+/*
+ * Copyright (c) 2002-2004,2011-2012,2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+* TrustRevocation.cpp - private revocation policy manipulation
+*/
+
+#include <security_keychain/Trust.h>
+#include <security_utilities/cfutilities.h>
+#include <security_utilities/simpleprefs.h>
+#include <CoreFoundation/CFData.h>
+#include "SecBridge.h"
+#include <Security/cssmapplePriv.h>
+#include <Security/oidsalg.h>
+
+/*
+ * These may go into an SPI header for the SecTrust object.
+ */
+typedef enum {
+ /* this revocation policy disabled */
+ kSecDisabled,
+ /* try, but tolerate inability to complete */
+ kSecBestAttempt,
+ /* require successful revocation check if certificate indicates
+ * the policy is supported */
+ kSecRequireIfPresentInCertificate,
+ /* require for every cert */
+ kSecRequireForAllCertificates
+} SecRevocationPolicyStyle;
+
+using namespace KeychainCore;
+
+/*
+ * Given an app-specified array of Policies, determine if at least one of them
+ * matches the given policy OID.
+ */
+bool Trust::policySpecified(CFArrayRef policies, const CSSM_OID &inOid)
+{
+ if(policies == NULL) {
+ return false;
+ }
+ CFIndex numPolicies = CFArrayGetCount(policies);
+ for(CFIndex dex=0; dex<numPolicies; dex++) {
+ SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(policies, dex);
+ SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol));
+ const CssmOid &oid = pol->oid();
+ if(oid == CssmOid::overlay(inOid)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+/*
+ * Given an app-specified array of Policies, determine if at least one of them
+ * is an explicit revocation policy.
+ */
+bool Trust::revocationPolicySpecified(CFArrayRef policies)
+{
+ if(policies == NULL) {
+ return false;
+ }
+ CFIndex numPolicies = CFArrayGetCount(policies);
+ for(CFIndex dex=0; dex<numPolicies; dex++) {
+ SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(policies, dex);
+ SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol));
+ const CssmOid &oid = pol->oid();
+ if(oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL)) {
+ return true;
+ }
+ if(oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+/*
+ * Replace a unified revocation policy instance in the mPolicies array
+ * with specific instances of the OCSP and/or CRL policies which the TP
+ * module understands. Returns a (possibly) modified copy of the mPolicies
+ * array, which the caller is responsible for releasing.
+ */
+CFMutableArrayRef Trust::convertRevocationPolicy(
+ uint32 &numAdded,
+ Allocator &alloc)
+{
+ numAdded = 0;
+ if (!mPolicies) {
+ return NULL;
+ }
+ CFIndex numPolicies = CFArrayGetCount(mPolicies);
+ CFAllocatorRef allocator = CFGetAllocator(mPolicies);
+ CFMutableArrayRef policies = CFArrayCreateMutableCopy(allocator, numPolicies, mPolicies);
+ SecPolicyRef revPolicy = NULL;
+ for(CFIndex dex=0; dex<numPolicies; dex++) {
+ SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(policies, dex);
+ SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol));
+ const CssmOid &oid = pol->oid();
+ if(oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION)) {
