[apple/security.git] / OSX / libsecurity_pkcs12 / lib / SecPkcs12.h

/*
 * Copyright (c) 2003-2004,2011,2014 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */
 
/*******************************************************************
 * 
 * SecPkcs12.h
 *
 * This module is an implementation of the logic required to create 
 * and parse PKCS12 "blobs", known as PFXs in PKCS12 lingo. The user
 * of this module need not know anything about the details of 
 * PKCS12 PFX construction. All one needs to know at this level
 * is that a PKCS12 PFX is a collection of the following items:
 *
 * -- Zero or more certificates
 * -- Zero or more Certficate Revocation Lists (CRLs)
 * -- Zero or more private keys. (If this number is zero, using this
 *    module is probably not what you want to do)
 * -- Zero or more other opaque types, not understood or parsed
 *    by this module.
 *
 * Each individual component of a PFX contains zero or more
 * attributes; commonly the only two such attributes used in 
 * the PKCS12 world are "FriendlyName", a Unicode string, and 
 * "LocalKeyId", an opaque data blob which serves solely to tie
 * a specific cert to a specific key in the context of this specific
 * PFX.
 * 
 * Individual components of a PKCS12 PFX are typically encrypted with
 * a key derived from a user-supplied passphrase. The entire PFX
 * is protected with a MAC whose key is also derived from a user-
 * supplied passphrase. Typically these two passphrases are identical
 * but they don't have to be. 
 *
 * There are a number of options and modes which, while described in 
 * the PKCS12 spec and provided for in the interface in this file,
 * are rarely if ever used. The following is a description of the 
 * actual, typical, real-world use of this module.
 *
 * Decoding a PKCS12 blob
 * ----------------------
 *
 * 1. App creates a SecPkcs12CoderRef via SecPkcs12CoderCreate().
 * 
 * 2. App specifies supplies a (small) number of options such as
 *    passphrase(s) and SecKeychainRefs. 
 * 
 * 3. App calls SecPkcs12Decode(), providing the raw PKCS12 PFX 
 *    blob which is to be decoded. This performs all of the actual 
 *    decoding and decryption.
 *
 * 4. At this point the app optionally obtains the resulting 
 *    components by a set of calls which return individual 
 *    certs, CRLS, and keys.
 *
 * 5. Also, per the configuration performed in step 2, individual 
 *    components (certs, keys) found in the PFX have been added 
 *    to a specified keychain, rendering step 4 superfluous. 
 *
 *
 * Creating a PKCS12 blob
 * ----------------------
 *
 * 1. App creates a SecPkcs12CoderRef via SecPkcs12CoderCreate().
 *
 * 2. App specifies supplies a (small) number of options such as
 *    passphrase(s).
 * 
 * 3. App makes a set of calls which add individual components such 
 *    as certs, CRLs, and private keys. A high-level call, 
 *    SecPkcs12ExportKeychainItems(), allow the specification of 
 *    all components to be exported at once.
 *
 * 4. App calls SecPkcs12Encode(), which does all of the required
 *    encryption and encoding. The result is an exportable PKCS12
 *    PFX blob. 
 */
 
#ifndef	_SEC_PKCS12_H_
#define _SEC_PKCS12_H_

#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Opaque handle for a PKCS12 encoder/decoder.
 */
typedef void 	*SecPkcs12CoderRef;

#pragma mark --- SecPkcs12CoderRef create/destroy ---

/*
 * Basic SecPkcs12CoderRef create/destroy.
 */
OSStatus SecPkcs12CoderCreate(
	SecPkcs12CoderRef	*coder);		// RETURNED
	
/*
 * Destroy object created in SecPkcs12CoderCreate.
 */
OSStatus SecPkcs12CoderRelease(
	SecPkcs12CoderRef	coder);	

#pragma mark --- High-level API ---

/*
 * Keychain associated with encode/decode. 
 * Client must call exactly one of { SecPkcs12SetKeychain(),
 * SecPkcs12SetCspHandle() } for both encoding and decoding. 
 * If SecPkcs12SetCspHandle() is used, components which are
 * obtained during decode are ephemeral (i.e., they are not 
 * stored anywhere and only have a lifetime which is the same as
 * the lifetime of the SecPkcs12CoderRef). 
 */
OSStatus SecPkcs12SetKeychain(
	SecPkcs12CoderRef		coder,
	SecKeychainRef			keychain);
	
/* 
 * Required iff SecPkcs12SetKeychain() is not called.
 */
OSStatus SecPkcs12SetCspHandle(
	SecPkcs12CoderRef		coder,
	CSSM_CSP_HANDLE			cspHandle);


/*
 * PKCS12 allows for separate passphrases for encryption and for
 * verification (via MAC). Typically, in the real world, one
 * passphrase is used for both; we provide the means to set them
 * separately.
 *
 * Passphrases can be specified directly as CFStringRefs, or as 
 * CSSM_KEYs which represent secure passphrases obtained by the 
 * SecurityServer. This latter method is preferred since the 
 * plaintext passphrase never appears in the app's address space.
 * Passphrases expressed in this manner are referred to as 
 * PassKeys.
 *
 * If one passphrase is to be used for both encryption and 
 * verification, use one of these two function to set it.
 */
OSStatus SecPkcs12SetMACPassphrase(
	SecPkcs12CoderRef	coder,
	CFStringRef			passphrase);
	
