]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_ocspd/common/ocspdUtils.cpp
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57740.1.18.tar.gz
[apple/security.git] / OSX / libsecurity_ocspd / common / ocspdUtils.cpp
1 /*
2 * Copyright (c) 2000,2002,2011-2012,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * ocspUtils.cpp - common utilities for OCSPD
26 */
27
28 #include "ocspdUtils.h"
29 #include "ocspdDebug.h"
30 #include <Security/cssmerr.h>
31 #include <Security/keyTemplates.h>
32 #include <CoreFoundation/CoreFoundation.h>
33
34 /*
35 * Compare two CSSM_DATAs, return CSSM_TRUE if identical.
36 */
37 CSSM_BOOL ocspdCompareCssmData(
38 const CSSM_DATA *data1,
39 const CSSM_DATA *data2)
40 {
41 if((data1 == NULL) || (data1->Data == NULL) ||
42 (data2 == NULL) || (data2->Data == NULL) ||
43 (data1->Length != data2->Length)) {
44 return CSSM_FALSE;
45 }
46 if(data1->Length != data2->Length) {
47 return CSSM_FALSE;
48 }
49 if(memcmp(data1->Data, data2->Data, data1->Length) == 0) {
50 return CSSM_TRUE;
51 }
52 else {
53 return CSSM_FALSE;
54 }
55 }
56
57 /*
58 * Convert a generalized time string, with a 4-digit year and no trailing
59 * fractional seconds or time zone info, to a CFAbsoluteTime. Returns
60 * NULL_TIME (0.0) on error.
61 */
62 static CFAbsoluteTime parseGenTime(
63 const uint8 *str,
64 uint32 len)
65 {
66 if((str == NULL) || (len == 0)) {
67 return NULL_TIME;
68 }
69
70 /* tolerate NULL terminated or not */
71 if(str[len - 1] == '\0') {
72 len--;
73 }
74 if(len < 4) {
75 return NULL_TIME;
76 }
77 char szTemp[5];
78 CFGregorianDate greg;
79 memset(&greg, 0, sizeof(greg));
80 const uint8 *cp = str;
81
82 /* YEAR */
83 szTemp[0] = *cp++;
84 szTemp[1] = *cp++;
85 szTemp[2] = *cp++;
86 szTemp[3] = *cp++;
87 szTemp[4] = '\0';
88 len -= 4;
89 greg.year = atoi(szTemp);
90
91 /* MONTH - CFGregorianDate ranges 1..12, just like the string */
92 if(len < 2) {
93 return NULL_TIME;
94 }
95 szTemp[0] = *cp++;
96 szTemp[1] = *cp++;
97 szTemp[2] = '\0';
98 len -= 2;
99 greg.month = atoi( szTemp );
100
101 /* DAY - 1..31 */
102 if(len < 2) {
103 return NULL_TIME;
104 }
105 szTemp[0] = *cp++;
106 szTemp[1] = *cp++;
107 szTemp[2] = '\0';
108 greg.day = atoi( szTemp );
109 len -= 2;
110
111 if(len >= 2) {
112 /* HOUR 0..23 */
113 szTemp[0] = *cp++;
114 szTemp[1] = *cp++;
115 szTemp[2] = '\0';
116 greg.hour = atoi( szTemp );
117 len -= 2;
118 }
119 if(len >= 2) {
120 /* MINUTE 0..59 */
121 szTemp[0] = *cp++;
122 szTemp[1] = *cp++;
123 szTemp[2] = '\0';
124 greg.minute = atoi( szTemp );
125 len -= 2;
126 }
127 if(len >= 2) {
128 /* SECOND 0..59 */
129 szTemp[0] = *cp++;
130 szTemp[1] = *cp++;
131 szTemp[2] = '\0';
132 greg.second = atoi( szTemp );
133 len -= 2;
134 }
135 return CFGregorianDateGetAbsoluteTime(greg, NULL);
136 }
137
138 /*
139 * Parse a GeneralizedTime string into a CFAbsoluteTime. Returns NULL on parse error.
140 * Fractional parts of a second are discarded.
