2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
24 #import <TargetConditionals.h>
27 #import "SecKeybagSupport.h"
29 #if __has_include(<libaks.h>)
33 #if __has_include(<libaks_ref_key.h>)
34 #import <libaks_ref_key.h>
37 #if __has_include(<MobileKeyBag/MobileKeyBag.h>)
38 #import <MobileKeyBag/MobileKeyBag.h>
41 #include <os/variant_private.h>
43 #import <ctkclient/ctkclient.h>
44 #import <coreauthd_spi.h>
46 #import <LocalAuthentication/LAPublicDefines.h>
47 #import <LocalAuthentication/LAPrivateDefines.h>
48 #import <LocalAuthentication/LACFSupport.h>
49 #import <SecurityFoundation/SFEncryptionOperation.h>
51 #import "utilities/der_plist.h"
52 #import "tests/secdmockaks/generated_source/MockAKSRefKey.h"
53 #import "tests/secdmockaks/generated_source/MockAKSOptionalParameters.h"
55 bool hwaes_key_available(void)
60 #define SET_FLAG_ON(v, flag) v |= (flag)
61 #define SET_FLAG_OFF(v, flag) v &= ~(flag)
63 @interface SecMockAKS ()
64 @property (class, readonly) NSMutableDictionary<NSNumber*, NSNumber*>* lockedStates;
65 @property (class, readonly) dispatch_queue_t mutabilityQueue;
68 @implementation SecMockAKS
69 static NSMutableDictionary* _lockedStates = nil;
70 static dispatch_queue_t _mutabilityQueue = nil;
71 static keybag_state_t _keybag_state = keybag_state_unlocked | keybag_state_been_unlocked;
72 static NSMutableArray<NSError *>* _decryptRefKeyErrors = nil;
74 * Method that limit where this rather in-secure version of AKS can run
78 static dispatch_once_t onceToken;
79 dispatch_once(&onceToken, ^{
80 #if DEBUG || TARGET_OS_SIMULATOR
83 const char *argv0 = getprogname();
85 if (strcmp(argv0, "securityd") == 0 || strcmp(argv0, "secd") == 0) {
88 if (os_variant_has_internal_content("securityd")) {
91 #if TARGET_OS_IPHONE /* all three platforms: ios, watch, tvos */
92 if (os_variant_uses_ephemeral_storage("securityd")) {
95 if (os_variant_allows_internal_security_policies("securityd")) {
99 #endif /* TARGET_OS_IPHONE */
100 #endif /* !DEBUG || !TARGET_OS_SIMULATOR */
104 + (NSMutableDictionary*)lockedStates
106 if(_lockedStates == nil) {
107 _lockedStates = [NSMutableDictionary dictionary];
109 return _lockedStates;
112 + (dispatch_queue_t)mutabilityQueue
114 static dispatch_once_t onceToken;
115 dispatch_once(&onceToken, ^{
116 _mutabilityQueue = dispatch_queue_create("SecMockAKS", DISPATCH_QUEUE_SERIAL);
118 return _mutabilityQueue;
121 + (keybag_state_t)keybag_state
123 return _keybag_state;
126 + (void)setKeybag_state:(keybag_state_t)keybag_state
128 _keybag_state = keybag_state;
133 dispatch_sync(self.mutabilityQueue, ^{
134 [self.lockedStates removeAllObjects];
135 self.keybag_state = keybag_state_unlocked;
139 + (bool)isLocked:(keyclass_t)key_class
141 __block bool isLocked = false;
142 dispatch_sync(self.mutabilityQueue, ^{
143 NSNumber* key = [NSNumber numberWithInt:key_class];
144 isLocked = [self.lockedStates[key] boolValue];
154 + (bool)useGenerationCount
161 dispatch_sync(self.mutabilityQueue, ^{
162 self.lockedStates[[NSNumber numberWithInt:key_class_a]] = [NSNumber numberWithBool:YES];
163 self.lockedStates[[NSNumber numberWithInt:key_class_ak]] = [NSNumber numberWithBool:YES];
164 self.lockedStates[[NSNumber numberWithInt:key_class_aku]] = [NSNumber numberWithBool:YES];
