1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/MYKeychain.m Sat Apr 04 22:56:13 2009 -0700
1.3 @@ -0,0 +1,443 @@
1.4 +//
1.5 +// MYKeychain.m
1.6 +// MYCrypto
1.7 +//
1.8 +// Created by Jens Alfke on 3/23/09.
1.9 +// Copyright 2009 Jens Alfke. All rights reserved.
1.10 +//
1.11 +
1.12 +#import "MYKeychain.h"
1.13 +#import "MYCrypto_Private.h"
1.14 +#import "MYDigest.h"
1.15 +
1.16 +#if !USE_IPHONE_API
1.17 +
1.18 +
1.19 +@interface MYKeyEnumerator : NSEnumerator
1.20 +{
1.21 + MYKeychain *_keychain;
1.22 + SecKeychainSearchRef _search;
1.23 + SecItemClass _itemClass;
1.24 +}
1.25 +
1.26 +- (id) initWithKeychain: (MYKeychain*)keychain
1.27 + itemClass: (SecItemClass)itemClass
1.28 + attributes: (SecKeychainAttribute[])attributes
1.29 + count: (unsigned)count;
1.30 +@end
1.31 +
1.32 +
1.33 +
1.34 +@implementation MYKeychain
1.35 +
1.36 +
1.37 +- (id) initWithKeychainRef: (SecKeychainRef)keychainRef
1.38 +{
1.39 + self = [super init];
1.40 + if (self != nil) {
1.41 + if (keychainRef) {
1.42 + CFRetain(keychainRef);
1.43 + _keychain = keychainRef;
1.44 + }
1.45 + }
1.46 + return self;
1.47 +}
1.48 +
1.49 ++ (MYKeychain*) _readableKeychainWithRef: (SecKeychainRef)keychainRef fromPath: (NSString*)path {
1.50 + if (!keychainRef)
1.51 + return nil;
1.52 + SecKeychainStatus status;
1.53 + BOOL ok = check(SecKeychainGetStatus(keychainRef, &status), @"SecKeychainGetStatus");
1.54 + if (ok && !(status & kSecReadPermStatus)) {
1.55 + Warn(@"Can't open keychain at %@ : not readable (status=%i)", path,status);
1.56 + ok = NO;
1.57 + }
1.58 + MYKeychain *keychain = nil;
1.59 + if (ok)
1.60 + keychain = [[[self alloc] initWithKeychainRef: keychainRef] autorelease];
1.61 + CFRelease(keychainRef);
1.62 + return keychain;
1.63 +}
1.64 +
1.65 ++ (MYKeychain*) openKeychainAtPath: (NSString*)path
1.66 +{
1.67 + Assert(path);
1.68 + SecKeychainRef keychainRef = NULL;
1.69 + if (!check(SecKeychainOpen(path.fileSystemRepresentation, &keychainRef), @"SecKeychainOpen"))
1.70 + return nil;
1.71 + return [self _readableKeychainWithRef: keychainRef fromPath: path];
1.72 +}
1.73 +
1.74 ++ (MYKeychain*) createKeychainAtPath: (NSString*)path
1.75 + withPassword: (NSString*)password
1.76 +{
1.77 + Assert(path);
1.78 + const char *passwordStr = [password UTF8String];
1.79 + SecKeychainRef keychainRef = NULL;
1.80 + if (!check(SecKeychainCreate(path.fileSystemRepresentation,
1.81 + passwordStr ?strlen(passwordStr) :0,
1.82 + passwordStr,
1.83 + (password==nil),
1.84 + NULL,
1.85 + &keychainRef),
1.86 + @"SecKeychainCreate"))
1.87 + return nil;
1.88 + return [self _readableKeychainWithRef: keychainRef fromPath: path];
1.89 +}
1.90 +
1.91 +- (BOOL) deleteKeychainFile {
1.92 + Assert(_keychain);
1.93 + return check(SecKeychainDelete(_keychain), @"SecKeychainDelete");
1.94 +}
1.95 +
1.96 +
1.97 +- (void) dealloc
1.98 +{
1.99 + if (_keychain) CFRelease(_keychain);
1.100 + [super dealloc];
1.101 +}
1.102 +
1.103 +
1.104 ++ (MYKeychain*) allKeychains
1.105 +{
1.106 + static MYKeychain *sAllKeychains;
1.107 + @synchronized(self) {
1.108 + if (!sAllKeychains)
1.109 + sAllKeychains = [[self alloc] initWithKeychainRef: nil];
1.110 + }
1.111 + return sAllKeychains;
1.112 +}
1.113 +
1.114 +
1.115 ++ (MYKeychain*) defaultKeychain
1.116 +{
1.117 + static MYKeychain *sDefaultKeychain;
1.118 + @synchronized(self) {
1.119 + if (!sDefaultKeychain) {
1.120 + SecKeychainRef kc = NULL;
1.121 + OSStatus err = SecKeychainCopyDomainDefault(kSecPreferencesDomainUser,&kc);
1.122 +#if TARGET_OS_IPHONE
1.123 + // In the simulator, an app is run in a sandbox that has no keychain by default.
