+++ /dev/null
-/*
- * Copyright (c) 2000,2002,2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * ocspdClient.cpp - Client interface to OCSP helper daemon
- */
-
-#include "ocspdClient.h"
-#include "ocspdTypes.h"
-#include "ocspdDebug.h"
-#include <Security/cssmapple.h>
-#include <security_utilities/threading.h>
-#include <security_utilities/mach++.h>
-#include <security_utilities/unix++.h>
-#include <security_ocspd/ocspd.h> /* MIG interface */
-#include <Security/SecBase.h>
-class ocspdGlobals
-{
-public:
- ocspdGlobals();
- ~ocspdGlobals();
- mach_port_t serverPort();
-private:
- UnixPlusPlus::ForkMonitor mForkMonitor;
- MachPlusPlus::Port mServerPort;
- Mutex mLock;
-};
-
-ocspdGlobals::ocspdGlobals()
- : mServerPort(0)
-{
- /* nothing here, the real work is done in serverPort() */
-}
-
-ocspdGlobals::~ocspdGlobals()
-{
- /* I don't believe this should ever execute */
-}
-
-mach_port_t ocspdGlobals::serverPort()
-{
- StLock<Mutex> _(mLock);
-
- // Guard against fork-without-exec. If we are the child of a fork
- // (that has not exec'ed), our apparent connection to SecurityServer
- // is just a mirage, and we better reset it.
- mach_port_t rtnPort = mServerPort.port();
- if (mForkMonitor()) {
- rtnPort = 0;
- }
- if(rtnPort != 0) {
- return rtnPort;
- }
-
- const char *serverName = NULL;
- #ifndef NDEBUG
- serverName = getenv(OCSPD_BOOTSTRAP_ENV);
- #endif
- if(serverName == NULL) {
- serverName = (char*) OCSPD_BOOTSTRAP_NAME;
- }
- try {
- mServerPort = MachPlusPlus::Bootstrap().lookup2(serverName);
- }
- catch(...) {
- ocspdErrorLog("ocspdGlobals: error contacting server\n");
- throw;
- }
- return mServerPort;
-}
-
-static ModuleNexus<ocspdGlobals> OcspdGlobals;
-
-/*
- * Perform network fetch of an OCSP response. Result is not verified in any
- * way.
- */
-CSSM_RETURN ocspdFetch(
- Allocator &alloc,
- const CSSM_DATA &ocspdReq, // DER-encoded SecAsn1OCSPDRequests
- CSSM_DATA &ocspdResp) // DER-encoded kSecAsn1OCSPDReplies
-{
- mach_port_t serverPort = 0;
- kern_return_t krtn;
- unsigned char *rtnData = NULL;
- unsigned rtnLen = 0;
-
- try {
- serverPort = OcspdGlobals().serverPort();
- }
- catch(...) {
- ocspdErrorLog("ocspdFetch: OCSPD server error\n");
- return CSSMERR_TP_INTERNAL_ERROR;
- }
-
- krtn = ocsp_client_ocspdFetch(serverPort, ocspdReq.Data, (mach_msg_type_number_t)ocspdReq.Length,
- (void **)&rtnData, &rtnLen);
- if(krtn) {
- ocspdErrorLog("ocspdFetch: RPC returned %d\n", krtn);
- return CSSMERR_APPLETP_OCSP_UNAVAILABLE;
- }
- if((rtnData == NULL) || (rtnLen == 0)) {
- ocspdErrorLog("ocspdFetch: RPC returned NULL data\n");
- return CSSMERR_APPLETP_OCSP_UNAVAILABLE;
- }
- ocspdResp.Data = (uint8 *)alloc.malloc(rtnLen);
- ocspdResp.Length = rtnLen;
- memmove(ocspdResp.Data, rtnData, rtnLen);
- mig_deallocate((vm_address_t)rtnData, rtnLen);
- return CSSM_OK;
-}
-
-/*
- * Flush all responses associated with specifed CertID from cache.
- */
-CSSM_RETURN ocspdCacheFlush(
- const CSSM_DATA &certID)
-{
- mach_port_t serverPort = 0;
- kern_return_t krtn;
-
- try {
- serverPort = OcspdGlobals().serverPort();
- }
- catch(...) {
- ocspdErrorLog("ocspdCacheFlush: OCSPD server error\n");
- return CSSMERR_TP_INTERNAL_ERROR;
- }
- krtn = ocsp_client_ocspdCacheFlush(serverPort, certID.Data, (mach_msg_type_number_t)certID.Length);
- if(krtn) {
- ocspdErrorLog("ocspdCacheFlush: RPC returned %d\n", krtn);
- return CSSMERR_APPLETP_OCSP_UNAVAILABLE;
- }
- return CSSM_OK;
-}
-
-/*
- * Flush stale entries from cache.
