--- /dev/null
+/*
+ * Copyright (c) 2000-2001,2011-2014 Apple Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please obtain
+ * a copy of the License at http://www.apple.com/publicsource and read it before
+ * using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
+ * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
+ * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
+ * specific language governing rights and limitations under the License.
+ */
+
+
+/*
+ * tpCertGroup.cpp - Cert group functions (construct, verify)
+ */
+
+#include "AppleTPSession.h"
+#include "certGroupUtils.h"
+#include "TPCertInfo.h"
+#include "TPCrlInfo.h"
+#include "tpCertAllowList.h"
+#include "tpPolicies.h"
+#include "tpdebugging.h"
+#include "tpCrlVerify.h"
+#include <Security/oidsalg.h>
+#include <Security/cssmapple.h>
+
+/*
+ * This is a temporary hack to allow verification of PKINIT server certs
+ * which are self-signed and not in the system anchors list. If the self-
+ * signed cert is in a magic keychain (whose location is not published),
+ * we'll allow it as if it were indeed a full-fledged anchor cert.
+ */
+#define TP_PKINIT_SERVER_HACK 1
+#if TP_PKINIT_SERVER_HACK
+
+#include <Security/SecKeychain.h>
+#include <Security/SecKeychainSearch.h>
+#include <Security/SecCertificate.h>
+#include <Security/oidscert.h>
+#include <sys/types.h>
+#include <pwd.h>
+
+#define CFRELEASE(cf) if(cf) { CFRelease(cf); }
+
+/*
+ * Returns true if we are to allow/trust the specified
+ * cert as a PKINIT-only anchor.
+ */
+static bool tpCheckPkinitServerCert(
+ TPCertGroup &certGroup)
+{
+ /*
+ * Basic requirement: exactly one cert, self-signed.
+ * The numCerts == 1 requirement might change...
+ */
+ unsigned numCerts = certGroup.numCerts();
+ if(numCerts != 1) {
+ tpDebug("tpCheckPkinitServerCert: too many certs");
+ return false;
+ }
+ /* end of chain... */
+ TPCertInfo *theCert = certGroup.certAtIndex(numCerts - 1);
+ if(!theCert->isSelfSigned()) {
+ tpDebug("tpCheckPkinitServerCert: 1 cert, not self-signed");
+ return false;
+ }
+ const CSSM_DATA *subjectName = theCert->subjectName();
+
+ /*
+ * Open the magic keychain.
+ * We're going up and over the Sec layer here, not generally
+ * kosher, but this is a hack.
+ */
+ OSStatus ortn;
+ SecKeychainRef kcRef = NULL;
+ string fullPathName;
+ const char *homeDir = getenv("HOME");
+ if (homeDir == NULL)
+ {
+ // If $HOME is unset get the current user's home directory
+ // from the passwd file.
+ uid_t uid = geteuid();
+ if (!uid) uid = getuid();
+ struct passwd *pw = getpwuid(uid);
+ if (!pw) {
+ return false;
+ }
+ homeDir = pw->pw_dir;
+ }
+ fullPathName = homeDir;
+ fullPathName += "/Library/Application Support/PKINIT/TrustedServers.keychain";
+ ortn = SecKeychainOpen(fullPathName.c_str(), &kcRef);
+ if(ortn) {
+ tpDebug("tpCheckPkinitServerCert: keychain not found (1)");
+ return false;
+ }
+ /* subsequent errors to errOut: */
+
+ bool ourRtn = false;
+ SecKeychainStatus kcStatus;
+ CSSM_DATA_PTR subjSerial = NULL;
+ CSSM_RETURN crtn;
+ SecKeychainSearchRef srchRef = NULL;
+ SecKeychainAttributeList attrList;
+ SecKeychainAttribute attrs[2];
+ SecKeychainItemRef foundItem = NULL;
+
+ ortn = SecKeychainGetStatus(kcRef, &kcStatus);
+ if(ortn) {
+ tpDebug("tpCheckPkinitServerCert: keychain not found (2)");
+ goto errOut;
+ }
+
+ /*
+ * We already have this cert's normalized name; get its
+ * serial number.
