+++ /dev/null
-/*
- * Copyright (c) 2004,2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- *
- * SecImportExportUtils.cpp - misc. utilities for import/export module
- */
-
-#include "SecImportExportUtils.h"
-#include "SecImportExportAgg.h"
-#include "SecImportExportCrypto.h"
-#include "SecIdentityPriv.h"
-#include "SecItem.h"
-#include <security_cdsa_utils/cuCdsaUtils.h>
-#include <Security/SecBase.h>
-#pragma mark --- Debug support ---
-
-#ifndef NDEBUG
-
-const char *impExpExtFormatStr(
- SecExternalFormat format)
-{
- switch(format) {
- case kSecFormatUnknown: return "kSecFormatUnknown";
- case kSecFormatOpenSSL: return "kSecFormatOpenSSL";
- case kSecFormatSSH: return "kSecFormatSSH";
- case kSecFormatBSAFE: return "kSecFormatBSAFE";
- case kSecFormatRawKey: return "kSecFormatRawKey";
- case kSecFormatWrappedPKCS8: return "kSecFormatWrappedPKCS8";
- case kSecFormatWrappedOpenSSL: return "kSecFormatWrappedOpenSSL";
- case kSecFormatWrappedSSH: return "kSecFormatWrappedSSH";
- case kSecFormatWrappedLSH: return "kSecFormatWrappedLSH";
- case kSecFormatX509Cert: return "kSecFormatX509Cert";
- case kSecFormatPEMSequence: return "kSecFormatPEMSequence";
- case kSecFormatPKCS7: return "kSecFormatPKCS7";
- case kSecFormatPKCS12: return "kSecFormatPKCS12";
- case kSecFormatNetscapeCertSequence: return "kSecFormatNetscapeCertSequence";
- default: return "UNKNOWN FORMAT ENUM";
- }
-}
-
-const char *impExpExtItemTypeStr(
- SecExternalItemType itemType)
-{
- switch(itemType) {
- case kSecItemTypeUnknown: return "kSecItemTypeUnknown";
- case kSecItemTypePrivateKey: return "kSecItemTypePrivateKey";
- case kSecItemTypePublicKey: return "kSecItemTypePublicKey";
- case kSecItemTypeSessionKey: return "kSecItemTypeSessionKey";
- case kSecItemTypeCertificate: return "kSecItemTypeCertificate";
- case kSecItemTypeAggregate: return "kSecItemTypeAggregate";
- default: return "UNKNOWN ITEM TYPE ENUM";
- }
-}
-#endif /* NDEBUG */
-
-/*
- * Parse file extension and attempt to map it to format and type. Returns true
- * on success.
- */
-bool impExpImportParseFileExten(
- CFStringRef fstr,
- SecExternalFormat *inputFormat, // RETURNED
- SecExternalItemType *itemType) // RETURNED
-{
- if(fstr == NULL) {
- /* nothing to work with */
- return false;
- }
- if(CFStringHasSuffix(fstr, CFSTR(".cer")) ||
- CFStringHasSuffix(fstr, CFSTR(".crt"))) {
- *inputFormat = kSecFormatX509Cert;
- *itemType = kSecItemTypeCertificate;
- SecImpInferDbg("Inferring kSecFormatX509Cert from file name");
- return true;
- }
- if(CFStringHasSuffix(fstr, CFSTR(".p12")) ||
- CFStringHasSuffix(fstr, CFSTR(".pfx"))) {
- *inputFormat = kSecFormatPKCS12;
- *itemType = kSecItemTypeAggregate;
- SecImpInferDbg("Inferring kSecFormatPKCS12 from file name");
- return true;
- }
-
- /* Get extension, look for key indicators as substrings */
- CFURLRef url = CFURLCreateWithString(NULL, fstr, NULL);
- if(url == NULL) {
- SecImpInferDbg("impExpImportParseFileExten: error creating URL");
- return false;
- }
- CFStringRef exten = CFURLCopyPathExtension(url);
- CFRelease(url);
- if(exten == NULL) {
- /* no extension, app probably passed in only an extension */
- exten = fstr;
- CFRetain(exten);
- }
- bool ortn = false;
- CFRange cfr;
- cfr = CFStringFind(exten, CFSTR("p7"), kCFCompareCaseInsensitive);
