1 /*
2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 import Foundation
25
/// One policy as embedded in this file.
///
/// `policyData` is what is actually decoded and handed out; the other three
/// fields exist so that `builtInPolicyDocuments()` can cross-check the
/// embedded bytes against values a reviewer can read in source.
struct RawPolicy {
    /// Version the decoded document is expected to report.
    let policyVersion: Int
    /// Expected hash of the serialized document, in the form "SHA256:<base64>".
    let policyHash: String
    /// Base64 encoding of the serialized policy bytes (see `Data(base64Encoded:)` below).
    let policyData: String
    /// Hand-written equivalent of `policyData`; the decoded document is asserted
    /// equal to it. Editing this alone will not change the policy that is
    /// returned — the bytes and hash have to be regenerated with it.
    let plaintextPolicy: TPPolicyDocument
}
32
/// Version of the built-in policy this build treats as current.
///
/// `builtInPolicyDocuments()` asserts (debug builds only) that exactly one
/// embedded entry carries this version and that its hash equals
/// `prevailingPolicyHash`. Bump both constants together when a new policy
/// version is added below.
let prevailingPolicyVersion: UInt64 = 5

/// Pinned hash of the prevailing policy, in the same "SHA256:<base64>" form as
/// each entry's `policyHash`.
let prevailingPolicyHash: String = "SHA256:O/ECQlWhvNlLmlDNh2+nal/yekUC87bXpV3k+6kznSo="
35
/// Returns the policy documents compiled into this helper, in the order they
/// are listed below (versions 1 through 5).
///
/// Each entry pairs the base64-encoded serialized policy (the bytes produced
/// by `tppolicy`) and its expected hash with a hand-written plaintext
/// `TPPolicyDocument`. Only the decoded serialized form is returned; the
/// plaintext form is a cross-check that the embedded bytes say what the
/// source claims.
///
/// NOTE(review): every cross-check in this function is an `assert`, which is
/// compiled out in release builds. In release, only the force-unwraps and
/// `try!` still trap (on malformed base64 or a nil document). Whether
/// `TPPolicyDocument.policyDoc(withHash:data:)` itself verifies `data`
/// against the hash is not visible in this file — confirm before relying on
/// it as an integrity check.
///
/// NOTE(review): the `fieldRegex` patterns use unescaped `.` (e.g.
/// `^com.apple.sbd$`), so each dot matches any character. Tightening them
/// means changing the plaintext, the serialized bytes and the hash together,
/// otherwise the equality assert below fails.
func builtInPolicyDocuments() -> [TPPolicyDocument] {

    // These bytes are generated by tppolicy
    let rawPolicies = [
        // Version 1: only the three legacy views; no key/view mapping.
        RawPolicy(
            policyVersion: 1,
            policyHash: "SHA256:TLXrcQmY4ue3oP5pCX1pwsi9BF8cKfohlJBilCroeBs=",
            policyData: "CAESDgoGaVBob25lEgRmdWxsEgwKBGlQYWQSBGZ1bGwSCwoDTWFjEgRmdWxsEgwKBGlNYWMSBGZ1bGwSDQoHQXBwbGVUVhICdHYSDgoFV2F0Y2gSBXdhdGNoGhEKCVBDU0VzY3JvdxIEZnVsbBoXCgRXaUZpEgRmdWxsEgJ0dhIFd2F0Y2gaGQoRU2FmYXJpQ3JlZGl0Q2FyZHMSBGZ1bGwiDAoEZnVsbBIEZnVsbCIUCgV3YXRjaBIEZnVsbBIFd2F0Y2giDgoCdHYSBGZ1bGwSAnR2",
            plaintextPolicy: try! TPPolicyDocument(version: 1,
                modelToCategory: [
                    ["prefix": "iPhone", "category": "full"],
                    ["prefix": "iPad", "category": "full"],
                    ["prefix": "Mac", "category": "full"],
                    ["prefix": "iMac", "category": "full"],
                    ["prefix": "AppleTV", "category": "tv"],
                    ["prefix": "Watch", "category": "watch"],
                ],
                categoriesByView: [
                    "PCSEscrow": ["full"],
                    "WiFi": ["full", "tv", "watch"],
                    "SafariCreditCards": ["full"],
                ],
                // Which device categories may introduce (vouch for) each category.
                // In v1 and v2 only "full" devices can introduce "full" devices.
                introducersByCategory: [
                    "full": ["full"],
                    "watch": ["full", "watch"],
                    "tv": ["full", "tv"],
                ],
                redactions: [:],
                keyViewMapping: [],
                hashAlgo: .SHA256)
        ),

