]> git.saurik.com Git - apple/security.git/blob - OSX/sec/securityd/SecCAIssuerRequest.c
Security-57740.51.3.tar.gz
[apple/security.git] / OSX / sec / securityd / SecCAIssuerRequest.c
1 /*
2 * Copyright (c) 2009-2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * SecCAIssuerRequest.c - asynchronous CAIssuer request fetching engine.
26 */
27
28
29 #include "SecCAIssuerRequest.h"
30 #include "SecCAIssuerCache.h"
31
32 #include <Security/SecInternal.h>
33 #include <Security/SecCMS.h>
34 #include <CoreFoundation/CFURL.h>
35 #include <CFNetwork/CFHTTPMessage.h>
36 #include <utilities/debugging.h>
37 #include <Security/SecCertificateInternal.h>
38 #include <securityd/asynchttp.h>
39 #include <stdlib.h>
40
41 #define MAX_CA_ISSUERS 3
42 #define CA_ISSUERS_REQUEST_THRESHOLD 10
43
44
45 /* CA Issuer lookup code. */
46
47 typedef struct SecCAIssuerRequest *SecCAIssuerRequestRef;
48 struct SecCAIssuerRequest {
49 asynchttp_t http; /* Must be first field. */
50 SecCertificateRef certificate;
51 CFArrayRef issuers; /* NONRETAINED */
52 CFIndex issuerIX;
53 void *context;
54 void (*callback)(void *, CFArrayRef);
55 };
56
57 static void SecCAIssuerRequestRelease(SecCAIssuerRequestRef request) {
58 CFRelease(request->certificate);
59 asynchttp_free(&request->http);
60 free(request);
61 }
62
63 static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) {
64 CFIndex count = CFArrayGetCount(request->issuers);
65 if (count >= CA_ISSUERS_REQUEST_THRESHOLD) {
66 secnotice("caissuer", "too many caIssuer entries (%ld)", (long)count);
67 request->callback(request->context, NULL);
68 SecCAIssuerRequestRelease(request);
69 return true;
70 }
71 while (request->issuerIX < count && request->issuerIX < MAX_CA_ISSUERS) {
72 CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
73 request->issuerIX++);
74 CFStringRef scheme = CFURLCopyScheme(issuer);
75 if (scheme) {
76 if (CFEqual(CFSTR("http"), scheme)) {
77 CFHTTPMessageRef msg = CFHTTPMessageCreateRequest(kCFAllocatorDefault,
78 CFSTR("GET"), issuer, kCFHTTPVersion1_1);
79 if (msg) {
80 secinfo("caissuer", "%@", msg);
81 bool done = asynchttp_request(msg, 0, &request->http);
82 CFRelease(msg);
83 if (done == false) {
84 CFRelease(scheme);
85 return done;
86 }
87 }
88 secdebug("caissuer", "failed to get %@", issuer);
89 } else {
90 secnotice("caissuer", "skipping unsupported uri %@", issuer);
91 }
92 CFRelease(scheme);
93 }
94 }
95
96 /* No more issuers left to try, we're done. */
97 secdebug("caissuer", "no request issued");
98 request->callback(request->context, NULL);
99 SecCAIssuerRequestRelease(request);
100 return true;
101 }
102
103 /* Releases parent unconditionally, and return a CFArrayRef containing
104 parent if the normalized subject of parent matches the normalized issuer
105 of certificate. */
106 static CF_RETURNS_RETAINED CFArrayRef SecCAIssuerConvertToParents(SecCertificateRef certificate,
107 SecCertificateRef CF_CONSUMED parent) {
108 CFDataRef nic = SecCertificateGetNormalizedIssuerContent(certificate);
109 CFArrayRef parents = NULL;
110 if (parent) {
111 CFDataRef parent_nic = SecCertificateGetNormalizedSubjectContent(parent);
112 if (nic && parent_nic && CFEqual(nic, parent_nic)) {
113 const void *ventry = parent;
114 parents = CFArrayCreate(NULL, &ventry, 1, &kCFTypeArrayCallBacks);
115 }
116 CFRelease(parent);
117 }
118 return parents;
119 }
120
121 #define SECONDS_PER_DAY (86400.0)
