2 * Copyright (c) 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #ifdef HAVE_FRAMEWORK_SECURITY
38 #include <Security/Security.h>
40 /* Missing function decls in pre Leopard */
41 #ifdef NEED_SECKEYGETCSPHANDLE_PROTO
42 OSStatus
SecKeyGetCSPHandle(SecKeyRef
, CSSM_CSP_HANDLE
*);
43 OSStatus
SecKeyGetCredentials(SecKeyRef
, CSSM_ACL_AUTHORIZATION_TAG
,
44 int, const CSSM_ACCESS_CREDENTIALS
**);
45 #define kSecCredentialTypeDefault 0
50 getAttribute(SecKeychainItemRef itemRef
, SecItemAttr item
,
51 SecKeychainAttributeList
**attrs
)
53 SecKeychainAttributeInfo attrInfo
;
54 UInt32 attrFormat
= 0;
61 attrInfo
.format
= &attrFormat
;
63 ret
= SecKeychainItemCopyAttributesAndData(itemRef
, &attrInfo
, NULL
,
76 SecKeychainItemRef item
;
82 kc_rsa_public_encrypt(int flen
,
83 const unsigned char *from
,
92 kc_rsa_public_decrypt(int flen
,
93 const unsigned char *from
,
103 kc_rsa_private_encrypt(int flen
,
104 const unsigned char *from
,
109 struct kc_rsa
*kc
= RSA_get_app_data(rsa
);
113 const CSSM_ACCESS_CREDENTIALS
*creds
;
114 SecKeyRef privKeyRef
= (SecKeyRef
)kc
->item
;
115 CSSM_CSP_HANDLE cspHandle
;
116 const CSSM_KEY
*cssmKey
;
117 CSSM_CC_HANDLE sigHandle
= 0;
121 if (padding
!= RSA_PKCS1_PADDING
)
124 cret
= SecKeyGetCSSMKey(privKeyRef
, &cssmKey
);
127 cret
= SecKeyGetCSPHandle(privKeyRef
, &cspHandle
);
130 ret
= SecKeyGetCredentials(privKeyRef
, CSSM_ACL_AUTHORIZATION_SIGN
,
131 kSecCredentialTypeDefault
, &creds
);
134 ret
= CSSM_CSP_CreateSignatureContext(cspHandle
, CSSM_ALGID_RSA
,
135 creds
, cssmKey
, &sigHandle
);
138 in
.Data
= (uint8
*)from
;
141 sig
.Data
= (uint8
*)to
;
142 sig
.Length
= kc
->keysize
;
144 cret
= CSSM_SignData(sigHandle
, &in
, 1, CSSM_ALGID_NONE
, &sig
);
146 /* cssmErrorString(cret); */
152 CSSM_DeleteContext(sigHandle
);
158 kc_rsa_private_decrypt(int flen
, const unsigned char *from
, unsigned char *to
,
159 RSA
* rsa
, int padding
)
161 struct kc_rsa
*kc
= RSA_get_app_data(rsa
);
165 const CSSM_ACCESS_CREDENTIALS
*creds
;
166 SecKeyRef privKeyRef
= (SecKeyRef
)kc
->item
;
167 CSSM_CSP_HANDLE cspHandle
;
168 const CSSM_KEY
*cssmKey
;
169 CSSM_CC_HANDLE handle
= 0;
170 CSSM_DATA out
, in
, rem
;
172 CSSM_SIZE outlen
= 0;
175 if (padding
!= RSA_PKCS1_PADDING
)
178 cret
= SecKeyGetCSSMKey(privKeyRef
, &cssmKey
);
181 cret
= SecKeyGetCSPHandle(privKeyRef
, &cspHandle
);
184 ret
= SecKeyGetCredentials(privKeyRef
, CSSM_ACL_AUTHORIZATION_DECRYPT
,
185 kSecCredentialTypeDefault
, &creds
);
189 ret
= CSSM_CSP_CreateAsymmetricContext (cspHandle
,
197 in
.Data
= (uint8
*)from
;
200 out
.Data
= (uint8
*)to
;
201 out
.Length
= kc
->keysize
;
203 rem
.Data
= (uint8
*)remdata
;
204 rem
.Length
= sizeof(remdata
