+++ /dev/null
-/*
- * Copyright (c) 2002,2011,2014 Apple Inc. All Rights Reserved.
- *
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License. Please obtain
- * a copy of the License at http://www.apple.com/publicsource and read it before
- * using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
- * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
- * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
- * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
- * specific language governing rights and limitations under the License.
- */
-
-
-/*
- * tpCredRequest.cpp - credential request functions SubmitCredRequest,
- * RetrieveCredResult
- *
- */
-
-#include "AppleTPSession.h"
-#include "certGroupUtils.h"
-#include "tpdebugging.h"
-#include "tpTime.h"
-#include <Security/oidsalg.h>
-#include <Security/oidsattr.h>
-#include <Security/oidscert.h>
-#include <Security/cssmapple.h>
-#include <security_utilities/debugging.h>
-#include <Security/cssmapple.h>
-#include <assert.h>
-
-#define tpCredDebug(args...) secdebug("tpCred", ## args)
-
-/*
- * Build up a CSSM_X509_NAME from an arbitrary list of name/OID pairs.
- * We do one a/v pair per RDN.
- */
-CSSM_X509_NAME * AppleTPSession::buildX509Name(
- const CSSM_APPLE_TP_NAME_OID *nameArray,
- unsigned numNames)
-{
- CSSM_X509_NAME *top = (CSSM_X509_NAME *)malloc(sizeof(CSSM_X509_NAME));
- top->numberOfRDNs = numNames;
- if(numNames == 0) {
- /* legal! */
- top->RelativeDistinguishedName = NULL;
- return top;
- }
- top->RelativeDistinguishedName =
- (CSSM_X509_RDN_PTR)malloc(sizeof(CSSM_X509_RDN) * numNames);
- CSSM_X509_RDN_PTR rdn;
- const CSSM_APPLE_TP_NAME_OID *nameOid;
- unsigned nameDex;
- for(nameDex=0; nameDex<numNames; nameDex++) {
- rdn = &top->RelativeDistinguishedName[nameDex];
- nameOid = &nameArray[nameDex];
- rdn->numberOfPairs = 1;
- rdn->AttributeTypeAndValue = (CSSM_X509_TYPE_VALUE_PAIR_PTR)
- malloc(sizeof(CSSM_X509_TYPE_VALUE_PAIR));
- CSSM_X509_TYPE_VALUE_PAIR_PTR atvp = rdn->AttributeTypeAndValue;
- tpCopyCssmData(*this, nameOid->oid, &atvp->type);
- atvp->value.Length = strlen(nameOid->string);
- if(tpCompareOids(&CSSMOID_CountryName, nameOid->oid)) {
- /*
- * Country handled differently per RFC 3280 - must be printable,
- * max of two characters in length
- */
- if(atvp->value.Length > 2) {
- CssmError::throwMe(CSSMERR_TP_INVALID_DATA);
- }
- for(unsigned dex=0; dex<atvp->value.Length; dex++) {
- int c = nameOid->string[dex];
- if(!isprint(c) || (c == EOF)) {
- CssmError::throwMe(CSSMERR_TP_INVALID_DATA);
- }
- }
- atvp->valueType = BER_TAG_PRINTABLE_STRING;
- }
- /* other special cases per RFC 3280 */
- else if(tpCompareOids(&CSSMOID_DNQualifier, nameOid->oid)) {
- atvp->valueType = BER_TAG_PRINTABLE_STRING;
- }
- else if(tpCompareOids(&CSSMOID_SerialNumber, nameOid->oid)) {
- atvp->valueType = BER_TAG_PRINTABLE_STRING;
- }
- else if(tpCompareOids(&CSSMOID_EmailAddress, nameOid->oid)) {
- atvp->valueType = BER_TAG_IA5_STRING;
- }
- else {
- /* Default type */
- atvp->valueType = BER_TAG_PKIX_UTF8_STRING;
- }
- atvp->value.Data = (uint8 *)malloc(atvp->value.Length);
- memmove(atvp->value.Data, nameOid->string, atvp->value.Length);
- }
- return top;
-}
-
-/* free the CSSM_X509_NAME obtained from buildX509Name */
-void AppleTPSession::freeX509Name(
- CSSM_X509_NAME *top)
-{
- if(top == NULL) {
- return;
- }
- unsigned nameDex;
- CSSM_X509_RDN_PTR rdn;
- for(nameDex=0; nameDex<top->numberOfRDNs; nameDex++) {
- rdn = &top->RelativeDistinguishedName[nameDex];
- if(rdn->AttributeTypeAndValue) {
- for(unsigned aDex=0; aDex<rdn->numberOfPairs; aDex++) {
- CSSM_X509_TYPE_VALUE_PAIR_PTR atvp =
- &rdn->AttributeTypeAndValue[aDex];
- free(atvp->type.Data);
- free(atvp->value.Data);
- }
- free(rdn->AttributeTypeAndValue);
- }
- }
- free(top->RelativeDistinguishedName);
- free(top);
-}
-
-/* Obtain a CSSM_X509_TIME representing "now" plus specified seconds */
-
-/*
- * Although RFC 2459, *the* spec for X509 certs, allows for not before/after
- * times to be expressed in ther generalized (4-digit year) or UTC (2-digit year
- * with implied century rollover), IE 5 on Mac will not accept the generalized
- * format.
