-/*
- * Copyright (c) 2000-2004,2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * SecImportExportPkcs8.cpp - support for generating and parsing/decoding
- * private keys in PKCS8 format.
- *
- * The current version (as of March 12 2004) can parse and decode every
- * PKCS8 blob generated by openssl with the exception of those using
- * double DES encryption. This has been verified by actually generating
- * those blobs with openssl and decoding them here.
- *
- * PLEASE: don't even *think* about changing a single line of code here
- * without verifying the results against the full import/export regression
- * test in SecurityTests/clxutils/importExport.
- *
- */
-
-#include <Security/SecImportExport.h>
-#include "SecImportExportPkcs8.h"
-#include "SecPkcs8Templates.h"
-#include "SecImportExportUtils.h"
-#include "SecImportExportCrypto.h"
-#include <security_pkcs12/pkcs12Utils.h>
-#include <security_pkcs12/pkcs12Crypto.h>
-#include <security_asn1/SecNssCoder.h>
-#include <Security/keyTemplates.h>
-#include <Security/SecAsn1Templates.h>
-#include <Security/secasn1t.h>
-#include <security_asn1/nssUtils.h>
-#include <security_utilities/debugging.h>
-#include <security_utilities/devrandom.h>
-#include <Security/oidsalg.h>
-#include <Security/SecKeyPriv.h>
-#include <security_cdsa_utils/cuCdsaUtils.h>
-#include <openssl/pem.h>
-#include <assert.h>
-#include <Security/SecBase.h>
-
-#define SecPkcs8Dbg(args...) secdebug("SecPkcs8", ## args)
-
-#pragma mark --- PKCS5 v1.5 Key Derivation ---
-
-/*
- * PKCS5 v1.5. Caller has gleaned everything except salt,
- * iterationCount, and IV from the AlgId.algorithm OID.
- *
- * We get salt and iteration count from the incoming alg params.
- * IV is derived along with the unwrapping key from the passphrase.
- */
-static CSSM_RETURN pkcs5_v15_genKey(
- CSSM_CSP_HANDLE cspHand,
- SecNssCoder &coder,
- const SecKeyImportExportParameters *keyParams,
- const CSSM_DATA ¶mData,
- CSSM_ALGORITHMS keyAlg,
- CSSM_ALGORITHMS pbeHashAlg,
- uint32 keySizeInBits,
- uint32 blockSizeInBytes,
- impExpKeyUnwrapParams *unwrapParams)
-{
- CSSM_KEY *passKey = NULL;
- CFDataRef cfPhrase = NULL;
- CSSM_RETURN crtn;
- OSStatus ortn;
- CSSM_CRYPTO_DATA seed;
- CSSM_CC_HANDLE ccHand = 0;
- CSSM_ACCESS_CREDENTIALS creds;
-
-
- /* passphrase or passkey? */
- ortn = impExpPassphraseCommon(keyParams, cspHand, SPF_Data, VP_Import,
- (CFTypeRef *)&cfPhrase, &passKey);
- if(ortn) {
- return ortn;
- }
- /* subsequent errors to errOut: */
-
- memset(&seed, 0, sizeof(seed));
- if(cfPhrase != NULL) {
- size_t len = CFDataGetLength(cfPhrase);
- coder.allocItem(seed.Param, len);
- memmove(seed.Param.Data, CFDataGetBytePtr(cfPhrase), len);
- CFRelease(cfPhrase);
- }
-
- /* hash algorithm --> PBE alg for CSP */
- CSSM_ALGORITHMS pbeAlg;
- switch(pbeHashAlg) {
- case CSSM_ALGID_MD2:
- pbeAlg = CSSM_ALGID_PKCS5_PBKDF1_MD2;
- break;
- case CSSM_ALGID_MD5:
- pbeAlg = CSSM_ALGID_PKCS5_PBKDF1_MD5;
- break;
- case CSSM_ALGID_SHA1:
- pbeAlg = CSSM_ALGID_PKCS5_PBKDF1_SHA1;
- break;
- default:
- /* really shouldn't happen - pbeHashAlg was inferred by
- * pkcsOidToParams() */
- SecPkcs8Dbg("PKCS8: PKCS5 v1/5 bogus hash alg");
- crtn = CSSMERR_CSP_INTERNAL_ERROR;
- goto errOut;
- }
-
- /* Salt and iteration count from alg parameters */
- impExpPKCS5_PBE_Parameters pbeParams;
- memset(&pbeParams, 0, sizeof(pbeParams));
- if(coder.decodeItem(paramData, impExpPKCS5_PBE_ParametersTemplate, &pbeParams)) {
- SecPkcs8Dbg("PKCS8: PKCS5 v1.5 pbeParams decode error");
- crtn = errSecUnknownFormat;
- goto errOut;
- }
- uint32 iterCount;
- if(!p12DataToInt(pbeParams.iterations, iterCount)) {
- SecPkcs8Dbg("PKCS8: bad PKCS5 v1.5 iteration count");
- crtn = errSecUnknownFormat;
- goto errOut;
- }
-
- /* ask for hard coded 8 bytes of IV */
- coder.allocItem(unwrapParams->iv, 8);
-
- memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
- crtn = CSSM_CSP_CreateDeriveKeyContext(cspHand,
- pbeAlg,
- keyAlg,
- keySizeInBits,
