[apple/security.git] / OSX / sec / Security / SecKeyProxy.m

/*
 * Copyright (c) 2006-2015 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * SecKeyProxy.m - Remote access to SecKey instance
 */

#import <Foundation/Foundation.h>
#import <Foundation/NSXPCConnection_Private.h>

#include <Security/SecBasePriv.h>
#include <Security/SecKeyInternal.h>
#include <Security/SecIdentityPriv.h>
#include <utilities/debugging.h>
#include <utilities/SecCFError.h>

#include <Security/SecKeyProxy.h>

// MARK: XPC-level protocol for communication between server and client.
@protocol SecKeyProxyProtocol
- (void)initializeWithReply:(void (^)(NSData * _Nullable certificate))reply;
- (void)getBlockSizeWithReply:(void (^)(size_t blockSize))reply;
- (void)getAttributesWithReply:(void (^)(NSDictionary *attributes))reply;
- (void)getExternalRepresentationWithReply:(void (^)(NSData *data, NSError *error))reply;
- (void)getDescriptionWithReply:(void (^)(NSString *description))reply;
- (void)getAlgorithmIDWithReply:(void (^)(NSInteger algorithmID))reply;
- (void)getPublicKey:(void (^)(NSXPCListenerEndpoint *endpoint))reply;
- (void)performOperation:(SecKeyOperationType)operation algorithm:(NSString *)algorithm parameters:(NSArray *)parameters reply:(void (^)(NSArray *result, NSError *error))reply;
@end

// MARK: XPC target object for SecKeyProxy side
// Logically could be embedded in SecKeyProxy, but that would cause ownership cycles, since target object is always owned by its associated XPC connection.
@interface SecKeyProxyTarget : NSObject<SecKeyProxyProtocol> {
    id _key;
    NSData *_certificate;
    SecKeyProxy *_publicKeyProxy;
}
- (instancetype)initWithKey:(id)key certificate:(nullable NSData *)certificate;
@property (readonly, nonatomic) SecKeyRef key;
@end

@implementation SecKeyProxyTarget
- (instancetype)initWithKey:(id)key certificate:(nullable NSData *)certificate {
    if (self = [super init]) {
        _key = key;
        _certificate = certificate;
    }
    return self;
}

- (SecKeyRef)key {
    return (__bridge SecKeyRef)_key;
}

- (void)initializeWithReply:(void (^)(NSData *_Nullable))reply {
    return reply(_certificate);
}

- (void)getBlockSizeWithReply:(void (^)(size_t))reply {
    return reply(SecKeyGetBlockSize(self.key));
}

- (void)getAttributesWithReply:(void (^)(NSDictionary *))reply {
    return reply(CFBridgingRelease(SecKeyCopyAttributes(self.key)));
}

- (void)getExternalRepresentationWithReply:(void (^)(NSData *, NSError *))reply {
    NSError *error;
    NSData *data = CFBridgingRelease(SecKeyCopyExternalRepresentation(self.key, (void *)&error));
    return reply(data, error);
}

- (void)getDescriptionWithReply:(void (^)(NSString *))reply {
    NSString *description = CFBridgingRelease(CFCopyDescription(self.key));

    // Strip wrapping "<SecKeyRef " and ">" if present.
    if ([description hasPrefix:@"<SecKeyRef "] && [description hasSuffix:@">"]) {
        description = [description substringWithRange:NSMakeRange(11, description.length - 12)];
    } else if ([description hasPrefix:@"<SecKeyRef: "] && [description hasSuffix:@">"]) {
        description = [description substringWithRange:NSMakeRange(12, description.length - 13)];
    }

    return reply(description);
}

- (void)getAlgorithmIDWithReply:(void (^)(NSInteger))reply {
    return reply(SecKeyGetAlgorithmId(self.key));
}

- (void)getPublicKey:(void (^)(NSXPCListenerEndpoint *endpoint))reply {
    if (_publicKeyProxy == nil) {
        id publicKey = CFBridgingRelease(SecKeyCopyPublicKey(self.key));
        if (publicKey == nil) {
            return reply(nil);
        }
        _publicKeyProxy = [[SecKeyProxy alloc] initWithKey:(__bridge SecKeyRef)publicKey];
    }
    return reply(_publicKeyProxy.endpoint);
}

