]> git.saurik.com Git - apple/security.git/blob - keychain/ot/OTBottledPeer.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-59306.11.20.tar.gz
[apple/security.git] / keychain / ot / OTBottledPeer.m
1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #import "OTBottledPeer.h"
25
26 #if OCTAGON
27 #import <SecurityFoundation/SFEncryptionOperation.h>
28 #import <SecurityFoundation/SFSigningOperation.h>
29 #import <SecurityFoundation/SFDigestOperation.h>
30 #import <SecurityFoundation/SFKey.h>
31 #import <SecurityFoundation/SFKey_Private.h>
32
33 #import <Security/SecKeyPriv.h>
34
35 #import <corecrypto/cchkdf.h>
36 #import <corecrypto/ccsha2.h>
37 #import <corecrypto/ccec.h>
38
39 #import <utilities/debugging.h>
40
41 #import <CommonCrypto/CommonRandomSPI.h>
42
43 #if 0
44 #import "OTBottle.h"
45 #import "OTBottleContents.h"
46 #endif
47
48 #import "OTDefines.h"
49 #import "OTPrivateKey.h"
50 #import "OTPrivateKey+SF.h"
51 #import "OTAuthenticatedCiphertext.h"
52 #import "OTAuthenticatedCiphertext+SF.h"
53
54 @interface OTBottledPeer ()
55
56 @property (nonatomic, strong) NSString* peerID;
57 @property (nonatomic, strong) NSString* spID;
58 @property (nonatomic, strong) SFECKeyPair* peerSigningKey;
59 @property (nonatomic, strong) SFECKeyPair* peerEncryptionKey;
60 @property (nonatomic, strong) NSData* data;
61
62 @end
63
64 @implementation OTBottledPeer
65
66 + (SFAuthenticatedEncryptionOperation *) encryptionOperation
67 {
68 SFAESKeySpecifier *keySpecifier = [[SFAESKeySpecifier alloc] initWithBitSize:SFAESKeyBitSize256];
69 return [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:keySpecifier];
70 }
71
72 // Given a peer's details including private key material, and
73 // the keys generated from the escrow secret, encrypt the peer private keys,
74 // make a bottled peer object and serialize it into data.
75 - (nullable instancetype) initWithPeerID:(NSString * _Nullable)peerID
76 spID:(NSString * _Nullable)spID
77 peerSigningKey:(SFECKeyPair *)peerSigningKey
78 peerEncryptionKey:(SFECKeyPair *)peerEncryptionKey
79 escrowKeys:(OTEscrowKeys *)escrowKeys
80 error:(NSError**)error
81 {
82 self = [super init];
83 if (self) {
84 #if 0
85 // Serialize the peer private keys into "contents"
86 OTBottleContents *contentsObj = [[OTBottleContents alloc] init];
87 contentsObj.peerSigningPrivKey = [OTPrivateKey fromECKeyPair:peerSigningKey];
88 contentsObj.peerEncryptionPrivKey = [OTPrivateKey fromECKeyPair:peerEncryptionKey];
89 NSData *clearContentsData = contentsObj.data;
90
91 // Encrypt the contents
92 SFAuthenticatedEncryptionOperation *op = [OTBottledPeer encryptionOperation];
93 SFAuthenticatedCiphertext* cipher = [op encrypt:clearContentsData withKey:escrowKeys.symmetricKey error:error];
94 if (!cipher) {
95 return nil;
96 }
97
98 // Serialize the whole thing
99 OTBottle *obj = [[OTBottle alloc] init];
100 obj.peerID = peerID;
101 obj.spID = spID;
102 obj.escrowedSigningSPKI = [escrowKeys.signingKey.publicKey encodeSubjectPublicKeyInfo];
103 obj.escrowedEncryptionSPKI = [escrowKeys.encryptionKey.publicKey encodeSubjectPublicKeyInfo];
104 obj.peerSigningSPKI = [peerSigningKey.publicKey encodeSubjectPublicKeyInfo];
105 obj.peerEncryptionSPKI = [peerEncryptionKey.publicKey encodeSubjectPublicKeyInfo];
106 obj.contents = [OTAuthenticatedCiphertext fromSFAuthenticatedCiphertext:cipher];
107
108 _peerID = [peerID copy];
109 _spID = [spID copy];
110 _peerSigningKey = peerSigningKey;
111 _peerEncryptionKey = peerEncryptionKey;
112 _data = obj.data;
113 #endif
114 }
115 return self;
116 }
117
118 // Deserialize a bottle and decrypt the contents (peer keys)
119 // using the keys generated from the escrow secret.
