--- /dev/null
+//
+// SOSRingConcordanceTrust.c
+// sec
+//
+// Created by Richard Murphy on 3/15/15.
+//
+//
+
+#include <AssertMacros.h>
+
+#include "keychain/SecureObjectSync/SOSInternal.h"
+#include "keychain/SecureObjectSync/SOSPeer.h"
+#include "keychain/SecureObjectSync/SOSPeerInfoInternal.h"
+#include "keychain/SecureObjectSync/SOSPeerInfoCollections.h"
+#include "keychain/SecureObjectSync/SOSCircle.h"
+#include <Security/SecFramework.h>
+
+#include <Security/SecKey.h>
+#include <Security/SecKeyPriv.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+#include <utilities/SecCFWrappers.h>
+
+//#include "ckdUtilities.h"
+
+#include <corecrypto/ccder.h>
+#include <corecrypto/ccdigest.h>
+#include <corecrypto/ccsha2.h>
+
+
+#include <utilities/der_plist.h>
+#include <utilities/der_plist_internal.h>
+#include <corecrypto/ccder.h>
+#include <utilities/der_date.h>
+
+#include <stdlib.h>
+#include <assert.h>
+
+#include "SOSRing.h"
+#include "SOSRingUtils.h"
+
+static inline CFDictionaryRef SOSPeerInfoDictionaryCreate(CFSetRef peers) {
+ size_t n = CFSetGetCount(peers);
+ SOSPeerInfoRef peerInfos[n];
+ CFStringRef peerIDs[n];
+ CFSetGetValues(peers, (const void **) peerInfos);
+ for(size_t i = 0; i < n; i++) peerIDs[i] = SOSPeerInfoGetPeerID(peerInfos[i]);
+ return CFDictionaryCreate(NULL, (const void **)peerIDs, (const void **)peerInfos, n, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+}
+
+static inline SOSConcordanceStatus CheckPeerStatus(CFStringRef peerID, SOSPeerInfoRef peer, SOSRingRef ring, SecKeyRef userPub, CFErrorRef *error) {
+ SOSConcordanceStatus result = kSOSConcordanceNoPeer;
+ SecKeyRef pubKey = NULL;
+
+ require_action_quiet(peer, exit, result = kSOSConcordanceNoPeer);
+ pubKey = SOSPeerInfoCopyPubKey(peer, error);
+ require_quiet(pubKey, exit);
+ require_action_quiet(SOSRingHasPeerID(ring, peerID), exit, result = kSOSConcordanceNoPeer);
+ require_action_quiet(SOSPeerInfoApplicationVerify(peer, userPub, NULL), exit, result = kSOSConcordanceNoPeer);
+ require_action_quiet(SOSRingVerifySignatureExists(ring, pubKey, error), exit, result = kSOSConcordanceNoPeerSig);
+ require_action_quiet(SOSRingVerify(ring, pubKey, error), exit, result = kSOSConcordanceBadPeerSig);
+
+ result = kSOSConcordanceTrusted;
+
+exit:
+ CFReleaseNull(pubKey);
+ return result;
+}
+
+static inline SOSConcordanceStatus CombineStatus(SOSConcordanceStatus status1, SOSConcordanceStatus status2)
+{
+ if (status1 == kSOSConcordanceTrusted || status2 == kSOSConcordanceTrusted)
+ return kSOSConcordanceTrusted;
+
+ if (status1 == kSOSConcordanceBadPeerSig || status2 == kSOSConcordanceBadPeerSig)
+ return kSOSConcordanceBadPeerSig;
+
+ if (status1 == kSOSConcordanceNoPeerSig || status2 == kSOSConcordanceNoPeerSig)
+ return kSOSConcordanceNoPeerSig;
+
+ return status1;
+}
+
+SOSConcordanceStatus GetSignersStatus(CFSetRef peers, SOSRingRef signersRing, SOSRingRef statusRing,
+ SecKeyRef userPubkey, CFStringRef excludePeerID, CFErrorRef *error) {
+ CFDictionaryRef ringPeerInfos = SOSPeerInfoDictionaryCreate(peers);
+ __block SOSConcordanceStatus status = kSOSConcordanceNoPeer;
+ SOSRingForEachPeerID(signersRing, ^(CFStringRef peerID) {
+ SOSPeerInfoRef pi = (SOSPeerInfoRef) CFDictionaryGetValue(ringPeerInfos, peerID);
+ SOSConcordanceStatus peerStatus = CheckPeerStatus(peerID, pi, statusRing, userPubkey, error);
+
+ secnotice("ring", "concordance-signer-status: %@ -> %d", peerID, peerStatus);
+
+ if (peerStatus == kSOSConcordanceNoPeerSig &&
