[apple/security.git] / OSX / libsecurity_keychain / lib / Item.h

/*
 * Copyright (c) 2000-2004,2011-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// Item.h
//
#ifndef _SECURITY_ITEM_H_
#define _SECURITY_ITEM_H_

#include <security_keychain/Keychains.h>
#include <security_keychain/PrimaryKey.h>
#include <security_cdsa_client/securestorage.h>
#include <security_keychain/Access.h>

namespace Security
{

using namespace CssmClient;

namespace KeychainCore
{
class Keychain;

class ItemImpl : public SecCFObject
{
public:
	SECCFFUNCTIONS_CREATABLE(ItemImpl, SecKeychainItemRef, gTypes().ItemImpl)

    static ItemImpl *required(SecKeychainItemRef ptr);
    static ItemImpl *optional(SecKeychainItemRef ptr);

    friend class Item;
	friend class KeychainImpl;
protected:

	// new item constructors
    ItemImpl(SecItemClass itemClass, OSType itemCreator, UInt32 length, const void* data, bool inhibitCheck = false);

	ItemImpl(SecItemClass itemClass, SecKeychainAttributeList *attrList, UInt32 length, const void* data);

	// db item constructor
    ItemImpl(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId);

	// PrimaryKey item constructor
    ItemImpl(const Keychain &keychain, const PrimaryKey &primaryKey);

public:

	static ItemImpl* make(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId);
	static ItemImpl* make(const Keychain &keychain, const PrimaryKey &primaryKey);

	ItemImpl(ItemImpl &item);

	// Return true if we got the attribute, false if we only got the actualLength.
	void getAttributeFrom(CssmDbAttributeData *data, SecKeychainAttribute &attr,  UInt32 *actualLength);
	void getClass(SecKeychainAttribute &attr,  UInt32 *actualLength);

	// For iOS keys
	void setPersistentRef(CFDataRef ref);
	// returns NULL for securityd keys, or the (non-NULL) persistent ref for iOS keys
	CFDataRef getPersistentRef();
	
	PrimaryKey addWithCopyInfo(Keychain &keychain, bool isCopy);
	Mutex* getMutexForObject() const;

    // Return true iff the item integrity has not been compromised.
    virtual bool checkIntegrity();
    bool checkIntegrity(AclBearer& key);
    static bool checkIntegrityFromDictionary(AclBearer& key, DbAttributes* dbAttributes);

protected:
	// Methods called by KeychainImpl;

	// Add the receiver to keychain
	virtual PrimaryKey add(Keychain &keychain);

    // Prepare a dbAttributes to extract all possible attributes with a call to
    // getContent.
    void fillDbAttributesFromSchema(DbAttributes& dbAttributes, CSSM_DB_RECORDTYPE recordType, Keychain keychain = NULL);

    // Get all current attributes of this item. This will call out to the
    // database (if there is one) and then overly the current pending updates.
    // You must delete the returned object.
    DbAttributes* getCurrentAttributes();

    // Return a canonical form of this item's attributes
    void encodeAttributes(CssmOwnedData &attributeBlob);

    // Return a canonical form of the attributes passed in
    static void encodeAttributesFromDictionary(CssmOwnedData &attributeBlob, DbAttributes* dbAttributes);

    // Return a canonical digest of the record type and attributes of the item
    void computeDigest(CssmOwnedData &sha2);

    // Return a canonical digest of the record type and attributes passed in
    static void computeDigestFromDictionary(CssmOwnedData &sha2, DbAttributes* dbAttributes);

	// Get the default value for an attribute
	static const CSSM_DATA &defaultAttributeValue(const CSSM_DB_ATTRIBUTE_INFO &info);

public:
    virtual ~ItemImpl();
    bool isPersistent();
    bool isModified();

	virtual void update();

	void aboutToDestruct();

	// put a copy of the item into a given keychain
	virtual Item copyTo(const Keychain &keychain, Access *newAccess = NULL);

    CSSM_DB_RECORDTYPE recordType();

	// Used for writing the record to the database.
    CssmClient::DbUniqueRecord dbUniqueRecord();
	const CssmClient::DbAttributes *modifiedAttributes();
	const CssmData *modifiedData();
	virtual void didModify(); // Forget any attributes and data we just wrote to the db

