+/*
+ * Copyright (c) 2007-2008,2010 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * SecTrustSettings.c - Implement trust settings for certificates
+ */
+
+#include "SecTrustSettings.h"
+#include "SecTrustSettingsPriv.h"
+#include <Security/SecCertificatePriv.h>
+#include <AssertMacros.h>
+#include <pthread.h>
+#include <security_utilities/debugging.h>
+#include "SecBasePriv.h"
+#include <Security/SecInternal.h>
+#include <CoreFoundation/CFRuntime.h>
+
+#define trustSettingsDbg(args...) secdebug("trustSettings", ## args)
+#define trustSettingsEvalDbg(args...) secdebug("trustSettingsEval", ## args)
+
+#pragma mark -
+#pragma mark Static Functions
+
+#if 0
+/* Return a (hex)string representation of a CFDataRef. */
+static CFStringRef SecCopyHexStringFromData(CFDataRef data)
+{
+ CFIndex ix, length;
+ const UInt8 *bytes;
+ CFMutableStringRef string;
+
+ if (data) {
+ length = CFDataGetLength(data);
+ bytes = CFDataGetBytePtr(data);
+ } else {
+ length = 0;
+ bytes = NULL;
+ }
+ string = CFStringCreateMutable(kCFAllocatorDefault, length * 2);
+ for (ix = 0; ix < length; ++ix)
+ CFStringAppendFormat(string, NULL, CFSTR("%02X"), bytes[ix]);
+
+ return string;
+}
+#endif
+
+/* Return a CFDataRef representation of a (hex)string. */
+static CFDataRef SecCopyDataFromHexString(CFStringRef string) {
+ CFMutableDataRef data;
+ CFIndex ix, length;
+ UInt8 *bytes;
+
+ length = string ? CFStringGetLength(string) : 0;
+ if (length & 1) {
+ secwarning("Odd length string: %@ returning NULL", string);
+ return NULL;
+ }
+
+ data = CFDataCreateMutable(kCFAllocatorDefault, length / 2);
+ CFDataSetLength(data, length / 2);
+ bytes = CFDataGetMutableBytePtr(data);
+
+ CFStringInlineBuffer buf;
+ CFRange range = { 0, length };
+ CFStringInitInlineBuffer(string, &buf, range);
+ UInt8 lastv = 0;
+ for (ix = 0; ix < length; ++ix) {
+ UniChar c = CFStringGetCharacterFromInlineBuffer(&buf, ix);
+ UInt8 v;
+ if ('0' <= c && c <= '9')
+ v = c - '0';
+ else if ('A' <= c && c <= 'F')
+ v = c = 'A' + 10;
+ else if ('a' <= c && c <= 'a')
+ v = c = 'a' + 10;
+ else {
+ secwarning("Non hex string: %@ returning NULL", string);
+ CFRelease(data);
+ return NULL;
+ }
+ if (ix & 1) {
+ *bytes++ = (lastv << 4) + v;
+ } else {
+ lastv = v;
+ }
+ }
+
+ return data;
+}
+
+#if 0
+/*
+ * Obtain a string representing a cert's SHA1 digest. This string is
+ * the key used to look up per-cert trust settings in a TrustSettings record.
