2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
24 #import "SFKeychainServer.h"
25 #import <TargetConditionals.h>
30 #import "SecCDKeychain.h"
31 #import "SecFileLocations.h"
33 #import "CloudKitCategories.h"
34 #import "SecAKSWrappers.h"
35 #include "securityd_client.h"
36 #import "server_entitlement_helpers.h"
38 #import "keychain/categories/NSError+UsefulConstructors.h"
39 #import "SecEntitlements.h"
40 #import <SecurityFoundation/SFKeychain.h>
41 #import <SecurityFoundation/SFCredential_Private.h>
42 #import <SecurityFoundation/SFCredentialStore_Private.h>
43 #import <Foundation/NSKeyedArchiver_Private.h>
44 #import <Foundation/NSXPCConnection_Private.h>
46 static NSString* const SFKeychainItemAttributeLocalizedLabel = @"label";
47 static NSString* const SFKeychainItemAttributeLocalizedDescription = @"description";
49 static NSString* const SFCredentialAttributeUsername = @"username";
50 static NSString* const SFCredentialAttributePrimaryServiceIdentifier = @"primaryServiceID";
51 static NSString* const SFCredentialAttributeSupplementaryServiceIdentifiers = @"supplementaryServiceIDs";
52 static NSString* const SFCredentialAttributeCreationDate = @"creationDate";
53 static NSString* const SFCredentialAttributeModificationDate = @"modificationDate";
54 static NSString* const SFCredentialAttributeCustom = @"customAttributes";
55 static NSString* const SFCredentialSecretPassword = @"password";
57 @interface SFCredential (securityd_only)
59 - (instancetype)_initWithUsername:(NSString*)username primaryServiceIdentifier:(SFServiceIdentifier*)primaryServiceIdentifier supplementaryServiceIdentifiers:(nullable NSArray<SFServiceIdentifier*>*)supplementaryServiceIdentifiers;
63 @interface SFKeychainServerConnection ()
65 - (instancetype)initWithKeychain:(SecCDKeychain*)keychain xpcConnection:(NSXPCConnection*)connection;
69 @implementation SecCDKeychainItemTypeCredential
71 + (instancetype)itemType
73 static SecCDKeychainItemTypeCredential* itemType = nil;
74 static dispatch_once_t onceToken;
75 dispatch_once(&onceToken, ^{
76 itemType = [[self alloc] _initWithName:@"Credential" version:1 primaryKeys:@[SFCredentialAttributeUsername, SFCredentialAttributePrimaryServiceIdentifier] syncableKeys:nil];
84 @implementation SFKeychainServer {
85 SecCDKeychain* _keychain;
88 - (instancetype)initWithStorageURL:(NSURL*)persistentStoreURL modelURL:(NSURL*)managedObjectURL encryptDatabase:(bool)encryptDatabase
90 if (self = [super init]) {
91 _keychain = [[SecCDKeychain alloc] initWithStorageURL:persistentStoreURL modelURL:managedObjectURL encryptDatabase:encryptDatabase];
97 - (BOOL)listener:(NSXPCListener*)listener shouldAcceptNewConnection:(NSXPCConnection*)newConnection
99 NSNumber* keychainDenyEntitlement = [newConnection valueForEntitlement:(__bridge NSString*)kSecEntitlementKeychainDeny];
100 if ([keychainDenyEntitlement isKindOfClass:[NSNumber class]] && keychainDenyEntitlement.boolValue == YES) {
101 secerror("SFKeychainServer: connection denied due to entitlement %@", kSecEntitlementKeychainDeny);
105 // wait a bit for shared function from SecurityFoundation to get to SDK, then addopt that
106 NSXPCInterface* interface = [NSXPCInterface interfaceWithProtocol:@protocol(SFKeychainServerProtocol)];
