[apple/security.git] / keychain / SecureObjectSync / SOSAccountPriv.h

//
//  SOSAccountPriv.h
//  Security
//

#ifndef SOSAccountPriv_h
#define SOSAccountPriv_h

#import <Foundation/Foundation.h>

#include <CoreFoundation/CoreFoundation.h>
#include <CoreFoundation/CFRuntime.h>
#include <utilities/SecCFWrappers.h>
#include <utilities/SecCFError.h>
#include <utilities/SecAKSWrappers.h>

#include <Security/SecKeyPriv.h>

#include <Security/der_plist.h>
#include <utilities/der_plist_internal.h>
#include <corecrypto/ccder.h>

#include <AssertMacros.h>

#import <notify.h>

#include "keychain/SecureObjectSync/SOSInternal.h"

#include "keychain/SecureObjectSync/SOSCircle.h"
#include "keychain/SecureObjectSync/SOSCircleV2.h"
#include "keychain/SecureObjectSync/SOSRing.h"
#include "keychain/SecureObjectSync/SOSRingUtils.h"
#include <Security/SecureObjectSync/SOSCloudCircle.h>
#include "keychain/securityd/SOSCloudCircleServer.h"
#include "keychain/SecureObjectSync/SOSEngine.h"
#include "keychain/SecureObjectSync/SOSPeer.h"
#include "keychain/SecureObjectSync/SOSFullPeerInfo.h"
#include <Security/SecureObjectSync/SOSPeerInfo.h>

#include "keychain/SecureObjectSync/SOSPeerInfoInternal.h"
#include "keychain/SecureObjectSync/SOSUserKeygen.h"
#include "keychain/SecureObjectSync/SOSTransportCircle.h"

#include <utilities/iCloudKeychainTrace.h>

#include <Security/SecItemPriv.h>


extern const CFStringRef kSOSUnsyncedViewsKey;
extern const CFStringRef kSOSPendingEnableViewsToBeSetKey;
extern const CFStringRef kSOSPendingDisableViewsToBeSetKey;
extern const CFStringRef kSOSRecoveryKey;
extern const CFStringRef kSOSAccountUUID;
extern const CFStringRef kSOSAccountPeerNegotiationTimeouts;
extern const CFStringRef kSOSRecoveryRing;
extern const CFStringRef kSOSEscrowRecord;
extern const CFStringRef kSOSAccountName;
extern const CFStringRef kSOSTestV2Settings;
extern const CFStringRef kSOSRateLimitingCounters;
extern const CFStringRef kSOSAccountPeerLastSentTimestamp;
extern const CFStringRef kSOSAccountRenegotiationRetryCount;
extern const CFStringRef kSOSInitialSyncTimeoutV0;

typedef void (^SOSAccountSaveBlock)(CFDataRef flattenedAccount, CFErrorRef flattenFailError);

@class SOSMessageKVS;
@class CKKeyParameter;
@class SOSAccountTrustClassic;
@class SOSKVSCircleStorageTransport;
@class SOSCircleStorageTransport;
@class SOSCKCircleStorage;

@interface SOSAccount : NSObject <SOSControlProtocol>

@property   (nonatomic, retain)     NSDictionary                *gestalt;
@property   (nonatomic, retain)     NSData                      *backup_key;
@property   (nonatomic, retain)     NSString                    *deviceID;

@property   (nonatomic, retain)     SOSAccountTrustClassic      *trust;

@property   (nonatomic, retain)     dispatch_queue_t            queue;
@property   (nonatomic, retain)     dispatch_source_t           user_private_timer;
@property   (nonatomic)             SecKeyRef                   accountPrivateKey;

@property   (nonatomic)             SOSDataSourceFactoryRef     factory;

@property   (nonatomic, retain)     NSData                      *_password_tmp;
@property   (nonatomic, assign)     BOOL                        isListeningForSync;
@property   (nonatomic, assign)     int                         lock_notification_token;
@property   (nonatomic, retain)     CKKeyParameter*             key_transport;
@property   (nonatomic, retain)     SOSKVSCircleStorageTransport*  circle_transport;
@property   (nonatomic, retain)     SOSMessageKVS*              kvs_message_transport;
@property   (nonatomic, retain)     SOSCKCircleStorage*         ck_storage;


@property   (nonatomic, assign)     BOOL                        circle_rings_retirements_need_attention;
@property   (nonatomic, assign)     BOOL                        engine_peer_state_needs_repair;
@property   (nonatomic, assign)     BOOL                        key_interests_need_updating;
@property   (nonatomic, assign)     BOOL                        need_backup_peers_created_after_backup_key_set;


@property   (nonatomic, retain)     NSMutableArray               *change_blocks;

@property   (nonatomic, retain)     NSMutableDictionary          *waitForInitialSync_blocks;

@property   (nonatomic, retain)     NSData*                     accountKeyDerivationParameters;

@property   (nonatomic, assign)     BOOL                        accountKeyIsTrusted;
@property   (nonatomic)             SecKeyRef                   accountKey;
@property   (nonatomic)             SecKeyRef                   previousAccountKey;
@property   (nonatomic)             SecKeyRef                   peerPublicKey;

@property   (copy)                  SOSAccountSaveBlock         saveBlock;


