Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ |
Davide Pesavento | def60f1 | 2017-09-17 17:26:07 -0400 | [diff] [blame] | 2 | /* |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 3 | * Copyright (c) 2013-2018 Regents of the University of California. |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 4 | * |
| 5 | * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). |
| 6 | * |
| 7 | * ndn-cxx library is free software: you can redistribute it and/or modify it under the |
| 8 | * terms of the GNU Lesser General Public License as published by the Free Software |
| 9 | * Foundation, either version 3 of the License, or (at your option) any later version. |
| 10 | * |
| 11 | * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY |
| 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A |
| 13 | * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. |
| 14 | * |
| 15 | * You should have received copies of the GNU General Public License and GNU Lesser |
| 16 | * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see |
| 17 | * <http://www.gnu.org/licenses/>. |
| 18 | * |
| 19 | * See AUTHORS.md for complete list of ndn-cxx authors and contributors. |
| 20 | */ |
| 21 | |
| 22 | #include "back-end-osx.hpp" |
| 23 | #include "key-handle-osx.hpp" |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 24 | #include "tpm.hpp" |
Davide Pesavento | ff3bf2c | 2017-10-05 00:14:27 -0400 | [diff] [blame] | 25 | #include "../transform/private-key.hpp" |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 26 | #include "../../encoding/buffer-stream.hpp" |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 27 | #include "../../util/cf-string-osx.hpp" |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 28 | |
Davide Pesavento | ff3bf2c | 2017-10-05 00:14:27 -0400 | [diff] [blame] | 29 | #include <Security/Security.h> |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 30 | #include <cstring> |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 31 | |
| 32 | namespace ndn { |
| 33 | namespace security { |
| 34 | namespace tpm { |
| 35 | |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 36 | namespace cfstring = util::cfstring; |
Junxiao Shi | 0b1b467 | 2017-07-02 22:02:31 -0700 | [diff] [blame] | 37 | using util::CFReleaser; |
| 38 | |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 39 | class BackEndOsx::Impl |
| 40 | { |
| 41 | public: |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 42 | SecKeychainRef keyChainRef; |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 43 | bool isTerminalMode = false; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 44 | }; |
| 45 | |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 46 | static CFReleaser<CFDataRef> |
| 47 | makeCFDataNoCopy(const uint8_t* buf, size_t buflen) |
| 48 | { |
| 49 | return CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, buf, buflen, kCFAllocatorNull); |
| 50 | } |
| 51 | |
| 52 | static CFReleaser<CFMutableDictionaryRef> |
| 53 | makeCFMutableDictionary() |
| 54 | { |
| 55 | return CFDictionaryCreateMutable(kCFAllocatorDefault, 0, |
| 56 | &kCFTypeDictionaryKeyCallBacks, |
| 57 | &kCFTypeDictionaryValueCallBacks); |
| 58 | } |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 59 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 60 | static std::string |
| 61 | getErrorMessage(OSStatus status) |
| 62 | { |
| 63 | CFReleaser<CFStringRef> msg = SecCopyErrorMessageString(status, nullptr); |
| 64 | if (msg != nullptr) |
| 65 | return cfstring::toStdString(msg.get()); |
| 66 | else |
| 67 | return "<no error message>"; |
| 68 | } |
| 69 | |
| 70 | static std::string |
| 71 | getFailureReason(CFErrorRef err) |
| 72 | { |
| 73 | CFReleaser<CFStringRef> reason = CFErrorCopyFailureReason(err); |
| 74 | if (reason != nullptr) |
| 75 | return cfstring::toStdString(reason.get()); |
| 76 | else |
| 77 | return "<unknown reason>"; |
| 78 | } |
| 79 | |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 80 | static CFTypeRef |
| 81 | getAsymKeyType(KeyType keyType) |
| 82 | { |
| 83 | switch (keyType) { |
| 84 | case KeyType::RSA: |
| 85 | return kSecAttrKeyTypeRSA; |
| 86 | case KeyType::EC: |
