Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */ |
| 2 | /** |
| 3 | * Copyright (C) 2013 Regents of the University of California. |
| 4 | * @author: Yingdi Yu <yingdi@cs.ucla.edu> |
| 5 | * See COPYING for copyright and distribution information. |
| 6 | */ |
| 7 | |
Alexander Afanasyev | 1950885 | 2014-01-29 01:01:51 -0800 | [diff] [blame] | 8 | #include "sec-tpm-osx.hpp" |
| 9 | |
| 10 | #include "security/public-key.hpp" |
| 11 | #include "util/logging.hpp" |
Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 12 | |
| 13 | #include <fstream> |
| 14 | #include <sstream> |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 15 | #include <pwd.h> |
| 16 | #include <unistd.h> |
| 17 | #include <stdlib.h> |
| 18 | #include <string.h> |
Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 19 | |
Alexander Afanasyev | 04b22a9 | 2014-01-05 22:40:17 -0800 | [diff] [blame] | 20 | #include <CoreFoundation/CoreFoundation.h> |
| 21 | #include <Security/Security.h> |
| 22 | #include <CoreServices/CoreServices.h> |
Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 23 | |
| 24 | using namespace std; |
Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 25 | |
Yingdi Yu | 8758158 | 2014-01-14 14:28:39 -0800 | [diff] [blame] | 26 | INIT_LOGGER("SecTpmOsx"); |
Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 27 | |
| 28 | namespace ndn |
| 29 | { |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 30 | class SecTpmOsx::Impl { |
| 31 | public: |
| 32 | Impl() |
| 33 | {} |
Alexander Afanasyev | 04b22a9 | 2014-01-05 22:40:17 -0800 | [diff] [blame] | 34 | |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 35 | /** |
| 36 | * @brief Convert NDN name of a key to internal name of the key. |
| 37 | * |
| 38 | * @param keyName the NDN name of the key |
| 39 | * @param keyClass the class of the key |
| 40 | * @return the internal key name |
| 41 | */ |
| 42 | std::string |
| 43 | toInternalKeyName(const Name & keyName, KeyClass keyClass); |
Alexander Afanasyev | 04b22a9 | 2014-01-05 22:40:17 -0800 | [diff] [blame] | 44 | |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 45 | /** |
| 46 | * @brief Get key. |
| 47 | * @param keyName the name of the key |
| 48 | * @param keyClass the class of the key |
| 49 | * @returns pointer to the key |
| 50 | */ |
| 51 | SecKeychainItemRef |
| 52 | getKey(const Name & keyName, KeyClass keyClass); |
Alexander Afanasyev | 04b22a9 | 2014-01-05 22:40:17 -0800 | [diff] [blame] | 53 | |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 54 | /** |
| 55 | * convert keyType to MAC OS symmetric key key type |
| 56 | * @param keyType |
| 57 | * @returns MAC OS key type |
| 58 | */ |
Yingdi Yu | 8758158 | 2014-01-14 14:28:39 -0800 | [diff] [blame] | 59 | const CFTypeRef |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 60 | getSymKeyType(KeyType keyType); |
| 61 | |
| 62 | /** |
| 63 | * convert keyType to MAC OS asymmetirc key type |
| 64 | * @param keyType |
| 65 | * @returns MAC OS key type |
| 66 | */ |
Yingdi Yu | 8758158 | 2014-01-14 14:28:39 -0800 | [diff] [blame] | 67 | const CFTypeRef |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 68 | getAsymKeyType(KeyType keyType); |
| 69 | |
| 70 | /** |
| 71 | * convert keyClass to MAC OS key class |
| 72 | * @param keyClass |
