]>
git.saurik.com Git - apple/security.git/blob - securityd/src/kcdatabase.h
2 * Copyright (c) 2000-2008,2012-2013 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 // kcdatabase - software database container implementation.
28 // A KeychainDatabase is a software storage container,
29 // implemented in cooperation by the AppleCSLDP CDSA plugin and this daemon.
34 #include "localdatabase.h"
35 #include <securityd_client/ss_types.h>
36 #include "agentclient.h"
38 class KeychainDatabase
;
39 class KeychainDbCommon
;
44 // We identify KeychainDatabases uniquely by a combination of
45 // a DLDbIdentifier and a database (blob) identifier. Equivalence
46 // by DbIdentifier is the criterion for parent-side merging.
50 DbIdentifier(const DLDbIdentifier
&id
, DbBlob::Signature sig
)
51 : mIdent(id
), mSig(sig
) { }
53 const DLDbIdentifier
&dlDbIdentifier() const { return mIdent
; }
54 const DbBlob::Signature
&signature() const { return mSig
; }
55 operator const DLDbIdentifier
&() const { return dlDbIdentifier(); }
56 operator const DbBlob::Signature
&() const { return signature(); }
57 const char *dbName() const { return mIdent
.dbName(); }
59 bool operator < (const DbIdentifier
&id
) const // simple lexicographic
61 if (mIdent
< id
.mIdent
) return true;
62 if (id
.mIdent
< mIdent
) return false;
63 return mSig
< id
.mSig
;
66 bool operator == (const DbIdentifier
&id
) const
67 { return mIdent
== id
.mIdent
&& mSig
== id
.mSig
; }
70 DLDbIdentifier mIdent
;
71 DbBlob::Signature mSig
;
76 // A vestigal system-global database instance
77 // We don't (yet) use it for anything. Perhaps it should carry our ACL...
79 class KeychainDbGlobal
: public PerGlobal
{
81 KeychainDbGlobal(const DbIdentifier
&id
);
84 const DbIdentifier
&identifier() const { return mIdentifier
; }
87 DbIdentifier mIdentifier
; // database external identifier [const]
92 // KeychainDatabase DbCommons
94 class KeychainDbCommon
: public LocalDbCommon
,
95 public DatabaseCryptoCore
, public MachServer::Timer
{
97 KeychainDbCommon(Session
&ssn
, const DbIdentifier
&id
);
100 KeychainDbGlobal
&global() const;
102 bool unlockDb(DbBlob
*blob
, void **privateAclBlob
= NULL
);
103 void lockDb(); // make locked (if currently unlocked)
104 bool isLocked() { return mIsLocked
; } // lock status
106 void invalidateBlob() { version
++; }
108 void activity(); // reset lock timeout
110 void makeNewSecrets();
112 const DbIdentifier
&identifier() const {return mIdentifier
; }
113 const DLDbIdentifier
&dlDbIdent() const { return identifier(); }
114 const char *dbName() const { return dlDbIdent().dbName(); }
115 bool isLoginKeychain() const { return mLoginKeychain
; }
117 DbBlob
*encode(KeychainDatabase
&db
);
119 void notify(NotificationEvent event
) { DbCommon::notify(event
, identifier()); }
121 void sleepProcessing();
122 void lockProcessing();
124 bool belongsToSystem() const;
128 IFDUMP(void dumpNode());
131 void action(); // timer queue action to lock keychain
133 // lifetime management for our Timer personality
138 // all following data locked with object lock
139 uint32 sequence
; // change sequence number
140 DBParameters mParams
; // database parameters (arbitrated copy)
142 uint32 version
; // version stamp for change tracking
145 DbIdentifier mIdentifier
; // database external identifier [const]
146 // all following data protected by object lock
147 bool mIsLocked
; // logically locked
148 bool mValidParams
; // mParams has been set
154 // A Database object represents an Apple CSP/DL open database (DL/DB) object.