| 87 | return kSecAttrKeyTypeECDSA; |
| 88 | default: |
| 89 | BOOST_THROW_EXCEPTION(Tpm::Error("Unsupported key type")); |
| 90 | } |
| 91 | } |
| 92 | |
| 93 | static CFTypeRef |
| 94 | getDigestAlgorithm(DigestAlgorithm digestAlgo) |
| 95 | { |
| 96 | switch (digestAlgo) { |
Davide Pesavento | def60f1 | 2017-09-17 17:26:07 -0400 | [diff] [blame] | 97 | case DigestAlgorithm::SHA224: |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 98 | case DigestAlgorithm::SHA256: |
Davide Pesavento | def60f1 | 2017-09-17 17:26:07 -0400 | [diff] [blame] | 99 | case DigestAlgorithm::SHA384: |
| 100 | case DigestAlgorithm::SHA512: |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 101 | return kSecDigestSHA2; |
| 102 | default: |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 103 | return nullptr; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 104 | } |
| 105 | } |
| 106 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 107 | static int |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 108 | getDigestSize(DigestAlgorithm digestAlgo) |
| 109 | { |
| 110 | switch (digestAlgo) { |
Davide Pesavento | def60f1 | 2017-09-17 17:26:07 -0400 | [diff] [blame] | 111 | case DigestAlgorithm::SHA224: |
| 112 | return 224; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 113 | case DigestAlgorithm::SHA256: |
| 114 | return 256; |
Davide Pesavento | def60f1 | 2017-09-17 17:26:07 -0400 | [diff] [blame] | 115 | case DigestAlgorithm::SHA384: |
| 116 | return 384; |
| 117 | case DigestAlgorithm::SHA512: |
| 118 | return 512; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 119 | default: |
| 120 | return -1; |
| 121 | } |
| 122 | } |
| 123 | |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 124 | /** |
| 125 | * @brief Get reference to private key with name @p keyName. |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 126 | */ |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 127 | static KeyRefOsx |
| 128 | getKeyRef(const Name& keyName) |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 129 | { |
| 130 | auto keyLabel = cfstring::fromStdString(keyName.toUri()); |
| 131 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 132 | auto query = makeCFMutableDictionary(); |
| 133 | CFDictionaryAddValue(query.get(), kSecClass, kSecClassKey); |
| 134 | CFDictionaryAddValue(query.get(), kSecAttrKeyClass, kSecAttrKeyClassPrivate); |
| 135 | CFDictionaryAddValue(query.get(), kSecAttrLabel, keyLabel.get()); |
| 136 | CFDictionaryAddValue(query.get(), kSecReturnRef, kCFBooleanTrue); |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 137 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 138 | KeyRefOsx keyRef; |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 139 | // C-style cast is used as per Apple convention |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 140 | OSStatus res = SecItemCopyMatching(query.get(), (CFTypeRef*)&keyRef.get()); |
| 141 | keyRef.retain(); |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 142 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 143 | if (res == errSecSuccess) { |
| 144 | return keyRef; |
| 145 | } |
| 146 | else if (res == errSecItemNotFound) { |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 147 | return nullptr; |
| 148 | } |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 149 | else { |
| 150 | BOOST_THROW_EXCEPTION(BackEnd::Error("Key lookup in keychain failed: " + getErrorMessage(res))); |
| 151 | } |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 152 | } |
| 153 | |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 154 | /** |
| 155 | * @brief Export a private key from the Keychain to @p outKey |
| 156 | */ |
| 157 | static void |
| 158 | exportItem(const KeyRefOsx& keyRef, transform::PrivateKey& outKey) |
| 159 | { |
| 160 | // use a temporary password for PKCS8 encoding |
| 161 | const char pw[] = "correct horse battery staple"; |
| 162 | auto passphrase = cfstring::fromBuffer(reinterpret_cast<const uint8_t*>(pw), std::strlen(pw)); |
| 163 | |
| 164 | SecItemImportExportKeyParameters keyParams; |
| 165 | std::memset(&keyParams, 0, sizeof(keyParams)); |
| 166 | keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION; |
