void QueryRepresentatorTest::testSymbolTable() {
setUpData();
CPPUNIT_ASSERT_EQUAL(3, QueryRepresentator::getSize());
SymbolTable table1 = QueryRepresentator::getSymbolTable(0);
SymbolTable table2 = QueryRepresentator::getSymbolTable(1);
SymbolTable table3 = QueryRepresentator::getSymbolTable(2);
CPPUNIT_ASSERT_EQUAL(1, table1.getSize());
CPPUNIT_ASSERT_EQUAL(KEYWORD_STMT, table1.getType(0));
CPPUNIT_ASSERT("s1"==table1.getName(0));
CPPUNIT_ASSERT_EQUAL(2, table2.getSize());
CPPUNIT_ASSERT_EQUAL(KEYWORD_STMT, table2.getType(0));
CPPUNIT_ASSERT("s1"==table2.getName(0));
CPPUNIT_ASSERT_EQUAL(KEYWORD_VAR, table2.getType(1));
CPPUNIT_ASSERT("x"==table2.getName(1));
CPPUNIT_ASSERT_EQUAL(2, table3.getSize());
CPPUNIT_ASSERT_EQUAL(KEYWORD_STMT, table3.getType(0));
CPPUNIT_ASSERT("s1"==table3.getName(0));
CPPUNIT_ASSERT_EQUAL(KEYWORD_WHILE, table3.getType(1));
CPPUNIT_ASSERT("w"==table3.getName(1));
}
void AppleCSPSession::DeriveKey_PBKDF2(
const Context &context,
const CssmData &Param,
CSSM_DATA *keyData)
{
/* validate algorithm-specific arguments */
/* Param must point to a CSSM_PKCS5_PBKDF2_PARAMS */
if(Param.Length != sizeof(CSSM_PKCS5_PBKDF2_PARAMS)) {
errorLog0("DeriveKey_PBKDF2: Param wrong size\n");
CssmError::throwMe(CSSMERR_CSP_INVALID_INPUT_POINTER);
}
const CSSM_PKCS5_PBKDF2_PARAMS *pbkdf2Params =
reinterpret_cast<const CSSM_PKCS5_PBKDF2_PARAMS *>(Param.Data);
if(pbkdf2Params == NULL) {
errorLog0("DeriveKey_PBKDF2: null Param.Data\n");
CssmError::throwMe(CSSMERR_CSP_INVALID_DATA);
}
/* Get passphrase from either baseKey or from CSSM_PKCS5_PBKDF2_PARAMS */
CssmKey *passKey = context.get<CssmKey>(CSSM_ATTRIBUTE_KEY);
CSSM_SIZE passphraseLen = 0;
uint8 *passphrase = NULL;
if(passKey != NULL) {
AppleCSPContext::symmetricKeyBits(context, *this,
CSSM_ALGID_SECURE_PASSPHRASE, CSSM_KEYUSE_DERIVE,
passphrase, passphraseLen);
}
else {
passphraseLen = pbkdf2Params->Passphrase.Length;
passphrase = pbkdf2Params->Passphrase.Data;
}
#if !ALLOW_ZERO_PASSWORD
/* passphrase required */
if(passphrase == NULL) {
errorLog0("DeriveKey_PBKDF2: null Passphrase\n");
CssmError::throwMe(CSSMERR_CSP_INVALID_DATA);
}
if(passphraseLen == 0) {
/* FIXME - enforce minimum length? */
errorLog0("DeriveKey_PBKDF2: zero length passphrase\n");
CssmError::throwMe(CSSMERR_CSP_INVALID_INPUT_POINTER);
}
#endif /* ALLOW_ZERO_PASSWORD */
if(pbkdf2Params->PseudoRandomFunction !=
CSSM_PKCS5_PBKDF2_PRF_HMAC_SHA1) {
errorLog0("DeriveKey_PBKDF2: invalid PRF\n");
CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM);
}
/* salt, from context, required */
CssmData salt = context.get<CssmData>(CSSM_ATTRIBUTE_SALT,
CSSMERR_CSP_MISSING_ATTR_SALT);
if((salt.Data == NULL) || (salt.Length < PBKDF2_MIN_SALT)) {
CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_SALT);
}
/* iteration count, from context, required */
uint32 iterCount = context.getInt(CSSM_ATTRIBUTE_ITERATION_COUNT,
CSSMERR_CSP_MISSING_ATTR_ITERATION_COUNT);
if(iterCount < PBKDF2_MIN_ITER_CNT) {
CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_ITERATION_COUNT);
}
/*
* allocate a temp buffer, length
* = MAX (hLen, saltLen + 4) + 2 * hLen
* = MAX (kSHA1DigestSize, saltLen + 4) + 2 * kSHA1DigestSize
*/
size_t tempLen = salt.Length + 4;
if(tempLen < kSHA1DigestSize) {
tempLen = kSHA1DigestSize;
}
tempLen += (2 * kSHA1DigestSize);
CSSM_DATA tempData = {0, NULL};
setUpData(tempData, tempLen, privAllocator);
/* go */
pbkdf2 (hmacsha1,
kSHA1DigestSize,
passphrase, (uint32)passphraseLen,
salt.Data, (uint32)salt.Length,
iterCount,
keyData->Data, (uint32)keyData->Length,
tempData.Data);
freeData(&tempData, privAllocator, false);
}
/*
* Member function initially declared for CSPAbstractPluginSession;
* we're overriding the null version in CSPFullPluginSession.
