]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/SecTrustStatusCodes.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-58286.1.32.tar.gz
[apple/security.git] / OSX / sec / Security / SecTrustStatusCodes.c
1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * SecTrustStatusCodes.c - map trust result details to status codes
24 *
25 */
26
27 #include <Security/SecTrustPriv.h>
28 #include <Security/SecInternal.h>
29 #include <Security/SecTrustStatusCodes.h>
30 #include <CoreFoundation/CoreFoundation.h>
31
32 struct resultmap_entry_s {
33 const CFStringRef checkstr;
34 const int32_t resultcode;
35 };
36 typedef struct resultmap_entry_s resultmap_entry_t;
37
38 const resultmap_entry_t resultmap[] = {
39 { CFSTR("SSLHostname"), 0x80012400, /* CSSMERR_APPLETP_HOSTNAME_MISMATCH */},
40 { CFSTR("email"), 0x80012418, /* CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND */},
41 { CFSTR("IssuerCommonName"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */},
42 { CFSTR("SubjectCommonName"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */},
43 { CFSTR("SubjectCommonNamePrefix"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */},
44 { CFSTR("SubjectCommonNameTEST"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */},
45 { CFSTR("SubjectOrganization"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */},
46 { CFSTR("SubjectOrganizationalUnit"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */},
47 { CFSTR("EAPTrustedServerNames"), 0x80012400 /* CSSMERR_APPLETP_HOSTNAME_MISMATCH */},
48 { CFSTR("CertificatePolicy"), 0x80012439 /* CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION */},
49 { CFSTR("KeyUsage"), 0x80012406 /* CSSMERR_APPLETP_INVALID_KEY_USAGE */},
50 { CFSTR("ExtendedKeyUsage"), 0x80012407 /* CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE */},
51 { CFSTR("BasicConstraints"), 0x80012402 /* CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS */},
52 { CFSTR("QualifiedCertStatements"), 0x80012438 /* CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT */},
53 { CFSTR("IntermediateSPKISHA256"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */},
54 { CFSTR("IntermediateEKU"), 0x80012407 /* CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE */},
55 { CFSTR("AnchorSHA1"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */},
56 { CFSTR("AnchorSHA256"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */},
57 { CFSTR("AnchorTrusted"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */},
58 { CFSTR("AnchorApple"), 0x8001243C /* CSSMERR_APPLETP_CA_PIN_MISMATCH */},
59 { CFSTR("NonEmptySubject"), 0x80012437 /* CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT */},
60 { CFSTR("IdLinkage"), 0x80012404 /* CSSMERR_APPLETP_INVALID_AUTHORITY_ID */},
61 { CFSTR("WeakIntermediates"), 0x80012115 /* CSSMERR_TP_INVALID_CERTIFICATE */},
62 { CFSTR("WeakLeaf"), 0x80012115 /* CSSMERR_TP_INVALID_CERTIFICATE */},
63 { CFSTR("WeakRoot"), 0x80012115 /* CSSMERR_TP_INVALID_CERTIFICATE */},
64 { CFSTR("KeySize"), 0x80010918 /* CSSMERR_CSP_UNSUPPORTED_KEY_SIZE */},
65 { CFSTR("SignatureHashAlgorithms"), 0x80010913 /* CSSMERR_CSP_ALGID_MISMATCH */},
66 { CFSTR("SystemTrustedWeakHash"), 0x80010955 /* CSSMERR_CSP_INVALID_DIGEST_ALGORITHM */},
67 { CFSTR("CriticalExtensions"), 0x80012401 /* CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN */},
68 { CFSTR("ChainLength"), 0x80012409 /* CSSMERR_APPLETP_PATH_LEN_CONSTRAINT */},
69 { CFSTR("BasicCertificateProcessing"), 0x80012115 /* CSSMERR_TP_INVALID_CERTIFICATE */},
70 { CFSTR("ExtendedValidation"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */},
