+++ /dev/null
-/*
- * Copyright (c) 2003-2005,2008 Apple Inc. All Rights Reserved.
- *
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License. Please
- * obtain a copy of the License at http://www.apple.com/publicsource and
- * read it before using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- */
-
-/*
- * dbCert.cpp - import a possibly bad cert along with its private key
- */
-
-#include "dbCert.h"
-#include <Security/Security.h>
-#include <security_cdsa_utils/cuFileIo.h>
-#include <security_cdsa_utils/cuDbUtils.h>
-#include <security_cdsa_utils/cuCdsaUtils.h>
-#include <security_cdsa_utils/cuPem.h>
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-/* Copied from clxutils/clAppUtils/tpUtils */
-/* defined in SecKeychainAPIPriv.h */
-static const int kSecAliasItemAttr = 'alis';
-
-/* Macro to declare a CSSM_DB_SCHEMA_ATTRIBUTE_INFO */
-#define SCHEMA_ATTR_INFO(id, name, type) \
- { id, (char *)name, {0, NULL}, CSSM_DB_ATTRIBUTE_FORMAT_ ## type }
-
-/* Too bad we can't get this from inside of the Security framework. */
-static CSSM_DB_SCHEMA_ATTRIBUTE_INFO certSchemaAttrInfo[] =
-{
- SCHEMA_ATTR_INFO(kSecCertTypeItemAttr, "CertType", UINT32),
- SCHEMA_ATTR_INFO(kSecCertEncodingItemAttr, "CertEncoding", UINT32),
- SCHEMA_ATTR_INFO(kSecLabelItemAttr, "PrintName", BLOB),
- SCHEMA_ATTR_INFO(kSecAliasItemAttr, "Alias", BLOB),
- SCHEMA_ATTR_INFO(kSecSubjectItemAttr, "Subject", BLOB),
- SCHEMA_ATTR_INFO(kSecIssuerItemAttr, "Issuer", BLOB),
- SCHEMA_ATTR_INFO(kSecSerialNumberItemAttr, "SerialNumber", BLOB),
- SCHEMA_ATTR_INFO(kSecSubjectKeyIdentifierItemAttr, "SubjectKeyIdentifier", BLOB),
- SCHEMA_ATTR_INFO(kSecPublicKeyHashItemAttr, "PublicKeyHash", BLOB)
-};
-#define NUM_CERT_SCHEMA_ATTRS \
- (sizeof(certSchemaAttrInfo) / sizeof(CSSM_DB_SCHEMA_ATTRIBUTE_INFO))
-
-/* Macro to declare a CSSM_DB_SCHEMA_INDEX_INFO */
-#define SCHEMA_INDEX_INFO(id, indexNum, indexType) \
- { id, CSSM_DB_INDEX_ ## indexType, CSSM_DB_INDEX_ON_ATTRIBUTE }
-
-
-static CSSM_DB_SCHEMA_INDEX_INFO certSchemaIndices[] =
-{
- SCHEMA_INDEX_INFO(kSecCertTypeItemAttr, 0, UNIQUE),
- SCHEMA_INDEX_INFO(kSecIssuerItemAttr, 0, UNIQUE),
- SCHEMA_INDEX_INFO(kSecSerialNumberItemAttr, 0, UNIQUE),
- SCHEMA_INDEX_INFO(kSecCertTypeItemAttr, 1, NONUNIQUE),
- SCHEMA_INDEX_INFO(kSecSubjectItemAttr, 2, NONUNIQUE),
- SCHEMA_INDEX_INFO(kSecIssuerItemAttr, 3, NONUNIQUE),
- SCHEMA_INDEX_INFO(kSecSerialNumberItemAttr, 4, NONUNIQUE),
- SCHEMA_INDEX_INFO(kSecSubjectKeyIdentifierItemAttr, 5, NONUNIQUE),
- SCHEMA_INDEX_INFO(kSecPublicKeyHashItemAttr, 6, NONUNIQUE)
-};
-#define NUM_CERT_INDICES \
- (sizeof(certSchemaIndices) / sizeof(CSSM_DB_SCHEMA_INDEX_INFO))
-
-
-CSSM_RETURN tpAddCertSchema(
- CSSM_DL_DB_HANDLE dlDbHand)
-{
- return CSSM_DL_CreateRelation(dlDbHand,
- CSSM_DL_DB_RECORD_X509_CERTIFICATE,
- "CSSM_DL_DB_RECORD_X509_CERTIFICATE",
- NUM_CERT_SCHEMA_ATTRS,
- certSchemaAttrInfo,
- NUM_CERT_INDICES,
- certSchemaIndices);
-}
-
-
-/* copied verbatim from certTool */
-
-/*
- * Find private key by label, modify its Label attr to be the
- * hash of the associated public key.
