SecCAIssuerRequest.c [plain text]
#include "SecCAIssuerRequest.h"
#include "SecCAIssuerCache.h"
#include <Security/SecInternal.h>
#include <Security/SecCMS.h>
#include <CoreFoundation/CFURL.h>
#include <CFNetwork/CFHTTPMessage.h>
#include <utilities/debugging.h>
#include <Security/SecCertificateInternal.h>
#include <securityd/asynchttp.h>
#include <securityd/SecTrustServer.h>
#include <stdlib.h>
#include <mach/mach_time.h>
#define MAX_CA_ISSUERS 3
#define CA_ISSUERS_REQUEST_THRESHOLD 10
typedef struct SecCAIssuerRequest *SecCAIssuerRequestRef;
struct SecCAIssuerRequest {
asynchttp_t http;
SecCertificateRef certificate;
CFArrayRef issuers;
CFIndex issuerIX;
void *context;
void (*callback)(void *, CFArrayRef);
};
static void SecCAIssuerRequestRelease(SecCAIssuerRequestRef request) {
CFRelease(request->certificate);
asynchttp_free(&request->http);
free(request);
}
static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) {
CFIndex count = CFArrayGetCount(request->issuers);
if (count >= CA_ISSUERS_REQUEST_THRESHOLD) {
secnotice("caissuer", "too many caIssuer entries (%ld)", (long)count);
request->callback(request->context, NULL);
SecCAIssuerRequestRelease(request);
return true;
}
SecPathBuilderRef builder = (SecPathBuilderRef)request->context;
TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(builder);
while (request->issuerIX < count && request->issuerIX < MAX_CA_ISSUERS) {
CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
request->issuerIX++);
CFStringRef scheme = CFURLCopyScheme(issuer);
if (scheme) {
if (CFEqual(CFSTR("http"), scheme)) {
CFHTTPMessageRef msg = CFHTTPMessageCreateRequest(kCFAllocatorDefault,
CFSTR("GET"), issuer, kCFHTTPVersion1_1);
if (msg) {
secinfo("caissuer", "%@", msg);
bool done = asynchttp_request(msg, 0, &request->http);
if (analytics) {
analytics->ca_issuer_fetches++;
}
CFRelease(msg);
if (done == false) {
CFRelease(scheme);
return done;
}
}
secdebug("caissuer", "failed to get %@", issuer);
} else {
secnotice("caissuer", "skipping unsupported uri %@", issuer);
}
CFRelease(scheme);
}
}
secdebug("caissuer", "no request issued");
request->callback(request->context, NULL);
SecCAIssuerRequestRelease(request);
return true;
}
static CF_RETURNS_RETAINED CFArrayRef SecCAIssuerConvertToParents(SecCertificateRef certificate,
SecCertificateRef CF_CONSUMED parent) {
CFDataRef nic = SecCertificateGetNormalizedIssuerContent(certificate);
CFArrayRef parents = NULL;
if (parent) {
CFDataRef parent_nic = SecCertificateGetNormalizedSubjectContent(parent);
if (nic && parent_nic && CFEqual(nic, parent_nic)) {
const void *ventry = parent;
parents = CFArrayCreate(NULL, &ventry, 1, &kCFTypeArrayCallBacks);
}
CFRelease(parent);
}
return parents;
}
#define SECONDS_PER_DAY (86400.0)
static void SecCAIssuerRequestCompleted(asynchttp_t *http,
CFTimeInterval maxAge) {
SecCAIssuerRequestRef request = (SecCAIssuerRequestRef)http;
SecPathBuilderRef builder = (SecPathBuilderRef)request->context;
TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(builder);
if (analytics) {
analytics->ca_issuer_fetch_time += (mach_absolute_time() - http->start_time);
}
CFDataRef data = (request->http.response ?
CFHTTPMessageCopyBody(request->http.response) : NULL);
if (data) {
SecCertificateRef parent = SecCertificateCreateWithData(NULL, data);
if (!parent) {
CFArrayRef certificates = NULL;
certificates = SecCMSCertificatesOnlyMessageCopyCertificates(data);
if (certificates && CFArrayGetCount(certificates) >= 1) {
parent = CFRetainSafe((SecCertificateRef)CFArrayGetValueAtIndex(certificates, 0));
} else if (certificates && CFArrayGetCount(certificates) > 1) {
if (analytics) {
analytics->ca_issuer_multiple_certs = true;
}
}
CFReleaseNull(certificates);
}
if (!parent) {
parent = SecCertificateCreateWithPEM(NULL, data);
}
CFRelease(data);
if (parent) {
if (maxAge < SECONDS_PER_DAY * 7)
maxAge = SECONDS_PER_DAY * 7;
CFAbsoluteTime expires = CFAbsoluteTimeGetCurrent() + maxAge;
CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers,
request->issuerIX - 1);
SecCAIssuerCacheAddCertificate(parent, issuer, expires);
CFArrayRef parents = SecCAIssuerConvertToParents(
request->certificate, parent);
if (parents) {
secdebug("caissuer", "response: %@ good", http->response);
request->callback(request->context, parents);
CFRelease(parents);
SecCAIssuerRequestRelease(request);
return;
}
} else if (analytics) {
analytics->ca_issuer_unsupported_data = true;
}
} else if (analytics) {
analytics->ca_issuer_fetch_failed++;
}
secdebug("caissuer", "response: %@ not parent, trying next caissuer",
http->response);
asynchttp_free(&request->http);
SecCAIssuerRequestIssue(request);
}
static CFArrayRef SecCAIssuerRequestCacheCopyParents(SecCertificateRef cert,
CFArrayRef issuers) {
CFIndex ix = 0, ex = CFArrayGetCount(issuers);
for (;ix < ex; ++ix) {
CFURLRef issuer = CFArrayGetValueAtIndex(issuers, ix);
CFStringRef scheme = CFURLCopyScheme(issuer);
if (scheme) {
if (CFEqual(CFSTR("http"), scheme)) {
CFArrayRef parents = SecCAIssuerConvertToParents(cert,
SecCAIssuerCacheCopyMatching(issuer));
if (parents) {
secdebug("caissuer", "cache hit, for %@ no request issued", issuer);
CFRelease(scheme);
return parents;
}
}
CFRelease(scheme);
}
}
return NULL;
}
bool SecCAIssuerCopyParents(SecCertificateRef certificate, dispatch_queue_t queue,
void *context, void (*callback)(void *, CFArrayRef)) {
CFArrayRef issuers = SecCertificateGetCAIssuers(certificate);
if (!issuers) {
callback(context, NULL);
return true;
}
SecPathBuilderRef builder = (SecPathBuilderRef)context;
TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(builder);
CFArrayRef parents = SecCAIssuerRequestCacheCopyParents(certificate, issuers);
if (parents) {
if (analytics) {
analytics->ca_issuer_cache_hit = true;
}
callback(context, parents);
CFReleaseSafe(parents);
return true;
}
if (analytics) {
analytics->ca_issuer_network = true;
}
SecCAIssuerRequestRef request =
(SecCAIssuerRequestRef)calloc(1, sizeof(*request));
request->http.queue = queue;
request->http.completed = SecCAIssuerRequestCompleted;
CFRetain(certificate);
request->certificate = certificate;
request->issuers = issuers;
request->issuerIX = 0;
request->context = context;
request->callback = callback;
return SecCAIssuerRequestIssue(request);
}