#include <Security/cssmtype.h>
#include <Security/cssmapi.h>
#include "tpPolicies.h"
#include <Security/oidsattr.h>
#include <Security/cssmerr.h>
#include "tpdebugging.h"
#include "rootCerts.h"
#include "certGroupUtils.h"
#include <Security/x509defs.h>
#include <Security/oidscert.h>
#include <Security/certextensions.h>
#include <Security/cssmapple.h>
#include <string.h>
#include <ctype.h>
#include <assert.h>
#include <CoreFoundation/CFString.h>
typedef struct {
CSSM_BOOL present;
CSSM_BOOL critical;
CE_Data *extnData; CSSM_DATA *valToFree; } iSignExtenInfo;
typedef struct {
iSignExtenInfo authorityId;
iSignExtenInfo subjectId;
iSignExtenInfo keyUsage;
iSignExtenInfo extendKeyUsage;
iSignExtenInfo basicConstraints;
iSignExtenInfo netscapeCertType;
iSignExtenInfo subjectAltName;
CSSM_BOOL foundUnknownCritical;
} iSignCertInfo;
static CSSM_RETURN tpSetupExtension(
Allocator &alloc,
CSSM_DATA *extnData,
iSignExtenInfo *extnInfo) {
if(extnData->Length != sizeof(CSSM_X509_EXTENSION)) {
tpPolicyError("tpSetupExtension: malformed CSSM_FIELD");
return CSSMERR_TP_UNKNOWN_FORMAT;
}
CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)extnData->Data;
extnInfo->present = CSSM_TRUE;
extnInfo->critical = cssmExt->critical;
extnInfo->extnData = (CE_Data *)cssmExt->value.parsedValue;
extnInfo->valToFree = extnData;
return CSSM_OK;
}
static CSSM_RETURN iSignFetchExtension(
Allocator &alloc,
TPCertInfo *tpCert,
const CSSM_OID *fieldOid, iSignExtenInfo *extnInfo) {
CSSM_DATA_PTR fieldValue; CSSM_RETURN crtn;
crtn = tpCert->fetchField(fieldOid, &fieldValue);
switch(crtn) {
case CSSM_OK:
break;
case CSSMERR_CL_NO_FIELD_VALUES:
return CSSM_OK;
default:
return crtn;
}
return tpSetupExtension(alloc,
fieldValue,
extnInfo);
}
static CSSM_RETURN iSignSearchUnknownExtensions(
TPCertInfo *tpCert,
iSignCertInfo *certInfo)
{
CSSM_RETURN crtn;
CSSM_DATA_PTR fieldValue = NULL;
CSSM_HANDLE searchHand = CSSM_INVALID_HANDLE;
uint32 numFields = 0;
crtn = CSSM_CL_CertGetFirstCachedFieldValue(tpCert->clHand(),
tpCert->cacheHand(),
&CSSMOID_X509V3CertificateExtensionCStruct,
&searchHand,
&numFields,
&fieldValue);
switch(crtn) {
case CSSM_OK:
break;
case CSSMERR_CL_NO_FIELD_VALUES:
return CSSM_OK;
default:
return crtn;
}
if(fieldValue->Length != sizeof(CSSM_X509_EXTENSION)) {
tpPolicyError("iSignSearchUnknownExtensions: malformed CSSM_FIELD");
return CSSMERR_TP_UNKNOWN_FORMAT;
}
CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)fieldValue->Data;
if(cssmExt->critical) {
certInfo->foundUnknownCritical = CSSM_TRUE;
goto fini;
}
CSSM_CL_FreeFieldValue(tpCert->clHand(),
&CSSMOID_X509V3CertificateExtensionCStruct,
fieldValue);
fieldValue = NULL;
for(unsigned i=1; i<numFields; i++) {
crtn = CSSM_CL_CertGetNextCachedFieldValue(tpCert->clHand(),
searchHand,
&fieldValue);
if(crtn) {
tpPolicyError("searchUnknownExtensions: GetNextCachedFieldValue"
"error");
break;
}
if(fieldValue->Length != sizeof(CSSM_X509_EXTENSION)) {
tpPolicyError("iSignSearchUnknownExtensions: "
"malformed CSSM_FIELD");
crtn = CSSMERR_TP_UNKNOWN_FORMAT;
break;
}
CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)fieldValue->Data;
if(cssmExt->critical) {
certInfo->foundUnknownCritical = CSSM_TRUE;
break;
}
CSSM_CL_FreeFieldValue(tpCert->clHand(),
&CSSMOID_X509V3CertificateExtensionCStruct,
fieldValue);
fieldValue = NULL;
}
fini:
if(fieldValue) {
CSSM_CL_FreeFieldValue(tpCert->clHand(),
&CSSMOID_X509V3CertificateExtensionCStruct,
fieldValue);
}
if(searchHand != CSSM_INVALID_HANDLE) {
CSSM_CL_CertAbortQuery(tpCert->clHand(), searchHand);
}
return crtn;
}
static CSSM_RETURN iSignGetCertInfo(
Allocator &alloc,
TPCertInfo *tpCert,
iSignCertInfo *certInfo)
{
CSSM_RETURN crtn;
crtn = iSignFetchExtension(alloc,
tpCert,
&CSSMOID_AuthorityKeyIdentifier,
&certInfo->authorityId);
if(crtn) {
return crtn;
}
crtn = iSignFetchExtension(alloc,
tpCert,
&CSSMOID_SubjectKeyIdentifier,
&certInfo->subjectId);
if(crtn) {
return crtn;
}
crtn = iSignFetchExtension(alloc,
tpCert,
&CSSMOID_KeyUsage,
&certInfo->keyUsage);
if(crtn) {
return crtn;
}
crtn = iSignFetchExtension(alloc,
tpCert,
&CSSMOID_ExtendedKeyUsage,
&certInfo->extendKeyUsage);
if(crtn) {
return crtn;
}
crtn = iSignFetchExtension(alloc,
tpCert,
&CSSMOID_BasicConstraints,
&certInfo->basicConstraints);
if(crtn) {
return crtn;
}
crtn = iSignFetchExtension(alloc,
tpCert,
&CSSMOID_NetscapeCertType,
&certInfo->netscapeCertType);
if(crtn) {
