[apple/security.git] / OSX / libsecurity_apple_x509_tp / lib / TPDatabase.cpp

/*
 * Copyright (c) 2002-2009,2011-2012,2014 Apple Inc. All Rights Reserved.
 *
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 *
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


/*
 * TPDatabase.cpp - TP's DL/DB access functions.
 *
 */

#include <Security/cssmtype.h>
#include <Security/cssmapi.h>
#include <security_cdsa_utilities/Schema.h>		/* private API */
#include <security_keychain/TrustKeychains.h>	/* private SecTrustKeychainsGetMutex() */
#include <Security/SecCertificatePriv.h>		/* private SecInferLabelFromX509Name() */
#include <Security/oidscert.h>
#include "TPDatabase.h"
#include "tpdebugging.h"
#include "certGroupUtils.h"
#include "TPCertInfo.h"
#include "TPCrlInfo.h"
#include "tpCrlVerify.h"
#include "tpTime.h"


/*
 * Given a DL/DB, look up cert by subject name. Subsequent
 * certs can be found using the returned result handle.
 */
static CSSM_DB_UNIQUE_RECORD_PTR tpCertLookup(
	CSSM_DL_DB_HANDLE	dlDb,
	const CSSM_DATA		*subjectName,	// DER-encoded
	CSSM_HANDLE_PTR		resultHand,		// RETURNED
	CSSM_DATA_PTR		cert)			// RETURNED
{
	CSSM_QUERY						query;
	CSSM_SELECTION_PREDICATE		predicate;
	CSSM_DB_UNIQUE_RECORD_PTR		record = NULL;

	cert->Data = NULL;
	cert->Length = 0;

	/* SWAG until cert schema nailed down */
	predicate.DbOperator = CSSM_DB_EQUAL;
	predicate.Attribute.Info.AttributeNameFormat =
		CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
	predicate.Attribute.Info.Label.AttributeName = (char*) "Subject";
	predicate.Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
	predicate.Attribute.Value = const_cast<CSSM_DATA_PTR>(subjectName);
	predicate.Attribute.NumberOfValues = 1;

	query.RecordType = CSSM_DL_DB_RECORD_X509_CERTIFICATE;
	query.Conjunctive = CSSM_DB_NONE;
	query.NumSelectionPredicates = 1;
	query.SelectionPredicate = &predicate;
	query.QueryLimits.TimeLimit = 0;	// FIXME - meaningful?
	query.QueryLimits.SizeLimit = 1;	// FIXME - meaningful?
	query.QueryFlags = 0;				// FIXME - used?

	CSSM_DL_DataGetFirst(dlDb,
		&query,
		resultHand,
		NULL,				// don't fetch attributes
		cert,
		&record);

	return record;
}

/*
 * Search a list of DBs for a cert which verifies specified subject item.
 * Just a boolean return - we found it, or not. If we did, we return
 * TPCertInfo associated with the raw cert.
 * A true partialIssuerKey on return indicates that caller must deal
 * with partial public key processing later.
 * If verifyCurrent is true, we will not return a cert which is not
 * temporally valid; else we may well do so.
 */
TPCertInfo *tpDbFindIssuerCert(
	Allocator				&alloc,
	CSSM_CL_HANDLE			clHand,
	CSSM_CSP_HANDLE			cspHand,
	const TPClItemInfo		*subjectItem,
	const CSSM_DL_DB_LIST	*dbList,
	const char 				*verifyTime,		// may be NULL
	bool					&partialIssuerKey,	// RETURNED
    TPCertInfo              *oldRoot)
{
	StLock<Mutex> _(SecTrustKeychainsGetMutex());

	uint32						dbDex;
	CSSM_HANDLE					resultHand;
	CSSM_DATA					cert;
	CSSM_DL_DB_HANDLE			dlDb;
	CSSM_DB_UNIQUE_RECORD_PTR	record;
	TPCertInfo 					*issuerCert = NULL;
	bool 						foundIt;
	TPCertInfo					*expiredIssuer = NULL;
	TPCertInfo					*nonRootIssuer = NULL;

	partialIssuerKey = false;
	if(dbList == NULL) {
		return NULL;
	}
	for(dbDex=0; dbDex<dbList->NumHandles; dbDex++) {
		dlDb = dbList->DLDBHandle[dbDex];
		cert.Data = NULL;
		cert.Length = 0;
		resultHand = 0;
		record = tpCertLookup(dlDb,
			subjectItem->issuerName(),
			&resultHand,
			&cert);
		/* remember we have to:
		 * -- abort this query regardless, and
		 * -- free the CSSM_DATA cert regardless, and
		 * -- free the unique record if we don't use it
		 *    (by placing it in issuerCert)...
		 */
		if(record != NULL) {
			/* Found one */
			assert(cert.Data != NULL);
			tpDbDebug("tpDbFindIssuerCert: found cert record (1) %p", record);
			issuerCert = NULL;
			CSSM_RETURN crtn = CSSM_OK;
			try {
				issuerCert = new TPCertInfo(clHand, cspHand, &cert, TIC_CopyData, verifyTime);
			}
			catch(...) {
				crtn = CSSMERR_TP_INVALID_CERTIFICATE;
			}

			/* we're done with raw cert data */
			tpFreePluginMemory(dlDb.DLHandle, cert.Data);
			cert.Data = NULL;
			cert.Length = 0;

			/* Does it verify the subject cert? */
			if(crtn == CSSM_OK) {
				crtn = subjectItem->verifyWithIssuer(issuerCert);
			}

