]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/Regressions/secitem/si_77_SecAccessControl.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-58286.260.20.tar.gz
[apple/security.git] / OSX / sec / Security / Regressions / secitem / si_77_SecAccessControl.c
1 /*
2 * Copyright (c) 2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 #include <Security/SecItem.h>
26 #include <Security/SecItemPriv.h>
27 #include <Security/SecAccessControl.h>
28 #include <Security/SecAccessControlPriv.h>
29 #include <Security/SecInternal.h>
30 #include <utilities/SecCFWrappers.h>
31 #include <utilities/SecAKSWrappers.h>
32 #include <utilities/array_size.h>
33 #include <utilities/der_plist.h>
34 #include <libaks_acl_cf_keys.h>
35 #include <ACMDefs.h>
36 #include <ACMAclDefs.h>
37
38 #if TARGET_HAS_KEYSTORE
39 #include <Security/SecRandom.h>
40 #include <securityd/SecDbItem.h>
41 #include <coreauthd_spi.h>
42 #include <corecrypto/ccder.h>
43 #endif /* TARGET_HAS_KEYSTORE */
44
45 #include "Security_regressions.h"
46
47 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE
48 static bool aks_consistency_test(bool currentAuthDataFormat, kern_return_t expectedAksResult, SecAccessControlRef access_control, CFDataRef acm_context);
49 static CFDataRef kc_create_auth_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes);
50 static CFDataRef kc_copy_constraints_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes);
51 static int aks_crypt_acl(CFTypeRef operation, keybag_handle_t keybag,
52 keyclass_t keyclass, uint32_t textLength, const uint8_t *source,
53 CFMutableDataRef dest, CFDataRef auth_data, CFDataRef acm_context, CFDataRef caller_access_groups);
54 #endif
55
56 static void tests(void)
57 {
58 CFAllocatorRef allocator = kCFAllocatorDefault;
59 CFTypeRef protection = kSecAttrAccessibleAlwaysPrivate;
60 CFErrorRef error = NULL;
61
62 // Simple API tests:
63
64 // ACL with protection only
65 SecAccessControlRef acl = SecAccessControlCreateWithFlags(allocator, protection, 0, &error);
66 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
67 CFReleaseNull(error);
68 CFReleaseNull(acl);
69
70 // ACL with flags only (not allowed)
71 #pragma clang diagnostic push
72 #pragma clang diagnostic ignored "-Wnonnull"
73 // NULL passed as 'protection' newly generates a warning, we need to suppress it in order to compile
74 acl = SecAccessControlCreateWithFlags(allocator, NULL, kSecAccessControlUserPresence, &error);
75 #pragma clang diagnostic pop
76 ok(acl == NULL, "SecAccessControlCreateWithFlags");
77 CFReleaseNull(error);
78 CFReleaseNull(acl);
79
80 // ACL with protection and kSecAccessControlBiometryCurrentSet
81 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlBiometryCurrentSet, &error);
82 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
83 CFReleaseNull(error);
84 CFReleaseNull(acl);
85
86 // ACL with protection and flags
87 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlBiometryAny | kSecAccessControlDevicePasscode | kSecAccessControlOr, &error);
88 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
89 CFReleaseNull(error);
90 CFReleaseNull(acl);
91
92 // ACL with protection and flags
93 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlBiometryAny | kSecAccessControlDevicePasscode | kSecAccessControlAnd, &error);
94 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
95 CFReleaseNull(error);
96 CFReleaseNull(acl);
97
98 // ACL with protection and flags
99 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlBiometryAny | kSecAccessControlDevicePasscode | kSecAccessControlAnd | kSecAccessControlApplicationPassword, &error);
100 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
101 CFReleaseNull(error);
102 CFReleaseNull(acl);
103
104 // ACL with protection and kSecAccessControlApplicationPassword
105 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlApplicationPassword, &error);
106 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
