OSX/sec/securityd/SecCAIssuerRequest.c

   1 /*
   2  * Copyright (c) 2009-2016 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 /*
  25  * SecCAIssuerRequest.c - asynchronous CAIssuer request fetching engine.
  26  */
  27
  28
  29 #include "SecCAIssuerRequest.h"
  30 #include "SecCAIssuerCache.h"
  31
  32 #include <Security/SecInternal.h>
  33 #include <Security/SecCMS.h>
  34 #include <CoreFoundation/CFURL.h>
  35 #include <CFNetwork/CFHTTPMessage.h>
  36 #include <utilities/debugging.h>
  37 #include <Security/SecCertificateInternal.h>
  38 #include <securityd/asynchttp.h>
  39 #include <stdlib.h>
  40
  41 #define MAX_CA_ISSUERS 3
  42 #define CA_ISSUERS_REQUEST_THRESHOLD 10
  43
  44
  45 /* CA Issuer lookup code. */
  46
  47 typedef struct SecCAIssuerRequest *SecCAIssuerRequestRef;
  48 struct SecCAIssuerRequest {
  49     asynchttp_t http;   /* Must be first field. */
  50     SecCertificateRef certificate;
  51     CFArrayRef issuers; /* NONRETAINED */
  52     CFIndex issuerIX;
  53     void *context;
  54     void (*callback)(void *, CFArrayRef);
  55 };
  56
  57 static void SecCAIssuerRequestRelease(SecCAIssuerRequestRef request) {
  58     CFRelease(request->certificate);
  59     asynchttp_free(&request->http);
  60     free(request);
  61 }
  62
  63 static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) {
  64     CFIndex count = CFArrayGetCount(request->issuers);
  65     if (count >= CA_ISSUERS_REQUEST_THRESHOLD) {
  66         secnotice("caissuer", "too many caIssuer entries (%ld)", (long)count);
  67         request->callback(request->context, NULL);
  68         SecCAIssuerRequestRelease(request);
  69         return true;
  70     }
  71     while (request->issuerIX < count && request->issuerIX < MAX_CA_ISSUERS) {
  72         CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
  73                                                  request->issuerIX++);
  74         CFStringRef scheme = CFURLCopyScheme(issuer);
  75         if (scheme) {
  76             if (CFEqual(CFSTR("http"), scheme)) {
  77                 CFHTTPMessageRef msg = CFHTTPMessageCreateRequest(kCFAllocatorDefault,
  78                                                                   CFSTR("GET"), issuer, kCFHTTPVersion1_1);
  79                 if (msg) {
  80                     secinfo("caissuer", "%@", msg);
  81                     bool done = asynchttp_request(msg, 0, &request->http);
  82                     CFRelease(msg);
  83                     if (done == false) {
  84                         CFRelease(scheme);
  85                         return done;
  86                     }
  87                 }
  88                 secdebug("caissuer", "failed to get %@", issuer);
  89             } else {
  90                 secnotice("caissuer", "skipping unsupported uri %@", issuer);
  91             }
  92             CFRelease(scheme);
  93         }
  94     }
  95
  96     /* No more issuers left to try, we're done. */
  97     secdebug("caissuer", "no request issued");
  98     request->callback(request->context, NULL);
  99     SecCAIssuerRequestRelease(request);
 100     return true;
 101 }
 102
 103 /* Releases parent unconditionally, and return a CFArrayRef containing
 104    parent if the normalized subject of parent matches the normalized issuer
 105    of certificate. */
 106 static CF_RETURNS_RETAINED CFArrayRef SecCAIssuerConvertToParents(SecCertificateRef certificate,
 107     SecCertificateRef CF_CONSUMED parent) {
 108     CFDataRef nic = SecCertificateGetNormalizedIssuerContent(certificate);
 109     CFArrayRef parents = NULL;
 110     if (parent) {
 111         CFDataRef parent_nic = SecCertificateGetNormalizedSubjectContent(parent);
 112         if (nic && parent_nic && CFEqual(nic, parent_nic)) {
 113             const void *ventry = parent;
 114             parents = CFArrayCreate(NULL, &ventry, 1, &kCFTypeArrayCallBacks);
 115         }
 116         CFRelease(parent);
 117     }
 118     return parents;
 119 }
 120
 121 #define SECONDS_PER_DAY (86400.0)
 122 static void SecCAIssuerRequestCompleted(asynchttp_t *http,
 123     CFTimeInterval maxAge) {
 124     /* Cast depends on http being first field in struct SecCAIssuerRequest. */
