]> git.saurik.com Git - apple/security.git/blob - OSX/sec/securityd/SecCAIssuerRequest.c
Security-57740.1.18.tar.gz
[apple/security.git] / OSX / sec / securityd / SecCAIssuerRequest.c
1 /*
2 * Copyright (c) 2009-2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 /*
25 * SecCAIssuerRequest.c - asynchronous CAIssuer request fetching engine.
26 */
27
28
29 #include "SecCAIssuerRequest.h"
30 #include "SecCAIssuerCache.h"
31
32 #include <Security/SecInternal.h>
33 #include <Security/SecCMS.h>
34 #include <CoreFoundation/CFURL.h>
35 #include <CFNetwork/CFHTTPMessage.h>
36 #include <utilities/debugging.h>
37 #include <Security/SecCertificateInternal.h>
38 #include <securityd/asynchttp.h>
39 #include <stdlib.h>
40
41 /* CA Issuer lookup code. */
42
43 typedef struct SecCAIssuerRequest *SecCAIssuerRequestRef;
44 struct SecCAIssuerRequest {
45 asynchttp_t http; /* Must be first field. */
46 SecCertificateRef certificate;
47 CFArrayRef issuers; /* NONRETAINED */
48 CFIndex issuerIX;
49 void *context;
50 void (*callback)(void *, CFArrayRef);
51 };
52
53 static void SecCAIssuerRequestRelease(SecCAIssuerRequestRef request) {
54 CFRelease(request->certificate);
55 asynchttp_free(&request->http);
56 free(request);
57 }
58
59 static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) {
60 while (request->issuerIX < CFArrayGetCount(request->issuers)) {
61 CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
62 request->issuerIX++);
63 CFStringRef scheme = CFURLCopyScheme(issuer);
64 if (scheme) {
65 if (CFEqual(CFSTR("http"), scheme)) {
66 CFHTTPMessageRef msg = CFHTTPMessageCreateRequest(kCFAllocatorDefault,
67 CFSTR("GET"), issuer, kCFHTTPVersion1_1);
68 if (msg) {
69 secinfo("caissuer", "%@", msg);
70 bool done = asynchttp_request(msg, 0, &request->http);
71 CFRelease(msg);
72 if (done == false) {
73 CFRelease(scheme);
74 return done;
75 }
76 }
77 secdebug("caissuer", "failed to get %@", issuer);
78 } else {
79 secnotice("caissuer", "skipping unsupported uri %@", issuer);
80 }
81 CFRelease(scheme);
82 }
83 }
84
85 /* No more issuers left to try, we're done. */
86 secdebug("caissuer", "no request issued");
87 request->callback(request->context, NULL);
88 SecCAIssuerRequestRelease(request);
89 return true;
90 }
91
92 /* Releases parent unconditionally, and return a CFArrayRef containing
93 parent if the normalized subject of parent matches the normalized issuer
94 of certificate. */
95 static CFArrayRef SecCAIssuerConvertToParents(SecCertificateRef certificate,
96 SecCertificateRef parent) {
97 CFDataRef nic = SecCertificateGetNormalizedIssuerContent(certificate);
98 CFArrayRef parents = NULL;
99 if (parent) {
100 CFDataRef parent_nic = SecCertificateGetNormalizedSubjectContent(parent);
101 if (nic && parent_nic && CFEqual(nic, parent_nic)) {
102 const void *ventry = parent;
103 parents = CFArrayCreate(NULL, &ventry, 1, &kCFTypeArrayCallBacks);
104 }
105 CFRelease(parent);
106 }
107 return parents;
108 }
109
110 #define SECONDS_PER_DAY (86400.0)
