# HG changeset patch # User Jens Alfke # Date 1244617083 25200 # Node ID 6856e071d25a4484723d7f889e25bafc184f705d # Parent 39fec79de6e85b629a9ede44c890f586fa642255 * More work on iPhone compatibility. * Restored the signature-verification code to MYCertInfo, which I'd removed earlier. I now need it to verify self-signed certs, since the Security framework won't do it for me. * Merged MYCertificate-iPhone.m into MYCertificate.m since there's more shared code now. diff -r 39fec79de6e8 -r 6856e071d25a MYCertificate-iPhone.m --- a/MYCertificate-iPhone.m Sun Jun 07 21:53:56 2009 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,107 +0,0 @@ -// -// MYCertificate-iPhone.m -// MYCrypto-iPhone -// -// Created by Jens Alfke on 3/30/09. -// Copyright 2009 Jens Alfke. All rights reserved. -// - -#import "MYCertificate.h" -#import "MYCertificateInfo.h" -#import "MYCrypto_Private.h" - -#if MYCRYPTO_USE_IPHONE_API - - -@implementation MYCertificate - - -+ (MYCertificate*) certificateWithCertificateRef: (SecCertificateRef)certificateRef { - return [[[self alloc] initWithCertificateRef: certificateRef] autorelease]; -} - -/** Creates a MYCertificate object for an existing Keychain certificate reference. */ -- (id) initWithCertificateRef: (SecCertificateRef)certificateRef { - self = [super initWithKeychainItemRef: (SecKeychainItemRef)certificateRef]; - if (self) { - _certificateRef = certificateRef; // superclass has already CFRetained it - } - return self; -} - -/** Creates a MYCertificate object from exported key data, but does not add it to any keychain. */ -- (id) initWithCertificateData: (NSData*)data -{ - SecCertificateRef certificateRef = SecCertificateCreateWithData(NULL, (CFDataRef)data); - self = [self initWithCertificateRef: certificateRef]; - CFRelease(certificateRef); - return self; -} - -- (void) dealloc -{ - [_info release]; - [super dealloc]; -} - - -- (BOOL)isEqualToCertificate:(MYCertificate*)cert { - return [self isEqual: cert] || [self.certificateData isEqual: cert.certificateData]; -} - -@synthesize certificateRef=_certificateRef; - -- (NSData*) certificateData { - CFDataRef data = SecCertificateCopyData(_certificateRef); - return data ?[(id)CFMakeCollectable(data) autorelease] :nil; -} - -- (MYPublicKey*) publicKey { - SecTrustRef trust = NULL; - SecPolicyRef policy = SecPolicyCreateBasicX509(); - OSStatus err = SecTrustCreateWithCertificates((CFArrayRef)$array((id)_certificateRef), - policy, - &trust); - CFRelease(policy); - if (!check(err,@"SecTrustCreateWithCertificates")) - return nil; - - MYPublicKey *key = nil; - SecKeyRef keyRef = SecTrustCopyPublicKey(trust); - if (keyRef) { - key = [[[MYPublicKey alloc] initWithKeyRef: keyRef] autorelease]; - CFRelease(keyRef); - } - CFRelease(trust); - return key; -} - -- (MYIdentity*) identity { - return [self.keychain identityWithDigest: self.publicKey.publicKeyDigest]; -} - - -- (MYCertificateInfo*) info { - if (!_info) { - NSError *error; - _info = [[MYCertificateInfo alloc] initWithCertificateData: self.certificateData - error: &error]; - if (!_info) - Warn(@"Couldn't parse certificate %@: %@", self, error); - } - return _info; -} - -- (NSString*) commonName { - CFStringRef name = SecCertificateCopySubjectSummary(_certificateRef); - return name ?[(id)CFMakeCollectable(name) autorelease] :nil; -} - -- (NSArray*) emailAddresses { - NSString *email = self.info.subject.emailAddress; - return email ?