- (void)performOperation:(SecKeyOperationType)operation algorithm:(NSString *)algorithm parameters:(NSArray *)parameters reply:(void (^)(NSArray *, NSError *))reply {
    NSMutableArray *algorithms = @[algorithm].mutableCopy;
    CFTypeRef in1 = (__bridge CFTypeRef)(parameters.count > 0 ? parameters[0] : nil);
    CFTypeRef in2 = (__bridge CFTypeRef)(parameters.count > 1 ? parameters[1] : nil);
    NSError *error;
    SecKeyOperationContext context = { self.key, operation, (__bridge CFMutableArrayRef)algorithms };
    id result = CFBridgingRelease(SecKeyRunAlgorithmAndCopyResult(&context, in1, in2, (void *)&error));
    return reply(result ? @[result] : @[], error);
}
@end

// MARK: SecKeyProxy implementation
@interface SecKeyProxy() <NSXPCListenerDelegate>
@end

@implementation SecKeyProxy
- (instancetype)initWithKey:(SecKeyRef)key certificate:(nullable NSData *)certificate {
    if (self = [super init]) {
        if (key != nil) {
            _key = CFBridgingRelease(CFRetainSafe(key));
        } else {
            _key = nil;
        }
        _certificate = certificate;
        _listener = [NSXPCListener anonymousListener];
        _listener.delegate = self;

        // All connections created to this proxy instance are serialized to this single queue.
        [_listener _setQueue: dispatch_queue_create("SecKeyProxy", NULL)];
        [_listener resume];
    }

    return self;
}

- (instancetype)initWithKey:(SecKeyRef)key {
    return [self initWithKey:key certificate:nil];
}

- (instancetype)initWithIdentity:(SecIdentityRef)identity {
    id key;
    id certificate;
    SecIdentityCopyPrivateKey(identity, (void *)&key);
    SecIdentityCopyCertificate(identity, (void *)&certificate);
    if (key == nil && certificate == nil) {
        return nil;
    }

    // Extract data from the certificate.
    NSData *certificateData = CFBridgingRelease(SecCertificateCopyData((SecCertificateRef)certificate));
    if (certificateData == nil) {
        return nil;
    }

    return [self initWithKey:(__bridge SecKeyRef)key certificate:certificateData];
}

- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SecKeyProxyProtocol)];
    newConnection.exportedObject = [[SecKeyProxyTarget alloc] initWithKey:_key certificate:_certificate];
    [newConnection _setQueue:[_listener _queue]];
    [newConnection resume];
    return YES;
}

- (void)invalidate {
    [_listener invalidate];
}

- (void)dealloc {
    [self invalidate];
}

- (NSXPCListenerEndpoint *)endpoint {
    return _listener.endpoint;
}

// MARK: Client side: remote-connected SecKey instance.
static OSStatus SecRemoteKeyInit(SecKeyRef key, const uint8_t *keyData, CFIndex keyDataLength, SecKeyEncoding encoding) {
    // keyData and key->key are both actually type-punned NSXPCConnection owning pointers.
    key->key = (void *)keyData;
    return errSecSuccess;
}

static void SecRemoteKeyDestroy(SecKeyRef key) {
    NSXPCConnection *conn = CFBridgingRelease(key->key);
    [conn invalidate];
}

+ (id<SecKeyProxyProtocol>)targetForKey:(SecKeyRef)key error:(CFErrorRef *)error {
    NSXPCConnection *connection = (__bridge NSXPCConnection *)key->key;
    id<SecKeyProxyProtocol> result = [connection synchronousRemoteObjectProxyWithErrorHandler:^(NSError * _Nonnull _error) {
        if (error != NULL) {
            *error = (__bridge_retained CFErrorRef)_error;
        }
    }];
    return result;
}

static size_t SecRemoteKeyBlockSize(SecKeyRef key) {
    __block size_t localBlockSize = 0;
    [[SecKeyProxy targetForKey:key error:NULL] getBlockSizeWithReply:^(size_t blockSize) {
        localBlockSize = blockSize;
    }];
    return localBlockSize;
}

static CFDictionaryRef SecRemoteKeyCopyAttributeDictionary(SecKeyRef key) {
    __block NSDictionary *localAttributes;
    [[SecKeyProxy targetForKey:key error:NULL] getAttributesWithReply:^(NSDictionary *attributes) {
        localAttributes = attributes;
    }];
    return CFBridgingRetain(localAttributes);
}

