1 /*
2 * Copyright (c) 2007-2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 #ifndef _SECURITYD_CLIENT_H_
24 #define _SECURITYD_CLIENT_H_
25
26 #include <stdint.h>
27
28 #include <securityd/SecKeybagSupport.h>
29
30 #include <Security/SecTrust.h>
31 #include <Security/SecTask.h>
32 #ifndef MINIMIZE_INCLUDES
33 # include <Security/SecTrustStore.h>
34 #else
35 typedef struct __SecTrustStore *SecTrustStoreRef;
36 # ifndef _SECURITY_SECCERTIFICATE_H_
37 typedef struct __SecCertificate *SecCertificateRef;
38 # endif // _SECURITY_SECCERTIFICATE_H_
39 #endif // MINIMIZE_INCLUDES
40
41 #if TARGET_HAS_KEYSTORE
42 #include <libaks.h>
43 #endif
44
45 #include <CoreFoundation/CFArray.h>
46 #include <CoreFoundation/CFDictionary.h>
47 #include <CoreFoundation/CFError.h>
48
49 #include <Security/SecureObjectSync/SOSCloudCircle.h>
50 #include <Security/SecureObjectSync/SOSPeerInfo.h>
51 #include <Security/SecureObjectSync/SOSRing.h>
52
53 #include <xpc/xpc.h>
54 #include <CoreFoundation/CFXPCBridge.h>
55
56 #include <TargetConditionals.h>
57
#if TARGET_OS_OSX
// Mach/XPC service names this client connects to. On macOS, securityd and trustd are
// separate services, and a distinct "system" securityd instance has its own name.
#define kSecuritydXPCServiceName "com.apple.securityd.xpc"
#define kSecuritydSystemXPCServiceName "com.apple.securityd.system.xpc"
#define kTrustdAgentXPCServiceName "com.apple.trustd.agent"
#define kTrustdXPCServiceName "com.apple.trustd"
#else
// On other targets the trustd "agent" and daemon names resolve to the same service, and
// no separate system securityd name is defined (callers must not rely on it here).
#define kSecuritydXPCServiceName "com.apple.securityd"
#define kTrustdAgentXPCServiceName "com.apple.trustd"
#define kTrustdXPCServiceName "com.apple.trustd"
#endif // *** END TARGET_OS_OSX ***

// Sub-service names for securityd. NOTE(review): presumably sent under kSecXPCKeyEndpoint
// to pick the "general" vs. SOS endpoint — confirm against the client implementation.
#define kSecuritydGeneralServiceName "com.apple.securityd.general"
#define kSecuritydSOSServiceName "com.apple.securityd.sos"
71
72 //
73 // MARK: XPC Information.
74 //
75
// CFError domain used for errors produced by the XPC client layer itself.
extern CFStringRef sSecXPCErrorDomain;

// Keys of the xpc_object_t dictionaries exchanged with securityd/trustd.
// These strings are wire protocol: both the daemon and every client must agree on them,
// so renaming one is a protocol change, not a refactor. Several of them are declared a
// second time further down in this header (harmless in C, but worth merging).
extern const char *kSecXPCKeyOperation;     // carries an enum SecXPCOperation value (see below)
extern const char *kSecXPCKeyResult;        // reply payload
extern const char *kSecXPCKeyEndpoint;
extern const char *kSecXPCKeyError;         // reply error, consumed by securityd_message_no_error()
extern const char *kSecXPCKeyPeerInfoArray;
extern const char *kSecXPCKeyUserLabel;
extern const char *kSecXPCKeyBackup;
extern const char *kSecXPCKeyKeybag;
extern const char *kSecXPCKeyUserPassword;  // NOTE(review): secret material travels under this key;
                                            // keep it out of logs/diagnostics that dump request dictionaries
extern const char *kSecXPCKeyEMCSBackup;
extern const char *kSecXPCKeyDSID;
extern const char *kSecXPCKeyViewName;
extern const char *kSecXPCKeyViewActionCode;
extern const char *kSecXPCKeyNewPublicBackupKey;
extern const char *kSecXPCKeyRecoveryPublicKey;
extern const char *kSecXPCKeyIncludeV0;
extern const char *kSecXPCKeyEnabledViewsKey;
extern const char *kSecXPCKeyDisabledViewsKey;
extern const char *kSecXPCKeyEscrowLabel;
extern const char *kSecXPCKeyTriesLabel;
extern const char *kSecXPCKeyFileDescriptor;
extern const char *kSecXPCKeyAccessGroups;
extern const char *kSecXPCKeyClasses;
extern const char *kSecXPCKeyNormalizedIssuer;
extern const char *kSecXPCKeySerialNumber;
extern const char *kSecXPCKeyBackupKeybagIdentifier;
extern const char *kSecXPCKeyBackupKeybagPath;
105
106 //
107 // MARK: Dispatch macros
108 //
109
// Dispatch an operation either to an in-process implementation or over XPC.
