1 /*
2 * Copyright (c) 2003 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please
7 * obtain a copy of the License at http://www.apple.com/publicsource and
8 * read it before using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
12 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
13 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
14 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
15 * Please see the License for the specific language governing rights and
16 * limitations under the License.
17 */
18 /*
19 * SecFileVaultCert.h
20 */
21
22 #ifndef _SEC_FILEVAULTCERT_H_
23 #define _SEC_FILEVAULTCERT_H_
24
25 #include <Security/Security.h>
26 #include <CoreFoundation/CoreFoundation.h>
27
28 #include <Security/SecBase.h>
29 #include <CoreFoundation/CFURL.h>
30
/*
 * SecFileVaultCert
 *
 * Generates a key pair plus a self-signed certificate and stores them in a
 * keychain (see createPair). Only createPair is public; the private methods
 * are the CDSA/CSSM building blocks it works with. The method bodies are not
 * in this header, so the notes below describe only the declared contracts and
 * the intent stated by the original inline comments.
 */
class SecFileVaultCert
{
public:
    SecFileVaultCert();
    ~SecFileVaultCert();

    /*
     * Create a key pair and a self-signed certificate for hostName/userName,
     * storing them in kcRef and handing back a copy of the certificate in
     * *cert. The parameter list mirrors SR_CertificateAndKeyCreate(), declared
     * below, whose documentation (ownership of *cert, string requirements)
     * is presumed to apply here as well -- confirm against the implementation.
     * Returns an OSStatus result code.
     */
    OSStatus createPair(CFStringRef hostName,CFStringRef userName,SecKeychainRef kcRef, CFDataRef *cert);

private:

    /*
     * Generate a key pair of the given algorithm and size inside the CSP,
     * associated with the DL/DB identified by dlDbHand.
     *
     * keyLabel   : label attached to the generated keys (plain C string).
     * pubKeyPtr,
     * privKeyPtr : receive newly allocated key structures. Per the original
     *              comment they are "mallocd", so the caller owns them; how
     *              they must be released is not visible in this header.
     */
    OSStatus generateKeyPair(
        CSSM_CSP_HANDLE cspHand,
        CSSM_DL_DB_HANDLE dlDbHand,
        CSSM_ALGORITHMS keyAlg, // e.g., CSSM_ALGID_RSA
        uint32 keySizeInBits,
        const char *keyLabel, // C string
        CSSM_KEY_PTR *pubKeyPtr, // mallocd, created, RETURNED
        CSSM_KEY_PTR *privKeyPtr);

    /*
     * Build a self-signed ("root") certificate through the TP/CL/CSP handles.
     * hostName becomes the subject CommonName and userName the Description
     * attribute; sigAlg/sigOid select the signature algorithm (this header
     * pairs SR_CERT_SIGNATURE_ALGORITHM with SR_CERT_SIGNATURE_ALG_OID below).
     * NOTE(review): for a self-signed cert subjPubKey and signerPrivKey should
     * be the two halves of one pair -- the header cannot show whether that is
     * checked.
     *
     * certData : receives the encoded certificate; allocated for the caller.
     */
    OSStatus createRootCert(
        CSSM_TP_HANDLE tpHand,
        CSSM_CL_HANDLE clHand,
        CSSM_CSP_HANDLE cspHand,
        CSSM_KEY_PTR subjPubKey,
        CSSM_KEY_PTR signerPrivKey,
        const char *hostName, // CSSMOID_CommonName
        const char *userName, // CSSMOID_Description
        CSSM_ALGORITHMS sigAlg,
        const CSSM_OID *sigOid,
        CSSM_DATA_PTR certData); // mallocd and RETURNED

    /* Report an error (crtn) together with a description and the location it occurred. */
    void printError(const char *errDescription,const char *errLocation,OSStatus crtn);

    /*
     * Fill u with a random 32-bit value.
     * NOTE(review): the entropy source is not visible here; if the value ends
     * up in the certificate (e.g. as a serial number) it should come from a
     * cryptographically secure generator -- confirm in the implementation.
     */
    void randUint32(uint32 &u);

    /* Convert a reference key into its raw form via the CSP (inferred from the name). */
    CSSM_RETURN refKeyToRaw(
        CSSM_CSP_HANDLE cspHand,
        const CSSM_KEY *refKey,
        CSSM_KEY_PTR rawKey);

