[apple/security.git] / libsecurity_apple_csp / lib / wrapKeyCms.cpp

/*
 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


//
// wrapKeyCms.cpp - wrap/unwrap key, CMS format 
//

#include "AppleCSPSession.h"
#include "AppleCSPUtils.h"
#include "AppleCSPKeys.h"
#include "cspdebugging.h"

/*
 *
 * Here is the algorithm implemented in this module:
 *
 * Note that DEK is the wrapping key,
 *
 * 1. PRIVATE_KEY_BYTES is the private data to be wrapped. It consists of the 
 *    following concatenation:
 *
 *    4-byte length of Descriptive Data, big-endian  |
 *    Descriptive Data |
 *    rawBlob.Data bytes
 * 
 * 2. Encrypt PRIVATE_KEY_BYTES using DEK (3DES) and IV in CBC mode with
 *    PKCS1 padding.  Call the ciphertext TEMP1
 * 
 * 3. Let TEMP2 = IV || TEMP1.
 * 
 * 4. Reverse the order of the octets in TEMP2 call the result TEMP3.
 * 
 * 5. Encrypt TEMP3 using DEK with an IV of 0x4adda22c79e82105 in CBC mode
 *    with PKCS1 padding call the result TEMP4.
 * 
 *    TEMP4 is wrappedKey.KeyData.
 */

/* true: cook up second CCHandle via a new HandleObject
 * false - OK to reuse a CCHandle */
#define USE_SECOND_CCHAND	0

/* false : make copy of incoming context before changing IV
 * true  : resuse OK */
#define REUSE_CONTEXT		1

/* lots'o'printfs in lieu of a debugger which works */
#define VERBOSE_DEBUG		0

static const uint8 magicCmsIv[] = 
	{ 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 };

#if		VERBOSE_DEBUG
static void dumpBuf(
	char				*title,
	const CSSM_DATA		*d,
	uint32 				maxLen)
{
	unsigned i;
	uint32 len;
	
	if(title) {
		printf("%s:  ", title);
	}
	if(d == NULL) {
		printf("NO DATA\n");
		return;
	}
	printf("Total Length: %d\n   ", d->Length);
	len = maxLen;
	if(d->Length < len) {
		len = d->Length;
	}
	for(i=0; i<len; i++) {
		printf("%02X ", d->Data[i]);
		if((i % 16) == 15) {
			printf("\n   ");
		}
	}
	printf("\n");
}
#else
#define dumpBuf(t, d, m)
#endif	/* VERBOSE_DEBUG */


/* serialize/deserialize uint32, big-endian. */
static void serializeUint32(uint32 i, uint8 *buf)
{
	*buf++ = (uint8)(i >> 24);
	*buf++ = (uint8)(i >> 16);
	*buf++ = (uint8)(i >> 8);
	*buf   = (uint8)i;
}

static uint32 deserializeUint32(const uint8 *buf) {
    	uint32 result;

    	result = ((uint32)buf[0] << 24) |
				 ((uint32)buf[1] << 16) |
				 ((uint32)buf[2] << 8)  |
				  (uint32)buf[3];
    	return result;
}

void AppleCSPSession::WrapKeyCms(
	CSSM_CC_HANDLE CCHandle,
	const Context &context,
	const AccessCredentials &AccessCred,
	const CssmKey &UnwrappedKey,
	CssmData &rawBlob,
	bool allocdRawBlob,			// callee has to free rawBlob
	const CssmData *DescriptiveData,
	CssmKey &WrappedKey,
	CSSM_PRIVILEGE Privilege)
{
	uint32 ddLen;
	CssmData PRIVATE_KEY_BYTES;
	#if		!REUSE_CONTEXT
	Context secondCtx(context.ContextType, context.AlgorithmType);
	secondCtx.copyFrom(context, privAllocator);
	#endif	/* REUSE_CONTEXT */
	
	/*
	 * 1. PRIVATE_KEY_BYTES is the private data to be wrapped. It consists of the 
	 *    following concatenation:
	 *
	 *    4-byte length of Descriptive Data, big-endian  |
	 *    Descriptive Data | 
	 *    rawBlob.Data bytes
	 */
	dumpBuf("wrap rawBlob", &rawBlob, 24);
	dumpBuf("wrap DescriptiveData", DescriptiveData, 24);
	
	if(DescriptiveData == NULL) {
		ddLen = 0;
	}
	else {
		ddLen = (uint32) DescriptiveData->Length;
	}
	size_t pkbLen = 4 +  ddLen + rawBlob.Length;
	setUpCssmData(PRIVATE_KEY_BYTES, pkbLen, privAllocator);
	uint8 *cp = PRIVATE_KEY_BYTES.Data;
	serializeUint32(ddLen, cp);
	cp += 4;
	if(ddLen != 0) {
		memcpy(cp, DescriptiveData->Data, ddLen);
		cp += ddLen;
	}
	memcpy(cp, rawBlob.Data, rawBlob.Length);
	dumpBuf("wrap PRIVATE_KEY_BYTES", &PRIVATE_KEY_BYTES, 48);
	