| 167 | keyParams.passphrase = passphrase.get(); |
| 168 | |
| 169 | CFReleaser<CFDataRef> exportedKey; |
| 170 | OSStatus res = SecItemExport(keyRef.get(), // secItemOrArray |
| 171 | kSecFormatWrappedPKCS8, // outputFormat |
| 172 | 0, // flags |
| 173 | &keyParams, // keyParams |
| 174 | &exportedKey.get()); // exportedData |
| 175 | |
| 176 | if (res != errSecSuccess) { |
| 177 | BOOST_THROW_EXCEPTION(BackEnd::Error("Failed to export private key: "s + getErrorMessage(res))); |
| 178 | } |
| 179 | |
| 180 | outKey.loadPkcs8(CFDataGetBytePtr(exportedKey.get()), CFDataGetLength(exportedKey.get()), |
| 181 | pw, std::strlen(pw)); |
| 182 | } |
| 183 | |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 184 | BackEndOsx::BackEndOsx(const std::string&) |
Davide Pesavento | def60f1 | 2017-09-17 17:26:07 -0400 | [diff] [blame] | 185 | : m_impl(make_unique<Impl>()) |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 186 | { |
| 187 | SecKeychainSetUserInteractionAllowed(!m_impl->isTerminalMode); |
| 188 | |
| 189 | OSStatus res = SecKeychainCopyDefault(&m_impl->keyChainRef); |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 190 | if (res == errSecNoDefaultKeychain) { |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 191 | BOOST_THROW_EXCEPTION(Error("No default keychain, create one first")); |
| 192 | } |
| 193 | } |
| 194 | |
| 195 | BackEndOsx::~BackEndOsx() = default; |
| 196 | |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 197 | const std::string& |
| 198 | BackEndOsx::getScheme() |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 199 | { |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 200 | static std::string scheme = "tpm-osxkeychain"; |
| 201 | return scheme; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 202 | } |
| 203 | |
| 204 | bool |
| 205 | BackEndOsx::isTerminalMode() const |
| 206 | { |
| 207 | return m_impl->isTerminalMode; |
| 208 | } |
| 209 | |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 210 | void |
| 211 | BackEndOsx::setTerminalMode(bool isTerminal) const |
| 212 | { |
| 213 | m_impl->isTerminalMode = isTerminal; |
| 214 | SecKeychainSetUserInteractionAllowed(!isTerminal); |
| 215 | } |
| 216 | |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 217 | bool |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 218 | BackEndOsx::isTpmLocked() const |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 219 | { |
| 220 | SecKeychainStatus keychainStatus; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 221 | OSStatus res = SecKeychainGetStatus(m_impl->keyChainRef, &keychainStatus); |
| 222 | if (res != errSecSuccess) |
| 223 | return true; |
| 224 | else |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 225 | return (kSecUnlockStateStatus & keychainStatus) == 0; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 226 | } |
| 227 | |
| 228 | bool |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 229 | BackEndOsx::unlockTpm(const char* pw, size_t pwLen) const |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 230 | { |
| 231 | // If the default key chain is already unlocked, return immediately. |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 232 | if (!isTpmLocked()) |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 233 | return true; |
| 234 | |
| 235 | if (m_impl->isTerminalMode) { |
| 236 | // Use the supplied password. |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 237 | SecKeychainUnlock(m_impl->keyChainRef, pwLen, pw, true); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 238 | } |
| 239 | else { |
| 240 | // If inTerminal is not set, get the password from GUI. |
| 241 | SecKeychainUnlock(m_impl->keyChainRef, 0, nullptr, false); |
| 242 | } |
| 243 | |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 244 | return !isTpmLocked(); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 245 | } |
| 246 | |
| 247 | ConstBufferPtr |
