-/*
- * Copyright (c) 2002-2003,2011-2012,2014 Apple Inc. All Rights Reserved.
- *
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License.
- * Please obtain a copy of the License at http://www.apple.com/publicsource
- * and read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights
- * and limitations under the License.
- */
-
-/*
- File: cuDbUtils.cpp
-
- Description: CDSA DB access utilities
-
- Author: dmitch
-*/
-
-#include "cuCdsaUtils.h"
-#include "cuTimeStr.h"
-#include "cuDbUtils.h"
-#include "cuPrintCert.h"
-#include <stdlib.h>
-#include <stdio.h>
-#include <Security/SecCertificate.h>
-#include <Security/SecCertificatePriv.h> /* private SecInferLabelFromX509Name() */
-#include <Security/cssmapple.h> /* for cssmPerror() */
-#include <Security/oidscert.h>
-#include <Security/oidscrl.h>
-#include <Security/oidsattr.h>
-#include <strings.h>
-#include <security_cdsa_utilities/Schema.h> /* private API */
-
-#ifndef NDEBUG
-#define dprintf(args...) printf(args)
-#else
-#define dprintf(args...)
-#endif
-
-/*
- * Add a certificate to an open DLDB.
- */
-CSSM_RETURN cuAddCertToDb(
- CSSM_DL_DB_HANDLE dlDbHand,
- const CSSM_DATA *cert,
- CSSM_CERT_TYPE certType,
- CSSM_CERT_ENCODING certEncoding,
- const char *printName, // C string
- const CSSM_DATA *publicKeyHash)
-{
- CSSM_DB_ATTRIBUTE_DATA attrs[6];
- CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
- CSSM_DB_ATTRIBUTE_DATA_PTR attr = &attrs[0];
- CSSM_DATA certTypeData;
- CSSM_DATA certEncData;
- CSSM_DATA printNameData;
- CSSM_RETURN crtn;
- CSSM_DB_UNIQUE_RECORD_PTR recordPtr;
-
- /* issuer and serial number required, fake 'em */
- CSSM_DATA issuer = {6, (uint8 *)"issuer"};
- CSSM_DATA serial = {6, (uint8 *)"serial"};
-
- /* we spec six attributes, skipping alias */
- certTypeData.Data = (uint8 *)&certType;
- certTypeData.Length = sizeof(CSSM_CERT_TYPE);
- certEncData.Data = (uint8 *)&certEncoding;
- certEncData.Length = sizeof(CSSM_CERT_ENCODING);
- printNameData.Data = (uint8 *)printName;
- printNameData.Length = strlen(printName) + 1;
-
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "CertType";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_UINT32;
- attr->NumberOfValues = 1;
- attr->Value = &certTypeData;
-
- attr++;
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "CertEncoding";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_UINT32;
- attr->NumberOfValues = 1;
- attr->Value = &certEncData;
-
- attr++;
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "PrintName";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- attr->NumberOfValues = 1;
- attr->Value = &printNameData;
-
- attr++;
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "PublicKeyHash";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- attr->NumberOfValues = 1;
- attr->Value = (CSSM_DATA_PTR)publicKeyHash;
-
- attr++;
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "Issuer";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- attr->NumberOfValues = 1;
- attr->Value = &issuer;
-
- attr++;
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "SerialNumber";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- attr->NumberOfValues = 1;
- attr->Value = &serial;
-
- recordAttrs.DataRecordType = CSSM_DL_DB_RECORD_X509_CERTIFICATE;
- recordAttrs.SemanticInformation = 0;
- recordAttrs.NumberOfAttributes = 6;
- recordAttrs.AttributeData = attrs;
-
- crtn = CSSM_DL_DataInsert(dlDbHand,
- CSSM_DL_DB_RECORD_X509_CERTIFICATE,
- &recordAttrs,
- cert,
- &recordPtr);
- if(crtn) {
- cuPrintError("CSSM_DL_DataInsert", crtn);
- }
- else {
- CSSM_DL_FreeUniqueRecord(dlDbHand, recordPtr);
- }
- return crtn;
-}
-
-static CSSM_RETURN cuAddCrlSchema(
- CSSM_DL_DB_HANDLE dlDbHand);
-
-static void cuInferCrlLabel(
- const CSSM_X509_NAME *x509Name,
- CSSM_DATA *label) // not mallocd; contents are from the x509Name
-{
- /* use private API for common "infer label" logic */
- const CSSM_DATA *printValue = SecInferLabelFromX509Name(x509Name);
- if(printValue == NULL) {
- /* punt! */
- label->Data = (uint8 *)"X509 CRL";
- label->Length = 8;
- }
- else {
- *label = *printValue;
- }
-}
-
-/*
- * Search extensions for specified OID, assumed to have underlying
- * value type of uint32; returns the value and true if found.