			/*
			 * Handle temporal invalidity - if so and this is the first one
			 * we've seen, hold on to it while we search for better one.
			 */
			if((crtn == CSSM_OK) && (expiredIssuer == NULL)) {
				if(issuerCert->isExpired() || issuerCert->isNotValidYet()) {
					/*
					 * Exact value not important here, this just uniquely identifies
					 * this situation in the switch below.
					 */
					tpDbDebug("tpDbFindIssuerCert: holding expired cert (1)");
					crtn = CSSM_CERT_STATUS_EXPIRED;
					expiredIssuer = issuerCert;
					expiredIssuer->dlDbHandle(dlDb);
					expiredIssuer->uniqueRecord(record);
				}
			}
			/*
			 * Prefer a root over an intermediate issuer if we can get one
			 * (in case a cross-signed intermediate and root are both available)
			 */
			if((crtn == CSSM_OK) && (nonRootIssuer == NULL)) {
				if(!issuerCert->isSelfSigned()) {
					/*
					 * Exact value not important here, this just uniquely identifies
					 * this situation in the switch below.
					 */
					tpDbDebug("tpDbFindIssuerCert: holding non-root cert (1)");
					crtn = CSSM_CERT_STATUS_IS_ROOT;
					nonRootIssuer = issuerCert;
					nonRootIssuer->dlDbHandle(dlDb);
					nonRootIssuer->uniqueRecord(record);
				}
			}
			switch(crtn) {
				case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
					partialIssuerKey = true;
					break;
                case CSSM_OK:
                    if((oldRoot == NULL) ||
                       !tp_CompareCerts(issuerCert->itemData(), oldRoot->itemData())) {
                        /* We found a new root cert which does not match the old one */
                        break;
                    }
                    /* else fall through to search for a different one */
				default:
					if(issuerCert != NULL) {
						/* either holding onto this cert, or done with it. */
						if(crtn != CSSM_CERT_STATUS_EXPIRED &&
						   crtn != CSSM_CERT_STATUS_IS_ROOT) {
							delete issuerCert;
							CSSM_DL_FreeUniqueRecord(dlDb, record);
						}
						issuerCert = NULL;
					}

					/*
					 * Continue searching this DB. Break on finding the holy
					 * grail or no more records found.
					 */
					for(;;) {
						cert.Data = NULL;
						cert.Length = 0;
						record = NULL;
						CSSM_RETURN crtn = CSSM_DL_DataGetNext(dlDb,
							resultHand,
							NULL,		// no attrs
							&cert,
							&record);
						if(crtn) {
							/* no more, done with this DB */
							assert(cert.Data == NULL);
							break;
						}
						assert(cert.Data != NULL);
						tpDbDebug("tpDbFindIssuerCert: found cert record (2) %p", record);

						/* found one - does it verify subject? */
						try {
							issuerCert = new TPCertInfo(clHand, cspHand, &cert, TIC_CopyData,
									verifyTime);
						}
						catch(...) {
							crtn = CSSMERR_TP_INVALID_CERTIFICATE;
						}
						/* we're done with raw cert data */
						tpFreePluginMemory(dlDb.DLHandle, cert.Data);
						cert.Data = NULL;
						cert.Length = 0;

						if(crtn == CSSM_OK) {
							crtn = subjectItem->verifyWithIssuer(issuerCert);
						}

						/* temporal validity check, again */
						if((crtn == CSSM_OK) && (expiredIssuer == NULL)) {
							if(issuerCert->isExpired() || issuerCert->isNotValidYet()) {
								tpDbDebug("tpDbFindIssuerCert: holding expired cert (2)");
								crtn = CSSM_CERT_STATUS_EXPIRED;
								expiredIssuer = issuerCert;
								expiredIssuer->dlDbHandle(dlDb);
								expiredIssuer->uniqueRecord(record);
							}
						}
						/* self-signed check, again */
						if((crtn == CSSM_OK) && (nonRootIssuer == NULL)) {
							if(!issuerCert->isSelfSigned()) {
								tpDbDebug("tpDbFindIssuerCert: holding non-root cert (2)");
								crtn = CSSM_CERT_STATUS_IS_ROOT;
								nonRootIssuer = issuerCert;
								nonRootIssuer->dlDbHandle(dlDb);
								nonRootIssuer->uniqueRecord(record);
							}
						}

						foundIt = false;
						switch(crtn) {
							case CSSM_OK:
                                /* duplicate check, again */
                                if((oldRoot == NULL) ||
                                   !tp_CompareCerts(issuerCert->itemData(), oldRoot->itemData())) {
                                    foundIt = true;
                                }
                                break;
							case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
								partialIssuerKey = true;
								foundIt = true;
								break;
							default:
								break;
						}
						if(foundIt) {
							/* yes! */
							break;
						}
						if(issuerCert != NULL) {
							/* either holding onto this cert, or done with it. */
							if(crtn != CSSM_CERT_STATUS_EXPIRED &&
							   crtn != CSSM_CERT_STATUS_IS_ROOT) {
								delete issuerCert;
								CSSM_DL_FreeUniqueRecord(dlDb, record);
							}
							issuerCert = NULL;
						}
					} /* searching subsequent records */
			}	/* switch verify */

			if(record != NULL) {
				/* NULL record --> end of search --> DB auto-aborted */
				crtn = CSSM_DL_DataAbortQuery(dlDb, resultHand);
				assert(crtn == CSSM_OK);
			}
			if(issuerCert != NULL) {
				/* successful return */
				tpDbDebug("tpDbFindIssuer: returning record %p", record);
				issuerCert->dlDbHandle(dlDb);
				issuerCert->uniqueRecord(record);
				if(expiredIssuer != NULL) {
					/* We found a replacement */
					tpDbDebug("tpDbFindIssuer: discarding expired cert");
					expiredIssuer->freeUniqueRecord();
					delete expiredIssuer;
				}
				/* Avoid deleting the non-root cert if same as expired cert */
				if(nonRootIssuer != NULL && nonRootIssuer != expiredIssuer) {
					/* We found a replacement */
					tpDbDebug("tpDbFindIssuer: discarding non-root cert");
					nonRootIssuer->freeUniqueRecord();
					delete nonRootIssuer;
				}
				return issuerCert;
			}
		}	/* tpCertLookup, i.e., CSSM_DL_DataGetFirst, succeeded */
		else {
			assert(cert.Data == NULL);
			assert(resultHand == 0);
		}
	}	/* main loop searching dbList */

	if(nonRootIssuer != NULL) {
		/* didn't find root issuer, so use this one */
		tpDbDebug("tpDbFindIssuer: taking non-root issuer cert, record %p",
			nonRootIssuer->uniqueRecord());
		if(expiredIssuer != NULL && expiredIssuer != nonRootIssuer) {
			expiredIssuer->freeUniqueRecord();
			delete expiredIssuer;
		}
		return nonRootIssuer;
	}

	if(expiredIssuer != NULL) {
		/* OK, we'll take this one */
		tpDbDebug("tpDbFindIssuer: taking expired cert after all, record %p",
			expiredIssuer->uniqueRecord());
		return expiredIssuer;
	}
	/* issuer not found */
	return NULL;
}