Davide Pesavento | ff3bf2c | 2017-10-05 00:14:27 -0400 | [diff] [blame] | 248 | BackEndOsx::sign(const KeyRefOsx& key, DigestAlgorithm digestAlgo, const uint8_t* buf, size_t size) |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 249 | { |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 250 | CFReleaser<CFErrorRef> error; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 251 | CFReleaser<SecTransformRef> signer = SecSignTransformCreate(key.get(), &error.get()); |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 252 | if (signer == nullptr) { |
| 253 | BOOST_THROW_EXCEPTION(Error("Failed to create sign transform: " + getFailureReason(error.get()))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 254 | } |
| 255 | |
| 256 | // Set input |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 257 | auto data = makeCFDataNoCopy(buf, size); |
| 258 | SecTransformSetAttribute(signer.get(), kSecTransformInputAttributeName, data.get(), &error.get()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 259 | if (error != nullptr) { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 260 | BOOST_THROW_EXCEPTION(Error("Failed to configure input of sign transform: " + |
| 261 | getFailureReason(error.get()))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 262 | } |
| 263 | |
| 264 | // Enable use of padding |
| 265 | SecTransformSetAttribute(signer.get(), kSecPaddingKey, kSecPaddingPKCS1Key, &error.get()); |
| 266 | if (error != nullptr) { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 267 | BOOST_THROW_EXCEPTION(Error("Failed to configure padding of sign transform: " + |
| 268 | getFailureReason(error.get()))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 269 | } |
| 270 | |
Davide Pesavento | ff3bf2c | 2017-10-05 00:14:27 -0400 | [diff] [blame] | 271 | // Set digest type |
| 272 | SecTransformSetAttribute(signer.get(), kSecDigestTypeAttribute, getDigestAlgorithm(digestAlgo), &error.get()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 273 | if (error != nullptr) { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 274 | BOOST_THROW_EXCEPTION(Error("Failed to configure digest type of sign transform: " + |
| 275 | getFailureReason(error.get()))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 276 | } |
| 277 | |
Davide Pesavento | ff3bf2c | 2017-10-05 00:14:27 -0400 | [diff] [blame] | 278 | // Set digest length |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 279 | int digestSize = getDigestSize(digestAlgo); |
| 280 | CFReleaser<CFNumberRef> cfDigestSize = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &digestSize); |
Davide Pesavento | ff3bf2c | 2017-10-05 00:14:27 -0400 | [diff] [blame] | 281 | SecTransformSetAttribute(signer.get(), kSecDigestLengthAttribute, cfDigestSize.get(), &error.get()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 282 | if (error != nullptr) { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 283 | BOOST_THROW_EXCEPTION(Error("Failed to configure digest length of sign transform: " + |
| 284 | getFailureReason(error.get()))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 285 | } |
Davide Pesavento | ff3bf2c | 2017-10-05 00:14:27 -0400 | [diff] [blame] | 286 | |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 287 | // Actually sign |
| 288 | // C-style cast is used as per Apple convention |
| 289 | CFReleaser<CFDataRef> signature = (CFDataRef)SecTransformExecute(signer.get(), &error.get()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 290 | if (signature == nullptr) { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 291 | BOOST_THROW_EXCEPTION(Error("Failed to sign data: " + getFailureReason(error.get()))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 292 | } |
| 293 | |
| 294 | return make_shared<Buffer>(CFDataGetBytePtr(signature.get()), CFDataGetLength(signature.get())); |
| 295 | } |
| 296 | |
| 297 | ConstBufferPtr |
Davide Pesavento | ff3bf2c | 2017-10-05 00:14:27 -0400 | [diff] [blame] | 298 | BackEndOsx::decrypt(const KeyRefOsx& key, const uint8_t* cipherText, size_t cipherSize) |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 299 | { |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 300 | CFReleaser<CFErrorRef> error; |
| 301 | CFReleaser<SecTransformRef> decryptor = SecDecryptTransformCreate(key.get(), &error.get()); |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 302 | if (decryptor == nullptr) { |
