MYCrypto: MYKeychain.m@60e4cbbb5128 (annotated)

snej@0	1	//
snej@0	2	// MYKeychain.m
snej@0	3	// MYCrypto
snej@0	4	//
snej@0	5	// Created by Jens Alfke on 3/23/09.
snej@0	6	// Copyright 2009 Jens Alfke. All rights reserved.
snej@0	7	//
snej@0	8
snej@0	9	#import "MYKeychain.h"
snej@0	10	#import "MYCrypto_Private.h"
snej@0	11	#import "MYDigest.h"
snej@0	12
snej@0	13	#if !USE_IPHONE_API
snej@0	14
snej@0	15
snej@0	16	@interface MYKeyEnumerator : NSEnumerator
snej@0	17	{
snej@0	18	MYKeychain *_keychain;
snej@0	19	SecKeychainSearchRef _search;
snej@0	20	SecItemClass _itemClass;
snej@0	21	}
snej@0	22
snej@0	23	- (id) initWithKeychain: (MYKeychain*)keychain
snej@0	24	itemClass: (SecItemClass)itemClass
snej@0	25	attributes: (SecKeychainAttribute[])attributes
snej@0	26	count: (unsigned)count;
snej@0	27	@end
snej@0	28
snej@0	29
snej@0	30
snej@0	31	@implementation MYKeychain
snej@0	32
snej@0	33
snej@0	34	- (id) initWithKeychainRef: (SecKeychainRef)keychainRef
snej@0	35	{
snej@0	36	self = [super init];
snej@0	37	if (self != nil) {
snej@0	38	if (keychainRef) {
snej@0	39	CFRetain(keychainRef);
snej@0	40	_keychain = keychainRef;
snej@0	41	}
snej@0	42	}
snej@0	43	return self;
snej@0	44	}
snej@0	45
snej@0	46	+ (MYKeychain) _readableKeychainWithRef: (SecKeychainRef)keychainRef fromPath: (NSString)path {
snej@0	47	if (!keychainRef)
snej@0	48	return nil;
snej@0	49	SecKeychainStatus status;
snej@0	50	BOOL ok = check(SecKeychainGetStatus(keychainRef, &status), @"SecKeychainGetStatus");
snej@0	51	if (ok && !(status & kSecReadPermStatus)) {
snej@0	52	Warn(@"Can't open keychain at %@ : not readable (status=%i)", path,status);
snej@0	53	ok = NO;
snej@0	54	}
snej@0	55	MYKeychain *keychain = nil;
snej@0	56	if (ok)
snej@0	57	keychain = [[[self alloc] initWithKeychainRef: keychainRef] autorelease];
snej@0	58	CFRelease(keychainRef);
snej@0	59	return keychain;
snej@0	60	}
snej@0	61
snej@0	62	+ (MYKeychain) openKeychainAtPath: (NSString)path
snej@0	63	{
snej@0	64	Assert(path);
snej@0	65	SecKeychainRef keychainRef = NULL;
snej@0	66	if (!check(SecKeychainOpen(path.fileSystemRepresentation, &keychainRef), @"SecKeychainOpen"))
snej@0	67	return nil;
snej@0	68	return [self _readableKeychainWithRef: keychainRef fromPath: path];
snej@0	69	}
snej@0	70
snej@0	71	+ (MYKeychain) createKeychainAtPath: (NSString)path
snej@0	72	withPassword: (NSString*)password
snej@0	73	{
snej@0	74	Assert(path);
snej@0	75	const char *passwordStr = [password UTF8String];
snej@0	76	SecKeychainRef keychainRef = NULL;
snej@0	77	if (!check(SecKeychainCreate(path.fileSystemRepresentation,
snej@0	78	passwordStr ?strlen(passwordStr) :0,
snej@0	79	passwordStr,
snej@0	80	(password==nil),
snej@0	81	NULL,
snej@0	82	&keychainRef),
snej@0	83	@"SecKeychainCreate"))
snej@0	84	return nil;
snej@0	85	return [self _readableKeychainWithRef: keychainRef fromPath: path];
snej@0	86	}
snej@0	87
snej@0	88	- (BOOL) deleteKeychainFile {
snej@0	89	Assert(_keychain);
snej@0	90	return check(SecKeychainDelete(_keychain), @"SecKeychainDelete");
snej@0	91	}
snej@0	92
snej@0	93
snej@0	94	- (void) dealloc
snej@0	95	{
snej@0	96	if (_keychain) CFRelease(_keychain);
snej@0	97	[super dealloc];
snej@0	98	}
snej@0	99
snej@0	100
snej@0	101	+ (MYKeychain*) allKeychains
snej@0	102	{
snej@0	103	static MYKeychain *sAllKeychains;
snej@0	104	@synchronized(self) {
snej@0	105	if (!sAllKeychains)
snej@0	106	sAllKeychains = [[self alloc] initWithKeychainRef: nil];
snej@0	107	}
snej@0	108	return sAllKeychains;
snej@0	109	}
snej@0	110
snej@0	111
snej@0	112	+ (MYKeychain*) defaultKeychain
snej@0	113	{
snej@0	114	static MYKeychain *sDefaultKeychain;
snej@0	115	@synchronized(self) {
snej@0	116	if (!sDefaultKeychain) {
snej@0	117	SecKeychainRef kc = NULL;
snej@0	118	OSStatus err = SecKeychainCopyDomainDefault(kSecPreferencesDomainUser,&kc);
snej@0	119	#if TARGET_OS_IPHONE
snej@0	120	// In the simulator, an app is run in a sandbox that has no keychain by default.