/*
 * Given a DL/DB, look up CRL by issuer name and validity time.
 * Subsequent CRLs can be found using the returned result handle.
 */
#define SEARCH_BY_DATE		1

static CSSM_DB_UNIQUE_RECORD_PTR tpCrlLookup(
	CSSM_DL_DB_HANDLE	dlDb,
	const CSSM_DATA		*issuerName,	// DER-encoded
	CSSM_TIMESTRING 	verifyTime,		// may be NULL, implies "now"
	CSSM_HANDLE_PTR		resultHand,		// RETURNED
	CSSM_DATA_PTR		crl)			// RETURNED
{
	CSSM_QUERY						query;
	CSSM_SELECTION_PREDICATE		pred[3];
	CSSM_DB_UNIQUE_RECORD_PTR		record = NULL;
	char							timeStr[CSSM_TIME_STRLEN + 1];

	crl->Data = NULL;
	crl->Length = 0;

	/* Three predicates...first, the issuer name */
	pred[0].DbOperator = CSSM_DB_EQUAL;
	pred[0].Attribute.Info.AttributeNameFormat =
		CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
	pred[0].Attribute.Info.Label.AttributeName = (char*) "Issuer";
	pred[0].Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
	pred[0].Attribute.Value = const_cast<CSSM_DATA_PTR>(issuerName);
	pred[0].Attribute.NumberOfValues = 1;

	/* now before/after. Cook up an appropriate time string. */
	if(verifyTime != NULL) {
		/* Caller spec'd tolerate any format */
		int rtn = tpTimeToCssmTimestring(verifyTime, (unsigned)strlen(verifyTime), timeStr);
		if(rtn) {
			tpErrorLog("tpCrlLookup: Invalid VerifyTime string\n");
			return NULL;
		}
	}
	else {
		/* right now */
		StLock<Mutex> _(tpTimeLock());
		timeAtNowPlus(0, TIME_CSSM, timeStr);
	}
	CSSM_DATA timeData;
	timeData.Data = (uint8 *)timeStr;
	timeData.Length = CSSM_TIME_STRLEN;

	#if SEARCH_BY_DATE
	pred[1].DbOperator = CSSM_DB_LESS_THAN;
	pred[1].Attribute.Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
	pred[1].Attribute.Info.Label.AttributeName = (char*) "NextUpdate";
	pred[1].Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
	pred[1].Attribute.Value = &timeData;
	pred[1].Attribute.NumberOfValues = 1;

	pred[2].DbOperator = CSSM_DB_GREATER_THAN;
	pred[2].Attribute.Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
	pred[2].Attribute.Info.Label.AttributeName = (char*) "ThisUpdate";
	pred[2].Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
	pred[2].Attribute.Value = &timeData;
	pred[2].Attribute.NumberOfValues = 1;
	#endif

	query.RecordType = CSSM_DL_DB_RECORD_X509_CRL;
	query.Conjunctive = CSSM_DB_AND;
	#if SEARCH_BY_DATE
	query.NumSelectionPredicates = 3;
	#else
	query.NumSelectionPredicates = 1;
	#endif
	query.SelectionPredicate = pred;
	query.QueryLimits.TimeLimit = 0;	// FIXME - meaningful?
	query.QueryLimits.SizeLimit = 1;	// FIXME - meaningful?
	query.QueryFlags = 0;				// FIXME - used?

	CSSM_DL_DataGetFirst(dlDb,
		&query,
		resultHand,
		NULL,				// don't fetch attributes
		crl,
		&record);
	return record;
}

/*
 * Search a list of DBs for a CRL from the specified issuer and (optional)
 * TPVerifyContext.verifyTime.
 * Just a boolean return - we found it, or not. If we did, we return a
 * TPCrlInfo which has been verified with the specified TPVerifyContext.
 */
TPCrlInfo *tpDbFindIssuerCrl(
	TPVerifyContext		&vfyCtx,
	const CSSM_DATA		&issuer,
	TPCertInfo			&forCert)
{
	StLock<Mutex> _(SecTrustKeychainsGetMutex());

	uint32						dbDex;
	CSSM_HANDLE					resultHand;
	CSSM_DATA					crl;
	CSSM_DL_DB_HANDLE			dlDb;
	CSSM_DB_UNIQUE_RECORD_PTR	record;
	TPCrlInfo 					*issuerCrl = NULL;
	CSSM_DL_DB_LIST_PTR 		dbList = vfyCtx.dbList;
	CSSM_RETURN					crtn;

	if(dbList == NULL) {
		return NULL;
	}
	for(dbDex=0; dbDex<dbList->NumHandles; dbDex++) {
		dlDb = dbList->DLDBHandle[dbDex];
		crl.Data = NULL;
		crl.Length = 0;
		record = tpCrlLookup(dlDb,
			&issuer,
			vfyCtx.verifyTime,
			&resultHand,
			&crl);
		/* remember we have to:
		 * -- abort this query regardless, and
		 * -- free the CSSM_DATA crl regardless, and
		 * -- free the unique record if we don't use it
		 *    (by placing it in issuerCert)...
		 */
		if(record != NULL) {
			/* Found one */
			assert(crl.Data != NULL);
			issuerCrl = new TPCrlInfo(vfyCtx.clHand,
				vfyCtx.cspHand,
				&crl,
				TIC_CopyData,
				vfyCtx.verifyTime);
			/* we're done with raw CRL data */
			/* FIXME this assumes that vfyCtx.alloc is the same as the
			 * allocator associated with DlDB...OK? */
			tpFreeCssmData(vfyCtx.alloc, &crl, CSSM_FALSE);
			crl.Data = NULL;
			crl.Length = 0;