return crtn;
}
crtn = iSignFetchExtension(alloc,
tpCert,
&CSSMOID_SubjectAltName,
&certInfo->subjectAltName);
if(crtn) {
return crtn;
}
return iSignSearchUnknownExtensions(tpCert, certInfo);
}
static void iSignFreeCertInfo(
CSSM_CL_HANDLE clHand,
iSignCertInfo *certInfo)
{
if(certInfo->authorityId.present) {
CSSM_CL_FreeFieldValue(clHand, &CSSMOID_AuthorityKeyIdentifier,
certInfo->authorityId.valToFree);
}
if(certInfo->subjectId.present) {
CSSM_CL_FreeFieldValue(clHand, &CSSMOID_SubjectKeyIdentifier,
certInfo->subjectId.valToFree);
}
if(certInfo->keyUsage.present) {
CSSM_CL_FreeFieldValue(clHand, &CSSMOID_KeyUsage,
certInfo->keyUsage.valToFree);
}
if(certInfo->extendKeyUsage.present) {
CSSM_CL_FreeFieldValue(clHand, &CSSMOID_ExtendedKeyUsage,
certInfo->extendKeyUsage.valToFree);
}
if(certInfo->basicConstraints.present) {
CSSM_CL_FreeFieldValue(clHand, &CSSMOID_BasicConstraints,
certInfo->basicConstraints.valToFree);
}
if(certInfo->netscapeCertType.present) {
CSSM_CL_FreeFieldValue(clHand, &CSSMOID_NetscapeCertType,
certInfo->netscapeCertType.valToFree);
}
if(certInfo->subjectAltName.present) {
CSSM_CL_FreeFieldValue(clHand, &CSSMOID_SubjectAltName,
certInfo->subjectAltName.valToFree);
}
}
typedef enum {
SN_CommonName, SN_Email } SubjSubjNameSearchType;
static CSSM_BOOL tpCompareSubjectName(
TPCertInfo &cert,
SubjSubjNameSearchType searchType,
bool normalizeAll, const char *callerStr, uint32 callerStrLen,
bool &fieldFound)
{
char *certName = NULL; uint32 certNameLen = 0;
CSSM_DATA_PTR subjNameData = NULL;
CSSM_RETURN crtn;
CSSM_BOOL ourRtn = CSSM_FALSE;
const CSSM_OID *oidSrch;
fieldFound = false;
switch(searchType) {
case SN_CommonName:
oidSrch = &CSSMOID_CommonName;
break;
case SN_Email:
oidSrch = &CSSMOID_EmailAddress;
break;
default:
assert(0);
return CSSM_FALSE;
}
crtn = cert.fetchField(&CSSMOID_X509V1SubjectNameCStruct, &subjNameData);
if(crtn) {
tpPolicyError("tp_verifySslOpts: error retrieving subject name");
return CSSM_FALSE;
}
CSSM_X509_NAME_PTR x509name = (CSSM_X509_NAME_PTR)subjNameData->Data;
if((x509name == NULL) || (subjNameData->Length != sizeof(CSSM_X509_NAME))) {
tpPolicyError("tp_verifySslOpts: malformed CSSM_X509_NAME");
cert.freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
return CSSM_FALSE;
}
CSSM_X509_TYPE_VALUE_PAIR *ptvp;
CSSM_X509_RDN_PTR rdnp;
unsigned rdnDex;
unsigned pairDex;
for(rdnDex=0; rdnDex<x509name->numberOfRDNs; rdnDex++) {
rdnp = &x509name->RelativeDistinguishedName[rdnDex];
for(pairDex=0; pairDex<rdnp->numberOfPairs; pairDex++) {
ptvp = &rdnp->AttributeTypeAndValue[pairDex];
if(tpCompareOids(&ptvp->type, oidSrch)) {
fieldFound = true;
certName = (char *)ptvp->value.Data;
certNameLen = ptvp->value.Length;
switch(searchType) {
case SN_CommonName:
{
CFStringBuiltInEncodings encoding;
CFDataRef cfd = NULL;
bool doConvert = false;
switch(ptvp->valueType) {
case BER_TAG_T61_STRING:
encoding = kCFStringEncodingISOLatin1;
doConvert = true;
break;
case BER_TAG_PKIX_BMP_STRING:
encoding = kCFStringEncodingUnicode;
doConvert = true;
break;
default:
break;
}
if(doConvert) {
cfd = CFDataCreate(NULL, (UInt8 *)certName, certNameLen);
if(cfd == NULL) {
break;
}
CFStringRef cfStr = CFStringCreateFromExternalRepresentation(
NULL, cfd, encoding);
CFRelease(cfd);
if(cfStr == NULL) {
tpPolicyError("tpCompareSubjectName: bad str (1)");
break;
}
cfd = CFStringCreateExternalRepresentation(NULL,
cfStr, kCFStringEncodingASCII, 0);
CFRelease(cfStr);
if(cfd == NULL) {
tpPolicyError("tpCompareSubjectName: bad str (2)");
break;
}
certNameLen = CFDataGetLength(cfd);
certName = (char *)CFDataGetBytePtr(cfd);
}
ourRtn = tpCompareHostNames(callerStr, callerStrLen,
certName, certNameLen);
if(doConvert) {
assert(cfd != NULL);
CFRelease(cfd);
}
break;
}
case SN_Email:
ourRtn = tpCompareEmailAddr(callerStr, callerStrLen,
certName, certNameLen, normalizeAll);
break;
}
if(ourRtn) {
break;
}
}
}
if(ourRtn) {
break;
}
}
cert.freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
return ourRtn;
}
static CSSM_BOOL tpCompIpAddrStr(
const char *str,
unsigned strLen,
const CSSM_DATA *numeric)
{
const char *cp = str;
const char *nextDot;
char buf[100];
if((numeric == NULL) || (numeric->Length == 0) || (str == NULL)) {
return CSSM_FALSE;
}
if(cp[strLen - 1] == '\0') {
strLen--;
}
for(unsigned dex=0; dex<numeric->Length; dex++) {
const char *lastChar = cp + strLen;
nextDot = cp + 1;