- */
-CSSM_RETURN ocspdCacheFlushStale()
-{
- mach_port_t serverPort = 0;
- kern_return_t krtn;
-
- try {
- serverPort = OcspdGlobals().serverPort();
- }
- catch(...) {
- ocspdErrorLog("ocspdCacheFlush: OCSPD server error\n");
- return CSSMERR_TP_INTERNAL_ERROR;
- }
- krtn = ocsp_client_ocspdCacheFlushStale(serverPort);
- if(krtn) {
- ocspdErrorLog("ocsp_client_ocspdCacheFlushStale: RPC returned %d\n", krtn);
- return (CSSM_RETURN)krtn;
- }
- return CSSM_OK;
-}
-
-/*
- * fetch a certificate from the net.
- */
-CSSM_RETURN ocspdCertFetch(
- Allocator &alloc,
- const CSSM_DATA &certURL,
- CSSM_DATA &certData) // mallocd via alloc and RETURNED
-{
- mach_port_t serverPort = 0;
- kern_return_t krtn;
- unsigned char *rtnData = NULL;
- unsigned rtnLen = 0;
-
- try {
- serverPort = OcspdGlobals().serverPort();
- }
- catch(...) {
- ocspdErrorLog("ocspdCertFetch: OCSPD server error\n");
- return CSSMERR_TP_INTERNAL_ERROR;
- }
-
- krtn = ocsp_client_certFetch(serverPort, certURL.Data, (mach_msg_type_number_t)certURL.Length,
- (void **)&rtnData, &rtnLen);
- if(krtn) {
- ocspdErrorLog("ocspdCertFetch: RPC returned %d\n", krtn);
- return CSSMERR_APPLETP_NETWORK_FAILURE;
- }
-
- if((rtnData == NULL) || (rtnLen == 0)) {
- ocspdErrorLog("ocspdCertFetch: RPC returned NULL data\n");
- return CSSMERR_APPLETP_CERT_NOT_FOUND_FROM_ISSUER;
- }
- certData.Data = (uint8 *)alloc.malloc(rtnLen);
- certData.Length = rtnLen;
- memmove(certData.Data, rtnData, rtnLen);
- mig_deallocate((vm_address_t)rtnData, rtnLen);
- return CSSM_OK;
-}
-
-/*
- * Fetch a CRL from net with optional cache lookup and store.
- * verifyTime only used for cache lookup.
- */
-CSSM_RETURN ocspdCRLFetch(
- Allocator &alloc,
- const CSSM_DATA &crlURL,
- const CSSM_DATA *crlIssuer, // optional
- bool cacheReadEnable,
- bool cacheWriteEnable,
- CSSM_TIMESTRING verifyTime,
- CSSM_DATA &crlData) // mallocd via alloc and RETURNED
-{
- mach_port_t serverPort = 0;
- kern_return_t krtn;
- unsigned char *rtnData = NULL;
- unsigned rtnLen = 0;
-
- if(verifyTime == NULL) {
- ocspdErrorLog("ocspdCRLFetch: verifyTime NOT OPTIONAL\n");
- return CSSMERR_TP_INTERNAL_ERROR;
- }
- try {
- serverPort = OcspdGlobals().serverPort();
- }
- catch(...) {
- ocspdErrorLog("ocspdCRLFetch: OCSPD server error\n");
- return CSSMERR_TP_INTERNAL_ERROR;
- }
-
- krtn = ocsp_client_crlFetch(serverPort, crlURL.Data, (mach_msg_type_number_t)crlURL.Length,
- crlIssuer ? crlIssuer->Data : NULL, crlIssuer ? (mach_msg_type_number_t)crlIssuer->Length : 0,
- cacheReadEnable, cacheWriteEnable,
- verifyTime, (mach_msg_type_number_t)strlen(verifyTime),
- (void **)&rtnData, &rtnLen);
- if(krtn) {
- ocspdErrorLog("ocspdCRLFetch: RPC returned %d\n", krtn);
- return CSSMERR_APPLETP_NETWORK_FAILURE;
- }
-
- if((rtnData == NULL) || (rtnLen == 0)) {
- ocspdErrorLog("ocspdCRLFetch: RPC returned NULL data\n");
- return CSSMERR_APPLETP_CRL_NOT_FOUND;
- }
- crlData.Data = (uint8 *)alloc.malloc(rtnLen);
- crlData.Length = rtnLen;
- memmove(crlData.Data, rtnData, rtnLen);
- mig_deallocate((vm_address_t)rtnData, rtnLen);
- return CSSM_OK;
-}
-
-
-/*
- * Get CRL status for given serial number and issuing entity
- */
-CSSM_RETURN ocspdCRLStatus(
- const CSSM_DATA &serialNumber,
- const CSSM_DATA &issuers,
- const CSSM_DATA *crlIssuer, // optional if URL is supplied
- const CSSM_DATA *crlURL) // optional if issuer is supplied
-{
- mach_port_t serverPort = 0;
- kern_return_t krtn;
-
- if(!crlIssuer && !crlURL) {
- ocspdErrorLog("ocspdCRLStatus: either an issuer or URL is required\n");
- return CSSMERR_TP_INTERNAL_ERROR;
- }
- try {
- serverPort = OcspdGlobals().serverPort();
- }
- catch(...) {
- ocspdErrorLog("ocspdCRLStatus: OCSPD server error\n");
- return CSSMERR_TP_INTERNAL_ERROR;
- }
-
- krtn = ocsp_client_crlStatus(serverPort,
- serialNumber.Data, (mach_msg_type_number_t)serialNumber.Length,
- issuers.Data, (mach_msg_type_number_t)issuers.Length,
- crlIssuer ? crlIssuer->Data : NULL, crlIssuer ? (mach_msg_type_number_t)crlIssuer->Length : 0,
- crlURL ? crlURL->Data : NULL, crlURL ? (mach_msg_type_number_t)crlURL->Length : 0);
-
- return krtn;
-}
-
-/*
- * Refresh the CRL cache.
