1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/MYCertGen.h Thu Apr 09 21:36:21 2009 -0700
1.3 @@ -0,0 +1,44 @@
1.4 +//
1.5 +// MYCertGen.h
1.6 +// MYCrypto
1.7 +//
1.8 +// Created by Jens Alfke on 4/3/09.
1.9 +// Copyright 2009 Jens Alfke. All rights reserved.
1.10 +//
1.11 +// Derived from ...
1.12 +
1.13 +#import <Foundation/Foundation.h>
1.14 +#import <Security/Security.h>
1.15 +
1.16 +@class MYPublicKey, MYPrivateKey, MYCertificate, MYIdentity;
1.17 +
1.18 +
1.19 +NSData* MYCertificateCreateTemplate(const CSSM_X509_NAME *subject, const CSSM_X509_NAME *issuer,
1.20 + NSDate *validFrom, NSDate *validTo,
1.21 + uint32_t serialNumber,
1.22 + const CSSM_X509_EXTENSION **extensions, unsigned nExtensions,
1.23 + MYPublicKey *publicKey,
1.24 + const CSSM_X509_ALGORITHM_IDENTIFIER *signingAlgorithm,
1.25 + CSSM_CL_HANDLE clHandle);
1.26 +
1.27 +NSData* MYCertificateSign(NSData *certificateTemplate,
1.28 + MYPrivateKey *privateKey,
1.29 + CSSM_ALGORITHMS signingAlgorithmID,
1.30 + CSSM_CL_HANDLE cssmCLHandle);
1.31 +
1.32 +MYCertificate *createCertificate(const CSSM_X509_NAME *subject, const CSSM_X509_NAME *issuer,
1.33 + NSDate *validFrom, NSDate *validTo,
1.34 + uint32_t serialNumber,
1.35 + const CSSM_X509_EXTENSION **extensions, unsigned nExtensions,
1.36 + MYPrivateKey *privateKey,
1.37 + const CSSM_X509_ALGORITHM_IDENTIFIER *signingAlgorithm,
1.38 + CSSM_ALGORITHMS signingAlgorithmID,
1.39 + CSSM_CL_HANDLE cssmCLHandle);
1.40 +
1.41 +CSSM_CL_HANDLE getCLHandle();
1.42 +
1.43 +
1.44 +MYCertificate* MYCertificateCreateSelfSigned(MYPrivateKey *privateKey,
1.45 + NSDictionary *attributes );
1.46 +MYIdentity* MYIdentityCreateSelfSigned(MYPrivateKey *privateKey,
1.47 + NSDictionary *attributes );
2.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
2.2 +++ b/MYCertGen.m Thu Apr 09 21:36:21 2009 -0700
2.3 @@ -0,0 +1,495 @@
2.4 +//
2.5 +// MYCertGen.m
2.6 +// MYCrypto
2.7 +//
2.8 +// Created by Jens Alfke on 4/3/09.
2.9 +// Copyright 2009 Jens Alfke. All rights reserved.
2.10 +//
2.11 +
2.12 +// Derived from ...
2.13 +
2.14 +//
2.15 +// CertificateGeneration.m
2.16 +// Keychain
2.17 +//
2.18 +// Created by Wade Tregaskis on Tue May 27 2003.
2.19 +//
2.20 +// Copyright (c) 2003 - 2007, Wade Tregaskis. All rights reserved.
2.21 +// Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
2.22 +// * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2.23 +// * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
2.24 +// * Neither the name of Wade Tregaskis nor the names of any other contributors may be used to endorse or promote products derived from this software without specific prior written permission.
2.25 +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
2.26 +
2.27 +#import "MYCertGen.h"
2.28 +#import "MYCrypto_Private.h"
2.29 +#import "MYIdentity.h"
2.30 +#import <Security/Security.h>
2.31 +
2.32 +
2.33 +
2.34 +static CSSM_X509_NAME* createNameList( NSDictionary *name );
2.35 +static CSSM_X509_TIME* timeForNSDate(NSDate *date);
2.36 +
2.37 +static NSData* NSDataFromDataNoCopy(CSSM_DATA data, BOOL freeWhenDone);
2.38 +
2.39 +static BOOL intToDER(uint32_t theInt, CSSM_DATA *data);
2.40 +
2.41 +
2.42 +
2.43 +NSData* MYCertificateCreateTemplate(const CSSM_X509_NAME *subject, const CSSM_X509_NAME *issuer,
2.44 + NSDate *validFrom, NSDate *validTo,
2.45 + uint32_t serialNumber,
2.46 + const CSSM_X509_EXTENSION **extensions, unsigned nExtensions,
2.47 + MYPublicKey *publicKey,
2.48 + const CSSM_X509_ALGORITHM_IDENTIFIER *signingAlgorithm,
2.49 + CSSM_CL_HANDLE clHandle)
2.50 +{
2.51 + CAssert(subject);
2.52 + CAssert(issuer);
2.53 + CAssert(publicKey);
2.54 + CAssert(signingAlgorithm);
2.55 + CAssert(clHandle);
2.56 +
2.57 + const CSSM_KEY *cssmPubKey = publicKey.cssmKey;
2.58 + if (cssmPubKey->KeyHeader.BlobType != CSSM_KEYBLOB_RAW) {
2.59 + cssmPubKey = publicKey._unwrappedCSSMKey;
2.60 + if (!cssmPubKey) {
2.61 + Warn(@"MYCertificateCreateTemplate: unable to unwrap public key %@", publicKey);
2.62 + return nil;
2.63 + }
2.64 + }
2.65 +
2.66 + uint32_t numberOfFields = 5; // always requires at least 5 user-supplied fields
2.67 + if (serialNumber)
2.68 + ++numberOfFields;
2.69 + if (validFrom)
2.70 + ++numberOfFields;
2.71 + if (validTo)
2.72 + ++numberOfFields;
2.73 + numberOfFields += nExtensions;
2.74 +
2.75 + CSSM_FIELD fields[numberOfFields];
2.76 +
2.77 + // now we fill in the fields appropriately
2.78 +
2.79 + uint32_t index = 0;
2.80 + fields[index].FieldOid = CSSMOID_X509V1Version;
2.81 + intToDER(2, &(fields[index++].FieldValue));
2.82 +
2.83 + if (serialNumber) {
2.84 + fields[index].FieldOid = CSSMOID_X509V1SerialNumber;
2.85 + intToDER(serialNumber, &fields[index].FieldValue);
2.86 + index++;
2.87 + }
2.88 +
2.89 + fields[index].FieldOid = CSSMOID_X509V1IssuerNameCStruct;