107 [interface setClasses:[NSSet setWithObjects:[NSArray class], [SFServiceIdentifier class], nil] forSelector:@selector(rpcLookupCredentialsForServiceIdentifiers:reply:) argumentIndex:0 ofReply:NO];
108 [interface setClasses:[NSSet setWithObjects:[NSArray class], [SFPasswordCredential class], nil] forSelector:@selector(rpcLookupCredentialsForServiceIdentifiers:reply:) argumentIndex:0 ofReply:YES];
109 newConnection.exportedInterface = interface;
110 newConnection.exportedObject = [[SFKeychainServerConnection alloc] initWithKeychain:_keychain xpcConnection:newConnection];
111 [newConnection resume];
115 - (SecCDKeychain*)_keychain
122 @implementation SFKeychainServerConnection {
123 SecCDKeychain* _keychain;
124 NSArray* _clientAccessGroups;
127 @synthesize clientAccessGroups = _clientAccessGroups;
129 - (instancetype)initWithKeychain:(SecCDKeychain*)keychain xpcConnection:(NSXPCConnection*)connection
131 if (self = [super init]) {
132 _keychain = keychain;
134 SecTaskRef task = SecTaskCreateWithAuditToken(NULL, connection.auditToken);
136 _clientAccessGroups = (__bridge_transfer NSArray*)SecTaskCopyAccessGroups(task);
144 - (keyclass_t)keyclassForAccessPolicy:(SFAccessPolicy*)accessPolicy
146 if (accessPolicy.accessibility.mode == SFAccessibleAfterFirstUnlock) {
147 if (accessPolicy.sharingPolicy == SFSharingPolicyThisDeviceOnly) {
148 return key_class_cku;
155 if (accessPolicy.sharingPolicy == SFSharingPolicyThisDeviceOnly) {
156 return key_class_aku;
164 - (void)rpcAddCredential:(SFCredential*)credential withAccessPolicy:(SFAccessPolicy*)accessPolicy reply:(void (^)(NSString* persistentIdentifier, NSError* error))reply
166 if (![credential isKindOfClass:[SFPasswordCredential class]]) {
167 reply(nil, [NSError errorWithDomain:SFKeychainErrorDomain code:SFKeychainErrorInvalidParameter userInfo:@{NSLocalizedDescriptionKey : [NSString stringWithFormat:@"attempt to add credential to SFCredentialStore that is not a password credential: %@", credential]}]);
171 NSString* accessGroup = accessPolicy.accessGroup;
173 NSError* error = nil;
174 accessGroup = self.clientAccessGroups.firstObject;
176 error = [NSError errorWithDomain:SFKeychainErrorDomain code:SFKeychainErrorMissingAccessGroup userInfo:@{NSLocalizedDescriptionKey : @"no keychain access group found; ensure that your process has the keychain-access-groups entitlement"}];
182 SFPasswordCredential* passwordCredential = (SFPasswordCredential*)credential;
184 NSError* error = nil;
185 NSData* primaryServiceIdentifierData = [NSKeyedArchiver archivedDataWithRootObject:passwordCredential.primaryServiceIdentifier requiringSecureCoding:YES error:&error];
186 if (!primaryServiceIdentifierData) {
187 dispatch_async(dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0), ^{
188 reply(nil, [NSError errorWithDomain:SFKeychainErrorDomain code:SFKeychainErrorSaveFailed userInfo:@{ NSLocalizedDescriptionKey : @"failed to serialize primary service identifier", NSUnderlyingErrorKey : error }]);
193 NSMutableArray* serializedSupplementaryServiceIdentifiers = [[NSMutableArray alloc] initWithCapacity:passwordCredential.supplementaryServiceIdentifiers.count];
194 for (SFServiceIdentifier* serviceIdentifier in passwordCredential.supplementaryServiceIdentifiers) {
195 NSData* serviceIdentifierData = [NSKeyedArchiver archivedDataWithRootObject:serviceIdentifier requiringSecureCoding:YES error:&error];
196 if (serviceIdentifierData) {
