OSX/sec/securityd/SecCAIssuerRequest.c

   1 /*
   2  * Copyright (c) 2009-2016 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 /*
  25  * SecCAIssuerRequest.c - asynchronous CAIssuer request fetching engine.
  26  */
  27
  28
  29 #include "SecCAIssuerRequest.h"
  30 #include "SecCAIssuerCache.h"
  31
  32 #include <Security/SecInternal.h>
  33 #include <Security/SecCMS.h>
  34 #include <CoreFoundation/CFURL.h>
  35 #include <CFNetwork/CFHTTPMessage.h>
  36 #include <utilities/debugging.h>
  37 #include <Security/SecCertificateInternal.h>
  38 #include <securityd/asynchttp.h>
  39 #include <stdlib.h>
  40
  41 #define MAX_CA_ISSUERS 3
  42 #define CA_ISSUERS_REQUEST_THRESHOLD 10
  43
  44
  45 /* CA Issuer lookup code. */
  46
  47 typedef struct SecCAIssuerRequest *SecCAIssuerRequestRef;
  48 struct SecCAIssuerRequest {
  49     asynchttp_t http;   /* Must be first field. */
  50     SecCertificateRef certificate;
  51     CFArrayRef issuers; /* NONRETAINED */
  52     CFIndex issuerIX;
  53     void *context;
  54     void (*callback)(void *, CFArrayRef);
  55 };
  56
  57 static void SecCAIssuerRequestRelease(SecCAIssuerRequestRef request) {
  58     CFRelease(request->certificate);
  59     asynchttp_free(&request->http);
  60     free(request);
  61 }
  62
  63 static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) {
  64     CFIndex count = CFArrayGetCount(request->issuers);
  65     if (count >= CA_ISSUERS_REQUEST_THRESHOLD) {
  66         secnotice("caissuer", "too many caIssuer entries (%ld)", (long)count);
  67         request->callback(request->context, NULL);
  68         SecCAIssuerRequestRelease(request);
  69         return true;
  70     }
  71     while (request->issuerIX < count && request->issuerIX < MAX_CA_ISSUERS) {
  72         CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
  73                                                  request->issuerIX++);
  74         CFStringRef scheme = CFURLCopyScheme(issuer);
  75         if (scheme) {
  76             if (CFEqual(CFSTR("http"), scheme)) {
  77                 CFHTTPMessageRef msg = CFHTTPMessageCreateRequest(kCFAllocatorDefault,
  78                                                                   CFSTR("GET"), issuer, kCFHTTPVersion1_1);
  79                 if (msg) {
  80                     secinfo("caissuer", "%@", msg);
  81                     bool done = asynchttp_request(msg, 0, &request->http);
  82                     CFRelease(msg);
  83                     if (done == false) {
  84                         CFRelease(scheme);
  85                         return done;
  86                     }
  87                 }
  88                 secdebug("caissuer", "failed to get %@", issuer);
  89             } else {
  90                 secnotice("caissuer", "skipping unsupported uri %@", issuer);
  91             }
  92             CFRelease(scheme);
  93         }
  94     }
  95
  96     /* No more issuers left to try, we're done. */
  97     secdebug("caissuer", "no request issued");
  98     request->callback(request->context, NULL);
  99     SecCAIssuerRequestRelease(request);
 100     return true;
 101 }
 102
 103 /* Releases parent unconditionally, and return a CFArrayRef containing
 104    parent if the normalized subject of parent matches the normalized issuer
 105    of certificate. */
 106 static CFArrayRef SecCAIssuerConvertToParents(SecCertificateRef certificate,
 107     SecCertificateRef parent) {
 108     CFDataRef nic = SecCertificateGetNormalizedIssuerContent(certificate);
 109     CFArrayRef parents = NULL;
 110     if (parent) {
 111         CFDataRef parent_nic = SecCertificateGetNormalizedSubjectContent(parent);
 112         if (nic && parent_nic && CFEqual(nic, parent_nic)) {
 113             const void *ventry = parent;
 114             parents = CFArrayCreate(NULL, &ventry, 1, &kCFTypeArrayCallBacks);
 115         }
 116         CFRelease(parent);
 117     }
 118     return parents;
 119 }
 120
 121 #define SECONDS_PER_DAY (86400.0)
 122 static void SecCAIssuerRequestCompleted(asynchttp_t *http,
 123     CFTimeInterval maxAge) {
 124     /* Cast depends on http being first field in struct SecCAIssuerRequest. */
