]> git.saurik.com Git - apple/security.git/blob - OSX/sec/ipc/securityd_client.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-58286.230.21.tar.gz
[apple/security.git] / OSX / sec / ipc / securityd_client.h
1 /*
2 * Copyright (c) 2007-2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 #ifndef _SECURITYD_CLIENT_H_
24 #define _SECURITYD_CLIENT_H_
25
26 #include <stdint.h>
27
28 #include <securityd/SecKeybagSupport.h>
29
30 #include <Security/SecTrust.h>
31 #include <Security/SecTask.h>
32 #ifndef MINIMIZE_INCLUDES
33 # include <Security/SecTrustStore.h>
34 #else
35 typedef struct __SecTrustStore *SecTrustStoreRef;
36 # ifndef _SECURITY_SECCERTIFICATE_H_
37 typedef struct __SecCertificate *SecCertificateRef;
38 # endif // _SECURITY_SECCERTIFICATE_H_
39 #endif // MINIMIZE_INCLUDES
40
41 #if TARGET_HAS_KEYSTORE
42 #include <libaks.h>
43 #endif
44
45 #include <CoreFoundation/CFArray.h>
46 #include <CoreFoundation/CFDictionary.h>
47 #include <CoreFoundation/CFError.h>
48
49 #include <Security/SecureObjectSync/SOSCloudCircle.h>
50 #include <Security/SecureObjectSync/SOSPeerInfo.h>
51 #include <Security/SecureObjectSync/SOSRing.h>
52
53 #include <xpc/xpc.h>
54 #include <CoreFoundation/CFXPCBridge.h>
55
56 #include <TargetConditionals.h>
57
58 #if TARGET_OS_OSX
59 #define kSecuritydXPCServiceName "com.apple.securityd.xpc"
60 #define kSecuritydSystemXPCServiceName "com.apple.securityd.system.xpc"
61 #define kTrustdAgentXPCServiceName "com.apple.trustd.agent"
62 #define kTrustdXPCServiceName "com.apple.trustd"
63 #else
64 #define kSecuritydXPCServiceName "com.apple.securityd"
65 #define kTrustdAgentXPCServiceName "com.apple.trustd"
66 #define kTrustdXPCServiceName "com.apple.trustd"
67 #endif // *** END TARGET_OS_OSX ***
68
69 #define kSecuritydGeneralServiceName "com.apple.securityd.general"
70 #define kSecuritydSOSServiceName "com.apple.securityd.sos"
71
72 //
73 // MARK: XPC Information.
74 //
75
76 extern CFStringRef sSecXPCErrorDomain;
77
78 extern const char *kSecXPCKeyOperation;
79 extern const char *kSecXPCKeyResult;
80 extern const char *kSecXPCKeyEndpoint;
81 extern const char *kSecXPCKeyError;
82 extern const char *kSecXPCKeyPeerInfoArray;
83 extern const char *kSecXPCKeyUserLabel;
84 extern const char *kSecXPCKeyBackup;
85 extern const char *kSecXPCKeyKeybag;
86 extern const char *kSecXPCKeyUserPassword;
87 extern const char *kSecXPCKeyEMCSBackup;
88 extern const char *kSecXPCKeyDSID;
89 extern const char *kSecXPCKeyViewName;
90 extern const char *kSecXPCKeyViewActionCode;
91 extern const char *kSecXPCKeyNewPublicBackupKey;
92 extern const char *kSecXPCKeyRecoveryPublicKey;
93 extern const char *kSecXPCKeyIncludeV0;
94 extern const char *kSecXPCKeyEnabledViewsKey;
95 extern const char *kSecXPCKeyDisabledViewsKey;
96 extern const char *kSecXPCKeyEscrowLabel;
97 extern const char *kSecXPCKeyTriesLabel;
98 extern const char *kSecXPCKeyFileDescriptor;
99 extern const char *kSecXPCKeyAccessGroups;
100 extern const char *kSecXPCKeyClasses;
101 extern const char *kSecXPCKeyNormalizedIssuer;
102 extern const char *kSecXPCKeySerialNumber;
103 extern const char *kSecXPCKeyBackupKeybagIdentifier;
104 extern const char *kSecXPCKeyBackupKeybagPath;
105
106 //
107 // MARK: Dispatch macros
108 //
109
110 #define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
111 #define TRUSTD_XPC(sdp, wrapper, ...) ((gTrustd && gTrustd->sdp) ? gTrustd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
112
113 #define TRUSTD_XPC_ASYNC(sdp, wrapper, q, h, ...) do { \
114 if (gTrustd != NULL && gTrustd->sdp != NULL) { \
115 dispatch_async(q, ^{ \
116 CFErrorRef _error = NULL; \
117 SecTrustResultType _tr = gTrustd->sdp(__VA_ARGS__, &_error); \
118 h(_tr, _error); \
119 }); \
120 } else { \
121 wrapper(q, h, sdp ## _id, __VA_ARGS__); \
122 } \
123 } while (0)
124
125 //
126 // MARK: Object to XPC format conversion.
