--- /dev/null
+/*
+ * Copyright (c) 2002-2012 Apple Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please obtain
+ * a copy of the License at http://www.apple.com/publicsource and read it before
+ * using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
+ * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
+ * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
+ * specific language governing rights and limitations under the License.
+ */
+
+
+/*
+ * tpCrlVerify.cpp - routines to verify CRLs and to verify certs against CRLs.
+ */
+
+#include "tpCrlVerify.h"
+#include "TPCertInfo.h"
+#include "TPCrlInfo.h"
+#include "tpOcspVerify.h"
+#include "tpdebugging.h"
+#include "TPNetwork.h"
+#include "TPDatabase.h"
+#include <CommonCrypto/CommonDigest.h>
+#include <Security/oidscert.h>
+#include <security_ocspd/ocspdClient.h>
+#include <security_utilities/globalizer.h>
+#include <security_utilities/threading.h>
+#include <security_cdsa_utilities/cssmerrors.h>
+#include <sys/stat.h>
+
+/* general purpose, switch to policy-specific code based on TPVerifyContext.policy */
+CSSM_RETURN tpRevocationPolicyVerify(
+ TPVerifyContext &tpVerifyContext,
+ TPCertGroup &certGroup)
+{
+ switch(tpVerifyContext.policy) {
+ case kRevokeNone:
+ return CSSM_OK;
+ case kRevokeCrlBasic:
+ return tpVerifyCertGroupWithCrls(tpVerifyContext, certGroup);
+ case kRevokeOcsp:
+ return tpVerifyCertGroupWithOCSP(tpVerifyContext, certGroup);
+ default:
+ assert(0);
+ return CSSMERR_TP_INTERNAL_ERROR;
+ }
+}
+
+/*
+ * For now, a process-wide memory resident CRL cache.
+ * We are responsible for deleting the CRLs which get added to this
+ * cache. Currently the only time we add a CRL to this cache is
+ * when we fetch one from the net. We ref count CRLs in this cache
+ * to allow multi-threaded access.
+ * Entries do not persist past the tpVerifyCertGroupWithCrls() in
+ * which they were created unless another thread in the same
+ * process snags a refcount (also from tpVerifyCertGroupWithCrls()).
+ * I.e. when cert verification is complete the cache will be empty.
+ * This is a change from Tiger and previous. CRLs get pretty big,
+ * up to a megabyte or so, and it's just not worth it to keep those
+ * around in memory. (OCSP responses, which are much smaller than
+ * CRLs, are indeed cached in memory. See tpOcspCache.cpp.)
+ */
+class TPCRLCache : private TPCrlGroup
+{
+public:
+ TPCRLCache();
+ ~TPCRLCache() { }
+ TPCrlInfo *search(
+ TPCertInfo &cert,
+ TPVerifyContext &vfyCtx);
+ void add(
+ TPCrlInfo &crl);
+ void remove(
+ TPCrlInfo &crl);
+ void release(
+ TPCrlInfo &crl);
+
+private:
+ /* Protects ref count of all members of the cache */
+ Mutex mLock;
+};
+
+TPCRLCache::TPCRLCache()
+ : TPCrlGroup(Allocator::standard(), TGO_Group)
+{
+
+}
+
+TPCrlInfo *TPCRLCache::search(
+ TPCertInfo &cert,
+ TPVerifyContext &vfyCtx)
+{
+ StLock<Mutex> _(mLock);
+ TPCrlInfo *crl = findCrlForCert(cert);
+ if(crl) {
+ /* reevaluate validity */
+ crl->calculateCurrent(vfyCtx.verifyTime);
+ crl->mRefCount++;
+ tpCrlDebug("TPCRLCache hit");
+ }
+ else {
+ tpCrlDebug("TPCRLCache miss");
+ }
+ return crl;
+}
+
+/* bumps ref count - caller is going to be using the CRL */
+void TPCRLCache::add(
+ TPCrlInfo &crl)
+{
+ StLock<Mutex> _(mLock);
+ tpCrlDebug("TPCRLCache add");
+ crl.mRefCount++;
+ appendCrl(crl);
+}
+
+/* delete and remove from cache if refCount zero */
+void TPCRLCache::release(
+ TPCrlInfo &crl)
+{
+ StLock<Mutex> _(mLock);
+ assert(crl.mRefCount > 0);
+ crl.mRefCount--;
+ if(crl.mRefCount == 0) {
+ tpCrlDebug("TPCRLCache release; deleting");
+ removeCrl(crl);
+ delete &crl;
+ }
+ else {
+ tpCrlDebug("TPCRLCache release; in use");
+ }
+}
+
+static ModuleNexus<TPCRLCache> tpGlobalCrlCache;
+
+/*
+ * Find CRL for specified cert. Only returns a fully verified CRL.