- &creds,
- passKey, // BaseKey
- iterCount,
- &pbeParams.salt,
- &seed,
- &ccHand);
- if(crtn) {
- SecPkcs8Dbg("PKCS8: PKCS5 v2 CSSM_CSP_CreateDeriveKeyContext failure");
- goto errOut;
- }
-
- memset(unwrapParams->unwrappingKey, 0, sizeof(CSSM_KEY));
-
- CSSM_DATA dummyLabel;
- dummyLabel.Data = (uint8 *)"temp unwrap key";
- dummyLabel.Length = strlen((char *)dummyLabel.Data);
-
- crtn = CSSM_DeriveKey(ccHand,
- &unwrapParams->iv, // IV returned in in/out Param
- CSSM_KEYUSE_ANY,
- /* not extractable even for the short time this key lives */
- CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_SENSITIVE,
- &dummyLabel,
- NULL, // cred and acl
- unwrapParams->unwrappingKey);
- if(crtn) {
- SecPkcs8Dbg("PKCS8: PKCS5 v1.5 CSSM_DeriveKey failure");
- }
-errOut:
- if(ccHand != 0) {
- CSSM_DeleteContext(ccHand);
- }
- if(passKey != NULL) {
- CSSM_FreeKey(cspHand, NULL, passKey, CSSM_FALSE);
- free(passKey);
- }
- return crtn;
-}
-
-#pragma mark --- PKCS5 v2.0 Key Derivation ---
-
-/*
- * PKCS5 v2.0 has different means of encoding algorithm parameters,
- * depending on the encryption algorithm.
- */
-/*
- * Obtain encryption parameters for PKCS5 v2.0, DES and DES3 variants.
- */
-static OSStatus pkcs5_DES_params(
- const CSSM_DATA ¶mData, // encryptionScheme.parameters
- CSSM_OID *encrOid,
- impExpKeyUnwrapParams *unwrapParams,
- CSSM_ALGORITHMS *keyAlg, // RETURNED
- uint32 *keySizeInBits, // IN/OUT (returned if 0 on entry)
- SecNssCoder &coder)
-{
- /* Params is iv as OCTET STRING */
- if(coder.decodeItem(paramData, kSecAsn1OctetStringTemplate, &unwrapParams->iv)) {
- SecPkcs8Dbg("PKCS8: PKCS5 v2 DES init vector decode error");
- return errSecUnknownFormat;
- }
- if(nssCompareCssmData(encrOid, &CSSMOID_PKCS5_DES_EDE3_CBC)) {
- *keyAlg = CSSM_ALGID_3DES_3KEY;
- unwrapParams->encrAlg = CSSM_ALGID_3DES_3KEY_EDE;
- if(*keySizeInBits == 0) {
- *keySizeInBits = 3 * 64;
- }
- }
- else {
- *keyAlg = CSSM_ALGID_DES;
- unwrapParams->encrAlg = CSSM_ALGID_DES;
- if(*keySizeInBits == 0) {
- *keySizeInBits = 64;
- }
- }
- unwrapParams->encrPad = CSSM_PADDING_PKCS7;
- unwrapParams->encrMode = CSSM_ALGMODE_CBCPadIV8;
- return errSecSuccess;
-}
-
-/*
- * Obtain encryption parameters for PKCS5 v2.0, RC2 variant.
- */
-static OSStatus pkcs5_RC2_params(
- const CSSM_DATA ¶mData, // encryptionScheme.parameters
- impExpKeyUnwrapParams *unwrapParams,
- CSSM_ALGORITHMS *keyAlg, // RETURNED
- uint32 *keySizeInBits, // IN/OUT (returned if 0 on entry)
- SecNssCoder &coder)
-{
- /* Params is impExpPKCS5_RC2Params */
- impExpPKCS5_RC2Params rc2Params;
- memset(&rc2Params, 0, sizeof(rc2Params));
- if(coder.decodeItem(paramData, impExpPKCS5_RC2ParamsTemplate, &rc2Params)) {
- SecPkcs8Dbg("PKCS8: PKCS5 v2 RC2 params decode error");
- return errSecUnknownFormat;
- }
-
- *keyAlg = CSSM_ALGID_RC2;
- unwrapParams->encrAlg = CSSM_ALGID_RC2;
- unwrapParams->encrPad = CSSM_PADDING_PKCS7;
- unwrapParams->encrMode = CSSM_ALGMODE_CBCPadIV8;
-
- /* the version actually maps to effective key size like this */
- /* I swear all of this is in the PKCS5 v2.0 spec */
- unwrapParams->effectiveKeySizeInBits = 32; // default
- if(rc2Params.version.Data) {
- uint32 v;
- if(!p12DataToInt(rc2Params.version, v)) {
- SecPkcs8Dbg("PKCS8: bad PKCS5 rc2Params.version");
- return errSecUnknownFormat;
- }
- switch(v) {
- case 160:
- unwrapParams->effectiveKeySizeInBits = 40;
- break;
- case 120:
- unwrapParams->effectiveKeySizeInBits = 64;
- break;
- case 58:
- unwrapParams->effectiveKeySizeInBits = 128;
- break;
- default:
- if(v >= 256) {
- unwrapParams->effectiveKeySizeInBits = v;
- }
- else {
- /* not in the spec, use as zero */
- }
- break;
- }
- }
- unwrapParams->iv = rc2Params.iv;
-
- /* the PKCS5 spec does not give a default for the RC2 key size */
- if(*keySizeInBits == 0) {
- SecPkcs8Dbg("PKCS8: NO RC2 DEFAULT KEYSIZE!");
- return errSecUnknownFormat;
- }
- return errSecSuccess;
-}
-
-/*
- * Infer encryption parameters for PKCS5 v2.0, RC5 variant.
