1 /*
2 * Copyright (c) 2007-2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 #ifndef _SECURITYD_CLIENT_H_
24 #define _SECURITYD_CLIENT_H_
25
26 #include <stdint.h>
27
28 #include <securityd/SecKeybagSupport.h>
29
30 #include <Security/SecTrust.h>
31 #include <Security/SecTask.h>
32 #ifndef MINIMIZE_INCLUDES
33 # include <Security/SecTrustStore.h>
34 #else
35 typedef struct __SecTrustStore *SecTrustStoreRef;
36 # ifndef _SECURITY_SECCERTIFICATE_H_
37 typedef struct __SecCertificate *SecCertificateRef;
38 # endif // _SECURITY_SECCERTIFICATE_H_
39 #endif // MINIMIZE_INCLUDES
40
41 #if TARGET_HAS_KEYSTORE
42 #include <libaks.h>
43 #endif
44
45 #include <CoreFoundation/CFArray.h>
46 #include <CoreFoundation/CFDictionary.h>
47 #include <CoreFoundation/CFError.h>
48
49 #include <Security/SecureObjectSync/SOSCloudCircle.h>
50 #include <Security/SecureObjectSync/SOSPeerInfo.h>
51 #include <Security/SecureObjectSync/SOSRing.h>
52
53 #include <xpc/xpc.h>
54 #include <CoreFoundation/CFXPCBridge.h>
55
56 #include <TargetConditionals.h>
57
// Mach/XPC service names the client connects to. They differ by platform:
// macOS has a separate "system" securityd service name
// (kSecuritydSystemXPCServiceName) and a distinct trustd agent name, whereas
// the other platforms use a single securityd name and one trustd name for
// both the agent and the daemon; no system securityd name is defined there.
#if TARGET_OS_OSX
#define kSecuritydXPCServiceName "com.apple.securityd.xpc"
#define kSecuritydSystemXPCServiceName "com.apple.securityd.system.xpc"
#define kTrustdAgentXPCServiceName "com.apple.trustd.agent"
#define kTrustdXPCServiceName "com.apple.trustd"
#else
#define kSecuritydXPCServiceName "com.apple.securityd"
#define kTrustdAgentXPCServiceName "com.apple.trustd"
#define kTrustdXPCServiceName "com.apple.trustd"
#endif // *** END TARGET_OS_OSX ***

// Sub-service names. How they are used is not visible in this header
// (presumably endpoint selection for different securityd areas — confirm).
#define kSecuritydGeneralServiceName "com.apple.securityd.general"
#define kSecuritydSOSServiceName "com.apple.securityd.sos"
71
72 //
73 // MARK: XPC Information.
74 //
75
// Error domain for CFErrorRefs produced by this client layer (defined elsewhere).
extern CFStringRef sSecXPCErrorDomain;

// Dictionary keys of the xpc request/reply messages. Several of these are
// declared a second time under "XPC Interfaces" below; a repeated extern
// declaration is legal C, but the duplicates could be consolidated.
// Judging by their names, the password/keybag/backup-key entries carry
// credential or key material: treat any dump of a message holding them as
// sensitive.
extern const char *kSecXPCKeyOperation;   // operation id, see enum SecXPCOperation (presumably)
extern const char *kSecXPCKeyResult;
extern const char *kSecXPCKeyEndpoint;
extern const char *kSecXPCKeyError;
extern const char *kSecXPCKeyPeerInfoArray;
extern const char *kSecXPCKeyUserLabel;
extern const char *kSecXPCKeyBackup;
extern const char *kSecXPCKeyKeybag;
extern const char *kSecXPCKeyUserPassword;
extern const char *kSecXPCKeyEMCSBackup;
extern const char *kSecXPCKeyDSID;
extern const char *kSecXPCKeyViewName;
extern const char *kSecXPCKeyViewActionCode;
extern const char *kSecXPCKeyNewPublicBackupKey;
extern const char *kSecXPCKeyRecoveryPublicKey;
extern const char *kSecXPCKeyIncludeV0;
extern const char *kSecXPCKeyEnabledViewsKey;
extern const char *kSecXPCKeyDisabledViewsKey;
extern const char *kSecXPCKeyEscrowLabel;
extern const char *kSecXPCKeyTriesLabel;
extern const char *kSecXPCKeyFileDescriptor;
extern const char *kSecXPCKeyAccessGroups;
extern const char *kSecXPCKeyClasses;
extern const char *kSecXPCKeyNormalizedIssuer;
extern const char *kSecXPCKeySerialNumber;
extern const char *kSecXPCKeyBackupKeybagIdentifier;
extern const char *kSecXPCKeyBackupKeybagPath;
105
106 //
107 // MARK: Dispatch macros
108 //
109
// Dispatch helpers used by the client wrappers. If an in-process
// implementation table is installed (gSecurityd / gTrustd non-NULL and the
// named entry non-NULL) the call goes straight to that function pointer;
// otherwise `wrapper` is invoked with the operation id `sdp ## _id` (so `sdp`
// must be the name of an entry whose `_id` twin exists in enum SecXPCOperation)
// followed by the same arguments. The arguments appear in both branches of the
// conditional, but only the selected branch is evaluated.
#define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
#define TRUSTD_XPC(sdp, wrapper, ...) ((gTrustd && gTrustd->sdp) ? gTrustd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))

