[apple/security.git] / libsecurityd / mig / ucsp.defs

//
// Copyright (c) 2001-2007 Apple Inc. All Rights Reserved.
//
// @APPLE_LICENSE_HEADER_START@
// 
// This file contains Original Code and/or Modifications of Original Code
// as defined in and that are subject to the Apple Public Source License
// Version 2.0 (the 'License'). You may not use this file except in
// compliance with the License. Please obtain a copy of the License at
// http://www.opensource.apple.com/apsl/ and read it before using this
// file.
// 
// The Original Code and all software distributed under the License are
// distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
// EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
// INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
// Please see the License for the specific language governing rights and
// limitations under the License.
// 
// @APPLE_LICENSE_HEADER_END@
//
// ucsp.defs - Mach RPC interface between SecurityServer and its clients
//
#include <mach/std_types.defs>
#include <mach/mach_types.defs>
#include "ss_types.defs"

subsystem ucsp 1000;
serverprefix ucsp_server_;
userprefix ucsp_client_;

import <securityd_client/ucsp_types.h>;


//
// Common argument profiles
//
#define UCSP_PORTS	requestport sport: mach_port_t; \
					replyport rport: mach_port_make_send_t; \
                    serveraudittoken sourceAudit: audit_token_t; \
					usersectoken securitydCreds: security_token_t; \
					out rcode: CSSM_RETURN


//
// Management and administrative functions
//
routine setup(UCSP_PORTS; in tport: mach_port_t; in info: SetupInfo; in FilePath: FilePath);
skip;		// was setupNew - no longer needed
routine setupThread(UCSP_PORTS; in tport: mach_port_t);


//
// Common database functions
//
routine authenticateDb(UCSP_PORTS; in db: IPCDbHandle; in accessType: CSSM_DB_ACCESS_TYPE; in accessCredentials: Data);
routine releaseDb(UCSP_PORTS; in db: IPCDbHandle);
routine getDbName(UCSP_PORTS; in db: IPCDbHandle; out name: FilePathOut);
routine setDbName(UCSP_PORTS; in db: IPCDbHandle; in name: FilePath);


//
// External database interface
//
routine openToken(UCSP_PORTS; in ssid: uint32; in name: FilePath;
	in accessCredentials: Data; out db: IPCDbHandle);
	
routine findFirst(UCSP_PORTS; in db: IPCDbHandle; in query: Data;
	in inAttributes : Data; out outAttributes: Data;
	in getData: boolean_t; out data: Data; out key: IPCKeyHandle; out search: IPCSearchHandle; out record: IPCRecordHandle);
routine findNext(UCSP_PORTS; in search: IPCSearchHandle;
	in inAttributes : Data; out outAttributes: Data;
	in getData: boolean_t; out data: Data; out key: IPCKeyHandle; out record: IPCRecordHandle);
routine findRecordHandle(UCSP_PORTS; in record: IPCRecordHandle;
	in inAttributes : Data; out outAttributes: Data;
	in getData: boolean_t; out data: Data; out key: IPCKeyHandle);
routine insertRecord(UCSP_PORTS; in db: IPCDbHandle; in recordType: CSSM_DB_RECORDTYPE;
	in attributes : Data; in data: Data; out record: IPCRecordHandle);
routine deleteRecord(UCSP_PORTS; in db: IPCDbHandle; in record: IPCRecordHandle);
routine modifyRecord(UCSP_PORTS; in db: IPCDbHandle; inout record: IPCRecordHandle; in recordType: CSSM_DB_RECORDTYPE;
	in attributes : Data; in setData: boolean_t; in data: Data;
	in modifyMode: CSSM_DB_MODIFY_MODE);
routine releaseSearch(UCSP_PORTS; in search: IPCSearchHandle);
routine releaseRecord(UCSP_PORTS; in record: IPCRecordHandle);


