2 * Copyright (c) 2000-2004,2011-2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
31 #include "Certificate.h"
33 #include "ExtendedAttribute.h"
36 #include <security_cdsa_utilities/Schema.h>
37 #include "KCEventNotifier.h"
38 #include "KCExceptions.h"
39 #include "cssmdatetime.h"
40 #include <security_cdsa_client/keychainacl.h>
41 #include <security_utilities/osxcode.h>
42 #include <security_utilities/trackingallocator.h>
43 #include <Security/SecKeychainItemPriv.h>
44 #include <Security/cssmapple.h>
45 #include <CommonCrypto/CommonDigest.h>
46 #include <utilities/der_plist.h>
48 #include <security_utilities/CSPDLTransaction.h>
49 #include <SecBasePriv.h>
51 #define SENDACCESSNOTIFICATIONS 1
53 //%%% schema indexes should be defined in Schema.h
54 #define _kSecAppleSharePasswordItemClass 'ashp'
55 #define APPLEDB_CSSM_PRINTNAME_ATTRIBUTE 1 /* schema index for label attribute of keys or certificates */
56 #define APPLEDB_GENERIC_PRINTNAME_ATTRIBUTE 7 /* schema index for label attribute of password items */
57 #define IS_PASSWORD_ITEM_CLASS(X) ( (X) == kSecInternetPasswordItemClass || \
58 (X) == kSecGenericPasswordItemClass || \
59 (X) == _kSecAppleSharePasswordItemClass ) ? 1 : 0
61 using namespace KeychainCore
;
62 using namespace CSSMDateTimeUtils
;
68 ItemImpl
*ItemImpl::required(SecKeychainItemRef ptr
)
71 if (ItemImpl
*pp
= optional(ptr
)) {
75 MacOSError::throwMe(errSecInvalidItemRef
);
78 ItemImpl
*ItemImpl::optional(SecKeychainItemRef ptr
)
80 if (ptr
!= NULL
&& CFGetTypeID(ptr
) == SecKeyGetTypeID()) {
81 return dynamic_cast<ItemImpl
*>(KeyItem::fromSecKeyRef(ptr
));
82 } else if (SecCFObject
*p
= SecCFObject::optional(ptr
)) {
83 if (ItemImpl
*pp
= dynamic_cast<ItemImpl
*>(p
)) {
86 MacOSError::throwMe(errSecInvalidItemRef
);
93 // NewItemImpl constructor
94 ItemImpl::ItemImpl(SecItemClass itemClass
, OSType itemCreator
, UInt32 length
, const void* data
, bool dontDoAttributes
)
95 : mDbAttributes(new DbAttributes()),
97 secd_PersistentRef(NULL
),
100 mMutex(Mutex::recursive
)
103 mData
= new CssmDataContainer(data
, length
);
105 mDbAttributes
->recordType(Schema::recordTypeFor(itemClass
));
108 mDbAttributes
->add(Schema::attributeInfo(kSecCreatorItemAttr
), itemCreator
);
111 ItemImpl::ItemImpl(SecItemClass itemClass
, SecKeychainAttributeList
*attrList
, UInt32 length
, const void* data
)
112 : mDbAttributes(new DbAttributes()),
114 secd_PersistentRef(NULL
),
115 mDoNotEncrypt(false),
117 mMutex(Mutex::recursive
)
120 mData
= new CssmDataContainer(data
, length
);
123 mDbAttributes
->recordType(Schema::recordTypeFor(itemClass
));
127 for(UInt32 i
=0; i
< attrList
->count
; i
++)
129 mDbAttributes
->add(Schema::attributeInfo(attrList
->attr
[i
].tag
), CssmData(attrList
->attr
[i
].data
, attrList
->attr
[i
].length
));
134 // DbItemImpl constructor
135 ItemImpl::ItemImpl(const Keychain
&keychain
, const PrimaryKey
&primaryKey
, const DbUniqueRecord
&uniqueId
)
136 : mUniqueId(uniqueId
), mKeychain(keychain
), mPrimaryKey(primaryKey
),
137 secd_PersistentRef(NULL
), mDoNotEncrypt(false), mInCache(false),
138 mMutex(Mutex::recursive
)
142 // PrimaryKey ItemImpl constructor
143 ItemImpl::ItemImpl(const Keychain
&keychain
, const PrimaryKey
&primaryKey
)
144 : mKeychain(keychain
), mPrimaryKey(primaryKey
), secd_PersistentRef(NULL
), mDoNotEncrypt(false),
146 mMutex(Mutex::recursive
)
150 ItemImpl
* ItemImpl::make(const Keychain
&keychain
, const PrimaryKey
&primaryKey
, const CssmClient::DbUniqueRecord
&uniqueId
)
152 ItemImpl
* ii
= new ItemImpl(keychain
, primaryKey
, uniqueId
);
153 keychain
->addItem(primaryKey
, ii
);
159 ItemImpl
* ItemImpl::make(const Keychain
&keychain
, const PrimaryKey
&primaryKey
)
161 ItemImpl
* ii
= new ItemImpl(keychain
, primaryKey
);
162 keychain
->addItem(primaryKey
, ii
);
168 // Constructor used when copying an item to a keychain.
170 ItemImpl::ItemImpl(ItemImpl
&item
) :
171 mData(item
.modifiedData() ? NULL
: new CssmDataContainer()),
172 mDbAttributes(new DbAttributes()),
174 secd_PersistentRef(NULL
),
175 mDoNotEncrypt(false),
177 mMutex(Mutex::recursive
)
179 mDbAttributes
->recordType(item
.recordType());
181 if (item
.mKeychain
) {
182 // get the entire source item from its keychain. This requires figuring
183 // out the schema for the item based on its record type.
184 // Ask the remote item to fill our attributes dictionary, because it probably has an attached keychain to ask
185 item
.fillDbAttributesFromSchema(*mDbAttributes
, item
.recordType());
187 item
.getContent(mDbAttributes
.get(), mData
.get());
190 // @@@ We don't deal with modified attributes.
192 if (item
.modifiedData())
193 // the copied data comes from the source item
194 mData
= new CssmDataContainer(item
.modifiedData()->Data
,
195 item
.modifiedData()->Length
);
198 ItemImpl::~ItemImpl()
200 if (secd_PersistentRef
) {
201 CFRelease(secd_PersistentRef
);
208 ItemImpl::getMutexForObject() const
212 return mKeychain
->getKeychainMutex();
220 ItemImpl::aboutToDestruct()
222 if(mKeychain
.get()) {
223 mKeychain
->forceRemoveFromCache(this);
230 ItemImpl::didModify()
232 StLock
<Mutex
>_(mMutex
);
234 mDbAttributes
.reset(NULL
);
238 ItemImpl::defaultAttributeValue(const CSSM_DB_ATTRIBUTE_INFO
&info
)
240 static const uint32 zeroInt
= 0;
241 static const double zeroDouble
= 0.0;
242 static const char timeBytes
[] = "20010101000000Z";
244 static const CSSM_DATA defaultFourBytes
= { 4, (uint8
*) &zeroInt
};
245 static const CSSM_DATA defaultEightBytes
= { 8, (uint8
*) &zeroDouble
};
246 static const CSSM_DATA defaultTime
= { 16, (uint8
*) timeBytes
};
247 static const CSSM_DATA defaultZeroBytes
= { 0, NULL
};
249 switch (info
.AttributeFormat
)
251 case CSSM_DB_ATTRIBUTE_FORMAT_SINT32
:
252 case CSSM_DB_ATTRIBUTE_FORMAT_UINT32
:
253 return defaultFourBytes
;
255 case CSSM_DB_ATTRIBUTE_FORMAT_REAL
:
256 return defaultEightBytes
;
258 case CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE
:
262 return defaultZeroBytes
;
266 void ItemImpl::fillDbAttributesFromSchema(DbAttributes
& dbAttributes
, CSSM_DB_RECORDTYPE recordType
, Keychain keychain
) {
267 // If we weren't passed a keychain, use our own.
268 keychain
= !!keychain
? keychain
: mKeychain
;
270 // Without a keychain, there's no one to ask.
275 SecKeychainAttributeInfo
* infos
;
276 keychain
->getAttributeInfoForItemID(recordType
, &infos
);
278 secinfo("integrity", "filling %u attributes for type %u", (unsigned int)infos
->count
, recordType
);
280 for (uint32 i
= 0; i
< infos
->count
; i
++) {
281 CSSM_DB_ATTRIBUTE_INFO info
;
282 memset(&info
, 0, sizeof(info
));
284 info
.AttributeNameFormat
= CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER
;
285 info
.Label
.AttributeID
= infos
->tag
[i
];
286 info
.AttributeFormat
= infos
->format
[i
];
288 dbAttributes
.add(info
);
291 keychain
->freeAttributeInfo(infos
);
294 DbAttributes
* ItemImpl::getCurrentAttributes() {
295 DbAttributes
* dbAttributes
;
296 secinfo("integrity", "getting current attributes...");
298 if(mUniqueId
.get()) {
299 // If we have a unique id, there's an item in the database backing us. Ask for its attributes.
300 dbAttributes
= new DbAttributes(dbUniqueRecord()->database(), 1);
301 fillDbAttributesFromSchema(*dbAttributes
, recordType());
302 mUniqueId
->get(dbAttributes
, NULL
);
304 // and fold in any updates.