// Asynchronous variant for trust evaluation. The in-process path runs the
// entry on queue `q` inside a block and then calls handler `h` with the
// SecTrustResultType and the CFErrorRef the entry wrote (initialised to NULL).
// NOTE(review): the variadic arguments are captured by the block by value, and
// block capture does not retain CF objects, so the caller must keep them alive
// until the block has run. Who releases the error passed to `h` is not stated
// here — confirm against the wrapper's contract.
#define TRUSTD_XPC_ASYNC(sdp, wrapper, q, h, ...) do { \
    if (gTrustd != NULL && gTrustd->sdp != NULL) { \
        dispatch_async(q, ^{ \
            CFErrorRef _error = NULL; \
            SecTrustResultType _tr = gTrustd->sdp(__VA_ARGS__, &_error); \
            h(_tr, _error); \
        }); \
    } else { \
        wrapper(q, h, sdp ## _id, __VA_ARGS__); \
    } \
} while (0)
124
125 //
126 // MARK: Object to XPC format conversion.
127 //
128
129
130 //
131 // MARK: XPC Interfaces
132 //
133
// Further xpc message keys. Several of the first entries repeat declarations
// made under "XPC Information" above; the repetition is harmless but the two
// lists could be merged so a reader sees the protocol's key set in one place.
extern const char *kSecXPCKeyOperation;
extern const char *kSecXPCKeyResult;
extern const char *kSecXPCKeyError;
extern const char *kSecXPCKeyPeerInfoArray;
extern const char *kSecXPCKeyPeerInfo;
extern const char *kSecXPCKeyUserLabel;
extern const char *kSecXPCKeyUserPassword;
extern const char *kSecXPCKeyDSID;
extern const char *kSecXPCLimitInMinutes;
extern const char *kSecXPCKeyQuery;
extern const char *kSecXPCKeyAttributesToUpdate;
extern const char *kSecXPCKeyDomain;
extern const char *kSecXPCKeyDigest;
extern const char *kSecXPCKeyCertificate;
extern const char *kSecXPCKeySettings;
extern const char *kSecXPCPublicPeerId; // Public peer id
extern const char *kSecXPCOTRSession; // OTR session bytes
extern const char *kSecXPCData; // Data to process
extern const char *kSecXPCOTRReady; // OTR ready for messages
extern const char *kSecXPCKeyViewName;
extern const char *kSecXPCKeyViewActionCode;
extern const char *kSecXPCKeyHSA2AutoAcceptInfo;
extern const char *kSecXPCKeyEscrowLabel;
extern const char *kSecXPCKeyTriesLabel;
extern const char *kSecXPCKeyString;
extern const char *kSecXPCKeyArray;
extern const char *kSecXPCKeySet;
extern const char *kSecXPCKeySet2;
extern const char *kSecXPCVersion;
extern const char *kSecXPCKeySignInAnalytics;
extern const char *kSecXPCKeyReason;
165
166 //
167 // MARK: Mach port request IDs
168 //
// Operation identifiers carried in each request. They are a wire protocol
// between a client and whichever securityd/trustd build it talks to, so the
// numeric value of every enumerator is part of the ABI: entries may only be
// appended at the end, never reordered, renumbered or removed (the comment
// below sec_trust_evaluate_id already demands this for root updates).
// The comment at kSecXPCOpTryUserCredentials records that callers of the
// operations from that point on must hold the keychain-cloud-circle
// entitlement; the enforcement itself lives in the server, not in this header.
enum SecXPCOperation {
    sec_item_add_id = 0,
    sec_item_copy_matching_id = 1,
    sec_item_update_id = 2,
    sec_item_delete_id = 3,
    // trust_store_for_domain -- NOT an ipc
    sec_trust_store_contains_id = 4,
    sec_trust_store_set_trust_settings_id = 5,
    sec_trust_store_remove_certificate_id = 6,
    // remove_all -- NOT an ipc
    sec_delete_all_id = 7,
    sec_trust_evaluate_id = 8,
    // Any new items MUST be added below here
    // This allows updating roots on a device, since SecTrustEvaluate must continue to work
    sec_keychain_backup_id,
    sec_keychain_restore_id,
    sec_keychain_backup_syncable_id,
    sec_keychain_restore_syncable_id,
    sec_item_backup_copy_names_id,
    sec_item_backup_handoff_fd_id,
    sec_item_backup_set_confirmed_manifest_id,
    sec_item_backup_restore_id,
    sec_keychain_sync_update_message_id,
    sec_ota_pki_trust_store_version_id,
    sec_otr_session_create_remote_id,
    sec_otr_session_process_packet_remote_id,
    kSecXPCOpOTAPKIGetNewAsset,
    kSecXPCOpOTAGetEscrowCertificates,
    kSecXPCOpProcessUnlockNotification,
    kSecXPCOpProcessSyncWithAllPeers,
    kSecXPCOpRollKeys,
    sec_add_shared_web_credential_id,
