[apple/security.git] / ckcdiagnose / ckcdiagnose.sh

#!/bin/sh

# Poor man's option parsing.
# Replace with shift/case once more options come along.
SHORT=0
if [ "$1" == "-s" ]; then
    SHORT=1
fi

PRODUCT_NAME=$(sw_vers -productName)
PRODUCT_VERSION=$(sw_vers -buildVersion)
HOSTNAME=$(hostname -s)
NOW=$(date "+%Y%m%d%H%M%S")

case $PRODUCT_NAME in
    "Mac OS X")
        PROD=OSX
        secd=secd
        secexec=security2
        OUTPUTPARENT=/var/tmp
        CRASHDIR=/Library/Logs/DiagnosticReports
        CSDIR=$HOME/Library/Logs/CloudServices
        SECLOGPATH=/var/log/module/com.apple.securityd
        syd=/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
        kvsutil=/AppleInternal/Applications/kvsutil
        ;;
    *)
        PROD=IOS
        secd=securityd
        secexec=security
        OUTPUTPARENT=/Library/Logs/CrashReporter
        CRASHDIR=/var/mobile/Library/Logs/CrashReporter
        CSDIR=$CRASHDIR/DiagnosticLogs/CloudServices
        SECLOGPATH=/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs
        syd=/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
        kvsutil=/usr/local/bin/kvsutil
        ;;
esac

if (( ! $SHORT )); then
    OUTPUTBASE=ckcdiagnose_${HOSTNAME}_${PRODUCT_VERSION}_${NOW}
else
    OUTPUTBASE=ckcdiagnose_snapshot_${HOSTNAME}_${PRODUCT_VERSION}_${NOW}
fi
OUTPUT=$OUTPUTPARENT/$OUTPUTBASE

mkdir $OUTPUT

if [ "$PROD" = "IOS" ]; then
    while !(/usr/local/bin/profilectl cpstate | grep -Eq 'Unlocked|Disabled'); do
        echo Please ensure that your device is unlocked and press Enter. >&2
        read enter
    done
fi

(
echo Outputting to $OUTPUT
set -x

sw_vers > $OUTPUT/sw_vers.log

$secexec sync -D > $OUTPUT/syncD.log
$secexec sync -i > $OUTPUT/synci.log
$secexec sync -L > $OUTPUT/syncL.log

(( $SHORT )) || ([ -x $kvsutil ] && $kvsutil show com.apple.security.cloudkeychainproxy3 > $OUTPUT/kvsutil_show.txt 2>&1)

if [ "$PROD" == "OSX" ]; then
    $secexec item -g class=genp,nleg=1,svce="iCloud Keychain Account Meta-data" > $OUTPUT/ickcmetadata.log
    $secexec item -g class=genp,nleg=1,acct=engine-state > $OUTPUT/engine-state.log
elif [ "$PROD" == "IOS" ]; then
    $secexec item -g class=genp,svce="iCloud Keychain Account Meta-data" > $OUTPUT/ickcmetadata.log
    $secexec item -g class=genp,acct=engine-state > $OUTPUT/engine-state.log
fi

# In preparation, before getting any of the logs, query all classes,
# just in order to excercise the decryption and corruption
# verification for all items. This will log errors and simulated crashes
# if any of the items should turn out corrupted.
# The items are NOT saved in the diagnostic log, because they potentially
# contain very private items.
for class in genp inet cert keys; do
    for sync in 0 1; do
        for tomb in 0 1; do
            echo class=${class},sync=${sync},tomb=${tomb}: >> $OUTPUT/keychain-state.log
            ${secexec} item -q class=${class},sync=${sync},tomb=${tomb} | grep '^acct'|wc -l 2>&1 >> $OUTPUT/keychain-state.log
        done
    done
done

if (( ! $SHORT )); then
    syslog -k Sender Seq syncdefaults > $OUTPUT/syslog_syncdefaults.log
    syslog -k Sender Seq $secd > $OUTPUT/syslog_secd.log
    syslog -k Sender Seq CloudKeychain > $OUTPUT/syslog_cloudkeychain.log
fi

