Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / 4b8c6a20bbc8207e7044da000c4af1ffeea07717 / . / src / security / sec-tpm-osx.cpp
blob: d06cefef0a8aa8d3b5e7b73257e1d802dee5f05a [file] [log] [blame]
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
2/**
3 * Copyright (C) 2013 Regents of the University of California.
4 * @author: Yingdi Yu <yingdi@cs.ucla.edu>
5 * See COPYING for copyright and distribution information.
6 */
7
Alexander Afanasyeve2dcdfd2014-02-07 15:53:28 -0800[diff] [blame]8#include "common.hpp"
9
Alexander Afanasyev19508852014-01-29 01:01:51 -0800[diff] [blame]10#include "sec-tpm-osx.hpp"
11
12#include "security/public-key.hpp"
Junxiao Shi482ccc52014-03-31 13:05:24 -0700[diff] [blame]13#include "cryptopp.hpp"
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]14
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]15#include <pwd.h>
16#include <unistd.h>
17#include <stdlib.h>
18#include <string.h>
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]19
Alexander Afanasyev04b22a92014-01-05 22:40:17 -0800[diff] [blame]20#include <CoreFoundation/CoreFoundation.h>
21#include <Security/Security.h>
Yingdi Yu4b752752014-02-18 12:24:03 -0800[diff] [blame]22#include <Security/SecRandom.h>
Alexander Afanasyev04b22a92014-01-05 22:40:17 -0800[diff] [blame]23#include <CoreServices/CoreServices.h>
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]24
Alexander Afanasyev59d67a52014-04-03 16:09:31 -0700[diff] [blame]25#include <Security/SecDigestTransform.h>
26
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]27using namespace std;
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]28
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]29namespace ndn {
30
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]31class SecTpmOsx::Impl {
32public:
33 Impl()
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]34 : m_passwordSet(false)
35 , m_inTerminal(false)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]36 {}
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]37
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]38 /**
39 * @brief Convert NDN name of a key to internal name of the key.
40 *
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]41 * @param keyName
42 * @param keyClass
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]43 * @return the internal key name
44 */
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]45 std::string
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]46 toInternalKeyName(const Name& keyName, KeyClass keyClass);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]47
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]48 /**
49 * @brief Get key.
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]50 *
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]51 * @param keyName
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]52 * @param keyClass
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]53 * @returns pointer to the key
54 */
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]55 SecKeychainItemRef
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]56 getKey(const Name& keyName, KeyClass keyClass);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]57
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]58 /**
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]59 * @brief Convert keyType to MAC OS symmetric key key type
60 *
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]61 * @param keyType
62 * @returns MAC OS key type
63 */
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]64 const CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]65 getSymKeyType(KeyType keyType);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]66
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]67 /**
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]68 * @brief Convert keyType to MAC OS asymmetirc key type
69 *
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]70 * @param keyType
71 * @returns MAC OS key type
72 */
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]73 const CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]74 getAsymKeyType(KeyType keyType);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]75
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]76 /**
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]77 * @brief Convert keyClass to MAC OS key class
78 *
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]79 * @param keyClass
80 * @returns MAC OS key class
81 */
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]82 const CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]83 getKeyClass(KeyClass keyClass);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]84
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]85 /**
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]86 * @brief Convert digestAlgo to MAC OS algorithm id
87 *
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]88 * @param digestAlgo
89 * @returns MAC OS algorithm id
90 */
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]91 const CFStringRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]92 getDigestAlgorithm(DigestAlgorithm digestAlgo);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]93
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]94 /**
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]95 * @brief Get the digest size of the corresponding algorithm
96 *
97 * @param digestAlgo
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]98 * @return digest size
99 */
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]100 long
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]101 getDigestSize(DigestAlgorithm digestAlgo);
102
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]103 ///////////////////////////////////////////////
104 // everything here is public, including data //
105 ///////////////////////////////////////////////
106public:
107 SecKeychainRef m_keyChainRef;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]108 bool m_passwordSet;
109 string m_password;
110 bool m_inTerminal;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]111};
112
113
114SecTpmOsx::SecTpmOsx()
115 : m_impl(new Impl)
116{
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]117 if (m_impl->m_inTerminal)
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]118 SecKeychainSetUserInteractionAllowed(false);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]119 else
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]120 SecKeychainSetUserInteractionAllowed(true);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]121
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]122 OSStatus res = SecKeychainCopyDefault(&m_impl->m_keyChainRef);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]123
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]124 if (res == errSecNoDefaultKeychain) //If no default key chain, create one.
