+/*
+ * p12GetPassKey.h - get a CSSM_ALGID_SECURE_PASSPHRASE key for encode/decode
+ */
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+#include "p12GetPassKey.h"
+#include <CoreServices.framework/Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+#include <Security/cssmapple.h>
+#include <utilLib/cspwrap.h>
+
+/* when true, simulate secure passphrase in CSPDL */
+#define SIMULATE_PASSPHRASE 1
+
+/*
+ * Safe gets().
+ * -- guaranteed no buffer overflow
+ * -- guaranteed NULL-terminated string
+ * -- handles empty string (i.e., response is just CR) properly
+ */
+void getString(
+ char *buf,
+ unsigned bufSize)
+{
+ unsigned dex;
+ char c;
+ char *cp = buf;
+
+ for(dex=0; dex<bufSize-1; dex++) {
+ c = getchar();
+ if (c == EOF) {
+ break;
+ }
+
+ if(!isprint(c)) {
+ break;
+ }
+ switch(c) {
+ case '\n':
+ case '\r':
+ goto done;
+ default:
+ *cp++ = c;
+ }
+ }
+done:
+ *cp = '\0';
+}
+
+OSStatus p12GetPassKey(
+ CSSM_CSP_HANDLE cspHand,
+ GPK_Type gpkType,
+ bool isRawCsp,
+ CSSM_KEY *passKey) // RETURNED
+{
+ if(isRawCsp || SIMULATE_PASSPHRASE) {
+ char passphrase[512];
+
+ if(gpkType == GPK_Decode) {
+ printf("Enter passphrase for PKCS12 Decode: ");
+ }
+ else {
+ printf("Enter passphrase for PKCS12 Encode: ");
+ }
+ getString(passphrase, 512);
+
+ /* cook up a raw key with passphrase as data */
+ unsigned phraseLen = strlen(passphrase);
+ CSSM_KEY rawKey;
+ memset(&rawKey, 0, sizeof(CSSM_KEY));
+ CSSM_KEYHEADER &hdr = rawKey.KeyHeader;
+ hdr.HeaderVersion = CSSM_KEYHEADER_VERSION;
+ hdr.BlobType = CSSM_KEYBLOB_RAW;
+ hdr.Format = CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING;
+ hdr.AlgorithmId = CSSM_ALGID_SECURE_PASSPHRASE;
+ hdr.KeyClass = CSSM_KEYCLASS_SESSION_KEY;
+ hdr.LogicalKeySizeInBits = phraseLen * 2 * 8;
+ hdr.KeyAttr = CSSM_KEYATTR_MODIFIABLE | CSSM_KEYATTR_EXTRACTABLE;
+ hdr.KeyUsage = CSSM_KEYUSE_DERIVE;
+
+ #if 0
+ /* data = Unicode version of C string passphrase, bigendian */
+ rawKey.KeyData.Length = phraseLen * 2;
+ rawKey.KeyData.Data = (uint8 *)malloc(phraseLen * 2);
+ const char *cpIn = passphrase;
+ char *cpOut = (char *)rawKey.KeyData.Data;
+
+ for(unsigned dex=0; dex<phraseLen; dex++) {
+ *cpOut++ = 0;
+ *cpOut++ = *cpIn++;
+ }
+ #else
+
+ /* data = external representation of CFString */
+ CFStringRef cfStr = CFStringCreateWithCString(NULL, passphrase,
+ kCFStringEncodingASCII);
+ CFDataRef cfData = CFStringCreateExternalRepresentation(NULL,
+ cfStr, kCFStringEncodingUnicode, 0);
+ unsigned keyLen = CFDataGetLength(cfData);
+ rawKey.KeyData.Length = keyLen;
+ rawKey.KeyData.Data = (uint8 *)malloc(keyLen);
+ memmove(rawKey.KeyData.Data, CFDataGetBytePtr(cfData), keyLen);
+ CFRelease(cfData);
+ CFRelease(cfStr);
+ hdr.LogicalKeySizeInBits = keyLen * 8;
+ #endif
+ CSSM_DATA descrData = {0, NULL};
+
+ /* NULL unwrap to make a ref key */
+ CSSM_RETURN crtn = cspUnwrapKey(cspHand,
+ &rawKey,
+ NULL, // wrappingKey
+ CSSM_ALGID_NONE,
+ 0, 0, 0, // mode, pad, vector
+ passKey,
+ &descrData,
+ "someLabel",
+ 9); // labelLen
+ if(crtn) {
+ printf("***Error doing NULL wrap of passKey.\n");
+ return crtn;
+ }
+ return crtn;
+ }
+ else {
+ printf("SS does not support secure passphrase yet.");
+ /*
+ * TBD: do a DeriveKey
+ */
+ return unimpErr;
+ }
+}
projects / apple / security.git / blobdiff