| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/base/x509_util_mac.h" | |
| 6 | |
| 7 #include "base/logging.h" | |
| 8 #include "third_party/apple_apsl/cssmapplePriv.h" | |
| 9 | |
| 10 namespace net { | |
| 11 | |
| 12 namespace x509_util { | |
| 13 | |
| 14 namespace { | |
| 15 | |
| 16 // Creates a SecPolicyRef for the given OID, with optional value. | |
| 17 OSStatus CreatePolicy(const CSSM_OID* policy_oid, | |
| 18 void* option_data, | |
| 19 size_t option_length, | |
| 20 SecPolicyRef* policy) { | |
| 21 SecPolicySearchRef search; | |
| 22 OSStatus err = SecPolicySearchCreate(CSSM_CERT_X_509v3, policy_oid, NULL, | |
| 23 &search); | |
| 24 if (err) | |
| 25 return err; | |
| 26 err = SecPolicySearchCopyNext(search, policy); | |
| 27 CFRelease(search); | |
| 28 if (err) | |
| 29 return err; | |
| 30 | |
| 31 if (option_data) { | |
| 32 CSSM_DATA options_data = { | |
| 33 option_length, | |
| 34 reinterpret_cast<uint8_t*>(option_data) | |
| 35 }; | |
| 36 err = SecPolicySetValue(*policy, &options_data); | |
| 37 if (err) { | |
| 38 CFRelease(*policy); | |
| 39 return err; | |
| 40 } | |
| 41 } | |
| 42 return noErr; | |
| 43 } | |
| 44 | |
| 45 } // namespace | |
| 46 | |
| 47 | |
| 48 OSStatus CreateSSLClientPolicy(SecPolicyRef* policy) { | |
| 49 CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options; | |
| 50 memset(&tp_ssl_options, 0, sizeof(tp_ssl_options)); | |
| 51 tp_ssl_options.Version = CSSM_APPLE_TP_SSL_OPTS_VERSION; | |
| 52 tp_ssl_options.Flags |= CSSM_APPLE_TP_SSL_CLIENT; | |
| 53 | |
| 54 return CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options, | |
| 55 sizeof(tp_ssl_options), policy); | |
| 56 } | |
| 57 | |
| 58 OSStatus CreateSSLServerPolicy(const std::string& hostname, | |
| 59 SecPolicyRef* policy) { | |
| 60 CSSM_APPLE_TP_SSL_OPTIONS tp_ssl_options; | |
| 61 memset(&tp_ssl_options, 0, sizeof(tp_ssl_options)); | |
| 62 tp_ssl_options.Version = CSSM_APPLE_TP_SSL_OPTS_VERSION; | |
| 63 if (!hostname.empty()) { | |
| 64 tp_ssl_options.ServerName = hostname.data(); | |
| 65 tp_ssl_options.ServerNameLen = hostname.size(); | |
| 66 } | |
| 67 | |
| 68 return CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options, | |
| 69 sizeof(tp_ssl_options), policy); | |
| 70 } | |
| 71 | |
| 72 OSStatus CreateBasicX509Policy(SecPolicyRef* policy) { | |
| 73 return CreatePolicy(&CSSMOID_APPLE_X509_BASIC, NULL, 0, policy); | |
| 74 } | |
| 75 | |
| 76 OSStatus CreateRevocationPolicies(bool enable_revocation_checking, | |
| 77 bool enable_ev_checking, | |
| 78 CFMutableArrayRef policies) { | |
| 79 OSStatus status = noErr; | |
| 80 | |
| 81 // In order to bypass the system revocation checking settings, the | |
| 82 // SecTrustRef must have at least one revocation policy associated with it. | |
| 83 // Since it is not known prior to verification whether the Apple TP will | |
| 84 // consider a certificate as an EV candidate, the default policy used is a | |
| 85 // CRL policy, since it does not communicate over the network. | |
| 86 // If the TP believes the leaf is an EV cert, it will explicitly add an | |
| 87 // OCSP policy to perform the online checking, and if it doesn't believe | |
| 88 // that the leaf is EV, then the default CRL policy will effectively no-op. | |