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]125 throw Error("No default keychain, create one first!");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]126}
127
128SecTpmOsx::~SecTpmOsx(){
129 //TODO: implement
130}
131
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]132void
133SecTpmOsx::setTpmPassword(const uint8_t* password, size_t passwordLength)
134{
135 m_impl->m_passwordSet = true;
136 memset(const_cast<char*>(m_impl->m_password.c_str()), 0, m_impl->m_password.size());
137 m_impl->m_password.clear();
138 m_impl->m_password.append(reinterpret_cast<const char*>(password), passwordLength);
139}
140
141void
142SecTpmOsx::resetTpmPassword()
143{
144 m_impl->m_passwordSet = false;
145 memset(const_cast<char*>(m_impl->m_password.c_str()), 0, m_impl->m_password.size());
146 m_impl->m_password.clear();
147}
148
149void
150SecTpmOsx::setInTerminal(bool inTerminal)
151{
152 m_impl->m_inTerminal = inTerminal;
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]153 if (inTerminal)
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]154 SecKeychainSetUserInteractionAllowed(false);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]155 else
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]156 SecKeychainSetUserInteractionAllowed(true);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]157}
158
159bool
160SecTpmOsx::getInTerminal()
161{
162 return m_impl->m_inTerminal;
163}
164
165bool
166SecTpmOsx::locked()
167{
168 SecKeychainStatus keychainStatus;
169
170 OSStatus res = SecKeychainGetStatus(m_impl->m_keyChainRef, &keychainStatus);
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]171 if (res != errSecSuccess)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]172 return true;
173 else
174 return ((kSecUnlockStateStatus & keychainStatus) == 0);
175}
176
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]177bool
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]178SecTpmOsx::unlockTpm(const char* password, size_t passwordLength, bool usePassword)
179{
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]180 OSStatus res;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]181
182 // If the default key chain is already unlocked, return immediately.
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]183 if (!locked())
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]184 return true;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]185
186 // If the default key chain is locked, unlock the key chain.
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]187 if (usePassword)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]188 {
189 // Use the supplied password.
190 res = SecKeychainUnlock(m_impl->m_keyChainRef,
191 passwordLength,
192 password,
193 true);
194 }
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]195 else if (m_impl->m_passwordSet)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]196 {
197 // If no password supplied, then use the configured password if exists.
198 SecKeychainUnlock(m_impl->m_keyChainRef,
199 m_impl->m_password.size(),
200 m_impl->m_password.c_str(),
201 true);
202 }
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]203 else if (m_impl->m_inTerminal)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]204 {
205 // If no configured password, get password from terminal if inTerminal set.
206 bool locked = true;
207 const char* fmt = "Password to unlock the default keychain: ";
208 int count = 0;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]209
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]210 while(locked)
211 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]212 if (count > 2)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]213 break;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]214
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]215 char* getPassword = 0;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]216 getPassword = getpass(fmt);
217 count++;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]218
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]219 if (!getPassword)
220 continue;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]221
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]222 res = SecKeychainUnlock(m_impl->m_keyChainRef,
223 strlen(getPassword),
224 getPassword,
225 true);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]226
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]227 memset(getPassword, 0, strlen(getPassword));
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]228
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]229 if (res == errSecSuccess)
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]230 break;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]231 }
232 }
233 else
234 {
235 // If inTerminal is not set, get the password from GUI.
