void Download::Initialize (CFDataRef ticket,
SecureDownloadTrustSetupCallback setup,
void* setupContext,
SecureDownloadTrustEvaluateCallback evaluate,
void* evaluateContext)
{
// decode the ticket
SecCmsMessageRef cmsMessage = GetCmsMessageFromData (ticket);
// get a policy
SecPolicyRef policy = GetPolicy ();
// parse the CMS message
int contentLevelCount = SecCmsMessageContentLevelCount (cmsMessage);
SecCmsSignedDataRef signedData;
OSStatus result;
int i = 0;
while (i < contentLevelCount)
{
SecCmsContentInfoRef contentInfo = SecCmsMessageContentLevel (cmsMessage, i++);
SECOidTag contentTypeTag = SecCmsContentInfoGetContentTypeTag (contentInfo);
if (contentTypeTag != SEC_OID_PKCS7_SIGNED_DATA)
{
continue;
}
signedData = (SecCmsSignedDataRef) SecCmsContentInfoGetContent (contentInfo);
if (signedData == NULL)
{
MacOSError::throwMe (errSecureDownloadInvalidTicket);
}
// import the certificates found in the cms message
result = SecCmsSignedDataImportCerts (signedData, NULL, certUsageObjectSigner, true);
if (result != 0)
{
MacOSError::throwMe (errSecureDownloadInvalidTicket);
}
int numberOfSigners = SecCmsSignedDataSignerInfoCount (signedData);
int j;
if (numberOfSigners == 0) // no signers? This is a possible attack
{
MacOSError::throwMe (errSecureDownloadInvalidTicket);
}
for (j = 0; j < numberOfSigners; ++j)
{
SecTrustResultType resultType;
// do basic verification of the message
SecTrustRef trustRef;
result = SecCmsSignedDataVerifySignerInfo (signedData, j, NULL, policy, &trustRef);
// notify the user of the new trust ref
if (setup != NULL)
{
SecureDownloadTrustCallbackResult tcResult = setup (trustRef, setupContext);
switch (tcResult)
{
case kSecureDownloadDoNotEvaluateSigner:
continue;
case kSecureDownloadFailEvaluation:
MacOSError::throwMe (errSecureDownloadInvalidTicket);
case kSecureDownloadEvaluateSigner:
break;
}
}
if (result != 0)
{
MacOSError::throwMe (errSecureDownloadInvalidTicket);
}
result = SecTrustEvaluate (trustRef, &resultType);
if (result != noErr)
{
MacOSError::throwMe (errSecureDownloadInvalidTicket);
}
if (evaluate != NULL)
{
resultType = evaluate (trustRef, resultType, evaluateContext);
}
GoOrNoGo (resultType);
}
}
// extract the message
CSSM_DATA_PTR message = SecCmsMessageGetContent (cmsMessage);
CFDataRef ticketData = CFDataCreateWithBytesNoCopy (NULL, message->Data, message->Length, kCFAllocatorNull);
CheckCFThingForNULL (ticketData);
ParseTicket (ticketData);
// setup for hashing
CC_SHA256_Init (&mSHA256Context);
// clean up
CFRelease (ticketData);
SecCmsMessageDestroy (cmsMessage);
}
/*
* Obtain the status of a CMS message's signature. A CMS message can
* be signed my multiple signers; this function returns the status
* associated with signer 'n' as indicated by the signerIndex parameter.
*/
OSStatus CMSDecoderCopySignerStatus(
CMSDecoderRef cmsDecoder,
size_t signerIndex,
CFTypeRef policyOrArray,
Boolean evaluateSecTrust,
CMSSignerStatus *signerStatus, /* optional; RETURNED */
SecTrustRef *secTrust, /* optional; RETURNED */
OSStatus *certVerifyResultCode) /* optional; RETURNED */
{
if((cmsDecoder == NULL) || (cmsDecoder->decState != DS_Final)) {
return errSecParam;
}
/* initialize return values */
if(signerStatus) {
*signerStatus = kCMSSignerUnsigned;
}
if(secTrust) {
*secTrust = NULL;
}
if(certVerifyResultCode) {
*certVerifyResultCode = 0;
}
if(cmsDecoder->signedData == NULL) {
*signerStatus = kCMSSignerUnsigned; /* redundant, I know, but explicit */
return errSecSuccess;
}
ASSERT(cmsDecoder->numSigners > 0);
if(signerIndex >= cmsDecoder->numSigners) {
*signerStatus = kCMSSignerInvalidIndex;
return errSecSuccess;
}
if(!SecCmsSignedDataHasDigests(cmsDecoder->signedData)) {
*signerStatus = kCMSSignerNeedsDetachedContent;
return errSecSuccess;
}
/*
* OK, we should be able to verify this signerInfo.