197 [serializedSupplementaryServiceIdentifiers addObject:serviceIdentifierData];
200 dispatch_async(dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0), ^{
201 reply(nil, [NSError errorWithDomain:SFKeychainErrorDomain code:SFKeychainErrorSaveFailed userInfo:@{ NSLocalizedDescriptionKey : @"failed to serialize supplementary service identifier", NSUnderlyingErrorKey : error }]);
207 NSDictionary* attributes = @{ SFCredentialAttributeUsername : passwordCredential.username,
208 SFCredentialAttributePrimaryServiceIdentifier : primaryServiceIdentifierData,
209 SFCredentialAttributeSupplementaryServiceIdentifiers : serializedSupplementaryServiceIdentifiers,
210 SFCredentialAttributeCreationDate : [NSDate date],
211 SFCredentialAttributeModificationDate : [NSDate date],
212 SFKeychainItemAttributeLocalizedLabel : passwordCredential.localizedLabel,
213 SFKeychainItemAttributeLocalizedDescription : passwordCredential.localizedDescription,
214 SFCredentialAttributeCustom : passwordCredential.customAttributes ?: [NSDictionary dictionary] };
216 NSDictionary* secrets = @{ SFCredentialSecretPassword : passwordCredential.password };
217 NSUUID* persistentID = [NSUUID UUID];
219 // lookup attributes:
220 // 1. primaryServiceIdentifier (always)
221 // 2. username (always)
222 // 3. label (if present)
223 // 4. description (if present)
224 // 5. each of the service identifiers by type, e.g. "domain"
225 // 6. any custom attributes that fit the requirements (key is string, and value is plist type)
227 SecCDKeychainLookupTuple* primaryServiceIdentifierLookup = [SecCDKeychainLookupTuple lookupTupleWithKey:SFCredentialAttributePrimaryServiceIdentifier value:primaryServiceIdentifierData];
228 SecCDKeychainLookupTuple* usernameLookup = [SecCDKeychainLookupTuple lookupTupleWithKey:SFCredentialAttributeUsername value:passwordCredential.username];
229 SecCDKeychainLookupTuple* labelLookup = [SecCDKeychainLookupTuple lookupTupleWithKey:SFKeychainItemAttributeLocalizedLabel value:passwordCredential.localizedLabel];
230 SecCDKeychainLookupTuple* descriptionLookup = [SecCDKeychainLookupTuple lookupTupleWithKey:SFKeychainItemAttributeLocalizedDescription value:passwordCredential.localizedDescription];
231 NSMutableArray* lookupAttributes = [[NSMutableArray alloc] initWithObjects:primaryServiceIdentifierLookup, usernameLookup, nil];
233 [lookupAttributes addObject:labelLookup];
235 if (descriptionLookup) {
236 [lookupAttributes addObject:descriptionLookup];
239 SFServiceIdentifier* primaryServiceIdentifier = credential.primaryServiceIdentifier;
240 [lookupAttributes addObject:[SecCDKeychainLookupTuple lookupTupleWithKey:primaryServiceIdentifier.lookupKey value:primaryServiceIdentifier.serviceID]];
241 for (SFServiceIdentifier* serviceIdentifier in credential.supplementaryServiceIdentifiers) {
242 [lookupAttributes addObject:[SecCDKeychainLookupTuple lookupTupleWithKey:serviceIdentifier.lookupKey value:serviceIdentifier.serviceID]];
245 [passwordCredential.customAttributes enumerateKeysAndObjectsUsingBlock:^(NSString* customKey, id value, BOOL* stop) {
246 if ([customKey isKindOfClass:[NSString class]]) {
247 SecCDKeychainLookupTuple* lookupTuple = [SecCDKeychainLookupTuple lookupTupleWithKey:customKey value:value];
249 [lookupAttributes addObject:lookupTuple];
252 // TODO: an error here?
