Security-59306.101.1.tar.gz
[apple/security.git] / OSX / sec / ipc / securityd_client.h
1 /*
2 * Copyright (c) 2007-2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 #ifndef _SECURITYD_CLIENT_H_
24 #define _SECURITYD_CLIENT_H_
25
26 #include <stdint.h>
27
28 #include "keychain/securityd/SecKeybagSupport.h"
29
30 #include <Security/SecTrust.h>
31 #include <Security/SecTask.h>
32 #ifndef MINIMIZE_INCLUDES
33
34 #pragma clang diagnostic push
35 #pragma clang diagnostic ignored "-Wfour-char-constants"
36 # include "OSX/sec/Security/SecTrustStore.h"
37 #pragma clang diagnostic pop
38
39 #else
40 typedef struct __SecTrustStore *SecTrustStoreRef;
41 //# ifndef _SECURITY_SECCERTIFICATE_H_
42 //typedef struct __SecCertificate *SecCertificateRef;
43 //# endif // _SECURITY_SECCERTIFICATE_H_
44 #endif // MINIMIZE_INCLUDES
45
46 #include "OSX/utilities/SecAKSWrappers.h"
47
48 #include <CoreFoundation/CFArray.h>
49 #include <CoreFoundation/CFDictionary.h>
50 #include <CoreFoundation/CFError.h>
51
52 #include "keychain/SecureObjectSync/SOSCloudCircle.h"
53 #include "keychain/SecureObjectSync/SOSPeerInfo.h"
54 #include "keychain/SecureObjectSync/SOSRing.h"
55
56 #include <xpc/xpc.h>
57 #include <CoreFoundation/CFXPCBridge.h>
58
59 #include <TargetConditionals.h>
60
// XPC service names used by the client side of securityd and trustd.
// On macOS the securityd name carries an ".xpc" suffix, a separate system
// securityd name exists, and the trustd agent has its own name. On every other
// target there is no kSecuritydSystemXPCServiceName, and both trustd macros
// expand to the same "com.apple.trustd" string.
// NOTE(review): a connection made by name reaches whichever process registered
// that name; how the peer is validated is not visible in this header — confirm.
#if TARGET_OS_OSX
#define kSecuritydXPCServiceName "com.apple.securityd.xpc"
#define kSecuritydSystemXPCServiceName "com.apple.securityd.system.xpc"
#define kTrustdAgentXPCServiceName "com.apple.trustd.agent"
#define kTrustdXPCServiceName "com.apple.trustd"
#else
#define kSecuritydXPCServiceName "com.apple.securityd"
#define kTrustdAgentXPCServiceName "com.apple.trustd"
#define kTrustdXPCServiceName "com.apple.trustd"
#endif // *** END TARGET_OS_OSX ***

// Service names defined identically on all targets.
#define kSecuritydGeneralServiceName "com.apple.securityd.general"
#define kSecuritydSOSServiceName "com.apple.securityd.sos"
74
75 //
76 // MARK: XPC Information.
77 //
78
// Error domain string; only declared when building for TARGET_OS_IPHONE.
#if TARGET_OS_IPHONE
extern CFStringRef sSecXPCErrorDomain;
#endif

// String constants naming fields of the XPC messages (judging by the
// kSecXPCKey prefix; the values are defined outside this header).
// Each is declared `const char *`: the characters are const, the pointer
// variable itself is not, so these are writable globals.
// NOTE(review): `const char * const` here and at the definition would make the
// pointers read-only as well; that needs the definitions changed in step.
// NOTE(review): kSecXPCKeyUserPassword, kSecXPCKeyKeybag and kSecXPCKeyBackup
// presumably label secret material inside a message — confirm that code which
// logs or dumps whole XPC messages redacts these fields.
extern const char *kSecXPCKeyOperation;
extern const char *kSecXPCKeyResult;
extern const char *kSecXPCKeyEndpoint;
extern const char *kSecXPCKeyError;
extern const char *kSecXPCKeyPeerInfoArray;
extern const char *kSecXPCKeyUserLabel;
extern const char *kSecXPCKeyBackup;
extern const char *kSecXPCKeyKeybag;
extern const char *kSecXPCKeyFlags;
extern const char *kSecXPCKeyUserPassword;
extern const char *kSecXPCKeyEMCSBackup;
extern const char *kSecXPCKeyDSID;
extern const char *kSecXPCKeyViewName;
extern const char *kSecXPCKeyViewActionCode;
extern const char *kSecXPCKeyNewPublicBackupKey;
extern const char *kSecXPCKeyRecoveryPublicKey;
extern const char *kSecXPCKeyIncludeV0;
extern const char *kSecXPCKeyEnabledViewsKey;
extern const char *kSecXPCKeyDisabledViewsKey;
extern const char *kSecXPCKeyEscrowLabel;
extern const char *kSecXPCKeyTriesLabel;
extern const char *kSecXPCKeyFileDescriptor;
extern const char *kSecXPCKeyAccessGroups;
extern const char *kSecXPCKeyClasses;
extern const char *kSecXPCKeyNormalizedIssuer;
extern const char *kSecXPCKeySerialNumber;
extern const char *kSecXPCKeyBackupKeybagIdentifier;
extern const char *kSecXPCKeyBackupKeybagPath;
111
112 //
113 // MARK: Dispatch macros
114 //
115
// SECURITYD_XPC / TRUSTD_XPC: run operation `sdp` in-process or over XPC.
// If the global dispatch table (gSecurityd / gTrustd) is non-NULL and its
// `sdp` member is set, that function pointer is called directly with the given
// arguments. Otherwise `wrapper` is called with the operation id `sdp ## _id`
// (e.g. sec_item_add -> sec_item_add_id) followed by the same arguments.
// NOTE(review): the in-process branch never calls `wrapper`, so whatever
// validation happens on the XPC path is not applied by this macro itself —
// confirm where the caller is authorized when a local table is installed.
#define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
#define TRUSTD_XPC(sdp, wrapper, ...) ((gTrustd && gTrustd->sdp) ? gTrustd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))

