OSX/sec/securityd/SecTrustStoreServer.m

   1 /*
   2  * Copyright (c) 2018 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #include <AssertMacros.h>
  25 #import <Foundation/Foundation.h>
  26 #include <stdatomic.h>
  27 #include <notify.h>
  28 #include <Security/Security.h>
  29 #include <Security/SecTrustSettingsPriv.h>
  30 #include <Security/SecPolicyPriv.h>
  31 #include <utilities/SecFileLocations.h>
  32 #include <utilities/SecCFWrappers.h>
  33 #import "OTATrustUtilities.h"
  34 #include "SecTrustStoreServer.h"
  35
  36 typedef bool(*exceptionsArrayValueChecker)(id _Nonnull obj);
  37
  38 static bool checkDomainsValuesCompliance(id _Nonnull obj) {
  39     if (![obj isKindOfClass:[NSString class]]) {
  40         return false;
  41     }
  42     if (SecDNSIsTLD((__bridge CFStringRef)obj)) {
  43         return false;
  44     }
  45     return true;
  46 }
  47
  48 static bool checkCAsValuesCompliance(id _Nonnull obj) {
  49     if (![obj isKindOfClass:[NSDictionary class]]) {
  50         return false;
  51     }
  52     if (2 != [(NSDictionary*)obj count]) {
  53         return false;
  54     }
  55     if (nil == ((NSDictionary*)obj)[(__bridge NSString*)kSecCTExceptionsHashAlgorithmKey] ||
  56         nil == ((NSDictionary*)obj)[(__bridge NSString*)kSecCTExceptionsSPKIHashKey]) {
  57         return false;
  58     }
  59     if (![((NSDictionary*)obj)[(__bridge NSString*)kSecCTExceptionsHashAlgorithmKey] isKindOfClass:[NSString class]] ||
  60         ![((NSDictionary*)obj)[(__bridge NSString*)kSecCTExceptionsSPKIHashKey] isKindOfClass:[NSData class]]) {
  61         return false;
  62     }
  63     if (![((NSDictionary*)obj)[(__bridge NSString*)kSecCTExceptionsHashAlgorithmKey] isEqualToString:@"sha256"]) {
  64         return false;
  65     }
  66     return true;
  67 }
  68
  69 static bool checkExceptionsValues(NSString *key, id value, exceptionsArrayValueChecker checker, CFErrorRef *error) {
  70     if (![value isKindOfClass:[NSArray class]]) {
  71         return SecError(errSecParam, error, CFSTR("value for %@ is not an array in exceptions dictionary"), key);
  72     }
  73
  74     __block bool result = true;
  75     [(NSArray*)value enumerateObjectsUsingBlock:^(id  _Nonnull obj, NSUInteger idx, BOOL * _Nonnull stop) {
  76         if (!checker(obj)) {
  77             result = SecError(errSecParam, error, CFSTR("value %lu for %@ is not the expected type"), (unsigned long)idx, key);
  78             *stop = true;
  79         }
  80     }];
  81     return result;
  82 }
  83
  84 static bool checkInputExceptionsAndSetAppExceptions(NSDictionary *inExceptions, NSMutableDictionary *appExceptions, CFErrorRef *error) {
  85     __block bool result = true;
  86     [inExceptions enumerateKeysAndObjectsUsingBlock:^(NSString *_Nonnull key, id  _Nonnull obj, BOOL * _Nonnull stop) {
  87         if ([key isEqualToString:(__bridge NSString*)kSecCTExceptionsDomainsKey]) {
  88             if (!checkExceptionsValues(key, obj, checkDomainsValuesCompliance, error)) {
  89                 *stop = YES;
  90                 result = false;
  91                 return;
  92             }
  93         } else if ([key isEqualToString:(__bridge NSString*)kSecCTExceptionsCAsKey]) {
  94             if (!checkExceptionsValues(key, obj, checkCAsValuesCompliance, error)) {
  95                 *stop = YES;
  96                 result = false;