for( ; nextDot<lastChar; nextDot++) {
if(*nextDot == '.') {
break;
}
}
if(nextDot == lastChar) {
if(dex != (numeric->Length - 1)) {
return CSSM_FALSE;
}
}
else if(dex == (numeric->Length - 1)) {
return CSSM_FALSE;
}
unsigned digLen = nextDot - cp;
if(digLen >= sizeof(buf)) {
return CSSM_FALSE;
}
memmove(buf, cp, digLen);
buf[digLen] = '\0';
digLen++;
cp += digLen;
strLen -= digLen;
int digVal = atoi(buf);
if(digVal != numeric->Data[dex]) {
return CSSM_FALSE;
}
}
return CSSM_TRUE;
}
typedef enum {
SAN_HostName,
SAN_Email
} SubjAltNameSearchType;
static CSSM_BOOL tpCompareSubjectAltName(
const iSignExtenInfo &subjAltNameInfo,
const char *appStr, uint32 appStrLen,
SubjAltNameSearchType searchType,
bool normalizeAll, bool &dnsNameFound, bool &emailFound) {
dnsNameFound = false;
emailFound = false;
if(!subjAltNameInfo.present) {
return CSSM_FALSE;
}
CE_GeneralNames *names = &subjAltNameInfo.extnData->subjectAltName;
CSSM_BOOL ourRtn = CSSM_FALSE;
char *certName;
unsigned certNameLen;
for(unsigned dex=0; dex<names->numNames; dex++) {
CE_GeneralName *name = &names->generalName[dex];
switch(searchType) {
case SAN_HostName:
switch(name->nameType) {
case GNT_IPAddress:
if(appStr == NULL) {
break;
}
ourRtn = tpCompIpAddrStr(appStr, appStrLen, &name->name);
break;
case GNT_DNSName:
if(name->berEncoded) {
tpErrorLog("tpCompareSubjectAltName: malformed "
"CE_GeneralName (1)\n");
break;
}
certName = (char *)name->name.Data;
if(certName == NULL) {
tpErrorLog("tpCompareSubjectAltName: malformed "
"CE_GeneralName (2)\n");
break;
}
certNameLen = name->name.Length;
dnsNameFound = true;
if(appStr != NULL) {
ourRtn = tpCompareHostNames(appStr, appStrLen,
certName, certNameLen);
}
break;
default:
break;
}
break;
case SAN_Email:
if(name->nameType != GNT_RFC822Name) {
break;
}
certName = (char *)name->name.Data;
if(certName == NULL) {
tpErrorLog("tpCompareSubjectAltName: malformed "
"GNT_RFC822Name\n");
break;
}
certNameLen = name->name.Length;
emailFound = true;
if(appStr != NULL) {
ourRtn = tpCompareEmailAddr(appStr, appStrLen, certName,
certNameLen, normalizeAll);
}
break;
}
if(ourRtn) {
break;
}
}
return ourRtn;
}
static CSSM_BOOL tpIsNumeric(
const char *hostName,
unsigned hostNameLen)
{
if(hostName[hostNameLen - 1] == '\0') {
hostNameLen--;
}
for(unsigned i=0; i<hostNameLen; i++) {
char c = *hostName++;
if(isdigit(c)) {
continue;
}
if(c != '.') {
return CSSM_FALSE;
}
}
return CSSM_TRUE;
}
static CFStringRef tpTvpToCfString(
const CSSM_X509_TYPE_VALUE_PAIR *tvp)
{
CFStringBuiltInEncodings encoding;
switch(tvp->valueType) {
case BER_TAG_T61_STRING:
encoding = kCFStringEncodingISOLatin1;
break;
case BER_TAG_PKIX_BMP_STRING:
encoding = kCFStringEncodingUnicode;
break;
case BER_TAG_PRINTABLE_STRING:
case BER_TAG_IA5_STRING:
case BER_TAG_PKIX_UTF8_STRING:
encoding = kCFStringEncodingUTF8;
break;
default:
return NULL;
}
CFDataRef cfd = CFDataCreate(NULL, tvp->value.Data, tvp->value.Length);
if(cfd == NULL) {
return NULL;
}
CFStringRef cfStr = CFStringCreateFromExternalRepresentation(NULL, cfd, encoding);
CFRelease(cfd);
return cfStr;
}
static bool tpCompareTvpToCfString(
const CSSM_X509_TYPE_VALUE_PAIR *tvp,
CFStringRef refStr,
CFOptionFlags flags) {
CFStringRef cfStr = tpTvpToCfString(tvp);
if(cfStr == NULL) {
return false;
}
CFComparisonResult res = CFStringCompare(refStr, cfStr, flags);
CFRelease(cfStr);
if(res == kCFCompareEqualTo) {
return true;
}
else {
return false;
}
}
static bool tpCompareIChatHandleName(
TPCertInfo &cert,
const char *iChatHandle, uint32 iChatHandleLen)
{
CSSM_DATA_PTR subjNameData = NULL; CSSM_RETURN crtn;
bool ourRtn = false;
CSSM_X509_NAME_PTR x509name;
CSSM_X509_TYPE_VALUE_PAIR *ptvp;
CSSM_X509_RDN_PTR rdnp;
unsigned rdnDex;
unsigned pairDex;
CSSM_BOOL commonNameMatch = CSSM_FALSE; CSSM_BOOL orgUnitMatch = CSSM_FALSE; CSSM_BOOL orgMatch = CSSM_FALSE;
if(iChatHandle[iChatHandleLen - 1] == '\0') {
iChatHandleLen--;
}
CFDataRef cfd = CFDataCreate(NULL, (const UInt8 *)iChatHandle, iChatHandleLen);
if(cfd == NULL) {
return false;
}
CFStringRef handleStr = CFStringCreateFromExternalRepresentation(NULL, cfd,
kCFStringEncodingUTF8);
CFRelease(cfd);
if(handleStr == NULL) {
tpPolicyError("tpCompareIChatHandleName: bad incoming handle (1)");
return false;
}
CFRange whereIsAt;
whereIsAt = CFStringFind(handleStr, CFSTR("@"), 0);
if(whereIsAt.length == 0) {
tpPolicyError("tpCompareIChatHandleName: bad incoming handle: no @");