165 self.lockedStates[[NSNumber numberWithInt:key_class_akpu]] = [NSNumber numberWithBool:YES];
167 SET_FLAG_ON(self.keybag_state, keybag_state_locked);
168 SET_FLAG_OFF(self.keybag_state, keybag_state_unlocked);
169 // don't touch keybag_state_been_unlocked; leave it as-is
173 // Simulate device being in "before first unlock"
176 dispatch_sync(self.mutabilityQueue, ^{
177 self.lockedStates[[NSNumber numberWithInt:key_class_a]] = [NSNumber numberWithBool:YES];
178 self.lockedStates[[NSNumber numberWithInt:key_class_ak]] = [NSNumber numberWithBool:YES];
179 self.lockedStates[[NSNumber numberWithInt:key_class_aku]] = [NSNumber numberWithBool:YES];
180 self.lockedStates[[NSNumber numberWithInt:key_class_akpu]] = [NSNumber numberWithBool:YES];
181 self.lockedStates[[NSNumber numberWithInt:key_class_c]] = [NSNumber numberWithBool:YES];
182 self.lockedStates[[NSNumber numberWithInt:key_class_ck]] = [NSNumber numberWithBool:YES];
183 self.lockedStates[[NSNumber numberWithInt:key_class_cku]] = [NSNumber numberWithBool:YES];
185 SET_FLAG_ON(self.keybag_state, keybag_state_locked);
186 SET_FLAG_OFF(self.keybag_state, keybag_state_unlocked);
187 SET_FLAG_OFF(self.keybag_state, keybag_state_been_unlocked);
191 + (void)unlockAllClasses
193 dispatch_sync(self.mutabilityQueue, ^{
194 [self.lockedStates removeAllObjects];
196 SET_FLAG_OFF(self.keybag_state, keybag_state_locked);
197 SET_FLAG_ON(self.keybag_state, keybag_state_unlocked);
198 SET_FLAG_ON(self.keybag_state, keybag_state_been_unlocked);
202 + (void)failNextDecryptRefKey: (NSError* _Nonnull) decryptRefKeyError {
203 if (_decryptRefKeyErrors == NULL) {
204 _decryptRefKeyErrors = [NSMutableArray array];
206 @synchronized(_decryptRefKeyErrors) {
207 [_decryptRefKeyErrors addObject: decryptRefKeyError];
211 + (NSError * _Nullable)popDecryptRefKeyFailure {
212 NSError* error = nil;
213 if (_decryptRefKeyErrors == NULL) {
216 @synchronized(_decryptRefKeyErrors) {
217 if(_decryptRefKeyErrors.count > 0) {
218 error = _decryptRefKeyErrors[0];
219 [_decryptRefKeyErrors removeObjectAtIndex:0];
229 aks_load_bag(const void * data, int length, keybag_handle_t* handle)
236 aks_create_bag(const void * passcode, int length, keybag_type_t type, keybag_handle_t* handle)
238 [SecMockAKS unlockAllClasses];
244 aks_unload_bag(keybag_handle_t handle)
246 return kAKSReturnSuccess;
250 aks_save_bag(keybag_handle_t handle, void ** data, int * length)
252 assert(handle != bad_keybag_handle);
256 *data = calloc(1, 12);
257 memcpy(*data, "keybag dump", 12);
260 return kAKSReturnSuccess;
264 aks_get_system(keybag_handle_t special_handle, keybag_handle_t *handle)
267 return kAKSReturnSuccess;
271 aks_get_bag_uuid(keybag_handle_t handle, uuid_t uuid)
273 memcpy(uuid, "0123456789abcdf", sizeof(uuid_t));
274 return kAKSReturnSuccess;
277 kern_return_t aks_lock_bag(keybag_handle_t handle)
279 if (handle == KEYBAG_DEVICE) {
280 [SecMockAKS lockClassA];
282 return kAKSReturnSuccess;
285 kern_return_t aks_unlock_bag(keybag_handle_t handle, const void *passcode, int length)
287 if (handle == KEYBAG_DEVICE) {
288 [SecMockAKS unlockAllClasses];
290 return kAKSReturnSuccess;
293 kern_return_t aks_get_lock_state(keybag_handle_t handle, keybag_state_t *state)
295 *state = SecMockAKS.keybag_state;
296 return kAKSReturnSuccess;
