[apple/network_cmds.git] / racoon.tproj / crypto_cssm.c


/*
 * Copyright (c) 2001-2004 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License").  You may not use this file except in compliance with the
 * License.  Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


/*
 * Racoon module for verifying and signing certificates through Security
 * Framework and CSSM
 */

#include <Security/SecBase.h>
#include <Security/SecCertificate.h>
#include <Security/SecPolicy.h>
#include <Security/SecIdentity.h>
#include <Security/SecIdentityPriv.h>
#include <Security/SecIdentitySearch.h>
#include <Security/SecKeychain.h>
#include <Security/SecKeychainItem.h>
#include <Security/SecKeychainItemPriv.h>
#include <Security/SecKey.h>
#include <Security/SecKeyPriv.h>
#include <Security/SecTrust.h>
#include <Security/oidsalg.h>
#include <Security/cssmapi.h>
#include <Security/SecPolicySearch.h>
#include <CoreFoundation/CoreFoundation.h>
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
#include "plog.h"
#include "debug.h"
#include "misc.h"

#include "crypto_cssm.h"


static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef);
static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef);
static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef);
static const char *GetSecurityErrorString(OSStatus err);


/*
 * Verify cert using security framework
 */
int crypto_cssm_check_x509cert(vchar_t *cert)
{
	OSStatus			status;
	SecCertificateRef	certRef = 0;
	CSSM_DATA			certData;
	CSSM_OID			ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC; 
	SecPolicyRef		policyRef = 0;

	// create cert ref
	certData.Length = cert->l;
	certData.Data = cert->v;
	status = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER,
		&certRef);
	if (status != noErr)
		goto end;
	
	// get our policy object
	status = FindPolicy(&ourPolicyOID, &policyRef);
	if (status != noErr)
		goto end;
		
	// setup policy options ???
	// no options used at present - verification of subjectAltName fields, etc.
	// are done elsewhere in racoon in oakley_check_certid()
	
	// evaluate cert
	status = EvaluateCert(certRef, policyRef);
	
	
end:

	if (certRef)
		CFRelease(certRef);
	if (policyRef)
		CFRelease(policyRef);
	
	if (status != noErr && status != -1) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}		
	return status;

}

/*
 * Encrypt a hash via CSSM using the private key in the keychain
 * from an identity.
 */
vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash)
{

	OSStatus						status;
	SecCertificateRef				certificateRef = NULL;
	SecIdentityRef 					identityRef = NULL;
	SecIdentitySearchRef			idSearchRef = NULL;
	SecKeychainRef 					keychainRef = NULL;
	SecKeyRef						privateKeyRef = NULL;
	const CSSM_KEY					*cssmKey = NULL;
	CSSM_CSP_HANDLE 				cspHandle = nil;
	CSSM_CC_HANDLE					cssmContextHandle = nil;
	const CSSM_ACCESS_CREDENTIALS	*credentials = NULL;
	uint32							bytesEncrypted = 0;
	CSSM_DATA						clearData;
	CSSM_DATA						cipherData;
	CSSM_DATA						remData;
	CSSM_CONTEXT_ATTRIBUTE			newAttr;
	vchar_t							*sig = NULL;

	remData.Length = 0;
	remData.Data = 0;

	if (persistentCertRef) {			
		// get cert from keychain
		status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef);
		if (status != noErr)
			goto end;
	
		// get keychain ref where cert is contained
		status = SecKeychainItemCopyKeychain((SecKeychainItemRef)certificateRef, &keychainRef);
		if (status != noErr)
			goto end;
	
		// get identity from the certificate
		status = SecIdentityCreateWithCertificate(keychainRef, certificateRef, &identityRef);
		if (status != noErr)
			goto end;	
			
	} else {
		// copy system keychain
		status = CopySystemKeychain(&keychainRef);
		if (status != noErr)
			goto end;

