[apple/security.git] / OSX / libsecurity_keychain / lib / SecImport.cpp

/*
 * Copyright (c) 2004,2011-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 *
 * SecImport.cpp - high-level facility for importing Sec layer objects.
 */

#include <Security/SecImportExport.h>
#include "SecExternalRep.h"
#include "SecImportExportPem.h"
#include "SecImportExportUtils.h"
#include <security_cdsa_utils/cuCdsaUtils.h>
#include <security_utilities/globalizer.h>
#include <Security/SecBase.h>

#define SecImpInferDbg(args...)	secinfo("SecImpInfer", ## args)

using namespace Security;
using namespace KeychainCore;

/*
 * Do our best to ensure that a SecImportRep's type and format are known.
 * A return of true means that both format and type (and, if the item
 * is a raw public or private key, the algorithm) are known.
 */
static bool impExpInferTypeAndFormat(
	SecImportRep		*rep,
	CFStringRef			fileStr,
	SecExternalFormat   inputFormat,
	SecExternalItemType	itemType)
{
	/* fill in blanks if caller knows them */
	if((rep->mExternType == kSecItemTypeUnknown) && (itemType != kSecItemTypeUnknown)) {
		rep->mExternType = itemType;
	}
	if((rep->mExternFormat == kSecFormatUnknown) && (inputFormat != kSecFormatUnknown)) {
		rep->mExternFormat = inputFormat;
	}

	/* some types can be inferred from format */
	if(rep->mExternType == kSecItemTypeUnknown) {
		SecExternalFormat format;
		if(rep->mExternFormat == kSecFormatUnknown) {
			/* caller specified */
			format = inputFormat;
		}
		else {
			/* maybe this is already set */
			format = rep->mExternFormat;
		}
		switch(format) {
			case kSecFormatUnknown:
				break;
			case kSecFormatPKCS7:
			case kSecFormatPKCS12:
			case kSecFormatPEMSequence:
			case kSecFormatNetscapeCertSequence:
				rep->mExternType = kSecItemTypeAggregate;
				break;
			case kSecFormatRawKey:
				rep->mExternType = kSecItemTypeSessionKey;
				break;
			case kSecFormatX509Cert:
				rep->mExternType = kSecItemTypeCertificate;
				break;
			case kSecFormatWrappedPKCS8:
			case kSecFormatWrappedOpenSSL:
			case kSecFormatWrappedSSH:
				rep->mExternType = kSecItemTypePrivateKey;
				break;
			case kSecFormatSSHv2:
				rep->mExternType = kSecItemTypePublicKey;
				break;
			case kSecFormatOpenSSL:
			case kSecFormatBSAFE:
			case kSecFormatWrappedLSH:
			default:
				/* can be private or session (right? */
				break;
		}
	}

	/* some formats can be inferred from type */
	if(rep->mExternFormat == kSecFormatUnknown) {
		SecExternalItemType thisType;
		if(rep->mExternType == kSecItemTypeUnknown) {
			/* caller specified */
			thisType = itemType;
		}
		else {
			/* maybe this is already set */
			thisType = rep->mExternType;
		}
		switch(thisType) {
			case kSecItemTypeCertificate:
				rep->mExternFormat = kSecFormatX509Cert;
				break;
			/* any others? */
			default:
				break;
		}
	}

	/*
	 * Wrapped private keys don't need algorithm
	 * Some formats implies algorithm
	 */
	bool isWrapped = false;
	switch(rep->mExternFormat) {
		case kSecFormatWrappedPKCS8:
		case kSecFormatWrappedOpenSSL:
		case kSecFormatWrappedLSH:
			isWrapped = true;
			break;
		case kSecFormatWrappedSSH:
			isWrapped = true;
			rep->mKeyAlg = CSSM_ALGID_RSA;
			break;
		case kSecFormatSSH:
			rep->mKeyAlg = CSSM_ALGID_RSA;
			break;
		default:
			break;
	}