155 // It maintains its protected semantic state (including keys) and provides controlled
158 class KeychainDatabase
: public LocalDatabase
, private virtual SecurityServerAcl
{
159 friend class KeychainDbCommon
;
161 KeychainDatabase(const DLDbIdentifier
&id
, const DBParameters
¶ms
, Process
&proc
,
162 const AccessCredentials
*cred
, const AclEntryPrototype
*owner
);
163 KeychainDatabase(const DLDbIdentifier
&id
, const DbBlob
*blob
, Process
&proc
,
164 const AccessCredentials
*cred
);
166 // keychain synchronization recode to a specfic blob:
167 KeychainDatabase(KeychainDatabase
&src
, Process
&proc
, DbHandle dbToClone
);
168 virtual ~KeychainDatabase();
170 KeychainDbCommon
&common() const;
171 const char *dbName() const;
172 bool transient() const;
174 KeychainDbGlobal
&global() const { return common().global(); }
177 static const int maxUnlockTryCount
= 3;
180 const DbIdentifier
&identifier() const { return common().identifier(); }
183 // encoding/decoding databases
186 void authenticate(CSSM_DB_ACCESS_TYPE mode
, const AccessCredentials
*cred
);
187 void changePassphrase(const AccessCredentials
*cred
);
188 RefPointer
<Key
> extractMasterKey(Database
&db
, const AccessCredentials
*cred
,
189 const AclEntryPrototype
*owner
, uint32 usage
, uint32 attrs
);
190 void commitSecretsForSync(KeychainDatabase
&cloneDb
);
192 // lock/unlock processing
193 void lockDb(); // unconditional lock
194 void unlockDb(); // full-feature unlock
195 void unlockDb(const CssmData
&passphrase
); // unlock with passphrase
197 void stashDbCheck(); // check AppleKeyStore for master key
198 void stashDb(); // stash master key in AppleKeyStore
200 bool decode(); // unlock given established master key
201 bool decode(const CssmData
&passphrase
); // set master key from PP, try unlock
203 bool validatePassphrase(const CssmData
&passphrase
) const; // nonthrowing validation
204 bool isLocked() { return common().isLocked(); } // lock status
205 void notify(NotificationEvent event
) { return common().notify(event
); }
206 void activity() const { common().activity(); } // reset timeout clock
208 // encoding/decoding keys
209 void decodeKey(KeyBlob
*blob
, CssmKey
&key
, void * &pubAcl
, void * &privAcl
);
210 KeyBlob
*encodeKey(const CssmKey
&key
, const CssmData
&pubAcl
, const CssmData
&privAcl
);
211 KeyBlob
*recodeKey(KeychainKey
&oldKey
);
212 bool validBlob() const { return mBlob
&& version
== common().version
; }
214 // manage database parameters
215 void setParameters(const DBParameters
¶ms
);
216 void getParameters(DBParameters
¶ms
);
218 // where's my (database) ACL?
219 SecurityServerAcl
&acl();
221 AclKind
aclKind() const;
222 Database
*relatedDatabase();
224 // ACL state management hooks
225 void instantiateAcl();
228 // miscellaneous utilities
229 static void validateBlob(const DbBlob
*blob
);
232 IFDUMP(void dumpNode());
235 RefPointer
<Key
> makeKey(const CssmKey
&newKey
, uint32 moreAttributes
, const AclEntryPrototype
*owner
);
236 RefPointer
<Key
> makeKey(Database
&db
, const CssmKey
&newKey
, uint32 moreAttributes
, const AclEntryPrototype
*owner
);
238 void makeUnlocked(); // interior version of unlock()
239 void makeUnlocked(const AccessCredentials
*cred
); // like () with explicit cred
240 void makeUnlocked(const CssmData
&passphrase
); // interior version of unlock(CssmData)
242 void establishOldSecrets(const AccessCredentials
*creds
);
243 bool establishNewSecrets(const AccessCredentials
*creds
, SecurityAgent::Reason reason
);
245 bool interactiveUnlock();
247 CssmClient::Key
keyFromCreds(const TypedList
&sample
, unsigned int requiredLength
);
249 void encode(); // (re)generate mBlob if needed
252 // all following data is locked by the common lock
253 bool mValidData
; // valid ACL and params (blob decoded)
254 CssmAutoData mSecret
;
257 uint32 version
; // version stamp for blob validity
258 DbBlob
*mBlob
; // database blob (encoded)
260 AccessCredentials
*mCred
; // local access credentials (always valid)
262 RefPointer
<KeychainDatabase
> mRecodingSource
; // keychain synchronization ONLY; should not require accessors
265 #endif //_H_KCDATABASE