[apple/security.git] / Keychain / Keychains.cpp

/*
 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


//
// Keychains.cpp
//

#include "Keychains.h"
#include "KCEventNotifier.h"

#include "Item.h"
#include "KCCursor.h"
#include "Globals.h"
#include "Schema.h"
#include <Security/keychainacl.h>
#include <Security/cssmacl.h>
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
#include <Security/cssmdb.h>


using namespace KeychainCore;
using namespace CssmClient;


//
// KeychainSchemaImpl
//
KeychainSchemaImpl::KeychainSchemaImpl(const Db &db)
{
	DbCursor relations(db);
	relations->recordType(CSSM_DL_DB_SCHEMA_INFO);
	DbAttributes relationRecord(db, 1);
	relationRecord.add(Schema::RelationID);
	DbUniqueRecord outerUniqueId(db);

	while (relations->next(&relationRecord, NULL, outerUniqueId))
	{
		DbUniqueRecord uniqueId(db);

		uint32 relationID = relationRecord.at(0);
		if (CSSM_DB_RECORDTYPE_SCHEMA_START <= relationID && relationID < CSSM_DB_RECORDTYPE_SCHEMA_END)
			continue;

		// Create a cursor on the SCHEMA_ATTRIBUTES table for records with RelationID == relationID
		DbCursor attributes(db);
		attributes->recordType(CSSM_DL_DB_SCHEMA_ATTRIBUTES);
		attributes->add(CSSM_DB_EQUAL, Schema::RelationID, relationID);
	
		// Set up a record for retriving the SCHEMA_ATTRIBUTES
		DbAttributes attributeRecord(db, 2);
		attributeRecord.add(Schema::AttributeFormat);
		attributeRecord.add(Schema::AttributeID);
		attributeRecord.add(Schema::AttributeNameFormat);
	
	
		RelationInfoMap &rim = mDatabaseInfoMap[relationID];
		while (attributes->next(&attributeRecord, NULL, uniqueId))
		{
			if(CSSM_DB_ATTRIBUTE_FORMAT(attributeRecord.at(2))==CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER)
				rim[attributeRecord.at(1)] = attributeRecord.at(0);
		}
		
		// Create a cursor on the CSSM_DL_DB_SCHEMA_INDEXES table for records with RelationID == relationID
		DbCursor indexes(db);
		indexes->recordType(CSSM_DL_DB_SCHEMA_INDEXES);
		indexes->conjunctive(CSSM_DB_AND);
		indexes->add(CSSM_DB_EQUAL, Schema::RelationID, relationID);
		indexes->add(CSSM_DB_EQUAL, Schema::IndexType, uint32(CSSM_DB_INDEX_UNIQUE));

		// Set up a record for retriving the SCHEMA_INDEXES
		DbAttributes indexRecord(db, 1);
		indexRecord.add(Schema::AttributeID);

		CssmAutoDbRecordAttributeInfo &infos = *new CssmAutoDbRecordAttributeInfo();
		mPrimaryKeyInfoMap.insert(PrimaryKeyInfoMap::value_type(relationID, &infos));
		infos.DataRecordType = relationID;
		while (indexes->next(&indexRecord, NULL, uniqueId))
		{
			CssmDbAttributeInfo &info = infos.add();
			info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER;
			info.Label.AttributeID = indexRecord.at(0);
			info.AttributeFormat = rim[info.Label.AttributeID]; // @@@ Might insert bogus value if DB is corrupt
		}
	}
}

KeychainSchemaImpl::~KeychainSchemaImpl()
{
	for_each_map_delete(mPrimaryKeyInfoMap.begin(), mPrimaryKeyInfoMap.end());
}

CSSM_DB_ATTRIBUTE_FORMAT 
KeychainSchemaImpl::attributeFormatFor(CSSM_DB_RECORDTYPE recordType, uint32 attributeId) const
{

	DatabaseInfoMap::const_iterator dit = mDatabaseInfoMap.find(recordType);
	if (dit == mDatabaseInfoMap.end())
		MacOSError::throwMe(errSecNoSuchClass);
	RelationInfoMap::const_iterator rit = dit->second.find(attributeId);
	if (dit == dit->second.end())
		MacOSError::throwMe(errSecNoSuchAttr);

	return rit->second;
}

CssmDbAttributeInfo
KeychainSchemaImpl::attributeInfoForTag(UInt32 tag)
{
	CSSM_DB_ATTRIBUTE_INFO info;

	for(DatabaseInfoMap::const_iterator dit = mDatabaseInfoMap.begin(); dit != mDatabaseInfoMap.end(); ++dit)
	{
		for(RelationInfoMap::const_iterator rit = dit->second.begin(); rit != dit->second.end(); ++rit)
		{
			if(rit->first==tag)
			{
				info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER;
				info.Label.AttributeID = rit->first;
				info.AttributeFormat = rit->second;
				return info;
			}
		}
	}
	return info;
}

void
KeychainSchemaImpl::getAttributeInfoForRecordType(CSSM_DB_RECORDTYPE recordType, SecKeychainAttributeInfo **Info)
{
	DatabaseInfoMap::const_iterator dit = mDatabaseInfoMap.find(recordType);
	if (dit == mDatabaseInfoMap.end())
		MacOSError::throwMe(errSecNoSuchClass);

	SecKeychainAttributeInfo *theList=reinterpret_cast<SecKeychainAttributeInfo *>(malloc(sizeof(SecKeychainAttributeInfo)));
	
