]> git.saurik.com Git - apple/security.git/blob - SecurityServer/ssclient.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-54.tar.gz
[apple/security.git] / SecurityServer / ssclient.h
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // ssclient - SecurityServer client interface library
21 //
22 // This interface is private to the Security system. It is not a public interface,
23 // and it may change at any time. You have been warned.
24 //
25 #ifndef _H_SSCLIENT
26 #define _H_SSCLIENT
27
28
29 #include <Security/cssm.h>
30 #include <Security/utilities.h>
31 #include <Security/cssmalloc.h>
32 #include <Security/cssmacl.h>
33 #include <Security/context.h>
34 #include <Security/globalizer.h>
35 #include <Security/mach++.h>
36 #include <Security/cssmdb.h>
37 #include <Security/osxsigning.h>
38 #include <Security/Authorization.h>
39 #include <Security/AuthSession.h>
40
41
42 namespace Security {
43 namespace SecurityServer {
44
45 using MachPlusPlus::Port;
46 using MachPlusPlus::ReceivePort;
47
48
49 //
50 // Common data types
51 //
52 typedef CSSM_HANDLE KeyHandle;
53 typedef CSSM_HANDLE DbHandle;
54
55 static const CSSM_HANDLE noDb = 0;
56 static const CSSM_HANDLE noKey = 0;
57
58 struct KeyUID {
59 uint8 signature[20];
60 };
61
62 struct AuthorizationBlob {
63 uint32 data[2];
64
65 bool operator < (const AuthorizationBlob &other) const
66 { return memcmp(data, other.data, sizeof(data)) < 0; }
67
68 bool operator == (const AuthorizationBlob &other) const
69 { return memcmp(data, other.data, sizeof(data)) == 0; }
70
71 size_t hash() const { //@@@ revisit this hash
72 return data[0] ^ data[1] << 3;
73 }
74 };
75
76 enum AclKind { dbAcl, keyAcl, loginAcl };
77
78
79 //
80 // Database parameter structure
81 //
82 class DBParameters {
83 public:
84 uint32 idleTimeout; // seconds idle timout lock
85 uint8 lockOnSleep; // lock keychain when system sleeps
86 };
87
88
89 //
90 // A client connection (session)
91 //
92 class ClientSession {
93 NOCOPY(ClientSession)
94 public:
95 ClientSession(CssmAllocator &standard, CssmAllocator &returning);
96 virtual ~ClientSession();
97
98 CssmAllocator &internalAllocator;
99 CssmAllocator &returnAllocator;
100
101 public:
102 typedef CSSM_DB_ACCESS_TYPE DBAccessType;
103
104 typedef uint32 NotifyEvent;
105 typedef uint32 NotifyEvents;
106 enum {
107 allEvents = uint32(-1)
108 };
109
110 typedef uint32 NotifyDomain;
111 enum {
112 databaseNotifications = 1
113 };
114
115 public:
116 void activate();
117 void terminate();
118
119 public:
120 // database sessions
121 DbHandle createDb(const DLDbIdentifier &dbId,
122 const AccessCredentials *cred, const AclEntryInput *owner,
123 const DBParameters &params);
124 DbHandle decodeDb(const DLDbIdentifier &dbId,
125 const AccessCredentials *cred, const CssmData &blob);
126 void encodeDb(DbHandle db, CssmData &blob, CssmAllocator &alloc);
127 void encodeDb(DbHandle db, CssmData &blob) { return encodeDb(db, blob, returnAllocator); }
128 void releaseDb(DbHandle db);
129 void authenticateDb(DbHandle db, DBAccessType type, const AccessCredentials *cred);
130 void setDbParameters(DbHandle db, const DBParameters &params);
131 void getDbParameters(DbHandle db, DBParameters &params);
132 void changePassphrase(DbHandle db, const AccessCredentials *cred);
133 void lock(DbHandle db);
134 void unlock(DbHandle db);
135 void unlock(DbHandle db, const CssmData &passPhrase);
136 bool isLocked(DbHandle db);
137
138 // key objects
139 void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid, CssmAllocator &alloc);
140 void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid = NULL)
141 { return encodeKey(key, blob, uid, returnAllocator); }
142 KeyHandle decodeKey(DbHandle db, const CssmData &blob, CssmKey::Header &header);
143 void releaseKey(KeyHandle key);
144
145 CssmKeySize queryKeySizeInBits(KeyHandle key);
146 uint32 getOutputSize(const Context &context, KeyHandle key,
147 uint32 inputSize, bool encrypt = true);
148
149 public:
150 // key wrapping and unwrapping
151 void wrapKey(const Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
