]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/Regressions/secitem/si_77_SecAccessControl.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57740.60.18.tar.gz
[apple/security.git] / OSX / sec / Security / Regressions / secitem / si_77_SecAccessControl.c
1 /*
2 * Copyright (c) 2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 #include <Security/SecItem.h>
26 #include <Security/SecItemPriv.h>
27 #include <Security/SecAccessControl.h>
28 #include <Security/SecAccessControlPriv.h>
29 #include <Security/SecInternal.h>
30 #include <utilities/SecCFWrappers.h>
31 #include <utilities/SecAKSWrappers.h>
32 #include <utilities/array_size.h>
33 #include <utilities/der_plist.h>
34 #include <libaks_acl_cf_keys.h>
35 #include <ACMDefs.h>
36 #include <ACMAclDefs.h>
37
38 #if TARGET_HAS_KEYSTORE
39 #include <Security/SecRandom.h>
40 #include <securityd/SecDbItem.h>
41 #include <coreauthd_spi.h>
42 #include <corecrypto/ccder.h>
43 #endif /* TARGET_HAS_KEYSTORE */
44
45 #include "Security_regressions.h"
46
47 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE
48 static bool aks_consistency_test(bool currentAuthDataFormat, kern_return_t expectedAksResult, SecAccessControlRef access_control, CFDataRef acm_context);
49 static CFDataRef kc_create_auth_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes);
50 static CFDataRef kc_copy_constraints_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes);
51 static int aks_crypt_acl(CFTypeRef operation, keybag_handle_t keybag,
52 keyclass_t keyclass, uint32_t textLength, const uint8_t *source,
53 CFMutableDataRef dest, CFDataRef auth_data, CFDataRef acm_context, CFDataRef caller_access_groups);
54 #endif
55
56 static void tests(void)
57 {
58 CFAllocatorRef allocator = kCFAllocatorDefault;
59 CFTypeRef protection = kSecAttrAccessibleAlwaysPrivate;
60 CFErrorRef error = NULL;
61
62 // Simple API tests:
63
64 // ACL with protection only
65 SecAccessControlRef acl = SecAccessControlCreateWithFlags(allocator, protection, 0, &error);
66 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
67 CFReleaseNull(error);
68 CFReleaseNull(acl);
69
70 // ACL with flags only (not allowed)
71 #pragma clang diagnostic push
72 #pragma clang diagnostic ignored "-Wnonnull"
73 // NULL passed as 'protection' newly generates a warning, we need to suppress it in order to compile
74 acl = SecAccessControlCreateWithFlags(allocator, NULL, kSecAccessControlUserPresence, &error);
75 #pragma clang diagnostic pop
76 ok(acl == NULL, "SecAccessControlCreateWithFlags");
77 CFReleaseNull(error);
78 CFReleaseNull(acl);
79
80 // ACL with protection and kSecAccessControlTouchIDCurrentSet
81 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlTouchIDCurrentSet, &error);
82 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
83 CFReleaseNull(error);
84 CFReleaseNull(acl);
85
86 // ACL with protection and flags
87 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlTouchIDAny | kSecAccessControlDevicePasscode | kSecAccessControlOr, &error);
88 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
89 CFReleaseNull(error);
90 CFReleaseNull(acl);
91
92 // ACL with protection and flags
93 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlTouchIDAny | kSecAccessControlDevicePasscode | kSecAccessControlAnd, &error);
94 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
95 CFReleaseNull(error);
96 CFReleaseNull(acl);
97
98 // ACL with protection and flags
99 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlTouchIDAny | kSecAccessControlDevicePasscode | kSecAccessControlAnd | kSecAccessControlApplicationPassword, &error);
100 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
101 CFReleaseNull(error);
102 CFReleaseNull(acl);
103
104 // ACL with protection and kSecAccessControlApplicationPassword
105 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlApplicationPassword, &error);
106 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
