5 // Created by Jens Alfke on 3/21/09.
6 // Copyright 2009 Jens Alfke. All rights reserved.
10 #import "MYCrypto_Private.h"
11 #import <CommonCrypto/CommonDigest.h>
18 @implementation MYKeyPair
21 + (MYKeyPair*) _generateRSAKeyPairOfSize: (unsigned)keySize
22 inKeychain: (SecKeychainRef)keychain {
23 Assert( keySize == 512 || keySize == 1024 || keySize == 2048, @"Unsupported key size %u", keySize );
24 SecKeyRef pubKey=NULL, privKey=NULL;
26 err = SecKeyCreatePair(keychain, CSSM_ALGID_RSA, keySize, 0LL,
27 CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_VERIFY, // public key
28 CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_PERMANENT,
29 CSSM_KEYUSE_DECRYPT | CSSM_KEYUSE_SIGN, // private key
30 CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_SENSITIVE | CSSM_KEYATTR_PERMANENT,
33 if (!check(err, @"SecKeyCreatePair")) {
36 return [[[self alloc] initWithPublicKeyRef: pubKey privateKeyRef: privKey] autorelease];
40 - (id) initWithPublicKeyRef: (SecKeyRef)publicKey privateKeyRef: (SecKeyRef)privateKey {
41 self = [super initWithKeyRef: publicKey];
43 NSParameterAssert(privateKey);
44 _privateKey = (SecKeyRef) CFRetain(privateKey);
49 - (id) _initWithPublicKeyData: (NSData*)pubKeyData
50 privateKey: (SecKeyRef)privateKey
51 forKeychain: (SecKeychainRef)keychain {
56 self = [self _initWithKeyData: pubKeyData forKeychain: keychain];
58 _privateKey = privateKey;
60 SecKeychainItemDelete((SecKeychainItemRef)privateKey);
61 CFRelease(privateKey);
67 // The public API for this is in MYKeychain.
68 - (id) _initWithPublicKeyData: (NSData*)pubKeyData
69 privateKeyData: (NSData*)privKeyData
70 forKeychain: (SecKeychainRef)keychain
71 alertTitle: (NSString*)title
72 alertPrompt: (NSString*)prompt
74 // Try to import the private key first, since the user might cancel the passphrase alert.
75 SecKeyImportExportParameters params = {
76 .flags = kSecKeySecurePassphrase,
77 .alertTitle = (CFStringRef) title,
78 .alertPrompt = (CFStringRef) prompt
80 SecKeyRef privateKey = importKey(privKeyData,kSecItemTypePrivateKey,keychain,¶ms);
81 return [self _initWithPublicKeyData: pubKeyData privateKey: privateKey forKeychain: keychain];
84 // This method is for testing, so unit-tests don't require user intervention.
85 // It's deliberately not made public, to discourage clients from trying to manage the passphrases
86 // themselves (this is less secure than letting the Security agent do it.)
87 - (id) _initWithPublicKeyData: (NSData*)pubKeyData
88 privateKeyData: (NSData*)privKeyData
89 forKeychain: (SecKeychainRef)keychain
90 passphrase: (NSString*)passphrase
92 SecKeyImportExportParameters params = {
93 .passphrase = (CFStringRef) passphrase,
95 SecKeyRef privateKey = importKey(privKeyData,kSecItemTypePrivateKey,keychain,¶ms);
96 return [self _initWithPublicKeyData: pubKeyData privateKey: privateKey forKeychain: keychain];
102 if (_privateKey) CFRelease(_privateKey);
108 // Ensure that a KeyPair doesn't hash the same as its corresponding PublicKey:
109 return super.hash ^ 0xFFFFFFFF;
113 - (MYPublicKey*) asPublicKey {
114 return [[[MYPublicKey alloc] initWithKeyRef: self.keyRef] autorelease];
118 - (NSData*) exportPrivateKeyInFormat: (SecExternalFormat)format
119 withPEM: (BOOL)withPEM
120 alertTitle: (NSString*)title
121 alertPrompt: (NSString*)prompt
123 SecKeyImportExportParameters params = {
124 .version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION,
125 .flags = kSecKeySecurePassphrase,
126 .alertTitle = (CFStringRef)title,
127 .alertPrompt = (CFStringRef)prompt
129 CFDataRef data = NULL;
130 if (check(SecKeychainItemExport(_privateKey, //$array((id)_publicKey,(id)_privateKey),
131 format, (withPEM ?kSecItemPemArmour :0),
133 @"SecKeychainItemExport"))
134 return [(id)CFMakeCollectable(data) autorelease];
139 - (NSData*) exportPrivateKey {
140 return [self exportPrivateKeyInFormat: kSecFormatWrappedOpenSSL withPEM: YES
141 alertTitle: @"Export Private Key"
142 alertPrompt: @"Enter a passphrase to protect the private-key file.\n"
143 "You will need to re-enter the passphrase later when importing the key from this file, "
144 "so keep it in a safe place."];
145 //FIX: Should make these messages localizable.
149 - (NSData*) _exportPrivateKeyInFormat: (SecExternalFormat)format
150 withPEM: (BOOL)withPEM
151 passphrase: (NSString*)passphrase
153 SecKeyImportExportParameters params = {
154 .version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION,
155 .passphrase = (CFStringRef)passphrase
157 CFDataRef data = NULL;
158 if (check(SecKeychainItemExport(_privateKey,
159 format, (withPEM ?kSecItemPemArmour :0),
161 @"SecKeychainItemExport"))
162 return [(id)CFMakeCollectable(data) autorelease];
167 - (BOOL) removeFromKeychain {
168 return check(SecKeychainItemDelete((SecKeychainItemRef)_privateKey), @"delete private key")
169 && [super removeFromKeychain];
173 - (SecKeyRef) privateKeyRef {
178 - (NSData*) decryptData: (NSData*)data {
179 return _crypt(_privateKey,data,kCCDecrypt);
183 - (NSData*) signData: (NSData*)data {
185 uint8_t digest[CC_SHA256_DIGEST_LENGTH];
186 CC_SHA256(data.bytes,data.length, digest);
188 NSData *signature = nil;
189 CSSM_CC_HANDLE ccHandle = cssmCreateSignatureContext(_privateKey);
190 if (!ccHandle) return nil;
191 CSSM_DATA original = {data.length, (void*)data.bytes};
192 CSSM_DATA result = {0,NULL};
193 if (checkcssm(CSSM_SignData(ccHandle, &original, 1, CSSM_ALGID_NONE, &result), @"CSSM_SignData"))
194 signature = [NSData dataWithBytesNoCopy: result.Data length: result.Length
196 CSSM_DeleteContext(ccHandle);
201 - (BOOL) setValue: (NSString*)valueStr ofAttribute: (SecKeychainAttrType)attr {
202 return [super setValue: valueStr ofAttribute: attr]
203 && [[self class] _setAttribute: attr
204 ofItem: (SecKeychainItemRef)_privateKey
205 stringValue: valueStr];
212 #endif !USE_IPHONE_API
218 Copyright (c) 2009, Jens Alfke <jens@mooseyard.com>. All rights reserved.
220 Redistribution and use in source and binary forms, with or without modification, are permitted
221 provided that the following conditions are met:
223 * Redistributions of source code must retain the above copyright notice, this list of conditions
224 and the following disclaimer.
225 * Redistributions in binary form must reproduce the above copyright notice, this list of conditions
226 and the following disclaimer in the documentation and/or other materials provided with the
229 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
230 IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
231 FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRI-
232 BUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
233 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
234 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
235 CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
236 THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.