[apple/security.git] / OSX / libsecurity_apple_csp / lib / pkcs12Derive.cpp

/*
 * Copyright (c) 2003,2011-2012,2014 Apple Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please 
 * obtain a copy of the License at http://www.apple.com/publicsource and 
 * read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 
 * Please see the License for the specific language governing rights and 
 * limitations under the License.
 */
/*
 * pkcs12Derive.cpp - PKCS12 PBE routine
 *
 */

#include <Security/cssmapple.h>
#include <openssl/bn_legacy.h>
#include "pbkdDigest.h"

#include "pkcs12Derive.h"
#include "AppleCSPUtils.h"
#include "AppleCSPContext.h"

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <security_utilities/simulatecrash_assert.h>
#include <security_asn1/SecNssCoder.h>

#include <CoreFoundation/CoreFoundation.h>

/* specify which flavor of bits to generate */
typedef enum {
	PBE_ID_Key 	= 1,
	PBE_ID_IV  	= 2,
	PBE_ID_MAC	= 3
} P12_PBE_ID;	
  
/*
 * Create a "string" (in the loose p12 notation) of specified length 
 * from the concatention of copies of the specified input string.
 */
static unsigned char *p12StrCat(
	const unsigned char *inStr,
	unsigned inStrLen,
	SecNssCoder &coder,
	unsigned outLen,
	unsigned char *outStr = NULL)	// if not present, we malloc
{
	if(outStr == NULL) {
		outStr = (unsigned char *)coder.malloc(outLen);
	}
	unsigned toMove = outLen;
	unsigned char *outp = outStr;
	while(toMove) {
		unsigned thisMove = inStrLen;
		if(thisMove > toMove) {
			thisMove = toMove;
		}
		memmove(outp, inStr, thisMove);
		toMove -= thisMove;
		outp   += thisMove;
	}
	return outStr;
}

/*
 * PBE generator per PKCS12 v.1 section B.2.
 */
static CSSM_RETURN p12PbeGen(
	const CSSM_DATA		&pwd,			// unicode, double null terminated
	const uint8 		*salt,
	unsigned 			saltLen,
	unsigned 			iterCount,
	P12_PBE_ID 			pbeId,
	CSSM_ALGORITHMS 	hashAlg,		// MS5 or SHA1 only
	SecNssCoder			&coder,			// for temp allocs
	/* result goes here, mallocd by caller */
	uint8 				*outbuf,	
	unsigned 			outbufLen)
{
	CSSM_RETURN ourRtn = CSSM_OK;
	unsigned unipassLen = (unsigned)pwd.Length;
	unsigned char *unipass = pwd.Data;
	int irtn;
	
	/*
	 * all variables of the form p12_<XXX> represent <XXX> from the 
	 * PKCS12 spec. E.g., p12_u is u, the length of the digest output.
	 * Only difference here is: all of our sizes are in BYTES, not
	 * bits. 
	 */
	unsigned p12_r = iterCount;
	unsigned p12_n = outbufLen;

	unsigned p12_u;					// hash output size
	unsigned p12_v;					// hash block size
	unsigned char *p12_P = NULL;	// catted passwords
	unsigned char *p12_S = NULL;	// catted salts
	
	switch(hashAlg) {
		case CSSM_ALGID_MD5:
			p12_u = kMD5DigestSize;
			p12_v = kMD5BlockSize;
			break;
		case CSSM_ALGID_SHA1:
			p12_u = kSHA1DigestSize;
			p12_v = kSHA1BlockSize;
			break;
		default:
			return CSSMERR_CSP_INVALID_ALGORITHM;
	}
	
	/* 
	 * 1. Construct a string, D (the diversifier), by 
	 *    concatenating v/8 copies of ID.
	 */
	unsigned char *p12_D = NULL;		// diversifier
	p12_D = (unsigned char *)coder.malloc(p12_v);
	for(unsigned dex=0; dex<p12_v; dex++) {
		p12_D[dex] = (unsigned char)pbeId;
	}
	
	/*
	 * 2. Concatenate copies of the salt together to create 
	 *    a string S of length v * ceil(s/v) bits (the final copy 
	 *    of the salt may be truncated to create S). Note that if 
	 *    the salt is the empty string, then so is S.
	 */
	unsigned p12_Slen = p12_v * ((saltLen + p12_v - 1) / p12_v);
	if(p12_Slen) {
		p12_S = p12StrCat(salt, saltLen, coder, p12_Slen);
	}
	