107 CFReleaseNull(error);
108 CFReleaseNull(acl);
109
110 // ACL with protection and, kSecAccessControlUserPresence can be in combination with kSecAccessControlApplicationPassword and kSecAccessControlPrivateKeyUsage
111 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlUserPresence | kSecAccessControlApplicationPassword | kSecAccessControlPrivateKeyUsage, &error);
112 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
113 CFReleaseNull(error);
114 CFReleaseNull(acl);
115
116 // negative test of ACL with protection and, kSecAccessControlUserPresence can be in combination with kSecAccessControlApplicationPassword and kSecAccessControlPrivateKeyUsage
117 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlUserPresence | kSecAccessControlBiometryAny, &error);
118 ok(acl == NULL, "SecAccessControlCreateWithFlag wrong combination of flags");
119 CFReleaseNull(error);
120 CFReleaseNull(acl);
121
122 // ACL with protection and flags
123 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlUserPresence, &error);
124 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
125 CFReleaseNull(error);
126
127 // Extended API tests:
128
129 // Check created ACL
130 CFTypeRef aclProtection = SecAccessControlGetProtection(acl);
131 is(aclProtection, protection, "SecAccessControlGetProtection");
132
133 SecAccessConstraintRef aclConstraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt);
134 // Check created ACL
135 ok(aclConstraint != NULL && isDictionary(aclConstraint), "SecAccessControlGetConstraint");
136 eq_cf(CFDictionaryGetValue(aclConstraint, CFSTR(kACMKeyAclConstraintPolicy)), CFSTR(kACMPolicyDeviceOwnerAuthentication), "SecAccessControlGetConstraint");
137
138 CFReleaseNull(acl);
139
140 // Simple SPI tests:
141
142 // Empty ACL
143 acl = SecAccessControlCreate(allocator, &error);
144 ok(acl != NULL, "SecAccessControlCreate: %@", error);
145 CFReleaseNull(error);
146
147 // ACL protection
148 bool result = SecAccessControlSetProtection(acl, protection, &error);
149 ok(result, "SecAccessControlSetProtection: %@", error);
150 CFReleaseNull(error);
151
152 aclProtection = SecAccessControlGetProtection(acl);
153 // ACL protection
154 is(aclProtection, protection, "SecAccessControlGetProtection");
155
156 // Policy constraint
157 SecAccessConstraintRef policy = SecAccessConstraintCreatePolicy(allocator, CFSTR(kACMPolicyDeviceOwnerAuthentication), &error);
158 ok(policy != NULL, "SecAccessConstraintCreatePolicy: %@", error);
159 ok(isDictionary(policy), "SecAccessConstraintCreatePolicy");
160 is(CFDictionaryGetValue(policy, CFSTR(kACMKeyAclConstraintPolicy)), CFSTR(kACMPolicyDeviceOwnerAuthentication), "SecAccessConstraintCreatePolicy");
161 CFReleaseNull(error);
162 CFReleaseNull(policy);
163
164 // Passcode constraint
165 SecAccessConstraintRef passcode = SecAccessConstraintCreatePasscode(allocator);
166 ok(passcode != NULL && isDictionary(passcode), "SecAccessConstraintCreatePasscode");
167 is(CFDictionaryGetValue(passcode, CFSTR(kACMKeyAclConstraintUserPasscode)), kCFBooleanTrue, "SecAccessConstraintCreatePasscode");
168 // CFReleaseNull(passcode); passcode will be used in later tests
169
170 CFUUIDRef uuid = CFUUIDCreate(allocator);
171 CFStringRef uuidString = CFUUIDCreateString(allocator, uuid);
172 CFDataRef uuidData = CFStringCreateExternalRepresentation(allocator, uuidString, kCFStringEncodingUTF8, 0);
173 SecAccessConstraintRef biometry = SecAccessConstraintCreateBiometryCurrentSet(allocator, uuidData, uuidData);
174 // Biometry constraint
175 ok(biometry != NULL, "SecAccessConstraintCreateBiometry: %@", error);
176 ok(isDictionary(biometry), "SecAccessConstraintCreateBiometry");
177 ok(CFDictionaryGetValue(biometry, CFSTR(kACMKeyAclConstraintBio)), "SecAccessConstraintCreateBiometry");
178 CFDictionaryRef bioRef = CFDictionaryGetValue(biometry, CFSTR(kACMKeyAclConstraintBio));
179 ok(isDictionary(bioRef), "SecAccessConstraintCreateBiometry");
