5 // Created by Jens Alfke on 4/7/09.
6 // Copyright 2009 Jens Alfke. All rights reserved.
9 #import "MYPrivateKey.h"
10 #import "MYCrypto_Private.h"
13 #import <CommonCrypto/CommonDigest.h>
16 @implementation MYPrivateKey
19 - (id) initWithKeyRef: (SecKeyRef)privateKey
21 self = [super initWithKeyRef: privateKey];
23 // No public key given, so look it up:
24 MYSHA1Digest *digest = self._keyDigest;
26 _publicKey = [[self.keychain publicKeyWithDigest: digest] retain];
28 // The matching public key won't turn up if it's embedded in a certificate;
29 // I'd have to search for certs if I wanted to look that up. Skip it for now.
30 Log(@"MYPrivateKey(%p): Couldn't find matching public key for private key! digest=%@",
40 - (id) _initWithKeyRef: (SecKeyRef)privateKey
41 publicKey: (MYPublicKey*)publicKey
44 self = [super initWithKeyRef: privateKey];
46 _publicKey = [publicKey retain];
51 - (id) initWithKeyRef: (SecKeyRef)privateKey
52 publicKeyRef: (SecKeyRef)publicKeyRef
54 MYPublicKey *publicKey = [[MYPublicKey alloc] initWithKeyRef: publicKeyRef];
55 self = [self _initWithKeyRef: privateKey publicKey: publicKey];
60 - (id) _initWithKeyRef: (SecKeyRef)privateKey
61 publicKeyData: (NSData*)pubKeyData
62 forKeychain: (SecKeychainRef)keychain
68 MYPublicKey *pubKey = [[MYPublicKey alloc] _initWithKeyData: pubKeyData forKeychain: keychain];
73 self = [super initWithKeyRef: privateKey];
77 [pubKey removeFromKeychain];
86 // The public API for this is in MYKeychain.
87 - (id) _initWithKeyData: (NSData*)privKeyData
88 publicKeyData: (NSData*)pubKeyData
89 forKeychain: (SecKeychainRef)keychain
90 alertTitle: (NSString*)title
91 alertPrompt: (NSString*)prompt
93 // Try to import the private key first, since the user might cancel the passphrase alert.
94 SecKeyImportExportParameters params = {
95 .flags = kSecKeySecurePassphrase,
96 .alertTitle = (CFStringRef) title,
97 .alertPrompt = (CFStringRef) prompt
99 SecKeyRef privateKey = importKey(privKeyData,kSecItemTypePrivateKey,keychain,¶ms);
100 return [self _initWithKeyRef: privateKey publicKeyData: pubKeyData forKeychain: keychain];
103 // This method is for testing, so unit-tests don't require user intervention.
104 // It's deliberately not made public, to discourage clients from trying to manage the passphrases
105 // themselves (this is less secure than letting the Security agent do it.)
106 - (id) _initWithKeyData: (NSData*)privKeyData
107 publicKeyData: (NSData*)pubKeyData
108 forKeychain: (SecKeychainRef)keychain
109 passphrase: (NSString*)passphrase
111 SecKeyImportExportParameters params = {
112 .passphrase = (CFStringRef) passphrase,
114 SecKeyRef privateKey = importKey(privKeyData,kSecItemTypePrivateKey,keychain,¶ms);
115 return [self _initWithKeyRef: privateKey publicKeyData: pubKeyData forKeychain: keychain];
119 - (MYIdentity*) createSelfSignedIdentityWithAttributes: (NSDictionary*)attributes {
120 return MYIdentityCreateSelfSigned(self, attributes);
129 [_publicKey release];
134 + (MYPrivateKey*) _generateRSAKeyPairOfSize: (unsigned)keySize
135 inKeychain: (MYKeychain*)keychain
137 Assert( keySize == 512 || keySize == 1024 || keySize == 2048, @"Unsupported key size %u", keySize );
138 SecKeyRef pubKey=NULL, privKey=NULL;
141 #if MYCRYPTO_USE_IPHONE_API
142 NSDictionary *pubKeyAttrs = $dict({(id)kSecAttrIsPermanent, $true});
143 NSDictionary *privKeyAttrs = $dict({(id)kSecAttrIsPermanent, $true});
144 NSDictionary *keyAttrs = $dict( {(id)kSecAttrKeyType, (id)kSecAttrKeyTypeRSA},
145 {(id)kSecAttrKeySizeInBits, $object(keySize)},
146 {(id)kSecPublicKeyAttrs, pubKeyAttrs},
147 {(id)kSecPrivateKeyAttrs, privKeyAttrs} );
148 err = SecKeyGeneratePair((CFDictionaryRef)keyAttrs,&pubKey,&privKey);
150 err = SecKeyCreatePair(keychain.keychainRefOrDefault,