//   sdp     - name of a function-pointer member of struct securityd (resp. struct trustd);
//             "sdp ## _id" must also be a member of enum SecXPCOperation, so the macro only
//             works for the members that have a matching *_id enum entry.
//   wrapper - the XPC client function, invoked as wrapper(<op id>, args...) when no in-process
//             implementation is installed.
// The in-process table (gSecurityd / gTrustd) wins whenever it is non-NULL and the slot is
// populated, i.e. installing that table bypasses the IPC boundary altogether — and, presumably,
// any per-connection checks the daemon performs. Only the daemon itself and test harnesses
// should install it; confirm against the call sites that assign gSecurityd/gTrustd.
#define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
#define TRUSTD_XPC(sdp, wrapper, ...) ((gTrustd && gTrustd->sdp) ? gTrustd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
112
113 //
114 // MARK: Object to XPC format conversion.
115 //
116
117
118 //
119 // MARK: XPC Interfaces
120 //
121
// Further XPC dictionary keys (same wire-protocol caveat as the first list above).
// NOTE(review): kSecXPCKeyOperation, kSecXPCKeyResult, kSecXPCKeyError, kSecXPCKeyPeerInfoArray,
// kSecXPCKeyUserLabel, kSecXPCKeyUserPassword, kSecXPCKeyDSID, kSecXPCKeyViewName,
// kSecXPCKeyViewActionCode, kSecXPCKeyEscrowLabel and kSecXPCKeyTriesLabel are re-declarations
// of names already declared earlier in this header. A repeated compatible extern declaration is
// legal C, but the two lists should be merged so there is a single source of truth.
extern const char *kSecXPCKeyOperation;
extern const char *kSecXPCKeyResult;
extern const char *kSecXPCKeyError;
extern const char *kSecXPCKeyPeerInfoArray;
extern const char *kSecXPCKeyPeerInfo;
extern const char *kSecXPCKeyUserLabel;
extern const char *kSecXPCKeyUserPassword;
extern const char *kSecXPCKeyDSID;
extern const char *kSecXPCLimitInMinutes;
extern const char *kSecXPCKeyQuery;
extern const char *kSecXPCKeyAttributesToUpdate;
extern const char *kSecXPCKeyDomain;
extern const char *kSecXPCKeyDigest;
extern const char *kSecXPCKeyCertificate;
extern const char *kSecXPCKeySettings;
extern const char *kSecXPCPublicPeerId; // Public peer id
extern const char *kSecXPCOTRSession; // OTR session bytes
extern const char *kSecXPCData; // Data to process
extern const char *kSecXPCOTRReady; // OTR ready for messages
extern const char *kSecXPCKeyDeviceID;
extern const char *kSecXPCKeyIDSMessage;
extern const char *kSecXPCKeyViewName;
extern const char *kSecXPCKeyViewActionCode;
extern const char *kSecXPCKeySendIDSMessage;
extern const char *kSecXPCKeyHSA2AutoAcceptInfo;
extern const char *kSecXPCKeyEscrowLabel;
extern const char *kSecXPCKeyTriesLabel;
extern const char *kSecXPCKeyString;
extern const char *kSecXPCKeyArray;
extern const char *kSecXPCKeySet;
extern const char *kSecXPCKeySet2;
extern const char *kSecXPCVersion;

extern const char *kSecXPCKeyReason;
156
157 //
158 // MARK: Mach port request IDs
159 //
// Operation codes for requests to securityd and trustd. The integer value is what is sent over
// XPC (under kSecXPCKeyOperation), and the SECURITYD_XPC/TRUSTD_XPC macros derive "<member>_id"
// from the function-table member name, so this enum is wire protocol: append new entries at the
// end and never renumber, reorder or remove existing ones (the inline comments below say the same).
