2 * Copyright (c) 2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 * SecAccessControl.m - CoreFoundation based access control object
28 #include <TargetConditionals.h>
29 #include <AssertMacros.h>
30 #include <Security/SecAccessControl.h>
31 #include <Security/SecAccessControlPriv.h>
32 #include <Security/SecItem.h>
33 #include <Security/SecItemPriv.h>
34 #include <utilities/SecCFWrappers.h>
35 #include <utilities/SecCFError.h>
36 #include <utilities/der_plist.h>
37 #include <libaks_acl_cf_keys.h>
39 #include <ACMAclDefs.h>
41 static CFTypeRef kSecAccessControlKeyProtection = CFSTR("prot");
42 static CFTypeRef kSecAccessControlKeyBound = CFSTR("bound");
44 struct __SecAccessControl {
46 CFMutableDictionaryRef dict;
49 static SecAccessConstraintRef SecAccessConstraintCreateValueOfKofN(CFAllocatorRef allocator, size_t numRequired, CFArrayRef constraints, CFErrorRef *error);
51 static void dumpValue(id value, NSMutableString *target, NSString *separator) {
54 } else if (CFGetTypeID((__bridge CFTypeRef)value) == CFBooleanGetTypeID()) {
55 [target appendString:[value boolValue] ? @"true" : @"false"];
56 } else if ([value isKindOfClass:NSNumber.class]) {
57 [target appendString:[value string]];
58 } else if ([value isKindOfClass:NSString.class]) {
59 [target appendString:value];
60 } else if ([value isKindOfClass:NSDictionary.class]) {
61 [value enumerateKeysAndObjectsUsingBlock:^(id _Nonnull key, id _Nonnull obj, BOOL * _Nonnull stop) {
62 [target appendString:separator];
63 dumpValue(key, target, @"");
64 [target appendString:@"("];
65 dumpValue(obj, target, @"");
66 [target appendString:@")"];
71 static CFStringRef SecAccessControlCopyFormatDescription(CFTypeRef cf, CFDictionaryRef formatOptions) {
72 SecAccessControlRef access_control = (SecAccessControlRef)cf;
73 NSDictionary *contents = (__bridge NSDictionary *)access_control->dict;
74 NSMutableString *dump = [NSMutableString string];
75 dumpValue(contents[(__bridge id)kSecAccessControlKeyProtection], dump, @"");
76 dumpValue(contents[(__bridge id)kAKSKeyAcl], dump, @";");
77 return CFBridgingRetain([NSString stringWithFormat:@"<SecAccessControlRef: %@>", dump]);
80 static Boolean SecAccessControlCompare(CFTypeRef lhs, CFTypeRef rhs) {
81 SecAccessControlRef laccess_control = (SecAccessControlRef)lhs;
82 SecAccessControlRef raccess_control = (SecAccessControlRef)rhs;
83 return (laccess_control == raccess_control) || CFEqual(laccess_control->dict, raccess_control->dict);
86 static void SecAccessControlDestroy(CFTypeRef cf) {
87 SecAccessControlRef access_control = (SecAccessControlRef)cf;
88 CFReleaseSafe(access_control->dict);
91 CFGiblisWithCompareFor(SecAccessControl);
93 static CFMutableDictionaryRef SecAccessControlGetMutableConstraints(SecAccessControlRef access_control) {
94 CFMutableDictionaryRef constraints = (CFMutableDictionaryRef)CFDictionaryGetValue(access_control->dict, kAKSKeyAcl);
97 CFMutableDictionaryRef newConstraints = CFDictionaryCreateMutableForCFTypes(CFGetAllocator(access_control));
98 CFDictionarySetValue(access_control->dict, kAKSKeyAcl, newConstraints);
99 CFRelease(newConstraints);
101 constraints = (CFMutableDictionaryRef)CFDictionaryGetValue(access_control->dict, kAKSKeyAcl);
107 SecAccessControlRef SecAccessControlCreate(CFAllocatorRef allocator, CFErrorRef *error) {
108 SecAccessControlRef access_control = CFTypeAllocate(SecAccessControl, struct __SecAccessControl, allocator);
109 if (!access_control) {
