+++ /dev/null
-/*
- * crlNetwork.cpp - Network support for crlTool
- */
-
-#include "crlNetwork.h"
-#include <CoreFoundation/CoreFoundation.h>
-#include <CoreServices/CoreServices.h>
-#include <security_cdsa_utils/cuEnc64.h>
-#include <stdlib.h>
-#include <Security/cssmapple.h>
-#include <LDAP/ldap.h>
-
-#define ocspdErrorLog(args...) printf(args)
-
-#pragma mark ----- LDAP fetch -----
-
-/*
- * LDAP attribute names, used if not present in URI.
- */
-#define LDAP_ATTR_CERT "cacertificate;binary"
-#define LDAP_ATTR_CRL "certificaterevocationlist;binary"
-
-/*
- * Default LDAP options.
- */
-#define LDAP_REFERRAL_DEFAULT LDAP_OPT_ON
-
-static CSSM_RETURN ldapRtnToCssm(
- int rtn)
-{
- switch(rtn) {
- case LDAP_SERVER_DOWN:
- case LDAP_TIMEOUT:
- case LDAP_CONNECT_ERROR:
- return CSSMERR_APPLETP_CRL_SERVER_DOWN;
- case LDAP_PARAM_ERROR:
- case LDAP_FILTER_ERROR:
- return CSSMERR_APPLETP_CRL_BAD_URI;
- default:
- return CSSMERR_APPLETP_CRL_NOT_FOUND;
- }
-}
-
-static CSSM_RETURN ldapFetch(
- const CSSM_DATA &url,
- LF_Type lfType,
- CSSM_DATA &fetched) // mallocd and RETURNED
-{
- BerValue **value = NULL;
- LDAPURLDesc *urlDesc = NULL;
- int rtn;
- LDAPMessage *msg = NULL;
- LDAP *ldap = NULL;
- LDAPMessage *entry = NULL;
- bool mallocdString = false;
- char *urlStr;
- int numEntries;
- CSSM_RETURN ourRtn = CSSM_OK;
- /* attr input to ldap_search_s() */
- char *attrArray[2];
- char **attrArrayP = NULL;
-
- /* don't assume URL string is NULL terminated */
- if(url.Data[url.Length - 1] == '\0') {
- urlStr = (char *)url.Data;
- }
- else {
- urlStr = (char *)malloc(url.Length + 1);
- memmove(urlStr, url.Data, url.Length);
- urlStr[url.Length] = '\0';
- mallocdString = true;
- }
-
- /* break up the URL into something usable */
- rtn = ldap_url_parse(urlStr, &urlDesc);
- if(rtn) {
- ocspdErrorLog("ldap_url_parse returned %d", rtn);
- return CSSMERR_APPLETP_CRL_BAD_URI;
- }
-
- /*
- * Determine what attr we're looking for.
- */
- if((urlDesc->lud_attrs != NULL) && // attrs present in URL
- (urlDesc->lud_attrs[0] != NULL) && // at least one attr present
- (urlDesc->lud_attrs[1] == NULL)) {
- /*
- * Exactly one attr present in the caller-specified URL;
- * assume that this is exactly what we want.
- */
- attrArrayP = &urlDesc->lud_attrs[0];
- }
- else {
- /* use caller-specified attr */
- switch(lfType) {
- case LT_Crl:
- attrArray[0] = (char *)LDAP_ATTR_CRL;
- break;
- case LT_Cert:
- attrArray[0] = (char *)LDAP_ATTR_CERT;
- break;
- default:
- printf("***ldapFetch screwup: bogus lfType (%d)\n",
- (int)lfType);
- return CSSMERR_CSSM_INTERNAL_ERROR;
- }
- attrArray[1] = NULL;
- attrArrayP = &attrArray[0];
- }
-
- /* establish connection */
- rtn = ldap_initialize(&ldap, urlStr);
- if(rtn) {
- ocspdErrorLog("ldap_initialize returned %d\n", rtn);
- return ldapRtnToCssm(rtn);
- }
- /* subsequent errors to cleanup: */
- rtn = ldap_simple_bind_s(ldap, NULL, NULL);
- if(rtn) {
- ocspdErrorLog("ldap_simple_bind_s returned %d\n", rtn);
- ourRtn = ldapRtnToCssm(rtn);
- goto cleanup;
- }
-
- rtn = ldap_set_option(ldap, LDAP_OPT_REFERRALS, LDAP_REFERRAL_DEFAULT);
- if(rtn) {
- ocspdErrorLog("ldap_set_option(referrals) returned %d\n", rtn);
- ourRtn = ldapRtnToCssm(rtn);
- goto cleanup;
- }
-
- rtn = ldap_search_s(
- ldap,
- urlDesc->lud_dn,
- LDAP_SCOPE_SUBTREE,
- urlDesc->lud_filter,
- urlDesc->lud_attrs,
- 0, // attrsonly
- &msg);
- if(rtn) {
- ocspdErrorLog("ldap_search_s returned %d\n", rtn);
- ourRtn = ldapRtnToCssm(rtn);
- goto cleanup;
- }
-
- /*
- * We require exactly one entry (for now).
