+/*
+ * Copyright (c) 2002,2011-2012,2014 Apple Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please obtain
+ * a copy of the License at http://www.apple.com/publicsource and read it before
+ * using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
+ * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
+ * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
+ * specific language governing rights and limitations under the License.
+ */
+
+
+/*
+ * DecodedItem.cpp - class representing the common portions of
+ * NSS-format decoded certs and CRLs, with extensions parsed and
+ * decoded (still in NSS format).
+ */
+
+#include "DecodedItem.h"
+#include "cldebugging.h"
+#include "AppleX509CLSession.h"
+#include "CSPAttacher.h"
+#include "CLFieldsCommon.h"
+#include "clNssUtils.h"
+#include "clNameUtils.h"
+#include <security_asn1/SecAsn1Types.h>
+#include <Security/cssmapple.h>
+#include <Security/oidscert.h>
+
+#define MIN_EXTENSIONS 4 // initial size of *mExtensions
+
+DecodedExten::DecodedExten(
+ const CSSM_OID &extnId, // copied
+ bool critical,
+ void *nssObj, // NSS_KeyUsage, NSS_BasicConstraints,
+ // etc. NOT COPIED, exists in same
+ // memory space as coder
+ bool berEncoded, // indicates unknown extension which we
+ // do not BER-decode when parsing a cert
+ const SecAsn1Template *templ, // to decode/encode if !berEncoded
+ SecNssCoder &coder, // all local allocs from here
+ const CSSM_DATA *rawExtn) // NSS_CertExtension.value, copied to
+ // mRawExtn
+ : mCritical(critical),
+ mNssObj(nssObj),
+ mBerEncoded(berEncoded),
+ mTempl(templ),
+ mCoder(coder),
+ mRawExtn(NULL)
+{
+ coder.allocCopyItem(extnId, mExtnId);
+ if(rawExtn) {
+ mRawExtn = (CSSM_DATA *)coder.malloc(sizeof(CSSM_DATA));
+ coder.allocCopyItem(*rawExtn, *mRawExtn);
+ }
+}
+
+DecodedExten::~DecodedExten()
+{
+ /* the only stuff we allocated was in the coder pool and will be freed
+ * when coder is freed */
+}
+
+/*
+ * Given a fully encoded BER object, create a CSSM_X509EXT_TAGandVALUE
+ * representing it. We malloc the CSSM_X509EXT_TAGandVALUE itself using
+ * specified allocator, but the referent (in CSSM_X509EXT_TAGandVALUE.value)
+ * merely points to data inside the berValue.
+ */
+CSSM_X509EXT_TAGandVALUE *DecodedExten::createTagAndValue(
+ const CSSM_DATA &berValue,
+ Allocator &alloc) const
+{
+ if((berValue.Data == NULL) || (berValue.Length == 0)) {
+ return NULL;
+ }
+ CSSM_X509EXT_TAGandVALUE *tv = (CSSM_X509EXT_TAGandVALUE *)
+ alloc.malloc(sizeof(CSSM_X509EXT_TAGandVALUE));
+
+ // Important: by the time we get called, the extension data
+ // has already been deconstructed, and the raw value we are
+ // handed in berValue does not include ASN.1 type or length.
+ // Since createTagAndValue is only called in the case where
+ // the contents are unknown (and thus opaque), always treat
+ // as an octet string.
+
+ tv->type = SEC_ASN1_OCTET_STRING;
+ tv->value.Length = berValue.Length;
+ tv->value.Data = berValue.Data;
+ return tv;
+
+#if 0
+ tv->type = berValue.Data[0];
+
+ /*
+ * length of length is variable; ASN spec says it can actually be up to
+ * 127 bytes, but we only have room for 32 bits!
+ */
+ const uint8 *lp = berValue.Data + 1;
+ uint8 len1 = *lp;
+ if((len1 & 0x80) == 0) {
+ /* short form */
+ tv->value.Length = len1;
+ tv->value.Data = const_cast<uint8 *>(lp + 1);
+ return tv;
+ }
+
+ unsigned numLenBytes = len1 & 0x7f;
+ if(numLenBytes > 4) {
+ clErrorLog("createTagAndValue: impossible length of length (%u)\n", numLenBytes);
+ alloc.free(tv);
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+
+ uint32 len = 0;
+ lp++; // points to first length byte
+ for(uint32 dex=0; dex<numLenBytes; dex++) {
+ len <<= 8;
+ len += *lp;
+ lp++;
+ }
+ tv->value.Length = len;
+ tv->value.Data = const_cast<uint8 *>(lp);
+ return tv;
+#endif
+}
+
+/*
+ * Convert this extension to a CSSM_X509_EXTENSION, in the specified
+ * (app-level) alloc space, after its contents have
+ * been converted to a native CDSA object (CE_KeyUsage, etc.).