| 73 | * @returns MAC OS key class |
| 74 | */ |
Yingdi Yu | 8758158 | 2014-01-14 14:28:39 -0800 | [diff] [blame] | 75 | const CFTypeRef |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 76 | getKeyClass(KeyClass keyClass); |
| 77 | |
| 78 | /** |
| 79 | * convert digestAlgo to MAC OS algorithm id |
| 80 | * @param digestAlgo |
| 81 | * @returns MAC OS algorithm id |
| 82 | */ |
Yingdi Yu | 8758158 | 2014-01-14 14:28:39 -0800 | [diff] [blame] | 83 | const CFStringRef |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 84 | getDigestAlgorithm(DigestAlgorithm digestAlgo); |
| 85 | |
| 86 | /** |
| 87 | * get the digest size of the corresponding algorithm |
| 88 | * @param digestAlgo the digest algorithm |
| 89 | * @return digest size |
| 90 | */ |
| 91 | long |
| 92 | getDigestSize(DigestAlgorithm digestAlgo); |
| 93 | |
| 94 | bool |
| 95 | getPassWord(string& password, string target); |
| 96 | |
| 97 | /////////////////////////////////////////////// |
| 98 | // everything here is public, including data // |
| 99 | /////////////////////////////////////////////// |
| 100 | public: |
| 101 | SecKeychainRef m_keyChainRef; |
| 102 | }; |
| 103 | |
| 104 | |
| 105 | SecTpmOsx::SecTpmOsx() |
| 106 | : m_impl(new Impl) |
| 107 | { |
| 108 | OSStatus res = SecKeychainCopyDefault(&m_impl->m_keyChainRef); |
| 109 | |
| 110 | |
| 111 | if (res == errSecNoDefaultKeychain) //If no default key chain, create one. |
| 112 | { |
| 113 | //Get the password for the new key chain. |
| 114 | string keyChainName("ndnroot.keychain"); |
| 115 | cerr << "No Default KeyChain! Create " << keyChainName << ":" << endl; |
| 116 | string password; |
| 117 | while(!m_impl->getPassWord(password, keyChainName)) |
| 118 | { |
| 119 | cerr << "Password mismatch!" << endl; |
| 120 | } |
| 121 | |
| 122 | //Create the key chain |
| 123 | res = SecKeychainCreate(keyChainName.c_str(), //Keychain path |
| 124 | password.size(), //Keychain password length |
| 125 | password.c_str(), //Keychain password |
| 126 | false, //User prompt |
| 127 | NULL, //Initial access of Keychain |
| 128 | &m_impl->m_keyChainRef); //Keychain reference |
| 129 | |
| 130 | if(res == errSecSuccess) |
| 131 | cerr << keyChainName << " has been created!" << endl; |
| 132 | else |
| 133 | { |
| 134 | char* pw = const_cast<char*>(password.c_str()); |
| 135 | memset(pw, 0, password.size()); |
| 136 | throw Error("No default keychain!"); |
| 137 | } |
| 138 | |
| 139 | //Unlock the default key chain |
| 140 | SecKeychainUnlock(m_impl->m_keyChainRef, |
| 141 | password.size(), |
| 142 | password.c_str(), |
| 143 | true); |
| 144 | |
| 145 | char* pw = const_cast<char*>(password.c_str()); |
| 146 | memset(pw, 0, password.size()); |
| 147 | |
| 148 | return; |
| 149 | } |
| 150 | |
| 151 | //If the default key chain exists, check if it is unlocked |
| 152 | SecKeychainStatus keychainStatus; |
| 153 | res = SecKeychainGetStatus(m_impl->m_keyChainRef, &keychainStatus); |
| 154 | if(kSecUnlockStateStatus & keychainStatus) |
| 155 | return; |
| 156 | |
| 157 | |
| 158 | //If the default key chain is locked, unlock the key chain |
| 159 | bool locked = true; |
| 160 | while(locked) |
| 161 | { |
| 162 | const char* fmt = "Password to unlock the default keychain: "; |
| 163 | char* password = NULL; |
