2 * Copyright (c) 2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 #include <Security/SecItem.h>
26 #include <Security/SecItemPriv.h>
27 #include <Security/SecAccessControl.h>
28 #include <Security/SecAccessControlPriv.h>
29 #include <Security/SecInternal.h>
30 #include <utilities/SecCFWrappers.h>
31 #include <utilities/SecAKSWrappers.h>
32 #include <utilities/array_size.h>
33 #include <utilities/der_plist.h>
34 #include <libaks_acl_cf_keys.h>
36 #include <ACMAclDefs.h>
38 #if TARGET_HAS_KEYSTORE
39 #include <Security/SecRandom.h>
40 #include <securityd/SecDbItem.h>
41 #include <coreauthd_spi.h>
42 #include <corecrypto/ccder.h>
43 #endif /* TARGET_HAS_KEYSTORE */
45 #include "Security_regressions.h"
47 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE
48 static bool aks_consistency_test(bool currentAuthDataFormat
, kern_return_t expectedAksResult
, SecAccessControlRef access_control
, CFDataRef acm_context
);
49 static CFDataRef
kc_create_auth_data(SecAccessControlRef access_control
, CFDictionaryRef auth_attributes
);
50 static CFDataRef
kc_copy_constraints_data(SecAccessControlRef access_control
, CFDictionaryRef auth_attributes
);
51 static int aks_crypt_acl(CFTypeRef operation
, keybag_handle_t keybag
,
52 keyclass_t keyclass
, uint32_t textLength
, const uint8_t *source
,
53 CFMutableDataRef dest
, CFDataRef auth_data
, CFDataRef acm_context
, CFDataRef caller_access_groups
);
56 static void tests(void)
58 CFAllocatorRef allocator
= kCFAllocatorDefault
;
59 CFTypeRef protection
= kSecAttrAccessibleAlwaysPrivate
;
60 CFErrorRef error
= NULL
;
64 // ACL with protection only
65 SecAccessControlRef acl
= SecAccessControlCreateWithFlags(allocator
, protection
, 0, &error
);
66 ok(acl
!= NULL
, "SecAccessControlCreateWithFlags: %@", error
);
70 // ACL with flags only (not allowed)
71 #pragma clang diagnostic push
72 #pragma clang diagnostic ignored "-Wnonnull"
73 // NULL passed as 'protection' newly generates a warning, we need to suppress it in order to compile
74 acl
= SecAccessControlCreateWithFlags(allocator
, NULL
, kSecAccessControlUserPresence
, &error
);
75 #pragma clang diagnostic pop
76 ok(acl
== NULL
, "SecAccessControlCreateWithFlags");
80 // ACL with protection and kSecAccessControlTouchIDCurrentSet
81 acl
= SecAccessControlCreateWithFlags(allocator
, protection
, kSecAccessControlTouchIDCurrentSet
, &error
);
82 ok(acl
!= NULL
, "SecAccessControlCreateWithFlags: %@", error
);
86 // ACL with protection and flags
87 acl
= SecAccessControlCreateWithFlags(allocator
, protection
, kSecAccessControlTouchIDAny
| kSecAccessControlDevicePasscode
| kSecAccessControlOr
, &error
);
88 ok(acl
!= NULL
, "SecAccessControlCreateWithFlags: %@", error
);
92 // ACL with protection and flags
93 acl
= SecAccessControlCreateWithFlags(allocator
, protection
, kSecAccessControlTouchIDAny
| kSecAccessControlDevicePasscode
| kSecAccessControlAnd
, &error
);
94 ok(acl
!= NULL
, "SecAccessControlCreateWithFlags: %@", error
);
98 // ACL with protection and flags
99 acl
= SecAccessControlCreateWithFlags(allocator
, protection
, kSecAccessControlTouchIDAny
| kSecAccessControlDevicePasscode
| kSecAccessControlAnd
| kSecAccessControlApplicationPassword