static CFDataRef SecRemoteKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error) {
    __block NSData *localData;
    __block NSError *localError;
    [[SecKeyProxy targetForKey:key error:error] getExternalRepresentationWithReply:^(NSData *data, NSError *error) {
        localData = data;
        localError = error;
    }];
    if (localData == nil && error != NULL) {
        *error = (__bridge_retained CFErrorRef)localError;
    }
    return CFBridgingRetain(localData);
}

static CFStringRef SecRemoteKeyCopyDescription(SecKeyRef key) {
    __block NSString *localDescription;
    [[SecKeyProxy targetForKey:key error:NULL] getDescriptionWithReply:^(NSString *description) {
        localDescription = [NSString stringWithFormat:@"<SecKeyRef remoteKey: %@>", description];
    }];
    return CFBridgingRetain(localDescription);
}

static CFIndex SecRemoteKeyGetAlgorithmID(SecKeyRef key) {
    __block CFIndex localAlgorithmID = kSecNullAlgorithmID;
    [[SecKeyProxy targetForKey:key error:NULL] getAlgorithmIDWithReply:^(NSInteger algorithmID) {
        localAlgorithmID = algorithmID;
    }];
    return localAlgorithmID;
}

static SecKeyRef SecRemoteKeyCopyPublicKey(SecKeyRef key) {
    __block id publicKey;
    [[SecKeyProxy targetForKey:key error:NULL] getPublicKey:^(NSXPCListenerEndpoint *endpoint) {
        if (endpoint != nil) {
            publicKey = CFBridgingRelease([SecKeyProxy createKeyFromEndpoint:endpoint error:nil]);
        }
    }];
    return (__bridge_retained SecKeyRef)publicKey;
}

static CFTypeRef SecRemoteKeyCopyOperationResult(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, CFArrayRef algorithms, SecKeyOperationMode mode, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
    NSMutableArray *parameters = @[].mutableCopy;
    if (in1 != NULL) {
        [parameters addObject:(__bridge id)in1];
        if (in2 != NULL) {
            [parameters addObject:(__bridge id)in2];
        }
    }
    __block id localResult;
    [[SecKeyProxy targetForKey:key error:error] performOperation:operation algorithm:(__bridge NSString *)algorithm parameters:parameters reply:^(NSArray *result, NSError *_error) {
        if (result.count > 0) {
            localResult = result[0];
        }
        else if (error != NULL) {
            *error = (__bridge_retained CFErrorRef)_error;
        }
    }];
    return CFBridgingRetain(localResult);
}

static const SecKeyDescriptor SecRemoteKeyDescriptor = {
    .version = kSecKeyDescriptorVersion,
    .name = "RemoteKey",
    .init = SecRemoteKeyInit,
    .destroy = SecRemoteKeyDestroy,
    .blockSize = SecRemoteKeyBlockSize,
    .copyDictionary = SecRemoteKeyCopyAttributeDictionary,
    .copyExternalRepresentation = SecRemoteKeyCopyExternalRepresentation,
    .describe = SecRemoteKeyCopyDescription,
    .getAlgorithmID = SecRemoteKeyGetAlgorithmID,
    .copyPublicKey = SecRemoteKeyCopyPublicKey,
    .copyOperationResult = SecRemoteKeyCopyOperationResult,
};

+ (SecKeyRef)createItemFromEndpoint:(NSXPCListenerEndpoint *)endpoint certificate:(NSData **)certificate error:(NSError * _Nullable __autoreleasing *)error {
    // Connect to the server proxy object.
    NSXPCConnection *connection = [[NSXPCConnection alloc] initWithListenerEndpoint:endpoint];
    connection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SecKeyProxyProtocol)];
    [connection resume];

    // Initialize remote object.
    __block NSError *localError;
    __block NSData *localCertificate;
    [[connection synchronousRemoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) {
        localError = [NSError errorWithDomain:(__bridge NSString *)kSecErrorDomain code:errSecItemNotFound userInfo:@{NSUnderlyingErrorKey: error}];
    }] initializeWithReply:^(NSData *_Nullable _certificate){
        localCertificate = _certificate;
    }];
    if (localError == nil) {
        if (certificate != nil) {
            *certificate = localCertificate;
        }
    } else {
        [connection invalidate];
        if (error != NULL) {
            *error = localError;
        }
        return NULL;
    }