// TRUSTD_XPC_ASYNC: asynchronous variant for trustd operations that return a
// SecTrustResultType. With an in-process table the call runs inside a block
// submitted to queue `q` with dispatch_async, and handler `h` receives the
// result together with the CFErrorRef the operation filled in. Without one,
// `wrapper` receives q, h, the operation id and the arguments.
// NOTE(review): gTrustd is read a second time inside the block, after the NULL
// check already passed on the submitting thread; this presumably relies on the
// table not being replaced while requests are in flight — confirm.
// NOTE(review): _error is passed to `h` and not released here; presumably `h`
// takes ownership of it — confirm.
#define TRUSTD_XPC_ASYNC(sdp, wrapper, q, h, ...) do { \
    if (gTrustd != NULL && gTrustd->sdp != NULL) { \
        dispatch_async(q, ^{ \
            CFErrorRef _error = NULL; \
            SecTrustResultType _tr = gTrustd->sdp(__VA_ARGS__, &_error); \
            h(_tr, _error); \
        }); \
    } else { \
        wrapper(q, h, sdp ## _id, __VA_ARGS__); \
    } \
} while (0)
130
131 //
132 // MARK: Object to XPC format conversion.
133 //
134
135
136 //
137 // MARK: XPC Interfaces
138 //
139
// Further XPC message field names (values defined outside this header).
// kSecXPCKeyViewName and kSecXPCKeyViewActionCode are also declared earlier in
// this header; the repeated extern declarations are redundant but harmless.
// As with the earlier group, the pointer variables themselves are not const.
extern const char *kSecXPCKeyPeerInfo;
extern const char *kSecXPCLimitInMinutes;
extern const char *kSecXPCKeyQuery;
extern const char *kSecXPCKeyAttributesToUpdate;
extern const char *kSecXPCKeyDomain;
extern const char *kSecXPCKeyDigest;
extern const char *kSecXPCKeyCertificate;
extern const char *kSecXPCKeySettings;
extern const char *kSecXPCPublicPeerId; // Public peer id
extern const char *kSecXPCOTRSession; // OTR session bytes
extern const char *kSecXPCData; // Data to process
extern const char *kSecXPCOTRReady; // OTR ready for messages
extern const char *kSecXPCKeyViewName;
extern const char *kSecXPCKeyViewActionCode;
extern const char *kSecXPCKeyHSA2AutoAcceptInfo;
extern const char *kSecXPCKeyString;
extern const char *kSecXPCKeyArray;
extern const char *kSecXPCKeySet;
extern const char *kSecXPCKeySet2;
extern const char *kSecXPCVersion;
extern const char *kSecXPCKeySignInAnalytics;
extern const char *kSecXPCKeyReason;
162
163 //
164 // MARK: Mach port request IDs
165 //
// Operation identifiers for requests to securityd/trustd; the message helpers
// declared later in this header (securityd_create_message and friends) take
// one of these values.
//
// Only the first nine values are pinned explicitly. Every later enumerator is
// the previous value plus one, so inserting or reordering an entry renumbers
// every entry after it. The marker comments inside the list ("MUST be added
// below here", "required to have entitlement keychain-cloud-circle", "free for
// all") show that an entry's position in the list is significant.
// NOTE(review): the code that enforces the entitlement range is not in this
// header; presumably it compares the operation against these boundaries, in
// which case a new enumerator placed in the wrong range changes which callers
// may invoke it — confirm against the server-side check before adding entries.
enum SecXPCOperation {
    sec_item_add_id = 0,
    sec_item_copy_matching_id = 1,
    sec_item_update_id = 2,
    sec_item_delete_id = 3,
    // trust_store_for_domain -- NOT an ipc
    sec_trust_store_contains_id = 4,
    sec_trust_store_set_trust_settings_id = 5,
    sec_trust_store_remove_certificate_id = 6,
    // remove_all -- NOT an ipc
    sec_delete_all_id = 7,
    sec_trust_evaluate_id = 8,
    // Any new items MUST be added below here
    // This allows updating roots on a device, since SecTrustEvaluate must continue to work
    sec_keychain_backup_id,
    sec_keychain_restore_id,
    sec_keychain_backup_syncable_id,
    sec_keychain_restore_syncable_id,
    sec_item_backup_copy_names_id,
    sec_item_backup_handoff_fd_id,
    sec_item_backup_set_confirmed_manifest_id,
    sec_item_backup_restore_id,
    sec_keychain_sync_update_message_id,
    sec_ota_pki_trust_store_version_id,
    sec_ota_pki_asset_version_id,
    sec_otr_session_create_remote_id,
    sec_otr_session_process_packet_remote_id,
    kSecXPCOpOTAPKIGetNewAsset,
    kSecXPCOpOTAGetEscrowCertificates,
    kSecXPCOpOTAPKICopyTrustedCTLogs,
    kSecXPCOpOTAPKICopyCTLogForKeyID,
    kSecXPCOpProcessUnlockNotification,
    kSecXPCOpProcessSyncWithAllPeers,
    kSecXPCOpRollKeys,
    sec_add_shared_web_credential_id,
    sec_copy_shared_web_credential_id,
    sec_get_log_settings_id,
    sec_set_xpc_log_settings_id,
    sec_set_circle_log_settings_id,
    soscc_EnsurePeerRegistration_id,
    kSecXPCOpRequestDeviceID,
    kSecXPCOpSetDeviceID,
    kSecXPCOpHandleIDSMessage,
    kSecXPCOpSyncWithKVSPeer,
    kSecXPCOpSyncWithIDSPeer,
    kSecXPCOpSendIDSMessage,
    kSecXPCOpPingTest,
    kSecXPCOpIDSDeviceID,
    kSecXPCOpSyncWithKVSPeerIDOnly,
    // any process using an operation below here is required to have entitlement keychain-cloud-circle
    kSecXPCOpTryUserCredentials,
    kSecXPCOpSetUserCredentials,
    kSecXPCOpSetUserCredentialsAndDSID,
    kSecXPCOpSetUserCredentialsAndDSIDWithAnalytics,
    kSecXPCOpCanAuthenticate,
    kSecXPCOpPurgeUserCredentials,
    kSecXPCOpDeviceInCircle,
    kSecXPCOpRequestToJoin,
    kSecXPCOpRequestToJoinWithAnalytics,
    kSecXPCOpRequestToJoinAfterRestore,
    kSecXPCOpRequestToJoinAfterRestoreWithAnalytics,
    kSecXPCOpResetToOffering,
    kSecXPCOpResetToEmpty,
    kSecXPCOpResetToEmptyWithAnalytics,
    kSecXPCOpView,
    kSecXPCOpViewSet,
    kSecXPCOpViewSetWithAnalytics,
    kSecXPCOpRemoveThisDeviceFromCircle,
    kSecXPCOpRemoveThisDeviceFromCircleWithAnalytics,
    kSecXPCOpRemovePeersFromCircle,
    kSecXPCOpRemovePeersFromCircleWithAnalytics,
    kSecXPCOpLoggedOutOfAccount,
    kSecXPCOpBailFromCircle,
    kSecXPCOpAcceptApplicants,
    kSecXPCOpRejectApplicants,
