--- /dev/null
+/*
+ * Copyright (c) 2000-2001,2011-2014 Apple Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please obtain
+ * a copy of the License at http://www.apple.com/publicsource and read it before
+ * using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
+ * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
+ * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
+ * specific language governing rights and limitations under the License.
+ */
+
+
+/*
+ certGroupUtils.cpp
+*/
+
+#include <Security/cssmtype.h>
+#include <Security/cssmapi.h>
+#include <Security/x509defs.h>
+#include <Security/oidscert.h>
+#include <Security/oidsalg.h>
+#include <Security/cssmapple.h>
+#include <Security/SecAsn1Coder.h>
+#include <Security/keyTemplates.h>
+
+#include "certGroupUtils.h"
+#include "tpdebugging.h"
+#include "tpTime.h"
+
+#include <string.h> /* for memcmp */
+
+
+/*
+ * Copy one CSSM_DATA to another, mallocing destination.
+ */
+void tpCopyCssmData(
+ Allocator &alloc,
+ const CSSM_DATA *src,
+ CSSM_DATA_PTR dst)
+{
+ dst->Data = (uint8 *)alloc.malloc(src->Length);
+ dst->Length = src->Length;
+ memmove(dst->Data, src->Data, src->Length);
+}
+
+/*
+ * Malloc a CSSM_DATA, copy another one to it.
+ */
+CSSM_DATA_PTR tpMallocCopyCssmData(
+ Allocator &alloc,
+ const CSSM_DATA *src)
+{
+ CSSM_DATA_PTR dst = (CSSM_DATA_PTR)alloc.malloc(sizeof(CSSM_DATA));
+ tpCopyCssmData(alloc, src, dst);
+ return dst;
+}
+
+/*
+ * Free the data referenced by a CSSM data, and optionally, the struct itself.
+ */
+void tpFreeCssmData(
+ Allocator &alloc,
+ CSSM_DATA_PTR data,
+ CSSM_BOOL freeStruct)
+{
+ if(data == NULL) {
+ return;
+ }
+ if(data->Length != 0) {
+ tpFree(alloc, data->Data);
+ }
+ if(freeStruct) {
+ tpFree(alloc, data);
+ }
+ else {
+ data->Length = 0;
+ data->Data = NULL;
+ }
+}
+
+/*
+ * Compare two CSSM_DATAs, return CSSM_TRUE if identical.
+ */
+CSSM_BOOL tpCompareCssmData(
+ const CSSM_DATA *data1,
+ const CSSM_DATA *data2)
+{
+ if((data1 == NULL) || (data1->Data == NULL) ||
+ (data2 == NULL) || (data2->Data == NULL) ||
+ (data1->Length != data2->Length)) {
+ return CSSM_FALSE;
+ }
+ if(data1->Length != data2->Length) {
+ return CSSM_FALSE;
+ }
+ if(memcmp(data1->Data, data2->Data, data1->Length) == 0) {
+ return CSSM_TRUE;
+ }
+ else {
+ return CSSM_FALSE;
+ }
+}
+
+/*
+ * Free memory via specified plugin's app-level allocator
+ */
+void tpFreePluginMemory(
+ CSSM_HANDLE hand,
+ void *p)
+{
+ CSSM_API_MEMORY_FUNCS memFuncs;
+ CSSM_RETURN crtn = CSSM_GetAPIMemoryFunctions(hand, &memFuncs);
+ if(crtn) {
+ tpErrorLog("CSSM_GetAPIMemoryFunctions failure\n");
+ /* oh well, leak and continue */
+ return;
+ }
+ memFuncs.free_func(p, memFuncs.AllocRef);
+}
+
+/*
+ * Obtain the public key blob from a cert.