$array(email) :nil; -} - -@end - -#endif MYCRYPTO_USE_IPHONE_API diff -r 39fec79de6e8 -r 6856e071d25a MYCertificate.h --- a/MYCertificate.h Sun Jun 07 21:53:56 2009 -0700 +++ b/MYCertificate.h Tue Jun 09 23:58:03 2009 -0700 @@ -55,6 +55,9 @@ /** The list (if any) of the subject's email addresses. */ @property (readonly) NSArray *emailAddresses; +- (SecTrustResultType) evaluateTrustWithPolicy: (SecPolicyRef)policy; +- (SecTrustResultType) evaluateTrust; + /** @name Mac-Only * Functionality not available on iPhone. @@ -80,21 +83,24 @@ /** @name Expert */ //@{ -#if !TARGET_OS_IPHONE + (SecPolicyRef) X509Policy; + (SecPolicyRef) SSLPolicy; + +#if !TARGET_OS_IPHONE + (SecPolicyRef) SMIMEPolicy; - (CSSM_CERT_TYPE) certificateType; - (NSArray*) trustSettings; - (BOOL) setUserTrust: (SecTrustUserSetting)trustSetting; +#endif -#endif //@} @end +NSString* MYTrustResultDescribe( SecTrustResultType result ); +#if !TARGET_OS_IPHONE NSString* MYPolicyGetName( SecPolicyRef policy ); NSString* MYTrustDescribe( SecTrustRef trust ); -NSString* MYTrustResultDescribe( SecTrustResultType result ); +#endif diff -r 39fec79de6e8 -r 6856e071d25a MYCertificate.m --- a/MYCertificate.m Sun Jun 07 21:53:56 2009 -0700 +++ b/MYCertificate.m Tue Jun 09 23:58:03 2009 -0700 @@ -13,8 +13,6 @@ #import "MYCertificateInfo.h" #import "MYErrorUtils.h" -#if !MYCRYPTO_USE_IPHONE_API - @implementation MYCertificate @@ -34,28 +32,51 @@ /** Creates a MYCertificate object from exported key data, but does not add it to any keychain. */ - (id) initWithCertificateData: (NSData*)data +#if !MYCRYPTO_USE_IPHONE_API type: (CSSM_CERT_TYPE) type encoding: (CSSM_CERT_ENCODING) encoding +#endif { Assert(data); + SecCertificateRef certificateRef = NULL; +#if MYCRYPTO_USE_IPHONE_API + certificateRef = SecCertificateCreateWithData(NULL, (CFDataRef)data); +#else CSSM_DATA cssmData = {.Data=(void*)data.bytes, .Length=data.length}; - SecCertificateRef certificateRef = NULL; if (!check(SecCertificateCreateFromData(&cssmData, type, encoding, &certificateRef), - @"SecCertificateCreateFromData")) { + @"SecCertificateCreateFromData")) + certificateRef = NULL; +#endif + if (!certificateRef) { [self release]; return nil; } self = [self initWithCertificateRef: certificateRef]; CFRelease(certificateRef); + + // If the cert is self-signed, verify its signature. Apple's frameworks don't do this, + // even the SecTrust API; if the signature doesn't verify, they just assume it could be + // signed by a different cert. Seems like a bad decision to me, so I'll add the check: + MYCertificateInfo *info = self.info; + if (info.isRoot) { + Log(@"Verifying self-signed certificate %@ ...", self); + if (![info verifySignatureWithKey: self.publicKey]) { + Log(@"Self-signed cert failed signature verification (%@)", self); + [self release]; + return nil; + } + } + return self; } +#if !MYCRYPTO_USE_IPHONE_API - (id) initWithCertificateData: (NSData*)data { return [self initWithCertificateData: data type: CSSM_CERT_X_509v3 encoding: CSSM_CERT_ENCODING_BER]; } - +#endif - (void) dealloc { [_info release]; @@ -78,6 +99,7 @@ } +#if !TARGET_OS_IPHONE + (MYCertificate*) preferredCertificateForName: (NSString*)name { SecCertificateRef certRef = NULL; if (!check(SecCertificateCopyPreference((CFStringRef)name, 0, &certRef), @@ -90,23 +112,49 @@ return check(SecCertificateSetPreference(_certificateRef, (CFStringRef)name, 0, NULL), @"SecCertificateSetPreference"); } +#endif TARGET_OS_IPHONE @synthesize certificateRef=_certificateRef; - (NSData*) certificateData { +#if MYCRYPTO_USE_IPHONE_API + CFDataRef data = SecCertificateCopyData(_certificateRef); + return data ?