--- /dev/null
+/*
+ * Copyright (c) 2002-2009,2011-2012,2014 Apple Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please obtain
+ * a copy of the License at http://www.apple.com/publicsource and read it before
+ * using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
+ * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
+ * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
+ * specific language governing rights and limitations under the License.
+ */
+
+
+/*
+ * TPDatabase.cpp - TP's DL/DB access functions.
+ *
+ */
+
+#include <Security/cssmtype.h>
+#include <Security/cssmapi.h>
+#include <security_cdsa_utilities/Schema.h> /* private API */
+#include <security_keychain/TrustKeychains.h> /* private SecTrustKeychainsGetMutex() */
+#include <Security/SecCertificatePriv.h> /* private SecInferLabelFromX509Name() */
+#include <Security/oidscert.h>
+#include "TPDatabase.h"
+#include "tpdebugging.h"
+#include "certGroupUtils.h"
+#include "TPCertInfo.h"
+#include "TPCrlInfo.h"
+#include "tpCrlVerify.h"
+#include "tpTime.h"
+
+
+/*
+ * Given a DL/DB, look up cert by subject name. Subsequent
+ * certs can be found using the returned result handle.
+ */
+static CSSM_DB_UNIQUE_RECORD_PTR tpCertLookup(
+ CSSM_DL_DB_HANDLE dlDb,
+ const CSSM_DATA *subjectName, // DER-encoded
+ CSSM_HANDLE_PTR resultHand, // RETURNED
+ CSSM_DATA_PTR cert) // RETURNED
+{
+ CSSM_QUERY query;
+ CSSM_SELECTION_PREDICATE predicate;
+ CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
+
+ cert->Data = NULL;
+ cert->Length = 0;
+
+ /* SWAG until cert schema nailed down */
+ predicate.DbOperator = CSSM_DB_EQUAL;
+ predicate.Attribute.Info.AttributeNameFormat =
+ CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
+ predicate.Attribute.Info.Label.AttributeName = (char*) "Subject";
+ predicate.Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
+ predicate.Attribute.Value = const_cast<CSSM_DATA_PTR>(subjectName);
+ predicate.Attribute.NumberOfValues = 1;
+
+ query.RecordType = CSSM_DL_DB_RECORD_X509_CERTIFICATE;
+ query.Conjunctive = CSSM_DB_NONE;
+ query.NumSelectionPredicates = 1;
+ query.SelectionPredicate = &predicate;
+ query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
+ query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
+ query.QueryFlags = 0; // FIXME - used?
+
+ CSSM_DL_DataGetFirst(dlDb,
+ &query,
+ resultHand,
+ NULL, // don't fetch attributes
+ cert,
+ &record);
+
+ return record;
+}
+
+/*
+ * Search a list of DBs for a cert which verifies specified subject item.
+ * Just a boolean return - we found it, or not. If we did, we return
+ * TPCertInfo associated with the raw cert.
+ * A true partialIssuerKey on return indicates that caller must deal
+ * with partial public key processing later.
+ * If verifyCurrent is true, we will not return a cert which is not
+ * temporally valid; else we may well do so.
+ */
+TPCertInfo *tpDbFindIssuerCert(
+ Allocator &alloc,
+ CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ const TPClItemInfo *subjectItem,
+ const CSSM_DL_DB_LIST *dbList,
+ const char *verifyTime, // may be NULL
+ bool &partialIssuerKey, // RETURNED
+ TPCertInfo *oldRoot)
+{
+ StLock<Mutex> _(SecTrustKeychainsGetMutex());
+
+ uint32 dbDex;
+ CSSM_HANDLE resultHand;
+ CSSM_DATA cert;
+ CSSM_DL_DB_HANDLE dlDb;
+ CSSM_DB_UNIQUE_RECORD_PTR record;
+ TPCertInfo *issuerCert = NULL;
+ bool foundIt;
+ TPCertInfo *expiredIssuer = NULL;
+ TPCertInfo *nonRootIssuer = NULL;
+
+ partialIssuerKey = false;
+ if(dbList == NULL) {
+ return NULL;
+ }
+ for(dbDex=0; dbDex<dbList->NumHandles; dbDex++) {
+ dlDb = dbList->DLDBHandle[dbDex];
+ cert.Data = NULL;
+ cert.Length = 0;
+ resultHand = 0;
+ record = tpCertLookup(dlDb,
+ subjectItem->issuerName(),
+ &resultHand,
+ &cert);
+ /* remember we have to:
+ * -- abort this query regardless, and
+ * -- free the CSSM_DATA cert regardless, and
+ * -- free the unique record if we don't use it
+ * (by placing it in issuerCert)...
