]> git.saurik.com Git - apple/security.git/blob - SecurityServer/ssclient.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-54.1.3.tar.gz
[apple/security.git] / SecurityServer / ssclient.h
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // ssclient - SecurityServer client interface library
21 //
22 // This interface is private to the Security system. It is not a public interface,
23 // and it may change at any time. You have been warned.
24 //
25 #ifndef _H_SSCLIENT
26 #define _H_SSCLIENT
27
28
29 #include <Security/cssm.h>
30 #include <Security/utilities.h>
31 #include <Security/cssmalloc.h>
32 #include <Security/cssmacl.h>
33 #include <Security/context.h>
34 #include <Security/globalizer.h>
35 #include <Security/unix++.h>
36 #include <Security/mach++.h>
37 #include <Security/cssmdb.h>
38 #include <Security/osxsigning.h>
39 #include <Security/Authorization.h>
40 #include <Security/AuthSession.h>
41
42
43 namespace Security {
44 namespace SecurityServer {
45
46 using MachPlusPlus::Port;
47 using MachPlusPlus::ReceivePort;
48
49
50 //
51 // Common data types
52 //
53 typedef CSSM_HANDLE KeyHandle;
54 typedef CSSM_HANDLE DbHandle;
55
56 static const CSSM_HANDLE noDb = 0;
57 static const CSSM_HANDLE noKey = 0;
58
59 struct KeyUID {
60 uint8 signature[20];
61 };
62
63 struct AuthorizationBlob {
64 uint32 data[2];
65
66 bool operator < (const AuthorizationBlob &other) const
67 { return memcmp(data, other.data, sizeof(data)) < 0; }
68
69 bool operator == (const AuthorizationBlob &other) const
70 { return memcmp(data, other.data, sizeof(data)) == 0; }
71
72 size_t hash() const { //@@@ revisit this hash
73 return data[0] ^ data[1] << 3;
74 }
75 };
76
77 enum AclKind { dbAcl, keyAcl, loginAcl };
78
79
80 //
81 // Database parameter structure
82 //
83 class DBParameters {
84 public:
85 uint32 idleTimeout; // seconds idle timout lock
86 uint8 lockOnSleep; // lock keychain when system sleeps
87 };
88
89
90 //
91 // A client connection (session)
92 //
93 class ClientSession {
94 NOCOPY(ClientSession)
95 public:
96 ClientSession(CssmAllocator &standard, CssmAllocator &returning);
97 virtual ~ClientSession();
98
99 CssmAllocator &internalAllocator;
100 CssmAllocator &returnAllocator;
101
102 public:
103 typedef CSSM_DB_ACCESS_TYPE DBAccessType;
104
105 typedef uint32 NotifyEvent;
106 typedef uint32 NotifyEvents;
107 enum {
108 allEvents = uint32(-1)
109 };
110
111 typedef uint32 NotifyDomain;
112 enum {
113 databaseNotifications = 1
114 };
115
116 public:
117 void activate();
118 void terminate();
119
120 public:
121 // database sessions
122 DbHandle createDb(const DLDbIdentifier &dbId,
123 const AccessCredentials *cred, const AclEntryInput *owner,
124 const DBParameters &params);
125 DbHandle decodeDb(const DLDbIdentifier &dbId,
126 const AccessCredentials *cred, const CssmData &blob);
127 void encodeDb(DbHandle db, CssmData &blob, CssmAllocator &alloc);
128 void encodeDb(DbHandle db, CssmData &blob) { return encodeDb(db, blob, returnAllocator); }
129 void releaseDb(DbHandle db);
130 void authenticateDb(DbHandle db, DBAccessType type, const AccessCredentials *cred);
131 void setDbParameters(DbHandle db, const DBParameters &params);
132 void getDbParameters(DbHandle db, DBParameters &params);
133 void changePassphrase(DbHandle db, const AccessCredentials *cred);
134 void lock(DbHandle db);
135 void unlock(DbHandle db);
136 void unlock(DbHandle db, const CssmData &passPhrase);
137 bool isLocked(DbHandle db);
138
139 // key objects
140 void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid, CssmAllocator &alloc);
141 void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid = NULL)
142 { return encodeKey(key, blob, uid, returnAllocator); }
143 KeyHandle decodeKey(DbHandle db, const CssmData &blob, CssmKey::Header &header);
144 void releaseKey(KeyHandle key);
145
146 CssmKeySize queryKeySizeInBits(KeyHandle key);
147 uint32 getOutputSize(const Context &context, KeyHandle key,
148 uint32 inputSize, bool encrypt = true);
149
150 public:
151 // key wrapping and unwrapping
152 void wrapKey(const Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
