2 // ucsp.defs - Mach RPC interface between SecurityServer and its clients
4 #include <mach/std_types.defs>
5 #include <mach/mach_types.defs>
// MIG name prefixes: generated server-side handler names begin with ucsp_server_,
// generated client-side stub names begin with ucsp_client_.
8 serverprefix ucsp_server_;
9 userprefix ucsp_client_;
11 import "securityserver.h";
12 import "ucsp_types.h";
// Data: variable-length byte array; its length is whatever the sender's message says.
// NOTE(review): receivers should treat both the length and the contents as untrusted input.
18 type Data = array [] of char;
// KeyHandle / DbHandle: 32-bit values that name a key or a database in routine arguments.
// NOTE(review): presumably server-issued identifiers; the server should look each one up
// and confirm it belongs to the calling client rather than trust the number - confirm.
20 type KeyHandle = unsigned32;
24 type DbHandle = unsigned32;
// Blob/Ptr pairs. Each <T>Blob is a Data byte array whose C-side type (ctype) is <T>Ptr,
// and each <T>Ptr is declared as a 32-bit scalar. The IN_BLOB/OUT_BLOB macros send one of
// each (name, name##Base).
// NOTE(review): presumably the Ptr value is the sender's base address of the blob, used by
// the receiver to relocate pointers embedded in it - confirm. If so, every embedded pointer
// must be bounds-checked against the received blob length after relocation.
// NOTE(review): pointers travel as unsigned32, which assumes 32-bit addresses on both
// sides - TODO confirm.
28 type AclEntryPrototypeBlob = Data
29 ctype: AclEntryPrototypePtr;
30 type AclEntryPrototypePtr = unsigned32;
32 type AclEntryInfoBlob = Data
33 ctype: AclEntryInfoPtr;
34 type AclEntryInfoPtr = unsigned32;
36 type AclEntryInputBlob = Data
37 ctype: AclEntryInputPtr;
38 type AclEntryInputPtr = unsigned32;
40 type AclOwnerPrototypeBlob = Data
41 ctype: AclOwnerPrototypePtr;
42 type AclOwnerPrototypePtr = unsigned32;
44 type AccessCredentialsBlob = Data
45 ctype: AccessCredentialsPtr;
46 type AccessCredentialsPtr = unsigned32;
// NOTE(review): the next declaration has no ctype clause and no terminating ';' in this
// listing (the embedded numbering skips 49); a line appears to be missing here.
48 type DLDbIdentBlob = Data
50 type DLDbIdentPtr = unsigned32;
// VoidPtr: 32-bit scalar; IN_BLOB(paramInput,Void) in deriveKey expands to use it as the
// type of paramInputBase.
54 type VoidPtr = unsigned32;
// Fixed-size structures are declared as counts of 32-bit words.
// NOTE(review): these counts have to match the sizes of the corresponding C structures
// (presumably declared in the imported headers) - verify that something pins them, since a
// mismatch would corrupt marshalling of keys and contexts.
//
// Context: 9 words. intran names the function (inTrans) that the generated server code
// applies to the received value before the handler sees it.
// NOTE(review): the embedded numbering skips 57, so a clause of this declaration may be
// missing from the listing.
56 type Context = struct [9] of unsigned32
58 intran: Context inTrans(CSSM_CONTEXT);
// ContextAttributes: variable-length byte array; cservertype sets the C type used on the
// server side only.
59 type ContextAttributes = array [] of char
60 cservertype: ContextAttributesPointer;
// CssmKeyHeader: 23 words.
62 type CssmKeyHeader = struct [23] of unsigned32;
// CssmKey: 23+2 words, translated on the server by inTrans (incoming) and outTrans (outgoing).
// NOTE(review): presumably the 23-word header plus a 2-word data descriptor - confirm.
// The embedded numbering skips 65, so a clause may be missing from the listing.
64 type CssmKey = struct [23+2] of unsigned32
66 intran: CssmKey inTrans(CSSM_KEY)
67 outtran: CSSM_KEY outTrans(CssmKey);
// NOTE(review): the next declaration has no terminating ';' in this listing (numbering
// jumps from 69 to 72); one or more lines appear to be missing.
69 type CSSM_KEY_SIZE = struct [2] of unsigned32
// DBParameters: a single 32-bit word.
72 type DBParameters = struct [1] of unsigned32;
// AuthorizationItemSet travels as a Blob/Ptr pair like the ACL types: a Data byte array
// with C type AuthorizationItemSetPtr, plus a 32-bit scalar of that name.
74 type AuthorizationItemSetBlob = Data
75 ctype: AuthorizationItemSetPtr;
76 type AuthorizationItemSetPtr = unsigned32;
// Fixed-size opaque authorization references (sizes as stated in the trailing comments).