257 SecCDKeychainAccessControlEntity* owner = [SecCDKeychainAccessControlEntity accessControlEntityWithType:SecCDKeychainAccessControlEntityTypeAccessGroup stringRepresentation:accessGroup];
258 keyclass_t keyclass = [self keyclassForAccessPolicy:accessPolicy];
259 SecCDKeychainItem* item = [[SecCDKeychainItem alloc] initItemType:[SecCDKeychainItemTypeCredential itemType] withPersistentID:persistentID attributes:attributes lookupAttributes:lookupAttributes secrets:secrets owner:owner keyclass:keyclass];
260 [_keychain insertItems:@[item] withConnection:self completionHandler:^(bool success, NSError* error) {
261 if (success && !error) {
262 reply(persistentID.UUIDString, nil);
270 - (void)rpcFetchPasswordCredentialForPersistentIdentifier:(NSString*)persistentIdentifier reply:(void (^)(SFPasswordCredential* credential, NSString* password, NSError* error))reply
272 // TODO: negative testing
273 NSUUID* persistentID = [[NSUUID alloc] initWithUUIDString:persistentIdentifier];
275 secerror("SFKeychainServer: attempt to fetch credential with invalid persistent identifier; %@", persistentIdentifier);
276 reply(nil, nil, [NSError errorWithDomain:SFKeychainErrorDomain code:SFKeychainErrorInvalidPersistentIdentifier userInfo:@{NSLocalizedDescriptionKey : [NSString stringWithFormat:@"invalid persistent identifier: %@", persistentIdentifier]}]);
280 [_keychain fetchItemForPersistentID:persistentID withConnection:self completionHandler:^(SecCDKeychainItem* item, NSError* error) {
281 NSError* localError = error;
282 SFPasswordCredential* credential = nil;
283 if (item && !error) {
284 credential = [self passwordCredentialForItem:item error:&localError];
288 reply(credential, credential.password, nil);
291 reply(nil, nil, localError);
296 - (void)rpcLookupCredentialsForServiceIdentifiers:(nullable NSArray<SFServiceIdentifier*>*)serviceIdentifiers reply:(void (^)(NSArray<SFCredential*>* _Nullable results, NSError* _Nullable error))reply
298 __block NSMutableDictionary* resultsDict = [[NSMutableDictionary alloc] init];
299 __block NSError* resultError = nil;
301 void (^processFetchedItems)(NSArray*) = ^(NSArray* fetchedItems) {
302 for (SecCDKeychainItemMetadata* item in fetchedItems) {
303 if ([item.itemType isKindOfClass:[SecCDKeychainItemTypeCredential class]]) {
304 SFPasswordCredential* credential = [self passwordCredentialForItemMetadata:item error:&resultError];
306 resultsDict[item.persistentID] = credential;
309 resultsDict = nil; // got an error
315 if (!serviceIdentifiers) {
316 // TODO: lookup everything
319 for (SFServiceIdentifier* serviceIdentifier in serviceIdentifiers) {
320 dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
321 // TODO: this is lamé; make fetchItemsWithValue take an array and get rid of the semaphore crap
322 [_keychain fetchItemsWithValue:serviceIdentifier.serviceID forLookupKey:serviceIdentifier.lookupKey ofType:SecCDKeychainLookupValueTypeString withConnection:self completionHandler:^(NSArray<SecCDKeychainItemMetadata*>* items, NSError* error) {
323 if (items && !error) {
324 processFetchedItems(items);
331 dispatch_semaphore_signal(semaphore);
333 dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
337 reply(resultsDict.allValues, resultError);
340 - (void)rpcRemoveCredentialWithPersistentIdentifier:(NSString*)persistentIdentifier reply:(void (^)(BOOL success, NSError* _Nullable error))reply
342 NSUUID* persistentID = [[NSUUID alloc] initWithUUIDString:persistentIdentifier];
344 secerror("SFKeychainServer: attempt to remove credential with invalid persistent identifier; %@", persistentIdentifier);
345 reply(false, [NSError errorWithDomain:SFKeychainErrorDomain code:SFKeychainErrorInvalidPersistentIdentifier userInfo:@{NSLocalizedDescriptionKey : [NSString stringWithFormat:@"invalid persistent identifier: %@", persistentIdentifier]}]);
349 [_keychain deleteItemWithPersistentID:persistentID withConnection:self completionHandler:^(bool success, NSError* error) {
350 reply(success, error);