+ */
+ crtn = theCert->fetchField(&CSSMOID_X509V1SerialNumber, &subjSerial);
+ if(crtn) {
+ /* should never happen */
+ tpDebug("tpCheckPkinitServerCert: error fetching serial number");
+ goto errOut;
+ }
+
+ attrs[0].tag = kSecSubjectItemAttr;
+ attrs[0].length = (UInt32)subjectName->Length;
+ attrs[0].data = subjectName->Data;
+ attrs[1].tag = kSecSerialNumberItemAttr;
+ attrs[1].length = (UInt32)subjSerial->Length;
+ attrs[1].data = subjSerial->Data;
+ attrList.count = 2;
+ attrList.attr = attrs;
+
+ ortn = SecKeychainSearchCreateFromAttributes(kcRef,
+ kSecCertificateItemClass,
+ &attrList,
+ &srchRef);
+ if(ortn) {
+ tpDebug("tpCheckPkinitServerCert: search failure");
+ goto errOut;
+ }
+ for(;;) {
+ ortn = SecKeychainSearchCopyNext(srchRef, &foundItem);
+ if(ortn) {
+ tpDebug("tpCheckPkinitServerCert: end search");
+ break;
+ }
+
+ /* found a matching cert; do byte-for-byte compare */
+ CSSM_DATA certData;
+ ortn = SecCertificateGetData((SecCertificateRef)foundItem, &certData);
+ if(ortn) {
+ tpDebug("tpCheckPkinitServerCert: SecCertificateGetData failure");
+ continue;
+ }
+ if(tpCompareCssmData(&certData, theCert->itemData())){
+ tpDebug("tpCheckPkinitServerCert: FOUND CERT");
+ ourRtn = true;
+ break;
+ }
+ tpDebug("tpCheckPkinitServerCert: skipping matching cert");
+ CFRelease(foundItem);
+ foundItem = NULL;
+ }
+errOut:
+ CFRELEASE(kcRef);
+ CFRELEASE(srchRef);
+ CFRELEASE(foundItem);
+ if(subjSerial != NULL) {
+ theCert->freeField(&CSSMOID_X509V1SerialNumber, subjSerial);
+ }
+ return ourRtn;
+}
+#endif /* TP_PKINIT_SERVER_HACK */
+
+/*-----------------------------------------------------------------------------
+ * CertGroupConstruct
+ *
+ * Description:
+ * This function returns a pointer to a mallocd CSSM_CERTGROUP which
+ * refers to a mallocd list of raw ordered X.509 certs which verify back as
+ * far as the TP is able to go. The first cert of the returned list is the
+ * subject cert. The TP will attempt to search thru the DBs passed in
+ * DBList in order to complete the chain. The chain is completed when a
+ * self-signed (root) cert is found in the chain. The root cert may be
+ * present in the input CertGroupFrag, or it may have been obtained from
+ * one of the DBs passed in DBList. It is not an error if no root cert is
+ * found.
+ *
+ * The error conditions are:
+ * -- The first cert of CertGroupFrag is an invalid cert. NULL is returned,
+ * err = CSSM_TP_INVALID_CERTIFICATE.
+ * -- The root cert (if found) fails to verify. Valid certgroup is returned,
+ * err = CSSMERR_TP_VERIFICATION_FAILURE.
+ * -- Any cert in the (possibly partially) constructed chain has expired or
+ * isn't valid yet, err = CSSMERR_TP_CERT_EXPIRED or
+ * CSSMERR_TP_CERT_NOT_VALID_YET. A CertGroup is returned.
+ * -- CSSMERR_TP_CERT_EXPIRED and CSSMERR_TP_CERT_NOT_VALID_YET. If one of these
+ * conditions obtains for the first (leaf) cert, the function throws this
+ * error immediately and the outgoing cert group is empty. For subsequent certs,
+ * the temporal validity of a cert is only tested AFTER a cert successfully
+ * meets the cert chaining criteria (subject/issuer match and signature
+ * verify). A cert in a chain with this error is not added to the outgoing
+ * cert group.
+ * -- the usual errors like bad handle or memory failure.
+ *
+ * Parameters:
+ * Two handles - to an open CL and CSP. The CSP must be capable of
+ * dealing with the signature algorithms used by the certs. The CL must be
+ * an X.509-savvy CL.
+ *
+ * CertGroupFrag, an unordered array of raw X.509 certs in the form of a
+ * CSSM_CERTGROUP_PTR. The first cert of this list is the subject cert
+ * which is eventually to be verified. The other certs can be in any order
+ * and may not even have any relevance to the cert chain being constructed.
+ * They may also be invalid certs.
+ *
+ * DBList, a list of DB/DL handles which may contain certs necessary to
+ * complete the desired cert chain. (Not currently implemented.)
+ *
+ *---------------------------------------------------------------------------*/
+
+/* public version */
+void AppleTPSession::CertGroupConstruct(CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ const CSSM_DL_DB_LIST &DBList,
+ const void *ConstructParams,
+ const CSSM_CERTGROUP &CertGroupFrag,
+ CSSM_CERTGROUP_PTR &CertGroup)
+{
+ TPCertGroup outCertGroup(*this, TGO_Caller);
+ TPCertGroup inCertGroup(CertGroupFrag,
+ clHand,
+ cspHand,
+ *this,
+ NULL, // cssmTimeStr
+ true, // firstCertMustBeValid
+ TGO_Group);
+
+ /* set up for disposal of TPCertInfos created by CertGroupConstructPriv */
+ TPCertGroup gatheredCerts(*this, TGO_Group);
+
+ CSSM_RETURN constructReturn = CSSM_OK;
+ CSSM_APPLE_TP_ACTION_FLAGS actionFlags = 0;
+ CSSM_BOOL verifiedToRoot; // not used
+ CSSM_BOOL verifiedToAnchor; // not used
+ CSSM_BOOL verifiedViaTrustSetting; // not used
+
+ try {
+ CertGroupConstructPriv(clHand,
+ cspHand,
+ inCertGroup,
+ &DBList,
+ NULL, // cssmTimeStr
+ /* no anchors */
+ 0, NULL,
+ actionFlags,
+ /* no user trust */
+ NULL, NULL, 0, 0,
+ gatheredCerts,
+ verifiedToRoot,
+ verifiedToAnchor,
+ verifiedViaTrustSetting,
+ outCertGroup);
+ }
+ catch(const CssmError &cerr) {
+ constructReturn = cerr.error;
+ /* abort if no certs found */
+ if(outCertGroup.numCerts() == 0) {
+ CssmError::throwMe(constructReturn);
+ }
+ }
+ CertGroup = outCertGroup.buildCssmCertGroup();
+ /* caller of this function never gets evidence... */
+ outCertGroup.freeDbRecords();
+
+ if(constructReturn) {
+ CssmError::throwMe(constructReturn);
+ }
+}
+
+
+/*
+ * Private version of CertGroupConstruct, used by CertGroupConstruct and
+ * CertGroupVerify. Populates a TP-style TPCertGroup for further processing.
