[apple/security.git] / keychain / ckks / CKKSItem.m

/*
 * Copyright (c) 2016 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#include <AssertMacros.h>

#import <Foundation/Foundation.h>
#import "CKKSItem.h"
#import "CKKSSIV.h"

#include <utilities/SecDb.h>
#include <securityd/SecDbItem.h>
#include <securityd/SecItemSchema.h>

#if OCTAGON

#import <CloudKit/CloudKit.h>
#import <CloudKit/CloudKit_Private.h>

@implementation CKKSItem

- (instancetype) initWithCKRecord: (CKRecord*) record {
    if(self = [super initWithCKRecord: record]) {
    }
    return self;
}

- (instancetype) initCopyingCKKSItem: (CKKSItem*) item {
    if(self = [super initWithCKRecordType: item.ckRecordType encodedCKRecord:item.encodedCKRecord zoneID:item.zoneID]) {
        _uuid = item.uuid;
        _parentKeyUUID = item.parentKeyUUID;
        _generationCount = item.generationCount;
        _encitem = item.encitem;
        _wrappedkey = item.wrappedkey;
        _encver = item.encver;

        _plaintextPCSServiceIdentifier = item.plaintextPCSServiceIdentifier;
        _plaintextPCSPublicKey         = item.plaintextPCSPublicKey;
        _plaintextPCSPublicIdentity    = item.plaintextPCSPublicIdentity;
    }
    return self;
}

- (instancetype) initWithUUID: (NSString*) uuid
                parentKeyUUID: (NSString*) parentKeyUUID
                       zoneID: (CKRecordZoneID*) zoneID
{
    return [self initWithUUID:uuid
                parentKeyUUID:parentKeyUUID
                       zoneID:zoneID
              encodedCKRecord:nil
                      encItem:nil
                   wrappedkey:nil
              generationCount:0
                       encver:CKKSItemEncryptionVersionNone];
}

- (instancetype) initWithUUID: (NSString*) uuid
                parentKeyUUID: (NSString*) parentKeyUUID
                       zoneID: (CKRecordZoneID*) zoneID
                      encItem: (NSData*) encitem
                   wrappedkey: (CKKSWrappedAESSIVKey*) wrappedkey
              generationCount: (NSUInteger) genCount
                       encver: (NSUInteger) encver
{
    return [self initWithUUID:uuid
                parentKeyUUID:parentKeyUUID
                       zoneID:zoneID
              encodedCKRecord:nil
                      encItem:encitem
                   wrappedkey:wrappedkey
              generationCount:genCount
                       encver:encver];
}

- (instancetype) initWithUUID: (NSString*) uuid
                parentKeyUUID: (NSString*) parentKeyUUID
                       zoneID: (CKRecordZoneID*)zoneID
              encodedCKRecord: (NSData*) encodedrecord
                      encItem: (NSData*) encitem
                   wrappedkey: (CKKSWrappedAESSIVKey*) wrappedkey
              generationCount: (NSUInteger) genCount
                       encver: (NSUInteger) encver
{
    return [self initWithUUID:uuid
                parentKeyUUID:parentKeyUUID
                       zoneID:zoneID
              encodedCKRecord:encodedrecord
                      encItem:encitem
                   wrappedkey:wrappedkey
              generationCount:genCount
                       encver:encver
plaintextPCSServiceIdentifier:nil
        plaintextPCSPublicKey:nil
   plaintextPCSPublicIdentity:nil];
}

- (instancetype) initWithUUID: (NSString*) uuid
                parentKeyUUID: (NSString*) parentKeyUUID
                       zoneID: (CKRecordZoneID*)zoneID
              encodedCKRecord: (NSData*) encodedrecord
                      encItem: (NSData*) encitem
                   wrappedkey: (CKKSWrappedAESSIVKey*) wrappedkey
              generationCount: (NSUInteger) genCount
                       encver: (NSUInteger) encver
plaintextPCSServiceIdentifier: (NSNumber*) pcsServiceIdentifier
        plaintextPCSPublicKey: (NSData*) pcsPublicKey
   plaintextPCSPublicIdentity: (NSData*) pcsPublicIdentity
{
    if(self = [super initWithCKRecordType: SecCKRecordItemType encodedCKRecord:encodedrecord zoneID:zoneID]) {
        _uuid = uuid;
        _parentKeyUUID = parentKeyUUID;
        _generationCount = genCount;
        self.encitem = encitem;
        _wrappedkey = wrappedkey;
        _encver = encver;

        _plaintextPCSServiceIdentifier = pcsServiceIdentifier;
        _plaintextPCSPublicKey = pcsPublicKey;
        _plaintextPCSPublicIdentity = pcsPublicIdentity;
    }

    return self;
}

- (BOOL)isEqual: (id) object {
    if(![object isKindOfClass:[CKKSItem class]]) {
        return NO;
    }

    CKKSItem* obj = (CKKSItem*) object;

    return ([self.uuid isEqual: obj.uuid] &&
            [self.parentKeyUUID isEqual: obj.parentKeyUUID] &&
            [self.zoneID isEqual: obj.zoneID] &&
            ((self.encitem == nil && obj.encitem == nil) || ([self.encitem isEqual: obj.encitem])) &&
            [self.wrappedkey isEqual: obj.wrappedkey] &&
            self.generationCount == obj.generationCount &&
            self.encver == obj.encver &&
            true) ? YES : NO;
}

#pragma mark - CKRecord handling

- (NSString*) CKRecordName {
    return self.uuid;
}

- (void) setFromCKRecord: (CKRecord*) record {
    if(![record.recordType isEqual: SecCKRecordItemType]) {
        @throw [NSException
                exceptionWithName:@"WrongCKRecordTypeException"
                reason:[NSString stringWithFormat: @"CKRecordType (%@) was not %@", record.recordType, SecCKRecordItemType]
                userInfo:nil];
    }

    [self setStoredCKRecord:record];