	/* 2. Encrypt PRIVATE_KEY_BYTES using DEK (3DES) and IV in CBC mode with
     *    PKCS1 padding.  Call the ciphertext TEMP1
	 *
	 * We'll just use the caller's context for this. Maybe we should 
	 * validate mode, padding, IV?
	 */
	CssmData TEMP1;
	CSSM_SIZE bytesEncrypted;
	CssmData remData;
	EncryptData(CCHandle,
		context,
		&PRIVATE_KEY_BYTES,	// ClearBufs[]
		1,					// ClearBufCount
		&TEMP1,				// CipherBufs[],
		1,					// CipherBufCount,
		bytesEncrypted,
		remData,
		Privilege);
	
	// I'm not 100% sure about this....
	assert(remData.Length == 0);
	TEMP1.Length = bytesEncrypted;
	dumpBuf("wrap TEMP1", &TEMP1, 48);
	
	/* 
	 * 3. Let TEMP2 = IV || TEMP1.
	 */
	CssmData TEMP2;
	CssmData &IV = context.get<CssmData>(CSSM_ATTRIBUTE_INIT_VECTOR, 
				CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR);
	setUpCssmData(TEMP2, IV.Length + TEMP1.Length, privAllocator);
	memcpy(TEMP2.Data, IV.Data, IV.Length);
	memcpy(TEMP2.Data + IV.Length, TEMP1.Data, TEMP1.Length);
	dumpBuf("wrap TEMP2", &TEMP2, 56);
	
	
	/* 
	 * 4. Reverse the order of the octets in TEMP2 call the result 
	 *    TEMP3.
	 */
	CssmData TEMP3;
	setUpCssmData(TEMP3, TEMP2.Length, privAllocator);
	uint8 *cp2 = TEMP2.Data + TEMP2.Length - 1;
	cp = TEMP3.Data;
	for(uint32 i=0; i<TEMP2.Length; i++) {
		*cp++ = *cp2--;
	} 
	dumpBuf("wrap TEMP3", &TEMP3, 64);

	/* 
     * 5. Encrypt TEMP3 using DEK with an IV of 0x4adda22c79e82105 in CBC mode
	 *    with PKCS1 padding call the result TEMP4.
	 * 
	 *    TEMP4 is wrappedKey.KeyData.
	 *
	 * This is the tricky part - we're going to use the caller's context
	 * again, but we're going to modify the IV. 
	 * We're assuming here that the IV we got via context.get<CssmData>
	 * actually is in the context and not a copy!
	 */
	#if		REUSE_CONTEXT
	CssmData &IV2 = context.get<CssmData>(CSSM_ATTRIBUTE_INIT_VECTOR, 
				CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR);
	#else
	CssmData &IV2 = secondCtx.get<CssmData>(CSSM_ATTRIBUTE_INIT_VECTOR, 
				CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR);
	#endif	/* REUSE_CONTEXT */
	
	uint8 *savedIV = IV2.Data;
	CSSM_SIZE savedIVLen = IV2.Length;
	IV2.Data = (uint8 *)magicCmsIv;
	IV2.Length = 8;
	CssmData &outBlob = CssmData::overlay(WrappedKey.KeyData);
	outBlob.Length = 0;
	outBlob.Data = NULL;
	try {
		EncryptData(CCHandle,
			#if		REUSE_CONTEXT
			context,
			#else
			secondCtx,
			#endif	/* REUSE_CONTEXT */
			
			&TEMP3,	// ClearBufs[]
			1,					// ClearBufCount
			&outBlob,			// CipherBufs[],
			1,					// CipherBufCount,
			bytesEncrypted,
			remData,
			Privilege);
	}
	catch (...) {
		IV2.Data = savedIV;
		IV2.Length = savedIVLen;
		throw;		// and leak
	}
	IV2.Data = savedIV;
	IV2.Length = savedIVLen;

	// I'm not 100% sure about this....
	assert(remData.Length == 0);
	outBlob.Length = bytesEncrypted;
	dumpBuf("wrap outBlob", &outBlob, 64);
	
	/* outgoing header */
	WrappedKey.KeyHeader.BlobType = CSSM_KEYBLOB_WRAPPED;
	// OK to be zero or not present 
	WrappedKey.KeyHeader.WrapMode = context.getInt(CSSM_ATTRIBUTE_MODE);
	WrappedKey.KeyHeader.Format = CSSM_KEYBLOB_WRAPPED_FORMAT_APPLE_CUSTOM;
	
