2  * Copyright (c) 2002-2015 Apple Inc. All Rights Reserved. 
   4  * @APPLE_LICENSE_HEADER_START@ 
   6  * This file contains Original Code and/or Modifications of Original Code 
   7  * as defined in and that are subject to the Apple Public Source License 
   8  * Version 2.0 (the 'License'). You may not use this file except in 
   9  * compliance with the License. Please obtain a copy of the License at 
  10  * http://www.opensource.apple.com/apsl/ and read it before using this 
  13  * The Original Code and all software distributed under the License are 
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 
  18  * Please see the License for the specific language governing rights and 
  19  * limitations under the License. 
  21  * @APPLE_LICENSE_HEADER_END@ 
  27 #include <security_keychain/Trust.h> 
  28 #include <security_keychain/TrustSettingsSchema.h> 
  29 #include <security_cdsa_utilities/cssmdates.h> 
  30 #include <security_utilities/cfutilities.h> 
  31 #include <CoreFoundation/CoreFoundation.h> 
  32 #include <Security/SecCertificate.h> 
  33 #include <Security/SecTrust.h> 
  34 #include "SecBridge.h" 
  35 #include "TrustAdditions.h" 
  36 #include "TrustKeychains.h" 
  37 #include <security_cdsa_client/dlclient.h> 
  38 #include <security_keychain/Keychains.h> 
  41 using namespace Security
; 
  42 using namespace KeychainCore
; 
  45 // Translate CFDataRef to CssmData. The output shares the input's buffer. 
  47 static inline CssmData 
cfData(CFDataRef data
) 
  49     return CssmData(const_cast<UInt8 
*>(CFDataGetBytePtr(data
)), 
  50         CFDataGetLength(data
)); 
  54 // Convert a SecPointer to a CF object. 
  56 static SecCertificateRef
 
  57 convert(const SecPointer
<Certificate
> &certificate
) 
  63 // For now, we use a global TrustStore 
  65 ModuleNexus
<TrustStore
> Trust::gStore
; 
  67 #pragma mark -- TrustKeychains -- 
  70 // Singleton maintaining open references to standard system keychains, 
  71 // to avoid having them be opened anew every time SecTrust is used. 
  74 static ModuleNexus
<TrustKeychains
> trustKeychains
; 
  75 static ModuleNexus
<RecursiveMutex
> trustKeychainsMutex
; 
  77 extern "C" bool GetServerMode(); 
  79 TrustKeychains::TrustKeychains() : 
  80         mRootStoreHandle(nullCSSMDLDBHandle
), 
  81         mSystem(globals().storageManager
.make(ADMIN_CERT_STORE_PATH
, false)) 
  83         if (GetServerMode()) // in server mode?  Don't go through StorageManager to make a keychain 
  85                 mRootStoreDL 
= new DL(gGuidAppleFileDL
), 
  86                 mRootStoreDb 
= new Db(*mRootStoreDL
, SYSTEM_ROOT_STORE_PATH
), 
  87         mRootStore 
= new Keychain(*mRootStoreDb
); 
  93                 mRootStore 
= new Keychain(globals().storageManager
.make(SYSTEM_ROOT_STORE_PATH
, false)); 
  95     (*mRootStore
)->database()->activate(); 
  96     mRootStoreHandle 
= (*mRootStore
)->database()->handle(); 
  99 TrustKeychains::~TrustKeychains() { 
 114 RecursiveMutex
& SecTrustKeychainsGetMutex() 
 116         return trustKeychainsMutex(); 
 119 #pragma mark -- Trust -- 
 121 // Construct a Trust object with suitable defaults. 
 122 // Use setters for additional arguments before calling evaluate(). 
 124 Trust::Trust(CFTypeRef certificates
, CFTypeRef policies
) 
 125     : mTP(gGuidAppleX509TP
), mAction(CSSM_TP_ACTION_DEFAULT
), 
 126       mCerts(cfArrayize(certificates
)), mPolicies(cfArrayize(policies
)), 
 127       mSearchLibs(NULL
), mSearchLibsSet(false), mResult(kSecTrustResultInvalid
), 
 128       mUsingTrustSettings(false), mAnchorPolicy(useAnchorsDefault
), mMutex(Mutex::recursive
) 
 131                 mPolicies
.take(CFArrayCreateMutable(NULL
, 0, &kCFTypeArrayCallBacks
)); 
 137 // Clean up a Trust object 
 151 // Get searchLibs (a vector of Keychain objects); 
 152 // normally initialized to default search list 
 154 StorageManager::KeychainList
& Trust::searchLibs(bool init
) 
 157                 mSearchLibs 
= new StorageManager::KeychainList
; 
 159                         globals().storageManager
.getSearchList(*mSearchLibs
); 
 167 // Set searchLibs to provided vector of Keychain objects 
 169 void Trust::searchLibs(StorageManager::KeychainList 
&libs
) 
 171         searchLibs(false) = libs
; 
 172         mSearchLibsSet 
= true; 
 177 // Retrieve the last TP evaluation result, if any 
 179 CSSM_TP_VERIFY_CONTEXT_RESULT_PTR 
Trust::cssmResult() 
 181         if (mResult 
== kSecTrustResultInvalid
) 
 182                 MacOSError::throwMe(errSecTrustNotAvailable
); 
 187 // SecCertificateRef -> CssmData 
 189 CssmData 
cfCertificateData(SecCertificateRef certificate
) 
 191     return Certificate::required(certificate
)->data(); 
 194 // SecPolicyRef -> CssmField (CFDataRef/NULL or oid/value of a SecPolicy) 
 196 CssmField 
cfField(SecPolicyRef item
) 
 198         SecPointer
<Policy
> policy 
= Policy::required(SecPolicyRef(item
)); 
 199     return CssmField(policy
->oid(), policy
->value()); 
 202 // SecKeychain -> CssmDlDbHandle 
 205 CSSM_DL_DB_HANDLE 
cfKeychain(SecKeychainRef ref
) 
 207         Keychain keychain 
= KeychainImpl::required(ref
); 
 208         return keychain
->database()->handle(); 
 213 void showCertSKID(const void *value
, void *context
); 
 217 // Here's the big "E" - evaluation. 