+ * This only throws CSSM-style exceptions in the following cases:
+ *
+ * -- input parameter errors
+ * -- the first (leaf) cert is bad (doesn't parse, expired, not valid yet).
+ * -- root found but it doesn't self-verify
+ *
+ * All other cert-related errors simply result in the bad cert being ignored.
+ * Other exceptions are gross system errors like malloc failure.
+ */
+void AppleTPSession::CertGroupConstructPriv(CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ TPCertGroup &inCertGroup,
+ const CSSM_DL_DB_LIST *DBList, // optional here
+ const char *cssmTimeStr, // optional
+
+ /* trusted anchors, optional */
+ /* FIXME - maybe this should be a TPCertGroup */
+ uint32 numAnchorCerts,
+ const CSSM_DATA *anchorCerts,
+
+ /* CSSM_TP_ACTION_FETCH_CERT_FROM_NET, CSSM_TP_ACTION_TRUST_SETTINGS */
+ CSSM_APPLE_TP_ACTION_FLAGS actionFlags,
+
+ /* optional user trust parameters */
+ const CSSM_OID *policyOid,
+ const char *policyStr,
+ uint32 policyStrLen,
+ SecTrustSettingsKeyUsage keyUse,
+
+ /*
+ * Certs to be freed by caller (i.e., TPCertInfo which we allocate
+ * as a result of using a cert from anchorCerts or dbList) are added
+ * to this group.
+ */
+ TPCertGroup &certsToBeFreed,
+
+ /* returned */
+ CSSM_BOOL &verifiedToRoot, // end of chain self-verifies
+ CSSM_BOOL &verifiedToAnchor, // end of chain in anchors
+ CSSM_BOOL &verifiedViaTrustSetting, // chain ends per User Trust setting
+ TPCertGroup &outCertGroup) // RETURNED
+{
+ TPCertInfo *subjectCert; // the one we're working on
+ CSSM_RETURN outErr = CSSM_OK;
+
+ /* this'll be the first subject cert in the main loop */
+ subjectCert = inCertGroup.certAtIndex(0);
+
+ /* Append leaf cert to outCertGroup */
+ outCertGroup.appendCert(subjectCert);
+ subjectCert->isLeaf(true);
+ subjectCert->isFromInputCerts(true);
+ outCertGroup.setAllUnused();
+ subjectCert->used(true);
+
+ outErr = outCertGroup.buildCertGroup(
+ *subjectCert,
+ &inCertGroup,
+ DBList,
+ clHand,
+ cspHand,
+ cssmTimeStr,
+ numAnchorCerts,
+ anchorCerts,
+ certsToBeFreed,
+ &certsToBeFreed, // gatheredCerts to accumulate net/DB fetches
+ CSSM_TRUE, // subjectIsInGroup - enables root check on
+ // subject cert
+ actionFlags,
+ policyOid,
+ policyStr,
+ policyStrLen,
+ keyUse,
+
+ verifiedToRoot,
+ verifiedToAnchor,
+ verifiedViaTrustSetting);
+ if(outErr) {
+ CssmError::throwMe(outErr);
+ }
+}
+
+/*
+ * Map a policy OID to one of the standard (non-revocation) policies.
+ * Returns true if it's a standard policy.