OSStatus SecPkcs12SetMACPassKey(
	SecPkcs12CoderRef	coder,
	const CSSM_KEY		*passKey);
	
/*
 * Specify separate passphrase for encrypt/decrypt.
 */
OSStatus SecPkcs12SetCryptPassphrase(
	SecPkcs12CoderRef	coder,
	CFStringRef			passphrase);
 
OSStatus SecPkcs12SetCryptPassKey(
	SecPkcs12CoderRef	coder,
	const CSSM_KEY		*passKey);
 
/*
 * Prior to decoding a PFX, client can specify whether individual
 * components (certificates, CRLs, and keys) get stored in the 
 * keychain specified via SecPkcs12SetKeychain().
 */
enum {
	kSecImportCertificates	= 0x0001,
	kSecImportCRLs			= 0x0002,
	kSecImportKeys			= 0x0004,
};

typedef UInt32 SecPkcs12ImportFlags;

OSStatus SecPkcs12SetImportToKeychain(
	SecPkcs12CoderRef			coder,
	SecPkcs12ImportFlags		flags);

OSStatus SecPkcs12GetImportToKeychain(
	SecPkcs12CoderRef			coder,
	SecPkcs12ImportFlags		*flags);		// RETURNED
	
/*
 * Specify individual SecKeychainItemRef to export, prior to encoding.
 * The items argument is a CFArray containing any number of each 
 * of the following SecKeychainItemRef objects:
 *
 *		SecKeyRef
 *		SecCertificateRef
 *		...and others, in the future.
 */
OSStatus SecPkcs12ExportKeychainItems(
	SecPkcs12CoderRef			coder,
	CFArrayRef					items);

/*
 * Specify additional optional imported private key attributes: 
 * -- a SecAccessRef; default is the default ACL. Passing NULL here 
 *    results in private keys being created with no ACL.
 * -- CSSM_KEYUSE; default is CSSM_KEYUSE_ANY. 
 * -- CSSM_KEYATTR_FLAGS; default is CSSM_KEYATTR_RETURN_REF | 
 *    CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_SENSITIVE, plus
 *    CSSM_KEYATTR_PERMANENT if importing to a keychain
 */
OSStatus SecPkcs12SetAccess(
	SecPkcs12CoderRef		coder,
	SecAccessRef			access);
	
OSStatus SecPkcs12SetKeyUsage(
	SecPkcs12CoderRef		coder,
	CSSM_KEYUSE				keyUsage);
	
OSStatus SecPkcs12SetKeyAttrs(
	SecPkcs12CoderRef		coder,
	CSSM_KEYATTR_FLAGS		keyAttrs);
	
/*
 * Parse and decode.
 */
OSStatus SecPkcs12Decode(
	SecPkcs12CoderRef		coder,
	CFDataRef				pfx);
	
/* 
 * This the final step to create an encoded PKCS12 PFX blob.
 * This called after initial configuration of the SecPkcs12CoderRef,
 * and either specifying items to export via either 
 * SecPkcs12ExportKeychainItems() or some number of SecPkcs12Add* 
 * function calls, described below.
 *
 * The result is a DER-encoded PFX in PKCS12 lingo.
 */
OSStatus SecPkcs12Encode(
	SecPkcs12CoderRef		coder,
	CFDataRef				*pfx);			// RETURNED


/*
 * Opaque handle for optional attributes associated with any 
 * component of a SecPkcs12CoderRef.
 *
 * The use of SecPkcs12AttrsRefs is optional and in fact, in the real 
 * world, rare. Their appearance in this API is just for completeness
 * and to allow access to all "legal" PKCS12 options. 
 *
 * We define the type here to allow use elsewhere in this
 * interface; actual SecPkcs12AttrsRef manipulation functions
 * are described later in this header. 
 */
typedef void 	*SecPkcs12AttrsRef;

#pragma mark --- Decoder Functions ---

/*
 * Subsequent to decoding, obtain the components.
 * These functions can also be used as "getter" functions while encoding.
 *
 * Certificates:
 */
OSStatus SecPkcs12CertificateCount(
	SecPkcs12CoderRef		coder,
	CFIndex					*numCerts);		// RETURNED
	
OSStatus SecPkcs12CopyCertificate(
	SecPkcs12CoderRef		coder,
	CFIndex					certNum,
	SecCertificateRef		*cert,			// RETURNED
	CFStringRef				*friendlyName,	// optional, RETURNED
	CFDataRef				*localKeyId,	// optional, RETURNED
	SecPkcs12AttrsRef		*attrs);		// optional, RETURNED
	
/*
 * CRLs. The might change if a SecCrl type is defined elsewhere.
 * We'll typedef it here to preserve the semantics of this function.
 */
typedef CFDataRef	SecCrlRef;

OSStatus SecPkcs12CrlCount(
	SecPkcs12CoderRef		coder,
	CFIndex					*numCrls);		// RETURNED
	
OSStatus SecPkcs12CopyCrl(
	SecPkcs12CoderRef		coder,
	CFIndex					crlNum,
	SecCrlRef				*crl,			// RETURNED
	CFStringRef				*friendlyName,	// optional, RETURNED
	CFDataRef				*localKeyId,	// optional, RETURNED
	SecPkcs12AttrsRef		*attrs);		// optional, RETURNED
 
