]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_cdsa_client/lib/aclclient.cpp
Security-59306.101.1.tar.gz
[apple/security.git] / OSX / libsecurity_cdsa_client / lib / aclclient.cpp
1 /*
2 * Copyright (c) 2000-2001,2007,2011 Apple Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // aclclient
21 //
22 #include <security_cdsa_client/cssmclient.h>
23 #include <security_cdsa_client/aclclient.h>
24 #include <security_cdsa_client/keyclient.h>
25 #include <security_cdsa_client/keychainacl.h>
26 #include <security_cdsa_utilities/cssmwalkers.h>
27 #include <security_cdsa_utilities/cssmdata.h>
28 #include <security_cdsa_utilities/cssmendian.h>
29 #include <securityd_client/handletypes.h>
30
31 namespace Security {
32 namespace CssmClient {
33
34 static inline void check(CSSM_RETURN rc)
35 {
36 ObjectImpl::check(rc);
37 }
38
39
40 //
41 // AclBearer methods (trivial)
42 //
43 AclBearer::~AclBearer()
44 { }
45
46
47 //
48 // Variant forms of AclBearer implemented in terms of its canonical virtual methods
49 //
50 void AclBearer::addAcl(const AclEntryInput &input, const CSSM_ACCESS_CREDENTIALS *cred)
51 {
52 changeAcl(AclEdit(input), cred);
53 }
54
55 void AclBearer::changeAcl(CSSM_ACL_HANDLE handle, const AclEntryInput &input,
56 const CSSM_ACCESS_CREDENTIALS *cred)
57 {
58 changeAcl(AclEdit(handle, input), cred);
59 }
60
61 void AclBearer::deleteAcl(CSSM_ACL_HANDLE handle, const CSSM_ACCESS_CREDENTIALS *cred)
62 {
63 changeAcl(AclEdit(handle), cred);
64 }
65
66 void AclBearer::deleteAcl(const char *tag, const CSSM_ACCESS_CREDENTIALS *cred)
67 {
68 AutoAclEntryInfoList entries;
69 getAcl(entries, tag);
70 for (uint32 n = 0; n < entries.count(); n++)
71 deleteAcl(entries[n].handle(), cred);
72 }
73
74
75 //
76 // KeyAclBearer implementation
77 //
78 void KeyAclBearer::getAcl(AutoAclEntryInfoList &aclInfos, const char *selectionTag) const
79 {
80 aclInfos.allocator(allocator);
81 check(CSSM_GetKeyAcl(csp, &key, reinterpret_cast<const CSSM_STRING *>(selectionTag), aclInfos, aclInfos));
82 }
83
84 void KeyAclBearer::changeAcl(const CSSM_ACL_EDIT &aclEdit, const CSSM_ACCESS_CREDENTIALS *cred)
85 {
86 check(CSSM_ChangeKeyAcl(csp, AccessCredentials::needed(cred), &aclEdit, &key));
87 }
88
89 void KeyAclBearer::getOwner(AutoAclOwnerPrototype &owner) const
90 {
91 owner.allocator(allocator);
92 check(CSSM_GetKeyOwner(csp, &key, owner));
93 }
94
95 void KeyAclBearer::changeOwner(const CSSM_ACL_OWNER_PROTOTYPE &newOwner,
96 const CSSM_ACCESS_CREDENTIALS *cred)
97 {
98 check(CSSM_ChangeKeyOwner(csp, AccessCredentials::needed(cred), &key, &newOwner));
99 }
100
101
102 //
103 // A single global structure containing pseudo-static data
104 //
105 struct Statics {
106 Statics();
107 Allocator &alloc;
108
109 AutoCredentials nullCred;
110 AutoCredentials promptCred;
111 AutoCredentials unlockCred;
112 AutoCredentials cancelCred;
113 AutoCredentials promptedPINCred;
114 AutoCredentials promptedPINItemCred;
115
116 AclOwnerPrototype anyOwner;
117 AclEntryInfo anyAcl;
118 };
119
120 namespace {
121 ModuleNexus<Statics> statics;
122 }
123
124
125 //
126 // Make pseudo-statics.
127 // Note: This is an eternal object. It is not currently destroyed
128 // if the containing code is unloaded.