120 - (nullable instancetype) initWithData:(NSData *)data
121 escrowKeys:(OTEscrowKeys *)escrowKeys
122 error:(NSError**)error
123 {
124 self = [super init];
125 if (self) {
126 #if 0
127 NSError* localError =nil;
128 // Deserialize the whole thing
129 OTBottle *obj = [[OTBottle alloc] initWithData:data];
130 if (!obj) {
131 secerror("octagon: failed to deserialize data into OTBottle");
132 if(error){
133 *error = [NSError errorWithDomain:OctagonErrorDomain code:OTErrorDeserializationFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to deserialize bottle peer"}];
134 }
135 return nil;
136
137
138 // Decrypt contents
139 SFAuthenticatedEncryptionOperation *op = [OTBottledPeer encryptionOperation];
140 SFAuthenticatedCiphertext* ciphertext = [obj.contents asSFAuthenticatedCiphertext];
141 NSData* clearContentsData = [op decrypt:ciphertext withKey:escrowKeys.symmetricKey error:&localError];
142 if (!clearContentsData || clearContentsData.length == 0) {
143 secerror("octagon: could not decrypt bottle contents: %@", localError);
144 if(error){
145 *error = localError;
146 }
147 return nil;
148 }
149
150 // Deserialize contents into private peer keys
151 OTBottleContents *contentsObj = [[OTBottleContents alloc] initWithData:clearContentsData];
152 if (!contentsObj) {
153 secerror("octagon: could not deserialize bottle contents");
154 if(error){
155 *error = [NSError errorWithDomain:OctagonErrorDomain code:OTErrorDeserializationFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to deserialize bottle contents"}];
156 }
157 return nil;
158 }
159
160 _peerID = obj.peerID;
161 _spID = obj.spID;
162 if (self.keyType != OTPrivateKey_KeyType_EC_NIST_CURVES) {
163 return nil;
164 }
165 return [[SFECKeyPair alloc] initWithSecKey:[EscrowKeys createSecKey:self.keyData]];
166
167 _peerSigningKey = [contentsObj.peerSigningPrivKey asECKeyPair];
168 _peerEncryptionKey = [contentsObj.peerEncryptionPrivKey asECKeyPair];
169 if (!_peerSigningKey || !_peerEncryptionKey) {
170 secerror("octagon: could not get private EC keys from bottle contents");
171 if(error){
172 *error = [NSError errorWithDomain:OctagonErrorDomain code:OTErrorPrivateKeyFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to instantiate octagon peer keys"}];
173 }
174 return nil;
175 }
176 _data = [data copy];
177
178 SFECPublicKey *peerSigningPubKey = [SFECPublicKey keyWithSubjectPublicKeyInfo:obj.peerSigningSPKI];
179 SFECPublicKey *peerEncryptionPubKey = [SFECPublicKey keyWithSubjectPublicKeyInfo:obj.peerEncryptionSPKI];
180
181 // Check the private keys match the public keys
182 if (![_peerSigningKey.publicKey isEqual:peerSigningPubKey]) {
183 secerror("octagon: public and private peer signing keys do not match");
184 if(error){
185 *error = [NSError errorWithDomain:OctagonErrorDomain code:OTErrorPrivateKeyFailure userInfo:@{NSLocalizedDescriptionKey: @"public and private peer signing keys do not match"}];
186 }
187 return nil;
188 }
189 if (![_peerEncryptionKey.publicKey isEqual:peerEncryptionPubKey]) {
190 secerror("octagon: public and private peer encryption keys do not match");
191 if(error){
192 *error = [NSError errorWithDomain:OctagonErrorDomain code:OTErrorPrivateKeyFailure userInfo:@{NSLocalizedDescriptionKey: @"public and private peer encryption keys do not match"}];
193 }
194 return nil;
195 }
196 #endif
197 }
198 return self;
199 }
200
201 @end
202
203 #endif
204
205
mirror of Security