	 
	/* 
	 * 3. Concatenate copies of the password together to create 
	 *    a string P of length v * ceil(p/v) bits (the final copy of 
	 *    the password may be truncated to create P). Note that 
	 *    if the password is the empty string, then so is P.
	 */
	unsigned p12_Plen = p12_v * ((unipassLen + p12_v - 1) / p12_v);
	if(p12_Plen) {
		p12_P = p12StrCat(unipass, unipassLen, coder, p12_Plen);
	}
	
	/*
	 * 4. Set I= S||P to be the concatenation of S and P.
	 */
	unsigned char *p12_I = 
		(unsigned char *)coder.malloc(p12_Slen + p12_Plen);
	memmove(p12_I, p12_S, p12_Slen);
	if(p12_Plen) {
		memmove(p12_I + p12_Slen, p12_P, p12_Plen);
	}
	
	/*
	 * 5. Set c = ceil(n/u). 
	 */
	unsigned p12_c = (p12_n + p12_u - 1) / p12_u;
	
	/* allocate c hash-output-size bufs */
	unsigned char *p12_A = (unsigned char *)coder.malloc(p12_c * p12_u);

	/* one reusable hash object */
	DigestCtx ourDigest;
	DigestCtx *hashHand = &ourDigest;

	/* reused inside the loop */
	unsigned char *p12_B = (unsigned char *)coder.malloc(p12_v + 1);
	BIGNUM *Ij = BN_new();
	BIGNUM *Bpl1 = BN_new();
	
	/*
	 * 6. For i=1, 2, ..., p12_c, do the following:
	 */
	for(unsigned p12_i=0; p12_i<p12_c; p12_i++) {
		unsigned char *p12_AsubI = p12_A + (p12_i * p12_u);
		
		/* 
		 * a) Set A[i] = H**r(D||I). (i.e. the rth hash of D||I, 
		 *    H(H(H(...H(D||I))))
		 */
		irtn = DigestCtxInit(hashHand, hashAlg); 
		if(!irtn) {
			ourRtn = CSSMERR_CSP_INTERNAL_ERROR;
			break;
		}
		DigestCtxUpdate(hashHand, p12_D, p12_v); 
		DigestCtxUpdate(hashHand, p12_I, p12_Slen + p12_Plen);
		DigestCtxFinal(hashHand, p12_AsubI); 

		for(unsigned iter=1; iter<p12_r; iter++) {
			irtn = DigestCtxInit(hashHand, hashAlg);
			if(!irtn) {
				ourRtn = CSSMERR_CSP_INTERNAL_ERROR;
				break;
			}
			DigestCtxUpdate(hashHand, p12_AsubI, p12_u);
			DigestCtxFinal(hashHand, p12_AsubI);
		}
		
		/*
		 * b) Concatenate copies of A[i] to create a string B of 
		 *    length v bits (the final copy of A[i]i may be truncated 
		 *    to create B).
		 */
		p12StrCat(p12_AsubI, p12_u, coder, p12_v, p12_B);
		
		/*
		 * c) Treating I as a concatenation I[0], I[1], ..., 
		 *    I[k-1] of v-bit blocks, where k = ceil(s/v) + ceil(p/v),
		 *    modify I by setting I[j]=(I[j]+B+1) mod (2 ** v)
		 *    for each j.
		 *
		 * Copied from PKCS12_key_gen_uni() from openssl...
		 */
		/* Work out B + 1 first then can use B as tmp space */
		BN_bin2bn (p12_B, p12_v, Bpl1);
		BN_add_word (Bpl1, 1);
		unsigned Ilen = p12_Slen + p12_Plen;
		