// Identity access properties, all delegated to the trust object
@property   (readonly, nonatomic)   BOOL                        hasPeerInfo;
@property   (readonly, nonatomic)   SOSPeerInfoRef              peerInfo;
@property   (readonly, nonatomic)   SOSFullPeerInfoRef          fullPeerInfo;
@property   (readonly, nonatomic)   NSString*                   peerID;

@property   (nonatomic, assign)     BOOL                        notifyCircleChangeOnExit;
@property   (nonatomic, assign)     BOOL                        notifyViewChangeOnExit;
@property   (nonatomic, assign)     BOOL                        notifyBackupOnExit;

@property   (nonatomic, retain)     NSUserDefaults*             settings;

@property   (nonatomic)              SecKeyRef                  octagonSigningFullKeyRef;
@property   (nonatomic)              SecKeyRef                  octagonEncryptionFullKeyRef;

@property   (nonatomic, assign)     BOOL                        accountIsChanging;


-(id) init NS_UNAVAILABLE;
-(id) initWithGestalt:(CFDictionaryRef)gestalt factory:(SOSDataSourceFactoryRef)factory;

- (void)startStateMachine;

void SOSAccountAddSyncablePeerBlock(SOSAccount*  a,
                                    CFStringRef ds_name,
                                    SOSAccountSyncablePeersBlock changeBlock);

-(bool) ensureFactoryCircles;
-(void) ensureOctagonPeerKeys;

-(void) flattenToSaveBlock;

-(void) ghostBustSchedule;
+ (SOSAccountGhostBustingOptions) ghostBustGetRampSettings;
- (bool) ghostBustCheckDate;

#if OCTAGON
- (void)triggerBackupForPeers:(NSArray<NSString*>*)backupPeer;
- (void)triggerRingUpdate;
#endif


void SOSAccountSetToNew(SOSAccount*  a);

bool SOSAccountIsMyPeerActive(SOSAccount* account, CFErrorRef* error);

// MARK: In Sync checking
typedef bool (^SOSAccountWaitForInitialSyncBlock)(SOSAccount*  account);

CF_RETURNS_RETAINED CFStringRef SOSAccountCallWhenInSync(SOSAccount* account, SOSAccountWaitForInitialSyncBlock syncBlock);
bool SOSAccountUnregisterCallWhenInSync(SOSAccount* account, CFStringRef id);

bool SOSAccountHandleOutOfSyncUpdate(SOSAccount* account, CFSetRef oldOOSViews, CFSetRef newOOSViews);

void SOSAccountEnsureSyncChecking(SOSAccount* account);
void SOSAccountCancelSyncChecking(SOSAccount* account);
void SOSAccountInitializeInitialSync(SOSAccount* account);
CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
CFSetRef SOSAccountCopyEnabledViews(SOSAccount* account);
void SOSAccountNotifyEngines(SOSAccount* account);
CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
bool SOSAccountIsViewOutstanding(SOSAccount* account, CFStringRef view);
CFMutableSetRef SOSAccountCopyIntersectionWithOustanding(SOSAccount* account, CFSetRef inSet);
bool SOSAccountIntersectsWithOutstanding(SOSAccount* account, CFSetRef views);
bool SOSAccountHasOustandingViews(SOSAccount* account);
bool SOSAccountHasCompletedInitialSync(SOSAccount* account);
bool SOSAccountHasCompletedRequiredBackupSync(SOSAccount* account);
CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
bool SOSAccountSyncingV0(SOSAccount* account);

// MARK: DER Stuff


size_t der_sizeof_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error);

uint8_t* der_encode_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

const uint8_t* der_decode_fullpeer_or_null(CFAllocatorRef allocator, SOSFullPeerInfoRef* data,
                                           CFErrorRef* error,
                                           const uint8_t* der, const uint8_t* der_end);


size_t der_sizeof_public_bytes(SecKeyRef publicKey, CFErrorRef* error);

uint8_t* der_encode_public_bytes(SecKeyRef publicKey, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);

const uint8_t* der_decode_public_bytes(CFAllocatorRef allocator, CFIndex algorithmID, SecKeyRef* publicKey, CFErrorRef* error, const uint8_t* der, const uint8_t* der_end);


// Update
-(SOSCCStatus) getCircleStatus:(CFErrorRef*) error;
-(bool) isInCircle:(CFErrorRef *)error;

bool SOSAccountHandleCircleMessage(SOSAccount* account,
                                   CFStringRef circleName, CFDataRef encodedCircleMessage, CFErrorRef *error);

CF_RETURNS_RETAINED
CFDictionaryRef SOSAccountHandleRetirementMessages(SOSAccount* account, CFDictionaryRef circle_retirement_messages, CFErrorRef *error);

bool SOSAccountHandleUpdateCircle(SOSAccount* account,
                                  SOSCircleRef prospective_circle,
                                  bool writeUpdate,
                                  CFErrorRef *error);


