+++ /dev/null
-/*
- * Copyright (c) 2004,2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- *
- * SecImport.cpp - high-level facility for importing Sec layer objects.
- */
-
-#include "SecImportExport.h"
-#include "SecExternalRep.h"
-#include "SecImportExportPem.h"
-#include "SecImportExportUtils.h"
-#include <security_cdsa_utils/cuCdsaUtils.h>
-#include <security_utilities/globalizer.h>
-#include <Security/SecBase.h>
-
-#define SecImpInferDbg(args...) secdebug("SecImpInfer", ## args)
-
-using namespace Security;
-using namespace KeychainCore;
-
-/*
- * Do our best to ensure that a SecImportRep's type and format are known.
- * A return of true means that both format and type (and, if the item
- * is a raw public or private key, the algorithm) are known.
- */
-static bool impExpInferTypeAndFormat(
- SecImportRep *rep,
- CFStringRef fileStr,
- SecExternalFormat inputFormat,
- SecExternalItemType itemType)
-{
- /* fill in blanks if caller knows them */
- if((rep->mExternType == kSecItemTypeUnknown) && (itemType != kSecItemTypeUnknown)) {
- rep->mExternType = itemType;
- }
- if((rep->mExternFormat == kSecFormatUnknown) && (inputFormat != kSecFormatUnknown)) {
- rep->mExternFormat = inputFormat;
- }
-
- /* some types can be inferred from format */
- if(rep->mExternType == kSecItemTypeUnknown) {
- SecExternalFormat format;
- if(rep->mExternFormat == kSecFormatUnknown) {
- /* caller specified */
- format = inputFormat;
- }
- else {
- /* maybe this is already set */
- format = rep->mExternFormat;
- }
- switch(format) {
- case kSecFormatUnknown:
- break;
- case kSecFormatPKCS7:
- case kSecFormatPKCS12:
- case kSecFormatPEMSequence:
- case kSecFormatNetscapeCertSequence:
- rep->mExternType = kSecItemTypeAggregate;
- break;
- case kSecFormatRawKey:
- rep->mExternType = kSecItemTypeSessionKey;
- break;
- case kSecFormatX509Cert:
- rep->mExternType = kSecItemTypeCertificate;
- break;
- case kSecFormatWrappedPKCS8:
- case kSecFormatWrappedOpenSSL:
- case kSecFormatWrappedSSH:
- rep->mExternType = kSecItemTypePrivateKey;
- break;
- case kSecFormatSSHv2:
- rep->mExternType = kSecItemTypePublicKey;
- break;
- case kSecFormatOpenSSL:
- case kSecFormatBSAFE:
- case kSecFormatWrappedLSH:
- default:
- /* can be private or session (right? */
- break;
- }
- }
-
- /* some formats can be inferred from type */
- if(rep->mExternFormat == kSecFormatUnknown) {
- SecExternalItemType thisType;
- if(rep->mExternType == kSecItemTypeUnknown) {
- /* caller specified */
- thisType = itemType;
- }
- else {
- /* maybe this is already set */
- thisType = rep->mExternType;
- }
- switch(thisType) {
- case kSecItemTypeCertificate:
- rep->mExternFormat = kSecFormatX509Cert;
- break;
- /* any others? */
- default:
- break;
- }
- }
-
- /*
- * Wrapped private keys don't need algorithm
- * Some formats implies algorithm
- */
- bool isWrapped = false;
- switch(rep->mExternFormat) {
- case kSecFormatWrappedPKCS8:
- case kSecFormatWrappedOpenSSL:
- case kSecFormatWrappedLSH:
- isWrapped = true;
- break;
- case kSecFormatWrappedSSH:
- isWrapped = true;
- rep->mKeyAlg = CSSM_ALGID_RSA;
- break;
- case kSecFormatSSH:
- rep->mKeyAlg = CSSM_ALGID_RSA;
- break;
- default:
- break;
- }
-
- /* Are we there yet? */
- bool done = true;
- if((rep->mExternType == kSecItemTypeUnknown) ||
- (rep->mExternFormat == kSecFormatUnknown)) {
- done = false;
- }
- if(done) {
- switch(rep->mExternType) {
- case kSecItemTypePrivateKey:
- case kSecItemTypePublicKey:
- if(!isWrapped && (rep->mKeyAlg == CSSM_ALGID_NONE)) {
- /* gotta know this too */
- done = false;
- }
- break;
- default:
- break;
- }
- }
- if(!done) {
- /* infer from filename if possible */
- done = impExpImportParseFileExten(fileStr, &rep->mExternFormat,
- &rep->mExternType);
- }
- if(done) {
- return true;
- }
-
- /* invoke black magic: try decoding various forms */
- return impExpImportGuessByExamination(rep->mExternal, &rep->mExternFormat,
- &rep->mExternType, &rep->mKeyAlg);
-}
-
-class CSPDLMaker
-{
-protected:
- CSSM_CSP_HANDLE mHandle;
- RecursiveMutex mMutex;
-
-public:
- CSPDLMaker() : mHandle(cuCspStartup(CSSM_FALSE)) {}
- operator CSSM_CSP_HANDLE() {return mHandle;}
-};
-
-static ModuleNexus<CSPDLMaker> gCSPHandle;
-
-OSStatus SecKeychainItemImport(
- CFDataRef importedData,
- CFStringRef fileNameOrExtension, // optional
- SecExternalFormat *inputFormat, // optional, IN/OUT
- SecExternalItemType *itemType, // optional, IN/OUT
- SecItemImportExportFlags flags,
- const SecKeyImportExportParameters *keyParams, // optional
- SecKeychainRef importKeychain, // optional
- CFArrayRef *outItems) /* optional */
-{
- BEGIN_IMP_EXP_SECAPI
-
- bool isPem;
- OSStatus ortn = errSecSuccess;
- OSStatus pem_ortn = errSecSuccess;
- SecImportRep *rep = NULL;
- SecExternalFormat callerInputFormat;
- SecExternalItemType callerItemType;
- CSSM_CSP_HANDLE cspHand = 0;
- CFIndex dex;
- CFStringRef ourFileStr = NULL;
-
- if((importedData == NULL) || (CFDataGetLength(importedData) == 0)) {
- return errSecParam;
- }
- /* all other args are optional */
-
- if(inputFormat) {
- callerInputFormat = *inputFormat;
- }
- else {
- callerInputFormat = kSecFormatUnknown;
- }
- if(itemType) {
- callerItemType = *itemType;
- }
- else {
- callerItemType = kSecItemTypeUnknown;
- }
-
- CFIndex numReps = 0;
- SecExternalFormat tempFormat = callerInputFormat;
- SecExternalItemType tempType = callerItemType;
- ImpPrivKeyImportState keyImportState = PIS_NoLimit;
-
- CFMutableArrayRef importReps = CFArrayCreateMutable(NULL, 0, NULL);
- CFMutableArrayRef createdKcItems = CFArrayCreateMutable(NULL, 0,
- &kCFTypeArrayCallBacks);
- /* subsequent errors to errOut: */
-
- /*
- * importedData --> one or more SecImportReps.
- * Note successful PEM decode can override caller's inputFormat and/or itemType.
- */
- pem_ortn = impExpParsePemToImportRefs(importedData, importReps, &isPem);
- /* remember how PEM decode failed, but continue to examine other possibilities */
- if(!isPem) {
- /* incoming blob is one binary item, type possibly unknown */
- rep = new SecImportRep(importedData, callerItemType, callerInputFormat,
- CSSM_ALGID_NONE);
- CFArrayAppendValue(importReps, rep);
- if(fileNameOrExtension) {
- ourFileStr = fileNameOrExtension;
- CFRetain(ourFileStr);
- }
- }
- else {
- /*
- * Strip off possible .pem extension in case there's another one in
- * front of it
- */
- assert(CFArrayGetCount(importReps) >= 1);
- if(fileNameOrExtension) {
- if(CFStringHasSuffix(fileNameOrExtension, CFSTR(".pem"))) {
- ourFileStr = impExpImportDeleteExtension(fileNameOrExtension);
- }
- else {
- ourFileStr = fileNameOrExtension;
- CFRetain(ourFileStr);
- }
- }
- }
-
- /*
- * Ensure we know type and format (and, for raw keys, algorithm) of each item.
- */
- numReps = CFArrayGetCount(importReps);
- if(numReps > 1) {
- /*
- * Incoming kSecFormatPEMSequence, caller specs are useless now.