107 CFReleaseNull(error);
108 CFReleaseNull(acl);
109
110 // ACL with protection and, kSecAccessControlUserPresence can be in combination with kSecAccessControlApplicationPassword and kSecAccessControlPrivateKeyUsage
111 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlUserPresence | kSecAccessControlApplicationPassword | kSecAccessControlPrivateKeyUsage, &error);
112 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
113 CFReleaseNull(error);
114 CFReleaseNull(acl);
115
116 // negative test of ACL with protection and, kSecAccessControlUserPresence can be in combination with kSecAccessControlApplicationPassword and kSecAccessControlPrivateKeyUsage
117 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlUserPresence | kSecAccessControlTouchIDAny, &error);
118 ok(acl == NULL, "SecAccessControlCreateWithFlag wrong combination of flags");
119 CFReleaseNull(error);
120 CFReleaseNull(acl);
121
122 // ACL with protection and flags
123 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlUserPresence, &error);
124 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
125 CFReleaseNull(error);
126
127 // Extended API tests:
128
129 // Check created ACL
130 CFTypeRef aclProtection = SecAccessControlGetProtection(acl);
131 is(aclProtection, protection, "SecAccessControlGetProtection");
132
133 SecAccessConstraintRef aclConstraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt);
134 // Check created ACL
135 ok(aclConstraint != NULL && isDictionary(aclConstraint), "SecAccessControlGetConstraint");
136 eq_cf(CFDictionaryGetValue(aclConstraint, CFSTR(kACMKeyAclConstraintPolicy)), CFSTR(kACMPolicyDeviceOwnerAuthentication), "SecAccessControlGetConstraint");
137
138 CFReleaseNull(acl);
139
140 // Simple SPI tests:
141
142 // Empty ACL
143 acl = SecAccessControlCreate(allocator, &error);
144 ok(acl != NULL, "SecAccessControlCreate: %@", error);
145 CFReleaseNull(error);
146
147 // ACL protection
148 bool result = SecAccessControlSetProtection(acl, protection, &error);
149 ok(result, "SecAccessControlSetProtection: %@", error);
150 CFReleaseNull(error);
151
152 aclProtection = SecAccessControlGetProtection(acl);
153 // ACL protection
154 is(aclProtection, protection, "SecAccessControlGetProtection");
155
156 // Policy constraint
157 SecAccessConstraintRef policy = SecAccessConstraintCreatePolicy(allocator, CFSTR(kACMPolicyDeviceOwnerAuthentication), &error);
158 ok(policy != NULL, "SecAccessConstraintCreatePolicy: %@", error);
159 ok(isDictionary(policy), "SecAccessConstraintCreatePolicy");
160 is(CFDictionaryGetValue(policy, CFSTR(kACMKeyAclConstraintPolicy)), CFSTR(kACMPolicyDeviceOwnerAuthentication), "SecAccessConstraintCreatePolicy");
161 CFReleaseNull(error);
162 CFReleaseNull(policy);
163
164 // Passcode constraint
165 SecAccessConstraintRef passcode = SecAccessConstraintCreatePasscode(allocator);
166 ok(passcode != NULL && isDictionary(passcode), "SecAccessConstraintCreatePasscode");
167 is(CFDictionaryGetValue(passcode, CFSTR(kACMKeyAclConstraintUserPasscode)), kCFBooleanTrue, "SecAccessConstraintCreatePasscode");
168 // CFReleaseNull(passcode); passcode will be used in later tests
169
170 CFUUIDRef uuid = CFUUIDCreate(allocator);
171 CFStringRef uuidString = CFUUIDCreateString(allocator, uuid);
172 CFDataRef uuidData = CFStringCreateExternalRepresentation(allocator, uuidString, kCFStringEncodingUTF8, 0);
173 SecAccessConstraintRef touchID = SecAccessConstraintCreateTouchIDCurrentSet(allocator, uuidData, uuidData);
174 // TouchID constraint
175 ok(touchID != NULL, "SecAccessConstraintCreateTouchID: %@", error);
176 ok(isDictionary(touchID), "SecAccessConstraintCreateTouchID");
177 ok(CFDictionaryGetValue(touchID, CFSTR(kACMKeyAclConstraintBio)), "SecAccessConstraintCreateTouchID");
178 CFDictionaryRef bioRef = CFDictionaryGetValue(touchID, CFSTR(kACMKeyAclConstraintBio));
179 ok(isDictionary(bioRef), "SecAccessConstraintCreateTouchID");