236 SecKeychainUnlock(m_impl->m_keyChainRef, 0, 0, false);
237 }
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]238
239 return !locked();
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]240}
241
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]242void
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]243SecTpmOsx::generateKeyPairInTpmInternal(const Name& keyName, KeyType keyType,
244 int keySize, bool needRetry)
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]245{
246
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]247 if (doesKeyExistInTpm(keyName, KEY_CLASS_PUBLIC))
248 {
249 throw Error("keyName has existed");
250 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]251
252 string keyNameUri = m_impl->toInternalKeyName(keyName, KEY_CLASS_PUBLIC);
253
254 SecKeyRef publicKey, privateKey;
255
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]256 CFStringRef keyLabel = CFStringCreateWithCString(0,
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]257 keyNameUri.c_str(),
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]258 kCFStringEncodingUTF8);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]259
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]260 CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(0,
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]261 3,
262 &kCFTypeDictionaryKeyCallBacks,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]263 0);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]264
265 CFDictionaryAddValue(attrDict, kSecAttrKeyType, m_impl->getAsymKeyType(keyType));
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]266 CFDictionaryAddValue(attrDict, kSecAttrKeySizeInBits, CFNumberCreate(0,
267 kCFNumberIntType,
268 &keySize));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]269 CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
270
271 OSStatus res = SecKeyGeneratePair((CFDictionaryRef)attrDict, &publicKey, &privateKey);
272
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]273 if (res == errSecSuccess)
Alexander Afanasyev60c86812014-02-20 15:19:33 -0800[diff] [blame]274 {
275 CFRelease(publicKey);
276 CFRelease(privateKey);
277 return;
278 }
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]279
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]280 if (res == errSecAuthFailed && !needRetry)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]281 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]282 if (unlockTpm(0, 0, false))
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]283 generateKeyPairInTpmInternal(keyName, keyType, keySize, true);
284 else
285 throw Error("Fail to unlock the keychain");
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]286 }
287 else
288 {
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]289 throw Error("Fail to create a key pair");
290 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]291}
292
293void
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]294SecTpmOsx::deleteKeyPairInTpmInternal(const Name& keyName, bool needRetry)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]295{
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]296 CFStringRef keyLabel = CFStringCreateWithCString(0,
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]297 keyName.toUri().c_str(),
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]298 kCFStringEncodingUTF8);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]299
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]300 CFMutableDictionaryRef searchDict =
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]301 CFDictionaryCreateMutable(0, 5,
302 &kCFTypeDictionaryKeyCallBacks,
303 &kCFTypeDictionaryValueCallBacks);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]304
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]305 CFDictionaryAddValue(searchDict, kSecClass, kSecClassKey);
306 CFDictionaryAddValue(searchDict, kSecAttrLabel, keyLabel);
307 CFDictionaryAddValue(searchDict, kSecMatchLimit, kSecMatchLimitAll);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]308 OSStatus res = SecItemDelete(searchDict);
309
310 if (res == errSecSuccess)
311 return;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]312
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]313 if (res == errSecAuthFailed && !needRetry)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]314 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]315 if (unlockTpm(0, 0, false))
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]316 deleteKeyPairInTpmInternal(keyName, true);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]317 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]318}
319
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]320void
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]321SecTpmOsx::generateSymmetricKeyInTpm(const Name& keyName, KeyType keyType, int keySize)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]322{
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]323 throw Error("SecTpmOsx::generateSymmetricKeyInTpm is not supported");
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]324 // if (doesKeyExistInTpm(keyName, KEY_CLASS_SYMMETRIC))
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]325 // throw Error("keyName has existed!");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]326
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]327 // string keyNameUri = m_impl->toInternalKeyName(keyName, KEY_CLASS_SYMMETRIC);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]328
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]329 // CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(kCFAllocatorDefault,
330 // 0,
331 // &kCFTypeDictionaryKeyCallBacks,
332 // &kCFTypeDictionaryValueCallBacks);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]333
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]334 // CFStringRef keyLabel = CFStringCreateWithCString(0,
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]335 // keyNameUri.c_str(),
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]336 // kCFStringEncodingUTF8);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]337