- */
-#define TP_FOUR_DIGIT_YEAR 0
-#if TP_FOUR_DIGIT_YEAR
-#define TP_TIME_FORMAT TIME_GEN
-#define TP_TIME_TAG BER_TAG_GENERALIZED_TIME
-#else
-#define TP_TIME_FORMAT TIME_UTC
-#define TP_TIME_TAG BER_TAG_UTC_TIME
-#endif /* TP_FOUR_DIGIT_YEAR */
-
-CSSM_X509_TIME * AppleTPSession::buildX509Time(
- unsigned secondsFromNow)
-{
- CSSM_X509_TIME *xtime = (CSSM_X509_TIME *)malloc(sizeof(CSSM_X509_TIME));
- xtime->timeType = TP_TIME_TAG;
- char *ts = (char *)malloc(GENERALIZED_TIME_STRLEN + 1);
- {
- StLock<Mutex> _(tpTimeLock());
- timeAtNowPlus(secondsFromNow, TP_TIME_FORMAT, ts);
- }
- xtime->time.Data = (uint8 *)ts;
- xtime->time.Length = strlen(ts);
- return xtime;
-}
-
-/* Free CSSM_X509_TIME obtained in buildX509Time */
-void AppleTPSession::freeX509Time(
- CSSM_X509_TIME *xtime)
-{
- if(xtime == NULL) {
- return;
- }
- free((char *)xtime->time.Data);
- free(xtime);
-}
-
-/*
- * Cook up a CSSM_DATA with specified integer, DER style (minimum number of
- * bytes, big-endian).
- */
-static void intToDER(
- CSSM_INTPTR theInt,
- CSSM_DATA &DER_Data,
- Allocator &alloc)
-{
- /*
- * Calculate length in bytes of encoded integer, minimum length of 1.
- */
- DER_Data.Length = 1;
- uintptr_t unsignedInt = (uintptr_t)theInt;
- while(unsignedInt > 0xff) {
- DER_Data.Length++;
- unsignedInt >>= 8;
- }
-
- /*
- * DER encoding requires top bit to be zero, else it's a negative number.
- * Even though we're passing around integers as CSSM_INTPTR, they really are
- * always unsigned.
- * unsignedInt contains the m.s. byte of theInt in its l.s. byte.
