+/*
+ * Copyright (c) 2003-2004,2006,2008,2012,2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * key_create.c
+ */
+
+#include "key_create.h"
+
+#include "keychain_utilities.h"
+#include "security_tool.h"
+
+#include <CoreFoundation/CFDateFormatter.h>
+#include <CoreFoundation/CFString.h>
+#include <Security/SecAccess.h>
+#include <Security/SecKey.h>
+#include <Security/SecKeychainItem.h>
+#include <Security/SecTrustedApplication.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+
+static int
+do_key_create_pair(const char *keychainName, SecAccessRef access, CSSM_ALGORITHMS algorithm, uint32 keySizeInBits, CFAbsoluteTime from_time, CFAbsoluteTime to_time, Boolean print_hash)
+{
+ SecKeychainRef keychain = NULL;
+ OSStatus status;
+ int result = 0;
+ CSSM_CC_HANDLE contextHandle = 0;
+ CSSM_KEYUSE publicKeyUsage = CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_VERIFY | CSSM_KEYUSE_WRAP | CSSM_KEYUSE_DERIVE;
+ uint32 publicKeyAttr = CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_EXTRACTABLE;
+ CSSM_KEYUSE privateKeyUsage = CSSM_KEYUSE_DECRYPT | CSSM_KEYUSE_SIGN | CSSM_KEYUSE_UNWRAP | CSSM_KEYUSE_DERIVE;
+ uint32 privateKeyAttr = CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_SENSITIVE | CSSM_KEYATTR_EXTRACTABLE;
+ SecKeyRef publicKey = NULL;
+ SecKeyRef privateKey = NULL;
+ SecKeychainAttributeList *attrList = NULL;
+
+ if (keychainName)
+ {
+ keychain = keychain_open(keychainName);
+ if (!keychain)
+ {
+ result = 1;
+ goto loser;
+ }
+ }
+
+ status = SecKeyCreatePair(keychain, algorithm, keySizeInBits, contextHandle,
+ publicKeyUsage,
+ publicKeyAttr,
+ privateKeyUsage,
+ privateKeyAttr,
+ access,
+ &publicKey,
+ &privateKey);
+ if (status)
+ {
+ sec_error("SecKeyCreatePair %s: %s", keychainName ? keychainName : "<NULL>", sec_errstr(status));
+ result = 1;
+ goto loser;
+ }
+
+ if (print_hash)
+ {
+ SecItemClass itemClass = 0;
+ UInt32 tag = 0x00000006;
+ UInt32 format = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
+ SecKeychainAttributeInfo info = { 1, &tag, &format };
+
+ status = SecKeychainItemCopyAttributesAndData((SecKeychainItemRef)privateKey, &info, &itemClass, &attrList, NULL, NULL);
+ if (status)
+ {
+ sec_perror("SecKeychainItemCopyAttributesAndData", status);
+ result = 1;
+ goto loser;
+ }
+
+ if (info.count != attrList->count)
+ {
+ sec_error("info count: %ld != attribute count: %ld", info.count, attrList->count);
+ result = 1;
+ goto loser;
+ }
+
+ if (tag != attrList->attr[0].tag)
+ {
+ sec_error("attribute info tag: %ld != attribute tag: %ld", tag, attrList->attr[0].tag);
+ result = 1;
+ goto loser;
+ }
+
+ print_buffer_pem(stdout, "PUBLIC KEY HASH", attrList->attr[0].length, attrList->attr[0].data);
+ }
+
+loser:
+ if (attrList)
+ {
+ status = SecKeychainItemFreeAttributesAndData(attrList, NULL);
+ if (status)
+ sec_perror("SecKeychainItemFreeAttributesAndData", status);