180 is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioCatacombUUID)), uuidData, "SecAccessConstraintCreateTouchID");
181 is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioDatabaseHash)), uuidData, "SecAccessConstraintCreateTouchID");
182 CFReleaseNull(error);
183 CFReleaseNull(touchID);
184 CFReleaseNull(uuidData);
185 CFReleaseNull(uuidString);
186 CFReleaseNull(uuid);
187
188 uuid = CFUUIDCreate(allocator);
189 uuidString = CFUUIDCreateString(allocator, uuid);
190 uuidData = CFStringCreateExternalRepresentation(allocator, uuidString, kCFStringEncodingUTF8, 0);
191 touchID = SecAccessConstraintCreateTouchIDAny(allocator, uuidData);
192 // TouchID constraint
193 ok(touchID != NULL, "SecAccessConstraintCreateTouchID: %@", error);
194 ok(isDictionary(touchID), "SecAccessConstraintCreateTouchID");
195 ok(CFDictionaryGetValue(touchID, CFSTR(kACMKeyAclConstraintBio)), "SecAccessConstraintCreateTouchID");
196 bioRef = CFDictionaryGetValue(touchID, CFSTR(kACMKeyAclConstraintBio));
197 ok(isDictionary(bioRef), "SecAccessConstraintCreateTouchID");
198 is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioCatacombUUID)), uuidData, "SecAccessConstraintCreateTouchID");
199 CFReleaseNull(error);
200 // CFReleaseNull(touchID); touchID will be used in later tests
201 CFReleaseNull(uuidData);
202 CFReleaseNull(uuidString);
203 CFReleaseNull(uuid);
204
205 // KofN constraint
206 CFTypeRef constraints_array[] = { passcode, touchID };
207 CFArrayRef constraintsArray = CFArrayCreate(allocator, constraints_array, array_size(constraints_array), &kCFTypeArrayCallBacks);
208 SecAccessConstraintRef kofn = SecAccessConstraintCreateKofN(allocator, 1, constraintsArray, &error);
209 ok(kofn != NULL, "SecAccessConstraintCreateKofN: %@", error);
210 ok(isDictionary(kofn), "SecAccessConstraintCreateKofN");
211 CFTypeRef kofnConstraint = CFDictionaryGetValue(kofn, CFSTR(kACMKeyAclConstraintKofN));
212 ok(kofnConstraint != NULL && isDictionary(kofnConstraint), "SecAccessConstraintCreateKofN");
213 CFNumberRef required = CFNumberCreateWithCFIndex(allocator, 1);
214 is(CFDictionaryGetValue(kofnConstraint, CFSTR(kACMKeyAclParamKofN)), required, "SecAccessConstraintCreateKofN");
215 ok(CFDictionaryGetValue(kofnConstraint, CFSTR(kACMKeyAclConstraintBio)), "SecAccessConstraintCreateKofN");
216 is(CFDictionaryGetValue(kofnConstraint, CFSTR(kACMKeyAclConstraintUserPasscode)), kCFBooleanTrue, "SecAccessConstraintCreateKofN");
217 CFReleaseNull(error);
218 CFReleaseNull(kofn);
219 CFReleaseNull(required);
220 CFReleaseNull(constraintsArray);
221 CFReleaseNull(passcode);
222
223 // Add ACL constraint for operation
224 result = SecAccessControlAddConstraintForOperation(acl, kAKSKeyOpDecrypt, touchID, &error);
225 ok(result, "SecAccessControlAddConstraintForOperation: %@", error);
226 CFReleaseNull(error);
227
228 // Get ACL operation constraint
229 SecAccessConstraintRef constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt);
230 is(constraint, touchID, "SecAccessControlGetConstraint");
231 CFReleaseNull(touchID);
232
233 // Add ACL constraint for operation (kCFBooleanTrue)
234 result = SecAccessControlAddConstraintForOperation(acl, kAKSKeyOpDecrypt, kCFBooleanTrue, &error);
235 ok(result, "SecAccessControlAddConstraintForOperation: %@", error);
236 CFReleaseNull(error);
237
238 // Get ACL operation constraint (kCFBooleanTrue)
239 constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt);
240 is(constraint, kCFBooleanTrue, "SecAccessControlGetConstraint");
241
242 // Get ACL constraints
243 CFDictionaryRef constraints = SecAccessControlGetConstraints(acl);
244 ok(constraints != NULL && isDictionary(constraints), "SecAccessControlGetConstraints");
245 // Get ACL constraints
246 is(CFDictionaryGetValue(constraints, kAKSKeyOpDecrypt), kCFBooleanTrue, "SecAccessControlGetConstraints");
247
248 // ACL export and import
