key_create.c   [plain text]

/*
 * Copyright (c) 2003-2004,2006,2008,2012,2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 *
 * key_create.c
 */

#include "key_create.h"

#include "keychain_utilities.h"
#include "security_tool.h"

#include <CoreFoundation/CFDateFormatter.h>
#include <CoreFoundation/CFString.h>
#include <Security/SecAccess.h>
#include <Security/SecKey.h>
#include <Security/SecKeychainItem.h>
#include <Security/SecTrustedApplication.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>


static int
do_key_create_pair(const char *keychainName, SecAccessRef access, CSSM_ALGORITHMS algorithm, uint32 keySizeInBits, CFAbsoluteTime from_time, CFAbsoluteTime to_time, Boolean print_hash)
{
	SecKeychainRef keychain = NULL;
	OSStatus status;
	int result = 0;
	CSSM_CC_HANDLE contextHandle = 0;
	CSSM_KEYUSE publicKeyUsage = CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_VERIFY | CSSM_KEYUSE_WRAP | CSSM_KEYUSE_DERIVE;
	uint32 publicKeyAttr = CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_EXTRACTABLE;
	CSSM_KEYUSE privateKeyUsage = CSSM_KEYUSE_DECRYPT | CSSM_KEYUSE_SIGN | CSSM_KEYUSE_UNWRAP | CSSM_KEYUSE_DERIVE;
	uint32 privateKeyAttr = CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_SENSITIVE | CSSM_KEYATTR_EXTRACTABLE;
	SecKeyRef publicKey = NULL;
	SecKeyRef privateKey = NULL;
	SecKeychainAttributeList *attrList = NULL;

	if (keychainName)
	{
		keychain = keychain_open(keychainName);
		if (!keychain)
		{
			result = 1;
			goto loser;
		}
	}

	status = SecKeyCreatePair(keychain, algorithm, keySizeInBits, contextHandle,
        publicKeyUsage,
        publicKeyAttr,
        privateKeyUsage,
        privateKeyAttr,
        access,
        &publicKey,
        &privateKey);
	if (status)
	{
		sec_error("SecKeyCreatePair %s: %s", keychainName ? keychainName : "<NULL>", sec_errstr(status));
		result = 1;
		goto loser;
	}

	if (print_hash)
	{
		SecItemClass itemClass = 0;
		UInt32 tag = 0x00000006;
		UInt32 format = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
		SecKeychainAttributeInfo info = { 1, &tag, &format };

		status = SecKeychainItemCopyAttributesAndData((SecKeychainItemRef)privateKey, &info, &itemClass, &attrList, NULL, NULL);
		if (status)
		{
			sec_perror("SecKeychainItemCopyAttributesAndData", status);
			result = 1;
			goto loser;
		}

		if (info.count != attrList->count)
		{
			sec_error("info count: %ld != attribute count: %ld", info.count, attrList->count);
			result = 1;
			goto loser;
		}

		if (tag != attrList->attr[0].tag)
		{
			sec_error("attribute info tag: %ld != attribute tag: %ld", tag, attrList->attr[0].tag);
			result = 1;
			goto loser;
		}

		print_buffer_pem(stdout, "PUBLIC KEY HASH", attrList->attr[0].length, attrList->attr[0].data);
	}

loser:
	if (attrList)
	{
		status = SecKeychainItemFreeAttributesAndData(attrList, NULL);
		if (status)
			sec_perror("SecKeychainItemFreeAttributesAndData", status);
	}

	if (keychain)
		CFRelease(keychain);
	if (publicKey)
		CFRelease(publicKey);
	if (privateKey)
		CFRelease(privateKey);

	return result;
}

static int
parse_algorithm(const char *name, CSSM_ALGORITHMS *algorithm)
{
	size_t len = strlen(name);

	if (!strncmp("rsa", name, len))
		*algorithm = CSSM_ALGID_RSA;
	else if (!strncmp("dsa", name, len))
		*algorithm = CSSM_ALGID_DSA;
	else if (!strncmp("dh", name, len))
		*algorithm = CSSM_ALGID_DH;
	else if (!strncmp("fee", name, len))
		*algorithm = CSSM_ALGID_FEE;
	else
	{
		sec_error("Invalid algorithm: %s", name);
		return SHOW_USAGE_MESSAGE;
	}

	return 0;
}

static int
parse_time(const char *time, CFAbsoluteTime *ptime)
{
    CFDateFormatterRef formatter = CFDateFormatterCreate(NULL, NULL, kCFDateFormatterShortStyle, kCFDateFormatterShortStyle);
	CFStringRef time_string = CFStringCreateWithCString(NULL, time, kCFStringEncodingUTF8);
	int result = 0;
	if (!CFDateFormatterGetAbsoluteTimeFromString(formatter, time_string, NULL, ptime))
	{
		sec_error("%s is not a valid date", time);
		result = 1;
	}
    if (formatter)
        CFRelease(formatter);
    if (time_string)
        CFRelease(time_string);
	return result;
}