1.124 + // As a convenience, create one if necessary:
1.125 + if (err == errSecNoDefaultKeychain) {
1.126 + Log(@"No default keychain in simulator; creating one...");
1.127 + NSString *path = [NSSearchPathForDirectoriesInDomains(NSLibraryDirectory,
1.128 + NSUserDomainMask, YES) objectAtIndex: 0];
1.129 + path = [path stringByAppendingPathComponent: @"MYCrypto.keychain"];
1.130 + sDefaultKeychain = [[self createKeychainAtPath: path withPassword: nil] retain];
1.131 + Assert(sDefaultKeychain, @"Couldn't create default keychain");
1.132 + SecKeychainSetDomainDefault(kSecPreferencesDomainUser, sDefaultKeychain.keychainRef);
1.133 + Log(@"...created %@", sDefaultKeychain);
1.134 + return sDefaultKeychain;
1.135 + }
1.136 +#endif
1.137 + if (!check(err, @"SecKeychainCopyDefault"))
1.138 + kc = NULL;
1.139 +
1.140 + Assert(kc, @"No default keychain");
1.141 + sDefaultKeychain = [[self alloc] initWithKeychainRef: kc];
1.142 + CFRelease(kc);
1.143 + }
1.144 + }
1.145 + return sDefaultKeychain;
1.146 +}
1.147 +
1.148 +
1.149 +- (id) copyWithZone: (NSZone*)zone {
1.150 + // It's not necessary to make copies of Keychain objects. This makes it more efficient
1.151 + // to use instances as NSDictionary keys or store them in NSSets.
1.152 + return [self retain];
1.153 +}
1.154 +
1.155 +- (BOOL) isEqual: (id)obj {
1.156 + return (obj == self) ||
1.157 + ([obj isKindOfClass: [MYKeychain class]] && CFEqual(_keychain, [obj keychainRef]));
1.158 +}
1.159 +
1.160 +
1.161 +- (SecKeychainRef) keychainRef {
1.162 + return _keychain;
1.163 +}
1.164 +
1.165 +
1.166 +- (SecKeychainRef) keychainRefOrDefault {
1.167 + if (_keychain)
1.168 + return _keychain;
1.169 + else
1.170 + return [[[self class] defaultKeychain] keychainRef];
1.171 +}
1.172 +
1.173 +
1.174 +- (NSString*) path {
1.175 + if (!_keychain)
1.176 + return nil;
1.177 + char pathBuf[PATH_MAX];
1.178 + UInt32 pathLen = sizeof(pathBuf);
1.179 + if (!check(SecKeychainGetPath(_keychain, &pathLen, pathBuf), @"SecKeychainGetPath"))
1.180 + return nil;
1.181 + return [[NSFileManager defaultManager] stringWithFileSystemRepresentation: pathBuf length: pathLen];
1.182 +}
1.183 +
1.184 +- (NSString*) description {
1.185 + if (_keychain)
1.186 + return $sprintf(@"%@[%p, %@]", [self class], _keychain, self.path);
1.187 + else
1.188 + return $sprintf(@"%@[all]", [self class]);
1.189 +}
1.190 +
1.191 +
1.192 +#pragma mark -
1.193 +#pragma mark SEARCHING:
1.194 +
1.195 +
1.196 +- (MYKeychainItem*) itemOfClass: (SecItemClass)itemClass
1.197 + withDigest: (MYSHA1Digest*)pubKeyDigest
1.198 +{
1.199 + SecKeychainAttribute attr = {.tag= (itemClass==kSecCertificateItemClass ?kSecPublicKeyHashItemAttr :kSecKeyLabel),
1.200 + .length= pubKeyDigest.length,
1.201 + .data= (void*) pubKeyDigest.bytes};
1.202 + MYKeyEnumerator *e = [[MYKeyEnumerator alloc] initWithKeychain: self
1.203 + itemClass: itemClass
1.204 + attributes: &attr count: 1];