* I think we have to do the SecCmsSignedDataVerifySignerInfo first
* in order get all the cert pieces into place before returning them
* to the caller.
*/
SecTrustRef theTrust = NULL;
OSStatus vfyRtn = SecCmsSignedDataVerifySignerInfo(cmsDecoder->signedData,
(int)signerIndex,
/*
* FIXME this cast should not be necessary, but libsecurity_smime
* declares this argument as a SecKeychainRef
*/
(SecKeychainRef)cmsDecoder->keychainOrArray,
policyOrArray,
&theTrust);
/* Subsequent errors to errOut: */
/*
* NOTE the smime lib did NOT evaluate that SecTrust - it only does
* SecTrustEvaluate() if we don't ask for a copy.
*
* FIXME deal with multitudes of status returns here...for now, proceed with
* obtaining components the caller wants and assume that a nonzero vfyRtn
* means "bad signature".
*/
OSStatus ortn = errSecSuccess;
SecTrustResultType secTrustResult;
CSSM_RETURN tpVfyStatus = CSSM_OK;
OSStatus evalRtn;
if(secTrust != NULL) {
*secTrust = theTrust;
/* we'll release our reference at the end */
if (theTrust)
CFRetain(theTrust);
}
SecCmsSignerInfoRef signerInfo =
SecCmsSignedDataGetSignerInfo(cmsDecoder->signedData, (int)signerIndex);
if(signerInfo == NULL) {
/* should never happen */
ASSERT(0);
dprintf("CMSDecoderCopySignerStatus: no signerInfo\n");
ortn = errSecInternalComponent;
goto errOut;
}
/* now do the actual cert verify */
if(evaluateSecTrust) {
evalRtn = SecTrustEvaluate(theTrust, &secTrustResult);
if(evalRtn) {
/* should never happen */
CSSM_PERROR("SecTrustEvaluate", evalRtn);
dprintf("CMSDecoderCopySignerStatus: SecTrustEvaluate error\n");
ortn = errSecInternalComponent;
goto errOut;
}
switch(secTrustResult) {
case kSecTrustResultUnspecified:
/* cert chain valid, no special UserTrust assignments */
case kSecTrustResultProceed:
/* cert chain valid AND user explicitly trusts this */
break;
case kSecTrustResultDeny:
tpVfyStatus = CSSMERR_APPLETP_TRUST_SETTING_DENY;
break;
case kSecTrustResultConfirm:
dprintf("SecTrustEvaluate reported confirm\n");
tpVfyStatus = CSSMERR_TP_NOT_TRUSTED;
break;
default:
{
/* get low-level TP error */
OSStatus tpStatus;
ortn = SecTrustGetCssmResultCode(theTrust, &tpStatus);
if(ortn) {
CSSM_PERROR("SecTrustGetCssmResultCode", ortn);
}
else {
tpVfyStatus = tpStatus;
}
CSSM_PERROR("TP status after SecTrustEvaluate", tpVfyStatus);
break;
}
} /* switch(secTrustResult) */
} /* evaluateSecTrust true */
if(certVerifyResultCode != NULL) {
*certVerifyResultCode = tpVfyStatus;
}
/* cook up global status based on vfyRtn and tpVfyStatus */
if(signerStatus != NULL) {
if((vfyRtn == errSecSuccess) && (tpVfyStatus == CSSM_OK)) {
*signerStatus = kCMSSignerValid;
}
else if(vfyRtn != errSecSuccess) {
/* this could mean other things, but for now... */
*signerStatus = kCMSSignerInvalidSignature;
}
else {
*signerStatus = kCMSSignerInvalidCert;
}
}
errOut:
CFRELEASE(theTrust);
return ortn;
}