// NOTE(review): presumably possession of one of these values is what identifies an
// authorization to the server; if so they must be unguessable and checked on every call
// that accepts them - confirm in the server implementation.
78 type AuthorizationBlob = struct [2] of unsigned32; // 8 opaque bytes
79 type AuthorizationExternalForm = struct [8] of unsigned32; // 32 opaque bytes
// Variable-length C strings with a declared maximum (64+4 and 1024 bytes).
// NOTE(review): handlers should not assume more than the declared bound and should verify
// what the generated stub guarantees about NUL termination before using these as C strings.
81 type CssmString = c_string[*:64+4];
82 type AuthorizationString = c_string[*:1024];
// Scalar aliases: CSSM_RETURN is a signed 32-bit value, the rest are unsigned 32-bit values.
83 type CSSM_RETURN = int32;
84 type CSSM_ALGORITHMS = unsigned32;
85 type CSSM_ACL_EDIT_MODE = unsigned32;
86 type CSSM_ACL_HANDLE = unsigned32;
87 type AclKind = unsigned32;
88 type uint32 = unsigned32;
89 type SecuritySessionId = unsigned32;
90 type SessionAttributeBits = unsigned32;
91 type SessionCreationFlags = unsigned32;
// Pointer: 32-bit scalar, used by IN_CONTEXT as the type of contextBase.
93 type Pointer = unsigned32;
// ExecutablePath: variable-length C string, at most 2048 bytes; passed to setup/setupNew.
95 type ExecutablePath = c_string[*:2048];
99 // Common argument profiles
// UCSP_PORTS: leading arguments shared by every routine in this file.
//   sport          - request port the message is sent to.
//   rport          - reply port.
//   sourceSecurity - declared serversectoken, so it is delivered to the server handler
//                    from the message trailer rather than marshalled by the client.
//   rcode          - CSSM_RETURN result returned to the client as an out argument.
// NOTE(review): a security_token_t carries user/group identity only; it does not identify
// the calling process. Confirm what the server uses for per-process decisions (the tport
// argument of setup, or an audit token) before relying on sourceSecurity alone.
101 #define UCSP_PORTS requestport sport: mach_port_t; \
102 replyport rport: mach_port_make_send_t; \
103 serversectoken sourceSecurity: security_token_t; \
104 out rcode: CSSM_RETURN
// IN_CONTEXT: a Context struct, a 32-bit contextBase, and the variable-length attribute bytes.
// NOTE(review): presumably contextBase is the client-side address used to relocate the
// attribute pointers inside attrs - confirm; relocated pointers need bounds checks.
105 #define IN_CONTEXT in context: Context; in contextBase: Pointer; in attrs: ContextAttributes
// IN_BLOB / OUT_BLOB: expand to a <type>Blob argument called name plus a <type>Ptr argument
// called name##Base, as in or out arguments respectively.
106 #define IN_BLOB(name,type) in name: type##Blob; in name##Base: type##Ptr
107 #define OUT_BLOB(name,type) out name: type##Blob; out name##Base: type##Ptr
111 // Management and administrative functions
// setup / setupNew: the client passes a port (tport) and a path string; setupNew also
// returns a new service port to the client. teardown takes only the common arguments.
// NOTE(review): executablePath is a string chosen by the client, so on its own it proves
// nothing about which binary is calling. Presumably tport is the caller's task port and
// the server uses it to verify the caller - confirm in the server implementation.
113 routine setup(UCSP_PORTS; in tport: mach_port_t; in executablePath: ExecutablePath);
114 routine setupNew(UCSP_PORTS; in tport: mach_port_t; in executablePath: ExecutablePath;
115 out newServicePort: mach_port_make_send_t);
116 routine teardown(UCSP_PORTS);
120 // Database management
// createDb and decodeDb return a DbHandle; the remaining routines take one as input.
// NOTE(review): DbBlob is used below but is not declared in the visible part of this
// listing - presumably declared on one of the omitted lines.
// NOTE(review): lockDb, unlockDb, releaseDb, isLocked and the parameter routines carry no
// credentials argument, so whatever access check applies has to come from the handle and
// the caller's identity on the server side - confirm.