+ */
+ if(record != NULL) {
+ /* Found one */
+ assert(cert.Data != NULL);
+ tpDbDebug("tpDbFindIssuerCert: found cert record (1) %p", record);
+ issuerCert = NULL;
+ CSSM_RETURN crtn = CSSM_OK;
+ try {
+ issuerCert = new TPCertInfo(clHand, cspHand, &cert, TIC_CopyData, verifyTime);
+ }
+ catch(...) {
+ crtn = CSSMERR_TP_INVALID_CERTIFICATE;
+ }
+
+ /* we're done with raw cert data */
+ tpFreePluginMemory(dlDb.DLHandle, cert.Data);
+ cert.Data = NULL;
+ cert.Length = 0;
+
+ /* Does it verify the subject cert? */
+ if(crtn == CSSM_OK) {
+ crtn = subjectItem->verifyWithIssuer(issuerCert);
+ }
+
+ /*
+ * Handle temporal invalidity - if so and this is the first one
+ * we've seen, hold on to it while we search for better one.
+ */
+ if((crtn == CSSM_OK) && (expiredIssuer == NULL)) {
+ if(issuerCert->isExpired() || issuerCert->isNotValidYet()) {
+ /*
+ * Exact value not important here, this just uniquely identifies
+ * this situation in the switch below.
+ */
+ tpDbDebug("tpDbFindIssuerCert: holding expired cert (1)");
+ crtn = CSSM_CERT_STATUS_EXPIRED;
+ expiredIssuer = issuerCert;
+ expiredIssuer->dlDbHandle(dlDb);
+ expiredIssuer->uniqueRecord(record);
+ }
+ }
+ /*
+ * Prefer a root over an intermediate issuer if we can get one
+ * (in case a cross-signed intermediate and root are both available)
+ */
+ if((crtn == CSSM_OK) && (nonRootIssuer == NULL)) {
+ if(!issuerCert->isSelfSigned()) {
+ /*
+ * Exact value not important here, this just uniquely identifies
+ * this situation in the switch below.
+ */
+ tpDbDebug("tpDbFindIssuerCert: holding non-root cert (1)");
+ crtn = CSSM_CERT_STATUS_IS_ROOT;
+ nonRootIssuer = issuerCert;
+ nonRootIssuer->dlDbHandle(dlDb);
+ nonRootIssuer->uniqueRecord(record);
+ }
+ }
+ switch(crtn) {
+ case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
+ partialIssuerKey = true;
+ break;
+ case CSSM_OK:
+ if((oldRoot == NULL) ||
+ !tp_CompareCerts(issuerCert->itemData(), oldRoot->itemData())) {
+ /* We found a new root cert which does not match the old one */
+ break;
+ }
+ /* else fall through to search for a different one */
+ default:
+ if(issuerCert != NULL) {
+ /* either holding onto this cert, or done with it. */
+ if(crtn != CSSM_CERT_STATUS_EXPIRED &&
+ crtn != CSSM_CERT_STATUS_IS_ROOT) {
+ delete issuerCert;
+ CSSM_DL_FreeUniqueRecord(dlDb, record);
+ }
+ issuerCert = NULL;
+ }
+
+ /*
+ * Continue searching this DB. Break on finding the holy
+ * grail or no more records found.