, &error
);
100 ok(acl
!= NULL
, "SecAccessControlCreateWithFlags: %@", error
);
101 CFReleaseNull(error
);
104 // ACL with protection and kSecAccessControlApplicationPassword
105 acl
= SecAccessControlCreateWithFlags(allocator
, protection
, kSecAccessControlApplicationPassword
, &error
);
106 ok(acl
!= NULL
, "SecAccessControlCreateWithFlags: %@", error
);
107 CFReleaseNull(error
);
110 // ACL with protection and, kSecAccessControlUserPresence can be in combination with kSecAccessControlApplicationPassword and kSecAccessControlPrivateKeyUsage
111 acl
= SecAccessControlCreateWithFlags(allocator
, protection
, kSecAccessControlUserPresence
| kSecAccessControlApplicationPassword
| kSecAccessControlPrivateKeyUsage
, &error
);
112 ok(acl
!= NULL
, "SecAccessControlCreateWithFlags: %@", error
);
113 CFReleaseNull(error
);
116 // negative test of ACL with protection and, kSecAccessControlUserPresence can be in combination with kSecAccessControlApplicationPassword and kSecAccessControlPrivateKeyUsage
117 acl
= SecAccessControlCreateWithFlags(allocator
, protection
, kSecAccessControlUserPresence
| kSecAccessControlTouchIDAny
, &error
);
118 ok(acl
== NULL
, "SecAccessControlCreateWithFlag wrong combination of flags");
119 CFReleaseNull(error
);
122 // ACL with protection and flags
123 acl
= SecAccessControlCreateWithFlags(allocator
, protection
, kSecAccessControlUserPresence
, &error
);
124 ok(acl
!= NULL
, "SecAccessControlCreateWithFlags: %@", error
);
125 CFReleaseNull(error
);
127 // Extended API tests:
130 CFTypeRef aclProtection
= SecAccessControlGetProtection(acl
);
131 is(aclProtection
, protection
, "SecAccessControlGetProtection");
133 SecAccessConstraintRef aclConstraint
= SecAccessControlGetConstraint(acl
, kAKSKeyOpDecrypt
);
135 ok(aclConstraint
!= NULL
&& isDictionary(aclConstraint
), "SecAccessControlGetConstraint");
136 eq_cf(CFDictionaryGetValue(aclConstraint
, CFSTR(kACMKeyAclConstraintPolicy
)), CFSTR(kACMPolicyDeviceOwnerAuthentication
), "SecAccessControlGetConstraint");
143 acl
= SecAccessControlCreate(allocator
, &error
);
144 ok(acl
!= NULL
, "SecAccessControlCreate: %@", error
);
145 CFReleaseNull(error
);
148 bool result
= SecAccessControlSetProtection(acl
, protection
, &error
);
149 ok(result
, "SecAccessControlSetProtection: %@", error
);
150 CFReleaseNull(error
);
152 aclProtection
= SecAccessControlGetProtection(acl
);
154 is(aclProtection
, protection
, "SecAccessControlGetProtection");
157 SecAccessConstraintRef policy
= SecAccessConstraintCreatePolicy(allocator
, CFSTR(kACMPolicyDeviceOwnerAuthentication
), &error
);
158 ok(policy
!= NULL
, "SecAccessConstraintCreatePolicy: %@", error
);
159 ok(isDictionary(policy
), "SecAccessConstraintCreatePolicy");
160 is(CFDictionaryGetValue(policy
, CFSTR(kACMKeyAclConstraintPolicy
)), CFSTR(kACMPolicyDeviceOwnerAuthentication
), "SecAccessConstraintCreatePolicy");
161 CFReleaseNull(error
);
162 CFReleaseNull(policy
);
164 // Passcode constraint
165 SecAccessConstraintRef passcode
= SecAccessConstraintCreatePasscode(allocator
);
166 ok(passcode
!= NULL
&& isDictionary(passcode
), "SecAccessConstraintCreatePasscode");
167 is(CFDictionaryGetValue(passcode
