2 * Copyright (c) 2000,2002,2011-2012,2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 * ocspUtils.cpp - common utilities for OCSPD
28 #include "ocspdUtils.h"
29 #include "ocspdDebug.h"
30 #include <Security/cssmerr.h>
31 #include <Security/keyTemplates.h>
32 #include <CoreFoundation/CoreFoundation.h>
35 * Compare two CSSM_DATAs, return CSSM_TRUE if identical.
37 CSSM_BOOL
ocspdCompareCssmData(
38 const CSSM_DATA
*data1
,
39 const CSSM_DATA
*data2
)
41 if((data1
== NULL
) || (data1
->Data
== NULL
) ||
42 (data2
== NULL
) || (data2
->Data
== NULL
) ||
43 (data1
->Length
!= data2
->Length
)) {
46 if(data1
->Length
!= data2
->Length
) {
49 if(memcmp(data1
->Data
, data2
->Data
, data1
->Length
) == 0) {
58 * Convert a generalized time string, with a 4-digit year and no trailing
59 * fractional seconds or time zone info, to a CFAbsoluteTime. Returns
60 * NULL_TIME (0.0) on error.
62 static CFAbsoluteTime
parseGenTime(
66 if((str
== NULL
) || (len
== 0)) {
70 /* tolerate NULL terminated or not */
71 if(str
[len
- 1] == '\0') {
79 memset(&greg
, 0, sizeof(greg
));
80 const uint8
*cp
= str
;
89 greg
.year
= atoi(szTemp
);
91 /* MONTH - CFGregorianDate ranges 1..12, just like the string */
99 greg
.month
= atoi( szTemp
);
108 greg
.day
= atoi( szTemp
);
116 greg
.hour
= atoi( szTemp
);
124 greg
.minute
= atoi( szTemp
);
132 greg
.second
= atoi( szTemp
);
135 return CFGregorianDateGetAbsoluteTime(greg
, NULL
);
139 * Parse a GeneralizedTime string into a CFAbsoluteTime. Returns NULL on parse error.
140 * Fractional parts of a second are discarded.
142 CFAbsoluteTime
genTimeToCFAbsTime(
143 const CSSM_DATA
*strData
)
145 if((strData
== NULL
) || (strData
->Data
== NULL
) || (strData
->Length
== 0)) {
149 uint8
*timeStr
= strData
->Data
;
150 size_t timeStrLen
= strData
->Length
;
152 /* tolerate NULL terminated or not */
153 if(timeStr
[timeStrLen
- 1] == '\0') {
157 /* start with a fresh editable copy */
158 uint8
*str
= (uint8
*)malloc(timeStrLen
);
162 * If there is a decimal point, strip it and all trailing digits off
164 const uint8
*inCp
= timeStr
;
166 int foundDecimal
= 0;
167 int minutesOffset
= 0;
169 bool minusOffset
= false;
171 size_t toGo
= timeStrLen
;
176 /* only legal once */ {
183 /* skip the decimal point... */
190 /* then all subsequent contiguous digits */
191 while(isdigit(*inCp
) && (toGo
!= 0)) {
195 } /* decimal point processing */
196 else if((*inCp
== '+') || (*inCp
== '-')) {
197 /* Time zone offset - handle 2 or 4 chars */
198 if((toGo
!= 2) & (toGo
!= 4)) {
206 hoursOffset
= (10 * (inCp
[0] - '0')) + (inCp
[1] - '0');
209 minutesOffset
= (10 * (inCp
[0] - '0')) + (inCp
[1] - '0');
220 if(strLen
>= 1 && str
[strLen
- 1] == 'Z') {
225 CFAbsoluteTime absTime
;
226 absTime
= parseGenTime(str
, strLen
);
228 if(absTime
== NULL_TIME
) {
232 /* post processing needed? */
234 /* Nope, string was in GMT */
237 if((minutesOffset
!= 0) || (hoursOffset
!= 0)) {
238 /* string contained explicit offset from GMT */
240 absTime
-= (minutesOffset
* 60);
241 absTime
-= (hoursOffset
* 3600);
244 absTime
+= (minutesOffset
* 60);
245 absTime
+= (hoursOffset
* 3600);
249 /* implciit offset = local */
250 CFTimeInterval tzDelta
;
251 CFTimeZoneRef localZone
= CFTimeZoneCopySystem();
252 tzDelta
= CFTimeZoneGetSecondsFromGMT (localZone
, CFAbsoluteTimeGetCurrent());
253 CFRelease(localZone
);
260 * Convert CFAbsoluteTime to generalized time string, GMT format (4 digit year,
261 * trailing 'Z'). Caller allocated the output which is GENERAL_TIME_STRLEN+1 bytes.