enum SecXPCOperation {
    sec_item_add_id = 0,
    sec_item_copy_matching_id = 1,
    sec_item_update_id = 2,
    sec_item_delete_id = 3,
    // trust_store_for_domain -- NOT an ipc
    sec_trust_store_contains_id = 4,
    sec_trust_store_set_trust_settings_id = 5,
    sec_trust_store_remove_certificate_id = 6,
    // remove_all -- NOT an ipc
    sec_delete_all_id = 7,
    sec_trust_evaluate_id = 8,
    // Any new items MUST be added below here
    // This allows updating roots on a device, since SecTrustEvaluate must continue to work
    sec_keychain_backup_id,
    sec_keychain_restore_id,
    sec_keychain_backup_syncable_id,
    sec_keychain_restore_syncable_id,
    sec_item_backup_copy_names_id,
    sec_item_backup_handoff_fd_id,
    sec_item_backup_set_confirmed_manifest_id,
    sec_item_backup_restore_id,
    sec_keychain_sync_update_message_id,
    sec_ota_pki_trust_store_version_id,
    sec_otr_session_create_remote_id,
    sec_otr_session_process_packet_remote_id,
    kSecXPCOpOTAPKIGetNewAsset,
    kSecXPCOpOTAGetEscrowCertificates,
    kSecXPCOpProcessUnlockNotification,
    kSecXPCOpProcessSyncWithAllPeers,
    kSecXPCOpRollKeys,
    sec_add_shared_web_credential_id,
    sec_copy_shared_web_credential_id,
    sec_get_log_settings_id,
    sec_set_xpc_log_settings_id,
    sec_set_circle_log_settings_id,
    soscc_EnsurePeerRegistration_id,
    kSecXPCOpRequestEnsureFreshParameters,
    kSecXPCOpGetAllTheRings,
    kSecXPCOpApplyToARing,
    kSecXPCOpWithdrawlFromARing,
    kSecXPCOpEnableRing,
    kSecXPCOpRingStatus,
    kSecXPCOpRequestDeviceID,
    kSecXPCOpSetDeviceID,
    kSecXPCOpHandleIDSMessage,
    kSecXPCOpSyncWithKVSPeer,
    kSecXPCOpSyncWithIDSPeer,
    kSecXPCOpSendIDSMessage,
    kSecXPCOpPingTest,
    kSecXPCOpIDSDeviceID,
    kSecXPCOpSyncWithKVSPeerIDOnly,
    // any process using an operation below here is required to have entitlement keychain-cloud-circle
    // NOTE(review): the requirement is stated here but enforced in the daemon (presumably by operation
    // range, given the positional wording). Before adding an entry in this region, or appending one
    // after the "free for all" marker below, check the server-side entitlement check so the new
    // operation lands in the intended class.
    kSecXPCOpTryUserCredentials,
    kSecXPCOpSetUserCredentials,
    kSecXPCOpSetUserCredentialsAndDSID,
    kSecXPCOpCanAuthenticate,
    kSecXPCOpPurgeUserCredentials,
    kSecXPCOpDeviceInCircle,
    kSecXPCOpRequestToJoin,
    kSecXPCOpRequestToJoinAfterRestore,
    kSecXPCOpResetToOffering,
    kSecXPCOpResetToEmpty,
    kSecXPCOpView,
    kSecXPCOpViewSet,
    kSecXPCOpSecurityProperty,
    kSecXPCOpRemoveThisDeviceFromCircle,
    kSecXPCOpRemovePeersFromCircle,
    kSecXPCOpLoggedOutOfAccount,
    kSecXPCOpBailFromCircle,
    kSecXPCOpAcceptApplicants,
    kSecXPCOpRejectApplicants,
    kSecXPCOpCopyApplicantPeerInfo,
    kSecXPCOpCopyValidPeerPeerInfo,
    kSecXPCOpValidateUserPublic,
    kSecXPCOpCopyNotValidPeerPeerInfo,
    kSecXPCOpCopyPeerPeerInfo,
    kSecXPCOpCopyConcurringPeerPeerInfo,
    kSecXPCOpCopyGenerationPeerInfo,
    kSecXPCOpGetLastDepartureReason,
    kSecXPCOpSetLastDepartureReason,
    kSecXPCOpCopyIncompatibilityInfo,
    kSecXPCOpCopyRetirementPeerInfo,
    kSecXPCOpCopyViewUnawarePeerInfo,
    kSecXPCOpCopyEngineState,
    kSecXPCOpCopyMyPeerInfo,
    kSecXPCOpAccountSetToNew,
    kSecXPCOpSetNewPublicBackupKey,
    kSecXPCOpSetBagForAllSlices,
    kSecXPCOpWaitForInitialSync,
    kSecXPCOpCopyYetToSyncViews,
    kSecXPCOpSetEscrowRecord,
    kSecXPCOpGetEscrowRecord,
    kSecXPCOpCheckPeerAvailability,
    kSecXPCOpCopyAccountData,
    kSecXPCOpDeleteAccountData,
    kSecXPCOpCopyEngineData,
    kSecXPCOpDeleteEngineData,
    kSecXPCOpCopyApplication,
    kSecXPCOpCopyCircleJoiningBlob,
    kSecXPCOpJoinWithCircleJoiningBlob,
    kSecXPCOpKVSKeyCleanup,
    kSecXPCOpPopulateKVS,
    kSecXPCOpAccountHasPublicKey,
    kSecXPCOpAccountIsNew,
    kSecXPCOpClearKVSPeerMessage,
    kSecXPCOpRegisterRecoveryPublicKey,
    kSecXPCOpGetRecoveryPublicKey,
    kSecXPCOpCopyBackupInformation,
    kSecXPCOpCopyInitialSyncBlob,
