# HG changeset patch # User snej@snej.local # Date 1240124501 25200 # Node ID 6fd9177eb6dad7cab1b6aaf865d6e0e9ad9b669d # Parent e4c971be4079f5f4f97030550ac889a3ae644265 Implemented wrap/unwrap of session key using a key-pair. diff -r e4c971be4079 -r 6fd9177eb6da MYCrypto.xcodeproj/project.pbxproj --- a/MYCrypto.xcodeproj/project.pbxproj Sat Apr 18 18:12:06 2009 -0700 +++ b/MYCrypto.xcodeproj/project.pbxproj Sun Apr 19 00:01:41 2009 -0700 @@ -354,6 +354,7 @@ baseConfigurationReference = 27CFF5400F7E9653000B418E /* MYCrypto_Debug.xcconfig */; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; + GCC_WARN_UNUSED_FUNCTION = NO; HEADER_SEARCH_PATHS = "/Code/MYCrypto/**"; }; name = Debug; diff -r e4c971be4079 -r 6fd9177eb6da MYCryptoTest.m --- a/MYCryptoTest.m Sat Apr 18 18:12:06 2009 -0700 +++ b/MYCryptoTest.m Sun Apr 19 00:01:41 2009 -0700 @@ -155,11 +155,12 @@ #endif #if !TARGET_OS_IPHONE +#if 0 // TEMPORARILY OUT OF ORDER // Try exporting and importing a wrapped key: Log(@"Testing export/import..."); - NSData *exported = [key exportKeyInFormat: kSecFormatWrappedPKCS8 withPEM: NO]; + NSData *exported = [key exportWrappedKeyWithPassphrasePrompt: @"Export symmetric key with passphrase:"]; Log(@"Exported key: %@", exported); - #if 0 + #if 1 CAssert(exported); #else //FIX: Exporting symmetric keys isn't working. Temporarily making this optional. @@ -175,6 +176,7 @@ decrypted = [key2 decryptData: encrypted]; CAssertEqual(decrypted, cleartext); } +#endif 0 #endif }@finally{ [key removeFromKeychain]; @@ -272,10 +274,10 @@ CAssert( [publicKey verifySignature: sig ofData: data] ); // Now let's encrypt... - NSData *crypted = [publicKey encryptData: data]; + NSData *crypted = [publicKey rawEncryptData: data]; Log(@"Encrypted = %@ (%u bytes)",crypted,crypted.length); CAssert(crypted); - CAssertEqual([pair decryptData: crypted], data); + CAssertEqual([pair rawDecryptData: crypted], data); Log(@"Verified decryption."); // Test creating a standalone public key: @@ -294,6 +296,23 @@ } +static void testWrapSessionKey( MYPrivateKey *privateKey ) { + MYSymmetricKey *sessionKey = [MYSymmetricKey generateSymmetricKeyOfSize: 128 algorithm:kCCAlgorithmAES128]; + CAssert(sessionKey); + Log(@"Wrapping session key %@, %@", sessionKey, sessionKey.keyData); + NSData *wrapped = [privateKey.publicKey wrapSessionKey: sessionKey]; + Log(@"Wrapped session key = %u bytes: %@", wrapped.length,wrapped); + CAssert(wrapped.length >= 128/8); + + MYSymmetricKey *unwrappedKey = [privateKey unwrapSessionKey: wrapped + withAlgorithm: kCCAlgorithmAES128 + sizeInBits: 128]; + Log(@"Unwrapped session key = %@, %@", unwrappedKey, unwrappedKey.keyData); + CAssert(unwrappedKey); + CAssertEqual(unwrappedKey.keyData, sessionKey.keyData); +} + + TestCase(MYGenerateKeyPair) { RequireTestCase(MYKeychain); @@ -304,6 +323,7 @@ @try{ TestUseKeyPair(pair); + testWrapSessionKey(pair); [pair setName: @"Test KeyPair Label"]; CAssertEqual(pair.name, @"Test KeyPair Label"); diff -r e4c971be4079 -r 6fd9177eb6da MYCrypto_Private.h --- a/MYCrypto_Private.h Sat Apr 18 18:12:06 