| | 1 | /* |
| | 2 | * Copyright (c) 2004,2011-2014 Apple Inc. All Rights Reserved. |
| | 3 | * |
| | 4 | * @APPLE_LICENSE_HEADER_START@ |
| | 5 | * |
| | 6 | * This file contains Original Code and/or Modifications of Original Code |
| | 7 | * as defined in and that are subject to the Apple Public Source License |
| | 8 | * Version 2.0 (the 'License'). You may not use this file except in |
| | 9 | * compliance with the License. Please obtain a copy of the License at |
| | 10 | * http://www.opensource.apple.com/apsl/ and read it before using this |
| | 11 | * file. |
| | 12 | * |
| | 13 | * The Original Code and all software distributed under the License are |
| | 14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
| | 15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
| | 16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
| | 17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
| | 18 | * Please see the License for the specific language governing rights and |
| | 19 | * limitations under the License. |
| | 20 | * |
| | 21 | * @APPLE_LICENSE_HEADER_END@ |
| | 22 | * |
| | 23 | * SecExport.cpp - high-level facility for exporting Sec layer objects. |
| | 24 | */ |
| | 25 | |
| | 26 | #include <Security/SecImportExport.h> |
| | 27 | #include "SecImportExportAgg.h" |
| | 28 | #include "SecImportExportPem.h" |
| | 29 | #include "SecExternalRep.h" |
| | 30 | #include "SecImportExportUtils.h" |
| | 31 | #include <security_utilities/errors.h> |
| | 32 | #include <Security/SecIdentity.h> |
| | 33 | #include <Security/SecIdentityPriv.h> |
| | 34 | #include <Security/SecItem.h> |
| | 35 | #include <Security/SecBase.h> |
| | 36 | #include <security_utilities/simulatecrash_assert.h> |
| | 37 | using namespace Security; |
| | 38 | using namespace KeychainCore; |
| | 39 | |
| | 40 | /* |
| | 41 | * Convert Sec item to one or two SecExportReps, append to exportReps array. |
| | 42 | * The "one or two" clause exists for SecIdentityRefs, which we split into |
| | 43 | * a cert and a key. |
| | 44 | * Throws a MacOSError if incoming CFTypeRef is of type other than SecKeyRef, |
| | 45 | * SecCertRef, or SecIdentityRef. |
| | 46 | */ |
| | 47 | static void impExpAddToExportReps( |
| | 48 | CFTypeRef thing, // Key, Cert, Identity |
| | 49 | CFMutableArrayRef exportReps, |
| | 50 | unsigned &numCerts, // IN/OUT - accumulated |
| | 51 | unsigned &numKeys) // IN/OUT - accumulated |
| | 52 | { |
| | 53 | if(CFGetTypeID(thing) == SecIdentityGetTypeID()) { |
| | 54 | /* special case for SecIdentities, creates two SecExportReps */ |
| | 55 | OSStatus ortn; |
| | 56 | SecIdentityRef idRef = (SecIdentityRef)thing; |
| | 57 | SecCertificateRef certRef; |
| | 58 | SecKeyRef keyRef; |
| | 59 | SecExportRep *rep; |
| | 60 | |
| | 61 | /* cert */ |
| | 62 | SecImpExpDbg("impExpAddToExportReps: adding identity cert and key"); |
| | 63 | ortn = SecIdentityCopyCertificate(idRef, &certRef); |
| | 64 | if(ortn) { |
| | 65 | Security::MacOSError::throwMe(ortn); |
| | 66 | } |
| | 67 | rep = SecExportRep::vend(certRef); |
| | 68 | CFArrayAppendValue(exportReps, rep); |
| | 69 | CFRelease(certRef); // SecExportRep holds a reference |
| | 70 | numCerts++; |
| | 71 | |
| | 72 | /* private key */ |
| | 73 | ortn = SecIdentityCopyPrivateKey(idRef, &keyRef); |
| | 74 | if(ortn) { |
| | 75 | Security::MacOSError::throwMe(ortn); |