  97                 return;
  98             }
  99         } else {
 100             result = SecError(errSecParam, error, CFSTR("unknown key (%@) in exceptions dictionary"), key);
 101             *stop = YES;
 102             result = false;
 103             return;
 104         }
 105         if ([(NSArray*)obj count] == 0) {
 106             [appExceptions removeObjectForKey:key];
 107         } else {
 108             appExceptions[key] = obj;
 109         }
 110     }];
 111     return result;
 112 }
 113
 114 static _Atomic bool gHasCTExceptions = false;
 115 #define kSecCTExceptionsChanged "com.apple.trustd.ct.exceptions-changed"
 116
 117 bool _SecTrustStoreSetCTExceptions(CFStringRef appID, CFDictionaryRef exceptions, CFErrorRef *error)  {
 118     if (!SecOTAPKIIsSystemTrustd()) {
 119         return SecError(errSecWrPerm, error, CFSTR("Unable to write CT exceptions from user agent"));
 120     }
 121
 122     if (!appID) {
 123         return SecError(errSecParam, error, CFSTR("application-identifier required to set exceptions"));
 124     }
 125
 126     @autoreleasepool {
 127 #if TARGET_OS_IPHONE
 128         NSURL *keychainsDirectory = CFBridgingRelease(SecCopyURLForFileInKeychainDirectory(nil));
 129 #else
 130         NSURL *keychainsDirectory = [NSURL fileURLWithFileSystemRepresentation:"/Library/Keychains/" isDirectory:YES relativeToURL:nil];
 131 #endif
 132         NSURL *ctExceptionsFile = [keychainsDirectory URLByAppendingPathComponent:@"CTExceptions.plist"];
 133         NSMutableDictionary *allExceptions = [NSMutableDictionary dictionaryWithContentsOfURL:ctExceptionsFile];
 134         NSMutableDictionary *appExceptions = NULL;
 135         if (allExceptions && allExceptions[(__bridge NSString*)appID]) {
 136             appExceptions = [allExceptions[(__bridge NSString*)appID] mutableCopy];
 137         } else {
 138             appExceptions = [NSMutableDictionary dictionary];
 139             if (!allExceptions) {
 140                 allExceptions =  [NSMutableDictionary dictionary];
 141             }
 142         }
 143
 144         if (exceptions && (CFDictionaryGetCount(exceptions) > 0)) {
 145             NSDictionary *inExceptions = (__bridge NSDictionary*)exceptions;
 146             if (!checkInputExceptionsAndSetAppExceptions(inExceptions, appExceptions, error)) {
 147                 return false;
 148             }
 149         }
 150
 151         if (!exceptions || [appExceptions count] == 0) {
 152             [allExceptions removeObjectForKey:(__bridge NSString*)appID];
 153         } else {
 154             allExceptions[(__bridge NSString*)appID] = appExceptions;
 155         }
 156
 157         NSError *nserror = nil;
 158         if (![allExceptions writeToURL:ctExceptionsFile error:&nserror] && error) {
 159             *error = CFRetainSafe((__bridge CFErrorRef)nserror);
 160             return false;
 161         }
 162         atomic_store(&gHasCTExceptions, [allExceptions count] != 0);
 163         notify_post(kSecCTExceptionsChanged);
 164         return true;
 165     }
 166 }
 167
 168 CFDictionaryRef _SecTrustStoreCopyCTExceptions(CFStringRef appID, CFErrorRef *error) {
 169     @autoreleasepool {
 170         static int notify_token = 0;
 171         int check = 0;
 172         if (!SecOTAPKIIsSystemTrustd()) {
 173             /* Check whether we got a notification. If we didn't, and there are no exceptions set, return NULL.