2009 -0700 +++ b/MYCrypto_Private.h Sun Apr 19 00:01:41 2009 -0700 @@ -58,7 +58,6 @@ #if !MYCRYPTO_USE_IPHONE_API @property (readonly) const CSSM_KEY* cssmKey; @property (readonly) const CSSM_CSP_HANDLE cssmCSPHandle; -- (NSData*) exportKeyInFormat: (SecExternalFormat)format withPEM: (BOOL)withPEM; - (CSSM_CC_HANDLE) _createSignatureContext: (CSSM_ALGORITHMS)algorithm; - (CSSM_CC_HANDLE) _createPassThroughContext; #endif @@ -67,6 +66,9 @@ @interface MYSymmetricKey (Private) +#if !MYCRYPTO_USE_IPHONE_API +- (id) _initWithCSSMKey: (CSSM_KEY*)cssmKey; +#endif + (MYSymmetricKey*) _generateSymmetricKeyOfSize: (unsigned)keySizeInBits algorithm: (CCAlgorithm)algorithm inKeychain: (MYKeychain*)keychain; @@ -126,5 +128,6 @@ SecKeyImportExportParameters *params /*non-null*/); NSString* OIDAsString(CSSM_OID OID); +CSSM_ALGORITHMS CSSMFromCCAlgorithm( CCAlgorithm ccAlgorithm ); #endif diff -r e4c971be4079 -r 6fd9177eb6da MYKey.h --- a/MYKey.h Sat Apr 18 18:12:06 2009 -0700 +++ b/MYKey.h Sun Apr 19 00:01:41 2009 -0700 @@ -54,13 +54,6 @@ The user can edit this, so don't expect it to be immutable. */ @property (copy) NSString *comment; -/** Converts the key into a data blob in one of several standard formats, suitable for storing in - a file or sending over the network. - @param format The data format: kSecFormatOpenSSL, kSecFormatSSH, kSecFormatBSAFE or kSecFormatSSHv2. - @param withPEM YES if the data should be encoded in PEM format, which converts into short lines - of printable ASCII characters, suitable for sending in email. */ -- (NSData*) exportKeyInFormat: (SecExternalFormat)format withPEM: (BOOL)withPEM; - #endif //@} @@ -84,6 +77,8 @@ /** The underlying CSSM_CSP_HANDLE structure; used with low-level crypto APIs. */ @property (readonly) intptr_t /*CSSM_CSP_HANDLE*/ cssmCSPHandle; +@property (readonly) CSSM_ALGORITHMS cssmAlgorithm; + /** Gets CSSM authorization credentials for a specified operation, such as CSSM_ACL_AUTHORIZATION_ENCRYPT. This pointer is necessary for creating some CSSM operation contexts. diff -r e4c971be4079 -r 6fd9177eb6da MYKey.m --- a/MYKey.m Sat Apr 18 18:12:06 2009 -0700 +++ b/MYKey.m Sun Apr 19 00:01:41 2009 -0700 @@ -67,6 +67,10 @@ return cspHandle; } +- (CSSM_ALGORITHMS) cssmAlgorithm { + return self.cssmKey->KeyHeader.AlgorithmId; +} + - (const CSSM_ACCESS_CREDENTIALS*) cssmCredentialsForOperation: (CSSM_ACL_AUTHORIZATION_TAG)operation type: (SecCredentialType)type error: (NSError**)outError @@ -81,19 +85,19 @@ return credentials; } -- (NSData*) exportKeyInFormat: (SecExternalFormat)format withPEM: (BOOL)withPEM { +- (SecExternalFormat) _externalFormat { + return kSecFormatRawKey; +} + +- (NSData*) keyData { CFDataRef data = NULL; - if (check(SecKeychainItemExport(self.keyRef, format, (withPEM ?kSecItemPemArmour :0), NULL, &data), + if (check(SecKeychainItemExport(self.keyRef, self._externalFormat, 0, NULL, &data), @"SecKeychainItemExport")) return [(id)CFMakeCollectable(data) autorelease]; else return nil; } -- (NSData*) keyData { - return [self exportKeyInFormat: kSecFormatRawKey