122 routine createDb(UCSP_PORTS; out db: DbHandle; IN_BLOB(ident,DLDbIdent);
123 IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype);
124 in params: DBParameters);
125 routine decodeDb(UCSP_PORTS; out db: DbHandle; IN_BLOB(ident,DLDbIdent);
126 IN_BLOB(accessCredentials,AccessCredentials); in blob: DbBlob);
127 routine encodeDb(UCSP_PORTS; in db: DbHandle; out blob: DbBlob);
128 routine releaseDb(UCSP_PORTS; in db: DbHandle);
129 routine authenticateDb(UCSP_PORTS; in db: DbHandle; IN_BLOB(accessCredentials,AccessCredentials));
130 routine setDbParameters(UCSP_PORTS; in db: DbHandle; in params: DBParameters);
131 routine getDbParameters(UCSP_PORTS; in db: DbHandle; out params: DBParameters);
132 routine changePassphrase(UCSP_PORTS; in db: DbHandle;
133 IN_BLOB(accessCredentials,AccessCredentials));
134 routine lockDb(UCSP_PORTS; in db: DbHandle);
135 routine unlockDb(UCSP_PORTS; in db: DbHandle);
// NOTE(review): the passphrase crosses the IPC boundary as plain Data bytes in a message
// buffer; both sides should clear their copies once the call completes - confirm.
136 routine unlockDbWithPassphrase(UCSP_PORTS; in db: DbHandle; in passPhrase: Data);
137 routine isLocked(UCSP_PORTS; in db: DbHandle; out locked: boolean_t);
// Key handle routines: encodeKey turns a handle into a KeyBlob (optionally with a uid),
// decodeKey turns a KeyBlob plus a DbHandle into a new handle and header, releaseKey
// takes a handle as its only argument.
// NOTE(review): KeyBlob is used below but is not declared in the visible part of this
// listing - presumably declared on one of the omitted lines.
143 routine encodeKey(UCSP_PORTS; in key: KeyHandle; out blob: KeyBlob;
144 in wantUid: boolean_t; out uid: Data);
145 routine decodeKey(UCSP_PORTS; out key: KeyHandle; out header: CssmKeyHeader;
146 in db: DbHandle; in blob: KeyBlob);
147 routine releaseKey(UCSP_PORTS; in key: KeyHandle);
// Size queries for a key and for the output of an operation described by the context.
149 routine queryKeySizeInBits(UCSP_PORTS; in key: KeyHandle; out length: CSSM_KEY_SIZE);
150 routine getOutputSize(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
151 in inputSize: uint32; in encrypt: boolean_t; out outputSize: uint32);
// NOTE(review): the requested byte count is chosen by the client; the server should cap it
// so a single request cannot force a very large allocation - confirm a limit exists.
156 routine generateRandom(UCSP_PORTS; in bytes: uint32; out data: Data);
160 // Cryptographic operations
// Each routine takes the operation context (IN_CONTEXT) and refers to keys by KeyHandle;
// sign, MAC, encrypt and decrypt move only the data and the result across the interface.
162 routine generateSignature(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
163 in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; out signature: Data);
// verifySignature and verifyMac have no out argument besides rcode.
// NOTE(review): presumably the verification outcome is reported through rcode; callers
// must check rcode and not treat a successful message round trip as "verified" - confirm.
164 routine verifySignature(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
165 in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; in signature: Data);
166 routine generateMac(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
167 in data: Data; out signature: Data);
168 routine verifyMac(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
169 in data: Data; in signature: Data);
171 routine encrypt(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in clear: Data; out cipher: Data);
172 routine decrypt(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in cipher: Data; out clear: Data);
// Key creation: the caller supplies credentials and an ACL entry prototype together with
// usage/attribute words, and receives a KeyHandle and a CssmKeyHeader for each new key.
// NOTE(review): the usage and attribute words are caller-chosen; the server should
// validate them rather than store them as given - confirm.
174 routine generateKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT;
175 IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype);
176 in keyUsage: uint32; in keyAttrs: uint32; out key: KeyHandle; out header: CssmKeyHeader);
177 routine generateKeyPair(UCSP_PORTS; in db: DbHandle; IN_CONTEXT;
178 IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype);
179 in pubUsage: uint32; in pubAttrs: uint32; in privUsage: uint32; in privAttrs: uint32;
180 out pubKey: KeyHandle; out pubHeader: CssmKeyHeader;
181 out privKey: KeyHandle; out privHeader: CssmKeyHeader);
// NOTE(review): IN_BLOB(paramInput,Void) expands to VoidBlob/VoidPtr; VoidBlob is not
// declared in the visible part of this listing. The parameter is an untyped blob, so the
// server must interpret and bounds-check it per derivation algorithm - confirm.
182 routine deriveKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT; in baseKey: KeyHandle;
183 IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype);
184 IN_BLOB(paramInput,Void); out paramOutput: Data;
185 in keyUsage: uint32; in keyAttrs: uint32; out key: KeyHandle; out header: CssmKeyHeader);
// wrapKey returns a CssmKey structure and its data; unwrapKey accepts both from the client.
// NOTE(review): the wrappedKey structure and wrappedKeyData passed to unwrapKey are
// client-controlled; header fields and lengths need validation before use - confirm.