+ CFRetain(secPol);
+ if (revPolicy)
+ CFRelease(revPolicy);
+ revPolicy = secPol;
+ CFArrayRemoveValueAtIndex(policies, dex--);
+ numPolicies--;
+ }
+ }
+ if(!revPolicy) {
+ CFRelease(policies);
+ return NULL;
+ }
+
+ SecPointer<Policy> ocspPolicy;
+ SecPointer<Policy> crlPolicy;
+
+ // fetch policy value
+ CFOptionFlags policyFlags = kSecRevocationUseAnyAvailableMethod;
+ CSSM_DATA policyValue = { 0, NULL };
+ try {
+ policyValue = Policy::required(revPolicy)->value();
+ }
+ catch (...) {
+ policyValue.Data = NULL;
+ }
+ if (policyValue.Data) {
+ policyFlags = (CFOptionFlags) *((CFOptionFlags*)policyValue.Data);
+ }
+ if (mNetworkPolicy == useNetworkDisabled) {
+ policyFlags = 0 | kSecRevocationNetworkAccessDisabled;
+ }
+ CFRelease(revPolicy); // all done with this policy reference
+
+ if (policyFlags & kSecRevocationOCSPMethod) {
+ /* cook up a new Policy object */
+ ocspPolicy = new Policy(mTP, CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP));
+ CSSM_APPLE_TP_OCSP_OPT_FLAGS ocspFlags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
+ if (policyFlags & kSecRevocationRequirePositiveResponse) {
+ ocspFlags |= CSSM_TP_ACTION_OCSP_REQUIRE_IF_RESP_PRESENT;
+ }
+ CSSM_APPLE_TP_OCSP_OPTIONS opts;
+ memset(&opts, 0, sizeof(opts));
+ opts.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
+ opts.Flags = ocspFlags;
+
+ /* Policy manages its own copy of this data */
+ CSSM_DATA optData = {sizeof(opts), (uint8 *)&opts};
+ ocspPolicy->value() = optData;
+
+ /* Policies array retains the Policy object */
+ CFArrayAppendValue(policies, ocspPolicy->handle(false));
+ numAdded++;
+ }
+ if (policyFlags & kSecRevocationCRLMethod) {
+ /* cook up a new Policy object */
+ crlPolicy = new Policy(mTP, CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL));
+ CSSM_APPLE_TP_CRL_OPT_FLAGS crlFlags = 0;
+ if (policyFlags & kSecRevocationRequirePositiveResponse) {
+ crlFlags |= CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT;
+ }
+ CSSM_APPLE_TP_CRL_OPTIONS opts;
+ memset(&opts, 0, sizeof(opts));
+ opts.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
+ opts.CrlFlags = crlFlags;
+
+ /* Policy manages its own copy of this data */
+ CSSM_DATA optData = {sizeof(opts), (uint8 *)&opts};
+ crlPolicy->value() = optData;
+
+ /* Policies array retains the Policy object */
+ CFArrayAppendValue(policies, crlPolicy->handle(false));
+ numAdded++;
+ }
+ return policies;
+}
+
+static SecRevocationPolicyStyle parseRevStyle(CFStringRef val)
+{
+ if(CFEqual(val, kSecRevocationOff)) {
+ return kSecDisabled;
+ }
+ else if(CFEqual(val, kSecRevocationBestAttempt)) {
+ return kSecBestAttempt;
+ }
+ else if(CFEqual(val, kSecRevocationRequireIfPresent)) {
+ return kSecRequireIfPresentInCertificate;
+ }
+ else if(CFEqual(val, kSecRevocationRequireForAll)) {
+ return kSecRequireForAllCertificates;
+ }
+ else {
+ return kSecDisabled;
+ }
+}
+
+CFDictionaryRef Trust::defaultRevocationSettings()
+{
+ /*
+ defaults read ~/Library/Preferences/com.apple.security.revocation
+ {
+ CRLStyle = BestAttempt;
+ CRLSufficientPerCert = 1;
+ OCSPStyle = BestAttempt;