 174              * Otherwise, we need to read from disk */
 175             uint32_t check_status = notify_check(notify_token, &check);
 176             if (check_status == NOTIFY_STATUS_OK && check == 0 && !atomic_load(&gHasCTExceptions)) {
 177                 return NULL;
 178             }
 179         } else {
 180             if (!atomic_load(&gHasCTExceptions)) {
 181                 return NULL;
 182             }
 183         }
 184
 185 #if TARGET_OS_IPHONE
 186         NSURL *keychainsDirectory = CFBridgingRelease(SecCopyURLForFileInKeychainDirectory(nil));
 187 #else
 188         NSURL *keychainsDirectory = [NSURL fileURLWithFileSystemRepresentation:"/Library/Keychains/" isDirectory:YES relativeToURL:nil];
 189 #endif
 190         NSURL *ctExceptionsFile = [keychainsDirectory URLByAppendingPathComponent:@"CTExceptions.plist"];
 191         NSDictionary <NSString*,NSDictionary*> *allExceptions = [NSDictionary dictionaryWithContentsOfURL:ctExceptionsFile];
 192
 193         /* Set us up for not reading the disk when there are never exceptions */
 194         static dispatch_once_t onceToken;
 195         dispatch_once(&onceToken, ^{
 196             atomic_init(&gHasCTExceptions, allExceptions && [allExceptions count] == 0);
 197             if (!SecOTAPKIIsSystemTrustd()) {
 198                 uint32_t status = notify_register_check(kSecCTExceptionsChanged, &notify_token);
 199                 if (status == NOTIFY_STATUS_OK) {
 200                     status = notify_check(notify_token, NULL);
 201                 }
 202                 if (status != NOTIFY_STATUS_OK) {
 203                     secerror("failed to establish notification for CT exceptions: %ud", status);
 204                     notify_cancel(notify_token);
 205                     notify_token = 0;
 206                 }
 207             }
 208         });
 209
 210         if (!allExceptions || [allExceptions count] == 0) {
 211             atomic_store(&gHasCTExceptions, false);
 212             return NULL;
 213         }
 214
 215         /* If the caller specified an appID, return only the exceptions for that appID */
 216         if (appID) {
 217             return CFBridgingRetain(allExceptions[(__bridge NSString*)appID]);
 218         }
 219
 220         /* Otherwise, combine all the exceptions into one array */
 221         NSMutableArray *domainExceptions = [NSMutableArray array];
 222         NSMutableArray *caExceptions = [NSMutableArray array];
 223         [allExceptions enumerateKeysAndObjectsUsingBlock:^(NSString * _Nonnull __unused key, NSDictionary * _Nonnull appExceptions,
 224                                                            BOOL * _Nonnull __unused stop) {
 225             if (appExceptions[(__bridge NSString*)kSecCTExceptionsDomainsKey] &&
 226                 checkExceptionsValues((__bridge NSString*)kSecCTExceptionsDomainsKey, appExceptions[(__bridge NSString*)kSecCTExceptionsDomainsKey],
 227                                       checkDomainsValuesCompliance, error)) {
 228                 [domainExceptions addObjectsFromArray:appExceptions[(__bridge NSString*)kSecCTExceptionsDomainsKey]];
 229             }
 230             if (appExceptions[(__bridge NSString*)kSecCTExceptionsCAsKey] &&
 231                 checkExceptionsValues((__bridge NSString*)kSecCTExceptionsCAsKey, appExceptions[(__bridge NSString*)kSecCTExceptionsCAsKey],
 232                                       checkCAsValuesCompliance, error)) {
 233                 [caExceptions addObjectsFromArray:appExceptions[(__bridge NSString*)kSecCTExceptionsCAsKey]];
 234             }
 235         }];
 236         NSMutableDictionary *exceptions = [NSMutableDictionary dictionaryWithCapacity:2];
 237         if ([domainExceptions count] > 0) {
 238             exceptions[(__bridge NSString*)kSecCTExceptionsDomainsKey] = domainExceptions;
 239         }
 240         if ([caExceptions count] > 0) {
 241             exceptions[(__bridge NSString*)kSecCTExceptionsCAsKey] = caExceptions;
 242         }
 243         if ([exceptions count] > 0) {
 244             atomic_store(&gHasCTExceptions, true);
 245             return CFBridgingRetain(exceptions);
 246         }
 247         return NULL;
 248     }
 249 }