- * All info contained in encryptionScheme.parameters.
- */
-static OSStatus pkcs5_RC5_params(
- const CSSM_DATA ¶mData, // encryptionScheme.parameters
- impExpKeyUnwrapParams *unwrapParams,
- CSSM_ALGORITHMS *keyAlg, // RETURNED
- uint32 *keySizeInBits, // IN/OUT (returned if 0 on entry)
- SecNssCoder &coder)
-{
- /* Params is a impExpPKCS5_RC5Params */
- impExpPKCS5_RC5Params rc5Params;
- memset(&rc5Params, 0, sizeof(rc5Params));
- if(coder.decodeItem(paramData, impExpPKCS5_RC5ParamsTemplate, &rc5Params)) {
- SecPkcs8Dbg("PKCS8: PKCS5 v2 RC5 params decode error");
- return errSecUnknownFormat;
- }
-
- *keyAlg = CSSM_ALGID_RC5;
- unwrapParams->encrAlg = CSSM_ALGID_RC5;
- unwrapParams->encrPad = CSSM_PADDING_PKCS7;
- unwrapParams->encrMode = CSSM_ALGMODE_CBCPadIV8;
-
- if(rc5Params.rounds.Data) {
- if(!p12DataToInt(rc5Params.rounds, unwrapParams->rounds)) {
- SecPkcs8Dbg("PKCS8: bad PKCS5 rc5Params.rounds");
- return errSecUnknownFormat;
- }
- }
- if(rc5Params.blockSizeInBits.Data) {
- if(!p12DataToInt(rc5Params.blockSizeInBits, unwrapParams->blockSizeInBits)) {
- SecPkcs8Dbg("PKCS8: bad PKCS5 rc5Params.blockSizeInBits");
- return errSecUnknownFormat;
- }
- }
-
- /* Spec says default iv is zeroes */
- unwrapParams->iv = rc5Params.iv;
- if(unwrapParams->iv.Length == 0) {
- uint32 len = unwrapParams->blockSizeInBits / 8;
- coder.allocItem(unwrapParams->iv, len);
- memset(unwrapParams->iv.Data, 0, len);
- }
-
- /*
- * Spec does not give a default for key RC5 size, and openssl doesn't
- * support RC5 for PKCS8.
- */
- if(*keySizeInBits == 0) {
- SecPkcs8Dbg("PKCS8: NO RC5 DEFAULT KEYSIZE!");
- return errSecUnknownFormat;
- }
- return errSecSuccess;
-}
-
-/*
- * Common code to derive a wrap/unwrap key using PBKDF2 (i.e., using PKCS5 v2.0
- * key derivation). Caller must CSSM_FreeKey when done.