    sec_copy_shared_web_credential_id,
    sec_get_log_settings_id,
    sec_set_xpc_log_settings_id,
    sec_set_circle_log_settings_id,
    soscc_EnsurePeerRegistration_id,
    kSecXPCOpRequestEnsureFreshParameters,
    kSecXPCOpGetAllTheRings,
    kSecXPCOpApplyToARing,
    kSecXPCOpWithdrawlFromARing,
    kSecXPCOpEnableRing,
    kSecXPCOpRingStatus,
    kSecXPCOpRequestDeviceID,
    kSecXPCOpSetDeviceID,
    kSecXPCOpHandleIDSMessage,
    kSecXPCOpSyncWithKVSPeer,
    kSecXPCOpSyncWithIDSPeer,
    kSecXPCOpSendIDSMessage,
    kSecXPCOpPingTest,
    kSecXPCOpIDSDeviceID,
    kSecXPCOpSyncWithKVSPeerIDOnly,
    // any process using an operation below here is required to have entitlement keychain-cloud-circle
    kSecXPCOpTryUserCredentials,
    kSecXPCOpSetUserCredentials,
    kSecXPCOpSetUserCredentialsAndDSID,
    kSecXPCOpSetUserCredentialsAndDSIDWithAnalytics,
    kSecXPCOpCanAuthenticate,
    kSecXPCOpPurgeUserCredentials,
    kSecXPCOpDeviceInCircle,
    kSecXPCOpRequestToJoin,
    kSecXPCOpRequestToJoinWithAnalytics,
    kSecXPCOpRequestToJoinAfterRestore,
    kSecXPCOpRequestToJoinAfterRestoreWithAnalytics,
    kSecXPCOpResetToOffering,
    kSecXPCOpResetToEmpty,
    kSecXPCOpResetToEmptyWithAnalytics,
    kSecXPCOpView,
    kSecXPCOpViewSet,
    kSecXPCOpViewSetWithAnalytics,
    kSecXPCOpRemoveThisDeviceFromCircle,
    kSecXPCOpRemoveThisDeviceFromCircleWithAnalytics,
    kSecXPCOpRemovePeersFromCircle,
    kSecXPCOpRemovePeersFromCircleWithAnalytics,
    kSecXPCOpLoggedOutOfAccount,
    kSecXPCOpBailFromCircle,
    kSecXPCOpAcceptApplicants,
    kSecXPCOpRejectApplicants,
    kSecXPCOpCopyApplicantPeerInfo,
    kSecXPCOpCopyValidPeerPeerInfo,
    kSecXPCOpValidateUserPublic,
    kSecXPCOpCopyNotValidPeerPeerInfo,
    kSecXPCOpCopyPeerPeerInfo,
    kSecXPCOpCopyConcurringPeerPeerInfo,
    kSecXPCOpCopyGenerationPeerInfo,
    kSecXPCOpGetLastDepartureReason,
    kSecXPCOpSetLastDepartureReason,
    kSecXPCOpCopyIncompatibilityInfo,
    kSecXPCOpCopyRetirementPeerInfo,
    kSecXPCOpCopyViewUnawarePeerInfo,
    kSecXPCOpCopyEngineState,
    kSecXPCOpCopyMyPeerInfo,
    kSecXPCOpAccountSetToNew,
    kSecXPCOpSetNewPublicBackupKey,
    kSecXPCOpSetBagForAllSlices,
    kSecXPCOpWaitForInitialSync,
    kSecXPCOpWaitForInitialSyncWithAnalytics,
    kSecXPCOpCopyYetToSyncViews,
    kSecXPCOpSetEscrowRecord,
    kSecXPCOpGetEscrowRecord,
    kSecXPCOpCheckPeerAvailability,
    kSecXPCOpCopyAccountData,
    kSecXPCOpDeleteAccountData,
    kSecXPCOpCopyEngineData,
    kSecXPCOpDeleteEngineData,
    kSecXPCOpCopyApplication,
    kSecXPCOpCopyCircleJoiningBlob,
    kSecXPCOpJoinWithCircleJoiningBlob,
    kSecXPCOpKVSKeyCleanup,
    kSecXPCOpPopulateKVS,
    kSecXPCOpAccountHasPublicKey,
    kSecXPCOpAccountIsNew,
    kSecXPCOpClearKVSPeerMessage,
    kSecXPCOpRegisterRecoveryPublicKey,
    kSecXPCOpGetRecoveryPublicKey,
    kSecXPCOpCopyBackupInformation,
    kSecXPCOpCopyInitialSyncBlob,
    /* after this is free for all */
    kSecXPCOpWhoAmI,
    kSecXPCOpTransmogrifyToSyncBubble,
    kSecXPCOpTransmogrifyToSystemKeychain,
    kSecXPCOpWrapToBackupSliceKeyBagForView,
    sec_item_update_token_items_id,
    kSecXPCOpDeleteUserView,
    sec_trust_store_copy_all_id,
    sec_trust_store_copy_usage_constraints_id,
    sec_ocsp_cache_flush_id,
    sec_delete_items_with_access_groups_id,
    kSecXPCOpIsThisDeviceLastBackup,
    sec_keychain_backup_keybag_uuid_id,
    kSecXPCOpPeersHaveViewsEnabled,
    kSecXPCOpProcessSyncWithPeers,
    kSecXPCOpMessageFromPeerIsPending,
    kSecXPCOpSendToPeerIsPending,
    sec_item_copy_parent_certificates_id,
    sec_item_certificate_exists_id,
    kSecXPCOpBackupKeybagAdd,
    kSecXPCOpBackupKeybagDelete,
    kSecXPCOpSFKeychainEndpoint,
    kSecXPCOpKeychainControlEndpoint,
    // The spelling ("Analtyics") is kept as-is: the identifier is referenced
    // from other files, so it can only be corrected together with every use.
    kSecXPCOpTLSAnaltyicsReport,
};
311
312
// Per-caller identity and authorization context handed to securityd's item
// operations next to the query (see the `SecurityClient *client` parameters
// in struct securityd). Which fields feed a given access decision is decided
// in the server code, not here.
typedef struct SecurityClient {
    SecTaskRef task;                              // the calling task; presumably the source of the flags below — TODO confirm