    _uuid = [[record recordID] recordName];
    self.parentKeyUUID = [record[SecCKRecordParentKeyRefKey] recordID].recordName;
    self.encitem = record[SecCKRecordDataKey];
    self.wrappedkey = [[CKKSWrappedAESSIVKey alloc] initWithBase64: record[SecCKRecordWrappedKeyKey]];
    self.generationCount = [record[SecCKRecordGenerationCountKey] unsignedIntegerValue];
    self.encver = [record[SecCKRecordEncryptionVersionKey] unsignedIntegerValue];

    self.plaintextPCSServiceIdentifier = record[SecCKRecordPCSServiceIdentifier];
    self.plaintextPCSPublicKey         = record[SecCKRecordPCSPublicKey];
    self.plaintextPCSPublicIdentity    = record[SecCKRecordPCSPublicIdentity];
}

+ (void)setOSVersionInRecord: (CKRecord*) record {
#ifdef PLATFORM
    // Use complicated macro magic to get the string value passed in as preprocessor define PLATFORM.
#define PLATFORM_VALUE(f) #f
#define PLATFORM_OBJCSTR(f) @PLATFORM_VALUE(f)
    NSString* platform = (PLATFORM_OBJCSTR(PLATFORM));
#undef PLATFORM_OBJCSTR
#undef PLATFORM_VALUE
#else
    NSString* platform = "unknown";
#warning No PLATFORM defined; why?
#endif
    NSString* osversion = [[NSProcessInfo processInfo]operatingSystemVersionString];

    // subtly improve osversion (but it's okay if that does nothing)
    NSString* finalversion = [platform stringByAppendingString: [osversion stringByReplacingOccurrencesOfString:@"Version" withString:@""]];
    record[SecCKRecordVersionKey] = finalversion;
}

- (CKRecord*) updateCKRecord: (CKRecord*) record zoneID: (CKRecordZoneID*) zoneID {
    if(![record.recordType isEqual: SecCKRecordItemType]) {
        @throw [NSException
                exceptionWithName:@"WrongCKRecordTypeException"
                reason:[NSString stringWithFormat: @"CKRecordType (%@) was not %@", record.recordType, SecCKRecordItemType]
                userInfo:nil];
    }

    // Items must have a wrapping key.
    record[SecCKRecordParentKeyRefKey] = [[CKReference alloc] initWithRecordID: [[CKRecordID alloc] initWithRecordName: self.parentKeyUUID zoneID: zoneID] action: CKReferenceActionValidate];

    [CKKSItem setOSVersionInRecord: record];

    record[SecCKRecordDataKey] = self.encitem;
    record[SecCKRecordWrappedKeyKey] = [self.wrappedkey base64WrappedKey];
    record[SecCKRecordGenerationCountKey] = [NSNumber numberWithInteger:self.generationCount];
    // TODO: if the record's generation count is already higher than ours, that's a problem.
    record[SecCKRecordEncryptionVersionKey] = [NSNumber numberWithInteger:self.encver];

    // Add unencrypted fields
    record[SecCKRecordPCSServiceIdentifier] = self.plaintextPCSServiceIdentifier;
    record[SecCKRecordPCSPublicKey]         = self.plaintextPCSPublicKey;
    record[SecCKRecordPCSPublicIdentity]    = self.plaintextPCSPublicIdentity;

    return record;
}


- (bool) matchesCKRecord: (CKRecord*) record {
    if(![record.recordType isEqual: SecCKRecordItemType]) {
        return false;
    }

    // We only really care about the data, the wrapped key, the generation count, and the parent key.
    // Note that since all of those things are included as authenticated data into the AES-SIV ciphertext, we could just
    // compare that. However, check 'em all.
    if(![record.recordID.recordName isEqualToString: self.uuid]) {
        secinfo("ckksitem", "UUID does not match");
        return false;
    }

    if(![[record[SecCKRecordParentKeyRefKey] recordID].recordName isEqualToString: self.parentKeyUUID]) {
        secinfo("ckksitem", "wrapping key reference does not match");
        return false;
    }

    if(![record[SecCKRecordGenerationCountKey] isEqual: [NSNumber numberWithInteger:self.generationCount]]) {
        secinfo("ckksitem", "SecCKRecordGenerationCountKey does not match");
        return false;
    }

    if(![record[SecCKRecordWrappedKeyKey] isEqual: [self.wrappedkey base64WrappedKey]]) {
        secinfo("ckksitem", "SecCKRecordWrappedKeyKey does not match");
        return false;
    }

    if(![record[SecCKRecordDataKey] isEqual: self.encitem]) {
        secinfo("ckksitem", "SecCKRecordDataKey does not match");
        return false;
    }

    // Compare plaintext records, too
    // Why is obj-c nullable equality so difficult?
    if(!((record[SecCKRecordPCSServiceIdentifier] == nil && self.plaintextPCSServiceIdentifier == nil) ||
          [record[SecCKRecordPCSServiceIdentifier] isEqual: self.plaintextPCSServiceIdentifier])) {
        secinfo("ckksitem", "SecCKRecordPCSServiceIdentifier does not match");
        return false;
    }

    if(!((record[SecCKRecordPCSPublicKey] == nil && self.plaintextPCSPublicKey == nil) ||
          [record[SecCKRecordPCSPublicKey] isEqual: self.plaintextPCSPublicKey])) {
        secinfo("ckksitem", "SecCKRecordPCSPublicKey does not match");
        return false;
    }

    if(!((record[SecCKRecordPCSPublicIdentity] == nil && self.plaintextPCSPublicIdentity == nil) ||
          [record[SecCKRecordPCSPublicIdentity] isEqual: self.plaintextPCSPublicIdentity])) {
        secinfo("ckksitem", "SecCKRecordPCSPublicIdentity does not match");
        return false;
    }

    return true;
}

// Generates the list of 'authenticated data' to go along with this item, and optionally adds in unknown, future fields received from CloudKit
- (NSDictionary<NSString*, NSData*>*)makeAuthenticatedDataDictionaryUpdatingCKKSItem:(CKKSItem*) olditem encryptionVersion:(SecCKKSItemEncryptionVersion)encversion {
    switch(encversion) {
        case CKKSItemEncryptionVersion1:
            return [self makeAuthenticatedDataDictionaryUpdatingCKKSItemEncVer1];
        case CKKSItemEncryptionVersion2:
            return [self makeAuthenticatedDataDictionaryUpdatingCKKSItemEncVer2:olditem];
        default:
            @throw [NSException
                    exceptionWithName:@"WrongEncryptionVersionException"
                    reason:[NSString stringWithFormat: @"%d is not a known encryption version", (int)encversion]
                    userInfo:nil];
    }
}