2.90 + fields[index].FieldValue.Data = (uint8_t*)issuer;
2.91 + fields[index++].FieldValue.Length = sizeof(CSSM_X509_NAME);
2.92 +
2.93 + fields[index].FieldOid = CSSMOID_X509V1SubjectNameCStruct;
2.94 + fields[index].FieldValue.Data = (uint8_t*)subject;
2.95 + fields[index++].FieldValue.Length = sizeof(CSSM_X509_NAME);
2.96 +
2.97 + if (validFrom) {
2.98 + fields[index].FieldOid = CSSMOID_X509V1ValidityNotBefore;
2.99 + fields[index].FieldValue.Data = (uint8_t*)timeForNSDate(validFrom);
2.100 + fields[index++].FieldValue.Length = sizeof(CSSM_X509_TIME);
2.101 + }
2.102 +
2.103 + if (validTo) {
2.104 + fields[index].FieldOid = CSSMOID_X509V1ValidityNotAfter;
2.105 + fields[index].FieldValue.Data = (uint8_t*)timeForNSDate(validTo);
2.106 + fields[index++].FieldValue.Length = sizeof(CSSM_X509_TIME);
2.107 + }
2.108 +
2.109 + fields[index].FieldOid = CSSMOID_CSSMKeyStruct;
2.110 + fields[index].FieldValue.Data = (uint8_t*)cssmPubKey;
2.111 + fields[index++].FieldValue.Length = sizeof(CSSM_KEY);
2.112 +
2.113 + fields[index].FieldOid = CSSMOID_X509V1SignatureAlgorithmTBS;
2.114 + fields[index].FieldValue.Data = (uint8_t*)signingAlgorithm;
2.115 + fields[index++].FieldValue.Length = sizeof(CSSM_X509_ALGORITHM_IDENTIFIER);
2.116 +
2.117 + for (unsigned i=0; i<nExtensions; i++) {
2.118 + fields[index].FieldOid = extensions[i]->extnId;
2.119 + fields[index].FieldValue.Data = (uint8_t*)extensions[i];
2.120 + fields[index++].FieldValue.Length = sizeof(CSSM_X509_EXTENSION);
2.121 + }
2.122 + CAssert(index == numberOfFields);
2.123 +
2.124 + CSSM_DATA result = {};
2.125 + checkcssm(CSSM_CL_CertCreateTemplate(clHandle, numberOfFields, fields, &result),
2.126 + @"CSSM_CL_CertCreateTemplate");
2.127 + return NSDataFromDataNoCopy(result, YES);
2.128 +}
2.129 +
2.130 +
2.131 +NSData* MYCertificateSign(NSData *certificateTemplate,
2.132 + MYPrivateKey *privateKey,
2.133 + CSSM_ALGORITHMS signingAlgorithmID,
2.134 + CSSM_CL_HANDLE cssmCLHandle)
2.135 +{
2.136 +
2.137 + CAssert(certificateTemplate.length);
2.138 + CAssert(privateKey);
2.139 +
2.140 + NSData *signedCertificate = nil;
2.141 + CSSM_CC_HANDLE ccHandle = [privateKey _createSignatureContext: signingAlgorithmID];
2.142 + if (ccHandle) {
2.143 + CSSM_DATA rawCert = {certificateTemplate.length, (void*)certificateTemplate.bytes};
2.144 + CSSM_DATA signedResult = {};
2.145 + if (checkcssm(CSSM_CL_CertSign(cssmCLHandle, ccHandle, &rawCert, NULL, 0, &signedResult),
2.146 + @"CSSM_CL_CertSign")) {
2.147 + signedCertificate = NSDataFromDataNoCopy(signedResult, YES);
2.148 + checkcssm(CSSM_DeleteContext(ccHandle), @"CSSM_DeleteContext");
2.149 + }
2.150 + }
2.151 + return signedCertificate;
2.152 +}
2.153 +
2.154 +
2.155 +MYCertificate* MYCertificateCreateSelfSigned(MYPrivateKey *privateKey,
2.156 + NSDictionary *attributes )
2.157 +{
2.158 + // Extract attributes:
2.159 + NSMutableDictionary *subject = [[attributes mutableCopy] autorelease];
2.160 +
2.161 + unsigned serialNumber = [[attributes objectForKey: @"Serial Number"] unsignedIntValue];
2.162 + [subject removeObjectForKey: @"Serial Number"];
2.163 +
2.164 + NSDate *validFrom = [attributes objectForKey: @"Valid From"];
2.165 + [subject removeObjectForKey: @"Valid From"];
2.166 + NSDate *validTo = [attributes objectForKey: @"Valid To"];
2.167 + [subject removeObjectForKey: @"Valid To"];
2.168 +
2.169 + if (!serialNumber)
2.170 + serialNumber = 1;
2.171 + if (!validFrom)
2.172 + validFrom = [NSCalendarDate date];
2.173 + if (!validTo)
2.174 + validTo = [validFrom addTimeInterval: 60*60*24*366];
2.175 +
2.176 + const CSSM_X509_NAME *subjectStruct = createNameList(subject);
2.177 +
2.178 + // Create the key-usage extensions for the cert:
2.179 + UInt8 keyUsageBits[2] = {0x00,0xFC};
2.180 + // that's binary 111111000; see http://tools.ietf.org/html/rfc3280#section-4.2.1.3
2.181 + CSSM_X509_EXTENSION keyUsage = {
2.182 + CSSMOID_KeyUsage,
2.183 + true,
2.184 + CSSM_X509_DATAFORMAT_PARSED,
2.185 + {.parsedValue = &keyUsageBits}
2.186 + };
2.187 +
2.188 + // See http://tools.ietf.org/html/rfc3280#section-4.2.1.13
2.189 + struct ExtendedUsageList {
2.190 + UInt32 count;
2.191 + const CSSM_OID *oids;
2.192 + };
2.193 + CSSM_OID usageOids[2] = {CSSMOID_ServerAuth, CSSMOID_ClientAuth};
2.194 + struct ExtendedUsageList extUsageBits = {2, usageOids};
2.195 + CSSM_X509_EXTENSION extendedKeyUsage = {
2.196 + CSSMOID_ExtendedKeyUsage,
2.197 + true,
2.198 + CSSM_X509_DATAFORMAT_PARSED,
2.199 + {.parsedValue = &extUsageBits}
2.200 + };
2.201 +
2.202 + const CSSM_X509_EXTENSION* extensions[2] = {&keyUsage, &extendedKeyUsage};
2.203 +
2.204 + CSSM_X509_ALGORITHM_IDENTIFIER algorithmID = {.algorithm=CSSMOID_RSA};
2.205 + CSSM_CL_HANDLE cssmCLHandle = getCLHandle();
2.206 +