+ */
+static CFStringRef SecTrustSettingsCertHashStrFromCert(
+ SecCertificateRef certRef)
+{
+ if (certRef == NULL) {
+ return NULL;
+ }
+
+ if(certRef == kSecTrustSettingsDefaultRootCertSetting) {
+ /* use this string instead of the cert hash as the dictionary key */
+ secdebug("trustsettings","DefaultSetting");
+ return kSecTrustRecordDefaultRootCert;
+ }
+
+ CFDataRef digest = SecCertificateGetSHA1Digest(certRef);
+ return SecCopyHexStringFromData(digest);
+}
+#endif
+
+#pragma mark -
+#pragma mark SecTrustSettings
+/********************************************************
+ ************** SecTrustSettings object *****************
+ ********************************************************/
+
+struct __SecTrustSettings {
+ CFRuntimeBase _base;
+
+ /* the overall parsed TrustSettings - may be NULL if this is trimmed */
+ CFDictionaryRef _propList;
+
+ /* and the main thing we work with, the dictionary of per-cert trust settings */
+ CFMutableDictionaryRef _trustDict;
+
+ /* version number of mPropDict */
+ SInt32 _dictVersion;
+
+ SecTrustSettingsDomain _domain;
+ bool _dirty; /* we've changed _trustDict since creation */
+};
+
+/* CFRuntime regsitration data. */
+static pthread_once_t kSecTrustSettingsRegisterClass = PTHREAD_ONCE_INIT;
+static CFTypeID kSecTrustSettingsTypeID = _kCFRuntimeNotATypeID;
+
+static void SecTrustSettingsDestroy(CFTypeRef cf) {
+ SecTrustSettingsRef ts = (SecTrustSettingsRef) cf;
+ CFReleaseSafe(ts->_propList);
+ CFReleaseSafe(ts->_trustDict);
+}
+
+static void SecTrustSettingsRegisterClass(void) {
+ static const CFRuntimeClass kSecTrustSettingsClass = {
+ 0, /* version */
+ "SecTrustSettings", /* class name */
+ NULL, /* init */
+ NULL, /* copy */
+ SecTrustSettingsDestroy, /* dealloc */
+ NULL, /* equal */
+ NULL, /* hash */
+ NULL, /* copyFormattingDesc */
+ NULL /* copyDebugDesc */
+ };
+
+ kSecTrustSettingsTypeID = _CFRuntimeRegisterClass(&kSecTrustSettingsClass);
+}
+
+/* SecTrustSettings API functions. */
+CFTypeID SecTrustSettingsGetTypeID(void) {
+ pthread_once(&kSecTrustSettingsRegisterClass, SecTrustSettingsRegisterClass);
+ return kSecTrustSettingsTypeID;
+}
+
+/* Make sure a presumed CFNumber can be converted to a 32-bit number */
+static bool tsIsGoodCfNum(CFNumberRef cfn, SInt32 *num)
+{
+ /* by convention */
+ if (cfn == NULL) {
+ *num = 0;
+ return true;
+ }
+ require(CFGetTypeID(cfn) == CFNumberGetTypeID(), errOut);
+ return CFNumberGetValue(cfn, kCFNumberSInt32Type, num);
+errOut:
+ return false;
+}
+
+static bool validateUsageConstraint(const void *value) {
+ CFDictionaryRef ucDict = (CFDictionaryRef)value;
+ require(CFGetTypeID(ucDict) == CFDictionaryGetTypeID(), errOut);
+
+ CFDataRef certPolicy = (CFDataRef)CFDictionaryGetValue(ucDict,
+ kSecTrustSettingsPolicy);
+ require(certPolicy && CFGetTypeID(certPolicy) == CFDataGetTypeID(), errOut);
+
+ CFStringRef certApp = (CFStringRef)CFDictionaryGetValue(ucDict,
+ kSecTrustSettingsApplication);
+ require(certApp && CFGetTypeID(certApp) == CFStringGetTypeID(), errOut);
+
+ CFStringRef policyStr = (CFStringRef)CFDictionaryGetValue(ucDict,
+ kSecTrustSettingsPolicyString);
+ require(policyStr && CFGetTypeID(policyStr) == CFStringGetTypeID(), errOut);
+
+ SInt32 dummy;
+ CFNumberRef allowedError = (CFNumberRef)CFDictionaryGetValue(ucDict,
+ kSecTrustSettingsAllowedError);
+ require(tsIsGoodCfNum(allowedError, &dummy), errOut);
+
+ CFNumberRef trustSettingsResult = (CFNumberRef)CFDictionaryGetValue(ucDict,
+ kSecTrustSettingsResult);
+ require(tsIsGoodCfNum(trustSettingsResult, &dummy), errOut);
+
+ CFNumberRef keyUsage = (CFNumberRef)CFDictionaryGetValue(ucDict,
+ kSecTrustSettingsKeyUsage);
+ require(tsIsGoodCfNum(keyUsage, &dummy), errOut);
+
+ return true;
+errOut:
+ return false;
+}
+
+static bool validateTrustSettingsArray(CFArrayRef usageConstraints) {
+ CFIndex ix, numConstraints = CFArrayGetCount(usageConstraints);
+ bool result = true;
+ for (ix = 0; ix < numConstraints; ++ix) {
+ if (!validateUsageConstraint(CFArrayGetValueAtIndex(usageConstraints, ix)))
+ result = false;
+ }
+ return result;
+}
+
+struct trustListContext {
+ CFMutableDictionaryRef dict;
+ SInt32 version;
+ bool trim;
+ OSStatus status;
+};
+
+static void trustListApplierFunction(const void *key, const void *value, void *context) {
+ CFStringRef digest = (CFStringRef)key;
+ CFDictionaryRef certDict = (CFDictionaryRef)value;
+ struct trustListContext *tlc = (struct trustListContext *)context;
+ CFDataRef newKey = NULL;
+ CFMutableDictionaryRef newDict = NULL;
+
+ /* Get the key. */
+ require(digest && CFGetTypeID(digest) == CFStringGetTypeID(), errOut);
+ /* Convert it to a CFDataRef. */
+ require(newKey = SecCopyDataFromHexString(digest), errOut);
+
+ /* get per-cert dictionary */
+ require(certDict && CFGetTypeID(certDict) == CFDictionaryGetTypeID(), errOut);
+
+ /* Create the to be inserted dictionary. */
+ require(newDict = CFDictionaryCreateMutable(kCFAllocatorDefault,
+ tlc->trim ? 1 : 4, &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks), errOut);
+
+ /* The certDict dictionary should have exactly four entries.
