Diffstat (limited to 'common')
-rw-r--r--common/Makefile.am29
-rw-r--r--common/debug.c174
-rw-r--r--common/debug.h53
-rw-r--r--common/userpref.c1172
-rw-r--r--common/userpref.h89
5 files changed, 1517 insertions, 0 deletions
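diff --git a/common/Makefile.am b/common/Makefile.am
new file mode 100644
index 0000000..ba7ed9c
--- /dev/null
+++ b/common/Makefile.am
@@ -0,0 +1,29 @@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/include \
+ -I$(top_srcdir)
+
+AM_CFLAGS = \
+ $(GLOBAL_CFLAGS) \
+ $(ssl_lib_CFLAGS) \
+ $(LFS_CFLAGS) \
+ $(libusbmuxd_CFLAGS) \
+ $(limd_glue_CFLAGS) \
+ $(libplist_CFLAGS)
+
+AM_LDFLAGS = \
+ $(ssl_lib_LIBS) \
+ ${libpthread_LIBS} \
+ $(libusbmuxd_LIBS) \
+ $(limd_glue_LIBS) \
+ $(libplist_LIBS)
+
+noinst_LTLIBRARIES = libinternalcommon.la
+libinternalcommon_la_LIBADD =
+libinternalcommon_la_LDFLAGS = $(AM_LDFLAGS) -no-undefined
+libinternalcommon_la_SOURCES = \
+ debug.c debug.h \
+ userpref.c userpref.h
+
+if WIN32
+libinternalcommon_la_LIBADD += -lole32 -lws2_32
+endif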
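diff --git a/common/debug.c b/common/debug.c
new file mode 100644
index 0000000..7a593fc
--- /dev/null
+++ b/common/debug.c
@@ -0,0 +1,174 @@
+/*
+ * debug.c
+ * contains utilitary functions for debugging
+ *
+ * Copyright (c) 2008 Jonathan Beck All Rights Reserved.
+ * Copyright (c) 2010 Martin S. All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#include <stdarg.h>
+#define _GNU_SOURCE 1
+#define __USE_GNU 1
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <time.h>
+#ifndef _WIN32
+#include <sys/time.h>
+#endif
+
+#include "src/idevice.h"
+#include "debug.h"
+#include "libimobiledevice/libimobiledevice.h"
+
+#ifndef STRIP_DEBUG_CODE
+#include "asprintf.h"
+#endif
+
+static int debug_level;
+
+void internal_set_debug_level(int level)
+{
+ debug_level = level;
+}
+
+#define MAX_PRINT_LEN (16*1024)
+
+#ifndef STRIP_DEBUG_CODE
+static void debug_print_line(const char *func, const char *file, int line, const char *buffer)
+{
+ char str_time[24];
+#ifdef _WIN32
+ SYSTEMTIME lt;
+ GetLocalTime(&lt);
+ snprintf(str_time, 24, "%02d:%02d:%02d.%03d", lt.wHour, lt.wMinute, lt.wSecond, lt.wMilliseconds);
+#else
+#ifdef HAVE_GETTIMEOFDAY
+ struct timeval tv;
+ struct tm *tp;
+ gettimeofday(&tv, NULL);
+#ifdef HAVE_LOCALTIME_R
+ struct tm tp_;
+ tp = localtime_r(&tv.tv_sec, &tp_);
+#else
+ tp = localtime(&tv.tv_sec);
+#endif
+ strftime(str_time, 9, "%H:%M:%S", tp);
+ snprintf(str_time+8, 10, ".%03d", (int)tv.tv_usec/1000);
+#else
+ time_t the_time;
+ time(&the_time);
+ strftime(str_time, 15, "%H:%M:%S", localtime (&the_time));
+#endif
+#endif
+ fprintf(stderr, "%s %s:%d %s(): %s\n", str_time, file, line, func, buffer);
+}
+#endif
+
+void debug_info_real(const char *func, const char *file, int line, const char *format, ...)
+{
+#ifndef STRIP_DEBUG_CODE
+ va_list args;
+ char *buffer = NULL;
+
+ if (!debug_level)
+ return;
+
+ /* run the real fprintf */
+ va_start(args, format);
+ if(vasprintf(&buffer, format, args)<0){}
+ va_end(args);
+
+ debug_print_line(func, file, line, buffer);
+
+ free(buffer);
+#endif
+}
+
+void debug_buffer(const char *data, const int length)
+{
+#ifndef STRIP_DEBUG_CODE
+ int i;
+ int j;
+ unsigned char c;
+
+ if (debug_level) {
+ for (i = 0; i < length; i += 16) {
+ fprintf(stderr, "%04x: ", i);
+ for (j = 0; j < 16; j++) {
+ if (i + j >= length) {
+ fprintf(stderr, " ");
+ continue;
+ }
+ fprintf(stderr, "%02x ", *(data + i + j) & 0xff);
+ }
+ fprintf(stderr, " | ");
+ for (j = 0; j < 16; j++) {
+ if (i + j >= length)
+ break;
+ c = *(data + i + j);
+ if ((c < 32) || (c > 127)) {
+ fprintf(stderr, ".");
+ continue;
+ }
+ fprintf(stderr, "%c", c);
+ }
+ fprintf(stderr, "\n");
+ }
+ fprintf(stderr, "\n");
+ }
+#endif
+}
+
+void debug_buffer_to_file(const char *file, const char *data, const int length)
+{
+#ifndef STRIP_DEBUG_CODE
+ if (debug_level) {
+ FILE *f = fopen(file, "wb");
+ fwrite(data, 1, length, f);
+ fflush(f);
+ fclose(f);
+ }
+#endif
+}
+
+void debug_plist_real(const char *func, const char *file, int line, plist_t plist)
+{
+#ifndef STRIP_DEBUG_CODE
+ if (!plist)
+ return;
+
+ char *buffer = NULL;
+ uint32_t length = 0;
+ plist_to_xml(plist, &buffer, &length);
+
+ /* get rid of ending newline as one is already added in the debug line */
+ if (buffer[length-1] == '\n')
+ buffer[length-1] = '\0';
+
+ if (length <= MAX_PRINT_LEN)
+ debug_info_real(func, file, line, "printing %i bytes plist:\n%s", length, buffer);
+ else
+ debug_info_real(func, file, line, "supress printing %i bytes plist...\n", length);
+
+ free(buffer);
+#endif
+}
+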
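Review bot: `debug_buffer_to_file` passes the result of `fopen(file, "wb")` straight to `fwrite`, `fflush` and `fclose` without a NULL check, so an unwritable or missing path crashes the process whenever debugging is enabled; add `if (!f) return;` right after the `fopen`. The same unchecked-result pattern is in `debug_plist_real`, which reads `buffer[length-1]` even when `plist_to_xml` leaves `buffer` NULL or `length` at 0 (guard with `if (!buffer || length == 0) { free(buffer); return; }`), and in `debug_info_real`, where a failed `vasprintf` is swallowed by the empty `{}` and `buffer` is still handed to the `%s` in `debug_print_line`. `debug_plist_real` also runs the XML conversion before `debug_info_real` gets to test `debug_level`, so an early `if (!debug_level) return;` would skip that work when nothing is printed. Since these helpers write complete plists and raw buffers to stderr or to a caller-chosen file, a header comment stating that the output may contain sensitive material (presumably including pairing data handled elsewhere in this commit) and must stay off in production builds would help.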
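diff --git a/common/debug.h b/common/debug.h
new file mode 100644
index 0000000..882072d
--- /dev/null
+++ b/common/debug.h
@@ -0,0 +1,53 @@
+/*
+ * debug.h
+ * contains utilitary functions for debugging
+ *
+ * Copyright (c) 2008 Jonathan Beck All Rights Reserved.
+ * Copyright (c) 2010 Martin S. All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __DEBUG_H
+#define __DEBUG_H
+
+#include <plist/plist.h>
+
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && !defined(STRIP_DEBUG_CODE)
+#define debug_info(...) debug_info_real (__func__, __FILE__, __LINE__, __VA_ARGS__)
+#define debug_plist(a) debug_plist_real (__func__, __FILE__, __LINE__, a)
+#elif defined(__GNUC__) && __GNUC__ >= 3 && !defined(STRIP_DEBUG_CODE)
+#define debug_info(...) debug_info_real (__FUNCTION__, __FILE__, __LINE__, __VA_ARGS__)
+#define debug_plist(a) debug_plist_real (__FUNCTION__, __FILE__, __LINE__, a)
+#else
+#define debug_info(...)
+#define debug_plist(a)
+#endif
+
+void debug_info_real(const char *func,
+ const char *file,
+ int line,
+ const char *format, ...);
+
+void debug_buffer(const char *data, const int length);
+void debug_buffer_to_file(const char *file, const char *data, const int length);
+void debug_plist_real(const char *func,
+ const char *file,
+ int line,
+ plist_t plist);
+
+void internal_set_debug_level(int level);
+
+#endif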
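Review bot: The `debug_info_real` prototype carries no printf format attribute, so the compiler cannot check the format string against its arguments at any `debug_info(...)` call site, and a mismatched specifier or a non-literal format would go unnoticed. On GCC and Clang the declaration could end with `__attribute__((format(printf, 4, 5)))`, wrapped in `#ifdef __GNUC__` so other compilers still build. The include guard `__DEBUG_H` starts with a double underscore, which is reserved for the implementation; a project-prefixed name without leading underscores avoids that. A short comment above the `debug_info`/`debug_plist` macros saying that they expand to nothing when `STRIP_DEBUG_CODE` is defined, so their arguments are not evaluated, would also help callers.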
diff --git a/common/userpref.c b/common/userpref.c
new file mode 100644
index 0000000..76945e1
--- /dev/null
+++ b/common/userpref.c
@@ -0,0 +1,1172 @@
1/*
2 * userpref.c
3 * contains methods to access user specific certificates IDs and more.
4 *
5 * Copyright (c) 2013-2021 Nikias Bassen, All Rights Reserved.
6 * Copyright (c) 2013-2014 Martin Szulecki All Rights Reserved.
7 * Copyright (c) 2008 Jonathan Beck All Rights Reserved.
8 *
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22 */
23
24#ifdef HAVE_CONFIG_H
25#include <config.h>
26#endif
27
28#include <stdio.h>
29#include <stdint.h>
30#include <stdlib.h>
31#include <string.h>
32#include <errno.h>
33
34#ifdef HAVE_SYS_TYPES_H
35#include <sys/types.h>
36#endif
37#include <dirent.h>
38#ifndef _WIN32
39#include <pwd.h>
40#include <unistd.h>
41#include <libgen.h>
42#include <sys/stat.h>
43#endif
44#include <usbmuxd.h>
45#if defined(HAVE_OPENSSL)
46#include <openssl/bn.h>
47#include <openssl/pem.h>
48#include <openssl/rsa.h>
49#include <openssl/x509.h>
50#include <openssl/x509v3.h>
51#if OPENSSL_VERSION_NUMBER < 0x1010000fL || \
52 (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L))
53#define X509_set1_notBefore X509_set_notBefore
54#define X509_set1_notAfter X509_set_notAfter
55#endif
56#elif defined(HAVE_GNUTLS)
57#include <gnutls/gnutls.h>
58#include <gnutls/crypto.h>
59#include <gnutls/x509.h>
60#include <gcrypt.h>
61#include <libtasn1.h>
62#elif defined(HAVE_MBEDTLS)
63#include <mbedtls/ssl.h>
64#include <mbedtls/entropy.h>
65#include <mbedtls/ctr_drbg.h>
66#include <mbedtls/asn1write.h>
67#include <mbedtls/oid.h>
68#else
69#error No supported TLS/SSL library enabled
70#endif
71
72#ifdef _WIN32
73#include <shlobj.h>
74#endif
75
76#ifndef ETIMEDOUT
77#define ETIMEDOUT 138
78#endif
79
80#include <libimobiledevice/libimobiledevice.h>
81#include <libimobiledevice-glue/utils.h>
82
83#include "userpref.h"
84#include "debug.h"
85
86#if defined(HAVE_GNUTLS)
87const ASN1_ARRAY_TYPE pkcs1_asn1_tab[] = {
88 {"PKCS1", 536872976, 0},
89 {0, 1073741836, 0},
90 {"RSAPublicKey", 536870917, 0},
91 {"modulus", 1073741827, 0},
92 {"publicExponent", 3, 0},
93 {0, 0, 0}
94};
95#endif
96
97#ifdef _WIN32
98#define DIR_SEP '\\'
99#define DIR_SEP_S "\\"
100#else
101#define DIR_SEP '/'
102#define DIR_SEP_S "/"
103#endif
104
105#define USERPREF_CONFIG_EXTENSION ".plist"
106
107#ifdef _WIN32
108#define USERPREF_CONFIG_DIR "Apple"DIR_SEP_S"Lockdown"
109#else
110#define USERPREF_CONFIG_DIR "lockdown"
111#endif
112
113#define USERPREF_CONFIG_FILE "SystemConfiguration"USERPREF_CONFIG_EXTENSION
114
115static char *__config_dir = NULL;
116
117#ifdef _WIN32
118static char *userpref_utf16_to_utf8(wchar_t *unistr, long len, long *items_read, long *items_written)
119{
120 if (!unistr || (len <= 0)) return NULL;
121 char *outbuf = (char*)malloc(3*(len+1));
122 int p = 0;
123 int i = 0;
124
125 wchar_t wc;
126
127 while (i < len) {
128 wc = unistr[i++];
129 if (wc >= 0x800) {
130 outbuf[p++] = (char)(0xE0 + ((wc >> 12) & 0xF));
131 outbuf[p++] = (char)(0x80 + ((wc >> 6) & 0x3F));
132 outbuf[p++] = (char)(0x80 + (wc & 0x3F));
133 } else if (wc >= 0x80) {
134 outbuf[p++] = (char)(0xC0 + ((wc >> 6) & 0x1F));
135 outbuf[p++] = (char)(0x80 + (wc & 0x3F));
136 } else {
137 outbuf[p++] = (char)(wc & 0x7F);
138 }
139 }
140 if (items_read) {
141 *items_read = i;
142 }
143 if (items_written) {
144 *items_written = p;
145 }
146 outbuf[p] = 0;
147
148 return outbuf;
149}
150#endif
151
152const char *userpref_get_config_dir()
153{
154 char *base_config_dir = NULL;
155
156 if (__config_dir)
157 return __config_dir;
158
159#ifdef _WIN32
160 wchar_t path[MAX_PATH+1];
161 HRESULT hr;
162 LPITEMIDLIST pidl = NULL;
163 BOOL b = FALSE;
164
165 hr = SHGetSpecialFolderLocation (NULL, CSIDL_COMMON_APPDATA, &pidl);
166 if (hr == S_OK) {
167 b = SHGetPathFromIDListW (pidl, path);
168 if (b) {
169 base_config_dir = userpref_utf16_to_utf8 (path, wcslen(path), NULL, NULL);
170 CoTaskMemFree (pidl);
171 }
172 }
173#else
174#ifdef __APPLE__
175 base_config_dir = strdup("/var/db");
176#else
177 base_config_dir = strdup("/var/lib");
178#endif
179#endif
180 __config_dir = string_concat(base_config_dir, DIR_SEP_S, USERPREF_CONFIG_DIR, NULL);
181
182 if (__config_dir) {
183 int i = strlen(__config_dir)-1;
184 while ((i > 0) && (__config_dir[i] == DIR_SEP)) {
185 __config_dir[i--] = '\0';
186 }
187 }
188
189 free(base_config_dir);
190
191 debug_info("initialized config_dir to %s", __config_dir);
192
193 return __config_dir;
194}
195
196/**
197 * Reads the SystemBUID from a previously generated configuration file.
198 *
199 * @note It is the responsibility of the calling function to free the returned system_buid.
200 * @param system_buid A pointer that will be set to a newly allocated string containing the
201 * SystemBUID upon successful return.
202 * @return 0 if the SystemBUID has been successfully retrieved or < 0 otherwise.
203 */
204int userpref_read_system_buid(char **system_buid)
205{
206 int res = usbmuxd_read_buid(system_buid);
207 if (res == 0) {
208 debug_info("using %s as %s", *system_buid, USERPREF_SYSTEM_BUID_KEY);
209 } else {
210 debug_info("could not read system buid, error %d", res);
211 }
212 return res;
213}
214
215/**
216 * Fills a list with UDIDs of devices that have been connected to this
217 * system before, i.e. for which a public key file exists.
218 *
219 * @param list A pointer to a char** initially pointing to NULL that will
220 * hold a newly allocated list of UDIDs upon successful return.
221 * The caller is responsible for freeing the memory. Note that if
222 * no public key file was found the list has to be freed too as it
223 * points to a terminating NULL element.
224 * @param count The number of UDIDs found. This parameter can be NULL if it
225 * is not required.
226 *
227 * @return USERPREF_E_SUCCESS on success, or USERPREF_E_INVALID_ARG if the
228 * list parameter is not pointing to NULL.
229 */
230userpref_error_t userpref_get_paired_udids(char ***list, unsigned int *count)
231{
232 DIR *config_dir;
233 const char *config_path = NULL;
234 unsigned int found = 0;
235
236 if (!list || (list && *list)) {
237 debug_info("ERROR: The list parameter needs to point to NULL!");
238 return USERPREF_E_INVALID_ARG;
239 }
240
241 if (count) {
242 *count = 0;
243 }
244 *list = (char**)malloc(sizeof(char*));
245
246 config_path = userpref_get_config_dir();
247 config_dir = opendir(config_path);
248 if (config_dir) {
249 struct dirent *entry;
250 while ((entry = readdir(config_dir))) {
251 if (strcmp(entry->d_name, USERPREF_CONFIG_FILE) == 0) {
252 /* ignore SystemConfiguration.plist */
253 continue;
254 }
255 char *ext = strrchr(entry->d_name, '.');
256 if (ext && (strcmp(ext, USERPREF_CONFIG_EXTENSION) == 0)) {
257 size_t len = strlen(entry->d_name) - strlen(USERPREF_CONFIG_EXTENSION);
258 char **newlist = (char**)realloc(*list, sizeof(char*) * (found+2));
259 if (!newlist) {
260 fprintf(stderr, "ERROR: Out of memory\n");
261 break;
262 }
263 *list = newlist;
264 char *tmp = (char*)malloc(len+1);
265 if (tmp) {
266 strncpy(tmp, entry->d_name, len);
267 tmp[len] = '\0';
268 }
269 (*list)[found] = tmp;
270 if (!tmp) {
271 fprintf(stderr, "ERROR: Out of memory\n");
272 break;
273 }
274 found++;
275 }
276 }
277 closedir(config_dir);
278 }
279 (*list)[found] = NULL;
280
281 if (count) {
282 *count = found;
283 }
284
285 return USERPREF_E_SUCCESS;
286}
287
288/**
289 * Save a pair record for a device.
290 *
291 * @param udid The device UDID as given by the device
292 * @param device_id The usbmux device id (handle) of the connected device, or 0
293 * @param pair_record The pair record to save
294 *
295 * @return 1 on success and 0 if no device record is given or if it has already
296 * been saved previously.
297 */
298userpref_error_t userpref_save_pair_record(const char *udid, uint32_t device_id, plist_t pair_record)
299{
300 char* record_data = NULL;
301 uint32_t record_size = 0;
302
303 plist_to_bin(pair_record, &record_data, &record_size);
304
305 int res = usbmuxd_save_pair_record_with_device_id(udid, device_id, record_data, record_size);
306
307 free(record_data);
308
309 return res == 0 ? USERPREF_E_SUCCESS: USERPREF_E_UNKNOWN_ERROR;
310}
311
312/**
313 * Read a pair record for a device.
314 *
315 * @param udid The device UDID as given by the device
316 * @param pair_record The pair record to read
317 *
318 * @return USERPREF_E_SUCCESS on success,
319 * USERPREF_E_NOENT if no pairing record was found,
320 * USERPREF_E_READ_ERROR if retrieving the pairing record from usbmuxd failed,
321 * or USERPREF_E_INVALID_CONF otherwise.
322 */
323userpref_error_t userpref_read_pair_record(const char *udid, plist_t *pair_record)
324{
325 char* record_data = NULL;
326 uint32_t record_size = 0;
327
328 int res = usbmuxd_read_pair_record(udid, &record_data, &record_size);
329 if (res < 0) {
330 free(record_data);
331 switch (-res) {
332 case ENOENT:
333 return USERPREF_E_NOENT;
334 case ETIMEDOUT:
335 return USERPREF_E_READ_ERROR;
336 default:
337 return USERPREF_E_INVALID_CONF;
338 }
339 }
340
341 *pair_record = NULL;
342 plist_from_memory(record_data, record_size, pair_record, NULL);
343 free(record_data);
344
345 if (!*pair_record) {
346 debug_info("Failed to parse pairing record");
347 return USERPREF_E_INVALID_CONF;
348 }
349 return USERPREF_E_SUCCESS;
350}
351
352/**
353 * Remove the pairing record stored for a device from this host.
354 *
355 * @param udid The udid of the device
356 *
357 * @return USERPREF_E_SUCCESS on success.
358 */
359userpref_error_t userpref_delete_pair_record(const char *udid)
360{
361 int res = usbmuxd_delete_pair_record(udid);
362
363 return res == 0 ? USERPREF_E_SUCCESS: USERPREF_E_UNKNOWN_ERROR;
364}
365
366#if defined(HAVE_OPENSSL)
367static int X509_add_ext_helper(X509 *cert, int nid, char *value)
368{
369 X509_EXTENSION *ex;
370 X509V3_CTX ctx;
371
372 /* No configuration database */
373 X509V3_set_ctx_nodb(&ctx);
374
375 X509V3_set_ctx(&ctx, NULL, cert, NULL, NULL, 0);
376 ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
377 if (!ex) {
378 debug_info("ERROR: X509V3_EXT_conf_nid(%d, %s) failed", nid, value);
379 return 0;
380 }
381
382 X509_add_ext(cert, ex, -1);
383 X509_EXTENSION_free(ex);
384
385 return 1;
386}
387#elif defined(HAVE_MBEDTLS)
388static int _mbedtls_x509write_crt_set_basic_constraints_critical(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen)
389{
390 int ret;
391 unsigned char buf[9];
392 unsigned char *c = buf + sizeof(buf);
393 size_t len = 0;
394
395 memset( buf, 0, sizeof(buf) );
396
397 if (is_ca && max_pathlen > 127)
398 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
399
400 if (is_ca) {
401 if (max_pathlen >= 0) {
402 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, max_pathlen ) );
403 }
404 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( &c, buf, 1 ) );
405 }
406
407 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
408 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
409
410 return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS, MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ), 1, buf + sizeof(buf) - len, len );
411}
412#endif
413
414/**
415 * Private function to generate required private keys and certificates.
416 *
417 * @param pair_record a #PLIST_DICT that will be filled with the keys
418 * and certificates
419 * @param public_key the public key to use (device public key)
420 *
421 * @return 1 if keys were successfully generated, 0 otherwise
422 */
423userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_data_t public_key, unsigned int device_version)
424{
425 userpref_error_t ret = USERPREF_E_SSL_ERROR;
426
427 key_data_t dev_cert_pem = { NULL, 0 };
428 key_data_t root_key_pem = { NULL, 0 };
429 key_data_t root_cert_pem = { NULL, 0 };
430 key_data_t host_key_pem = { NULL, 0 };
431 key_data_t host_cert_pem = { NULL, 0 };
432
433 if (!pair_record || !public_key.data)
434 return USERPREF_E_INVALID_ARG;
435
436 debug_info("Generating keys and certificates...");
437
438#if defined(HAVE_OPENSSL)
439#if OPENSSL_VERSION_NUMBER >= 0x30000000L
440 EVP_PKEY* root_pkey = EVP_RSA_gen(2048);
441 EVP_PKEY* host_pkey = EVP_RSA_gen(2048);
442#else
443 BIGNUM *e = BN_new();
444 RSA* root_keypair = RSA_new();
445 RSA* host_keypair = RSA_new();
446
447 BN_set_word(e, 65537);
448
449 RSA_generate_key_ex(root_keypair, 2048, e, NULL);
450 RSA_generate_key_ex(host_keypair, 2048, e, NULL);
451
452 BN_free(e);
453
454 EVP_PKEY* root_pkey = EVP_PKEY_new();
455 EVP_PKEY_assign_RSA(root_pkey, root_keypair);
456
457 EVP_PKEY* host_pkey = EVP_PKEY_new();
458 EVP_PKEY_assign_RSA(host_pkey, host_keypair);
459#endif
460
461 /* generate root certificate */
462 X509* root_cert = X509_new();
463 {
464 /* set serial number */
465 ASN1_INTEGER* sn = ASN1_INTEGER_new();
466 ASN1_INTEGER_set(sn, 0);
467 X509_set_serialNumber(root_cert, sn);
468 ASN1_INTEGER_free(sn);
469
470 /* set version */
471 X509_set_version(root_cert, 2);
472
473 /* set x509v3 basic constraints */
474 X509_add_ext_helper(root_cert, NID_basic_constraints, (char*)"critical,CA:TRUE");
475
476 /* set key validity */
477 ASN1_TIME* asn1time = ASN1_TIME_new();
478 ASN1_TIME_set(asn1time, time(NULL));
479 X509_set1_notBefore(root_cert, asn1time);
480 ASN1_TIME_set(asn1time, time(NULL) + (60 * 60 * 24 * 365 * 10));
481 X509_set1_notAfter(root_cert, asn1time);
482 ASN1_TIME_free(asn1time);
483
484 /* use root public key for root cert */
485 X509_set_pubkey(root_cert, root_pkey);
486
487 /* sign root cert with root private key */
488 X509_sign(root_cert, root_pkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? EVP_sha1() : EVP_sha256());
489 }
490
491 /* create host certificate */
492 X509* host_cert = X509_new();
493 {
494 /* set serial number */
495 ASN1_INTEGER* sn = ASN1_INTEGER_new();
496 ASN1_INTEGER_set(sn, 0);
497 X509_set_serialNumber(host_cert, sn);
498 ASN1_INTEGER_free(sn);
499
500 /* set version */
501 X509_set_version(host_cert, 2);
502
503 /* set x509v3 basic constraints */
504 X509_add_ext_helper(host_cert, NID_basic_constraints, (char*)"critical,CA:FALSE");
505
506 /* set x509v3 key usage */
507 X509_add_ext_helper(host_cert, NID_key_usage, (char*)"critical,digitalSignature,keyEncipherment");
508
509 /* set key validity */
510 ASN1_TIME* asn1time = ASN1_TIME_new();
511 ASN1_TIME_set(asn1time, time(NULL));
512 X509_set1_notBefore(host_cert, asn1time);
513 ASN1_TIME_set(asn1time, time(NULL) + (60 * 60 * 24 * 365 * 10));
514 X509_set1_notAfter(host_cert, asn1time);
515 ASN1_TIME_free(asn1time);
516
517 /* use host public key for host cert */
518 X509_set_pubkey(host_cert, host_pkey);
519
520 /* sign host cert with root private key */
521 X509_sign(host_cert, root_pkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? EVP_sha1() : EVP_sha256());
522 }
523
524 if (root_cert && root_pkey && host_cert && host_pkey) {
525 BIO* membp;
526 char *bdata;
527
528 membp = BIO_new(BIO_s_mem());
529 if (PEM_write_bio_X509(membp, root_cert) > 0) {
530 root_cert_pem.size = BIO_get_mem_data(membp, &bdata);
531 root_cert_pem.data = (unsigned char*)malloc(root_cert_pem.size);
532 if (root_cert_pem.data) {
533 memcpy(root_cert_pem.data, bdata, root_cert_pem.size);
534 }
535 BIO_free(membp);
536 membp = NULL;
537 }
538 membp = BIO_new(BIO_s_mem());
539 if (PEM_write_bio_PrivateKey(membp, root_pkey, NULL, NULL, 0, 0, NULL) > 0) {
540 root_key_pem.size = BIO_get_mem_data(membp, &bdata);
541 root_key_pem.data = (unsigned char*)malloc(root_key_pem.size);
542 if (root_key_pem.data) {
543 memcpy(root_key_pem.data, bdata, root_key_pem.size);
544 }
545 BIO_free(membp);
546 membp = NULL;
547 }
548 membp = BIO_new(BIO_s_mem());
549 if (PEM_write_bio_X509(membp, host_cert) > 0) {
550 host_cert_pem.size = BIO_get_mem_data(membp, &bdata);
551 host_cert_pem.data = (unsigned char*)malloc(host_cert_pem.size);
552 if (host_cert_pem.data) {
553 memcpy(host_cert_pem.data, bdata, host_cert_pem.size);
554 }
555 BIO_free(membp);
556 membp = NULL;
557 }
558 membp = BIO_new(BIO_s_mem());
559 if (PEM_write_bio_PrivateKey(membp, host_pkey, NULL, NULL, 0, 0, NULL) > 0) {
560 host_key_pem.size = BIO_get_mem_data(membp, &bdata);
561 host_key_pem.data = (unsigned char*)malloc(host_key_pem.size);
562 if (host_key_pem.data) {
563 memcpy(host_key_pem.data, bdata, host_key_pem.size);
564 }
565 BIO_free(membp);
566 membp = NULL;
567 }
568 }
569
570 EVP_PKEY *pubkey = NULL;
571 {
572 BIO *membp = BIO_new_mem_buf(public_key.data, public_key.size);
573#if OPENSSL_VERSION_NUMBER >= 0x30000000L
574 if (!PEM_read_bio_PUBKEY(membp, &pubkey, NULL, NULL)) {
575 debug_info("WARNING: Could not read public key");
576 }
577#else
578 RSA *rsa_pubkey = NULL;
579 if (!PEM_read_bio_RSAPublicKey(membp, &rsa_pubkey, NULL, NULL)) {
580 debug_info("WARNING: Could not read public key");
581 } else {
582 pubkey = EVP_PKEY_new();
583 EVP_PKEY_assign_RSA(pubkey, rsa_pubkey);
584 }
585#endif
586 BIO_free(membp);
587 }
588
589 X509* dev_cert = X509_new();
590 if (pubkey && dev_cert) {
591 /* generate device certificate */
592 ASN1_INTEGER* sn = ASN1_INTEGER_new();
593 ASN1_INTEGER_set(sn, 0);
594 X509_set_serialNumber(dev_cert, sn);
595 ASN1_INTEGER_free(sn);
596 X509_set_version(dev_cert, 2);
597
598 X509_add_ext_helper(dev_cert, NID_basic_constraints, (char*)"critical,CA:FALSE");
599
600 ASN1_TIME* asn1time = ASN1_TIME_new();
601 ASN1_TIME_set(asn1time, time(NULL));
602 X509_set1_notBefore(dev_cert, asn1time);
603 ASN1_TIME_set(asn1time, time(NULL) + (60 * 60 * 24 * 365 * 10));
604 X509_set1_notAfter(dev_cert, asn1time);
605 ASN1_TIME_free(asn1time);
606
607 X509_set_pubkey(dev_cert, pubkey);
608
609 X509_add_ext_helper(dev_cert, NID_subject_key_identifier, (char*)"hash");
610 X509_add_ext_helper(dev_cert, NID_key_usage, (char*)"critical,digitalSignature,keyEncipherment");
611
612 /* sign device certificate with root private key */
613 if (X509_sign(dev_cert, root_pkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? EVP_sha1() : EVP_sha256())) {
614 /* if signing succeeded, export in PEM format */
615 BIO* membp = BIO_new(BIO_s_mem());
616 if (PEM_write_bio_X509(membp, dev_cert) > 0) {
617 char *bdata = NULL;
618 dev_cert_pem.size = BIO_get_mem_data(membp, &bdata);
619 dev_cert_pem.data = (unsigned char*)malloc(dev_cert_pem.size);
620 if (dev_cert_pem.data) {
621 memcpy(dev_cert_pem.data, bdata, dev_cert_pem.size);
622 }
623 BIO_free(membp);
624 membp = NULL;
625 }
626 } else {
627 debug_info("ERROR: Signing device certificate with root private key failed!");
628 }
629 }
630
631 X509_free(dev_cert);
632
633 EVP_PKEY_free(pubkey);
634 EVP_PKEY_free(root_pkey);
635 EVP_PKEY_free(host_pkey);
636
637 X509_free(host_cert);
638 X509_free(root_cert);
639#elif defined(HAVE_GNUTLS)
640 gnutls_x509_privkey_t root_privkey;
641 gnutls_x509_crt_t root_cert;
642 gnutls_x509_privkey_t host_privkey;
643 gnutls_x509_crt_t host_cert;
644
645 /* use less secure random to speed up key generation */
646 gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM);
647
648 gnutls_x509_privkey_init(&root_privkey);
649 gnutls_x509_privkey_init(&host_privkey);
650
651 gnutls_x509_crt_init(&root_cert);
652 gnutls_x509_crt_init(&host_cert);
653
654 /* generate root key */
655 gnutls_x509_privkey_generate(root_privkey, GNUTLS_PK_RSA, 2048, 0);
656 gnutls_x509_privkey_generate(host_privkey, GNUTLS_PK_RSA, 2048, 0);
657
658 /* generate certificates */
659 gnutls_x509_crt_set_key(root_cert, root_privkey);
660 gnutls_x509_crt_set_serial(root_cert, "\x01", 1);
661 gnutls_x509_crt_set_version(root_cert, 3);
662 gnutls_x509_crt_set_ca_status(root_cert, 1);
663 gnutls_x509_crt_set_activation_time(root_cert, time(NULL));
664 gnutls_x509_crt_set_expiration_time(root_cert, time(NULL) + (60 * 60 * 24 * 365 * 10));
665 gnutls_x509_crt_sign2(root_cert, root_cert, root_privkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? GNUTLS_DIG_SHA1 : GNUTLS_DIG_SHA256, 0);
666
667 gnutls_x509_crt_set_key(host_cert, host_privkey);
668 gnutls_x509_crt_set_serial(host_cert, "\x01", 1);
669 gnutls_x509_crt_set_version(host_cert, 3);
670 gnutls_x509_crt_set_ca_status(host_cert, 0);
671 gnutls_x509_crt_set_key_usage(host_cert, GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_DIGITAL_SIGNATURE);
672 gnutls_x509_crt_set_activation_time(host_cert, time(NULL));
673 gnutls_x509_crt_set_expiration_time(host_cert, time(NULL) + (60 * 60 * 24 * 365 * 10));
674 gnutls_x509_crt_sign2(host_cert, root_cert, root_privkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? GNUTLS_DIG_SHA1 : GNUTLS_DIG_SHA256, 0);
675
676 /* export to PEM format */
677 size_t root_key_export_size = 0;
678 size_t host_key_export_size = 0;
679
680 gnutls_x509_privkey_export(root_privkey, GNUTLS_X509_FMT_PEM, NULL, &root_key_export_size);
681 gnutls_x509_privkey_export(host_privkey, GNUTLS_X509_FMT_PEM, NULL, &host_key_export_size);
682
683 root_key_pem.data = gnutls_malloc(root_key_export_size);
684 host_key_pem.data = gnutls_malloc(host_key_export_size);
685
686 gnutls_x509_privkey_export(root_privkey, GNUTLS_X509_FMT_PEM, root_key_pem.data, &root_key_export_size);
687 root_key_pem.size = root_key_export_size;
688 gnutls_x509_privkey_export(host_privkey, GNUTLS_X509_FMT_PEM, host_key_pem.data, &host_key_export_size);
689 host_key_pem.size = host_key_export_size;
690
691 size_t root_cert_export_size = 0;
692 size_t host_cert_export_size = 0;
693
694 gnutls_x509_crt_export(root_cert, GNUTLS_X509_FMT_PEM, NULL, &root_cert_export_size);
695 gnutls_x509_crt_export(host_cert, GNUTLS_X509_FMT_PEM, NULL, &host_cert_export_size);
696
697 root_cert_pem.data = gnutls_malloc(root_cert_export_size);
698 host_cert_pem.data = gnutls_malloc(host_cert_export_size);
699
700 gnutls_x509_crt_export(root_cert, GNUTLS_X509_FMT_PEM, root_cert_pem.data, &root_cert_export_size);
701 root_cert_pem.size = root_cert_export_size;
702 gnutls_x509_crt_export(host_cert, GNUTLS_X509_FMT_PEM, host_cert_pem.data, &host_cert_export_size);
703 host_cert_pem.size = host_cert_export_size;
704
705 gnutls_datum_t modulus = { NULL, 0 };
706 gnutls_datum_t exponent = { NULL, 0 };
707
708 /* now decode the PEM encoded key */
709 gnutls_datum_t der_pub_key = { NULL, 0 };
710 int gnutls_error = gnutls_pem_base64_decode_alloc("RSA PUBLIC KEY", &public_key, &der_pub_key);
711 if (GNUTLS_E_SUCCESS == gnutls_error) {
712 /* initalize asn.1 parser */
713 ASN1_TYPE pkcs1 = ASN1_TYPE_EMPTY;
714 if (ASN1_SUCCESS == asn1_array2tree(pkcs1_asn1_tab, &pkcs1, NULL)) {
715
716 ASN1_TYPE asn1_pub_key = ASN1_TYPE_EMPTY;
717 asn1_create_element(pkcs1, "PKCS1.RSAPublicKey", &asn1_pub_key);
718
719 if (ASN1_SUCCESS == asn1_der_decoding(&asn1_pub_key, der_pub_key.data, der_pub_key.size, NULL)) {
720
721 /* get size to read */
722 int ret1 = asn1_read_value(asn1_pub_key, "modulus", NULL, (int*)&modulus.size);
723 int ret2 = asn1_read_value(asn1_pub_key, "publicExponent", NULL, (int*)&exponent.size);
724
725 modulus.data = gnutls_malloc(modulus.size);
726 exponent.data = gnutls_malloc(exponent.size);
727
728 ret1 = asn1_read_value(asn1_pub_key, "modulus", modulus.data, (int*)&modulus.size);
729 ret2 = asn1_read_value(asn1_pub_key, "publicExponent", exponent.data, (int*)&exponent.size);
730 if (ret1 != ASN1_SUCCESS || ret2 != ASN1_SUCCESS) {
731 gnutls_free(modulus.data);
732 modulus.data = NULL;
733 modulus.size = 0;
734 gnutls_free(exponent.data);
735 exponent.data = NULL;
736 exponent.size = 0;
737 }
738 }
739 if (asn1_pub_key)
740 asn1_delete_structure(&asn1_pub_key);
741 }
742 if (pkcs1)
743 asn1_delete_structure(&pkcs1);
744 } else {
745 debug_info("ERROR: Could not parse public key: %s", gnutls_strerror(gnutls_error));
746 }
747
748 /* generate device certificate */
749 if (modulus.data && 0 != modulus.size && exponent.data && 0 != exponent.size) {
750
751 gnutls_datum_t prime_p = { (unsigned char*)"\x00\xca\x4a\x03\x13\xdf\x9d\x7a\xfd", 9 };
752 gnutls_datum_t prime_q = { (unsigned char*)"\x00\xf2\xff\xe0\x15\xd1\x60\x37\x63", 9 };
753 gnutls_datum_t coeff = { (unsigned char*)"\x32\x07\xf1\x68\x57\xdf\x9a\xf4", 8 };
754
755 gnutls_x509_privkey_t fake_privkey;
756 gnutls_x509_crt_t dev_cert;
757
758 gnutls_x509_privkey_init(&fake_privkey);
759 gnutls_x509_crt_init(&dev_cert);
760
761 gnutls_error = gnutls_x509_privkey_import_rsa_raw(fake_privkey, &modulus, &exponent, &exponent, &prime_p, &prime_q, &coeff);
762 if (GNUTLS_E_SUCCESS == gnutls_error) {
763 /* now generate device certificate */
764 gnutls_x509_crt_set_key(dev_cert, fake_privkey);
765 gnutls_x509_crt_set_serial(dev_cert, "\x01", 1);
766 gnutls_x509_crt_set_version(dev_cert, 3);
767 gnutls_x509_crt_set_ca_status(dev_cert, 0);
768 gnutls_x509_crt_set_activation_time(dev_cert, time(NULL));
769 gnutls_x509_crt_set_expiration_time(dev_cert, time(NULL) + (60 * 60 * 24 * 365 * 10));
770
771 /* use custom hash generation for compatibility with the "Apple ecosystem" */
772 const gnutls_digest_algorithm_t dig_sha = (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? GNUTLS_DIG_SHA1 : GNUTLS_DIG_SHA256;
773 size_t hash_size = gnutls_hash_get_len(dig_sha);
774 unsigned char hash[hash_size];
775 if (gnutls_hash_fast(dig_sha, der_pub_key.data, der_pub_key.size, (unsigned char*)&hash) < 0) {
776 debug_info("ERROR: Failed to generate SHA for public key");
777 } else {
778 gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size);
779 }
780
781 gnutls_x509_crt_set_key_usage(dev_cert, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT);
782 gnutls_error = gnutls_x509_crt_sign2(dev_cert, root_cert, root_privkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? GNUTLS_DIG_SHA1 : GNUTLS_DIG_SHA256, 0);
783 if (GNUTLS_E_SUCCESS == gnutls_error) {
784 /* if everything went well, export in PEM format */
785 size_t export_size = 0;
786 gnutls_x509_crt_export(dev_cert, GNUTLS_X509_FMT_PEM, NULL, &export_size);
787 dev_cert_pem.data = gnutls_malloc(export_size);
788 gnutls_x509_crt_export(dev_cert, GNUTLS_X509_FMT_PEM, dev_cert_pem.data, &export_size);
789 dev_cert_pem.size = export_size;
790 } else {
791 debug_info("ERROR: Signing device certificate with root private key failed: %s", gnutls_strerror(gnutls_error));
792 }
793 } else {
794 debug_info("ERROR: Failed to import RSA key data: %s", gnutls_strerror(gnutls_error));
795 }
796 gnutls_x509_crt_deinit(dev_cert);
797 gnutls_x509_privkey_deinit(fake_privkey);
798 }
799
800 gnutls_x509_crt_deinit(root_cert);
801 gnutls_x509_crt_deinit(host_cert);
802 gnutls_x509_privkey_deinit(root_privkey);
803 gnutls_x509_privkey_deinit(host_privkey);
804
805 gnutls_free(modulus.data);
806 gnutls_free(exponent.data);
807
808 gnutls_free(der_pub_key.data);
809#elif defined(HAVE_MBEDTLS)
810 time_t now = time(NULL);
811 struct tm* timestamp = gmtime(&now);
812 char notbefore[16];
813 strftime(notbefore, sizeof(notbefore), "%Y%m%d%H%M%S", timestamp);
814 time_t then = now + 60 * 60 * 24 * 365 * 10;
815 char notafter[16];
816 timestamp = gmtime(&then);
817 strftime(notafter, sizeof(notafter), "%Y%m%d%H%M%S", timestamp);
818
819 mbedtls_mpi sn;
820 mbedtls_mpi_init(&sn);
821 mbedtls_mpi_lset(&sn, 1); /* 0 doesn't work, so we have to use 1 (like GnuTLS) */
822
823 mbedtls_ctr_drbg_context ctr_drbg;
824 mbedtls_ctr_drbg_init(&ctr_drbg);
825
826 mbedtls_pk_context root_pkey;
827 mbedtls_pk_init(&root_pkey);
828
829 mbedtls_pk_context host_pkey;
830 mbedtls_pk_init(&host_pkey);
831
832 mbedtls_pk_context dev_public_key;
833 mbedtls_pk_init(&dev_public_key);
834
835 mbedtls_entropy_context entropy;
836 mbedtls_entropy_init(&entropy);
837
838 mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)"limd", 4);
839
840 /* ----- root key & cert ----- */
841 ret = mbedtls_pk_setup(&root_pkey, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
842 if (ret != 0) {
843 debug_info("mbedtls_pk_setup returned -0x%04x", -ret);
844 goto cleanup;
845 }
846
847 ret = mbedtls_rsa_gen_key(mbedtls_pk_rsa(root_pkey), mbedtls_ctr_drbg_random, &ctr_drbg, 2048, 65537);
848 if (ret != 0) {
849 debug_info("mbedtls_rsa_gen_key returned -0x%04x", -ret);
850 goto cleanup;
851 }
852
853 mbedtls_x509write_cert cert;
854 mbedtls_x509write_crt_init(&cert);
855
856 /* set serial number */
857 mbedtls_x509write_crt_set_serial(&cert, &sn);
858
859 /* set version */
860 mbedtls_x509write_crt_set_version(&cert, 2);
861
862 /* set x509v3 basic constraints */
863 _mbedtls_x509write_crt_set_basic_constraints_critical(&cert, 1, -1);
864
865 /* use root public key for root cert */
866 mbedtls_x509write_crt_set_subject_key(&cert, &root_pkey);
867
868 /* set x509v3 subject key identifier */
869 mbedtls_x509write_crt_set_subject_key_identifier(&cert);
870
871 /* set key validity */
872 mbedtls_x509write_crt_set_validity(&cert, notbefore, notafter);
873
874 /* sign root cert with root private key */
875 mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey);
876 mbedtls_x509write_crt_set_md_alg(&cert, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? MBEDTLS_MD_SHA1 : MBEDTLS_MD_SHA256);
877
878 unsigned char outbuf[16384];
879
880 /* write root private key */
881 mbedtls_pk_write_key_pem(&root_pkey, outbuf, sizeof(outbuf));
882 root_key_pem.size = strlen((const char*)outbuf);
883 root_key_pem.data = malloc(root_key_pem.size+1);
884 memcpy(root_key_pem.data, outbuf, root_key_pem.size);
885 root_key_pem.data[root_key_pem.size] = '\0';
886
887 /* write root certificate */
888 mbedtls_x509write_crt_pem(&cert, outbuf, sizeof(outbuf), mbedtls_ctr_drbg_random, &ctr_drbg);
889 root_cert_pem.size = strlen((const char*)outbuf);
890 root_cert_pem.data = malloc(root_cert_pem.size+1);
891 memcpy(root_cert_pem.data, outbuf, root_cert_pem.size);
892 root_cert_pem.data[root_cert_pem.size] = '\0';
893
894 mbedtls_x509write_crt_free(&cert);
895
896
897 /* ----- host key & cert ----- */
898 ret = mbedtls_pk_setup(&host_pkey, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA));
899 if (ret != 0) {
900 debug_info("mbedtls_pk_setup returned -0x%04x", -ret);
901 goto cleanup;
902 }
903
904 ret = mbedtls_rsa_gen_key(mbedtls_pk_rsa(host_pkey), mbedtls_ctr_drbg_random, &ctr_drbg, 2048, 65537);
905 if (ret != 0) {
906 debug_info("mbedtls_rsa_gen_key returned -0x%04x", -ret);
907 goto cleanup;
908 }
909
910 mbedtls_x509write_crt_init(&cert);
911
912 /* set serial number */
913 mbedtls_x509write_crt_set_serial(&cert, &sn);
914
915 /* set version */
916 mbedtls_x509write_crt_set_version(&cert, 2);
917
918 /* set x509v3 basic constraints */
919 _mbedtls_x509write_crt_set_basic_constraints_critical(&cert, 0, -1);
920
921 /* use host public key for host cert */
922 mbedtls_x509write_crt_set_subject_key(&cert, &host_pkey);
923
924 /* set x509v3 subject key identifier */
925 mbedtls_x509write_crt_set_subject_key_identifier(&cert);
926
927 /* set x509v3 key usage */
928 mbedtls_x509write_crt_set_key_usage(&cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_ENCIPHERMENT);
929
930 /* set key validity */
931 mbedtls_x509write_crt_set_validity(&cert, notbefore, notafter);
932
933 /* sign host cert with root private key */
934 mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey);
935 mbedtls_x509write_crt_set_md_alg(&cert, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? MBEDTLS_MD_SHA1 : MBEDTLS_MD_SHA256);
936
937 /* write host private key */
938 mbedtls_pk_write_key_pem(&host_pkey, outbuf, sizeof(outbuf));
939 host_key_pem.size = strlen((const char*)outbuf);
940 host_key_pem.data = malloc(host_key_pem.size+1);
941 memcpy(host_key_pem.data, outbuf, host_key_pem.size);
942 host_key_pem.data[host_key_pem.size] = '\0';
943
944 /* write host certificate */
945 mbedtls_x509write_crt_pem(&cert, outbuf, sizeof(outbuf), mbedtls_ctr_drbg_random, &ctr_drbg);
946 host_cert_pem.size = strlen((const char*)outbuf);
947 host_cert_pem.data = malloc(host_cert_pem.size+1);
948 memcpy(host_cert_pem.data, outbuf, host_cert_pem.size);
949 host_cert_pem.data[host_cert_pem.size] = '\0';
950
951 mbedtls_x509write_crt_free(&cert);
952
953
954 /* ----- device certificate ----- */
955 unsigned char* pubkey_data = malloc(public_key.size+1);
956 if (!pubkey_data) {
957 debug_info("malloc() failed\n");
958 goto cleanup;
959 }
960 memcpy(pubkey_data, public_key.data, public_key.size);
961 pubkey_data[public_key.size] = '\0';
962
963 int pr = mbedtls_pk_parse_public_key(&dev_public_key, pubkey_data, public_key.size+1);
964 free(pubkey_data);
965 if (pr != 0) {
966 debug_info("Failed to read device public key: -0x%x\n", -pr);
967 goto cleanup;
968 }
969
970 mbedtls_x509write_crt_init(&cert);
971
972 /* set serial number */
973 mbedtls_x509write_crt_set_serial(&cert, &sn);
974
975 /* set version */
976 mbedtls_x509write_crt_set_version(&cert, 2);
977
978 /* set x509v3 basic constraints */
979 _mbedtls_x509write_crt_set_basic_constraints_critical(&cert, 0, -1);
980
981 /* use root public key for dev cert subject key */
982 mbedtls_x509write_crt_set_subject_key(&cert, &dev_public_key);
983
984 /* set x509v3 subject key identifier */
985 mbedtls_x509write_crt_set_subject_key_identifier(&cert);
986
987 /* set x509v3 key usage */
988 mbedtls_x509write_crt_set_key_usage(&cert, MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_ENCIPHERMENT);
989
990 /* set key validity */
991 mbedtls_x509write_crt_set_validity(&cert, notbefore, notafter);
992
993 /* sign device certificate with root private key */
994 mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey);
995 mbedtls_x509write_crt_set_md_alg(&cert, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? MBEDTLS_MD_SHA1 : MBEDTLS_MD_SHA256);
996
997 /* write device certificate */
998 mbedtls_x509write_crt_pem(&cert, outbuf, sizeof(outbuf), mbedtls_ctr_drbg_random, &ctr_drbg);
999 dev_cert_pem.size = strlen((const char*)outbuf);
1000 dev_cert_pem.data = malloc(dev_cert_pem.size+1);
1001 memcpy(dev_cert_pem.data, outbuf, dev_cert_pem.size);
1002 dev_cert_pem.data[dev_cert_pem.size] = '\0';
1003
1004 mbedtls_x509write_crt_free(&cert);
1005
1006 /* cleanup */
1007cleanup:
1008 mbedtls_mpi_free(&sn);
1009 mbedtls_pk_free(&dev_public_key);
1010 mbedtls_entropy_free(&entropy);
1011 mbedtls_pk_free(&host_pkey);
1012 mbedtls_pk_free(&root_pkey);
1013 mbedtls_ctr_drbg_free(&ctr_drbg);
1014#endif
1015
1016 /* make sure that we have all we need */
1017 if (root_cert_pem.data && 0 != root_cert_pem.size
1018 && root_key_pem.data && 0 != root_key_pem.size
1019 && host_cert_pem.data && 0 != host_cert_pem.size
1020 && host_key_pem.data && 0 != host_key_pem.size
1021 && dev_cert_pem.data && 0 != dev_cert_pem.size) {
1022 /* now set keys and certificates */
1023 pair_record_set_item_from_key_data(pair_record, USERPREF_DEVICE_CERTIFICATE_KEY, &dev_cert_pem);
1024 pair_record_set_item_from_key_data(pair_record, USERPREF_HOST_PRIVATE_KEY_KEY, &host_key_pem);
1025 pair_record_set_item_from_key_data(pair_record, USERPREF_HOST_CERTIFICATE_KEY, &host_cert_pem);
1026 pair_record_set_item_from_key_data(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, &root_key_pem);
1027 pair_record_set_item_from_key_data(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, &root_cert_pem);
1028 ret = USERPREF_E_SUCCESS;
1029 }
1030
1031 free(dev_cert_pem.data);
1032 free(root_key_pem.data);
1033 free(root_cert_pem.data);
1034 free(host_key_pem.data);
1035 free(host_cert_pem.data);
1036
1037 return ret;
1038}
1039
1040/**
1041 * Private function which import the given key into a gnutls structure.
1042 *
1043 * @param name The name of the private key to import.
1044 * @param key the gnutls key structure.
1045 *
1046 * @return 1 if the key was successfully imported.
1047 */
1048#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
1049userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, key_data_t* key)
1050#elif defined(HAVE_GNUTLS)
1051userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, gnutls_x509_privkey_t key)
1052#endif
1053{
1054#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
1055 if (!key)
1056 return USERPREF_E_SUCCESS;
1057#endif
1058 userpref_error_t ret = USERPREF_E_INVALID_CONF;
1059
1060#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
1061 ret = pair_record_get_item_as_key_data(pair_record, name, key);
1062#elif defined(HAVE_GNUTLS)
1063 key_data_t pem = { NULL, 0 };
1064 ret = pair_record_get_item_as_key_data(pair_record, name, &pem);
1065 if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_privkey_import(key, &pem, GNUTLS_X509_FMT_PEM))
1066 ret = USERPREF_E_SUCCESS;
1067 else
1068 ret = USERPREF_E_SSL_ERROR;
1069
1070 if (pem.data)
1071 free(pem.data);
1072#endif
1073 return ret;
1074}
1075
1076/**
1077 * Private function which import the given certificate into a gnutls structure.
1078 *
1079 * @param name The name of the certificate to import.
1080 * @param cert the gnutls certificate structure.
1081 *
1082 * @return IDEVICE_E_SUCCESS if the certificate was successfully imported.
1083 */
1084#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
1085userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, key_data_t* cert)
1086#else
1087userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, gnutls_x509_crt_t cert)
1088#endif
1089{
1090#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
1091 if (!cert)
1092 return USERPREF_E_SUCCESS;
1093#endif
1094 userpref_error_t ret = USERPREF_E_INVALID_CONF;
1095
1096#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
1097 ret = pair_record_get_item_as_key_data(pair_record, name, cert);
1098#elif defined(HAVE_GNUTLS)
1099 key_data_t pem = { NULL, 0 };
1100 ret = pair_record_get_item_as_key_data(pair_record, name, &pem);
1101 if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_crt_import(cert, &pem, GNUTLS_X509_FMT_PEM))
1102 ret = USERPREF_E_SUCCESS;
1103 else
1104 ret = USERPREF_E_SSL_ERROR;
1105
1106 if (pem.data)
1107 free(pem.data);
1108#endif
1109 return ret;
1110}
1111
1112userpref_error_t pair_record_get_host_id(plist_t pair_record, char** host_id)
1113{
1114 plist_t node = plist_dict_get_item(pair_record, USERPREF_HOST_ID_KEY);
1115
1116 if (node && plist_get_node_type(node) == PLIST_STRING) {
1117 plist_get_string_val(node, host_id);
1118 }
1119
1120 return USERPREF_E_SUCCESS;
1121}
1122
1123userpref_error_t pair_record_set_host_id(plist_t pair_record, const char* host_id)
1124{
1125 plist_dict_set_item(pair_record, USERPREF_HOST_ID_KEY, plist_new_string(host_id));
1126
1127 return USERPREF_E_SUCCESS;
1128}
1129
1130userpref_error_t pair_record_get_item_as_key_data(plist_t pair_record, const char* name, key_data_t *value)
1131{
1132 if (!pair_record || !value)
1133 return USERPREF_E_INVALID_ARG;
1134
1135 userpref_error_t ret = USERPREF_E_SUCCESS;
1136 char* buffer = NULL;
1137 uint64_t length = 0;
1138
1139 plist_t node = plist_dict_get_item(pair_record, name);
1140
1141 if (node && plist_get_node_type(node) == PLIST_DATA) {
1142 plist_get_data_val(node, &buffer, &length);
1143 value->data = (unsigned char*)malloc(length+1);
1144 memcpy(value->data, buffer, length);
1145 value->data[length] = '\0';
1146 value->size = length+1;
1147 free(buffer);
1148 buffer = NULL;
1149 } else {
1150 ret = USERPREF_E_INVALID_CONF;
1151 }
1152
1153 if (buffer)
1154 free(buffer);
1155
1156 return ret;
1157}
1158
1159userpref_error_t pair_record_set_item_from_key_data(plist_t pair_record, const char* name, key_data_t *value)
1160{
1161 userpref_error_t ret = USERPREF_E_SUCCESS;
1162
1163 if (!pair_record || !value) {
1164 return USERPREF_E_INVALID_ARG;
1165 }
1166
1167 /* set new item */
1168 plist_dict_set_item(pair_record, name, plist_new_data((char*)value->data, value->size));
1169
1170 return ret;
1171}
1172
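--- /dev/null
+++ b/common/userpref.h
@@ -0,0 +1,89 @@
+/*
+ * userpref.h
+ * contains methods to access user specific certificates IDs and more.
+ *
+ * Copyright (c) 2013-2014 Martin Szulecki All Rights Reserved.
+ * Copyright (c) 2008 Jonathan Beck All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __USERPREF_H
+#define __USERPREF_H
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
+typedef struct {
+ unsigned char *data;
+ unsigned int size;
+} key_data_t;
+#else
+#include <gnutls/gnutls.h>
+typedef gnutls_datum_t key_data_t;
+#endif
+
+#include <stdint.h>
+#include <plist/plist.h>
+
+#define USERPREF_DEVICE_CERTIFICATE_KEY "DeviceCertificate"
+#define USERPREF_ESCROW_BAG_KEY "EscrowBag"
+#define USERPREF_HOST_CERTIFICATE_KEY "HostCertificate"
+#define USERPREF_ROOT_CERTIFICATE_KEY "RootCertificate"
+#define USERPREF_HOST_PRIVATE_KEY_KEY "HostPrivateKey"
+#define USERPREF_ROOT_PRIVATE_KEY_KEY "RootPrivateKey"
+#define USERPREF_HOST_ID_KEY "HostID"
+#define USERPREF_SYSTEM_BUID_KEY "SystemBUID"
+#define USERPREF_WIFI_MAC_ADDRESS_KEY "WiFiMACAddress"
+
+/** Error Codes */
+typedef enum {
+ USERPREF_E_SUCCESS = 0,
+ USERPREF_E_INVALID_ARG = -1,
+ USERPREF_E_NOENT = -2,
+ USERPREF_E_INVALID_CONF = -3,
+ USERPREF_E_SSL_ERROR = -4,
+ USERPREF_E_READ_ERROR = -5,
+ USERPREF_E_WRITE_ERROR = -6,
+ USERPREF_E_UNKNOWN_ERROR = -256
+} userpref_error_t;
+
+const char *userpref_get_config_dir(void);
+int userpref_read_system_buid(char **system_buid);
+userpref_error_t userpref_read_pair_record(const char *udid, plist_t *pair_record);
+userpref_error_t userpref_save_pair_record(const char *udid, uint32_t device_id, plist_t pair_record);
+userpref_error_t userpref_delete_pair_record(const char *udid);
+
+userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_data_t public_key, unsigned int device_version);
+#if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS)
+userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, key_data_t* key);
+userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, key_data_t* cert);
+#else
+userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, gnutls_x509_privkey_t key);
+userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, gnutls_x509_crt_t cert);
+#endif
+
+userpref_error_t pair_record_get_host_id(plist_t pair_record, char** host_id);
+userpref_error_t pair_record_set_host_id(plist_t pair_record, const char* host_id);
+userpref_error_t pair_record_get_item_as_key_data(plist_t pair_record, const char* name, key_data_t *value);
+userpref_error_t pair_record_set_item_from_key_data(plist_t pair_record, const char* name, key_data_t *value);
+
+/* deprecated */
+userpref_error_t userpref_get_paired_udids(char ***list, unsigned int *count);
+int userpref_has_pair_record(const char *udid);
+
+#endif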
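Review bot: `key_data_t` and the `pair_record_*` prototypes state no ownership or size contract, although they carry private-key and certificate PEM between the pair record and the TLS backend. In userpref.c, `pair_record_get_item_as_key_data` mallocs `value->data`, appends a NUL and sets `size` to the payload length plus one. I would document that above its prototype as `/* On success value->data is malloc'd and NUL-terminated, value->size includes the NUL; the caller frees it. */`. The struct's `unsigned int size` is narrower than the `uint64_t` length that function reads from the plist, so a comment on the field should state the limit that is assumed. The include guard `__USERPREF_H` also uses a reserved identifier; `USERPREF_H` would avoid that.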