2 * Copyright (c) 2009-2016 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 * SecCAIssuerRequest.c - asynchronous CAIssuer request fetching engine.
29 #include "SecCAIssuerRequest.h"
30 #include "SecCAIssuerCache.h"
32 #include <Security/SecInternal.h>
33 #include <Security/SecCMS.h>
34 #include <CoreFoundation/CFURL.h>
35 #include <CFNetwork/CFHTTPMessage.h>
36 #include <utilities/debugging.h>
37 #include <Security/SecCertificateInternal.h>
38 #include <securityd/asynchttp.h>
41 #define MAX_CA_ISSUERS 3
42 #define CA_ISSUERS_REQUEST_THRESHOLD 10
45 /* CA Issuer lookup code. */
47 typedef struct SecCAIssuerRequest
*SecCAIssuerRequestRef
;
48 struct SecCAIssuerRequest
{
49 asynchttp_t http
; /* Must be first field. */
50 SecCertificateRef certificate
;
51 CFArrayRef issuers
; /* NONRETAINED */
54 void (*callback
)(void *, CFArrayRef
);
57 static void SecCAIssuerRequestRelease(SecCAIssuerRequestRef request
) {
58 CFRelease(request
->certificate
);
59 asynchttp_free(&request
->http
);
63 static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request
) {
64 CFIndex count
= CFArrayGetCount(request
->issuers
);
65 if (count
>= CA_ISSUERS_REQUEST_THRESHOLD
) {
66 secnotice("caissuer", "too many caIssuer entries (%ld)", (long)count
);
67 request
->callback(request
->context
, NULL
);
68 SecCAIssuerRequestRelease(request
);
71 while (request
->issuerIX
< count
&& request
->issuerIX
< MAX_CA_ISSUERS
) {
72 CFURLRef issuer
= CFArrayGetValueAtIndex(request
->issuers
,
74 CFStringRef scheme
= CFURLCopyScheme(issuer
);
76 if (CFEqual(CFSTR("http"), scheme
)) {
77 CFHTTPMessageRef msg
= CFHTTPMessageCreateRequest(kCFAllocatorDefault
,
78 CFSTR("GET"), issuer
, kCFHTTPVersion1_1
);
80 secinfo("caissuer", "%@", msg
);
81 bool done
= asynchttp_request(msg
, 0, &request
->http
);
88 secdebug("caissuer", "failed to get %@", issuer
);
90 secnotice("caissuer", "skipping unsupported uri %@", issuer
);
96 /* No more issuers left to try, we're done. */
97 secdebug("caissuer", "no request issued");
98 request
->callback(request
->context
, NULL
);
99 SecCAIssuerRequestRelease(request
);
103 /* Releases parent unconditionally, and return a CFArrayRef containing
104 parent if the normalized subject of parent matches the normalized issuer
106 static CF_RETURNS_RETAINED CFArrayRef
SecCAIssuerConvertToParents(SecCertificateRef certificate
,
107 SecCertificateRef CF_CONSUMED parent
) {
108 CFDataRef nic
= SecCertificateGetNormalizedIssuerContent(certificate
);
109 CFArrayRef parents
= NULL
;
111 CFDataRef parent_nic
= SecCertificateGetNormalizedSubjectContent(parent
);
112 if (nic
&& parent_nic
&& CFEqual(nic
, parent_nic
)) {
113 const void *ventry
= parent
;
114 parents
= CFArrayCreate(NULL
, &ventry
, 1, &kCFTypeArrayCallBacks
);
121 #define SECONDS_PER_DAY (86400.0)
122 static void SecCAIssuerRequestCompleted(asynchttp_t
*http
,
123 CFTimeInterval maxAge
) {
124 /* Cast depends on http being first field in struct SecCAIssuerRequest. */
125 SecCAIssuerRequestRef request
= (SecCAIssuerRequestRef
)http
;
126 CFDataRef data
= (request
->http
.response
?
