]> git.saurik.com Git - apple/security.git/blob - OSX/sec/securityd/SecCAIssuerRequest.c
Security-57337.40.85.tar.gz
[apple/security.git] / OSX / sec / securityd / SecCAIssuerRequest.c
1 /*
2 * Copyright (c) 2009-2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * SecCAIssuerRequest.c - asynchronous CAIssuer request fetching engine.
26 */
27
28
29 #include "SecCAIssuerRequest.h"
30 #include "SecCAIssuerCache.h"
31
32 #include <Security/SecInternal.h>
33 #include <CoreFoundation/CFURL.h>
34 #include <CFNetwork/CFHTTPMessage.h>
35 #include <utilities/debugging.h>
36 #include <Security/SecCertificateInternal.h>
37 #include <securityd/asynchttp.h>
38 #include <stdlib.h>
39
40 /* CA Issuer lookup code. */
41
42 typedef struct SecCAIssuerRequest *SecCAIssuerRequestRef;
43 struct SecCAIssuerRequest {
44 asynchttp_t http; /* Must be first field. */
45 SecCertificateRef certificate;
46 CFArrayRef issuers; /* NONRETAINED */
47 CFIndex issuerIX;
48 void *context;
49 void (*callback)(void *, CFArrayRef);
50 };
51
52 static void SecCAIssuerRequestRelease(SecCAIssuerRequestRef request) {
53 CFRelease(request->certificate);
54 asynchttp_free(&request->http);
55 free(request);
56 }
57
58 static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) {
59 while (request->issuerIX < CFArrayGetCount(request->issuers)) {
60 CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
61 request->issuerIX++);
62 CFStringRef scheme = CFURLCopyScheme(issuer);
63 if (scheme) {
64 if (CFEqual(CFSTR("http"), scheme)) {
65 CFHTTPMessageRef msg = CFHTTPMessageCreateRequest(kCFAllocatorDefault,
66 CFSTR("GET"), issuer, kCFHTTPVersion1_1);
67 if (msg) {
68 secdebug("caissuer", "%@", msg);
69 bool done = asynchttp_request(msg, &request->http);
70 CFRelease(msg);
71 if (done == false) {
72 CFRelease(scheme);
73 return done;
74 }
75 }
76 secdebug("caissuer", "failed to get %@", issuer);
77 } else {
78 secdebug("caissuer", "skipping unsupported uri %@", issuer);
79 }
80 CFRelease(scheme);
81 }
82 }
83
84 /* No more issuers left to try, we're done. */
85 secdebug("caissuer", "no request issued");
86 request->callback(request->context, NULL);
87 SecCAIssuerRequestRelease(request);
88 return true;
89 }
90
91 /* Releases parent unconditionally, and return a CFArrayRef containing
92 parent if the normalized subject of parent matches the normalized issuer
93 of certificate. */
94 static CFArrayRef SecCAIssuerConvertToParents(SecCertificateRef certificate,
95 SecCertificateRef parent) {
96 CFDataRef nic = SecCertificateGetNormalizedIssuerContent(certificate);
97 CFArrayRef parents = NULL;
98 if (parent) {
99 CFDataRef parent_nic = SecCertificateGetNormalizedSubjectContent(parent);
100 if (nic && parent_nic && CFEqual(nic, parent_nic)) {
101 const void *ventry = parent;
102 parents = CFArrayCreate(NULL, &ventry, 1, &kCFTypeArrayCallBacks);
103 }
104 CFRelease(parent);
105 }
106 return parents;
107 }
108
109 #define SECONDS_PER_DAY (86400.0)
110 static void SecCAIssuerRequestCompleted(asynchttp_t *http,
111 CFTimeInterval maxAge) {
112 /* Cast depends on http being first field in struct SecCAIssuerRequest. */
113 SecCAIssuerRequestRef request = (SecCAIssuerRequestRef)http;
114 CFDataRef data = (request->http.response ?
115 CFHTTPMessageCopyBody(request->http.response) : NULL);
116 if (data) {
117 SecCertificateRef parent = SecCertificateCreateWithData(NULL, data);
118 CFRelease(data);
119 if (parent) {
120 /* We keep responses in the cache for at least 7 days, or longer
121 if the http response tells us to keep it around for more. */
122 if (maxAge < SECONDS_PER_DAY * 7)
123 maxAge = SECONDS_PER_DAY * 7;
124 CFAbsoluteTime expires = CFAbsoluteTimeGetCurrent() + maxAge;
125 CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
126 request->issuerIX - 1);
127 SecCAIssuerCacheAddCertificate(parent, issuer, expires);
128 CFArrayRef parents = SecCAIssuerConvertToParents(
129 request->certificate, parent);
130 if (parents) {
131 secdebug("caissuer", "response: %@ good", http->response);
132 request->callback(request->context, parents);
133 CFRelease(parents);
134 SecCAIssuerRequestRelease(request);
135 return;
136 }
137 }
138 }
139
140 secdebug("caissuer", "response: %@ not parent, trying next caissuer",
141 http->response);
142 SecCAIssuerRequestIssue(request);
143 }
144
145 static CFArrayRef SecCAIssuerRequestCacheCopyParents(SecCertificateRef cert,
146 CFArrayRef issuers) {
147 CFIndex ix = 0, ex = CFArrayGetCount(issuers);
148 for (;ix < ex; ++ix) {
149 CFURLRef issuer = CFArrayGetValueAtIndex(issuers, ix);
150 CFStringRef scheme = CFURLCopyScheme(issuer);
151 if (scheme) {
152 if (CFEqual(CFSTR("http"), scheme)) {
153 CFArrayRef parents = SecCAIssuerConvertToParents(cert,
154 SecCAIssuerCacheCopyMatching(issuer));
155 if (parents) {
156 secdebug("caissuer", "cache hit, for %@ no request issued", issuer);
157 CFRelease(scheme);
158 return parents;
159 }
160 }
161 CFRelease(scheme);
162 }
163 }
164 return NULL;
165 }
166
167 bool SecCAIssuerCopyParents(SecCertificateRef certificate, dispatch_queue_t queue,
168 void *context, void (*callback)(void *, CFArrayRef)) {
169 CFArrayRef issuers = SecCertificateGetCAIssuers(certificate);
170 if (!issuers) {
171 /* certificate has no caissuer urls, we're done. */
172 callback(context, NULL);
173 return true;
174 }
175
176 CFArrayRef parents = SecCAIssuerRequestCacheCopyParents(certificate, issuers);
177 if (parents) {
178 callback(context, parents);
179 CFReleaseSafe(parents);
180 return true;
181 }
182
183 /* Cache miss, let's issue a network request. */
184 SecCAIssuerRequestRef request =
185 (SecCAIssuerRequestRef)calloc(1, sizeof(*request));
186 request->http.queue = queue;
187 request->http.completed = SecCAIssuerRequestCompleted;
188 CFRetain(certificate);
189 request->certificate = certificate;
190 request->issuers = issuers;
191 request->issuerIX = 0;
192 request->context = context;
193 request->callback = callback;
194
195 return SecCAIssuerRequestIssue(request);
196 }
197