141 */
142 CFAbsoluteTime genTimeToCFAbsTime(
143 const CSSM_DATA *strData)
144 {
145 if((strData == NULL) || (strData->Data == NULL) || (strData->Length == 0)) {
146 return NULL_TIME;
147 }
148
149 uint8 *timeStr = strData->Data;
150 size_t timeStrLen = strData->Length;
151
152 /* tolerate NULL terminated or not */
153 if(timeStr[timeStrLen - 1] == '\0') {
154 timeStrLen--;
155 }
156
157 /* start with a fresh editable copy */
158 uint8 *str = (uint8 *)malloc(timeStrLen);
159 uint32 strLen = 0;
160
161 /*
162 * If there is a decimal point, strip it and all trailing digits off
163 */
164 const uint8 *inCp = timeStr;
165 uint8 *outCp = str;
166 int foundDecimal = 0;
167 int minutesOffset = 0;
168 int hoursOffset = 0;
169 bool minusOffset = false;
170 bool isGMT = false;
171 size_t toGo = timeStrLen;
172
173 do {
174 if(*inCp == '.') {
175 if(foundDecimal) {
176 /* only legal once */ {
177 free(str);
178 return NULL_TIME;
179 }
180 }
181 foundDecimal++;
182
183 /* skip the decimal point... */
184 inCp++;
185 toGo--;
186 if(toGo == 0) {
187 /* all done */
188 break;
189 }
190 /* then all subsequent contiguous digits */
191 while(isdigit(*inCp) && (toGo != 0)) {
192 inCp++;
193 toGo--;
194 }
195 } /* decimal point processing */
196 else if((*inCp == '+') || (*inCp == '-')) {
197 /* Time zone offset - handle 2 or 4 chars */
198 if((toGo != 2) & (toGo != 4)) {
199 free(str);
200 return NULL_TIME;
201 }
202 if(*inCp == '-') {
203 minusOffset = true;
204 }
205 inCp++;
206 hoursOffset = (10 * (inCp[0] - '0')) + (inCp[1] - '0');
207 toGo -= 2;
208 if(toGo) {
209 minutesOffset = (10 * (inCp[0] - '0')) + (inCp[1] - '0');
210 toGo -= 2;
211 }
212 }
213 else {
214 *outCp++ = *inCp++;
215 strLen++;
216 toGo--;
217 }
218 } while(toGo != 0);
219
220 if(str[strLen - 1] == 'Z') {
221 isGMT = true;
222 strLen--;
223 }
224
225 CFAbsoluteTime absTime;
226 absTime = parseGenTime(str, strLen);
227 free(str);
228 if(absTime == NULL_TIME) {
229 return NULL_TIME;
230 }
231
232 /* post processing needed? */
233 if(isGMT) {
234 /* Nope, string was in GMT */
235 return absTime;
236 }
237 if((minutesOffset != 0) || (hoursOffset != 0)) {
238 /* string contained explicit offset from GMT */
239 if(minusOffset) {
240 absTime -= (minutesOffset * 60);
241 absTime -= (hoursOffset * 3600);
242 }
243 else {
244 absTime += (minutesOffset * 60);
245 absTime += (hoursOffset * 3600);
246 }
247 }
248 else {
249 /* implciit offset = local */
250 CFTimeInterval tzDelta;
251 CFTimeZoneRef localZone = CFTimeZoneCopySystem();
252 tzDelta = CFTimeZoneGetSecondsFromGMT (localZone, CFAbsoluteTimeGetCurrent());
253 CFRelease(localZone);
254 absTime += tzDelta;
255 }
256 return absTime;
257 }
258
259 /*
260 * Convert CFAbsoluteTime to generalized time string, GMT format (4 digit year,
261 * trailing 'Z'). Caller allocated the output which is GENERAL_TIME_STRLEN+1 bytes.
262 */
263 void cfAbsTimeToGgenTime(
264 CFAbsoluteTime absTime,
265 char *genTime)
266 {
267 /* time zone = GMT */
268 CFTimeZoneRef tz = CFTimeZoneCreateWithTimeIntervalFromGMT(NULL, 0.0);
269 CFGregorianDate greg = CFAbsoluteTimeGetGregorianDate(absTime, tz);
270 int seconds = (int)greg.second;
271 sprintf(genTime, "%04d%02d%02d%02d%02d%02dZ",
272 (int)greg.year, greg.month, greg.day, greg.hour,
273 greg.minute, seconds);
274 }
275
276 void ocspdSha1(
277 const void *data,
278 CC_LONG len,
279 unsigned char *md) // allocd by caller, CC_SHA1_DIGEST_LENGTH bytes
280 {
281 CC_SHA1_CTX ctx;
282 CC_SHA1_Init(&ctx);
283 CC_SHA1_Update(&ctx, data, len);
284 CC_SHA1_Final(md, &ctx);
285 }
286
287 void ocspdMD5(
288 const void *data,
289 CC_LONG len,
290 unsigned char *md) // allocd by caller, CC_MD5_DIGEST_LENGTH bytes
291 {
292 CC_MD5_CTX ctx;
293 CC_MD5_Init(&ctx);
294 CC_MD5_Update(&ctx, data, len);
295 CC_MD5_Final(md, &ctx);
296 }
297
298 void ocspdMD4(
299 const void *data,
300 CC_LONG len,
301 unsigned char *md) // allocd by caller, CC_MD4_DIGEST_LENGTH bytes
302 {
303 CC_MD4_CTX ctx;
304 CC_MD4_Init(&ctx);
305 CC_MD4_Update(&ctx, data, len);
306 CC_MD4_Final(md, &ctx);
307 }
308
309 void ocspdSHA256(
310 const void *data,
311 CC_LONG len,
312 unsigned char *md) // allocd by caller, CC_SHA256_DIGEST_LENGTH bytes
313 {
314 CC_SHA256_CTX ctx;
315 CC_SHA256_Init(&ctx);
316 CC_SHA256_Update(&ctx, data, len);
317 CC_SHA256_Final(md, &ctx);
318 }
319
320 /*
321 * How many items in a NULL-terminated array of pointers?
