]> git.saurik.com Git - apple/security.git/blob - keychain/SecureObjectSync/SOSUserKeygen.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-59306.101.1.tar.gz
[apple/security.git] / keychain / SecureObjectSync / SOSUserKeygen.m
1 /*
2 * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 #include "keychain/SecureObjectSync/SOSUserKeygen.h"
26 #include <stdio.h>
27 #include <corecrypto/ccrng.h>
28 #include <corecrypto/ccrng_pbkdf2_prng.h>
29 #include <corecrypto/ccec.h>
30 #include <corecrypto/ccdigest.h>
31 #include <corecrypto/ccsha2.h>
32 #include <CommonCrypto/CommonRandomSPI.h>
33 #include <Security/SecKey.h>
34 #include <Security/SecKeyPriv.h>
35 #include <Security/SecFramework.h>
36 #include <utilities/SecCFWrappers.h>
37 #include <utilities/SecCFRelease.h>
38 #include <utilities/debugging.h>
39 #include <Security/SecureObjectSync/SOSCloudCircle.h>
40 #include "keychain/SecureObjectSync/SOSInternal.h"
41 #include "keychain/SecureObjectSync/SOSAccount.h"
42 #include <Security/SecFramework.h>
43 #include <Security/SecItem.h>
44 #include <utilities/der_plist.h>
45 #include <utilities/der_plist_internal.h>
46
47 #include <corecrypto/ccder.h>
48 #include <Security/oidsalg.h>
49
50 // A.2 PBKDF2
51 //
52 // The object identifier id-PBKDF2 identifies the PBKDF2 key derivation
53 // function (Section 5.2).
54 //
55 // id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
56 //
57 // The parameters field associated with this OID in an
58 // AlgorithmIdentifier shall have type PBKDF2-params:
59 //
60 // PBKDF2-params ::= SEQUENCE {
61 // salt CHOICE {
62 // specified OCTET STRING,
63 // otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
64 // },
65 // iterationCount INTEGER (1..MAX),
66 // keyLength INTEGER (1..MAX) OPTIONAL,
67 // prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
68 // algid-hmacWithSHA1 }
69 //
70 // The fields of type PKDF2-params have the following meanings:
71
72
73 static size_t der_sizeof_SecAsn1Oid(const SecAsn1Oid* secasn_oid)
74 {
75 return ccder_sizeof(CCDER_OBJECT_IDENTIFIER, secasn_oid->Length);
76 }
77
78 static uint8_t *der_encode_SecAsn1Oid(const SecAsn1Oid* secasn_oid, const uint8_t *der, uint8_t *der_end)
79 {
80 return ccder_encode_tl(CCDER_OBJECT_IDENTIFIER, secasn_oid->Length, der,
81 ccder_encode_body(secasn_oid->Length, secasn_oid->Data, der, der_end));
82 }
83
84 static const uint8_t *der_expect_SecAsn1Oid(const SecAsn1Oid* secasn_oid, const uint8_t *der, const uint8_t *der_end)
85 {
86 size_t len = 0;
87 der = ccder_decode_tl(CCDER_OBJECT_IDENTIFIER, &len,
88 der, der_end);
89
90 if (secasn_oid->Length != len || memcmp(secasn_oid->Data, der, len) != 0)
91 der = NULL;
92 else
93 der += len;
94
95 return der;
96 }
97
98 static size_t der_sizeof_pbkdf2_params(size_t saltLen, const uint8_t *salt,
99 unsigned long iterationCount,
100 unsigned long keyLength)
101 {
102 size_t body_size = ccder_sizeof_raw_octet_string(saltLen)
103 + ccder_sizeof_uint64(iterationCount)
104 + ccder_sizeof_uint64(keyLength)
105 + der_sizeof_SecAsn1Oid(&CSSMOID_PKCS5_HMAC_SHA1);
106
107 return ccder_sizeof(CCDER_CONSTRUCTED_SEQUENCE, body_size);
108 }
109
110 static uint8_t *der_encode_pbkdf2_params(size_t saltLen, const uint8_t *salt,
111 unsigned long iterationCount,
112 unsigned long keyLength,
113 const uint8_t *der, uint8_t *der_end)
114 {
115 uint8_t* original_der_end = der_end;
116
117 return ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, original_der_end, der,
118 ccder_encode_raw_octet_string(saltLen, salt, der,
119 ccder_encode_uint64(iterationCount, der,
120 ccder_encode_uint64(keyLength, der,
121 der_encode_SecAsn1Oid(&CSSMOID_PKCS5_HMAC_SHA1, der, der_end)))));