// My Peer
bool SOSAccountHasFullPeerInfo(SOSAccount* account, CFErrorRef* error);

bool SOSAccountIsMyPeerInBackupAndCurrentInView(SOSAccount* account, CFStringRef viewname);
bool SOSAccountUpdateOurPeerInBackup(SOSAccount* account, SOSRingRef oldRing, CFErrorRef *error);
bool SOSAccountIsPeerInBackupAndCurrentInView(SOSAccount* account, SOSPeerInfoRef testPeer, CFStringRef viewname);
bool SOSDeleteV0Keybag(CFErrorRef *error);
bool SOSAccountUpdatePeerInfo(SOSAccount* account, CFStringRef updateDescription, CFErrorRef *error, bool (^update)(SOSFullPeerInfoRef fpi, CFErrorRef *error));
bool SOSAccountUpdatePeerInfoAndPush(SOSAccount* account, CFStringRef updateDescription, CFErrorRef *error,
                                     bool (^update)(SOSPeerInfoRef pi, CFErrorRef *error));

// Currently permitted backup rings.
void SOSAccountForEachBackupRingName(SOSAccount* account, void (^operation)(CFStringRef value));
void SOSAccountForEachRingName(SOSAccount* account, void (^operation)(CFStringRef value));
void SOSAccountForEachBackupView(SOSAccount* account,  void (^operation)(const void *value));
SOSRingRef SOSAccountCreateBackupRingForView(SOSAccount* account, CFStringRef ringBackupViewName, CFErrorRef *error);


// My Circle
bool SOSAccountHasCircle(SOSAccount* account, CFErrorRef* error);
SOSCircleRef CF_RETURNS_RETAINED SOSAccountEnsureCircle(SOSAccount* a, CFStringRef name, CFErrorRef *error);

void AppendCircleKeyName(CFMutableArrayRef array, CFStringRef name);

CFStringRef SOSInterestListCopyDescription(CFArrayRef interests);


// FullPeerInfos - including Cloud Identity
SOSFullPeerInfoRef CopyCloudKeychainIdentity(SOSPeerInfoRef cloudPeer, CFErrorRef *error);

bool SOSAccountIsAccountIdentity(SOSAccount* account, SOSPeerInfoRef peer_info, CFErrorRef *error);
bool SOSAccountFullPeerInfoVerify(SOSAccount* account, SecKeyRef privKey, CFErrorRef *error);
CF_RETURNS_RETAINED SOSPeerInfoRef GenerateNewCloudIdentityPeerInfo(CFErrorRef *error);

void SOSiCloudIdentityPrivateKeyForEach(void (^complete)(SecKeyRef privKey));

// Credentials
bool SOSAccountHasPublicKey(SOSAccount* account, CFErrorRef* error);
bool SOSAccountPublishCloudParameters(SOSAccount* account, CFErrorRef* error);
bool SOSAccountRetrieveCloudParameters(SOSAccount* account, SecKeyRef *newKey,
                                       CFDataRef derparms,
                                       CFDataRef *newParameters, CFErrorRef* error);

//DSID
void SOSAccountAssertDSID(SOSAccount* account, CFStringRef dsid);

//
// Key extraction
//

SecKeyRef SOSAccountCopyDeviceKey(SOSAccount* account, CFErrorRef *error);
SecKeyRef CF_RETURNS_RETAINED GeneratePermanentFullECKey(int keySize, CFStringRef name, CFErrorRef* error);

// Testing
void SOSAccountSetLastDepartureReason(SOSAccount* account, enum DepartureReason reason);
void SOSAccountSetUserPublicTrustedForTesting(SOSAccount* account);

void SOSAccountPurgeIdentity(SOSAccount*);
bool sosAccountLeaveCircle(SOSAccount* account, SOSCircleRef circle, CFErrorRef* error);

bool SOSAccountForEachRing(SOSAccount* account, SOSRingRef (^action)(CFStringRef name, SOSRingRef ring));
bool SOSAccountUpdateBackUp(SOSAccount* account, CFStringRef viewname, CFErrorRef *error);
void SOSAccountEnsureRecoveryRing(SOSAccount* account);

bool SOSAccountEnsurePeerRegistration(SOSAccount* account, CFErrorRef *error);

extern const CFStringRef kSOSUnsyncedViewsKey;
extern const CFStringRef kSOSPendingEnableViewsToBeSetKey;
extern const CFStringRef kSOSPendingDisableViewsToBeSetKey;
extern const CFStringRef kSOSRecoveryKey;

typedef enum{
    kSOSTransportNone = 0,
    kSOSTransportIDS = 1,
    kSOSTransportKVS = 2,
    kSOSTransportFuture = 3,
    kSOSTransportPresent = 4
}TransportType;

SOSPeerInfoRef SOSAccountCopyPeerWithID(SOSAccount* account, CFStringRef peerid, CFErrorRef *error);

bool SOSAccountSetValue(SOSAccount* account, CFStringRef key, CFTypeRef value, CFErrorRef *error);
bool SOSAccountClearValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);
CFTypeRef SOSAccountGetValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);

bool SOSAccountAddEscrowToPeerInfo(SOSAccount* account, SOSFullPeerInfoRef myPeer, CFErrorRef *error);
void SOSAccountRemoveRing(SOSAccount* a, CFStringRef ringName);
SOSRingRef SOSAccountCopyRingNamed(SOSAccount* a, CFStringRef ringName, CFErrorRef *error);
bool SOSAccountUpdateRingFromRemote(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
bool SOSAccountUpdateRing(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
bool SOSAccountRemoveBackupPeers(SOSAccount* account, CFArrayRef peerIDs, CFErrorRef *error);
bool SOSAccountUpdateNamedRing(SOSAccount* account, CFStringRef ringName, CFErrorRef *error,
                               SOSRingRef (^create)(CFStringRef ringName, CFErrorRef *error),
                               SOSRingRef (^copyModified)(SOSRingRef existing, CFErrorRef *error));