, CFSTR(kACMKeyAclConstraintUserPasscode
)), kCFBooleanTrue
, "SecAccessConstraintCreatePasscode");
168 // CFReleaseNull(passcode); passcode will be used in later tests
170 CFUUIDRef uuid
= CFUUIDCreate(allocator
);
171 CFStringRef uuidString
= CFUUIDCreateString(allocator
, uuid
);
172 CFDataRef uuidData
= CFStringCreateExternalRepresentation(allocator
, uuidString
, kCFStringEncodingUTF8
, 0);
173 SecAccessConstraintRef touchID
= SecAccessConstraintCreateTouchIDCurrentSet(allocator
, uuidData
, uuidData
);
174 // TouchID constraint
175 ok(touchID
!= NULL
, "SecAccessConstraintCreateTouchID: %@", error
);
176 ok(isDictionary(touchID
), "SecAccessConstraintCreateTouchID");
177 ok(CFDictionaryGetValue(touchID
, CFSTR(kACMKeyAclConstraintBio
)), "SecAccessConstraintCreateTouchID");
178 CFDictionaryRef bioRef
= CFDictionaryGetValue(touchID
, CFSTR(kACMKeyAclConstraintBio
));
179 ok(isDictionary(bioRef
), "SecAccessConstraintCreateTouchID");
180 is(CFDictionaryGetValue(bioRef
, CFSTR(kACMKeyAclParamBioCatacombUUID
)), uuidData
, "SecAccessConstraintCreateTouchID");
181 is(CFDictionaryGetValue(bioRef
, CFSTR(kACMKeyAclParamBioDatabaseHash
)), uuidData
, "SecAccessConstraintCreateTouchID");
182 CFReleaseNull(error
);
183 CFReleaseNull(touchID
);
184 CFReleaseNull(uuidData
);
185 CFReleaseNull(uuidString
);
188 uuid
= CFUUIDCreate(allocator
);
189 uuidString
= CFUUIDCreateString(allocator
, uuid
);
190 uuidData
= CFStringCreateExternalRepresentation(allocator
, uuidString
, kCFStringEncodingUTF8
, 0);
191 touchID
= SecAccessConstraintCreateTouchIDAny(allocator
, uuidData
);
192 // TouchID constraint
193 ok(touchID
!= NULL
, "SecAccessConstraintCreateTouchID: %@", error
);
194 ok(isDictionary(touchID
), "SecAccessConstraintCreateTouchID");
195 ok(CFDictionaryGetValue(touchID
, CFSTR(kACMKeyAclConstraintBio
)), "SecAccessConstraintCreateTouchID");
196 bioRef
= CFDictionaryGetValue(touchID
, CFSTR(kACMKeyAclConstraintBio
));
197 ok(isDictionary(bioRef
), "SecAccessConstraintCreateTouchID");
198 is(CFDictionaryGetValue(bioRef
, CFSTR(kACMKeyAclParamBioCatacombUUID
)), uuidData
, "SecAccessConstraintCreateTouchID");
199 CFReleaseNull(error
);
200 // CFReleaseNull(touchID); touchID will be used in later tests
201 CFReleaseNull(uuidData
);
202 CFReleaseNull(uuidString
);
206 CFTypeRef constraints_array
[] = { passcode
, touchID
};
207 CFArrayRef constraintsArray
= CFArrayCreate(allocator
, constraints_array
, array_size(constraints_array
), &kCFTypeArrayCallBacks
);
208 SecAccessConstraintRef kofn
= SecAccessConstraintCreateKofN(allocator
, 1, constraintsArray
, &error
);
209 ok(kofn
!= NULL
, "SecAccessConstraintCreateKofN: %@", error
);
210 ok(isDictionary(kofn
), "SecAccessConstraintCreateKofN");
211 CFTypeRef kofnConstraint
= CFDictionaryGetValue(kofn
, CFSTR(kACMKeyAclConstraintKofN
));
212 ok(kofnConstraint
!= NULL
&& isDictionary(kofnConstraint
), "SecAccessConstraintCreateKofN");
213 CFNumberRef required
= CFNumberCreateWithCFIndex(allocator
, 1);
214 is(CFDictionaryGetValue(kofnConstraint
, CFSTR(kACMKeyAclParamKofN
)), required
, "SecAccessConstraintCreateKofN");
215 ok(CFDictionaryGetValue(kofnConstraint
