]> git.saurik.com Git - apple/security.git/blobdiff - OSX/sec/Security/SecImportExport.c
projects / apple / security.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Security-57336.1.9.tar.gz
[apple/security.git] / OSX / sec / Security / SecImportExport.c
diff --git a/OSX/sec/Security/SecImportExport.c b/OSX/sec/Security/SecImportExport.c
new file mode 100644 (file)
index 0000000..0c4b416
--- /dev/null
+++ b/OSX/sec/Security/SecImportExport.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (c) 2007-2008,2012-2013 Apple Inc. All Rights Reserved.
+ * 
+ * @APPLE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include <Security/SecBase.h>
+#include <Security/SecBasePriv.h>
+#include <Security/SecItem.h>
+#include <Security/SecRSAKey.h>
+#include <Security/SecECKey.h>
+#include <Security/SecCertificate.h>
+#include <Security/SecIdentityPriv.h>
+#include <Security/SecPolicy.h>
+#include <Security/SecTrust.h>
+#include <Security/SecInternal.h>
+#include <libDER/oidsPriv.h>
+
+#include <AssertMacros.h>
+
+#include "p12import.h"
+#include "SecImportExport.h"
+
+const CFStringRef kSecImportExportPassphrase = CFSTR("passphrase");
+const CFStringRef kSecImportItemLabel = CFSTR("label");
+const CFStringRef kSecImportItemKeyID = CFSTR("keyid");
+const CFStringRef kSecImportItemTrust = CFSTR("trust");
+const CFStringRef kSecImportItemCertChain = CFSTR("chain");
+const CFStringRef kSecImportItemIdentity = CFSTR("identity");
+
+
+static void collect_certs(const void *key, const void *value, void *context)
+{
+    if (!CFDictionaryContainsKey(value, CFSTR("key"))) {
+        CFDataRef cert_bytes = CFDictionaryGetValue(value, CFSTR("cert"));
+        if (!cert_bytes)
+            return;
+        SecCertificateRef cert = 
+            SecCertificateCreateWithData(kCFAllocatorDefault, cert_bytes);
+        if (!cert)
+            return;
+        CFMutableArrayRef cert_array = (CFMutableArrayRef)context;
+        CFArrayAppendValue(cert_array, cert);
+        CFRelease(cert);
+    }
+}
+
+typedef struct {
+    CFMutableArrayRef identities;
+    CFArrayRef certs;
+} build_trust_chains_context;
+
+static void build_trust_chains(const void *key, const void *value, 
+    void *context)
+{
+    CFMutableDictionaryRef identity_dict = CFDictionaryCreateMutable(kCFAllocatorDefault, 
+        0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+    SecKeyRef private_key = NULL;
+    SecCertificateRef cert = NULL;
+    SecIdentityRef identity = NULL;
+    SecPolicyRef policy = NULL;
+    CFMutableArrayRef cert_chain = NULL, eval_chain = NULL;
+    SecTrustRef trust = NULL;
+    build_trust_chains_context * a_build_trust_chains_context = (build_trust_chains_context*)context;
+
+    CFDataRef key_bytes = CFDictionaryGetValue(value, CFSTR("key"));
+    require(key_bytes, out);
+    CFDataRef cert_bytes = CFDictionaryGetValue(value, CFSTR("cert"));
+    require(cert_bytes, out);
+    CFDataRef algoid_bytes = CFDictionaryGetValue(value, CFSTR("algid"));
+
+
+    DERItem algorithm = { (DERByte *)CFDataGetBytePtr(algoid_bytes), CFDataGetLength(algoid_bytes) };
+    if (DEROidCompare(&oidEcPubKey, &algorithm)) {
+        require (private_key = SecKeyCreateECPrivateKey(kCFAllocatorDefault,
+                                                         CFDataGetBytePtr(key_bytes), CFDataGetLength(key_bytes),
+                                                         kSecKeyEncodingPkcs1), out);
+    } else if (DEROidCompare(&oidRsa, &algorithm)) {
+        require (private_key = SecKeyCreateRSAPrivateKey(kCFAllocatorDefault,
+                                                         CFDataGetBytePtr(key_bytes), CFDataGetLength(key_bytes),
+                                                         kSecKeyEncodingPkcs1), out);
+    } else {
+        goto out;
+    }
+
+    require(cert = SecCertificateCreateWithData(kCFAllocatorDefault, cert_bytes), out);
+    require(identity = SecIdentityCreate(kCFAllocatorDefault, cert, private_key), out);
+    CFDictionarySetValue(identity_dict, kSecImportItemIdentity, identity);
+    
+    eval_chain = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+    require(eval_chain, out);
+    CFArrayAppendValue(eval_chain, cert);
+    CFRange all_certs = { 0, CFArrayGetCount(a_build_trust_chains_context->certs) };
+    CFArrayAppendArray(eval_chain, a_build_trust_chains_context->certs, all_certs);
+    require(policy = SecPolicyCreateBasicX509(), out);
+    SecTrustResultType result;
+    SecTrustCreateWithCertificates(eval_chain, policy, &trust);
+    require(trust, out);
+    SecTrustEvaluate(trust, &result);
+    CFDictionarySetValue(identity_dict, kSecImportItemTrust, trust);
+    
+    require(cert_chain = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks), out);
+    CFIndex cert_chain_length = SecTrustGetCertificateCount(trust);
+    int i;
+    for (i = 0; i < cert_chain_length; i++)
+        CFArrayAppendValue(cert_chain, SecTrustGetCertificateAtIndex(trust, i));
+    CFDictionarySetValue(identity_dict, kSecImportItemCertChain, cert_chain);
+    
+    CFArrayAppendValue(a_build_trust_chains_context->identities, identity_dict);
+out:
+    CFReleaseSafe(identity_dict);
+    CFReleaseSafe(identity);
+    CFReleaseSafe(private_key);
+    CFReleaseSafe(cert);
+    CFReleaseSafe(policy);
+    CFReleaseSafe(cert_chain);
+    CFReleaseSafe(eval_chain);
+    CFReleaseSafe(trust);
+}
+
+OSStatus SecPKCS12Import(CFDataRef pkcs12_data, CFDictionaryRef options, CFArrayRef *items)
+{
+    pkcs12_context context = {};
+    SecAsn1CoderCreate(&context.coder);
+    if (options)
+        context.passphrase = CFDictionaryGetValue(options, kSecImportExportPassphrase);
+    context.items = CFDictionaryCreateMutable(kCFAllocatorDefault, 
+        0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+    int status = p12decode(&context, pkcs12_data);
+    if (!status) {
+        CFMutableArrayRef certs = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+        CFDictionaryApplyFunction(context.items, collect_certs, certs);
+
+        CFMutableArrayRef identities = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+        build_trust_chains_context a_build_trust_chains_context = { identities, certs };
+        CFDictionaryApplyFunction(context.items, build_trust_chains, &a_build_trust_chains_context);
+        CFReleaseSafe(certs);
+        
+        /* ignoring certs that weren't picked up as part of the certchain for found keys */
+        
+        *items = identities;
+    }
+
+    CFReleaseSafe(context.items);
+    SecAsn1CoderRelease(context.coder);
+    
+    switch (status) {
+    case p12_noErr: return errSecSuccess;
+    case p12_passwordErr: return errSecAuthFailed;
+    case p12_decodeErr: return errSecDecode;
+    default: return errSecInternal;
+    };
+    return errSecSuccess;
+}
+
mirror of Security