//
// MARK: Backup translation functions
//

CFStringRef SOSBackupCopyRingNameForView(CFStringRef viewName);
bool SOSAccountUpdateBackupRing(SOSAccount*  account, CFStringRef viewName, CFErrorRef *error,
                                SOSRingRef (^modify)(SOSRingRef existing, CFErrorRef *error));
//
// Security tool test/debug functions
//
bool SOSAccountPostDebugScope(SOSAccount*  account, CFTypeRef scope, CFErrorRef *error);

bool SOSAccountCheckForAlwaysOnViews(SOSAccount* account);
// UUID, no setter just getter and ensuring value.
void SOSAccountEnsureUUID(SOSAccount* account);
CFStringRef CF_RETURNS_RETAINED SOSAccountCopyUUID(SOSAccount* account);
const uint8_t* der_decode_cloud_parameters(CFAllocatorRef allocator,
                                           CFIndex algorithmID, SecKeyRef* publicKey,
                                           CFDataRef *parameters,
                                           CFErrorRef* error,
                                           const uint8_t* der, const uint8_t* der_end);

/*
 * HSA2/piggybacking
 */

CFDataRef SOSPiggyBackBlobCopyEncodedData(SOSGenCountRef gencount, SecKeyRef pubKey, CFDataRef signature, CFErrorRef *error);

#if __OBJC__
NSData *SOSPiggyCreateInitialSyncData(NSArray<NSData*> *identities, NSArray<NSDictionary *>* tlks);
NSDictionary * SOSPiggyCopyInitialSyncData(const uint8_t** der, const uint8_t *der_end);
NSArray<NSDictionary*>* SOSAccountSortTLKS(NSArray<NSDictionary*>* tlks);
#endif

bool SOSAccountCleanupAllKVSKeys(SOSAccount* account, CFErrorRef* error);

@end

@interface SOSAccount (Persistence)

+(instancetype) accountFromData: (NSData*) data
                        factory: (SOSDataSourceFactoryRef) factory
                          error: (NSError**) error;
+(instancetype) accountFromDER: (const uint8_t**) der
                           end: (const uint8_t*) der_end
                       factory: (SOSDataSourceFactoryRef) factory
                         error: (NSError**) error;

-(NSData*) encodedData: (NSError**) error;