2.207 + // Now create the certificate request and sign it:
2.208 + NSData *template, *signedCertificate = nil;
2.209 +
2.210 + template = MYCertificateCreateTemplate(subjectStruct, subjectStruct, // issuer==subject (self-signed)
2.211 + validFrom, validTo,
2.212 + serialNumber,
2.213 + extensions, 2,
2.214 + privateKey.publicKey,
2.215 + &algorithmID,
2.216 + cssmCLHandle);
2.217 + if (!template)
2.218 + return nil;
2.219 +
2.220 + signedCertificate = MYCertificateSign(template,
2.221 + privateKey,
2.222 + CSSM_ALGID_SHA1WithRSA,
2.223 + cssmCLHandle);
2.224 + if (!signedCertificate)
2.225 + return nil;
2.226 +
2.227 + return [[[MYCertificate alloc] initWithCertificateData: signedCertificate
2.228 + type: CSSM_CERT_UNKNOWN
2.229 + encoding: CSSM_CERT_ENCODING_UNKNOWN] autorelease];
2.230 +}
2.231 +
2.232 +
2.233 +
2.234 +MYIdentity* MYIdentityCreateSelfSigned(MYPrivateKey *privateKey,
2.235 + NSDictionary *attributes )
2.236 +{
2.237 + MYCertificate *cert = MYCertificateCreateSelfSigned(privateKey, attributes);
2.238 + if (!cert)
2.239 + return nil;
2.240 + if (![privateKey.keychain addCertificate: cert])
2.241 + return nil;
2.242 + MYIdentity *identity = [[[MYIdentity alloc] initWithCertificateRef: cert.certificateRef] autorelease];
2.243 + CAssert(identity);
2.244 + return identity;
2.245 +}
2.246 +
2.247 +
2.248 +
2.249 +#pragma mark -
2.250 +#pragma mark HELPER FUNCTIONS:
2.251 +
2.252 +
2.253 +static void* mallocAutoreleased( size_t size ) {
2.254 + NSMutableData *data = [NSMutableData dataWithLength: size];
2.255 + return data.mutableBytes;
2.256 +}
2.257 +
2.258 +#define callocAutoreleasedArray(TYPE,N) (TYPE*)mallocAutoreleased( sizeof(TYPE) * (N) )
2.259 +
2.260 +
2.261 +/*
2.262 + CSSM_X509_NAME:
2.263 + uint32 numberOfRDNs;
2.264 + CSSM_X509_RDN_PTR RelativeDistinguishedName:
2.265 + uint32 numberOfPairs;
2.266 + CSSM_X509_TYPE_VALUE_PAIR_PTR AttributeTypeAndValue:
2.267 + CSSM_OID type;
2.268 + CSSM_BER_TAG valueType; // The Tag to be used when this value is BER encoded
2.269 + CSSM_DATA value;
2.270 +*/
2.271 +
2.272 +
2.273 +static CSSM_X509_NAME* createNameList( NSDictionary *name ) {
2.274 + static NSArray *sNameKeys;
2.275 + static CSSM_OID sNameOIDs[7];
2.276 + if (!sNameKeys) {
2.277 + sNameKeys = [$array(@"Common Name", @"Surname", @"Description", @"Name", @"Given Name",
2.278 + @"Email Address", @"Unstructured Name") retain];
2.279 + sNameOIDs[0] = CSSMOID_CommonName;
2.280 + sNameOIDs[1] = CSSMOID_Surname;
2.281 + sNameOIDs[2] = CSSMOID_Description;
2.282 + sNameOIDs[3] = CSSMOID_Name;
2.283 + sNameOIDs[4] = CSSMOID_GivenName;
2.284 + sNameOIDs[5] = CSSMOID_EmailAddress;
2.285 + sNameOIDs[6] = CSSMOID_UnstructuredName;
2.286 + }
2.287 +
2.288 + unsigned n = name.count;
2.289 + CAssert(n>0);
2.290 + CSSM_X509_RDN *rdns = callocAutoreleasedArray(CSSM_X509_RDN, name.count);
2.291 + CSSM_X509_RDN *rdn = &rdns[0];
2.292 + CSSM_X509_TYPE_VALUE_PAIR *pairs = callocAutoreleasedArray(CSSM_X509_TYPE_VALUE_PAIR, n);
2.293 + CSSM_X509_TYPE_VALUE_PAIR *pair = &pairs[0];
2.294 + for (NSString *key in name) {
2.295 + NSString *value = [name objectForKey: key];
2.296 + unsigned index = [sNameKeys indexOfObject: key];
2.297 + CAssert(index!=NSNotFound, @"X509 name key '%@' not supported'", key);
2.298 + rdn->numberOfPairs = 1;
2.299 + rdn->AttributeTypeAndValue = pair;
2.300 + pair->type = sNameOIDs[index];
2.301 + pair->valueType = BER_TAG_PRINTABLE_STRING;
2.302 + pair->value.Data = (void*) value.UTF8String;
2.303 + pair->value.Length = strlen((char*)pair->value.Data);
2.304 + rdn++;
2.305 + pair++;
2.306 + }
2.307 + CSSM_X509_NAME *outName = callocAutoreleasedArray(CSSM_X509_NAME,1);
2.308 + outName->numberOfRDNs = n;
2.309 + outName->RelativeDistinguishedName = rdns;
2.310 + return outName;
2.311 +}
2.312 +
2.313 +
2.314 +#pragma mark -
2.315 +#pragma mark HELPER FUNCTIONS (from Keychain.framework)
2.316 +
2.317 +
2.318 +static CSSM_X509_TIME* timeForNSDate(NSDate *date) {
2.319 + CAssert(date);
2.320 +
2.321 + NSCalendarDate *dateGMT = [NSCalendarDate dateWithTimeIntervalSinceReferenceDate:
2.322 + date.timeIntervalSinceReferenceDate];
2.323 + [dateGMT setTimeZone:[NSTimeZone timeZoneForSecondsFromGMT:0]];
2.324 +
2.325 + /* RFC 2549:
2.326 +
2.327 + 4.1.2.5.2 GeneralizedTime
2.328 +
2.329 + The generalized time type, GeneralizedTime, is a standard ASN.1 type
2.330 + for variable precision representation of time. Optionally, the
2.331 + GeneralizedTime field can include a representation of the time
2.332 + differential between local and Greenwich Mean Time.
2.333 +
2.334 + For the purposes of this profile, GeneralizedTime values MUST be
2.335 + expressed Greenwich Mean Time (Zulu) and MUST include seconds (i.e.,
2.336 + times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero.