    CFArrayRef accessGroups;                      // keychain access groups the caller operates under
    bool allowSystemKeychain;
    bool allowSyncBubbleKeychain;
    bool isNetworkExtension;
    bool canAccessNetworkExtensionAccessGroups;
    uid_t uid;
    CFDataRef musr;                               // multi-user identifier; NULL presumably means the default user — TODO confirm
#if TARGET_OS_EMBEDDED && TARGET_HAS_KEYSTORE
    keybag_handle_t keybag;                       // AKS keybag handle (libaks) associated with this client
#endif
#if TARGET_OS_IPHONE
    bool inMultiUser;
    int activeUser;
#endif
} SecurityClient;
330
331
// Returns the SecurityClient describing this process. The pointer's lifetime
// is managed by the implementation (presumably a process-wide instance — do
// not free it; confirm in the .c).
extern SecurityClient * SecSecurityClientGet(void);
#if TARGET_OS_IOS
// Switches the process-wide client into multi-user mode for `uid`/`activeUser`
// (iOS only); the exact effect on SecurityClient's musr/inMultiUser fields is
// not visible here.
void SecSecuritySetMusrMode(bool mode, uid_t uid, int activeUser);
#endif
336
// In-process implementation table for securityd. When gSecurityd points at a
// filled-in instance, the SECURITYD_XPC macro calls these function pointers
// directly instead of sending an XPC message; a NULL table or NULL entry falls
// back to the XPC path (presumably used by tests and by the daemon itself —
// confirm). Field names mirror the enum SecXPCOperation identifiers
// (sec_item_add <-> sec_item_add_id) because the macro derives the operation
// id from the field name by token pasting.
// Entries that take a SecurityClient receive the caller's authorization
// context; entries without one (e.g. sec_item_delete_all) cannot make a
// per-caller decision from their arguments alone, so any such check has to
// happen before they are reached.
struct securityd {
    bool (*sec_item_add)(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
    bool (*sec_item_copy_matching)(CFDictionaryRef query, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
    bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, SecurityClient *client, CFErrorRef* error);
    bool (*sec_item_delete)(CFDictionaryRef query, SecurityClient *client, CFErrorRef* error);
    bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
    bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
    bool (*sec_item_delete_all)(CFErrorRef* error);   // no client context
    CFArrayRef (*sec_item_copy_parent_certificates)(CFDataRef normalizedIssuer, CFArrayRef accessGroups, CFErrorRef *error);
    bool (*sec_item_certificate_exists)(CFDataRef normalizedIssuer, CFDataRef serialNumber, CFArrayRef accessGroups, CFErrorRef *error);
    // Backup/restore: `keybag` and `passcode` are secret material; the
    // `emcs` flag selects an EMCS-style backup (see kSecXPCKeyEMCSBackup).
    CFDataRef (*sec_keychain_backup)(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, bool emcs, CFErrorRef* error);
    bool (*sec_keychain_restore)(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    bool (*sec_keychain_restore_syncable)(CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    CFArrayRef (*sec_item_backup_copy_names)(CFErrorRef *error);
    int (*sec_item_backup_handoff_fd)(CFStringRef backupName, CFErrorRef *error);   // returns a file descriptor; ownership passes to the caller (presumably — confirm)
    bool (*sec_item_backup_set_confirmed_manifest)(CFStringRef backupName, CFDataRef keybagDigest, CFDataRef manifest, CFErrorRef *error);
    bool (*sec_item_backup_restore)(CFStringRef backupName, CFStringRef peerID, CFDataRef keybag, CFDataRef secret, CFDataRef backup, CFErrorRef *error);
    CFDataRef (*sec_otr_session_create_remote)(CFDataRef publicPeerId, CFErrorRef* error);
    bool (*sec_otr_session_process_packet_remote)(CFDataRef sessionData, CFDataRef inputPacket, CFDataRef* outputSessionData, CFDataRef* outputPacket, bool *readyForMessages, CFErrorRef* error);
    // SOS circle operations (the soscc_ prefix). The enum comment marks the
    // corresponding operation ids as requiring the keychain-cloud-circle entitlement.
    bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
    bool (*soscc_SetUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
    bool (*soscc_SetUserCredentialsAndDSID)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