71 { CFSTR("Revocation"), 0x8001210C /* CSSMERR_TP_CERT_REVOKED */},
72 { CFSTR("RevocationResponseRequired"), 0x80012423 /* CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK */},
73 { CFSTR("CertificateTransparency"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */},
74 { CFSTR("BlackListedLeaf"), 0x8001210C /* CSSMERR_TP_CERT_REVOKED */},
75 { CFSTR("GrayListedLeaf"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */},
76 { CFSTR("GrayListedKey"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */},
77 { CFSTR("BlackListedKey"), 0x8001210C /* CSSMERR_TP_CERT_REVOKED */},
78 { CFSTR("CheckLeafMarkerOid"), 0x80012439 /* CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION */},
79 { CFSTR("CheckLeafMarkerOidNoValueCheck"), 0x80012439 /* CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION */},
80 { CFSTR("CheckIntermediateMarkerOid"), 0x80012439 /* CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION */},
81 { CFSTR("UsageConstraints"), 0x80012436 /* CSSMERR_APPLETP_TRUST_SETTING_DENY */},
82 { CFSTR("NotValidBefore"), 0x8001210B /* CSSMERR_TP_CERT_NOT_VALID_YET */},
83 { CFSTR("ValidIntermediates"), 0x8001210A /* CSSMERR_TP_CERT_EXPIRED */},
84 { CFSTR("ValidLeaf"), 0x8001210A /* CSSMERR_TP_CERT_EXPIRED */},
85 { CFSTR("ValidRoot"), 0x8001210A /* CSSMERR_TP_CERT_EXPIRED */},
86 };
87
88 //
89 // Returns a malloced array of SInt32 values, with the length in numStatusCodes,
90 // for the certificate specified by chain index in the given SecTrustRef.
91 //
92 // To match legacy behavior, the array actually allocates one element more than the
93 // value of numStatusCodes; if the certificate is revoked, the additional element
94 // at the end contains the CrlReason value.
95 //
96 // Caller must free the returned pointer.
97 //
98 SInt32 *SecTrustCopyStatusCodes(SecTrustRef trust,
99 CFIndex index, CFIndex *numStatusCodes)
100 {
101 if (!trust || !numStatusCodes) {
102 return NULL;
103 }
104 *numStatusCodes = 0;
105 CFArrayRef details = SecTrustCopyFilteredDetails(trust);
106 CFIndex chainLength = (details) ? CFArrayGetCount(details) : 0;
107 if (!(index < chainLength)) {
108 CFReleaseSafe(details);
109 return NULL;
110 }
111 CFDictionaryRef detail = (CFDictionaryRef)CFArrayGetValueAtIndex(details, index);
112 CFIndex ix, detailCount = CFDictionaryGetCount(detail);
113 *numStatusCodes = (unsigned int)detailCount;
114
115 // Allocate one more entry than we need; this is used to store a CrlReason
116 // at the end of the array.
117 SInt32 *statusCodes = (SInt32*)malloc((detailCount+1) * sizeof(SInt32));
118 statusCodes[*numStatusCodes] = 0;
119
120 const unsigned int resultmaplen = sizeof(resultmap) / sizeof(resultmap_entry_t);
121 const void *keys[detailCount];
122 CFDictionaryGetKeysAndValues(detail, &keys[0], NULL);
123 for (ix = 0; ix < detailCount; ix++) {
124 CFStringRef key = (CFStringRef)keys[ix];
125 SInt32 statusCode = 0;
126 for (unsigned int mapix = 0; mapix < resultmaplen; mapix++) {
127 CFStringRef str = (CFStringRef) resultmap[mapix].checkstr;
128 if (CFStringCompare(str, key, 0) == kCFCompareEqualTo) {
129 statusCode = (SInt32) resultmap[mapix].resultcode;
130 break;
131 }
132 }
133 if (statusCode == (SInt32)0x8001210C) { /* CSSMERR_TP_CERT_REVOKED */
134 SInt32 reason;
135 CFNumberRef number = (CFNumberRef)CFDictionaryGetValue(detail, key);
136 if (number && CFNumberGetValue(number, kCFNumberSInt32Type, &reason)) {
137 statusCodes[*numStatusCodes] = (SInt32)reason;
138 }
139 }
140 statusCodes[ix] = statusCode;
141 }
142
143 CFReleaseSafe(details);
144 return statusCodes;
145 }
mirror of Security