+++ /dev/null
-/*
- * Copyright (c) 2003-2004,2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * pkcs12Keychain.h - P12Coder keychain-related functions.
- */
-
-#include "pkcs12Coder.h"
-#include "pkcs12Templates.h"
-#include "pkcs12Utils.h"
-#include "pkcs12Debug.h"
-#include "pkcs12Crypto.h"
-#include <Security/cssmerr.h>
-#include <security_cdsa_utils/cuDbUtils.h> // cuAddCrlToDb()
-#include <security_asn1/nssUtils.h>
-#include <security_cdsa_utilities/KeySchema.h> /* private API */
-#include <security_keychain/SecImportExportCrypto.h> /* private API */
-
-/*
- * Store the results of a successful decode in app-specified
- * keychain per mImportFlags. Also assign public key hash attributes to any
- * private keys found.
- */
-void P12Coder::storeDecodeResults()
-{
- assert(mKeychain != NULL);
- assert(mDlDbHand.DLHandle != 0);
- if(mImportFlags & kSecImportKeys) {
- setPrivateKeyHashes();
- }
- if(mImportFlags & kSecImportCertificates) {
- for(unsigned dex=0; dex<numCerts(); dex++) {
- P12CertBag *certBag = mCerts[dex];
- SecCertificateRef secCert = certBag->getSecCert();
- OSStatus ortn = SecCertificateAddToKeychain(secCert, mKeychain);
- CFRelease(secCert);
- switch(ortn) {
- case errSecSuccess: // normal
- p12DecodeLog("cert added to keychain");
- break;
- case errSecDuplicateItem: // dup cert, OK< skip
- p12DecodeLog("skipping dup cert");
- break;
- default:
- p12ErrorLog("SecCertificateAddToKeychain failure\n");
- MacOSError::throwMe(ortn);
- }
- }
- }
-
- if(mImportFlags & kSecImportCRLs) {
- for(unsigned dex=0; dex<numCrls(); dex++) {
- P12CrlBag *crlBag = mCrls[dex];
- CSSM_RETURN crtn = cuAddCrlToDb(mDlDbHand,
- clHand(),
- &crlBag->crlData(),
- NULL); // no URI known
- switch(crtn) {
- case CSSM_OK: // normal
- p12DecodeLog("CRL added to keychain");
- break;
- case CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA: // dup, ignore
- p12DecodeLog("skipping dup CRL");
- break;
- default:
- p12LogCssmError("Error adding CRL to keychain", crtn);
- CssmError::throwMe(crtn);
- }
- }
- }
-
- /* If all of that succeeded, post notification for imported keys */
- if(mImportFlags & kSecImportKeys) {
- notifyKeyImport();
- }
-}
-
-/*
- * Assign appropriate public key hash attribute to each
- * private key.
- */
-void P12Coder::setPrivateKeyHashes()
-{
- CSSM_KEY_PTR newKey;
-
- for(unsigned dex=0; dex<numKeys(); dex++) {
- P12KeyBag *keyBag = mKeys[dex];
-
- CSSM_DATA newLabel = {0, NULL};
- CFStringRef friendlyName = keyBag->friendlyName();
- newKey = NULL;
- CSSM_RETURN crtn = p12SetPubKeyHash(mCspHand,
- mDlDbHand,
- keyBag->label(),
- p12StringToUtf8(friendlyName, mCoder),
- mCoder,
- newLabel,
- newKey);
- if(friendlyName) {
- CFRelease(friendlyName);
- }
- switch(crtn) {
- case CSSM_OK:
- /* update key's label in case we have to delete on error */
- keyBag->setLabel(newLabel);
- p12DecodeLog("set pub key hash for private key");
- break;
- case CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA:
- /*
- * Special case: update keyBag's CSSM_KEY and proceed without error
- */
- p12DecodeLog("ignoring dup private key");
- assert(newKey != NULL);
- keyBag->setKey(newKey);
- keyBag->dupKey(true);
- /* update key's label in case we have to delete on error */
- keyBag->setLabel(newLabel);
- break;
- default:
- p12ErrorLog("p12SetPubKeyHash failure\n");
- CssmError::throwMe(crtn);
- }
- }
-}
-
-/*
- * Post keychain notification for imported keys.
