-
Notifications
You must be signed in to change notification settings - Fork 4
/
PPRSA.m
245 lines (203 loc) · 7.84 KB
/
PPRSA.m
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
//
// PPRSA.m
// medcalc-3
//
// Created by Pascal Pfiffner on 8/22/15.
//
#import "PPRSA.h"
NSString * const PPRSAErrorDomain = @"PPRSAErrorDomain";
const uint32_t PPRSA_PADDING = kSecPaddingPKCS1;
@interface PPRSA () {
SecKeyRef publicKey;
SecKeyRef privateKey;
}
@end
@implementation PPRSA
#pragma mark - Key Loading
- (BOOL)loadPublicKeyFromBundledCertificate:(NSString *)name error:(NSError **)error {
NSURL *url = [[NSBundle mainBundle] URLForResource:name withExtension:@"crt"];
if (url) {
NSData *certData = [NSData dataWithContentsOfURL:url];
if (certData) {
SecKeyRef public = [self publicKeyFromData:certData error:error];
if (public) {
if (publicKey) {
CFRelease(publicKey);
}
publicKey = public;
return YES;
}
}
else if (error) {
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: @"Failed to read bundled public key data"}];
}
}
else if (error) {
NSString *message = [NSString stringWithFormat:@"Bundled certificate named «%@.crt» not found", name];
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: message}];
}
return NO;
}
- (SecKeyRef)publicKeyFromData:(NSData *)data error:(NSError **)error {
SecCertificateRef certificate = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)data);
if (certificate) {
SecPolicyRef policy = SecPolicyCreateBasicX509();
SecTrustRef trust;
OSStatus status = SecTrustCreateWithCertificates(certificate, policy, &trust);
CFRelease(certificate);
CFRelease(policy);
if (errSecSuccess == status) {
SecKeyRef key = SecTrustCopyPublicKey(trust);
CFRelease(trust);
return key;
}
if (error) {
NSString *message = [self errorMessageForCode:status message:@"Failed to establish trust with certificate"];
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: message}];
}
}
else if (error) {
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: @"Failed to create certificate"}];
}
return NULL;
}
- (BOOL)loadPrivateKeyFromBundledP12:(NSString *)name password:(NSString *)password error:(NSError **)error {
NSURL *url = [[NSBundle mainBundle] URLForResource:name withExtension:@"p12"];
if (url) {
NSData *certData = [NSData dataWithContentsOfURL:url];
if (certData) {
//NSLog(@"PRIVATE KEY DATA Base64: %@", [certData base64EncodedStringWithOptions:0]);
return [self loadPrivateKeyFromP12Data:certData password:password error:error];
}
else if (error) {
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: @"Failed to read bundled private key data"}];
}
}
else if (error) {
NSString *message = [NSString stringWithFormat:@"Bundled private key file named «%@.p12» not found", name];
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: message}];
}
return NO;
}
- (BOOL)loadPrivateKeyFromP12Data:(NSData *)certData password:(NSString *)password error:(NSError **)error {
NSParameterAssert(certData);
SecKeyRef private = [self privateKeyFromData:certData withPassword:password error:error];
if (private) {
if (privateKey) {
CFRelease(privateKey);
}
privateKey = private;
return YES;
}
return NO;
}
- (SecKeyRef)privateKeyFromData:(NSData *)keyData withPassword:(NSString *)password error:(NSError **)error {
SecKeyRef privateKeyRef = NULL;
NSDictionary *options = @{(__bridge id)kSecImportExportPassphrase: password};
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
OSStatus status = SecPKCS12Import((__bridge CFDataRef)keyData, (__bridge CFDictionaryRef)options, &items);
if (status == noErr && CFArrayGetCount(items) > 0) {
CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);
status = SecIdentityCopyPrivateKey(identity, &privateKeyRef);
if (status != noErr) {
privateKeyRef = NULL;
if (error) {
NSString *message = [self errorMessageForCode:status message:@"Failed to copy private key"];
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: message}];
}
}
}
else if (error) {
NSString *message = [self errorMessageForCode:status message:@"Failed to import P12 data"];
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: message}];
}
CFRelease(items);
return privateKeyRef;
}
#pragma mark - Encryption
- (BOOL)hasPublicKey {
return NULL != publicKey;
}
- (NSData *)encryptData:(NSData *)plainData error:(NSError **)error {
if (NULL == publicKey) {
if (error) {
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: @"No public key has been loaded, cannot encrypt"}];
}
return nil;
}
SecKeyRef key = publicKey;
size_t cipherBufferSize = SecKeyGetBlockSize(key);
size_t maxSize = cipherBufferSize - 11; // valid for PKCS1 padding only!
if (maxSize < plainData.length) {
if (error) {
NSString *message = [NSString stringWithFormat:@"Too much data, cannot encrypt. Max %lu byte, have %lu", (unsigned long)maxSize, (unsigned long)plainData.length];
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: message}];
}
return nil;
}
NSMutableData *buffer = [NSMutableData dataWithLength:cipherBufferSize];
uint8_t *cipherBufferPointer = buffer.mutableBytes;
size_t cipherBufferResultSize = cipherBufferSize;
// encrypt data
OSStatus status = SecKeyEncrypt(key, PPRSA_PADDING, plainData.bytes, plainData.length, cipherBufferPointer, &cipherBufferResultSize);
if (noErr == status) {
return [buffer copy];
}
if (error) {
NSString *message = [self errorMessageForCode:status message:@"Failed to encrypt data"];
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: message}];
}
return nil;
}
#pragma mark - Decryption
- (BOOL)hasPrivateKey {
return NULL != privateKey;
}
- (NSData *)decryptData:(NSData *)encData error:(NSError **)error {
if (NULL == privateKey) {
if (error) {
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: @"No private key has been loaded, cannot decrypt"}];
}
return nil;
}
SecKeyRef key = privateKey;
size_t plainBufferSize = SecKeyGetBlockSize(key);
NSMutableData *buffer = [NSMutableData dataWithLength:plainBufferSize];
uint8_t *plainBufferPointer = buffer.mutableBytes;
size_t plainBufferResultSize = plainBufferSize;
// decrypt data
OSStatus status = SecKeyDecrypt(key, PPRSA_PADDING, encData.bytes, encData.length, plainBufferPointer, &plainBufferResultSize);
if (noErr == status) {
return [buffer copy];
}
if (error) {
NSString *message = [self errorMessageForCode:status message:@"Failed to decrypt data"];
*error = [NSError errorWithDomain:PPRSAErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey: message}];
}
return nil;
}
#pragma mark - Utilities
+ (NSString *)randomStringOfLength:(NSUInteger)length {
NSString *alphabet = @"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXZY0123456789@%#$^_.*-+/=";
NSMutableString *s = [NSMutableString stringWithCapacity:length];
for (NSUInteger i = 0U; i < length; i++) {
u_int32_t r = arc4random() % [alphabet length];
unichar c = [alphabet characterAtIndex:r];
[s appendFormat:@"%C", c];
}
return [s copy];
}
- (NSString * __nonnull)errorMessageForCode:(OSStatus)code message:(NSString *)message {
NSString *explanation = nil;
switch (code) {
case errSecAuthFailed:
explanation = @"wrong password";
break;
case errSSLCrypto:
explanation = @"invalid encryption";
break;
}
return [NSString stringWithFormat:@"%@: %@", message, explanation ?: [NSString stringWithFormat:@"Error code %d", (int)code]];
}
@end