	/* free resources */
	freeCssmData(PRIVATE_KEY_BYTES, privAllocator);
	freeCssmData(TEMP1, normAllocator);		// alloc via encrypt
	freeCssmData(TEMP2, privAllocator); 
	freeCssmData(TEMP3, privAllocator); 
	if(allocdRawBlob) {
		/* our caller mallocd this when dereferencing a ref key */
		freeCssmData(rawBlob, privAllocator);
	}
}

/* note we expect an IV present in the context though we don't use it
 * FIXME - we should figure out how to add this attribute at this level
 */
 
/* safety trap - don't try to malloc anything bigger than this - we get 
 * sizes from the processed bit stream.... */
#define MAX_MALLOC_SIZE		0x10000

void AppleCSPSession::UnwrapKeyCms(
	CSSM_CC_HANDLE CCHandle,
	const Context &Context,
	const CssmKey &WrappedKey,
	const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry,
	CssmKey &UnwrappedKey,
	CssmData &DescriptiveData,
	CSSM_PRIVILEGE Privilege,
	cspKeyStorage keyStorage)
{
	/*
	 * In reverse order, the steps from wrap...
	 * 
     * 5. Encrypt TEMP3 using DEK with an IV of 0x4adda22c79e82105 in CBC mode
	 *    with PKCS1 padding call the result TEMP4.
	 * 
	 *    TEMP4 is wrappedKey.KeyData.
	 */
	const CssmData &wrappedBlob = CssmData::overlay(WrappedKey.KeyData);
	dumpBuf("unwrap inBlob", &wrappedBlob, 64);
	CssmData &IV1 = Context.get<CssmData>(CSSM_ATTRIBUTE_INIT_VECTOR, 
				CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR);
	uint8 *savedIV = IV1.Data;
	CSSM_SIZE savedIvLen = IV1.Length;
	IV1.Data = (uint8 *)magicCmsIv;
	IV1.Length = 8;
	CssmData TEMP3;
	CSSM_SIZE bytesDecrypted;
	CssmData remData;
	
	try {
		DecryptData(CCHandle,
			Context,
			&wrappedBlob,		// CipherBufs[],
			1,					// CipherBufCount,
			&TEMP3,				// ClearBufs[]
			1,					// ClearBufCount
			bytesDecrypted,
			remData,
			Privilege);
	}
	catch(...) {
		IV1.Data = savedIV;
		IV1.Length = savedIvLen;
		throw;
	}
	IV1.Data = savedIV;
	IV1.Length = savedIvLen;
	// I'm not 100% sure about this....
	assert(remData.Length == 0);
	TEMP3.Length = bytesDecrypted;
	dumpBuf("unwrap TEMP3", &TEMP3, 64);
	
	/* 
	 * 4. Reverse the order of the octets in TEMP2 call the result 
	 *    TEMP3.
	 *
	 * i.e., TEMP2 := reverse(TEMP3)
	 */
	CssmData TEMP2;
	setUpCssmData(TEMP2, TEMP3.Length, privAllocator);
	uint8 *src = TEMP3.Data + TEMP3.Length - 1;
	uint8 *dst = TEMP2.Data;
	for(uint32 i=0; i<TEMP2.Length; i++) {
		*dst++ = *src--;
	} 
	dumpBuf("unwrap TEMP2", &TEMP2, 64);

	/* 
	 * 3. Let TEMP2 = IV || TEMP1.
	 *
	 * IV2 is first 8 bytes of TEMP2, remainder is TEMP1 
	 */
	if(TEMP2.Length <= 8) {
		dprintf0("UnwrapKeyCms: short TEMP2\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_KEY);
	}
	CssmData IV2;
	CssmData TEMP1;
	setUpCssmData(IV2, 8, privAllocator);
	setUpCssmData(TEMP1, TEMP2.Length - 8, privAllocator);
	memcpy(IV2.Data, TEMP2.Data, 8);
	memcpy(TEMP1.Data, TEMP2.Data + 8, TEMP1.Length);
	dumpBuf("unwrap TEMP1", &TEMP1, 48);