127 //
128
129
130 //
131 // MARK: XPC Interfaces
132 //
133
134 extern const char *kSecXPCKeyOperation;
135 extern const char *kSecXPCKeyResult;
136 extern const char *kSecXPCKeyError;
137 extern const char *kSecXPCKeyPeerInfoArray;
138 extern const char *kSecXPCKeyPeerInfo;
139 extern const char *kSecXPCKeyUserLabel;
140 extern const char *kSecXPCKeyUserPassword;
141 extern const char *kSecXPCKeyDSID;
142 extern const char *kSecXPCLimitInMinutes;
143 extern const char *kSecXPCKeyQuery;
144 extern const char *kSecXPCKeyAttributesToUpdate;
145 extern const char *kSecXPCKeyDomain;
146 extern const char *kSecXPCKeyDigest;
147 extern const char *kSecXPCKeyCertificate;
148 extern const char *kSecXPCKeySettings;
149 extern const char *kSecXPCPublicPeerId; // Public peer id
150 extern const char *kSecXPCOTRSession; // OTR session bytes
151 extern const char *kSecXPCData; // Data to process
152 extern const char *kSecXPCOTRReady; // OTR ready for messages
153 extern const char *kSecXPCKeyViewName;
154 extern const char *kSecXPCKeyViewActionCode;
155 extern const char *kSecXPCKeyHSA2AutoAcceptInfo;
156 extern const char *kSecXPCKeyEscrowLabel;
157 extern const char *kSecXPCKeyTriesLabel;
158 extern const char *kSecXPCKeyString;
159 extern const char *kSecXPCKeyArray;
160 extern const char *kSecXPCKeySet;
161 extern const char *kSecXPCKeySet2;
162 extern const char *kSecXPCVersion;
163 extern const char *kSecXPCKeySignInAnalytics;
164 extern const char *kSecXPCKeyReason;
165
166 //
167 // MARK: Mach port request IDs
168 //
169 enum SecXPCOperation {
170 sec_item_add_id = 0,
171 sec_item_copy_matching_id = 1,
172 sec_item_update_id = 2,
173 sec_item_delete_id = 3,
174 // trust_store_for_domain -- NOT an ipc
175 sec_trust_store_contains_id = 4,
176 sec_trust_store_set_trust_settings_id = 5,
177 sec_trust_store_remove_certificate_id = 6,
178 // remove_all -- NOT an ipc
179 sec_delete_all_id = 7,
180 sec_trust_evaluate_id = 8,
181 // Any new items MUST be added below here
182 // This allows updating roots on a device, since SecTrustEvaluate must continue to work
183 sec_keychain_backup_id,
184 sec_keychain_restore_id,
185 sec_keychain_backup_syncable_id,
186 sec_keychain_restore_syncable_id,
187 sec_item_backup_copy_names_id,
188 sec_item_backup_handoff_fd_id,
189 sec_item_backup_set_confirmed_manifest_id,
190 sec_item_backup_restore_id,
191 sec_keychain_sync_update_message_id,
192 sec_ota_pki_trust_store_version_id,
193 sec_ota_pki_asset_version_id,
194 sec_otr_session_create_remote_id,
195 sec_otr_session_process_packet_remote_id,
196 kSecXPCOpOTAPKIGetNewAsset,
197 kSecXPCOpOTAGetEscrowCertificates,
198 kSecXPCOpProcessUnlockNotification,
199 kSecXPCOpProcessSyncWithAllPeers,
200 kSecXPCOpRollKeys,
201 sec_add_shared_web_credential_id,
202 sec_copy_shared_web_credential_id,
203 sec_get_log_settings_id,
204 sec_set_xpc_log_settings_id,
205 sec_set_circle_log_settings_id,
206 soscc_EnsurePeerRegistration_id,
207 kSecXPCOpRequestEnsureFreshParameters,
208 kSecXPCOpGetAllTheRings,
209 kSecXPCOpApplyToARing,
210 kSecXPCOpWithdrawlFromARing,
