--- /dev/null
+/*
+ * Copyright (c) 2001-2003,2011-2012,2014 Apple Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please
+ * obtain a copy of the License at http://www.apple.com/publicsource and
+ * read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ */
+
+/*
+ File: cuCdsaUtils.cpp
+
+ Description: common CDSA access utilities
+
+ Author: dmitch
+*/
+
+#include "cuCdsaUtils.h"
+#include <stdlib.h>
+#include <stdio.h>
+#include <Security/SecCertificate.h>
+#include <Security/cssmapple.h> /* for cssmPerror() */
+#include <Security/oidsalg.h>
+#include <Security/TrustSettingsSchema.h>
+#include <strings.h>
+
+static CSSM_VERSION vers = {2, 0};
+static const CSSM_GUID testGuid = { 0xFADE, 0, 0, { 1,2,3,4,5,6,7,0 }};
+
+/*
+ * Standard app-level memory functions required by CDSA.
+ */
+void * cuAppMalloc (CSSM_SIZE size, void *allocRef) {
+ return( malloc(size) );
+}
+
+void cuAppFree (void *mem_ptr, void *allocRef) {
+ free(mem_ptr);
+ return;
+}
+
+void * cuAppRealloc (void *ptr, CSSM_SIZE size, void *allocRef) {
+ return( realloc( ptr, size ) );
+}
+
+void * cuAppCalloc (uint32 num, CSSM_SIZE size, void *allocRef) {
+ return( calloc( num, size ) );
+}
+
+static CSSM_API_MEMORY_FUNCS memFuncs = {
+ cuAppMalloc,
+ cuAppFree,
+ cuAppRealloc,
+ cuAppCalloc,
+ NULL
+ };
+
+CSSM_BOOL cuCompareCssmData(const CSSM_DATA *d1,
+ const CSSM_DATA *d2)
+{
+ if(d1->Length != d2->Length) {
+ return CSSM_FALSE;
+ }
+ if(memcmp(d1->Data, d2->Data, d1->Length)) {
+ return CSSM_FALSE;
+ }
+ return CSSM_TRUE;
+}
+
+/*
+ * Init CSSM; returns CSSM_FALSE on error. Reusable.
+ */
+static CSSM_BOOL cssmInitd = CSSM_FALSE;
+
+CSSM_BOOL cuCssmStartup()
+{
+ CSSM_RETURN crtn;
+ CSSM_PVC_MODE pvcPolicy = CSSM_PVC_NONE;
+
+ if(cssmInitd) {
+ return CSSM_TRUE;
+ }
+ crtn = CSSM_Init (&vers,
+ CSSM_PRIVILEGE_SCOPE_NONE,
+ &testGuid,
+ CSSM_KEY_HIERARCHY_NONE,
+ &pvcPolicy,
+ NULL /* reserved */);
+ if(crtn != CSSM_OK)
+ {
+ cuPrintError("CSSM_Init", crtn);
+ return CSSM_FALSE;
+ }
+ else {
+ cssmInitd = CSSM_TRUE;
+ return CSSM_TRUE;
+ }
+}
+
+/*
+ * Attach to CSP. Returns zero on error.