180 is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioCatacombUUID)), uuidData, "SecAccessConstraintCreateBiometry");
181 is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioDatabaseHash)), uuidData, "SecAccessConstraintCreateBiometry");
182 CFReleaseNull(error);
183 CFReleaseNull(biometry);
184 CFReleaseNull(uuidData);
185 CFReleaseNull(uuidString);
186 CFReleaseNull(uuid);
187
188 uuid = CFUUIDCreate(allocator);
189 uuidString = CFUUIDCreateString(allocator, uuid);
190 uuidData = CFStringCreateExternalRepresentation(allocator, uuidString, kCFStringEncodingUTF8, 0);
191 biometry = SecAccessConstraintCreateBiometryAny(allocator, uuidData);
192 // Biometry constraint
193 ok(biometry != NULL, "SecAccessConstraintCreateBiometry: %@", error);
194 ok(isDictionary(biometry), "SecAccessConstraintCreateBiometry");
195 ok(CFDictionaryGetValue(biometry, CFSTR(kACMKeyAclConstraintBio)), "SecAccessConstraintCreateBiometry");
196 bioRef = CFDictionaryGetValue(biometry, CFSTR(kACMKeyAclConstraintBio));
197 ok(isDictionary(bioRef), "SecAccessConstraintCreateBiometry");
198 is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioCatacombUUID)), uuidData, "SecAccessConstraintCreateBiometry");
199 CFReleaseNull(error);
200 // CFReleaseNull(biometry); biometry will be used in later tests
201 CFReleaseNull(uuidData);
202 CFReleaseNull(uuidString);
203 CFReleaseNull(uuid);
204
205 // KofN constraint
206 CFTypeRef constraints_array[] = { passcode, biometry };
207 CFArrayRef constraintsArray = CFArrayCreate(allocator, constraints_array, array_size(constraints_array), &kCFTypeArrayCallBacks);
208 SecAccessConstraintRef kofn = SecAccessConstraintCreateKofN(allocator, 1, constraintsArray, &error);
209 ok(kofn != NULL, "SecAccessConstraintCreateKofN: %@", error);
210 ok(isDictionary(kofn), "SecAccessConstraintCreateKofN");
211 CFTypeRef kofnConstraint = CFDictionaryGetValue(kofn, CFSTR(kACMKeyAclConstraintKofN));
212 ok(kofnConstraint != NULL && isDictionary(kofnConstraint), "SecAccessConstraintCreateKofN");
213 CFNumberRef required = CFNumberCreateWithCFIndex(allocator, 1);
214 is(CFDictionaryGetValue(kofnConstraint, CFSTR(kACMKeyAclParamKofN)), required, "SecAccessConstraintCreateKofN");
215 ok(CFDictionaryGetValue(kofnConstraint, CFSTR(kACMKeyAclConstraintBio)), "SecAccessConstraintCreateKofN");
216 is(CFDictionaryGetValue(kofnConstraint, CFSTR(kACMKeyAclConstraintUserPasscode)), kCFBooleanTrue, "SecAccessConstraintCreateKofN");
217 CFReleaseNull(error);
218 CFReleaseNull(kofn);
219 CFReleaseNull(required);
220 CFReleaseNull(constraintsArray);
221 CFReleaseNull(passcode);
222
223 // Add ACL constraint for operation
224 result = SecAccessControlAddConstraintForOperation(acl, kAKSKeyOpDecrypt, biometry, &error);
225 ok(result, "SecAccessControlAddConstraintForOperation: %@", error);
226 CFReleaseNull(error);
227
228 // Get ACL operation constraint
229 SecAccessConstraintRef constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt);
230 is(constraint, biometry, "SecAccessControlGetConstraint");
231 CFReleaseNull(biometry);
232
233 // Add ACL constraint for operation (kCFBooleanTrue)
234 result = SecAccessControlAddConstraintForOperation(acl, kAKSKeyOpDecrypt, kCFBooleanTrue, &error);
235 ok(result, "SecAccessControlAddConstraintForOperation: %@", error);
236 CFReleaseNull(error);
237
238 // Get ACL operation constraint (kCFBooleanTrue)
239 constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt);
240 is(constraint, kCFBooleanTrue, "SecAccessControlGetConstraint");
241
242 // Get ACL constraints
243 CFDictionaryRef constraints = SecAccessControlGetConstraints(acl);
244 ok(constraints != NULL && isDictionary(constraints), "SecAccessControlGetConstraints");
245 // Get ACL constraints
246 is(CFDictionaryGetValue(constraints, kAKSKeyOpDecrypt), kCFBooleanTrue, "SecAccessControlGetConstraints");
247
248 // ACL export and import
249 CFDataRef aclData = SecAccessControlCopyData(acl);
