Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / 1349d2d72edad85e0fc264818543d7683de31a49 / . / src / security / sec-tpm-osx.cpp
blob: 04445c3e789cfdd0e876ab3a881e43376f5d5049 [file] [log] [blame]
Alexander Afanasyevc169a812014-05-20 20:37:29 -0400[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]2/**
Alexander Afanasyevaf99f462015-01-19 21:43:09 -0800[diff] [blame]3 * Copyright (c) 2013-2015 Regents of the University of California.
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -0700[diff] [blame]4 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -0700[diff] [blame]6 *
Alexander Afanasyevc169a812014-05-20 20:37:29 -0400[diff] [blame]7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -0700[diff] [blame]20 *
21 * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]22 */
23
Alexander Afanasyev19508852014-01-29 01:01:51 -0800[diff] [blame]24#include "sec-tpm-osx.hpp"
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700[diff] [blame]25#include "public-key.hpp"
Alexander Afanasyev07113802015-01-15 19:14:36 -0800[diff] [blame]26
Alexander Afanasyev258ec2b2014-05-14 16:15:37 -0700[diff] [blame]27#include "../encoding/oid.hpp"
28#include "../encoding/buffer-stream.hpp"
Junxiao Shi482ccc52014-03-31 13:05:24 -0700[diff] [blame]29#include "cryptopp.hpp"
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]30
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]31#include <pwd.h>
32#include <unistd.h>
33#include <stdlib.h>
34#include <string.h>
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]35
Alexander Afanasyev1c6976d2014-07-13 11:40:50 -0700[diff] [blame]36#include <boost/lexical_cast.hpp>
37
Alexander Afanasyev04b22a92014-01-05 22:40:17 -0800[diff] [blame]38#include <CoreFoundation/CoreFoundation.h>
39#include <Security/Security.h>
Yingdi Yu4b752752014-02-18 12:24:03 -0800[diff] [blame]40#include <Security/SecRandom.h>
Alexander Afanasyev04b22a92014-01-05 22:40:17 -0800[diff] [blame]41#include <CoreServices/CoreServices.h>
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]42
Alexander Afanasyev59d67a52014-04-03 16:09:31 -0700[diff] [blame]43#include <Security/SecDigestTransform.h>
44
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]45namespace ndn {
46
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]47using std::string;
48
Alexander Afanasyev07113802015-01-15 19:14:36 -0800[diff] [blame]49const std::string SecTpmOsx::SCHEME("tpm-osxkeychain");
Yingdi Yu41546342014-11-30 23:37:53 -0800[diff] [blame]50
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]51/**
52 * @brief Helper class to wrap CoreFoundation object pointers
53 *
54 * The class is similar in spirit to shared_ptr, but uses CoreFoundation
55 * mechanisms to retain/release object.
56 *
57 * Original implementation by Christopher Hunt and it was borrowed from
58 * http://www.cocoabuilder.com/archive/cocoa/130776-auto-cfrelease-and.html
59 */
60template<class T>
61class CFReleaser
62{
63public:
64 //////////////////////////////
65 // Construction/destruction //
66
67 CFReleaser()
68 : m_typeRef(0)
69 {
70 }
71
72 CFReleaser(const T& typeRef)
73 : m_typeRef(typeRef)
74 {
75 }
76
77 CFReleaser(const CFReleaser& inReleaser)
78 : m_typeRef(0)
79 {
80 retain(inReleaser.m_typeRef);
81 }
82
83 CFReleaser&
84 operator=(const T& typeRef)
85 {
86 if (typeRef != m_typeRef) {
87 release();
88 m_typeRef = typeRef;
89 }
90 return *this;
91 }
92
93 CFReleaser&
94 operator=(const CFReleaser& inReleaser)
95 {
96 retain(inReleaser.m_typeRef);
97 return *this;
98 }
99
100 ~CFReleaser()
101 {
102 release();
103 }
104
105 ////////////
106 // Access //
107
108 // operator const T&() const
109 // {
110 // return m_typeRef;
111 // }
112
113 // operator T&()
114 // {
115 // return m_typeRef;
116 // }
117
118 const T&
119 get() const
120 {
121 return m_typeRef;
122 }
123
124 T&
125 get()
126 {
127 return m_typeRef;
128 }
129
130 ///////////////////
131 // Miscellaneous //
132
133 void
134 retain(const T& typeRef)
135 {
136 if (typeRef != 0) {
137 CFRetain(typeRef);
138 }
139 release();
140 m_typeRef = typeRef;
141 }
142
143 void release()
144 {
145 if (m_typeRef != 0) {
146 CFRelease(m_typeRef);
147 m_typeRef = 0;
148 }
149 };
150
151private:
152 T m_typeRef;
153};
154
155
Alexander Afanasyev2a7f7202014-04-23 14:25:29 -0700[diff] [blame]156class SecTpmOsx::Impl
157{
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]158public:
159 Impl()
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]160 : m_passwordSet(false)
161 , m_inTerminal(false)
Alexander Afanasyev2a7f7202014-04-23 14:25:29 -0700[diff] [blame]162 {
163 }
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]164
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]165 /**
166 * @brief Convert NDN name of a key to internal name of the key.
167 *
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]168 * @return the internal key name
169 */
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]170 std::string
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]171 toInternalKeyName(const Name& keyName, KeyClass keyClass);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]172
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]173 /**
174 * @brief Get key.
