]> git.saurik.com Git - apple/security.git/blob - OSX/sec/ipc/securityd_client.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-59306.11.20.tar.gz
[apple/security.git] / OSX / sec / ipc / securityd_client.h
1 /*
2 * Copyright (c) 2007-2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 #ifndef _SECURITYD_CLIENT_H_
24 #define _SECURITYD_CLIENT_H_
25
26 #include <stdint.h>
27
28 #include "securityd/SecKeybagSupport.h"
29
30 #include <Security/SecTrust.h>
31 #include <Security/SecTask.h>
32 #ifndef MINIMIZE_INCLUDES
33
34 #pragma clang diagnostic push
35 #pragma clang diagnostic ignored "-Wfour-char-constants"
36 # include "OSX/sec/Security/SecTrustStore.h"
37 #pragma clang diagnostic pop
38
39 #else
40 typedef struct __SecTrustStore *SecTrustStoreRef;
41 //# ifndef _SECURITY_SECCERTIFICATE_H_
42 //typedef struct __SecCertificate *SecCertificateRef;
43 //# endif // _SECURITY_SECCERTIFICATE_H_
44 #endif // MINIMIZE_INCLUDES
45
46 #include "OSX/utilities/SecAKSWrappers.h"
47
48 #include <CoreFoundation/CFArray.h>
49 #include <CoreFoundation/CFDictionary.h>
50 #include <CoreFoundation/CFError.h>
51
52 #include "keychain/SecureObjectSync/SOSCloudCircle.h"
53 #include "keychain/SecureObjectSync/SOSPeerInfo.h"
54 #include "keychain/SecureObjectSync/SOSRing.h"
55
56 #include <xpc/xpc.h>
57 #include <CoreFoundation/CFXPCBridge.h>
58
59 #include <TargetConditionals.h>
60
61 #if TARGET_OS_OSX
62 #define kSecuritydXPCServiceName "com.apple.securityd.xpc"
63 #define kSecuritydSystemXPCServiceName "com.apple.securityd.system.xpc"
64 #define kTrustdAgentXPCServiceName "com.apple.trustd.agent"
65 #define kTrustdXPCServiceName "com.apple.trustd"
66 #else
67 #define kSecuritydXPCServiceName "com.apple.securityd"
68 #define kTrustdAgentXPCServiceName "com.apple.trustd"
69 #define kTrustdXPCServiceName "com.apple.trustd"
70 #endif // *** END TARGET_OS_OSX ***
71
72 #define kSecuritydGeneralServiceName "com.apple.securityd.general"
73 #define kSecuritydSOSServiceName "com.apple.securityd.sos"
74
75 //
76 // MARK: XPC Information.
77 //
78
79 #if TARGET_OS_IPHONE
80 extern CFStringRef sSecXPCErrorDomain;
81 #endif
82
83 extern const char *kSecXPCKeyOperation;
84 extern const char *kSecXPCKeyResult;
85 extern const char *kSecXPCKeyEndpoint;
86 extern const char *kSecXPCKeyError;
87 extern const char *kSecXPCKeyPeerInfoArray;
88 extern const char *kSecXPCKeyUserLabel;
89 extern const char *kSecXPCKeyBackup;
90 extern const char *kSecXPCKeyKeybag;
91 extern const char *kSecXPCKeyUserPassword;
92 extern const char *kSecXPCKeyEMCSBackup;
93 extern const char *kSecXPCKeyDSID;
94 extern const char *kSecXPCKeyViewName;
95 extern const char *kSecXPCKeyViewActionCode;
96 extern const char *kSecXPCKeyNewPublicBackupKey;
97 extern const char *kSecXPCKeyRecoveryPublicKey;
98 extern const char *kSecXPCKeyIncludeV0;
99 extern const char *kSecXPCKeyEnabledViewsKey;
100 extern const char *kSecXPCKeyDisabledViewsKey;
101 extern const char *kSecXPCKeyEscrowLabel;
102 extern const char *kSecXPCKeyTriesLabel;
103 extern const char *kSecXPCKeyFileDescriptor;
104 extern const char *kSecXPCKeyAccessGroups;
105 extern const char *kSecXPCKeyClasses;
106 extern const char *kSecXPCKeyNormalizedIssuer;
107 extern const char *kSecXPCKeySerialNumber;
108 extern const char *kSecXPCKeyBackupKeybagIdentifier;
109 extern const char *kSecXPCKeyBackupKeybagPath;
110
111 //
112 // MARK: Dispatch macros
113 //
114
115 #define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
116 #define TRUSTD_XPC(sdp, wrapper, ...) ((gTrustd && gTrustd->sdp) ? gTrustd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
117
118 #define TRUSTD_XPC_ASYNC(sdp, wrapper, q, h, ...) do { \
119 if (gTrustd != NULL && gTrustd->sdp != NULL) { \
120 dispatch_async(q, ^{ \
121 CFErrorRef _error = NULL; \
122 SecTrustResultType _tr = gTrustd->sdp(__VA_ARGS__, &_error); \
123 h(_tr, _error); \
124 }); \
125 } else { \
126 wrapper(q, h, sdp ## _id, __VA_ARGS__); \
127 } \
128 } while (0)
129
130 //
131 // MARK: Object to XPC format conversion.