250 ok(aclData != NULL, "SecAccessControlCopyData");
251 SecAccessControlRef aclCopy = SecAccessControlCreateFromData(allocator, aclData, &error);
252 ok(aclCopy != NULL, "SecAccessControlCopyData: %@", error);
253 ok(CFEqual(aclCopy, acl), "SecAccessControlCopyData");
254 CFReleaseNull(error);
255 CFReleaseNull(aclCopy);
256 CFReleaseNull(aclData);
257
258 // Extended SPI tests:
259
260 // kAKSKeyDefaultOpAcl
261 result = SecAccessControlAddConstraintForOperation(acl, kAKSKeyOpDefaultAcl, kCFBooleanTrue, &error);
262 ok(result, "SecAccessControlAddConstraintForOperation: %@", error);
263 constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt);
264 is(constraint, kCFBooleanTrue, "SecAccessControlRemoveConstraintForOperation");
265 CFReleaseNull(error);
266
267 CFReleaseNull(acl);
268
269 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE
270 // AKS consistency test:
271
272 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlUserPresence, &error);
273 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
274 CFReleaseNull(error);
275
276 SKIP: {
277 skip("SecAccessControlCreateWithFlags failed", 7, acl != NULL);
278
279 CFDataRef acm_context = NULL;
280 CFTypeRef auth_handle = NULL;
281
282 auth_handle = LACreateNewContextWithACMContext(NULL, &error);
283 ok(auth_handle != NULL, "LACreateNewContextWithACMContext: %@", error);
284 CFReleaseNull(error);
285
286 SKIP: {
287 skip("LACreateNewContextWithACMContext failed", 6, auth_handle != NULL);
288
289 acm_context = LACopyACMContext(auth_handle, &error);
290 ok(acm_context != NULL, "LACopyACMContext: %@", error);
291 CFReleaseNull(error);
292
293 CFReleaseNull(auth_handle);
294
295 SKIP: {
296 skip("LACopyACMContext failed", 5, acm_context != NULL);
297
298 ok(aks_consistency_test(true, kAKSReturnPolicyError, acl, acm_context), "AKS consistency negative test (current auth_data format)");
299 ok(aks_consistency_test(false, kAKSReturnPolicyError, acl, acm_context), "AKS consistency negative test (old auth_data format)");
300
301 bool decrypt_enabled = false;
302 CFDictionaryRef constraints = SecAccessControlGetConstraints(acl);
303 if (constraints) {
304 CFMutableDictionaryRef new_constraints = CFDictionaryCreateMutableCopy(NULL, 0, constraints);
305 if (new_constraints) {
306 CFDictionarySetValue(new_constraints, kAKSKeyOpDecrypt, kCFBooleanTrue);
307 SecAccessControlSetConstraints(acl, new_constraints);
308 CFReleaseSafe(new_constraints);
309 decrypt_enabled = true;
310 }
311 }
312 ok(decrypt_enabled, "Cannot enable decrypt operation for AKS consistency positive tests");
313
314 ok(aks_consistency_test(true, kAKSReturnSuccess, acl, acm_context), "AKS consistency positive test (current auth_data format)");
315 ok(aks_consistency_test(false, kAKSReturnSuccess, acl, acm_context), "AKS consistency positive test (old auth_data format)");
316
317 CFReleaseNull(acm_context);
318 }
319 }
320
321 CFReleaseNull(acl);
322 }
323 #endif
324
325 // kSecAccessControlPrivateKeyUsage
326 acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, protection, kSecAccessControlPrivateKeyUsage | kSecAccessControlDevicePasscode, NULL);
327 ok(acl, "kSecAccessControlPrivateKeyUsage ACL create with constraint");
328 ok(!SecAccessControlGetConstraint(acl, kAKSKeyOpEncrypt), "kAKSKeyOpEncrypt constraint");
329 ok(!SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt), "kAKSKeyOpDecrypt constraint");
330 ok(constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDelete), "kAKSKeyOpDelete constraint");
331 is(constraint, kCFBooleanTrue, "kAKSKeyOpDelete constraint value");
332 ok(constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpSign), "kAKSKeyOpSign constraint");
333 ok(constraint && isDictionary(constraint), "kAKSKeyOpSign constraint value");
334 CFReleaseNull(acl);
335
336 acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, protection, kSecAccessControlPrivateKeyUsage, NULL);
337 ok(acl, "kSecAccessControlPrivateKeyUsage ACL create without constraint");
