Initial commit.

Author: kgreenek

.gitignore

@@ -0,0 +1,22 @@
+# Created by https://www.gitignore.io
+
+### Swift ###
+# Xcode
+#
+build/
+*.pbxuser
+!default.pbxuser
+*.mode1v3
+!default.mode1v3
+*.mode2v3
+!default.mode2v3
+*.perspectivev3
+!default.perspectivev3
+xcuserdata
+*.xccheckout
+*.moved-aside
+DerivedData
+*.hmap
+*.ipa
+*.xcuserstate
+.DS_Store

README.md

@@ -0,0 +1,12 @@
+# SecureDataKit
+SecureDataKit is a library for storing sensitive data such as private keys. It has two primary classes: SecureData and OSKeyChainSecureDataStore (which implements the SecureDataStore protocol).
+
+SecureData
+============
+The SecureData object is used for storing sensitive data securely in memory. It ensures that the memory will automatically be cleared when the object is deallocated so an attacker can't try to read the memory after it has been freed. It also prevents the memory from being paged to disk.
+
+OSKeyChainSecureDataStore
+============
+The OSKeyChainSecureDataStore class is used to easily persist sensitive data such as private keys to the keychain. The keychain is a tool provided by the operating system. It stores the data on a secure enclave so it is nearly impossible for attackers to access it.
+
+More information about the Apple keychain can be found here: https://developer.apple.com/library/mac/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html

SecureDataKit.xcodeproj/project.pbxproj

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>en</string>
+	<key>CFBundleExecutable</key>
+	<string>$(EXECUTABLE_NAME)</string>
+	<key>CFBundleIdentifier</key>
+	<string>com.BitcoinSwift.$(PRODUCT_NAME:rfc1034identifier)</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>$(PRODUCT_NAME)</string>
+	<key>CFBundlePackageType</key>
+	<string>FMWK</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0</string>
+	<key>CFBundleSignature</key>
+	<string>????</string>
+	<key>CFBundleVersion</key>
+	<string>$(CURRENT_PROJECT_VERSION)</string>
+	<key>NSHumanReadableCopyright</key>
+	<string>Copyright © 2015 Kevin Greene. All rights reserved.</string>
+	<key>NSPrincipalClass</key>
+	<string></string>
+</dict>
+</plist>

SecureDataKit.xcodeproj/project.xcworkspace/contents.xcworkspacedata

@@ -0,0 +1,17 @@
+//
+//  MemoryLockController.h
+//  SecureDataKit
+//
+//  Created by Kevin Greene on 1/3/15.
+//  Copyright (c) 2015 DoubleSha. All rights reserved.
+//
+
+#import <Foundation/Foundation.h>
+
+@interface MemoryLockController : NSObject
+
++ (MemoryLockController *)instance;
+- (void)lockMemory:(void *)ptr size:(int)size;
+- (void)unlockMemory:(void *)ptr size:(int)size;
+
+@end