int
key_create_pair(int argc, char * const *argv)
{
	const char *keychainName = NULL;
	CSSM_ALGORITHMS algorithm = CSSM_ALGID_RSA;
	uint32 keySizeInBits = 512;
	int ch, result = 0;
	OSStatus status;
	Boolean always_allow = FALSE;
	Boolean print_hash = FALSE;
	CFAbsoluteTime from_time = 0.0, to_time = 0.0;
	double days = 0.0;
	SecAccessRef access = NULL;
	CFMutableArrayRef trusted_list = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
	CFStringRef description = NULL;

/*
    { "create-keypair", key_create_pair,
	  "[-a alg] [-s size] [-f date] [-t date] [-d days] [-k keychain] [-A|-T appPath] description\n"
	  "    -a  Use alg as the algorithm, can be rsa, dh, dsa or fee (default rsa)\n"
	  "    -s  Specify the keysize in bits (default 512)\n"
	  "    -f  Make a key valid from the specified date\n"
	  "    -t  Make a key valid to the specified date\n"
	  "    -d  Make a key valid for the number of days specified from now\n"
	  "    -k  Use the specified keychain rather than the default\n"
	  "    -H  Print the public key hash attribute\n"
	  "    -A  Allow any application to access without warning\n"
	  "    -T  Allow the application specified to access without warning (multiple -T options are allowed)\n"
	  "If no options are provided, ask the user interactively.",
*/

    while ((ch = getopt(argc, argv, "a:s:f:t:d:k:AHT:h")) != -1)
	{
		switch  (ch)
		{
        case 'a':
			result = parse_algorithm(optarg, &algorithm);
			if (result)
				goto loser;
			break;
        case 's':
			keySizeInBits = atoi(optarg);
			break;
		case 'k':
			keychainName = optarg;
			break;
		case 'A':
			always_allow = TRUE;
			break;
		case 'H':
			print_hash = TRUE;
			break;
		case 'T':
		{
			if (optarg[0])
			{
				SecTrustedApplicationRef app = NULL;
				status = SecTrustedApplicationCreateFromPath(optarg, &app);
				if (status)
				{
					sec_error("SecTrustedApplicationCreateFromPath %s: %s", optarg, sec_errstr(status));
					result = 1;
					goto loser;
				}

				CFArrayAppendValue(trusted_list, app);
				CFRelease(app);
			}
			break;
		}
		case 'f':
			 result = parse_time(optarg, &from_time);
			if (result)
				goto loser;
			break;
		case 't':
			 result = parse_time(optarg, &to_time);
			if (result)
				goto loser;
			break;
		case 'd':
			days = atof(optarg);
			if (days < 1)
			{
				result = 2;
				goto loser;
			}
			from_time = CFAbsoluteTimeGetCurrent();
			to_time = from_time + days * 86400.0;
			break;
		case '?':
		default:
			return SHOW_USAGE_MESSAGE;
		}
	}

	argc -= optind;
	argv += optind;

	if (argc == 1)
	{
		if (*argv[0] == '\0')
		{
			result = 2;
			goto loser;
		}
		description  = CFStringCreateWithCString(NULL, argv[0], kCFStringEncodingUTF8);
	}
	else if (argc != 0)
		return SHOW_USAGE_MESSAGE;
	else
		description = CFStringCreateWithCString(NULL, "<key>", kCFStringEncodingUTF8);

	if (always_allow)
	{
		status = SecAccessCreate(description, NULL, &access);
		if (status)
		{
			sec_perror("SecAccessCreate", status);
			result = 1;
		}
	}
	else
	{
		status = SecAccessCreate(description, trusted_list, &access);
		if (status)
		{
			sec_perror("SecAccessCreate", status);
			result = 1;
		}
	}

	if (result)
		goto loser;

	result = do_key_create_pair(keychainName, access, algorithm, keySizeInBits, from_time, to_time, print_hash);

loser:
	if (description)
		CFRelease(description);
	if (trusted_list)
		CFRelease(trusted_list);
	if (access)
		CFRelease(access);

	return result;
}

#if 0
static OSStatus
createCertCsr(
	CSSM_TP_HANDLE		tpHand,				// eventually, a SecKeychainRef
	CSSM_CL_HANDLE		clHand,
	CSSM_CSP_HANDLE		cspHand,
	SecKeyRef			subjPubKey,
	SecKeyRef			signerPrivKey,
	CSSM_ALGORITHMS 	sigAlg,
	const CSSM_OID		*sigOid,
	/*
	 * Issuer's RDN is obtained from the issuer cert, if present, or is
	 * assumed to be the same as the subject name (i.e., we're creating
	 * a self-signed root cert).
	 */
	CSSM_BOOL			useAllDefaults,
	CSSM_DATA_PTR		csrData)			// CSR: mallocd and RETURNED
{
	CE_DataAndType 				exts[2];
	CE_DataAndType 				*extp = exts;
	unsigned					numExts;

