Add error status to mStatusCodes[]. Check to see if the |
| 296 | * added status is allowed per mAllowedErrs; if not return true. | |
| 297 | * Returns false of the status *is* an allowed error. | |
| 298 | */ | |
| 299 | bool addStatusCode( | |
| 300 | CSSM_RETURN code); | |
| 301 | ||
| 302 | /* | |
| 303 | * See if the specified error status is in the mStatusCodes array. | |
| 304 | */ | |
| 305 | bool hasStatusCode( | |
| 306 | CSSM_RETURN code); | |
| 307 | ||
| 4d3cab3d | 308 | /* |
| b1ab9ed8 A |
309 | * See if the specified error status is allowed (return false) or |
| 310 | * fatal (return true) per mAllowedErrs[]. | |
| 311 | */ | |
| 312 | bool isStatusFatal( | |
| 313 | CSSM_RETURN code); | |
| 4d3cab3d A |
314 | |
| 315 | /* | |
| b1ab9ed8 A |
316 | * Indicate whether this cert's public key is a CSSM_KEYATTR_PARTIAL |
| 317 | * key. | |
| 318 | */ | |
| 319 | bool hasPartialKey(); | |
| 320 | ||
| 321 | /* Indicate whether this cert should be explicitly rejected. | |
| 322 | */ | |
| 323 | bool shouldReject(); | |
| 324 | ||
| 325 | /* | |
| 326 | * Flag to indicate that at least one revocation policy has successfully | |
| 4d3cab3d | 327 | * achieved a positive verification of the cert. |
| b1ab9ed8 A |
328 | */ |
| 329 | bool revokeCheckGood() { return mRevCheckGood; } | |
| 330 | void revokeCheckGood(bool b) { mRevCheckGood = b; } | |
| 4d3cab3d | 331 | |
| b1ab9ed8 A |
332 | /* |
| 333 | * Flag to indicate "I have successfully been checked for revocation | |
| 4d3cab3d A |
334 | * status and the per-policy action data indicates that I need not be |
| 335 | * checked again by any other revocation policy". E.g., | |
| b1ab9ed8 | 336 | * CSSM_TP_ACTION_CRL_SUFFICIENT is set and CRL revocation checking |
| 4d3cab3d | 337 | * was successful for this cert. |
| b1ab9ed8 A |
338 | */ |
| 339 | bool revokeCheckComplete() { return mRevCheckComplete; } | |
| 340 | void revokeCheckComplete(bool b) { mRevCheckComplete = b; } | |
| 4d3cab3d | 341 | |
| b1ab9ed8 A |
342 | /* |
| 343 | * Evaluate user trust; returns true if positive match found - i.e., | |
| 4d3cab3d | 344 | * cert chain construction is done. |
| b1ab9ed8 | 345 | * The foundEntry return value indicates that *some* entry was found for |
| 4d3cab3d | 346 | * the cert, regardless of the trust setting evaluation. |
| b1ab9ed8 A |
347 | */ |
| 348 | OSStatus evaluateTrustSettings( | |
| 349 | const CSSM_OID &policyOid, | |
| 350 | const char *policyString, // optional | |
| 351 | uint32 policyStringLen, | |
| 352 | SecTrustSettingsKeyUsage keyUse, // optional | |
| 353 | bool *foundMatchingEntry, | |
| 354 | bool *foundEntry); // RETURNED | |
| 4d3cab3d | 355 | |
| b1ab9ed8 | 356 | bool hasEmptySubjectName(); |
| 4d3cab3d | 357 | |
| b1ab9ed8 A |
358 | /* Free mUniqueRecord if it exists */ |
| 359 | void freeUniqueRecord(); | |
| 4d3cab3d | 360 | |
| b1ab9ed8 A |
361 | private: |
| 362 | /* obtained from CL at construction */ | |
| 363 | CSSM_DATA_PTR mSubjectName; // always valid | |
| 364 | CSSM_DATA_PTR mPublicKeyData; // mPublicKey obtained from this field | |