			/* and we're done with the record */
			CSSM_DL_FreeUniqueRecord(dlDb, record);

			/* Does it verify with specified context? */
			crtn = issuerCrl->verifyWithContextNow(vfyCtx, &forCert);
			if(crtn) {

				delete issuerCrl;
				issuerCrl = NULL;

				/*
				 * Verify fail. Continue searching this DB. Break on
				 * finding the holy grail or no more records found.
				 */
				for(;;) {
					crl.Data = NULL;
					crl.Length = 0;
					crtn = CSSM_DL_DataGetNext(dlDb,
						resultHand,
						NULL,		// no attrs
						&crl,
						&record);
					if(crtn) {
						/* no more, done with this DB */
						assert(crl.Data == NULL);
						break;
					}
					assert(crl.Data != NULL);

					/* found one - is it any good? */
					issuerCrl = new TPCrlInfo(vfyCtx.clHand,
						vfyCtx.cspHand,
						&crl,
						TIC_CopyData,
						vfyCtx.verifyTime);
					/* we're done with raw CRL data */
					/* FIXME this assumes that vfyCtx.alloc is the same as the
					* allocator associated with DlDB...OK? */
					tpFreeCssmData(vfyCtx.alloc, &crl, CSSM_FALSE);
					crl.Data = NULL;
					crl.Length = 0;

					CSSM_DL_FreeUniqueRecord(dlDb, record);

					crtn = issuerCrl->verifyWithContextNow(vfyCtx, &forCert);
					if(crtn == CSSM_OK) {
						/* yes! */
						break;
					}
					delete issuerCrl;
					issuerCrl = NULL;
				} /* searching subsequent records */
			}	/* verify fail */
			/* else success! */

			if(issuerCrl != NULL) {
				/* successful return */
				CSSM_DL_DataAbortQuery(dlDb, resultHand);
				tpDebug("tpDbFindIssuerCrl: found CRL record %p", record);
				return issuerCrl;
			}
		}	/* tpCrlLookup, i.e., CSSM_DL_DataGetFirst, succeeded */
		else {
			assert(crl.Data == NULL);
		}
		/* in any case, abort the query for this db */
		CSSM_DL_DataAbortQuery(dlDb, resultHand);

