Session_CRL.cpp   [plain text]

/*
 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


//
// Apple X.509 CRL-related session functions.
//

#include "AppleX509CLSession.h"
#include "clNssUtils.h"
#include "clNameUtils.h"

void
AppleX509CLSession::CrlDescribeFormat(
	uint32 &NumberOfFields,
	CSSM_OID_PTR &OidList)
{
	DecodedCrl::describeFormat(*this, NumberOfFields, OidList);
}


void
AppleX509CLSession::CrlGetAllFields(
	const CssmData &Crl,
	uint32 &NumberOfCrlFields,
	CSSM_FIELD_PTR &CrlFields)
{
	class DecodedCrl decodedCrl(*this, Crl);
	decodedCrl.getAllParsedCrlFields(NumberOfCrlFields, CrlFields);
}


CSSM_HANDLE
AppleX509CLSession::CrlGetFirstFieldValue(
	const CssmData &Crl,
	const CssmData &CrlField,
	uint32 &NumberOfMatchedFields,
	CSSM_DATA_PTR &Value)
{
	NumberOfMatchedFields = 0;
	Value = NULL;
	CssmAutoData aData(*this);
	
	DecodedCrl *decodedCrl = new DecodedCrl(*this, Crl);
	uint32 numMatches;
	
	/* this returns false if field not there, throws on bad OID */
	bool brtn;
	try {
		brtn = decodedCrl->getCrlFieldData(CrlField, 
			0, 				// index
			numMatches, 
			aData);
	}
	catch (...) {
		delete decodedCrl;
		throw;
	}
	if(!brtn) {
		delete decodedCrl;
		return CSSM_INVALID_HANDLE;
	}

	/* cook up a CLCachedCRL, stash it in cache */
	CLCachedCRL *cachedCrl = new CLCachedCRL(*decodedCrl);
	cacheMap.addEntry(*cachedCrl, cachedCrl->handle());
	
	/* cook up a CLQuery, stash it */
	CLQuery *query = new CLQuery(
		CLQ_CRL, 
		CrlField, 
		numMatches,
		false,				// isFromCache
		cachedCrl->handle());
	queryMap.addEntry(*query, query->handle());
	
	/* success - copy field data to outgoing Value */
	Value = (CSSM_DATA_PTR)malloc(sizeof(CSSM_DATA));
	*Value = aData.release();
	NumberOfMatchedFields = numMatches;
	return query->handle();
}

	
bool
AppleX509CLSession::CrlGetNextFieldValue(
	CSSM_HANDLE ResultsHandle,
	CSSM_DATA_PTR &Value)
{
	/* fetch & validate the query */
	CLQuery *query = queryMap.lookupEntry(ResultsHandle);
	if(query == NULL) {
		CssmError::throwMe(CSSMERR_CL_INVALID_RESULTS_HANDLE);
	}
	if(query->queryType() != CLQ_CRL) {
		clErrorLog("CrlGetNextFieldValue: bad queryType (%d)", 
			(int)query->queryType());
		CssmError::throwMe(CSSMERR_CL_INVALID_RESULTS_HANDLE);
	}
	if(query->nextIndex() >= query->numFields()) {
		return false;
	}

	/* fetch the associated cached CRL */
	CLCachedCRL *cachedCrl = lookupCachedCRL(query->cachedObject());
	uint32 dummy;
	CssmAutoData aData(*this);
	if(!cachedCrl->crl().getCrlFieldData(query->fieldId(), 
		query->nextIndex(), 
		dummy,
		aData))  {
		return false;
	}
		
	/* success - copy field data to outgoing Value */
	Value = (CSSM_DATA_PTR)malloc(sizeof(CSSM_DATA));
	*Value = aData.release();
	query->incrementIndex();
	return true;
}


void
AppleX509CLSession::IsCertInCrl(
	const CssmData &Cert,
	const CssmData &Crl,
	CSSM_BOOL &CertFound)
{
	/* 
	 * Decode the two entities. Note that doing it this way incurs
	 * the unnecessary (for our purposes) overhead of decoding
	 * extensions, but doing it this way is so spiffy that I can't 
	 * resist.
	 */
	DecodedCert decodedCert(*this, Cert);
	DecodedCrl  decodedCrl(*this, Crl);

	NSS_TBSCertificate &tbsCert = decodedCert.mCert.tbs;
	NSS_TBSCrl &tbsCrl = decodedCrl.mCrl.tbs;
	