+ */
+void DecodedExten::convertToCdsa(
+ void *cdsaObj, // e.g. CE_KeyUsage
+ // CSSM_DATA_PTR for berEncoded
+ CSSM_X509_EXTENSION_PTR cssmExt, // contents RETURNED
+ Allocator &alloc) const
+{
+ clAllocCopyData(alloc, mExtnId, cssmExt->extnId);
+ cssmExt->critical = mCritical ? CSSM_TRUE : CSSM_FALSE;
+
+ /*
+ * in either case copy the raw extension data if we have it (we may not
+ * have it if this was created via setField).
+ */
+ if(mRawExtn) {
+ clAllocCopyData(alloc, *mRawExtn, cssmExt->BERvalue);
+ }
+ else {
+ cssmExt->BERvalue.Data = NULL;
+ cssmExt->BERvalue.Length = 0;
+ }
+ if(mBerEncoded) {
+ /* an extension we never parsed or understood */
+ assert(cdsaObj == NULL);
+ cssmExt->format = CSSM_X509_DATAFORMAT_ENCODED;
+ cssmExt->value.tagAndValue = createTagAndValue(cssmExt->BERvalue, alloc);
+ }
+ else {
+ /* caller sees parsed version plus raw BER-encoded bytes */
+ assert(cdsaObj != NULL);
+ cssmExt->format = CSSM_X509_DATAFORMAT_PARSED;
+ /* in app alloc's space, mallocd by getField*() */
+ cssmExt->value.parsedValue = cdsaObj;
+ }
+}
+
+/*
+ * Convert a DecodedExten to a CSSM_X509_EXTENSION. This includes
+ * the mapping of the extnId to a known CDSA type and type and doing the
+ * actual NSS-to-CDSA conversion. At the time this function is
+ * called, the DecodedExten either has a valid mNssObj, or it's an
+ * unknown extension type in which case mNssObj is an AsnOcts containing
+ * the opaquely DER-encoded extension value.
+ *
+ * Currently only used when decoding a CRL and converting it en masse
+ * to CDSA.
+ */
+template<class NssType, class CdsaType>
+void nssToCssm(
+ const DecodedExten &decodedExt,
+ NssType *&nssObj, // RETURNED
+ CdsaType *&cdsaObj, // mallocd and RETURNED
+ Allocator &alloc)
+{
+ nssObj = (NssType *)(decodedExt.nssObj());
+ assert(nssObj != NULL);
+ cdsaObj = (CdsaType *)alloc.malloc(sizeof(CdsaType));
+ memset(cdsaObj, 0, sizeof(CdsaType));
+}
+
+void DecodedExten::parse(
+ CSSM_X509_EXTENSION_PTR cssmExt, // mallocd by caller, RETURNED
+ Allocator &alloc) const
+{
+ void *vCdsaObj = NULL;
+ if(mBerEncoded) {
+ /* non-understood extension */
+ convertToCdsa(NULL, cssmExt, alloc);
+ return;
+ }
+ if(clCompareCssmData(&mExtnId, &CSSMOID_AuthorityKeyIdentifier)) {
+ CE_AuthorityKeyID *cdsaObj;
+ NSS_AuthorityKeyId *nssObj;
+ nssToCssm<NSS_AuthorityKeyId, CE_AuthorityKeyID>(
+ *this,
+ nssObj,
+ cdsaObj,
+ alloc);
+ CL_nssAuthorityKeyIdToCssm(*nssObj, *cdsaObj, mCoder, alloc);
+ vCdsaObj = cdsaObj;
+ }
+ /* same encoding (uint32) for all of these: */
+ else if(clCompareCssmData(&mExtnId, &CSSMOID_CrlNumber) ||
+ clCompareCssmData(&mExtnId, &CSSMOID_DeltaCrlIndicator) ||
+ clCompareCssmData(&mExtnId, &CSSMOID_CrlReason)) {