+ */
+CSSM_DATA_PTR tp_CertGetPublicKey(
+ TPCertInfo *cert,
+ CSSM_DATA_PTR *valueToFree) // used in tp_CertFreePublicKey
+{
+ CSSM_RETURN crtn;
+ CSSM_DATA_PTR val;
+ CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *keyInfo;
+
+ *valueToFree = NULL;
+ crtn = cert->fetchField(&CSSMOID_X509V1SubjectPublicKeyCStruct, &val);
+ if(crtn) {
+ tpErrorLog("Error on CSSM_CL_CertGetFirstFieldValue(PublicKeyCStruct)\n");
+ return NULL;
+ }
+ *valueToFree = val;
+ keyInfo = (CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *)val->Data;
+ return &keyInfo->subjectPublicKey;
+}
+
+void tp_CertFreePublicKey(
+ CSSM_CL_HANDLE clHand,
+ CSSM_DATA_PTR value)
+{
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SubjectPublicKeyCStruct, value);
+}
+
+/*
+ * Obtain signature algorithm info from a cert.
+ */
+CSSM_X509_ALGORITHM_IDENTIFIER_PTR tp_CertGetAlgId(
+ TPCertInfo *cert,
+ CSSM_DATA_PTR *valueToFree) // used in tp_CertFreeAlgId
+{
+ CSSM_RETURN crtn;
+ CSSM_DATA_PTR val;
+
+ *valueToFree = NULL;
+ crtn = cert->fetchField(&CSSMOID_X509V1SignatureAlgorithm, &val);
+ if(crtn) {
+ tpErrorLog("Error on fetchField(CSSMOID_X509V1SignatureAlgorithm)\n");
+ return NULL;
+ }
+ *valueToFree = val;
+ return (CSSM_X509_ALGORITHM_IDENTIFIER_PTR)val->Data;
+}
+
+void tp_CertFreeAlgId(
+ CSSM_CL_HANDLE clHand,
+ CSSM_DATA_PTR value)
+{
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SignatureAlgorithm, value);
+}
+
+/*
+ * Determine if two certs - passed in encoded form - are equivalent.
+ */
+CSSM_BOOL tp_CompareCerts(
+ const CSSM_DATA *cert1,
+ const CSSM_DATA *cert2)
+{
+ return tpCompareCssmData(cert1, cert2);
+}
+
+/*
+ * Convert a C string to lower case in place. NULL terminator not needed.
+ */
+void tpToLower(
+ char *str,
+ unsigned strLen)
+{
+ for(unsigned i=0; i<strLen; i++) {
+ *str = tolower(*str);
+ str++;
+ }
+}
+
+/*
+ * Normalize an RFC822 addr-spec. This consists of converting
+ * all characters following the '@' character to lower case.
+ * A true normalizeAll results in lower-casing all characters
+ * (e.g. for iChat).
+ */
+void tpNormalizeAddrSpec(
+ char *addr,
+ unsigned addrLen,
+ bool normalizeAll)
+{
+ if (addr == NULL) {
+ tpPolicyError("tpNormalizeAddrSpec: bad addr");
+ return;
+ }
+ if(!normalizeAll) {
+ while((addrLen != 0) && (*addr != '@')) {
+ addr++;
+ addrLen--;
+ }
+ if(addrLen == 0) {
+ tpPolicyError("tpNormalizeAddrSpec: bad addr-spec");
+ return;
+ }
+ }
+ tpToLower(addr, addrLen);
+}
+
+/***
+ *** dnsName compare support.
+ *** Please do not make any changes to this code without talking to
+ *** dmitch about updating (if necessary) and running (always)
+ *** regression tests which specifically test this logic.
+ ***/
+
+/*
+ * Max length of a distinguished name component (label) we handle.
+ * Various RFCs spec this out at 63 bytes; we're just allocating space
+ * for these on the stack, so why not cut some slack.
+ */
+#define MAX_DNS_COMP_LEN 128
+
+/*
+ * Obtain the next component from a DNS Name.
+ * Caller mallocs outBuf, size >= MAX_DNS_COMP_LEN.
+ * Returns true if a component was found.