    // Wrap returned connection in SecKeyRef instance.
    return SecKeyCreate(kCFAllocatorDefault, &SecRemoteKeyDescriptor, CFBridgingRetain(connection), 0, kSecKeyEncodingRaw);
}

+ (SecKeyRef)createKeyFromEndpoint:(NSXPCListenerEndpoint *)endpoint error:(NSError * _Nullable __autoreleasing *)error {
    return [self createItemFromEndpoint:endpoint certificate:nil error:error];
}

+ (SecIdentityRef)createIdentityFromEndpoint:(NSXPCListenerEndpoint *)endpoint error:(NSError * _Nullable __autoreleasing *)error {
    NSData *certificateData;
    id key = CFBridgingRelease([self createItemFromEndpoint:endpoint certificate:&certificateData error:error]);
    if (key == nil) {
        return NULL;
    }
    if (certificateData == nil) {
        if (error != NULL) {
            *error = [NSError errorWithDomain:(NSString *)kSecErrorDomain code:errSecParam userInfo:@{(id)NSLocalizedDescriptionKey: @"Attempt to create remote identity from key-only proxy"}];
        }
        return NULL;
    }

    id certificate = CFBridgingRelease(SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)certificateData));
    return SecIdentityCreate(kCFAllocatorDefault, (__bridge SecCertificateRef)certificate, (__bridge SecKeyRef)key);
}
@end
Commit	Line	Data
79b9da22 A	1	/*
	2	* Copyright (c) 2006-2015 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	/*
	25	* SecKeyProxy.m - Remote access to SecKey instance
	26	*/
	27
	28	#import <Foundation/Foundation.h>
	29	#import <Foundation/NSXPCConnection_Private.h>
	30
	31	#include <Security/SecBasePriv.h>
	32	#include <Security/SecKeyInternal.h>
	33	#include <Security/SecIdentityPriv.h>
	34	#include <utilities/debugging.h>
	35	#include <utilities/SecCFError.h>
	36
	37	#include <Security/SecKeyProxy.h>
	38
	39	// MARK: XPC-level protocol for communication between server and client.
	40	@protocol SecKeyProxyProtocol
	41	- (void)initializeWithReply:(void (^)(NSData * _Nullable certificate))reply;
	42	- (void)getBlockSizeWithReply:(void (^)(size_t blockSize))reply;
	43	- (void)getAttributesWithReply:(void (^)(NSDictionary *attributes))reply;
	44	- (void)getExternalRepresentationWithReply:(void (^)(NSData data, NSError error))reply;
	45	- (void)getDescriptionWithReply:(void (^)(NSString *description))reply;
	46	- (void)getAlgorithmIDWithReply:(void (^)(NSInteger algorithmID))reply;
	47	- (void)getPublicKey:(void (^)(NSXPCListenerEndpoint *endpoint))reply;
	48	- (void)performOperation:(SecKeyOperationType)operation algorithm:(NSString )algorithm parameters:(NSArray )parameters reply:(void (^)(NSArray result, NSError error))reply;
	49	@end
	50
	51	// MARK: XPC target object for SecKeyProxy side
	52	// Logically could be embedded in SecKeyProxy, but that would cause ownership cycles, since target object is always owned by its associated XPC connection.
	53	@interface SecKeyProxyTarget : NSObject<SecKeyProxyProtocol> {
	54	id _key;
	55	NSData *_certificate;
	56	SecKeyProxy *_publicKeyProxy;
	57	}
	58	- (instancetype)initWithKey:(id)key certificate:(nullable NSData *)certificate;
	59	@property (readonly, nonatomic) SecKeyRef key;
	60	@end
	61
	62	@implementation SecKeyProxyTarget
	63	- (instancetype)initWithKey:(id)key certificate:(nullable NSData *)certificate {
	64	if (self = [super init]) {
65	_key = key;
66	_certificate = certificate;
67	}
68	return self;
69	}
70
71	- (SecKeyRef)key {
72	return (__bridge SecKeyRef)_key;
73	}
74
75	- (void)initializeWithReply:(void (^)(NSData *_Nullable))reply {
76	return reply(_certificate);
77	}
78
79	- (void)getBlockSizeWithReply:(void (^)(size_t))reply {
80	return reply(SecKeyGetBlockSize(self.key));
81	}
82
83	- (void)getAttributesWithReply:(void (^)(NSDictionary *))reply {