    /* after this is free for all */
    kSecXPCOpWhoAmI,
    kSecXPCOpTransmogrifyToSyncBubble,
    kSecXPCOpTransmogrifyToSystemKeychain,
    kSecXPCOpWrapToBackupSliceKeyBagForView,
    sec_item_update_token_items_id,
    kSecXPCOpDeleteUserView,
    sec_trust_store_copy_all_id,
    sec_trust_store_copy_usage_constraints_id,
    sec_ocsp_cache_flush_id,
    sec_delete_items_with_access_groups_id,
    kSecXPCOpIsThisDeviceLastBackup,
    sec_keychain_backup_keybag_uuid_id,
    kSecXPCOpPeersHaveViewsEnabled,
    kSecXPCOpProcessSyncWithPeers,
    kSecXPCOpMessageFromPeerIsPending,
    kSecXPCOpSendToPeerIsPending,
    sec_item_copy_parent_certificates_id,
    sec_item_certificate_exists_id,
    kSecXPCOpBackupKeybagAdd,
    kSecXPCOpBackupKeybagDelete,
    kSecXPCOpKeychainControlEndpoint,
    kSecXPCOpTLSAnaltyicsReport, // sic: the misspelling is part of this header's API name; renaming it breaks callers
};
294
295
// Identity and privileges of the process making a request, as the server side sees it.
// Most of the securityd function-table entries below take a pointer to one of these.
// NOTE(review): how these fields are derived (from the caller's task/entitlements, presumably)
// is not visible in this header; check the server-side construction before trusting a field
// that a client could influence. Ownership of the CF members is also not stated here.
typedef struct SecurityClient {
    SecTaskRef task;                            // the calling task
    CFArrayRef accessGroups;                    // keychain access groups the client may use
    bool allowSystemKeychain;
    bool allowSyncBubbleKeychain;
    bool isNetworkExtension;
    bool canAccessNetworkExtensionAccessGroups;
    uid_t uid;
    CFDataRef musr;                             // multi-user identifier (see SecSecuritySetMusrMode)
#if TARGET_OS_EMBEDDED && TARGET_HAS_KEYSTORE
    keybag_handle_t keybag;                     // AKS keybag handle, only where a keystore exists
#endif
#if TARGET_OS_IPHONE
    bool inMultiUser;
    int activeUser;
#endif
} SecurityClient;
313
314
// Returns the process-wide SecurityClient describing the calling process.
// NOTE(review): lifetime/ownership of the returned pointer is not stated here — treat it as
// borrowed unless the implementation says otherwise.
extern SecurityClient * SecSecurityClientGet(void);
#if TARGET_OS_IOS
// Switches the process-wide client into (or out of) multi-user "musr" mode for the given
// uid and active user; presumably affects SecurityClient.musr/inMultiUser/activeUser above.
void SecSecuritySetMusrMode(bool mode, uid_t uid, int activeUser);
#endif
319
// Function table for securityd operations. When gSecurityd is installed, SECURITYD_XPC() calls
// the slot directly (in-process); otherwise it sends the matching "<slot>_id" operation over XPC.
// Every entry follows the Cocoa error convention: the bool / non-NULL return indicates success,
// *error is only meaningful on failure — check the return value, not the error pointer.
// Groups below are by name prefix only.
struct securityd {
    // Keychain item operations. The SecurityClient carries the caller's identity/access groups.
    bool (*sec_item_add)(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
    bool (*sec_item_copy_matching)(CFDictionaryRef query, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
    bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, SecurityClient *client, CFErrorRef* error);
    bool (*sec_item_delete)(CFDictionaryRef query, SecurityClient *client, CFErrorRef* error);
    // Shared web credentials additionally take the caller's audit token and app ID.
    bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
    bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
    bool (*sec_item_delete_all)(CFErrorRef* error);
    CFArrayRef (*sec_item_copy_parent_certificates)(CFDataRef normalizedIssuer, CFArrayRef accessGroups, CFErrorRef *error);
    bool (*sec_item_certificate_exists)(CFDataRef normalizedIssuer, CFDataRef serialNumber, CFArrayRef accessGroups, CFErrorRef *error);
    // Backup / restore. keybag and passcode are secret inputs; never log the arguments.