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]175 *
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]176 * @returns pointer to the key
177 */
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]178 CFReleaser<SecKeychainItemRef>
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]179 getKey(const Name& keyName, KeyClass keyClass);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]180
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]181 /**
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]182 * @brief Convert keyType to MAC OS symmetric key key type
183 *
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]184 * @returns MAC OS key type
185 */
Alexander Afanasyev24b75c82014-05-31 15:59:31 +0300[diff] [blame]186 CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]187 getSymKeyType(KeyType keyType);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]188
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]189 /**
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]190 * @brief Convert keyType to MAC OS asymmetirc key type
191 *
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]192 * @returns MAC OS key type
193 */
Alexander Afanasyev24b75c82014-05-31 15:59:31 +0300[diff] [blame]194 CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]195 getAsymKeyType(KeyType keyType);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]196
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]197 /**
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]198 * @brief Convert keyClass to MAC OS key class
199 *
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]200 * @returns MAC OS key class
201 */
Alexander Afanasyev24b75c82014-05-31 15:59:31 +0300[diff] [blame]202 CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]203 getKeyClass(KeyClass keyClass);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]204
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]205 /**
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]206 * @brief Convert digestAlgo to MAC OS algorithm id
207 *
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]208 * @returns MAC OS algorithm id
209 */
Alexander Afanasyev24b75c82014-05-31 15:59:31 +0300[diff] [blame]210 CFStringRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]211 getDigestAlgorithm(DigestAlgorithm digestAlgo);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]212
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]213 /**
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]214 * @brief Get the digest size of the corresponding algorithm
215 *
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]216 * @return digest size
217 */
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]218 long
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]219 getDigestSize(DigestAlgorithm digestAlgo);
220
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]221 ///////////////////////////////////////////////
222 // everything here is public, including data //
223 ///////////////////////////////////////////////
224public:
225 SecKeychainRef m_keyChainRef;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]226 bool m_passwordSet;
227 string m_password;
228 bool m_inTerminal;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]229};
230
Yingdi Yu41546342014-11-30 23:37:53 -0800[diff] [blame]231SecTpmOsx::SecTpmOsx(const std::string& location)
232 : SecTpm(location)
233 , m_impl(new Impl)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]234{
Yingdi Yu41546342014-11-30 23:37:53 -0800[diff] [blame]235 // TODO: add location support
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]236 if (m_impl->m_inTerminal)
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]237 SecKeychainSetUserInteractionAllowed(false);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]238 else
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]239 SecKeychainSetUserInteractionAllowed(true);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]240
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]241 OSStatus res = SecKeychainCopyDefault(&m_impl->m_keyChainRef);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]242
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]243 if (res == errSecNoDefaultKeychain) //If no default key chain, create one.
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]244 BOOST_THROW_EXCEPTION(Error("No default keychain, please create one first"));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]245}
246
Yingdi Yu41546342014-11-30 23:37:53 -0800[diff] [blame]247SecTpmOsx::~SecTpmOsx()
248{
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]249}
250
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]251void
252SecTpmOsx::setTpmPassword(const uint8_t* password, size_t passwordLength)
253{
254 m_impl->m_passwordSet = true;
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]255 std::fill(m_impl->m_password.begin(), m_impl->m_password.end(), 0);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]256 m_impl->m_password.clear();
257 m_impl->m_password.append(reinterpret_cast<const char*>(password), passwordLength);
258}
259
260void
261SecTpmOsx::resetTpmPassword()
262{
263 m_impl->m_passwordSet = false;
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]264 std::fill(m_impl->m_password.begin(), m_impl->m_password.end(), 0);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]265 m_impl->m_password.clear();
266}
267
268void
269SecTpmOsx::setInTerminal(bool inTerminal)
270{
271 m_impl->m_inTerminal = inTerminal;
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]272 if (inTerminal)
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]273 SecKeychainSetUserInteractionAllowed(false);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]274 else
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]275 SecKeychainSetUserInteractionAllowed(true);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]276}
277
278bool
Alexander Afanasyev770827c2014-05-13 17:42:55 -0700[diff] [blame]279SecTpmOsx::getInTerminal() const
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]280{
281 return m_impl->m_inTerminal;
282}
283
284bool
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700[diff] [blame]285SecTpmOsx::isLocked()
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]286{
287 SecKeychainStatus keychainStatus;
288
289 OSStatus res = SecKeychainGetStatus(m_impl->m_keyChainRef, &keychainStatus);
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]290 if (res != errSecSuccess)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]291 return true;
292 else
293 return ((kSecUnlockStateStatus & keychainStatus) == 0);
294}
295
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]296bool
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]297SecTpmOsx::unlockTpm(const char* password, size_t passwordLength, bool usePassword)
298{
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]299 OSStatus res;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]300
301 // If the default key chain is already unlocked, return immediately.
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700[diff] [blame]302 if (!isLocked())
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]303 return true;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]304
305 // If the default key chain is locked, unlock the key chain.
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]306 if (usePassword)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]307 {
308 // Use the supplied password.
309 res = SecKeychainUnlock(m_impl->m_keyChainRef,
310 passwordLength,
311 password,
312 true);
313 }
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]314 else if (m_impl->m_passwordSet)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]315 {
316 // If no password supplied, then use the configured password if exists.
317 SecKeychainUnlock(m_impl->m_keyChainRef,
318 m_impl->m_password.size(),
319 m_impl->m_password.c_str(),
320 true);
321 }
Alexander Afanasyevcf3a6672015-02-01 20:33:22 -0800[diff] [blame]322#ifdef NDN_CXX_HAVE_GETPASS
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]323 else if (m_impl->m_inTerminal)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]324 {
325 // If no configured password, get password from terminal if inTerminal set.
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700[diff] [blame]326 bool isLocked = true;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]327 const char* fmt = "Password to unlock the default keychain: ";
328 int count = 0;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]329
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700[diff] [blame]330 while (isLocked)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]331 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]332 if (count > 2)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]333 break;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]334
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]335 char* getPassword = 0;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]336 getPassword = getpass(fmt);
337 count++;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]338
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]339 if (!getPassword)
340 continue;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]341
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]342 res = SecKeychainUnlock(m_impl->m_keyChainRef,
343 strlen(getPassword),
344 getPassword,
345 true);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]346
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]347 memset(getPassword, 0, strlen(getPassword));
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]348
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]349 if (res == errSecSuccess)
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]350 break;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]351 }
352 }
Alexander Afanasyevcf3a6672015-02-01 20:33:22 -0800[diff] [blame]353#endif // NDN_CXX_HAVE_GETPASS
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]354 else
355 {
356 // If inTerminal is not set, get the password from GUI.