+ */
+static bool checkPolicyOid(
+ const CSSM_OID &oid,
+ TPPolicy &tpPolicy) /* RETURNED */
+{
+ if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_SSL)) {
+ tpPolicy = kTP_SSL;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_X509_BASIC)) {
+ tpPolicy = kTPx509Basic;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_SMIME)) {
+ tpPolicy = kTP_SMIME;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_EAP)) {
+ tpPolicy = kTP_EAP;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_SW_UPDATE_SIGNING)) {
+ /* note: this was CSSMOID_APPLE_TP_CODE_SIGN until 8/15/06 */
+ tpPolicy = kTP_SWUpdateSign;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_RESOURCE_SIGN)) {
+ tpPolicy = kTP_ResourceSign;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_IP_SEC)) {
+ tpPolicy = kTP_IPSec;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_ICHAT)) {
+ tpPolicy = kTP_iChat;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_ISIGN)) {
+ tpPolicy = kTPiSign;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_PKINIT_CLIENT)) {
+ tpPolicy = kTP_PKINIT_Client;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_PKINIT_SERVER)) {
+ tpPolicy = kTP_PKINIT_Server;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_CODE_SIGNING)) {
+ tpPolicy = kTP_CodeSigning;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_PACKAGE_SIGNING)) {
+ tpPolicy = kTP_PackageSigning;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT)) {
+ tpPolicy = kTP_MacAppStoreRec;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_APPLEID_SHARING)) {
+ tpPolicy = kTP_AppleIDSharing;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_TIMESTAMPING)) {
+ tpPolicy = kTP_TimeStamping;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_PASSBOOK_SIGNING)) {
+ tpPolicy = kTP_PassbookSigning;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_MOBILE_STORE)) {
+ tpPolicy = kTP_MobileStore;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_TEST_MOBILE_STORE)) {
+ tpPolicy = kTP_TestMobileStore;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_ESCROW_SERVICE)) {
+ tpPolicy = kTP_EscrowService;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_PROFILE_SIGNING)) {
+ tpPolicy = kTP_ProfileSigning;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_QA_PROFILE_SIGNING)) {
+ tpPolicy = kTP_QAProfileSigning;
+ return true;
+ }
+ else if(tpCompareOids(&oid, &CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE)) {
+ tpPolicy = kTP_PCSEscrowService;
+ return true;
+ }
+ return false;
+}
+
+/*-----------------------------------------------------------------------------
+ * CertGroupVerify
+ *
+ * Description:
+ * -- Construct a cert chain using TP_CertGroupConstruct.
+ * -- Attempt to verify that cert chain against one of the known
+ * good certs passed in AnchorCerts.
+ * -- Optionally enforces additional policies (TBD) when verifying the cert chain.
+ * -- Optionally returns the entire cert chain constructed in
+ * TP_CertGroupConstruct and here, all the way to an anchor cert or as
+ * far as we were able to go, in *Evidence.
+ *
+ * Parameters:
+ * Two handles - to an open CL and CSP. The CSP must be capable of
+ * dealing with the signature algorithms used by the certs. The CL must be
+ * an X.509-savvy CL.
+ *
+ * RawCerts, an unordered array of raw certs in the form of a
+ * CSSM_CERTGROUP_PTR. The first cert of this list is the subject cert
+ * which is eventually to be verified. The other certs can be in any order
+ * and may not even have any relevance to the cert chain being constructed.
+ * They may also be invalid certs.
+ *
+ * DBList, a list of DB/DL handles which may contain certs necessary to
+ * complete the desired cert chain. (Currently not implemented.)
+ *
+ * AnchorCerts, a list of known trusted certs.
+ * NumberOfAnchorCerts, size of AnchorCerts array.
+ *
+ * PolicyIdentifiers, Optional policy OID. NULL indicates default
+ * X.509 trust policy.
+ *
+ * Supported Policies:
+ * CSSMOID_APPLE_ISIGN
+ * CSSMOID_APPLE_X509_BASIC
+ *
+ * For both of these, the associated FieldValue must be {0, NULL},
+ *
+ * NumberOfPolicyIdentifiers, size of PolicyIdentifiers array, must be
+ * zero or one.
+ *
+ * All other arguments must be zero/NULL.
+ *
+ * Returns:
+ * CSSM_OK : cert chain verified all the way back to an AnchorCert.
+ * CSSMERR_TP_INVALID_ANCHOR_CERT : In this case, the cert chain
+ * was validated back to a self-signed (root) cert found in either
+ * CertToBeVerified or in one of the DBs in DBList, but that root cert
+ * was *NOT* found in the AnchorCert list.
+ * CSSMERR_TP_NOT_TRUSTED: no root cert was found and no AnchorCert
+ * verified the end of the constructed cert chain.
+ * CSSMERR_TP_VERIFICATION_FAILURE: a root cert was found which does
+ * not self-verify.
+ * CSSMERR_TP_VERIFY_ACTION_FAILED: indicates a failure of the requested
+ * policy action.
+ * CSSMERR_TP_INVALID_CERTIFICATE: indicates a bad leaf cert.
+ * CSSMERR_TP_INVALID_REQUEST_INPUTS : no incoming VerifyContext.
+ * CSSMERR_TP_CERT_EXPIRED and CSSMERR_TP_CERT_NOT_VALID_YET: see comments
+ * for CertGroupConstruct.
+ * CSSMERR_TP_CERTIFICATE_CANT_OPERATE : issuer cert was found with a partial
+ * public key, rendering full verification impossible.
+ * CSSMERR_TP_INVALID_CERT_AUTHORITY : issuer cert was found with a partial
+ * public key and which failed to perform subsequent signature
+ * verification.