+ */
+static bool tpNextDnsComp(
+ const char *inBuf,
+ uint32 &inBufLen, // IN/OUT
+ char *outBuf, // component RETURNED here
+ uint32 &outBufLen) // RETURNED length of component
+{
+ outBufLen = 0;
+ if(inBufLen == 0) {
+ return false;
+ }
+
+ /* skip over leading '.' */
+ if(*inBuf == '.') {
+ inBuf++;
+ if(--inBufLen == 0) {
+ return false;
+ }
+ }
+
+ /* copy chars until out of data or next '.' found */
+ do {
+ if(*inBuf == '.') {
+ break;
+ }
+ *outBuf++ = *inBuf++;
+ inBufLen--;
+ outBufLen++;
+ if(outBufLen >= MAX_DNS_COMP_LEN) {
+ /* abort */
+ break;
+ }
+ } while(inBufLen != 0);
+ if(outBufLen) {
+ return true;
+ }
+ else {
+ return false;
+ }
+}
+
+/*
+ * Find location of specified substring in given bigstring. Returns
+ * pointer to start of substring in bigstring, else returns NULL.
+ */
+static const char *tpSubStr(
+ const char *bigstr,
+ uint32 bigstrLen,
+ const char *substr,
+ uint32 substrLen)
+{
+ /* stop searching substrLen chars before end of bigstr */
+ const char *endBigStr = bigstr + bigstrLen - substrLen;
+ for( ; bigstr <= endBigStr; ) {
+ if(*bigstr == *substr) {
+ /* first char match - remainder? */
+ if(substrLen == 1) {
+ /* don't count on memcmp(a,b,0) */
+ return bigstr;
+ }
+ if(!memcmp(bigstr+1, substr+1, substrLen - 1)) {
+ return bigstr;
+ }
+ }
+ bigstr++;
+ }
+ return NULL;
+}
+
+/*
+ * Compare two DNS components, with full wildcard check. We assume
+ * that no '.' chars exist (per the processing performed in
+ * tpNextDnsComp()). Returns CSSM_TRUE on match, else CSSM_FALSE.
+ */
+static CSSM_BOOL tpCompareComps(
+ const char *hostComp, // no wildcards
+ uint32 hostCompLen,
+ const char *certComp, // wildcards OK here
+ uint32 certCompLen)
+{
+ const char *endCertComp = certComp + certCompLen;
+ const char *endHostComp = hostComp + hostCompLen;
+ do {
+ /* wild card in cert name? */
+ const char *wildCard = tpSubStr(certComp, certCompLen,
+ "*", 1);
+ if(wildCard == NULL) {
+ /* no, require perfect literal match right now */
+ if((hostCompLen == certCompLen) &&
+ !memcmp(hostComp, certComp, certCompLen)) {
+ return CSSM_TRUE;
+ }
+ else {
+ return CSSM_FALSE;
+ }
+ }
+
+ if(wildCard != certComp) {
+ /*
+ * Require literal match of hostComp with certComp
+ * up until (but not including) the wildcard
+ */
+ ptrdiff_t subStrLen = wildCard - certComp;
+ if(subStrLen > hostCompLen) {
+ /* out of host name chars */
+ return CSSM_FALSE;
+ }
+ if(memcmp(certComp, hostComp, subStrLen)) {
+ return CSSM_FALSE;
+ }
+ /* OK, skip over substring */
+ hostComp += subStrLen;
+ hostCompLen -= subStrLen;
+ /* start parsing at the wildcard itself */
+ certComp = wildCard;
+ certCompLen -= subStrLen;
+ continue;
+ }
+
+ /*
+ * Currently looking at a wildcard.
