--- /dev/null
+/*
+ * Copyright (c) 2000-2014 Apple Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please obtain
+ * a copy of the License at http://www.apple.com/publicsource and read it before
+ * using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
+ * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
+ * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
+ * specific language governing rights and limitations under the License.
+ */
+
+
+/*
+ policies.cpp - TP module policy implementation
+*/
+
+#include <Security/cssmtype.h>
+#include <Security/cssmapi.h>
+#include "tpPolicies.h"
+#include <Security/cssmerr.h>
+#include "tpdebugging.h"
+#include "certGroupUtils.h"
+#include <Security/x509defs.h>
+#include <Security/oidsalg.h>
+#include <Security/oidsattr.h>
+#include <Security/oidscert.h>
+#include <Security/certextensions.h>
+#include <Security/cssmapple.h>
+#include <Security/SecCertificate.h>
+#include <Security/SecCertificatePriv.h>
+#include <string.h>
+#include <ctype.h>
+#include <assert.h>
+#include <CoreFoundation/CFString.h>
+#include <CommonCrypto/CommonDigest.h>
+
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wunused-const-variable"
+
+/*
+ * Our private per-extension info. One of these per (understood) extension per
+ * cert.
+ */
+typedef struct {
+ CSSM_BOOL present;
+ CSSM_BOOL critical;
+ CE_Data *extnData; // mallocd by CL
+ CSSM_DATA *valToFree; // the data we pass to freeField()
+} iSignExtenInfo;
+
+/*
+ * Struct to keep track of info pertinent to one cert.
+ */
+typedef struct {
+
+ /* extensions we're interested in */
+ iSignExtenInfo authorityId;
+ iSignExtenInfo subjectId;
+ iSignExtenInfo keyUsage;
+ iSignExtenInfo extendKeyUsage;
+ iSignExtenInfo basicConstraints;
+ iSignExtenInfo netscapeCertType;
+ iSignExtenInfo subjectAltName;
+ iSignExtenInfo certPolicies;
+ iSignExtenInfo qualCertStatements;
+ iSignExtenInfo nameConstraints;
+ iSignExtenInfo policyMappings;
+ iSignExtenInfo policyConstraints;
+ iSignExtenInfo inhibitAnyPolicy;
+ iSignExtenInfo certificatePolicies;
+
+ /* flag indicating presence of CSSMOID_APPLE_EXTENSION_PASSBOOK_SIGNING */
+ CSSM_BOOL foundPassbookSigning;
+ /* flag indicating presence of CSSMOID_APPLE_EXTENSION_SYSINT2_INTERMEDIATE */
+ CSSM_BOOL foundAppleSysInt2Marker;
+ /* flag indicating presence of CSSMOID_APPLE_EXTENSION_SERVER_AUTHENTICATION */
+ CSSM_BOOL foundAppleServerAuthMarker;
+ /* flag indicating presence of CSSMOID_APPLE_EXTENSION_ESCROW_SERVICE */
+ CSSM_BOOL foundEscrowServiceMarker;
+ /* flag indicating presence of a critical extension we don't understand */
+ CSSM_BOOL foundUnknownCritical;
+ /* flag indicating that this certificate was signed with a known-broken algorithm */
+ CSSM_BOOL untrustedSigAlg;
+
+} iSignCertInfo;
+
+/*
+ * The list of Qualified Cert Statement statementIds we understand, even though
+ * we don't actually do anything with them; if these are found in a Qualified
+ * Cert Statement that's critical, we can truthfully say "yes we understand this".
+ */
+static const CSSM_OID_PTR knownQualifiedCertStatements[] =
+{
+ (const CSSM_OID_PTR)&CSSMOID_OID_QCS_SYNTAX_V1,
+ (const CSSM_OID_PTR)&CSSMOID_OID_QCS_SYNTAX_V2,
+ (const CSSM_OID_PTR)&CSSMOID_ETSI_QCS_QC_COMPLIANCE,
+ (const CSSM_OID_PTR)&CSSMOID_ETSI_QCS_QC_LIMIT_VALUE,
+ (const CSSM_OID_PTR)&CSSMOID_ETSI_QCS_QC_RETENTION,
+ (const CSSM_OID_PTR)&CSSMOID_ETSI_QCS_QC_SSCD
+};
+#define NUM_KNOWN_QUAL_CERT_STATEMENTS (sizeof(knownQualifiedCertStatements) / sizeof(CSSM_OID_PTR))
+
+static CSSM_RETURN tp_verifyMacAppStoreReceiptOpts(TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts, const iSignCertInfo *certInfo);
+
+static CSSM_RETURN tp_verifyPassbookSigningOpts(TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts, const iSignCertInfo *certInfo);
+
+bool certificatePoliciesContainsOID(const CE_CertPolicies *certPolicies, const CSSM_OID *oidToFind);
+
+#define kSecPolicySHA1Size 20
+static const UInt8 kAppleCASHA1[kSecPolicySHA1Size] = {
+ 0x61, 0x1E, 0x5B, 0x66, 0x2C, 0x59, 0x3A, 0x08, 0xFF, 0x58,
+ 0xD1, 0x4A, 0xE2, 0x24, 0x52, 0xD1, 0x98, 0xDF, 0x6C, 0x60
+};
+
+static const UInt8 kMobileRootSHA1[kSecPolicySHA1Size] = {
+ 0xBD, 0xD6, 0x7C, 0x34, 0xD0, 0xB2, 0x68, 0x5D, 0x31, 0x82,
+ 0xCD, 0x32, 0xCB, 0xF4, 0x54, 0x69, 0xA1, 0xF1, 0x6B, 0x09
+};
+
+static const UInt8 kAppleCorpCASHA1[kSecPolicySHA1Size] = {
+ 0xA1, 0x71, 0xDC, 0xDE, 0xE0, 0x8B, 0x1B, 0xAE, 0x30, 0xA1,
+ 0xAE, 0x6C, 0xC6, 0xD4, 0x03, 0x3B, 0xFD, 0xEF, 0x91, 0xCE
+};
+
+/*
+ * Certificate policy OIDs
+ */
+
+/* 2.5.29.32.0 */
+#define ANY_POLICY_OID OID_EXTENSION, 0x32, 0x00
+#define ANY_POLICY_OID_LEN OID_EXTENSION_LENGTH + 2
+
+/* 2.5.29.54 */
+#define INHIBIT_ANY_POLICY_OID OID_EXTENSION, 0x54
+#define INHIBIT_ANY_POLICY_OID_LEN OID_EXTENSION_LENGTH + 1
+
+/* 2.16.840.1.101.2.1 */
+#define US_DOD_INFOSEC 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01
+#define US_DOD_INFOSEC_LEN 7
+
+/* 2.16.840.1.101.2.1.11.10 */
+#define PIV_AUTH_OID US_DOD_INFOSEC, 0x0B, 0x0A
+#define PIV_AUTH_OID_LEN US_DOD_INFOSEC_LEN + 2
+
+/* 2.16.840.1.101.2.1.11.20 */
+#define PIV_AUTH_2048_OID US_DOD_INFOSEC, 0x0B, 0x14
+#define PIV_AUTH_2048_OID_LEN US_DOD_INFOSEC_LEN + 2
+
+static const uint8 OID_ANY_POLICY[] = {ANY_POLICY_OID};
+const CSSM_OID CSSMOID_ANY_POLICY = {ANY_POLICY_OID_LEN, (uint8 *)OID_ANY_POLICY};
+static const uint8 OID_INHIBIT_ANY_POLICY[] = {INHIBIT_ANY_POLICY_OID};
+const CSSM_OID CSSMOID_INHIBIT_ANY_POLICY = {INHIBIT_ANY_POLICY_OID_LEN, (uint8 *)OID_INHIBIT_ANY_POLICY};
+static const uint8 OID_PIV_AUTH[] = {PIV_AUTH_OID};
+const CSSM_OID CSSMOID_PIV_AUTH = {PIV_AUTH_OID_LEN, (uint8 *)OID_PIV_AUTH};
+static const uint8 OID_PIV_AUTH_2048[] = {PIV_AUTH_2048_OID};
+const CSSM_OID CSSMOID_PIV_AUTH_2048 = {PIV_AUTH_2048_OID_LEN, (uint8 *)OID_PIV_AUTH_2048};
+
+static CSSM_RETURN tp_verifyAppleIDSharingOpts(TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts, // optional Common Name
+ const iSignCertInfo *certInfo);
+/*
+ * Setup a single iSignExtenInfo. Called once per known extension
+ * per cert.
+ */
+static CSSM_RETURN tpSetupExtension(
+ Allocator &alloc,
+ CSSM_DATA *extnData,
+ iSignExtenInfo *extnInfo) // which component of certInfo
+{
+ if(extnData->Length != sizeof(CSSM_X509_EXTENSION)) {
+ tpPolicyError("tpSetupExtension: malformed CSSM_FIELD");
+ return CSSMERR_TP_UNKNOWN_FORMAT;
+ }
+ CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)extnData->Data;
+ extnInfo->present = CSSM_TRUE;
+ extnInfo->critical = cssmExt->critical;
+ extnInfo->extnData = (CE_Data *)cssmExt->value.parsedValue;
+ extnInfo->valToFree = extnData;
+ return CSSM_OK;
+}
+
+/*
+ * Fetch a known extension, set up associated iSignExtenInfo if present.
+ */
+static CSSM_RETURN iSignFetchExtension(
+ Allocator &alloc,
+ TPCertInfo *tpCert,
+ const CSSM_OID *fieldOid, // which extension to fetch
+ iSignExtenInfo *extnInfo) // where the info goes
+{
+ CSSM_DATA_PTR fieldValue; // mallocd by CL
+ CSSM_RETURN crtn;
+
+ crtn = tpCert->fetchField(fieldOid, &fieldValue);
+ switch(crtn) {
+ case CSSM_OK:
+ break;
+ case CSSMERR_CL_NO_FIELD_VALUES:
+ /* field not present, OK */
+ return CSSM_OK;
+ default:
+ return crtn;
+ }
+ return tpSetupExtension(alloc,
+ fieldValue,
+ extnInfo);
+}
+
+/*
+ * This function performs a check of an extension marked 'critical'
+ * to see if it's one we understand. Returns CSSM_OK if the extension
+ * is acceptable, CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN if unknown.
+ */
+static CSSM_RETURN iSignVerifyCriticalExtension(
+ CSSM_X509_EXTENSION *cssmExt)
+{
+ if (!cssmExt || !cssmExt->extnId.Data)
+ return CSSMERR_TP_INVALID_FIELD_POINTER;
+
+ if (!cssmExt->critical)
+ return CSSM_OK;
+
+ /* FIXME: remove when policyConstraints NSS template is fixed */
+ if (!memcmp(cssmExt->extnId.Data, CSSMOID_PolicyConstraints.Data, CSSMOID_PolicyConstraints.Length))
+ return CSSM_OK;
+
+ if (cssmExt->extnId.Length > APPLE_EXTENSION_OID_LENGTH &&
+ !memcmp(cssmExt->extnId.Data, CSSMOID_APPLE_EXTENSION.Data, APPLE_EXTENSION_OID_LENGTH)) {
+ /* This extension's OID is under the appleCertificateExtensions arc */
+ return CSSM_OK;
+
+ }
+ return CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN;
+}
+
+/*
+ * Search for all unknown extensions. If we find one which is flagged critical,
+ * flag certInfo->foundUnknownCritical. Only returns error on gross errors.
+ */
+static CSSM_RETURN iSignSearchUnknownExtensions(
+ TPCertInfo *tpCert,
+ iSignCertInfo *certInfo)
+{
+ CSSM_RETURN crtn;
+ CSSM_DATA_PTR fieldValue = NULL;
+ CSSM_HANDLE searchHand = CSSM_INVALID_HANDLE;
+ uint32 numFields = 0;
+
+ certInfo->foundPassbookSigning = CSSM_FALSE;
+ certInfo->foundAppleSysInt2Marker = CSSM_FALSE;
+ certInfo->foundEscrowServiceMarker = CSSM_FALSE;
+
+ crtn = CSSM_CL_CertGetFirstCachedFieldValue(tpCert->clHand(),
+ tpCert->cacheHand(),
+ &CSSMOID_X509V3CertificateExtensionCStruct,
+ &searchHand,
+ &numFields,
+ &fieldValue);
+ switch(crtn) {
+ case CSSM_OK:
+ /* found one, proceed */
+ break;
+ case CSSMERR_CL_NO_FIELD_VALUES:
+ /* no unknown extensions present, OK */
+ return CSSM_OK;
+ default:
+ return crtn;
+ }
+
+ if(fieldValue->Length != sizeof(CSSM_X509_EXTENSION)) {
+ tpPolicyError("iSignSearchUnknownExtensions: malformed CSSM_FIELD");
+ return CSSMERR_TP_UNKNOWN_FORMAT;
+ }
+
+ CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)fieldValue->Data;
+ if (cssmExt->extnId.Length == APPLE_EXTENSION_CODE_SIGNING_LENGTH+1 &&
+ !memcmp(cssmExt->extnId.Data, CSSMOID_APPLE_EXTENSION_PASSBOOK_SIGNING.Data,
+ APPLE_EXTENSION_CODE_SIGNING_LENGTH+1)) {
+ /* this is the Passbook Signing extension */
+ certInfo->foundPassbookSigning = CSSM_TRUE;
+ }
+ if (cssmExt->extnId.Length == APPLE_EXTENSION_SYSINT2_INTERMEDIATE_LENGTH &&
+ !memcmp(cssmExt->extnId.Data, CSSMOID_APPLE_EXTENSION_SYSINT2_INTERMEDIATE.Data,
+ APPLE_EXTENSION_SYSINT2_INTERMEDIATE_LENGTH)) {
+ /* this is the Apple System Integration 2 Signing extension */
+ certInfo->foundAppleSysInt2Marker = CSSM_TRUE;
+ }
+ if (cssmExt->extnId.Length == APPLE_EXTENSION_ESCROW_SERVICE_LENGTH &&
+ !memcmp(cssmExt->extnId.Data, CSSMOID_APPLE_EXTENSION_ESCROW_SERVICE.Data,
+ APPLE_EXTENSION_ESCROW_SERVICE_LENGTH)) {
+ /* this is the Escrow Service Signing extension */
+ certInfo->foundEscrowServiceMarker = CSSM_TRUE;
+ }
+
+ if(iSignVerifyCriticalExtension(cssmExt) != CSSM_OK) {
+ /* BRRZAPP! Found an unknown extension marked critical */
+ certInfo->foundUnknownCritical = CSSM_TRUE;
+ goto fini;
+ }
+ CSSM_CL_FreeFieldValue(tpCert->clHand(),
+ &CSSMOID_X509V3CertificateExtensionCStruct,
+ fieldValue);
+ fieldValue = NULL;
+
+ /* process remaining unknown extensions */
+ for(unsigned i=1; i<numFields; i++) {
+ crtn = CSSM_CL_CertGetNextCachedFieldValue(tpCert->clHand(),
+ searchHand,
+ &fieldValue);
+ if(crtn) {
+ /* should never happen */
+ tpPolicyError("searchUnknownExtensions: GetNextCachedFieldValue"
+ "error");
+ break;
+ }
+ if(fieldValue->Length != sizeof(CSSM_X509_EXTENSION)) {
+ tpPolicyError("iSignSearchUnknownExtensions: "
+ "malformed CSSM_FIELD");
+ crtn = CSSMERR_TP_UNKNOWN_FORMAT;
+ break;
+ }
+
+ CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)fieldValue->Data;
+ if (cssmExt->extnId.Length == APPLE_EXTENSION_CODE_SIGNING_LENGTH+1 &&
+ !memcmp(cssmExt->extnId.Data, CSSMOID_APPLE_EXTENSION_PASSBOOK_SIGNING.Data,
+ APPLE_EXTENSION_CODE_SIGNING_LENGTH+1)) {
+ /* this is the Passbook Signing extension */
+ certInfo->foundPassbookSigning = CSSM_TRUE;
+ }
+ if (cssmExt->extnId.Length == APPLE_EXTENSION_SYSINT2_INTERMEDIATE_LENGTH &&
+ !memcmp(cssmExt->extnId.Data, CSSMOID_APPLE_EXTENSION_SYSINT2_INTERMEDIATE.Data,
+ APPLE_EXTENSION_SYSINT2_INTERMEDIATE_LENGTH)) {
+ /* this is the Apple System Integration 2 Signing extension */
+ certInfo->foundAppleSysInt2Marker = CSSM_TRUE;
+ }
+ if (cssmExt->extnId.Length == APPLE_EXTENSION_SERVER_AUTHENTICATION_LENGTH &&
+ !memcmp(cssmExt->extnId.Data, CSSMOID_APPLE_EXTENSION_SERVER_AUTHENTICATION.Data,
+ APPLE_EXTENSION_SERVER_AUTHENTICATION_LENGTH)) {
+ /* this is the Apple Server Authentication extension */
+ certInfo->foundAppleServerAuthMarker = CSSM_TRUE;
+ }
+ if (cssmExt->extnId.Length == APPLE_EXTENSION_ESCROW_SERVICE_LENGTH &&
+ !memcmp(cssmExt->extnId.Data, CSSMOID_APPLE_EXTENSION_ESCROW_SERVICE.Data,
+ APPLE_EXTENSION_ESCROW_SERVICE_LENGTH)) {
+ /* this is the Escrow Service Signing extension */
+ certInfo->foundEscrowServiceMarker = CSSM_TRUE;
+ }
+
+ if(iSignVerifyCriticalExtension(cssmExt) != CSSM_OK) {
+ /* BRRZAPP! Found an unknown extension marked critical */
+ certInfo->foundUnknownCritical = CSSM_TRUE;
+ break;
+ }
+ CSSM_CL_FreeFieldValue(tpCert->clHand(),
+ &CSSMOID_X509V3CertificateExtensionCStruct,
+ fieldValue);
+ fieldValue = NULL;
+ } /* for additional fields */
+
+fini:
+ if(fieldValue) {
+ CSSM_CL_FreeFieldValue(tpCert->clHand(),
+ &CSSMOID_X509V3CertificateExtensionCStruct,
+ fieldValue);
+ }
+ if(searchHand != CSSM_INVALID_HANDLE) {
+ CSSM_CL_CertAbortQuery(tpCert->clHand(), searchHand);
+ }
+ return crtn;
+}
+
+/*
+ * Check the signature algorithm. If it's known to be untrusted,
+ * flag certInfo->untrustedSigAlg.