322 */
323 unsigned ocspdArraySize(
324 const void **array)
325 {
326 unsigned count = 0;
327 if (array) {
328 while (*array++) {
329 count++;
330 }
331 }
332 return count;
333 }
334
335 /* Fill out a CSSM_DATA with the subset of public key bytes from the given
336 * CSSM_KEY_PTR which should be hashed to produce the issuerKeyHash field
337 * of a CertID in an OCSP request.
338 *
339 * For RSA keys, this simply copies the input key pointer and length.
340 * For EC keys, we need to further deconstruct the SubjectPublicKeyInfo
341 * to obtain the key bytes (i.e. curve point) for hashing.
342 *
343 * Returns CSSM_OK on success, or non-zero error if the bytes could not
344 * be retrieved.
345 */
346 CSSM_RETURN ocspdGetPublicKeyBytes(
347 SecAsn1CoderRef coder, // optional
348 CSSM_KEY_PTR publicKey, // input public key
349 CSSM_DATA &publicKeyBytes) // filled in by this function
350 {
351 CSSM_RETURN crtn = CSSM_OK;
352 SecAsn1CoderRef _coder = NULL;
353
354 if(publicKey == NULL) {
355 crtn = CSSMERR_CSP_INVALID_KEY_POINTER;
356 goto exit;
357 }
358
359 if(coder == NULL) {
360 crtn = SecAsn1CoderCreate(&_coder);
361 if(crtn) {
362 goto exit;
363 }
364 coder = _coder;
365 }
366
367 publicKeyBytes.Length = publicKey->KeyData.Length;
368 publicKeyBytes.Data = publicKey->KeyData.Data;
369
370 if(publicKey->KeyHeader.AlgorithmId == CSSM_ALGID_ECDSA) {
371 /*
372 * For an EC key, publicKey->KeyData is a SubjectPublicKeyInfo
373 * ASN.1 sequence that includes the algorithm identifier.
374 * We only want to return the bit string portion of the key here.
375 */
376 SecAsn1PubKeyInfo pkinfo;
377 memset(&pkinfo, 0, sizeof(pkinfo));
378 if(SecAsn1Decode(coder,
379 publicKey->KeyData.Data,
380 publicKey->KeyData.Length,
381 kSecAsn1SubjectPublicKeyInfoTemplate,
382 &pkinfo) == 0) {
383 if(pkinfo.subjectPublicKey.Length &&
384 pkinfo.subjectPublicKey.Data) {
385 publicKeyBytes.Length = pkinfo.subjectPublicKey.Length >> 3;
386 publicKeyBytes.Data = pkinfo.subjectPublicKey.Data;
387 /*
388 * Important: if we allocated the SecAsn1Coder, the memory
389 * being pointed to by pkinfo.subjectPublicKey.Data will be
390 * deallocated when the coder is released below. We want to
391 * point to the identical data inside the caller's public key,
392 * now that the decoder has identified it for us.
393 */
394 if(publicKeyBytes.Length <= publicKey->KeyData.Length) {
395 publicKeyBytes.Data = (uint8*)((uintptr_t)publicKey->KeyData.Data +
396 (publicKey->KeyData.Length - publicKeyBytes.Length));
397 goto exit;
398 }
399 /* intentional fallthrough to error exit */
400 }
401 ocspdErrorLog("ocspdGetPublicKeyBytes: invalid SecAsn1PubKeyInfo\n");
402 crtn = CSSMERR_CSP_INVALID_KEY_POINTER;
403 }
404 else {
405 /* Unable to decode using kSecAsn1SubjectPublicKeyInfoTemplate.
406 * This may or may not be an error; just return the unchanged key.
407 */
408 ocspdErrorLog("ocspdGetPublicKeyBytes: unable to decode SubjectPublicKeyInfo\n");
409 }
410 }
411
412 exit:
413 if(_coder) {
414 SecAsn1CoderRelease(_coder);
415 }
416 return crtn;
417 }
mirror of Security