- */
- if(unsignedInt & 0x80) {
- DER_Data.Length++;
- }
-
- DER_Data.Data = (uint8 *)alloc.malloc(DER_Data.Length);
- uint8 *dst = DER_Data.Data + DER_Data.Length - 1;
- unsignedInt = (uintptr_t)theInt;
- for(unsigned dex=0; dex<DER_Data.Length; dex++) {
- *dst-- = unsignedInt & 0xff;
- /* this shifts off to zero if we're adding a zero at the top */
- unsignedInt >>= 8;
- }
-}
-
-/* The reverse of the above. */
-static CSSM_INTPTR DERToInt(
- const CSSM_DATA &DER_Data)
-{
- CSSM_INTPTR rtn = 0;
- uint8 *bp = DER_Data.Data;
- for(unsigned dex=0; dex<DER_Data.Length; dex++) {
- rtn <<= 8;
- rtn |= *bp++;
- }
- return rtn;
-}
-
-/* Convert a reference key to a raw key. */
-void AppleTPSession::refKeyToRaw(
- CSSM_CSP_HANDLE cspHand,
- const CSSM_KEY *refKey,
- CSSM_KEY_PTR rawKey) // RETURNED
-{
- CSSM_CC_HANDLE ccHand;
- CSSM_RETURN crtn;
- CSSM_ACCESS_CREDENTIALS creds;
-
- memset(rawKey, 0, sizeof(CSSM_KEY));
- memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
- crtn = CSSM_CSP_CreateSymmetricContext(cspHand,
- CSSM_ALGID_NONE,
- CSSM_ALGMODE_NONE,
- &creds, // passPhrase
- NULL, // wrapping key
- NULL, // init vector
- CSSM_PADDING_NONE, // Padding
- 0, // Params
- &ccHand);
- if(crtn) {
- tpCredDebug("AppleTPSession::refKeyToRaw: context err");
- CssmError::throwMe(crtn);
- }
-
- crtn = CSSM_WrapKey(ccHand,
- &creds,
- refKey,
- NULL, // DescriptiveData
- rawKey);
- if(crtn != CSSM_OK) {
- tpCredDebug("AppleTPSession::refKeyToRaw: wrapKey err");
- CssmError::throwMe(crtn);
- }
- CSSM_DeleteContext(ccHand);
-}
-
-
-/*
- * Cook up an unsigned cert.
- * This is just a wrapper for CSSM_CL_CertCreateTemplate().
- */
-void AppleTPSession::makeCertTemplate(
- /* required */
- CSSM_CL_HANDLE clHand,
- CSSM_CSP_HANDLE cspHand, // for converting ref to raw key
- uint32 serialNumber,
- const CSSM_X509_NAME *issuerName,
- const CSSM_X509_NAME *subjectName,
- const CSSM_X509_TIME *notBefore,
- const CSSM_X509_TIME *notAfter,
- const CSSM_KEY *subjectPubKey,
- const CSSM_OID &sigOid, // e.g., CSSMOID_SHA1WithRSA
- /* optional */
- const CSSM_DATA *subjectUniqueId,
- const CSSM_DATA *issuerUniqueId,
- CSSM_X509_EXTENSION *extensions,
- unsigned numExtensions,
- CSSM_DATA_PTR &rawCert)
-{
- CSSM_FIELD *certTemp;
- unsigned fieldDex = 0; // index into certTemp
- CSSM_DATA serialDER = {0, NULL}; // serial number, DER format
- CSSM_DATA versionDER = {0, NULL};
- unsigned extNum;
- CSSM_X509_ALGORITHM_IDENTIFIER algId;
- const CSSM_KEY *actPubKey;
- CSSM_KEY rawPubKey;
- CSSM_BOOL freeRawKey = CSSM_FALSE;
-
- rawCert = NULL;
-
- /*
- * Set Signature Algorithm OID and parameters
- */
- algId.algorithm = sigOid;
-
- /* NULL params - skip for ECDSA */
- CSSM_ALGORITHMS algorithmType = 0;
- cssmOidToAlg(&sigOid, &algorithmType);
- switch(algorithmType) {
- case CSSM_ALGID_SHA1WithECDSA:
- case CSSM_ALGID_SHA224WithECDSA:
- case CSSM_ALGID_SHA256WithECDSA:
- case CSSM_ALGID_SHA384WithECDSA:
- case CSSM_ALGID_SHA512WithECDSA:
- case CSSM_ALGID_ECDSA_SPECIFIED:
- algId.parameters.Data = NULL;
- algId.parameters.Length = 0;
- break;
- default:
- static const uint8 encNull[2] = { SEC_ASN1_NULL, 0 };
- CSSM_DATA encNullData;
- encNullData.Data = (uint8 *)encNull;
- encNullData.Length = 2;
-
- algId.parameters = encNullData;
- break;
- }
-
-
- /*
- * Convert possible ref public key to raw format as required by CL.