- */
-void P12Coder::notifyKeyImport()
-{
- if(mKeychain == NULL) {
- /* Can't notify if user only gave us DLDB */
- return;
- }
- for(unsigned dex=0; dex<numKeys(); dex++) {
- P12KeyBag *keyBag = mKeys[dex];
- if(keyBag->dupKey()) {
- /* no notification for keys we merely looked up */
- continue;
- }
- CssmData &labelData = CssmData::overlay(keyBag->label());
- OSStatus ortn = impExpKeyNotify(mKeychain, labelData, *keyBag->key());
- if(ortn) {
- p12ErrorLog("notifyKeyImport: impExpKeyNotify returned %ld\n", (unsigned long)ortn);
- MacOSError::throwMe(ortn);
- }
- }
-}
-
-/*
- * Given a P12KeyBag, find a matching P12CertBag. Keys and certs
- * "match" if their localKeyIds match. Returns NULL if not found.
- */
-P12CertBag *P12Coder::findCertForKey(
- P12KeyBag *keyBag)
-{
- assert(keyBag != NULL);
- CSSM_DATA &keyKeyId = keyBag->localKeyIdCssm();
-
- for(unsigned dex=0; dex<numCerts(); dex++) {
- P12CertBag *certBag = mCerts[dex];
- CSSM_DATA &certKeyId = certBag->localKeyIdCssm();
- if(nssCompareCssmData(&keyKeyId, &certKeyId)) {
- p12DecodeLog("findCertForKey SUCCESS");
- return certBag;
- }
- }
- p12DecodeLog("findCertForKey FAILURE");
- return NULL;
-}
-
-/*
- * Export items specified as SecKeychainItemRefs.
- */
-void P12Coder::exportKeychainItems(
- CFArrayRef items)
-{
- assert(items != NULL);
- CFIndex numItems = CFArrayGetCount(items);
- for(CFIndex dex=0; dex<numItems; dex++) {
- const void *item = CFArrayGetValueAtIndex(items, dex);
- if(item == NULL) {
- p12ErrorLog("exportKeychainItems: NULL item\n");
- MacOSError::throwMe(errSecParam);
- }
- CFTypeID itemType = CFGetTypeID(item);
- if(itemType == SecCertificateGetTypeID()) {
- addSecCert((SecCertificateRef)item);
- }
- else if(itemType == SecKeyGetTypeID()) {
- addSecKey((SecKeyRef)item);
- }
- else {
- p12ErrorLog("exportKeychainItems: unknown item\n");
- MacOSError::throwMe(errSecParam);
- }
- }
-}
-
-/*
- * Gross kludge to work around the fact that SecKeyRefs have no attributes which
- * are visible at the Sec layer. Not only are the attribute names we happen
- * to know about (Label, PrintName) not publically visible anywhere in the
- * system, but the *format* of the attr names for SecKeyRefs differs from
- * the format of all other SecKeychainItems (NAME_AS_STRING for SecKeys,
- * NAME_AS_INTEGER for everything else).
- *
- * So. We use the privately accessible schema definition table for
- * keys to map from the attr name strings we happen to know about to a
- * totally private name-as-int index which we can then use in the
- * SecKeychainItemCopyAttributesAndData mechanism.
- *
- * This will go away if SecKeyRef defines its actual attrs as strings, AND
- * the SecKeychainSearch mechanism knows to specify attr names for SecKeyRefs
- * as strings rather than integers.