 218 // We build most of the CSSM-layer input structures dynamically right here; 
 219 // they will auto-destruct when we're done. The output structures are kept 
 220 // around (in our data members) for later analysis. 
 221 // Note that evaluate() can be called repeatedly, so we must be careful to 
 222 // dispose of prior results. 
 224 void Trust::evaluate(bool disableEV
) 
 226         bool isEVCandidate
=false; 
 227         // begin evaluation block with stack-based mutex 
 229         StLock
<Mutex
>_(mMutex
); 
 230         // if we have evaluated before, release prior result 
 233         // determine whether the leaf certificate is an EV candidate 
 234         CFArrayRef allowedAnchors 
= NULL
; 
 236                 allowedAnchors 
= allowedEVRootsForLeafCertificate(mCerts
); 
 237                 isEVCandidate 
= (allowedAnchors 
!= NULL
); 
 239         CFArrayRef filteredCerts 
= NULL
; 
 241                 secinfo("evTrust", "Trust::evaluate() certificate is EV candidate"); 
 242                 filteredCerts 
= potentialEVChainWithCertificates(mCerts
); 
 243                 mCerts 
= filteredCerts
; 
 245                 secinfo("evTrust", "Trust::evaluate() performing standard evaluation"); 
 247                         filteredCerts 
= CFArrayCreateMutableCopy(NULL
, 0, mCerts
); 
 250                         allowedAnchors 
= CFArrayCreateMutableCopy(NULL
, 0, mAnchors
); 
 253         // retain these certs as long as we potentially could have results involving them 
 254         // (note that assignment to a CFRef type performs an implicit retain) 
 255         mAllowedAnchors 
= allowedAnchors
; 
 256         mFilteredCerts 
= filteredCerts
; 
 259                 CFRelease(allowedAnchors
); 
 261                 CFRelease(filteredCerts
); 
 265                 secinfo("trusteval", "Trust::evaluate: anchors: %ld", CFArrayGetCount(mAllowedAnchors
)); 
 267                 CFArrayApplyFunction(mAllowedAnchors
, CFRangeMake(0, CFArrayGetCount(mAllowedAnchors
)), showCertSKID
, NULL
); 
 271         // set default search list from user's default, if caller did not explicitly supply it 
 272         if(!mSearchLibsSet
) { 
 273                 globals().storageManager
.getSearchList(searchLibs()); 
 274                 mSearchLibsSet 
= true; 
 277     // build the target cert group 
 278     CFToVector
<CssmData
, SecCertificateRef
, cfCertificateData
> subjects(mFilteredCerts
); 
 279     CertGroup 
subjectCertGroup(CSSM_CERT_X_509v3
, 
 280             CSSM_CERT_ENCODING_BER
, CSSM_CERTGROUP_DATA
); 
 281     subjectCertGroup
.count() = subjects
; 
 282     subjectCertGroup
.blobCerts() = subjects
; 
 284     // build a TP_VERIFY_CONTEXT, a veritable nightmare of a data structure 
 285     TPBuildVerifyContext 
context(mAction
); 
 288          * Guarantee *some* action data... 
 289          * NOTE this only works with the local X509 TP. When this module can deal 
 290          * with other TPs, this must be revisited. 