- */
-static bool cuSearchNumericExtension(
- const CSSM_X509_EXTENSIONS *extens,
- const CSSM_OID *oid,
- uint32 *val)
-{
- for(uint32 dex=0; dex<extens->numberOfExtensions; dex++) {
- const CSSM_X509_EXTENSION *exten = &extens->extensions[dex];
- if(!cuCompareOid(&exten->extnId, oid)) {
- continue;
- }
- if(exten->format != CSSM_X509_DATAFORMAT_PARSED) {
- dprintf("***Malformed extension\n");
- continue;
- }
- *val = *((uint32 *)exten->value.parsedValue);
- return true;
- }
- return false;
-}
-
-/*
- * Add a CRL to an existing DL/DB.
- */
-#define MAX_CRL_ATTRS 9
-
-CSSM_RETURN cuAddCrlToDb(
- CSSM_DL_DB_HANDLE dlDbHand,
- CSSM_CL_HANDLE clHand,
- const CSSM_DATA *crl,
- const CSSM_DATA *URI) // optional
-{
- CSSM_DB_ATTRIBUTE_DATA attrs[MAX_CRL_ATTRS];
- CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
- CSSM_DB_ATTRIBUTE_DATA_PTR attr = &attrs[0];
- CSSM_DATA crlTypeData;
- CSSM_DATA crlEncData;
- CSSM_DATA printNameData;
- CSSM_RETURN crtn;
- CSSM_DB_UNIQUE_RECORD_PTR recordPtr;
- CSSM_DATA_PTR issuer = NULL; // mallocd by CL
- CSSM_DATA_PTR crlValue = NULL; // ditto
- uint32 numFields;
- CSSM_HANDLE result;
- CSSM_CRL_ENCODING crlEnc = CSSM_CRL_ENCODING_DER;
- const CSSM_X509_SIGNED_CRL *signedCrl;
- const CSSM_X509_TBS_CERTLIST *tbsCrl;
- CSSM_CRL_TYPE crlType;
- CSSM_DATA thisUpdateData = {0, NULL};
- CSSM_DATA nextUpdateData = {0, NULL};
- char *thisUpdate = NULL;
- char *nextUpdate = NULL;
- unsigned timeLen;
- uint32 crlNumber;
- uint32 deltaCrlNumber;
- CSSM_DATA crlNumberData;
- CSSM_DATA deltaCrlNumberData;
- bool crlNumberPresent = false;
- bool deltaCrlPresent = false;
- CSSM_DATA attrUri;
-
- /* get normalized issuer name as Issuer attr */
- crtn = CSSM_CL_CrlGetFirstFieldValue(clHand,
- crl,
- &CSSMOID_X509V1IssuerName,
- &result,
- &numFields,
- &issuer);
- if(crtn) {
- cuPrintError("CSSM_CL_CrlGetFirstFieldValue(Issuer)", crtn);
- return crtn;
- }
- CSSM_CL_CrlAbortQuery(clHand, result);
-
- /* get parsed CRL from the CL */
- crtn = CSSM_CL_CrlGetFirstFieldValue(clHand,
- crl,
- &CSSMOID_X509V2CRLSignedCrlCStruct,
- &result,
- &numFields,
- &crlValue);
- if(crtn) {
- cuPrintError("CSSM_CL_CrlGetFirstFieldValue(Issuer)", crtn);
- goto errOut;
- }
- CSSM_CL_CrlAbortQuery(clHand, result);
- if(crlValue == NULL) {
- dprintf("***CSSM_CL_CrlGetFirstFieldValue: value error (1)\n");
- crtn = CSSMERR_CL_INVALID_CRL_POINTER;
- goto errOut;
- }
- if((crlValue->Data == NULL) ||
- (crlValue->Length != sizeof(CSSM_X509_SIGNED_CRL))) {
- dprintf("***CSSM_CL_CrlGetFirstFieldValue: value error (2)\n");
- crtn = CSSMERR_CL_INVALID_CRL_POINTER;
- goto errOut;
- }
- signedCrl = (const CSSM_X509_SIGNED_CRL *)crlValue->Data;
- tbsCrl = &signedCrl->tbsCertList;