+ */
+ for(;;) {
+ cert.Data = NULL;
+ cert.Length = 0;
+ record = NULL;
+ CSSM_RETURN crtn = CSSM_DL_DataGetNext(dlDb,
+ resultHand,
+ NULL, // no attrs
+ &cert,
+ &record);
+ if(crtn) {
+ /* no more, done with this DB */
+ assert(cert.Data == NULL);
+ break;
+ }
+ assert(cert.Data != NULL);
+ tpDbDebug("tpDbFindIssuerCert: found cert record (2) %p", record);
+
+ /* found one - does it verify subject? */
+ try {
+ issuerCert = new TPCertInfo(clHand, cspHand, &cert, TIC_CopyData,
+ verifyTime);
+ }
+ catch(...) {
+ crtn = CSSMERR_TP_INVALID_CERTIFICATE;
+ }
+ /* we're done with raw cert data */
+ tpFreePluginMemory(dlDb.DLHandle, cert.Data);
+ cert.Data = NULL;
+ cert.Length = 0;
+
+ if(crtn == CSSM_OK) {
+ crtn = subjectItem->verifyWithIssuer(issuerCert);
+ }
+
+ /* temporal validity check, again */
+ if((crtn == CSSM_OK) && (expiredIssuer == NULL)) {
+ if(issuerCert->isExpired() || issuerCert->isNotValidYet()) {
+ tpDbDebug("tpDbFindIssuerCert: holding expired cert (2)");
+ crtn = CSSM_CERT_STATUS_EXPIRED;
+ expiredIssuer = issuerCert;
+ expiredIssuer->dlDbHandle(dlDb);
+ expiredIssuer->uniqueRecord(record);
+ }
+ }
+ /* self-signed check, again */
+ if((crtn == CSSM_OK) && (nonRootIssuer == NULL)) {
+ if(!issuerCert->isSelfSigned()) {
+ tpDbDebug("tpDbFindIssuerCert: holding non-root cert (2)");
+ crtn = CSSM_CERT_STATUS_IS_ROOT;
+ nonRootIssuer = issuerCert;
+ nonRootIssuer->dlDbHandle(dlDb);
+ nonRootIssuer->uniqueRecord(record);
+ }
+ }
+
+ foundIt = false;
+ switch(crtn) {
+ case CSSM_OK:
+ /* duplicate check, again */
+ if((oldRoot == NULL) ||
+ !tp_CompareCerts(issuerCert->itemData(), oldRoot->itemData())) {
+ foundIt = true;
+ }
+ break;
+ case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
+ partialIssuerKey = true;
+ foundIt = true;
+ break;
+ default:
+ break;
+ }
+ if(foundIt) {
+ /* yes! */
+ break;
+ }
+ if(issuerCert != NULL) {
+ /* either holding onto this cert, or done with it. */
+ if(crtn != CSSM_CERT_STATUS_EXPIRED &&
+ crtn != CSSM_CERT_STATUS_IS_ROOT) {
+ delete issuerCert;
+ CSSM_DL_FreeUniqueRecord(dlDb, record);
+ }
+ issuerCert = NULL;
+ }
+ } /* searching subsequent records */
+ } /* switch verify */
+
+ if(record != NULL) {
+ /* NULL record --> end of search --> DB auto-aborted */
+ crtn = CSSM_DL_DataAbortQuery(dlDb, resultHand);
+ assert(crtn == CSSM_OK);
+ }
+ if(issuerCert != NULL) {
+ /* successful return */
+ tpDbDebug("tpDbFindIssuer: returning record %p", record);
+ issuerCert->dlDbHandle(dlDb);
+ issuerCert->uniqueRecord(record);
+ if(expiredIssuer != NULL) {
+ /* We found a replacement */
+ tpDbDebug("tpDbFindIssuer: discarding expired cert");
+ expiredIssuer->freeUniqueRecord();
+ delete expiredIssuer;
+ }
+ /* Avoid deleting the non-root cert if same as expired cert */
+ if(nonRootIssuer != NULL && nonRootIssuer != expiredIssuer) {
+ /* We found a replacement */
+ tpDbDebug("tpDbFindIssuer: discarding non-root cert");
+ nonRootIssuer->freeUniqueRecord();
+ delete nonRootIssuer;
+ }
+ return issuerCert;
+ }
+ } /* tpCertLookup, i.e., CSSM_DL_DataGetFirst, succeeded */
+ else {
+ assert(cert.Data == NULL);
+ assert(resultHand == 0);
+ }
+ } /* main loop searching dbList */
+
+ if(nonRootIssuer != NULL) {
+ /* didn't find root issuer, so use this one */
+ tpDbDebug("tpDbFindIssuer: taking non-root issuer cert, record %p",
+ nonRootIssuer->uniqueRecord());
+ if(expiredIssuer != NULL && expiredIssuer != nonRootIssuer) {
+ expiredIssuer->freeUniqueRecord();
+ delete expiredIssuer;
+ }
+ return nonRootIssuer;
+ }
+
+ if(expiredIssuer != NULL) {
+ /* OK, we'll take this one */
+ tpDbDebug("tpDbFindIssuer: taking expired cert after all, record %p",
+ expiredIssuer->uniqueRecord());
+ return expiredIssuer;
+ }
+ /* issuer not found */
+ return NULL;
+}
+
+/*
+ * Given a DL/DB, look up CRL by issuer name and validity time.