snej@0	121	// As a convenience, create one if necessary:
snej@0	122	if (err == errSecNoDefaultKeychain) {
snej@0	123	Log(@"No default keychain in simulator; creating one...");
snej@0	124	NSString *path = [NSSearchPathForDirectoriesInDomains(NSLibraryDirectory,
snej@0	125	NSUserDomainMask, YES) objectAtIndex: 0];
snej@0	126	path = [path stringByAppendingPathComponent: @"MYCrypto.keychain"];
snej@0	127	sDefaultKeychain = [[self createKeychainAtPath: path withPassword: nil] retain];
snej@0	128	Assert(sDefaultKeychain, @"Couldn't create default keychain");
snej@0	129	SecKeychainSetDomainDefault(kSecPreferencesDomainUser, sDefaultKeychain.keychainRef);
snej@0	130	Log(@"...created %@", sDefaultKeychain);
snej@0	131	return sDefaultKeychain;
snej@0	132	}
snej@0	133	#endif
snej@0	134	if (!check(err, @"SecKeychainCopyDefault"))
snej@0	135	kc = NULL;
snej@0	136
snej@0	137	Assert(kc, @"No default keychain");
snej@0	138	sDefaultKeychain = [[self alloc] initWithKeychainRef: kc];
snej@0	139	CFRelease(kc);
snej@0	140	}
snej@0	141	}
snej@0	142	return sDefaultKeychain;
snej@0	143	}
snej@0	144
snej@0	145
snej@0	146	- (id) copyWithZone: (NSZone*)zone {
snej@0	147	// It's not necessary to make copies of Keychain objects. This makes it more efficient
snej@0	148	// to use instances as NSDictionary keys or store them in NSSets.
snej@0	149	return [self retain];
snej@0	150	}
snej@0	151
snej@0	152	- (BOOL) isEqual: (id)obj {
snej@0	153	return (obj == self) \|\|
snej@0	154	([obj isKindOfClass: [MYKeychain class]] && CFEqual(_keychain, [obj keychainRef]));
snej@0	155	}
snej@0	156
snej@0	157
snej@0	158	- (SecKeychainRef) keychainRef {
snej@0	159	return _keychain;
snej@0	160	}
snej@0	161
snej@0	162
snej@0	163	- (SecKeychainRef) keychainRefOrDefault {
snej@0	164	if (_keychain)
snej@0	165	return _keychain;
snej@0	166	else
snej@0	167	return [[[self class] defaultKeychain] keychainRef];
snej@0	168	}
snej@0	169
snej@0	170
snej@0	171	- (NSString*) path {
snej@0	172	if (!_keychain)
snej@0	173	return nil;
snej@0	174	char pathBuf[PATH_MAX];
snej@0	175	UInt32 pathLen = sizeof(pathBuf);
snej@0	176	if (!check(SecKeychainGetPath(_keychain, &pathLen, pathBuf), @"SecKeychainGetPath"))
snej@0	177	return nil;
snej@0	178	return [[NSFileManager defaultManager] stringWithFileSystemRepresentation: pathBuf length: pathLen];
snej@0	179	}
snej@0	180
snej@0	181	- (NSString*) description {
snej@0	182	if (_keychain)
snej@0	183	return $sprintf(@"%@[%p, %@]", [self class], _keychain, self.path);
snej@0	184	else
snej@0	185	return $sprintf(@"%@[all]", [self class]);
snej@0	186	}
snej@0	187
snej@0	188
snej@0	189	#pragma mark -
snej@0	190	#pragma mark SEARCHING:
snej@0	191
snej@0	192
snej@0	193	- (MYKeychainItem*) itemOfClass: (SecItemClass)itemClass
snej@0	194	withDigest: (MYSHA1Digest*)pubKeyDigest
snej@0	195	{
snej@0	196	SecKeychainAttribute attr = {.tag= (itemClass==kSecCertificateItemClass ?kSecPublicKeyHashItemAttr :kSecKeyLabel),
snej@0	197	.length= pubKeyDigest.length,
snej@0	198	.data= (void*) pubKeyDigest.bytes};
snej@0	199	MYKeyEnumerator *e = [[MYKeyEnumerator alloc] initWithKeychain: self
snej@0	200	itemClass: itemClass
snej@0	201	attributes: &attr count: 1];