 292         CSSM_APPLE_TP_ACTION_DATA localActionData
; 
 293         memset(&localActionData
, 0, sizeof(localActionData
)); 
 294         CssmData 
localActionCData((uint8 
*)&localActionData
, sizeof(localActionData
)); 
 295         CSSM_APPLE_TP_ACTION_DATA 
*actionDataP 
= &localActionData
; 
 297                 context
.actionData() = cfData(mActionData
); 
 298                 actionDataP 
= (CSSM_APPLE_TP_ACTION_DATA 
*)context
.actionData().data(); 
 301                 context
.actionData() = localActionCData
; 
 304         bool hasSSLPolicy 
= policySpecified(mPolicies
, CSSMOID_APPLE_TP_SSL
); 
 305         bool hasEAPPolicy 
= policySpecified(mPolicies
, CSSMOID_APPLE_TP_EAP
); 
 308                 // always check trust settings if caller did not provide explicit trust anchors 
 309                 actionDataP
->ActionFlags 
|= CSSM_TP_ACTION_TRUST_SETTINGS
; 
 312         if (mNetworkPolicy 
== useNetworkDefault
) { 
 314                         // enable network cert fetch for SSL only: <rdar://7422356> 
 315                         actionDataP
->ActionFlags 
|= CSSM_TP_ACTION_FETCH_CERT_FROM_NET
; 
 318         else if (mNetworkPolicy 
== useNetworkEnabled
) 
 319                 actionDataP
->ActionFlags 
|= CSSM_TP_ACTION_FETCH_CERT_FROM_NET
; 
 320         else if (mNetworkPolicy 
== useNetworkDisabled
) 
 321                 actionDataP
->ActionFlags 
&= ~(CSSM_TP_ACTION_FETCH_CERT_FROM_NET
); 
 323         if (policySpecified(mPolicies
, CSSMOID_APPLE_TP_ESCROW_SERVICE
)) { 
 324                 // ignore expiration dates, per rdar://21943474 
 325                 actionDataP
->ActionFlags 
|= (CSSM_TP_ACTION_ALLOW_EXPIRED 
| 
 326                         CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT
); 
 330          * Policies (one at least, please). 
 331          * For revocation policies, see if any have been explicitly specified... 
 333         CFMutableArrayRef allPolicies 
= NULL
; 
 334         uint32 numRevocationAdded 
= 0; 
 335         bool requirePerCert 
= (actionDataP
->ActionFlags 
& CSSM_TP_ACTION_REQUIRE_REV_PER_CERT
); 
 337         // If a new unified revocation policy was explicitly specified, 
 338         // convert into old-style individual OCSP and CRL policies. 
 339         // Note that the caller could configure revocation policy options 
 340         // to explicitly disable both methods, so 0 policies might be added, 
 341         // in which case we must no longer consider the cert an EV candidate. 
 343         allPolicies 
= convertRevocationPolicy(numRevocationAdded
, context
.allocator
); 
 345                 // caller has explicitly set the revocation policy they want to use 
 346                 secinfo("evTrust", "Trust::evaluate() using explicit revocation policy (%d)", 
 348                 if (numRevocationAdded 
== 0) 
 349                         isEVCandidate 
= false; 
 351         else if (mAnchors 
&& (CFArrayGetCount(mAnchors
)==0) && (searchLibs().size()==0)) { 
 352                 // caller explicitly provided empty anchors and no keychain list, 
 353                 // and did not explicitly specify the revocation policy; 
 354                 // override global revocation check setting for this evaluation 
 355                 secinfo("evTrust", "Trust::evaluate() has empty anchors and no keychains"); 
 356                 allPolicies 
= NULL
; // use only mPolicies 
 357                 isEVCandidate 
= false; 
 359         else if (isEVCandidate 
|| requirePerCert
) { 
 360                 // force revocation checking for this evaluation 
 361                 secinfo("evTrust", "Trust::evaluate() forcing OCSP/CRL revocation check"); 
 362                 allPolicies 
= forceRevocationPolicies(true, requirePerCert
, 
 363                         numRevocationAdded
, context
.allocator
, requirePerCert
); 
 365         else if(!(revocationPolicySpecified(mPolicies
))) { 
 366                 // none specified in mPolicies; try preferences 
 367                 allPolicies 
= addPreferenceRevocationPolicies(!(hasSSLPolicy 
|| hasEAPPolicy
), 
 368                         !(hasSSLPolicy 
|| hasEAPPolicy
), numRevocationAdded
, context
.allocator
); 
 370         if (allPolicies 
== NULL
) { 
 371                 // use mPolicies; no revocation checking will be performed 
 372                 secinfo("evTrust", "Trust::evaluate() will not perform revocation check"); 
 373                 CFIndex numPolicies 
= CFArrayGetCount(mPolicies
); 
 374                 CFAllocatorRef allocator 
= CFGetAllocator(mPolicies
); 
 375                 allPolicies 
= CFArrayCreateMutableCopy(allocator
, numPolicies
, mPolicies
); 
 377         orderRevocationPolicies(allPolicies
); 
 378     CFToVector
<CssmField
, SecPolicyRef
, cfField
> policies(allPolicies
); 
 380         // error exit here if empty policies are not supported 
 381     if (policies
.empty()) 
 382         MacOSError::throwMe(CSSMERR_TP_INVALID_POLICY_IDENTIFIERS
); 
 384     context
.setPolicies(policies
, policies
); 
 386         // anchor certificates (if caller provides them, or if cert requires EV) 
 387         CFCopyRef
<CFArrayRef
> anchors(mAllowedAnchors
); 
 388         CFToVector
<CssmData
, SecCertificateRef
, cfCertificateData
> roots(anchors
); 
 390                 // no anchor certificates were provided; 
 391                 // built-in anchors will be trusted unless explicitly disabled. 
 392                 mUsingTrustSettings 
= (mAnchorPolicy 
< useAnchorsOnly
); 
 393                 secinfo("userTrust", "Trust::evaluate() %s", 
 394                                  (mUsingTrustSettings
) ? "using UserTrust" : "has no trusted anchors!"); 
 397                 // anchor certificates were provided; 
 398                 // built-in anchors will NOT also be trusted unless explicitly enabled. 
