]> git.saurik.com Git - apple/security.git/blob - securityd/src/dbcrypto.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-59306.101.1.tar.gz
[apple/security.git] / securityd / src / dbcrypto.h
1 /*
2 * Copyright (c) 2000-2001,2003-2006,2013 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 //
26 // dbcrypto - cryptographic core for database and key blob cryptography
27 //
28 #ifndef _H_DBCRYPTO
29 #define _H_DBCRYPTO
30
31 #include <securityd_client/ssblob.h>
32 #include <security_cdsa_client/cspclient.h>
33 #include <security_cdsa_client/keyclient.h>
34
35 using namespace SecurityServer;
36
37
38 //
39 // A DatabaseCryptoCore object encapsulates the secret state of a database.
40 // It provides for encoding and decoding of database blobs and key blobs,
41 // and holds all state related to the database secrets.
42 //
43 class DatabaseCryptoCore {
44 public:
45 DatabaseCryptoCore(uint32 requestedVersion = CommonBlob::version_none);
46 virtual ~DatabaseCryptoCore();
47
48 void initializeFrom(DatabaseCryptoCore& core, uint32 requestedVersion = CommonBlob::version_none);
49
50 bool isValid() const { return mIsValid; }
51 bool hasMaster() const { return mHaveMaster; }
52 void invalidate();
53
54 void generateNewSecrets();
55 CssmClient::Key masterKey();
56
57 void setup(const DbBlob *blob, const CssmData &passphrase, bool copyVersion = true);
58 void setup(const DbBlob *blob, CssmClient::Key master, bool copyVersion = true);
59
60 void decodeCore(const DbBlob *blob, void **privateAclBlob = NULL);
61 DbBlob *encodeCore(const DbBlob &blobTemplate,
62 const CssmData &publicAcl, const CssmData &privateAcl) const;
63 void importSecrets(const DatabaseCryptoCore &src);
64
65 KeyBlob *encodeKeyCore(const CssmKey &key,
66 const CssmData &publicAcl, const CssmData &privateAcl,
67 bool inTheClear) const;
68 void decodeKeyCore(KeyBlob *blob,
69 CssmKey &key, void * &pubAcl, void * &privAcl) const;
70
71 static const uint32 managedAttributes = KeyBlob::managedAttributes;
72 static const uint32 forcedAttributes = KeyBlob::forcedAttributes;
73
74 bool get_encryption_key(CssmOwnedData &data);
75
76 public:
77 bool validatePassphrase(const CssmData &passphrase);
78 bool validateKey(const CssmClient::Key& master);
79
80 protected:
81 uint32 mBlobVersion; // blob version of current database
82
83 private:
84 bool mHaveMaster; // master key has been entered (setup)
85 bool mIsValid; // master secrets are valid (decode or generateNew)
86
87 CssmClient::Key mMasterKey; // database master key
88 uint8 mSalt[20]; // salt for master key derivation from passphrase (only)
89
90 CssmClient::Key mEncryptionKey; // master encryption key
91 CssmClient::Key mSigningKey; // master signing key
92
93 CssmClient::Key deriveDbMasterKey(const CssmData &passphrase) const;
94 CssmClient::Key makeRawKey(void *data, size_t length,
95 CSSM_ALGORITHMS algid, CSSM_KEYUSE usage);
96 };
97
98
99 #endif //_H_DBCRYPTO
mirror of Security