2 * Copyright (c) 2009-2010,2012-2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 #undef SECUREOBJECTSYNC
27 #undef SHAREDWEBCREDENTIALS
30 #pragma clang diagnostic push
31 #pragma clang diagnostic ignored "-Wfour-char-constants"
33 #include "keychain/securityd/spi.h"
34 #include "ipc/SecdWatchdog.h"
35 #include "ipc/server_security_helpers.h"
36 #include "ipc/securityd_client.h"
37 #include "keychain/securityd/SecItemBackupServer.h"
38 #include "keychain/securityd/SecItemServer.h"
39 #include <Security/SecureObjectSync/SOSPeerInfo.h>
40 #include <CoreFoundation/CFString.h>
41 #include <CoreFoundation/CFError.h>
42 #include "keychain/securityd/SOSCloudCircleServer.h"
43 #include "keychain/securityd/SecOTRRemote.h"
44 #include "keychain/securityd/SecLogSettingsServer.h"
46 #include <CoreFoundation/CFXPCBridge.h>
47 #include "utilities/iOSforOSX.h"
48 #include "utilities/SecFileLocations.h"
49 #include "trust/trustd/OTATrustUtilities.h"
50 #include "trust/trustd/trustd_spi.h"
52 #pragma clang diagnostic pop
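/*
 * Local (in-process) implementation table for the securityd SPI.
 *
 * Each member of struct securityd named below is bound to the server-side
 * function that implements it. securityd_init_local_spi() makes the table
 * live by pointing gSecurityd at it.
 *
 * Review notes:
 *  - Members that are not named in the initializer start out NULL, because
 *    the object has static storage. That covers soscc_status and
 *    secd_xpc_server, which securityd_init_local_spi() assigns at run time,
 *    and (if struct securityd still declares them) every member inside a
 *    conditional group whose macro is off. Code that calls through
 *    gSecurityd needs a NULL check, or the same #if, before using those.
 *  - The table is writable rather than const because of those run-time
 *    assignments.
 *  - Only function pointers are wired up here; nothing in this table checks
 *    the caller. Entitlement / access-group enforcement is presumably done
 *    in the callees or in the IPC layer -- confirm per entry.
 *  - NOTE(review): the listing this was recovered from had lost the
 *    "#endif" / "#if SECUREOBJECTSYNC" pair between the two conditional
 *    groups and the closing "};". They are restored here so that the
 *    surviving SECUREOBJECTSYNC #endif is balanced.
 */
static struct securityd securityd_spi = {
    .sec_item_add = _SecItemAdd,
    .sec_item_copy_matching = _SecItemCopyMatching,
    .sec_item_update = _SecItemUpdate,
    .sec_item_delete = _SecItemDelete,
    .sec_item_delete_all = _SecItemDeleteAll,
    .sec_keychain_backup = _SecServerKeychainCreateBackup,
    .sec_keychain_restore = _SecServerKeychainRestore,
    .sec_item_copy_parent_certificates = _SecItemCopyParentCertificates,
    .sec_item_certificate_exists = _SecItemCertificateExists,
    .sec_roll_keys = _SecServerRollKeysGlue,
    .sec_item_update_token_items_for_access_groups = _SecItemUpdateTokenItemsForAccessGroups,
    .sec_delete_items_with_access_groups = _SecItemServerDeleteAllWithAccessGroups,
#if SHAREDWEBCREDENTIALS
    .sec_add_shared_web_credential = _SecAddSharedWebCredential,
    .sec_copy_shared_web_credential = _SecCopySharedWebCredential,
#endif /* SHAREDWEBCREDENTIALS */
#if SECUREOBJECTSYNC
    .sec_keychain_backup_syncable = _SecServerBackupSyncable,
    .sec_keychain_restore_syncable = _SecServerRestoreSyncable,
    .sec_item_backup_copy_names = SecServerItemBackupCopyNames,
    .sec_item_backup_ensure_copy_view = SecServerItemBackupEnsureCopyView,
    .sec_item_backup_handoff_fd = SecServerItemBackupHandoffFD,
    .sec_item_backup_set_confirmed_manifest = SecServerItemBackupSetConfirmedManifest,
    .sec_item_backup_restore = SecServerItemBackupRestore,
    .sec_otr_session_create_remote = _SecOTRSessionCreateRemote,
    .sec_otr_session_process_packet_remote = _SecOTRSessionProcessPacketRemote,
    .soscc_TryUserCredentials = SOSCCTryUserCredentials_Server,
    .soscc_SetUserCredentials = SOSCCSetUserCredentials_Server,
    .soscc_SetUserCredentialsAndDSID = SOSCCSetUserCredentialsAndDSID_Server,
    .soscc_CanAuthenticate = SOSCCCanAuthenticate_Server,
    .soscc_PurgeUserCredentials = SOSCCPurgeUserCredentials_Server,
    .soscc_ThisDeviceIsInCircle = SOSCCThisDeviceIsInCircle_Server,
    .soscc_RequestToJoinCircle = SOSCCRequestToJoinCircle_Server,
    .soscc_RequestToJoinCircleAfterRestore = SOSCCRequestToJoinCircleAfterRestore_Server,
    .soscc_SetToNew = SOSCCAccountSetToNew_Server,
    .soscc_ResetToOffering = SOSCCResetToOffering_Server,
    .soscc_ResetToEmpty = SOSCCResetToEmpty_Server,
    .soscc_View = SOSCCView_Server,
    .soscc_ViewSet = SOSCCViewSet_Server,
    .soscc_RemoveThisDeviceFromCircle = SOSCCRemoveThisDeviceFromCircle_Server,
    .soscc_RemovePeersFromCircle = SOSCCRemovePeersFromCircle_Server,
    .soscc_LoggedOutOfAccount = SOSCCLoggedOutOfAccount_Server,
    .soscc_BailFromCircle = SOSCCBailFromCircle_Server,
    .soscc_AcceptApplicants = SOSCCAcceptApplicants_Server,
    .soscc_RejectApplicants = SOSCCRejectApplicants_Server,
    .soscc_CopyApplicantPeerInfo = SOSCCCopyApplicantPeerInfo_Server,
    .soscc_CopyGenerationPeerInfo = SOSCCCopyGenerationPeerInfo_Server,
    .soscc_CopyValidPeerPeerInfo = SOSCCCopyValidPeerPeerInfo_Server,
    .soscc_ValidateUserPublic = SOSCCValidateUserPublic_Server,
    .soscc_CopyNotValidPeerPeerInfo = SOSCCCopyNotValidPeerPeerInfo_Server,
    .soscc_CopyRetirementPeerInfo = SOSCCCopyRetirementPeerInfo_Server,
    .soscc_CopyViewUnawarePeerInfo = SOSCCCopyViewUnawarePeerInfo_Server,
    .soscc_CopyEngineState = SOSCCCopyEngineState_Server,
    .soscc_CopyPeerInfo = SOSCCCopyPeerPeerInfo_Server,
    .soscc_CopyConcurringPeerInfo = SOSCCCopyConcurringPeerPeerInfo_Server,
    .soscc_ProcessSyncWithPeers = SOSCCProcessSyncWithPeers_Server,
    .soscc_ProcessSyncWithAllPeers = SOSCCProcessSyncWithAllPeers_Server,
    .soscc_EnsurePeerRegistration = SOSCCProcessEnsurePeerRegistration_Server,
    .sec_keychain_sync_update_message = _SecServerKeychainSyncUpdateMessage,
    .sec_get_log_settings = SecCopyLogSettings_Server,
    .sec_set_xpc_log_settings = SecSetXPCLogSettings_Server,
    .sec_set_circle_log_settings = SecSetCircleLogSettings_Server,
    .soscc_CopyMyPeerInfo = SOSCCCopyMyPeerInfo_Server,
    .soscc_SetLastDepartureReason = SOSCCSetLastDepartureReason_Server,
    .soscc_SetNewPublicBackupKey = SOSCCSetNewPublicBackupKey_Server,
    .soscc_RegisterSingleRecoverySecret = SOSCCRegisterSingleRecoverySecret_Server,
    .soscc_WaitForInitialSync = SOSCCWaitForInitialSync_Server,
    .soscc_AccountHasPublicKey = SOSCCAccountHasPublicKey_Server,
    .soscc_SOSCCPeersHaveViewsEnabled = SOSCCPeersHaveViewsEnabled_Server,
    .soscc_RegisterRecoveryPublicKey = SOSCCRegisterRecoveryPublicKey_Server,
    .soscc_CopyRecoveryPublicKey = SOSCCCopyRecoveryPublicKey_Server,
    .soscc_SOSCCMessageFromPeerIsPending = SOSCCMessageFromPeerIsPending_Server,
    .soscc_SOSCCSendToPeerIsPending = SOSCCSendToPeerIsPending_Server,
#endif /* SECUREOBJECTSYNC */
};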
// Accessor that securityd_init_local_spi() installs as
// securityd_spi.soscc_status. It forwards to
// SOSKeychainAccountGetSharedAccount(). The function pointer is stored, not
// its result, so the account lookup runs when soscc_status is invoked rather
// than at init time. Built only when SECD_SERVER && SECUREOBJECTSYNC.
// NOTE(review): this listing skips original lines 132, 134 and 136-138, so
// the return type, the braces and the closing #endif are not visible here.
131 #if SECD_SERVER && SECUREOBJECTSYNC
133 delayedSOSSharedObject(void)
135 return SOSKeychainAccountGetSharedAccount();
// Routes the securityd SPI to this process: points the global gSecurityd at
// the static securityd_spi table, then fills in two members that the static
// initializer does not name (soscc_status and secd_xpc_server).
// NOTE(review): gSecurityd is published before those two members are
// assigned, so a reader that dereferences gSecurityd while this function is
// still running could see them unset. Confirm that init completes before
// any other thread or XPC handler uses the table.
139 void securityd_init_local_spi(void) {
140 gSecurityd
= &securityd_spi
;
141 #if SECD_SERVER && SECUREOBJECTSYNC
142 // We're the server: we need to handle this locally. Bring them up and set them in the global object.
// Stores the accessor itself (no call here); see delayedSOSSharedObject.
143 securityd_spi
.soscc_status
= delayedSOSSharedObject
;
// NOTE(review): original line 144 is missing from this listing, and so are
// lines 147-148 after the last assignment. The #endif that closes the #if
// above sits on one of them, so whether the secd_xpc_server assignment
// below is inside the conditional cannot be determined from here.
145 // You're trying to bring up a (non-trustd) 'securityd'. Create the local handler for securityd XPCs.
146 securityd_spi
.secd_xpc_server
= SecCreateLocalCFSecuritydXPCServer();
// Server start-up path: installs the local SPI table, then calls
// kc_with_dbt() straight away with a block that only logs, so the keychain
// is brought up at start instead of on first use (see the original comment
// below for why).
// In the visible code a failure is logged with secerror and nothing else is
// done about it: no abort, retry or degraded-mode flag appears here, so
// later keychain calls are presumably expected to surface the error
// themselves -- confirm.
// NOTE(review): this listing skips original lines 151, 157-158, 161 and
// 163-166. The block's return statement and closing, the closing braces and
// anything else on those lines are not visible.
149 void securityd_init_server(void) {
150 securityd_init_local_spi();
152 // Lazy initialization is no good; bring up the keychain on start
153 // If you want to not do this, you'll need to check the APSConnection Mach mailbox for messages here instead (good luck)
154 CFErrorRef cferror
= nil
;
// The meaning of the first argument (false) is defined by kc_with_dbt, which
// is not visible in this file; the block does not use its dbt parameter.
155 bool keychainAlive
= kc_with_dbt(false, &cferror
, ^bool(SecDbConnectionRef dbt
) {
156 secnotice("keychain", "Keychain initialized!");
// Treats either a false result or a non-NULL error as failure.
159 if(!keychainAlive
|| cferror
) {
160 secerror("Couldn't bring up keychain: %@", cferror
);
// Called on the success path as well, where cferror is still nil.
162 CFReleaseNull(cferror
);
167 void securityd_init(CFURLRef home_path
) {
169 SetCustomHomeURL(home_path
);
172 securityd_init_server();
174 trustd_init_server();