]> git.saurik.com Git - apple/security.git/blame - OSX/libsecurity_keychain/lib/TokenLogin.cpp
projects / apple / security.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Security-59754.80.3.tar.gz
[apple/security.git] / OSX / libsecurity_keychain / lib / TokenLogin.cpp
CommitLineData
fa7225c8
A		 1/*
2 * Copyright (c) 2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24#include "TokenLogin.h"
25
26#include <Security/SecItem.h>
27#include <Security/SecItemPriv.h>
28#include <Security/SecKeyPriv.h>
29#include "SecBase64P.h"
30#include <Security/SecIdentity.h>
31#include <Security/SecCertificatePriv.h>
32#include <Security/SecKeychainPriv.h>
33#include <security_utilities/cfutilities.h>
34#include <libaks.h>
35#include <libaks_smartcard.h>
36
37extern "C" {
b54c578e 38#include <ctkclient/ctkclient.h>
fa7225c8
A		 39#include <coreauthd_spi.h>
40}
41
79b9da22
A		 42static os_log_t TOKEN_LOG_DEFAULT() {
43 static dispatch_once_t once;
44 static os_log_t log;
45 dispatch_once(&once, ^{ log = os_log_create("com.apple.security", "tokenlogin"); });
46 return log;
47};
48#define TL_LOG TOKEN_LOG_DEFAULT()
49
fa7225c8
A		 50#define kSecTokenLoginDomain CFSTR("com.apple.security.tokenlogin")
51
866f8763 52static CFStringRef CF_RETURNS_RETAINED cfDataToHex(CFDataRef bin)
fa7225c8
A		 53{
54 size_t len = CFDataGetLength(bin) * 2;
55 CFMutableStringRef str = CFStringCreateMutable(NULL, len);
56
57 static const char* digits[] = {"0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "A", "B", "C", "D", "E", "F"};
58
59 const uint8_t* data = CFDataGetBytePtr(bin);
60 for (size_t i = 0; i < CFDataGetLength(bin); i++) {
61 CFStringAppendCString(str, digits[data[i] >> 4], 1);
62 CFStringAppendCString(str, digits[data[i] & 0xf], 1);
63 }
64 return str;
65}
66
67static CFStringRef getPin(CFDictionaryRef context)
68{
69 if (!context) {
70 return NULL;
71 }
72
73 CFStringRef pin = (CFStringRef)CFDictionaryGetValue(context, kSecAttrService);
74 if (!pin || CFGetTypeID(pin) != CFStringGetTypeID()) {
75 return NULL;
76 }
77 return pin;
78}
79
80static CFStringRef getTokenId(CFDictionaryRef context)
81{
82 if (!context) {
83 return NULL;
84 }
85
86 CFStringRef tokenId = (CFStringRef)CFDictionaryGetValue(context, kSecAttrTokenID);
87 if (!tokenId || CFGetTypeID(tokenId) != CFStringGetTypeID()) {
79b9da22 88 os_log_debug(TL_LOG, "Invalid tokenId");
fa7225c8
A		 89 return NULL;
90 }
91 return tokenId;
92}
93
94static CFDataRef getPubKeyHash(CFDictionaryRef context)
95{
96 if (!context) {
97 return NULL;
98 }
99
100 CFDataRef pubKeyHash = (CFDataRef)CFDictionaryGetValue(context, kSecAttrPublicKeyHash);
101 if (!pubKeyHash || CFGetTypeID(pubKeyHash) != CFDataGetTypeID()) {
79b9da22 102 os_log_debug(TL_LOG, "Invalid pubkeyhash");
fa7225c8
A		 103 return NULL;
104 }
105 return pubKeyHash;
106}
107
108static CFDataRef getPubKeyHashWrap(CFDictionaryRef context)
109{
110 if (!context) {
111 return NULL;
112 }
113
114 CFDataRef pubKeyHashWrap = (CFDataRef)CFDictionaryGetValue(context, kSecAttrAccount);
115 if (!pubKeyHashWrap || CFGetTypeID(pubKeyHashWrap) != CFDataGetTypeID()) {
79b9da22 116 os_log_debug(TL_LOG, "Invalid pubkeyhashwrap");
fa7225c8
A		 117 return NULL;
118 }