249 CFDataRef aclData = SecAccessControlCopyData(acl);
250 ok(aclData != NULL, "SecAccessControlCopyData");
251 SecAccessControlRef aclCopy = SecAccessControlCreateFromData(allocator, aclData, &error);
252 ok(aclCopy != NULL, "SecAccessControlCopyData: %@", error);
253 ok(CFEqual(aclCopy, acl), "SecAccessControlCopyData");
254 CFReleaseNull(error);
255 CFReleaseNull(aclCopy);
256 CFReleaseNull(aclData);
257
258 // Extended SPI tests:
259
260 // kAKSKeyDefaultOpAcl
261 result = SecAccessControlAddConstraintForOperation(acl, kAKSKeyOpDefaultAcl, kCFBooleanTrue, &error);
262 ok(result, "SecAccessControlAddConstraintForOperation: %@", error);
263 constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt);
264 is(constraint, kCFBooleanTrue, "SecAccessControlRemoveConstraintForOperation");
265 CFReleaseNull(error);
266
267 CFReleaseNull(acl);
268
269 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE
270 // AKS consistency test:
271
272 acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlUserPresence, &error);
273 ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error);
274 CFReleaseNull(error);
275
276 SKIP: {
277 skip("SecAccessControlCreateWithFlags failed", 7, acl != NULL);
278
279 CFDataRef acm_context = NULL;
280 CFTypeRef auth_handle = NULL;
281
282 auth_handle = LACreateNewContextWithACMContext(NULL, &error);
283 ok(auth_handle != NULL, "LACreateNewContextWithACMContext: %@", error);
284 CFReleaseNull(error);
285
286 SKIP: {
287 skip("LACreateNewContextWithACMContext failed", 6, auth_handle != NULL);
288
289 acm_context = LACopyACMContext(auth_handle, &error);
290 ok(acm_context != NULL, "LACopyACMContext: %@", error);
291 CFReleaseNull(error);
292
293 CFReleaseNull(auth_handle);
294
295 SKIP: {
296 skip("LACopyACMContext failed", 5, acm_context != NULL);
297
298 ok(aks_consistency_test(true, kAKSReturnPolicyError, acl, acm_context), "AKS consistency negative test (current auth_data format)");
299 ok(aks_consistency_test(false, kAKSReturnPolicyError, acl, acm_context), "AKS consistency negative test (old auth_data format)");
300
301 bool decrypt_enabled = false;
302 CFDictionaryRef constraints = SecAccessControlGetConstraints(acl);
303 if (constraints) {
304 CFMutableDictionaryRef new_constraints = CFDictionaryCreateMutableCopy(NULL, 0, constraints);
305 if (new_constraints) {
306 CFDictionarySetValue(new_constraints, kAKSKeyOpDecrypt, kCFBooleanTrue);
307 SecAccessControlSetConstraints(acl, new_constraints);
308 CFReleaseSafe(new_constraints);
309 decrypt_enabled = true;
310 }
311 }
312 ok(decrypt_enabled, "Cannot enable decrypt operation for AKS consistency positive tests");
313
314 ok(aks_consistency_test(true, kAKSReturnSuccess, acl, acm_context), "AKS consistency positive test (current auth_data format)");
315 ok(aks_consistency_test(false, kAKSReturnSuccess, acl, acm_context), "AKS consistency positive test (old auth_data format)");
316
317 CFReleaseNull(acm_context);
318 }
319 }
320
321 CFReleaseNull(acl);
322 }
323 #endif
324
325 // kSecAccessControlPrivateKeyUsage
326 acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, protection, kSecAccessControlPrivateKeyUsage | kSecAccessControlDevicePasscode, NULL);
327 ok(acl, "kSecAccessControlPrivateKeyUsage ACL create with constraint");
328 ok(!SecAccessControlGetConstraint(acl, kAKSKeyOpEncrypt), "kAKSKeyOpEncrypt constraint");
329 ok(!SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt), "kAKSKeyOpDecrypt constraint");
330 ok(constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDelete), "kAKSKeyOpDelete constraint");
331 is(constraint, kCFBooleanTrue, "kAKSKeyOpDelete constraint value");
332 ok(constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpSign), "kAKSKeyOpSign constraint");
333 ok(constraint && isDictionary(constraint), "kAKSKeyOpSign constraint value");
334 CFReleaseNull(acl);
335
336 acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, protection, kSecAccessControlPrivateKeyUsage, NULL);