338 ok(!SecAccessControlGetConstraint(acl, kAKSKeyOpEncrypt), "kAKSKeyOpEncrypt constraint");
339 ok(!SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt), "kAKSKeyOpDecrypt constraint");
340 ok(constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDelete), "kAKSKeyOpDelete constraint");
341 is(constraint, kCFBooleanTrue, "kAKSKeyOpDelete constraint value");
342 ok(constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpSign), "kAKSKeyOpSign constraint");
343 is(constraint, kCFBooleanTrue, "kAKSKeyOpSign constraint value");
344 CFReleaseNull(acl);
345 }
346
347 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE
348
349 static bool aks_consistency_test(bool currentAuthDataFormat, kern_return_t expectedAksResult, SecAccessControlRef access_control, CFDataRef acm_context)
350 {
351 bool result = false;
352
353 const uint32_t bulkKeySize = 32;
354 const uint32_t maxKeyWrapOverHead = 8 + 32;
355 uint8_t bulkKey[bulkKeySize];
356 CFMutableDataRef bulkKeyWrapped = CFDataCreateMutable(NULL, 0);
357 CFDataSetLength(bulkKeyWrapped, bulkKeySize + maxKeyWrapOverHead);
358 CFMutableDataRef bulkKeyUnwrapped = CFDataCreateMutable(NULL, 0);
359 CFDataSetLength(bulkKeyUnwrapped, bulkKeySize);
360
361 CFDataRef auth_data = NULL;
362 CFMutableDictionaryRef auth_attribs = NULL;
363
364 OSStatus status = SecRandomCopyBytes(kSecRandomDefault, bulkKeySize, bulkKey);
365 ok_status(status, "SecRandomCopyBytes failed");
366 require_noerr(status, out);
367
368 auth_attribs = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
369 if (currentAuthDataFormat) {
370 auth_data = kc_create_auth_data(access_control, auth_attribs);
371 }
372 else {
373 auth_data = kc_copy_constraints_data(access_control, auth_attribs);
374 }
375
376 status = aks_crypt_acl(kAKSKeyOpEncrypt, KEYBAG_DEVICE, key_class_dk, bulkKeySize, bulkKey, bulkKeyWrapped, auth_data, acm_context, NULL);
377 is_status(status, kAKSReturnSuccess, "kAKSKeyOpEncrypt failed");
378 require(status == kAKSReturnSuccess, out);
379
380 uint32_t blobLenWrapped = (uint32_t)CFDataGetLength(bulkKeyWrapped);
381 const uint8_t *cursor = CFDataGetBytePtr(bulkKeyWrapped);
382
383 status = aks_crypt_acl(kAKSKeyOpDecrypt, KEYBAG_DEVICE, key_class_dk, blobLenWrapped, cursor, bulkKeyUnwrapped, auth_data, acm_context, NULL);
384 is_status(status, expectedAksResult, "kAKSKeyOpDecrypt finished with unexpected result");
385 require(status == expectedAksResult, out);
386
387 result = true;
388
389 out:
390 CFReleaseSafe(bulkKeyUnwrapped);
391 CFReleaseSafe(bulkKeyWrapped);
392 CFReleaseSafe(auth_data);
393 CFReleaseSafe(auth_attribs);
394
395 return result;
396 }
397
398 static bool merge_der_in_to_data(const void *der1, size_t der1_len, const void *der2, size_t der2_len, CFMutableDataRef mergedData)
399 {
400 bool result = false;
401 CFPropertyListRef dict1 = NULL;
402 CFPropertyListRef dict2 = NULL;
403
404 der_decode_plist(NULL, kCFPropertyListImmutable, &dict1, NULL, der1, der1 + der1_len);
405 der_decode_plist(NULL, kCFPropertyListImmutable, &dict2, NULL, der2, der2 + der2_len);
406 if (dict1 && dict2) {
407 CFMutableDictionaryRef result_dict = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, dict1);
408 CFDictionaryForEach(dict2, ^(const void *key, const void *value) {
409 CFDictionaryAddValue(result_dict, key, value);
410 });
411
412 CFDataSetLength(mergedData, 0);
413 CFDataRef der_data = CFPropertyListCreateDERData(kCFAllocatorDefault, result_dict, NULL);
414 if (der_data) {
415 CFDataAppend(mergedData, der_data);
416 CFRelease(der_data);
417 result = CFDataGetLength(mergedData) > 0;
418 }
419 CFRelease(result_dict);
420 }
421
422 CFReleaseSafe(dict1);
423 CFReleaseSafe(dict2);
424 return result;
425 }
426
427 static int aks_crypt_acl(CFTypeRef operation, keybag_handle_t keybag,
428 keyclass_t keyclass, uint32_t textLength, const uint8_t *source,
429 CFMutableDataRef dest, CFDataRef auth_data, CFDataRef acm_context, CFDataRef caller_access_groups)
