2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
20 // ssclient - SecurityServer client interface library
22 // This interface is private to the Security system. It is not a public interface,
23 // and it may change at any time. You have been warned.
29 #include <Security/cssm.h>
30 #include <Security/utilities.h>
31 #include <Security/cssmalloc.h>
32 #include <Security/cssmacl.h>
33 #include <Security/context.h>
34 #include <Security/globalizer.h>
35 #include <Security/mach++.h>
36 #include <Security/cssmdb.h>
37 #include <Security/osxsigning.h>
38 #include <Security/Authorization.h>
39 #include <Security/AuthSession.h>
43 namespace SecurityServer
{
45 using MachPlusPlus::Port
;
46 using MachPlusPlus::ReceivePort
;
52 typedef CSSM_HANDLE KeyHandle
;
53 typedef CSSM_HANDLE DbHandle
;
55 static const CSSM_HANDLE noDb
= 0;
56 static const CSSM_HANDLE noKey
= 0;
62 struct AuthorizationBlob
{
65 bool operator < (const AuthorizationBlob
&other
) const
66 { return memcmp(data
, other
.data
, sizeof(data
)) < 0; }
68 bool operator == (const AuthorizationBlob
&other
) const
69 { return memcmp(data
, other
.data
, sizeof(data
)) == 0; }
71 size_t hash() const { //@@@ revisit this hash
72 return data
[0] ^ data
[1] << 3;
76 enum AclKind
{ dbAcl
, keyAcl
, loginAcl
};
80 // Database parameter structure
84 uint32 idleTimeout
; // seconds idle timout lock
85 uint8 lockOnSleep
; // lock keychain when system sleeps
90 // A client connection (session)
95 ClientSession(CssmAllocator
&standard
, CssmAllocator
&returning
);
96 virtual ~ClientSession();
98 CssmAllocator
&internalAllocator
;
99 CssmAllocator
&returnAllocator
;
102 typedef CSSM_DB_ACCESS_TYPE DBAccessType
;
104 typedef uint32 NotifyEvent
;
105 typedef uint32 NotifyEvents
;
107 allEvents
= uint32(-1)
110 typedef uint32 NotifyDomain
;
112 databaseNotifications
= 1
121 DbHandle
createDb(const DLDbIdentifier
&dbId
,
122 const AccessCredentials
*cred
, const AclEntryInput
*owner
,
123 const DBParameters
¶ms
);
124 DbHandle
decodeDb(const DLDbIdentifier
&dbId
,
125 const AccessCredentials
*cred
, const CssmData
&blob
);
126 void encodeDb(DbHandle db
, CssmData
&blob
, CssmAllocator
&alloc
);
127 void encodeDb(DbHandle db
, CssmData
&blob
) { return encodeDb(db
, blob
, returnAllocator
); }
128 void releaseDb(DbHandle db
);
129 void authenticateDb(DbHandle db
, DBAccessType type
, const AccessCredentials
*cred
);
130 void setDbParameters(DbHandle db
, const DBParameters
¶ms
);
131 void getDbParameters(DbHandle db
, DBParameters
¶ms
);
132 void changePassphrase(DbHandle db
, const AccessCredentials
*cred
);
133 void lock(DbHandle db
);
134 void unlock(DbHandle db
);
135 void unlock(DbHandle db
, const CssmData
&passPhrase
);
136 bool isLocked(DbHandle db
);
139 void encodeKey(KeyHandle key
, CssmData
&blob
, KeyUID
*uid
, CssmAllocator
&alloc
);
140 void encodeKey(KeyHandle key
, CssmData
&blob
, KeyUID
*uid
= NULL
)
141 { return encodeKey(key
, blob
, uid
, returnAllocator
); }
142 KeyHandle
decodeKey(DbHandle db
, const CssmData
&blob
, CssmKey::Header
&header
);
143 void releaseKey(KeyHandle key
);
145 CssmKeySize
queryKeySizeInBits(KeyHandle key
);
146 uint32
getOutputSize(const Context
&context
, KeyHandle key
,
147 uint32 inputSize
, bool encrypt
= true);
150 // key wrapping and unwrapping
151 void wrapKey(const Context
&context
, KeyHandle key
, KeyHandle keyToBeWrapped
,
152 const AccessCredentials
*cred
,
153 const CssmData
*descriptiveData
, CssmWrappedKey
&wrappedKey
, CssmAllocator
&alloc
);
154 void wrapKey(const Context
&context
, KeyHandle key
, KeyHandle keyToBeWrapped
,
155 const AccessCredentials
*cred
,
156 const CssmData
*descriptiveData
, CssmWrappedKey
&wrappedKey
)
157 { return wrapKey(context
, key
, keyToBeWrapped
, cred
,
158 descriptiveData
, wrappedKey
, returnAllocator
); }
