SOSBackupSliceKeyBag.m [plain text]
/*
* Copyright (c) 2015-2017 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
// Our Header
#include <Security/SecureObjectSync/SOSBackupSliceKeyBag.h>
// Needed headers for implementation
#include "AssertMacros.h"
#include <utilities/SecCFWrappers.h>
#include <utilities/SecAKSWrappers.h>
#include <utilities/SecBuffer.h>
#include <utilities/SecCFError.h>
#include <utilities/der_set.h>
#include <utilities/der_plist_internal.h>
#include <Security/SecRandom.h>
#include <Security/SecureObjectSync/SOSPeerInfo.h>
#include <Security/SecureObjectSync/SOSPeerInfoCollections.h>
#include <Security/SecureObjectSync/SOSInternal.h>
#include <corecrypto/ccec.h>
#include <corecrypto/ccsha2.h>
#include <corecrypto/ccrng.h>
#include <limits.h>
#include "SecRecoveryKey.h"
#include "SOSKeyedPubKeyIdentifier.h"
#include "SOSInternal.h"
#include "SecADWrapper.h"
#include "SecCFAllocator.h"
CFStringRef bskbRkbgPrefix = CFSTR("RK");
//
// MARK: Type creation
//
CFGiblisFor(SOSBackupSliceKeyBag);
const int kAKSBagSecretLength = 32;
struct __OpaqueSOSBackupSliceKeyBag {
CFRuntimeBase _base;
CFDataRef aks_bag;
CFSetRef peers;
CFDictionaryRef wrapped_keys;
};
static void SOSBackupSliceKeyBagDestroy(CFTypeRef aObj) {
SOSBackupSliceKeyBagRef vb = (SOSBackupSliceKeyBagRef) aObj;
CFReleaseNull(vb->aks_bag);
CFReleaseNull(vb->peers);
CFReleaseNull(vb->wrapped_keys);
}
static CFSetRef SOSBackupSliceKeyBagCopyPeerNames(SOSBackupSliceKeyBagRef bksb) {
CFMutableSetRef retval = CFSetCreateMutableForCFTypes(kCFAllocatorDefault);
if(!retval) return NULL;
CFSetForEach(bksb->peers, ^(const void *value) {
SOSPeerInfoRef pi = (SOSPeerInfoRef) value;
CFSetAddValue(retval, SOSPeerInfoGetPeerName(pi));
});
return retval;
}
static CFStringRef SOSBackupSliceKeyBagCopyFormatDescription(CFTypeRef aObj, CFDictionaryRef formatOptions) {
SOSBackupSliceKeyBagRef vb = (SOSBackupSliceKeyBagRef) aObj;
CFMutableStringRef retval = CFStringCreateMutable(kCFAllocatorDefault, 0);
CFSetRef peerIDs = SOSBackupSliceKeyBagCopyPeerNames(vb);
CFStringSetPerformWithDescription(peerIDs, ^(CFStringRef description) {
CFStringAppendFormat(retval, NULL, CFSTR("<SOSBackupSliceKeyBag@ });
CFReleaseNull(peerIDs);
CFStringAppend(retval, CFSTR(">"));
return retval;
}
//
// MARK: Encode/Decode
//
const uint8_t* der_decode_BackupSliceKeyBag(CFAllocatorRef allocator,
SOSBackupSliceKeyBagRef* BackupSliceKeyBag, CFErrorRef *error,
const uint8_t* der, const uint8_t *der_end) {
if (der == NULL) return der;
const uint8_t *result = NULL;
SOSBackupSliceKeyBagRef vb = CFTypeAllocate(SOSBackupSliceKeyBag, struct __OpaqueSOSBackupSliceKeyBag, allocator);
require_quiet(SecAllocationError(vb, error, CFSTR("View bag allocation failed")), fail);
const uint8_t *sequence_end = NULL;
der = ccder_decode_sequence_tl(&sequence_end, der, der_end);
require_quiet(sequence_end == der_end, fail);
der = der_decode_data(kCFAllocatorDefault, kCFPropertyListImmutable, &vb->aks_bag, error, der, sequence_end);
vb->peers = SOSPeerInfoSetCreateFromArrayDER(kCFAllocatorDefault, &kSOSPeerSetCallbacks, error,
&der, der_end);
der = der_decode_dictionary(kCFAllocatorDefault, kCFPropertyListImmutable, &vb->wrapped_keys, error, der, sequence_end);
require_quiet(SecRequirementError(der == der_end, error, CFSTR("Extra space in sequence")), fail);
if (BackupSliceKeyBag)
CFTransferRetained(*BackupSliceKeyBag, vb);
result = der;
fail:
CFReleaseNull(vb);
return result;
}
size_t der_sizeof_BackupSliceKeyBag(SOSBackupSliceKeyBagRef BackupSliceKeyBag, CFErrorRef *error) {
size_t result = 0;
require_quiet(SecRequirementError(BackupSliceKeyBag != NULL, error, CFSTR("Null BackupSliceKeyBag")), fail);
require_quiet(BackupSliceKeyBag != NULL, fail); // this is redundant with what happens in SecRequirementError, but the analyzer can't understand that.