- */
-static CSSM_RETURN pbkdf2DeriveKey(
- CSSM_CSP_HANDLE cspHand,
- SecNssCoder &coder,
- CSSM_ALGORITHMS keyAlg,
- uint32 keySizeInBits,
- uint32 iterationCount,
- const CSSM_DATA &salt,
- const SecKeyImportExportParameters *keyParams, // required
- impExpVerifyPhrase verifyPhrase, // for secure passphrase
- CSSM_KEY_PTR symKey) // RETURNED
-{
- CSSM_KEY *passKey = NULL;
- CFDataRef cfPhrase = NULL;
- CSSM_PKCS5_PBKDF2_PARAMS pbeParams;
- CSSM_RETURN crtn;
- OSStatus ortn;
- CSSM_DATA dummyLabel;
- CSSM_DATA pbeData;
- uint32 keyAttr;
- CSSM_CC_HANDLE ccHand = 0;
- CSSM_ACCESS_CREDENTIALS creds;
-
- memset(&pbeParams, 0, sizeof(pbeParams));
-
- /* passphrase or passkey? */
- ortn = impExpPassphraseCommon(keyParams, cspHand, SPF_Data, verifyPhrase,
- (CFTypeRef *)&cfPhrase, &passKey);
- if(ortn) {
- return ortn;
- }
- /* subsequent errors to errOut: */
-
- if(cfPhrase != NULL) {
- size_t len = CFDataGetLength(cfPhrase);
- coder.allocItem(pbeParams.Passphrase, len);
- memmove(pbeParams.Passphrase.Data,
- CFDataGetBytePtr(cfPhrase), len);
- CFRelease(cfPhrase);
- }
-
- memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
- crtn = CSSM_CSP_CreateDeriveKeyContext(cspHand,
- CSSM_ALGID_PKCS5_PBKDF2,
- keyAlg,
- keySizeInBits,
- &creds,
- passKey, // BaseKey
- iterationCount,
- &salt,
- NULL, // seed
- &ccHand);
- if(crtn) {
- SecPkcs8Dbg("PKCS8: PKCS5 v2 CSSM_CSP_CreateDeriveKeyContext failure");
- goto errOut;
- }
-
- memset(symKey, 0, sizeof(CSSM_KEY));
-
- /* not extractable even for the short time this key lives */
- keyAttr = CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_SENSITIVE;
- dummyLabel.Data = (uint8 *)"temp unwrap key";
- dummyLabel.Length = strlen((char *)dummyLabel.Data);
-
- pbeParams.PseudoRandomFunction = CSSM_PKCS5_PBKDF2_PRF_HMAC_SHA1;
- pbeData.Data = (uint8 *)&pbeParams;
- pbeData.Length = sizeof(pbeParams);
- crtn = CSSM_DeriveKey(ccHand,
- &pbeData,
- CSSM_KEYUSE_ANY,
- keyAttr,
- &dummyLabel,
- NULL, // cred and acl
- symKey);
- if(crtn) {
- SecPkcs8Dbg("PKCS8: PKCS5 v2 CSSM_DeriveKey failure");
- }
-errOut:
- if(ccHand != 0) {
- CSSM_DeleteContext(ccHand);
- }
- if(passKey != NULL) {
- CSSM_FreeKey(cspHand, NULL, passKey, CSSM_FALSE);
- free(passKey);
- }
- return crtn;
-}
-
-/*
- * Obtain PKCS5, v.2.0 key derivation and encryption parameters and
- * derive the key. This one obtains all of the crypt parameters
- * from the top-level AlgId.Params. What a mess.
- */
-static CSSM_RETURN pkcs5_v2_genKey(
- CSSM_CSP_HANDLE cspHand,
- SecNssCoder &coder,
- const CSSM_DATA ¶mData,
- const SecKeyImportExportParameters *keyParams,
- impExpKeyUnwrapParams *unwrapParams)
-{
- SecPkcs8Dbg("PKCS8: generating PKCS5 v2.0 key");
-
- CSSM_ALGORITHMS keyAlg = CSSM_ALGID_NONE;
- uint32 prf = 0; // CSSM_PKCS5_PBKDF2_PRF_HMAC_SHA1...
-
- /* caller should check */
- assert(keyParams != NULL);
-
- /* AlgId.Params --> impExpPKCS5_PBES2_Params */
- if(paramData.Length == 0) {
- SecPkcs8Dbg("PKCS8: empty PKCS5 v2 pbes2Params");
- return errSecUnknownFormat;
- }
- impExpPKCS5_PBES2_Params pbes2Params;
- memset(&pbes2Params, 0, sizeof(pbes2Params));
- if(coder.decodeItem(paramData, impExpPKCS5_PBES2_ParamsTemplate, &pbes2Params)) {
- SecPkcs8Dbg("PKCS8: PKCS5 v2 pbes2Params decode error");
- return errSecUnknownFormat;
- }
-
- /*
- * As far as I know the keyDerivationFunc OID must be id-PBKDF2
- */
- if(!nssCompareCssmData(&pbes2Params.keyDerivationFunc.algorithm,
- &CSSMOID_PKCS5_PBKDF2)) {
- SecPkcs8Dbg("PKCS8: PKCS5 v2 unexpected keyDerivationFunc alg");
- return errSecUnknownFormat;
- }
-
- /*
- * The params of the keyDerivationFunc algId are an encoded
- * impExpPKCS5_PBKDF2_Params.
- */
- impExpPKCS5_PBKDF2_Params pbkdf2Params;
- memset(&pbkdf2Params, 0, sizeof(pbkdf2Params));
- if(coder.decodeItem(pbes2Params.keyDerivationFunc.parameters,
- impExpPKCS5_PBKDF2_ParamsTemplate, &pbkdf2Params)) {
- SecPkcs8Dbg("PKCS8: PKCS5 v2 pbkdf2Params decode error");
- return errSecUnknownFormat;
- }
-
- /*
- * Salt and iteration count from the impExpPKCS5_PBKDF2_Params (ignoring the
- * possible CHOICE for salt source).