    kSecXPCOpCopyApplicantPeerInfo,
    kSecXPCOpCopyValidPeerPeerInfo,
    kSecXPCOpValidateUserPublic,
    kSecXPCOpCopyNotValidPeerPeerInfo,
    kSecXPCOpCopyPeerPeerInfo,
    kSecXPCOpCopyConcurringPeerPeerInfo,
    kSecXPCOpCopyGenerationPeerInfo,
    kSecXPCOpGetLastDepartureReason,
    kSecXPCOpSetLastDepartureReason,
    kSecXPCOpCopyRetirementPeerInfo,
    kSecXPCOpCopyViewUnawarePeerInfo,
    kSecXPCOpCopyEngineState,
    kSecXPCOpCopyMyPeerInfo,
    kSecXPCOpAccountSetToNew,
    kSecXPCOpSetNewPublicBackupKey,
    kSecXPCOpSetBagForAllSlices,
    kSecXPCOpWaitForInitialSync,
    kSecXPCOpWaitForInitialSyncWithAnalytics,
    kSecXPCOpCheckPeerAvailability,
    kSecXPCOpCopyApplication,
    kSecXPCOpCopyCircleJoiningBlob,
    kSecXPCOpJoinWithCircleJoiningBlob,
    kSecXPCOpKVSKeyCleanup,
    kSecXPCOpAccountHasPublicKey,
    kSecXPCOpClearKVSPeerMessage,
    kSecXPCOpRegisterRecoveryPublicKey,
    kSecXPCOpGetRecoveryPublicKey,
    kSecXPCOpCopyInitialSyncBlob,
    /* after this is free for all */
    kSecXPCOpWhoAmI,
    kSecXPCOpTransmogrifyToSyncBubble,
    kSecXPCOpTransmogrifyToSystemKeychain,
    sec_item_update_token_items_id,
    kSecXPCOpDeleteUserView,
    sec_trust_store_copy_all_id,
    sec_trust_store_copy_usage_constraints_id,
    sec_ocsp_cache_flush_id,
    sec_delete_items_with_access_groups_id,
    sec_keychain_backup_keybag_uuid_id,
    kSecXPCOpPeersHaveViewsEnabled,
    kSecXPCOpProcessSyncWithPeers,
    kSecXPCOpMessageFromPeerIsPending,
    kSecXPCOpSendToPeerIsPending,
    sec_item_copy_parent_certificates_id,
    sec_item_certificate_exists_id,
    kSecXPCOpBackupKeybagAdd,
    kSecXPCOpBackupKeybagDelete,
    kSecXPCOpSFKeychainEndpoint,
    kSecXPCOpKeychainControlEndpoint,
    kSecXPCOpNetworkingAnalyticsReport,
    kSecXPCOpSetCTExceptions,
    kSecXPCOpCopyCTExceptions,
    kSecXPCOpOTASecExperimentGetAsset,
    kSecXPCOpOTASecExperimentGetNewAsset,
    sec_trust_get_exception_reset_count_id,
    sec_trust_increment_exception_reset_count_id,
};
298
299
// Per-caller context handed to the keychain entry points in struct securityd
// (their `SecurityClient *client` parameters).
// The struct layout depends on the build target: `keybag` exists only on
// non-simulator TARGET_OS_IPHONE builds with TARGET_HAS_KEYSTORE, and
// `inMultiUser` / `activeUser` only on TARGET_OS_IPHONE.
// NOTE(review): the per-field notes are inferred from names and types only.
// These fields look like authorization inputs; presumably the server fills
// them in from the connecting peer and never from request contents — confirm.
typedef struct SecurityClient {
    SecTaskRef task;                            // presumably the calling task — confirm
    CFArrayRef accessGroups;                    // presumably the access groups the caller may use — confirm
    bool allowSystemKeychain;                   // presumably gates access to the system keychain — confirm
    bool allowSyncBubbleKeychain;               // presumably gates access to the sync-bubble keychain — confirm
    bool isNetworkExtension;
    bool canAccessNetworkExtensionAccessGroups;
    uid_t uid;
    CFDataRef musr;                             // presumably the multi-user identifier — confirm
#if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) && TARGET_HAS_KEYSTORE
    keybag_handle_t keybag;
#endif
#if TARGET_OS_IPHONE
    bool inMultiUser;
    int activeUser;
#endif
} SecurityClient;
317
318
// Returns a pointer to a SecurityClient; the lifetime and ownership of the
// returned object are not stated in this header.
extern SecurityClient * SecSecurityClientGet(void);
#if TARGET_OS_IOS
// Declared for iOS builds only. Presumably these adjust the multi-user state
// of the SecurityClient returned above — confirm against the implementation.
void SecSecuritySetMusrMode(bool mode, uid_t uid, int activeUser);
void SecSecuritySetPersonaMusr(CFStringRef uuid);
#endif
324
// In-process dispatch table for securityd operations. The SECURITYD_XPC macro
// calls a member of this table directly when gSecurityd is non-NULL and that
// member is set, instead of sending the request over XPC.
//
// Some keychain entry points take a `SecurityClient *client`; others, such as
// sec_item_delete_all and sec_roll_keys, take no caller context at all, and the
// certificate lookups take an explicit accessGroups array instead.
// NOTE(review): for members without a client argument, any caller check has to
// happen before the table is reached — confirm where that is enforced.
struct securityd {
    /* LOCAL KEYCHAIN */
    bool (*sec_item_add)(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
    bool (*sec_item_copy_matching)(CFDictionaryRef query, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
    bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, SecurityClient *client, CFErrorRef* error);
    bool (*sec_item_delete)(CFDictionaryRef query, SecurityClient *client, CFErrorRef* error);
    bool (*sec_item_delete_all)(CFErrorRef* error);
    CFArrayRef (*sec_item_copy_parent_certificates)(CFDataRef normalizedIssuer, CFArrayRef accessGroups, CFErrorRef *error);
    bool (*sec_item_certificate_exists)(CFDataRef normalizedIssuer, CFDataRef serialNumber, CFArrayRef accessGroups, CFErrorRef *error);
    CFDataRef (*sec_keychain_backup)(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, bool emcs, CFErrorRef* error);
    bool (*sec_keychain_restore)(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    bool (*sec_roll_keys)(bool force, CFErrorRef* error);
    bool (*sec_item_update_token_items)(CFStringRef tokenID, CFArrayRef query, SecurityClient *client, CFErrorRef* error);
    bool (*sec_delete_items_with_access_groups)(CFArrayRef bundleIDs, SecurityClient *client, CFErrorRef *error);
    /* SHAREDWEBCREDENTIALS */
    // These two take the caller's audit token in addition to the SecurityClient.
    bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
    bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
    /* SECUREOBJECTSYNC */
    CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    bool (*sec_keychain_restore_syncable)(CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    CFArrayRef (*sec_item_backup_copy_names)(CFErrorRef *error);