132 //
133
134
135 //
136 // MARK: XPC Interfaces
137 //
138
139 extern const char *kSecXPCKeyPeerInfo;
140 extern const char *kSecXPCLimitInMinutes;
141 extern const char *kSecXPCKeyQuery;
142 extern const char *kSecXPCKeyAttributesToUpdate;
143 extern const char *kSecXPCKeyDomain;
144 extern const char *kSecXPCKeyDigest;
145 extern const char *kSecXPCKeyCertificate;
146 extern const char *kSecXPCKeySettings;
147 extern const char *kSecXPCPublicPeerId; // Public peer id
148 extern const char *kSecXPCOTRSession; // OTR session bytes
149 extern const char *kSecXPCData; // Data to process
150 extern const char *kSecXPCOTRReady; // OTR ready for messages
151 extern const char *kSecXPCKeyViewName;
152 extern const char *kSecXPCKeyViewActionCode;
153 extern const char *kSecXPCKeyHSA2AutoAcceptInfo;
154 extern const char *kSecXPCKeyString;
155 extern const char *kSecXPCKeyArray;
156 extern const char *kSecXPCKeySet;
157 extern const char *kSecXPCKeySet2;
158 extern const char *kSecXPCVersion;
159 extern const char *kSecXPCKeySignInAnalytics;
160 extern const char *kSecXPCKeyReason;
161
162 //
163 // MARK: Mach port request IDs
164 //
165 enum SecXPCOperation {
166 sec_item_add_id = 0,
167 sec_item_copy_matching_id = 1,
168 sec_item_update_id = 2,
169 sec_item_delete_id = 3,
170 // trust_store_for_domain -- NOT an ipc
171 sec_trust_store_contains_id = 4,
172 sec_trust_store_set_trust_settings_id = 5,
173 sec_trust_store_remove_certificate_id = 6,
174 // remove_all -- NOT an ipc
175 sec_delete_all_id = 7,
176 sec_trust_evaluate_id = 8,
177 // Any new items MUST be added below here
178 // This allows updating roots on a device, since SecTrustEvaluate must continue to work
179 sec_keychain_backup_id,
180 sec_keychain_restore_id,
181 sec_keychain_backup_syncable_id,
182 sec_keychain_restore_syncable_id,
183 sec_item_backup_copy_names_id,
184 sec_item_backup_handoff_fd_id,
185 sec_item_backup_set_confirmed_manifest_id,
186 sec_item_backup_restore_id,
187 sec_keychain_sync_update_message_id,
188 sec_ota_pki_trust_store_version_id,
189 sec_ota_pki_asset_version_id,
190 sec_otr_session_create_remote_id,
191 sec_otr_session_process_packet_remote_id,
192 kSecXPCOpOTAPKIGetNewAsset,
193 kSecXPCOpOTAGetEscrowCertificates,
194 kSecXPCOpOTAPKICopyTrustedCTLogs,
195 kSecXPCOpOTAPKICopyCTLogForKeyID,
196 kSecXPCOpProcessUnlockNotification,
197 kSecXPCOpProcessSyncWithAllPeers,
198 kSecXPCOpRollKeys,
199 sec_add_shared_web_credential_id,
200 sec_copy_shared_web_credential_id,
201 sec_get_log_settings_id,
202 sec_set_xpc_log_settings_id,
203 sec_set_circle_log_settings_id,
204 soscc_EnsurePeerRegistration_id,
205 kSecXPCOpRequestEnsureFreshParameters,
206 kSecXPCOpGetAllTheRings,
207 kSecXPCOpApplyToARing,
208 kSecXPCOpWithdrawlFromARing,
209 kSecXPCOpEnableRing,
210 kSecXPCOpRingStatus,
211 kSecXPCOpRequestDeviceID,
212 kSecXPCOpSetDeviceID,
213 kSecXPCOpHandleIDSMessage,
214 kSecXPCOpSyncWithKVSPeer,
215 kSecXPCOpSyncWithIDSPeer,
216 kSecXPCOpSendIDSMessage,
217 kSecXPCOpPingTest,
218 kSecXPCOpIDSDeviceID,
219 kSecXPCOpSyncWithKVSPeerIDOnly,
220 // any process using an operation below here is required to have entitlement keychain-cloud-circle
221 kSecXPCOpTryUserCredentials,
222 kSecXPCOpSetUserCredentials,
223 kSecXPCOpSetUserCredentialsAndDSID,
224 kSecXPCOpSetUserCredentialsAndDSIDWithAnalytics,