	/* 
	 * 2. Encrypt PRIVATE_KEY_BYTES using DEK (3DES) and IV in CBC mode with
     *    PKCS1 padding.  Call the ciphertext TEMP1
	 *
	 * i.e., decrypt TEMP1 to get PRIVATE_KEY_BYTES. Use IV2, not caller's 
	 * IV. We already saved caller's IV in savediV and savedIvLen.
	 */
	IV1 = IV2;
	CssmData PRIVATE_KEY_BYTES;
	try {
		DecryptData(CCHandle,
			Context,
			&TEMP1,				// CipherBufs[],
			1,					// CipherBufCount,
			&PRIVATE_KEY_BYTES,	// ClearBufs[]
			1,					// ClearBufCount
			bytesDecrypted,
			remData,
			Privilege);
	}
	catch(...) {
		IV1.Data = savedIV;
		IV1.Length = savedIvLen;
		throw;
	}
	IV1.Data = savedIV;
	// I'm not 100% sure about this....
	assert(remData.Length == 0);
	PRIVATE_KEY_BYTES.Length = bytesDecrypted;
	dumpBuf("unwrap PRIVATE_KEY_BYTES", &PRIVATE_KEY_BYTES, 64);

	/*
	 * 1. PRIVATE_KEY_BYTES is the private data to be wrapped. It consists of the 
	 *    following concatenation:
	 *
	 *    4-byte length of Descriptive Data, big-endian  |
	 *    Descriptive Data | 
	 *    rawBlob.Data bytes
	 */
	if(PRIVATE_KEY_BYTES.Length < 4) {
		dprintf0("UnwrapKeyCms: short PRIVATE_KEY_BYTES\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_KEY);
	}
	uint8 *cp1 = PRIVATE_KEY_BYTES.Data;
	uint32 ddLen = deserializeUint32(cp1);
	cp1 += 4;
	if(ddLen > MAX_MALLOC_SIZE) {
		dprintf0("UnwrapKeyCms: preposterous ddLen in PRIVATE_KEY_BYTES\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_KEY);
	}
	setUpCssmData(DescriptiveData, ddLen, normAllocator);
	memcpy(DescriptiveData.Data, cp1, ddLen);
	cp1 += ddLen;
	size_t outBlobLen = PRIVATE_KEY_BYTES.Length - ddLen - 4;
	if(ddLen > MAX_MALLOC_SIZE) {
		dprintf0("UnwrapKeyCms: preposterous outBlobLen in PRIVATE_KEY_BYTES\n");
		CssmError::throwMe(CSSMERR_CSP_INVALID_KEY);
	}
	CssmData &outBlob = CssmData::overlay(UnwrappedKey.KeyData);
	setUpCssmData(outBlob, outBlobLen, normAllocator);
	memcpy(outBlob.Data, cp1, outBlobLen);

	/* set up outgoing header */
	UnwrappedKey.KeyHeader.BlobType = CSSM_KEYBLOB_RAW;
	UnwrappedKey.KeyHeader.Format   = inferFormat(UnwrappedKey);

	/* 
	 * Cook up a BinaryKey if caller wants a reference key.
	 */
	if(keyStorage == CKS_Ref) {
		BinaryKey *binKey = NULL;
		CSPKeyInfoProvider *provider = infoProvider(UnwrappedKey);
		/* optional parameter-bearing key */
		CssmKey *paramKey = Context.get<CssmKey>(CSSM_ATTRIBUTE_PARAM_KEY);
		provider->CssmKeyToBinary(paramKey, UnwrappedKey.KeyHeader.KeyAttr, &binKey);
		addRefKey(*binKey, UnwrappedKey);
		delete provider;
	}
	/* free resources */
	freeCssmData(PRIVATE_KEY_BYTES, normAllocator);	// alloc via decrypt
	freeCssmData(TEMP1, privAllocator);		
	freeCssmData(IV2, privAllocator);		
	freeCssmData(TEMP2, privAllocator); 
	freeCssmData(TEMP3, normAllocator);		// via decrypt 