2.337 + GeneralizedTime values MUST NOT include fractional seconds. */
2.338 +
2.339 + CSSM_X509_TIME *result = mallocAutoreleased(sizeof(CSSM_X509_TIME));
2.340 + result->timeType = BER_TAG_GENERALIZED_TIME;
2.341 + result->time.Length = 15;
2.342 + result->time.Data = mallocAutoreleased(16);
2.343 + [[dateGMT descriptionWithCalendarFormat:@"%Y%m%d%H%M%SZ"] getCString: (char*)(result->time.Data)
2.344 + maxLength: 16
2.345 + encoding: NSASCIIStringEncoding];
2.346 + return result;
2.347 +}
2.348 +
2.349 +
2.350 +static NSData* NSDataFromDataNoCopy(CSSM_DATA data, BOOL freeWhenDone) {
2.351 + if (data.Data)
2.352 + return [NSData dataWithBytesNoCopy:data.Data length:data.Length freeWhenDone: freeWhenDone];
2.353 + else
2.354 + return nil;
2.355 +}
2.356 +
2.357 +
2.358 +static BOOL intToDER(uint32_t theInt, CSSM_DATA *data) {
2.359 + CAssert(data);
2.360 + data->Length = 0;
2.361 +
2.362 + if (theInt < 0x100) {
2.363 + data->Data = (uint8_t*)malloc(1);
2.364 +
2.365 + if (NULL != data->Data) {
2.366 + data->Length = 1;
2.367 +
2.368 + data->Data[0] = (unsigned char)(theInt);
2.369 + }
2.370 + } else if (theInt < 0x10000) {
2.371 + data->Data = (uint8_t*)malloc(2);
2.372 +
2.373 + if (NULL != data->Data) {
2.374 + data->Length = 2;
2.375 +
2.376 + data->Data[0] = (unsigned char)(theInt >> 8);
2.377 + data->Data[1] = (unsigned char)(theInt);
2.378 + }
2.379 + } else if (theInt < 0x1000000) {
2.380 + data->Data = (uint8_t*)malloc(3);
2.381 +
2.382 + if (NULL != data->Data) {
2.383 + data->Length = 3;
2.384 +
2.385 + data->Data[0] = (unsigned char)(theInt >> 16);
2.386 + data->Data[1] = (unsigned char)(theInt >> 8);
2.387 + data->Data[2] = (unsigned char)(theInt);
2.388 + }
2.389 + } else {
2.390 + data->Data = (uint8_t*)malloc(4);
2.391 +
2.392 + if (NULL != data->Data) {
2.393 + data->Length = 4;
2.394 +
2.395 + data->Data[0] = (unsigned char)(theInt >> 24);
2.396 + data->Data[1] = (unsigned char)(theInt >> 16);
2.397 + data->Data[2] = (unsigned char)(theInt >> 8);
2.398 + data->Data[3] = (unsigned char)(theInt);
2.399 + }
2.400 + }
2.401 +
2.402 + return (NULL != data->Data);
2.403 +}
2.404 +
2.405 +
2.406 +
2.407 +#pragma mark -
2.408 +#pragma mark HELPER FUNCTIONS (from Apple's source code):
2.409 +
2.410 +
2.411 +// From Apple's cuCdsaUtils.cpp, in libsecurity_cdsa_utils:
2.412 +
2.413 +
2.414 +/*
2.415 + * Standard app-level memory functions required by CDSA.
2.416 + */
2.417 +static void * cuAppMalloc (CSSM_SIZE size, void *allocRef) {return( malloc(size) );}
2.418 +static void cuAppFree (void *mem_ptr, void *allocRef) {free(mem_ptr);}
2.419 +static void * cuAppRealloc (void *ptr, CSSM_SIZE size, void *allocRef) {return( realloc( ptr, size ) );}
2.420 +static void * cuAppCalloc (uint32 num, CSSM_SIZE size, void *allocRef) {return( calloc( num, size ) );}
2.421 +
2.422 +static CSSM_VERSION vers = {2, 0};
2.423 +static CSSM_API_MEMORY_FUNCS memFuncs = {
2.424 + cuAppMalloc,
2.425 + cuAppFree,
2.426 + cuAppRealloc,
2.427 + cuAppCalloc,
2.428 + NULL
2.429 +};
2.430 +
2.431 +static CSSM_CL_HANDLE cuClStartup()
2.432 +{
2.433 + CSSM_CL_HANDLE clHand;
2.434 +
2.435 + if (!checkcssm(CSSM_ModuleLoad(&gGuidAppleX509CL,
2.436 + CSSM_KEY_HIERARCHY_NONE,
2.437 + NULL, // eventHandler
2.438 + NULL), @"CSSM_ModuleLoad"))
2.439 + return 0;
2.440 + if (!checkcssm(CSSM_ModuleAttach(&gGuidAppleX509CL,
2.441 + &vers,
2.442 + &memFuncs, // memFuncs
2.443 + 0, // SubserviceID
2.444 + CSSM_SERVICE_CL, // SubserviceFlags - Where is this used?
2.445 + 0, // AttachFlags
2.446 + CSSM_KEY_HIERARCHY_NONE,
2.447 + NULL, // FunctionTable
2.448 + 0, // NumFuncTable
2.449 + NULL, // reserved
2.450 + &clHand), @"CSSM_ModuleAttach"))
2.451 + return 0;
2.452 + return clHand;
2.453 +}
2.454 +
2.455 +CSSM_CL_HANDLE getCLHandle() {
2.456 + static CSSM_CL_HANDLE sCLHandle = 0;
2.457 + if (!sCLHandle)
2.458 + sCLHandle = cuClStartup();
2.459 + return sCLHandle;
2.460 +}
2.461 +
2.462 +
2.463 +#pragma mark -
2.464 +#pragma mark TEST CASE:
2.465 +
2.466 +
2.467 +TestCase(MYCertGen) {
2.468 + CSSM_CL_HANDLE cl = getCLHandle();
2.469 + Log(@"CSSM_CL_HANDLE = %p", cl);
2.470 + CAssert(cl);
2.471 +
2.472 + MYKeychain *keychain = [MYKeychain allKeychains];
2.473 + Log(@"Looking for a key pair...");
2.474 + MYPrivateKey *privateKey = [[keychain enumeratePrivateKeys] nextObject];
2.475 + Log(@"Using key pair { %@, %@ }", privateKey, privateKey.publicKey);
2.476 +
2.477 + Log(@"...creating cert...");
2.478 +
2.479 + MYCertificate *cert = MYCertificateCreateSelfSigned(privateKey,
2.480 + $dict(
2.481 + {@"Common Name", @"waldo"},
2.482 + {@"Given Name", @"Waldo"},
2.483 + {@"Surname", @"Widdershins"},
2.484 + {@"Email Address", @"waldo@example.com"},
2.485 + {@"Description", @"Just a fictitious person"},
2.486 + ));
2.487 + Log(@"Cert = %@", cert);
2.488 + CAssert(cert);
2.489 +
2.490 + Log(@"Cert name = %@", cert.commonName);
2.491 + Log(@"Cert email = %@", cert.emailAddresses);
2.492 + Log(@"Cert pub key = %@", cert.publicKey);
2.493 + CAssertEqual(cert.commonName, @"waldo");