1.205 + MYKeychainItem *item = e.nextObject;
1.206 + [e release];
1.207 + return item;
1.208 +}
1.209 +
1.210 +- (MYPublicKey*) publicKeyWithDigest: (MYSHA1Digest*)pubKeyDigest {
1.211 + return (MYPublicKey*) [self itemOfClass: kSecPublicKeyItemClass withDigest: pubKeyDigest];
1.212 +}
1.213 +
1.214 +- (NSEnumerator*) enumeratePublicKeys {
1.215 + return [[[MYKeyEnumerator alloc] initWithKeychain: self
1.216 + itemClass: kSecPublicKeyItemClass
1.217 + attributes: NULL count: 0] autorelease];
1.218 +}
1.219 +
1.220 +- (NSEnumerator*) publicKeysWithAlias: (NSString*)alias {
1.221 + NSData *utf8 = [alias dataUsingEncoding: NSUTF8StringEncoding];
1.222 + SecKeychainAttribute attr = {.tag=kSecKeyAlias, .length=utf8.length, .data=(void*)utf8.bytes};
1.223 + return [[[MYKeyEnumerator alloc] initWithKeychain: self
1.224 + itemClass: kSecPublicKeyItemClass
1.225 + attributes: &attr count: 1] autorelease];
1.226 +}
1.227 +
1.228 +
1.229 +- (MYKeyPair*) keyPairWithDigest: (MYSHA1Digest*)pubKeyDigest {
1.230 + return (MYKeyPair*) [self itemOfClass: kSecPrivateKeyItemClass withDigest: pubKeyDigest];
1.231 +}
1.232 +
1.233 +- (NSEnumerator*) enumerateKeyPairs {
1.234 + return [[[MYKeyEnumerator alloc] initWithKeychain: self
1.235 + itemClass: kSecPrivateKeyItemClass
1.236 + attributes: NULL count: 0] autorelease];
1.237 +}
1.238 +
1.239 +- (MYCertificate*) certificateWithDigest: (MYSHA1Digest*)pubKeyDigest {
1.240 + return (MYCertificate*) [self itemOfClass: kSecCertificateItemClass withDigest: pubKeyDigest];
1.241 +}
1.242 +
1.243 +- (NSEnumerator*) enumerateCertificates {
1.244 + return [[[MYKeyEnumerator alloc] initWithKeychain: self
1.245 + itemClass: kSecCertificateItemClass
1.246 + attributes: NULL count: 0] autorelease];
1.247 +}
1.248 +
1.249 +- (NSEnumerator*) enumerateSymmetricKeys {
1.250 + return [[[MYKeyEnumerator alloc] initWithKeychain: self
1.251 + itemClass: kSecSymmetricKeyItemClass
1.252 + attributes: NULL count: 0] autorelease];
1.253 +}
1.254 +
1.255 +- (NSEnumerator*) symmetricKeysWithAlias: (NSString*)alias {
1.256 + NSData *utf8 = [alias dataUsingEncoding: NSUTF8StringEncoding];
1.257 + SecKeychainAttribute attr = {.tag=kSecKeyAlias, .length=utf8.length, .data=(void*)utf8.bytes};
1.258 + return [[[MYKeyEnumerator alloc] initWithKeychain: self
1.259 + itemClass: kSecSymmetricKeyItemClass
1.260 + attributes: &attr count: 1] autorelease];
1.261 +}
1.262 +
1.263 +
1.264 +
1.265 +#pragma mark -
1.266 +#pragma mark IMPORT:
1.267 +
1.268 +
1.269 +- (MYPublicKey*) importPublicKey: (NSData*)keyData {
1.270 + return [[[MYPublicKey alloc] _initWithKeyData: keyData
1.271 + forKeychain: self.keychainRefOrDefault]
1.272 + autorelease];
1.273 +}
1.274 +
1.275 +- (MYKeyPair*) importPublicKey: (NSData*)pubKeyData
1.276 + privateKey: (NSData*)privKeyData
1.277 + alertTitle: (NSString*)title
1.278 + alertPrompt: (NSString*)prompt {
