+++ /dev/null
-/*
- * Copyright (c) 2000-2013 Apple Inc. All Rights Reserved.
- *
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License. Please obtain
- * a copy of the License at http://www.apple.com/publicsource and read it before
- * using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
- * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
- * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
- * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
- * specific language governing rights and limitations under the License.
- */
-
-
-/*
- * TPCertInfo.h - TP's private certificate info and cert group classes
- */
-
-#ifndef _TP_CERT_INFO_H_
-#define _TP_CERT_INFO_H_
-
-#include <Security/cssm.h>
-#include <Security/SecTrust.h>
-#include <Security/SecTrustSettings.h>
-#include <security_utilities/alloc.h>
-#include <security_utilities/threading.h>
-#include <security_utilities/globalizer.h>
-#include <CoreFoundation/CFDate.h>
-
-/* protects TP-wide access to time() and gmtime() */
-extern ModuleNexus<Mutex> tpTimeLock;
-
-/*
- * Prototypes for functions which are isomorphic between certs and CRLs at the
- * CL API.
- */
-typedef CSSM_RETURN (*clGetFirstFieldFcn)(
- CSSM_CL_HANDLE CLHandle,
- CSSM_HANDLE ItemHandle, // cached cert or CRL
- const CSSM_OID *ItemField,
- CSSM_HANDLE_PTR ResultsHandle,
- uint32 *NumberOfMatchedFields,
- CSSM_DATA_PTR *Value);
-typedef CSSM_RETURN (*clAbortQueryFcn)(
- CSSM_CL_HANDLE CLHandle,
- CSSM_HANDLE ResultsHandle); // from clGetFirstFieldFcn
-typedef CSSM_RETURN (*clCacheItemFcn)(
- CSSM_CL_HANDLE CLHandle,
- const CSSM_DATA *Item, // raw cert or CRL
- CSSM_HANDLE_PTR CertHandle);
-typedef CSSM_RETURN (*clAbortCacheFcn)(
- CSSM_CL_HANDLE CLHandle,
- CSSM_HANDLE ItemHandle); // from clCacheItemFcn
-typedef CSSM_RETURN (*clItemVfyFcn)(
- CSSM_CL_HANDLE CLHandle,
- CSSM_CC_HANDLE CCHandle,
- const CSSM_DATA *CrlOrCertToBeVerified,
- const CSSM_DATA *SignerCert,
- const CSSM_FIELD *VerifyScope,
- uint32 ScopeSize);
-
-typedef struct {
- /* CL/cert-specific functions */
- clGetFirstFieldFcn getField;
- clAbortQueryFcn abortQuery;
- clCacheItemFcn cacheItem;
- clAbortCacheFcn abortCache;
- clItemVfyFcn itemVerify;
- /* CL/cert-specific OIDs */
- const CSSM_OID *notBeforeOid;
- const CSSM_OID *notAfterOid;
- /* CL/cert specific errors */
- CSSM_RETURN invalidItemRtn; // CSSMERR_TP_INVALID_{CERT,CRL}_POINTER
- CSSM_RETURN expiredRtn;
- CSSM_RETURN notValidYetRtn;
-} TPClItemCalls;
-
-class TPCertInfo;
-
-/*
- * On construction of a TPClItemInfo, specifies whether or not to
- * copy the incoming item data (in which we free it upon destruction)
- * or to use caller's data as is (in which case the caller maintains
- * the data).
- */
-typedef enum {
- TIC_None = 0, // never used
- TIC_NoCopy, // caller maintains
- TIC_CopyData // we copy and free
-} TPItemCopy;
-
-/*
- * State of a cert's mIsRoot flag. We do signature self-verify on demand.
- */
-typedef enum {
- TRS_Unknown, // initial state
- TRS_NamesMatch, // subject == issuer, but no sig verify yet
- TRS_NotRoot, // subject != issuer, OR sig verify failed
- TRS_IsRoot // it's a root
-} TPRootState;
-
-/*
- * Base class for TPCertInfo and TPCrlInfo. Encapsulates caching of
- * an entity within the CL, field lookup/free, and signature verify,
- * all of which use similar functions at the CL API.