119 return pubKeyHashWrap;
120}
121
7fb2cbd2 122static OSStatus privKeyForPubKeyHashWrap(CFDictionaryRef context, SecKeyRef *privKey, CFTypeRef *laCtx)
fa7225c8 123{
79b9da22
A		 124 if (!context) {
125 os_log_error(TL_LOG, "private key for pubkeyhash wrong params");
126 return errSecParam;
127 }
fa7225c8
A		 128
129 CFRef<CFMutableDictionaryRef> tokenAttributes = makeCFMutableDictionary(1, kSecAttrTokenID, getTokenId(context));
130 CFRef<CFErrorRef> error;
131
132 CFStringRef pin = getPin(context);
133 if (pin) {
ecaf5866 134 CFRef<CFTypeRef> LAContext = LACreateNewContextWithACMContext(NULL, error.take());
fa7225c8 135 if (!LAContext) {
7fb2cbd2 136 os_log_error(TL_LOG, "Failed to LA Context: %{public}@", error.get());
fa7225c8
A		 137 return errSecParam;
138 }
139 if (laCtx)
140 *laCtx = (CFTypeRef)CFRetain(LAContext);
141 CFRef<CFDataRef> externalizedContext = LACopyACMContext(LAContext, error.take());
142 if (!externalizedContext) {
7fb2cbd2 143 os_log_error(TL_LOG, "Failed to get externalized context: %{public}@", error.get());
fa7225c8
A		 144 return errSecParam;
145 }
146 CFDictionarySetValue(tokenAttributes, kSecUseCredentialReference, externalizedContext.get());
147 CFDictionarySetValue(tokenAttributes, CFSTR("PIN"), pin);
148 }
149
150 CFRef<TKTokenRef> token = TKTokenCreate(tokenAttributes, error.take());
151 if (!token) {
7fb2cbd2 152 os_log_error(TL_LOG, "Failed to create token: %{public}@", error.get());
fa7225c8
A		 153 return errSecParam;
154 }
155
156 CFRef<CFArrayRef> identities = TKTokenCopyIdentities(token, TKTokenKeyUsageAny, error.take());
157 if (!identities || !CFArrayGetCount(identities)) {
7fb2cbd2 158 os_log_error(TL_LOG, "No identities found for token: %{public}@", error.get());
fa7225c8
A		 159 return errSecParam;
160 }
161
07691282
A		 162 CFDataRef desiredHash = getPubKeyHashWrap(context);
163 if (!desiredHash) {
164 os_log_error(TL_LOG, "No wrap key in context");
165 return errSecParam;
166 }
167
fa7225c8
A		 168 CFIndex idx, count = CFArrayGetCount(identities);
169 for (idx = 0; idx < count; ++idx) {
170 SecIdentityRef identity = (SecIdentityRef)CFArrayGetValueAtIndex(identities, idx);
171 CFRef<SecCertificateRef> certificate;
172 OSStatus result = SecIdentityCopyCertificate(identity, certificate.take());
173 if (result != errSecSuccess) {
79b9da22 174 os_log_error(TL_LOG, "Failed to get certificate for identity: %d", (int) result);
fa7225c8
A		 175 continue;
176 }
177
178 CFRef<CFDataRef> identityHash = SecCertificateCopyPublicKeySHA1Digest(certificate);
179 if (identityHash && CFEqual(desiredHash, identityHash)) {
180 result = SecIdentityCopyPrivateKey(identity, privKey);
181 if (result != errSecSuccess) {
79b9da22 182 os_log_error(TL_LOG, "Failed to get identity private key: %d", (int) result);
fa7225c8
A		 183 }
184 return result;
185 }
186 }
187
188 return errSecParam;
189}
190
191OSStatus TokenLoginGetContext(const void *base64TokenLoginData, UInt32 base64TokenLoginDataLength, CFDictionaryRef *context)
192{
79b9da22
A		 193 if (!base64TokenLoginData || !context) {
194 os_log_error(TL_LOG, "Get login context - wrong params");
195 return errSecParam;
196 }
fa7225c8
A		 197
198 // Token data are base64 encoded in password.