122 }
123
124 static const uint8_t *der_decode_pbkdf2_params(size_t *saltLen, const uint8_t **salt,
125 unsigned long *iterationCount,
126 unsigned long *keyLength,
127 const uint8_t *der, const uint8_t *der_end)
128 {
129 const uint8_t * body_end = NULL;
130 der = ccder_decode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, &body_end, der, der_end);
131
132 if (body_end != der_end)
133 der = NULL;
134
135 size_t salt_size = 0;
136 const uint8_t *salt_bytes = NULL;
137
138 der = ccder_decode_tl(CCDER_OCTET_STRING, &salt_size, der, body_end);
139 salt_bytes = der;
140 der += salt_size;
141
142 uint64_t iteration_count = 0;
143 uint64_t key_len = 0;
144 der = ccder_decode_uint64(&iteration_count, der, body_end);
145 if (iteration_count > UINT32_MAX)
146 der = NULL;
147
148 der = ccder_decode_uint64(&key_len, der, body_end);
149 if (key_len > UINT32_MAX)
150 der = NULL;
151
152 der = der_expect_SecAsn1Oid(&CSSMOID_PKCS5_HMAC_SHA1, der, body_end);
153
154 if (der) {
155 if (salt)
156 *salt = salt_bytes;
157 if (saltLen)
158 *saltLen = salt_size;
159 if (iterationCount)
160 *iterationCount = (unsigned long)iteration_count;
161 if (keyLength)
162 *keyLength = (unsigned long) key_len;
163 }
164
165 return der;
166 }
167
168
169 static SecKeyRef ccec2SecKey(ccec_full_ctx_t fk)
170 {
171 size_t export_size = ccec_x963_export_size(1, ccec_ctx_pub(fk));
172 uint8_t export_keybytes[export_size];
173 ccec_x963_export(1, export_keybytes, fk);
174 CFDataRef exportedkey = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, export_keybytes, export_size, kCFAllocatorNull);
175
176 CFDictionaryRef keyattributes = CFDictionaryCreateForCFTypes(kCFAllocatorDefault,
177 kSecValueData, exportedkey,
178 kSecAttrKeyType, kSecAttrKeyTypeEC,
179 kSecAttrKeyClass, kSecAttrKeyClassPrivate,
180 NULL);
181
182 SecKeyRef retval = SecKeyCreateFromAttributeDictionary(keyattributes);
183
184 CFRelease(keyattributes);
185 CFRelease(exportedkey);
186 cc_clear(export_size, export_keybytes);
187 return retval;
188 }
189
190 #define SALTMAX 16
191 #define ITERATIONMIN 50000
192
193 CFDataRef SOSUserKeyCreateGenerateParameters(CFErrorRef *error) {
194 size_t saltlen = SALTMAX;
195 uint8_t salt[saltlen];
196
197 size_t iterations = ITERATIONMIN;
198 size_t keysize = 256;
199
200 if(CCRandomCopyBytes(kCCRandomDefault, salt, sizeof(salt)) != kCCSuccess) {
201 SOSCreateError(kSOSErrorProcessingFailure, CFSTR("CCRandomCopyBytes failed"), NULL, error);
202 return NULL;
203 }
204
205 CFMutableDataRef result = CFDataCreateMutable(kCFAllocatorDefault, 0);
206 CFDataSetLength(result, der_sizeof_pbkdf2_params(saltlen, salt, iterations, keysize));
207
208 uint8_t * encode = der_encode_pbkdf2_params(saltlen, salt, iterations, keysize,
209 CFDataGetBytePtr(result),
210 CFDataGetMutableBytePtr(result) + CFDataGetLength(result));
211
212 if (!encode)
213 CFReleaseNull(result);
214
215 if (result) {
216 secnotice("circleOps", "Created new parameters: iterations %zd, keysize %zd: %@", iterations, keysize, result);
217 }
218
219 return result;
220 }
221
222 SecKeyRef SOSUserKeygen(CFDataRef password, CFDataRef parameters, CFErrorRef *error)
223 {
224 size_t saltlen;
225 const uint8_t *salt = NULL;
226
227 size_t iterations = 0;
228 size_t keysize = 0;
229
230 const uint8_t *der = CFDataGetBytePtr(parameters);
231 const uint8_t *der_end = der + CFDataGetLength(parameters);
232
233 der = der_decode_pbkdf2_params(&saltlen, &salt, &iterations, &keysize, der, der_end);
234
235 if (der == NULL) {
236 SOSCreateErrorWithFormat(kSOSErrorDecodeFailure, NULL, error, NULL,
237 CFSTR("Bad paramter encoding, got: %@"), parameters);
238 return NULL;
239 }
240 if (keysize != 256) {