SecureDataKit/Info.plist

@@ -0,0 +1,84 @@
+//
+//  MemoryLockController.m
+//  SecureDataKit
+//
+//  Created by Kevin Greene on 1/3/15.
+//  Copyright (c) 2015 DoubleSha. All rights reserved.
+//
+
+#import "MemoryLockController.h"
+
+#import <sys/mman.h>
+#import <sys/unistd.h>
+
+@interface MemoryLockController()
+
+// Stores how many references there are to each locked page. Keyed by the memory address of a given
+// page. When there are 0 references to a page, the page is unlocked and removed from
+// lockedPageRefs.
+@property(nonatomic, strong) NSMutableDictionary *lockedPageRefs;
+@property(nonatomic, assign) size_t pageSize;
+@property(nonatomic, assign) size_t pageMask;
+
+@end
+
+@implementation MemoryLockController
+
+- (instancetype)init {
+  self = [super init];
+  if (self) {
+    _lockedPageRefs = [[NSMutableDictionary alloc] init];
+    _pageSize = getpagesize();
+    NSAssert(!(_pageSize & (_pageSize - 1)), @"Page size must be a power of two (%zu)", _pageSize);
+    _pageMask = ~(_pageSize - 1);
+  }
+  return self;
+}
+
++ (MemoryLockController *)instance {
+  static MemoryLockController *instance = nil;
+  static dispatch_once_t onceToken = 0;
+  dispatch_once(&onceToken, ^{
+    instance = [[self alloc] init];
+  });
+  return instance;
+}
+
+- (void)lockMemory:(void *)ptr size:(int)size {
+  NSAssert(size >= 0, @"Cannot lock memory with negative size %d", size);
+  if (size == 0) {
+    return;
+  }
+  size_t ptrAddr = (size_t) ptr;
+  size_t startPageAddr = ptrAddr & _pageMask;
+  size_t endPageAddr = (ptrAddr + size - 1) & _pageMask;
+  for (size_t pageAddr = startPageAddr; pageAddr <= endPageAddr; pageAddr += _pageSize) {
+    NSValue *page = [NSValue valueWithPointer:(void *) pageAddr];
+    NSNumber *refCount = _lockedPageRefs[page];
+    if (refCount == nil) {
+      mlock((void *) pageAddr, _pageSize);
+      _lockedPageRefs[page] = [NSNumber numberWithInt:1];
+    } else {
+      _lockedPageRefs[page] = [NSNumber numberWithInt:(refCount.intValue + 1)];
+    }
+  }
+}
+
+- (void)unlockMemory:(void *)ptr size:(int)size {
+  NSAssert(size >= 0, @"Cannot lock memory with negative size %d", size);
+  if (size == 0) {
+    return;
+  }
+  size_t ptrAddr = (size_t) ptr;
+  size_t startPageAddr = ptrAddr & _pageMask;
+  size_t endPageAddr = (ptrAddr + size - 1) & _pageMask;
+  for (size_t pageAddr = startPageAddr; pageAddr <= endPageAddr; pageAddr += _pageSize) {
+    NSValue *page = [NSValue valueWithPointer:(void *) pageAddr];
+    NSNumber *refCount = _lockedPageRefs[page];
+    NSAssert(refCount != nil, @"Asymmetric call to unlockMemory");
+    munlock((void *) pageAddr, _pageSize);
+    _lockedPageRefs[page] = [NSNumber numberWithInt:(refCount.intValue - 1)];
+  }
+}
+
+@end

SecureDataKit/MemoryLockController.h

@@ -0,0 +1,63 @@
+//
+//  OSKeyChainSecureDataStore.swift
+//  SecureDataKit
+//
+//  Created by Kevin Greene on 1/27/15.
+//  Copyright (c) 2015 DoubleSha. All rights reserved.
+//
+
+import Foundation
+import Security
+
+/// Stores the data using the OSX/iOS secure keychain service.
+public class OSKeyChainSecureDataStore: SecureDataStore {
+
+  /// The name for your service. This should be a unique value, such as "com.mycompany.myapp".
+  public let service: String
+
+  public init(service: String) {
+    self.service = service
+  }
+
+  public func dataForKey(key: String) -> SecureData? {
+    var query = NSMutableDictionary()
+    query.setObject("\(kSecClassGenericPassword)", forKey: "\(kSecClass)")
+    query.setObject(service, forKey: "\(kSecAttrService)")
+    query.setObject(key, forKey: "\(kSecAttrAccount)")
+    query.setObject(true, forKey: "\(kSecReturnData)")
+    var result = UnsafeMutablePointer<Unmanaged<AnyObject>?>.alloc(1)
+    result.initialize(nil)
+    let status = SecItemCopyMatching(query, result)
+    if status == errSecItemNotFound {
+      return nil
+    }
+    if status != noErr {
+      return nil
+    }
+    let data = result.memory!.takeUnretainedValue() as! NSData
+    let secureData = SecureData(data: data)
+    result.dealloc(1)
+    return secureData
+  }
+
+  public func saveData(data: SecureData, forKey key: String) -> Bool {
+    precondition(dataForKey(key) == nil, "SecureData already exists with for key \(key)")
+    var item = NSMutableDictionary()
+    // This prevents the key from being copied to Apple servers.
+    item.setObject("\(kSecAttrAccessibleWhenUnlockedThisDeviceOnly)",
+                   forKey: "\(kSecAttrAccessible)")
+    item.setObject("\(kSecClassGenericPassword)", forKey: "\(kSecClass)")
+    item.setObject(service, forKey: "\(kSecAttrService)")
+    item.setObject(key, forKey: "\(kSecAttrAccount)")
+    item.setObject(data.data, forKey: "\(kSecValueData)")
+    return SecItemAdd(item, nil) == noErr
+  }
+
+  public func deleteDataForKey(key: String) -> Bool {
+    var query = NSMutableDictionary()
+    query.setObject("\(kSecClassGenericPassword)", forKey: "\(kSecClass)")
+    query.setObject(service, forKey: "\(kSecAttrService)")
+    query.setObject(key, forKey: "\(kSecAttrAccount)")
+    return SecItemDelete(query) == noErr
+  }
+}