		// serach for first identity in system keychain
		status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef);
		if (status != noErr)
			goto end;
		
		status = SecIdentitySearchCopyNext(idSearchRef, &identityRef);
		if (status != noErr)
			goto end;

		// get certificate from identity
		status = SecIdentityCopyCertificate(identityRef, &certificateRef);
		if (status != noErr)
			goto end;
	}
	
					
	// get private key from identity
	status = SecIdentityCopyPrivateKey(identityRef, &privateKeyRef);
	if (status != noErr)
		goto end;
		
	// get CSSM_KEY pointer from key ref
	status = SecKeyGetCSSMKey(privateKeyRef, &cssmKey);
	if (status != noErr)
		goto end;
		
	// get CSSM CSP handle
	status = SecKeychainGetCSPHandle(keychainRef, &cspHandle);
	if (status != noErr)
		goto end;
		
	// create CSSM credentials to unlock private key for encryption - no UI to be used
	status = SecKeyGetCredentials(privateKeyRef, CSSM_ACL_AUTHORIZATION_ENCRYPT,
				kSecCredentialTypeNoUI, &credentials);
	if (status != noErr)
		goto end;	

	// create asymmetric context for encryption
	status = CSSM_CSP_CreateAsymmetricContext(cspHandle, CSSM_ALGID_RSA, credentials, cssmKey, 
			CSSM_PADDING_PKCS1, &cssmContextHandle);
	if (status != noErr)
		goto end;
		
	// add mode attribute to use private key for encryption
	newAttr.AttributeType     = CSSM_ATTRIBUTE_MODE;
	newAttr.AttributeLength   = sizeof(uint32);
	newAttr.Attribute.Data    = (CSSM_DATA_PTR)CSSM_ALGMODE_PRIVATE_KEY;
	status = CSSM_UpdateContextAttributes(cssmContextHandle, 1, &newAttr);
	if(status != noErr)
		goto end;
			
	// and finally - encrypt data
	clearData.Length = hash->l;
	clearData.Data = hash->v;
	cipherData.Length = 0;
	cipherData.Data = NULL;
	status = CSSM_EncryptData(cssmContextHandle, &clearData, 1, &cipherData, 1, &bytesEncrypted, 
						&remData);
	if (status != noErr)
		goto end;
	
	if (remData.Length != 0) {	// something didn't go right - should be zero
		status = -1;
		plog(LLV_ERROR, LOCATION, NULL, 
			"unencrypted data remaining after encrypting hash.\n");
		goto end;
	}

	// alloc buffer for result
	sig = vmalloc(cipherData.Length);
	if (sig == NULL)
		goto end;
		
	sig->v = cipherData.Data;
		
end:
	if (certificateRef)
		CFRelease(certificateRef);
	if (keychainRef)
		CFRelease(keychainRef);
	if (identityRef)
		CFRelease(identityRef);
	if (privateKeyRef)
		CFRelease(privateKeyRef);
	if (idSearchRef)
		CFRelease(idSearchRef);
	if (cssmContextHandle)
		CSSM_DeleteContext(cssmContextHandle);
	if (status != noErr) {
		if (sig) {
			vfree(sig);
			sig = NULL;
		}
	}

	if (status != noErr && status != -1) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}			
	return sig;
	
}


/*
 * Retrieve a cert from the keychain
 */
vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef)
{

	OSStatus				status;
	CSSM_DATA				cssmData;
	vchar_t					*cert = NULL;
	SecIdentityRef 			identityRef = NULL;
	SecIdentitySearchRef	idSearchRef = NULL;
	SecKeychainRef 			keychainRef = NULL;
	SecCertificateRef		certificateRef = NULL;


	// get cert ref
	if (persistentCertRef) {
		status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef);
		if (status != noErr)
			goto end;
	} else {
		// copy system keychain
		status = CopySystemKeychain(&keychainRef);
		if (status != noErr)
			goto end;