, CFSTR(kACMKeyAclConstraintBio
)), "SecAccessConstraintCreateKofN");
216 is(CFDictionaryGetValue(kofnConstraint
, CFSTR(kACMKeyAclConstraintUserPasscode
)), kCFBooleanTrue
, "SecAccessConstraintCreateKofN");
217 CFReleaseNull(error
);
219 CFReleaseNull(required
);
220 CFReleaseNull(constraintsArray
);
221 CFReleaseNull(passcode
);
223 // Add ACL constraint for operation
224 result
= SecAccessControlAddConstraintForOperation(acl
, kAKSKeyOpDecrypt
, touchID
, &error
);
225 ok(result
, "SecAccessControlAddConstraintForOperation: %@", error
);
226 CFReleaseNull(error
);
228 // Get ACL operation constraint
229 SecAccessConstraintRef constraint
= SecAccessControlGetConstraint(acl
, kAKSKeyOpDecrypt
);
230 is(constraint
, touchID
, "SecAccessControlGetConstraint");
231 CFReleaseNull(touchID
);
233 // Add ACL constraint for operation (kCFBooleanTrue)
234 result
= SecAccessControlAddConstraintForOperation(acl
, kAKSKeyOpDecrypt
, kCFBooleanTrue
, &error
);
235 ok(result
, "SecAccessControlAddConstraintForOperation: %@", error
);
236 CFReleaseNull(error
);
238 // Get ACL operation constraint (kCFBooleanTrue)
239 constraint
= SecAccessControlGetConstraint(acl
, kAKSKeyOpDecrypt
);
240 is(constraint
, kCFBooleanTrue
, "SecAccessControlGetConstraint");
242 // Get ACL constraints
243 CFDictionaryRef constraints
= SecAccessControlGetConstraints(acl
);
244 ok(constraints
!= NULL
&& isDictionary(constraints
), "SecAccessControlGetConstraints");
245 // Get ACL constraints
246 is(CFDictionaryGetValue(constraints
, kAKSKeyOpDecrypt
), kCFBooleanTrue
, "SecAccessControlGetConstraints");
248 // ACL export and import
249 CFDataRef aclData
= SecAccessControlCopyData(acl
);
250 ok(aclData
!= NULL
, "SecAccessControlCopyData");
251 SecAccessControlRef aclCopy
= SecAccessControlCreateFromData(allocator
, aclData
, &error
);
252 ok(aclCopy
!= NULL
, "SecAccessControlCopyData: %@", error
);
253 ok(CFEqual(aclCopy
, acl
), "SecAccessControlCopyData");
254 CFReleaseNull(error
);
255 CFReleaseNull(aclCopy
);
256 CFReleaseNull(aclData
);
258 // Extended SPI tests:
260 // kAKSKeyDefaultOpAcl
261 result
= SecAccessControlAddConstraintForOperation(acl
, kAKSKeyOpDefaultAcl
, kCFBooleanTrue
, &error
);
262 ok(result
, "SecAccessControlAddConstraintForOperation: %@", error
);
263 constraint
= SecAccessControlGetConstraint(acl
, kAKSKeyOpDecrypt
);
264 is(constraint
, kCFBooleanTrue
, "SecAccessControlRemoveConstraintForOperation");
265 CFReleaseNull(error
);
269 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE
270 // AKS consistency test:
272 acl
= SecAccessControlCreateWithFlags(allocator
, protection
, kSecAccessControlUserPresence
, &error
);
273 ok(acl
!= NULL
, "SecAccessControlCreateWithFlags: %@", error
);
274 CFReleaseNull(error
);
277 skip("SecAccessControlCreateWithFlags failed", 7, acl
!= NULL
);
279 CFDataRef acm_context
= NULL
;
280 CFTypeRef auth_handle
= NULL
;
282 auth_handle
= LACreateNewContextWithACMContext(NULL
, &error
);
283 ok(auth_handle
!= NULL
, "LACreateNewContextWithACMContext: %@", error
);
284 CFReleaseNull(error
);
287 skip("LACreateNewContextWithACMContext failed", 6, auth_handle
!= NULL
);
289 acm_context
= LACopyACMContext(auth_handle
