+++ /dev/null
-/*
- * Copyright (c) 2004,2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- *
- * SecImportExportPem.cpp - private PEM routines for SecImportExport
- */
-
-#include "SecImportExportPem.h"
-#include "SecExternalRep.h"
-#include "SecImportExportUtils.h"
-#include <security_cdsa_utils/cuEnc64.h>
-#include <security_cdsa_utils/cuPem.h>
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-
-/*
- * Text parsing routines.
- *
- * Search incoming text for specified string. Does not assume inText is
- * NULL terminated. Returns pointer to start of found string in inText.
- */
-static const char *findStr(
- const char *inText,
- unsigned inTextLen,
- const char *str) // NULL terminated - search for this
-{
- /* probably not the hottest string search algorithm... */
- const char *cp;
- unsigned srchStrLen = (unsigned)strlen(str);
- char c = str[0];
-
- /* last char * we can search in inText for start of str */
- const char *endCp = inText + inTextLen - srchStrLen;
-
- for(cp=inText; cp<=endCp; cp++) {
- if(*cp == c) {
- if(!memcmp(cp, str, srchStrLen)) {
- return cp;
- }
- }
- }
- return NULL;
-}
-
-/*
- * Obtain one line from current text. Returns a mallocd, NULL-terminated string
- * which caller must free(). Also returns the number of chars consumed including
- * the returned chars PLUS EOL terminators (\n and/or \r).
- *
- * ALWAYS returns a mallocd string if there is ANY data remaining per the
- * incoming inTextLen. Returns NULL if inTextLen is zero.
- */
-static const char *getLine(
- const char *inText,
- unsigned inTextLen, // RETURNED
- unsigned *consumed) // RETURNED
-
-{
- *consumed = 0;
- const char *cp = inText;
- const char *newline = NULL; // if we found a newline, this points to the first one
-
- while(inTextLen) {
- char c = *cp;
- if((c == '\r') || (c == '\n')) {
- if(newline == NULL) {
- /* first newline */
- newline = cp;
- }
- }
- else if(newline != NULL) {
- /* non newline after newline, done */
- break;
- }
- (*consumed)++;
- inTextLen--;
- cp++;
- }
- unsigned linelen;
- if(newline) {
- linelen = (unsigned)(newline - inText);
- }
- else {
- linelen = *consumed;
- }
- char *rtn = (char *)malloc(linelen + 1);
- memmove(rtn, inText, linelen);
- rtn[linelen] = 0;
- return rtn;
-}
-
-/*
- * Table to facilitate conversion of known PEM header strings to
- * the things we know about.
- */
-typedef struct {
- const char *pemStr; // e.g. PEM_STRING_X509, "CERTIFICATE"
- SecExternalItemType itemType;
- SecExternalFormat format;
- CSSM_ALGORITHMS keyAlg;
-} PemHeader;
-
-#define NOALG CSSM_ALGID_NONE
-
-static const PemHeader PemHeaders[] =
-{
- /* from openssl/pem.h standard header */
- { PEM_STRING_X509_OLD, kSecItemTypeCertificate, kSecFormatX509Cert, NOALG},
- { PEM_STRING_X509, kSecItemTypeCertificate, kSecFormatX509Cert, NOALG },
- { PEM_STRING_EVP_PKEY, kSecItemTypePrivateKey, kSecFormatOpenSSL, NOALG},
- { PEM_STRING_PUBLIC, kSecItemTypePublicKey, kSecFormatOpenSSL, NOALG },
- { PEM_STRING_RSA, kSecItemTypePrivateKey, kSecFormatOpenSSL, CSSM_ALGID_RSA },
- { PEM_STRING_RSA_PUBLIC, kSecItemTypePublicKey, kSecFormatOpenSSL, CSSM_ALGID_RSA },
- { PEM_STRING_DSA, kSecItemTypePrivateKey, kSecFormatOpenSSL, CSSM_ALGID_DSA },
- { PEM_STRING_DSA_PUBLIC, kSecItemTypePublicKey, kSecFormatOpenSSL, CSSM_ALGID_DSA },
- { PEM_STRING_PKCS7, kSecItemTypeAggregate, kSecFormatPKCS7, NOALG },
- { PEM_STRING_PKCS8, kSecItemTypePrivateKey, kSecFormatWrappedPKCS8, NOALG },
- { PEM_STRING_PKCS8INF, kSecItemTypePrivateKey, kSecFormatUnknown, NOALG },
- /* we define these */
- { PEM_STRING_DH_PUBLIC, kSecItemTypePublicKey, kSecFormatOpenSSL, CSSM_ALGID_DH },
- { PEM_STRING_DH_PRIVATE, kSecItemTypePrivateKey, kSecFormatOpenSSL, CSSM_ALGID_DH },
- { PEM_STRING_PKCS12, kSecItemTypeAggregate, kSecFormatPKCS12, NOALG },
- { PEM_STRING_SESSION, kSecItemTypeSessionKey, kSecFormatRawKey, NOALG },
- { PEM_STRING_ECDSA_PUBLIC, kSecItemTypePublicKey, kSecFormatOpenSSL, CSSM_ALGID_ECDSA },
- { PEM_STRING_ECDSA_PRIVATE, kSecItemTypePrivateKey, kSecFormatOpenSSL, CSSM_ALGID_ECDSA }
-};
-#define NUM_PEM_HEADERS (sizeof(PemHeaders) / sizeof(PemHeader))
-
-/*
- * PEM decode incoming data which we've previously determined to contain
- * exactly one reasonably well formed PEM blob (it has no more than one
- * START and END line - though it may have none - and is all ASCII).
