[apple/security.git] / OSX / libsecurity_keychain / lib / KeyItem.h

/*
 * Copyright (c) 2002-2011,2013 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

//
// KeyItem.h
//
#ifndef _SECURITY_KEYITEM_H_
#define _SECURITY_KEYITEM_H_

#include <security_keychain/Item.h>
#include <Security/SecKeyPriv.h>

namespace Security
{

namespace KeychainCore
{

class KeyItem : public ItemImpl
{
	NOCOPY(KeyItem)
public:
	SECCFFUNCTIONS_BASE(KeyItem, SecKeyRef)

    // SecKeyRef is now provided by iOS implementation, so we have to hack standard accessors normally defined by
    // SECCFUNCTIONS macro to retarget SecKeyRef to foreign object instead of normal way through SecCFObject.
    static KeyItem *required(SecKeyRef ptr);
    static KeyItem *optional(SecKeyRef ptr);
    operator CFTypeRef() const _NOEXCEPT;
    static SecCFObject *fromSecKeyRef(CFTypeRef ref);
    void attachSecKeyRef() const;
    void initializeWithSecKeyRef(SecKeyRef ref);

private:
    // This weak backpointer to owning SecKeyRef instance (which is created by iOS SecKey code).
    mutable SecKeyRef mWeakSecKeyRef;

	// db item constructor
private:
    KeyItem(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId);

	// PrimaryKey item constructor
    KeyItem(const Keychain &keychain, const PrimaryKey &primaryKey);

public:
	static KeyItem* make(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId);
	static KeyItem* make(const Keychain &keychain, const PrimaryKey &primaryKey);
	
	KeyItem(KeyItem &keyItem);

	KeyItem(const CssmClient::Key &key);

    virtual ~KeyItem();

	virtual void update();
	virtual Item copyTo(const Keychain &keychain, Access *newAccess = NULL);
	virtual Item importTo(const Keychain &keychain, Access *newAccess = NULL, SecKeychainAttributeList *attrList = NULL);
	virtual void didModify();

	CssmClient::SSDbUniqueRecord ssDbUniqueRecord();
	CssmClient::Key &key();
	CssmClient::CSP csp();

    // Returns the header of the unverified key (without checking integrity). This will skip ACL checks, but don't trust the data very much.
    // Can't return a reference, because maybe the unverified key will get released upon return.
    CssmKey::Header unverifiedKeyHeader();

	const CSSM_X509_ALGORITHM_IDENTIFIER& algorithmIdentifier();
	unsigned int strengthInBits(const CSSM_X509_ALGORITHM_IDENTIFIER *algid);
    CssmClient::Key publicKey();

	const AccessCredentials *getCredentials(
		CSSM_ACL_AUTHORIZATION_TAG operation,
		SecCredentialType credentialType);

	bool operator == (KeyItem &other);

	static void createPair(
		Keychain keychain,
        CSSM_ALGORITHMS algorithm,
        uint32 keySizeInBits,
        CSSM_CC_HANDLE contextHandle,
        CSSM_KEYUSE publicKeyUsage,
        uint32 publicKeyAttr,
        CSSM_KEYUSE privateKeyUsage,
        uint32 privateKeyAttr,
        SecPointer<Access> initialAccess,
        SecPointer<KeyItem> &outPublicKey, 
        SecPointer<KeyItem> &outPrivateKey);

	static void importPair(
		Keychain keychain,
		const CSSM_KEY &publicCssmKey,
		const CSSM_KEY &privateCssmKey,
        SecPointer<Access> initialAccess,
        SecPointer<KeyItem> &outPublicKey, 
        SecPointer<KeyItem> &outPrivateKey);

	static SecPointer<KeyItem> generate(
		Keychain keychain,
		CSSM_ALGORITHMS algorithm,
		uint32 keySizeInBits,
		CSSM_CC_HANDLE contextHandle,
		CSSM_KEYUSE keyUsage,
		uint32 keyAttr,
		SecPointer<Access> initialAccess);

	static SecPointer<KeyItem> generateWithAttributes(
		const SecKeychainAttributeList *attrList,
		Keychain keychain,
		CSSM_ALGORITHMS algorithm,
		uint32 keySizeInBits,
		CSSM_CC_HANDLE contextHandle,
		CSSM_KEYUSE keyUsage,
		uint32 keyAttr,
		SecPointer<Access> initialAccess);

	virtual const CssmData &itemID();
	
	virtual CFHashCode hash();

    virtual void setIntegrity(bool force = false);
    virtual bool checkIntegrity();