+ */
+CSSM_CSP_HANDLE cuCspStartup(
+ CSSM_BOOL bareCsp) // true ==> CSP, false ==> CSP/DL
+{
+ CSSM_CSP_HANDLE cspHand;
+ CSSM_RETURN crtn;
+ const CSSM_GUID *guid;
+
+ /* common CSSM init */
+ if(cuCssmStartup() == CSSM_FALSE) {
+ return 0;
+ }
+ if(bareCsp) {
+ guid = &gGuidAppleCSP;
+ }
+ else {
+ guid = &gGuidAppleCSPDL;
+ }
+ crtn = CSSM_ModuleLoad(guid,
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, // eventHandler
+ NULL); // AppNotifyCallbackCtx
+ if(crtn) {
+ cuPrintError("CSSM_ModuleLoad()", crtn);
+ return 0;
+ }
+ crtn = CSSM_ModuleAttach (guid,
+ &vers,
+ &memFuncs, // memFuncs
+ 0, // SubserviceID
+ CSSM_SERVICE_CSP,
+ 0, // AttachFlags
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, // FunctionTable
+ 0, // NumFuncTable
+ NULL, // reserved
+ &cspHand);
+ if(crtn) {
+ cuPrintError("CSSM_ModuleAttach()", crtn);
+ return 0;
+ }
+ return cspHand;
+}
+
+/* Attach to DL side of CSPDL */
+CSSM_DL_HANDLE cuDlStartup()
+{
+ CSSM_DL_HANDLE dlHand = 0;
+ CSSM_RETURN crtn;
+
+ if(cuCssmStartup() == CSSM_FALSE) {
+ return 0;
+ }
+ crtn = CSSM_ModuleLoad(&gGuidAppleCSPDL,
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, // eventHandler
+ NULL); // AppNotifyCallbackCtx
+ if(crtn) {
+ cuPrintError("CSSM_ModuleLoad(Apple CSPDL)", crtn);
+ return 0;
+ }
+ crtn = CSSM_ModuleAttach (&gGuidAppleCSPDL,
+ &vers,
+ &memFuncs, // memFuncs
+ 0, // SubserviceID
+ CSSM_SERVICE_DL,
+ 0, // AttachFlags
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, // FunctionTable
+ 0, // NumFuncTable
+ NULL, // reserved
+ &dlHand);
+ if(crtn) {
+ cuPrintError("CSSM_ModuleAttach(Apple CSPDL)", crtn);
+ return 0;
+ }
+ return dlHand;
+}
+
+CSSM_CL_HANDLE cuClStartup()
+{
+ CSSM_CL_HANDLE clHand;
+ CSSM_RETURN crtn;
+
+ if(cuCssmStartup() == CSSM_FALSE) {
+ return 0;
+ }
+ crtn = CSSM_ModuleLoad(&gGuidAppleX509CL,
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, // eventHandler
+ NULL); // AppNotifyCallbackCtx
+ if(crtn) {
+ cuPrintError("CSSM_ModuleLoad(AppleCL)", crtn);
+ return 0;
+ }
+ crtn = CSSM_ModuleAttach (&gGuidAppleX509CL,
+ &vers,
+ &memFuncs, // memFuncs
+ 0, // SubserviceID
+ CSSM_SERVICE_CL, // SubserviceFlags - Where is this used?
+ 0, // AttachFlags
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, // FunctionTable
+ 0, // NumFuncTable
+ NULL, // reserved
+ &clHand);
+ if(crtn) {
+ cuPrintError("CSSM_ModuleAttach(AppleCL)", crtn);
+ return 0;
+ }
+ else {
+ return clHand;
+ }
+}
+
+CSSM_TP_HANDLE cuTpStartup()
+{
+ CSSM_TP_HANDLE tpHand;
+ CSSM_RETURN crtn;
+
+ if(cuCssmStartup() == CSSM_FALSE) {
+ return 0;
+ }
+ crtn = CSSM_ModuleLoad(&gGuidAppleX509TP,
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, // eventHandler
+ NULL); // AppNotifyCallbackCtx
+ if(crtn) {
+ cuPrintError("CSSM_ModuleLoad(AppleTP)", crtn);
+ return 0;
+ }
+ crtn = CSSM_ModuleAttach (&gGuidAppleX509TP,
+ &vers,
+ &memFuncs, // memFuncs
+ 0, // SubserviceID
+ CSSM_SERVICE_TP, // SubserviceFlags
+ 0, // AttachFlags
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, // FunctionTable