- (NSDictionary<NSString*, NSData*>*)makeAuthenticatedDataDictionaryUpdatingCKKSItemEncVer1 {
    NSMutableDictionary<NSString*, NSData*>* authenticatedData = [[NSMutableDictionary alloc] init];

    authenticatedData[@"UUID"] = [self.uuid dataUsingEncoding: NSUTF8StringEncoding];
    authenticatedData[SecCKRecordWrappedKeyKey] = [self.parentKeyUUID dataUsingEncoding: NSUTF8StringEncoding];

    uint64_t genCount64 = OSSwapHostToLittleConstInt64(self.generationCount);
    authenticatedData[SecCKRecordGenerationCountKey] = [NSData dataWithBytes:&genCount64 length:sizeof(genCount64)];

    uint64_t encver = OSSwapHostToLittleConstInt64((uint64_t)self.encver);
    authenticatedData[SecCKRecordEncryptionVersionKey] = [NSData dataWithBytes:&encver length:sizeof(encver)];

    // In v1, don't authenticate the plaintext PCS fields
    authenticatedData[SecCKRecordPCSServiceIdentifier] = nil;
    authenticatedData[SecCKRecordPCSPublicKey]         = nil;
    authenticatedData[SecCKRecordPCSPublicIdentity]    = nil;

    return authenticatedData;
}

- (NSDictionary<NSString*, NSData*>*)makeAuthenticatedDataDictionaryUpdatingCKKSItemEncVer2:(CKKSItem*) olditem {
    NSMutableDictionary<NSString*, NSData*>* authenticatedData = [[NSMutableDictionary alloc] init];

    authenticatedData[@"UUID"] = [self.uuid dataUsingEncoding: NSUTF8StringEncoding];
    authenticatedData[SecCKRecordWrappedKeyKey] = [self.parentKeyUUID dataUsingEncoding: NSUTF8StringEncoding];

    uint64_t genCount64 = OSSwapHostToLittleConstInt64(self.generationCount);
    authenticatedData[SecCKRecordGenerationCountKey] = [NSData dataWithBytes:&genCount64 length:sizeof(genCount64)];

    uint64_t encver = OSSwapHostToLittleConstInt64((uint64_t)self.encver);
    authenticatedData[SecCKRecordEncryptionVersionKey] = [NSData dataWithBytes:&encver length:sizeof(encver)];

    // v2 authenticates the PCS fields too
    if(self.plaintextPCSServiceIdentifier) {
        uint64_t pcsServiceIdentifier = OSSwapHostToLittleConstInt64([self.plaintextPCSServiceIdentifier unsignedLongValue]);
        authenticatedData[SecCKRecordPCSServiceIdentifier] = [NSData dataWithBytes:&pcsServiceIdentifier length:sizeof(pcsServiceIdentifier)];
    }
    authenticatedData[SecCKRecordPCSPublicKey]         = self.plaintextPCSPublicKey;
    authenticatedData[SecCKRecordPCSPublicIdentity]    = self.plaintextPCSPublicIdentity;

    // Iterate through the fields in the old CKKSItem. If we don't recognize any of them, add them to the authenticated data.
    if(olditem) {
        CKRecord* record = olditem.storedCKRecord;
        if(record) {
            for(NSString* key in record.allKeys) {
                if([key isEqualToString:@"UUID"] ||
                   [key isEqualToString:SecCKRecordVersionKey] ||
                   [key isEqualToString:SecCKRecordDataKey] ||
                   [key isEqualToString:SecCKRecordWrappedKeyKey] ||
                   [key isEqualToString:SecCKRecordGenerationCountKey] ||
                   [key isEqualToString:SecCKRecordEncryptionVersionKey] ||
                   [key isEqualToString:SecCKRecordPCSServiceIdentifier] ||
                   [key isEqualToString:SecCKRecordPCSPublicKey] ||
                   [key isEqualToString:SecCKRecordPCSPublicIdentity]) {
                    // This version of CKKS knows about this data field. Ignore them with prejudice.
                    continue;
                }

                if([key hasPrefix:@"server_"]) {
                    // Ignore all fields prefixed by "server_"
                    continue;
                }

                id obj = record[key];

                // Skip CKReferences, NSArray, CLLocation, and CKAsset.
                if([obj isKindOfClass: [NSString class]]) {
                    // Add an NSString.
                    authenticatedData[key] = [obj dataUsingEncoding: NSUTF8StringEncoding];
                } else if([obj isKindOfClass: [NSData class]]) {
                    // Add an NSData
                    authenticatedData[key] = [obj copy];
                } else if([obj isKindOfClass:[NSDate class]]) {
                    // Add an NSDate
                    NSISO8601DateFormatter *formatter = [[NSISO8601DateFormatter alloc] init];
                    NSString* str = [formatter stringForObjectValue: obj];

                    authenticatedData[key] = [str dataUsingEncoding: NSUTF8StringEncoding];
                } else if([obj isKindOfClass: [NSNumber class]]) {
                    // Add an NSNumber
                    uint64_t n64 = OSSwapHostToLittleConstInt64([obj unsignedLongLongValue]);
                    authenticatedData[key] = [NSData dataWithBytes:&n64 length:sizeof(n64)];
                }
            }

        }
    }

    // TODO: add unauth'ed field name here

    return authenticatedData;
}

#pragma mark - Utility

- (NSString*)description {
    return [NSString stringWithFormat: @"<%@: %@>", NSStringFromClass([self class]), self.uuid];
}