	UInt32 capacity=32;
	UInt32 *tagBuf=reinterpret_cast<UInt32 *>(malloc(capacity*sizeof(UInt32)));
	UInt32 *formatBuf=reinterpret_cast<UInt32 *>(malloc(capacity*sizeof(UInt32)));
	UInt32 i=0;
	
	for(RelationInfoMap::const_iterator rit = dit->second.begin(); rit != dit->second.end(); ++rit)
	{
		if(i>=capacity)
		{
			capacity*=2;
			tagBuf=reinterpret_cast<UInt32 *>(realloc(tagBuf, (capacity*sizeof(UInt32))));
			formatBuf=reinterpret_cast<UInt32 *>(realloc(tagBuf, (capacity*sizeof(UInt32))));
		}
		tagBuf[i]=rit->first;
		formatBuf[i++]=rit->second;
	}
	
	theList->count=i;
	theList->tag=tagBuf;
	theList->format=formatBuf;
	*Info=theList;		
}


const CssmAutoDbRecordAttributeInfo &
KeychainSchemaImpl::primaryKeyInfosFor(CSSM_DB_RECORDTYPE recordType)
{
	PrimaryKeyInfoMap::iterator it;
	it = mPrimaryKeyInfoMap.find(recordType);
	
	// if the primary key attributes have already been determined,
	// return the cached results
	
	if (it == mPrimaryKeyInfoMap.end())
		MacOSError::throwMe(errSecNoSuchClass); // @@@ Not really but whatever.

	return *it->second;
}

bool
KeychainSchemaImpl::operator <(const KeychainSchemaImpl &other) const
{
	return mDatabaseInfoMap < other.mDatabaseInfoMap;
}

bool
KeychainSchemaImpl::operator ==(const KeychainSchemaImpl &other) const
{
	return mDatabaseInfoMap == other.mDatabaseInfoMap;
}


//
// KeychainImpl
//
KeychainImpl::KeychainImpl(const Db &db)
: mDb(db)
{
}

KeychainImpl::~KeychainImpl()
{
}

KCCursor
KeychainImpl::createCursor(SecItemClass itemClass, const SecKeychainAttributeList *attrList)
{
	return KCCursor(DbCursor(mDb), itemClass, attrList);
}

KCCursor
KeychainImpl::createCursor(const SecKeychainAttributeList *attrList)
{
	return KCCursor(DbCursor(mDb), attrList);
}

void
KeychainImpl::create(UInt32 passwordLength, const void *inPassword)
{
	if (!inPassword)
	{
		create();
		return;
	}

	CssmAllocator &alloc = CssmAllocator::standard();
	// @@@ Share this instance
	KeychainAclFactory aclFactory(alloc);

	// @@@ This leaks the returned credentials
	const CssmData password(const_cast<void *>(inPassword), passwordLength);
	const AccessCredentials *cred = aclFactory.passwordChangeCredentials(password);

	// @@@ Create a nice wrapper for building the default AclEntryPrototype. 
	TypedList subject(alloc, CSSM_ACL_SUBJECT_TYPE_ANY);
	AclEntryPrototype protoType(subject);
	AuthorizationGroup &authGroup = protoType.authorization();
	CSSM_ACL_AUTHORIZATION_TAG tag = CSSM_ACL_AUTHORIZATION_ANY;
	authGroup.NumberOfAuthTags = 1;
	authGroup.AuthTags = &tag;

	const ResourceControlContext rcc(protoType, const_cast<AccessCredentials *>(cred));
	create(&rcc);
}

void KeychainImpl::create(ConstStringPtr inPassword)
{
    if ( inPassword )
        create(static_cast<UInt32>(inPassword[0]), &inPassword[1]);
    else
        create();
}

void
KeychainImpl::create()
{
	CssmAllocator &alloc = CssmAllocator::standard();
	// @@@ Share this instance
	KeychainAclFactory aclFactory(alloc);

	const AccessCredentials *cred = aclFactory.keychainPromptUnlockCredentials();

	// @@@ Create a nice wrapper for building the default AclEntryPrototype.
	TypedList subject(alloc, CSSM_ACL_SUBJECT_TYPE_ANY);
	AclEntryPrototype protoType(subject);
	AuthorizationGroup &authGroup = protoType.authorization();
	CSSM_ACL_AUTHORIZATION_TAG tag = CSSM_ACL_AUTHORIZATION_ANY;
	authGroup.NumberOfAuthTags = 1;
	authGroup.AuthTags = &tag;

	const ResourceControlContext rcc(protoType, const_cast<AccessCredentials *>(cred));
	create(&rcc);
}

void
KeychainImpl::create(const ResourceControlContext *rcc)
{
	mDb->dbInfo(&Schema::DBInfo); // Set the schema (to force a create)
	mDb->resourceControlContext(rcc);
    try
    {
        mDb->create();
    }
    catch (...)
    {
		mDb->resourceControlContext(NULL);
        mDb->dbInfo(NULL); // Clear the schema (to not break an open call later)
        throw;
    }
	mDb->resourceControlContext(NULL);
	mDb->dbInfo(NULL); // Clear the schema (to not break an open call later)
	globals().storageManager.created(Keychain(this));
}

void
KeychainImpl::open()
{
	mDb->open();
}

void
KeychainImpl::lock()
{
	mDb->lock();
}

void
KeychainImpl::unlock()
{
	mDb->unlock();
}

void
KeychainImpl::unlock(const CssmData &password)
{
	mDb->unlock(password);
}

void
KeychainImpl::unlock(ConstStringPtr password)
{
	if (password)
	{
		const CssmData data(const_cast<unsigned char *>(&password[1]), password[0]);
		unlock(data);
	}
	else
		unlock();
}