- */
- CSSM_DATA salt = pbkdf2Params.salt;
- uint32 iterCount;
- if(!p12DataToInt(pbkdf2Params.iterationCount, iterCount)) {
- SecPkcs8Dbg("PKCS8: bad PKCS5 v2 iteration count");
- return errSecUnknownFormat;
- }
-
- /*
- * Key size optional, use defaults per alg (later) if it's not there
- */
- uint32 keySizeInBits = 0;
- if(pbkdf2Params.keyLengthInBytes.Data) {
- uint32 keyLengthInBytes;
- if(!p12DataToInt(pbkdf2Params.keyLengthInBytes, keyLengthInBytes)) {
- SecPkcs8Dbg("PKCS8: bad PKCS5 v2 key size");
- return errSecUnknownFormat;
- }
- keySizeInBits = keyLengthInBytes * 8;
- }
- /* else we'll infer key size from the encryption algorithm */
-
- /* prf optional, but if it's there it better be CSSMOID_PKCS5_HMAC_SHA1 */
- if(pbkdf2Params.prf.Data) {
- if(!nssCompareCssmData(&pbkdf2Params.prf, &CSSMOID_PKCS5_HMAC_SHA1)) {
- SecPkcs8Dbg("PKCS8: PKCS5 v2 unexpected prf OID");
- return errSecUnknownFormat;
- }
- }
- prf = CSSM_PKCS5_PBKDF2_PRF_HMAC_SHA1;
-
- /*
- * Now process the encryptionScheme, which is even messier - the algParams
- * varies per encryption algorithm.
- */
- CSSM_X509_ALGORITHM_IDENTIFIER &encrScheme = pbes2Params.encryptionScheme;
- CSSM_OID *encrOid = &encrScheme.algorithm;
- OSStatus ortn;
- CSSM_DATA &encrParam = encrScheme.parameters;
-
- if(nssCompareCssmData(encrOid, &CSSMOID_PKCS5_DES_EDE3_CBC) ||
- nssCompareCssmData(encrOid, &CSSMOID_DES_CBC)) {
- ortn = pkcs5_DES_params(encrParam, encrOid, unwrapParams, &keyAlg,
- &keySizeInBits, coder);
- if(ortn) {
- return ortn;
- }
- }
- else if(nssCompareCssmData(encrOid, &CSSMOID_PKCS5_RC2_CBC)) {
- ortn = pkcs5_RC2_params(encrParam, unwrapParams, &keyAlg,
- &keySizeInBits, coder);
- if(ortn) {
- return ortn;
- }
- }
- else if(nssCompareCssmData(encrOid, &CSSMOID_PKCS5_RC5_CBC)) {
- ortn = pkcs5_RC5_params(encrParam, unwrapParams, &keyAlg,
- &keySizeInBits, coder);
- if(ortn) {
- return ortn;
- }
- }
- else {
- SecPkcs8Dbg("PKCS8: PKCS5 v2 unknown encrScheme.algorithm");
- return errSecUnknownFormat;
- }
-
- /* We should be ready to go */
- assert(keyAlg != CSSM_ALGID_NONE);
- assert(unwrapParams->encrAlg != CSSM_ALGID_NONE);
-
- /* use all the stuff we just figured out to derive a symmetric decryption key */
- return pbkdf2DeriveKey(cspHand, coder,
- keyAlg, keySizeInBits,
- iterCount, salt,
- keyParams,
- VP_Import,
- unwrapParams->unwrappingKey);
-}
-
-#pragma mark --- PKCS12 Key Derivation ---
-
-/*
- * PKCS12 style key derivation. Caller has gleaned everything except
- * salt, iterationCount, and IV from the AlgId.algorithm OID.
- *
- * We get salt and iteration count from the incoming alg params.
- * IV is derived along with the unwrapping key from the passphrase.
- */
-static CSSM_RETURN pkcs12_genKey(
- CSSM_CSP_HANDLE cspHand,
- SecNssCoder &coder,
- const SecKeyImportExportParameters *keyParams,
- const CSSM_DATA ¶mData, // from algID
- CSSM_ALGORITHMS keyAlg, // valid on entry
- CSSM_ALGORITHMS pbeHashAlg, // valid on entry
- uint32 keySizeInBits, // valid on entry
- uint32 blockSizeInBytes, // for IV
- impExpKeyUnwrapParams *unwrapParams)
-{
- SecPkcs8Dbg("PKCS8: generating PKCS12 key");
-
- assert(keyAlg != CSSM_ALGID_NONE);
- assert(pbeHashAlg != CSSM_ALGID_NONE);
- assert(keySizeInBits != 0);
-
- /* get iteration count, salt from alg params */
- NSS_P12_PBE_Params pbeParams;
-
- if(paramData.Length == 0) {
- SecPkcs8Dbg("PKCS8: empty P12 pbeParams");
- return errSecUnknownFormat;
- }
- memset(&pbeParams, 0, sizeof(pbeParams));
- if(coder.decodeItem(paramData, NSS_P12_PBE_ParamsTemplate, &pbeParams)) {
- SecPkcs8Dbg("PKCS8: P12 pbeParams decode error");
