X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/SecurityTests/cspxutils/utilLib/cspwrap.h diff --git a/SecurityTests/cspxutils/utilLib/cspwrap.h b/SecurityTests/cspxutils/utilLib/cspwrap.h new file mode 100644 index 00000000..73bb61cf --- /dev/null +++ b/SecurityTests/cspxutils/utilLib/cspwrap.h @@ -0,0 +1,454 @@ +/* Copyright (c) 1997,2003,2005-2006,2008 Apple Inc. + * + * cspwrap.h - wrappers to simplify access to CDSA + * + * Revision History + * ---------------- + * 3 May 2000 Doug Mitchell + * Ported to X/CDSA2. + * 12 Aug 1997 Doug Mitchell at Apple + * Created. + */ + +#ifndef _CSPWRAP_H_ +#define _CSPWRAP_H_ +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * Bug/feature workaround flags + */ + +/* + * Doing a WrapKey requires Access Creds, which should be + * optional. Looks like this is not a bug. + */ +#define WRAP_KEY_REQUIRES_CREDS 1 + +/* + * encrypt/decrypt - cook up a context handle + */ +CSSM_CC_HANDLE genCryptHandle(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_FEED, etc. + uint32 mode, // CSSM_ALGMODE_CBC, etc. - only for symmetric algs + CSSM_PADDING padding, // CSSM_PADDING_PKCS1, etc. + const CSSM_KEY *key0, + const CSSM_KEY *key1, // for CSSM_ALGID_FEED only - must be the + // public key + const CSSM_DATA *iv, // optional + uint32 effectiveKeySizeInBits, // 0 means skip this attribute + uint32 rounds); // ditto +/* + * Key generation + */ +/* + * Specifying a keySize of CSP_KEY_SIZE_DEFAULT results in using the default + * key size for the specified algorithm. + */ +#define CSP_KEY_SIZE_DEFAULT 0 + +/* symmetric key sizes in bits */ +#define CSP_ASC_KEY_SIZE_DEFAULT (16 * 8) +#define CSP_DES_KEY_SIZE_DEFAULT (8 * 8) +#define CSP_DES3_KEY_SIZE_DEFAULT (24 * 8) +#define CSP_RC2_KEY_SIZE_DEFAULT (10 * 8) +#define CSP_RC4_KEY_SIZE_DEFAULT (10 * 8) +#define CSP_RC5_KEY_SIZE_DEFAULT (10 * 8) +#define CSP_AES_KEY_SIZE_DEFAULT 128 +#define CSP_BFISH_KEY_SIZE_DEFAULT 128 +#define CSP_CAST_KEY_SIZE_DEFAULT 128 +#define CSP_IDEA_KEY_SIZE_DEFAULT 128 /* fixed */ +#define CSP_HMAC_SHA_KEY_SIZE_DEFAULT (20 * 8) +#define CSP_HMAC_MD5_KEY_SIZE_DEFAULT (16 * 8) +#define CSP_NULL_CRYPT_KEY_SIZE_DEF (16 * 8) + +/* asymmetric key sizes in bits */ +/* note: we now use AI_RSAStrongKeyGen for RSA key pair + * generate; this requires at least 512 bits and also that + * the key size be a multiple of 16. */ +#define CSP_FEE_KEY_SIZE_DEFAULT 128 +#define CSP_ECDSA_KEY_SIZE_DEFAULT 256 +#define CSP_RSA_KEY_SIZE_DEFAULT 1024 /* min for SHA512/RSA */ +#define CSP_DSA_KEY_SIZE_DEFAULT 512 + +/* + * Generate key pair of arbitrary algorithm. + */ +extern CSSM_RETURN cspGenKeyPair(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, + const char *keyLabel, + unsigned keyLabelLen, + uint32 keySizeInBits, + CSSM_KEY_PTR pubKey, // mallocd by caller + CSSM_BOOL pubIsRef, // true - reference key, false - data + uint32 pubKeyUsage, // CSSM_KEYUSE_ENCRYPT, etc. + CSSM_KEYBLOB_FORMAT pubFormat, // Optional. Specify 0 or CSSM_KEYBLOB_RAW_FORMAT_NONE + // to get the default format. + CSSM_KEY_PTR