--- /dev/null
+/*
+ * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+//
+// CertificateRequest.cpp
+//
+#include <security_keychain/CertificateRequest.h>
+#include <Security/oidsalg.h>
+#include <Security/SecKey.h>
+#include <Security/SecKeyPriv.h>
+#include <Security/cssmapi.h>
+#include <string.h>
+#include <dotMacTp.h>
+#include <Security/oidsattr.h>
+#include <security_utilities/simpleprefs.h>
+#include <SecBase.h>
+
+/* one top-level prefs file for all of .mac cert requests */
+#define DOT_MAC_REQ_PREFS "com.apple.security.certreq"
+
+/*
+ * Within that dictionary is a set of per-policy dictionaries; the key in the
+ * top-level prefs for these dictionaries is the raw policy OID data encoded
+ * as an ASCII string.
+ *
+ * Within one per-policy dictionary exists a number of per-user dictionaries,
+ * with the username key as a string. Note that this user name, the one passed to the
+ * .mac server, does NOT have to have any relation to the current Unix user name; one
+ * Unix user can have multiple .mac accounts.
+ *
+ *
+ * Within the per-policy, per user dictionary are these two values, both stored
+ * as raw data (CFData) blobs.
+ */
+#define DOT_MAC_REF_ID_KEY "refId"
+#define DOT_MAC_CERT_KEY "certificate"
+
+/* Domain for .mac cert requests */
+#define DOT_MAC_DOMAIN_KEY "domain"
+#define DOT_MAC_DOMAIN "mac.com"
+
+/* Hosts for .mac cert requests */
+#define DOT_MAC_MGMT_HOST "certmgmt"
+#define DOT_MAC_INFO_HOST "certinfo"
+
+/*
+ * Compare two CSSM_DATAs (or two CSSM_OIDs), return true if identical.
+ */
+static
+bool nssCompareCssmData(
+ const CSSM_DATA *data1,
+ const CSSM_DATA *data2)
+{
+ if((data1 == NULL) || (data1->Data == NULL) ||
+ (data2 == NULL) || (data2->Data == NULL) ||
+ (data1->Length != data2->Length)) {
+ return false;
+ }
+ if(data1->Length != data2->Length) {
+ return false;
+ }
+ if(memcmp(data1->Data, data2->Data, data1->Length) == 0) {
+ return true;
+ }
+ else {
+ return false;
+ }
+}
+
+/* any nonzero value means true */
+static bool attrBoolValue(
+ const SecCertificateRequestAttribute *attr)
+{
+ if((attr->value.Data != NULL) &&
+ (attr->value.Length != 0) &&
+ (attr->value.Data[0] != 0)) {
+ return true;
+ }
+ else {
+ return false;
+ }
+}
+
+static void tokenizeName(
+ const CSSM_DATA *inName, /* required */
+ CSSM_DATA *outName, /* required */
+ CSSM_DATA *outDomain) /* optional */
+{
+ if (!inName || !outName) return;
+ CSSM_SIZE idx = 0;
+ CSSM_SIZE stopIdx = inName->Length;
+ uint8 *p = inName->Data;
+ *outName = *inName;
+ if (outDomain) {
+ outDomain->Length = idx;
+ outDomain->Data = p;
+ }
+ if (!p) return;
+ while (idx < stopIdx) {
+ if (*p++ == '@') {
+ outName->Length = idx;
+ if (outDomain) {
+ outDomain->Length = inName->Length - (idx + 1);
+ outDomain->Data = p;
+ }
+ break;
+ }
+ idx++;
+ }
+}
+
+using namespace KeychainCore;
+
+CertificateRequest::CertificateRequest(const CSSM_OID &policy,
+ CSSM_CERT_TYPE certificateType,
+ CSSM_TP_AUTHORITY_REQUEST_TYPE requestType,
+ SecKeyRef privateKeyItemRef,