160 void unwrapKey(DbHandle db
, const Context
&context
, KeyHandle key
, KeyHandle publicKey
,
161 const CssmWrappedKey
&wrappedKey
, uint32 keyUsage
, uint32 keyAttr
,
162 const AccessCredentials
*cred
, const AclEntryInput
*owner
,
163 CssmData
&data
, KeyHandle
&newKey
, CssmKey::Header
&newKeyHeader
, CssmAllocator
&alloc
);
164 void unwrapKey(DbHandle db
, const Context
&context
, KeyHandle key
, KeyHandle publicKey
,
165 const CssmWrappedKey
&wrappedKey
, uint32 keyUsage
, uint32 keyAttr
,
166 const AccessCredentials
*cred
, const AclEntryInput
*owner
, CssmData
&data
,
167 KeyHandle
&newKey
, CssmKey::Header
&newKeyHeader
)
168 { return unwrapKey(db
, context
, key
, publicKey
, wrappedKey
, keyUsage
, keyAttr
,
169 cred
, owner
, data
, newKey
, newKeyHeader
, returnAllocator
); }
171 // key generation and derivation
172 void generateKey(DbHandle db
, const Context
&context
, uint32 keyUsage
, uint32 keyAttr
,
173 const AccessCredentials
*cred
, const AclEntryInput
*owner
,
174 KeyHandle
&newKey
, CssmKey::Header
&newHeader
);
175 void generateKey(DbHandle db
, const Context
&context
,
176 uint32 pubKeyUsage
, uint32 pubKeyAttr
,
177 uint32 privKeyUsage
, uint32 privKeyAttr
,
178 const AccessCredentials
*cred
, const AclEntryInput
*owner
,
179 KeyHandle
&pubKey
, CssmKey::Header
&pubHeader
,
180 KeyHandle
&privKey
, CssmKey::Header
&privHeader
);
181 void deriveKey(DbHandle db
, const Context
&context
, KeyHandle baseKey
,
182 uint32 keyUsage
, uint32 keyAttr
, CssmData
¶m
,
183 const AccessCredentials
*cred
, const AclEntryInput
*owner
,
184 KeyHandle
&newKey
, CssmKey::Header
&newHeader
, CssmAllocator
&alloc
);
185 void deriveKey(DbHandle db
, const Context
&context
, KeyHandle baseKey
,
186 uint32 keyUsage
, uint32 keyAttr
, CssmData
¶m
,
187 const AccessCredentials
*cred
, const AclEntryInput
*owner
,
188 KeyHandle
&newKey
, CssmKey::Header
&newHeader
)
189 { return deriveKey(db
, context
, baseKey
, keyUsage
, keyAttr
, param
, cred
, owner
, newKey
, newHeader
, returnAllocator
); }
190 //void generateAlgorithmParameters(); // not implemented
192 void generateRandom(CssmData
&data
);
195 void encrypt(const Context
&context
, KeyHandle key
,
196 const CssmData
&in
, CssmData
&out
, CssmAllocator
&alloc
);
197 void encrypt(const Context
&context
, KeyHandle key
, const CssmData
&in
, CssmData
&out
)
198 { return encrypt(context
, key
, in
, out
, returnAllocator
); }
199 void decrypt(const Context
&context
, KeyHandle key
,
200 const CssmData
&in
, CssmData
&out
, CssmAllocator
&alloc
);
201 void decrypt(const Context
&context
, KeyHandle key
, const CssmData
&in
, CssmData
&out
)
202 { return decrypt(context
, key
, in
, out
, returnAllocator
); }
205 void generateSignature(const Context
&context
, KeyHandle key
,
206 const CssmData
&data
, CssmData
&signature
, CssmAllocator
&alloc
,
207 CSSM_ALGORITHMS signOnlyAlgorithm
= CSSM_ALGID_NONE
);
208 void generateSignature(const Context
&context
, KeyHandle key
,
209 const CssmData
&data
, CssmData
&signature
, CSSM_ALGORITHMS signOnlyAlgorithm
= CSSM_ALGID_NONE
)
210 { return generateSignature(context
, key
, data
, signature
, returnAllocator
, signOnlyAlgorithm
); }
211 void verifySignature(const Context
&context
, KeyHandle key
,
212 const CssmData
&data
, const CssmData
&signature
,
213 CSSM_ALGORITHMS verifyOnlyAlgorithm
= CSSM_ALGID_NONE
);
216 void generateMac(const Context
&context
, KeyHandle key
,
217 const CssmData
&data
, CssmData
&mac
, CssmAllocator
&alloc
);
218 void generateMac(const Context
&context
, KeyHandle key
,
219 const CssmData
&data
, CssmData
&mac
)
220 { return generateMac(context
, key
, data
, mac
, returnAllocator
); }
221 void verifyMac(const Context
&context
, KeyHandle key
,
222 const CssmData
&data
, const CssmData
&mac
);
224 // key ACL management