305 if(mDbAttributes
.get()) {
306 secinfo("integrity", "adding %d attributes from mDbAttributes", mDbAttributes
->size());
307 dbAttributes
->updateWithDbAttributes(&(*mDbAttributes
.get()));
309 } else if (mDbAttributes
.get()) {
310 // We don't have a backing item, so all our attributes are in mDbAttributes. Copy them.
311 secnotice("integrity", "no unique id, using %d attributes from mDbAttributes", mDbAttributes
->size());
312 dbAttributes
= new DbAttributes();
313 dbAttributes
->updateWithDbAttributes(&(*mDbAttributes
.get()));
315 // No attributes at all. We should maybe throw here, but let's not.
316 secnotice("integrity", "no attributes at all");
317 dbAttributes
= new DbAttributes();
319 dbAttributes
->recordType(recordType());
320 // TODO: We don't set semanticInformation. Issue?
326 void ItemImpl::encodeAttributes(CssmOwnedData
&attributeBlob
) {
327 // Sometimes we don't have our attributes. Find them.
328 auto_ptr
<DbAttributes
> dbAttributes(getCurrentAttributes());
329 encodeAttributesFromDictionary(attributeBlob
, dbAttributes
.get());
333 void ItemImpl::encodeAttributesFromDictionary(CssmOwnedData
&attributeBlob
, DbAttributes
* dbAttributes
) {
334 // Create a CFDictionary from dbAttributes and call der_encode_dictionary on it
335 CFRef
<CFMutableDictionaryRef
> attributes
;
336 attributes
.take(CFDictionaryCreateMutable(NULL
, dbAttributes
->size(), &kCFTypeDictionaryKeyCallBacks
, &kCFTypeDictionaryValueCallBacks
));
338 secinfo("integrity", "looking at %d attributes", dbAttributes
->size());
339 // TODO: include record type and semantic information?
341 for(int i
= 0; i
< dbAttributes
->size(); i
++) {
342 CssmDbAttributeData
& data
= dbAttributes
->attributes()[i
];
343 CssmDbAttributeInfo
& datainfo
= data
.info();
345 // Sometimes we need to normalize the info. Calling Schema::attributeInfo is the best way to do that.
346 // There's no avoiding the try-catch structure here, since only some of the names are in Schema::attributeInfo,
347 // but it will only indicate that by throwing.
348 CssmDbAttributeInfo
& actualInfo
= datainfo
;
350 if(datainfo
.nameFormat() == CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER
&& Schema::haveAttributeInfo(datainfo
.intName())) {
351 actualInfo
= Schema::attributeInfo(datainfo
.intName());
354 actualInfo
= datainfo
;
357 // Pull the label/name out of this data
358 CFRef
<CFDataRef
> label
= NULL
;
360 switch(actualInfo
.nameFormat()) {
361 case CSSM_DB_ATTRIBUTE_NAME_AS_STRING
: {
362 const char* stringname
= actualInfo
.stringName();
363 label
.take(CFDataCreate(NULL
, reinterpret_cast<const UInt8
*>(stringname
), strlen(stringname
)));
366 case CSSM_DB_ATTRIBUTE_NAME_AS_OID
: {
367 const CssmOid
& oidname
= actualInfo
.oidName();
368 label
.take(CFDataCreate(NULL
, reinterpret_cast<const UInt8
*>(oidname
.data()), oidname
.length()));
371 case CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER
: {
372 uint32 iname
= actualInfo
.intName();
373 label
.take(CFDataCreate(NULL
, reinterpret_cast<const UInt8
*>(&(iname
)), sizeof(uint32
)));
378 if(data
.size() == 0) {
379 // This attribute doesn't have a value, and so shouldn't be included in the digest.
383 // Do not include the Creation or Modification date attributes in the hash.
384 // Use this complicated method of checking so we'll catch string and integer names.
385 SecKeychainAttrType cdat
= kSecCreationDateItemAttr
;
386 SecKeychainAttrType cmod
= kSecModDateItemAttr
;
387 if((CFDataGetLength(label
) == sizeof(SecKeychainAttrType
)) &&
388 ((memcmp(CFDataGetBytePtr(label
), &cdat
, sizeof(SecKeychainAttrType
)) == 0) ||
389 (memcmp(CFDataGetBytePtr(label
), &cmod
, sizeof(SecKeychainAttrType
)) == 0))) {
393 // Collect the raw data for each value of this CssmDbAttributeData
394 CFRef
<CFMutableArrayRef
> attributeDataContainer
;
395 attributeDataContainer
.take(CFArrayCreateMutable(NULL
, data
.size(), &kCFTypeArrayCallBacks
));
397 for(int j
= 0; j
< data
.size(); j
++) {
398 CssmData
& entry
= data
.values()[j
];
400 CFRef
<CFDataRef
> datadata
= NULL
;
401 switch(actualInfo
.format()) {
402 case CSSM_DB_ATTRIBUTE_FORMAT_BLOB
:
403 case CSSM_DB_ATTRIBUTE_FORMAT_STRING
:
404 case CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE
:
405 datadata
.take(CFDataCreate(NULL
, reinterpret_cast<const UInt8
*>(data
.values()[j
].data()), data
.values()[j
].length()));
408 case CSSM_DB_ATTRIBUTE_FORMAT_UINT32
: {
409 uint32 x
= entry
.length() == 1 ? *reinterpret_cast<uint8
*>(entry
.Data
) :
410 entry
.length() == 2 ? *reinterpret_cast<uint16
*>(entry
.Data
) :
411 entry
.length() == 4 ? *reinterpret_cast<uint32
*>(entry
.Data
) : 0;
412 datadata
.take(CFDataCreate(NULL
, reinterpret_cast<const UInt8
*>(&x
), sizeof(x
)));
416 case CSSM_DB_ATTRIBUTE_FORMAT_SINT32
: {
417 sint32 x
= entry
.length() == 1 ? *reinterpret_cast<sint8
*>(entry
.Data
) :
418 entry
.length() == 2 ? *reinterpret_cast<sint16
*>(entry
.Data
) :
419 entry
.length() == 4 ? *reinterpret_cast<sint32
*>(entry
.Data
) : 0;
420 datadata
.take(CFDataCreate(NULL
, reinterpret_cast<const UInt8
*>(&x
), sizeof(x
)));
423 // CSSM_DB_ATTRIBUTE_FORMAT_BIG_NUM is unimplemented here but
424 // has some canonicalization requirements, see DbValue.cpp
430 CFArrayAppendValue(attributeDataContainer
, datadata
);
432 CFDictionaryAddValue(attributes
, label
, attributeDataContainer
);
435 // Now that we have a CFDictionary containing a bunch of CFDatas, turn that
439 CFRef
<CFDataRef
> derBlob
;
440 derBlob
.take(CFPropertyListCreateDERData(NULL
, attributes
, &error
));
442 // TODO: How do we check error here?
448 attributeBlob
.length(CFDataGetLength(derBlob
));
449 attributeBlob
.copy(CFDataGetBytePtr(derBlob
), CFDataGetLength(derBlob
));
452 void ItemImpl::computeDigest(CssmOwnedData
&sha2
) {
453 auto_ptr
<DbAttributes
> dbAttributes(getCurrentAttributes());
454 ItemImpl::computeDigestFromDictionary(sha2
, dbAttributes
.get());
457 void ItemImpl::computeDigestFromDictionary(CssmOwnedData
&sha2
, DbAttributes
* dbAttributes
) {
459 CssmAutoData
attributeBlob(Allocator::standard());
460 encodeAttributesFromDictionary(attributeBlob
, dbAttributes
);
462 sha2
.length(CC_SHA256_DIGEST_LENGTH
);
463 CC_SHA256(attributeBlob
.get().data(), static_cast<CC_LONG
>(attributeBlob
.get().length()), sha2
);
464 secinfo("integrity", "finished: %s", sha2
.get().toHex().c_str());
465 } catch (MacOSError mose
) {
466 secnotice("integrity", "MacOSError: %d", (int)mose
.osStatus());
468 secnotice("integrity", "unknown exception");
472 void ItemImpl::addIntegrity(Access
&access
, bool force
) {
473 if(!force
&& (!mKeychain
|| !mKeychain
->hasIntegrityProtection())) {
474 secinfo("integrity", "skipping integrity add due to keychain version\n");
479 CssmAutoData
digest(Allocator::standard());
480 computeDigest(digest
);
482 // First, check if this already has an integrity tag
484 access
.findSpecificAclsForRight(CSSM_ACL_AUTHORIZATION_INTEGRITY
, acls
);
486 if(acls
.size() >= 1) {
487 // Use the existing ACL
489 secinfo("integrity", "previous integrity acl exists; setting integrity");
490 acl
->setIntegrity(digest
.get());
492 // Delete all extra ACLs
493 for(int i
= 1; i
< acls
.size(); i
++) {
494 secnotice("integrity", "extra integrity acls exist; removing %d",i
);
497 } else if(acls
.size() == 0) {
499 secnotice("integrity", "no previous integrity acl exists; making a new one");
500 acl
= new ACL(digest
.get());
505 void ItemImpl::setIntegrity(bool force
) {
506 if(!force
&& (!mKeychain
|| !mKeychain
->hasIntegrityProtection())) {
507 secnotice("integrity", "skipping integrity set due to keychain version");
511 // For Items, only passwords should have integrity
512 if(!(recordType() == CSSM_DL_DB_RECORD_GENERIC_PASSWORD
|| recordType() == CSSM_DL_DB_RECORD_INTERNET_PASSWORD
)) {
516 // If we're not on an SSDb, we shouldn't have integrity
517 Db
db(mKeychain
->database());
518 if (!useSecureStorage(db
)) {
522 setIntegrity(*group(), force
);
525 void ItemImpl::setIntegrity(AclBearer
&bearer
, bool force
) {
526 if(!force
&& (!mKeychain
|| !mKeychain
->hasIntegrityProtection())) {
527 secnotice("integrity", "skipping integrity acl set due to keychain version");
531 SecPointer
<Access
> access
= new Access(bearer
);
533 access
->removeAclsForRight(CSSM_ACL_AUTHORIZATION_PARTITION_ID
);
534 addIntegrity(*access
, force
);
535 access
->setAccess(bearer
, true);
538 void ItemImpl::removeIntegrity(const AccessCredentials
*cred
) {
539 removeIntegrity(*group(), cred
);
542 void ItemImpl::removeIntegrity(AclBearer
&bearer
, const AccessCredentials
*cred
) {
543 SecPointer
<Access
> access
= new Access(bearer
);
546 access
->findSpecificAclsForRight(CSSM_ACL_AUTHORIZATION_INTEGRITY
, acls
);
547 for(int i
= 0; i
< acls
.size(); i
++) {
551 access
->findSpecificAclsForRight(CSSM_ACL_AUTHORIZATION_PARTITION_ID
, acls
);
552 for(int i
= 0; i
< acls
.size(); i
++) {
556 access
->editAccess(bearer
, true, cred
);
559 bool ItemImpl::checkIntegrity() {
560 // Note: subclasses are responsible for checking themselves.