		for (unsigned j = 0; j < Ilen; j+=p12_v) {
			BN_bin2bn (p12_I + j, p12_v, Ij);
			BN_add (Ij, Ij, Bpl1);
			BN_bn2bin (Ij, p12_B);
			unsigned Ijlen = BN_num_bytes (Ij);
			/* If more than 2^(v*8) - 1 cut off MSB */
			if (Ijlen > p12_v) {
				BN_bn2bin (Ij, p12_B);
				memcpy (p12_I + j, p12_B + 1, p12_v);
			/* If less than v bytes pad with zeroes */
			} else if (Ijlen < p12_v) {
				memset(p12_I + j, 0, p12_v - Ijlen);
				BN_bn2bin(Ij, p12_I + j + p12_v - Ijlen); 
			} else BN_bn2bin (Ij, p12_I + j);
		}
	}	
	 
	if(ourRtn == CSSM_OK) {	
		/*
		 * 7. Concatenate A[1], A[2], ..., A[c] together to form a 
		 *    pseudo-random bit string, A.
		 *
		 * 8. Use the first n bits of A as the output of this entire 
		 *    process.
		 */
		memmove(outbuf, p12_A, outbufLen);
	}
	
	/* clear all these strings */
	if(p12_D) {
		memset(p12_D, 0, p12_v);
	}
	if(p12_S) {
		memset(p12_S, 0, p12_Slen);
	}
	if(p12_P) {
		memset(p12_P, 0, p12_Plen);
	}
	if(p12_I) {
		memset(p12_I, 0, p12_Slen + p12_Plen);
	}
	if(p12_A) {
		memset(p12_A, 0, p12_c * p12_u);
	}
	if(p12_B) {
		memset(p12_B, 0, p12_v);
	}
	if(hashHand) {
		DigestCtxFree(hashHand);
	}
	BN_free(Bpl1);
	BN_free(Ij);
	return ourRtn;
}

/*
 * Public P12 derive key function, called out from 
 * AppleCSPSession::DeriveKey()
 *
 * On input:
 * ---------
 * Context parameters:
 *    	Salt
 *		Iteration Count
 *		CSSM_CRYPTO_DATA.Param - Unicode passphrase, double-NULL terminated
 *		Algorithm - CSSM_ALGID_PKCS12_PBE_{ENCR,MAC}
 * Passed explicitly from DeriveKey():
 *		CSSM_DATA Param - IN/OUT - optional IV - caller mallocs space to
 *			tell us to generate an IV. The param itself is not 
 *			optional; the presence or absence of allocated data in it
 *			is our IV indicator (present/absent as well as size)
 *		KeyData - mallocd by caller, we fill in keyData->Length bytes
 */
void DeriveKey_PKCS12 (
	const Context &context,
	AppleCSPSession	&session,
	const CssmData &Param,			// other's public key
	CSSM_DATA *keyData)				// mallocd by caller
									// we fill in keyData->Length bytes
{
	SecNssCoder tmpCoder;
	
	/*
	 * According to the spec, both passphrase and salt are optional.
	 * Get them from context if they're present. In practical terms
	 * the user really should supply a passphrase either in the 
	 * seed attribute (as a Unicode passphrase) or as the BaseKey
	 * as a CSSM_ALGID_SECURE_PASSPHRASE key). 
	 */
	CSSM_DATA pwd = {0, NULL};
	CSSM_DATA appPwd = {0, NULL};
	CssmCryptoData *cryptData = 
		context.get<CssmCryptoData>(CSSM_ATTRIBUTE_SEED);
	if((cryptData != NULL) && (cryptData->Param.Length != 0)) {
		appPwd = cryptData->Param;
	}
	else {
		/* Get pwd from base key */
		CssmKey *passKey = context.get<CssmKey>(CSSM_ATTRIBUTE_KEY);
		if (passKey != NULL) {
			AppleCSPContext::symmetricKeyBits(context, session,
				CSSM_ALGID_SECURE_PASSPHRASE, CSSM_KEYUSE_DERIVE, 
				appPwd.Data, appPwd.Length);
		}
	}
	if(appPwd.Data) {
		/*
		 * The incoming passphrase is a UTF8 encoded enternal representation
		 * of a CFString. Convert to CFString and obtain the unicode characters
		 * from the string.
		 */
		CFDataRef cfData = CFDataCreate(NULL, appPwd.Data, appPwd.Length);
		CFStringRef cfStr = CFStringCreateFromExternalRepresentation(NULL,
			cfData, kCFStringEncodingUTF8);
        if (cfData)
            CFRelease(cfData);
		if(cfStr == NULL) {
			CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_SEED);
		}
		