	Keychain keychain();
	PrimaryKey primaryKey();
	bool operator < (const ItemImpl &other);

	void getAttribute(SecKeychainAttribute& attr,  UInt32 *actualLength);
	void getData(CssmDataContainer& outData);

	void modifyContent(const SecKeychainAttributeList *attrList, UInt32 dataLength, const void *inData);
	void getContent(SecItemClass *itemClass, SecKeychainAttributeList *attrList, UInt32 *length, void **outData);
	static void freeContent(SecKeychainAttributeList *attrList, void *data);
	static void freeAttributesAndData(SecKeychainAttributeList *attrList, void *data);

	void getAttributesAndData(SecKeychainAttributeInfo *info, SecItemClass *itemClass,
							  SecKeychainAttributeList **attrList, UInt32 *length, void **outData);
	void modifyAttributesAndData(const SecKeychainAttributeList *attrList, UInt32 dataLength, const void *inData);

	void setAttribute(SecKeychainAttribute& attr);
	void setAttribute(const CssmDbAttributeInfo &info, const CssmPolyData &data);
	void setData(UInt32 length,const void *data);
	void setAccess(Access *newAccess);
	void copyRecordIdentifier(CSSM_DATA &data);
	SSGroup group();

    void getContent(DbAttributes *dbAttributes, CssmDataContainer *itemData);
    void getLocalContent(SecKeychainAttributeList *attributeList, UInt32 *outLength, void **outData);

    bool useSecureStorage(const CssmClient::Db &db);
	virtual void willRead();

    // create a persistent reference to this item
    void copyPersistentReference(CFDataRef &outDataRef, bool isSecIdentityRef=false);
	static Item makeFromPersistentReference(const CFDataRef persistentRef, bool *isIdentityRef=NULL);

	// for keychain syncing
	void doNotEncrypt () {mDoNotEncrypt = true;}

	// for posting events on this item
	void postItemEvent (SecKeychainEvent theEvent);

	// Only call these functions while holding globals().apiLock.
	bool inCache() const throw() { return mInCache; }
	void inCache(bool inCache) throw() { mInCache = inCache; }

	/* For binding to extended attributes. */
	virtual const CssmData &itemID();

	/* Overrides for SecCFObject methods */
	bool equal(SecCFObject &other);
    virtual CFHashCode hash();
	
    bool mayDelete();
    
protected:

    /* Saves the item with a new SSGroup and ACL. If you pass in an old SSGroup,
     * the ACL will be copied from the old group, and the old group deleted. */
    void updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer* data, Keychain keychain = NULL, SecPointer<Access> access = NULL);

    // Helper function to abstract out error handling. Does not report any errors.
    void deleteSSGroup(SSGroup & ssgroup, const AccessCredentials* nullCred);

    void doChange(Keychain keychain, CSSM_DB_RECORDTYPE recordType, void (^tryChange) () );

    // Add integrity acl entry to access.
    void addIntegrity(Access &access, bool force = false);

    // Set the integrity of this item to whatever my attributes are now
    // If force, then perform this even if the underlying keychain claims to not
    // support it. (This is needed because during an upgrade, the underlying
    // keychain is confused about its actual version until it's written to disk.)
    virtual void setIntegrity(bool force = false);

    // Set the integrity of this bearer to be whatever my attributes are now
    virtual void setIntegrity(AclBearer &bearer, bool force = false);

    // Call this function to remove the integrity and partition_id ACLs from
    // this item. You're not supposed to be able to do this, so force the issue
    // by providing credentials to this keychain.
    virtual void removeIntegrity(const AccessCredentials *cred);
    virtual void removeIntegrity(AclBearer &bearer, const AccessCredentials *cred);

	// new item members
	RefPointer<CssmDataContainer> mData;
	auto_ptr<CssmClient::DbAttributes> mDbAttributes;
	SecPointer<Access> mAccess;

	// db item members
	CssmClient::DbUniqueRecord mUniqueId;
	Keychain mKeychain;
	PrimaryKey mPrimaryKey;

	// non-NULL only for secd items (managed by secd, not securityd)
	CFDataRef secd_PersistentRef;

private:
	// keychain syncing flags
	bool mDoNotEncrypt;

