[apple/ipsec.git] / ipsec-tools / racoon / crypto_cssm.c


/*
 * Copyright (c) 2001-2004 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License").  You may not use this file except in compliance with the
 * License.  Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


/*
 * Racoon module for verifying and signing certificates through Security
 * Framework and CSSM
 */

#include <Security/SecBase.h>
#include <Security/SecCertificate.h>
#include <Security/SecPolicy.h>
#include <Security/SecIdentity.h>
#include <Security/SecIdentityPriv.h>
#include <Security/SecIdentitySearch.h>
#include <Security/SecKeychain.h>
#include <Security/SecKeychainItem.h>
#include <Security/SecKeychainItemPriv.h>
#include <Security/SecKey.h>
#include <Security/SecKeyPriv.h>
#include <Security/SecTrust.h>
#include <Security/oidsalg.h>
#include <Security/cssmapi.h>
#include <Security/SecPolicySearch.h>
#include <CoreFoundation/CoreFoundation.h>
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
#include "plog.h"
#include "debug.h"
#include "misc.h"

#include "crypto_cssm.h"


static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef);
static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef);
static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef);
static const char *GetSecurityErrorString(OSStatus err);


/*
 * Verify cert using security framework
 */
int crypto_cssm_check_x509cert(vchar_t *cert)
{
	OSStatus			status;
	SecCertificateRef	certRef = 0;
	CSSM_DATA			certData;
	CSSM_OID			ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC; 
	SecPolicyRef		policyRef = 0;

	// create cert ref
	certData.Length = cert->l;
	certData.Data = (uint8 *)cert->v;
	status = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER,
		&certRef);
	if (status != noErr)
		goto end;
	
	// get our policy object
	status = FindPolicy(&ourPolicyOID, &policyRef);
	if (status != noErr)
		goto end;
		
	// setup policy options ???
	// no options used at present - verification of subjectAltName fields, etc.
	// are done elsewhere in racoon in oakley_check_certid()
	
	// evaluate cert
	status = EvaluateCert(certRef, policyRef);
	
	
end:

	if (certRef)
		CFRelease(certRef);
	if (policyRef)
		CFRelease(policyRef);
	
	if (status != noErr && status != -1) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}		
	return status;

}

/*
 * Encrypt a hash via CSSM using the private key in the keychain
 * from an identity.
 */
vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash)
{

	OSStatus						status;
	SecCertificateRef				certificateRef = NULL;
	SecIdentityRef 					identityRef = NULL;
	SecIdentitySearchRef			idSearchRef = NULL;
	SecKeychainRef 					keychainRef = NULL;
	SecKeyRef						privateKeyRef = NULL;
	const CSSM_KEY					*cssmKey = NULL;
	CSSM_CSP_HANDLE 				cspHandle = nil;
	CSSM_CC_HANDLE					cssmContextHandle = nil;
	const CSSM_ACCESS_CREDENTIALS	*credentials = NULL;
	//CSSM_SIZE						bytesEncrypted = 0;	//%%%%HWR fix this - need new headers on Leopard
	uint32							bytesEncrypted = 0;
	CSSM_DATA						clearData;
	CSSM_DATA						cipherData;
	CSSM_DATA						remData;
	CSSM_CONTEXT_ATTRIBUTE			newAttr;
	vchar_t							*sig = NULL;

	remData.Length = 0;
	remData.Data = 0;

	if (persistentCertRef) {			
		// get cert from keychain
		status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef);
		if (status != noErr)
			goto end;
	
		// get keychain ref where cert is contained
		status = SecKeychainItemCopyKeychain((SecKeychainItemRef)certificateRef, &keychainRef);
		if (status != noErr)
			goto end;
	
		// get identity from the certificate
		status = SecIdentityCreateWithCertificate(keychainRef, certificateRef, &identityRef);
		if (status != noErr)
			goto end;	
			