- (NSString*)debugDescription {
    return [NSString stringWithFormat: @"<%@: %@ %p>", NSStringFromClass([self class]), self.uuid, self];
}

- (instancetype)copyWithZone:(NSZone *)zone {
    CKKSItem *itemCopy = [super copyWithZone:zone];
    itemCopy->_uuid = _uuid;
    itemCopy->_parentKeyUUID = _parentKeyUUID;
    itemCopy->_encitem = _encitem;
    itemCopy->_wrappedkey = _wrappedkey;
    itemCopy->_generationCount = _generationCount;
    itemCopy->_encver = _encver;
    return itemCopy;
}

#pragma mark - Getters/Setters

- (NSString*) base64Item {
    return [self.encitem base64EncodedStringWithOptions:0];
}

- (void) setBase64Item: (NSString*) base64Item {
    _encitem = [[NSData alloc] initWithBase64EncodedString: base64Item options:0];
}

#pragma mark - CKKSSQLDatabaseObject helpers

// Note that CKKSItems are not intended to be saved directly, and so CKKSItem does not implement sqlTable.
// You must subclass CKKSItem to have this work correctly, although you can call back up into this class to use these if you like.

+ (NSArray<NSString*>*)sqlColumns {
    return @[@"UUID", @"parentKeyUUID", @"ckzone", @"encitem", @"wrappedkey", @"gencount", @"encver", @"ckrecord",
             @"pcss", @"pcsk", @"pcsi"];
}

- (NSDictionary<NSString*,NSString*>*)whereClauseToFindSelf {
    return @{@"UUID": self.uuid, @"ckzone":self.zoneID.zoneName};
}

- (NSDictionary<NSString*,NSString*>*)sqlValues {
    return @{@"UUID": self.uuid,
             @"parentKeyUUID": self.parentKeyUUID,
             @"ckzone":  CKKSNilToNSNull(self.zoneID.zoneName),
             @"encitem": self.base64encitem,
             @"wrappedkey": [self.wrappedkey base64WrappedKey],
             @"gencount": [NSNumber numberWithInteger:self.generationCount],
             @"encver": [NSNumber numberWithInteger:self.encver],
             @"ckrecord": CKKSNilToNSNull([self.encodedCKRecord base64EncodedStringWithOptions:0]),
             @"pcss": CKKSNilToNSNull(self.plaintextPCSServiceIdentifier),
             @"pcsk": CKKSNilToNSNull([self.plaintextPCSPublicKey base64EncodedStringWithOptions:0]),
             @"pcsi": CKKSNilToNSNull([self.plaintextPCSPublicIdentity base64EncodedStringWithOptions:0])};
}

+ (instancetype)fromDatabaseRow: (NSDictionary*) row {
    return [[CKKSItem alloc] initWithUUID:row[@"UUID"]
                            parentKeyUUID:row[@"parentKeyUUID"]
                                   zoneID:[[CKRecordZoneID alloc] initWithZoneName: row[@"ckzone"] ownerName:CKCurrentUserDefaultName]
                          encodedCKRecord:CKKSUnbase64NullableString(row[@"ckrecord"])
                                  encItem:CKKSUnbase64NullableString(row[@"encitem"])
                               wrappedkey:CKKSIsNull(row[@"wrappedkey"]) ? nil : [[CKKSWrappedAESSIVKey alloc] initWithBase64: row[@"wrappedkey"]]
                          generationCount:[row[@"gencount"] integerValue]
                                   encver:[row[@"encver"] integerValue]
            plaintextPCSServiceIdentifier:CKKSIsNull(row[@"pcss"]) ? nil : [NSNumber numberWithInteger: [row[@"pcss"] integerValue]]
                    plaintextPCSPublicKey:CKKSUnbase64NullableString(row[@"pcsk"])
               plaintextPCSPublicIdentity:CKKSUnbase64NullableString(row[@"pcsi"])
            ];
}

@end

#pragma mark - CK-Aware Database Helpers

@implementation CKKSSQLDatabaseObject (CKKSZoneExtras)

+ (NSArray<NSString*>*) allUUIDs:  (NSError * __autoreleasing *) error {
    __block NSMutableArray* uuids = [[NSMutableArray alloc] init];

    [CKKSSQLDatabaseObject queryDatabaseTable: [self sqlTable]
                                        where: nil
                                      columns: @[@"UUID"]
                                      groupBy: nil
                                      orderBy:nil
                                        limit: -1
                                   processRow: ^(NSDictionary* row) {
                                       [uuids addObject: row[@"UUID"]];
                                   }
                                        error: error];
    return uuids;
}

+ (NSArray*) all:(CKRecordZoneID*) zoneID error: (NSError * __autoreleasing *) error {
    return [self allWhere: @{@"ckzone": CKKSNilToNSNull(zoneID.zoneName)} error:error];
}

+ (bool) deleteAll:(CKRecordZoneID*) zoneID error: (NSError * __autoreleasing *) error {
    bool ok = [CKKSSQLDatabaseObject deleteFromTable:[self sqlTable] where: @{@"ckzone":CKKSNilToNSNull(zoneID.zoneName)} connection:nil error: error];

    if(ok) {
        secdebug("ckksitem", "Deleted all %@", self);
    } else {
        secdebug("ckksitem", "Couldn't delete all %@: %@", self, error ? *error : @"unknown");
    }
    return ok;
}