CFRelease(handleStr);
return false;
}
CFRange r = {0, whereIsAt.location};
CFStringRef iChatName = CFStringCreateWithSubstring(NULL, handleStr, r);
if(iChatName == NULL) {
tpPolicyError("tpCompareIChatHandleName: bad incoming handle (2)");
CFRelease(handleStr);
return false;
}
r.location = whereIsAt.location + 1; r.length = CFStringGetLength(handleStr) - r.location;
CFStringRef iChatDomain = CFStringCreateWithSubstring(NULL, handleStr, r);
CFRelease(handleStr);
if(iChatDomain == NULL) {
tpPolicyError("tpCompareIChatHandleName: bad incoming handle (3)");
CFRelease(iChatName);
return false;
}
crtn = cert.fetchField(&CSSMOID_X509V1SubjectNameCStruct, &subjNameData);
if(crtn) {
tpPolicyError("tpCompareIChatHandleName: error retrieving subject name");
goto errOut;
}
x509name = (CSSM_X509_NAME_PTR)subjNameData->Data;
if((x509name == NULL) || (subjNameData->Length != sizeof(CSSM_X509_NAME))) {
tpPolicyError("tpCompareIChatHandleName: malformed CSSM_X509_NAME");
goto errOut;
}
for(rdnDex=0; rdnDex<x509name->numberOfRDNs; rdnDex++) {
rdnp = &x509name->RelativeDistinguishedName[rdnDex];
for(pairDex=0; pairDex<rdnp->numberOfPairs; pairDex++) {
ptvp = &rdnp->AttributeTypeAndValue[pairDex];
if(!commonNameMatch &&
tpCompareOids(&ptvp->type, &CSSMOID_CommonName) &&
tpCompareTvpToCfString(ptvp, iChatName, kCFCompareCaseInsensitive)) {
commonNameMatch = CSSM_TRUE;
}
if(!orgUnitMatch &&
tpCompareOids(&ptvp->type, &CSSMOID_OrganizationalUnitName) &&
tpCompareTvpToCfString(ptvp, iChatDomain, kCFCompareCaseInsensitive)) {
orgUnitMatch = CSSM_TRUE;
}
if(!orgMatch &&
tpCompareOids(&ptvp->type, &CSSMOID_OrganizationName) &&
tpCompareTvpToCfString(ptvp, CFSTR("Apple Computer, Inc."), 0)) {
orgMatch = CSSM_TRUE;
}
if(commonNameMatch && orgUnitMatch && orgMatch) {
ourRtn = true;
goto errOut;
}
}
}
errOut:
cert.freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
CFRelease(iChatName);
CFRelease(iChatDomain);
return ourRtn;
}
static CSSM_RETURN tp_verifySslOpts(
TPCertGroup &certGroup,
const CSSM_DATA *sslFieldOpts,
const iSignCertInfo &leafCertInfo)
{
CSSM_APPLE_TP_SSL_OPTIONS *sslOpts = NULL;
unsigned hostNameLen = 0;
const char *serverName = NULL;
TPCertInfo *leaf = certGroup.certAtIndex(0);
assert(leaf != NULL);
if((sslFieldOpts != NULL) && (sslFieldOpts->Data != NULL)) {
sslOpts = (CSSM_APPLE_TP_SSL_OPTIONS *)sslFieldOpts->Data;
switch(sslOpts->Version) {
case CSSM_APPLE_TP_SSL_OPTS_VERSION:
if(sslFieldOpts->Length != sizeof(CSSM_APPLE_TP_SSL_OPTIONS)) {
return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
}
break;
default:
return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
}
hostNameLen = sslOpts->ServerNameLen;
serverName = sslOpts->ServerName;
}
if(hostNameLen != 0) {
if(serverName == NULL) {
return CSSMERR_TP_INVALID_POINTER;
}
char *hostName = (char *)certGroup.alloc().malloc(hostNameLen);
memmove(hostName, serverName, hostNameLen);
tpToLower(hostName, hostNameLen);
CSSM_BOOL match = CSSM_FALSE;
bool dnsNameFound = false;
bool dummy;
match = tpCompareSubjectAltName(leafCertInfo.subjectAltName,
hostName, hostNameLen,
SAN_HostName, false, dnsNameFound, dummy);
if(!match && !dnsNameFound && !tpIsNumeric(hostName, hostNameLen)) {
bool fieldFound;
match = tpCompareSubjectName(*leaf, SN_CommonName, false, hostName, hostNameLen,
fieldFound);
}
certGroup.alloc().free(hostName);
if(!match) {
leaf->addStatusCode(CSSMERR_APPLETP_HOSTNAME_MISMATCH);
return CSSMERR_APPLETP_HOSTNAME_MISMATCH;
}
}
const iSignExtenInfo &ekuInfo = leafCertInfo.extendKeyUsage;
if(ekuInfo.present) {
bool foundGoodEku = false;
bool isServer = true;
CE_ExtendedKeyUsage *eku = (CE_ExtendedKeyUsage *)ekuInfo.extnData;
assert(eku != NULL);
const CSSM_OID *extUse = &CSSMOID_ServerAuth;
if((sslOpts != NULL) &&
(sslOpts->Version > 0) &&
(sslOpts->Flags & CSSM_APPLE_TP_SSL_CLIENT)) {
extUse = &CSSMOID_ClientAuth;
isServer = false;
}
for(unsigned i=0; i<eku->numPurposes; i++) {
const CSSM_OID *purpose = &eku->purposes[i];
if(tpCompareOids(purpose, extUse)) {
foundGoodEku = true;
break;
}
if(tpCompareOids(purpose, &CSSMOID_ExtendedKeyUsageAny)) {
foundGoodEku = true;
break;
}
if(isServer) {
if(tpCompareOids(purpose, &CSSMOID_NetscapeSGC)) {
foundGoodEku = true;
break;
}
if(tpCompareOids(purpose, &CSSMOID_MicrosoftSGC)) {
foundGoodEku = true;
break;
}
}
}
if(!foundGoodEku) {
leaf->addStatusCode(CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE);