    // Call this function to remove the integrity and partition_id ACLs from
    // this item. You're not supposed to be able to do this, so force the issue
    // by providing credentials to this keychain.
    virtual void removeIntegrity(const AccessCredentials *cred);

    static void modifyUniqueId(Keychain keychain, SSDb ssDb, DbUniqueRecord& uniqueId, DbAttributes& newDbAttributes, CSSM_DB_RECORDTYPE recordType);

protected:
	virtual PrimaryKey add(Keychain &keychain);
private:
    CssmClient::Key unverifiedKey();

	CssmClient::Key mKey;
	const CSSM_X509_ALGORITHM_IDENTIFIER *algid;
	CssmAutoData mPubKeyHash;
    CssmClient::Key mPublicKey;
};

} // end namespace KeychainCore

} // end namespace Security

class CDSASecKey : public __SecKey {
public:
    static Security::KeychainCore::KeyItem *keyItem(SecKeyRef key) {
        CDSASecKey *cdsaKey = static_cast<CDSASecKey *>(key);
        return static_cast<Security::KeychainCore::KeyItem *>(cdsaKey->key);
    }
    SecCredentialType credentialType;
    Mutex *cdsaKeyMutex;
};

#endif // !_SECURITY_KEYITEM_H_
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2002-2011,2013 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	//
	25	// KeyItem.h
	26	//
	27	#ifndef _SECURITY_KEYITEM_H_
	28	#define _SECURITY_KEYITEM_H_
	29
	30	#include <security_keychain/Item.h>
	31	#include <Security/SecKeyPriv.h>
	32
	33	namespace Security
	34	{
	35
	36	namespace KeychainCore
	37	{
	38
	39	class KeyItem : public ItemImpl
	40	{
	41	NOCOPY(KeyItem)
	42	public:
fa7225c8 A	43	SECCFFUNCTIONS_BASE(KeyItem, SecKeyRef)
	44
	45	// SecKeyRef is now provided by iOS implementation, so we have to hack standard accessors normally defined by
	46	// SECCFUNCTIONS macro to retarget SecKeyRef to foreign object instead of normal way through SecCFObject.
	47	static KeyItem *required(SecKeyRef ptr);
	48	static KeyItem *optional(SecKeyRef ptr);
d64be36e	49	operator CFTypeRef() const _NOEXCEPT;
fa7225c8 A	50	static SecCFObject *fromSecKeyRef(CFTypeRef ref);
	51	void attachSecKeyRef() const;
	52	void initializeWithSecKeyRef(SecKeyRef ref);
	53
	54	private:
	55	// This weak backpointer to owning SecKeyRef instance (which is created by iOS SecKey code).
	56	mutable SecKeyRef mWeakSecKeyRef;
b1ab9ed8 A	57
	58	// db item constructor
	59	private:
	60	KeyItem(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId);
	61
	62	// PrimaryKey item constructor
	63	KeyItem(const Keychain &keychain, const PrimaryKey &primaryKey);
	64
	65	public:
	66	static KeyItem* make(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId);
	67	static KeyItem* make(const Keychain &keychain, const PrimaryKey &primaryKey);
	68
	69	KeyItem(KeyItem &keyItem);
	70
	71	KeyItem(const CssmClient::Key &key);
	72
c2a06e24	73	virtual ~KeyItem();
b1ab9ed8 A	74
	75	virtual void update();
	76	virtual Item copyTo(const Keychain &keychain, Access *newAccess = NULL);
	77	virtual Item importTo(const Keychain &keychain, Access newAccess = NULL, SecKeychainAttributeList attrList = NULL);
	78	virtual void didModify();
	79
	80	CssmClient::SSDbUniqueRecord ssDbUniqueRecord();
	81	CssmClient::Key &key();
	82	CssmClient::CSP csp();
	83
fa7225c8 A	84	// Returns the header of the unverified key (without checking integrity). This will skip ACL checks, but don't trust the data very much.