- */
-class TPClItemInfo
-{
- NOCOPY(TPClItemInfo)
-public:
- TPClItemInfo(
- CSSM_CL_HANDLE clHand,
- CSSM_CSP_HANDLE cspHand,
- const TPClItemCalls &clCalls,
- const CSSM_DATA *itemData,
- TPItemCopy copyItemData,
- const char *verifyTime); // may be NULL
-
- ~TPClItemInfo();
- void releaseResources();
-
- /*
- * Fetch arbitrary field from cached item.
- * Only should be used when caller is sure there is either zero or one
- * of the requested fields present in the cert.
- */
- CSSM_RETURN fetchField(
- const CSSM_OID *fieldOid,
- CSSM_DATA_PTR *fieldData); // mallocd by CL and RETURNED
-
- /* free arbitrary field obtained from fetchField() */
- CSSM_RETURN freeField(
- const CSSM_OID *fieldOid,
- CSSM_DATA_PTR fieldData);
-
- /*
- * Verify with an issuer cert - works on certs and CRLs.
- * Issuer/subject name match already performed by caller.
- * May return CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE without
- * performing a signature op, in which case it is the caller's
- * resposibility to complete this operation later when
- * sufficient information is available.
- *
- * Optional paramCert is used to provide parameters when issuer
- * has a partial public key.
- */
- CSSM_RETURN verifyWithIssuer(
- TPCertInfo *issuerCert,
- TPCertInfo *paramCert = NULL) const;
-
- /* accessors */
- CSSM_CL_HANDLE clHand() const { return mClHand; }
- CSSM_CSP_HANDLE cspHand() const { return mCspHand; }
- CSSM_HANDLE cacheHand() const { return mCacheHand; }
- const CSSM_DATA *itemData() const { return mItemData; }
- const CSSM_DATA *issuerName() const { return mIssuerName; };
- const CSSM_DATA *subjectKeyID() const { return mSubjectKeyID; };
- const CSSM_DATA *authorityKeyID() const { return mAuthorityKeyID; };
- unsigned index() const { return mIndex; }
- void index(unsigned dex) { mIndex = dex; }
- bool isExpired() { return mIsExpired; }
- bool isNotValidYet() { return mIsNotValidYet; }
-
- /*
- * Calculate validity (not before/after). Returns
- * CSSMERR_{TP_CERT,APPLETP_CRL}_NOT_VALID_YET
- * CSSMERR_xxx_T_EXPIRED
- * CSSM_OK
- * CSSMERR_xxx_INVALID_CERT_POINTER, other "bogus cert" errors
- */
- CSSM_RETURN calculateCurrent(
- const char *verifyString = NULL);
-
-private:
-
- /* Tell CL to parse and cache the item */
- CSSM_RETURN cacheItem(
- const CSSM_DATA *itemData,
- TPItemCopy copyItemData);
-
-
- /* fetch not before/after fields */
- void fetchNotBeforeAfter();
-
- CSSM_CL_HANDLE mClHand; // always valid
- CSSM_CSP_HANDLE mCspHand; // always valid
- const TPClItemCalls &mClCalls;
- bool mWeOwnTheData; // if true, we have to free
- // mCertData
- /* following are valid subsequent to cacheItem(), generally
- * called by subclass's constructor */
- CSSM_HANDLE mCacheHand;
- CSSM_DATA_PTR mIssuerName;
- CSSM_DATA_PTR mSubjectKeyID;
- CSSM_DATA_PTR mAuthorityKeyID;
- CSSM_DATA_PTR mItemData;
- CSSM_ALGORITHMS mSigAlg;
-
- /* calculated implicitly at construction */
- CFDateRef mNotBefore;
- CFDateRef mNotAfter;
-
- /* also calculated at construction, but can be recalculated at will */
- bool mIsExpired;
- bool mIsNotValidYet;
-
- unsigned mIndex;
-};
-
-/*
- * Class representing one certificate. The raw cert data usually comes from
- * a client (via incoming cert groups in CertGroupConstruct() and
- * CertGroupVerify()); in this case, we don't own the raw data and
- * don't copy or free it. Caller can optionally specify that we copy
- * (and own and eventually free) the raw cert data. Currently this is
- * done when we find a cert in a DlDb or from the net. The constructor throws
- * on any error (bad cert data); subsequent to successful construction, no CSSM
- * errors are thrown and it's guaranteed that the cert is basically good and
- * successfully cached in the CL, and that we have a locally cached subject
- * and issuer name (in normalized encoded format).