| 303 | BOOST_THROW_EXCEPTION(Error("Failed to create decrypt transform: " + getFailureReason(error.get()))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 304 | } |
| 305 | |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 306 | auto data = makeCFDataNoCopy(cipherText, cipherSize); |
| 307 | SecTransformSetAttribute(decryptor.get(), kSecTransformInputAttributeName, data.get(), &error.get()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 308 | if (error != nullptr) { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 309 | BOOST_THROW_EXCEPTION(Error("Failed to configure input of decrypt transform: " + |
| 310 | getFailureReason(error.get()))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 311 | } |
| 312 | |
| 313 | SecTransformSetAttribute(decryptor.get(), kSecPaddingKey, kSecPaddingOAEPKey, &error.get()); |
| 314 | if (error != nullptr) { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 315 | BOOST_THROW_EXCEPTION(Error("Failed to configure padding of decrypt transform: " + |
| 316 | getFailureReason(error.get()))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 317 | } |
| 318 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 319 | // C-style cast is used as per Apple convention |
| 320 | CFReleaser<CFDataRef> plainText = (CFDataRef)SecTransformExecute(decryptor.get(), &error.get()); |
| 321 | if (plainText == nullptr) { |
| 322 | BOOST_THROW_EXCEPTION(Error("Failed to decrypt data: " + getFailureReason(error.get()))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 323 | } |
| 324 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 325 | return make_shared<Buffer>(CFDataGetBytePtr(plainText.get()), CFDataGetLength(plainText.get())); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 326 | } |
| 327 | |
| 328 | ConstBufferPtr |
Davide Pesavento | ff3bf2c | 2017-10-05 00:14:27 -0400 | [diff] [blame] | 329 | BackEndOsx::derivePublicKey(const KeyRefOsx& key) |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 330 | { |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 331 | transform::PrivateKey privateKey; |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 332 | exportItem(key, privateKey); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 333 | return privateKey.derivePublicKey(); |
| 334 | } |
| 335 | |
| 336 | bool |
| 337 | BackEndOsx::doHasKey(const Name& keyName) const |
| 338 | { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 339 | return getKeyRef(keyName) != nullptr; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 340 | } |
| 341 | |
| 342 | unique_ptr<KeyHandle> |
| 343 | BackEndOsx::doGetKeyHandle(const Name& keyName) const |
| 344 | { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 345 | KeyRefOsx keyRef = getKeyRef(keyName); |
| 346 | if (keyRef == nullptr) { |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 347 | return nullptr; |
| 348 | } |
| 349 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 350 | return make_unique<KeyHandleOsx>(keyRef.get()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 351 | } |
| 352 | |
| 353 | unique_ptr<KeyHandle> |
| 354 | BackEndOsx::doCreateKey(const Name& identityName, const KeyParams& params) |
| 355 | { |
| 356 | KeyType keyType = params.getKeyType(); |
| 357 | uint32_t keySize; |
| 358 | switch (keyType) { |
| 359 | case KeyType::RSA: { |
| 360 | const RsaKeyParams& rsaParams = static_cast<const RsaKeyParams&>(params); |
| 361 | keySize = rsaParams.getKeySize(); |
| 362 | break; |
| 363 | } |
| 364 | case KeyType::EC: { |
Spyridon Mastorakis | 1ece2e3 | 2015-08-27 18:52:21 -0700 | [diff] [blame] | 365 | const EcKeyParams& ecParams = static_cast<const EcKeyParams&>(params); |
| 366 | keySize = ecParams.getKeySize(); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 367 | break; |
| 368 | } |
| 369 | default: { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 370 | BOOST_THROW_EXCEPTION(Tpm::Error("Failed to generate key pair: Unsupported key type")); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 371 | } |