211 kSecXPCOpEnableRing,
212 kSecXPCOpRingStatus,
213 kSecXPCOpRequestDeviceID,
214 kSecXPCOpSetDeviceID,
215 kSecXPCOpHandleIDSMessage,
216 kSecXPCOpSyncWithKVSPeer,
217 kSecXPCOpSyncWithIDSPeer,
218 kSecXPCOpSendIDSMessage,
219 kSecXPCOpPingTest,
220 kSecXPCOpIDSDeviceID,
221 kSecXPCOpSyncWithKVSPeerIDOnly,
222 // any process using an operation below here is required to have entitlement keychain-cloud-circle
223 kSecXPCOpTryUserCredentials,
224 kSecXPCOpSetUserCredentials,
225 kSecXPCOpSetUserCredentialsAndDSID,
226 kSecXPCOpSetUserCredentialsAndDSIDWithAnalytics,
227 kSecXPCOpCanAuthenticate,
228 kSecXPCOpPurgeUserCredentials,
229 kSecXPCOpDeviceInCircle,
230 kSecXPCOpRequestToJoin,
231 kSecXPCOpRequestToJoinWithAnalytics,
232 kSecXPCOpRequestToJoinAfterRestore,
233 kSecXPCOpRequestToJoinAfterRestoreWithAnalytics,
234 kSecXPCOpResetToOffering,
235 kSecXPCOpResetToEmpty,
236 kSecXPCOpResetToEmptyWithAnalytics,
237 kSecXPCOpView,
238 kSecXPCOpViewSet,
239 kSecXPCOpViewSetWithAnalytics,
240 kSecXPCOpRemoveThisDeviceFromCircle,
241 kSecXPCOpRemoveThisDeviceFromCircleWithAnalytics,
242 kSecXPCOpRemovePeersFromCircle,
243 kSecXPCOpRemovePeersFromCircleWithAnalytics,
244 kSecXPCOpLoggedOutOfAccount,
245 kSecXPCOpBailFromCircle,
246 kSecXPCOpAcceptApplicants,
247 kSecXPCOpRejectApplicants,
248 kSecXPCOpCopyApplicantPeerInfo,
249 kSecXPCOpCopyValidPeerPeerInfo,
250 kSecXPCOpValidateUserPublic,
251 kSecXPCOpCopyNotValidPeerPeerInfo,
252 kSecXPCOpCopyPeerPeerInfo,
253 kSecXPCOpCopyConcurringPeerPeerInfo,
254 kSecXPCOpCopyGenerationPeerInfo,
255 kSecXPCOpGetLastDepartureReason,
256 kSecXPCOpSetLastDepartureReason,
257 kSecXPCOpCopyIncompatibilityInfo,
258 kSecXPCOpCopyRetirementPeerInfo,
259 kSecXPCOpCopyViewUnawarePeerInfo,
260 kSecXPCOpCopyEngineState,
261 kSecXPCOpCopyMyPeerInfo,
262 kSecXPCOpAccountSetToNew,
263 kSecXPCOpSetNewPublicBackupKey,
264 kSecXPCOpSetBagForAllSlices,
265 kSecXPCOpWaitForInitialSync,
266 kSecXPCOpWaitForInitialSyncWithAnalytics,
267 kSecXPCOpCopyYetToSyncViews,
268 kSecXPCOpSetEscrowRecord,
269 kSecXPCOpGetEscrowRecord,
270 kSecXPCOpCheckPeerAvailability,
271 kSecXPCOpCopyAccountData,
272 kSecXPCOpDeleteAccountData,
273 kSecXPCOpCopyEngineData,
274 kSecXPCOpDeleteEngineData,
275 kSecXPCOpCopyApplication,
276 kSecXPCOpCopyCircleJoiningBlob,
277 kSecXPCOpJoinWithCircleJoiningBlob,
278 kSecXPCOpKVSKeyCleanup,
279 kSecXPCOpPopulateKVS,
280 kSecXPCOpAccountHasPublicKey,
281 kSecXPCOpAccountIsNew,
282 kSecXPCOpClearKVSPeerMessage,
283 kSecXPCOpRegisterRecoveryPublicKey,
284 kSecXPCOpGetRecoveryPublicKey,
285 kSecXPCOpCopyBackupInformation,
286 kSecXPCOpCopyInitialSyncBlob,
287 /* after this is free for all */
288 kSecXPCOpWhoAmI,
289 kSecXPCOpTransmogrifyToSyncBubble,
290 kSecXPCOpTransmogrifyToSystemKeychain,
291 kSecXPCOpWrapToBackupSliceKeyBagForView,
292 sec_item_update_token_items_id,
293 kSecXPCOpDeleteUserView,
294 sec_trust_store_copy_all_id,
295 sec_trust_store_copy_usage_constraints_id,
296 sec_ocsp_cache_flush_id,
297 sec_delete_items_with_access_groups_id,
298 kSecXPCOpIsThisDeviceLastBackup,