//
// Internal database interface
//
routine createDb(UCSP_PORTS; out db: IPCDbHandle; in ident: Data;
    in accessCredentials: Data; in aclEntryPrototype: Data;
    in params: DBParameters);
skip;
#if 0
// should move here from below, next time we break compatibility for another reason
routine commitDbForSync(UCSP_PORTS; in srcDb: IPCDbHandle; in cloneDb: IPCDbHandle;
    out blob: DbBlob);
#endif
routine decodeDb(UCSP_PORTS; out db: IPCDbHandle; in ident: Data;
    in accessCredentials: Data; in blob: DbBlob);
routine encodeDb(UCSP_PORTS; in db: IPCDbHandle; out blob: DbBlob);
routine setDbParameters(UCSP_PORTS; in db: IPCDbHandle; in params: DBParameters);
routine getDbParameters(UCSP_PORTS; in db: IPCDbHandle; out params: DBParameters);
routine changePassphrase(UCSP_PORTS; in db: IPCDbHandle; 
	in accessCredentials: Data);
routine lockAll(UCSP_PORTS; in forSleep: boolean_t);
routine unlockDb(UCSP_PORTS; in db: IPCDbHandle);
routine unlockDbWithPassphrase(UCSP_PORTS; in db: IPCDbHandle; in passPhrase: Data);
routine isLocked(UCSP_PORTS; in db: IPCDbHandle; out locked: boolean_t);
	
//
// Key management
//
routine encodeKey(UCSP_PORTS; in key: IPCKeyHandle; out blob: KeyBlob;
    in wantUid: boolean_t; out uid: Data);
routine decodeKey(UCSP_PORTS; out key: IPCKeyHandle; out header: Data;
    in db: IPCDbHandle; in blob: KeyBlob);
// keychain synchronization
routine recodeKey(UCSP_PORTS; in oldDb: IPCDbHandle; in key: IPCKeyHandle; 
    in newDb: IPCDbHandle; out newBlob: KeyBlob);
routine releaseKey(UCSP_PORTS; in key: IPCKeyHandle);

routine queryKeySizeInBits(UCSP_PORTS; in key: IPCKeyHandle; out length: CSSM_KEY_SIZE);
routine getOutputSize(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
    in inputSize: uint32; in encrypt: boolean_t; out outputSize: uint32);

routine getKeyDigest(UCSP_PORTS; in key: IPCKeyHandle; out digest: Data);


//
// Cryptographic operations
//
routine generateSignature(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
    in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; out signature: Data);
routine verifySignature(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
	in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; in signature: Data);
routine generateMac(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
	in data: Data; out signature: Data);
routine verifyMac(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
	in data: Data; in signature: Data);

routine encrypt(UCSP_PORTS; in context: Data; in key: IPCKeyHandle; in clear: Data; out cipher: Data);
routine decrypt(UCSP_PORTS; in context: Data; in key: IPCKeyHandle; in cipher: Data; out clear: Data);

routine generateKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data;
	in accessCredentials: Data; in aclEntryPrototype: Data;
	in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);
routine generateKeyPair(UCSP_PORTS; in db: IPCDbHandle; in context: Data;
	in accessCredentials: Data; in aclEntryPrototype: Data;
	in pubUsage: uint32; in pubAttrs: uint32; in privUsage: uint32; in privAttrs: uint32;
	out pubKey: IPCKeyHandle; out pubHeader: Data;
    out privKey: IPCKeyHandle; out privHeader: Data);

routine wrapKey(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
    in accessCredentials: Data; in keyToBeWrapped: IPCKeyHandle;
	in descriptiveData: Data; out wrappedKey: Data);
routine unwrapKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in key: IPCKeyHandle;
	in accessCredentials: Data; in aclEntryPrototype: Data;
	in publicKey: IPCKeyHandle; in wrappedKey: Data;
	in usage: uint32; in attributes: uint32; out data: Data; 
    out resultKey: IPCKeyHandle; out header: Data);

routine deriveKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in baseKey: IPCKeyHandle;
	in accessCredentials: Data; in aclEntryPrototype: Data;
    in paramInput: Data; out paramOutput: Data;
	in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);

routine generateRandom(UCSP_PORTS; in ssid: uint32; in context: Data; out data: Data);