225 kSecXPCOpCanAuthenticate,
226 kSecXPCOpPurgeUserCredentials,
227 kSecXPCOpDeviceInCircle,
228 kSecXPCOpRequestToJoin,
229 kSecXPCOpRequestToJoinWithAnalytics,
230 kSecXPCOpRequestToJoinAfterRestore,
231 kSecXPCOpRequestToJoinAfterRestoreWithAnalytics,
232 kSecXPCOpResetToOffering,
233 kSecXPCOpResetToEmpty,
234 kSecXPCOpResetToEmptyWithAnalytics,
235 kSecXPCOpView,
236 kSecXPCOpViewSet,
237 kSecXPCOpViewSetWithAnalytics,
238 kSecXPCOpRemoveThisDeviceFromCircle,
239 kSecXPCOpRemoveThisDeviceFromCircleWithAnalytics,
240 kSecXPCOpRemovePeersFromCircle,
241 kSecXPCOpRemovePeersFromCircleWithAnalytics,
242 kSecXPCOpLoggedOutOfAccount,
243 kSecXPCOpBailFromCircle,
244 kSecXPCOpAcceptApplicants,
245 kSecXPCOpRejectApplicants,
246 kSecXPCOpCopyApplicantPeerInfo,
247 kSecXPCOpCopyValidPeerPeerInfo,
248 kSecXPCOpValidateUserPublic,
249 kSecXPCOpCopyNotValidPeerPeerInfo,
250 kSecXPCOpCopyPeerPeerInfo,
251 kSecXPCOpCopyConcurringPeerPeerInfo,
252 kSecXPCOpCopyGenerationPeerInfo,
253 kSecXPCOpGetLastDepartureReason,
254 kSecXPCOpSetLastDepartureReason,
255 kSecXPCOpCopyIncompatibilityInfo,
256 kSecXPCOpCopyRetirementPeerInfo,
257 kSecXPCOpCopyViewUnawarePeerInfo,
258 kSecXPCOpCopyEngineState,
259 kSecXPCOpCopyMyPeerInfo,
260 kSecXPCOpAccountSetToNew,
261 kSecXPCOpSetNewPublicBackupKey,
262 kSecXPCOpSetBagForAllSlices,
263 kSecXPCOpWaitForInitialSync,
264 kSecXPCOpWaitForInitialSyncWithAnalytics,
265 kSecXPCOpCopyYetToSyncViews,
266 kSecXPCOpSetEscrowRecord,
267 kSecXPCOpGetEscrowRecord,
268 kSecXPCOpCheckPeerAvailability,
269 kSecXPCOpCopyAccountData,
270 kSecXPCOpDeleteAccountData,
271 kSecXPCOpCopyEngineData,
272 kSecXPCOpDeleteEngineData,
273 kSecXPCOpCopyApplication,
274 kSecXPCOpCopyCircleJoiningBlob,
275 kSecXPCOpJoinWithCircleJoiningBlob,
276 kSecXPCOpKVSKeyCleanup,
277 kSecXPCOpPopulateKVS,
278 kSecXPCOpAccountHasPublicKey,
279 kSecXPCOpAccountIsNew,
280 kSecXPCOpClearKVSPeerMessage,
281 kSecXPCOpRegisterRecoveryPublicKey,
282 kSecXPCOpGetRecoveryPublicKey,
283 kSecXPCOpCopyBackupInformation,
284 kSecXPCOpCopyInitialSyncBlob,
285 /* after this is free for all */
286 kSecXPCOpWhoAmI,
287 kSecXPCOpTransmogrifyToSyncBubble,
288 kSecXPCOpTransmogrifyToSystemKeychain,
289 kSecXPCOpWrapToBackupSliceKeyBagForView,
290 sec_item_update_token_items_id,
291 kSecXPCOpDeleteUserView,
292 sec_trust_store_copy_all_id,
293 sec_trust_store_copy_usage_constraints_id,
294 sec_ocsp_cache_flush_id,
295 sec_delete_items_with_access_groups_id,
296 kSecXPCOpIsThisDeviceLastBackup,
297 sec_keychain_backup_keybag_uuid_id,
298 kSecXPCOpPeersHaveViewsEnabled,
299 kSecXPCOpProcessSyncWithPeers,
300 kSecXPCOpMessageFromPeerIsPending,
301 kSecXPCOpSendToPeerIsPending,
302 sec_item_copy_parent_certificates_id,
303 sec_item_certificate_exists_id,
304 kSecXPCOpBackupKeybagAdd,
305 kSecXPCOpBackupKeybagDelete,
306 kSecXPCOpSFKeychainEndpoint,
307 kSecXPCOpKeychainControlEndpoint,
308 kSecXPCOpNetworkingAnalyticsReport,
309 kSecXPCOpSetCTExceptions,
310 kSecXPCOpCopyCTExceptions,
311 kSecXPCOpOTASecExperimentGetAsset,
312 kSecXPCOpOTASecExperimentGetNewAsset,
313 sec_trust_get_exception_reset_count_id,
314 sec_trust_increment_exception_reset_count_id,
315 };
316
317
318 typedef struct SecurityClient {
319 SecTaskRef task;
320 CFArrayRef accessGroups;
321 bool allowSystemKeychain;