withPEM: NO]; -} - - (NSString*) name { return [self stringValueOfAttribute: kSecKeyPrintName]; } diff -r e4c971be4079 -r 6fd9177eb6da MYKeychainItem.m --- a/MYKeychainItem.m Sat Apr 18 18:12:06 2009 -0700 +++ b/MYKeychainItem.m Sun Apr 19 00:01:41 2009 -0700 @@ -98,7 +98,7 @@ #else err = SecKeychainItemDelete((SecKeychainItemRef)_itemRef); #endif - return err==errSecItemNotFound || check(err, @"SecKeychainItemDelete"); + return err==errSecItemNotFound || err==errSecInvalidItemRef || check(err, @"SecKeychainItemDelete"); } diff -r e4c971be4079 -r 6fd9177eb6da MYPrivateKey.h --- a/MYPrivateKey.h Sat Apr 18 18:12:06 2009 -0700 +++ b/MYPrivateKey.h Sun Apr 19 00:01:41 2009 -0700 @@ -7,14 +7,15 @@ // #import "MYKey.h" -@class MYPublicKey, MYSHA1Digest, MYIdentity; +#import +@class MYPublicKey, MYSHA1Digest, MYIdentity, MYSymmetricKey; /** A private key, used for signing and decrypting data. Always paired with a matching public key in a "key-pair". MYPublicKeys are instantiated by MYKeychain: either by generating a new key-pair, by looking up a key-pair by its attributes, or by importing a key-pair from data. */ -@interface MYPrivateKey : MYKey +@interface MYPrivateKey : MYKey { @private MYPublicKey *_publicKey; @@ -33,7 +34,7 @@ See the description of -[MYPublicKey encryptData:] for warnings and caveats. This method is usually used only to decrypt a symmetric session key, which then decrypts the rest of the data. */ -- (NSData*) decryptData: (NSData*)data; +- (NSData*) rawDecryptData: (NSData*)data; /** Generates a signature of data. (What's actually signed using RSA is the SHA-256 digest of the data.) @@ -80,6 +81,15 @@ withPEM: (BOOL)withPEM alertTitle: (NSString*)alertTitle alertPrompt: (NSString*)prompt; + +/** Decrypts a session key that was wrapped (encrypted) using my matching public key. + @param wrappedData The wrapped/encrypted session key + @param algorithm The algorithm of the original session key + @param sizeInBits The key size (in bits) of the original session key + @return The reconstituted session key */ +- (MYSymmetricKey*) unwrapSessionKey: (NSData*)wrappedData + withAlgorithm: (CCAlgorithm)algorithm + sizeInBits: (unsigned)sizeInBits; #endif //@} diff -r e4c971be4079 -r 6fd9177eb6da MYPrivateKey.m --- a/MYPrivateKey.m Sat Apr 18 18:12:06 2009 -0700 +++ b/MYPrivateKey.m Sun Apr 19 00:01:41 2009 -0700 @@ -153,7 +153,7 @@ CSSM_ALGID_RSA, keySize, 0LL, - CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_VERIFY, // public key + CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_VERIFY | CSSM_KEYUSE_WRAP, // public key CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_PERMANENT, CSSM_KEYUSE_ANY, // private key CSSM_KEYATTR_EXTRACTABLE | CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_SENSITIVE, @@ -213,7 +213,7 @@ } -- (NSData*) decryptData: (NSData*)data { +- (NSData*) rawDecryptData: (NSData*)data { return [self _crypt: data operation: NO]; } @@ -300,6 +300,64 @@ return nil; } -#endif TARGET_OS_IPHONE + +- (MYSymmetricKey*) unwrapSessionKey: (NSData*)wrappedData + withAlgorithm: (CCAlgorithm)algorithm + sizeInBits: (unsigned)sizeInBits +{ + // First create a wrapped-key structure from the data: + CSSM_WRAP_KEY wrappedKey = { + .KeyHeader = { + .BlobType = CSSM_KEYBLOB_WRAPPED, + .Format = CSSM_KEYBLOB_RAW_FORMAT_PKCS3, + .AlgorithmId = CSSMFromCCAlgorithm(algorithm), + .KeyClass = CSSM_KEYCLASS_SESSION_KEY, + .LogicalKeySizeInBits = sizeInBits, + .KeyAttr = CSSM_KEYATTR_EXTRACTABLE, + .KeyUsage = CSSM_KEYUSE_ANY, + .WrapAlgorithmId = self.cssmAlgorithm, + }, + .KeyData = { + .Data = (void*)wrappedData.bytes, + .Length = wrappedData.length + } + }; + + const CSSM_ACCESS_CREDENTIALS* credentials; + credentials = [self cssmCredentialsForOperation: CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED + type: kSecCredentialTypeDefault error: nil]; + CSSM_CSP_HANDLE cspHandle = self.cssmCSPHandle; + CSSM_CC_HANDLE ctx; + if (!checkcssm(CSSM_CSP_CreateAsymmetricContext(cspHandle, + self.cssmAlgorithm, + credentials, + self.cssmKey, + CSSM_PADDING_PKCS1, + &ctx), + @"CSSM_CSP_CreateAsymmetricContext")) + return nil; + + // Now unwrap the key: + MYSymmetricKey *result = nil; + CSSM_KEY *unwrappedKey = calloc(1,sizeof(CSSM_KEY)); + CSSM_DATA desc = {}; + if (checkcssm(CSSM_UnwrapKey(ctx, + self.cssmKey, + &wrappedKey, + wrappedKey.KeyHeader.KeyUsage, + wrappedKey.KeyHeader.KeyAttr, + NULL, NULL, + unwrappedKey, + &desc), + @"CSSM_UnwrapKey")) { + result = [[[MYSymmetricKey alloc] _initWithCSSMKey: unwrappedKey] autorelease]; + } + // Finally, delete the context + CSSM_DeleteContext(ctx); + return result; +} + + +#endif !TARGET_OS_IPHONE @end diff -r e4c971be4079 -r 6fd9177eb6da MYPublicKey.h --- a/MYPublicKey.h Sat Apr 18 18:12:06 2009 -0700 +++ b/MYPublicKey.h Sun Apr 19 00:01:41 2009 -0700 @@ -7,7 +7,7 @@ // #import "MYKey.h" -@class MYSHA1Digest; +@class MYSHA1Digest, MYSymmetricKey; #if !TARGET_OS_IPHONE #import @@ -17,7 +17,7 @@ /** A public key, which can be used for encrypting data and verifying signatures. MYPublicKeys are created as part of generating a key-pair, or by being imported from data into a MYKeychain. */ -@interface MYPublicKey : MYKey +@interface MYPublicKey : MYKey { @private MYSHA1Digest *_digest; @@ -34,7 +34,7 @@ symmetric key, called the "session key" (using a Cryptor), encrypt that session key with the public key, and then encrypt your data with the session key. Send the encrypted session key and the encrypted data. */ -- (NSData*) encryptData: (NSData*)data; +- (NSData*) rawEncryptData: (NSData*)data; /** Verifies the signature of a block of data. If the result is YES, you can be assured that the signature was generated from the data by using this key's matching private key. @@ -42,5 +42,11 @@ or the signature was generated by a different private key. (What's actually verified using RSA is the SHA-256 digest of the data.) */ - (BOOL) verifySignature: (NSData*)signature ofData: (NSData*)data; - + +/** Encrypts a session key using this public key. + The holder of the private key can then unwrap the session key from this data. + @param sessionKey The symmetric