| 89 // This behaviour is used to implement EV-only revocation checking. | |
| 90 if (enable_ev_checking || enable_revocation_checking) { | |
| 91 CSSM_APPLE_TP_CRL_OPTIONS tp_crl_options; | |
| 92 memset(&tp_crl_options, 0, sizeof(tp_crl_options)); | |
| 93 tp_crl_options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION; | |
| 94 // Only allow network CRL fetches if the caller explicitly requests | |
| 95 // online revocation checking. Note that, as of OS X 10.7.2, the system | |
| 96 // will set force this flag on according to system policies, so | |
| 97 // online revocation checks cannot be completely disabled. | |
| 98 if (enable_revocation_checking) | |
| 99 tp_crl_options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET; | |
| 100 | |
| 101 SecPolicyRef crl_policy; | |
| 102 status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_CRL, &tp_crl_options, | |
| 103 sizeof(tp_crl_options), &crl_policy); | |
| 104 if (status) | |
| 105 return status; | |
| 106 CFArrayAppendValue(policies, crl_policy); | |
| 107 CFRelease(crl_policy); | |
| 108 } | |
| 109 | |
| 110 // If revocation checking is explicitly enabled, then add an OCSP policy | |
| 111 // and allow network access. If both revocation checking and EV checking | |
| 112 // are disabled, then the added OCSP policy will be prevented from | |
| 113 // accessing the network. This is done because the TP will force an OCSP | |
| 114 // policy to be present when it believes the certificate is EV. If network | |
| 115 // fetching was not explicitly disabled, then it would be as if | |
| 116 // enable_ev_checking was always set to true. | |
| 117 if (enable_revocation_checking || !enable_ev_checking) { | |
| 118 CSSM_APPLE_TP_OCSP_OPTIONS tp_ocsp_options; | |
| 119 memset(&tp_ocsp_options, 0, sizeof(tp_ocsp_options)); | |
| 120 tp_ocsp_options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION; | |
| 121 | |
| 122 if (enable_revocation_checking) { | |
| 123 // The default for the OCSP policy is to fetch responses via the network, | |
| 124 // unlike the CRL policy default. The policy is further modified to | |
| 125 // prefer OCSP over CRLs, if both are specified on the certificate. This | |
| 126 // is because an OCSP response is both sufficient and typically | |
| 127 // significantly smaller than the CRL counterpart. | |
| 128 tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT; | |
| 129 } else { | |
| 130 // Effectively disable OCSP checking by making it impossible to get an | |
| 131 // OCSP response. Even if the Apple TP forces OCSP, no checking will | |
| 132 // be able to succeed. If this happens, the Apple TP will report an error | |
| 133 // that OCSP was unavailable, but this will be handled and suppressed in | |
| 134 // X509Certificate::Verify(). | |
| 135 tp_ocsp_options.Flags = CSSM_TP_ACTION_OCSP_DISABLE_NET | | |
| 136 CSSM_TP_ACTION_OCSP_CACHE_READ_DISABLE; | |
| 137 } | |
| 138 | |
| 139 SecPolicyRef ocsp_policy; | |
| 140 status = CreatePolicy(&CSSMOID_APPLE_TP_REVOCATION_OCSP, &tp_ocsp_options, | |
| 141 sizeof(tp_ocsp_options), &ocsp_policy); | |
| 142 if (status) | |
| 143 return status; | |
| 144 CFArrayAppendValue(policies, ocsp_policy); | |