    bool (*soscc_SetUserCredentialsAndDSIDWithAnalytics)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFDataRef parentEvent, CFErrorRef *error);
    bool (*soscc_CanAuthenticate)(CFErrorRef *error);
    bool (*soscc_PurgeUserCredentials)(CFErrorRef *error);
    SOSCCStatus (*soscc_ThisDeviceIsInCircle)(CFErrorRef* error);
    bool (*soscc_RequestToJoinCircle)(CFErrorRef* error);
    bool (*soscc_RequestToJoinCircleWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
    bool (*soscc_RequestToJoinCircleAfterRestore)(CFErrorRef* error);
    bool (*soscc_RequestToJoinCircleAfterRestoreWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
    bool (*soscc_RequestEnsureFreshParameters)(CFErrorRef* error);
    CFStringRef (*soscc_GetAllTheRings)(CFErrorRef *error);
    bool (*soscc_ApplyToARing)(CFStringRef ringName, CFErrorRef* error);
    bool (*soscc_WithdrawlFromARing)(CFStringRef ringName, CFErrorRef* error);
    bool (*soscc_EnableRing)(CFStringRef ringName, CFErrorRef* error);
    SOSRingStatus (*soscc_RingStatus)(CFStringRef ringName, CFErrorRef* error);
    bool (*soscc_SetToNew)(CFErrorRef *error);
    bool (*soscc_ResetToOffering)(CFErrorRef* error);
    bool (*soscc_ResetToEmpty)(CFErrorRef* error);
    bool (*soscc_ResetToEmptyWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
    SOSViewResultCode (*soscc_View)(CFStringRef view, SOSViewActionCode action, CFErrorRef *error);
    // Unlike their neighbours, the two ViewSet entries have no CFErrorRef
    // out-parameter; a false return is the only failure signal.
    bool (*soscc_ViewSet)(CFSetRef enabledViews, CFSetRef disabledViews);
    bool (*soscc_ViewSetWithAnalytics)(CFSetRef enabledViews, CFSetRef disabledViews, CFDataRef parentEvent);
    bool (*soscc_RegisterSingleRecoverySecret)(CFDataRef backupSlice, bool forV0Only, CFErrorRef *error);
    bool (*soscc_RegisterRecoveryPublicKey)(CFDataRef recovery_key, CFErrorRef *error);
    CFDataRef (*soscc_CopyRecoveryPublicKey)(CFErrorRef *error);
    bool (*soscc_RemoveThisDeviceFromCircle)(CFErrorRef* error);
    bool (*soscc_RemoveThisDeviceFromCircleWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
    bool (*soscc_RemovePeersFromCircle)(CFArrayRef peers, CFErrorRef* error);
    bool (*soscc_RemovePeersFromCircleWithAnalytics)(CFArrayRef peers, CFDataRef parentEvent, CFErrorRef* error);
    bool (*soscc_LoggedOutOfAccount)(CFErrorRef* error);
    bool (*soscc_BailFromCircle)(uint64_t limit_in_seconds, CFErrorRef* error);
    bool (*soscc_AcceptApplicants)(CFArrayRef applicants, CFErrorRef* error);
    bool (*soscc_RejectApplicants)(CFArrayRef applicants, CFErrorRef* error);
    SOSPeerInfoRef (*soscc_SetNewPublicBackupKey)(CFDataRef pubKey, CFErrorRef *error);
    bool (*soscc_ValidateUserPublic)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyGenerationPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyApplicantPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyValidPeerPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyNotValidPeerPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyRetirementPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyViewUnawarePeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyEngineState)(CFErrorRef* error);
    // Not sure why these are below the last entry in the enum order above, but they are:
    CFArrayRef (*soscc_CopyPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyConcurringPeerInfo)(CFErrorRef* error);
    CFStringRef (*soscc_CopyIncompatibilityInfo)(CFErrorRef* error);
    enum DepartureReason (*soscc_GetLastDepartureReason)(CFErrorRef* error);
    bool (*soscc_SetLastDepartureReason)(enum DepartureReason, CFErrorRef* error);
    CFSetRef (*soscc_ProcessSyncWithPeers)(CFSetRef peerIDs, CFSetRef backupPeerIDs, CFErrorRef* error);
    SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers)(CFErrorRef* error);
    bool (*soscc_EnsurePeerRegistration)(CFErrorRef* error);
    bool (*sec_roll_keys)(bool force, CFErrorRef* error);
    CFArrayRef (*sec_keychain_sync_update_message)(CFDictionaryRef update, CFErrorRef *error);
    CFPropertyListRef (*sec_get_log_settings)(CFErrorRef* error);
    bool (*sec_set_xpc_log_settings)(CFTypeRef type, CFErrorRef* error);
    bool (*sec_set_circle_log_settings)(CFTypeRef type, CFErrorRef* error);
    SOSPeerInfoRef (*soscc_CopyMyPeerInfo)(CFErrorRef*);
    bool (*soscc_WaitForInitialSync)(CFErrorRef*);
