SecOCSPCache.c   [plain text]

/*
 * Copyright (c) 2009-2010,2012-2017 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 *  SecOCSPCache.c - securityd
 */

#include <CoreFoundation/CFUtilities.h>
#include <CoreFoundation/CFString.h>
#include <securityd/SecOCSPCache.h>
#include <securityd/SecTrustLoggingServer.h>
#include <utilities/debugging.h>
#include <Security/SecCertificateInternal.h>
#include <Security/SecFramework.h>
#include <Security/SecInternal.h>
#include <AssertMacros.h>
#include <stdlib.h>
#include <limits.h>
#include <sys/stat.h>
#include <asl.h>
#include "utilities/SecCFWrappers.h"
#include "utilities/SecDb.h"
#include "utilities/SecFileLocations.h"
#include "utilities/iOSforOSX.h"

/* Note that lastUsed is actually time of insert because we don't
   refresh lastUsed on each SELECT. */

#define flushSQL  CFSTR("DELETE FROM responses")
#define expireSQL  CFSTR("DELETE FROM responses WHERE expires<?")
#define insertResponseSQL  CFSTR("INSERT INTO responses " \
    "(ocspResponse,responderURI,expires,lastUsed) VALUES (?,?,?,?)")
#define insertLinkSQL  CFSTR("INSERT INTO ocsp (hashAlgorithm," \
    "issuerNameHash,issuerPubKeyHash,serialNum,responseId) VALUES (?,?,?,?,?)")
#define deleteResponseSQL  CFSTR("DELETE FROM responses WHERE responseId=?")
#define selectHashAlgorithmSQL  CFSTR("SELECT DISTINCT hashAlgorithm " \
    "FROM ocsp WHERE serialNum=?")
#define selectResponseSQL  CFSTR("SELECT ocspResponse,responseId FROM " \
    "responses WHERE lastUsed>? AND responseId=(SELECT responseId FROM ocsp WHERE " \
    "issuerNameHash=? AND issuerPubKeyHash=? AND serialNum=? AND hashAlgorithm=?)" \
    " ORDER BY expires DESC")

#define kSecOCSPCacheFileName CFSTR("ocspcache.sqlite3")


// MARK; -
// MARK: SecOCSPCacheDb

static SecDbRef SecOCSPCacheDbCreate(CFStringRef path) {
    return SecDbCreate(path, 0600, true, true, true, true, 1,
            ^bool (SecDbRef db, SecDbConnectionRef dbconn, bool didCreate, bool *callMeAgainForNextConnection, CFErrorRef *error) {
        __block bool ok = true;

        CFErrorRef localError = NULL;
        if (!SecDbWithSQL(dbconn, selectHashAlgorithmSQL /* expireSQL */, &localError, NULL) && CFErrorGetCode(localError) == SQLITE_ERROR) {
            /* SecDbWithSQL returns SQLITE_ERROR if the table we are preparing the above statement for doesn't exist. */
            ok &= SecDbTransaction(dbconn, kSecDbExclusiveTransactionType, error, ^(bool *commit) {
                ok &= SecDbExec(dbconn,
                    CFSTR("CREATE TABLE ocsp("
                          "issuerNameHash BLOB NOT NULL,"
                          "issuerPubKeyHash BLOB NOT NULL,"
                          "serialNum BLOB NOT NULL,"
                          "hashAlgorithm BLOB NOT NULL,"
                          "responseId INTEGER NOT NULL"
                          ");"
                          "CREATE INDEX iResponseId ON ocsp(responseId);"
                          "CREATE INDEX iserialNum ON ocsp(serialNum);"
                          "CREATE INDEX iSNumDAlg ON ocsp(serialNum,hashAlgorithm);"
                          "CREATE TABLE responses("
                          "responseId INTEGER PRIMARY KEY,"
                          "ocspResponse BLOB NOT NULL,"
                          "responderURI BLOB,"
                          "expires DOUBLE NOT NULL,"
                          "lastUsed DOUBLE NOT NULL"
                          ");"
                          "CREATE INDEX iexpires ON responses(expires);"
                          "CREATE TRIGGER tocspdel BEFORE DELETE ON responses FOR EACH ROW "
                          "BEGIN "
                          "DELETE FROM ocsp WHERE responseId=OLD.responseId;"
                          " END;"), error);
                *commit = ok;
            });
        }
        CFReleaseSafe(localError);
        if (!ok) {
            secerror("%s failed: %@", didCreate ? "Create" : "Open", error ? *error : NULL);
            CFIndex errCode = errSecInternalComponent;
            if (error && *error) {
                errCode = CFErrorGetCode(*error);
            }
            TrustdHealthAnalyticsLogErrorCodeForDatabase(TAOCSPCache,
                                                         didCreate ? TAOperationCreate : TAOperationOpen,
                                                         TAFatalError, errCode);
        }
        return ok;
    });
}