	/* trivial case - empty CRL */
	unsigned numCrlEntries = 
		clNssArraySize((const void **)tbsCrl.revokedCerts);
	if(numCrlEntries == 0) {
		clFieldLog("IsCertInCrl: empty CRL");
		CertFound = CSSM_FALSE;
		return;
	}
	
	/* 
	 * Get normalized and encoded versions of issuer names. 
	 * Since the decoded entities are local, we can normalize in place.
	 */
	CssmAutoData encCertIssuer(*this);
	CssmAutoData encCrlIssuer(*this);
	try {
		/* snag a handy temp allocator */
		SecNssCoder &coder = decodedCert.coder();
		CL_normalizeX509NameNSS(tbsCert.issuer, coder);
		PRErrorCode prtn = SecNssEncodeItemOdata(&tbsCert.issuer, 
			kSecAsn1NameTemplate, encCertIssuer);
		if(prtn) {
			CssmError::throwMe(CSSMERR_CL_MEMORY_ERROR);
		}
			
		CL_normalizeX509NameNSS(tbsCrl.issuer, coder);
		prtn = SecNssEncodeItemOdata(&tbsCrl.issuer, 
			kSecAsn1NameTemplate, encCrlIssuer);
		if(prtn) {
			CssmError::throwMe(CSSMERR_CL_MEMORY_ERROR);
		}
	}
	catch(...) {
		clFieldLog("IsCertInCrl: normalize failure");
		throw;
	}
	
	/* issuer names match? */
	CertFound = CSSM_FALSE;
	if(encCertIssuer.get() != encCrlIssuer.get()) {
		clFieldLog("IsCertInCrl: issuer name mismatch");
		return;
	}
	
	/* is this cert's serial number in the CRL? */
	CSSM_DATA &certSerial = tbsCert.serialNumber;
	for(unsigned dex=0; dex<numCrlEntries; dex++) {
		NSS_RevokedCert *revokedCert = tbsCrl.revokedCerts[dex];
		assert(revokedCert != NULL);
		CSSM_DATA &revokedSerial = revokedCert->userCertificate;
		if(clCompareCssmData(&certSerial, &revokedSerial)) {
			/* success */ 
			CertFound = CSSM_TRUE;
			break;
		}
	}
}

#pragma mark --- Cached ---
	
void
AppleX509CLSession::CrlCache(
	const CssmData &Crl,
	CSSM_HANDLE &CrlHandle)
{
	DecodedCrl *decodedCrl = new DecodedCrl(*this, Crl);
	
	/* cook up a CLCachedCRL, stash it in cache */
	CLCachedCRL *cachedCrl = new CLCachedCRL(*decodedCrl);
	cacheMap.addEntry(*cachedCrl, cachedCrl->handle());
	CrlHandle = cachedCrl->handle();
}

/* 
 * FIXME - CrlRecordIndex not supported, it'll require mods to 
 * the DecodedCrl::getCrlFieldData mechanism
 */
CSSM_HANDLE
AppleX509CLSession::CrlGetFirstCachedFieldValue(
	CSSM_HANDLE CrlHandle,
	const CssmData *CrlRecordIndex,
	const CssmData &CrlField,
	uint32 &NumberOfMatchedFields,
	CSSM_DATA_PTR &Value)
{
	if(CrlRecordIndex != NULL) {
		/* not yet */
		CssmError::throwMe(CSSMERR_CL_INVALID_CRL_INDEX);
	}
	
	/* fetch the associated cached CRL */
	CLCachedCRL *cachedCrl = lookupCachedCRL(CrlHandle);
	if(cachedCrl == NULL) {
		CssmError::throwMe(CSSMERR_CL_INVALID_CACHE_HANDLE);
	}
	
	CssmAutoData aData(*this);
	uint32 numMatches;

	/* this returns false if field not there, throws on bad OID */
	if(!cachedCrl->crl().getCrlFieldData(CrlField, 
			0, 				// index
			numMatches, 
			aData)) {
		return CSSM_INVALID_HANDLE;
	}

	/* cook up a CLQuery, stash it */
	CLQuery *query = new CLQuery(
		CLQ_CRL, 
		CrlField, 
		numMatches,
		true,				// isFromCache
		cachedCrl->handle());
	queryMap.addEntry(*query, query->handle());
	