/*
 * Private keys.
 */
OSStatus SecPkcs12PrivateKeyCount(
	SecPkcs12CoderRef		coder,
	CFIndex					*numKeys);		// RETURNED
	
/* currently not implemented : use SecPkcs12GetCssmPrivateKey() */
OSStatus SecPkcs12CopyPrivateKey(
	SecPkcs12CoderRef		coder,
	CFIndex					keyNum,
	SecKeyRef				*privateKey,	// RETURNED
	CFStringRef				*friendlyName,	// optional, RETURNED
	CFDataRef				*localKeyId,	// optional, RETURNED
	SecPkcs12AttrsRef		*attrs);		// optional, RETURNED

/*
 * The CSSM_KEY_PTR returned by this function has a lifetime 
 * which is the same as the SecPkcs12CoderRef which created it.
 */
OSStatus SecPkcs12GetCssmPrivateKey(
	SecPkcs12CoderRef		coder,
	CFIndex					keyNum,
	CSSM_KEY_PTR			*privateKey,	// RETURNED
	CFStringRef				*friendlyName,	// optional, RETURNED
	CFDataRef				*localKeyId,	// optional, RETURNED
	SecPkcs12AttrsRef		*attrs);		// optional, RETURNED

/*
 * Catch-all for other components not currently understood
 * or supported by this library. An "opaque blob" component 
 * is identified by an OID and is obtained as an opaque data 
 * blob.
 */
OSStatus SecPkcs12OpaqueBlobCount(
	SecPkcs12CoderRef		coder,
	CFIndex					*numBlobs);		// RETURNED
	
OSStatus SecPkcs12CopyOpaqueBlob(
	SecPkcs12CoderRef		coder,
	CFIndex					blobNum,
	CFDataRef				*blobOid,		// RETURNED
	CFDataRef				*opaqueBlob,	// RETURNED
	CFStringRef				*friendlyName,	// optional, RETURNED
	CFDataRef				*localKeyId,	// optional, RETURNED
	SecPkcs12AttrsRef		*attrs);		// optional, RETURNED

#pragma mark --- Encoder Functions ---

/*
 * Add individual components. "Getter" functions are available
 * as described above (under "Functions used for decoding").
 */
OSStatus SecPkcs12AddCertificate(
	SecPkcs12CoderRef		coder,
	SecCertificateRef		cert,			
	CFStringRef				friendlyName,	// optional
	CFDataRef				localKeyId,		// optional
	SecPkcs12AttrsRef		attrs);			// optional
	
OSStatus SecPkcs12AddCrl(
	SecPkcs12CoderRef		coder,
	SecCrlRef				crl,			
	CFStringRef				friendlyName,	// optional
	CFDataRef				localKeyId,		// optional
	SecPkcs12AttrsRef		attrs);			// optional
	
OSStatus SecPkcs12AddPrivateKey(
	SecPkcs12CoderRef		coder,
	SecKeyRef				privateKey,			
	CFStringRef				friendlyName,	// optional
	CFDataRef				localKeyId,		// optional
	SecPkcs12AttrsRef		attrs);			// optional

OSStatus SecPkcs12AddOpaqueBlob(
	SecPkcs12CoderRef		coder,
	CFDataRef				blobOid,	
	CFDataRef				opaqueBlob,
	CFStringRef				friendlyName,	// optional
	CFDataRef				localKeyId,		// optional
	SecPkcs12AttrsRef		attrs);			// optional


#pragma mark --- Optional Functions ---

/************************************************************
 *** Optional, rarely used SecPkcs12CoderRef manipulation ***
 ************************************************************/
 
/***
 *** SecPkcs12AttrsRef manipulation. Optional and in fact expected to 
 *** be rarely used, if ever. 
 ***/
 
/*
 * A SecPkcs12AttrsRef is an opaque handle referring to an aribtrary
 * collection of OID/value pairs which can be attached to any 
 * component of a SecPkcs12CoderRef. OIDs and values are expressed
 * as CFDataRefs. Each OID can have associated with it an arbitrary 
 * number of values. 
 */
 
/*
 * Create/destroy.
 */
OSStatus SecPkcs12AttrsCreate(
	SecPkcs12AttrsRef	*attrs);		// RETURNED

OSStatus SecPkcs12AttrsRelease(
	SecPkcs12AttrsRef	attrs);

/*
 * Add an OID/value set to an existing SecPkcs12AttrsRef.
 * Values are a CFArray containing an arbitrary number of 
 * CFDataRefs. 
 */
OSStatus SecPkcs12AttrsAddAttr(
	SecPkcs12AttrsRef	attrs,
	CFDataRef			attrOid,
	CFArrayRef			attrValues);	// an array of CFDataRefs
	
OSStatus SecPkcs12AttrCount(
	SecPkcs12AttrsRef	attrs,
	CFIndex				*numAttrs);		// RETURNED

/* 
 * Obtain n'th oid/value set from an existing SecPkcs12AttrsRef.
 */
OSStatus SecPkcs12AttrsGetAttr(
	SecPkcs12AttrsRef	attrs,
	CFIndex				attrNum,
	CFDataRef			*attrOid,		// RETURNED
	CFArrayRef			*attrValues);	// RETURNED
	
