]> git.saurik.com Git - apple/security.git/blob - TODO
Security-57740.60.18.tar.gz
[apple/security.git] / TODO
1
2 === Advanced CFErrorRef usage ===
3
4 Make SecError a macro with an extra argument (formatOptions) and make the arguments proper CFStringRef
5 CFCopyDescription takes formatOptions as well, which it passes down to us.
6 Make sure we plumb though formatOptions everywhere
7 Have every cftype implement a proper copyDescriotion function that looks at a kSecDebugFormatOption key and use it to do debug printing.
8 Have the CFGiblis macros automatically implement copyDebugDescription function that calls
9
10
11 == Content Protection ==
12
13 * Notice that the system keystore is unavailible during upgrade and
14 fail without removing old keychain since it won't work after an
15 upgrade either.
16
17 * cert table should be AlwaysAvailable + migratable...
18
19 ====
20
21 * security export - dump all classes and caches in unencrypted plist
22 genp, inet, cert, keys, ocsp, cair, crls.
23 security export genp, inet, cert, keys, ocsp, cair
24
25 * security dh command should support decodePEM.
26
27 == TESTCASES ==
28
29 SSL EKU:
30 Test ssl server and ssl client against certs with proper and wrong EKU. Also
31 test this for EV certs.
32 IPSEC EKU:
33 Add some ipsec certs with proper ipsec eku extensions and without them and
34 ensure that the ipsec policy rejects (done in si-20-sectrust) and accepts
35 each kind as it should.
36
37 == AUDIT of securityd_server_request ==
38
39 in_args are a valid plist.
40
41 sec_item_add_id
42 _SecItemAdd() argument 1 is a dictionary, but its contents have not been checked.
43 sec_item_copy_matching_id
44 _SecItemCopyMatching() argument 1 is a dictionary, but its contents have not been checked.
45 sec_item_delete_id
46 _SecItemDelete() argument 1 is a dictionary, but its contents have not been checked.
47 sec_item_update_id
48 _SecItemUpdate() argument 1 and 2 are dictionaries, but their contents have not been checked.
49 sec_trust_store_contains_id (ok)
50 SecTrustStoreForDomainName() argument 1 is a string of any length (might be 0).
51 SecTrustStoreContainsCertificateWithDigest() argument 1 might be NULL, argument 2 is a data of any length (might be 0).
52 sec_trust_store_set_trust_settings_id (ok)
53 SecCertificateCreateWithData() argument 2 is a data of any length (might be 0) (done)
54 _SecTrustStoreSetTrustSettings() argument 1 might be NULL, argument 3 is either NULL, a dictionary or an array, but its contents have not been checked.
55 sec_trust_store_remove_certificate_id (ok)
56 SecTrustStoreRemoveCertificateWithDigest() argument 2 is a data of any length (might be 0) an its bound to a statement in sqlite.
57 sec_delete_all_id (ok)
58 Audit done (args_in not used and its value is ignored).
59 sec_trust_evaluate_id
60 SecTrustServerEvaluateAsync() argument 1 is a dictionary, but its contents have not been checked.
61 The options field of each policy provided ends up in policy->_options unchecked, so every access
62 of policy->_options in SecPolicyServer.c needs to be sanitized.
63 sec_restore_keychain (ok)
64 Audit done (args_in not used and its value is ignored).
65
66 == GENERAL ==
67
68 Function naming conventions:
69 - Use Sec@@@Finalaize only if the function does not free the thing it's finalizing.
70 - use Sec@@@Destroy otherwise.
71
72 Move EVRoots.plist and system TrustStore.sqlite3 into perfect hashtable inside securityd.
73
74 Stop using framework relative resources in securityd since it uses a few kb of ram just to get to them.
75
76 Change the interfaces to securityd to use real argument lists and do all the encoding/decoding inside client.c and server.c.