153 const AccessCredentials *cred,
154 const CssmData *descriptiveData, CssmWrappedKey &wrappedKey, CssmAllocator &alloc);
155 void wrapKey(const Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
156 const AccessCredentials *cred,
157 const CssmData *descriptiveData, CssmWrappedKey &wrappedKey)
158 { return wrapKey(context, key, keyToBeWrapped, cred,
159 descriptiveData, wrappedKey, returnAllocator); }
160
161 void unwrapKey(DbHandle db, const Context &context, KeyHandle key, KeyHandle publicKey,
162 const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
163 const AccessCredentials *cred, const AclEntryInput *owner,
164 CssmData &data, KeyHandle &newKey, CssmKey::Header &newKeyHeader, CssmAllocator &alloc);
165 void unwrapKey(DbHandle db, const Context &context, KeyHandle key, KeyHandle publicKey,
166 const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
167 const AccessCredentials *cred, const AclEntryInput *owner, CssmData &data,
168 KeyHandle &newKey, CssmKey::Header &newKeyHeader)
169 { return unwrapKey(db, context, key, publicKey, wrappedKey, keyUsage, keyAttr,
170 cred, owner, data, newKey, newKeyHeader, returnAllocator); }
171
172 // key generation and derivation
173 void generateKey(DbHandle db, const Context &context, uint32 keyUsage, uint32 keyAttr,
174 const AccessCredentials *cred, const AclEntryInput *owner,
175 KeyHandle &newKey, CssmKey::Header &newHeader);
176 void generateKey(DbHandle db, const Context &context,
177 uint32 pubKeyUsage, uint32 pubKeyAttr,
178 uint32 privKeyUsage, uint32 privKeyAttr,
179 const AccessCredentials *cred, const AclEntryInput *owner,
180 KeyHandle &pubKey, CssmKey::Header &pubHeader,
181 KeyHandle &privKey, CssmKey::Header &privHeader);
182 void deriveKey(DbHandle db, const Context &context, KeyHandle baseKey,
183 uint32 keyUsage, uint32 keyAttr, CssmData &param,
184 const AccessCredentials *cred, const AclEntryInput *owner,
185 KeyHandle &newKey, CssmKey::Header &newHeader, CssmAllocator &alloc);
186 void deriveKey(DbHandle db, const Context &context, KeyHandle baseKey,
187 uint32 keyUsage, uint32 keyAttr, CssmData &param,
188 const AccessCredentials *cred, const AclEntryInput *owner,
189 KeyHandle &newKey, CssmKey::Header &newHeader)
190 { return deriveKey(db, context, baseKey, keyUsage, keyAttr, param, cred, owner, newKey, newHeader, returnAllocator); }
191 //void generateAlgorithmParameters(); // not implemented
192
193 void generateRandom(CssmData &data);
194
195 // encrypt/decrypt
196 void encrypt(const Context &context, KeyHandle key,
197 const CssmData &in, CssmData &out, CssmAllocator &alloc);
198 void encrypt(const Context &context, KeyHandle key, const CssmData &in, CssmData &out)
199 { return encrypt(context, key, in, out, returnAllocator); }
200 void decrypt(const Context &context, KeyHandle key,
201 const CssmData &in, CssmData &out, CssmAllocator &alloc);
202 void decrypt(const Context &context, KeyHandle key, const CssmData &in, CssmData &out)
203 { return decrypt(context, key, in, out, returnAllocator); }
204
205 // signatures
206 void generateSignature(const Context &context, KeyHandle key,
207 const CssmData &data, CssmData &signature, CssmAllocator &alloc,
208 CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE);
209 void generateSignature(const Context &context, KeyHandle key,
210 const CssmData &data, CssmData &signature, CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE)
211 { return generateSignature(context, key, data, signature, returnAllocator, signOnlyAlgorithm); }
212 void verifySignature(const Context &context, KeyHandle key,
213 const CssmData &data, const CssmData &signature,
214 CSSM_ALGORITHMS verifyOnlyAlgorithm = CSSM_ALGID_NONE);
215
216 // MACs
217 void generateMac(const Context &context, KeyHandle key,
218 const CssmData &data, CssmData &mac, CssmAllocator &alloc);
219 void generateMac(const Context &context, KeyHandle key,
220 const CssmData &data, CssmData &mac)
221 { return generateMac(context, key, data, mac, returnAllocator); }
222 void verifyMac(const Context &context, KeyHandle key,
223 const CssmData &data, const CssmData &mac);
