]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_apple_cspdl/lib/SSCSPDLSession.cpp
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57740.51.3.tar.gz
[apple/security.git] / OSX / libsecurity_apple_cspdl / lib / SSCSPDLSession.cpp
1 /*
2 * Copyright (c) 2000-2001,2008,2011-2012 Apple Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // SSCSPDLSession.cpp - Security Server CSP/DL session.
21 //
22 #include "SSCSPDLSession.h"
23
24 #include "CSPDLPlugin.h"
25 #include "SSKey.h"
26
27
28 #ifndef SECURITYSERVER_ACL_EDITS
29
30 #include <security_cdsa_client/aclclient.h>
31 #include <security_keychain/Access.h>
32 #include <security_keychain/TrustedApplication.h>
33 #include <security_utilities/seccfobject.h>
34
35 //
36 // ClientSessionKey - Lightweight wrapper for a KeyHandle that is also an CssmClient::AclBearer
37 //
38 class ClientSessionKey: public CssmClient::AclBearer
39 {
40 public:
41 ClientSessionKey(SecurityServer::ClientSession &clientSession, SecurityServer::KeyHandle keyHandle);
42 ~ClientSessionKey();
43
44 // Acl manipulation
45 virtual void getAcl(AutoAclEntryInfoList &aclInfos,
46 const char *selectionTag = NULL) const;
47 virtual void changeAcl(const CSSM_ACL_EDIT &aclEdit,
48 const CSSM_ACCESS_CREDENTIALS *cred = NULL);
49
50 // Acl owner manipulation
51 virtual void getOwner(AutoAclOwnerPrototype &owner) const;
52 virtual void changeOwner(const CSSM_ACL_OWNER_PROTOTYPE &newOwner,
53 const CSSM_ACCESS_CREDENTIALS *cred = NULL);
54
55
56 private:
57 SecurityServer::ClientSession &mClientSession;
58 SecurityServer::KeyHandle mKeyHandle;
59 };
60
61 #endif //!SECURITYSERVER_ACL_EDITS
62
63
64 using namespace SecurityServer;
65
66 //
67 // SSCSPDLSession -- Security Server CSP session
68 //
69 SSCSPDLSession::SSCSPDLSession()
70 {
71 }
72
73
74 //
75 // Reference Key management
76 //
77 void
78 SSCSPDLSession::makeReferenceKey(SSCSPSession &session, KeyHandle inKeyHandle,
79 CssmKey &outKey, SSDatabase &inSSDatabase,
80 uint32 inKeyAttr, const CssmData *inKeyLabel)
81 {
82 SSKey* sskey = new SSKey(session, inKeyHandle, outKey, inSSDatabase, inKeyAttr,
83 inKeyLabel);
84 (void) sskey; // Compiler thinks this variable isn't used, but we want the side effects of creation. Tell the compiler it's okay.
85
86 secinfo("SecAccessReference", "made a new reference sskey with handle %d [%ld]", sskey->keyHandle(), sskey->keyReference());
87 }
88
89 SSKey &
90 SSCSPDLSession::lookupKey(const CssmKey &inKey)
91 {
92 /* for now we only allow ref keys */
93 if(inKey.blobType() != CSSM_KEYBLOB_REFERENCE) {
94 CssmError::throwMe(CSSMERR_CSP_INVALID_KEY);
95 }
96
97 /* fetch key (this is just mapping the value in inKey.KeyData to an SSKey) */
98 SSKey &theKey = find<SSKey>(inKey);
99
100 secinfo("SecAccessReference", "looked up a sskey with handle %d [%ld]", theKey.keyHandle(), theKey.keyReference());
101
102 #ifdef someday
103 /*
104 * Make sure caller hasn't changed any crucial header fields.
105 * Some fields were changed by makeReferenceKey, so make a local copy....
106 */
107 CSSM_KEYHEADER localHdr = cssmKey.KeyHeader;
108 get binKey-like thing from SSKey, maybe SSKey should keep a copy of
109 hdr...but that's' not supersecure....;
110
111 localHdr.BlobType = binKey->mKeyHeader.BlobType;
112 localHdr.Format = binKey->mKeyHeader.Format;
113 if(memcmp(&localHdr, &binKey->mKeyHeader, sizeof(CSSM_KEYHEADER))) {
114 CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_REFERENCE);
115 }
116 #endif
117 return theKey;
118 }
119
120 // Notification we receive when the acl on a key has changed. We should write it back to disk if it's persistent.
