--- /dev/null
+/*
+ * Copyright (c) 2004,2011-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * SecExport.cpp - high-level facility for exporting Sec layer objects.
+ */
+
+#include "SecImportExport.h"
+#include "SecImportExportAgg.h"
+#include "SecImportExportPem.h"
+#include "SecExternalRep.h"
+#include "SecImportExportUtils.h"
+#include <security_utilities/errors.h>
+#include <Security/SecIdentity.h>
+#include <Security/SecIdentityPriv.h>
+#include <Security/SecItem.h>
+#include <Security/SecBase.h>
+using namespace Security;
+using namespace KeychainCore;
+
+/*
+ * Convert Sec item to one or two SecExportReps, append to exportReps array.
+ * The "one or two" clause exists for SecIdentityRefs, which we split into
+ * a cert and a key.
+ * Throws a MacOSError if incoming CFTypeRef is of type other than SecKeyRef,
+ * SecCertRef, or SecIdentityRef.
+ */
+static void impExpAddToExportReps(
+ CFTypeRef thing, // Key, Cert, Identity
+ CFMutableArrayRef exportReps,
+ unsigned &numCerts, // IN/OUT - accumulated
+ unsigned &numKeys) // IN/OUT - accumulated
+{
+ if(CFGetTypeID(thing) == SecIdentityGetTypeID()) {
+ /* special case for SecIdentities, creates two SecExportReps */
+ OSStatus ortn;
+ SecIdentityRef idRef = (SecIdentityRef)thing;
+ SecCertificateRef certRef;
+ SecKeyRef keyRef;
+ SecExportRep *rep;
+
+ /* cert */
+ SecImpExpDbg("impExpAddToExportReps: adding identity cert and key");
+ ortn = SecIdentityCopyCertificate(idRef, &certRef);
+ if(ortn) {
+ Security::MacOSError::throwMe(ortn);
+ }
+ rep = SecExportRep::vend(certRef);
+ CFArrayAppendValue(exportReps, rep);
+ CFRelease(certRef); // SecExportRep holds a reference
+ numCerts++;
+
+ /* private key */
+ ortn = SecIdentityCopyPrivateKey(idRef, &keyRef);
+ if(ortn) {
+ Security::MacOSError::throwMe(ortn);
+ }
+ rep = SecExportRep::vend(keyRef);
+ CFArrayAppendValue(exportReps, rep);
+ CFRelease(keyRef); // SecExportRep holds a reference
+ numKeys++;
+ }
+ else {
+ /* this throws if 'thing' is an unacceptable type */
+ SecExportRep *rep = SecExportRep::vend(thing);
+ SecImpExpDbg("impExpAddToExportReps: adding single type %d",
+ (int)rep->externType());
+ CFArrayAppendValue(exportReps, rep);
+ if(rep->externType() == kSecItemTypeCertificate) {
+ numCerts++;
+ }
+ else {
+ numKeys++;
+ }
+ }
+}
+
+#pragma mark --- public export function ---
+
+OSStatus SecKeychainItemExport(
+ CFTypeRef keychainItemOrArray,
+ SecExternalFormat outputFormat, // a SecExternalFormat
+ SecItemImportExportFlags flags, // kSecItemPemArmour, etc.
