5 // Created by Jens Alfke on 3/23/09.
6 // Copyright 2009 Jens Alfke. All rights reserved.
10 #import "MYCrypto_Private.h"
16 @interface MYKeyEnumerator : NSEnumerator
18 MYKeychain *_keychain;
19 SecKeychainSearchRef _search;
20 SecItemClass _itemClass;
23 - (id) initWithKeychain: (MYKeychain*)keychain
24 itemClass: (SecItemClass)itemClass
25 attributes: (SecKeychainAttribute[])attributes
26 count: (unsigned)count;
31 @implementation MYKeychain
34 - (id) initWithKeychainRef: (SecKeychainRef)keychainRef
39 CFRetain(keychainRef);
40 _keychain = keychainRef;
46 + (MYKeychain*) _readableKeychainWithRef: (SecKeychainRef)keychainRef fromPath: (NSString*)path {
49 SecKeychainStatus status;
50 BOOL ok = check(SecKeychainGetStatus(keychainRef, &status), @"SecKeychainGetStatus");
51 if (ok && !(status & kSecReadPermStatus)) {
52 Warn(@"Can't open keychain at %@ : not readable (status=%i)", path,status);
55 MYKeychain *keychain = nil;
57 keychain = [[[self alloc] initWithKeychainRef: keychainRef] autorelease];
58 CFRelease(keychainRef);
62 + (MYKeychain*) openKeychainAtPath: (NSString*)path
65 SecKeychainRef keychainRef = NULL;
66 if (!check(SecKeychainOpen(path.fileSystemRepresentation, &keychainRef), @"SecKeychainOpen"))
68 return [self _readableKeychainWithRef: keychainRef fromPath: path];
71 + (MYKeychain*) createKeychainAtPath: (NSString*)path
72 withPassword: (NSString*)password
75 const char *passwordStr = [password UTF8String];
76 SecKeychainRef keychainRef = NULL;
77 if (!check(SecKeychainCreate(path.fileSystemRepresentation,
78 passwordStr ?strlen(passwordStr) :0,
83 @"SecKeychainCreate"))
85 return [self _readableKeychainWithRef: keychainRef fromPath: path];
88 - (BOOL) deleteKeychainFile {
90 return check(SecKeychainDelete(_keychain), @"SecKeychainDelete");
96 if (_keychain) CFRelease(_keychain);
101 + (MYKeychain*) allKeychains
103 static MYKeychain *sAllKeychains;
104 @synchronized(self) {
106 sAllKeychains = [[self alloc] initWithKeychainRef: nil];
108 return sAllKeychains;
112 + (MYKeychain*) defaultKeychain
114 static MYKeychain *sDefaultKeychain;
115 @synchronized(self) {
116 if (!sDefaultKeychain) {
117 SecKeychainRef kc = NULL;
118 OSStatus err = SecKeychainCopyDomainDefault(kSecPreferencesDomainUser,&kc);
120 // In the simulator, an app is run in a sandbox that has no keychain by default.
121 // As a convenience, create one if necessary:
122 if (err == errSecNoDefaultKeychain) {
123 Log(@"No default keychain in simulator; creating one...");
124 NSString *path = [NSSearchPathForDirectoriesInDomains(NSLibraryDirectory,
125 NSUserDomainMask, YES) objectAtIndex: 0];
126 path = [path stringByAppendingPathComponent: @"MYCrypto.keychain"];
127 sDefaultKeychain = [[self createKeychainAtPath: path withPassword: nil] retain];
128 Assert(sDefaultKeychain, @"Couldn't create default keychain");
129 SecKeychainSetDomainDefault(kSecPreferencesDomainUser, sDefaultKeychain.keychainRef);
130 Log(@"...created %@", sDefaultKeychain);
131 return sDefaultKeychain;
134 if (!check(err, @"SecKeychainCopyDefault"))
137 Assert(kc, @"No default keychain");
138 sDefaultKeychain = [[self alloc] initWithKeychainRef: kc];
142 return sDefaultKeychain;
146 - (id) copyWithZone: (NSZone*)zone {
147 // It's not necessary to make copies of Keychain objects. This makes it more efficient
148 // to use instances as NSDictionary keys or store them in NSSets.