, &error
);
290 ok(acm_context
!= NULL
, "LACopyACMContext: %@", error
);
291 CFReleaseNull(error
);
293 CFReleaseNull(auth_handle
);
296 skip("LACopyACMContext failed", 5, acm_context
!= NULL
);
298 ok(aks_consistency_test(true, kAKSReturnPolicyError
, acl
, acm_context
), "AKS consistency negative test (current auth_data format)");
299 ok(aks_consistency_test(false, kAKSReturnPolicyError
, acl
, acm_context
), "AKS consistency negative test (old auth_data format)");
301 bool decrypt_enabled
= false;
302 CFDictionaryRef constraints
= SecAccessControlGetConstraints(acl
);
304 CFMutableDictionaryRef new_constraints
= CFDictionaryCreateMutableCopy(NULL
, 0, constraints
);
305 if (new_constraints
) {
306 CFDictionarySetValue(new_constraints
, kAKSKeyOpDecrypt
, kCFBooleanTrue
);
307 SecAccessControlSetConstraints(acl
, new_constraints
);
308 CFReleaseSafe(new_constraints
);
309 decrypt_enabled
= true;
312 ok(decrypt_enabled
, "Cannot enable decrypt operation for AKS consistency positive tests");
314 ok(aks_consistency_test(true, kAKSReturnSuccess
, acl
, acm_context
), "AKS consistency positive test (current auth_data format)");
315 ok(aks_consistency_test(false, kAKSReturnSuccess
, acl
, acm_context
), "AKS consistency positive test (old auth_data format)");
317 CFReleaseNull(acm_context
);
325 // kSecAccessControlPrivateKeyUsage
326 acl
= SecAccessControlCreateWithFlags(kCFAllocatorDefault
, protection
, kSecAccessControlPrivateKeyUsage
| kSecAccessControlDevicePasscode
, NULL
);
327 ok(acl
, "kSecAccessControlPrivateKeyUsage ACL create with constraint");
328 ok(!SecAccessControlGetConstraint(acl
, kAKSKeyOpEncrypt
), "kAKSKeyOpEncrypt constraint");
329 ok(!SecAccessControlGetConstraint(acl
, kAKSKeyOpDecrypt
), "kAKSKeyOpDecrypt constraint");
330 ok(constraint
= SecAccessControlGetConstraint(acl
, kAKSKeyOpDelete
), "kAKSKeyOpDelete constraint");
331 is(constraint
, kCFBooleanTrue
, "kAKSKeyOpDelete constraint value");
332 ok(constraint
= SecAccessControlGetConstraint(acl
, kAKSKeyOpSign
), "kAKSKeyOpSign constraint");
333 ok(constraint
&& isDictionary(constraint
), "kAKSKeyOpSign constraint value");
336 acl
= SecAccessControlCreateWithFlags(kCFAllocatorDefault
, protection
, kSecAccessControlPrivateKeyUsage
, NULL
);
337 ok(acl
, "kSecAccessControlPrivateKeyUsage ACL create without constraint");
338 ok(!SecAccessControlGetConstraint(acl
, kAKSKeyOpEncrypt
), "kAKSKeyOpEncrypt constraint");
339 ok(!SecAccessControlGetConstraint(acl
, kAKSKeyOpDecrypt
), "kAKSKeyOpDecrypt constraint");
340 ok(constraint
= SecAccessControlGetConstraint(acl
, kAKSKeyOpDelete
), "kAKSKeyOpDelete constraint");
341 is(constraint
, kCFBooleanTrue
, "kAKSKeyOpDelete constraint value");
342 ok(constraint
= SecAccessControlGetConstraint(acl
, kAKSKeyOpSign
), "kAKSKeyOpSign constraint");
343 is(constraint
, kCFBooleanTrue
, "kAKSKeyOpSign constraint value");
347 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE
349 static bool aks_consistency_test(bool currentAuthDataFormat
, kern_return_t expectedAksResult
, SecAccessControlRef access_control
, CFDataRef acm_context
)
353 const uint32_t bulkKeySize
= 32;
354 const uint32_t maxKeyWrapOverHead