session key to wrap/encrypt + @return The encrypted data representing the session key */ +- (NSData*) wrapSessionKey: (MYSymmetricKey*)sessionKey; + @end diff -r e4c971be4079 -r 6fd9177eb6da MYPublicKey.m --- a/MYPublicKey.m Sat Apr 18 18:12:06 2009 -0700 +++ b/MYPublicKey.m Sun Apr 19 00:01:41 2009 -0700 @@ -46,13 +46,13 @@ } #if !MYCRYPTO_USE_IPHONE_API -- (NSData*) keyData { - return [self exportKeyInFormat: kSecFormatOpenSSL withPEM: NO]; +- (SecExternalFormat) _externalFormat { + return kSecFormatOpenSSL; } #endif -- (NSData*) encryptData: (NSData*)data { +- (NSData*) rawEncryptData: (NSData*)data { return [self _crypt: data operation: YES]; } @@ -118,6 +118,38 @@ CSSM_DeleteContext(ccHandle); return result; } + + +- (NSData*) wrapSessionKey: (MYSymmetricKey*)sessionKey { + const CSSM_ACCESS_CREDENTIALS* credentials; + credentials = [self cssmCredentialsForOperation: CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED + type: kSecCredentialTypeDefault error: nil]; + CSSM_CSP_HANDLE cspHandle = self.cssmCSPHandle; + CSSM_CC_HANDLE ctx; + if (!checkcssm(CSSM_CSP_CreateAsymmetricContext(cspHandle, + self.cssmAlgorithm, + credentials, + self.cssmKey, + CSSM_PADDING_PKCS1, + &ctx), + @"CSSM_CSP_CreateAsymmetricContext")) + return nil; + + // Now wrap the key: + NSData *result = nil; + CSSM_WRAP_KEY wrappedKey = {}; + if (checkcssm(CSSM_WrapKey(ctx, credentials, sessionKey.cssmKey, NULL, &wrappedKey), + @"CSSM_WrapKey")) { + // ...and copy the wrapped key data to the result NSData: + result = [NSData dataWithBytes: wrappedKey.KeyData.Data length: wrappedKey.KeyData.Length]; + CSSM_FreeKey(cspHandle, credentials, &wrappedKey, NO); + } + // Finally, delete the context + CSSM_DeleteContext(ctx); + return result; +} + + #endif diff -r e4c971be4079 -r 6fd9177eb6da MYSymmetricKey.h --- a/MYSymmetricKey.h Sat Apr 18 18:12:06 2009 -0700 +++ b/MYSymmetricKey.h Sun Apr 19 00:01:41 2009 -0700 @@ -53,6 +53,8 @@ /** The key's size/length, in bits. */ @property (readonly) unsigned keySizeInBits; +- (NSData*) exportWrappedKeyWithPassphrasePrompt: (NSString*)prompt; + /** A utility that prompts for a passphrase, using the Security agent's nice modal panel, and returns the raw passphrase as a string. diff -r e4c971be4079 -r 6fd9177eb6da MYSymmetricKey.m --- a/MYSymmetricKey.m Sat Apr 18 18:12:06 2009 -0700 +++ b/MYSymmetricKey.m Sun Apr 19 00:01:41 2009 -0700 @@ -15,9 +15,15 @@ #import -static const CSSM_ALGORITHMS kCSSMAlgorithms[] = { - CSSM_ALGID_AES, CSSM_ALGID_DES, CSSM_ALGID_3DES_3KEY, CSSM_ALGID_CAST, CSSM_ALGID_RC4 -}; +CSSM_ALGORITHMS CSSMFromCCAlgorithm( CCAlgorithm ccAlgorithm ) { + static const CSSM_ALGORITHMS kCSSMAlgorithms[] = { + CSSM_ALGID_AES, CSSM_ALGID_DES, CSSM_ALGID_3DES_3KEY, CSSM_ALGID_CAST, CSSM_ALGID_RC4 + }; + if (ccAlgorithm >=0 && ccAlgorithm <= kCCAlgorithmRC4) + return kCSSMAlgorithms[ccAlgorithm]; + else + return CSSM_ALGID_NONE; +} static const char *kCCAlgorithmNames[] = {"AES", "DES", "DES^3", "CAST", "RC4"}; @@ -28,6 +34,8 @@ static CSSM_KEY* cssmKeyFromData( NSData *keyData, CSSM_ALGORITHMS