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]338 // CFDictionaryAddValue(attrDict, kSecAttrKeyType, m_impl->getSymKeyType(keyType));
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]339 // CFDictionaryAddValue(attrDict, kSecAttrKeySizeInBits, CFNumberCreate(kCFAllocatorDefault,
340 // kCFNumberSInt32Type,
341 // &keySize));
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]342 // CFDictionaryAddValue(attrDict, kSecAttrIsPermanent, kCFBooleanTrue);
343 // CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]344
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]345 // CFErrorRef error = 0;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]346
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]347 // SecKeyRef symmetricKey = SecKeyGenerateSymmetric(attrDict, &error);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]348
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]349 // if (error)
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]350 // throw Error("Fail to create a symmetric key");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]351}
352
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]353shared_ptr<PublicKey>
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]354SecTpmOsx::getPublicKeyFromTpm(const Name& keyName)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]355{
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]356 SecKeychainItemRef publicKey = m_impl->getKey(keyName, KEY_CLASS_PUBLIC);
357
358 CFDataRef exportedKey;
359
360 OSStatus res = SecItemExport(publicKey,
361 kSecFormatOpenSSL,
362 0,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]363 0,
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]364 &exportedKey);
Alexander Afanasyev60c86812014-02-20 15:19:33 -0800[diff] [blame]365 if (res != errSecSuccess)
366 {
367 throw Error("Cannot export requested public key from OSX Keychain");
368 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]369
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]370 shared_ptr<PublicKey> key = make_shared<PublicKey>(CFDataGetBytePtr(exportedKey),
371 CFDataGetLength(exportedKey));
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]372 CFRelease(exportedKey);
373 return key;
374}
375
376ConstBufferPtr
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]377SecTpmOsx::exportPrivateKeyPkcs1FromTpmInternal(const Name& keyName, bool needRetry)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]378{
379 using namespace CryptoPP;
380
381 SecKeychainItemRef privateKey = m_impl->getKey(keyName, KEY_CLASS_PRIVATE);
382 CFDataRef exportedKey;
383 OSStatus res = SecItemExport(privateKey,
384 kSecFormatOpenSSL,
385 0,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]386 0,
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]387 &exportedKey);
388
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]389 if (res != errSecSuccess)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]390 {
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]391 if (res == errSecAuthFailed && !needRetry)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]392 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]393 if (unlockTpm(0, 0, false))
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]394 return exportPrivateKeyPkcs1FromTpmInternal(keyName, true);
395 else
396 return shared_ptr<Buffer>();
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]397 }
398 else
399 return shared_ptr<Buffer>();
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]400 }
401
402 OBufferStream pkcs1Os;
403 FileSink sink(pkcs1Os);
404
405 uint32_t version = 0;
406 OID algorithm("1.2.840.113549.1.1.1");
407 SecByteBlock rawKeyBits;
408 // PrivateKeyInfo ::= SEQUENCE {
409 // version INTEGER,
410 // privateKeyAlgorithm SEQUENCE,
411 // privateKey OCTECT STRING}
412 DERSequenceEncoder privateKeyInfo(sink);
413 {
414 DEREncodeUnsigned<uint32_t>(privateKeyInfo, version, INTEGER);
415 DERSequenceEncoder privateKeyAlgorithm(privateKeyInfo);
416 {
417 algorithm.encode(privateKeyAlgorithm);
418 DEREncodeNull(privateKeyAlgorithm);
419 }
420 privateKeyAlgorithm.MessageEnd();
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]421 DEREncodeOctetString(privateKeyInfo,
422 CFDataGetBytePtr(exportedKey),
423 CFDataGetLength(exportedKey));
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]424 }
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]425 privateKeyInfo.MessageEnd();
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]426
427 CFRelease(exportedKey);
428 return pkcs1Os.buf();
429}
430
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]431#ifdef __GNUC__
432#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6)
433#pragma GCC diagnostic push
434#endif // __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6)
435#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
436#endif // __GNUC__
437
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]438bool
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]439SecTpmOsx::importPrivateKeyPkcs1IntoTpmInternal(const Name& keyName,
440 const uint8_t* buf, size_t size,
441 bool needRetry)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]442{
443 using namespace CryptoPP;
444
445 StringSource privateKeySource(buf, size, true);
446 uint32_t tmpNum;
447 OID tmpOID;
448 SecByteBlock rawKeyBits;
449 // PrivateKeyInfo ::= SEQUENCE {
450 // INTEGER,
451 // SEQUENCE,
452 // OCTECT STRING}
453 BERSequenceDecoder privateKeyInfo(privateKeySource);
454 {
455 BERDecodeUnsigned<uint32_t>(privateKeyInfo, tmpNum, INTEGER);
456 BERSequenceDecoder sequenceDecoder(privateKeyInfo);
457 {
458 tmpOID.decode(sequenceDecoder);
459 BERDecodeNull(sequenceDecoder);
460 }
461 BERDecodeOctetString(privateKeyInfo, rawKeyBits);
462 }
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]463 privateKeyInfo.MessageEnd();
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]464
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]465 CFDataRef importedKey = CFDataCreateWithBytesNoCopy(0,
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]466 rawKeyBits.BytePtr(),
467 rawKeyBits.size(),
468 kCFAllocatorNull);
469
470 SecExternalFormat externalFormat = kSecFormatOpenSSL;
471 SecExternalItemType externalType = kSecItemTypePrivateKey;
472 SecKeyImportExportParameters keyParams;