199 size_t dataLen = SecBase64Decode((const char *)base64TokenLoginData, base64TokenLoginDataLength, NULL, 0);
200 if (!dataLen) {
79b9da22 201 os_log_debug(TL_LOG, "Invalid base64 encoded token data");
fa7225c8
A		 202 return errSecParam;
203 }
204
205 CFRef<CFMutableDataRef> data = CFDataCreateMutable(kCFAllocatorDefault, dataLen);
206 dataLen = SecBase64Decode((const char *)base64TokenLoginData, base64TokenLoginDataLength, CFDataGetMutableBytePtr(data), dataLen);
207 if (!dataLen) {
79b9da22 208 os_log_error(TL_LOG, "Invalid base64 encoded token data");
fa7225c8
A		 209 return errSecParam;
210 }
211 CFDataSetLength(data, dataLen);
212
213 // Content of the password consists of a serialized dictionary containing token ID, PIN, wrap key hash etc.
214 CFRef<CFErrorRef> error;
215 *context = (CFDictionaryRef)CFPropertyListCreateWithData(kCFAllocatorDefault,
216 data,
217 kCFPropertyListImmutable,
218 NULL,
219 error.take());
220 if (!*context || CFGetTypeID(*context) != CFDictionaryGetTypeID()) {
7fb2cbd2 221 os_log_error(TL_LOG, "Invalid token login data property list, %{public}@", error.get());
fa7225c8
A		 222 return errSecParam;
223 }
224
225 if (!getPin(*context) || !getTokenId(*context) || !getPubKeyHash(*context) || !getPubKeyHashWrap(*context)) {
7fb2cbd2 226 os_log_error(TL_LOG, "Invalid token login data context, %{public}@", error.get());
fa7225c8
A		 227 return errSecParam;
228 }
229
230 return errSecSuccess;
231}
232
233OSStatus TokenLoginGetUnlockKey(CFDictionaryRef context, CFDataRef *unlockKey)
234{
79b9da22
A		 235 if (!context || !unlockKey) {
236 os_log_error(TL_LOG, "Get unlock key - wrong params");
237 return errSecParam;
238 }
7fb2cbd2
A		 239
240 CFRef<CFDictionaryRef> loginData;
fa7225c8
A		 241 OSStatus result = TokenLoginGetLoginData(context, loginData.take());
242 if (result != errSecSuccess) {
79b9da22 243 os_log_error(TL_LOG, "Failed to get login data: %d", (int)result);
fa7225c8
A		 244 return result;
245 }
246
247 CFDataRef wrappedUnlockKey = (CFDataRef)CFDictionaryGetValue(loginData, kSecValueData);
248 if (!wrappedUnlockKey) {
79b9da22 249 os_log_error(TL_LOG, "Wrapped unlock key not found in unlock key data");
fa7225c8
A		 250 return errSecParam;
251 }
252 SecKeyAlgorithm algorithm = (SecKeyAlgorithm)CFDictionaryGetValue(loginData, kSecAttrService);
253 if (!algorithm) {
79b9da22 254 os_log_error(TL_LOG, "Algorithm not found in unlock key data");
fa7225c8
A		 255 return errSecParam;
256 }
7fb2cbd2
A		 257 CFDataRef pubKeyHashWrapFromPlist = (CFDataRef)CFDictionaryGetValue(loginData, kSecAttrPublicKeyHash);
258 if (pubKeyHashWrapFromPlist == NULL) {
259 os_log_error(TL_LOG, "Failed to get wrapkey for unlock key data");
260 return errSecInternal;
261 }
fa7225c8 262
7fb2cbd2
A		 263 CFRef<CFDictionaryRef> ctx = makeCFDictionary(3,
264 kSecAttrTokenID, getTokenId(context),
265 kSecAttrService, getPin(context),
266 kSecAttrAccount, pubKeyHashWrapFromPlist
267 );
268
fa7225c8
A		 269 CFRef<SecKeyRef> privKey;
270 CFRef<CFTypeRef> LAContext;
7fb2cbd2 271 result = privKeyForPubKeyHashWrap(ctx, privKey.take(), LAContext.take());
fa7225c8 272 if (result != errSecSuccess) {
7fb2cbd2 273 os_log_error(TL_LOG, "Failed to get private key for public key hash %{public}@: %d", pubKeyHashWrapFromPlist, (int)result);
fa7225c8
A		 274 return result;
