| blob | c0eb0683ffaf2704641960d6b7b1756295c1bd61 |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
7 #include <CommonCrypto/CommonDigest.h>
8 #include <CoreServices/CoreServices.h>
9 #include <Security/Security.h>
11 #include <string>
12 #include <vector>
33 // From 10.7.2 libsecurity_keychain-55035/lib/SecTrustPriv.h, for use with
34 // SecTrustCopyExtendedResult.
35 #ifndef kSecEVOrganizationName
37 #endif
46 CFDictionaryRef*);
61 }
62 }
63 }
77 // "Expired" and "not yet valid" collapse into a single status.
112 // We asked for a revocation check, but didn't get it.
116 // TODO(wtc): Should we add CERT_STATUS_WRONG_USAGE?
124 // Mapping UNSUPPORTED_KEY_SIZE to CERT_STATUS_WEAK_KEY is not strictly
125 // accurate, as the error may have been returned due to a key size
126 // that exceeded the maximum supported. However, within
127 // CertVerifyProcMac::VerifyInternal(), this code should only be
128 // encountered as a certificate status code, and only when the key size
129 // is smaller than the minimum required (1024 bits).
133 // Failure was due to something Chromium doesn't define a
134 // specific status for (such as basic constraints violation, or
135 // unknown critical extension)
139 }
140 }
141 }
143 // Creates a series of SecPolicyRefs to be added to a SecTrustRef used to
144 // validate a certificate for an SSL server. |hostname| contains the name of
145 // the SSL server that the certificate should be verified against. |flags| is
146 // a bitwise-OR of VerifyFlags that can further alter how trust is validated,
147 // such as how revocation is checked. If successful, returns noErr, and
148 // stores the resultant array of SecPolicyRefs in |policies|.
157 SecPolicyRef ssl_policy;
164 // Explicitly add revocation policies, in order to override system
165 // revocation checking policies and instead respect the application-level
166 // revocation preference.
170 local_policies);
176 }
178 // Stores the constructed certificate chain |cert_chain| and information about
179 // the signature algorithms used into |*verify_result|. If the leaf cert in
180 // |cert_chain| contains a weak (MD2, MD4, MD5, SHA-1) signature, stores that
181 // in |*leaf_is_weak|. |cert_chain| must not be empty.
203 }
207 // The current certificate is either in the user's trusted store or is
208 // a root (self-signed) certificate. Ignore the signature algorithm for
209 // these certificates, as it is meaningless for security. We allow
210 // self-signed certificates (i == 0 & IS_ROOT), since we accept that
211 // any security assertions by such a cert are inherently meaningless.
213 }
224 // Match the behaviour of OS X system tools and defensively check that
225 // sizes are appropriate. This would indicate a critical failure of the
226 // OS X certificate library, but based on history, it is best to play it
227 // safe.
255 }
256 }
260 }
264 }
273 CSSM_DATA cert_data;
289 }
290 }
296 // We iterate from the root certificate down to the leaf, keeping track of
297 // the issuer's SPKI at each step.
303 CSSM_DATA cert_data;
308 }
315 }
322 }
328 }
350 }
351 }
354 }
356 // IsIssuedByKnownRoot returns true if the given chain is rooted at a root CA
357 // that we recognise as a standard root.
358 // static
368 }
370 // Builds and evaluates a SecTrustRef for the certificate chain contained
371 // in |cert_array|, using the verification policies in |trust_policies|. On
372 // success, returns OK, and updates |trust_ref|, |trust_result|,
373 // |verified_chain|, and |chain_info| with the verification results. On
374 // failure, no output parameters are modified.
375 //
376 // Note: An OK return does not mean that |cert_array| is trusted, merely that
377 // verification was performed successfully.
378 //
379 // This function should only be called while the Mac Security Services lock is
380 // held.
382 CFArrayRef trust_policies,
399 }
401 CSSM_APPLE_TP_ACTION_DATA tp_action_data;
404 // Allow CSSM to download any missing intermediate certificates if an
405 // authorityInfoAccess extension or issuerAltName extension is present.
407 CSSM_TP_ACTION_TRUST_SETTINGS;
409 // Note: For EV certificates, the Apple TP will handle setting these flags
410 // as part of EV evaluation.