+ *
+ * Find substring in hostComp which matches from the char after
+ * the wildcard up to whichever of these comes next:
+ *
+ * -- end of certComp
+ * -- another wildcard
+ */
+ wildCard++;
+ if(wildCard == endCertComp) {
+ /*
+ * -- Wild card at end of cert's DNS
+ * -- nothing else to match - rest of hostComp is the wildcard
+ * match
+ * -- done, success
+ */
+ return CSSM_TRUE;
+ }
+
+ const char *afterSubStr; // in certComp
+ afterSubStr = tpSubStr(wildCard, (uint32)(endCertComp - wildCard),
+ "*", 1);
+ if(afterSubStr == NULL) {
+ /* no more wildcards - use end of certComp */
+ afterSubStr = endCertComp;
+ }
+ uint32 subStrLen = (uint32)(afterSubStr - wildCard);
+ const char *foundSub = tpSubStr(hostComp, hostCompLen,
+ wildCard, subStrLen);
+ if(foundSub == NULL) {
+ /* No match of explicit chars */
+ return CSSM_FALSE;
+ }
+
+ /* found it - skip past this substring */
+ hostComp = foundSub + subStrLen;
+ hostCompLen = (uint32)(endHostComp - hostComp);
+ certComp = afterSubStr;
+ certCompLen = (uint32)(endCertComp - afterSubStr);
+
+ } while((hostCompLen != 0) || (certCompLen != 0));
+ if((hostCompLen == 0) && (certCompLen == 0)) {
+ return CSSM_TRUE;
+ }
+ else {
+ /* end of one but not the other */
+ return CSSM_FALSE;
+ }
+}
+
+/*
+ * Compare hostname, is presented to the TP in
+ * CSSM_APPLE_TP_SSL_OPTIONS.ServerName, to a server name obtained
+ * from the server's cert (i.e., from subjectAltName or commonName).
+ * Limited wildcard checking is performed here.
+ *
+ * The incoming hostname is assumed to have been processed by tpToLower();
+ * we'll perform that processing on certName here.
+ *
+ * Trailing '.' characters in both host names will be ignored per Radar 3996792.
+ *
+ * Returns CSSM_TRUE on match, else CSSM_FALSE.
+ */
+CSSM_BOOL tpCompareHostNames(
+ const char *hostName, // spec'd by app, tpToLower'd
+ uint32 hostNameLen,
+ char *certName, // from cert, we tpToLower
+ uint32 certNameLen)
+{
+ tpToLower(certName, certNameLen);
+
+ /* tolerate optional NULL terminators for both */
+ if(hostNameLen && (hostName[hostNameLen - 1] == '\0')) {
+ hostNameLen--;
+ }
+ if(certNameLen && (certName[certNameLen - 1] == '\0')) {
+ certNameLen--;
+ }
+
+ if((hostNameLen == 0) || (certNameLen == 0)) {
+ /* trivial case with at least one empty name */
+ if(hostNameLen == certNameLen) {
+ return CSSM_TRUE;
+ }
+ else {
+ return CSSM_FALSE;
+ }
+ }
+
+ /* trim off trailing dots */
+ if(hostName[hostNameLen - 1] == '.') {
+ hostNameLen--;
+ }
+ if(certName[certNameLen - 1] == '.') {
+ certNameLen--;
+ }
+
+ /* Case 1: exact match */
+ if((certNameLen == hostNameLen) &&
+ !memcmp(certName, hostName, certNameLen)) {
+ return CSSM_TRUE;
+ }
+
+ /*
+ * Case 2: Compare one component at a time, handling wildcards in
+ * cert's server name. The characters implicitly matched by a
+ * wildcard span only one component of a dnsName.