privKey, // mallocd by caller - always returned as ref + CSSM_BOOL privIsRef, // true - reference key, false - data + uint32 privKeyUsage, // CSSM_KEYUSE_DECRYPT, etc. + CSSM_KEYBLOB_FORMAT privFormat, // optional 0 ==> default + CSSM_BOOL genSeed); // FEE only. True: we generate seed and CSP + // will hash it. False: CSP generates random + // seed. + +/* + * Generate FEE key pair with optional primeType, curveType, and seed (password) data. + */ +extern CSSM_RETURN cspGenFEEKeyPair(CSSM_CSP_HANDLE cspHand, + const char *keyLabel, + unsigned keyLabelLen, + uint32 keySize, // in bits + uint32 primeType, // CSSM_FEE_PRIME_TYPE_MERSENNE, etc. + uint32 curveType, // CSSM_FEE_CURVE_TYPE_MONTGOMERY, etc. + CSSM_KEY_PTR pubKey, // mallocd by caller + CSSM_BOOL pubIsRef, // true - reference key, false - data + uint32 pubKeyUsage, // CSSM_KEYUSE_ENCRYPT, etc. + CSSM_KEYBLOB_FORMAT pubFormat, // Optional. Specify 0 or CSSM_KEYBLOB_RAW_FORMAT_NONE + // to get the default format. + CSSM_KEY_PTR privKey, // mallocd by caller + CSSM_BOOL privIsRef, // true - reference key, false - data + uint32 privKeyUsage, // CSSM_KEYUSE_DECRYPT, etc. + CSSM_KEYBLOB_FORMAT privFormat, // optional 0 ==> default + const CSSM_DATA *seedData); // Present: CSP will hash this for private data. + // NULL: CSP generates random seed. + +/* + * Generate DSA key pair with optional generateAlgParams. + */ +extern CSSM_RETURN cspGenDSAKeyPair(CSSM_CSP_HANDLE cspHand, + const char *keyLabel, + unsigned keyLabelLen, + uint32 keySize, // in bits + CSSM_KEY_PTR pubKey, // mallocd by caller + CSSM_BOOL pubIsRef, // true - reference key, false - data + uint32 pubKeyUsage, // CSSM_KEYUSE_ENCRYPT, etc. + CSSM_KEYBLOB_FORMAT pubFormat, // Optional. Specify 0 or CSSM_KEYBLOB_RAW_FORMAT_NONE + // to get the default format. + CSSM_KEY_PTR privKey, // mallocd by caller + CSSM_BOOL privIsRef, // true - reference key, false - data + uint32 privKeyUsage, // CSSM_KEYUSE_DECRYPT, etc. + CSSM_KEYBLOB_FORMAT privFormat, // Optional. Specify 0 or CSSM_KEYBLOB_RAW_FORMAT_NONE + // to get the default format. + CSSM_BOOL genParams, + CSSM_DATA_PTR paramData); // optional + +/* + * Create a symmetric key. + */ +extern CSSM_KEY_PTR cspGenSymKey(CSSM_CSP_HANDLE cspHand, + uint32 alg, + const char *keyLabel, + unsigned keyLabelLen, + uint32 keyUsage, // CSSM_KEYUSE_ENCRYPT, etc. + uint32 keySizeInBits, + CSSM_BOOL refKey); // true - reference key, false - data + +/* + * Derive symmetric key using PBE. + */ +CSSM_KEY_PTR cspDeriveKey(CSSM_CSP_HANDLE cspHand, + uint32 deriveAlg, // CSSM_ALGID_MD5_PBE, etc. + uint32 keyAlg, // CSSM_ALGID_RC5, etc. + const char *keyLabel, + unsigned keyLabelLen, + uint32 keyUsage, // CSSM_KEYUSE_ENCRYPT, etc. + uint32 keySizeInBits, + CSSM_BOOL isRefKey, + CSSM_DATA_PTR password, // in PKCS-5 lingo + CSSM_DATA_PTR salt, // ditto + uint32 iterationCnt, // ditto + CSSM_DATA_PTR initVector); // mallocd & RETURNED + +/* + * Encrypt/Decrypt - these work for both symmetric and asymmetric algorithms. + */ +CSSM_RETURN cspEncrypt(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_FEED, etc. + uint32 