@end

#endif
Commit	Line	Data
866f8763 A	1	/*
	2	* Copyright (c) 2016 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#include <AssertMacros.h>
	25
	26	#import <Foundation/Foundation.h>
	27	#import "CKKSItem.h"
	28	#import "CKKSSIV.h"
	29
	30	#include <utilities/SecDb.h>
	31	#include <securityd/SecDbItem.h>
	32	#include <securityd/SecItemSchema.h>
	33
	34	#if OCTAGON
	35
	36	#import <CloudKit/CloudKit.h>
	37	#import <CloudKit/CloudKit_Private.h>
	38
	39	@implementation CKKSItem
	40
	41	- (instancetype) initWithCKRecord: (CKRecord*) record {
	42	if(self = [super initWithCKRecord: record]) {
	43	}
	44	return self;
	45	}
	46
	47	- (instancetype) initCopyingCKKSItem: (CKKSItem*) item {
	48	if(self = [super initWithCKRecordType: item.ckRecordType encodedCKRecord:item.encodedCKRecord zoneID:item.zoneID]) {
	49	_uuid = item.uuid;
	50	_parentKeyUUID = item.parentKeyUUID;
	51	_generationCount = item.generationCount;
	52	_encitem = item.encitem;
	53	_wrappedkey = item.wrappedkey;
	54	_encver = item.encver;
	55
	56	_plaintextPCSServiceIdentifier = item.plaintextPCSServiceIdentifier;
	57	_plaintextPCSPublicKey = item.plaintextPCSPublicKey;
	58	_plaintextPCSPublicIdentity = item.plaintextPCSPublicIdentity;
	59	}
	60	return self;
	61	}
	62
	63	- (instancetype) initWithUUID: (NSString*) uuid
	64	parentKeyUUID: (NSString*) parentKeyUUID
65	zoneID: (CKRecordZoneID*) zoneID
66	{
67	return [self initWithUUID:uuid
68	parentKeyUUID:parentKeyUUID
69	zoneID:zoneID
70	encodedCKRecord:nil
71	encItem:nil
72	wrappedkey:nil
73	generationCount:0
74	encver:CKKSItemEncryptionVersionNone];
75	}
76
77	- (instancetype) initWithUUID: (NSString*) uuid
78	parentKeyUUID: (NSString*) parentKeyUUID
79	zoneID: (CKRecordZoneID*) zoneID
80	encItem: (NSData*) encitem
81	wrappedkey: (CKKSWrappedAESSIVKey*) wrappedkey
82	generationCount: (NSUInteger) genCount
83	encver: (NSUInteger) encver
84	{
85	return [self initWithUUID:uuid
86	parentKeyUUID:parentKeyUUID
87	zoneID:zoneID
88	encodedCKRecord:nil
89	encItem:encitem
90	wrappedkey:wrappedkey
91	generationCount:genCount
92	encver:encver];
93	}
94
95	- (instancetype) initWithUUID: (NSString*) uuid
96	parentKeyUUID: (NSString*) parentKeyUUID
97	zoneID: (CKRecordZoneID*)zoneID
98	encodedCKRecord: (NSData*) encodedrecord
99	encItem: (NSData*) encitem
100	wrappedkey: (CKKSWrappedAESSIVKey*) wrappedkey
101	generationCount: (NSUInteger) genCount
102	encver: (NSUInteger) encver
103	{
104	return [self initWithUUID:uuid
105	parentKeyUUID:parentKeyUUID
106	zoneID:zoneID
107	encodedCKRecord:encodedrecord
108	encItem:encitem
109	wrappedkey:wrappedkey
110	generationCount:genCount
111	encver:encver
112	plaintextPCSServiceIdentifier:nil
113	plaintextPCSPublicKey:nil
114	plaintextPCSPublicIdentity:nil];
115	}
116
117	- (instancetype) initWithUUID: (NSString*) uuid
118	parentKeyUUID: (NSString*) parentKeyUUID
119	zoneID: (CKRecordZoneID*)zoneID
120	encodedCKRecord: (NSData*) encodedrecord
121	encItem: (NSData*) encitem
122	wrappedkey: (CKKSWrappedAESSIVKey*) wrappedkey
123	generationCount: (NSUInteger) genCount
124	encver: (NSUInteger) encver
125	plaintextPCSServiceIdentifier: (NSNumber*) pcsServiceIdentifier
126	plaintextPCSPublicKey: (NSData*) pcsPublicKey
127	plaintextPCSPublicIdentity: (NSData*) pcsPublicIdentity
128	{
129	if(self = [super initWithCKRecordType: SecCKRecordItemType encodedCKRecord:encodedrecord zoneID:zoneID]) {
130	_uuid = uuid;
131	_parentKeyUUID = parentKeyUUID;
132	_generationCount = genCount;
133	self.encitem = encitem;
134	_wrappedkey = wrappedkey;
135	_encver = encver;
136
137	_plaintextPCSServiceIdentifier = pcsServiceIdentifier;
138	_plaintextPCSPublicKey = pcsPublicKey;
139	_plaintextPCSPublicIdentity = pcsPublicIdentity;
140	}
141
142	return self;
143	}
144
145	- (BOOL)isEqual: (id) object {
146	if(![object isKindOfClass:[CKKSItem class]]) {
147	return NO;
148	}
149
150	CKKSItem* obj = (CKKSItem*) object;
151
152	return ([self.uuid isEqual: obj.uuid] &&
153	[self.parentKeyUUID isEqual: obj.parentKeyUUID] &&
154	[self.zoneID isEqual: obj.zoneID] &&
155	((self.encitem == nil && obj.encitem == nil) \|\| ([self.encitem isEqual: obj.encitem])) &&
156	[self.wrappedkey isEqual: obj.wrappedkey] &&
157	self.generationCount == obj.generationCount &&
158	self.encver == obj.encver &&
159	true) ? YES : NO;
160	}
161
162	#pragma mark - CKRecord handling
163
164	- (NSString*) CKRecordName {
165	return self.uuid;
166	}
167
168	- (void) setFromCKRecord: (CKRecord*) record {
169	if(![record.recordType isEqual: SecCKRecordItemType]) {
170	@throw [NSException
171	exceptionWithName:@"WrongCKRecordTypeException"
172	reason:[NSString stringWithFormat: @"CKRecordType (%@) was not %@", record.recordType, SecCKRecordItemType]
173	userInfo:nil];
174	}
175
176	[self setStoredCKRecord:record];
177
178	_uuid = [[record recordID] recordName];
179	self.parentKeyUUID = [record[SecCKRecordParentKeyRefKey] recordID].recordName;
