]> git.saurik.com Git - apple/security.git/blob - keychain/ot/OTEstablishOperation.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-59306.11.20.tar.gz
[apple/security.git] / keychain / ot / OTEstablishOperation.m
1 /*
2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #if OCTAGON
25
26 #import <utilities/debugging.h>
27
28 #import "keychain/ot/OTEstablishOperation.h"
29 #import "keychain/ot/OTCuttlefishAccountStateHolder.h"
30 #import "keychain/ot/OTFetchCKKSKeysOperation.h"
31 #import "keychain/ckks/CloudKitCategories.h"
32 #import "keychain/ckks/CKKSCurrentKeyPointer.h"
33 #import "keychain/ckks/CKKSKeychainView.h"
34
35 #import "keychain/TrustedPeersHelper/TrustedPeersHelperProtocol.h"
36 #import "keychain/ot/ObjCImprovements.h"
37
38 @interface OTEstablishOperation ()
39 @property OTOperationDependencies* operationDependencies;
40
41 @property OctagonState* ckksConflictState;
42
43 @property NSOperation* finishedOp;
44 @end
45
46 @implementation OTEstablishOperation
47 @synthesize intendedState = _intendedState;
48
49 - (instancetype)initWithDependencies:(OTOperationDependencies*)dependencies
50 intendedState:(OctagonState*)intendedState
51 ckksConflictState:(OctagonState*)ckksConflictState
52 errorState:(OctagonState*)errorState
53 {
54 if((self = [super init])) {
55 _operationDependencies = dependencies;
56
57 _intendedState = intendedState;
58 _nextState = errorState;
59 _ckksConflictState = ckksConflictState;
60 }
61 return self;
62 }
63
64 - (void)groupStart
65 {
66 secnotice("octagon", "Beginning an establish operation");
67
68 WEAKIFY(self);
69
70 self.finishedOp = [NSBlockOperation blockOperationWithBlock:^{
71 STRONGIFY(self);
72 secnotice("octagon", "Finishing an establish operation with %@", self.error ?: @"no error");
73 }];
74 [self dependOnBeforeGroupFinished:self.finishedOp];
75
76 // First, interrogate CKKS views, and see when they have a TLK proposal.
77 OTFetchCKKSKeysOperation* fetchKeysOp = [[OTFetchCKKSKeysOperation alloc] initWithDependencies:self.operationDependencies];
78 [self runBeforeGroupFinished:fetchKeysOp];
79
80 CKKSResultOperation* proceedWithKeys = [CKKSResultOperation named:@"establish-with-keys"
81 withBlock:^{
82 STRONGIFY(self);
83 [self proceedWithKeys:fetchKeysOp.viewKeySets
84 pendingTLKShares:fetchKeysOp.pendingTLKShares];
85 }];
86
87 [proceedWithKeys addDependency:fetchKeysOp];
88 [self runBeforeGroupFinished:proceedWithKeys];
89 }
90
91 - (void)proceedWithKeys:(NSArray<CKKSKeychainBackedKeySet*>*)viewKeySets pendingTLKShares:(NSArray<CKKSTLKShare*>*)pendingTLKShares
92 {
93 WEAKIFY(self);
94
95 NSArray<NSData*>* publicSigningSPKIs = nil;
96
97 if(self.operationDependencies.sosAdapter.sosEnabled) {
98 NSError* peerError = nil;
99
100 secnotice("octagon-sos", "SOS not enabled; no preapproved keys");
101 NSSet<id<CKKSRemotePeerProtocol>>* peerSet = [self.operationDependencies.sosAdapter fetchTrustedPeers:&peerError];
102
103 if(!peerSet || peerError) {
104 secerror("octagon-sos: Can't fetch trusted peers during establish: %@", peerError);
105 }
106
107 publicSigningSPKIs = [OTSOSActualAdapter peerPublicSigningKeySPKIs:peerSet];
108 secnotice("octagon-sos", "SOS preapproved keys are %@", publicSigningSPKIs);
109 } else {
110 secnotice("octagon-sos", "SOS not enabled; no preapproved keys");
111 }
112
113 NSError* persistError = nil;
114 BOOL persisted = [self.operationDependencies.stateHolder persistOctagonJoinAttempt:OTAccountMetadataClassC_AttemptedAJoinState_ATTEMPTED error:&persistError];
115 if(!persisted || persistError) {
116 secerror("octagon: failed to save 'attempted join' state: %@", persistError);
117 }
118
119 secnotice("octagon-ckks", "Beginning establish with keys: %@", viewKeySets);
120 [[self.operationDependencies.cuttlefishXPC remoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) {
121 STRONGIFY(self);
122 secerror("octagon: Can't talk with TrustedPeersHelper: %@", error);
123 [[CKKSAnalytics logger] logRecoverableError:error forEvent:OctagonEventEstablishIdentity withAttributes:NULL];
124 self.error = error;
125 [self runBeforeGroupFinished:self.finishedOp];
126
127 }] establishWithContainer:self.operationDependencies.containerName
128 context:self.operationDependencies.contextID
129 ckksKeys:viewKeySets
130 tlkShares:pendingTLKShares
131 preapprovedKeys:publicSigningSPKIs
132 reply:^(NSString * _Nullable peerID, NSArray<CKRecord*>* _Nullable keyHierarchyRecords, NSError * _Nullable error) {
133 STRONGIFY(self);
134
135 [[CKKSAnalytics logger] logResultForEvent:OctagonEventEstablishIdentity hardFailure:true result:error];
136 if(error) {
137 secerror("octagon: Error calling establish: %@", error);
138
139 if ([error isCuttlefishError:CuttlefishErrorKeyHierarchyAlreadyExists]) {
140 secnotice("octagon-ckks", "A CKKS key hierarchy is out of date; moving to '%@'", self.ckksConflictState);
141 self.nextState = self.ckksConflictState;
142 } else {
143 self.error = error;
144 }
145 [self runBeforeGroupFinished:self.finishedOp];
146 return;
147 }
148
149 self.peerID = peerID;
150
151 NSError* localError = nil;
152 BOOL persisted = [self.operationDependencies.stateHolder persistAccountChanges:^OTAccountMetadataClassC * _Nonnull(OTAccountMetadataClassC * _Nonnull metadata) {
153 metadata.trustState = OTAccountMetadataClassC_TrustState_TRUSTED;
154 metadata.peerID = peerID;
155 return metadata;
156 } error:&localError];
157 if(!persisted || localError) {
158 secnotice("octagon", "Couldn't persist results: %@", localError);
159 self.error = localError;
160 } else {
161 self.nextState = self.intendedState;
162 }
163
164 // Tell CKKS about our shiny new records!
165 for (id key in self.operationDependencies.viewManager.views) {
166 CKKSKeychainView* view = self.operationDependencies.viewManager.views[key];
167 secnotice("octagon-ckks", "Providing records to %@", view);
168 [view receiveTLKUploadRecords: keyHierarchyRecords];
169 }
170 [self runBeforeGroupFinished:self.finishedOp];
171 }];
172 }
173
174 @end
175
176 #endif // OCTAGON
mirror of Security