mode, // CSSM_ALGMODE_CBC, etc. - only for + // symmetric algs + CSSM_PADDING padding, // CSSM_PADDING_PKCS1, etc. + const CSSM_KEY *key, // public or session key + const CSSM_KEY *pubKey, // for CSSM_ALGID_{FEED,FEECFILE} only + uint32 effectiveKeySizeInBits, // 0 means skip this attribute + uint32 rounds, // ditto + const CSSM_DATA *iv, // init vector, optional + const CSSM_DATA *ptext, + CSSM_DATA_PTR ctext, // RETURNED + CSSM_BOOL mallocCtext); + +CSSM_RETURN cspStagedEncrypt(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_FEED, etc. + uint32 mode, // CSSM_ALGMODE_CBC, etc. - only for + // symmetric algs + CSSM_PADDING padding, // CSSM_PADDING_PKCS1, etc. + const CSSM_KEY *key, // public or session key + const CSSM_KEY *pubKey, // for CSSM_ALGID_{FEED,FEECFILE} only + uint32 effectiveKeySizeInBits, // 0 means skip this attribute + uint32 cipherBlockSize, // ditto, block size in bytes + uint32 rounds, // ditto + const CSSM_DATA *iv, // init vector, optional + const CSSM_DATA *ptext, + CSSM_DATA_PTR ctext, // RETURNED, we malloc + CSSM_BOOL multiUpdates); // false:single update, true:multi updates + +CSSM_RETURN cspDecrypt(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_FEED, etc. + uint32 mode, // CSSM_ALGMODE_CBC, etc. - only for + // symmetric algs + CSSM_PADDING padding, // CSSM_PADDING_PKCS1, etc. + const CSSM_KEY *key, // private or session key + const CSSM_KEY *pubKey, // for CSSM_ALGID_{FEED,FEECFILE} only + uint32 effectiveKeySizeInBits, // 0 means skip this attribute + uint32 rounds, // ditto + const CSSM_DATA *iv, // init vector, optional + const CSSM_DATA *ctext, + CSSM_DATA_PTR ptext, // RETURNED + CSSM_BOOL mallocPtext); + +CSSM_RETURN cspStagedDecrypt(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_FEED, etc. + uint32 mode, // CSSM_ALGMODE_CBC, etc. - only for + // symmetric algs + CSSM_PADDING padding, // CSSM_PADDING_PKCS1, etc. + const CSSM_KEY *key, // private or session key + const CSSM_KEY *pubKey, // for CSSM_ALGID_{FEED,FEECFILE} only + uint32 effectiveKeySizeInBits, // 0 means skip this attribute + uint32 cipherBlockSize, // ditto, block size in bytes + uint32 rounds, // ditto + const CSSM_DATA *iv, // init vector, optional + const CSSM_DATA *ctext, + CSSM_DATA_PTR ptext, // RETURNED, we malloc + CSSM_BOOL multiUpdates); // false:single update, true:multi updates + +/* + * Signature routines + */ +CSSM_RETURN cspSign(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_FEE_MD5, etc. + CSSM_KEY_PTR key, // private key + const CSSM_DATA *text, + CSSM_DATA_PTR sig); // RETURNED +CSSM_RETURN cspStagedSign(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_FEE_MD5, etc. + CSSM_KEY_PTR key, // private key + const CSSM_DATA *text, + CSSM_BOOL multiUpdates, // false:single update, true:multi updates + CSSM_DATA_PTR sig); // RETURNED +CSSM_RETURN cspSigVerify(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_FEE_MD5, etc. + CSSM_KEY_PTR key, // public key + const CSSM_DATA *text, + const CSSM_DATA *sig, + CSSM_RETURN