    bool (*soscc_WaitForInitialSyncWithAnalytics)(CFDataRef parentEvent, CFErrorRef *error);
    CFArrayRef (*soscc_CopyYetToSyncViewsList)(CFErrorRef*);
    bool (*soscc_SetEscrowRecords)(CFStringRef escrow_label, uint64_t tries, CFErrorRef *error);
    CFDictionaryRef (*soscc_CopyEscrowRecords)(CFErrorRef *error);
    CFDictionaryRef (*soscc_CopyBackupInformation)(CFErrorRef *error);
    bool (*soscc_PeerAvailability)(CFErrorRef *error);
    bool (*sosbskb_WrapToBackupSliceKeyBagForView)(CFStringRef viewName, CFDataRef input, CFDataRef* output, CFDataRef* bskbEncoded, CFErrorRef* error);
    CFDataRef (*soscc_CopyAccountState)(CFErrorRef *error);
    bool (*soscc_DeleteAccountState)(CFErrorRef *error);
    CFDataRef (*soscc_CopyEngineData)(CFErrorRef *error);
    bool (*soscc_DeleteEngineState)(CFErrorRef *error);
    SOSPeerInfoRef (*soscc_CopyApplicant)(CFErrorRef *error);
    CFDataRef (*soscc_CopyCircleJoiningBlob)(SOSPeerInfoRef applicant, CFErrorRef *error);
    CFDataRef (*soscc_CopyInitialSyncData)(CFErrorRef *error);
    bool (*soscc_JoinWithCircleJoiningBlob)(CFDataRef joiningBlob, PiggyBackProtocolVersion version, CFErrorRef *error);
    bool (*soscc_SOSCCCleanupKVSKeys)(CFErrorRef *error);
    bool (*soscc_SOSCCTestPopulateKVSWithBadKeys)(CFErrorRef *error);   // test hook, going by its name
    bool (*soscc_AccountHasPublicKey)(CFErrorRef *error);
    bool (*soscc_AccountIsNew)(CFErrorRef *error);
    bool (*sec_item_update_token_items)(CFStringRef tokenID, CFArrayRef query, SecurityClient *client, CFErrorRef* error);
    bool (*sec_delete_items_with_access_groups)(CFArrayRef bundleIDs, SecurityClient *client, CFErrorRef *error);
    bool (*soscc_IsThisDeviceLastBackup)(CFErrorRef *error);
    bool (*soscc_requestSyncWithPeerOverKVS)(CFStringRef peerID, CFDataRef message, CFErrorRef *error);
    CFBooleanRef (*soscc_SOSCCPeersHaveViewsEnabled)(CFArrayRef views, CFErrorRef *error);
    bool (*socc_clearPeerMessageKeyInKVS)(CFStringRef peerID, CFErrorRef *error);
    bool (*soscc_SOSCCMessageFromPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
    bool (*soscc_SOSCCSendToPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
    CFTypeRef (*soscc_status)(void);
    CFTypeRef secd_xpc_server;   // not a function pointer: opaque server object (type not visible here)
};
447
// Installed in-process securityd table, or NULL to use XPC (see SECURITYD_XPC).
extern struct securityd *gSecurityd;
449
// In-process implementation table for trustd, consulted by TRUSTD_XPC /
// TRUSTD_XPC_ASYNC when gTrustd and the entry are non-NULL; otherwise the
// client falls back to XPC. Entries reached through those macros need a
// `<name>_id` enumerator in enum SecXPCOperation; sec_trust_store_for_domain
// and sec_truststore_remove_all are marked "NOT an ipc" there.
// None of these entries takes a SecurityClient, so any caller authorization
// for the trust-store mutators is performed before the table is reached and
// is not visible in this header.
struct trustd {
    SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error);
    bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error);
    bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error);
    bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error);
    bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error);
    // Chain evaluation. `accessGroups` is declared __unused, i.e. the caller's
    // access groups are not meant to influence the verdict through this entry.
    // Whether the out-parameters (details, info, chain) come back retained is
    // not stated here — confirm before releasing them.
    SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error);
    uint64_t (*sec_ota_pki_trust_store_version)(CFErrorRef* error);
    CFArrayRef (*ota_CopyEscrowCertificates)(uint32_t escrowRootType, CFErrorRef* error);
    uint64_t (*sec_ota_pki_get_new_asset)(CFErrorRef* error);
    bool (*sec_trust_store_copy_all)(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error);
    bool (*sec_trust_store_copy_usage_constraints)(SecTrustStoreRef ts, CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error);
    bool (*sec_ocsp_cache_flush)(CFErrorRef *error);
    bool (*sec_tls_analytics_report)(CFStringRef event_name, xpc_object_t tls_analytics_attributes, CFErrorRef *error);
};
465
// Installed in-process trustd table, or NULL to use XPC (see TRUSTD_XPC).
extern struct trustd *gTrustd;