322 bool allowSyncBubbleKeychain;
323 bool isNetworkExtension;
324 bool canAccessNetworkExtensionAccessGroups;
325 uid_t uid;
326 CFDataRef musr;
327 #if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) && TARGET_HAS_KEYSTORE
328 keybag_handle_t keybag;
329 #endif
330 #if TARGET_OS_IPHONE
331 bool inMultiUser;
332 int activeUser;
333 #endif
334 } SecurityClient;
335
336
337 extern SecurityClient * SecSecurityClientGet(void);
338 #if TARGET_OS_IOS
339 void SecSecuritySetMusrMode(bool mode, uid_t uid, int activeUser);
340 void SecSecuritySetPersonaMusr(CFStringRef uuid);
341 #endif
342
343 struct securityd {
344 /* LOCAL KEYCHAIN */
345 bool (*sec_item_add)(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
346 bool (*sec_item_copy_matching)(CFDictionaryRef query, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
347 bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, SecurityClient *client, CFErrorRef* error);
348 bool (*sec_item_delete)(CFDictionaryRef query, SecurityClient *client, CFErrorRef* error);
349 bool (*sec_item_delete_all)(CFErrorRef* error);
350 CFArrayRef (*sec_item_copy_parent_certificates)(CFDataRef normalizedIssuer, CFArrayRef accessGroups, CFErrorRef *error);
351 bool (*sec_item_certificate_exists)(CFDataRef normalizedIssuer, CFDataRef serialNumber, CFArrayRef accessGroups, CFErrorRef *error);
352 CFDataRef (*sec_keychain_backup)(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, bool emcs, CFErrorRef* error);
353 bool (*sec_keychain_restore)(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
354 bool (*sec_roll_keys)(bool force, CFErrorRef* error);
355 bool (*sec_item_update_token_items)(CFStringRef tokenID, CFArrayRef query, SecurityClient *client, CFErrorRef* error);
356 bool (*sec_delete_items_with_access_groups)(CFArrayRef bundleIDs, SecurityClient *client, CFErrorRef *error);
357 /* SHAREDWEBCREDENTIALS */
358 bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
359 bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
360 /* SECUREOBJECTSYNC */
361 CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
362 bool (*sec_keychain_restore_syncable)(CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
363 CFArrayRef (*sec_item_backup_copy_names)(CFErrorRef *error);
364 int (*sec_item_backup_handoff_fd)(CFStringRef backupName, CFErrorRef *error);
365 bool (*sec_item_backup_set_confirmed_manifest)(CFStringRef backupName, CFDataRef keybagDigest, CFDataRef manifest, CFErrorRef *error);
366 bool (*sec_item_backup_restore)(CFStringRef backupName, CFStringRef peerID, CFDataRef keybag, CFDataRef secret, CFDataRef backup, CFErrorRef *error);
367 CFDataRef (*sec_otr_session_create_remote)(CFDataRef publicPeerId, CFErrorRef* error);
368 bool (*sec_otr_session_process_packet_remote)(CFDataRef sessionData, CFDataRef inputPacket, CFDataRef* outputSessionData, CFDataRef* outputPacket, bool *readyForMessages, CFErrorRef* error);
369 bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
370 bool (*soscc_SetUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
371 bool (*soscc_SetUserCredentialsAndDSID)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
372 bool (*soscc_SetUserCredentialsAndDSIDWithAnalytics)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFDataRef parentEvent, CFErrorRef *error);