//
// ACL management
//
routine getOwner(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
	out proto: Data);
routine setOwner(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
	in accessCredentials: Data; in aclOwnerPrototype: Data);
routine getAcl(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
	in haveTag: boolean_t; in tag: CssmString;
	out count: uint32; out acls: Data);
routine changeAcl(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
	in accessCredentials: Data;
	in mode: CSSM_ACL_EDIT_MODE; in handle: IPCGenericHandle;
	in aclEntryInput: Data);

routine login(UCSP_PORTS; in accessCredentials: Data; in name: Data);
routine logout(UCSP_PORTS);


//
// Miscellanea
//
routine getStatistics(UCSP_PORTS; in ssid: uint32; out statistics: CSSM_CSP_OPERATIONAL_STATISTICS);
routine getTime(UCSP_PORTS; in ssid: uint32; in algorithm: CSSM_ALGORITHMS; out data: Data);
routine getCounter(UCSP_PORTS; in ssid: uint32; out data: Data);
routine selfVerify(UCSP_PORTS; in ssid: uint32);

routine cspPassThrough(UCSP_PORTS; in ssid: uint32; in id: uint32; in context: Data; in hKey: IPCKeyHandle;
	in inData: Data; out outData: Data);
routine dlPassThrough(UCSP_PORTS; in ssid: uint32; in id: uint32; in inData: Data; out outData: Data);


//
// Authorization subsystem
//
routine authorizationCreate(UCSP_PORTS; 
	in rights: Data;
	in flags: uint32;
	in environment: Data;
	out authorization: AuthorizationBlob);

routine authorizationRelease(UCSP_PORTS; in authorization: AuthorizationBlob;
	in flags: uint32);

routine authorizationCopyRights(UCSP_PORTS; in authorization: AuthorizationBlob;
	in rights: Data;
	in flags: uint32;
	in environment: Data;
	out result: Data);

routine authorizationCopyInfo(UCSP_PORTS; in authorization: AuthorizationBlob;
	in tag: AuthorizationString;
	out info: Data);

routine authorizationExternalize(UCSP_PORTS; in authorization: AuthorizationBlob;
	out form: AuthorizationExternalForm);

routine authorizationInternalize(UCSP_PORTS; in form: AuthorizationExternalForm;
	out authorization: AuthorizationBlob);


//
// Session management subsystem
//
skip;	// was getSessionInfo -- now kept by the kernel
skip;	// was setupSession -- now kept by the kernel
skip;	// was setSessionDistinguishedUid -- now kept by the kernel
skip;	// was getSessionDistinguishedUid -- now kept by the kernel
routine setSessionUserPrefs(UCSP_PORTS; in sessionId: SecuritySessionId; in userPrefs: Data);

//
// Notification subsystem
//
routine postNotification(UCSP_PORTS; in domain: uint32; in event: uint32; in data: Data;
	in sequence: uint32);


//
// Database key management
//
routine extractMasterKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in sourceDb: IPCDbHandle;
	in accessCredentials: Data; in aclEntryPrototype: Data;
	in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);


//
// AuthorizationDB operations
//
routine authorizationdbGet(UCSP_PORTS; in rightname: AuthorizationString; out rightdefinition: Data);
routine authorizationdbSet(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString; in rightDefinition: Data);
routine authorizationdbRemove(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString);


//
// Miscellaneous administrative calls
//
routine addCodeEquivalence(UCSP_PORTS; in oldCode: Data; in newCode: Data; in name: FilePath;
	in forSystem: boolean_t);
routine removeCodeEquivalence(UCSP_PORTS; in code: Data; in name: FilePath;
	in forSystem: boolean_t);
routine setAlternateSystemRoot(UCSP_PORTS; in path: FilePath);


