[apple/security.git] / OSX / libsecurity_keychain / lib / TrustItem.cpp

/*
 * Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

//
// TrustStore.h - Abstract interface to permanent user trust assignments
//
#include <security_keychain/TrustItem.h>
#include <security_cdsa_utilities/Schema.h>
#include <security_keychain/SecCFTypes.h>

#include <security_asn1/secasn1.h>
#include <security_asn1/SecNssCoder.h>
#include <Security/oidscert.h>


namespace Security {
namespace KeychainCore {


//
// Construct a UserTrustItem from attributes and initial content
//
UserTrustItem::UserTrustItem(Certificate *cert, Policy *policy, const TrustData &trustData) :
	ItemImpl((SecItemClass)CSSM_DL_DB_RECORD_USER_TRUST,
		reinterpret_cast<SecKeychainAttributeList *>(NULL),
		UInt32(sizeof(trustData)),
		reinterpret_cast<const void *>(&trustData)),
	mCertificate(cert), mPolicy(policy)
{
	secinfo("usertrust", "%p create(%p,%p) = %d",
		this, cert, policy, SecTrustUserSetting(trustData.trust));
}


//
// Destroy it
//
UserTrustItem::~UserTrustItem() 
{
	secinfo("usertrust", "%p destroyed", this);
}


//
// Retrieve the trust value from a UserTrustItem
//
UserTrustItem::TrustData UserTrustItem::trust()
{
	StLock<Mutex>_(mMutex);
	CssmDataContainer data;
	getData(data);
	if (data.length() != sizeof(TrustData))
		MacOSError::throwMe(errSecInvalidTrustSetting);
	return *data.interpretedAs<TrustData>();
}


//
// Add item to keychain
//
PrimaryKey UserTrustItem::add(Keychain &keychain)
{
	StLock<Mutex>_(mMutex);
	// If we already have a Keychain we can't be added.
	if (mKeychain)
		MacOSError::throwMe(errSecDuplicateItem);

	populateAttributes();

	CSSM_DB_RECORDTYPE recordType = mDbAttributes->recordType();

	Db db(keychain->database());
	// add the item to the (regular) db
	try
	{
		mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get());
		secinfo("usertrust", "%p inserted", this);
	}
	catch (const CssmError &e)
	{
		if (e.osStatus() != CSSMERR_DL_INVALID_RECORDTYPE)
			throw;

		// Create the trust relation and try again.
		secinfo("usertrust", "adding schema relation for user trusts");
		db->createRelation(CSSM_DL_DB_RECORD_USER_TRUST, "CSSM_DL_DB_RECORD_USER_TRUST",
			Schema::UserTrustSchemaAttributeCount,
			Schema::UserTrustSchemaAttributeList,
			Schema::UserTrustSchemaIndexCount,
			Schema::UserTrustSchemaIndexList);
		keychain->keychainSchema()->didCreateRelation(
			CSSM_DL_DB_RECORD_USER_TRUST,
			"CSSM_DL_DB_RECORD_USER_TRUST",
			Schema::UserTrustSchemaAttributeCount,
			Schema::UserTrustSchemaAttributeList,
			Schema::UserTrustSchemaIndexCount,
			Schema::UserTrustSchemaIndexList);

		mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get());
		secinfo("usertrust", "%p inserted now", this);
	}

	mPrimaryKey = keychain->makePrimaryKey(recordType, mUniqueId);
    mKeychain = keychain;
	return mPrimaryKey;
}


void UserTrustItem::populateAttributes()
{
	StLock<Mutex>_(mMutex);
	CssmAutoData encodedIndex(Allocator::standard());
	makeCertIndex(mCertificate, encodedIndex);
	const CssmOid &policyOid = mPolicy->oid();

	mDbAttributes->add(Schema::attributeInfo(kSecTrustCertAttr), encodedIndex.get());
	mDbAttributes->add(Schema::attributeInfo(kSecTrustPolicyAttr), policyOid);
}


//
// An ad-hoc hold-and-destroy accessor for a single-valued certificate field
//
class CertField {
public:
	CertField(Certificate *cert, const CSSM_OID &inField)
		: certificate(cert), field(inField)
	{ mData = certificate->copyFirstFieldValue(field); }
		