154 CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_VERIFY, // public key
155 CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_PERMANENT,
156 CSSM_KEYUSE_DECRYPT | CSSM_KEYUSE_SIGN, // private key
157 CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_SENSITIVE | CSSM_KEYATTR_PERMANENT,
158 NULL, // SecAccessRef
161 if (!check(err, @"SecKeyCreatePair")) {
164 return [[[self alloc] initWithKeyRef: privKey publicKeyRef: pubKey] autorelease];
169 #pragma mark ACCESSORS:
172 - (NSString*) description {
173 return $sprintf(@"%@[%@]", [self class], self.publicKeyDigest.abbreviatedHexString);
176 @synthesize publicKey=_publicKey;
178 - (MYSHA1Digest*) publicKeyDigest {
179 return _publicKey.publicKeyDigest;
182 - (SecExternalItemType) keyType {
183 #if MYCRYPTO_USE_IPHONE_API
184 return kSecAttrKeyClassPublic;
186 return kSecItemTypePrivateKey;
190 - (NSData *) keyData {
191 [NSException raise: NSGenericException format: @"Can't access keyData of a PrivateKey"];
195 - (BOOL) setValue: (NSString*)valueStr ofAttribute: (SecKeychainAttrType)attr {
196 return [super setValue: valueStr ofAttribute: attr]
197 && [_publicKey setValue: valueStr ofAttribute: attr];
202 #pragma mark OPERATIONS:
205 - (BOOL) removeFromKeychain {
206 return [super removeFromKeychain]
207 && [_publicKey removeFromKeychain];
211 - (NSData*) decryptData: (NSData*)data {
212 return [self _crypt: data operation: NO];
216 - (NSData*) signData: (NSData*)data {
218 #if MYCRYPTO_USE_IPHONE_API
219 uint8_t digest[CC_SHA1_DIGEST_LENGTH];
220 CC_SHA1(data.bytes,data.length, digest);
222 size_t sigLen = 1024;
223 uint8_t sigBuf[sigLen];
224 OSStatus err = SecKeyRawSign(self.keyRef, kSecPaddingPKCS1SHA1,
225 digest,sizeof(digest), //data.bytes, data.length,
228 Warn(@"SecKeyRawSign failed: %i",err);
231 return [NSData dataWithBytes: sigBuf length: sigLen];
233 NSData *signature = nil;
234 CSSM_CC_HANDLE ccHandle = [self _createSignatureContext: CSSM_ALGID_SHA256WithRSA];
235 if (!ccHandle) return nil;
236 CSSM_DATA original = {data.length, (void*)data.bytes};
237 CSSM_DATA result = {0,NULL};
238 if (checkcssm(CSSM_SignData(ccHandle, &original, 1, CSSM_ALGID_NONE, &result), @"CSSM_SignData"))
239 signature = [NSData dataWithBytesNoCopy: result.Data length: result.Length
241 CSSM_DeleteContext(ccHandle);
247 #if !TARGET_OS_IPHONE
249 - (NSData*) exportKeyInFormat: (SecExternalFormat)format
250 withPEM: (BOOL)withPEM
251 alertTitle: (NSString*)title
252 alertPrompt: (NSString*)prompt
254 SecKeyImportExportParameters params = {
255 .version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION,
256 .flags = kSecKeySecurePassphrase,
257 .alertTitle = (CFStringRef)title,
258 .alertPrompt = (CFStringRef)prompt
260 CFDataRef data = NULL;
261 if (check(SecKeychainItemExport(self.keyRef,
262 format, (withPEM ?kSecItemPemArmour :0),
264 @"SecKeychainItemExport"))
265 return [(id)CFMakeCollectable(data) autorelease];
270 - (NSData*) exportKey {
271 return [self exportKeyInFormat: kSecFormatWrappedOpenSSL withPEM: YES
272 alertTitle: @"Export Private Key"
273 alertPrompt: @"Enter a passphrase to protect the private-key file.\n"
274 "You will need to re-enter the passphrase later when importing the key from this file, "
275 "so keep it in a safe place."];
276 //FIX: Should make these messages localizable.
280 - (NSData*) _exportKeyInFormat: (SecExternalFormat)format
281 withPEM: (BOOL)withPEM
282 passphrase: (NSString*)passphrase
284 SecKeyImportExportParameters params = {
285 .version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION,
286 .passphrase = (CFStringRef)passphrase
288 CFDataRef data = NULL;
289 if (check(SecKeychainItemExport(self.keyRef,
290 format, (withPEM ?kSecItemPemArmour :0),
292 @"SecKeychainItemExport"))
293 return [(id)CFMakeCollectable(data) autorelease];
298 #endif TARGET_OS_IPHONE