473 memset(&keyParams, 0, sizeof(keyParams));
474 keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
475 keyParams.keyAttributes = CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_PERMANENT;
476 SecAccessRef access;
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]477 CFStringRef keyLabel = CFStringCreateWithCString(0,
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]478 keyName.toUri().c_str(),
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]479 kCFStringEncodingUTF8);
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]480 SecAccessCreate(keyLabel, 0, &access);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]481 keyParams.accessRef = access;
482 CFArrayRef outItems;
483
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]484#ifdef __clang__
Junxiao Shi482ccc52014-03-31 13:05:24 -0700[diff] [blame]485#pragma clang diagnostic push
486#pragma clang diagnostic ignored "-Wdeprecated-declarations"
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]487#endif // __clang__
488
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]489 OSStatus res = SecKeychainItemImport (importedKey,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]490 0,
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]491 &externalFormat,
492 &externalType,
493 0,
494 &keyParams,
495 m_impl->m_keyChainRef,
496 &outItems);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]497
498#ifdef __clang__
Junxiao Shi482ccc52014-03-31 13:05:24 -0700[diff] [blame]499#pragma clang diagnostic pop
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]500#endif // __clang__
501
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]502 if (res != errSecSuccess)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]503 {
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]504 if (res == errSecAuthFailed && !needRetry)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]505 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]506 if (unlockTpm(0, 0, false))
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]507 return importPrivateKeyPkcs1IntoTpmInternal(keyName, buf, size, true);
508 else
509 return false;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]510 }
511 else
512 return false;
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]513 }
514
515 SecKeychainItemRef privateKey = (SecKeychainItemRef)CFArrayGetValueAtIndex(outItems, 0);
516 SecKeychainAttribute attrs[1]; // maximum number of attributes
517 SecKeychainAttributeList attrList = { 0, attrs };
518 string keyUri = keyName.toUri();
519 {
520 attrs[attrList.count].tag = kSecKeyPrintName;
521 attrs[attrList.count].length = keyUri.size();
522 attrs[attrList.count].data = (void *)keyUri.c_str();
523 attrList.count++;
524 }
525
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]526 res = SecKeychainItemModifyAttributesAndData(privateKey,
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]527 &attrList,
528 0,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]529 0);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]530
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]531 if (res != errSecSuccess)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]532 {
533 return false;
534 }
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]535
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]536 CFRelease(importedKey);
537 return true;
538}
539
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]540#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6)
541#pragma GCC diagnostic pop
542#endif // __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6)
543
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]544bool
545SecTpmOsx::importPublicKeyPkcs1IntoTpm(const Name& keyName, const uint8_t* buf, size_t size)
546{
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]547 CFDataRef importedKey = CFDataCreateWithBytesNoCopy(0,
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]548 buf,
549 size,
550 kCFAllocatorNull);
551
552 SecExternalFormat externalFormat = kSecFormatOpenSSL;
553 SecExternalItemType externalType = kSecItemTypePublicKey;
554 CFArrayRef outItems;
555
556 OSStatus res = SecItemImport (importedKey,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]557 0,
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]558 &externalFormat,
559 &externalType,
560 0,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]561 0,
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]562 m_impl->m_keyChainRef,
563 &outItems);
564
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]565 if (res != errSecSuccess)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]566 return false;
567
568 SecKeychainItemRef publicKey = (SecKeychainItemRef)CFArrayGetValueAtIndex(outItems, 0);
569 SecKeychainAttribute attrs[1]; // maximum number of attributes
570 SecKeychainAttributeList attrList = { 0, attrs };
571 string keyUri = keyName.toUri();
572 {
573 attrs[attrList.count].tag = kSecKeyPrintName;
574 attrs[attrList.count].length = keyUri.size();
575 attrs[attrList.count].data = (void *)keyUri.c_str();
576 attrList.count++;
577 }
578
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]579 res = SecKeychainItemModifyAttributesAndData(publicKey,
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]580 &attrList,
581 0,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]582 0);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]583
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]584 if (res != errSecSuccess)
Alexander Afanasyev60c86812014-02-20 15:19:33 -0800[diff] [blame]585 return false;
586
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]587 CFRelease(importedKey);
588 return true;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]589}
590
591Block
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]592SecTpmOsx::signInTpmInternal(const uint8_t* data, size_t dataLength,
593 const Name& keyName, DigestAlgorithm digestAlgorithm, bool needRetry)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]594{
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]595 CFDataRef dataRef = CFDataCreateWithBytesNoCopy(0,
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]596 data,