 399                 mUsingTrustSettings 
= (mAnchorPolicy 
== useAnchorsAndBuiltIns
); 
 400                 secinfo("userTrust", "Trust::evaluate() using %s %s anchors", 
 401                                  (mUsingTrustSettings
) ? "UserTrust AND" : "only", 
 402                                  (isEVCandidate
) ? "EV" : "caller"); 
 403                 context
.anchors(roots
, roots
); 
 406         // dlDbList (keychain list) 
 407         vector
<CSSM_DL_DB_HANDLE
> dlDbList
; 
 409                 StLock
<Mutex
> _(SecTrustKeychainsGetMutex()); 
 410                 StorageManager::KeychainList
& list 
= searchLibs(); 
 411                 for (StorageManager::KeychainList::const_iterator it 
= list
.begin(); 
 412                                 it 
!= list
.end(); it
++) 
 416                                 // For the purpose of looking up intermediate certificates to establish trust, 
 417                                 // do not include the network-based LDAP or DotMac pseudo-keychains. (The only 
 418                                 // time the network should be consulted for certificates is if there is an AIA 
 419                                 // extension with a specific URL, which will be handled by the TP code.) 
 420                                 CSSM_DL_DB_HANDLE dldbHandle 
= (*it
)->database()->handle(); 
 421                                 if (dldbHandle
.DLHandle
) { 
 423                                         CSSM_RETURN crtn 
= CSSM_GetModuleGUIDFromHandle(dldbHandle
.DLHandle
, &guid
); 
 424                                         if (crtn 
== CSSM_OK
) { 
 425                                                 if ((memcmp(&guid
, &gGuidAppleLDAPDL
, sizeof(CSSM_GUID
))==0) || 
 426                                                         (memcmp(&guid
, &gGuidAppleDotMacDL
, sizeof(CSSM_GUID
))==0)) { 
 427                                                         continue; // don't add to dlDbList 
 431                                 // This DB is OK to search for intermediate certificates. 
 432                                 dlDbList
.push_back(dldbHandle
); 
 438                 if(mUsingTrustSettings
) { 
 439                         /* Append system anchors for use with Trust Settings */ 
 441                 CSSM_DL_DB_HANDLE rootStoreHandle 
= trustKeychains().rootStoreHandle(); 
 442                 if (rootStoreHandle
.DBHandle
) 
 443                     dlDbList
.push_back(rootStoreHandle
); 
 444                                 actionDataP
->ActionFlags 
|= CSSM_TP_ACTION_TRUST_SETTINGS
; 
 447                                 // no root store or system keychain; don't use trust settings but continue 
 448                                 mUsingTrustSettings 
= false; 
 451                 CSSM_DL_DB_HANDLE systemKcHandle 
= trustKeychains().systemKcHandle(); 
 452                 if (systemKcHandle
.DBHandle
) 
 453                     dlDbList
.push_back(systemKcHandle
); 
 456                                 /* Oh well, at least we got the root store DB */ 
 459                 context
.setDlDbList((uint32
)dlDbList
.size(), &dlDbList
[0]); 
 465         CssmUniformDate(static_cast<CFDateRef
>(mVerifyTime
)).convertTo( 
 466                         timeString
, sizeof(timeString
)); 
 467         context
.time(timeString
); 
 470         // to avoid keychain open/close thrashing, hold a copy of the search list 
 471         StorageManager::KeychainList 
*holdSearchList 
= NULL
; 
 472         if (searchLibs().size() > 0) { 
 473                 holdSearchList 
= new StorageManager::KeychainList
; 
 474                 globals().storageManager
.getSearchList(*holdSearchList
); 
 479         mTP
->certGroupVerify(subjectCertGroup
, context
, &mTpResult
); 
 480         mTpReturn 
= errSecSuccess
; 
 481     } catch (CommonError 
&err
) { 
 482         mTpReturn 
= err
.osStatus(); 
 483         secinfo("trusteval", "certGroupVerify exception: %d", (int)mTpReturn
); 
 485     mResult 
= diagnoseOutcome(); 
 487     // see if we can use the evidence 
 488     if (mTpResult
.count() > 0 
 489             && mTpResult
[0].form() == CSSM_EVIDENCE_FORM_APPLE_HEADER
 
 490             && mTpResult
[0].as
<CSSM_TP_APPLE_EVIDENCE_HEADER
>()->Version 
== CSSM_TP_APPLE_EVIDENCE_VERSION
 
 491             && mTpResult
.count() == 3 
 492             && mTpResult
[1].form() == CSSM_EVIDENCE_FORM_APPLE_CERTGROUP
 
 493             && mTpResult
[2].form() == CSSM_EVIDENCE_FORM_APPLE_CERT_INFO
) { 
 494         evaluateUserTrust(*mTpResult
[1].as
<CertGroup
>(), 
 495             mTpResult
[2].as
<CSSM_TP_APPLE_EVIDENCE_INFO
>(), anchors
); 
 497         // unexpected evidence information. Can't use it 
 498         secinfo("trusteval", "unexpected evidence ignored"); 
 501         /* do post-processing for the evaluated certificate chain */ 
 502         CFArrayRef fullChain 
= makeCFArrayFrom(convert
, mCertChain
); 
 503         CFDictionaryRef etResult 
= extendedTrustResults(fullChain
, mResult
, mTpReturn
, isEVCandidate
); 
 504         mExtendedResult 
= etResult
; // assignment to CFRef type is an implicit retain 
 509                 CFRelease(fullChain
); 
 513                 /* clean up revocation policies we created implicitly */ 
 514                 if(numRevocationAdded
) { 
 515                         freeAddedRevocationPolicyData(allPolicies
, numRevocationAdded
, context
.allocator
); 
 517                 CFRelease(allPolicies
); 
 520         if (holdSearchList
) { 
 521                 delete holdSearchList
; 
 522                 holdSearchList 
= NULL
; 
 524         } // end evaluation block with mutex; releases all temporary allocations in this scope 
 527         if (isEVCandidate 
&& mResult 
== kSecTrustResultRecoverableTrustFailure 
&& 
 528                 (mTpReturn 
== CSSMERR_TP_NOT_TRUSTED 
|| isRevocationServerMetaError(mTpReturn
))) { 
 529                 // re-do the evaluation, this time disabling EV 
 534 // CSSM_RETURN values that map to kSecTrustResultRecoverableTrustFailure. 