	} else {
		// copy system keychain
		status = CopySystemKeychain(&keychainRef);
		if (status != noErr)
			goto end;

		// serach for first identity in system keychain
		status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef);
		if (status != noErr)
			goto end;
		
		status = SecIdentitySearchCopyNext(idSearchRef, &identityRef);
		if (status != noErr)
			goto end;

		// get certificate from identity
		status = SecIdentityCopyCertificate(identityRef, &certificateRef);
		if (status != noErr)
			goto end;
	}
	
					
	// get private key from identity
	status = SecIdentityCopyPrivateKey(identityRef, &privateKeyRef);
	if (status != noErr)
		goto end;
		
	// get CSSM_KEY pointer from key ref
	status = SecKeyGetCSSMKey(privateKeyRef, &cssmKey);
	if (status != noErr)
		goto end;
		
	// get CSSM CSP handle
	status = SecKeychainGetCSPHandle(keychainRef, &cspHandle);
	if (status != noErr)
		goto end;
		
	// create CSSM credentials to unlock private key for encryption - no UI to be used
	status = SecKeyGetCredentials(privateKeyRef, CSSM_ACL_AUTHORIZATION_ENCRYPT,
				kSecCredentialTypeNoUI, &credentials);
	if (status != noErr)
		goto end;	

	// create asymmetric context for encryption
	status = CSSM_CSP_CreateAsymmetricContext(cspHandle, CSSM_ALGID_RSA, credentials, cssmKey, 
			CSSM_PADDING_PKCS1, &cssmContextHandle);
	if (status != noErr)
		goto end;
		
	// add mode attribute to use private key for encryption
	newAttr.AttributeType     = CSSM_ATTRIBUTE_MODE;
	newAttr.AttributeLength   = sizeof(uint32);
	newAttr.Attribute.Data    = (CSSM_DATA_PTR)CSSM_ALGMODE_PRIVATE_KEY;
	status = CSSM_UpdateContextAttributes(cssmContextHandle, 1, &newAttr);
	if(status != noErr)
		goto end;
			
	// and finally - encrypt data
	clearData.Length = hash->l;
	clearData.Data = (uint8 *)hash->v;
	cipherData.Length = 0;
	cipherData.Data = NULL;
	status = CSSM_EncryptData(cssmContextHandle, &clearData, 1, &cipherData, 1, &bytesEncrypted, 
						&remData);
	if (status != noErr)
		goto end;
	
	if (remData.Length != 0) {	// something didn't go right - should be zero
		status = -1;
		plog(LLV_ERROR, LOCATION, NULL, 
			"unencrypted data remaining after encrypting hash.\n");
		goto end;
	}

	// alloc buffer for result
	sig = vmalloc(0);
	if (sig == NULL)
		goto end;
		
	sig->l = cipherData.Length;
	sig->v = (caddr_t)cipherData.Data;
		
end:
	if (certificateRef)
		CFRelease(certificateRef);
	if (keychainRef)
		CFRelease(keychainRef);
	if (identityRef)
		CFRelease(identityRef);
	if (privateKeyRef)
		CFRelease(privateKeyRef);
	if (idSearchRef)
		CFRelease(idSearchRef);
	if (cssmContextHandle)
		CSSM_DeleteContext(cssmContextHandle);
	if (status != noErr) {
		if (sig) {
			vfree(sig);
			sig = NULL;
		}
	}

	if (status != noErr && status != -1) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}			
	return sig;
	
}


/*
 * Retrieve a cert from the keychain
 */
vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef)
{

	OSStatus				status;
	CSSM_DATA				cssmData;
	vchar_t					*cert = NULL;
	SecIdentityRef 			identityRef = NULL;
	SecIdentitySearchRef	idSearchRef = NULL;
	SecKeychainRef 			keychainRef = NULL;
	SecCertificateRef		certificateRef = NULL;