= 8 + 32;
355 uint8_t bulkKey
[bulkKeySize
];
356 CFMutableDataRef bulkKeyWrapped
= CFDataCreateMutable(NULL
, 0);
357 CFDataSetLength(bulkKeyWrapped
, bulkKeySize
+ maxKeyWrapOverHead
);
358 CFMutableDataRef bulkKeyUnwrapped
= CFDataCreateMutable(NULL
, 0);
359 CFDataSetLength(bulkKeyUnwrapped
, bulkKeySize
);
361 CFDataRef auth_data
= NULL
;
362 CFMutableDictionaryRef auth_attribs
= NULL
;
364 require_noerr_string(SecRandomCopyBytes(kSecRandomDefault
, bulkKeySize
, bulkKey
), out
, "SecRandomCopyBytes failed");
366 auth_attribs
= CFDictionaryCreateMutable(NULL
, 0, &kCFTypeDictionaryKeyCallBacks
, &kCFTypeDictionaryValueCallBacks
);
367 if (currentAuthDataFormat
) {
368 auth_data
= kc_create_auth_data(access_control
, auth_attribs
);
371 auth_data
= kc_copy_constraints_data(access_control
, auth_attribs
);
374 require_string(aks_crypt_acl(kAKSKeyOpEncrypt
, KEYBAG_DEVICE
, key_class_dk
, bulkKeySize
, bulkKey
, bulkKeyWrapped
,
375 auth_data
, acm_context
, NULL
) == kAKSReturnSuccess
, out
, "kAKSKeyOpEncrypt failed");
377 uint32_t blobLenWrapped
= (uint32_t)CFDataGetLength(bulkKeyWrapped
);
378 const uint8_t *cursor
= CFDataGetBytePtr(bulkKeyWrapped
);
380 require_string(aks_crypt_acl(kAKSKeyOpDecrypt
, KEYBAG_DEVICE
, key_class_dk
, blobLenWrapped
, cursor
, bulkKeyUnwrapped
,
381 auth_data
, acm_context
, NULL
) == expectedAksResult
, out
, "kAKSKeyOpDecrypt finished with unexpected result");
386 CFReleaseSafe(bulkKeyUnwrapped
);
387 CFReleaseSafe(bulkKeyWrapped
);
388 CFReleaseSafe(auth_data
);
389 CFReleaseSafe(auth_attribs
);
394 static bool merge_der_in_to_data(const void *der1
, size_t der1_len
, const void *der2
, size_t der2_len
, CFMutableDataRef mergedData
)
397 CFPropertyListRef dict1
= NULL
;
398 CFPropertyListRef dict2
= NULL
;
400 der_decode_plist(NULL
, kCFPropertyListImmutable
, &dict1
, NULL
, der1
, der1
+ der1_len
);
401 der_decode_plist(NULL
, kCFPropertyListImmutable
, &dict2
, NULL
, der2
, der2
+ der2_len
);
402 if (dict1
&& dict2
) {
403 CFMutableDictionaryRef result_dict
= CFDictionaryCreateMutableCopy(kCFAllocatorDefault
, 0, dict1
);
404 CFDictionaryForEach(dict2
, ^(const void *key
, const void *value
) {
405 CFDictionaryAddValue(result_dict
, key
, value
);
408 CFDataSetLength(mergedData
, 0);
409 CFDataRef der_data
= CFPropertyListCreateDERData(kCFAllocatorDefault
, result_dict
, NULL
);
411 CFDataAppend(mergedData
, der_data
);
413 result
= CFDataGetLength(mergedData
) > 0;
415 CFRelease(result_dict
);
418 CFReleaseSafe(dict1
);
419 CFReleaseSafe(dict2
);
423 static int aks_crypt_acl(CFTypeRef operation
, keybag_handle_t keybag
,
424 keyclass_t keyclass
, uint32_t textLength
, const uint8_t *source
,
425 CFMutableDataRef dest
, CFDataRef auth_data
, CFDataRef acm_context
, CFDataRef caller_access_groups
)
427 int aks_return
= kAKSReturnSuccess
;
428 void *params
= NULL
, *der
= NULL
;
429 const uint8_t *access_groups
= caller_access_groups
?CFDataGetBytePtr(caller_access_groups
):NULL
;
430 size_t params_len
= 0, der_len
= 0, access_groups_len
= caller_access_groups
?CFDataGetLength(caller_access_groups
):0;
431 aks_ref_key_t key_handle
= NULL
;
433 if (CFEqual(operation
, kAKSKeyOpEncrypt