- */
- numEntries = ldap_count_entries(ldap, msg);
- if(numEntries != 1) {
- ocspdErrorLog("tpCrlViaLdap: numEntries %d\n", numEntries);
- ourRtn = CSSMERR_APPLETP_CRL_NOT_FOUND;
- goto cleanup;
- }
-
- entry = ldap_first_entry(ldap, msg);
- value = ldap_get_values_len(ldap, msg, attrArrayP[0]);
- if(value == NULL) {
- ocspdErrorLog("Error on ldap_get_values_len\n");
- ourRtn = CSSMERR_APPLETP_CRL_NOT_FOUND;
- goto cleanup;
- }
-
- fetched.Length = value[0]->bv_len;
- fetched.Data = (uint8 *)malloc(fetched.Length);
- memmove(fetched.Data, value[0]->bv_val, fetched.Length);
-
- ldap_value_free_len(value);
- ourRtn = CSSM_OK;
-cleanup:
- if(msg) {
- ldap_msgfree(msg);
- }
- if(mallocdString) {
- free(urlStr);
- }
- ldap_free_urldesc(urlDesc);
- rtn = ldap_unbind(ldap);
- if(rtn) {
- ocspdErrorLog("Error %d on ldap_unbind\n", rtn);
- /* oh well */
- }
- return ourRtn;
-}
-
-#pragma mark ----- HTTP fetch via GET -----
-
-/* fetch via HTTP */
-static CSSM_RETURN httpFetch(
- const CSSM_DATA &url,
- CSSM_DATA &fetched) // mallocd in alloc space and RETURNED
-{
- /* trim off possible NULL terminator */
- CSSM_DATA theUrl = url;
- if(theUrl.Data[theUrl.Length - 1] == '\0') {
- theUrl.Length--;
- }
- CFURLRef cfUrl = CFURLCreateWithBytes(NULL,
- theUrl.Data, theUrl.Length,
- kCFStringEncodingUTF8, // right?
- //kCFStringEncodingASCII, // right?
- NULL); // this is absolute path
- if(cfUrl == NULL) {
- ocspdErrorLog("CFURLCreateWithBytes returned NULL\n");
- return CSSMERR_APPLETP_CRL_BAD_URI;
- }
- CFDataRef urlData = NULL;
- SInt32 errorCode;
- Boolean brtn = CFURLCreateDataAndPropertiesFromResource(NULL,
- cfUrl,
- &urlData,
- NULL, // no properties
- NULL,
- &errorCode);
- CFRelease(cfUrl);
- if(!brtn) {
- ocspdErrorLog("CFURLCreateDataAndPropertiesFromResource err: %d\n",
- (int)errorCode);
- if(urlData) {
- return CSSMERR_APPLETP_NETWORK_FAILURE;
- }
- }
- if(urlData == NULL) {
- ocspdErrorLog("CFURLCreateDataAndPropertiesFromResource: no data\n");
- return CSSMERR_APPLETP_NETWORK_FAILURE;
- }
- CFIndex len = CFDataGetLength(urlData);
- fetched.Data = (uint8 *)malloc(len);
- fetched.Length = len;
- memmove(fetched.Data, CFDataGetBytePtr(urlData), len);
- CFRelease(urlData);
- return CSSM_OK;
-}
-
-/* Fetch cert or CRL from net, we figure out the schema */
-CSSM_RETURN crlNetFetch(
- const CSSM_DATA *url,
- LF_Type lfType,
- CSSM_DATA *fetched) // mallocd in alloc space and RETURNED
-{
- if(url->Length < 5) {
- return CSSMERR_APPLETP_CRL_BAD_URI;
- }
- if(!strncmp((char *)url->Data, "ldap:", 5)) {
- return ldapFetch(*url, lfType, *fetched);
- }
- if(!strncmp((char *)url->Data, "http:", 5) ||
- !strncmp((char *)url->Data, "https:", 6)) {
- return httpFetch(*url, *fetched);
- }
- return CSSMERR_APPLETP_CRL_BAD_URI;
-}
-
projects / apple / security.git / blobdiff