	~CertField() { certificate->releaseFieldValue(field, mData); }
	
	Certificate * const certificate;
	const CSSM_OID &field;
	
	operator bool () const { return mData && mData->Data; }
	CssmData &data() const { return CssmData::overlay(*mData); }

private:
	CSSM_DATA_PTR mData;
};


//
// Construct a trust item index.
// This is an ASN.1 sequence of issuer and serial number.
//
struct IssuerAndSN {
    CSSM_DATA issuer;
    CSSM_DATA serial;
};

static const SecAsn1Template issuerAndSNTemplate[] = {
	{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(IssuerAndSN) },
	{ SEC_ASN1_OCTET_STRING, offsetof(IssuerAndSN, issuer) },
	{ SEC_ASN1_OCTET_STRING, offsetof(IssuerAndSN, serial) },
	{ 0 }
};

void UserTrustItem::makeCertIndex(Certificate *cert, CssmOwnedData &encodedIndex)
{
	CertField issuer(cert, CSSMOID_X509V1IssuerName);
	CertField serial(cert, CSSMOID_X509V1SerialNumber);
	IssuerAndSN index;
	index.issuer = issuer.data();
	index.serial = serial.data();
	if (SecNssEncodeItemOdata(&index, issuerAndSNTemplate, encodedIndex))
		CssmError::throwMe(CSSMERR_CSP_MEMORY_ERROR);
}