+ SecKeyRef publicKeyItemRef,
+ const SecCertificateRequestAttributeList *attributeList,
+ bool isNew /* = true */)
+ : mAlloc(Allocator::standard()),
+ mTP(gGuidAppleDotMacTP),
+ mCL(gGuidAppleX509CL),
+ mPolicy(mAlloc, policy.Data, policy.Length),
+ mCertType(certificateType),
+ mReqType(requestType),
+ mPrivKey(NULL),
+ mPubKey(NULL),
+ mEstTime(0),
+ mRefId(mAlloc),
+ mCertState(isNew ? CRS_New : CRS_Reconstructed),
+ mCertData(mAlloc),
+ mUserName(mAlloc),
+ mPassword(mAlloc),
+ mHostName(mAlloc),
+ mDomain(mAlloc),
+ mDoRenew(false),
+ mIsAsync(false),
+ mMutex(Mutex::recursive)
+{
+ StLock<Mutex>_(mMutex);
+ certReqDbg("CertificateRequest construct");
+
+ /* Validate policy OID. */
+ if(!(nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_IDENTITY, &policy) ||
+ nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_EMAIL_SIGN, &policy) ||
+ nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_EMAIL_ENCRYPT, &policy) ||
+ nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_SHARED_SERVICES, &policy))) {
+ certReqDbg("CertificateRequest(): unknown policy oid");
+ MacOSError::throwMe(errSecParam);
+ }
+ if(privateKeyItemRef) {
+ mPrivKey = privateKeyItemRef;
+ CFRetain(mPrivKey);
+ }
+ if(publicKeyItemRef) {
+ mPubKey = publicKeyItemRef;
+ CFRetain(mPubKey);
+ }
+
+ /* parse attr array */
+ if(attributeList == NULL) {
+ return;
+ }
+
+ bool doPendingRequest = false;
+ for(unsigned dex=0; dex<attributeList->count; dex++) {
+ const SecCertificateRequestAttribute *attr = &attributeList->attr[dex];
+
+ if((attr->oid.Data == NULL) || (attr->value.Data == NULL)) {
+ MacOSError::throwMe(errSecParam);
+ }
+ if(nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_VALUE_USERNAME, &attr->oid)) {
+ CSSM_DATA userName = { 0, NULL };
+ CSSM_DATA domainName = { 0, NULL };
+ tokenizeName(&attr->value, &userName, &domainName);
+ if (!domainName.Length || !domainName.Data) {
+ domainName.Length = strlen(DOT_MAC_DOMAIN);
+ domainName.Data = (uint8*) DOT_MAC_DOMAIN;
+ }
+ mUserName.copy(userName);
+ mDomain.copy(domainName);
+ }
+ else if(nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_VALUE_PASSWORD, &attr->oid)) {
+ mPassword.copy(attr->value);
+ }
+ else if(nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_VALUE_HOSTNAME, &attr->oid)) {
+ mHostName.copy(attr->value);
+ }
+ else if(nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_VALUE_RENEW, &attr->oid)) {
+ /*
+ * any nonzero value means true
+ * FIXME: this is deprecated, Treadstone doesn't allow this. Reject this
+ * request? Ignore?
+ */
+ mDoRenew = attrBoolValue(attr);
+ }
+ else if(nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_VALUE_ASYNC, &attr->oid)) {
+ /* any nonzero value means true */
+ mIsAsync = attrBoolValue(attr);
+ }
+ else if(nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_VALUE_IS_PENDING, &attr->oid)) {
+ /* any nonzero value means true */
+ doPendingRequest = attrBoolValue(attr);
+ }
+
+ else {
+ certReqDbg("CertificateRequest(): unknown name/value oid");
+ MacOSError::throwMe(errSecParam);