- */
- switch(subjectPubKey->KeyHeader.BlobType) {
- case CSSM_KEYBLOB_RAW:
- actPubKey = subjectPubKey;
- break;
- case CSSM_KEYBLOB_REFERENCE:
- refKeyToRaw(cspHand, subjectPubKey, &rawPubKey);
- actPubKey = &rawPubKey;
- freeRawKey = CSSM_TRUE;
- break;
- default:
- tpCredDebug("CSSM_CL_CertCreateTemplate: bad key blob type (%u)",
- (unsigned)subjectPubKey->KeyHeader.BlobType);
- CssmError::throwMe(CSSMERR_TP_INVALID_REQUEST_INPUTS);
- }
-
-
- /*
- * version, always 2 (X509v3)
- * serialNumber thru subjectPubKey
- */
- unsigned numFields = 8 + numExtensions;
- if(subjectUniqueId) {
- numFields++;
- }
- if(issuerUniqueId) {
- numFields++;
- }
-
- certTemp = (CSSM_FIELD *)malloc(sizeof(CSSM_FIELD) * numFields);
-
-
- /* version */
- intToDER(2, versionDER, *this);
- certTemp[fieldDex].FieldOid = CSSMOID_X509V1Version;
- certTemp[fieldDex++].FieldValue = versionDER;
-
- /* serial number */
- intToDER(serialNumber, serialDER, *this);
- certTemp[fieldDex].FieldOid = CSSMOID_X509V1SerialNumber;
- certTemp[fieldDex++].FieldValue = serialDER;
-
- /* subject and issuer name */
- certTemp[fieldDex].FieldOid = CSSMOID_X509V1IssuerNameCStruct;
- certTemp[fieldDex].FieldValue.Data = (uint8 *)issuerName;
- certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_NAME);
-
- certTemp[fieldDex].FieldOid = CSSMOID_X509V1SubjectNameCStruct;
- certTemp[fieldDex].FieldValue.Data = (uint8 *)subjectName;
- certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_NAME);
-
- /* not before/after */
- certTemp[fieldDex].FieldOid = CSSMOID_X509V1ValidityNotBefore;
- certTemp[fieldDex].FieldValue.Data = (uint8 *)notBefore;
- certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_TIME);
-
- certTemp[fieldDex].FieldOid = CSSMOID_X509V1ValidityNotAfter;
- certTemp[fieldDex].FieldValue.Data = (uint8 *)notAfter;
- certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_TIME);
-
- /* the subject key */
- certTemp[fieldDex].FieldOid = CSSMOID_CSSMKeyStruct;
- certTemp[fieldDex].FieldValue.Data = (uint8 *)actPubKey;
- certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_KEY);
-
- /* signature algorithm */
- certTemp[fieldDex].FieldOid = CSSMOID_X509V1SignatureAlgorithmTBS;
- certTemp[fieldDex].FieldValue.Data = (uint8 *)&algId;
- certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_ALGORITHM_IDENTIFIER);
-
- /* subject/issuer unique IDs */
- if(subjectUniqueId != 0) {
- certTemp[fieldDex].FieldOid = CSSMOID_X509V1CertificateSubjectUniqueId;
- certTemp[fieldDex++].FieldValue = *subjectUniqueId;
- }
- if(issuerUniqueId != 0) {
- certTemp[fieldDex].FieldOid = CSSMOID_X509V1CertificateIssuerUniqueId;
- certTemp[fieldDex++].FieldValue = *issuerUniqueId;
- }
-
- for(extNum=0; extNum<numExtensions; extNum++) {
- CSSM_X509_EXTENSION_PTR ext = &extensions[extNum];
- if(ext->format == CSSM_X509_DATAFORMAT_PARSED) {
- certTemp[fieldDex].FieldOid = ext->extnId;
- }
- else {
- certTemp[fieldDex].FieldOid = CSSMOID_X509V3CertificateExtensionCStruct;
- }
- certTemp[fieldDex].FieldValue.Data = (uint8 *)ext;
- certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_EXTENSION);
- }
- assert(fieldDex == numFields);
-
- /*
- * OK, here we go
- */
- rawCert = (CSSM_DATA_PTR)malloc(sizeof(CSSM_DATA));