- */
-CSSM_RETURN ocspdCRLRefresh(
- unsigned staleDays,
- unsigned expireOverlapSeconds,
- bool purgeAll,
- bool fullCryptoVerify)
-{
- mach_port_t serverPort = 0;
- kern_return_t krtn;
- try {
- serverPort = OcspdGlobals().serverPort();
- }
- catch(...) {
- ocspdErrorLog("ocspdCRLRefresh: OCSPD server error\n");
- return CSSMERR_TP_INTERNAL_ERROR;
- }
-
- krtn = ocsp_client_crlRefresh(serverPort, staleDays, expireOverlapSeconds,
- purgeAll, fullCryptoVerify);
- if(krtn) {
- ocspdErrorLog("ocspdCRLRefresh: RPC returned %d\n", krtn);
- return CSSMERR_APPLETP_NETWORK_FAILURE;
- }
-
- return CSSM_OK;
-}
-
-/*
- * Flush all CRLs obtained from specified URL from cache. Called by client when
- * *it* detects a bad CRL.
- */
-CSSM_RETURN ocspdCRLFlush(
- const CSSM_DATA &crlURL)
-{
- mach_port_t serverPort = 0;
- kern_return_t krtn;
-
- try {
- serverPort = OcspdGlobals().serverPort();
- }
- catch(...) {
- ocspdErrorLog("ocspdCRLFlush: OCSPD server error\n");
- return CSSMERR_TP_INTERNAL_ERROR;
- }
-
- krtn = ocsp_client_crlFlush(serverPort, crlURL.Data, (mach_msg_type_number_t)crlURL.Length);
- if(krtn) {
- ocspdErrorLog("ocspdCRLFlush: RPC returned %d\n", krtn);
- return CSSMERR_APPLETP_NETWORK_FAILURE;
- }
- return CSSM_OK;
-}
-
-/*
- * Obtain TrustSettings.
- */
-OSStatus ocspdTrustSettingsRead(
- Allocator &alloc,
- SecTrustSettingsDomain domain,
- CSSM_DATA &trustSettings) // mallocd via alloc and RETURNED
-{
- mach_port_t serverPort = 0;
- kern_return_t krtn;
- unsigned char *rtnData = NULL;
- unsigned rtnLen = 0;
- OSStatus ortn;
-
- try {
- serverPort = OcspdGlobals().serverPort();
- }
- catch(...) {
- ocspdErrorLog("ocspdTrustSettingsRead: OCSPD server error\n");
- return errSecInternalComponent;
- }
-
- krtn = ocsp_client_trustSettingsRead(serverPort, domain,
- (void **)&rtnData, &rtnLen, &ortn);
- if(krtn) {
- ocspdErrorLog("ocspdTrustSettingsRead: RPC returned %d\n", krtn);
- return errSecNotAvailable;
- }
- if(ortn) {
- /* e.g., errSecNoUserTrustRecord */
- return ortn;
- }
- if((rtnData == NULL) || (rtnLen == 0)) {
- ocspdErrorLog("ocspdTrustSettingsRead: RPC returned NULL data\n");
- return errSecItemNotFound;
- }
- trustSettings.Data = (uint8 *)alloc.malloc(rtnLen);
- trustSettings.Length = rtnLen;
- memmove(trustSettings.Data, rtnData, rtnLen);
- mig_deallocate((vm_address_t)rtnData, rtnLen);
- return errSecSuccess;
-}
-
-/*
- * Write TrustSettings to disk. Results in authentication dialog.
- */
-OSStatus ocspdTrustSettingsWrite(
- SecTrustSettingsDomain domain,
- const CSSM_DATA &authBlob,
- const CSSM_DATA &trustSettings)
-{
- mach_port_t serverPort = 0;
- mach_port_t clientPort = 0;
- kern_return_t krtn;
- OSStatus ortn;
-
- try {
- serverPort = OcspdGlobals().serverPort();
- clientPort = MachPlusPlus::Bootstrap();
- }
- catch(...) {
- ocspdErrorLog("ocspdTrustSettingsWrite: OCSPD server error\n");
- return errSecInternalComponent;
- }
-
- krtn = ocsp_client_trustSettingsWrite(serverPort, clientPort, domain,
- authBlob.Data, (mach_msg_type_number_t)authBlob.Length,
- trustSettings.Data, (mach_msg_type_number_t)trustSettings.Length,
- &ortn);
- if(krtn) {
- ocspdErrorLog("ocspdTrustSettingsWrite: RPC returned %d\n", krtn);
- return errSecInternalComponent;
- }
- return ortn;
-}
projects / apple / security.git / blobdiff