[apple/security.git] / OSX / libsecurityd / lib / ssblob.cpp

/*
 * Copyright (c) 2000-2004,2006,2011,2014 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// ssclient - SecurityServer client interface library
//
#include "ssblob.h"
#include <utilities/SecCFRelease.h>

namespace Security {
namespace SecurityServer {

uint32 CommonBlob::getCurrentVersion() {
    uint32 ret = version_MacOS_10_0;
    // If the integrity protections are turned on, use version_partition.
    // else, use version_MacOS_10_0.
    CFTypeRef integrity = (CFNumberRef)CFPreferencesCopyValue(CFSTR("KeychainIntegrity"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost);
    if (integrity && CFGetTypeID(integrity) == CFBooleanGetTypeID()) {
        bool integrityProtections = CFBooleanGetValue((CFBooleanRef)integrity);

        if(integrityProtections) {
            secnotice("integrity", "creating a partition keychain; global is on");
            ret = version_partition;
        } else {
            secnotice("integrity", "creating a old-style keychain; global is off");
            ret = version_MacOS_10_0;
        }
    } else {
        secnotice("integrity", "global integrity not set, defaulting to on");
        ret = version_partition;
    }
    CFReleaseSafe(integrity);

    return ret;
}

uint32 CommonBlob::getCurrentVersionForDb(const char* dbName) {
    // Currently, the scheme is as follows:
    //   in ~/Library/Keychains:
    //     version_partition
    //   Elsewhere:
    //     version_MacOS_10_0`

    if(pathInHomeLibraryKeychains(dbName)) {
        return CommonBlob::getCurrentVersion();
    }

    secnotice("integrity", "outside ~/Library/Keychains/; creating a old-style keychain");
    return version_MacOS_10_0;
}

bool CommonBlob::pathInHomeLibraryKeychains(const string& path) {
    // We need to check if this path is in Some User's ~/Library/Keychains directory.
    // At this level, there's no great way of discovering what's actually a
    // user's home directory, so instead let's look for anything under
    // ./Library/Keychains/ that isn't /Library/Keychains or /System/Library/Keychains.

    string libraryKeychains = "/Library/Keychains";
    string systemLibraryKeychains = "/System/Library/Keychains";

    bool inALibraryKeychains = (string::npos != path.find(libraryKeychains));
    bool inRootLibraryKeychains = (0 == path.find(libraryKeychains));
    bool inSystemLibraryKeychains = (0 == path.find(systemLibraryKeychains));

    return (inALibraryKeychains && !inRootLibraryKeychains && !inSystemLibraryKeychains);
}

void CommonBlob::initialize()
{
    magic = magicNumber;

    this->blobVersion = getCurrentVersion();
}

//
// Initialize the blob header for a given version
//
void CommonBlob::initialize(uint32 version)
{
    magic = magicNumber;

    secinfo("integrity", "creating a keychain with version %d", version);
    this->blobVersion = version;
}


//
// Verify the blob header for basic sane-ness.
//
bool CommonBlob::isValid() const
{
	return magic == magicNumber;
}

void CommonBlob::validate(CSSM_RETURN failureCode) const
{
    if (!isValid())
        CssmError::throwMe(failureCode);
}

/*
 * This string is placed in KeyBlob.blobSignature to indicate a cleartext
 * public key.
 */
static const char clearPubKeySig[] = "Cleartext public key";

bool KeyBlob::isClearText()
{
	return (memcmp(blobSignature, clearPubKeySig, 
		sizeof(blobSignature)) == 0);
}

void KeyBlob::setClearTextSignature()
{
	memmove(blobSignature, clearPubKeySig, sizeof(blobSignature));
}

//
// Implementation of a "system keychain unlock key store"
//
SystemKeychainKey::SystemKeychainKey(const char *path)
: mPath(path), mValid(false)
{
    // explicitly set up a key header for a raw 3DES key
    CssmKey::Header &hdr = mKey.header();
    hdr.blobType(CSSM_KEYBLOB_RAW);
    hdr.blobFormat(CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING);
    hdr.keyClass(CSSM_KEYCLASS_SESSION_KEY);
    hdr.algorithm(CSSM_ALGID_3DES_3KEY_EDE);
    hdr.KeyAttr = 0;
    hdr.KeyUsage = CSSM_KEYUSE_ANY;
    mKey = CssmData::wrap(mBlob.masterKey);
}