(( $SHORT )) || (sbdtool status > $OUTPUT/sbdtool_status.log 2>&1)
(( $SHORT )) || plutil -p $HOME/Library/SyncedPreferences/com.apple.sbd.plist > $OUTPUT/sbd_kvs.txt

$syd status > $OUTPUT/syd_status.txt 2>&1
$syd lastrequest > $OUTPUT/syd_lastrequest.txt 2>&1
$syd serverlimits > $OUTPUT/syd_serverlimits.txt 2>&1

# Compare kvsutil and sync -D state, shows if store diverged from on-device state.
if (( ! $SHORT )); then
    if [ -f $OUTPUT/kvsutil_show.txt ]; then
        cat $OUTPUT/kvsutil_show.txt | grep -E '^    "?[o-]?ak.* = ' | sed -E 's/^    "?([^"]*)"? = \<.* (.*) (.*)\>.*$/\1 \2\3/g;s/^(.*) [0-9a-f]*([0-9a-f]{8})/\1 \2/g' | sort > $OUTPUT/kvs_keys.txt
        cat $OUTPUT/syncD.log | grep -E 'contents = "?[o-]?ak' | sed -E 's/^.*contents = "?([^"]*)"?\} = .*bytes = .* ... [0-9a-f]+([0-9a-f]{8})\}/\1 \2/g' | sort > $OUTPUT/syncD_keys.txt
        diff -u $OUTPUT/kvs_keys.txt $OUTPUT/syncD_keys.txt > $OUTPUT/kvs_syncD_diff.txt
    fi
fi

if [ "$PROD" = "IOS" ]; then
    cp /private/var/preferences/com.apple.security.cloudkeychainproxy3.keysToRegister.plist $OUTPUT/
    cp /var/mobile/Library/SyncedPreferences/com.apple.security.cloudkeychainproxy3.plist $OUTPUT/
else
    cp ~/Library/Preferences/com.apple.security.cloudkeychainproxy3.keysToRegister.plist $OUTPUT/
    cp ~/Library/SyncedPreferences/com.apple.security.cloudkeychainproxy3.plist $OUTPUT/
fi

if (( ! $SHORT )); then
    cp $SECLOGPATH/security.log* $OUTPUT/

    cp $CRASHDIR/*${secd}* $OUTPUT/
    cp $CRASHDIR/*syncdefaults* $OUTPUT/
    cp $CRASHDIR/*CloudKeychain* $OUTPUT/

    (cd $CSDIR && for x in *_*.asl; do syslog -f "$x" > "$OUTPUT/${x%%.asl}.log"; done)

    (cd  $SECLOGPATH; gzcat -c -f security.log*) > $OUTPUT/security-complete.log
    
    # potential problems
    (cd  $SECLOGPATH; gzcat -c security.log.*.gz; cat security.log.*Z) | grep -E -- 'Invalid date.|-26275|[cC]orrupt|[cC]rash|Public Key not available' > $OUTPUT/problems.log
    (cd  $SECLOGPATH; gzcat -c security.log.*.gz; cat security.log.*Z) | cut -d ' ' -f 6- | sort |uniq -c | sort -n > $OUTPUT/security-sorted.log
fi

) > $OUTPUT/ckcdiagnose.log 2>&1

tar czf $OUTPUT.tgz -C $OUTPUTPARENT $OUTPUTBASE

rm -r $OUTPUT

if (( ! $SHORT )); then
    echo
    echo "The file containing the diagnostic information is "
    echo "        $OUTPUT.tgz"
    echo 'Please attach it to a Radar in "Security / iCloud Keychain"'
    echo

