]> git.saurik.com Git - apple/security.git/blob - keychain/ot/OTBottledPeer.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-58286.51.6.tar.gz
[apple/security.git] / keychain / ot / OTBottledPeer.m
1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #import "OTBottledPeer.h"
25
26 #if OCTAGON
27 #import <SecurityFoundation/SFEncryptionOperation.h>
28 #import <SecurityFoundation/SFSigningOperation.h>
29 #import <SecurityFoundation/SFDigestOperation.h>
30 #import <SecurityFoundation/SFKey.h>
31 #import <SecurityFoundation/SFKey_Private.h>
32
33 #import <Security/SecKeyPriv.h>
34
35 #import <corecrypto/cchkdf.h>
36 #import <corecrypto/ccsha2.h>
37 #import <corecrypto/ccec.h>
38
39 #import <utilities/debugging.h>
40
41 #import <CommonCrypto/CommonRandomSPI.h>
42
43 #import "OTBottle.h"
44 #import "OTBottleContents.h"
45 #import "OTDefines.h"
46 #import "OTPrivateKey.h"
47 #import "OTPrivateKey+SF.h"
48 #import "OTAuthenticatedCiphertext.h"
49 #import "OTAuthenticatedCiphertext+SF.h"
50 #import "SFPublicKey+SPKI.h"
51
52 @interface OTBottledPeer ()
53
54 @property (nonatomic, strong) NSString* peerID;
55 @property (nonatomic, strong) NSString* spID;
56 @property (nonatomic, strong) SFECKeyPair* peerSigningKey;
57 @property (nonatomic, strong) SFECKeyPair* peerEncryptionKey;
58 @property (nonatomic, strong) NSData* data;
59
60 @end
61
62 @implementation OTBottledPeer
63
64 + (SFAuthenticatedEncryptionOperation *) encryptionOperation
65 {
66 SFAESKeySpecifier *keySpecifier = [[SFAESKeySpecifier alloc] initWithBitSize:SFAESKeyBitSize256];
67 return [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:keySpecifier];
68 }
69
70 // Given a peer's details including private key material, and
71 // the keys generated from the escrow secret, encrypt the peer private keys,
72 // make a bottled peer object and serialize it into data.
73 - (nullable instancetype) initWithPeerID:(NSString * _Nullable)peerID
74 spID:(NSString * _Nullable)spID
75 peerSigningKey:(SFECKeyPair *)peerSigningKey
76 peerEncryptionKey:(SFECKeyPair *)peerEncryptionKey
77 escrowKeys:(OTEscrowKeys *)escrowKeys
78 error:(NSError**)error
79 {
80 self = [super init];
81 if (self) {
82 // Serialize the peer private keys into "contents"
83 OTBottleContents *contentsObj = [[OTBottleContents alloc] init];
84 contentsObj.peerSigningPrivKey = [OTPrivateKey fromECKeyPair:peerSigningKey];
85 contentsObj.peerEncryptionPrivKey = [OTPrivateKey fromECKeyPair:peerEncryptionKey];
86 NSData *clearContentsData = contentsObj.data;
87
88 // Encrypt the contents
89 SFAuthenticatedEncryptionOperation *op = [OTBottledPeer encryptionOperation];
90 SFAuthenticatedCiphertext* cipher = [op encrypt:clearContentsData withKey:escrowKeys.symmetricKey error:error];
91 if (!cipher) {
92 return nil;
93 }
94
95 // Serialize the whole thing
96 OTBottle *obj = [[OTBottle alloc] init];
97 obj.peerID = peerID;
98 obj.spID = spID;
99 obj.escrowedSigningSPKI = [escrowKeys.signingKey.publicKey asSPKI];
100 obj.escrowedEncryptionSPKI = [escrowKeys.encryptionKey.publicKey asSPKI];
101 obj.peerSigningSPKI = [peerSigningKey.publicKey asSPKI];
102 obj.peerEncryptionSPKI = [peerEncryptionKey.publicKey asSPKI];
103 obj.contents = [OTAuthenticatedCiphertext fromSFAuthenticatedCiphertext:cipher];
104
105 _peerID = [peerID copy];
106 _spID = [spID copy];
107 _peerSigningKey = peerSigningKey;
108 _peerEncryptionKey = peerEncryptionKey;
109 _data = obj.data;
110 }
111 return self;
112 }
113
114 // Deserialize a bottle and decrypt the contents (peer keys)
115 // using the keys generated from the escrow secret.
116 - (nullable instancetype) initWithData:(NSData *)data
117 escrowKeys:(OTEscrowKeys *)escrowKeys
118 error:(NSError**)error
119 {
120 self = [super init];
121 if (self) {
122 NSError* localError =nil;
123
124 // Deserialize the whole thing
125 OTBottle *obj = [[OTBottle alloc] initWithData:data];
126 if (!obj) {
127 secerror("octagon: failed to deserialize data into OTBottle");
128 if(error){
129 *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorDeserializationFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to deserialize bottle peer"}];
130 }
131 return nil;
132 }
133
134 // Decrypt contents
135 SFAuthenticatedEncryptionOperation *op = [OTBottledPeer encryptionOperation];
136 SFAuthenticatedCiphertext* ciphertext = [obj.contents asSFAuthenticatedCiphertext];
137 NSData* clearContentsData = [op decrypt:ciphertext withKey:escrowKeys.symmetricKey error:&localError];
138 if (!clearContentsData || clearContentsData.length == 0) {
139 secerror("octagon: could not decrypt bottle contents: %@", localError);
140 if(error){
141 *error = localError;
142 }
143 return nil;
144 }
145
146 // Deserialize contents into private peer keys
147 OTBottleContents *contentsObj = [[OTBottleContents alloc] initWithData:clearContentsData];
148 if (!contentsObj) {
149 secerror("octagon: could not deserialize bottle contents");
150 if(error){
151 *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorDeserializationFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to deserialize bottle contents"}];
152 }
153 return nil;
154 }
155
156 _peerID = obj.peerID;
157 _spID = obj.spID;
158 _peerSigningKey = [contentsObj.peerSigningPrivKey asECKeyPair];
159 _peerEncryptionKey = [contentsObj.peerEncryptionPrivKey asECKeyPair];
160 if (!_peerSigningKey || !_peerEncryptionKey) {
161 secerror("octagon: could not get private EC keys from bottle contents");
162 if(error){
163 *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorPrivateKeyFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to instantiate octagon peer keys"}];
164 }
165 return nil;
166 }
167 _data = [data copy];
168
169 SFECPublicKey *peerSigningPubKey = [SFECPublicKey fromSPKI:obj.peerSigningSPKI];
170 SFECPublicKey *peerEncryptionPubKey = [SFECPublicKey fromSPKI:obj.peerEncryptionSPKI];
171
172 // Check the private keys match the public keys
173 if (![_peerSigningKey.publicKey isEqual:peerSigningPubKey]) {
174 secerror("octagon: public and private peer signing keys do not match");
175 if(error){
176 *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorPrivateKeyFailure userInfo:@{NSLocalizedDescriptionKey: @"public and private peer signing keys do not match"}];
177 }
178 return nil;
179 }
180 if (![_peerEncryptionKey.publicKey isEqual:peerEncryptionPubKey]) {
181 secerror("octagon: public and private peer encryption keys do not match");
182 if(error){
183 *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorPrivateKeyFailure userInfo:@{NSLocalizedDescriptionKey: @"public and private peer encryption keys do not match"}];
184 }
185 return nil;
186 }
187
188 }
189 return self;
190 }
191
192 @end
193
194 #endif
195
196
mirror of Security