- */
-static CSSM_RETURN setPubKeyHash(
- CSSM_CSP_HANDLE cspHand,
- CSSM_DL_DB_HANDLE dlDbHand,
- const char *keyLabel, // look up by this
- CSSM_DATA *rtnKeyDigest) // optionally RETURNED, if so,
- // caller owns and must cuAppFree
-{
- CSSM_QUERY query;
- CSSM_SELECTION_PREDICATE predicate;
- CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
- CSSM_RETURN crtn;
- CSSM_DATA labelData;
- CSSM_HANDLE resultHand;
-
- labelData.Data = (uint8 *)keyLabel;
- labelData.Length = strlen(keyLabel) + 1; // incl. NULL
- query.RecordType = CSSM_DL_DB_RECORD_PRIVATE_KEY;
- query.Conjunctive = CSSM_DB_NONE;
- query.NumSelectionPredicates = 1;
- predicate.DbOperator = CSSM_DB_EQUAL;
-
- predicate.Attribute.Info.AttributeNameFormat =
- CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- predicate.Attribute.Info.Label.AttributeName = (char *)"Label";
- predicate.Attribute.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- /* hope this cast is OK */
- predicate.Attribute.Value = &labelData;
- query.SelectionPredicate = &predicate;
-
- query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
- query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
- query.QueryFlags = 0; // CSSM_QUERY_RETURN_DATA; // FIXME - used?
-
- /* build Record attribute with one attr */
- CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
- CSSM_DB_ATTRIBUTE_DATA attr;
- attr.Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr.Info.Label.AttributeName = (char *)"Label";
- attr.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
-
- recordAttrs.DataRecordType = CSSM_DL_DB_RECORD_PRIVATE_KEY;
- recordAttrs.NumberOfAttributes = 1;
- recordAttrs.AttributeData = &attr;
-
- CSSM_DATA recordData = {0, NULL};
- crtn = CSSM_DL_DataGetFirst(dlDbHand,
- &query,
- &resultHand,
- &recordAttrs,
- &recordData,
- &record);
- /* abort only on success */
- if(crtn != CSSM_OK) {
- cuPrintError("CSSM_DL_DataGetFirst", crtn);
- return crtn;
- }
-
- CSSM_KEY_PTR keyToDigest = (CSSM_KEY_PTR)recordData.Data;
- CSSM_DATA_PTR keyDigest = NULL;
- CSSM_CC_HANDLE ccHand;
- crtn = CSSM_CSP_CreatePassThroughContext(cspHand,
- keyToDigest,
- &ccHand);
- if(crtn) {
- cuPrintError("CSSM_CSP_CreatePassThroughContext", crtn);
- return crtn;
- }
- crtn = CSSM_CSP_PassThrough(ccHand,
- CSSM_APPLECSP_KEYDIGEST,
- NULL,
- (void **)&keyDigest);
- if(crtn) {
- cuPrintError("CSSM_CSP_PassThrough(PUBKEYHASH)", crtn);
- return -1;
- }
- CSSM_FreeKey(cspHand, NULL, keyToDigest, CSSM_FALSE);
- CSSM_DeleteContext(ccHand);
-
- /*
- * Replace Label attr data with hash.
- * NOTE: the module which allocated this attribute data - a DL -
- * was loaded and attached by the Sec layer, not by us. Thus
- * we can't use the memory allocator functions *we* used when
- * attaching to the CSPDL - we have to use the ones
- * which the Sec layer registered with the DL.