121 void
122 SSCSPDLSession::didChangeKeyAcl(SecurityServer::ClientSession &clientSession,
123 KeyHandle keyHandle, CSSM_ACL_AUTHORIZATION_TAG tag)
124 {
125 SSKey *theKey = NULL;
126
127 {
128 // Lookup the SSKey for the KeyHandle
129 StLock<Mutex> _(mKeyMapLock);
130 KeyMap::const_iterator it;
131 KeyMap::const_iterator end = mKeyMap.end();
132 for (it = mKeyMap.begin(); it != end; ++it)
133 {
134 SSKey *aKey = dynamic_cast<SSKey *>(it->second);
135 if (aKey->optionalKeyHandle() == keyHandle)
136 {
137 // Write the key to disk if it's persistent.
138 theKey = aKey;
139 break;
140 }
141 }
142 }
143
144 if (theKey)
145 {
146 theKey->didChangeAcl();
147 }
148 else
149 {
150 // @@@ Should we really throw here or just continue without updating the ACL? In reality this should never happen, so let's at least log it and throw.
151 secinfo("keyacl", "SSCSPDLSession::didChangeKeyAcl() keyHandle: %lu not found in map", (unsigned long)keyHandle);
152 CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_REFERENCE);
153 }
154 }
155
156 void
157 SSCSPDLSession::didChangeKeyAclCallback(void *context, SecurityServer::ClientSession &clientSession,
158 SecurityServer::KeyHandle key, CSSM_ACL_AUTHORIZATION_TAG tag)
159 {
160 reinterpret_cast<SSCSPDLSession *>(context)->didChangeKeyAcl(clientSession, key, tag);
161 }
162
163 #ifndef SECURITYSERVER_ACL_EDITS
164 //
165 // ClientSessionKey - Lightweight wrapper for a KeyHandle that is also an CssmClient::AclBearer
166 //
167 ClientSessionKey::ClientSessionKey(ClientSession &clientSession, SecurityServer::KeyHandle keyHandle) :
168 mClientSession(clientSession),
169 mKeyHandle(keyHandle)
170 {
171 }
172
173 ClientSessionKey::~ClientSessionKey()
174 {
175 }
176
177 void
178 ClientSessionKey::getAcl(AutoAclEntryInfoList &aclInfos,
179 const char *selectionTag) const
180 {
181 secinfo("keyacl", "ClientSessionKey::getAcl() keyHandle: %u", mKeyHandle);
182 aclInfos.allocator(mClientSession.returnAllocator);
183 mClientSession.getKeyAcl(mKeyHandle, selectionTag,
184 *static_cast<uint32 *>(aclInfos),
185 *reinterpret_cast<AclEntryInfo **>(static_cast<CSSM_ACL_ENTRY_INFO_PTR *>(aclInfos)));
186 }
187
188 void
189 ClientSessionKey::changeAcl(const CSSM_ACL_EDIT &aclEdit,
190 const CSSM_ACCESS_CREDENTIALS *cred)
191 {
192 secinfo("keyacl", "ClientSessionKey::changeAcl() keyHandle: %u", mKeyHandle);
193 mClientSession.changeKeyAcl(mKeyHandle, AccessCredentials::overlay(*cred), AclEdit::overlay(aclEdit));
194 }
195
196 void
197 ClientSessionKey::getOwner(AutoAclOwnerPrototype &owner) const
198 {
199 secinfo("keyacl", "ClientSessionKey::getOwner() keyHandle: %u", mKeyHandle);
200 owner.allocator(mClientSession.returnAllocator);
201 mClientSession.getKeyOwner(mKeyHandle,
202 *reinterpret_cast<AclOwnerPrototype *>(static_cast<CSSM_ACL_OWNER_PROTOTYPE *>(owner)));
203 }
204
205 void
206 ClientSessionKey::changeOwner(const CSSM_ACL_OWNER_PROTOTYPE &newOwner,
207 const CSSM_ACCESS_CREDENTIALS *cred)
208 {
209 secinfo("keyacl", "ClientSessionKey::changeOwner() keyHandle: %u", mKeyHandle);
210 mClientSession.changeKeyOwner(mKeyHandle, AccessCredentials::overlay(*cred), AclOwnerPrototype::overlay(newOwner));
211 }
212
213 #endif // !SECURITYSERVER_ACL_EDITS
mirror of Security