 125     SecCAIssuerRequestRef request = (SecCAIssuerRequestRef)http;
 126     CFDataRef data = (request->http.response ?
 127         CFHTTPMessageCopyBody(request->http.response) : NULL);
 128     if (data) {
 129         /* RFC5280 4.2.2.1:
 130         "accessLocation MUST be a uniformResourceIdentifier and the URI
 131         MUST point to either a single DER encoded certificate as speci-
 132         fied in [RFC2585] or a collection of certificates in a BER or
 133         DER encoded "certs-only" CMS message as specified in [RFC2797]." */
 134
 135         /* DER-encoded certificate */
 136         SecCertificateRef parent = SecCertificateCreateWithData(NULL, data);
 137
 138         /* "certs-only" CMS Message */
 139         if (!parent) {
 140             CFArrayRef certificates = NULL;
 141             certificates = SecCMSCertificatesOnlyMessageCopyCertificates(data);
 142             /* @@@ Technically these can have more than one certificate */
 143             if (certificates && CFArrayGetCount(certificates) == 1) {
 144                 parent = CFRetainSafe((SecCertificateRef)CFArrayGetValueAtIndex(certificates, 0));
 145             }
 146             CFReleaseNull(certificates);
 147         }
 148
 149         /* Retry in case the certificate is in PEM format. Some CAs
 150          incorrectly return a PEM encoded cert, despite RFC 5280 4.2.2.1 */
 151         if (!parent) {
 152             parent = SecCertificateCreateWithPEM(NULL, data);
 153         }
 154         CFRelease(data);
 155         if (parent) {
 156             /* We keep responses in the cache for at least 7 days, or longer
 157              if the http response tells us to keep it around for more. */
 158             if (maxAge < SECONDS_PER_DAY * 7)
 159                 maxAge = SECONDS_PER_DAY * 7;
 160             CFAbsoluteTime expires = CFAbsoluteTimeGetCurrent() + maxAge;
 161             CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
 162                                                      request->issuerIX - 1);
 163             SecCAIssuerCacheAddCertificate(parent, issuer, expires);
 164             CFArrayRef parents = SecCAIssuerConvertToParents(
 165                 request->certificate, parent); /* note: this releases parent */
 166             if (parents) {
 167                 secdebug("caissuer", "response: %@ good", http->response);
 168                 request->callback(request->context, parents);
 169                 CFRelease(parents);
 170                 SecCAIssuerRequestRelease(request);
 171                 return;
 172             }
 173         }
 174     }
 175
 176     secdebug("caissuer", "response: %@ not parent, trying next caissuer",
 177         http->response);
 178     /* We're re-using this http object, so we need to free all the old memory. */
 179     asynchttp_free(&request->http);
 180     SecCAIssuerRequestIssue(request);
 181 }
 182
 183 static CFArrayRef SecCAIssuerRequestCacheCopyParents(SecCertificateRef cert,
 184     CFArrayRef issuers) {
 185     CFIndex ix = 0, ex = CFArrayGetCount(issuers);
 186     for (;ix < ex; ++ix) {
 187         CFURLRef issuer = CFArrayGetValueAtIndex(issuers, ix);
 188         CFStringRef scheme = CFURLCopyScheme(issuer);
 189         if (scheme) {
 190             if (CFEqual(CFSTR("http"), scheme)) {
 191                 CFArrayRef parents = SecCAIssuerConvertToParents(cert,
 192                     SecCAIssuerCacheCopyMatching(issuer));
 193                 if (parents) {
 194                     secdebug("caissuer", "cache hit, for %@ no request issued", issuer);
 195                     CFRelease(scheme);
 196                     return parents;
 197                 }
 198             }
 199             CFRelease(scheme);
 200         }
 201     }
 202     return NULL;
 203 }
 204
 205 bool SecCAIssuerCopyParents(SecCertificateRef certificate, dispatch_queue_t queue,
 206     void *context, void (*callback)(void *, CFArrayRef)) {
 207     CFArrayRef issuers = SecCertificateGetCAIssuers(certificate);
 208     if (!issuers) {
 209         /* certificate has no caissuer urls, we're done. */
 210         callback(context, NULL);
 211         return true;
 212     }
 213
 214     CFArrayRef parents = SecCAIssuerRequestCacheCopyParents(certificate, issuers);
 215     if (parents) {
 216         callback(context, parents);
 217         CFReleaseSafe(parents);
 218         return true;
 219     }
 220
 221     /* Cache miss, let's issue a network request. */
 222     SecCAIssuerRequestRef request =
 223         (SecCAIssuerRequestRef)calloc(1, sizeof(*request));
 224     request->http.queue = queue;
 225     request->http.completed = SecCAIssuerRequestCompleted;
 226     CFRetain(certificate);
 227     request->certificate = certificate;
 228     request->issuers = issuers;
 229     request->issuerIX = 0;
 230     request->context = context;
 231     request->callback = callback;
 232
 233     return SecCAIssuerRequestIssue(request);
 234 }
 235