void
KeychainImpl::getSettings(uint32 &outIdleTimeOut, bool &outLockOnSleep)
{
	mDb->getSettings(outIdleTimeOut, outLockOnSleep);
}

void
KeychainImpl::setSettings(uint32 inIdleTimeOut, bool inLockOnSleep)
{
	mDb->setSettings(inIdleTimeOut, inLockOnSleep);
}
void 
KeychainImpl::changePassphrase(UInt32 oldPasswordLength, const void *oldPassword,
	UInt32 newPasswordLength, const void *newPassword)
{
	// @@@ When AutoCredentials is actually finished we should no logner use a tracking allocator.
	TrackingAllocator allocator(CssmAllocator::standard());
	AutoCredentials cred = AutoCredentials(allocator);
	if (oldPassword)
	{
		const CssmData &oldPass = *new(allocator) CssmData(const_cast<void *>(oldPassword), oldPasswordLength);
		TypedList &oldList = *new(allocator) TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK);
		oldList.append(new(allocator) ListElement(CSSM_SAMPLE_TYPE_PASSWORD));
		oldList.append(new(allocator) ListElement(oldPass));
		cred += oldList;
	}

	if (newPassword)
	{
		const CssmData &newPass = *new(allocator) CssmData(const_cast<void *>(newPassword), newPasswordLength);
		TypedList &newList = *new(allocator) TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_CHANGE_LOCK);
		newList.append(new(allocator) ListElement(CSSM_SAMPLE_TYPE_PASSWORD));
		newList.append(new(allocator) ListElement(newPass));
		cred += newList;
	}

	mDb->changePassphrase(&cred);
}

void
KeychainImpl::changePassphrase(ConstStringPtr oldPassword, ConstStringPtr newPassword)
{
	const void *oldPtr, *newPtr;
	UInt32 oldLen, newLen;
	if (oldPassword)
	{
		oldLen = oldPassword[0];
		oldPtr = oldPassword + 1;
	}
	else
	{
		oldLen = 0;
		oldPtr = NULL;
	}

	if (newPassword)
	{
		newLen = newPassword[0];
		newPtr = newPassword + 1;
	}
	else
	{
		newLen = 0;
		newPtr = NULL;
	}

	changePassphrase(oldLen, oldPtr, newLen, newPtr);
}

void
KeychainImpl::authenticate(const CSSM_ACCESS_CREDENTIALS *cred)
{
	// @@@ This should do an authenticate which is not the same as unlock.
	if (!exists())
		MacOSError::throwMe(errSecNoSuchKeychain);

	MacOSError::throwMe(unimpErr);
}

UInt32
KeychainImpl::status() const
{
	// @@@ We should figure out the read/write status though a DL passthrough or some other way.
	// @@@ Also should locked be unlocked read only or just read-only?
	return (mDb->isLocked() ? 0 : kSecUnlockStateStatus | kSecWrPermStatus) | kSecRdPermStatus;
}

bool
KeychainImpl::exists()
{
	bool exists = true;
	try
	{
		open();
		// Ok to leave the mDb open since it will get closed when it goes away.
	}
	catch (const CssmError &e)
	{
		if (e.cssmError() != CSSMERR_DL_DATASTORE_DOESNOT_EXIST)
			throw;
		exists = false;
	}

	return exists;
}

bool
KeychainImpl::isActive() const
{
	return mDb->isActive();
}

void
KeychainImpl::add(Item &inItem)
{
	PrimaryKey primaryKey = inItem->add(this);
	{
		StLock<Mutex> _(mDbItemMapLock);
		// Use &* to get the item's Impl.
		mDbItemMap[primaryKey] = &*inItem;
	}

    KCEventNotifier::PostKeychainEvent(kSecAddEvent, this, inItem);
}

void
KeychainImpl::didUpdate(ItemImpl *inItemImpl, PrimaryKey &oldPK,
						PrimaryKey &newPK)
{
	// Make sure we only hold mDbItemMapLock as long as we need to.
	{
		StLock<Mutex> _(mDbItemMapLock);
		DbItemMap::iterator it = mDbItemMap.find(oldPK);
		if (it != mDbItemMap.end() && it->second == inItemImpl)
			mDbItemMap.erase(it);
		mDbItemMap[newPK] = inItemImpl;
	}

    KCEventNotifier::PostKeychainEvent( kSecUpdateEvent, this, inItemImpl );
}

void
KeychainImpl::deleteItem(Item &inoutItem)
{
	// item must be persistant.
	if (!inoutItem->isPersistant())
		MacOSError::throwMe(errSecInvalidItemRef);

	DbUniqueRecord uniqueId = inoutItem->dbUniqueRecord();
	PrimaryKey primaryKey = inoutItem->primaryKey();
	uniqueId->deleteRecord();

	// Don't kill the ref or clear the Item() since this potentially
	// messes up things for the receiver of the kSecDeleteEvent notification.
	//inoutItem->killRef();
	//inoutItem = Item();

    // Post the notification for the item deletion with
	// the primaryKey obtained when the item still existed
	KCEventNotifier::PostKeychainEvent(kSecDeleteEvent, dLDbIdentifier(), primaryKey);
}

