Security-59306.101.1.tar.gz
1 /*
2 * Copyright (c) 2019 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #if OCTAGON
25
26 #import <utilities/debugging.h>
27
28 #import "keychain/ot/OTVouchWithRecoveryKeyOperation.h"
29 #import "keychain/ot/OTClientStateMachine.h"
30 #import "keychain/ot/OTCuttlefishContext.h"
31 #import "keychain/ot/OTFetchCKKSKeysOperation.h"
32
33 #import "keychain/TrustedPeersHelper/TrustedPeersHelperProtocol.h"
34 #import "keychain/ot/ObjCImprovements.h"
35
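@interface OTVouchWithRecoveryKeyOperation ()
// Shared Octagon dependencies handed in at init time.
@property (strong) OTOperationDependencies* deps;

// Salt sent alongside the recovery key; groupStart sets it to the account's altDSID.
// Declared copy so a mutable string assigned here cannot change afterwards.
@property (copy) NSString* salt;
// Recovery key supplied by the caller. Treat as secret material: it is forwarded to the
// cuttlefish XPC wrapper and should stay out of logs and analytics.
@property (copy) NSString* recoveryKey;

// Operation that is run once the vouch attempt has finished, successfully or not.
@property (strong) NSOperation* finishOp;
@end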
44
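@implementation OTVouchWithRecoveryKeyOperation
@synthesize intendedState = _intendedState;

/// Creates an operation that tries to obtain a voucher by using a recovery key.
///
/// @param dependencies  Shared Octagon dependencies (adapters, state holder, XPC wrapper, view manager).
/// @param intendedState State to move to once a voucher and its signature have been received.
/// @param errorState    State the operation ends in when any step fails; it is also the
///                      initial value of nextState.
/// @param recoveryKey   The recovery key string. Treat as secret material: it is held in
///                      memory by this operation and should not be logged.
- (instancetype)initWithDependencies:(OTOperationDependencies*)dependencies
                       intendedState:(OctagonState*)intendedState
                          errorState:(OctagonState*)errorState
                         recoveryKey:(NSString*)recoveryKey
{
    if((self = [super init])) {
        _deps = dependencies;
        _intendedState = intendedState;
        // Start in the failure state; nextState only advances after a voucher is in hand.
        _nextState = errorState;

        // Copy so a caller-owned NSMutableString cannot alter the key after init.
        _recoveryKey = [recoveryKey copy];
    }
    return self;
}

/// Starts the operation: chooses the salt (the account's altDSID), then preflights the
/// vouch through the cuttlefish XPC wrapper. On preflight success the returned syncing
/// views and policy are handed to the view manager and the flow continues in
/// -proceedWithRecoveryKeyID:. On failure the error is recorded and the operation
/// finishes with nextState still set to the error state.
- (void)groupStart
{
    secnotice("octagon", "creating voucher using a recovery key");

    self.finishOp = [[NSOperation alloc] init];
    [self dependOnBeforeGroupFinished:self.finishOp];

    // Preferred source for the altDSID is the AuthKit adapter; nil is passed for the call's
    // only argument (presumably an error out-parameter), so a failure shows up only as a
    // nil altDSID.
    NSString *altDSID = [self.deps.authKitAdapter primaryiCloudAccountAltDSID:nil];
    if(altDSID){
        secnotice("octagon", "using auth kit adapter, altdsid is: %@", altDSID);
        self.salt = altDSID;
    }
    else {
        // Fall back to the altDSID stored in the account metadata.
        NSError* accountError = nil;
        OTAccountMetadataClassC* account = [self.deps.stateHolder loadOrCreateAccountMetadata:&accountError];

        if(account && !accountError) {
            secnotice("octagon", "retrieved account, altdsid is: %@", account.altDSID);
            self.salt = account.altDSID;
        } else {
            secerror("failed to rerieve account object: %@", accountError);
        }
    }

    // NOTE(review): nothing above stops the operation when no altDSID could be found;
    // self.salt is then nil and is still sent with the recovery key below. Confirm that
    // the receiving side rejects a missing salt rather than deriving keys without one.

    // First, let's preflight the vouch (to receive a policy and view set to use for TLK fetching)
    WEAKIFY(self);
    [self.deps.cuttlefishXPCWrapper preflightVouchWithRecoveryKeyWithContainer:self.deps.containerName
                                                                       context:self.deps.contextID
                                                                   recoveryKey:self.recoveryKey
                                                                          salt:self.salt
                                                                         reply:^(NSString * _Nullable recoveryKeyID,
                                                                                 NSSet<NSString*>* peerSyncingViews,
                                                                                 TPPolicy* peerSyncingPolicy,
                                                                                 NSError * _Nullable error) {
        STRONGIFY(self);
        [[CKKSAnalytics logger] logResultForEvent:OctagonEventPreflightVouchWithRecoveryKey hardFailure:true result:error];

        // A reply without a recovery key ID is treated as a failure even if no error came back.
        if(error || !recoveryKeyID) {
            secerror("octagon: Error preflighting voucher using recovery key: %@", error);
            self.error = error;
            [self runBeforeGroupFinished:self.finishOp];
            return;
        }

        secnotice("octagon", "Recovery key ID %@ looks good to go", recoveryKeyID);

        // Tell CKKS to spin up the new views and policy
        // But, do not persist this view set! We'll do that when we actually manage to join
        [self.deps.viewManager setSyncingViews:peerSyncingViews sortingPolicy:peerSyncingPolicy];

        [self proceedWithRecoveryKeyID:recoveryKeyID];
    }];
}

/// Fetches the CKKS key sets and TLK shares, keeps the shares addressed to the given
/// recovery key ID, and continues with -proceedWithKeys:tlkShares:salt:.
///
/// @param recoveryKeyID Peer ID of the recovery key as returned by the preflight call.
- (void)proceedWithRecoveryKeyID:(NSString*)recoveryKeyID
{
    WEAKIFY(self);

    // After a vouch, we also want to acquire all TLKs that the bottled peer might have had
    OTFetchCKKSKeysOperation* fetchKeysOp = [[OTFetchCKKSKeysOperation alloc] initWithDependencies:self.deps];
    [self runBeforeGroupFinished:fetchKeysOp];

    CKKSResultOperation* proceedWithKeys = [CKKSResultOperation named:@"recovery-tlks"
                                                            withBlock:^{
        STRONGIFY(self);

        NSMutableArray<CKKSTLKShare*>* filteredTLKShares = [NSMutableArray array];
        for(CKKSTLKShare* share in fetchKeysOp.tlkShares) {
            // If we didn't get a recoveryKeyID, just pass every tlkshare and hope for the best
            // NOTE(review): the only caller visible in this file (groupStart) returns early
            // on a nil ID, so this fallback looks unreachable from here. If it ever becomes
            // reachable, the shares are forwarded unfiltered.
            if(recoveryKeyID == nil || [share.receiverPeerID isEqualToString:recoveryKeyID]) {
                [filteredTLKShares addObject:share];
            }
        }

        [self proceedWithKeys:fetchKeysOp.viewKeySets tlkShares:filteredTLKShares salt:self.salt];
    }];

    // Only filter and continue once the key fetch has completed.
    [proceedWithKeys addDependency:fetchKeysOp];
    [self runBeforeGroupFinished:proceedWithKeys];
}

/// Requests the voucher itself through the cuttlefish XPC wrapper. nextState moves to
/// intendedState only when the reply carries no error and both a voucher and its
/// signature are present; otherwise the operation finishes in the error state.
///
/// @param viewKeySets Key sets returned by the CKKS key fetch (not used by this method's body).
/// @param tlkShares   TLK shares to send along with the vouch request.
/// @param salt        Salt sent together with the recovery key.
- (void)proceedWithKeys:(NSArray<CKKSKeychainBackedKeySet*>*)viewKeySets tlkShares:(NSArray<CKKSTLKShare*>*)tlkShares salt:(NSString*)salt
{
    WEAKIFY(self);

    [self.deps.cuttlefishXPCWrapper vouchWithRecoveryKeyWithContainer:self.deps.containerName
                                                              context:self.deps.contextID
                                                          recoveryKey:self.recoveryKey
                                                                 salt:salt
                                                            tlkShares:tlkShares
                                                                reply:^(NSData * _Nullable voucher, NSData * _Nullable voucherSig, NSError * _Nullable error) {
        STRONGIFY(self);
        if(error){
            [[CKKSAnalytics logger] logResultForEvent:OctagonEventVoucherWithRecoveryKey hardFailure:true result:error];
            secerror("octagon: Error preparing voucher using recovery key: %@", error);
            self.error = error;
            [self runBeforeGroupFinished:self.finishOp];
            return;
        }

        // Fail closed: both reply values are nullable, so do not advance to the intended
        // state on an error-free reply that lacks the voucher or its signature. This
        // mirrors the nil check on recoveryKeyID in the preflight reply. nextState stays
        // at the error state set in init.
        if(!voucher || !voucherSig) {
            secerror("octagon: Recovery key vouch returned no voucher or no voucher signature");
            [self runBeforeGroupFinished:self.finishOp];
            return;
        }

        self.voucher = voucher;
        self.voucherSig = voucherSig;
        self.nextState = self.intendedState;
        [self runBeforeGroupFinished:self.finishOp];
    }];
}

@end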
171
172 #endif // OCTAGON