110 SecError(errSecAllocate, error, CFSTR("allocate memory for SecAccessControl"));
114 access_control->dict = CFDictionaryCreateMutableForCFTypes(allocator);
115 return access_control;
118 static CFDataRef _getEmptyData() {
119 static CFMutableDataRef emptyData = NULL;
120 static dispatch_once_t onceToken;
122 dispatch_once(&onceToken, ^{
123 emptyData = CFDataCreateMutable(kCFAllocatorDefault, 0);
129 SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CFTypeRef protection,
130 SecAccessControlCreateFlags flags, CFErrorRef *error) {
131 SecAccessControlRef access_control = NULL;
132 CFTypeRef constraint = NULL;
133 CFMutableArrayRef constraints = NULL;
135 require_quiet(access_control = SecAccessControlCreate(allocator, error), errOut);
137 if (!SecAccessControlSetProtection(access_control, protection, error))
141 bool or = (flags & kSecAccessControlOr) ? true : false;
142 bool and = (flags & kSecAccessControlAnd) ? true : false;
145 SecError(errSecParam, error, CFSTR("only one logical operation can be set"));
149 #pragma clang diagnostic push
150 #pragma clang diagnostic ignored "-Wunguarded-availability-new"
152 SecAccessControlCreateFlags maskedFlags = flags & (kSecAccessControlBiometryAny | kSecAccessControlBiometryCurrentSet);
153 if (maskedFlags && maskedFlags != kSecAccessControlBiometryAny && maskedFlags != kSecAccessControlBiometryCurrentSet) {
154 SecError(errSecParam, error, CFSTR("only one bio constraint can be set"));
158 if (flags & kSecAccessControlUserPresence && flags & ~(kSecAccessControlUserPresence | kSecAccessControlApplicationPassword | kSecAccessControlPrivateKeyUsage)) {
159 SecError(errSecParam, error, CFSTR("kSecAccessControlUserPresence can be combined only with kSecAccessControlApplicationPassword and kSecAccessControlPrivateKeyUsage"));
163 constraints = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks);
165 if (flags & kSecAccessControlUserPresence) {
166 require_quiet(constraint = SecAccessConstraintCreatePolicy(allocator, CFSTR(kACMPolicyDeviceOwnerAuthentication), error), errOut);
167 CFArrayAppendValue(constraints, constraint);
168 CFReleaseNull(constraint);
171 if (flags & kSecAccessControlDevicePasscode) {
172 require_quiet(constraint = SecAccessConstraintCreatePasscode(allocator), errOut);
173 CFArrayAppendValue(constraints, constraint);
174 CFReleaseNull(constraint);
177 if (flags & kSecAccessControlBiometryAny) {
178 require_quiet(constraint = SecAccessConstraintCreateBiometryAny(allocator, _getEmptyData()), errOut);
179 CFArrayAppendValue(constraints, constraint);
180 CFReleaseNull(constraint);
183 if (flags & kSecAccessControlBiometryCurrentSet) {
184 require_quiet(constraint = SecAccessConstraintCreateBiometryCurrentSet(allocator, _getEmptyData(), _getEmptyData()), errOut);
185 CFArrayAppendValue(constraints, constraint);
186 CFReleaseNull(constraint);
190 if (flags & kSecAccessControlWatch) {
191 require_quiet(constraint = SecAccessConstraintCreateWatch(allocator), errOut);
192 CFArrayAppendValue(constraints, constraint);
193 CFReleaseNull(constraint);
197 #pragma clang diagnostic pop
199 if (flags & kSecAccessControlApplicationPassword) {
200 SecAccessControlSetRequirePassword(access_control, true);
203 CFIndex constraints_count = CFArrayGetCount(constraints);
204 if (constraints_count > 1) {
205 require_quiet(constraint = SecAccessConstraintCreateValueOfKofN(allocator, or?1:constraints_count, constraints, error), errOut);
206 if (flags & kSecAccessControlPrivateKeyUsage) {
