keychain/escrowrequest/operations/EscrowRequestInformCloudServicesOperation.m

   1
   2 #import <CloudServices/SecureBackup.h>
   3
   4 #import "utilities/debugging.h"
   5 #import "keychain/ckks/CKKSLockStateTracker.h"
   6
   7 #import "keychain/escrowrequest/EscrowRequestController.h"
   8 #import "keychain/escrowrequest/operations/EscrowRequestInformCloudServicesOperation.h"
   9 #import "keychain/escrowrequest/generated_source/SecEscrowPendingRecord.h"
  10 #import "keychain/escrowrequest/SecEscrowPendingRecord+KeychainSupport.h"
  11
  12 @interface EscrowRequestInformCloudServicesOperation()
  13 @property CKKSLockStateTracker* lockStateTracker;
  14 @end
  15
  16 @implementation EscrowRequestInformCloudServicesOperation
  17 @synthesize nextState = _nextState;
  18 @synthesize intendedState = _intendedState;
  19
  20 - (instancetype)initWithIntendedState:(OctagonState*)intendedState
  21                            errorState:(OctagonState*)errorState
  22                      lockStateTracker:(CKKSLockStateTracker*)lockStateTracker
  23 {
  24     if((self = [super init])) {
  25         _intendedState = intendedState;
  26         _nextState = errorState;
  27         _lockStateTracker = lockStateTracker;
  28     }
  29     return self;
  30 }
  31
  32 - (void)main
  33 {
  34     secnotice("escrowrequest", "Telling CloudServices about any pending requests");
  35
  36     NSError* error = nil;
  37     NSArray<SecEscrowPendingRecord*>* records = [SecEscrowPendingRecord loadAllFromKeychain:&error];
  38     if(error && !([error.domain isEqualToString:NSOSStatusErrorDomain] && error.code == errSecItemNotFound)) {
  39         secnotice("escrowrequest", "failed to fetch records from keychain: %@", error);
  40         if([self.lockStateTracker isLockedError:error]) {
  41             secnotice("escrowrequest", "Trying again after unlock");
  42             self.nextState = EscrowRequestStateWaitForUnlock;
  43         } else {
  44             self.nextState = EscrowRequestStateNothingToDo;
  45         }
  46         self.error = error;
  47         return;
  48     }
  49     error = nil;
  50
  51     SecEscrowPendingRecord* record = nil;
  52
  53     for(SecEscrowPendingRecord* existingRecord in records) {
  54         if(!existingRecord.hasCertCached) {
  55             record = existingRecord;
  56             break;
  57         }
  58     }
  59
  60     if(!record) {
  61         secnotice("escrowrequest", "No pending escrow request needs a certificate");
  62         self.nextState = EscrowRequestStateNothingToDo;
  63         return;
  64     }
  65
  66     // Next, see if CloudServices can cache a certificate
  67     NSData* cachedCert = [EscrowRequestInformCloudServicesOperation triggerCloudServicesPasscodeRequest:record.uuid error:&error];
  68     record.lastCloudServicesTriggerTime = (uint64_t) ([[NSDate date] timeIntervalSince1970] * 1000);
  69
  70     if(!cachedCert || error) {
  71         secerror("escrowrequest: cloudservices reports an issue caching the certificate, so we'll have to try again later: %@", error);
  72         self.error = error;
  73         // TODO: wait for network?
  74         self.nextState = EscrowRequestStateNothingToDo;
  75
  76         NSError* saveCacheTimeError = nil;
  77         [record saveToKeychain:&saveCacheTimeError];
  78         if(saveCacheTimeError) {
  79             secerror("escrowrequest: unable to save the last attempt time: %@", saveCacheTimeError);
  80         }
  81
  82         return;
  83     }
  84
  85     record.certCached = true;
  86     [record saveToKeychain:&error];
  87
  88     if(error) {
  89         // Ignore this error, since we've successfully triggered the update. We'll probably re-cache the certificate later, but that's okay.
  90         secerror("escrowrequest: unable to save escrow update request certificate status, so we'll have to try again later: %@", error);
  91         self.error = error;
  92
  93         if([self.lockStateTracker isLockedError:error]) {
  94             secnotice("escrowrequest", "Trying again after unlock");
  95             self.nextState = EscrowRequestStateWaitForUnlock;
  96         } else {
  97             self.nextState = EscrowRequestStateNothingToDo;
  98         }
  99
 100         return;
 101     }
 102
 103     secnotice("escrowrequest", "CloudService successfully cached a certificate; request is ready for passcode");
 104     self.nextState = EscrowRequestStateNothingToDo;
 105 }
 106
 107 // Separated into a class method for mocking
 108 // Returns any cert that CS has cached
 109 + (NSData* _Nullable)triggerCloudServicesPasscodeRequest:(NSString*)uuid error:(NSError**)error
 110 {
 111     SecureBackup* sb = [[SecureBackup alloc] init];
 112
 113     NSError* localError = nil;
 114     SecureBackupBeginPasscodeRequestResults* results = [sb beginHSA2PasscodeRequest:true
 115                                                                                uuid:uuid
 116                                                                               error:error];
 117
 118     if(!results || localError) {
 119         secerror("escrowrequest: unable to begin passcode request: %@", localError);
 120         if(error) {
 121             *error = localError;
 122         }
 123         return nil;
 124     }
 125
 126     if(!results.cert) {
 127         secerror("escrowrequest: sbd failed to cache a certificate");
 128         // TODO fill in error
 129         return nil;
 130     }
 131
 132     return results.cert;
 133 }
 134
 135 @end