	// get cert ref
	if (persistentCertRef) {
		status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef);
		if (status != noErr)
			goto end;
	} else {
		// copy system keychain
		status = CopySystemKeychain(&keychainRef);
		if (status != noErr)
			goto end;

		// find first identity in system keychain
		status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef);
		if (status != noErr)
			goto end;
		
		status = SecIdentitySearchCopyNext(idSearchRef, &identityRef);
		if (status != noErr)
			goto end;

		// get certificate from identity
		status = SecIdentityCopyCertificate(identityRef, &certificateRef);
		if (status != noErr)
			goto end;
		
	}
		
	// get certificate data
	cssmData.Length = 0;
	cssmData.Data = NULL;
	status = SecCertificateGetData(certificateRef, &cssmData);
	if (status != noErr)
		goto end;
		
	if (cssmData.Length == 0)
		goto end;
	
	cert = vmalloc(cssmData.Length);
	if (cert == NULL)
		goto end;	
	
	// cssmData struct just points to the data
	// data must be copied to be returned
	memcpy(cert->v, cssmData.Data, cssmData.Length);	
		
end:
	if (certificateRef)
		CFRelease(certificateRef);
	if (identityRef)
		CFRelease(identityRef);
	if (idSearchRef)
		CFRelease(idSearchRef);
	if (keychainRef)
		CFRelease(keychainRef);

	if (status != noErr && status != -1) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}			
	return cert;

}


/*
 * Find a policy ref by OID
 */
static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef)
{
	
	OSStatus			status;
	SecPolicySearchRef	searchRef = nil;
	
	status = SecPolicySearchCreate(CSSM_CERT_X_509v3, policyOID, NULL, &searchRef);
	if (status != noErr)
		goto end;
		
	status = SecPolicySearchCopyNext(searchRef, policyRef);
	
end:
	if (searchRef)
		CFRelease(searchRef);

	if (status != noErr) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}			
	return status;
}
		

/*
 * Evaluate the trust of a cert using the policy provided
 */
static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef)
{
	OSStatus					status;
	SecTrustRef					trustRef = 0;
	SecTrustResultType 			evalResult;
	
	SecCertificateRef			evalCertArray[1] = { cert };
	
	CFArrayRef			cfCertRef = CFArrayCreate((CFAllocatorRef) NULL, (void*)evalCertArray, 1,
										&kCFTypeArrayCallBacks);
										
	if (!cfCertRef) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"unable to create CFArray.\n");		
		return -1;
	}
		
	status = SecTrustCreateWithCertificates(cfCertRef, policyRef, &trustRef);
	if (status != noErr)
		goto end;
		
	status = SecTrustEvaluate(trustRef, &evalResult);
	if (status != noErr)
		goto end;
	
	if (evalResult != kSecTrustResultProceed && evalResult != kSecTrustResultUnspecified) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error evaluating certificate.\n");
		status = -1;
	}
			
	
end:
	if (cfCertRef)
		CFRelease(cfCertRef);
	if (trustRef)
		CFRelease(trustRef);

	if (status != noErr && status != -1) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}			
	return status;
}


/*
 * Copy the system keychain
 */
static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef)
{

	OSStatus status;

	status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem);
	if (status != noErr)
		goto end;

	status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, keychainRef);
	
end:

	if (status != noErr) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}			
	return status;

}


/* 
 * Return string representation of Security-related OSStatus.
 */
const char *
GetSecurityErrorString(OSStatus err)
{
    switch(err) {
		case noErr:
			return "noErr";
		case memFullErr:
			return "memFullErr";
		case paramErr:
			return "paramErr";
		case unimpErr:
			return "unimpErr";
	
