/* * userpref.c * contains methods to access user specific certificates IDs and more. * * Copyright (c) 2013 Martin Szulecki All Rights Reserved. * Copyright (c) 2008 Jonathan Beck All Rights Reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ #ifdef HAVE_CONFIG_H #include #endif #include #include #include #include #ifdef HAVE_SYS_TYPES_H #include #endif #ifndef WIN32 #include #endif #include #include #ifdef HAVE_OPENSSL #include #include #include #include #else #include #include #include #endif #include #include #include #include #ifdef WIN32 #include #endif #include "userpref.h" #include "debug.h" #include "utils.h" #ifndef HAVE_OPENSSL const ASN1_ARRAY_TYPE pkcs1_asn1_tab[] = { {"PKCS1", 536872976, 0}, {0, 1073741836, 0}, {"RSAPublicKey", 536870917, 0}, {"modulus", 1073741827, 0}, {"publicExponent", 3, 0}, {0, 0, 0} }; #endif #ifdef WIN32 #define DIR_SEP '\\' #define DIR_SEP_S "\\" #else #define DIR_SEP '/' #define DIR_SEP_S "/" #endif #define USERPREF_CONFIG_EXTENSION ".plist" #ifdef WIN32 #define USERPREF_CONFIG_DIR "Apple"DIR_SEP_S"Lockdown" #else #define USERPREF_CONFIG_DIR "lockdown" #endif #define USERPREF_CONFIG_FILE "SystemConfiguration"USERPREF_CONFIG_EXTENSION static char *__config_dir = NULL; #ifdef WIN32 static char *userpref_utf16_to_utf8(wchar_t *unistr, long len, long *items_read, long *items_written) { if (!unistr || (len <= 0)) return NULL; char *outbuf = (char*)malloc(3*(len+1)); int p = 0; int i = 0; wchar_t wc; while (i < len) { wc = unistr[i++]; if (wc >= 0x800) { outbuf[p++] = (char)(0xE0 + ((wc >> 12) & 0xF)); outbuf[p++] = (char)(0x80 + ((wc >> 6) & 0x3F)); outbuf[p++] = (char)(0x80 + (wc & 0x3F)); } else if (wc >= 0x80) { outbuf[p++] = (char)(0xC0 + ((wc >> 6) & 0x1F)); outbuf[p++] = (char)(0x80 + (wc & 0x3F)); } else { outbuf[p++] = (char)(wc & 0x7F); } } if (items_read) { *items_read = i; } if (items_written) { *items_written = p; } outbuf[p] = 0; return outbuf; } #endif const char *userpref_get_config_dir() { char *base_config_dir = NULL; if (__config_dir) return __config_dir; #ifdef WIN32 wchar_t path[MAX_PATH+1]; HRESULT hr; LPITEMIDLIST pidl = NULL; BOOL b = FALSE; hr = SHGetSpecialFolderLocation (NULL, CSIDL_COMMON_APPDATA, &pidl); if (hr == S_OK) { b = SHGetPathFromIDListW (pidl, path); if (b) { base_config_dir = userpref_utf16_to_utf8 (path, wcslen(path), NULL, NULL); CoTaskMemFree (pidl); } } #else #ifdef __APPLE__ base_config_dir = strdup("/var/db"); #else base_config_dir = strdup("/var/lib"); #endif #endif __config_dir = string_concat(base_config_dir, DIR_SEP_S, USERPREF_CONFIG_DIR, NULL); if (__config_dir) { int i = strlen(__config_dir)-1; while ((i > 0) && (__config_dir[i] == DIR_SEP)) { __config_dir[i--] = '\0'; } } free(base_config_dir); debug_info("initialized config_dir to %s", __config_dir); return __config_dir; } /** * Reads the BUID from a previously generated configuration file. * * @note It is the responsibility of the calling function to free the returned system_buid * @param system_buid A null terminated string containing a valid SystemBUID. * @return 1 if the system buid could be retrieved or 0 otherwise. */ int userpref_read_system_buid(char **system_buid) { int res = usbmuxd_read_buid(system_buid); debug_info("using %s as %s", *system_buid, USERPREF_SYSTEM_BUID_KEY); return res; } /** * Determines whether this device has been connected to this system before. * * @param udid The device UDID as given by the device. * * @return 1 if the device has been connected previously to this configuration * or 0 otherwise. */ int userpref_has_pair_record(const char *udid) { int ret = 0; const char *config_path = NULL; char *config_file = NULL; struct stat st; if (!udid) return 0; /* first get config file */ config_path = userpref_get_config_dir(); config_file = string_concat(config_path, DIR_SEP_S, udid, USERPREF_CONFIG_EXTENSION, NULL); if ((stat(config_file, &st) == 0) && S_ISREG(st.st_mode)) ret = 1; free(config_file); return ret; } /** * Fills a list with UDIDs of devices that have been connected to this * system before, i.e. for which a public key file exists. * * @param list A pointer to a char** initially pointing to NULL that will * hold a newly allocated list of UDIDs upon successful return. * The caller is responsible for freeing the memory. Note that if * no public key file was found the list has to be freed too as it * points to a terminating NULL element. * @param count The number of UDIDs found. This parameter can be NULL if it * is not required. * * @return USERPREF_E_SUCCESS on success, or USERPREF_E_INVALID_ARG if the * list parameter is not pointing to NULL. */ userpref_error_t userpref_get_paired_udids(char ***list, unsigned int *count) { struct slist_t { char *name; void *next; }; DIR *config_dir; const char *config_path = NULL; struct slist_t *udids = NULL; unsigned int i; unsigned int found = 0; if (!list || (list && *list)) { debug_info("ERROR: The list parameter needs to point to NULL!"); return USERPREF_E_INVALID_ARG; } if (count) { *count = 0; } config_path = userpref_get_config_dir(); config_dir = opendir(config_path); if (config_dir) { struct dirent *entry; struct slist_t *listp = udids; while ((entry = readdir(config_dir))) { char *ext = strstr(entry->d_name, USERPREF_CONFIG_EXTENSION); if (ext && ((ext - entry->d_name) == 40) && (strlen(entry->d_name) == (40 + strlen(ext)))) { struct slist_t *ne = (struct slist_t*)malloc(sizeof(struct slist_t)); ne->name = (char*)malloc(41); strncpy(ne->name, entry->d_name, 40); ne->name[40] = 0; ne->next = NULL; if (!listp) { listp = ne; udids = listp; } else { listp->next = ne; listp = listp->next; } found++; } } closedir(config_dir); } *list = (char**)malloc(sizeof(char*) * (found+1)); i = 0; while (udids) { (*list)[i++] = udids->name; struct slist_t *old = udids; udids = udids->next; free(old); } (*list)[i] = NULL; if (count) { *count = found; } return USERPREF_E_SUCCESS; } /** * Save a pair record for a device. * * @param udid The device UDID as given by the device * @param pair_record The pair record to save * * @return 1 on success and 0 if no device record is given or if it has already * been saved previously. */ userpref_error_t userpref_save_pair_record(const char *udid, plist_t pair_record) { char* record_data = NULL; uint32_t record_size = 0; plist_to_bin(pair_record, &record_data, &record_size); int res = usbmuxd_save_pair_record(udid, record_data, record_size); free(record_data); return res == 0 ? USERPREF_E_SUCCESS: USERPREF_E_UNKNOWN_ERROR; } /** * Read a pair record for a device. * * @param udid The device UDID as given by the device * @param pair_record The pair record to read * * @return 1 on success and 0 if no device record is given or if it has already * been saved previously. */ userpref_error_t userpref_read_pair_record(const char *udid, plist_t *pair_record) { char* record_data = NULL; uint32_t record_size = 0; int res = usbmuxd_read_pair_record(udid, &record_data, &record_size); if (res < 0) { if (record_data) free(record_data); return USERPREF_E_INVALID_CONF; } *pair_record = NULL; if (memcmp(record_data, "bplist00", 8) == 0) { plist_from_bin(record_data, record_size, pair_record); } else { plist_from_xml(record_data, record_size, pair_record); } free(record_data); return res == 0 ? USERPREF_E_SUCCESS: USERPREF_E_UNKNOWN_ERROR; } /** * Remove the pairing record stored for a device