+ */
+static void iSignCheckSignatureAlgorithm(
+ TPCertInfo *tpCert,
+ iSignCertInfo *certInfo)
+{
+ CSSM_X509_ALGORITHM_IDENTIFIER *algId = NULL;
+ CSSM_DATA_PTR valueToFree = NULL;
+
+ algId = tp_CertGetAlgId(tpCert, &valueToFree);
+ if(!algId ||
+ tpCompareCssmData(&algId->algorithm, &CSSMOID_MD2) ||
+ tpCompareCssmData(&algId->algorithm, &CSSMOID_MD2WithRSA) ||
+ tpCompareCssmData(&algId->algorithm, &CSSMOID_MD5) ||
+ tpCompareCssmData(&algId->algorithm, &CSSMOID_MD5WithRSA) ) {
+ certInfo->untrustedSigAlg = CSSM_TRUE;
+ } else {
+ certInfo->untrustedSigAlg = CSSM_FALSE;
+ }
+
+ if (valueToFree) {
+ tp_CertFreeAlgId(tpCert->clHand(), valueToFree);
+ }
+}
+
+/*
+ * Given a TPCertInfo, fetch the associated iSignCertInfo fields.
+ * Returns CSSM_FAIL on error.
+ */
+static CSSM_RETURN iSignGetCertInfo(
+ Allocator &alloc,
+ TPCertInfo *tpCert,
+ iSignCertInfo *certInfo)
+{
+ CSSM_RETURN crtn;
+
+ /* first grind thru the extensions we're interested in */
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_AuthorityKeyIdentifier,
+ &certInfo->authorityId);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_SubjectKeyIdentifier,
+ &certInfo->subjectId);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_KeyUsage,
+ &certInfo->keyUsage);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_ExtendedKeyUsage,
+ &certInfo->extendKeyUsage);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_BasicConstraints,
+ &certInfo->basicConstraints);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_NetscapeCertType,
+ &certInfo->netscapeCertType);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_SubjectAltName,
+ &certInfo->subjectAltName);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_CertificatePolicies,
+ &certInfo->certPolicies);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_QC_Statements,
+ &certInfo->qualCertStatements);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_NameConstraints,
+ &certInfo->nameConstraints);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_PolicyMappings,
+ &certInfo->policyMappings);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_PolicyConstraints,
+ &certInfo->policyConstraints);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_InhibitAnyPolicy,
+ &certInfo->inhibitAnyPolicy);
+ if(crtn) {
+ return crtn;
+ }
+ crtn = iSignFetchExtension(alloc,
+ tpCert,
+ &CSSMOID_CertificatePolicies,
+ &certInfo->certificatePolicies);
+ if(crtn) {
+ return crtn;
+ }
+
+ /* check signature algorithm field */
+ iSignCheckSignatureAlgorithm(tpCert, certInfo);
+
+ /* now look for extensions we don't understand - the only thing we're interested
+ * in is the critical flag. */
+ return iSignSearchUnknownExtensions(tpCert, certInfo);
+}
+
+/*
+ * Free (via CL) the fields allocated in iSignGetCertInfo().
+ */
+static void iSignFreeCertInfo(
+ CSSM_CL_HANDLE clHand,
+ iSignCertInfo *certInfo)
+{
+ if(certInfo->authorityId.present) {
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_AuthorityKeyIdentifier,
+ certInfo->authorityId.valToFree);
+ }
+ if(certInfo->subjectId.present) {
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_SubjectKeyIdentifier,
+ certInfo->subjectId.valToFree);
+ }
+ if(certInfo->keyUsage.present) {
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_KeyUsage,
+ certInfo->keyUsage.valToFree);
+ }
+ if(certInfo->extendKeyUsage.present) {
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_ExtendedKeyUsage,
+ certInfo->extendKeyUsage.valToFree);
+ }
+ if(certInfo->basicConstraints.present) {
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_BasicConstraints,
+ certInfo->basicConstraints.valToFree);
+ }
+ if(certInfo->netscapeCertType.present) {
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_NetscapeCertType,
+ certInfo->netscapeCertType.valToFree);
+ }
+ if(certInfo->subjectAltName.present) {
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_SubjectAltName,
+ certInfo->subjectAltName.valToFree);
+ }
+ if(certInfo->certPolicies.present) {
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_CertificatePolicies,
+ certInfo->certPolicies.valToFree);
+ }
+// if(certInfo->policyConstraints.present) {
+// CSSM_CL_FreeFieldValue(clHand, &CSSMOID_PolicyConstraints,
+// certInfo->policyConstraints.valToFree);
+// }
+ if(certInfo->qualCertStatements.present) {
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_QC_Statements,
+ certInfo->qualCertStatements.valToFree);
+ }
+ if(certInfo->certificatePolicies.present) {
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_CertificatePolicies,
+ certInfo->certificatePolicies.valToFree);
+ }
+}
+
+/*
+ * See if cert's Subject.{commonName,EmailAddress} matches caller-specified
+ * string. Returns CSSM_TRUE if match, else returns CSSM_FALSE.
+ * Also indicates whether *any* of the specified fields were found, regardless
+ * of match state.
+ */
+typedef enum {
+ SN_CommonName, // CSSMOID_CommonName, host name format
+ SN_Email, // CSSMOID_EmailAddress
+ SN_UserID, // CSSMOID_UserID
+ SN_OrgUnit // CSSMOID_OrganizationalUnitName
+} SubjSubjNameSearchType;
+
+static CSSM_BOOL tpCompareSubjectName(
+ TPCertInfo &cert,
+ SubjSubjNameSearchType searchType,
+ bool normalizeAll, // for SN_Email case: lower-case all of
+ // the cert's value, not just the portion
+ // after the '@'
+ const char *callerStr, // already tpToLower'd
+ uint32 callerStrLen,
+ bool &fieldFound)
+{
+ char *certName = NULL; // from cert's subject name
+ uint32 certNameLen = 0;
+ CSSM_DATA_PTR subjNameData = NULL;
+ CSSM_RETURN crtn;
+ CSSM_BOOL ourRtn = CSSM_FALSE;
+ const CSSM_OID *oidSrch;
+
+ const char x500_userid_oid[] = { 0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x01 };
+ CSSM_OID X500_UserID_OID = { sizeof(x500_userid_oid), (uint8*)x500_userid_oid };
+
+ fieldFound = false;
+ switch(searchType) {
+ case SN_CommonName:
+ oidSrch = &CSSMOID_CommonName;
+ break;
+ case SN_Email:
+ oidSrch = &CSSMOID_EmailAddress;
+ break;
+ case SN_UserID:
+ oidSrch = &X500_UserID_OID;
+ break;
+ case SN_OrgUnit:
+ oidSrch = &CSSMOID_OrganizationalUnitName;
+ break;
+ default:
+ assert(0);
+ return CSSM_FALSE;
+ }
+ crtn = cert.fetchField(&CSSMOID_X509V1SubjectNameCStruct, &subjNameData);
+ if(crtn) {
+ /* should never happen, we shouldn't be here if there is no subject */
+ tpPolicyError("tpCompareSubjectName: error retrieving subject name");
+ return CSSM_FALSE;
+ }
+ CSSM_X509_NAME_PTR x509name = (CSSM_X509_NAME_PTR)subjNameData->Data;
+ if((x509name == NULL) || (subjNameData->Length != sizeof(CSSM_X509_NAME))) {
+ tpPolicyError("tpCompareSubjectName: malformed CSSM_X509_NAME");
+ cert.freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
+ return CSSM_FALSE;
+ }
+
+ /* Now grunge thru the X509 name looking for a common name */
+ CSSM_X509_TYPE_VALUE_PAIR *ptvp;
+ CSSM_X509_RDN_PTR rdnp;
+ unsigned rdnDex;
+ unsigned pairDex;
+
+ for(rdnDex=0; rdnDex<x509name->numberOfRDNs; rdnDex++) {
+ rdnp = &x509name->RelativeDistinguishedName[rdnDex];
+ for(pairDex=0; pairDex<rdnp->numberOfPairs; pairDex++) {
+ ptvp = &rdnp->AttributeTypeAndValue[pairDex];
+ if(tpCompareOids(&ptvp->type, oidSrch)) {
+ fieldFound = true;
+ certName = (char *)ptvp->value.Data;
+ certNameLen = (uint32)ptvp->value.Length;
+ switch(searchType) {
+ case SN_CommonName:
+ {
+ /* handle odd encodings that we need to convert to 8-bit */
+ CFStringBuiltInEncodings encoding;
+ CFDataRef cfd = NULL;
+ bool doConvert = false;
+ switch(ptvp->valueType) {
+ case BER_TAG_T61_STRING:
+ /* a.k.a. Teletex */
+ encoding = kCFStringEncodingISOLatin1;
+ doConvert = true;
+ break;
+ case BER_TAG_PKIX_BMP_STRING:
+ encoding = kCFStringEncodingUnicode;
+ doConvert = true;
+ break;
+ /*
+ * All others - either take as is, or let it fail due to
+ * illegal/incomprehensible format
+ */
+ default:
+ break;
+ }
+ if(doConvert) {
+ /* raw data ==> CFString */
+ cfd = CFDataCreate(NULL, (UInt8 *)certName, certNameLen);
+ if(cfd == NULL) {
+ /* try next component */
+ break;
+ }
+ CFStringRef cfStr = CFStringCreateFromExternalRepresentation(
+ NULL, cfd, encoding);
+ CFRelease(cfd);
+ if(cfStr == NULL) {
+ tpPolicyError("tpCompareSubjectName: bad str (1)");
+ break;
+ }
+
+ /* CFString ==> straight ASCII */
+ cfd = CFStringCreateExternalRepresentation(NULL,
+ cfStr, kCFStringEncodingASCII, 0);
+ CFRelease(cfStr);
+ if(cfd == NULL) {
+ tpPolicyError("tpCompareSubjectName: bad str (2)");
+ break;
+ }
+ certNameLen = (uint32)CFDataGetLength(cfd);
+ certName = (char *)CFDataGetBytePtr(cfd);
+ }
+ ourRtn = tpCompareHostNames(callerStr, callerStrLen,
+ certName, certNameLen);
+ if(doConvert) {
+ assert(cfd != NULL);
+ CFRelease(cfd);
+ }
+ break;
+ }
+ case SN_Email:
+ ourRtn = tpCompareEmailAddr(callerStr, callerStrLen,
+ certName, certNameLen, normalizeAll);
+ break;
+ case SN_UserID:
+ case SN_OrgUnit:
+ /* exact match only here, for now */
+ ourRtn = ((callerStrLen == certNameLen) &&
+ !memcmp(callerStr, certName, certNameLen)) ?
+ CSSM_TRUE : CSSM_FALSE;
+ break;
+ }
+ if(ourRtn) {
+ /* success */
+ break;
+ }
+ /* else keep going, maybe there's another common name */
+ }
+ }
+ if(ourRtn) {
+ break;
+ }
+ }
+ cert.freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
+ return ourRtn;
+}
+
+/*
+ * Compare ASCII form of an IP address to a CSSM_DATA containing
+ * the IP address's numeric components. Returns true on match.
+ */
+static CSSM_BOOL tpCompIpAddrStr(
+ const char *str,
+ unsigned strLen,
+ const CSSM_DATA *numeric)
+{
+ const char *cp = str;
+ const char *nextDot;
+ char buf[100];
+
+ if((numeric == NULL) || (numeric->Length == 0) || (str == NULL)) {
+ return CSSM_FALSE;
+ }
+ if(cp[strLen - 1] == '\0') {
+ /* ignore NULL terminator */
+ strLen--;
+ }
+ for(unsigned dex=0; dex<numeric->Length; dex++) {
+ /* cp points to start of current string digit */
+ /* find next dot */
+ const char *lastChar = cp + strLen;
+ nextDot = cp + 1;
+ for( ; nextDot<lastChar; nextDot++) {
+ if(*nextDot == '.') {
+ break;
+ }
+ }
+ if(nextDot == lastChar) {
+ /* legal and required on last digit */
+ if(dex != (numeric->Length - 1)) {
+ return CSSM_FALSE;
+ }
+ }
+ else if(dex == (numeric->Length - 1)) {
+ return CSSM_FALSE;
+ }
+ ptrdiff_t digLen = nextDot - cp;
+ if(digLen >= sizeof(buf)) {
+ /* preposterous */
+ return CSSM_FALSE;
+ }
+ memmove(buf, cp, digLen);
+ buf[digLen] = '\0';
+ /* incr digLen to include the next dot */
+ digLen++;
+ cp += digLen;
+ strLen -= digLen;
+ int digVal = atoi(buf);
+ if(digVal != numeric->Data[dex]) {
+ return CSSM_FALSE;
+ }
+ }
+ return CSSM_TRUE;
+}
+
+/*
+ * See if cert's subjectAltName contains an element matching caller-specified
+ * string, hostname, in the following forms:
+ *
+ * SAN_HostName : dnsName, iPAddress
+ * SAN_Email : RFC822Name
+ *
+ * Returns CSSM_TRUE if match, else returns CSSM_FALSE.
+ *
+ * Also indicates whether or not a dnsName (search type HostName) or
+ * RFC822Name (search type SAM_Email) was found, regardless of result
+ * of comparison.
+ *
+ * The appStr/appStrLen args are optional - if NULL/0, only the
+ * search for dnsName/RFC822Name is done.