180	self.encitem = record[SecCKRecordDataKey];
181	self.wrappedkey = [[CKKSWrappedAESSIVKey alloc] initWithBase64: record[SecCKRecordWrappedKeyKey]];
182	self.generationCount = [record[SecCKRecordGenerationCountKey] unsignedIntegerValue];
183	self.encver = [record[SecCKRecordEncryptionVersionKey] unsignedIntegerValue];
184
185	self.plaintextPCSServiceIdentifier = record[SecCKRecordPCSServiceIdentifier];
186	self.plaintextPCSPublicKey = record[SecCKRecordPCSPublicKey];
187	self.plaintextPCSPublicIdentity = record[SecCKRecordPCSPublicIdentity];
188	}
189
190	+ (void)setOSVersionInRecord: (CKRecord*) record {
191	#ifdef PLATFORM
192	// Use complicated macro magic to get the string value passed in as preprocessor define PLATFORM.
193	#define PLATFORM_VALUE(f) #f
194	#define PLATFORM_OBJCSTR(f) @PLATFORM_VALUE(f)
195	NSString* platform = (PLATFORM_OBJCSTR(PLATFORM));
196	#undef PLATFORM_OBJCSTR
197	#undef PLATFORM_VALUE
198	#else
199	NSString* platform = "unknown";
200	#warning No PLATFORM defined; why?
201	#endif
202	NSString* osversion = [[NSProcessInfo processInfo]operatingSystemVersionString];
203
204	// subtly improve osversion (but it's okay if that does nothing)
205	NSString* finalversion = [platform stringByAppendingString: [osversion stringByReplacingOccurrencesOfString:@"Version" withString:@""]];
206	record[SecCKRecordVersionKey] = finalversion;
207	}
208
209	- (CKRecord) updateCKRecord: (CKRecord) record zoneID: (CKRecordZoneID*) zoneID {
210	if(![record.recordType isEqual: SecCKRecordItemType]) {
211	@throw [NSException
212	exceptionWithName:@"WrongCKRecordTypeException"
213	reason:[NSString stringWithFormat: @"CKRecordType (%@) was not %@", record.recordType, SecCKRecordItemType]
214	userInfo:nil];
215	}
216
217	// Items must have a wrapping key.
218	record[SecCKRecordParentKeyRefKey] = [[CKReference alloc] initWithRecordID: [[CKRecordID alloc] initWithRecordName: self.parentKeyUUID zoneID: zoneID] action: CKReferenceActionValidate];
219
220	[CKKSItem setOSVersionInRecord: record];
221
222	record[SecCKRecordDataKey] = self.encitem;
223	record[SecCKRecordWrappedKeyKey] = [self.wrappedkey base64WrappedKey];
224	record[SecCKRecordGenerationCountKey] = [NSNumber numberWithInteger:self.generationCount];
225	// TODO: if the record's generation count is already higher than ours, that's a problem.
226	record[SecCKRecordEncryptionVersionKey] = [NSNumber numberWithInteger:self.encver];
227
228	// Add unencrypted fields
229	record[SecCKRecordPCSServiceIdentifier] = self.plaintextPCSServiceIdentifier;
230	record[SecCKRecordPCSPublicKey] = self.plaintextPCSPublicKey;
231	record[SecCKRecordPCSPublicIdentity] = self.plaintextPCSPublicIdentity;
232
233	return record;
234	}
235
236
237	- (bool) matchesCKRecord: (CKRecord*) record {
238	if(![record.recordType isEqual: SecCKRecordItemType]) {
239	return false;
240	}
241
242	// We only really care about the data, the wrapped key, the generation count, and the parent key.
243	// Note that since all of those things are included as authenticated data into the AES-SIV ciphertext, we could just
244	// compare that. However, check 'em all.
245	if(![record.recordID.recordName isEqualToString: self.uuid]) {
246	secinfo("ckksitem", "UUID does not match");
247	return false;
248	}
249
250	if(![[record[SecCKRecordParentKeyRefKey] recordID].recordName isEqualToString: self.parentKeyUUID]) {
251	secinfo("ckksitem", "wrapping key reference does not match");
252	return false;
253	}
254
255	if(![record[SecCKRecordGenerationCountKey] isEqual: [NSNumber numberWithInteger:self.generationCount]]) {
256	secinfo("ckksitem", "SecCKRecordGenerationCountKey does not match");
257	return false;
258	}
259
260	if(![record[SecCKRecordWrappedKeyKey] isEqual: [self.wrappedkey base64WrappedKey]]) {
261	secinfo("ckksitem", "SecCKRecordWrappedKeyKey does not match");
262	return false;
263	}
264
265	if(![record[SecCKRecordDataKey] isEqual: self.encitem]) {
266	secinfo("ckksitem", "SecCKRecordDataKey does not match");
267	return false;
268	}
269
270	// Compare plaintext records, too
271	// Why is obj-c nullable equality so difficult?
272	if(!((record[SecCKRecordPCSServiceIdentifier] == nil && self.plaintextPCSServiceIdentifier == nil) \|\|
273	[record[SecCKRecordPCSServiceIdentifier] isEqual: self.plaintextPCSServiceIdentifier])) {
274	secinfo("ckksitem", "SecCKRecordPCSServiceIdentifier does not match");
275	return false;
276	}
277
278	if(!((record[SecCKRecordPCSPublicKey] == nil && self.plaintextPCSPublicKey == nil) \|\|
279	[record[SecCKRecordPCSPublicKey] isEqual: self.plaintextPCSPublicKey])) {
280	secinfo("ckksitem", "SecCKRecordPCSPublicKey does not match");
281	return false;
282	}
283
284	if(!((record[SecCKRecordPCSPublicIdentity] == nil && self.plaintextPCSPublicIdentity == nil) \|\|
285	[record[SecCKRecordPCSPublicIdentity] isEqual: self.plaintextPCSPublicIdentity])) {