        // Version 2: identical to v1 apart from the added "iCycle" model prefix.
        RawPolicy(
            policyVersion: 2,
            policyHash: "SHA256:ZL1WBUCyO155rHBJQeghomCCKGmfjtS0jvsK+UEvx5o=",
            policyData: "CAISDgoGaUN5Y2xlEgRmdWxsEg4KBmlQaG9uZRIEZnVsbBIMCgRpUGFkEgRmdWxsEgsKA01hYxIEZnVsbBIMCgRpTWFjEgRmdWxsEg0KB0FwcGxlVFYSAnR2Eg4KBVdhdGNoEgV3YXRjaBoRCglQQ1NFc2Nyb3cSBGZ1bGwaFwoEV2lGaRIEZnVsbBICdHYSBXdhdGNoGhkKEVNhZmFyaUNyZWRpdENhcmRzEgRmdWxsIgwKBGZ1bGwSBGZ1bGwiFAoFd2F0Y2gSBGZ1bGwSBXdhdGNoIg4KAnR2EgRmdWxsEgJ0dg==",
            plaintextPolicy: try! TPPolicyDocument(version: 2,
                modelToCategory: [
                    ["prefix": "iCycle", "category": "full"],
                    ["prefix": "iPhone", "category": "full"],
                    ["prefix": "iPad", "category": "full"],
                    ["prefix": "Mac", "category": "full"],
                    ["prefix": "iMac", "category": "full"],
                    ["prefix": "AppleTV", "category": "tv"],
                    ["prefix": "Watch", "category": "watch"],
                ],
                categoriesByView: [
                    "PCSEscrow": ["full"],
                    "WiFi": ["full", "tv", "watch"],
                    "SafariCreditCards": ["full"],
                ],
                introducersByCategory: [
                    "full": ["full"],
                    "tv": ["full", "tv"],
                    "watch": ["full", "watch"],
                ],
                redactions: [:],
                keyViewMapping: [],
                hashAlgo: .SHA256)
        ),

        // Version 3: first policy with a key/view mapping and the "audio"
        // category. From here on "watch" may introduce "full" devices.
        // NOTE: the serialized bytes for v3–v5 are not present in this copy of
        // the file (placeholder below); the plaintext is the only readable form.
        RawPolicy(policyVersion: 3,
            policyHash: "SHA256:JZzazSuHXrUhiOfSgElsg6vYKpnvvEPVpciR8FewRWg=",
            policyData: "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",
            plaintextPolicy: try! TPPolicyDocument(version: 3,
                modelToCategory: [
                    ["prefix": "iPhone", "category": "full"],
                    ["prefix": "iPad", "category": "full"],
                    ["prefix": "Mac", "category": "full"],
                    ["prefix": "iMac", "category": "full"],
                    ["prefix": "AppleTV", "category": "tv"],
                    ["prefix": "Watch", "category": "watch"],
                    ["prefix": "AudioAccessory", "category": "audio"],
                ],
                categoriesByView: [
                    "AutoUnlock": ["full", "watch"],
                    "ApplePay": ["full", "watch"],
                    "Engram": ["full", "watch"],
                    "Health": ["full", "watch"],
                    "Home": ["full", "watch"],
                    "LimitedPeersAllowed": ["full", "watch", "tv", "audio"],
                    "Manatee": ["full", "watch"],