    int (*sec_item_backup_handoff_fd)(CFStringRef backupName, CFErrorRef *error);
    bool (*sec_item_backup_set_confirmed_manifest)(CFStringRef backupName, CFDataRef keybagDigest, CFDataRef manifest, CFErrorRef *error);
    bool (*sec_item_backup_restore)(CFStringRef backupName, CFStringRef peerID, CFDataRef keybag, CFDataRef secret, CFDataRef backup, CFErrorRef *error);
    CFDataRef (*sec_otr_session_create_remote)(CFDataRef publicPeerId, CFErrorRef* error);
    bool (*sec_otr_session_process_packet_remote)(CFDataRef sessionData, CFDataRef inputPacket, CFDataRef* outputSessionData, CFDataRef* outputPacket, bool *readyForMessages, CFErrorRef* error);
    bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
    bool (*soscc_SetUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
    bool (*soscc_SetUserCredentialsAndDSID)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
    bool (*soscc_SetUserCredentialsAndDSIDWithAnalytics)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFDataRef parentEvent, CFErrorRef *error);
    bool (*soscc_CanAuthenticate)(CFErrorRef *error);
    bool (*soscc_PurgeUserCredentials)(CFErrorRef *error);
    SOSCCStatus (*soscc_ThisDeviceIsInCircle)(CFErrorRef* error);
    bool (*soscc_RequestToJoinCircle)(CFErrorRef* error);
    bool (*soscc_RequestToJoinCircleWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
    bool (*soscc_RequestToJoinCircleAfterRestore)(CFErrorRef* error);
    bool (*soscc_RequestToJoinCircleAfterRestoreWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
    bool (*soscc_SetToNew)(CFErrorRef *error);
    bool (*soscc_ResetToOffering)(CFErrorRef* error);
    bool (*soscc_ResetToEmpty)(CFErrorRef* error);
    bool (*soscc_ResetToEmptyWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
    SOSViewResultCode (*soscc_View)(CFStringRef view, SOSViewActionCode action, CFErrorRef *error);
    // The two ViewSet members have no CFErrorRef out-parameter; failure is reported only through the bool.
    bool (*soscc_ViewSet)(CFSetRef enabledViews, CFSetRef disabledViews);
    bool (*soscc_ViewSetWithAnalytics)(CFSetRef enabledViews, CFSetRef disabledViews, CFDataRef parentEvent);
    bool (*soscc_RegisterSingleRecoverySecret)(CFDataRef backupSlice, bool forV0Only, CFErrorRef *error);
    bool (*soscc_RegisterRecoveryPublicKey)(CFDataRef recovery_key, CFErrorRef *error);
    CFDataRef (*soscc_CopyRecoveryPublicKey)(CFErrorRef *error);
    bool (*soscc_RemoveThisDeviceFromCircle)(CFErrorRef* error);
    bool (*soscc_RemoveThisDeviceFromCircleWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
    bool (*soscc_RemovePeersFromCircle)(CFArrayRef peers, CFErrorRef* error);
    bool (*soscc_RemovePeersFromCircleWithAnalytics)(CFArrayRef peers, CFDataRef parentEvent, CFErrorRef* error);
    bool (*soscc_LoggedOutOfAccount)(CFErrorRef* error);
    bool (*soscc_BailFromCircle)(uint64_t limit_in_seconds, CFErrorRef* error);
    bool (*soscc_AcceptApplicants)(CFArrayRef applicants, CFErrorRef* error);
    bool (*soscc_RejectApplicants)(CFArrayRef applicants, CFErrorRef* error);
    SOSPeerInfoRef (*soscc_SetNewPublicBackupKey)(CFDataRef pubKey, CFErrorRef *error);
    bool (*soscc_ValidateUserPublic)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyGenerationPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyApplicantPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyValidPeerPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyNotValidPeerPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyRetirementPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyViewUnawarePeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyEngineState)(CFErrorRef* error);
    // Not sure why these are below the last entry in the enum order above, but they are:
    CFArrayRef (*soscc_CopyPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyConcurringPeerInfo)(CFErrorRef* error);
    enum DepartureReason (*soscc_GetLastDepartureReason)(CFErrorRef* error);
    bool (*soscc_SetLastDepartureReason)(enum DepartureReason, CFErrorRef* error);
    CFSetRef (*soscc_ProcessSyncWithPeers)(CFSetRef peerIDs, CFSetRef backupPeerIDs, CFErrorRef* error);
    SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers)(CFErrorRef* error);
    bool (*soscc_EnsurePeerRegistration)(CFErrorRef* error);
    CFArrayRef (*sec_keychain_sync_update_message)(CFDictionaryRef update, CFErrorRef *error);
    CFPropertyListRef (*sec_get_log_settings)(CFErrorRef* error);
    bool (*sec_set_xpc_log_settings)(CFTypeRef type, CFErrorRef* error);
    bool (*sec_set_circle_log_settings)(CFTypeRef type, CFErrorRef* error);
    SOSPeerInfoRef (*soscc_CopyMyPeerInfo)(CFErrorRef*);
    bool (*soscc_WaitForInitialSync)(CFErrorRef*);
    bool (*soscc_WaitForInitialSyncWithAnalytics)(CFDataRef parentEvent, CFErrorRef *error);
    bool (*soscc_PeerAvailability)(CFErrorRef *error);
    SOSPeerInfoRef (*soscc_CopyApplicant)(CFErrorRef *error);
    CFDataRef (*soscc_CopyCircleJoiningBlob)(SOSPeerInfoRef applicant, CFErrorRef *error);
    CFDataRef (*soscc_CopyInitialSyncData)(SOSInitialSyncFlags flags, CFErrorRef *error);
    bool (*soscc_JoinWithCircleJoiningBlob)(CFDataRef joiningBlob, PiggyBackProtocolVersion version, CFErrorRef *error);
    bool (*soscc_SOSCCCleanupKVSKeys)(CFErrorRef *error);
    bool (*soscc_AccountHasPublicKey)(CFErrorRef *error);
    bool (*soscc_requestSyncWithPeerOverKVS)(CFStringRef peerID, CFDataRef message, CFErrorRef *error);
    CFBooleanRef (*soscc_SOSCCPeersHaveViewsEnabled)(CFArrayRef views, CFErrorRef *error);
    // NOTE(review): spelled `socc_`, unlike the `soscc_` prefix of its neighbours;
    // renaming it would break existing users of this member.
    bool (*socc_clearPeerMessageKeyInKVS)(CFStringRef peerID, CFErrorRef *error);
    bool (*soscc_SOSCCMessageFromPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
    bool (*soscc_SOSCCSendToPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
    CFTypeRef (*soscc_status)(void);
    /* otherstuff */
    CFTypeRef secd_xpc_server;
};