241 SOSCreateErrorWithFormat(kSOSErrorUnsupported, NULL, error, NULL,
242 CFSTR("Key size not supported, requested %zd."), keysize);
243 return NULL;
244 }
245 if (saltlen < 4) {
246 SOSCreateErrorWithFormat(kSOSErrorUnsupported, NULL, error, NULL,
247 CFSTR("Salt length not supported, requested %zd."), saltlen);
248 return NULL;
249 }
250 if (iterations < ITERATIONMIN) {
251 SOSCreateErrorWithFormat(kSOSErrorUnsupported, NULL, error, NULL,
252 CFSTR("Too few iterations, params suggested %zd."), iterations);
253 return NULL;
254 }
255
256 const uint8_t *password_bytes = CFDataGetBytePtr(password);
257 size_t password_length = CFDataGetLength(password);
258
259 ccec_const_cp_t cp = ccec_get_cp(keysize);
260 ccec_full_ctx_decl_cp(cp, tmpkey);
261
262 secnotice("circleOps", "Generating key for: iterations %zd, keysize %zd: %@", iterations, keysize, parameters);
263
264 size_t drbg_output_size=128;
265 uint8_t drbg_output[drbg_output_size];
266 ccpbkdf2_hmac(ccsha256_di(), password_length, password_bytes,
267 saltlen, salt,
268 iterations,
269 drbg_output_size, drbg_output);
270
271 int rngError = 0;
272 int keyError = -1;
273 struct ccrng_state *rng = ccrng(&rngError);
274 if(rng) {
275 keyError=ccec_generate_key_deterministic(cp, drbg_output_size, drbg_output, rng, CCEC_GENKEY_DETERMINISTIC_LEGACY, tmpkey);
276 cc_clear(drbg_output_size, drbg_output);
277 }
278
279 if(!rng || keyError != 0) {
280 SOSCreateError(kSOSErrorProcessingFailure, CFSTR("Keygen failed"), NULL, error);
281 return NULL;
282 }
283
284 return ccec2SecKey(tmpkey);
285 }
286
287 void debugDumpUserParameters(CFStringRef message, CFDataRef parameters)
288 {
289 CFStringRef keyparm = UserParametersDescription(parameters);
290 if (keyparm == NULL) {
291 secnotice("circleOps", "failed to decode pbkdf2 params");
292 return;
293 }
294 secnotice("circleOps", "%@ %@]", message, keyparm);
295 CFReleaseNull(keyparm);
296 }
297
298 CF_RETURNS_RETAINED CFStringRef UserParametersDescription(CFDataRef parameters){
299
300 __block CFStringRef description = NULL;
301 CFDataRef newParameters = NULL;
302 SecKeyRef newKey = NULL;
303
304 CFErrorRef error = NULL;
305 const uint8_t *parse_end = der_decode_cloud_parameters(kCFAllocatorDefault, kSecECDSAAlgorithmID,
306 &newKey, &newParameters, &error,
307 CFDataGetBytePtr(parameters), CFDataGetPastEndPtr(parameters));
308
309 if (parse_end != CFDataGetPastEndPtr(parameters)){
310 secdebug("circleOps", "failed to decode cloud parameters");
311 CFReleaseNull(newParameters);
312 CFReleaseNull(newKey);
313 return NULL;
314 }
315
316 size_t saltlen = 0;
317 const uint8_t *salt = NULL;
318
319 size_t iterations = 0;
320 size_t keysize = 0;
321
322 const uint8_t *der = CFDataGetBytePtr(newParameters);
323 const uint8_t *der_end = der + CFDataGetLength(newParameters);
324
325 der = der_decode_pbkdf2_params(&saltlen, &salt, &iterations, &keysize, der, der_end);
326 if (der != NULL) {
327 secdebug("circleOps", "failed to decode pbkdf2 params");
328 CFReleaseNull(newParameters);
329 CFReleaseNull(newKey);
330 return NULL;
331 }
332
333 CFStringRef userPubKeyID = SOSCopyIDOfKeyWithLength(newKey, 8, NULL);
334
335 BufferPerformWithHexString(salt, 4, ^(CFStringRef saltHex) { // Only dump 4 bytes worth of salthex
336 CFDataPerformWithHexString(newParameters, ^(CFStringRef parametersHex) {
337 description = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("<Params: iter: %zd, size: %zd, salt: %@> <keyid: %@>"), iterations, keysize, saltHex, userPubKeyID);
338 });
339 });
340
341 CFReleaseNull(newParameters);
342 CFReleaseNull(newKey);
343 CFReleaseNull(userPubKeyID);
344
345 return description;
346 }
347
mirror of Security