SystemKeychainKey::~SystemKeychainKey()
{
}

bool SystemKeychainKey::matches(const DbBlob::Signature &signature)
{
    return update() && signature == mBlob.signature;
}

CssmKey& SystemKeychainKey::key()
{
    if(!mValid) {
        update();
    }
    return mKey;
}

bool SystemKeychainKey::update()
{
    // if we checked recently, just assume it's okay
    if (mValid && mUpdateThreshold > Time::now())
        return mValid;

    // check the file
    struct stat st;
    if (::stat(mPath.c_str(), &st)) {
        // something wrong with the file; can't use it
        mUpdateThreshold = Time::now() + Time::Interval(checkDelay);
        return mValid = false;
    }
    if (mValid && Time::Absolute(st.st_mtimespec) == mCachedDate)
        return true;
    mUpdateThreshold = Time::now() + Time::Interval(checkDelay);

    try {
        secnotice("syskc", "reading system unlock record from %s", mPath.c_str());
        UnixPlusPlus::AutoFileDesc fd(mPath, O_RDONLY);
        if (fd.read(mBlob) != sizeof(mBlob))
            return false;
        if (mBlob.isValid()) {
            mCachedDate = st.st_mtimespec;
            return mValid = true;
        } else
            return mValid = false;
    } catch (...) {
        secnotice("syskc", "system unlock record not available");
        return false;
    }
}