	}	/* main loop searching dbList */

	/* issuer not found */
	return NULL;
}
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd A	2	* Copyright (c) 2002-2009,2011-2012,2014 Apple Inc. All Rights Reserved.
d8f41ccd A	3	*
b1ab9ed8 A	4	* The contents of this file constitute Original Code as defined in and are
	5	* subject to the Apple Public Source License Version 1.2 (the 'License').
	6	* You may not use this file except in compliance with the License. Please obtain
	7	* a copy of the License at http://www.apple.com/publicsource and read it before
	8	* using this file.
d8f41ccd	9	*
b1ab9ed8 A	10	* This Original Code and all software distributed under the License are
	11	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
	12	* OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
	13	* LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
	14	* PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
	15	* specific language governing rights and limitations under the License.
	16	*/
	17
	18
	19	/*
	20	* TPDatabase.cpp - TP's DL/DB access functions.
	21	*
b1ab9ed8 A	22	*/
	23
	24	#include <Security/cssmtype.h>
d8f41ccd	25	#include <Security/cssmapi.h>
b1ab9ed8 A	26	#include <security_cdsa_utilities/Schema.h> /* private API */
	27	#include <security_keychain/TrustKeychains.h> /* private SecTrustKeychainsGetMutex() */
	28	#include <Security/SecCertificatePriv.h> /* private SecInferLabelFromX509Name() */
	29	#include <Security/oidscert.h>
	30	#include "TPDatabase.h"
	31	#include "tpdebugging.h"
	32	#include "certGroupUtils.h"
	33	#include "TPCertInfo.h"
	34	#include "TPCrlInfo.h"
	35	#include "tpCrlVerify.h"
	36	#include "tpTime.h"
	37
	38
	39	/*
	40	* Given a DL/DB, look up cert by subject name. Subsequent
	41	* certs can be found using the returned result handle.
	42	*/
	43	static CSSM_DB_UNIQUE_RECORD_PTR tpCertLookup(
	44	CSSM_DL_DB_HANDLE dlDb,
	45	const CSSM_DATA *subjectName, // DER-encoded
	46	CSSM_HANDLE_PTR resultHand, // RETURNED
	47	CSSM_DATA_PTR cert) // RETURNED
	48	{
	49	CSSM_QUERY query;
d8f41ccd	50	CSSM_SELECTION_PREDICATE predicate;
b1ab9ed8	51	CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
d8f41ccd	52
b1ab9ed8 A	53	cert->Data = NULL;
b1ab9ed8 A	54	cert->Length = 0;
d8f41ccd	55
b1ab9ed8 A	56	/* SWAG until cert schema nailed down */
b1ab9ed8 A	57	predicate.DbOperator = CSSM_DB_EQUAL;
d8f41ccd	58	predicate.Attribute.Info.AttributeNameFormat =
b1ab9ed8 A	59	CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
	60	predicate.Attribute.Info.Label.AttributeName = (char*) "Subject";
	61	predicate.Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
	62	predicate.Attribute.Value = const_cast<CSSM_DATA_PTR>(subjectName);
	63	predicate.Attribute.NumberOfValues = 1;
d8f41ccd	64
b1ab9ed8 A	65	query.RecordType = CSSM_DL_DB_RECORD_X509_CERTIFICATE;
	66	query.Conjunctive = CSSM_DB_NONE;
	67	query.NumSelectionPredicates = 1;
	68	query.SelectionPredicate = &predicate;
	69	query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
	70	query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
	71	query.QueryFlags = 0; // FIXME - used?
d8f41ccd	72
b1ab9ed8 A	73	CSSM_DL_DataGetFirst(dlDb,
	74	&query,
	75	resultHand,
	76	NULL, // don't fetch attributes
	77	cert,
	78	&record);
	79
	80	return record;
	81	}
	82
	83	/*
d8f41ccd	84	* Search a list of DBs for a cert which verifies specified subject item.
b1ab9ed8	85	* Just a boolean return - we found it, or not. If we did, we return
d8f41ccd	86	* TPCertInfo associated with the raw cert.
b1ab9ed8	87	* A true partialIssuerKey on return indicates that caller must deal
d8f41ccd	88	* with partial public key processing later.
b1ab9ed8	89	* If verifyCurrent is true, we will not return a cert which is not
d8f41ccd	90	* temporally valid; else we may well do so.
b1ab9ed8 A	91	*/
	92	TPCertInfo *tpDbFindIssuerCert(
	93	Allocator &alloc,
	94	CSSM_CL_HANDLE clHand,
	95	CSSM_CSP_HANDLE cspHand,
	96	const TPClItemInfo *subjectItem,
	97	const CSSM_DL_DB_LIST *dbList,
	98	const char *verifyTime, // may be NULL
60c433a9 A	99	bool &partialIssuerKey, // RETURNED
60c433a9 A	100	TPCertInfo *oldRoot)
b1ab9ed8 A	101	{
	102	StLock<Mutex> _(SecTrustKeychainsGetMutex());
	103
	104	uint32 dbDex;
	105	CSSM_HANDLE resultHand;
d8f41ccd	106	CSSM_DATA cert;
b1ab9ed8 A	107	CSSM_DL_DB_HANDLE dlDb;
	108	CSSM_DB_UNIQUE_RECORD_PTR record;
	109	TPCertInfo *issuerCert = NULL;
	110	bool foundIt;
	111	TPCertInfo *expiredIssuer = NULL;
d8f41ccd A	112	TPCertInfo *nonRootIssuer = NULL;
d8f41ccd A	113
b1ab9ed8 A	114	partialIssuerKey = false;
	115	if(dbList == NULL) {
	116	return NULL;
	117	}
	118	for(dbDex=0; dbDex<dbList->NumHandles; dbDex++) {
	119	dlDb = dbList->DLDBHandle[dbDex];
	120	cert.Data = NULL;
	121	cert.Length = 0;
	122	resultHand = 0;
	123	record = tpCertLookup(dlDb,
	124	subjectItem->issuerName(),
	125	&resultHand,
	126	&cert);
d8f41ccd A	127	/* remember we have to:
	128	* -- abort this query regardless, and