- */
-class TPCertInfo : public TPClItemInfo
-{
- NOCOPY(TPCertInfo)
-public:
- /*
- * No default constructor - this is the only way.
- * This caches the cert and fetches subjectName and issuerName
- * to ensure the incoming certData is well-constructed.
- */
- TPCertInfo(
- CSSM_CL_HANDLE clHand,
- CSSM_CSP_HANDLE cspHand,
- const CSSM_DATA *certData,
- TPItemCopy copyCertData,
-
- const char *verifyTime); // may be NULL
-
- /* frees mSubjectName, mIssuerName, mCacheHand via mClHand */
- ~TPCertInfo();
-
- /* accessors */
- const CSSM_DATA *subjectName();
-
- bool isSelfSigned(bool avoidVerify = false);
-
- bool isAnchor() { return mIsAnchor; }
- void isAnchor(bool a) { mIsAnchor = a; }
- bool isFromNet() { return mIsFromNet; }
- void isFromNet(bool n) { mIsFromNet = n; };
- bool isFromInputCerts() { return mIsFromInputCerts; }
- void isFromInputCerts(bool i) { mIsFromInputCerts = i; }
- unsigned numStatusCodes() { return mNumStatusCodes; }
- CSSM_RETURN *statusCodes() { return mStatusCodes; }
- CSSM_DL_DB_HANDLE dlDbHandle() { return mDlDbHandle; }
- void dlDbHandle(CSSM_DL_DB_HANDLE hand)
- { mDlDbHandle = hand; }
- CSSM_DB_UNIQUE_RECORD_PTR uniqueRecord()
- { return mUniqueRecord; }
- void uniqueRecord(CSSM_DB_UNIQUE_RECORD_PTR rec)
- { mUniqueRecord = rec; }
- CSSM_KEY_PTR pubKey() { return mPublicKey; }
- bool used() { return mUsed; }
- void used(bool u) { mUsed = u; }
- bool isLeaf() { return mIsLeaf; }
- void isLeaf(bool l) { mIsLeaf = l; }
-
- SecTrustSettingsDomain trustSettingsDomain() { return mTrustSettingsDomain; }
- SecTrustSettingsResult trustSettingsResult() { return mTrustSettingsResult; }
- bool ignoredError() { return mIgnoredError; }
-
- /* true means "verification terminated due to user trust setting" */
- bool trustSettingsFound();
- /*
- * Am I the issuer of the specified subject item? Returns true if so.
- * Works for subject certs as well as CRLs.
- */
- bool isIssuerOf(
- const TPClItemInfo &subject);
-
- /*
- * Does my subject key id match the authority key id of the specified
- * subject item? Returns true if so.
- */
- bool isAuthorityKeyOf(
- const TPClItemInfo &subject);
-
- /*
- * Add error status to mStatusCodes[]. Check to see if the
- * added status is allowed per mAllowedErrs; if not return true.
- * Returns false of the status *is* an allowed error.
- */
- bool addStatusCode(
- CSSM_RETURN code);
-
- /*
- * See if the specified error status is in the mStatusCodes array.
- */
- bool hasStatusCode(
- CSSM_RETURN code);
-
- /*
- * See if the specified error status is allowed (return false) or
- * fatal (return true) per mAllowedErrs[].
- */
- bool isStatusFatal(
- CSSM_RETURN code);
-
- /*
- * Indicate whether this cert's public key is a CSSM_KEYATTR_PARTIAL
- * key.