| 365 | CSSM_KEY_PTR mPublicKey; | |
| 4d3cab3d | 366 | |
| b1ab9ed8 A |
367 | /* maintained by caller, default at constructor 0/false */ |
| 368 | bool mIsAnchor; | |
| 369 | bool mIsFromInputCerts; | |
| 370 | bool mIsFromNet; | |
| 371 | unsigned mNumStatusCodes; | |
| 372 | CSSM_RETURN *mStatusCodes; | |
| 5c19dc3a | 373 | sint32 mCrlReason; |
| b1ab9ed8 A |
374 | CSSM_DL_DB_HANDLE mDlDbHandle; |
| 375 | CSSM_DB_UNIQUE_RECORD_PTR mUniqueRecord; | |
| 4d3cab3d | 376 | bool mUsed; // e.g., used in current loop |
| b1ab9ed8 A |
377 | bool mIsLeaf; // first in chain |
| 378 | TPRootState mIsRoot; // subject == issuer | |
| 379 | bool mRevCheckGood; // >= 1 revoke check good | |
| 380 | bool mRevCheckComplete; // no more revoke checking needed | |
| 4d3cab3d A |
381 | |
| 382 | /* | |
| b1ab9ed8 A |
383 | * When true, we've already called SecTrustSettingsEvaluateCert, |
| 384 | * and the cached results are in following member vars. | |
| 385 | */ | |
| 386 | bool mTrustSettingsEvaluated; | |
| 387 | ||
| 388 | /* result of trust settings evaluation */ | |
| 389 | SecTrustSettingsDomain mTrustSettingsDomain; | |
| 390 | SecTrustSettingsResult mTrustSettingsResult; | |
| 391 | bool mTrustSettingsFoundAnyEntry; | |
| 392 | bool mTrustSettingsFoundMatchingEntry; | |
| 4d3cab3d | 393 | |
| b1ab9ed8 A |
394 | /* allowed errors obtained from SecTrustSettingsEvaluateCert() */ |
| 395 | CSSM_RETURN *mAllowedErrs; | |
| 396 | uint32 mNumAllowedErrs; | |
| 4d3cab3d | 397 | |
| b1ab9ed8 A |
398 | /* we actually ignored one of mAllowedErrors[] */ |
| 399 | bool mIgnoredError; | |
| 400 | ||
| 401 | /* key usage for which mTrustSettingsResult was evaluated */ | |
| 402 | SecTrustSettingsKeyUsage mTrustSettingsKeyUsage; | |
| 4d3cab3d | 403 | |
| b1ab9ed8 | 404 | /* for SecTrustSettingsEvaluateCert() */ |
| 4d3cab3d A |
405 | CFStringRef mCertHashStr; |
| 406 | ||
| b1ab9ed8 A |
407 | void releaseResources(); |
| 408 | }; | |
| 409 | ||
| 410 | /* Describe who owns the items in a TP{Cert,Crl}Group */ | |
| 411 | typedef enum { | |
| 412 | TGO_None = 0, // not used | |
| 413 | TGO_Group, // TP{Cert,Crl}Group owns the items | |
| 414 | TGO_Caller // caller owns the items | |
| 415 | } TPGroupOwner; | |
| 416 | ||
| 417 | /* | |
| 418 | * TP's private Cert Group class. Provides a list of TPCertInfo pointers, | |
| 419 | * to which caller can append additional elements, access an element at | |
| 420 | * an arbitrary position, and remove an element at an arbitrary position. | |
| 421 | */ | |
| 422 | class TPCertGroup | |
| 423 | { | |
| 424 | NOCOPY(TPCertGroup) | |
| 425 | public: | |
| 426 | /* | |
| 427 | * No default constructor. | |
| 428 | * This one creates an empty TPCertGroup. | |
| 429 | */ | |
| 430 | TPCertGroup( | |
| 431 | Allocator &alloc, | |
| 432 | TPGroupOwner whoOwns); // if TGO_Group, we delete | |
| 4d3cab3d | 433 | |
| b1ab9ed8 A |
434 | /* |
| 435 | * Construct from unordered, untrusted CSSM_CERTGROUP. Resulting | |
| 436 | * TPCertInfos are more or less in the same order as the incoming | |
