]> git.saurik.com Git - apple/security.git/blob - keychain/otctl/otctl.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-59306.11.20.tar.gz
[apple/security.git] / keychain / otctl / otctl.m
1 //
2 // Security
3 //
4
5 #import <TargetConditionals.h>
6 #import <Foundation/Foundation.h>
7 #import <Security/SecInternalReleasePriv.h>
8 #import <Security/Security.h>
9 #import <err.h>
10
11 #import "keychain/otctl/OTControlCLI.h"
12 #import "keychain/otctl/EscrowRequestCLI.h"
13 #import "keychain/escrowrequest/Framework/SecEscrowRequest.h"
14 #include "lib/SecArgParse.h"
15 #include "utilities/debugging.h"
16
17 #if TARGET_OS_WATCH
18 #import "keychain/otpaird/OTPairingClient.h"
19 #endif /* TARGET_OS_WATCH */
20
21 static int start = false;
22 static int signIn = false;
23 static int signOut = false;
24 static int resetoctagon = false;
25
26 static int fetchAllBottles = false;
27 static int recover = false;
28 static int depart = false;
29
30 static int status = false;
31
32 static int er_trigger = false;
33 static int er_status = false;
34 static int er_reset = false;
35 static int er_store = false;
36
37 static int ttr_flag = false;
38
39 static int health = false;
40
41 #if TARGET_OS_WATCH
42 static int pairme = false;
43 #endif /* TARGET_OS_WATCH */
44
45 static char* bottleIDArg = NULL;
46 static char* contextNameArg = NULL;
47 static char* secretArg = NULL;
48 static char* skipRateLimitingCheckArg = NULL;
49 static int json = false;
50
51 static char* altDSIDArg = NULL;
52 static char* containerStr = NULL;
53 static char* radarNumber = NULL;
54
55 static void internalOnly(void)
56 {
57 if(!SecIsInternalRelease()) {
58 secnotice("octagon", "Tool not available on non internal builds");
59 errx(1, "Tool not available on non internal builds");
60 }
61 }
62
63 int main(int argc, char** argv)
64 {
65 static struct argument options[] = {
66 {.shortname = 's', .longname = "secret", .argument = &secretArg, .description = "escrow secret"},
67 {.shortname = 'e', .longname = "bottleID", .argument = &bottleIDArg, .description = "bottle record id"},
68 {.shortname = 'r', .longname = "skipRateLimiting", .argument = &skipRateLimitingCheckArg, .description = " enter values YES or NO, option defaults to NO, This gives you the opportunity to skip the rate limiting check when performing the cuttlefish health check"},
69 {.shortname = 'j', .longname = "json", .flag = &json, .flagval = true, .description = "Output in JSON"},
70
71 {.longname = "altDSID", .argument = &altDSIDArg, .description = "altDSID (for sign-in/out)"},
72 {.longname = "entropy", .argument = &secretArg, .description = "escrowed entropy in JSON"},
73
74 {.longname = "container", .argument = &containerStr, .description = "CloudKit container name"},
75 {.longname = "radar", .argument = &radarNumber, .description = "Radar number"},
76
77 {.command = "start", .flag = &start, .flagval = true, .description = "Start Octagon state machine"},
78 {.command = "sign-in", .flag = &signIn, .flagval = true, .description = "Inform Cuttlefish container of sign in"},
79 {.command = "sign-out", .flag = &signOut, .flagval = true, .description = "Inform Cuttlefish container of sign out"},
80 {.command = "status", .flag = &status, .flagval = true, .description = "Report Octagon status"},
81 {.command = "resetoctagon", .flag = &resetoctagon, .flagval = true, .description = "Reset and establish new Octagon trust"},
82 {.command = "allBottles", .flag = &fetchAllBottles, .flagval = true, .description = "Fetch all viable bottles"},
83 {.command = "recover", .flag = &recover, .flagval = true, .description = "Recover using this bottle"},
84 {.command = "depart", .flag = &depart, .flagval = true, .description = "Depart from Octagon Trust"},
85
86 {.command = "er-trigger", .flag = &er_trigger, .flagval = true, .description = "Trigger an Escrow Request request"},
87 {.command = "er-status", .flag = &er_status, .flagval = true, .description = "Report status on any pending Escrow Request requests"},