[(id)CFMakeCollectable(data) autorelease] :nil; +#else CSSM_DATA cssmData; if (!check(SecCertificateGetData(_certificateRef, &cssmData), @"SecCertificateGetData")) return nil; return [NSData dataWithBytes: cssmData.Data length: cssmData.Length]; +#endif } - (MYPublicKey*) publicKey { SecKeyRef keyRef = NULL; +#if MYCRYPTO_USE_IPHONE_API + SecTrustRef trust = NULL; + SecPolicyRef policy = SecPolicyCreateBasicX509(); + OSStatus err = SecTrustCreateWithCertificates((CFArrayRef)$array((id)_certificateRef), + policy, + &trust); + CFRelease(policy); + if (!check(err,@"SecTrustCreateWithCertificates")) + return nil; + SecTrustResultType result; + if (!check(SecTrustEvaluate(trust, &result), @"SecTrustEvaluate")) { + CFRelease(trust); + return nil; + } + keyRef = SecTrustCopyPublicKey(trust); + CFRelease(trust); +#else if (!check(SecCertificateCopyPublicKey(_certificateRef, &keyRef), @"SecCertificateCopyPublicKey") || !keyRef) return nil; +#endif + if (!keyRef) + return nil; MYPublicKey *key = [[[MYPublicKey alloc] initWithKeyRef: keyRef] autorelease]; CFRelease(keyRef); return key; @@ -129,18 +177,27 @@ - (NSString*) commonName { CFStringRef name = NULL; +#if MYCRYPTO_USE_IPHONE_API + name = SecCertificateCopySubjectSummary(_certificateRef); +#else if (!check(SecCertificateCopyCommonName(_certificateRef, &name), - @"SecCertificateCopyCommonName") || !name) + @"SecCertificateCopyCommonName")) return nil; - return [(id)CFMakeCollectable(name) autorelease]; +#endif + return name ?[NSMakeCollectable(name) autorelease] :nil; } - (NSArray*) emailAddresses { +#if MYCRYPTO_USE_IPHONE_API + NSString *email = self.info.subject.emailAddress; + return email ?$array(email) :nil; +#else CFArrayRef addrs = NULL; if (!check(SecCertificateCopyEmailAddresses(_certificateRef, &addrs), @"SecCertificateCopyEmailAddresses") || !addrs) return nil; return [(id)CFMakeCollectable(addrs) autorelease]; +#endif } @@ -148,6 +205,37 @@ #pragma mark TRUST/POLICY STUFF: +- (SecTrustResultType) evaluateTrustWithPolicy: (SecPolicyRef)policy { + SecTrustRef trust; + if (!check(SecTrustCreateWithCertificates((CFArrayRef)$array((id)_certificateRef), policy, &trust), + @"SecTrustCreateWithCertificates")) + return kSecTrustResultOtherError; + SecTrustResultType result; + if (!check(SecTrustEvaluate(trust, &result), @"SecTrustEvaluate")) + result = kSecTrustResultOtherError; + +#if 0 + // This is just to log details: + CSSM_TP_APPLE_EVIDENCE_INFO *status; + CFArrayRef certChain; + if (check(SecTrustGetResult(trust, &result, &certChain, &status), @"SecTrustGetResult")) { + Log(@"evaluateTrust: result=%@, bits=%X, certChain=%@", MYTrustResultDescribe(result),status->StatusBits, certChain); + for (unsigned i=0; iNumStatusCodes; i++) + Log(@" #%i: %X", i, status->StatusCodes[i]); + CFRelease(certChain); + } +#endif + + CFRelease(trust); + return result; +} + +- (SecTrustResultType) evaluateTrust { + return [self evaluateTrustWithPolicy: [[self class] X509Policy]]; +} + + +#if !MYCRYPTO_USE_IPHONE_API + (SecPolicyRef) policyForOID: (CSSM_OID) policyOID { SecPolicySearchRef search; if (!check(SecPolicySearchCreate(CSSM_CERT_X_509v3, &policyOID, NULL, &search), @@ -159,29 +247,41 @@ CFRelease(search); return policy; } +#endif + (SecPolicyRef) X509Policy { static SecPolicyRef sX509Policy = NULL; - if (!sX509Policy) + if (!sX509Policy) { +#if MYCRYPTO_USE_IPHONE_API + sX509Policy = SecPolicyCreateBasicX509(); +#else sX509Policy = [self policyForOID: CSSMOID_APPLE_X509_BASIC]; +#endif + } return sX509Policy; } + (SecPolicyRef) SSLPolicy { static SecPolicyRef sSSLPolicy = NULL; - if (!sSSLPolicy) + if (!sSSLPolicy) { +#if MYCRYPTO_USE_IPHONE_API + sSSLPolicy = SecPolicyCreateSSL(NO,NULL); +#else sSSLPolicy = [self policyForOID: CSSMOID_APPLE_TP_SSL]; +#endif + } return sSSLPolicy; } +#if !TARGET_OS_IPHONE + (SecPolicyRef) SMIMEPolicy { static SecPolicyRef sSMIMEPolicy = NULL; - if (!sSMIMEPolicy) + if (!sSMIMEPolicy) { sSMIMEPolicy = [self policyForOID: CSSMOID_APPLE_TP_SMIME]; + } return sSMIMEPolicy; } - - (CSSM_CERT_TYPE) certificateType { CSSM_CERT_TYPE type = CSSM_CERT_UNKNOWN; if (!check(SecCertificateGetType(_certificateRef, &type), @"SecCertificateGetType")) @@ -212,19 +312,12 @@ } else return paramErr; } +#endif @end -NSString* MYPolicyGetName( SecPolicyRef policy ) { - if (!policy) - return @"(null)"; - CSSM_OID oid = {}; - SecPolicyGetOID(policy, &oid); - return $sprintf(@"SecPolicy[%@]", OIDAsString(oid)); -} - NSString* MYTrustResultDescribe( SecTrustResultType result ) { static NSString* const kTrustResultNames[kSecTrustResultOtherError+1] = { @"Invalid", @@ -243,6 +336,15 @@ } +#if !TARGET_OS_IPHONE +NSString* MYPolicyGetName( SecPolicyRef policy ) { + if (!policy) + return @"(null)"; + CSSM_OID oid = {}; + SecPolicyGetOID(policy, &oid); + return $sprintf(@"SecPolicy[%@]", OIDAsString(oid)); +} + NSString* MYTrustDescribe( SecTrustRef trust ) { SecTrustResultType result; CFArrayRef certChain=NULL; @@ -275,9 +377,10 @@ return result; } } +#endif - +#if !TARGET_OS_IPHONE TestCase(Trust) { Log(@"X.509 policy = %@", MYPolicyGetName([MYCertificate X509Policy])); Log(@" SSL policy = %@", MYPolicyGetName([MYCertificate SSLPolicy])); @@ -288,9 +391,7 @@ Log(@"---- %@ = %@", cert, settings); } } - - -#endif !MYCRYPTO_USE_IPHONE_API +#endif diff -r 39fec79de6e8 -r 6856e071d25a MYCertificateInfo.h --- a/MYCertificateInfo.h Sun Jun 07 21:53:56 2009 -0700 +++ b/MYCertificateInfo.h Tue Jun 09 23:58:03 2009 -0700 @@ -14,6 +14,7 @@ { @private NSArray *_root; + NSData *_data; } /** Initialize by parsing X.509 certificate data. @@ -35,6 +36,10 @@ /** Returns YES if the issuer is the same as the subject. (Aka a "self-signed" certificate.) */ @property (readonly) BOOL isRoot; +/** Verifies the certificate's signature, using the given public key. + If the certificate is root/self-signed, use the cert's own subject public key. */ +- (BOOL) verifySignatureWithKey: (MYPublicKey*)issuerPublicKey; + @end diff -r 39fec79de6e8 -r 6856e071d25a MYCertificateInfo.m --- a/MYCertificateInfo.m Sun Jun 07 21:53:56 2009 -0700 +++ b/MYCertificateInfo.m Tue Jun 09 23:58:03 2009 -0700 @@ -107,12 +107,17 @@ return nil; } - return [self initWithRoot: root]; + self = [self initWithRoot: root]; + if (self) { + _data = [data copy]; + } + return self; } - (void) dealloc { [_root release]; + [_data release]; [super dealloc]; } @@ -157,6 +162,42 @@ return [[[MYPublicKey alloc] initWithKeyData: keyData.bits] autorelease]; } +- (NSData*) signedData { + if (!_data) + return nil; + // The root object is a sequence; we want to extract the 1st object of that sequence. + const UInt8 *certStart = _data.bytes; + const UInt8 *start = MYBERGetContents(_data, nil); + if (!start) return nil; + size_t length = MYBERGetLength([NSData dataWithBytesNoCopy: (void*)start + length: _data.length - (start-certStart) + freeWhenDone: NO], + NULL); + if (length==0) + return nil; + return [NSData dataWithBytes: start length: (start + length - certStart)]; +} + +- (MYOID*) signatureAlgorithmID { + return $castIf(MYOID, $atIf($castIf(NSArray,$atIf(_root,1)), 0)); +} + +- (NSData*) signature { + id signature = $atIf(_root,2); + if ([signature isKindOfClass: [MYBitString class]]) + signature = [signature bits]; + return $castIf(NSData,signature); +} + +- (BOOL) verifySignatureWithKey: (MYPublicKey*)issuerPublicKey { + if (!