373 bool (*soscc_CanAuthenticate)(CFErrorRef *error);
374 bool (*soscc_PurgeUserCredentials)(CFErrorRef *error);
375 SOSCCStatus (*soscc_ThisDeviceIsInCircle)(CFErrorRef* error);
376 bool (*soscc_RequestToJoinCircle)(CFErrorRef* error);
377 bool (*soscc_RequestToJoinCircleWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
378 bool (*soscc_RequestToJoinCircleAfterRestore)(CFErrorRef* error);
379 bool (*soscc_RequestToJoinCircleAfterRestoreWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
380 bool (*soscc_RequestEnsureFreshParameters)(CFErrorRef* error);
381 CFStringRef (*soscc_GetAllTheRings)(CFErrorRef *error);
382 bool (*soscc_ApplyToARing)(CFStringRef ringName, CFErrorRef* error);
383 bool (*soscc_WithdrawlFromARing)(CFStringRef ringName, CFErrorRef* error);
384 bool (*soscc_EnableRing)(CFStringRef ringName, CFErrorRef* error);
385 SOSRingStatus (*soscc_RingStatus)(CFStringRef ringName, CFErrorRef* error);
386 bool (*soscc_SetToNew)(CFErrorRef *error);
387 bool (*soscc_ResetToOffering)(CFErrorRef* error);
388 bool (*soscc_ResetToEmpty)(CFErrorRef* error);
389 bool (*soscc_ResetToEmptyWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
390 SOSViewResultCode (*soscc_View)(CFStringRef view, SOSViewActionCode action, CFErrorRef *error);
391 bool (*soscc_ViewSet)(CFSetRef enabledViews, CFSetRef disabledViews);
392 bool (*soscc_ViewSetWithAnalytics)(CFSetRef enabledViews, CFSetRef disabledViews, CFDataRef parentEvent);
393 bool (*soscc_RegisterSingleRecoverySecret)(CFDataRef backupSlice, bool forV0Only, CFErrorRef *error);
394 bool (*soscc_RegisterRecoveryPublicKey)(CFDataRef recovery_key, CFErrorRef *error);
395 CFDataRef (*soscc_CopyRecoveryPublicKey)(CFErrorRef *error);
396 bool (*soscc_RemoveThisDeviceFromCircle)(CFErrorRef* error);
397 bool (*soscc_RemoveThisDeviceFromCircleWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
398 bool (*soscc_RemovePeersFromCircle)(CFArrayRef peers, CFErrorRef* error);
399 bool (*soscc_RemovePeersFromCircleWithAnalytics)(CFArrayRef peers, CFDataRef parentEvent, CFErrorRef* error);
400 bool (*soscc_LoggedOutOfAccount)(CFErrorRef* error);
401 bool (*soscc_BailFromCircle)(uint64_t limit_in_seconds, CFErrorRef* error);
402 bool (*soscc_AcceptApplicants)(CFArrayRef applicants, CFErrorRef* error);
403 bool (*soscc_RejectApplicants)(CFArrayRef applicants, CFErrorRef* error);
404 SOSPeerInfoRef (*soscc_SetNewPublicBackupKey)(CFDataRef pubKey, CFErrorRef *error);
405 bool (*soscc_ValidateUserPublic)(CFErrorRef* error);
406 CFArrayRef (*soscc_CopyGenerationPeerInfo)(CFErrorRef* error);
407 CFArrayRef (*soscc_CopyApplicantPeerInfo)(CFErrorRef* error);
408 CFArrayRef (*soscc_CopyValidPeerPeerInfo)(CFErrorRef* error);
409 CFArrayRef (*soscc_CopyNotValidPeerPeerInfo)(CFErrorRef* error);
410 CFArrayRef (*soscc_CopyRetirementPeerInfo)(CFErrorRef* error);
411 CFArrayRef (*soscc_CopyViewUnawarePeerInfo)(CFErrorRef* error);
412 CFArrayRef (*soscc_CopyEngineState)(CFErrorRef* error);
413 // Not sure why these are below the last entry in the enum order above, but they are:
414 CFArrayRef (*soscc_CopyPeerInfo)(CFErrorRef* error);
415 CFArrayRef (*soscc_CopyConcurringPeerInfo)(CFErrorRef* error);
416 CFStringRef (*soscc_CopyIncompatibilityInfo)(CFErrorRef* error);
417 enum DepartureReason (*soscc_GetLastDepartureReason)(CFErrorRef* error);