129 //
130 Statics::Statics()
131 : alloc(Allocator::standard()),
132 nullCred(alloc, 1),
133 promptCred(alloc, 3),
134 unlockCred(alloc, 1),
135 cancelCred(alloc, 1),
136 promptedPINCred(alloc, 1),
137 promptedPINItemCred(alloc, 1),
138 anyOwner(TypedList(alloc, CSSM_ACL_SUBJECT_TYPE_ANY)),
139 anyAcl(AclEntryPrototype(TypedList(alloc, CSSM_ACL_SUBJECT_TYPE_ANY), 1))
140 {
141 // nullCred: nothing at all
142 // contains:
143 // an empty THRESHOLD sample to match threshold subjects with "free" subjects
144 nullCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_THRESHOLD);
145
146 // promptCred: a credential permitting user prompt confirmations
147 // contains:
148 // a KEYCHAIN_PROMPT sample, both by itself and in a THRESHOLD
149 // a PROMPTED_PASSWORD sample
150 promptCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT);
151 promptCred.sample(1) = TypedList(alloc, CSSM_SAMPLE_TYPE_THRESHOLD,
152 new(alloc) ListElement(TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT)));
153 promptCred.sample(2) = TypedList(alloc, CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD,
154 new(alloc) ListElement(alloc, CssmData()));
155
156 // unlockCred: ???
157 unlockCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
158 new(alloc) ListElement(CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT));
159
160 cancelCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
161 new(alloc) ListElement(CSSM_WORDID_CANCELED));
162
163 /*
164 We don't set this:
165
166 promptedPINCred.tag("PIN1");
167
168 here to avoid triggering code in TokenDatabase::getAcl in securityd that
169 would always show a PIN unlock dialog. This credential is used for an
170 unlock of the database, i.e. a dbauthenticate call to unlock the card.
171 */
172 promptedPINCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD,
173 new(alloc) ListElement(alloc, CssmData()));
174
175 /*
176 This credential is used for items like non-repudiation keys that always
177 require an explicit entry of the PIN. We set this so that Token::authenticate
178 will recognize the number of the PIN we need to unlock.
179 */
180 promptedPINItemCred.tag("PIN1");
181 promptedPINItemCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD,
182 new(alloc) ListElement(alloc, CssmData()));
183 }
184
185
186 //
187 // Make and break AclFactories
188 //
189 AclFactory::AclFactory()
190 { }
191
192 AclFactory::~AclFactory()
193 { }
194
195
196 //
197 // Return basic pseudo-static values
198 //
199 const AccessCredentials *AclFactory::nullCred() const
200 { return &statics().nullCred; }
201
202 const AccessCredentials *AclFactory::promptCred() const
203 { return &statics().promptCred; }
204
205 const AccessCredentials *AclFactory::unlockCred() const
206 { return &statics().unlockCred; }
207
208
209 const AccessCredentials *AclFactory::cancelCred() const
210 { return &statics().cancelCred; }
211
212 const AccessCredentials *AclFactory::promptedPINCred() const
213 { return &statics().promptedPINCred; }
214
215 const AccessCredentials *AclFactory::promptedPINItemCred() const
216 { return &statics().promptedPINItemCred; }
217
218
219 //
220 // Manage the (pseudo) credentials used to explicitly provide a passphrase to a keychain.
221 // Use the eternal unlockCred() for normal (protected prompt) unlocking.
222 //
223 AclFactory::KeychainCredentials::~KeychainCredentials ()
224 {
225 DataWalkers::chunkFree(mCredentials, allocator);
226 }
227
228 AclFactory::PassphraseUnlockCredentials::PassphraseUnlockCredentials (const CssmData& password,
229 Allocator& allocator) : KeychainCredentials(allocator)
230 {
231 mCredentials->sample(0) = TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
232 new (allocator) ListElement (CSSM_SAMPLE_TYPE_PASSWORD),
233 new (allocator) ListElement (CssmAutoData(allocator, password).release()));
234 }
235
236
237 //
238 // Manage the (pseudo) credentials used to explicitly change a keychain's passphrase
239 //
240 AclFactory::PasswordChangeCredentials::PasswordChangeCredentials (const CssmData& password,
241 Allocator& allocator) : KeychainCredentials(allocator)
242 {
243 mCredentials->sample(0) = TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_CHANGE_LOCK,
244 new (allocator) ListElement (CSSM_SAMPLE_TYPE_PASSWORD),
245 new (allocator) ListElement (CssmAutoData(allocator, password).release()));
246 }
247
248
249 //
250 // Manage the (pseudo) credentials used to explicitly provide a master key to a keychain.