562 // If we don't have a keychain yet, we don't have any group. Return true?
563 if(!isPersistent()) {
564 secnotice("integrity", "no keychain, integrity is valid?");
568 if(!mKeychain
|| !mKeychain
->hasIntegrityProtection()) {
569 secinfo("integrity", "skipping integrity check due to keychain version");
573 // Collect our SSGroup, if it exists.
575 SSGroup ssGroup
= group();
577 return checkIntegrity(*ssGroup
);
580 // If we don't have an SSGroup, we can't be invalid. return true.
584 bool ItemImpl::checkIntegrity(AclBearer
& aclBearer
) {
585 if(!mKeychain
|| !mKeychain
->hasIntegrityProtection()) {
586 secinfo("integrity", "skipping integrity check due to keychain version");
590 auto_ptr
<DbAttributes
> dbAttributes(getCurrentAttributes());
591 return checkIntegrityFromDictionary(aclBearer
, dbAttributes
.get());
594 bool ItemImpl::checkIntegrityFromDictionary(AclBearer
& aclBearer
, DbAttributes
* dbAttributes
) {
596 AutoAclEntryInfoList aclInfos
;
597 aclBearer
.getAcl(aclInfos
, CSSM_APPLE_ACL_TAG_INTEGRITY
);
599 // We should only expect there to be one integrity tag. If there's not,
600 // take the first one and ignore the rest. We should probably attempt delete
603 AclEntryInfo
&info
= aclInfos
.at(0);
604 auto_ptr
<ACL
> acl(new ACL(info
, Allocator::standard()));
606 for(int i
= 1; i
< aclInfos
.count(); i
++) {
607 secnotice("integrity", "*** DUPLICATE INTEGRITY ACL, something has gone wrong");
610 CssmAutoData
digest(Allocator::standard());
611 computeDigestFromDictionary(digest
, dbAttributes
);
612 if (acl
->integrity() == digest
.get()) {
616 catch (CssmError cssme
) {
617 const char* errStr
= cssmErrorString(cssme
.error
);
618 secnotice("integrity", "caught CssmError: %d %s", (int) cssme
.error
, errStr
);
620 if(cssme
.error
== CSSMERR_CSP_ACL_ENTRY_TAG_NOT_FOUND
) {
621 // TODO: No entry, run migrator?
624 if(cssme
.error
== CSSMERR_CSP_INVALID_ACL_SUBJECT_VALUE
) {
625 // something went horribly wrong with fetching acl.
627 secnotice("integrity", "INVALID ITEM (too many integrity acls)");
630 if(cssme
.error
== CSSMERR_CSP_VERIFY_FAILED
) {
631 secnotice("integrity", "MAC verification failed; something has gone very wrong");
632 return false; // No MAC, no integrity.
638 secnotice("integrity", "***** INVALID ITEM");
642 PrimaryKey
ItemImpl::addWithCopyInfo (Keychain
&keychain
, bool isCopy
)
644 StLock
<Mutex
>_(mMutex
);
645 // If we already have a Keychain we can't be added.
647 MacOSError::throwMe(errSecDuplicateItem
);
649 // If we don't have any attributes we can't be added.
650 // (this might occur if attempting to add the item twice, since our attributes
651 // and data are set to NULL at the end of this function.)
652 if (!mDbAttributes
.get())
653 MacOSError::throwMe(errSecDuplicateItem
);
655 CSSM_DB_RECORDTYPE recordType
= mDbAttributes
->recordType();
657 // update the creation and update dates on the new item
660 KeychainSchema schema
= keychain
->keychainSchema();
662 GetCurrentMacLongDateTime(date
);
663 if (schema
->hasAttribute(recordType
, kSecCreationDateItemAttr
))
665 setAttribute(schema
->attributeInfoFor(recordType
, kSecCreationDateItemAttr
), date
);
668 if (schema
->hasAttribute(recordType
, kSecModDateItemAttr
))
670 setAttribute(schema
->attributeInfoFor(recordType
, kSecModDateItemAttr
), date
);
674 // If the label (PrintName) attribute isn't specified, set a default label.
675 mDbAttributes
->canonicalize(); // make sure we'll find the label with the thing Schema::attributeInfo returns
676 if (!mDoNotEncrypt
&& !mDbAttributes
->find(Schema::attributeInfo(kSecLabelItemAttr
)))
678 // if doNotEncrypt was set all of the attributes are wrapped in the data blob. Don't calculate here.
679 CssmDbAttributeData
*label
= NULL
;
682 case CSSM_DL_DB_RECORD_GENERIC_PASSWORD
:
683 label
= mDbAttributes
->find(Schema::attributeInfo(kSecServiceItemAttr
));
686 case CSSM_DL_DB_RECORD_APPLESHARE_PASSWORD
:
687 case CSSM_DL_DB_RECORD_INTERNET_PASSWORD
:
688 label
= mDbAttributes
->find(Schema::attributeInfo(kSecServerItemAttr
));
689 // if AppleShare server name wasn't specified, try the server address
690 if (!label
) label
= mDbAttributes
->find(Schema::attributeInfo(kSecAddressItemAttr
));
696 // if all else fails, use the account name.
698 label
= mDbAttributes
->find(Schema::attributeInfo(kSecAccountItemAttr
));
700 if (label
&& label
->size())
701 setAttribute (Schema::attributeInfo(kSecLabelItemAttr
), label
->at
<CssmData
>(0));
704 // get the attributes that are part of the primary key
705 const CssmAutoDbRecordAttributeInfo
&primaryKeyInfos
=
706 keychain
->primaryKeyInfosFor(recordType
);
708 // make sure each primary key element has a value in the item, otherwise
709 // the database will complain. we make a set of the provided attribute infos
710 // to avoid O(N^2) behavior.
712 DbAttributes
*attributes
= mDbAttributes
.get();
713 typedef set
<CssmDbAttributeInfo
> InfoSet
;
718 // make a set of all the attributes in the key
719 for (uint32 i
= 0; i
< attributes
->size(); i
++)
720 infoSet
.insert(attributes
->at(i
).Info
);
722 for (uint32 i
= 0; i
< primaryKeyInfos
.size(); i
++) { // check to make sure all required attributes are in the key
723 InfoSet::const_iterator it
= infoSet
.find(primaryKeyInfos
.at(i
));
725 if (it
== infoSet
.end()) { // not in the key? add the default
726 // we need to add a default value to the item attributes
727 attributes
->add(primaryKeyInfos
.at(i
), defaultAttributeValue(primaryKeyInfos
.at(i
)));
733 mKeychain
= keychain
;
734 StLock
<Mutex
>_(*(mKeychain
->getKeychainMutex())); // must hold this mutex before calling db->insert
736 Db
db(keychain
->database());
739 mUniqueId
= db
->insertWithoutEncryption (recordType
, NULL
, mData
.get());
741 else if (useSecureStorage(db
))
743 updateSSGroup(db
, recordType
, mData
.get(), keychain
, mAccess
);
744 mAccess
= NULL
; // use them and lose them - TODO: should this only be unset if there's no error in saveToNewSSGroup? Unclear.
748 // add the item to the (regular) db
749 mUniqueId
= db
->insert(recordType
, mDbAttributes
.get(), mData
.get());
752 mPrimaryKey
= keychain
->makePrimaryKey(recordType
, mUniqueId
);
758 // Forget our data and attributes.
760 mDbAttributes
.reset(NULL
);
768 ItemImpl::add (Keychain
&keychain
)
770 return addWithCopyInfo (keychain
, false);
776 ItemImpl::copyTo(const Keychain
&keychain
, Access
*newAccess
)
778 // We'll be removing any Partition or Integrity ACLs from this item during
779 // the copy. Note that creating a new item from this one fetches the data,
780 // so this process must now be on the ACL/partition ID list for this item,
781 // and an attacker without access can't cause this removal.