| | 76 | } |
| | 77 | rep = SecExportRep::vend(keyRef); |
| | 78 | CFArrayAppendValue(exportReps, rep); |
| | 79 | CFRelease(keyRef); // SecExportRep holds a reference |
| | 80 | numKeys++; |
| | 81 | } |
| | 82 | else { |
| | 83 | /* this throws if 'thing' is an unacceptable type */ |
| | 84 | SecExportRep *rep = SecExportRep::vend(thing); |
| | 85 | SecImpExpDbg("impExpAddToExportReps: adding single type %d", |
| | 86 | (int)rep->externType()); |
| | 87 | CFArrayAppendValue(exportReps, rep); |
| | 88 | if(rep->externType() == kSecItemTypeCertificate) { |
| | 89 | numCerts++; |
| | 90 | } |
| | 91 | else { |
| | 92 | numKeys++; |
| | 93 | } |
| | 94 | } |
| | 95 | } |
| | 96 | |
| | 97 | #pragma mark --- public export function --- |
| | 98 | |
| | 99 | OSStatus SecKeychainItemExport( |
| | 100 | CFTypeRef keychainItemOrArray, |
| | 101 | SecExternalFormat outputFormat, // a SecExternalFormat |
| | 102 | SecItemImportExportFlags flags, // kSecItemPemArmour, etc. |
| | 103 | const SecKeyImportExportParameters *keyParams, // optional |
| | 104 | CFDataRef *exportedData) // external representation |
| | 105 | // returned here |
| | 106 | { |
| | 107 | BEGIN_IMP_EXP_SECAPI |
| | 108 | |
| | 109 | /* some basic input validation */ |
| | 110 | if(keychainItemOrArray == NULL) { |
| | 111 | return errSecParam; |
| | 112 | } |
| | 113 | if(keyParams != NULL) { |
| | 114 | /* can't specify explicit passphrase and ask for secure one */ |
| | 115 | if( (keyParams->passphrase != NULL) && |
| | 116 | ((keyParams->flags & kSecKeySecurePassphrase) != 0)) { |
| | 117 | return errSecParam; |
| | 118 | } |
| | 119 | } |
| | 120 | |
| | 121 | unsigned numKeys = 0; |
| | 122 | unsigned numCerts = 0; |
| | 123 | unsigned numTotalExports = 0; |
| | 124 | OSStatus ortn = errSecSuccess; |
| | 125 | SecExportRep *rep = NULL; // common temp variable |
| | 126 | CFMutableDataRef outputData = NULL; |
| | 127 | const char *pemHeader = "UNKNOWN"; |
| | 128 | |
| | 129 | /* convert keychainItemOrArray to CFArray of SecExportReps */ |
| | 130 | CFMutableArrayRef exportReps = CFArrayCreateMutable(NULL, 0, NULL); |
| | 131 | /* subsequent errors to errOut: */ |
| | 132 | |
| | 133 | try { |
| | 134 | if(CFGetTypeID(keychainItemOrArray) == CFArrayGetTypeID()) { |
| | 135 | CFArrayRef arr = (CFArrayRef)keychainItemOrArray; |
| | 136 | CFIndex arraySize = CFArrayGetCount(arr); |
| | 137 | for(CFIndex dex=0; dex<arraySize; dex++) { |
| | 138 | impExpAddToExportReps(CFArrayGetValueAtIndex(arr, dex), |
| | 139 | exportReps, numCerts, numKeys); |
| | 140 | } |
| | 141 | } |
| | 142 | else { |
| | 143 | impExpAddToExportReps(keychainItemOrArray, exportReps, numCerts, numKeys); |
| | 144 | } |
| | 145 | } |
| | 146 | catch(const Security::MacOSError osErr) { |
| | 147 | ortn = osErr.error; |
| | 148 | goto errOut; |
| | 149 | } |
| | 150 | catch(...) { |
| | 151 | ortn = errSecParam; |
| | 152 | goto errOut; |
| | 153 | } |
| | 154 | numTotalExports = (unsigned int)CFArrayGetCount(exportReps); |
| | 155 | assert((numCerts + numKeys) == numTotalExports); |
| | 156 | if((numTotalExports > 1) && (outputFormat == kSecFormatUnknown)) { |
| | 157 | /* default aggregate format is PEM sequence */ |
| | 158 | outputFormat = kSecFormatPEMSequence; |
| | 159 | } |
| | 160 | |
| | 161 | /* |
