+++ /dev/null
-/*
- * Copyright (c) 2004,2011,2013-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- *
- * SecExternalRep.cpp - private class representing an external representation of
- * a SecKeychainItemRef, used by SecImportExport.h
- */
-
-#include "SecExternalRep.h"
-#include "SecImportExportPem.h"
-#include "SecImportExportAgg.h"
-#include "SecImportExportUtils.h"
-#include "SecImportExportPkcs8.h"
-#include "SecImportExportCrypto.h"
-#include "SecImportExportOpenSSH.h"
-#include <security_utilities/errors.h>
-#include <Security/SecBase.h>
-#include <Security/SecKeyPriv.h>
-#include <Security/SecCertificate.h>
-#include <Security/cssmapi.h>
-
-using namespace Security;
-using namespace KeychainCore;
-
-
-#pragma mark --- SecExportRep Subclasses seen only by SecExportRep::vend() ---
-
-namespace SecExport {
-
-class Key : public SecExportRep
-{
- friend class SecExportRep;
-protected:
- Key(
- CFTypeRef kcItemRef);
- ~Key();
- OSStatus exportRep(
- SecExternalFormat format,
- SecItemImportExportFlags flags,
- const SecKeyImportExportParameters *keyParams, // optional
- CFMutableDataRef outData, // data appended here
- const char **pemHeader); // e.g., "RSA PUBLIC KEY"
-
-private:
- CSSM_ALGORITHMS mKeyAlg;
- const CSSM_KEY *mCssmKey;
-};
-
-class Cert : public SecExportRep
-{
- friend class SecExportRep;
-protected:
- Cert(
- CFTypeRef kcItemRef);
- ~Cert();
- OSStatus exportRep(
- SecExternalFormat format,
- SecItemImportExportFlags flags,
- const SecKeyImportExportParameters *keyParams, // optional
- CFMutableDataRef outData, // data appended here
- const char **pemHeader); // e.g., "CERTIFICATE"
-};
-
-} /* namespace SecExport */
-
-#pragma mark --- SecExportRep: Representation of an internal object on export ---
-
-SecExportRep::SecExportRep(
- CFTypeRef kcItemRef) :
- mKcItem((SecKeychainItemRef)kcItemRef),
- mPemParamLines(NULL)
-{
- CFRetain(mKcItem);
-}
-
-SecExportRep::~SecExportRep()
-{
- if(mKcItem) {
- CFRelease(mKcItem);
- }
- if(mPemParamLines) {
- CFRelease(mPemParamLines);
- }
-}
-
-SecExportRep::SecExportRep() {
- MacOSError::throwMe(errSecInvalidItemRef);
-}
-
-/* must be implemented by subclass */
-OSStatus SecExportRep::exportRep(
- SecExternalFormat format,
- SecItemImportExportFlags flags,
- const SecKeyImportExportParameters *keyParams, // optional
- CFMutableDataRef outData, // data appended here
- const char **pemHeader) // e.g., "X509 CERTIFICATE"
-{
- MacOSError::throwMe(errSecInvalidItemRef);
-}
-
-/*
- * Sole public means of obtaining a SecExportRep object. In fact only instances
- * of subclasses are vended but caller does not know that.
- *
- * Gleans SecExternalItemType from incoming type, throws MacOSError if
- * incoming type is bogus.
- *
- * Vended object holds a reference to kcItem for its lifetime.
- */
-SecExportRep *SecExportRep::vend(
- CFTypeRef kcItemRef)
-{
- CFTypeID itemType = CFGetTypeID(kcItemRef);
- if(itemType == SecCertificateGetTypeID()) {
- return new SecExport::Cert(kcItemRef);
- }
- else if(itemType == SecKeyGetTypeID()) {
- return new SecExport::Key(kcItemRef);
- }
- else {
- MacOSError::throwMe(errSecInvalidItemRef);
- }
-}
-
-#pragma mark --- Key External rep ---
-
-SecExport::Key::Key(
- CFTypeRef kcItemRef) :
- SecExportRep(kcItemRef)
-{
-
- /* figure out if it's public, private, or session */
- OSStatus ortn;
- ortn = SecKeyGetCSSMKey((SecKeyRef)kcItemRef, &mCssmKey);
- if(ortn) {
- SecImpExpDbg("SecKeyGetCSSMKey failure in SecExportRep::Key()");
- MacOSError::throwMe(ortn);
- }
- switch(mCssmKey->KeyHeader.KeyClass) {
- case CSSM_KEYCLASS_PUBLIC_KEY:
- mExternType = kSecItemTypePublicKey;
- SecImpExpDbg("SecExportRep::Key(): SET_PubKey");
- break;
- case CSSM_KEYCLASS_PRIVATE_KEY:
- mExternType = kSecItemTypePrivateKey;
- SecImpExpDbg("SecExportRep::Key(): SET_PrivKey");
- break;
- case CSSM_KEYCLASS_SESSION_KEY:
- mExternType = kSecItemTypeSessionKey;
- SecImpExpDbg("SecExportRep::Key(): SET_SessionKey");
- break;
- default:
- SecImpExpDbg("SecExportRep::Key(): invalid KeyClass (%lu)",
- (unsigned long)mCssmKey->KeyHeader.KeyClass);
- MacOSError::throwMe(errSecInvalidItemRef);
- }
- mKeyAlg = mCssmKey->KeyHeader.AlgorithmId;
-}
-
-SecExport::Key::~Key()
-{
- /* nothing for now */
-}
-
-/*
- * The heart of this class: cook up external representation, appending to
- * existing CFMutableDataRef.