PrimaryKey
KeychainImpl::makePrimaryKey(CSSM_DB_RECORDTYPE recordType, DbUniqueRecord &uniqueId)
{
	DbAttributes primaryKeyAttrs(uniqueId->database());
	primaryKeyAttrs.recordType(recordType);
	gatherPrimaryKeyAttributes(primaryKeyAttrs);
	uniqueId->get(&primaryKeyAttrs, NULL);
	return PrimaryKey(primaryKeyAttrs);
}

const CssmAutoDbRecordAttributeInfo &
KeychainImpl::primaryKeyInfosFor(CSSM_DB_RECORDTYPE recordType)
{
	return keychainSchema()->primaryKeyInfosFor(recordType);
}

void KeychainImpl::gatherPrimaryKeyAttributes(DbAttributes& primaryKeyAttrs)
{
	const CssmAutoDbRecordAttributeInfo &infos =
		primaryKeyInfosFor(primaryKeyAttrs.recordType());

	// @@@ fix this to not copy info.		
	for (uint32 i = 0; i < infos.size(); i++)
		primaryKeyAttrs.add(infos.at(i));
}

Item
KeychainImpl::item(const PrimaryKey& primaryKey)
{
	{
		StLock<Mutex> _(mDbItemMapLock);
		DbItemMap::iterator it = mDbItemMap.find(primaryKey);
		if (it != mDbItemMap.end())
		{
			return Item(it->second);
		}
	}

	// Create an item with just a primary key
    return Item(this, primaryKey);
}

Item
KeychainImpl::item(CSSM_DB_RECORDTYPE recordType, DbUniqueRecord &uniqueId)
{
	PrimaryKey primaryKey = makePrimaryKey(recordType, uniqueId);
	{
		StLock<Mutex> _(mDbItemMapLock);
		DbItemMap::iterator it = mDbItemMap.find(primaryKey);
		if (it != mDbItemMap.end())
		{
			return Item(it->second);
		}
	}

	// Create a new item
    return Item(this, primaryKey, uniqueId);
}

KeychainSchema
KeychainImpl::keychainSchema()
{
	if (!mKeychainSchema)
	{
		// @@@ Use cache in storageManager
		mKeychainSchema = KeychainSchema(mDb);
	}

	return mKeychainSchema;
}

// Called from DbItemImpl's constructor (so it is only paritally constructed), add it to the map. 
void
KeychainImpl::addItem(const PrimaryKey &primaryKey, ItemImpl *dbItemImpl)
{
	StLock<Mutex> _(mDbItemMapLock);
	DbItemMap::iterator it = mDbItemMap.find(primaryKey);
	if (it != mDbItemMap.end())
	{
		// @@@ There is a race condition here when being called in multiple threads
		// We might have added an item using add and received a notification at the same time
		//assert(true);
		throw errSecDuplicateItem;
		//mDbItemMap.erase(it);
		// @@@ What to do here?
	}

	mDbItemMap.insert(DbItemMap::value_type(primaryKey, dbItemImpl));
}

void
KeychainImpl::removeItem(const PrimaryKey &primaryKey, const ItemImpl *inItemImpl)
{
	// Sent from DbItemImpl's destructor, remove it from the map. 
	StLock<Mutex> _(mDbItemMapLock);
	DbItemMap::iterator it = mDbItemMap.find(primaryKey);
	if (it != mDbItemMap.end() && it->second == inItemImpl)
		mDbItemMap.erase(it);
}

void
KeychainImpl::getAttributeInfoForItemID(CSSM_DB_RECORDTYPE itemID, SecKeychainAttributeInfo **Info)
{
	keychainSchema()->getAttributeInfoForRecordType(itemID, Info);
}

void 
KeychainImpl::freeAttributeInfo(SecKeychainAttributeInfo *Info)
{
	free(Info->tag);
	free(Info->format);
	free(Info);
}

CssmDbAttributeInfo
KeychainImpl::attributeInfoForTag(UInt32 tag)
{
	return keychainSchema()->attributeInfoForTag(tag);