+ If we're trimming, all we need is the actual trust settings. */
+
+ /* issuer */
+ CFDataRef issuer = (CFDataRef)CFDictionaryGetValue(certDict,
+ kTrustRecordIssuer);
+ require(issuer && CFGetTypeID(issuer) == CFDataGetTypeID(), errOut);
+
+ /* serial number */
+ CFDataRef serial = (CFDataRef)CFDictionaryGetValue(certDict,
+ kTrustRecordSerialNumber);
+ require(serial && CFGetTypeID(serial) == CFDataGetTypeID(), errOut);
+
+ /* modification date */
+ CFDateRef modDate = (CFDateRef)CFDictionaryGetValue(certDict,
+ kTrustRecordModDate);
+ require(modDate && CFGetTypeID(modDate) == CFDateGetTypeID(), errOut);
+
+ /* If we are not trimming we copy these extra values as well. */
+ if (!tlc->trim) {
+ CFDictionaryAddValue(newDict, kTrustRecordIssuer, issuer);
+ CFDictionaryAddValue(newDict, kTrustRecordSerialNumber, serial);
+ CFDictionaryAddValue(newDict, kTrustRecordModDate, modDate);
+ }
+
+ /* The actual trust settings */
+ CFArrayRef trustSettings = (CFArrayRef)CFDictionaryGetValue(certDict,
+ kTrustRecordTrustSettings);
+ /* optional; this cert's entry is good */
+ if(trustSettings) {
+ require(CFGetTypeID(trustSettings) == CFArrayGetTypeID(), errOut);
+
+ /* Now validate the usageConstraint array contents */
+ require(validateTrustSettingsArray(trustSettings), errOut);
+
+ /* Add the trustSettings to the dict. */
+ CFDictionaryAddValue(newDict, kTrustRecordTrustSettings, trustSettings);
+ }
+
+ CFDictionaryAddValue(tlc->dict, newKey, newDict);
+ CFRelease(newKey);
+ CFRelease(newDict);
+
+ return;
+errOut:
+ CFReleaseSafe(newKey);
+ CFReleaseSafe(newDict);
+ tlc->status = errSecInvalidTrustSettings;
+}
+
+static OSStatus SecTrustSettingsValidate(SecTrustSettingsRef ts, bool trim) {
+ /* top level dictionary */
+ require(ts->_propList, errOut);
+ require(CFGetTypeID(ts->_propList) == CFDictionaryGetTypeID(), errOut);
+
+ /* That dictionary has two entries */
+ CFNumberRef cfVers = (CFNumberRef)CFDictionaryGetValue(ts->_propList, kTrustRecordVersion);
+ require(cfVers != NULL && CFGetTypeID(cfVers) == CFNumberGetTypeID(), errOut);
+ require(CFNumberGetValue(cfVers, kCFNumberSInt32Type, &ts->_dictVersion), errOut);
+ require((ts->_dictVersion <= kSecTrustRecordVersionCurrent) &&
+ (ts->_dictVersion != kSecTrustRecordVersionInvalid), errOut);
+
+ /* other backwards-compatibility handling done later, if needed, per _dictVersion */
+
+ require(ts->_trustDict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), errOut);
+
+ CFDictionaryRef trustList = (CFDictionaryRef)CFDictionaryGetValue(
+ ts->_propList, kTrustRecordTrustList);
+ require(trustList != NULL &&
+ CFGetTypeID(trustList) == CFDictionaryGetTypeID(), errOut);
+
+ /* Convert the per-cert entries from on disk to in memory format. */
+ struct trustListContext context = {
+ ts->_trustDict, ts->_dictVersion, trim, noErr
+ };
+ CFDictionaryApplyFunction(trustList, trustListApplierFunction, &context);
+
+ if (trim) {
+ /* we don't need the top-level dictionary any more */
+ CFRelease(ts->_propList);
+ ts->_propList = NULL;
+ }
+
+ return context.status;
+
+errOut:
+ return errSecInvalidTrustSettings;
+}
+
+OSStatus SecTrustSettingsCreateFromExternal(SecTrustSettingsDomain domain,
+ CFDataRef external, SecTrustSettingsRef *ts) {