| 164 | password = getpass(fmt); |
| 165 | |
| 166 | if (!password) |
| 167 | { |
| 168 | memset(password, 0, strlen(password)); |
| 169 | continue; |
| 170 | } |
| 171 | |
| 172 | res = SecKeychainUnlock(m_impl->m_keyChainRef, |
| 173 | strlen(password), |
| 174 | password, |
| 175 | true); |
| 176 | |
| 177 | memset(password, 0, strlen(password)); |
| 178 | |
| 179 | if(res == errSecSuccess) |
| 180 | locked = false; |
| 181 | } |
| 182 | } |
| 183 | |
| 184 | SecTpmOsx::~SecTpmOsx(){ |
| 185 | //TODO: implement |
| 186 | } |
| 187 | |
| 188 | void |
| 189 | SecTpmOsx::generateKeyPairInTpm(const Name & keyName, KeyType keyType, int keySize) |
| 190 | { |
| 191 | |
| 192 | if(doesKeyExistInTpm(keyName, KEY_CLASS_PUBLIC)){ |
| 193 | _LOG_DEBUG("keyName has existed"); |
| 194 | throw Error("keyName has existed"); |
| 195 | } |
| 196 | |
| 197 | string keyNameUri = m_impl->toInternalKeyName(keyName, KEY_CLASS_PUBLIC); |
| 198 | |
| 199 | SecKeyRef publicKey, privateKey; |
| 200 | |
| 201 | CFStringRef keyLabel = CFStringCreateWithCString(NULL, |
| 202 | keyNameUri.c_str(), |
| 203 | kCFStringEncodingUTF8); |
| 204 | |
| 205 | CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(NULL, |
| 206 | 3, |
| 207 | &kCFTypeDictionaryKeyCallBacks, |
| 208 | NULL); |
| 209 | |
| 210 | CFDictionaryAddValue(attrDict, kSecAttrKeyType, m_impl->getAsymKeyType(keyType)); |
| 211 | CFDictionaryAddValue(attrDict, kSecAttrKeySizeInBits, CFNumberCreate(NULL, kCFNumberIntType, &keySize)); |
| 212 | CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel); |
| 213 | |
| 214 | OSStatus res = SecKeyGeneratePair((CFDictionaryRef)attrDict, &publicKey, &privateKey); |
| 215 | |
| 216 | CFRelease(publicKey); |
| 217 | CFRelease(privateKey); |
| 218 | |
| 219 | if (res != errSecSuccess){ |
| 220 | _LOG_DEBUG("Fail to create a key pair: " << res); |
| 221 | throw Error("Fail to create a key pair"); |
| 222 | } |
| 223 | } |
| 224 | |
| 225 | void |
| 226 | SecTpmOsx::deleteKeyPairInTpm(const Name &keyName) |
| 227 | { |
| 228 | string keyNameUri = keyName.toUri(); |
| 229 | |
| 230 | CFStringRef keyLabel = CFStringCreateWithCString(NULL, |
| 231 | keyNameUri.c_str(), |
| 232 | kCFStringEncodingUTF8); |
| 233 | |
| 234 | CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(NULL, |
| 235 | 5, |
| 236 | &kCFTypeDictionaryKeyCallBacks, |
| 237 | NULL); |
| 238 | |
| 239 | CFDictionaryAddValue(attrDict, kSecClass, kSecClassKey); |
| 240 | CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel); |
| 241 | CFDictionaryAddValue(attrDict, kSecMatchLimit, kSecMatchLimitAll); |
| 242 | |
| 243 | OSStatus res = SecItemDelete((CFDictionaryRef) attrDict); |
| 244 | |
| 245 | if(res != errSecSuccess) |
| 246 | _LOG_DEBUG("Fail to find the key!"); |
| 247 | } |
| 248 | |
| 249 | void |
| 250 | SecTpmOsx::generateSymmetricKeyInTpm(const Name & keyName, KeyType keyType, int keySize) |
| 251 | { |
| 252 | |
| 253 | if(doesKeyExistInTpm(keyName, KEY_CLASS_SYMMETRIC)) |
| 254 | throw Error("keyName has existed!"); |
| 255 | |
| 256 | string keyNameUri = m_impl->toInternalKeyName(keyName, KEY_CLASS_SYMMETRIC); |
| 257 | |
| 258 | CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(kCFAllocatorDefault, |
| 259 | 0, |
| 260 | &kCFTypeDictionaryKeyCallBacks, |
| 261 | &kCFTypeDictionaryValueCallBacks); |