$equal(self.signatureAlgorithmID, kRSAWithSHA1AlgorithmID)) + return NO; + NSData *signedData = self.signedData; + NSData *signature = self.signature; + return signedData && signature && [issuerPublicKey verifySignature: signature ofData: signedData]; +} + + @end @@ -364,28 +405,45 @@ CAssert(subject.commonName); // Now go through MYCertificate: + Log(@"Creating a MYCertificate from the data..."); MYCertificate *cert = [[MYCertificate alloc] initWithCertificateData: certData]; + Log(@"MYCertificate = %@", cert); CAssert(cert); CAssertEqual(cert.info, pcert); + Log(@"Trust = %@", MYTrustResultDescribe([cert evaluateTrust])); return pcert; } -static MYCertificateInfo* testCert(NSString *filename, BOOL selfSigned) { +static NSData* readTestFile(NSString *filename) { #if TARGET_OS_IPHONE filename = [[NSBundle mainBundle] pathForResource: filename ofType: @"cer"]; #else filename = [[@"../../Tests/" stringByAppendingPathComponent: filename] stringByAppendingPathExtension: @"cer"]; #endif - Log(@"--- Creating MYCertificateInfo from %@", filename); - return testCertData([NSData dataWithContentsOfFile: filename], selfSigned); + Log(@"--- Testing certificate file %@", filename); + NSData *data = [NSData dataWithContentsOfFile: filename]; + CAssert(data, @"Couldn't read file %@", filename); + return data; +} + +static MYCertificateInfo* testCert(NSString *filename, BOOL selfSigned) { + return testCertData(readTestFile(filename), selfSigned); } TestCase(ParsedCert) { testCert(@"selfsigned", YES); testCert(@"iphonedev", NO); + + // Now test a self-signed cert with a bad signature: + MYCertificate *cert = [[MYCertificate alloc] initWithCertificateData: readTestFile(@"selfsigned_altered")]; + Log(@"MYCertificate = %@", cert); + CAssertNil(cert); + + Log(@"Checking /tmp/generated.cer"); + testCertData([NSData dataWithContentsOfFile: @"/tmp/generated.cer"], YES);//TEMP } @@ -418,7 +476,11 @@ CAssert(certData); CAssertNil(error); CAssert(certData); -#if !TARGET_OS_IPHONE +#if TARGET_OS_IPHONE + NSString *path = [@"/tmp/generated.cer" stringByStandardizingPath]; //TEMP + CAssert([certData writeToFile: path atomically: YES]); + Log(@"Wrote generated cert to %@",path); +#else [certData writeToFile: @"../../Tests/generated.cer" atomically: YES]; #endif MYCertificateInfo *pcert2 = testCertData(certData, YES); diff -r 39fec79de6e8 -r 6856e071d25a MYCrypto-iPhone.xcodeproj/project.pbxproj --- a/MYCrypto-iPhone.xcodeproj/project.pbxproj Sun Jun 07 21:53:56 2009 -0700 +++ b/MYCrypto-iPhone.xcodeproj/project.pbxproj Tue Jun 09 23:58:03 2009 -0700 @@ -12,7 +12,6 @@ 1D60589F0D05DD5A006BFB54 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 1D30AB110D05D00D00671497 /* Foundation.framework */; }; 1DF5F4E00D08C38300B7A737 /* UIKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 1DF5F4DF0D08C38300B7A737 /* UIKit.framework */; }; 27059CF30F8F0F9200A8422F /* MYIdentity.m in Sources */ = {isa = PBXBuildFile; fileRef = 27059CF20F8F0F9200A8422F /* MYIdentity.m */; }; - 273391CD0F81EC70009414D9 /* MYCertificate-iPhone.m in Sources */ = {isa = PBXBuildFile; fileRef = 273391CC0F81EC70009414D9 /* MYCertificate-iPhone.m */; }; 273392120F8283B8009414D9 /* MYKeychain-iPhone.m in Sources */ = {isa = PBXBuildFile; fileRef = 273392110F8283B8009414D9 /* MYKeychain-iPhone.m */; }; 274110090F99234100AD413F /* MYSymmetricKey-iPhone.m