}
Commit	Line	Data
b1ab9ed8 A	1	/*
	2	* Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
	3	*
	4	* The contents of this file constitute Original Code as defined in and are
	5	* subject to the Apple Public Source License Version 1.2 (the 'License').
	6	* You may not use this file except in compliance with the License. Please obtain
	7	* a copy of the License at http://www.apple.com/publicsource and read it before
	8	* using this file.
	9	*
	10	* This Original Code and all software distributed under the License are
	11	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
	12	* OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
	13	* LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
	14	* PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
	15	* specific language governing rights and limitations under the License.
	16	*/
	17
	18
	19	//
	20	// wrapKeyCms.cpp - wrap/unwrap key, CMS format
	21	//
	22
	23	#include "AppleCSPSession.h"
	24	#include "AppleCSPUtils.h"
	25	#include "AppleCSPKeys.h"
	26	#include "cspdebugging.h"
	27
	28	/*
	29	*
	30	* Here is the algorithm implemented in this module:
	31	*
	32	* Note that DEK is the wrapping key,
	33	*
	34	* 1. PRIVATE_KEY_BYTES is the private data to be wrapped. It consists of the
	35	* following concatenation:
	36	*
	37	* 4-byte length of Descriptive Data, big-endian \|
	38	* Descriptive Data \|
	39	* rawBlob.Data bytes
	40	*
	41	* 2. Encrypt PRIVATE_KEY_BYTES using DEK (3DES) and IV in CBC mode with
	42	* PKCS1 padding. Call the ciphertext TEMP1
	43	*
	44	* 3. Let TEMP2 = IV \|\| TEMP1.
	45	*
	46	* 4. Reverse the order of the octets in TEMP2 call the result TEMP3.
	47	*
	48	* 5. Encrypt TEMP3 using DEK with an IV of 0x4adda22c79e82105 in CBC mode
	49	* with PKCS1 padding call the result TEMP4.
	50	*
	51	* TEMP4 is wrappedKey.KeyData.
	52	*/
	53
	54	/* true: cook up second CCHandle via a new HandleObject
	55	* false - OK to reuse a CCHandle */
	56	#define USE_SECOND_CCHAND 0
	57
	58	/* false : make copy of incoming context before changing IV
	59	* true : resuse OK */
	60	#define REUSE_CONTEXT 1
	61
	62	/* lots'o'printfs in lieu of a debugger which works */
	63	#define VERBOSE_DEBUG 0
	64
65	static const uint8 magicCmsIv[] =
66	{ 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 };
67
68	#if VERBOSE_DEBUG
69	static void dumpBuf(
70	char *title,
71	const CSSM_DATA *d,
72	uint32 maxLen)
73	{
74	unsigned i;
75	uint32 len;
76
77	if(title) {
78	printf("%s: ", title);
79	}
80	if(d == NULL) {
81	printf("NO DATA\n");
82	return;
83	}
84	printf("Total Length: %d\n ", d->Length);
85	len = maxLen;
86	if(d->Length < len) {
87	len = d->Length;
88	}
89	for(i=0; i<len; i++) {
90	printf("%02X ", d->Data[i]);
91	if((i % 16) == 15) {
92	printf("\n ");
93	}
94	}
95	printf("\n");
96	}
97	#else
98	#define dumpBuf(t, d, m)
99	#endif /* VERBOSE_DEBUG */
100
101
102	/* serialize/deserialize uint32, big-endian. */
103	static void serializeUint32(uint32 i, uint8 *buf)
104	{
105	*buf++ = (uint8)(i >> 24);
106	*buf++ = (uint8)(i >> 16);
107	*buf++ = (uint8)(i >> 8);
108	*buf = (uint8)i;
109	}
110
111	static uint32 deserializeUint32(const uint8 *buf) {
112	uint32 result;
113
114	result = ((uint32)buf[0] << 24) \|
115	((uint32)buf[1] << 16) \|
116	((uint32)buf[2] << 8) \|
117	(uint32)buf[3];
118	return result;
119	}
120
121	void AppleCSPSession::WrapKeyCms(
122	CSSM_CC_HANDLE CCHandle,
123	const Context &context,
124	const AccessCredentials &AccessCred,
125	const CssmKey &UnwrappedKey,
126	CssmData &rawBlob,
127	bool allocdRawBlob, // callee has to free rawBlob
128	const CssmData *DescriptiveData,