		/* SecBase.h: */
		case errSecNotAvailable:
			return "errSecNotAvailable";
		case errSecReadOnly:
			return "errSecReadOnly";
		case errSecAuthFailed:
			return "errSecAuthFailed";
		case errSecNoSuchKeychain:
			return "errSecNoSuchKeychain";
		case errSecInvalidKeychain:
			return "errSecInvalidKeychain";
		case errSecDuplicateKeychain:
			return "errSecDuplicateKeychain";
		case errSecDuplicateCallback:
			return "errSecDuplicateCallback";
		case errSecInvalidCallback:
			return "errSecInvalidCallback";
		case errSecDuplicateItem:
			return "errSecDuplicateItem";
		case errSecItemNotFound:
			return "errSecItemNotFound";
		case errSecBufferTooSmall:
			return "errSecBufferTooSmall";
		case errSecDataTooLarge:
			return "errSecDataTooLarge";
		case errSecNoSuchAttr:
			return "errSecNoSuchAttr";
		case errSecInvalidItemRef:
			return "errSecInvalidItemRef";
		case errSecInvalidSearchRef:
			return "errSecInvalidSearchRef";
		case errSecNoSuchClass:
			return "errSecNoSuchClass";
		case errSecNoDefaultKeychain:
			return "errSecNoDefaultKeychain";
		case errSecInteractionNotAllowed:
			return "errSecInteractionNotAllowed";
		case errSecReadOnlyAttr:
			return "errSecReadOnlyAttr";
		case errSecWrongSecVersion:
			return "errSecWrongSecVersion";
		case errSecKeySizeNotAllowed:
			return "errSecKeySizeNotAllowed";
		case errSecNoStorageModule:
			return "errSecNoStorageModule";
		case errSecNoCertificateModule:
			return "errSecNoCertificateModule";
		case errSecNoPolicyModule:
			return "errSecNoPolicyModule";
		case errSecInteractionRequired:
			return "errSecInteractionRequired";
		case errSecDataNotAvailable:
			return "errSecDataNotAvailable";
		case errSecDataNotModifiable:
			return "errSecDataNotModifiable";
		case errSecCreateChainFailed:
			return "errSecCreateChainFailed";
		case errSecACLNotSimple:
			return "errSecACLNotSimple";
		case errSecPolicyNotFound:
			return "errSecPolicyNotFound";
		case errSecInvalidTrustSetting:
			return "errSecInvalidTrustSetting";
		case errSecNoAccessForItem:
			return "errSecNoAccessForItem";
		case errSecInvalidOwnerEdit:
			return "errSecInvalidOwnerEdit";
		default:
			return "<unknown>";
    }
}
Commit	Line	Data
52b7d2ce A	1
	2	/*
	3	* Copyright (c) 2001-2004 Apple Computer, Inc. All rights reserved.
	4	*
	5	* @APPLE_LICENSE_HEADER_START@
	6	*
	7	* The contents of this file constitute Original Code as defined in and
	8	* are subject to the Apple Public Source License Version 1.1 (the
	9	* "License"). You may not use this file except in compliance with the
	10	* License. Please obtain a copy of the License at
	11	* http://www.apple.com/publicsource and read it before using this file.
	12	*
	13	* This Original Code and all software distributed under the License are
	14	* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
	18	* License for the specific language governing rights and limitations
	19	* under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	/*
	26	* Racoon module for verifying and signing certificates through Security
	27	* Framework and CSSM
	28	*/
	29
	30	#include <Security/SecBase.h>
	31	#include <Security/SecCertificate.h>
	32	#include <Security/SecPolicy.h>
	33	#include <Security/SecIdentity.h>
	34	#include <Security/SecIdentityPriv.h>
	35	#include <Security/SecIdentitySearch.h>
	36	#include <Security/SecKeychain.h>
	37	#include <Security/SecKeychainItem.h>