	// mInCache is protected by globals().apiLock
	// True iff we are in the cache of items in mKeychain
	bool mInCache;

protected:
	Mutex mMutex;
};


class Item : public SecPointer<ItemImpl>
{
public:
    Item();
    Item(ItemImpl *impl);
    Item(SecItemClass itemClass, OSType itemCreator, UInt32 length, const void* data, bool inhibitCheck);
	Item(SecItemClass itemClass, SecKeychainAttributeList *attrList, UInt32 length, const void* data);
    Item(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId);
    Item(const Keychain &keychain, const PrimaryKey &primaryKey);
	Item(ItemImpl &item);
};


CFIndex GetItemRetainCount(Item& item);

} // end namespace KeychainCore

} // end namespace Security


#endif // !_SECURITY_ITEM_H_
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2000-2004,2011-2014 Apple Inc. All Rights Reserved.
427c49bc	3	*
b1ab9ed8	4	* @APPLE_LICENSE_HEADER_START@
d8f41ccd	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
d8f41ccd	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
d8f41ccd	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	//
	26	// Item.h
	27	//
	28	#ifndef _SECURITY_ITEM_H_
	29	#define _SECURITY_ITEM_H_
	30
	31	#include <security_keychain/Keychains.h>
	32	#include <security_keychain/PrimaryKey.h>
	33	#include <security_cdsa_client/securestorage.h>
	34	#include <security_keychain/Access.h>
	35
	36	namespace Security
	37	{
	38
	39	using namespace CssmClient;
	40
	41	namespace KeychainCore
	42	{
	43	class Keychain;
	44
	45	class ItemImpl : public SecCFObject
	46	{
	47	public:
fa7225c8 A	48	SECCFFUNCTIONS_CREATABLE(ItemImpl, SecKeychainItemRef, gTypes().ItemImpl)
	49
	50	static ItemImpl *required(SecKeychainItemRef ptr);
	51	static ItemImpl *optional(SecKeychainItemRef ptr);
b1ab9ed8 A	52
	53	friend class Item;
	54	friend class KeychainImpl;
	55	protected:
	56
	57	// new item constructors
	58	ItemImpl(SecItemClass itemClass, OSType itemCreator, UInt32 length, const void* data, bool inhibitCheck = false);
427c49bc	59
b1ab9ed8 A	60	ItemImpl(SecItemClass itemClass, SecKeychainAttributeList attrList, UInt32 length, const void data);
b1ab9ed8 A	61
427c49bc	62	// db item constructor
b1ab9ed8 A	63	ItemImpl(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId);
b1ab9ed8 A	64
427c49bc	65	// PrimaryKey item constructor
b1ab9ed8 A	66	ItemImpl(const Keychain &keychain, const PrimaryKey &primaryKey);
	67
	68	public:
	69
	70	static ItemImpl* make(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId);
	71	static ItemImpl* make(const Keychain &keychain, const PrimaryKey &primaryKey);
427c49bc	72
b1ab9ed8 A	73	ItemImpl(ItemImpl &item);
	74
	75	// Return true if we got the attribute, false if we only got the actualLength.
	76	void getAttributeFrom(CssmDbAttributeData data, SecKeychainAttribute &attr, UInt32 actualLength);
	77	void getClass(SecKeychainAttribute &attr, UInt32 *actualLength);
427c49bc A	78
	79	// For iOS keys
	80	void setPersistentRef(CFDataRef ref);
	81	// returns NULL for securityd keys, or the (non-NULL) persistent ref for iOS keys
	82	CFDataRef getPersistentRef();
b1ab9ed8 A	83
b1ab9ed8 A	84	PrimaryKey addWithCopyInfo(Keychain &keychain, bool isCopy);
fa7225c8	85	Mutex* getMutexForObject() const;
b1ab9ed8	86
e3d460c9 A	87	// Return true iff the item integrity has not been compromised.
	88	virtual bool checkIntegrity();
	89	bool checkIntegrity(AclBearer& key);
	90	static bool checkIntegrityFromDictionary(AclBearer& key, DbAttributes* dbAttributes);
	91
b1ab9ed8 A	92	protected:
	93	// Methods called by KeychainImpl;
	94
	95	// Add the receiver to keychain
	96	virtual PrimaryKey add(Keychain &keychain);
	97
e3d460c9 A	98	// Prepare a dbAttributes to extract all possible attributes with a call to
