2 * Copyright (c) 2007-2009,2012-2015 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
23 #ifndef _SECURITYD_CLIENT_H_
24 #define _SECURITYD_CLIENT_H_
28 # include <Security/SecTrust.h>
29 #ifndef MINIMIZE_INCLUDES
30 # include <Security/SecTrustStore.h>
31 # include <Security/SecCertificatePath.h>
33 typedef struct __SecTrustStore
*SecTrustStoreRef
;
34 # ifndef _SECURITY_SECCERTIFICATE_H_
35 typedef struct __SecCertificate
*SecCertificateRef
;
36 # endif // _SECURITY_SECCERTIFICATE_H_
37 # ifndef _SECURITY_SECCERTIFICATEPATH_H_
38 typedef struct SecCertificatePath
*SecCertificatePathRef
;
39 # endif // _SECURITY_SECCERTIFICATEPATH_H_
40 #endif // MINIMIZE_INCLUDES
42 #include <CoreFoundation/CFArray.h>
43 #include <CoreFoundation/CFDictionary.h>
44 #include <CoreFoundation/CFError.h>
46 #include <Security/SecureObjectSync/SOSCloudCircle.h>
47 #include <Security/SecureObjectSync/SOSPeerInfo.h>
48 #include <Security/SecureObjectSync/SOSRing.h>
51 #include <CoreFoundation/CFXPCBridge.h>
53 // TODO: This should be in client of XPC code locations...
55 #define kSecuritydXPCServiceName "com.apple.securityd.xpc"
56 #define kTrustdAgentXPCServiceName "com.apple.trustd.agent"
57 #define kTrustdXPCServiceName "com.apple.trustd"
59 #define kSecuritydXPCServiceName "com.apple.securityd"
60 #define kTrustdAgentXPCServiceName "com.apple.securityd"
61 #define kTrustdXPCServiceName "com.apple.securityd"
62 #endif // *** END SECITEM_SHIM_OSX ***
65 // MARK: XPC Information.
68 extern CFStringRef sSecXPCErrorDomain
;
70 extern const char *kSecXPCKeyOperation
;
71 extern const char *kSecXPCKeyResult
;
72 extern const char *kSecXPCKeyError
;
73 extern const char *kSecXPCKeyPeerInfos
;
74 extern const char *kSecXPCKeyUserLabel
;
75 extern const char *kSecXPCKeyBackup
;
76 extern const char *kSecXPCKeyKeybag
;
77 extern const char *kSecXPCKeyUserPassword
;
78 extern const char *kSecXPCKeyDSID
;
79 extern const char *kSecXPCKeyViewName
;
80 extern const char *kSecXPCKeyViewActionCode
;
81 extern const char *kSecXPCKeyNewPublicBackupKey
;
82 extern const char *kSecXPCKeyIncludeV0
;
83 extern const char *kSecXPCKeyEnabledViewsKey
;
84 extern const char *kSecXPCKeyDisabledViewsKey
;
85 extern const char *kSecXPCKeyEscrowLabel
;
86 extern const char *kSecXPCKeyAvailability
;
88 // MARK: Dispatch macros
91 #define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
94 // MARK: Object to XPC format conversion.