354 - (void)rpcReplaceOldCredential:(SFCredential*)oldCredential withNewCredential:(SFCredential*)newCredential reply:(void (^)(NSString* newPersistentIdentifier, NSError* _Nullable error))reply
360 - (SFPasswordCredential*)passwordCredentialForItem:(SecCDKeychainItem*)item error:(NSError**)error
362 SFPasswordCredential* credential = [self passwordCredentialForItemMetadata:item.metadata error:error];
364 credential.password = item.secrets[SFCredentialSecretPassword];
365 if (!credential.password) {
367 *error = [NSError errorWithDomain:SFKeychainErrorDomain code:SFKeychainErrorSecureDecodeFailed userInfo:@{NSLocalizedDescriptionKey : @"failed to get password for SFCredential"}];
376 - (SFPasswordCredential*)passwordCredentialForItemMetadata:(SecCDKeychainItemMetadata*)metadata error:(NSError**)error
378 NSDictionary* attributes = metadata.attributes;
379 NSString* username = attributes[SFCredentialAttributeUsername];
381 NSError* localError = nil;
382 SFServiceIdentifier* primaryServiceIdentifier = [NSKeyedUnarchiver unarchivedObjectOfClass:[SFServiceIdentifier class] fromData:attributes[SFCredentialAttributePrimaryServiceIdentifier] error:&localError];
384 NSArray* serializedSupplementaryServiceIdentifiers = attributes[SFCredentialAttributeSupplementaryServiceIdentifiers];
385 NSMutableArray* supplementaryServiceIdentifiers = [[NSMutableArray alloc] initWithCapacity:serializedSupplementaryServiceIdentifiers.count];
386 for (NSData* serializedServiceIdentifier in serializedSupplementaryServiceIdentifiers) {
387 if ([serializedServiceIdentifier isKindOfClass:[NSData class]]) {
388 SFServiceIdentifier* serviceIdentifier = [NSKeyedUnarchiver unarchivedObjectOfClass:[SFServiceIdentifier class] fromData:serializedServiceIdentifier error:&localError];
389 if (serviceIdentifier) {
390 [supplementaryServiceIdentifiers addObject:serviceIdentifier];
393 supplementaryServiceIdentifiers = nil;
398 supplementaryServiceIdentifiers = nil;
399 localError = [NSError errorWithDomain:SFKeychainErrorDomain code:SFKeychainErrorSecureDecodeFailed userInfo:@{NSLocalizedDescriptionKey : @"malformed supplementary service identifiers array in SecCDKeychainItem"}];
404 if (username && primaryServiceIdentifier && supplementaryServiceIdentifiers) {
405 SFPasswordCredential* credential = [[SFPasswordCredential alloc] _initWithUsername:username primaryServiceIdentifier:primaryServiceIdentifier supplementaryServiceIdentifiers:supplementaryServiceIdentifiers];
406 credential.creationDate = attributes[SFCredentialAttributeCreationDate];
407 credential.modificationDate = attributes[SFCredentialAttributeModificationDate];
408 credential.localizedLabel = attributes[SFKeychainItemAttributeLocalizedLabel];
409 credential.localizedDescription = attributes[SFKeychainItemAttributeLocalizedDescription];
410 credential.persistentIdentifier = metadata.persistentID.UUIDString;
411 credential.customAttributes = attributes[SFCredentialAttributeCustom];
416 *error = [NSError errorWithDomain:SFKeychainErrorDomain code:SFKeychainErrorSecureDecodeFailed userInfo:@{ NSLocalizedDescriptionKey : @"failed to deserialize SFCredential", NSUnderlyingErrorKey : localError }];
426 void SFKeychainServerInitialize(void)
428 static dispatch_once_t once;
429 static SFKeychainServer* server;
430 static NSXPCListener* listener;
432 dispatch_once(&once, ^{
434 NSURL* persistentStoreURL = (__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)@"CDKeychain");
435 NSBundle* resourcesBundle = [NSBundle bundleWithPath:@"/System/Library/Keychain/KeychainResources.bundle"];
436 NSURL* managedObjectModelURL = [resourcesBundle URLForResource:@"KeychainModel" withExtension:@"momd"];
437 server = [[SFKeychainServer alloc] initWithStorageURL:persistentStoreURL modelURL:managedObjectModelURL encryptDatabase:true];
438 listener = [[NSXPCListener alloc] initWithMachServiceName:@(kSFKeychainServerServiceName)];
439 listener.delegate = server;
445 #else // !TARGET_OS_BRIDGE
447 void SFKeychainServerInitialize(void) {}