+ (CFEqualSafe(SOSPeerInfoGetPeerID(pi), excludePeerID) || SOSPeerInfoIsCloudIdentity(pi)))
+ peerStatus = kSOSConcordanceNoPeer;
+
+ status = CombineStatus(status, peerStatus);
+ });
+
+ return status;
+}
+
+
+SOSConcordanceStatus GetSignersStatus_Transitive(CFSetRef peers, SOSRingRef signersRing, SOSRingRef statusRing,
+ SecKeyRef userPubkey, CFStringRef excludePeerID, CFErrorRef *error) {
+ __block SOSConcordanceStatus status = kSOSConcordanceNoPeer;
+
+ CFSetForEach(peers, ^(const void *value) {
+ SOSPeerInfoRef pi = (SOSPeerInfoRef) value;
+ CFStringRef peerID = SOSPeerInfoGetPeerID(pi);
+ if(SOSRingHasPeerWithID(statusRing, peerID, NULL)) {
+ SOSConcordanceStatus peerStatus = CheckPeerStatus(peerID, pi, statusRing, userPubkey, error);
+
+ if (peerStatus == kSOSConcordanceNoPeerSig &&
+ (CFEqualSafe(SOSPeerInfoGetPeerID(pi), excludePeerID) || SOSPeerInfoIsCloudIdentity(pi)))
+ peerStatus = kSOSConcordanceNoPeer;
+
+ status = CombineStatus(status, peerStatus);
+ }
+ });
+
+ return status;
+}
+
+
+SOSConcordanceStatus SOSRingUserKeyConcordanceTrust(SOSFullPeerInfoRef me, CFSetRef peers, SOSRingRef knownRing, SOSRingRef proposedRing,
+ SecKeyRef knownPubkey, SecKeyRef userPubkey,
+ CFStringRef excludePeerID, CFErrorRef *error) {
+ if(userPubkey == NULL) {
+ SOSCreateError(kSOSErrorPublicKeyAbsent, CFSTR("Concordance with no public key"), NULL, error);
+ return kSOSConcordanceNoUserKey;
+ }
+
+ if (SOSRingIsEmpty_Internal(proposedRing)) {
+ return kSOSConcordanceTrusted;
+ }
+
+ if(!SOSRingVerifySignatureExists(proposedRing, userPubkey, error)) {
+ SOSCreateError(kSOSErrorBadSignature, CFSTR("No public signature"), (error != NULL) ? *error : NULL, error);
+ return kSOSConcordanceNoUserSig;
+ }
+
+ if(!SOSRingVerify(proposedRing, userPubkey, error)) {
+ SOSCreateError(kSOSErrorBadSignature, CFSTR("Bad public signature"), (error != NULL) ? *error : NULL, error);
+ return kSOSConcordanceBadUserSig;
+ }
+
+ if (SOSRingIsEmpty_Internal(knownRing) || SOSRingIsOffering_Internal(proposedRing)) {
+ return GetSignersStatus(peers, proposedRing, proposedRing, userPubkey, NULL, error);
+ }
+
+ if(SOSRingIsOlderGeneration(proposedRing, knownRing)) {
+ SOSCreateError(kSOSErrorReplay, CFSTR("Bad generation"), NULL, error);
+ return kSOSConcordanceGenOld;
+ }
+
+ if(knownPubkey == NULL) knownPubkey = userPubkey;
+ if(!SOSRingVerify(knownRing, knownPubkey, error)) knownPubkey = userPubkey;
+ return GetSignersStatus(peers, knownRing, proposedRing, knownPubkey, CFSTR("novalue"), error);
+}
+
+
+SOSConcordanceStatus SOSRingPeerKeyConcordanceTrust(SOSFullPeerInfoRef me, CFSetRef peers, SOSRingRef knownRing, SOSRingRef proposedRing,
+ __unused SecKeyRef knownPubkey, SecKeyRef userPubkey,
+ CFStringRef excludePeerID, CFErrorRef *error) {
+ if(userPubkey == NULL) {
+ SOSCreateError(kSOSErrorPublicKeyAbsent, CFSTR("Concordance with no public key - need to validate application"), NULL, error);
+ return kSOSConcordanceNoUserKey;
+ }
+
+ if (SOSRingIsEmpty_Internal(proposedRing)) {
+ secnotice("ring", "ring empty -> trusted");
+ return kSOSConcordanceTrusted;
+ }
+
+ if (SOSRingIsEmpty_Internal(knownRing) || SOSRingIsOffering_Internal(proposedRing)) {
+ return GetSignersStatus(peers, proposedRing, proposedRing, userPubkey, NULL, error);
+ }
+
+ if(SOSRingIsOlderGeneration(proposedRing, knownRing)) {
+ SOSCreateError(kSOSErrorReplay, CFSTR("Bad generation"), NULL, error);
+ return kSOSConcordanceGenOld;
+ }
+ return GetSignersStatus(peers, knownRing, proposedRing, userPubkey, excludePeerID, error);
+}
projects / apple / security.git / blobdiff