]> git.saurik.com Git - apple/security.git/blob - OSX/sec/securityd/SecOCSPCache.h
Security-57740.60.18.tar.gz
[apple/security.git] / OSX / sec / securityd / SecOCSPCache.h
1 /*
2 * Copyright (c) 2009-2010,2012-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 */
24
25 /*!
26 @header SecOCSPCache
27 The functions provided in SecOCSPCache.h provide an interface to
28 an OCSP caching module.
29 */
30
31 #ifndef _SECURITY_SECOCSPCACHE_H_
32 #define _SECURITY_SECOCSPCACHE_H_
33
34 #include <securityd/SecOCSPRequest.h>
35 #include <securityd/SecOCSPResponse.h>
36 #include <CoreFoundation/CFURL.h>
37
38 __BEGIN_DECLS
39
40
41 void SecOCSPCacheReplaceResponse(SecOCSPResponseRef old_response,
42 SecOCSPResponseRef response, CFURLRef localResponderURI, CFAbsoluteTime verifyTime);
43
44 SecOCSPResponseRef SecOCSPCacheCopyMatching(SecOCSPRequestRef request,
45 CFURLRef localResponderURI /* may be NULL */);
46
47 SecOCSPResponseRef SecOCSPCacheCopyMatchingWithMinInsertTime(SecOCSPRequestRef request,
48 CFURLRef localResponderURI, CFAbsoluteTime minInsertTime);
49
50 __END_DECLS
51
52 #endif /* _SECURITY_SECOCSPCACHE_H_ */
53
54 #if 0
55 /*
56 Experation policy assumptions:
57 - We never check revocation status of anchors, whether they be system anchors,
58 passed in anchors or anchors hardcoded in a policy.
59 - Revocation information is cached for positive reponses for a limited time.
60 - Revocation information can be cached for negative reponses for an unlimited time.
61 - Revocation information need never be kept around after the certificate has expired (unless we still check after the cert has expired like we were talking about for EERI).
62 - Revocation information records that are used and still valid should be kept longer.
63 - We can set an upper limit in number of records (or certificates) in the cache.
64 - We can set an upper limit on total space consumed by the cache.
65 Questions:
66 - Remember bad server responses too? some ocsp responders required signed requests which we don't support, so we could consider caching the 6 (Not Authorized or something) response.
67
68 Data needed per type of revocation record to implement this policy.
69
70 Caching policy:
71 - Deleting cache should not be user option.
72 - Cache should surrvive backups.
73 - Negative caching as long as possible.
74
75 CRL certificate stati:
76 unspecified, keyCompromise, cACompromise,
77 affiliationChanged, superseded, cessationOfOperation,
78 certificateHold, removeFromCRL, privilegeWithdrawn,
79 aACompromise, the special value UNREVOKED, or the special
80 value UNDETERMINED. This variable is initialized to the
81 special value UNREVOKED.
82
83 CRL Timestamp values:
84 - thisUpdate
85 - nextUpdate (optional but not really 5280 says CAs must provide it even though ASN.1 is optional)
86 (no producedAt in CRLs, that's what thisUpdate is by definition it seems).
87
88
89 OCSP Timestamp values:
90 thisUpdate = May 1, 2005 01:00:00 GMT
91 nextUpdate = May 3, 2005 01:00:00 GMT (optional abscence means update available any time)
92 productedAt = May 1, 2005 01:00:00 GMT
93
94 PER CERTIFICATE RETURN in INFO
95
96 Revocation object used: OCSP Response, mapping from
97 reasons-> (CRL + most current delta CRL), Error Object (with status code).
98 -- good
99 -- revoked
100 -- unknown
101
102 other exceptions (unsigned responses):
103 -- malformedRequest
104 -- internalError
105 -- tryLater
106 -- sigRequired
107 -- unauthorized (5019 The response "unauthorized" is returned in cases where the client
108 is not authorized to make this query to this server or the server
109 is not capable of responding authoritatively. (Expired certs might get this answer too))
110
111
112 CRL signer chain rules:
113 1) Must use same anchor as cert itself.
114 This implies that we can only cache the validity of a leaf or intermediate certificate for CRL checking based on the mapping:
115 (certificate, path anchor, use_deltas) -> Revocation_status (unspecified, keyCompromise, cACompromise,
116 affiliationChanged, superseded, cessationOfOperation,certificateHold, removeFromCRL, privilegeWithdrawn,aACompromise, UNREVOKED, UNDETERMINED).
117
118 OCSP signer chain rules:
119 (Wikipedia confirmed in rfc): The key that signs a response need not be the same key that signed the certificate. The certificate's issuer may delegate another authority to be the OCSP responder. In this case, the responder's certificate (the one that is used to sign the response) must be issued by the issuer of the certificate in question, and must include a certain extension that marks it as an OCSP signing authority (more precisely, an extended key usage extension with the OID {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) keyPurpose(3) ocspSigning(9)})
120
121 rfc text of the wikipedia: Therefore, a certificate's issuer MUST either sign the OCSP
122 responses itself or it MUST explicitly designate this authority to
123 another entity. OCSP signing delegation SHALL be designated by the
124 inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate
125 extension included in the OCSP response signer's certificate. This
126 certificate MUST be issued directly by the CA that issued the
127 certificate in question.