- rawCert->Data = NULL;
- rawCert->Length = 0;
- CSSM_RETURN crtn = CSSM_CL_CertCreateTemplate(clHand,
- fieldDex,
- certTemp,
- rawCert);
- if(crtn) {
- tpCredDebug("CSSM_CL_CertCreateTemplate returned %ld", (long)crtn);
- free(rawCert->Data);
- free(rawCert);
- rawCert = NULL;
- }
-
- /* free the stuff we mallocd to get here */
- free(serialDER.Data);
- free(versionDER.Data);
- free(certTemp);
- if(freeRawKey) {
- tpFreeCssmData(*this, &rawPubKey.KeyData, CSSM_FALSE);
- }
- if(crtn) {
- CssmError::throwMe(crtn);
- }
-}
-
-/* given a cert and a ReferenceIdentifier, fill in ReferenceIdentifier and
- * add it and the cert to tpCredMap. */
-void AppleTPSession::addCertToMap(
- const CSSM_DATA *cert,
- CSSM_DATA_PTR refId)
-{
- StLock<Mutex> _(tpCredMapLock);
-
- TpCredHandle hand = reinterpret_cast<TpCredHandle>(cert);
- intToDER(hand, *refId, *this);
- tpCredMap[hand] = cert;
-}
-
-/* given a ReferenceIdentifier, obtain associated cert and remove from the map */
-CSSM_DATA_PTR AppleTPSession::getCertFromMap(
- const CSSM_DATA *refId)
-{
- StLock<Mutex> _(tpCredMapLock);
- CSSM_DATA_PTR rtn = NULL;
-
- if((refId == NULL) || (refId->Data == NULL)) {
- return NULL;
- }
- TpCredHandle hand = DERToInt(*refId);
- credMap::iterator it = tpCredMap.find(hand);
- if(it == tpCredMap.end()) {
- return NULL;
- }
- rtn = const_cast<CSSM_DATA *>(it->second);
- tpCredMap.erase(hand);
- return rtn;
-}
-
-/*
- * SubmitCredRequest, CSR form.
- */
-void AppleTPSession::SubmitCsrRequest(
- const CSSM_TP_REQUEST_SET &RequestInput,
- const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthContext,
- sint32 &EstimatedTime, // RETURNED
- CssmData &ReferenceIdentifier) // RETURNED
-{
- CSSM_DATA_PTR csrPtr = NULL;
- CSSM_CC_HANDLE sigHand = 0;
- CSSM_APPLE_CL_CSR_REQUEST csrReq;
-
- memset(&csrReq, 0, sizeof(csrReq));
-
- /* for now we're using the same struct for input as the the normal
- * X509 cert request. */
- CSSM_APPLE_TP_CERT_REQUEST *certReq =
- (CSSM_APPLE_TP_CERT_REQUEST *)RequestInput.Requests;
- if((certReq->cspHand == 0) ||
- (certReq->clHand == 0) ||
- (certReq->certPublicKey == NULL) ||
- (certReq->issuerPrivateKey == NULL) ||
- (certReq->signatureOid.Data == NULL)) {
- CssmError::throwMe(CSSMERR_TP_INVALID_REQUEST_INPUTS);
- }
-
- /* convert ref public key to raw per CL requirements */
- const CSSM_KEY *subjectPubKey = certReq->certPublicKey;
- const CSSM_KEY *actPubKey = NULL;
- CSSM_BOOL freeRawKey = CSSM_FALSE;
- CSSM_KEY rawPubKey;
-
- switch(subjectPubKey->KeyHeader.BlobType) {
- case CSSM_KEYBLOB_RAW:
- actPubKey = subjectPubKey;
- break;
- case CSSM_KEYBLOB_REFERENCE:
- refKeyToRaw(certReq->cspHand, subjectPubKey, &rawPubKey);
- actPubKey = &rawPubKey;
- freeRawKey = CSSM_TRUE;
- break;
- default:
- tpCredDebug("SubmitCsrRequest: bad key blob type (%u)",
- (unsigned)subjectPubKey->KeyHeader.BlobType);
- CssmError::throwMe(CSSMERR_TP_INVALID_REQUEST_INPUTS);
- }
-
- /* cook up a CL-passthrough-specific request */
- csrReq.subjectNameX509 = buildX509Name(certReq->subjectNames,
- certReq->numSubjectNames);
- csrReq.signatureAlg = certReq->signatureAlg;
- csrReq.signatureOid = certReq->signatureOid;
- csrReq.cspHand = certReq->cspHand;
- csrReq.subjectPublicKey = actPubKey;