+ * Subsequent CRLs can be found using the returned result handle.
+ */
+#define SEARCH_BY_DATE 1
+
+static CSSM_DB_UNIQUE_RECORD_PTR tpCrlLookup(
+ CSSM_DL_DB_HANDLE dlDb,
+ const CSSM_DATA *issuerName, // DER-encoded
+ CSSM_TIMESTRING verifyTime, // may be NULL, implies "now"
+ CSSM_HANDLE_PTR resultHand, // RETURNED
+ CSSM_DATA_PTR crl) // RETURNED
+{
+ CSSM_QUERY query;
+ CSSM_SELECTION_PREDICATE pred[3];
+ CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
+ char timeStr[CSSM_TIME_STRLEN + 1];
+
+ crl->Data = NULL;
+ crl->Length = 0;
+
+ /* Three predicates...first, the issuer name */
+ pred[0].DbOperator = CSSM_DB_EQUAL;
+ pred[0].Attribute.Info.AttributeNameFormat =
+ CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
+ pred[0].Attribute.Info.Label.AttributeName = (char*) "Issuer";
+ pred[0].Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
+ pred[0].Attribute.Value = const_cast<CSSM_DATA_PTR>(issuerName);
+ pred[0].Attribute.NumberOfValues = 1;
+
+ /* now before/after. Cook up an appropriate time string. */
+ if(verifyTime != NULL) {
+ /* Caller spec'd tolerate any format */
+ int rtn = tpTimeToCssmTimestring(verifyTime, (unsigned)strlen(verifyTime), timeStr);
+ if(rtn) {
+ tpErrorLog("tpCrlLookup: Invalid VerifyTime string\n");
+ return NULL;
+ }
+ }
+ else {
+ /* right now */
+ StLock<Mutex> _(tpTimeLock());
+ timeAtNowPlus(0, TIME_CSSM, timeStr);
+ }
+ CSSM_DATA timeData;
+ timeData.Data = (uint8 *)timeStr;
+ timeData.Length = CSSM_TIME_STRLEN;
+
+ #if SEARCH_BY_DATE
+ pred[1].DbOperator = CSSM_DB_LESS_THAN;
+ pred[1].Attribute.Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
+ pred[1].Attribute.Info.Label.AttributeName = (char*) "NextUpdate";
+ pred[1].Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
+ pred[1].Attribute.Value = &timeData;
+ pred[1].Attribute.NumberOfValues = 1;
+
+ pred[2].DbOperator = CSSM_DB_GREATER_THAN;
+ pred[2].Attribute.Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
+ pred[2].Attribute.Info.Label.AttributeName = (char*) "ThisUpdate";
+ pred[2].Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
+ pred[2].Attribute.Value = &timeData;
+ pred[2].Attribute.NumberOfValues = 1;
+ #endif
+
+ query.RecordType = CSSM_DL_DB_RECORD_X509_CRL;
+ query.Conjunctive = CSSM_DB_AND;
+ #if SEARCH_BY_DATE
+ query.NumSelectionPredicates = 3;
+ #else
+ query.NumSelectionPredicates = 1;
+ #endif
+ query.SelectionPredicate = pred;
+ query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
+ query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
+ query.QueryFlags = 0; // FIXME - used?
+
+ CSSM_DL_DataGetFirst(dlDb,
+ &query,
+ resultHand,
+ NULL, // don't fetch attributes
+ crl,
+ &record);
+ return record;
+}
+
+/*
+ * Search a list of DBs for a CRL from the specified issuer and (optional)
+ * TPVerifyContext.verifyTime.
+ * Just a boolean return - we found it, or not. If we did, we return a
+ * TPCrlInfo which has been verified with the specified TPVerifyContext.