2.494 + CAssertEqual(cert.emailAddresses, $array(@"waldo@example.com"));
2.495 + CAssertEqual(cert.publicKey.publicKeyDigest, privateKey.publicKeyDigest);
2.496 +
2.497 + [cert.certificateData writeToFile: @"/tmp/MYCryptoTest.cer" atomically: NO];
2.498 +}
3.1 --- a/MYCrypto.xcodeproj/project.pbxproj Wed Apr 08 16:30:52 2009 -0700
3.2 +++ b/MYCrypto.xcodeproj/project.pbxproj Thu Apr 09 21:36:21 2009 -0700
3.3 @@ -8,6 +8,8 @@
3.4
3.5 /* Begin PBXBuildFile section */
3.6 270B879F0F8C565000C56781 /* MYPrivateKey.m in Sources */ = {isa = PBXBuildFile; fileRef = 270B879E0F8C565000C56781 /* MYPrivateKey.m */; };
3.7 + 274861D50F8E4B5200FE617B /* MYCertGen.m in Sources */ = {isa = PBXBuildFile; fileRef = 27A42ECD0F8689D30063D362 /* MYCertGen.m */; };
3.8 + 274863A20F8EF39400FE617B /* MYIdentity.m in Sources */ = {isa = PBXBuildFile; fileRef = 274863A10F8EF39400FE617B /* MYIdentity.m */; };
3.9 27A42CBF0F8578B40063D362 /* MYCryptoTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 27A42CBE0F8578B40063D362 /* MYCryptoTest.m */; };
3.10 27A42D1E0F8586CE0063D362 /* MYKey.m in Sources */ = {isa = PBXBuildFile; fileRef = 27E822A10F81C5660019BE60 /* MYKey.m */; };
3.11 27A42D420F858ED80063D362 /* MYSymmetricKey.m in Sources */ = {isa = PBXBuildFile; fileRef = 27A42D410F858ED80063D362 /* MYSymmetricKey.m */; };
3.12 @@ -45,6 +47,8 @@
3.13 270B879D0F8C565000C56781 /* MYPrivateKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MYPrivateKey.h; sourceTree = "<group>"; };
3.14 270B879E0F8C565000C56781 /* MYPrivateKey.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MYPrivateKey.m; sourceTree = "<group>"; };
3.15 2748604D0F8D5C4C00FE617B /* MYCrypto_Release.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = MYCrypto_Release.xcconfig; sourceTree = "<group>"; };
3.16 + 274863A00F8EF39400FE617B /* MYIdentity.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MYIdentity.h; sourceTree = "<group>"; };
3.17 + 274863A10F8EF39400FE617B /* MYIdentity.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MYIdentity.m; sourceTree = "<group>"; };
3.18 27A42CBE0F8578B40063D362 /* MYCryptoTest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MYCryptoTest.m; sourceTree = "<group>"; };
3.19 27A42D400F858ED80063D362 /* MYSymmetricKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MYSymmetricKey.h; sourceTree = "<group>"; };
3.20 27A42D410F858ED80063D362 /* MYSymmetricKey.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = MYSymmetricKey.m; sourceTree = "<group>"; };
3.21 @@ -104,6 +108,7 @@
3.22 isa = PBXGroup;
3.23 children = (
3.24 08FB7795FE84155DC02AAC07 /* Source */,
3.25 + 274861440F8D757600FE617B /* Certificate Generation */,
3.26 270B881C0F8D055A00C56781 /* Internal */,
3.27 27CFF4CC0F7E86E8000B418E /* MYUtilities */,
3.28 C6859EA2029092E104C91782 /* Documentation */,
3.29 @@ -124,6 +129,8 @@
3.30 27CFF4B40F7E8535000B418E /* MYCryptor.m */,
3.31 27CFF4BF0F7E8535000B418E /* MYDigest.h */,
3.32 27CFF4C00F7E8535000B418E /* MYDigest.m */,
3.33 + 274863A00F8EF39400FE617B /* MYIdentity.h */,
3.34 + 274863A10F8EF39400FE617B /* MYIdentity.m */,
3.35 27E822A00F81C5660019BE60 /* MYKey.h */,
3.36 27E822A10F81C5660019BE60 /* MYKey.m */,
3.37 27CFF4B50F7E8535000B418E /* MYKeychain.h */,
3.38 @@ -137,8 +144,6 @@
3.39 27A42D400F858ED80063D362 /* MYSymmetricKey.h */,
3.40 27A42D410F858ED80063D362 /* MYSymmetricKey.m */,
3.41 27AAD97B0F892A0D0064DD7C /* MYCryptoConfig.h */,
3.42 - 27A42ECC0F8689D30063D362 /* MYCertGen.h */,
3.43 - 27A42ECD0F8689D30063D362 /* MYCertGen.m */,
3.44 27EAF0390F8B2D700091AF95 /* README.textile */,
3.45 );
3.46 name = Source;
3.47 @@ -173,6 +178,15 @@
3.48 name = Internal;
3.49 sourceTree = "<group>";
3.50 };
3.51 + 274861440F8D757600FE617B /* Certificate Generation */ = {
3.52 + isa = PBXGroup;
3.53 + children = (
3.54 + 27A42ECC0F8689D30063D362 /* MYCertGen.h */,
3.55 + 27A42ECD0F8689D30063D362 /* MYCertGen.m */,
3.56 + );
3.57 + name = "Certificate Generation";
3.58 + sourceTree = "<group>";
3.59 + };
3.60 27CFF4CC0F7E86E8000B418E /* MYUtilities */ = {
3.61 isa = PBXGroup;
3.62 children = (
3.63 @@ -275,6 +289,8 @@
3.64 27A42D1E0F8586CE0063D362 /* MYKey.m in Sources */,
3.65 27A42D420F858ED80063D362 /* MYSymmetricKey.m in Sources */,
3.66 270B879F0F8C565000C56781 /* MYPrivateKey.m in Sources */,
3.67 + 274861D50F8E4B5200FE617B /* MYCertGen.m in Sources */,
3.68 + 274863A20F8EF39400FE617B /* MYIdentity.m in Sources */,
3.69 );
3.70 runOnlyForDeploymentPostprocessing = 0;
3.71 };
3.72 @@ -303,6 +319,8 @@
3.73 isa = XCBuildConfiguration;
3.74 baseConfigurationReference = 27CFF5400F7E9653000B418E /* MYCrypto_Debug.xcconfig */;
3.75 buildSettings = {
3.76 + ALWAYS_SEARCH_USER_PATHS = NO;
3.77 + HEADER_SEARCH_PATHS = "/Code/MYCrypto/**";
3.78 };
3.79 name = Debug;
3.80 };
3.81 @@ -310,6 +328,8 @@
3.82 isa = XCBuildConfiguration;
3.83 baseConfigurationReference = 2748604D0F8D5C4C00FE617B /* MYCrypto_Release.xcconfig */;
3.84 buildSettings = {
3.85 + ALWAYS_SEARCH_USER_PATHS = NO;
3.86 + HEADER_SEARCH_PATHS = "/Code/MYCrypto/**";