337 ok(acl, "kSecAccessControlPrivateKeyUsage ACL create without constraint");
338 ok(!SecAccessControlGetConstraint(acl, kAKSKeyOpEncrypt), "kAKSKeyOpEncrypt constraint");
339 ok(!SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt), "kAKSKeyOpDecrypt constraint");
340 ok(constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDelete), "kAKSKeyOpDelete constraint");
341 is(constraint, kCFBooleanTrue, "kAKSKeyOpDelete constraint value");
342 ok(constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpSign), "kAKSKeyOpSign constraint");
343 is(constraint, kCFBooleanTrue, "kAKSKeyOpSign constraint value");
344 CFReleaseNull(acl);
345 }
346
347 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE
348
349 static bool aks_consistency_test(bool currentAuthDataFormat, kern_return_t expectedAksResult, SecAccessControlRef access_control, CFDataRef acm_context)
350 {
351 bool result = false;
352
353 const uint32_t bulkKeySize = 32;
354 const uint32_t maxKeyWrapOverHead = 8 + 32;
355 uint8_t bulkKey[bulkKeySize];
356 CFMutableDataRef bulkKeyWrapped = CFDataCreateMutable(NULL, 0);
357 CFDataSetLength(bulkKeyWrapped, bulkKeySize + maxKeyWrapOverHead);
358 CFMutableDataRef bulkKeyUnwrapped = CFDataCreateMutable(NULL, 0);
359 CFDataSetLength(bulkKeyUnwrapped, bulkKeySize);
360
361 CFDataRef auth_data = NULL;
362 CFMutableDictionaryRef auth_attribs = NULL;
363
364 require_noerr_string(SecRandomCopyBytes(kSecRandomDefault, bulkKeySize, bulkKey), out, "SecRandomCopyBytes failed");
365
366 auth_attribs = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
367 if (currentAuthDataFormat) {
368 auth_data = kc_create_auth_data(access_control, auth_attribs);
369 }
370 else {
371 auth_data = kc_copy_constraints_data(access_control, auth_attribs);
372 }
373
374 require_string(aks_crypt_acl(kAKSKeyOpEncrypt, KEYBAG_DEVICE, key_class_dk, bulkKeySize, bulkKey, bulkKeyWrapped,
375 auth_data, acm_context, NULL) == kAKSReturnSuccess, out, "kAKSKeyOpEncrypt failed");
376
377 uint32_t blobLenWrapped = (uint32_t)CFDataGetLength(bulkKeyWrapped);
378 const uint8_t *cursor = CFDataGetBytePtr(bulkKeyWrapped);
379
380 require_string(aks_crypt_acl(kAKSKeyOpDecrypt, KEYBAG_DEVICE, key_class_dk, blobLenWrapped, cursor, bulkKeyUnwrapped,
381 auth_data, acm_context, NULL) == expectedAksResult, out, "kAKSKeyOpDecrypt finished with unexpected result");
382
383 result = true;
384
385 out:
386 CFReleaseSafe(bulkKeyUnwrapped);
387 CFReleaseSafe(bulkKeyWrapped);
388 CFReleaseSafe(auth_data);
389 CFReleaseSafe(auth_attribs);
390
391 return result;
392 }
393
394 static bool merge_der_in_to_data(const void *der1, size_t der1_len, const void *der2, size_t der2_len, CFMutableDataRef mergedData)
395 {
396 bool result = false;
397 CFPropertyListRef dict1 = NULL;
398 CFPropertyListRef dict2 = NULL;
399
400 der_decode_plist(NULL, kCFPropertyListImmutable, &dict1, NULL, der1, der1 + der1_len);
401 der_decode_plist(NULL, kCFPropertyListImmutable, &dict2, NULL, der2, der2 + der2_len);
402 if (dict1 && dict2) {
403 CFMutableDictionaryRef result_dict = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, dict1);
404 CFDictionaryForEach(dict2, ^(const void *key, const void *value) {
405 CFDictionaryAddValue(result_dict, key, value);
406 });
407
408 CFDataSetLength(mergedData, 0);
409 CFDataRef der_data = CFPropertyListCreateDERData(kCFAllocatorDefault, result_dict, NULL);
410 if (der_data) {
411 CFDataAppend(mergedData, der_data);
412 CFRelease(der_data);
413 result = CFDataGetLength(mergedData) > 0;
414 }
415 CFRelease(result_dict);
416 }
417
418 CFReleaseSafe(dict1);
419 CFReleaseSafe(dict2);
420 return result;
421 }
422
423 static int aks_crypt_acl(CFTypeRef operation, keybag_handle_t keybag,
424 keyclass_t keyclass, uint32_t textLength, const uint8_t *source,
425 CFMutableDataRef dest, CFDataRef auth_data, CFDataRef acm_context, CFDataRef caller_access_groups)