	CSSM_DATA					refId;		// mallocd by CSSM_TP_SubmitCredRequest
	CSSM_APPLE_TP_CERT_REQUEST	certReq;
	CSSM_TP_REQUEST_SET			reqSet;
	sint32						estTime;
	CSSM_BOOL					confirmRequired;
	CSSM_TP_RESULT_SET_PTR		resultSet;
	CSSM_ENCODED_CERT			*encCert;
	CSSM_APPLE_TP_NAME_OID		subjectNames[MAX_NAMES];
	uint32						numNames;
	CSSM_TP_CALLERAUTH_CONTEXT 	CallerAuthContext;
	CSSM_FIELD					policyId;

	/* Note a lot of the CSSM_APPLE_TP_CERT_REQUEST fields are not
	 * used for the createCsr option, but we'll fill in as much as is practical
	 * for either case.
	 */
	numExts = 0;

	char challengeBuf[400];
	if(useAllDefaults) {
		strcpy(challengeBuf, ZDEF_CHALLENGE);
	}
	else {
		while(1) {
			getStringWithPrompt("Enter challenge string: ",
				challengeBuf, sizeof(challengeBuf));
			if(challengeBuf[0] != '\0') {
				break;
			}
		}
	}
	certReq.challengeString = challengeBuf;

	/* name array, get from user. */
	if(useAllDefaults) {
		subjectNames[0].string 	= ZDEF_COMMON_NAME;
		subjectNames[0].oid 	= &CSSMOID_CommonName;
		subjectNames[1].string	= ZDEF_ORG_NAME;
		subjectNames[1].oid 	= &CSSMOID_OrganizationName;
		subjectNames[2].string	= ZDEF_COUNTRY;
		subjectNames[2].oid 	= &CSSMOID_CountryName;
		subjectNames[3].string	= ZDEF_STATE;
		subjectNames[3].oid 	= &CSSMOID_StateProvinceName;
		numNames = 4;
	}
	else {
		getNameOids(subjectNames, &numNames);
	}

	/* certReq */
	certReq.cspHand = cspHand;
	certReq.clHand = clHand;
	certReq.serialNumber = 0x12345678;		// TBD - random? From user?
	certReq.numSubjectNames = numNames;
	certReq.subjectNames = subjectNames;

	/* TBD - if we're passed in a signing cert, certReq.issuerNameX509 will
	 * be obtained from that cert. For now we specify "self-signed" cert
	 * by not providing an issuer name at all. */
	certReq.numIssuerNames = 0;				// root for now
	certReq.issuerNames = NULL;
	certReq.issuerNameX509 = NULL;
	certReq.certPublicKey = subjPubKey;
	certReq.issuerPrivateKey = signerPrivKey;
	certReq.signatureAlg = sigAlg;
	certReq.signatureOid = *sigOid;
	certReq.notBefore = 0;					// TBD - from user
	certReq.notAfter = 60 * 60 * 24 * 30;	// seconds from now
	certReq.numExtensions = numExts;
	certReq.extensions = exts;

	reqSet.NumberOfRequests = 1;
	reqSet.Requests = &certReq;

	/* a CSSM_TP_CALLERAUTH_CONTEXT to specify an OID */
	memset(&CallerAuthContext, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
	memset(&policyId, 0, sizeof(CSSM_FIELD));
	policyId.FieldOid = CSSMOID_APPLE_TP_CSR_GEN;
	CallerAuthContext.Policy.NumberOfPolicyIds = 1;
	CallerAuthContext.Policy.PolicyIds = &policyId;

	CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(tpHand,
		NULL,				// PreferredAuthority
		CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
		&reqSet,
		&CallerAuthContext,
		&estTime,
		&refId);

	/* before proceeding, free resources allocated thus far */
	if(!useAllDefaults) {
		freeNameOids(subjectNames, numNames);
	}

	if(crtn) {
		printError("***Error submitting credential request","CSSM_TP_SubmitCredRequest",crtn);
		return crtn;
	}
	crtn = CSSM_TP_RetrieveCredResult(tpHand,
		&refId,
		NULL,				// CallerAuthCredentials
		&estTime,
		&confirmRequired,
		&resultSet);
	if(crtn) {
		printError("***Error retreiving credential request","CSSM_TP_RetrieveCredResult",crtn);
		return crtn;
	}
	if(resultSet == NULL) {
		printf("***CSSM_TP_RetrieveCredResult returned NULL result set.\n");
		return ioErr;
	}
	encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
	*csrData = encCert->CertBlob;