+ */
+typedef enum {
+ SAN_HostName,
+ SAN_Email
+} SubjAltNameSearchType;
+
+static CSSM_BOOL tpCompareSubjectAltName(
+ const iSignExtenInfo &subjAltNameInfo,
+ const char *appStr, // caller has lower-cased as appropriate
+ uint32 appStrLen,
+ SubjAltNameSearchType searchType,
+ bool normalizeAll, // for SAN_Email case: lower-case all of
+ // the cert's value, not just the portion
+ // after the '@'
+ bool &dnsNameFound, // RETURNED, SAN_HostName case
+ bool &emailFound) // RETURNED, SAN_Email case
+{
+ dnsNameFound = false;
+ emailFound = false;
+ if(!subjAltNameInfo.present) {
+ /* common failure, no subjectAltName found */
+ return CSSM_FALSE;
+ }
+
+ CE_GeneralNames *names = &subjAltNameInfo.extnData->subjectAltName;
+ CSSM_BOOL ourRtn = CSSM_FALSE;
+ char *certName;
+ uint32 certNameLen;
+
+ /* Search thru the CE_GeneralNames looking for the appropriate attribute */
+ for(unsigned dex=0; dex<names->numNames; dex++) {
+ CE_GeneralName *name = &names->generalName[dex];
+ switch(searchType) {
+ case SAN_HostName:
+ switch(name->nameType) {
+ case GNT_IPAddress:
+ if(appStr == NULL) {
+ /* nothing to do here */
+ break;
+ }
+ ourRtn = tpCompIpAddrStr(appStr, appStrLen, &name->name);
+ break;
+
+ case GNT_DNSName:
+ if(name->berEncoded) {
+ tpErrorLog("tpCompareSubjectAltName: malformed "
+ "CE_GeneralName (1)\n");
+ break;
+ }
+ certName = (char *)name->name.Data;
+ if(certName == NULL) {
+ tpErrorLog("tpCompareSubjectAltName: malformed "
+ "CE_GeneralName (2)\n");
+ break;
+ }
+ certNameLen = (uint32)(name->name.Length);
+ dnsNameFound = true;
+ if(appStr != NULL) {
+ /* skip if caller passed in NULL */
+ ourRtn = tpCompareHostNames(appStr, appStrLen,
+ certName, certNameLen);
+ }
+ break;
+
+ default:
+ /* not interested, proceed to next name */
+ break;
+ }
+ break; /* from case HostName */
+
+ case SAN_Email:
+ if(name->nameType != GNT_RFC822Name) {
+ /* not interested */
+ break;
+ }
+ certName = (char *)name->name.Data;
+ if(certName == NULL) {
+ tpErrorLog("tpCompareSubjectAltName: malformed "
+ "GNT_RFC822Name\n");
+ break;
+ }
+ certNameLen = (uint32)(name->name.Length);
+ emailFound = true;
+ if(appStr != NULL) {
+ ourRtn = tpCompareEmailAddr(appStr, appStrLen, certName,
+ certNameLen, normalizeAll);
+ }
+ break;
+ }
+ if(ourRtn) {
+ /* success */
+ break;
+ }
+ }
+ return ourRtn;
+}
+
+/* is host name in the form of a.b.c.d, where a,b,c, and d are digits? */
+static CSSM_BOOL tpIsNumeric(
+ const char *hostName,
+ unsigned hostNameLen)
+{
+ if(hostName[hostNameLen - 1] == '\0') {
+ /* ignore NULL terminator */
+ hostNameLen--;
+ }
+ for(unsigned i=0; i<hostNameLen; i++) {
+ char c = *hostName++;
+ if(isdigit(c)) {
+ continue;
+ }
+ if(c != '.') {
+ return CSSM_FALSE;
+ }
+ }
+ return CSSM_TRUE;
+}
+
+/*
+ * Convert a typed string represented by a CSSM_X509_TYPE_VALUE_PAIR to a
+ * CFStringRef. Caller owns and must release the result. NULL return means
+ * unconvertible input "string".
+ */
+static CFStringRef tpTvpToCfString(
+ const CSSM_X509_TYPE_VALUE_PAIR *tvp)
+{
+ CFStringBuiltInEncodings encoding;
+ switch(tvp->valueType) {
+ case BER_TAG_T61_STRING:
+ /* a.k.a. Teletex */
+ encoding = kCFStringEncodingISOLatin1;
+ break;
+ case BER_TAG_PKIX_BMP_STRING:
+ encoding = kCFStringEncodingUnicode;
+ break;
+ case BER_TAG_PRINTABLE_STRING:
+ case BER_TAG_IA5_STRING:
+ case BER_TAG_PKIX_UTF8_STRING:
+ encoding = kCFStringEncodingUTF8;
+ break;
+ default:
+ return NULL;
+ }
+
+ /* raw data ==> CFString */
+ CFDataRef cfd = CFDataCreate(NULL, tvp->value.Data, tvp->value.Length);
+ if(cfd == NULL) {
+ return NULL;
+ }
+ CFStringRef cfStr = CFStringCreateFromExternalRepresentation(NULL, cfd, encoding);
+ CFRelease(cfd);
+ return cfStr;
+}
+
+/*
+ * Compare a CFString and a string represented by a CSSM_X509_TYPE_VALUE_PAIR.
+ * Returns CSSM_TRUE if they are equal.
+ */
+static bool tpCompareTvpToCfString(
+ const CSSM_X509_TYPE_VALUE_PAIR *tvp,
+ CFStringRef refStr,
+ CFOptionFlags flags) // e.g., kCFCompareCaseInsensitive
+{
+ CFStringRef cfStr = tpTvpToCfString(tvp);
+ if(cfStr == NULL) {
+ return false;
+ }
+ CFComparisonResult res = CFStringCompare(refStr, cfStr, flags);
+ CFRelease(cfStr);
+ if(res == kCFCompareEqualTo) {
+ return true;
+ }
+ else {
+ return false;
+ }
+}
+
+/*
+ * Given one iSignCertInfo, determine whether or not the specified
+ * EKU OID, or - optionally - CSSMOID_ExtendedKeyUsageAny - is present.
+ * Returns true if so, else false.
+ */
+static bool tpVerifyEKU(
+ const iSignCertInfo &certInfo,
+ const CSSM_OID &ekuOid,
+ bool ekuAnyOK) // if true, CSSMOID_ExtendedKeyUsageAny counts as "found"
+{
+ if(!certInfo.extendKeyUsage.present) {
+ return false;
+ }
+ CE_ExtendedKeyUsage *eku = &certInfo.extendKeyUsage.extnData->extendedKeyUsage;
+ assert(eku != NULL);
+
+ for(unsigned i=0; i<eku->numPurposes; i++) {
+ const CSSM_OID *foundEku = &eku->purposes[i];
+ if(tpCompareOids(foundEku, &ekuOid)) {
+ return true;
+ }
+ if(ekuAnyOK && tpCompareOids(foundEku, &CSSMOID_ExtendedKeyUsageAny)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+/*
+ * Given one iSignCertInfo, determine whether or not the specified
+ * Certificate Policy OID, or - optionally - CSSMOID_ANY_POLICY - is present.
+ * Returns true if so, else false.
+ */
+static bool tpVerifyCPE(
+ const iSignCertInfo &certInfo,
+ const CSSM_OID &cpOid,
+ bool anyPolicyOK) // if true, CSSMOID_ANY_POLICY counts as "found"
+{
+ if(!certInfo.certPolicies.present) {
+ return false;
+ }
+ CE_CertPolicies *cp = &certInfo.certPolicies.extnData->certPolicies;
+ assert(cp != NULL);
+
+ for(unsigned i=0; i<cp->numPolicies; i++) {
+ const CE_PolicyInformation *foundPolicy = &cp->policies[i];
+ if(tpCompareOids(&foundPolicy->certPolicyId, &cpOid)) {
+ return true;
+ }
+ if(anyPolicyOK && tpCompareOids(&foundPolicy->certPolicyId, &CSSMOID_ANY_POLICY)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+/*
+ * Verify iChat handle. We search for a matching (case-insensitive) string
+ * comprised of:
+ *
+ * -- name component ("dmitch") from subject name's CommonName
+ * -- implicit '@'
+ * -- domain name from subject name's organizationalUnit
+ *
+ * Plus we require an Organization component of "Apple Computer, Inc." or "Apple Inc."
+ */
+static bool tpCompareIChatHandleName(
+ TPCertInfo &cert,
+ const char *iChatHandle, // UTF8
+ uint32 iChatHandleLen)
+{
+ CSSM_DATA_PTR subjNameData = NULL; // from fetchField
+ CSSM_RETURN crtn;
+ bool ourRtn = false;
+ CSSM_X509_NAME_PTR x509name;
+ CSSM_X509_TYPE_VALUE_PAIR *ptvp;
+ CSSM_X509_RDN_PTR rdnp;
+ unsigned rdnDex;
+ unsigned pairDex;
+
+ /* search until all of these are true */
+ CSSM_BOOL commonNameMatch = CSSM_FALSE; // name before '@'
+ CSSM_BOOL orgUnitMatch = CSSM_FALSE; // domain after '@
+ CSSM_BOOL orgMatch = CSSM_FALSE; // Apple Computer, Inc. (or Apple Inc.)
+
+ /*
+ * incoming UTF8 handle ==> two components.
+ * First convert to CFString.
+ */
+ if(iChatHandle[iChatHandleLen - 1] == '\0') {
+ /* avoid NULL when creating CFStrings */
+ iChatHandleLen--;
+ }
+ CFDataRef cfd = CFDataCreate(NULL, (const UInt8 *)iChatHandle, iChatHandleLen);
+ if(cfd == NULL) {
+ return false;
+ }
+ CFStringRef handleStr = CFStringCreateFromExternalRepresentation(NULL, cfd,
+ kCFStringEncodingUTF8);
+ CFRelease(cfd);
+ if(handleStr == NULL) {
+ tpPolicyError("tpCompareIChatHandleName: bad incoming handle (1)");
+ return false;
+ }
+
+ /*
+ * Find the '@' delimiter
+ */
+ CFRange whereIsAt;
+ whereIsAt = CFStringFind(handleStr, CFSTR("@"), 0);
+ if(whereIsAt.length == 0) {
+ tpPolicyError("tpCompareIChatHandleName: bad incoming handle: no @");
+ CFRelease(handleStr);
+ return false;
+ }
+
+ /*
+ * Two components, before and after delimiter
+ */
+ CFRange r = {0, whereIsAt.location};
+ CFStringRef iChatName = CFStringCreateWithSubstring(NULL, handleStr, r);
+ if(iChatName == NULL) {
+ tpPolicyError("tpCompareIChatHandleName: bad incoming handle (2)");
+ CFRelease(handleStr);
+ return false;
+ }
+ r.location = whereIsAt.location + 1; // after the '@'
+ r.length = CFStringGetLength(handleStr) - r.location;
+ CFStringRef iChatDomain = CFStringCreateWithSubstring(NULL, handleStr, r);
+ CFRelease(handleStr);
+ if(iChatDomain == NULL) {
+ tpPolicyError("tpCompareIChatHandleName: bad incoming handle (3)");
+ CFRelease(iChatName);
+ return false;
+ }
+ /* subsequent errors to errOut: */
+
+ /* get subject name in CSSM form, all subsequent ops work on that */
+ crtn = cert.fetchField(&CSSMOID_X509V1SubjectNameCStruct, &subjNameData);
+ if(crtn) {
+ /* should never happen, we shouldn't be here if there is no subject */
+ tpPolicyError("tpCompareIChatHandleName: error retrieving subject name");
+ goto errOut;
+ }
+
+ x509name = (CSSM_X509_NAME_PTR)subjNameData->Data;
+ if((x509name == NULL) || (subjNameData->Length != sizeof(CSSM_X509_NAME))) {
+ tpPolicyError("tpCompareIChatHandleName: malformed CSSM_X509_NAME");
+ goto errOut;
+ }
+
+ /* Now grunge thru the X509 name looking for three fields */
+
+ for(rdnDex=0; rdnDex<x509name->numberOfRDNs; rdnDex++) {
+ rdnp = &x509name->RelativeDistinguishedName[rdnDex];
+ for(pairDex=0; pairDex<rdnp->numberOfPairs; pairDex++) {
+ ptvp = &rdnp->AttributeTypeAndValue[pairDex];
+ if(!commonNameMatch &&
+ tpCompareOids(&ptvp->type, &CSSMOID_CommonName) &&
+ tpCompareTvpToCfString(ptvp, iChatName, kCFCompareCaseInsensitive)) {
+ commonNameMatch = CSSM_TRUE;
+ }
+
+ if(!orgUnitMatch &&
+ tpCompareOids(&ptvp->type, &CSSMOID_OrganizationalUnitName) &&
+ tpCompareTvpToCfString(ptvp, iChatDomain, kCFCompareCaseInsensitive)) {
+ orgUnitMatch = CSSM_TRUE;
+ }
+
+ if(!orgMatch &&
+ tpCompareOids(&ptvp->type, &CSSMOID_OrganizationName) &&
+ /* this one is case sensitive */
+ (tpCompareTvpToCfString(ptvp, CFSTR("Apple Computer, Inc."), 0) ||
+ tpCompareTvpToCfString(ptvp, CFSTR("Apple Inc."), 0))) {
+ orgMatch = CSSM_TRUE;
+ }
+
+ if(commonNameMatch && orgUnitMatch && orgMatch) {
+ /* TA DA */
+ ourRtn = true;
+ goto errOut;
+ }
+ }
+ }
+errOut:
+ cert.freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
+ CFRelease(iChatName);
+ CFRelease(iChatDomain);
+ return ourRtn;
+}
+
+/*
+ * Verify SSL options. Currently this just consists of matching the
+ * leaf cert's subject common name against the caller's (optional)
+ * server name.
+ */
+static CSSM_RETURN tp_verifySslOpts(
+ TPPolicy policy,
+ TPCertGroup &certGroup,
+ const CSSM_DATA *sslFieldOpts,
+ const iSignCertInfo *certInfo) // all certs, size certGroup.numCerts()
+{
+ const iSignCertInfo &leafCertInfo = certInfo[0];
+ CSSM_APPLE_TP_SSL_OPTIONS *sslOpts = NULL;
+ unsigned hostNameLen = 0;
+ const char *serverName = NULL;
+ TPCertInfo *leaf = certGroup.certAtIndex(0);
+ assert(leaf != NULL);
+
+ /* CSSM_APPLE_TP_SSL_OPTIONS is optional */
+ if((sslFieldOpts != NULL) && (sslFieldOpts->Data != NULL)) {
+ sslOpts = (CSSM_APPLE_TP_SSL_OPTIONS *)sslFieldOpts->Data;
+ switch(sslOpts->Version) {
+ case CSSM_APPLE_TP_SSL_OPTS_VERSION:
+ if(sslFieldOpts->Length != sizeof(CSSM_APPLE_TP_SSL_OPTIONS)) {
+ return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ }
+ break;
+ /* handle backwards compatibility here if necessary */
+ default:
+ return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ }
+ hostNameLen = sslOpts->ServerNameLen;
+ serverName = sslOpts->ServerName;
+ }
+
+ /* host name check is optional */
+ if(hostNameLen != 0) {
+ if(serverName == NULL) {
+ return CSSMERR_TP_INVALID_POINTER;
+ }
+
+ /* convert caller's hostname string to lower case */
+ char *hostName = (char *)certGroup.alloc().malloc(hostNameLen);
+ memmove(hostName, serverName, hostNameLen);
+ tpToLower(hostName, hostNameLen);
+
+ CSSM_BOOL match = CSSM_FALSE;
+
+ /* First check subjectAltName... */
+ bool dnsNameFound = false;
+ bool dummy;
+ match = tpCompareSubjectAltName(leafCertInfo.subjectAltName,
+ hostName, hostNameLen,
+ SAN_HostName, false, dnsNameFound, dummy);
+
+ /*
+ * Then common name, if
+ * -- no match from subjectAltName, AND
+ * -- dnsName was NOT found, AND
+ * -- hostName is not strictly numeric form (1.2.3.4)
+ */
+ if(!match && !dnsNameFound && !tpIsNumeric(hostName, hostNameLen)) {
+ bool fieldFound;
+ match = tpCompareSubjectName(*leaf, SN_CommonName, false, hostName, hostNameLen,
+ fieldFound);
+ }
+
+ /*
+ * Limit allowed domains for specific anchors
+ */
+ CSSM_BOOL domainMatch = CSSM_TRUE;
+ if(match) {
+ TPCertInfo *tpCert = certGroup.lastCert();
+ if (tpCert) {
+ const CSSM_DATA *certData = tpCert->itemData();
+ unsigned char digest[CC_SHA1_DIGEST_LENGTH];
+ CC_SHA1(certData->Data, (CC_LONG)certData->Length, digest);
+ if (!memcmp(digest, kAppleCorpCASHA1, sizeof(digest))) {
+ const char *dnlist[] = { "apple.com", "icloud.com" };
+ unsigned int idx, dncount=2;
+ domainMatch = CSSM_FALSE;
+ for(idx=0;idx<dncount;idx++) {
+ uint32 len=(uint32)strlen(dnlist[idx]);
+ char *domainName=(char*)certGroup.alloc().malloc(len);
+ memmove(domainName, (char*)dnlist[idx], len);
+ if(tpCompareDomainSuffix(hostName, hostNameLen,
+ domainName, len)) {
+ domainMatch = CSSM_TRUE;
+ }
+ certGroup.alloc().free(domainName);
+ if (domainMatch) {
+ break;
+ }
+ }
+ }
+ }
+ }
+
+ certGroup.alloc().free(hostName);
+ if(!match) {
+ if(leaf->addStatusCode(CSSMERR_APPLETP_HOSTNAME_MISMATCH)) {
+ return CSSMERR_APPLETP_HOSTNAME_MISMATCH;
+ }
+ }
+ if(!domainMatch) {
+ if(leaf->addStatusCode(CSSMERR_APPLETP_CA_PIN_MISMATCH)) {
+ return CSSMERR_APPLETP_CA_PIN_MISMATCH;
+ }
+ }
+ }
+
+ /*
+ * Ensure that, if an extendedKeyUsage extension is present in the
+ * leaf, that either anyExtendedKeyUsage or the appropriate
+ * CSSMOID_{Server,Client}Auth, or a SeverGatedCrypto usage is present.