+ }
+
+ if (keychain)
+ CFRelease(keychain);
+ if (publicKey)
+ CFRelease(publicKey);
+ if (privateKey)
+ CFRelease(privateKey);
+
+ return result;
+}
+
+static int
+parse_algorithm(const char *name, CSSM_ALGORITHMS *algorithm)
+{
+ size_t len = strlen(name);
+
+ if (!strncmp("rsa", name, len))
+ *algorithm = CSSM_ALGID_RSA;
+ else if (!strncmp("dsa", name, len))
+ *algorithm = CSSM_ALGID_DSA;
+ else if (!strncmp("dh", name, len))
+ *algorithm = CSSM_ALGID_DH;
+ else if (!strncmp("fee", name, len))
+ *algorithm = CSSM_ALGID_FEE;
+ else
+ {
+ sec_error("Invalid algorithm: %s", name);
+ return SHOW_USAGE_MESSAGE;
+ }
+
+ return 0;
+}
+
+static int
+parse_time(const char *time, CFAbsoluteTime *ptime)
+{
+ CFDateFormatterRef formatter = CFDateFormatterCreate(NULL, NULL, kCFDateFormatterShortStyle, kCFDateFormatterShortStyle);
+ CFStringRef time_string = CFStringCreateWithCString(NULL, time, kCFStringEncodingUTF8);
+ int result = 0;
+ if (!CFDateFormatterGetAbsoluteTimeFromString(formatter, time_string, NULL, ptime))
+ {
+ sec_error("%s is not a valid date", time);
+ result = 1;
+ }
+ if (formatter)
+ CFRelease(formatter);
+ if (time_string)
+ CFRelease(time_string);
+ return result;
+}
+
+int
+key_create_pair(int argc, char * const *argv)
+{
+ const char *keychainName = NULL;
+ CSSM_ALGORITHMS algorithm = CSSM_ALGID_RSA;
+ uint32 keySizeInBits = 512;
+ int ch, result = 0;
+ OSStatus status;
+ Boolean always_allow = FALSE;
+ Boolean print_hash = FALSE;
+ CFAbsoluteTime from_time = 0.0, to_time = 0.0;
+ double days = 0.0;
+ SecAccessRef access = NULL;
+ CFMutableArrayRef trusted_list = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+ CFStringRef description = NULL;
+
+/*
+ { "create-keypair", key_create_pair,
+ "[-a alg] [-s size] [-f date] [-t date] [-d days] [-k keychain] [-A|-T appPath] description\n"
+ " -a Use alg as the algorithm, can be rsa, dh, dsa or fee (default rsa)\n"
+ " -s Specify the keysize in bits (default 512)\n"
+ " -f Make a key valid from the specified date\n"
+ " -t Make a key valid to the specified date\n"
+ " -d Make a key valid for the number of days specified from now\n"
+ " -k Use the specified keychain rather than the default\n"
+ " -H Print the public key hash attribute\n"
+ " -A Allow any application to access without warning\n"
+ " -T Allow the application specified to access without warning (multiple -T options are allowed)\n"
+ "If no options are provided, ask the user interactively.",
+*/
+
+ while ((ch = getopt(argc, argv, "a:s:f:t:d:k:AHT:h")) != -1)
+ {
+ switch (ch)
+ {
+ case 'a':
+ result = parse_algorithm(optarg, &algorithm);
+ if (result)
+ goto loser;
+ break;
+ case 's':
+ keySizeInBits = atoi(optarg);
+ break;
+ case 'k':
+ keychainName = optarg;
+ break;
+ case 'A':
+ always_allow = TRUE;
+ break;
+ case 'H':
+ print_hash = TRUE;
+ break;
+ case 'T':
+ {
