+++ /dev/null
-/*
- * Copyright (c) 2002-2012 Apple Inc. All Rights Reserved.
- *
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License. Please obtain
- * a copy of the License at http://www.apple.com/publicsource and read it before
- * using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
- * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
- * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
- * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
- * specific language governing rights and limitations under the License.
- */
-
-
-/*
- * TPNetwork.h - LDAP, HTTP and (eventually) other network tools
- */
-
-#include "TPNetwork.h"
-#include "tpdebugging.h"
-#include "tpTime.h"
-#include "cuEnc64.h"
-#include <Security/cssmtype.h>
-#include <Security/cssmapple.h>
-#include <Security/oidscert.h>
-#include <security_utilities/logging.h>
-#include <security_ocspd/ocspdClient.h>
-
-#define CA_ISSUERS_OID OID_PKIX, 0x30, 0x02
-#define CA_ISSUERS_OID_LEN OID_PKIX_LENGTH + 2
-
-static const uint8 OID_CA_ISSUERS[] = {CA_ISSUERS_OID};
-const CSSM_OID CSSMOID_CA_ISSUERS = {CA_ISSUERS_OID_LEN, (uint8 *)OID_CA_ISSUERS};
-
-typedef enum {
- LT_Crl = 1,
- LT_Cert
-} LF_Type;
-
-static CSSM_RETURN tpDecodeCert(
- Allocator &alloc,
- CSSM_DATA &rtnBlob) // will be reallocated if needed
-{
- const unsigned char *inbuf = (const unsigned char *)rtnBlob.Data;
- unsigned inlen = (unsigned)rtnBlob.Length;
- unsigned char *outbuf = NULL;
- unsigned outlen = 0;
- CSSM_RETURN ortn = cuConvertPem(inbuf, inlen, &outbuf, &outlen);
-
- if(ortn == 0 && outbuf != NULL) {
- /* Decoded result needs to be malloc'd via input allocator */
- unsigned char *rtnP = (unsigned char *) alloc.malloc(outlen);
- if(rtnP != NULL) {
- memcpy(rtnP, outbuf, outlen);
- rtnBlob.Data = rtnP;
- rtnBlob.Length = outlen;
- }
- free(outbuf);
- alloc.free((void *)inbuf);
- }
- return ortn;
-}
-
-static CSSM_RETURN tpFetchViaNet(
- const CSSM_DATA &url,
- const CSSM_DATA *issuer, // optional
- LF_Type lfType,
- CSSM_TIMESTRING verifyTime, // CRL only
- Allocator &alloc,
- CSSM_DATA &rtnBlob) // mallocd and RETURNED
-{
- if(lfType == LT_Crl) {
- return ocspdCRLFetch(alloc, url, issuer,
- true, true, // cache r/w both enable
- verifyTime, rtnBlob);
- }
- else {
- CSSM_RETURN result = ocspdCertFetch(alloc, url, rtnBlob);
- if(result == CSSM_OK) {
- /* The data might be in PEM format; if so, convert it here */
- (void)tpDecodeCert(alloc, rtnBlob);
- }
- return result;
- }
-}
-
-static CSSM_RETURN tpCrlViaNet(
- const CSSM_DATA &url,
- const CSSM_DATA *issuer, // optional, only if cert and CRL have same issuer
- TPVerifyContext &vfyCtx,
- TPCertInfo &forCert, // for verifyWithContext
- TPCrlInfo *&rtnCrl)
-{
- TPCrlInfo *crl = NULL;
- CSSM_DATA crlData;
- CSSM_RETURN crtn;
- Allocator &alloc = Allocator::standard();
- char cssmTime[CSSM_TIME_STRLEN+1];
-
- rtnCrl = NULL;
-
- /* verifyTime: we want a CRL that's valid right now. */
- {
- StLock<Mutex> _(tpTimeLock());
- timeAtNowPlus(0, TIME_CSSM, cssmTime);
- }
-
- crtn = tpFetchViaNet(url, issuer, LT_Crl, cssmTime, alloc, crlData);
- if(crtn) {
- return crtn;
- }
- try {
- crl = new TPCrlInfo(vfyCtx.clHand,
- vfyCtx.cspHand,
- &crlData,
- TIC_CopyData,
- NULL); // verifyTime = Now
- }
- catch(...) {
- alloc.free(crlData.Data);
-
- /*
- * There is a slight possibility of recovering from this error. In case
- * the CRL came from disk cache, flush the cache and try to get the CRL
- * from the net.