//
// Subsidiary process (child) management.
// This call does NOT cause securityd-client activation.
//
simpleroutine childCheckIn(requestport sport: mach_port_t;
	in servicePort: mach_port_make_send_t; in task_port: mach_port_t);

#if 1
// This should move up to be with its buddies (see #if 0 above), but it won't move
// until we need to force an incompatible change for some other reason.
routine commitDbForSync(UCSP_PORTS; in srcDb: IPCDbHandle; in cloneDb: IPCDbHandle;
    out blob: DbBlob);
#endif


//
// Code Signing Hosting protocol part 1: registration services.
//
routine registerHosting(UCSP_PORTS;
	in hostingPort: mach_port_make_send_t; in flags: uint32);
routine hostingPort(UCSP_PORTS;
	in hostPid: pid_t; out hostingPort: mach_port_make_send_t);
routine setGuest(UCSP_PORTS; in guest: SecGuestRef; in flags: uint32);

//
// Code Signing Hosting protocol part 2: proxy services.
//
routine createGuest(UCSP_PORTS; in host: SecGuestRef; in status: uint32_t;
	in path: FilePath; in cdhash: HashData; in attributes: Data; in flags: uint32; out guest: SecGuestRef);
routine setGuestStatus(UCSP_PORTS; in guest: SecGuestRef;
	in status: uint32_t; in attributes: Data);
routine removeGuest(UCSP_PORTS; in host: SecGuestRef; in guest: SecGuestRef);

//
// Code Signing support calls
//
routine helpCheckLoad(UCSP_PORTS; in path: FilePath; in addType: uint32_t);

//
// Keychain Syncing setup support calls
//
routine recodeDbForSync(UCSP_PORTS; in dbToClone: IPCDbHandle; 
    in srcDb: IPCDbHandle; out newDb: IPCDbHandle);
routine authenticateDbsForSync(UCSP_PORTS; in ipcDbHandleArray: Data;
    in agentData: Data; out newDb: IPCDbHandle);

//
// Allows the client to verify that the server really is root.
//
routine verifyPrivileged(UCSP_PORTS);

//
// The original verifyPrivileged is subject to a Mach service in the middle attack (6986198).
//
routine verifyPrivileged2(UCSP_PORTS; out originPort: mach_port_make_send_t);

// Internal Database call additions
routine stashDb(UCSP_PORTS; in db: IPCDbHandle);
routine stashDbCheck(UCSP_PORTS; in db: IPCDbHandle);