357 SecKeychainUnlock(m_impl->m_keyChainRef, 0, 0, false);
358 }
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]359
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700[diff] [blame]360 return !isLocked();
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]361}
362
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]363void
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]364SecTpmOsx::generateKeyPairInTpmInternal(const Name& keyName,
365 const KeyParams& params,
366 bool needRetry)
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]367{
368
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]369 if (doesKeyExistInTpm(keyName, KEY_CLASS_PUBLIC))
370 {
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]371 BOOST_THROW_EXCEPTION(Error("keyName already exists"));
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]372 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]373
374 string keyNameUri = m_impl->toInternalKeyName(keyName, KEY_CLASS_PUBLIC);
375
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]376 CFReleaser<CFStringRef> keyLabel =
377 CFStringCreateWithCString(0,
378 keyNameUri.c_str(),
379 kCFStringEncodingUTF8);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]380
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]381 CFReleaser<CFMutableDictionaryRef> attrDict =
382 CFDictionaryCreateMutable(0,
383 3,
384 &kCFTypeDictionaryKeyCallBacks,
385 0);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]386
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]387 KeyType keyType = params.getKeyType();
388 uint32_t keySize;
389 switch (keyType)
390 {
391 case KEY_TYPE_RSA:
392 {
393 const RsaKeyParams& rsaParams = static_cast<const RsaKeyParams&>(params);
394 keySize = rsaParams.getKeySize();
395 break;
396 }
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]397 case KEY_TYPE_ECDSA:
398 {
399 const EcdsaKeyParams& ecdsaParams = static_cast<const EcdsaKeyParams&>(params);
400 keySize = ecdsaParams.getKeySize();
401 break;
402 }
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]403 default:
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]404 BOOST_THROW_EXCEPTION(Error("Fail to create a key pair: Unsupported key type"));
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]405 }
406
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]407 CFReleaser<CFNumberRef> cfKeySize = CFNumberCreate(0, kCFNumberIntType, &keySize);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]408
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]409 CFDictionaryAddValue(attrDict.get(), kSecAttrKeyType, m_impl->getAsymKeyType(keyType));
410 CFDictionaryAddValue(attrDict.get(), kSecAttrKeySizeInBits, cfKeySize.get());
411 CFDictionaryAddValue(attrDict.get(), kSecAttrLabel, keyLabel.get());
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]412
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]413 CFReleaser<SecKeyRef> publicKey, privateKey;
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]414 // C-style cast is used as per Apple convention
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]415 OSStatus res = SecKeyGeneratePair((CFDictionaryRef)attrDict.get(),
416 &publicKey.get(), &privateKey.get());
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]417
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]418 if (res == errSecSuccess)
Alexander Afanasyev60c86812014-02-20 15:19:33 -0800[diff] [blame]419 {
Alexander Afanasyev60c86812014-02-20 15:19:33 -0800[diff] [blame]420 return;
421 }
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]422
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]423 if (res == errSecAuthFailed && !needRetry)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]424 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]425 if (unlockTpm(0, 0, false))
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]426 generateKeyPairInTpmInternal(keyName, params, true);
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]427 else
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]428 BOOST_THROW_EXCEPTION(Error("Fail to unlock the keychain"));
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]429 }
430 else
431 {
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]432 BOOST_THROW_EXCEPTION(Error("Fail to create a key pair"));
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]433 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]434}
435
436void
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]437SecTpmOsx::deleteKeyPairInTpmInternal(const Name& keyName, bool needRetry)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]438{
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]439 CFReleaser<CFStringRef> keyLabel =
440 CFStringCreateWithCString(0,
441 keyName.toUri().c_str(),
442 kCFStringEncodingUTF8);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]443
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]444 CFReleaser<CFMutableDictionaryRef> searchDict =
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]445 CFDictionaryCreateMutable(0, 5,
446 &kCFTypeDictionaryKeyCallBacks,
447 &kCFTypeDictionaryValueCallBacks);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]448
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]449 CFDictionaryAddValue(searchDict.get(), kSecClass, kSecClassKey);
450 CFDictionaryAddValue(searchDict.get(), kSecAttrLabel, keyLabel.get());
451 CFDictionaryAddValue(searchDict.get(), kSecMatchLimit, kSecMatchLimitAll);
452 OSStatus res = SecItemDelete(searchDict.get());
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]453
454 if (res == errSecSuccess)
455 return;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]456
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]457 if (res == errSecAuthFailed && !needRetry)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]458 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]459 if (unlockTpm(0, 0, false))
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]460 deleteKeyPairInTpmInternal(keyName, true);
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]461 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]462}
463
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]464void
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]465SecTpmOsx::generateSymmetricKeyInTpm(const Name& keyName, const KeyParams& params)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]466{
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]467 BOOST_THROW_EXCEPTION(Error("SecTpmOsx::generateSymmetricKeyInTpm is not supported"));
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]468 // if (doesKeyExistInTpm(keyName, KEY_CLASS_SYMMETRIC))
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]469 // throw Error("keyName has existed!");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]470
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]471 // string keyNameUri = m_impl->toInternalKeyName(keyName, KEY_CLASS_SYMMETRIC);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]472
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]473 // CFReleaser<CFMutableDictionaryRef> attrDict =
474 // CFDictionaryCreateMutable(kCFAllocatorDefault,
475 // 0,
476 // &kCFTypeDictionaryKeyCallBacks,
477 // &kCFTypeDictionaryValueCallBacks);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]478
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]479 // CFReleaser<CFStringRef> keyLabel =
480 // CFStringCreateWithCString(0,
481 // keyNameUri.c_str(),
482 // kCFStringEncodingUTF8);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]483
