+++ /dev/null
-/*
- * clearPubKeyTest.cpp
- *
- * Test CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT. This cannot be run on a handsoff environment;
- * it forces Keychain unlock dialogs.
- */
-
-#include <stdlib.h>
-#include <strings.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <Security/Security.h>
-#include "cspwrap.h"
-#include "common.h"
-
-#define KEYCHAIN_NAME "/tmp/clearPubKey.keychain"
-#define KEYCHAIN_PWD "pwd"
-#define KEY_ALG CSSM_ALGID_RSA
-#define KEYSIZE 1024
-#define ENCRALG CSSM_ALGID_RSA
-
-static void usage(char **argv)
-{
- printf("usage: %s -v(erbose)\n", argv[0]);
- exit(1);
-}
-
-static void printNoDialog()
-{
- printf("*** If you get a keychain unlock dialog here the test is failing ***\n");
-}
-
-static void printExpectDialog()
-{
- printf("*** You MUST get a keychain unlock dialog here (password = '%s') ***\n",
- KEYCHAIN_PWD);
-}
-
-static bool didGetDialog()
-{
- fpurge(stdin);
- printf("Enter 'y' if you just got a keychain unlock dialog: ");
- if(getchar() == 'y') {
- return 1;
- }
- printf("***Well, you really should have. Test failed.\n");
- return 0;
-}
-
-static void verboseDisp(bool verbose, const char *str)
-{
- if(verbose) {
- printf("...%s\n", str);
- }
-}
-
-/* generate key pair, optionally storing the public key in encrypted form */
-static int genKeyPair(
- bool pubKeyIsEncrypted,
- SecKeychainRef kcRef,
- SecKeyRef *pubKeyRef,
- SecKeyRef *privKeyRef)
-{
- /* gather keygen args */
- CSSM_ALGORITHMS keyAlg = KEY_ALG;
- uint32 keySizeInBits = KEYSIZE;
- CSSM_KEYUSE pubKeyUsage = CSSM_KEYUSE_ANY;
- uint32 pubKeyAttr = CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_PERMANENT;
- if(pubKeyIsEncrypted) {
- pubKeyAttr |= CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT;
- }
- CSSM_KEYUSE privKeyUsage = CSSM_KEYUSE_ANY;
- uint32 privKeyAttr = CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE |
- CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_SENSITIVE;
-
- OSStatus ortn = SecKeyCreatePair(kcRef, keyAlg, keySizeInBits, 0,
- pubKeyUsage, pubKeyAttr,
- privKeyUsage, privKeyAttr,
- NULL, // default initial access for now
- pubKeyRef, privKeyRef);
- if(ortn) {
- cssmPerror("SecKeyCreatePair", ortn);
- return 1;
- }
- return 0;
-}
-
-/* encrypt something with a public key */
-static int pubKeyEncrypt(
- SecKeyRef pubKeyRef)
-{
- const CSSM_KEY *cssmKey;
- OSStatus ortn;
- CSSM_CSP_HANDLE cspHand;
-
- ortn = SecKeyGetCSSMKey(pubKeyRef, &cssmKey);
- if(ortn) {
- cssmPerror("SecKeyGetCSSMKey", ortn);
- return -1;
- }
- ortn = SecKeyGetCSPHandle(pubKeyRef, &cspHand);
- if(ortn) {
- cssmPerror("SecKeyGetCSPHandle", ortn);
- return -1;
- }
-
- char *ptext = "something to encrypt";
- CSSM_DATA ptextData = {strlen(ptext), (uint8 *)ptext};
- CSSM_DATA ctextData = { 0, NULL };
- CSSM_RETURN crtn;
-
- crtn = cspEncrypt(cspHand, CSSM_ALGID_RSA,
- 0, CSSM_PADDING_PKCS1, // mode/pad
- cssmKey, NULL,
- 0, 0, // effect/rounds
- NULL, // IV
- &ptextData, &ctextData, CSSM_FALSE);
- if(crtn) {
- return -1;
- }
- /* slighyly hazardous, allocated by CSPDL's allocator */
- free(ctextData.Data);
- return 0;
-}
-
-int main(int argc, char **argv)
-{
- bool verbose = false;
-
- int arg;
- while ((arg = getopt(argc, argv, "vh")) != -1) {
- switch (arg) {
- case 'v':
- verbose = true;
- break;
- case 'h':
- usage(argv);
- }
- }
- if(optind != argc) {
- usage(argv);
- }
-
- printNoDialog();
-
- /* initial setup */
- verboseDisp(verbose, "deleting keychain");
- unlink(KEYCHAIN_NAME);
-
- verboseDisp(verbose, "creating keychain");
- SecKeychainRef kcRef = NULL;
- OSStatus ortn = SecKeychainCreate(KEYCHAIN_NAME,
- strlen(KEYCHAIN_PWD), KEYCHAIN_PWD,
- false, NULL, &kcRef);
- if(ortn) {
- cssmPerror("SecKeychainCreate", ortn);
- exit(1);
- }
-
- /*
- * 1. Generate key pair with cleartext public key.