 535 static const CSSM_RETURN recoverableErrors
[] = 
 537         CSSMERR_TP_INVALID_ANCHOR_CERT
, 
 538         CSSMERR_TP_NOT_TRUSTED
, 
 539         CSSMERR_TP_VERIFICATION_FAILURE
, 
 540         CSSMERR_TP_VERIFY_ACTION_FAILED
, 
 541         CSSMERR_TP_INVALID_REQUEST_INPUTS
, 
 542         CSSMERR_TP_CERT_EXPIRED
, 
 543         CSSMERR_TP_CERT_NOT_VALID_YET
, 
 544         CSSMERR_TP_CERTIFICATE_CANT_OPERATE
, 
 545         CSSMERR_TP_INVALID_CERT_AUTHORITY
, 
 546         CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK
, 
 547         CSSMERR_APPLETP_HOSTNAME_MISMATCH
, 
 548         CSSMERR_TP_VERIFY_ACTION_FAILED
, 
 549         CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND
, 
 550         CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS
, 
 551         CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE
, 
 552         CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH
, 
 553         CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS
, 
 554         CSSMERR_APPLETP_CS_BAD_PATH_LENGTH
, 
 555         CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE
, 
 556         CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE
, 
 557         CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT
, 
 558         CSSMERR_APPLETP_RS_BAD_CERT_CHAIN_LENGTH
, 
 559         CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN
, 
 560         CSSMERR_APPLETP_CRL_NOT_FOUND
, 
 561         CSSMERR_APPLETP_CRL_SERVER_DOWN
, 
 562         CSSMERR_APPLETP_CRL_NOT_VALID_YET
, 
 563         CSSMERR_APPLETP_OCSP_UNAVAILABLE
, 
 564         CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK
, 
 565         CSSMERR_APPLETP_NETWORK_FAILURE
, 
 566         CSSMERR_APPLETP_OCSP_RESP_TRY_LATER
, 
 567         CSSMERR_APPLETP_IDENTIFIER_MISSING
, 
 569 #define NUM_RECOVERABLE_ERRORS  (sizeof(recoverableErrors) / sizeof(CSSM_RETURN)) 
 572 // Classify the TP outcome in terms of a SecTrustResultType 
 574 SecTrustResultType 
Trust::diagnoseOutcome() 
 576         StLock
<Mutex
>_(mMutex
); 
 578         uint32 chainLength 
= 0; 
 579         if (mTpResult
.count() == 3 && 
 580                 mTpResult
[1].form() == CSSM_EVIDENCE_FORM_APPLE_CERTGROUP 
&& 
 581                 mTpResult
[2].form() == CSSM_EVIDENCE_FORM_APPLE_CERT_INFO
) 
 583                 const CertGroup 
&chain 
= *mTpResult
[1].as
<CertGroup
>(); 
 584                 chainLength 
= chain
.count(); 
 588     case errSecSuccess
:                                                                 // peachy 
 589                 if (mUsingTrustSettings
) 
 593                                 const CSSM_TP_APPLE_EVIDENCE_INFO 
*infoList 
= mTpResult
[2].as
<CSSM_TP_APPLE_EVIDENCE_INFO
>(); 
 594                                 const TPEvidenceInfo 
&info 
= TPEvidenceInfo::overlay(infoList
[chainLength
-1]); 
 595                                 const CSSM_TP_APPLE_CERT_STATUS resultCertStatus 
= info
.status(); 
 596                                 bool hasUserDomainTrust 
= ((resultCertStatus 
& CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST
) && 
 597                                                 (resultCertStatus 
& CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_USER
)); 
 598                                 bool hasAdminDomainTrust 
= ((resultCertStatus 
& CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST
) && 
 599                                                 (resultCertStatus 
& CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_ADMIN
)); 
 600                                 if (hasUserDomainTrust 
|| hasAdminDomainTrust
) 
 602                                         return kSecTrustResultProceed
;          // explicitly allowed 
 606                 return kSecTrustResultUnspecified
;              // cert evaluates OK 
 607     case CSSMERR_TP_INVALID_CERTIFICATE
:                // bad certificate 
 608         return kSecTrustResultFatalTrustFailure
; 
 609         case CSSMERR_APPLETP_TRUST_SETTING_DENY
:        // authoritative denial 
 610                 return kSecTrustResultDeny
; 
 615         // a known list of returns maps to kSecTrustResultRecoverableTrustFailure 
 616         const CSSM_RETURN 
*errp
=recoverableErrors
; 
 617         for(unsigned dex
=0; dex
<NUM_RECOVERABLE_ERRORS
; dex
++, errp
++) { 
 618                 if(*errp 
== mTpReturn
) { 
 619                         return kSecTrustResultRecoverableTrustFailure
; 
 622         return kSecTrustResultOtherError
;                       // unknown 
 627 // Assuming a good evidence chain, check user trust 
 628 // settings and set mResult accordingly. 