| | 162 | * Break out to SecExternalFormat-specific code, appending all data to outputData |
| | 163 | */ |
| | 164 | outputData = CFDataCreateMutable(NULL, 0); |
| | 165 | switch(outputFormat) { |
| | 166 | case kSecFormatPKCS7: |
| | 167 | ortn = impExpPkcs7Export(exportReps, flags, keyParams, outputData); |
| | 168 | pemHeader = PEM_STRING_PKCS7; |
| | 169 | break; |
| | 170 | case kSecFormatPKCS12: |
| | 171 | ortn = impExpPkcs12Export(exportReps, flags, keyParams, outputData); |
| | 172 | pemHeader = PEM_STRING_PKCS12; |
| | 173 | break; |
| | 174 | case kSecFormatPEMSequence: |
| | 175 | { |
| | 176 | /* |
| | 177 | * A bit of a special case. Create an intermediate DER encoding |
| | 178 | * of each SecExportRef, in the default format for that item; |
| | 179 | * PEM encode the result, and append the PEM encoding to |
| | 180 | * outputData. |
| | 181 | */ |
| | 182 | CFIndex numReps = CFArrayGetCount(exportReps); |
| | 183 | for(CFIndex dex=0; dex<numReps; dex++) { |
| | 184 | |
| | 185 | rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, dex); |
| | 186 | |
| | 187 | /* default DER encoding */ |
| | 188 | CFMutableDataRef tmpData = CFDataCreateMutable(NULL, 0); |
| | 189 | ortn = rep->exportRep(kSecFormatUnknown, flags, keyParams, |
| | 190 | tmpData, &pemHeader); |
| | 191 | if(ortn) { |
| | 192 | SecImpExpDbg("ItemExport: releasing tmpData %p", tmpData); |
| | 193 | CFRelease(tmpData); |
| | 194 | goto errOut; |
| | 195 | } |
| | 196 | |
| | 197 | /* PEM to accumulating output */ |
| | 198 | assert(rep->pemParamLines() == NULL); |
| | 199 | ortn = impExpPemEncodeExportRep((CFDataRef)tmpData, |
| | 200 | pemHeader, NULL, /* no pemParamLines, right? */ |
| | 201 | outputData); |
| | 202 | CFRelease(tmpData); |
| | 203 | if(ortn) { |
| | 204 | goto errOut; |
| | 205 | } |
| | 206 | } |
| | 207 | break; |
| | 208 | } |
| | 209 | |
| | 210 | /* Enumerate remainder explicitly for clarity; all are single-item forms */ |
| | 211 | case kSecFormatOpenSSL: |
| | 212 | case kSecFormatSSH: |
| | 213 | case kSecFormatSSHv2: |
| | 214 | case kSecFormatBSAFE: |
| | 215 | case kSecFormatRawKey: |
| | 216 | case kSecFormatWrappedPKCS8: |
| | 217 | case kSecFormatWrappedOpenSSL: |
| | 218 | case kSecFormatWrappedSSH: |
| | 219 | case kSecFormatWrappedLSH: |
| | 220 | case kSecFormatX509Cert: |
| | 221 | case kSecFormatUnknown: // i.e., default, handled by SecExportRep |
| | 222 | { |
| | 223 | unsigned foundCount = 0; |
| | 224 | |
| | 225 | /* verify that we have exactly one of specified item */ |
| | 226 | if(outputFormat == kSecFormatX509Cert) { |
| | 227 | foundCount = numCerts; |
| | 228 | } |
| | 229 | else if(outputFormat == kSecFormatUnknown) { |
| | 230 | /* can't go wrong */ |
| | 231 | foundCount = numTotalExports; |
| | 232 | } |
| | 233 | else { |
| | 234 | foundCount = numKeys; |
| | 235 | } |
| | 236 | if((numTotalExports != 1) || (foundCount != 1)) { |
| | 237 | SecImpExpDbg("Export single item format with other than one item"); |
| | 238 | ortn = errSecParam; |
| | 239 | goto errOut; |
| | 240 | } |
| | 241 | assert(CFArrayGetCount(exportReps) == 1); |
| | 242 | rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, 0); |
| | 243 | ortn = rep->exportRep(outputFormat, flags, |
| | 244 | keyParams, outputData, &pemHeader); |
| | 245 | break; |
| | 246 | } |
| | 247 | default: |