	/* Are we there yet? */
	bool done = true;
	if((rep->mExternType   == kSecItemTypeUnknown) ||
	   (rep->mExternFormat == kSecFormatUnknown)) {
		done = false;
	}
	if(done) {
		switch(rep->mExternType) {
			case kSecItemTypePrivateKey:
			case kSecItemTypePublicKey:
				if(!isWrapped && (rep->mKeyAlg == CSSM_ALGID_NONE)) {
					/* gotta know this too */
					done = false;
				}
				break;
			default:
				break;
		}
	}
	if(!done) {
		/* infer from filename if possible */
		done = impExpImportParseFileExten(fileStr, &rep->mExternFormat,
			&rep->mExternType);
	}
	if(done) {
	   return true;
	}

	/* invoke black magic: try decoding various forms */
	return impExpImportGuessByExamination(rep->mExternal, &rep->mExternFormat,
		&rep->mExternType, &rep->mKeyAlg);
}

class CSPDLMaker
{
protected:
	CSSM_CSP_HANDLE mHandle;
    RecursiveMutex mMutex;

public:
	CSPDLMaker() : mHandle(cuCspStartup(CSSM_FALSE)) {}
	operator CSSM_CSP_HANDLE() {return mHandle;}
};

static ModuleNexus<CSPDLMaker> gCSPHandle;

OSStatus SecKeychainItemImport(
	CFDataRef							importedData,
	CFStringRef							fileNameOrExtension,	// optional
	SecExternalFormat					*inputFormat,			// optional, IN/OUT
	SecExternalItemType					*itemType,				// optional, IN/OUT
	SecItemImportExportFlags			flags,
	const SecKeyImportExportParameters  *keyParams,				// optional
	SecKeychainRef						importKeychain,			// optional
	CFArrayRef							*outItems)				/* optional */
{
	BEGIN_IMP_EXP_SECAPI

	bool				isPem;
	OSStatus			ortn = errSecSuccess;
	OSStatus			pem_ortn = errSecSuccess;
	SecImportRep		*rep = NULL;
	SecExternalFormat   callerInputFormat;
	SecExternalItemType callerItemType;
	CSSM_CSP_HANDLE		cspHand = 0;
	CFIndex				dex;
	CFStringRef			ourFileStr = NULL;

	if((importedData == NULL) || (CFDataGetLength(importedData) == 0)) {
		return errSecParam;
	}
	/* all other args are optional */

	if(inputFormat) {
		callerInputFormat = *inputFormat;
	}
	else {
		callerInputFormat = kSecFormatUnknown;
	}
	if(itemType) {
		callerItemType = *itemType;
	}
	else {
		callerItemType = kSecItemTypeUnknown;
	}

	CFIndex numReps = 0;
	SecExternalFormat tempFormat = callerInputFormat;
	SecExternalItemType tempType = callerItemType;
	ImpPrivKeyImportState keyImportState = PIS_NoLimit;

	CFMutableArrayRef importReps = CFArrayCreateMutable(NULL, 0, NULL);
	CFMutableArrayRef createdKcItems = CFArrayCreateMutable(NULL, 0,
		&kCFTypeArrayCallBacks);
	/* subsequent errors to errOut: */

	/*
	 * importedData --> one or more SecImportReps.
	 * Note successful PEM decode can override caller's inputFormat and/or itemType.
	 */
	pem_ortn = impExpParsePemToImportRefs(importedData, importReps, &isPem);
	/* remember how PEM decode failed, but continue to examine other possibilities */
	if(!isPem) {
		/* incoming blob is one binary item, type possibly unknown */
		rep = new SecImportRep(importedData, callerItemType, callerInputFormat,
			CSSM_ALGID_NONE);
		CFArrayAppendValue(importReps, rep);
		if(fileNameOrExtension) {
			ourFileStr = fileNameOrExtension;
			CFRetain(ourFileStr);
		}
	}
	else {
		/*
		 * Strip off possible .pem extension in case there's another one in
		 * front of it
		 */
		assert(CFArrayGetCount(importReps) >= 1);
		if(fileNameOrExtension) {
			if(CFStringHasSuffix(fileNameOrExtension, CFSTR(".pem"))) {
				ourFileStr = impExpImportDeleteExtension(fileNameOrExtension);
			}
			else {
				ourFileStr = fileNameOrExtension;
				CFRetain(ourFileStr);
			}
		}
	}