+ */
+ const iSignExtenInfo &ekuInfo = leafCertInfo.extendKeyUsage;
+ if(ekuInfo.present) {
+ bool foundGoodEku = false;
+ bool isServer = true;
+ CE_ExtendedKeyUsage *eku = (CE_ExtendedKeyUsage *)ekuInfo.extnData;
+ assert(eku != NULL);
+
+ /*
+ * Determine appropriate extended key usage; default is SSL server
+ */
+ const CSSM_OID *extUse = &CSSMOID_ServerAuth;
+ if((sslOpts != NULL) && /* optional, default server side */
+ (sslOpts->Version > 0) && /* this was added in struct version 1 */
+ (sslOpts->Flags & CSSM_APPLE_TP_SSL_CLIENT)) {
+ extUse = &CSSMOID_ClientAuth;
+ isServer = false;
+ }
+
+ /* search for that one or for "any" indicator */
+ for(unsigned i=0; i<eku->numPurposes; i++) {
+ const CSSM_OID *purpose = &eku->purposes[i];
+ if(tpCompareOids(purpose, extUse)) {
+ foundGoodEku = true;
+ break;
+ }
+ if(tpCompareOids(purpose, &CSSMOID_ExtendedKeyUsageAny)) {
+ foundGoodEku = true;
+ break;
+ }
+ if((policy == kTP_IPSec) && (tpCompareOids(purpose, &CSSMOID_EKU_IPSec))) {
+ foundGoodEku = true;
+ break;
+ }
+ if(isServer) {
+ /* server gated crypto: server side only */
+ if(tpCompareOids(purpose, &CSSMOID_NetscapeSGC)) {
+ foundGoodEku = true;
+ break;
+ }
+ if(tpCompareOids(purpose, &CSSMOID_MicrosoftSGC)) {
+ foundGoodEku = true;
+ break;
+ }
+ }
+ }
+ if(!foundGoodEku) {
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE)) {
+ return CSSMERR_TP_VERIFY_ACTION_FAILED;
+ }
+ }
+ }
+
+ /*
+ * Check for additional options flag (2nd lowest bit set) which indicates
+ * we must be issued by an Apple intermediate with a particular extension.
+ * (This flag is set by SecPolicyCreateAppleSSLService in SecPolicy.cpp.)
+ */
+ if((sslOpts != NULL) &&
+ (sslOpts->Version > 0) && /* this was added in struct version 1 */
+ (sslOpts->Flags & 0x00000002)) {
+
+ if (certGroup.numCerts() > 1) {
+ const iSignCertInfo *isCertInfo = &certInfo[1];
+ if (!(isCertInfo->foundAppleServerAuthMarker == CSSM_TRUE)) {
+ TPCertInfo *tpCert = certGroup.certAtIndex(1);
+ tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION);
+ return CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ }
+ }
+ else {
+ /* we only have the leaf? */
+ if(leaf->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION)) {
+ return CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ }
+ }
+ }
+ return CSSM_OK;
+}
+
+/*
+ * Verify SMIME and iChat options.
+ * This deals with both S/MIME and iChat policies; within the iChat domain it
+ * deals with Apple-specific .mac certs as well as what we call "generic AIM"
+ * certs, as used in the Windows AIM client.
+ */
+#define CE_CIPHER_MASK (~(CE_KU_EncipherOnly | CE_KU_DecipherOnly))
+
+static CSSM_RETURN tp_verifySmimeOpts(
+ TPPolicy policy,
+ TPCertGroup &certGroup,
+ const CSSM_DATA *smimeFieldOpts,
+ const iSignCertInfo *certInfo) // all certs, size certGroup.numCerts()
+{
+ const iSignCertInfo &leafCertInfo = certInfo[0];
+ bool iChat = (policy == kTP_iChat) ? true : false;
+ /*
+ * The CSSM_APPLE_TP_SMIME_OPTIONS pointer is optional as is everything in it.
+ */
+ CSSM_APPLE_TP_SMIME_OPTIONS *smimeOpts = NULL;
+ if(smimeFieldOpts != NULL) {
+ smimeOpts = (CSSM_APPLE_TP_SMIME_OPTIONS *)smimeFieldOpts->Data;
+ }
+ if(smimeOpts != NULL) {
+ switch(smimeOpts->Version) {
+ case CSSM_APPLE_TP_SMIME_OPTS_VERSION:
+ if(smimeFieldOpts->Length !=
+ sizeof(CSSM_APPLE_TP_SMIME_OPTIONS)) {
+ return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ }
+ break;
+ /* handle backwards compatibility here if necessary */
+ default:
+ return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ }
+ }
+
+ TPCertInfo *leaf = certGroup.certAtIndex(0);
+ assert(leaf != NULL);
+
+ /* Verify optional email address, a.k.a. handle for iChat policy */
+ unsigned emailLen = 0;
+ if(smimeOpts != NULL) {
+ emailLen = smimeOpts->SenderEmailLen;
+ }
+
+ bool match = false;
+ bool emailFoundInSAN = false;
+ bool iChatHandleFound = false; /* indicates a genuine Apple iChat cert */
+ bool emailFoundInDN = false;
+ if(emailLen != 0) {
+ if(smimeOpts->SenderEmail == NULL) {
+ return CSSMERR_TP_INVALID_POINTER;
+ }
+
+ /* iChat - first try the Apple custom format */
+ if(iChat) {
+ iChatHandleFound = tpCompareIChatHandleName(*leaf, smimeOpts->SenderEmail,
+ emailLen);
+ if(iChatHandleFound) {
+ match = true;
+ }
+
+ }
+
+ if(!match) {
+ /*
+ * normalize caller's email string
+ * SMIME - lowercase only the portion after '@'
+ * iChat - lowercase all of it
+ */
+ char *email = (char *)certGroup.alloc().malloc(emailLen);
+ memmove(email, smimeOpts->SenderEmail, emailLen);
+ tpNormalizeAddrSpec(email, emailLen, iChat);
+
+
+ /*
+ * First check subjectAltName. The emailFound bool indicates
+ * that *some* email address was found, regardless of a match
+ * condition.
+ */
+ bool dummy;
+ match = tpCompareSubjectAltName(leafCertInfo.subjectAltName,
+ email, emailLen,
+ SAN_Email, iChat, dummy, emailFoundInSAN);
+
+ /*
+ * Then subject DN, CSSMOID_EmailAddress, if no match from
+ * subjectAltName. In this case the whole email address is
+ * case insensitive (RFC 3280, section 4.1.2.6), so
+ * renormalize.
+ */
+ if(!match) {
+ tpNormalizeAddrSpec(email, emailLen, true);
+ match = tpCompareSubjectName(*leaf, SN_Email, true, email, emailLen,
+ emailFoundInDN);
+ }
+ certGroup.alloc().free(email);
+
+ /*
+ * Error here if no match found but there was indeed *some*
+ * email address in the cert.
+ */
+ if(!match && (emailFoundInSAN || emailFoundInDN)) {
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND)) {
+ tpPolicyError("SMIME email addrs in cert but no match");
+ return CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND;
+ }
+ }
+ }
+
+ /*
+ * iChat only: error if app specified email address but there was
+ * none in the cert.
+ */
+ if(iChat && !emailFoundInSAN && !emailFoundInDN && !iChatHandleFound) {
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS)) {
+ tpPolicyError("iChat: no email address or handle in cert");
+ return CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS;
+ }
+ }
+ }
+
+ /*
+ * Going by the letter of the law, here's what RFC 2632 has to say
+ * about the legality of an empty Subject Name:
+ *
+ * ...the subject DN in a user's (i.e. end-entity) certificate MAY
+ * be an empty SEQUENCE in which case the subjectAltName extension
+ * will include the subject's identifier and MUST be marked as
+ * critical.
+ *
+ * OK, first examine the leaf cert's subject name.
+ */
+ CSSM_RETURN crtn;
+ CSSM_DATA_PTR subjNameData = NULL;
+ const iSignExtenInfo &kuInfo = leafCertInfo.keyUsage;
+ const iSignExtenInfo &ekuInfo = leafCertInfo.extendKeyUsage;
+ const CSSM_X509_NAME *x509Name = NULL;
+
+ if(iChat) {
+ /* empty subject name processing is S/MIME only */
+ goto checkEku;
+ }
+
+ crtn = leaf->fetchField(&CSSMOID_X509V1SubjectNameCStruct, &subjNameData);
+ if(crtn) {
+ /* This should really never happen */
+ tpPolicyError("SMIME policy: error fetching subjectName");
+ leaf->addStatusCode(CSSMERR_TP_INVALID_CERTIFICATE);
+ return CSSMERR_TP_INVALID_CERTIFICATE;
+ }
+ /* must do a leaf->freeField(&CSSMOID_X509V1SubjectNameCStruct on exit */
+
+ x509Name = (const CSSM_X509_NAME *)subjNameData->Data;
+ if(x509Name->numberOfRDNs == 0) {
+ /*
+ * Empty subject name. If we haven't already seen a valid
+ * email address in the subject alternate name (by looking
+ * for a specific address specified by app), try to find
+ * one now.
+ */
+ if(!emailFoundInSAN && // haven't found one, and
+ (emailLen == 0)) { // didn't even look yet
+ bool dummy;
+ tpCompareSubjectAltName(leafCertInfo.subjectAltName,
+ NULL, 0, // email, emailLen,
+ SAN_Email, false, dummy,
+ emailFoundInSAN); // the variable we're updating
+ }
+ if(!emailFoundInSAN) {
+ tpPolicyError("SMIME policy fail: empty subject name and "
+ "no Email Addrs in SubjectAltName");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS)) {
+ leaf->freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
+ return CSSMERR_TP_VERIFY_ACTION_FAILED;
+ }
+ else {
+ /* have to skip the next block */
+ goto postSAN;
+ }
+ }
+
+ /*
+ * One more thing: this leaf must indeed have a subjAltName
+ * extension and it must be critical. We would not have gotten this
+ * far if the subjAltName extension was not actually present....
+ */
+ assert(leafCertInfo.subjectAltName.present);
+ if(!leafCertInfo.subjectAltName.critical) {
+ tpPolicyError("SMIME policy fail: empty subject name and "
+ "no Email Addrs in SubjectAltName");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT)) {
+ leaf->freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
+ return CSSMERR_TP_VERIFY_ACTION_FAILED;
+ }
+ }
+ }
+postSAN:
+ leaf->freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
+
+ /*
+ * Enforce the usage of the key associated with the leaf cert.
+ * Cert's KeyUsage must be a superset of what the app is trying to do.
+ * Note the {en,de}cipherOnly flags are handled separately....
+ */
+ if(kuInfo.present && (smimeOpts != NULL)) {
+ CE_KeyUsage certKu = *((CE_KeyUsage *)kuInfo.extnData);
+ CE_KeyUsage appKu = smimeOpts->IntendedUsage;
+ CE_KeyUsage intersection = certKu & appKu;
+ if((intersection & CE_CIPHER_MASK) != (appKu & CE_CIPHER_MASK)) {
+ tpPolicyError("SMIME KeyUsage err: appKu 0x%x certKu 0x%x",
+ appKu, certKu);
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE)) {
+ return CSSMERR_TP_VERIFY_ACTION_FAILED;
+ }
+ }
+
+ /* Now the en/de cipher only bits - for keyAgreement only */
+ if(appKu & CE_KU_KeyAgreement) {
+ /*
+ * 1. App wants to use this for key agreement; it must
+ * say what it wants to do with the derived key.
+ * In this context, the app's XXXonly bit means that
+ * it wants to use the key for that op - not necessarliy
+ * "only".
+ */
+ if((appKu & (CE_KU_EncipherOnly | CE_KU_DecipherOnly)) == 0) {
+ tpPolicyError("SMIME KeyUsage err: KeyAgreement with "
+ "no Encipher or Decipher");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE)) {
+ return CSSMERR_TP_VERIFY_ACTION_FAILED;
+ }
+ }
+
+ /*
+ * 2. If cert restricts to encipher only make sure the
+ * app isn't trying to decipher.
+ */
+ if((certKu & CE_KU_EncipherOnly) &&
+ (appKu & CE_KU_DecipherOnly)) {
+ tpPolicyError("SMIME KeyUsage err: cert EncipherOnly, "
+ "app wants to decipher");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE)) {
+ return CSSMERR_TP_VERIFY_ACTION_FAILED;
+ }
+ }
+
+ /*
+ * 3. If cert restricts to decipher only make sure the
+ * app isn't trying to encipher.
+ */
+ if((certKu & CE_KU_DecipherOnly) &&
+ (appKu & CE_KU_EncipherOnly)) {
+ tpPolicyError("SMIME KeyUsage err: cert DecipherOnly, "
+ "app wants to encipher");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE)) {
+ return CSSMERR_TP_VERIFY_ACTION_FAILED;
+ }
+ }
+ }
+ }
+
+ /*
+ * Extended Key Use verification, which is different for the two policies.
+ */
+checkEku:
+ if(iChat && !ekuInfo.present) {
+ /*
+ * iChat: whether generic AIM cert or Apple .mac/iChat cert, we must have an
+ * extended key use extension.
+ */
+ tpPolicyError("iChat: No extended Key Use");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE)) {
+ return CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE;
+ }
+ }
+
+ if(!iChatHandleFound) {
+ /*
+ * S/MIME and generic AIM certs when evaluating iChat policy.
+ * Look for either emailProtection or anyExtendedKeyUsage usages.
+ *
+ * S/MIME : the whole extension is optional.
+ * iChat : extension must be there (which we've already covered, above)
+ * and we must find one of those extensions.
+ */
+ if(ekuInfo.present) {
+ bool foundGoodEku = false;
+ CE_ExtendedKeyUsage *eku = (CE_ExtendedKeyUsage *)ekuInfo.extnData;
+ assert(eku != NULL);
+ for(unsigned i=0; i<eku->numPurposes; i++) {
+ if(tpCompareOids(&eku->purposes[i], &CSSMOID_EmailProtection)) {
+ foundGoodEku = true;
+ break;
+ }
+ if(tpCompareOids(&eku->purposes[i], &CSSMOID_ExtendedKeyUsageAny)) {
+ foundGoodEku = true;
+ break;
+ }
+ }
+ if(!foundGoodEku) {
+ tpPolicyError("iChat/SMIME: No appropriate extended Key Use");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE)) {
+ return CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE;
+ }
+ }
+ }
+ }
+ else {
+ /*
+ * Apple iChat cert. Look for anyExtendedKeyUsage, iChatSigning,
+ * ichatEncrypting - the latter of two which can optionally be
+ * required by app.