111 static void SecCAIssuerRequestCompleted(asynchttp_t *http,
112 CFTimeInterval maxAge) {
113 /* Cast depends on http being first field in struct SecCAIssuerRequest. */
114 SecCAIssuerRequestRef request = (SecCAIssuerRequestRef)http;
115 CFDataRef data = (request->http.response ?
116 CFHTTPMessageCopyBody(request->http.response) : NULL);
117 if (data) {
118 /* RFC5280 4.2.2.1:
119 "accessLocation MUST be a uniformResourceIdentifier and the URI
120 MUST point to either a single DER encoded certificate as speci-
121 fied in [RFC2585] or a collection of certificates in a BER or
122 DER encoded "certs-only" CMS message as specified in [RFC2797]." */
123
124 /* DER-encoded certificate */
125 SecCertificateRef parent = SecCertificateCreateWithData(NULL, data);
126
127 /* "certs-only" CMS Message */
128 if (!parent) {
129 CFArrayRef certificates = NULL;
130 certificates = SecCMSCertificatesOnlyMessageCopyCertificates(data);
131 if (certificates && CFArrayGetCount(certificates) == 1) {
132 parent = (SecCertificateRef)CFRetainSafe(CFArrayGetValueAtIndex(certificates, 0));
133 }
134 CFReleaseNull(certificates);
135 }
136
137 /* Retry in case the certificate is in PEM format. Some CAs
138 incorrectly return a PEM encoded cert, despite RFC 5280 4.2.2.1 */
139 if (!parent) {
140 parent = SecCertificateCreateWithPEM(NULL, data);
141 }
142 CFRelease(data);
143 if (parent) {
144 /* We keep responses in the cache for at least 7 days, or longer
145 if the http response tells us to keep it around for more. */
146 if (maxAge < SECONDS_PER_DAY * 7)
147 maxAge = SECONDS_PER_DAY * 7;
148 CFAbsoluteTime expires = CFAbsoluteTimeGetCurrent() + maxAge;
149 CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
150 request->issuerIX - 1);
151 SecCAIssuerCacheAddCertificate(parent, issuer, expires);
152 CFArrayRef parents = SecCAIssuerConvertToParents(
153 request->certificate, parent); /* note: this releases parent */
154 if (parents) {
155 secdebug("caissuer", "response: %@ good", http->response);
156 request->callback(request->context, parents);
157 CFRelease(parents);
158 SecCAIssuerRequestRelease(request);
159 return;
160 }
161 }
162 }
163
164 secdebug("caissuer", "response: %@ not parent, trying next caissuer",
165 http->response);
166 SecCAIssuerRequestIssue(request);
167 }
168
169 static CFArrayRef SecCAIssuerRequestCacheCopyParents(SecCertificateRef cert,
170 CFArrayRef issuers) {
171 CFIndex ix = 0, ex = CFArrayGetCount(issuers);
172 for (;ix < ex; ++ix) {
173 CFURLRef issuer = CFArrayGetValueAtIndex(issuers, ix);
174 CFStringRef scheme = CFURLCopyScheme(issuer);
175 if (scheme) {
176 if (CFEqual(CFSTR("http"), scheme)) {
177 CFArrayRef parents = SecCAIssuerConvertToParents(cert,
178 SecCAIssuerCacheCopyMatching(issuer));
179 if (parents) {
180 secdebug("caissuer", "cache hit, for %@ no request issued", issuer);
181 CFRelease(scheme);
182 return parents;
183 }
184 }
185 CFRelease(scheme);
186 }
187 }
188 return NULL;
189 }
190
191 bool SecCAIssuerCopyParents(SecCertificateRef certificate, dispatch_queue_t queue,
192 void *context, void (*callback)(void *, CFArrayRef)) {
193 CFArrayRef issuers = SecCertificateGetCAIssuers(certificate);
194 if (!issuers) {
195 /* certificate has no caissuer urls, we're done. */
196 callback(context, NULL);
197 return true;
198 }
199
200 CFArrayRef parents = SecCAIssuerRequestCacheCopyParents(certificate, issuers);
201 if (parents) {
202 callback(context, parents);
203 CFReleaseSafe(parents);
204 return true;
205 }
206
207 /* Cache miss, let's issue a network request. */
208 SecCAIssuerRequestRef request =
209 (SecCAIssuerRequestRef)calloc(1, sizeof(*request));
210 request->http.queue = queue;
211 request->http.completed = SecCAIssuerRequestCompleted;
212 CFRetain(certificate);
213 request->certificate = certificate;
214 request->issuers = issuers;
215 request->issuerIX = 0;
216 request->context = context;
217 request->callback = callback;
218
219 return SecCAIssuerRequestIssue(request);
220 }
221