    CFDataRef (*sec_keychain_backup)(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, bool emcs, CFErrorRef* error);
    bool (*sec_keychain_restore)(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    bool (*sec_keychain_restore_syncable)(CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    CFArrayRef (*sec_item_backup_copy_names)(CFErrorRef *error);
    int (*sec_item_backup_handoff_fd)(CFStringRef backupName, CFErrorRef *error);   // returns a file descriptor; ownership not stated here
    bool (*sec_item_backup_set_confirmed_manifest)(CFStringRef backupName, CFDataRef keybagDigest, CFDataRef manifest, CFErrorRef *error);
    bool (*sec_item_backup_restore)(CFStringRef backupName, CFStringRef peerID, CFDataRef keybag, CFDataRef secret, CFDataRef backup, CFErrorRef *error);
    // OTR session handling on behalf of a remote peer.
    CFDataRef (*sec_otr_session_create_remote)(CFDataRef publicPeerId, CFErrorRef* error);
    bool (*sec_otr_session_process_packet_remote)(CFDataRef sessionData, CFDataRef inputPacket, CFDataRef* outputSessionData, CFDataRef* outputPacket, bool *readyForMessages, CFErrorRef* error);
    // SOS (Secure Object Sync) circle / account operations. user_password is secret input.
    bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
    bool (*soscc_SetUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
    bool (*soscc_SetUserCredentialsAndDSID)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
    bool (*soscc_CanAuthenticate)(CFErrorRef *error);
    bool (*soscc_PurgeUserCredentials)(CFErrorRef *error);
    SOSCCStatus (*soscc_ThisDeviceIsInCircle)(CFErrorRef* error);
    bool (*soscc_RequestToJoinCircle)(CFErrorRef* error);
    bool (*soscc_RequestToJoinCircleAfterRestore)(CFErrorRef* error);
    bool (*soscc_RequestEnsureFreshParameters)(CFErrorRef* error);
    CFStringRef (*soscc_GetAllTheRings)(CFErrorRef *error);
    bool (*soscc_ApplyToARing)(CFStringRef ringName, CFErrorRef* error);
    bool (*soscc_WithdrawlFromARing)(CFStringRef ringName, CFErrorRef* error);
    bool (*soscc_EnableRing)(CFStringRef ringName, CFErrorRef* error);
    SOSRingStatus (*soscc_RingStatus)(CFStringRef ringName, CFErrorRef* error);
    CFStringRef (*soscc_CopyDeviceID)(CFErrorRef* error);
    bool (*soscc_SetDeviceID)(CFStringRef IDS, CFErrorRef *error);
    HandleIDSMessageReason (*soscc_HandleIDSMessage)(CFDictionaryRef IDS, CFErrorRef *error);
    bool (*soscc_CheckIDSRegistration)(CFStringRef message, CFErrorRef *error);
    bool (*soscc_PingTest)(CFStringRef message, CFErrorRef *error);
    bool (*soscc_GetIDSIDFromIDS)(CFErrorRef *error);
    bool (*soscc_SetToNew)(CFErrorRef *error);
    bool (*soscc_ResetToOffering)(CFErrorRef* error);
    bool (*soscc_ResetToEmpty)(CFErrorRef* error);
    SOSViewResultCode (*soscc_View)(CFStringRef view, SOSViewActionCode action, CFErrorRef *error);
    bool (*soscc_ViewSet)(CFSetRef enabledViews, CFSetRef disabledViews);   // no CFErrorRef out-parameter, unlike the rest
    SOSSecurityPropertyResultCode (*soscc_SecurityProperty)(CFStringRef property, SOSSecurityPropertyActionCode action, CFErrorRef *error);
    bool (*soscc_RegisterSingleRecoverySecret)(CFDataRef backupSlice, bool forV0Only, CFErrorRef *error);
    bool (*soscc_RegisterRecoveryPublicKey)(CFDataRef recovery_key, CFErrorRef *error);
    CFDataRef (*soscc_CopyRecoveryPublicKey)(CFErrorRef *error);
    bool (*soscc_RemoveThisDeviceFromCircle)(CFErrorRef* error);
    bool (*soscc_RemovePeersFromCircle)(CFArrayRef peers, CFErrorRef* error);
    bool (*soscc_LoggedOutOfAccount)(CFErrorRef* error);
    bool (*soscc_BailFromCircle)(uint64_t limit_in_seconds, CFErrorRef* error);
    bool (*soscc_AcceptApplicants)(CFArrayRef applicants, CFErrorRef* error);
    bool (*soscc_RejectApplicants)(CFArrayRef applicants, CFErrorRef* error);
    SOSPeerInfoRef (*soscc_SetNewPublicBackupKey)(CFDataRef pubKey, CFErrorRef *error);
    bool (*soscc_ValidateUserPublic)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyGenerationPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyApplicantPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyValidPeerPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyNotValidPeerPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyRetirementPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyViewUnawarePeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyEngineState)(CFErrorRef* error);
    // Not sure why these are below the last entry in the enum order above, but they are:
    // (member order in this struct is not tied to enum order — the macros match by name, not position.)