| 437 | * certs, though incoming certs are discarded if they don't parse. | |
| 4d3cab3d | 438 | * No verification of any sort is performed. |
| b1ab9ed8 A |
439 | */ |
| 440 | TPCertGroup( | |
| 441 | const CSSM_CERTGROUP &CertGroupFrag, | |
| 442 | CSSM_CL_HANDLE clHand, | |
| 443 | CSSM_CSP_HANDLE cspHand, | |
| 444 | Allocator &alloc, | |
| 445 | const char *verifyString, // may be NULL | |
| 446 | bool firstCertMustBeValid, | |
| 4d3cab3d A |
447 | TPGroupOwner whoOwns); |
| 448 | ||
| b1ab9ed8 A |
449 | /* |
| 450 | * Deletes all TPCertInfo's. | |
| 451 | */ | |
| 452 | ~TPCertGroup(); | |
| 4d3cab3d | 453 | |
| b1ab9ed8 | 454 | /* |
| 4d3cab3d | 455 | * Construct ordered, verified cert chain from a variety of inputs. |
| b1ab9ed8 A |
456 | * Time validity is ignored and needs to be checked by caller (it's |
| 457 | * stored in each TPCertInfo we add to ourself during construction). | |
| 4d3cab3d | 458 | * The only error returned is CSSMERR_APPLETP_INVALID_ROOT, meaning |
| b1ab9ed8 A |
459 | * we verified back to a supposed root cert which did not in fact |
| 460 | * self-verify. Other interesting status is returned via the | |
| 4d3cab3d | 461 | * verifiedToRoot and verifiedToAnchor flags. |
| b1ab9ed8 | 462 | * |
| 4d3cab3d A |
463 | * NOTE: is it the caller's responsibility to call setAllUnused() |
| 464 | * for both incoming cert groups (inCertGroup and gatheredCerts). | |
| 465 | * We don't do that here because we may call ourself recursively. | |
| b1ab9ed8 A |
466 | * |
| 467 | * subjectItem may or may not be in the cert group (currently, it | |
| 4d3cab3d A |
468 | * is in the group if it's a cert and it's not if it's a CRL, but |
| 469 | * we don't rely on that). | |
| b1ab9ed8 A |
470 | */ |
| 471 | CSSM_RETURN buildCertGroup( | |
| 472 | const TPClItemInfo &subjectItem, // Cert or CRL | |
| 473 | TPCertGroup *inCertGroup, // optional | |
| 474 | const CSSM_DL_DB_LIST *dbList, // optional | |
| 475 | CSSM_CL_HANDLE clHand, | |
| 476 | CSSM_CSP_HANDLE cspHand, | |
| 477 | const char *verifyString, // optional, for establishing | |
| 478 | // validity of new TPCertInfos | |
| 479 | /* trusted anchors, optional */ | |
| 480 | /* FIXME - maybe this should be a TPCertGroup */ | |
| 481 | uint32 numAnchorCerts, | |
| 482 | const CSSM_DATA *anchorCerts, | |
| 4d3cab3d A |
483 | |
| 484 | /* | |
| b1ab9ed8 A |
485 | * Certs to be freed by caller (i.e., TPCertInfo which we allocate |
| 486 | * as a result of using a cert from anchorCerts or dbList) are added | |
| 487 | * to this group. | |
| 488 | */ | |
| 489 | TPCertGroup &certsToBeFreed, | |
| 4d3cab3d | 490 | |
| b1ab9ed8 A |
491 | /* |
| 492 | * Other certificates gathered during the course of this operation, | |
| 493 | * currently consisting of certs fetched from DBs and from the net. | |
| 494 | * This is not used when called by AppleTPSession::CertGroupConstructPriv; | |
| 495 | * it's an optimization for the case when we're building a cert group | |
| 496 | * for TPCrlInfo::verifyWithContext - we avoid re-fetching certs from | |