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]484 // CFReleaser<CFNumberRef> cfKeySize = CFNumberCreate(0, kCFNumberIntType, &keySize);
485
486 // CFDictionaryAddValue(attrDict.get(), kSecAttrKeyType, m_impl->getSymKeyType(keyType));
487 // CFDictionaryAddValue(attrDict.get(), kSecAttrKeySizeInBits, cfKeySize.get());
488 // CFDictionaryAddValue(attrDict.get(), kSecAttrIsPermanent, kCFBooleanTrue);
489 // CFDictionaryAddValue(attrDict.get(), kSecAttrLabel, keyLabel.get());
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]490
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]491 // CFErrorRef error = 0;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]492
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]493 // SecKeyRef symmetricKey = SecKeyGenerateSymmetric(attrDict, &error);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]494
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]495 // if (error)
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]496 // throw Error("Fail to create a symmetric key");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]497}
498
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]499shared_ptr<PublicKey>
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]500SecTpmOsx::getPublicKeyFromTpm(const Name& keyName)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]501{
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]502 CFReleaser<SecKeychainItemRef> publicKey = m_impl->getKey(keyName, KEY_CLASS_PUBLIC);
503 if (publicKey.get() == 0)
504 {
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]505 BOOST_THROW_EXCEPTION(Error("Requested public key [" + keyName.toUri() + "] does not exist "
506 "in OSX Keychain"));
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]507 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]508
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]509 CFReleaser<CFDataRef> exportedKey;
510 OSStatus res = SecItemExport(publicKey.get(),
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]511 kSecFormatOpenSSL,
512 0,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]513 0,
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]514 &exportedKey.get());
Alexander Afanasyev60c86812014-02-20 15:19:33 -0800[diff] [blame]515 if (res != errSecSuccess)
516 {
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]517 BOOST_THROW_EXCEPTION(Error("Cannot export requested public key from OSX Keychain"));
Alexander Afanasyev60c86812014-02-20 15:19:33 -0800[diff] [blame]518 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]519
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]520 shared_ptr<PublicKey> key = make_shared<PublicKey>(CFDataGetBytePtr(exportedKey.get()),
521 CFDataGetLength(exportedKey.get()));
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]522 return key;
523}
524
Yingdi Yu41546342014-11-30 23:37:53 -0800[diff] [blame]525std::string
526SecTpmOsx::getScheme()
527{
528 return SCHEME;
529}
530
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]531ConstBufferPtr
Yingdi Yu5e96e002014-04-23 18:32:15 -0700[diff] [blame]532SecTpmOsx::exportPrivateKeyPkcs8FromTpmInternal(const Name& keyName, bool needRetry)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]533{
534 using namespace CryptoPP;
535
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]536 CFReleaser<SecKeychainItemRef> privateKey = m_impl->getKey(keyName, KEY_CLASS_PRIVATE);
537 if (privateKey.get() == 0)
538 {
539 /// @todo Can this happen because of keychain is locked?
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]540 BOOST_THROW_EXCEPTION(Error("Private key [" + keyName.toUri() + "] does not exist "
541 "in OSX Keychain"));
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]542 }
543
Yingdi Yu9d9d5992014-06-25 12:25:16 -0700[diff] [blame]544 shared_ptr<PublicKey> publicKey = getPublicKeyFromTpm(keyName);
545
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]546 CFReleaser<CFDataRef> exportedKey;
547 OSStatus res = SecItemExport(privateKey.get(),
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]548 kSecFormatOpenSSL,
549 0,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]550 0,
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]551 &exportedKey.get());
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]552
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]553 if (res != errSecSuccess)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]554 {
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]555 if (res == errSecAuthFailed && !needRetry)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]556 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]557 if (unlockTpm(0, 0, false))
Yingdi Yu5e96e002014-04-23 18:32:15 -0700[diff] [blame]558 return exportPrivateKeyPkcs8FromTpmInternal(keyName, true);
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]559 else
560 return shared_ptr<Buffer>();
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]561 }
562 else
563 return shared_ptr<Buffer>();
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]564 }
565
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]566 uint32_t version = 0;
Yingdi Yu9d9d5992014-06-25 12:25:16 -0700[diff] [blame]567 OID algorithm;
568 bool hasParameters = false;
569 OID algorithmParameter;
570 switch (publicKey->getKeyType()) {
571 case KEY_TYPE_RSA:
572 {
573 algorithm = oid::RSA; // "RSA encryption"
574 hasParameters = false;
575 break;
576 }
577 case KEY_TYPE_ECDSA:
578 {
579 // "ECDSA encryption"
580 StringSource src(publicKey->get().buf(), publicKey->get().size(), true);
581 BERSequenceDecoder subjectPublicKeyInfo(src);
582 {
583 BERSequenceDecoder algorithmInfo(subjectPublicKeyInfo);
584 {
585 algorithm.decode(algorithmInfo);
586 algorithmParameter.decode(algorithmInfo);
587 }
588 }
589 hasParameters = true;
590 break;
591 }
592 default:
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]593 BOOST_THROW_EXCEPTION(Error("Unsupported key type" +
594 boost::lexical_cast<std::string>(publicKey->getKeyType())));
Yingdi Yu9d9d5992014-06-25 12:25:16 -0700[diff] [blame]595 }
596
597 OBufferStream pkcs8Os;
598 FileSink sink(pkcs8Os);
599
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]600 SecByteBlock rawKeyBits;
601 // PrivateKeyInfo ::= SEQUENCE {
602 // version INTEGER,
603 // privateKeyAlgorithm SEQUENCE,
604 // privateKey OCTECT STRING}
605 DERSequenceEncoder privateKeyInfo(sink);
606 {
607 DEREncodeUnsigned<uint32_t>(privateKeyInfo, version, INTEGER);
608 DERSequenceEncoder privateKeyAlgorithm(privateKeyInfo);
609 {
610 algorithm.encode(privateKeyAlgorithm);
Yingdi Yu9d9d5992014-06-25 12:25:16 -0700[diff] [blame]611 if (hasParameters)
612 algorithmParameter.encode(privateKeyAlgorithm);
613 else
614 DEREncodeNull(privateKeyAlgorithm);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]615 }
616 privateKeyAlgorithm.MessageEnd();
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]617 DEREncodeOctetString(privateKeyInfo,
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]618 CFDataGetBytePtr(exportedKey.get()),
619 CFDataGetLength(exportedKey.get()));
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]620 }
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]621 privateKeyInfo.MessageEnd();
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]622
Yingdi Yu9d9d5992014-06-25 12:25:16 -0700[diff] [blame]623 return pkcs8Os.buf();
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]624}
625
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]626#ifdef __GNUC__
627#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6)
628#pragma GCC diagnostic push
