+++ /dev/null
-/*
- * pubKeyTool.cpp - calculate public key hash of arbitrary keys and certs; derive
- * public key from a private key or a cert.
- */
-
-#include <stdlib.h>
-#include <strings.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <Security/Security.h>
-#include <security_cdsa_utils/cuFileIo.h>
-#include <security_cdsa_utils/cuCdsaUtils.h>
-#include "cspwrap.h"
-#include "common.h"
-
-static void usage(char **argv)
-{
- printf("usage: %s [options]\n", argv[0]);
- printf("Options:\n");
- printf(" -k priv_key_file -- private key file to read\n");
- printf(" -b pub_key_file -- public key file to read\n");
- printf(" -c cert_file -- cert file to read\n");
- printf(" -d -- print public key digest\n");
- printf(" -o out_file -- write public key to out_file\n");
- printf(" -f pkcs1|pkcs8|x509 -- input key format\n");
- printf(" -- default is PKCS8 for private key, PKCS1 for"
- " public\n");
- printf(" -K keychain -- import pub key to this keychain; workaround "
- "for Radar 4191851)\n");
- exit(1);
-}
-
-/* Convert raw key blob into a respectable CSSM_KEY. */
-static CSSM_RETURN inferCssmKey(
- const CSSM_DATA &keyBlob,
- bool isPrivKey,
- CSSM_KEYBLOB_FORMAT keyForm,
- CSSM_CSP_HANDLE cspHand,
- CSSM_KEY &outKey)
-{
- memset(&outKey, 0, sizeof(CSSM_KEY));
- outKey.KeyData = keyBlob;
- CSSM_KEYHEADER &hdr = outKey.KeyHeader;
- hdr.HeaderVersion = CSSM_KEYHEADER_VERSION;
- /* CspId blank */
- hdr.BlobType = CSSM_KEYBLOB_RAW;
- hdr.AlgorithmId = CSSM_ALGID_RSA;
- hdr.KeyAttr = CSSM_KEYATTR_EXTRACTABLE;
- hdr.Format = keyForm;
- hdr.KeyClass = isPrivKey ? CSSM_KEYCLASS_PRIVATE_KEY : CSSM_KEYCLASS_PUBLIC_KEY;
- hdr.KeyUsage = CSSM_KEYUSE_ANY;
- hdr.WrapAlgorithmId = CSSM_ALGID_NONE;
- hdr.WrapMode = CSSM_ALGMODE_NONE;
- /*
- * LogicalKeySizeInBits - ask the CSP
- */
- CSSM_KEY_SIZE keySize;
- CSSM_RETURN crtn;
- crtn = CSSM_QueryKeySizeInBits(cspHand, CSSM_INVALID_HANDLE, &outKey,
- &keySize);
- if(crtn) {
- cssmPerror("CSSM_QueryKeySizeInBits", crtn);
- return crtn;
- }
- hdr.LogicalKeySizeInBits = keySize.LogicalKeySizeInBits;
- return CSSM_OK;
-}
-
-/*
- * Given any key in either blob or reference format,
- * obtain the associated public key's SHA-1 hash.
- */
-static CSSM_RETURN keyDigest(
- CSSM_CSP_HANDLE cspHand,
- const CSSM_KEY *key,
- CSSM_DATA_PTR *hashData) /* struct and contents cuAppMalloc'd and RETURNED */
-{
- CSSM_CC_HANDLE ccHand;
- CSSM_RETURN crtn;
- CSSM_DATA_PTR dp;
-
- *hashData = NULL;
-
- /* validate input params */
- if((key == NULL) ||
- (hashData == NULL)) {
- printf("keyHash: bogus args\n");
- return CSSMERR_CSSM_INTERNAL_ERROR;
- }
-
- /* cook up a context for a passthrough op */
- crtn = CSSM_CSP_CreatePassThroughContext(cspHand,
- key,
- &ccHand);
- if(ccHand == 0) {
- cssmPerror("CSSM_CSP_CreatePassThroughContext", crtn);
- return crtn;
- }
-
- /* now it's up to the CSP */
- crtn = CSSM_CSP_PassThrough(ccHand,
- CSSM_APPLECSP_KEYDIGEST,
- NULL,
- (void **)&dp);
- if(crtn) {
- cssmPerror("CSSM_CSP_PassThrough(KEYDIGEST)", crtn);
- }
- else {
- *hashData = dp;
- crtn = CSSM_OK;
- }
- CSSM_DeleteContext(ccHand);
- return crtn;
-}
-
-/*
- * Here's a tricky one. Given a private key, obtain the correspoding public key.