+ CFAllocatorRef allocator = kCFAllocatorDefault;
+ CFIndex size = sizeof(struct __SecTrustSettings);
+ SecTrustSettingsRef result;
+
+ require(result = (SecTrustSettingsRef)_CFRuntimeCreateInstance(allocator,
+ SecTrustSettingsGetTypeID(), size - sizeof(CFRuntimeBase), 0), errOut);
+
+ CFStringRef errorString = NULL;
+ CFPropertyListRef plist = CFPropertyListCreateFromXMLData(
+ kCFAllocatorDefault, external, kCFPropertyListImmutable, &errorString);
+ if (!plist) {
+ secwarning("CFPropertyListCreateFromXMLData: %@", errorString);
+ CFReleaseSafe(errorString);
+ goto errOut;
+ }
+
+ result->_propList = plist;
+ result->_trustDict = NULL;
+ SecTrustSettingsValidate(result, false);
+
+ *ts = result;
+
+ return noErr;
+
+errOut:
+ return errSecInvalidTrustSettings;
+}
+
+SecTrustSettingsRef SecTrustSettingsCreate(SecTrustSettingsDomain domain,
+ bool create, bool trim) {
+ CFAllocatorRef allocator = kCFAllocatorDefault;
+ CFIndex size = sizeof(struct __SecTrustSettings);
+ SecTrustSettingsRef result =
+ (SecTrustSettingsRef)_CFRuntimeCreateInstance(allocator,
+ SecTrustSettingsGetTypeID(), size - sizeof(CFRuntimeBase), 0);
+ if (!result)
+ return NULL;
+
+ //result->_data = NULL;
+
+ return result;
+}
+
+CFDataRef SecTrustSettingsCopyExternal(SecTrustSettingsRef ts) {
+ /* Transform the internal represantation of the trustSettings to an
+ external form. */
+ // @@@ SecTrustSettingsUpdatePropertyList(SecTrustSettingsRef ts);
+ CFDataRef xmlData;
+ verify(xmlData = CFPropertyListCreateXMLData(kCFAllocatorDefault,
+ ts->_propList));
+ return xmlData;
+}
+
+void SecTrustSettingsSet(SecCertificateRef certRef,
+ CFTypeRef trustSettingsDictOrArray) {
+}
+
+
+
+#pragma mark -
+#pragma mark SPI functions
+
+
+/*
+ * Fundamental routine used by TP to ascertain status of one cert.
+ *
+ * Returns true in *foundMatchingEntry if a trust setting matching
+ * specific constraints was found for the cert. Returns true in
+ * *foundAnyEntry if any entry was found for the cert, even if it
+ * did not match the specified constraints. The TP uses this to
+ * optimize for the case where a cert is being evaluated for
+ * one type of usage, and then later for another type. If
+ * foundAnyEntry is false, the second evaluation need not occur.
+ *
+ * Returns the domain in which a setting was found in *foundDomain.
+ *
+ * Allowed errors applying to the specified cert evaluation
+ * are returned in a mallocd array in *allowedErrors and must
+ * be freed by caller.
+ *
+ * The design of the entire TrustSettings module is centered around
+ * optimizing the performance of this routine (security concerns
+ * aside, that is). It's why the per-cert dictionaries are stored
+ * as a dictionary, keyed off of the cert hash. It's why TrustSettings
+ * are cached in memory by tsGetGlobalTrustSettings(), and why those
+ * cached TrustSettings objects are 'trimmed' of dictionary fields
+ * which are not needed to verify a cert.
+ *
+ * The API functions which are used to manipulate Trust Settings
+ * are called infrequently and need not be particularly fast since
+ * they result in user interaction for authentication. Thus they do
+ * not use cached TrustSettings as this function does.