                    "Applications": ["full", "watch"],
                    "SecureObjectSync": ["full", "watch"],
                    "WiFi": ["full", "watch", "tv", "audio"],
                    "ProtectedCloudStorage": ["full", "watch"],
                    "SafariCreditCards": ["full", "watch"],
                    "SafariPasswords": ["full", "watch"],
                    "DevicePairing": ["full", "watch"],
                    "Backstop": ["full", "watch"],
                ],
                introducersByCategory: [
                    "full": ["full", "watch"],
                    "watch": ["full", "watch"],
                    "tv": ["full", "watch", "tv"],
                    "audio": ["full", "watch", "audio"],
                ],
                redactions: [:],
                // Rules are keyed on keychain item attributes: "vwht" (view hint),
                // "agrp" (access group), "class" and "svce".
                keyViewMapping: [
                    TPPBPolicyKeyViewMapping(view: "ApplePay", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^ApplePay$")),
                    TPPBPolicyKeyViewMapping(view: "AutoUnlock", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^AutoUnlock$")),
                    TPPBPolicyKeyViewMapping(view: "Engram", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Engram$")),
                    TPPBPolicyKeyViewMapping(view: "Health", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Health$")),
                    TPPBPolicyKeyViewMapping(view: "Home", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Home$")),
                    TPPBPolicyKeyViewMapping(view: "Manatee", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Manatee$")),
                    TPPBPolicyKeyViewMapping(view: "LimitedPeersAllowed", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^LimitedPeersAllowed$")),

                    // These items will not be synced by Octagon
                    TPPBPolicyKeyViewMapping(view: "NotSynced", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^ContinuityUnlock$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^HomeKit$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^AppleTV$"),
                        ])),

                    // Access groups of the form "<10 alphanumerics>." (presumably a
                    // Team ID prefix — confirm); the pattern is anchored at the start only.
                    TPPBPolicyKeyViewMapping(view: "Applications", matchingRule:
                        TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^[0-9A-Z]{10}\\.")),

                    TPPBPolicyKeyViewMapping(view: "SecureObjectSync", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.andMatch([
                                TPDictionaryMatchingRule.fieldMatch("class", fieldRegex: "^genp$"),
                                TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.sbd$"),
                            ]),
                            TPDictionaryMatchingRule.andMatch([
                                TPDictionaryMatchingRule.fieldMatch("class", fieldRegex: "^keys$"),
                                TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.security.sos$"),
                            ]),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^BackupBagV0$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^iCloudIdentity$"),
                        ])),

                    TPPBPolicyKeyViewMapping(view: "WiFi", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^WiFi$"),
                            TPDictionaryMatchingRule.andMatch([
                                TPDictionaryMatchingRule.fieldMatch("class", fieldRegex: "^genp$"),
                                TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^apple$"),
                                TPDictionaryMatchingRule.fieldMatch("svce", fieldRegex: "^AirPort$"),
                            ]),
                        ])),

                    // v3 uses un-hyphenated PCS view hints; v4 and later switch to "PCS-…".
                    TPPBPolicyKeyViewMapping(view: "ProtectedCloudStorage", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSCloudKit$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSEscrow$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSFDE$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSFeldspar$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSMailDrop$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSMasterKey$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSNotes$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSPhotos$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSSharing$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSiCloudBackup$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSiCloudDrive$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCSiMessage$"),
                        ])),

                    TPPBPolicyKeyViewMapping(view: "SafariCreditCards",
                        matchingRule: TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.safari.credit-cards$")),

                    TPPBPolicyKeyViewMapping(view: "SafariPasswords",
                        matchingRule: TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.cfnetwork$")),

                    TPPBPolicyKeyViewMapping(view: "DevicePairing", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^AccessoryPairing$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^NanoRegistry$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^WatchMigration$"),
                        ])),