275 }
276
277 CFRef<SecKeyRef> pubKey = SecKeyCopyPublicKey(privKey);
278 if (!pubKey) {
79b9da22 279 os_log_error(TL_LOG, "Failed to get public key from private key");
fa7225c8
A		 280 return errSecParam;
281 }
282 CFRef<CFErrorRef> error;
283 *unlockKey = SecKeyCreateDecryptedData(privKey,
284 algorithm,
285 wrappedUnlockKey,
286 error.take());
287 if (!*unlockKey) {
7fb2cbd2 288 os_log_error(TL_LOG, "Failed to unwrap unlock key: %{public}@", error.get());
fa7225c8
A		 289 return errSecDecode;
290 }
291
292 // we need to re-wrap already unwrapped data to avoid capturing and reusing communication with the smartcard
293 CFRef<CFDataRef> reWrappedUnlockKey = SecKeyCreateEncryptedData(pubKey, algorithm, *unlockKey, error.take());
294 if (!reWrappedUnlockKey) {
7fb2cbd2 295 os_log_error(TL_LOG, "Failed to rewrap unlock key: %{public}@", error.get());
fa7225c8
A		 296 TokenLoginDeleteUnlockData(getPubKeyHash(context));
297 return errSecParam;
298 }
299
300 CFRef<CFMutableDictionaryRef> newDict = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 4, loginData);
301 if (newDict) {
302 CFDictionarySetValue(newDict, kSecValueData, reWrappedUnlockKey);
303 TokenLoginStoreUnlockData(context, newDict);
304 }
305
306 return errSecSuccess;
307}
308
309OSStatus TokenLoginGetLoginData(CFDictionaryRef context, CFDictionaryRef *loginData)
310{
79b9da22
A		 311 if (!loginData || !context) {
312 os_log_error(TL_LOG, "Get login data - wrong params");
313 return errSecParam;
314 }
fa7225c8
A		 315
316 CFRef<CFStringRef> pubKeyHashHex = cfDataToHex(getPubKeyHash(context));
79b9da22 317
fa7225c8
A		 318 CFPreferencesSynchronize(kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
319 CFRef<CFDataRef> storedData = (CFDataRef)CFPreferencesCopyValue(pubKeyHashHex, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
79b9da22 320 if (!storedData) {
b54c578e 321 // this is not an error, might be a normal situation if the value does not exist
79b9da22 322 os_log_debug(TL_LOG, "Failed to read token login plist");
fa7225c8
A		 323 return errSecIO;
324 }
325
326 CFRef<CFErrorRef> error;
327 *loginData = (CFDictionaryRef)CFPropertyListCreateWithData(kCFAllocatorDefault,
328 storedData,
329 kCFPropertyListImmutable,
330 NULL,
331 error.take());
332 if (!*loginData || CFGetTypeID(*loginData) != CFDictionaryGetTypeID()) {
7fb2cbd2 333 os_log_error(TL_LOG, "Failed to deserialize unlock key data: %{public}@", error.get());
fa7225c8
A		 334 return errSecParam;
335 }
336
337 return errSecSuccess;
338}
339
b04fe171
A		 340OSStatus TokenLoginGetPin(CFDictionaryRef context, CFStringRef *pin)
341{
342 if (!pin || !context) {
343 return errSecParam;
344 }
345 *pin = getPin(context);
346
347 return errSecSuccess;
348}
349
350OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context, CFStringRef password)
fa7225c8 351{
79b9da22
A		 352 if (!context) {
353 os_log_error(TL_LOG, "Updating unlock data - wrong params");
354 return errSecParam;
355 }
fa7225c8
A		 356
357 CFRef<SecKeychainRef> loginKeychain;
358 OSStatus result = SecKeychainCopyLogin(loginKeychain.take());
359 if (result != errSecSuccess) {
79b9da22 360 os_log_error(TL_LOG, "Failed to get user keychain: %d", (int) result);
fa7225c8
A		 361 return result;
362 }
363