430 {
431 int aks_return = kAKSReturnSuccess;
432 void *params = NULL, *der = NULL;
433 const uint8_t *access_groups = caller_access_groups?CFDataGetBytePtr(caller_access_groups):NULL;
434 size_t params_len = 0, der_len = 0, access_groups_len = caller_access_groups?CFDataGetLength(caller_access_groups):0;
435 aks_ref_key_t key_handle = NULL;
436
437 if (CFEqual(operation, kAKSKeyOpEncrypt)) {
438 aks_operation_optional_params(0, 0, CFDataGetBytePtr(auth_data), CFDataGetLength(auth_data),
439 CFDataGetBytePtr(acm_context), (int)CFDataGetLength(acm_context), &params, &params_len);
440
441 require_noerr_quiet(aks_return = aks_ref_key_create(keybag, keyclass, key_type_sym, params, params_len, &key_handle), out);
442 require_noerr_quiet(aks_return = aks_ref_key_encrypt(key_handle, params, params_len, source, textLength, &der, &der_len), out);
443 size_t key_blob_len;
444 const void *key_blob = aks_ref_key_get_blob(key_handle, &key_blob_len);
445 require_action_string(key_blob, out, aks_return = kAKSReturnError, "aks_ref_key_get_blob failed");
446 require_action_string(merge_der_in_to_data(der, der_len, key_blob, key_blob_len, dest), out, aks_return = kAKSReturnError, "merge_der_in_to_data failed");
447
448 } else if (CFEqual(operation, kAKSKeyOpDecrypt)) {
449 aks_operation_optional_params(access_groups, access_groups_len, 0, 0,
450 CFDataGetBytePtr(acm_context), (int)CFDataGetLength(acm_context), (void**)&params, &params_len);
451 require_noerr_quiet(aks_return = aks_ref_key_create_with_blob(keybag, source, textLength, &key_handle), out);
452 require_noerr_quiet(aks_return = aks_ref_key_decrypt(key_handle, params, params_len, source, textLength, &der, &der_len), out);
453 require_action_string(der, out, aks_return = kAKSReturnError, "aks_ref_key_decrypt failed");
454
455 CFPropertyListRef decoded_data = NULL;
456 der_decode_plist(kCFAllocatorDefault, kCFPropertyListImmutable, &decoded_data, NULL, der, der + der_len);
457 require_action_string(decoded_data, out, aks_return = kAKSReturnError, "der_decode_plist failed");
458 if (CFGetTypeID(decoded_data) == CFDataGetTypeID()) {
459 CFDataSetLength(dest, 0);
460 CFDataAppend(dest, decoded_data);
461 CFRelease(decoded_data);
462 }
463 else {
464 CFRelease(decoded_data);
465 require_action_string(false, out, aks_return = kAKSReturnError, "wrong decoded data type");
466 }
467 }
468
469 out:
470 if (key_handle) {
471 aks_ref_key_free(&key_handle);
472 }
473 if (params) {
474 free(params);
475 }
476 if (der) {
477 free(der);
478 }
479 return aks_return;
480 }
481
482 static CFDataRef kc_create_auth_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes)
483 {
484 CFDictionaryRef constraints = SecAccessControlGetConstraints(access_control);
485 CFMutableDictionaryRef auth_data = CFDictionaryCreateMutableCopy(NULL, 0, auth_attributes);
486 CFDictionarySetValue(auth_data, kAKSKeyAcl, constraints);
487 CFDataRef encoded = CFPropertyListCreateDERData(kCFAllocatorDefault, auth_data, NULL);
488 CFReleaseSafe(auth_data);
489 return encoded;
490 }
491
492 static CFDataRef kc_copy_constraints_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes)
493 {
494 CFDictionaryRef constraints = SecAccessControlGetConstraints(access_control);
495 CFMutableDictionaryRef auth_data = CFDictionaryCreateMutableCopy(NULL, 0, constraints);
496 if (auth_attributes) {
497 CFDictionaryForEach(auth_attributes, ^(const void *key, const void *value) {
498 CFDictionaryAddValue(auth_data, key, value);
499 });
500 }
501
502 CFDataRef encoded = CFPropertyListCreateDERData(kCFAllocatorDefault, auth_data, NULL);
503 CFReleaseSafe(auth_data);
504 return encoded;
505 }
506
507 #endif
508
509 int si_77_SecAccessControl(int argc, char *const *argv)
510 {
511 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE
512 plan_tests(71);
513 #else
514 plan_tests(63);
515 #endif
516
517 tests();
518
519 return 0;
520 }
mirror of Security