- */
-OSStatus SecExport::Key::exportRep(
- SecExternalFormat format,
- SecItemImportExportFlags flags,
- const SecKeyImportExportParameters *keyParams, // optional
- CFMutableDataRef outData, // data appended here
- const char **pemHeader)// e.g., "X509 CERTIFICATE"
-{
- assert(outData != NULL);
- assert(mKcItem != NULL);
- assert(mCssmKey != NULL);
-
- /*
- * Currently only OpsnSSH formats allow for a DescriptiveData field
- * in either wrapped or NULL wrap forms. (In OpenSSH parlance this is
- * the 'comment' field). Infer the DescriptiveData to be embedded
- * in the exported key from the item's PrintName attribute.
- */
- CssmAutoData descrData(Allocator::standard());
- switch(format) {
- case kSecFormatSSH:
- case kSecFormatSSHv2:
- case kSecFormatWrappedSSH:
- impExpOpensshInferDescData((SecKeyRef)mKcItem, descrData);
- break;
- default:
- break;
- }
-
- /*
- * Handle wrapped key formats.
- */
- switch(format) {
- case kSecFormatWrappedPKCS8:
- return impExpPkcs8Export((SecKeyRef)mKcItem, flags, keyParams,
- outData, pemHeader);
- case kSecFormatWrappedOpenSSL:
- return impExpWrappedKeyOpenSslExport((SecKeyRef)mKcItem, flags, keyParams,
- outData, pemHeader, &mPemParamLines);
- case kSecFormatWrappedSSH:
- return impExpWrappedOpenSSHExport((SecKeyRef)mKcItem, flags, keyParams,
- descrData, outData);
- case kSecFormatWrappedLSH:
- return errSecUnsupportedFormat;
- default:
- break;
- }
-
- /*
- * Remaining formats just do a NULL key wrap. Figure out the appropriate
- * CDSA-specific format and wrap parameters.
- */
- OSStatus ortn = errSecSuccess;
- CSSM_KEYBLOB_FORMAT blobForm;
-
- switch(mExternType) {
- case kSecItemTypePublicKey:
- switch(mKeyAlg) {
- case CSSM_ALGID_RSA:
- *pemHeader = PEM_STRING_RSA_PUBLIC;
- break;
- case CSSM_ALGID_DH:
- *pemHeader = PEM_STRING_DH_PUBLIC;
- break;
- case CSSM_ALGID_DSA:
- *pemHeader = PEM_STRING_DSA_PUBLIC;
- break;
- case CSSM_ALGID_ECDSA:
- *pemHeader = PEM_STRING_ECDSA_PUBLIC;
- break;
- default:
- SecImpExpDbg("SecExportRep::exportRep unknown public key alg %lu",
- (unsigned long)mKeyAlg);
- return errSecUnsupportedFormat;
- } /* end switch(mKeyAlg) */
- break; /* from case externType kSecItemTypePublicKey */
-
- case kSecItemTypePrivateKey:
- switch(mKeyAlg) {
- case CSSM_ALGID_RSA:
- *pemHeader = PEM_STRING_RSA;
- break;
- case CSSM_ALGID_DH:
- *pemHeader = PEM_STRING_DH_PRIVATE;
- break;
- case CSSM_ALGID_DSA:
- *pemHeader = PEM_STRING_DSA;
- break;
- case CSSM_ALGID_ECDSA:
- *pemHeader = PEM_STRING_ECDSA_PRIVATE;
- break;
- default:
- SecImpExpDbg("SecExportRep::exportRep unknown private key alg "
- "%lu", (unsigned long)mKeyAlg);
- return errSecUnsupportedFormat;
- } /* end switch(mKeyAlg) */
- break; /* from case externType kSecItemTypePrivateKey */
-
- case kSecItemTypeSessionKey:
- *pemHeader = PEM_STRING_SESSION;
- break;
- default:
- assert(0);
- return errSecInvalidItemRef;
- } /* switch(mExternType) */
-