+ 0, // NumFuncTable
+ NULL, // reserved
+ &tpHand);
+ if(crtn) {
+ cuPrintError("CSSM_ModuleAttach(AppleTP)", crtn);
+ return 0;
+ }
+ else {
+ return tpHand;
+ }
+}
+
+/* detach and unload */
+CSSM_RETURN cuCspDetachUnload(
+ CSSM_CSP_HANDLE cspHand,
+ CSSM_BOOL bareCsp) // true ==> CSP, false ==> CSP/DL
+{
+ CSSM_RETURN crtn = CSSM_ModuleDetach(cspHand);
+ if(crtn) {
+ return crtn;
+ }
+ const CSSM_GUID *guid;
+ if(bareCsp) {
+ guid = &gGuidAppleCSP;
+ }
+ else {
+ guid = &gGuidAppleCSPDL;
+ }
+ return CSSM_ModuleUnload(guid, NULL, NULL);
+}
+
+CSSM_RETURN cuClDetachUnload(
+ CSSM_CL_HANDLE clHand)
+{
+ CSSM_RETURN crtn = CSSM_ModuleDetach(clHand);
+ if(crtn) {
+ return crtn;
+ }
+ return CSSM_ModuleUnload(&gGuidAppleX509CL, NULL, NULL);
+
+}
+
+CSSM_RETURN cuDlDetachUnload(
+ CSSM_DL_HANDLE dlHand)
+{
+ CSSM_RETURN crtn = CSSM_ModuleDetach(dlHand);
+ if(crtn) {
+ return crtn;
+ }
+ return CSSM_ModuleUnload(&gGuidAppleCSPDL, NULL, NULL);
+
+}
+CSSM_RETURN cuTpDetachUnload(
+ CSSM_TP_HANDLE tpHand)
+{
+ CSSM_RETURN crtn = CSSM_ModuleDetach(tpHand);
+ if(crtn) {
+ return crtn;
+ }
+ return CSSM_ModuleUnload(&gGuidAppleX509TP, NULL, NULL);
+
+}
+
+/*
+ * open a DB, ensure it's empty.
+ */
+CSSM_DB_HANDLE cuDbStartup(
+ CSSM_DL_HANDLE dlHand, // from dlStartup()
+ const char *dbName)
+{
+ CSSM_DB_HANDLE dbHand = 0;
+ CSSM_RETURN crtn;
+ CSSM_DBINFO dbInfo;
+
+ /* first delete possible existing DB, ignore error */
+ crtn = CSSM_DL_DbDelete(dlHand, dbName, NULL, NULL);
+ switch(crtn) {
+ /* only allowed error is "no such file" */
+ case CSSM_OK:
+ case CSSMERR_DL_DATASTORE_DOESNOT_EXIST:
+ break;
+ default:
+ cuPrintError("CSSM_DL_DbDelete", crtn);
+ return 0;
+ }
+
+ memset(&dbInfo, 0, sizeof(CSSM_DBINFO));
+
+ /* now create it */
+ crtn = CSSM_DL_DbCreate(dlHand,
+ dbName,
+ NULL, // DbLocation
+ &dbInfo,
+ // &Security::KeychainCore::Schema::DBInfo,
+ CSSM_DB_ACCESS_PRIVILEGED,
+ NULL, // CredAndAclEntry
+ NULL, // OpenParameters
+ &dbHand);
+ if(crtn) {
+ cuPrintError("CSSM_DL_DbCreate", crtn);
+ }
+ return dbHand;
+}
+
+/*
+ * Attach to existing DB or create an empty new one.
+ */
+CSSM_DB_HANDLE cuDbStartupByName(CSSM_DL_HANDLE dlHand,
+ char *dbName,
+ CSSM_BOOL doCreate,
+ CSSM_BOOL quiet)
+{
+ CSSM_RETURN crtn;
+ CSSM_DB_HANDLE dbHand;
+
+ /* try open existing DB in either case */
+
+ crtn = CSSM_DL_DbOpen(dlHand,
+ dbName,
+ NULL, // DbLocation
+ CSSM_DB_ACCESS_READ | CSSM_DB_ACCESS_WRITE,
+ NULL, // CSSM_ACCESS_CREDENTIALS *AccessCred
+ NULL, // void *OpenParameters
+ &dbHand);
+ if(crtn == CSSM_OK) {
+ return dbHand;
+ }
+ if(!doCreate) {
+ if(!quiet) {
+ printf("***no such data base (%s)\n", dbName);
+ cuPrintError("CSSM_DL_DbOpen", crtn);
+ }
+ return 0;
+ }
+ /* have to create one */
+ return cuDbStartup(dlHand, dbName);
+}
+
+/*
+ * Given a context specified via a CSSM_CC_HANDLE, add a new
+ * CSSM_CONTEXT_ATTRIBUTE to the context as specified by AttributeType,
+ * AttributeLength, and an untyped pointer.
