[apple/security.git] / OSX / libsecurity_apple_x509_tp / lib / tpCertAllowList.c

/*
 * Copyright (c) 2015 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * tpCertAllowList.c - List of allowed certificates without a trusted root
 */


#include <stdlib.h>
#include <strings.h>

#include "certGroupUtils.h"
#include "TPCertInfo.h"
#include "TPCrlInfo.h"
#include "tpPolicies.h"
#include "tpdebugging.h"
#include "tpCrlVerify.h"

#include <Security/oidsalg.h>
#include <Security/cssmapple.h>
#include "tpCertAllowList.h"
#include <Security/SecBase.h>
#include <CommonCrypto/CommonDigest.h>
#include <CommonCrypto/CommonDigestSPI.h>
#include <CoreFoundation/CFError.h>
#include <CoreFoundation/CFDictionary.h>


static CFStringRef kSecSystemTrustStoreBundlePath = CFSTR("/System/Library/Security/Certificates.bundle");

static CFURLRef SecSystemTrustStoreCopyResourceURL(CFStringRef resourceName,
						   CFStringRef resourceType, CFStringRef subDirName)
{
	CFURLRef rsrcUrl = NULL;
	CFBundleRef bundle = NULL;
	
	CFURLRef bundleUrl = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, kSecSystemTrustStoreBundlePath, kCFURLPOSIXPathStyle, true);
	if (bundleUrl) {
		bundle = CFBundleCreate(kCFAllocatorDefault, bundleUrl);
		CFRelease(bundleUrl);
	}
	
	if (bundle) {
		rsrcUrl = CFBundleCopyResourceURL(bundle, resourceName, resourceType, subDirName);
		if (!rsrcUrl) {
			tpDebug("resource: not found");
		}
		CFRelease(bundle);
	}
	
	return rsrcUrl;
}

static CFDataRef SecSystemTrustStoreCopyResourceContents(CFStringRef resourceName,
							 CFStringRef resourceType, CFStringRef subDirName)
{
	CFURLRef url = SecSystemTrustStoreCopyResourceURL(resourceName, resourceType, subDirName);
	CFDataRef data = NULL;
	if (url) {
		SInt32 error;
		if (!CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault,
							      url, &data, NULL, NULL, &error)) {
			tpDebug("Allow list read: %ld", (long) error);
		}
		CFRelease(url);
	}
	return data;
}

static CFDictionaryRef InitializeAllowList()
{
	CFDataRef xmlData = NULL;
	// Use the file in the system trust store bundle
	xmlData = SecSystemTrustStoreCopyResourceContents(CFSTR("Allowed"), CFSTR("plist"), NULL);
	
	CFPropertyListRef allowList = NULL;
	if (xmlData) {
		allowList = CFPropertyListCreateWithData(kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL);
		CFRelease(xmlData);
	}
	
	if (allowList && (CFGetTypeID(allowList) == CFDictionaryGetTypeID())) {
		return (CFDictionaryRef) allowList;
	} else {
		if (allowList)
			CFRelease(allowList);
		return NULL;
	}
}

/* helper functions borrowed from SecCFWrappers */
static inline CFComparisonResult CFDataCompare(CFDataRef left, CFDataRef right)
{
	const size_t left_size = CFDataGetLength(left);
	const size_t right_size = CFDataGetLength(right);
	const size_t shortest = (left_size <= right_size) ? left_size : right_size;
	
	int comparison = memcmp(CFDataGetBytePtr(left), CFDataGetBytePtr(right), shortest);
	
	if (comparison > 0 || (comparison == 0 && left_size > right_size))
		return kCFCompareGreaterThan;
	else if (comparison < 0 || (comparison == 0 && left_size < right_size))
		return kCFCompareLessThan;
	else
		return kCFCompareEqualTo;
}

static inline void CFStringAppendHexData(CFMutableStringRef s, CFDataRef data) {
	const uint8_t *bytes = CFDataGetBytePtr(data);
	CFIndex len = CFDataGetLength(data);
	for (CFIndex ix = 0; ix < len; ++ix) {
		CFStringAppendFormat(s, 0, CFSTR("%02X"), bytes[ix]);
	}
}

static inline CF_RETURNS_RETAINED CFStringRef CFDataCopyHexString(CFDataRef data) {
	CFMutableStringRef hexString = CFStringCreateMutable(kCFAllocatorDefault, 2 * CFDataGetLength(data));
	CFStringAppendHexData(hexString, data);
	return hexString;
}