		// find first identity in system keychain
		status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef);
		if (status != noErr)
			goto end;
		
		status = SecIdentitySearchCopyNext(idSearchRef, &identityRef);
		if (status != noErr)
			goto end;

		// get certificate from identity
		status = SecIdentityCopyCertificate(identityRef, &certificateRef);
		if (status != noErr)
			goto end;
		
	}
		
	// get certificate data
	cssmData.Length = 0;
	cssmData.Data = NULL;
	status = SecCertificateGetData(certificateRef, &cssmData);
	if (status != noErr)
		goto end;
		
	if (cssmData.Length == 0)
		goto end;
	
	cert = vmalloc(cssmData.Length);
	if (cert == NULL)
		goto end;	
	
	// cssmData struct just points to the data
	// data must be copied to be returned
	memcpy(cert->v, cssmData.Data, cssmData.Length);	
		
end:
	if (certificateRef)
		CFRelease(certificateRef);
	if (identityRef)
		CFRelease(identityRef);
	if (idSearchRef)
		CFRelease(idSearchRef);
	if (keychainRef)
		CFRelease(keychainRef);

	if (status != noErr && status != -1) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}			
	return cert;

}


/*
 * Find a policy ref by OID
 */
static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef)
{
	
	OSStatus			status;
	SecPolicySearchRef	searchRef = nil;
	
	status = SecPolicySearchCreate(CSSM_CERT_X_509v3, policyOID, NULL, &searchRef);
	if (status != noErr)
		goto end;
		
	status = SecPolicySearchCopyNext(searchRef, policyRef);
	
end:
	if (searchRef)
		CFRelease(searchRef);

	if (status != noErr) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}			
	return status;
}
		

/*
 * Evaluate the trust of a cert using the policy provided
 */
static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef)
{
	OSStatus					status;
	SecTrustRef					trustRef = 0;
	SecTrustResultType 			evalResult;
	
	SecCertificateRef			evalCertArray[1] = { cert };
	
	CFArrayRef			cfCertRef = CFArrayCreate((CFAllocatorRef) NULL, (void*)evalCertArray, 1,
										&kCFTypeArrayCallBacks);
										
	if (!cfCertRef) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"unable to create CFArray.\n");		
		return -1;
	}
		
	status = SecTrustCreateWithCertificates(cfCertRef, policyRef, &trustRef);
	if (status != noErr)
		goto end;
		
	status = SecTrustEvaluate(trustRef, &evalResult);
	if (status != noErr)
		goto end;
	
	if (evalResult != kSecTrustResultProceed && evalResult != kSecTrustResultUnspecified) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error evaluating certificate.\n");
		status = -1;
	}
			
	
end:
	if (cfCertRef)
		CFRelease(cfCertRef);
	if (trustRef)
		CFRelease(trustRef);

	if (status != noErr && status != -1) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}			
	return status;
}


/*
 * Copy the system keychain
 */
static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef)
{

	OSStatus status;

	status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem);
	if (status != noErr)
		goto end;

	status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, keychainRef);
	
end:

	if (status != noErr) {
		plog(LLV_ERROR, LOCATION, NULL, 
			"error %d %s.\n", status, GetSecurityErrorString(status));
		status = -1;
	}			
	return status;

}


/* 
 * Return string representation of Security-related OSStatus.
 */
const char *
GetSecurityErrorString(OSStatus err)
{
    switch(err) {
		case noErr:
			return "noErr";
		case memFullErr:
			return "memFullErr";
		case paramErr:
			return "paramErr";
		case unimpErr:
			return "unimpErr";
	