783 // The integrity and partition ID acls will get re-added once the item lands
784 // in the new keychain, if it supports them. If it doesn't, removing the
785 // integrity acl as it leaves will prevent any issues if the item is
786 // modified in the unsupported keychain and then re-copied back into an
787 // integrity keychain.
789 StLock
<Mutex
>_(mMutex
);
792 newAccess
->removeAclsForRight(CSSM_ACL_AUTHORIZATION_PARTITION_ID
);
793 newAccess
->removeAclsForRight(CSSM_ACL_AUTHORIZATION_INTEGRITY
);
794 item
->setAccess(newAccess
);
796 /* Attempt to copy the access from the current item to the newly created one. */
797 SSGroup myGroup
= group();
800 SecPointer
<Access
> access
= new Access(*myGroup
);
801 access
->removeAclsForRight(CSSM_ACL_AUTHORIZATION_PARTITION_ID
);
802 access
->removeAclsForRight(CSSM_ACL_AUTHORIZATION_INTEGRITY
);
803 item
->setAccess(access
);
807 keychain
->addCopy(item
);
814 StLock
<Mutex
>_(mMutex
);
816 MacOSError::throwMe(errSecNoSuchKeychain
);
818 // Don't update if nothing changed.
822 // Hold this before modifying the db below
823 StLock
<Mutex
>__(*(mKeychain
->getKeychainMutex()));
825 CSSM_DB_RECORDTYPE aRecordType
= recordType();
826 KeychainSchema schema
= mKeychain
->keychainSchema();
828 // Update the modification date on the item if there is a mod date attribute.
829 if (schema
->hasAttribute(aRecordType
, kSecModDateItemAttr
))
832 GetCurrentMacLongDateTime(date
);
833 setAttribute(schema
->attributeInfoFor(aRecordType
, kSecModDateItemAttr
), date
);
836 Db
db(dbUniqueRecord()->database());
839 CSSM_DB_RECORD_ATTRIBUTE_DATA attrData
;
840 memset (&attrData
, 0, sizeof (attrData
));
841 attrData
.DataRecordType
= aRecordType
;
843 dbUniqueRecord()->modifyWithoutEncryption(aRecordType
,
846 CSSM_DB_MODIFY_ATTRIBUTE_REPLACE
);
848 else if (useSecureStorage(db
))
850 // Pass mData to updateSSGroup. If we have any data to change (and it's
851 // therefore non-null), it'll save to a new SSGroup; otherwise, it will
852 // update the old ssgroup. This prevents a RAA on attribute update, while
853 // still protecting new data from being decrypted by old SSGroups with
854 // outdated attributes.
855 updateSSGroup(db
, recordType(), mData
.get());
859 dbUniqueRecord()->modify(aRecordType
,
862 CSSM_DB_MODIFY_ATTRIBUTE_REPLACE
);
867 PrimaryKey oldPK
= mPrimaryKey
;
868 mPrimaryKey
= mKeychain
->makePrimaryKey(aRecordType
, mUniqueId
);
870 // Forget our data and attributes.
872 mDbAttributes
.reset(NULL
);
874 // Let the Keychain update what it needs to.
875 mKeychain
->didUpdate(this, oldPK
, mPrimaryKey
);
880 ItemImpl::updateSSGroup(Db
& db
, CSSM_DB_RECORDTYPE recordType
, CssmDataContainer
* newdata
, Keychain keychain
, SecPointer
<Access
> access
)
882 // hhs replaced with the new aclFactory class
883 AclFactory aclFactory
;
884 const AccessCredentials
*nullCred
= aclFactory
.nullCred();
886 bool haveOldUniqueId
= !!mUniqueId
.get();
887 SSDbUniqueRecord
ssUniqueId(NULL
);
888 SSGroup
ssGroup(NULL
);
889 if(haveOldUniqueId
) {
890 ssUniqueId
= SSDbUniqueRecord(dynamic_cast<SSDbUniqueRecordImpl
*>(&(*mUniqueId
)));
891 if (ssUniqueId
.get() == NULL
) {
892 CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER
);
894 ssGroup
= ssUniqueId
->group();
897 // If we have new data OR no old unique id, save to a new group
898 bool saveToNewSSGroup
= (!!newdata
) || (!haveOldUniqueId
);
900 // If there aren't any attributes, make up some blank ones.
901 if (!mDbAttributes
.get())
903 secinfo("integrity", "making new dbattributes");
904 mDbAttributes
.reset(new DbAttributes());
905 mDbAttributes
->recordType(mPrimaryKey
->recordType());
908 // Add the item to the secure storage db
909 SSDbImpl
* impl
= dynamic_cast<SSDbImpl
*>(&(*db
));
912 CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER
);
917 TrackingAllocator
allocator(Allocator::standard());
919 if ((!access
) && (haveOldUniqueId
)) {
920 // Copy the ACL from the old group.
921 secinfo("integrity", "copying old ACL");
922 access
= new Access(*(ssGroup
));
924 // We can't copy these over to the new item; they're going to be reset.
925 // Remove them before securityd complains.
926 access
->removeAclsForRight(CSSM_ACL_AUTHORIZATION_PARTITION_ID
);
927 access
->removeAclsForRight(CSSM_ACL_AUTHORIZATION_INTEGRITY
);
928 } else if (!access
) {
929 secinfo("integrity", "setting up new ACL");
930 // create default access controls for the new item
931 CssmDbAttributeData
*data
= mDbAttributes
->find(Schema::attributeInfo(kSecLabelItemAttr
));
932 string printName
= data
? CssmData::overlay(data
->Value
[0]).toString() : "keychain item";
933 access
= new Access(printName
);
935 secinfo("integrity", "passed an Access, use it");
936 // Access is non-null. Do nothing.
939 // If we have an old group and an old mUniqueId, then we're in the middle of an update.
940 // mDbAttributes contains the newest attributes, but not the old ones. Find
941 // them, merge them, and shove them all back into mDbAttributes. This lets
942 // us re-apply them all to the new item.
943 if(haveOldUniqueId
) {
944 mDbAttributes
.reset(getCurrentAttributes());
947 // Create a CSPDL transaction. Note that this does things when it goes out of scope.
948 CSPDLTransaction
transaction(db
);
951 ResourceControlContext prototype
;
952 maker
.initialOwner(prototype
, nullCred
);
954 if(saveToNewSSGroup
) {
955 secinfo("integrity", "saving to a new SSGroup");
957 // If we're updating an item, it has an old group and possibly an
958 // old mUniqueId. Delete these from the database, so we can insert
960 if(haveOldUniqueId
) {
961 secinfo("integrity", "deleting old mUniqueId");
962 mUniqueId
->deleteRecord();
965 secinfo("integrity", "no old mUniqueId");
968 // Create a new SSGroup with temporary access controls
969 SSGroup
newSSGroup(ssDb
, &prototype
);
970 const AccessCredentials
* cred
= maker
.cred();
973 doChange(keychain
, recordType
, ^{
974 mUniqueId
= ssDb
->ssInsert(recordType
, mDbAttributes
.get(), newdata
, newSSGroup
, cred
);
977 // now finalize the access controls on the group
978 addIntegrity(*access
);
979 access
->setAccess(*newSSGroup
, maker
);
981 // We have to reset this after we add the integrity, since it needs the attributes
982 mDbAttributes
.reset(NULL
);
984 transaction
.commit();
986 catch (CssmError cssme
) {
987 const char* errStr
= cssmErrorString(cssme
.error
);
988 secnotice("integrity", "caught CssmError during add: %d %s", (int) cssme
.error
, errStr
);
990 // Delete the new SSGroup that we just created
991 deleteSSGroup(newSSGroup
, nullCred
);
994 catch (MacOSError mose
) {
995 secnotice("integrity", "caught MacOSError during add: %d", (int) mose
.osStatus());
997 deleteSSGroup(newSSGroup
, nullCred
);
1002 secnotice("integrity", "caught unknown exception during add");
1004 deleteSSGroup(newSSGroup
, nullCred
);
1008 // Modify the old SSGroup
1009 secinfo("integrity", "modifying the existing SSGroup");
1012 doChange(keychain
, recordType
, ^{
1014 const AccessCredentials
*autoPrompt
= globals().itemCredentials();
1015 ssUniqueId
->modify(recordType
,
1016 mDbAttributes
.get(),
1018 CSSM_DB_MODIFY_ATTRIBUTE_REPLACE
,
1022 // Update the integrity on the SSGroup
1023 setIntegrity(*ssGroup
);
1025 // We have to reset this after we add the integrity, since it needs the attributes
1026 mDbAttributes
.reset(NULL
);
1028 transaction
.commit();
1030 catch (CssmError cssme
) {
1031 const char* errStr
= cssmErrorString(cssme
.error
);
1032 secnotice("integrity", "caught CssmError during modify: %d %s", (int) cssme
.error
, errStr
);
1035 catch (MacOSError mose
) {
1036 secnotice("integrity", "caught MacOSError during modify: %d", (int) mose
.osStatus());
1041 secnotice("integrity", "caught unknown exception during modify");
1048 // Helper function to delete a group and swallow all errors
1049 void ItemImpl::deleteSSGroup(SSGroup
& ssgroup
, const AccessCredentials
* nullCred
) {
1051 ssgroup
->deleteKey(nullCred
);
1052 } catch(CssmError error
) {
1053 secnotice("integrity", "caught cssm error during deletion of group: %d %s", (int) error
.osStatus(), error
.what());
1054 } catch(MacOSError error
) {
1055 secnotice("integrity", "caught macos error during deletion of group: %d %s", (int) error
.osStatus(), error
.what());
1056 } catch(UnixError error
) {
1057 secnotice("integrity", "caught unix error during deletion of group: %d %s", (int) error
.osStatus(), error
.what());
1062 ItemImpl::doChange(Keychain keychain
, CSSM_DB_RECORDTYPE recordType
, void (^tryChange
) ())
1064 // Insert the record using the newly created group.