		/* convert unicode to chars with an extra double-NULL */
		CFIndex len = CFStringGetLength(cfStr);
		tmpCoder.allocItem(pwd, sizeof(UniChar) * (len + 1));
		unsigned char *cp = pwd.Data;
		UniChar uc = 0;
		for(CFIndex dex=0; dex<len; dex++) {
			uc = CFStringGetCharacterAtIndex(cfStr, dex);
			*cp++ = uc >> 8;
			*cp++ = uc & 0xff;
		}
		/* CFString tends to include a NULL at the end; add it if it's not there */
		if(uc == 0) {
			if(pwd.Length < 2) {
				CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_SEED);
			}
			pwd.Length -= 2;
		}
		else {
			*cp++ = 0;
			*cp++ = 0;
		}
        if (cfStr)
            CFRelease(cfStr);
	}

	/* salt from context */
	uint32 saltLen = 0;
	uint8  *salt = NULL;
	CssmData *csalt = context.get<CssmData>(CSSM_ATTRIBUTE_SALT);
	if(csalt) {
		salt = csalt->Data;
		saltLen = (uint32)csalt->Length;
	}
	
	/* 
	 * Iteration count, from context, required.
	 * The spec's ASN1 definition says this is optional with a default
	 * of one but that's a BER encode/decode issue. Here we require
	 * a nonzero value.
	 */
	uint32 iterCount = context.getInt(CSSM_ATTRIBUTE_ITERATION_COUNT,
		CSSMERR_CSP_MISSING_ATTR_ITERATION_COUNT);
	if(iterCount == 0) {
		CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_ITERATION_COUNT);
	}

	/* 
	 * Algorithm determines which of {PBE_ID_Key,PBE_ID_MAC} we now
	 * generate. We'll also do an optional PBE_ID_IV later.
	 */
	P12_PBE_ID pbeId = PBE_ID_Key;
	switch(context.algorithm()) {
		case CSSM_ALGID_PKCS12_PBE_ENCR:
			pbeId = PBE_ID_Key;
			break;
		case CSSM_ALGID_PKCS12_PBE_MAC:
			pbeId = PBE_ID_MAC;
			break;
		default:
			/* really should not be here */
			assert(0);
			CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
	}
	
	/* Go */
	CSSM_RETURN crtn = p12PbeGen(pwd,
		salt, saltLen,
		iterCount,
		pbeId,
		CSSM_ALGID_SHA1,			// all we support for now
		tmpCoder,
		keyData->Data,
		(unsigned)keyData->Length);
	if(crtn) {
		CssmError::throwMe(crtn);
	}
	
