1 // Copyright 2023 Google LLC. 2 // Licensed under the Apache License, Version 2.0 (the "License"); 3 // you may not use this file except in compliance with the License. 4 // You may obtain a copy of the License at 5 // 6 // https://www.apache.org/licenses/LICENSE-2.0 7 // 8 // Unless required by applicable law or agreed to in writing, software 9 // distributed under the License is distributed on an "AS IS" BASIS, 10 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 // See the License for the specific language governing permissions and 12 // limitations under the License. 13 14 //go:build darwin && cgo 15 // +build darwin,cgo 16 17 // Package darwin contains a darwin-specific client for accessing the keychain APIs directly, 18 // bypassing the RPC mechanism of the universal client. 19 package darwin 20 21 import ( 22 "crypto" 23 "io" 24 25 "github.com/googleapis/enterprise-certificate-proxy/internal/signer/darwin/keychain" 26 ) 27 28 // SecureKey is a public wrapper for the internal keychain implementation. 29 type SecureKey struct { 30 key *keychain.Key 31 } 32 33 // CertificateChain returns the SecureKey's raw X509 cert chain. This contains the public key. 34 func (sk *SecureKey) CertificateChain() [][]byte { 35 return sk.key.CertificateChain() 36 } 37 38 // Public returns the public key for this SecureKey. 39 func (sk *SecureKey) Public() crypto.PublicKey { 40 return sk.key.Public() 41 } 42 43 // Sign signs a message digest, using the specified signer opts. Implements crypto.Signer interface. 44 func (sk *SecureKey) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed []byte, err error) { 45 return sk.key.Sign(nil, digest, opts) 46 } 47 48 // Encrypt encrypts a plaintext msg into ciphertext, using the specified encrypt opts. 49 func (sk *SecureKey) Encrypt(_ io.Reader, msg []byte, opts any) (ciphertext []byte, err error) { 50 return sk.key.Encrypt(msg, opts) 51 } 52 53 // Decrypt decrypts a ciphertext msg into plaintext, using the specified decrypter opts. Implements crypto.Decrypter interface. 54 func (sk *SecureKey) Decrypt(_ io.Reader, msg []byte, opts crypto.DecrypterOpts) (plaintext []byte, err error) { 55 return sk.key.Decrypt(msg, opts) 56 } 57 58 // Close frees up resources associated with the underlying key. 59 func (sk *SecureKey) Close() { 60 sk.key.Close() 61 } 62 63 // NewSecureKey returns a handle to the first available certificate and private key pair in 64 // the MacOS Keychain matching the issuer CN filter. This includes both the current login keychain 65 // for the user as well as the system keychain. 66 func NewSecureKey(issuerCN string) (*SecureKey, error) { 67 k, err := keychain.Cred(issuerCN) 68 if err != nil { 69 return nil, err 70 } 71 return &SecureKey{key: k}, nil 72 } 73