129	CssmKey &WrappedKey,
130	CSSM_PRIVILEGE Privilege)
131	{
132	uint32 ddLen;
133	CssmData PRIVATE_KEY_BYTES;
134	#if !REUSE_CONTEXT
135	Context secondCtx(context.ContextType, context.AlgorithmType);
136	secondCtx.copyFrom(context, privAllocator);
137	#endif /* REUSE_CONTEXT */
138
139	/*
140	* 1. PRIVATE_KEY_BYTES is the private data to be wrapped. It consists of the
141	* following concatenation:
142	*
143	* 4-byte length of Descriptive Data, big-endian \|
144	* Descriptive Data \|
145	* rawBlob.Data bytes
146	*/
147	dumpBuf("wrap rawBlob", &rawBlob, 24);
148	dumpBuf("wrap DescriptiveData", DescriptiveData, 24);
149
150	if(DescriptiveData == NULL) {
151	ddLen = 0;
152	}
153	else {
427c49bc	154	ddLen = (uint32) DescriptiveData->Length;
b1ab9ed8	155	}
427c49bc	156	size_t pkbLen = 4 + ddLen + rawBlob.Length;
b1ab9ed8 A	157	setUpCssmData(PRIVATE_KEY_BYTES, pkbLen, privAllocator);
	158	uint8 *cp = PRIVATE_KEY_BYTES.Data;
	159	serializeUint32(ddLen, cp);
	160	cp += 4;
	161	if(ddLen != 0) {
	162	memcpy(cp, DescriptiveData->Data, ddLen);
	163	cp += ddLen;
	164	}
	165	memcpy(cp, rawBlob.Data, rawBlob.Length);
	166	dumpBuf("wrap PRIVATE_KEY_BYTES", &PRIVATE_KEY_BYTES, 48);
	167
	168	/* 2. Encrypt PRIVATE_KEY_BYTES using DEK (3DES) and IV in CBC mode with
	169	* PKCS1 padding. Call the ciphertext TEMP1
	170	*
	171	* We'll just use the caller's context for this. Maybe we should
	172	* validate mode, padding, IV?
	173	*/
	174	CssmData TEMP1;
	175	CSSM_SIZE bytesEncrypted;
	176	CssmData remData;
	177	EncryptData(CCHandle,
	178	context,
	179	&PRIVATE_KEY_BYTES, // ClearBufs[]
	180	1, // ClearBufCount
	181	&TEMP1, // CipherBufs[],
	182	1, // CipherBufCount,
	183	bytesEncrypted,
	184	remData,
	185	Privilege);
	186
	187	// I'm not 100% sure about this....
	188	assert(remData.Length == 0);
	189	TEMP1.Length = bytesEncrypted;
	190	dumpBuf("wrap TEMP1", &TEMP1, 48);
	191
	192	/*
	193	* 3. Let TEMP2 = IV \|\| TEMP1.
	194	*/
	195	CssmData TEMP2;
	196	CssmData &IV = context.get<CssmData>(CSSM_ATTRIBUTE_INIT_VECTOR,
	197	CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR);
	198	setUpCssmData(TEMP2, IV.Length + TEMP1.Length, privAllocator);
	199	memcpy(TEMP2.Data, IV.Data, IV.Length);
	200	memcpy(TEMP2.Data + IV.Length, TEMP1.Data, TEMP1.Length);
	201	dumpBuf("wrap TEMP2", &TEMP2, 56);
	202
	203
	204	/*
	205	* 4. Reverse the order of the octets in TEMP2 call the result
	206	* TEMP3.
	207	*/
	208	CssmData TEMP3;
	209	setUpCssmData(TEMP3, TEMP2.Length, privAllocator);
	210	uint8 *cp2 = TEMP2.Data + TEMP2.Length - 1;
	211	cp = TEMP3.Data;
	212	for(uint32 i=0; i<TEMP2.Length; i++) {
	213	cp++ = cp2--;
	214	}
	215	dumpBuf("wrap TEMP3", &TEMP3, 64);
	216
	217	/*
	218	* 5. Encrypt TEMP3 using DEK with an IV of 0x4adda22c79e82105 in CBC mode
	219	* with PKCS1 padding call the result TEMP4.
	220	*
221	* TEMP4 is wrappedKey.KeyData.
222	*
223	* This is the tricky part - we're going to use the caller's context
224	* again, but we're going to modify the IV.
225	* We're assuming here that the IV we got via context.get<CssmData>
226	* actually is in the context and not a copy!
227	*/
228	#if REUSE_CONTEXT
229	CssmData &IV2 = context.get<CssmData>(CSSM_ATTRIBUTE_INIT_VECTOR,
230	CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR);
231	#else
232	CssmData &IV2 = secondCtx.get<CssmData>(CSSM_ATTRIBUTE_INIT_VECTOR,
233	CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR);
234	#endif /* REUSE_CONTEXT */
235
236	uint8 *savedIV = IV2.Data;
427c49bc	237	CSSM_SIZE savedIVLen = IV2.Length;
b1ab9ed8 A	238	IV2.Data = (uint8 *)magicCmsIv;
	239	IV2.Length = 8;