122 static void SecCAIssuerRequestCompleted(asynchttp_t *http,
123 CFTimeInterval maxAge) {
124 /* Cast depends on http being first field in struct SecCAIssuerRequest. */
125 SecCAIssuerRequestRef request = (SecCAIssuerRequestRef)http;
126 CFDataRef data = (request->http.response ?
127 CFHTTPMessageCopyBody(request->http.response) : NULL);
128 if (data) {
129 /* RFC5280 4.2.2.1:
130 "accessLocation MUST be a uniformResourceIdentifier and the URI
131 MUST point to either a single DER encoded certificate as speci-
132 fied in [RFC2585] or a collection of certificates in a BER or
133 DER encoded "certs-only" CMS message as specified in [RFC2797]." */
134
135 /* DER-encoded certificate */
136 SecCertificateRef parent = SecCertificateCreateWithData(NULL, data);
137
138 /* "certs-only" CMS Message */
139 if (!parent) {
140 CFArrayRef certificates = NULL;
141 certificates = SecCMSCertificatesOnlyMessageCopyCertificates(data);
142 /* @@@ Technically these can have more than one certificate */
143 if (certificates && CFArrayGetCount(certificates) == 1) {
144 parent = CFRetainSafe((SecCertificateRef)CFArrayGetValueAtIndex(certificates, 0));
145 }
146 CFReleaseNull(certificates);
147 }
148
149 /* Retry in case the certificate is in PEM format. Some CAs
150 incorrectly return a PEM encoded cert, despite RFC 5280 4.2.2.1 */
151 if (!parent) {
152 parent = SecCertificateCreateWithPEM(NULL, data);
153 }
154 CFRelease(data);
155 if (parent) {
156 /* We keep responses in the cache for at least 7 days, or longer
157 if the http response tells us to keep it around for more. */
158 if (maxAge < SECONDS_PER_DAY * 7)
159 maxAge = SECONDS_PER_DAY * 7;
160 CFAbsoluteTime expires = CFAbsoluteTimeGetCurrent() + maxAge;
161 CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
162 request->issuerIX - 1);
163 SecCAIssuerCacheAddCertificate(parent, issuer, expires);
164 CFArrayRef parents = SecCAIssuerConvertToParents(
165 request->certificate, parent); /* note: this releases parent */
166 if (parents) {
167 secdebug("caissuer", "response: %@ good", http->response);
168 request->callback(request->context, parents);
169 CFRelease(parents);
170 SecCAIssuerRequestRelease(request);
171 return;
172 }
173 }
174 }
175
176 secdebug("caissuer", "response: %@ not parent, trying next caissuer",
177 http->response);
178 SecCAIssuerRequestIssue(request);
179 }
180
181 static CFArrayRef SecCAIssuerRequestCacheCopyParents(SecCertificateRef cert,
182 CFArrayRef issuers) {
183 CFIndex ix = 0, ex = CFArrayGetCount(issuers);
184 for (;ix < ex; ++ix) {
185 CFURLRef issuer = CFArrayGetValueAtIndex(issuers, ix);
186 CFStringRef scheme = CFURLCopyScheme(issuer);
187 if (scheme) {
188 if (CFEqual(CFSTR("http"), scheme)) {
189 CFArrayRef parents = SecCAIssuerConvertToParents(cert,
190 SecCAIssuerCacheCopyMatching(issuer));
191 if (parents) {
192 secdebug("caissuer", "cache hit, for %@ no request issued", issuer);
193 CFRelease(scheme);
194 return parents;
195 }
196 }
197 CFRelease(scheme);
198 }
199 }
200 return NULL;
201 }
202
203 bool SecCAIssuerCopyParents(SecCertificateRef certificate, dispatch_queue_t queue,
204 void *context, void (*callback)(void *, CFArrayRef)) {
205 CFArrayRef issuers = SecCertificateGetCAIssuers(certificate);
206 if (!issuers) {
207 /* certificate has no caissuer urls, we're done. */
208 callback(context, NULL);
209 return true;
210 }
211
212 CFArrayRef parents = SecCAIssuerRequestCacheCopyParents(certificate, issuers);
213 if (parents) {
214 callback(context, parents);
215 CFReleaseSafe(parents);
216 return true;
217 }
218
219 /* Cache miss, let's issue a network request. */
220 SecCAIssuerRequestRef request =
221 (SecCAIssuerRequestRef)calloc(1, sizeof(*request));
222 request->http.queue = queue;
223 request->http.completed = SecCAIssuerRequestCompleted;
224 CFRetain(certificate);
225 request->certificate = certificate;
226 request->issuers = issuers;
227 request->issuerIX = 0;
228 request->context = context;
229 request->callback = callback;
230
231 return SecCAIssuerRequestIssue(request);
232 }
233