1067 } catch (CssmError cssme
) {
1068 // If there's a "duplicate" of this item, it might be an item with corrupt/invalid attributes
1069 // Try to extract the item and check its attributes, then try again if necessary
1070 auto_ptr
<CssmClient::DbAttributes
> primaryKeyAttrs
;
1071 if(cssme
.error
== CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA
) {
1072 secnotice("integrity", "possible duplicate, trying to delete invalid items");
1074 Keychain kc
= (keychain
? keychain
: mKeychain
);
1076 secnotice("integrity", "no valid keychain");
1079 // Only check for corrupt items if the keychain supports them
1080 if((!kc
) || !kc
->hasIntegrityProtection()) {
1081 secinfo("integrity", "skipping integrity check for corrupt items due to keychain support");
1084 primaryKeyAttrs
.reset(getCurrentAttributes());
1085 PrimaryKey pk
= kc
->makePrimaryKey(recordType
, primaryKeyAttrs
.get());
1087 bool tryAgain
= false;
1089 // Because things are lazy, maybe our keychain has a version
1090 // of this item with different attributes. Ask it!
1091 ItemImpl
* maybeItem
= kc
->_lookupItem(pk
);
1093 if(!maybeItem
->checkIntegrity()) {
1094 Item
item(maybeItem
);
1095 kc
->deleteItem(item
);
1099 // Our keychain doesn't know about any item with this primary key, so maybe
1100 // we have a corrupt item in the database. Let's check.
1102 secinfo("integrity", "making a cursor from primary key");
1103 CssmClient::DbCursor cursor
= pk
->createCursor(kc
);
1104 DbUniqueRecord uniqueId
;
1106 StLock
<Mutex
> _mutexLocker(*kc
->getKeychainMutex());
1108 // The item on-disk might have more or different attributes than we do, since we're
1109 // only searching via primary key. Fetch all of its attributes.
1110 auto_ptr
<DbAttributes
>dbDupAttributes (new DbAttributes(kc
->database(), 1));
1111 fillDbAttributesFromSchema(*dbDupAttributes
, recordType
, kc
);
1113 // Occasionally this cursor won't return the item attributes (for an unknown reason).
1114 // However, we know the attributes any item with this primary key should have, so use those instead.
1115 while (cursor
->next(dbDupAttributes
.get(), NULL
, uniqueId
)) {
1116 secinfo("integrity", "got an item...");
1118 SSGroup group
= safer_cast
<SSDbUniqueRecordImpl
&>(*uniqueId
).group();
1119 if(!ItemImpl::checkIntegrityFromDictionary(*group
, dbDupAttributes
.get())) {
1120 secnotice("integrity", "item is invalid! deleting...");
1121 uniqueId
->deleteRecord();
1128 secnotice("integrity", "trying again...");
1131 // We didn't find an invalid item, the duplicate item exception is real
1132 secnotice("integrity", "duplicate item exception is real; throwing it on");
1143 ItemImpl::getClass(SecKeychainAttribute
&attr
, UInt32
*actualLength
)
1145 StLock
<Mutex
>_(mMutex
);
1147 *actualLength
= sizeof(SecItemClass
);
1149 if (attr
.length
< sizeof(SecItemClass
))
1150 MacOSError::throwMe(errSecBufferTooSmall
);
1152 SecItemClass aClass
= Schema::itemClassFor(recordType());
1153 memcpy(attr
.data
, &aClass
, sizeof(SecItemClass
));
1157 ItemImpl::setAttribute(SecKeychainAttribute
& attr
)
1159 StLock
<Mutex
>_(mMutex
);
1160 setAttribute(Schema::attributeInfo(attr
.tag
), CssmData(attr
.data
, attr
.length
));
1164 ItemImpl::recordType()
1166 StLock
<Mutex
>_(mMutex
);
1167 if (mDbAttributes
.get())
1168 return mDbAttributes
->recordType();
1170 return mPrimaryKey
->recordType();
1173 const DbAttributes
*
1174 ItemImpl::modifiedAttributes()
1176 StLock
<Mutex
>_(mMutex
);
1177 return mDbAttributes
.get();
1181 ItemImpl::modifiedData()
1183 StLock
<Mutex
>_(mMutex
);
1188 ItemImpl::setData(UInt32 length
,const void *data
)
1190 StLock
<Mutex
>_(mMutex
);
1191 mData
= new CssmDataContainer(data
, length
);
1195 ItemImpl::setAccess(Access
*newAccess
)
1197 StLock
<Mutex
>_(mMutex
);
1198 mAccess
= newAccess
;
1201 CssmClient::DbUniqueRecord
1202 ItemImpl::dbUniqueRecord()
1204 StLock
<Mutex
>_(mMutex
);
1205 if (!isPersistent()) // is there no database attached?
1207 MacOSError::throwMe(errSecNotAvailable
);
1212 DbCursor
cursor(mPrimaryKey
->createCursor(mKeychain
));
1213 if (!cursor
->next(NULL
, NULL
, mUniqueId
))
1214 MacOSError::throwMe(errSecInvalidItemRef
);
1217 // Check that our Db still matches our keychain's db. If not, find this item again in the new Db.
1218 // Why silly !(x == y) construction? Compiler calls operator bool() on each pointer otherwise.
1219 if(!(mUniqueId
->database() == keychain()->database())) {
1220 secinfo("integrity", "updating db of mUniqueRecord");
1222 DbCursor
cursor(mPrimaryKey
->createCursor(mKeychain
));
1223 if (!cursor
->next(NULL
, NULL
, mUniqueId
))
1224 MacOSError::throwMe(errSecInvalidItemRef
);
1231 ItemImpl::primaryKey()
1237 ItemImpl::isPersistent()
1243 ItemImpl::isModified()
1245 StLock
<Mutex
>_(mMutex
);
1246 return mData
.get() || mDbAttributes
.get();
1250 ItemImpl::keychain()
1256 ItemImpl::operator < (const ItemImpl
&other
)
1258 if (mData
&& *mData
)
1261 return this < &other
;
1264 return mPrimaryKey
< other
.mPrimaryKey
;
1268 ItemImpl::setAttribute(const CssmDbAttributeInfo
&info
, const CssmPolyData
&data
)
1270 StLock
<Mutex
>_(mMutex
);
1271 if (!mDbAttributes
.get())
1273 mDbAttributes
.reset(new DbAttributes());
1274 mDbAttributes
->recordType(mPrimaryKey
->recordType());
1277 size_t length
= data
.Length
;
1278 const void *buf
= reinterpret_cast<const void *>(data
.Data
);
1279 uint8 timeString
[16];
1281 // XXX This code is duplicated in KCCursorImpl::KCCursorImpl()
1282 // Convert a 4 or 8 byte TIME_DATE to a CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE
1283 // style attribute value.
1284 if (info
.format() == CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE
)
1286 if (length
== sizeof(UInt32
))
1288 MacSecondsToTimeString(*reinterpret_cast<const UInt32
*>(buf
), 16, &timeString
);
1292 else if (length
== sizeof(SInt64
))
1294 MacLongDateTimeToTimeString(*reinterpret_cast<const SInt64
*>(buf
), 16, &timeString
);
1300 mDbAttributes
->add(info
, CssmData(const_cast<void*>(buf
), length
));
1304 ItemImpl::modifyContent(const SecKeychainAttributeList
*attrList
, UInt32 dataLength
, const void *inData
)
1306 StLock
<Mutex
>_(mMutex
);
1307 StMaybeLock
<Mutex
>__ (mKeychain
== NULL
? NULL
: mKeychain
->getKeychainMutex());
1309 if (!mDbAttributes
.get())
1311 mDbAttributes
.reset(new DbAttributes());
1312 mDbAttributes
->recordType(mPrimaryKey
->recordType());
1315 if(attrList
) // optional
1317 for(UInt32 ix
=0; ix
< attrList
->count
; ix
++)
1319 SecKeychainAttrType attrTag
= attrList
->attr
[ix
].tag
;
1321 if (attrTag
== APPLEDB_CSSM_PRINTNAME_ATTRIBUTE
)
1323 // must remap a caller-supplied kSecKeyPrintName attribute tag for key items, since it isn't in the schema
1324 // (note that this will ultimately match kGenericPrintName in Schema.cpp)
1325 attrTag
= kSecLabelItemAttr
;
1328 mDbAttributes
->add(Schema::attributeInfo(attrTag
), CssmData(attrList
->attr
[ix
].data
, attrList
->attr
[ix
].length
));
1334 mData
= new CssmDataContainer(inData
, dataLength
);
1341 ItemImpl::getContent(SecItemClass
*itemClass
, SecKeychainAttributeList
*attrList
, UInt32
*length
, void **outData
)
1343 StLock
<Mutex
>_(mMutex
);
1344 // If the data hasn't been set we can't return it.