418 bool (*soscc_SetLastDepartureReason)(enum DepartureReason, CFErrorRef* error);
419 CFSetRef (*soscc_ProcessSyncWithPeers)(CFSetRef peerIDs, CFSetRef backupPeerIDs, CFErrorRef* error);
420 SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers)(CFErrorRef* error);
421 bool (*soscc_EnsurePeerRegistration)(CFErrorRef* error);
422 CFArrayRef (*sec_keychain_sync_update_message)(CFDictionaryRef update, CFErrorRef *error);
423 CFPropertyListRef (*sec_get_log_settings)(CFErrorRef* error);
424 bool (*sec_set_xpc_log_settings)(CFTypeRef type, CFErrorRef* error);
425 bool (*sec_set_circle_log_settings)(CFTypeRef type, CFErrorRef* error);
426 SOSPeerInfoRef (*soscc_CopyMyPeerInfo)(CFErrorRef*);
427 bool (*soscc_WaitForInitialSync)(CFErrorRef*);
428 bool (*soscc_WaitForInitialSyncWithAnalytics)(CFDataRef parentEvent, CFErrorRef *error);
429 CFArrayRef (*soscc_CopyYetToSyncViewsList)(CFErrorRef*);
430 bool (*soscc_SetEscrowRecords)(CFStringRef escrow_label, uint64_t tries, CFErrorRef *error);
431 CFDictionaryRef (*soscc_CopyEscrowRecords)(CFErrorRef *error);
432 CFDictionaryRef (*soscc_CopyBackupInformation)(CFErrorRef *error);
433 bool (*soscc_PeerAvailability)(CFErrorRef *error);
434 bool (*sosbskb_WrapToBackupSliceKeyBagForView)(CFStringRef viewName, CFDataRef input, CFDataRef* output, CFDataRef* bskbEncoded, CFErrorRef* error);
435 CFDataRef (*soscc_CopyAccountState)(CFErrorRef *error);
436 bool (*soscc_DeleteAccountState)(CFErrorRef *error);
437 CFDataRef (*soscc_CopyEngineData)(CFErrorRef *error);
438 bool (*soscc_DeleteEngineState)(CFErrorRef *error);
439 SOSPeerInfoRef (*soscc_CopyApplicant)(CFErrorRef *error);
440 CFDataRef (*soscc_CopyCircleJoiningBlob)(SOSPeerInfoRef applicant, CFErrorRef *error);
441 CFDataRef (*soscc_CopyInitialSyncData)(CFErrorRef *error);
442 bool (*soscc_JoinWithCircleJoiningBlob)(CFDataRef joiningBlob, PiggyBackProtocolVersion version, CFErrorRef *error);
443 bool (*soscc_SOSCCCleanupKVSKeys)(CFErrorRef *error);
444 bool (*soscc_SOSCCTestPopulateKVSWithBadKeys)(CFErrorRef *error);
445 bool (*soscc_AccountHasPublicKey)(CFErrorRef *error);
446 bool (*soscc_AccountIsNew)(CFErrorRef *error);
447 bool (*soscc_IsThisDeviceLastBackup)(CFErrorRef *error);
448 bool (*soscc_requestSyncWithPeerOverKVS)(CFStringRef peerID, CFDataRef message, CFErrorRef *error);
449 CFBooleanRef (*soscc_SOSCCPeersHaveViewsEnabled)(CFArrayRef views, CFErrorRef *error);
450 bool (*socc_clearPeerMessageKeyInKVS)(CFStringRef peerID, CFErrorRef *error);
451 bool (*soscc_SOSCCMessageFromPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
452 bool (*soscc_SOSCCSendToPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
453 CFTypeRef (*soscc_status)(void);
454 /* otherstuff */
455 CFTypeRef secd_xpc_server;
456 };
457
458 extern struct securityd *gSecurityd;
459
460 struct trustd {
461 SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error);
462 bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error);
463 bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error);
464 bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error);
465 bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error);
466 SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error);
467 uint64_t (*sec_ota_pki_trust_store_version)(CFErrorRef* error);