77
78 Remove SecCertificateCreate() now that <rdar://problem/5701851> iap submits a binary is fixed.
79
80 SecKeyRawSign/SecKeyRawVerify should get better error codes.
81
82 == OCSP ==
83
84 Consider calling int sqlite3_release_memory(int); (after committing outstanding transactions); when we are low on ram.
85
86 change api to asynchttp.h to take 2 arguments, a boolean flag to use http GET is the URL size is less than 256 bytes, two dictionary arguments of header name,values pairs to add to the GET and POST requests. If only GET is present GET will always be used, if only POST is present only POST will be used. If both are present, we use GET only if the URL size is less than 256 bytes and POST otherwise. The callback should have a CFHTTPMessage() argument, which will go away when the callback returns.
87
88 When receiving a stale response refetch by adding a Cache-Control: no-cache header.
89 Implement a timeout and retry count (perhaps after timeout go to next responder, but possibly retry responders again if they all timeout).
90 If id-pkix-ocsp-nocheck is not present in the responder cert, check revocation status of the responder cert itself (probably via crls, otherwise watch out for infinite recursion).
91
92 Verify responder cert chain. (done)
93 Verify singleResponse validity at usage time. (done)
94 Verify signature of response. (done)
95 Verify responder id. (done)
96
97 == SSL Policy ==
98
99 Check extended keyUsage and keyUsage of leaf.
100
101 == Snowbird ==
102
103 Priority 2
104
105 <rdar://problem/4831694> Implement DSA using libGiants
106 <rdar://problem/4831689> Add support for DSA ciphersuites in SecureTransport
107 <rdar://problem/4831710> Implement DSS (DSA) Support for SecKeys
108 <rdar://problem/4831700> Add support for DSS (DSA) signed certificates
109
110 <rdar://problem/4831731> Support CRL Fetching and caching
111 <rdar://problem/4831751> Support URL based certificate issuer fetching
112
113 <rdar://problem/4831794> Suite B support for Blackberry feature parody
114
115 == ==
116
117 * Trust settings dialog (P2 for P3)
118 * Trust settings ui (P2 for P3)
119
120 === Later ===
121
122 * SecItemDelete for identities should be server-side so it's done in an exclusive transaction
123
124 * SecKeyRef for DH public/private keys (P3)
125 * AES support
126 - SecKey AES support?
127
128
129 Notes on TrustStore trustsettings db.
130
131 // Version table has one record
132 CREATE TABLE version(version INTEGER);
133 CREATE TABLE cert{sha1 BLOB(20) UNIQUE PRIMARY KEY,subj BLOB,cert BLOB,mdat REAL);
134 CREATE INDEX isubj ON cert(subj);
135 CREATE TABLE trust(sha1 BLOB(20) UNIQUE PRIMARY KEY,
136 domain INTEGER,
137 policy BLOB,
138 application BLOB,
139 keyUsage INTEGER(4),
140 policyString TEXT,
141 allowedError INTEGER,
142 result INTEGER(1)
143 )
144
145 SELECT domain,policyString,allowedError,result FROM trust WHERE
146 (sha1=? OR sha1=defaut) AND
147 domain=? AND
148 (policy=? OR policy ISNULL) AND
149 (application=? OR application ISNULL) AND
150 (keyUsage&?)
151 ORDER BY COLLATE domain DESC;
152
153 BEGIN EXCLUSIVE;
154 INSERT OR REPLACE INTO cert(sha1,subj,cert,mdat)VALUES(?,?,?,?);
155 DELETE FROM trust WHERE sha1=? AND domain=?
156 INSERT INTO trust(sha1,domain,
157 policy,application,keyUsage,policyString,allowedError,result)
158 VALUES(?,?,?,?,?,?,?,?);
159
160 To adopt libdispatch in SecTrustServer.c, we should make a queue per builder.
161 That builders queue can then have
162 The chain builder will look something like
163 dispatch_async(queue, builder, SecPathBuilderNext);
164 inside SecPathBuilderNext we dispatch_async(queue, builder, state);
165 where state is whatever the new state to be run is.