- csrReq.subjectPrivateKey = certReq->issuerPrivateKey;
- csrReq.challengeString = certReq->challengeString;
-
- /* A crypto handle to pass to the CL */
- CSSM_RETURN crtn;
- crtn = CSSM_CSP_CreateSignatureContext(certReq->cspHand,
- certReq->signatureAlg,
- (CallerAuthContext ? CallerAuthContext->CallerCredentials : NULL),
- certReq->issuerPrivateKey,
- &sigHand);
- if(crtn) {
- tpCredDebug("CSSM_CSP_CreateSignatureContext returned %ld", (long)crtn);
- goto abort;
- }
-
- /* down to the CL to do the actual work */
- crtn = CSSM_CL_PassThrough(certReq->clHand,
- sigHand,
- CSSM_APPLEX509CL_OBTAIN_CSR,
- &csrReq,
- (void **)&csrPtr);
- if(crtn) {
- tpCredDebug("CSSM_CL_PassThrough returned %ld", (long)crtn);
- goto abort;
- }
-
- /* save it for retrieval by RetrieveCredResult */
- addCertToMap(csrPtr, &ReferenceIdentifier);
- EstimatedTime = 0;
-
-abort:
- /* free local resources */
- if(csrReq.subjectNameX509) {
- freeX509Name(csrReq.subjectNameX509);
- }
- if(sigHand) {
- CSSM_DeleteContext(sigHand);
- }
- if(freeRawKey) {
- tpFreeCssmData(*this, &rawPubKey.KeyData, CSSM_FALSE);
- }
- if(crtn) {
- CssmError::throwMe(crtn);
- }
-}
-
-/*
- * Submit cred (cert) request. Currently the only form of request we
- * handle is the basis "sign this cert with key right now", with policy OI
- * CSSMOID_APPLE_TP_LOCAL_CERT_GEN.
- */
-void AppleTPSession::SubmitCredRequest(
- const CSSM_TP_AUTHORITY_ID *PreferredAuthority,
- CSSM_TP_AUTHORITY_REQUEST_TYPE RequestType,
- const CSSM_TP_REQUEST_SET &RequestInput,
- const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthContext,
- sint32 &EstimatedTime,
- CssmData &ReferenceIdentifier)
-{
- /* free all of these on return if non-NULL */
- CSSM_DATA_PTR certTemplate = NULL;
- CSSM_X509_TIME_PTR notBeforeX509 = NULL;
- CSSM_X509_TIME_PTR notAfterX509 = NULL;
- CSSM_X509_NAME_PTR subjectX509 = NULL;
- CSSM_X509_NAME_PTR issuerX509 = NULL;
- CSSM_X509_EXTENSION_PTR extens509 = NULL;
- CSSM_CC_HANDLE sigContext = 0;
-
- /* this gets saved on success */
- CSSM_DATA_PTR signedCert = NULL;
-
- /* validate rather limited set of input args */
- if(PreferredAuthority != NULL) {
- CssmError::throwMe(CSSMERR_TP_INVALID_AUTHORITY);
- }
- if(RequestType != CSSM_TP_AUTHORITY_REQUEST_CERTISSUE) {
- CssmError::throwMe(CSSMERR_TP_UNSUPPORTED_SERVICE);
- }
- if(CallerAuthContext == NULL) {
- CssmError::throwMe(CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER);
- }
- if((RequestInput.NumberOfRequests != 1) ||
- (RequestInput.Requests == NULL)) {
- CssmError::throwMe(CSSMERR_TP_INVALID_REQUEST_INPUTS);
- }
-
- /* Apple-specific args */
- const CSSM_TP_POLICYINFO *tpPolicy = &CallerAuthContext->Policy;
- if((tpPolicy->NumberOfPolicyIds != 1) ||
- (tpPolicy->PolicyIds == NULL)) {
- CssmError::throwMe(CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER);
- }
- if(tpCompareCssmData(&tpPolicy->PolicyIds->FieldOid,
- &CSSMOID_APPLE_TP_CSR_GEN)) {
- /* break out to CSR-specific code */
- SubmitCsrRequest(RequestInput, CallerAuthContext, EstimatedTime, ReferenceIdentifier);
- return;
- }
- else if(!tpCompareCssmData(&tpPolicy->PolicyIds->FieldOid,
- &CSSMOID_APPLE_TP_LOCAL_CERT_GEN)) {
- CssmError::throwMe(CSSMERR_TP_INVALID_POLICY_IDENTIFIERS);