- if(cfr.length != 0) {
- *inputFormat = kSecFormatPKCS7;
- *itemType = kSecItemTypeAggregate;
- SecImpInferDbg("Inferring kSecFormatPKCS7 from file name");
- ortn = true;
- }
- if(!ortn) {
- cfr = CFStringFind(exten, CFSTR("p8"), kCFCompareCaseInsensitive);
- if(cfr.length != 0) {
- *inputFormat = kSecFormatWrappedPKCS8;
- *itemType = kSecItemTypePrivateKey;
- SecImpInferDbg("Inferring kSecFormatPKCS8 from file name");
- ortn = true;
- }
- }
- CFRelease(exten);
- return ortn;
-}
-
-/* do a [NSString stringByDeletingPathExtension] equivalent */
-CFStringRef impExpImportDeleteExtension(
- CFStringRef fileStr)
-{
- CFDataRef fileStrData = CFStringCreateExternalRepresentation(NULL, fileStr,
- kCFStringEncodingUTF8, 0);
- if(fileStrData == NULL) {
- return NULL;
- }
-
- CFURLRef urlRef = CFURLCreateFromFileSystemRepresentation(NULL,
- CFDataGetBytePtr(fileStrData), CFDataGetLength(fileStrData), false);
- if(urlRef == NULL) {
- CFRelease(fileStrData);
- return NULL;
- }
- CFURLRef rtnUrl = CFURLCreateCopyDeletingPathExtension(NULL, urlRef);
- CFStringRef rtnStr = NULL;
- CFRelease(urlRef);
- if(rtnUrl) {
- rtnStr = CFURLGetString(rtnUrl);
- CFRetain(rtnStr);
- CFRelease(rtnUrl);
- }
- CFRelease(fileStrData);
- return rtnStr;
-}
-
-#pragma mark --- mapping of external format to CDSA formats ---
-
-/*
- * For the record, here is the mapping of SecExternalFormat, algorithm, and key
- * class to CSSM-style key format (CSSM_KEYBLOB_FORMAT -
- * CSSM_KEYBLOB_RAW_FORMAT_X509, etc). The entries in the table are the
- * last component of a CSSM_KEYBLOB_FORMAT. Format kSecFormatUnknown means
- * "default for specified class and algorithm", which is currently the
- * same as kSecFormatOpenSSL.
- *
- * algorithm/class
- * RSA DSA DH
- * ---------------- ---------------- ----------------
- * SecExternalFormat priv pub priv pub priv pub
- * ----------------- ------- ------- ------- ------- ------- -------
- * kSecFormatOpenSSL PKCS1 X509 OPENSSL X509 PKCS3 X509
- * kSecFormatBSAFE PKCS8 PKCS1 FIPS186 FIPS186 PKCS8 not supported
- * kSecFormatUnknown PKCS1 X509 OPENSSL X509 PKCS3 X509
- * kSecFormatSSH SSH SSH n/s n/s n/s n/s
- * kSecFormatSSHv2 n/s SSH2 n/s SSH2 n/s n/s
- *
- * The only external format supported for ECDSA and ECDH keys is kSecFormatOpenSSL,
- * which translates to OPENSSL for private keys and X509 for public keys.
- */
-
-/* Arrays expressing the above table. */
-
-/* l.s. dimension is pub/priv for one alg */
-typedef struct {
- CSSM_KEYBLOB_FORMAT priv;
- CSSM_KEYBLOB_FORMAT pub;
-} algForms;
-
-/*
- * indices into array of algForms defining all algs' formats for a given
- * SecExternalFormat
- */
-#define SIE_ALG_RSA 0
-#define SIE_ALG_DSA 1
-#define SIE_ALG_DH 2
-#define SIE_ALG_ECDSA 3
-#define SIE_ALG_LAST SIE_ALG_ECDSA
-#define SIE_NUM_ALGS (SIE_ALG_LAST + 1)
-
-/* kSecFormatOpenSSL */
-static algForms opensslAlgForms[SIE_NUM_ALGS] =
-{
- { CSSM_KEYBLOB_RAW_FORMAT_PKCS1, CSSM_KEYBLOB_RAW_FORMAT_X509 }, // RSA
- { CSSM_KEYBLOB_RAW_FORMAT_OPENSSL, CSSM_KEYBLOB_RAW_FORMAT_X509 }, // DSA
- { CSSM_KEYBLOB_RAW_FORMAT_PKCS3, CSSM_KEYBLOB_RAW_FORMAT_X509 }, // D-H
- { CSSM_KEYBLOB_RAW_FORMAT_OPENSSL, CSSM_KEYBLOB_RAW_FORMAT_X509 }, // ECDSA
-};
-
-/* kSecFormatBSAFE */
-static algForms bsafeAlgForms[SIE_NUM_ALGS] =
-{