expectResult); // expected result is verify failure + // CSSM_OK - expect success +CSSM_RETURN cspStagedSigVerify(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_FEE_MD5, etc. + CSSM_KEY_PTR key, // private key + const CSSM_DATA *text, + const CSSM_DATA *sig, + CSSM_BOOL multiUpdates, // false:single update, true:multi updates + CSSM_RETURN expectResult); // expected result is verify failure + // CSSM_OK - expect success + +/* + * MAC routines + */ +CSSM_RETURN cspGenMac(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_DES, etc. + CSSM_KEY_PTR key, // session key + const CSSM_DATA *text, + CSSM_DATA_PTR mac); // RETURNED +CSSM_RETURN cspStagedGenMac(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_FEE_MD5, etc. + CSSM_KEY_PTR key, // private key + const CSSM_DATA *text, + CSSM_BOOL mallocMac, // if true and digest->Length = 0, we'll + // malloc + CSSM_BOOL multiUpdates, // false:single update, true:multi updates + CSSM_DATA_PTR mac); // RETURNED +CSSM_RETURN cspMacVerify(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, + CSSM_KEY_PTR key, // public key + const CSSM_DATA *text, + const CSSM_DATA_PTR mac, + CSSM_RETURN expectResult); +CSSM_RETURN cspStagedMacVerify(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, + CSSM_KEY_PTR key, // private key + const CSSM_DATA *text, + const CSSM_DATA_PTR mac, + CSSM_BOOL multiUpdates, // false:single update, true:multi updates + CSSM_RETURN expectResult); + +/* + * Digest functions + */ +CSSM_RETURN cspDigest(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_MD5, etc. + CSSM_BOOL mallocDigest, // if true and digest->Length = 0, we'll malloc + const CSSM_DATA *text, + CSSM_DATA_PTR digest); +CSSM_RETURN cspStagedDigest(CSSM_CSP_HANDLE cspHand, + uint32 algorithm, // CSSM_ALGID_MD5, etc. + CSSM_BOOL mallocDigest, // if true and digest->Length = 0, we'll malloc + CSSM_BOOL multiUpdates, // false:single update, true:multi updates + const CSSM_DATA *text, + CSSM_DATA_PTR digest); +CSSM_RETURN cspFreeKey(CSSM_CSP_HANDLE cspHand, + CSSM_KEY_PTR key); + +/* + * Perform FEE Key exchange via CSSM_DeriveKey. + */ +CSSM_RETURN cspFeeKeyExchange(CSSM_CSP_HANDLE cspHand, + CSSM_KEY_PTR privKey, + CSSM_KEY_PTR pubKey, + CSSM_KEY_PTR derivedKey, // mallocd by caller + + /* remaining fields apply to derivedKey */ + uint32 keyAlg, + const char *keyLabel, + unsigned keyLabelLen, + uint32 keyUsage, // CSSM_KEYUSE_ENCRYPT, etc. + uint32 keySizeInBits); + +/* + * wrap/unwrap key functions. + */ +CSSM_RETURN cspWrapKey(CSSM_CSP_HANDLE cspHand, + const CSSM_KEY *unwrappedKey, + const CSSM_KEY *wrappingKey, + CSSM_ALGORITHMS wrapAlg, + CSSM_ENCRYPT_MODE wrapMode, + CSSM_KEYBLOB_FORMAT wrapFormat, // NONE, PKCS7, PKCS8 + CSSM_PADDING wrapPad, + CSSM_DATA_PTR initVector, // for some wrapping algs + CSSM_DATA_PTR descrData, // optional + CSSM_KEY_PTR wrappedKey); // RETURNED +CSSM_RETURN cspUnwrapKey(CSSM_CSP_HANDLE cspHand, + const CSSM_KEY *wrappedKey, + const CSSM_KEY *unwrappingKey, + CSSM_ALGORITHMS unwrapAlg, + CSSM_ENCRYPT_MODE unwrapMode, + CSSM_PADDING unwrapPad, + CSSM_DATA_PTR