- */
- CSSM_API_MEMORY_FUNCS memFuncs;
- crtn = CSSM_GetAPIMemoryFunctions(dlDbHand.DLHandle, &memFuncs);
- if(crtn) {
- cuPrintError("CSSM_GetAPIMemoryFunctions(DLHandle)", crtn);
- /* oh well, leak and continue */
- }
- else {
- memFuncs.free_func(attr.Value->Data, memFuncs.AllocRef);
- memFuncs.free_func(attr.Value, memFuncs.AllocRef);
- }
- attr.Value = keyDigest;
-
- /* modify key attributes */
- crtn = CSSM_DL_DataModify(dlDbHand,
- CSSM_DL_DB_RECORD_PRIVATE_KEY,
- record,
- &recordAttrs,
- NULL, // DataToBeModified
- CSSM_DB_MODIFY_ATTRIBUTE_REPLACE);
- if(crtn) {
- cuPrintError("CSSM_DL_DataModify(PUBKEYHASH)", crtn);
- return crtn;
- }
- crtn = CSSM_DL_DataAbortQuery(dlDbHand, resultHand);
- if(crtn) {
- cuPrintError("CSSM_DL_DataAbortQuery", crtn);
- /* let's keep going in this case */
- }
- crtn = CSSM_DL_FreeUniqueRecord(dlDbHand, record);
- if(crtn) {
- cuPrintError("CSSM_DL_FreeUniqueRecord", crtn);
- /* let's keep going in this case */
- crtn = CSSM_OK;
- }
-
- /* free resources */
- if(rtnKeyDigest) {
- *rtnKeyDigest = *keyDigest;
- }
- else {
- cuAppFree(keyDigest->Data, NULL);
- /* FIXME - don't we have to free keyDigest itself? */
- }
- return CSSM_OK;
-}
-
-static CSSM_RETURN importPrivateKey(
- CSSM_DL_DB_HANDLE dlDbHand,
- CSSM_CSP_HANDLE cspHand,
- const char *privKeyFileName,
- CSSM_ALGORITHMS keyAlg,
- CSSM_BOOL pemFormat, // of the file
- CSSM_KEYBLOB_FORMAT keyFormat, // of the key blob itself, NONE means
- // use default
- CSSM_DATA *keyHash) // OPTIONALLY RETURNED - if so, caller
- // owns and must cuAppFree()
-{
- unsigned char *derKey = NULL;
- unsigned derKeyLen;
- unsigned char *pemKey = NULL;
- unsigned pemKeyLen;
- CSSM_KEY wrappedKey;
- CSSM_KEY unwrappedKey;
- CSSM_ACCESS_CREDENTIALS creds;
- CSSM_CC_HANDLE ccHand = 0;
- CSSM_RETURN crtn;
- CSSM_DATA labelData;
- CSSM_KEYHEADER_PTR hdr = &wrappedKey.KeyHeader;
- CSSM_DATA descData = {0, NULL};
- CSSM_CSP_HANDLE rawCspHand = 0;
- const char *privKeyLabel = NULL;
-
- /*
- * Validate specified format for clarity
- */
- switch(keyAlg) {
- case CSSM_ALGID_RSA:
- switch(keyFormat) {
- case CSSM_KEYBLOB_RAW_FORMAT_NONE:
- keyFormat = CSSM_KEYBLOB_RAW_FORMAT_PKCS1; // default
- break;
- case CSSM_KEYBLOB_RAW_FORMAT_PKCS1:
- case CSSM_KEYBLOB_RAW_FORMAT_PKCS8:
- break;
- default:
- printf("***RSA Private key must be in PKCS1 or PKCS8 "
- "format\n");
- return CSSMERR_CSSM_INTERNAL_ERROR;
- }
- privKeyLabel = "Imported RSA key";
- break;
- case CSSM_ALGID_DSA:
- switch(keyFormat) {
- case CSSM_KEYBLOB_RAW_FORMAT_NONE:
- keyFormat = CSSM_KEYBLOB_RAW_FORMAT_OPENSSL;
- // default
- break;
- case CSSM_KEYBLOB_RAW_FORMAT_FIPS186:
- case CSSM_KEYBLOB_RAW_FORMAT_OPENSSL:
- case CSSM_KEYBLOB_RAW_FORMAT_PKCS8:
- break;
- default:
- printf("***DSA Private key must be in openssl, FIPS186, "
- "or PKCS8 format\n");
- return CSSMERR_CSSM_INTERNAL_ERROR;
- }
- privKeyLabel = "Imported DSA key";
- break;