+ *---------------------------------------------------------------------------*/
+
+void AppleTPSession::CertGroupVerify(CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ const CSSM_CERTGROUP &CertGroupToBeVerified,
+ const CSSM_TP_VERIFY_CONTEXT *VerifyContext,
+ CSSM_TP_VERIFY_CONTEXT_RESULT_PTR VerifyContextResult)
+{
+ CSSM_BOOL verifiedToRoot = CSSM_FALSE;
+ CSSM_BOOL verifiedToAnchor = CSSM_FALSE;
+ CSSM_BOOL verifiedViaTrustSetting = CSSM_FALSE;
+ CSSM_RETURN constructReturn = CSSM_OK;
+ CSSM_RETURN policyReturn = CSSM_OK;
+ const CSSM_TP_CALLERAUTH_CONTEXT *cred;
+ /* declare volatile as compiler workaround to avoid caching in CR4 */
+ const CSSM_APPLE_TP_ACTION_DATA * volatile actionData = NULL;
+ CSSM_TIMESTRING cssmTimeStr;
+ CSSM_APPLE_TP_ACTION_FLAGS actionFlags = 0;
+ CSSM_TP_STOP_ON tpStopOn = 0;
+
+ /* keep track of whether we did policy checking; if not, we do defaults */
+ bool didCertPolicy = false;
+ bool didRevokePolicy = false;
+
+ /* user trust parameters */
+ CSSM_OID utNullPolicy = {0, NULL};
+ const CSSM_OID *utPolicyOid = NULL;
+ const char *utPolicyStr = NULL;
+ uint32 utPolicyStrLen = 0;
+ SecTrustSettingsKeyUsage utKeyUse = 0;
+ bool utTrustSettingEnabled = false;
+
+ if(VerifyContextResult) {
+ memset(VerifyContextResult, 0, sizeof(*VerifyContextResult));
+ }
+
+ /* verify input args, skipping the ones checked by CertGroupConstruct */
+ if((VerifyContext == NULL) || (VerifyContext->Cred == NULL)) {
+ /* the spec says that this is optional but we require it */
+ CssmError::throwMe(CSSMERR_TP_INVALID_REQUEST_INPUTS);
+ }
+ cred = VerifyContext->Cred;
+
+ /* Optional ActionData affecting all policies */
+ actionData = (CSSM_APPLE_TP_ACTION_DATA * volatile)VerifyContext->ActionData.Data;
+ if(actionData != NULL) {
+ switch(actionData->Version) {
+ case CSSM_APPLE_TP_ACTION_VERSION:
+ if(VerifyContext->ActionData.Length !=
+ sizeof(CSSM_APPLE_TP_ACTION_DATA)) {
+ CssmError::throwMe(CSSMERR_TP_INVALID_ACTION_DATA);
+ }
+ break;
+ /* handle backwards versions here if we ever go beyond version 0 */
+ default:
+ CssmError::throwMe(CSSMERR_TP_INVALID_ACTION_DATA);
+ }
+ actionFlags = actionData->ActionFlags;
+ if(actionFlags & CSSM_TP_ACTION_TRUST_SETTINGS) {
+ utTrustSettingEnabled = true;
+ }
+ }
+
+ /* optional, may be NULL */
+ cssmTimeStr = cred->VerifyTime;
+
+ tpStopOn = cred->VerificationAbortOn;
+ switch(tpStopOn) {
+ /* the only two we support */
+ case CSSM_TP_STOP_ON_NONE:
+ case CSSM_TP_STOP_ON_FIRST_FAIL:
+ break;
+ /* default maps to stop on first fail */
+ case CSSM_TP_STOP_ON_POLICY:
+ tpStopOn = CSSM_TP_STOP_ON_FIRST_FAIL;
+ break;
+ default:
+ CssmError::throwMe(CSSMERR_TP_INVALID_STOP_ON_POLICY);
+ }
+
+ /* now the args we can't deal with */
+ if(cred->CallerCredentials != NULL) {
+ CssmError::throwMe(CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER);
+ }
+ /* ...any others? */
+
+ /* set up for optional user trust evaluation */
+ if(utTrustSettingEnabled) {
+ const CSSM_TP_POLICYINFO *pinfo = &cred->Policy;
+ TPPolicy utPolicy = kTPx509Basic;
+
+ /* default policy OID in case caller hasn't specified one */
+ utPolicyOid = &utNullPolicy;
+ if(pinfo->NumberOfPolicyIds == 0) {
+ tpTrustSettingsDbg("CertGroupVerify: User trust enabled but no policies (1)");
+ /* keep going, I guess - no policy-specific info - use kTPx509Basic */
+ }
+ else {
+ CSSM_FIELD_PTR utPolicyField = &pinfo->PolicyIds[0];
+ utPolicyOid = &utPolicyField->FieldOid;
+ bool foundPolicy = checkPolicyOid(*utPolicyOid, utPolicy);
+ if(!foundPolicy) {
+ tpTrustSettingsDbg("CertGroupVerify: User trust enabled but no policies");
+ /* keep going, I guess - no policy-specific info - use kTPx509Basic */
+ }