-
- /* CrlType inferred from version */
- if(tbsCrl->version.Length == 0) {
- /* should never happen... */
- crlType = CSSM_CRL_TYPE_X_509v1;
- }
- else {
- uint8 vers = tbsCrl->version.Data[tbsCrl->version.Length - 1];
- switch(vers) {
- case 0:
- crlType = CSSM_CRL_TYPE_X_509v1;
- break;
- case 1:
- crlType = CSSM_CRL_TYPE_X_509v2;
- break;
- default:
- dprintf("***Unknown version in CRL (%u)\n", vers);
- crlType = CSSM_CRL_TYPE_X_509v1;
- break;
- }
- }
- crlTypeData.Data = (uint8 *)&crlType;
- crlTypeData.Length = sizeof(CSSM_CRL_TYPE);
- /* encoding more-or-less assumed here */
- crlEncData.Data = (uint8 *)&crlEnc;
- crlEncData.Length = sizeof(CSSM_CRL_ENCODING);
-
- /* printName inferred from issuer */
- cuInferCrlLabel(&tbsCrl->issuer, &printNameData);
-
- /* cook up CSSM_TIMESTRING versions of this/next update */
- thisUpdate = cuX509TimeToCssmTimestring(&tbsCrl->thisUpdate, &timeLen);
- if(thisUpdate == NULL) {
- dprintf("***Badly formatted thisUpdate\n");
- }
- else {
- thisUpdateData.Data = (uint8 *)thisUpdate;
- thisUpdateData.Length = timeLen;
- }
- if(tbsCrl->nextUpdate.time.Data != NULL) {
- nextUpdate = cuX509TimeToCssmTimestring(&tbsCrl->nextUpdate, &timeLen);
- if(nextUpdate == NULL) {
- dprintf("***Badly formatted nextUpdate\n");
- }
- else {
- nextUpdateData.Data = (uint8 *)nextUpdate;
- nextUpdateData.Length = timeLen;
- }
- }
- else {
- /*
- * NextUpdate not present; fake it by using "virtual end of time"
- */
- CSSM_X509_TIME tempTime = { 0, // timeType, not used
- { strlen(CSSM_APPLE_CRL_END_OF_TIME),
- (uint8 *)CSSM_APPLE_CRL_END_OF_TIME} };
- nextUpdate = cuX509TimeToCssmTimestring(&tempTime, &timeLen);
- nextUpdateData.Data = (uint8 *)nextUpdate;
- nextUpdateData.Length = CSSM_TIME_STRLEN;
- }
-
- /* optional CrlNumber and DeltaCrlNumber */
- if(cuSearchNumericExtension(&tbsCrl->extensions,
- &CSSMOID_CrlNumber,
- &crlNumber)) {
- crlNumberData.Data = (uint8 *)&crlNumber;
- crlNumberData.Length = sizeof(uint32);
- crlNumberPresent = true;
- }
- if(cuSearchNumericExtension(&tbsCrl->extensions,
- &CSSMOID_DeltaCrlIndicator,
- &deltaCrlNumber)) {
- deltaCrlNumberData.Data = (uint8 *)&deltaCrlNumber;
- deltaCrlNumberData.Length = sizeof(uint32);
- deltaCrlPresent = true;
- }
-
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "CrlType";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_UINT32;
- attr->NumberOfValues = 1;
- attr->Value = &crlTypeData;
- attr++;
-
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "CrlEncoding";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_UINT32;
- attr->NumberOfValues = 1;
- attr->Value = &crlEncData;
- attr++;
-
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "PrintName";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- attr->NumberOfValues = 1;