149 return [self retain];
152 - (BOOL) isEqual: (id)obj {
153 return (obj == self) ||
154 ([obj isKindOfClass: [MYKeychain class]] && CFEqual(_keychain, [obj keychainRef]));
158 - (SecKeychainRef) keychainRef {
163 - (SecKeychainRef) keychainRefOrDefault {
167 return [[[self class] defaultKeychain] keychainRef];
174 char pathBuf[PATH_MAX];
175 UInt32 pathLen = sizeof(pathBuf);
176 if (!check(SecKeychainGetPath(_keychain, &pathLen, pathBuf), @"SecKeychainGetPath"))
178 return [[NSFileManager defaultManager] stringWithFileSystemRepresentation: pathBuf length: pathLen];
181 - (NSString*) description {
183 return $sprintf(@"%@[%p, %@]", [self class], _keychain, self.path);
185 return $sprintf(@"%@[all]", [self class]);
190 #pragma mark SEARCHING:
193 - (MYKeychainItem*) itemOfClass: (SecItemClass)itemClass
194 withDigest: (MYSHA1Digest*)pubKeyDigest
196 SecKeychainAttribute attr = {.tag= (itemClass==kSecCertificateItemClass ?kSecPublicKeyHashItemAttr :kSecKeyLabel),
197 .length= pubKeyDigest.length,
198 .data= (void*) pubKeyDigest.bytes};
199 MYKeyEnumerator *e = [[MYKeyEnumerator alloc] initWithKeychain: self
201 attributes: &attr count: 1];
202 MYKeychainItem *item = e.nextObject;
207 - (MYPublicKey*) publicKeyWithDigest: (MYSHA1Digest*)pubKeyDigest {
208 return (MYPublicKey*) [self itemOfClass: kSecPublicKeyItemClass withDigest: pubKeyDigest];
211 - (NSEnumerator*) enumeratePublicKeys {
212 return [[[MYKeyEnumerator alloc] initWithKeychain: self
213 itemClass: kSecPublicKeyItemClass
214 attributes: NULL count: 0] autorelease];
217 - (NSEnumerator*) publicKeysWithAlias: (NSString*)alias {
218 NSData *utf8 = [alias dataUsingEncoding: NSUTF8StringEncoding];
219 SecKeychainAttribute attr = {.tag=kSecKeyAlias, .length=utf8.length, .data=(void*)utf8.bytes};
220 return [[[MYKeyEnumerator alloc] initWithKeychain: self
221 itemClass: kSecPublicKeyItemClass
222 attributes: &attr count: 1] autorelease];
226 - (MYKeyPair*) keyPairWithDigest: (MYSHA1Digest*)pubKeyDigest {
227 return (MYKeyPair*) [self itemOfClass: kSecPrivateKeyItemClass withDigest: pubKeyDigest];
230 - (NSEnumerator*) enumerateKeyPairs {
231 return [[[MYKeyEnumerator alloc] initWithKeychain: self
232 itemClass: kSecPrivateKeyItemClass
233 attributes: NULL count: 0] autorelease];
236 - (MYCertificate*) certificateWithDigest: (MYSHA1Digest*)pubKeyDigest {
237 return (MYCertificate*) [self itemOfClass: kSecCertificateItemClass withDigest: pubKeyDigest];
240 - (NSEnumerator*) enumerateCertificates {
241 return [[[MYKeyEnumerator alloc] initWithKeychain: self
242 itemClass: kSecCertificateItemClass
243 attributes: NULL count: 0] autorelease];
246 - (NSEnumerator*) enumerateSymmetricKeys {
247 return [[[MYKeyEnumerator alloc] initWithKeychain: self
248 itemClass: kSecSymmetricKeyItemClass
249 attributes: NULL count: 0] autorelease];
252 - (NSEnumerator*) symmetricKeysWithAlias: (NSString*)alias {
253 NSData *utf8 = [alias dataUsingEncoding: NSUTF8StringEncoding];
254 SecKeychainAttribute attr = {.tag=kSecKeyAlias, .length=utf8.length, .data=(void*)utf8.bytes};
255 return [[[MYKeyEnumerator alloc] initWithKeychain: self
256 itemClass: kSecSymmetricKeyItemClass
257 attributes: &attr count: 1] autorelease];
266 - (MYPublicKey*) importPublicKey: (NSData*)keyData {
267 return [[[MYPublicKey alloc] _initWithKeyData: keyData
268 forKeychain: self.keychainRefOrDefault]
272 - (MYKeyPair*) importPublicKey: (NSData*)pubKeyData
273 privateKey: (NSData*)privKeyData
274 alertTitle: (NSString*)title
275 alertPrompt: (NSString*)prompt {
276 return [[[MYKeyPair alloc] _initWithPublicKeyData: pubKeyData
277 privateKeyData: privKeyData
278 forKeychain: self.keychainRefOrDefault
279 alertTitle: (NSString*)title
280 alertPrompt: (NSString*)prompt]
284 - (MYKeyPair*) importPublicKey: (NSData*)pubKeyData
285 privateKey: (NSData*)privKeyData