| 262 | |
| 263 | CFStringRef keyLabel = CFStringCreateWithCString(NULL, |
| 264 | keyNameUri.c_str(), |
| 265 | kCFStringEncodingUTF8); |
| 266 | |
| 267 | CFDictionaryAddValue(attrDict, kSecAttrKeyType, m_impl->getSymKeyType(keyType)); |
| 268 | CFDictionaryAddValue(attrDict, kSecAttrKeySizeInBits, CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &keySize)); |
| 269 | CFDictionaryAddValue(attrDict, kSecAttrIsPermanent, kCFBooleanTrue); |
| 270 | CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel); |
| 271 | |
| 272 | CFErrorRef error = NULL; |
| 273 | |
| 274 | SecKeyRef symmetricKey = SecKeyGenerateSymmetric(attrDict, &error); |
| 275 | |
| 276 | if (error) |
| 277 | throw Error("Fail to create a symmetric key"); |
| 278 | } |
| 279 | |
| 280 | ptr_lib::shared_ptr<PublicKey> |
| 281 | SecTpmOsx::getPublicKeyFromTpm(const Name & keyName) |
| 282 | { |
| 283 | _LOG_TRACE("OSXPrivateKeyStorage::getPublickey"); |
| 284 | |
| 285 | SecKeychainItemRef publicKey = m_impl->getKey(keyName, KEY_CLASS_PUBLIC); |
| 286 | |
| 287 | CFDataRef exportedKey; |
| 288 | |
| 289 | OSStatus res = SecItemExport(publicKey, |
| 290 | kSecFormatOpenSSL, |
| 291 | 0, |
| 292 | NULL, |
| 293 | &exportedKey); |
| 294 | |
| 295 | return ptr_lib::make_shared<PublicKey>(CFDataGetBytePtr(exportedKey), CFDataGetLength(exportedKey)); |
| 296 | } |
| 297 | |
| 298 | Block |
| 299 | SecTpmOsx::signInTpm(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm) |
| 300 | { |
| 301 | _LOG_TRACE("OSXPrivateKeyStorage::Sign"); |
| 302 | |
| 303 | CFDataRef dataRef = CFDataCreateWithBytesNoCopy(NULL, |
| 304 | data, |
| 305 | dataLength, |
| 306 | kCFAllocatorNull |
| 307 | ); |
| 308 | |
| 309 | SecKeyRef privateKey = (SecKeyRef)m_impl->getKey(keyName, KEY_CLASS_PRIVATE); |
| 310 | |
| 311 | CFErrorRef error; |
| 312 | SecTransformRef signer = SecSignTransformCreate((SecKeyRef)privateKey, &error); |
| 313 | if (error) throw Error("Fail to create signer"); |
| 314 | |
| 315 | // Set input |
| 316 | Boolean set_res = SecTransformSetAttribute(signer, |
| 317 | kSecTransformInputAttributeName, |
| 318 | dataRef, |
| 319 | &error); |
| 320 | if (error) throw Error("Fail to configure input of signer"); |
| 321 | |
| 322 | // Enable use of padding |
| 323 | SecTransformSetAttribute( |
| 324 | signer, |
| 325 | kSecPaddingKey, |
| 326 | kSecPaddingPKCS1Key, |
| 327 | &error); |
| 328 | if (error) throw Error("Fail to configure digest algorithm of signer"); |
| 329 | |
| 330 | // Set padding type |
| 331 | set_res = SecTransformSetAttribute(signer, |
| 332 | kSecDigestTypeAttribute, |
| 333 | m_impl->getDigestAlgorithm(digestAlgorithm), |
| 334 | &error); |
| 335 | if (error) throw Error("Fail to configure digest algorithm of signer"); |
| 336 | |
| 337 | // Set padding attribute |
| 338 | long digestSize = m_impl->getDigestSize(digestAlgorithm); |
| 339 | set_res = SecTransformSetAttribute(signer, |
| 340 | kSecDigestLengthAttribute, |
| 341 | CFNumberCreate(NULL, kCFNumberLongType, &digestSize), |
| 342 | &error); |
| 343 | if (error) throw Error("Fail to configure digest size of signer"); |
| 344 | |
| 345 | // Actually sign |
| 346 | CFDataRef signature = (CFDataRef) SecTransformExecute(signer, &error); |
| 347 | if (error) { |
| 348 | CFShow(error); |