}

Keychain
Keychain::optional(SecKeychainRef handle)
{
	if (handle)
		return KeychainRef::required(handle);
	else
		return globals().defaultKeychain;
}
Commit	Line	Data
bac41a7b A	1	/*
	2	* Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
	3	*
	4	* The contents of this file constitute Original Code as defined in and are
	5	* subject to the Apple Public Source License Version 1.2 (the 'License').
	6	* You may not use this file except in compliance with the License. Please obtain
	7	* a copy of the License at http://www.apple.com/publicsource and read it before
	8	* using this file.
	9	*
	10	* This Original Code and all software distributed under the License are
	11	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
	12	* OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
	13	* LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
	14	* PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
	15	* specific language governing rights and limitations under the License.
	16	*/
	17
	18
	19	//
	20	// Keychains.cpp
	21	//
	22
	23	#include "Keychains.h"
	24	#include "KCEventNotifier.h"
	25
	26	#include "Item.h"
	27	#include "KCCursor.h"
	28	#include "Globals.h"
	29	#include "Schema.h"
	30	#include <Security/keychainacl.h>
	31	#include <Security/cssmacl.h>
	32	#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
	33	#include <Security/cssmdb.h>
	34
	35
	36	using namespace KeychainCore;
	37	using namespace CssmClient;
	38
	39
	40	//
	41	// KeychainSchemaImpl
	42	//
	43	KeychainSchemaImpl::KeychainSchemaImpl(const Db &db)
	44	{
	45	DbCursor relations(db);
	46	relations->recordType(CSSM_DL_DB_SCHEMA_INFO);
	47	DbAttributes relationRecord(db, 1);
	48	relationRecord.add(Schema::RelationID);
	49	DbUniqueRecord outerUniqueId(db);
	50
	51	while (relations->next(&relationRecord, NULL, outerUniqueId))
	52	{
	53	DbUniqueRecord uniqueId(db);
	54
	55	uint32 relationID = relationRecord.at(0);
	56	if (CSSM_DB_RECORDTYPE_SCHEMA_START <= relationID && relationID < CSSM_DB_RECORDTYPE_SCHEMA_END)
	57	continue;
	58
	59	// Create a cursor on the SCHEMA_ATTRIBUTES table for records with RelationID == relationID
	60	DbCursor attributes(db);
	61	attributes->recordType(CSSM_DL_DB_SCHEMA_ATTRIBUTES);
	62	attributes->add(CSSM_DB_EQUAL, Schema::RelationID, relationID);
	63
	64	// Set up a record for retriving the SCHEMA_ATTRIBUTES
65	DbAttributes attributeRecord(db, 2);
66	attributeRecord.add(Schema::AttributeFormat);
67	attributeRecord.add(Schema::AttributeID);
68	attributeRecord.add(Schema::AttributeNameFormat);
69
70
71	RelationInfoMap &rim = mDatabaseInfoMap[relationID];
72	while (attributes->next(&attributeRecord, NULL, uniqueId))
73	{
74	if(CSSM_DB_ATTRIBUTE_FORMAT(attributeRecord.at(2))==CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER)
75	rim[attributeRecord.at(1)] = attributeRecord.at(0);
76	}
77
78	// Create a cursor on the CSSM_DL_DB_SCHEMA_INDEXES table for records with RelationID == relationID
79	DbCursor indexes(db);
80	indexes->recordType(CSSM_DL_DB_SCHEMA_INDEXES);
81	indexes->conjunctive(CSSM_DB_AND);
82	indexes->add(CSSM_DB_EQUAL, Schema::RelationID, relationID);
83	indexes->add(CSSM_DB_EQUAL, Schema::IndexType, uint32(CSSM_DB_INDEX_UNIQUE));
84
85	// Set up a record for retriving the SCHEMA_INDEXES
86	DbAttributes indexRecord(db, 1);
87	indexRecord.add(Schema::AttributeID);
88
89	CssmAutoDbRecordAttributeInfo &infos = *new CssmAutoDbRecordAttributeInfo();
90	mPrimaryKeyInfoMap.insert(PrimaryKeyInfoMap::value_type(relationID, &infos));
91	infos.DataRecordType = relationID;
92	while (indexes->next(&indexRecord, NULL, uniqueId))
93	{
94	CssmDbAttributeInfo &info = infos.add();
95	info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER;
96	info.Label.AttributeID = indexRecord.at(0);
97	info.AttributeFormat = rim[info.Label.AttributeID]; // @@@ Might insert bogus value if DB is corrupt
98	}
99	}
100	}
101
102	KeychainSchemaImpl::~KeychainSchemaImpl()
103	{
104	for_each_map_delete(mPrimaryKeyInfoMap.begin(), mPrimaryKeyInfoMap.end());
105	}
106
107	CSSM_DB_ATTRIBUTE_FORMAT
108	KeychainSchemaImpl::attributeFormatFor(CSSM_DB_RECORDTYPE recordType, uint32 attributeId) const
109	{
110
111	DatabaseInfoMap::const_iterator dit = mDatabaseInfoMap.find(recordType);
112	if (dit == mDatabaseInfoMap.end())
113	MacOSError::throwMe(errSecNoSuchClass);
114	RelationInfoMap::const_iterator rit = dit->second.find(attributeId);
115	if (dit == dit->second.end())
116	MacOSError::throwMe(errSecNoSuchAttr);
117
118	return rit->second;
119	}
120
121	CssmDbAttributeInfo
122	KeychainSchemaImpl::attributeInfoForTag(UInt32 tag)
123	{
124	CSSM_DB_ATTRIBUTE_INFO info;
125