- case CSSM_ALGID_DH:
- switch(keyFormat) {
- case CSSM_KEYBLOB_RAW_FORMAT_NONE:
- keyFormat = CSSM_KEYBLOB_RAW_FORMAT_PKCS8; // default
- break;
- case CSSM_KEYBLOB_RAW_FORMAT_PKCS8:
- break;
- default:
- printf("***Diffie-Hellman Private key must be in"
- "PKCS8 format.\n");
- return CSSMERR_CSSM_INTERNAL_ERROR;
- }
- privKeyLabel = "Imported Diffie-Hellman key";
- break;
- }
- if(readFile(privKeyFileName, &pemKey, &pemKeyLen)) {
- printf("***Error reading private key from file %s. Aborting.\n",
- privKeyFileName);
- return CSSMERR_CSSM_INTERNAL_ERROR;
- }
- /* subsequent errors to done: */
- if(pemFormat) {
- int rtn = pemDecode(pemKey, pemKeyLen, &derKey, &derKeyLen);
- if(rtn) {
- printf("***%s: Bad PEM formatting. Aborting.\n",
- privKeyFileName);
- crtn = CSSMERR_CSP_INVALID_KEY;
- goto done;
- }
- }
- else {
- derKey = pemKey;
- derKeyLen = pemKeyLen;
- }
-
- /* importing a raw key into the CSPDL involves a NULL unwrap */
- memset(&unwrappedKey, 0, sizeof(CSSM_KEY));
- memset(&wrappedKey, 0, sizeof(CSSM_KEY));
-
- /* set up the imported key to look like a CSSM_KEY */
- hdr->HeaderVersion = CSSM_KEYHEADER_VERSION;
- hdr->BlobType = CSSM_KEYBLOB_RAW;
- hdr->AlgorithmId = keyAlg;
- hdr->KeyClass = CSSM_KEYCLASS_PRIVATE_KEY;
- hdr->KeyAttr = CSSM_KEYATTR_EXTRACTABLE;
- hdr->KeyUsage = CSSM_KEYUSE_ANY;
- hdr->Format = keyFormat;
- wrappedKey.KeyData.Data = derKey;
- wrappedKey.KeyData.Length = derKeyLen;
-
- /* get key size in bits from raw CSP */
- rawCspHand = cuCspStartup(CSSM_TRUE);
- if(rawCspHand == 0) {
- printf("***Error attaching to CSP. Aborting.\n");
- crtn = CSSMERR_CSSM_INTERNAL_ERROR;
- goto done;
- }
- CSSM_KEY_SIZE keySize;
- crtn = CSSM_QueryKeySizeInBits(rawCspHand, CSSM_INVALID_HANDLE, &wrappedKey, &keySize);
- if(crtn) {
- cuPrintError("CSSM_QueryKeySizeInBits",crtn);
- goto done;
- }
- hdr->LogicalKeySizeInBits = keySize.LogicalKeySizeInBits;
-
- memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
- crtn = CSSM_CSP_CreateSymmetricContext(cspHand,
- CSSM_ALGID_NONE, // unwrapAlg
- CSSM_ALGMODE_NONE, // unwrapMode
- &creds,
- NULL, // unwrappingKey
- NULL, // initVector
- CSSM_PADDING_NONE, // unwrapPad
- 0, // Params
- &ccHand);
- if(crtn) {
- cuPrintError("CSSM_CSP_CreateSymmetricContext", crtn);
- goto done;
- }
-
- /* add DL/DB to context */
- CSSM_CONTEXT_ATTRIBUTE newAttr;
- newAttr.AttributeType = CSSM_ATTRIBUTE_DL_DB_HANDLE;
- newAttr.AttributeLength = sizeof(CSSM_DL_DB_HANDLE);
- newAttr.Attribute.Data = (CSSM_DATA_PTR)&dlDbHand;
- crtn = CSSM_UpdateContextAttributes(ccHand, 1, &newAttr);
- if(crtn) {
- cuPrintError("CSSM_UpdateContextAttributes", crtn);
- goto done;
- }
-
- /* do the NULL unwrap */
- labelData.Data = (uint8 *)privKeyLabel;
- labelData.Length = strlen(privKeyLabel) + 1;
- crtn = CSSM_UnwrapKey(ccHand,
- NULL, // PublicKey
- &wrappedKey,
- CSSM_KEYUSE_ANY,
- CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_PERMANENT |