99 // MARK: XPC Interfaces
102 extern const char *kSecXPCKeyOperation
;
103 extern const char *kSecXPCKeyResult
;
104 extern const char *kSecXPCKeyError
;
105 extern const char *kSecXPCKeyPeerInfos
;
106 extern const char *kSecXPCKeyUserLabel
;
107 extern const char *kSecXPCKeyUserPassword
;
108 extern const char *kSecXPCKeyDSID
;
109 extern const char *kSecXPCLimitInMinutes
;
110 extern const char *kSecXPCKeyQuery
;
111 extern const char *kSecXPCKeyAttributesToUpdate
;
112 extern const char *kSecXPCKeyDomain
;
113 extern const char *kSecXPCKeyDigest
;
114 extern const char *kSecXPCKeyCertificate
;
115 extern const char *kSecXPCKeySettings
;
116 extern const char *kSecXPCPublicPeerId
; // Public peer id
117 extern const char *kSecXPCOTRSession
; // OTR session bytes
118 extern const char *kSecXPCData
; // Data to process
119 extern const char *kSecXPCOTRReady
; // OTR ready for messages
120 extern const char *kSecXPCKeyDeviceID
;
121 extern const char *kSecXPCKeyIDSMessage
;
122 extern const char *kSecXPCKeyViewName
;
123 extern const char *kSecXPCKeyViewActionCode
;
124 extern const char *kSecXPCKeySendIDSMessage
;
125 extern const char *kSecXPCKeyHSA2AutoAcceptInfo
;
126 extern const char *kSecXPCKeyEscrowLabel
;
127 extern const char *kSecXPCKeyTriesLabel
;
128 extern const char *kSecXPCKeyString
;
130 extern const char *kSecXPCKeyReason
;
133 // MARK: Mach port request IDs
135 enum SecXPCOperation
{
137 sec_item_copy_matching_id
= 1,
138 sec_item_update_id
= 2,
139 sec_item_delete_id
= 3,
140 // trust_store_for_domain -- NOT an ipc
141 sec_trust_store_contains_id
= 4,
142 sec_trust_store_set_trust_settings_id
= 5,
143 sec_trust_store_remove_certificate_id
= 6,
144 // remove_all -- NOT an ipc
145 sec_delete_all_id
= 7,
146 sec_trust_evaluate_id
= 8,
147 // Any new items MUST be added below here
148 // This allows updating roots on a device, since SecTrustEvaluate must continue to work
149 sec_keychain_backup_id
,
150 sec_keychain_restore_id
,
151 sec_keychain_backup_syncable_id
,
152 sec_keychain_restore_syncable_id
,
153 sec_item_backup_copy_names_id
,
154 sec_item_backup_handoff_fd_id
,
155 sec_item_backup_set_confirmed_manifest_id
,
156 sec_item_backup_restore_id
,
157 sec_keychain_sync_update_message_id
,
158 sec_ota_pki_asset_version_id
,
159 sec_otr_session_create_remote_id
,
160 sec_otr_session_process_packet_remote_id
,
161 kSecXPCOpOTAPKIGetNewAsset
,
162 kSecXPCOpOTAGetEscrowCertificates
,
163 kSecXPCOpProcessUnlockNotification
,
164 kSecXPCOpProcessSyncWithAllPeers
,
166 sec_add_shared_web_credential_id
,
167 sec_copy_shared_web_credential_id
,
168 sec_get_log_settings_id
,
169 sec_set_xpc_log_settings_id
,
170 sec_set_circle_log_settings_id
,
171 soscc_EnsurePeerRegistration_id
,
172 kSecXPCOpRequestEnsureFreshParameters
,
173 kSecXPCOpGetAllTheRings
,
174 kSecXPCOpApplyToARing
,
175 kSecXPCOpWithdrawlFromARing
,
178 kSecXPCOpRequestDeviceID
,
179 kSecXPCOpSetDeviceID
,
180 kSecXPCOpHandleIDSMessage
,
181 kSecXPCOpSendIDSMessage
,
183 kSecXPCOpIDSDeviceID
,
184 // any process using an operation below here is required to have entitlement keychain-cloud-circle
185 kSecXPCOpTryUserCredentials
,
186 kSecXPCOpSetUserCredentials
,
187 kSecXPCOpSetUserCredentialsAndDSID
,
188 kSecXPCOpCanAuthenticate
,
189 kSecXPCOpPurgeUserCredentials
,
190 kSecXPCOpDeviceInCircle
,
191 kSecXPCOpRequestToJoin