CSSM_RETURN tpCheckCertificateAllowList(TPCertGroup &certGroup) {
	CSSM_RETURN result = CSSMERR_TP_NOT_TRUSTED;
	unsigned numCerts = certGroup.numCerts();
	int i;
	CFRange range;
	CFArrayRef allowedCerts = NULL;
	
	TPCertInfo *last = certGroup.lastCert();
	if (!last) {
		return result;
	}
	
	/* parse authority key ID from certificate that would have been signed by a distrusted root */
	const CSSM_DATA *authKeyID = last->authorityKeyID();
	if (!authKeyID || !authKeyID->Data) {
		return result;
	}
	
	CSSM_X509_EXTENSION *ake = (CSSM_X509_EXTENSION *)authKeyID->Data;
	if (!ake || ake->format != CSSM_X509_DATAFORMAT_PARSED) {
		return result;
	}
	
	const CE_AuthorityKeyID *akid = (CE_AuthorityKeyID *)ake->value.parsedValue;
	if (!akid || !akid->keyIdentifierPresent) {
		return result;
	}

	CFDataRef akData = CFDataCreate(kCFAllocatorDefault, akid->keyIdentifier.Data, akid->keyIdentifier.Length);
	CFStringRef akString = CFDataCopyHexString(akData);
	
	/* search allow list for allowed certs for this distrusted root */
	CFDictionaryRef allowList = InitializeAllowList();
	if (NULL == allowList) {
		goto errout;
	}

	allowedCerts = (CFArrayRef)CFDictionaryGetValue(allowList, akString);
	if (!allowedCerts || !CFArrayGetCount(allowedCerts)) {
		goto errout;
	}
	
	/* found some allowed certificates: check whether a certificate in this chain is present */
	range = CFRangeMake(0, CFArrayGetCount(allowedCerts));
	for (i = 0; i < numCerts; i++) {
		TPCertInfo *cert = certGroup.certAtIndex(i);
		UInt8 hashBytes[CC_SHA256_DIGEST_LENGTH] = {0};
		
		const CSSM_DATA *certData = cert->itemData();
		if (!certData || !certData->Data || (certData->Length <= 0)) {
			goto errout;
		}
		
		int err = CCDigest(kCCDigestSHA256, certData->Data, certData->Length, hashBytes);
		if (err) {
			goto errout;
		}
		
		CFDataRef hashData = CFDataCreate(kCFAllocatorDefault, hashBytes, sizeof(hashBytes));
		
		CFIndex position = CFArrayBSearchValues(allowedCerts, range, hashData, (CFComparatorFunction)CFDataCompare, NULL);
		if (position < CFArrayGetCount(allowedCerts)) {
			CFDataRef possibleMatch = (CFDataRef) CFArrayGetValueAtIndex(allowedCerts, position);
			if (!CFDataCompare(hashData, possibleMatch)) {
				//this cert is in the allowlist
				result = CSSM_OK;
			}
		}
		CFRelease(hashData);
	}
	