- return errSecUnknownFormat;
- }
-
- uint32 iterCount = 0;
- if(!p12DataToInt(pbeParams.iterations, iterCount)) {
- SecPkcs8Dbg("PKCS8: bad P12 iteration count");
- return errSecUnknownFormat;
- }
-
- /* passphrase or passkey? */
- CSSM_KEY *passKey = NULL;
- CFStringRef phraseStr = NULL;
- CSSM_DATA phraseData = {0, NULL};
- CSSM_DATA *phraseDataP = NULL;
- OSStatus ortn;
- CSSM_RETURN crtn;
-
- assert(keyParams != NULL);
-
- ortn = impExpPassphraseCommon(keyParams, cspHand, SPF_String, VP_Import,
- (CFTypeRef *)&phraseStr, &passKey);
- if(ortn) {
- return ortn;
- }
- /* subsequent errors to errOut: */
-
- if(phraseStr != NULL) {
- /* convert to CSSM_DATA for use with p12KeyGen() */
- try {
- p12ImportPassPhrase(phraseStr, coder, phraseData);
- }
- catch(...) {
- SecPkcs8Dbg("PKCS8: p12ImportPassPhrase threw");
- crtn = errSecAllocate;
- goto errOut;
- }
- CFRelease(phraseStr);
- phraseDataP = &phraseData;
- }
-
- /* use p12 module to cook up the key and IV */
- if(blockSizeInBytes) {
- coder.allocItem(unwrapParams->iv, blockSizeInBytes);
- }
- crtn = p12KeyGen(cspHand,
- *unwrapParams->unwrappingKey,
- true, // isForEncr
- keyAlg,
- pbeHashAlg,
- keySizeInBits,
- iterCount,
- pbeParams.salt,
- phraseDataP,
- passKey,
- unwrapParams->iv);
- if(crtn) {
- SecPkcs8Dbg("PKCS8: p12KeyGen failed");
- }
-errOut:
- if(passKey != NULL) {
- CSSM_FreeKey(cspHand, NULL, passKey, CSSM_FALSE);
- free(passKey);
- }
- return crtn;
-}
-
-#pragma mark --- Public PKCS8 import function ---
-
-/*
- * Called out from SecImportRep::importWrappedKey().
- * If cspHand is provided instead of importKeychain, the CSP
- * handle MUST be for the CSPDL, not for the raw CSP.
- */
-OSStatus impExpPkcs8Import(
- CFDataRef inData,
- SecKeychainRef importKeychain, // optional
- CSSM_CSP_HANDLE cspHand, // required
- SecItemImportExportFlags flags,
- const SecKeyImportExportParameters *keyParams, // REQUIRED for unwrap
- CFMutableArrayRef outArray) // optional, append here
-{
- CSSM_KEY wrappedKey;
- CSSM_KEYHEADER &hdr = wrappedKey.KeyHeader;
- CSSM_RETURN crtn = CSSM_OK;
-
- /* key derivation and encryption parameters gleaned from alg ID */
- impExpKeyUnwrapParams unwrapParams;
- memset(&unwrapParams, 0, sizeof(unwrapParams));
- CSSM_ALGORITHMS keyAlg = CSSM_ALGID_NONE;
- CSSM_ALGORITHMS pbeHashAlg = CSSM_ALGID_NONE; // SHA1 or MD5
- uint32 keySizeInBits;
- uint32 blockSizeInBytes;
- PKCS_Which pkcs = PW_None;
-
- if( (keyParams == NULL) ||
- ( (keyParams->passphrase == NULL) &&
- !(keyParams->flags & kSecKeySecurePassphrase) ) ) {
- /* passphrase mandatory */
- return errSecPassphraseRequired;
- }
- assert(cspHand != 0);
-
- /*
- * Top-level decode
- */
- SecNssCoder coder;
- NSS_EncryptedPrivateKeyInfo encrPrivKeyInfo;
-
- memset(&encrPrivKeyInfo, 0, sizeof(encrPrivKeyInfo));
- if(coder.decode(CFDataGetBytePtr(inData),
- CFDataGetLength(inData),
- kSecAsn1EncryptedPrivateKeyInfoTemplate, &encrPrivKeyInfo)) {
- SecImpExpDbg("impExpPkcs8Import: error decoding top-level encrPrivKeyInfo");
- return errSecUnknownFormat;
- }
-
- /*
- * The algorithm OID of that top-level struct is the key piece of info
- * for now...
- */
- bool found = false;
- found = pkcsOidToParams(&encrPrivKeyInfo.algorithm.algorithm,
- keyAlg, unwrapParams.encrAlg, pbeHashAlg, keySizeInBits, blockSizeInBytes,
- unwrapParams.encrPad, unwrapParams.encrMode, pkcs);
- if(!found) {
- SecImpExpDbg("impExpPkcs8Import: unknown OID in top-level encrPrivKeyInfo");
- return errSecUnknownFormat;
- }
-
- /*
- * Each PBE method has its own way of filling in the remaining gaps
- * in impExpKeyUnwrapParams and generating a key.