	240	CssmData &outBlob = CssmData::overlay(WrappedKey.KeyData);
	241	outBlob.Length = 0;
	242	outBlob.Data = NULL;
	243	try {
	244	EncryptData(CCHandle,
	245	#if REUSE_CONTEXT
	246	context,
	247	#else
	248	secondCtx,
	249	#endif /* REUSE_CONTEXT */
	250
	251	&TEMP3, // ClearBufs[]
	252	1, // ClearBufCount
	253	&outBlob, // CipherBufs[],
	254	1, // CipherBufCount,
	255	bytesEncrypted,
	256	remData,
	257	Privilege);
	258	}
	259	catch (...) {
	260	IV2.Data = savedIV;
	261	IV2.Length = savedIVLen;
	262	throw; // and leak
	263	}
	264	IV2.Data = savedIV;
	265	IV2.Length = savedIVLen;
	266
	267	// I'm not 100% sure about this....
	268	assert(remData.Length == 0);
	269	outBlob.Length = bytesEncrypted;
	270	dumpBuf("wrap outBlob", &outBlob, 64);
	271
	272	/* outgoing header */
	273	WrappedKey.KeyHeader.BlobType = CSSM_KEYBLOB_WRAPPED;
	274	// OK to be zero or not present
	275	WrappedKey.KeyHeader.WrapMode = context.getInt(CSSM_ATTRIBUTE_MODE);
	276	WrappedKey.KeyHeader.Format = CSSM_KEYBLOB_WRAPPED_FORMAT_APPLE_CUSTOM;
	277
	278	/* free resources */
	279	freeCssmData(PRIVATE_KEY_BYTES, privAllocator);
	280	freeCssmData(TEMP1, normAllocator); // alloc via encrypt
	281	freeCssmData(TEMP2, privAllocator);
	282	freeCssmData(TEMP3, privAllocator);
	283	if(allocdRawBlob) {
	284	/* our caller mallocd this when dereferencing a ref key */
	285	freeCssmData(rawBlob, privAllocator);
	286	}
	287	}
	288
	289	/* note we expect an IV present in the context though we don't use it
	290	* FIXME - we should figure out how to add this attribute at this level
	291	*/
	292
	293	/* safety trap - don't try to malloc anything bigger than this - we get
	294	* sizes from the processed bit stream.... */
	295	#define MAX_MALLOC_SIZE 0x10000
	296
	297	void AppleCSPSession::UnwrapKeyCms(
	298	CSSM_CC_HANDLE CCHandle,
	299	const Context &Context,
	300	const CssmKey &WrappedKey,
	301	const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry,
302	CssmKey &UnwrappedKey,
303	CssmData &DescriptiveData,
304	CSSM_PRIVILEGE Privilege,
305	cspKeyStorage keyStorage)
306	{
307	/*
308	* In reverse order, the steps from wrap...
309	*
310	* 5. Encrypt TEMP3 using DEK with an IV of 0x4adda22c79e82105 in CBC mode
311	* with PKCS1 padding call the result TEMP4.
312	*
313	* TEMP4 is wrappedKey.KeyData.
314	*/
315	const CssmData &wrappedBlob = CssmData::overlay(WrappedKey.KeyData);
316	dumpBuf("unwrap inBlob", &wrappedBlob, 64);
317	CssmData &IV1 = Context.get<CssmData>(CSSM_ATTRIBUTE_INIT_VECTOR,
318	CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR);
319	uint8 *savedIV = IV1.Data;
427c49bc	320	CSSM_SIZE savedIvLen = IV1.Length;
b1ab9ed8 A	321	IV1.Data = (uint8 *)magicCmsIv;
	322	IV1.Length = 8;
	323	CssmData TEMP3;
	324	CSSM_SIZE bytesDecrypted;
	325	CssmData remData;
	326
	327	try {
	328	DecryptData(CCHandle,
	329	Context,
	330	&wrappedBlob, // CipherBufs[],
	331	1, // CipherBufCount,
	332	&TEMP3, // ClearBufs[]
	333	1, // ClearBufCount
	334	bytesDecrypted,
	335	remData,
	336	Privilege);
	337	}
	338	catch(...) {
	339	IV1.Data = savedIV;
	340	IV1.Length = savedIvLen;
	341	throw;
	342	}
	343	IV1.Data = savedIV;
	344	IV1.Length = savedIvLen;
	345	// I'm not 100% sure about this....
	346	assert(remData.Length == 0);
	347	TEMP3.Length = bytesDecrypted;
	348	dumpBuf("unwrap TEMP3", &TEMP3, 64);
	349
	350	/*
	351	* 4. Reverse the order of the octets in TEMP2 call the result
	352	* TEMP3.
	353	*
	354	* i.e., TEMP2 := reverse(TEMP3)
	355	*/
	356	CssmData TEMP2;
	357	setUpCssmData(TEMP2, TEMP3.Length, privAllocator);
	358	uint8 *src = TEMP3.Data + TEMP3.Length - 1;
	359	uint8 *dst = TEMP2.Data;