 630 void Trust::evaluateUserTrust(const CertGroup 
&chain
, 
 631     const CSSM_TP_APPLE_EVIDENCE_INFO 
*infoList
, CFCopyRef
<CFArrayRef
> anchors
) 
 633         StLock
<Mutex
>_(mMutex
); 
 634     // extract cert chain as Certificate objects 
 635     mCertChain
.resize(chain
.count()); 
 636     for (uint32 n 
= 0; n 
< mCertChain
.size(); n
++) { 
 637         const TPEvidenceInfo 
&info 
= TPEvidenceInfo::overlay(infoList
[n
]); 
 638         if (info
.recordId()) { 
 639                         Keychain keychain 
= keychainByDLDb(info
.DlDbHandle
); 
 640                         DbUniqueRecord 
uniqueId(keychain
->database()->newDbUniqueRecord()); 
 641                         secinfo("trusteval", "evidence %lu from keychain \"%s\"", (unsigned long)n
, keychain
->name()); 
 642                         *static_cast<CSSM_DB_UNIQUE_RECORD_PTR 
*>(uniqueId
) = info
.UniqueRecord
; 
 643                         uniqueId
->activate(); // transfers ownership 
 644                         Item ii 
= keychain
->item(CSSM_DL_DB_RECORD_X509_CERTIFICATE
, uniqueId
); 
 645                         Certificate
* cert 
= dynamic_cast<Certificate
*>(ii
.get()); 
 647                                 CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER
); 
 649                         mCertChain
[n
] = cert
; 
 650         } else if (info
.status(CSSM_CERT_STATUS_IS_IN_INPUT_CERTS
)) { 
 651             secinfo("trusteval", "evidence %lu from input cert %lu", (unsigned long)n
, (unsigned long)info
.index()); 
 652             assert(info
.index() < uint32(CFArrayGetCount(mCerts
))); 
 653             SecCertificateRef cert 
= SecCertificateRef(CFArrayGetValueAtIndex(mCerts
, 
 655             mCertChain
[n
] = Certificate::required(cert
); 
 656         } else if (info
.status(CSSM_CERT_STATUS_IS_IN_ANCHORS
)) { 
 657             secinfo("trusteval", "evidence %lu from anchor cert %lu", (unsigned long)n
, (unsigned long)info
.index()); 
 658             assert(info
.index() < uint32(CFArrayGetCount(anchors
))); 
 659             SecCertificateRef cert 
= SecCertificateRef(CFArrayGetValueAtIndex(anchors
, 
 661             mCertChain
[n
] = Certificate::required(cert
); 
 663             // unknown source; make a new Certificate for it 
 664             secinfo("trusteval", "evidence %lu from unknown source", (unsigned long)n
); 
 666                 new Certificate(chain
.blobCerts()[n
], 
 667                                         CSSM_CERT_X_509v3
, CSSM_CERT_ENCODING_BER
); 
 671     // now walk the chain, leaf-to-root, checking for user settings 
 672         TrustStore 
&store 
= gStore(); 
 673         SecPointer
<Policy
> policy 
= (CFArrayGetCount(mPolicies
)) ? 
 674                 Policy::required(SecPolicyRef(CFArrayGetValueAtIndex(mPolicies
, 0))) : NULL
; 
 675         for (mResultIndex 
= 0; 
 676                         mResult 
== kSecTrustResultUnspecified 
&& mResultIndex 
< mCertChain
.size() && policy
; 
 678                 if (!mCertChain
[mResultIndex
]) { 
 682                 mResult 
= store
.find(mCertChain
[mResultIndex
], policy
, searchLibs()); 
 683                 secinfo("trusteval", "trustResult=%d from cert %d", (int)mResult
, (int)mResultIndex
); 
 689 // Release TP evidence information. 
 690 // This information is severely under-defined by CSSM, so we proceed 
 692 //  (a) If the evidence matches an Apple-defined pattern, use specific 
 693 //      knowledge of that format. 
 694 //  (b) Otherwise, assume that the void * are flat blocks of memory. 