299 //static uint8_t staticAKSKey[32] = "1234567890123456789012";
301 #define PADDINGSIZE 8
304 aks_wrap_key(const void * key, int key_size, keyclass_t key_class, keybag_handle_t handle, void * wrapped_key, int * wrapped_key_size_inout, keyclass_t * class_out)
306 [SecMockAKS trapdoor];
308 if ([SecMockAKS isSEPDown]) {
309 return kAKSReturnBusy;
312 // Assumes non-device keybags are asym
313 if ([SecMockAKS isLocked:key_class] && handle == KEYBAG_DEVICE) {
314 return kAKSReturnNoPermission;
317 if (class_out) { // Not a required parameter
318 *class_out = key_class;
319 if ([SecMockAKS useGenerationCount]) {
320 *class_out |= (key_class_last + 1);
324 if (key_size > APPLE_KEYSTORE_MAX_KEY_LEN) {
327 if (handle != KEYBAG_DEVICE) { // For now assumes non-device bags are asym
328 if (APPLE_KEYSTORE_MAX_ASYM_WRAPPED_KEY_LEN > *wrapped_key_size_inout) {
332 if (APPLE_KEYSTORE_MAX_SYM_WRAPPED_KEY_LEN > *wrapped_key_size_inout) {
337 *wrapped_key_size_inout = key_size + PADDINGSIZE;
338 memcpy(wrapped_key, key, key_size);
339 memset(((uint8_t *)wrapped_key) + key_size, 0xff, PADDINGSIZE);
340 return kAKSReturnSuccess;
344 aks_unwrap_key(const void * wrapped_key, int wrapped_key_size, keyclass_t key_class, keybag_handle_t handle, void * key, int * key_size_inout)
346 [SecMockAKS trapdoor];
348 if ([SecMockAKS isSEPDown]) {
349 return kAKSReturnBusy;
352 if ([SecMockAKS isLocked:key_class]) {
353 return kAKSReturnNoPermission;
356 if (wrapped_key_size < PADDINGSIZE) {
359 static const char expected_padding[PADDINGSIZE] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
360 if (memcmp(((const uint8_t *)wrapped_key) + (wrapped_key_size - PADDINGSIZE), expected_padding, PADDINGSIZE) != 0) {
361 return kAKSReturnDecodeError;
363 if (*key_size_inout < wrapped_key_size - PADDINGSIZE) {
366 *key_size_inout = wrapped_key_size - PADDINGSIZE;
367 memcpy(key, wrapped_key, *key_size_inout);
369 return kAKSReturnSuccess;
372 @interface MockAKSRefKeyObject: NSObject
373 @property NSData *keyData;
374 @property SFAESKey *key;
375 @property NSData *acmHandle;
376 @property NSData *externalData;
378 @property NSData *blob; // blob is exteralized format
380 - (instancetype)init NS_UNAVAILABLE;
381 - (instancetype)initWithKeyData:(NSData *)keyData parameters:(NSData *)parameters error:(NSError **)error;
384 @implementation MockAKSRefKeyObject
386 - (instancetype)initWithKeyData:(NSData *)keyData
387 parameters:(NSData *)parameters
388 error:(NSError **)error
390 if ((self = [super init]) != NULL) {
392 self.keyData = [keyData copy];
393 SFAESKeySpecifier* keySpecifier = [[SFAESKeySpecifier alloc] initWithBitSize: SFAESKeyBitSize256];
395 self.key = [[SFAESKey alloc] initWithData:self.keyData specifier:keySpecifier error:error];
396 if (self.key == NULL) {
399 } @catch (NSException *exception) {
400 *error = [NSError errorWithDomain:@"foo" code:kAKSReturnBadArgument userInfo:nil];
404 MockAKSOptionalParameters *params = [[MockAKSOptionalParameters alloc] initWithData:parameters];
406 // enforce that the extra data is DER like
407 if (params.externalData) {
409 CFErrorRef cferror = NULL;
410 uint8_t *der = (uint8_t *)params.externalData.bytes;
411 der_decode_plist(NULL, false, &cf, &cferror, der, der + params.externalData.length);