} // end namespace KeychainCore
} // end namespace Security
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	//
	25	// TrustStore.h - Abstract interface to permanent user trust assignments
	26	//
	27	#include <security_keychain/TrustItem.h>
	28	#include <security_cdsa_utilities/Schema.h>
	29	#include <security_keychain/SecCFTypes.h>
	30
	31	#include <security_asn1/secasn1.h>
	32	#include <security_asn1/SecNssCoder.h>
	33	#include <Security/oidscert.h>
	34
	35
	36	namespace Security {
	37	namespace KeychainCore {
	38
	39
	40	//
	41	// Construct a UserTrustItem from attributes and initial content
	42	//
	43	UserTrustItem::UserTrustItem(Certificate cert, Policy policy, const TrustData &trustData) :
6b200bc3	44	ItemImpl((SecItemClass)CSSM_DL_DB_RECORD_USER_TRUST,
b1ab9ed8 A	45	reinterpret_cast<SecKeychainAttributeList *>(NULL),
	46	UInt32(sizeof(trustData)),
	47	reinterpret_cast<const void *>(&trustData)),
	48	mCertificate(cert), mPolicy(policy)
	49	{
fa7225c8	50	secinfo("usertrust", "%p create(%p,%p) = %d",
b1ab9ed8 A	51	this, cert, policy, SecTrustUserSetting(trustData.trust));
	52	}
	53
	54
	55	//
	56	// Destroy it
	57	//
	58	UserTrustItem::~UserTrustItem()
	59	{
fa7225c8	60	secinfo("usertrust", "%p destroyed", this);
b1ab9ed8 A	61	}
	62
	63
	64	//
	65	// Retrieve the trust value from a UserTrustItem
	66	//
	67	UserTrustItem::TrustData UserTrustItem::trust()
	68	{
	69	StLock<Mutex>_(mMutex);
	70	CssmDataContainer data;
	71	getData(data);
	72	if (data.length() != sizeof(TrustData))
	73	MacOSError::throwMe(errSecInvalidTrustSetting);
	74	return *data.interpretedAs<TrustData>();
	75	}
	76
	77
	78	//
	79	// Add item to keychain
	80	//
	81	PrimaryKey UserTrustItem::add(Keychain &keychain)
	82	{
	83	StLock<Mutex>_(mMutex);
	84	// If we already have a Keychain we can't be added.
	85	if (mKeychain)
	86	MacOSError::throwMe(errSecDuplicateItem);
	87
	88	populateAttributes();
	89
	90	CSSM_DB_RECORDTYPE recordType = mDbAttributes->recordType();
	91
	92	Db db(keychain->database());
	93	// add the item to the (regular) db
	94	try
	95	{
	96	mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get());
fa7225c8	97	secinfo("usertrust", "%p inserted", this);
b1ab9ed8 A	98	}
	99	catch (const CssmError &e)
	100	{
	101	if (e.osStatus() != CSSMERR_DL_INVALID_RECORDTYPE)
	102	throw;
	103
	104	// Create the trust relation and try again.
fa7225c8	105	secinfo("usertrust", "adding schema relation for user trusts");
b1ab9ed8 A	106	db->createRelation(CSSM_DL_DB_RECORD_USER_TRUST, "CSSM_DL_DB_RECORD_USER_TRUST",
	107	Schema::UserTrustSchemaAttributeCount,
	108	Schema::UserTrustSchemaAttributeList,
	109	Schema::UserTrustSchemaIndexCount,
	110	Schema::UserTrustSchemaIndexList);
	111	keychain->keychainSchema()->didCreateRelation(
	112	CSSM_DL_DB_RECORD_USER_TRUST,
	113	"CSSM_DL_DB_RECORD_USER_TRUST",
	114	Schema::UserTrustSchemaAttributeCount,
	115	Schema::UserTrustSchemaAttributeList,
	116	Schema::UserTrustSchemaIndexCount,
	117	Schema::UserTrustSchemaIndexList);
	118
	119	mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get());
fa7225c8	120	secinfo("usertrust", "%p inserted now", this);
b1ab9ed8 A	121	}
	122
	123	mPrimaryKey = keychain->makePrimaryKey(recordType, mUniqueId);
	124	mKeychain = keychain;
	125	return mPrimaryKey;
	126	}
	127
	128
	129	void UserTrustItem::populateAttributes()
	130	{
	131	StLock<Mutex>_(mMutex);
	132	CssmAutoData encodedIndex(Allocator::standard());
	133	makeCertIndex(mCertificate, encodedIndex);
	134	const CssmOid &policyOid = mPolicy->oid();
	135
	136	mDbAttributes->add(Schema::attributeInfo(kSecTrustCertAttr), encodedIndex.get());
	137	mDbAttributes->add(Schema::attributeInfo(kSecTrustPolicyAttr), policyOid);
	138	}
	139
	140
	141	//
	142	// An ad-hoc hold-and-destroy accessor for a single-valued certificate field
	143	//
	144	class CertField {
	145	public:
	146	CertField(Certificate *cert, const CSSM_OID &inField)
	147	: certificate(cert), field(inField)
	148	{ mData = certificate->copyFirstFieldValue(field); }
	149
	150	~CertField() { certificate->releaseFieldValue(field, mData); }
	151
	152	Certificate * const certificate;
	153	const CSSM_OID &field;
	154
	155	operator bool () const { return mData && mData->Data; }
	156	CssmData &data() const { return CssmData::overlay(*mData); }
	157
	158	private:
	159	CSSM_DATA_PTR mData;
	160	};
	161
	162
	163	//
	164	// Construct a trust item index.
	165	// This is an ASN.1 sequence of issuer and serial number.
	166	//
	167	struct IssuerAndSN {
	168	CSSM_DATA issuer;
	169	CSSM_DATA serial;
	170	};
	171
	172	static const SecAsn1Template issuerAndSNTemplate[] = {
	173	{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(IssuerAndSN) },
	174	{ SEC_ASN1_OCTET_STRING, offsetof(IssuerAndSN, issuer) },
	175	{ SEC_ASN1_OCTET_STRING, offsetof(IssuerAndSN, serial) },
	176	{ 0 }
	177	};
	178
	179	void UserTrustItem::makeCertIndex(Certificate *cert, CssmOwnedData &encodedIndex)
	180	{
	181	CertField issuer(cert, CSSMOID_X509V1IssuerName);
	182	CertField serial(cert, CSSMOID_X509V1SerialNumber);
	183	IssuerAndSN index;
	184	index.issuer = issuer.data();
185	index.serial = serial.data();
186	if (SecNssEncodeItemOdata(&index, issuerAndSNTemplate, encodedIndex))
187	CssmError::throwMe(CSSMERR_CSP_MEMORY_ERROR);
188	}
189
190
191	} // end namespace KeychainCore
192	} // end namespace Security