in Sources */ = {isa = PBXBuildFile; fileRef = 274110080F99234100AD413F /* MYSymmetricKey-iPhone.m */; }; 2748607F0F8D5E0600FE617B /* MYPrivateKey.m in Sources */ = {isa = PBXBuildFile; fileRef = 2748607E0F8D5E0600FE617B /* MYPrivateKey.m */; }; @@ -20,6 +19,7 @@ 275D9FF00FD8795300D85A86 /* MYBERParser.m in Sources */ = {isa = PBXBuildFile; fileRef = 275D9FE80FD8795300D85A86 /* MYBERParser.m */; }; 275D9FF10FD8795300D85A86 /* MYDEREncoder.m in Sources */ = {isa = PBXBuildFile; fileRef = 275D9FEA0FD8795300D85A86 /* MYDEREncoder.m */; }; 275D9FF20FD8795300D85A86 /* MYOID.m in Sources */ = {isa = PBXBuildFile; fileRef = 275D9FEC0FD8795300D85A86 /* MYOID.m */; }; + 275ED90F0FDF8C22006A371D /* selfsigned_altered.cer in Resources */ = {isa = PBXBuildFile; fileRef = 275ED90E0FDF8C22006A371D /* selfsigned_altered.cer */; }; 276FB13F0F84090900CB326E /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 276FB13E0F84090900CB326E /* Security.framework */; }; 276FB16E0F84152B00CB326E /* MYCryptoTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 276FB16D0F84152B00CB326E /* MYCryptoTest.m */; }; 276FB3190F856AA700CB326E /* MYPublicKey.m in Sources */ = {isa = PBXBuildFile; fileRef = 276FB3180F856AA700CB326E /* MYPublicKey.m */; }; @@ -54,7 +54,6 @@ 1DF5F4DF0D08C38300B7A737 /* UIKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = UIKit.framework; path = System/Library/Frameworks/UIKit.framework; sourceTree = SDKROOT; }; 27059CF10F8F0F8E00A8422F /* MYIdentity.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MYIdentity.h; sourceTree = ""; }; 27059CF20F8F0F9200A8422F /* MYIdentity.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MYIdentity.m; sourceTree = ""; }; - 273391CC0F81EC70009414D9 /* MYCertificate-iPhone.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "MYCertificate-iPhone.m"; sourceTree = ""; }; 273392110F8283B8009414D9 /* MYKeychain-iPhone.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "MYKeychain-iPhone.m"; sourceTree = ""; }; 274110080F99234100AD413F /* MYSymmetricKey-iPhone.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "MYSymmetricKey-iPhone.m"; sourceTree = ""; }; 2748607D0F8D5DF200FE617B /* MYPrivateKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MYPrivateKey.h; sourceTree = ""; }; @@ -67,6 +66,7 @@ 275D9FEA0FD8795300D85A86 /* MYDEREncoder.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MYDEREncoder.m; sourceTree = ""; }; 275D9FEB0FD8795300D85A86 /* MYOID.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MYOID.h; sourceTree = ""; }; 275D9FEC0FD8795300D85A86 /* MYOID.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MYOID.m; sourceTree = ""; }; + 275ED90E0FDF8C22006A371D /* selfsigned_altered.cer */ = {isa = PBXFileReference; lastKnownFileType = file; name = selfsigned_altered.cer; path = Tests/selfsigned_altered.cer; sourceTree = ""; }; 276FB13E0F84090900CB326E /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = System/Library/Frameworks/Security.framework; sourceTree = SDKROOT; }; 276FB16D0F84152B00CB326E /* MYCryptoTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MYCryptoTest.m; sourceTree = ""; }; 276FB3180F856AA700CB326E /* MYPublicKey.