return CSSMERR_TP_VERIFY_ACTION_FAILED;
}
}
return CSSM_OK;
}
#define CE_CIPHER_MASK (~(CE_KU_EncipherOnly | CE_KU_DecipherOnly))
static CSSM_RETURN tp_verifySmimeOpts(
TPPolicy policy,
TPCertGroup &certGroup,
const CSSM_DATA *smimeFieldOpts,
const iSignCertInfo &leafCertInfo)
{
bool iChat = (policy == kTP_iChat) ? true : false;
CSSM_APPLE_TP_SMIME_OPTIONS *smimeOpts = NULL;
if(smimeFieldOpts != NULL) {
smimeOpts = (CSSM_APPLE_TP_SMIME_OPTIONS *)smimeFieldOpts->Data;
}
if(smimeOpts != NULL) {
switch(smimeOpts->Version) {
case CSSM_APPLE_TP_SMIME_OPTS_VERSION:
if(smimeFieldOpts->Length !=
sizeof(CSSM_APPLE_TP_SMIME_OPTIONS)) {
return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
}
break;
default:
return CSSMERR_TP_INVALID_POLICY_IDENTIFIERS;
}
}
TPCertInfo *leaf = certGroup.certAtIndex(0);
assert(leaf != NULL);
unsigned emailLen = 0;
if(smimeOpts != NULL) {
emailLen = smimeOpts->SenderEmailLen;
}
bool match = false;
bool emailFoundInSAN = false;
bool iChatHandleFound = false;
bool emailFoundInDN = false;
if(emailLen != 0) {
if(smimeOpts->SenderEmail == NULL) {
return CSSMERR_TP_INVALID_POINTER;
}
if(iChat) {
iChatHandleFound = tpCompareIChatHandleName(*leaf, smimeOpts->SenderEmail,
emailLen);
if(iChatHandleFound) {
match = true;
}
}
if(!match) {
char *email = (char *)certGroup.alloc().malloc(emailLen);
memmove(email, smimeOpts->SenderEmail, emailLen);
tpNormalizeAddrSpec(email, emailLen, iChat);
bool dummy;
match = tpCompareSubjectAltName(leafCertInfo.subjectAltName,
email, emailLen,
SAN_Email, iChat, dummy, emailFoundInSAN);
if(!match) {
match = tpCompareSubjectName(*leaf, SN_Email, iChat, email, emailLen,
emailFoundInDN);
}
certGroup.alloc().free(email);
if(!match && (emailFoundInSAN || emailFoundInDN)) {
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND);
tpPolicyError("SMIME email addrs in cert but no match");
return CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND;
}
}
if(iChat && !emailFoundInSAN && !emailFoundInDN && !iChatHandleFound) {
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS);
tpPolicyError("iChat: no email address or handle in cert");
return CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS;
}
}
CSSM_RETURN crtn;
CSSM_DATA_PTR subjNameData = NULL;
const iSignExtenInfo &kuInfo = leafCertInfo.keyUsage;
const iSignExtenInfo &ekuInfo = leafCertInfo.extendKeyUsage;
const CSSM_X509_NAME *x509Name = NULL;
if(iChat) {
goto checkEku;
}
crtn = leaf->fetchField(&CSSMOID_X509V1SubjectNameCStruct, &subjNameData);
if(crtn) {
tpPolicyError("SMIME policy: error fetching subjectName");
leaf->addStatusCode(CSSMERR_TP_INVALID_CERTIFICATE);
return CSSMERR_TP_INVALID_CERTIFICATE;
}
x509Name = (const CSSM_X509_NAME *)subjNameData->Data;
if(x509Name->numberOfRDNs == 0) {
if(!emailFoundInSAN && (emailLen == 0)) { bool dummy;
tpCompareSubjectAltName(leafCertInfo.subjectAltName,
NULL, 0, SAN_Email, false, dummy,
emailFoundInSAN); }
if(!emailFoundInSAN) {
tpPolicyError("SMIME policy fail: empty subject name and "
"no Email Addrs in SubjectAltName");
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS);
leaf->freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
return CSSMERR_TP_VERIFY_ACTION_FAILED;
}
assert(leafCertInfo.subjectAltName.present);
if(!leafCertInfo.subjectAltName.critical) {
tpPolicyError("SMIME policy fail: empty subject name and "
"no Email Addrs in SubjectAltName");
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT);
leaf->freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
return CSSMERR_TP_VERIFY_ACTION_FAILED;
}
}
leaf->freeField(&CSSMOID_X509V1SubjectNameCStruct, subjNameData);
if(kuInfo.present && (smimeOpts != NULL)) {
CE_KeyUsage certKu = *((CE_KeyUsage *)kuInfo.extnData);
CE_KeyUsage appKu = smimeOpts->IntendedUsage;
CE_KeyUsage intersection = certKu & appKu;
if((intersection & CE_CIPHER_MASK) != (appKu & CE_CIPHER_MASK)) {
tpPolicyError("SMIME KeyUsage err: appKu 0x%x certKu 0x%x",
appKu, certKu);
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE);
return CSSMERR_TP_VERIFY_ACTION_FAILED;
}
if(appKu & CE_KU_KeyAgreement) {
if((appKu & (CE_KU_EncipherOnly | CE_KU_DecipherOnly)) == 0) {
tpPolicyError("SMIME KeyUsage err: KeyAgreement with "
"no Encipher or Decipher");
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE);
return CSSMERR_TP_VERIFY_ACTION_FAILED;
}
if((certKu & CE_KU_EncipherOnly) &&
(appKu & CE_KU_DecipherOnly)) {