- */
-static OSStatus attrNameToInt(
- const char *name,
- UInt32 *attrInt)
-{
- const CSSM_DB_SCHEMA_ATTRIBUTE_INFO *attrList =
- KeySchema::KeySchemaAttributeList;
- unsigned numAttrs = KeySchema::KeySchemaAttributeCount;
- for(unsigned dex=0; dex<numAttrs; dex++) {
- const CSSM_DB_SCHEMA_ATTRIBUTE_INFO *info = &attrList[dex];
- if(!strcmp(name, info->AttributeName)) {
- *attrInt = info->AttributeId;
- return errSecSuccess;
- }
- }
- return errSecParam;
-}
-
-void P12Coder::addSecKey(
- SecKeyRef keyRef)
-{
- /* get the cert's attrs (not data) */
-
- /*
- * Convert the attr name strings we happen to know about to
- * unknowable name-as-int values.
- */
- UInt32 printNameTag;
- OSStatus ortn = attrNameToInt(P12_KEY_ATTR_PRINT_NAME, &printNameTag);
- if(ortn) {
- p12ErrorLog("addSecKey: problem looking up key attr name\n");
- MacOSError::throwMe(ortn);
- }
- UInt32 labelHashTag;
- ortn = attrNameToInt(P12_KEY_ATTR_LABEL_AND_HASH, &labelHashTag);
- if(ortn) {
- p12ErrorLog("addSecKey: problem looking up key attr name\n");
- MacOSError::throwMe(ortn);
- }
-
- UInt32 tags[2];
- tags[0] = printNameTag;
- tags[1] = labelHashTag;
-
- /* I don't know what the format field is for */
- SecKeychainAttributeInfo attrInfo;
- attrInfo.count = 2;
- attrInfo.tag = tags;
- attrInfo.format = NULL; // ???
-
- /* FIXME header says this is an IN/OUT param, but it's not */
- SecKeychainAttributeList *attrList = NULL;
-
- ortn = SecKeychainItemCopyAttributesAndData(
- (SecKeychainItemRef)keyRef,
- &attrInfo,
- NULL, // itemClass
- &attrList,
- NULL, // don't need the data
- NULL);
- if(ortn) {
- p12ErrorLog("addSecKey: SecKeychainItemCopyAttributesAndData "
- "error\n");
- MacOSError::throwMe(ortn);
- }
-
- /* Snag the attrs, convert to something useful */
- CFStringRef friendName = NULL;
- CFDataRef localKeyId = NULL;
- for(unsigned i=0; i<attrList->count; i++) {
- SecKeychainAttribute *attr = &attrList->attr[i];
- if(attr->tag == printNameTag) {
- friendName = CFStringCreateWithBytes(NULL,
- (UInt8 *)attr->data, attr->length,
- kCFStringEncodingUTF8, false);
- }
- else if(attr->tag == labelHashTag) {
- localKeyId = CFDataCreate(NULL, (UInt8 *)attr->data, attr->length);
- }
- else {
- p12ErrorLog("addSecKey: unexpected attr tag\n");
- MacOSError::throwMe(errSecParam);
-
- }
- }
-
- /*
- * Infer the CSP associated with this key.
- * FIXME: this should be an attribute of the SecKeyRef itself,
- * not inferred from the keychain it happens to be living on
- * (SecKeyRefs should not have to be attached to Keychains at
- * this point).