);
206 cret
= CSSM_DecryptData(handle
, &in
, 1, &out
, 1, &outlen
, &rem
);
208 /* cssmErrorString(cret); */
214 CSSM_DeleteContext(handle
);
220 kc_rsa_init(RSA
*rsa
)
226 kc_rsa_finish(RSA
*rsa
)
228 struct kc_rsa
*kc_rsa
= RSA_get_app_data(rsa
);
229 CFRelease(kc_rsa
->item
);
230 memset(kc_rsa
, 0, sizeof(*kc_rsa
));
235 static const RSA_METHOD kc_rsa_pkcs1_method
= {
236 "hx509 Keychain PKCS#1 RSA",
237 kc_rsa_public_encrypt
,
238 kc_rsa_public_decrypt
,
239 kc_rsa_private_encrypt
,
240 kc_rsa_private_decrypt
,
252 set_private_key(hx509_context context
,
253 SecKeychainItemRef itemRef
,
257 hx509_private_key key
;
261 ret
= _hx509_private_key_init(&key
, NULL
, NULL
);
265 kc
= calloc(1, sizeof(*kc
));
267 _hx509_abort("out of memory");
273 _hx509_abort("out of memory");
275 /* Argh, fake modulus since OpenSSL API is on crack */
277 SecKeychainAttributeList
*attrs
= NULL
;
282 if (rsa
->n
== NULL
) abort();
284 ret
= getAttribute(itemRef
, kSecKeyKeySizeInBits
, &attrs
);
287 size
= *(uint32_t *)attrs
->attr
[0].data
;
288 SecKeychainItemFreeAttributesAndData(attrs
, NULL
);
290 kc
->keysize
= (size
+ 7) / 8;
292 data
= malloc(kc
->keysize
);
293 memset(data
, 0xe0, kc
->keysize
);
294 BN_bin2bn(data
, kc
->keysize
, rsa
->n
);
299 RSA_set_method(rsa
, &kc_rsa_pkcs1_method
);
300 ret
= RSA_set_app_data(rsa
, kc
);
302 _hx509_abort("RSA_set_app_data");
304 _hx509_private_key_assign_rsa(key
, rsa
);
305 _hx509_cert_assign_key(cert
, key
);
316 SecKeychainRef keychain
;
320 keychain_init(hx509_context context
,
321 hx509_certs certs
, void **data
, int flags
,
322 const char *residue
, hx509_lock lock
)
324 struct ks_keychain
*ctx
;
326 ctx
= calloc(1, sizeof(*ctx
));
328 hx509_clear_error_string(context
);
333 if (strcasecmp(residue
, "system-anchors") == 0) {
335 } else if (strncasecmp(residue
, "FILE:", 5) == 0) {
338 ret
= SecKeychainOpen(residue
+ 5, &ctx
->keychain
);
340 hx509_set_error_string(context
, 0, ENOENT
,
341 "Failed to open %s", residue
);
345 hx509_set_error_string(context
, 0, ENOENT
,
346 "Unknown subtype %s", residue
);
360 keychain_free(hx509_certs certs
, void *data
)
362 struct ks_keychain
*ctx
= data
;
364 CFRelease(ctx
->keychain
);
365 memset(ctx
, 0, sizeof(*ctx
));
377 SecKeychainSearchRef searchRef
;
381 keychain_iter_start(hx509_context context
,
382 hx509_certs certs
, void *data
, void **cursor
)
384 struct ks_keychain
*ctx
= data
;
387 iter
= calloc(1, sizeof(*iter
));
389 hx509_set_error_string(context
, 0, ENOMEM
, "out of memory");
398 ret
= hx509_certs_init(context
, "MEMORY:ks-file-create",
399 0, NULL
, &iter
->certs
);
405 ret
= SecTrustCopyAnchorCertificates(&anchors
);
407 hx509_certs_free(&iter