286	secinfo("ckksitem", "SecCKRecordPCSPublicIdentity does not match");
287	return false;
288	}
289
290	return true;
291	}
292
293	// Generates the list of 'authenticated data' to go along with this item, and optionally adds in unknown, future fields received from CloudKit
294	- (NSDictionary<NSString, NSData>)makeAuthenticatedDataDictionaryUpdatingCKKSItem:(CKKSItem) olditem encryptionVersion:(SecCKKSItemEncryptionVersion)encversion {
295	switch(encversion) {
296	case CKKSItemEncryptionVersion1:
297	return [self makeAuthenticatedDataDictionaryUpdatingCKKSItemEncVer1];
298	case CKKSItemEncryptionVersion2:
299	return [self makeAuthenticatedDataDictionaryUpdatingCKKSItemEncVer2:olditem];
300	default:
301	@throw [NSException
302	exceptionWithName:@"WrongEncryptionVersionException"
303	reason:[NSString stringWithFormat: @"%d is not a known encryption version", (int)encversion]
304	userInfo:nil];
305	}
306	}
307
308	- (NSDictionary<NSString, NSData>*)makeAuthenticatedDataDictionaryUpdatingCKKSItemEncVer1 {
309	NSMutableDictionary<NSString, NSData>* authenticatedData = [[NSMutableDictionary alloc] init];
310
311	authenticatedData[@"UUID"] = [self.uuid dataUsingEncoding: NSUTF8StringEncoding];
312	authenticatedData[SecCKRecordWrappedKeyKey] = [self.parentKeyUUID dataUsingEncoding: NSUTF8StringEncoding];
313
314	uint64_t genCount64 = OSSwapHostToLittleConstInt64(self.generationCount);
315	authenticatedData[SecCKRecordGenerationCountKey] = [NSData dataWithBytes:&genCount64 length:sizeof(genCount64)];
316
317	uint64_t encver = OSSwapHostToLittleConstInt64((uint64_t)self.encver);
318	authenticatedData[SecCKRecordEncryptionVersionKey] = [NSData dataWithBytes:&encver length:sizeof(encver)];
319
320	// In v1, don't authenticate the plaintext PCS fields
321	authenticatedData[SecCKRecordPCSServiceIdentifier] = nil;
322	authenticatedData[SecCKRecordPCSPublicKey] = nil;
323	authenticatedData[SecCKRecordPCSPublicIdentity] = nil;
324
325	return authenticatedData;
326	}
327
328	- (NSDictionary<NSString, NSData>)makeAuthenticatedDataDictionaryUpdatingCKKSItemEncVer2:(CKKSItem) olditem {
329	NSMutableDictionary<NSString, NSData>* authenticatedData = [[NSMutableDictionary alloc] init];
330
331	authenticatedData[@"UUID"] = [self.uuid dataUsingEncoding: NSUTF8StringEncoding];
332	authenticatedData[SecCKRecordWrappedKeyKey] = [self.parentKeyUUID dataUsingEncoding: NSUTF8StringEncoding];
333
334	uint64_t genCount64 = OSSwapHostToLittleConstInt64(self.generationCount);
335	authenticatedData[SecCKRecordGenerationCountKey] = [NSData dataWithBytes:&genCount64 length:sizeof(genCount64)];
336
337	uint64_t encver = OSSwapHostToLittleConstInt64((uint64_t)self.encver);
338	authenticatedData[SecCKRecordEncryptionVersionKey] = [NSData dataWithBytes:&encver length:sizeof(encver)];
339
340	// v2 authenticates the PCS fields too
341	if(self.plaintextPCSServiceIdentifier) {
342	uint64_t pcsServiceIdentifier = OSSwapHostToLittleConstInt64([self.plaintextPCSServiceIdentifier unsignedLongValue]);
343	authenticatedData[SecCKRecordPCSServiceIdentifier] = [NSData dataWithBytes:&pcsServiceIdentifier length:sizeof(pcsServiceIdentifier)];
344	}
345	authenticatedData[SecCKRecordPCSPublicKey] = self.plaintextPCSPublicKey;
346	authenticatedData[SecCKRecordPCSPublicIdentity] = self.plaintextPCSPublicIdentity;
347
348	// Iterate through the fields in the old CKKSItem. If we don't recognize any of them, add them to the authenticated data.
349	if(olditem) {
350	CKRecord* record = olditem.storedCKRecord;
351	if(record) {
352	for(NSString* key in record.allKeys) {
353	if([key isEqualToString:@"UUID"] \|\|
354	[key isEqualToString:SecCKRecordVersionKey] \|\|
355	[key isEqualToString:SecCKRecordDataKey] \|\|
356	[key isEqualToString:SecCKRecordWrappedKeyKey] \|\|
357	[key isEqualToString:SecCKRecordGenerationCountKey] \|\|
358	[key isEqualToString:SecCKRecordEncryptionVersionKey] \|\|
359	[key isEqualToString:SecCKRecordPCSServiceIdentifier] \|\|
360	[key isEqualToString:SecCKRecordPCSPublicKey] \|\|
361	[key isEqualToString:SecCKRecordPCSPublicIdentity]) {
362	// This version of CKKS knows about this data field. Ignore them with prejudice.
363	continue;
364	}
365
366	if([key hasPrefix:@"server_"]) {
367	// Ignore all fields prefixed by "server_"
368	continue;
369	}
370
371	id obj = record[key];
372
373	// Skip CKReferences, NSArray, CLLocation, and CKAsset.
374	if([obj isKindOfClass: [NSString class]]) {
375	// Add an NSString.
376	authenticatedData[key] = [obj dataUsingEncoding: NSUTF8StringEncoding];
377	} else if([obj isKindOfClass: [NSData class]]) {
378	// Add an NSData
379	authenticatedData[key] = [obj copy];
380	} else if([obj isKindOfClass:[NSDate class]]) {
381	// Add an NSDate
382	NSISO8601DateFormatter *formatter = [[NSISO8601DateFormatter alloc] init];
383	NSString* str = [formatter stringForObjectValue: obj];