// Global pointer to the in-process table; SECURITYD_XPC falls back to XPC when it is NULL.
extern struct securityd *gSecurityd;
422
// In-process dispatch table for trustd operations, consulted by the TRUSTD_XPC
// and TRUSTD_XPC_ASYNC macros before they fall back to XPC.
// The last two members exist only on TARGET_OS_IPHONE, so the struct's size
// differs between targets.
struct trustd {
    SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error);
    bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error);
    bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error);
    bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error);
    bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error);
    // The accessGroups parameter is marked __unused in this signature.
    SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error);
    uint64_t (*sec_ota_pki_trust_store_version)(CFErrorRef* error);
    uint64_t (*sec_ota_pki_asset_version)(CFErrorRef* error);
    CFArrayRef (*ota_CopyEscrowCertificates)(uint32_t escrowRootType, CFErrorRef* error);
    uint64_t (*sec_ota_pki_get_new_asset)(CFErrorRef* error);
    uint64_t (*sec_ota_secexperiment_get_new_asset)(CFErrorRef* error);
    CFDictionaryRef (*sec_ota_secexperiment_get_asset)(CFErrorRef* error);
    CFDictionaryRef (*sec_ota_pki_copy_trusted_ct_logs)(CFErrorRef *error);
    CFDictionaryRef (*sec_ota_pki_copy_ct_log_for_keyid)(CFDataRef keyID, CFErrorRef *error);
    bool (*sec_trust_store_copy_all)(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error);
    bool (*sec_trust_store_copy_usage_constraints)(SecTrustStoreRef ts, CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error);
    bool (*sec_ocsp_cache_flush)(CFErrorRef *error);
    bool (*sec_networking_analytics_report)(CFStringRef event_name, xpc_object_t tls_analytics_attributes, CFErrorRef *error);
    // NOTE(review): the CT-exception members take an appID argument; presumably
    // the server derives or verifies it from the peer instead of trusting the
    // supplied string — confirm.
    bool (*sec_trust_store_set_ct_exceptions)(CFStringRef appID, CFDictionaryRef exceptions, CFErrorRef *error);
    CFDictionaryRef (*sec_trust_store_copy_ct_exceptions)(CFStringRef appID, CFErrorRef *error);
#if TARGET_OS_IPHONE
    bool (*sec_trust_increment_exception_reset_count)(CFErrorRef *error);
    uint64_t (*sec_trust_get_exception_reset_count)(CFErrorRef *error);
#endif
};