/***
 *** Integrity and Privacy Modes
 ***/
 
/*
 * PKCS12 allows for two different modes for each of {privacy,
 * integrity}. Each of these can be implemented via password
 * or public key. Per the PKCS12 spec, all four combinations
 * of these modes are legal. In the current version of this
 * library, only password privacy and integrity modes are 
 * implemented. These functions are defined here for the 
 * completeness of the API and need never be called by users of
 * the current implementation.
 */
typedef enum {
	kSecPkcs12ModeUnknown,		// uninitialized
	kSecPkcs12ModePassword,
	kSecPkcs12ModePublicKey
} SecPkcs12Mode;
 
OSStatus SecPkcs12SetIntegrityMode(
	SecPkcs12CoderRef	coder,
	SecPkcs12Mode		mode);
	
OSStatus SecPkcs12GetIntegrityMode(
	SecPkcs12CoderRef	coder,
	SecPkcs12Mode		*mode);			// RETURNED
	
OSStatus SecPkcs12SetPrivacyMode(
	SecPkcs12CoderRef	coder,
	SecPkcs12Mode		mode);
	
OSStatus SecPkcs12GetPrivacyMode(
	SecPkcs12CoderRef	coder,
	SecPkcs12Mode		*mode);			// RETURNED
	
/***
 *** Encryption algorithms
 ***/

/*
 * Each individual component of a PKCS12 PFX can be encrypted with
 * a different encryption algorithm. Typically, Certs and CRLs are 
 * all encrypted with one weak algorithm, and private keys are 
 * encrypted with a stronger algorithm. 
 *
 * The following functions allow the app to specify, during encoding,
 * the encryption algorithms to use for the different kinds of 
 * components. These are optional; this library provides appropriate
 * defaults for these algorithms.
 */
OSStatus SecPkcs12SetKeyEncryptionAlg(
	SecPkcs12CoderRef	coder,
	CFDataRef			encryptionAlg);
	
OSStatus SecPkcs12SetCertCrlEncryptionAlg(
	SecPkcs12CoderRef	coder,
	CFDataRef			encryptionAlg);
	
/*
 * Along with an encryption algorithm is an iteration count used for
 * deriving keys. All of these are optional; reasonable defaults
 * are provided. 
 *
 * NOTE: salt is not visible at this API. During encoding, 
 * random values of salt are generated by this module.
 */
OSStatus SecPkcs12SetKeyEncryptionIterCount(
	SecPkcs12CoderRef	coder,
	unsigned			iterCount);

OSStatus SecPkcs12SetCertCrlEncryptionIterCount(
	SecPkcs12CoderRef	coder,
	unsigned			iterCount);

OSStatus SecPkcs12SetMacIterCount(
	SecPkcs12CoderRef	coder,
	unsigned			iterCount);

/*
 * "Getter" versions of the above. During decryption, the values
 * returned here refer to the *first* such element found (e.g.,
 * the encryption algorithm for the first key). 
 */
OSStatus SecPkcs12CopyKeyEncryptionAlg(
	SecPkcs12CoderRef	coder,
	CFDataRef			*encryptionAlg);		// RETURNED
	
OSStatus SecPkcs12CopyCertCrlEncryptionAlg(
	SecPkcs12CoderRef	coder,
	CFDataRef			*encryptionAlg);		// RETURNED
	
OSStatus SecPkcs12CopyKeyEncryptionIterCount(
	SecPkcs12CoderRef	coder,
	unsigned			*iterCount);			// RETURNED

OSStatus SecPkcs12CopyCertCrlEncryptionIterCount(
	SecPkcs12CoderRef	coder,
	unsigned			*iterCount);			// RETURNED
	
OSStatus SecPkcs12CopyMacIterCount(
	SecPkcs12CoderRef	coder,
	unsigned			*iterCount);			// RETURNED
	
/*
 * Avoid importing multiple private keys. Primarily for use by 
 * SecKeychainItemImport(). Behavior depends on the foundOneKey
 * argument, which indicates whether the current high-level import
 * has already imported at least one key. If foundOneKey is true,
 * SecPkcs12Decode() will return errSecMultiplePrivKeys upon
 * the detection of *any* private keys in the incoming PFX.
 * If foundOneKey is false, SecPkcs12Decode() will return 
 * errSecMultiplePrivKeys if more than one private key is 
 * found in the incoming PFX.
 */
OSStatus SecPkcs12LimitPrivateKeyImport(
	SecPkcs12CoderRef	coder,
	bool				foundOneKey);
	