,
192 kSecXPCOpRequestToJoinAfterRestore
,
193 kSecXPCOpResetToOffering
,
194 kSecXPCOpResetToEmpty
,
197 kSecXPCOpSecurityProperty
,
198 kSecXPCOpRemoveThisDeviceFromCircle
,
199 kSecXPCOpRemovePeersFromCircle
,
200 kSecXPCOpLoggedOutOfAccount
,
201 kSecXPCOpBailFromCircle
,
202 kSecXPCOpAcceptApplicants
,
203 kSecXPCOpRejectApplicants
,
204 kSecXPCOpCopyApplicantPeerInfo
,
205 kSecXPCOpCopyValidPeerPeerInfo
,
206 kSecXPCOpValidateUserPublic
,
207 kSecXPCOpCopyNotValidPeerPeerInfo
,
208 kSecXPCOpCopyPeerPeerInfo
,
209 kSecXPCOpCopyConcurringPeerPeerInfo
,
210 kSecXPCOpCopyGenerationPeerInfo
,
211 kSecXPCOpGetLastDepartureReason
,
212 kSecXPCOpSetLastDepartureReason
,
213 kSecXPCOpCopyIncompatibilityInfo
,
214 kSecXPCOpCopyRetirementPeerInfo
,
215 kSecXPCOpCopyViewUnawarePeerInfo
,
216 kSecXPCOpCopyEngineState
,
217 kSecXPCOpCopyMyPeerInfo
,
218 kSecXPCOpAccountSetToNew
,
219 kSecXPCOpSetHSA2AutoAcceptInfo
,
220 kSecXPCOpSetNewPublicBackupKey
,
221 kSecXPCOpSetBagForAllSlices
,
222 kSecXPCOpWaitForInitialSync
,
223 kSecXPCOpCopyYetToSyncViews
,
224 kSecXPCOpSetEscrowRecord
,
225 kSecXPCOpGetEscrowRecord
,
226 kSecXPCOpCheckPeerAvailability
,
232 bool (*sec_item_add
)(CFDictionaryRef attributes
, CFArrayRef accessGroups
, CFTypeRef
*result
, CFErrorRef
* error
);
233 bool (*sec_item_copy_matching
)(CFDictionaryRef query
, CFArrayRef accessGroups
, CFTypeRef
*result
, CFErrorRef
* error
);
234 bool (*sec_item_update
)(CFDictionaryRef query
, CFDictionaryRef attributesToUpdate
, CFArrayRef accessGroups
, CFErrorRef
* error
);
235 bool (*sec_item_delete
)(CFDictionaryRef query
, CFArrayRef accessGroups
, CFErrorRef
* error
);
236 bool (*sec_add_shared_web_credential
)(CFDictionaryRef attributes
, const audit_token_t
*clientAuditToken
, CFStringRef appID
, CFArrayRef accessGroups
, CFTypeRef
*result
, CFErrorRef
*error
);
237 bool (*sec_copy_shared_web_credential
)(CFDictionaryRef query
, const audit_token_t
*clientAuditToken
, CFStringRef appID
, CFArrayRef accessGroups
, CFTypeRef
*result
, CFErrorRef
*error
);
238 SecTrustStoreRef (*sec_trust_store_for_domain
)(CFStringRef domainName
, CFErrorRef
* error
); // TODO: remove, has no msg id
239 bool (*sec_trust_store_contains
)(SecTrustStoreRef ts
, CFDataRef digest
, bool *contains
, CFErrorRef
* error
);
240 bool (*sec_trust_store_set_trust_settings
)(SecTrustStoreRef ts
, SecCertificateRef certificate
, CFTypeRef trustSettingsDictOrArray
, CFErrorRef
* error
);
241 bool (*sec_trust_store_remove_certificate
)(SecTrustStoreRef ts
, CFDataRef digest
, CFErrorRef
* error
);
242 bool (*sec_truststore_remove_all
)(SecTrustStoreRef ts
, CFErrorRef
* error
); // TODO: remove, has no msg id
243 bool (*sec_item_delete_all
)(CFErrorRef
* error
);
244 SecTrustResultType (*sec_trust_evaluate
)(CFArrayRef certificates
, CFArrayRef anchors
, bool anchorsOnly
, CFArrayRef policies
, CFArrayRef responses
, CFArrayRef SCTs
, CFArrayRef trustedLogs
, CFAbsoluteTime verifyTime
, __unused CFArrayRef accessGroups
, CFArrayRef
*details
, CFDictionaryRef
*info
, SecCertificatePathRef
*chain
, CFErrorRef
*error
);
245 CFDataRef (*sec_keychain_backup
)(CFDataRef keybag
, CFDataRef passcode
, CFErrorRef
* error
);
246 bool (*sec_keychain_restore
)(CFDataRef backup
, CFDataRef keybag
, CFDataRef passcode
, CFErrorRef
* error
);
247 CFDictionaryRef (*sec_keychain_backup_syncable