    CFArrayRef (*soscc_CopyPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyConcurringPeerInfo)(CFErrorRef* error);
    CFStringRef (*soscc_CopyIncompatibilityInfo)(CFErrorRef* error);
    enum DepartureReason (*soscc_GetLastDepartureReason)(CFErrorRef* error);
    bool (*soscc_SetLastDepartureReason)(enum DepartureReason, CFErrorRef* error);
    CFSetRef (*soscc_ProcessSyncWithPeers)(CFSetRef peerIDs, CFSetRef backupPeerIDs, CFErrorRef* error);
    SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers)(CFErrorRef* error);
    bool (*soscc_EnsurePeerRegistration)(CFErrorRef* error);
    bool (*sec_roll_keys)(bool force, CFErrorRef* error);
    CFArrayRef (*sec_keychain_sync_update_message)(CFDictionaryRef update, CFErrorRef *error);
    // Logging configuration.
    CFPropertyListRef (*sec_get_log_settings)(CFErrorRef* error);
    bool (*sec_set_xpc_log_settings)(CFTypeRef type, CFErrorRef* error);
    bool (*sec_set_circle_log_settings)(CFTypeRef type, CFErrorRef* error);
    SOSPeerInfoRef (*soscc_CopyMyPeerInfo)(CFErrorRef*);
    bool (*soscc_WaitForInitialSync)(CFErrorRef*);
    CFArrayRef (*soscc_CopyYetToSyncViewsList)(CFErrorRef*);
    bool (*soscc_SetEscrowRecords)(CFStringRef escrow_label, uint64_t tries, CFErrorRef *error);
    CFDictionaryRef (*soscc_CopyEscrowRecords)(CFErrorRef *error);
    CFDictionaryRef (*soscc_CopyBackupInformation)(CFErrorRef *error);
    bool (*soscc_PeerAvailability)(CFErrorRef *error);
    bool (*sosbskb_WrapToBackupSliceKeyBagForView)(CFStringRef viewName, CFDataRef input, CFDataRef* output, CFDataRef* bskbEncoded, CFErrorRef* error);
    CFDataRef (*soscc_CopyAccountState)(CFErrorRef *error);
    bool (*soscc_DeleteAccountState)(CFErrorRef *error);
    CFDataRef (*soscc_CopyEngineData)(CFErrorRef *error);
    bool (*soscc_DeleteEngineState)(CFErrorRef *error);
    SOSPeerInfoRef (*soscc_CopyApplicant)(CFErrorRef *error);
    CFDataRef (*soscc_CopyCircleJoiningBlob)(SOSPeerInfoRef applicant, CFErrorRef *error);
    CFDataRef (*soscc_CopyInitialSyncData)(CFErrorRef *error);
    bool (*soscc_JoinWithCircleJoiningBlob)(CFDataRef joiningBlob, PiggyBackProtocolVersion version, CFErrorRef *error);
    bool (*soscc_SOSCCCleanupKVSKeys)(CFErrorRef *error);
    bool (*soscc_SOSCCTestPopulateKVSWithBadKeys)(CFErrorRef *error);   // test hook, by name
    bool (*soscc_AccountHasPublicKey)(CFErrorRef *error);
    bool (*soscc_AccountIsNew)(CFErrorRef *error);
    bool (*sec_item_update_token_items)(CFStringRef tokenID, CFArrayRef query, SecurityClient *client, CFErrorRef* error);
    bool (*sec_delete_items_with_access_groups)(CFArrayRef bundleIDs, SecurityClient *client, CFErrorRef *error);
    bool (*soscc_IsThisDeviceLastBackup)(CFErrorRef *error);
    bool (*soscc_requestSyncWithPeerOverKVS)(CFStringRef peerID, CFDataRef message, CFErrorRef *error);
    bool (*soscc_requestSyncWithPeerOverIDS)(CFStringRef peerID, CFErrorRef *error);
    CFBooleanRef (*soscc_SOSCCPeersHaveViewsEnabled)(CFArrayRef views, CFErrorRef *error);
    bool (*socc_clearPeerMessageKeyInKVS)(CFStringRef peerID, CFErrorRef *error);
    bool (*soscc_requestSyncWithPeerOverKVSIDOnly)(CFStringRef peerID, CFErrorRef *error);
    bool (*soscc_SOSCCMessageFromPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
    bool (*soscc_SOSCCSendToPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
    CFTypeRef (*soscc_status)(void);
    // Not a function pointer. NOTE(review): presumably the in-process server object used when the
    // table is installed locally (see SecCreateLocalSecuritydXPCServer below) — confirm.