+ */
+static
+CSSM_RETURN cuAddContextAttribute(CSSM_CC_HANDLE CCHandle,
+ uint32 AttributeType,
+ uint32 AttributeLength,
+ const void *AttributePtr)
+{
+ CSSM_CONTEXT_ATTRIBUTE newAttr;
+ CSSM_RETURN crtn;
+
+ newAttr.AttributeType = AttributeType;
+ newAttr.AttributeLength = AttributeLength;
+ newAttr.Attribute.Data = (CSSM_DATA_PTR)AttributePtr;
+ crtn = CSSM_UpdateContextAttributes(CCHandle, 1, &newAttr);
+ if(crtn) {
+ cuPrintError("CSSM_UpdateContextAttributes", crtn);
+ }
+ return crtn;
+}
+
+
+/*
+ * Derive symmetric key.
+ * Note in the X CSP, we never return an IV.
+ */
+CSSM_RETURN cuCspDeriveKey(CSSM_CSP_HANDLE cspHand,
+ uint32 keyAlg, // CSSM_ALGID_RC5, etc.
+ const char *keyLabel,
+ unsigned keyLabelLen,
+ uint32 keyUsage, // CSSM_KEYUSE_ENCRYPT, etc.
+ uint32 keySizeInBits,
+ CSSM_DATA_PTR password, // in PKCS-5 lingo
+ CSSM_DATA_PTR salt, // ditto
+ uint32 iterationCnt, // ditto
+ CSSM_KEY_PTR key)
+{
+ CSSM_RETURN crtn;
+ CSSM_CC_HANDLE ccHand;
+ uint32 keyAttr;
+ CSSM_DATA dummyLabel;
+ CSSM_PKCS5_PBKDF2_PARAMS pbeParams;
+ CSSM_DATA pbeData;
+ CSSM_ACCESS_CREDENTIALS creds;
+
+ memset(key, 0, sizeof(CSSM_KEY));
+ memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
+ crtn = CSSM_CSP_CreateDeriveKeyContext(cspHand,
+ CSSM_ALGID_PKCS5_PBKDF2,
+ keyAlg,
+ keySizeInBits,
+ &creds,
+ NULL, // BaseKey
+ iterationCnt,
+ salt,
+ NULL, // seed
+ &ccHand);
+ if(crtn) {
+ cuPrintError("CSSM_CSP_CreateDeriveKeyContext", crtn);
+ return crtn;
+ }
+ keyAttr = CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_RETURN_REF |
+ CSSM_KEYATTR_SENSITIVE;
+ dummyLabel.Length = keyLabelLen;
+ dummyLabel.Data = (uint8 *)keyLabel;
+
+ /* passing in password is pretty strange....*/
+ pbeParams.Passphrase = *password;
+ pbeParams.PseudoRandomFunction = CSSM_PKCS5_PBKDF2_PRF_HMAC_SHA1;
+ pbeData.Data = (uint8 *)&pbeParams;
+ pbeData.Length = sizeof(pbeParams);
+ crtn = CSSM_DeriveKey(ccHand,
+ &pbeData,
+ keyUsage,
+ keyAttr,
+ &dummyLabel,
+ NULL, // cred and acl
+ key);
+ if(crtn) {
+ cuPrintError("CSSM_DeriveKey", crtn);
+ return crtn;
+ }
+ crtn = CSSM_DeleteContext(ccHand);
+ if(crtn) {
+ cuPrintError("CSSM_DeleteContext", crtn);
+ }
+ return crtn;
+}
+
+/*
+ * Generate key pair of arbitrary algorithm.