#ifdef __cplusplus
}
#endif

#endif	/* _SEC_PKCS12_H_ */
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2003-2004,2011,2014 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*******************************************************************
	25	*
	26	* SecPkcs12.h
	27	*
	28	* This module is an implementation of the logic required to create
	29	* and parse PKCS12 "blobs", known as PFXs in PKCS12 lingo. The user
	30	* of this module need not know anything about the details of
	31	* PKCS12 PFX construction. All one needs to know at this level
	32	* is that a PKCS12 PFX is a collection of the following items:
	33	*
	34	* -- Zero or more certificates
	35	* -- Zero or more Certficate Revocation Lists (CRLs)
	36	* -- Zero or more private keys. (If this number is zero, using this
	37	* module is probably not what you want to do)
	38	* -- Zero or more other opaque types, not understood or parsed
	39	* by this module.
	40	*
	41	* Each individual component of a PFX contains zero or more
	42	* attributes; commonly the only two such attributes used in
	43	* the PKCS12 world are "FriendlyName", a Unicode string, and
	44	* "LocalKeyId", an opaque data blob which serves solely to tie
	45	* a specific cert to a specific key in the context of this specific
	46	* PFX.
	47	*
	48	* Individual components of a PKCS12 PFX are typically encrypted with
	49	* a key derived from a user-supplied passphrase. The entire PFX
	50	* is protected with a MAC whose key is also derived from a user-
	51	* supplied passphrase. Typically these two passphrases are identical
	52	* but they don't have to be.
	53	*
	54	* There are a number of options and modes which, while described in
	55	* the PKCS12 spec and provided for in the interface in this file,
	56	* are rarely if ever used. The following is a description of the
	57	* actual, typical, real-world use of this module.
	58	*
	59	* Decoding a PKCS12 blob
	60	* ----------------------
	61	*
	62	* 1. App creates a SecPkcs12CoderRef via SecPkcs12CoderCreate().
	63	*
	64	* 2. App specifies supplies a (small) number of options such as
	65	* passphrase(s) and SecKeychainRefs.
	66	*
67	* 3. App calls SecPkcs12Decode(), providing the raw PKCS12 PFX
68	* blob which is to be decoded. This performs all of the actual
69	* decoding and decryption.
70	*
71	* 4. At this point the app optionally obtains the resulting
72	* components by a set of calls which return individual
73	* certs, CRLS, and keys.
74	*
75	* 5. Also, per the configuration performed in step 2, individual
76	* components (certs, keys) found in the PFX have been added
77	* to a specified keychain, rendering step 4 superfluous.
78	*
79	*
80	* Creating a PKCS12 blob
81	* ----------------------
82	*
83	* 1. App creates a SecPkcs12CoderRef via SecPkcs12CoderCreate().
84	*
85	* 2. App specifies supplies a (small) number of options such as
86	* passphrase(s).
87	*
88	* 3. App makes a set of calls which add individual components such
89	* as certs, CRLs, and private keys. A high-level call,
90	* SecPkcs12ExportKeychainItems(), allow the specification of
91	* all components to be exported at once.
92	*
93	* 4. App calls SecPkcs12Encode(), which does all of the required
94	* encryption and encoding. The result is an exportable PKCS12
95	* PFX blob.
96	*/
97
98	#ifndef _SEC_PKCS12_H_
99	#define _SEC_PKCS12_H_
100
101	#include <CoreFoundation/CoreFoundation.h>
102	#include <Security/Security.h>
103
104	#ifdef __cplusplus
105	extern "C" {
106	#endif
107
108	/*
109	* Opaque handle for a PKCS12 encoder/decoder.
110	*/
111	typedef void *SecPkcs12CoderRef;
112
113	#pragma mark --- SecPkcs12CoderRef create/destroy ---
114
115	/*
116	* Basic SecPkcs12CoderRef create/destroy.
117	*/
118	OSStatus SecPkcs12CoderCreate(
119	SecPkcs12CoderRef *coder); // RETURNED
120
121	/*
122	* Destroy object created in SecPkcs12CoderCreate.
123	*/
124	OSStatus SecPkcs12CoderRelease(
125	SecPkcs12CoderRef coder);
126
127	#pragma mark --- High-level API ---
128
129	/*
130	* Keychain associated with encode/decode.
131	* Client must call exactly one of { SecPkcs12SetKeychain(),
132	* SecPkcs12SetCspHandle() } for both encoding and decoding.
133	* If SecPkcs12SetCspHandle() is used, components which are
134	* obtained during decode are ephemeral (i.e., they are not
135	* stored anywhere and only have a lifetime which is the same as
136	* the lifetime of the SecPkcs12CoderRef).
137	*/
138	OSStatus SecPkcs12SetKeychain(
139	SecPkcs12CoderRef coder,
140	SecKeychainRef keychain);
141
142	/*
143	* Required iff SecPkcs12SetKeychain() is not called.