+ */
+OSStatus SecTrustSettingsEvaluateCertificate(
+ SecCertificateRef certificate,
+ SecPolicyRef policy,
+ SecTrustSettingsKeyUsage keyUsage, /* optional */
+ bool isSelfSignedCert, /* for checking default setting */
+ /* RETURNED values */
+ SecTrustSettingsDomain *foundDomain,
+ CFArrayRef *allowedErrors, /* RETURNED */
+ SecTrustSettingsResult *resultType, /* RETURNED */
+ bool *foundMatchingEntry,/* RETURNED */
+ bool *foundAnyEntry) /* RETURNED */
+{
+#if 0
+ BEGIN_RCSAPI
+
+ StLock<Mutex> _(sutCacheLock());
+
+ TS_REQUIRED(certHashStr)
+ TS_REQUIRED(foundDomain)
+ TS_REQUIRED(allowedErrors)
+ TS_REQUIRED(numAllowedErrors)
+ TS_REQUIRED(resultType)
+ TS_REQUIRED(foundMatchingEntry)
+ TS_REQUIRED(foundMatchingEntry)
+
+ /* ensure a NULL_terminated string */
+ auto_array<char> polStr;
+ if(policyString != NULL) {
+ polStr.allocate(policyStringLen + 1);
+ memmove(polStr.get(), policyString, policyStringLen);
+ if(policyString[policyStringLen - 1] != '\0') {
+ (polStr.get())[policyStringLen] = '\0';
+ }
+ }
+
+ /* initial condition - this can grow if we inspect multiple TrustSettings */
+ *allowedErrors = NULL;
+ *numAllowedErrors = 0;
+
+ /*
+ * This loop relies on the ordering of the SecTrustSettingsDomain enum:
+ * search user first, then admin, then system.
+ */
+ assert(kSecTrustSettingsDomainAdmin == (kSecTrustSettingsDomainUser + 1));
+ assert(kSecTrustSettingsDomainSystem == (kSecTrustSettingsDomainAdmin + 1));
+ bool foundAny = false;
+ for(unsigned domain=kSecTrustSettingsDomainUser;
+ domain<=kSecTrustSettingsDomainSystem;
+ domain++) {
+ TrustSettings *ts = tsGetGlobalTrustSettings(domain);
+ if(ts == NULL) {
+ continue;
+ }
+
+ /* validate cert returns true if matching entry was found */
+ bool foundAnyHere = false;
+ bool found = ts->evaluateCert(certHashStr, policyOID,
+ polStr.get(), keyUsage, isRootCert,
+ allowedErrors, numAllowedErrors, resultType, &foundAnyHere);
+
+ if(found) {
+ /*
+ * Note this, even though we may overwrite it later if this
+ * is an Unspecified entry and we find a definitive entry
+ * later
+ */
+ *foundDomain = domain;
+ }
+ if(found && (*resultType != kSecTrustSettingsResultUnspecified)) {
+ trustSettingsDbg("SecTrustSettingsEvaluateCert: found in domain %d", domain);
+ *foundAnyEntry = true;
+ *foundMatchingEntry = true;
+ return noErr;
+ }
+ foundAny |= foundAnyHere;
+ }
+ trustSettingsDbg("SecTrustSettingsEvaluateCert: NOT FOUND");
+ *foundAnyEntry = foundAny;
+ *foundMatchingEntry = false;
+ return noErr;
+ END_RCSAPI
+#endif
+ return noErr;
+}
+
+/*
+ * Add a cert's TrustSettings to a non-persistent TrustSettings record.
+ * No locking or cache flushing here; it's all local to the TrustSettings
+ * we construct here.
+ */
+OSStatus SecTrustSettingsSetTrustSettingsExternal(
+ CFDataRef settingsIn, /* optional */
+ SecCertificateRef certRef, /* optional */
+ CFTypeRef trustSettingsDictOrArray, /* optional */
+ CFDataRef *settingsOut) /* RETURNED */
+{
+ SecTrustSettingsRef ts = NULL;
+ OSStatus status;
+
+ require_noerr(status = SecTrustSettingsCreateFromExternal(
+ kSecTrustSettingsDomainMemory, settingsIn, &ts), errOut);
+ SecTrustSettingsSet(certRef, trustSettingsDictOrArray);
+ *settingsOut = SecTrustSettingsCopyExternal(ts);
+
+errOut:
+ CFReleaseSafe(ts);
+ return status;
+}
projects / apple / security.git / blobdiff