require_quiet(SecRequirementError(BackupSliceKeyBag->aks_bag != NULL, error, CFSTR("null aks_bag in BackupSliceKeyBag")), fail);
require_quiet(BackupSliceKeyBag->aks_bag != NULL, fail); // this is redundant with what happens in SecRequirementError, but the analyzer can't understand that.
size_t bag_size = der_sizeof_data(BackupSliceKeyBag->aks_bag, error);
require_quiet(bag_size, fail);
size_t peers_size = SOSPeerInfoSetGetDEREncodedArraySize(BackupSliceKeyBag->peers, error);
require_quiet(peers_size, fail);
size_t wrapped_keys_size = der_sizeof_dictionary(BackupSliceKeyBag->wrapped_keys, error);
require_quiet(wrapped_keys_size, fail);
result = ccder_sizeof(CCDER_CONSTRUCTED_SEQUENCE, bag_size + peers_size + wrapped_keys_size);
fail:
return result;
}
uint8_t* der_encode_BackupSliceKeyBag(SOSBackupSliceKeyBagRef set, CFErrorRef *error,
const uint8_t *der, uint8_t *der_end) {
uint8_t *result = NULL;
if (der_end == NULL) return der_end;
require_quiet(SecRequirementError(set != NULL, error, CFSTR("Null set passed to encode")), fail);
require_quiet(set, fail); // Silence the NULL warning.
require_quiet(SecRequirementError(set->aks_bag != NULL, error, CFSTR("Null set passed to encode")), fail);
require_quiet(set->aks_bag, fail); // Silence the warning.
der_end = ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der,
der_encode_data(set->aks_bag, error, der,
SOSPeerInfoSetEncodeToArrayDER(set->peers, error, der,
der_encode_dictionary(set->wrapped_keys, error, der, der_end))));
require_quiet(der_end == der, fail);
result = der_end;
fail:
return result;
}
SOSBackupSliceKeyBagRef SOSBackupSliceKeyBagCreateFromData(CFAllocatorRef allocator, CFDataRef data, CFErrorRef *error) {
SOSBackupSliceKeyBagRef result = NULL;
SOSBackupSliceKeyBagRef decodedBag = NULL;
const uint8_t *der = CFDataGetBytePtr(data);
const uint8_t *der_end = der + CFDataGetLength(data);
der = der_decode_BackupSliceKeyBag(allocator, &decodedBag, error, der, der_end);
require_quiet(SecRequirementError(der == der_end, error, CFSTR("Didn't consume all data supplied")), fail);
CFTransferRetained(result, decodedBag);
fail:
CFReleaseNull(decodedBag);
return result;
}
//
// MARK: Construction
//
bool SOSBSKBIsGoodBackupPublic(CFDataRef publicKey, CFErrorRef *error) {
bool result = false;
ccec_pub_ctx_decl_cp(SOSGetBackupKeyCurveParameters(), pub_key);
int cc_result = ccec_compact_import_pub(SOSGetBackupKeyCurveParameters(), CFDataGetLength(publicKey), CFDataGetBytePtr(publicKey), pub_key);
require_action_quiet(cc_result == 0, exit, SOSErrorCreate(kSOSErrorDecodeFailure, error, NULL, CFSTR("Unable to decode public key:
result = true;
exit:
return result;
}
static CFDataRef SOSCopyECWrapped(CFDataRef publicKey, CFDataRef secret, CFErrorRef *error) {
CFDataRef result = NULL;