597 dataLength,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]598 kCFAllocatorNull);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]599
600 SecKeyRef privateKey = (SecKeyRef)m_impl->getKey(keyName, KEY_CLASS_PRIVATE);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]601
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]602 CFErrorRef error;
603 SecTransformRef signer = SecSignTransformCreate((SecKeyRef)privateKey, &error);
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]604 if (error)
605 throw Error("Fail to create signer");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]606
607 // Set input
608 Boolean set_res = SecTransformSetAttribute(signer,
609 kSecTransformInputAttributeName,
610 dataRef,
611 &error);
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]612 if (error)
613 throw Error("Fail to configure input of signer");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]614
615 // Enable use of padding
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]616 SecTransformSetAttribute(signer,
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]617 kSecPaddingKey,
618 kSecPaddingPKCS1Key,
619 &error);
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]620 if (error)
621 throw Error("Fail to configure digest algorithm of signer");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]622
623 // Set padding type
624 set_res = SecTransformSetAttribute(signer,
625 kSecDigestTypeAttribute,
626 m_impl->getDigestAlgorithm(digestAlgorithm),
627 &error);
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]628 if (error)
629 throw Error("Fail to configure digest algorithm of signer");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]630
631 // Set padding attribute
632 long digestSize = m_impl->getDigestSize(digestAlgorithm);
633 set_res = SecTransformSetAttribute(signer,
634 kSecDigestLengthAttribute,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]635 CFNumberCreate(0, kCFNumberLongType, &digestSize),
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]636 &error);
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]637 if (error)
638 throw Error("Fail to configure digest size of signer");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]639
640 // Actually sign
641 CFDataRef signature = (CFDataRef) SecTransformExecute(signer, &error);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]642 if (error)
643 {
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]644 if (!needRetry)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]645 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]646 if (unlockTpm(0, 0, false))
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]647 return signInTpmInternal(data, dataLength, keyName, digestAlgorithm, true);
648 else
649 throw Error("Fail to unlock the keychain");
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]650 }
651 else
652 {
653 CFShow(error);
654 throw Error("Fail to sign data");
655 }
656 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]657
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]658 if (!signature)
659 throw Error("Signature is NULL!\n");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]660
661 return Block(Tlv::SignatureValue,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]662 make_shared<Buffer>(CFDataGetBytePtr(signature), CFDataGetLength(signature)));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]663}
664
665ConstBufferPtr
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]666SecTpmOsx::decryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool sym)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]667{
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]668 throw Error("SecTpmOsx::decryptInTpm is not supported");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]669
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]670 // KeyClass keyClass;
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]671 // if (sym)
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]672 // keyClass = KEY_CLASS_SYMMETRIC;
673 // else
674 // keyClass = KEY_CLASS_PRIVATE;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]675
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]676 // CFDataRef dataRef = CFDataCreate(0,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]677 // reinterpret_cast<const unsigned char*>(data),
678 // dataLength
679 // );
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]680
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]681 // SecKeyRef decryptKey = (SecKeyRef)m_impl->getKey(keyName, keyClass);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]682
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]683 // CFErrorRef error;
684 // SecTransformRef decrypt = SecDecryptTransformCreate(decryptKey, &error);
685 // if (error) throw Error("Fail to create decrypt");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]686
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]687 // Boolean set_res = SecTransformSetAttribute(decrypt,
688 // kSecTransformInputAttributeName,
689 // dataRef,
690 // &error);
691 // if (error) throw Error("Fail to configure decrypt");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]692
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]693 // CFDataRef output = (CFDataRef) SecTransformExecute(decrypt, &error);
694 // if (error)
695 // {
696 // CFShow(error);
697 // throw Error("Fail to decrypt data");
698 // }
699 // if (!output) throw Error("Output is NULL!\n");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]700
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]701 // return make_shared<Buffer>(CFDataGetBytePtr(output), CFDataGetLength(output));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]702}
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]703
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]704void
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]705SecTpmOsx::addAppToACL(const Name& keyName, KeyClass keyClass, const string& appPath, AclType acl)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]706{
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]707 if (keyClass == KEY_CLASS_PRIVATE && acl == ACL_TYPE_PRIVATE)
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]708 {