	99	// getContent.
	100	void fillDbAttributesFromSchema(DbAttributes& dbAttributes, CSSM_DB_RECORDTYPE recordType, Keychain keychain = NULL);
	101
	102	// Get all current attributes of this item. This will call out to the
	103	// database (if there is one) and then overly the current pending updates.
	104	// You must delete the returned object.
	105	DbAttributes* getCurrentAttributes();
	106
	107	// Return a canonical form of this item's attributes
	108	void encodeAttributes(CssmOwnedData &attributeBlob);
	109
	110	// Return a canonical form of the attributes passed in
	111	static void encodeAttributesFromDictionary(CssmOwnedData &attributeBlob, DbAttributes* dbAttributes);
	112
	113	// Return a canonical digest of the record type and attributes of the item
	114	void computeDigest(CssmOwnedData &sha2);
	115
	116	// Return a canonical digest of the record type and attributes passed in
	117	static void computeDigestFromDictionary(CssmOwnedData &sha2, DbAttributes* dbAttributes);
	118
b1ab9ed8 A	119	// Get the default value for an attribute
	120	static const CSSM_DATA &defaultAttributeValue(const CSSM_DB_ATTRIBUTE_INFO &info);
	121
	122	public:
	123	virtual ~ItemImpl();
	124	bool isPersistent();
	125	bool isModified();
	126
	127	virtual void update();
	128
	129	void aboutToDestruct();
427c49bc	130
b1ab9ed8 A	131	// put a copy of the item into a given keychain
	132	virtual Item copyTo(const Keychain &keychain, Access *newAccess = NULL);
	133
	134	CSSM_DB_RECORDTYPE recordType();
	135
	136	// Used for writing the record to the database.
	137	CssmClient::DbUniqueRecord dbUniqueRecord();
	138	const CssmClient::DbAttributes *modifiedAttributes();
	139	const CssmData *modifiedData();
	140	virtual void didModify(); // Forget any attributes and data we just wrote to the db
	141
	142	Keychain keychain();
	143	PrimaryKey primaryKey();
	144	bool operator < (const ItemImpl &other);
	145
	146	void getAttribute(SecKeychainAttribute& attr, UInt32 *actualLength);
	147	void getData(CssmDataContainer& outData);
427c49bc	148
b1ab9ed8 A	149	void modifyContent(const SecKeychainAttributeList attrList, UInt32 dataLength, const void inData);
	150	void getContent(SecItemClass itemClass, SecKeychainAttributeList attrList, UInt32 length, void *outData);
	151	static void freeContent(SecKeychainAttributeList attrList, void data);
	152	static void freeAttributesAndData(SecKeychainAttributeList attrList, void data);
	153
	154	void getAttributesAndData(SecKeychainAttributeInfo info, SecItemClass itemClass,
	155	SecKeychainAttributeList *attrList, UInt32 length, void **outData);
	156	void modifyAttributesAndData(const SecKeychainAttributeList attrList, UInt32 dataLength, const void inData);
	157
	158	void setAttribute(SecKeychainAttribute& attr);
	159	void setAttribute(const CssmDbAttributeInfo &info, const CssmPolyData &data);
	160	void setData(UInt32 length,const void *data);
	161	void setAccess(Access *newAccess);
	162	void copyRecordIdentifier(CSSM_DATA &data);
	163	SSGroup group();
	164
	165	void getContent(DbAttributes dbAttributes, CssmDataContainer itemData);
	166	void getLocalContent(SecKeychainAttributeList attributeList, UInt32 outLength, void **outData);
	167
	168	bool useSecureStorage(const CssmClient::Db &db);
	169	virtual void willRead();
	170
	171	// create a persistent reference to this item
427c49bc A	172	void copyPersistentReference(CFDataRef &outDataRef, bool isSecIdentityRef=false);
427c49bc A	173	static Item makeFromPersistentReference(const CFDataRef persistentRef, bool *isIdentityRef=NULL);
b1ab9ed8 A	174
	175	// for keychain syncing
	176	void doNotEncrypt () {mDoNotEncrypt = true;}