@end

#endif /* SOSAccount_h */
Commit	Line	Data
5c19dc3a A	1	//
5c19dc3a A	2	// SOSAccountPriv.h
866f8763	3	// Security
5c19dc3a A	4	//
5c19dc3a A	5
866f8763 A	6	#ifndef SOSAccountPriv_h
866f8763 A	7	#define SOSAccountPriv_h
5c19dc3a	8
866f8763	9	#import <Foundation/Foundation.h>
5c19dc3a A	10
	11	#include <CoreFoundation/CoreFoundation.h>
	12	#include <CoreFoundation/CFRuntime.h>
	13	#include <utilities/SecCFWrappers.h>
	14	#include <utilities/SecCFError.h>
	15	#include <utilities/SecAKSWrappers.h>
	16
5c19dc3a A	17	#include <Security/SecKeyPriv.h>
5c19dc3a A	18
ecaf5866	19	#include <Security/der_plist.h>
5c19dc3a A	20	#include <utilities/der_plist_internal.h>
	21	#include <corecrypto/ccder.h>
	22
	23	#include <AssertMacros.h>
5c19dc3a A	24
	25	#import <notify.h>
	26
b54c578e	27	#include "keychain/SecureObjectSync/SOSInternal.h"
866f8763	28
b54c578e A	29	#include "keychain/SecureObjectSync/SOSCircle.h"
	30	#include "keychain/SecureObjectSync/SOSCircleV2.h"
	31	#include "keychain/SecureObjectSync/SOSRing.h"
	32	#include "keychain/SecureObjectSync/SOSRingUtils.h"
5c19dc3a	33	#include <Security/SecureObjectSync/SOSCloudCircle.h>
7fb2cbd2	34	#include "keychain/securityd/SOSCloudCircleServer.h"
b54c578e A	35	#include "keychain/SecureObjectSync/SOSEngine.h"
	36	#include "keychain/SecureObjectSync/SOSPeer.h"
	37	#include "keychain/SecureObjectSync/SOSFullPeerInfo.h"
5c19dc3a	38	#include <Security/SecureObjectSync/SOSPeerInfo.h>
b54c578e A	39
	40	#include "keychain/SecureObjectSync/SOSPeerInfoInternal.h"
	41	#include "keychain/SecureObjectSync/SOSUserKeygen.h"
	42	#include "keychain/SecureObjectSync/SOSTransportCircle.h"
866f8763	43
5c19dc3a A	44	#include <utilities/iCloudKeychainTrace.h>
	45
	46	#include <Security/SecItemPriv.h>
	47
5c19dc3a	48
866f8763 A	49	extern const CFStringRef kSOSUnsyncedViewsKey;
	50	extern const CFStringRef kSOSPendingEnableViewsToBeSetKey;
	51	extern const CFStringRef kSOSPendingDisableViewsToBeSetKey;
	52	extern const CFStringRef kSOSRecoveryKey;
	53	extern const CFStringRef kSOSAccountUUID;
	54	extern const CFStringRef kSOSAccountPeerNegotiationTimeouts;
	55	extern const CFStringRef kSOSRecoveryRing;
e0e0d90e	56	extern const CFStringRef kSOSEscrowRecord;
79b9da22	57	extern const CFStringRef kSOSAccountName;
6b200bc3	58	extern const CFStringRef kSOSTestV2Settings;
866f8763 A	59	extern const CFStringRef kSOSRateLimitingCounters;
	60	extern const CFStringRef kSOSAccountPeerLastSentTimestamp;
	61	extern const CFStringRef kSOSAccountRenegotiationRetryCount;
866f8763	62	extern const CFStringRef kSOSInitialSyncTimeoutV0;
5c19dc3a	63
866f8763	64	typedef void (^SOSAccountSaveBlock)(CFDataRef flattenedAccount, CFErrorRef flattenFailError);
5c19dc3a	65
866f8763 A	66	@class SOSMessageKVS;
	67	@class CKKeyParameter;
	68	@class SOSAccountTrustClassic;
	69	@class SOSKVSCircleStorageTransport;
	70	@class SOSCircleStorageTransport;
	71	@class SOSCKCircleStorage;
5c19dc3a	72
ecaf5866	73	@interface SOSAccount : NSObject <SOSControlProtocol>
5c19dc3a	74
866f8763 A	75	@property (nonatomic, retain) NSDictionary *gestalt;
	76	@property (nonatomic, retain) NSData *backup_key;
	77	@property (nonatomic, retain) NSString *deviceID;
6b200bc3	78
866f8763	79	@property (nonatomic, retain) SOSAccountTrustClassic *trust;
6b200bc3	80
866f8763 A	81	@property (nonatomic, retain) dispatch_queue_t queue;
	82	@property (nonatomic, retain) dispatch_source_t user_private_timer;
	83	@property (nonatomic) SecKeyRef accountPrivateKey;
6b200bc3	84
866f8763	85	@property (nonatomic) SOSDataSourceFactoryRef factory;
6b200bc3	86
866f8763 A	87	@property (nonatomic, retain) NSData *_password_tmp;
	88	@property (nonatomic, assign) BOOL isListeningForSync;
	89	@property (nonatomic, assign) int lock_notification_token;
	90	@property (nonatomic, retain) CKKeyParameter* key_transport;
b54c578e	91	@property (nonatomic, retain) SOSKVSCircleStorageTransport* circle_transport;
866f8763	92	@property (nonatomic, retain) SOSMessageKVS* kvs_message_transport;
866f8763	93	@property (nonatomic, retain) SOSCKCircleStorage* ck_storage;
6b200bc3	94
5c19dc3a	95
866f8763 A	96	@property (nonatomic, assign) BOOL circle_rings_retirements_need_attention;
	97	@property (nonatomic, assign) BOOL engine_peer_state_needs_repair;
	98	@property (nonatomic, assign) BOOL key_interests_need_updating;
d64be36e A	99	@property (nonatomic, assign) BOOL need_backup_peers_created_after_backup_key_set;
d64be36e A	100
fa7225c8	101