413 *error = [NSError errorWithDomain:@"foo" code:kAKSReturnBadArgument userInfo:nil];
420 self.externalData = params.externalData;
421 self.acmHandle = params.acmHandle;
423 MockAKSRefKey *blob = [[MockAKSRefKey alloc] init];
424 blob.key = self.keyData;
425 blob.optionalParams = parameters;
426 self.blob = blob.data;
434 aks_ref_key_create(keybag_handle_t handle, keyclass_t key_class, aks_key_type_t type, const uint8_t *params, size_t params_len, aks_ref_key_t *ot)
436 MockAKSRefKeyObject *key;
438 [SecMockAKS trapdoor];
439 NSError *error = NULL;
441 if ([SecMockAKS isLocked:key_class]) {
442 return kAKSReturnNoPermission;
445 NSData *keyData = [NSData dataWithBytes:"1234567890123456789012345678901" length:32];
446 NSData *parameters = NULL;
447 if (params && params_len != 0) {
448 parameters = [NSData dataWithBytes:params length:params_len];
451 key = [[MockAKSRefKeyObject alloc] initWithKeyData:keyData parameters:parameters error:&error];
454 return (int)error.code;
456 return kAKSReturnError;
460 *ot = (__bridge_retained aks_ref_key_t)key;
461 return kAKSReturnSuccess;
465 aks_ref_key_encrypt(aks_ref_key_t handle,
466 const uint8_t *der_params, size_t der_params_len,
467 const void * data, size_t data_len,
468 void ** out_der, size_t * out_der_len)
470 [SecMockAKS trapdoor];
472 // No current error injection
473 NSError* error = nil;
474 NSData* nsdata = [NSData dataWithBytes:data length:data_len];
476 MockAKSRefKeyObject *key = (__bridge MockAKSRefKeyObject*)handle;
478 SFAuthenticatedEncryptionOperation* op = [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:key.key.keySpecifier authenticationMode:SFAuthenticatedEncryptionModeGCM];
481 SFAuthenticatedCiphertext* ciphertext = [op encrypt:nsdata withKey:key.key error:&error];
483 if(error || !ciphertext || !out_der || !out_der_len) {
484 return kAKSReturnError;
487 NSData* cipherBytes = [NSKeyedArchiver archivedDataWithRootObject:ciphertext requiringSecureCoding:YES error:&error];
488 if(error || !cipherBytes) {
489 return kAKSReturnError;
492 *out_der = calloc(1, cipherBytes.length);
494 memcpy(*out_der, cipherBytes.bytes, cipherBytes.length);
495 *out_der_len = cipherBytes.length;
497 return kAKSReturnSuccess;
501 aks_ref_key_decrypt(aks_ref_key_t handle,
502 const uint8_t *der_params, size_t der_params_len,
503 const void * data, size_t data_len,
504 void ** out_der, size_t * out_der_len)
507 [SecMockAKS trapdoor];
509 NSError *error = [SecMockAKS popDecryptRefKeyFailure];
511 return (int)error.code;
514 if (!out_der || !out_der_len || !data) {
515 return kAKSReturnError;
519 NSData *paramsData = [NSData dataWithBytes:der_params length:der_params_len];
520 MockAKSOptionalParameters *params = [[MockAKSOptionalParameters alloc] initWithData:paramsData];
522 if (params.hasExternalData && !params.hasAcmHandle) {
523 return kSKSReturnPolicyInvalid;
525 (void)params; /* check ACM context if the item uses policy */
529 NSData* nsdata = [NSData dataWithBytes:data length:data_len];
531 MockAKSRefKeyObject* key = (__bridge MockAKSRefKeyObject*)handle;
533 SFAuthenticatedCiphertext* ciphertext = [NSKeyedUnarchiver unarchivedObjectOfClass:[SFAuthenticatedCiphertext class] fromData:nsdata error:&error];
535 if(error || !ciphertext) {
536 return kAKSReturnDecodeError;
539 // this should not be needed...