	129	* -- free the CSSM_DATA cert regardless, and
	130	* -- free the unique record if we don't use it
b1ab9ed8 A	131	* (by placing it in issuerCert)...
	132	*/
	133	if(record != NULL) {
	134	/* Found one */
	135	assert(cert.Data != NULL);
d8f41ccd	136	tpDbDebug("tpDbFindIssuerCert: found cert record (1) %p", record);
b1ab9ed8 A	137	issuerCert = NULL;
	138	CSSM_RETURN crtn = CSSM_OK;
	139	try {
	140	issuerCert = new TPCertInfo(clHand, cspHand, &cert, TIC_CopyData, verifyTime);
	141	}
	142	catch(...) {
	143	crtn = CSSMERR_TP_INVALID_CERTIFICATE;
	144	}
	145
	146	/* we're done with raw cert data */
	147	tpFreePluginMemory(dlDb.DLHandle, cert.Data);
	148	cert.Data = NULL;
	149	cert.Length = 0;
d8f41ccd	150
b1ab9ed8 A	151	/* Does it verify the subject cert? */
	152	if(crtn == CSSM_OK) {
	153	crtn = subjectItem->verifyWithIssuer(issuerCert);
	154	}
d8f41ccd	155
b1ab9ed8	156	/*
d8f41ccd	157	* Handle temporal invalidity - if so and this is the first one
b1ab9ed8 A	158	* we've seen, hold on to it while we search for better one.
	159	*/
	160	if((crtn == CSSM_OK) && (expiredIssuer == NULL)) {
	161	if(issuerCert->isExpired() \|\| issuerCert->isNotValidYet()) {
d8f41ccd A	162	/*
d8f41ccd A	163	* Exact value not important here, this just uniquely identifies
b1ab9ed8 A	164	* this situation in the switch below.
	165	*/
	166	tpDbDebug("tpDbFindIssuerCert: holding expired cert (1)");
	167	crtn = CSSM_CERT_STATUS_EXPIRED;
	168	expiredIssuer = issuerCert;
	169	expiredIssuer->dlDbHandle(dlDb);
	170	expiredIssuer->uniqueRecord(record);
	171	}
	172	}
d8f41ccd A	173	/*
	174	* Prefer a root over an intermediate issuer if we can get one
	175	* (in case a cross-signed intermediate and root are both available)
	176	*/
	177	if((crtn == CSSM_OK) && (nonRootIssuer == NULL)) {
	178	if(!issuerCert->isSelfSigned()) {
	179	/*
	180	* Exact value not important here, this just uniquely identifies
	181	* this situation in the switch below.
	182	*/
	183	tpDbDebug("tpDbFindIssuerCert: holding non-root cert (1)");
	184	crtn = CSSM_CERT_STATUS_IS_ROOT;
	185	nonRootIssuer = issuerCert;
	186	nonRootIssuer->dlDbHandle(dlDb);
	187	nonRootIssuer->uniqueRecord(record);
	188	}
	189	}
b1ab9ed8	190	switch(crtn) {
b1ab9ed8 A	191	case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
	192	partialIssuerKey = true;
	193	break;
60c433a9 A	194	case CSSM_OK:
	195	if((oldRoot == NULL) \|\|
	196	!tp_CompareCerts(issuerCert->itemData(), oldRoot->itemData())) {
	197	/* We found a new root cert which does not match the old one */
	198	break;
	199	}
	200	/* else fall through to search for a different one */
b1ab9ed8	201	default:
d8f41ccd A	202	if(issuerCert != NULL) {
	203	/* either holding onto this cert, or done with it. */
	204	if(crtn != CSSM_CERT_STATUS_EXPIRED &&
	205	crtn != CSSM_CERT_STATUS_IS_ROOT) {
	206	delete issuerCert;
	207	CSSM_DL_FreeUniqueRecord(dlDb, record);
	208	}
	209	issuerCert = NULL;
b1ab9ed8	210	}
d8f41ccd	211
b1ab9ed8	212	/*
d8f41ccd A	213	* Continue searching this DB. Break on finding the holy
d8f41ccd A	214	* grail or no more records found.
b1ab9ed8 A	215	*/
	216	for(;;) {
	217	cert.Data = NULL;
	218	cert.Length = 0;
	219	record = NULL;
d8f41ccd	220	CSSM_RETURN crtn = CSSM_DL_DataGetNext(dlDb,
b1ab9ed8	221	resultHand,
d8f41ccd	222	NULL, // no attrs
b1ab9ed8 A	223	&cert,
	224	&record);
	225	if(crtn) {
	226	/* no more, done with this DB */
	227	assert(cert.Data == NULL);
	228	break;
	229	}
	230	assert(cert.Data != NULL);
d8f41ccd A	231	tpDbDebug("tpDbFindIssuerCert: found cert record (2) %p", record);
d8f41ccd A	232
b1ab9ed8 A	233	/* found one - does it verify subject? */
b1ab9ed8 A	234	try {
d8f41ccd	235	issuerCert = new TPCertInfo(clHand, cspHand, &cert, TIC_CopyData,
b1ab9ed8 A	236	verifyTime);
	237	}
	238	catch(...) {
	239	crtn = CSSMERR_TP_INVALID_CERTIFICATE;
	240	}
	241	/* we're done with raw cert data */
	242	tpFreePluginMemory(dlDb.DLHandle, cert.Data);
	243	cert.Data = NULL;
	244	cert.Length = 0;
d8f41ccd	245
b1ab9ed8 A	246	if(crtn == CSSM_OK) {
	247	crtn = subjectItem->verifyWithIssuer(issuerCert);
	248	}
	249
	250	/* temporal validity check, again */
	251	if((crtn == CSSM_OK) && (expiredIssuer == NULL)) {
	252	if(issuerCert->isExpired() \|\| issuerCert->isNotValidYet()) {
	253	tpDbDebug("tpDbFindIssuerCert: holding expired cert (2)");
	254	crtn = CSSM_CERT_STATUS_EXPIRED;
	255	expiredIssuer = issuerCert;
	256	expiredIssuer->dlDbHandle(dlDb);
	257	expiredIssuer->uniqueRecord(record);
	258	}
	259	}
d8f41ccd A	260	/* self-signed check, again */
	261	if((crtn == CSSM_OK) && (nonRootIssuer == NULL)) {
	262	if(!issuerCert->isSelfSigned()) {
	263	tpDbDebug("tpDbFindIssuerCert: holding non-root cert (2)");
	264	crtn = CSSM_CERT_STATUS_IS_ROOT;
	265	nonRootIssuer = issuerCert;
	266	nonRootIssuer->dlDbHandle(dlDb);
	267	nonRootIssuer->uniqueRecord(record);
	268	}
	269	}
b1ab9ed8 A	270
	271	foundIt = false;
	272	switch(crtn) {
	273	case CSSM_OK:
60c433a9 A	274	/* duplicate check, again */