routine verifyKeyStorePassphrase(UCSP_PORTS; in retries: uint32_t);
routine resetKeyStorePassphrase(UCSP_PORTS; in passPhrase: Data);
routine changeKeyStorePassphrase(UCSP_PORTS);
Commit	Line	Data
b1ab9ed8 A	1	//
	2	// Copyright (c) 2001-2007 Apple Inc. All Rights Reserved.
	3	//
	4	// @APPLE_LICENSE_HEADER_START@
	5	//
	6	// This file contains Original Code and/or Modifications of Original Code
	7	// as defined in and that are subject to the Apple Public Source License
	8	// Version 2.0 (the 'License'). You may not use this file except in
	9	// compliance with the License. Please obtain a copy of the License at
	10	// http://www.opensource.apple.com/apsl/ and read it before using this
	11	// file.
	12	//
	13	// The Original Code and all software distributed under the License are
	14	// distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	// EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	// INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	// FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	// Please see the License for the specific language governing rights and
	19	// limitations under the License.
	20	//
	21	// @APPLE_LICENSE_HEADER_END@
	22	//
	23	// ucsp.defs - Mach RPC interface between SecurityServer and its clients
	24	//
	25	#include <mach/std_types.defs>
	26	#include <mach/mach_types.defs>
	27	#include "ss_types.defs"
	28
	29	subsystem ucsp 1000;
	30	serverprefix ucsp_server_;
	31	userprefix ucsp_client_;
	32
	33	import <securityd_client/ucsp_types.h>;
	34
	35
	36	//
	37	// Common argument profiles
	38	//
	39	#define UCSP_PORTS requestport sport: mach_port_t; \
	40	replyport rport: mach_port_make_send_t; \
	41	serveraudittoken sourceAudit: audit_token_t; \
	42	usersectoken securitydCreds: security_token_t; \
	43	out rcode: CSSM_RETURN
	44
	45
	46	//
	47	// Management and administrative functions
	48	//
	49	routine setup(UCSP_PORTS; in tport: mach_port_t; in info: SetupInfo; in FilePath: FilePath);
	50	skip; // was setupNew - no longer needed
	51	routine setupThread(UCSP_PORTS; in tport: mach_port_t);
	52
	53
	54	//
	55	// Common database functions
	56	//
	57	routine authenticateDb(UCSP_PORTS; in db: IPCDbHandle; in accessType: CSSM_DB_ACCESS_TYPE; in accessCredentials: Data);
	58	routine releaseDb(UCSP_PORTS; in db: IPCDbHandle);
	59	routine getDbName(UCSP_PORTS; in db: IPCDbHandle; out name: FilePathOut);
	60	routine setDbName(UCSP_PORTS; in db: IPCDbHandle; in name: FilePath);
	61
	62
	63	//
	64	// External database interface
65	//
66	routine openToken(UCSP_PORTS; in ssid: uint32; in name: FilePath;
67	in accessCredentials: Data; out db: IPCDbHandle);
68
69	routine findFirst(UCSP_PORTS; in db: IPCDbHandle; in query: Data;
70	in inAttributes : Data; out outAttributes: Data;
71	in getData: boolean_t; out data: Data; out key: IPCKeyHandle; out search: IPCSearchHandle; out record: IPCRecordHandle);
72	routine findNext(UCSP_PORTS; in search: IPCSearchHandle;
73	in inAttributes : Data; out outAttributes: Data;
74	in getData: boolean_t; out data: Data; out key: IPCKeyHandle; out record: IPCRecordHandle);
75	routine findRecordHandle(UCSP_PORTS; in record: IPCRecordHandle;
76	in inAttributes : Data; out outAttributes: Data;
77	in getData: boolean_t; out data: Data; out key: IPCKeyHandle);
78	routine insertRecord(UCSP_PORTS; in db: IPCDbHandle; in recordType: CSSM_DB_RECORDTYPE;
79	in attributes : Data; in data: Data; out record: IPCRecordHandle);
80	routine deleteRecord(UCSP_PORTS; in db: IPCDbHandle; in record: IPCRecordHandle);
81	routine modifyRecord(UCSP_PORTS; in db: IPCDbHandle; inout record: IPCRecordHandle; in recordType: CSSM_DB_RECORDTYPE;