+ CE_CrlNumber *cdsaObj;
+ CSSM_DATA *nssObj;
+ nssToCssm<CSSM_DATA, CE_CrlNumber>(
+ *this,
+ nssObj,
+ cdsaObj,
+ alloc);
+ CSSM_RETURN toThrow;
+ if(clCompareCssmData(&mExtnId, &CSSMOID_CrlReason)) {
+ toThrow = CSSMERR_CL_INVALID_CRL_POINTER;
+ }
+ else {
+ /* tolerate crlNumber > 4 bytes */
+ toThrow = CSSM_OK;
+ }
+ *cdsaObj = clDataToInt(*nssObj, toThrow);
+ vCdsaObj = cdsaObj;
+ }
+ /* same encoding (GeneralNames) for all of these: */
+ else if(clCompareCssmData(&mExtnId, &CSSMOID_IssuerAltName) ||
+ clCompareCssmData(&mExtnId, &CSSMOID_SubjectAltName) ||
+ clCompareCssmData(&mExtnId, &CSSMOID_CertIssuer)) {
+ CE_GeneralNames *cdsaObj;
+ NSS_GeneralNames *nssObj;
+ nssToCssm<NSS_GeneralNames, CE_GeneralNames>(
+ *this,
+ nssObj,
+ cdsaObj,
+ alloc);
+ CL_nssGeneralNamesToCssm(*nssObj, *cdsaObj, mCoder, alloc);
+ vCdsaObj = cdsaObj;
+ }
+ else if(clCompareCssmData(&mExtnId, &CSSMOID_IssuingDistributionPoint)) {
+ CE_IssuingDistributionPoint *cdsaObj;
+ NSS_IssuingDistributionPoint *nssObj;
+ nssToCssm<NSS_IssuingDistributionPoint, CE_IssuingDistributionPoint>(
+ *this,
+ nssObj,
+ cdsaObj,
+ alloc);
+ CL_nssIssuingDistPointToCssm(nssObj, cdsaObj, mCoder, alloc);
+ vCdsaObj = cdsaObj;
+ }
+ /*
+ <rdar://problem/9580989> CrashTracer: [USER] 48 crashes in WebProcess at ...
+ This code should not normally be executed, since it seems from RFC5280 that
+ CSSMOID_IssuingDistributionPoint is the correct extension to use.
+ */
+ else if(clCompareCssmData(&mExtnId, &CSSMOID_CrlDistributionPoints)) {
+ CE_CRLDistPointsSyntax *cdsaObj;
+ NSS_CRLDistributionPoints *nssObj;
+ nssToCssm<NSS_CRLDistributionPoints, CE_CRLDistPointsSyntax>(
+ *this,
+ nssObj,
+ cdsaObj,
+ alloc);
+ CL_nssDistPointsToCssm((const NSS_CRLDistributionPoints&)*nssObj, *cdsaObj, mCoder, alloc);
+ vCdsaObj = cdsaObj;
+ }
+ /*
+ * cert entry extensions
+ */
+ else if(clCompareCssmData(&mExtnId, &CSSMOID_HoldInstructionCode)) {
+ /* value is just an OID */
+ CSSM_OID *cdsaObj;
+ CSSM_DATA *nssObj;
+ nssToCssm<CSSM_DATA, CSSM_OID>(
+ *this,
+ nssObj,
+ cdsaObj,
+ alloc);
+ clAllocCopyData(alloc, *nssObj, *cdsaObj);
+ vCdsaObj = cdsaObj;
+ }
+ else if(clCompareCssmData(&mExtnId, &CSSMOID_InvalidityDate)) {
+ /* GeneralizedTime */
+ CSSM_DATA *cdsaObj;
+ CSSM_DATA *nssObj;
+ nssToCssm<CSSM_DATA, CSSM_DATA>(
+ *this,
+ nssObj,
+ cdsaObj,
+ alloc);
+ clAllocCopyData(alloc, *nssObj, *cdsaObj);
+ vCdsaObj = cdsaObj;
+ }
+ else {
+ /* if we get here, this routine is not keeping up with
+ * clOidToNssInfo() */
+ // assert(0);
+ CssmError::throwMe(CSSMERR_CL_INTERNAL_ERROR);
+ }
+ convertToCdsa(vCdsaObj, cssmExt, alloc);
+}
+
+
+#pragma mark ------ DecodedExtensions ------
+
+/*
+ * A variable-size array of DecodedExtens.