- * This uses a private key blob format that's used internally in the CSP
- * to generate key digests.
- */
-
-/*
- * this magic const copied from BinaryKey.h
- */
-#define CSSM_KEYBLOB_RAW_FORMAT_DIGEST \
- (CSSM_KEYBLOB_RAW_FORMAT_VENDOR_DEFINED + 0x12345)
-
-static CSSM_RETURN pubKeyFromPrivKey(
- CSSM_CSP_HANDLE cspHand,
- const CSSM_KEY *privKey, // assumed to be raw format
- CSSM_KEY *pubKey)
-{
- /* first convert to reference key */
- CSSM_KEY refKey;
- CSSM_RETURN crtn;
- crtn = cspRawKeyToRef(cspHand, privKey, &refKey);
- if(crtn) {
- return crtn;
- }
-
- /* now a NULL wrap with the magic format attribute */
- CSSM_CC_HANDLE ccHand;
- CSSM_ACCESS_CREDENTIALS creds;
- CSSM_DATA descData = {0, 0};
-
- crtn = CSSM_CSP_CreateSymmetricContext(cspHand,
- CSSM_ALGID_NONE,
- CSSM_ALGMODE_NONE,
- NULL, // passPhrase,
- NULL, // key
- NULL, // initVector,
- CSSM_PADDING_NONE,
- NULL, // Reserved
- &ccHand);
- if(crtn) {
- cssmPerror("CSSM_CSP_CreateSymmetricContext", crtn);
- return crtn;
- }
- crtn = AddContextAttribute(ccHand,
- /*
- * The output of the WrapKey is a private key as far as the CSP is
- * concerned, at the level that this attribute is used anyway....
- */
- CSSM_ATTRIBUTE_PRIVATE_KEY_FORMAT,
- sizeof(uint32),
- CAT_Uint32,
- NULL,
- CSSM_KEYBLOB_RAW_FORMAT_DIGEST);
- if(crtn) {
- cssmPerror("CSSM_CSP_CreateSymmetricContext", crtn);
- goto errOut;
- }
- memset(pubKey, 0, sizeof(CSSM_KEY));
- memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
- crtn = CSSM_WrapKey(ccHand,
- &creds,
- &refKey,
- &descData,
- pubKey);
- if(crtn) {
- cssmPerror("CSSM_WrapKey", crtn);
- goto errOut;
- }
-
- /* now: presto chango - don't do this at home! */
- pubKey->KeyHeader.KeyClass = CSSM_KEYCLASS_PUBLIC_KEY;
-errOut:
- CSSM_FreeKey(cspHand, NULL, &refKey, CSSM_FALSE);
- CSSM_DeleteContext(ccHand);
- return crtn;
-}
-
-/*
- * Import a key into a DLDB.