82	in attributes : Data; in setData: boolean_t; in data: Data;
83	in modifyMode: CSSM_DB_MODIFY_MODE);
84	routine releaseSearch(UCSP_PORTS; in search: IPCSearchHandle);
85	routine releaseRecord(UCSP_PORTS; in record: IPCRecordHandle);
86
87
88
89	//
90	// Internal database interface
91	//
92	routine createDb(UCSP_PORTS; out db: IPCDbHandle; in ident: Data;
93	in accessCredentials: Data; in aclEntryPrototype: Data;
94	in params: DBParameters);
95	skip;
96	#if 0
97	// should move here from below, next time we break compatibility for another reason
98	routine commitDbForSync(UCSP_PORTS; in srcDb: IPCDbHandle; in cloneDb: IPCDbHandle;
99	out blob: DbBlob);
100	#endif
101	routine decodeDb(UCSP_PORTS; out db: IPCDbHandle; in ident: Data;
102	in accessCredentials: Data; in blob: DbBlob);
103	routine encodeDb(UCSP_PORTS; in db: IPCDbHandle; out blob: DbBlob);
104	routine setDbParameters(UCSP_PORTS; in db: IPCDbHandle; in params: DBParameters);
105	routine getDbParameters(UCSP_PORTS; in db: IPCDbHandle; out params: DBParameters);
106	routine changePassphrase(UCSP_PORTS; in db: IPCDbHandle;
107	in accessCredentials: Data);
108	routine lockAll(UCSP_PORTS; in forSleep: boolean_t);
109	routine unlockDb(UCSP_PORTS; in db: IPCDbHandle);
110	routine unlockDbWithPassphrase(UCSP_PORTS; in db: IPCDbHandle; in passPhrase: Data);
111	routine isLocked(UCSP_PORTS; in db: IPCDbHandle; out locked: boolean_t);
b1ab9ed8 A	112
	113	//
	114	// Key management
	115	//
	116	routine encodeKey(UCSP_PORTS; in key: IPCKeyHandle; out blob: KeyBlob;
	117	in wantUid: boolean_t; out uid: Data);
	118	routine decodeKey(UCSP_PORTS; out key: IPCKeyHandle; out header: Data;
	119	in db: IPCDbHandle; in blob: KeyBlob);
	120	// keychain synchronization
	121	routine recodeKey(UCSP_PORTS; in oldDb: IPCDbHandle; in key: IPCKeyHandle;
	122	in newDb: IPCDbHandle; out newBlob: KeyBlob);
	123	routine releaseKey(UCSP_PORTS; in key: IPCKeyHandle);
	124
	125	routine queryKeySizeInBits(UCSP_PORTS; in key: IPCKeyHandle; out length: CSSM_KEY_SIZE);
	126	routine getOutputSize(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
	127	in inputSize: uint32; in encrypt: boolean_t; out outputSize: uint32);
	128
	129	routine getKeyDigest(UCSP_PORTS; in key: IPCKeyHandle; out digest: Data);
	130
	131
	132	//
	133	// Cryptographic operations
	134	//
	135	routine generateSignature(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
	136	in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; out signature: Data);
	137	routine verifySignature(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
	138	in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; in signature: Data);
	139	routine generateMac(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
	140	in data: Data; out signature: Data);
	141	routine verifyMac(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
	142	in data: Data; in signature: Data);
	143
	144	routine encrypt(UCSP_PORTS; in context: Data; in key: IPCKeyHandle; in clear: Data; out cipher: Data);
	145	routine decrypt(UCSP_PORTS; in context: Data; in key: IPCKeyHandle; in cipher: Data; out clear: Data);
	146
	147	routine generateKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data;
	148	in accessCredentials: Data; in aclEntryPrototype: Data;
	149	in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);
	150	routine generateKeyPair(UCSP_PORTS; in db: IPCDbHandle; in context: Data;
	151	in accessCredentials: Data; in aclEntryPrototype: Data;
	152	in pubUsage: uint32; in pubAttrs: uint32; in privUsage: uint32; in privAttrs: uint32;
	153	out pubKey: IPCKeyHandle; out pubHeader: Data;
	154	out privKey: IPCKeyHandle; out privHeader: Data);
	155