+ const SecKeyImportExportParameters *keyParams, // optional
+ CFDataRef *exportedData) // external representation
+ // returned here
+{
+ BEGIN_IMP_EXP_SECAPI
+
+ /* some basic input validation */
+ if(keychainItemOrArray == NULL) {
+ return errSecParam;
+ }
+ if(keyParams != NULL) {
+ /* can't specify explicit passphrase and ask for secure one */
+ if( (keyParams->passphrase != NULL) &&
+ ((keyParams->flags & kSecKeySecurePassphrase) != 0)) {
+ return errSecParam;
+ }
+ }
+
+ unsigned numKeys = 0;
+ unsigned numCerts = 0;
+ unsigned numTotalExports = 0;
+ OSStatus ortn = errSecSuccess;
+ SecExportRep *rep = NULL; // common temp variable
+ CFMutableDataRef outputData = NULL;
+ const char *pemHeader = "UNKNOWN";
+
+ /* convert keychainItemOrArray to CFArray of SecExportReps */
+ CFMutableArrayRef exportReps = CFArrayCreateMutable(NULL, 0, NULL);
+ /* subsequent errors to errOut: */
+
+ try {
+ if(CFGetTypeID(keychainItemOrArray) == CFArrayGetTypeID()) {
+ CFArrayRef arr = (CFArrayRef)keychainItemOrArray;
+ CFIndex arraySize = CFArrayGetCount(arr);
+ for(CFIndex dex=0; dex<arraySize; dex++) {
+ impExpAddToExportReps(CFArrayGetValueAtIndex(arr, dex),
+ exportReps, numCerts, numKeys);
+ }
+ }
+ else {
+ impExpAddToExportReps(keychainItemOrArray, exportReps, numCerts, numKeys);
+ }
+ }
+ catch(const Security::MacOSError osErr) {
+ ortn = osErr.error;
+ goto errOut;
+ }
+ catch(...) {
+ ortn = errSecParam;
+ goto errOut;
+ }
+ numTotalExports = (unsigned int)CFArrayGetCount(exportReps);
+ assert((numCerts + numKeys) == numTotalExports);
+ if((numTotalExports > 1) && (outputFormat == kSecFormatUnknown)) {
+ /* default aggregate format is PEM sequence */
+ outputFormat = kSecFormatPEMSequence;
+ }
+
+ /*
+ * Break out to SecExternalFormat-specific code, appending all data to outputData
+ */
+ outputData = CFDataCreateMutable(NULL, 0);
+ switch(outputFormat) {
+ case kSecFormatPKCS7:
+ ortn = impExpPkcs7Export(exportReps, flags, keyParams, outputData);
+ pemHeader = PEM_STRING_PKCS7;
+ break;
+ case kSecFormatPKCS12:
+ ortn = impExpPkcs12Export(exportReps, flags, keyParams, outputData);
+ pemHeader = PEM_STRING_PKCS12;
+ break;
+ case kSecFormatPEMSequence:
+ {
+ /*
+ * A bit of a special case. Create an intermediate DER encoding
+ * of each SecExportRef, in the default format for that item;
+ * PEM encode the result, and append the PEM encoding to
+ * outputData.
+ */
+ CFIndex numReps = CFArrayGetCount(exportReps);
+ for(CFIndex dex=0; dex<numReps; dex++) {
+
+ rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, dex);
+
+ /* default DER encoding */
+ CFMutableDataRef tmpData = CFDataCreateMutable(NULL, 0);
+ ortn = rep->exportRep(kSecFormatUnknown, flags, keyParams,
+ tmpData, &pemHeader);
+ if(ortn) {
+ SecImpExpDbg("ItemExport: releasing tmpData %p", tmpData);
+ CFRelease(tmpData);
+ goto errOut;
+ }
+
+ /* PEM to accumulating output */
+ assert(rep->pemParamLines() == NULL);
+ ortn = impExpPemEncodeExportRep((CFDataRef)tmpData,
+ pemHeader, NULL, /* no pemParamLines, right? */
+ outputData);
+ CFRelease(tmpData);
+ if(ortn) {
+ goto errOut;
+ }
+ }
+ break;
+ }
+
+ /* Enumerate remainder explicitly for clarity; all are single-item forms */
+ case kSecFormatOpenSSL:
+ case kSecFormatSSH:
+ case kSecFormatSSHv2:
+ case kSecFormatBSAFE:
+ case kSecFormatRawKey:
+ case kSecFormatWrappedPKCS8:
+ case kSecFormatWrappedOpenSSL:
+ case kSecFormatWrappedSSH:
+ case kSecFormatWrappedLSH:
+ case kSecFormatX509Cert:
+ case kSecFormatUnknown: // i.e., default, handled by SecExportRep
+ {
+ unsigned foundCount = 0;
+
+ /* verify that we have exactly one of specified item */
+ if(outputFormat == kSecFormatX509Cert) {
+ foundCount = numCerts;
+ }
+ else if(outputFormat == kSecFormatUnknown) {
+ /* can't go wrong */
+ foundCount = numTotalExports;
+ }
+ else {
+ foundCount = numKeys;
+ }
+ if((numTotalExports != 1) || (foundCount != 1)) {
+ SecImpExpDbg("Export single item format with other than one item");
+ ortn = errSecParam;
+ goto errOut;
+ }
+ assert(CFArrayGetCount(exportReps) == 1);
+ rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, 0);
+ ortn = rep->exportRep(outputFormat, flags,
+ keyParams, outputData, &pemHeader);
+ break;
+ }
+ default:
+ SecImpExpDbg("SecKeychainItemExport: bad format (%u)",
+ (unsigned)outputFormat);
+ ortn = errSecParam;
+ goto errOut;
+ }
+
+ /*
+ * Final step: possible PEM encode. Skip for kSecFormatPEMSequence (in which
+ * case outputData is all ready to ship out to the caller); mandatory
+ * if exportRep has a non-NULL pemParamLines (which can only happen if we're
+ * exporting a single item).
+ */
+ if(ortn == errSecSuccess) {
+ if(outputFormat == kSecFormatPEMSequence) {
+ *exportedData = outputData;
+ outputData = NULL;
+ }
+ else {
+ rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, 0);
+ if((flags & kSecItemPemArmour) || (rep->pemParamLines() != NULL)) {
+ /* PEM encode a single item */
+ CFMutableDataRef tmpData = CFDataCreateMutable(NULL, 0);
+ ortn = impExpPemEncodeExportRep((CFDataRef)outputData, pemHeader,
+ rep->pemParamLines(), tmpData);
+ CFRelease(outputData); // done with this
+ outputData = NULL;
+ *exportedData = tmpData; // caller gets PEM
+ }
+ else {
+ *exportedData = outputData;
+ outputData = NULL;
+ }
+ }
+ }
+errOut:
+ if(exportReps != NULL) {
+ /* CFArray of our own classes, no auto release */
+ CFIndex num = CFArrayGetCount(exportReps);
+ for(CFIndex dex=0; dex<num; dex++) {
+ rep = (SecExportRep *)CFArrayGetValueAtIndex(exportReps, dex);
+ delete rep;
+ }
+ CFRelease(exportReps);
+ }
+ if(outputData != NULL) {
+ CFRelease(outputData);
+ outputData = NULL;
+ }
+ if(ortn) {
+ return SecKeychainErrFromOSStatus(ortn);
+ }
+ else {
+ return errSecSuccess;
+ }
+
+ END_IMP_EXP_SECAPI
+}
+
+
+OSStatus SecItemExport(CFTypeRef secItemOrArray, SecExternalFormat outputFormat,
+ SecItemImportExportFlags flags, /* kSecItemPemArmor, etc. */
+ const SecItemImportExportKeyParameters *keyParams, /* optional */
+ CFDataRef *exportedData)
+{
+ SecKeyImportExportParameters* oldStructPtr = NULL;
+ SecKeyImportExportParameters oldStruct;
+ memset(&oldStruct, 0, sizeof(oldStruct));
+
+ if (NULL != keyParams)
+ {
+
+ SecKeyRef tempKey = NULL;
+
+ if (SecKeyGetTypeID() == CFGetTypeID(secItemOrArray))
+ {
+ tempKey = (SecKeyRef)secItemOrArray;
+ }
+
+ if (ConvertSecKeyImportExportParametersToSecImportExportKeyParameters(tempKey,
+ keyParams, &oldStruct))
+ {
+ oldStructPtr = &oldStruct;
+ }
+ }
+
+ return SecKeychainItemExport(secItemOrArray, outputFormat, flags, oldStructPtr, exportedData);
+}
+
+
+
+
+
+
+
projects / apple / security.git / blobdiff