)(CFDictionaryRef backup_in
, CFDataRef keybag
, CFDataRef passcode
, CFErrorRef
* error
);
248 bool (*sec_keychain_restore_syncable
)(CFDictionaryRef backup
, CFDataRef keybag
, CFDataRef passcode
, CFErrorRef
* error
);
249 CFArrayRef (*sec_item_backup_copy_names
)(CFErrorRef
*error
);
250 int (*sec_item_backup_handoff_fd
)(CFStringRef backupName
, CFErrorRef
*error
);
251 bool (*sec_item_backup_set_confirmed_manifest
)(CFStringRef backupName
, CFDataRef keybagDigest
, CFDataRef manifest
, CFErrorRef
*error
);
252 bool (*sec_item_backup_restore
)(CFStringRef backupName
, CFStringRef peerID
, CFDataRef keybag
, CFDataRef secret
, CFDataRef backup
, CFErrorRef
*error
);
253 int (*sec_ota_pki_asset_version
)(CFErrorRef
* error
);
254 CFDataRef (*sec_otr_session_create_remote
)(CFDataRef publicPeerId
, CFErrorRef
* error
);
255 bool (*sec_otr_session_process_packet_remote
)(CFDataRef sessionData
, CFDataRef inputPacket
, CFDataRef
* outputSessionData
, CFDataRef
* outputPacket
, bool *readyForMessages
, CFErrorRef
* error
);
256 bool (*soscc_TryUserCredentials
)(CFStringRef user_label
, CFDataRef user_password
, CFErrorRef
*error
);
257 bool (*soscc_SetUserCredentials
)(CFStringRef user_label
, CFDataRef user_password
, CFErrorRef
*error
);
258 bool (*soscc_SetUserCredentialsAndDSID
)(CFStringRef user_label
, CFDataRef user_password
, CFStringRef dsid
, CFErrorRef
*error
);
259 bool (*soscc_CanAuthenticate
)(CFErrorRef
*error
);
260 bool (*soscc_PurgeUserCredentials
)(CFErrorRef
*error
);
261 SOSCCStatus (*soscc_ThisDeviceIsInCircle
)(CFErrorRef
* error
);
262 bool (*soscc_RequestToJoinCircle
)(CFErrorRef
* error
);
263 bool (*soscc_RequestToJoinCircleAfterRestore
)(CFErrorRef
* error
);
264 bool (*soscc_RequestEnsureFreshParameters
)(CFErrorRef
* error
);
265 CFStringRef (*soscc_GetAllTheRings
)(CFErrorRef
*error
);
266 bool (*soscc_ApplyToARing
)(CFStringRef ringName
, CFErrorRef
* error
);
267 bool (*soscc_WithdrawlFromARing
)(CFStringRef ringName
, CFErrorRef
* error
);
268 bool (*soscc_EnableRing
)(CFStringRef ringName
, CFErrorRef
* error
);
269 SOSRingStatus (*soscc_RingStatus
)(CFStringRef ringName
, CFErrorRef
* error
);
270 CFStringRef (*soscc_CopyDeviceID
)(CFErrorRef
* error
);
271 bool (*soscc_SetDeviceID
)(CFStringRef IDS
, CFErrorRef
*error
);
272 HandleIDSMessageReason (*soscc_HandleIDSMessage
)(CFDictionaryRef IDS
, CFErrorRef
*error
);
273 bool (*soscc_CheckIDSRegistration
)(CFStringRef message
, CFErrorRef
*error
);
274 bool (*soscc_PingTest
)(CFStringRef message
, CFErrorRef
*error
);
275 bool (*soscc_GetIDSIDFromIDS
)(CFErrorRef
*error
);
276 bool (*soscc_SetToNew
)(CFErrorRef
*error
);
277 bool (*soscc_ResetToOffering
)(CFErrorRef
* error
);
278 bool (*soscc_ResetToEmpty
)(CFErrorRef
* error
);
279 SOSViewResultCode (*soscc_View
)(CFStringRef view
, SOSViewActionCode action
, CFErrorRef
*error
);
280 bool (*soscc_ViewSet
)(CFSetRef enabledViews
, CFSetRef disabledViews
);
281 SOSSecurityPropertyResultCode (*soscc_SecurityProperty
)(CFStringRef property
, SOSSecurityPropertyActionCode action
, CFErrorRef
*error
);
282 bool (*soscc_RegisterSingleRecoverySecret
)(CFDataRef backupSlice
, bool forV0Only
, CFErrorRef
*error
);
283 bool (*soscc_RemoveThisDeviceFromCircle
)(CFErrorRef
* error
);
284 bool (*soscc_RemovePeersFromCircle
)(CFArrayRef peers
, CFErrorRef
* error
);