*
* We'll generate any type of key (for now).
*/
void AppleCSPSession::DeriveKey(
CSSM_CC_HANDLE CCHandle,
const Context &context,
CssmData &Param,
uint32 KeyUsage,
uint32 KeyAttr,
const CssmData *KeyLabel,
const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry,
CssmKey &DerivedKey)
{
/* validate input args, common to all algorithms */
switch(context.algorithm()) {
case CSSM_ALGID_PKCS5_PBKDF2:
case CSSM_ALGID_DH:
case CSSM_ALGID_PKCS12_PBE_ENCR:
case CSSM_ALGID_PKCS12_PBE_MAC:
case CSSM_ALGID_PKCS5_PBKDF1_MD5:
case CSSM_ALGID_PKCS5_PBKDF1_MD2:
case CSSM_ALGID_PKCS5_PBKDF1_SHA1:
case CSSM_ALGID_PBE_OPENSSL_MD5:
case CSSM_ALGID_OPENSSH1:
#if CRYPTKIT_CSP_ENABLE
case CSSM_ALGID_ECDH:
case CSSM_ALGID_ECDH_X963_KDF:
#endif
break;
/* maybe more here, later */
default:
CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM);
}
DerivedKey.KeyData.Data = NULL;
DerivedKey.KeyData.Length = 0;
cspKeyStorage keyStorage = cspParseKeyAttr(CKT_Session, KeyAttr);
cspValidateKeyUsageBits(CKT_Session, KeyUsage);
/* outgoing key type, required (though any algorithm is OK) */
uint32 keyType = context.getInt(CSSM_ATTRIBUTE_KEY_TYPE,
CSSMERR_CSP_MISSING_ATTR_KEY_TYPE);
/* outgoing key size, required - any nonzero value is OK */
uint32 reqKeySize = context.getInt(
CSSM_ATTRIBUTE_KEY_LENGTH,
CSSMERR_CSP_MISSING_ATTR_KEY_LENGTH);
/* cook up a place to put the key data */
uint32 keySizeInBytes = (reqKeySize + 7) / 8;
SymmetricBinaryKey *binKey = NULL;
CSSM_DATA_PTR keyData = NULL;
switch(keyStorage) {
case CKS_None:
/* no way */
CssmError::throwMe(CSSMERR_CSP_INVALID_KEYATTR_MASK);
case CKS_Ref:
/* cook up a symmetric binary key */
binKey = new SymmetricBinaryKey(reqKeySize);
keyData = &binKey->mKeyData;
break;
case CKS_Data:
/* key bytes --> caller's cssmKey */
keyData = &DerivedKey.KeyData;
setUpData(*keyData, keySizeInBytes,
normAllocator);
break;
}
/* break off to algorithm-specific code, whose job it is
* to fill in keyData->Data with keyData->Length bytes */
switch(context.algorithm()) {
case CSSM_ALGID_PKCS5_PBKDF2:
DeriveKey_PBKDF2(context,
Param,
keyData);
break;
case CSSM_ALGID_DH:
DeriveKey_DH(context,
Param,
keyData,
*this);
break;
case CSSM_ALGID_PKCS12_PBE_ENCR:
case CSSM_ALGID_PKCS12_PBE_MAC:
DeriveKey_PKCS12(context,
*this,
Param,
keyData);
break;
case CSSM_ALGID_PKCS5_PBKDF1_MD5:
case CSSM_ALGID_PKCS5_PBKDF1_MD2:
case CSSM_ALGID_PKCS5_PBKDF1_SHA1:
case CSSM_ALGID_PBE_OPENSSL_MD5:
DeriveKey_PKCS5_V1_5(context,
context.algorithm(),
Param,
keyData);
break;
case CSSM_ALGID_OPENSSH1:
DeriveKey_OpenSSH1(context,
context.algorithm(),
Param,
keyData);
break;
#if CRYPTKIT_CSP_ENABLE
case CSSM_ALGID_ECDH:
case CSSM_ALGID_ECDH_X963_KDF:
CryptKit::DeriveKey_ECDH(context,
context.algorithm(),
Param,
keyData,
*this);
break;
#endif
/* maybe more here, later */
default:
assert(0);
}
/* set up outgoing header */
KeyAttr &= ~KEY_ATTR_RETURN_MASK;
CSSM_KEYHEADER &hdr = DerivedKey.KeyHeader;
setKeyHeader(hdr,
plugin.myGuid(),
keyType,
CSSM_KEYCLASS_SESSION_KEY,
KeyAttr,
KeyUsage);
/* handle derived size < requested size, legal for Diffie-Hellman */
hdr.LogicalKeySizeInBits = (uint32)(keyData->Length * 8);
if(keyStorage == CKS_Ref) {
/* store and convert to ref key */
addRefKey(*binKey, DerivedKey);
}
else {
/* Raw data */
hdr.BlobType = CSSM_KEYBLOB_RAW;
hdr.Format = CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING;
}
}