+ }
+ }
+ if(mCertState == CRS_Reconstructed) {
+ /* see if we have a refId or maybe even a cert in prefs */
+ retrieveResults();
+ if(mCertData.data() != NULL) {
+ mCertState = CRS_HaveCert;
+ }
+ else if(mRefId.data() != NULL) {
+ mCertState = CRS_HaveRefId;
+ }
+ else if(doPendingRequest) {
+ /* ask the server if there's a request pending */
+ postPendingRequest();
+ /* NOT REACHED - that always throws */
+ }
+ else {
+ certReqDbg("CertificateRequest(): nothing in prefs");
+ /* Nothing found in prefs; nothing to go by */
+ MacOSError::throwMe(errSecItemNotFound);
+ }
+ }
+}
+
+CertificateRequest::~CertificateRequest() throw()
+{
+ StLock<Mutex>_(mMutex);
+ certReqDbg("CertificateRequest destruct");
+
+ if(mPrivKey) {
+ CFRelease(mPrivKey);
+ }
+ if(mPubKey) {
+ CFRelease(mPubKey);
+ }
+}
+
+#pragma mark ----- cert request submit -----
+
+void CertificateRequest::submit(
+ sint32 *estimatedTime)
+{
+ StLock<Mutex>_(mMutex);
+ CSSM_DATA &policy = mPolicy.get();
+ if(nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_IDENTITY, &policy) ||
+ nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_EMAIL_SIGN, &policy) ||
+ nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_EMAIL_ENCRYPT, &policy) ||
+ nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_SHARED_SERVICES, &policy)) {
+ return submitDotMac(estimatedTime);
+ }
+ else {
+ /* shouldn't be here, we already validated policy in constructor */
+ assert(0);
+ certReqDbg("CertificateRequest::submit(): bad policy");
+ MacOSError::throwMe(errSecParam);
+ }
+}
+
+void CertificateRequest::submitDotMac(
+ sint32 *estimatedTime)
+{
+ StLock<Mutex>_(mMutex);
+ CSSM_RETURN crtn;
+ CSSM_TP_AUTHORITY_ID tpAuthority;
+ CSSM_TP_AUTHORITY_ID *tpAuthPtr = NULL;
+ CSSM_NET_ADDRESS tpNetAddrs;
+ CSSM_APPLE_DOTMAC_TP_CERT_REQUEST certReq;
+ CSSM_TP_REQUEST_SET reqSet;
+ CSSM_CSP_HANDLE cspHand = 0;
+ CSSM_X509_TYPE_VALUE_PAIR tvp;
+ CSSM_TP_CALLERAUTH_CONTEXT callerAuth;
+ CSSM_FIELD policyField;
+ CSSM_DATA refId = {0, NULL};
+ const CSSM_KEY *privKey;
+ const CSSM_KEY *pubKey;
+ OSStatus ortn;
+
+ if(mCertState != CRS_New) {
+ certReqDbg("CertificateRequest: can only submit a new request");
+ MacOSError::throwMe(errSecParam);
+ }
+ if((mUserName.data() == NULL) || (mPassword.data() == NULL)) {
+ certReqDbg("CertificateRequest: user name and password required");
+ MacOSError::throwMe(errSecParam);
+ }
+
+ /* get keys and CSP handle in CSSM terms */
+ if((mPrivKey == NULL) || (mPubKey == NULL)) {
+ certReqDbg("CertificateRequest: pub and priv keys required");
+ MacOSError::throwMe(errSecParam);
+ }
+ ortn = SecKeyGetCSSMKey(mPrivKey, &privKey);
+ if(ortn) {
+ MacOSError::throwMe(ortn);
+ }
+ ortn = SecKeyGetCSSMKey(mPubKey, &pubKey);
+ if(ortn) {
+ MacOSError::throwMe(ortn);
+ }
+ ortn = SecKeyGetCSPHandle(mPrivKey, &cspHand);
+ if(ortn) {
+ MacOSError::throwMe(ortn);
+ }
+
+ /*
+ * CSSM_X509_TYPE_VALUE_PAIR_PTR - one pair for now.
+ * Caller passes in user name like "johnsmith"; in the CSR,
+ * we write "johnsmith@mac.com".
