| blob | 388d0fc41a93b81ba84d8565bec4996fbe0b31f7 |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <CommonCrypto/CommonDigest.h>
8 #include <CoreServices/CoreServices.h>
9 #include <Security/Security.h>
11 #include <string>
12 #include <vector>
33 // From 10.7.2 libsecurity_keychain-55035/lib/SecTrustPriv.h, for use with
34 // SecTrustCopyExtendedResult.
35 #ifndef kSecEVOrganizationName
37 #endif
46 CFDictionaryRef*);
61 }
62 }
63 }
77 // "Expired" and "not yet valid" collapse into a single status.
112 // We asked for a revocation check, but didn't get it.
116 // TODO(wtc): Should we add CERT_STATUS_WRONG_USAGE?
124 // Mapping UNSUPPORTED_KEY_SIZE to CERT_STATUS_WEAK_KEY is not strictly
125 // accurate, as the error may have been returned due to a key size
126 // that exceeded the maximum supported. However, within
127 // CertVerifyProcMac::VerifyInternal(), this code should only be
128 // encountered as a certificate status code, and only when the key size
129 // is smaller than the minimum required (1024 bits).
133 // Failure was due to something Chromium doesn't define a
134 // specific status for (such as basic constraints violation, or
135 // unknown critical extension)
139 }
140 }
141 }
143 // Creates a series of SecPolicyRefs to be added to a SecTrustRef used to
144 // validate a certificate for an SSL server. |hostname| contains the name of
145 // the SSL server that the certificate should be verified against. |flags| is
146 // a bitwise-OR of VerifyFlags that can further alter how trust is validated,
147 // such as how revocation is checked. If successful, returns noErr, and
148 // stores the resultant array of SecPolicyRefs in |policies|.
157 SecPolicyRef ssl_policy;
164 // Explicitly add revocation policies, in order to override system
165 // revocation checking policies and instead respect the application-level
166 // revocation preference.
170 local_policies);
176 }
178 // Stores the constructed certificate chain |cert_chain| and information about
179 // the signature algorithms used into |*verify_result|. If the leaf cert in
180 // |cert_chain| contains a weak (MD2, MD4, MD5, SHA-1) signature, stores that
181 // in |*leaf_is_weak|.
202 }
206 // The current certificate is either in the user's trusted store or is
207 // a root (self-signed) certificate. Ignore the signature algorithm for
208 // these certificates, as it is meaningless for security. We allow
209 // self-signed certificates (i == 0 & IS_ROOT), since we accept that
210 // any security assertions by such a cert are inherently meaningless.
212 }
223 // Match the behaviour of OS X system tools and defensively check that
224 // sizes are appropriate. This would indicate a critical failure of the
225 // OS X certificate library, but based on history, it is best to play it
226 // safe.
254 }
255 }
261 }
270 CSSM_DATA cert_data;
286 }
287 }
293 // We iterate from the root certificate down to the leaf, keeping track of
294 // the issuer's SPKI at each step.
300 CSSM_DATA cert_data;
305 }
312 }
319 }
325 }
347 }
348 }
351 }
353 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA
354 // that we recognise as a standard root.
355 // static
365 }
367 // Builds and evaluates a SecTrustRef for the certificate chain contained
368 // in |cert_array|, using the verification policies in |trust_policies|. On
369 // success, returns OK, and updates |trust_ref|, |trust_result|,
370 // |verified_chain|, and |chain_info| with the verification results. On
371 // failure, no output parameters are modified.
372 //
373 // Note: An OK return does not mean that |cert_array| is trusted, merely that
374 // verification was performed successfully.
375 //
376 // This function should only be called while the Mac Security Services lock is
377 // held.
379 CFArrayRef trust_policies,
396 }
398 CSSM_APPLE_TP_ACTION_DATA tp_action_data;
401 // Allow CSSM to download any missing intermediate certificates if an
402 // authorityInfoAccess extension or issuerAltName extension is present.
404 CSSM_TP_ACTION_TRUST_SETTINGS;
406 // Note: For EV certificates, the Apple TP will handle setting these flags
407 // as part of EV evaluation.