3.87 };
3.88 name = Release;
3.89 };
4.1 --- a/MYCryptoTest.m Wed Apr 08 16:30:52 2009 -0700
4.2 +++ b/MYCryptoTest.m Thu Apr 09 21:36:21 2009 -0700
4.3 @@ -10,6 +10,7 @@
4.4 #import "MYPrivateKey.h"
4.5 #import "MYKeychain.h"
4.6 #import "MYDigest.h"
4.7 +#import "MYIdentity.h"
4.8 #import "MYCrypto_Private.h"
4.9
4.10
4.11 @@ -71,6 +72,19 @@
4.12 }
4.13 }
4.14
4.15 +TestCase(EnumerateIdentities) {
4.16 + RequireTestCase(MYKeychain);
4.17 + NSEnumerator *e = [[MYKeychain allKeychains] enumerateIdentities];
4.18 + Log(@"Enumerator = %@", e);
4.19 + CAssert(e);
4.20 + for (MYIdentity *ident in e) {
4.21 + Log(@"Found %@ -- name=%@, emails=(%@), key=%@",
4.22 + ident, ident.commonName,
4.23 + [ident.emailAddresses componentsJoinedByString: @", "],
4.24 + ident.privateKey);
4.25 + }
4.26 +}
4.27 +
4.28
4.29 #pragma mark -
4.30 #pragma mark SYMMETRIC KEYS:
5.1 --- a/MYCrypto_Private.h Wed Apr 08 16:30:52 2009 -0700
5.2 +++ b/MYCrypto_Private.h Thu Apr 09 21:36:21 2009 -0700
5.3 @@ -74,12 +74,17 @@
5.4
5.5 @interface MYPublicKey (Private)
5.6 - (BOOL) setValue: (NSString*)valueStr ofAttribute: (SecKeychainAttrType)attr;
5.7 +#if !TARGET_OS_IPHONE
5.8 +- (CSSM_WRAP_KEY*) _unwrappedCSSMKey;
5.9 +#endif
5.10 @end
5.11
5.12
5.13 @interface MYPrivateKey (Private)
5.14 + (MYPrivateKey*) _generateRSAKeyPairOfSize: (unsigned)keySize
5.15 inKeychain: (MYKeychain*)keychain;
5.16 +- (id) _initWithKeyRef: (SecKeyRef)privateKey
5.17 + publicKey: (MYPublicKey*)publicKey;
5.18 - (id) _initWithKeyData: (NSData*)privKeyData
5.19 publicKeyData: (NSData*)pubKeyData
5.20 forKeychain: (SecKeychainRef)keychain
6.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
6.2 +++ b/MYIdentity.h Thu Apr 09 21:36:21 2009 -0700
6.3 @@ -0,0 +1,33 @@
6.4 +//
6.5 +// MYIdentity.h
6.6 +// MYCrypto
6.7 +//
6.8 +// Created by Jens Alfke on 4/9/09.
6.9 +// Copyright 2009 Jens Alfke. All rights reserved.
6.10 +//
6.11 +
6.12 +#import "MYCertificate.h"
6.13 +@class MYPrivateKey;
6.14 +
6.15 +
6.16 +/** An Identity represents a certificate with an associated private key. */
6.17 +@interface MYIdentity : MYCertificate
6.18 +{
6.19 + @private
6.20 + SecIdentityRef _identityRef;
6.21 +}
6.22 +
6.23 +/** Initializes a MYIdentity given an existing SecIdentityRef. */
6.24 +- (id) initWithIdentityRef: (SecIdentityRef)identityRef;
6.25 +
6.26 +/** The identity's associated private key. */
6.27 +@property (readonly) MYPrivateKey *privateKey;
6.28 +
6.29 +/** Returns the identity that's been set as the preferred one for the given name, or nil. */
6.30 ++ (MYIdentity*) preferredIdentityForName: (NSString*)name;
6.31 +
6.32 +/** Registers this identity as the preferred one for the given name,
6.33 + for later lookup using +preferredIdentityForName:. */
6.34 +- (BOOL) makePreferredIdentityForName: (NSString*)name;
6.35 +
6.36 +@end
7.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
7.2 +++ b/MYIdentity.m Thu Apr 09 21:36:21 2009 -0700
7.3 @@ -0,0 +1,85 @@
7.4 +//
7.5 +// MYIdentity.m
7.6 +// MYCrypto
7.7 +//
7.8 +// Created by Jens Alfke on 4/9/09.
7.9 +// Copyright 2009 Jens Alfke. All rights reserved.
7.10 +//
7.11 +
7.12 +#import "MYIdentity.h"
7.13 +#import "MYCrypto_Private.h"
7.14 +
7.15 +
7.16 +@implementation MYIdentity
7.17 +
7.18 +
7.19 +- (id) initWithIdentityRef: (SecIdentityRef)identityRef {
7.20 + Assert(identityRef);
7.21 + SecCertificateRef certificateRef;
7.22 + if (!check(SecIdentityCopyCertificate(identityRef, &certificateRef), @"SecIdentityCopyCertificate")) {
7.23 + [self release];
7.24 + return nil;
7.25 + }
7.26 + self = [super initWithCertificateRef: certificateRef];
7.27 + if (self) {
7.28 + _identityRef = identityRef;
7.29 + CFRetain(identityRef);
7.30 + }
7.31 + CFRelease(certificateRef);
7.32 + return self;
7.33 +}
7.34 +
7.35 +
7.36 +- (id) initWithCertificateRef: (SecCertificateRef)certificateRef {
7.37 + self = [super initWithCertificateRef: certificateRef];
7.38 + if (self) {
7.39 + if (!check(SecIdentityCreateWithCertificate(NULL, certificateRef, &_identityRef),
7.40 + @"SecIdentityCreateWithCertificate")) {
7.41 + [self release];
7.42 + return nil;
7.43 + }
7.44 + }
7.45 + return self;
7.46 +}
7.47 +
7.48 +- (void) dealloc
7.49 +{
7.50 + if (_identityRef) CFRelease(_identityRef);
7.51 + [super dealloc];
7.52 +}
7.53 +
7.54 +- (void) finalize
7.55 +{
7.56 + if (_identityRef) CFRelease(_identityRef);
7.57 + [super finalize];
7.58 +}
7.59 +
7.60 +
7.61 +- (MYPrivateKey*) privateKey {
7.62 + SecKeyRef keyRef = NULL;
7.63 + if (!check(SecIdentityCopyPrivateKey(_identityRef, &keyRef), @"SecIdentityCopyPrivateKey"))
7.64 + return NULL;
7.65 + MYPrivateKey *privateKey = [[MYPrivateKey alloc] _initWithKeyRef: keyRef
7.66 + publicKey: self.publicKey];
7.67 + CFRelease(keyRef);
7.68 + return [privateKey autorelease];
7.69 +}
7.70 +
7.71 +
7.72 ++ (MYIdentity*) preferredIdentityForName: (NSString*)name
7.73 +{
7.74 + Assert(name);
7.75 + SecIdentityRef identityRef;
7.76 + if (!check(SecIdentityCopyPreference((CFStringRef)name, 0, NULL, &identityRef),