| 497 | * the net which are needed to verify both the subject cert and a CRL. | |
| 498 | */ | |
| 499 | TPCertGroup *gatheredCerts, | |
| 4d3cab3d | 500 | |
| b1ab9ed8 A |
501 | /* |
| 502 | * Indicates that subjectItem is a cert in this cert group. | |
| 4d3cab3d | 503 | * If true, that cert will be tested for "root-ness", including |
| b1ab9ed8 A |
504 | * -- subject/issuer compare |
| 505 | * -- signature self-verify | |
| 506 | * -- anchor compare | |
| 507 | */ | |
| 508 | CSSM_BOOL subjectIsInGroup, | |
| 4d3cab3d A |
509 | |
| 510 | /* currently, only CSSM_TP_ACTION_FETCH_CERT_FROM_NET and | |
| b1ab9ed8 A |
511 | * CSSM_TP_ACTION_TRUST_SETTINGS are interesting */ |
| 512 | CSSM_APPLE_TP_ACTION_FLAGS actionFlags, | |
| 4d3cab3d | 513 | |
| b1ab9ed8 A |
514 | /* CSSM_TP_ACTION_TRUST_SETTINGS parameters */ |
| 515 | const CSSM_OID *policyOid, | |
| 516 | const char *policyStr, | |
| 517 | uint32 policyStrLen, | |
| 518 | SecTrustSettingsKeyUsage leafKeyUse, | |
| 519 | ||
| 520 | /* returned */ | |
| 521 | CSSM_BOOL &verifiedToRoot, // end of chain self-verifies | |
| 522 | CSSM_BOOL &verifiedToAnchor, // end of chain in anchors | |
| 523 | CSSM_BOOL &verifiedViaTrustSettings); // chain ends per User Trust setting | |
| 4d3cab3d | 524 | |
| b1ab9ed8 A |
525 | /* add/remove/access TPTCertInfo's. */ |
| 526 | void appendCert( | |
| 527 | TPCertInfo *certInfo); // appends to end of mCertInfo | |
| 528 | TPCertInfo *certAtIndex( | |
| 529 | unsigned index); | |
| 530 | TPCertInfo *removeCertAtIndex( | |
| 4d3cab3d | 531 | unsigned index); // doesn't delete the cert, just |
| b1ab9ed8 | 532 | // removes it from our list |
| 4d3cab3d | 533 | unsigned numCerts() const // how many do we have? |
| b1ab9ed8 | 534 | { return mNumCerts; } |
| 4d3cab3d A |
535 | |
| 536 | /* | |
| b1ab9ed8 A |
537 | * Convenience accessors for first and last cert, only valid when we have |
| 538 | * at least one cert. | |
| 539 | */ | |
| 540 | TPCertInfo *firstCert(); | |
| 541 | TPCertInfo *lastCert(); | |
| 4d3cab3d | 542 | |
| b1ab9ed8 A |
543 | /* build a CSSM_CERTGROUP corresponding with our mCertInfo */ |
| 544 | CSSM_CERTGROUP_PTR buildCssmCertGroup(); | |
| 545 | ||
| 546 | /* build a CSSM_TP_APPLE_EVIDENCE_INFO array corresponding with our | |
| 547 | * mCertInfo */ | |
| 548 | CSSM_TP_APPLE_EVIDENCE_INFO *buildCssmEvidenceInfo(); | |
| 4d3cab3d | 549 | |
| b1ab9ed8 A |
550 | /* Given a status for basic construction of a cert group and a status |
| 551 | * of (optional) policy verification, plus the implicit notBefore/notAfter | |
| 4d3cab3d | 552 | * status in the certs, calculate a global return code. This just |
| b1ab9ed8 A |
553 | * encapsulates a policy for CertGroupConstruct and CertGroupVerify. |
| 554 | */ | |
| 555 | CSSM_RETURN getReturnCode( | |
| 556 | CSSM_RETURN constructStatus, | |
| 557 | CSSM_RETURN policyStatus, | |
| 558 | CSSM_APPLE_TP_ACTION_FLAGS actionFlags); | |
| 4d3cab3d | 559 | |
| b1ab9ed8 A |
560 | Allocator |
| 561 | &alloc() {return mAlloc; } | |
| 4d3cab3d | 562 | |
| b1ab9ed8 A |
