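/*
 * Copyright (c) 2000-2001,2011,2014 Apple Inc. All Rights Reserved.
 *
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 *
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


/*
 * AppleTPSession.h - TP session functions.
 *
 */

#ifndef _H_APPLE_TP_SESSION
#define _H_APPLE_TP_SESSION

#include <security_cdsa_plugin/TPsession.h>
#include "TPCertInfo.h"

/* Set to 1 to compile in the malloc/copy/free replacement for realloc below. */
#define REALLOC_WORKAROUND 0
#if REALLOC_WORKAROUND
#include <string.h>
#endif

/*
 * One attached TP session. The public methods are the ones declared in
 * TPabstractSession.h; the private section holds chain-construction and
 * credential-request helpers plus the per-session map of issued certs.
 */
class AppleTPSession : public TPPluginSession {

public:

    AppleTPSession(
        CSSM_MODULE_HANDLE theHandle,
        CssmPlugin &plug,
        const CSSM_VERSION &version,
        uint32 subserviceId,
        CSSM_SERVICE_TYPE subserviceType,
        CSSM_ATTACH_FLAGS attachFlags,
        const CSSM_UPCALLS &upcalls);

    ~AppleTPSession();

#if REALLOC_WORKAROUND
    /*
     * Replacement for realloc: allocate a new block of `size` bytes, copy the
     * old contents into it, and free the old block. Compiled out by default
     * (REALLOC_WORKAROUND is 0).
     *
     * Returns the new block, or NULL if malloc returned NULL; in that case
     * oldp is left allocated and untouched. A NULL oldp behaves like a plain
     * malloc(size).
     *
     * NOTE(review): the size of the old block is not known here, so the copy
     * always moves `size` bytes. When the block is being grown this reads past
     * the end of the old allocation. Do not enable this workaround without
     * passing the old size in (or otherwise bounding the copy).
     */
    void *realloc(void *oldp, size_t size) {
        void *newp = malloc(size);
        if (newp == NULL) {
            /* allocation failed: keep the caller's original block valid */
            return NULL;
        }
        if (oldp != NULL) {
            memmove(newp, oldp, size);
            free(oldp);
        }
        return newp;
    }
#endif /* REALLOC_WORKAROUND */

    /* methods declared in TPabstractSession.h */
    void CertCreateTemplate(CSSM_CL_HANDLE CLHandle,
        uint32 NumberOfFields,
        const CSSM_FIELD CertFields[],
        CssmData &CertTemplate);
    void CrlVerify(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_ENCODED_CRL &CrlToBeVerified,
        const CSSM_CERTGROUP &SignerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT *VerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT *RevokerVerifyResult);
    void CertReclaimKey(const CSSM_CERTGROUP &CertGroup,
        uint32 CertIndex,
        CSSM_LONG_HANDLE KeyCacheHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry);
    void CertGroupVerify(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_CERTGROUP &CertGroupToBeVerified,
        const CSSM_TP_VERIFY_CONTEXT *VerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT_PTR VerifyContextResult);
    void CertGroupConstruct(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_DL_DB_LIST &DBList,
        const void *ConstructParams,
        const CSSM_CERTGROUP &CertGroupFrag,
        CSSM_CERTGROUP_PTR &CertGroup);
    void CertSign(CSSM_CL_HANDLE CLHandle,
        CSSM_CC_HANDLE CCHandle,
        const CssmData &CertTemplateToBeSigned,
        const CSSM_CERTGROUP &SignerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT *SignerVerifyResult,
        CssmData &SignedCert);
    void TupleGroupToCertGroup(CSSM_CL_HANDLE CLHandle,
        const CSSM_TUPLEGROUP &TupleGroup,
        CSSM_CERTGROUP_PTR &CertTemplates);
    void ReceiveConfirmation(const CssmData &ReferenceIdentifier,
        CSSM_TP_CONFIRM_RESPONSE_PTR &Responses,
        sint32 &ElapsedTime);
    /*
     * NOTE(review): InputParams and OutputParams are untyped; presumably their
     * layout is selected by PassThroughId, so the implementation should reject
     * unknown ids before casting either pointer - confirm in the .cpp.
     */
    void PassThrough(CSSM_CL_HANDLE CLHandle,
        CSSM_CC_HANDLE CCHandle,
        const CSSM_DL_DB_LIST *DBList,
        uint32 PassThroughId,
        const void *InputParams,
        void **OutputParams);
    void CertRemoveFromCrlTemplate(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CssmData *OldCrlTemplate,
        const CSSM_CERTGROUP &CertGroupToBeRemoved,
        const CSSM_CERTGROUP &RevokerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT &RevokerVerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT &RevokerVerifyResult,
        CssmData &NewCrlTemplate);
    void CertRevoke(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CssmData *OldCrlTemplate,
        const CSSM_CERTGROUP &CertGroupToBeRevoked,
        const CSSM_CERTGROUP &RevokerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT &RevokerVerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT &RevokerVerifyResult,
        CSSM_TP_CERTCHANGE_REASON Reason,
        CssmData &NewCrlTemplate);
    void CertReclaimAbort(CSSM_LONG_HANDLE KeyCacheHandle);
    void CrlCreateTemplate(CSSM_CL_HANDLE CLHandle,
        uint32 NumberOfFields,
        const CSSM_FIELD CrlFields[],
        CssmData &NewCrlTemplate);
    void CertGroupToTupleGroup(CSSM_CL_HANDLE CLHandle,
        const CSSM_CERTGROUP &CertGroup,
        CSSM_TUPLEGROUP_PTR &TupleGroup);
    void SubmitCredRequest(const CSSM_TP_AUTHORITY_ID *PreferredAuthority,
        CSSM_TP_AUTHORITY_REQUEST_TYPE RequestType,
        const CSSM_TP_REQUEST_SET &RequestInput,
        const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthContext,
        sint32 &EstimatedTime,
        CssmData &ReferenceIdentifier);
    void FormRequest(const CSSM_TP_AUTHORITY_ID *PreferredAuthority,
        CSSM_TP_FORM_TYPE FormType,
        CssmData &BlankForm);
    void CrlSign(CSSM_CL_HANDLE CLHandle,
        CSSM_CC_HANDLE CCHandle,
        const CSSM_ENCODED_CRL &CrlToBeSigned,
        const CSSM_CERTGROUP &SignerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT *SignerVerifyResult,
        CssmData &SignedCrl);
    void CertGroupPrune(CSSM_CL_HANDLE CLHandle,
        const CSSM_DL_DB_LIST &DBList,
        const CSSM_CERTGROUP &OrderedCertGroup,
        CSSM_CERTGROUP_PTR &PrunedCertGroup);
    void ApplyCrlToDb(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_ENCODED_CRL &CrlToBeApplied,
        const CSSM_CERTGROUP &SignerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT *ApplyCrlVerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT &ApplyCrlVerifyResult);
    void CertGetAllTemplateFields(CSSM_CL_HANDLE CLHandle,
        const CssmData &CertTemplate,
        uint32 &NumberOfFields,
        CSSM_FIELD_PTR &CertFields);
    void ConfirmCredResult(const CssmData &ReferenceIdentifier,
        const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthCredentials,
        const CSSM_TP_CONFIRM_RESPONSE &Responses,
        const CSSM_TP_AUTHORITY_ID *PreferredAuthority);
    void FormSubmit(CSSM_TP_FORM_TYPE FormType,
        const CssmData &Form,
        const CSSM_TP_AUTHORITY_ID *ClearanceAuthority,
        const CSSM_TP_AUTHORITY_ID *RepresentedAuthority,
        AccessCredentials *Credentials);
    void RetrieveCredResult(const CssmData &ReferenceIdentifier,
        const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthCredentials,
        sint32 &EstimatedTime,
        CSSM_BOOL &ConfirmationRequired,
        CSSM_TP_RESULT_SET_PTR &RetrieveOutput);

private:
    /*
     * Private chain-construction routine; takes the input group plus optional
     * DB list, time string, anchors and trust parameters, and reports how the
     * resulting chain terminated through the three CSSM_BOOL outputs.
     *
     * NOTE(review): per the parameter comments, verifiedToRoot only says the
     * end of the chain self-verifies; that is distinct from verifiedToAnchor
     * (end of chain found in the anchors) and verifiedViaTrustSetting.
     * Presumably callers must not treat verifiedToRoot alone as a trust
     * decision - confirm against the callers.
     *
     * NOTE(review): numAnchorCerts/anchorCerts and policyStr/policyStrLen are
     * count-plus-pointer pairs; the implementation has to rely on the caller
     * keeping each pair consistent. policyStr is presumably not required to be
     * NUL-terminated, given the explicit length - confirm.
     */
    void CertGroupConstructPriv(CSSM_CL_HANDLE clHand,
        CSSM_CSP_HANDLE cspHand,
        TPCertGroup &inCertGroup,
        const CSSM_DL_DB_LIST *DBList,      // optional here
        const char *cssmTimeStr,            // optional
        uint32 numAnchorCerts,              // optional
        const CSSM_DATA *anchorCerts,

        /* CSSM_TP_ACTION_FETCH_CERT_FROM_NET, CSSM_TP_ACTION_TRUST_SETTINGS */
        CSSM_APPLE_TP_ACTION_FLAGS actionFlags,

        /* optional user trust parameters */
        const CSSM_OID *policyOid,
        const char *policyStr,
        uint32 policyStrLen,
        CSSM_KEYUSE keyUse,

        /*
         * Certs to be freed by caller (i.e., TPCertInfo which we allocate
         * as a result of using a cert from anchorCerts or DBList) are added
         * to this group.
         */
        TPCertGroup &certsToBeFreed,

        /* returned */
        CSSM_BOOL &verifiedToRoot,          // end of chain self-verifies
        CSSM_BOOL &verifiedToAnchor,        // end of chain in anchors
        CSSM_BOOL &verifiedViaTrustSetting, // chain ends per Trust Setting
        TPCertGroup &outCertGroup);         // RETURNED

    /* in tpCredRequest.cp */
    CSSM_X509_NAME * buildX509Name(const CSSM_APPLE_TP_NAME_OID *nameArray,
        unsigned numNames);
    void freeX509Name(CSSM_X509_NAME *top);
    CSSM_X509_TIME *buildX509Time(unsigned secondsFromNow);
    void freeX509Time(CSSM_X509_TIME *xtime);
    void refKeyToRaw(
        CSSM_CSP_HANDLE cspHand,
        const CSSM_KEY *refKey,
        CSSM_KEY_PTR rawKey);
    /*
     * Builds a cert template from the given fields; the result comes back in
     * rawCert.
     *
     * NOTE(review): serialNumber is a uint32, so serials produced through this
     * path carry at most 32 bits. The sigOid example names a SHA-1 signature
     * algorithm; SHA-1 is no longer considered collision-resistant, so callers
     * issuing new certs should pass a stronger algorithm OID.
     */
    void makeCertTemplate(
        /* required */
        CSSM_CL_HANDLE clHand,
        CSSM_CSP_HANDLE cspHand,            // for converting ref to raw key
        uint32 serialNumber,
        const CSSM_X509_NAME *issuerName,
        const CSSM_X509_NAME *subjectName,
        const CSSM_X509_TIME *notBefore,
        const CSSM_X509_TIME *notAfter,
        const CSSM_KEY *subjectPubKey,
        const CSSM_OID &sigOid,             // e.g., CSSMOID_SHA1WithRSA
        /* optional */
        const CSSM_DATA *subjectUniqueId,
        const CSSM_DATA *issuerUniqueId,
        CSSM_X509_EXTENSION *extensions,
        unsigned numExtensions,
        CSSM_DATA_PTR &rawCert);

    void SubmitCsrRequest(
        const CSSM_TP_REQUEST_SET &RequestInput,
        const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthContext,
        sint32 &EstimatedTime,
        CssmData &ReferenceIdentifier);

    /*
     * Per-session storage of SubmitCredRequest results.
     *
     * A TpCredHandle is just an address of a cert, cast to a CSSM_INTPTR. It's
     * what ReferenceIdentifier.Data points to.
     *
     * NOTE(review): because the handle is a raw address that travels through
     * the caller, a ReferenceIdentifier coming back in must only ever be used
     * as a key into tpCredMap; it should never be cast back to a pointer and
     * dereferenced without a successful lookup. The handle value also exposes
     * a heap address to the caller. tpCredMapLock presumably guards every
     * access to tpCredMap - confirm in the implementation.
     */
    typedef CSSM_INTPTR TpCredHandle;
    typedef std::map<TpCredHandle,
                     const CSSM_DATA * /* the actual cert */ > credMap;
    credMap tpCredMap;
    Mutex tpCredMapLock;

    /* given a cert and a ReferenceIdentifier, fill in ReferenceIdentifier and
     * add it and the cert to tpCredMap. */
    void addCertToMap(
        const CSSM_DATA *cert,
        CSSM_DATA_PTR refId);

    /* given a ReferenceIdentifier, obtain associated cert and remove from the map */
    CSSM_DATA_PTR getCertFromMap(
        const CSSM_DATA *refId);

};

#endif /* _H_APPLE_TP_SESSION */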