468 uint64_t (*sec_ota_pki_asset_version)(CFErrorRef* error);
469 CFArrayRef (*ota_CopyEscrowCertificates)(uint32_t escrowRootType, CFErrorRef* error);
470 uint64_t (*sec_ota_pki_get_new_asset)(CFErrorRef* error);
471 uint64_t (*sec_ota_secexperiment_get_new_asset)(CFErrorRef* error);
472 CFDictionaryRef (*sec_ota_secexperiment_get_asset)(CFErrorRef* error);
473 CFDictionaryRef (*sec_ota_pki_copy_trusted_ct_logs)(CFErrorRef *error);
474 CFDictionaryRef (*sec_ota_pki_copy_ct_log_for_keyid)(CFDataRef keyID, CFErrorRef *error);
475 bool (*sec_trust_store_copy_all)(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error);
476 bool (*sec_trust_store_copy_usage_constraints)(SecTrustStoreRef ts, CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error);
477 bool (*sec_ocsp_cache_flush)(CFErrorRef *error);
478 bool (*sec_networking_analytics_report)(CFStringRef event_name, xpc_object_t tls_analytics_attributes, CFErrorRef *error);
479 bool (*sec_trust_store_set_ct_exceptions)(CFStringRef appID, CFDictionaryRef exceptions, CFErrorRef *error);
480 CFDictionaryRef (*sec_trust_store_copy_ct_exceptions)(CFStringRef appID, CFErrorRef *error);
481 #if TARGET_OS_IPHONE
482 bool (*sec_trust_increment_exception_reset_count)(CFErrorRef *error);
483 uint64_t (*sec_trust_get_exception_reset_count)(CFErrorRef *error);
484 #endif
485 };
486
487 extern struct trustd *gTrustd;
488
489 CFArrayRef SecAccessGroupsGetCurrent(void);
490
491 // TODO Rename me
492 CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op);
493 XPC_RETURNS_RETAINED xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error);
494 typedef void (^securityd_handler_t)(xpc_object_t reply, CFErrorRef error);
495 void securityd_message_with_reply_async(xpc_object_t message, dispatch_queue_t replyq,
496 securityd_handler_t handler);
497 XPC_RETURNS_RETAINED xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error);
498 bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error);
499
500
501 bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error,
502 bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
503 bool (^handle_response)(xpc_object_t response, CFErrorRef* error));
504
505 void securityd_send_async_and_do(enum SecXPCOperation op, dispatch_queue_t replyq,
506 bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
507 securityd_handler_t handler);
508
509 // For testing only, never call this in a threaded program!
510 void SecServerSetTrustdMachServiceName(const char *name);
511
512 XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyEndpoint(enum SecXPCOperation op, CFErrorRef *error);
513
514 #if __OBJC__
515 #import <Foundation/Foundation.h>
516 #import <Foundation/NSXPCConnection.h>
517 typedef void (^SecBoolNSErrorCallback) (bool, NSError*);
518
519 @protocol SecuritydXPCCallbackProtocol <NSObject>
520 - (void)callCallback: (bool) result error:(NSError*) error;
521 @end
522
523 @protocol SecuritydXPCProtocol <NSObject>
524 - (void) SecItemAddAndNotifyOnSync:(NSDictionary*) attributes
525 syncCallback:(id<SecuritydXPCCallbackProtocol>) callback
526 complete:(void (^) (NSDictionary* opDictResult, NSArray* opArrayResult, NSError* operror)) complete;
527
528 // For the given item (specified exactly by its hash (currently SHA1)), attempt to set the CloudKit 'current' pointer
529 // to point to the given item.