412 // Require a positive result from an OCSP responder or a CRL (or both)
413 // for every certificate in the chain. The Apple TP automatically
414 // excludes the self-signed root from this requirement. If a certificate
415 // is missing both a crlDistributionPoints extension and an
416 // authorityInfoAccess extension with an OCSP responder URL, then we
417 // will get a kSecTrustResultRecoverableTrustFailure back from
418 // SecTrustEvaluate(), with a
419 // CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK error code. In that case,
420 // we'll set our own result to include
421 // CERT_STATUS_NO_REVOCATION_MECHANISM. If one or both extensions are
422 // present, and a check fails (server unavailable, OCSP retry later,
423 // signature mismatch), then we'll set our own result to include
424 // CERT_STATUS_UNABLE_TO_CHECK_REVOCATION.
427 // Note, even if revocation checking is disabled, SecTrustEvaluate() will
428 // modify the OCSP options so as to attempt OCSP checking if it believes a
429 // certificate may chain to an EV root. However, because network fetches
430 // are disabled in CreateTrustPolicies() when revocation checking is
431 // disabled, these will only go against the local cache.
432 }
434 CFDataRef action_data_ref =
442 action_data_ref);
446 // Verify the certificate. A non-zero result from SecTrustGetResult()
447 // indicates that some fatal error occurred and the chain couldn't be
448 // processed, not that the chain contains no errors. We need to examine the
449 // output of SecTrustGetResult() to determine that.
450 SecTrustResultType tmp_trust_result;
467 }
477 }
480 // TODO(rsleevi): Plumb an OCSP response into the Mac system library.
481 // https://crbug.com/430714
483 }
498 // Create and configure a SecTrustRef, which takes our certificate(s)
499 // and our SSL SecPolicyRef. SecTrustCreateWithCertificates() takes an
500 // array of certificates, the first of which is the certificate we're
501 // verifying, and the subsequent (optional) certificates are used for
502 // chain building.
506 // Serialize all calls that may use the Keychain, to work around various
507 // issues in OS X 10.6+ with multi-threaded access to Security.framework.
517 // OS X lacks proper path discovery; it will take the input certs and never
518 // backtrack the graph attempting to discover valid paths.
519 // This can create issues in some situations:
520 // - When OS X changes the trust store, there may be a chain
521 // A -> B -> C -> D
522 // where OS X trusts D (on some versions) and trusts C (on some versions).
523 // If a server supplies a chain A, B, C (cross-signed by D), then this chain
524 // will successfully validate on systems that trust D, but fail for systems
525 // that trust C. If the server supplies a chain of A -> B, then it forces
526 // all clients to fetch C (via AIA) if they trust D, and not all clients
527 // (notably, Firefox and Android) will do this, thus breaking them.
528 // An example of this is the Verizon Business Services root - GTE CyberTrust
529 // and Baltimore CyberTrust roots represent old and new roots that cause
530 // issues depending on which version of OS X being used.
531 //
532 // - A server may be (misconfigured) to send an expired intermediate
533 // certificate. On platforms with path discovery, the graph traversal
534 // will back up to immediately before this intermediate, and then
535 // attempt an AIA fetch or retrieval from local store. However, OS X
536 // does not do this, and thus prevents access. While this is ostensibly
537 // a server misconfiguration issue, the fact that it works on other
538 // platforms is a jarring inconsistency for users.
539 //
540 // - When OS X trusts both C and D (simultaneously), it's possible that the
541 // version of C signed by D is signed using a weak algorithm (e.g. SHA-1),
542 // while the version of C in the trust store's signature doesn't matter.
543 // Since a 'strong' chain exists, it would be desirable to prefer this
544 // chain.
545 //
546 // - A variant of the above example, it may be that the version of B sent by
547 // the server is signed using a weak algorithm, but the version of B
548 // present in the AIA of A is signed using a strong algorithm. Since a
549 // 'strong' chain exists, it would be desirable to prefer this chain.
550 //
551 // Because of this, the code below first attempts to validate the peer's
552 // identity using the supplied chain. If it is not trusted (e.g. the OS only
553 // trusts C, but the version of C signed by D was sent, and D is not trusted),
554 // or if it contains a weak chain, it will begin lopping off certificates
555 // from the end of the chain and attempting to verify. If a stronger, trusted
556 // chain is found, it is used, otherwise, the algorithm continues until only
557 // the peer's certificate remains.
558 //
559 // This does cause a performance hit for these users, but only in cases where
560 // OS X is building weaker chains than desired, or when it would otherwise
561 // fail the connection.
