]> git.saurik.com Git - apple/security.git/blame - securityd/src/dbcrypto.h
projects / apple / security.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Security-57336.10.29.tar.gz
[apple/security.git] / securityd / src / dbcrypto.h
CommitLineData
d8f41ccd
A		 1/*
2 * Copyright (c) 2000-2001,2003-2006,2013 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25//
26// dbcrypto - cryptographic core for database and key blob cryptography
27//
28#ifndef _H_DBCRYPTO
29#define _H_DBCRYPTO
30
31#include <securityd_client/ssblob.h>
32#include <security_cdsa_client/cspclient.h>
33#include <security_cdsa_client/keyclient.h>
34
35using namespace SecurityServer;
36
37
38//
39// A DatabaseCryptoCore object encapsulates the secret state of a database.
40// It provides for encoding and decoding of database blobs and key blobs,
41// and holds all state related to the database secrets.
42//
43class DatabaseCryptoCore {
44public:
45 DatabaseCryptoCore();
46 virtual ~DatabaseCryptoCore();
47
48 bool isValid() const { return mIsValid; }
49 bool hasMaster() const { return mHaveMaster; }
50 void invalidate();
51
52 void generateNewSecrets();
53 CssmClient::Key masterKey();
54
55 void setup(const DbBlob *blob, const CssmData &passphrase);
56 void setup(const DbBlob *blob, CssmClient::Key master);
57
58 void decodeCore(const DbBlob *blob, void **privateAclBlob = NULL);
59 DbBlob *encodeCore(const DbBlob &blobTemplate,
60 const CssmData &publicAcl, const CssmData &privateAcl) const;
61 void importSecrets(const DatabaseCryptoCore &src);
62
63 KeyBlob *encodeKeyCore(const CssmKey &key,
64 const CssmData &publicAcl, const CssmData &privateAcl,
65 bool inTheClear) const;
66 void decodeKeyCore(KeyBlob *blob,
67 CssmKey &key, void * &pubAcl, void * &privAcl) const;
68
69 static const uint32 managedAttributes = KeyBlob::managedAttributes;
70 static const uint32 forcedAttributes = KeyBlob::forcedAttributes;
71
72 bool get_encryption_key(CssmOwnedData &data);
73
74public:
75 bool validatePassphrase(const CssmData &passphrase);
76
77private:
78 bool mHaveMaster; // master key has been entered (setup)
79 bool mIsValid; // master secrets are valid (decode or generateNew)
80
81 CssmClient::Key mMasterKey; // database master key
82 uint8 mSalt[20]; // salt for master key derivation from passphrase (only)
83
84 CssmClient::Key mEncryptionKey; // master encryption key
85 CssmClient::Key mSigningKey; // master signing key
86
87 CssmClient::Key deriveDbMasterKey(const CssmData &passphrase) const;
88 CssmClient::Key makeRawKey(void *data, size_t length,
89 CSSM_ALGORITHMS algid, CSSM_KEYUSE usage);
90};
91
92
93#endif //_H_DBCRYPTO
mirror of Security