127 CFHTTPMessageCopyBody(request
->http
.response
) : NULL
);
130 "accessLocation MUST be a uniformResourceIdentifier and the URI
131 MUST point to either a single DER encoded certificate as speci-
132 fied in [RFC2585] or a collection of certificates in a BER or
133 DER encoded "certs-only" CMS message as specified in [RFC2797]." */
135 /* DER-encoded certificate */
136 SecCertificateRef parent
= SecCertificateCreateWithData(NULL
, data
);
138 /* "certs-only" CMS Message */
140 CFArrayRef certificates
= NULL
;
141 certificates
= SecCMSCertificatesOnlyMessageCopyCertificates(data
);
142 /* @@@ Technically these can have more than one certificate */
143 if (certificates
&& CFArrayGetCount(certificates
) == 1) {
144 parent
= CFRetainSafe((SecCertificateRef
)CFArrayGetValueAtIndex(certificates
, 0));
146 CFReleaseNull(certificates
);
149 /* Retry in case the certificate is in PEM format. Some CAs
150 incorrectly return a PEM encoded cert, despite RFC 5280 4.2.2.1 */
152 parent
= SecCertificateCreateWithPEM(NULL
, data
);
156 /* We keep responses in the cache for at least 7 days, or longer
157 if the http response tells us to keep it around for more. */
158 if (maxAge
< SECONDS_PER_DAY
* 7)
159 maxAge
= SECONDS_PER_DAY
* 7;
160 CFAbsoluteTime expires
= CFAbsoluteTimeGetCurrent() + maxAge
;
161 CFURLRef issuer
= CFArrayGetValueAtIndex(request
->issuers
,
162 request
->issuerIX
- 1);
163 SecCAIssuerCacheAddCertificate(parent
, issuer
, expires
);
164 CFArrayRef parents
= SecCAIssuerConvertToParents(
165 request
->certificate
, parent
); /* note: this releases parent */
167 secdebug("caissuer", "response: %@ good", http
->response
);
168 request
->callback(request
->context
, parents
);
170 SecCAIssuerRequestRelease(request
);
176 secdebug("caissuer", "response: %@ not parent, trying next caissuer",
178 SecCAIssuerRequestIssue(request
);
181 static CFArrayRef
SecCAIssuerRequestCacheCopyParents(SecCertificateRef cert
,
182 CFArrayRef issuers
) {
183 CFIndex ix
= 0, ex
= CFArrayGetCount(issuers
);
184 for (;ix
< ex
; ++ix
) {
185 CFURLRef issuer
= CFArrayGetValueAtIndex(issuers
, ix
);
186 CFStringRef scheme
= CFURLCopyScheme(issuer
);
188 if (CFEqual(CFSTR("http"), scheme
)) {
189 CFArrayRef parents
= SecCAIssuerConvertToParents(cert
,
190 SecCAIssuerCacheCopyMatching(issuer
));
192 secdebug("caissuer", "cache hit, for %@ no request issued", issuer
);
203 bool SecCAIssuerCopyParents(SecCertificateRef certificate
, dispatch_queue_t queue
,
204 void *context
, void (*callback
)(void *, CFArrayRef
)) {
205 CFArrayRef issuers
= SecCertificateGetCAIssuers(certificate
);
207 /* certificate has no caissuer urls, we're done. */
208 callback(context
, NULL
);
212 CFArrayRef parents
= SecCAIssuerRequestCacheCopyParents(certificate
, issuers
);
214 callback(context
, parents
);
215 CFReleaseSafe(parents
);
219 /* Cache miss, let's issue a network request. */
220 SecCAIssuerRequestRef request
=
221 (SecCAIssuerRequestRef
)calloc(1, sizeof(*request
));
222 request
->http
.queue
= queue
;
223 request
->http
.completed
= SecCAIssuerRequestCompleted
;
224 CFRetain(certificate
);
225 request
->certificate
= certificate
;
226 request
->issuers
= issuers
;
227 request
->issuerIX
= 0;
228 request
->context
= context
;
229 request
->callback
= callback
;
231 return SecCAIssuerRequestIssue(request
);