- */
- bool hasPartialKey();
-
- /* Indicate whether this cert should be explicitly rejected.
- */
- bool shouldReject();
-
- /*
- * Flag to indicate that at least one revocation policy has successfully
- * achieved a positive verification of the cert.
- */
- bool revokeCheckGood() { return mRevCheckGood; }
- void revokeCheckGood(bool b) { mRevCheckGood = b; }
-
- /*
- * Flag to indicate "I have successfully been checked for revocation
- * status and the per-policy action data indicates that I need not be
- * checked again by any other revocation policy". E.g.,
- * CSSM_TP_ACTION_CRL_SUFFICIENT is set and CRL revocation checking
- * was successful for this cert.
- */
- bool revokeCheckComplete() { return mRevCheckComplete; }
- void revokeCheckComplete(bool b) { mRevCheckComplete = b; }
-
- /*
- * Evaluate user trust; returns true if positive match found - i.e.,
- * cert chain construction is done.
- * The foundEntry return value indicates that *some* entry was found for
- * the cert, regardless of the trust setting evaluation.
- */
- OSStatus evaluateTrustSettings(
- const CSSM_OID &policyOid,
- const char *policyString, // optional
- uint32 policyStringLen,
- SecTrustSettingsKeyUsage keyUse, // optional
- bool *foundMatchingEntry,
- bool *foundEntry); // RETURNED
-
- bool hasEmptySubjectName();
-
- /* Free mUniqueRecord if it exists */
- void freeUniqueRecord();
-
-private:
- /* obtained from CL at construction */
- CSSM_DATA_PTR mSubjectName; // always valid
- CSSM_DATA_PTR mPublicKeyData; // mPublicKey obtained from this field
- CSSM_KEY_PTR mPublicKey;
-
- /* maintained by caller, default at constructor 0/false */
- bool mIsAnchor;
- bool mIsFromInputCerts;
- bool mIsFromNet;
- unsigned mNumStatusCodes;
- CSSM_RETURN *mStatusCodes;
- CSSM_DL_DB_HANDLE mDlDbHandle;
- CSSM_DB_UNIQUE_RECORD_PTR mUniqueRecord;
- bool mUsed; // e.g., used in current loop
- bool mIsLeaf; // first in chain
- TPRootState mIsRoot; // subject == issuer
- bool mRevCheckGood; // >= 1 revoke check good
- bool mRevCheckComplete; // no more revoke checking needed
-
- /*
- * When true, we've already called SecTrustSettingsEvaluateCert,
- * and the cached results are in following member vars.
- */
- bool mTrustSettingsEvaluated;
-
- /* result of trust settings evaluation */
- SecTrustSettingsDomain mTrustSettingsDomain;
- SecTrustSettingsResult mTrustSettingsResult;
- bool mTrustSettingsFoundAnyEntry;
- bool mTrustSettingsFoundMatchingEntry;
-
- /* allowed errors obtained from SecTrustSettingsEvaluateCert() */
- CSSM_RETURN *mAllowedErrs;
- uint32 mNumAllowedErrs;
-
- /* we actually ignored one of mAllowedErrors[] */
- bool mIgnoredError;
-
- /* key usage for which mTrustSettingsResult was evaluated */
- SecTrustSettingsKeyUsage mTrustSettingsKeyUsage;
-
- /* for SecTrustSettingsEvaluateCert() */
- CFStringRef mCertHashStr;
-
- void releaseResources();
-};
-
-/* Describe who owns the items in a TP{Cert,Crl}Group */
-typedef enum {
- TGO_None = 0, // not used
- TGO_Group, // TP{Cert,Crl}Group owns the items
- TGO_Caller // caller owns the items
-} TPGroupOwner;
-
-/*
- * TP's private Cert Group class. Provides a list of TPCertInfo pointers,
- * to which caller can append additional elements, access an element at
- * an arbitrary position, and remove an element at an arbitrary position.
