keychain/securityd/SecDbQuery.h

   1 /*
   2  * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 /*!
  25  @header SecDbQuery.h - The thing that does the stuff with the gibli.
  26  */
  27
  28 #ifndef _SECURITYD_SECDBQUERY_H_
  29 #define _SECURITYD_SECDBQUERY_H_
  30
  31 #include "keychain/securityd/SecKeybagSupport.h"
  32 #include "keychain/securityd/SecDbItem.h"
  33
  34 __BEGIN_DECLS
  35
  36 typedef struct Pair *SecDbPairRef;
  37 typedef struct Query *SecDbQueryRef;
  38
  39 /* Return types. */
  40 typedef uint32_t ReturnTypeMask;
  41 enum
  42 {
  43     kSecReturnDataMask = 1 << 0,
  44     kSecReturnAttributesMask = 1 << 1,
  45     kSecReturnRefMask = 1 << 2,
  46     kSecReturnPersistentRefMask = 1 << 3,
  47 };
  48
  49 /* Constant indicating there is no limit to the number of results to return. */
  50 enum
  51 {
  52     kSecMatchUnlimited = kCFNotFound
  53 };
  54
  55 typedef struct Pair
  56 {
  57     const void *key;
  58     const void *value;
  59 } Pair;
  60
  61 /* Nothing in this struct is retained since all the
  62  values below are extracted from the dictionary passed in by the
  63  caller. */
  64 typedef struct Query
  65 {
  66     /* Class of this query. */
  67     const SecDbClass *q_class;
  68
  69     /* Dictionary with all attributes and values in clear (to be encrypted). */
  70     CFMutableDictionaryRef q_item;
  71
  72     /* q_pairs is an array of Pair structs.  Elements with indices
  73      [0, q_attr_end) contain attribute key value pairs.  Elements with
  74      indices [q_match_begin, q_match_end) contain match key value pairs.
  75      Thus q_attr_end is the number of attrs in q_pairs and
  76      q_match_begin - q_match_end is the number of matches in q_pairs.  */
  77     CFIndex q_match_begin;
  78     CFIndex q_match_end;
  79     CFIndex q_attr_end;
  80
  81     CFErrorRef q_error;
  82     ReturnTypeMask q_return_type;
  83
  84     CFDataRef q_data;
  85     CFTypeRef q_ref;
  86     sqlite_int64 q_row_id;
  87
  88     CFArrayRef q_use_item_list;
  89     CFBooleanRef q_use_tomb;
  90
  91     /* Value of kSecMatchLimit key if present. */
  92     CFIndex q_limit;
  93
  94     /* True if query contained a kSecAttrSynchronizable attribute,
  95      * regardless of its actual value. If this is false, then we
  96      * will add an explicit sync=0 to the query. */
  97     bool q_sync;
  98
  99     // Set to true if we modified any item as part of executing this query
 100     bool q_changed;
 101
 102     // Set to true if we modified any synchronizable item as part of executing this query
 103     bool q_sync_changed;
 104
 105     /* Keybag handle to use for this item. */
 106     keybag_handle_t q_keybag;
 107
 108     /* musr view to use when modifying the database */
 109     CFDataRef q_musrView;
 110
 111     /* ACL and credHandle passed to the query. q_cred_handle contain LA context object. */
 112     SecAccessControlRef q_access_control;
 113     CFDataRef q_use_cred_handle;
 114
 115     // Flag indicating that ui-protected items should be simply skipped
 116     // instead of reporting them to the client as an error.
 117     bool q_skip_acl_items;
 118
 119     // Set to true if any UUIDs generated by this query should be generated from the SHA2 digest of the item in question
 120     bool q_uuid_from_primary_key;
 121
 122     // Set this to a callback that, on an add query, will get passed along with the CKKS subsystem and called when the item makes it off-device (or doesn't)
 123     __unsafe_unretained SecBoolCFErrorCallback q_add_sync_callback;
 124
 125     // SHA1 digest of DER encoded primary key
 126     CFDataRef q_primary_key_digest;
 127
 128     CFArrayRef q_match_issuer;
 129
 130     /* Caller acces groups for AKS */
 131     CFArrayRef q_caller_access_groups;
 132     bool q_system_keychain;
 133     int32_t q_sync_bubble;
 134     bool q_spindump_on_failure;
 135
 136     //policy for filtering certs and identities
 137     SecPolicyRef q_match_policy;
 138     //date for filtering certs and identities
 139     CFDateRef q_match_valid_on_date;
 140     //trusted only certs and identities
 141     CFBooleanRef q_match_trusted_only;
 142     //token persistent reference for filtering items is represented by token ID (in attrs) and token object ID
 143     CFDataRef q_token_object_id;
 144
 145     CFIndex q_pairs_count;
 146     Pair q_pairs[];
 147 } Query;
 148
 149 Query *query_create(const SecDbClass *qclass, CFDataRef musr, CFDictionaryRef query, CFErrorRef *error);
 150 bool query_destroy(Query *q, CFErrorRef *error);
 151 bool query_error(Query *q, CFErrorRef *error);
 152 Query *query_create_with_limit(CFDictionaryRef query, CFDataRef musr, CFIndex limit, CFErrorRef *error);
 153 void query_add_attribute(const void *key, const void *value, Query *q);
 154 void query_add_or_attribute(const void *key, const void *value, Query *q);
 155 void query_add_not_attribute(const void *key, const void *value, Query *q);
 156 void query_add_attribute_with_desc(const SecDbAttr *desc, const void *value, Query *q);
 157 void query_ensure_access_control(Query *q, CFStringRef agrp);
 158 void query_pre_add(Query *q, bool force_date);
 159 bool query_notify_and_destroy(Query *q, bool ok, CFErrorRef *error);
 160 CFIndex query_match_count(const Query *q);
 161 CFIndex query_attr_count(const Query *q);
 162 Pair query_attr_at(const Query *q, CFIndex ix);
 163 bool query_update_parse(Query *q, CFDictionaryRef update, CFErrorRef *error);
 164 const SecDbClass *kc_class_with_name(CFStringRef name);
 165 void query_set_caller_access_groups(Query *q, CFArrayRef caller_access_groups);
 166 void query_set_policy(Query *q, SecPolicyRef policy);
 167 void query_set_valid_on_date(Query *q, CFDateRef policy);
 168 void query_set_trusted_only(Query *q, CFBooleanRef trusted_only);
 169
 170 CFDataRef
 171 SecMUSRCopySystemKeychainUUID(void);
 172
 173 CFDataRef
 174 SecMUSRGetSystemKeychainUUID(void);
 175
 176 CFDataRef
 177 SecMUSRGetSingleUserKeychainUUID(void);
 178
 179 bool
 180 SecMUSRIsSingleUserView(CFDataRef uuid);
 181
 182 CFDataRef
 183 SecMUSRGetAllViews(void);
 184
 185 bool
 186 SecMUSRIsViewAllViews(CFDataRef musr);
 187
 188 #if TARGET_OS_IPHONE
 189 CFDataRef
 190 SecMUSRCreateActiveUserUUID(uid_t uid);
 191
 192 CFDataRef
 193 SecMUSRCreateSyncBubbleUserUUID(uid_t uid);
 194
 195 CFDataRef
 196 SecMUSRCreateBothUserAndSystemUUID(uid_t uid);
 197
 198 bool
 199 SecMUSRGetBothUserAndSystemUUID(CFDataRef musr, uid_t *uid);
 200
 201 #endif
 202
 203
 204 __END_DECLS
 205
 206 #endif /* _SECURITYD_SECDBQUERY_H_ */