- */
-static CSSM_RETURN importToDlDb(
- CSSM_CSP_HANDLE cspHand,
- CSSM_DL_DB_HANDLE_PTR dlDbHand,
- const CSSM_KEY *rawPubKey,
- CSSM_DATA_PTR labelData,
- CSSM_KEY_PTR importedKey)
-{
- CSSM_CC_HANDLE ccHand = 0;
- CSSM_RETURN crtn;
- uint32 keyAttr;
- CSSM_ACCESS_CREDENTIALS creds;
- CSSM_CONTEXT_ATTRIBUTE newAttr;
- CSSM_DATA descData = {0, 0};
-
- memset(importedKey, 0, sizeof(CSSM_KEY));
- memset(&creds, 0, sizeof(CSSM_ACCESS_CREDENTIALS));
- crtn = CSSM_CSP_CreateSymmetricContext(cspHand,
- CSSM_ALGID_NONE,
- CSSM_ALGMODE_NONE,
- &creds,
- NULL, // unwrappingKey
- NULL, // initVector
- CSSM_PADDING_NONE,
- 0, // Params
- &ccHand);
- if(crtn) {
- cssmPerror("CSSM_CSP_CreateSymmetricContext", crtn);
- return crtn;
- }
- keyAttr = CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_PERMANENT;
-
- /* Add DLDB to context */
- newAttr.AttributeType = CSSM_ATTRIBUTE_DL_DB_HANDLE;
- newAttr.AttributeLength = sizeof(CSSM_ATTRIBUTE_DL_DB_HANDLE);
- newAttr.Attribute.Data = (CSSM_DATA_PTR)dlDbHand;
- crtn = CSSM_UpdateContextAttributes(ccHand, 1, &newAttr);
- if(crtn) {
- cssmPerror("CSSM_UpdateContextAttributes", crtn);
- goto errOut;
- }
-
- /* import */
- crtn = CSSM_UnwrapKey(ccHand,
- NULL, // PublicKey
- rawPubKey,
- CSSM_KEYUSE_ANY,
- keyAttr,
- labelData,
- NULL, // CredAndAclEntry
- importedKey,
- &descData); // required
- if(crtn) {
- cssmPerror("CSSM_UnwrapKey", crtn);
- }
-errOut:
- if(ccHand) {
- CSSM_DeleteContext(ccHand);
- }
- return crtn;
-}
-
-/*
- * Free memory via specified plugin's app-level allocator
- */
-void impExpFreeCssmMemory(
- CSSM_HANDLE hand,
- void *p)
-{
- CSSM_API_MEMORY_FUNCS memFuncs;
- CSSM_RETURN crtn = CSSM_GetAPIMemoryFunctions(hand, &memFuncs);
- if(crtn) {
- return;
- }
- memFuncs.free_func(p, memFuncs.AllocRef);
-}
-
-/*
- * Key attrribute names and values.
- *
- * This is where the public key hash goes.
- */
-#define SEC_KEY_HASH_ATTR_NAME "Label"
-
-/*
- * This is where the publicly visible name goes.
- */
-#define SEC_KEY_PRINT_NAME_ATTR_NAME "PrintName"
-
-/*
- * Look up public key by label
- * Set label to new specified label (SHA1 digest)
- * Set print name to new specified user-visible name
- */
-static CSSM_RETURN setPubKeyLabel(
- CSSM_CSP_HANDLE cspHand, // where the key lives
- CSSM_DL_DB_HANDLE *dlDbHand, // ditto
- const CSSM_DATA *existKeyLabel, // existing label, a random string, for lookup
- const CSSM_DATA *keyDigest, // SHA1 digest, the new label
- const CSSM_DATA *newPrintName) // new user-visible name
-{
- CSSM_QUERY query;
- CSSM_SELECTION_PREDICATE predicate;
- CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
- CSSM_RETURN crtn;
- CSSM_HANDLE resultHand = 0;
-
- /*
- * Look up the key in the DL.
- */
- query.RecordType = CSSM_DL_DB_RECORD_PUBLIC_KEY;
- query.Conjunctive = CSSM_DB_NONE;
- query.NumSelectionPredicates = 1;
- predicate.DbOperator = CSSM_DB_EQUAL;
-
- predicate.Attribute.Info.AttributeNameFormat =
- CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- predicate.Attribute.Info.Label.AttributeName = (char *)"Label";
- predicate.Attribute.Info.AttributeFormat =
- CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- /* hope this cast is OK */
- predicate.Attribute.Value = (CSSM_DATA_PTR)existKeyLabel;
- query.SelectionPredicate = &predicate;
-
- query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
- query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
- query.QueryFlags = 0; // CSSM_QUERY_RETURN_DATA; // FIXME - used?