                    // NOTE(review): in v3 "Backstop" matches exactly the same access group
                    // as "SafariPasswords" above; how the matcher resolves an item that
                    // fits two views is not visible here.
                    TPPBPolicyKeyViewMapping(view: "Backstop",
                        matchingRule: TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.cfnetwork$")),
                ],
                hashAlgo: .SHA256)
        ),
        // Version 4: renames SafariCreditCards/SafariPasswords to
        // CreditCards/Passwords, hyphenates the PCS view hints and drops "Backstop".
        RawPolicy(policyVersion: 4,
            policyHash: "SHA256:Tjdu5QrWGvKWMx7k3VWFrEWSsBDPZAwCql9ybDkvFs8=",
            policyData: "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",
            plaintextPolicy: try! TPPolicyDocument(version: 4,
                modelToCategory: [
                    ["prefix": "iPhone", "category": "full"],
                    ["prefix": "iPad", "category": "full"],
                    ["prefix": "Mac", "category": "full"],
                    ["prefix": "iMac", "category": "full"],
                    ["prefix": "AppleTV", "category": "tv"],
                    ["prefix": "Watch", "category": "watch"],
                    ["prefix": "AudioAccessory", "category": "audio"],
                ],
                categoriesByView: [
                    "AutoUnlock": ["full", "watch"],
                    "ApplePay": ["full", "watch"],
                    "Engram": ["full", "watch"],
                    "Health": ["full", "watch"],
                    "Home": ["full", "watch"],
                    "LimitedPeersAllowed": ["full", "watch", "tv", "audio"],
                    "Manatee": ["full", "watch"],
                    "Applications": ["full", "watch"],
                    "SecureObjectSync": ["full", "watch"],
                    "WiFi": ["full", "watch", "tv", "audio"],
                    "ProtectedCloudStorage": ["full", "watch"],
                    "CreditCards": ["full", "watch"],
                    "Passwords": ["full", "watch"],
                    "DevicePairing": ["full", "watch"],
                ],
                introducersByCategory: [
                    "full": ["full", "watch"],
                    "watch": ["full", "watch"],
                    "tv": ["full", "watch", "tv"],
                    "audio": ["full", "watch", "audio"],
                ],
                redactions: [:],
                keyViewMapping: [
                    TPPBPolicyKeyViewMapping(view: "ApplePay", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^ApplePay$")),
                    TPPBPolicyKeyViewMapping(view: "AutoUnlock", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^AutoUnlock$")),
                    TPPBPolicyKeyViewMapping(view: "Engram", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Engram$")),
                    TPPBPolicyKeyViewMapping(view: "Health", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Health$")),
                    TPPBPolicyKeyViewMapping(view: "Home", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Home$")),
                    TPPBPolicyKeyViewMapping(view: "Manatee", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Manatee$")),
                    TPPBPolicyKeyViewMapping(view: "LimitedPeersAllowed", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^LimitedPeersAllowed$")),

                    // These items will not be synced by Octagon
                    TPPBPolicyKeyViewMapping(view: "NotSynced", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^ContinuityUnlock$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^HomeKit$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^AppleTV$"),
                        ])),

                    TPPBPolicyKeyViewMapping(view: "Applications", matchingRule:
                        TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^[0-9A-Z]{10}\\.")),

                    TPPBPolicyKeyViewMapping(view: "SecureObjectSync", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.andMatch([
                                TPDictionaryMatchingRule.fieldMatch("class", fieldRegex: "^genp$"),
                                TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.sbd$"),
                            ]),
                            TPDictionaryMatchingRule.andMatch([
                                TPDictionaryMatchingRule.fieldMatch("class", fieldRegex: "^keys$"),
                                TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.security.sos$"),
                            ]),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^BackupBagV0$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^iCloudIdentity$"),
                        ])),

                    TPPBPolicyKeyViewMapping(view: "WiFi", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^WiFi$"),
                            TPDictionaryMatchingRule.andMatch([
                                TPDictionaryMatchingRule.fieldMatch("class", fieldRegex: "^genp$"),
                                TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^apple$"),
                                TPDictionaryMatchingRule.fieldMatch("svce", fieldRegex: "^AirPort$"),
                            ]),
                        ])),