+ * Cert-specific errors such as CSSMERR_APPLETP_CRL_NOT_FOUND will be added
+ * to cert's return codes.
+ */
+static CSSM_RETURN tpFindCrlForCert(
+ TPCertInfo &subject,
+ TPCrlInfo *&foundCrl, // RETURNED
+ TPVerifyContext &vfyCtx)
+{
+
+ tpCrlDebug("tpFindCrlForCert top");
+ TPCrlInfo *crl = NULL;
+ foundCrl = NULL;
+ CSSM_APPLE_TP_CRL_OPT_FLAGS crlOptFlags = 0;
+
+ if(vfyCtx.crlOpts) {
+ crlOptFlags = vfyCtx.crlOpts->CrlFlags;
+ }
+
+ /* Search inputCrls for a CRL for subject cert */
+ if(vfyCtx.inputCrls != NULL) {
+ crl = vfyCtx.inputCrls->findCrlForCert(subject);
+ if(crl && (crl->verifyWithContextNow(vfyCtx, &subject) == CSSM_OK)) {
+ foundCrl = crl;
+ crl->mFromWhere = CFW_InGroup;
+ tpCrlDebug(" ...CRL found in CrlGroup");
+ return CSSM_OK;
+ }
+ }
+
+ /* local process-wide cache */
+ crl = tpGlobalCrlCache().search(subject, vfyCtx);
+ if(crl) {
+ tpCrlDebug("...tpFindCrlForCert found CRL in cache, calling verifyWithContext");
+ if(crl->verifyWithContextNow(vfyCtx, &subject) == CSSM_OK) {
+ foundCrl = crl;
+ crl->mFromWhere = CFW_LocalCache;
+ tpCrlDebug(" ...CRL found in local cache");
+ return CSSM_OK;
+ }
+ else {
+ tpGlobalCrlCache().release(*crl);
+ }
+ }
+
+ /*
+ * Try DL/DB.
+ * Note tpDbFindIssuerCrl() returns a verified CRL.
+ */
+ crl = tpDbFindIssuerCrl(vfyCtx, *subject.issuerName(), subject);
+ if(crl) {
+ foundCrl = crl;
+ crl->mFromWhere = CFW_DlDb;
+ tpCrlDebug(" ...CRL found in DlDb");
+ return CSSM_OK;
+ }
+
+ /* Last resort: try net if enabled */
+ CSSM_RETURN crtn = CSSMERR_APPLETP_CRL_NOT_FOUND;
+ crl = NULL;
+ if(crlOptFlags & CSSM_TP_ACTION_FETCH_CRL_FROM_NET) {
+ crtn = tpFetchCrlFromNet(subject, vfyCtx, crl);
+ }
+
+ if(crtn) {
+ tpCrlDebug(" ...tpFindCrlForCert: CRL not found");
+ if(subject.addStatusCode(crtn)) {
+ return crtn;
+ }
+ else {
+ return CSSM_OK;
+ }
+ }
+
+ /* got one from net - add to global cache */
+ assert(crl != NULL);
+ tpGlobalCrlCache().add(*crl);
+ crl->mFromWhere = CFW_Net;
+ tpCrlDebug(" ...CRL found from net");
+
+ foundCrl = crl;
+ return CSSM_OK;
+}
+
+/*
+ * Dispose of a CRL obtained from tpFindCrlForCert().
+ */
+static void tpDisposeCrl(
+ TPCrlInfo &crl,
+ TPVerifyContext &vfyCtx)
+{
+ switch(crl.mFromWhere) {
+ case CFW_Nowhere:
+ default:
+ assert(0);
+ CssmError::throwMe(CSSMERR_TP_INTERNAL_ERROR);
+ case CFW_InGroup:
+ /* nothing to do, handled by TPCrlGroup */
+ return;
+ case CFW_DlDb:
+ /* cooked up specially for this call */
+ delete &crl;
+ return;
+ case CFW_LocalCache: // cache hit
+ case CFW_Net: // fetched from net & added to cache
+ tpGlobalCrlCache().release(crl);
+ return;
+ /* probably others */
+ }
+}
+
+/*
+ * Does this cert have a CrlDistributionPoints extension? We don't parse it, we
+ * just tell the caller whether or not it has one.