- *
- * Returned SecImportRep may or may not have a known type and format and
- * (if it is a key) algorithm.
- */
-static OSStatus impExpImportSinglePEM(
- const char *currCp,
- unsigned lenToGo,
- CFMutableArrayRef importReps) // output appended here
-{
- unsigned consumed;
- const char *currLine = NULL; // mallocd by getLine()
- const char *lastCp = currCp;
- CFMutableArrayRef pemParamLines = NULL;
- OSStatus ortn = errSecSuccess;
- CFDataRef cdata = NULL;
- Security::KeychainCore::SecImportRep *rep = NULL;
- const char *start64;
- unsigned base64Len;
- const char *end64;
- unsigned char *decData;
- unsigned decDataLen;
-
- /* we try to glean these from the header, but it's not fatal if we can not */
- SecExternalFormat format = kSecFormatUnknown;
- SecExternalItemType itemType = kSecItemTypeUnknown;
- CSSM_ALGORITHMS keyAlg = CSSM_ALGID_NONE;
-
- /* search to START line, parse it to get type/format/alg */
- const char *startLine = findStr(currCp, lenToGo, "-----BEGIN");
- if(startLine != NULL) {
- /* possibly skip over leading garbage */
- consumed = (unsigned)(startLine - currCp);
- lenToGo -= consumed;
- currCp = startLine;
-
- /* get C string of START line */
- currLine = getLine(startLine, lenToGo, &consumed);
- if(currLine == NULL) {
- /* somehow got here with no data */
- assert(lenToGo == 0);
- SecImpInferDbg("impExpImportSinglePEM empty data");
- ortn = errSecUnsupportedFormat;
- goto errOut;
- }
- assert(consumed <= lenToGo);
- currCp += consumed;
- lenToGo -= consumed;
-
- /*
- * Search currLine for known PEM header strings.
- * It is not an error if we don't recognize this
- * header.
- */
- for(unsigned dex=0; dex<NUM_PEM_HEADERS; dex++) {
- const PemHeader *ph = &PemHeaders[dex];
- if(!strstr(currLine, ph->pemStr)) {
- continue;
- }
- /* found one! */
- format = ph->format;
- itemType = ph->itemType;
- keyAlg = ph->keyAlg;
- break;
- }
-
- free((void *)currLine);
- }
-
- /*
- * Skip empty lines. Save all lines containing ':' (used by openssl
- * to specify key wrapping parameters). These will be saved in
- * outgoing SecImportReps' pemParamLines.
- */
- for( ; ; ) {
- currLine = getLine(currCp, lenToGo, &consumed);
- if(currLine == NULL || currCp == lastCp) {
- /* out of data (unable to advance to next line) */
- SecImpInferDbg("impExpImportSinglePEM out of data");
- if (currLine) free((void *)currLine);
- ortn = errSecUnsupportedFormat;
- goto errOut;
- }
- lastCp = currCp;
-
- bool skipThis = false;
- unsigned lineLen = (unsigned)strlen(currLine);
- if(lineLen == 0) {
- /* empty line */
- skipThis = true;
- }
- if(strchr(currLine, ':')) {
- /*
- * Save this PEM header info. Used for traditional openssl
- * wrapped keys to indicate IV.
