OSX/libsecurityd/lib/ssblob.cpp

   1 /*
   2  * Copyright (c) 2000-2004,2006,2011,2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 //
  26 // ssclient - SecurityServer client interface library
  27 //
  28 #include "ssblob.h"
  29
  30
  31 namespace Security {
  32 namespace SecurityServer {
  33
  34 uint32 CommonBlob::getCurrentVersion() {
  35     uint32 ret = version_MacOS_10_0;
  36     // If the integrity protections are turned on, use version_partition.
  37     // else, use version_MacOS_10_0.
  38     CFTypeRef integrity = (CFNumberRef)CFPreferencesCopyValue(CFSTR("KeychainIntegrity"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost);
  39     if (integrity && CFGetTypeID(integrity) == CFBooleanGetTypeID()) {
  40         bool integrityProtections = CFBooleanGetValue((CFBooleanRef)integrity);
  41
  42         if(integrityProtections) {
  43             secnotice("integrity", "creating a partition keychain; global is on");
  44             ret = version_partition;
  45         } else {
  46             secnotice("integrity", "creating a old-style keychain; global is off");
  47             ret = version_MacOS_10_0;
  48         }
  49         CFRelease(integrity);
  50     } else {
  51         secnotice("integrity", "global integrity not set, defaulting to on");
  52         ret = version_partition;
  53     }
  54
  55     return ret;
  56 }
  57
  58 uint32 CommonBlob::getCurrentVersionForDb(const char* dbName) {
  59     // Currently, the scheme is as follows:
  60     //   in ~/Library/Keychains:
  61     //     version_partition
  62     //   Elsewhere:
  63     //     version_MacOS_10_0`
  64
  65     if(pathInHomeLibraryKeychains(dbName)) {
  66         return CommonBlob::getCurrentVersion();
  67     }
  68
  69     secnotice("integrity", "outside ~/Library/Keychains/; creating a old-style keychain");
  70     return version_MacOS_10_0;
  71 }
  72
  73 bool CommonBlob::pathInHomeLibraryKeychains(const string& path) {
  74     // We need to check if this path is in Some User's ~/Library/Keychains directory.
  75     // At this level, there's no great way of discovering what's actually a
  76     // user's home directory, so instead let's look for anything under
  77     // ./Library/Keychains/ that isn't /Library/Keychains or /System/Library/Keychains.
  78
  79     string libraryKeychains = "/Library/Keychains";
  80     string systemLibraryKeychains = "/System/Library/Keychains";
  81
  82     bool inALibraryKeychains = (string::npos != path.find(libraryKeychains));
  83     bool inRootLibraryKeychains = (0 == path.find(libraryKeychains));
  84     bool inSystemLibraryKeychains = (0 == path.find(systemLibraryKeychains));
  85
  86     return (inALibraryKeychains && !inRootLibraryKeychains && !inSystemLibraryKeychains);
  87 }
  88
  89 void CommonBlob::initialize()
  90 {
  91     magic = magicNumber;
  92
  93     this->blobVersion = getCurrentVersion();
  94 }
  95
  96 //
  97 // Initialize the blob header for a given version
  98 //
  99 void CommonBlob::initialize(uint32 version)
 100 {
 101     magic = magicNumber;
 102
 103     secinfo("integrity", "creating a keychain with version %d", version);
 104     this->blobVersion = version;
 105 }
 106
 107
 108 //
 109 // Verify the blob header for basic sane-ness.
 110 //
 111 bool CommonBlob::isValid() const
 112 {
 113         return magic == magicNumber;
 114 }
 115
 116 void CommonBlob::validate(CSSM_RETURN failureCode) const
 117 {
 118     if (!isValid())
 119         CssmError::throwMe(failureCode);
 120 }
 121
 122 /*
 123  * This string is placed in KeyBlob.blobSignature to indicate a cleartext
 124  * public key.
 125  */
 126 static const char clearPubKeySig[] = "Cleartext public key";
 127
 128 bool KeyBlob::isClearText()
 129 {
 130         return (memcmp(blobSignature, clearPubKeySig,
 131                 sizeof(blobSignature)) == 0);
 132 }
 133
 134 void KeyBlob::setClearTextSignature()
 135 {
 136         memmove(blobSignature, clearPubKeySig, sizeof(blobSignature));
 137 }
 138
 139 //
 140 // Implementation of a "system keychain unlock key store"
 141 //
 142 SystemKeychainKey::SystemKeychainKey(const char *path)
 143 : mPath(path), mValid(false)
 144 {
 145     // explicitly set up a key header for a raw 3DES key
 146     CssmKey::Header &hdr = mKey.header();
 147     hdr.blobType(CSSM_KEYBLOB_RAW);
 148     hdr.blobFormat(CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING);
 149     hdr.keyClass(CSSM_KEYCLASS_SESSION_KEY);
 150     hdr.algorithm(CSSM_ALGID_3DES_3KEY_EDE);
 151     hdr.KeyAttr = 0;
 152     hdr.KeyUsage = CSSM_KEYUSE_ANY;
 153     mKey = CssmData::wrap(mBlob.masterKey);
 154 }
 155
 156 SystemKeychainKey::~SystemKeychainKey()
 157 {
 158 }
 159
 160 bool SystemKeychainKey::matches(const DbBlob::Signature &signature)
 161 {
 162     return update() && signature == mBlob.signature;
 163 }
 164
 165 CssmKey& SystemKeychainKey::key()
 166 {
 167     if(!mValid) {
 168         update();
 169     }
 170     return mKey;
 171 }
 172
 173 bool SystemKeychainKey::update()
 174 {
 175     // if we checked recently, just assume it's okay
 176     if (mValid && mUpdateThreshold > Time::now())
 177         return mValid;
 178
 179     // check the file
 180     struct stat st;
 181     if (::stat(mPath.c_str(), &st)) {
 182         // something wrong with the file; can't use it
 183         mUpdateThreshold = Time::now() + Time::Interval(checkDelay);
 184         return mValid = false;
 185     }
 186     if (mValid && Time::Absolute(st.st_mtimespec) == mCachedDate)
 187         return true;
 188     mUpdateThreshold = Time::now() + Time::Interval(checkDelay);
 189
 190     try {
 191         secnotice("syskc", "reading system unlock record from %s", mPath.c_str());
 192         UnixPlusPlus::AutoFileDesc fd(mPath, O_RDONLY);
 193         if (fd.read(mBlob) != sizeof(mBlob))
 194             return false;
 195         if (mBlob.isValid()) {
 196             mCachedDate = st.st_mtimespec;
 197             return mValid = true;
 198         } else
 199             return mValid = false;
 200     } catch (...) {
 201         secnotice("syskc", "system unlock record not available");
 202         return false;
 203     }
 204 }
 205
 206 bool SystemKeychainKey::valid()
 207 {
 208     update();
 209     return mValid;
 210 }
 211
 212
 213 } // end namespace SecurityServer
 214
 215 } // end namespace Security