// MARK; -
// MARK: SecOCSPCache

typedef struct __SecOCSPCache *SecOCSPCacheRef;
struct __SecOCSPCache {
	SecDbRef db;
};

static dispatch_once_t kSecOCSPCacheOnce;
static SecOCSPCacheRef kSecOCSPCache = NULL;

static SecOCSPCacheRef SecOCSPCacheCreate(CFStringRef db_name) {
	SecOCSPCacheRef this;

	require(this = (SecOCSPCacheRef)malloc(sizeof(struct __SecOCSPCache)), errOut);
    require(this->db = SecOCSPCacheDbCreate(db_name), errOut);

	return this;

errOut:
	if (this) {
        CFReleaseSafe(this->db);
		free(this);
	}

	return NULL;
}

static CFStringRef SecOCSPCacheCopyPath(void) {
    CFStringRef ocspRelPath = kSecOCSPCacheFileName;
#if TARGET_OS_IPHONE
    CFURLRef ocspURL = SecCopyURLForFileInKeychainDirectory(ocspRelPath);
    if (!ocspURL) {
        ocspURL = SecCopyURLForFileInUserCacheDirectory(ocspRelPath);
    }
#else
    /* macOS caches should be in user cache dir */
    CFURLRef ocspURL = SecCopyURLForFileInUserCacheDirectory(ocspRelPath);
#endif
    CFStringRef ocspPath = NULL;
    if (ocspURL) {
        ocspPath = CFURLCopyFileSystemPath(ocspURL, kCFURLPOSIXPathStyle);
        CFRelease(ocspURL);
    }
    return ocspPath;
}

static void SecOCSPCacheWith(void(^cacheJob)(SecOCSPCacheRef cache)) {
    dispatch_once(&kSecOCSPCacheOnce, ^{
        CFStringRef dbPath = SecOCSPCacheCopyPath();
        if (dbPath) {
            kSecOCSPCache = SecOCSPCacheCreate(dbPath);
            CFRelease(dbPath);
        }
    });
    // Do pre job run work here (cancel idle timers etc.)
    cacheJob(kSecOCSPCache);
    // Do post job run work here (gc timer, etc.)
}

static bool _SecOCSPCacheExpireWithTransaction(SecDbConnectionRef dbconn, CFAbsoluteTime now, CFErrorRef *error) {
    //if (now > nextExpireTime)
    {
        return SecDbWithSQL(dbconn, expireSQL, error, ^bool(sqlite3_stmt *expire) {
            return SecDbBindDouble(expire, 1, now, error) &&
            SecDbStep(dbconn, expire, error, NULL);
        });
        // TODO: Write now + expireDelay to nextExpireTime;
        // currently we try to expire entries on each cache write
    }
}

/* Instance implementation. */

static void _SecOCSPCacheReplaceResponse(SecOCSPCacheRef this,
    SecOCSPResponseRef oldResponse, SecOCSPResponseRef ocspResponse,
    CFURLRef localResponderURI, CFAbsoluteTime verifyTime) {
    secdebug("ocspcache", "adding response from %@", localResponderURI);
    /* responses.ocspResponse */