+ */
+
+/* CSP DL currently does not perform DSA generate params; let CSP do it implicitly */
+#define DO_DSA_GEN_PARAMS 0
+
+CSSM_RETURN cuCspGenKeyPair(CSSM_CSP_HANDLE cspHand,
+ CSSM_DL_DB_HANDLE *dlDbHand, // optional
+ uint32 algorithm,
+ const char *keyLabel,
+ unsigned keyLabelLen,
+ uint32 keySize, // in bits
+ CSSM_KEY_PTR pubKey, // mallocd by caller
+ CSSM_KEYUSE pubKeyUsage, // CSSM_KEYUSE_ENCRYPT, etc.
+ CSSM_KEYATTR_FLAGS pubAttrs, // CSSM_KEYATTR_EXTRACTABLE, etc.
+ CSSM_KEY_PTR privKey, // mallocd by caller
+ CSSM_KEYUSE privKeyUsage, // CSSM_KEYUSE_DECRYPT, etc.
+ CSSM_KEYATTR_FLAGS privAttrs) // CSSM_KEYATTR_EXTRACTABLE, etc.
+{
+ CSSM_RETURN crtn;
+ CSSM_RETURN ocrtn;
+ CSSM_CC_HANDLE ccHand;
+ CSSM_DATA keyLabelData;
+
+ keyLabelData.Data = (uint8 *)keyLabel,
+ keyLabelData.Length = keyLabelLen;
+ memset(pubKey, 0, sizeof(CSSM_KEY));
+ memset(privKey, 0, sizeof(CSSM_KEY));
+
+ crtn = CSSM_CSP_CreateKeyGenContext(cspHand,
+ algorithm,
+ keySize,
+ NULL, // Seed
+ NULL, // Salt
+ NULL, // StartDate
+ NULL, // EndDate
+ NULL, // Params
+ &ccHand);
+ if(crtn) {
+ cuPrintError("CSSM_CSP_CreateKeyGenContext", crtn);
+ return crtn;
+ }
+
+ /* post-context-create algorithm-specific stuff */
+ switch(algorithm) {
+ #if DO_DSA_GEN_PARAMS
+ case CSSM_ALGID_DSA:
+ /*
+ * extra step - generate params - this just adds some
+ * info to the context
+ */
+ {
+ CSSM_DATA dummy = {0, NULL};
+ crtn = CSSM_GenerateAlgorithmParams(ccHand,
+ keySize, &dummy);
+ if(crtn) {
+ cuPrintError("CSSM_GenerateAlgorithmParams", crtn);
+ CSSM_DeleteContext(ccHand);
+ return crtn;
+ }
+ cuAppFree(dummy.Data, NULL);
+ }
+ break;
+ #endif /* DO_DSA_GEN_PARAMS */
+ default:
+ break;
+ }
+
+ /* optionally specify DL/DB storage location */
+ if(dlDbHand) {
+ crtn = cuAddContextAttribute(ccHand,
+ CSSM_ATTRIBUTE_DL_DB_HANDLE,
+ sizeof(CSSM_ATTRIBUTE_DL_DB_HANDLE),
+ dlDbHand);
+ if(crtn) {
+ CSSM_DeleteContext(ccHand);
+ return crtn;
+ }
+ }
+ ocrtn = CSSM_GenerateKeyPair(ccHand,
+ pubKeyUsage,
+ pubAttrs,
+ &keyLabelData,
+ pubKey,
+ privKeyUsage,
+ privAttrs,
+ &keyLabelData, // same labels
+ NULL, // CredAndAclEntry
+ privKey);
+ if(ocrtn) {
+ cuPrintError("CSSM_GenerateKeyPair", ocrtn);
+ }
+ crtn = CSSM_DeleteContext(ccHand);
+ if(crtn) {
+ cuPrintError("CSSM_DeleteContext", crtn);
+ if(ocrtn == CSSM_OK) {
+ /* error on CSSM_GenerateKeyPair takes precedence */
+ ocrtn = crtn;
+ }
+ }
+ return ocrtn;
+}
+
+
+/*
+ * Add a certificate to an open Keychain.
+ */
+CSSM_RETURN cuAddCertToKC(
+ SecKeychainRef keychain,
+ const CSSM_DATA *cert,
+ CSSM_CERT_TYPE certType,
+ CSSM_CERT_ENCODING certEncoding,
+ const char *printName, // C string
+ const CSSM_DATA *keyLabel) // ??