- { CSSM_KEYBLOB_RAW_FORMAT_PKCS8, CSSM_KEYBLOB_RAW_FORMAT_PKCS1 }, // RSA
- { CSSM_KEYBLOB_RAW_FORMAT_FIPS186, CSSM_KEYBLOB_RAW_FORMAT_FIPS186 }, // DSA
- { CSSM_KEYBLOB_RAW_FORMAT_PKCS8, CSSM_KEYBLOB_RAW_FORMAT_NONE }, // D-H
- { CSSM_KEYBLOB_RAW_FORMAT_NONE, CSSM_KEYBLOB_RAW_FORMAT_NONE }, // ECDSA not supported
-};
-
-/* kSecFormatSSH (v1) */
-static algForms ssh1AlgForms[SIE_NUM_ALGS] =
-{
- { CSSM_KEYBLOB_RAW_FORMAT_OPENSSH, CSSM_KEYBLOB_RAW_FORMAT_OPENSSH }, // RSA only
- { CSSM_KEYBLOB_RAW_FORMAT_NONE, CSSM_KEYBLOB_RAW_FORMAT_NONE }, // DSA not supported
- { CSSM_KEYBLOB_RAW_FORMAT_NONE, CSSM_KEYBLOB_RAW_FORMAT_NONE }, // D-H not supported
- { CSSM_KEYBLOB_RAW_FORMAT_NONE, CSSM_KEYBLOB_RAW_FORMAT_NONE }, // ECDSA not supported
-};
-
-/* kSecFormatSSHv2 */
-static algForms ssh2AlgForms[SIE_NUM_ALGS] =
-{
- { CSSM_KEYBLOB_RAW_FORMAT_NONE, CSSM_KEYBLOB_RAW_FORMAT_OPENSSH2 }, // RSA - public only
- { CSSM_KEYBLOB_RAW_FORMAT_NONE, CSSM_KEYBLOB_RAW_FORMAT_OPENSSH2 }, // DSA - public only
- { CSSM_KEYBLOB_RAW_FORMAT_NONE, CSSM_KEYBLOB_RAW_FORMAT_NONE }, // D-H not supported
- { CSSM_KEYBLOB_RAW_FORMAT_NONE, CSSM_KEYBLOB_RAW_FORMAT_NONE }, // ECDSA not supported
-};
-
-/*
- * This routine performs a lookup into the above 3-dimensional array to
- * map {algorithm, class, SecExternalFormat} to a CSSM_KEYBLOB_FORMAT.
- * Returns errSecUnsupportedFormat in the rare appropriate case.
- */
-OSStatus impExpKeyForm(
- SecExternalFormat externForm,
- SecExternalItemType itemType,
- CSSM_ALGORITHMS alg,
- CSSM_KEYBLOB_FORMAT *cssmForm, // RETURNED
- CSSM_KEYCLASS *cssmClass) // RETRUNED
-{
- if(itemType == kSecItemTypeSessionKey) {
- /* special trivial case */
- /* FIXME ensure caller hasn't specified bogus format */
- *cssmForm = CSSM_KEYBLOB_RAW_FORMAT_NONE;
- *cssmClass = CSSM_KEYCLASS_SESSION_KEY;
- return errSecSuccess;
- }
- if(externForm == kSecFormatUnknown) {
- /* default is openssl */
- externForm = kSecFormatOpenSSL;
- }
-
- unsigned algDex;
- switch(alg) {
- case CSSM_ALGID_RSA:
- algDex = SIE_ALG_RSA;
- break;
- case CSSM_ALGID_DSA:
- algDex = SIE_ALG_DSA;
- break;
- case CSSM_ALGID_DH:
- algDex = SIE_ALG_DH;
- break;
- case CSSM_ALGID_ECDSA:
- algDex = SIE_ALG_ECDSA;
- break;
- default:
- return CSSMERR_CSP_INVALID_ALGORITHM;
- }
- const algForms *forms;
- switch(externForm) {
- case kSecFormatOpenSSL:
- forms = opensslAlgForms;
- break;
- case kSecFormatBSAFE:
- forms = bsafeAlgForms;
- break;
- case kSecFormatSSH:
- forms = ssh1AlgForms;
- break;
- case kSecFormatSSHv2:
- forms = ssh2AlgForms;
- break;
- default:
- return errSecUnsupportedFormat;
- }
- CSSM_KEYBLOB_FORMAT form = CSSM_KEYBLOB_RAW_FORMAT_NONE;
- switch(itemType) {
- case kSecItemTypePrivateKey:
- form = forms[algDex].priv;
- *cssmClass = CSSM_KEYCLASS_PRIVATE_KEY;
- break;
- case kSecItemTypePublicKey:
- form = forms[algDex].pub;
- *cssmClass = CSSM_KEYCLASS_PUBLIC_KEY;
- break;
- default:
- return errSecUnsupportedFormat;
- }
- if(form == CSSM_KEYBLOB_RAW_FORMAT_NONE) {
- /* not in the tables - abort */
- return errSecUnsupportedFormat;
- }
- else {
- *cssmForm = form;
- return errSecSuccess;
- }
-}
-
-/*
- * Given a raw key blob and zero to three known parameters (type, format,
- * algorithm), figure out all parameters. Used for private and public keys.