- */
-class TPCertGroup
-{
- NOCOPY(TPCertGroup)
-public:
- /*
- * No default constructor.
- * This one creates an empty TPCertGroup.
- */
- TPCertGroup(
- Allocator &alloc,
- TPGroupOwner whoOwns); // if TGO_Group, we delete
-
- /*
- * Construct from unordered, untrusted CSSM_CERTGROUP. Resulting
- * TPCertInfos are more or less in the same order as the incoming
- * certs, though incoming certs are discarded if they don't parse.
- * No verification of any sort is performed.
- */
- TPCertGroup(
- const CSSM_CERTGROUP &CertGroupFrag,
- CSSM_CL_HANDLE clHand,
- CSSM_CSP_HANDLE cspHand,
- Allocator &alloc,
- const char *verifyString, // may be NULL
- bool firstCertMustBeValid,
- TPGroupOwner whoOwns);
-
- /*
- * Deletes all TPCertInfo's.
- */
- ~TPCertGroup();
-
- /*
- * Construct ordered, verified cert chain from a variety of inputs.
- * Time validity is ignored and needs to be checked by caller (it's
- * stored in each TPCertInfo we add to ourself during construction).
- * The only error returned is CSSMERR_APPLETP_INVALID_ROOT, meaning
- * we verified back to a supposed root cert which did not in fact
- * self-verify. Other interesting status is returned via the
- * verifiedToRoot and verifiedToAnchor flags.
- *
- * NOTE: is it the caller's responsibility to call setAllUnused()
- * for both incoming cert groups (inCertGroup and gatheredCerts).
- * We don't do that here because we may call ourself recursively.
- *
- * subjectItem may or may not be in the cert group (currently, it
- * is in the group if it's a cert and it's not if it's a CRL, but
- * we don't rely on that).
- */
- CSSM_RETURN buildCertGroup(
- const TPClItemInfo &subjectItem, // Cert or CRL
- TPCertGroup *inCertGroup, // optional
- const CSSM_DL_DB_LIST *dbList, // optional
- CSSM_CL_HANDLE clHand,
- CSSM_CSP_HANDLE cspHand,
- const char *verifyString, // optional, for establishing
- // validity of new TPCertInfos
- /* trusted anchors, optional */
- /* FIXME - maybe this should be a TPCertGroup */
- uint32 numAnchorCerts,
- const CSSM_DATA *anchorCerts,
-
- /*
- * Certs to be freed by caller (i.e., TPCertInfo which we allocate
- * as a result of using a cert from anchorCerts or dbList) are added
- * to this group.
- */
- TPCertGroup &certsToBeFreed,
-
- /*
- * Other certificates gathered during the course of this operation,
- * currently consisting of certs fetched from DBs and from the net.
- * This is not used when called by AppleTPSession::CertGroupConstructPriv;
- * it's an optimization for the case when we're building a cert group
- * for TPCrlInfo::verifyWithContext - we avoid re-fetching certs from
- * the net which are needed to verify both the subject cert and a CRL.
- */
- TPCertGroup *gatheredCerts,
-
- /*
- * Indicates that subjectItem is a cert in this cert group.
- * If true, that cert will be tested for "root-ness", including
- * -- subject/issuer compare
- * -- signature self-verify
- * -- anchor compare
- */
- CSSM_BOOL subjectIsInGroup,
-
- /* currently, only CSSM_TP_ACTION_FETCH_CERT_FROM_NET and
- * CSSM_TP_ACTION_TRUST_SETTINGS are interesting */
- CSSM_APPLE_TP_ACTION_FLAGS actionFlags,
-
- /* CSSM_TP_ACTION_TRUST_SETTINGS parameters */
- const CSSM_OID *policyOid,
- const char *policyStr,
- uint32 policyStrLen,
- SecTrustSettingsKeyUsage leafKeyUse,
-
- /* returned */
- CSSM_BOOL &verifiedToRoot, // end of chain self-verifies
- CSSM_BOOL &verifiedToAnchor, // end of chain in anchors
- CSSM_BOOL &verifiedViaTrustSettings); // chain ends per User Trust setting
-
- /* add/remove/access TPTCertInfo's. */
- void appendCert(
- TPCertInfo *certInfo); // appends to end of mCertInfo
- TPCertInfo *certAtIndex(
- unsigned index);
- TPCertInfo *removeCertAtIndex(
- unsigned index); // doesn't delete the cert, just
- // removes it from our list
- unsigned numCerts() const // how many do we have?