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MYPublicKey.m; sourceTree = ""; }; @@ -161,6 +161,7 @@ 275D9FEC0FD8795300D85A86 /* MYOID.m */, 27958CA10FDB5F8F00095275 /* iphonedev.cer */, 27958CA20FDB5F8F00095275 /* selfsigned.cer */, + 275ED90E0FDF8C22006A371D /* selfsigned_altered.cer */, ); name = Certificates; sourceTree = ""; @@ -180,7 +181,6 @@ 27AAD9710F8927DB0064DD7C /* MYCryptoConfig.h */, 27E8230C0F81D56E0019BE60 /* MYCertificate.h */, 276FB34A0F856CA400CB326E /* MYCertificate.m */, - 273391CC0F81EC70009414D9 /* MYCertificate-iPhone.m */, 27059CF10F8F0F8E00A8422F /* MYIdentity.h */, 27059CF20F8F0F9200A8422F /* MYIdentity.m */, 27E823100F81D56E0019BE60 /* MYKey.h */, @@ -299,6 +299,7 @@ 27E8233C0F81D5760019BE60 /* MYError_CSSMErrorDomain.strings in Resources */, 27958CA30FDB5F8F00095275 /* iphonedev.cer in Resources */, 27958CA40FDB5F8F00095275 /* selfsigned.cer in Resources */, + 275ED90F0FDF8C22006A371D /* selfsigned_altered.cer in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -318,7 +319,6 @@ 27E823390F81D5760019BE60 /* Logging.m in Sources */, 27E8233A0F81D5760019BE60 /* Test.m in Sources */, 27E8233B0F81D5760019BE60 /* MYErrorUtils.m in Sources */, - 273391CD0F81EC70009414D9 /* MYCertificate-iPhone.m in Sources */, 273392120F8283B8009414D9 /* MYKeychain-iPhone.m in Sources */, 276FB16E0F84152B00CB326E /* MYCryptoTest.m in Sources */, 276FB3190F856AA700CB326E /* MYPublicKey.m in Sources */, diff -r 39fec79de6e8 -r 6856e071d25a MYKey-iPhone.m --- a/MYKey-iPhone.m Sun Jun 07 21:53:56 2009 -0700 +++ b/MYKey-iPhone.m Tue Jun 09 23:58:03 2009 -0700 @@ -59,7 +59,7 @@ - (id) initWithKeyRef: (SecKeyRef)key { - return [super initWithKeychainItemRef: (SecKeychainItemRef)key]; + return [self initWithKeychainItemRef: (SecKeychainItemRef)key]; } @@ -114,7 +114,8 @@ return nil; else { Assert(data!=NULL); - return [(id)CFMakeCollectable(data) autorelease]; + _keyData = NSMakeCollectable(data); + return _keyData; } // The format of this data is not documented. There's been some reverse-engineering: // https://devforums.apple.com/message/32089#32089 @@ -147,9 +148,7 @@ - (BOOL) setValue: (NSString*)value ofAttribute: (SecKeychainAttrType)attribute { if (!value) value = (id)[NSNull null]; - NSDictionary *query = $dict( {(id)kSecClass, (id)kSecClassKey}, - {(id)kSecAttrKeyClass, (id)self.keyClass}, - {(id)kSecMatchItemList, self._itemList} ); + NSDictionary *query = $dict( {(id)kSecValueRef, (id)self.keyRef} ); NSDictionary *attrs = $dict( {(id)attribute, value} ); return check(SecItemUpdate((CFDictionaryRef)query, (CFDictionaryRef)attrs), @"SecItemUpdate"); } diff -r 39fec79de6e8 -r 6856e071d25a MYKey.h --- a/MYKey.h Sun Jun 07 21:53:56 2009 -0700 +++ b/MYKey.h Tue Jun 09 23:58:03 2009 -0700 @@ -29,6 +29,7 @@ Concrete subclasses are MYSymmetricKey and MYPublicKey. */ @interface MYKey : MYKeychainItem { + @private NSData *_keyData; } diff -r 39fec79de6e8 -r 6856e071d25a MYKeychain-iPhone.m --- a/MYKeychain-iPhone.m Sun Jun 07 21:53:56 2009 -0700 +++ b/MYKeychain-iPhone.m Tue Jun 09 23:58:03 2009 -0700 @@ -220,6 +220,22 @@ } +- (BOOL) _verifyPublicKeyRef: (MYKeychainItemRef)itemRef { + // Enumerating the keychain sometimes returns public-key refs that give not-found errors + // when you try to use them for anything. As a workaround, detect these early on before + // even creating a MYPublicKey: + NSDictionary *info = $dict({(id)kSecValueRef, (id)itemRef}, + {(id)kSecReturnAttributes, $true}); + CFDictionaryRef attrs = NULL; + OSStatus err = SecItemCopyMatching((CFDictionaryRef)info, (CFTypeRef*)&attrs); + if (attrs) CFRelease(attrs); + if (err == errSecItemNotFound) { + Log(@"MYKeyEnumerator: Ignoring bogus(?) key with ref %p", itemRef); + return NO; + } else + return YES; +} + - (id) nextObject { if (!