- */
-static bool impExpGuessKeyParams(
- CFDataRef keyData,
- SecExternalFormat *externForm, // IN/OUT
- SecExternalItemType *itemType, // IN/OUT
- CSSM_ALGORITHMS *keyAlg) // IN/OUT
-{
- /* CSSM alg list: RSA, DSA, DH, ECDSA */
- CSSM_ALGORITHMS minAlg = CSSM_ALGID_RSA;
- CSSM_ALGORITHMS maxAlg = CSSM_ALGID_ECDSA;
- SecExternalFormat minForm = kSecFormatOpenSSL; // then SSH, BSAFE, then...
- SecExternalFormat maxForm = kSecFormatSSHv2;
- SecExternalItemType minType = kSecItemTypePrivateKey; // just two
- SecExternalItemType maxType = kSecItemTypePublicKey;
-
-
- if(keyData == NULL || CFDataGetLength(keyData) == 0){
- MacOSError::throwMe(errSecUnsupportedKeySize);
- }
-
- switch(*externForm) {
- case kSecFormatUnknown:
- break; // run through all formats
- case kSecFormatOpenSSL:
- case kSecFormatSSH:
- case kSecFormatSSHv2:
- case kSecFormatBSAFE:
- minForm = maxForm = *externForm; // just test this one
- break;
- default:
- return false;
- }
- switch(*itemType) {
- case kSecItemTypeUnknown:
- break;
- case kSecItemTypePrivateKey:
- case kSecItemTypePublicKey:
- minType = maxType = *itemType;
- break;
- default:
- return false;
- }
- switch(*keyAlg) {
- case CSSM_ALGID_NONE:
- break;
- case CSSM_ALGID_RSA:
- case CSSM_ALGID_DSA:
- case CSSM_ALGID_DH:
- case CSSM_ALGID_ECDSA:
- minAlg = maxAlg = *keyAlg;
- break;
- default:
- return false;
- }
-
- CSSM_ALGORITHMS theAlg;
- SecExternalFormat theForm;
- SecExternalItemType theType;
- CSSM_CSP_HANDLE cspHand = cuCspStartup(CSSM_TRUE);
- if(cspHand == 0) {
- return CSSMERR_CSSM_ADDIN_LOAD_FAILED;
- }
-
- /*
- * Iterate through all set of enabled {alg, type, format}.
- * We do not assume that any of the enums are sequential hence this
- * odd iteration algorithm....
- */
- bool ourRtn = false;
- for(theAlg=minAlg; ; ) {
- for(theForm=minForm; ; ) {
- for(theType=minType; ; ) {
-
- /* do super lightweight null unwrap to parse */
- OSStatus ortn = impExpImportRawKey(keyData,
- theForm, theType, theAlg,
- NULL, // no keychain
- cspHand,
- 0, // no flags
- NULL, // no key params
- NULL, // no printName
- NULL); // no returned items
- if(ortn == errSecSuccess) {
- *externForm = theForm;
- *itemType = theType;
- *keyAlg = theAlg;
- ourRtn = true;
- goto done;
- }
-
- /* next type or break if we're done */
- if(theType == maxType) {
- break;
- }
- else switch(theType) {
- case kSecItemTypePrivateKey:
- theType = kSecItemTypePublicKey;
- break;
- default:
- assert(0);
- ourRtn = false;
- goto done;
- }
- } /* for each class/type */
-
- /* next format or break if we're done */
- if(theForm == maxForm) {
- break;
- }
- else switch(theForm) {
- case kSecFormatOpenSSL:
- theForm = kSecFormatSSH;
- break;
- case kSecFormatSSH:
- theForm = kSecFormatBSAFE;
- break;
- case kSecFormatBSAFE:
- theForm = kSecFormatSSHv2;
- break;
- default:
- assert(0);
- ourRtn = false;
- goto done;
- }
- } /* for each format */
-
- /* next alg or break if we're done */
- if(theAlg == maxAlg) {
- break;
- }
- else switch(theAlg) {
- case CSSM_ALGID_RSA:
- theAlg = CSSM_ALGID_DSA;
- break;
- case CSSM_ALGID_DSA:
- theAlg = CSSM_ALGID_DH;
- break;
- case CSSM_ALGID_DH:
- theAlg = CSSM_ALGID_ECDSA;
- break;
- default:
- /* i.e. CSSM_ALGID_ECDSA, we already broke at theAlg == maxAlg */
- assert(0);
- ourRtn = false;
- goto done;
- }
- } /* for each alg */
-done:
- cuCspDetachUnload(cspHand, CSSM_TRUE);
- return ourRtn;
-}
-
-/*
- * Guess an incoming blob's type, format and (for keys only) algorithm
- * by examining its contents. Returns true on success, in which case
- * *inputFormat, *itemType, and *keyAlg are all valid. Caller optionally
- * passes in valid values any number of these as a clue.