-
- /* build Record attribute with two attrs */
- CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
- CSSM_DB_ATTRIBUTE_DATA attr[2];
-
- attr[0].Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr[0].Info.Label.AttributeName = (char *)SEC_KEY_HASH_ATTR_NAME;
- attr[0].Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
- attr[1].Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
- attr[1].Info.Label.AttributeName = (char *)SEC_KEY_PRINT_NAME_ATTR_NAME;
- attr[1].Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
-
- recordAttrs.DataRecordType = CSSM_DL_DB_RECORD_PUBLIC_KEY;
- recordAttrs.NumberOfAttributes = 2;
- recordAttrs.AttributeData = attr;
-
- crtn = CSSM_DL_DataGetFirst(*dlDbHand,
- &query,
- &resultHand,
- &recordAttrs,
- NULL, // theData
- &record);
- /* abort only on success */
- if(crtn != CSSM_OK) {
- cssmPerror("CSSM_DL_DataGetFirst", crtn);
- goto errOut;
- }
-
- /*
- * Update existing attr data.
- * NOTE: the module which allocated this attribute data - a DL -
- * was loaded and attached by the keychain layer, not by us. Thus
- * we can't use the memory allocator functions *we* used when
- * attaching to the CSP - we have to use the ones
- * which the client registered with the DL.
- */
- impExpFreeCssmMemory(dlDbHand->DLHandle, attr[0].Value->Data);
- impExpFreeCssmMemory(dlDbHand->DLHandle, attr[0].Value);
- impExpFreeCssmMemory(dlDbHand->DLHandle, attr[1].Value->Data);
- impExpFreeCssmMemory(dlDbHand->DLHandle, attr[1].Value);
- attr[0].Value = const_cast<CSSM_DATA *>(keyDigest);
- attr[1].Value = const_cast<CSSM_DATA *>(newPrintName);
-
- crtn = CSSM_DL_DataModify(*dlDbHand,
- CSSM_DL_DB_RECORD_PUBLIC_KEY,
- record,
- &recordAttrs,
- NULL, // DataToBeModified
- CSSM_DB_MODIFY_ATTRIBUTE_REPLACE);
- if(crtn) {
- cssmPerror("CSSM_DL_DataModify", crtn);
- }
-errOut:
- /* free resources */
- if(resultHand) {
- CSSM_DL_DataAbortQuery(*dlDbHand, resultHand);
- }
- if(record) {
- CSSM_DL_FreeUniqueRecord(*dlDbHand, record);
- }
- return crtn;
-}
-
-#define SHA1_LABEL_LEN 20
-#define IMPORTED_KEY_NAME "Imported Public Key"
-
-/*
- * Import a public key into a keychain, with proper Label attribute setting.
- * A workaround for Radar 4191851.
- */
-static int pubKeyImport(
- const char *kcName,
- const CSSM_KEY *pubKey,
- CSSM_CSP_HANDLE rawCspHand) /* raw CSP handle for calculating digest */
-{
- CSSM_CSP_HANDLE cspHand;
- CSSM_DL_DB_HANDLE dlDbHand;
- OSStatus ortn;
- CSSM_RETURN crtn;
- SecKeychainRef kcRef = NULL;
- int ourRtn = 0;
- CSSM_DATA_PTR digest = NULL;
- CSSM_KEY importedKey;
- CSSM_DATA newPrintName =
- { (uint32)strlen(IMPORTED_KEY_NAME), (uint8 *)IMPORTED_KEY_NAME};
-
- /* NULL unwrap stuff */
- uint8 tempLabel[SHA1_LABEL_LEN];
- CSSM_DATA labelData = {SHA1_LABEL_LEN, tempLabel};
-
- ortn = SecKeychainOpen(kcName, &kcRef);
- if(ortn) {
- cssmPerror("SecKeychainOpen", ortn);
- return -1;
- }
- /* subsequent errors to errOut: */
-
- /* Get CSSM handles */
- ortn = SecKeychainGetCSPHandle(kcRef, &cspHand);
- if(ortn) {