	/*
	 * Ensure we know type and format (and, for raw keys, algorithm) of each item.
	 */
	numReps = CFArrayGetCount(importReps);
	if(numReps > 1) {
		/*
		 * Incoming kSecFormatPEMSequence, caller specs are useless now.
		 * Hopefully the PEM parsing disclosed the info we'll need.
		 */
		if(ourFileStr) {
			CFRelease(ourFileStr);
			ourFileStr = NULL;
		}
		tempFormat = kSecFormatUnknown;
		tempType = kSecItemTypeUnknown;
	}
	for(dex=0; dex<numReps; dex++) {
		rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, dex);
		bool ok = impExpInferTypeAndFormat(rep, ourFileStr, tempFormat, tempType);
		if(!ok) {
			ortn = errSecUnknownFormat;
			goto errOut;
		}
	}

	/* Get a CSPDL handle, somehow, as convenience for lower level code */
	if(importKeychain != NULL) {
		ortn = SecKeychainGetCSPHandle(importKeychain, &cspHand);
		if(ortn) {
			goto errOut;
		}
	}
	else {
		cspHand = gCSPHandle();
	}

	if(keyParams && (keyParams->flags & kSecKeyImportOnlyOne)) {
		keyImportState = PIS_AllowOne;
	}

	/* Everything looks good: Go */
	for(CFIndex dex=0; dex<numReps; dex++) {
		rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, dex);
		ortn = rep->importRep(importKeychain, cspHand, flags, keyParams,
			keyImportState, createdKcItems);
		if(ortn) {
			goto errOut;
		}
	}

	/* Give as much info to caller as we can even if we got an error on import */
	if(inputFormat != NULL) {
		if(numReps > 1) {
			assert(isPem);
			*inputFormat = kSecFormatPEMSequence;
		}
		else {
			/* format from sole item in importReps */
			assert(numReps != 0);
			rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, 0);
			*inputFormat = rep->mExternFormat;
		}
	}
	if(itemType != NULL) {
		if(numReps > 1) {
			assert(isPem);
			*itemType = kSecItemTypeAggregate;
		}
		else {
			/* itemType from sole item in importReps */
			assert(numReps != 0);
			rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, 0);
			*itemType = rep->mExternType;
		}
	}
	if((ortn == errSecSuccess) && (outItems != NULL)) {
		/* return the array */
		*outItems = createdKcItems;
		createdKcItems = NULL;
	}
	/* else caller doesn't want SecKeychainItemsRefs; we'll release below */

errOut:
	if(createdKcItems) {
		CFRelease(createdKcItems);
	}
	if(importReps != NULL) {
		/* CFArray of our own classes, no auto release */
		CFIndex num = CFArrayGetCount(importReps);
		for(dex=0; dex<num; dex++) {
			rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, dex);
			delete rep;
		}
		CFRelease(importReps);
	}
	if(ourFileStr) {
		CFRelease(ourFileStr);
	}
	if(ortn) {
		/* error occurred importing non-PEM representation */
		return SecKeychainErrFromOSStatus(ortn);
	}
	if(pem_ortn == errSecUnsupportedFormat && numReps == 0) {
		/* error occurred importing as PEM, and no other rep was imported */
		return SecKeychainErrFromOSStatus(pem_ortn);
	}
	return errSecSuccess;

	END_IMP_EXP_SECAPI
}

OSStatus SecItemImport(
	CFDataRef							importedData,
	CFStringRef							fileNameOrExtension,	/* optional */
	SecExternalFormat					*inputFormat,			/* optional, IN/OUT */
	SecExternalItemType					*itemType,				/* optional, IN/OUT */
	SecItemImportExportFlags			flags,
	const SecItemImportExportKeyParameters  *keyParams,				/* optional */
	SecKeychainRef						importKeychain,			/* optional */
	CFArrayRef							*outItems)
{