		/* SecBase.h: */
		case errSecNotAvailable:
			return "errSecNotAvailable";
		case errSecReadOnly:
			return "errSecReadOnly";
		case errSecAuthFailed:
			return "errSecAuthFailed";
		case errSecNoSuchKeychain:
			return "errSecNoSuchKeychain";
		case errSecInvalidKeychain:
			return "errSecInvalidKeychain";
		case errSecDuplicateKeychain:
			return "errSecDuplicateKeychain";
		case errSecDuplicateCallback:
			return "errSecDuplicateCallback";
		case errSecInvalidCallback:
			return "errSecInvalidCallback";
		case errSecDuplicateItem:
			return "errSecDuplicateItem";
		case errSecItemNotFound:
			return "errSecItemNotFound";
		case errSecBufferTooSmall:
			return "errSecBufferTooSmall";
		case errSecDataTooLarge:
			return "errSecDataTooLarge";
		case errSecNoSuchAttr:
			return "errSecNoSuchAttr";
		case errSecInvalidItemRef:
			return "errSecInvalidItemRef";
		case errSecInvalidSearchRef:
			return "errSecInvalidSearchRef";
		case errSecNoSuchClass:
			return "errSecNoSuchClass";
		case errSecNoDefaultKeychain:
			return "errSecNoDefaultKeychain";
		case errSecInteractionNotAllowed:
			return "errSecInteractionNotAllowed";
		case errSecReadOnlyAttr:
			return "errSecReadOnlyAttr";
		case errSecWrongSecVersion:
			return "errSecWrongSecVersion";
		case errSecKeySizeNotAllowed:
			return "errSecKeySizeNotAllowed";
		case errSecNoStorageModule:
			return "errSecNoStorageModule";
		case errSecNoCertificateModule:
			return "errSecNoCertificateModule";
		case errSecNoPolicyModule:
			return "errSecNoPolicyModule";
		case errSecInteractionRequired:
			return "errSecInteractionRequired";
		case errSecDataNotAvailable:
			return "errSecDataNotAvailable";
		case errSecDataNotModifiable:
			return "errSecDataNotModifiable";
		case errSecCreateChainFailed:
			return "errSecCreateChainFailed";
		case errSecACLNotSimple:
			return "errSecACLNotSimple";
		case errSecPolicyNotFound:
			return "errSecPolicyNotFound";
		case errSecInvalidTrustSetting:
			return "errSecInvalidTrustSetting";
		case errSecNoAccessForItem:
			return "errSecNoAccessForItem";
		case errSecInvalidOwnerEdit:
			return "errSecInvalidOwnerEdit";
		default:
			return "<unknown>";
    }
}
Commit	Line	Data
2b484d24 A	1
	2	/*
	3	* Copyright (c) 2001-2004 Apple Computer, Inc. All rights reserved.
	4	*
	5	* @APPLE_LICENSE_HEADER_START@
	6	*
	7	* The contents of this file constitute Original Code as defined in and
	8	* are subject to the Apple Public Source License Version 1.1 (the
	9	* "License"). You may not use this file except in compliance with the
	10	* License. Please obtain a copy of the License at
	11	* http://www.apple.com/publicsource and read it before using this file.
	12	*
	13	* This Original Code and all software distributed under the License are
	14	* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
	18	* License for the specific language governing rights and limitations
	19	* under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	/*
	26	* Racoon module for verifying and signing certificates through Security
	27	* Framework and CSSM
	28	*/
	29
	30	#include <Security/SecBase.h>
	31	#include <Security/SecCertificate.h>
	32	#include <Security/SecPolicy.h>
	33	#include <Security/SecIdentity.h>
	34	#include <Security/SecIdentityPriv.h>
	35	#include <Security/SecIdentitySearch.h>
	36	#include <Security/SecKeychain.h>