| 372 | } |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 373 | CFReleaser<CFNumberRef> cfKeySize = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &keySize); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 374 | |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 375 | auto attrDict = makeCFMutableDictionary(); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 376 | CFDictionaryAddValue(attrDict.get(), kSecAttrKeyType, getAsymKeyType(keyType)); |
| 377 | CFDictionaryAddValue(attrDict.get(), kSecAttrKeySizeInBits, cfKeySize.get()); |
| 378 | |
| 379 | KeyRefOsx publicKey, privateKey; |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 380 | OSStatus res = SecKeyGeneratePair(attrDict.get(), &publicKey.get(), &privateKey.get()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 381 | publicKey.retain(); |
| 382 | privateKey.retain(); |
| 383 | |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 384 | if (res != errSecSuccess) { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 385 | BOOST_THROW_EXCEPTION(Error("Failed to generate key pair: " + getErrorMessage(res))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 386 | } |
| 387 | |
Davide Pesavento | ff3bf2c | 2017-10-05 00:14:27 -0400 | [diff] [blame] | 388 | unique_ptr<KeyHandle> keyHandle = make_unique<KeyHandleOsx>(privateKey.get()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 389 | setKeyName(*keyHandle, identityName, params); |
| 390 | |
| 391 | SecKeychainAttribute attrs[1]; // maximum number of attributes |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 392 | SecKeychainAttributeList attrList = {0, attrs}; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 393 | std::string keyUri = keyHandle->getKeyName().toUri(); |
| 394 | { |
| 395 | attrs[attrList.count].tag = kSecKeyPrintName; |
| 396 | attrs[attrList.count].length = keyUri.size(); |
| 397 | attrs[attrList.count].data = const_cast<char*>(keyUri.data()); |
| 398 | attrList.count++; |
| 399 | } |
| 400 | |
| 401 | SecKeychainItemModifyAttributesAndData((SecKeychainItemRef)privateKey.get(), &attrList, 0, nullptr); |
| 402 | SecKeychainItemModifyAttributesAndData((SecKeychainItemRef)publicKey.get(), &attrList, 0, nullptr); |
| 403 | |
| 404 | return keyHandle; |
| 405 | } |
| 406 | |
| 407 | void |
| 408 | BackEndOsx::doDeleteKey(const Name& keyName) |
| 409 | { |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 410 | auto keyLabel = cfstring::fromStdString(keyName.toUri()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 411 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 412 | auto query = makeCFMutableDictionary(); |
| 413 | CFDictionaryAddValue(query.get(), kSecClass, kSecClassKey); |
| 414 | CFDictionaryAddValue(query.get(), kSecAttrLabel, keyLabel.get()); |
| 415 | CFDictionaryAddValue(query.get(), kSecMatchLimit, kSecMatchLimitAll); |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 416 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 417 | OSStatus res = SecItemDelete(query.get()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 418 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 419 | if (res != errSecSuccess && res != errSecItemNotFound) { |
| 420 | BOOST_THROW_EXCEPTION(Error("Failed to delete key pair: " + getErrorMessage(res))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 421 | } |
| 422 | } |
| 423 | |
| 424 | ConstBufferPtr |
| 425 | BackEndOsx::doExportKey(const Name& keyName, const char* pw, size_t pwLen) |
| 426 | { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 427 | KeyRefOsx keychainItem = getKeyRef(keyName); |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 428 | if (keychainItem == nullptr) { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 429 | BOOST_THROW_EXCEPTION(Error("Failed to export private key: " + getErrorMessage(errSecItemNotFound))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 430 | } |
| 431 | |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 432 | transform::PrivateKey exportedKey; |
| 433 | OBufferStream pkcs8; |
| 434 | try { |
| 435 | exportItem(keychainItem, exportedKey); |
| 436 | exportedKey.savePkcs8(pkcs8, pw, pwLen); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 437 | } |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 438 | catch (const transform::PrivateKey::Error& e) { |
| 439 | BOOST_THROW_EXCEPTION(Error("Failed to export private key: "s + e.what())); |