errout:
	if (akString)
		CFRelease(akString);
	if (akData)
		CFRelease(akData);
	if (allowList)
		CFRelease(allowList);
	return result;
}
Commit	Line	Data
5c19dc3a A	1	/*
	2	* Copyright (c) 2015 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*
	25	* tpCertAllowList.c - List of allowed certificates without a trusted root
	26	*/
	27
	28
	29	#include <stdlib.h>
	30	#include <strings.h>
	31
	32	#include "certGroupUtils.h"
	33	#include "TPCertInfo.h"
	34	#include "TPCrlInfo.h"
	35	#include "tpPolicies.h"
	36	#include "tpdebugging.h"
	37	#include "tpCrlVerify.h"
	38
	39	#include <Security/oidsalg.h>
	40	#include <Security/cssmapple.h>
	41	#include "tpCertAllowList.h"
	42	#include <Security/SecBase.h>
	43	#include <CommonCrypto/CommonDigest.h>
	44	#include <CommonCrypto/CommonDigestSPI.h>
	45	#include <CoreFoundation/CFError.h>
	46	#include <CoreFoundation/CFDictionary.h>
	47
	48
	49	static CFStringRef kSecSystemTrustStoreBundlePath = CFSTR("/System/Library/Security/Certificates.bundle");
	50
	51	static CFURLRef SecSystemTrustStoreCopyResourceURL(CFStringRef resourceName,
	52	CFStringRef resourceType, CFStringRef subDirName)
	53	{
	54	CFURLRef rsrcUrl = NULL;
	55	CFBundleRef bundle = NULL;
	56
	57	CFURLRef bundleUrl = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, kSecSystemTrustStoreBundlePath, kCFURLPOSIXPathStyle, true);
	58	if (bundleUrl) {
	59	bundle = CFBundleCreate(kCFAllocatorDefault, bundleUrl);
	60	CFRelease(bundleUrl);
	61	}
	62
	63	if (bundle) {
	64	rsrcUrl = CFBundleCopyResourceURL(bundle, resourceName, resourceType, subDirName);
65	if (!rsrcUrl) {
66	tpDebug("resource: not found");
67	}
68	CFRelease(bundle);
69	}
70
71	return rsrcUrl;
72	}
73
74	static CFDataRef SecSystemTrustStoreCopyResourceContents(CFStringRef resourceName,
75	CFStringRef resourceType, CFStringRef subDirName)
76	{
77	CFURLRef url = SecSystemTrustStoreCopyResourceURL(resourceName, resourceType, subDirName);
78	CFDataRef data = NULL;
79	if (url) {
80	SInt32 error;
81	if (!CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault,
82	url, &data, NULL, NULL, &error)) {
83	tpDebug("Allow list read: %ld", (long) error);
84	}
85	CFRelease(url);
86	}
87	return data;
88	}
89
90	static CFDictionaryRef InitializeAllowList()
91	{
92	CFDataRef xmlData = NULL;
93	// Use the file in the system trust store bundle
94	xmlData = SecSystemTrustStoreCopyResourceContents(CFSTR("Allowed"), CFSTR("plist"), NULL);
95
96	CFPropertyListRef allowList = NULL;
97	if (xmlData) {
98	allowList = CFPropertyListCreateWithData(kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL);
99	CFRelease(xmlData);
100	}
101
102	if (allowList && (CFGetTypeID(allowList) == CFDictionaryGetTypeID())) {
103	return (CFDictionaryRef) allowList;
104	} else {
105	if (allowList)
106	CFRelease(allowList);
107	return NULL;
108	}
109	}
110
111	/* helper functions borrowed from SecCFWrappers */
112	static inline CFComparisonResult CFDataCompare(CFDataRef left, CFDataRef right)
113	{
114	const size_t left_size = CFDataGetLength(left);
115	const size_t right_size = CFDataGetLength(right);
116	const size_t shortest = (left_size <= right_size) ? left_size : right_size;
117
118	int comparison = memcmp(CFDataGetBytePtr(left), CFDataGetBytePtr(right), shortest);
119
120	if (comparison > 0 \|\| (comparison == 0 && left_size > right_size))
121	return kCFCompareGreaterThan;
