]> git.saurik.com Git - apple/security.git/blob - securityd/src/tokendatabase.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-59754.80.3.tar.gz
[apple/security.git] / securityd / src / tokendatabase.h
1 /*
2 * Copyright (c) 2000-2008,2013 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 //
26 // tokendatabase - software database container implementation.
27 //
28 // A TokenDatabase represents access to an external (secure) storage container
29 // of some kind (usually a smartcard token).
30 //
31 #ifndef _H_TOKENDATABASE
32 #define _H_TOKENDATABASE
33
34 #include "database.h"
35 #include "tokenacl.h"
36 #include "session.h"
37 #include "token.h"
38 #include <security_utilities/adornments.h>
39
40 class TokenDatabase;
41 class TokenDbCommon;
42 class TokenKey;
43 class TokenDaemon;
44
45
46 //
47 // The global per-system object for a TokenDatabase (the TokenDbGlobal so to
48 // speak) is the Token object itself (from token.h).
49 //
50
51
52 //
53 // TokenDatabase DbCommons
54 //
55 class TokenDbCommon : public DbCommon, public Adornable {
56 public:
57 TokenDbCommon(Session &ssn, Token &tk, const char *name);
58 ~TokenDbCommon();
59
60 Token &token() const;
61
62 uint32 subservice() const { return token().subservice(); }
63 std::string dbName() const;
64
65 // TokenDbCommons have no real version, return base
66 uint32 dbVersion() { return CommonBlob::version_MacOS_10_0; }
67
68 Adornable &store();
69 void resetAcls();
70
71 void notify(NotificationEvent event);
72
73 void lockProcessing();
74
75 typedef Token::ResetGeneration ResetGeneration;
76
77 private:
78 std::string mDbName; // name given during open
79 bool mHasAclState; // Adornment is carrying active ACL state
80 };
81
82
83 //
84 // A Database object represents a SC/CSPDL per-process access to a token.
85 //
86 class TokenDatabase : public Database {
87 friend class TokenDbCommon;
88 public:
89 TokenDatabase(uint32 ssid, Process &proc, const char *name, const AccessCredentials *cred);
90 ~TokenDatabase();
91
92 TokenDbCommon &common() const;
93 Token &token() const { return common().token(); }
94 TokenDaemon &tokend();
95 uint32 subservice() const { return common().subservice(); }
96 const char *dbName() const;
97 void dbName(const char *name);
98 bool transient() const;
99
100 SecurityServerAcl &acl(); // it's our Token
101 void getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls); // post-processing
102
103 bool isLocked();
104 bool pinState(uint32 pin, int *count = NULL);
105
106 void notify(NotificationEvent event) { return common().notify(event); }
107
108 bool validateSecret(const AclSubject *subject, const AccessCredentials *cred);
109
110 const AccessCredentials *openCreds() const { return mOpenCreds; }
111
112 protected:
113 // any Process-referent concept handle we hand out to the client
114 class Handler {
115 public:
116 Handler() : mHandle(0) { }
117 GenericHandle &tokenHandle() { return mHandle; }
118 GenericHandle tokenHandle() const { return mHandle; }
119
120 protected:
121 GenericHandle mHandle;
122 };
123
124 // CSSM-style search handles (returned by findFirst)
125 struct Search : public Database::Search, public Handler {
126 Search(TokenDatabase &db) : Database::Search(db) { }
127 TokenDatabase &database() const { return referent<TokenDatabase>(); }
128 ~Search();
129
130 Search *commit() { database().addReference(*this); return this; }
131 };
132
133 // CSSM-style record handles (returned by findFirst/findNext et al)
134 struct Record : public Database::Record, public Handler, public TokenAcl {
135 Record(TokenDatabase &db) : Database::Record(db) { }
136 TokenDatabase &database() const { return referent<TokenDatabase>(); }
137 ~Record();
138
139 Record *commit() { database().addReference(*this); return this; }
140
141 void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase = NULL)
142 { TokenAcl::validate(auth, cred, relatedDatabase ? relatedDatabase : &database()); }
143
144 // TokenAcl personality
145 AclKind aclKind() const;
146 Token &token();
147 using Handler::tokenHandle;
148 GenericHandle tokenHandle() const;
149 };
150
151 public:
152 //
153 // Cryptographic service calls
154 //