540 if (![ciphertext isKindOfClass:[SFAuthenticatedCiphertext class]]) {
541 return kAKSReturnDecodeError;
543 if (![ciphertext.ciphertext isKindOfClass:[NSData class]]) {
544 return kAKSReturnDecodeError;
546 if (![ciphertext.authenticationCode isKindOfClass:[NSData class]]) {
547 return kAKSReturnDecodeError;
549 if (![ciphertext.initializationVector isKindOfClass:[NSData class]]) {
550 return kAKSReturnDecodeError;
553 NSData* plaintext = NULL;
555 SFAuthenticatedEncryptionOperation* op = [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:key.key.keySpecifier authenticationMode:SFAuthenticatedEncryptionModeGCM];
556 plaintext = [op decrypt:ciphertext withKey:key.key error:&error];
558 if(error || !plaintext) {
559 return kAKSReturnDecodeError;
564 * The output of aks_ref_key_encrypt is not the decrypted data, it's a DER blob that contains an octet string of the data....
567 CFErrorRef cfError = NULL;
568 NSData* derData = (__bridge_transfer NSData*)CFPropertyListCreateDERData(NULL, (__bridge CFTypeRef)plaintext, &cfError);
569 CFReleaseNull(cfError);
570 if (derData == NULL) {
571 return kAKSReturnDecodeError;
574 *out_der = calloc(1, derData.length);
575 if (*out_der == NULL) {
579 memcpy(*out_der, derData.bytes, derData.length);
580 *out_der_len = derData.length;
582 return kAKSReturnSuccess;
586 int aks_ref_key_wrap(aks_ref_key_t handle,
587 uint8_t *der_params, size_t der_params_len,
588 const uint8_t *key, size_t key_len,
589 void **out_der, size_t *out_der_len)
591 [SecMockAKS trapdoor];
593 return aks_ref_key_encrypt(handle, der_params, der_params_len, key, key_len, out_der, out_der_len);
596 int aks_ref_key_unwrap(aks_ref_key_t handle,
597 uint8_t *der_params, size_t der_params_len,
598 const uint8_t *wrapped, size_t wrapped_len,
599 void **out_der, size_t *out_der_len)
601 [SecMockAKS trapdoor];
603 return aks_ref_key_decrypt(handle, der_params, der_params_len, wrapped, wrapped_len, out_der, out_der_len);
608 aks_ref_key_delete(aks_ref_key_t handle, const uint8_t *der_params, size_t der_params_len)
610 return kAKSReturnSuccess;
614 aks_operation_optional_params(const uint8_t * access_groups, size_t access_groups_len, const uint8_t * external_data, size_t external_data_len, const void * acm_handle, int acm_handle_len, void ** out_der, size_t * out_der_len)
617 [SecMockAKS trapdoor];
619 MockAKSOptionalParameters* params = [[MockAKSOptionalParameters alloc] init];
622 params.accessGroups = [NSData dataWithBytes:access_groups length:access_groups_len];
625 params.externalData = [NSData dataWithBytes:external_data length:external_data_len];
628 params.acmHandle = [NSData dataWithBytes:acm_handle length:acm_handle_len];
631 NSData *result = params.data;
632 *out_der = malloc(result.length);
633 memcpy(*out_der, result.bytes, result.length);
634 *out_der_len = result.length;
635 return kAKSReturnSuccess;
639 int aks_ref_key_create_with_blob(keybag_handle_t keybag, const uint8_t *ref_key_blob, size_t ref_key_blob_len, aks_ref_key_t* handle)
641 NSError *error = NULL;
642 MockAKSRefKeyObject *key = NULL;