	/* 
	 * Optional IV - makes no sense if we just did PBE_ID_MAC, but why
	 * bother restricting?
	 */
	if(Param.Data) {
		crtn = p12PbeGen(pwd,
			salt, saltLen,
			iterCount,
			PBE_ID_IV,
			CSSM_ALGID_SHA1,			// all we support for now
			tmpCoder,
			Param.Data,
			(unsigned)Param.Length);
		if(crtn) {
			CssmError::throwMe(crtn);
		}
	}
}
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2003,2011-2012,2014 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* The contents of this file constitute Original Code as defined in and are
	5	* subject to the Apple Public Source License Version 1.2 (the 'License').
	6	* You may not use this file except in compliance with the License. Please
	7	* obtain a copy of the License at http://www.apple.com/publicsource and
	8	* read it before using this file.
	9	*
	10	* This Original Code and all software distributed under the License are
	11	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	12	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	13	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	14	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	15	* Please see the License for the specific language governing rights and
	16	* limitations under the License.
	17	*/
	18	/*
	19	* pkcs12Derive.cpp - PKCS12 PBE routine
	20	*
b1ab9ed8 A	21	*/
	22
	23	#include <Security/cssmapple.h>
6b200bc3 A	24	#include <openssl/bn_legacy.h>
6b200bc3 A	25	#include "pbkdDigest.h"
b1ab9ed8 A	26
	27	#include "pkcs12Derive.h"
	28	#include "AppleCSPUtils.h"
	29	#include "AppleCSPContext.h"
	30
	31	#include <string.h>
	32	#include <stdlib.h>
	33	#include <stdio.h>
d64be36e	34	#include <security_utilities/simulatecrash_assert.h>
b1ab9ed8 A	35	#include <security_asn1/SecNssCoder.h>
	36
	37	#include <CoreFoundation/CoreFoundation.h>
	38
	39	/* specify which flavor of bits to generate */
	40	typedef enum {
	41	PBE_ID_Key = 1,
	42	PBE_ID_IV = 2,
	43	PBE_ID_MAC = 3
	44	} P12_PBE_ID;
	45
	46	/*
	47	* Create a "string" (in the loose p12 notation) of specified length
	48	* from the concatention of copies of the specified input string.
	49	*/
	50	static unsigned char *p12StrCat(
	51	const unsigned char *inStr,
	52	unsigned inStrLen,
	53	SecNssCoder &coder,
	54	unsigned outLen,
	55	unsigned char *outStr = NULL) // if not present, we malloc
	56	{
	57	if(outStr == NULL) {
	58	outStr = (unsigned char *)coder.malloc(outLen);
	59	}
	60	unsigned toMove = outLen;
	61	unsigned char *outp = outStr;
	62	while(toMove) {
	63	unsigned thisMove = inStrLen;
	64	if(thisMove > toMove) {
	65	thisMove = toMove;
	66	}
	67	memmove(outp, inStr, thisMove);
	68	toMove -= thisMove;
	69	outp += thisMove;
	70	}
	71	return outStr;
	72	}
	73
	74	/*
	75	* PBE generator per PKCS12 v.1 section B.2.
	76	*/
	77	static CSSM_RETURN p12PbeGen(
	78	const CSSM_DATA &pwd, // unicode, double null terminated
	79	const uint8 *salt,
	80	unsigned saltLen,
	81	unsigned iterCount,
	82	P12_PBE_ID pbeId,
	83	CSSM_ALGORITHMS hashAlg, // MS5 or SHA1 only
	84	SecNssCoder &coder, // for temp allocs
	85	/* result goes here, mallocd by caller */
	86	uint8 *outbuf,
	87	unsigned outbufLen)
	88	{
	89	CSSM_RETURN ourRtn = CSSM_OK;
427c49bc	90	unsigned unipassLen = (unsigned)pwd.Length;
b1ab9ed8 A	91	unsigned char *unipass = pwd.Data;
	92	int irtn;
	93
	94	/*
	95	* all variables of the form p12_<XXX> represent <XXX> from the
	96	* PKCS12 spec. E.g., p12_u is u, the length of the digest output.