	38	#include <Security/SecKeychainItemPriv.h>
	39	#include <Security/SecKey.h>
	40	#include <Security/SecKeyPriv.h>
	41	#include <Security/SecTrust.h>
	42	#include <Security/oidsalg.h>
	43	#include <Security/cssmapi.h>
	44	#include <Security/SecPolicySearch.h>
	45	#include <CoreFoundation/CoreFoundation.h>
	46	#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
	47	#include "plog.h"
	48	#include "debug.h"
	49	#include "misc.h"
	50
	51	#include "crypto_cssm.h"
	52
	53
	54
	55	static OSStatus FindPolicy(const CSSM_OID policyOID, SecPolicyRef policyRef);
	56	static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef);
	57	static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef);
	58	static const char *GetSecurityErrorString(OSStatus err);
	59
	60
	61	/*
	62	* Verify cert using security framework
	63	*/
	64	int crypto_cssm_check_x509cert(vchar_t *cert)
65	{
66	OSStatus status;
67	SecCertificateRef certRef = 0;
68	CSSM_DATA certData;
69	CSSM_OID ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC;
70	SecPolicyRef policyRef = 0;
71
72	// create cert ref
73	certData.Length = cert->l;
74	certData.Data = (uint8 *)cert->v;
75	status = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER,
76	&certRef);
77	if (status != noErr)
78	goto end;
79
80	// get our policy object
81	status = FindPolicy(&ourPolicyOID, &policyRef);
82	if (status != noErr)
83	goto end;
84
85	// setup policy options ???
86	// no options used at present - verification of subjectAltName fields, etc.
87	// are done elsewhere in racoon in oakley_check_certid()
88
89	// evaluate cert
90	status = EvaluateCert(certRef, policyRef);
91
92
93	end:
94
95	if (certRef)
96	CFRelease(certRef);
97	if (policyRef)
98	CFRelease(policyRef);
99
100	if (status != noErr && status != -1) {
101	plog(LLV_ERROR, LOCATION, NULL,
102	"error %d %s.\n", status, GetSecurityErrorString(status));
103	status = -1;
104	}
105	return status;
106
107	}
108
109	/*
110	* Encrypt a hash via CSSM using the private key in the keychain
111	* from an identity.
112	*/
113	vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash)
114	{
115
116	OSStatus status;
117	SecCertificateRef certificateRef = NULL;
118	SecIdentityRef identityRef = NULL;
119	SecIdentitySearchRef idSearchRef = NULL;
120	SecKeychainRef keychainRef = NULL;
121	SecKeyRef privateKeyRef = NULL;
122	const CSSM_KEY *cssmKey = NULL;
123	CSSM_CSP_HANDLE cspHandle = nil;
124	CSSM_CC_HANDLE cssmContextHandle = nil;
125	const CSSM_ACCESS_CREDENTIALS *credentials = NULL;
126	//CSSM_SIZE bytesEncrypted = 0; //%%%%HWR fix this - need new headers on Leopard
127	uint32 bytesEncrypted = 0;
128	CSSM_DATA clearData;
129	CSSM_DATA cipherData;
130	CSSM_DATA remData;
131	CSSM_CONTEXT_ATTRIBUTE newAttr;
132	vchar_t *sig = NULL;
133
134	remData.Length = 0;
135	remData.Data = 0;
136
137	if (persistentCertRef) {
138	// get cert from keychain
139	status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef);
140	if (status != noErr)
141	goto end;
142
143	// get keychain ref where cert is contained
144	status = SecKeychainItemCopyKeychain((SecKeychainItemRef)certificateRef, &keychainRef);
145	if (status != noErr)
146	goto end;
147
148	// get identity from the certificate
149	status = SecIdentityCreateWithCertificate(keychainRef, certificateRef, &identityRef);
150	if (status != noErr)
151	goto end;
152
153	} else {