- */
-bool impExpImportGuessByExamination(
- CFDataRef inData,
- SecExternalFormat *inputFormat, // may be kSecFormatUnknown on entry
- SecExternalItemType *itemType, // may be kSecItemTypeUnknown on entry
- CSSM_ALGORITHMS *keyAlg) // CSSM_ALGID_NONE - unknown
-{
- if( ( (*inputFormat == kSecFormatUnknown) ||
- (*inputFormat == kSecFormatX509Cert)
- ) &&
- ( (*itemType == kSecItemTypeUnknown) ||
- (*itemType == kSecItemTypeCertificate) ) ) {
- /*
- * See if it parses as a cert
- */
- CSSM_CL_HANDLE clHand = cuClStartup();
- if(clHand == 0) {
- return CSSMERR_CSSM_ADDIN_LOAD_FAILED;
- }
- CSSM_HANDLE cacheHand;
- CSSM_RETURN crtn;
- CSSM_DATA cdata = { CFDataGetLength(inData),
- (uint8 *)CFDataGetBytePtr(inData) };
- crtn = CSSM_CL_CertCache(clHand, &cdata, &cacheHand);
- bool brtn = false;
- if(crtn == CSSM_OK) {
- *inputFormat = kSecFormatX509Cert;
- *itemType = kSecItemTypeCertificate;
- SecImpInferDbg("Inferred kSecFormatX509Cert via CL");
- CSSM_CL_CertAbortCache(clHand, cacheHand);
- brtn = true;
- }
- cuClDetachUnload(clHand);
- if(brtn) {
- return true;
- }
- }
- /* TBD: need way to inquire of P12 lib if this is a valid-looking PFX */
-
- if( ( (*inputFormat == kSecFormatUnknown) ||
- (*inputFormat == kSecFormatNetscapeCertSequence)
- ) &&
- ( (*itemType == kSecItemTypeUnknown) ||
- (*itemType == kSecItemTypeAggregate) ) ) {
- /* See if it's a netscape cert sequence */
- CSSM_RETURN crtn = impExpNetscapeCertImport(inData, 0, NULL, NULL, NULL);
- if(crtn == CSSM_OK) {
- *inputFormat = kSecFormatNetscapeCertSequence;
- *itemType = kSecItemTypeAggregate;
- SecImpInferDbg("Inferred netscape-cert-sequence by decoding");
- return true;
- }
- }
-
- /* See if it's a key */
- return impExpGuessKeyParams(inData, inputFormat, itemType, keyAlg);
-}
-
-#pragma mark --- Key Import support ---
-
-/*
- * Given a context specified via a CSSM_CC_HANDLE, add a new
- * CSSM_CONTEXT_ATTRIBUTE to the context as specified by AttributeType,
- * AttributeLength, and an untyped pointer.
- */
-CSSM_RETURN impExpAddContextAttribute(CSSM_CC_HANDLE CCHandle,
- uint32 AttributeType,
- uint32 AttributeLength,
- const void *AttributePtr)
-{
- CSSM_CONTEXT_ATTRIBUTE newAttr;
-
- newAttr.AttributeType = AttributeType;
- newAttr.AttributeLength = AttributeLength;
- newAttr.Attribute.Data = (CSSM_DATA_PTR)AttributePtr;
- return CSSM_UpdateContextAttributes(CCHandle, 1, &newAttr);
-}
-
-/*
- * Free memory via specified plugin's app-level allocator
- */
-void impExpFreeCssmMemory(
- CSSM_HANDLE hand,
- void *p)
-{
- CSSM_API_MEMORY_FUNCS memFuncs;
- CSSM_RETURN crtn = CSSM_GetAPIMemoryFunctions(hand, &memFuncs);
- if(crtn) {
- return;
- }
- memFuncs.free_func(p, memFuncs.AllocRef);
-}
-
-/*
- * Calculate digest of any CSSM_KEY. Unlike older implementations
- * of this logic, you can actually calculate the public key hash
- * on any class of key, any format, raw CSP or CSPDL (though if
- * you're using the CSPDL, the key has to be a reference key
- * in that CSPDL session).
- *
- * Caller must free keyDigest->Data using impExpFreeCssmMemory() since
- * this is allocated by the CSP's app-specified allocator.
- */
-CSSM_RETURN impExpKeyDigest(
- CSSM_CSP_HANDLE cspHand,
- CSSM_KEY_PTR key,
- CSSM_DATA_PTR keyDigest) // contents allocd and RETURNED
-{
- CSSM_DATA_PTR localDigest;
- CSSM_CC_HANDLE ccHand;
-
- CSSM_RETURN crtn = CSSM_CSP_CreatePassThroughContext(cspHand,
- key,
- &ccHand);
- if(crtn) {
- return crtn;
- }
- crtn = CSSM_CSP_PassThrough(ccHand,
- CSSM_APPLECSP_KEYDIGEST,
- NULL,
- (void **)&localDigest);
- if(crtn) {
- SecImpExpDbg("CSSM_CSP_PassThrough(KEY_DIGEST) failure");
- }
- else {
- /*
- * Give caller the Data referent and we'll free the
- * CSSM_DATA struct itswelf.