b04fe171 364 return SecKeychainStoreUnlockKeyWithPubKeyHash(getPubKeyHash(context), getTokenId(context), getPubKeyHashWrap(context), loginKeychain, password);
fa7225c8
A		 365}
366
367OSStatus TokenLoginCreateLoginData(CFStringRef tokenId, CFDataRef pubKeyHash, CFDataRef pubKeyHashWrap, CFDataRef unlockKey, CFDataRef scBlob)
368{
79b9da22
A		 369 if (!tokenId || !pubKeyHash || !pubKeyHashWrap || !unlockKey || !scBlob) {
370 os_log_error(TL_LOG, "Create login data - wrong params");
371 return errSecParam;
372 }
fa7225c8
A		 373
374 CFRef<CFDictionaryRef> ctx = makeCFDictionary(3,
375 kSecAttrTokenID, tokenId,
376 kSecAttrPublicKeyHash, pubKeyHash,
377 kSecAttrAccount, pubKeyHashWrap
378 );
379 CFRef<SecKeyRef> privKey;
7fb2cbd2 380 OSStatus result = privKeyForPubKeyHashWrap(ctx, privKey.take(), NULL);
fa7225c8 381 if (result != errSecSuccess) {
7fb2cbd2 382 os_log_error(TL_LOG, "Failed to get private key for public key hash %{public}@: %d", pubKeyHashWrap, (int)result);
fa7225c8
A		 383 return result;
384 }
385
386 CFRef<SecKeyRef> pubKey = SecKeyCopyPublicKey(privKey);
387 if (!pubKey) {
79b9da22 388 os_log_error(TL_LOG, "Failed to get public key from private key");
fa7225c8
A		 389 return errSecParam;
390 }
391
392 SecKeyAlgorithm algorithms[] = {
393 kSecKeyAlgorithmECIESEncryptionStandardX963SHA512AESGCM,
394 kSecKeyAlgorithmECIESEncryptionStandardX963SHA384AESGCM,
395 kSecKeyAlgorithmECIESEncryptionStandardX963SHA256AESGCM,
396 kSecKeyAlgorithmECIESEncryptionStandardX963SHA224AESGCM,
397 kSecKeyAlgorithmECIESEncryptionStandardX963SHA1AESGCM,
398 kSecKeyAlgorithmRSAEncryptionOAEPSHA512AESGCM,
399 kSecKeyAlgorithmRSAEncryptionOAEPSHA384AESGCM,
400 kSecKeyAlgorithmRSAEncryptionOAEPSHA256AESGCM,
401 kSecKeyAlgorithmRSAEncryptionOAEPSHA224AESGCM,
402 kSecKeyAlgorithmRSAEncryptionOAEPSHA1AESGCM
403 };
404
405 SecKeyAlgorithm algorithm = NULL;
406 for (size_t i = 0; i < sizeof(algorithms) / sizeof(*algorithms); i++) {
407 if (SecKeyIsAlgorithmSupported(pubKey, kSecKeyOperationTypeEncrypt, algorithms[i])
408 && SecKeyIsAlgorithmSupported(privKey, kSecKeyOperationTypeDecrypt, algorithms[i])) {
409 algorithm = algorithms[i];
410 break;
411 }
412 }
413 if (algorithm == NULL) {
79b9da22 414 os_log_error(TL_LOG, "Failed to find supported wrap algorithm");
fa7225c8
A		 415 return errSecParam;
416 }
417
418 CFRef<CFErrorRef> error;
419 CFRef<CFDataRef> wrappedUnlockKey = SecKeyCreateEncryptedData(pubKey, algorithm, unlockKey, error.take());
420 if (!wrappedUnlockKey) {
7fb2cbd2 421 os_log_error(TL_LOG, "Failed to wrap unlock key: %{public}@", error.get());
fa7225c8
A		 422 return errSecParam;
423 }
424
425 CFRef<CFDictionaryRef> loginData = makeCFDictionary(4,
426 kSecAttrService, algorithm,
427 kSecAttrPublicKeyHash, pubKeyHashWrap,
428 kSecValueData, wrappedUnlockKey.get(),
429 kSecClassKey, scBlob
430 );
431 return TokenLoginStoreUnlockData(ctx, loginData);
432}
433
434OSStatus TokenLoginStoreUnlockData(CFDictionaryRef context, CFDictionaryRef loginData)
435{
7fb2cbd2 436 os_log_debug(TL_LOG, "Storing unlock data");
fa7225c8
A		 437
438 CFRef<CFErrorRef> error;
439 CFRef<CFDataRef> data = CFPropertyListCreateData(kCFAllocatorDefault,
440 loginData,
441 kCFPropertyListBinaryFormat_v1_0,
442 0,
443 error.take());
444 if (!data) {
7fb2cbd2 445 os_log_error(TL_LOG, "Failed to create unlock data: %{public}@", error.get());