	177
	178	// for posting events on this item
	179	void postItemEvent (SecKeychainEvent theEvent);
	180
	181	// Only call these functions while holding globals().apiLock.
	182	bool inCache() const throw() { return mInCache; }
	183	void inCache(bool inCache) throw() { mInCache = inCache; }
	184
	185	/* For binding to extended attributes. */
	186	virtual const CssmData &itemID();
427c49bc A	187
	188	/* Overrides for SecCFObject methods */
	189	bool equal(SecCFObject &other);
	190	virtual CFHashCode hash();
b1ab9ed8	191
427c49bc A	192	bool mayDelete();
427c49bc A	193
b1ab9ed8	194	protected:
e3d460c9 A	195
	196	/* Saves the item with a new SSGroup and ACL. If you pass in an old SSGroup,
	197	* the ACL will be copied from the old group, and the old group deleted. */
	198	void updateSSGroup(Db& db, CSSM_DB_RECORDTYPE recordType, CssmDataContainer* data, Keychain keychain = NULL, SecPointer<Access> access = NULL);
	199
fa7225c8 A	200	// Helper function to abstract out error handling. Does not report any errors.
	201	void deleteSSGroup(SSGroup & ssgroup, const AccessCredentials* nullCred);
	202
e3d460c9 A	203	void doChange(Keychain keychain, CSSM_DB_RECORDTYPE recordType, void (^tryChange) () );
	204
	205	// Add integrity acl entry to access.
	206	void addIntegrity(Access &access, bool force = false);
	207
	208	// Set the integrity of this item to whatever my attributes are now
	209	// If force, then perform this even if the underlying keychain claims to not
	210	// support it. (This is needed because during an upgrade, the underlying
	211	// keychain is confused about its actual version until it's written to disk.)
	212	virtual void setIntegrity(bool force = false);
	213
	214	// Set the integrity of this bearer to be whatever my attributes are now
	215	virtual void setIntegrity(AclBearer &bearer, bool force = false);
	216
fa7225c8 A	217	// Call this function to remove the integrity and partition_id ACLs from
	218	// this item. You're not supposed to be able to do this, so force the issue
	219	// by providing credentials to this keychain.
	220	virtual void removeIntegrity(const AccessCredentials *cred);
	221	virtual void removeIntegrity(AclBearer &bearer, const AccessCredentials *cred);
	222
b1ab9ed8	223	// new item members
427c49bc A	224	RefPointer<CssmDataContainer> mData;
427c49bc A	225	auto_ptr<CssmClient::DbAttributes> mDbAttributes;
b1ab9ed8 A	226	SecPointer<Access> mAccess;
	227
	228	// db item members
427c49bc	229	CssmClient::DbUniqueRecord mUniqueId;
b1ab9ed8	230	Keychain mKeychain;
427c49bc A	231	PrimaryKey mPrimaryKey;
	232
	233	// non-NULL only for secd items (managed by secd, not securityd)
	234	CFDataRef secd_PersistentRef;
	235
b1ab9ed8 A	236	private:
	237	// keychain syncing flags
	238	bool mDoNotEncrypt;
	239
	240	// mInCache is protected by globals().apiLock
	241	// True iff we are in the cache of items in mKeychain
	242	bool mInCache;
	243
	244	protected:
	245	Mutex mMutex;
	246	};
	247
	248
	249	class Item : public SecPointer<ItemImpl>
	250	{
	251	public:
	252	Item();
	253	Item(ItemImpl *impl);
	254	Item(SecItemClass itemClass, OSType itemCreator, UInt32 length, const void* data, bool inhibitCheck);
	255	Item(SecItemClass itemClass, SecKeychainAttributeList attrList, UInt32 length, const void data);
	256	Item(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId);
	257	Item(const Keychain &keychain, const PrimaryKey &primaryKey);
	258	Item(ItemImpl &item);
	259	};
	260
427c49bc	261
b1ab9ed8 A	262	CFIndex GetItemRetainCount(Item& item);
	263
	264	} // end namespace KeychainCore
	265
	266	} // end namespace Security
	267
427c49bc A	268
427c49bc A	269
b1ab9ed8	270	#endif // !_SECURITY_ITEM_H_