+ */
+ assert(iChat); /* or we could not have even looked for an iChat style handle */
+ assert(ekuInfo.present); /* checked above */
+ bool foundAnyEku = false;
+ bool foundIChatSign = false;
+ bool foundISignEncrypt = false;
+ CE_ExtendedKeyUsage *eku = (CE_ExtendedKeyUsage *)ekuInfo.extnData;
+ assert(eku != NULL);
+
+ for(unsigned i=0; i<eku->numPurposes; i++) {
+ if(tpCompareOids(&eku->purposes[i],
+ &CSSMOID_APPLE_EKU_ICHAT_SIGNING)) {
+ foundIChatSign = true;
+ }
+ else if(tpCompareOids(&eku->purposes[i],
+ &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION)) {
+ foundISignEncrypt = true;
+ }
+ else if(tpCompareOids(&eku->purposes[i], &CSSMOID_ExtendedKeyUsageAny)) {
+ foundAnyEku = true;
+ }
+ }
+
+ if(!foundAnyEku && !foundISignEncrypt && !foundIChatSign) {
+ /* No go - no acceptable uses found */
+ tpPolicyError("iChat: No valid extended Key Uses found");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE)) {
+ return CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE;
+ }
+ }
+
+ /* check for specifically required uses */
+ if((smimeOpts != NULL) && (smimeOpts->IntendedUsage != 0)) {
+ if(smimeOpts->IntendedUsage & CE_KU_DigitalSignature) {
+ if(!foundIChatSign) {
+ tpPolicyError("iChat: ICHAT_SIGNING required, but missing");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE)) {
+ return CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE;
+ }
+ }
+ }
+ if(smimeOpts->IntendedUsage & CE_KU_DataEncipherment) {
+ if(!foundISignEncrypt) {
+ tpPolicyError("iChat: ICHAT_ENCRYPT required, but missing");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE)) {
+ return CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE;
+ }
+ }
+ }
+ } /* checking IntendedUsage */
+ } /* iChat cert format */
+
+ return CSSM_OK;
+}
+
+/*
+ * Verify Apple SW Update signing (was Apple Code Signing, pre-Leopard) options.
+ *
+ * -- Must have one intermediate cert
+ * -- intermediate must have basic constraints with path length 0
+ * -- intermediate has CSSMOID_APPLE_EKU_CODE_SIGNING EKU
+ * -- leaf cert has either CODE_SIGNING or CODE_SIGN_DEVELOPMENT EKU (the latter of
+ * which triggers a CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT error)
+ */
+static CSSM_RETURN tp_verifySWUpdateSigningOpts(
+ TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts, // currently unused
+ const iSignCertInfo *certInfo) // all certs, size certGroup.numCerts()
+{
+ unsigned numCerts = certGroup.numCerts();
+ const iSignCertInfo *isCertInfo;
+ TPCertInfo *tpCert;
+// const CE_BasicConstraints *bc; // currently unused
+ CE_ExtendedKeyUsage *eku;
+ CSSM_RETURN crtn = CSSM_OK;
+
+ if(numCerts != 3) {
+ if(!certGroup.isAllowedError(CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH)) {
+ tpPolicyError("tp_verifySWUpdateSigningOpts: numCerts %u", numCerts);
+ return CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
+ }
+ else if(numCerts < 3) {
+ /* this error allowed, but no intermediate...check leaf */
+ goto checkLeaf;
+ }
+ }
+
+ /* verify intermediate cert */
+ isCertInfo = &certInfo[1];
+ tpCert = certGroup.certAtIndex(1);
+
+ if(!isCertInfo->basicConstraints.present) {
+ tpPolicyError("tp_verifySWUpdateSigningOpts: no basicConstraints in intermediate");
+ if(tpCert->addStatusCode(CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS)) {
+ return CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS;
+ }
+ }
+
+ /* ExtendedKeyUse required, one legal value */
+ if(!isCertInfo->extendKeyUsage.present) {
+ tpPolicyError("tp_verifySWUpdateSigningOpts: no extendedKeyUse in intermediate");
+ if(tpCert->addStatusCode(CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE)) {
+ return CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE;
+ }
+ else {
+ goto checkLeaf;
+ }
+ }
+
+ eku = &isCertInfo->extendKeyUsage.extnData->extendedKeyUsage;
+ assert(eku != NULL);
+ if(eku->numPurposes != 1) {
+ tpPolicyError("tp_verifySWUpdateSigningOpts: bad eku->numPurposes in intermediate (%lu)",
+ (unsigned long)eku->numPurposes);
+ if(tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE)) {
+ return CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ }
+ else if(eku->numPurposes == 0) {
+ /* ignore that error but no EKU - skip EKU check */
+ goto checkLeaf;
+ }
+ /* else ignore error and we have an intermediate EKU; proceed */
+ }
+
+ if(!tpCompareOids(&eku->purposes[0], &CSSMOID_APPLE_EKU_CODE_SIGNING)) {
+ tpPolicyError("tp_verifySWUpdateSigningOpts: bad EKU");
+ if(tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE)) {
+ crtn = CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ }
+ }
+
+checkLeaf:
+
+ /* verify leaf cert */
+ isCertInfo = &certInfo[0];
+ tpCert = certGroup.certAtIndex(0);
+ if(!isCertInfo->extendKeyUsage.present) {
+ tpPolicyError("tp_verifySWUpdateSigningOpts: no extendedKeyUse in leaf");
+ if(tpCert->addStatusCode(CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE)) {
+ return crtn ? crtn : CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE;
+ }
+ else {
+ /* have to skip remainder */
+ return CSSM_OK;
+ }
+ }
+
+ eku = &isCertInfo->extendKeyUsage.extnData->extendedKeyUsage;
+ assert(eku != NULL);
+ if(eku->numPurposes != 1) {
+ tpPolicyError("tp_verifySWUpdateSigningOpts: bad eku->numPurposes (%lu)",
+ (unsigned long)eku->numPurposes);
+ if(tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE)) {
+ if(crtn == CSSM_OK) {
+ crtn = CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ }
+ }
+ return crtn;
+ }
+ if(!tpCompareOids(&eku->purposes[0], &CSSMOID_APPLE_EKU_CODE_SIGNING)) {
+ if(tpCompareOids(&eku->purposes[0], &CSSMOID_APPLE_EKU_CODE_SIGNING_DEV)) {
+ tpPolicyError("tp_verifySWUpdateSigningOpts: DEVELOPMENT cert");
+ if(tpCert->addStatusCode(CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT)) {
+ if(crtn == CSSM_OK) {
+ crtn = CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT;
+ }
+ }
+ }
+ else {
+ tpPolicyError("tp_verifySWUpdateSigningOpts: bad EKU in leaf");
+ if(tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE)) {
+ if(crtn == CSSM_OK) {
+ crtn = CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ }
+ }
+ }
+ }
+
+ return crtn;
+}
+
+/*
+ * Verify Apple Resource Signing options.
+ *
+ * -- leaf cert must have CSSMOID_APPLE_EKU_RESOURCE_SIGNING EKU
+ * -- chain length must be >= 2
+ * -- mainline code already verified that leaf KeyUsage = digitalSignature (only)
+ */
+static CSSM_RETURN tp_verifyResourceSigningOpts(
+ TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts, // currently unused
+ const iSignCertInfo *certInfo) // all certs, size certGroup.numCerts()
+{
+ unsigned numCerts = certGroup.numCerts();
+ if(numCerts < 2) {
+ if(!certGroup.isAllowedError(CSSMERR_APPLETP_RS_BAD_CERT_CHAIN_LENGTH)) {
+ tpPolicyError("tp_verifyResourceSigningOpts: numCerts %u", numCerts);
+ return CSSMERR_APPLETP_RS_BAD_CERT_CHAIN_LENGTH;
+ }
+ }
+ const iSignCertInfo &leafCert = certInfo[0];
+ TPCertInfo *leaf = certGroup.certAtIndex(0);
+
+ /* leaf ExtendedKeyUse required, one legal value */
+ if(!tpVerifyEKU(leafCert, CSSMOID_APPLE_EKU_RESOURCE_SIGNING, false)) {
+ tpPolicyError("tp_verifyResourceSigningOpts: no RESOURCE_SIGNING EKU");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE)) {
+ return CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ }
+ }
+
+ return CSSM_OK;
+}
+
+/*
+ * Common code for Apple Code Signing and Apple Package Signing.
+ * For now we just require an RFC3280-style CodeSigning EKU in the leaf
+ * for both policies.
+ */
+static CSSM_RETURN tp_verifyCodePkgSignOpts(
+ TPPolicy policy,
+ TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts, // currently unused
+ const iSignCertInfo *certInfo) // all certs, size certGroup.numCerts()
+{
+ const iSignCertInfo &leafCert = certInfo[0];
+
+ /* leaf ExtendedKeyUse required, one legal value */
+ if(!tpVerifyEKU(leafCert, CSSMOID_ExtendedUseCodeSigning, false)) {
+ TPCertInfo *leaf = certGroup.certAtIndex(0);
+ tpPolicyError("tp_verifyCodePkgSignOpts: no CodeSigning EKU");
+ if(leaf->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE)) {
+ return CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ }
+ }
+
+ return CSSM_OK;
+
+}
+
+/*
+ * Verify MacAppStore receipt verification policy options.
+ *
+ * -- Must have one intermediate cert
+ * -- intermediate must be the FairPlay intermediate
+ * -- leaf cert has the CSSMOID_APPLE_EXTENSION_MACAPPSTORE_RECEIPT marker extension
+ */
+static CSSM_RETURN tp_verifyMacAppStoreReceiptOpts(
+ TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts, // currently unused
+ const iSignCertInfo *certInfo) // all certs, size certGroup.numCerts()
+{
+ unsigned numCerts = certGroup.numCerts();
+ if (numCerts < 3)
+ {
+ if (!certGroup.isAllowedError(CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH))
+ {
+ tpPolicyError("tp_verifyMacAppStoreReceiptOpts: numCerts %u", numCerts);
+ return CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
+ }
+ }
+
+ const iSignCertInfo *isCertInfo;
+ TPCertInfo *tpCert;
+
+ /* verify intermediate cert */
+ isCertInfo = &certInfo[1];
+ tpCert = certGroup.certAtIndex(1);
+
+ if (!isCertInfo->basicConstraints.present)
+ {
+ tpPolicyError("tp_verifyAppleIDSharingOpts: no basicConstraints in intermediate");
+ if (tpCert->addStatusCode(CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS))
+ return CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS;
+ }
+
+ // Now check the leaf
+ isCertInfo = &certInfo[0];
+ tpCert = certGroup.certAtIndex(0);
+ if (certInfo->certificatePolicies.present)
+ {
+ // syslog(LOG_ERR, "tp_verifyMacAppStoreReceiptOpts: found certificatePolicies");
+ const CE_CertPolicies *certPolicies =
+ &isCertInfo->certificatePolicies.extnData->certPolicies;
+ if (!certificatePoliciesContainsOID(certPolicies, &CSSMOID_MACAPPSTORE_RECEIPT_CERT_POLICY))
+ if (tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION))
+ return CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ }
+ else
+ {
+ // syslog(LOG_ERR, "tp_verifyMacAppStoreReceiptOpts: no certificatePolicies present"); // DEBUG
+ tpPolicyError("tp_verifyMacAppStoreReceiptOpts: no certificatePolicies present in leaf");
+ if (tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION))
+ return CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ }
+
+ return CSSM_OK;
+}
+
+bool certificatePoliciesContainsOID(const CE_CertPolicies *certPolicies, const CSSM_OID *oidToFind)
+{
+ // returns true if the given OID is present in the cert policies
+
+ if (!certPolicies || !oidToFind)
+ return false;
+
+ const uint32 maxIndex = 100; // sanity check
+ for (uint32 policyIndex = 0; policyIndex < certPolicies->numPolicies && policyIndex < maxIndex; policyIndex++)
+ {
+ CE_PolicyInformation *certPolicyInfo = &certPolicies->policies[policyIndex];
+ CSSM_OID_PTR oid = &certPolicyInfo->certPolicyId;
+ if (oid && tpCompareOids(oid, oidToFind)) // found it
+ return true;
+ }
+
+ return false;
+}
+
+
+/*
+ * Verify Apple ID Sharing options.
+ *
+ * -- Do basic cert validation (OCSP-based certs)
+ * -- Validate that the cert is an Apple ID sharing cert:
+ * has a custom extension: OID: Apple ID Sharing Certificate ( 1 2 840 113635 100 4 7 )
+ * (CSSMOID_APPLE_EXTENSION_APPLEID_SHARING)
+ * EKU should have both client and server authentication
+ * chains to the "Apple Application Integration Certification Authority" intermediate
+ * -- optionally has a client-specified common name, which is the Apple ID account's UUID.
+
+ * -- Must have one intermediate cert ("Apple Application Integration Certification Authority")
+ * -- intermediate must have basic constraints with path length 0
+ * -- intermediate has CSSMOID_APPLE_EXTENSION_AAI_INTERMEDIATE extension (OID 1 2 840 113635 100 6 2 3)
+ OR APPLE_EXTENSION_AAI_INTERMEDIATE_2
+ */
+
+static CSSM_RETURN tp_verifyAppleIDSharingOpts(TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts, // optional Common Name
+ const iSignCertInfo *certInfo) // all certs, size certGroup.numCerts()
+{
+ unsigned numCerts = certGroup.numCerts();
+ const iSignCertInfo *isCertInfo;
+ TPCertInfo *tpCert;
+ // const CE_BasicConstraints *bc; // currently unused
+ CE_ExtendedKeyUsage *eku;
+ CSSM_RETURN crtn = CSSM_OK;
+ unsigned int serverNameLen = 0;
+ const char *serverName = NULL;
+
+ // The CSSM_APPLE_TP_SMIME_OPTIONS pointer is optional as is everything in it.