SecureDataKit/MemoryLockController.m

@@ -0,0 +1,27 @@
+//
+//  SecureData+swift.swift
+//  SecureDataKit
+//
+//  Created by Kevin Greene on 12/30/14.
+//  Copyright (c) 2014 DoubleSha. All rights reserved.
+//
+
+import Foundation
+
+public func ==(left: SecureData, right: SecureData) -> Bool {
+  return left.mutableData == right.mutableData
+}
+
+extension SecureData: Equatable {
+
+  public subscript(subRange: Range<Int>) -> SecureData {
+    precondition(subRange.startIndex >= 0 && subRange.startIndex < mutableData.length)
+    precondition(subRange.endIndex > subRange.startIndex &&
+        subRange.endIndex <= mutableData.length)
+    let length = subRange.endIndex - subRange.startIndex
+    let range = NSRange(location: subRange.startIndex, length: length)
+    var subData = SecureData(length: UInt(length))
+    memcpy(subData.mutableBytes, mutableBytes.advancedBy(subRange.startIndex), length)
+    return subData
+  }
+}

SecureDataKit/OSKeyChainSecureDataStore.swift

@@ -0,0 +1,36 @@
+//
+//  SecureData.h
+//  SecureDataKit
+//
+//  Created by Kevin Greene on 1/11/15.
+//  Copyright (c) 2015 DoubleSha. All rights reserved.
+//
+
+#import <Foundation/Foundation.h>
+
+/// A wrapper around NSMutableData that uses the SecureAllocator to allocate memory.
+///
+/// The memory associated with a SecureData object is automatically cleared when deallocated, and
+/// the memory is also prevented from being paged to disk.
+///
+/// NOTE: Your application is only allowed a maximum of 64kb of secure data, so it is important to
+/// allocate a limited number of SecureData objects at a time, and any SecureData objects you create
+/// should be as short-lived as possible.
+@interface SecureData : NSObject
+
+@property(nonatomic, readonly) NSData *data;
+@property(nonatomic, readonly) NSMutableData *mutableData;
+@property(nonatomic, readonly) const void *bytes;
+@property(nonatomic, readonly) void *mutableBytes;
+@property(nonatomic, readonly) NSUInteger length;
+
+- (instancetype)init;
+- (instancetype)initWithLength:(NSUInteger)length;
+- (instancetype)initWithData:(NSData *)data;
+- (instancetype)initWithBytes:(const void *)bytes length:(NSUInteger)length;
+
+- (void)appendBytes:(const void *)bytes length:(NSUInteger)length;
+- (void)appendData:(NSData *)data;
+- (void)appendSecureData:(SecureData *)secureData;
+
+@end