- */
- *keyDigest = *localDigest;
- impExpFreeCssmMemory(cspHand, localDigest);
- }
- CSSM_DeleteContext(ccHand);
- return crtn;
-}
-
-
-/*
- * Given a CFTypeRef passphrase which may be a CFDataRef or a CFStringRef,
- * return a refcounted CFStringRef suitable for use with the PKCS12 library.
- * PKCS12 passphrases in CFData format must be UTF8 encoded.
- */
-OSStatus impExpPassphraseToCFString(
- CFTypeRef passin,
- CFStringRef *passout) // may be the same as passin, but refcounted
-{
- if(CFGetTypeID(passin) == CFStringGetTypeID()) {
- CFStringRef passInStr = (CFStringRef)passin;
- CFRetain(passInStr);
- *passout = passInStr;
- return errSecSuccess;
- }
- else if(CFGetTypeID(passin) == CFDataGetTypeID()) {
- CFDataRef cfData = (CFDataRef)passin;
- CFIndex len = CFDataGetLength(cfData);
- CFStringRef cfStr = CFStringCreateWithBytes(NULL,
- CFDataGetBytePtr(cfData), len, kCFStringEncodingUTF8, true);
- if(cfStr == NULL) {
- SecImpExpDbg("Passphrase not in UTF8 format");
- return errSecParam;
- }
- *passout = cfStr;
- return errSecSuccess;
- }
- else {
- SecImpExpDbg("Passphrase not CFData or CFString");
- return errSecParam;
- }
-}
-
-/*
- * Given a CFTypeRef passphrase which may be a CFDataRef or a CFStringRef,
- * return a refcounted CFDataRef whose bytes are suitable for use with
- * PKCS5 (v1.5 and v2.0) key derivation.
- */
-OSStatus impExpPassphraseToCFData(
- CFTypeRef passin,
- CFDataRef *passout) // may be the same as passin, but refcounted
-{
- if(CFGetTypeID(passin) == CFDataGetTypeID()) {
- CFDataRef passInData = (CFDataRef)passin;
- CFRetain(passInData);
- *passout = passInData;
- return errSecSuccess;
- }
- else if(CFGetTypeID(passin) == CFStringGetTypeID()) {
- CFStringRef passInStr = (CFStringRef)passin;
- CFDataRef outData;
- outData = CFStringCreateExternalRepresentation(NULL,
- passInStr,
- kCFStringEncodingUTF8,
- 0); // lossByte 0 ==> no loss allowed
- if(outData == NULL) {
- /* Well try with lossy conversion */
- SecImpExpDbg("Trying lossy conversion of CFString passphrase to UTF8");
- outData = CFStringCreateExternalRepresentation(NULL,
- passInStr,
- kCFStringEncodingUTF8,
- 1);
- if(outData == NULL) {
- SecImpExpDbg("Failure on conversion of CFString passphrase to UTF8");
- /* what do we do now, Batman? */
- return errSecParam;
- }
- }
- *passout = outData;
- return errSecSuccess;
- }
- else {
- SecImpExpDbg("Passphrase not CFData or CFString");
- return errSecParam;
- }
-}
-
-/*
-* Add a CFString to a crypto context handle.
-*/
-static CSSM_RETURN impExpAddStringAttr(
- CSSM_CC_HANDLE ccHand,
- CFStringRef str,
- CSSM_ATTRIBUTE_TYPE attrType)
-{
- /* CFStrings are passed as external rep in UTF8 encoding by convention */
- CFDataRef outData;
- outData = CFStringCreateExternalRepresentation(NULL,
- str, kCFStringEncodingUTF8, 0); // lossByte 0 ==> no loss allowed
- if(outData == NULL) {
- SecImpExpDbg("impExpAddStringAttr: bad string format");
- return errSecParam;
- }
-
- CSSM_DATA attrData;
- attrData.Data = (uint8 *)CFDataGetBytePtr(outData);
- attrData.Length = CFDataGetLength(outData);
- CSSM_RETURN crtn = impExpAddContextAttribute(ccHand, attrType, sizeof(CSSM_DATA),
- &attrData);
- CFRelease(outData);
- if(crtn) {
- SecImpExpDbg("impExpAddStringAttr: CSSM_UpdateContextAttributes error");
- }
- return crtn;
-}
-
-/*
- * Generate a secure passphrase key. Caller must eventually CSSM_FreeKey the result.