285 bool (*soscc_LoggedOutOfAccount
)(CFErrorRef
* error
);
286 bool (*soscc_BailFromCircle
)(uint64_t limit_in_seconds
, CFErrorRef
* error
);
287 bool (*soscc_AcceptApplicants
)(CFArrayRef applicants
, CFErrorRef
* error
);
288 bool (*soscc_RejectApplicants
)(CFArrayRef applicants
, CFErrorRef
* error
);
289 SOSPeerInfoRef (*soscc_SetNewPublicBackupKey
)(CFDataRef pubKey
, CFErrorRef
*error
);
290 bool (*soscc_ValidateUserPublic
)(CFErrorRef
* error
);
291 CFArrayRef (*soscc_CopyGenerationPeerInfo
)(CFErrorRef
* error
);
292 CFArrayRef (*soscc_CopyApplicantPeerInfo
)(CFErrorRef
* error
);
293 CFArrayRef (*soscc_CopyValidPeerPeerInfo
)(CFErrorRef
* error
);
294 CFArrayRef (*soscc_CopyNotValidPeerPeerInfo
)(CFErrorRef
* error
);
295 CFArrayRef (*soscc_CopyRetirementPeerInfo
)(CFErrorRef
* error
);
296 CFArrayRef (*soscc_CopyViewUnawarePeerInfo
)(CFErrorRef
* error
);
297 CFArrayRef (*soscc_CopyEngineState
)(CFErrorRef
* error
);
298 // Not sure why these are below the last entry in the enum order above, but they are:
299 CFArrayRef (*soscc_CopyPeerInfo
)(CFErrorRef
* error
);
300 CFArrayRef (*soscc_CopyConcurringPeerInfo
)(CFErrorRef
* error
);
301 CFStringRef (*soscc_CopyIncompatibilityInfo
)(CFErrorRef
* error
);
302 enum DepartureReason (*soscc_GetLastDepartureReason
)(CFErrorRef
* error
);
303 bool (*soscc_SetLastDepartureReason
)(enum DepartureReason
, CFErrorRef
* error
);
304 CFArrayRef (*ota_CopyEscrowCertificates
)(uint32_t escrowRootType
, CFErrorRef
* error
);
305 int (*sec_ota_pki_get_new_asset
)(CFErrorRef
* error
);
306 SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers
)(CFErrorRef
* error
);
307 bool (*soscc_EnsurePeerRegistration
)(CFErrorRef
* error
);
308 bool (*sec_roll_keys
)(bool force
, CFErrorRef
* error
);
309 CFArrayRef (*sec_keychain_sync_update_message
)(CFDictionaryRef update
, CFErrorRef
*error
);
310 CFPropertyListRef (*sec_get_log_settings
)(CFErrorRef
* error
);
311 bool (*sec_set_xpc_log_settings
)(CFTypeRef type
, CFErrorRef
* error
);
312 bool (*sec_set_circle_log_settings
)(CFTypeRef type
, CFErrorRef
* error
);
313 SOSPeerInfoRef (*soscc_CopyMyPeerInfo
)(CFErrorRef
*);
314 bool (*soscc_SetHSA2AutoAcceptInfo
)(CFDataRef
, CFErrorRef
*);
315 bool (*soscc_WaitForInitialSync
)(CFErrorRef
*);
316 CFArrayRef (*soscc_CopyYetToSyncViewsList
)(CFErrorRef
*);
317 bool (*soscc_SetEscrowRecords
)(CFStringRef escrow_label
, uint64_t tries
, CFErrorRef
*error
);
318 CFDictionaryRef (*soscc_CopyEscrowRecords
)(CFErrorRef
*error
);
319 bool (*soscc_PeerAvailability
)(CFErrorRef
*error
);
322 extern struct securityd
*gSecurityd
;
324 CFArrayRef
SecAccessGroupsGetCurrent(void);
327 CFStringRef
SOSCCGetOperationDescription(enum SecXPCOperation op
);
328 xpc_object_t
securityd_message_with_reply_sync(xpc_object_t message
, CFErrorRef
*error
);
329 xpc_object_t
securityd_create_message(enum SecXPCOperation op
, CFErrorRef
*error
);
330 bool securityd_message_no_error(xpc_object_t message
, CFErrorRef
*error
);
333 bool securityd_send_sync_and_do(enum SecXPCOperation op
, CFErrorRef
*error
,
334 bool (^add_to_message
)(xpc_object_t message
, CFErrorRef
* error
),
335 bool (^handle_response
)(xpc_object_t response
, CFErrorRef
* error
));
337 // For testing only, never call this in a threaded program!
338 void SecServerSetMachServiceName(const char *name
);
341 #endif /* _SECURITYD_CLIENT_H_ */