// Global pointer to the in-process trustd table; NULL means requests go over XPC.
extern struct trustd *gTrustd;
451
// Returns the current access groups array. The "Get" name suggests the caller
// does not own the result — confirm against the implementation.
CFArrayRef SecAccessGroupsGetCurrent(void);

// TODO Rename me
// Returns a descriptive string for an operation id.
CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op);
// Sends `message` and returns the reply. XPC_RETURNS_RETAINED: the caller owns
// the returned object.
XPC_RETURNS_RETAINED xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error);
// Handler type for asynchronous replies: receives the reply object and an error.
typedef void (^securityd_handler_t)(xpc_object_t reply, CFErrorRef error);
// Asynchronous counterpart of securityd_message_with_reply_sync; takes the
// queue `replyq` and the handler that receives the reply.
void securityd_message_with_reply_async(xpc_object_t message, dispatch_queue_t replyq,
                                        securityd_handler_t handler);
// Creates a message for operation `op`; the caller owns the returned object.
XPC_RETURNS_RETAINED xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error);
// Presumably returns false and fills *error when `message` carries an error
// entry — inferred from the name; confirm.
bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error);


// Synchronous request helper for operation `op`. `add_to_message` receives the
// outgoing message and `handle_response` receives the reply; both return a
// bool and may report a CFErrorRef. The exact order of calls and the handling
// of a false return are defined by the implementation, not by this header.
bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error,
                                bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
                                bool (^handle_response)(xpc_object_t response, CFErrorRef* error));