	360	for(uint32 i=0; i<TEMP2.Length; i++) {
	361	dst++ = src--;
	362	}
	363	dumpBuf("unwrap TEMP2", &TEMP2, 64);
	364
	365	/*
	366	* 3. Let TEMP2 = IV \|\| TEMP1.
	367	*
	368	* IV2 is first 8 bytes of TEMP2, remainder is TEMP1
	369	*/
	370	if(TEMP2.Length <= 8) {
	371	dprintf0("UnwrapKeyCms: short TEMP2\n");
	372	CssmError::throwMe(CSSMERR_CSP_INVALID_KEY);
	373	}
	374	CssmData IV2;
	375	CssmData TEMP1;
	376	setUpCssmData(IV2, 8, privAllocator);
	377	setUpCssmData(TEMP1, TEMP2.Length - 8, privAllocator);
	378	memcpy(IV2.Data, TEMP2.Data, 8);
	379	memcpy(TEMP1.Data, TEMP2.Data + 8, TEMP1.Length);
	380	dumpBuf("unwrap TEMP1", &TEMP1, 48);
	381
	382	/*
	383	* 2. Encrypt PRIVATE_KEY_BYTES using DEK (3DES) and IV in CBC mode with
	384	* PKCS1 padding. Call the ciphertext TEMP1
385	*
386	* i.e., decrypt TEMP1 to get PRIVATE_KEY_BYTES. Use IV2, not caller's
387	* IV. We already saved caller's IV in savediV and savedIvLen.
388	*/
389	IV1 = IV2;
390	CssmData PRIVATE_KEY_BYTES;
391	try {
392	DecryptData(CCHandle,
393	Context,
394	&TEMP1, // CipherBufs[],
395	1, // CipherBufCount,
396	&PRIVATE_KEY_BYTES, // ClearBufs[]
397	1, // ClearBufCount
398	bytesDecrypted,
399	remData,
400	Privilege);
401	}
402	catch(...) {
403	IV1.Data = savedIV;
404	IV1.Length = savedIvLen;
405	throw;
406	}
407	IV1.Data = savedIV;
408	// I'm not 100% sure about this....
409	assert(remData.Length == 0);
410	PRIVATE_KEY_BYTES.Length = bytesDecrypted;
411	dumpBuf("unwrap PRIVATE_KEY_BYTES", &PRIVATE_KEY_BYTES, 64);
412
413	/*
414	* 1. PRIVATE_KEY_BYTES is the private data to be wrapped. It consists of the
415	* following concatenation:
416	*
417	* 4-byte length of Descriptive Data, big-endian \|
418	* Descriptive Data \|
419	* rawBlob.Data bytes
420	*/
421	if(PRIVATE_KEY_BYTES.Length < 4) {
422	dprintf0("UnwrapKeyCms: short PRIVATE_KEY_BYTES\n");
423	CssmError::throwMe(CSSMERR_CSP_INVALID_KEY);
424	}
425	uint8 *cp1 = PRIVATE_KEY_BYTES.Data;
426	uint32 ddLen = deserializeUint32(cp1);
427	cp1 += 4;
428	if(ddLen > MAX_MALLOC_SIZE) {
429	dprintf0("UnwrapKeyCms: preposterous ddLen in PRIVATE_KEY_BYTES\n");
430	CssmError::throwMe(CSSMERR_CSP_INVALID_KEY);
431	}
432	setUpCssmData(DescriptiveData, ddLen, normAllocator);
433	memcpy(DescriptiveData.Data, cp1, ddLen);
434	cp1 += ddLen;
427c49bc	435	size_t outBlobLen = PRIVATE_KEY_BYTES.Length - ddLen - 4;
b1ab9ed8 A	436	if(ddLen > MAX_MALLOC_SIZE) {
	437	dprintf0("UnwrapKeyCms: preposterous outBlobLen in PRIVATE_KEY_BYTES\n");
	438	CssmError::throwMe(CSSMERR_CSP_INVALID_KEY);
	439	}
	440	CssmData &outBlob = CssmData::overlay(UnwrappedKey.KeyData);
	441	setUpCssmData(outBlob, outBlobLen, normAllocator);
	442	memcpy(outBlob.Data, cp1, outBlobLen);
	443
	444	/* set up outgoing header */
	445	UnwrappedKey.KeyHeader.BlobType = CSSM_KEYBLOB_RAW;
	446	UnwrappedKey.KeyHeader.Format = inferFormat(UnwrappedKey);
	447
	448	/*
	449	* Cook up a BinaryKey if caller wants a reference key.
	450	*/
	451	if(keyStorage == CKS_Ref) {
	452	BinaryKey *binKey = NULL;
	453	CSPKeyInfoProvider *provider = infoProvider(UnwrappedKey);
	454	/* optional parameter-bearing key */
	455	CssmKey *paramKey = Context.get<CssmKey>(CSSM_ATTRIBUTE_PARAM_KEY);
	456	provider->CssmKeyToBinary(paramKey, UnwrappedKey.KeyHeader.KeyAttr, &binKey);
	457	addRefKey(*binKey, UnwrappedKey);
	458	delete provider;
	459	}
	460	/* free resources */
	461	freeCssmData(PRIVATE_KEY_BYTES, normAllocator); // alloc via decrypt
	462	freeCssmData(TEMP1, privAllocator);
	463	freeCssmData(IV2, privAllocator);
	464	freeCssmData(TEMP2, privAllocator);
	465	freeCssmData(TEMP3, normAllocator); // via decrypt
	466
	467	}
	468