| 349 | throw Error("Fail to sign data"); |
| 350 | } |
| 351 | |
| 352 | if (!signature) throw Error("Signature is NULL!\n"); |
| 353 | |
| 354 | return Block(Tlv::SignatureValue, |
| 355 | ptr_lib::make_shared<Buffer>(CFDataGetBytePtr(signature), CFDataGetLength(signature))); |
| 356 | } |
| 357 | |
| 358 | ConstBufferPtr |
| 359 | SecTpmOsx::decryptInTpm(const Name & keyName, const uint8_t* data, size_t dataLength, bool sym) |
| 360 | { |
| 361 | _LOG_TRACE("OSXPrivateKeyStorage::Decrypt"); |
| 362 | |
| 363 | KeyClass keyClass; |
| 364 | if(sym) |
| 365 | keyClass = KEY_CLASS_SYMMETRIC; |
| 366 | else |
| 367 | keyClass = KEY_CLASS_PRIVATE; |
| 368 | |
| 369 | CFDataRef dataRef = CFDataCreate(NULL, |
| 370 | reinterpret_cast<const unsigned char*>(data), |
| 371 | dataLength |
| 372 | ); |
| 373 | |
| 374 | // _LOG_DEBUG("CreateData"); |
| 375 | |
| 376 | SecKeyRef decryptKey = (SecKeyRef)m_impl->getKey(keyName, keyClass); |
| 377 | |
| 378 | // _LOG_DEBUG("GetKey"); |
| 379 | |
| 380 | CFErrorRef error; |
| 381 | SecTransformRef decrypt = SecDecryptTransformCreate(decryptKey, &error); |
| 382 | if (error) throw Error("Fail to create decrypt"); |
| 383 | |
| 384 | Boolean set_res = SecTransformSetAttribute(decrypt, |
| 385 | kSecTransformInputAttributeName, |
| 386 | dataRef, |
| 387 | &error); |
| 388 | if (error) throw Error("Fail to configure decrypt"); |
| 389 | |
| 390 | CFDataRef output = (CFDataRef) SecTransformExecute(decrypt, &error); |
| 391 | if (error) |
| 392 | { |
| 393 | CFShow(error); |
| 394 | throw Error("Fail to decrypt data"); |
| 395 | } |
| 396 | if (!output) throw Error("Output is NULL!\n"); |
| 397 | |
| 398 | return ptr_lib::make_shared<Buffer>(CFDataGetBytePtr(output), CFDataGetLength(output)); |
| 399 | } |
| 400 | |
| 401 | bool |
| 402 | SecTpmOsx::setACL(const Name & keyName, KeyClass keyClass, int acl, const string & appPath) |
| 403 | { |
| 404 | SecKeychainItemRef privateKey = m_impl->getKey(keyName, keyClass); |
| 405 | |
| 406 | SecAccessRef accRef; |
| 407 | OSStatus acc_res = SecKeychainItemCopyAccess(privateKey, &accRef); |
| 408 | |
| 409 | CFArrayRef signACL = SecAccessCopyMatchingACLList(accRef, |
| 410 | kSecACLAuthorizationSign); |
| 411 | |
| 412 | SecACLRef aclRef = (SecACLRef) CFArrayGetValueAtIndex(signACL, 0); |
| 413 | |
| 414 | CFArrayRef appList; |
| 415 | CFStringRef description; |
| 416 | SecKeychainPromptSelector promptSelector; |
| 417 | OSStatus acl_res = SecACLCopyContents(aclRef, |
| 418 | &appList, |
| 419 | &description, |
| 420 | &promptSelector); |
| 421 | |
| 422 | CFMutableArrayRef newAppList = CFArrayCreateMutableCopy(NULL, |
| 423 | 0, |
| 424 | appList); |
| 425 | |
| 426 | SecTrustedApplicationRef trustedApp; |
| 427 | acl_res = SecTrustedApplicationCreateFromPath(appPath.c_str(), |
| 428 | &trustedApp); |
| 429 | |
| 430 | CFArrayAppendValue(newAppList, trustedApp); |
| 431 | |
| 432 | |
| 433 | CFArrayRef authList = SecACLCopyAuthorizations(aclRef); |
| 434 | |
| 435 | acl_res = SecACLRemove(aclRef); |
| 436 | |
| 437 | SecACLRef newACL; |
| 438 | acl_res = SecACLCreateWithSimpleContents(accRef, |
| 439 | newAppList, |
| 440 | description, |
| 441 | promptSelector, |
| 442 | &newACL); |
| 443 | |
| 444 | acl_res = SecACLUpdateAuthorizations(newACL, authList); |