// Asynchronous variant: takes the queue `replyq` and a securityd_handler_t in
// place of the handle_response block.
void securityd_send_async_and_do(enum SecXPCOperation op, dispatch_queue_t replyq,
                                 bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
                                 securityd_handler_t handler);

// For testing only, never call this in a threaded program!
// NOTE(review): this changes which Mach service name trustd requests go to;
// confirm that it cannot be reached from production code paths.
void SecServerSetTrustdMachServiceName(const char *name);

// Returns an XPC endpoint for operation `op`; the caller owns the returned object.
XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyEndpoint(enum SecXPCOperation op, CFErrorRef *error);
476
477 #if __OBJC__
478 #import <Foundation/Foundation.h>
479 #import <Foundation/NSXPCConnection.h>
// Block type taking a bool result and an NSError.
typedef void (^SecBoolNSErrorCallback) (bool, NSError*);

// Object form of SecBoolNSErrorCallback, so that a callback can be passed as a
// proxied object in an NSXPC call (see SecItemAddAndNotifyOnSync:syncCallback:complete:).
@protocol SecuritydXPCCallbackProtocol <NSObject>
- (void)callCallback: (bool) result error:(NSError*) error;
@end
485
// NSXPC-facing interface to securityd. Every method reports its outcome through
// a completion block; none returns a value directly.
// NOTE(review): several methods take an accessGroup chosen by the caller;
// presumably the server checks it against the peer's entitlements and does not
// trust the string as given — confirm.
@protocol SecuritydXPCProtocol <NSObject>
// Adds an item described by `attributes`; `callback` is a proxied callback
// object and `complete` receives the result of the operation.
- (void) SecItemAddAndNotifyOnSync:(NSDictionary*) attributes
                      syncCallback:(id<SecuritydXPCCallbackProtocol>) callback
                          complete:(void (^) (NSDictionary* opDictResult, NSArray* opArrayResult, NSError* operror)) complete;