- CSSM_KEYATTR_SENSITIVE |CSSM_KEYATTR_EXTRACTABLE,
- &labelData,
- NULL, // CredAndAclEntry
- &unwrappedKey,
- &descData); // required
- if(crtn != CSSM_OK) {
- cuPrintError("CSSM_UnwrapKey", crtn);
- goto done;
- }
-
- /* one more thing: bind this private key to its public key */
- crtn = setPubKeyHash(cspHand, dlDbHand, privKeyLabel, keyHash);
-
- /* We don't need the unwrapped key any more */
- CSSM_FreeKey(cspHand,
- NULL, // access cred
- &unwrappedKey,
- CSSM_FALSE); // delete
-
-done:
- if(ccHand) {
- CSSM_DeleteContext(ccHand);
- }
- if(derKey) {
- free(derKey); // mallocd by readFile() */
- }
- if(pemFormat && pemKey) {
- free(pemKey);
- }
- if(rawCspHand) {
- CSSM_ModuleDetach(rawCspHand);
- }
- return crtn;
-}
-
-
-CSSM_RETURN importBadCert(
- CSSM_DL_HANDLE dlHand,
- const char *dbFileName,
- const char *certFile,
- const char *keyFile,
- CSSM_ALGORITHMS keyAlg,
- CSSM_BOOL pemFormat, // of the file
- CSSM_KEYBLOB_FORMAT keyFormat, // of the key blob itself, NONE means
- // use default
- CSSM_BOOL verbose)
-{
- CSSM_DL_DB_HANDLE dlDbHand = {dlHand, 0};
- CSSM_RETURN crtn;
- CSSM_DATA keyDigest = {0, NULL};
- CSSM_DATA certData = {0, NULL};
- unsigned len;
-
- CSSM_CSP_HANDLE cspHand = cuCspStartup(CSSM_FALSE);
- if(cspHand == 0) {
- printf("***Error attaching to CSPDL. Aborting.\n");
- return CSSMERR_CSSM_ADDIN_LOAD_FAILED;
- }
-
- /*
- * 1. Open the (already existing) DB.
- */
- dlDbHand.DBHandle = cuDbStartupByName(dlHand,
- (char *)dbFileName, // bogus non-const prototype
- CSSM_FALSE, // do NOT create it
- CSSM_FALSE); // quiet
- if(dlDbHand.DBHandle == 0) {
- printf("Error opening %s. Aborting.\n", dbFileName);
- return CSSMERR_DL_DATASTORE_DOESNOT_EXIST;
- }
-
- /*
- * Import key to DB, snagging its key digest along the way.
- */
- crtn = importPrivateKey(dlDbHand, cspHand,
- keyFile, keyAlg, pemFormat, keyFormat,
- &keyDigest);
- if(crtn) {
- printf("***Error importing key %s. Aborting.\n", keyFile);
- goto errOut;
- }
-
- /*
- * Now the cert.
- */
- if(readFile(certFile, &certData.Data, &len)) {
- printf("***Error reading cert from %s. Aborting.\n", certFile);
- goto errOut;
- }
- certData.Length = len;
- crtn = cuAddCertToDb(dlDbHand, &certData,
- CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER,
- certFile, // printName
- &keyDigest);
- if(crtn == CSSMERR_DL_INVALID_RECORDTYPE) {
- /* virgin DB, no cert schema: add schema and retry */
- crtn = tpAddCertSchema(dlDbHand);
- if(crtn == CSSM_OK) {
- crtn = cuAddCertToDb(dlDbHand, &certData,
- CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER,
- certFile, // printName
- &keyDigest);
- }
- }
- if(crtn) {
- printf("***Error importing cert %s. Aborting.\n", certFile);
- }
-errOut:
- if(keyDigest.Data) {
- cuAppFree(keyDigest.Data, NULL);
- }
- if(dlDbHand.DBHandle) {
- CSSM_DL_DbClose(dlDbHand);
- }
- if(certData.Data) {
- free(certData.Data);
- }
- return crtn;
-}
projects / apple / security.git / blobdiff