- * Hopefully the PEM parsing disclosed the info we'll need.
- */
- if(ourFileStr) {
- CFRelease(ourFileStr);
- ourFileStr = NULL;
- }
- tempFormat = kSecFormatUnknown;
- tempType = kSecItemTypeUnknown;
- }
- for(dex=0; dex<numReps; dex++) {
- rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, dex);
- bool ok = impExpInferTypeAndFormat(rep, ourFileStr, tempFormat, tempType);
- if(!ok) {
- ortn = errSecUnknownFormat;
- goto errOut;
- }
- }
-
- /* Get a CSPDL handle, somehow, as convenience for lower level code */
- if(importKeychain != NULL) {
- ortn = SecKeychainGetCSPHandle(importKeychain, &cspHand);
- if(ortn) {
- goto errOut;
- }
- }
- else {
- cspHand = gCSPHandle();
- }
-
- if(keyParams && (keyParams->flags & kSecKeyImportOnlyOne)) {
- keyImportState = PIS_AllowOne;
- }
-
- /* Everything looks good: Go */
- for(CFIndex dex=0; dex<numReps; dex++) {
- rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, dex);
- ortn = rep->importRep(importKeychain, cspHand, flags, keyParams,
- keyImportState, createdKcItems);
- if(ortn) {
- goto errOut;
- }
- }
-
- /* Give as much info to caller as we can even if we got an error on import */
- if(inputFormat != NULL) {
- if(numReps > 1) {
- assert(isPem);
- *inputFormat = kSecFormatPEMSequence;
- }
- else {
- /* format from sole item in importReps */
- assert(numReps != 0);
- rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, 0);
- *inputFormat = rep->mExternFormat;
- }
- }
- if(itemType != NULL) {
- if(numReps > 1) {
- assert(isPem);
- *itemType = kSecItemTypeAggregate;
- }
- else {
- /* itemType from sole item in importReps */
- assert(numReps != 0);
- rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, 0);
- *itemType = rep->mExternType;
- }
- }
- if((ortn == errSecSuccess) && (outItems != NULL)) {
- /* return the array */
- *outItems = createdKcItems;
- createdKcItems = NULL;
- }
- /* else caller doesn't want SecKeychainItemsRefs; we'll release below */
-
-errOut:
- if(createdKcItems) {
- CFRelease(createdKcItems);
- }
- if(importReps != NULL) {
- /* CFArray of our own classes, no auto release */
- CFIndex num = CFArrayGetCount(importReps);
- for(dex=0; dex<num; dex++) {
- rep = (SecImportRep *)CFArrayGetValueAtIndex(importReps, dex);
- delete rep;
- }
- CFRelease(importReps);
- }
- if(ourFileStr) {
- CFRelease(ourFileStr);
- }
- if(ortn) {
- /* error occurred importing non-PEM representation */
- return SecKeychainErrFromOSStatus(ortn);
- }
- if(pem_ortn == errSecUnsupportedFormat && numReps == 0) {
- /* error occurred importing as PEM, and no other rep was imported */
- return SecKeychainErrFromOSStatus(pem_ortn);
- }
- return errSecSuccess;
-
- END_IMP_EXP_SECAPI
-}
-
-OSStatus SecItemImport(
- CFDataRef importedData,
- CFStringRef fileNameOrExtension, /* optional */
- SecExternalFormat *inputFormat, /* optional, IN/OUT */
- SecExternalItemType *itemType, /* optional, IN/OUT */
- SecItemImportExportFlags flags,
- const SecItemImportExportKeyParameters *keyParams, /* optional */
- SecKeychainRef importKeychain, /* optional */
- CFArrayRef *outItems)
-{
-
- SecKeyImportExportParameters* oldStructPtr = NULL;
- SecKeyImportExportParameters oldStruct;
- memset(&oldStruct, 0, sizeof(oldStruct));
-
-
- if (NULL != keyParams)
- {
- if (ConvertSecKeyImportExportParametersToSecImportExportKeyParameters(NULL,
- keyParams, &oldStruct))
- {
- oldStructPtr = &oldStruct;
- }
- }
-
- return SecKeychainItemImport(importedData, fileNameOrExtension, inputFormat,
- itemType, flags, oldStructPtr, importKeychain, outItems);
-}
-
projects / apple / security.git / blobdiff