- */
- tpDebug(" bad CRL; flushing from cache and retrying");
- ocspdCRLFlush(url);
- crtn = tpFetchViaNet(url, issuer, LT_Crl, cssmTime, alloc, crlData);
- if(crtn == CSSM_OK) {
- try {
- crl = new TPCrlInfo(vfyCtx.clHand,
- vfyCtx.cspHand,
- &crlData,
- TIC_CopyData,
- NULL);
- tpDebug(" RECOVERY: good CRL obtained from net");
- }
- catch(...) {
- alloc.free(crlData.Data);
- tpDebug(" bad CRL; recovery FAILED (1)");
- return CSSMERR_APPLETP_CRL_NOT_FOUND;
- }
- }
- else {
- /* it was in cache but we can't find it on the net */
- tpDebug(" bad CRL; recovery FAILED (2)");
- return CSSMERR_APPLETP_CRL_NOT_FOUND;
- }
- }
- alloc.free(crlData.Data);
-
- /*
- * Full CRL verify.
- * The verify time in the TPVerifyContext is the time at which various
- * entities (CRL and its own cert chain) are to be verified; that's
- * NULL for "right now". The current vfyCtx.verifyTime is the time at
- * which the cert's revocation status to be determined; this call to
- * verifyWithContextNow() doesn't do that.
- */
- crtn = crl->verifyWithContextNow(vfyCtx, &forCert);
- if(crtn == CSSM_OK) {
- crl->uri(url);
- }
- else {
- delete crl;
- crl = NULL;
- }
- rtnCrl = crl;
- return crtn;
-}
-
-static CSSM_RETURN tpIssuerCertViaNet(
- const CSSM_DATA &url,
- CSSM_CL_HANDLE clHand,
- CSSM_CSP_HANDLE cspHand,
- const char *verifyTime,
- TPCertInfo &subject,
- TPCertInfo *&rtnCert)
-{
- TPCertInfo *issuer = NULL;
- CSSM_DATA certData;
- CSSM_RETURN crtn;
- Allocator &alloc = Allocator::standard();
-
- crtn = tpFetchViaNet(url, NULL, LT_Cert, NULL, alloc, certData);
- if(crtn) {
- tpErrorLog("tpIssuerCertViaNet: net fetch failed\n");
- return CSSMERR_APPLETP_CERT_NOT_FOUND_FROM_ISSUER;
- }
- try {
- issuer = new TPCertInfo(clHand,
- cspHand,
- &certData,
- TIC_CopyData,
- verifyTime);
- }
- catch(...) {
- tpErrorLog("tpIssuerCertViaNet: bad cert via net fetch\n");
- alloc.free(certData.Data);
- rtnCert = NULL;
- return CSSMERR_APPLETP_BAD_CERT_FROM_ISSUER;
- }
- alloc.free(certData.Data);
-
- /* subject/issuer match? */
- if(!issuer->isIssuerOf(subject)) {
- tpErrorLog("tpIssuerCertViaNet: wrong issuer cert via net fetch\n");
- crtn = CSSMERR_APPLETP_BAD_CERT_FROM_ISSUER;
- }
- else {
- /* yep, do a sig verify */
- crtn = subject.verifyWithIssuer(issuer);
- if(crtn) {
- tpErrorLog("tpIssuerCertViaNet: sig verify fail for cert via net "
- "fetch\n");
- crtn = CSSMERR_APPLETP_BAD_CERT_FROM_ISSUER;
- }
- }
- if(crtn) {
- assert(issuer != NULL);
- delete issuer;
- issuer = NULL;
- }
- rtnCert = issuer;
- return crtn;
-}
-
-/*
- * Fetch a CRL or a cert via a GeneralNames.
- * Shared by cert and CRL code to avoid duplicating GeneralNames traversal
- * code, despite the awkward interface for this function.