snej@0	202	MYKeychainItem *item = e.nextObject;
snej@0	203	[e release];
snej@0	204	return item;
snej@0	205	}
snej@0	206
snej@0	207	- (MYPublicKey) publicKeyWithDigest: (MYSHA1Digest)pubKeyDigest {
snej@0	208	return (MYPublicKey*) [self itemOfClass: kSecPublicKeyItemClass withDigest: pubKeyDigest];
snej@0	209	}
snej@0	210
snej@0	211	- (NSEnumerator*) enumeratePublicKeys {
snej@0	212	return [[[MYKeyEnumerator alloc] initWithKeychain: self
snej@0	213	itemClass: kSecPublicKeyItemClass
snej@0	214	attributes: NULL count: 0] autorelease];
snej@0	215	}
snej@0	216
snej@0	217	- (NSEnumerator) publicKeysWithAlias: (NSString)alias {
snej@0	218	NSData *utf8 = [alias dataUsingEncoding: NSUTF8StringEncoding];
snej@0	219	SecKeychainAttribute attr = {.tag=kSecKeyAlias, .length=utf8.length, .data=(void*)utf8.bytes};
snej@0	220	return [[[MYKeyEnumerator alloc] initWithKeychain: self
snej@0	221	itemClass: kSecPublicKeyItemClass
snej@0	222	attributes: &attr count: 1] autorelease];
snej@0	223	}
snej@0	224
snej@0	225
snej@0	226	- (MYKeyPair) keyPairWithDigest: (MYSHA1Digest)pubKeyDigest {
snej@0	227	return (MYKeyPair*) [self itemOfClass: kSecPrivateKeyItemClass withDigest: pubKeyDigest];
snej@0	228	}
snej@0	229
snej@0	230	- (NSEnumerator*) enumerateKeyPairs {
snej@0	231	return [[[MYKeyEnumerator alloc] initWithKeychain: self
snej@0	232	itemClass: kSecPrivateKeyItemClass
snej@0	233	attributes: NULL count: 0] autorelease];
snej@0	234	}
snej@0	235
snej@0	236	- (MYCertificate) certificateWithDigest: (MYSHA1Digest)pubKeyDigest {
snej@0	237	return (MYCertificate*) [self itemOfClass: kSecCertificateItemClass withDigest: pubKeyDigest];
snej@0	238	}
snej@0	239
snej@0	240	- (NSEnumerator*) enumerateCertificates {
snej@0	241	return [[[MYKeyEnumerator alloc] initWithKeychain: self
snej@0	242	itemClass: kSecCertificateItemClass
snej@0	243	attributes: NULL count: 0] autorelease];
snej@0	244	}
snej@0	245
snej@0	246	- (NSEnumerator*) enumerateSymmetricKeys {
snej@0	247	return [[[MYKeyEnumerator alloc] initWithKeychain: self
snej@0	248	itemClass: kSecSymmetricKeyItemClass
snej@0	249	attributes: NULL count: 0] autorelease];
snej@0	250	}
snej@0	251
snej@0	252	- (NSEnumerator) symmetricKeysWithAlias: (NSString)alias {
snej@0	253	NSData *utf8 = [alias dataUsingEncoding: NSUTF8StringEncoding];
snej@0	254	SecKeychainAttribute attr = {.tag=kSecKeyAlias, .length=utf8.length, .data=(void*)utf8.bytes};
snej@0	255	return [[[MYKeyEnumerator alloc] initWithKeychain: self
snej@0	256	itemClass: kSecSymmetricKeyItemClass
snej@0	257	attributes: &attr count: 1] autorelease];
snej@0	258	}
snej@0	259
snej@0	260
snej@0	261
snej@0	262	#pragma mark -
snej@0	263	#pragma mark IMPORT:
snej@0	264
snej@0	265
snej@0	266	- (MYPublicKey) importPublicKey: (NSData)keyData {
snej@0	267	return [[[MYPublicKey alloc] _initWithKeyData: keyData
snej@0	268	forKeychain: self.keychainRefOrDefault]
snej@0	269	autorelease];
snej@0	270	}
snej@0	271
snej@0	272	- (MYKeyPair) importPublicKey: (NSData)pubKeyData
snej@0	273	privateKey: (NSData*)privKeyData
snej@0	274	alertTitle: (NSString*)title
snej@0	275	alertPrompt: (NSString*)prompt {
snej@0	276	return [[[MYKeyPair alloc] _initWithPublicKeyData: pubKeyData
snej@0	277	privateKeyData: privKeyData