	37	#include <Security/SecKeychainItem.h>
	38	#include <Security/SecKeychainItemPriv.h>
	39	#include <Security/SecKey.h>
	40	#include <Security/SecKeyPriv.h>
	41	#include <Security/SecTrust.h>
	42	#include <Security/oidsalg.h>
	43	#include <Security/cssmapi.h>
	44	#include <Security/SecPolicySearch.h>
	45	#include <CoreFoundation/CoreFoundation.h>
	46	#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
	47	#include "plog.h"
	48	#include "debug.h"
	49	#include "misc.h"
	50
	51	#include "crypto_cssm.h"
	52
	53
	54
	55	static OSStatus FindPolicy(const CSSM_OID policyOID, SecPolicyRef policyRef);
	56	static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef);
	57	static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef);
	58	static const char *GetSecurityErrorString(OSStatus err);
	59
	60
	61	/*
	62	* Verify cert using security framework
	63	*/
	64	int crypto_cssm_check_x509cert(vchar_t *cert)
65	{
66	OSStatus status;
67	SecCertificateRef certRef = 0;
68	CSSM_DATA certData;
69	CSSM_OID ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC;
70	SecPolicyRef policyRef = 0;
71
72	// create cert ref
73	certData.Length = cert->l;
74	certData.Data = cert->v;
75	status = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER,
76	&certRef);
77	if (status != noErr)
78	goto end;
79
80	// get our policy object
81	status = FindPolicy(&ourPolicyOID, &policyRef);
82	if (status != noErr)
83	goto end;
84
85	// setup policy options ???
86	// no options used at present - verification of subjectAltName fields, etc.
87	// are done elsewhere in racoon in oakley_check_certid()
88
89	// evaluate cert
90	status = EvaluateCert(certRef, policyRef);
91
92
93	end:
94
95	if (certRef)
96	CFRelease(certRef);
97	if (policyRef)
98	CFRelease(policyRef);
99
100	if (status != noErr && status != -1) {
101	plog(LLV_ERROR, LOCATION, NULL,
102	"error %d %s.\n", status, GetSecurityErrorString(status));
103	status = -1;
104	}
105	return status;
106
107	}
108
109	/*
110	* Encrypt a hash via CSSM using the private key in the keychain
111	* from an identity.
112	*/
113	vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash)
114	{
115
116	OSStatus status;
117	SecCertificateRef certificateRef = NULL;
118	SecIdentityRef identityRef = NULL;
119	SecIdentitySearchRef idSearchRef = NULL;
120	SecKeychainRef keychainRef = NULL;
121	SecKeyRef privateKeyRef = NULL;
122	const CSSM_KEY *cssmKey = NULL;
123	CSSM_CSP_HANDLE cspHandle = nil;
124	CSSM_CC_HANDLE cssmContextHandle = nil;
125	const CSSM_ACCESS_CREDENTIALS *credentials = NULL;
126	uint32 bytesEncrypted = 0;
127	CSSM_DATA clearData;
128	CSSM_DATA cipherData;
129	CSSM_DATA remData;
130	CSSM_CONTEXT_ATTRIBUTE newAttr;
131	vchar_t *sig = NULL;
132
133	remData.Length = 0;
134	remData.Data = 0;
135
136	if (persistentCertRef) {
137	// get cert from keychain
138	status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef);
139	if (status != noErr)
140	goto end;
141
142	// get keychain ref where cert is contained
143	status = SecKeychainItemCopyKeychain((SecKeychainItemRef)certificateRef, &keychainRef);
144	if (status != noErr)
145	goto end;
146
147	// get identity from the certificate
148	status = SecIdentityCreateWithCertificate(keychainRef, certificateRef, &identityRef);
149	if (status != noErr)
150	goto end;
151
152	} else {
153	// copy system keychain
154	status = CopySystemKeychain(&keychainRef);