263 void cfAbsTimeToGgenTime(
264 CFAbsoluteTime absTime
,
267 /* time zone = GMT */
268 CFTimeZoneRef tz
= CFTimeZoneCreateWithTimeIntervalFromGMT(NULL
, 0.0);
269 CFGregorianDate greg
= CFAbsoluteTimeGetGregorianDate(absTime
, tz
);
272 int seconds
= (int)greg
.second
;
273 sprintf(genTime
, "%04d%02d%02d%02d%02d%02dZ",
274 (int)greg
.year
, greg
.month
, greg
.day
, greg
.hour
,
275 greg
.minute
, seconds
);
281 unsigned char *md
) // allocd by caller, CC_SHA1_DIGEST_LENGTH bytes
285 CC_SHA1_Update(&ctx
, data
, len
);
286 CC_SHA1_Final(md
, &ctx
);
292 unsigned char *md
) // allocd by caller, CC_MD5_DIGEST_LENGTH bytes
296 CC_MD5_Update(&ctx
, data
, len
);
297 CC_MD5_Final(md
, &ctx
);
303 unsigned char *md
) // allocd by caller, CC_MD4_DIGEST_LENGTH bytes
307 CC_MD4_Update(&ctx
, data
, len
);
308 CC_MD4_Final(md
, &ctx
);
314 unsigned char *md
) // allocd by caller, CC_SHA256_DIGEST_LENGTH bytes
317 CC_SHA256_Init(&ctx
);
318 CC_SHA256_Update(&ctx
, data
, len
);
319 CC_SHA256_Final(md
, &ctx
);
323 * How many items in a NULL-terminated array of pointers?
325 unsigned ocspdArraySize(
337 /* Fill out a CSSM_DATA with the subset of public key bytes from the given
338 * CSSM_KEY_PTR which should be hashed to produce the issuerKeyHash field
339 * of a CertID in an OCSP request.
341 * For RSA keys, this simply copies the input key pointer and length.
342 * For EC keys, we need to further deconstruct the SubjectPublicKeyInfo
343 * to obtain the key bytes (i.e. curve point) for hashing.
345 * Returns CSSM_OK on success, or non-zero error if the bytes could not
348 CSSM_RETURN
ocspdGetPublicKeyBytes(
349 SecAsn1CoderRef coder
, // optional
350 CSSM_KEY_PTR publicKey
, // input public key
351 CSSM_DATA
&publicKeyBytes
) // filled in by this function
353 CSSM_RETURN crtn
= CSSM_OK
;
354 SecAsn1CoderRef _coder
= NULL
;
356 if(publicKey
== NULL
) {
357 crtn
= CSSMERR_CSP_INVALID_KEY_POINTER
;
362 crtn
= SecAsn1CoderCreate(&_coder
);
369 publicKeyBytes
.Length
= publicKey
->KeyData
.Length
;
370 publicKeyBytes
.Data
= publicKey
->KeyData
.Data
;
372 if(publicKey
->KeyHeader
.AlgorithmId
== CSSM_ALGID_ECDSA
) {
374 * For an EC key, publicKey->KeyData is a SubjectPublicKeyInfo
375 * ASN.1 sequence that includes the algorithm identifier.
376 * We only want to return the bit string portion of the key here.
378 SecAsn1PubKeyInfo pkinfo
;
379 memset(&pkinfo
, 0, sizeof(pkinfo
));
380 if(SecAsn1Decode(coder
,
381 publicKey
->KeyData
.Data
,
382 publicKey
->KeyData
.Length
,
383 kSecAsn1SubjectPublicKeyInfoTemplate
,
385 if(pkinfo
.subjectPublicKey
.Length
&&
386 pkinfo
.subjectPublicKey
.Data
) {
387 publicKeyBytes
.Length
= pkinfo
.subjectPublicKey
.Length
>> 3;
388 publicKeyBytes
.Data
= pkinfo
.subjectPublicKey
.Data
;
390 * Important: if we allocated the SecAsn1Coder, the memory
391 * being pointed to by pkinfo.subjectPublicKey.Data will be
392 * deallocated when the coder is released below. We want to
393 * point to the identical data inside the caller's public key,
394 * now that the decoder has identified it for us.
396 if(publicKeyBytes
.Length
<= publicKey
->KeyData
.Length
) {
397 publicKeyBytes
.Data
= (uint8
*)((uintptr_t)publicKey
->KeyData
.Data
+
398 (publicKey
->KeyData
.Length
- publicKeyBytes
.Length
));
401 /* intentional fallthrough to error exit */
403 ocspdErrorLog("ocspdGetPublicKeyBytes: invalid SecAsn1PubKeyInfo\n");
404 crtn
= CSSMERR_CSP_INVALID_KEY_POINTER
;
407 /* Unable to decode using kSecAsn1SubjectPublicKeyInfoTemplate.
408 * This may or may not be an error; just return the unchanged key.
410 ocspdErrorLog("ocspdGetPublicKeyBytes: unable to decode SubjectPublicKeyInfo\n");
416 SecAsn1CoderRelease(_coder
);