	97	* Only difference here is: all of our sizes are in BYTES, not
	98	* bits.
	99	*/
	100	unsigned p12_r = iterCount;
	101	unsigned p12_n = outbufLen;
	102
	103	unsigned p12_u; // hash output size
	104	unsigned p12_v; // hash block size
	105	unsigned char *p12_P = NULL; // catted passwords
	106	unsigned char *p12_S = NULL; // catted salts
	107
	108	switch(hashAlg) {
	109	case CSSM_ALGID_MD5:
	110	p12_u = kMD5DigestSize;
	111	p12_v = kMD5BlockSize;
	112	break;
	113	case CSSM_ALGID_SHA1:
	114	p12_u = kSHA1DigestSize;
	115	p12_v = kSHA1BlockSize;
	116	break;
	117	default:
	118	return CSSMERR_CSP_INVALID_ALGORITHM;
	119	}
	120
	121	/*
	122	* 1. Construct a string, D (the diversifier), by
	123	* concatenating v/8 copies of ID.
	124	*/
	125	unsigned char *p12_D = NULL; // diversifier
	126	p12_D = (unsigned char *)coder.malloc(p12_v);
	127	for(unsigned dex=0; dex<p12_v; dex++) {
	128	p12_D[dex] = (unsigned char)pbeId;
	129	}
	130
	131	/*
	132	* 2. Concatenate copies of the salt together to create
	133	* a string S of length v * ceil(s/v) bits (the final copy
	134	* of the salt may be truncated to create S). Note that if
	135	* the salt is the empty string, then so is S.
	136	*/
	137	unsigned p12_Slen = p12_v * ((saltLen + p12_v - 1) / p12_v);
	138	if(p12_Slen) {
	139	p12_S = p12StrCat(salt, saltLen, coder, p12_Slen);
	140	}
	141
	142
	143	/*
	144	* 3. Concatenate copies of the password together to create
	145	* a string P of length v * ceil(p/v) bits (the final copy of
	146	* the password may be truncated to create P). Note that
	147	* if the password is the empty string, then so is P.
	148	*/
	149	unsigned p12_Plen = p12_v * ((unipassLen + p12_v - 1) / p12_v);
	150	if(p12_Plen) {
	151	p12_P = p12StrCat(unipass, unipassLen, coder, p12_Plen);
	152	}
	153
	154	/*
155	* 4. Set I= S\|\|P to be the concatenation of S and P.
156	*/
157	unsigned char *p12_I =
158	(unsigned char *)coder.malloc(p12_Slen + p12_Plen);
159	memmove(p12_I, p12_S, p12_Slen);
160	if(p12_Plen) {
161	memmove(p12_I + p12_Slen, p12_P, p12_Plen);
162	}
163
164	/*
165	* 5. Set c = ceil(n/u).
166	*/
167	unsigned p12_c = (p12_n + p12_u - 1) / p12_u;
168
169	/* allocate c hash-output-size bufs */
170	unsigned char p12_A = (unsigned char )coder.malloc(p12_c * p12_u);
171
172	/* one reusable hash object */
173	DigestCtx ourDigest;
174	DigestCtx *hashHand = &ourDigest;
427c49bc	175
b1ab9ed8 A	176	/* reused inside the loop */
	177	unsigned char p12_B = (unsigned char )coder.malloc(p12_v + 1);
	178	BIGNUM *Ij = BN_new();
	179	BIGNUM *Bpl1 = BN_new();
	180
	181	/*
	182	* 6. For i=1, 2, ..., p12_c, do the following:
	183	*/
	184	for(unsigned p12_i=0; p12_i<p12_c; p12_i++) {
	185	unsigned char p12_AsubI = p12_A + (p12_i p12_u);
	186
	187	/*
	188	* a) Set A[i] = H**r(D\|\|I). (i.e. the rth hash of D\|\|I,
	189	* H(H(H(...H(D\|\|I))))
	190	*/
	191	irtn = DigestCtxInit(hashHand, hashAlg);
	192	if(!irtn) {
	193	ourRtn = CSSMERR_CSP_INTERNAL_ERROR;
	194	break;
	195	}
	196	DigestCtxUpdate(hashHand, p12_D, p12_v);
	197	DigestCtxUpdate(hashHand, p12_I, p12_Slen + p12_Plen);
	198	DigestCtxFinal(hashHand, p12_AsubI);
	199
	200	for(unsigned iter=1; iter<p12_r; iter++) {
	201	irtn = DigestCtxInit(hashHand, hashAlg);
	202	if(!irtn) {
	203	ourRtn = CSSMERR_CSP_INTERNAL_ERROR;
	204	break;
	205	}
	206	DigestCtxUpdate(hashHand, p12_AsubI, p12_u);
	207	DigestCtxFinal(hashHand, p12_AsubI);
	208	}
	209
	210	/*
	211	* b) Concatenate copies of A[i] to create a string B of