- }
-
- CSSM_APPLE_TP_CERT_REQUEST *certReq =
- (CSSM_APPLE_TP_CERT_REQUEST *)RequestInput.Requests;
- if((certReq->cspHand == 0) ||
- (certReq->clHand == 0) ||
- (certReq->certPublicKey == NULL) ||
- (certReq->issuerPrivateKey == NULL)) {
- CssmError::throwMe(CSSMERR_TP_INVALID_REQUEST_INPUTS);
- }
- if((certReq->numExtensions != 0) & (certReq->extensions == NULL)) {
- CssmError::throwMe(CSSMERR_TP_INVALID_POINTER);
- }
-
- CSSM_RETURN ourRtn = CSSM_OK;
-
- try {
- /* convert caller's friendly names and times to CDSA style */
- subjectX509 = buildX509Name(certReq->subjectNames, certReq->numSubjectNames);
- if(certReq->issuerNames != NULL) {
- issuerX509 = buildX509Name(certReq->issuerNames, certReq->numIssuerNames);
- }
- else if(certReq->issuerNameX509) {
- /* caller obtained this from an existing signer's cert */
- issuerX509 = certReq->issuerNameX509;
- }
- else {
- /* self-signed */
- issuerX509 = subjectX509;
- }
- notBeforeX509 = buildX509Time(certReq->notBefore);
- notAfterX509 = buildX509Time(certReq->notAfter);
-
- if(certReq->numExtensions != 0) {
- /* convert extensions array from CE_DataAndType to CSSM_X509_EXTENSION */
- extens509 = (CSSM_X509_EXTENSION *)malloc(sizeof(CSSM_X509_EXTENSION) *
- certReq->numExtensions);
- memset(extens509, 0, sizeof(CSSM_X509_EXTENSION) *
- certReq->numExtensions);
- for(unsigned dex=0; dex<certReq->numExtensions; dex++) {
- CSSM_X509_EXTENSION *extn = &extens509[dex];
- CE_DataAndType *cdt = &certReq->extensions[dex];
- void *parsedValue;
- CSSM_OID extnId;
-
- switch(cdt->type) {
- case DT_AuthorityKeyID:
- parsedValue = &cdt->extension.authorityKeyID;
- extnId = CSSMOID_AuthorityKeyIdentifier;
- break;
- case DT_SubjectKeyID:
- parsedValue = &cdt->extension.subjectKeyID;
- extnId = CSSMOID_SubjectKeyIdentifier;
- break;
- case DT_KeyUsage:
- parsedValue = &cdt->extension.keyUsage;
- extnId = CSSMOID_KeyUsage;
- break;
- case DT_SubjectAltName:
- parsedValue = &cdt->extension.subjectAltName;
- extnId = CSSMOID_SubjectAltName;
- break;
- case DT_IssuerAltName:
- parsedValue = &cdt->extension.issuerAltName;
- extnId = CSSMOID_IssuerAltName;
- break;
- case DT_ExtendedKeyUsage:
- parsedValue = &cdt->extension.extendedKeyUsage;
- extnId = CSSMOID_ExtendedKeyUsage;
- break;
- case DT_BasicConstraints:
- parsedValue = &cdt->extension.basicConstraints;
- extnId = CSSMOID_BasicConstraints;
- break;
- case DT_CertPolicies:
- parsedValue = &cdt->extension.certPolicies;
- extnId = CSSMOID_CertificatePolicies;
- break;
- case DT_NetscapeCertType:
- parsedValue = &cdt->extension.netscapeCertType;
- extnId = CSSMOID_NetscapeCertType;
- break;
- case DT_CrlDistributionPoints:
- parsedValue = &cdt->extension.crlDistPoints;
- extnId = CSSMOID_CrlDistributionPoints;
- break;
- case DT_AuthorityInfoAccess:
- parsedValue = &cdt->extension.authorityInfoAccess;
- extnId = CSSMOID_AuthorityInfoAccess;
- break;
- case DT_Other:
- default:
- tpCredDebug("SubmitCredRequest: DT_Other not supported");
- CssmError::throwMe(CSSMERR_TP_UNKNOWN_TAG);
- // NOT REACHED
- }
- extn->extnId = extnId;
- extn->critical = cdt->critical;
- extn->format = CSSM_X509_DATAFORMAT_PARSED;
- extn->value.parsedValue = parsedValue;
- extn->BERvalue.Data = NULL;