866f8763	102	@property (nonatomic, retain) NSMutableArray *change_blocks;
fa7225c8	103
866f8763	104	@property (nonatomic, retain) NSMutableDictionary *waitForInitialSync_blocks;
fa7225c8	105
d64be36e	106	@property (nonatomic, retain) NSData* accountKeyDerivationParameters;
fa7225c8	107
866f8763 A	108	@property (nonatomic, assign) BOOL accountKeyIsTrusted;
	109	@property (nonatomic) SecKeyRef accountKey;
	110	@property (nonatomic) SecKeyRef previousAccountKey;
d64be36e	111	@property (nonatomic) SecKeyRef peerPublicKey;
5c19dc3a	112
866f8763	113	@property (copy) SOSAccountSaveBlock saveBlock;
fa7225c8	114
fa7225c8	115
866f8763 A	116	// Identity access properties, all delegated to the trust object
	117	@property (readonly, nonatomic) BOOL hasPeerInfo;
	118	@property (readonly, nonatomic) SOSPeerInfoRef peerInfo;
	119	@property (readonly, nonatomic) SOSFullPeerInfoRef fullPeerInfo;
	120	@property (readonly, nonatomic) NSString* peerID;
fa7225c8	121
79b9da22 A	122	@property (nonatomic, assign) BOOL notifyCircleChangeOnExit;
	123	@property (nonatomic, assign) BOOL notifyViewChangeOnExit;
	124	@property (nonatomic, assign) BOOL notifyBackupOnExit;
	125
d64be36e A	126	@property (nonatomic, retain) NSUserDefaults* settings;
	127
	128	@property (nonatomic) SecKeyRef octagonSigningFullKeyRef;
	129	@property (nonatomic) SecKeyRef octagonEncryptionFullKeyRef;
79b9da22	130
d64be36e	131	@property (nonatomic, assign) BOOL accountIsChanging;
79b9da22	132
5c19dc3a	133
805875f8	134	-(id) init NS_UNAVAILABLE;
866f8763	135	-(id) initWithGestalt:(CFDictionaryRef)gestalt factory:(SOSDataSourceFactoryRef)factory;
6b200bc3	136
d64be36e	137	- (void)startStateMachine;
805875f8	138
866f8763 A	139	void SOSAccountAddSyncablePeerBlock(SOSAccount* a,
	140	CFStringRef ds_name,
	141	SOSAccountSyncablePeersBlock changeBlock);
5c19dc3a	142
866f8763	143	-(bool) ensureFactoryCircles;
8a50f688	144	-(void) ensureOctagonPeerKeys;
5c19dc3a	145
866f8763	146	-(void) flattenToSaveBlock;
5c19dc3a	147
b54c578e A	148	-(void) ghostBustSchedule;
	149	+ (SOSAccountGhostBustingOptions) ghostBustGetRampSettings;
	150	- (bool) ghostBustCheckDate;
	151
805875f8 A	152	#if OCTAGON
805875f8 A	153	- (void)triggerBackupForPeers:(NSArray<NSString>)backupPeer;
d64be36e	154	- (void)triggerRingUpdate;
805875f8 A	155	#endif
805875f8 A	156
b54c578e	157
866f8763 A	158	void SOSAccountSetToNew(SOSAccount* a);
	159
	160	bool SOSAccountIsMyPeerActive(SOSAccount* account, CFErrorRef* error);
	161
	162	// MARK: In Sync checking
	163	typedef bool (^SOSAccountWaitForInitialSyncBlock)(SOSAccount* account);
5c19dc3a	164
866f8763 A	165	CF_RETURNS_RETAINED CFStringRef SOSAccountCallWhenInSync(SOSAccount* account, SOSAccountWaitForInitialSyncBlock syncBlock);
866f8763 A	166	bool SOSAccountUnregisterCallWhenInSync(SOSAccount* account, CFStringRef id);
5c19dc3a	167
866f8763 A	168	bool SOSAccountHandleOutOfSyncUpdate(SOSAccount* account, CFSetRef oldOOSViews, CFSetRef newOOSViews);
	169
	170	void SOSAccountEnsureSyncChecking(SOSAccount* account);
	171	void SOSAccountCancelSyncChecking(SOSAccount* account);
b54c578e	172	void SOSAccountInitializeInitialSync(SOSAccount* account);
866f8763	173	CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
b54c578e	174	CFSetRef SOSAccountCopyEnabledViews(SOSAccount* account);
866f8763 A	175	void SOSAccountNotifyEngines(SOSAccount* account);
	176	CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
	177	bool SOSAccountIsViewOutstanding(SOSAccount* account, CFStringRef view);
	178	CFMutableSetRef SOSAccountCopyIntersectionWithOustanding(SOSAccount* account, CFSetRef inSet);
	179	bool SOSAccountIntersectsWithOutstanding(SOSAccount* account, CFSetRef views);
	180	bool SOSAccountHasOustandingViews(SOSAccount* account);
	181	bool SOSAccountHasCompletedInitialSync(SOSAccount* account);
	182	bool SOSAccountHasCompletedRequiredBackupSync(SOSAccount* account);
	183	CFMutableSetRef SOSAccountCopyOutstandingViews(SOSAccount* account);
	184	bool SOSAccountSyncingV0(SOSAccount* account);
	185
	186	// MARK: DER Stuff
5c19dc3a	187
5c19dc3a A	188
	189	size_t der_sizeof_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error);
	190
	191	uint8_t* der_encode_fullpeer_or_null(SOSFullPeerInfoRef data, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);
	192
	193	const uint8_t* der_decode_fullpeer_or_null(CFAllocatorRef allocator, SOSFullPeerInfoRef* data,
866f8763 A	194	CFErrorRef* error,
866f8763 A	195	const uint8_t* der, const uint8_t* der_end);