->certs
);
409 hx509_set_error_string(context
, 0, ENOMEM
,
410 "Can't get trust anchors from Keychain");
413 for (i
= 0; i
< CFArrayGetCount(anchors
); i
++) {
414 SecCertificateRef cr
;
418 cr
= (SecCertificateRef
)CFArrayGetValueAtIndex(anchors
, i
);
420 SecCertificateGetData(cr
, &cssm
);
422 ret
= hx509_cert_init_data(context
, cssm
.Data
, cssm
.Length
, &cert
);
426 ret
= hx509_certs_add(context
, iter
->certs
, cert
);
427 hx509_cert_free(cert
);
434 ret
= hx509_certs_start_seq(context
, iter
->certs
, &iter
->cursor
);
436 hx509_certs_free(&iter
->certs
);
443 ret
= SecKeychainSearchCreateFromAttributes(ctx
->keychain
,
444 kSecCertificateItemClass
,
449 hx509_set_error_string(context
, 0, ret
,
450 "Failed to start search for attributes");
464 keychain_iter(hx509_context context
,
465 hx509_certs certs
, void *data
, void *cursor
, hx509_cert
*cert
)
467 SecKeychainAttributeList
*attrs
= NULL
;
468 SecKeychainAttributeInfo attrInfo
;
469 UInt32 attrFormat
[1] = { 0 };
470 SecKeychainItemRef itemRef
;
472 struct iter
*iter
= cursor
;
478 return hx509_certs_next_cert(context
, iter
->certs
, iter
->cursor
, cert
);
482 ret
= SecKeychainSearchCopyNext(iter
->searchRef
, &itemRef
);
483 if (ret
== errSecItemNotFound
)
489 * Pick out certificate and matching "keyid"
492 item
[0] = kSecPublicKeyHashItemAttr
;
496 attrInfo
.format
= attrFormat
;
498 ret
= SecKeychainItemCopyAttributesAndData(itemRef
, &attrInfo
, NULL
,
503 ret
= hx509_cert_init_data(context
, ptr
, len
, cert
);
508 * Find related private key if there is one by looking at
509 * kSecPublicKeyHashItemAttr == kSecKeyLabel
512 SecKeychainSearchRef search
;
513 SecKeychainAttribute attrKeyid
;
514 SecKeychainAttributeList attrList
;
516 attrKeyid
.tag
= kSecKeyLabel
;
517 attrKeyid
.length
= attrs
->attr
[0].length
;
518 attrKeyid
.data
= attrs
->attr
[0].data
;
521 attrList
.attr
= &attrKeyid
;
523 ret
= SecKeychainSearchCreateFromAttributes(NULL
,
524 CSSM_DL_DB_RECORD_PRIVATE_KEY
,
532 ret
= SecKeychainSearchCopyNext(search
, &itemRef
);
534 if (ret
== errSecItemNotFound
) {
541 set_private_key(context
, itemRef
, *cert
);
545 SecKeychainItemFreeAttributesAndData(attrs
, ptr
);
555 keychain_iter_end(hx509_context context
,
560 struct iter
*iter
= cursor
;
563 hx509_certs_end_seq(context
, iter
->certs
, iter
->cursor
);
564 hx509_certs_free(&iter
->certs
);
566 CFRelease(iter
->searchRef
);
569 memset(iter
, 0, sizeof(*iter
));
578 struct hx509_keyset_ops keyset_keychain
= {
591 #endif /* HAVE_FRAMEWORK_SECURITY */
598 _hx509_ks_keychain_register(hx509_context context
)
600 #ifdef HAVE_FRAMEWORK_SECURITY
601 _hx509_ks_register(context
, &keyset_keychain
);