snej@0	278	forKeychain: self.keychainRefOrDefault
snej@0	279	alertTitle: (NSString*)title
snej@0	280	alertPrompt: (NSString*)prompt]
snej@0	281	autorelease];
snej@0	282	}
snej@0	283
snej@0	284	- (MYKeyPair) importPublicKey: (NSData)pubKeyData
snej@0	285	privateKey: (NSData*)privKeyData
snej@0	286	{
snej@0	287	return [self importPublicKey: pubKeyData privateKey: privKeyData
snej@0	288	alertTitle: @"Import Private Key"
snej@0	289	alertPrompt: @"To import your saved private key, please re-enter the "
snej@0	290	"passphrase you used when you exported it."];
snej@0	291	}
snej@0	292
snej@0	293	- (MYCertificate) importCertificate: (NSData)data
snej@0	294	type: (CSSM_CERT_TYPE) type
snej@0	295	encoding: (CSSM_CERT_ENCODING) encoding;
snej@0	296	{
snej@0	297	MYCertificate *cert = [[[MYCertificate alloc] initWithCertificateData: data
snej@0	298	type: type
snej@0	299	encoding: encoding]
snej@0	300	autorelease];
snej@0	301	if (cert) {
snej@0	302	if (!check(SecCertificateAddToKeychain(cert.certificateRef, self.keychainRefOrDefault),
snej@0	303	@"SecCertificateAddToKeychain"))
snej@0	304	cert = nil;
snej@0	305	}
snej@0	306	return cert;
snej@0	307	}
snej@0	308
snej@0	309	- (MYCertificate) importCertificate: (NSData)data {
snej@0	310	return [self importCertificate: data
snej@0	311	type: CSSM_CERT_X_509v3
snej@0	312	encoding: CSSM_CERT_ENCODING_BER];
snej@0	313	}
snej@0	314
snej@0	315
snej@0	316	- (MYSymmetricKey*) generateSymmetricKeyOfSize: (unsigned)keySizeInBits
snej@0	317	algorithm: (CCAlgorithm)algorithm
snej@0	318	{
snej@0	319	return [MYSymmetricKey _generateSymmetricKeyOfSize: keySizeInBits
snej@0	320	algorithm: algorithm inKeychain: self];
snej@0	321	}
snej@0	322
snej@0	323	- (MYKeyPair*) generateRSAKeyPairOfSize: (unsigned)keySize {
snej@0	324	return [MYKeyPair _generateRSAKeyPairOfSize: keySize inKeychain: self.keychainRefOrDefault];
snej@0	325	}
snej@0	326
snej@0	327
snej@0	328	- (CSSM_CSP_HANDLE) CSPHandle {
snej@0	329	CSSM_CSP_HANDLE cspHandle = 0;
snej@0	330	Assert(check(SecKeychainGetCSPHandle(self.keychainRefOrDefault, &cspHandle), @"SecKeychainGetCSPHandle"));
snej@0	331	return cspHandle;
snej@0	332	}
snej@0	333
snej@0	334
snej@0	335	@end
snej@0	336
snej@0	337
snej@0	338
snej@0	339	#pragma mark -
snej@0	340	@implementation MYKeyEnumerator
snej@0	341
snej@0	342	- (id) initWithKeychain: (MYKeychain*)keychain
snej@0	343	itemClass: (SecItemClass)itemClass
snej@0	344	attributes: (SecKeychainAttribute[])attributes
snej@0	345	count: (unsigned)count {
snej@0	346	self = [super init];
snej@0	347	if (self) {
snej@0	348	_keychain = [keychain retain];
snej@0	349	_itemClass = itemClass;
snej@0	350	SecKeychainAttributeList list = {.count=count, .attr=attributes};
snej@0	351	if (!check(SecKeychainSearchCreateFromAttributes(keychain.keychainRef,
snej@0	352	itemClass,
snej@0	353	&list,
snej@0	354	&_search),
snej@0	355	@"SecKeychainSearchCreateFromAttributes")) {
snej@0	356	[self release];
snej@0	357	return nil;
snej@0	358	}
snej@0	359	}
snej@0	360	return self;
snej@0	361	}
snej@0	362
snej@0	363	- (void) dealloc
snej@0	364	{
snej@0	365	[_keychain release];
snej@0	366	if (_search) CFRelease(_search);
snej@0	367	[super dealloc];
snej@0	368	}