578 // If the chain is empty, it cannot be trusted or have recoverable
579 // errors.
583 CertVerifyResult temp_verify_result;
590 }
591 // Set the result to the current chain if:
592 // - This is the first verification attempt. This ensures that if
593 // everything is awful (e.g. it may just be an untrusted cert), that
594 // what is reported is exactly what was sent by the server
595 // - If the current chain is trusted, and the old chain was not trusted,
596 // then prefer this chain. This ensures that if there is at least a
597 // valid path to a trust anchor, it's preferred over reporting an error.
598 // - If the current chain is trusted, and the old chain is trusted, but
599 // the old chain contained weak algorithms while the current chain only
600 // contains strong algorithms, then prefer the current chain over the
601 // old chain.
602 //
603 // Note: If the leaf certificate itself is weak, then the only
604 // consideration is whether or not there is a trusted chain. That's
605 // because no amount of path discovery will fix a weak leaf.
615 }
616 // Short-circuit when a current, trusted chain is found.
620 }
632 }
634 // As of Security Update 2012-002/OS X 10.7.4, when an RSA key < 1024 bits
635 // is encountered, CSSM returns CSSMERR_TP_VERIFY_ACTION_FAILED and adds
636 // CSSMERR_CSP_UNSUPPORTED_KEY_SIZE as a certificate status. Avoid mapping
637 // the CSSMERR_TP_VERIFY_ACTION_FAILED to CERT_STATUS_INVALID if the only
638 // error was due to an unsupported key size.
642 // Evaluate the results
643 OSStatus cssm_result;
647 // Certificate chain is valid and trusted ("unspecified" indicates that
648 // the user has not explicitly set a trust setting)
651 // According to SecTrust.h, kSecTrustResultConfirm isn't returned on 10.5+,
652 // and it is marked deprecated in the 10.9 SDK.
654 // Certificate chain is explicitly untrusted.
659 // Certificate chain has a failure that can be overridden by the user.
667 }
668 // Walk the chain of error codes in the CSSM_TP_APPLE_EVIDENCE_INFO
669 // structure which can catch multiple errors from each certificate.
680 }
684 // As of OS X 10.9, attempting to verify a certificate chain that
685 // contains a weak signature algorithm (MD2, MD5) in an intermediate
686 // or leaf cert will be treated as a (recoverable) policy validation
687 // failure, with the status code CSSMERR_TP_INVALID_CERTIFICATE
688 // added to the Status Codes. Don't treat this code as an invalid
689 // certificate; instead, map it to a weak key. Any truly invalid
690 // certificates will have the major error (cssm_result) set to
691 // CSSMERR_TP_INVALID_CERTIFICATE, rather than
692 // CSSMERR_TP_VERIFY_ACTION_FAILED.
696 CSSMERR_TP_INVALID_CERTIFICATE) {
704 }
706 }
707 }
709 // If CSSMERR_TP_VERIFY_ACTION_FAILED wasn't returned due to a weak
710 // key, map it back to an appropriate error code.
712 }
717 }
728 }
730 }
732 // Perform hostname verification independent of SecTrustEvaluate. In order to
733 // do so, mask off any reported name errors first.
738 }
740 // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
741 // compatible with Windows, which in turn implements this behavior to be
742 // compatible with WinHTTP, which doesn't report this error (bug 3004).
752 // Determine the certificate's EV status using SecTrustCopyExtendedResult(),
753 // which is an internal/private API function added in OS X 10.5.7.
754 // Note: "ExtendedResult" means extended validation results.
755 CFBundleRef bundle =
758 SecTrustCopyExtendedResultFuncPtr copy_extended_result =
768 // In 10.7.3, SecTrustCopyExtendedResult returns noErr and populates
769 // ev_dict even for non-EV certificates, but only EV certificates
770 // will cause ev_dict to contain kSecEVOrganizationName. In previous
771 // releases, SecTrustCopyExtendedResult would only return noErr and
772 // populate ev_dict for EV certificates, but would always include
773 // kSecEVOrganizationName in that case, so checking for this key is
774 // appropriate for all known versions of SecTrustCopyExtendedResult.
775 // The actual organization name is unneeded here and can be accessed
776 // through other means. All that matters here is the OS' conception
777 // of whether or not the certificate is EV.
779 kSecEVOrganizationName)) {
783 }
784 }
785 }
786 }
787 }
790 }