144	*/
145	OSStatus SecPkcs12SetCspHandle(
146	SecPkcs12CoderRef coder,
147	CSSM_CSP_HANDLE cspHandle);
148
149
150	/*
151	* PKCS12 allows for separate passphrases for encryption and for
152	* verification (via MAC). Typically, in the real world, one
153	* passphrase is used for both; we provide the means to set them
154	* separately.
155	*
156	* Passphrases can be specified directly as CFStringRefs, or as
157	* CSSM_KEYs which represent secure passphrases obtained by the
158	* SecurityServer. This latter method is preferred since the
159	* plaintext passphrase never appears in the app's address space.
160	* Passphrases expressed in this manner are referred to as
161	* PassKeys.
162	*
163	* If one passphrase is to be used for both encryption and
164	* verification, use one of these two function to set it.
165	*/
166	OSStatus SecPkcs12SetMACPassphrase(
167	SecPkcs12CoderRef coder,
168	CFStringRef passphrase);
169
170	OSStatus SecPkcs12SetMACPassKey(
171	SecPkcs12CoderRef coder,
172	const CSSM_KEY *passKey);
173
174	/*
175	* Specify separate passphrase for encrypt/decrypt.
176	*/
177	OSStatus SecPkcs12SetCryptPassphrase(
178	SecPkcs12CoderRef coder,
179	CFStringRef passphrase);
180
181	OSStatus SecPkcs12SetCryptPassKey(
182	SecPkcs12CoderRef coder,
183	const CSSM_KEY *passKey);
184
185	/*
186	* Prior to decoding a PFX, client can specify whether individual
187	* components (certificates, CRLs, and keys) get stored in the
188	* keychain specified via SecPkcs12SetKeychain().
189	*/
190	enum {
191	kSecImportCertificates = 0x0001,
192	kSecImportCRLs = 0x0002,
193	kSecImportKeys = 0x0004,
194	};
195
196	typedef UInt32 SecPkcs12ImportFlags;
197
198	OSStatus SecPkcs12SetImportToKeychain(
199	SecPkcs12CoderRef coder,
200	SecPkcs12ImportFlags flags);
201
202	OSStatus SecPkcs12GetImportToKeychain(
203	SecPkcs12CoderRef coder,
204	SecPkcs12ImportFlags *flags); // RETURNED
205
206	/*
207	* Specify individual SecKeychainItemRef to export, prior to encoding.
208	* The items argument is a CFArray containing any number of each
209	* of the following SecKeychainItemRef objects:
210	*
211	* SecKeyRef
212	* SecCertificateRef
213	* ...and others, in the future.
214	*/
215	OSStatus SecPkcs12ExportKeychainItems(
216	SecPkcs12CoderRef coder,
217	CFArrayRef items);
218
219	/*
220	* Specify additional optional imported private key attributes:
221	* -- a SecAccessRef; default is the default ACL. Passing NULL here
222	* results in private keys being created with no ACL.
223	* -- CSSM_KEYUSE; default is CSSM_KEYUSE_ANY.
224	* -- CSSM_KEYATTR_FLAGS; default is CSSM_KEYATTR_RETURN_REF \|
225	* CSSM_KEYATTR_EXTRACTABLE \| CSSM_KEYATTR_SENSITIVE, plus
226	* CSSM_KEYATTR_PERMANENT if importing to a keychain
227	*/
228	OSStatus SecPkcs12SetAccess(
229	SecPkcs12CoderRef coder,
230	SecAccessRef access);
231
232	OSStatus SecPkcs12SetKeyUsage(
233	SecPkcs12CoderRef coder,
234	CSSM_KEYUSE keyUsage);
235
236	OSStatus SecPkcs12SetKeyAttrs(
237	SecPkcs12CoderRef coder,
238	CSSM_KEYATTR_FLAGS keyAttrs);
239
240	/*
241	* Parse and decode.
242	*/
243	OSStatus SecPkcs12Decode(
244	SecPkcs12CoderRef coder,
245	CFDataRef pfx);
246
247	/*
248	* This the final step to create an encoded PKCS12 PFX blob.
249	* This called after initial configuration of the SecPkcs12CoderRef,
250	* and either specifying items to export via either
251	* SecPkcs12ExportKeychainItems() or some number of SecPkcs12Add*
252	* function calls, described below.
253	*
254	* The result is a DER-encoded PFX in PKCS12 lingo.
255	*/
256	OSStatus SecPkcs12Encode(
257	SecPkcs12CoderRef coder,
258	CFDataRef *pfx); // RETURNED
259
260
261	/*
262	* Opaque handle for optional attributes associated with any
263	* component of a SecPkcs12CoderRef.
264	*
265	* The use of SecPkcs12AttrsRefs is optional and in fact, in the real
266	* world, rare. Their appearance in this API is just for completeness
267	* and to allow access to all "legal" PKCS12 options.
268	*
269	* We define the type here to allow use elsewhere in this
270	* interface; actual SecPkcs12AttrsRef manipulation functions
271	* are described later in this header.
272	*/
273	typedef void *SecPkcs12AttrsRef;
274
275	#pragma mark --- Decoder Functions ---
276
277	/*
278	* Subsequent to decoding, obtain the components.
279	* These functions can also be used as "getter" functions while encoding.
280	*
281	* Certificates:
282	*/
283	OSStatus SecPkcs12CertificateCount(
284	SecPkcs12CoderRef coder,
285	CFIndex *numCerts); // RETURNED
286
287	OSStatus SecPkcs12CopyCertificate(