7.77 + @"SecIdentityCopyPreference"))
7.78 + return nil;
7.79 + return identityRef ?[[[self alloc] initWithIdentityRef: identityRef] autorelease] :nil;
7.80 +}
7.81 +
7.82 +- (BOOL) makePreferredIdentityForName: (NSString*)name {
7.83 + Assert(name);
7.84 + return check(SecIdentitySetPreference(_identityRef, (CFStringRef)name, 0),
7.85 + @"SecIdentitySetPreference");
7.86 +}
7.87 +
7.88 +@end
8.1 --- a/MYKeychain.h Wed Apr 08 16:30:52 2009 -0700
8.2 +++ b/MYKeychain.h Thu Apr 09 21:36:21 2009 -0700
8.3 @@ -56,6 +56,9 @@
8.4
8.5 #pragma mark CERTIFICATES:
8.6
8.7 +/** Adds a certificate to this keychain. (It must not already belong to a keychain.) */
8.8 +- (BOOL) addCertificate: (MYCertificate*)certificate;
8.9 +
8.10 /** Imports a certificate into the keychain, given its external representation. */
8.11 - (MYCertificate*) importCertificate: (NSData*)data;
8.12
8.13 @@ -67,6 +70,9 @@
8.14 /** Enumerates all certificates in the keychain. */
8.15 - (NSEnumerator*) enumerateCertificates;
8.16
8.17 +/** Enumerates all identities in the keychain. */
8.18 +- (NSEnumerator*) enumerateIdentities;
8.19 +
8.20 #pragma mark KEY-PAIRS:
8.21
8.22 /** Generates a new RSA key-pair and adds both keys to the keychain.
8.23 @@ -110,16 +116,16 @@
8.24 Since the private key data is wrapped (encrypted), the Security agent will prompt the user to enter
8.25 the passphrase. */
8.26 - (MYPrivateKey*) importPublicKey: (NSData*)pubKeyData
8.27 - privateKey: (NSData*)privKeyData;
8.28 + privateKey: (NSData*)privKeyData;
8.29
8.30 /** Imports a key-pair into the keychain, given the external representations
8.31 of both the public and private keys.
8.32 Since the private key data is wrapped (encrypted), the Security agent will prompt the user to enter
8.33 the passphrase. You can specify the title and prompt message for this alert panel. */
8.34 - (MYPrivateKey*) importPublicKey: (NSData*)pubKeyData
8.35 - privateKey: (NSData*)privKeyData
8.36 - alertTitle: (NSString*)title
8.37 - alertPrompt: (NSString*)prompt;
8.38 + privateKey: (NSData*)privKeyData
8.39 + alertTitle: (NSString*)title
8.40 + alertPrompt: (NSString*)prompt;
8.41
8.42 /** Imports a certificate into the keychain, given its external representation. */
8.43 - (MYCertificate*) importCertificate: (NSData*)data
9.1 --- a/MYKeychain.m Wed Apr 08 16:30:52 2009 -0700
9.2 +++ b/MYKeychain.m Thu Apr 09 21:36:21 2009 -0700
9.3 @@ -9,12 +9,15 @@
9.4 #import "MYKeychain.h"
9.5 #import "MYCrypto_Private.h"
9.6 #import "MYDigest.h"
9.7 +#import "MYIdentity.h"
9.8 +
9.9
9.10 #if !MYCRYPTO_USE_IPHONE_API
9.11
9.12
9.13 @interface MYKeyEnumerator : NSEnumerator
9.14 {
9.15 + @private
9.16 MYKeychain *_keychain;
9.17 SecKeychainSearchRef _search;
9.18 SecItemClass _itemClass;
9.19 @@ -27,6 +30,17 @@
9.20 @end
9.21
9.22
9.23 +@interface MYIdentityEnumerator : NSEnumerator
9.24 +{
9.25 + @private
9.26 + SecIdentitySearchRef _searchRef;
9.27 +}
9.28 +
9.29 +- (id) initWithKeychain: (MYKeychain*)keychain;
9.30 +@end
9.31 +
9.32 +
9.33 +
9.34
9.35 @implementation MYKeychain
9.36
9.37 @@ -249,6 +263,10 @@
9.38 attributes: NULL count: 0] autorelease];
9.39 }
9.40
9.41 +- (NSEnumerator*) enumerateIdentities {
9.42 + return [[[MYIdentityEnumerator alloc] initWithKeychain: self] autorelease];
9.43 +}
9.44 +
9.45 - (NSEnumerator*) enumerateSymmetricKeys {
9.46 return [[[MYKeyEnumerator alloc] initWithKeychain: self
9.47 itemClass: kSecSymmetricKeyItemClass
9.48 @@ -318,6 +336,12 @@
9.49 encoding: CSSM_CERT_ENCODING_BER];
9.50 }
9.51
9.52 +- (BOOL) addCertificate: (MYCertificate*)certificate {
9.53 + Assert(certificate);
9.54 + return check(SecCertificateAddToKeychain(certificate.certificateRef, self.keychainRefOrDefault),
9.55 + @"SecCertificateAddToKeychain");
9.56 +}
9.57 +
9.58
9.59 - (MYSymmetricKey*) generateSymmetricKeyOfSize: (unsigned)keySizeInBits
9.60 algorithm: (CCAlgorithm)algorithm
9.61 @@ -413,6 +437,31 @@
9.62 return key;
9.63 }
9.64
9.65 +@end
9.66 +
9.67 +
9.68 +
9.69 +@implementation MYIdentityEnumerator
9.70 +
9.71 +- (id) initWithKeychain: (MYKeychain*)keychain {
9.72 + self = [super init];
9.73 + if (self) {
9.74 + if (!check(SecIdentitySearchCreate(keychain.keychainRef, 0, &_searchRef),
9.75 + @"SecIdentitySearchCreate")) {
9.76 + [self release];
9.77 + return nil;
9.78 + }
9.79 + }
9.80 + return self;
9.81 +}
9.82 +
9.83 +- (id) nextObject {
9.84 + SecIdentityRef identityRef = NULL;
9.85 + OSStatus err = SecIdentitySearchCopyNext(_searchRef, &identityRef);
9.86 + if (err==errKCItemNotFound || !check(err, @"SecIdentitySearchCopyNext"))
9.87 + return nil;
9.88 + return [[[MYIdentity alloc] initWithIdentityRef: identityRef] autorelease];
9.89 +}
9.90
9.91 @end
9.92
10.1 --- a/MYPrivateKey.h Wed Apr 08 16:30:52 2009 -0700
10.2 +++ b/MYPrivateKey.h Thu Apr 09 21:36:21 2009 -0700
10.3 @@ -7,7 +7,7 @@
10.4 //
10.5
10.6 #import "MYKey.h"
10.7 -@class MYPublicKey, MYSHA1Digest;
10.8 +@class MYPublicKey, MYSHA1Digest, MYIdentity;
10.9
10.10
10.11 /** A private key, used for signing and decrypting data.
