/*
* Find private key by label, modify its Label attr to be the
* hash of the associated public key.
* Also optionally re-sets the key's PrintName attribute; used to reset
* this attr from the random label we create when first unwrap it
* to the friendly name we find later after parsing attributes.
* Detection of a duplicate key when updating the key's attributes
* results in a lookup of the original key and returning it in
* foundKey.
*/
CSSM_RETURN p12SetPubKeyHash(
CSSM_CSP_HANDLE cspHand, // where the key lives
CSSM_DL_DB_HANDLE dlDbHand, // ditto
CSSM_DATA &keyLabel, // for DB lookup
CSSM_DATA_PTR newPrintName, // optional
SecNssCoder &coder, // for mallocing newLabel
CSSM_DATA &newLabel, // RETURNED with label as hash
CSSM_KEY_PTR &foundKey) // RETURNED
{
CSSM_QUERY query;
CSSM_SELECTION_PREDICATE predicate;
CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
CSSM_RETURN crtn;
CSSM_HANDLE resultHand = 0;
CSSM_DATA keyData = {0, NULL};
CSSM_CC_HANDLE ccHand = 0;
CSSM_KEY_PTR privKey = NULL;
CSSM_DATA_PTR keyDigest = NULL;
assert(cspHand != 0);
query.RecordType = CSSM_DL_DB_RECORD_PRIVATE_KEY;
query.Conjunctive = CSSM_DB_NONE;
query.NumSelectionPredicates = 1;
predicate.DbOperator = CSSM_DB_EQUAL;
predicate.Attribute.Info.AttributeNameFormat =
CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
predicate.Attribute.Info.Label.AttributeName =
(char*) P12_KEY_ATTR_LABEL_AND_HASH;
predicate.Attribute.Info.AttributeFormat =
CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
/* hope this cast is OK */
predicate.Attribute.Value = &keyLabel;
query.SelectionPredicate = &predicate;
query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
query.QueryFlags = CSSM_QUERY_RETURN_DATA;
/* build Record attribute with one or two attrs */
CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
CSSM_DB_ATTRIBUTE_DATA attr[2];
attr[0].Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
attr[0].Info.Label.AttributeName = (char*) P12_KEY_ATTR_LABEL_AND_HASH;
attr[0].Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
if(newPrintName) {
attr[1].Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
attr[1].Info.Label.AttributeName = (char*) P12_KEY_ATTR_PRINT_NAME;
attr[1].Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
}
recordAttrs.DataRecordType = CSSM_DL_DB_RECORD_PRIVATE_KEY;
recordAttrs.NumberOfAttributes = newPrintName ? 2 : 1;
recordAttrs.AttributeData = attr;
crtn = CSSM_DL_DataGetFirst(dlDbHand,
&query,
&resultHand,
&recordAttrs,
&keyData, // theData
&record);
/* abort only on success */
if(crtn != CSSM_OK) {
p12LogCssmError("CSSM_DL_DataGetFirst", crtn);
p12ErrorLog("***p12SetPubKeyHash: can't find private key\n");
return crtn;
}
/* subsequent errors to errOut: */
if(keyData.Data == NULL) {
p12ErrorLog("***p12SetPubKeyHash: private key lookup failure\n");
crtn = CSSMERR_CSSM_INTERNAL_ERROR;
goto errOut;
}
privKey = (CSSM_KEY_PTR)keyData.Data;
/* public key hash via passthrough - works on any key, any CSP/CSPDL.... */
/*
* Warning! This relies on the current default ACL meaning "allow this
* current app to access this private key" since we created the key.
*/
crtn = CSSM_CSP_CreatePassThroughContext(cspHand, privKey, &ccHand);
if(crtn) {
p12LogCssmError("CSSM_CSP_CreatePassThroughContext", crtn);
goto errOut;
}
crtn = CSSM_CSP_PassThrough(ccHand,
CSSM_APPLECSP_KEYDIGEST,
NULL,
(void **)&keyDigest);
if(crtn) {
p12LogCssmError("CSSM_CSP_PassThrough", crtn);
goto errOut;
}
/*
* Replace Label attr data with hash.
* NOTE: the module which allocated this attribute data - a DL -
* was loaded and attached by out client layer, not by us. Thus
* we can't use the memory allocator functions *we* used when
* attaching to the CSP - we have to use the ones
* which the client registered with the DL.