122	else if (comparison < 0 \|\| (comparison == 0 && left_size < right_size))
123	return kCFCompareLessThan;
124	else
125	return kCFCompareEqualTo;
126	}
127
128	static inline void CFStringAppendHexData(CFMutableStringRef s, CFDataRef data) {
129	const uint8_t *bytes = CFDataGetBytePtr(data);
130	CFIndex len = CFDataGetLength(data);
131	for (CFIndex ix = 0; ix < len; ++ix) {
132	CFStringAppendFormat(s, 0, CFSTR("%02X"), bytes[ix]);
133	}
134	}
135
136	static inline CF_RETURNS_RETAINED CFStringRef CFDataCopyHexString(CFDataRef data) {
137	CFMutableStringRef hexString = CFStringCreateMutable(kCFAllocatorDefault, 2 * CFDataGetLength(data));
138	CFStringAppendHexData(hexString, data);
139	return hexString;
140	}
141
142	CSSM_RETURN tpCheckCertificateAllowList(TPCertGroup &certGroup) {
143	CSSM_RETURN result = CSSMERR_TP_NOT_TRUSTED;
144	unsigned numCerts = certGroup.numCerts();
145	int i;
146	CFRange range;
147	CFArrayRef allowedCerts = NULL;
148
149	TPCertInfo *last = certGroup.lastCert();
150	if (!last) {
151	return result;
152	}
153
154	/* parse authority key ID from certificate that would have been signed by a distrusted root */
155	const CSSM_DATA *authKeyID = last->authorityKeyID();
156	if (!authKeyID \|\| !authKeyID->Data) {
157	return result;
158	}
159
160	CSSM_X509_EXTENSION ake = (CSSM_X509_EXTENSION )authKeyID->Data;
161	if (!ake \|\| ake->format != CSSM_X509_DATAFORMAT_PARSED) {
162	return result;
163	}
164
165	const CE_AuthorityKeyID akid = (CE_AuthorityKeyID )ake->value.parsedValue;
166	if (!akid \|\| !akid->keyIdentifierPresent) {
167	return result;
168	}
169
170	CFDataRef akData = CFDataCreate(kCFAllocatorDefault, akid->keyIdentifier.Data, akid->keyIdentifier.Length);
171	CFStringRef akString = CFDataCopyHexString(akData);
172
173	/* search allow list for allowed certs for this distrusted root */
174	CFDictionaryRef allowList = InitializeAllowList();
175	if (NULL == allowList) {
176	goto errout;
177	}
178
179	allowedCerts = (CFArrayRef)CFDictionaryGetValue(allowList, akString);
180	if (!allowedCerts \|\| !CFArrayGetCount(allowedCerts)) {
181	goto errout;
182	}
183
184	/* found some allowed certificates: check whether a certificate in this chain is present */
185	range = CFRangeMake(0, CFArrayGetCount(allowedCerts));
186	for (i = 0; i < numCerts; i++) {
187	TPCertInfo *cert = certGroup.certAtIndex(i);
188	UInt8 hashBytes[CC_SHA256_DIGEST_LENGTH] = {0};
189
190	const CSSM_DATA *certData = cert->itemData();
191	if (!certData \|\| !certData->Data \|\| (certData->Length <= 0)) {
192	goto errout;
193	}
194
195	int err = CCDigest(kCCDigestSHA256, certData->Data, certData->Length, hashBytes);
196	if (err) {
197	goto errout;
198	}
199
200	CFDataRef hashData = CFDataCreate(kCFAllocatorDefault, hashBytes, sizeof(hashBytes));
201
202	CFIndex position = CFArrayBSearchValues(allowedCerts, range, hashData, (CFComparatorFunction)CFDataCompare, NULL);
203	if (position < CFArrayGetCount(allowedCerts)) {
204	CFDataRef possibleMatch = (CFDataRef) CFArrayGetValueAtIndex(allowedCerts, position);
205	if (!CFDataCompare(hashData, possibleMatch)) {
206	//this cert is in the allowlist
207	result = CSSM_OK;
208	}
209	}
210	CFRelease(hashData);
211	}
212
213	errout:
214	if (akString)
215	CFRelease(akString);
216	if (akData)
217	CFRelease(akData);
218	if (allowList)
219	CFRelease(allowList);
220	return result;
221	}
222