+ else {
+ /* get policy-specific info */
+ tp_policyTrustSettingParams(utPolicy, &utPolicyField->FieldValue,
+ &utPolicyStr, &utPolicyStrLen, &utKeyUse);
+ }
+ }
+ }
+
+ /* get verified (possibly partial) outCertGroup - error is fatal */
+ /* BUT: we still return partial evidence if asked to...from now on. */
+ TPCertGroup outCertGroup(*this,
+ TGO_Caller); // certs are owned by inCertGroup
+ TPCertGroup inCertGroup(CertGroupToBeVerified, clHand, cspHand, *this,
+ cssmTimeStr, // optional 'this' time
+ true, // firstCertMustBeValid
+ TGO_Group);
+
+ /* set up for disposal of TPCertInfos created by CertGroupConstructPriv */
+ TPCertGroup gatheredCerts(*this, TGO_Group);
+
+ try {
+ CertGroupConstructPriv(
+ clHand,
+ cspHand,
+ inCertGroup,
+ cred->DBList,
+ cssmTimeStr,
+ cred->NumberOfAnchorCerts,
+ cred->AnchorCerts,
+ actionFlags,
+ utPolicyOid,
+ utPolicyStr,
+ utPolicyStrLen,
+ utKeyUse,
+ gatheredCerts,
+ verifiedToRoot,
+ verifiedToAnchor,
+ verifiedViaTrustSetting,
+ outCertGroup);
+ }
+ catch(const CssmError &cerr) {
+ constructReturn = cerr.error;
+ /* abort if no certs found */
+ if(outCertGroup.numCerts() == 0) {
+ CssmError::throwMe(constructReturn);
+ }
+ /* else press on, collecting as much info as we can */
+ }
+ /* others are way fatal */
+ assert(outCertGroup.numCerts() >= 1);
+
+ /* Infer interim status from return values */
+ switch(constructReturn) {
+ /* these values do not get overridden */
+ case CSSMERR_TP_CERTIFICATE_CANT_OPERATE:
+ case CSSMERR_TP_INVALID_CERT_AUTHORITY:
+ case CSSMERR_APPLETP_TRUST_SETTING_DENY:
+ case errSecInvalidTrustSettings:
+ break;
+ default:
+ /* infer status from these values... */
+ if(verifiedToAnchor || verifiedViaTrustSetting) {
+ /* full success; anchor doesn't have to be root */
+ constructReturn = CSSM_OK;
+ }
+ else if(verifiedToRoot) {
+ if(actionFlags & CSSM_TP_ACTION_IMPLICIT_ANCHORS) {
+ constructReturn = CSSM_OK;
+ }
+ else {
+ /* verified to root which is not an anchor */
+ constructReturn = CSSMERR_TP_INVALID_ANCHOR_CERT;
+ }
+ }
+ else {
+ /* partial chain, no root, not verifiable by anchor */
+ constructReturn = CSSMERR_TP_NOT_TRUSTED;
+ }
+
+ /*
+ * Those errors can be allowed, cert-chain-wide, per individual
+ * certs' allowedErrors
+ */
+ if((constructReturn != CSSM_OK) &&
+ outCertGroup.isAllowedError(constructReturn)) {
+ constructReturn = CSSM_OK;
+ }
+
+ /*
+ * Allow non-trusted root if whitelist check permits
+ */
+ if (constructReturn == CSSMERR_TP_NOT_TRUSTED) {
+ constructReturn = tpCheckCertificateAllowList(outCertGroup);
+ }
+ break;
+ }
+
+ /*
+ * Parameters passed to tp_policyVerify() and which vary per policy
+ * in the loop below
+ */
+ TPPolicy tpPolicy;
+ const CSSM_APPLE_TP_SSL_OPTIONS *sslOpts;
+ CSSM_RETURN thisPolicyRtn = CSSM_OK; // returned from tp_policyVerify()
+
+ /* common CRL verify parameters */
+ TPCrlGroup *crlGroup = NULL;
+ try {
+ crlGroup = new TPCrlGroup(&VerifyContext->Crls,
+ clHand, cspHand,
+ *this, // alloc
+ NULL, // cssmTimeStr - we want CRLs that are valid 'now'
+ TGO_Group);
+ }
+ catch(const CssmError &cerr) {
+ CSSM_RETURN cr = cerr.error;
+ /* I don't see a straightforward way to report this error,
+ * other than adding it to the leaf cert's status... */
+ outCertGroup.certAtIndex(0)->addStatusCode(cr);
+ tpDebug("CertGroupVerify: error constructing CrlGroup; continuing\n");
+ }
+ /* others are way fatal */
+
+ TPVerifyContext revokeVfyContext(*this,
+ clHand,
+ cspHand,
+ cssmTimeStr,
+ cred->NumberOfAnchorCerts,
+ cred->AnchorCerts,
+ &inCertGroup,
+ crlGroup,
+ /*
+ * This may consist of certs gathered from the net (which is the purpose
+ * of this argument) and from DLDBs (a side-effect optimization).