tpPolicyError("SMIME KeyUsage err: cert EncipherOnly, "
"app wants to decipher");
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE);
return CSSMERR_TP_VERIFY_ACTION_FAILED;
}
if((certKu & CE_KU_DecipherOnly) &&
(appKu & CE_KU_EncipherOnly)) {
tpPolicyError("SMIME KeyUsage err: cert DecipherOnly, "
"app wants to encipher");
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE);
return CSSMERR_TP_VERIFY_ACTION_FAILED;
}
}
}
checkEku:
if(iChat && !ekuInfo.present) {
tpPolicyError("iChat: No extended Key Use");
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE);
return CSSMERR_APPLETP_SMIME_BAD_KEY_USE;
}
if(!iChatHandleFound) {
if(ekuInfo.present) {
bool foundGoodEku = false;
CE_ExtendedKeyUsage *eku = (CE_ExtendedKeyUsage *)ekuInfo.extnData;
assert(eku != NULL);
for(unsigned i=0; i<eku->numPurposes; i++) {
if(tpCompareOids(&eku->purposes[i], &CSSMOID_EmailProtection)) {
foundGoodEku = true;
break;
}
if(tpCompareOids(&eku->purposes[i], &CSSMOID_ExtendedKeyUsageAny)) {
foundGoodEku = true;
break;
}
}
if(!foundGoodEku) {
tpPolicyError("iChat/SMIME: No appropriate extended Key Use");
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE);
return CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE;
}
}
}
else {
assert(iChat);
assert(ekuInfo.present);
bool foundAnyEku = false;
bool foundIChatSign = false;
bool foundISignEncrypt = false;
CE_ExtendedKeyUsage *eku = (CE_ExtendedKeyUsage *)ekuInfo.extnData;
assert(eku != NULL);
for(unsigned i=0; i<eku->numPurposes; i++) {
if(tpCompareOids(&eku->purposes[i],
&CSSMOID_APPLE_EKU_ICHAT_SIGNING)) {
foundIChatSign = true;
}
else if(tpCompareOids(&eku->purposes[i],
&CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION)) {
foundISignEncrypt = true;
}
else if(tpCompareOids(&eku->purposes[i], &CSSMOID_ExtendedKeyUsageAny)) {
foundAnyEku = true;
}
}
if(!foundAnyEku && !foundISignEncrypt && !foundIChatSign) {
tpPolicyError("iChat: No valid extended Key Uses found");
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE);
return CSSMERR_APPLETP_SMIME_BAD_KEY_USE;
}
if((smimeOpts != NULL) && (smimeOpts->IntendedUsage != 0)) {
if(smimeOpts->IntendedUsage & CE_KU_DigitalSignature) {
if(!foundIChatSign) {
tpPolicyError("iChat: ICHAT_SIGNING required, but missing");
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE);
return CSSMERR_APPLETP_SMIME_BAD_KEY_USE;
}
}
if(smimeOpts->IntendedUsage & CE_KU_DataEncipherment) {
if(!foundISignEncrypt) {
tpPolicyError("iChat: ICHAT_ENCRYPT required, but missing");
leaf->addStatusCode(CSSMERR_APPLETP_SMIME_BAD_KEY_USE);
return CSSMERR_APPLETP_SMIME_BAD_KEY_USE;
}
}
}
}
return CSSM_OK;
}
static CSSM_RETURN tp_verifyCodeSigningOpts(
TPCertGroup &certGroup,
const CSSM_DATA *fieldOpts, const iSignCertInfo *certInfo) {
unsigned numCerts = certGroup.numCerts();
if(numCerts != 3) {
tpPolicyError("tp_verifyCodeSigningOpts: numCerts %u", numCerts);
return CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH;
}
const iSignCertInfo *isCertInfo = &certInfo[1];
TPCertInfo *tpCert = certGroup.certAtIndex(1);
if(!isCertInfo->basicConstraints.present) {
tpPolicyError("tp_verifyCodeSigningOpts: no basicConstraints in intermediate");
tpCert->addStatusCode(CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS);
return CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS;
}
const CE_BasicConstraints *bc = &isCertInfo->basicConstraints.extnData->basicConstraints;
assert(bc != NULL);
assert(bc->cA);
if(!bc->pathLenConstraintPresent || (bc->pathLenConstraint != 0)) {
tpPolicyError("tp_verifyCodeSigningOpts: bad pathLengthConstraint in intermediate");
tpCert->addStatusCode(CSSMERR_APPLETP_CS_BAD_PATH_LENGTH);
return CSSMERR_APPLETP_CS_BAD_PATH_LENGTH;
}
if(!isCertInfo->extendKeyUsage.present) {
tpPolicyError("tp_verifyCodeSigningOpts: no extendedKeyUse in intermediate");
tpCert->addStatusCode(CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE);
return CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE;
}
CE_ExtendedKeyUsage *eku = &isCertInfo->extendKeyUsage.extnData->extendedKeyUsage;
assert(eku != NULL);
if(eku->numPurposes != 1) {
tpPolicyError("tp_verifyCodeSigningOpts: bad eku->numPurposes in intermediate (%lu)",
eku->numPurposes);
tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE);
return CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
}
CSSM_RETURN crtn = CSSM_OK;