fa7225c8
A		 446 return errSecInternal;
447 }
448 CFRef<CFStringRef> pubKeyHashHex = cfDataToHex(getPubKeyHash(context));
7fb2cbd2 449 os_log_debug(TL_LOG, "Pubkeyhash %@", pubKeyHashHex.get());
79b9da22
A		 450
451 CFPreferencesSetValue(pubKeyHashHex, data, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
7fb2cbd2 452 os_log_debug(TL_LOG, "Pubkeyhash %@", pubKeyHashHex.get());
79b9da22 453
fa7225c8
A		 454 CFPreferencesSynchronize(kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
455 CFRef<CFDataRef> storedData = (CFDataRef)CFPreferencesCopyValue(pubKeyHashHex, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
7fb2cbd2 456 os_log_debug(TL_LOG, "Stored data %@", storedData.get());
fa7225c8
A		 457
458 if (!storedData || !CFEqual(storedData, data)) {
79b9da22 459 os_log_error(TL_LOG, "Failed to write token login plist");
fa7225c8
A		 460 return errSecIO;
461 }
7fb2cbd2 462 os_log_debug(TL_LOG, "Original data %@. Everything is OK", data.get());
fa7225c8
A		 463
464 return errSecSuccess;
465}
466
467OSStatus TokenLoginDeleteUnlockData(CFDataRef pubKeyHash)
468{
469 CFRef<CFStringRef> pubKeyHashHex = cfDataToHex(pubKeyHash);
470 CFPreferencesSetValue(pubKeyHashHex, NULL, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
471 CFPreferencesSynchronize(kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
472 CFRef<CFDataRef> storedData = (CFDataRef)CFPreferencesCopyValue(pubKeyHashHex, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
473
474 if (storedData) {
79b9da22 475 os_log_error(TL_LOG, "Failed to remove unlock data");
fa7225c8
A		 476 return errSecIO;
477 }
478
479 return errSecSuccess;
480}
481
482OSStatus TokenLoginGetScBlob(CFDataRef pubKeyHashWrap, CFStringRef tokenId, CFStringRef password, CFDataRef *scBlob)
483{
484 if (scBlob == NULL || password == NULL || pubKeyHashWrap == NULL || tokenId == NULL) {
79b9da22 485 os_log_error(TL_LOG, "TokenLoginGetScBlob wrong params");
fa7225c8
A		 486 return errSecParam;
487 }
488
489 CFRef<CFDictionaryRef> ctx = makeCFDictionary(2,
490 kSecAttrTokenID, tokenId,
491 kSecAttrAccount, pubKeyHashWrap
492 );
493
494 CFRef<SecKeyRef> privKey;
7fb2cbd2 495 OSStatus retval = privKeyForPubKeyHashWrap(ctx, privKey.take(), NULL);
fa7225c8 496 if (retval != errSecSuccess) {
7fb2cbd2 497 os_log_error(TL_LOG, "TokenLoginGetScBlob failed to get private key for public key hash %{public}@: %d", pubKeyHashWrap, (int)retval);
fa7225c8
A		 498 return retval;
499 }
500
501 CFRef<SecKeyRef> pubKey = SecKeyCopyPublicKey(privKey);
502 if (!pubKey) {
79b9da22 503 os_log_error(TL_LOG, "TokenLoginGetScBlob no pubkey");
fa7225c8
A		 504 return errSecInternal;
505 }
506
507 CFRef<CFDictionaryRef> attributes = SecKeyCopyAttributes(pubKey);
508 if (!attributes) {
79b9da22 509 os_log_error(TL_LOG, "TokenLoginGetScBlob no attributes");
fa7225c8
A		 510 return errSecInternal;
511 }
512
513 aks_smartcard_mode_t mode;
514 CFRef<CFStringRef> type = (CFStringRef)CFDictionaryGetValue(attributes, kSecAttrKeyType);
515 if (CFEqual(type, kSecAttrKeyTypeRSA))
516 mode = AKS_SMARTCARD_MODE_RSA;
517 else if (CFEqual(type, kSecAttrKeyTypeEC))
518 mode = AKS_SMARTCARD_MODE_ECDH;
519 else {
79b9da22 520 os_log_error(TL_LOG, "TokenLoginGetScBlob bad type");
fa7225c8
A		 521 return errSecNotAvailable;
522 }
523