- */
-static CSSM_RETURN impExpCreatePassKey(
- const SecKeyImportExportParameters *keyParams, // required
- CSSM_CSP_HANDLE cspHand, // MUST be CSPDL
- impExpVerifyPhrase verifyPhrase, // for secure passphrase
- CSSM_KEY_PTR *passKey) // mallocd and RETURNED
-{
- CSSM_RETURN crtn;
- CSSM_CC_HANDLE ccHand;
- uint32 verifyAttr;
- CSSM_DATA dummyLabel;
- CSSM_KEY_PTR ourKey = NULL;
-
- SecImpExpDbg("Generating secure passphrase key");
- ourKey = (CSSM_KEY_PTR)malloc(sizeof(CSSM_KEY));
- if(ourKey == NULL) {
- return errSecAllocate;
- }
- memset(ourKey, 0, sizeof(CSSM_KEY));
-
- crtn = CSSM_CSP_CreateKeyGenContext(cspHand,
- CSSM_ALGID_SECURE_PASSPHRASE,
- 4, // keySizeInBits must be non zero
- NULL, // Seed
- NULL, // Salt
- NULL, // StartDate
- NULL, // EndDate
- NULL, // Params
- &ccHand);
- if(crtn) {
- SecImpExpDbg("impExpCreatePassKey: CSSM_CSP_CreateKeyGenContext error");
- return crtn;
- }
- /* subsequent errors to errOut: */
-
- /* additional context attributes specific to this type of key gen */
- assert(keyParams != NULL); // or we wouldn't be here
- if(keyParams->alertTitle != NULL) {
- crtn = impExpAddStringAttr(ccHand, keyParams->alertTitle,
- CSSM_ATTRIBUTE_ALERT_TITLE);
- if(crtn) {
- goto errOut;
- }
- }
- if(keyParams->alertPrompt != NULL) {
- crtn = impExpAddStringAttr(ccHand, keyParams->alertPrompt,
- CSSM_ATTRIBUTE_PROMPT);
- if(crtn) {
- goto errOut;
- }
- }
- verifyAttr = (verifyPhrase == VP_Export) ? 1 : 0;
- crtn = impExpAddContextAttribute(ccHand, CSSM_ATTRIBUTE_VERIFY_PASSPHRASE,
- sizeof(uint32), (const void *)((size_t) verifyAttr));
- if(crtn) {
- SecImpExpDbg("impExpCreatePassKey: CSSM_UpdateContextAttributes error");
- goto errOut;
- }
-
- dummyLabel.Data = (uint8 *)"Secure Passphrase";
- dummyLabel.Length = strlen((char *)dummyLabel.Data);
-
- crtn = CSSM_GenerateKey(ccHand,
- CSSM_KEYUSE_ANY,
- CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_SENSITIVE,
- &dummyLabel,
- NULL, // ACL
- ourKey);
- if(crtn) {
- SecImpExpDbg("impExpCreatePassKey: CSSM_GenerateKey error");
- }
-errOut:
- CSSM_DeleteContext(ccHand);
- if(crtn == CSSM_OK) {
- *passKey = ourKey;
- }
- else if(ourKey != NULL) {
- free(ourKey);
- }
- return crtn;
-}
-
-/*
- * Obtain passphrase, given a SecKeyImportExportParameters.
- *
- * Passphrase comes from one of two places: app-specified, in
- * SecKeyImportExportParameters.passphrase (either as CFStringRef
- * or CFDataRef); or via the secure passphrase mechanism.
- *
- * Passphrase is returned in AT MOST one of two forms:
- *
- * -- Secure passphrase is returned as a CSSM_KEY_PTR, which the
- * caller must CSSM_FreeKey later as well as free()ing the actual
- * CSSM_KEY_PTR.
- * -- CFTypeRef for app-supplied passphrases. This can be one of
- * two types:
- *
- * -- CFStringRef, for use with P12
- * -- CFDataRef, for more general use (e.g. for PKCS5).
- *
- * In either case the caller must CFRelease the result.
- */
-OSStatus impExpPassphraseCommon(
- const SecKeyImportExportParameters *keyParams,
- CSSM_CSP_HANDLE cspHand, // MUST be CSPDL, for passKey generation
- impExpPassphraseForm phraseForm,
- impExpVerifyPhrase verifyPhrase, // for secure passphrase
- CFTypeRef *phrase, // RETURNED, or
- CSSM_KEY_PTR *passKey) // mallocd and RETURNED
-{
- assert(keyParams != NULL);
-
- /* Give precedence to secure passphrase */
- if(keyParams->flags & kSecKeySecurePassphrase) {
- assert(passKey != NULL);
- return impExpCreatePassKey(keyParams, cspHand, verifyPhrase, passKey);
- }
- else if(keyParams->passphrase != NULL) {
- CFTypeRef phraseOut;
- OSStatus ortn;
- assert(phrase != NULL);
- switch(phraseForm) {
- case SPF_String:
- ortn = impExpPassphraseToCFString(keyParams->passphrase,
- (CFStringRef *)&phraseOut);
- break;
- case SPF_Data:
- ortn = impExpPassphraseToCFData(keyParams->passphrase,
- (CFDataRef *)&phraseOut);
- break;
- default:
- /* only called internally */
- assert(0);
- ortn = errSecParam;
- }
- if(ortn == errSecSuccess) {
- *phrase = phraseOut;
- }
- return ortn;
- }
- else {
- return errSecPassphraseRequired;
- }
-}
-
-static void ToggleKeyAttribute(
- CFArrayRef keyAttrs,
- CFTypeRef attr,
- CSSM_KEYATTR_FLAGS mask,
- CSSM_KEYATTR_FLAGS &result)
-{
- // If the keyAttrs array contains the given attribute,
- // set the corresponding keyattr flags, otherwise clear them.