154	// copy system keychain
155	status = CopySystemKeychain(&keychainRef);
156	if (status != noErr)
157	goto end;
158
159	// serach for first identity in system keychain
160	status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef);
161	if (status != noErr)
162	goto end;
163
164	status = SecIdentitySearchCopyNext(idSearchRef, &identityRef);
165	if (status != noErr)
166	goto end;
167
168	// get certificate from identity
169	status = SecIdentityCopyCertificate(identityRef, &certificateRef);
170	if (status != noErr)
171	goto end;
172	}
173
174
175	// get private key from identity
176	status = SecIdentityCopyPrivateKey(identityRef, &privateKeyRef);
177	if (status != noErr)
178	goto end;
179
180	// get CSSM_KEY pointer from key ref
181	status = SecKeyGetCSSMKey(privateKeyRef, &cssmKey);
182	if (status != noErr)
183	goto end;
184
185	// get CSSM CSP handle
186	status = SecKeychainGetCSPHandle(keychainRef, &cspHandle);
187	if (status != noErr)
188	goto end;
189
190	// create CSSM credentials to unlock private key for encryption - no UI to be used
191	status = SecKeyGetCredentials(privateKeyRef, CSSM_ACL_AUTHORIZATION_ENCRYPT,
192	kSecCredentialTypeNoUI, &credentials);
193	if (status != noErr)
194	goto end;
195
196	// create asymmetric context for encryption
197	status = CSSM_CSP_CreateAsymmetricContext(cspHandle, CSSM_ALGID_RSA, credentials, cssmKey,
198	CSSM_PADDING_PKCS1, &cssmContextHandle);
199	if (status != noErr)
200	goto end;
201
202	// add mode attribute to use private key for encryption
203	newAttr.AttributeType = CSSM_ATTRIBUTE_MODE;
204	newAttr.AttributeLength = sizeof(uint32);
205	newAttr.Attribute.Data = (CSSM_DATA_PTR)CSSM_ALGMODE_PRIVATE_KEY;
206	status = CSSM_UpdateContextAttributes(cssmContextHandle, 1, &newAttr);
207	if(status != noErr)
208	goto end;
209
210	// and finally - encrypt data
211	clearData.Length = hash->l;
212	clearData.Data = (uint8 *)hash->v;
213	cipherData.Length = 0;
214	cipherData.Data = NULL;
215	status = CSSM_EncryptData(cssmContextHandle, &clearData, 1, &cipherData, 1, &bytesEncrypted,
216	&remData);
217	if (status != noErr)
218	goto end;
219
220	if (remData.Length != 0) { // something didn't go right - should be zero
221	status = -1;
222	plog(LLV_ERROR, LOCATION, NULL,
223	"unencrypted data remaining after encrypting hash.\n");
224	goto end;
225	}
226
227	// alloc buffer for result
228	sig = vmalloc(0);
229	if (sig == NULL)
230	goto end;
231
232	sig->l = cipherData.Length;
233	sig->v = (caddr_t)cipherData.Data;
234
235	end:
236	if (certificateRef)
237	CFRelease(certificateRef);
238	if (keychainRef)
239	CFRelease(keychainRef);
240	if (identityRef)
241	CFRelease(identityRef);
242	if (privateKeyRef)
243	CFRelease(privateKeyRef);
244	if (idSearchRef)
245	CFRelease(idSearchRef);
246	if (cssmContextHandle)
247	CSSM_DeleteContext(cssmContextHandle);
248	if (status != noErr) {
249	if (sig) {
250	vfree(sig);
251	sig = NULL;
252	}
253	}
254
255	if (status != noErr && status != -1) {
256	plog(LLV_ERROR, LOCATION, NULL,
257	"error %d %s.\n", status, GetSecurityErrorString(status));
258	status = -1;
259	}
260	return sig;
261
262	}
263
264
265	/*
266	* Retrieve a cert from the keychain
267	*/
268	vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef)
269	{
270
271	OSStatus status;
272	CSSM_DATA cssmData;
273	vchar_t *cert = NULL;
274	SecIdentityRef identityRef = NULL;
275	SecIdentitySearchRef idSearchRef = NULL;
