[apple/security.git] / securityd / src / localkey.cpp

/*
 * Copyright (c) 2000-2001,2004,2006-2008 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// localkey - Key objects that store a local CSSM key object
//
#include "localkey.h"
#include "server.h"
#include "database.h"
#include <security_cdsa_utilities/acl_any.h>


//
// Create a Key from an explicit CssmKey.
//
LocalKey::LocalKey(Database &db, const CssmKey &newKey, CSSM_KEYATTR_FLAGS moreAttributes)
	: Key(db), mDigest(Server::csp().allocator())
{
	mValidKey = true;
	setup(newKey, moreAttributes);
    secdebug("SSkey", "%p (handle %#x) created from key alg=%u use=0x%x attr=0x%x db=%p",
        this, handle(), mKey.header().algorithm(), mKey.header().usage(), mAttributes, &db);
}


LocalKey::LocalKey(Database &db, CSSM_KEYATTR_FLAGS attributes)
	: Key(db), mValidKey(false), mAttributes(attributes), mDigest(Server::csp().allocator())
{
}


//
// Set up the CssmKey part of this Key according to instructions.
//
void LocalKey::setup(const CssmKey &newKey, CSSM_KEYATTR_FLAGS moreAttributes)
{
	mKey = CssmClient::Key(Server::csp(), newKey, false);
    CssmKey::Header &header = mKey->header();
    
	// copy key header
	header = newKey.header();
    mAttributes = (header.attributes() & ~forcedAttributes) | moreAttributes;
	
	// apply initial values of derived attributes (these are all in managedAttributes)
    if (!(mAttributes & CSSM_KEYATTR_EXTRACTABLE))
        mAttributes |= CSSM_KEYATTR_NEVER_EXTRACTABLE;
    if (mAttributes & CSSM_KEYATTR_SENSITIVE)
        mAttributes |= CSSM_KEYATTR_ALWAYS_SENSITIVE;

    // verify internal/external attribute separation
    assert((header.attributes() & managedAttributes) == forcedAttributes);
}


LocalKey::~LocalKey()
{
    secdebug("SSkey", "%p destroyed", this);
}


void LocalKey::setOwner(const AclEntryPrototype *owner)
{
	// establish initial ACL; reinterpret empty (null-list) owner as NULL for resilence's sake
	if (owner && !owner->subject().empty())
		acl().cssmSetInitial(*owner);					// specified
	else
		acl().cssmSetInitial(new AnyAclSubject());		// defaulted
}


LocalDatabase &LocalKey::database() const
{
	return referent<LocalDatabase>();
}


//
// Retrieve the actual CssmKey value for the key object.
// This will decode its blob if needed (and appropriate).
//
CssmClient::Key LocalKey::keyValue()
{
	StLock<Mutex> _(*this);
    if (!mValidKey) {
		getKey();
		mValidKey = true;
	}
    return mKey;
}


//
// Return external key attributees
//
CSSM_KEYATTR_FLAGS LocalKey::attributes()
{
	return mAttributes;
}


//
// Return a key's handle and header in external form
//
void LocalKey::returnKey(U32HandleObject::Handle &h, CssmKey::Header &hdr)
{
	StLock<Mutex> _(*this);

    // return handle
    h = this->handle();
	
	// obtain the key header, from the valid key or the blob if no valid key
	if (mValidKey) {
		hdr = mKey.header();
	} else {
		getHeader(hdr);
	}
    
    // adjust for external attributes
	hdr.clearAttribute(forcedAttributes);
    hdr.setAttribute(mAttributes);
}


//
// Generate the canonical key digest.
// This is defined by a CSP feature that we invoke here.
//
const CssmData &LocalKey::canonicalDigest()
{
	StLock<Mutex> _(*this);
	if (!mDigest) {
		CssmClient::PassThrough ctx(Server::csp());
		ctx.key(keyValue());
		CssmData *digest = NULL;
		ctx(CSSM_APPLECSP_KEYDIGEST, (const void *)NULL, &digest);
		assert(digest);
		mDigest.set(*digest);	// takes ownership of digest data
		Server::csp().allocator().free(digest);	// the CssmData itself
	}
	return mDigest.get();
}


//
// Default getKey/getHeader calls - should never be called
//
void LocalKey::getKey()
{
	assert(false);
}

void LocalKey::getHeader(CssmKey::Header &)
{
	assert(false);
}


//
// Form a KeySpec with checking and masking
//
LocalKey::KeySpec::KeySpec(CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attrs)
	: CssmClient::KeySpec(usage, (attrs & ~managedAttributes) | forcedAttributes)
{
	if (attrs & generatedAttributes)
		CssmError::throwMe(CSSMERR_CSP_INVALID_KEYATTR_MASK);
}