- cssmPerror("SecKeychainGetCSPHandle", ortn);
- ourRtn = -1;
- goto errOut;
- }
- ortn = SecKeychainGetDLDBHandle(kcRef, &dlDbHand);
- if(ortn) {
- cssmPerror("SecKeychainGetCSPHandle", ortn);
- ourRtn = -1;
- goto errOut;
- }
-
- /* public key hash from raw CSP */
- crtn = keyDigest(rawCspHand, pubKey, &digest);
- if(crtn) {
- ourRtn = -1;
- goto errOut;
- }
-
- /* random label for initial storage and later retrieval */
- appGetRandomBytes(tempLabel, SHA1_LABEL_LEN);
-
- /* import the key into the keychain's DLDB */
- memset(&importedKey, 0, sizeof(CSSM_KEY));
- crtn = importToDlDb(cspHand, &dlDbHand, pubKey, &labelData, &importedKey);
- if(crtn) {
- ourRtn = -1;
- goto errOut;
- }
-
- /* don't need this */
- CSSM_FreeKey(cspHand, NULL, &importedKey, CSSM_FALSE);
-
- /* update the label and printName attributes */
- crtn = setPubKeyLabel(cspHand, &dlDbHand, &labelData, digest, &newPrintName);
- if(crtn) {
- ourRtn = -1;
- }
-errOut:
- CFRelease(kcRef);
- if(digest) {
- APP_FREE(digest->Data);
- APP_FREE(digest);
- }
- return ourRtn;
-}
-
-int main(int argc, char **argv)
-{
- char *privKeyFile = NULL;
- char *pubKeyFile = NULL;
- char *certFile = NULL;
- char *outFile = NULL;
- bool printDigest = false;
- CSSM_KEYBLOB_FORMAT keyForm = CSSM_KEYBLOB_RAW_FORMAT_NONE;
- char *kcName = NULL;
-
- if(argc < 3) {
- usage(argv);
- }
- extern char *optarg;
- int arg;
- while ((arg = getopt(argc, argv, "k:b:c:do:f:K:h")) != -1) {
- switch (arg) {
- case 'k':
- privKeyFile = optarg;
- break;
- case 'b':
- pubKeyFile = optarg;
- break;
- case 'c':
- certFile = optarg;
- break;
- case 'd':
- printDigest = true;
- break;
- case 'o':
- outFile = optarg;
- break;
- case 'f':
- if(!strcmp("pkcs1", optarg)) {
- keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS1;
- }
- else if(!strcmp("pkcs8", optarg)) {
- keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS8;
- }
- else if(!strcmp("x509", optarg)) {
- keyForm = CSSM_KEYBLOB_RAW_FORMAT_X509;
- }
- break;
- case 'K':
- kcName = optarg;
- break;
- case 'h':
- usage(argv);
- }
- }
- if(optind != argc) {
- usage(argv);
- }
-
- CSSM_DATA privKeyBlob = {0, NULL};
- CSSM_DATA pubKeyBlob = {0, NULL};
- CSSM_KEY thePrivKey; // constructed
- CSSM_KEY thePubKey; // null-wrapped
- CSSM_KEY_PTR pubKey = NULL;
- CSSM_KEY_PTR privKey = NULL;
- CSSM_RETURN crtn;
- CSSM_CL_HANDLE clHand = 0;
- CSSM_CSP_HANDLE cspHand = cuCspStartup(CSSM_TRUE);
-
- /* gather input */
- if(privKeyFile) {
- /* key blob from a file ==> a private CSSM_KEY */
-
- if(pubKeyFile || certFile) {
- printf("****Specify exactly one of {cert_file, priv_key_file, "
- "pub_key_file}.\n");
- exit(1);
- }
- unsigned len;
- if(readFile(privKeyFile, &privKeyBlob.Data, &len)) {
- printf("***Error reading private key from %s. Aborting.\n", privKeyFile);
- exit(1);
- }
- privKeyBlob.Length = len;
- if(keyForm == CSSM_KEYBLOB_RAW_FORMAT_NONE) {
- /* default for private keys */
- keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS8;
- }
- crtn = inferCssmKey(privKeyBlob, true, keyForm, cspHand, thePrivKey);
