rootCerts.cpp   [plain text]

/*
 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please 
 * obtain a copy of the License at http://www.apple.com/publicsource and 
 * read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS
 * FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please 
 * see the License for the specific language governing rights and 
 * limitations under the License.
 */


/*
	File:		rootCerts.cp

	Contains:	Bridge between SecTrustGetCSSMAnchorCertificates() and 
	            TP's internally cached tpRootCert array.

	Written by:	Doug Mitchell. 

	Copyright:	Copyright 2002 by Apple Computer, Inc., all rights reserved.

*/

#include "rootCerts.h"
#include "certGroupUtils.h"
#include <Security/Trust.h>
#include <Security/TrustStore.h>
#include <Security/debugging.h>
#include <Security/oidscert.h>

/* static in TPRootStore */
ModuleNexus<TPRootStore> TPRootStore::tpGlobalRoots;

TPRootStore::~TPRootStore()
{
	/* 
	 * Technically this never gets called because the only instance
	 * of a TPRootStore is via tpGlobalRoots. Freeing mRootCerts
	 * here really doesn't accomplish anything.
	 */
}

const tpRootCert *TPRootStore::rootCerts(
	CSSM_CL_HANDLE clHand,
	unsigned &numRootCerts)
{
	StLock<Mutex> _(mLock);
	if(mRootCerts) {
		numRootCerts = mNumRootCerts;
		return mRootCerts;
	}
	
	CssmAllocator &alloc(CssmAllocator::standard());
	CertGroup roots;
	tpRootCert *tpRoots = NULL;		// copy to mRootCerts on success
	unsigned numTpRoots = 0;
	
	try {
		/* Obtain system-wide root certs in blob format */
		Security::KeychainCore::TrustStore &trustStore = 
			Security::KeychainCore::Trust::gStore();
		trustStore.getCssmRootCertificates(roots);
		if(roots.type() != CSSM_CERTGROUP_DATA) {
			debug("tpAnchor", "Bad certGroup Type (%d)\n",
				(int)roots.type());
			return NULL;
		}
		numTpRoots = roots.count();
		if(numTpRoots == 0) {
			debug("tpAnchor", "empty certGroup\n");
			return NULL;
		}
		
		/* set up tpRoots array, one for each cert in the group */
		tpRoots = 
			(tpRootCert *)alloc.malloc(numTpRoots * sizeof(tpRootCert));
		memset(tpRoots, 0, numTpRoots * sizeof(tpRootCert));
		for(uint32 certNum=0; certNum<numTpRoots; certNum++) {
			tpRootCert *tpRoot = &tpRoots[certNum];
			const CSSM_DATA *certData = &((roots.blobCerts())[certNum]);
			
			/* extract normalized subject name */
			CSSM_DATA *field;
			CSSM_HANDLE ResultsHandle;
			uint32 numFields;
			CSSM_RETURN crtn;
			crtn = CSSM_CL_CertGetFirstFieldValue(
				clHand,
				certData,
				&CSSMOID_X509V1SubjectName,
				&ResultsHandle,
				&numFields,
				&field);
			if(crtn) {
				debug("tpAnchor", "GetFirstFieldValue error on cert %u",
					(unsigned)certNum);
				continue;
			}
			CSSM_CL_CertAbortQuery(clHand, ResultsHandle);
			tpCopyCssmData(alloc, field, &tpRoot->subjectName);
			CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SubjectName, 
				field);
				
			/* extract public key info - the blob and key size in bits */
			CSSM_KEY_PTR key;
			crtn = CSSM_CL_CertGetKeyInfo(clHand, certData, &key);
			if(crtn) {
				debug("tpAnchor", "CSSM_CL_CertGetKeyInfo error on cert %u",
					(unsigned)certNum);
				/* clear out this tpRoot? */
				continue;
			}
			tpCopyCssmData(alloc, &key->KeyData, &tpRoot->publicKey);
			tpRoot->keySize = key->KeyHeader.LogicalKeySizeInBits;
			
			/* A hole in the CDSA API: there is no free function at the
			 * CL API for this key. It got mallocd with clHand's
			 * allocator....
			 */
			CSSM_API_MEMORY_FUNCS memFuncs;
			crtn = CSSM_GetAPIMemoryFunctions(clHand, &memFuncs);
			if(crtn) {
				debug("tpAnchor", "CSSM_GetAPIMemoryFunctions error");
				/* Oh well.. */
				continue;
			}
			memFuncs.free_func(key->KeyData.Data, memFuncs.AllocRef);
			memFuncs.free_func(key, memFuncs.AllocRef);
		}	/* main loop */
	}
	catch(...) {
		/* TBD */
		return NULL;
	}
	mNumRootCerts = numTpRoots;
	numRootCerts = mNumRootCerts;
	mRootCerts = tpRoots;
	return mRootCerts;
}