LocalKey::KeySpec::KeySpec(CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attrs, const CssmData &label)
	: CssmClient::KeySpec(usage, (attrs & ~managedAttributes) | forcedAttributes, label)
{
	if (attrs & generatedAttributes)
		CssmError::throwMe(CSSMERR_CSP_INVALID_KEYATTR_MASK);
}
Commit	Line	Data
d8f41ccd A	1	/*
	2	* Copyright (c) 2000-2001,2004,2006-2008 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	//
	26	// localkey - Key objects that store a local CSSM key object
	27	//
	28	#include "localkey.h"
	29	#include "server.h"
	30	#include "database.h"
	31	#include <security_cdsa_utilities/acl_any.h>
	32
	33
	34	//
	35	// Create a Key from an explicit CssmKey.
	36	//
	37	LocalKey::LocalKey(Database &db, const CssmKey &newKey, CSSM_KEYATTR_FLAGS moreAttributes)
	38	: Key(db), mDigest(Server::csp().allocator())
	39	{
	40	mValidKey = true;
	41	setup(newKey, moreAttributes);
	42	secdebug("SSkey", "%p (handle %#x) created from key alg=%u use=0x%x attr=0x%x db=%p",
	43	this, handle(), mKey.header().algorithm(), mKey.header().usage(), mAttributes, &db);
	44	}
	45
	46
	47	LocalKey::LocalKey(Database &db, CSSM_KEYATTR_FLAGS attributes)
	48	: Key(db), mValidKey(false), mAttributes(attributes), mDigest(Server::csp().allocator())
	49	{
	50	}
	51
	52
	53	//
	54	// Set up the CssmKey part of this Key according to instructions.
	55	//
	56	void LocalKey::setup(const CssmKey &newKey, CSSM_KEYATTR_FLAGS moreAttributes)
	57	{
	58	mKey = CssmClient::Key(Server::csp(), newKey, false);
	59	CssmKey::Header &header = mKey->header();
	60
	61	// copy key header
	62	header = newKey.header();
	63	mAttributes = (header.attributes() & ~forcedAttributes) \| moreAttributes;
	64
65	// apply initial values of derived attributes (these are all in managedAttributes)
66	if (!(mAttributes & CSSM_KEYATTR_EXTRACTABLE))
67	mAttributes \|= CSSM_KEYATTR_NEVER_EXTRACTABLE;
68	if (mAttributes & CSSM_KEYATTR_SENSITIVE)
69	mAttributes \|= CSSM_KEYATTR_ALWAYS_SENSITIVE;
70
71	// verify internal/external attribute separation
72	assert((header.attributes() & managedAttributes) == forcedAttributes);
73	}
74
75
76	LocalKey::~LocalKey()
77	{
78	secdebug("SSkey", "%p destroyed", this);
79	}
80
81
82	void LocalKey::setOwner(const AclEntryPrototype *owner)
83	{
84	// establish initial ACL; reinterpret empty (null-list) owner as NULL for resilence's sake
85	if (owner && !owner->subject().empty())
86	acl().cssmSetInitial(*owner); // specified
87	else
88	acl().cssmSetInitial(new AnyAclSubject()); // defaulted
89	}
90
91
92	LocalDatabase &LocalKey::database() const
93	{
94	return referent<LocalDatabase>();
95	}
96
97
98	//
99	// Retrieve the actual CssmKey value for the key object.
100	// This will decode its blob if needed (and appropriate).
101	//
102	CssmClient::Key LocalKey::keyValue()
103	{
104	StLock<Mutex> _(*this);
105	if (!mValidKey) {
106	getKey();
107	mValidKey = true;
108	}
109	return mKey;
110	}
111
112
113	//
114	// Return external key attributees
115	//
116	CSSM_KEYATTR_FLAGS LocalKey::attributes()
117	{
118	return mAttributes;
119	}
120
121
122	//
123	// Return a key's handle and header in external form
124	//
125	void LocalKey::returnKey(U32HandleObject::Handle &h, CssmKey::Header &hdr)
126	{
127	StLock<Mutex> _(*this);
128
129	// return handle
130	h = this->handle();
131
132	// obtain the key header, from the valid key or the blob if no valid key
133	if (mValidKey) {
134	hdr = mKey.header();
135	} else {
136	getHeader(hdr);
137	}
138
139	// adjust for external attributes
140	hdr.clearAttribute(forcedAttributes);
141	hdr.setAttribute(mAttributes);
142	}
143
144
145	//
146	// Generate the canonical key digest.
147	// This is defined by a CSP feature that we invoke here.
148	//
149	const CssmData &LocalKey::canonicalDigest()
150	{
151	StLock<Mutex> _(*this);
152	if (!mDigest) {
153	CssmClient::PassThrough ctx(Server::csp());
154	ctx.key(keyValue());
155	CssmData *digest = NULL;
156	ctx(CSSM_APPLECSP_KEYDIGEST, (const void *)NULL, &digest);
157	assert(digest);
158	mDigest.set(*digest); // takes ownership of digest data
159	Server::csp().allocator().free(digest); // the CssmData itself
160	}
161	return mDigest.get();
162	}
163
164
165	//
166	// Default getKey/getHeader calls - should never be called
167	//
168	void LocalKey::getKey()
169	{
170	assert(false);
171	}
172
173	void LocalKey::getHeader(CssmKey::Header &)
174	{
175	assert(false);
176	}
177
178
179	//
180	// Form a KeySpec with checking and masking
181	//
182	LocalKey::KeySpec::KeySpec(CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attrs)
183	: CssmClient::KeySpec(usage, (attrs & ~managedAttributes) \| forcedAttributes)
184	{
185	if (attrs & generatedAttributes)
186	CssmError::throwMe(CSSMERR_CSP_INVALID_KEYATTR_MASK);
187	}
188
189	LocalKey::KeySpec::KeySpec(CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attrs, const CssmData &label)
190	: CssmClient::KeySpec(usage, (attrs & ~managedAttributes) \| forcedAttributes, label)
191	{
192	if (attrs & generatedAttributes)
193	CssmError::throwMe(CSSMERR_CSP_INVALID_KEYATTR_MASK);
194	}