ccec_pub_ctx_decl_cp(SOSGetBackupKeyCurveParameters(), pub_key);
int cc_result = ccec_compact_import_pub(SOSGetBackupKeyCurveParameters(), CFDataGetLength(publicKey), CFDataGetBytePtr(publicKey), pub_key);
require_action_quiet(cc_result == 0, exit, SOSErrorCreate(kSOSErrorDecodeFailure, error, NULL, CFSTR("Unable to decode public key:
result = SOSCopyECWrappedData(pub_key, secret, error);
exit:
return result;
}
static CFDictionaryRef SOSBackupSliceKeyBagCopyWrappedKeys(SOSBackupSliceKeyBagRef vb, CFDataRef secret, CFDictionaryRef additionalKeys, CFErrorRef *error) {
CFDictionaryRef result = NULL;
CFMutableDictionaryRef wrappedKeys = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
__block bool success = true;
CFSetForEach(vb->peers, ^(const void *value) {
SOSPeerInfoRef pi = (SOSPeerInfoRef) value;
if (isSOSPeerInfo(pi)) {
CFStringRef id = SOSPeerInfoGetPeerID(pi);
CFDataRef backupKey = SOSPeerInfoCopyBackupKey(pi);
if (backupKey) {
CFErrorRef wrapError = NULL;
CFDataRef wrappedKey = SOSCopyECWrapped(backupKey, secret, &wrapError);
if (wrappedKey) {
CFDictionaryAddValue(wrappedKeys, id, wrappedKey);
CFDataPerformWithHexString(backupKey, ^(CFStringRef backupKeyString) {
CFDataPerformWithHexString(wrappedKey, ^(CFStringRef wrappedKeyString) {
secnotice("bskb", "Add for id: });
});
} else {
CFDataPerformWithHexString(backupKey, ^(CFStringRef backupKeyString) {
secnotice("bskb", "Failed at id: });
CFErrorPropagate(wrapError, error);
success = false;
}
CFReleaseNull(wrappedKey);
CFReleaseNull(backupKey);
} else {
secnotice("bskb", "Skipping id }
}
});
CFDictionaryForEach(additionalKeys, ^(const void *key, const void *value) {
CFStringRef prefix = asString(key, NULL);
CFDataRef backupKey = asData(value, NULL);
if (backupKey) {
CFDataRef wrappedKey = NULL;
CFErrorRef localError = NULL;
CFStringRef id = SOSKeyedPubKeyIdentifierCreateWithData(prefix, backupKey);
require_quiet(id, done);
wrappedKey = SOSCopyECWrapped(backupKey, secret, &localError);
require_quiet(wrappedKey, done);
CFDictionaryAddValue(wrappedKeys, id, wrappedKey);
done:
if (!localError) {
CFDataPerformWithHexString(backupKey, ^(CFStringRef backupKeyString) {
CFDataPerformWithHexString(wrappedKey, ^(CFStringRef wrappedKeyString) {
secnotice("bskb", "Add for bk: });
});
} else {
CFDataPerformWithHexString(backupKey, ^(CFStringRef backupKeyString) {
secnotice("bskb", "Failed at bk: });
CFErrorPropagate(localError, error);
success = false;
}
CFReleaseNull(wrappedKey);
CFReleaseNull(id);
} else {
secnotice("bskb", "Skipping }
});
if (success)
CFTransferRetained(result, wrappedKeys);
CFReleaseNull(wrappedKeys);
return result;
}
static bool SOSBackupSliceKeyBagCreateBackupBag(SOSBackupSliceKeyBagRef vb, CFDictionaryRef/*CFDataRef*/ additionalKeys, CFErrorRef* error) {
CFReleaseNull(vb->aks_bag);
// Choose a random key.