- * Ensure we can use the public key when keychain is locked with no
- * user interaction.
- */
-
- /* generate key pair, cleartext public key */
- verboseDisp(verbose, "creating key pair, cleartext public key");
- SecKeyRef pubKeyRef = NULL;
- SecKeyRef privKeyRef = NULL;
- if(genKeyPair(false, kcRef, &pubKeyRef, &privKeyRef)) {
- exit(1);
- }
-
- /* Use generated cleartext public key with locked keychain */
- verboseDisp(verbose, "locking keychain, exporting public key");
- SecKeychainLock(kcRef);
- CFDataRef exportData = NULL;
- ortn = SecKeychainItemExport(pubKeyRef, kSecFormatOpenSSL, 0, NULL, &exportData);
- if(ortn) {
- cssmPerror("SecKeychainCreate", ortn);
- exit(1);
- }
- CFRelease(exportData);
-
- verboseDisp(verbose, "locking keychain, encrypting with public key");
- SecKeychainLock(kcRef);
- if(pubKeyEncrypt(pubKeyRef)) {
- exit(1);
- }
-
- /* reset */
- verboseDisp(verbose, "deleting keys");
- ortn = SecKeychainItemDelete((SecKeychainItemRef)pubKeyRef);
- if(ortn) {
- cssmPerror("SecKeychainItemDelete", ortn);
- exit(1);
- }
- ortn = SecKeychainItemDelete((SecKeychainItemRef)privKeyRef);
- if(ortn) {
- cssmPerror("SecKeychainItemDelete", ortn);
- exit(1);
- }
- CFRelease(pubKeyRef);
- CFRelease(privKeyRef);
-
- /*
- * 2. Generate key pair with encrypted public key.
- * Ensure that user interaction is required when we use the public key
- * when keychain is locked.
- */
-
- verboseDisp(verbose, "programmatically unlocking keychain");
- ortn = SecKeychainUnlock(kcRef, strlen(KEYCHAIN_PWD), KEYCHAIN_PWD, TRUE);
- if(ortn) {
- cssmPerror("SecKeychainItemDelete", ortn);
- exit(1);
- }
-
- /* generate key pair, encrypted public key */
- verboseDisp(verbose, "creating key pair, encrypted public key");
- if(genKeyPair(true, kcRef, &pubKeyRef, &privKeyRef)) {
- exit(1);
- }
-
- /* Use generated encrypted public key with locked keychain */
- verboseDisp(verbose, "locking keychain, exporting public key");
- SecKeychainLock(kcRef);
- printExpectDialog();
- ortn = SecKeychainItemExport(pubKeyRef, kSecFormatOpenSSL, 0, NULL, &exportData);
- if(ortn) {
- cssmPerror("SecKeychainCreate", ortn);
- exit(1);
- }
- /* we'll use that exported blob later to test import */
- if(!didGetDialog()) {
- exit(1);
- }
-
- verboseDisp(verbose, "locking keychain, encrypting with public key");
- SecKeychainLock(kcRef);
- printExpectDialog();
- if(pubKeyEncrypt(pubKeyRef)) {
- exit(1);
- }
- if(!didGetDialog()) {
- exit(1);
- }
-
- /* reset */
- printNoDialog();
- verboseDisp(verbose, "locking keychain");
- SecKeychainLock(kcRef);
- verboseDisp(verbose, "deleting keys");
- ortn = SecKeychainItemDelete((SecKeychainItemRef)pubKeyRef);
- if(ortn) {
- cssmPerror("SecKeychainItemDelete", ortn);
- exit(1);
- }
- ortn = SecKeychainItemDelete((SecKeychainItemRef)privKeyRef);
- if(ortn) {
- cssmPerror("SecKeychainItemDelete", ortn);
- exit(1);
- }
- CFRelease(pubKeyRef);
- CFRelease(privKeyRef);
-
- /*
- * 3. Import public key, storing in cleartext. Ensure that the import
- * doesn't require unlock, and ensure we can use the public key
- * when keychain is locked with no user interaction.
