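/*
 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
 *
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 *
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


/*
 * AppleTPSession.h - TP session functions.
 *
 * Created 10/5/2000 by Doug Mitchell.
 */

#ifndef _H_APPLE_TP_SESSION
#define _H_APPLE_TP_SESSION

#include <map>      /* std::map, used for credMap below */

#include <security_cdsa_plugin/TPsession.h>
#include "TPCertInfo.h"

#define REALLOC_WORKAROUND  0
#if     REALLOC_WORKAROUND
#include <string.h>
#endif

/*
 * Session object for the Apple TP plugin. It declares the TP entry points
 * listed in TPabstractSession.h plus the private helpers and per-session
 * state (tpCredMap) used by the credential-request functions.
 */
class AppleTPSession : public TPPluginSession {

public:

    AppleTPSession(
        CSSM_MODULE_HANDLE theHandle,
        CssmPlugin &plug,
        const CSSM_VERSION &version,
        uint32 subserviceId,
        CSSM_SERVICE_TYPE subserviceType,
        CSSM_ATTACH_FLAGS attachFlags,
        const CSSM_UPCALLS &upcalls);

    ~AppleTPSession();

    #if     REALLOC_WORKAROUND
    /*
     * Replacement realloc built from malloc + memmove + free. Compiled only
     * when REALLOC_WORKAROUND is nonzero (it is 0 above).
     *
     * Returns the new block, or NULL if malloc() returned NULL, in which case
     * the old block is left untouched. A NULL oldp is treated as a plain
     * allocation.
     *
     * NOTE(review): memmove copies `size` bytes - the NEW size - out of oldp.
     * Whenever the caller is growing a block, that reads beyond the end of
     * the old allocation. The old block's size is not available here, so the
     * over-read cannot be fixed locally; leave REALLOC_WORKAROUND at 0 unless
     * the old size can be supplied.
     */
    void *realloc(void *oldp, size_t size) {
        void *newp = malloc(size);
        if(newp == NULL) {
            /* allocation failed; do not copy into, or free, anything */
            return NULL;
        }
        if(oldp != NULL) {
            memmove(newp, oldp, size);
            free(oldp);
        }
        return newp;
    }
    #endif  /* REALLOC_WORKAROUND */

    /* methods declared in TPabstractSession.h */
    void CertCreateTemplate(CSSM_CL_HANDLE CLHandle,
        uint32 NumberOfFields,
        const CSSM_FIELD CertFields[],
        CssmData &CertTemplate);
    void CrlVerify(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_ENCODED_CRL &CrlToBeVerified,
        const CSSM_CERTGROUP &SignerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT *VerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT *RevokerVerifyResult);
    void CertReclaimKey(const CSSM_CERTGROUP &CertGroup,
        uint32 CertIndex,
        CSSM_LONG_HANDLE KeyCacheHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry);
    void CertGroupVerify(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_CERTGROUP &CertGroupToBeVerified,
        const CSSM_TP_VERIFY_CONTEXT *VerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT_PTR VerifyContextResult);
    /*
     * NOTE(review): ConstructParams is an untyped pointer; its expected
     * layout is not visible in this header - confirm against the
     * implementation before relying on it.
     */
    void CertGroupConstruct(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_DL_DB_LIST &DBList,
        const void *ConstructParams,
        const CSSM_CERTGROUP &CertGroupFrag,
        CSSM_CERTGROUP_PTR &CertGroup);
    void CertSign(CSSM_CL_HANDLE CLHandle,
        CSSM_CC_HANDLE CCHandle,
        const CssmData &CertTemplateToBeSigned,
        const CSSM_CERTGROUP &SignerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT *SignerVerifyResult,
        CssmData &SignedCert);
    void TupleGroupToCertGroup(CSSM_CL_HANDLE CLHandle,
        const CSSM_TUPLEGROUP &TupleGroup,
        CSSM_CERTGROUP_PTR &CertTemplates);
    void ReceiveConfirmation(const CssmData &ReferenceIdentifier,
        CSSM_TP_CONFIRM_RESPONSE_PTR &Responses,
        sint32 &ElapsedTime);
    /*
     * NOTE(review): InputParams and OutputParams are untyped; presumably
     * their meaning depends on PassThroughId, so the implementation should
     * reject IDs it does not recognize before touching either pointer -
     * confirm.
     */
    void PassThrough(CSSM_CL_HANDLE CLHandle,
        CSSM_CC_HANDLE CCHandle,
        const CSSM_DL_DB_LIST *DBList,
        uint32 PassThroughId,
        const void *InputParams,
        void **OutputParams);
    void CertRemoveFromCrlTemplate(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CssmData *OldCrlTemplate,
        const CSSM_CERTGROUP &CertGroupToBeRemoved,
        const CSSM_CERTGROUP &RevokerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT &RevokerVerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT &RevokerVerifyResult,
        CssmData &NewCrlTemplate);
    void CertRevoke(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CssmData *OldCrlTemplate,
        const CSSM_CERTGROUP &CertGroupToBeRevoked,
        const CSSM_CERTGROUP &RevokerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT &RevokerVerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT &RevokerVerifyResult,
        CSSM_TP_CERTCHANGE_REASON Reason,
        CssmData &NewCrlTemplate);
    void CertReclaimAbort(CSSM_LONG_HANDLE KeyCacheHandle);
    void CrlCreateTemplate(CSSM_CL_HANDLE CLHandle,
        uint32 NumberOfFields,
        const CSSM_FIELD CrlFields[],
        CssmData &NewCrlTemplate);
    void CertGroupToTupleGroup(CSSM_CL_HANDLE CLHandle,
        const CSSM_CERTGROUP &CertGroup,
        CSSM_TUPLEGROUP_PTR &TupleGroup);
    void SubmitCredRequest(const CSSM_TP_AUTHORITY_ID *PreferredAuthority,
        CSSM_TP_AUTHORITY_REQUEST_TYPE RequestType,
        const CSSM_TP_REQUEST_SET &RequestInput,
        const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthContext,
        sint32 &EstimatedTime,
        CssmData &ReferenceIdentifier);
    void FormRequest(const CSSM_TP_AUTHORITY_ID *PreferredAuthority,
        CSSM_TP_FORM_TYPE FormType,
        CssmData &BlankForm);
    void CrlSign(CSSM_CL_HANDLE CLHandle,
        CSSM_CC_HANDLE CCHandle,
        const CSSM_ENCODED_CRL &CrlToBeSigned,
        const CSSM_CERTGROUP &SignerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT *SignerVerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT *SignerVerifyResult,
        CssmData &SignedCrl);
    void CertGroupPrune(CSSM_CL_HANDLE CLHandle,
        const CSSM_DL_DB_LIST &DBList,
        const CSSM_CERTGROUP &OrderedCertGroup,
        CSSM_CERTGROUP_PTR &PrunedCertGroup);
    void ApplyCrlToDb(CSSM_CL_HANDLE CLHandle,
        CSSM_CSP_HANDLE CSPHandle,
        const CSSM_ENCODED_CRL &CrlToBeApplied,
        const CSSM_CERTGROUP &SignerCertGroup,
        const CSSM_TP_VERIFY_CONTEXT *ApplyCrlVerifyContext,
        CSSM_TP_VERIFY_CONTEXT_RESULT &ApplyCrlVerifyResult);
    void CertGetAllTemplateFields(CSSM_CL_HANDLE CLHandle,
        const CssmData &CertTemplate,
        uint32 &NumberOfFields,
        CSSM_FIELD_PTR &CertFields);
    void ConfirmCredResult(const CssmData &ReferenceIdentifier,
        const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthCredentials,
        const CSSM_TP_CONFIRM_RESPONSE &Responses,
        const CSSM_TP_AUTHORITY_ID *PreferredAuthority);
    void FormSubmit(CSSM_TP_FORM_TYPE FormType,
        const CssmData &Form,
        const CSSM_TP_AUTHORITY_ID *ClearanceAuthority,
        const CSSM_TP_AUTHORITY_ID *RepresentedAuthority,
        AccessCredentials *Credentials);
    void RetrieveCredResult(const CssmData &ReferenceIdentifier,
        const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthCredentials,
        sint32 &EstimatedTime,
        CSSM_BOOL &ConfirmationRequired,
        CSSM_TP_RESULT_SET_PTR &RetrieveOutput);

private:
    /*
     * Private cert-group construction helper. Takes an input group plus
     * optional DB list, time string, anchors and user-trust parameters;
     * reports through the three CSSM_BOOL references how the chain ended
     * and returns the built chain in outCertGroup.
     */
    void CertGroupConstructPriv(CSSM_CL_HANDLE clHand,
        CSSM_CSP_HANDLE cspHand,
        TPCertGroup &inCertGroup,
        const CSSM_DL_DB_LIST *DBList,          // optional here
        const char *cssmTimeStr,                // optional
        uint32 numAnchorCerts,                  // optional
        const CSSM_DATA *anchorCerts,

        /* CSSM_TP_ACTION_FETCH_CERT_FROM_NET, CSSM_TP_ACTION_TRUST_SETTINGS */
        CSSM_APPLE_TP_ACTION_FLAGS actionFlags,

        /* optional user trust parameters */
        const CSSM_OID *policyOid,
        /*
         * NOTE(review): policyStr carries an explicit length (policyStrLen),
         * so the implementation presumably must not assume NUL termination -
         * confirm.
         */
        const char *policyStr,
        uint32 policyStrLen,
        CSSM_KEYUSE keyUse,

        /*
         * Certs to be freed by caller (i.e., TPCertInfo which we allocate
         * as a result of using a cert from anchorCerts or dbList) are added
         * to this group.
         */
        TPCertGroup &certsToBeFreed,

        /* returned */
        CSSM_BOOL &verifiedToRoot,              // end of chain self-verifies
        CSSM_BOOL &verifiedToAnchor,            // end of chain in anchors
        CSSM_BOOL &verifiedViaTrustSetting,     // chain ends per Trust Setting
        TPCertGroup &outCertGroup);             // RETURNED

    /* in tpCredRequest.cp */
    /*
     * The build and free functions below come in pairs (buildX509Name with
     * freeX509Name, buildX509Time with freeX509Time); presumably whatever a
     * build function returns is released with the matching free function -
     * confirm.
     */
    CSSM_X509_NAME * buildX509Name(const CSSM_APPLE_TP_NAME_OID *nameArray,
        unsigned numNames);
    void freeX509Name(CSSM_X509_NAME *top);
    CSSM_X509_TIME *buildX509Time(unsigned secondsFromNow);
    void freeX509Time(CSSM_X509_TIME *xtime);
    void refKeyToRaw(
        CSSM_CSP_HANDLE cspHand,
        const CSSM_KEY *refKey,
        CSSM_KEY_PTR rawKey);
    void makeCertTemplate(
        /* required */
        CSSM_CL_HANDLE clHand,
        CSSM_CSP_HANDLE cspHand,        // for converting ref to raw key
        uint32 serialNumber,
        const CSSM_X509_NAME *issuerName,
        const CSSM_X509_NAME *subjectName,
        const CSSM_X509_TIME *notBefore,
        const CSSM_X509_TIME *notAfter,
        const CSSM_KEY *subjectPubKey,
        const CSSM_OID &sigOid,         // e.g., CSSMOID_SHA1WithRSA
        /* optional */
        const CSSM_DATA *subjectUniqueId,
        const CSSM_DATA *issuerUniqueId,
        CSSM_X509_EXTENSION *extensions,
        unsigned numExtensions,
        CSSM_DATA_PTR &rawCert);

    void SubmitCsrRequest(
        const CSSM_TP_REQUEST_SET &RequestInput,
        const CSSM_TP_CALLERAUTH_CONTEXT *CallerAuthContext,
        sint32 &EstimatedTime,
        CssmData &ReferenceIdentifier);

    /*
     * Per-session storage of SubmitCredRequest results.
     *
     * A TpCredHandle is just an address of a cert, cast to a CSSM_INTPTR. It's
     * what ReferenceIdentifier.Data points to.
     *
     * NOTE(review): because the handle is a raw address that travels through
     * the caller, a handle coming back in should only ever be used as a
     * lookup key into tpCredMap and never cast back to a pointer and
     * dereferenced - confirm in getCertFromMap's implementation. The handle
     * value also discloses a heap address to the caller.
     */
    typedef CSSM_INTPTR TpCredHandle;
    typedef std::map<TpCredHandle,
        const CSSM_DATA * /* the actual cert */ > credMap;
    credMap     tpCredMap;
    /* presumably guards every access to tpCredMap - confirm in the .cpp */
    Mutex       tpCredMapLock;

    /* given a cert and a ReferenceIdentifier, fill in ReferenceIdentifier and
     * add it and the cert to tpCredMap. */
    void addCertToMap(
        const CSSM_DATA *cert,
        CSSM_DATA_PTR refId);

    /* given a ReferenceIdentifier, obtain associated cert and remove from the map */
    CSSM_DATA_PTR getCertFromMap(
        const CSSM_DATA *refId);

};

#endif  /* _H_APPLE_TP_SESSION */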