563 | /* set all TPCertInfo.mUsed flags false */ |
| 564 | void setAllUnused(); | |
| 565 | ||
| 566 | /* free records obtained from DBs */ | |
| 567 | void freeDbRecords(); | |
| 568 | ||
| 4d3cab3d | 569 | /* |
| b1ab9ed8 A |
570 | * See if the specified error status is allowed (return true) or |
| 571 | * fatal (return false) per each cert's mAllowedErrs[]. Returns | |
| 4d3cab3d | 572 | * true if any cert returns false for its isStatusFatal() call. |
| b1ab9ed8 A |
573 | * The list of errors which can apply to cert-chain-wide allowedErrors |
| 574 | * is right here; if the incoming error is not in that list, we | |
| 575 | * return false. If the incoming error code is CSSM_OK we return | |
| 4d3cab3d | 576 | * true as a convenience for our callers. |
| b1ab9ed8 A |
577 | */ |
| 578 | bool isAllowedError( | |
| 579 | CSSM_RETURN code); | |
| 4d3cab3d A |
580 | |
| 581 | /* | |
| b1ab9ed8 A |
582 | * Determine if we already have the specified cert in this group. |
| 583 | */ | |
| 584 | bool isInGroup(TPCertInfo &certInfo); | |
| 585 | ||
| 586 | /* | |
| 587 | * Given a constructed cert group, encode all the issuers | |
| 588 | * (i.e. chain minus the leaf, unless numCerts() is 1) as a PEM data blob. | |
| 589 | * Caller is responsible for freeing the data. | |
| 590 | */ | |
| 591 | void encodeIssuers(CSSM_DATA &issuers); | |
| 4d3cab3d | 592 | |
| b1ab9ed8 | 593 | private: |
| 4d3cab3d A |
594 | |
| 595 | /* | |
| 596 | * Search unused incoming certs to find an issuer of specified | |
| b1ab9ed8 | 597 | * cert or CRL. |
| 4d3cab3d | 598 | * WARNING this assumes a valied "used" state for all certs |
| b1ab9ed8 A |
599 | * in this group. |
| 600 | * If partialIssuerKey is true on return, caller must re-verify signature | |
| 4d3cab3d A |
601 | * of subject later when sufficient info is available. |
| 602 | */ | |
| b1ab9ed8 A |
603 | TPCertInfo *findIssuerForCertOrCrl( |
| 604 | const TPClItemInfo &subject, | |
| 605 | bool &partialIssuerKey); | |
| 606 | ||
| 4d3cab3d | 607 | /* |
| b1ab9ed8 A |
608 | * Called from buildCertGroup as final processing of a constructed |
| 609 | * group when CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE has been | |
| 610 | * detected. Perform partial public key processing. | |
| 611 | * Returns: | |
| 612 | * CSSMERR_TP_CERTIFICATE_CANT_OPERATE - can't complete partial key | |
| 4d3cab3d | 613 | * CSSMERR_TP_INVALID_CERT_AUTHORITY - sig verify failed with |
| b1ab9ed8 A |
614 | * (supposedly) completed partial key |
| 615 | */ | |
| 616 | CSSM_RETURN verifyWithPartialKeys( | |
| 617 | const TPClItemInfo &subjectItem); // Cert or CRL | |
| 4d3cab3d | 618 | |
| b1ab9ed8 A |
619 | Allocator &mAlloc; |
| 620 | TPCertInfo **mCertInfo; // just an array of pointers | |
| 621 | unsigned mNumCerts; // valid certs in certInfo | |
| 622 | unsigned mSizeofCertInfo; // mallocd space in certInfo | |
| 4d3cab3d | 623 | TPGroupOwner mWhoOwns; // if TGO_Group, we delete certs |
| b1ab9ed8 A |
624 | // upon destruction |
| 625 | }; | |
| 626 | #endif /* _TP_CERT_INFO_H_ */ |