+ OCSPSufficientPerCert = 1;
+ RevocationFirst = OCSP;
+ }
+ */
+ const void *keys[] = {
+ kSecRevocationCrlStyle,
+ kSecRevocationCRLSufficientPerCert,
+ kSecRevocationOcspStyle,
+ kSecRevocationOCSPSufficientPerCert,
+ kSecRevocationWhichFirst
+ };
+ const void *values[] = {
+ kSecRevocationBestAttempt,
+ kCFBooleanTrue,
+ kSecRevocationBestAttempt,
+ kCFBooleanTrue,
+ kSecRevocationOcspFirst
+ };
+
+ return CFDictionaryCreate(kCFAllocatorDefault, keys,
+ values, sizeof(keys) / sizeof(*keys),
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+}
+
+CFMutableArrayRef Trust::addPreferenceRevocationPolicies(
+ bool ocspEnabledOnBestAttempt,
+ bool crlEnabledOnBestAttempt,
+ uint32 &numAdded,
+ Allocator &alloc)
+{
+ numAdded = 0;
+
+ /* any per-user prefs? */
+ Dictionary* pd = Dictionary::CreateDictionary(kSecRevocationDomain, Dictionary::US_User, true);
+ if (pd)
+ {
+ if (!pd->dict()) {
+ delete pd;
+ pd = NULL;
+ }
+ }
+
+ if(pd == NULL)
+ {
+ pd = Dictionary::CreateDictionary(kSecRevocationDomain, Dictionary::US_System, true);
+ if (!pd->dict()) {
+ delete pd;
+ pd = NULL;
+ }
+ }
+
+ if(pd == NULL)
+ {
+ CFDictionaryRef tempDict = defaultRevocationSettings();
+ if (tempDict == NULL)
+ return NULL;
+
+ pd = new Dictionary(tempDict);
+ CFRelease(tempDict);
+ }
+
+ auto_ptr<Dictionary> prefsDict(pd);
+
+ bool doOcsp = false;
+ bool doCrl = false;
+ CFStringRef val;
+ SecRevocationPolicyStyle ocspStyle = kSecBestAttempt;
+ SecRevocationPolicyStyle crlStyle = kSecBestAttempt;
+ SecPointer<Policy> ocspPolicy;
+ SecPointer<Policy> crlPolicy;
+
+ /* Are any revocation policies enabled? */
+ val = prefsDict->getStringValue(kSecRevocationOcspStyle);
+ if(val != NULL) {
+ ocspStyle = parseRevStyle(val);
+ if(ocspStyle != kSecDisabled) {
+ doOcsp = true;
+ }
+ if(ocspStyle == kSecBestAttempt) {
+ doOcsp = ocspEnabledOnBestAttempt;
+ }
+ }
+ val = prefsDict->getStringValue(kSecRevocationCrlStyle);
+ if(val != NULL) {
+ crlStyle = parseRevStyle(val);
+ if(crlStyle != kSecDisabled) {
+ doCrl = true;
+ }
+ if(crlStyle == kSecBestAttempt) {
+ doCrl = crlEnabledOnBestAttempt;
+ }
+ }
+
+ if(!doCrl && !doOcsp) {
+ return NULL;
+ }
+
+ /* which policy first? */
+ bool ocspFirst = true; // default if both present
+ if(doCrl && doOcsp) {
+ val = prefsDict->getStringValue(kSecRevocationWhichFirst);
+ if((val != NULL) && CFEqual(val, kSecRevocationCrlFirst)) {
+ ocspFirst = false;
+ }
+ }
+
+ /* Must have at least one caller-specified policy
+ * (if they didn't specify any, it's a no-op evaluation, and if they wanted
+ * revocation checking only, that policy would already be in mPolicies) */
+ if (!mPolicies || !CFArrayGetCount(mPolicies))
+ return NULL;
+
+ /* We're adding something to mPolicies, so make a copy we can work with */
+ CFMutableArrayRef policies = CFArrayCreateMutableCopy(NULL, 0, mPolicies);
+ if(policies == NULL) {
+ throw std::bad_alloc();
+ }
+
+ if(doOcsp) {
+ /* Cook up a new Policy object */
+ ocspPolicy = new Policy(mTP, CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP));
+ CSSM_APPLE_TP_OCSP_OPTIONS opts;