709 SecKeychainItemRef privateKey = m_impl->getKey(keyName, keyClass);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]710
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]711 SecAccessRef accRef;
712 OSStatus acc_res = SecKeychainItemCopyAccess(privateKey, &accRef);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]713
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]714 CFArrayRef signACL = SecAccessCopyMatchingACLList(accRef,
715 kSecACLAuthorizationSign);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]716
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]717 SecACLRef aclRef = (SecACLRef) CFArrayGetValueAtIndex(signACL, 0);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]718
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]719 CFArrayRef appList;
720 CFStringRef description;
721 SecKeychainPromptSelector promptSelector;
722 OSStatus acl_res = SecACLCopyContents(aclRef,
723 &appList,
724 &description,
725 &promptSelector);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]726
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]727 CFMutableArrayRef newAppList = CFArrayCreateMutableCopy(0,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]728 0,
729 appList);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]730
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]731 SecTrustedApplicationRef trustedApp;
732 acl_res = SecTrustedApplicationCreateFromPath(appPath.c_str(),
733 &trustedApp);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]734
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]735 CFArrayAppendValue(newAppList, trustedApp);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]736
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]737 acl_res = SecACLSetContents(aclRef,
738 newAppList,
739 description,
740 promptSelector);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]741
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]742 acc_res = SecKeychainItemSetAccess(privateKey, accRef);
743 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]744}
745
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]746ConstBufferPtr
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]747SecTpmOsx::encryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool sym)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]748{
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]749 throw Error("SecTpmOsx::encryptInTpm is not supported");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]750
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]751 // KeyClass keyClass;
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]752 // if (sym)
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]753 // keyClass = KEY_CLASS_SYMMETRIC;
754 // else
755 // keyClass = KEY_CLASS_PUBLIC;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]756
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]757 // CFDataRef dataRef = CFDataCreate(0,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]758 // reinterpret_cast<const unsigned char*>(data),
759 // dataLength
760 // );
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]761
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]762 // SecKeyRef encryptKey = (SecKeyRef)m_impl->getKey(keyName, keyClass);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]763
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]764 // CFErrorRef error;
765 // SecTransformRef encrypt = SecEncryptTransformCreate(encryptKey, &error);
766 // if (error) throw Error("Fail to create encrypt");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]767
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]768 // Boolean set_res = SecTransformSetAttribute(encrypt,
769 // kSecTransformInputAttributeName,
770 // dataRef,
771 // &error);
772 // if (error) throw Error("Fail to configure encrypt");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]773
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]774 // CFDataRef output = (CFDataRef) SecTransformExecute(encrypt, &error);
775 // if (error) throw Error("Fail to encrypt data");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]776
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]777 // if (!output) throw Error("Output is NULL!\n");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]778
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]779 // return make_shared<Buffer> (CFDataGetBytePtr(output), CFDataGetLength(output));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]780}
781
782bool
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]783SecTpmOsx::doesKeyExistInTpm(const Name& keyName, KeyClass keyClass)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]784{
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]785 string keyNameUri = m_impl->toInternalKeyName(keyName, keyClass);
786
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]787 CFStringRef keyLabel = CFStringCreateWithCString(0,
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]788 keyNameUri.c_str(),
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]789 kCFStringEncodingUTF8);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]790
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]791 CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(0,
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]792 4,
793 &kCFTypeDictionaryKeyCallBacks,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]794 0);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]795
796 CFDictionaryAddValue(attrDict, kSecClass, kSecClassKey);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]797 // CFDictionaryAddValue(attrDict, kSecAttrKeyClass, m_impl->getKeyClass(keyClass));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]798 CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
799 CFDictionaryAddValue(attrDict, kSecReturnRef, kCFBooleanTrue);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]800
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]801 SecKeychainItemRef itemRef;
802 OSStatus res = SecItemCopyMatching((CFDictionaryRef)attrDict, (CFTypeRef*)&itemRef);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]803