)) {
434 aks_operation_optional_params(0, 0, CFDataGetBytePtr(auth_data
), CFDataGetLength(auth_data
),
435 CFDataGetBytePtr(acm_context
), (int)CFDataGetLength(acm_context
), ¶ms
, ¶ms_len
);
437 require_noerr_quiet(aks_return
= aks_ref_key_create(keybag
, keyclass
, key_type_sym
, params
, params_len
, &key_handle
), out
);
438 require_noerr_quiet(aks_return
= aks_ref_key_encrypt(key_handle
, params
, params_len
, source
, textLength
, &der
, &der_len
), out
);
440 const void *key_blob
= aks_ref_key_get_blob(key_handle
, &key_blob_len
);
441 require_action_string(key_blob
, out
, aks_return
= kAKSReturnError
, "aks_ref_key_get_blob failed");
442 require_action_string(merge_der_in_to_data(der
, der_len
, key_blob
, key_blob_len
, dest
), out
, aks_return
= kAKSReturnError
, "merge_der_in_to_data failed");
444 } else if (CFEqual(operation
, kAKSKeyOpDecrypt
)) {
445 aks_operation_optional_params(access_groups
, access_groups_len
, 0, 0,
446 CFDataGetBytePtr(acm_context
), (int)CFDataGetLength(acm_context
), (void**)¶ms
, ¶ms_len
);
447 require_noerr_quiet(aks_return
= aks_ref_key_create_with_blob(keybag
, source
, textLength
, &key_handle
), out
);
448 require_noerr_quiet(aks_return
= aks_ref_key_decrypt(key_handle
, params
, params_len
, source
, textLength
, &der
, &der_len
), out
);
449 require_action_string(der
, out
, aks_return
= kAKSReturnError
, "aks_ref_key_decrypt failed");
451 CFPropertyListRef decoded_data
= NULL
;
452 der_decode_plist(kCFAllocatorDefault
, kCFPropertyListImmutable
, &decoded_data
, NULL
, der
, der
+ der_len
);
453 require_action_string(decoded_data
, out
, aks_return
= kAKSReturnError
, "der_decode_plist failed");
454 if (CFGetTypeID(decoded_data
) == CFDataGetTypeID()) {
455 CFDataSetLength(dest
, 0);
456 CFDataAppend(dest
, decoded_data
);
457 CFRelease(decoded_data
);
460 CFRelease(decoded_data
);
461 require_action_string(false, out
, aks_return
= kAKSReturnError
, "wrong decoded data type");
467 aks_ref_key_free(&key_handle
);
478 static CFDataRef
kc_create_auth_data(SecAccessControlRef access_control
, CFDictionaryRef auth_attributes
)
480 CFDictionaryRef constraints
= SecAccessControlGetConstraints(access_control
);
481 CFMutableDictionaryRef auth_data
= CFDictionaryCreateMutableCopy(NULL
, 0, auth_attributes
);
482 CFDictionarySetValue(auth_data
, kAKSKeyAcl
, constraints
);
483 CFDataRef encoded
= CFPropertyListCreateDERData(kCFAllocatorDefault
, auth_data
, NULL
);
484 CFReleaseSafe(auth_data
);
488 static CFDataRef
kc_copy_constraints_data(SecAccessControlRef access_control
, CFDictionaryRef auth_attributes
)
490 CFDictionaryRef constraints
= SecAccessControlGetConstraints(access_control
);
491 CFMutableDictionaryRef auth_data
= CFDictionaryCreateMutableCopy(NULL
, 0, constraints
);
492 if (auth_attributes
) {
493 CFDictionaryForEach(auth_attributes
, ^(const void *key
, const void *value
) {
494 CFDictionaryAddValue(auth_data
, key
, value
);
498 CFDataRef encoded
= CFPropertyListCreateDERData(kCFAllocatorDefault
, auth_data
, NULL
);
499 CFReleaseSafe(auth_data
);
505 int si_77_SecAccessControl(int argc
, char *const *argv
)
507 #if LA_CONTEXT_IMPLEMENTED && TARGET_HAS_KEYSTORE