299 sec_keychain_backup_keybag_uuid_id,
300 kSecXPCOpPeersHaveViewsEnabled,
301 kSecXPCOpProcessSyncWithPeers,
302 kSecXPCOpMessageFromPeerIsPending,
303 kSecXPCOpSendToPeerIsPending,
304 sec_item_copy_parent_certificates_id,
305 sec_item_certificate_exists_id,
306 kSecXPCOpBackupKeybagAdd,
307 kSecXPCOpBackupKeybagDelete,
308 kSecXPCOpSFKeychainEndpoint,
309 kSecXPCOpKeychainControlEndpoint,
310 kSecXPCOpNetworkingAnalyticsReport,
311 kSecXPCOpSetCTExceptions,
312 kSecXPCOpCopyCTExceptions,
313 };
314
315
316 typedef struct SecurityClient {
317 SecTaskRef task;
318 CFArrayRef accessGroups;
319 bool allowSystemKeychain;
320 bool allowSyncBubbleKeychain;
321 bool isNetworkExtension;
322 bool canAccessNetworkExtensionAccessGroups;
323 uid_t uid;
324 CFDataRef musr;
325 #if TARGET_OS_EMBEDDED && TARGET_HAS_KEYSTORE
326 keybag_handle_t keybag;
327 #endif
328 #if TARGET_OS_IPHONE
329 bool inMultiUser;
330 int activeUser;
331 #endif
332 } SecurityClient;
333
334
335 extern SecurityClient * SecSecurityClientGet(void);
336 #if TARGET_OS_IOS
337 void SecSecuritySetMusrMode(bool mode, uid_t uid, int activeUser);
338 #endif
339
340 struct securityd {
341 bool (*sec_item_add)(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
342 bool (*sec_item_copy_matching)(CFDictionaryRef query, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
343 bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, SecurityClient *client, CFErrorRef* error);
344 bool (*sec_item_delete)(CFDictionaryRef query, SecurityClient *client, CFErrorRef* error);
345 bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
346 bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
347 bool (*sec_item_delete_all)(CFErrorRef* error);
348 CFArrayRef (*sec_item_copy_parent_certificates)(CFDataRef normalizedIssuer, CFArrayRef accessGroups, CFErrorRef *error);
349 bool (*sec_item_certificate_exists)(CFDataRef normalizedIssuer, CFDataRef serialNumber, CFArrayRef accessGroups, CFErrorRef *error);
350 CFDataRef (*sec_keychain_backup)(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, bool emcs, CFErrorRef* error);
351 bool (*sec_keychain_restore)(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
352 CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
353 bool (*sec_keychain_restore_syncable)(CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
354 CFArrayRef (*sec_item_backup_copy_names)(CFErrorRef *error);
355 int (*sec_item_backup_handoff_fd)(CFStringRef backupName, CFErrorRef *error);
356 bool (*sec_item_backup_set_confirmed_manifest)(CFStringRef backupName, CFDataRef keybagDigest, CFDataRef manifest, CFErrorRef *error);
357 bool (*sec_item_backup_restore)(CFStringRef backupName, CFStringRef peerID, CFDataRef keybag, CFDataRef secret, CFDataRef backup, CFErrorRef *error);
358 CFDataRef (*sec_otr_session_create_remote)(CFDataRef publicPeerId, CFErrorRef* error);
359 bool (*sec_otr_session_process_packet_remote)(CFDataRef sessionData, CFDataRef inputPacket, CFDataRef* outputSessionData, CFDataRef* outputPacket, bool *readyForMessages, CFErrorRef* error);