126	for(DatabaseInfoMap::const_iterator dit = mDatabaseInfoMap.begin(); dit != mDatabaseInfoMap.end(); ++dit)
127	{
128	for(RelationInfoMap::const_iterator rit = dit->second.begin(); rit != dit->second.end(); ++rit)
129	{
130	if(rit->first==tag)
131	{
132	info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER;
133	info.Label.AttributeID = rit->first;
134	info.AttributeFormat = rit->second;
135	return info;
136	}
137	}
138	}
139	return info;
140	}
141
142	void
143	KeychainSchemaImpl::getAttributeInfoForRecordType(CSSM_DB_RECORDTYPE recordType, SecKeychainAttributeInfo **Info)
144	{
145	DatabaseInfoMap::const_iterator dit = mDatabaseInfoMap.find(recordType);
146	if (dit == mDatabaseInfoMap.end())
147	MacOSError::throwMe(errSecNoSuchClass);
148
149	SecKeychainAttributeInfo theList=reinterpret_cast<SecKeychainAttributeInfo >(malloc(sizeof(SecKeychainAttributeInfo)));
150
151	UInt32 capacity=32;
152	UInt32 tagBuf=reinterpret_cast<UInt32 >(malloc(capacity*sizeof(UInt32)));
153	UInt32 formatBuf=reinterpret_cast<UInt32 >(malloc(capacity*sizeof(UInt32)));
154	UInt32 i=0;
155
156	for(RelationInfoMap::const_iterator rit = dit->second.begin(); rit != dit->second.end(); ++rit)
157	{
158	if(i>=capacity)
159	{
160	capacity*=2;
161	tagBuf=reinterpret_cast<UInt32 >(realloc(tagBuf, (capacitysizeof(UInt32))));
162	formatBuf=reinterpret_cast<UInt32 >(realloc(tagBuf, (capacitysizeof(UInt32))));
163	}
164	tagBuf[i]=rit->first;
165	formatBuf[i++]=rit->second;
166	}
167
168	theList->count=i;
169	theList->tag=tagBuf;
170	theList->format=formatBuf;
171	*Info=theList;
172	}
173
174
175	const CssmAutoDbRecordAttributeInfo &
176	KeychainSchemaImpl::primaryKeyInfosFor(CSSM_DB_RECORDTYPE recordType)
177	{
178	PrimaryKeyInfoMap::iterator it;
179	it = mPrimaryKeyInfoMap.find(recordType);
180
181	// if the primary key attributes have already been determined,
182	// return the cached results
183
184	if (it == mPrimaryKeyInfoMap.end())
185	MacOSError::throwMe(errSecNoSuchClass); // @@@ Not really but whatever.
186
187	return *it->second;
188	}
189
190	bool
191	KeychainSchemaImpl::operator <(const KeychainSchemaImpl &other) const
192	{
193	return mDatabaseInfoMap < other.mDatabaseInfoMap;
194	}
195
196	bool
197	KeychainSchemaImpl::operator ==(const KeychainSchemaImpl &other) const
198	{
199	return mDatabaseInfoMap == other.mDatabaseInfoMap;
200	}
201
202
203	//
204	// KeychainImpl
205	//
206	KeychainImpl::KeychainImpl(const Db &db)
207	: mDb(db)
208	{
209	}
210
211	KeychainImpl::~KeychainImpl()
212	{
213	}
214
215	KCCursor
216	KeychainImpl::createCursor(SecItemClass itemClass, const SecKeychainAttributeList *attrList)
217	{
218	return KCCursor(DbCursor(mDb), itemClass, attrList);
219	}
220
221	KCCursor
222	KeychainImpl::createCursor(const SecKeychainAttributeList *attrList)
223	{
224	return KCCursor(DbCursor(mDb), attrList);
225	}
226
227	void
228	KeychainImpl::create(UInt32 passwordLength, const void *inPassword)
229	{
230	if (!inPassword)
231	{
232	create();
233	return;
234	}
235
236	CssmAllocator &alloc = CssmAllocator::standard();
237	// @@@ Share this instance
238	KeychainAclFactory aclFactory(alloc);
239
240	// @@@ This leaks the returned credentials
241	const CssmData password(const_cast<void *>(inPassword), passwordLength);
242	const AccessCredentials *cred = aclFactory.passwordChangeCredentials(password);
243
244	// @@@ Create a nice wrapper for building the default AclEntryPrototype.
245	TypedList subject(alloc, CSSM_ACL_SUBJECT_TYPE_ANY);
246	AclEntryPrototype protoType(subject);
247	AuthorizationGroup &authGroup = protoType.authorization();
248	CSSM_ACL_AUTHORIZATION_TAG tag = CSSM_ACL_AUTHORIZATION_ANY;
249	authGroup.NumberOfAuthTags = 1;
250	authGroup.AuthTags = &tag;
251
252	const ResourceControlContext rcc(protoType, const_cast<AccessCredentials *>(cred));
253	create(&rcc);
254	}
255
256	void KeychainImpl::create(ConstStringPtr inPassword)
257	{
258	if ( inPassword )
259	create(static_cast<UInt32>(inPassword[0]), &inPassword[1]);
260	else
261	create();
262	}
263
264	void
265	KeychainImpl::create()
266	{
267	CssmAllocator &alloc = CssmAllocator::standard();
268	// @@@ Share this instance
269	KeychainAclFactory aclFactory(alloc);
270
271	const AccessCredentials *cred = aclFactory.keychainPromptUnlockCredentials();
272
273	// @@@ Create a nice wrapper for building the default AclEntryPrototype.
274	TypedList subject(alloc, CSSM_ACL_SUBJECT_TYPE_ANY);
275	AclEntryPrototype protoType(subject);
276	AuthorizationGroup &authGroup = protoType.authorization();
277	CSSM_ACL_AUTHORIZATION_TAG tag = CSSM_ACL_AUTHORIZATION_ANY;
278	authGroup.NumberOfAuthTags = 1;
279	authGroup.AuthTags = &tag;
280
281	const ResourceControlContext rcc(protoType, const_cast<AccessCredentials *>(cred));