    [ "$PROD" = "OSX" ] && open $OUTPUTPARENT
else
    echo $OUTPUT.tgz
fi
Commit	Line	Data
5c19dc3a A	1	#!/bin/sh
	2
	3	# Poor man's option parsing.
	4	# Replace with shift/case once more options come along.
	5	SHORT=0
	6	if [ "$1" == "-s" ]; then
	7	SHORT=1
	8	fi
	9
	10	PRODUCT_NAME=$(sw_vers -productName)
	11	PRODUCT_VERSION=$(sw_vers -buildVersion)
	12	HOSTNAME=$(hostname -s)
	13	NOW=$(date "+%Y%m%d%H%M%S")
	14
	15	case $PRODUCT_NAME in
	16	"Mac OS X")
	17	PROD=OSX
	18	secd=secd
	19	secexec=security2
	20	OUTPUTPARENT=/var/tmp
	21	CRASHDIR=/Library/Logs/DiagnosticReports
e0e0d90e	22	CSDIR=$HOME/Library/Logs/CloudServices
5c19dc3a A	23	SECLOGPATH=/var/log/module/com.apple.securityd
	24	syd=/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
	25	kvsutil=/AppleInternal/Applications/kvsutil
	26	;;
	27	*)
	28	PROD=IOS
	29	secd=securityd
	30	secexec=security
	31	OUTPUTPARENT=/Library/Logs/CrashReporter
	32	CRASHDIR=/var/mobile/Library/Logs/CrashReporter
e0e0d90e	33	CSDIR=$CRASHDIR/DiagnosticLogs/CloudServices
5c19dc3a A	34	SECLOGPATH=/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs
	35	syd=/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
	36	kvsutil=/usr/local/bin/kvsutil
	37	;;
	38	esac
	39
	40	if (( ! $SHORT )); then
	41	OUTPUTBASE=ckcdiagnose_${HOSTNAME}_${PRODUCT_VERSION}_${NOW}
	42	else
	43	OUTPUTBASE=ckcdiagnose_snapshot_${HOSTNAME}_${PRODUCT_VERSION}_${NOW}
	44	fi
	45	OUTPUT=$OUTPUTPARENT/$OUTPUTBASE
	46
	47	mkdir $OUTPUT
	48
	49	if [ "$PROD" = "IOS" ]; then
	50	while !(/usr/local/bin/profilectl cpstate \| grep -Eq 'Unlocked\|Disabled'); do
	51	echo Please ensure that your device is unlocked and press Enter. >&2
	52	read enter
	53	done
	54	fi
	55
	56	(
	57	echo Outputting to $OUTPUT
	58	set -x
	59
	60	sw_vers > $OUTPUT/sw_vers.log
	61
	62	$secexec sync -D > $OUTPUT/syncD.log
5c19dc3a	63	$secexec sync -i > $OUTPUT/synci.log
e0e0d90e	64	$secexec sync -L > $OUTPUT/syncL.log
5c19dc3a A	65
	66	(( $SHORT )) \|\| ([ -x $kvsutil ] && $kvsutil show com.apple.security.cloudkeychainproxy3 > $OUTPUT/kvsutil_show.txt 2>&1)
	67
	68	if [ "$PROD" == "OSX" ]; then
	69	$secexec item -g class=genp,nleg=1,svce="iCloud Keychain Account Meta-data" > $OUTPUT/ickcmetadata.log
	70	$secexec item -g class=genp,nleg=1,acct=engine-state > $OUTPUT/engine-state.log
	71	elif [ "$PROD" == "IOS" ]; then
	72	$secexec item -g class=genp,svce="iCloud Keychain Account Meta-data" > $OUTPUT/ickcmetadata.log
	73	$secexec item -g class=genp,acct=engine-state > $OUTPUT/engine-state.log
	74	fi
	75
	76	# In preparation, before getting any of the logs, query all classes,
	77	# just in order to excercise the decryption and corruption
	78	# verification for all items. This will log errors and simulated crashes
	79	# if any of the items should turn out corrupted.
	80	# The items are NOT saved in the diagnostic log, because they potentially
	81	# contain very private items.
	82	for class in genp inet cert keys; do
	83	for sync in 0 1; do
	84	for tomb in 0 1; do
	85	echo class=${class},sync=${sync},tomb=${tomb}: >> $OUTPUT/keychain-state.log