629#endif // __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6)
630#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
631#endif // __GNUC__
632
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]633bool
Yingdi Yu5e96e002014-04-23 18:32:15 -0700[diff] [blame]634SecTpmOsx::importPrivateKeyPkcs8IntoTpmInternal(const Name& keyName,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]635 const uint8_t* buf, size_t size,
636 bool needRetry)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]637{
638 using namespace CryptoPP;
639
640 StringSource privateKeySource(buf, size, true);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]641 SecByteBlock rawKeyBits;
642 // PrivateKeyInfo ::= SEQUENCE {
643 // INTEGER,
644 // SEQUENCE,
645 // OCTECT STRING}
646 BERSequenceDecoder privateKeyInfo(privateKeySource);
647 {
Yingdi Yu9d9d5992014-06-25 12:25:16 -0700[diff] [blame]648 uint32_t versionNum;
649 BERDecodeUnsigned<uint32_t>(privateKeyInfo, versionNum, INTEGER);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]650 BERSequenceDecoder sequenceDecoder(privateKeyInfo);
651 {
Yingdi Yu9d9d5992014-06-25 12:25:16 -0700[diff] [blame]652 OID keyTypeOID;
653 keyTypeOID.decode(sequenceDecoder);
654
655 if (keyTypeOID == oid::RSA)
656 BERDecodeNull(sequenceDecoder);
657 else if (keyTypeOID == oid::ECDSA)
658 {
659 OID parameterOID;
660 parameterOID.decode(sequenceDecoder);
661 }
662 else
663 return false; // Unsupported key type;
664
665
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]666 }
667 BERDecodeOctetString(privateKeyInfo, rawKeyBits);
668 }
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]669 privateKeyInfo.MessageEnd();
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]670
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]671 CFReleaser<CFDataRef> importedKey = CFDataCreateWithBytesNoCopy(0,
672 rawKeyBits.BytePtr(),
673 rawKeyBits.size(),
674 kCFAllocatorNull);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]675
676 SecExternalFormat externalFormat = kSecFormatOpenSSL;
677 SecExternalItemType externalType = kSecItemTypePrivateKey;
678 SecKeyImportExportParameters keyParams;
679 memset(&keyParams, 0, sizeof(keyParams));
680 keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
681 keyParams.keyAttributes = CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_PERMANENT;
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]682 CFReleaser<SecAccessRef> access;
683 CFReleaser<CFStringRef> keyLabel = CFStringCreateWithCString(0,
684 keyName.toUri().c_str(),
685 kCFStringEncodingUTF8);
686 SecAccessCreate(keyLabel.get(), 0, &access.get());
687 keyParams.accessRef = access.get();
688 CFReleaser<CFArrayRef> outItems;
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]689
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]690#ifdef __clang__
Junxiao Shi482ccc52014-03-31 13:05:24 -0700[diff] [blame]691#pragma clang diagnostic push
692#pragma clang diagnostic ignored "-Wdeprecated-declarations"
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]693#endif // __clang__
694
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]695 OSStatus res = SecKeychainItemImport(importedKey.get(),
696 0,
697 &externalFormat,
698 &externalType,
699 0,
700 &keyParams,
701 m_impl->m_keyChainRef,
702 &outItems.get());
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]703
704#ifdef __clang__
Junxiao Shi482ccc52014-03-31 13:05:24 -0700[diff] [blame]705#pragma clang diagnostic pop
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]706#endif // __clang__
707
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]708 if (res != errSecSuccess)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]709 {
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]710 if (res == errSecAuthFailed && !needRetry)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]711 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]712 if (unlockTpm(0, 0, false))
Yingdi Yu5e96e002014-04-23 18:32:15 -0700[diff] [blame]713 return importPrivateKeyPkcs8IntoTpmInternal(keyName, buf, size, true);
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]714 else
715 return false;
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]716 }
717 else
718 return false;
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]719 }
720
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]721 // C-style cast is used as per Apple convention
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]722 SecKeychainItemRef privateKey = (SecKeychainItemRef)CFArrayGetValueAtIndex(outItems.get(), 0);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]723 SecKeychainAttribute attrs[1]; // maximum number of attributes
724 SecKeychainAttributeList attrList = { 0, attrs };
725 string keyUri = keyName.toUri();
726 {
727 attrs[attrList.count].tag = kSecKeyPrintName;
728 attrs[attrList.count].length = keyUri.size();
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]729 attrs[attrList.count].data = const_cast<char*>(keyUri.c_str());
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]730 attrList.count++;
731 }
732
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]733 res = SecKeychainItemModifyAttributesAndData(privateKey,
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]734 &attrList,
735 0,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]736 0);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]737
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]738 if (res != errSecSuccess)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]739 {
740 return false;
741 }
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]742
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]743 return true;
744}
745
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]746#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6)
747#pragma GCC diagnostic pop
748#endif // __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 6)
749
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]750bool
751SecTpmOsx::importPublicKeyPkcs1IntoTpm(const Name& keyName, const uint8_t* buf, size_t size)
752{
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]753 CFReleaser<CFDataRef> importedKey = CFDataCreateWithBytesNoCopy(0,
754 buf,
755 size,
756 kCFAllocatorNull);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]757
758 SecExternalFormat externalFormat = kSecFormatOpenSSL;
759 SecExternalItemType externalType = kSecItemTypePublicKey;
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]760 CFReleaser<CFArrayRef> outItems;
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]761
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]762 OSStatus res = SecItemImport(importedKey.get(),
763 0,
764 &externalFormat,
765 &externalType,
766 0,
767 0,
768 m_impl->m_keyChainRef,
769 &outItems.get());
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]770
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]771 if (res != errSecSuccess)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]772 return false;
773
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]774 // C-style cast is used as per Apple convention
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]775 SecKeychainItemRef publicKey = (SecKeychainItemRef)CFArrayGetValueAtIndex(outItems.get(), 0);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]776 SecKeychainAttribute attrs[1]; // maximum number of attributes
777 SecKeychainAttributeList attrList = { 0, attrs };
778 string keyUri = keyName.toUri();
779 {
780 attrs[attrList.count].tag = kSecKeyPrintName;
781 attrs[attrList.count].length = keyUri.size();