- /* Map our external params to CDSA blob format */
- CSSM_KEYCLASS keyClass;
- ortn = impExpKeyForm(format, mExternType, mKeyAlg, &blobForm, &keyClass);
- if(ortn) {
- return ortn;
- }
-
- /* Specify format of null-wrapped key */
- CSSM_ATTRIBUTE_TYPE formatAttrType = CSSM_ATTRIBUTE_NONE;
- switch(mExternType) {
- case kSecItemTypePrivateKey:
- formatAttrType = CSSM_ATTRIBUTE_PRIVATE_KEY_FORMAT;
- break;
- case kSecItemTypePublicKey:
- formatAttrType = CSSM_ATTRIBUTE_PUBLIC_KEY_FORMAT;
- break;
- /* symmetric key doesn't have a format */
- default:
- break;
- }
-
- CSSM_CSP_HANDLE cspHand;
- ortn = SecKeyGetCSPHandle((SecKeyRef)mKcItem, &cspHand);
- if(ortn) {
- SecImpExpDbg("SecExportRep::exportRep SecKeyGetCSPHandle error");
- return ortn;
- }
-
- /* perform the NULL wrap --> wrapped Key */
- CSSM_KEY wrappedKey;
- memset(&wrappedKey, 0, sizeof(wrappedKey));
- const CSSM_DATA &dd = descrData;
- ortn = impExpExportKeyCommon(cspHand,
- (SecKeyRef)mKcItem,
- NULL, // wrappingKey not used for NULL
- &wrappedKey, // destination
- CSSM_ALGID_NONE,
- CSSM_ALGMODE_NONE,
- CSSM_PADDING_NONE,
- CSSM_KEYBLOB_WRAPPED_FORMAT_NONE,
- formatAttrType,
- blobForm,
- &dd, // descriptiveData
- NULL); // IV
-
- if(ortn == CSSM_OK) {
- /* pass key data back to caller */
- CFDataAppendBytes(outData, wrappedKey.KeyData.Data, wrappedKey.KeyData.Length);
- }
- CSSM_FreeKey(cspHand, NULL, &wrappedKey, CSSM_FALSE);
- return ortn;
-}
-
-#pragma mark --- Certificate External rep ---
-
-SecExport::Cert::Cert(
- CFTypeRef kcItemRef) :
- SecExportRep(kcItemRef)
-{
- mExternType = kSecItemTypeCertificate;
-}
-
-SecExport::Cert::~Cert()
-{
- /* nothing for now */
-}
-
-/*
- * The heart of this class: cook up external representation, appending to
- * existing CFMutableDataRef.
- */
-OSStatus SecExport::Cert::exportRep(
- SecExternalFormat format,
- SecItemImportExportFlags flags,
- const SecKeyImportExportParameters *keyParams, // optional
- CFMutableDataRef outData, // data appended here
- const char **pemHeader)// e.g., "X509 CERTIFICATE"
-{
- assert(outData != NULL);
- assert(mKcItem != NULL);
-
- switch(format) {
- case kSecFormatUnknown: // default
- case kSecFormatX509Cert: // currently, only supported format
- break;
- default:
- SecImpExpDbg("SecExportRep::exportRep unsupported format for cert");
- return errSecUnsupportedFormat;
- }
-
- CFDataRef cdata = SecCertificateCopyData((SecCertificateRef)mKcItem);
- if(!cdata) {
- SecImpExpDbg("SecExportRep::exportRep SecCertificateGetData error");
- return errSecUnsupportedFormat;
- }
-
- CFDataAppendBytes(outData, CFDataGetBytePtr(cdata), CFDataGetLength(cdata));
- CFRelease(cdata);
- *pemHeader = PEM_STRING_X509;
- return errSecSuccess;
-}
-
-#pragma mark --- SecImportRep: Representation of an external object on import ---
-
-/*
- * for import, when we have the external representation.
- * All arguments except for the CFDataRef are optional (i.e., "unknown"
- * is legal).