+ */
+ tvp.type = CSSMOID_CommonName;
+ tvp.valueType = BER_TAG_PKIX_UTF8_STRING;
+ CssmAutoData fullUserName(mAlloc);
+ size_t nameLen = mUserName.length();
+ size_t domainLen = mDomain.length();
+ fullUserName.malloc(nameLen + 1 + domainLen);
+ tvp.value = fullUserName.get();
+ memmove(tvp.value.Data, mUserName.data(), nameLen);
+ memmove(tvp.value.Data + nameLen, "@", 1);
+ memmove(tvp.value.Data + nameLen + 1, mDomain.data(), domainLen);
+
+ /* Fill in the CSSM_APPLE_DOTMAC_TP_CERT_REQUEST */
+ memset(&certReq, 0, sizeof(certReq));
+ certReq.version = CSSM_DOT_MAC_TP_REQ_VERSION;
+ certReq.cspHand = cspHand;
+ certReq.clHand = mCL->handle();
+ certReq.numTypeValuePairs = 1;
+ certReq.typeValuePairs = &tvp;
+ certReq.publicKey = const_cast<CSSM_KEY_PTR>(pubKey);
+ certReq.privateKey = const_cast<CSSM_KEY_PTR>(privKey);
+ certReq.userName = mUserName.get();
+ certReq.password = mPassword.get();
+ if(mDoRenew) {
+ certReq.flags |= CSSM_DOTMAC_TP_SIGN_RENEW;
+ }
+ /* we don't deal with CSR here, input or output */
+
+ /* now the rest of the args for CSSM_TP_SubmitCredRequest() */
+ reqSet.Requests = &certReq;
+ reqSet.NumberOfRequests = 1;
+ policyField.FieldOid = mPolicy;
+ policyField.FieldValue.Data = NULL;
+ policyField.FieldValue.Length = 0;
+ memset(&callerAuth, 0, sizeof(callerAuth));
+ callerAuth.Policy.NumberOfPolicyIds = 1;
+ callerAuth.Policy.PolicyIds = &policyField;
+ ortn = SecKeyGetCredentials(mPrivKey,
+ CSSM_ACL_AUTHORIZATION_SIGN,
+ kSecCredentialTypeDefault,
+ const_cast<const CSSM_ACCESS_CREDENTIALS **>(&callerAuth.CallerCredentials));
+ if(ortn) {
+ certReqDbg("CertificateRequest: SecKeyGetCredentials error");
+ MacOSError::throwMe(ortn);
+ }
+
+ CssmAutoData hostName(mAlloc);
+ tpAuthority.AuthorityCert = NULL;
+ tpAuthority.AuthorityLocation = &tpNetAddrs;
+ tpNetAddrs.AddressType = CSSM_ADDR_NAME;
+ if(mHostName.data() != NULL) {
+ tpNetAddrs.Address = mHostName.get();
+ } else {
+ unsigned hostLen = strlen(DOT_MAC_MGMT_HOST);
+ hostName.malloc(hostLen + 1 + domainLen);
+ tpNetAddrs.Address = hostName.get();
+ memmove(tpNetAddrs.Address.Data, DOT_MAC_MGMT_HOST, hostLen);
+ memmove(tpNetAddrs.Address.Data + hostLen, ".", 1);
+ memmove(tpNetAddrs.Address.Data + hostLen + 1, mDomain.data(), domainLen);
+ }
+ tpAuthPtr = &tpAuthority;
+
+ /* go */
+ crtn = CSSM_TP_SubmitCredRequest(mTP->handle(),
+ tpAuthPtr,
+ CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
+ &reqSet,
+ &callerAuth,
+ &mEstTime,
+ &refId); // CSSM_DATA_PTR ReferenceIdentifier
+
+ /* handle return, store results */
+ switch(crtn) {
+ case CSSM_OK:
+ /* refID is a cert, we have to store it in prefs for later retrieval. */
+ certReqDbg("submitDotMac: full success, storing cert");
+ if(!mIsAsync) {
+ /* store in prefs if not running in async mode */
+ ortn = storeResults(NULL, &refId);
+ if(ortn) {
+ crtn = ortn;
+ }
+ }
+ /* but keep a local copy too */
+ mCertData.copy(refId);
+ mCertState = CRS_HaveCert;
+ if(estimatedTime) {
+ /* it's ready right now */
+ *estimatedTime = 0;
+ }
+ break;
+
+ case CSSMERR_APPLE_DOTMAC_REQ_QUEUED:
+ /* refID is the blob we use in CSSM_TP_RetrieveCredResult() */
+ certReqDbg("submitDotMac: queued, storing refId");
+ mRefId.copy(refId);
+ /* return success - this crtn is not visible at API */
+ crtn = CSSM_OK;
+ if(!mIsAsync) {
+ /* store in prefs if not running in async mode */
+ ortn = storeResults(&refId, NULL);
+ if(ortn) {
+ crtn = ortn;
+ }
+ }
+ mCertState = CRS_HaveRefId;
+ if(estimatedTime) {
+ *estimatedTime = mEstTime;
+ }
+ break;
+
+ case CSSMERR_APPLE_DOTMAC_REQ_REDIRECT:
+ /* refID is a URL, caller obtains via getReturnData() */
+ certReqDbg("submitDotMac: redirect");
+ mRefId.copy(refId);
+ mCertState = CRS_HaveOtherData;
+ break;
+
+ default:
+ /* all others are fatal errors, thrown below */
+ break;
+ }
+ if(refId.Data) {
+ /* mallocd on our behalf by TP */
+ free(refId.Data);
+ }
+ if(crtn) {
+ CssmError::throwMe(crtn);
+ }
+}
+
+#pragma mark ----- cert request get result -----
+
+void CertificateRequest::getResult(
+ sint32 *estimatedTime, // optional
+ CssmData &certData)
+{
+ StLock<Mutex>_(mMutex);
+ CSSM_DATA &policy = mPolicy.get();
+ if(nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_IDENTITY, &policy) ||
+ nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_EMAIL_SIGN, &policy) ||
+ nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_EMAIL_ENCRYPT, &policy) ||
+ nssCompareCssmData(&CSSMOID_DOTMAC_CERT_REQ_SHARED_SERVICES, &policy)) {
+ return getResultDotMac(estimatedTime, certData);
+ }
+ else {
+ /* shouldn't be here, we already validated policy in constructor */
+ assert(0);
+ certReqDbg("CertificateRequest::getResult(): bad policy");
+ MacOSError::throwMe(errSecParam);
+ }
+}
+
+void CertificateRequest::getResultDotMac(
+ sint32 *estimatedTime, // optional
+ CssmData &certData)
+{
+ StLock<Mutex>_(mMutex);
+ switch(mCertState) {
+ case CRS_HaveCert:
+ /* trivial case, we already have what caller is looking for */
+ certReqDbg("getResultDotMac: have the cert right now");
+ assert(mCertData.data() != NULL);
+ certData = mCertData.get();
+ if(estimatedTime) {
+ *estimatedTime = 0;
+ }
+ break;
+ case CRS_HaveRefId:
+ {
+ /* ping the server */
+ certReqDbg("getResultDotMac: CRS_HaveRefId; polling server");
+ assert(mRefId.data() != NULL);
+ CSSM_BOOL ConfirmationRequired;
+ CSSM_TP_RESULT_SET_PTR resultSet = NULL;
+ CSSM_RETURN crtn;
+
+ crtn = CSSM_TP_RetrieveCredResult(mTP->handle(),
+ &mRefId.get(),
+ NULL, // CallerAuthCredentials
+ &mEstTime,
+ &ConfirmationRequired,
+ &resultSet);
+ switch(crtn) {
+ case CSSM_OK:
+ break;
+ case CSSMERR_TP_CERT_NOT_VALID_YET:
+ /*
+ * By convention, this means "not ready yet".
+ * The dot mac server does not have a way of telling us the
+ * estimated time on a straight lookup like this (we only get
+ * an estimated completion time on the initial request), so we
+ * fake it.
+ */
+ certReqDbg("getResultDotMac: polled server, not ready yet");
+ if(estimatedTime) {
+ *estimatedTime = (mEstTime) ? mEstTime : 1;
+ }
+ MacOSError::throwMe(CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING);
+ default:
+ certReqDbg("CSSM_TP_RetrieveCredResult error");
+ CssmError::throwMe(crtn);
+ }
+ if(resultSet == NULL) {
+ certReqDbg("***CSSM_TP_RetrieveCredResult OK, but no result set");
+ MacOSError::throwMe(errSecInternalComponent);
+ }
+ if(resultSet->NumberOfResults != 1) {
+ certReqDbg("***CSSM_TP_RetrieveCredResult OK, NumberOfResults (%lu)",
+ (unsigned long)resultSet->NumberOfResults);
+ MacOSError::throwMe(errSecInternalComponent);
+ }
+ if(resultSet->Results == NULL) {
+ certReqDbg("***CSSM_TP_RetrieveCredResult OK, but empty result set");
+ MacOSError::throwMe(errSecInternalComponent);
+ }
+ certReqDbg("getResultDotMac: polled server, SUCCESS");
+ CSSM_DATA_PTR result = (CSSM_DATA_PTR)resultSet->Results;
+ if(result->Data == NULL) {
+ certReqDbg("***CSSM_TP_RetrieveCredResult OK, but empty result");
+ MacOSError::throwMe(errSecInternalComponent);
+ }
+ mCertData.copy(*result);
+ certData = mCertData.get();
+ mCertState = CRS_HaveCert;
+ if(estimatedTime) {
+ *estimatedTime = 0;
+ }
+
+ /*
+ * Free the stuff allocated on our behalf by TP.