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]782 attrs[attrList.count].data = const_cast<char*>(keyUri.c_str());
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]783 attrList.count++;
784 }
785
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]786 res = SecKeychainItemModifyAttributesAndData(publicKey,
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]787 &attrList,
788 0,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]789 0);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]790
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]791 if (res != errSecSuccess)
Alexander Afanasyev60c86812014-02-20 15:19:33 -0800[diff] [blame]792 return false;
793
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]794 return true;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]795}
796
797Block
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]798SecTpmOsx::signInTpmInternal(const uint8_t* data, size_t dataLength,
799 const Name& keyName, DigestAlgorithm digestAlgorithm, bool needRetry)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]800{
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]801 CFReleaser<CFDataRef> dataRef = CFDataCreateWithBytesNoCopy(0,
802 data,
803 dataLength,
804 kCFAllocatorNull);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]805
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]806 CFReleaser<SecKeychainItemRef> privateKey = m_impl->getKey(keyName, KEY_CLASS_PRIVATE);
807 if (privateKey.get() == 0)
808 {
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]809 BOOST_THROW_EXCEPTION(Error("Private key [" + keyName.toUri() + "] does not exist "
810 "in OSX Keychain"));
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]811 }
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]812
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]813 CFReleaser<CFErrorRef> error;
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]814 // C-style cast is used as per Apple convention
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]815 CFReleaser<SecTransformRef> signer = SecSignTransformCreate((SecKeyRef)privateKey.get(),
816 &error.get());
817 if (error.get() != 0)
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]818 BOOST_THROW_EXCEPTION(Error("Fail to create signer"));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]819
820 // Set input
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]821 SecTransformSetAttribute(signer.get(),
822 kSecTransformInputAttributeName,
823 dataRef.get(),
824 &error.get());
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]825 if (error.get() != 0)
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]826 BOOST_THROW_EXCEPTION(Error("Fail to configure input of signer"));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]827
828 // Enable use of padding
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]829 SecTransformSetAttribute(signer.get(),
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]830 kSecPaddingKey,
831 kSecPaddingPKCS1Key,
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]832 &error.get());
833 if (error.get() != 0)
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]834 BOOST_THROW_EXCEPTION(Error("Fail to configure digest algorithm of signer"));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]835
836 // Set padding type
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]837 SecTransformSetAttribute(signer.get(),
838 kSecDigestTypeAttribute,
839 m_impl->getDigestAlgorithm(digestAlgorithm),
840 &error.get());
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]841 if (error.get() != 0)
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]842 BOOST_THROW_EXCEPTION(Error("Fail to configure digest algorithm of signer"));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]843
844 // Set padding attribute
845 long digestSize = m_impl->getDigestSize(digestAlgorithm);
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]846 CFReleaser<CFNumberRef> cfDigestSize = CFNumberCreate(0, kCFNumberLongType, &digestSize);
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]847 SecTransformSetAttribute(signer.get(),
848 kSecDigestLengthAttribute,
849 cfDigestSize.get(),
850 &error.get());
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]851 if (error.get() != 0)
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]852 BOOST_THROW_EXCEPTION(Error("Fail to configure digest size of signer"));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]853
854 // Actually sign
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]855 // C-style cast is used as per Apple convention
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]856 CFReleaser<CFDataRef> signature = (CFDataRef)SecTransformExecute(signer.get(), &error.get());
857 if (error.get() != 0)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]858 {
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]859 if (!needRetry)
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]860 {
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]861 if (unlockTpm(0, 0, false))
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]862 return signInTpmInternal(data, dataLength, keyName, digestAlgorithm, true);
863 else
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]864 BOOST_THROW_EXCEPTION(Error("Fail to unlock the keychain"));
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]865 }
866 else
867 {
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]868 CFShow(error.get());
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]869 BOOST_THROW_EXCEPTION(Error("Fail to sign data"));
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]870 }
871 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]872
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]873 if (signature.get() == 0)
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]874 BOOST_THROW_EXCEPTION(Error("Signature is NULL!\n"));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]875
Steve DiBenedetto54ce6682014-07-22 13:22:57 -0600[diff] [blame]876 return Block(tlv::SignatureValue,
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]877 make_shared<Buffer>(CFDataGetBytePtr(signature.get()),
878 CFDataGetLength(signature.get())));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]879}
880
881ConstBufferPtr
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]882SecTpmOsx::decryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool sym)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]883{
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]884 BOOST_THROW_EXCEPTION(Error("SecTpmOsx::decryptInTpm is not supported"));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]885
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]886 // KeyClass keyClass;
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]887 // if (sym)
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]888 // keyClass = KEY_CLASS_SYMMETRIC;
889 // else
890 // keyClass = KEY_CLASS_PRIVATE;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]891
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]892 // CFDataRef dataRef = CFDataCreate(0,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]893 // reinterpret_cast<const unsigned char*>(data),
894 // dataLength
895 // );
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]896
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]897 // CFReleaser<SecKeyRef> decryptKey = (SecKeyRef)m_impl->getKey(keyName, keyClass);
898 // if (decryptKey.get() == 0)
899 // {
900 // /// @todo Can this happen because of keychain is locked?