+ * Used for storing cert and CRL extensions as well as per-CRL-entry
+ * extensions.
+ */
+DecodedExtensions::DecodedExtensions(
+ SecNssCoder &coder,
+ Allocator &alloc)
+ : mCoder(coder),
+ mAlloc(alloc),
+ mExtensions(NULL),
+ mNumExtensions(0),
+ mSizeofExtensions(0)
+{
+
+}
+
+DecodedExtensions::~DecodedExtensions()
+{
+ for(unsigned i=0; i<mNumExtensions; i++) {
+ assert(mExtensions[i] != NULL);
+ delete mExtensions[i];
+ }
+ mAlloc.free(mExtensions);
+ mExtensions = NULL;
+ mNumExtensions = 0;
+ mSizeofExtensions = 0;
+}
+
+
+/*
+ * Initialize by decoding a NSS-style NSS_CertExtension array.
+ * This involves figuring out what kind of object is represented in the
+ * octet string in the extension, decoding it, and appending the resulting
+ * NSS object to mExtensions in the form of a DecodedExten.
+ *
+ * Called when decoding either a cert or a CRL (for caching it or
+ * getting its fields) or a cert template (only via
+ * CertGetAllTemplateFields()).
+ */
+void DecodedExtensions::decodeFromNss(
+ NSS_CertExtension **extensions)
+{
+ if(extensions == NULL) {
+ /* OK, no extensions present */
+ return;
+ }
+ unsigned numExtens = clNssArraySize((const void **)extensions);
+
+ /* traverse extension list */
+ for(unsigned dex=0; dex<numExtens; dex++) {
+ NSS_CertExtension *nssExten = extensions[dex];
+
+ /*
+ * For this extension->extnId, cook up an appropriate
+ * NSS-specific type (NSS_KeyUsage, etc.);
+ */
+ CSSM_DATA &rawExtn = nssExten->value;
+ bool berEncoded = false;
+ bool found; // we understand this OID
+ unsigned nssObjLen; // size of associated NSS object
+ const SecAsn1Template *templ = NULL; // template for decoding
+ void *nssObj = NULL; // decode destination
+ found = clOidToNssInfo(nssExten->extnId, nssObjLen, templ);
+ if(!found) {
+ /*
+ * We don't know how to deal with this.
+ */
+ berEncoded = true;
+ }
+ else {
+ /*
+ * Create NSS-style object specific to this extension, just
+ * by knowing its length and ASN template.
+ * Decode the extensions's extnValue into that object. We don't
+ * have to know what kind of object it is anymore.
+ */
+ assert(templ != NULL);
+ nssObj = mCoder.malloc(nssObjLen);
+ memset(nssObj, 0, nssObjLen);
+ PRErrorCode prtn;
+ prtn = mCoder.decodeItem(rawExtn, templ, nssObj);
+ if(prtn) {
+ /*
+ * FIXME - what do we do here? For now flag it
+ * as an non-understood extension...
+ */
+ clErrorLog("decodeExtensions: extension decode error\n");
+ nssObj = NULL;
+ berEncoded = true;
+ }
+ }
+ if((nssObj != NULL) || berEncoded) {
+ /* append if the decode was successful */
+ addExtension(nssExten->extnId,
+ clNssBoolToCssm(nssExten->critical),
+ nssObj,
+ berEncoded,
+ templ,
+ &rawExtn);
+ }
+ }
+}
+
+/*
+ * Encode into a NSS-style Extensions.
+ *
+ * Each extension object, currently stored as some AsnType subclass,
+ * is BER-encoded and the result is stored as an octet string
+ * (AsnOcts) in a new Extension object in the TBS.
+ *
+ * Called from {Crl,Cert}CreateTemplate via encode{Tbs,Cts}().