initVector, // for some wrapping algs + CSSM_KEY_PTR unwrappedKey, // RETURNED + CSSM_DATA_PTR descrData, // required + const char *keyLabel, + unsigned keyLabelLen); + +/* generate a random and reasonable key size in bits for specified CSSM algorithm */ +typedef enum { + OT_Sign, + OT_Encrypt, + OT_KeyExch +} opType; + +#define MAX_KEY_SIZE_RC245_BYTES 64 /* max bytes, RC2, RC4, RC5 */ + +uint32 randKeySizeBits(uint32 alg, opType op); +uint32 cspDefaultKeySize(uint32 alg); + +/* + * Generate random key size, primeType, curveType for FEE key for specified op. + */ +void randFeeKeyParams( + CSSM_ALGORITHMS alg, // ALGID_FEED, CSSM_ALGID_FEE_MD5, etc. + uint32 *keySizeInBits, // RETURNED + uint32 *primeType, // CSSM_FEE_PRIME_TYPE_xxx, RETURNED + uint32 *curveType); // CSSM_FEE_CURVE_TYPE_xxx, RETURNED + +/* + * Obtain strings for primeType and curveType. + */ +const char *primeTypeStr(uint32 primeType); +const char *curveTypeStr(uint32 curveType); + +/* + * Given any key in either blob or reference format, + * obtain the associated SHA-1 hash. + */ +CSSM_RETURN cspKeyHash( + CSSM_CSP_HANDLE cspHand, + const CSSM_KEY_PTR key, /* public key */ + CSSM_DATA_PTR *hashData); /* hash mallocd and RETURNED here */ + +/* wrap ref key --> raw key */ +CSSM_RETURN cspRefKeyToRaw( + CSSM_CSP_HANDLE cspHand, + const CSSM_KEY *refKey, + CSSM_KEY_PTR rawKey); // init'd and RETURNED + +/* + * Convert ref key to raw key with specified format. + */ +CSSM_RETURN cspRefKeyToRawWithFormat( + CSSM_CSP_HANDLE cspHand, + const CSSM_KEY *refKey, + CSSM_KEYBLOB_FORMAT format, + CSSM_KEY_PTR rawKey); // init'd and RETURNED + +/* unwrap raw key --> ref */ +CSSM_RETURN cspRawKeyToRef( + CSSM_CSP_HANDLE cspHand, + const CSSM_KEY *rawKey, + CSSM_KEY_PTR refKey); // init'd and RETURNED + +/* + * Cook up a symmetric key with specified key bits and other + * params. Currently the CSPDL can only deal with reference keys except when + * doing wrap/unwrap, so we manually cook up a raw key, then we null-unwrap it. + */ +CSSM_RETURN cspGenSymKeyWithBits( + CSSM_CSP_HANDLE cspHand, + CSSM_ALGORITHMS keyAlg, + CSSM_KEYUSE keyUsage, + const CSSM_DATA *keyBits, + unsigned keySizeInBytes, + CSSM_KEY_PTR refKey); // init'd and RETURNED + +/* + * Add a DL/DB handle to a crypto context. + */ +CSSM_RETURN cspAddDlDbToContext( + CSSM_CC_HANDLE ccHand, + CSSM_DL_HANDLE dlHand, + CSSM_DB_HANDLE dbHand); + +/* + * Look up a key by label and type. + */ +typedef enum { + CKT_Public = 1, + CKT_Private = 2, + CKT_Session = 3 + /* any others? */ +} CT_KeyType; + +CSSM_KEY_PTR cspLookUpKeyByLabel( + CSSM_DL_HANDLE dlHand, + CSSM_DB_HANDLE dbHand, + const CSSM_DATA *labelData, + CT_KeyType keyType); + +/* + * Delete and free a key + */ +CSSM_RETURN cspDeleteKey( + CSSM_CSP_HANDLE cspHand, // for free + CSSM_DL_HANDLE dlHand, // for delete + CSSM_DB_HANDLE dbHand, // ditto + const CSSM_DATA *labelData, + CSSM_KEY_PTR key); + +// temp hack +#define CSSM_ALGID_FEECFILE (CSSM_ALGID_VENDOR_DEFINED + 102) + +#ifdef __cplusplus +} +#endif +#endif /* _CSPWRAP_H_ */