5c19dc3a A	196
	197
	198	size_t der_sizeof_public_bytes(SecKeyRef publicKey, CFErrorRef* error);
	199
	200	uint8_t* der_encode_public_bytes(SecKeyRef publicKey, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);
	201
	202	const uint8_t* der_decode_public_bytes(CFAllocatorRef allocator, CFIndex algorithmID, SecKeyRef* publicKey, CFErrorRef* error, const uint8_t* der, const uint8_t* der_end);
	203
	204
5c19dc3a	205	// Update
866f8763	206	-(SOSCCStatus) getCircleStatus:(CFErrorRef*) error;
79b9da22	207	-(bool) isInCircle:(CFErrorRef *)error;
5c19dc3a	208
866f8763	209	bool SOSAccountHandleCircleMessage(SOSAccount* account,
5c19dc3a A	210	CFStringRef circleName, CFDataRef encodedCircleMessage, CFErrorRef *error);
	211
	212	CF_RETURNS_RETAINED
866f8763	213	CFDictionaryRef SOSAccountHandleRetirementMessages(SOSAccount* account, CFDictionaryRef circle_retirement_messages, CFErrorRef *error);
5c19dc3a	214
866f8763	215	bool SOSAccountHandleUpdateCircle(SOSAccount* account,
5c19dc3a A	216	SOSCircleRef prospective_circle,
	217	bool writeUpdate,
	218	CFErrorRef *error);
	219
5c19dc3a A	220
5c19dc3a A	221	// My Peer
866f8763 A	222	bool SOSAccountHasFullPeerInfo(SOSAccount* account, CFErrorRef* error);
	223
	224	bool SOSAccountIsMyPeerInBackupAndCurrentInView(SOSAccount* account, CFStringRef viewname);
	225	bool SOSAccountUpdateOurPeerInBackup(SOSAccount* account, SOSRingRef oldRing, CFErrorRef *error);
	226	bool SOSAccountIsPeerInBackupAndCurrentInView(SOSAccount* account, SOSPeerInfoRef testPeer, CFStringRef viewname);
e3d460c9	227	bool SOSDeleteV0Keybag(CFErrorRef *error);
866f8763	228	bool SOSAccountUpdatePeerInfo(SOSAccount* account, CFStringRef updateDescription, CFErrorRef error, bool (^update)(SOSFullPeerInfoRef fpi, CFErrorRef error));
79b9da22 A	229	bool SOSAccountUpdatePeerInfoAndPush(SOSAccount* account, CFStringRef updateDescription, CFErrorRef *error,
79b9da22 A	230	bool (^update)(SOSPeerInfoRef pi, CFErrorRef *error));
5c19dc3a A	231
5c19dc3a A	232	// Currently permitted backup rings.
866f8763 A	233	void SOSAccountForEachBackupRingName(SOSAccount* account, void (^operation)(CFStringRef value));
866f8763 A	234	void SOSAccountForEachRingName(SOSAccount* account, void (^operation)(CFStringRef value));
b54c578e A	235	void SOSAccountForEachBackupView(SOSAccount* account, void (^operation)(const void *value));
	236	SOSRingRef SOSAccountCreateBackupRingForView(SOSAccount* account, CFStringRef ringBackupViewName, CFErrorRef *error);
	237
5c19dc3a A	238
5c19dc3a A	239	// My Circle
866f8763	240	bool SOSAccountHasCircle(SOSAccount* account, CFErrorRef* error);
ecaf5866	241	SOSCircleRef CF_RETURNS_RETAINED SOSAccountEnsureCircle(SOSAccount* a, CFStringRef name, CFErrorRef *error);
5c19dc3a A	242
	243	void AppendCircleKeyName(CFMutableArrayRef array, CFStringRef name);
	244
	245	CFStringRef SOSInterestListCopyDescription(CFArrayRef interests);
	246
	247
	248	// FullPeerInfos - including Cloud Identity
	249	SOSFullPeerInfoRef CopyCloudKeychainIdentity(SOSPeerInfoRef cloudPeer, CFErrorRef *error);
	250
866f8763 A	251	bool SOSAccountIsAccountIdentity(SOSAccount* account, SOSPeerInfoRef peer_info, CFErrorRef *error);
866f8763 A	252	bool SOSAccountFullPeerInfoVerify(SOSAccount* account, SecKeyRef privKey, CFErrorRef *error);
ecaf5866	253	CF_RETURNS_RETAINED SOSPeerInfoRef GenerateNewCloudIdentityPeerInfo(CFErrorRef *error);
5c19dc3a	254
d64be36e A	255	void SOSiCloudIdentityPrivateKeyForEach(void (^complete)(SecKeyRef privKey));
d64be36e A	256
5c19dc3a	257	// Credentials
866f8763 A	258	bool SOSAccountHasPublicKey(SOSAccount* account, CFErrorRef* error);
	259	bool SOSAccountPublishCloudParameters(SOSAccount* account, CFErrorRef* error);
	260	bool SOSAccountRetrieveCloudParameters(SOSAccount* account, SecKeyRef *newKey,
5c19dc3a A	261	CFDataRef derparms,
	262	CFDataRef newParameters, CFErrorRef error);
	263
	264	//DSID
866f8763	265	void SOSAccountAssertDSID(SOSAccount* account, CFStringRef dsid);
5c19dc3a A	266
	267	//
	268	// Key extraction
	269	//
	270
866f8763	271	SecKeyRef SOSAccountCopyDeviceKey(SOSAccount* account, CFErrorRef *error);
ecaf5866	272	SecKeyRef CF_RETURNS_RETAINED GeneratePermanentFullECKey(int keySize, CFStringRef name, CFErrorRef* error);
5c19dc3a A	273
5c19dc3a A	274	// Testing
866f8763 A	275	void SOSAccountSetLastDepartureReason(SOSAccount* account, enum DepartureReason reason);
	276	void SOSAccountSetUserPublicTrustedForTesting(SOSAccount* account);
	277