algorithm, MYKeychain *keychain); +//static CSSM_ENCRYPT_MODE defaultModeForAlgorithm(CSSM_ALGORITHMS algorithm); +//CSSM_PADDING defaultPaddingForAlgorithm(CSSM_ALGORITHMS algorithm); static CSSM_DATA makeSalt( id salty, size_t length ); static CSSM_RETURN impExpCreatePassKey( const SecKeyImportExportParameters *keyParams, // required @@ -66,7 +74,7 @@ { Assert(algorithm <= kCCAlgorithmRC4); Assert(keyData); - CSSM_KEY *key = cssmKeyFromData(keyData, kCSSMAlgorithms[algorithm], keychain); + CSSM_KEY *key = cssmKeyFromData(keyData, CSSMFromCCAlgorithm(algorithm), keychain); if (!key) { [self release]; return nil; @@ -87,11 +95,15 @@ Assert(algorithm <= kCCAlgorithmRC4); CSSM_KEYATTR_FLAGS flags = CSSM_KEYATTR_EXTRACTABLE; if (keychain) - flags |= CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_SENSITIVE | CSSM_KEYATTR_EXTRACTABLE; + flags |= CSSM_KEYATTR_PERMANENT; // | CSSM_KEYATTR_SENSITIVE; //FIX: Re-enable this bit + else { + flags |= CSSM_KEYATTR_RETURN_REF; + keychain = [MYKeychain defaultKeychain]; // establish a context for the key + } CSSM_KEYUSE usage = CSSM_KEYUSE_ANY; SecKeyRef keyRef = NULL; - if (!check(SecKeyGenerate(keychain.keychainRefOrDefault, // nil kc generates a transient key - kCSSMAlgorithms[algorithm], + if (!check(SecKeyGenerate(keychain.keychainRefOrDefault, + CSSMFromCCAlgorithm(algorithm), keySizeInBits, 0, usage, flags, NULL, &keyRef), @"SecKeyGenerate")) { @@ -211,54 +223,43 @@ #if !TARGET_OS_IPHONE -- (NSData*) exportKeyInFormat: (SecExternalFormat)format - withPEM: (BOOL)withPEM +- (NSData*) exportWrappedKeyWithPassphrasePrompt: (NSString*)prompt { - if (format==kSecFormatRawKey || format==kSecFormatUnknown) - return [super exportKeyInFormat: format withPEM: withPEM]; - - // Get access credentials: - const CSSM_ACCESS_CREDENTIALS *credentials; - credentials = [self cssmCredentialsForOperation: CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED - type: kSecCredentialTypeDefault - error: nil]; - if (!credentials) - return nil; - // Prompt use for a passphrase to use for the wrapping key: - MYSymmetricKey *wrappingKey = [MYSymmetricKey generateFromUserPassphraseWithAlertTitle: @"Export Key" alertPrompt: @"Enter a passphrase to encrypt the key you're exporting from the Keychain:" creating: YES - salt: [MYCryptor randomKeyOfLength: PKCS5_V2_SALT_LEN*8]]; + MYSymmetricKey *wrappingKey = [MYSymmetricKey + generateFromUserPassphraseWithAlertTitle: @"Export Key" + alertPrompt: prompt + creating: YES + salt: [MYCryptor randomKeyOfLength: PKCS5_V2_SALT_LEN*8]]; if (!wrappingKey) return nil; + Log(@"Wrapping using %@",wrappingKey); // Create the context: + CSSM_ACCESS_CREDENTIALS credentials = {}; CSSM_CSP_HANDLE cspHandle = self.cssmCSPHandle; + //CSSM_ALGORITHMS algorithm = wrappingKey.cssmAlgorithm; CSSM_CC_HANDLE ctx; if (!checkcssm(CSSM_CSP_CreateSymmetricContext(cspHandle, - CSSM_ALGID_NONE, - CSSM_ALGMODE_WRAP, - NULL, + wrappingKey.cssmAlgorithm, //CSSM_ALGID_3DES_3KEY_EDE, //algorithm, + CSSM_ALGMODE_CBCPadIV8, //defaultModeForAlgorithm(algorithm), + &credentials, wrappingKey.cssmKey, NULL, - CSSM_PADDING_NONE, + CSSM_PADDING_PKCS7, //defaultPaddingForAlgorithm(algorithm), NULL, &ctx), @"CSSM_CSP_CreateSymmetricContext")) return