	SecKeyImportExportParameters* oldStructPtr = NULL;
	SecKeyImportExportParameters oldStruct;
	memset(&oldStruct, 0, sizeof(oldStruct));


	if (NULL != keyParams)
	{
		if (ConvertSecKeyImportExportParametersToSecImportExportKeyParameters(NULL,
			keyParams, &oldStruct))
		{
			oldStructPtr = &oldStruct;
		}
	}

	return SecKeychainItemImport(importedData, fileNameOrExtension, inputFormat,
		itemType, flags, oldStructPtr, importKeychain, outItems);
}
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2004,2011-2014 Apple Inc. All Rights Reserved.
427c49bc	3	*
b1ab9ed8	4	* @APPLE_LICENSE_HEADER_START@
d8f41ccd	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
d8f41ccd	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
d8f41ccd	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
b1ab9ed8 A	22	*
427c49bc	23	* SecImport.cpp - high-level facility for importing Sec layer objects.
b1ab9ed8 A	24	*/
b1ab9ed8 A	25
6b200bc3	26	#include <Security/SecImportExport.h>
b1ab9ed8 A	27	#include "SecExternalRep.h"
	28	#include "SecImportExportPem.h"
	29	#include "SecImportExportUtils.h"
	30	#include <security_cdsa_utils/cuCdsaUtils.h>
	31	#include <security_utilities/globalizer.h>
427c49bc	32	#include <Security/SecBase.h>
b1ab9ed8	33
fa7225c8	34	#define SecImpInferDbg(args...) secinfo("SecImpInfer", ## args)
b1ab9ed8 A	35
	36	using namespace Security;
	37	using namespace KeychainCore;
	38
	39	/*
	40	* Do our best to ensure that a SecImportRep's type and format are known.
	41	* A return of true means that both format and type (and, if the item
427c49bc	42	* is a raw public or private key, the algorithm) are known.
b1ab9ed8 A	43	*/
	44	static bool impExpInferTypeAndFormat(
	45	SecImportRep *rep,
427c49bc	46	CFStringRef fileStr,
b1ab9ed8 A	47	SecExternalFormat inputFormat,
	48	SecExternalItemType itemType)
	49	{
	50	/* fill in blanks if caller knows them */
	51	if((rep->mExternType == kSecItemTypeUnknown) && (itemType != kSecItemTypeUnknown)) {
	52	rep->mExternType = itemType;
	53	}
	54	if((rep->mExternFormat == kSecFormatUnknown) && (inputFormat != kSecFormatUnknown)) {
	55	rep->mExternFormat = inputFormat;
	56	}
	57
	58	/* some types can be inferred from format */
	59	if(rep->mExternType == kSecItemTypeUnknown) {
	60	SecExternalFormat format;
	61	if(rep->mExternFormat == kSecFormatUnknown) {
	62	/* caller specified */
	63	format = inputFormat;
	64	}
	65	else {
	66	/* maybe this is already set */
	67	format = rep->mExternFormat;
	68	}
	69	switch(format) {
	70	case kSecFormatUnknown:
	71	break;
	72	case kSecFormatPKCS7:
427c49bc	73	case kSecFormatPKCS12:
b1ab9ed8 A	74	case kSecFormatPEMSequence:
	75	case kSecFormatNetscapeCertSequence:
	76	rep->mExternType = kSecItemTypeAggregate;
	77	break;
	78	case kSecFormatRawKey:
	79	rep->mExternType = kSecItemTypeSessionKey;
	80	break;
427c49bc	81	case kSecFormatX509Cert:
b1ab9ed8 A	82	rep->mExternType = kSecItemTypeCertificate;
	83	break;
	84	case kSecFormatWrappedPKCS8:
	85	case kSecFormatWrappedOpenSSL:
	86	case kSecFormatWrappedSSH:
	87	rep->mExternType = kSecItemTypePrivateKey;
	88	break;
	89	case kSecFormatSSHv2:
	90	rep->mExternType = kSecItemTypePublicKey;
	91	break;
	92	case kSecFormatOpenSSL:
	93	case kSecFormatBSAFE:
	94	case kSecFormatWrappedLSH:
	95	default:
	96	/* can be private or session (right? */
	97	break;
	98	}
	99	}
427c49bc	100
b1ab9ed8 A	101	/* some formats can be inferred from type */
	102	if(rep->mExternFormat == kSecFormatUnknown) {
	103	SecExternalItemType thisType;
	104	if(rep->mExternType == kSecItemTypeUnknown) {
	105	/* caller specified */
	106	thisType = itemType;
	107	}
	108	else {
	109	/* maybe this is already set */
	110	thisType = rep->mExternType;
	111	}
	112	switch(thisType) {
	113	case kSecItemTypeCertificate:
	114	rep->mExternFormat = kSecFormatX509Cert;
	115	break;
	116	/* any others? */
	117	default:
	118	break;
	119	}
	120	}
427c49bc A	121
	122	/*
	123	* Wrapped private keys don't need algorithm
b1ab9ed8 A	124	* Some formats implies algorithm
	125	*/
	126	bool isWrapped = false;
	127	switch(rep->mExternFormat) {
	128	case kSecFormatWrappedPKCS8:
	129	case kSecFormatWrappedOpenSSL:
	130	case kSecFormatWrappedLSH:
	131	isWrapped = true;
	132	break;
	133	case kSecFormatWrappedSSH:
	134	isWrapped = true;
	135	rep->mKeyAlg = CSSM_ALGID_RSA;
	136	break;
	137	case kSecFormatSSH:
	138	rep->mKeyAlg = CSSM_ALGID_RSA;
	139	break;
	140	default:
	141	break;
	142	}
427c49bc	143
b1ab9ed8 A	144	/* Are we there yet? */
	145	bool done = true;
	146	if((rep->mExternType == kSecItemTypeUnknown) \|\|
	147	(rep->mExternFormat == kSecFormatUnknown)) {
	148	done = false;
	149	}
	150	if(done) {
	151	switch(rep->mExternType) {
	152	case kSecItemTypePrivateKey:
	153	case kSecItemTypePublicKey:
	154	if(!isWrapped && (rep->mKeyAlg == CSSM_ALGID_NONE)) {
	155	/* gotta know this too */
	156	done = false;
	157	}
	158	break;
	159	default:
	160	break;
	161	}
	162	}
	163	if(!done) {
	164	/* infer from filename if possible */
427c49bc	165	done = impExpImportParseFileExten(fileStr, &rep->mExternFormat,
b1ab9ed8 A	166	&rep->mExternType);
	167	}
	168	if(done) {
	169	return true;
	170	}
	171
	172	/* invoke black magic: try decoding various forms */
	173	return impExpImportGuessByExamination(rep->mExternal, &rep->mExternFormat,
427c49bc	174	&rep->mExternType, &rep->mKeyAlg);
b1ab9ed8	175	}
427c49bc	176
b1ab9ed8 A	177	class CSPDLMaker
	178	{
	179	protected:
	180	CSSM_CSP_HANDLE mHandle;
427c49bc	181	RecursiveMutex mMutex;
b1ab9ed8 A	182
	183	public:
	184	CSPDLMaker() : mHandle(cuCspStartup(CSSM_FALSE)) {}
	185	operator CSSM_CSP_HANDLE() {return mHandle;}
	186	};
	187
	188	static ModuleNexus<CSPDLMaker> gCSPHandle;
	189
	190	OSStatus SecKeychainItemImport(
	191	CFDataRef importedData,
	192	CFStringRef fileNameOrExtension, // optional
	193	SecExternalFormat *inputFormat, // optional, IN/OUT
	194	SecExternalItemType *itemType, // optional, IN/OUT
427c49bc	195	SecItemImportExportFlags flags,
b1ab9ed8 A	196	const SecKeyImportExportParameters *keyParams, // optional
	197	SecKeychainRef importKeychain, // optional
	198	CFArrayRef outItems) / optional */
	199	{
	200	BEGIN_IMP_EXP_SECAPI
427c49bc	201
b1ab9ed8	202	bool isPem;
427c49bc A	203	OSStatus ortn = errSecSuccess;
427c49bc A	204	OSStatus pem_ortn = errSecSuccess;
b1ab9ed8 A	205	SecImportRep *rep = NULL;
	206	SecExternalFormat callerInputFormat;
	207	SecExternalItemType callerItemType;
	208	CSSM_CSP_HANDLE cspHand = 0;
	209	CFIndex dex;
	210	CFStringRef ourFileStr = NULL;
427c49bc	211