- */
- SecImpInferDbg("import PEM: param line %s", currLine);
- CFStringRef cfStr = CFStringCreateWithCString(NULL, currLine,
- kCFStringEncodingASCII);
- if(pemParamLines == NULL) {
- /* first param line */
- pemParamLines = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
-
- /*
- * If it says "ENCRYPTED" and this is a private key,
- * flag the fact that it's wrapped in openssl format
- */
- if(strstr(currLine, "ENCRYPTED")) {
- if((format == kSecFormatOpenSSL) &&
- (itemType == kSecItemTypePrivateKey)) {
- format = kSecFormatWrappedOpenSSL;
- }
- }
- }
- CFArrayAppendValue(pemParamLines, cfStr);
- CFRelease(cfStr); // array owns it
- skipThis = true;
- }
- free((void *)currLine);
- if(!skipThis) {
- /* looks like good stuff; process */
- break;
- }
- /* skip this line */
- assert(consumed <= lenToGo);
- currCp += consumed;
- lenToGo -= consumed;
- }
- if(lenToGo <= 2) {
- SecImpInferDbg("impExpImportSinglePEM no valid base64 data");
- ortn = errSecUnsupportedFormat;
- goto errOut;
- }
-
- /*
- * currCP points to start of base64 data - mark it and search for end line.
- * We skip everything after the end line.
- */
- start64 = currCp;
- base64Len = lenToGo; // if no END
- end64 = findStr(currCp, lenToGo, "-----END");
- if(end64 != NULL) {
- if(end64 == start64) {
- /* Empty, nothing between START and END */
- SecImpInferDbg("impExpImportSinglePEM no base64 between terminators");
- ortn = errSecUnsupportedFormat;
- goto errOut;
- }
- base64Len = (unsigned)(end64 - start64);
- }
- /* else no END, no reason to complain about that as long as base64 decode works OK */
-
- /* Base 64 decode */
- decData = cuDec64((const unsigned char *)start64, base64Len, &decDataLen);
- if(decData == NULL) {
- SecImpInferDbg("impExpImportSinglePEM bad base64 data");
- ortn = errSecUnsupportedFormat;
- goto errOut;
- }
-
- cdata = CFDataCreate(NULL, decData, decDataLen);
- free((void *)decData);
- rep = new Security::KeychainCore::SecImportRep(cdata, itemType, format, keyAlg,
- pemParamLines);
- CFArrayAppendValue(importReps, rep);
- CFRelease(cdata); // SecImportRep holds ref
- return errSecSuccess;
-
-errOut:
- if(pemParamLines != NULL) {
- CFRelease(pemParamLines);
- }
- return ortn;
-}
-
-/*
- * PEM decode incoming data, appending SecImportRep's to specified array.
- * Returned SecImportReps may or may not have a known type and format and
- * (if they are keys) algorithm.
- */
-OSStatus impExpParsePemToImportRefs(
- CFDataRef importedData,
- CFMutableArrayRef importReps, // output appended here
- bool *isPem) // true means we think it was PEM regardless of
- // final return code
-{
- /*
- * First task: is this PEM or at least base64 encoded?
- */
- const char *currCp = (const char *)CFDataGetBytePtr(importedData);
- const char *cp = currCp;
- unsigned lenToGo = (unsigned)CFDataGetLength(importedData);
- OSStatus ortn;
-
- *isPem = false;
- unsigned dex;
- bool allBlanks = true;
-
- for(dex=0; dex<lenToGo; dex++, cp++) {
- if (!isspace(*cp)) {
- // it's not a space. Is it a non-ascii character?
- if (!isascii(*cp)) {
- return errSecSuccess;
- }
-
- // is it a control character?