276	SecKeychainRef keychainRef = NULL;
277	SecCertificateRef certificateRef = NULL;
278
279
280	// get cert ref
281	if (persistentCertRef) {
282	status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef);
283	if (status != noErr)
284	goto end;
285	} else {
286	// copy system keychain
287	status = CopySystemKeychain(&keychainRef);
288	if (status != noErr)
289	goto end;
290
291	// find first identity in system keychain
292	status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef);
293	if (status != noErr)
294	goto end;
295
296	status = SecIdentitySearchCopyNext(idSearchRef, &identityRef);
297	if (status != noErr)
298	goto end;
299
300	// get certificate from identity
301	status = SecIdentityCopyCertificate(identityRef, &certificateRef);
302	if (status != noErr)
303	goto end;
304
305	}
306
307	// get certificate data
308	cssmData.Length = 0;
309	cssmData.Data = NULL;
310	status = SecCertificateGetData(certificateRef, &cssmData);
311	if (status != noErr)
312	goto end;
313
314	if (cssmData.Length == 0)
315	goto end;
316
317	cert = vmalloc(cssmData.Length);
318	if (cert == NULL)
319	goto end;
320
321	// cssmData struct just points to the data
322	// data must be copied to be returned
323	memcpy(cert->v, cssmData.Data, cssmData.Length);
324
325	end:
326	if (certificateRef)
327	CFRelease(certificateRef);
328	if (identityRef)
329	CFRelease(identityRef);
330	if (idSearchRef)
331	CFRelease(idSearchRef);
332	if (keychainRef)
333	CFRelease(keychainRef);
334
335	if (status != noErr && status != -1) {
336	plog(LLV_ERROR, LOCATION, NULL,
337	"error %d %s.\n", status, GetSecurityErrorString(status));
338	status = -1;
339	}
340	return cert;
341
342	}
343
344
345	/*
346	* Find a policy ref by OID
347	*/
348	static OSStatus FindPolicy(const CSSM_OID policyOID, SecPolicyRef policyRef)
349	{
350
351	OSStatus status;
352	SecPolicySearchRef searchRef = nil;
353
354	status = SecPolicySearchCreate(CSSM_CERT_X_509v3, policyOID, NULL, &searchRef);
355	if (status != noErr)
356	goto end;
357
358	status = SecPolicySearchCopyNext(searchRef, policyRef);
359
360	end:
361	if (searchRef)
362	CFRelease(searchRef);
363
364	if (status != noErr) {
365	plog(LLV_ERROR, LOCATION, NULL,
366	"error %d %s.\n", status, GetSecurityErrorString(status));
367	status = -1;
368	}
369	return status;
370	}
371
372
373	/*
374	* Evaluate the trust of a cert using the policy provided
375	*/
376	static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef)
377	{
378	OSStatus status;
379	SecTrustRef trustRef = 0;
380	SecTrustResultType evalResult;
381
382	SecCertificateRef evalCertArray[1] = { cert };
383
384	CFArrayRef cfCertRef = CFArrayCreate((CFAllocatorRef) NULL, (void*)evalCertArray, 1,
385	&kCFTypeArrayCallBacks);
386
387	if (!cfCertRef) {
388	plog(LLV_ERROR, LOCATION, NULL,
389	"unable to create CFArray.\n");
390	return -1;
391	}
392
393	status = SecTrustCreateWithCertificates(cfCertRef, policyRef, &trustRef);
394	if (status != noErr)
395	goto end;
396
397	status = SecTrustEvaluate(trustRef, &evalResult);
398	if (status != noErr)
399	goto end;
400
401	if (evalResult != kSecTrustResultProceed && evalResult != kSecTrustResultUnspecified) {
402	plog(LLV_ERROR, LOCATION, NULL,
403	"error evaluating certificate.\n");
404	status = -1;
405	}
406
407
408	end:
409	if (cfCertRef)
410	CFRelease(cfCertRef);
411	if (trustRef)
412	CFRelease(trustRef);