- */
-SecImportRep::SecImportRep(
- CFDataRef external,
- SecExternalItemType externType, // may be unknown
- SecExternalFormat externFormat, // may be unknown
- CSSM_ALGORITHMS keyAlg, // may be unknown, CSSM_ALGID_NONE
- CFArrayRef pemParamLines /* = NULL */ ) :
- mPrintName(NULL),
- mExternal(external),
- mExternType(externType),
- mExternFormat(externFormat),
- mKeyAlg(keyAlg),
- mPemParamLines(pemParamLines)
-{
- CFRetain(mExternal);
-}
-
-SecImportRep::~SecImportRep()
-{
- if(mPrintName) {
- free(mPrintName);
- }
- if(mExternal) {
- CFRelease(mExternal);
- }
- if(mPemParamLines) {
- CFRelease(mPemParamLines);
- }
-}
-
-/*
- * Convert to one or more SecItemRefs and/or import to keychain.
- * The cspHand handle MUST be a CSPDL handle, not a raw CSP handle.
- */
-OSStatus SecImportRep::importRep(
- SecKeychainRef importKeychain, // optional
- CSSM_CSP_HANDLE cspHand, // required
- SecItemImportExportFlags flags,
- const SecKeyImportExportParameters *keyParams, // optional
- ImpPrivKeyImportState &keyImportState, // IN/OUT
- CFMutableArrayRef outArray) // optional, append here
-{
- /* caller must have sorted this out by now */
- assert((mExternType != kSecItemTypeUnknown) &&
- (mExternFormat != kSecFormatUnknown));
-
- /* app could conceivably botch these with crafty PEM hacking */
- if((mExternal == NULL) || (CFDataGetLength(mExternal) == 0)) {
- return errSecParam;
- }
-
- /* handle the easy ones first */
- switch(mExternFormat) {
- case kSecFormatPKCS12:
- return impExpPkcs12Import(mExternal, flags, keyParams,
- keyImportState, importKeychain, cspHand, outArray);
- case kSecFormatX509Cert:
- case kSecFormatPKCS7:
- {
- OSStatus rx = impExpPkcs7Import(mExternal, flags, keyParams, importKeychain,
- outArray);
- if (rx == errSecUnknownFormat)
- {
- CSSM_DATA cdata;
- cdata.Data = (uint8 *)CFDataGetBytePtr(mExternal);
- cdata.Length = (CSSM_SIZE)CFDataGetLength(mExternal);
- return impExpImportCertCommon(&cdata, importKeychain, outArray);
- }
- return rx;
- }
- case kSecFormatNetscapeCertSequence:
- return impExpNetscapeCertImport(mExternal, flags, keyParams, importKeychain,
- outArray);
- default:
- break;
- }
-
- if((mExternType == kSecItemTypeCertificate) ||
- (mExternType == kSecItemTypeAggregate)) {
- SecImpExpDbg("SecImportRep::importRep screwup");
- return errSecUnimplemented;
- }
-
- /*
- * All that's left: keys.
- */
- if((mExternType == kSecItemTypePrivateKey) && (keyImportState == PIS_NoMore)) {
- /* multi key import against caller's wishes */
- return errSecMultiplePrivKeys;
- }
-
- /* optionally infer PrintName attribute */
- switch(mExternFormat) {
- case kSecFormatSSH:
- case kSecFormatWrappedSSH:
- case kSecFormatSSHv2:
- mPrintName = impExpOpensshInferPrintName(mExternal, mExternType, mExternFormat);
- break;
- default:
- /* use defaults */
- break;
- }
-
- OSStatus ortn = errSecSuccess;
-
- switch(mExternFormat) {
- case kSecFormatOpenSSL:
- case kSecFormatSSH:
- case kSecFormatSSHv2:
- case kSecFormatBSAFE:
- case kSecFormatRawKey:
- if(mExternal != NULL || CFDataGetLength(mExternal) != 0){
- ortn = impExpImportRawKey(mExternal, mExternFormat, mExternType,
- mKeyAlg, importKeychain, cspHand, flags, keyParams, mPrintName, outArray);
- }
- else{
- MacOSError::throwMe(errSecUnsupportedKeySize);
- }
- break;
- case kSecFormatWrappedPKCS8:
- ortn = impExpPkcs8Import(mExternal, importKeychain, cspHand, flags,
- keyParams, outArray);
- break;
- case kSecFormatWrappedOpenSSL:
- ortn = importWrappedKeyOpenssl(importKeychain, cspHand, flags, keyParams,
- outArray);
- break;
- case kSecFormatWrappedSSH:
- ortn = impExpWrappedOpenSSHImport(mExternal, importKeychain, cspHand,
- flags, keyParams, mPrintName, outArray);
- break;
- case kSecFormatWrappedLSH:
- default:
- return errSecUnknownFormat;
- }
- if((ortn == errSecSuccess) && (keyImportState == PIS_AllowOne)) {
- /* reached our limit */
- keyImportState = PIS_NoMore;
- }
- return ortn;
-}
-
projects / apple / security.git / blobdiff