426 {
427 int aks_return = kAKSReturnSuccess;
428 void *params = NULL, *der = NULL;
429 const uint8_t *access_groups = caller_access_groups?CFDataGetBytePtr(caller_access_groups):NULL;
430 size_t params_len = 0, der_len = 0, access_groups_len = caller_access_groups?CFDataGetLength(caller_access_groups):0;
431 aks_ref_key_t key_handle = NULL;
432
433 if (CFEqual(operation, kAKSKeyOpEncrypt)) {
434 aks_operation_optional_params(0, 0, CFDataGetBytePtr(auth_data), CFDataGetLength(auth_data),
435 CFDataGetBytePtr(acm_context), (int)CFDataGetLength(acm_context), &params, &params_len);
436
437 require_noerr_quiet(aks_return = aks_ref_key_create(keybag, keyclass, key_type_sym, params, params_len, &key_handle), out);
438 require_noerr_quiet(aks_return = aks_ref_key_encrypt(key_handle, params, params_len, source, textLength, &der, &der_len), out);
439 size_t key_blob_len;
440 const void *key_blob = aks_ref_key_get_blob(key_handle, &key_blob_len);
441 require_action_string(key_blob, out, aks_return = kAKSReturnError, "aks_ref_key_get_blob failed");
442 require_action_string(merge_der_in_to_data(der, der_len, key_blob, key_blob_len, dest), out, aks_return = kAKSReturnError, "merge_der_in_to_data failed");
443
444 } else if (CFEqual(operation, kAKSKeyOpDecrypt)) {
445 aks_operation_optional_params(access_groups, access_groups_len, 0, 0,
446 CFDataGetBytePtr(acm_context), (int)CFDataGetLength(acm_context), (void**)&params, &params_len);
447 require_noerr_quiet(aks_return = aks_ref_key_create_with_blob(keybag, source, textLength, &key_handle), out);
448 require_noerr_quiet(aks_return = aks_ref_key_decrypt(key_handle, params, params_len, source, textLength, &der, &der_len), out);
449 require_action_string(der, out, aks_return = kAKSReturnError, "aks_ref_key_decrypt failed");
450
451 CFPropertyListRef decoded_data = NULL;
452 der_decode_plist(kCFAllocatorDefault, kCFPropertyListImmutable, &decoded_data, NULL, der, der + der_len);
453 require_action_string(decoded_data, out, aks_return = kAKSReturnError, "der_decode_plist failed");
454 if (CFGetTypeID(decoded_data) == CFDataGetTypeID()) {
455 CFDataSetLength(dest, 0);
456 CFDataAppend(dest, decoded_data);
457 CFRelease(decoded_data);
458 }
459 else {
460 CFRelease(decoded_data);
461 require_action_string(false, out, aks_return = kAKSReturnError, "wrong decoded data type");
462 }
463 }
464
465 out:
466 if (key_handle) {
467 aks_ref_key_free(&key_handle);
468 }
469 if (params) {
470 free(params);
471 }
472 if (der) {
473 free(der);
474 }
475 return aks_return;
476 }
477
478 static CFDataRef kc_create_auth_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes)
479 {
480 CFDictionaryRef constraints = SecAccessControlGetConstraints(access_control);
481 CFMutableDictionaryRef auth_data = CFDictionaryCreateMutableCopy(NULL, 0, auth_attributes);
482 CFDictionarySetValue(auth_data, kAKSKeyAcl, constraints);
483 CFDataRef encoded = CFPropertyListCreateDERData(kCFAllocatorDefault, auth_data, NULL);
484 CFReleaseSafe(auth_data);
485 return encoded;
486 }
487
488 static CFDataRef kc_copy_constraints_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes)
489 {
490 CFDictionaryRef constraints = SecAccessControlGetConstraints(access_control);
491 CFMutableDictionaryRef auth_data = CFDictionaryCreateMutableCopy(NULL, 0, constraints);
492 if (auth_attributes) {
493 CFDictionaryForEach(auth_attributes, ^(const void *key, const void *value) {
494 CFDictionaryAddValue(auth_data, key, value);
495 });
496 }
497
498 CFDataRef encoded = CFPropertyListCreateDERData(kCFAllocatorDefault, auth_data, NULL);
499 CFReleaseSafe(auth_data);
500 return encoded;
501 }
502
503 #endif
504
505 int si_77_SecAccessControl(int argc, char *const *argv)
506 {
507 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE
508 plan_tests(71);
509 #else
510 plan_tests(63);
511 #endif
512
513 tests();
514
515 return 0;
516 }
mirror of Security