413
414	if (status != noErr && status != -1) {
415	plog(LLV_ERROR, LOCATION, NULL,
416	"error %d %s.\n", status, GetSecurityErrorString(status));
417	status = -1;
418	}
419	return status;
420	}
421
422
423	/*
424	* Copy the system keychain
425	*/
426	static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef)
427	{
428
429	OSStatus status;
430
431	status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem);
432	if (status != noErr)
433	goto end;
434
435	status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, keychainRef);
436
437	end:
438
439	if (status != noErr) {
440	plog(LLV_ERROR, LOCATION, NULL,
441	"error %d %s.\n", status, GetSecurityErrorString(status));
442	status = -1;
443	}
444	return status;
445
446	}
447
448
449	/*
450	* Return string representation of Security-related OSStatus.
451	*/
452	const char *
453	GetSecurityErrorString(OSStatus err)
454	{
455	switch(err) {
456	case noErr:
457	return "noErr";
458	case memFullErr:
459	return "memFullErr";
460	case paramErr:
461	return "paramErr";
462	case unimpErr:
463	return "unimpErr";
464
465	/* SecBase.h: */
466	case errSecNotAvailable:
467	return "errSecNotAvailable";
468	case errSecReadOnly:
469	return "errSecReadOnly";
470	case errSecAuthFailed:
471	return "errSecAuthFailed";
472	case errSecNoSuchKeychain:
473	return "errSecNoSuchKeychain";
474	case errSecInvalidKeychain:
475	return "errSecInvalidKeychain";
476	case errSecDuplicateKeychain:
477	return "errSecDuplicateKeychain";
478	case errSecDuplicateCallback:
479	return "errSecDuplicateCallback";
480	case errSecInvalidCallback:
481	return "errSecInvalidCallback";
482	case errSecDuplicateItem:
483	return "errSecDuplicateItem";
484	case errSecItemNotFound:
485	return "errSecItemNotFound";
486	case errSecBufferTooSmall:
487	return "errSecBufferTooSmall";
488	case errSecDataTooLarge:
489	return "errSecDataTooLarge";
490	case errSecNoSuchAttr:
491	return "errSecNoSuchAttr";
492	case errSecInvalidItemRef:
493	return "errSecInvalidItemRef";
494	case errSecInvalidSearchRef:
495	return "errSecInvalidSearchRef";
496	case errSecNoSuchClass:
497	return "errSecNoSuchClass";
498	case errSecNoDefaultKeychain:
499	return "errSecNoDefaultKeychain";
500	case errSecInteractionNotAllowed:
501	return "errSecInteractionNotAllowed";
502	case errSecReadOnlyAttr:
503	return "errSecReadOnlyAttr";
504	case errSecWrongSecVersion:
505	return "errSecWrongSecVersion";
506	case errSecKeySizeNotAllowed:
507	return "errSecKeySizeNotAllowed";
508	case errSecNoStorageModule:
509	return "errSecNoStorageModule";
510	case errSecNoCertificateModule:
511	return "errSecNoCertificateModule";
512	case errSecNoPolicyModule:
513	return "errSecNoPolicyModule";
514	case errSecInteractionRequired:
515	return "errSecInteractionRequired";
516	case errSecDataNotAvailable:
517	return "errSecDataNotAvailable";
518	case errSecDataNotModifiable:
519	return "errSecDataNotModifiable";
520	case errSecCreateChainFailed:
521	return "errSecCreateChainFailed";
522	case errSecACLNotSimple:
523	return "errSecACLNotSimple";
524	case errSecPolicyNotFound:
525	return "errSecPolicyNotFound";
526	case errSecInvalidTrustSetting:
527	return "errSecInvalidTrustSetting";
528	case errSecNoAccessForItem:
529	return "errSecNoAccessForItem";
530	case errSecInvalidOwnerEdit:
531	return "errSecInvalidOwnerEdit";
532	default:
533	return "<unknown>";
534	}
535	}
536