*/
freeCssmMemory(dlDbHand.DLHandle, attr[0].Value->Data);
freeCssmMemory(dlDbHand.DLHandle, attr[0].Value);
if(newPrintName) {
freeCssmMemory(dlDbHand.DLHandle, attr[1].Value->Data);
freeCssmMemory(dlDbHand.DLHandle, attr[1].Value);
}
/* modify key attributes */
attr[0].Value = keyDigest;
if(newPrintName) {
attr[1].Value = newPrintName;
}
crtn = CSSM_DL_DataModify(dlDbHand,
CSSM_DL_DB_RECORD_PRIVATE_KEY,
record,
&recordAttrs,
NULL, // DataToBeModified
CSSM_DB_MODIFY_ATTRIBUTE_REPLACE);
switch(crtn) {
case CSSM_OK:
/* give caller the key's new label */
coder.allocCopyItem(*keyDigest, newLabel);
break;
default:
p12LogCssmError("CSSM_DL_DataModify", crtn);
break;
case CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA:
{
/*
* Special case: dup private key. The label we just tried to modify is
* the public key hash so we can be confident that this really is a dup.
* Delete it, look up the original, and return the original to caller.
*/
CSSM_RETURN drtn = CSSM_DL_DataDelete(dlDbHand, record);
if(drtn) {
p12LogCssmError("CSSM_DL_DataDelete on dup key", drtn);
crtn = drtn;
break;
}
/* Free items created in last search */
CSSM_DL_DataAbortQuery(dlDbHand, resultHand);
resultHand = 0;
CSSM_DL_FreeUniqueRecord(dlDbHand, record);
record = NULL;
/* lookup by label as public key hash this time */
predicate.Attribute.Value = keyDigest;
drtn = CSSM_DL_DataGetFirst(dlDbHand,
&query,
&resultHand,
NULL, // no attrs this time
&keyData,
&record);
if(drtn) {
p12LogCssmError("CSSM_DL_DataGetFirst on original key", crtn);
crtn = drtn;
break;
}
foundKey = (CSSM_KEY_PTR)keyData.Data;
/* give caller the key's actual label */
coder.allocCopyItem(*keyDigest, newLabel);
break;
}
}
errOut:
/* free resources */
if(resultHand) {
CSSM_DL_DataAbortQuery(dlDbHand, resultHand);
}
if(record) {
CSSM_DL_FreeUniqueRecord(dlDbHand, record);
}
if(ccHand) {
CSSM_DeleteContext(ccHand);
}
if(privKey) {
/* key created by the CSPDL */
CSSM_FreeKey(cspHand, NULL, privKey, CSSM_FALSE);
freeCssmMemory(dlDbHand.DLHandle, privKey);
}
if(keyDigest) {
/* mallocd by someone else's CSP */
freeCssmMemory(cspHand, keyDigest->Data);
freeCssmMemory(cspHand, keyDigest);
}
return crtn;
}
/*
* Find private key by label, modify its Label attr to be the
* hash of the associated public key.
*/
static CSSM_RETURN setPubKeyHash(
CSSM_CSP_HANDLE cspHand,
CSSM_DL_DB_HANDLE dlDbHand,
const CSSM_KEY *pubOrPrivKey, // to get hash; raw or ref/CSPDL
const char *keyLabel) // look up by this
{
CSSM_QUERY query;
CSSM_SELECTION_PREDICATE predicate;
CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
CSSM_RETURN crtn;
CSSM_DATA labelData;
CSSM_HANDLE resultHand;
labelData.Data = (uint8 *)keyLabel;
labelData.Length = strlen(keyLabel) + 1; // incl. NULL
query.RecordType = CSSM_DL_DB_RECORD_PRIVATE_KEY;
query.Conjunctive = CSSM_DB_NONE;
query.NumSelectionPredicates = 1;
predicate.DbOperator = CSSM_DB_EQUAL;
predicate.Attribute.Info.AttributeNameFormat =
CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
predicate.Attribute.Info.Label.AttributeName = "Label";
predicate.Attribute.Info.AttributeFormat =
CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
predicate.Attribute.Value = &labelData;
query.SelectionPredicate = &predicate;
query.QueryLimits.TimeLimit = 0;
query.QueryLimits.SizeLimit = 1;
query.QueryFlags = 0;
/* build Record attribute with one attr */
CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
CSSM_DB_ATTRIBUTE_DATA attr;
attr.Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
attr.Info.Label.AttributeName = "Label";
attr.Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
recordAttrs.DataRecordType = CSSM_DL_DB_RECORD_PRIVATE_KEY;
recordAttrs.NumberOfAttributes = 1;
recordAttrs.AttributeData = &attr;
crtn = CSSM_DL_DataGetFirst(dlDbHand,
&query,
&resultHand,
&recordAttrs,
NULL, // hopefully optional ...theData,
&record);
/* abort only on success */
if(crtn != CSSM_OK) {
sec_error("CSSM_DL_DataGetFirst: setPubKeyHash: can't find private key: %s", sec_errstr(crtn));
return crtn;
}
/*
* If specified key is a ref key, do NULL unwrap for use with raw CSP.