	156	routine wrapKey(UCSP_PORTS; in context: Data; in key: IPCKeyHandle;
	157	in accessCredentials: Data; in keyToBeWrapped: IPCKeyHandle;
	158	in descriptiveData: Data; out wrappedKey: Data);
	159	routine unwrapKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in key: IPCKeyHandle;
	160	in accessCredentials: Data; in aclEntryPrototype: Data;
	161	in publicKey: IPCKeyHandle; in wrappedKey: Data;
	162	in usage: uint32; in attributes: uint32; out data: Data;
	163	out resultKey: IPCKeyHandle; out header: Data);
	164
	165	routine deriveKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in baseKey: IPCKeyHandle;
	166	in accessCredentials: Data; in aclEntryPrototype: Data;
	167	in paramInput: Data; out paramOutput: Data;
	168	in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);
	169
	170	routine generateRandom(UCSP_PORTS; in ssid: uint32; in context: Data; out data: Data);
	171
	172
	173	//
	174	// ACL management
	175	//
176	routine getOwner(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
177	out proto: Data);
178	routine setOwner(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
179	in accessCredentials: Data; in aclOwnerPrototype: Data);
180	routine getAcl(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
181	in haveTag: boolean_t; in tag: CssmString;
182	out count: uint32; out acls: Data);
183	routine changeAcl(UCSP_PORTS; in kind: AclKind; in key: IPCGenericHandle;
184	in accessCredentials: Data;
185	in mode: CSSM_ACL_EDIT_MODE; in handle: IPCGenericHandle;
186	in aclEntryInput: Data);
187
188	routine login(UCSP_PORTS; in accessCredentials: Data; in name: Data);
189	routine logout(UCSP_PORTS);
190
191
192	//
193	// Miscellanea
194	//
195	routine getStatistics(UCSP_PORTS; in ssid: uint32; out statistics: CSSM_CSP_OPERATIONAL_STATISTICS);
196	routine getTime(UCSP_PORTS; in ssid: uint32; in algorithm: CSSM_ALGORITHMS; out data: Data);
197	routine getCounter(UCSP_PORTS; in ssid: uint32; out data: Data);
198	routine selfVerify(UCSP_PORTS; in ssid: uint32);
199
200	routine cspPassThrough(UCSP_PORTS; in ssid: uint32; in id: uint32; in context: Data; in hKey: IPCKeyHandle;
201	in inData: Data; out outData: Data);
202	routine dlPassThrough(UCSP_PORTS; in ssid: uint32; in id: uint32; in inData: Data; out outData: Data);
203
204
205	//
206	// Authorization subsystem
207	//
208	routine authorizationCreate(UCSP_PORTS;
209	in rights: Data;
210	in flags: uint32;
211	in environment: Data;
212	out authorization: AuthorizationBlob);
213
214	routine authorizationRelease(UCSP_PORTS; in authorization: AuthorizationBlob;
215	in flags: uint32);
216
217	routine authorizationCopyRights(UCSP_PORTS; in authorization: AuthorizationBlob;
218	in rights: Data;
219	in flags: uint32;
220	in environment: Data;
221	out result: Data);
222
223	routine authorizationCopyInfo(UCSP_PORTS; in authorization: AuthorizationBlob;
224	in tag: AuthorizationString;
225	out info: Data);
226
227	routine authorizationExternalize(UCSP_PORTS; in authorization: AuthorizationBlob;
228	out form: AuthorizationExternalForm);
229
230	routine authorizationInternalize(UCSP_PORTS; in form: AuthorizationExternalForm;
231	out authorization: AuthorizationBlob);
232
233
234	//
235	// Session management subsystem
236	//
237	skip; // was getSessionInfo -- now kept by the kernel
238	skip; // was setupSession -- now kept by the kernel
239	skip; // was setSessionDistinguishedUid -- now kept by the kernel
240	skip; // was getSessionDistinguishedUid -- now kept by the kernel
241	routine setSessionUserPrefs(UCSP_PORTS; in sessionId: SecuritySessionId; in userPrefs: Data);
242
243	//
244	// Notification subsystem
245	//