 696 void Trust::releaseTPEvidence(TPVerifyResult 
&result
, Allocator 
&allocator
) 
 698         if (result
.count() > 0) {       // something to do 
 699                 if (result
[0].form() == CSSM_EVIDENCE_FORM_APPLE_HEADER
) { 
 700                         // Apple defined evidence form -- use intimate knowledge 
 701                         if (result
[0].as
<CSSM_TP_APPLE_EVIDENCE_HEADER
>()->Version 
== CSSM_TP_APPLE_EVIDENCE_VERSION
 
 702                                 && result
.count() == 3 
 703                                 && result
[1].form() == CSSM_EVIDENCE_FORM_APPLE_CERTGROUP
 
 704                                 && result
[2].form() == CSSM_EVIDENCE_FORM_APPLE_CERT_INFO
) { 
 706                                 CertGroup
& certs 
= *result
[1].as
<CertGroup
>(); 
 707                                 CSSM_TP_APPLE_EVIDENCE_INFO 
*evidence 
= result
[2].as
<CSSM_TP_APPLE_EVIDENCE_INFO
>(); 
 708                                 uint32 count 
= certs
.count(); 
 709                                 allocator
.free(result
[0].data());       // just a struct 
 710                                 certs
.destroy(allocator
);               // certgroup contents 
 711                                 allocator
.free(result
[1].data());       // the CertGroup itself 
 712                                 for (uint32 n 
= 0; n 
< count
; n
++) 
 713                                         allocator
.free(evidence
[n
].StatusCodes
); 
 714                                 allocator
.free(result
[2].data());       // array of (flat) info structs 
 716                                 secinfo("trusteval", "unrecognized Apple TP evidence format"); 
 717                                 // drop it -- better leak than kill 
 720                         // unknown format -- blindly assume flat blobs 
 721                         secinfo("trusteval", "destroying unknown TP evidence format"); 
 722                         for (uint32 n 
= 0; n 
< result
.count(); n
++) 
 724                                 allocator
.free(result
[n
].data()); 
 728                 allocator
.free (result
.Evidence
); 
 734 // Clear evaluation results unless state is initial (invalid) 
 736 void Trust::clearResults() 
 738         StLock
<Mutex
>_(mMutex
); 
 739         if (mResult 
!= kSecTrustResultInvalid
) { 
 740                 releaseTPEvidence(mTpResult
, mTP
.allocator()); 
 741                 mResult 
= kSecTrustResultInvalid
; 
 742                 mExtendedResult 
= NULL
; 
 748 // Build evidence information 
 750 void Trust::buildEvidence(CFArrayRef 
&certChain
, TPEvidenceInfo 
* &statusChain
) 
 752         StLock
<Mutex
>_(mMutex
); 
 753         if (mResult 
== kSecTrustResultInvalid
) 
 754                 MacOSError::throwMe(errSecTrustNotAvailable
); 
 755     certChain 
= mEvidenceReturned 
= 
 756         makeCFArrayFrom(convert
, mCertChain
); 
 757         if(mTpResult
.count() >= 3) { 
 758                 statusChain 
= mTpResult
[2].as
<TPEvidenceInfo
>(); 
 767 // Return extended result dictionary 
 769 void Trust::extendedResult(CFDictionaryRef 
&result
) 
 771         if (mResult 
== kSecTrustResultInvalid
) 
 772                 MacOSError::throwMe(errSecTrustNotAvailable
); 
 774                 CFRetain(mExtendedResult
); // retain before handing out to caller 
 775     result 
= mExtendedResult
; 
 780 // Return properties array (a CFDictionaryRef for each certificate in chain) 
 782 CFArrayRef 
Trust::properties() 
 784         // Builds and returns an array which the caller must release. 
 785         StLock
<Mutex
>_(mMutex
); 
 786         CFMutableArrayRef properties 
= CFArrayCreateMutable(NULL
, 0, 
 787                 &kCFTypeArrayCallBacks
); 
 788         if (mResult 
== kSecTrustResultInvalid
) // chain not built or evaluated 
 791         /* Get evidence pointer */ 
 792         CSSM_TP_APPLE_EVIDENCE_INFO 
*evidence 
= NULL
; 
 793         uint32 evidenceChainLen 
= 0; 
 794         if (mTpResult
.count() > 0) { 
 795                 if (mTpResult
[0].form() == CSSM_EVIDENCE_FORM_APPLE_HEADER
) { 
 796                         if (mTpResult
[0].as
<CSSM_TP_APPLE_EVIDENCE_HEADER
>()->Version 
== CSSM_TP_APPLE_EVIDENCE_VERSION
 
 797                                 && mTpResult
.count() == 3 
 798                                 && mTpResult
[1].form() == CSSM_EVIDENCE_FORM_APPLE_CERTGROUP
 
 799                                 && mTpResult
[2].form() == CSSM_EVIDENCE_FORM_APPLE_CERT_INFO
) { 
 801                                 CertGroup
& certs 
= *mTpResult
[1].as
<CertGroup
>(); 
 802                                 evidence 
= mTpResult
[2].as
<CSSM_TP_APPLE_EVIDENCE_INFO
>(); 
 803                                 evidenceChainLen 
= certs
.count(); 
 808         // Walk the chain from leaf to anchor, building properties dictionaries 
 809         for (uint32 idx
=0; idx 
< mCertChain
.size(); idx
++) { 
 810                 CFMutableDictionaryRef dict 
= CFDictionaryCreateMutable(NULL
, 0, 
 811                         &kCFTypeDictionaryKeyCallBacks
, &kCFTypeDictionaryValueCallBacks
); 
 813                         CFStringRef title 
= NULL
; 
 814                         mCertChain
[idx
]->inferLabel(false, &title
); 
 816                                 CFDictionarySetValue(dict
, (const void *)kSecPropertyTypeTitle
, (const void *)title
); 
 819                         if (idx 
== 0 && mTpReturn 
!= errSecSuccess
) { 
 820                                 CFStringRef error 
= SecCopyErrorMessageString(mTpReturn
, NULL
); 
 822                                         CFDictionarySetValue(dict
, (const void *)kSecPropertyTypeError
, (const void *)error
); 
 826                         if (idx 
< evidenceChainLen
) { 
 827                                 uint32 numCodes 
= evidence
[idx
].NumStatusCodes
; 
 828                                 sint32 reason 
= evidence
[idx
].StatusCodes
[numCodes
]; // stored at end of status codes array 
 830                                         CFNumberRef cfreason 
= CFNumberCreate(kCFAllocatorDefault
, kCFNumberSInt32Type
, &reason
); 
 832                                                 CFDictionarySetValue(dict
, (const void *)kSecTrustRevocationReason
, (const void *)cfreason
); 
 837                         CFArrayAppendValue(properties
, (const void *)dict
); 
 846 // Return dictionary of evaluation results 
 848 CFDictionaryRef 
Trust::results() 
 850         // Builds and returns a dictionary which the caller must release. 