- */
-static CSSM_RETURN tpFetchViaGeneralNames(
- const CE_GeneralNames *names,
- TPCertInfo &forCert,
- const CSSM_DATA *issuer, // optional, and only for CRLs
- TPVerifyContext *verifyContext, // only for CRLs
- CSSM_CL_HANDLE clHand, // only for certs
- CSSM_CSP_HANDLE cspHand, // only for certs
- const char *verifyTime, // optional
- /* exactly one must be non-NULL, that one is returned */
- TPCertInfo **certInfo,
- TPCrlInfo **crlInfo)
-{
- assert(certInfo || crlInfo);
- assert(!certInfo || !crlInfo);
- CSSM_RETURN crtn;
-
- for(unsigned nameDex=0; nameDex<names->numNames; nameDex++) {
- CE_GeneralName *name = &names->generalName[nameDex];
- switch(name->nameType) {
- case GNT_URI:
- if(name->name.Length < 5) {
- continue;
- }
- if(strncmp((char *)name->name.Data, "ldap:", 5) &&
- strncmp((char *)name->name.Data, "http:", 5) &&
- strncmp((char *)name->name.Data, "https:", 6)) {
- /* eventually handle other schemes here */
- continue;
- }
- if(certInfo) {
- tpDebug(" fetching cert via net");
- crtn = tpIssuerCertViaNet(name->name,
- clHand,
- cspHand,
- verifyTime,
- forCert,
- *certInfo);
- }
- else {
- tpDebug(" fetching CRL via net");
- assert(verifyContext != NULL);
- crtn = tpCrlViaNet(name->name,
- issuer,
- *verifyContext,
- forCert,
- *crlInfo);
- }
- switch(crtn) {
- case CSSM_OK:
- case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE: // caller handles
- return crtn;
- default:
- break;
- }
- /* not found/no good; try again */
- break;
- default:
- tpCrlDebug(" tpFetchCrlFromNet: unknown"
- "nameType (%u)", (unsigned)name->nameType);
- break;
- } /* switch nameType */
- } /* for each name */
- if(certInfo) {
- return CSSMERR_TP_CERTGROUP_INCOMPLETE;
- }
- else {
- return CSSMERR_APPLETP_CRL_NOT_FOUND;
- }
-}
-
-/*
- * Fetch CRL(s) from specified cert if the cert has a cRlDistributionPoint
- * extension.
- *
- * Return values:
- * CSSM_OK - found and returned fully verified CRL
- * CSSMERR_APPLETP_CRL_NOT_FOUND - no CRL in cRlDistributionPoint
- * Anything else - gross error, typically from last LDAP/HTTP attempt
- *
- * FIXME - this whole mechanism sort of falls apart if verifyContext.verifyTime
- * is non-NULL. How are we supposed to get the CRL which was valid at
- * a specified time in the past?
- */
-CSSM_RETURN tpFetchCrlFromNet(
- TPCertInfo &cert,
- TPVerifyContext &vfyCtx,
- TPCrlInfo *&crl) // RETURNED
-{
- /* does the cert have a cRlDistributionPoint? */
- CSSM_DATA_PTR fieldValue; // mallocd by CL
-
- CSSM_RETURN crtn = cert.fetchField(&CSSMOID_CrlDistributionPoints,
- &fieldValue);
- switch(crtn) {
- case CSSM_OK:
- break;
- case CSSMERR_CL_NO_FIELD_VALUES:
- /* field not present */
- return CSSMERR_APPLETP_CRL_NOT_FOUND;
- default:
- /* gross error */
- return crtn;
- }
- if(fieldValue->Length != sizeof(CSSM_X509_EXTENSION)) {
- tpErrorLog("tpFetchCrlFromNet: malformed CSSM_FIELD");
- return CSSMERR_TP_UNKNOWN_FORMAT;
- }
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)fieldValue->Data;
- CE_CRLDistPointsSyntax *dps =
- (CE_CRLDistPointsSyntax *)cssmExt->value.parsedValue;
- TPCrlInfo *rtnCrl = NULL;
-
- /* default return if we don't find anything */
- crtn = CSSMERR_APPLETP_CRL_NOT_FOUND;
- for(unsigned dex=0; dex<dps->numDistPoints; dex++) {
- CE_CRLDistributionPoint *dp = &dps->distPoints[dex];
- if(dp->distPointName == NULL) {
- continue;
- }
- /*
- * FIXME if this uses an indirect CRL, we need to follow the
- * crlIssuer field... TBD.
- */
- switch(dp->distPointName->nameType) {
- case CE_CDNT_NameRelativeToCrlIssuer:
- /* not yet */
- tpErrorLog("tpFetchCrlFromNet: "
- "CE_CDNT_NameRelativeToCrlIssuer not implemented\n");
- break;
-
- case CE_CDNT_FullName:
- {
- /*
- * Since we don't support indirect CRLs (yet), we always pass
- * the cert-to-be-verified's issuer as the CRL issuer for
- * cache lookup.