    CFTypeRef secd_xpc_server;
};
431
// In-process securityd table; NULL in ordinary clients, in which case SECURITYD_XPC() goes over XPC.
extern struct securityd *gSecurityd;
433
// Function table for trustd operations; same in-process vs. XPC dispatch as struct securityd,
// via TRUSTD_XPC() and gTrustd. Per the enum comments above, sec_trust_store_for_domain and
// sec_truststore_remove_all are NOT IPC operations and have no *_id entry.
struct trustd {
    SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error);
    bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error);
    bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error);
    bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error);
    bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error);
    // Trust evaluation. Caller-supplied anchors/exceptions steer the verdict, so a caller with
    // this entry point decides its own trust roots; accessGroups is declared __unused here.
    SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error);
    // OTA PKI asset / escrow certificate queries.
    uint64_t (*sec_ota_pki_trust_store_version)(CFErrorRef* error);
    CFArrayRef (*ota_CopyEscrowCertificates)(uint32_t escrowRootType, CFErrorRef* error);
    uint64_t (*sec_ota_pki_get_new_asset)(CFErrorRef* error);
    bool (*sec_trust_store_copy_all)(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error);
    bool (*sec_trust_store_copy_usage_constraints)(SecTrustStoreRef ts, CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error);
    bool (*sec_ocsp_cache_flush)(CFErrorRef *error);
    bool (*sec_tls_analytics_report)(CFStringRef event_name, xpc_object_t tls_analytics_attributes, CFErrorRef *error);
};
449
// In-process trustd table; NULL in ordinary clients, in which case TRUSTD_XPC() goes over XPC.
extern struct trustd *gTrustd;

// Keychain access groups of the current process, as the client library sees them.
CFArrayRef SecAccessGroupsGetCurrent(void);

// TODO Rename me
// Human-readable name for an operation code (logging/diagnostics).
CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op);
// Low-level XPC helpers. Both return a +1 xpc_object_t (XPC_RETURNS_RETAINED); the caller releases it.
XPC_RETURNS_RETAINED xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error);
XPC_RETURNS_RETAINED xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error);
// Returns false, with *error filled in, when the reply reports an error (presumably under
// kSecXPCKeyError — confirm in the implementation); true otherwise.
bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error);


// Round-trip convenience: creates the message for `op`, lets add_to_message populate it, sends it
// synchronously and hands the reply to handle_response. Presumably either block returning false
// aborts the call with *error set — confirm against the implementation.
bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error,
                                bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
                                bool (^handle_response)(xpc_object_t response, CFErrorRef* error));

// For testing only, never call this in a threaded program!
// Overrides the trustd Mach service name this process connects to. Because it redirects every
// subsequent trust request, it must never be reachable from production code paths.
void SecServerSetTrustdMachServiceName(const char *name);

// Asks securityd for an xpc_endpoint_t for the given operation; +1 return, caller releases.
XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyEndpoint(enum SecXPCOperation op, CFErrorRef *error);
469
470 #if __OBJC__
471 #import <Foundation/Foundation.h>
472 #import <Foundation/NSXPCConnection.h>
// Completion block shape used by SecuritydXPCCallback: a success flag plus an NSError
// (presumably nil on success — not stated here).
typedef void (^SecBoolNSErrorCallback) (bool, NSError*);
474
// Remote-callable callback object, so that a completion block can be handed across NSXPC
// (a block itself cannot be sent over the connection; see SecuritydXPCCallback below).
@protocol SecuritydXPCCallbackProtocol <NSObject>
/// Delivers the outcome: `result` is the success flag, `error` the failure reason if any.
- (void)callCallback: (bool) result error:(NSError*) error;
@end
478
// NSXPC interface to securityd. Every argument here arrives from another process: the server
// must treat access groups, identifiers and view hints as untrusted input and check them against
// the connecting client's entitlements — that check is not visible in this header.
@protocol SecuritydXPCProtocol <NSObject>
// Add an item and notify `callback` once it has synced; `complete` reports the add itself.
// NOTE(review): which of opDictResult/opArrayResult is populated is not determinable here.