+ if (optarg[0])
+ {
+ SecTrustedApplicationRef app = NULL;
+ status = SecTrustedApplicationCreateFromPath(optarg, &app);
+ if (status)
+ {
+ sec_error("SecTrustedApplicationCreateFromPath %s: %s", optarg, sec_errstr(status));
+ result = 1;
+ goto loser;
+ }
+
+ CFArrayAppendValue(trusted_list, app);
+ CFRelease(app);
+ }
+ break;
+ }
+ case 'f':
+ result = parse_time(optarg, &from_time);
+ if (result)
+ goto loser;
+ break;
+ case 't':
+ result = parse_time(optarg, &to_time);
+ if (result)
+ goto loser;
+ break;
+ case 'd':
+ days = atof(optarg);
+ if (days < 1)
+ {
+ result = 2;
+ goto loser;
+ }
+ from_time = CFAbsoluteTimeGetCurrent();
+ to_time = from_time + days * 86400.0;
+ break;
+ case '?':
+ default:
+ return SHOW_USAGE_MESSAGE;
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ if (argc == 1)
+ {
+ if (*argv[0] == '\0')
+ {
+ result = 2;
+ goto loser;
+ }
+ description = CFStringCreateWithCString(NULL, argv[0], kCFStringEncodingUTF8);
+ }
+ else if (argc != 0)
+ return SHOW_USAGE_MESSAGE;
+ else
+ description = CFStringCreateWithCString(NULL, "<key>", kCFStringEncodingUTF8);
+
+ if (always_allow)
+ {
+ status = SecAccessCreate(description, NULL, &access);
+ if (status)
+ {
+ sec_perror("SecAccessCreate", status);
+ result = 1;
+ }
+ }
+ else
+ {
+ status = SecAccessCreate(description, trusted_list, &access);
+ if (status)
+ {
+ sec_perror("SecAccessCreate", status);
+ result = 1;
+ }
+ }
+
+ if (result)
+ goto loser;
+
+ result = do_key_create_pair(keychainName, access, algorithm, keySizeInBits, from_time, to_time, print_hash);
+
+loser:
+ if (description)
+ CFRelease(description);
+ if (trusted_list)
+ CFRelease(trusted_list);
+ if (access)
+ CFRelease(access);
+
+ return result;
+}
+
+#if 0
+static OSStatus
+createCertCsr(
+ CSSM_TP_HANDLE tpHand, // eventually, a SecKeychainRef
+ CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ SecKeyRef subjPubKey,
+ SecKeyRef signerPrivKey,
+ CSSM_ALGORITHMS sigAlg,
+ const CSSM_OID *sigOid,
+ /*
+ * Issuer's RDN is obtained from the issuer cert, if present, or is
+ * assumed to be the same as the subject name (i.e., we're creating
+ * a self-signed root cert).
+ */
+ CSSM_BOOL useAllDefaults,
+ CSSM_DATA_PTR csrData) // CSR: mallocd and RETURNED
+{
+ CE_DataAndType exts[2];
+ CE_DataAndType *extp = exts;
+ unsigned numExts;
+
+ CSSM_DATA refId; // mallocd by CSSM_TP_SubmitCredRequest
+ CSSM_APPLE_TP_CERT_REQUEST certReq;
+ CSSM_TP_REQUEST_SET reqSet;
+ sint32 estTime;
+ CSSM_BOOL confirmRequired;
+ CSSM_TP_RESULT_SET_PTR resultSet;
+ CSSM_ENCODED_CERT *encCert;
+ CSSM_APPLE_TP_NAME_OID subjectNames[MAX_NAMES];
+ uint32 numNames;
+ CSSM_TP_CALLERAUTH_CONTEXT CallerAuthContext;
+ CSSM_FIELD policyId;
+
+ /* Note a lot of the CSSM_APPLE_TP_CERT_REQUEST fields are not
+ * used for the createCsr option, but we'll fill in as much as is practical
+ * for either case.
