]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_keychain/lib/SecExport.cpp
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-59754.80.3.tar.gz
[apple/security.git] / OSX / libsecurity_keychain / lib / SecExport.cpp
1 /*
2 * Copyright (c) 2004,2011-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * SecExport.cpp - high-level facility for exporting Sec layer objects.
24 */
25
26 #include <Security/SecImportExport.h>
27 #include "SecImportExportAgg.h"
28 #include "SecImportExportPem.h"
29 #include "SecExternalRep.h"
30 #include "SecImportExportUtils.h"
31 #include <security_utilities/errors.h>
32 #include <Security/SecIdentity.h>
33 #include <Security/SecIdentityPriv.h>
34 #include <Security/SecItem.h>
35 #include <Security/SecBase.h>
36 #include <security_utilities/simulatecrash_assert.h>
37 using namespace Security;
38 using namespace KeychainCore;
39
40 /*
41 * Convert Sec item to one or two SecExportReps, append to exportReps array.
42 * The "one or two" clause exists for SecIdentityRefs, which we split into
43 * a cert and a key.
44 * Throws a MacOSError if incoming CFTypeRef is of type other than SecKeyRef,
45 * SecCertRef, or SecIdentityRef.
46 */
47 static void impExpAddToExportReps(
48 CFTypeRef thing, // Key, Cert, Identity
49 CFMutableArrayRef exportReps,
50 unsigned &numCerts, // IN/OUT - accumulated
51 unsigned &numKeys) // IN/OUT - accumulated
52 {
53 if(CFGetTypeID(thing) == SecIdentityGetTypeID()) {
54 /* special case for SecIdentities, creates two SecExportReps */
55 OSStatus ortn;
56 SecIdentityRef idRef = (SecIdentityRef)thing;
57 SecCertificateRef certRef;
58 SecKeyRef keyRef;
59 SecExportRep *rep;
60
61 /* cert */
62 SecImpExpDbg("impExpAddToExportReps: adding identity cert and key");
63 ortn = SecIdentityCopyCertificate(idRef, &certRef);
64 if(ortn) {
65 Security::MacOSError::throwMe(ortn);
66 }
67 rep = SecExportRep::vend(certRef);
68 CFArrayAppendValue(exportReps, rep);
69 CFRelease(certRef); // SecExportRep holds a reference
70 numCerts++;
71
72 /* private key */
73 ortn = SecIdentityCopyPrivateKey(idRef, &keyRef);
74 if(ortn) {
75 Security::MacOSError::throwMe(ortn);
76 }
77 rep = SecExportRep::vend(keyRef);
78 CFArrayAppendValue(exportReps, rep);
79 CFRelease(keyRef); // SecExportRep holds a reference
80 numKeys++;
81 }
82 else {
83 /* this throws if 'thing' is an unacceptable type */
84 SecExportRep *rep = SecExportRep::vend(thing);
85 SecImpExpDbg("impExpAddToExportReps: adding single type %d",
86 (int)rep->externType());
87 CFArrayAppendValue(exportReps, rep);
88 if(rep->externType() == kSecItemTypeCertificate) {
89 numCerts++;
90 }
91 else {
92 numKeys++;