84	return reply(CFBridgingRelease(SecKeyCopyAttributes(self.key)));
85	}
86
87	- (void)getExternalRepresentationWithReply:(void (^)(NSData , NSError ))reply {
88	NSError *error;
89	NSData data = CFBridgingRelease(SecKeyCopyExternalRepresentation(self.key, (void )&error));
90	return reply(data, error);
91	}
92
93	- (void)getDescriptionWithReply:(void (^)(NSString *))reply {
94	NSString *description = CFBridgingRelease(CFCopyDescription(self.key));
95
96	// Strip wrapping "<SecKeyRef " and ">" if present.
97	if ([description hasPrefix:@"<SecKeyRef "] && [description hasSuffix:@">"]) {
98	description = [description substringWithRange:NSMakeRange(11, description.length - 12)];
99	} else if ([description hasPrefix:@"<SecKeyRef: "] && [description hasSuffix:@">"]) {
100	description = [description substringWithRange:NSMakeRange(12, description.length - 13)];
101	}
102
103	return reply(description);
104	}
105
106	- (void)getAlgorithmIDWithReply:(void (^)(NSInteger))reply {
107	return reply(SecKeyGetAlgorithmId(self.key));
108	}
109
110	- (void)getPublicKey:(void (^)(NSXPCListenerEndpoint *endpoint))reply {
111	if (_publicKeyProxy == nil) {
112	id publicKey = CFBridgingRelease(SecKeyCopyPublicKey(self.key));
113	if (publicKey == nil) {
114	return reply(nil);
115	}
116	_publicKeyProxy = [[SecKeyProxy alloc] initWithKey:(__bridge SecKeyRef)publicKey];
117	}
118	return reply(_publicKeyProxy.endpoint);
119	}
120
121	- (void)performOperation:(SecKeyOperationType)operation algorithm:(NSString )algorithm parameters:(NSArray )parameters reply:(void (^)(NSArray , NSError ))reply {
122	NSMutableArray *algorithms = @[algorithm].mutableCopy;
123	CFTypeRef in1 = (__bridge CFTypeRef)(parameters.count > 0 ? parameters[0] : nil);
124	CFTypeRef in2 = (__bridge CFTypeRef)(parameters.count > 1 ? parameters[1] : nil);
125	NSError *error;
126	SecKeyOperationContext context = { self.key, operation, (__bridge CFMutableArrayRef)algorithms };
127	id result = CFBridgingRelease(SecKeyRunAlgorithmAndCopyResult(&context, in1, in2, (void *)&error));
128	return reply(result ? @[result] : @[], error);
129	}
130	@end
131
132	// MARK: SecKeyProxy implementation
133	@interface SecKeyProxy() <NSXPCListenerDelegate>
134	@end
135
136	@implementation SecKeyProxy
137	- (instancetype)initWithKey:(SecKeyRef)key certificate:(nullable NSData *)certificate {
138	if (self = [super init]) {
d64be36e A	139	if (key != nil) {
	140	_key = CFBridgingRelease(CFRetainSafe(key));
	141	} else {
	142	_key = nil;
	143	}
79b9da22 A	144	_certificate = certificate;
	145	_listener = [NSXPCListener anonymousListener];
	146	_listener.delegate = self;
	147
	148	// All connections created to this proxy instance are serialized to this single queue.
	149	[_listener _setQueue: dispatch_queue_create("SecKeyProxy", NULL)];
	150	[_listener resume];
	151	}
	152
	153	return self;
	154	}
	155
	156	- (instancetype)initWithKey:(SecKeyRef)key {
	157	return [self initWithKey:key certificate:nil];
	158	}
	159
	160	- (instancetype)initWithIdentity:(SecIdentityRef)identity {
	161	id key;
	162	id certificate;
	163	SecIdentityCopyPrivateKey(identity, (void *)&key);
	164	SecIdentityCopyCertificate(identity, (void *)&certificate);
	165	if (key == nil && certificate == nil) {
	166	return nil;
	167	}
	168
	169	// Extract data from the certificate.
	170	NSData *certificateData = CFBridgingRelease(SecCertificateCopyData((SecCertificateRef)certificate));
	171	if (certificateData == nil) {
	172	return nil;
	173	}
	174
	175	return [self initWithKey:(__bridge SecKeyRef)key certificate:certificateData];
	176	}
	177
	178	- (BOOL)listener:(NSXPCListener )listener shouldAcceptNewConnection:(NSXPCConnection )newConnection {