from this host. * * @param udid The udid of the device * * @return USERPREF_E_SUCCESS on success. */ userpref_error_t userpref_delete_pair_record(const char *udid) { int res = usbmuxd_delete_pair_record(udid); return res == 0 ? USERPREF_E_SUCCESS: USERPREF_E_UNKNOWN_ERROR; } #ifdef HAVE_OPENSSL static int X509_add_ext_helper(X509 *cert, int nid, char *value) { X509_EXTENSION *ex; X509V3_CTX ctx; /* No configuration database */ X509V3_set_ctx_nodb(&ctx); X509V3_set_ctx(&ctx, NULL, cert, NULL, NULL, 0); ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value); if (!ex) { debug_info("ERROR: X509V3_EXT_conf_nid(%d, %s) failed", nid, value); return 0; } X509_add_ext(cert, ex, -1); X509_EXTENSION_free(ex); return 1; } #endif /** * Private function which generate private keys and certificates. * * @return 1 if keys were successfully generated, 0 otherwise */ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record) { userpref_error_t ret = USERPREF_E_SSL_ERROR; key_data_t root_key_pem = { NULL, 0 }; key_data_t root_cert_pem = { NULL, 0 }; key_data_t host_key_pem = { NULL, 0 }; key_data_t host_cert_pem = { NULL, 0 }; debug_info("Generating keys and certificates..."); #ifdef HAVE_OPENSSL BIGNUM *e = BN_new(); RSA* root_keypair = RSA_new(); RSA* host_keypair = RSA_new(); BN_set_word(e, 65537); RSA_generate_key_ex(root_keypair, 2048, e, NULL); RSA_generate_key_ex(host_keypair, 2048, e, NULL); BN_free(e); EVP_PKEY* root_pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(root_pkey, root_keypair); EVP_PKEY* host_pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(host_pkey, host_keypair); /* generate root certificate */ X509* root_cert = X509_new(); { /* set serial number */ ASN1_INTEGER* sn = ASN1_INTEGER_new(); ASN1_INTEGER_set(sn, 0); X509_set_serialNumber(root_cert, sn); ASN1_INTEGER_free(sn); /* set version */ X509_set_version(root_cert, 2); /* set x509v3 basic constraints */ X509_add_ext_helper(root_cert, NID_basic_constraints, (char*)"critical,CA:TRUE"); /* set key validity */ ASN1_TIME* asn1time = ASN1_TIME_new(); ASN1_TIME_set(asn1time, time(NULL)); X509_set_notBefore(root_cert, asn1time); ASN1_TIME_set(asn1time, time(NULL) + (60 * 60 * 24 * 365 * 10)); X509_set_notAfter(root_cert, asn1time); ASN1_TIME_free(asn1time); /* use root public key for root cert */ X509_set_pubkey(root_cert, root_pkey); /* sign root cert with root private key */ X509_sign(root_cert, root_pkey, EVP_sha1()); } /* create host certificate */ X509* host_cert = X509_new(); { /* set serial number */ ASN1_INTEGER* sn = ASN1_INTEGER_new(); ASN1_INTEGER_set(sn, 0); X509_set_serialNumber(host_cert, sn); ASN1_INTEGER_free(sn); /* set version */ X509_set_version(host_cert, 2); /* set x509v3 basic constraints */ X509_add_ext_helper(host_cert, NID_basic_constraints, (char*)"critical,CA:FALSE"); /* set x509v3 key usage */ X509_add_ext_helper(host_cert, NID_key_usage, (char*)"critical,digitalSignature,keyEncipherment"); /* set key validity */ ASN1_TIME* asn1time = ASN1_TIME_new(); ASN1_TIME_set(asn1time, time(NULL)); X509_set_notBefore(host_cert, asn1time); ASN1_TIME_set(asn1time, time(NULL) + (60 * 60 * 24 * 365 * 10)); X509_set_notAfter(host_cert, asn1time); ASN1_TIME_free(asn1time); /* use host public key for host cert */ X509_set_pubkey(host_cert, host_pkey); /* sign host cert with root private key */ X509_sign(host_cert, root_pkey, EVP_sha1()); } if (root_cert && root_pkey && host_cert && host_pkey) { BIO* membp; char *bdata; membp = BIO_new(BIO_s_mem()); if (PEM_write_bio_X509(membp, root_cert) > 0) { root_cert_pem.size = BIO_get_mem_data(membp, &bdata); root_cert_pem.data = (unsigned char*)malloc(root_cert_pem.size); if (root_cert_pem.data) { memcpy(root_cert_pem.data, bdata, root_cert_pem.size); } BIO_free(membp); membp = NULL; } membp = BIO_new(BIO_s_mem()); if (PEM_write_bio_PrivateKey(membp, root_pkey, NULL, NULL, 0, 0, NULL) > 0) { root_key_pem.size = BIO_get_mem_data(membp, &bdata); root_key_pem.data = (unsigned char*)malloc(root_key_pem.size); if (root_key_pem.data) { memcpy(root_key_pem.data, bdata, root_key_pem.size); } BIO_free(membp); membp = NULL; } membp = BIO_new(BIO_s_mem()); if (PEM_write_bio_X509(membp, host_cert) > 0) { host_cert_pem.size = BIO_get_mem_data(membp, &bdata); host_cert_pem.data = (unsigned char*)malloc(host_cert_pem.size); if (host_cert_pem.data) { memcpy(host_cert_pem.data, bdata, host_cert_pem.size); } BIO_free(membp); membp = NULL; } membp = BIO_new(BIO_s_mem()); if (PEM_write_bio_PrivateKey(membp, host_pkey, NULL, NULL, 0, 0, NULL) > 0) { host_key_pem.size = BIO_get_mem_data(membp, &bdata); host_key_pem.data = (unsigned char*)malloc(host_key_pem.size); if (host_key_pem.data) { memcpy(host_key_pem.data, bdata, host_key_pem.size); } BIO_free(membp); membp = NULL; } } EVP_PKEY_free(root_pkey); EVP_PKEY_free(host_pkey); X509_free(host_cert); X509_free(root_cert); #else gnutls_x509_privkey_t root_privkey; gnutls_x509_crt_t root_cert; gnutls_x509_privkey_t host_privkey; gnutls_x509_crt_t host_cert; gnutls_global_deinit(); gnutls_global_init(); /* use less secure random to speed up key generation */ gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM); gnutls_x509_privkey_init(&root_privkey); gnutls_x509_privkey_init(&host_privkey); gnutls_x509_crt_init(&root_cert); gnutls_x509_crt_init(&host_cert); /* generate root key */ gnutls_x509_privkey_generate(root_privkey, GNUTLS_PK_RSA, 2048, 0); gnutls_x509_privkey_generate(host_privkey, GNUTLS_PK_RSA, 2048, 0); /* generate certificates */ gnutls_x509_crt_set_key(root_cert, root_privkey); gnutls_x509_crt_set_serial(root_cert, "\x00", 1); gnutls_x509_crt_set_version(root_cert, 3); gnutls_x509_crt_set_ca_status(root_cert, 1); gnutls_x509_crt_set_activation_time(root_cert, time(NULL)); gnutls_x509_crt_set_expiration_time(root_cert, time(NULL) + (60 * 60 * 24 * 365 * 10)); gnutls_x509_crt_sign(root_cert, root_cert, root_privkey); gnutls_x509_crt_set_key(host_cert, host_privkey); gnutls_x509_crt_set_serial(host_cert, "\x00", 1); gnutls_x509_crt_set_version(host_cert, 3); gnutls_x509_crt_set_ca_status(host_cert, 0); gnutls_x509_crt_set_key_usage(host_cert, GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_DIGITAL_SIGNATURE); gnutls_x509_crt_set_activation_time(host_cert, time(NULL)); gnutls_x509_crt_set_expiration_time(host_cert, time(NULL) + (60 * 60 * 24 * 365 * 10)); gnutls_x509_crt_sign(host_cert, root_cert, root_privkey); /* export to PEM format */ size_t root_key_export_size = 0; size_t host_key_export_size = 0; gnutls_x509_privkey_export(root_privkey, GNUTLS_X509_FMT_PEM, NULL, &root_key_export_size); gnutls_x509_privkey_export(host_privkey, GNUTLS_X509_FMT_PEM, NULL, &host_key_export_size); root_key_pem.data = gnutls_malloc(root_key_export_size); host_key_pem.data = gnutls_malloc(host_key_export_size); gnutls_x509_privkey_export(root_privkey, GNUTLS_X509_FMT_PEM, root_key_pem.data, &root_key_export_size); root_key_pem.size = root_key_export_size; gnutls_x509_privkey_export(host_privkey, GNUTLS_X509_FMT_PEM, host_key_pem.data, &host_key_export_size); host_key_pem.size = host_key_export_size; size_t root_cert_export_size = 0; size_t host_cert_export_size = 0; gnutls_x509_crt_export(root_cert, GNUTLS_X509_FMT_PEM, NULL, &root_cert_export_size); gnutls_x509_crt_export(host_cert, GNUTLS_X509_FMT_PEM, NULL, &host_cert_export_size); root_cert_pem.data = gnutls_malloc(root_cert_export_size); host_cert_pem.data = gnutls_malloc(host_cert_export_size); gnutls_x509_crt_export(root_cert, GNUTLS_X509_FMT_PEM, root_cert_pem.data, &root_cert_export_size); root_cert_pem.size = root_cert_export_size; gnutls_x509_crt_export(host_cert, GNUTLS_X509_FMT_PEM, host_cert_pem.data, &host_cert_export_size); host_cert_pem.size = host_cert_export_size; /* restore gnutls env */ gnutls_global_deinit(); gnutls_global_init(); #endif if (NULL != root_cert_pem.data && 0 != root_cert_pem.size && NULL != host_cert_pem.data && 0 != host_cert_pem.size) ret = USERPREF_E_SUCCESS; /* now set keys and certificates */ pair_record_set_item_from_key_data(pair_record, USERPREF_HOST_PRIVATE_KEY_KEY, &host_key_pem); pair_record_set_item_from_key_data(pair_record, USERPREF_HOST_CERTIFICATE_KEY, &root_cert_pem); pair_record_set_item_from_key_data(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, &root_key_pem); pair_record_set_item_from_key_data(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, &host_cert_pem); if (root_key_pem.data) free(root_key_pem.data); if (root_cert_pem.data) free(root_cert_pem.data); if (host_key_pem.data) free(host_key_pem.data); if (host_cert_pem.data) free(host_cert_pem.data); return ret; } /** * Generates the device certificate from the public key as well as the host * and root certificates. * * @param pair_record The pair record to use for lookup of key pairs * @param public_key The public key of the device to use for generation. * * @return USERPREF_E_SUCCESS on success, USERPREF_E_INVALID_ARG when a * parameter is NULL, USERPREF_E_INVALID_CONF if the internal configuration * system failed, USERPREF_E_SSL_ERROR if the certificates could not be * generated */ userpref_error_t pair_record_generate_from_device_public_key(plist_t pair_record, key_data_t public_key) { if (!pair_record || !public_key.data) return USERPREF_E_INVALID_ARG; userpref_error_t uret = USERPREF_E_UNKNOWN_ERROR; #ifdef HAVE_OPENSSL BIO *membio = BIO_new_mem_buf(public_key.data, public_key.size); RSA *pubkey = NULL; if (!PEM_read_bio_RSAPublicKey(membio, &pubkey, NULL, NULL)) { debug_info("Could not read public key"); } BIO_free(membio); /* now generate certificates */ key_data_t root_privkey, host_privkey; key_data_t root_cert, host_cert; X509* dev_cert = X509_new(); root_cert.data = NULL; root_cert.size = 0; host_cert.data = NULL; host_cert.size = 0; root_privkey.data = NULL; root_privkey.size = 0; host_privkey.data = NULL; host_privkey.size = 0; uret = pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, &root_cert); uret = pair_record_import_crt_with_name(pair_record, USERPREF_HOST_CERTIFICATE_KEY, &host_cert); uret = pair_record_import_key_with_name(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, &root_privkey); uret = pair_record_import_key_with_name(pair_record, USERPREF_HOST_PRIVATE_KEY_KEY, &host_privkey); if (USERPREF_E_SUCCESS == uret) { /* generate device certificate */ ASN1_INTEGER* sn = ASN1_INTEGER_new(); ASN1_INTEGER_set(sn, 0); X509_set_serialNumber(dev_cert, sn); ASN1_INTEGER_free(sn); X509_set_version(dev_cert, 2); X509_add_ext_helper(dev_cert, NID_basic_constraints, (char*)"critical,CA:FALSE"); ASN1_TIME* asn1time = ASN1_TIME_new(); ASN1_TIME_set(asn1time, time(NULL)); X509_set_notBefore(dev_cert, asn1time); ASN1_TIME_set(asn1time, time(NULL) + (60 * 60 * 24 * 365 * 10)); X509_set_notAfter(dev_cert, asn1time); ASN1_TIME_free(asn1time); /* read root certificate */ BIO* membp; X509* rootCert = NULL; membp = BIO_new_mem_buf(root_cert.data, root_cert.size); PEM_read_bio_X509(membp, &rootCert, NULL, NULL); BIO_free(membp); if (!rootCert) { debug_info("Could not read RootCertificate"); } else { debug_info("RootCertificate loaded"); EVP_PKEY* pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(pkey, pubkey); X509_set_pubkey(dev_cert, pkey); EVP_PKEY_free(pkey); X509_free(rootCert); } X509_add_ext_helper(dev_cert, NID_subject_key_identifier, (char*)"hash"); X509_add_ext_helper(dev_cert, NID_key_usage, (char*)"critical,digitalSignature,keyEncipherment"); /* read root private key */ EVP_PKEY* rootPriv = NULL; membp = BIO_new_mem_buf(root_privkey.data, root_privkey.size); PEM_read_bio_PrivateKey(membp, &rootPriv, NULL, NULL); BIO_free(membp); if (!rootPriv) { debug_info("Could not read RootPrivateKey"); } else { debug_info("RootPrivateKey loaded"); if (X509_sign(dev_cert, rootPriv, EVP_sha1())) { uret = USERPREF_E_SUCCESS; } else { debug_info("signing failed"); } EVP_PKEY_free(rootPriv); } if (USERPREF_E_SUCCESS == uret) { /* if everything went well, export in PEM format */ key_data_t pem_root_cert = { NULL, 0 }; key_data_t pem_host_cert = { NULL, 0 }; uret = pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, &pem_root_cert); uret = pair_record_import_crt_with_name(pair_record, USERPREF_HOST_CERTIFICATE_KEY, &pem_host_cert); if (USERPREF_E_SUCCESS == uret) { /* set new keys and certs in pair record */ membp = BIO_new(BIO_s_mem()); if (membp && PEM_write_bio_X509(membp, dev_cert) > 0) { void *datap; int size = BIO_get_mem_data(membp, &datap); plist_dict_set_item(pair_record, USERPREF_DEVICE_CERTIFICATE_KEY, plist_new_data(datap, size)); } if (membp) BIO_free(membp); plist_dict_set_item(pair_record, USERPREF_HOST_CERTIFICATE_KEY, plist_new_data((char*)pem_host_cert.data, pem_host_cert.size)); plist_dict_set_item(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, plist_new_data((char*)pem_root_cert.data, pem_root_cert.size)); plist_dict_set_item(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, plist_new_data((char*)root_privkey.data, root_privkey.size)); plist_dict_set_item(pair_record, USERPREF_HOST_PRIVATE_KEY_KEY, plist_new_data((char*)host_privkey.data, host_privkey.size)); free(pem_root_cert.data); free(pem_host_cert.data); } } } X509V3_EXT_cleanup(); X509_free(dev_cert); if (root_cert.data) free(root_cert.data); if (host_cert.data) free(host_cert.data); if (root_privkey.data) free(root_privkey.data); if (host_privkey.data) free(host_privkey.data); #else gnutls_datum_t modulus = { NULL, 0 }; gnutls_datum_t exponent = { NULL, 0 }; /* now decode the PEM encoded key */ gnutls_datum_t der_pub_key; if (GNUTLS_E_SUCCESS == gnutls_pem_base64_decode_alloc("RSA PUBLIC KEY", &public_key, &der_pub_key)) { /* initalize asn.1 parser */ ASN1_TYPE pkcs1 = ASN1_TYPE_EMPTY; if (ASN1_SUCCESS == asn1_array2tree(pkcs1_asn1_tab, &pkcs1, NULL)) { ASN1_TYPE asn1_pub_key = ASN1_TYPE_EMPTY; asn1_create_element(pkcs1, "PKCS1.RSAPublicKey", &asn1_pub_key); if (ASN1_SUCCESS == asn1_der_decoding(&asn1_pub_key, der_pub_key.data, der_pub_key.size, NULL)) { /* get size to read */ int ret1 = asn1_read_value(asn1_pub_key, "modulus", NULL, (int*)&modulus.size); int ret2 = asn1_read_value(asn1_pub_key, "publicExponent", NULL, (int*)&exponent.size); modulus.data = gnutls_malloc(modulus.size); exponent.data = gnutls_malloc(exponent.size); ret1 = asn1_read_value(asn1_pub_key, "modulus", modulus.data, (int*)&modulus.size); ret2 = asn1_read_value(asn1_pub_key, "publicExponent", exponent.data, (int*)&exponent.size); if (ASN1_SUCCESS == ret1 && ASN1_SUCCESS == ret2) uret = USERPREF_E_SUCCESS; } if (asn1_pub_key) asn1_delete_structure(&asn1_pub_key); } if (pkcs1) asn1_delete_structure(&pkcs1); } /* now generate certificates */ if (USERPREF_E_SUCCESS == uret && 0 != modulus.size && 0 != exponent.size) { gnutls_global_init(); gnutls_datum_t