1345 if (!mKeychain
&& outData
)
1347 CssmData
*data
= mData
.get();
1349 MacOSError::throwMe(errSecDataNotAvailable
);
1351 // TODO: need to check and make sure attrs are valid and handle error condition
1355 *itemClass
= Schema::itemClassFor(recordType());
1357 bool getDataFromDatabase
= mKeychain
&& mPrimaryKey
;
1358 if (getDataFromDatabase
) // are we attached to a database?
1362 // get the number of attributes requested by the caller
1363 UInt32 attrCount
= attrList
? attrList
->count
: 0;
1365 // make a DBAttributes structure and populate it
1366 DbAttributes
dbAttributes(dbUniqueRecord()->database(), attrCount
);
1367 for (UInt32 ix
= 0; ix
< attrCount
; ++ix
)
1369 dbAttributes
.add(Schema::attributeInfo(attrList
->attr
[ix
].tag
));
1372 // request the data from the database (since we are a reference "item" and the data is really stored there)
1373 CssmDataContainer itemData
;
1374 getContent(&dbAttributes
, outData
? &itemData
: NULL
);
1376 // retrieve the data from result
1377 for (UInt32 ix
= 0; ix
< attrCount
; ++ix
)
1379 if (dbAttributes
.at(ix
).NumberOfValues
> 0)
1381 attrList
->attr
[ix
].data
= dbAttributes
.at(ix
).Value
[0].Data
;
1382 attrList
->attr
[ix
].length
= (UInt32
)dbAttributes
.at(ix
).Value
[0].Length
;
1384 // We don't want the data released, it is up the client
1385 dbAttributes
.at(ix
).Value
[0].Data
= NULL
;
1386 dbAttributes
.at(ix
).Value
[0].Length
= 0;
1390 attrList
->attr
[ix
].data
= NULL
;
1391 attrList
->attr
[ix
].length
= 0;
1398 *outData
=itemData
.data();
1399 itemData
.Data
= NULL
;
1402 *length
=(UInt32
)itemData
.length();
1403 itemData
.Length
= 0;
1408 getLocalContent(attrList
, length
, outData
);
1411 // Inform anyone interested that we are doing this
1412 #if SENDACCESSNOTIFICATIONS
1415 secinfo("kcnotify", "ItemImpl::getContent(%p, %p, %p, %p) retrieved content",
1416 itemClass
, attrList
, length
, outData
);
1418 KCEventNotifier::PostKeychainEvent(kSecDataAccessEvent
, mKeychain
, this);
1424 ItemImpl::freeContent(SecKeychainAttributeList
*attrList
, void *data
)
1426 Allocator
&allocator
= Allocator::standard(); // @@@ This might not match the one used originally
1428 allocator
.free(data
);
1430 UInt32 attrCount
= attrList
? attrList
->count
: 0;
1431 for (UInt32 ix
= 0; ix
< attrCount
; ++ix
)
1433 allocator
.free(attrList
->attr
[ix
].data
);
1434 attrList
->attr
[ix
].data
= NULL
;
1439 ItemImpl::modifyAttributesAndData(const SecKeychainAttributeList
*attrList
, UInt32 dataLength
, const void *inData
)
1441 StLock
<Mutex
>_(mMutex
);
1443 MacOSError::throwMe(errSecNoSuchKeychain
);
1447 if (!mDbAttributes
.get())
1449 mDbAttributes
.reset(new DbAttributes());
1450 mDbAttributes
->recordType(mPrimaryKey
->recordType());
1453 CSSM_DB_RECORDTYPE recordType
= mDbAttributes
->recordType();
1454 UInt32 attrCount
= attrList
? attrList
->count
: 0;
1455 for (UInt32 ix
= 0; ix
< attrCount
; ix
++)
1457 SecKeychainAttrType attrTag
= attrList
->attr
[ix
].tag
;
1459 if (attrTag
== kSecLabelItemAttr
)
1461 // must remap a caller-supplied label attribute tag for password items, since it isn't in the schema
1462 // (note that this will ultimately match kGenericPrintName in Schema.cpp)
1463 if (IS_PASSWORD_ITEM_CLASS( Schema::itemClassFor(recordType
) ))
1464 attrTag
= APPLEDB_GENERIC_PRINTNAME_ATTRIBUTE
;
1467 CssmDbAttributeInfo info
=mKeychain
->attributeInfoFor(recordType
, attrTag
);
1469 if (attrList
->attr
[ix
].length
|| info
.AttributeFormat
==CSSM_DB_ATTRIBUTE_FORMAT_STRING
|| info
.AttributeFormat
==CSSM_DB_ATTRIBUTE_FORMAT_BLOB
1470 || info
.AttributeFormat
==CSSM_DB_ATTRIBUTE_FORMAT_STRING
|| info
.AttributeFormat
==CSSM_DB_ATTRIBUTE_FORMAT_BIG_NUM
1471 || info
.AttributeFormat
==CSSM_DB_ATTRIBUTE_FORMAT_MULTI_UINT32
)
1472 mDbAttributes
->add(info
, CssmData(attrList
->attr
[ix
].data
, attrList
->attr
[ix
].length
));
1474 mDbAttributes
->add(info
);
1480 mData
= new CssmDataContainer(inData
, dataLength
);
1487 ItemImpl::getAttributesAndData(SecKeychainAttributeInfo
*info
, SecItemClass
*itemClass
,
1488 SecKeychainAttributeList
**attrList
, UInt32
*length
, void **outData
)
1490 StLock
<Mutex
>_(mMutex
);
1491 // If the data hasn't been set we can't return it.
1492 if (!mKeychain
&& outData
)
1494 CssmData
*data
= mData
.get();
1496 MacOSError::throwMe(errSecDataNotAvailable
);
1498 // TODO: need to check and make sure attrs are valid and handle error condition
1500 SecItemClass myItemClass
= Schema::itemClassFor(recordType());
1502 *itemClass
= myItemClass
;
1504 // @@@ This call won't work for floating items (like certificates).
1507 UInt32 attrCount
= info
? info
->count
: 0;
1508 DbAttributes
dbAttributes(dbUniqueRecord()->database(), attrCount
);
1509 for (UInt32 ix
= 0; ix
< attrCount
; ix
++)
1511 CssmDbAttributeData
&record
= dbAttributes
.add();
1512 record
.Info
.AttributeNameFormat
=CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER
;
1513 record
.Info
.Label
.AttributeID
=info
->tag
[ix
];
1515 if (record
.Info
.Label
.AttributeID
== kSecLabelItemAttr
)
1517 // must remap a caller-supplied label attribute tag for password items, since it isn't in the schema
1518 if (IS_PASSWORD_ITEM_CLASS( myItemClass
))
1519 record
.Info
.Label
.AttributeID
= APPLEDB_GENERIC_PRINTNAME_ATTRIBUTE
;
1523 CssmDataContainer itemData
;
1524 getContent(&dbAttributes
, outData
? &itemData
: NULL
);
1526 if (info
&& attrList
)
1528 SecKeychainAttributeList
*theList
=reinterpret_cast<SecKeychainAttributeList
*>(malloc(sizeof(SecKeychainAttributeList
)));
1530 if(attrCount
== 0) {
1532 theList
->attr
= NULL
;
1534 SecKeychainAttribute
*attr
=reinterpret_cast<SecKeychainAttribute
*>(malloc(sizeof(SecKeychainAttribute
)*attrCount
));
1535 theList
->count
=attrCount
;
1538 for (UInt32 ix
= 0; ix
< attrCount
; ++ix
)
1540 attr
[ix
].tag
=info
->tag
[ix
];
1542 if (dbAttributes
.at(ix
).NumberOfValues
> 0)
1544 attr
[ix
].data
= dbAttributes
.at(ix
).Value
[0].Data
;
1545 attr
[ix
].length
= (UInt32
)dbAttributes
.at(ix
).Value
[0].Length
;
1547 // We don't want the data released, it is up the client
1548 dbAttributes
.at(ix
).Value
[0].Data
= NULL
;
1549 dbAttributes
.at(ix
).Value
[0].Length
= 0;
1553 attr
[ix
].data
= NULL
;
1554 attr
[ix
].length
= 0;
1563 *outData
=itemData
.data();
1566 if (length
) *length
=(UInt32
)itemData
.length();
1569 #if SENDACCESSNOTIFICATIONS
1570 secinfo("kcnotify", "ItemImpl::getAttributesAndData(%p, %p, %p, %p, %p) retrieved data",
1571 info
, itemClass
, attrList
, length
, outData
);
1573 KCEventNotifier::PostKeychainEvent(kSecDataAccessEvent
, mKeychain
, this);
1580 ItemImpl::freeAttributesAndData(SecKeychainAttributeList
*attrList
, void *data
)
1582 Allocator
&allocator
= Allocator::standard(); // @@@ This might not match the one used originally
1585 allocator
.free(data
);
1589 for (UInt32 ix
= 0; ix
< attrList
->count
; ++ix
)
1591 allocator
.free(attrList
->attr
[ix
].data
);
1593 free(attrList
->attr
);
1599 ItemImpl::getAttribute(SecKeychainAttribute
& attr
, UInt32
*actualLength
)
1601 StLock
<Mutex
>_(mMutex
);
1602 if (attr
.tag
== kSecClassItemAttr
)
1603 return getClass(attr
, actualLength
);
1605 if (mDbAttributes
.get())
1607 CssmDbAttributeData
*data
= mDbAttributes
->find(Schema::attributeInfo(attr
.tag
));
1610 getAttributeFrom(data
, attr
, actualLength
);
1616 MacOSError::throwMe(errSecNoSuchAttr
);
1618 DbAttributes
dbAttributes(dbUniqueRecord()->database(), 1);
1619 dbAttributes
.add(Schema::attributeInfo(attr
.tag
));
1620 dbUniqueRecord()->get(&dbAttributes
, NULL
);
1621 getAttributeFrom(&dbAttributes
.at(0), attr
, actualLength
);
1625 ItemImpl::getAttributeFrom(CssmDbAttributeData
*data
, SecKeychainAttribute
&attr
, UInt32
*actualLength
)
1627 StLock
<Mutex
>_(mMutex
);
1628 static const uint32 zero
= 0;
1630 const void *buf
= NULL
;
1632 // Temporary storage for buf.