- attr->Value = &printNameData;
- attr++;
-
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "Issuer";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- attr->NumberOfValues = 1;
- attr->Value = issuer;
- attr++;
-
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "ThisUpdate";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- attr->NumberOfValues = 1;
- attr->Value = &thisUpdateData;
- attr++;
-
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "NextUpdate";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- attr->NumberOfValues = 1;
- attr->Value = &nextUpdateData;
- attr++;
-
- /* now the optional attributes */
- if(crlNumberPresent) {
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "CrlNumber";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_UINT32;
- attr->NumberOfValues = 1;
- attr->Value = &crlNumberData;
- attr++;
- }
- if(deltaCrlPresent) {
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "DeltaCrlNumber";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_UINT32;
- attr->NumberOfValues = 1;
- attr->Value = &deltaCrlNumberData;
- attr++;
- }
- if(URI) {
- /* ensure URI string does not contain NULL */
- attrUri = *URI;
- if((attrUri.Length != 0) &&
- (attrUri.Data[attrUri.Length - 1] == 0)) {
- attrUri.Length--;
- }
- attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr->Info.Label.AttributeName = (char*) "URI";
- attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- attr->NumberOfValues = 1;
- attr->Value = &attrUri;
- attr++;
- }
- recordAttrs.DataRecordType = CSSM_DL_DB_RECORD_X509_CRL;
- recordAttrs.SemanticInformation = 0;
- recordAttrs.NumberOfAttributes = (uint32)(attr - attrs);
- recordAttrs.AttributeData = attrs;
-
- crtn = CSSM_DL_DataInsert(dlDbHand,
- CSSM_DL_DB_RECORD_X509_CRL,
- &recordAttrs,
- crl,
- &recordPtr);
- if(crtn == CSSMERR_DL_INVALID_RECORDTYPE) {
- /* gross hack of inserting this "new" schema that Keychain didn't specify */
- crtn = cuAddCrlSchema(dlDbHand);
- if(crtn == CSSM_OK) {
- /* Retry with a fully capable DLDB */
- crtn = CSSM_DL_DataInsert(dlDbHand,
- CSSM_DL_DB_RECORD_X509_CRL,
- &recordAttrs,
- crl,
- &recordPtr);
- }
- }
- if(crtn == CSSM_OK) {
- CSSM_DL_FreeUniqueRecord(dlDbHand, recordPtr);
- }
-
-errOut:
- /* free all the stuff we allocated to get here */
- if(issuer) {
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1IssuerName, issuer);
- }
- if(crlValue) {
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V2CRLSignedCrlCStruct, crlValue);
- }
- if(thisUpdate) {
- free(thisUpdate);
- }
- if(nextUpdate) {
- free(nextUpdate);
- }
- return crtn;
-}
-
-
-/*
- * Update an existing DLDB to be CRL-capable.