b1ab9ed8	212	if((importedData == NULL) \|\| (CFDataGetLength(importedData) == 0)) {
427c49bc	213	return errSecParam;
b1ab9ed8 A	214	}
b1ab9ed8 A	215	/* all other args are optional */
427c49bc	216
b1ab9ed8 A	217	if(inputFormat) {
	218	callerInputFormat = *inputFormat;
	219	}
	220	else {
	221	callerInputFormat = kSecFormatUnknown;
	222	}
	223	if(itemType) {
	224	callerItemType = *itemType;
	225	}
	226	else {
	227	callerItemType = kSecItemTypeUnknown;
	228	}
427c49bc	229
b1ab9ed8 A	230	CFIndex numReps = 0;
	231	SecExternalFormat tempFormat = callerInputFormat;
	232	SecExternalItemType tempType = callerItemType;
	233	ImpPrivKeyImportState keyImportState = PIS_NoLimit;
	234
	235	CFMutableArrayRef importReps = CFArrayCreateMutable(NULL, 0, NULL);
427c49bc	236	CFMutableArrayRef createdKcItems = CFArrayCreateMutable(NULL, 0,
b1ab9ed8 A	237	&kCFTypeArrayCallBacks);
b1ab9ed8 A	238	/* subsequent errors to errOut: */
427c49bc A	239
427c49bc A	240	/*
b1ab9ed8 A	241	* importedData --> one or more SecImportReps.
	242	* Note successful PEM decode can override caller's inputFormat and/or itemType.
	243	*/
	244	pem_ortn = impExpParsePemToImportRefs(importedData, importReps, &isPem);
	245	/* remember how PEM decode failed, but continue to examine other possibilities */
	246	if(!isPem) {
	247	/* incoming blob is one binary item, type possibly unknown */
	248	rep = new SecImportRep(importedData, callerItemType, callerInputFormat,
	249	CSSM_ALGID_NONE);
	250	CFArrayAppendValue(importReps, rep);
	251	if(fileNameOrExtension) {
	252	ourFileStr = fileNameOrExtension;
	253	CFRetain(ourFileStr);
	254	}
	255	}
	256	else {
427c49bc A	257	/*
	258	* Strip off possible .pem extension in case there's another one in
	259	* front of it
b1ab9ed8 A	260	*/
	261	assert(CFArrayGetCount(importReps) >= 1);
	262	if(fileNameOrExtension) {
	263	if(CFStringHasSuffix(fileNameOrExtension, CFSTR(".pem"))) {
	264	ourFileStr = impExpImportDeleteExtension(fileNameOrExtension);
	265	}
	266	else {
	267	ourFileStr = fileNameOrExtension;
	268	CFRetain(ourFileStr);
	269	}
	270	}
	271	}
427c49bc A	272
	273	/*
	274	* Ensure we know type and format (and, for raw keys, algorithm) of each item.
b1ab9ed8	275	*/
427c49bc	276	numReps = CFArrayGetCount(importReps);
b1ab9ed8	277	if(numReps > 1) {
427c49bc	278	/*
b1ab9ed8 A	279	* Incoming kSecFormatPEMSequence, caller specs are useless now.
	280	* Hopefully the PEM parsing disclosed the info we'll need.
	281	*/
	282	if(ourFileStr) {
	283	CFRelease(ourFileStr);
	284	ourFileStr = NULL;
	285	}
	286	tempFormat = kSecFormatUnknown;
	287	tempType = kSecItemTypeUnknown;
	288	}
	289	for(dex=0; dex<numReps; dex++) {
	290	rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, dex);
	291	bool ok = impExpInferTypeAndFormat(rep, ourFileStr, tempFormat, tempType);
	292	if(!ok) {
	293	ortn = errSecUnknownFormat;
	294	goto errOut;
	295	}
	296	}
	297
	298	/* Get a CSPDL handle, somehow, as convenience for lower level code */
	299	if(importKeychain != NULL) {
	300	ortn = SecKeychainGetCSPHandle(importKeychain, &cspHand);
	301	if(ortn) {
	302	goto errOut;
	303	}
	304	}
	305	else {
	306	cspHand = gCSPHandle();
	307	}
427c49bc	308
b1ab9ed8 A	309	if(keyParams && (keyParams->flags & kSecKeyImportOnlyOne)) {
	310	keyImportState = PIS_AllowOne;