1642 else if (data
->size() < 1) // Attribute has no values.
1644 if (data
->format() == CSSM_DB_ATTRIBUTE_FORMAT_SINT32
1645 || data
->format() == CSSM_DB_ATTRIBUTE_FORMAT_UINT32
)
1647 length
= sizeof(zero
);
1650 else if (data
->format() == CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE
)
1651 length
= 0; // Should we throw here?
1652 else // All other formats
1655 else // Get the first value
1657 length
= (UInt32
)data
->Value
[0].Length
;
1658 buf
= data
->Value
[0].Data
;
1660 if (data
->format() == CSSM_DB_ATTRIBUTE_FORMAT_SINT32
)
1662 if (attr
.length
== sizeof(sint8
))
1664 length
= attr
.length
;
1665 svalue8
= sint8(*reinterpret_cast<const sint32
*>(buf
));
1668 else if (attr
.length
== sizeof(sint16
))
1670 length
= attr
.length
;
1671 svalue16
= sint16(*reinterpret_cast<const sint32
*>(buf
));
1675 else if (data
->format() == CSSM_DB_ATTRIBUTE_FORMAT_UINT32
)
1677 if (attr
.length
== sizeof(uint8
))
1679 length
= attr
.length
;
1680 uvalue8
= uint8(*reinterpret_cast<const uint32
*>(buf
));
1683 else if (attr
.length
== sizeof(uint16
))
1685 length
= attr
.length
;
1686 uvalue16
= uint16(*reinterpret_cast<const uint32
*>(buf
));
1690 else if (data
->format() == CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE
)
1692 if (attr
.length
== sizeof(uint32
))
1694 TimeStringToMacSeconds(data
->Value
[0], macSeconds
);
1696 length
= attr
.length
;
1698 else if (attr
.length
== sizeof(sint64
))
1700 TimeStringToMacLongDateTime(data
->Value
[0], macLDT
);
1702 length
= attr
.length
;
1708 *actualLength
= length
;
1712 if (attr
.length
< length
)
1713 MacOSError::throwMe(errSecBufferTooSmall
);
1715 memcpy(attr
.data
, buf
, length
);
1720 ItemImpl::getData(CssmDataContainer
& outData
)
1722 StLock
<Mutex
>_(mMutex
);
1725 CssmData
*data
= mData
.get();
1726 // If the data hasn't been set we can't return it.
1728 MacOSError::throwMe(errSecDataNotAvailable
);
1734 getContent(NULL
, &outData
);
1736 #if SENDACCESSNOTIFICATIONS
1737 secinfo("kcnotify", "ItemImpl::getData retrieved data");
1739 //%%%<might> be done elsewhere, but here is good for now
1740 KCEventNotifier::PostKeychainEvent(kSecDataAccessEvent
, mKeychain
, this);
1747 StLock
<Mutex
>_(mMutex
);
1751 Db
db(mKeychain
->database());
1752 if (useSecureStorage(db
))
1754 group
= safer_cast
<SSDbUniqueRecordImpl
&>(*dbUniqueRecord()).group();
1761 void ItemImpl::getLocalContent(SecKeychainAttributeList
*attributeList
, UInt32
*outLength
, void **outData
)
1763 StLock
<Mutex
>_(mMutex
);
1765 Allocator
&allocator
= Allocator::standard(); // @@@ This might not match the one used originally
1768 CssmData
*data
= mData
.get();
1770 MacOSError::throwMe(errSecDataNotAvailable
);
1772 // Copy the data out of our internal cached copy.
1773 UInt32 length
= (UInt32
)data
->Length
;
1774 *outData
= allocator
.malloc(length
);
1775 memcpy(*outData
, data
->Data
, length
);
1777 *outLength
= length
;
1782 if (!mDbAttributes
.get())
1783 MacOSError::throwMe(errSecDataNotAvailable
);
1785 // Pull attributes out of a "floating" item, i.e. one that isn't attached to a database
1786 for (UInt32 ix
= 0; ix
< attributeList
->count
; ++ix
)
1788 SecKeychainAttribute
&attribute
= attributeList
->attr
[ix
];
1789 CssmDbAttributeData
*data
= mDbAttributes
->find(Schema::attributeInfo(attribute
.tag
));
1790 if (data
&& data
->NumberOfValues
> 0)
1792 // Copy the data out of our internal cached copy.
1793 UInt32 length
= (UInt32
)data
->Value
[0].Length
;
1794 attribute
.data
= allocator
.malloc(length
);
1795 memcpy(attribute
.data
, data
->Value
[0].Data
, length
);
1796 attribute
.length
= length
;
1800 attribute
.length
= 0;
1801 attribute
.data
= NULL
;
1808 ItemImpl::getContent(DbAttributes
*dbAttributes
, CssmDataContainer
*itemData
)
1810 StLock
<Mutex
>_(mMutex
);
1813 Db
db(dbUniqueRecord()->database());
1816 dbUniqueRecord()->getWithoutEncryption (dbAttributes
, itemData
);
1819 if (useSecureStorage(db
))
1822 if(!checkIntegrity()) {
1823 secnotice("integrity", "item has no integrity, denying access");
1824 CssmError::throwMe(errSecInvalidItemRef
);
1826 } catch(CssmError cssme
) {
1827 secnotice("integrity", "error while checking integrity, denying access: %s", cssme
.what());
1831 SSDbUniqueRecordImpl
* impl
= dynamic_cast<SSDbUniqueRecordImpl
*>(&(*dbUniqueRecord()));
1834 CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER
);
1837 SSDbUniqueRecord
ssUniqueId(impl
);
1838 const AccessCredentials
*autoPrompt
= globals().itemCredentials();
1839 ssUniqueId
->get(dbAttributes
, itemData
, autoPrompt
);
1844 dbUniqueRecord()->get(dbAttributes
, itemData
);
1848 ItemImpl::useSecureStorage(const Db
&db
)
1850 StLock
<Mutex
>_(mMutex
);
1851 switch (recordType())
1853 case CSSM_DL_DB_RECORD_GENERIC_PASSWORD
:
1854 case CSSM_DL_DB_RECORD_INTERNET_PASSWORD
:
1855 case CSSM_DL_DB_RECORD_APPLESHARE_PASSWORD
:
1856 if (db
->dl()->subserviceMask() & CSSM_SERVICE_CSP
)
1865 void ItemImpl::willRead()
1869 Item
ItemImpl::makeFromPersistentReference(const CFDataRef persistentRef
, bool *isIdentityRef
)
1871 CssmData
dictData((void*)::CFDataGetBytePtr(persistentRef
), ::CFDataGetLength(persistentRef
));
1872 NameValueDictionary
dict(dictData
);
1875 Item item
= (ItemImpl
*) NULL
;
1877 if (isIdentityRef
) {
1878 *isIdentityRef
= (dict
.FindByName(IDENTITY_KEY
) != 0) ? true : false;
1881 // make sure we have a database identifier
1882 if (dict
.FindByName(SSUID_KEY
) != 0)
1884 DLDbIdentifier dlDbIdentifier
= NameValueDictionary::MakeDLDbIdentifierFromNameValueDictionary(dict
);
1885 DLDbIdentifier
newDlDbIdentifier(dlDbIdentifier
.ssuid(),
1886 DLDbListCFPref::ExpandTildesInPath(dlDbIdentifier
.dbName()).c_str(),
1887 dlDbIdentifier
.dbLocation());
1889 keychain
= globals().storageManager
.keychain(newDlDbIdentifier
);
1891 const NameValuePair
* aDictItem
= dict
.FindByName(ITEM_KEY
);
1892 if (aDictItem
&& keychain
)
1894 PrimaryKey
primaryKey(aDictItem
->Value());
1895 item
= keychain
->item(primaryKey
);
1898 KCThrowIf_( !item
, errSecItemNotFound
);
1902 void ItemImpl::copyPersistentReference(CFDataRef
&outDataRef
, bool isSecIdentityRef
)
1904 if (secd_PersistentRef
) {
1905 outDataRef
= secd_PersistentRef
;
1908 StLock
<Mutex
>_(mMutex
);
1909 // item must be in a keychain and have a primary key to be persistent
1910 if (!mKeychain
|| !mPrimaryKey
) {
1911 MacOSError::throwMe(errSecItemNotFound
);
1913 DLDbIdentifier dlDbIdentifier
= mKeychain
->dlDbIdentifier();
1914 DLDbIdentifier
newDlDbIdentifier(dlDbIdentifier
.ssuid(),
1915 DLDbListCFPref::AbbreviatedPath(mKeychain
->name()).c_str(),
1916 dlDbIdentifier
.dbLocation());
1917 NameValueDictionary dict
;
1918 NameValueDictionary::MakeNameValueDictionaryFromDLDbIdentifier(newDlDbIdentifier
, dict
);
1920 CssmData
* pKey
= mPrimaryKey
;
1921 dict
.Insert (new NameValuePair(ITEM_KEY
, *pKey
));
1923 if (isSecIdentityRef
) {
1924 uint32_t value
= -1;
1925 CssmData
valueData((void*)&value
, sizeof(value
));
1926 dict
.Insert (new NameValuePair(IDENTITY_KEY
, valueData
));
1929 // flatten the NameValueDictionary
1931 dict
.Export(dictData
);
1932 outDataRef
= ::CFDataCreate(kCFAllocatorDefault
, dictData
.Data
, dictData
.Length
);
1933 free (dictData
.Data
);
1936 void ItemImpl::copyRecordIdentifier(CSSM_DATA
&data
)
1938 StLock
<Mutex
>_(mMutex
);
1939 CssmClient::DbUniqueRecord uniqueRecord
= dbUniqueRecord ();
1940 uniqueRecord
->getRecordIdentifier(data
);
1944 * Obtain blob used to bind a keychain item to an Extended Attribute record.