 125     SecCAIssuerRequestRef request = (SecCAIssuerRequestRef)http;
 126     CFDataRef data = (request->http.response ?
 127         CFHTTPMessageCopyBody(request->http.response) : NULL);
 128     if (data) {
 129         /* RFC5280 4.2.2.1:
 130         "accessLocation MUST be a uniformResourceIdentifier and the URI
 131         MUST point to either a single DER encoded certificate as speci-
 132         fied in [RFC2585] or a collection of certificates in a BER or
 133         DER encoded "certs-only" CMS message as specified in [RFC2797]." */
 134
 135         /* DER-encoded certificate */
 136         SecCertificateRef parent = SecCertificateCreateWithData(NULL, data);
 137
 138         /* "certs-only" CMS Message */
 139         if (!parent) {
 140             CFArrayRef certificates = NULL;
 141             certificates = SecCMSCertificatesOnlyMessageCopyCertificates(data);
 142             if (certificates && CFArrayGetCount(certificates) == 1) {
 143                 parent = (SecCertificateRef)CFRetainSafe(CFArrayGetValueAtIndex(certificates, 0));
 144             }
 145             CFReleaseNull(certificates);
 146         }
 147
 148         /* Retry in case the certificate is in PEM format. Some CAs
 149          incorrectly return a PEM encoded cert, despite RFC 5280 4.2.2.1 */
 150         if (!parent) {
 151             parent = SecCertificateCreateWithPEM(NULL, data);
 152         }
 153         CFRelease(data);
 154         if (parent) {
 155             /* We keep responses in the cache for at least 7 days, or longer
 156              if the http response tells us to keep it around for more. */
 157             if (maxAge < SECONDS_PER_DAY * 7)
 158                 maxAge = SECONDS_PER_DAY * 7;
 159             CFAbsoluteTime expires = CFAbsoluteTimeGetCurrent() + maxAge;
 160             CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
 161                                                      request->issuerIX - 1);
 162             SecCAIssuerCacheAddCertificate(parent, issuer, expires);
 163             CFArrayRef parents = SecCAIssuerConvertToParents(
 164                 request->certificate, parent); /* note: this releases parent */
 165             if (parents) {
 166                 secdebug("caissuer", "response: %@ good", http->response);
 167                 request->callback(request->context, parents);
 168                 CFRelease(parents);
 169                 SecCAIssuerRequestRelease(request);
 170                 return;
 171             }
 172         }
 173     }
 174
 175     secdebug("caissuer", "response: %@ not parent, trying next caissuer",
 176         http->response);
 177     SecCAIssuerRequestIssue(request);
 178 }
 179
 180 static CFArrayRef SecCAIssuerRequestCacheCopyParents(SecCertificateRef cert,
 181     CFArrayRef issuers) {
 182     CFIndex ix = 0, ex = CFArrayGetCount(issuers);
 183     for (;ix < ex; ++ix) {
 184         CFURLRef issuer = CFArrayGetValueAtIndex(issuers, ix);
 185         CFStringRef scheme = CFURLCopyScheme(issuer);
 186         if (scheme) {
 187             if (CFEqual(CFSTR("http"), scheme)) {
 188                 CFArrayRef parents = SecCAIssuerConvertToParents(cert,
 189                     SecCAIssuerCacheCopyMatching(issuer));
 190                 if (parents) {
 191                     secdebug("caissuer", "cache hit, for %@ no request issued", issuer);
 192                     CFRelease(scheme);
 193                     return parents;
 194                 }
 195             }
 196             CFRelease(scheme);
 197         }
 198     }
 199     return NULL;
 200 }
 201
 202 bool SecCAIssuerCopyParents(SecCertificateRef certificate, dispatch_queue_t queue,
 203     void *context, void (*callback)(void *, CFArrayRef)) {
 204     CFArrayRef issuers = SecCertificateGetCAIssuers(certificate);
 205     if (!issuers) {
 206         /* certificate has no caissuer urls, we're done. */
 207         callback(context, NULL);
 208         return true;
 209     }
 210
 211     CFArrayRef parents = SecCAIssuerRequestCacheCopyParents(certificate, issuers);
 212     if (parents) {
 213         callback(context, parents);
 214         CFReleaseSafe(parents);
 215         return true;
 216     }
 217
 218     /* Cache miss, let's issue a network request. */
 219     SecCAIssuerRequestRef request =
 220         (SecCAIssuerRequestRef)calloc(1, sizeof(*request));
 221     request->http.queue = queue;
 222     request->http.completed = SecCAIssuerRequestCompleted;
 223     CFRetain(certificate);
 224     request->certificate = certificate;
 225     request->issuers = issuers;
 226     request->issuerIX = 0;
 227     request->context = context;
 228     request->callback = callback;
 229
 230     return SecCAIssuerRequestIssue(request);
 231 }
 232