PerformWithBufferAndClear(kAKSBagSecretLength, ^(size_t size, uint8_t *buffer) {
CFDataRef secret = NULL;
require_quiet(SecError(SecRandomCopyBytes(kSecRandomDefault, size, buffer), error, CFSTR("SecRandom falied!")), fail);
secret = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, buffer, size, kCFAllocatorNull);
CFAssignRetained(vb->wrapped_keys, SOSBackupSliceKeyBagCopyWrappedKeys(vb, secret, additionalKeys, error));
CFAssignRetained(vb->aks_bag, SecAKSCopyBackupBagWithSecret(size, buffer, error));
fail:
CFReleaseSafe(secret);
});
return vb->aks_bag != NULL;
}
CFDataRef SOSBSKBCopyEncoded(SOSBackupSliceKeyBagRef BackupSliceKeyBag, CFErrorRef* error) {
CFDataRef result = NULL;
CFMutableDataRef encoded = NULL;
size_t encodedSize = der_sizeof_BackupSliceKeyBag(BackupSliceKeyBag, error);
require_quiet(encodedSize, fail);
encoded = CFDataCreateMutableWithScratch(kCFAllocatorDefault, encodedSize);
require_quiet(SecAllocationError(encoded, error, CFSTR("Faild to create scratch")), fail);
uint8_t *encode_to = CFDataGetMutableBytePtr(encoded);
uint8_t *encode_to_end = encode_to + CFDataGetLength(encoded);
require_quiet(encode_to == der_encode_BackupSliceKeyBag(BackupSliceKeyBag, error, encode_to, encode_to_end), fail);
CFTransferRetained(result, encoded);
fail:
CFReleaseSafe(encoded);
return result;
}
static CFSetRef SOSBackupSliceKeyBagCreatePeerSet(CFAllocatorRef allocator, CFSetRef peers) {
CFMutableSetRef result = CFSetCreateMutableForSOSPeerInfosByID(allocator);
CFSetForEach(peers, ^(const void *value) {
CFSetAddValue(result, value);
});
return result;
}
SOSBackupSliceKeyBagRef SOSBackupSliceKeyBagCreate(CFAllocatorRef allocator, CFSetRef peers, CFErrorRef* error) {
CFMutableDictionaryRef additionalKeys = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault);
SOSBackupSliceKeyBagRef result = SOSBackupSliceKeyBagCreateWithAdditionalKeys(allocator, peers, additionalKeys, NULL);
CFReleaseNull(additionalKeys);
return result;
}
SOSBackupSliceKeyBagRef SOSBackupSliceKeyBagCreateWithAdditionalKeys(CFAllocatorRef allocator,
CFSetRef /*SOSPeerInfoRef*/ peers,
CFDictionaryRef /*CFStringRef (prefix) CFDataRef (keydata) */ additionalKeys,
CFErrorRef* error) {
SOSBackupSliceKeyBagRef result = NULL;
SOSBackupSliceKeyBagRef vb = CFTypeAllocate(SOSBackupSliceKeyBag, struct __OpaqueSOSBackupSliceKeyBag, allocator);
require_quiet(SecAllocationError(vb, error, CFSTR("View bag allocation failed")), fail);
require_quiet(SecRequirementError(CFSetGetCount(peers) > 0, error, CFSTR("Need peers")), fail);
vb->peers = SOSBackupSliceKeyBagCreatePeerSet(allocator, peers);
vb->wrapped_keys = CFDictionaryCreateMutableForCFTypes(allocator);
require_quiet(SOSBackupSliceKeyBagCreateBackupBag(vb, additionalKeys, error), fail);
CFTransferRetained(result, vb);
fail:
CFReleaseNull(vb);
return result;
}
SOSBackupSliceKeyBagRef SOSBackupSliceKeyBagCreateDirect(CFAllocatorRef allocator, CFDataRef aks_bag, CFErrorRef *error)
{
SOSBackupSliceKeyBagRef result = NULL;
SOSBackupSliceKeyBagRef vb = CFTypeAllocate(SOSBackupSliceKeyBag, struct __OpaqueSOSBackupSliceKeyBag, allocator);
require_quiet(SecAllocationError(vb, error, CFSTR("View bag allocation failed")), fail);
require_quiet(SecRequirementError(aks_bag, error, CFSTR("Need aks bag")), fail);