128
129 rfc: If ocsp signing cert has id-pkix-ocsp-nocheck extension we don't check it's revocation status.
130
131 (certificate, direct issuer certificate) -> Revocation_status good (UNREVOKED) revoked revocationTime, CRLReason (unspecified, keyCompromise, cACompromise,affiliationChanged, superseded, cessationOfOperation,certificateHold, removeFromCRL, privilegeWithdrawn,aACompromise) unknown (UNDETERMINED).
132
133 ocsp CertID ::= SEQUENCE {
134 hashAlgorithm AlgorithmIdentifier,
135 issuerNameHash OCTET STRING, -- Hash of Issuer's DN
136 issuerKeyHash OCTET STRING, -- Hash of Issuers public key
137 serialNumber CertificateSerialNumber }
138 )
139
140 In order to accomadate the responder using a different hashAlgorithm than we used in the request we need to recalc these from the cert itself.
141
142 If all we have is a list of ocspresponses without knowing where they came from, we have to calculate the hashes of our issuerName and issuerKey for each hashAlgorithm we have cached ocsp responses for (optionally after limiting our candidates to those with matching serialNumbers first).
143
144 SELECT from ocsp_cache hashAlgorithm WHERE serialNumber = <SERIAL>
145
146 for hix = 0 hix < hashAlgorithms.count
147 ALG(hix).id = hashAlgorithms(hix)
148
149 SELECT from ocsp_cache response WHERE serialNumber = <SERIAL> hashAlgorithm = ALG(hix).id issuerNameHash = ALG(hix).hash(issuer) issuerKeyHash = ALG(hix).hash(key)
150
151
152
153
154
155
156 Notes for Matt:
157 - ttl in amfi cache (to force recheck when ocsp response is invalid)?
158 - Periodic check before launch to remove in band waiting for ocsp response?
159
160 Notes on Nonces in ocsp request and responses. Only ask for nonce if we think server supports it (no way to know today). Fall back on time based validity checking if reponse has no nonce, even if we asked for one
161
162 Note on CRL checking and experation and retries of OCSP checking.
163 Clients MAY attempt to retrieve the CRL if no
164 OCSPResponse is received from the responder after a locally
165 configured timeout and number of retries..
166
167
168
169 CRL/OCSP cache design idea:
170
171 revocation status table:
172
173 rowid certhash issuer-rowid lastUsed thisUpdate producedAt nextUpdate revocationTime revocationStatus
174
175 cacheAddOCSP(path, index_of_cert_resp_is_for, ocspResp)
176 cacheAddCRLStatus(path, index_of_cert_in_path, nextUpdate, revocationTime, revocationStatus)
177 (revocationTime, revocationStatus) = cacheLookupStatus(path, ix)
178
179 Return a list of parent certificate hashes for the current leaf. If a result is returned, we have a candiate path leading up to an anchor, for which we already trust the signature in the chain and revocation information has been checked.
180
181 CFArrayRef cacheSuggestParentsHashesFor(cert)
182
183 for crl based status root must match root of path. For ocsp status issuer must match issuer of leaf in path
184
185 presence in the cache means cert chain leading to an anchor is valid, and signed properly and trusted by the ocsp or crl policy, revocation status for cert is valid until the time indicated by nextUpdate. Cert chain itself may or may not be valid but that's checked by the policy engine.
186
187 If a chain isn't properly signed or fails to satisfy the crl policy, it should not be in the cache.
188
189 ocsp cache
190
191 rowid ocspResponse (responder) lastUsed nextUpdate
192
193 hashAlgorithm->(issuerNameHash,issuerKeyHash,serialNumber)->response
194
195
196 crl cache ()
197
198 crlDistributionPoint (reasons) crl thisUpdate nextUpdate isDelta
199
200
201 crlEntry cache table
202 (certHash anchorHash) crlIssuer revocationStatus revocationTime expires lastUsed
203 crlTable
204 (crlIssuer anchorHash distributionPointURL?) crl sigVerified expires
205 ocspEntry cache table
206 (certHash parentHash ocspReponderID) hashAlg revocationStatus revocationTime expires lastUsed
207 ocspTable
208 ((hashAlg, pubKeyHash, issuerHash, serialNum) anchorHash) ocspResponse sigVerified expires
209
210 or
211 cert cache table
212 (certHash parentHash anchorHash) crlEntryID ocspID
213
214 crlEntry cache table
215 (crlEntryID anchorHash) crlIssuer revocationStatus revocationTime
216
217 crlIssuerTable
218 (crlIssuer anchorHash) crl sigVerified
219
220 ocsp table
221 (ocspID) ocspResponse
222
223
224 but so does caching the raw response as a link to a blob table containing crls
225 and ocsp-responses
226 But also cache the revocationStatus for a (cert,parent) or (cert,anchor) via
227 a link to a cached ocspResponse or revocationStatus and revocationTime entry from crl
228 */
229
230 #endif