251 //
252 AclFactory::MasterKeyUnlockCredentials::MasterKeyUnlockCredentials (const CssmClient::Key& key,
253 Allocator& allocator) : KeychainCredentials(allocator)
254 {
255 // Flatten out this key into:
256 // { h2ni(CSSM_KEY) : raw data for CSSM_KEY }
257 // which is also (on x86_64):
258 // { h2ni(CSSM_KEYHEADER) : 4 byte align : CSSM_DATA{0:0} : raw data for CSSM_KEY }
259 // (placement of alignment bytes uncertain)
260 //
261 // Data format is for consumption by kcdatabase.cpp:unflattenKey()
262
263 size_t dataLen = sizeof(CSSM_KEY) + key->keyData().length();
264 CssmAutoData flattenedKey(allocator);
265 flattenedKey.malloc(dataLen);
266 memset(flattenedKey, 0, dataLen);
267
268 // The key header must be in network-byte order for some reason
269 CSSM_KEYHEADER header = key->header();
270 Security::h2ni(header);
271 memcpy(flattenedKey, &header, sizeof(CSSM_KEYHEADER));
272 memcpy(((uint8_t*) flattenedKey.data()) + sizeof(CSSM_KEY), key->keyData().data(), key->keyData().length());
273
274 mCredentials->sample(0) = TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
275 new (allocator) ListElement(CSSM_SAMPLE_TYPE_SYMMETRIC_KEY),
276 new (allocator) ListElement(CssmAutoData(allocator, CssmData::wrap((SecurityServer::KeyHandle) 0)).release()),
277 new (allocator) ListElement(CssmAutoData(allocator, CssmData::wrap(*((const CssmKey*) key))).release()),
278 new (allocator) ListElement(flattenedKey.release()));
279 }
280
281
282
283 //
284 // Wide open ("ANY") CSSM forms for owner and ACL entry
285 //
286 const AclOwnerPrototype &AclFactory::anyOwner() const
287 { return statics().anyOwner; }
288
289 const AclEntryInfo &AclFactory::anyAcl() const
290 { return statics().anyAcl; }
291
292
293 //
294 // Create an ANY style AclEntryInput.
295 // This can be used to explicitly request wide-open authorization on a new CSSM object.
296 //
297 AclFactory::AnyResourceContext::AnyResourceContext(const CSSM_ACCESS_CREDENTIALS *cred)
298 : mAny(CSSM_ACL_SUBJECT_TYPE_ANY), mTag(CSSM_ACL_AUTHORIZATION_ANY)
299 {
300 // set up an ANY/EVERYTHING AclEntryInput
301 input().proto().subject() += &mAny;
302 AuthorizationGroup &authGroup = input().proto().authorization();
303 authGroup.NumberOfAuthTags = 1;
304 authGroup.AuthTags = &mTag;
305
306 // install the cred (not copied)
307 credentials(cred);
308 }
309
310
311 //
312 // CSSM ACL makers
313 //
314 AclFactory::Subject::Subject(Allocator &alloc, CSSM_ACL_SUBJECT_TYPE type)
315 : TypedList(alloc, type)
316 { }
317
318
319 AclFactory::PWSubject::PWSubject(Allocator &alloc)
320 : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PASSWORD)
321 { }
322
323 AclFactory::PWSubject::PWSubject(Allocator &alloc, const CssmData &secret)
324 : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PASSWORD)
325 {
326 append(new(alloc) ListElement(alloc, secret));
327 }
328
329 AclFactory::PromptPWSubject::PromptPWSubject(Allocator &alloc, const CssmData &prompt)
330 : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PROMPTED_PASSWORD)
331 {
332 append(new(alloc) ListElement(alloc, prompt));
333 }
334
335 AclFactory::PromptPWSubject::PromptPWSubject(Allocator &alloc, const CssmData &prompt, const CssmData &secret)
336 : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PROMPTED_PASSWORD)
337 {
338 append(new(alloc) ListElement(alloc, prompt));
339 append(new(alloc) ListElement(alloc, secret));
340 }
341
342 AclFactory::ProtectedPWSubject::ProtectedPWSubject(Allocator &alloc)
343 : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PROTECTED_PASSWORD)
344 { }
345
346 AclFactory::PinSubject::PinSubject(Allocator &alloc, uint32 slot)
347 : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PREAUTH)
348 {
349 append(new(alloc) ListElement(CSSM_ACL_AUTHORIZATION_PREAUTH(slot)));
350 }
351
352 AclFactory::PinSourceSubject::PinSourceSubject(Allocator &alloc, const TypedList &form)
353 : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE)
354 {
355 append(new(alloc) ListElement(form));
356 }
357
358
359 } // end namespace CssmClient
360 } // end namespace Security