152 const AccessCredentials *cred,
153 const CssmData *descriptiveData, CssmWrappedKey &wrappedKey, CssmAllocator &alloc);
154 void wrapKey(const Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
155 const AccessCredentials *cred,
156 const CssmData *descriptiveData, CssmWrappedKey &wrappedKey)
157 { return wrapKey(context, key, keyToBeWrapped, cred,
158 descriptiveData, wrappedKey, returnAllocator); }
159
160 void unwrapKey(DbHandle db, const Context &context, KeyHandle key, KeyHandle publicKey,
161 const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
162 const AccessCredentials *cred, const AclEntryInput *owner,
163 CssmData &data, KeyHandle &newKey, CssmKey::Header &newKeyHeader, CssmAllocator &alloc);
164 void unwrapKey(DbHandle db, const Context &context, KeyHandle key, KeyHandle publicKey,
165 const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
166 const AccessCredentials *cred, const AclEntryInput *owner, CssmData &data,
167 KeyHandle &newKey, CssmKey::Header &newKeyHeader)
168 { return unwrapKey(db, context, key, publicKey, wrappedKey, keyUsage, keyAttr,
169 cred, owner, data, newKey, newKeyHeader, returnAllocator); }
170
171 // key generation and derivation
172 void generateKey(DbHandle db, const Context &context, uint32 keyUsage, uint32 keyAttr,
173 const AccessCredentials *cred, const AclEntryInput *owner,
174 KeyHandle &newKey, CssmKey::Header &newHeader);
175 void generateKey(DbHandle db, const Context &context,
176 uint32 pubKeyUsage, uint32 pubKeyAttr,
177 uint32 privKeyUsage, uint32 privKeyAttr,
178 const AccessCredentials *cred, const AclEntryInput *owner,
179 KeyHandle &pubKey, CssmKey::Header &pubHeader,
180 KeyHandle &privKey, CssmKey::Header &privHeader);
181 void deriveKey(DbHandle db, const Context &context, KeyHandle baseKey,
182 uint32 keyUsage, uint32 keyAttr, CssmData &param,
183 const AccessCredentials *cred, const AclEntryInput *owner,
184 KeyHandle &newKey, CssmKey::Header &newHeader, CssmAllocator &alloc);
185 void deriveKey(DbHandle db, const Context &context, KeyHandle baseKey,
186 uint32 keyUsage, uint32 keyAttr, CssmData &param,
187 const AccessCredentials *cred, const AclEntryInput *owner,
188 KeyHandle &newKey, CssmKey::Header &newHeader)
189 { return deriveKey(db, context, baseKey, keyUsage, keyAttr, param, cred, owner, newKey, newHeader, returnAllocator); }
190 //void generateAlgorithmParameters(); // not implemented
191
192 void generateRandom(CssmData &data);
193
194 // encrypt/decrypt
195 void encrypt(const Context &context, KeyHandle key,
196 const CssmData &in, CssmData &out, CssmAllocator &alloc);
197 void encrypt(const Context &context, KeyHandle key, const CssmData &in, CssmData &out)
198 { return encrypt(context, key, in, out, returnAllocator); }
199 void decrypt(const Context &context, KeyHandle key,
200 const CssmData &in, CssmData &out, CssmAllocator &alloc);
201 void decrypt(const Context &context, KeyHandle key, const CssmData &in, CssmData &out)
202 { return decrypt(context, key, in, out, returnAllocator); }
203
204 // signatures
205 void generateSignature(const Context &context, KeyHandle key,
206 const CssmData &data, CssmData &signature, CssmAllocator &alloc,
207 CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE);
208 void generateSignature(const Context &context, KeyHandle key,
209 const CssmData &data, CssmData &signature, CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE)
210 { return generateSignature(context, key, data, signature, returnAllocator, signOnlyAlgorithm); }
211 void verifySignature(const Context &context, KeyHandle key,
212 const CssmData &data, const CssmData &signature,
213 CSSM_ALGORITHMS verifyOnlyAlgorithm = CSSM_ALGID_NONE);
214
215 // MACs
216 void generateMac(const Context &context, KeyHandle key,
217 const CssmData &data, CssmData &mac, CssmAllocator &alloc);
218 void generateMac(const Context &context, KeyHandle key,
219 const CssmData &data, CssmData &mac)
220 { return generateMac(context, key, data, mac, returnAllocator); }
221 void verifyMac(const Context &context, KeyHandle key,