+ * FIXME - are we sure CssmClient is using alloc, free, etc.?
+ */
+ free(result->Data);
+ free(result);
+ free(resultSet);
+ break;
+ }
+ default:
+ /* what do we do with this? */
+ certReqDbg("CertificateRequest::getResultDotMac(): bad state");
+ MacOSError::throwMe(errSecInternalComponent);
+ }
+
+ /*
+ * One more thing: once we pass a cert back to caller, we erase
+ * the record of this transaction from prefs.
+ */
+ assert(mCertData.data() != NULL);
+ assert(mCertData.data() == certData.Data);
+ removeResults();
+}
+
+/*
+ * Obtain policy/error specific return data blob. We own the data, it's
+ * not copied.
+ */
+void CertificateRequest::getReturnData(
+ CssmData &rtnData)
+{
+ StLock<Mutex>_(mMutex);
+ rtnData = mRefId.get();
+}
+
+#pragma mark ----- preferences support -----
+
+/* Current user as CFString, for use as key in per-policy dictionary */
+CFStringRef CertificateRequest::createUserKey()
+{
+ StLock<Mutex>_(mMutex);
+ return CFStringCreateWithBytes(NULL, (UInt8 *)mUserName.data(), mUserName.length(),
+ kCFStringEncodingUTF8, false);
+}
+
+#define MAX_OID_LEN 2048 // way big... */
+
+/* current policy as CFString, for use as key in prefs dictionary */
+CFStringRef CertificateRequest::createPolicyKey()
+{
+ StLock<Mutex>_(mMutex);
+ char oidstr[MAX_OID_LEN];
+ unsigned char *inp = (unsigned char *)mPolicy.data();
+ char *outp = oidstr;
+ CFIndex len = mPolicy.length();
+ for(CFIndex dex=0; dex<len; dex++) {
+ sprintf(outp, "%02X ", *inp++);
+ outp += 3;
+ }
+ return CFStringCreateWithBytes(NULL, (UInt8 *)oidstr, len * 3,
+ kCFStringEncodingUTF8, false);
+}
+
+/*
+ * Store cert data or refId in prefs. If both are NULL, delete the
+ * user dictionary entry from the policy dictionary if there, and then
+ * delete the policy dictionary if it's empty.