155	if (status != noErr)
156	goto end;
157
158	// serach for first identity in system keychain
159	status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef);
160	if (status != noErr)
161	goto end;
162
163	status = SecIdentitySearchCopyNext(idSearchRef, &identityRef);
164	if (status != noErr)
165	goto end;
166
167	// get certificate from identity
168	status = SecIdentityCopyCertificate(identityRef, &certificateRef);
169	if (status != noErr)
170	goto end;
171	}
172
173
174	// get private key from identity
175	status = SecIdentityCopyPrivateKey(identityRef, &privateKeyRef);
176	if (status != noErr)
177	goto end;
178
179	// get CSSM_KEY pointer from key ref
180	status = SecKeyGetCSSMKey(privateKeyRef, &cssmKey);
181	if (status != noErr)
182	goto end;
183
184	// get CSSM CSP handle
185	status = SecKeychainGetCSPHandle(keychainRef, &cspHandle);
186	if (status != noErr)
187	goto end;
188
189	// create CSSM credentials to unlock private key for encryption - no UI to be used
190	status = SecKeyGetCredentials(privateKeyRef, CSSM_ACL_AUTHORIZATION_ENCRYPT,
191	kSecCredentialTypeNoUI, &credentials);
192	if (status != noErr)
193	goto end;
194
195	// create asymmetric context for encryption
196	status = CSSM_CSP_CreateAsymmetricContext(cspHandle, CSSM_ALGID_RSA, credentials, cssmKey,
197	CSSM_PADDING_PKCS1, &cssmContextHandle);
198	if (status != noErr)
199	goto end;
200
201	// add mode attribute to use private key for encryption
202	newAttr.AttributeType = CSSM_ATTRIBUTE_MODE;
203	newAttr.AttributeLength = sizeof(uint32);
204	newAttr.Attribute.Data = (CSSM_DATA_PTR)CSSM_ALGMODE_PRIVATE_KEY;
205	status = CSSM_UpdateContextAttributes(cssmContextHandle, 1, &newAttr);
206	if(status != noErr)
207	goto end;
208
209	// and finally - encrypt data
210	clearData.Length = hash->l;
211	clearData.Data = hash->v;
212	cipherData.Length = 0;
213	cipherData.Data = NULL;
214	status = CSSM_EncryptData(cssmContextHandle, &clearData, 1, &cipherData, 1, &bytesEncrypted,
215	&remData);
216	if (status != noErr)
217	goto end;
218
219	if (remData.Length != 0) { // something didn't go right - should be zero
220	status = -1;
221	plog(LLV_ERROR, LOCATION, NULL,
222	"unencrypted data remaining after encrypting hash.\n");
223	goto end;
224	}
225
226	// alloc buffer for result
227	sig = vmalloc(cipherData.Length);
228	if (sig == NULL)
229	goto end;
230
231	sig->v = cipherData.Data;
232
233	end:
234	if (certificateRef)
235	CFRelease(certificateRef);
236	if (keychainRef)
237	CFRelease(keychainRef);
238	if (identityRef)
239	CFRelease(identityRef);
240	if (privateKeyRef)
241	CFRelease(privateKeyRef);
242	if (idSearchRef)
243	CFRelease(idSearchRef);
244	if (cssmContextHandle)
245	CSSM_DeleteContext(cssmContextHandle);
246	if (status != noErr) {
247	if (sig) {
248	vfree(sig);
249	sig = NULL;
250	}
251	}
252
253	if (status != noErr && status != -1) {
254	plog(LLV_ERROR, LOCATION, NULL,
255	"error %d %s.\n", status, GetSecurityErrorString(status));
256	status = -1;
257	}
258	return sig;
259
260	}
261
262
263	/*
264	* Retrieve a cert from the keychain
265	*/
266	vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef)
267	{
268
269	OSStatus status;
270	CSSM_DATA cssmData;
271	vchar_t *cert = NULL;
272	SecIdentityRef identityRef = NULL;
273	SecIdentitySearchRef idSearchRef = NULL;
274	SecKeychainRef keychainRef = NULL;