360 bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
361 bool (*soscc_SetUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
362 bool (*soscc_SetUserCredentialsAndDSID)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
363 bool (*soscc_SetUserCredentialsAndDSIDWithAnalytics)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFDataRef parentEvent, CFErrorRef *error);
364 bool (*soscc_CanAuthenticate)(CFErrorRef *error);
365 bool (*soscc_PurgeUserCredentials)(CFErrorRef *error);
366 SOSCCStatus (*soscc_ThisDeviceIsInCircle)(CFErrorRef* error);
367 bool (*soscc_RequestToJoinCircle)(CFErrorRef* error);
368 bool (*soscc_RequestToJoinCircleWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
369 bool (*soscc_RequestToJoinCircleAfterRestore)(CFErrorRef* error);
370 bool (*soscc_RequestToJoinCircleAfterRestoreWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
371 bool (*soscc_RequestEnsureFreshParameters)(CFErrorRef* error);
372 CFStringRef (*soscc_GetAllTheRings)(CFErrorRef *error);
373 bool (*soscc_ApplyToARing)(CFStringRef ringName, CFErrorRef* error);
374 bool (*soscc_WithdrawlFromARing)(CFStringRef ringName, CFErrorRef* error);
375 bool (*soscc_EnableRing)(CFStringRef ringName, CFErrorRef* error);
376 SOSRingStatus (*soscc_RingStatus)(CFStringRef ringName, CFErrorRef* error);
377 bool (*soscc_SetToNew)(CFErrorRef *error);
378 bool (*soscc_ResetToOffering)(CFErrorRef* error);
379 bool (*soscc_ResetToEmpty)(CFErrorRef* error);
380 bool (*soscc_ResetToEmptyWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
381 SOSViewResultCode (*soscc_View)(CFStringRef view, SOSViewActionCode action, CFErrorRef *error);
382 bool (*soscc_ViewSet)(CFSetRef enabledViews, CFSetRef disabledViews);
383 bool (*soscc_ViewSetWithAnalytics)(CFSetRef enabledViews, CFSetRef disabledViews, CFDataRef parentEvent);
384 bool (*soscc_RegisterSingleRecoverySecret)(CFDataRef backupSlice, bool forV0Only, CFErrorRef *error);
385 bool (*soscc_RegisterRecoveryPublicKey)(CFDataRef recovery_key, CFErrorRef *error);
386 CFDataRef (*soscc_CopyRecoveryPublicKey)(CFErrorRef *error);
387 bool (*soscc_RemoveThisDeviceFromCircle)(CFErrorRef* error);
388 bool (*soscc_RemoveThisDeviceFromCircleWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
389 bool (*soscc_RemovePeersFromCircle)(CFArrayRef peers, CFErrorRef* error);
390 bool (*soscc_RemovePeersFromCircleWithAnalytics)(CFArrayRef peers, CFDataRef parentEvent, CFErrorRef* error);
391 bool (*soscc_LoggedOutOfAccount)(CFErrorRef* error);
392 bool (*soscc_BailFromCircle)(uint64_t limit_in_seconds, CFErrorRef* error);
393 bool (*soscc_AcceptApplicants)(CFArrayRef applicants, CFErrorRef* error);
394 bool (*soscc_RejectApplicants)(CFArrayRef applicants, CFErrorRef* error);
395 SOSPeerInfoRef (*soscc_SetNewPublicBackupKey)(CFDataRef pubKey, CFErrorRef *error);
396 bool (*soscc_ValidateUserPublic)(CFErrorRef* error);
397 CFArrayRef (*soscc_CopyGenerationPeerInfo)(CFErrorRef* error);
398 CFArrayRef (*soscc_CopyApplicantPeerInfo)(CFErrorRef* error);
399 CFArrayRef (*soscc_CopyValidPeerPeerInfo)(CFErrorRef* error);