snej@0	369
snej@0	370
snej@0	371	- (id) nextObject {
snej@0	372	if (!_search)
snej@0	373	return nil;
snej@0	374	MYPublicKey *key = nil;
snej@0	375	do{
snej@0	376	SecKeychainItemRef found = NULL;
snej@0	377	OSStatus err = SecKeychainSearchCopyNext(_search, &found);
snej@0	378	if (err \|\| !found) {
snej@0	379	if (err != errSecItemNotFound)
snej@0	380	check(err,@"SecKeychainSearchCopyNext");
snej@0	381	CFRelease(_search);
snej@0	382	_search = NULL;
snej@0	383	return nil;
snej@0	384	}
snej@0	385
snej@0	386	switch (_itemClass) {
snej@0	387	case kSecPrivateKeyItemClass: {
snej@0	388	MYSHA1Digest *digest = [MYPublicKey _digestOfKey: (SecKeyRef)found];
snej@0	389	if (digest) {
snej@0	390	MYPublicKey *publicKey = [_keychain publicKeyWithDigest: digest];
snej@0	391	if (publicKey)
snej@0	392	key = [[[MYKeyPair alloc] initWithPublicKeyRef: publicKey.keyRef
snej@0	393	privateKeyRef: (SecKeyRef)found]
snej@0	394	autorelease];
snej@0	395	else {
snej@0	396	// The matching public key won't turn up if it's embedded in a certificate;
snej@0	397	// I'd have to search for certs if I wanted to look that up. Skip it for now.
snej@0	398	//Warn(@"Couldn't find matching public key for private key! digest=%@",digest);
snej@0	399	}
snej@0	400	}
snej@0	401	break;
snej@0	402	}
snej@0	403	case kSecCertificateItemClass:
snej@0	404	key = [[[MYCertificate alloc] initWithCertificateRef: (SecCertificateRef)found] autorelease];
snej@0	405	break;
snej@0	406	case kSecPublicKeyItemClass:
snej@0	407	key = [[[MYPublicKey alloc] initWithKeyRef: (SecKeyRef)found] autorelease];
snej@0	408	break;
snej@0	409	}
snej@0	410	CFRelease(found);
snej@0	411	} while (key==nil);
snej@0	412	return key;
snej@0	413	}
snej@0	414
snej@0	415
snej@0	416	@end
snej@0	417
snej@0	418
snej@0	419	#endif !USE_IPHONE_API
snej@0	420
snej@0	421
snej@0	422
snej@0	423	/*
snej@0	424	Copyright (c) 2009, Jens Alfke <jens@mooseyard.com>. All rights reserved.
snej@0	425
snej@0	426	Redistribution and use in source and binary forms, with or without modification, are permitted
snej@0	427	provided that the following conditions are met:
snej@0	428
snej@0	429	* Redistributions of source code must retain the above copyright notice, this list of conditions
snej@0	430	and the following disclaimer.
snej@0	431	* Redistributions in binary form must reproduce the above copyright notice, this list of conditions
snej@0	432	and the following disclaimer in the documentation and/or other materials provided with the
snej@0	433	distribution.
snej@0	434
snej@0	435	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
snej@0	436	IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
snej@0	437	FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRI-
snej@0	438	BUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
snej@0	439	(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
snej@0	440	PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
snej@0	441	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
snej@0	442	THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
snej@0	443	*/

author	snej@snej.local
	Sat Apr 04 22:56:13 2009 -0700 (2009-04-04)
changeset 1	60e4cbbb5128
child 2	8982b8fada63
permissions	-rw-r--r--