288	SecPkcs12CoderRef coder,
289	CFIndex certNum,
290	SecCertificateRef *cert, // RETURNED
291	CFStringRef *friendlyName, // optional, RETURNED
292	CFDataRef *localKeyId, // optional, RETURNED
293	SecPkcs12AttrsRef *attrs); // optional, RETURNED
294
295	/*
296	* CRLs. The might change if a SecCrl type is defined elsewhere.
297	* We'll typedef it here to preserve the semantics of this function.
298	*/
299	typedef CFDataRef SecCrlRef;
300
301	OSStatus SecPkcs12CrlCount(
302	SecPkcs12CoderRef coder,
303	CFIndex *numCrls); // RETURNED
304
305	OSStatus SecPkcs12CopyCrl(
306	SecPkcs12CoderRef coder,
307	CFIndex crlNum,
308	SecCrlRef *crl, // RETURNED
309	CFStringRef *friendlyName, // optional, RETURNED
310	CFDataRef *localKeyId, // optional, RETURNED
311	SecPkcs12AttrsRef *attrs); // optional, RETURNED
312
313	/*
314	* Private keys.
315	*/
316	OSStatus SecPkcs12PrivateKeyCount(
317	SecPkcs12CoderRef coder,
318	CFIndex *numKeys); // RETURNED
319
320	/* currently not implemented : use SecPkcs12GetCssmPrivateKey() */
321	OSStatus SecPkcs12CopyPrivateKey(
322	SecPkcs12CoderRef coder,
323	CFIndex keyNum,
324	SecKeyRef *privateKey, // RETURNED
325	CFStringRef *friendlyName, // optional, RETURNED
326	CFDataRef *localKeyId, // optional, RETURNED
327	SecPkcs12AttrsRef *attrs); // optional, RETURNED
328
329	/*
330	* The CSSM_KEY_PTR returned by this function has a lifetime
331	* which is the same as the SecPkcs12CoderRef which created it.
332	*/
333	OSStatus SecPkcs12GetCssmPrivateKey(
334	SecPkcs12CoderRef coder,
335	CFIndex keyNum,
336	CSSM_KEY_PTR *privateKey, // RETURNED
337	CFStringRef *friendlyName, // optional, RETURNED
338	CFDataRef *localKeyId, // optional, RETURNED
339	SecPkcs12AttrsRef *attrs); // optional, RETURNED
340
341	/*
342	* Catch-all for other components not currently understood
343	* or supported by this library. An "opaque blob" component
344	* is identified by an OID and is obtained as an opaque data
345	* blob.
346	*/
347	OSStatus SecPkcs12OpaqueBlobCount(
348	SecPkcs12CoderRef coder,
349	CFIndex *numBlobs); // RETURNED
350
351	OSStatus SecPkcs12CopyOpaqueBlob(
352	SecPkcs12CoderRef coder,
353	CFIndex blobNum,
354	CFDataRef *blobOid, // RETURNED
355	CFDataRef *opaqueBlob, // RETURNED
356	CFStringRef *friendlyName, // optional, RETURNED
357	CFDataRef *localKeyId, // optional, RETURNED
358	SecPkcs12AttrsRef *attrs); // optional, RETURNED
359
360	#pragma mark --- Encoder Functions ---
361
362	/*
363	* Add individual components. "Getter" functions are available
364	* as described above (under "Functions used for decoding").
365	*/
366	OSStatus SecPkcs12AddCertificate(
367	SecPkcs12CoderRef coder,
368	SecCertificateRef cert,
369	CFStringRef friendlyName, // optional
370	CFDataRef localKeyId, // optional
371	SecPkcs12AttrsRef attrs); // optional
372
373	OSStatus SecPkcs12AddCrl(
374	SecPkcs12CoderRef coder,
375	SecCrlRef crl,
376	CFStringRef friendlyName, // optional
377	CFDataRef localKeyId, // optional
378	SecPkcs12AttrsRef attrs); // optional
379
380	OSStatus SecPkcs12AddPrivateKey(
381	SecPkcs12CoderRef coder,
382	SecKeyRef privateKey,
383	CFStringRef friendlyName, // optional
384	CFDataRef localKeyId, // optional
385	SecPkcs12AttrsRef attrs); // optional
386
387	OSStatus SecPkcs12AddOpaqueBlob(
388	SecPkcs12CoderRef coder,
389	CFDataRef blobOid,
390	CFDataRef opaqueBlob,
391	CFStringRef friendlyName, // optional
392	CFDataRef localKeyId, // optional
393	SecPkcs12AttrsRef attrs); // optional
394
395
396	#pragma mark --- Optional Functions ---
397
398	/************************************************************
399	* Optional, rarely used SecPkcs12CoderRef manipulation *
400	************************************************************/
401
402	/***
403	*** SecPkcs12AttrsRef manipulation. Optional and in fact expected to
404	*** be rarely used, if ever.
405	***/
406
407	/*
408	* A SecPkcs12AttrsRef is an opaque handle referring to an aribtrary
409	* collection of OID/value pairs which can be attached to any
410	* component of a SecPkcs12CoderRef. OIDs and values are expressed
411	* as CFDataRefs. Each OID can have associated with it an arbitrary
412	* number of values.
413	*/
414
415	/*
416	* Create/destroy.
417	*/
418	OSStatus SecPkcs12AttrsCreate(
419	SecPkcs12AttrsRef *attrs); // RETURNED
420
421	OSStatus SecPkcs12AttrsRelease(
422	SecPkcs12AttrsRef attrs);
423
424	/*
425	* Add an OID/value set to an existing SecPkcs12AttrsRef.
426	* Values are a CFArray containing an arbitrary number of
427	* CFDataRefs.
428	*/