+ */
+ numExts = 0;
+
+ char challengeBuf[400];
+ if(useAllDefaults) {
+ strcpy(challengeBuf, ZDEF_CHALLENGE);
+ }
+ else {
+ while(1) {
+ getStringWithPrompt("Enter challenge string: ",
+ challengeBuf, sizeof(challengeBuf));
+ if(challengeBuf[0] != '\0') {
+ break;
+ }
+ }
+ }
+ certReq.challengeString = challengeBuf;
+
+ /* name array, get from user. */
+ if(useAllDefaults) {
+ subjectNames[0].string = ZDEF_COMMON_NAME;
+ subjectNames[0].oid = &CSSMOID_CommonName;
+ subjectNames[1].string = ZDEF_ORG_NAME;
+ subjectNames[1].oid = &CSSMOID_OrganizationName;
+ subjectNames[2].string = ZDEF_COUNTRY;
+ subjectNames[2].oid = &CSSMOID_CountryName;
+ subjectNames[3].string = ZDEF_STATE;
+ subjectNames[3].oid = &CSSMOID_StateProvinceName;
+ numNames = 4;
+ }
+ else {
+ getNameOids(subjectNames, &numNames);
+ }
+
+ /* certReq */
+ certReq.cspHand = cspHand;
+ certReq.clHand = clHand;
+ certReq.serialNumber = 0x12345678; // TBD - random? From user?
+ certReq.numSubjectNames = numNames;
+ certReq.subjectNames = subjectNames;
+
+ /* TBD - if we're passed in a signing cert, certReq.issuerNameX509 will
+ * be obtained from that cert. For now we specify "self-signed" cert
+ * by not providing an issuer name at all. */
+ certReq.numIssuerNames = 0; // root for now
+ certReq.issuerNames = NULL;
+ certReq.issuerNameX509 = NULL;
+ certReq.certPublicKey = subjPubKey;
+ certReq.issuerPrivateKey = signerPrivKey;
+ certReq.signatureAlg = sigAlg;
+ certReq.signatureOid = *sigOid;
+ certReq.notBefore = 0; // TBD - from user
+ certReq.notAfter = 60 * 60 * 24 * 30; // seconds from now
+ certReq.numExtensions = numExts;
+ certReq.extensions = exts;
+
+ reqSet.NumberOfRequests = 1;
+ reqSet.Requests = &certReq;
+
+ /* a CSSM_TP_CALLERAUTH_CONTEXT to specify an OID */
+ memset(&CallerAuthContext, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
+ memset(&policyId, 0, sizeof(CSSM_FIELD));
+ policyId.FieldOid = CSSMOID_APPLE_TP_CSR_GEN;
+ CallerAuthContext.Policy.NumberOfPolicyIds = 1;
+ CallerAuthContext.Policy.PolicyIds = &policyId;
+
+ CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(tpHand,
+ NULL, // PreferredAuthority
+ CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
+ &reqSet,
+ &CallerAuthContext,
+ &estTime,
+ &refId);
+
+ /* before proceeding, free resources allocated thus far */
+ if(!useAllDefaults) {
+ freeNameOids(subjectNames, numNames);
+ }
+
+ if(crtn) {
+ printError("***Error submitting credential request","CSSM_TP_SubmitCredRequest",crtn);
+ return crtn;
+ }
+ crtn = CSSM_TP_RetrieveCredResult(tpHand,
+ &refId,
+ NULL, // CallerAuthCredentials
+ &estTime,
+ &confirmRequired,
+ &resultSet);
+ if(crtn) {
+ printError("***Error retreiving credential request","CSSM_TP_RetrieveCredResult",crtn);
+ return crtn;
+ }
+ if(resultSet == NULL) {
+ printf("***CSSM_TP_RetrieveCredResult returned NULL result set.\n");
+ return ioErr;
+ }
+ encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
+ *csrData = encCert->CertBlob;
+
+ /* free resources allocated by TP */
+ APP_FREE(refId.Data);
+ APP_FREE(encCert);
+ APP_FREE(resultSet);
+ return noErr;
+}
+#endif
+
+#if 0
+/* this was added in Michael's integration of PR-3420772, but this is an unimplemented command */
+
+int
+csr_create(int argc, char * const *argv)
+{
+ int result = 0;
+ int ch;
+ const char *keychainName = NULL;