- if (iscntrl(*cp))
- {
- return errSecSuccess;
- }
-
- // no, mark that an acceptable character was encountered and keep going
- allBlanks = false;
- }
- }
-
- if (allBlanks)
- {
- return errSecSuccess;
- }
-
- /* search for START line */
- const char *startLine = findStr(currCp, lenToGo, "-----BEGIN");
- if(startLine == NULL) {
- /* Assume one item, raw base64 */
- SecImpInferDbg("impExpParsePemToImportRefs no PEM headers, assuming raw base64");
- ortn = impExpImportSinglePEM(currCp, lenToGo, importReps);
- if(ortn == errSecSuccess) {
- *isPem = true;
- }
- return ortn;
- }
-
- /* break up input into chunks between START and END lines */
- ortn = errSecSuccess;
- bool gotSomePem = false;
- do {
- /* get to beginning of START line */
- startLine = findStr(currCp, lenToGo, "-----BEGIN");
- if(startLine == NULL) {
- break;
- }
- unsigned consumed = (unsigned)(startLine - currCp);
- assert(consumed <= lenToGo);
- lenToGo -= consumed;
- currCp += consumed;
-
- /* get to beginning of END line */
- const char *endLine = findStr(currCp+10, lenToGo, "-----END");
- unsigned toDecode = lenToGo;
- if(endLine) {
- consumed = (unsigned)(endLine - startLine);
- assert(consumed <= lenToGo);
- currCp += consumed;
- lenToGo -= consumed;
-
- /* find end of END line */
- const char *tmpLine = getLine(endLine, lenToGo, &consumed);
- assert((tmpLine != NULL) && (tmpLine[0] != 0));
- /* don't decode the terminators */
- toDecode = (unsigned)(endLine - startLine + strlen(tmpLine));
- free((void *)tmpLine);
-
- /* skip past END line and newlines */
- assert(consumed <= lenToGo);
- currCp += consumed;
- lenToGo -= consumed;
- }
- else {
- /* no END line, we'll allow that - decode to end of file */
- lenToGo = 0;
- }
-
- ortn = impExpImportSinglePEM(startLine, toDecode, importReps);
- if(ortn) {
- break;
- }
- gotSomePem = true;
- } while(lenToGo != 0);
- if(ortn == errSecSuccess) {
- if(gotSomePem) {
- *isPem = true;
- }
- else {
- SecImpInferDbg("impExpParsePemToImportRefs empty at EOF, no PEM found");
- ortn = kSecFormatUnknown;
- }
- }
- return ortn;
-}
-
-
-/*
- * PEM encode a single SecExportRep's data, appending to a CFData.
- */
-OSStatus impExpPemEncodeExportRep(
- CFDataRef derData,
- const char *pemHeader,
- CFArrayRef pemParamLines, // optional
- CFMutableDataRef outData)
-{
- unsigned char *enc;
- unsigned encLen;
-
- char headerLine[200];
- if(strlen(pemHeader) > 150) {
- return errSecParam;
- }
-
- /* First base64 encode */
- enc = cuEnc64WithLines(CFDataGetBytePtr(derData), (unsigned)CFDataGetLength(derData),
- 64, &encLen);
- if(enc == NULL) {
- /* malloc error is actually the only known failure */
- SecImpExpDbg("impExpPemEncodeExportRep: cuEnc64WithLines failure");
- return errSecAllocate;
- }
-
- /* strip off trailing NULL */
- if((encLen != 0) && (enc[encLen - 1] == '\0')) {
- encLen--;
- }
- sprintf(headerLine, "-----BEGIN %s-----\n", pemHeader);
- CFDataAppendBytes(outData, (const UInt8 *)headerLine, strlen(headerLine));
-
- /* optional PEM parameters lines (currently used for openssl wrap format only) */
- if(pemParamLines != NULL) {
- CFIndex numLines = CFArrayGetCount(pemParamLines);
- for(CFIndex dex=0; dex<numLines; dex++) {
- CFStringRef cfStr =
- (CFStringRef)CFArrayGetValueAtIndex(pemParamLines, dex);
- char cStr[512];
- UInt8 nl = '\n';
- if(!CFStringGetCString(cfStr, cStr, sizeof(cStr),
- kCFStringEncodingASCII)) {
- /*
- * Should never happen; this module created this CFString
- * from a C string with ASCII encoding. Keep going, though
- * this is probably fatal to the exported representation.
- */
- SecImpExpDbg("impExpPemEncodeExportRep: pemParamLine screwup");
- continue;
- }
- CFDataAppendBytes(outData, (const UInt8 *)cStr, strlen(cStr));
- CFDataAppendBytes(outData, &nl, 1);
- }
- }
- CFDataAppendBytes(outData, enc, encLen);
- sprintf(headerLine, "-----END %s-----\n", pemHeader);
- CFDataAppendBytes(outData, (const UInt8 *)headerLine, strlen(headerLine));
- free((void *)enc);
- return errSecSuccess;
-}
-
projects / apple / security.git / blobdiff