207 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, constraint, error), errOut);
208 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpComputeKey, constraint, error), errOut);
209 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut);
212 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDecrypt, constraint, error), errOut);
213 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpEncrypt, kCFBooleanTrue, error), errOut);
215 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDelete, kCFBooleanTrue, error), errOut);
216 CFReleaseNull(constraint);
217 } else if (constraints_count == 1) {
218 if (flags & kSecAccessControlPrivateKeyUsage) {
219 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, CFArrayGetValueAtIndex(constraints, 0), error), errOut);
220 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpComputeKey, CFArrayGetValueAtIndex(constraints, 0), error), errOut);
221 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut);
224 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDecrypt, CFArrayGetValueAtIndex(constraints, 0), error), errOut);
225 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpEncrypt, kCFBooleanTrue, error), errOut);
227 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDelete, kCFBooleanTrue, error), errOut);
229 if (flags & kSecAccessControlPrivateKeyUsage) {
230 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, kCFBooleanTrue, error), errOut);
231 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpComputeKey, kCFBooleanTrue, error), errOut);
232 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut);
233 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDelete, kCFBooleanTrue, error), errOut);
236 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDefaultAcl, kCFBooleanTrue, error), errOut);
240 CFReleaseNull(constraints);
243 require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDefaultAcl, kCFBooleanTrue, error), errOut);
246 return access_control;
249 CFReleaseSafe(access_control);
250 CFReleaseSafe(constraints);
251 CFReleaseSafe(constraint);
255 CFTypeRef SecAccessControlGetProtection(SecAccessControlRef access_control) {
256 return CFDictionaryGetValue(access_control->dict, kSecAccessControlKeyProtection);
259 static bool checkItemInArray(CFTypeRef item, const CFTypeRef *values, CFIndex count, CFStringRef errMessage, CFErrorRef *error) {
260 for (CFIndex i = 0; i < count; i++) {
261 if (CFEqualSafe(item, values[i])) {
265 return SecError(errSecParam, error, CFSTR("%@: %@"), errMessage, item);
268 #define CheckItemInArray(item, values, msg) \
270 const CFTypeRef vals[] = values; \
271 if (!checkItemInArray(item, vals, sizeof(vals)/sizeof(*vals), msg, error)) { \
276 #define ItemArray(...) { __VA_ARGS__ }
279 bool SecAccessControlSetProtection(SecAccessControlRef access_control, CFTypeRef protection, CFErrorRef *error) {
280 if (!protection || CFGetTypeID(protection) != CFDictionaryGetTypeID()) {
281 // Verify protection type.
282 CheckItemInArray(protection, ItemArray(kSecAttrAccessibleAlwaysPrivate, kSecAttrAccessibleAfterFirstUnlock,
283 kSecAttrAccessibleWhenUnlocked, kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate,
284 kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
285 kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
286 kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
287 kSecAttrAccessibleUntilReboot),
288 CFSTR("SecAccessControl: invalid protection"));
291 // Protection valid, use it.