+ CSSM_ALGORITHMS algorithm = CSSM_ALGID_RSA;
+ uint32 keySizeInBits = 512;
+ OSStatus status;
+ Boolean always_allow = FALSE;
+ CFAbsoluteTime from_time = 0.0, to_time = 0.0;
+ double days = 0.0;
+ SecAccessRef access = NULL;
+ CFMutableArrayRef trusted_list = NULL;
+ CFStringRef description = NULL;
+
+/*
+ { "create-keypair", key_create_pair,
+ "[-a alg] [-s size] [-f date] [-t date] [-d days] [-k keychain] [-u sdux] [-c challenge] description\n"
+ " [-k keychain] [-u sewx] description\n"
+ " -a Look for key with alg as the algorithm, can be rsa, dh, dsa or fee (default rsa)\n"
+ " -s Look for key with keysize in bits\n"
+ " -c Add challenge to the key as a challange string\n"
+ " -f Look for a key at least valid from the specified date\n"
+ " -t Look for a key at least valid to the specified date\n"
+ " -d Look for a key at least valid for the number of days specified from now\n"
+ " -u Look for a key with the specified usage flags (s)igning (d)ecryption (u)nwrapping e(x)change\n"
+ " -k Look in specified keychain rather than the default search list\n"
+ "If no options are provided ask the user interactively",
+*/
+
+ while ((ch = getopt(argc, argv, "a:s:f:t:d:k:AT:h")) != -1)
+ {
+ switch (ch)
+ {
+ case 'a':
+ result = parse_algorithm(optarg, &algorithm);
+ if (result)
+ goto loser;
+ break;
+ case 's':
+ keySizeInBits = atoi(optarg);
+ break;
+ case 'k':
+ keychainName = optarg;
+ break;
+ case 'A':
+ always_allow = TRUE;
+ break;
+ case 'T':
+ {
+ if (!trusted_list)
+ {
+ trusted_list = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+ }
+
+ if (optarg[0])
+ {
+ SecTrustedApplicationRef app = NULL;
+ status = SecTrustedApplicationCreateFromPath(optarg, &app);
+ if (status)
+ {
+ sec_error("SecTrustedApplicationCreateFromPath %s: %s", optarg, sec_errstr(status));
+ result = 1;
+ goto loser;
+ }
+
+ CFArrayAppendValue(trusted_list, app);
+ CFRelease(app);
+ break;
+ }
+ }
+ case 'f':
+ result = parse_time(optarg, &from_time);
+ if (result)
+ goto loser;
+ break;
+ case 't':
+ result = parse_time(optarg, &to_time);
+ if (result)
+ goto loser;
+ break;
+ case 'd':
+ days = atof(optarg);
+ if (days < 1)
+ {
+ result = 2;
+ goto loser;
+ }
+ from_time = CFAbsoluteTimeGetCurrent();
+ to_time = from_time + days * 86400.0;
+ break;
+ case '?':
+ default:
+ return SHOW_USAGE_MESSAGE;
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ if (argc == 1)
+ {
+ if (*argv[0] == '\0')
+ {
+ result = 2;
+ goto loser;
+ }
+ description = CFStringCreateWithCString(NULL, argv[0], kCFStringEncodingUTF8);
+ }
+ else if (argc != 0)
+ return SHOW_USAGE_MESSAGE;
+ else
+ description = CFStringCreateWithCString(NULL, "<key>", kCFStringEncodingUTF8);
+
+ if (always_allow)
+ {
+ status = SecAccessCreate(description, NULL, &access);
+ if (status)
+ {
+ sec_perror("SecAccessCreate", status);
+ result = 1;
+ }
+ // @@@ Make the acl always allow now.
+ }
+ else
+ {
+ status = SecAccessCreate(description, trusted_list, &access);
+ if (status)
+ {
+ sec_perror("SecAccessCreate", status);
+ result = 1;
+ }
+ }
+
+ if (result)
+ goto loser;
+
+ result = do_csr_create(keychainName, access, algorithm, keySizeInBits, from_time, to_time);
+
+loser:
+ if (description)
+ CFRelease(description);
+ if (trusted_list)
+ CFRelease(trusted_list);
+ if (access)
+ CFRelease(access);
+
+ return result;
+}
+#endif
projects / apple / security.git / blobdiff