187 routine wrapKey(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
188 IN_BLOB(accessCredentials,AccessCredentials); in keyToBeWrapped: KeyHandle;
189 in data: Data; out wrappedKey: CssmKey; out wrappedKeyData: Data);
190 routine unwrapKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT; in key: KeyHandle;
191 IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype);
192 in publicKey: KeyHandle; in wrappedKey: CssmKey; in wrappedKeyData: Data;
193 in usage: uint32; in attributes: uint32; out data: Data;
194 out resultKey: KeyHandle; out header: CssmKeyHeader);
// ACL and owner routines. Each takes an AclKind and a handle typed KeyHandle.
// NOTE(review): presumably kind selects what sort of object the handle names - confirm.
// The modifying routines (setOwner, changeAcl) take accessCredentials; the reading
// routines (getOwner, getAcl) do not, so ACL contents are returned to any caller holding
// a valid handle unless the server restricts it - confirm the intended policy.
200 routine getOwner(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
201 out proto: AclOwnerPrototypeBlob; out protoBase: AclOwnerPrototypePtr);
202 routine setOwner(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
203 IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclOwnerPrototype,AclOwnerPrototype));
204 routine getAcl(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
205 in haveTag: boolean_t; in tag: CssmString;
206 out count: uint32; out acls: AclEntryInfoBlob; out aclsBase: AclEntryInfoPtr);
207 routine changeAcl(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
208 IN_BLOB(accessCredentials,AccessCredentials);
209 in mode: CSSM_ACL_EDIT_MODE; in handle: CSSM_ACL_HANDLE;
210 IN_BLOB(aclEntryInput,AclEntryInput));
214 // Authorization subsystem
// Routines create, release, query and convert authorizations, which are referred to by
// the 8-byte AuthorizationBlob.
// NOTE(review): this listing omits lines inside two declarations: authorizationCreate
// (numbering skips 217) and authorizationRelease (numbering skips 222-223, leaving the
// argument list unclosed). Consult the full file before relying on these signatures.
216 routine authorizationCreate(UCSP_PORTS; IN_BLOB(rights,AuthorizationItemSet);
218 IN_BLOB(environment,AuthorizationItemSet);
219 out authorization: AuthorizationBlob);
221 routine authorizationRelease(UCSP_PORTS; in authorization: AuthorizationBlob;
// The rights and environment item sets are client-supplied blobs; the result comes back
// as an OUT_BLOB.
224 routine authorizationCopyRights(UCSP_PORTS; in authorization: AuthorizationBlob;
225 IN_BLOB(rights,AuthorizationItemSet); in flags: uint32;
226 IN_BLOB(environment,AuthorizationItemSet);
227 OUT_BLOB(result,AuthorizationItemSet));
229 routine authorizationCopyInfo(UCSP_PORTS; in authorization: AuthorizationBlob;
230 in tag: AuthorizationString;
231 OUT_BLOB(info,AuthorizationItemSet));
// Externalize converts an AuthorizationBlob into the 32-byte external form; internalize
// converts an external form back into an AuthorizationBlob.
// NOTE(review): presumably any client that presents a valid external form obtains the
// authorization, so the external form should be handled as a secret and the server should
// decide which authorizations may be externalized at all - confirm.
233 routine authorizationExternalize(UCSP_PORTS; in authorization: AuthorizationBlob;
234 out form: AuthorizationExternalForm);
236 routine authorizationInternalize(UCSP_PORTS; in form: AuthorizationExternalForm;
237 out authorization: AuthorizationBlob);
241 // Session management subsystem
// getSessionInfo: sessionId is inout, so the caller supplies an id and receives one back,
// together with the session's attribute bits.
// NOTE(review): the caller chooses the id it asks about; confirm what the server reveals
// about sessions other than the caller's own.
243 routine getSessionInfo(UCSP_PORTS; inout sessionId: SecuritySessionId;
244 out attrs: SessionAttributeBits);
// setupSession: the caller supplies creation flags and attribute bits.
// NOTE(review): both words are caller-chosen; confirm the server limits which attributes a
// client may set for its session.
246 routine setupSession(UCSP_PORTS; in flags: SessionCreationFlags; in attrs: SessionAttributeBits);
250 // Notification subsystem
// requestNotification registers a receiver port for a domain and an event word;
// stopNotification names the receiver port only.
252 routine requestNotification(UCSP_PORTS; in receiver: mach_port_t; in domain: uint32; in events: uint32);
253 routine stopNotification(UCSP_PORTS; in receiver: mach_port_t);
// NOTE(review): postNotification takes a caller-chosen domain, event and data and no
// credentials argument, so any restriction on who may post, and any size limit on data,
// has to be enforced by the server from the caller's identity - confirm. Receivers should
// treat notification payloads as untrusted.
254 routine postNotification(UCSP_PORTS; in domain: uint32; in event: uint32; in data: Data);