93 }
94 }
95 }
96
97 #pragma mark --- public export function ---
98
99 OSStatus SecKeychainItemExport(
100 CFTypeRef keychainItemOrArray,
101 SecExternalFormat outputFormat, // a SecExternalFormat
102 SecItemImportExportFlags flags, // kSecItemPemArmour, etc.
103 const SecKeyImportExportParameters *keyParams, // optional
104 CFDataRef *exportedData) // external representation
105 // returned here
106 {
107 BEGIN_IMP_EXP_SECAPI
108
109 /* some basic input validation */
110 if(keychainItemOrArray == NULL) {
111 return errSecParam;
112 }
113 if(keyParams != NULL) {
114 /* can't specify explicit passphrase and ask for secure one */
115 if( (keyParams->passphrase != NULL) &&
116 ((keyParams->flags & kSecKeySecurePassphrase) != 0)) {
117 return errSecParam;
118 }
119 }
120
121 unsigned numKeys = 0;
122 unsigned numCerts = 0;
123 unsigned numTotalExports = 0;
124 OSStatus ortn = errSecSuccess;
125 SecExportRep *rep = NULL; // common temp variable
126 CFMutableDataRef outputData = NULL;
127 const char *pemHeader = "UNKNOWN";
128
129 /* convert keychainItemOrArray to CFArray of SecExportReps */
130 CFMutableArrayRef exportReps = CFArrayCreateMutable(NULL, 0, NULL);
131 /* subsequent errors to errOut: */
132
133 try {
134 if(CFGetTypeID(keychainItemOrArray) == CFArrayGetTypeID()) {
135 CFArrayRef arr = (CFArrayRef)keychainItemOrArray;
136 CFIndex arraySize = CFArrayGetCount(arr);
137 for(CFIndex dex=0; dex<arraySize; dex++) {
138 impExpAddToExportReps(CFArrayGetValueAtIndex(arr, dex),
139 exportReps, numCerts, numKeys);
140 }
141 }
142 else {
143 impExpAddToExportReps(keychainItemOrArray, exportReps, numCerts, numKeys);
144 }
145 }
146 catch(const Security::MacOSError osErr) {
147 ortn = osErr.error;
148 goto errOut;
149 }
150 catch(...) {
151 ortn = errSecParam;
152 goto errOut;
153 }
154 numTotalExports = (unsigned int)CFArrayGetCount(exportReps);
155 assert((numCerts + numKeys) == numTotalExports);
156 if((numTotalExports > 1) && (outputFormat == kSecFormatUnknown)) {
157 /* default aggregate format is PEM sequence */
158 outputFormat = kSecFormatPEMSequence;
159 }
160
161 /*
162 * Break out to SecExternalFormat-specific code, appending all data to outputData
163 */
164 outputData = CFDataCreateMutable(NULL, 0);
165 switch(outputFormat) {
166 case kSecFormatPKCS7:
167 ortn = impExpPkcs7Export(exportReps, flags, keyParams, outputData);
168 pemHeader = PEM_STRING_PKCS7;
169 break;
170 case kSecFormatPKCS12:
171 ortn = impExpPkcs12Export(exportReps, flags, keyParams, outputData);
172 pemHeader = PEM_STRING_PKCS12;
173 break;
174 case kSecFormatPEMSequence:
175 {
176 /*
177 * A bit of a special case. Create an intermediate DER encoding
178 * of each SecExportRef, in the default format for that item;
179 * PEM encode the result, and append the PEM encoding to
180 * outputData.
181 */
182 CFIndex numReps = CFArrayGetCount(exportReps);
183 for(CFIndex dex=0; dex<numReps; dex++) {
184
185 rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, dex);
186
187 /* default DER encoding */
188 CFMutableDataRef tmpData = CFDataCreateMutable(NULL, 0);
189 ortn = rep->exportRep(kSecFormatUnknown, flags, keyParams,
190 tmpData, &pemHeader);
191 if(ortn) {
192 SecImpExpDbg("ItemExport: releasing tmpData %p", tmpData);
193 CFRelease(tmpData);
194 goto errOut;
195 }
196
197 /* PEM to accumulating output */
198 assert(rep->pemParamLines() == NULL);
199 ortn = impExpPemEncodeExportRep((CFDataRef)tmpData,
200 pemHeader, NULL, /* no pemParamLines, right? */
201 outputData);
202 CFRelease(tmpData);
203 if(ortn) {
204 goto errOut;
205 }
206 }
207 break;
208 }
209
210 /* Enumerate remainder explicitly for clarity; all are single-item forms */