	275	if((oldRoot == NULL) \|\|
	276	!tp_CompareCerts(issuerCert->itemData(), oldRoot->itemData())) {
	277	foundIt = true;
	278	}
	279	break;
b1ab9ed8 A	280	case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
	281	partialIssuerKey = true;
	282	foundIt = true;
	283	break;
	284	default:
	285	break;
	286	}
	287	if(foundIt) {
	288	/* yes! */
	289	break;
	290	}
d8f41ccd A	291	if(issuerCert != NULL) {
	292	/* either holding onto this cert, or done with it. */
	293	if(crtn != CSSM_CERT_STATUS_EXPIRED &&
	294	crtn != CSSM_CERT_STATUS_IS_ROOT) {
	295	delete issuerCert;
	296	CSSM_DL_FreeUniqueRecord(dlDb, record);
	297	}
	298	issuerCert = NULL;
b1ab9ed8	299	}
b1ab9ed8 A	300	} /* searching subsequent records */
	301	} /* switch verify */
	302
	303	if(record != NULL) {
	304	/* NULL record --> end of search --> DB auto-aborted */
	305	crtn = CSSM_DL_DataAbortQuery(dlDb, resultHand);
	306	assert(crtn == CSSM_OK);
	307	}
	308	if(issuerCert != NULL) {
	309	/* successful return */
	310	tpDbDebug("tpDbFindIssuer: returning record %p", record);
	311	issuerCert->dlDbHandle(dlDb);
	312	issuerCert->uniqueRecord(record);
	313	if(expiredIssuer != NULL) {
	314	/* We found a replacement */
	315	tpDbDebug("tpDbFindIssuer: discarding expired cert");
	316	expiredIssuer->freeUniqueRecord();
	317	delete expiredIssuer;
	318	}
d8f41ccd A	319	/* Avoid deleting the non-root cert if same as expired cert */
	320	if(nonRootIssuer != NULL && nonRootIssuer != expiredIssuer) {
	321	/* We found a replacement */
	322	tpDbDebug("tpDbFindIssuer: discarding non-root cert");
	323	nonRootIssuer->freeUniqueRecord();
	324	delete nonRootIssuer;
	325	}
b1ab9ed8 A	326	return issuerCert;
	327	}
	328	} /* tpCertLookup, i.e., CSSM_DL_DataGetFirst, succeeded */
	329	else {
	330	assert(cert.Data == NULL);
	331	assert(resultHand == 0);
	332	}
	333	} /* main loop searching dbList */
	334
d8f41ccd A	335	if(nonRootIssuer != NULL) {
	336	/* didn't find root issuer, so use this one */
	337	tpDbDebug("tpDbFindIssuer: taking non-root issuer cert, record %p",
	338	nonRootIssuer->uniqueRecord());
	339	if(expiredIssuer != NULL && expiredIssuer != nonRootIssuer) {
	340	expiredIssuer->freeUniqueRecord();
	341	delete expiredIssuer;
	342	}
	343	return nonRootIssuer;
	344	}
	345
b1ab9ed8 A	346	if(expiredIssuer != NULL) {
b1ab9ed8 A	347	/* OK, we'll take this one */
d8f41ccd	348	tpDbDebug("tpDbFindIssuer: taking expired cert after all, record %p",
b1ab9ed8 A	349	expiredIssuer->uniqueRecord());
	350	return expiredIssuer;
	351	}
	352	/* issuer not found */
	353	return NULL;
	354	}
	355
	356	/*
d8f41ccd A	357	* Given a DL/DB, look up CRL by issuer name and validity time.
d8f41ccd A	358	* Subsequent CRLs can be found using the returned result handle.
b1ab9ed8 A	359	*/
	360	#define SEARCH_BY_DATE 1
	361
	362	static CSSM_DB_UNIQUE_RECORD_PTR tpCrlLookup(
	363	CSSM_DL_DB_HANDLE dlDb,
	364	const CSSM_DATA *issuerName, // DER-encoded
	365	CSSM_TIMESTRING verifyTime, // may be NULL, implies "now"
	366	CSSM_HANDLE_PTR resultHand, // RETURNED
	367	CSSM_DATA_PTR crl) // RETURNED
	368	{
	369	CSSM_QUERY query;
d8f41ccd	370	CSSM_SELECTION_PREDICATE pred[3];
b1ab9ed8 A	371	CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
b1ab9ed8 A	372	char timeStr[CSSM_TIME_STRLEN + 1];
d8f41ccd	373
b1ab9ed8 A	374	crl->Data = NULL;
b1ab9ed8 A	375	crl->Length = 0;
d8f41ccd	376
b1ab9ed8 A	377	/* Three predicates...first, the issuer name */
b1ab9ed8 A	378	pred[0].DbOperator = CSSM_DB_EQUAL;
d8f41ccd	379	pred[0].Attribute.Info.AttributeNameFormat =
b1ab9ed8 A	380	CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
	381	pred[0].Attribute.Info.Label.AttributeName = (char*) "Issuer";
	382	pred[0].Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
	383	pred[0].Attribute.Value = const_cast<CSSM_DATA_PTR>(issuerName);
	384	pred[0].Attribute.NumberOfValues = 1;
d8f41ccd	385
b1ab9ed8 A	386	/* now before/after. Cook up an appropriate time string. */
	387	if(verifyTime != NULL) {
	388	/* Caller spec'd tolerate any format */
427c49bc	389	int rtn = tpTimeToCssmTimestring(verifyTime, (unsigned)strlen(verifyTime), timeStr);
b1ab9ed8 A	390	if(rtn) {
	391	tpErrorLog("tpCrlLookup: Invalid VerifyTime string\n");
	392	return NULL;
	393	}
	394	}
	395	else {
	396	/* right now */
	397	StLock<Mutex> _(tpTimeLock());
	398	timeAtNowPlus(0, TIME_CSSM, timeStr);
	399	}
	400	CSSM_DATA timeData;
	401	timeData.Data = (uint8 *)timeStr;
	402	timeData.Length = CSSM_TIME_STRLEN;
d8f41ccd	403
b1ab9ed8 A	404	#if SEARCH_BY_DATE
	405	pred[1].DbOperator = CSSM_DB_LESS_THAN;
	406	pred[1].Attribute.Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
	407	pred[1].Attribute.Info.Label.AttributeName = (char*) "NextUpdate";
	408	pred[1].Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
	409	pred[1].Attribute.Value = &timeData;
	410	pred[1].Attribute.NumberOfValues = 1;
d8f41ccd	411
b1ab9ed8 A	412	pred[2].DbOperator = CSSM_DB_GREATER_THAN;
	413	pred[2].Attribute.Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