524 CFRef<CFDataRef> publicBytes = SecKeyCopyExternalRepresentation(pubKey, NULL);
525 if (!publicBytes) {
79b9da22 526 os_log_error(TL_LOG, "TokenLoginGetScBlob cannot get public bytes");
fa7225c8
A		 527 return retval;
528 }
529
530 CFIndex maxLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(password), kCFStringEncodingUTF8) + 1;
531 char* buf = (char*)malloc(maxLength);
532 if (buf == NULL) {
79b9da22 533 os_log_error(TL_LOG, "TokenLoginGetScBlob no mem for buffer");
fa7225c8
A		 534 return retval;
535 }
536
537 if (CFStringGetCString(password, buf, maxLength, kCFStringEncodingUTF8) == FALSE) {
79b9da22 538 os_log_error(TL_LOG, "TokenLoginGetScBlob no pwd cstr");
fa7225c8
A		 539 free(buf);
540 return retval;
541 }
542
543 void *sc_blob = NULL;
544 size_t sc_len = 0;
545 aks_smartcard_unregister(session_keybag_handle); // just to be sure no previous registration exist
546 kern_return_t aks_retval = aks_smartcard_register(session_keybag_handle, (uint8_t *)buf, strlen(buf), mode, (uint8_t *)CFDataGetBytePtr(publicBytes), (size_t)CFDataGetLength(publicBytes), &sc_blob, &sc_len);
547 free(buf);
79b9da22 548 os_log_debug(TL_LOG, "TokenLoginGetScBlob register result %d", aks_retval);
fa7225c8
A		 549
550 if (sc_blob) {
551 *scBlob = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)sc_blob, (CFIndex)sc_len);
552 free(sc_blob);
553 }
554 return aks_retval;
555}
556
07691282 557// context = data wrapped in password variable, loginData = dictionary from stored plist
fa7225c8
A		 558OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginData)
559{
560 if (!loginData || !context) {
561 return errSecParam;
562 }
563
564 CFDataRef scBlob = (CFDataRef)CFDictionaryGetValue(loginData, kSecClassKey);
565 if (scBlob == NULL) {
79b9da22 566 os_log_error(TL_LOG, "Failed to get scblob");
fa7225c8
A		 567 return errSecInternal;
568 }
569
7fb2cbd2
A		 570 CFDataRef pubKeyHashWrapFromPlist = (CFDataRef)CFDictionaryGetValue(loginData, kSecAttrPublicKeyHash);
571 if (pubKeyHashWrapFromPlist == NULL) {
07691282
A		 572 os_log_error(TL_LOG, "Failed to get wrapkey");
573 return errSecInternal;
574 }
575
7fb2cbd2 576 CFRef<CFDictionaryRef> ctx = makeCFDictionary(3,
07691282
A		 577 kSecAttrTokenID, getTokenId(context),
578 kSecAttrService, getPin(context),
7fb2cbd2 579 kSecAttrAccount, pubKeyHashWrapFromPlist
07691282
A		 580 );
581
fa7225c8
A		 582 CFRef<CFErrorRef> error;
583 CFRef<SecKeyRef> privKey;
584 CFRef<CFTypeRef> LAContext;
7fb2cbd2 585 OSStatus retval = privKeyForPubKeyHashWrap(ctx, privKey.take(), LAContext.take());
fa7225c8 586 if (retval != errSecSuccess) {
7fb2cbd2 587 os_log_error(TL_LOG, "Failed to get private key for public key hash %{public}@: %d", pubKeyHashWrapFromPlist, (int)retval);
fa7225c8
A		 588 return retval;
589 }
590
591 CFRef<SecKeyRef> pubKey = SecKeyCopyPublicKey(privKey);
592 if (!pubKey) {
79b9da22 593 os_log_error(TL_LOG, "Failed to get pubkey");
fa7225c8
A		 594 return retval;
595 }
596
597 CFRef<CFDictionaryRef> attributes = SecKeyCopyAttributes(pubKey);
598 if (!attributes) {
79b9da22 599 os_log_error(TL_LOG, "TokenLoginUnlockKeybag no attributes");
fa7225c8
A		 600 return errSecInternal;
601 }
602
603 aks_smartcard_mode_t mode;
604 CFStringRef type = (CFStringRef)CFDictionaryGetValue(attributes, kSecAttrKeyType);
605 if (CFEqual(type, kSecAttrKeyTypeRSA))