282	create(&rcc);
283	}
284
285	void
286	KeychainImpl::create(const ResourceControlContext *rcc)
287	{
288	mDb->dbInfo(&Schema::DBInfo); // Set the schema (to force a create)
289	mDb->resourceControlContext(rcc);
290	try
291	{
292	mDb->create();
293	}
294	catch (...)
295	{
296	mDb->resourceControlContext(NULL);
297	mDb->dbInfo(NULL); // Clear the schema (to not break an open call later)
298	throw;
299	}
300	mDb->resourceControlContext(NULL);
301	mDb->dbInfo(NULL); // Clear the schema (to not break an open call later)
302	globals().storageManager.created(Keychain(this));
303	}
304
305	void
306	KeychainImpl::open()
307	{
308	mDb->open();
309	}
310
311	void
312	KeychainImpl::lock()
313	{
314	mDb->lock();
315	}
316
317	void
318	KeychainImpl::unlock()
319	{
320	mDb->unlock();
321	}
322
323	void
324	KeychainImpl::unlock(const CssmData &password)
325	{
326	mDb->unlock(password);
327	}
328
329	void
330	KeychainImpl::unlock(ConstStringPtr password)
331	{
332	if (password)
333	{
334	const CssmData data(const_cast<unsigned char *>(&password[1]), password[0]);
335	unlock(data);
336	}
337	else
338	unlock();
339	}
340
341	void
342	KeychainImpl::getSettings(uint32 &outIdleTimeOut, bool &outLockOnSleep)
343	{
344	mDb->getSettings(outIdleTimeOut, outLockOnSleep);
345	}
346
347	void
348	KeychainImpl::setSettings(uint32 inIdleTimeOut, bool inLockOnSleep)
349	{
350	mDb->setSettings(inIdleTimeOut, inLockOnSleep);
351	}
352	void
353	KeychainImpl::changePassphrase(UInt32 oldPasswordLength, const void *oldPassword,
354	UInt32 newPasswordLength, const void *newPassword)
355	{
356	// @@@ When AutoCredentials is actually finished we should no logner use a tracking allocator.
357	TrackingAllocator allocator(CssmAllocator::standard());
358	AutoCredentials cred = AutoCredentials(allocator);
359	if (oldPassword)
360	{
361	const CssmData &oldPass = new(allocator) CssmData(const_cast<void >(oldPassword), oldPasswordLength);
362	TypedList &oldList = *new(allocator) TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK);
363	oldList.append(new(allocator) ListElement(CSSM_SAMPLE_TYPE_PASSWORD));
364	oldList.append(new(allocator) ListElement(oldPass));
365	cred += oldList;
366	}
367
368	if (newPassword)
369	{
370	const CssmData &newPass = new(allocator) CssmData(const_cast<void >(newPassword), newPasswordLength);
371	TypedList &newList = *new(allocator) TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_CHANGE_LOCK);
372	newList.append(new(allocator) ListElement(CSSM_SAMPLE_TYPE_PASSWORD));
373	newList.append(new(allocator) ListElement(newPass));
374	cred += newList;
375	}
376
377	mDb->changePassphrase(&cred);
378	}
379
380	void
381	KeychainImpl::changePassphrase(ConstStringPtr oldPassword, ConstStringPtr newPassword)
382	{
383	const void oldPtr, newPtr;
384	UInt32 oldLen, newLen;
385	if (oldPassword)
386	{
387	oldLen = oldPassword[0];
388	oldPtr = oldPassword + 1;
389	}
390	else
391	{
392	oldLen = 0;
393	oldPtr = NULL;
394	}
395
396	if (newPassword)
397	{
398	newLen = newPassword[0];
399	newPtr = newPassword + 1;
400	}
401	else
402	{
403	newLen = 0;
404	newPtr = NULL;
405	}
406
407	changePassphrase(oldLen, oldPtr, newLen, newPtr);
408	}
409
410	void
411	KeychainImpl::authenticate(const CSSM_ACCESS_CREDENTIALS *cred)
412	{
413	// @@@ This should do an authenticate which is not the same as unlock.
414	if (!exists())
415	MacOSError::throwMe(errSecNoSuchKeychain);
416
417	MacOSError::throwMe(unimpErr);
418	}
419
420	UInt32
421	KeychainImpl::status() const
422	{
423	// @@@ We should figure out the read/write status though a DL passthrough or some other way.
424	// @@@ Also should locked be unlocked read only or just read-only?
425	return (mDb->isLocked() ? 0 : kSecUnlockStateStatus \| kSecWrPermStatus) \| kSecRdPermStatus;
426	}
427
428	bool
429	KeychainImpl::exists()
430	{
431	bool exists = true;
432	try
433	{
434	open();
435	// Ok to leave the mDb open since it will get closed when it goes away.
436	}
437	catch (const CssmError &e)
438	{
439	if (e.cssmError() != CSSMERR_DL_DATASTORE_DOESNOT_EXIST)
440	throw;
441	exists = false;
442	}
443
444	return exists;
445	}
446
447	bool
448	KeychainImpl::isActive() const
449	{
450	return mDb->isActive();
451	}
452
453	void
454	KeychainImpl::add(Item &inItem)
455	{
456	PrimaryKey primaryKey = inItem->add(this);
457	{
458	StLock<Mutex> _(mDbItemMapLock);
459	// Use &* to get the item's Impl.
460	mDbItemMap[primaryKey] = &*inItem;
461	}
462
463	KCEventNotifier::PostKeychainEvent(kSecAddEvent, this, inItem);
464	}
465
466	void
467	KeychainImpl::didUpdate(ItemImpl *inItemImpl, PrimaryKey &oldPK,
468	PrimaryKey &newPK)
469	{
470	// Make sure we only hold mDbItemMapLock as long as we need to.