- (void) SecItemAddAndNotifyOnSync:(NSDictionary*) attributes
                       syncCallback:(id<SecuritydXPCCallbackProtocol>) callback
                           complete:(void (^) (NSDictionary* opDictResult, NSArray* opArrayResult, NSError* operror)) complete;

// For the given item (specified exactly by its hash (currently SHA1)), attempt to set the CloudKit 'current' pointer
// to point to the given item.
// This can fail if:
//  1. your knowledge of the old current item is out of date
//  2. either the new item or old item has changed (checked by hash)
//  3. this device can't talk with CloudKit for any reason
// The old-item reference/hash act as a compare-and-swap guard against concurrent updates.
- (void)secItemSetCurrentItemAcrossAllDevices:(NSData*)newItemPersistentRef
                           newCurrentItemHash:(NSData*)newItemSHA1
                                  accessGroup:(NSString*)accessGroup
                                   identifier:(NSString*)identifier
                                     viewHint:(NSString*)viewHint
                      oldCurrentItemReference:(NSData*)oldCurrentItemPersistentRef
                           oldCurrentItemHash:(NSData*)oldItemSHA1
                                     complete:(void (^) (NSError* operror)) complete;

// For the given access group and identifier, check the current local idea of the 'current' item.
// fetchCloudValue presumably asks CloudKit instead of answering from local state — confirm.
-(void)secItemFetchCurrentItemAcrossAllDevices:(NSString*)accessGroup
                                    identifier:(NSString*)identifier
                                      viewHint:(NSString*)viewHint
                                fetchCloudValue:(bool)fetchCloudValue
                                      complete:(void (^) (NSData* persistentref, NSError* operror)) complete;


// For each item in the keychainClass, return a persistent reference and the digest of the value.
// The digest is not stable and can change at any time; the only promise is that if the digest
// value didn't change, the item didn't change. If the digest changed, the value MIGHT have changed,
// but it could also just have stayed the same.
// This interface bypasses SEP/AKS and for that reason is higher performance than SecItemCopyMatching().
// NOTE(review): because it does not go through AKS, the server-side access-group check is the only
// thing scoping what a caller can observe through this entry point — confirm it is applied here.
- (void) secItemDigest:(NSString *)keychainClass
           accessGroup:(NSString *)accessGroup
              complete:(void (^)(NSArray<NSDictionary *> *digest, NSError* error))complete;
@end
516
// Call this to receive a proxy object conforming to SecuritydXPCProtocol that you can call methods on.
// It's probably a remote object for securityd/secd, but it might be in-process if you've configured it that way.
// rpcErrorHandler is, by its name, for connection-level (XPC transport) failures, as opposed to the
// per-call NSError each method's complete: block delivers — confirm in the implementation.
id<SecuritydXPCProtocol> SecuritydXPCProxyObject(void (^rpcErrorHandler)(NSError *));

// Set up a local securityxpcserver: after this call, all securitydxpc calls will be handled in-process instead of actually transferring to securityd
// (i.e. with no process boundary between caller and implementation — intended for the daemon
// itself and for tests; confirm the callers before using it elsewhere).
id<SecuritydXPCProtocol> SecCreateLocalSecuritydXPCServer(void);
523
524 // Make a SecBoolNSErrorCallback block into an Objective-C object (for proxying across NSXPC)
// Make a SecBoolNSErrorCallback block into an Objective-C object (for proxying across NSXPC)
// NOTE(review): `callback` uses the default property attributes (atomic, strong). Under ARC a
// block assigned to a strong property is copied, so this behaves correctly, but `copy` would
// state the intent; the explicit ivar is also redundant with auto-synthesis.
@interface SecuritydXPCCallback : NSObject <SecuritydXPCCallbackProtocol> {
    SecBoolNSErrorCallback _callback;
}
@property SecBoolNSErrorCallback callback;
/// Wraps `callback`; presumably -callCallback:error: (from the protocol) invokes it.
- (instancetype)initWithCallback: (SecBoolNSErrorCallback) callback;
@end
531
// Owner of the NSXPCConnection to securityd. NOTE(review): `connection` is atomic/strong by
// default; atomic accessors do not make reconfiguring the connection thread-safe at the
// operation level, so any reassignment needs its own synchronization.
@interface SecuritydXPCClient : NSObject {
    NSXPCConnection* _connection;
}
@property NSXPCConnection* connection;

/// Configures `interface` for SecuritydXPCProtocol — presumably the allowed-class lists for the
/// protocol's arguments. That configuration is the decoding boundary for everything received over
/// the connection, so it should be reviewed together with any change to the protocol methods.
+(void)configureSecuritydXPCProtocol: (NSXPCInterface*) interface;
@end
539
540 #endif // OBJC
541
542 #endif /* _SECURITYD_CLIENT_H_ */