645 [SecMockAKS trapdoor];
646 NSData *data = [NSData dataWithBytes:ref_key_blob length:ref_key_blob_len];
648 MockAKSRefKey *blob = [[MockAKSRefKey alloc] initWithData:data];
650 return kAKSReturnBadData;
652 if (!blob.hasKey || blob.key.length == 0) {
653 return kAKSReturnBadData;
656 key = [[MockAKSRefKeyObject alloc] initWithKeyData:blob.key parameters:blob.optionalParams error:&error];
659 *handle = (aks_ref_key_t)-1;
661 return (int)error.code;
663 return kAKSReturnError;
666 *handle = (__bridge_retained aks_ref_key_t)key;
667 return kAKSReturnSuccess;
670 const uint8_t * aks_ref_key_get_blob(aks_ref_key_t refkey, size_t *out_blob_len)
672 MockAKSRefKeyObject *key = (__bridge MockAKSRefKeyObject*)refkey;
674 *out_blob_len = key.blob.length;
675 return (const uint8_t *)key.blob.bytes;
679 aks_ref_key_free(aks_ref_key_t* refkey)
681 if (*refkey != NULL) {
682 MockAKSRefKeyObject *key = (__bridge MockAKSRefKeyObject*)*refkey;
683 CFTypeRef cfkey = CFBridgingRetain(key);
687 return kAKSReturnSuccess;
691 aks_ref_key_get_external_data(aks_ref_key_t refkey, size_t *out_external_data_len)
693 MockAKSRefKeyObject *key = (__bridge MockAKSRefKeyObject*)refkey;
695 *out_external_data_len = key.externalData.length;
696 return (const uint8_t *)key.externalData.bytes;
700 aks_assert_hold(keybag_handle_t handle, uint32_t type, uint64_t timeout)
702 if ([SecMockAKS isLocked:key_class_ak]) {
703 return kAKSReturnNoPermission;
705 return kAKSReturnSuccess;
709 aks_assert_drop(keybag_handle_t handle, uint32_t type)
711 return kAKSReturnSuccess;
715 aks_generation(keybag_handle_t handle,
716 generation_option_t generation_option,
717 uint32_t * current_generation)
719 *current_generation = 0;
720 return kAKSReturnSuccess;
723 CFStringRef kMKBDeviceModeMultiUser = CFSTR("kMKBDeviceModeMultiUser");
724 CFStringRef kMKBDeviceModeSingleUser = CFSTR("kMKBDeviceModeSingleUser");
725 CFStringRef kMKBDeviceModeKey = CFSTR("kMKBDeviceModeKey");
727 static CFStringRef staticKeybagHandle = CFSTR("keybagHandle");
730 MKBKeyBagCreateWithData(CFDataRef keybagBlob, MKBKeyBagHandleRef* newHandle)
732 *newHandle = (MKBKeyBagHandleRef)staticKeybagHandle;
733 return kMobileKeyBagSuccess;
737 MKBKeyBagUnlock(MKBKeyBagHandleRef keybag, CFDataRef passcode)
739 if (keybag == NULL || !CFEqual(keybag, staticKeybagHandle)) {
742 return kMobileKeyBagSuccess;
745 int MKBKeyBagGetAKSHandle(MKBKeyBagHandleRef keybag, int32_t *handle)
747 if (keybag == NULL || !CFEqual(keybag, staticKeybagHandle)) {
751 return kMobileKeyBagSuccess;
754 int MKBGetDeviceLockState(CFDictionaryRef options)
756 if ([SecMockAKS isLocked:key_class_ak]) {
757 return kMobileKeyBagDeviceIsLocked;
759 return kMobileKeyBagDeviceIsUnlocked;
762 CF_RETURNS_RETAINED CFDictionaryRef
763 MKBUserTypeDeviceMode(CFDictionaryRef options, CFErrorRef * error)
765 return CFBridgingRetain(@{
766 (__bridge NSString *)kMKBDeviceModeKey : (__bridge NSString *)kMKBDeviceModeSingleUser,
770 int MKBForegroundUserSessionID( CFErrorRef * error)
772 return kMobileKeyBagSuccess;