	179	newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SecKeyProxyProtocol)];
	180	newConnection.exportedObject = [[SecKeyProxyTarget alloc] initWithKey:_key certificate:_certificate];
	181	[newConnection _setQueue:[_listener _queue]];
	182	[newConnection resume];
	183	return YES;
	184	}
	185
	186	- (void)invalidate {
	187	[_listener invalidate];
	188	}
	189
	190	- (void)dealloc {
	191	[self invalidate];
	192	}
	193
	194	- (NSXPCListenerEndpoint *)endpoint {
	195	return _listener.endpoint;
	196	}
	197
	198	// MARK: Client side: remote-connected SecKey instance.
	199	static OSStatus SecRemoteKeyInit(SecKeyRef key, const uint8_t *keyData, CFIndex keyDataLength, SecKeyEncoding encoding) {
	200	// keyData and key->key are both actually type-punned NSXPCConnection owning pointers.
	201	key->key = (void *)keyData;
	202	return errSecSuccess;
	203	}
	204
	205	static void SecRemoteKeyDestroy(SecKeyRef key) {
	206	NSXPCConnection *conn = CFBridgingRelease(key->key);
	207	[conn invalidate];
208	}
209
210	+ (id<SecKeyProxyProtocol>)targetForKey:(SecKeyRef)key error:(CFErrorRef *)error {
211	NSXPCConnection connection = (__bridge NSXPCConnection )key->key;
212	id<SecKeyProxyProtocol> result = [connection synchronousRemoteObjectProxyWithErrorHandler:^(NSError * _Nonnull _error) {
213	if (error != NULL) {
214	*error = (__bridge_retained CFErrorRef)_error;
215	}
216	}];
217	return result;
218	}
219
220	static size_t SecRemoteKeyBlockSize(SecKeyRef key) {
221	__block size_t localBlockSize = 0;
222	[[SecKeyProxy targetForKey:key error:NULL] getBlockSizeWithReply:^(size_t blockSize) {
223	localBlockSize = blockSize;
224	}];
225	return localBlockSize;
226	}
227
228	static CFDictionaryRef SecRemoteKeyCopyAttributeDictionary(SecKeyRef key) {
229	__block NSDictionary *localAttributes;
230	[[SecKeyProxy targetForKey:key error:NULL] getAttributesWithReply:^(NSDictionary *attributes) {
231	localAttributes = attributes;
232	}];
233	return CFBridgingRetain(localAttributes);
234	}
235
236	static CFDataRef SecRemoteKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error) {
237	__block NSData *localData;
238	__block NSError *localError;
239	[[SecKeyProxy targetForKey:key error:error] getExternalRepresentationWithReply:^(NSData data, NSError error) {
240	localData = data;
241	localError = error;
242	}];
243	if (localData == nil && error != NULL) {
244	*error = (__bridge_retained CFErrorRef)localError;
245	}
246	return CFBridgingRetain(localData);
247	}
248
249	static CFStringRef SecRemoteKeyCopyDescription(SecKeyRef key) {
250	__block NSString *localDescription;
251	[[SecKeyProxy targetForKey:key error:NULL] getDescriptionWithReply:^(NSString *description) {
252	localDescription = [NSString stringWithFormat:@"<SecKeyRef remoteKey: %@>", description];
253	}];
254	return CFBridgingRetain(localDescription);
255	}
256
257	static CFIndex SecRemoteKeyGetAlgorithmID(SecKeyRef key) {
258	__block CFIndex localAlgorithmID = kSecNullAlgorithmID;
259	[[SecKeyProxy targetForKey:key error:NULL] getAlgorithmIDWithReply:^(NSInteger algorithmID) {
260	localAlgorithmID = algorithmID;
261	}];
262	return localAlgorithmID;
263	}
264
265	static SecKeyRef SecRemoteKeyCopyPublicKey(SecKeyRef key) {
266	__block id publicKey;
267	[[SecKeyProxy targetForKey:key error:NULL] getPublicKey:^(NSXPCListenerEndpoint *endpoint) {
268	if (endpoint != nil) {
269	publicKey = CFBridgingRelease([SecKeyProxy createKeyFromEndpoint:endpoint error:nil]);
270	}
271	}];
272	return (__bridge_retained SecKeyRef)publicKey;
273	}
274