901 // throw Error("Decruption key [" + ??? + "] does not exist in OSX Keychain");
902 // }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]903
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]904 // CFErrorRef error;
905 // SecTransformRef decrypt = SecDecryptTransformCreate(decryptKey, &error);
906 // if (error) throw Error("Fail to create decrypt");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]907
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]908 // Boolean set_res = SecTransformSetAttribute(decrypt,
909 // kSecTransformInputAttributeName,
910 // dataRef,
911 // &error);
912 // if (error) throw Error("Fail to configure decrypt");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]913
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]914 // CFDataRef output = (CFDataRef) SecTransformExecute(decrypt, &error);
915 // if (error)
916 // {
917 // CFShow(error);
918 // throw Error("Fail to decrypt data");
919 // }
920 // if (!output) throw Error("Output is NULL!\n");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]921
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]922 // return make_shared<Buffer>(CFDataGetBytePtr(output), CFDataGetLength(output));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]923}
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]924
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]925void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700[diff] [blame]926SecTpmOsx::addAppToAcl(const Name& keyName, KeyClass keyClass, const string& appPath, AclType acl)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]927{
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]928 if (keyClass == KEY_CLASS_PRIVATE && acl == ACL_TYPE_PRIVATE)
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]929 {
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]930 CFReleaser<SecKeychainItemRef> privateKey = m_impl->getKey(keyName, keyClass);
931 if (privateKey.get() == 0)
932 {
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]933 BOOST_THROW_EXCEPTION(Error("Private key [" + keyName.toUri() + "] does not exist "
934 "in OSX Keychain"));
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]935 }
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]936
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]937 CFReleaser<SecAccessRef> accRef;
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]938 SecKeychainItemCopyAccess(privateKey.get(), &accRef.get());
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]939
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]940 CFReleaser<CFArrayRef> signACL = SecAccessCopyMatchingACLList(accRef.get(),
941 kSecACLAuthorizationSign);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]942
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]943 // C-style cast is used as per Apple convention
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]944 SecACLRef aclRef = (SecACLRef)CFArrayGetValueAtIndex(signACL.get(), 0);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]945
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]946 CFReleaser<CFArrayRef> appList;
947 CFReleaser<CFStringRef> description;
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]948 SecKeychainPromptSelector promptSelector;
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]949 SecACLCopyContents(aclRef,
950 &appList.get(),
951 &description.get(),
952 &promptSelector);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]953
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]954 CFReleaser<CFMutableArrayRef> newAppList = CFArrayCreateMutableCopy(0,
955 0,
956 appList.get());
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]957
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]958 CFReleaser<SecTrustedApplicationRef> trustedApp;
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]959 SecTrustedApplicationCreateFromPath(appPath.c_str(),
960 &trustedApp.get());
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]961
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]962 CFArrayAppendValue(newAppList.get(), trustedApp.get());
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]963
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]964 SecACLSetContents(aclRef,
965 newAppList.get(),
966 description.get(),
967 promptSelector);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]968
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]969 SecKeychainItemSetAccess(privateKey.get(), accRef.get());
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]970 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]971}
972
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]973ConstBufferPtr
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]974SecTpmOsx::encryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool sym)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]975{
Spyridon Mastorakis0d2ed2e2015-07-27 19:09:12 -0700[diff] [blame]976 BOOST_THROW_EXCEPTION(Error("SecTpmOsx::encryptInTpm is not supported"));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]977
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]978 // KeyClass keyClass;
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]979 // if (sym)
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]980 // keyClass = KEY_CLASS_SYMMETRIC;
981 // else
982 // keyClass = KEY_CLASS_PUBLIC;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]983
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]984 // CFDataRef dataRef = CFDataCreate(0,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]985 // reinterpret_cast<const unsigned char*>(data),
986 // dataLength
987 // );
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]988
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]989 // CFReleaser<SecKeyRef> encryptKey = (SecKeyRef)m_impl->getKey(keyName, keyClass);
990 // if (encryptKey.get() == 0)
991 // {
992 // throw Error("Encryption key [" + ???? + "] does not exist in OSX Keychain");
993 // }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]994
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]995 // CFErrorRef error;
996 // SecTransformRef encrypt = SecEncryptTransformCreate(encryptKey, &error);
997 // if (error) throw Error("Fail to create encrypt");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]998
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]999 // Boolean set_res = SecTransformSetAttribute(encrypt,
1000 // kSecTransformInputAttributeName,
1001 // dataRef,
1002 // &error);
1003 // if (error) throw Error("Fail to configure encrypt");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1004
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]1005 // CFDataRef output = (CFDataRef) SecTransformExecute(encrypt, &error);
1006 // if (error) throw Error("Fail to encrypt data");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1007
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]1008 // if (!output) throw Error("Output is NULL!\n");
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1009
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]1010 // return make_shared<Buffer> (CFDataGetBytePtr(output), CFDataGetLength(output));
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1011}
1012
1013bool
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]1014SecTpmOsx::doesKeyExistInTpm(const Name& keyName, KeyClass keyClass)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1015{
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1016 string keyNameUri = m_impl->toInternalKeyName(keyName, keyClass);
1017
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]1018 CFReleaser<CFStringRef> keyLabel = CFStringCreateWithCString(0,
1019 keyNameUri.c_str(),