+ */
+ do {
+ /* get next component from each dnsName */
+ char hostComp[MAX_DNS_COMP_LEN];
+ char certComp[MAX_DNS_COMP_LEN];
+ uint32 hostCompLen;
+ uint32 certCompLen;
+
+ bool foundHost = tpNextDnsComp(hostName, hostNameLen,
+ hostComp, hostCompLen);
+ bool foundCert = tpNextDnsComp(certName, certNameLen,
+ certComp, certCompLen);
+ if(foundHost != foundCert) {
+ /* unequal number of components */
+ tpPolicyError("tpCompareHostNames: wildcard mismatch (1)");
+ return CSSM_FALSE;
+ }
+ if(!foundHost) {
+ /* normal successful termination */
+ return CSSM_TRUE;
+ }
+
+ /* compare individual components */
+ if(!tpCompareComps(hostComp, hostCompLen,
+ certComp, certCompLen)) {
+ tpPolicyError("tpCompareHostNames: wildcard mismatch (2)");
+ return CSSM_FALSE;
+ }
+
+ /* skip over this component
+ * (note: since tpNextDnsComp will first skip over a leading '.',
+ * we must make sure to skip over it here as well.)
+ */
+ if(*hostName == '.') hostName++;
+ hostName += hostCompLen;
+ if(*certName == '.') certName++;
+ certName += certCompLen;
+ } while(1);
+ /* NOT REACHED */
+ //assert(0):
+ return CSSM_FALSE;
+}
+
+/*
+ * Compare email address, is presented to the TP in
+ * CSSM_APPLE_TP_SMIME_OPTIONS.SenderEmail, to a string obtained
+ * from the sender's cert (i.e., from subjectAltName or Subject DN).
+ *
+ * Returns CSSM_TRUE on match, else CSSM_FALSE.
+ *
+ * Incoming appEmail string has already been tpNormalizeAddrSpec'd.
+ * We do that for certEmail string here.
+ */
+CSSM_BOOL tpCompareEmailAddr(
+ const char *appEmail, // spec'd by app, normalized
+ uint32 appEmailLen,
+ char *certEmail, // from cert, we normalize
+ uint32 certEmailLen,
+ bool normalizeAll) // true : lower-case all certEmail characters
+
+{
+ tpNormalizeAddrSpec(certEmail, certEmailLen, normalizeAll);
+
+ /* tolerate optional NULL terminators for both */
+ if(appEmailLen > 0 && appEmail[appEmailLen - 1] == '\0') {
+ appEmailLen--;
+ }
+ if(certEmailLen > 0 && certEmail[certEmailLen - 1] == '\0') {
+ certEmailLen--;
+ }
+ if((certEmailLen == appEmailLen) &&
+ !memcmp(certEmail, appEmail, certEmailLen)) {
+ return CSSM_TRUE;
+ }
+ else {
+ /* mismatch */
+ tpPolicyError("tpCompareEmailAddr: app/cert email addrs mismatch");
+ return CSSM_FALSE;
+ }
+}
+
+/*
+ * Check whether the provided hostName has a domainName suffix.
+ * This function does not process wildcards, and allows hostName to match
+ * any subdomain level of the provided domainName.
+ *
+ * To match, the last domainNameLen chars of hostName must equal domainName,
+ * and the character immediately preceding domainName in hostName (if any)
+ * must be a dot. This means that domainName 'bar.com' will match hostName
+ * values 'host.bar.com' or 'host.sub.bar.com', but not 'host.foobar.com'.
+ *
+ * The incoming hostname is assumed to have been processed by tpToLower();
+ * we'll perform that processing on domainName here.
+ *
+ * Trailing '.' characters in both host names will be ignored per Radar 3996792.
+ *
+ * Returns CSSM_TRUE on match, else CSSM_FALSE.