+ */
+ gatheredCerts,
+ cred->DBList,
+ kRevokeNone, // policy
+ actionFlags,
+ NULL, // CRL options
+ NULL, // OCSP options
+ utPolicyOid,
+ utPolicyStr,
+ utPolicyStrLen,
+ utKeyUse);
+
+ /* true if we're to execute tp_policyVerify at end of loop */
+ bool doPolicyVerify;
+ /* true if we're to execute a revocation policy at end of loop */
+ bool doRevocationPolicy;
+
+ /* grind thru each policy */
+ for(uint32 polDex=0; polDex<cred->Policy.NumberOfPolicyIds; polDex++) {
+ if(cred->Policy.PolicyIds == NULL) {
+ policyReturn = CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ break;
+ }
+ CSSM_FIELD_PTR policyId = &cred->Policy.PolicyIds[polDex];
+ const CSSM_DATA *fieldVal = &policyId->FieldValue;
+ const CSSM_OID *oid = &policyId->FieldOid;
+ thisPolicyRtn = CSSM_OK;
+ doPolicyVerify = false;
+ doRevocationPolicy = false;
+ sslOpts = NULL;
+
+ /* first the basic cert policies */
+ doPolicyVerify = checkPolicyOid(*oid, tpPolicy);
+ if(doPolicyVerify) {
+ /* some basic checks... */
+ bool policyAbort = false;
+ switch(tpPolicy) {
+ case kTPx509Basic:
+ case kTPiSign:
+ case kTP_PKINIT_Client:
+ case kTP_PKINIT_Server:
+ if(fieldVal->Data != NULL) {
+ policyReturn = CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ policyAbort = true;
+ break;
+ }
+ break;
+ default:
+ break;
+ }
+ if(policyAbort) {
+ break;
+ }
+ #if TP_PKINIT_SERVER_HACK
+ if(tpPolicy == kTP_PKINIT_Server) {
+ /* possible override of "root not in anchors" */
+ if(constructReturn == CSSMERR_TP_INVALID_ANCHOR_CERT) {
+ if(tpCheckPkinitServerCert(outCertGroup)) {
+ constructReturn = CSSM_OK;
+ }
+ }
+ }
+ #endif /* TP_PKINIT_SERVER_HACK */
+ }
+
+ /*
+ * Now revocation policies. Note some fields in revokeVfyContext can
+ * accumulate across multiple policy calls, e.g., signerCerts.
+ */
+ else if(tpCompareOids(oid, &CSSMOID_APPLE_TP_REVOCATION_CRL)) {
+ /* CRL-specific options */
+ const CSSM_APPLE_TP_CRL_OPTIONS *crlOpts;
+ crlOpts = (CSSM_APPLE_TP_CRL_OPTIONS *)fieldVal->Data;
+ thisPolicyRtn = CSSM_OK;
+ if(crlOpts != NULL) {
+ switch(crlOpts->Version) {
+ case CSSM_APPLE_TP_CRL_OPTS_VERSION:
+ if(fieldVal->Length !=
+ sizeof(CSSM_APPLE_TP_CRL_OPTIONS)) {
+ thisPolicyRtn =
+ CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ break;
+ }
+ break;
+ /* handle backwards compatibility here if necessary */
+ default:
+ thisPolicyRtn = CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ break;
+ }
+ if(thisPolicyRtn != CSSM_OK) {
+ policyReturn = thisPolicyRtn;
+ break;
+ }
+ }
+ revokeVfyContext.policy = kRevokeCrlBasic;
+ revokeVfyContext.crlOpts = crlOpts;
+ doRevocationPolicy = true;
+ }
+ else if(tpCompareOids(oid, &CSSMOID_APPLE_TP_REVOCATION_OCSP)) {
+ /* OCSP-specific options */
+ const CSSM_APPLE_TP_OCSP_OPTIONS *ocspOpts;
+ ocspOpts = (CSSM_APPLE_TP_OCSP_OPTIONS *)fieldVal->Data;
+ thisPolicyRtn = CSSM_OK;
+ if(ocspOpts != NULL) {
+ switch(ocspOpts->Version) {
+ case CSSM_APPLE_TP_OCSP_OPTS_VERSION:
+ if(fieldVal->Length !=
+ sizeof(CSSM_APPLE_TP_OCSP_OPTIONS)) {
+ thisPolicyRtn =
+ CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ break;
+ }
+ break;
+ /* handle backwards compatibility here if necessary */
+ default:
+ thisPolicyRtn = CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ break;
+ }
+ if(thisPolicyRtn != CSSM_OK) {
+ policyReturn = thisPolicyRtn;
+ break;
+ }
+ }
+ revokeVfyContext.policy = kRevokeOcsp;
+ revokeVfyContext.ocspOpts = ocspOpts;
+ doRevocationPolicy = true;
+ }
+ /* etc. - add more policies here */
+ else {
+ /* unknown TP policy OID */
+ policyReturn = CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ break;
+ }
+
+ /* common cert policy call */
+ if(doPolicyVerify) {
+ assert(!doRevocationPolicy); // one at a time
+ thisPolicyRtn = tp_policyVerify(tpPolicy,
+ *this,
+ clHand,
+ cspHand,
+ &outCertGroup,
+ verifiedToRoot,
+ verifiedViaTrustSetting,
+ actionFlags,
+ fieldVal,
+ cred->Policy.PolicyControl); // not currently used
+ didCertPolicy = true;
+ }
+ /* common revocation policy call */
+ if(doRevocationPolicy) {
+ assert(!doPolicyVerify); // one at a time
+ thisPolicyRtn = tpRevocationPolicyVerify(revokeVfyContext, outCertGroup);
+ didRevokePolicy = true;
+ }
+ /* See if possible error is allowed, cert-chain-wide. */
+ if((thisPolicyRtn != CSSM_OK) &&
+ outCertGroup.isAllowedError(thisPolicyRtn)) {
+ thisPolicyRtn = CSSM_OK;
+ }
+ if(thisPolicyRtn) {
+ /* Now remember the error if it's the first policy
+ * error we've seen. */
+ if(policyReturn == CSSM_OK) {
+ policyReturn = thisPolicyRtn;
+ }
+ /* Keep going? */
+ if(tpStopOn == CSSM_TP_STOP_ON_FIRST_FAIL) {
+ /* Nope; we're done with policy evaluation */
+ break;
+ }
+ }
+ } /* for each policy */
+
+ /*
+ * Upon completion of the above loop, perform default policy ops if
+ * appropriate.