	212	* length v bits (the final copy of A[i]i may be truncated
	213	* to create B).
	214	*/
	215	p12StrCat(p12_AsubI, p12_u, coder, p12_v, p12_B);
	216
	217	/*
	218	* c) Treating I as a concatenation I[0], I[1], ...,
	219	* I[k-1] of v-bit blocks, where k = ceil(s/v) + ceil(p/v),
	220	* modify I by setting I[j]=(I[j]+B+1) mod (2 ** v)
	221	* for each j.
	222	*
	223	* Copied from PKCS12_key_gen_uni() from openssl...
	224	*/
	225	/* Work out B + 1 first then can use B as tmp space */
	226	BN_bin2bn (p12_B, p12_v, Bpl1);
	227	BN_add_word (Bpl1, 1);
	228	unsigned Ilen = p12_Slen + p12_Plen;
	229
	230	for (unsigned j = 0; j < Ilen; j+=p12_v) {
	231	BN_bin2bn (p12_I + j, p12_v, Ij);
	232	BN_add (Ij, Ij, Bpl1);
	233	BN_bn2bin (Ij, p12_B);
	234	unsigned Ijlen = BN_num_bytes (Ij);
	235	/* If more than 2^(v8) - 1 cut off MSB /
	236	if (Ijlen > p12_v) {
	237	BN_bn2bin (Ij, p12_B);
	238	memcpy (p12_I + j, p12_B + 1, p12_v);
	239	/* If less than v bytes pad with zeroes */
240	} else if (Ijlen < p12_v) {
241	memset(p12_I + j, 0, p12_v - Ijlen);
242	BN_bn2bin(Ij, p12_I + j + p12_v - Ijlen);
243	} else BN_bn2bin (Ij, p12_I + j);
244	}
245	}
246
247	if(ourRtn == CSSM_OK) {
248	/*
249	* 7. Concatenate A[1], A[2], ..., A[c] together to form a
250	* pseudo-random bit string, A.
251	*
252	* 8. Use the first n bits of A as the output of this entire
253	* process.
254	*/
255	memmove(outbuf, p12_A, outbufLen);
256	}
257
258	/* clear all these strings */
259	if(p12_D) {
260	memset(p12_D, 0, p12_v);
261	}
262	if(p12_S) {
263	memset(p12_S, 0, p12_Slen);
264	}
265	if(p12_P) {
266	memset(p12_P, 0, p12_Plen);
267	}
268	if(p12_I) {
269	memset(p12_I, 0, p12_Slen + p12_Plen);
270	}
271	if(p12_A) {
272	memset(p12_A, 0, p12_c * p12_u);
273	}
274	if(p12_B) {
275	memset(p12_B, 0, p12_v);
276	}
277	if(hashHand) {
278	DigestCtxFree(hashHand);
279	}
280	BN_free(Bpl1);
281	BN_free(Ij);
282	return ourRtn;
283	}
284
285	/*
286	* Public P12 derive key function, called out from
287	* AppleCSPSession::DeriveKey()
288	*
289	* On input:
290	* ---------
291	* Context parameters:
292	* Salt
293	* Iteration Count
294	* CSSM_CRYPTO_DATA.Param - Unicode passphrase, double-NULL terminated
295	* Algorithm - CSSM_ALGID_PKCS12_PBE_{ENCR,MAC}
296	* Passed explicitly from DeriveKey():
297	* CSSM_DATA Param - IN/OUT - optional IV - caller mallocs space to
298	* tell us to generate an IV. The param itself is not
299	* optional; the presence or absence of allocated data in it
300	* is our IV indicator (present/absent as well as size)
301	* KeyData - mallocd by caller, we fill in keyData->Length bytes
302	*/
303	void DeriveKey_PKCS12 (
304	const Context &context,
305	AppleCSPSession &session,
306	const CssmData &Param, // other's public key
307	CSSM_DATA *keyData) // mallocd by caller
308	// we fill in keyData->Length bytes
309	{
310	SecNssCoder tmpCoder;
311
312	/*
313	* According to the spec, both passphrase and salt are optional.
314	* Get them from context if they're present. In practical terms
315	* the user really should supply a passphrase either in the
316	* seed attribute (as a Unicode passphrase) or as the BaseKey
317	* as a CSSM_ALGID_SECURE_PASSPHRASE key).
318	*/
319	CSSM_DATA pwd = {0, NULL};
320	CSSM_DATA appPwd = {0, NULL};
321	CssmCryptoData *cryptData =
322	context.get<CssmCryptoData>(CSSM_ATTRIBUTE_SEED);
323	if((cryptData != NULL) && (cryptData->Param.Length != 0)) {
324	appPwd = cryptData->Param;
325	}
326	else {
327	/* Get pwd from base key */