- if(crtn) {
- goto errOut;
- }
- privKey = &thePrivKey;
- }
- if(pubKeyFile) {
- /* key blob from a file ==> a public CSSM_KEY */
-
- if(privKeyFile || certFile) {
- printf("****Specify exactly one of {cert_file, priv_key_file, "
- "pub_key_file}.\n");
- exit(1);
- }
-
- unsigned len;
- if(readFile(pubKeyFile, &pubKeyBlob.Data, &len)) {
- printf("***Error reading public key from %s. Aborting.\n", pubKeyFile);
- exit(1);
- }
- pubKeyBlob.Length = len;
- if(keyForm == CSSM_KEYBLOB_RAW_FORMAT_NONE) {
- /* default for public keys */
- keyForm = CSSM_KEYBLOB_RAW_FORMAT_PKCS1;
- }
- crtn = inferCssmKey(pubKeyBlob, false, keyForm, cspHand, thePubKey);
- if(crtn) {
- goto errOut;
- }
- pubKey = &thePubKey;
- }
- if(certFile) {
- /* cert from a file ==> a public CSSM_KEY */
-
- if(privKeyFile || pubKeyFile) {
- printf("****Specify exactly one of {cert_file, priv_key_file, "
- "pub_key_file}.\n");
- exit(1);
- }
-
- CSSM_DATA certData = {0, NULL};
- unsigned len;
- if(readFile(certFile, &certData.Data, &len)) {
- printf("***Error reading cert from %s. Aborting.\n", certFile);
- exit(1);
- }
- certData.Length = len;
-
- /* Extract public key - that's what we will be using later */
- clHand = cuClStartup();
- crtn = CSSM_CL_CertGetKeyInfo(clHand, &certData, &pubKey);
- if(crtn) {
- cssmPerror("CSSM_CL_CertGetKeyInfo", crtn);
- goto errOut;
- }
- }
-
- /* now do something useful */
- if(printDigest) {
- CSSM_KEY_PTR theKey = privKey;
- if(theKey == NULL) {
- /* maybe we got public key from a cert */
- theKey = pubKey;
- }
- if(theKey == NULL) {
- printf("***Can't calculate digest because I don't have a key or a clue.\n");
- goto errOut;
- }
- CSSM_DATA_PTR dig = NULL;
- crtn = keyDigest(cspHand, theKey, &dig);
- if(crtn) {
- printf("Sorry, can't get the digest for this key.\n");
- goto errOut;
- }
- if((dig == NULL) || (dig->Length == 0)) {
- printf("Screwup calculating digest.\n");
- goto errOut;
- }
- printf("Key Digest:\n");
- for(unsigned dex=0; dex<dig->Length; dex++) {
- printf("%02X ", dig->Data[dex]);
- }
- printf("\n");
- APP_FREE(dig->Data);
- APP_FREE(dig);
- }
-
- if(outFile || kcName) {
- /* get a public key if we don't already have one */
- if(pubKey == NULL) {
- if(privKey == NULL) {
- printf("***PubKey file name specified but no privKey or cert. "
- "Aborting.\n");
- goto errOut;
- }
- crtn = pubKeyFromPrivKey(cspHand, privKey, &thePubKey);
- if(crtn) {
- goto errOut;
- }
- pubKey = &thePubKey;
- }
- }
- if(outFile) {
- if(writeFile(outFile, pubKey->KeyData.Data, pubKey->KeyData.Length)) {
- printf("***Error writing to %s.\n", outFile);
- }
- else {
- printf("...%lu bytes written to %s.\n", pubKey->KeyData.Length, outFile);
- }
- }
- if(kcName) {
- if(pubKeyImport(kcName, pubKey, cspHand) == 0) {
- printf("....public key %s imported to %s\n", pubKeyFile, kcName);
- }
- else {
- printf("***Error importing public key %s to %s\n", pubKeyFile, kcName);
- }
- }
-errOut:
- /* clean up here if you must */
- return 0;
-}
projects / apple / security.git / blobdiff