	/* free resources allocated by TP */
	APP_FREE(refId.Data);
	APP_FREE(encCert);
	APP_FREE(resultSet);
	return noErr;
}
#endif

#if 0
/* this was added in Michael's integration of PR-3420772, but this is an unimplemented command */

int
csr_create(int argc, char * const *argv)
{
	int result = 0;
	int ch;
	const char *keychainName = NULL;
	CSSM_ALGORITHMS algorithm = CSSM_ALGID_RSA;
	uint32 keySizeInBits = 512;
	OSStatus status;
	Boolean always_allow = FALSE;
	CFAbsoluteTime from_time = 0.0, to_time = 0.0;
	double days = 0.0;
	SecAccessRef access = NULL;
	CFMutableArrayRef trusted_list = NULL;
	CFStringRef description = NULL;

/*
    { "create-keypair", key_create_pair,
	  "[-a alg] [-s size] [-f date] [-t date] [-d days] [-k keychain] [-u sdux] [-c challenge] description\n"
	  " [-k keychain] [-u sewx] description\n"
	  "    -a  Look for key with alg as the algorithm, can be rsa, dh, dsa or fee (default rsa)\n"
	  "    -s  Look for key with keysize in bits\n"
	  "    -c  Add challenge to the key as a challange string\n"
	  "    -f  Look for a key at least valid from the specified date\n"
	  "    -t  Look for a key at least valid to the specified date\n"
	  "    -d  Look for a key at least valid for the number of days specified from now\n"
	  "	   -u  Look for a key with the specified usage flags (s)igning (d)ecryption (u)nwrapping e(x)change\n"
	  "    -k  Look in specified keychain rather than the default search list\n"
	  "If no options are provided ask the user interactively",
*/

    while ((ch = getopt(argc, argv, "a:s:f:t:d:k:AT:h")) != -1)
	{
		switch  (ch)
		{
        case 'a':
			result = parse_algorithm(optarg, &algorithm);
			if (result)
				goto loser;
			break;
        case 's':
			keySizeInBits = atoi(optarg);
			break;
		case 'k':
			keychainName = optarg;
			break;
		case 'A':
			always_allow = TRUE;
			break;
		case 'T':
		{
			if (!trusted_list)
			{
				trusted_list = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
			}

			if (optarg[0])
			{
				SecTrustedApplicationRef app = NULL;
				status = SecTrustedApplicationCreateFromPath(optarg, &app);
				if (status)
				{
					sec_error("SecTrustedApplicationCreateFromPath %s: %s", optarg, sec_errstr(status));
					result = 1;
					goto loser;
				}

				CFArrayAppendValue(trusted_list, app);
				CFRelease(app);
				break;
			}
		}
		case 'f':
			 result = parse_time(optarg, &from_time);
			if (result)
				goto loser;
			break;
		case 't':
			 result = parse_time(optarg, &to_time);
			if (result)
				goto loser;
			break;
		case 'd':
			days = atof(optarg);
			if (days < 1)
			{
				result = 2;
				goto loser;
			}
			from_time = CFAbsoluteTimeGetCurrent();
			to_time = from_time + days * 86400.0;
			break;
		case '?':
		default:
			return SHOW_USAGE_MESSAGE;
		}
	}

	argc -= optind;
	argv += optind;

	if (argc == 1)
	{
		if (*argv[0] == '\0')
		{
			result = 2;
			goto loser;
		}
		description  = CFStringCreateWithCString(NULL, argv[0], kCFStringEncodingUTF8);
	}
	else if (argc != 0)
		return SHOW_USAGE_MESSAGE;
	else
		description = CFStringCreateWithCString(NULL, "<key>", kCFStringEncodingUTF8);

	if (always_allow)
	{
		status = SecAccessCreate(description, NULL, &access);
		if (status)
		{
			sec_perror("SecAccessCreate", status);
			result = 1;
		}
		// @@@ Make the acl always allow now.
	}
	else
	{
		status = SecAccessCreate(description, trusted_list, &access);
		if (status)
		{
			sec_perror("SecAccessCreate", status);
			result = 1;
		}
	}

	if (result)
		goto loser;

	result = do_csr_create(keychainName, access, algorithm, keySizeInBits, from_time, to_time);

loser:
	if (description)
		CFRelease(description);
	if (trusted_list)
		CFRelease(trusted_list);
	if (access)
		CFRelease(access);

	return result;
}
#endif