2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 #import <utilities/debugging.h>
28 #import "keychain/ot/OTEstablishOperation.h"
29 #import "keychain/ot/OTCuttlefishAccountStateHolder.h"
30 #import "keychain/ot/OTFetchCKKSKeysOperation.h"
31 #import "keychain/ckks/CloudKitCategories.h"
32 #import "keychain/ckks/CKKSCurrentKeyPointer.h"
33 #import "keychain/ckks/CKKSKeychainView.h"
35 #import "keychain/TrustedPeersHelper/TrustedPeersHelperProtocol.h"
36 #import "keychain/ot/ObjCImprovements.h"
38 @interface OTEstablishOperation ()
39 @property OTOperationDependencies* operationDependencies;
41 @property OctagonState* ckksConflictState;
43 @property NSOperation* finishedOp;
46 @implementation OTEstablishOperation
47 @synthesize intendedState = _intendedState;
49 - (instancetype)initWithDependencies:(OTOperationDependencies*)dependencies
50 intendedState:(OctagonState*)intendedState
51 ckksConflictState:(OctagonState*)ckksConflictState
52 errorState:(OctagonState*)errorState
54 if((self = [super init])) {
55 _operationDependencies = dependencies;
57 _intendedState = intendedState;
58 _nextState = errorState;
59 _ckksConflictState = ckksConflictState;
66 secnotice("octagon", "Beginning an establish operation");
70 self.finishedOp = [NSBlockOperation blockOperationWithBlock:^{
72 secnotice("octagon", "Finishing an establish operation with %@", self.error ?: @"no error");
74 [self dependOnBeforeGroupFinished:self.finishedOp];
76 // First, interrogate CKKS views, and see when they have a TLK proposal.
77 OTFetchCKKSKeysOperation* fetchKeysOp = [[OTFetchCKKSKeysOperation alloc] initWithDependencies:self.operationDependencies];
78 [self runBeforeGroupFinished:fetchKeysOp];
80 CKKSResultOperation* proceedWithKeys = [CKKSResultOperation named:@"establish-with-keys"
83 [self proceedWithKeys:fetchKeysOp.viewKeySets
84 pendingTLKShares:fetchKeysOp.pendingTLKShares];
87 [proceedWithKeys addDependency:fetchKeysOp];
88 [self runBeforeGroupFinished:proceedWithKeys];
91 - (void)proceedWithKeys:(NSArray<CKKSKeychainBackedKeySet*>*)viewKeySets pendingTLKShares:(NSArray<CKKSTLKShare*>*)pendingTLKShares
95 NSArray<NSData*>* publicSigningSPKIs = nil;
97 if(self.operationDependencies.sosAdapter.sosEnabled) {
98 NSError* peerError = nil;
100 secnotice("octagon-sos", "SOS not enabled; no preapproved keys");
101 NSSet<id<CKKSRemotePeerProtocol>>* peerSet = [self.operationDependencies.sosAdapter fetchTrustedPeers:&peerError];
103 if(!peerSet || peerError) {
104 secerror("octagon-sos: Can't fetch trusted peers during establish: %@", peerError);
107 publicSigningSPKIs = [OTSOSActualAdapter peerPublicSigningKeySPKIs:peerSet];
108 secnotice("octagon-sos", "SOS preapproved keys are %@", publicSigningSPKIs);
110 secnotice("octagon-sos", "SOS not enabled; no preapproved keys");
113 NSError* persistError = nil;
114 BOOL persisted = [self.operationDependencies.stateHolder persistOctagonJoinAttempt:OTAccountMetadataClassC_AttemptedAJoinState_ATTEMPTED error:&persistError];
115 if(!persisted || persistError) {
116 secerror("octagon: failed to save 'attempted join' state: %@", persistError);
119 secnotice("octagon-ckks", "Beginning establish with keys: %@", viewKeySets);
120 [[self.operationDependencies.cuttlefishXPC remoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) {
122 secerror("octagon: Can't talk with TrustedPeersHelper: %@", error);
123 [[CKKSAnalytics logger] logRecoverableError:error forEvent:OctagonEventEstablishIdentity withAttributes:NULL];
125 [self runBeforeGroupFinished:self.finishedOp];
127 }] establishWithContainer:self.operationDependencies.containerName
128 context:self.operationDependencies.contextID
130 tlkShares:pendingTLKShares
131 preapprovedKeys:publicSigningSPKIs
132 reply:^(NSString * _Nullable peerID, NSArray<CKRecord*>* _Nullable keyHierarchyRecords, NSError * _Nullable error) {
135 [[CKKSAnalytics logger] logResultForEvent:OctagonEventEstablishIdentity hardFailure:true result:error];
137 secerror("octagon: Error calling establish: %@", error);
139 if ([error isCuttlefishError:CuttlefishErrorKeyHierarchyAlreadyExists]) {
140 secnotice("octagon-ckks", "A CKKS key hierarchy is out of date; moving to '%@'", self.ckksConflictState);
141 self.nextState = self.ckksConflictState;
145 [self runBeforeGroupFinished:self.finishedOp];
149 self.peerID = peerID;
151 NSError* localError = nil;
152 BOOL persisted = [self.operationDependencies.stateHolder persistAccountChanges:^OTAccountMetadataClassC * _Nonnull(OTAccountMetadataClassC * _Nonnull metadata) {
153 metadata.trustState = OTAccountMetadataClassC_TrustState_TRUSTED;
154 metadata.peerID = peerID;
156 } error:&localError];
157 if(!persisted || localError) {
158 secnotice("octagon", "Couldn't persist results: %@", localError);
159 self.error = localError;
161 self.nextState = self.intendedState;
164 // Tell CKKS about our shiny new records!
165 for (id key in self.operationDependencies.viewManager.views) {
166 CKKSKeychainView* view = self.operationDependencies.viewManager.views[key];
167 secnotice("octagon-ckks", "Providing records to %@", view);
168 [view receiveTLKUploadRecords: keyHierarchyRecords];
170 [self runBeforeGroupFinished:self.finishedOp];