471	{
472	StLock<Mutex> _(mDbItemMapLock);
473	DbItemMap::iterator it = mDbItemMap.find(oldPK);
474	if (it != mDbItemMap.end() && it->second == inItemImpl)
475	mDbItemMap.erase(it);
476	mDbItemMap[newPK] = inItemImpl;
477	}
478
479	KCEventNotifier::PostKeychainEvent( kSecUpdateEvent, this, inItemImpl );
480	}
481
482	void
483	KeychainImpl::deleteItem(Item &inoutItem)
484	{
485	// item must be persistant.
486	if (!inoutItem->isPersistant())
487	MacOSError::throwMe(errSecInvalidItemRef);
488
489	DbUniqueRecord uniqueId = inoutItem->dbUniqueRecord();
490	PrimaryKey primaryKey = inoutItem->primaryKey();
491	uniqueId->deleteRecord();
492
493	// Don't kill the ref or clear the Item() since this potentially
494	// messes up things for the receiver of the kSecDeleteEvent notification.
495	//inoutItem->killRef();
496	//inoutItem = Item();
497
498	// Post the notification for the item deletion with
499	// the primaryKey obtained when the item still existed
500	KCEventNotifier::PostKeychainEvent(kSecDeleteEvent, dLDbIdentifier(), primaryKey);
501	}
502
503	PrimaryKey
504	KeychainImpl::makePrimaryKey(CSSM_DB_RECORDTYPE recordType, DbUniqueRecord &uniqueId)
505	{
506	DbAttributes primaryKeyAttrs(uniqueId->database());
507	primaryKeyAttrs.recordType(recordType);
508	gatherPrimaryKeyAttributes(primaryKeyAttrs);
509	uniqueId->get(&primaryKeyAttrs, NULL);
510	return PrimaryKey(primaryKeyAttrs);
511	}
512
513	const CssmAutoDbRecordAttributeInfo &
514	KeychainImpl::primaryKeyInfosFor(CSSM_DB_RECORDTYPE recordType)
515	{
516	return keychainSchema()->primaryKeyInfosFor(recordType);
517	}
518
519	void KeychainImpl::gatherPrimaryKeyAttributes(DbAttributes& primaryKeyAttrs)
520	{
521	const CssmAutoDbRecordAttributeInfo &infos =
522	primaryKeyInfosFor(primaryKeyAttrs.recordType());
523
524	// @@@ fix this to not copy info.
525	for (uint32 i = 0; i < infos.size(); i++)
526	primaryKeyAttrs.add(infos.at(i));
527	}
528
529	Item
530	KeychainImpl::item(const PrimaryKey& primaryKey)
531	{
532	{
533	StLock<Mutex> _(mDbItemMapLock);
534	DbItemMap::iterator it = mDbItemMap.find(primaryKey);
535	if (it != mDbItemMap.end())
536	{
537	return Item(it->second);
538	}
539	}
540
541	// Create an item with just a primary key
542	return Item(this, primaryKey);
543	}
544
545	Item
546	KeychainImpl::item(CSSM_DB_RECORDTYPE recordType, DbUniqueRecord &uniqueId)
547	{
548	PrimaryKey primaryKey = makePrimaryKey(recordType, uniqueId);
549	{
550	StLock<Mutex> _(mDbItemMapLock);
551	DbItemMap::iterator it = mDbItemMap.find(primaryKey);
552	if (it != mDbItemMap.end())
553	{
554	return Item(it->second);
555	}
556	}
557
558	// Create a new item
559	return Item(this, primaryKey, uniqueId);
560	}
561
562	KeychainSchema
563	KeychainImpl::keychainSchema()
564	{
565	if (!mKeychainSchema)
566	{
567	// @@@ Use cache in storageManager
568	mKeychainSchema = KeychainSchema(mDb);
569	}
570
571	return mKeychainSchema;
572	}
573
574	// Called from DbItemImpl's constructor (so it is only paritally constructed), add it to the map.
575	void
576	KeychainImpl::addItem(const PrimaryKey &primaryKey, ItemImpl *dbItemImpl)
577	{
578	StLock<Mutex> _(mDbItemMapLock);
579	DbItemMap::iterator it = mDbItemMap.find(primaryKey);
580	if (it != mDbItemMap.end())
581	{
582	// @@@ There is a race condition here when being called in multiple threads
583	// We might have added an item using add and received a notification at the same time
584	//assert(true);
585	throw errSecDuplicateItem;
586	//mDbItemMap.erase(it);
587	// @@@ What to do here?
588	}
589
590	mDbItemMap.insert(DbItemMap::value_type(primaryKey, dbItemImpl));
591	}
592
593	void
594	KeychainImpl::removeItem(const PrimaryKey &primaryKey, const ItemImpl *inItemImpl)
595	{
596	// Sent from DbItemImpl's destructor, remove it from the map.
597	StLock<Mutex> _(mDbItemMapLock);
598	DbItemMap::iterator it = mDbItemMap.find(primaryKey);
599	if (it != mDbItemMap.end() && it->second == inItemImpl)
600	mDbItemMap.erase(it);
601	}
602
603	void
604	KeychainImpl::getAttributeInfoForItemID(CSSM_DB_RECORDTYPE itemID, SecKeychainAttributeInfo **Info)
605	{
606	keychainSchema()->getAttributeInfoForRecordType(itemID, Info);
607	}
608
609	void
610	KeychainImpl::freeAttributeInfo(SecKeychainAttributeInfo *Info)
611	{
612	free(Info->tag);
613	free(Info->format);
614	free(Info);
615	}
616
617	CssmDbAttributeInfo
618	KeychainImpl::attributeInfoForTag(UInt32 tag)
619	{
620	return keychainSchema()->attributeInfoForTag(tag);
621
622	}
623
624	Keychain
625	Keychain::optional(SecKeychainRef handle)
626	{
627	if (handle)
628	return KeychainRef::required(handle);
629	else
630	return globals().defaultKeychain;
631	}
632