                    TPPBPolicyKeyViewMapping(view: "ProtectedCloudStorage", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-CloudKit$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Escrow$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-FDE$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Feldspar$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-MailDrop$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-MasterKey$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Notes$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Photos$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Sharing$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-iCloudBackup$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-iCloudDrive$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-iMessage$"),
                        ])),

                    TPPBPolicyKeyViewMapping(view: "CreditCards",
                        matchingRule: TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.safari.credit-cards$")),

                    TPPBPolicyKeyViewMapping(view: "Passwords",
                        matchingRule: TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.cfnetwork$")),

                    TPPBPolicyKeyViewMapping(view: "DevicePairing", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^AccessoryPairing$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^NanoRegistry$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^WatchMigration$"),
                        ])),
                ],
                hashAlgo: .SHA256)
        ),

        // Version 5 (the prevailing policy, see `prevailingPolicyVersion`):
        // adds the "iPod" model prefix and "PCS-Backup", and reintroduces
        // "Backstop" as a catch-all mapping.
        RawPolicy(policyVersion: 5,
            policyHash: "SHA256:O/ECQlWhvNlLmlDNh2+nal/yekUC87bXpV3k+6kznSo=",
            policyData: "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",
            plaintextPolicy: try! TPPolicyDocument(version: 5,
                modelToCategory: [
                    ["prefix": "iPhone", "category": "full"],
                    ["prefix": "iPad", "category": "full"],
                    ["prefix": "iPod", "category": "full"],
                    ["prefix": "Mac", "category": "full"],
                    ["prefix": "iMac", "category": "full"],
                    ["prefix": "AppleTV", "category": "tv"],
                    ["prefix": "Watch", "category": "watch"],
                    ["prefix": "AudioAccessory", "category": "audio"],
                ],
                // NOTE(review): "Backstop" is mapped in keyViewMapping below but has no
                // entry here (v3 declared "Backstop": ["full", "watch"]). Whether a view
                // with no category list is treated as "no peer may hold it" or "any peer"
                // is not visible in this file — confirm this is intended.
                categoriesByView: [
                    "AutoUnlock": ["full", "watch"],
                    "ApplePay": ["full", "watch"],
                    "Engram": ["full", "watch"],
                    "Health": ["full", "watch"],
                    "Home": ["full", "watch"],
                    "LimitedPeersAllowed": ["full", "watch", "tv", "audio"],
                    "Manatee": ["full", "watch"],
                    "Applications": ["full", "watch"],
                    "SecureObjectSync": ["full", "watch"],
                    "WiFi": ["full", "watch", "tv", "audio"],
                    "ProtectedCloudStorage": ["full", "watch"],
                    "CreditCards": ["full", "watch"],
                    "Passwords": ["full", "watch"],
                    "DevicePairing": ["full", "watch"],
                ],
                introducersByCategory: [
                    "full": ["full", "watch"],
                    "watch": ["full", "watch"],
                    "tv": ["full", "watch", "tv"],
                    "audio": ["full", "watch", "audio"],
                ],
                redactions: [:],
                keyViewMapping: [
                    TPPBPolicyKeyViewMapping(view: "ApplePay", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^ApplePay$")),
                    TPPBPolicyKeyViewMapping(view: "AutoUnlock", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^AutoUnlock$")),
                    TPPBPolicyKeyViewMapping(view: "Engram", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Engram$")),
                    TPPBPolicyKeyViewMapping(view: "Health", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Health$")),
                    TPPBPolicyKeyViewMapping(view: "Home", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Home$")),
                    TPPBPolicyKeyViewMapping(view: "Manatee", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^Manatee$")),
                    TPPBPolicyKeyViewMapping(view: "LimitedPeersAllowed", matchingRule: TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^LimitedPeersAllowed$")),