vb->aks_bag = CFRetainSafe(aks_bag);
vb->peers = CFSetCreateMutableForSOSPeerInfosByID(allocator);
vb->wrapped_keys = CFDictionaryCreateMutableForCFTypes(allocator);
CFTransferRetained(result, vb);
fail:
CFReleaseNull(vb);
return result;
}
//
// MARK: Use
//
bool SOSBSKBIsDirect(SOSBackupSliceKeyBagRef backupSliceKeyBag)
{
return 0 == CFSetGetCount(backupSliceKeyBag->peers);
}
CFDataRef SOSBSKBCopyAKSBag(SOSBackupSliceKeyBagRef backupSliceKeyBag, CFErrorRef* error)
{
return CFRetainSafe(backupSliceKeyBag->aks_bag);
}
CFSetRef SOSBSKBGetPeers(SOSBackupSliceKeyBagRef backupSliceKeyBag){
return backupSliceKeyBag->peers;
}
int SOSBSKBCountPeers(SOSBackupSliceKeyBagRef backupSliceKeyBag) {
return (backupSliceKeyBag->peers) ? (int) CFSetGetCount(backupSliceKeyBag->peers): 0;
}
bool SOSBSKBPeerIsInKeyBag(SOSBackupSliceKeyBagRef backupSliceKeyBag, SOSPeerInfoRef pi) {
return CFSetGetValue(backupSliceKeyBag->peers, pi) != NULL;
}
bool SOSBKSBKeyIsInKeyBag(SOSBackupSliceKeyBagRef backupSliceKeyBag, CFDataRef publicKey) {
bool result = false;
CFStringRef keyID = SOSCopyIDOfDataBuffer(publicKey, NULL);
require_quiet(keyID, done);
result = CFDictionaryContainsKey(backupSliceKeyBag->wrapped_keys, keyID);
done:
CFReleaseSafe(keyID);
return result;
}
bool SOSBKSBPrefixedKeyIsInKeyBag(SOSBackupSliceKeyBagRef backupSliceKeyBag, CFStringRef prefix, CFDataRef publicKey) {
bool result = false;
CFStringRef kpkid = SOSKeyedPubKeyIdentifierCreateWithData(prefix, publicKey);
require_quiet(kpkid, done);
result = CFDictionaryContainsKey(backupSliceKeyBag->wrapped_keys, kpkid);
done:
CFReleaseSafe(kpkid);
return result;
}
bskb_keybag_handle_t SOSBSKBLoadLocked(SOSBackupSliceKeyBagRef backupSliceKeyBag,
CFErrorRef *error)
{
#if !TARGET_HAS_KEYSTORE
return bad_keybag_handle;
#else
keybag_handle_t result = bad_keybag_handle;
keybag_handle_t bag_handle = bad_keybag_handle;
require_quiet(SecRequirementError(backupSliceKeyBag->aks_bag, error,
CFSTR("No aks bag to load")), exit);
require_quiet(SecRequirementError(CFDataGetLength(backupSliceKeyBag->aks_bag) < INT_MAX, error,
CFSTR("No aks bag to load")), exit);
kern_return_t aks_result;
aks_result = aks_load_bag(CFDataGetBytePtr(backupSliceKeyBag->aks_bag),
(int) CFDataGetLength(backupSliceKeyBag->aks_bag),
&bag_handle);
require_quiet(SecKernError(aks_result, error,
CFSTR("aks_load_bag failed:
result = bag_handle;
bag_handle = bad_keybag_handle;
exit:
if (bag_handle != bad_keybag_handle) {
(void) aks_unload_bag(bag_handle);
}
return result;
#endif
}
static keybag_handle_t SOSBSKBLoadAndUnlockBagWithSecret(SOSBackupSliceKeyBagRef backupSliceKeyBag,
size_t secretSize, const uint8_t *secret,
CFErrorRef *error)
{
#if !TARGET_HAS_KEYSTORE
return bad_keybag_handle;
#else
keybag_handle_t result = bad_keybag_handle;
keybag_handle_t bag_handle = bad_keybag_handle;
require_quiet(SecRequirementError(backupSliceKeyBag->aks_bag, error,
CFSTR("No aks bag to load")), exit);
require_quiet(SecRequirementError(CFDataGetLength(backupSliceKeyBag->aks_bag) < INT_MAX, error,
CFSTR("No aks bag to load")), exit);
require_quiet(SecRequirementError(secretSize <= INT_MAX, error,
CFSTR("secret too big")), exit);
kern_return_t aks_result;
aks_result = aks_load_bag(CFDataGetBytePtr(backupSliceKeyBag->aks_bag),
(int) CFDataGetLength(backupSliceKeyBag->aks_bag),