275	SecCertificateRef certificateRef = NULL;
276
277
278	// get cert ref
279	if (persistentCertRef) {
280	status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef);
281	if (status != noErr)
282	goto end;
283	} else {
284	// copy system keychain
285	status = CopySystemKeychain(&keychainRef);
286	if (status != noErr)
287	goto end;
288
289	// find first identity in system keychain
290	status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef);
291	if (status != noErr)
292	goto end;
293
294	status = SecIdentitySearchCopyNext(idSearchRef, &identityRef);
295	if (status != noErr)
296	goto end;
297
298	// get certificate from identity
299	status = SecIdentityCopyCertificate(identityRef, &certificateRef);
300	if (status != noErr)
301	goto end;
302
303	}
304
305	// get certificate data
306	cssmData.Length = 0;
307	cssmData.Data = NULL;
308	status = SecCertificateGetData(certificateRef, &cssmData);
309	if (status != noErr)
310	goto end;
311
312	if (cssmData.Length == 0)
313	goto end;
314
315	cert = vmalloc(cssmData.Length);
316	if (cert == NULL)
317	goto end;
318
319	// cssmData struct just points to the data
320	// data must be copied to be returned
321	memcpy(cert->v, cssmData.Data, cssmData.Length);
322
323	end:
324	if (certificateRef)
325	CFRelease(certificateRef);
326	if (identityRef)
327	CFRelease(identityRef);
328	if (idSearchRef)
329	CFRelease(idSearchRef);
330	if (keychainRef)
331	CFRelease(keychainRef);
332
333	if (status != noErr && status != -1) {
334	plog(LLV_ERROR, LOCATION, NULL,
335	"error %d %s.\n", status, GetSecurityErrorString(status));
336	status = -1;
337	}
338	return cert;
339
340	}
341
342
343	/*
344	* Find a policy ref by OID
345	*/
346	static OSStatus FindPolicy(const CSSM_OID policyOID, SecPolicyRef policyRef)
347	{
348
349	OSStatus status;
350	SecPolicySearchRef searchRef = nil;
351
352	status = SecPolicySearchCreate(CSSM_CERT_X_509v3, policyOID, NULL, &searchRef);
353	if (status != noErr)
354	goto end;
355
356	status = SecPolicySearchCopyNext(searchRef, policyRef);
357
358	end:
359	if (searchRef)
360	CFRelease(searchRef);
361
362	if (status != noErr) {
363	plog(LLV_ERROR, LOCATION, NULL,
364	"error %d %s.\n", status, GetSecurityErrorString(status));
365	status = -1;
366	}
367	return status;
368	}
369
370
371	/*
372	* Evaluate the trust of a cert using the policy provided
373	*/
374	static OSStatus EvaluateCert(SecCertificateRef cert, CFTypeRef policyRef)
375	{
376	OSStatus status;
377	SecTrustRef trustRef = 0;
378	SecTrustResultType evalResult;
379
380	SecCertificateRef evalCertArray[1] = { cert };
381
382	CFArrayRef cfCertRef = CFArrayCreate((CFAllocatorRef) NULL, (void*)evalCertArray, 1,
383	&kCFTypeArrayCallBacks);
384
385	if (!cfCertRef) {
386	plog(LLV_ERROR, LOCATION, NULL,
387	"unable to create CFArray.\n");
388	return -1;
389	}
390
391	status = SecTrustCreateWithCertificates(cfCertRef, policyRef, &trustRef);
392	if (status != noErr)
393	goto end;
394
395	status = SecTrustEvaluate(trustRef, &evalResult);
396	if (status != noErr)
397	goto end;
398
399	if (evalResult != kSecTrustResultProceed && evalResult != kSecTrustResultUnspecified) {
400	plog(LLV_ERROR, LOCATION, NULL,
401	"error evaluating certificate.\n");
402	status = -1;
403	}
404
405
406	end:
407	if (cfCertRef)
408	CFRelease(cfCertRef);
409	if (trustRef)
410	CFRelease(trustRef);
411