+ */
+static bool tpCertHasCrlDistPt(
+ TPCertInfo &cert)
+{
+ CSSM_DATA_PTR fieldValue;
+ CSSM_RETURN crtn = cert.fetchField(&CSSMOID_CrlDistributionPoints, &fieldValue);
+ if(crtn) {
+ return false;
+ }
+ else {
+ cert.freeField(&CSSMOID_CrlDistributionPoints, fieldValue);
+ return true;
+ }
+}
+
+/*
+ * Get current CRL status for a certificate and its issuers.
+ *
+ * Possible results:
+ *
+ * CSSM_OK (we have a valid CRL; certificate is not revoked)
+ * CSSMERR_TP_CERT_REVOKED (we have a valid CRL; certificate is revoked)
+ * CSSMERR_APPLETP_NETWORK_FAILURE (CRL not available, download in progress)
+ * CSSMERR_APPLETP_CRL_NOT_FOUND (CRL not available, and not being fetched)
+ * CSSMERR_TP_INTERNAL_ERROR (unexpected error)
+ *
+ * Note that ocspdCRLStatus does NOT wait for the CRL to be downloaded before
+ * returning, nor does it initiate a CRL download.
+ */
+static
+CSSM_RETURN tpGetCrlStatusForCert(
+ TPCertInfo &subject,
+ const CSSM_DATA &issuers)
+{
+ CSSM_DATA *serialNumber=NULL;
+ CSSM_RETURN crtn = subject.fetchField(&CSSMOID_X509V1SerialNumber, &serialNumber);
+ if(crtn || !serialNumber) {
+ return CSSMERR_TP_INTERNAL_ERROR;
+ }
+ crtn = ocspdCRLStatus(*serialNumber, issuers, subject.issuerName(), NULL);
+ subject.freeField(&CSSMOID_X509V1SerialNumber, serialNumber);
+ return crtn;
+}
+
+/*
+ * Perform CRL verification on a cert group.
+ * The cert group has already passed basic issuer/subject and signature
+ * verification. The status of the incoming CRLs is completely unknown.
+ *
+ * FIXME - No mechanism to get CRLs from net with non-NULL verifyTime.
+ * How are we supposed to get the CRL which was valid at a specified
+ * time in the past?
+ */
+CSSM_RETURN tpVerifyCertGroupWithCrls(
+ TPVerifyContext &vfyCtx,
+ TPCertGroup &certGroup) // to be verified
+{
+ CSSM_RETURN crtn;
+ CSSM_RETURN ourRtn = CSSM_OK;
+
+ assert(vfyCtx.clHand != 0);
+ assert(vfyCtx.policy == kRevokeCrlBasic);
+ tpCrlDebug("tpVerifyCertGroupWithCrls numCerts %u", certGroup.numCerts());
+ CSSM_DATA issuers = { 0, NULL };
+ CSSM_APPLE_TP_CRL_OPT_FLAGS optFlags = 0;
+ if(vfyCtx.crlOpts != NULL) {
+ optFlags = vfyCtx.crlOpts->CrlFlags;
+ }
+
+ /* found & verified CRLs we need to release */
+ TPCrlGroup foundCrls(vfyCtx.alloc, TGO_Caller);
+
+ try {
+
+ unsigned certDex;
+ TPCrlInfo *crl = NULL;
+
+ /* get issuers as PEM-encoded data blob; we need to release */
+ certGroup.encodeIssuers(issuers);
+
+ /* main loop, verify each cert */
+ for(certDex=0; certDex<certGroup.numCerts(); certDex++) {
+ TPCertInfo *cert = certGroup.certAtIndex(certDex);
+
+ tpCrlDebug("...verifying %s cert %u",
+ cert->isAnchor() ? "anchor " : "", cert->index());
+ if(cert->isSelfSigned() || cert->trustSettingsFound()) {
+ /* CRL meaningless for a root or trusted cert */
+ continue;
+ }
+ if(cert->revokeCheckComplete()) {
+ /* Another revocation policy claimed that this cert is good to go */
+ tpCrlDebug(" ...cert at index %u revokeCheckComplete; skipping",
+ cert->index());
+ continue;
+ }
+ crl = NULL;
+ do {
+ /* first, see if we have CRL status available for this cert */
+ crtn = tpGetCrlStatusForCert(*cert, issuers);
+ tpCrlDebug("...tpGetCrlStatusForCert: %u", crtn);
+ if(crtn == CSSM_OK) {