- */
-
- printNoDialog();
- verboseDisp(verbose, "locking keychain");
- SecKeychainLock(kcRef);
-
- /* import public key - default is in the clear */
- verboseDisp(verbose, "importing public key, store in the clear (default)");
- CFArrayRef outArray = NULL;
- SecExternalFormat format = kSecFormatOpenSSL;
- SecExternalItemType type = kSecItemTypePublicKey;
- ortn = SecKeychainItemImport(exportData,
- NULL, &format, &type,
- 0, NULL,
- kcRef, &outArray);
- if(ortn) {
- cssmPerror("SecKeychainItemImport", ortn);
- exit(1);
- }
- CFRelease(exportData);
- if(CFArrayGetCount(outArray) != 1) {
- printf("***Unexpected outArray size (%ld) after import\n",
- (long)CFArrayGetCount(outArray));
- exit(1);
- }
- pubKeyRef = (SecKeyRef)CFArrayGetValueAtIndex(outArray, 0);
- if(CFGetTypeID(pubKeyRef) != SecKeyGetTypeID()) {
- printf("***Unexpected item type after import\n");
- exit(1);
- }
-
- /* Use imported cleartext public key with locked keychain */
- verboseDisp(verbose, "locking keychain, exporting public key");
- SecKeychainLock(kcRef);
- exportData = NULL;
- ortn = SecKeychainItemExport(pubKeyRef, kSecFormatOpenSSL, 0, NULL, &exportData);
- if(ortn) {
- cssmPerror("SecKeychainItemExport", ortn);
- exit(1);
- }
- /* we'll use exportData again */
-
- verboseDisp(verbose, "locking keychain, encrypting with public key");
- SecKeychainLock(kcRef);
- if(pubKeyEncrypt(pubKeyRef)) {
- exit(1);
- }
-
- /* reset */
- verboseDisp(verbose, "deleting key");
- ortn = SecKeychainItemDelete((SecKeychainItemRef)pubKeyRef);
- if(ortn) {
- cssmPerror("SecKeychainItemDelete", ortn);
- exit(1);
- }
- CFRelease(pubKeyRef);
-
- /*
- * Import public key, storing in encrypted form.
- * Ensure that user interaction is required when we use the public key
- * when keychain is locked.
- */
-
- /* import public key, encrypted in the keychain */
- SecKeyImportExportParameters impExpParams;
- memset(&impExpParams, 0, sizeof(impExpParams));
- impExpParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
- impExpParams.keyAttributes = CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE |
- CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT;
- verboseDisp(verbose, "importing public key, store encrypted");
- printExpectDialog();
- outArray = NULL;
- format = kSecFormatOpenSSL;
- type = kSecItemTypePublicKey;
- ortn = SecKeychainItemImport(exportData,
- NULL, &format, &type,
- 0, &impExpParams,
- kcRef, &outArray);
- if(ortn) {
- cssmPerror("SecKeychainItemImport", ortn);
- exit(1);
- }
- if(!didGetDialog()) {
- exit(1);
- }
- CFRelease(exportData);
- if(CFArrayGetCount(outArray) != 1) {
- printf("***Unexpected outArray size (%ld) after import\n",
- (long)CFArrayGetCount(outArray));
- exit(1);
- }
- pubKeyRef = (SecKeyRef)CFArrayGetValueAtIndex(outArray, 0);
- if(CFGetTypeID(pubKeyRef) != SecKeyGetTypeID()) {
- printf("***Unexpected item type after import\n");
- exit(1);
- }
-
- /* Use imported encrypted public key with locked keychain */
- verboseDisp(verbose, "locking keychain, exporting public key");
- SecKeychainLock(kcRef);
- printExpectDialog();
- ortn = SecKeychainItemExport(pubKeyRef, kSecFormatOpenSSL, 0, NULL, &exportData);
- if(ortn) {
- cssmPerror("SecKeychainItemExport", ortn);
- exit(1);
- }
- if(!didGetDialog()) {
- exit(1);
- }
- CFRelease(exportData);
-
- verboseDisp(verbose, "locking keychain, encrypting with public key");
- SecKeychainLock(kcRef);
- printExpectDialog();
- if(pubKeyEncrypt(pubKeyRef)) {
- exit(1);
- }
- if(!didGetDialog()) {
- exit(1);
- }
-
- SecKeychainDelete(kcRef);
- printf("...test succeeded.\n");
- return 0;
-}
projects / apple / security.git / blobdiff