+ if (fieldOpts && fieldOpts->Data)
+ {
+ CSSM_APPLE_TP_SSL_OPTIONS *sslOpts = (CSSM_APPLE_TP_SSL_OPTIONS *)fieldOpts->Data;
+ switch (sslOpts->Version)
+ {
+ case CSSM_APPLE_TP_SSL_OPTS_VERSION:
+ if (fieldOpts->Length != sizeof(CSSM_APPLE_TP_SSL_OPTIONS))
+ return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ break;
+ /* handle backwards compatibility here if necessary */
+ default:
+ return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ }
+ serverNameLen = sslOpts->ServerNameLen;
+ serverName = sslOpts->ServerName;
+ }
+
+ //------------------------------------------------------------------------
+
+ if (numCerts != 3)
+ {
+ if (!certGroup.isAllowedError(CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH))
+ {
+ tpPolicyError("tp_verifyAppleIDSharingOpts: numCerts %u", numCerts);
+ return CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
+ }
+ else
+ if (numCerts < 3)
+ {
+ /* this error allowed, but no intermediate...check leaf */
+ goto checkLeaf;
+ }
+ }
+
+ /* verify intermediate cert */
+ isCertInfo = &certInfo[1];
+ tpCert = certGroup.certAtIndex(1);
+
+ if (!isCertInfo->basicConstraints.present)
+ {
+ tpPolicyError("tp_verifyAppleIDSharingOpts: no basicConstraints in intermediate");
+ if (tpCert->addStatusCode(CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS))
+ return CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS;
+ }
+
+checkLeaf:
+
+ /* verify leaf cert */
+ isCertInfo = &certInfo[0];
+ tpCert = certGroup.certAtIndex(0);
+
+ /* host name check is optional */
+ if (serverNameLen != 0)
+ {
+ if (serverName == NULL)
+ return CSSMERR_TP_INVALID_POINTER;
+
+ /* convert caller's hostname string to lower case */
+ char *hostName = (char *)certGroup.alloc().malloc(serverNameLen);
+ memmove(hostName, serverName, serverNameLen);
+ tpToLower(hostName, serverNameLen);
+
+ /* Check common name... */
+
+ bool fieldFound;
+ CSSM_BOOL match = tpCompareSubjectName(*tpCert, SN_CommonName, false, hostName,
+ serverNameLen, fieldFound);
+
+ certGroup.alloc().free(hostName);
+ if (!match && tpCert->addStatusCode(CSSMERR_APPLETP_HOSTNAME_MISMATCH))
+ return CSSMERR_APPLETP_HOSTNAME_MISMATCH;
+ }
+
+ if (certInfo->certificatePolicies.present)
+ {
+ const CE_CertPolicies *certPolicies =
+ &isCertInfo->certificatePolicies.extnData->certPolicies;
+ if (!certificatePoliciesContainsOID(certPolicies, &CSSMOID_APPLEID_SHARING_CERT_POLICY))
+ if (tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION))
+ return CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ }
+ else
+ if (tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION))
+ return CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+
+ if (!isCertInfo->extendKeyUsage.present)
+ {
+ tpPolicyError("tp_verifyAppleIDSharingOpts: no extendedKeyUse in leaf");
+ if (tpCert->addStatusCode(CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE))
+ return crtn ? crtn : CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE;
+
+ /* have to skip remainder */
+ return CSSM_OK;
+ }
+
+ // Check that certificate can do Client and Server Authentication (EKU)
+ eku = &isCertInfo->extendKeyUsage.extnData->extendedKeyUsage;
+ assert(eku != NULL);
+ if(eku->numPurposes != 2)
+ {
+ tpPolicyError("tp_verifyAppleIDSharingOpts: bad eku->numPurposes (%lu)",
+ (unsigned long)eku->numPurposes);
+ if (tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE))
+ {
+ if (crtn == CSSM_OK)
+ crtn = CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ }
+ return crtn;
+ }
+ bool canDoClientAuth = false, canDoServerAuth = false, ekuError = false;
+ for (int ix=0;ix<2;ix++)
+ {
+ if (tpCompareOids(&eku->purposes[ix], &CSSMOID_ClientAuth))
+ canDoClientAuth = true;
+ else
+ if (tpCompareOids(&eku->purposes[ix], &CSSMOID_ServerAuth))
+ canDoServerAuth = true;
+ else
+ {
+ ekuError = true;
+ break;
+ }
+ }
+
+ if (!(canDoClientAuth && canDoServerAuth))
+ ekuError = true;
+ if (ekuError)
+ {
+ tpPolicyError("tp_verifyAppleIDSharingOpts: bad EKU in leaf");
+ if (tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE))
+ {
+ if (crtn == CSSM_OK)
+ crtn = CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ }
+ }
+
+ return crtn;
+}
+
+/*
+ * Verify Time Stamping (RFC3161) policy options.
+ *
+ * -- Leaf must contain Extended Key Usage (EKU), marked critical
+ * -- The EKU must contain the id-kp-timeStamping purpose and no other
+ */
+static CSSM_RETURN tp_verifyTimeStampingOpts(TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts, // currently unused
+ const iSignCertInfo *certInfo) // all certs, size certGroup.numCerts()
+{
+ //unsigned numCerts = certGroup.numCerts();
+ const iSignCertInfo *isCertInfo;
+ TPCertInfo *tpCert;
+ CE_ExtendedKeyUsage *eku;
+
+ isCertInfo = &certInfo[0];
+ tpCert = certGroup.certAtIndex(0);
+
+ if (!isCertInfo->extendKeyUsage.present)
+ {
+ tpPolicyError("tp_verifyTimeStampingOpts: no extendedKeyUse in leaf");
+ tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION);
+ return CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ }
+
+ if(!isCertInfo->extendKeyUsage.critical)
+ {
+ tpPolicyError("tp_verifyTimeStampingOpts: extended key usage !critical");
+ tpCert->addStatusCode(CSSMERR_APPLETP_EXT_KEYUSAGE_NOT_CRITICAL);
+ return CSSMERR_APPLETP_EXT_KEYUSAGE_NOT_CRITICAL;
+ }
+
+ eku = &isCertInfo->extendKeyUsage.extnData->extendedKeyUsage;
+ assert(eku != NULL);
+
+ if(eku->numPurposes != 1)
+ {
+ tpPolicyError("tp_verifyTimeStampingOpts: bad eku->numPurposes (%lu)",
+ (unsigned long)eku->numPurposes);
+ tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE);
+ return CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ }
+
+ if(!tpCompareOids(&eku->purposes[0], &CSSMOID_TimeStamping))
+ {
+ tpPolicyError("tp_verifyTimeStampingOpts: TimeStamping purpose not found");
+ tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE);
+ return CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ }
+
+ return CSSM_OK;
+}
+
+/*
+ * Verify Passbook Signing policy options.
+ *
+ * -- Do basic cert validation (OCSP-based certs)
+ * -- Chains to the Apple root CA
+ * -- Has custom marker extension (1.2.840.113635.100.6.1.16)
+ * (CSSMOID_APPLE_EXTENSION_PASSBOOK_SIGNING)
+ * -- EKU contains Passbook Signing purpose (1.2.840.113635.100.4.14)
+ * (CSSMOID_APPLE_EKU_PASSBOOK_SIGNING)
+ * -- UID field of Subject must contain provided card signer string
+ * -- OU field of Subject must contain provided team identifier string
+ */
+static CSSM_RETURN tp_verifyPassbookSigningOpts(TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts,
+ const iSignCertInfo *certInfo) // all certs, size certGroup.numCerts()
+{
+ unsigned numCerts = certGroup.numCerts();
+ const iSignCertInfo *isCertInfo;
+ TPCertInfo *tpCert;
+ CE_ExtendedKeyUsage *eku;
+ CSSM_RETURN crtn = CSSM_OK;
+ unsigned int nameLen = 0;
+ const char *name = NULL;
+ char *p, *signerName = NULL, *teamIdentifier = NULL;
+ bool found;
+
+ isCertInfo = &certInfo[0];
+ tpCert = certGroup.certAtIndex(0);
+
+ /* The CSSM_APPLE_TP_SMIME_OPTIONS pointer is required. */
+ if (!fieldOpts || !fieldOpts->Data)
+ return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ else {
+ CSSM_APPLE_TP_SMIME_OPTIONS *opts = (CSSM_APPLE_TP_SMIME_OPTIONS *)fieldOpts->Data;
+ switch (opts->Version)
+ {
+ case CSSM_APPLE_TP_SMIME_OPTS_VERSION:
+ if (fieldOpts->Length != sizeof(CSSM_APPLE_TP_SMIME_OPTIONS))
+ return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ break;
+ /* handle backwards compatibility here if necessary */
+ default:
+ return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
+ }
+ nameLen = opts->SenderEmailLen;
+ name = opts->SenderEmail;
+ if (!name || !nameLen)
+ return CSSMERR_APPLETP_IDENTIFIER_MISSING;
+ }
+
+ /* Split the provided name into signer name and team identifier
+ * (allocates memory, which must be freed at end) */
+ signerName = (char *)certGroup.alloc().malloc(nameLen);
+ teamIdentifier = (char *)certGroup.alloc().malloc(nameLen);
+ memmove(signerName, name, nameLen);
+ teamIdentifier[0] = '\0';
+ if ((p = strchr(signerName, '\t')) != NULL) {
+ *p++ = '\0';
+ memmove(teamIdentifier, p, strlen(p)+1);
+ }
+
+ /* Check signer name in UID field */
+ if (CSSM_FALSE == tpCompareSubjectName(*tpCert,
+ SN_UserID, false, signerName, (unsigned int)strlen(signerName), found)) {
+ tpPolicyError("tp_verifyPassbookSigningOpts: signer name not in subject UID field");
+ tpCert->addStatusCode(CSSMERR_APPLETP_IDENTIFIER_MISSING);
+ crtn = CSSMERR_APPLETP_IDENTIFIER_MISSING;
+ goto cleanup;
+ }
+
+ /* Check team identifier in OU field */
+ if (CSSM_FALSE == tpCompareSubjectName(*tpCert,
+ SN_OrgUnit, false, teamIdentifier, (unsigned int)strlen(teamIdentifier), found)) {
+ tpPolicyError("tp_verifyPassbookSigningOpts: team identifier not in subject OU field");
+ tpCert->addStatusCode(CSSMERR_APPLETP_IDENTIFIER_MISSING);
+ crtn = CSSMERR_APPLETP_IDENTIFIER_MISSING;
+ goto cleanup;
+ }
+
+ /* Check that EKU extension is present */
+ if (!isCertInfo->extendKeyUsage.present) {
+ tpPolicyError("tp_verifyPassbookSigningOpts: no extendedKeyUse in leaf");
+ tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION);
+ crtn = CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ goto cleanup;
+ }
+
+ /* Check that EKU contains Passbook Signing purpose */
+ eku = &isCertInfo->extendKeyUsage.extnData->extendedKeyUsage;
+ assert(eku != NULL);
+ found = false;
+ for (int ix=0;ix<eku->numPurposes;ix++) {
+ if (tpCompareOids(&eku->purposes[ix], &CSSMOID_APPLE_EKU_PASSBOOK_SIGNING)) {
+ found = true;
+ break;
+ }
+ }
+ if (!found) {
+ tpPolicyError("tp_verifyPassbookSigningOpts: Passbook Signing purpose not found");
+ tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE);
+ crtn = CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ goto cleanup;
+ }
+
+ /* Check that Passbook Signing marker extension is present */
+ if (!(isCertInfo->foundPassbookSigning == CSSM_TRUE)) {
+ tpPolicyError("tp_verifyPassbookSigningOpts: no Passbook Signing extension in leaf");
+ tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION);
+ crtn = CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ goto cleanup;
+ }
+
+ /* Check that cert chain is anchored by the Apple Root CA */
+ if (numCerts < 3) {
+ tpPolicyError("tp_verifyPassbookSigningOpts: numCerts %u", numCerts);
+ crtn = CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
+ goto cleanup;
+ }
+ else {
+ tpCert = certGroup.certAtIndex(numCerts-1);
+ const CSSM_DATA *certData = tpCert->itemData();
+ unsigned char digest[CC_SHA1_DIGEST_LENGTH];
+ CC_SHA1(certData->Data, (CC_LONG)certData->Length, digest);
+ if (memcmp(digest, kAppleCASHA1, sizeof(digest))) {
+ tpPolicyError("tp_verifyPassbookSigningOpts: invalid anchor for policy");
+ tpCert->addStatusCode(CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH);
+ crtn = CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ if (signerName)
+ certGroup.alloc().free(signerName);
+ if (teamIdentifier)
+ certGroup.alloc().free(teamIdentifier);
+
+ return crtn;
+}
+
+/*
+ * Verify Mobile Store policy options.
+ *
+ * -- Do basic cert validation.
+ * -- Chain length must be exactly 3.
+ * -- Must chain to known Mobile Store root.
+ * -- Intermediate must have CSSMOID_APPLE_EXTENSION_SYSINT2_INTERMEDIATE marker
+ * (1.2.840.113635.100.6.2.10)
+ * -- Key usage in leaf certificate must be Digital Signature.
+ * -- Leaf has certificatePolicies extension with appropriate policy:
+ * (1.2.840.113635.100.5.12) if testPolicy is false
+ * (1.2.840.113635.100.5.12.1) if testPolicy is true
+ */
+static CSSM_RETURN tp_verifyMobileStoreSigningOpts(TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts,
+ const iSignCertInfo *certInfo, // all certs, size certGroup.numCerts()
+ bool testPolicy)
+{
+ unsigned numCerts = certGroup.numCerts();
+ const iSignCertInfo *isCertInfo;
+ TPCertInfo *tpCert;
+ CE_KeyUsage ku;
+ CSSM_RETURN crtn = CSSM_OK;
+
+ isCertInfo = &certInfo[0];
+ tpCert = certGroup.certAtIndex(0);
+
+ /* Check that KU extension is present */
+ if (!isCertInfo->keyUsage.present) {
+ tpPolicyError("tp_verifyMobileStoreSigningOpts: no keyUsage in leaf");
+ tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION);
+ crtn = CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ goto cleanup;
+ }
+
+ /* Check that KU contains Digital Signature usage */
+ ku = isCertInfo->keyUsage.extnData->keyUsage;
+ if (!(ku & CE_KU_DigitalSignature)) {
+ tpPolicyError("tp_verifyMobileStoreSigningOpts: DigitalSignature usage not found");
+ tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_KEY_USAGE);
+ crtn = CSSMERR_APPLETP_INVALID_KEY_USAGE;
+ goto cleanup;
+ }
+
+ /* Check that Mobile Store Signing certicate policy is present in leaf */
+ if (isCertInfo->certificatePolicies.present)
+ {
+ const CE_CertPolicies *certPolicies =
+ &isCertInfo->certificatePolicies.extnData->certPolicies;
+ const CSSM_OID *policyOID = (testPolicy) ?
+ &CSSMOID_TEST_MOBILE_STORE_SIGNING_POLICY :
+ &CSSMOID_MOBILE_STORE_SIGNING_POLICY;
+ if (!certificatePoliciesContainsOID(certPolicies, policyOID))
+ if (tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION))
+ return CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ }
+ else
+ {
+ tpPolicyError("tp_verifyMobileStoreSigningOpts: no certificatePolicies present in leaf");
+ if (tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION))
+ return CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ }
+
+ /* Check that cert chain length is 3 */
+ if (numCerts != 3) {
+ tpPolicyError("tp_verifyMobileStoreSigningOpts: numCerts %u", numCerts);
+ crtn = CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
+ goto cleanup;
+ }
+
+ /* Check that cert chain is anchored by a known root */
+ {
+ tpCert = certGroup.certAtIndex(numCerts-1);
+ const CSSM_DATA *certData = tpCert->itemData();
+ unsigned char digest[CC_SHA1_DIGEST_LENGTH];
+ CC_SHA1(certData->Data, (CC_LONG)certData->Length, digest);
+ if (memcmp(digest, kMobileRootSHA1, sizeof(digest))) {
+ tpPolicyError("tp_verifyMobileStoreSigningOpts: invalid anchor for policy");
+ tpCert->addStatusCode(CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH);
+ crtn = CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
+ goto cleanup;
+ }
+ }
+
+ /* Check that Apple System Integration 2 marker extension is present in intermediate */
+ isCertInfo = &certInfo[1];
+ tpCert = certGroup.certAtIndex(1);
+ if (!(isCertInfo->foundAppleSysInt2Marker == CSSM_TRUE)) {
+ tpPolicyError("tp_verifyMobileStoreSigningOpts: intermediate marker extension not found");
+ tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION);
+ crtn = CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ goto cleanup;
+ }
+
+cleanup:
+ return crtn;
+}
+
+/*
+ * Verify Escrow Service policy options.
+ *
+ * -- Chain length must be exactly 2.
+ * -- Must be issued by known escrow root.
+ * -- Key usage in leaf certificate must be Key Encipherment.