	85	// Can't return a reference, because maybe the unverified key will get released upon return.
	86	CssmKey::Header unverifiedKeyHeader();
	87
b1ab9ed8 A	88	const CSSM_X509_ALGORITHM_IDENTIFIER& algorithmIdentifier();
b1ab9ed8 A	89	unsigned int strengthInBits(const CSSM_X509_ALGORITHM_IDENTIFIER *algid);
fa7225c8	90	CssmClient::Key publicKey();
b1ab9ed8 A	91
	92	const AccessCredentials *getCredentials(
	93	CSSM_ACL_AUTHORIZATION_TAG operation,
	94	SecCredentialType credentialType);
	95
	96	bool operator == (KeyItem &other);
	97
	98	static void createPair(
	99	Keychain keychain,
	100	CSSM_ALGORITHMS algorithm,
	101	uint32 keySizeInBits,
	102	CSSM_CC_HANDLE contextHandle,
	103	CSSM_KEYUSE publicKeyUsage,
	104	uint32 publicKeyAttr,
	105	CSSM_KEYUSE privateKeyUsage,
	106	uint32 privateKeyAttr,
	107	SecPointer<Access> initialAccess,
	108	SecPointer<KeyItem> &outPublicKey,
	109	SecPointer<KeyItem> &outPrivateKey);
	110
	111	static void importPair(
	112	Keychain keychain,
	113	const CSSM_KEY &publicCssmKey,
	114	const CSSM_KEY &privateCssmKey,
	115	SecPointer<Access> initialAccess,
	116	SecPointer<KeyItem> &outPublicKey,
	117	SecPointer<KeyItem> &outPrivateKey);
	118
	119	static SecPointer<KeyItem> generate(
	120	Keychain keychain,
	121	CSSM_ALGORITHMS algorithm,
	122	uint32 keySizeInBits,
	123	CSSM_CC_HANDLE contextHandle,
	124	CSSM_KEYUSE keyUsage,
	125	uint32 keyAttr,
	126	SecPointer<Access> initialAccess);
	127
	128	static SecPointer<KeyItem> generateWithAttributes(
	129	const SecKeychainAttributeList *attrList,
	130	Keychain keychain,
	131	CSSM_ALGORITHMS algorithm,
	132	uint32 keySizeInBits,
	133	CSSM_CC_HANDLE contextHandle,
	134	CSSM_KEYUSE keyUsage,
	135	uint32 keyAttr,
	136	SecPointer<Access> initialAccess);
	137
	138	virtual const CssmData &itemID();
	139
427c49bc	140	virtual CFHashCode hash();
b1ab9ed8	141
e3d460c9 A	142	virtual void setIntegrity(bool force = false);
	143	virtual bool checkIntegrity();
	144
fa7225c8 A	145	// Call this function to remove the integrity and partition_id ACLs from
	146	// this item. You're not supposed to be able to do this, so force the issue
	147	// by providing credentials to this keychain.
	148	virtual void removeIntegrity(const AccessCredentials *cred);
	149
e3d460c9 A	150	static void modifyUniqueId(Keychain keychain, SSDb ssDb, DbUniqueRecord& uniqueId, DbAttributes& newDbAttributes, CSSM_DB_RECORDTYPE recordType);
e3d460c9 A	151
b1ab9ed8 A	152	protected:
	153	virtual PrimaryKey add(Keychain &keychain);
	154	private:
fa7225c8 A	155	CssmClient::Key unverifiedKey();
fa7225c8 A	156
b1ab9ed8 A	157	CssmClient::Key mKey;
	158	const CSSM_X509_ALGORITHM_IDENTIFIER *algid;
	159	CssmAutoData mPubKeyHash;
fa7225c8	160	CssmClient::Key mPublicKey;
b1ab9ed8 A	161	};
	162
	163	} // end namespace KeychainCore
	164
	165	} // end namespace Security
	166
b54c578e A	167	class CDSASecKey : public __SecKey {
	168	public:
	169	static Security::KeychainCore::KeyItem *keyItem(SecKeyRef key) {
	170	CDSASecKey cdsaKey = static_cast<CDSASecKey >(key);
	171	return static_cast<Security::KeychainCore::KeyItem *>(cdsaKey->key);
	172	}
b04fe171	173	SecCredentialType credentialType;
79b9da22	174	Mutex *cdsaKeyMutex;
fa7225c8 A	175	};
fa7225c8 A	176
b1ab9ed8	177	#endif // !_SECURITY_KEYITEM_H_