1945 * We just use the PrimaryKey blob as the default. Note that for standard Items,
1946 * this can cause the loss of extended attribute bindings if a Primary Key
1947 * attribute changes.
1949 const CssmData
&ItemImpl::itemID()
1951 StLock
<Mutex
>_(mMutex
);
1952 if(mPrimaryKey
->length() == 0) {
1953 /* not in a keychain; we don't have a primary key */
1954 MacOSError::throwMe(errSecNoSuchAttr
);
1956 return *mPrimaryKey
;
1959 bool ItemImpl::equal(SecCFObject
&other
)
1961 // First check to see if both items have a primary key and
1962 // if the primary key is the same. If so then these
1963 // items must be equal
1964 ItemImpl
& other_item
= (ItemImpl
&)other
;
1965 if (mPrimaryKey
!= NULL
&& mPrimaryKey
== other_item
.mPrimaryKey
)
1970 // The primary keys do not match so do a CFHash of the
1971 // data of the item and compare those for equality
1972 CFHashCode this_hash
= hash();
1973 CFHashCode other_hash
= other
.hash();
1974 return (this_hash
== other_hash
);
1977 CFHashCode
ItemImpl::hash()
1979 CFHashCode result
= SecCFObject::hash();
1981 StLock
<Mutex
>_(mMutex
);
1982 RefPointer
<CssmDataContainer
> data_to_hash
;
1984 // Use the item data for the hash
1985 if (mData
&& *mData
)
1987 data_to_hash
= mData
;
1990 // If there is no primary key AND not data ????
1991 // just return the 'old' hash value which is the
1993 if (NULL
!= data_to_hash
.get())
1995 CFDataRef temp_data
= NULL
;
1996 unsigned char digest
[CC_SHA256_DIGEST_LENGTH
];
1998 if (data_to_hash
->length() < 80)
2000 // If it is less than 80 bytes then CFData can be used
2001 temp_data
= CFDataCreateWithBytesNoCopy(kCFAllocatorDefault
,
2002 (const UInt8
*)data_to_hash
->data(), data_to_hash
->length(), kCFAllocatorNull
);
2005 // CFData truncates its hash value to 80 bytes. ????
2006 // In order to do the 'right thing' a SHA 256 hash will be used to
2007 // include all of the data
2010 memset(digest
, 0, CC_SHA256_DIGEST_LENGTH
);
2012 CC_SHA256((const void *)data_to_hash
->data(), (CC_LONG
)data_to_hash
->length(), digest
);
2014 temp_data
= CFDataCreateWithBytesNoCopy(kCFAllocatorDefault
,
2015 (const UInt8
*)digest
, CC_SHA256_DIGEST_LENGTH
, kCFAllocatorNull
);
2018 if (NULL
!= temp_data
)
2020 result
= CFHash(temp_data
);
2021 CFRelease(temp_data
);
2030 void ItemImpl::postItemEvent(SecKeychainEvent theEvent
)
2032 mKeychain
->postEvent(theEvent
, this);
2038 // Item -- This class is here to magically create the right subclass of ItemImpl
2039 // when constructing new items.
2045 Item::Item(ItemImpl
*impl
) : SecPointer
<ItemImpl
>(impl
)
2049 Item::Item(SecItemClass itemClass
, OSType itemCreator
, UInt32 length
, const void* data
, bool inhibitCheck
)
2053 if (itemClass
== CSSM_DL_DB_RECORD_X509_CERTIFICATE
2054 || itemClass
== CSSM_DL_DB_RECORD_PUBLIC_KEY
2055 || itemClass
== CSSM_DL_DB_RECORD_PRIVATE_KEY
2056 || itemClass
== CSSM_DL_DB_RECORD_SYMMETRIC_KEY
)
2057 MacOSError::throwMe(errSecNoSuchClass
); /* @@@ errSecInvalidClass */
2060 *this = new ItemImpl(itemClass
, itemCreator
, length
, data
, inhibitCheck
);
2063 Item::Item(SecItemClass itemClass
, SecKeychainAttributeList
*attrList
, UInt32 length
, const void* data
)
2065 *this = new ItemImpl(itemClass
, attrList
, length
, data
);
2068 Item::Item(const Keychain
&keychain
, const PrimaryKey
&primaryKey
, const CssmClient::DbUniqueRecord
&uniqueId
)
2069 : SecPointer
<ItemImpl
>(
2070 primaryKey
->recordType() == CSSM_DL_DB_RECORD_X509_CERTIFICATE
2071 ? Certificate::make(keychain
, primaryKey
, uniqueId
)
2072 : (primaryKey
->recordType() == CSSM_DL_DB_RECORD_PUBLIC_KEY
2073 || primaryKey
->recordType() == CSSM_DL_DB_RECORD_PRIVATE_KEY
2074 || primaryKey
->recordType() == CSSM_DL_DB_RECORD_SYMMETRIC_KEY
)
2075 ? KeyItem::make(keychain
, primaryKey
, uniqueId
)
2076 : primaryKey
->recordType() == CSSM_DL_DB_RECORD_EXTENDED_ATTRIBUTE
2077 ? ExtendedAttribute::make(keychain
, primaryKey
, uniqueId
)
2078 : ItemImpl::make(keychain
, primaryKey
, uniqueId
))
2082 Item::Item(const Keychain
&keychain
, const PrimaryKey
&primaryKey
)
2083 : SecPointer
<ItemImpl
>(
2084 primaryKey
->recordType() == CSSM_DL_DB_RECORD_X509_CERTIFICATE
2085 ? Certificate::make(keychain
, primaryKey
)
2086 : (primaryKey
->recordType() == CSSM_DL_DB_RECORD_PUBLIC_KEY
2087 || primaryKey
->recordType() == CSSM_DL_DB_RECORD_PRIVATE_KEY
2088 || primaryKey
->recordType() == CSSM_DL_DB_RECORD_SYMMETRIC_KEY
)
2089 ? KeyItem::make(keychain
, primaryKey
)
2090 : primaryKey
->recordType() == CSSM_DL_DB_RECORD_EXTENDED_ATTRIBUTE
2091 ? ExtendedAttribute::make(keychain
, primaryKey
)
2092 : ItemImpl::make(keychain
, primaryKey
))
2096 Item::Item(ItemImpl
&item
)
2097 : SecPointer
<ItemImpl
>(
2098 item
.recordType() == CSSM_DL_DB_RECORD_X509_CERTIFICATE
2099 ? new Certificate(safer_cast
<Certificate
&>(item
))
2100 : (item
.recordType() == CSSM_DL_DB_RECORD_PUBLIC_KEY
2101 || item
.recordType() == CSSM_DL_DB_RECORD_PRIVATE_KEY
2102 || item
.recordType() == CSSM_DL_DB_RECORD_SYMMETRIC_KEY
)
2103 ? new KeyItem(safer_cast
<KeyItem
&>(item
))
2104 : item
.recordType() == CSSM_DL_DB_RECORD_EXTENDED_ATTRIBUTE
2105 ? new ExtendedAttribute(safer_cast
<ExtendedAttribute
&>(item
))
2106 : new ItemImpl(item
))
2110 CFIndex
KeychainCore::GetItemRetainCount(Item
& item
)
2112 return CFGetRetainCount(item
->handle(false));
2115 void ItemImpl::setPersistentRef(CFDataRef ref
)
2117 if (secd_PersistentRef
) {
2118 CFRelease(secd_PersistentRef
);
2120 secd_PersistentRef
= ref
;
2124 CFDataRef
ItemImpl::getPersistentRef()
2126 return secd_PersistentRef
;
2131 bool ItemImpl::mayDelete()
2133 ObjectImpl
* uniqueIDImpl
= mUniqueId
.get();
2135 if (uniqueIDImpl
!= NULL
)
2137 bool result
= mUniqueId
->isIdle();