// Access groups of the current process (the array is not documented as
// owned by the caller; treat it as borrowed unless the .c says otherwise).
CFArrayRef SecAccessGroupsGetCurrent(void);

// TODO Rename me
// Human-readable description of an operation id (for logging, presumably).
CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op);

// Low-level transport. The reply is returned retained (XPC_RETURNS_RETAINED),
// so the caller owns it; a NULL return with *error set is the failure shape
// these declarations suggest — confirm in the implementation.
XPC_RETURNS_RETAINED xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error);
// Async reply handler: exactly one of `reply`/`error` is expected to be
// meaningful (not stated here — confirm).
typedef void (^securityd_handler_t)(xpc_object_t reply, CFErrorRef error);
void securityd_message_with_reply_async(xpc_object_t message, dispatch_queue_t replyq,
                                        securityd_handler_t handler);
// Creates a request for `op`; returned retained.
XPC_RETURNS_RETAINED xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error);
// Returns false when `message` carries an error (presumably under
// kSecXPCKeyError), filling *error.
bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error);


// Convenience round-trip: from the signature, creates the request for `op`,
// lets `add_to_message` populate it, sends it synchronously and passes the
// reply to `handle_response`; a false return from either block aborts the
// sequence and the overall result is false. Confirm the exact sequencing in
// the implementation before relying on it.
bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error,
                                bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
                                bool (^handle_response)(xpc_object_t response, CFErrorRef* error));