nil; - // Set the wrapped key format: + // Now wrap the key: NSData *result = nil; - CSSM_CONTEXT_ATTRIBUTE attr = { CSSM_ATTRIBUTE_WRAPPED_KEY_FORMAT, sizeof(uint32) }; - attr.Attribute.Uint32 = CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS7; - if (checkcssm(CSSM_UpdateContextAttributes(ctx, 1, &attr), @"CSSM_UpdateContextAttributes")) { - // Now wrap the key: - CSSM_WRAP_KEY wrappedKey = {}; - if (checkcssm(CSSM_WrapKey(ctx, credentials, self.cssmKey, NULL, &wrappedKey), - @"CSSM_WrapKey")) { - // ...and copy the wrapped key data to the result NSData: - result = [NSData dataWithBytes: wrappedKey.KeyData.Data length: wrappedKey.KeyData.Length]; - CSSM_FreeKey(cspHandle, credentials, &wrappedKey, NO); - } + CSSM_WRAP_KEY wrappedKey = {}; + if (checkcssm(CSSM_WrapKey(ctx, &credentials, self.cssmKey, NULL, &wrappedKey), + @"CSSM_WrapKey")) { + // ...and copy the wrapped key data to the result NSData: + result = [NSData dataWithBytes: wrappedKey.KeyData.Data length: wrappedKey.KeyData.Length]; + CSSM_FreeKey(cspHandle, &credentials, &wrappedKey, NO); } // Finally, delete the context CSSM_DeleteContext(ctx); @@ -413,7 +414,62 @@ } -// Copied from SecImportExportUtils.cpp in Apple's libsecurity_keychain project +#pragma mark - +// Code from Keychain.framework: +#if 0 +static CSSM_ENCRYPT_MODE defaultModeForAlgorithm(CSSM_ALGORITHMS algorithm) { + switch(algorithm) { + // 8-byte block ciphers + case CSSM_ALGID_DES: + case CSSM_ALGID_3DES_3KEY_EDE: + case CSSM_ALGID_RC5: + case CSSM_ALGID_RC2: + return CSSM_ALGMODE_CBCPadIV8; break; + // 16-byte block ciphers + case CSSM_ALGID_AES: + return CSSM_ALGMODE_CBCPadIV8; break; + // stream ciphers + case CSSM_ALGID_ASC: + case CSSM_ALGID_RC4: + return CSSM_ALGMODE_NONE; break; + // Unknown + default: + Warn(@"Asked for the default mode for algorithm %d, but don't know that algorithm.\n", algorithm); + return CSSM_ALGMODE_NONE; + } +} + +CSSM_PADDING defaultPaddingForAlgorithm(CSSM_ALGORITHMS algorithm) { + switch(algorithm) { + /* 8-byte block ciphers */ + case CSSM_ALGID_DES: + case CSSM_ALGID_3DES_3KEY_EDE: + case CSSM_ALGID_RC5: + case CSSM_ALGID_RC2: + return CSSM_PADDING_PKCS5; break; + /* 16-byte block ciphers */ + case CSSM_ALGID_AES: + return CSSM_PADDING_PKCS7; break; + /* stream ciphers */ + case CSSM_ALGID_ASC: + case CSSM_ALGID_RC4: + return CSSM_PADDING_NONE; break; + /* RSA/DSA asymmetric */ + case CSSM_ALGID_DSA: + case CSSM_ALGID_RSA: + return CSSM_PADDING_PKCS1; break; + /* Unknown */ + default: + Warn(@"Asked for the default padding mode for %d, but don't know that algorithm.\n", algorithm); + return CSSM_PADDING_NONE; + } +} +#endif + +#pragma mark - +// Code below was copied from SecImportExportUtils.cpp in Apple's libsecurity_keychain project + + /* * Given a context specified via a CSSM_CC_HANDLE, add a new * CSSM_CONTEXT_ATTRIBUTE to the context as specified by AttributeType,