412	if (status != noErr && status != -1) {
413	plog(LLV_ERROR, LOCATION, NULL,
414	"error %d %s.\n", status, GetSecurityErrorString(status));
415	status = -1;
416	}
417	return status;
418	}
419
420
421	/*
422	* Copy the system keychain
423	*/
424	static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef)
425	{
426
427	OSStatus status;
428
429	status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem);
430	if (status != noErr)
431	goto end;
432
433	status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, keychainRef);
434
435	end:
436
437	if (status != noErr) {
438	plog(LLV_ERROR, LOCATION, NULL,
439	"error %d %s.\n", status, GetSecurityErrorString(status));
440	status = -1;
441	}
442	return status;
443
444	}
445
446
447	/*
448	* Return string representation of Security-related OSStatus.
449	*/
450	const char *
451	GetSecurityErrorString(OSStatus err)
452	{
453	switch(err) {
454	case noErr:
455	return "noErr";
456	case memFullErr:
457	return "memFullErr";
458	case paramErr:
459	return "paramErr";
460	case unimpErr:
461	return "unimpErr";
462
463	/* SecBase.h: */
464	case errSecNotAvailable:
465	return "errSecNotAvailable";
466	case errSecReadOnly:
467	return "errSecReadOnly";
468	case errSecAuthFailed:
469	return "errSecAuthFailed";
470	case errSecNoSuchKeychain:
471	return "errSecNoSuchKeychain";
472	case errSecInvalidKeychain:
473	return "errSecInvalidKeychain";
474	case errSecDuplicateKeychain:
475	return "errSecDuplicateKeychain";
476	case errSecDuplicateCallback:
477	return "errSecDuplicateCallback";
478	case errSecInvalidCallback:
479	return "errSecInvalidCallback";
480	case errSecDuplicateItem:
481	return "errSecDuplicateItem";
482	case errSecItemNotFound:
483	return "errSecItemNotFound";
484	case errSecBufferTooSmall:
485	return "errSecBufferTooSmall";
486	case errSecDataTooLarge:
487	return "errSecDataTooLarge";
488	case errSecNoSuchAttr:
489	return "errSecNoSuchAttr";
490	case errSecInvalidItemRef:
491	return "errSecInvalidItemRef";
492	case errSecInvalidSearchRef:
493	return "errSecInvalidSearchRef";
494	case errSecNoSuchClass:
495	return "errSecNoSuchClass";
496	case errSecNoDefaultKeychain:
497	return "errSecNoDefaultKeychain";
498	case errSecInteractionNotAllowed:
499	return "errSecInteractionNotAllowed";
500	case errSecReadOnlyAttr:
501	return "errSecReadOnlyAttr";
502	case errSecWrongSecVersion:
503	return "errSecWrongSecVersion";
504	case errSecKeySizeNotAllowed:
505	return "errSecKeySizeNotAllowed";
506	case errSecNoStorageModule:
507	return "errSecNoStorageModule";
508	case errSecNoCertificateModule:
509	return "errSecNoCertificateModule";
510	case errSecNoPolicyModule:
511	return "errSecNoPolicyModule";
512	case errSecInteractionRequired:
513	return "errSecInteractionRequired";
514	case errSecDataNotAvailable:
515	return "errSecDataNotAvailable";
516	case errSecDataNotModifiable:
517	return "errSecDataNotModifiable";
518	case errSecCreateChainFailed:
519	return "errSecCreateChainFailed";
520	case errSecACLNotSimple:
521	return "errSecACLNotSimple";
522	case errSecPolicyNotFound:
523	return "errSecPolicyNotFound";
524	case errSecInvalidTrustSetting:
525	return "errSecInvalidTrustSetting";
526	case errSecNoAccessForItem:
527	return "errSecNoAccessForItem";
528	case errSecInvalidOwnerEdit:
529	return "errSecInvalidOwnerEdit";
530	default:
531	return "<unknown>";
532	}
533	}
534