155 void queryKeySizeInBits(Key &key, CssmKeySize &result);
156 void getOutputSize(const Context &context, Key &key, uint32 inputSize, bool encrypt, uint32 &result);
157
158 // service calls
159 void generateSignature(const Context &context, Key &key, CSSM_ALGORITHMS signOnlyAlgorithm,
160 const CssmData &data, CssmData &signature);
161 void verifySignature(const Context &context, Key &key, CSSM_ALGORITHMS verifyOnlyAlgorithm,
162 const CssmData &data, const CssmData &signature);
163 void generateMac(const Context &context, Key &key,
164 const CssmData &data, CssmData &mac);
165 void verifyMac(const Context &context, Key &key,
166 const CssmData &data, const CssmData &mac);
167
168 void encrypt(const Context &context, Key &key, const CssmData &clear, CssmData &cipher);
169 void decrypt(const Context &context, Key &key, const CssmData &cipher, CssmData &clear);
170
171 void generateKey(const Context &context,
172 const AccessCredentials *cred, const AclEntryPrototype *owner,
173 uint32 usage, uint32 attrs, RefPointer<Key> &newKey);
174 void generateKey(const Context &context,
175 const AccessCredentials *cred, const AclEntryPrototype *owner,
176 uint32 pubUsage, uint32 pubAttrs, uint32 privUsage, uint32 privAttrs,
177 RefPointer<Key> &publicKey, RefPointer<Key> &privateKey);
178 void deriveKey(const Context &context, Key *key,
179 const AccessCredentials *cred, const AclEntryPrototype *owner,
180 CssmData *param, uint32 usage, uint32 attrs, RefPointer<Key> &derivedKey);
181
182 void wrapKey(const Context &context, const AccessCredentials *cred,
183 Key *hWrappingKey, Key &keyToBeWrapped,
184 const CssmData &descriptiveData, CssmKey &wrappedKey);
185 void unwrapKey(const Context &context,
186 const AccessCredentials *cred, const AclEntryPrototype *owner,
187 Key *wrappingKey, Key *publicKey, CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attrs,
188 const CssmKey wrappedKey, RefPointer<Key> &unwrappedKey, CssmData &descriptiveData);
189
190 public:
191 //
192 // Data-access calls
193 //
194 void findFirst(const CssmQuery &query,
195 CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
196 CssmData *data, RefPointer<Key> &key,
197 RefPointer<Database::Search> &search, RefPointer<Database::Record> &record,
198 CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength);
199 void findNext(Database::Search *search,
200 CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
201 CssmData *data, RefPointer<Key> &key, RefPointer<Database::Record> &record,
202 CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength);
203 void findRecordHandle(Database::Record *record,
204 CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
205 CssmData *data, RefPointer<Key> &key,
206 CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength);
207 void tokenInsertRecord(CSSM_DB_RECORDTYPE recordtype,
208 const CssmDbRecordAttributeData *attributes, mach_msg_type_number_t inAttributesLength,
209 const CssmData &data, RefPointer<Database::Record> &record);
210 void modifyRecord(CSSM_DB_RECORDTYPE recordtype, Database::Record *record,
211 const CssmDbRecordAttributeData *attributes, mach_msg_type_number_t inAttributesLength,
212 const CssmData *data, CSSM_DB_MODIFY_MODE modifyMode);
213 void deleteRecord(Database::Record *record);
214
215 // authenticate to database
216 void authenticate(CSSM_DB_ACCESS_TYPE mode, const AccessCredentials *cred);
217
218 private:
219 // internal utilities
220 RefPointer<Key> makeKey(KeyHandle hKey, const CssmKey *key,
221 uint32 moreAttributes, const AclEntryPrototype *owner);
222
223 class InputKey {
224 public:
225 InputKey(Key *key) { setup(key); }
226 InputKey(Key &key) { setup(&key); }
227 ~InputKey();
228
229 operator KeyHandle () const { return mKeyHandle; }
230 operator const CssmKey * () const { return mKeyPtr; }
231
232 private:
233 KeyHandle mKeyHandle;
234 CssmKey mKey;
235 CssmKey *mKeyPtr;
236
237 void setup(Key *key);
238 };
239
240 private:
241 AccessCredentials *mOpenCreds; // credentials passed during open
242 mutable std::string mDbName; // stored name for method dbName() which need to call c_str on object outside function scope
243 };
244
245
246 #endif //_H_TOKENDATABASE
mirror of Security