530 // This can fail if:
531 // 1. your knowledge of the old current item is out of date
532 // 2. either the new item or old item has changed (checked by hash)
533 // 3. If this device can't talk with CloudKit for any reason
534 - (void)secItemSetCurrentItemAcrossAllDevices:(NSData*)newItemPersistentRef
535 newCurrentItemHash:(NSData*)newItemSHA1
536 accessGroup:(NSString*)accessGroup
537 identifier:(NSString*)identifier
538 viewHint:(NSString*)viewHint
539 oldCurrentItemReference:(NSData*)oldCurrentItemPersistentRef
540 oldCurrentItemHash:(NSData*)oldItemSHA1
541 complete:(void (^) (NSError* operror)) complete;
542
543 // For the given access group and identifier, check the current local idea of the 'current' item
544 -(void)secItemFetchCurrentItemAcrossAllDevices:(NSString*)accessGroup
545 identifier:(NSString*)identifier
546 viewHint:(NSString*)viewHint
547 fetchCloudValue:(bool)fetchCloudValue
548 complete:(void (^) (NSData* persistentref, NSError* operror)) complete;
549
550
551 // For each item in the keychainClass, return a persistant reference and the digest of the value
552 // The digest is not stable, and can change any time, the only promise is that if the digest
553 // value didn't change, the item didn't change. If digest change, the value MIGHT have changed,/
554 // but it could also just have stayed the same.
555 // The this interface bypass SEP/AKS and for that reason is a higher performance then SecItemCopyMatching().
556 - (void) secItemDigest:(NSString *)keychainClass
557 accessGroup:(NSString *)accessGroup
558 complete:(void (^)(NSArray<NSDictionary *> *digest, NSError* error))complete;
559
560 // Delete the multi-user slice of persona uuid
561 //
562 // Should be done just before account volume is unmounted, will delete all this user's data unconditionally
563 // There is nothing stopping futher storage though.
564 - (void) secKeychainDeleteMultiuser:(NSData *)uuid
565 complete:(void (^)(bool status, NSError* error))complete;
566
567 // Go through the keychain to verify the backup infrastructure is present and valid.
568 // The completion handler's dictionary will contain a string with statistics about the class, error will be nil or
569 // complain about what went wrong during verification.
570 // Lightweight mode only checks consistency of the backup infrastructure without verifying all keychain items
571 - (void)secItemVerifyBackupIntegrity:(BOOL)lightweight
572 completion:(void (^)(NSDictionary<NSString*, NSString*>* resultsPerKeyclass, NSError* error))completion;
573
574 @end
575
576 // Call this to receive a proxy object conforming to SecuritydXPCProtocol that you can call methods on.
577 // It's probably a remote object for securityd/secd, but it might be in-process if you've configured it that way.
578 id<SecuritydXPCProtocol> SecuritydXPCProxyObject(void (^rpcErrorHandler)(NSError *));
579
580 // Set up a local securityxpcserver: after this call, all securitydxpc calls will be handled in-process instead of actually transferring to securityd
581 id<SecuritydXPCProtocol> SecCreateLocalSecuritydXPCServer(void) NS_RETURNS_RETAINED;
582
583 // Make a SecBoolNSErrorCallback block into an Objective-C object (for proxying across NSXPC)
584 @interface SecuritydXPCCallback : NSObject <SecuritydXPCCallbackProtocol> {
585 SecBoolNSErrorCallback _callback;
586 }
587 @property SecBoolNSErrorCallback callback;
588 - (instancetype)initWithCallback: (SecBoolNSErrorCallback) callback;
589 @end
590
591 @interface SecuritydXPCClient : NSObject {
592 NSXPCConnection* _connection;
593 }
594 @property NSXPCConnection* connection;
595
596 +(void)configureSecuritydXPCProtocol: (NSXPCInterface*) interface;
597 @end
598
599 #endif // OBJC
600
601 #endif /* _SECURITYD_CLIENT_H_ */
mirror of Security