| 440 | } |
| 441 | return pkcs8.buf(); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 442 | } |
| 443 | |
| 444 | void |
| 445 | BackEndOsx::doImportKey(const Name& keyName, const uint8_t* buf, size_t size, |
| 446 | const char* pw, size_t pwLen) |
| 447 | { |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 448 | transform::PrivateKey privKey; |
| 449 | OBufferStream pkcs1; |
| 450 | try { |
| 451 | // do the PKCS8 decoding ourselves, see bug #4450 |
| 452 | privKey.loadPkcs8(buf, size, pw, pwLen); |
| 453 | privKey.savePkcs1(pkcs1); |
| 454 | } |
| 455 | catch (const transform::PrivateKey::Error& e) { |
| 456 | BOOST_THROW_EXCEPTION(Error("Failed to import private key: "s + e.what())); |
| 457 | } |
| 458 | auto keyToImport = makeCFDataNoCopy(pkcs1.buf()->data(), pkcs1.buf()->size()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 459 | |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 460 | SecExternalFormat externalFormat = kSecFormatOpenSSL; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 461 | SecExternalItemType externalType = kSecItemTypePrivateKey; |
| 462 | |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 463 | auto keyUri = keyName.toUri(); |
| 464 | auto keyLabel = cfstring::fromStdString(keyUri); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 465 | CFReleaser<SecAccessRef> access; |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 466 | OSStatus res = SecAccessCreate(keyLabel.get(), // descriptor |
| 467 | nullptr, // trustedlist (null == trust only the calling app) |
| 468 | &access.get()); // accessRef |
| 469 | |
| 470 | if (res != errSecSuccess) { |
| 471 | BOOST_THROW_EXCEPTION(Error("Failed to import private key: " + getErrorMessage(res))); |
| 472 | } |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 473 | |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 474 | SecItemImportExportKeyParameters keyParams; |
| 475 | std::memset(&keyParams, 0, sizeof(keyParams)); |
| 476 | keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION; |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 477 | keyParams.accessRef = access.get(); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 478 | |
| 479 | CFReleaser<CFArrayRef> outItems; |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 480 | res = SecItemImport(keyToImport.get(), // importedData |
| 481 | nullptr, // fileNameOrExtension |
| 482 | &externalFormat, // inputFormat |
| 483 | &externalType, // itemType |
| 484 | 0, // flags |
| 485 | &keyParams, // keyParams |
| 486 | m_impl->keyChainRef, // importKeychain |
| 487 | &outItems.get()); // outItems |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 488 | |
| 489 | if (res != errSecSuccess) { |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 490 | BOOST_THROW_EXCEPTION(Error("Failed to import private key: " + getErrorMessage(res))); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 491 | } |
| 492 | |
| 493 | // C-style cast is used as per Apple convention |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 494 | SecKeychainItemRef keychainItem = (SecKeychainItemRef)CFArrayGetValueAtIndex(outItems.get(), 0); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 495 | SecKeychainAttribute attrs[1]; // maximum number of attributes |
Davide Pesavento | fbda933 | 2018-09-02 16:42:33 -0400 | [diff] [blame] | 496 | SecKeychainAttributeList attrList = {0, attrs}; |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 497 | { |
| 498 | attrs[attrList.count].tag = kSecKeyPrintName; |
| 499 | attrs[attrList.count].length = keyUri.size(); |
Davide Pesavento | ff3bf2c | 2017-10-05 00:14:27 -0400 | [diff] [blame] | 500 | attrs[attrList.count].data = const_cast<char*>(keyUri.data()); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 501 | attrList.count++; |
| 502 | } |
Davide Pesavento | 13fffa3 | 2018-09-30 16:21:33 -0400 | [diff] [blame] | 503 | SecKeychainItemModifyAttributesAndData(keychainItem, &attrList, 0, nullptr); |
Yingdi Yu | 0b60e7a | 2015-07-16 21:05:11 -0700 | [diff] [blame] | 504 | } |
| 505 | |
| 506 | } // namespace tpm |
| 507 | } // namespace security |
| 508 | } // namespace ndn |