+ memset(&opts, 0, sizeof(opts));
+ opts.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
+
+ /* Now fill in the OCSP-related blanks */
+ switch(ocspStyle) {
+ case kSecDisabled:
+ assert(0);
+ break;
+ case kSecBestAttempt:
+ /* default, nothing to set */
+ break;
+ case kSecRequireIfPresentInCertificate:
+ opts.Flags |= CSSM_TP_ACTION_OCSP_REQUIRE_IF_RESP_PRESENT;
+ break;
+ case kSecRequireForAllCertificates:
+ opts.Flags |= CSSM_TP_ACTION_OCSP_REQUIRE_PER_CERT;
+ break;
+ }
+
+ if(prefsDict->getBoolValue(kSecRevocationOCSPSufficientPerCert)) {
+ opts.Flags |= CSSM_TP_ACTION_OCSP_SUFFICIENT;
+ }
+
+ val = prefsDict->getStringValue(kSecOCSPLocalResponder);
+ if(val != NULL) {
+ CFDataRef cfData = CFStringCreateExternalRepresentation(NULL,
+ val, kCFStringEncodingUTF8, 0);
+ CFIndex len = CFDataGetLength(cfData);
+ opts.LocalResponder = (CSSM_DATA_PTR)alloc.malloc(sizeof(CSSM_DATA));
+ opts.LocalResponder->Data = (uint8 *)alloc.malloc(len);
+ opts.LocalResponder->Length = len;
+ memmove(opts.LocalResponder->Data, CFDataGetBytePtr(cfData), len);
+ CFRelease(cfData);
+ }
+
+ /* Policy manages its own copy of this data */
+ CSSM_DATA optData = {sizeof(opts), (uint8 *)&opts};
+ ocspPolicy->value() = optData;
+ numAdded++;
+ }
+
+ if(doCrl) {
+ /* Cook up a new Policy object */
+ crlPolicy = new Policy(mTP, CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL));
+ CSSM_APPLE_TP_CRL_OPTIONS opts;
+ memset(&opts, 0, sizeof(opts));
+ opts.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
+
+ /* Now fill in the CRL-related blanks */
+ opts.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET; // default true
+ switch(crlStyle) {
+ case kSecDisabled:
+ assert(0);
+ break;
+ case kSecBestAttempt:
+ /* default, nothing to set */
+ break;
+ case kSecRequireIfPresentInCertificate:
+ opts.CrlFlags |= CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT;
+ break;
+ case kSecRequireForAllCertificates:
+ opts.CrlFlags |= CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT;
+ break;
+ }
+ if(prefsDict->getBoolValue(kSecRevocationCRLSufficientPerCert)) {
+ opts.CrlFlags |= CSSM_TP_ACTION_CRL_SUFFICIENT;
+ }
+
+ /* Policy manages its own copy of this data */
+ CSSM_DATA optData = {sizeof(opts), (uint8 *)&opts};
+ crlPolicy->value() = optData;
+ numAdded++;
+ }
+
+ /* append in order */
+ if(doOcsp) {
+ if(doCrl) {
+ if(ocspFirst) {
+ /* these SecCFObject go away when the policies array does */
+ CFArrayAppendValue(policies, ocspPolicy->handle(false));
+ CFArrayAppendValue(policies, crlPolicy->handle(false));
+ }
+ else {
+ CFArrayAppendValue(policies, crlPolicy->handle(false));
+ CFArrayAppendValue(policies, ocspPolicy->handle(false));
+ }
+ }
+ else {
+ CFArrayAppendValue(policies, ocspPolicy->handle(false));
+ }
+
+ }
+ else if(doCrl) {
+ CFArrayAppendValue(policies, crlPolicy->handle(false));
+ }
+ return policies;
+}
+
+/*
+ * Called when we created the last numAdded Policies in the specified Policy array
+ * (only frees the policy data associated with the extra policies that we inserted;
+ * this does not free the policies array itself.)