essentially_null = { (unsigned char*)strdup("abababababababab"), strlen("abababababababab") }; gnutls_x509_privkey_t fake_privkey, root_privkey, host_privkey; gnutls_x509_crt_t dev_cert, root_cert, host_cert; gnutls_x509_privkey_init(&fake_privkey); gnutls_x509_privkey_init(&root_privkey); gnutls_x509_privkey_init(&host_privkey); gnutls_x509_crt_init(&dev_cert); gnutls_x509_crt_init(&root_cert); gnutls_x509_crt_init(&host_cert); if (GNUTLS_E_SUCCESS == gnutls_x509_privkey_import_rsa_raw(fake_privkey, &modulus, &exponent, &essentially_null, &essentially_null, &essentially_null, &essentially_null)) { uret = pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, root_cert); uret = pair_record_import_crt_with_name(pair_record, USERPREF_HOST_CERTIFICATE_KEY, host_cert); uret = pair_record_import_key_with_name(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, root_privkey); uret = pair_record_import_key_with_name(pair_record, USERPREF_HOST_PRIVATE_KEY_KEY, host_privkey); if (USERPREF_E_SUCCESS == uret) { /* generate device certificate */ gnutls_x509_crt_set_key(dev_cert, fake_privkey); gnutls_x509_crt_set_serial(dev_cert, "\x00", 1); gnutls_x509_crt_set_version(dev_cert, 3); gnutls_x509_crt_set_ca_status(dev_cert, 0); gnutls_x509_crt_set_activation_time(dev_cert, time(NULL)); gnutls_x509_crt_set_expiration_time(dev_cert, time(NULL) + (60 * 60 * 24 * 365 * 10)); /* use custom hash generation for compatibility with the "Apple ecosystem" */ const gnutls_digest_algorithm_t dig_sha1 = GNUTLS_DIG_SHA1; size_t hash_size = gnutls_hash_get_len(dig_sha1); unsigned char hash[hash_size]; if (gnutls_hash_fast(dig_sha1, der_pub_key.data, der_pub_key.size, (unsigned char*)&hash) < 0) { debug_info("ERROR: Failed to generate SHA1 for public key"); } else { gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size); } gnutls_x509_crt_set_key_usage(dev_cert, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT); gnutls_x509_crt_sign(dev_cert, root_cert, root_privkey); if (LOCKDOWN_E_SUCCESS == ret) { /* if everything went well, export in PEM format */ size_t export_size = 0; gnutls_datum_t dev_pem = { NULL, 0 }; gnutls_x509_crt_export(dev_cert, GNUTLS_X509_FMT_PEM, NULL, &export_size); dev_pem.data = gnutls_malloc(export_size); gnutls_x509_crt_export(dev_cert, GNUTLS_X509_FMT_PEM, dev_pem.data, &export_size); dev_pem.size = export_size; gnutls_datum_t pem_root_cert = { NULL, 0 }; gnutls_datum_t pem_host_cert = { NULL, 0 }; uret = pair_record_import_crt_with_name(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, &pem_root_cert); uret = pair_record_import_crt_with_name(pair_record, USERPREF_HOST_CERTIFICATE_KEY, &pem_host_cert); if (USERPREF_E_SUCCESS == uret) { /* set new keys and certs in pair record */ plist_dict_set_item(pair_record, USERPREF_DEVICE_CERTIFICATE_KEY, plist_new_data(dev_pem.data, dev_pem.size)); plist_dict_set_item(pair_record, USERPREF_HOST_CERTIFICATE_KEY, plist_new_data(pem_host_cert.data, pem_host_cert.size)); plist_dict_set_item(pair_record, USERPREF_ROOT_CERTIFICATE_KEY, plist_new_data(pem_root_cert.data, pem_root_cert.size)); plist_dict_set_item(pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY, plist_new_data(root_privkey.data, root_privkey.size)); plist_dict_set_item(pair_record, USERPREF_HOST_PRIVATE_KEY_KEY, plist_new_data(host_privkey.data, host_privkey.size)); gnutls_free(pem_root_cert.data); gnutls_free(pem_host_cert.data); if (dev_pem.data) gnutls_free(dev_pem.data); } } } } if (essentially_null.data) free(essentially_null.data); gnutls_x509_crt_deinit(dev_cert); gnutls_x509_crt_deinit(root_cert); gnutls_x509_crt_deinit(host_cert); gnutls_x509_privkey_deinit(fake_privkey); gnutls_x509_privkey_deinit(root_privkey); gnutls_x509_privkey_deinit(host_privkey); } gnutls_free(modulus.data); gnutls_free(exponent.data); gnutls_free(der_pub_key.data); #endif return uret; } /** * Private function which import the given key into a gnutls structure. * * @param name The name of the private key to import. * @param key the gnutls key structure. * * @return 1 if the key was successfully imported. */ #ifdef HAVE_OPENSSL userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, key_data_t* key) #else userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, gnutls_x509_privkey_t key) #endif { #ifdef HAVE_OPENSSL if (!key) return USERPREF_E_SUCCESS; #endif userpref_error_t ret = USERPREF_E_INVALID_CONF; #ifdef HAVE_OPENSSL ret = pair_record_get_item_as_key_data(pair_record, name, key); #else key_data_t pem = { NULL, 0 }; ret = pair_record_get_item_as_key_data(pair_record, name, pem); if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_privkey_import(key, &pem, GNUTLS_X509_FMT_PEM)) ret = USERPREF_E_SUCCESS; else ret = USERPREF_E_SSL_ERROR; if (pem.data) free(pem.data); #endif return ret; } /** * Private function which import the given certificate into a gnutls structure. * * @param name The name of the certificate to import. * @param cert the gnutls certificate structure. * * @return IDEVICE_E_SUCCESS if the certificate was successfully imported. */ #ifdef HAVE_OPENSSL userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, key_data_t* cert) #else userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, gnutls_x509_crt_t cert) #endif { #ifdef HAVE_OPENSSL if (!cert) return USERPREF_E_SUCCESS; #endif userpref_error_t ret = USERPREF_E_INVALID_CONF; #ifdef HAVE_OPENSSL ret = pair_record_get_item_as_key_data(pair_record, name, cert); #else key_data_t pem = { NULL, 0 }; ret = pair_record_get_item_as_key_data(pair_record, name, pem); if (ret == USERPREF_E_SUCCESS && GNUTLS_E_SUCCESS == gnutls_x509_crt_import(cert, &pem, GNUTLS_X509_FMT_PEM)) ret = USERPREF_E_SUCCESS; else ret = USERPREF_E_SSL_ERROR; if (pem.data) free(pem.data); #endif return ret; } userpref_error_t pair_record_get_host_id(plist_t pair_record, char** host_id) { plist_t node = plist_dict_get_item(pair_record, USERPREF_HOST_ID_KEY); if (node && plist_get_node_type(node) == PLIST_STRING) { plist_get_string_val(node, host_id); } return USERPREF_E_SUCCESS; } userpref_error_t pair_record_set_host_id(plist_t pair_record, const char* host_id) { plist_dict_set_item(pair_record, USERPREF_HOST_ID_KEY, plist_new_string(host_id)); return USERPREF_E_SUCCESS; } userpref_error_t pair_record_get_item_as_key_data(plist_t pair_record, const char* name, key_data_t *value) { if (!pair_record || !value) return USERPREF_E_INVALID_ARG; userpref_error_t ret = USERPREF_E_SUCCESS; char* buffer = NULL; uint64_t length = 0; plist_t node = plist_dict_get_item(pair_record, name); if (node && plist_get_node_type(node) == PLIST_DATA) { plist_get_data_val(node, &buffer, &length); value->data = (unsigned char*)malloc(length); memcpy(value->data, buffer, length); value->size = length; free(buffer); buffer = NULL; } else { ret = USERPREF_E_INVALID_CONF; } if (buffer) free(buffer); return ret; } userpref_error_t pair_record_set_item_from_key_data(plist_t pair_record, const char* name, key_data_t *value) { userpref_error_t ret = USERPREF_E_SUCCESS; if (!pair_record || !value) { return USERPREF_E_INVALID_ARG; } /* remove any existing item */ if (plist_dict_get_item(pair_record, name)) { plist_dict_remove_item(pair_record, name); } /* set new item */ plist_dict_set_item(pair_record, name, plist_new_data((char*)value->data, value->size)); return ret; }