- */
- SecKeychainRef kcRef;
- ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)keyRef, &kcRef);
- if(ortn) {
- p12ErrorLog("addSecKey: SecKeychainItemCopyKeychain returned %d\n", (int)ortn);
- MacOSError::throwMe(ortn);
- }
- CSSM_CSP_HANDLE cspHand;
- ortn = SecKeychainGetCSPHandle(kcRef, &cspHand);
- if(ortn) {
- p12ErrorLog("addSecKey: SecKeychainGetCSPHandle returned %d\n", (int)ortn);
- MacOSError::throwMe(ortn);
- }
- CFRelease(kcRef);
-
- /* and the CSSM_KEY itself */
- const CSSM_KEY *cssmKey;
- ortn = SecKeyGetCSSMKey(keyRef, &cssmKey);
- if(ortn) {
- p12ErrorLog("addSecKey: SecKeyGetCSSMKey returned %d\n", (int)ortn);
- MacOSError::throwMe(ortn);
- }
-
- /* Cook up a key bag and save it */
- P12KeyBag *keyBag = new P12KeyBag(cssmKey,
- cspHand,
- friendName, localKeyId,
- NULL, // other attrs
- mCoder,
- keyRef);
- addKey(keyBag);
- SecKeychainItemFreeAttributesAndData(attrList, NULL);
- if(friendName) {
- CFRelease(friendName);
- }
- if(localKeyId) {
- CFRelease(localKeyId);
- }
-}
-
-void P12Coder::addSecCert(
- SecCertificateRef certRef)
-{
- /* get the cert's attrs and data */
- /* I don't know what the format field is for */
- SecKeychainAttributeInfo attrInfo;
- attrInfo.count = 2;
- UInt32 tags[2] = {kSecLabelItemAttr, kSecPublicKeyHashItemAttr};
- attrInfo.tag = tags;
- attrInfo.format = NULL; // ???
-
- /* FIXME header says this is an IN/OUT param, but it's not */
- SecKeychainAttributeList *attrList = NULL;
- UInt32 certLen;
- void *certData;
-
- OSStatus ortn = SecKeychainItemCopyAttributesAndData(
- (SecKeychainItemRef)certRef,
- &attrInfo,
- NULL, // itemClass
- &attrList,
- &certLen,
- &certData);
- if(ortn) {
- p12ErrorLog("addSecCert: SecKeychainItemCopyAttributesAndData "
- "error\n");
- MacOSError::throwMe(ortn);
- }
-
- /* Snag the attrs, convert to something useful */
- CFStringRef friendName = NULL;
- CFDataRef localKeyId = NULL;
- for(unsigned i=0; i<attrList->count; i++) {
- SecKeychainAttribute *attr = &attrList->attr[i];
- switch(attr->tag) {
- case kSecPublicKeyHashItemAttr:
- localKeyId = CFDataCreate(NULL, (UInt8 *)attr->data, attr->length);
- break;
- case kSecLabelItemAttr:
- /* FIXME: always in UTF8? */
- friendName = CFStringCreateWithBytes(NULL,
- (UInt8 *)attr->data, attr->length, kCFStringEncodingUTF8,
- false);
- break;
- default:
- p12ErrorLog("addSecCert: unexpected attr tag\n");
- MacOSError::throwMe(errSecParam);
-
- }
- }
-
- /* Cook up a cert bag and save it */
- CSSM_DATA cData = {certLen, (uint8 *)certData};
- P12CertBag *certBag = new P12CertBag(CT_X509, cData, friendName,
- localKeyId, NULL, mCoder);
- addCert(certBag);
- SecKeychainItemFreeAttributesAndData(attrList, certData);
- if(friendName) {
- CFRelease(friendName);
- }
- if(localKeyId) {
- CFRelease(localKeyId);
- }
-}
-
-/*
- * Delete anything stored in a keychain during decode, called on
- * decode error.
- * Currently the only thing we have to deal with is private keys,
- * since certs and CRLs don't get stored until the end of a successful
- * decode.
- */
-void P12Coder::deleteDecodedItems()
-{
- if(!(mImportFlags & kSecImportKeys)) {
- /* no keys stored, done */
- return;
- }
- if(mDlDbHand.DLHandle == 0) {
- /* no keychain, done */
- return;
- }
-
- unsigned nKeys = numKeys();
- for(unsigned dex=0; dex<nKeys; dex++) {
- P12KeyBag *keyBag = mKeys[dex];
- p12DeleteKey(mDlDbHand, keyBag->label());
- }
-
-}
-
projects / apple / security.git / blobdiff