+ */
+void Trust::freeAddedRevocationPolicyData(
+ CFArrayRef policies,
+ uint32 numAdded,
+ Allocator &alloc)
+{
+ uint32 numPolicies = (uint32)CFArrayGetCount(policies);
+ if(numPolicies < numAdded) {
+ /* should never happen - throw? */
+ assert(0);
+ return;
+ }
+ for(unsigned dex=numPolicies-numAdded; dex<numPolicies; dex++) {
+ SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(policies, dex);
+ //SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol));
+ Policy *pol = Policy::required(secPol);
+ const CssmOid &oid = pol->oid(); // required
+ const CssmData &optData = pol->value(); // optional
+
+ if(optData.Data) {
+ if(oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL)) {
+ /* currently no CRL-specific policy data */
+ }
+ else if(oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP)) {
+ CSSM_APPLE_TP_OCSP_OPTIONS *opts = (CSSM_APPLE_TP_OCSP_OPTIONS *)optData.Data;
+ if(opts->LocalResponder != NULL) {
+ if(opts->LocalResponder->Data != NULL) {
+ alloc.free(opts->LocalResponder->Data);
+ }
+ alloc.free(opts->LocalResponder);
+ }
+ }
+ // managed by Policy alloc.free(optData.Data);
+ }
+ }
+}
+
+/*
+ * Comparator function to correctly order revocation policies.
+ */
+static CFComparisonResult compareRevocationPolicies(
+ const void *policy1,
+ const void *policy2,
+ void *context)
+{
+ SecPointer<Policy> pol1 = Policy::required(SecPolicyRef(policy1));
+ SecPointer<Policy> pol2 = Policy::required(SecPolicyRef(policy2));
+ const CssmOid &oid1 = pol1->oid();
+ const CssmOid &oid2 = pol2->oid();
+ if(oid1 == oid2) {
+ return kCFCompareEqualTo;
+ }
+ bool ocspFirst = true;
+ if(context != NULL && CFEqual((CFBooleanRef)context, kCFBooleanFalse)) {
+ ocspFirst = false;
+ }
+ const CssmOid lastRevocationOid = (ocspFirst) ?
+ CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL) :
+ CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP);
+ const CssmOid firstRevocationOid = (ocspFirst) ?
+ CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP) :
+ CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL);
+ if(oid1 == lastRevocationOid) {
+ /* should be ordered last, after all other policies */
+ return kCFCompareGreaterThan;
+ }
+ if(oid1 == firstRevocationOid) {
+ /* should be ordered after any policy except lastRevocationOid */
+ if(oid2 == lastRevocationOid) {
+ return kCFCompareLessThan;
+ }
+ return kCFCompareGreaterThan;
+ }
+ /* normal policy in first position, anything else in second position */
+ return kCFCompareLessThan;
+}
+
+/*
+ * This method reorders any revocation policies which may be present
+ * in the provided array so they are at the end and evaluated last.
+ */
+void Trust::orderRevocationPolicies(
+ CFMutableArrayRef policies)
+{
+ if(!policies || CFGetTypeID(policies) != CFArrayGetTypeID()) {
+ return;
+ }
+ /* check revocation prefs to determine which policy goes first */
+ CFBooleanRef ocspFirst = kCFBooleanTrue;
+ Dictionary* pd = Dictionary::CreateDictionary(kSecRevocationDomain, Dictionary::US_User, true);
+ if (pd) {
+ if (!pd->dict()) {
+ delete pd;
+ } else {
+ auto_ptr<Dictionary> prefsDict(pd);
+ CFStringRef val = prefsDict->getStringValue(kSecRevocationWhichFirst);
+ if((val != NULL) && CFEqual(val, kSecRevocationCrlFirst)) {
+ ocspFirst = kCFBooleanFalse;
+ }
+ }
+ }
+#if POLICIES_DEBUG
+ CFShow(policies); // before sort
+ CFArraySortValues(policies, CFRangeMake(0, CFArrayGetCount(policies)), compareRevocationPolicies, (void*)ocspFirst);
+ CFShow(policies); // after sort, to see what changed
+ // check that policy order is what we expect
+ CFIndex numPolicies = CFArrayGetCount(policies);
+ for(CFIndex dex=0; dex<numPolicies; dex++) {
+ SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(policies, dex);
+ SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol));
+ const CssmOid &oid = pol->oid();
+ if(oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP)) {
+ CFStringRef s = CFStringCreateWithFormat(NULL, NULL, CFSTR("idx %d = OCSP"), dex);
+ CFShow(s);
+ CFRelease(s);
+ }
+ else if(oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL)) {
+ CFStringRef s = CFStringCreateWithFormat(NULL, NULL, CFSTR("idx %d = CRL"), dex);
+ CFShow(s);
+ CFRelease(s);
+ }
+ else {
+ CFStringRef s = CFStringCreateWithFormat(NULL, NULL, CFSTR("idx %d = normal"), dex);
+ CFShow(s);
+ CFRelease(s);
+ }
+ }
+#else
+ CFArraySortValues(policies, CFRangeMake(0, CFArrayGetCount(policies)), compareRevocationPolicies, (void*)ocspFirst);
+#endif
+}
+
+/*
+ * This method returns a copy of the mPolicies array which ensures that
+ * revocation checking (preferably OCSP, otherwise CRL) will be attempted.