+ tpCrlDebug("tpVerifyCertGroupWithCrls: cert %u verified by local .crl\n",
+ cert->index());
+ cert->revokeCheckGood(true);
+ if(optFlags & CSSM_TP_ACTION_CRL_SUFFICIENT) {
+ /* no more revocation checking necessary for this cert */
+ cert->revokeCheckComplete(true);
+ }
+ break;
+ }
+ if(crtn == CSSMERR_TP_CERT_REVOKED) {
+ tpCrlDebug("tpVerifyCertGroupWithCrls: cert %u revoked in local .crl\n",
+ cert->index());
+ cert->addStatusCode(crtn);
+ break;
+ }
+ if(crtn == CSSMERR_APPLETP_NETWORK_FAILURE) {
+ /* crl is being fetched from net, but we don't have it yet */
+ if((optFlags & CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT) &&
+ tpCertHasCrlDistPt(*cert)) {
+ /* crl is required; we don't have it yet, so we fail */
+ tpCrlDebug(" ...cert %u: REQUIRE_CRL_IF_PRESENT abort",
+ cert->index());
+ break;
+ }
+ /* "Best Attempt" case, so give the cert a pass for now */
+ tpCrlDebug(" ...cert %u: no CRL; tolerating", cert->index());
+ crtn = CSSM_OK;
+ break;
+ }
+ /* all other CRL status results: try to fetch the CRL */
+
+ /* find a CRL for this cert by hook or crook */
+ crtn = tpFindCrlForCert(*cert, crl, vfyCtx);
+ if(crtn) {
+ /* tpFindCrlForCert may have simply caused ocspd to start
+ * downloading a CRL asynchronously; depending on the speed
+ * of the network and the CRL size, this may return 0 bytes
+ * of data with a CSSMERR_APPLETP_NETWORK_FAILURE result.
+ * We won't know the actual revocation result until the
+ * next time we call tpGetCrlStatusForCert after the full
+ * CRL has been downloaded successfully.
+ */
+ if(optFlags & CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT) {
+ tpCrlDebug(" ...cert %u: REQUIRE_CRL_PER_CERT abort",
+ cert->index());
+ break;
+ }
+ if((optFlags & CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT) &&
+ tpCertHasCrlDistPt(*cert)) {
+ tpCrlDebug(" ...cert %u: REQUIRE_CRL_IF_PRESENT abort",
+ cert->index());
+ break;
+ }
+ /*
+ * This is the only place where "Best Attempt" tolerates an error
+ */
+ tpCrlDebug(" ...cert %u: no CRL; tolerating", cert->index());
+ crtn = CSSM_OK;
+ assert(crl == NULL);
+ break;
+ }
+
+ /* Keep track; we'll release all when done. */
+ assert(crl != NULL);
+ foundCrls.appendCrl(*crl);
+
+ /* revoked? */
+ crtn = crl->isCertRevoked(*cert, vfyCtx.verifyTime);
+ if(crtn) {
+ break;
+ }
+ tpCrlDebug(" ...cert %u VERIFIED by CRL", cert->index());
+ cert->revokeCheckGood(true);
+ if(optFlags & CSSM_TP_ACTION_CRL_SUFFICIENT) {
+ /* no more revocation checking necessary for this cert */
+ cert->revokeCheckComplete(true);
+ }
+ } while(0);
+
+ /* done processing one cert */
+ if(crtn) {
+ tpCrlDebug(" ...cert at index %u FAILED crl vfy",
+ cert->index());
+ if(ourRtn == CSSM_OK) {
+ ourRtn = crtn;
+ }
+ /* continue on to next cert */
+ } /* error on one cert */
+ } /* for each cert */
+ }
+ catch(const CssmError &cerr) {
+ if(ourRtn == CSSM_OK) {
+ ourRtn = cerr.error;
+ }
+ }
+ /* other exceptions fatal */
+
+ /* release all found CRLs */
+ for(unsigned dex=0; dex<foundCrls.numCrls(); dex++) {
+ TPCrlInfo *crl = foundCrls.crlAtIndex(dex);
+ assert(crl != NULL);
+ tpDisposeCrl(*crl, vfyCtx);
+ }
+ /* release issuers */
+ if(issuers.Data) {
+ free(issuers.Data);
+ }
+ return ourRtn;
+}
+
projects / apple / security.git / blobdiff