+ */
+CSSM_BOOL tpCompareDomainSuffix(
+ const char *hostName, // spec'd by app, tpToLower'd
+ uint32 hostNameLen,
+ char *domainName, // we tpToLower
+ uint32 domainNameLen)
+{
+ tpToLower(domainName, domainNameLen);
+
+ /* tolerate optional NULL terminators for both */
+ if(hostNameLen && (hostName[hostNameLen - 1] == '\0')) {
+ hostNameLen--;
+ }
+ if(domainNameLen && (domainName[domainNameLen - 1] == '\0')) {
+ domainNameLen--;
+ }
+
+ if((hostNameLen == 0) || (domainNameLen == 0)) {
+ /* trivial case with at least one empty name */
+ if(hostNameLen == domainNameLen) {
+ return CSSM_TRUE;
+ }
+ else {
+ return CSSM_FALSE;
+ }
+ }
+
+ /* trim off trailing dots */
+ if(hostName[hostNameLen - 1] == '.') {
+ hostNameLen--;
+ }
+ if(domainName[domainNameLen - 1] == '.') {
+ domainNameLen--;
+ }
+
+ /* trim off leading dot in suffix, if present */
+ if((domainNameLen > 0) && (domainName[0] == '.')) {
+ domainName++;
+ domainNameLen--;
+ }
+
+ if(hostNameLen < domainNameLen) {
+ return CSSM_FALSE;
+ }
+
+ if(memcmp(hostName+(hostNameLen-domainNameLen),domainName,domainNameLen)) {
+ return CSSM_FALSE;
+ }
+
+ /* require a dot prior to domain suffix, unless host == domain */
+ if(hostNameLen > domainNameLen) {
+ if(hostName[hostNameLen-(domainNameLen+1)] != '.') {
+ return CSSM_FALSE;
+ }
+ }
+
+ return CSSM_TRUE;
+}
+
+/*
+ * Following a CSSMOID_ECDSA_WithSpecified algorithm is an encoded
+ * ECDSA_SigAlgParams containing the digest algorithm OID. Decode and return
+ * a unified ECDSA/digest alg (e.g. CSSM_ALGID_SHA512WithECDSA).
+ * Returns nonzero on error.
+ */
+int decodeECDSA_SigAlgParams(
+ const CSSM_DATA *params,
+ CSSM_ALGORITHMS *cssmAlg) /* RETURNED */
+{
+ SecAsn1CoderRef coder = NULL;
+ if(SecAsn1CoderCreate(&coder)) {
+ tpErrorLog("***Error in SecAsn1CoderCreate()\n");
+ return -1;
+ }
+ CSSM_X509_ALGORITHM_IDENTIFIER algParams;
+ memset(&algParams, 0, sizeof(algParams));
+ int ourRtn = 0;
+ bool algFound = false;
+ if(SecAsn1DecodeData(coder, params, kSecAsn1AlgorithmIDTemplate,
+ &algParams)) {
+ tpErrorLog("***Error decoding CSSM_X509_ALGORITHM_IDENTIFIER\n");
+ ourRtn = -1;
+ goto errOut;
+ }
+ CSSM_ALGORITHMS digestAlg;
+ algFound = cssmOidToAlg(&algParams.algorithm, &digestAlg);
+ if(!algFound) {
+ tpErrorLog("***Unknown algorithm in CSSM_X509_ALGORITHM_IDENTIFIER\n");
+ ourRtn = -1;
+ goto errOut;
+ }
+ switch(digestAlg) {
+ case CSSM_ALGID_SHA1:
+ *cssmAlg = CSSM_ALGID_SHA1WithECDSA;
+ break;
+ case CSSM_ALGID_SHA224:
+ *cssmAlg = CSSM_ALGID_SHA224WithECDSA;
+ break;
+ case CSSM_ALGID_SHA256:
+ *cssmAlg = CSSM_ALGID_SHA256WithECDSA;
+ break;
+ case CSSM_ALGID_SHA384:
+ *cssmAlg = CSSM_ALGID_SHA384WithECDSA;
+ break;
+ case CSSM_ALGID_SHA512:
+ *cssmAlg = CSSM_ALGID_SHA512WithECDSA;
+ break;
+ default:
+ tpErrorLog("***Unknown algorithm in ECDSA_SigAlgParams\n");
+ ourRtn = -1;
+ }
+errOut:
+ SecAsn1CoderRelease(coder);
+ return ourRtn;
+}
+
projects / apple / security.git / blobdiff