    // TODO: Update a latestProducedAt value using date in new entry, to ensure forward movement of time.
    // Set "now" to the new producedAt we are receiving here if localTime is before this date.
    // In addition whenever we run though here, check to see if "now" is more than past
    // the nextCacheExpireDate and expire the cache if it is.
    CFDataRef responseData = SecOCSPResponseGetData(ocspResponse);
    __block CFErrorRef localError = NULL;
    __block bool ok = true;
    ok &= SecDbPerformWrite(this->db, &localError, ^(SecDbConnectionRef dbconn) {
        ok &= SecDbTransaction(dbconn, kSecDbExclusiveTransactionType, &localError, ^(bool *commit) {
            __block sqlite3_int64 responseId;
            if (oldResponse && (responseId = SecOCSPResponseGetID(oldResponse)) >= 0) {
                ok &= SecDbWithSQL(dbconn, deleteResponseSQL, &localError, ^bool(sqlite3_stmt *deleteResponse) {
                    ok &= SecDbBindInt64(deleteResponse, 1, responseId, &localError);
                    /* Execute the delete statement. */
                    ok &= SecDbStep(dbconn, deleteResponse, &localError, NULL);
                    return ok;
                });
            }

            ok &= SecDbWithSQL(dbconn, insertResponseSQL, &localError, ^bool(sqlite3_stmt *insertResponse) {
                ok &= SecDbBindBlob(insertResponse, 1,
                                    CFDataGetBytePtr(responseData),
                                    CFDataGetLength(responseData),
                                    SQLITE_TRANSIENT, &localError);

                /* responses.responderURI */
                if (ok) {
                    CFDataRef uriData = NULL;
                    if (localResponderURI) {
                        uriData = CFURLCreateData(kCFAllocatorDefault, localResponderURI,
                                                  kCFStringEncodingUTF8, false);
                    }
                    if (uriData) {
                        ok = SecDbBindBlob(insertResponse, 2,
                                           CFDataGetBytePtr(uriData),
                                           CFDataGetLength(uriData),
                                           SQLITE_TRANSIENT, &localError);
                        CFRelease(uriData);
                    } else {
                        // Since we use SecDbClearBindings this shouldn't be needed.
                        //ok = SecDbBindNull(insertResponse, 2, &localError);
                    }
                }
                /* responses.expires */
                ok &= SecDbBindDouble(insertResponse, 3,
                                      SecOCSPResponseGetExpirationTime(ocspResponse),
                                      &localError);
                /* responses.lastUsed */
                ok &= SecDbBindDouble(insertResponse, 4,
                                      verifyTime,
                                      &localError);

                /* Execute the insert statement. */
                ok &= SecDbStep(dbconn, insertResponse, &localError, NULL);

                responseId = sqlite3_last_insert_rowid(SecDbHandle(dbconn));
                return ok;
            });

            /* Now add a link record for every singleResponse in the ocspResponse. */
            ok &= SecDbWithSQL(dbconn, insertLinkSQL, &localError, ^bool(sqlite3_stmt *insertLink) {
                SecAsn1OCSPSingleResponse **responses;
                for (responses = ocspResponse->responseData.responses;
                     *responses; ++responses) {
                    SecAsn1OCSPSingleResponse *resp = *responses;
                    SecAsn1OCSPCertID *certId = &resp->certID;
                    ok &= SecDbBindBlob(insertLink, 1,
                                        certId->algId.algorithm.Data,
                                        certId->algId.algorithm.Length,
                                        SQLITE_TRANSIENT, &localError);
                    ok &= SecDbBindBlob(insertLink, 2,
                                        certId->issuerNameHash.Data,
                                        certId->issuerNameHash.Length,
                                        SQLITE_TRANSIENT, &localError);
                    ok &= SecDbBindBlob(insertLink, 3,
                                        certId->issuerPubKeyHash.Data,
                                        certId->issuerPubKeyHash.Length,
                                        SQLITE_TRANSIENT, &localError);
                    ok &= SecDbBindBlob(insertLink, 4,
                                        certId->serialNumber.Data,
                                        certId->serialNumber.Length,
                                        SQLITE_TRANSIENT, &localError);
                    ok &= SecDbBindInt64(insertLink, 5, responseId, &localError);