	/* success - copy field data to outgoing Value */
	Value = (CSSM_DATA_PTR)malloc(sizeof(CSSM_DATA));
	*Value = aData.release();
	NumberOfMatchedFields = numMatches;
	return query->handle();
}


bool
AppleX509CLSession::CrlGetNextCachedFieldValue(
	CSSM_HANDLE ResultsHandle,
	CSSM_DATA_PTR &Value)
{
	/* Identical to, so just call... */
	return CrlGetNextFieldValue(ResultsHandle, Value);
}


void
AppleX509CLSession::IsCertInCachedCrl(
	const CssmData &Cert,
	CSSM_HANDLE CrlHandle,
	CSSM_BOOL &CertFound,
	CssmData &CrlRecordIndex)
{
	unimplemented();
}


void
AppleX509CLSession::CrlAbortCache(
	CSSM_HANDLE CrlHandle)
{
	/* fetch the associated cached CRL, remove from map, delete it */
	CLCachedCRL *cachedCrl = lookupCachedCRL(CrlHandle);
	if(cachedCrl == NULL) {
		CssmError::throwMe(CSSMERR_CL_INVALID_CACHE_HANDLE);
	}
	cacheMap.removeEntry(cachedCrl->handle());
	delete cachedCrl;
}


void
AppleX509CLSession::CrlAbortQuery(
	CSSM_HANDLE ResultsHandle)
{
	/* fetch & validate the query */
	CLQuery *query = queryMap.lookupEntry(ResultsHandle);
	if(query == NULL) {
		CssmError::throwMe(CSSMERR_CL_INVALID_RESULTS_HANDLE);
	}
	if(query->queryType() != CLQ_CRL) {
		clErrorLog("CrlAbortQuery: bad queryType (%d)", (int)query->queryType());
		CssmError::throwMe(CSSMERR_CL_INVALID_RESULTS_HANDLE);
	}

	if(!query->fromCache()) {
		/* the associated cached CRL was created just for this query; dispose */
		CLCachedCRL *cachedCrl = lookupCachedCRL(query->cachedObject());
		if(cachedCrl == NULL) {
			/* should never happen */
			CssmError::throwMe(CSSMERR_CL_INTERNAL_ERROR);
		}
		cacheMap.removeEntry(cachedCrl->handle());
		delete cachedCrl;
	}
	queryMap.removeEntry(query->handle());
	delete query;
}

#pragma mark --- Template ---

void
AppleX509CLSession::CrlCreateTemplate(
	uint32 NumberOfFields,
	const CSSM_FIELD *CrlTemplate,
	CssmData &NewCrl)
{
	unimplemented();
}


void
AppleX509CLSession::CrlSetFields(
	uint32 NumberOfFields,
	const CSSM_FIELD *CrlTemplate,
	const CssmData &OldCrl,
	CssmData &ModifiedCrl)
{
	unimplemented();
}


void
AppleX509CLSession::CrlAddCert(
	CSSM_CC_HANDLE CCHandle,
	const CssmData &Cert,
	uint32 NumberOfFields,
	const CSSM_FIELD CrlEntryFields[],
	const CssmData &OldCrl,
	CssmData &NewCrl)
{
	unimplemented();
}


void
AppleX509CLSession::CrlRemoveCert(
	const CssmData &Cert,
	const CssmData &OldCrl,
	CssmData &NewCrl)
{
	unimplemented();
}


void
AppleX509CLSession::CrlGetAllCachedRecordFields(
	CSSM_HANDLE CrlHandle,
	const CssmData &CrlRecordIndex,
	uint32 &NumberOfFields,
	CSSM_FIELD_PTR &CrlFields)
{
	unimplemented();
}

/* 
 * These are functionally identical to the corresponding
 * Cert functions.
 */
void
AppleX509CLSession::CrlVerifyWithKey(
	CSSM_CC_HANDLE CCHandle,
	const CssmData &CrlToBeVerified)
{
	CertVerifyWithKey(CCHandle, CrlToBeVerified);
}


void
AppleX509CLSession::CrlVerify(
	CSSM_CC_HANDLE CCHandle,
	const CssmData &CrlToBeVerified,
	const CssmData *SignerCert,
	const CSSM_FIELD *VerifyScope,
	uint32 ScopeSize)
{
	CertVerify(CCHandle, CrlToBeVerified, SignerCert, VerifyScope, 
		ScopeSize);
}

void
AppleX509CLSession::CrlSign(
	CSSM_CC_HANDLE CCHandle,
	const CssmData &UnsignedCrl,
	const CSSM_FIELD *SignScope,
	uint32 ScopeSize,
	CssmData &SignedCrl)
{
	unimplemented();
}