* If the CSPDL and SecurityServer support the key digest passthrough
* this is unnecessary.
*/
CSSM_KEY rawKeyToDigest;
if(pubOrPrivKey->KeyHeader.BlobType == CSSM_KEYBLOB_REFERENCE) {
crtn = refKeyToRaw(cspHand, pubOrPrivKey, &rawKeyToDigest);
if(crtn) {
sec_error("setPubKeyHash: Error converting public key to raw format: %s", sec_errstr(crtn));
return crtn;
}
}
else {
/* use as is */
rawKeyToDigest = *pubOrPrivKey;
}
/* connect to raw CSP */
CSSM_CSP_HANDLE rawCspHand = srCspStartup(CSSM_TRUE);
if(rawCspHand == 0) {
printf("***Error connecting to raw CSP; aborting.\n");
return -1;
}
/* calculate hash of pub key from private or public part */
CSSM_DATA_PTR keyDigest = NULL;
CSSM_CC_HANDLE ccHand;
crtn = CSSM_CSP_CreatePassThroughContext(rawCspHand,
&rawKeyToDigest,
&ccHand);
if(ccHand == 0) {
sec_error("CSSM_CSP_CreatePassThroughContext: Error calculating public key hash. Aborting: %s", sec_errstr(crtn));
return -1;
}
crtn = CSSM_CSP_PassThrough(ccHand,
CSSM_APPLECSP_KEYDIGEST,
NULL,
(void **)&keyDigest);
if(crtn) {
sec_error("CSSM_CSP_PassThrough(PUBKEYHASH): Error calculating public key hash. Aborting: %s", sec_errstr(crtn));
return crtn;
}
if(pubOrPrivKey->KeyHeader.BlobType == CSSM_KEYBLOB_REFERENCE) {
/* created in refKeyToRaw().... */
CSSM_FreeKey(cspHand, NULL, &rawKeyToDigest, CSSM_FALSE);
}
CSSM_DeleteContext(ccHand);
CSSM_ModuleDetach(rawCspHand);
/*
* Replace Label attr data with hash.
* NOTE: the module which allocated this attribute data - a DL -
* was loaded and attached by the Sec layer, not by us. Thus
* we can't use the memory allocator functions *we* used when
* attaching to the CSPDL - we have to use the ones
* which the Sec layer registered with the DL.
*/
CSSM_API_MEMORY_FUNCS memFuncs;
crtn = CSSM_GetAPIMemoryFunctions(dlDbHand.DLHandle, &memFuncs);
if(crtn) {
sec_error("CSSM_GetAPIMemoryFunctions(DLHandle): Error: %s", sec_errstr(crtn));
/* oh well, leak and continue */
}
else {
memFuncs.free_func(attr.Value->Data, memFuncs.AllocRef);
memFuncs.free_func(attr.Value, memFuncs.AllocRef);
}
attr.Value = keyDigest;
/* modify key attributes */
crtn = CSSM_DL_DataModify(dlDbHand,
CSSM_DL_DB_RECORD_PRIVATE_KEY,
record,
&recordAttrs,
NULL, // DataToBeModified
CSSM_DB_MODIFY_ATTRIBUTE_REPLACE);
if(crtn) {
sec_error("CSSM_DL_DataModify(PUBKEYHASH): Error setting public key hash. Aborting: %s", sec_errstr(crtn));
return crtn;
}
crtn = CSSM_DL_DataAbortQuery(dlDbHand, resultHand);
if(crtn) {
sec_error("CSSM_DL_DataAbortQuery: Error while stopping query: %s", sec_errstr(crtn));
/* let's keep going in this case */
}
crtn = CSSM_DL_FreeUniqueRecord(dlDbHand, record);
if(crtn) {
sec_error("CSSM_DL_FreeUniqueRecord: Error while freeing record: %s", sec_errstr(crtn));
/* let's keep going in this case */
crtn = CSSM_OK;
}
/* free resources */
if (keyDigest)
{
srAppFree(keyDigest->Data, NULL);
srAppFree(keyDigest, NULL);
}
return CSSM_OK;
}