	311	}
427c49bc A	312
427c49bc A	313	/* Everything looks good: Go */
b1ab9ed8 A	314	for(CFIndex dex=0; dex<numReps; dex++) {
b1ab9ed8 A	315	rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, dex);
427c49bc	316	ortn = rep->importRep(importKeychain, cspHand, flags, keyParams,
b1ab9ed8 A	317	keyImportState, createdKcItems);
	318	if(ortn) {
	319	goto errOut;
	320	}
	321	}
	322
	323	/* Give as much info to caller as we can even if we got an error on import */
	324	if(inputFormat != NULL) {
	325	if(numReps > 1) {
	326	assert(isPem);
	327	*inputFormat = kSecFormatPEMSequence;
	328	}
	329	else {
	330	/* format from sole item in importReps */
	331	assert(numReps != 0);
	332	rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, 0);
	333	*inputFormat = rep->mExternFormat;
	334	}
	335	}
	336	if(itemType != NULL) {
	337	if(numReps > 1) {
	338	assert(isPem);
	339	*itemType = kSecItemTypeAggregate;
	340	}
	341	else {
	342	/* itemType from sole item in importReps */
	343	assert(numReps != 0);
	344	rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, 0);
	345	*itemType = rep->mExternType;
	346	}
	347	}
427c49bc	348	if((ortn == errSecSuccess) && (outItems != NULL)) {
b1ab9ed8 A	349	/* return the array */
	350	*outItems = createdKcItems;
	351	createdKcItems = NULL;
	352	}
	353	/* else caller doesn't want SecKeychainItemsRefs; we'll release below */
	354
	355	errOut:
	356	if(createdKcItems) {
	357	CFRelease(createdKcItems);
	358	}
	359	if(importReps != NULL) {
	360	/* CFArray of our own classes, no auto release */
	361	CFIndex num = CFArrayGetCount(importReps);
	362	for(dex=0; dex<num; dex++) {
	363	rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, dex);
	364	delete rep;
	365	}
	366	CFRelease(importReps);
	367	}
	368	if(ourFileStr) {
	369	CFRelease(ourFileStr);
	370	}
	371	if(ortn) {
	372	/* error occurred importing non-PEM representation */
	373	return SecKeychainErrFromOSStatus(ortn);
	374	}
	375	if(pem_ortn == errSecUnsupportedFormat && numReps == 0) {
	376	/* error occurred importing as PEM, and no other rep was imported */
	377	return SecKeychainErrFromOSStatus(pem_ortn);
	378	}
427c49bc A	379	return errSecSuccess;
427c49bc A	380
b1ab9ed8 A	381	END_IMP_EXP_SECAPI
	382	}
	383
	384	OSStatus SecItemImport(
	385	CFDataRef importedData,
	386	CFStringRef fileNameOrExtension, /* optional */
	387	SecExternalFormat inputFormat, / optional, IN/OUT */
	388	SecExternalItemType itemType, / optional, IN/OUT */
427c49bc	389	SecItemImportExportFlags flags,
b1ab9ed8 A	390	const SecItemImportExportKeyParameters keyParams, / optional */
	391	SecKeychainRef importKeychain, /* optional */
	392	CFArrayRef *outItems)
	393	{
427c49bc	394
b1ab9ed8 A	395	SecKeyImportExportParameters* oldStructPtr = NULL;
	396	SecKeyImportExportParameters oldStruct;
	397	memset(&oldStruct, 0, sizeof(oldStruct));
427c49bc A	398
427c49bc A	399
b1ab9ed8 A	400	if (NULL != keyParams)
	401	{
	402	if (ConvertSecKeyImportExportParametersToSecImportExportKeyParameters(NULL,
	403	keyParams, &oldStruct))
	404	{
	405	oldStructPtr = &oldStruct;
	406	}
	407	}
427c49bc A	408
427c49bc A	409	return SecKeychainItemImport(importedData, fileNameOrExtension, inputFormat,
b1ab9ed8 A	410	itemType, flags, oldStructPtr, importKeychain, outItems);
	411	}
	412