222 const CssmData &data, const CssmData &mac);
223
224 // key ACL management
225 void getKeyAcl(KeyHandle key, const char *tag,
226 uint32 &count, AclEntryInfo * &info, CssmAllocator &alloc);
227 void getKeyAcl(KeyHandle key, const char *tag,
228 uint32 &count, AclEntryInfo * &info)
229 { return getKeyAcl(key, tag, count, info, returnAllocator); }
230 void changeKeyAcl(KeyHandle key, const AccessCredentials &cred, const AclEdit &edit);
231 void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner, CssmAllocator &alloc);
232 void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner)
233 { return getKeyOwner(key, owner, returnAllocator); }
234 void changeKeyOwner(KeyHandle key, const AccessCredentials &cred,
235 const AclOwnerPrototype &edit);
236
237 // database ACL management
238 void getDbAcl(DbHandle db, const char *tag,
239 uint32 &count, AclEntryInfo * &info, CssmAllocator &alloc);
240 void getDbAcl(DbHandle db, const char *tag,
241 uint32 &count, AclEntryInfo * &info)
242 { return getDbAcl(db, tag, count, info, returnAllocator); }
243 void changeDbAcl(DbHandle db, const AccessCredentials &cred, const AclEdit &edit);
244 void getDbOwner(DbHandle db, AclOwnerPrototype &owner, CssmAllocator &alloc);
245 void getDbOwner(DbHandle db, AclOwnerPrototype &owner)
246 { return getDbOwner(db, owner, returnAllocator); }
247 void changeDbOwner(DbHandle db, const AccessCredentials &cred,
248 const AclOwnerPrototype &edit);
249
250 public:
251 // Authorization API support
252 void authCreate(const AuthorizationItemSet *rights, const AuthorizationItemSet *environment,
253 AuthorizationFlags flags,AuthorizationBlob &result);
254 void authRelease(const AuthorizationBlob &auth, AuthorizationFlags flags);
255 void authCopyRights(const AuthorizationBlob &auth,
256 const AuthorizationItemSet *rights, const AuthorizationItemSet *environment,
257 AuthorizationFlags flags, AuthorizationItemSet **result);
258 void authCopyInfo(const AuthorizationBlob &auth, const char *tag, AuthorizationItemSet * &info);
259 void authExternalize(const AuthorizationBlob &auth, AuthorizationExternalForm &extForm);
260 void authInternalize(const AuthorizationExternalForm &extForm, AuthorizationBlob &auth);
261
262 public:
263 // Session API support
264 void getSessionInfo(SecuritySessionId &sessionId, SessionAttributeBits &attrs);
265 void setupSession(SessionCreationFlags flags, SessionAttributeBits attrs);
266
267 public:
268 // Notification core support
269 void requestNotification(Port receiver, NotifyDomain domain, NotifyEvents events);
270 void stopNotification(Port receiver);
271 void postNotification(NotifyDomain domain, NotifyEvent event, const CssmData &data);
272
273 typedef OSStatus ConsumeNotification(NotifyDomain domain, NotifyEvent event,
274 const void *data, size_t dataLength, void *context);
275 OSStatus dispatchNotification(const mach_msg_header_t *message,
276 ConsumeNotification *consumer, void *context);
277
278 private:
279 void getAcl(AclKind kind, KeyHandle key, const char *tag,
280 uint32 &count, AclEntryInfo * &info, CssmAllocator &alloc);
281 void changeAcl(AclKind kind, KeyHandle key,
282 const AccessCredentials &cred, const AclEdit &edit);
283 void getOwner(AclKind kind, KeyHandle key, AclOwnerPrototype &owner, CssmAllocator &alloc);
284 void changeOwner(AclKind kind, KeyHandle key, const AccessCredentials &cred,
285 const AclOwnerPrototype &edit);
286
287 private:
288 struct Thread {
289 Thread() : registered(false) { }
290 operator bool() const { return registered; }
291
292 ReceivePort replyPort; // dedicated reply port (send right held by SecurityServer)
293 bool registered; // has been registered with SecurityServer
294 };
295
296 struct Global {
297 Global();
298 Port serverPort;
299 RefPointer<CodeSigning::OSXCode> myself;
300 ThreadNexus<Thread> thread;
301 };
302
303 static ModuleNexus<Global> mGlobal;
304 static bool mSetupSession;
305 };
306
307
308 } // end namespace SecurityServer
309 } // end namespace Security
310
311
312 #endif //_H_SSCLIENT
mirror of Security