400 CFArrayRef (*soscc_CopyNotValidPeerPeerInfo)(CFErrorRef* error);
401 CFArrayRef (*soscc_CopyRetirementPeerInfo)(CFErrorRef* error);
402 CFArrayRef (*soscc_CopyViewUnawarePeerInfo)(CFErrorRef* error);
403 CFArrayRef (*soscc_CopyEngineState)(CFErrorRef* error);
404 // Not sure why these are below the last entry in the enum order above, but they are:
405 CFArrayRef (*soscc_CopyPeerInfo)(CFErrorRef* error);
406 CFArrayRef (*soscc_CopyConcurringPeerInfo)(CFErrorRef* error);
407 CFStringRef (*soscc_CopyIncompatibilityInfo)(CFErrorRef* error);
408 enum DepartureReason (*soscc_GetLastDepartureReason)(CFErrorRef* error);
409 bool (*soscc_SetLastDepartureReason)(enum DepartureReason, CFErrorRef* error);
410 CFSetRef (*soscc_ProcessSyncWithPeers)(CFSetRef peerIDs, CFSetRef backupPeerIDs, CFErrorRef* error);
411 SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers)(CFErrorRef* error);
412 bool (*soscc_EnsurePeerRegistration)(CFErrorRef* error);
413 bool (*sec_roll_keys)(bool force, CFErrorRef* error);
414 CFArrayRef (*sec_keychain_sync_update_message)(CFDictionaryRef update, CFErrorRef *error);
415 CFPropertyListRef (*sec_get_log_settings)(CFErrorRef* error);
416 bool (*sec_set_xpc_log_settings)(CFTypeRef type, CFErrorRef* error);
417 bool (*sec_set_circle_log_settings)(CFTypeRef type, CFErrorRef* error);
418 SOSPeerInfoRef (*soscc_CopyMyPeerInfo)(CFErrorRef*);
419 bool (*soscc_WaitForInitialSync)(CFErrorRef*);
420 bool (*soscc_WaitForInitialSyncWithAnalytics)(CFDataRef parentEvent, CFErrorRef *error);
421 CFArrayRef (*soscc_CopyYetToSyncViewsList)(CFErrorRef*);
422 bool (*soscc_SetEscrowRecords)(CFStringRef escrow_label, uint64_t tries, CFErrorRef *error);
423 CFDictionaryRef (*soscc_CopyEscrowRecords)(CFErrorRef *error);
424 CFDictionaryRef (*soscc_CopyBackupInformation)(CFErrorRef *error);
425 bool (*soscc_PeerAvailability)(CFErrorRef *error);
426 bool (*sosbskb_WrapToBackupSliceKeyBagForView)(CFStringRef viewName, CFDataRef input, CFDataRef* output, CFDataRef* bskbEncoded, CFErrorRef* error);
427 CFDataRef (*soscc_CopyAccountState)(CFErrorRef *error);
428 bool (*soscc_DeleteAccountState)(CFErrorRef *error);
429 CFDataRef (*soscc_CopyEngineData)(CFErrorRef *error);
430 bool (*soscc_DeleteEngineState)(CFErrorRef *error);
431 SOSPeerInfoRef (*soscc_CopyApplicant)(CFErrorRef *error);
432 CFDataRef (*soscc_CopyCircleJoiningBlob)(SOSPeerInfoRef applicant, CFErrorRef *error);
433 CFDataRef (*soscc_CopyInitialSyncData)(CFErrorRef *error);
434 bool (*soscc_JoinWithCircleJoiningBlob)(CFDataRef joiningBlob, PiggyBackProtocolVersion version, CFErrorRef *error);
435 bool (*soscc_SOSCCCleanupKVSKeys)(CFErrorRef *error);
436 bool (*soscc_SOSCCTestPopulateKVSWithBadKeys)(CFErrorRef *error);
437 bool (*soscc_AccountHasPublicKey)(CFErrorRef *error);
438 bool (*soscc_AccountIsNew)(CFErrorRef *error);
439 bool (*sec_item_update_token_items)(CFStringRef tokenID, CFArrayRef query, SecurityClient *client, CFErrorRef* error);
440 bool (*sec_delete_items_with_access_groups)(CFArrayRef bundleIDs, SecurityClient *client, CFErrorRef *error);