- */
- CSSM_KEY unwrappingKey;
- memset(&unwrappingKey, 0, sizeof(unwrappingKey));
- unwrapParams.unwrappingKey = &unwrappingKey;
- CSSM_DATA ¶mData = encrPrivKeyInfo.algorithm.parameters;
-
- switch(pkcs) {
- case PW_PKCS5_v1_5:
- /* we have everything except iv, iterations, salt */
- crtn = pkcs5_v15_genKey(cspHand, coder, keyParams, paramData,
- keyAlg, pbeHashAlg, keySizeInBits, blockSizeInBytes,
- &unwrapParams);
- break;
-
- case PW_PKCS5_v2:
- /* obtain everything, including iv, from alg params */
- crtn = pkcs5_v2_genKey(cspHand, coder, paramData, keyParams, &unwrapParams);
- break;
- case PW_PKCS12:
- /* we have everything except iv, iterations, salt */
- crtn = pkcs12_genKey(cspHand, coder, keyParams, paramData,
- keyAlg, pbeHashAlg, keySizeInBits, blockSizeInBytes,
- &unwrapParams);
- break;
- case PW_None:
- /* satisfy compiler */
- assert(0);
- return errSecUnknownFormat;
- }
- if(crtn) {
- SecPkcs8Dbg("PKCS8: key derivation failed");
- return crtn;
- }
-
- /* we should be ready to rock'n'roll no matter how we got here */
- assert(unwrapParams.encrAlg != CSSM_ALGID_NONE);
- assert(unwrappingKey.KeyData.Data != NULL);
- assert(unwrappingKey.KeyHeader.AlgorithmId != CSSM_ALGID_NONE);
-
- /* set up key to unwrap */
- memset(&wrappedKey, 0, sizeof(CSSM_KEY));
- hdr.HeaderVersion = CSSM_KEYHEADER_VERSION;
- /* CspId : don't care */
- hdr.BlobType = CSSM_KEYBLOB_WRAPPED;
- hdr.Format = CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS8;
- /* AlgorithmId : inferred by CSP */
- hdr.AlgorithmId = CSSM_ALGID_NONE;
- hdr.KeyClass = CSSM_KEYCLASS_PRIVATE_KEY;
- /* LogicalKeySizeInBits : calculated by CSP during unwrap */
- hdr.KeyAttr = CSSM_KEYATTR_EXTRACTABLE;
- hdr.KeyUsage = CSSM_KEYUSE_ANY;
-
- wrappedKey.KeyData = encrPrivKeyInfo.encryptedData;
-
- crtn = impExpImportKeyCommon(
- &wrappedKey,
- importKeychain,
- cspHand,
- flags,
- keyParams,
- &unwrapParams,
- NULL, // default label
- outArray);
- CSSM_FreeKey(cspHand, NULL, &unwrappingKey, CSSM_FALSE);
- return crtn;
-}
-
-#pragma mark --- Public PKCS8 export function ---
-
-#define PKCS5_V2_SALT_LEN 8
-#define PKCS5_V2_ITERATIONS 2048
-#define PKCS5_V2_DES_IV_SIZE 8
-
-/*
- * Unlike impExpPkcs8Import(), which can handle every PBE algorithm in the spec
- * and implemented by openssl, this one has a fixed PBE and encryption scheme.
- * We do not provide a means at the API for the client to specify these.
- *
- * We generate blobs with triple DES encryption, with PKCS5 v2.0 key
- * derivation.
- */
-OSStatus impExpPkcs8Export(
- SecKeyRef secKey,
- SecItemImportExportFlags flags,
- const SecKeyImportExportParameters *keyParams, // optional
- CFMutableDataRef outData, // output appended here
- const char **pemHeader)
-{
- DevRandomGenerator rng;
- SecNssCoder coder;
- impExpPKCS5_PBES2_Params pbes2Params;
- CSSM_X509_ALGORITHM_IDENTIFIER &keyDeriveAlgId = pbes2Params.keyDerivationFunc;
- CSSM_ATTRIBUTE_TYPE formatAttrType = CSSM_ATTRIBUTE_NONE;
- CSSM_KEYBLOB_FORMAT blobForm = CSSM_KEYBLOB_RAW_FORMAT_NONE;
- const CSSM_KEY *cssmKey;
-
- if(keyParams == NULL) {
- return errSecParam;
- }
- assert(secKey != NULL);
- assert(outData != NULL);
-
- memset(&pbes2Params, 0, sizeof(pbes2Params));
-
- /*
- * keyDeriveAlgId
- * parameters is an encoded impExpPKCS5_PBKDF2_Params
- * We generate random salt
- */
- keyDeriveAlgId.algorithm = CSSMOID_PKCS5_PBKDF2;
- impExpPKCS5_PBKDF2_Params pbkdf2Params;
- memset(&pbkdf2Params, 0, sizeof(pbkdf2Params));
- coder.allocItem(pbkdf2Params.salt, PKCS5_V2_SALT_LEN);
- rng.random(pbkdf2Params.salt.Data, PKCS5_V2_SALT_LEN);
- p12IntToData(PKCS5_V2_ITERATIONS, pbkdf2Params.iterationCount, coder);
- /* leave pbkdf2Params.keyLengthInBytes NULL for default */
- /* openssl can't handle this, which is the default value:
- pbkdf2Params.prf = CSSMOID_PKCS5_HMAC_SHA1;
- */
-
- coder.encodeItem(&pbkdf2Params, impExpPKCS5_PBKDF2_ParamsTemplate,
- keyDeriveAlgId.parameters);
-
- /*
- * encryptionScheme
- * parameters is an encoded OCTET STRING containing the (random) IV
- */
- CSSM_X509_ALGORITHM_IDENTIFIER &encrScheme = pbes2Params.encryptionScheme;
- encrScheme.algorithm = CSSMOID_PKCS5_DES_EDE3_CBC;
- CSSM_DATA rawIv = {0, NULL};
- coder.allocItem(rawIv, PKCS5_V2_DES_IV_SIZE);
- rng.random(rawIv.Data, PKCS5_V2_DES_IV_SIZE);
-
- coder.encodeItem(&rawIv, kSecAsn1OctetStringTemplate,
- encrScheme.parameters);
-
- /*
- * Top level NSS_EncryptedPrivateKeyInfo, whose parameters is the encoded
- * impExpPKCS5_PBES2_Params.