+ */
+OSStatus CertificateRequest::storeResults(
+ const CSSM_DATA *refId, // optional, for queued requests
+ const CSSM_DATA *certData) // optional, for immediate completion
+{
+ StLock<Mutex>_(mMutex);
+ assert(mPolicy.data() != NULL);
+ assert(mUserName.data() != NULL);
+ assert(mDomain.data() != NULL);
+
+ bool deleteEntry = ((refId == NULL) && (certData == NULL));
+
+ /* get a mutable copy of the existing prefs, or a fresh empty one */
+ MutableDictionary *prefsDict = MutableDictionary::CreateMutableDictionary(DOT_MAC_REQ_PREFS, Dictionary::US_User);
+ if (prefsDict == NULL)
+ {
+ prefsDict = new MutableDictionary();
+ }
+
+ /* get a mutable copy of the dictionary for this policy, or a fresh empty one */
+ CFStringRef policyKey = createPolicyKey();
+ MutableDictionary *policyDict = prefsDict->copyMutableDictValue(policyKey);
+
+ CFStringRef userKey = createUserKey();
+ if(deleteEntry) {
+ /* remove user dictionary from this policy dictionary */
+ policyDict->removeValue(userKey);
+ }
+ else {
+ /* get a mutable copy of the dictionary for this user, or a fresh empty one */
+ MutableDictionary *userDict = policyDict->copyMutableDictValue(userKey);
+
+ CFStringRef domainKey = CFStringCreateWithBytes(NULL, (UInt8 *)mDomain.data(), mDomain.length(), kCFStringEncodingUTF8, false);
+ userDict->setValue(CFSTR(DOT_MAC_DOMAIN_KEY), domainKey);
+ CFRelease(domainKey);
+
+ /* write refId and/or cert --> user dictionary */
+ if(refId) {
+ userDict->setDataValue(CFSTR(DOT_MAC_REF_ID_KEY), refId->Data, refId->Length);
+ }
+ if(certData) {
+ userDict->setDataValue(CFSTR(DOT_MAC_CERT_KEY), certData->Data, certData->Length);
+ }
+
+ /* new user dictionary --> policy dictionary */
+ policyDict->setValue(userKey, userDict->dict());
+ delete userDict;
+ }
+ CFRelease(userKey);
+
+ /* new policy dictionary to prefs dictionary, or nuke it */
+ if(policyDict->count() == 0) {
+ prefsDict->removeValue(policyKey);
+ }
+ else {
+ prefsDict->setValue(policyKey, policyDict->dict());
+ }
+ CFRelease(policyKey);
+ delete policyDict;
+
+ /* prefs --> disk */
+ OSStatus ortn = errSecSuccess;
+ if(!prefsDict->writePlistToPrefs(DOT_MAC_REQ_PREFS, Dictionary::US_User)) {
+ certReqDbg("storeResults: error writing prefs to disk");
+ ortn = errSecIO;
+ }
+ delete prefsDict;
+ return ortn;
+}
+
+/*
+ * Attempt to fetch mCertData or mRefId from preferences.
+ */
+void CertificateRequest::retrieveResults()
+{
+ StLock<Mutex>_(mMutex);
+ assert(mPolicy.data() != NULL);
+ assert(mUserName.data() != NULL);
+
+ /* get the .mac cert prefs as a dictionary */
+ Dictionary *pd = Dictionary::CreateDictionary(DOT_MAC_REQ_PREFS, Dictionary::US_User);
+ if (pd == NULL)
+ {
+ certReqDbg("retrieveResults: no prefs found");
+ return;
+ }
+
+ auto_ptr<Dictionary> prefsDict(pd);
+
+ /* get dictionary for current policy */
+ CFStringRef policyKey = createPolicyKey();
+ Dictionary *policyDict = prefsDict->copyDictValue(policyKey);
+ CFRelease(policyKey);
+ if(policyDict != NULL) {
+ /* dictionary for user */
+ CFStringRef userKey = createUserKey();
+ Dictionary *userDict = policyDict->copyDictValue(userKey);
+ if(userDict != NULL) {
+ /* is there a cert in there? */
+ CFDataRef val = userDict->getDataValue(CFSTR(DOT_MAC_CERT_KEY));
+ if(val) {
+ mCertData.copy(CFDataGetBytePtr(val), CFDataGetLength(val));
+ }
+
+ /* how about refId? */
+ val = userDict->getDataValue(CFSTR(DOT_MAC_REF_ID_KEY));
+ if(val) {
+ mRefId.copy(CFDataGetBytePtr(val), CFDataGetLength(val));
+ }
+ delete userDict;
+ }
+ CFRelease(userKey);
+ delete policyDict;
+ }
+}
+
+/*
+ * Remove all trace of current policy/user. Called when we successfully transferred
+ * the cert back to caller.