292 CFDictionarySetValue(access_control->dict, kSecAccessControlKeyProtection, protection);
296 SecAccessConstraintRef SecAccessConstraintCreatePolicy(CFAllocatorRef allocator, CFTypeRef policy, CFErrorRef *error) {
297 return CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclConstraintPolicy), policy, NULL);
300 SecAccessConstraintRef SecAccessConstraintCreatePasscode(CFAllocatorRef allocator) {
301 return CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclConstraintUserPasscode), kCFBooleanTrue, NULL);
304 SecAccessConstraintRef SecAccessConstraintCreateBiometryAny(CFAllocatorRef allocator, CFDataRef catacombUUID) {
305 CFMutableDictionaryRef bioDict = CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclParamBioCatacombUUID), catacombUUID, NULL);
306 SecAccessConstraintRef constraint = CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclConstraintBio), bioDict, NULL);
307 CFReleaseSafe(bioDict);
311 SecAccessConstraintRef SecAccessConstraintCreateTouchIDAny(CFAllocatorRef allocator, CFDataRef catacombUUID) {
312 return SecAccessConstraintCreateBiometryAny(allocator, catacombUUID);
315 SecAccessConstraintRef SecAccessConstraintCreateBiometryCurrentSet(CFAllocatorRef allocator, CFDataRef catacombUUID, CFDataRef bioDbHash) {
316 CFMutableDictionaryRef bioDict = CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclParamBioCatacombUUID), catacombUUID, NULL);
317 CFDictionarySetValue(bioDict, CFSTR(kACMKeyAclParamBioDatabaseHash), bioDbHash);
318 SecAccessConstraintRef constraint = CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclConstraintBio), bioDict, NULL);
319 CFReleaseSafe(bioDict);
323 SecAccessConstraintRef SecAccessConstraintCreateTouchIDCurrentSet(CFAllocatorRef allocator, CFDataRef catacombUUID, CFDataRef bioDbHash) {
324 return SecAccessConstraintCreateBiometryCurrentSet(allocator, catacombUUID, bioDbHash);
327 SecAccessConstraintRef SecAccessConstraintCreateWatch(CFAllocatorRef allocator) {
328 return CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclConstraintWatch), kCFBooleanTrue, NULL);
331 static SecAccessConstraintRef SecAccessConstraintCreateValueOfKofN(CFAllocatorRef allocator, size_t numRequired, CFArrayRef constraints, CFErrorRef *error) {
332 CFNumberRef k = CFNumberCreateWithCFIndex(allocator, numRequired);
333 CFMutableDictionaryRef kofn = CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclParamKofN), k, NULL);
336 /* Populate kofn dictionary with constraint keys from the array. note that for now we just ignore any additional
337 constraint parameters, but we might err-out if some parameter is found, since we cannot propagate parameteres
338 into k-of-n dictionary. */
339 const CFTypeRef keysToCopy[] = { CFSTR(kACMKeyAclConstraintBio), CFSTR(kACMKeyAclConstraintPolicy),
340 CFSTR(kACMKeyAclConstraintUserPasscode), CFSTR(kACMKeyAclConstraintWatch) };
341 SecAccessConstraintRef constraint;
342 CFArrayForEachC(constraints, constraint) {
343 require_quiet(isDictionary(constraint), errOut);
345 for (CFIndex i = 0; i < (CFIndex)(sizeof(keysToCopy) / sizeof(keysToCopy[0])); i++) {
346 CFTypeRef value = CFDictionaryGetValue(constraint, keysToCopy[i]);
348 CFDictionarySetValue(kofn, keysToCopy[i], value);
353 require_quiet(found, errOut);
359 SecError(errSecParam, error, CFSTR("SecAccessControl: invalid constraint for k-of-n"));
364 SecAccessConstraintRef SecAccessConstraintCreateKofN(CFAllocatorRef allocator, size_t numRequired, CFArrayRef constraints, CFErrorRef *error) {
365 SecAccessConstraintRef valueOfKofN = SecAccessConstraintCreateValueOfKofN(allocator, numRequired, constraints, error);
366 require_quiet(valueOfKofN, errOut);
368 SecAccessConstraintRef constraint = CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclConstraintKofN), valueOfKofN, NULL);
369 CFReleaseSafe(valueOfKofN);
376 bool SecAccessControlAddConstraintForOperation(SecAccessControlRef access_control, CFTypeRef operation, CFTypeRef constraint, CFErrorRef *error) {
377 if (!isDictionary(constraint) && !CFEqual(constraint, kCFBooleanTrue) && !CFEqual(constraint, kCFBooleanFalse) ) {
378 return SecError(errSecParam, error, CFSTR("invalid constraint"));
381 CFMutableDictionaryRef constraints = SecAccessControlGetMutableConstraints(access_control);
382 CFDictionarySetValue(constraints, operation, constraint);
386 SecAccessConstraintRef SecAccessControlGetConstraint(SecAccessControlRef access_control, CFTypeRef operation) {
387 CFMutableDictionaryRef ops = (CFMutableDictionaryRef)CFDictionaryGetValue(access_control->dict, kAKSKeyAcl);
388 if (!ops || CFDictionaryGetCount(ops) == 0)
389 // No ACL is present, this means that everything is allowed.