246	routine postNotification(UCSP_PORTS; in domain: uint32; in event: uint32; in data: Data;
247	in sequence: uint32);
248
249
250	//
251	// Database key management
252	//
253	routine extractMasterKey(UCSP_PORTS; in db: IPCDbHandle; in context: Data; in sourceDb: IPCDbHandle;
254	in accessCredentials: Data; in aclEntryPrototype: Data;
255	in keyUsage: uint32; in keyAttrs: uint32; out key: IPCKeyHandle; out header: Data);
256
257
258	//
259	// AuthorizationDB operations
260	//
261	routine authorizationdbGet(UCSP_PORTS; in rightname: AuthorizationString; out rightdefinition: Data);
262	routine authorizationdbSet(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString; in rightDefinition: Data);
263	routine authorizationdbRemove(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString);
264
265
266	//
267	// Miscellaneous administrative calls
268	//
269	routine addCodeEquivalence(UCSP_PORTS; in oldCode: Data; in newCode: Data; in name: FilePath;
270	in forSystem: boolean_t);
271	routine removeCodeEquivalence(UCSP_PORTS; in code: Data; in name: FilePath;
272	in forSystem: boolean_t);
273	routine setAlternateSystemRoot(UCSP_PORTS; in path: FilePath);
274
275
276	//
277	// Subsidiary process (child) management.
278	// This call does NOT cause securityd-client activation.
279	//
280	simpleroutine childCheckIn(requestport sport: mach_port_t;
281	in servicePort: mach_port_make_send_t; in task_port: mach_port_t);
282
283	#if 1
284	// This should move up to be with its buddies (see #if 0 above), but it won't move
285	// until we need to force an incompatible change for some other reason.
286	routine commitDbForSync(UCSP_PORTS; in srcDb: IPCDbHandle; in cloneDb: IPCDbHandle;
287	out blob: DbBlob);
288	#endif
289
290
291	//
292	// Code Signing Hosting protocol part 1: registration services.
293	//
294	routine registerHosting(UCSP_PORTS;
295	in hostingPort: mach_port_make_send_t; in flags: uint32);
296	routine hostingPort(UCSP_PORTS;
297	in hostPid: pid_t; out hostingPort: mach_port_make_send_t);
298	routine setGuest(UCSP_PORTS; in guest: SecGuestRef; in flags: uint32);
299
300	//
301	// Code Signing Hosting protocol part 2: proxy services.
302	//
303	routine createGuest(UCSP_PORTS; in host: SecGuestRef; in status: uint32_t;
304	in path: FilePath; in cdhash: HashData; in attributes: Data; in flags: uint32; out guest: SecGuestRef);
305	routine setGuestStatus(UCSP_PORTS; in guest: SecGuestRef;
306	in status: uint32_t; in attributes: Data);
307	routine removeGuest(UCSP_PORTS; in host: SecGuestRef; in guest: SecGuestRef);
308
309	//
310	// Code Signing support calls
311	//
312	routine helpCheckLoad(UCSP_PORTS; in path: FilePath; in addType: uint32_t);
313
314	//
315	// Keychain Syncing setup support calls
316	//
317	routine recodeDbForSync(UCSP_PORTS; in dbToClone: IPCDbHandle;
318	in srcDb: IPCDbHandle; out newDb: IPCDbHandle);
319	routine authenticateDbsForSync(UCSP_PORTS; in ipcDbHandleArray: Data;
320	in agentData: Data; out newDb: IPCDbHandle);
321
322	//
323	// Allows the client to verify that the server really is root.
324	//
325	routine verifyPrivileged(UCSP_PORTS);
326
327	//
328	// The original verifyPrivileged is subject to a Mach service in the middle attack (6986198).
329	//
330	routine verifyPrivileged2(UCSP_PORTS; out originPort: mach_port_make_send_t);
427c49bc A	331
	332	// Internal Database call additions
	333	routine stashDb(UCSP_PORTS; in db: IPCDbHandle);
	334	routine stashDbCheck(UCSP_PORTS; in db: IPCDbHandle);
	335
	336	routine verifyKeyStorePassphrase(UCSP_PORTS; in retries: uint32_t);
	337	routine resetKeyStorePassphrase(UCSP_PORTS; in passPhrase: Data);
	338	routine changeKeyStorePassphrase(UCSP_PORTS);