- // (Note: caller verifies that keyAttrs is not NULL.)
- CFIndex numItems = CFArrayGetCount(keyAttrs);
- result &= ~(mask);
- if (numItems > 0) {
- CFRange range = CFRangeMake(0, numItems);
- if (CFArrayContainsValue(keyAttrs, range, attr))
- result |= mask;
- }
-}
-
-CSSM_KEYATTR_FLAGS ConvertArrayToKeyAttributes(SecKeyRef aKey, CFArrayRef keyAttrs)
-{
- CSSM_KEYATTR_FLAGS result = CSSM_KEYATTR_RETURN_DEFAULT;
-
- if (aKey) {
- const CSSM_KEY* cssmKey = NULL;
- if (errSecSuccess == SecKeyGetCSSMKey(aKey, &cssmKey))
- result = cssmKey->KeyHeader.KeyAttr;
- }
-
- if (!keyAttrs)
- return result;
-
- CFMutableArrayRef attrs = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFIndex idx, count = CFArrayGetCount(keyAttrs);
- for (idx=0; idx<count; idx++) {
- CFTypeRef attr = (CFTypeRef) CFArrayGetValueAtIndex(keyAttrs, idx);
- if (attr && (CFNumberGetTypeID() == CFGetTypeID(attr))) {
- // Convert numeric CSSM keyattr values to equivalent attribute constants
- uint32 value;
- if (CFNumberGetValue((CFNumberRef)attr, kCFNumberSInt32Type, &value)) {
- switch (value) {
- case CSSM_KEYATTR_SENSITIVE:
- attr = kSecAttrIsSensitive;
- break;
- case CSSM_KEYATTR_EXTRACTABLE:
- attr = kSecAttrIsExtractable;
- break;
- case CSSM_KEYATTR_PERMANENT:
- attr = kSecAttrIsPermanent;
- break;
- default:
- attr = NULL;
- break;
- }
- }
- }
- if (attr)
- CFArrayAppendValue(attrs, attr);
- }
-
- // Set key attribute flag in result if present in the array, otherwise clear
- ToggleKeyAttribute(attrs, kSecAttrIsSensitive, CSSM_KEYATTR_SENSITIVE, result);
- ToggleKeyAttribute(attrs, kSecAttrIsExtractable, CSSM_KEYATTR_EXTRACTABLE, result);
- ToggleKeyAttribute(attrs, kSecAttrIsPermanent, CSSM_KEYATTR_PERMANENT, result);
-
- // if caller specified an attributes array which omitted kSecAttrIsExtractable,
- // this implies the sensitive attribute; force it on so that at least one bit
- // is set. If our result is 0, this is indistinguishable from the case where
- // no key attributes were specified, causing a default bitmask to be used
- // in subsequent import code.
-
- if (0==(result & CSSM_KEYATTR_EXTRACTABLE))
- result |= CSSM_KEYATTR_SENSITIVE;
-
- CFRelease(attrs);
- return result;
-}
-
-Boolean ConvertSecKeyImportExportParametersToSecImportExportKeyParameters(SecKeyRef aKey,
- const SecItemImportExportKeyParameters* newPtr, SecKeyImportExportParameters* oldPtr)
-{
- Boolean result = false;
-
- if (NULL != oldPtr && NULL != newPtr)
- {
- oldPtr->version = newPtr->version;
- oldPtr->flags = newPtr->flags;
- oldPtr->passphrase = newPtr->passphrase;
- oldPtr->alertTitle = newPtr->alertTitle;
- oldPtr->alertPrompt = newPtr->alertPrompt;
- oldPtr->accessRef = newPtr->accessRef;
- oldPtr->keyUsage = ConvertArrayToKeyUsage(newPtr->keyUsage);
- oldPtr->keyAttributes = ConvertArrayToKeyAttributes(aKey, newPtr->keyAttributes);
- result = true;
- }
- return result;
-}
-
projects / apple / security.git / blobdiff