+ */
+void DecodedExtensions::encodeToNss(
+ NSS_CertExtension **&extensions)
+{
+ assert(extensions == NULL);
+
+ if(mNumExtensions == 0) {
+ /* no extensions, no error */
+ return;
+ }
+
+ /* malloc a NULL_terminated array of NSS_CertExtension pointers */
+ unsigned len = (mNumExtensions + 1) * sizeof(NSS_CertExtension *);
+ extensions = (NSS_CertExtension **)mCoder.malloc(len);
+ memset(extensions, 0, len);
+
+ /* grind thru our DecodedExtens, creating an NSS_CertExtension for
+ * each one */
+ for(unsigned extenDex=0; extenDex<mNumExtensions; extenDex++) {
+ NSS_CertExtension *thisNssExten =
+ (NSS_CertExtension *)mCoder.malloc(sizeof(NSS_CertExtension));
+ memset(thisNssExten, 0, sizeof(NSS_CertExtension));
+ extensions[extenDex] = thisNssExten;
+
+ const DecodedExten *decodedExt = getExtension(extenDex);
+
+ /* BER-encode the extension object if appropriate */
+ if(decodedExt->berEncoded()) {
+ /* unknown extension type, it's already encoded */
+ const CSSM_DATA *srcBer = (const CSSM_DATA *)decodedExt->rawExtn();
+ assert(srcBer != NULL);
+ mCoder.allocCopyItem(*srcBer, thisNssExten->value);
+ }
+ else {
+ PRErrorCode prtn;
+ prtn = mCoder.encodeItem(decodedExt->nssObj(),
+ decodedExt->templ(), thisNssExten->value);
+ if(prtn) {
+ clErrorLog("encodeToNss: extension encode error");
+ CssmError::throwMe(CSSMERR_CL_INTERNAL_ERROR);
+ }
+ }
+ ArenaAllocator arenaAlloc(mCoder);
+ if(decodedExt->critical()) {
+ /* optional, default false */
+ clCssmBoolToNss(CSSM_TRUE, thisNssExten->critical, arenaAlloc);
+ }
+ mCoder.allocCopyItem(decodedExt->extnId(), thisNssExten->extnId);
+ }
+}
+
+/* add/retrieve entries */
+void DecodedExtensions::addExtension(
+ const CSSM_OID &extnId, // copied
+ bool critical,
+ void *nssObj, // NSS_KeyUsage, NSS_BasicConstraints,
+ // etc. NOT COPIED, exists in same
+ // memory space as coder
+ bool berEncoded, // indicates unknown extension which we
+ // do not BER-decode when parsing a cert
+ const SecAsn1Template *templ, // required if !berEncoded
+ const CSSM_DATA *rawExtn) // NSS_CertExtension.value, copied,
+ // optional (not present during a
+ // SetField op)
+{
+ if(mNumExtensions == mSizeofExtensions) {
+ /* expand by doubling, or initial malloc */
+ mSizeofExtensions = mNumExtensions ?
+ (2 * mNumExtensions) : MIN_EXTENSIONS;
+ mExtensions = (DecodedExten **)mAlloc.realloc(
+ mExtensions, mSizeofExtensions * sizeof(DecodedExten));
+ }
+ mExtensions[mNumExtensions++] = new DecodedExten(extnId,
+ critical, nssObj, berEncoded, templ, mCoder, rawExtn);
+}
+
+const DecodedExten *DecodedExtensions::getExtension(
+ unsigned extenDex) const
+{
+ assert(extenDex < mNumExtensions);
+ return mExtensions[extenDex];
+}
+
+/* Convert to CSSM_X509_EXTENSIONS */
+/* Currently only used when decoding a CRL and converting it en masse
+ * to CDSA */
+void DecodedExtensions::convertToCdsa(
+ CSSM_X509_EXTENSIONS &cssmExtens,
+ Allocator &alloc) const
+{
+ memset(&cssmExtens, 0, sizeof(cssmExtens));
+ if(mNumExtensions == 0) {
+ return;
+ }
+ cssmExtens.extensions = (CSSM_X509_EXTENSION_PTR)alloc.malloc(
+ sizeof(CSSM_X509_EXTENSION) * mNumExtensions);
+ memset(cssmExtens.extensions, 0,
+ sizeof(CSSM_X509_EXTENSION) * mNumExtensions);
+ cssmExtens.numberOfExtensions = mNumExtensions;
+ for(unsigned dex=0; dex<mNumExtensions; dex++) {
+ try {
+ getExtension(dex)->parse(&cssmExtens.extensions[dex], alloc);
+ }
+ catch(...) {
+ /* FIXME - what now? */
+ clFieldLog("DecodedExtensions:convertToCdsa: extension "
+ "decode error");
+ }
+ }
+}
+
projects / apple / security.git / blobdiff