224
225 // key ACL management
226 void getKeyAcl(KeyHandle key, const char *tag,
227 uint32 &count, AclEntryInfo * &info, CssmAllocator &alloc);
228 void getKeyAcl(KeyHandle key, const char *tag,
229 uint32 &count, AclEntryInfo * &info)
230 { return getKeyAcl(key, tag, count, info, returnAllocator); }
231 void changeKeyAcl(KeyHandle key, const AccessCredentials &cred, const AclEdit &edit);
232 void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner, CssmAllocator &alloc);
233 void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner)
234 { return getKeyOwner(key, owner, returnAllocator); }
235 void changeKeyOwner(KeyHandle key, const AccessCredentials &cred,
236 const AclOwnerPrototype &edit);
237
238 // database ACL management
239 void getDbAcl(DbHandle db, const char *tag,
240 uint32 &count, AclEntryInfo * &info, CssmAllocator &alloc);
241 void getDbAcl(DbHandle db, const char *tag,
242 uint32 &count, AclEntryInfo * &info)
243 { return getDbAcl(db, tag, count, info, returnAllocator); }
244 void changeDbAcl(DbHandle db, const AccessCredentials &cred, const AclEdit &edit);
245 void getDbOwner(DbHandle db, AclOwnerPrototype &owner, CssmAllocator &alloc);
246 void getDbOwner(DbHandle db, AclOwnerPrototype &owner)
247 { return getDbOwner(db, owner, returnAllocator); }
248 void changeDbOwner(DbHandle db, const AccessCredentials &cred,
249 const AclOwnerPrototype &edit);
250
251 public:
252 // Authorization API support
253 void authCreate(const AuthorizationItemSet *rights, const AuthorizationItemSet *environment,
254 AuthorizationFlags flags,AuthorizationBlob &result);
255 void authRelease(const AuthorizationBlob &auth, AuthorizationFlags flags);
256 void authCopyRights(const AuthorizationBlob &auth,
257 const AuthorizationItemSet *rights, const AuthorizationItemSet *environment,
258 AuthorizationFlags flags, AuthorizationItemSet **result);
259 void authCopyInfo(const AuthorizationBlob &auth, const char *tag, AuthorizationItemSet * &info);
260 void authExternalize(const AuthorizationBlob &auth, AuthorizationExternalForm &extForm);
261 void authInternalize(const AuthorizationExternalForm &extForm, AuthorizationBlob &auth);
262
263 public:
264 // Session API support
265 void getSessionInfo(SecuritySessionId &sessionId, SessionAttributeBits &attrs);
266 void setupSession(SessionCreationFlags flags, SessionAttributeBits attrs);
267
268 public:
269 // Notification core support
270 void requestNotification(Port receiver, NotifyDomain domain, NotifyEvents events);
271 void stopNotification(Port receiver);
272 void postNotification(NotifyDomain domain, NotifyEvent event, const CssmData &data);
273
274 typedef OSStatus ConsumeNotification(NotifyDomain domain, NotifyEvent event,
275 const void *data, size_t dataLength, void *context);
276 OSStatus dispatchNotification(const mach_msg_header_t *message,
277 ConsumeNotification *consumer, void *context);
278
279 private:
280 void getAcl(AclKind kind, KeyHandle key, const char *tag,
281 uint32 &count, AclEntryInfo * &info, CssmAllocator &alloc);
282 void changeAcl(AclKind kind, KeyHandle key,
283 const AccessCredentials &cred, const AclEdit &edit);
284 void getOwner(AclKind kind, KeyHandle key, AclOwnerPrototype &owner, CssmAllocator &alloc);
285 void changeOwner(AclKind kind, KeyHandle key, const AccessCredentials &cred,
286 const AclOwnerPrototype &edit);
287
288 private:
289 static UnixPlusPlus::StaticForkMonitor mHasForked; // global fork indicator
290
291 struct Thread {
292 Thread() : registered(false) { }
293 operator bool() const { return registered; }
294
295 ReceivePort replyPort; // dedicated reply port (send right held by SecurityServer)
296 bool registered; // has been registered with SecurityServer
297 };
298
299 struct Global {
300 Global();
301 Port serverPort;
302 RefPointer<CodeSigning::OSXCode> myself;
303 ThreadNexus<Thread> thread;
304 };
305
306 static ModuleNexus<Global> mGlobal;
307 static bool mSetupSession;
308 };
309
310
311 } // end namespace SecurityServer
312 } // end namespace Security
313
314
315 #endif //_H_SSCLIENT
mirror of Security