606 mode = AKS_SMARTCARD_MODE_RSA;
607 else if (CFEqual(type, kSecAttrKeyTypeEC))
608 mode = AKS_SMARTCARD_MODE_ECDH;
609 else {
79b9da22 610 os_log_error(TL_LOG, "TokenLoginUnlockKeybag bad type");
fa7225c8
A		 611 return errSecNotAvailable;
612 }
613
614 void *scChallenge = NULL;
615 size_t scChallengeLen = 0;
616 int res = aks_smartcard_request_unlock(session_keybag_handle, (uint8_t *)CFDataGetBytePtr(scBlob), (size_t)CFDataGetLength(scBlob), &scChallenge, &scChallengeLen);
617 if (res != 0) {
79b9da22 618 os_log_error(TL_LOG, "TokenLoginUnlockKeybag cannot request unlock: %x", res);
fa7225c8
A		 619 return errSecInternal;
620 }
621 const void *scUsk = NULL;
622 size_t scUskLen = 0;
623 res = aks_smartcard_get_sc_usk(scChallenge, scChallengeLen, &scUsk, &scUskLen);
624
625 if (res != 0 || scUsk == NULL) {
626 free(scChallenge);
79b9da22 627 os_log_error(TL_LOG, "TokenLoginUnlockKeybag cannot get usk: %x", res);
fa7225c8
A		 628 return errSecInternal;
629 }
630
631 CFRef<CFTypeRef> wrappedUsk;
632 if (mode == AKS_SMARTCARD_MODE_ECDH) {
633 const void *ecPub = NULL;
634 size_t ecPubLen = 0;
635 res = aks_smartcard_get_ec_pub(scChallenge, scChallengeLen, &ecPub, &ecPubLen);
636 if (res != 0 || ecPub == NULL) {
637 free(scChallenge);
79b9da22 638 os_log_error(TL_LOG, "TokenLoginUnlockKeybag cannot get ecpub: %x", res);
fa7225c8
A		 639 return errSecInternal;
640 }
641 wrappedUsk = CFDataCreateMutable(kCFAllocatorDefault, ecPubLen + scUskLen);
642 if (!wrappedUsk) {
643 free(scChallenge);
79b9da22 644 os_log_error(TL_LOG, "TokenLoginUnlockKeybag no mem for ecpubusk");
fa7225c8
A		 645 return errSecInternal;
646 }
647 CFDataAppendBytes((CFMutableDataRef)wrappedUsk.get(), (const UInt8 *)ecPub, (CFIndex)ecPubLen);
648 CFDataAppendBytes((CFMutableDataRef)wrappedUsk.get(), (const UInt8 *)scUsk, (CFIndex)scUskLen);
649 } else {
650 wrappedUsk = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)scUsk, (CFIndex)scUskLen);
651 }
652 free(scChallenge);
653 // decrypt Usk with SC
654 CFRef<CFDataRef> unwrappedUsk = SecKeyCreateDecryptedData(privKey,
655 mode == AKS_SMARTCARD_MODE_RSA ? kSecKeyAlgorithmRSAEncryptionOAEPSHA256 : kSecKeyAlgorithmECIESEncryptionAKSSmartCard,
656 (CFDataRef)wrappedUsk.get(),
657 error.take());
658 if (!unwrappedUsk) {
07691282 659 os_log_error(TL_LOG, "TokenLoginUnlockKeybag failed to unwrap blob: %{public}@", error.get());
fa7225c8
A		 660 return errSecInternal;
661 }
662
663 void *scNewBlob = NULL;
664 size_t scNewLen = 0;
665 res = aks_smartcard_unlock(session_keybag_handle, (uint8_t *)CFDataGetBytePtr(scBlob), (size_t)CFDataGetLength(scBlob), (uint8_t *)CFDataGetBytePtr(unwrappedUsk), (size_t)CFDataGetLength(unwrappedUsk), &scNewBlob, &scNewLen);
666 if (scNewBlob) {
667 CFRef<CFDataRef> newBlobData = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)scNewBlob, (CFIndex)scNewLen);
668 free(scNewBlob);
669 CFRef<CFMutableDictionaryRef> newDict = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 4, loginData);
670 if (newDict) {
671 CFDictionarySetValue(newDict, kSecClassKey, newBlobData.get());
672 TokenLoginStoreUnlockData(context, newDict);
673 }
79b9da22
A		 674 } else {
675 os_log_error(TL_LOG, "TokenLoginUnlockKeybag no new scblob received: %d", res);
676 }
fa7225c8
A		 677 return res;
678}
mirror of Security