| 445 | |
| 446 | acc_res = SecKeychainItemSetAccess(privateKey, accRef); |
| 447 | |
| 448 | return true; |
| 449 | } |
| 450 | |
| 451 | // bool |
| 452 | // OSXPrivateKeyStorage::verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo) |
| 453 | // { |
| 454 | // _LOG_TRACE("OSXPrivateKeyStorage::Verify"); |
| 455 | |
| 456 | // CFDataRef dataRef = CFDataCreate(NULL, |
| 457 | // reinterpret_cast<const unsigned char*>(pData.buf()), |
| 458 | // pData.size()); |
| 459 | |
| 460 | // CFDataRef sigRef = CFDataCreate(NULL, |
| 461 | // reinterpret_cast<const unsigned char*>(pSig.buf()), |
| 462 | // pSig.size()); |
| 463 | |
| 464 | // SecKeyRef publicKey = (SecKeyRef)m_impl->getKey(keyName, KEY_CLASS_PUBLIC); |
| 465 | |
| 466 | // CFErrorRef error; |
| 467 | // SecTransformRef verifier = SecVerifyTransformCreate(publicKey, sigRef, &error); |
| 468 | // if (error) throw Error("Fail to create verifier"); |
| 469 | |
| 470 | // Boolean set_res = SecTransformSetAttribute(verifier, |
| 471 | // kSecTransformInputAttributeName, |
| 472 | // dataRef, |
| 473 | // &error); |
| 474 | // if (error) throw Error("Fail to configure input of verifier"); |
| 475 | |
| 476 | // set_res = SecTransformSetAttribute(verifier, |
| 477 | // kSecDigestTypeAttribute, |
| 478 | // m_impl->getDigestAlgorithm(digestAlgo), |
| 479 | // &error); |
| 480 | // if (error) throw Error("Fail to configure digest algorithm of verifier"); |
| 481 | |
| 482 | // long digestSize = m_impl->getDigestSize(digestAlgo); |
| 483 | // set_res = SecTransformSetAttribute(verifier, |
| 484 | // kSecDigestLengthAttribute, |
| 485 | // CFNumberCreate(NULL, kCFNumberLongType, &digestSize), |
| 486 | // &error); |
| 487 | // if (error) throw Error("Fail to configure digest size of verifier"); |
| 488 | |
| 489 | // CFBooleanRef result = (CFBooleanRef) SecTransformExecute(verifier, &error); |
| 490 | // if (error) throw Error("Fail to verify data"); |
| 491 | |
| 492 | // if (result == kCFBooleanTrue) |
| 493 | // return true; |
| 494 | // else |
| 495 | // return false; |
| 496 | // } |
| 497 | |
| 498 | ConstBufferPtr |
| 499 | SecTpmOsx::encryptInTpm(const Name & keyName, const uint8_t* data, size_t dataLength, bool sym) |
| 500 | { |
| 501 | _LOG_TRACE("OSXPrivateKeyStorage::Encrypt"); |
| 502 | |
| 503 | KeyClass keyClass; |
| 504 | if(sym) |
| 505 | keyClass = KEY_CLASS_SYMMETRIC; |
| 506 | else |
| 507 | keyClass = KEY_CLASS_PUBLIC; |
| 508 | |
| 509 | CFDataRef dataRef = CFDataCreate(NULL, |
| 510 | reinterpret_cast<const unsigned char*>(data), |
| 511 | dataLength |
| 512 | ); |
| 513 | |
| 514 | SecKeyRef encryptKey = (SecKeyRef)m_impl->getKey(keyName, keyClass); |
| 515 | |
| 516 | CFErrorRef error; |
| 517 | SecTransformRef encrypt = SecEncryptTransformCreate(encryptKey, &error); |
| 518 | if (error) throw Error("Fail to create encrypt"); |
| 519 | |
| 520 | Boolean set_res = SecTransformSetAttribute(encrypt, |
| 521 | kSecTransformInputAttributeName, |
| 522 | dataRef, |
| 523 | &error); |
| 524 | if (error) throw Error("Fail to configure encrypt"); |
| 525 | |
| 526 | CFDataRef output = (CFDataRef) SecTransformExecute(encrypt, &error); |
| 527 | if (error) throw Error("Fail to encrypt data"); |
| 528 | |
| 529 | if (!output) throw Error("Output is NULL!\n"); |
| 530 | |