225 void getKeyAcl(KeyHandle key
, const char *tag
,
226 uint32
&count
, AclEntryInfo
* &info
, CssmAllocator
&alloc
);
227 void getKeyAcl(KeyHandle key
, const char *tag
,
228 uint32
&count
, AclEntryInfo
* &info
)
229 { return getKeyAcl(key
, tag
, count
, info
, returnAllocator
); }
230 void changeKeyAcl(KeyHandle key
, const AccessCredentials
&cred
, const AclEdit
&edit
);
231 void getKeyOwner(KeyHandle key
, AclOwnerPrototype
&owner
, CssmAllocator
&alloc
);
232 void getKeyOwner(KeyHandle key
, AclOwnerPrototype
&owner
)
233 { return getKeyOwner(key
, owner
, returnAllocator
); }
234 void changeKeyOwner(KeyHandle key
, const AccessCredentials
&cred
,
235 const AclOwnerPrototype
&edit
);
237 // database ACL management
238 void getDbAcl(DbHandle db
, const char *tag
,
239 uint32
&count
, AclEntryInfo
* &info
, CssmAllocator
&alloc
);
240 void getDbAcl(DbHandle db
, const char *tag
,
241 uint32
&count
, AclEntryInfo
* &info
)
242 { return getDbAcl(db
, tag
, count
, info
, returnAllocator
); }
243 void changeDbAcl(DbHandle db
, const AccessCredentials
&cred
, const AclEdit
&edit
);
244 void getDbOwner(DbHandle db
, AclOwnerPrototype
&owner
, CssmAllocator
&alloc
);
245 void getDbOwner(DbHandle db
, AclOwnerPrototype
&owner
)
246 { return getDbOwner(db
, owner
, returnAllocator
); }
247 void changeDbOwner(DbHandle db
, const AccessCredentials
&cred
,
248 const AclOwnerPrototype
&edit
);
251 // Authorization API support
252 void authCreate(const AuthorizationItemSet
*rights
, const AuthorizationItemSet
*environment
,
253 AuthorizationFlags flags
,AuthorizationBlob
&result
);
254 void authRelease(const AuthorizationBlob
&auth
, AuthorizationFlags flags
);
255 void authCopyRights(const AuthorizationBlob
&auth
,
256 const AuthorizationItemSet
*rights
, const AuthorizationItemSet
*environment
,
257 AuthorizationFlags flags
, AuthorizationItemSet
**result
);
258 void authCopyInfo(const AuthorizationBlob
&auth
, const char *tag
, AuthorizationItemSet
* &info
);
259 void authExternalize(const AuthorizationBlob
&auth
, AuthorizationExternalForm
&extForm
);
260 void authInternalize(const AuthorizationExternalForm
&extForm
, AuthorizationBlob
&auth
);
263 // Session API support
264 void getSessionInfo(SecuritySessionId
&sessionId
, SessionAttributeBits
&attrs
);
265 void setupSession(SessionCreationFlags flags
, SessionAttributeBits attrs
);
268 // Notification core support
269 void requestNotification(Port receiver
, NotifyDomain domain
, NotifyEvents events
);
270 void stopNotification(Port receiver
);
271 void postNotification(NotifyDomain domain
, NotifyEvent event
, const CssmData
&data
);
273 typedef OSStatus
ConsumeNotification(NotifyDomain domain
, NotifyEvent event
,
274 const void *data
, size_t dataLength
, void *context
);
275 OSStatus
dispatchNotification(const mach_msg_header_t
*message
,
276 ConsumeNotification
*consumer
, void *context
);
279 void getAcl(AclKind kind
, KeyHandle key
, const char *tag
,
280 uint32
&count
, AclEntryInfo
* &info
, CssmAllocator
&alloc
);
281 void changeAcl(AclKind kind
, KeyHandle key
,
282 const AccessCredentials
&cred
, const AclEdit
&edit
);
283 void getOwner(AclKind kind
, KeyHandle key
, AclOwnerPrototype
&owner
, CssmAllocator
&alloc
);
284 void changeOwner(AclKind kind
, KeyHandle key
, const AccessCredentials
&cred
,
285 const AclOwnerPrototype
&edit
);
289 Thread() : registered(false) { }
290 operator bool() const { return registered
; }
292 ReceivePort replyPort
; // dedicated reply port (send right held by SecurityServer)
293 bool registered
; // has been registered with SecurityServer
299 RefPointer
<CodeSigning::OSXCode
> myself
;
300 ThreadNexus
<Thread
> thread
;
303 static ModuleNexus
<Global
> mGlobal
;
304 static bool mSetupSession
;
308 } // end namespace SecurityServer
309 } // end namespace Security