keychain/KeychainStasher/KeychainStasher.m

   1 #import <xpc/private.h>
   2
   3 #import "utilities/debugging.h"
   4 #import <Security/SecItemPriv.h>
   5 #import "LocalKeychainAnalytics.h"
   6
   7 #import "KeychainStasher.h"
   8
   9 NSString* const kApplicationIdentifier = @"com.apple.security.KeychainStasher";
  10
  11 @implementation KeychainStasher
  12
  13 - (NSError*)errorWithStatus:(OSStatus)status message:(NSString*)format, ... NS_FORMAT_FUNCTION(2, 3)
  14 {
  15     if (status == errSecSuccess) {
  16         return nil;
  17     }
  18
  19     NSString* desc;
  20     if (format) {
  21         va_list ap;
  22         va_start(ap, format);
  23         desc = [[NSString alloc] initWithFormat:format arguments:ap];
  24         va_end(ap);
  25     }
  26     return [NSError errorWithDomain:NSOSStatusErrorDomain
  27                                code:status
  28                            userInfo:desc ? @{NSLocalizedDescriptionKey : desc} : nil];
  29 }
  30
  31 - (NSMutableDictionary*)baseQuery {
  32     return [@{
  33         (id)kSecUseDataProtectionKeychain : @YES,
  34         (id)kSecAttrAccessible : (id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
  35         // Prevents backups in case this ever comes to the Mac, prevents sync
  36         (id)kSecAttrSysBound : @(kSecSecAttrSysBoundPreserveDuringRestore),
  37         // Belt-and-suspenders prohibition on syncing
  38         (id)kSecAttrSynchronizable : @NO,
  39         (id)kSecClass : (id)kSecClassKey,
  40         (id)kSecAttrApplicationLabel : @"loginstash",
  41         // This is the default, but just making sure
  42         (id)kSecAttrAccessGroup : kApplicationIdentifier,
  43     } mutableCopy];
  44 }
  45
  46 - (void)stashKey:(NSData*)key withReply:(void (^)(NSError*))reply {
  47     secnotice("stashkey", "Will attempt to stash key");
  48     if (!key || key.length == 0) {
  49         reply([self errorWithStatus:errSecParam message:@"nil or empty key passed"]);
  50         return;
  51     }
  52
  53     NSMutableDictionary* query = [self baseQuery];
  54     query[(id)kSecValueData] = key;
  55
  56     OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, NULL);
  57     secnotice("stashkey", "SecItemAdd result: %ld", (long)status);
  58
  59     if (status == errSecDuplicateItem) {
  60         [[LocalKeychainAnalytics logger] logResultForEvent:LKAEventStash hardFailure:NO result:[self errorWithStatus:status message:nil]];
  61         query[(id)kSecValueData] = nil;
  62         NSDictionary* update = @{(id)kSecValueData : key};
  63         status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)update);
  64         secnotice("stashkey", "SecItemUpdate result: %ld", (long)status);
  65     }
  66
  67     [[LocalKeychainAnalytics logger] logResultForEvent:LKAEventStash hardFailure:YES result:[self errorWithStatus:status message:nil]];
  68     if (status == errSecSuccess) {
  69         reply(nil);
  70     } else {
  71         reply([self errorWithStatus:status message:@"Stash failed with keychain error"]);
  72     }
  73 }
  74
  75 - (void)loadKeyWithReply:(void (^)(NSData*, NSError*))reply {
  76     secnotice("KeychainStasher", "Will attempt to retrieve stashed key");
  77
  78     NSMutableDictionary* query = [self baseQuery];
  79     query[(id)kSecReturnData] = @YES;
  80
  81     CFTypeRef object = NULL;
  82     OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &object);
  83
  84     if (status != errSecSuccess) {
  85         if (status == errSecItemNotFound) {
  86             reply(nil, [self errorWithStatus:status message:@"No stashed key found"]);
  87         } else {
  88             reply(nil, [self errorWithStatus:status message:@"Keychain error"]);
  89         }
  90         [[LocalKeychainAnalytics logger] logResultForEvent:LKAEventStashLoad hardFailure:YES result:[self errorWithStatus:status message:nil]];
  91         return;
  92     }
  93
  94     NSData* key;
  95     if (!object || CFGetTypeID(object) != CFDataGetTypeID() || !(key = CFBridgingRelease(object))) {
  96         reply(nil, [self errorWithStatus:errSecInternalError
  97                                  message:@"No or bad object: %d / %lu / %d",
  98                                          object != NULL, object ? CFGetTypeID(object) : 0, key != nil]);
  99         [[LocalKeychainAnalytics logger] logResultForEvent:LKAEventStashLoad
 100                                                hardFailure:YES
 101                                                     result:[self errorWithStatus:errSecInternalError message:nil]];
 102         return;
 103     }
 104
 105     // Caller does not need to wait for our delete
 106     reply(key, nil);
 107
 108     query[(id)kSecReturnData] = nil;
 109     status = SecItemDelete((__bridge CFDictionaryRef)query);
 110     if (status != errSecSuccess) {
 111         seccritical("Unable to delete masterkey after load: %d", (int)status);
 112     }
 113     [[LocalKeychainAnalytics logger] logResultForEvent:LKAEventStashLoad hardFailure:NO result:[self errorWithStatus:status message:nil]];
 114 }
 115
 116 @end