if(!tpCompareOids(&eku->purposes[0], &CSSMOID_APPLE_EKU_CODE_SIGNING)) {
tpPolicyError("tp_verifyCodeSigningOpts: bad EKU");
tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE);
crtn = CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
}
isCertInfo = &certInfo[0];
tpCert = certGroup.certAtIndex(0);
if(!isCertInfo->extendKeyUsage.present) {
tpPolicyError("tp_verifyCodeSigningOpts: no extendedKeyUse in leaf");
tpCert->addStatusCode(CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE);
return crtn ? crtn : CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE;
}
eku = &isCertInfo->extendKeyUsage.extnData->extendedKeyUsage;
assert(eku != NULL);
if(eku->numPurposes != 1) {
tpPolicyError("tp_verifyCodeSigningOpts: bad eku->numPurposes (%lu)",
eku->numPurposes);
tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE);
if(crtn == CSSM_OK) {
crtn = CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
}
}
if(!tpCompareOids(&eku->purposes[0], &CSSMOID_APPLE_EKU_CODE_SIGNING)) {
if(tpCompareOids(&eku->purposes[0], &CSSMOID_APPLE_EKU_CODE_SIGNING_DEV)) {
tpPolicyError("tp_verifyCodeSigningOpts: DEVELOPMENT cert");
tpCert->addStatusCode(CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT);
if(crtn == CSSM_OK) {
crtn = CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT;
}
}
else {
tpPolicyError("tp_verifyCodeSigningOpts: bad EKU in leaf");
tpCert->addStatusCode(CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE);
if(crtn == CSSM_OK) {
crtn = CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE;
}
}
}
return crtn;
}
#define BASIC_CONSTRAINTS_MUST_BE_CRITICAL 0
#define EXTENDED_KEY_USAGE_REQUIRED_FOR_LEAF 0
#define SUBJECT_ALT_NAME_REQUIRED_FOR_LEAF 0
#define KEY_USAGE_REQUIRED_FOR_ROOT 0
#define SMIME_KEY_USAGE_MUST_BE_CRITICAL 0
CSSM_RETURN tp_policyVerify(
TPPolicy policy,
Allocator &alloc,
CSSM_CL_HANDLE clHand,
CSSM_CSP_HANDLE cspHand,
TPCertGroup *certGroup,
CSSM_BOOL verifiedToRoot, CSSM_APPLE_TP_ACTION_FLAGS actionFlags,
const CSSM_DATA *policyFieldData, void *policyOpts) {
iSignCertInfo *certInfo = NULL;
uint32 numCerts;
iSignCertInfo *thisCertInfo;
uint16 expUsage;
uint16 actUsage;
unsigned certDex;
CSSM_BOOL cA = CSSM_FALSE; bool isLeaf; bool isRoot; CE_ExtendedKeyUsage *extendUsage;
CE_AuthorityKeyID *authorityId;
CSSM_RETURN outErr = CSSM_OK; CSSM_BOOL policyFail = CSSM_FALSE; CSSM_RETURN policyError = CSSM_OK;
if(policy == kTPDefault) {
return CSSM_OK;
}
if(certGroup == NULL) {
return CSSMERR_TP_INVALID_CERTGROUP;
}
numCerts = certGroup->numCerts();
if(numCerts == 0) {
return CSSMERR_TP_INVALID_CERTGROUP;
}
if(policy == kTPiSign) {
if(!verifiedToRoot) {
return CSSMERR_TP_VERIFY_ACTION_FAILED;
}
if(numCerts <= 1) {
return CSSMERR_TP_VERIFY_ACTION_FAILED;
}
}
certInfo = (iSignCertInfo *)tpCalloc(alloc, numCerts, sizeof(iSignCertInfo));
for(certDex=0; certDex<numCerts; certDex++) {
if(iSignGetCertInfo(alloc,
certGroup->certAtIndex(certDex),
&certInfo[certDex])) {
(certGroup->certAtIndex(certDex))->addStatusCode(
CSSMERR_TP_INVALID_CERTIFICATE);
outErr = CSSMERR_TP_INVALID_CERTIFICATE;
goto errOut;
}
}
for(certDex=0; certDex<numCerts; certDex++) {
thisCertInfo = &certInfo[certDex];
TPCertInfo *thisTpCertInfo = certGroup->certAtIndex(certDex);
if(thisCertInfo->foundUnknownCritical) {
tpPolicyError("tp_policyVerify: critical flag in unknown extension");
thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN);
policyFail = CSSM_TRUE;
}
isLeaf = thisTpCertInfo->isLeaf();
isRoot = thisTpCertInfo->isSelfSigned();
if(!thisCertInfo->basicConstraints.present) {
if(isLeaf) {
cA = CSSM_FALSE;
}
else if(isRoot) {
cA = CSSM_TRUE;
}
else {
switch(policy) {
default:
cA = CSSM_FALSE;
break;
case kTPiSign:
tpPolicyError("tp_policyVerify: no "
"basicConstraints");
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(
CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS);
break;
}
}
}
else {
#if BASIC_CONSTRAINTS_MUST_BE_CRITICAL
if(!thisCertInfo->basicConstraints.critical) {
tpPolicyError("tp_policyVerify: basicConstraints marked "
"not critical");
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(CSSMERR_TP_VERIFY_ACTION_FAILED);
}
#endif
const CE_BasicConstraints *bcp =
&thisCertInfo->basicConstraints.extnData->basicConstraints;
cA = bcp->cA;
if(!isLeaf && cA && bcp->pathLenConstraintPresent) {
if(certDex > (bcp->pathLenConstraint + 1)) {
tpPolicyError("tp_policyVerify: pathLenConstraint "
"exceeded");