// Asynchronous counterpart; `handler` is invoked on `replyq`.
void securityd_send_async_and_do(enum SecXPCOperation op, dispatch_queue_t replyq,
                                 bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
                                 securityd_handler_t handler);

// For testing only, never call this in a threaded program!
// Going by its name this redirects which Mach service trust requests go to,
// which is why it must stay out of production code paths.
void SecServerSetTrustdMachServiceName(const char *name);

// Obtains an xpc endpoint for `op` (see the *Endpoint operation ids); returned retained.
XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyEndpoint(enum SecXPCOperation op, CFErrorRef *error);
492
493 #if __OBJC__
494 #import <Foundation/Foundation.h>
495 #import <Foundation/NSXPCConnection.h>
// Completion block: a success flag plus an NSError describing the failure.
typedef void (^SecBoolNSErrorCallback) (bool, NSError*);
497
// Reply-side protocol: an object conforming to it (SecuritydXPCCallback below)
// is passed across NSXPC as a proxy so the far side can deliver a result.
@protocol SecuritydXPCCallbackProtocol <NSObject>
- (void)callCallback: (bool) result error:(NSError*) error;
@end
501
// Protocol exposed over NSXPCConnection (see SecuritydXPCClient). Every
// NSDictionary/NSArray/NSData/NSString argument is decoded on the receiving
// side, so the NSXPCInterface has to declare the classes permitted for the
// collection-typed parameters and for the callback proxy — presumably what
// +[SecuritydXPCClient configureSecuritydXPCProtocol:] does; confirm.
@protocol SecuritydXPCProtocol <NSObject>
- (void) SecItemAddAndNotifyOnSync:(NSDictionary*) attributes
                      syncCallback:(id<SecuritydXPCCallbackProtocol>) callback
                          complete:(void (^) (NSDictionary* opDictResult, NSArray* opArrayResult, NSError* operror)) complete;

// For the given item (specified exactly by its hash (currently SHA1)), attempt to set the CloudKit 'current' pointer
// to point to the given item.
// This can fail if:
// 1. your knowledge of the old current item is out of date
// 2. either the new item or old item has changed (checked by hash)
// 3. If this device can't talk with CloudKit for any reason
// NOTE(review): "currently SHA1" signals the digest algorithm may change;
// callers should treat the hash as opaque bytes rather than assume its length.
- (void)secItemSetCurrentItemAcrossAllDevices:(NSData*)newItemPersistentRef
                           newCurrentItemHash:(NSData*)newItemSHA1
                                  accessGroup:(NSString*)accessGroup
                                   identifier:(NSString*)identifier
                                     viewHint:(NSString*)viewHint
                      oldCurrentItemReference:(NSData*)oldCurrentItemPersistentRef
                           oldCurrentItemHash:(NSData*)oldItemSHA1
                                     complete:(void (^) (NSError* operror)) complete;

// For the given access group and identifier, check the current local idea of the 'current' item
// (or, with fetchCloudValue set, presumably the cloud's — confirm).
-(void)secItemFetchCurrentItemAcrossAllDevices:(NSString*)accessGroup
                                    identifier:(NSString*)identifier
                                      viewHint:(NSString*)viewHint
                                fetchCloudValue:(bool)fetchCloudValue
                                       complete:(void (^) (NSData* persistentref, NSError* operror)) complete;


// For each item in keychainClass, return a persistent reference and a digest of the value.
// The digest is not stable and can change at any time; the only promise is that if the
// digest did not change, the item did not change. If the digest changed, the value MIGHT
// have changed, but it could also have stayed the same.
// This interface bypasses SEP/AKS and is therefore faster than SecItemCopyMatching().
- (void) secItemDigest:(NSString *)keychainClass
           accessGroup:(NSString *)accessGroup
              complete:(void (^)(NSArray<NSDictionary *> *digest, NSError* error))complete;
@end
539
// Returns a proxy object conforming to SecuritydXPCProtocol that you can call methods on.
// It is probably a remote object for securityd/secd, but it may be in-process if you
// have configured it that way (see SecCreateLocalSecuritydXPCServer). `rpcErrorHandler`
// is, going by its name, invoked for transport-level failures — confirm.
id<SecuritydXPCProtocol> SecuritydXPCProxyObject(void (^rpcErrorHandler)(NSError *));

// Sets up a local securityd xpc server: after this call, all SecuritydXPCProtocol
// calls are handled in-process instead of being sent to securityd.
id<SecuritydXPCProtocol> SecCreateLocalSecuritydXPCServer(void);
546
// Wraps a SecBoolNSErrorCallback block in an Objective-C object so it can be
// proxied across NSXPC.
@interface SecuritydXPCCallback : NSObject <SecuritydXPCCallbackProtocol> {
    SecBoolNSErrorCallback _callback;   // explicit ivar; auto-synthesis of `callback` would provide the same storage
}
// NOTE(review): block properties are conventionally (nonatomic, copy); this one
// uses the defaults (atomic, strong), which ARC treats equivalently for blocks.
@property SecBoolNSErrorCallback callback;
- (instancetype)initWithCallback: (SecBoolNSErrorCallback) callback;
@end
554
// Client-side holder of the NSXPCConnection to securityd.
@interface SecuritydXPCClient : NSObject {
    NSXPCConnection* _connection;   // explicit ivar; auto-synthesis of `connection` would provide the same storage
}
@property NSXPCConnection* connection;

// Configures an NSXPCInterface for SecuritydXPCProtocol — presumably the
// allowed-class lists for its collection-typed arguments and the
// SecuritydXPCCallbackProtocol proxy parameter. Both ends of the connection
// should apply the same configuration; confirm in the implementation.
+(void)configureSecuritydXPCProtocol: (NSXPCInterface*) interface;
@end
562
563 #endif // OBJC
564
565 #endif /* _SECURITYD_CLIENT_H_ */