| 531 | return ptr_lib::make_shared<Buffer> (CFDataGetBytePtr(output), CFDataGetLength(output)); |
| 532 | } |
| 533 | |
| 534 | bool |
| 535 | SecTpmOsx::doesKeyExistInTpm(const Name & keyName, KeyClass keyClass) |
| 536 | { |
| 537 | _LOG_TRACE("OSXPrivateKeyStorage::doesKeyExist"); |
| 538 | |
| 539 | string keyNameUri = m_impl->toInternalKeyName(keyName, keyClass); |
| 540 | |
| 541 | CFStringRef keyLabel = CFStringCreateWithCString(NULL, |
| 542 | keyNameUri.c_str(), |
| 543 | kCFStringEncodingUTF8); |
| 544 | |
| 545 | CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(NULL, |
| 546 | 4, |
| 547 | &kCFTypeDictionaryKeyCallBacks, |
| 548 | NULL); |
| 549 | |
| 550 | CFDictionaryAddValue(attrDict, kSecClass, kSecClassKey); |
| 551 | CFDictionaryAddValue(attrDict, kSecAttrKeyClass, m_impl->getKeyClass(keyClass)); |
| 552 | CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel); |
| 553 | CFDictionaryAddValue(attrDict, kSecReturnRef, kCFBooleanTrue); |
| 554 | |
| 555 | SecKeychainItemRef itemRef; |
| 556 | OSStatus res = SecItemCopyMatching((CFDictionaryRef)attrDict, (CFTypeRef*)&itemRef); |
| 557 | |
| 558 | if(res == errSecItemNotFound) |
| 559 | return false; |
| 560 | else |
| 561 | return true; |
| 562 | |
| 563 | } |
| 564 | |
| 565 | |
| 566 | //////////////////////////////// |
| 567 | // OSXPrivateKeyStorage::Impl // |
| 568 | //////////////////////////////// |
| 569 | |
| 570 | SecKeychainItemRef |
| 571 | SecTpmOsx::Impl::getKey(const Name & keyName, KeyClass keyClass) |
| 572 | { |
| 573 | string keyNameUri = toInternalKeyName(keyName, keyClass); |
| 574 | |
| 575 | CFStringRef keyLabel = CFStringCreateWithCString(NULL, |
| 576 | keyNameUri.c_str(), |
| 577 | kCFStringEncodingUTF8); |
| 578 | |
| 579 | CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(NULL, |
| 580 | 5, |
| 581 | &kCFTypeDictionaryKeyCallBacks, |
| 582 | NULL); |
| 583 | |
| 584 | CFDictionaryAddValue(attrDict, kSecClass, kSecClassKey); |
| 585 | CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel); |
| 586 | CFDictionaryAddValue(attrDict, kSecAttrKeyClass, getKeyClass(keyClass)); |
| 587 | CFDictionaryAddValue(attrDict, kSecReturnRef, kCFBooleanTrue); |
| 588 | |
| 589 | SecKeychainItemRef keyItem; |
| 590 | |
| 591 | OSStatus res = SecItemCopyMatching((CFDictionaryRef) attrDict, (CFTypeRef*)&keyItem); |
| 592 | |
| 593 | if(res != errSecSuccess){ |
| 594 | _LOG_DEBUG("Fail to find the key!"); |
| 595 | return NULL; |
| 596 | } |
| 597 | else |
| 598 | return keyItem; |
| 599 | } |
| 600 | |
| 601 | string |
| 602 | SecTpmOsx::Impl::toInternalKeyName(const Name & keyName, KeyClass keyClass) |
| 603 | { |
| 604 | string keyUri = keyName.toUri(); |
| 605 | |
| 606 | if(KEY_CLASS_SYMMETRIC == keyClass) |
| 607 | return keyUri + "/symmetric"; |
| 608 | else |
| 609 | return keyUri; |
| 610 | } |
| 611 | |
| 612 | const CFTypeRef |
| 613 | SecTpmOsx::Impl::getAsymKeyType(KeyType keyType) |
| 614 | { |
| 615 | switch(keyType){ |
| 616 | case KEY_TYPE_RSA: |
| 617 | return kSecAttrKeyTypeRSA; |
| 618 | default: |
| 619 | _LOG_DEBUG("Unrecognized key type!") |
| 620 | return NULL; |
| 621 | } |
| 622 | } |
| 623 | |
| 624 | const CFTypeRef |
| 625 | SecTpmOsx::Impl::getSymKeyType(KeyType keyType) |
| 626 | { |
| 627 | switch(keyType){ |