384
385	authenticatedData[key] = [str dataUsingEncoding: NSUTF8StringEncoding];
386	} else if([obj isKindOfClass: [NSNumber class]]) {
387	// Add an NSNumber
388	uint64_t n64 = OSSwapHostToLittleConstInt64([obj unsignedLongLongValue]);
389	authenticatedData[key] = [NSData dataWithBytes:&n64 length:sizeof(n64)];
390	}
391	}
392
393	}
394	}
395
396	// TODO: add unauth'ed field name here
397
398	return authenticatedData;
399	}
400
401	#pragma mark - Utility
402
403	- (NSString*)description {
404	return [NSString stringWithFormat: @"<%@: %@>", NSStringFromClass([self class]), self.uuid];
405	}
406
407	- (NSString*)debugDescription {
408	return [NSString stringWithFormat: @"<%@: %@ %p>", NSStringFromClass([self class]), self.uuid, self];
409	}
410
411	- (instancetype)copyWithZone:(NSZone *)zone {
412	CKKSItem *itemCopy = [super copyWithZone:zone];
413	itemCopy->_uuid = _uuid;
414	itemCopy->_parentKeyUUID = _parentKeyUUID;
415	itemCopy->_encitem = _encitem;
416	itemCopy->_wrappedkey = _wrappedkey;
417	itemCopy->_generationCount = _generationCount;
418	itemCopy->_encver = _encver;
419	return itemCopy;
420	}
421
422	#pragma mark - Getters/Setters
423
424	- (NSString*) base64Item {
425	return [self.encitem base64EncodedStringWithOptions:0];
426	}
427
428	- (void) setBase64Item: (NSString*) base64Item {
429	_encitem = [[NSData alloc] initWithBase64EncodedString: base64Item options:0];
430	}
431
432	#pragma mark - CKKSSQLDatabaseObject helpers
433
434	// Note that CKKSItems are not intended to be saved directly, and so CKKSItem does not implement sqlTable.
435	// You must subclass CKKSItem to have this work correctly, although you can call back up into this class to use these if you like.
436
437	+ (NSArray<NSString>)sqlColumns {
438	return @[@"UUID", @"parentKeyUUID", @"ckzone", @"encitem", @"wrappedkey", @"gencount", @"encver", @"ckrecord",
439	@"pcss", @"pcsk", @"pcsi"];
440	}
441
442	- (NSDictionary<NSString,NSString>*)whereClauseToFindSelf {
443	return @{@"UUID": self.uuid, @"ckzone":self.zoneID.zoneName};
444	}
445
446	- (NSDictionary<NSString,NSString>*)sqlValues {
447	return @{@"UUID": self.uuid,
448	@"parentKeyUUID": self.parentKeyUUID,
449	@"ckzone": CKKSNilToNSNull(self.zoneID.zoneName),
450	@"encitem": self.base64encitem,
451	@"wrappedkey": [self.wrappedkey base64WrappedKey],
452	@"gencount": [NSNumber numberWithInteger:self.generationCount],
453	@"encver": [NSNumber numberWithInteger:self.encver],
454	@"ckrecord": CKKSNilToNSNull([self.encodedCKRecord base64EncodedStringWithOptions:0]),
455	@"pcss": CKKSNilToNSNull(self.plaintextPCSServiceIdentifier),
456	@"pcsk": CKKSNilToNSNull([self.plaintextPCSPublicKey base64EncodedStringWithOptions:0]),
457	@"pcsi": CKKSNilToNSNull([self.plaintextPCSPublicIdentity base64EncodedStringWithOptions:0])};
458	}
459
460	+ (instancetype)fromDatabaseRow: (NSDictionary*) row {
461	return [[CKKSItem alloc] initWithUUID:row[@"UUID"]
462	parentKeyUUID:row[@"parentKeyUUID"]
463	zoneID:[[CKRecordZoneID alloc] initWithZoneName: row[@"ckzone"] ownerName:CKCurrentUserDefaultName]
464	encodedCKRecord:CKKSUnbase64NullableString(row[@"ckrecord"])
465	encItem:CKKSUnbase64NullableString(row[@"encitem"])
466	wrappedkey:CKKSIsNull(row[@"wrappedkey"]) ? nil : [[CKKSWrappedAESSIVKey alloc] initWithBase64: row[@"wrappedkey"]]
467	generationCount:[row[@"gencount"] integerValue]
468	encver:[row[@"encver"] integerValue]
469	plaintextPCSServiceIdentifier:CKKSIsNull(row[@"pcss"]) ? nil : [NSNumber numberWithInteger: [row[@"pcss"] integerValue]]
470	plaintextPCSPublicKey:CKKSUnbase64NullableString(row[@"pcsk"])
471	plaintextPCSPublicIdentity:CKKSUnbase64NullableString(row[@"pcsi"])
472	];
473	}
474
475	@end
476
477	#pragma mark - CK-Aware Database Helpers
478
479	@implementation CKKSSQLDatabaseObject (CKKSZoneExtras)
480
481	+ (NSArray<NSString>) allUUIDs: (NSError * __autoreleasing *) error {
482	__block NSMutableArray* uuids = [[NSMutableArray alloc] init];
483
484	[CKKSSQLDatabaseObject queryDatabaseTable: [self sqlTable]
485	where: nil
486	columns: @[@"UUID"]
487	groupBy: nil
488	orderBy:nil
489	limit: -1
490	processRow: ^(NSDictionary* row) {
491	[uuids addObject: row[@"UUID"]];
492	}
493	error: error];
494	return uuids;
495	}
496
497	+ (NSArray) all:(CKRecordZoneID) zoneID error: (NSError * __autoreleasing *) error {
498	return [self allWhere: @{@"ckzone": CKKSNilToNSNull(zoneID.zoneName)} error:error];
499	}
500
501	+ (bool) deleteAll:(CKRecordZoneID) zoneID error: (NSError __autoreleasing *) error {
502	bool ok = [CKKSSQLDatabaseObject deleteFromTable:[self sqlTable] where: @{@"ckzone":CKKSNilToNSNull(zoneID.zoneName)} connection:nil error: error];
503
504	if(ok) {
505	secdebug("ckksitem", "Deleted all %@", self);
506	} else {
507	secdebug("ckksitem", "Couldn't delete all %@: %@", self, error ? *error : @"unknown");
508	}
509	return ok;
510	}
511
512	@end
513
514	#endif