- */
- NSS_EncryptedPrivateKeyInfo encrPrivKeyInfo;
- memset(&encrPrivKeyInfo, 0, sizeof(encrPrivKeyInfo));
- CSSM_X509_ALGORITHM_IDENTIFIER &topAlgId = encrPrivKeyInfo.algorithm;
- topAlgId.algorithm = CSSMOID_PKCS5_PBES2;
- coder.encodeItem(&pbes2Params, impExpPKCS5_PBES2_ParamsTemplate,
- topAlgId.parameters);
-
- /*
- * Now all we have to do is generate the encrypted key data itself.
- * When doing a WrapKey op in PKCS8 form, the CSP gives us the
- * NSS_EncryptedPrivateKeyInfo.encryptedData values.
- */
-
- /* we need a CSPDL handle - try to get it from the key */
- CSSM_CSP_HANDLE cspdlHand = 0;
- OSStatus ortn;
- bool releaseCspHand = false;
- CSSM_DATA encodedKeyInfo = {0, NULL};
-
- ortn = SecKeyGetCSPHandle(secKey, &cspdlHand);
- if(ortn) {
- cspdlHand = cuCspStartup(CSSM_FALSE);
- if(cspdlHand == 0) {
- return CSSMERR_CSSM_ADDIN_LOAD_FAILED;
- }
- releaseCspHand = true;
- }
- /* subsequent errors to errOut: */
-
- /* get wrapping key from parameters we just set up */
- CSSM_KEY wrappingKey;
- memset(&wrappingKey, 0, sizeof(CSSM_KEY));
- CSSM_RETURN crtn = pbkdf2DeriveKey(cspdlHand, coder,
- CSSM_ALGID_3DES_3KEY, 3 * 64,
- PKCS5_V2_ITERATIONS, pbkdf2Params.salt,
- keyParams,
- VP_Export,
- &wrappingKey);
- if(crtn) {
- goto errOut;
- }
-
- /*
- * Special case for DSA, ECDSA: specify that the raw blob, pre-encrypt, is in
- * the PKCS8 PrivateKeyInfo format that openssl understands. The
- * default is BSAFE.
- */
- crtn = SecKeyGetCSSMKey(secKey, &cssmKey);
- if(crtn) {
- SecImpExpDbg("impExpPkcs8Export SecKeyGetCSSMKey error");
- goto errOut;
- }
- switch(cssmKey->KeyHeader.AlgorithmId) {
- case CSSM_ALGID_DSA:
- case CSSM_ALGID_ECDSA:
- formatAttrType = CSSM_ATTRIBUTE_PRIVATE_KEY_FORMAT;
- blobForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS8;
- break;
- default:
- break;
- }
-
- /* GO */
- CSSM_KEY wrappedKey;
- memset(&wrappedKey, 0, sizeof(CSSM_KEY));
-
- crtn = impExpExportKeyCommon(cspdlHand, secKey, &wrappingKey, &wrappedKey,
- CSSM_ALGID_3DES_3KEY_EDE, CSSM_ALGMODE_CBCPadIV8, CSSM_PADDING_PKCS7,
- CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS8, formatAttrType, blobForm, NULL, &rawIv);
- if(crtn) {
- goto errOut;
- }
-
- /*
- * OK... *that* wrapped key's data goes into the top-level
- * NSS_EncryptedPrivateKeyInfo, which we then encode; the caller
- * gets the result of that encoding.
- */
- encrPrivKeyInfo.encryptedData = wrappedKey.KeyData;
- coder.encodeItem(&encrPrivKeyInfo, kSecAsn1EncryptedPrivateKeyInfoTemplate,
- encodedKeyInfo);
-
- CFDataAppendBytes(outData, encodedKeyInfo.Data, encodedKeyInfo.Length);
- CSSM_FreeKey(cspdlHand, NULL, &wrappedKey, CSSM_FALSE);
-
- *pemHeader = PEM_STRING_PKCS8;
-
-errOut:
- if(wrappingKey.KeyData.Data) {
- CSSM_FreeKey(cspdlHand, NULL, &wrappingKey, CSSM_FALSE);
- }
- if(releaseCspHand) {
- cuCspDetachUnload(cspdlHand, CSSM_FALSE);
- }
- return crtn;
-}
projects / apple / security.git / blobdiff