211 case kSecFormatOpenSSL:
212 case kSecFormatSSH:
213 case kSecFormatSSHv2:
214 case kSecFormatBSAFE:
215 case kSecFormatRawKey:
216 case kSecFormatWrappedPKCS8:
217 case kSecFormatWrappedOpenSSL:
218 case kSecFormatWrappedSSH:
219 case kSecFormatWrappedLSH:
220 case kSecFormatX509Cert:
221 case kSecFormatUnknown: // i.e., default, handled by SecExportRep
222 {
223 unsigned foundCount = 0;
224
225 /* verify that we have exactly one of specified item */
226 if(outputFormat == kSecFormatX509Cert) {
227 foundCount = numCerts;
228 }
229 else if(outputFormat == kSecFormatUnknown) {
230 /* can't go wrong */
231 foundCount = numTotalExports;
232 }
233 else {
234 foundCount = numKeys;
235 }
236 if((numTotalExports != 1) || (foundCount != 1)) {
237 SecImpExpDbg("Export single item format with other than one item");
238 ortn = errSecParam;
239 goto errOut;
240 }
241 assert(CFArrayGetCount(exportReps) == 1);
242 rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, 0);
243 ortn = rep->exportRep(outputFormat, flags,
244 keyParams, outputData, &pemHeader);
245 break;
246 }
247 default:
248 SecImpExpDbg("SecKeychainItemExport: bad format (%u)",
249 (unsigned)outputFormat);
250 ortn = errSecParam;
251 goto errOut;
252 }
253
254 /*
255 * Final step: possible PEM encode. Skip for kSecFormatPEMSequence (in which
256 * case outputData is all ready to ship out to the caller); mandatory
257 * if exportRep has a non-NULL pemParamLines (which can only happen if we're
258 * exporting a single item).
259 */
260 if(ortn == errSecSuccess) {
261 if(outputFormat == kSecFormatPEMSequence) {
262 *exportedData = outputData;
263 outputData = NULL;
264 }
265 else {
266 rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, 0);
267 if((flags & kSecItemPemArmour) || (rep->pemParamLines() != NULL)) {
268 /* PEM encode a single item */
269 CFMutableDataRef tmpData = CFDataCreateMutable(NULL, 0);
270 ortn = impExpPemEncodeExportRep((CFDataRef)outputData, pemHeader,
271 rep->pemParamLines(), tmpData);
272 CFRelease(outputData); // done with this
273 outputData = NULL;
274 *exportedData = tmpData; // caller gets PEM
275 }
276 else {
277 *exportedData = outputData;
278 outputData = NULL;
279 }
280 }
281 }
282 errOut:
283 if(exportReps != NULL) {
284 /* CFArray of our own classes, no auto release */
285 CFIndex num = CFArrayGetCount(exportReps);
286 for(CFIndex dex=0; dex<num; dex++) {
287 rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, dex);
288 delete rep;
289 }
290 CFRelease(exportReps);
291 }
292 if(outputData != NULL) {
293 CFRelease(outputData);
294 outputData = NULL;
295 }
296 if(ortn) {
297 return SecKeychainErrFromOSStatus(ortn);
298 }
299 else {
300 return errSecSuccess;
301 }
302
303 END_IMP_EXP_SECAPI
304 }
305
306
307 OSStatus SecItemExport(CFTypeRef secItemOrArray, SecExternalFormat outputFormat,
308 SecItemImportExportFlags flags, /* kSecItemPemArmor, etc. */
309 const SecItemImportExportKeyParameters *keyParams, /* optional */
310 CFDataRef *exportedData)
311 {
312 SecKeyImportExportParameters* oldStructPtr = NULL;
313 SecKeyImportExportParameters oldStruct;
314 memset(&oldStruct, 0, sizeof(oldStruct));
315
316 if (NULL != keyParams)
317 {
318
319 SecKeyRef tempKey = NULL;
320
321 if (SecKeyGetTypeID() == CFGetTypeID(secItemOrArray))
322 {
323 tempKey = (SecKeyRef)secItemOrArray;
324 }
325
326 if (ConvertSecKeyImportExportParametersToSecImportExportKeyParameters(tempKey,
327 keyParams, &oldStruct))
328 {
329 oldStructPtr = &oldStruct;
330 }
331 }
332
333 return SecKeychainItemExport(secItemOrArray, outputFormat, flags, oldStructPtr, exportedData);
334 }
335
336
337
338
339
340
341
mirror of Security