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]804 if (res == errSecSuccess)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]805 return true;
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]806 else
807 return false;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]808
809}
810
Yingdi Yu4b752752014-02-18 12:24:03 -0800[diff] [blame]811bool
812SecTpmOsx::generateRandomBlock(uint8_t* res, size_t size)
813{
814 return (SecRandomCopyBytes(kSecRandomDefault, size, res) == 0);
815}
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]816
817////////////////////////////////
818// OSXPrivateKeyStorage::Impl //
819////////////////////////////////
820
821SecKeychainItemRef
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]822SecTpmOsx::Impl::getKey(const Name& keyName, KeyClass keyClass)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]823{
824 string keyNameUri = toInternalKeyName(keyName, keyClass);
825
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]826 CFStringRef keyLabel = CFStringCreateWithCString(0,
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]827 keyNameUri.c_str(),
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]828 kCFStringEncodingUTF8);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]829
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]830 CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(0,
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]831 5,
832 &kCFTypeDictionaryKeyCallBacks,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]833 0);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]834
835 CFDictionaryAddValue(attrDict, kSecClass, kSecClassKey);
836 CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
837 CFDictionaryAddValue(attrDict, kSecAttrKeyClass, getKeyClass(keyClass));
838 CFDictionaryAddValue(attrDict, kSecReturnRef, kCFBooleanTrue);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]839
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]840 SecKeychainItemRef keyItem;
841
842 OSStatus res = SecItemCopyMatching((CFDictionaryRef) attrDict, (CFTypeRef*)&keyItem);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]843
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]844 if (res != errSecSuccess)
845 return 0;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]846 else
847 return keyItem;
848}
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]849
850string
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]851SecTpmOsx::Impl::toInternalKeyName(const Name& keyName, KeyClass keyClass)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]852{
853 string keyUri = keyName.toUri();
854
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]855 if (KEY_CLASS_SYMMETRIC == keyClass)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]856 return keyUri + "/symmetric";
857 else
858 return keyUri;
859}
860
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]861const CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]862SecTpmOsx::Impl::getAsymKeyType(KeyType keyType)
863{
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]864 switch (keyType){
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]865 case KEY_TYPE_RSA:
866 return kSecAttrKeyTypeRSA;
867 default:
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]868 return 0;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]869 }
870}
871
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]872const CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]873SecTpmOsx::Impl::getSymKeyType(KeyType keyType)
874{
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]875 switch (keyType){
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]876 case KEY_TYPE_AES:
877 return kSecAttrKeyTypeAES;
878 default:
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]879 return 0;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]880 }
881}
882
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]883const CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]884SecTpmOsx::Impl::getKeyClass(KeyClass keyClass)
885{
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]886 switch (keyClass){
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]887 case KEY_CLASS_PRIVATE:
888 return kSecAttrKeyClassPrivate;
889 case KEY_CLASS_PUBLIC:
890 return kSecAttrKeyClassPublic;
891 case KEY_CLASS_SYMMETRIC:
892 return kSecAttrKeyClassSymmetric;
893 default:
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]894 return 0;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]895 }
896}
897
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]898const CFStringRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]899SecTpmOsx::Impl::getDigestAlgorithm(DigestAlgorithm digestAlgo)
900{
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]901 switch (digestAlgo){
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]902 // case DIGEST_MD2:
903 // return kSecDigestMD2;
904 // case DIGEST_MD5:
905 // return kSecDigestMD5;
906 // case DIGEST_SHA1:
907 // return kSecDigestSHA1;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]908 case DIGEST_ALGORITHM_SHA256:
909 return kSecDigestSHA2;
910 default:
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame^]911 return 0;
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]912 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]913}
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]914
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]915long
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]916SecTpmOsx::Impl::getDigestSize(DigestAlgorithm digestAlgo)
917{
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]918 switch (digestAlgo){
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]919 case DIGEST_ALGORITHM_SHA256:
920 return 256;
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]921 // case DIGEST_SHA1:
922 // case DIGEST_MD2:
923 // case DIGEST_MD5:
924 // return 0;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]925 default:
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]926 return -1;
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]927 }
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]928}
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]929
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]930} // namespace ndn