+{
+ SecCertificateRef certificate;
+
+ OSStatus rslt = SecCertificateCreateFromData(cert, certType, certEncoding, &certificate);
+ if (!rslt)
+ {
+ rslt = SecCertificateAddToKeychain(certificate, keychain);
+ CFRelease(certificate);
+ }
+
+ return rslt;
+}
+
+/*
+ * Convert a CSSM_DATA_PTR, referring to a DER-encoded int, to an
+ * unsigned.
+ */
+unsigned cuDER_ToInt(const CSSM_DATA *DER_Data)
+{
+ uint32 rtn = 0;
+ unsigned i = 0;
+
+ while(i < DER_Data->Length) {
+ rtn |= DER_Data->Data[i];
+ if(++i == DER_Data->Length) {
+ break;
+ }
+ rtn <<= 8;
+ }
+ return rtn;
+}
+
+/*
+ * Log CSSM error.
+ */
+void cuPrintError(const char *op, CSSM_RETURN err)
+{
+ cssmPerror(op, err);
+}
+
+/*
+ * Verify a CRL against system anchors and intermediate certs.
+ */
+CSSM_RETURN cuCrlVerify(
+ CSSM_TP_HANDLE tpHand,
+ CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ const CSSM_DATA *crlData,
+ CSSM_DL_DB_HANDLE_PTR certKeychain, // intermediate certs
+ const CSSM_DATA *anchors, // optional - if NULL, use Trust Settings
+ uint32 anchorCount)
+{
+ /* main job is building a CSSM_TP_VERIFY_CONTEXT and its components */
+ CSSM_TP_VERIFY_CONTEXT vfyCtx;
+ CSSM_TP_CALLERAUTH_CONTEXT authCtx;
+
+ memset(&vfyCtx, 0, sizeof(CSSM_TP_VERIFY_CONTEXT));
+ memset(&authCtx, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
+
+ /* CSSM_TP_CALLERAUTH_CONTEXT components */
+ /*
+ typedef struct cssm_tp_callerauth_context {
+ CSSM_TP_POLICYINFO Policy;
+ CSSM_TIMESTRING VerifyTime;
+ CSSM_TP_STOP_ON VerificationAbortOn;
+ CSSM_TP_VERIFICATION_RESULTS_CALLBACK CallbackWithVerifiedCert;
+ uint32 NumberOfAnchorCerts;
+ CSSM_DATA_PTR AnchorCerts;
+ CSSM_DL_DB_LIST_PTR DBList;
+ CSSM_ACCESS_CREDENTIALS_PTR CallerCredentials;
+ } CSSM_TP_CALLERAUTH_CONTEXT, *CSSM_TP_CALLERAUTH_CONTEXT_PTR;
+ */
+ CSSM_FIELD policyId;
+ CSSM_APPLE_TP_CRL_OPTIONS crlOpts;
+ policyId.FieldOid = CSSMOID_APPLE_TP_REVOCATION_CRL;
+ policyId.FieldValue.Data = (uint8 *)&crlOpts;
+ policyId.FieldValue.Length = sizeof(crlOpts);
+ crlOpts.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
+ /* perhaps this should be user-specifiable */
+ crlOpts.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET;
+ crlOpts.crlStore = NULL;
+
+ authCtx.Policy.NumberOfPolicyIds = 1;
+ authCtx.Policy.PolicyIds = &policyId;
+ authCtx.Policy.PolicyControl = NULL;
+
+ authCtx.VerifyTime = NULL;
+ authCtx.VerificationAbortOn = CSSM_TP_STOP_ON_POLICY;
+ authCtx.CallbackWithVerifiedCert = NULL;
+
+ /* anchors */
+ authCtx.NumberOfAnchorCerts = anchorCount;
+ authCtx.AnchorCerts = const_cast<CSSM_DATA_PTR>(anchors);
+