| 628 | case KEY_TYPE_AES: |
| 629 | return kSecAttrKeyTypeAES; |
| 630 | default: |
| 631 | _LOG_DEBUG("Unrecognized key type!") |
| 632 | return NULL; |
| 633 | } |
| 634 | } |
| 635 | |
| 636 | const CFTypeRef |
| 637 | SecTpmOsx::Impl::getKeyClass(KeyClass keyClass) |
| 638 | { |
| 639 | switch(keyClass){ |
| 640 | case KEY_CLASS_PRIVATE: |
| 641 | return kSecAttrKeyClassPrivate; |
| 642 | case KEY_CLASS_PUBLIC: |
| 643 | return kSecAttrKeyClassPublic; |
| 644 | case KEY_CLASS_SYMMETRIC: |
| 645 | return kSecAttrKeyClassSymmetric; |
| 646 | default: |
| 647 | _LOG_DEBUG("Unrecognized key class!"); |
| 648 | return NULL; |
| 649 | } |
| 650 | } |
| 651 | |
| 652 | const CFStringRef |
| 653 | SecTpmOsx::Impl::getDigestAlgorithm(DigestAlgorithm digestAlgo) |
| 654 | { |
| 655 | switch(digestAlgo){ |
Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 656 | // case DIGEST_MD2: |
| 657 | // return kSecDigestMD2; |
| 658 | // case DIGEST_MD5: |
| 659 | // return kSecDigestMD5; |
| 660 | // case DIGEST_SHA1: |
| 661 | // return kSecDigestSHA1; |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 662 | case DIGEST_ALGORITHM_SHA256: |
| 663 | return kSecDigestSHA2; |
| 664 | default: |
| 665 | _LOG_DEBUG("Unrecognized digest algorithm!"); |
| 666 | return NULL; |
Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 667 | } |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 668 | } |
Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 669 | |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 670 | long |
| 671 | SecTpmOsx::Impl::getDigestSize(DigestAlgorithm digestAlgo) |
| 672 | { |
| 673 | switch(digestAlgo){ |
| 674 | case DIGEST_ALGORITHM_SHA256: |
| 675 | return 256; |
Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 676 | // case DIGEST_SHA1: |
| 677 | // case DIGEST_MD2: |
| 678 | // case DIGEST_MD5: |
| 679 | // return 0; |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 680 | default: |
| 681 | _LOG_DEBUG("Unrecognized digest algorithm! Unknown digest size"); |
| 682 | return -1; |
Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 683 | } |
Jeff Thompson | 2747dc0 | 2013-10-04 19:11:34 -0700 | [diff] [blame] | 684 | } |
Yingdi Yu | 2b2b479 | 2014-02-04 16:27:07 -0800 | [diff] [blame^] | 685 | |
| 686 | bool |
| 687 | SecTpmOsx::Impl::getPassWord(string& password, string target) |
| 688 | { |
| 689 | int result = false; |
| 690 | |
| 691 | string prompt1 = "Password for " + target + ":"; |
| 692 | string prompt2 = "Confirm password for " + target + ":"; |
| 693 | char* pw0 = NULL; |
| 694 | |
| 695 | pw0 = getpass(prompt1.c_str()); |
| 696 | if(!pw0) |
| 697 | return false; |
| 698 | string password1 = pw0; |
| 699 | memset(pw0, 0, strlen(pw0)); |
| 700 | |
| 701 | pw0 = getpass(prompt2.c_str()); |
| 702 | if(!pw0) |
| 703 | { |
| 704 | char* pw1 = const_cast<char*>(password1.c_str()); |
| 705 | memset(pw1, 0, password1.size()); |
| 706 | return false; |
| 707 | } |
| 708 | |
| 709 | if(!password1.compare(pw0)) |
| 710 | { |
| 711 | result = true; |
| 712 | password.swap(password1); |
| 713 | } |
| 714 | |
| 715 | char* pw1 = const_cast<char*>(password1.c_str()); |
| 716 | memset(pw1, 0, password1.size()); |
| 717 | memset(pw0, 0, strlen(pw0)); |
| 718 | return result; |
| 719 | } |
| 720 | |
| 721 | }// ndn |