// For the given item (specified exactly by its hash (currently SHA1)), attempt to set the CloudKit 'current' pointer
// to point to the given item.
// This can fail if:
//    1. your knowledge of the old current item is out of date
//    2. either the new item or old item has changed (checked by hash)
//    3. this device can't talk with CloudKit for any reason
// NOTE(review): the change check rests on SHA-1, which is not collision
// resistant; whether that matters depends on who can influence item contents — confirm.
- (void)secItemSetCurrentItemAcrossAllDevices:(NSData*)newItemPersistentRef
                           newCurrentItemHash:(NSData*)newItemSHA1
                                  accessGroup:(NSString*)accessGroup
                                   identifier:(NSString*)identifier
                                     viewHint:(NSString*)viewHint
                      oldCurrentItemReference:(NSData*)oldCurrentItemPersistentRef
                           oldCurrentItemHash:(NSData*)oldItemSHA1
                                     complete:(void (^) (NSError* operror)) complete;

// For the given access group and identifier, check the current local idea of the 'current' item
-(void)secItemFetchCurrentItemAcrossAllDevices:(NSString*)accessGroup
                                    identifier:(NSString*)identifier
                                      viewHint:(NSString*)viewHint
                               fetchCloudValue:(bool)fetchCloudValue
                                      complete:(void (^) (NSData* persistentref, NSError* operror)) complete;


// For each item in the keychainClass, return a persistent reference and the digest of the value.
// The digest is not stable and can change at any time; the only promise is that if the digest
// value didn't change, the item didn't change. If the digest changed, the value MIGHT have changed,
// but it could also just have stayed the same.
// This interface bypasses SEP/AKS and for that reason has higher performance than SecItemCopyMatching().
- (void) secItemDigest:(NSString *)keychainClass
           accessGroup:(NSString *)accessGroup
              complete:(void (^)(NSArray<NSDictionary *> *digest, NSError* error))complete;

// Delete the multi-user slice of persona uuid
//
// Should be done just before the account volume is unmounted; will delete all this user's data unconditionally.
// There is nothing stopping further storage though.
// NOTE(review): destructive and unconditional; which callers may invoke it is
// not visible in this header — confirm the entitlement check on the server side.
- (void) secKeychainDeleteMultiuser:(NSData *)uuid
                           complete:(void (^)(bool status, NSError* error))complete;

// Go through the keychain to verify the backup infrastructure is present and valid.
// The completion handler's dictionary will contain a string with statistics about the class; error will be nil or
// complain about what went wrong during verification.
// Lightweight mode only checks consistency of the backup infrastructure without verifying all keychain items.
- (void)secItemVerifyBackupIntegrity:(BOOL)lightweight
                          completion:(void (^)(NSDictionary<NSString*, NSString*>* resultsPerKeyclass, NSError* error))completion;

@end
538
// Call this to receive a proxy object conforming to SecuritydXPCProtocol that you can call methods on.
// It's probably a remote object for securityd/secd, but it might be in-process if you've configured it that way.
// `rpcErrorHandler` takes an NSError; presumably it is invoked when the
// connection or a call on it fails — confirm.
id<SecuritydXPCProtocol> SecuritydXPCProxyObject(void (^rpcErrorHandler)(NSError *));

// Set up a local securityxpcserver: after this call, all securitydxpc calls will be handled in-process instead of actually transferring to securityd.
// NS_RETURNS_RETAINED: the caller owns the returned object.
// NOTE(review): in-process handling means no process boundary separates caller
// and server; presumably meant for tests and the daemon itself — confirm.
id<SecuritydXPCProtocol> SecCreateLocalSecuritydXPCServer(void) NS_RETURNS_RETAINED;
545
// Make a SecBoolNSErrorCallback block into an Objective-C object (for proxying across NSXPC)
// NOTE(review): the property is declared without attributes, so it takes the
// compiler defaults; block-typed properties are conventionally declared `copy`.
@interface SecuritydXPCCallback : NSObject <SecuritydXPCCallbackProtocol> {
    SecBoolNSErrorCallback _callback;
}
@property SecBoolNSErrorCallback callback;
// Initializes the wrapper with the block to wrap.
- (instancetype)initWithCallback: (SecBoolNSErrorCallback) callback;
@end
553
// Client-side holder of the NSXPCConnection used for SecuritydXPCProtocol calls.
@interface SecuritydXPCClient : NSObject {
    NSXPCConnection* _connection;
}
@property NSXPCConnection* connection;

// Configures `interface` for use with SecuritydXPCProtocol.
// NOTE(review): presumably this registers the classes allowed for each method's
// arguments and replies; if so, that list bounds what is decoded from the
// peer — confirm, and keep it as narrow as the protocol permits.
+(void)configureSecuritydXPCProtocol: (NSXPCInterface*) interface;
@end
561
562 #endif // OBJC
563
564 #endif /* _SECURITYD_CLIENT_H_ */