	86	${secexec} item -q class=${class},sync=${sync},tomb=${tomb} \| grep '^acct'\|wc -l 2>&1 >> $OUTPUT/keychain-state.log
	87	done
	88	done
	89	done
	90
	91	if (( ! $SHORT )); then
	92	syslog -k Sender Seq syncdefaults > $OUTPUT/syslog_syncdefaults.log
	93	syslog -k Sender Seq $secd > $OUTPUT/syslog_secd.log
	94	syslog -k Sender Seq CloudKeychain > $OUTPUT/syslog_cloudkeychain.log
	95	fi
	96
	97	(( $SHORT )) \|\| (sbdtool status > $OUTPUT/sbdtool_status.log 2>&1)
e0e0d90e	98	(( $SHORT )) \|\| plutil -p $HOME/Library/SyncedPreferences/com.apple.sbd.plist > $OUTPUT/sbd_kvs.txt
5c19dc3a A	99
	100	$syd status > $OUTPUT/syd_status.txt 2>&1
	101	$syd lastrequest > $OUTPUT/syd_lastrequest.txt 2>&1
	102	$syd serverlimits > $OUTPUT/syd_serverlimits.txt 2>&1
	103
	104	# Compare kvsutil and sync -D state, shows if store diverged from on-device state.
	105	if (( ! $SHORT )); then
	106	if [ -f $OUTPUT/kvsutil_show.txt ]; then
	107	cat $OUTPUT/kvsutil_show.txt \| grep -E '^ "?[o-]?ak.* = ' \| sed -E 's/^ "?([^"])"? = \<. (.) (.)\>.$/\1 \2\3/g;s/^(.) [0-9a-f]*([0-9a-f]{8})/\1 \2/g' \| sort > $OUTPUT/kvs_keys.txt
	108	cat $OUTPUT/syncD.log \| grep -E 'contents = "?[o-]?ak' \| sed -E 's/^.contents = "?([^"])"?\} = .bytes = . ... [0-9a-f]+([0-9a-f]{8})\}/\1 \2/g' \| sort > $OUTPUT/syncD_keys.txt
	109	diff -u $OUTPUT/kvs_keys.txt $OUTPUT/syncD_keys.txt > $OUTPUT/kvs_syncD_diff.txt
	110	fi
	111	fi
	112
	113	if [ "$PROD" = "IOS" ]; then
	114	cp /private/var/preferences/com.apple.security.cloudkeychainproxy3.keysToRegister.plist $OUTPUT/
	115	cp /var/mobile/Library/SyncedPreferences/com.apple.security.cloudkeychainproxy3.plist $OUTPUT/
	116	else
	117	cp ~/Library/Preferences/com.apple.security.cloudkeychainproxy3.keysToRegister.plist $OUTPUT/
	118	cp ~/Library/SyncedPreferences/com.apple.security.cloudkeychainproxy3.plist $OUTPUT/
	119	fi
	120
	121	if (( ! $SHORT )); then
	122	cp $SECLOGPATH/security.log* $OUTPUT/
	123
	124	cp $CRASHDIR/${secd} $OUTPUT/
	125	cp $CRASHDIR/syncdefaults $OUTPUT/
	126	cp $CRASHDIR/CloudKeychain $OUTPUT/
	127
e0e0d90e A	128	(cd $CSDIR && for x in _.asl; do syslog -f "$x" > "$OUTPUT/${x%%.asl}.log"; done)
e0e0d90e A	129
5c19dc3a A	130	(cd $SECLOGPATH; gzcat -c -f security.log*) > $OUTPUT/security-complete.log
	131
	132	# potential problems
	133	(cd $SECLOGPATH; gzcat -c security.log..gz; cat security.log.Z) \| grep -E -- 'Invalid date.\|-26275\|[cC]orrupt\|[cC]rash\|Public Key not available' > $OUTPUT/problems.log
	134	(cd $SECLOGPATH; gzcat -c security.log..gz; cat security.log.Z) \| cut -d ' ' -f 6- \| sort \|uniq -c \| sort -n > $OUTPUT/security-sorted.log
	135	fi
	136
	137	) > $OUTPUT/ckcdiagnose.log 2>&1
	138
	139	tar czf $OUTPUT.tgz -C $OUTPUTPARENT $OUTPUTBASE
	140
	141	rm -r $OUTPUT
	142
	143	if (( ! $SHORT )); then
	144	echo
	145	echo "The file containing the diagnostic information is "
	146	echo " $OUTPUT.tgz"
	147	echo 'Please attach it to a Radar in "Security / iCloud Keychain"'
	148	echo
	149
	150	[ "$PROD" = "OSX" ] && open $OUTPUTPARENT
	151	else
	152	echo $OUTPUT.tgz
	153	fi
	154
	155