1.279 + return [[[MYKeyPair alloc] _initWithPublicKeyData: pubKeyData
1.280 + privateKeyData: privKeyData
1.281 + forKeychain: self.keychainRefOrDefault
1.282 + alertTitle: (NSString*)title
1.283 + alertPrompt: (NSString*)prompt]
1.284 + autorelease];
1.285 +}
1.286 +
1.287 +- (MYKeyPair*) importPublicKey: (NSData*)pubKeyData
1.288 + privateKey: (NSData*)privKeyData
1.289 +{
1.290 + return [self importPublicKey: pubKeyData privateKey: privKeyData
1.291 + alertTitle: @"Import Private Key"
1.292 + alertPrompt: @"To import your saved private key, please re-enter the "
1.293 + "passphrase you used when you exported it."];
1.294 +}
1.295 +
1.296 +- (MYCertificate*) importCertificate: (NSData*)data
1.297 + type: (CSSM_CERT_TYPE) type
1.298 + encoding: (CSSM_CERT_ENCODING) encoding;
1.299 +{
1.300 + MYCertificate *cert = [[[MYCertificate alloc] initWithCertificateData: data
1.301 + type: type
1.302 + encoding: encoding]
1.303 + autorelease];
1.304 + if (cert) {
1.305 + if (!check(SecCertificateAddToKeychain(cert.certificateRef, self.keychainRefOrDefault),
1.306 + @"SecCertificateAddToKeychain"))
1.307 + cert = nil;
1.308 + }
1.309 + return cert;
1.310 +}
1.311 +
1.312 +- (MYCertificate*) importCertificate: (NSData*)data {
1.313 + return [self importCertificate: data
1.314 + type: CSSM_CERT_X_509v3
1.315 + encoding: CSSM_CERT_ENCODING_BER];
1.316 +}
1.317 +
1.318 +
1.319 +- (MYSymmetricKey*) generateSymmetricKeyOfSize: (unsigned)keySizeInBits
1.320 + algorithm: (CCAlgorithm)algorithm
1.321 +{
1.322 + return [MYSymmetricKey _generateSymmetricKeyOfSize: keySizeInBits
1.323 + algorithm: algorithm inKeychain: self];
1.324 +}
1.325 +
1.326 +- (MYKeyPair*) generateRSAKeyPairOfSize: (unsigned)keySize {
1.327 + return [MYKeyPair _generateRSAKeyPairOfSize: keySize inKeychain: self.keychainRefOrDefault];
1.328 +}
1.329 +
1.330 +
1.331 +- (CSSM_CSP_HANDLE) CSPHandle {
1.332 + CSSM_CSP_HANDLE cspHandle = 0;
1.333 + Assert(check(SecKeychainGetCSPHandle(self.keychainRefOrDefault, &cspHandle), @"SecKeychainGetCSPHandle"));
1.334 + return cspHandle;
1.335 +}
1.336 +
1.337 +
1.338 +@end
1.339 +
1.340 +
1.341 +
1.342 +#pragma mark -
1.343 +@implementation MYKeyEnumerator
1.344 +
1.345 +- (id) initWithKeychain: (MYKeychain*)keychain
1.346 + itemClass: (SecItemClass)itemClass
1.347 + attributes: (SecKeychainAttribute[])attributes
1.348 + count: (unsigned)count {
1.349 + self = [super init];
1.350 + if (self) {
1.351 + _keychain = [keychain retain];
1.352 + _itemClass = itemClass;
1.353 + SecKeychainAttributeList list = {.count=count, .attr=attributes};
1.354 + if (!check(SecKeychainSearchCreateFromAttributes(keychain.keychainRef,
1.355 + itemClass,
1.356 + &list,
1.357 + &_search),
1.358 + @"SecKeychainSearchCreateFromAttributes")) {
1.359 + [self release];
1.360 + return nil;
1.361 + }
1.362 + }
1.363 + return self;
1.364 +}
1.365 +
1.366 +- (void) dealloc
1.367 +{