+ */
+ if((policyReturn == CSSM_OK) || (tpStopOn == CSSM_TP_STOP_ON_NONE)) {
+ if(!didCertPolicy) {
+ policyReturn = tp_policyVerify(kTPDefault,
+ *this,
+ clHand,
+ cspHand,
+ &outCertGroup,
+ verifiedToRoot,
+ verifiedViaTrustSetting,
+ actionFlags,
+ NULL, // policyFieldData
+ cred->Policy.PolicyControl); // not currently used
+ /* See if error is allowed, cert-chain-wide. */
+ if((policyReturn != CSSM_OK) &&
+ outCertGroup.isAllowedError(policyReturn)) {
+ policyReturn = CSSM_OK;
+ }
+ }
+ if( !didRevokePolicy && // no revoke policy yet
+ ( (policyReturn == CSSM_OK || // default cert policy OK
+ (tpStopOn == CSSM_TP_STOP_ON_NONE)) // keep going anyway
+ )
+ ) {
+ revokeVfyContext.policy = TP_CRL_POLICY_DEFAULT;
+ CSSM_RETURN thisPolicyRtn = tpRevocationPolicyVerify(revokeVfyContext,
+ outCertGroup);
+ if((thisPolicyRtn != CSSM_OK) &&
+ outCertGroup.isAllowedError(thisPolicyRtn)) {
+ thisPolicyRtn = CSSM_OK;
+ }
+ if((thisPolicyRtn != CSSM_OK) && (policyReturn == CSSM_OK)) {
+ policyReturn = thisPolicyRtn;
+ }
+
+ }
+ } /* default policy opts */
+
+ delete crlGroup;
+
+ /* return evidence - i.e., constructed chain - if asked to */
+ if(VerifyContextResult != NULL) {
+ /*
+ * VerifyContextResult->Evidence[0] : CSSM_TP_APPLE_EVIDENCE_HEADER
+ * VerifyContextResult->Evidence[1] : CSSM_CERTGROUP
+ * VerifyContextResult->Evidence[2] : CSSM_TP_APPLE_EVIDENCE_INFO
+ */
+ VerifyContextResult->NumberOfEvidences = 3;
+ VerifyContextResult->Evidence =
+ (CSSM_EVIDENCE_PTR)calloc(3, sizeof(CSSM_EVIDENCE));
+
+ CSSM_TP_APPLE_EVIDENCE_HEADER *hdr =
+ (CSSM_TP_APPLE_EVIDENCE_HEADER *)malloc(
+ sizeof(CSSM_TP_APPLE_EVIDENCE_HEADER));
+ hdr->Version = CSSM_TP_APPLE_EVIDENCE_VERSION;
+ CSSM_EVIDENCE_PTR ev = &VerifyContextResult->Evidence[0];
+ ev->EvidenceForm = CSSM_EVIDENCE_FORM_APPLE_HEADER;
+ ev->Evidence = hdr;
+
+ ev = &VerifyContextResult->Evidence[1];
+ ev->EvidenceForm = CSSM_EVIDENCE_FORM_APPLE_CERTGROUP;
+ ev->Evidence = outCertGroup.buildCssmCertGroup();
+
+ ev = &VerifyContextResult->Evidence[2];
+ ev->EvidenceForm = CSSM_EVIDENCE_FORM_APPLE_CERT_INFO;
+ ev->Evidence = outCertGroup.buildCssmEvidenceInfo();
+ }
+ else {
+ /* caller responsible for freeing these if they are for evidence.... */
+ outCertGroup.freeDbRecords();
+ }
+ CSSM_RETURN outErr = outCertGroup.getReturnCode(constructReturn, policyReturn,
+ actionFlags);
+
+ if(outErr) {
+ CssmError::throwMe(outErr);
+ }
+}
+
+
projects / apple / security.git / blobdiff