287 return [self importPublicKey: pubKeyData privateKey: privKeyData
288 alertTitle: @"Import Private Key"
289 alertPrompt: @"To import your saved private key, please re-enter the "
290 "passphrase you used when you exported it."];
293 - (MYCertificate*) importCertificate: (NSData*)data
294 type: (CSSM_CERT_TYPE) type
295 encoding: (CSSM_CERT_ENCODING) encoding;
297 MYCertificate *cert = [[[MYCertificate alloc] initWithCertificateData: data
302 if (!check(SecCertificateAddToKeychain(cert.certificateRef, self.keychainRefOrDefault),
303 @"SecCertificateAddToKeychain"))
309 - (MYCertificate*) importCertificate: (NSData*)data {
310 return [self importCertificate: data
311 type: CSSM_CERT_X_509v3
312 encoding: CSSM_CERT_ENCODING_BER];
316 - (MYSymmetricKey*) generateSymmetricKeyOfSize: (unsigned)keySizeInBits
317 algorithm: (CCAlgorithm)algorithm
319 return [MYSymmetricKey _generateSymmetricKeyOfSize: keySizeInBits
320 algorithm: algorithm inKeychain: self];
323 - (MYKeyPair*) generateRSAKeyPairOfSize: (unsigned)keySize {
324 return [MYKeyPair _generateRSAKeyPairOfSize: keySize inKeychain: self.keychainRefOrDefault];
328 - (CSSM_CSP_HANDLE) CSPHandle {
329 CSSM_CSP_HANDLE cspHandle = 0;
330 Assert(check(SecKeychainGetCSPHandle(self.keychainRefOrDefault, &cspHandle), @"SecKeychainGetCSPHandle"));
340 @implementation MYKeyEnumerator
342 - (id) initWithKeychain: (MYKeychain*)keychain
343 itemClass: (SecItemClass)itemClass
344 attributes: (SecKeychainAttribute[])attributes
345 count: (unsigned)count {
348 _keychain = [keychain retain];
349 _itemClass = itemClass;
350 SecKeychainAttributeList list = {.count=count, .attr=attributes};
351 if (!check(SecKeychainSearchCreateFromAttributes(keychain.keychainRef,
355 @"SecKeychainSearchCreateFromAttributes")) {
366 if (_search) CFRelease(_search);
374 MYPublicKey *key = nil;
376 SecKeychainItemRef found = NULL;
377 OSStatus err = SecKeychainSearchCopyNext(_search, &found);
379 if (err != errSecItemNotFound)
380 check(err,@"SecKeychainSearchCopyNext");
386 switch (_itemClass) {
387 case kSecPrivateKeyItemClass: {
388 MYSHA1Digest *digest = [MYPublicKey _digestOfKey: (SecKeyRef)found];
390 MYPublicKey *publicKey = [_keychain publicKeyWithDigest: digest];
392 key = [[[MYKeyPair alloc] initWithPublicKeyRef: publicKey.keyRef
393 privateKeyRef: (SecKeyRef)found]
396 // The matching public key won't turn up if it's embedded in a certificate;
397 // I'd have to search for certs if I wanted to look that up. Skip it for now.
398 //Warn(@"Couldn't find matching public key for private key! digest=%@",digest);
403 case kSecCertificateItemClass:
404 key = [[[MYCertificate alloc] initWithCertificateRef: (SecCertificateRef)found] autorelease];
406 case kSecPublicKeyItemClass:
407 key = [[[MYPublicKey alloc] initWithKeyRef: (SecKeyRef)found] autorelease];
419 #endif !USE_IPHONE_API
424 Copyright (c) 2009, Jens Alfke <jens@mooseyard.com>. All rights reserved.
426 Redistribution and use in source and binary forms, with or without modification, are permitted
427 provided that the following conditions are met:
429 * Redistributions of source code must retain the above copyright notice, this list of conditions
430 and the following disclaimer.
431 * Redistributions in binary form must reproduce the above copyright notice, this list of conditions
432 and the following disclaimer in the documentation and/or other materials provided with the
435 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
436 IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
437 FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRI-
438 BUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
439 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
440 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
441 CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
442 THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.