1.368 + [_keychain release];
1.369 + if (_search) CFRelease(_search);
1.370 + [super dealloc];
1.371 +}
1.372 +
1.373 +
1.374 +- (id) nextObject {
1.375 + if (!_search)
1.376 + return nil;
1.377 + MYPublicKey *key = nil;
1.378 + do{
1.379 + SecKeychainItemRef found = NULL;
1.380 + OSStatus err = SecKeychainSearchCopyNext(_search, &found);
1.381 + if (err || !found) {
1.382 + if (err != errSecItemNotFound)
1.383 + check(err,@"SecKeychainSearchCopyNext");
1.384 + CFRelease(_search);
1.385 + _search = NULL;
1.386 + return nil;
1.387 + }
1.388 +
1.389 + switch (_itemClass) {
1.390 + case kSecPrivateKeyItemClass: {
1.391 + MYSHA1Digest *digest = [MYPublicKey _digestOfKey: (SecKeyRef)found];
1.392 + if (digest) {
1.393 + MYPublicKey *publicKey = [_keychain publicKeyWithDigest: digest];
1.394 + if (publicKey)
1.395 + key = [[[MYKeyPair alloc] initWithPublicKeyRef: publicKey.keyRef
1.396 + privateKeyRef: (SecKeyRef)found]
1.397 + autorelease];
1.398 + else {
1.399 + // The matching public key won't turn up if it's embedded in a certificate;
1.400 + // I'd have to search for certs if I wanted to look that up. Skip it for now.
1.401 + //Warn(@"Couldn't find matching public key for private key! digest=%@",digest);
1.402 + }
1.403 + }
1.404 + break;
1.405 + }
1.406 + case kSecCertificateItemClass:
1.407 + key = [[[MYCertificate alloc] initWithCertificateRef: (SecCertificateRef)found] autorelease];
1.408 + break;
1.409 + case kSecPublicKeyItemClass:
1.410 + key = [[[MYPublicKey alloc] initWithKeyRef: (SecKeyRef)found] autorelease];
1.411 + break;
1.412 + }
1.413 + CFRelease(found);
1.414 + } while (key==nil);
1.415 + return key;
1.416 +}
1.417 +
1.418 +
1.419 +@end
1.420 +
1.421 +
1.422 +#endif !USE_IPHONE_API
1.423 +
1.424 +
1.425 +
1.426 +/*
1.427 + Copyright (c) 2009, Jens Alfke <jens@mooseyard.com>. All rights reserved.
1.428 +
1.429 + Redistribution and use in source and binary forms, with or without modification, are permitted
1.430 + provided that the following conditions are met:
1.431 +
1.432 + * Redistributions of source code must retain the above copyright notice, this list of conditions
1.433 + and the following disclaimer.
1.434 + * Redistributions in binary form must reproduce the above copyright notice, this list of conditions
1.435 + and the following disclaimer in the documentation and/or other materials provided with the
1.436 + distribution.
1.437 +
1.438 + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
1.439 + IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
1.440 + FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRI-
1.441 + BUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
1.442 + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
1.443 + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
1.444 + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
1.445 + THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.446 + */