&bag_handle);
require_quiet(SecKernError(aks_result, error,
CFSTR("aks_load_bag failed:
aks_result = aks_unlock_bag(bag_handle, secret, (int) secretSize);
require_quiet(SecKernError(aks_result, error,
CFSTR("failed to unlock bag:
result = bag_handle;
bag_handle = bad_keybag_handle;
exit:
if (bag_handle != bad_keybag_handle) {
(void) aks_unload_bag(bag_handle);
}
return result;
#endif
}
keybag_handle_t SOSBSKBLoadAndUnlockWithPeerIDAndSecret(SOSBackupSliceKeyBagRef backupSliceKeyBag,
CFStringRef peerID, CFDataRef peerSecret,
CFErrorRef *error)
{
__block keybag_handle_t result = bad_keybag_handle;
CFDataRef lookedUpData = CFDictionaryGetValue(backupSliceKeyBag->wrapped_keys, peerID);
require_quiet(SecRequirementError(lookedUpData != NULL, error, CFSTR("
require_quiet(SOSPerformWithDeviceBackupFullKey(SOSGetBackupKeyCurveParameters(), peerSecret, error, ^(ccec_full_ctx_t fullKey) {
SOSPerformWithUnwrappedData(fullKey, lookedUpData, error, ^(size_t size, uint8_t *buffer) {
result = SOSBSKBLoadAndUnlockBagWithSecret(backupSliceKeyBag, size, buffer, error);
});
}), exit);
exit:
return result;
}
keybag_handle_t SOSBSKBLoadAndUnlockWithPeerSecret(SOSBackupSliceKeyBagRef backupSliceKeyBag,
SOSPeerInfoRef peer, CFDataRef peerSecret,
CFErrorRef *error)
{
return SOSBSKBLoadAndUnlockWithPeerIDAndSecret(backupSliceKeyBag, SOSPeerInfoGetPeerID(peer), peerSecret, error);
}
keybag_handle_t SOSBSKBLoadAndUnlockWithDirectSecret(SOSBackupSliceKeyBagRef backupSliceKeyBag,
CFDataRef secret,
CFErrorRef *error)
{
keybag_handle_t result = bad_keybag_handle;
require_quiet(SecRequirementError(SOSBSKBIsDirect(backupSliceKeyBag), error, CFSTR("Not direct bag")), exit);
result = SOSBSKBLoadAndUnlockBagWithSecret(backupSliceKeyBag,
CFDataGetLength(secret),
CFDataGetBytePtr(secret),
error);
exit:
return result;
}
#include "SecRecoveryKey.h"
static bool SOSPerformWithRecoveryKeyFullKey(CFDataRef wrappingSecret, CFErrorRef *error, void (^operation)(ccec_full_ctx_t fullKey, CFStringRef keyID)) {
bool result = false;
CFStringRef keyID = NULL;
NSError *nserror = NULL;
SecRecoveryKey *sRecKey = NULL;
NSData* fullKeyBytes = NULL;
NSData* pubKeyBytes = NULL;
CFStringRef restoreKeySecret = CFStringCreateWithBytes(SecCFAllocatorZeroize(), CFDataGetBytePtr(wrappingSecret), CFDataGetLength(wrappingSecret), kCFStringEncodingUTF8, false);
require_action_quiet(restoreKeySecret, errOut, SOSErrorCreate(kSOSErrorDecodeFailure, error, NULL, CFSTR("Unable to create key string from data.")));
sRecKey = SecRKCreateRecoveryKeyWithError((__bridge NSString *)(restoreKeySecret), &nserror);
if(!sRecKey) {
if (error)
*error = (CFErrorRef)CFBridgingRetain(nserror);
goto errOut;
}
require_action_quiet(sRecKey, errOut, SOSErrorCreate(kSOSErrorDecodeFailure, error, NULL, CFSTR("Unable to create recovery key from string.")));
fullKeyBytes = SecRKCopyBackupFullKey(sRecKey);
pubKeyBytes = SecRKCopyBackupPublicKey(sRecKey);
require_action_quiet(fullKeyBytes && pubKeyBytes, errOut, SOSErrorCreate(kSOSErrorDecodeFailure, error, NULL, CFSTR("Unable to get recovery key public and private keys.")));
keyID = SOSCopyIDOfDataBuffer(((__bridge CFDataRef) pubKeyBytes), error);
require_quiet(keyID, errOut);
{
size_t keysize = ccec_compact_import_priv_size(CFDataGetLength((__bridge CFDataRef)fullKeyBytes));