| 145 CFRelease(ocsp_policy); | |
| 146 } | |
| 147 | |
| 148 return status; | |
| 149 } | |
| 150 | |
| 151 CSSMFieldValue::CSSMFieldValue() | |
| 152 : cl_handle_(CSSM_INVALID_HANDLE), | |
| 153 oid_(NULL), | |
| 154 field_(NULL) { | |
| 155 } | |
| 156 CSSMFieldValue::CSSMFieldValue(CSSM_CL_HANDLE cl_handle, | |
| 157 const CSSM_OID* oid, | |
| 158 CSSM_DATA_PTR field) | |
| 159 : cl_handle_(cl_handle), | |
| 160 oid_(const_cast<CSSM_OID_PTR>(oid)), | |
| 161 field_(field) { | |
| 162 } | |
| 163 | |
| 164 CSSMFieldValue::~CSSMFieldValue() { | |
| 165 Reset(CSSM_INVALID_HANDLE, NULL, NULL); | |
| 166 } | |
| 167 | |
| 168 void CSSMFieldValue::Reset(CSSM_CL_HANDLE cl_handle, | |
| 169 CSSM_OID_PTR oid, | |
| 170 CSSM_DATA_PTR field) { | |
| 171 if (cl_handle_ && oid_ && field_) | |
| 172 CSSM_CL_FreeFieldValue(cl_handle_, oid_, field_); | |
| 173 cl_handle_ = cl_handle; | |
| 174 oid_ = oid; | |
| 175 field_ = field; | |
| 176 } | |
| 177 | |
| 178 CSSMCachedCertificate::CSSMCachedCertificate() | |
| 179 : cl_handle_(CSSM_INVALID_HANDLE), | |
| 180 cached_cert_handle_(CSSM_INVALID_HANDLE) { | |
| 181 } | |
| 182 CSSMCachedCertificate::~CSSMCachedCertificate() { | |
| 183 if (cl_handle_ && cached_cert_handle_) | |
| 184 CSSM_CL_CertAbortCache(cl_handle_, cached_cert_handle_); | |
| 185 } | |
| 186 | |
| 187 OSStatus CSSMCachedCertificate::Init(SecCertificateRef os_cert_handle) { | |
| 188 DCHECK(!cl_handle_ && !cached_cert_handle_); | |
| 189 DCHECK(os_cert_handle); | |
| 190 CSSM_DATA cert_data; | |
| 191 OSStatus status = SecCertificateGetData(os_cert_handle, &cert_data); | |
| 192 if (status) | |
| 193 return status; | |
| 194 status = SecCertificateGetCLHandle(os_cert_handle, &cl_handle_); | |
| 195 if (status) { | |
| 196 DCHECK(!cl_handle_); | |
| 197 return status; | |
| 198 } | |
| 199 | |
| 200 status = CSSM_CL_CertCache(cl_handle_, &cert_data, &cached_cert_handle_); | |
| 201 if (status) | |
| 202 DCHECK(!cached_cert_handle_); | |
| 203 return status; | |
| 204 } | |
| 205 | |
| 206 OSStatus CSSMCachedCertificate::GetField(const CSSM_OID* field_oid, | |
| 207 CSSMFieldValue* field) const { | |
| 208 DCHECK(cl_handle_); | |
| 209 DCHECK(cached_cert_handle_); | |
| 210 | |
| 211 CSSM_OID_PTR oid = const_cast<CSSM_OID_PTR>(field_oid); | |
| 212 CSSM_DATA_PTR field_ptr = NULL; | |
| 213 CSSM_HANDLE results_handle = CSSM_INVALID_HANDLE; | |
| 214 uint32 field_value_count = 0; | |
| 215 CSSM_RETURN status = CSSM_CL_CertGetFirstCachedFieldValue( | |
| 216 cl_handle_, cached_cert_handle_, oid, &results_handle, | |
| 217 &field_value_count, &field_ptr); | |
| 218 if (status) | |
| 219 return status; | |
| 220 | |
| 221 // Note: |field_value_count| may be > 1, indicating that more than one | |
| 222 // value is present. This may happen with extensions, but for current | |
| 223 // usages, only the first value is returned. | |
| 224 CSSM_CL_CertAbortQuery(cl_handle_, results_handle); | |
| 225 field->Reset(cl_handle_, oid, field_ptr); | |
| 226 return CSSM_OK; | |
| 227 } | |
| 228 | |
| 229 } // namespace x509_util | |
| 230 | |
| 231 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 13006020:
net: extract net/cert out of net/base (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src