409 // Require a positive result from an OCSP responder or a CRL (or both)
410 // for every certificate in the chain. The Apple TP automatically
411 // excludes the self-signed root from this requirement. If a certificate
412 // is missing both a crlDistributionPoints extension and an
413 // authorityInfoAccess extension with an OCSP responder URL, then we
414 // will get a kSecTrustResultRecoverableTrustFailure back from
415 // SecTrustEvaluate(), with a
416 // CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK error code. In that case,
417 // we'll set our own result to include
418 // CERT_STATUS_NO_REVOCATION_MECHANISM. If one or both extensions are
419 // present, and a check fails (server unavailable, OCSP retry later,
420 // signature mismatch), then we'll set our own result to include
421 // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION.
424 // Note, even if revocation checking is disabled, SecTrustEvaluate() will
425 // modify the OCSP options so as to attempt OCSP checking if it believes a
426 // certificate may chain to an EV root. However, because network fetches
427 // are disabled in CreateTrustPolicies() when revocation checking is
428 // disabled, these will only go against the local cache.
429 }
431 CFDataRef action_data_ref =
439 action_data_ref);
443 // Verify the certificate. A non-zero result from SecTrustGetResult()
444 // indicates that some fatal error occurred and the chain couldn't be
445 // processed, not that the chain contains no errors. We need to examine the
446 // output of SecTrustGetResult() to determine that.
447 SecTrustResultType tmp_trust_result;
464 }
474 }
488 // Create and configure a SecTrustRef, which takes our certificate(s)
489 // and our SSL SecPolicyRef. SecTrustCreateWithCertificates() takes an
490 // array of certificates, the first of which is the certificate we're
491 // verifying, and the subsequent (optional) certificates are used for
492 // chain building.
496 // Serialize all calls that may use the Keychain, to work around various
497 // issues in OS X 10.6+ with multi-threaded access to Security.framework.
507 // OS X lacks proper path discovery; it will take the input certs and never
508 // backtrack the graph attempting to discover valid paths.
509 // This can create issues in some situations:
510 // - When OS X changes the trust store, there may be a chain
511 // A -> B -> C -> D
512 // where OS X trusts D (on some versions) and trusts C (on some versions).
513 // If a server supplies a chain A, B, C (cross-signed by D), then this chain
514 // will successfully validate on systems that trust D, but fail for systems
515 // that trust C. If the server supplies a chain of A -> B, then it forces
516 // all clients to fetch C (via AIA) if they trust D, and not all clients
517 // (notably, Firefox and Android) will do this, thus breaking them.
518 // An example of this is the Verizon Business Services root - GTE CyberTrust
519 // and Baltimore CyberTrust roots represent old and new roots that cause
520 // issues depending on which version of OS X being used.
521 //
522 // - A server may be (misconfigured) to send an expired intermediate
523 // certificate. On platforms with path discovery, the graph traversal
524 // will back up to immediately before this intermediate, and then
525 // attempt an AIA fetch or retrieval from local store. However, OS X
526 // does not do this, and thus prevents access. While this is ostensibly
527 // a server misconfiguration issue, the fact that it works on other
528 // platforms is a jarring inconsistency for users.
529 //
530 // - When OS X trusts both C and D (simultaneously), it's possible that the
531 // version of C signed by D is signed using a weak algorithm (e.g. SHA-1),
532 // while the version of C in the trust store's signature doesn't matter.
533 // Since a 'strong' chain exists, it would be desirable to prefer this
534 // chain.
535 //
536 // - A variant of the above example, it may be that the version of B sent by
537 // the server is signed using a weak algorithm, but the version of B
538 // present in the AIA of A is signed using a strong algorithm. Since a
539 // 'strong' chain exists, it would be desirable to prefer this chain.
540 //
541 // Because of this, the code below first attempts to validate the peer's
542 // identity using the supplied chain. If it is not trusted (e.g. the OS only
543 // trusts C, but the version of C signed by D was sent, and D is not trusted),
544 // or if it contains a weak chain, it will begin lopping off certificates
545 // from the end of the chain and attempting to verify. If a stronger, trusted
546 // chain is found, it is used, otherwise, the algorithm continues until only
547 // the peer's certificate remains.
548 //
549 // This does cause a performance hit for these users, but only in cases where
550 // OS X is building weaker chains than desired, or when it would otherwise
551 // fail the connection.