- */
- CE_GeneralNames *names = dp->distPointName->dpn.fullName;
- crtn = tpFetchViaGeneralNames(names,
- cert,
- cert.issuerName(),
- &vfyCtx,
- 0, // clHand, use the one in vfyCtx
- 0, // cspHand, ditto
- vfyCtx.verifyTime,
- NULL,
- &rtnCrl);
- break;
- } /* CE_CDNT_FullName */
-
- default:
- /* not yet */
- tpErrorLog("tpFetchCrlFromNet: "
- "unknown distPointName->nameType (%u)\n",
- (unsigned)dp->distPointName->nameType);
- break;
- } /* switch distPointName->nameType */
- if(crtn == CSSM_OK) {
- /* i.e., tpFetchViaGeneralNames SUCCEEDED */
- break;
- }
- } /* for each distPoints */
-
- cert.freeField(&CSSMOID_CrlDistributionPoints, fieldValue);
- if(crtn == CSSM_OK) {
- assert(rtnCrl != NULL);
- crl = rtnCrl;
- }
- return crtn;
-}
-
-/*
- * Fetch issuer cert of specified cert if the cert has an issuerAltName
- * with a URI. If non-NULL cert is returned, it has passed subject/issuer
- * name comparison and signature verification with target cert.
- *
- * Return values:
- * CSSM_OK - found and returned issuer cert
- * CSSMERR_TP_CERTGROUP_INCOMPLETE - no URL in issuerAltName
- * CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE - found and returned issuer
- * cert, but signature verification needs subsequent retry.
- * Anything else - gross error, typically from last LDAP/HTTP attempt
- */
-CSSM_RETURN tpFetchIssuerFromNet(
- TPCertInfo &subject,
- CSSM_CL_HANDLE clHand,
- CSSM_CSP_HANDLE cspHand,
- const char *verifyTime,
- TPCertInfo *&issuer) // RETURNED
-{
- CSSM_OID_PTR fieldOid = NULL;
- CSSM_DATA_PTR fieldValue = NULL; // mallocd by CL
- CSSM_RETURN crtn;
- bool hasAIA = false;
-
- /* look for the Authority Info Access extension first */
- fieldOid = (CSSM_OID_PTR)&CSSMOID_AuthorityInfoAccess;
- crtn = subject.fetchField(fieldOid,
- &fieldValue);
- hasAIA = (crtn == CSSM_OK);
- if (!hasAIA) {
- /* fall back to Issuer Alternative Name extension */
- fieldOid = (CSSM_OID_PTR)&CSSMOID_IssuerAltName;
- crtn = subject.fetchField(fieldOid,
- &fieldValue);
- }
- switch(crtn) {
- case CSSM_OK:
- break;
- case CSSMERR_CL_NO_FIELD_VALUES:
- /* field not present */
- return CSSMERR_TP_CERTGROUP_INCOMPLETE;
- default:
- /* gross error */
- return crtn;
- }
- if(fieldValue->Length != sizeof(CSSM_X509_EXTENSION)) {
- tpPolicyError("tpFetchIssuerFromNet: malformed CSSM_FIELD");
- return CSSMERR_TP_UNKNOWN_FORMAT;
- }
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)fieldValue->Data;
- CE_GeneralNames *names = (CE_GeneralNames *)cssmExt->value.parsedValue;
- TPCertInfo *rtnCert = NULL;
- if (hasAIA) { /* authority info access */
- CE_AuthorityInfoAccess *access = (CE_AuthorityInfoAccess *)cssmExt->value.parsedValue;
- for (uint32 index = 0; access && index < access->numAccessDescriptions; index++) {
- CE_AccessDescription *accessDesc = &access->accessDescriptions[index];
- CSSM_OID_PTR methodOid = (CSSM_OID_PTR)&accessDesc->accessMethod;
- /* look for the CA Issuers method */
- if(methodOid->Data != NULL && methodOid->Length == CSSMOID_CA_ISSUERS.Length &&
- !memcmp(methodOid->Data, CSSMOID_CA_ISSUERS.Data, methodOid->Length)) {
- CE_GeneralNames aiaNames = { 1, &accessDesc->accessLocation };
- /* attempt to fetch cert from named location */
- crtn = tpFetchViaGeneralNames(&aiaNames,
- subject,
- NULL, // issuer - not used
- NULL, // verifyContext
- clHand,
- cspHand,
- verifyTime,
- &rtnCert,
- NULL);
- if (crtn == CSSM_OK ||
- crtn == CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE) {
- break; // got one
- }
- }
- }
- subject.freeField(fieldOid, fieldValue);
- }
- else { /* issuer alt name */
- crtn = tpFetchViaGeneralNames(names,
- subject,
- NULL, // issuer - not used
- NULL, // verifyContext
- clHand,
- cspHand,
- verifyTime,
- &rtnCert,
- NULL);
- subject.freeField(fieldOid, fieldValue);
- }
- switch(crtn) {
- case CSSM_OK:
- case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
- issuer = rtnCert;
- break;
- default:
- break;
- }
- return crtn;
-}
-
-
projects / apple / security.git / blobdiff