10.12 @@ -48,6 +48,12 @@
10.13 //@{
10.14 #if !TARGET_OS_IPHONE
10.15
10.16 +/** Creates a self-signed identity certificate using this key-pair.
10.17 + The attributes describe the certificate's metadata, including its expiration date and the
10.18 + subject's name. Keys for the dictionary are given below; the only mandatory one is
10.19 + kMYIdentityCommonNameKey. */
10.20 +- (MYIdentity*) createSelfSignedIdentityWithAttributes: (NSDictionary*)attributes;
10.21 +
10.22 /** Exports the private key as a data blob, so that it can be stored as a backup, or transferred
10.23 to another computer. Since the key is sensitive, it must be exported in encrypted form
10.24 using a user-chosen passphrase. This method will display a standard alert panel, run by
10.25 @@ -75,3 +81,14 @@
10.26 //@}
10.27
10.28 @end
10.29 +
10.30 +
10.31 +/* Attribute keys for creating identities: */
10.32 +#define kMYIdentityCommonNameKey @"Common Name" // NSString. Required!
10.33 +#define kMYIdentityGivenNameKey @"Given Name"
10.34 +#define kMYIdentitySurnameKey @"Surname"
10.35 +#define kMYIdentityDescriptionKey @"Description"
10.36 +#define kMYIdentityEmailAddressKey @"Email Address"
10.37 +#define kMYIdentityValidFromKey @"Valid From" // NSDate. Defaults to the current date/time
10.38 +#define kMYIdentityValidToKey @"Valid To" // NSDate. Defaults to one year from ValidFrom
10.39 +#define kMYIdentitySerialNumberKey @"Serial Number" // NSNumber. Defaults to 1
11.1 --- a/MYPrivateKey.m Wed Apr 08 16:30:52 2009 -0700
11.2 +++ b/MYPrivateKey.m Thu Apr 09 21:36:21 2009 -0700
11.3 @@ -9,6 +9,7 @@
11.4 #import "MYPrivateKey.h"
11.5 #import "MYCrypto_Private.h"
11.6 #import "MYDigest.h"
11.7 +#import "MYCertGen.h"
11.8 #import <CommonCrypto/CommonDigest.h>
11.9
11.10
11.11 @@ -114,6 +115,12 @@
11.12 return [self _initWithKeyRef: privateKey publicKeyData: pubKeyData forKeychain: keychain];
11.13 }
11.14
11.15 +
11.16 +- (MYIdentity*) createSelfSignedIdentityWithAttributes: (NSDictionary*)attributes {
11.17 + return MYIdentityCreateSelfSigned(self, attributes);
11.18 +}
11.19 +
11.20 +
11.21 #endif
11.22
11.23
12.1 --- a/MYPublicKey.m Wed Apr 08 16:30:52 2009 -0700
12.2 +++ b/MYPublicKey.m Thu Apr 09 21:36:21 2009 -0700
12.3 @@ -85,6 +85,42 @@
12.4 }
12.5
12.6
12.7 +#if !TARGET_OS_IPHONE
12.8 +- (CSSM_WRAP_KEY*) _unwrappedCSSMKey {
12.9 + const CSSM_KEY *key = self.cssmKey;
12.10 +
12.11 + if (key->KeyHeader.BlobType == CSSM_KEYBLOB_WRAPPED) {
12.12 + Warn(@"Key is already wrapped.\n");
12.13 + return NULL;
12.14 + }
12.15 +
12.16 + if (key->KeyHeader.KeyClass != CSSM_KEYCLASS_PUBLIC_KEY)
12.17 + Warn(@"Warning: Null wrapping a non-public key - this is a dangerous operation.\n");
12.18 +
12.19 + const CSSM_ACCESS_CREDENTIALS* credentials;
12.20 + credentials = [self cssmCredentialsForOperation: CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED
12.21 + type: kSecCredentialTypeDefault error: nil];
12.22 + CSSM_CC_HANDLE ccHandle;
12.23 + if (!checkcssm(CSSM_CSP_CreateSymmetricContext(self.cssmCSPHandle,
12.24 + CSSM_ALGID_NONE, CSSM_ALGMODE_WRAP,
12.25 + NULL, NULL, NULL,
12.26 + CSSM_PADDING_NONE, NULL,
12.27 + &ccHandle),
12.28 + @"CSSM_CSP_CreateSymmetricContext"))
12.29 + return NULL;
12.30 +
12.31 + CSSM_WRAP_KEY *result = malloc(sizeof(CSSM_WRAP_KEY));
12.32 + if (!checkcssm(CSSM_WrapKey(ccHandle, credentials, key, NULL, result),
12.33 + @"CSSM_WrapKey")) {
12.34 + free(result);
12.35 + result = NULL;
12.36 + }
12.37 + CSSM_DeleteContext(ccHandle);
12.38 + return result;
12.39 +}
12.40 +#endif
12.41 +
12.42 +
12.43 @end
12.44
12.45
13.1 --- a/MYSymmetricKey.m Wed Apr 08 16:30:52 2009 -0700
13.2 +++ b/MYSymmetricKey.m Thu Apr 09 21:36:21 2009 -0700
13.3 @@ -68,7 +68,6 @@
13.4 [self release];
13.5 return nil;
13.6 }
13.7 - Log(@"SecItemAdd returned %@", keyRef);//TEMP
13.8 Assert(keyRef, @"SecItemAdd didn't return anything");
13.9 #else
13.10 Assert(NO,@"Unimplemented"); //FIX
14.1 --- a/README.textile Wed Apr 08 16:30:52 2009 -0700
14.2 +++ b/README.textile Thu Apr 09 21:36:21 2009 -0700
14.3 @@ -12,7 +12,7 @@
14.4 "*Keychain*":http://developer.apple.com/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html#//apple_ref/doc/uid/TP30000897-CH204-TP9
14.5 and *CSSM* APIs, which are notoriously hard to use, as well as *CommonCrypto*, which is easier but quite limited.
14.6
14.7 -MYCrypto gives you easy object-oriented interfaces to
14.8 +MYCrypto gives you easy object-oriented interfaces to:
14.9
14.10 * Symmmetric cryptography (session keys and password-based encryption)
14.11 * Asymmetric cryptography (public and private keys; digital signatures)