564 CertVerifyResult temp_verify_result;
575 // Set the result to the current chain if:
576 // - This is the first verification attempt. This ensures that if
577 // everything is awful (e.g. it may just be an untrusted cert), that
578 // what is reported is exactly what was sent by the server
579 // - If the current chain is trusted, and the old chain was not trusted,
580 // then prefer this chain. This ensures that if there is at least a
581 // valid path to a trust anchor, it's preferred over reporting an error.
582 // - If the current chain is trusted, and the old chain is trusted, but
583 // the old chain contained weak algorithms while the current chain only
584 // contains strong algorithms, then prefer the current chain over the
585 // old chain.
586 //
587 // Note: If the leaf certificate itself is weak, then the only
588 // consideration is whether or not there is a trusted chain. That's
589 // because no amount of path discovery will fix a weak leaf.
599 }
600 // Short-circuit when a current, trusted chain is found.
604 }
616 // As of Security Update 2012-002/OS X 10.7.4, when an RSA key < 1024 bits
617 // is encountered, CSSM returns CSSMERR_TP_VERIFY_ACTION_FAILED and adds
618 // CSSMERR_CSP_UNSUPPORTED_KEY_SIZE as a certificate status. Avoid mapping
619 // the CSSMERR_TP_VERIFY_ACTION_FAILED to CERT_STATUS_INVALID if the only
620 // error was due to an unsupported key size.
624 // Evaluate the results
625 OSStatus cssm_result;
629 // Certificate chain is valid and trusted ("unspecified" indicates that
630 // the user has not explicitly set a trust setting)
633 // According to SecTrust.h, kSecTrustResultConfirm isn't returned on 10.5+,
634 // and it is marked deprecated in the 10.9 SDK.
636 // Certificate chain is explicitly untrusted.
641 // Certificate chain has a failure that can be overridden by the user.
649 }
650 // Walk the chain of error codes in the CSSM_TP_APPLE_EVIDENCE_INFO
651 // structure which can catch multiple errors from each certificate.
662 }
666 // As of OS X 10.9, attempting to verify a certificate chain that
667 // contains a weak signature algorithm (MD2, MD5) in an intermediate
668 // or leaf cert will be treated as a (recoverable) policy validation
669 // failure, with the status code CSSMERR_TP_INVALID_CERTIFICATE
670 // added to the Status Codes. Don't treat this code as an invalid
671 // certificate; instead, map it to a weak key. Any truly invalid
672 // certificates will have the major error (cssm_result) set to
673 // CSSMERR_TP_INVALID_CERTIFICATE, rather than
674 // CSSMERR_TP_VERIFY_ACTION_FAILED.
678 CSSMERR_TP_INVALID_CERTIFICATE) {
686 }
688 }
689 }
691 // If CSSMERR_TP_VERIFY_ACTION_FAILED wasn't returned due to a weak
692 // key, map it back to an appropriate error code.
694 }
699 }
710 }
712 }
714 // Perform hostname verification independent of SecTrustEvaluate. In order to
715 // do so, mask off any reported name errors first.
720 }
722 // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
723 // compatible with Windows, which in turn implements this behavior to be
724 // compatible with WinHTTP, which doesn't report this error (bug 3004).
734 // Determine the certificate's EV status using SecTrustCopyExtendedResult(),
735 // which is an internal/private API function added in OS X 10.5.7.
736 // Note: "ExtendedResult" means extended validation results.
737 CFBundleRef bundle =
740 SecTrustCopyExtendedResultFuncPtr copy_extended_result =
750 // In 10.7.3, SecTrustCopyExtendedResult returns noErr and populates
751 // ev_dict even for non-EV certificates, but only EV certificates
752 // will cause ev_dict to contain kSecEVOrganizationName. In previous
753 // releases, SecTrustCopyExtendedResult would only return noErr and
754 // populate ev_dict for EV certificates, but would always include
755 // kSecEVOrganizationName in that case, so checking for this key is
756 // appropriate for all known versions of SecTrustCopyExtendedResult.
757 // The actual organization name is unneeded here and can be accessed
758 // through other means. All that matters here is the OS' conception
759 // of whether or not the certificate is EV.
761 kSecEVOrganizationName)) {
765 }
766 }
767 }
768 }
769 }
772 }