+ */
+TPCrlInfo *tpDbFindIssuerCrl(
+ TPVerifyContext &vfyCtx,
+ const CSSM_DATA &issuer,
+ TPCertInfo &forCert)
+{
+ StLock<Mutex> _(SecTrustKeychainsGetMutex());
+
+ uint32 dbDex;
+ CSSM_HANDLE resultHand;
+ CSSM_DATA crl;
+ CSSM_DL_DB_HANDLE dlDb;
+ CSSM_DB_UNIQUE_RECORD_PTR record;
+ TPCrlInfo *issuerCrl = NULL;
+ CSSM_DL_DB_LIST_PTR dbList = vfyCtx.dbList;
+ CSSM_RETURN crtn;
+
+ if(dbList == NULL) {
+ return NULL;
+ }
+ for(dbDex=0; dbDex<dbList->NumHandles; dbDex++) {
+ dlDb = dbList->DLDBHandle[dbDex];
+ crl.Data = NULL;
+ crl.Length = 0;
+ record = tpCrlLookup(dlDb,
+ &issuer,
+ vfyCtx.verifyTime,
+ &resultHand,
+ &crl);
+ /* remember we have to:
+ * -- abort this query regardless, and
+ * -- free the CSSM_DATA crl regardless, and
+ * -- free the unique record if we don't use it
+ * (by placing it in issuerCert)...
+ */
+ if(record != NULL) {
+ /* Found one */
+ assert(crl.Data != NULL);
+ issuerCrl = new TPCrlInfo(vfyCtx.clHand,
+ vfyCtx.cspHand,
+ &crl,
+ TIC_CopyData,
+ vfyCtx.verifyTime);
+ /* we're done with raw CRL data */
+ /* FIXME this assumes that vfyCtx.alloc is the same as the
+ * allocator associated with DlDB...OK? */
+ tpFreeCssmData(vfyCtx.alloc, &crl, CSSM_FALSE);
+ crl.Data = NULL;
+ crl.Length = 0;
+
+ /* and we're done with the record */
+ CSSM_DL_FreeUniqueRecord(dlDb, record);
+
+ /* Does it verify with specified context? */
+ crtn = issuerCrl->verifyWithContextNow(vfyCtx, &forCert);
+ if(crtn) {
+
+ delete issuerCrl;
+ issuerCrl = NULL;
+
+ /*
+ * Verify fail. Continue searching this DB. Break on
+ * finding the holy grail or no more records found.
+ */
+ for(;;) {
+ crl.Data = NULL;
+ crl.Length = 0;
+ crtn = CSSM_DL_DataGetNext(dlDb,
+ resultHand,
+ NULL, // no attrs
+ &crl,
+ &record);
+ if(crtn) {
+ /* no more, done with this DB */
+ assert(crl.Data == NULL);
+ break;
+ }
+ assert(crl.Data != NULL);
+
+ /* found one - is it any good? */
+ issuerCrl = new TPCrlInfo(vfyCtx.clHand,
+ vfyCtx.cspHand,
+ &crl,
+ TIC_CopyData,
+ vfyCtx.verifyTime);
+ /* we're done with raw CRL data */
+ /* FIXME this assumes that vfyCtx.alloc is the same as the
+ * allocator associated with DlDB...OK? */
+ tpFreeCssmData(vfyCtx.alloc, &crl, CSSM_FALSE);
+ crl.Data = NULL;
+ crl.Length = 0;
+
+ CSSM_DL_FreeUniqueRecord(dlDb, record);
+
+ crtn = issuerCrl->verifyWithContextNow(vfyCtx, &forCert);
+ if(crtn == CSSM_OK) {
+ /* yes! */
+ break;
+ }
+ delete issuerCrl;
+ issuerCrl = NULL;
+ } /* searching subsequent records */
+ } /* verify fail */
+ /* else success! */
+
+ if(issuerCrl != NULL) {
+ /* successful return */
+ CSSM_DL_DataAbortQuery(dlDb, resultHand);
+ tpDebug("tpDbFindIssuerCrl: found CRL record %p", record);
+ return issuerCrl;
+ }
+ } /* tpCrlLookup, i.e., CSSM_DL_DataGetFirst, succeeded */
+ else {
+ assert(crl.Data == NULL);
+ }
+ /* in any case, abort the query for this db */
+ CSSM_DL_DataAbortQuery(dlDb, resultHand);
+
+ } /* main loop searching dbList */
+
+ /* issuer not found */
+ return NULL;
+}
+
projects / apple / security.git / blobdiff