2 * Copyright (c) 2000-2001,2004,2006-2008 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 // localkey - Key objects that store a local CSSM key object
31 #include <security_cdsa_utilities/acl_any.h>
32 #include <security_utilities/cfmunge.h>
33 #include <security_utilities/logging.h>
37 // Create a Key from an explicit CssmKey.
39 LocalKey::LocalKey(Database
&db
, const CssmKey
&newKey
, CSSM_KEYATTR_FLAGS moreAttributes
)
40 : Key(db
), mDigest(Server::csp().allocator())
43 setup(newKey
, moreAttributes
);
44 secinfo("SSkey", "%p (handle %#x) created from key alg=%u use=0x%x attr=0x%x db=%p",
45 this, handle(), mKey
.header().algorithm(), mKey
.header().usage(), mAttributes
, &db
);
49 LocalKey::LocalKey(Database
&db
, CSSM_KEYATTR_FLAGS attributes
)
50 : Key(db
), mValidKey(false), mAttributes(attributes
), mDigest(Server::csp().allocator())
56 // Set up the CssmKey part of this Key according to instructions.
void LocalKey::setup(const CssmKey &newKey, CSSM_KEYATTR_FLAGS moreAttributes)
{
	// Build the CSP client key object for this key, then overwrite that
	// object's header with the header of the key we were handed.
	mKey = CssmClient::Key(Server::csp(), newKey, false);
	CssmKey::Header &keyHeader = mKey->header();
	keyHeader = newKey.header();

	// Attribute word kept in mAttributes: the header's attributes with the
	// forcedAttributes bits masked out, plus the caller's extra bits.
	mAttributes = moreAttributes | (keyHeader.attributes() & ~forcedAttributes);

	// Apply initial values of the derived attributes (these are all in
	// managedAttributes): NEVER_EXTRACTABLE is set when EXTRACTABLE is clear,
	// ALWAYS_SENSITIVE is set when SENSITIVE is set.
	const bool extractable = (mAttributes & CSSM_KEYATTR_EXTRACTABLE) != 0;
	if (!extractable) {
		mAttributes |= CSSM_KEYATTR_NEVER_EXTRACTABLE;
	}
	const bool sensitive = (mAttributes & CSSM_KEYATTR_SENSITIVE) != 0;
	if (sensitive) {
		mAttributes |= CSSM_KEYATTR_ALWAYS_SENSITIVE;
	}

	// Verify internal/external attribute separation: within the managed bits,
	// the stored header must carry exactly the forced bits.
	// NOTE(review): this is enforced by assert only. If assert is the standard
	// macro it compiles away under NDEBUG, so a release build would accept a
	// header that violates the separation -- confirm callers guarantee it.
	assert((keyHeader.attributes() & managedAttributes) == forcedAttributes);
}
80 secinfo("SSkey", "%p destroyed", this);
void LocalKey::setOwner(const AclEntryPrototype *owner)
{
	// Establish the initial ACL. An owner whose subject list is empty
	// (null-list) is treated like a NULL owner, for resilience's sake.
	// NOTE(review): the default owner is an AnyAclSubject, which presumably
	// matches any caller -- confirm that callers passing no owner intend a
	// permissive owner ACL.
	const bool ownerSpecified = owner != NULL && !owner->subject().empty();
	if (ownerSpecified) {
		acl().cssmSetInitial(*owner);				// specified
	} else {
		acl().cssmSetInitial(new AnyAclSubject());	// defaulted
	}

	if (database().dbVersion() >= CommonBlob::version_partition) {
		// Put the payload into an AclEntry tagged as CSSM_APPLE_ACL_TAG_PARTITION_ID,
		// unless the client has the "converter" entitlement as attested by Apple.
		// Both conditions must hold to skip the partition ID: the process must be
		// Apple-signed AND carry migrationEntitlement; the entitlement is only
		// consulted once the signature check has passed.
		const bool trustedConverter =
			process().checkAppleSigned() && process().hasEntitlement(migrationEntitlement);
		if (!trustedConverter) {
			acl().createClientPartitionID(process());
		}
	}
}
// Return the object this key refers to, typed as a LocalDatabase.
// NOTE(review): presumably this is the Database handed to the constructor;
// what referent<>() does on a type mismatch is not visible here -- confirm.
LocalDatabase &LocalKey::database() const
{
	LocalDatabase &owningDb = referent<LocalDatabase>();
	return owningDb;
}
108 // Retrieve the actual CssmKey value for the key object.
109 // This will decode its blob if needed (and appropriate).
111 CssmClient::Key
LocalKey::keyValue()
113 StLock
<Mutex
> _(*this);
123 // Return external key attributes
125 CSSM_KEYATTR_FLAGS
LocalKey::attributes()
132 // Return a key's handle and header in external form
134 void LocalKey::returnKey(U32HandleObject::Handle
&h
, CssmKey::Header
&hdr
)
136 StLock
<Mutex
> _(*this);
141 // obtain the key header, from the valid key or the blob if no valid key
148 // adjust for external attributes
149 hdr
.clearAttribute(forcedAttributes
);
150 hdr
.setAttribute(mAttributes
);
155 // Generate the canonical key digest.
156 // This is defined by a CSP feature that we invoke here.
158 const CssmData
&LocalKey::canonicalDigest()
160 StLock
<Mutex
> _(*this);
162 CssmClient::PassThrough
ctx(Server::csp());
164 CssmData
*digest
= NULL
;
165 ctx(CSSM_APPLECSP_KEYDIGEST
, (const void *)NULL
, &digest
);
167 mDigest
.set(*digest
); // takes ownership of digest data
168 Server::csp().allocator().free(digest
); // the CssmData itself
170 return mDigest
.get();
175 // Default getKey/getHeader calls - should never be called
177 void LocalKey::getKey()
182 void LocalKey::getHeader(CssmKey::Header
&)
189 // Form a KeySpec with checking and masking
// Build a KeySpec from caller-supplied usage and attribute flags.
// Masking: every managedAttributes bit is stripped from the request and the
// forcedAttributes bits are set before the base class sees the value.
// Checking: a request that contains any generatedAttributes bit is rejected
// with CSSMERR_CSP_INVALID_KEYATTR_MASK.
LocalKey::KeySpec::KeySpec(CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attrs)
	: CssmClient::KeySpec(usage, forcedAttributes | (attrs & ~managedAttributes))
{
	// The check runs on the caller's original mask, not the masked one.
	const bool requestsGenerated = (attrs & generatedAttributes) != 0;
	if (requestsGenerated) {
		CssmError::throwMe(CSSMERR_CSP_INVALID_KEYATTR_MASK);
	}
}
// Labelled variant: same masking and checking as the two-argument form, with
// the label handed through to the base class unchanged.
// A request that contains any generatedAttributes bit is rejected with
// CSSMERR_CSP_INVALID_KEYATTR_MASK.
LocalKey::KeySpec::KeySpec(CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attrs, const CssmData &label)
	: CssmClient::KeySpec(usage, forcedAttributes | (attrs & ~managedAttributes), label)
{
	// The check runs on the caller's original mask, not the masked one.
	const bool requestsGenerated = (attrs & generatedAttributes) != 0;
	if (requestsGenerated) {
		CssmError::throwMe(CSSMERR_CSP_INVALID_KEYATTR_MASK);
	}
}