                    /* Execute the insert statement. */
                    ok &= SecDbStep(dbconn, insertLink, &localError, NULL);
                    ok &= SecDbReset(insertLink, &localError);
                }
                return ok;
            });

            // Remove expired entries here.
            // TODO: Consider only doing this once per 24 hours or something.
            ok &= _SecOCSPCacheExpireWithTransaction(dbconn, verifyTime, &localError);
            if (!ok)
                *commit = false;
        });
    });
    if (!ok) {
        secerror("_SecOCSPCacheAddResponse failed: %@", localError);
        TrustdHealthAnalyticsLogErrorCodeForDatabase(TAOCSPCache, TAOperationWrite, TAFatalError,
                                                     localError ? CFErrorGetCode(localError) : errSecInternalComponent);
        CFReleaseNull(localError);
    }
    CFReleaseSafe(localError);
}

static SecOCSPResponseRef _SecOCSPCacheCopyMatching(SecOCSPCacheRef this,
    SecOCSPRequestRef request, CFURLRef responderURI, CFAbsoluteTime minInsertTime) {
    const DERItem *publicKey;
    CFDataRef issuer = NULL;
    CFDataRef serial = NULL;
    __block SecOCSPResponseRef response = NULL;
    __block CFErrorRef localError = NULL;
    __block bool ok = true;

    require(publicKey = SecCertificateGetPublicKeyData(request->issuer), errOut);
    require(issuer = SecCertificateCopyIssuerSequence(request->certificate), errOut);
    require(serial = SecCertificateCopySerialNumberData(request->certificate, NULL), errOut);

    ok &= SecDbPerformRead(this->db, &localError, ^(SecDbConnectionRef dbconn) {
        ok &= SecDbWithSQL(dbconn, selectHashAlgorithmSQL, &localError, ^bool(sqlite3_stmt *selectHash) {
            ok = SecDbBindBlob(selectHash, 1, CFDataGetBytePtr(serial), CFDataGetLength(serial), SQLITE_TRANSIENT, &localError);
            ok &= SecDbStep(dbconn, selectHash, &localError, ^(bool *stopHash) {
                SecAsn1Oid algorithm;
                algorithm.Data = (uint8_t *)sqlite3_column_blob(selectHash, 0);
                algorithm.Length = sqlite3_column_bytes(selectHash, 0);

                /* Calculate the issuerKey and issuerName digests using the returned
                 hashAlgorithm. */
                CFDataRef issuerNameHash = SecDigestCreate(kCFAllocatorDefault,
                                                           &algorithm, NULL, CFDataGetBytePtr(issuer), CFDataGetLength(issuer));
                CFDataRef issuerPubKeyHash = SecDigestCreate(kCFAllocatorDefault,
                                                             &algorithm, NULL, publicKey->data, publicKey->length);

                if (issuerNameHash && issuerPubKeyHash && ok) ok &= SecDbWithSQL(dbconn, selectResponseSQL, &localError, ^bool(sqlite3_stmt *selectResponse) {
                    /* Now we have the serial, algorithm, issuerNameHash and
                     issuerPubKeyHash so let's lookup the db entry. */
                    ok &= SecDbBindDouble(selectResponse, 1, minInsertTime, &localError);
                    ok &= SecDbBindBlob(selectResponse, 2, CFDataGetBytePtr(issuerNameHash),
                                        CFDataGetLength(issuerNameHash), SQLITE_TRANSIENT, &localError);
                    ok &= SecDbBindBlob(selectResponse, 3, CFDataGetBytePtr(issuerPubKeyHash),
                                        CFDataGetLength(issuerPubKeyHash), SQLITE_TRANSIENT, &localError);
                    ok &= SecDbBindBlob(selectResponse, 4, CFDataGetBytePtr(serial),
                                        CFDataGetLength(serial), SQLITE_TRANSIENT, &localError);
                    ok &= SecDbBindBlob(selectResponse, 5, algorithm.Data,
                                        algorithm.Length, SQLITE_TRANSIENT, &localError);
                    ok &= SecDbStep(dbconn, selectResponse, &localError, ^(bool *stopResponse) {
                        /* Found an entry! */
                        secdebug("ocspcache", "found cached response");
                        CFDataRef resp = CFDataCreate(kCFAllocatorDefault,
                                                      sqlite3_column_blob(selectResponse, 0),
                                                      sqlite3_column_bytes(selectResponse, 0));
                        sqlite3_int64 responseID = sqlite3_column_int64(selectResponse, 1);
                        if (resp) {
                            SecOCSPResponseRef new_response = SecOCSPResponseCreateWithID(resp, responseID);
                            if (response) {
                                if (SecOCSPResponseProducedAt(response) < SecOCSPResponseProducedAt(new_response)) {
                                    SecOCSPResponseFinalize(response);
                                    response = new_response;
                                } else {
                                    SecOCSPResponseFinalize(new_response);
                                }
                            } else {
                                response = new_response;
                            }
                            CFRelease(resp);
                        }
                    });
                    return ok;
                });