328	CssmKey *passKey = context.get<CssmKey>(CSSM_ATTRIBUTE_KEY);
329	if (passKey != NULL) {
330	AppleCSPContext::symmetricKeyBits(context, session,
331	CSSM_ALGID_SECURE_PASSPHRASE, CSSM_KEYUSE_DERIVE,
332	appPwd.Data, appPwd.Length);
333	}
334	}
335	if(appPwd.Data) {
336	/*
337	* The incoming passphrase is a UTF8 encoded enternal representation
338	* of a CFString. Convert to CFString and obtain the unicode characters
339	* from the string.
340	*/
341	CFDataRef cfData = CFDataCreate(NULL, appPwd.Data, appPwd.Length);
342	CFStringRef cfStr = CFStringCreateFromExternalRepresentation(NULL,
343	cfData, kCFStringEncodingUTF8);
344	if (cfData)
345	CFRelease(cfData);
346	if(cfStr == NULL) {
347	CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_SEED);
348	}
349
350	/* convert unicode to chars with an extra double-NULL */
427c49bc	351	CFIndex len = CFStringGetLength(cfStr);
b1ab9ed8 A	352	tmpCoder.allocItem(pwd, sizeof(UniChar) * (len + 1));
	353	unsigned char *cp = pwd.Data;
	354	UniChar uc = 0;
427c49bc	355	for(CFIndex dex=0; dex<len; dex++) {
b1ab9ed8 A	356	uc = CFStringGetCharacterAtIndex(cfStr, dex);
	357	*cp++ = uc >> 8;
	358	*cp++ = uc & 0xff;
	359	}
	360	/* CFString tends to include a NULL at the end; add it if it's not there */
	361	if(uc == 0) {
	362	if(pwd.Length < 2) {
	363	CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_SEED);
	364	}
	365	pwd.Length -= 2;
	366	}
	367	else {
	368	*cp++ = 0;
	369	*cp++ = 0;
	370	}
	371	if (cfStr)
	372	CFRelease(cfStr);
	373	}
	374
	375	/* salt from context */
	376	uint32 saltLen = 0;
	377	uint8 *salt = NULL;
	378	CssmData *csalt = context.get<CssmData>(CSSM_ATTRIBUTE_SALT);
	379	if(csalt) {
	380	salt = csalt->Data;
427c49bc	381	saltLen = (uint32)csalt->Length;
b1ab9ed8 A	382	}
	383
	384	/*
	385	* Iteration count, from context, required.
	386	* The spec's ASN1 definition says this is optional with a default
	387	* of one but that's a BER encode/decode issue. Here we require
	388	* a nonzero value.
	389	*/
	390	uint32 iterCount = context.getInt(CSSM_ATTRIBUTE_ITERATION_COUNT,
	391	CSSMERR_CSP_MISSING_ATTR_ITERATION_COUNT);
	392	if(iterCount == 0) {
	393	CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_ITERATION_COUNT);
	394	}
	395
	396	/*
	397	* Algorithm determines which of {PBE_ID_Key,PBE_ID_MAC} we now
	398	* generate. We'll also do an optional PBE_ID_IV later.
	399	*/
	400	P12_PBE_ID pbeId = PBE_ID_Key;
	401	switch(context.algorithm()) {
	402	case CSSM_ALGID_PKCS12_PBE_ENCR:
	403	pbeId = PBE_ID_Key;
	404	break;
	405	case CSSM_ALGID_PKCS12_PBE_MAC:
	406	pbeId = PBE_ID_MAC;
	407	break;
	408	default:
	409	/* really should not be here */
	410	assert(0);
	411	CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
	412	}
	413
	414	/* Go */
	415	CSSM_RETURN crtn = p12PbeGen(pwd,
	416	salt, saltLen,
	417	iterCount,
	418	pbeId,
	419	CSSM_ALGID_SHA1, // all we support for now
	420	tmpCoder,
	421	keyData->Data,
427c49bc	422	(unsigned)keyData->Length);
b1ab9ed8 A	423	if(crtn) {
	424	CssmError::throwMe(crtn);
	425	}
	426
	427	/*
	428	* Optional IV - makes no sense if we just did PBE_ID_MAC, but why
	429	* bother restricting?
	430	*/
	431	if(Param.Data) {
	432	crtn = p12PbeGen(pwd,
	433	salt, saltLen,
	434	iterCount,
	435	PBE_ID_IV,
	436	CSSM_ALGID_SHA1, // all we support for now
	437	tmpCoder,
	438	Param.Data,
427c49bc	439	(unsigned)Param.Length);
b1ab9ed8 A	440	if(crtn) {
	441	CssmError::throwMe(crtn);
	442	}
	443	}
	444	}
	445