166 where today we invoke the client callback and free the builder in
167 SecPathBuilderStep(), that will be replaced by doing it in the level
168 that today sets builder->state to NULL, which of course just doesn't
169 dispatch any new blocks since invoking the callback completes the API.
170 If we want to allow the caller to use dispatch himself (for sending
171 the reply on a reply queue of some kind that can reschedule jobs when
172 a port_notify_send_ok (or whatever it's called) is received.
173 If async io is done it uses a dispatch_source to run (or it can use a
174 plain cfrunloop callback if the callback are low latency). when the
175 async io operation has completed succesfully a callback is invoked,
176 this callback then pushes the new state onto the queue using
177 dispatch_async(queue, builder, builder->state);
178 so the new state runs after we return from the callback.
179
180 IO can be on the global hi priority queue if it's truely async.
181 Since only one runnable job is ever posted on a queue at a time for a
182 given request, all of the job can be run on the high (dispatching new
183 requests) normal (request handeling) and low (signature
184 verification).
185 priority global queues as we see fit.
186 If multiple requests where received, they would end up being
187 executed round robin on a single core, or in parallel on multi core
188 machines, since each request would get queued by the dispatcher as they
189 arrived, and then jobs for the queues would add their next job to the end
190 of the queue behind the other one again.
191
192 During parts of the code where we write to a databsse or read from a
193 database both of which could potentially block, we need to see if
194 sqlite3 has async APIs otherwise we might end up having to serialize all
195 db accesses to a single serial queue, which stops us from taking advantage
196 of the multiple reader / single writer paradigm. We just might have to
197 create a sqlite3 io thread or threads.
198
199 #if 0
200 /* Idea sketch for state_engine to replace SecPathBuilderStep() one. */
201
202 /* State engine api */
203 typedef struct state_engine_s state_engine_t;
204 typedef void(*state_engine_function_t)(void *);
205 #ifdef __BLOCKS__
206 typedef void(^state_engine_block_t)(void);
207 void state_engine_init(state_engine_t *engine, state_engine_block_t completed);
208 void state_engine_next(state_engine_t *engine, state_engine_block_t state);
209 #endif
210 void state_engine_init_f(state_engine_t *engine,
211 void *context, state_engine_function_t completed);
212
213 void state_engine_next_f(state_engine_t *engine,
214 void *context, state_engine_function_t state);
215 bool state_engine_step(state_engine_t **engine);
216 void state_engine_push(state_engine_t **engine, state_engine_t *child);
217
218 /* Complete engine, return parent, . */
219 state_engine_t *state_engine_pop(state_engine_t *engine);
220
221 /* State engine spi */
222 struct state_engine_s {
223 state_engine_t *parent;
224 void *completed;
225 state_engine_function_t completed_f;
226 void *state;
227 state_engine_function_t state_f;
228 };
229
230 //static state_engine_t *current_engine;
231
232 void state_engine_next_f(state_engine_t *engine,
233 void *state, state_engine_function_t state_f) {
234 engine->state_f = state_f;
235 engine->state = state;
236 }
237
238 bool state_engine_step(state_engine_t **engine) {
239 if (!engine)
240 return false;
241 for (;;) {
242 if (!*engine)
243 return false;
244 if (!(*engine)->state_f) {
245 *engine = state_engine_pop(*engine);
246 } else {
247 (*engine)->state_f((*engine)->state);
248 }
249 }
250 }
251
252 void state_engine_push(state_engine_t **engine,
253 state_engine_t *child) {
254 child->parent = *engine;
255 *engine = child;
256 }
257
258 state_engine_t *state_engine_pop(state_engine_t *engine) {
259 state_engine_t *parent = engine->parent;
260 if (engine->completed_f)
261 engine->completed_f(engine->completed);
262
263 return parent;
264 }
265
266 #endif