ccec_const_cp_t cp = ccec_curve_for_length_lookup(keysize, ccec_cp_256(), ccec_cp_384(), ccec_cp_521());
ccec_full_ctx_decl_cp(cp, fullKey);
int res = ccec_compact_import_priv(cp, CFDataGetLength((__bridge CFDataRef)fullKeyBytes), CFDataGetBytePtr((__bridge CFDataRef)fullKeyBytes), fullKey);
if(res == 0) {
operation(fullKey, keyID);
result = true;
ccec_full_ctx_clear_cp(cp, fullKey);
}
}
if(!result) SOSErrorCreate(kSOSErrorProcessingFailure, error, NULL, CFSTR("Unable to perform crypto operation from fullKeyBytes."));
errOut:
CFReleaseNull(keyID);
CFReleaseNull(restoreKeySecret);
return result;
}
bskb_keybag_handle_t SOSBSKBLoadAndUnlockWithWrappingSecret(SOSBackupSliceKeyBagRef backupSliceKeyBag,
CFDataRef wrappingSecret,
CFErrorRef *error) {
__block keybag_handle_t result = bad_keybag_handle;
CFDataRef lookedUpData = SOSBSKBCopyRecoveryKey(backupSliceKeyBag);
require_quiet(SecRequirementError(lookedUpData != NULL, error, CFSTR("no recovery key found in
SOSPerformWithRecoveryKeyFullKey(wrappingSecret, error, ^(ccec_full_ctx_t fullKey, CFStringRef keyID) {
SOSPerformWithUnwrappedData(fullKey, lookedUpData, error, ^(size_t size, uint8_t *buffer) {
result = SOSBSKBLoadAndUnlockBagWithSecret(backupSliceKeyBag, size, buffer, error);
});
});
errOut:
CFReleaseSafe(lookedUpData);
return result;
}
// fixed for <rdar://problem/30918831> CrashTracer: secdtests at secdtests: SOSBSKBCopyAdditionalKeysWithPrefix
static CFDictionaryRef SOSBSKBCopyAdditionalKeysWithPrefix(CFAllocatorRef allocator, SOSBackupSliceKeyBagRef bskb, CFStringRef prefix) {
if(!bskb || !bskb->wrapped_keys) return NULL;
CFMutableDictionaryRef retval = CFDictionaryCreateMutableForCFTypes(allocator);
if(!retval) return NULL;
CFDictionaryForEach(bskb->wrapped_keys, ^(const void *key, const void *value) {
CFStringRef kpkid = asString(key, NULL);
CFDataRef keyData = asData(value, NULL);
if(kpkid && keyData && SOSKeyedPubKeyIdentifierIsPrefixed(kpkid)) {
CFStringRef idPrefix = SOSKeyedPubKeyIdentifierCopyPrefix(kpkid);
if(CFEqualSafe(idPrefix, prefix)) {
CFDictionaryAddValue(retval, kpkid, keyData);
}
CFReleaseNull(idPrefix);
}
});
return retval;
}
static bool SOSBSKBHasPrefixedKey(SOSBackupSliceKeyBagRef bskb, CFStringRef prefix) {
CFDictionaryRef keyDict = SOSBSKBCopyAdditionalKeysWithPrefix(kCFAllocatorDefault, bskb, prefix);
bool haveKeys = keyDict && CFDictionaryGetCount(keyDict) > 0;
CFReleaseNull(keyDict);
return haveKeys;
}
CFDataRef SOSBSKBCopyRecoveryKey(SOSBackupSliceKeyBagRef bskb) {
CFDictionaryRef keyDict = SOSBSKBCopyAdditionalKeysWithPrefix(kCFAllocatorDefault, bskb, bskbRkbgPrefix);
if(!keyDict) return NULL;
if(CFDictionaryGetCount(keyDict) == 1) {
__block CFDataRef keyData = NULL;
CFDictionaryForEach(keyDict, ^(const void *key, const void *value) {
keyData = asData(value, NULL);
});
return CFDataCreateCopy(kCFAllocatorDefault, keyData);
}
CFReleaseNull(keyDict);
return NULL;
}
bool SOSBSKBHasRecoveryKey(SOSBackupSliceKeyBagRef bskb) {
if(!bskb) return false;
if(SOSBSKBHasPrefixedKey(bskb, bskbRkbgPrefix)) return true;
// old way for RecoveryKeys
int keyCount = (bskb->wrapped_keys != NULL) ? (int) CFDictionaryGetCount(bskb->wrapped_keys): 0;
int peerCount = SOSBSKBCountPeers(bskb);
return !SOSBSKBIsDirect(bskb) && ((keyCount - peerCount) > 0);
}