+ *
+ * If OCSP is already in the mPolicies array, this makes sure the
+ * CSSM_TP_ACTION_OCSP_REQUIRE_IF_RESP_PRESENT and CSSM_TP_ACTION_OCSP_SUFFICIENT
+ * flags are set. If it's not already in the array, a new policy object is added.
+ *
+ * If CRL is already in the mPolicies array, this makes sure the
+ * CSSM_TP_ACTION_FETCH_CRL_FROM_NET and CSSM_TP_ACTION_CRL_SUFFICIENT flags are
+ * set. If it's not already in the array, a new policy object is added.
+ *
+ * Caller is responsible for releasing the returned policies array.
+ */
+CFMutableArrayRef Trust::forceRevocationPolicies(
+ bool ocspEnabled,
+ bool crlEnabled,
+ uint32 &numAdded,
+ Allocator &alloc,
+ bool requirePerCert)
+{
+ SecPointer<Policy> ocspPolicy;
+ SecPointer<Policy> crlPolicy;
+ CSSM_APPLE_TP_OCSP_OPT_FLAGS ocspFlags;
+ CSSM_APPLE_TP_CRL_OPT_FLAGS crlFlags;
+ bool hasOcspPolicy = false;
+ bool hasCrlPolicy = false;
+ numAdded = 0;
+
+ ocspFlags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
+ crlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET | CSSM_TP_ACTION_CRL_SUFFICIENT;
+ if (requirePerCert) {
+ ocspFlags |= CSSM_TP_ACTION_OCSP_REQUIRE_IF_RESP_PRESENT;
+ crlFlags |= CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT;
+ }
+
+ CFIndex numPolicies = (mPolicies) ? CFArrayGetCount(mPolicies) : 0;
+ for(CFIndex dex=0; dex<numPolicies; dex++) {
+ SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(mPolicies, dex);
+ SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol));
+ const CssmOid &oid = pol->oid();
+ const CssmData &optData = pol->value();
+ if(oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP)) {
+ // make sure OCSP options are set correctly
+ CSSM_APPLE_TP_OCSP_OPTIONS *opts = (CSSM_APPLE_TP_OCSP_OPTIONS *)optData.Data;
+ if (opts) {
+ opts->Flags |= ocspFlags;
+ } else {
+ CSSM_APPLE_TP_OCSP_OPTIONS newOpts;
+ memset(&newOpts, 0, sizeof(newOpts));
+ newOpts.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
+ newOpts.Flags = ocspFlags;
+ CSSM_DATA optData = {sizeof(newOpts), (uint8 *)&newOpts};
+ pol->value() = optData;
+ }
+ hasOcspPolicy = true;
+ }
+ else if(oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL)) {
+ // make sure CRL options are set correctly
+ CSSM_APPLE_TP_CRL_OPTIONS *opts = (CSSM_APPLE_TP_CRL_OPTIONS *)optData.Data;
+ if (opts) {
+ opts->CrlFlags |= crlFlags;
+ } else {
+ CSSM_APPLE_TP_CRL_OPTIONS newOpts;
+ memset(&newOpts, 0, sizeof(newOpts));
+ newOpts.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
+ newOpts.CrlFlags = crlFlags;
+ CSSM_DATA optData = {sizeof(newOpts), (uint8 *)&newOpts};
+ pol->value() = optData;