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(
CSSMERR_APPLETP_PATH_LEN_CONSTRAINT);
}
}
}
if(isLeaf) {
if(cA && !isRoot &&
!(actionFlags & CSSM_TP_ACTION_LEAF_IS_CA)) {
tpPolicyError("tp_policyVerify: cA true for leaf");
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_CA);
}
} else if(!cA) {
tpPolicyError("tp_policyVerify: cA false for non-leaf");
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_CA);
}
if((policy == kTPiSign) && thisCertInfo->authorityId.present) {
if(isRoot) {
tpPolicyError("tp_policyVerify: authorityId in root");
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_AUTHORITY_ID);
}
if(thisCertInfo->authorityId.critical) {
tpPolicyError("tp_policyVerify: authorityId marked "
"critical");
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_AUTHORITY_ID);
}
}
if(thisCertInfo->subjectId.present) {
if((policy == kTPiSign) && thisCertInfo->subjectId.critical) {
tpPolicyError("tp_policyVerify: subjectId marked critical");
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_SUBJECT_ID);
}
}
if(thisCertInfo->keyUsage.present) {
if(isLeaf) {
switch(policy) {
case kTPiSign:
case kTP_CodeSign:
expUsage = CE_KU_DigitalSignature;
break;
case kCrlPolicy:
expUsage = CE_KU_CRLSign;
break;
default:
expUsage = thisCertInfo->keyUsage.extnData->keyUsage;
break;
}
}
else {
expUsage = CE_KU_KeyCertSign;
}
actUsage = thisCertInfo->keyUsage.extnData->keyUsage;
if(!(actUsage & expUsage)) {
tpPolicyError("tp_policyVerify: bad keyUsage (leaf %s; "
"usage 0x%x)",
(certDex == 0) ? "TRUE" : "FALSE", actUsage);
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_KEY_USAGE);
}
#if 0
if((policy == kTP_SMIME) && !thisCertInfo->keyUsage.critical) {
if(SMIME_KEY_USAGE_MUST_BE_CRITICAL || isLeaf || isRoot) {
tpPolicyError("tp_policyVerify: key usage, !critical, SMIME");
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_SMIME_KEYUSAGE_NOT_CRITICAL);
}
}
#endif
}
else if(policy == kTPiSign) {
if(isLeaf && thisCertInfo->netscapeCertType.present) {
CE_NetscapeCertType ct =
thisCertInfo->netscapeCertType.extnData->netscapeCertType;
if(!(ct & CE_NCT_ObjSign)) {
tpPolicyError("tp_policyVerify: netscape-cert-type, "
"!ObjectSign");
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_KEY_USAGE);
}
}
else if(!isRoot) {
tpPolicyError("tp_policyVerify: !isRoot, no keyUsage, "
"!(leaf and netscapeCertType)");
policyFail = CSSM_TRUE;
thisTpCertInfo->addStatusCode(CSSMERR_APPLETP_INVALID_KEY_USAGE);
}
}
}
if((policy == kTPiSign) && certInfo[0].extendKeyUsage.present) {
extendUsage = &certInfo[0].extendKeyUsage.extnData->extendedKeyUsage;
if(extendUsage->numPurposes != 1) {
tpPolicyError("tp_policyVerify: bad extendUsage->numPurposes "
"(%d)",
(int)extendUsage->numPurposes);
policyFail = CSSM_TRUE;
(certGroup->certAtIndex(0))->addStatusCode(
CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE);
}
if(!tpCompareOids(extendUsage->purposes,
&CSSMOID_ExtendedUseCodeSigning)) {
tpPolicyError("tp_policyVerify: bad extendKeyUsage");
policyFail = CSSM_TRUE;
(certGroup->certAtIndex(0))->addStatusCode(
CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE);
}
}
for(certDex=0; certDex<(numCerts-1); certDex++) {
if(!certInfo[certDex].authorityId.present ||
!certInfo[certDex+1].subjectId.present) {
continue;
}
authorityId = &certInfo[certDex].authorityId.extnData->authorityKeyID;
if(!authorityId->keyIdentifierPresent) {
continue;
}
if(!tpCompareCssmData(&authorityId->keyIdentifier,
&certInfo[certDex+1].subjectId.extnData->subjectKeyID)) {
tpPolicyError("tp_policyVerify: bad key ID linkage");
policyFail = CSSM_TRUE;
(certGroup->certAtIndex(certDex))->addStatusCode(
CSSMERR_APPLETP_INVALID_ID_LINKAGE);
}
}
switch(policy) {
case kTP_SSL:
case kTP_EAP:
case kTP_IPSec:
policyError = tp_verifySslOpts(*certGroup, policyFieldData, certInfo[0]);
break;
case kTP_iChat:
tpDebug("iChat policy");
case kTP_SMIME:
policyError = tp_verifySmimeOpts(policy, *certGroup, policyFieldData,
certInfo[0]);
break;
case kTP_CodeSign:
policyError = tp_verifyCodeSigningOpts(*certGroup, policyFieldData, certInfo);
break;
default:
break;
}
if(outErr == CSSM_OK) {
if(policyError != CSSM_OK) {
outErr = policyError;
}
else if(policyFail) {
outErr = CSSMERR_TP_VERIFY_ACTION_FAILED;
}
}
errOut:
for(certDex=0; certDex<numCerts; certDex++) {
thisCertInfo = &certInfo[certDex];
iSignFreeCertInfo(clHand, thisCertInfo);
}
tpFree(alloc, certInfo);
return outErr;
}