441 bool (*soscc_IsThisDeviceLastBackup)(CFErrorRef *error);
442 bool (*soscc_requestSyncWithPeerOverKVS)(CFStringRef peerID, CFDataRef message, CFErrorRef *error);
443 CFBooleanRef (*soscc_SOSCCPeersHaveViewsEnabled)(CFArrayRef views, CFErrorRef *error);
444 bool (*socc_clearPeerMessageKeyInKVS)(CFStringRef peerID, CFErrorRef *error);
445 bool (*soscc_SOSCCMessageFromPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
446 bool (*soscc_SOSCCSendToPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
447 CFTypeRef (*soscc_status)(void);
448 CFTypeRef secd_xpc_server;
449 };
450
451 extern struct securityd *gSecurityd;
452
453 struct trustd {
454 SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error);
455 bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error);
456 bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error);
457 bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error);
458 bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error);
459 SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error);
460 uint64_t (*sec_ota_pki_trust_store_version)(CFErrorRef* error);
461 uint64_t (*sec_ota_pki_asset_version)(CFErrorRef* error);
462 CFArrayRef (*ota_CopyEscrowCertificates)(uint32_t escrowRootType, CFErrorRef* error);
463 uint64_t (*sec_ota_pki_get_new_asset)(CFErrorRef* error);
464 bool (*sec_trust_store_copy_all)(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error);
465 bool (*sec_trust_store_copy_usage_constraints)(SecTrustStoreRef ts, CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error);
466 bool (*sec_ocsp_cache_flush)(CFErrorRef *error);
467 bool (*sec_networking_analytics_report)(CFStringRef event_name, xpc_object_t tls_analytics_attributes, CFErrorRef *error);
468 bool (*sec_trust_store_set_ct_exceptions)(CFStringRef appID, CFDictionaryRef exceptions, CFErrorRef *error);
469 CFDictionaryRef (*sec_trust_store_copy_ct_exceptions)(CFStringRef appID, CFErrorRef *error);
470 };
471
472 extern struct trustd *gTrustd;
473
474 CFArrayRef SecAccessGroupsGetCurrent(void);
475
476 // TODO Rename me
477 CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op);
478 XPC_RETURNS_RETAINED xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error);
479 typedef void (^securityd_handler_t)(xpc_object_t reply, CFErrorRef error);
480 void securityd_message_with_reply_async(xpc_object_t message, dispatch_queue_t replyq,
481 securityd_handler_t handler);
482 XPC_RETURNS_RETAINED xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error);
483 bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error);
484
485
486 bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error,
487 bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
488 bool (^handle_response)(xpc_object_t response, CFErrorRef* error));
489
490 void securityd_send_async_and_do(enum SecXPCOperation op, dispatch_queue_t replyq,
491 bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
492 securityd_handler_t handler);
493
494 // For testing only, never call this in a threaded program!