429	OSStatus SecPkcs12AttrsAddAttr(
430	SecPkcs12AttrsRef attrs,
431	CFDataRef attrOid,
432	CFArrayRef attrValues); // an array of CFDataRefs
433
434	OSStatus SecPkcs12AttrCount(
435	SecPkcs12AttrsRef attrs,
436	CFIndex *numAttrs); // RETURNED
437
438	/*
439	* Obtain n'th oid/value set from an existing SecPkcs12AttrsRef.
440	*/
441	OSStatus SecPkcs12AttrsGetAttr(
442	SecPkcs12AttrsRef attrs,
443	CFIndex attrNum,
444	CFDataRef *attrOid, // RETURNED
445	CFArrayRef *attrValues); // RETURNED
446
447	/***
448	*** Integrity and Privacy Modes
449	***/
450
451	/*
452	* PKCS12 allows for two different modes for each of {privacy,
453	* integrity}. Each of these can be implemented via password
454	* or public key. Per the PKCS12 spec, all four combinations
455	* of these modes are legal. In the current version of this
456	* library, only password privacy and integrity modes are
457	* implemented. These functions are defined here for the
458	* completeness of the API and need never be called by users of
459	* the current implementation.
460	*/
461	typedef enum {
462	kSecPkcs12ModeUnknown, // uninitialized
463	kSecPkcs12ModePassword,
464	kSecPkcs12ModePublicKey
465	} SecPkcs12Mode;
466
467	OSStatus SecPkcs12SetIntegrityMode(
468	SecPkcs12CoderRef coder,
469	SecPkcs12Mode mode);
470
471	OSStatus SecPkcs12GetIntegrityMode(
472	SecPkcs12CoderRef coder,
473	SecPkcs12Mode *mode); // RETURNED
474
475	OSStatus SecPkcs12SetPrivacyMode(
476	SecPkcs12CoderRef coder,
477	SecPkcs12Mode mode);
478
479	OSStatus SecPkcs12GetPrivacyMode(
480	SecPkcs12CoderRef coder,
481	SecPkcs12Mode *mode); // RETURNED
482
483	/***
484	*** Encryption algorithms
485	***/
486
487	/*
488	* Each individual component of a PKCS12 PFX can be encrypted with
489	* a different encryption algorithm. Typically, Certs and CRLs are
490	* all encrypted with one weak algorithm, and private keys are
491	* encrypted with a stronger algorithm.
492	*
493	* The following functions allow the app to specify, during encoding,
494	* the encryption algorithms to use for the different kinds of
495	* components. These are optional; this library provides appropriate
496	* defaults for these algorithms.
497	*/
498	OSStatus SecPkcs12SetKeyEncryptionAlg(
499	SecPkcs12CoderRef coder,
500	CFDataRef encryptionAlg);
501
502	OSStatus SecPkcs12SetCertCrlEncryptionAlg(
503	SecPkcs12CoderRef coder,
504	CFDataRef encryptionAlg);
505
506	/*
507	* Along with an encryption algorithm is an iteration count used for
508	* deriving keys. All of these are optional; reasonable defaults
509	* are provided.
510	*
511	* NOTE: salt is not visible at this API. During encoding,
512	* random values of salt are generated by this module.
513	*/
514	OSStatus SecPkcs12SetKeyEncryptionIterCount(
515	SecPkcs12CoderRef coder,
516	unsigned iterCount);
517
518	OSStatus SecPkcs12SetCertCrlEncryptionIterCount(
519	SecPkcs12CoderRef coder,
520	unsigned iterCount);
521
522	OSStatus SecPkcs12SetMacIterCount(
523	SecPkcs12CoderRef coder,
524	unsigned iterCount);
525
526	/*
527	* "Getter" versions of the above. During decryption, the values
528	* returned here refer to the first such element found (e.g.,
529	* the encryption algorithm for the first key).
530	*/
531	OSStatus SecPkcs12CopyKeyEncryptionAlg(
532	SecPkcs12CoderRef coder,
533	CFDataRef *encryptionAlg); // RETURNED
534
535	OSStatus SecPkcs12CopyCertCrlEncryptionAlg(
536	SecPkcs12CoderRef coder,
537	CFDataRef *encryptionAlg); // RETURNED
538
539	OSStatus SecPkcs12CopyKeyEncryptionIterCount(
540	SecPkcs12CoderRef coder,
541	unsigned *iterCount); // RETURNED
542
543	OSStatus SecPkcs12CopyCertCrlEncryptionIterCount(
544	SecPkcs12CoderRef coder,
545	unsigned *iterCount); // RETURNED
546
547	OSStatus SecPkcs12CopyMacIterCount(
548	SecPkcs12CoderRef coder,
549	unsigned *iterCount); // RETURNED
550
551	/*
552	* Avoid importing multiple private keys. Primarily for use by
553	* SecKeychainItemImport(). Behavior depends on the foundOneKey
554	* argument, which indicates whether the current high-level import
555	* has already imported at least one key. If foundOneKey is true,
556	* SecPkcs12Decode() will return errSecMultiplePrivKeys upon
557	* the detection of any private keys in the incoming PFX.
558	* If foundOneKey is false, SecPkcs12Decode() will return
559	* errSecMultiplePrivKeys if more than one private key is
560	* found in the incoming PFX.
561	*/
562	OSStatus SecPkcs12LimitPrivateKeyImport(
563	SecPkcs12CoderRef coder,
564	bool foundOneKey);
565
566	#ifdef __cplusplus
567	}
568	#endif
569
570	#endif /* _SEC_PKCS12_H_ */
571