- */
-static CSSM_RETURN cuAddCrlSchema(
- CSSM_DL_DB_HANDLE dlDbHand)
-{
- return CSSM_DL_CreateRelation(dlDbHand,
- CSSM_DL_DB_RECORD_X509_CRL,
- "CSSM_DL_DB_RECORD_X509_CRL",
- Security::KeychainCore::Schema::X509CrlSchemaAttributeCount,
- Security::KeychainCore::Schema::X509CrlSchemaAttributeList,
- Security::KeychainCore::Schema::X509CrlSchemaIndexCount,
- Security::KeychainCore::Schema::X509CrlSchemaIndexList);
-}
-
-/*
- * Search DB for all records of type CRL or cert, calling appropriate
- * parse/print routine for each record.
- */
-CSSM_RETURN cuDumpCrlsCerts(
- CSSM_DL_DB_HANDLE dlDbHand,
- CSSM_CL_HANDLE clHand,
- CSSM_BOOL isCert,
- unsigned &numItems, // returned
- CSSM_BOOL verbose)
-{
- CSSM_QUERY query;
- CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
- CSSM_HANDLE resultHand;
- CSSM_RETURN crtn;
- CSSM_DATA certCrl;
- const char *itemStr;
-
- numItems = 0;
- itemStr = isCert ? "Certificate" : "CRL";
-
- /* just search by recordType, no predicates, no attributes */
- if(isCert) {
- query.RecordType = CSSM_DL_DB_RECORD_X509_CERTIFICATE;
- }
- else {
- query.RecordType = CSSM_DL_DB_RECORD_X509_CRL;
- }
- query.Conjunctive = CSSM_DB_NONE;
- query.NumSelectionPredicates = 0;
- query.SelectionPredicate = NULL;
- query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
- query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
- query.QueryFlags = 0; // CSSM_QUERY_RETURN_DATA...FIXME - used?
-
- certCrl.Data = NULL;
- certCrl.Length = 0;
- crtn = CSSM_DL_DataGetFirst(dlDbHand,
- &query,
- &resultHand,
- NULL, // no attrs
- &certCrl,
- &record);
- switch(crtn) {
- case CSSM_OK:
- break; // proceed
- case CSSMERR_DL_ENDOFDATA:
- /* no data, otherwise OK */
- return CSSM_OK;
- case CSSMERR_DL_INVALID_RECORDTYPE:
- /* invalid record type just means "this hasn't been set up
- * for certs yet". */
- return crtn;
- default:
- cuPrintError("DataGetFirst", crtn);
- return crtn;
- }
-
- /* got one; print it */
- dprintf("%s %u:\n", itemStr, numItems);
- if(isCert) {
- printCert(certCrl.Data, (unsigned)certCrl.Length, verbose);
- }
- else {
- printCrl(certCrl.Data, (unsigned)certCrl.Length, verbose);
- }
- CSSM_DL_FreeUniqueRecord(dlDbHand, record);
- APP_FREE(certCrl.Data);
- certCrl.Data = NULL;
- certCrl.Length = 0;
- numItems++;
-
- /* get the rest */
- for(;;) {
- crtn = CSSM_DL_DataGetNext(dlDbHand,
- resultHand,
- NULL,
- &certCrl,
- &record);
- switch(crtn) {
- case CSSM_OK:
- dprintf("%s %u:\n", itemStr, numItems);
- if(isCert) {
- printCert(certCrl.Data, (unsigned)certCrl.Length, verbose);
- }
- else {
- printCrl(certCrl.Data, (unsigned)certCrl.Length, verbose);
- }
- CSSM_DL_FreeUniqueRecord(dlDbHand, record);
- APP_FREE(certCrl.Data);
- certCrl.Data = NULL;
- certCrl.Length = 0;
- numItems++;
- break; // and go again
- case CSSMERR_DL_ENDOFDATA:
- /* normal termination */
- return CSSM_OK;
- default:
- cuPrintError("DataGetNext", crtn);
- return crtn;
- }
- }
- /* NOT REACHED */
-}
-
projects / apple / security.git / blobdiff