_results) return nil; @@ -229,7 +245,8 @@ if (_itemClass == kSecAttrKeyClassPrivate) { _currentObject = [[MYPrivateKey alloc] initWithKeyRef: (SecKeyRef)found]; } else if (_itemClass == kSecAttrKeyClassPublic) { - _currentObject = [[MYPublicKey alloc] initWithKeyRef: (SecKeyRef)found]; + if ([self _verifyPublicKeyRef: found]) + _currentObject = [[MYPublicKey alloc] initWithKeyRef: (SecKeyRef)found]; } else if (_itemClass == kSecAttrKeyClassSymmetric) { _currentObject = [[MYSymmetricKey alloc] initWithKeyRef: (SecKeyRef)found]; } else if (_itemClass == kSecClassCertificate) { diff -r 39fec79de6e8 -r 6856e071d25a MYKeychainItem.m --- a/MYKeychainItem.m Sun Jun 07 21:53:56 2009 -0700 +++ b/MYKeychainItem.m Tue Jun 09 23:58:03 2009 -0700 @@ -68,13 +68,6 @@ return $array((id)_itemRef); } -#if MYCRYPTO_USE_IPHONE_API -- (CFDictionaryRef) asQuery { - return (CFDictionaryRef) $dict( {(id)kSecClass, (id)kSecClassKey},//FIX - {(id)kSecMatchItemList, self._itemList} ); -} -#endif - - (MYKeychain*) keychain { #if MYCRYPTO_USE_IPHONE_API @@ -95,7 +88,7 @@ - (BOOL) removeFromKeychain { OSStatus err; #if MYCRYPTO_USE_IPHONE_API - err = SecItemDelete(self.asQuery); + err = SecItemDelete((CFDictionaryRef) $dict( {(id)kSecValueRef, (id)_itemRef} )); #else err = SecKeychainItemDelete((SecKeychainItemRef)_itemRef); if (err==errSecInvalidItemRef) @@ -127,8 +120,7 @@ + (NSData*) _getAttribute: (SecKeychainAttrType)attr ofItem: (MYKeychainItemRef)item { NSData *value = nil; #if MYCRYPTO_USE_IPHONE_API - NSDictionary *info = $dict( {(id)kSecClass, (id)kSecClassKey}, - {(id)kSecMatchItemList, $array((id)item)}, + NSDictionary *info = $dict( {(id)kSecValueRef, (id)item}, {(id)kSecReturnAttributes, $true} ); CFDictionaryRef attrs; if (!check(SecItemCopyMatching((CFDictionaryRef)info, (CFTypeRef*)&attrs), @"SecItemCopyMatching")) @@ -182,9 +174,7 @@ { #if MYCRYPTO_USE_IPHONE_API id value = stringValue ?(id)stringValue :(id)[NSNull null]; - NSDictionary *query = $dict({(id)kSecClass, (id)kSecClassKey}, - {(id)kSecAttrKeyType, (id)attr}, - {(id)kSecMatchItemList, $array((id)item)}); + NSDictionary *query = $dict({(id)kSecValueRef, (id)item}); NSDictionary *attrs = $dict({(id)attr, value}); return check(SecItemUpdate((CFDictionaryRef)query, (CFDictionaryRef)attrs), @"SecItemUpdate"); diff -r 39fec79de6e8 -r 6856e071d25a MYPrivateKey.m --- a/MYPrivateKey.m Sun Jun 07 21:53:56 2009 -0700 +++ b/MYPrivateKey.m Tue Jun 09 23:58:03 2009 -0700 @@ -178,8 +178,16 @@ - (MYSHA1Digest*) _keyDigest { if (_publicKey) return _publicKey.publicKeyDigest; - else - return [MYSHA1Digest digestFromDigestData: [self _attribute: kSecAttrApplicationLabel]]; + else { + NSData *digestData; +#if MYCRYPTO_USE_IPHONE_API + digestData = [self _attribute: kSecAttrApplicationLabel]; +#else + digestData = [[self class] _getAttribute: kSecKeyLabel + ofItem: (SecKeychainItemRef)self.keyRef]; +#endif + return [MYSHA1Digest digestFromDigestData: digestData]; + } } - (MYSHA1Digest*) publicKeyDigest { diff -r 39fec79de6e8 -r 6856e071d25a MYPublicKey.m --- a/MYPublicKey.m Sun Jun 07 21:53:56 2009 -0700 +++ b/MYPublicKey.m Tue Jun 09 23:58:03 2009 -0700 @@ -29,7 +29,6 @@ return [self initWithKeyData: keyData]; } - - (void) dealloc { [_digest release]; @@ -48,10 +47,6 @@ - (SecExternalItemType) keyType { return kSecAttrKeyTypeRSA; } - -- (MYSHA1Digest*) _keyDigest { - return (MYSHA1Digest*) [MYSHA1Digest digestFromDigestData: [self _attribute: kSecAttrApplicationLabel]]; -} #endif - (NSUInteger)hash { diff -r 39fec79de6e8 -r 6856e071d25a Tests/generated.cer Binary file Tests/generated.cer has changed diff -r 39fec79de6e8 -r 6856e071d25a Tests/selfsigned_altered.cer Binary file Tests/selfsigned_altered.cer has changed