1020 kCFStringEncodingUTF8);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]1021
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]1022 CFReleaser<CFMutableDictionaryRef> attrDict =
1023 CFDictionaryCreateMutable(0,
1024 4,
1025 &kCFTypeDictionaryKeyCallBacks,
1026 0);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1027
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]1028 CFDictionaryAddValue(attrDict.get(), kSecClass, kSecClassKey);
1029 // CFDictionaryAddValue(attrDict.get(), kSecAttrKeyClass, m_impl->getKeyClass(keyClass));
1030 CFDictionaryAddValue(attrDict.get(), kSecAttrLabel, keyLabel.get());
1031 CFDictionaryAddValue(attrDict.get(), kSecReturnRef, kCFBooleanTrue);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]1032
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]1033 CFReleaser<SecKeychainItemRef> itemRef;
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]1034 // C-style cast is used as per Apple convention
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]1035 OSStatus res = SecItemCopyMatching((CFDictionaryRef)attrDict.get(), (CFTypeRef*)&itemRef.get());
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]1036
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]1037 if (res == errSecSuccess)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1038 return true;
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]1039 else
1040 return false;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1041
1042}
1043
Yingdi Yu4b752752014-02-18 12:24:03 -0800[diff] [blame]1044bool
1045SecTpmOsx::generateRandomBlock(uint8_t* res, size_t size)
1046{
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]1047 return SecRandomCopyBytes(kSecRandomDefault, size, res) == 0;
Yingdi Yu4b752752014-02-18 12:24:03 -0800[diff] [blame]1048}
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1049
1050////////////////////////////////
1051// OSXPrivateKeyStorage::Impl //
1052////////////////////////////////
1053
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]1054CFReleaser<SecKeychainItemRef>
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]1055SecTpmOsx::Impl::getKey(const Name& keyName, KeyClass keyClass)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1056{
1057 string keyNameUri = toInternalKeyName(keyName, keyClass);
1058
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]1059 CFReleaser<CFStringRef> keyLabel = CFStringCreateWithCString(0,
1060 keyNameUri.c_str(),
1061 kCFStringEncodingUTF8);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]1062
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]1063 CFReleaser<CFMutableDictionaryRef> attrDict =
1064 CFDictionaryCreateMutable(0,
1065 5,
1066 &kCFTypeDictionaryKeyCallBacks,
1067 0);
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1068
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]1069 CFDictionaryAddValue(attrDict.get(), kSecClass, kSecClassKey);
1070 CFDictionaryAddValue(attrDict.get(), kSecAttrLabel, keyLabel.get());
1071 CFDictionaryAddValue(attrDict.get(), kSecAttrKeyClass, getKeyClass(keyClass));
1072 CFDictionaryAddValue(attrDict.get(), kSecReturnRef, kCFBooleanTrue);
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]1073
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]1074 CFReleaser<SecKeychainItemRef> keyItem;
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]1075 // C-style cast is used as per Apple convention
Alexander Afanasyevf82d13a2014-04-30 14:30:19 -0700[diff] [blame]1076 OSStatus res = SecItemCopyMatching((CFDictionaryRef)attrDict.get(), (CFTypeRef*)&keyItem.get());
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]1077
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]1078 if (res != errSecSuccess)
1079 return 0;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1080 else
1081 return keyItem;
1082}
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]1083
1084string
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]1085SecTpmOsx::Impl::toInternalKeyName(const Name& keyName, KeyClass keyClass)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1086{
1087 string keyUri = keyName.toUri();
1088
Alexander Afanasyevfdbfc6d2014-04-14 15:12:11 -0700[diff] [blame]1089 if (KEY_CLASS_SYMMETRIC == keyClass)
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1090 return keyUri + "/symmetric";
1091 else
1092 return keyUri;
1093}
1094
Alexander Afanasyev24b75c82014-05-31 15:59:31 +0300[diff] [blame]1095CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1096SecTpmOsx::Impl::getAsymKeyType(KeyType keyType)
1097{
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]1098 switch (keyType) {
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1099 case KEY_TYPE_RSA:
1100 return kSecAttrKeyTypeRSA;
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]1101 case KEY_TYPE_ECDSA:
1102 return kSecAttrKeyTypeECDSA;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1103 default:
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]1104 return 0;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1105 }
1106}
1107
Alexander Afanasyev24b75c82014-05-31 15:59:31 +0300[diff] [blame]1108CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1109SecTpmOsx::Impl::getSymKeyType(KeyType keyType)
1110{
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]1111 switch (keyType) {
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1112 case KEY_TYPE_AES:
1113 return kSecAttrKeyTypeAES;
1114 default:
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]1115 return 0;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1116 }
1117}
1118
Alexander Afanasyev24b75c82014-05-31 15:59:31 +0300[diff] [blame]1119CFTypeRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1120SecTpmOsx::Impl::getKeyClass(KeyClass keyClass)
1121{
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]1122 switch (keyClass) {
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1123 case KEY_CLASS_PRIVATE:
1124 return kSecAttrKeyClassPrivate;
1125 case KEY_CLASS_PUBLIC:
1126 return kSecAttrKeyClassPublic;
1127 case KEY_CLASS_SYMMETRIC:
1128 return kSecAttrKeyClassSymmetric;
1129 default:
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]1130 return 0;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1131 }
1132}
1133
Alexander Afanasyev24b75c82014-05-31 15:59:31 +0300[diff] [blame]1134CFStringRef
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1135SecTpmOsx::Impl::getDigestAlgorithm(DigestAlgorithm digestAlgo)
1136{
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]1137 switch (digestAlgo) {
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1138 case DIGEST_ALGORITHM_SHA256:
1139 return kSecDigestSHA2;
1140 default:
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]1141 return 0;
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]1142 }
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1143}
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]1144
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]1145long
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1146SecTpmOsx::Impl::getDigestSize(DigestAlgorithm digestAlgo)
1147{
Yingdi Yu7036ce22014-06-19 18:53:37 -0700[diff] [blame]1148 switch (digestAlgo) {
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1149 case DIGEST_ALGORITHM_SHA256:
1150 return 256;
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1151 default:
Yingdi Yu2b2b4792014-02-04 16:27:07 -0800[diff] [blame]1152 return -1;
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]1153 }
Jeff Thompson2747dc02013-10-04 19:11:34 -0700[diff] [blame]1154}
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]1155
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]1156} // namespace ndn