+ * -- Leaf has CSSMOID_APPLE_EXTENSION_ESCROW_SERVICE_MARKER extension
+ * (1.2.840.113635.100.6.23.1)
+ */
+static CSSM_RETURN tp_verifyEscrowServiceCommon(TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts,
+ const iSignCertInfo *certInfo, // all certs, size certGroup.numCerts()
+ SecCertificateEscrowRootType rootType)
+{
+ unsigned numCerts = certGroup.numCerts();
+ const iSignCertInfo *isCertInfo;
+ TPCertInfo *tpCert;
+ CE_KeyUsage ku;
+ CSSM_RETURN crtn = CSSM_OK;
+
+ isCertInfo = &certInfo[0];
+ tpCert = certGroup.certAtIndex(0);
+
+ /* Check that KU extension is present */
+ if (!isCertInfo->keyUsage.present) {
+ tpPolicyError("tp_verifyEscrowServiceCommon: no keyUsage in leaf");
+ tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION);
+ crtn = CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ goto cleanup;
+ }
+
+ /* Check that KU contains Key Encipherment usage */
+ ku = isCertInfo->keyUsage.extnData->keyUsage;
+ if (!(ku & CE_KU_KeyEncipherment)) {
+ tpPolicyError("tp_verifyEscrowServiceCommon: KeyEncipherment usage not found");
+ tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_KEY_USAGE);
+ crtn = CSSMERR_APPLETP_INVALID_KEY_USAGE;
+ goto cleanup;
+ }
+
+ /* Check that Escrow Service marker extension is present */
+ if (!(isCertInfo->foundEscrowServiceMarker == CSSM_TRUE)) {
+ tpPolicyError("tp_verifyEscrowServiceCommon: no Escrow Service extension in leaf");
+ tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION);
+ crtn = CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ goto cleanup;
+ }
+
+ /* Check that cert chain length is 2 */
+ if (numCerts != 2) {
+ tpPolicyError("tp_verifyEscrowServiceCommon: numCerts %u", numCerts);
+ crtn = CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
+ goto cleanup;
+ }
+
+ /* Check that cert chain is anchored by a known root */
+ {
+ tpCert = certGroup.certAtIndex(numCerts-1);
+ const CSSM_DATA *certData = tpCert->itemData();
+ bool anchorMatch = false;
+ SecCertificateRef anchor = NULL;
+ OSStatus status = SecCertificateCreateFromData(certData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER, &anchor);
+ if (!status) {
+ CFArrayRef anchors = SecCertificateCopyEscrowRoots(rootType);
+ CFIndex idx, count = (anchors) ? CFArrayGetCount(anchors) : 0;
+ for (idx = 0; idx < count; idx++) {
+ SecCertificateRef cert = (SecCertificateRef) CFArrayGetValueAtIndex(anchors, idx);
+ if (cert && CFEqual(cert, anchor)) {
+ anchorMatch = true;
+ break;
+ }
+ }
+ if (anchors)
+ CFRelease(anchors);
+ }
+ if (anchor)
+ CFRelease(anchor);
+
+ if (!anchorMatch) {
+ tpPolicyError("tp_verifyEscrowServiceCommon: invalid anchor for policy");
+ tpCert->addStatusCode(CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH);
+ crtn = CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ return crtn;
+}
+
+static CSSM_RETURN tp_verifyEscrowServiceSigningOpts(TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts,
+ const iSignCertInfo *certInfo) // all certs, size certGroup.numCerts()
+{
+ return tp_verifyEscrowServiceCommon(certGroup, fieldOpts, certInfo, kSecCertificateProductionEscrowRoot);
+}
+
+static CSSM_RETURN tp_verifyPCSEscrowServiceSigningOpts(TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts,
+ const iSignCertInfo *certInfo) // all certs, size certGroup.numCerts()
+{
+ return tp_verifyEscrowServiceCommon(certGroup, fieldOpts, certInfo, kSecCertificateProductionPCSEscrowRoot);
+}
+
+/*
+ * Verify Configuration Profile Signing policy options.
+ *
+ * -- Do basic cert validation (OCSP-based certs)
+ * -- Chains to the Apple root CA
+ * -- Leaf has EKU extension with appropriate purpose:
+ * (1.2.840.113635.100.4.16) if testPolicy is false
+ * (1.2.840.113635.100.4.17) if testPolicy is true
+ */
+static CSSM_RETURN tp_verifyProfileSigningOpts(TPCertGroup &certGroup,
+ const CSSM_DATA *fieldOpts,
+ const iSignCertInfo *certInfo, // all certs, size certGroup.numCerts()
+ bool testPolicy)
+{
+ unsigned numCerts = certGroup.numCerts();
+ const iSignCertInfo *isCertInfo;
+ TPCertInfo *tpCert;
+ CE_ExtendedKeyUsage *eku;
+ CSSM_RETURN crtn = CSSM_OK;
+ bool found;
+
+ isCertInfo = &certInfo[0];
+ tpCert = certGroup.certAtIndex(0);
+
+ /* Check that EKU extension is present */
+ if (!isCertInfo->extendKeyUsage.present) {
+ tpPolicyError("tp_verifyProfileSigningOpts: no extendedKeyUse in leaf");
+ tpCert->addStatusCode(CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION);
+ crtn = CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION;
+ goto cleanup;
+ }
+
+ /* Check that EKU contains appropriate Profile Signing purpose */
+ eku = &isCertInfo->extendKeyUsage.extnData->extendedKeyUsage;
+ assert(eku != NULL);
+ found = false;
+ for (int ix=0;ix<eku->numPurposes;ix++) {
+ if (tpCompareOids(&eku->purposes[ix], (testPolicy) ?
+ &CSSMOID_APPLE_EKU_QA_PROFILE_SIGNING :
+ &CSSMOID_APPLE_EKU_PROFILE_SIGNING)) {
+ found = true;
+ break;
+ }
+ }
+ if (!found) {
+ tpPolicyError("tp_verifyProfileSigningOpts: Profile Signing purpose not found");
+ tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE);
+ crtn = CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
+ goto cleanup;
+ }
+
+ /* Check that cert chain is anchored by the Apple Root CA */
+ if (numCerts < 3) {
+ tpPolicyError("tp_verifyProfileSigningOpts: numCerts %u", numCerts);
+ crtn = CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
+ goto cleanup;
+ }
+ else {
+ tpCert = certGroup.certAtIndex(numCerts-1);
+ const CSSM_DATA *certData = tpCert->itemData();
+ unsigned char digest[CC_SHA1_DIGEST_LENGTH];
+ CC_SHA1(certData->Data, (CC_LONG)certData->Length, digest);
+ if (memcmp(digest, kAppleCASHA1, sizeof(digest))) {
+ tpPolicyError("tp_verifyProfileSigningOpts: invalid anchor for policy");
+ tpCert->addStatusCode(CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH);
+ crtn = CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
+ goto cleanup;
+ }
+ }
+
+cleanup:
+ return crtn;
+}
+
+/*
+ * RFC2459 says basicConstraints must be flagged critical for
+ * CA certs, but Verisign doesn't work that way.
+ */
+#define BASIC_CONSTRAINTS_MUST_BE_CRITICAL 0
+
+/*
+ * TP iSign spec says Extended Key Usage required for leaf certs,
+ * but Verisign doesn't work that way.
+ */
+#define EXTENDED_KEY_USAGE_REQUIRED_FOR_LEAF 0
+
+/*
+ * TP iSign spec says Subject Alternate Name required for leaf certs,
+ * but Verisign doesn't work that way.
+ */
+#define SUBJECT_ALT_NAME_REQUIRED_FOR_LEAF 0
+
+/*
+ * TP iSign spec originally required KeyUsage for all certs, but
+ * Verisign doesn't have that in their roots.
+ */
+#define KEY_USAGE_REQUIRED_FOR_ROOT 0
+
+/*
+ * RFC 2632, "S/MIME Version 3 Certificate Handling", section
+ * 4.4.2, says that KeyUsage extensions MUST be flagged critical,
+ * but Thawte's intermediate cert (common name "Thawte Personal
+ * Freemail Issuing CA") does not meet this requirement.
+ */
+#define SMIME_KEY_USAGE_MUST_BE_CRITICAL 0
+
+/*
+ * Public routine to perform TP verification on a constructed
+ * cert group.
+ * Returns CSSM_OK on success.
+ * Assumes the chain has passed basic subject/issuer verification. First cert of
+ * incoming certGroup is end-entity (leaf).
+ *
+ * Per-policy details:
+ * iSign: Assumes that last cert in incoming certGroup is a root cert.
+ * Also assumes a cert group of more than one cert.
+ * kTPx509Basic: CertGroup of length one allowed.
+ */
+CSSM_RETURN tp_policyVerify(
+ TPPolicy policy,
+ Allocator &alloc,
+ CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ TPCertGroup *certGroup,
+ CSSM_BOOL verifiedToRoot, // last cert is good root
+ CSSM_BOOL verifiedViaTrustSetting, // last cert verified via
+ // user trust
+ CSSM_APPLE_TP_ACTION_FLAGS actionFlags,
+ const CSSM_DATA *policyFieldData, // optional
+ void *policyOpts) // future options
+{
+ iSignCertInfo *certInfo = NULL;
+ uint32 numCerts;
+ iSignCertInfo *thisCertInfo;
+ uint16 expUsage;
+ uint16 actUsage;
+ unsigned certDex;
+ CSSM_BOOL cA = CSSM_FALSE; // init for compiler warning
+ bool isLeaf; // end entity
+ bool isRoot; // root cert
+ CE_ExtendedKeyUsage *extendUsage;
+ CE_AuthorityKeyID *authorityId;
+ CSSM_KEY_PTR pubKey;
+ CSSM_RETURN outErr = CSSM_OK; // for gross, non-policy errors
+ CSSM_BOOL policyFail = CSSM_FALSE;// generic CSSMERR_TP_VERIFY_ACTION_FAILED
+ CSSM_RETURN policyError = CSSM_OK; // policy-specific failure
+
+ /* First, kTPDefault is a nop here */
+ if(policy == kTPDefault) {
+ return CSSM_OK;
+ }
+
+ if(certGroup == NULL) {
+ return CSSMERR_TP_INVALID_CERTGROUP;
+ }
+ numCerts = certGroup->numCerts();
+ if(numCerts == 0) {
+ return CSSMERR_TP_INVALID_CERTGROUP;
+ }
+ if(policy == kTPiSign) {
+ if(!verifiedToRoot) {
+ /* no way, this requires a root cert */
+ return CSSMERR_TP_VERIFY_ACTION_FAILED;
+ }
+ if(numCerts <= 1) {
+ /* nope, not for iSign */
+ return CSSMERR_TP_VERIFY_ACTION_FAILED;
+ }
+ }
+
+ /* cook up an iSignCertInfo array */
+ certInfo = (iSignCertInfo *)tpCalloc(alloc, numCerts, sizeof(iSignCertInfo));
+ /* subsequent errors to errOut: */
+
+ /* fill it with interesting info from parsed certs */
+ for(certDex=0; certDex<numCerts; certDex++) {
+ if(iSignGetCertInfo(alloc,
+ certGroup->certAtIndex(certDex),
+ &certInfo[certDex])) {
+ (certGroup->certAtIndex(certDex))->addStatusCode(
+ CSSMERR_TP_INVALID_CERTIFICATE);
+ /* this one is fatal (and can't ignore) */
+ outErr = CSSMERR_TP_INVALID_CERTIFICATE;
+ goto errOut;
+ }
+ }
+
+ /*
+ * OK, the heart of TP enforcement.
+ */
+ for(certDex=0; certDex<numCerts; certDex++) {
+ thisCertInfo = &certInfo[certDex];
+ TPCertInfo *thisTpCertInfo = certGroup->certAtIndex(certDex);
+
+ /*
+ * First check for presence of required extensions and
+ * critical extensions we don't understand.
+ */
+ if(thisCertInfo->foundUnknownCritical) {
+ /* illegal for all policies */
+ tpPolicyError("tp_policyVerify: critical flag in unknown extension");
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+
+ /*
+ * Check for unsupported key length, per <rdar://6892837>
+ */
+ if((pubKey=thisTpCertInfo->pubKey()) != NULL) {
+ CSSM_KEYHEADER *keyHdr = &pubKey->KeyHeader;
+ if(keyHdr->AlgorithmId == CSSM_ALGID_RSA && keyHdr->LogicalKeySizeInBits < 1024) {
+ tpPolicyError("tp_policyVerify: RSA key size too small");
+ if(thisTpCertInfo->addStatusCode(CSSMERR_CSP_UNSUPPORTED_KEY_SIZE)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ }
+
+ /*
+ * Note it's possible for both of these to be true, for a chain
+ * of length one (kTPx509Basic, kCrlPolicy only!)
+ * FIXME: should this code work if the last cert in the chain is NOT a root?
+ */
+ isLeaf = thisTpCertInfo->isLeaf();
+ isRoot = thisTpCertInfo->isSelfSigned(true);
+
+ /*
+ * BasicConstraints.cA
+ * iSign: required in all but leaf and root,
+ * for which it is optional (with default values of false
+ * for leaf and true for root).
+ * all others: always optional, default of false for leaf and
+ * true for others
+ * All: cA must be false for leaf, true for others
+ */
+ if(!thisCertInfo->basicConstraints.present) {
+ /*
+ * No basicConstraints present; infer a cA value if appropriate.
+ */
+ if(isLeaf) {
+ /* cool, use default; note that kTPx509Basic with
+ * certGroup length of one may take this case */
+ cA = CSSM_FALSE;
+ }
+ else if(isRoot) {
+ /* cool, use default */
+ cA = CSSM_TRUE;
+ }
+ else {
+ switch(policy) {
+ default:
+ /*
+ * not present, not leaf, not root....
+ * ....RFC2459 says this can not be a CA
+ */
+ cA = CSSM_FALSE;
+ break;
+ case kTPiSign:
+ /* required for iSign in this position */
+ tpPolicyError("tp_policyVerify: no "
+ "basicConstraints");
+ if(thisTpCertInfo->addStatusCode(
+ CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS)) {
+ policyFail = CSSM_TRUE;
+ }
+ break;
+ }
+ }
+ } /* inferred a default value */
+ else {
+ /* basicConstraints present */
+ #if BASIC_CONSTRAINTS_MUST_BE_CRITICAL
+ /* disabled for verisign compatibility */
+ if(!thisCertInfo->basicConstraints.critical) {
+ /* per RFC 2459 */
+ tpPolicyError("tp_policyVerify: basicConstraints marked "
+ "not critical");
+ if(thisTpCertInfo->addStatusCode(CSSMERR_TP_VERIFY_ACTION_FAILED)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ #endif /* BASIC_CONSTRAINTS_MUST_BE_CRITICAL */
+
+ const CE_BasicConstraints *bcp =
+ &thisCertInfo->basicConstraints.extnData->basicConstraints;
+
+ cA = bcp->cA;
+
+ /* Verify pathLenConstraint if present */
+ if(!isLeaf && // leaf, certDex=0, don't care
+ cA && // p.l.c. only valid for CAs
+ bcp->pathLenConstraintPresent) { // present?
+ /*
+ * pathLenConstraint=0 legal for certDex 1 only
+ * pathLenConstraint=1 legal for certDex {1,2}
+ * etc.
+ */
+ if(certDex > (bcp->pathLenConstraint + 1)) {
+ tpPolicyError("tp_policyVerify: pathLenConstraint "
+ "exceeded");
+ if(thisTpCertInfo->addStatusCode(
+ CSSMERR_APPLETP_PATH_LEN_CONSTRAINT)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ }
+ }
+
+ if(isLeaf) {
+ /*
+ * Special cases to allow a chain of length 1, leaf and root
+ * both true, and for caller to override the "leaf can't be a CA"
+ * requirement when a CA cert is explicitly being evaluated as the
+ * leaf.
+ */
+ if(cA && !isRoot &&
+ !(actionFlags & CSSM_TP_ACTION_LEAF_IS_CA)) {
+ tpPolicyError("tp_policyVerify: cA true for leaf");
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_CA)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ } else if(!cA) {
+ tpPolicyError("tp_policyVerify: cA false for non-leaf");
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_CA)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+
+ /*
+ * Authority Key Identifier optional
+ * iSign : only allowed in !root.
+ * If present, must not be critical.
+ * all others : ignored (though used later for chain verification)
+ */
+ if((policy == kTPiSign) && thisCertInfo->authorityId.present) {
+ if(isRoot) {
+ tpPolicyError("tp_policyVerify: authorityId in root");
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_AUTHORITY_ID)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ if(thisCertInfo->authorityId.critical) {
+ /* illegal per RFC 2459 */
+ tpPolicyError("tp_policyVerify: authorityId marked "
+ "critical");
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_AUTHORITY_ID)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ }
+
+ /*
+ * Subject Key Identifier optional
+ * iSign : can't be critical.