                    // These items will not be synced by Octagon
                    TPPBPolicyKeyViewMapping(view: "NotSynced", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^ContinuityUnlock$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^HomeKit$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^AppleTV$"),
                        ])),

                    TPPBPolicyKeyViewMapping(view: "Applications", matchingRule:
                        TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^[0-9A-Z]{10}\\.")),

                    // The "." in these access-group patterns is an unescaped regex
                    // metacharacter; see the function comment before tightening.
                    TPPBPolicyKeyViewMapping(view: "SecureObjectSync", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.andMatch([
                                TPDictionaryMatchingRule.fieldMatch("class", fieldRegex: "^genp$"),
                                TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.sbd$"),
                            ]),
                            TPDictionaryMatchingRule.andMatch([
                                TPDictionaryMatchingRule.fieldMatch("class", fieldRegex: "^keys$"),
                                TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.security.sos$"),
                            ]),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^BackupBagV0$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^iCloudIdentity$"),
                        ])),

                    TPPBPolicyKeyViewMapping(view: "WiFi", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^WiFi$"),
                            TPDictionaryMatchingRule.andMatch([
                                TPDictionaryMatchingRule.fieldMatch("class", fieldRegex: "^genp$"),
                                TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^apple$"),
                                TPDictionaryMatchingRule.fieldMatch("svce", fieldRegex: "^AirPort$"),
                            ]),
                        ])),

                    TPPBPolicyKeyViewMapping(view: "ProtectedCloudStorage", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Backup$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-CloudKit$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Escrow$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-FDE$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Feldspar$"),
                            // Both capitalizations are listed deliberately-looking; the
                            // matcher is case-sensitive as far as these patterns show.
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-MailDrop$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Maildrop$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-MasterKey$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Notes$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Photos$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-Sharing$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-iCloudBackup$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-iCloudDrive$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^PCS-iMessage$"),
                        ])),

                    TPPBPolicyKeyViewMapping(view: "CreditCards",
                        matchingRule: TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.safari.credit-cards$")),

                    TPPBPolicyKeyViewMapping(view: "Passwords",
                        matchingRule: TPDictionaryMatchingRule.fieldMatch("agrp", fieldRegex: "^com.apple.cfnetwork$")),

                    TPPBPolicyKeyViewMapping(view: "DevicePairing", matchingRule:
                        TPDictionaryMatchingRule.orMatch([
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^AccessoryPairing$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^NanoRegistry$"),
                            TPDictionaryMatchingRule.fieldMatch("vwht", fieldRegex: "^WatchMigration$"),
                        ])),

                    // Catch-all: matches every item. Being last in the list suggests it
                    // is meant to receive items no earlier rule claimed, but the
                    // matcher's ordering semantics are not visible here — confirm.
                    TPPBPolicyKeyViewMapping(view: "Backstop", matchingRule:
                        TPDictionaryMatchingRule.trueMatch()),
                ],
                hashAlgo: .SHA256)
        ),
    ]

    // Exactly one embedded entry must claim the prevailing version (debug builds only).
    assert(rawPolicies.filter { prevailingPolicyVersion == $0.policyVersion }.count == 1)

    return rawPolicies.map { raw in
        // Both force-unwraps trap in every build configuration: the base64 is a
        // compile-time constant, so a nil here is a broken table, not bad input.
        let data = Data(base64Encoded: raw.policyData)!
        let doc = TPPolicyDocument.policyDoc(withHash: raw.policyHash, data: data)!
        // Debug-only cross-checks: decoded version matches the table, the
        // prevailing entry carries the pinned hash, and the decoded document
        // equals the hand-written plaintext.
        assert(doc.policyVersion == raw.policyVersion)
        if raw.policyVersion == prevailingPolicyVersion {
            assert(prevailingPolicyHash == raw.policyHash)
        }
        assert(doc.isEqual(to: raw.plaintextPolicy))
        return doc
    }
}
456 }