275	static CFTypeRef SecRemoteKeyCopyOperationResult(SecKeyRef key, SecKeyOperationType operation, SecKeyAlgorithm algorithm, CFArrayRef algorithms, SecKeyOperationMode mode, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error) {
276	NSMutableArray *parameters = @[].mutableCopy;
277	if (in1 != NULL) {
278	[parameters addObject:(__bridge id)in1];
279	if (in2 != NULL) {
280	[parameters addObject:(__bridge id)in2];
281	}
282	}
283	__block id localResult;
284	[[SecKeyProxy targetForKey:key error:error] performOperation:operation algorithm:(__bridge NSString )algorithm parameters:parameters reply:^(NSArray result, NSError *_error) {
285	if (result.count > 0) {
286	localResult = result[0];
287	}
288	else if (error != NULL) {
289	*error = (__bridge_retained CFErrorRef)_error;
290	}
291	}];
292	return CFBridgingRetain(localResult);
293	}
294
295	static const SecKeyDescriptor SecRemoteKeyDescriptor = {
296	.version = kSecKeyDescriptorVersion,
297	.name = "RemoteKey",
298	.init = SecRemoteKeyInit,
299	.destroy = SecRemoteKeyDestroy,
300	.blockSize = SecRemoteKeyBlockSize,
301	.copyDictionary = SecRemoteKeyCopyAttributeDictionary,
302	.copyExternalRepresentation = SecRemoteKeyCopyExternalRepresentation,
303	.describe = SecRemoteKeyCopyDescription,
304	.getAlgorithmID = SecRemoteKeyGetAlgorithmID,
305	.copyPublicKey = SecRemoteKeyCopyPublicKey,
306	.copyOperationResult = SecRemoteKeyCopyOperationResult,
307	};
308
309	+ (SecKeyRef)createItemFromEndpoint:(NSXPCListenerEndpoint )endpoint certificate:(NSData )certificate error:(NSError _Nullable __autoreleasing *)error {
310	// Connect to the server proxy object.
311	NSXPCConnection *connection = [[NSXPCConnection alloc] initWithListenerEndpoint:endpoint];
312	connection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SecKeyProxyProtocol)];
313	[connection resume];
314
315	// Initialize remote object.
316	__block NSError *localError;
317	__block NSData *localCertificate;
318	[[connection synchronousRemoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) {
319	localError = [NSError errorWithDomain:(__bridge NSString *)kSecErrorDomain code:errSecItemNotFound userInfo:@{NSUnderlyingErrorKey: error}];
320	}] initializeWithReply:^(NSData *_Nullable _certificate){
321	localCertificate = _certificate;
322	}];
323	if (localError == nil) {
324	if (certificate != nil) {
325	*certificate = localCertificate;
326	}
327	} else {
328	[connection invalidate];
329	if (error != NULL) {
330	*error = localError;
331	}
332	return NULL;
333	}
334
335	// Wrap returned connection in SecKeyRef instance.
336	return SecKeyCreate(kCFAllocatorDefault, &SecRemoteKeyDescriptor, CFBridgingRetain(connection), 0, kSecKeyEncodingRaw);
337	}
338
339	+ (SecKeyRef)createKeyFromEndpoint:(NSXPCListenerEndpoint )endpoint error:(NSError _Nullable __autoreleasing *)error {
340	return [self createItemFromEndpoint:endpoint certificate:nil error:error];
341	}
342
343	+ (SecIdentityRef)createIdentityFromEndpoint:(NSXPCListenerEndpoint )endpoint error:(NSError _Nullable __autoreleasing *)error {
344	NSData *certificateData;
345	id key = CFBridgingRelease([self createItemFromEndpoint:endpoint certificate:&certificateData error:error]);
346	if (key == nil) {
347	return NULL;
348	}
349	if (certificateData == nil) {
350	if (error != NULL) {
351	error = [NSError errorWithDomain:(NSString )kSecErrorDomain code:errSecParam userInfo:@{(id)NSLocalizedDescriptionKey: @"Attempt to create remote identity from key-only proxy"}];
352	}
353	return NULL;
354	}
355
356	id certificate = CFBridgingRelease(SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)certificateData));
357	return SecIdentityCreate(kCFAllocatorDefault, (__bridge SecCertificateRef)certificate, (__bridge SecKeyRef)key);
358	}
359	@end