| | 248 | SecImpExpDbg("SecKeychainItemExport: bad format (%u)", |
| | 249 | (unsigned)outputFormat); |
| | 250 | ortn = errSecParam; |
| | 251 | goto errOut; |
| | 252 | } |
| | 253 | |
| | 254 | /* |
| | 255 | * Final step: possible PEM encode. Skip for kSecFormatPEMSequence (in which |
| | 256 | * case outputData is all ready to ship out to the caller); mandatory |
| | 257 | * if exportRep has a non-NULL pemParamLines (which can only happen if we're |
| | 258 | * exporting a single item). |
| | 259 | */ |
| | 260 | if(ortn == errSecSuccess) { |
| | 261 | if(outputFormat == kSecFormatPEMSequence) { |
| | 262 | *exportedData = outputData; |
| | 263 | outputData = NULL; |
| | 264 | } |
| | 265 | else { |
| | 266 | rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, 0); |
| | 267 | if((flags & kSecItemPemArmour) || (rep->pemParamLines() != NULL)) { |
| | 268 | /* PEM encode a single item */ |
| | 269 | CFMutableDataRef tmpData = CFDataCreateMutable(NULL, 0); |
| | 270 | ortn = impExpPemEncodeExportRep((CFDataRef)outputData, pemHeader, |
| | 271 | rep->pemParamLines(), tmpData); |
| | 272 | CFRelease(outputData); // done with this |
| | 273 | outputData = NULL; |
| | 274 | *exportedData = tmpData; // caller gets PEM |
| | 275 | } |
| | 276 | else { |
| | 277 | *exportedData = outputData; |
| | 278 | outputData = NULL; |
| | 279 | } |
| | 280 | } |
| | 281 | } |
| | 282 | errOut: |
| | 283 | if(exportReps != NULL) { |
| | 284 | /* CFArray of our own classes, no auto release */ |
| | 285 | CFIndex num = CFArrayGetCount(exportReps); |
| | 286 | for(CFIndex dex=0; dex<num; dex++) { |
| | 287 | rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, dex); |
| | 288 | delete rep; |
| | 289 | } |
| | 290 | CFRelease(exportReps); |
| | 291 | } |
| | 292 | if(outputData != NULL) { |
| | 293 | CFRelease(outputData); |
| | 294 | outputData = NULL; |
| | 295 | } |
| | 296 | if(ortn) { |
| | 297 | return SecKeychainErrFromOSStatus(ortn); |
| | 298 | } |
| | 299 | else { |
| | 300 | return errSecSuccess; |
| | 301 | } |
| | 302 | |
| | 303 | END_IMP_EXP_SECAPI |
| | 304 | } |
| | 305 | |
| | 306 | |
| | 307 | OSStatus SecItemExport(CFTypeRef secItemOrArray, SecExternalFormat outputFormat, |
| | 308 | SecItemImportExportFlags flags, /* kSecItemPemArmor, etc. */ |
| | 309 | const SecItemImportExportKeyParameters *keyParams, /* optional */ |
| | 310 | CFDataRef *exportedData) |
| | 311 | { |
| | 312 | SecKeyImportExportParameters* oldStructPtr = NULL; |
| | 313 | SecKeyImportExportParameters oldStruct; |
| | 314 | memset(&oldStruct, 0, sizeof(oldStruct)); |
| | 315 | |
| | 316 | if (NULL != keyParams) |
| | 317 | { |
| | 318 | |
| | 319 | SecKeyRef tempKey = NULL; |
| | 320 | |
| | 321 | if (SecKeyGetTypeID() == CFGetTypeID(secItemOrArray)) |
| | 322 | { |
| | 323 | tempKey = (SecKeyRef)secItemOrArray; |
| | 324 | } |
| | 325 | |
| | 326 | if (ConvertSecKeyImportExportParametersToSecImportExportKeyParameters(tempKey, |
| | 327 | keyParams, &oldStruct)) |
| | 328 | { |
| | 329 | oldStructPtr = &oldStruct; |
| | 330 | } |
| | 331 | } |
| | 332 | |
| | 333 | return SecKeychainItemExport(secItemOrArray, outputFormat, flags, oldStructPtr, exportedData); |
| | 334 | } |
| | 335 | |
| | 336 | |
| | 337 | |
| | 338 | |
| | 339 | |
| | 340 | |
| | 341 | |
projects / apple / security.git / blame_incremental