495 void SecServerSetTrustdMachServiceName(const char *name);
496
497 XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyEndpoint(enum SecXPCOperation op, CFErrorRef *error);
498
499 #if __OBJC__
500 #import <Foundation/Foundation.h>
501 #import <Foundation/NSXPCConnection.h>
502 typedef void (^SecBoolNSErrorCallback) (bool, NSError*);
503
504 @protocol SecuritydXPCCallbackProtocol <NSObject>
505 - (void)callCallback: (bool) result error:(NSError*) error;
506 @end
507
508 @protocol SecuritydXPCProtocol <NSObject>
509 - (void) SecItemAddAndNotifyOnSync:(NSDictionary*) attributes
510 syncCallback:(id<SecuritydXPCCallbackProtocol>) callback
511 complete:(void (^) (NSDictionary* opDictResult, NSArray* opArrayResult, NSError* operror)) complete;
512
513 // For the given item (specified exactly by its hash (currently SHA1)), attempt to set the CloudKit 'current' pointer
514 // to point to the given item.
515 // This can fail if:
516 // 1. your knowledge of the old current item is out of date
517 // 2. either the new item or old item has changed (checked by hash)
518 // 3. If this device can't talk with CloudKit for any reason
519 - (void)secItemSetCurrentItemAcrossAllDevices:(NSData*)newItemPersistentRef
520 newCurrentItemHash:(NSData*)newItemSHA1
521 accessGroup:(NSString*)accessGroup
522 identifier:(NSString*)identifier
523 viewHint:(NSString*)viewHint
524 oldCurrentItemReference:(NSData*)oldCurrentItemPersistentRef
525 oldCurrentItemHash:(NSData*)oldItemSHA1
526 complete:(void (^) (NSError* operror)) complete;
527
528 // For the given access group and identifier, check the current local idea of the 'current' item
529 -(void)secItemFetchCurrentItemAcrossAllDevices:(NSString*)accessGroup
530 identifier:(NSString*)identifier
531 viewHint:(NSString*)viewHint
532 fetchCloudValue:(bool)fetchCloudValue
533 complete:(void (^) (NSData* persistentref, NSError* operror)) complete;
534
535
536 // For each item in the keychainClass, return a persistant reference and the digest of the value
537 // The digest is not stable, and can change any time, the only promise is that if the digest
538 // value didn't change, the item didn't change. If digest change, the value MIGHT have changed,/
539 // but it could also just have stayed the same.
540 // The this interface bypass SEP/AKS and for that reason is a higher performance then SecItemCopyMatching().
541 - (void) secItemDigest:(NSString *)keychainClass
542 accessGroup:(NSString *)accessGroup
543 complete:(void (^)(NSArray<NSDictionary *> *digest, NSError* error))complete;
544 @end
545
546 // Call this to receive a proxy object conforming to SecuritydXPCProtocol that you can call methods on.
547 // It's probably a remote object for securityd/secd, but it might be in-process if you've configured it that way.
548 id<SecuritydXPCProtocol> SecuritydXPCProxyObject(void (^rpcErrorHandler)(NSError *));
549
550 // Set up a local securityxpcserver: after this call, all securitydxpc calls will be handled in-process instead of actually transferring to securityd
551 id<SecuritydXPCProtocol> SecCreateLocalSecuritydXPCServer(void);
552
553 // Make a SecBoolNSErrorCallback block into an Objective-C object (for proxying across NSXPC)
554 @interface SecuritydXPCCallback : NSObject <SecuritydXPCCallbackProtocol> {
555 SecBoolNSErrorCallback _callback;
556 }
557 @property SecBoolNSErrorCallback callback;
558 - (instancetype)initWithCallback: (SecBoolNSErrorCallback) callback;
559 @end
560
561 @interface SecuritydXPCClient : NSObject {
562 NSXPCConnection* _connection;
563 }
564 @property NSXPCConnection* connection;
565
566 +(void)configureSecuritydXPCProtocol: (NSXPCInterface*) interface;
567 @end
568
569 #endif // OBJC
570
571 #endif /* _SECURITYD_CLIENT_H_ */
mirror of Security