390 return kCFBooleanTrue;
392 SecAccessConstraintRef constraint = CFDictionaryGetValue(ops, operation);
394 constraint = CFDictionaryGetValue(ops, kAKSKeyOpDefaultAcl);
399 CFDataRef SecAccessControlCopyConstraintData(SecAccessControlRef access_control, CFTypeRef operation) {
400 SecAccessConstraintRef constraint = SecAccessControlGetConstraint(access_control, operation);
402 size_t len = der_sizeof_plist(constraint, NULL);
403 CFMutableDataRef encoded = CFDataCreateMutable(0, len);
404 CFDataSetLength(encoded, len);
405 uint8_t *der_end = CFDataGetMutableBytePtr(encoded);
406 const uint8_t *der = der_end;
408 der_end = der_encode_plist(constraint, NULL, der, der_end);
410 CFReleaseNull(encoded);
415 CFDictionaryRef SecAccessControlGetConstraints(SecAccessControlRef access_control) {
416 return CFDictionaryGetValue(access_control->dict, kAKSKeyAcl);
419 void SecAccessControlSetConstraints(SecAccessControlRef access_control, CFDictionaryRef constraints) {
420 CFMutableDictionaryRef mutableConstraints = CFDictionaryCreateMutableCopy(CFGetAllocator(access_control), 0, constraints);
421 CFDictionarySetValue(access_control->dict, kAKSKeyAcl, mutableConstraints);
422 CFReleaseSafe(mutableConstraints);
425 void SecAccessControlSetRequirePassword(SecAccessControlRef access_control, bool require) {
426 CFMutableDictionaryRef constraints = SecAccessControlGetMutableConstraints(access_control);
427 CFDictionarySetValue(constraints, kAKSKeyAclParamRequirePasscode, require?kCFBooleanTrue:kCFBooleanFalse);
430 bool SecAccessControlGetRequirePassword(SecAccessControlRef access_control) {
431 CFMutableDictionaryRef acl = (CFMutableDictionaryRef)CFDictionaryGetValue(access_control->dict, kAKSKeyAcl);
433 return CFEqualSafe(CFDictionaryGetValue(acl, kAKSKeyAclParamRequirePasscode), kCFBooleanTrue);
439 void SecAccessControlSetBound(SecAccessControlRef access_control, bool bound) {
440 CFDictionarySetValue(access_control->dict, kSecAccessControlKeyBound, bound ? kCFBooleanTrue : kCFBooleanFalse);
443 bool SecAccessControlIsBound(SecAccessControlRef access_control) {
444 CFTypeRef bound = CFDictionaryGetValue(access_control->dict, kSecAccessControlKeyBound);
445 return bound != NULL && CFEqualSafe(bound, kCFBooleanTrue);
448 CFDataRef SecAccessControlCopyData(SecAccessControlRef access_control) {
449 size_t len = der_sizeof_plist(access_control->dict, NULL);
450 CFMutableDataRef encoded = CFDataCreateMutable(0, len);
451 CFDataSetLength(encoded, len);
452 uint8_t *der_end = CFDataGetMutableBytePtr(encoded);
453 const uint8_t *der = der_end;
455 der_end = der_encode_plist(access_control->dict, NULL, der, der_end);
457 CFReleaseNull(encoded);
462 SecAccessControlRef SecAccessControlCreateFromData(CFAllocatorRef allocator, CFDataRef data, CFErrorRef *error) {
463 SecAccessControlRef access_control;
464 require_quiet(access_control = SecAccessControlCreate(allocator, error), errOut);
466 CFPropertyListRef plist;
467 const uint8_t *der = CFDataGetBytePtr(data);
468 const uint8_t *der_end = der + CFDataGetLength(data);
469 require_quiet(der = der_decode_plist(0, kCFPropertyListMutableContainers, &plist, error, der, der_end), errOut);
470 if (der != der_end) {
471 SecError(errSecDecode, error, CFSTR("trailing garbage at end of SecAccessControl data"));
475 CFReleaseSafe(access_control->dict);
476 access_control->dict = (CFMutableDictionaryRef)plist;
477 return access_control;
480 CFReleaseSafe(access_control);