	414	pred[2].Attribute.Info.Label.AttributeName = (char*) "ThisUpdate";
	415	pred[2].Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
	416	pred[2].Attribute.Value = &timeData;
	417	pred[2].Attribute.NumberOfValues = 1;
	418	#endif
d8f41ccd	419
b1ab9ed8 A	420	query.RecordType = CSSM_DL_DB_RECORD_X509_CRL;
	421	query.Conjunctive = CSSM_DB_AND;
	422	#if SEARCH_BY_DATE
	423	query.NumSelectionPredicates = 3;
	424	#else
	425	query.NumSelectionPredicates = 1;
	426	#endif
	427	query.SelectionPredicate = pred;
	428	query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
	429	query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
	430	query.QueryFlags = 0; // FIXME - used?
d8f41ccd	431
b1ab9ed8 A	432	CSSM_DL_DataGetFirst(dlDb,
	433	&query,
	434	resultHand,
	435	NULL, // don't fetch attributes
	436	crl,
	437	&record);
	438	return record;
	439	}
	440
	441	/*
d8f41ccd A	442	* Search a list of DBs for a CRL from the specified issuer and (optional)
d8f41ccd A	443	* TPVerifyContext.verifyTime.
b1ab9ed8 A	444	* Just a boolean return - we found it, or not. If we did, we return a
	445	* TPCrlInfo which has been verified with the specified TPVerifyContext.
	446	*/
	447	TPCrlInfo *tpDbFindIssuerCrl(
	448	TPVerifyContext &vfyCtx,
	449	const CSSM_DATA &issuer,
	450	TPCertInfo &forCert)
	451	{
	452	StLock<Mutex> _(SecTrustKeychainsGetMutex());
	453
	454	uint32 dbDex;
	455	CSSM_HANDLE resultHand;
d8f41ccd	456	CSSM_DATA crl;
b1ab9ed8 A	457	CSSM_DL_DB_HANDLE dlDb;
	458	CSSM_DB_UNIQUE_RECORD_PTR record;
	459	TPCrlInfo *issuerCrl = NULL;
	460	CSSM_DL_DB_LIST_PTR dbList = vfyCtx.dbList;
	461	CSSM_RETURN crtn;
d8f41ccd	462
b1ab9ed8 A	463	if(dbList == NULL) {
	464	return NULL;
	465	}
	466	for(dbDex=0; dbDex<dbList->NumHandles; dbDex++) {
	467	dlDb = dbList->DLDBHandle[dbDex];
	468	crl.Data = NULL;
	469	crl.Length = 0;
	470	record = tpCrlLookup(dlDb,
	471	&issuer,
	472	vfyCtx.verifyTime,
	473	&resultHand,
	474	&crl);
d8f41ccd A	475	/* remember we have to:
	476	* -- abort this query regardless, and
	477	* -- free the CSSM_DATA crl regardless, and
	478	* -- free the unique record if we don't use it
b1ab9ed8 A	479	* (by placing it in issuerCert)...
	480	*/
	481	if(record != NULL) {
	482	/* Found one */
	483	assert(crl.Data != NULL);
d8f41ccd	484	issuerCrl = new TPCrlInfo(vfyCtx.clHand,
b1ab9ed8	485	vfyCtx.cspHand,
d8f41ccd A	486	&crl,
d8f41ccd A	487	TIC_CopyData,
b1ab9ed8 A	488	vfyCtx.verifyTime);
b1ab9ed8 A	489	/* we're done with raw CRL data */
d8f41ccd	490	/* FIXME this assumes that vfyCtx.alloc is the same as the
b1ab9ed8 A	491	* allocator associated with DlDB...OK? */
	492	tpFreeCssmData(vfyCtx.alloc, &crl, CSSM_FALSE);
	493	crl.Data = NULL;
	494	crl.Length = 0;
d8f41ccd	495
b1ab9ed8 A	496	/* and we're done with the record */
b1ab9ed8 A	497	CSSM_DL_FreeUniqueRecord(dlDb, record);
d8f41ccd	498
b1ab9ed8 A	499	/* Does it verify with specified context? */
	500	crtn = issuerCrl->verifyWithContextNow(vfyCtx, &forCert);
	501	if(crtn) {
d8f41ccd	502
b1ab9ed8 A	503	delete issuerCrl;
b1ab9ed8 A	504	issuerCrl = NULL;
d8f41ccd	505
b1ab9ed8	506	/*
d8f41ccd A	507	* Verify fail. Continue searching this DB. Break on
d8f41ccd A	508	* finding the holy grail or no more records found.
b1ab9ed8 A	509	*/
	510	for(;;) {
	511	crl.Data = NULL;
	512	crl.Length = 0;
d8f41ccd	513	crtn = CSSM_DL_DataGetNext(dlDb,
b1ab9ed8	514	resultHand,
d8f41ccd	515	NULL, // no attrs
b1ab9ed8 A	516	&crl,
	517	&record);
	518	if(crtn) {
	519	/* no more, done with this DB */
	520	assert(crl.Data == NULL);
	521	break;
	522	}
	523	assert(crl.Data != NULL);
d8f41ccd	524
b1ab9ed8	525	/* found one - is it any good? */
d8f41ccd	526	issuerCrl = new TPCrlInfo(vfyCtx.clHand,
b1ab9ed8	527	vfyCtx.cspHand,
d8f41ccd A	528	&crl,
d8f41ccd A	529	TIC_CopyData,
b1ab9ed8 A	530	vfyCtx.verifyTime);
b1ab9ed8 A	531	/* we're done with raw CRL data */
d8f41ccd	532	/* FIXME this assumes that vfyCtx.alloc is the same as the
b1ab9ed8 A	533	* allocator associated with DlDB...OK? */
	534	tpFreeCssmData(vfyCtx.alloc, &crl, CSSM_FALSE);
	535	crl.Data = NULL;
	536	crl.Length = 0;
	537
	538	CSSM_DL_FreeUniqueRecord(dlDb, record);
	539
	540	crtn = issuerCrl->verifyWithContextNow(vfyCtx, &forCert);
	541	if(crtn == CSSM_OK) {
	542	/* yes! */
	543	break;
	544	}
	545	delete issuerCrl;
	546	issuerCrl = NULL;
	547	} /* searching subsequent records */
	548	} /* verify fail */
	549	/* else success! */
	550
	551	if(issuerCrl != NULL) {
	552	/* successful return */
	553	CSSM_DL_DataAbortQuery(dlDb, resultHand);
	554	tpDebug("tpDbFindIssuerCrl: found CRL record %p", record);
	555	return issuerCrl;
	556	}
	557	} /* tpCrlLookup, i.e., CSSM_DL_DataGetFirst, succeeded */
	558	else {
	559	assert(crl.Data == NULL);
	560	}
	561	/* in any case, abort the query for this db */
	562	CSSM_DL_DataAbortQuery(dlDb, resultHand);
d8f41ccd	563
b1ab9ed8 A	564	} /* main loop searching dbList */
	565
	566	/* issuer not found */
	567	return NULL;
	568	}
	569