- extn->BERvalue.Length = 0;
- } /* for each extension */
- } /* converting extensions */
-
- /* cook up the unsigned template */
- makeCertTemplate(certReq->clHand,
- certReq->cspHand,
- certReq->serialNumber,
- issuerX509,
- subjectX509,
- notBeforeX509,
- notAfterX509,
- certReq->certPublicKey,
- certReq->signatureOid,
- NULL, // subjectUniqueID, not used here (yet)
- NULL, // issuerUniqueId
- extens509,
- certReq->numExtensions,
- certTemplate);
-
- /* create signature context */
- ourRtn = CSSM_CSP_CreateSignatureContext(certReq->cspHand,
- certReq->signatureAlg,
- (CallerAuthContext ? CallerAuthContext->CallerCredentials : NULL),
- certReq->issuerPrivateKey,
- &sigContext);
- if(ourRtn) {
- tpCredDebug("CSSM_CSP_CreateSignatureContext returned %ld", (long)ourRtn);
- CssmError::throwMe(ourRtn);
- }
-
- signedCert = (CSSM_DATA_PTR)malloc(sizeof(CSSM_DATA));
- signedCert->Data = NULL;
- signedCert->Length = 0;
- ourRtn = CSSM_CL_CertSign(certReq->clHand,
- sigContext,
- certTemplate, // CertToBeSigned
- NULL, // SignScope
- 0, // ScopeSize,
- signedCert);
- if(ourRtn) {
- tpCredDebug("CSSM_CL_CertSign returned %ld", (long)ourRtn);
- CssmError::throwMe(ourRtn);
- }
-
- /* save it for retrieval by RetrieveCredResult */
- addCertToMap(signedCert, &ReferenceIdentifier);
- EstimatedTime = 0;
- }
- catch (const CssmError &cerr) {
- tpCredDebug("SubmitCredRequest: CSSM error %ld", (long)cerr.error);
- ourRtn = cerr.error;
- }
- catch(...) {
- tpCredDebug("SubmitCredRequest: unknown exception");
- ourRtn = CSSMERR_TP_INTERNAL_ERROR; // ??
- }
-
- /* free reources */
- tpFreeCssmData(*this, certTemplate, CSSM_TRUE);
- freeX509Name(subjectX509);
- if(certReq->issuerNames) {
- freeX509Name(issuerX509);
- }
- /* else same as subject */
- freeX509Time(notBeforeX509);
- freeX509Time(notAfterX509);
- if(extens509) {
- free(extens509);
- }
- if(sigContext != 0) {
- CSSM_DeleteContext(sigContext);
- }
- if(ourRtn) {
- CssmError::throwMe(ourRtn);
- }
-}
-
-void AppleTPSession::RetrieveCredResult(
- const CssmData &ReferenceIdentifier,
- const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthCredentials,
- sint32 &EstimatedTime,
- CSSM_BOOL &ConfirmationRequired,
- CSSM_TP_RESULT_SET_PTR &RetrieveOutput)
-{
- CSSM_DATA *cert = getCertFromMap(&ReferenceIdentifier);
-
- if(cert == NULL) {
- tpCredDebug("RetrieveCredResult: refId not found");
- CssmError::throwMe(CSSMERR_TP_INVALID_IDENTIFIER);
- }
-
- /* CSSM_TP_RESULT_SET.Results points to a CSSM_ENCODED_CERT */
- CSSM_ENCODED_CERT *encCert = (CSSM_ENCODED_CERT *)malloc(sizeof(CSSM_ENCODED_CERT));
- encCert->CertType = CSSM_CERT_X_509v3;
- encCert->CertEncoding = CSSM_CERT_ENCODING_DER;
-
- /*
- * caller must free all three:
- * CSSM_TP_RESULT_SET_PTR RetrieveOutput
- * RetrieveOutput->Results (CSSM_ENCODED_CERT *encCert)
- * encCert->CertBlob.Data (the actual cert)
- * We free:
- * cert -- mallocd in SubmitCredRequest
- */
- encCert->CertBlob = *cert;
- RetrieveOutput = (CSSM_TP_RESULT_SET_PTR)malloc(
- sizeof(CSSM_TP_RESULT_SET));
- RetrieveOutput->Results = encCert;
- RetrieveOutput->NumberOfResults = 1;
- ConfirmationRequired = CSSM_FALSE;
- free(cert);
- EstimatedTime = 0;
-}
projects / apple / security.git / blobdiff