- { return mNumCerts; }
-
- /*
- * Convenience accessors for first and last cert, only valid when we have
- * at least one cert.
- */
- TPCertInfo *firstCert();
- TPCertInfo *lastCert();
-
- /* build a CSSM_CERTGROUP corresponding with our mCertInfo */
- CSSM_CERTGROUP_PTR buildCssmCertGroup();
-
- /* build a CSSM_TP_APPLE_EVIDENCE_INFO array corresponding with our
- * mCertInfo */
- CSSM_TP_APPLE_EVIDENCE_INFO *buildCssmEvidenceInfo();
-
- /* Given a status for basic construction of a cert group and a status
- * of (optional) policy verification, plus the implicit notBefore/notAfter
- * status in the certs, calculate a global return code. This just
- * encapsulates a policy for CertGroupConstruct and CertGroupVerify.
- */
- CSSM_RETURN getReturnCode(
- CSSM_RETURN constructStatus,
- CSSM_RETURN policyStatus,
- CSSM_APPLE_TP_ACTION_FLAGS actionFlags);
-
- Allocator
- &alloc() {return mAlloc; }
-
- /* set all TPCertInfo.mUsed flags false */
- void setAllUnused();
-
- /* free records obtained from DBs */
- void freeDbRecords();
-
- /*
- * See if the specified error status is allowed (return true) or
- * fatal (return false) per each cert's mAllowedErrs[]. Returns
- * true if any cert returns false for its isStatusFatal() call.
- * The list of errors which can apply to cert-chain-wide allowedErrors
- * is right here; if the incoming error is not in that list, we
- * return false. If the incoming error code is CSSM_OK we return
- * true as a convenience for our callers.
- */
- bool isAllowedError(
- CSSM_RETURN code);
-
- /*
- * Determine if we already have the specified cert in this group.
- */
- bool isInGroup(TPCertInfo &certInfo);
-
- /*
- * Given a constructed cert group, encode all the issuers
- * (i.e. chain minus the leaf, unless numCerts() is 1) as a PEM data blob.
- * Caller is responsible for freeing the data.
- */
- void encodeIssuers(CSSM_DATA &issuers);
-
-private:
-
- /*
- * Search unused incoming certs to find an issuer of specified
- * cert or CRL.
- * WARNING this assumes a valied "used" state for all certs
- * in this group.
- * If partialIssuerKey is true on return, caller must re-verify signature
- * of subject later when sufficient info is available.
- */
- TPCertInfo *findIssuerForCertOrCrl(
- const TPClItemInfo &subject,
- bool &partialIssuerKey);
-
- /*
- * Called from buildCertGroup as final processing of a constructed
- * group when CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE has been
- * detected. Perform partial public key processing.
- * Returns:
- * CSSMERR_TP_CERTIFICATE_CANT_OPERATE - can't complete partial key
- * CSSMERR_TP_INVALID_CERT_AUTHORITY - sig verify failed with
- * (supposedly) completed partial key
- */
- CSSM_RETURN verifyWithPartialKeys(
- const TPClItemInfo &subjectItem); // Cert or CRL
-
- Allocator &mAlloc;
- TPCertInfo **mCertInfo; // just an array of pointers
- unsigned mNumCerts; // valid certs in certInfo
- unsigned mSizeofCertInfo; // mallocd space in certInfo
- TPGroupOwner mWhoOwns; // if TGO_Group, we delete certs
- // upon destruction
-};
-#endif /* _TP_CERT_INFO_H_ */
projects / apple / security.git / blobdiff