+ /* DBList of intermediate certs, plus possible System.keychain and
+ * system roots */
+ CSSM_DL_DB_HANDLE handles[3];
+ unsigned numDbs = 0;
+ CSSM_DL_HANDLE dlHand = 0;
+ if(certKeychain != NULL) {
+ handles[0] = *certKeychain;
+ numDbs++;
+ }
+ if(anchors == NULL) {
+ /* Trust Settings requires two more DBs */
+ if(numDbs == 0) {
+ /* new DL handle */
+ dlHand = cuDlStartup();
+ handles[numDbs].DLHandle = dlHand;
+ handles[numDbs + 1].DLHandle = dlHand;
+ }
+ else {
+ /* use the same one passed in for certKeychain */
+ handles[numDbs].DLHandle = handles[0].DLHandle;
+ handles[numDbs + 1].DLHandle = handles[0].DLHandle;
+ }
+ handles[numDbs].DBHandle = cuDbStartupByName(handles[numDbs].DLHandle,
+ (char*) ADMIN_CERT_STORE_PATH, CSSM_FALSE, CSSM_TRUE);
+ numDbs++;
+
+ handles[numDbs].DBHandle = cuDbStartupByName(handles[numDbs].DLHandle,
+ (char*) SYSTEM_ROOT_STORE_PATH, CSSM_FALSE, CSSM_TRUE);
+ numDbs++;
+ }
+ CSSM_DL_DB_LIST dlDbList;
+ dlDbList.DLDBHandle = handles;
+ dlDbList.NumHandles = numDbs;
+
+ authCtx.DBList = &dlDbList;
+ authCtx.CallerCredentials = NULL;
+
+ /* CSSM_TP_VERIFY_CONTEXT */
+ vfyCtx.ActionData.Data = NULL;
+ vfyCtx.ActionData.Length = 0;
+ vfyCtx.Action = CSSM_TP_ACTION_DEFAULT;
+ vfyCtx.Cred = &authCtx;
+
+ /* CSSM_APPLE_TP_ACTION_DATA */
+ CSSM_APPLE_TP_ACTION_DATA tpAction;
+ if(anchors == NULL) {
+ /* enable Trust Settings */
+ tpAction.Version = CSSM_APPLE_TP_ACTION_VERSION;
+ tpAction.ActionFlags = CSSM_TP_ACTION_TRUST_SETTINGS;
+ vfyCtx.ActionData.Data = (uint8 *)&tpAction;
+ vfyCtx.ActionData.Length = sizeof(tpAction);
+ }
+
+ /* cook up CSSM_ENCODED_CRL */
+ CSSM_ENCODED_CRL encCrl;
+ encCrl.CrlType = CSSM_CRL_TYPE_X_509v2;
+ encCrl.CrlEncoding = CSSM_CRL_ENCODING_DER;
+ encCrl.CrlBlob = *crlData;
+
+ /* CDSA API requires a SignerCertGroup; for us, all the certs are in
+ * certKeyChain... */
+ CSSM_CERTGROUP certGroup;
+ certGroup.CertType = CSSM_CERT_X_509v1;
+ certGroup.CertEncoding = CSSM_CERT_ENCODING_DER;
+ certGroup.NumCerts = 0;
+ certGroup.GroupList.CertList = NULL;
+ certGroup.CertGroupType = CSSM_CERTGROUP_DATA;
+
+ CSSM_RETURN crtn = CSSM_TP_CrlVerify(tpHand,
+ clHand,
+ cspHand,
+ &encCrl,
+ &certGroup,
+ &vfyCtx,
+ NULL); // RevokerVerifyResult
+ if(crtn) {
+ cuPrintError("CSSM_TP_CrlVerify", crtn);
+ }
+ if(anchors == NULL) {
+ /* close the DBs and maybe the DL we opened */
+ unsigned dexToClose = (certKeychain == NULL) ? 0 : 1;
+ CSSM_DL_DbClose(handles[dexToClose++]);
+ CSSM_DL_DbClose(handles[dexToClose]);
+ if(dlHand != 0) {
+ cuDlDetachUnload(dlHand);
+ }
+ }
+ return crtn;
+}
+
projects / apple / security.git / blobdiff