                CFReleaseSafe(issuerNameHash);
                CFReleaseSafe(issuerPubKeyHash);
            });
            return ok;
        });
    });

errOut:
    CFReleaseSafe(serial);
    CFReleaseSafe(issuer);

    if (!ok || localError) {
        secerror("ocsp cache lookup failed: %@", localError);
        if (response) {
            SecOCSPResponseFinalize(response);
            response = NULL;
        }
        TrustdHealthAnalyticsLogErrorCodeForDatabase(TAOCSPCache, TAOperationRead, TAFatalError,
                                                     localError ? CFErrorGetCode(localError) : errSecInternalComponent);
    }
    CFReleaseSafe(localError);

    secdebug("ocspcache", "returning %s", (response ? "cached response" : "NULL"));

    return response;
}

static bool _SecOCSPCacheFlush(SecOCSPCacheRef cache, CFErrorRef *error) {
    __block CFErrorRef localError = NULL;
    __block bool ok = true;

    ok &= SecDbPerformWrite(cache->db, &localError, ^(SecDbConnectionRef dbconn) {
        ok &= SecDbExec(dbconn, flushSQL, &localError);
    });
    if (!ok || localError) {
        TrustdHealthAnalyticsLogErrorCodeForDatabase(TAOCSPCache, TAOperationWrite, TAFatalError,
                                                     localError ? CFErrorGetCode(localError) : errSecInternalComponent);
    }
    (void) CFErrorPropagate(localError, error);

    return ok;
}


/* Public API */

void SecOCSPCacheReplaceResponse(SecOCSPResponseRef old_response, SecOCSPResponseRef response,
    CFURLRef localResponderURI, CFAbsoluteTime verifyTime) {
    SecOCSPCacheWith(^(SecOCSPCacheRef cache) {
        _SecOCSPCacheReplaceResponse(cache, old_response, response, localResponderURI, verifyTime);
    });
}

SecOCSPResponseRef SecOCSPCacheCopyMatching(SecOCSPRequestRef request,
    CFURLRef localResponderURI /* may be NULL */) {
    __block SecOCSPResponseRef response = NULL;
    SecOCSPCacheWith(^(SecOCSPCacheRef cache) {
        response = _SecOCSPCacheCopyMatching(cache, request, localResponderURI, 0.0);
    });
    return response;
}

SecOCSPResponseRef SecOCSPCacheCopyMatchingWithMinInsertTime(SecOCSPRequestRef request,
    CFURLRef localResponderURI, CFAbsoluteTime minInsertTime) {
    __block SecOCSPResponseRef response = NULL;
    SecOCSPCacheWith(^(SecOCSPCacheRef cache) {
        response = _SecOCSPCacheCopyMatching(cache, request, localResponderURI, minInsertTime);
    });
    return response;
}

bool SecOCSPCacheFlush(CFErrorRef *error) {
    __block bool result = false;
    SecOCSPCacheWith(^(SecOCSPCacheRef cache) {
        result = _SecOCSPCacheFlush(cache, error);
    });
    return result;
}