bool SystemKeychainKey::valid()
{
    update();
    return mValid;
}


} // end namespace SecurityServer

} // end namespace Security
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2000-2004,2006,2011,2014 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	//
	26	// ssclient - SecurityServer client interface library
	27	//
	28	#include "ssblob.h"
6b200bc3	29	#include <utilities/SecCFRelease.h>
b1ab9ed8 A	30
	31	namespace Security {
	32	namespace SecurityServer {
	33
e3d460c9	34	uint32 CommonBlob::getCurrentVersion() {
fa7225c8 A	35	uint32 ret = version_MacOS_10_0;
	36	// If the integrity protections are turned on, use version_partition.
	37	// else, use version_MacOS_10_0.
	38	CFTypeRef integrity = (CFNumberRef)CFPreferencesCopyValue(CFSTR("KeychainIntegrity"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost);
	39	if (integrity && CFGetTypeID(integrity) == CFBooleanGetTypeID()) {
	40	bool integrityProtections = CFBooleanGetValue((CFBooleanRef)integrity);
	41
	42	if(integrityProtections) {
	43	secnotice("integrity", "creating a partition keychain; global is on");
	44	ret = version_partition;
	45	} else {
	46	secnotice("integrity", "creating a old-style keychain; global is off");
	47	ret = version_MacOS_10_0;
	48	}
e3d460c9	49	} else {
fa7225c8 A	50	secnotice("integrity", "global integrity not set, defaulting to on");
fa7225c8 A	51	ret = version_partition;
e3d460c9	52	}
6b200bc3	53	CFReleaseSafe(integrity);
e3d460c9	54
fa7225c8	55	return ret;
e3d460c9 A	56	}
e3d460c9 A	57
fa7225c8 A	58	uint32 CommonBlob::getCurrentVersionForDb(const char* dbName) {
	59	// Currently, the scheme is as follows:
	60	// in ~/Library/Keychains:
	61	// version_partition
	62	// Elsewhere:
	63	// version_MacOS_10_0`
	64
	65	if(pathInHomeLibraryKeychains(dbName)) {
	66	return CommonBlob::getCurrentVersion();
	67	}
	68
	69	secnotice("integrity", "outside ~/Library/Keychains/; creating a old-style keychain");
	70	return version_MacOS_10_0;
	71	}
	72
	73	bool CommonBlob::pathInHomeLibraryKeychains(const string& path) {
	74	// We need to check if this path is in Some User's ~/Library/Keychains directory.
	75	// At this level, there's no great way of discovering what's actually a
	76	// user's home directory, so instead let's look for anything under
	77	// ./Library/Keychains/ that isn't /Library/Keychains or /System/Library/Keychains.
	78
	79	string libraryKeychains = "/Library/Keychains";
	80	string systemLibraryKeychains = "/System/Library/Keychains";
	81
	82	bool inALibraryKeychains = (string::npos != path.find(libraryKeychains));
	83	bool inRootLibraryKeychains = (0 == path.find(libraryKeychains));
	84	bool inSystemLibraryKeychains = (0 == path.find(systemLibraryKeychains));
	85
	86	return (inALibraryKeychains && !inRootLibraryKeychains && !inSystemLibraryKeychains);
	87	}
e3d460c9 A	88
	89	void CommonBlob::initialize()
	90	{
	91	magic = magicNumber;
	92
	93	this->blobVersion = getCurrentVersion();
	94	}
b1ab9ed8 A	95
	96	//
	97	// Initialize the blob header for a given version
	98	//
	99	void CommonBlob::initialize(uint32 version)
	100	{
	101	magic = magicNumber;
e3d460c9	102
b04fe171	103	secinfo("integrity", "creating a keychain with version %d", version);
b1ab9ed8 A	104	this->blobVersion = version;
	105	}
	106
	107
	108	//
	109	// Verify the blob header for basic sane-ness.
	110	//
	111	bool CommonBlob::isValid() const
	112	{
	113	return magic == magicNumber;
	114	}
	115
	116	void CommonBlob::validate(CSSM_RETURN failureCode) const
	117	{
	118	if (!isValid())
	119	CssmError::throwMe(failureCode);
	120	}
	121
	122	/*
	123	* This string is placed in KeyBlob.blobSignature to indicate a cleartext
	124	* public key.
	125	*/
	126	static const char clearPubKeySig[] = "Cleartext public key";
	127
	128	bool KeyBlob::isClearText()
	129	{
	130	return (memcmp(blobSignature, clearPubKeySig,
	131	sizeof(blobSignature)) == 0);
	132	}
	133
	134	void KeyBlob::setClearTextSignature()
	135	{
	136	memmove(blobSignature, clearPubKeySig, sizeof(blobSignature));
	137	}
fa7225c8 A	138
	139	//
	140	// Implementation of a "system keychain unlock key store"
	141	//
	142	SystemKeychainKey::SystemKeychainKey(const char *path)
	143	: mPath(path), mValid(false)
	144	{
	145	// explicitly set up a key header for a raw 3DES key
	146	CssmKey::Header &hdr = mKey.header();
	147	hdr.blobType(CSSM_KEYBLOB_RAW);
	148	hdr.blobFormat(CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING);
	149	hdr.keyClass(CSSM_KEYCLASS_SESSION_KEY);
	150	hdr.algorithm(CSSM_ALGID_3DES_3KEY_EDE);
	151	hdr.KeyAttr = 0;
	152	hdr.KeyUsage = CSSM_KEYUSE_ANY;
	153	mKey = CssmData::wrap(mBlob.masterKey);
	154	}
	155
	156	SystemKeychainKey::~SystemKeychainKey()
	157	{
	158	}
	159
	160	bool SystemKeychainKey::matches(const DbBlob::Signature &signature)
	161	{
	162	return update() && signature == mBlob.signature;
	163	}
	164
	165	CssmKey& SystemKeychainKey::key()
	166	{
	167	if(!mValid) {
	168	update();
	169	}
	170	return mKey;
	171	}
	172
	173	bool SystemKeychainKey::update()
	174	{
	175	// if we checked recently, just assume it's okay
	176	if (mValid && mUpdateThreshold > Time::now())
	177	return mValid;
	178
	179	// check the file
	180	struct stat st;
	181	if (::stat(mPath.c_str(), &st)) {
	182	// something wrong with the file; can't use it
	183	mUpdateThreshold = Time::now() + Time::Interval(checkDelay);
	184	return mValid = false;
	185	}
	186	if (mValid && Time::Absolute(st.st_mtimespec) == mCachedDate)
	187	return true;
	188	mUpdateThreshold = Time::now() + Time::Interval(checkDelay);
	189
	190	try {
	191	secnotice("syskc", "reading system unlock record from %s", mPath.c_str());
	192	UnixPlusPlus::AutoFileDesc fd(mPath, O_RDONLY);
	193	if (fd.read(mBlob) != sizeof(mBlob))
	194	return false;
	195	if (mBlob.isValid()) {
	196	mCachedDate = st.st_mtimespec;
	197	return mValid = true;
	198	} else
	199	return mValid = false;
	200	} catch (...) {
	201	secnotice("syskc", "system unlock record not available");
202	return false;
203	}
204	}
205
206	bool SystemKeychainKey::valid()
207	{
208	update();
209	return mValid;
210	}
b1ab9ed8 A	211
	212
	213	} // end namespace SecurityServer
	214
	215	} // end namespace Security