 851         StLock
<Mutex
>_(mMutex
); 
 852         CFMutableDictionaryRef results 
= CFDictionaryCreateMutable(NULL
, 0, 
 853                         &kCFTypeDictionaryKeyCallBacks
, &kCFTypeDictionaryValueCallBacks
); 
 855         // kSecTrustResultValue 
 856         CFNumberRef numValue 
= CFNumberCreate(NULL
, kCFNumberSInt32Type
, &mResult
); 
 858                 CFDictionarySetValue(results
, (const void *)kSecTrustResultValue
, (const void *)numValue
); 
 861         if (mResult 
== kSecTrustResultInvalid 
|| !mExtendedResult
) 
 862                 return results
; // we have nothing more to add 
 864         // kSecTrustEvaluationDate 
 865         CFTypeRef evaluationDate
; 
 866         if (CFDictionaryGetValueIfPresent(mExtendedResult
, kSecTrustEvaluationDate
, &evaluationDate
)) 
 867                 CFDictionarySetValue(results
, (const void *)kSecTrustEvaluationDate
, (const void *)evaluationDate
); 
 869         // kSecTrustExtendedValidation, kSecTrustOrganizationName 
 870         CFTypeRef organizationName
; 
 871         if (CFDictionaryGetValueIfPresent(mExtendedResult
, kSecEVOrganizationName
, &organizationName
)) { 
 872                 CFDictionarySetValue(results
, (const void *)kSecTrustOrganizationName
, (const void *)organizationName
); 
 873                 CFDictionarySetValue(results
, (const void *)kSecTrustExtendedValidation
, (const void *)kCFBooleanTrue
); 
 876         // kSecTrustRevocationChecked, kSecTrustRevocationValidUntilDate 
 877         CFTypeRef expirationDate
; 
 878         if (CFDictionaryGetValueIfPresent(mExtendedResult
, kSecTrustExpirationDate
, &expirationDate
)) { 
 879                 CFDictionarySetValue(results
, (const void *)kSecTrustRevocationValidUntilDate
, (const void *)expirationDate
); 
 880                 CFDictionarySetValue(results
, (const void *)kSecTrustRevocationChecked
, (const void *)kCFBooleanTrue
); 
 888 //* =========================================================================== 
 889 //* We need a way to compare two CSSM_DL_DB_HANDLEs WITHOUT using a operator 
 891 //* =========================================================================== 
 893 bool Compare_CSSM_DL_DB_HANDLE(const CSSM_DL_DB_HANDLE 
&h1
, const CSSM_DL_DB_HANDLE 
&h2
) 
 895     return (h1
.DLHandle 
== h2
.DLHandle 
&& h1
.DBHandle 
== h2
.DBHandle
); 
 901 // Given a DL_DB_HANDLE, locate the Keychain object (from the search list) 
 903 Keychain 
Trust::keychainByDLDb(const CSSM_DL_DB_HANDLE 
&handle
) 
 905         StLock
<Mutex
>_(mMutex
); 
 906         StorageManager::KeychainList
& list 
= searchLibs(); 
 907         for (StorageManager::KeychainList::const_iterator it 
= list
.begin(); 
 908                         it 
!= list
.end(); it
++) 
 913                         if (Compare_CSSM_DL_DB_HANDLE((*it
)->database()->handle(), handle
)) 
 920         if(mUsingTrustSettings
) { 
 922                         if(Compare_CSSM_DL_DB_HANDLE(trustKeychains().rootStoreHandle(), handle
)) { 
 923                                 return trustKeychains().rootStore(); 
 925                         if(Compare_CSSM_DL_DB_HANDLE(trustKeychains().systemKcHandle(), handle
)) { 
 926                                 return trustKeychains().systemKc(); 
 930                         /* one of those is missing; proceed */ 
 934         // could not find in search list - internal error 
 936         // we now throw an error here rather than assert and silently fail.  That way our application won't crash... 
 937         MacOSError::throwMe(errSecInternal
);