+ */
+void CertificateRequest::removeResults()
+{
+ StLock<Mutex>_(mMutex);
+ assert(mPolicy.data() != NULL);
+ assert(mUserName.data() != NULL);
+ storeResults(NULL, NULL);
+}
+
+/*
+ * Have the TP ping the server to see of there's a request pending for the current
+ * user. Always throws: either
+ * CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING -- request pending
+ * CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING -- no request pending
+ * errSecParam -- no user, no password
+ * other gross errors, e.g. errSecIO for server connection failure
+ *
+ * The distinguishing features about this TP request are:
+ *
+ * policy OID = CSSMOID_DOTMAC_CERT_REQ_{IDENTITY,EMAIL_SIGN,EMAIL_ENCRYPT,SHARED_SERVICES}
+ * CSSM_TP_AUTHORITY_REQUEST_TYPE = CSSM_TP_AUTHORITY_REQUEST_CERTLOOKUP
+ * CSSM_APPLE_DOTMAC_TP_CERT_REQUEST.flags = CSSM_DOTMAC_TP_IS_REQ_PENDING
+ * must have userName and password
+ * hostname optional as usual
+ */
+void CertificateRequest::postPendingRequest()
+{
+ StLock<Mutex>_(mMutex);
+ CSSM_RETURN crtn;
+ CSSM_TP_AUTHORITY_ID tpAuthority;
+ CSSM_TP_AUTHORITY_ID *tpAuthPtr = NULL;
+ CSSM_NET_ADDRESS tpNetAddrs;
+ CSSM_APPLE_DOTMAC_TP_CERT_REQUEST certReq;
+ CSSM_TP_REQUEST_SET reqSet;
+ CSSM_TP_CALLERAUTH_CONTEXT callerAuth;
+ CSSM_FIELD policyField;
+ CSSM_DATA refId = {0, NULL};
+
+ assert(mCertState == CRS_Reconstructed);
+ if((mUserName.data() == NULL) || (mPassword.data() == NULL)) {
+ certReqDbg("postPendingRequest: user name and password required");
+ MacOSError::throwMe(errSecParam);
+ }
+
+ /* Fill in the CSSM_APPLE_DOTMAC_TP_CERT_REQUEST */
+ memset(&certReq, 0, sizeof(certReq));
+ certReq.version = CSSM_DOT_MAC_TP_REQ_VERSION;
+ certReq.userName = mUserName.get();
+ certReq.password = mPassword.get();
+ certReq.flags = CSSM_DOTMAC_TP_IS_REQ_PENDING;
+
+ /* now the rest of the args for CSSM_TP_SubmitCredRequest() */
+ reqSet.Requests = &certReq;
+ reqSet.NumberOfRequests = 1;
+ /*
+ * This OID actually doesn't matter - right? This RPC doesn't know about
+ * which request we seek...
+ */
+ policyField.FieldOid = mPolicy;
+ policyField.FieldValue.Data = NULL;
+ policyField.FieldValue.Length = 0;
+ memset(&callerAuth, 0, sizeof(callerAuth));
+ callerAuth.Policy.NumberOfPolicyIds = 1;
+ callerAuth.Policy.PolicyIds = &policyField;
+ /* no other creds here */
+
+ if(mHostName.data() != NULL) {
+ tpAuthority.AuthorityCert = NULL;
+ tpAuthority.AuthorityLocation = &tpNetAddrs;
+ tpNetAddrs.AddressType = CSSM_ADDR_NAME;
+ tpNetAddrs.Address = mHostName.get();
+ tpAuthPtr = &tpAuthority;
+ }
+
+ /* go */
+ crtn = CSSM_TP_SubmitCredRequest(mTP->handle(),
+ tpAuthPtr,
+ CSSM_TP_AUTHORITY_REQUEST_CERTLOOKUP,
+ &reqSet,
+ &callerAuth,
+ &mEstTime,
+ &refId); // CSSM_DATA_PTR ReferenceIdentifier
+
+ if(refId.Data) {
+ /* shouldn't be any but just in case.... */
+ free(refId.Data);
+ }
+ switch(crtn) {
+ case CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING:
+ certReqDbg("postPendingRequest: REQ_IS_PENDING");
+ break;
+ case CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING:
+ certReqDbg("postPendingRequest: NO_REQ_PENDING");
+ break;
+ case CSSM_OK:
+ /* should never happen */
+ certReqDbg("postPendingRequest: unexpected success!");
+ crtn = errSecInternalComponent;
+ break;
+ default:
+ certReqDbg("postPendingRequest: unexpected rtn %lu", (unsigned long)crtn);
+ break;
+ }
+ CssmError::throwMe(crtn);
+}
+
projects / apple / security.git / blobdiff