    /*
     * Compute the public key hash from pubOrPrivKey (raw or reference/CSPDL
     * key) and store it on the keychain item found by keyLabel.
     */
    CSSM_RETURN setPubKeyHash(
        CSSM_CSP_HANDLE cspHand,
        CSSM_DL_DB_HANDLE dlDbHand,
        const CSSM_KEY *pubOrPrivKey, // to get hash; raw or ref/CSPDL
        const char *keyLabel); // look up by this
};
75
76 #pragma mark ----- Certificate Management -----
77
/*
 * Create a key pair and a self-signed certificate. The private key and
 * the cert are stored in the specified keychain; a copy of the cert is
 * also returned.
 *
 * Arguments
 * ---------
 *
 * hostName : The name of this host, e.g., "crypto.apple.com". This
 * must match exactly the string later passed as peerHostName
 * to SR_SecureTransportConfigure() (declared elsewhere, not in this
 * header). This must be convertible to an ASCII C string.
 *
 * userName : e.g., "James P. Sullivan". Must be convertible to an
 * ASCII C string.
 *
 * keychain : the keychain where the certificate and private key will be
 * stored.
 *
 * cert : the root cert which can be distributed to peers (where it will be
 * imported via SR_CertificateImport(), below). This is not sensitive
 * data; it can be bandied about freely. Caller must CFRelease this.
 *
 * Returns an OSStatus result code.
 *
 * NOTE(review): the cert is not secret, but its integrity matters -- a peer
 * that imports it will presumably treat it as the trust anchor for this
 * host (the import API below declares no validation of its own). Distribute
 * it over a channel whose authenticity the peer can verify, e.g. by checking
 * a fingerprint out of band.
 */
OSStatus SR_CertificateAndKeyCreate(
    CFStringRef hostName,
    CFStringRef userName,
    SecKeychainRef keychain,
    CFDataRef *cert); // RETURNED
105
/*
 * Import a peer's certificate into specified keychain.
 *
 * keychain : destination keychain.
 * cert     : the certificate data as produced by SR_CertificateAndKeyCreate()
 *            on the peer (its `cert` out-parameter).
 *
 * Returns an OSStatus result code.
 *
 * NOTE(review): this interface declares no check that the data came from the
 * intended peer; whatever is passed in is imported. Callers should verify the
 * certificate's origin (e.g. compare its fingerprint with one obtained out of
 * band) before calling, since an imported root is what later connections are
 * presumably authenticated against.
 */
OSStatus SR_CertificateImport(
    SecKeychainRef keychain,
    CFDataRef cert);
112
113 #pragma mark ----- Operating parameters -----
114
115 /*
116 * These are some constants which are used in the SecRendezvous
117 * library. Clients of the library don't have to know about these,
118 * but they might be useful or interesting.
119 */
120
/*
 * The two TLS ciphersuites we support - the first one for
 * authenticated connections, the second for unauthenticated.
 *
 * Subsequent to calling SR_SecureTransportConfigure(), an app
 * can determine which of these ciphersuites was actually
 * negotiated by calling SSLGetNegotiatedCipher().
 *
 * NOTE(review): both suites use RC4, which is prohibited for TLS (RFC 7465),
 * and the unauthenticated suite is anonymous Diffie-Hellman with an MD5 MAC:
 * it gives no peer authentication, so an active attacker on the path can
 * intercept such a connection undetected. Treat these as historical values;
 * a current deployment should only allow AEAD suites with certificate-based
 * authentication and should not offer an anonymous suite at all.
 */
#define SR_CIPHER_AUTHENTICATED SSL_RSA_WITH_RC4_128_SHA
#define SR_CIPHER_UNAUTHENTICATED SSL_DH_anon_WITH_RC4_128_MD5
131
/*
 * Parameters used to create key pairs and certificates in
 * SR_CertificateAndKeyCreate().
 *
 * NOTE(review): 1024-bit RSA is below the 2048-bit minimum that current
 * guidance (e.g. NIST SP 800-57) requires. Raising the size here presumably
 * affects only keys generated afterwards; existing keychain items keep the
 * size they were created with.
 */
#define SR_KEY_ALGORITHM CSSM_ALGID_RSA
#define SR_KEY_SIZE_IN_BITS 1024
138
/*
 * The CSSM_ALGORITHMS and OID values defining the signature
 * algorithm in the generated certificate. The two must stay in step:
 * the algorithm id is what the CSP signs with, the OID is what is
 * written into the certificate.
 *
 * NOTE(review): SHA-1 is no longer acceptable for certificate signatures
 * (collisions are practical and verifiers reject SHA-1 chains); a SHA-256
 * based signature is the current baseline. Verify that the CSSM constants
 * chosen as replacements are supported by the CSP in use.
 */
#define SR_CERT_SIGNATURE_ALGORITHM CSSM_ALGID_SHA1WithRSA
#define SR_CERT_SIGNATURE_ALG_OID CSSMOID_SHA1WithRSA
145
146 #endif /* _SEC_FILEVAULTCERT_H_ */
147