775 const CFTypeRef kAKSKeyAcl = (CFTypeRef)CFSTR("kAKSKeyAcl");
776 const CFTypeRef kAKSKeyAclParamRequirePasscode = (CFTypeRef)CFSTR("kAKSKeyAclParamRequirePasscode");
778 const CFTypeRef kAKSKeyOpDefaultAcl = (CFTypeRef)CFSTR("kAKSKeyOpDefaultAcl");
779 const CFTypeRef kAKSKeyOpEncrypt = (CFTypeRef)CFSTR("kAKSKeyOpEncrypt");
780 const CFTypeRef kAKSKeyOpDecrypt = (CFTypeRef)CFSTR("kAKSKeyOpDecrypt");
781 const CFTypeRef kAKSKeyOpSync = (CFTypeRef)CFSTR("kAKSKeyOpSync");
782 const CFTypeRef kAKSKeyOpDelete = (CFTypeRef)CFSTR("kAKSKeyOpDelete");
783 const CFTypeRef kAKSKeyOpCreate = (CFTypeRef)CFSTR("kAKSKeyOpCreate");
784 const CFTypeRef kAKSKeyOpSign = (CFTypeRef)CFSTR("kAKSKeyOpSign");
785 const CFTypeRef kAKSKeyOpSetKeyClass = (CFTypeRef)CFSTR("kAKSKeyOpSetKeyClass");
786 const CFTypeRef kAKSKeyOpWrap = (CFTypeRef)CFSTR("kAKSKeyOpWrap");
787 const CFTypeRef kAKSKeyOpUnwrap = (CFTypeRef)CFSTR("kAKSKeyOpUnwrap");
788 const CFTypeRef kAKSKeyOpComputeKey = (CFTypeRef)CFSTR("kAKSKeyOpComputeKey");
789 const CFTypeRef kAKSKeyOpAttest = (CFTypeRef)CFSTR("kAKSKeyOpAttest");
790 const CFTypeRef kAKSKeyOpTranscrypt = (CFTypeRef)CFSTR("kAKSKeyOpTranscrypt");
791 const CFTypeRef kAKSKeyOpECIESEncrypt = (CFTypeRef)CFSTR("kAKSKeyOpECIESEncrypt");
792 const CFTypeRef kAKSKeyOpECIESDecrypt = (CFTypeRef)CFSTR("kAKSKeyOpECIESDecrypt");
793 const CFTypeRef kAKSKeyOpECIESTranscode = (CFTypeRef)CFSTR("kAKSKeyOpECIESTranscode");
796 TKTokenRef TKTokenCreate(CFDictionaryRef attributes, CFErrorRef *error)
801 CFTypeRef TKTokenCopyObjectData(TKTokenRef token, CFDataRef objectID, CFErrorRef *error)
806 CFDataRef TKTokenCreateOrUpdateObject(TKTokenRef token, CFDataRef objectID, CFMutableDictionaryRef attributes, CFErrorRef *error)
811 CFDataRef TKTokenCopyObjectAccessControl(TKTokenRef token, CFDataRef objectID, CFErrorRef *error)
815 bool TKTokenDeleteObject(TKTokenRef token, CFDataRef objectID, CFErrorRef *error)
820 CFDataRef TKTokenCopyPublicKeyData(TKTokenRef token, CFDataRef objectID, CFErrorRef *error)
825 CFTypeRef TKTokenCopyOperationResult(TKTokenRef token, CFDataRef objectID, CFIndex secKeyOperationType, CFArrayRef algorithm,
826 CFIndex secKeyOperationMode, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error)
831 CF_RETURNS_RETAINED CFDictionaryRef TKTokenControl(TKTokenRef token, CFDictionaryRef attributes, CFErrorRef *error)
836 CFTypeRef LACreateNewContextWithACMContext(CFDataRef acmContext, CFErrorRef *error)
841 CFDataRef LACopyACMContext(CFTypeRef context, CFErrorRef *error)
846 bool LAEvaluateAndUpdateACL(CFTypeRef context, CFDataRef acl, CFTypeRef operation, CFDictionaryRef hints, CFDataRef *updatedACL, CFErrorRef *error)
852 ACMContextCreateWithExternalForm(const void *externalForm, size_t dataLength)
858 ACMContextDelete(ACMContextRef context, bool destroyContext)
860 return kACMErrorSuccess;
864 ACMContextRemovePassphraseCredentialsByPurposeAndScope(const ACMContextRef context, ACMPassphrasePurpose purpose, ACMScope scope)
866 return kACMErrorSuccess;
869 #endif // TARGET_OS_BRIDGE
projects / apple / security.git / blob