+ }
+ hasCrlPolicy = true;
+ }
+ }
+
+ /* We're potentially adding something to mPolicies, so make a copy we can work with */
+ CFMutableArrayRef policies = CFArrayCreateMutableCopy(NULL, 0, mPolicies);
+ if(policies == NULL) {
+ throw std::bad_alloc();
+ }
+
+ if(!hasOcspPolicy && ocspEnabled) {
+ /* Cook up a new Policy object */
+ ocspPolicy = new Policy(mTP, CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP));
+ CSSM_APPLE_TP_OCSP_OPTIONS opts;
+ memset(&opts, 0, sizeof(opts));
+ opts.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
+ opts.Flags = ocspFlags;
+
+ /* Check prefs dict for local responder info */
+ Dictionary *prefsDict = NULL;
+ try { /* per-user prefs */
+ prefsDict = Dictionary::CreateDictionary(kSecRevocationDomain, Dictionary::US_User, true);
+ if (!prefsDict->dict()) {
+ delete prefsDict;
+ prefsDict = NULL;
+ }
+ }
+ catch(...) {}
+ if(prefsDict == NULL) {
+ try { /* system prefs */
+ prefsDict = Dictionary::CreateDictionary(kSecRevocationDomain, Dictionary::US_System, true);
+ if (!prefsDict->dict()) {
+ delete prefsDict;
+ prefsDict = NULL;
+ }
+ }
+ catch(...) {}
+ }
+ if(prefsDict != NULL) {
+ CFStringRef val = prefsDict->getStringValue(kSecOCSPLocalResponder);
+ if(val != NULL) {
+ CFDataRef cfData = CFStringCreateExternalRepresentation(NULL,
+ val, kCFStringEncodingUTF8, 0);
+ CFIndex len = CFDataGetLength(cfData);
+ opts.LocalResponder = (CSSM_DATA_PTR)alloc.malloc(sizeof(CSSM_DATA));
+ opts.LocalResponder->Data = (uint8 *)alloc.malloc(len);
+ opts.LocalResponder->Length = len;
+ memmove(opts.LocalResponder->Data, CFDataGetBytePtr(cfData), len);
+ CFRelease(cfData);
+ }
+ }
+
+ /* Policy manages its own copy of the options data */
+ CSSM_DATA optData = {sizeof(opts), (uint8 *)&opts};
+ ocspPolicy->value() = optData;
+
+ /* Policies array retains the Policy object */
+ CFArrayAppendValue(policies, ocspPolicy->handle(false));
+ numAdded++;
+
+ if(prefsDict != NULL)
+ delete prefsDict;
+ }
+
+ if(!hasCrlPolicy && crlEnabled) {
+ /* Cook up a new Policy object */
+ crlPolicy = new Policy(mTP, CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL));
+ CSSM_APPLE_TP_CRL_OPTIONS opts;
+ memset(&opts, 0, sizeof(opts));
+ opts.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
+ opts.CrlFlags = crlFlags;
+
+ /* Policy manages its own copy of this data */
+ CSSM_DATA optData = {sizeof(opts), (uint8 *)&opts};
+ crlPolicy->value() = optData;
+
+ /* Policies array retains the Policy object */
+ CFArrayAppendValue(policies, crlPolicy->handle(false));
+ numAdded++;
+ }
+
+ return policies;
+}
projects / apple / security.git / blobdiff