+ * all others : ignored (though used later for chain verification)
+ */
+ if(thisCertInfo->subjectId.present) {
+ if((policy == kTPiSign) && thisCertInfo->subjectId.critical) {
+ tpPolicyError("tp_policyVerify: subjectId marked critical");
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_SUBJECT_ID)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ }
+
+ /*
+ * Key Usage optional except required as noted
+ * iSign : required for non-root/non-leaf
+ * Leaf cert : if present, usage = digitalSignature
+ * Exception : if leaf, and keyUsage not present,
+ * netscape-cert-type must be present, with
+ * Object Signing bit set
+ * kCrlPolicy : Leaf: usage = CRLSign
+ * kTP_SMIME : if present, must be critical
+ * kTP_SWUpdateSign, kTP_ResourceSign, kTP_CodeSigning, kTP_PackageSigning : Leaf :
+ usage = digitalSignature
+ * all others : non-leaf : usage = keyCertSign
+ * Leaf : don't care
+ */
+ if(thisCertInfo->keyUsage.present) {
+ /*
+ * Leaf cert:
+ * iSign and *Signing: usage = digitalSignature
+ * all others : don't care
+ * Others: usage = keyCertSign
+ * We only require that one bit to be set, we ignore others.
+ */
+ if(isLeaf) {
+ switch(policy) {
+ case kTPiSign:
+ case kTP_SWUpdateSign:
+ case kTP_ResourceSign:
+ case kTP_CodeSigning:
+ case kTP_PackageSigning:
+ expUsage = CE_KU_DigitalSignature;
+ break;
+ case kCrlPolicy:
+ /* if present, this bit must be set */
+ expUsage = CE_KU_CRLSign;
+ break;
+ default:
+ /* accept whatever's there */
+ expUsage = thisCertInfo->keyUsage.extnData->keyUsage;
+ break;
+ }
+ }
+ else {
+ /* !leaf: this is true for all policies */
+ expUsage = CE_KU_KeyCertSign;
+ }
+ actUsage = thisCertInfo->keyUsage.extnData->keyUsage;
+ if(!(actUsage & expUsage)) {
+ tpPolicyError("tp_policyVerify: bad keyUsage (leaf %s; "
+ "usage 0x%x)",
+ (certDex == 0) ? "TRUE" : "FALSE", actUsage);
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_KEY_USAGE)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+
+ #if 0
+ /*
+ * Radar 3523221 renders this whole check obsolete, but I'm leaving
+ * the code here to document its conspicuous functional absence.
+ */
+ if((policy == kTP_SMIME) && !thisCertInfo->keyUsage.critical) {
+ /*
+ * Per Radar 3410245, allow this for intermediate certs.
+ */
+ if(SMIME_KEY_USAGE_MUST_BE_CRITICAL || isLeaf || isRoot) {
+ tpPolicyError("tp_policyVerify: key usage, !critical, SMIME");
+ if(thisTpCertInfo->addStatusCode(
+ CSSMERR_APPLETP_SMIME_KEYUSAGE_NOT_CRITICAL)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ }
+ #endif
+ }
+ else if(policy == kTPiSign) {
+ /*
+ * iSign requires keyUsage present for non root OR
+ * netscape-cert-type/ObjectSigning for leaf
+ */
+ if(isLeaf && thisCertInfo->netscapeCertType.present) {
+ CE_NetscapeCertType ct =
+ thisCertInfo->netscapeCertType.extnData->netscapeCertType;
+
+ if(!(ct & CE_NCT_ObjSign)) {
+ tpPolicyError("tp_policyVerify: netscape-cert-type, "
+ "!ObjectSign");
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_KEY_USAGE)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ }
+ else if(!isRoot) {
+ tpPolicyError("tp_policyVerify: !isRoot, no keyUsage, "
+ "!(leaf and netscapeCertType)");
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_KEY_USAGE)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ }
+
+ /*
+ * RFC 3280, 4.1.2.6, says that an empty subject name can only appear in a
+ * leaf cert, and only if subjectAltName is present and marked critical.
+ */
+ if(isLeaf && thisTpCertInfo->hasEmptySubjectName()) {
+ bool badEmptySubject = false;
+ if(actionFlags & CSSM_TP_ACTION_LEAF_IS_CA) {
+ /*
+ * True when evaluating a CA cert as well as when
+ * evaluating a CRL's cert chain. Note the odd case of a CRL's
+ * signer having an empty subject matching an empty issuer
+ * in the CRL. That'll be caught here.
+ */
+ badEmptySubject = true;
+ }
+ else if(!thisCertInfo->subjectAltName.present || /* no subjectAltName */
+ !thisCertInfo->subjectAltName.critical) { /* not critical */
+ badEmptySubject = true;
+ }
+ if(badEmptySubject) {
+ tpPolicyError("tp_policyVerify: bad empty subject");
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ }
+
+ /*
+ * RFC 3739: if this cert has a Qualified Cert Statements extension, and
+ * it's Critical, make sure we understand all of the extension's statementIds.
+ */
+ if(thisCertInfo->qualCertStatements.present &&
+ thisCertInfo->qualCertStatements.critical) {
+ CE_QC_Statements *qcss =
+ &thisCertInfo->qualCertStatements.extnData->qualifiedCertStatements;
+ uint32 numQcs = qcss->numQCStatements;
+ for(unsigned qdex=0; qdex<numQcs; qdex++) {
+ CSSM_OID_PTR qid = &qcss->qcStatements[qdex].statementId;
+ bool ok = false;
+ for(unsigned kdex=0; kdex<NUM_KNOWN_QUAL_CERT_STATEMENTS; kdex++) {
+ if(tpCompareCssmData(qid, knownQualifiedCertStatements[kdex])) {
+ ok = true;
+ break;
+ }
+ }
+ if(!ok) {
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT)) {
+ policyFail = CSSM_TRUE;
+ break;
+ }
+ }
+ }
+ } /* critical Qualified Cert Statement */
+
+ /*
+ * Certificate Policies extension validation, per section 1.2 of:
+ * http://iase.disa.mil/pki/dod_cp_v10_final_2_mar_09_signed.pdf
+ */
+ if (tpVerifyCPE(*thisCertInfo, CSSMOID_PIV_AUTH, false) ||
+ tpVerifyCPE(*thisCertInfo, CSSMOID_PIV_AUTH_2048, false)) {
+ /*
+ * Certificate asserts one of the PIV-Auth Certificate Policy OIDs;
+ * check the required Key Usage extension for compliance.
+ *
+ * Leaf cert:
+ * usage = digitalSignature (only; no other bits asserted)
+ * Others:
+ * usage = keyCertSign (required; other bits ignored)
+ */
+ if(thisCertInfo->keyUsage.present) {
+ actUsage = thisCertInfo->keyUsage.extnData->keyUsage;
+ } else {
+ /* No key usage! Policy fail. */
+ actUsage = 0;
+ }
+ if(!(actionFlags & CSSM_TP_ACTION_LEAF_IS_CA) && (certDex == 0)) {
+ expUsage = CE_KU_DigitalSignature;
+ } else {
+ expUsage = actUsage | CE_KU_KeyCertSign;
+ }
+ if(!(actUsage == expUsage)) {
+ tpPolicyError("tp_policyVerify: bad keyUsage for PIV-Auth policy (leaf %s; "
+ "usage 0x%x)",
+ (certDex == 0) ? "TRUE" : "FALSE", actUsage);
+ if(thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_KEY_USAGE)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ } /* Certificate Policies */
+
+
+ } /* for certDex, checking presence of extensions */
+
+ /*
+ * Special case checking for leaf (end entity) cert
+ *
+ * iSign only: Extended key usage, optional for leaf,
+ * value CSSMOID_ExtendedUseCodeSigning
+ */
+ if((policy == kTPiSign) && certInfo[0].extendKeyUsage.present) {
+ extendUsage = &certInfo[0].extendKeyUsage.extnData->extendedKeyUsage;
+ if(extendUsage->numPurposes != 1) {
+ tpPolicyError("tp_policyVerify: bad extendUsage->numPurposes "
+ "(%d)",
+ (int)extendUsage->numPurposes);
+ if((certGroup->certAtIndex(0))->addStatusCode(
+ CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ if(!tpCompareOids(extendUsage->purposes,
+ &CSSMOID_ExtendedUseCodeSigning)) {
+ tpPolicyError("tp_policyVerify: bad extendKeyUsage");
+ if((certGroup->certAtIndex(0))->addStatusCode(
+ CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ }
+
+ /*
+ * Verify authorityId-->subjectId linkage.
+ * All optional - skip if needed fields not present.
+ * Also, always skip last (root) cert.
+ */
+ for(certDex=0; certDex<(numCerts-1); certDex++) {
+ if(!certInfo[certDex].authorityId.present ||
+ !certInfo[certDex+1].subjectId.present) {
+ continue;
+ }
+ authorityId = &certInfo[certDex].authorityId.extnData->authorityKeyID;
+ if(!authorityId->keyIdentifierPresent) {
+ /* we only know how to compare keyIdentifier */
+ continue;
+ }
+ if(!tpCompareCssmData(&authorityId->keyIdentifier,
+ &certInfo[certDex+1].subjectId.extnData->subjectKeyID)) {
+ tpPolicyError("tp_policyVerify: bad key ID linkage");
+ if((certGroup->certAtIndex(certDex))->addStatusCode(
+ CSSMERR_APPLETP_INVALID_ID_LINKAGE)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ }
+
+ /*
+ * Check signature algorithm on all non-root certs,
+ * reject if known to be untrusted
+ */
+ for(certDex=0; certDex<(numCerts-1); certDex++) {
+ if(certInfo[certDex].untrustedSigAlg) {
+ tpPolicyError("tp_policyVerify: untrusted signature algorithm");
+ if((certGroup->certAtIndex(certDex))->addStatusCode(
+ CSSMERR_TP_INVALID_CERTIFICATE)) {
+ policyFail = CSSM_TRUE;
+ }
+ }
+ }
+
+ /* specific per-policy checking */
+ switch(policy) {
+ case kTP_SSL:
+ case kTP_EAP:
+ case kTP_IPSec:
+ /*
+ * SSL, EAP, IPSec: optionally verify common name; all are identical
+ * other than their names.
+ * FIXME - should this be before or after the root cert test? How can
+ * we return both errors?
+ */
+ policyError = tp_verifySslOpts(policy, *certGroup, policyFieldData, certInfo);
+ break;
+
+ case kTP_iChat:
+ tpDebug("iChat policy");
+ /* fall thru */
+ case kTP_SMIME:
+ policyError = tp_verifySmimeOpts(policy, *certGroup, policyFieldData, certInfo);
+ break;
+ case kTP_SWUpdateSign:
+ policyError = tp_verifySWUpdateSigningOpts(*certGroup, policyFieldData, certInfo);
+ break;
+ case kTP_ResourceSign:
+ policyError = tp_verifyResourceSigningOpts(*certGroup, policyFieldData, certInfo);
+ break;
+ case kTP_CodeSigning:
+ case kTP_PackageSigning:
+ policyError = tp_verifyCodePkgSignOpts(policy, *certGroup, policyFieldData, certInfo);
+ break;
+ case kTP_MacAppStoreRec:
+ policyError = tp_verifyMacAppStoreReceiptOpts(*certGroup, policyFieldData, certInfo);
+ break;
+ case kTP_AppleIDSharing:
+ policyError = tp_verifyAppleIDSharingOpts(*certGroup, policyFieldData, certInfo);
+ break;
+ case kTP_TimeStamping:
+ policyError = tp_verifyTimeStampingOpts(*certGroup, policyFieldData, certInfo);
+ break;
+ case kTP_PassbookSigning:
+ policyError = tp_verifyPassbookSigningOpts(*certGroup, policyFieldData, certInfo);
+ break;
+ case kTP_MobileStore:
+ policyError = tp_verifyMobileStoreSigningOpts(*certGroup, policyFieldData, certInfo, false);
+ break;
+ case kTP_TestMobileStore:
+ policyError = tp_verifyMobileStoreSigningOpts(*certGroup, policyFieldData, certInfo, true);
+ break;
+ case kTP_EscrowService:
+ policyError = tp_verifyEscrowServiceSigningOpts(*certGroup, policyFieldData, certInfo);
+ break;
+ case kTP_ProfileSigning:
+ policyError = tp_verifyProfileSigningOpts(*certGroup, policyFieldData, certInfo, false);
+ break;
+ case kTP_QAProfileSigning:
+ policyError = tp_verifyProfileSigningOpts(*certGroup, policyFieldData, certInfo, true);
+ break;
+ case kTP_PCSEscrowService:
+ policyError = tp_verifyPCSEscrowServiceSigningOpts(*certGroup, policyFieldData, certInfo);
+ break;
+ case kTPx509Basic:
+ case kTPiSign:
+ case kCrlPolicy:
+ case kTP_PKINIT_Client:
+ default:
+ break;
+
+ }
+
+ if(outErr == CSSM_OK) {
+ /* policy-specific error takes precedence here */
+ if(policyError != CSSM_OK) {
+ outErr = policyError;
+ }
+ else if(policyFail) {
+ /* plain vanilla error return from this module */
+ outErr = CSSMERR_TP_VERIFY_ACTION_FAILED;
+ }
+ }
+errOut:
+ /* free resources */
+ for(certDex=0; certDex<numCerts; certDex++) {
+ thisCertInfo = &certInfo[certDex];
+ iSignFreeCertInfo(clHand, thisCertInfo);
+ }
+ tpFree(alloc, certInfo);
+ return outErr;
+}
+
+/*
+ * Obtain policy-specific User Trust parameters
+ */
+void tp_policyTrustSettingParams(
+ TPPolicy policy,
+ const CSSM_DATA *policyData, // optional
+ /* returned values - not mallocd */
+ const char **policyStr,
+ uint32 *policyStrLen,
+ SecTrustSettingsKeyUsage *keyUse)
+{
+ /* default values */
+ *policyStr = NULL;
+ *keyUse = kSecTrustSettingsKeyUseAny;
+
+ if((policyData == NULL) || (policyData->Data == NULL)) {
+ /* currently, no further action possible */
+ return;
+ }
+ switch(policy) {
+ case kTP_SSL:
+ case kTP_EAP:
+ case kTP_IPSec:
+ {
+ if(policyData->Length != sizeof(CSSM_APPLE_TP_SSL_OPTIONS)) {
+ /* this error will be caught later */
+ return;
+ }
+ CSSM_APPLE_TP_SSL_OPTIONS *sslOpts =
+ (CSSM_APPLE_TP_SSL_OPTIONS *)policyData->Data;
+ *policyStr = sslOpts->ServerName;
+ *policyStrLen = sslOpts->ServerNameLen;
+ if(sslOpts->Flags & CSSM_APPLE_TP_SSL_CLIENT) {
+ /*
+ * Client signs with its priv key. Server end,
+ * which (also) verifies the client cert, verifies.
+ */
+ *keyUse = kSecTrustSettingsKeyUseSignature;
+ }
+ else {
+ /* server decrypts */
+ *keyUse = kSecTrustSettingsKeyUseEnDecryptKey;
+ }
+ return;
+ }
+
+ case kTP_iChat:
+ case kTP_SMIME:
+ {
+ if(policyData->Length != sizeof(CSSM_APPLE_TP_SMIME_OPTIONS)) {
+ /* this error will be caught later */
+ return;
+ }
+ CSSM_APPLE_TP_SMIME_OPTIONS *smimeOpts =
+ (CSSM_APPLE_TP_SMIME_OPTIONS *)policyData->Data;
+ *policyStr = smimeOpts->SenderEmail;
+ *policyStrLen = smimeOpts->SenderEmailLen;
+ SecTrustSettingsKeyUsage ku = 0;
+ CE_KeyUsage smimeKu = smimeOpts->IntendedUsage;
+ if(smimeKu & (CE_KU_DigitalSignature | CE_KU_KeyCertSign | CE_KU_CRLSign)) {
+ ku |= kSecTrustSettingsKeyUseSignature;
+ }
+ if(smimeKu & (CE_KU_KeyEncipherment | CE_KU_DataEncipherment)) {
+ ku |= kSecTrustSettingsKeyUseEnDecryptKey;
+ }
+ *keyUse = ku;
+ return;
+ }
+
+ default:
+ /* no other options */
+ return;
+ }
+}
+
+#pragma clang diagnostic pop
projects / apple / security.git / blobdiff