	278	void SOSAccountPurgeIdentity(SOSAccount*);
d64be36e	279	bool sosAccountLeaveCircle(SOSAccount* account, SOSCircleRef circle, CFErrorRef* error);
79b9da22	280
866f8763 A	281	bool SOSAccountForEachRing(SOSAccount* account, SOSRingRef (^action)(CFStringRef name, SOSRingRef ring));
	282	bool SOSAccountUpdateBackUp(SOSAccount* account, CFStringRef viewname, CFErrorRef *error);
	283	void SOSAccountEnsureRecoveryRing(SOSAccount* account);
866f8763 A	284
866f8763 A	285	bool SOSAccountEnsurePeerRegistration(SOSAccount* account, CFErrorRef *error);
5c19dc3a A	286
5c19dc3a A	287	extern const CFStringRef kSOSUnsyncedViewsKey;
fa7225c8 A	288	extern const CFStringRef kSOSPendingEnableViewsToBeSetKey;
fa7225c8 A	289	extern const CFStringRef kSOSPendingDisableViewsToBeSetKey;
6b200bc3	290	extern const CFStringRef kSOSRecoveryKey;
5c19dc3a A	291
5c19dc3a A	292	typedef enum{
e3d460c9	293	kSOSTransportNone = 0,
5c19dc3a A	294	kSOSTransportIDS = 1,
	295	kSOSTransportKVS = 2,
	296	kSOSTransportFuture = 3,
	297	kSOSTransportPresent = 4
	298	}TransportType;
	299
866f8763 A	300	SOSPeerInfoRef SOSAccountCopyPeerWithID(SOSAccount* account, CFStringRef peerid, CFErrorRef *error);
	301
	302	bool SOSAccountSetValue(SOSAccount* account, CFStringRef key, CFTypeRef value, CFErrorRef *error);
	303	bool SOSAccountClearValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);
	304	CFTypeRef SOSAccountGetValue(SOSAccount* account, CFStringRef key, CFErrorRef *error);
	305
	306	bool SOSAccountAddEscrowToPeerInfo(SOSAccount* account, SOSFullPeerInfoRef myPeer, CFErrorRef *error);
866f8763 A	307	void SOSAccountRemoveRing(SOSAccount* a, CFStringRef ringName);
866f8763 A	308	SOSRingRef SOSAccountCopyRingNamed(SOSAccount* a, CFStringRef ringName, CFErrorRef *error);
866f8763 A	309	bool SOSAccountUpdateRingFromRemote(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
	310	bool SOSAccountUpdateRing(SOSAccount* account, SOSRingRef newRing, CFErrorRef *error);
	311	bool SOSAccountRemoveBackupPeers(SOSAccount* account, CFArrayRef peerIDs, CFErrorRef *error);
866f8763	312	bool SOSAccountUpdateNamedRing(SOSAccount* account, CFStringRef ringName, CFErrorRef *error,
6b200bc3 A	313	SOSRingRef (^create)(CFStringRef ringName, CFErrorRef *error),
6b200bc3 A	314	SOSRingRef (^copyModified)(SOSRingRef existing, CFErrorRef *error));
5c19dc3a A	315
	316	//
	317	// MARK: Backup translation functions
	318	//
	319
	320	CFStringRef SOSBackupCopyRingNameForView(CFStringRef viewName);
b54c578e A	321	bool SOSAccountUpdateBackupRing(SOSAccount* account, CFStringRef viewName, CFErrorRef *error,
b54c578e A	322	SOSRingRef (^modify)(SOSRingRef existing, CFErrorRef *error));
e3d460c9 A	323	//
	324	// Security tool test/debug functions
	325	//
866f8763	326	bool SOSAccountPostDebugScope(SOSAccount* account, CFTypeRef scope, CFErrorRef *error);
e3d460c9	327
866f8763 A	328	bool SOSAccountCheckForAlwaysOnViews(SOSAccount* account);
	329	// UUID, no setter just getter and ensuring value.
	330	void SOSAccountEnsureUUID(SOSAccount* account);
ecaf5866	331	CFStringRef CF_RETURNS_RETAINED SOSAccountCopyUUID(SOSAccount* account);
866f8763 A	332	const uint8_t* der_decode_cloud_parameters(CFAllocatorRef allocator,
	333	CFIndex algorithmID, SecKeyRef* publicKey,
	334	CFDataRef *parameters,
	335	CFErrorRef* error,
	336	const uint8_t* der, const uint8_t* der_end);
	337
	338	/*
	339	* HSA2/piggybacking
	340	*/
	341
	342	CFDataRef SOSPiggyBackBlobCopyEncodedData(SOSGenCountRef gencount, SecKeyRef pubKey, CFDataRef signature, CFErrorRef *error);
	343
	344	#if __OBJC__
	345	NSData SOSPiggyCreateInitialSyncData(NSArray<NSData> identities, NSArray<NSDictionary >* tlks);
	346	NSDictionary * SOSPiggyCopyInitialSyncData(const uint8_t** der, const uint8_t *der_end);
	347	NSArray<NSDictionary> SOSAccountSortTLKS(NSArray<NSDictionary> tlks);
	348	#endif
e3d460c9	349
866f8763	350	bool SOSAccountCleanupAllKVSKeys(SOSAccount* account, CFErrorRef* error);
6b200bc3	351
866f8763 A	352	@end
	353
	354	@interface SOSAccount (Persistence)
	355
	356	+(instancetype) accountFromData: (NSData*) data
	357	factory: (SOSDataSourceFactoryRef) factory
	358	error: (NSError**) error;
	359	+(instancetype) accountFromDER: (const uint8_t**) der
	360	end: (const uint8_t*) der_end
	361	factory: (SOSDataSourceFactoryRef) factory
	362	error: (NSError**) error;
	363
	364	-(NSData) encodedData: (NSError*) error;
b54c578e A	365
b54c578e A	366
866f8763 A	367	@end
	368
	369	#endif /* SOSAccount_h */