88 {.command = "er-reset", .flag = &er_reset, .flagval = true, .description = "Delete all Escrow Request requests"},
89 {.command = "er-store", .flag = &er_store, .flagval = true, .description = "Store any pending Escrow Request prerecords"},
90
91 {.command = "health", .flag = &health, .flagval = true, .description = "Check Octagon Health status"},
92
93 {.command = "taptoradar", .flag = &ttr_flag, .flagval = true, .description = "Trigger a TapToRadar"},
94
95 #if TARGET_OS_WATCH
96 {.command = "pairme", .flag = &pairme, .flagval = true, .description = "Perform pairing (watchOS only)"},
97 #endif /* TARGET_OS_WATCH */
98 {}};
99
100 static struct arguments args = {
101 .programname = "otctl",
102 .description = "Control and report on Octagon Trust",
103 .arguments = options,
104 };
105
106 if(!options_parse(argc, argv, &args)) {
107 printf("\n");
108 print_usage(&args);
109 return -1;
110 }
111
112 @autoreleasepool {
113 NSError* error = nil;
114
115 // Use a synchronous control object
116 OTControl* rpc = [OTControl controlObject:true error:&error];
117 if(error || !rpc) {
118 errx(1, "no OTControl failed: %s", [[error description] UTF8String]);
119 }
120
121 NSString* context = contextNameArg ? [NSString stringWithCString:contextNameArg encoding:NSUTF8StringEncoding] : OTDefaultContext;
122 NSString* container = containerStr ? [NSString stringWithCString:containerStr encoding:NSUTF8StringEncoding] : nil;
123 NSString* altDSID = altDSIDArg ? [NSString stringWithCString:altDSIDArg encoding:NSUTF8StringEncoding] : nil;
124 NSString* skipRateLimitingCheck = skipRateLimitingCheckArg ? [NSString stringWithCString:skipRateLimitingCheckArg encoding:NSUTF8StringEncoding] : @"NO";
125
126 OTControlCLI* ctl = [[OTControlCLI alloc] initWithOTControl:rpc];
127
128 NSError* escrowRequestError = nil;
129 EscrowRequestCLI* escrowctl = [[EscrowRequestCLI alloc] initWithEscrowRequest:[SecEscrowRequest request:&escrowRequestError]];
130 if(escrowRequestError) {
131 errx(1, "SecEscrowRequest failed: %s", [[escrowRequestError description] UTF8String]);
132 }
133 if(resetoctagon) {
134 long ret = [ctl resetOctagon:container context:context altDSID:altDSID];
135 return (int)ret;
136 }
137 if(fetchAllBottles) {
138 return (int)[ctl fetchAllBottles:altDSID containerName:container context:context control:rpc];
139 }
140 if(recover) {
141 NSString* entropyJSON = secretArg ? [NSString stringWithCString:secretArg encoding:NSUTF8StringEncoding] : nil;
142 NSString* bottleID = bottleIDArg ? [NSString stringWithCString:bottleIDArg encoding:NSUTF8StringEncoding] : nil;
143
144 if(!entropyJSON || !bottleID) {
145 print_usage(&args);
146 return -1;
147 }
148
149 NSData* entropy = [[NSData alloc] initWithBase64EncodedString:entropyJSON options:0];
150 if(!entropy) {
151 print_usage(&args);
152 return -1;
153 }
154
155 return (int)[ctl recoverUsingBottleID:bottleID
156 entropy:entropy
157 altDSID:altDSID
158 containerName:container
159 context:context
160 control:rpc];
161 }
162 if(depart) {
163 return (int)[ctl depart:container context:context];
164 }
165 if(start) {
166 internalOnly();
167 return (int)[ctl startOctagonStateMachine:container context:context];
168 }
169 if(signIn) {
170 internalOnly();
171 return (int)[ctl signIn:altDSID container:container context:context];
172 }
173 if(signOut) {
174 internalOnly();
175 return (int)[ctl signOut:container context:context];
176 }
177
178 if(status) {
179 return (int)[ctl status:container context:context json:json];
180 }
181
182 if(health) {
183 BOOL skip = NO;
184 if([skipRateLimitingCheck isEqualToString:@"YES"]) {
185 skip = YES;
186 } else {
187 skip = NO;
188 }
189 return (int)[ctl healthCheck:container context:context skipRateLimitingCheck:skip];
190 }
191 if (ttr_flag) {
192 if (radarNumber == NULL) {
193 radarNumber = "1";
194 }
195 return (int)[ctl tapToRadar:@"action" description:@"description" radar:[NSString stringWithUTF8String:radarNumber]];
196 }
197 if(er_trigger) {
198 internalOnly();
199 return (int)[escrowctl trigger];
200 }
201 if(er_status) {
202 return (int)[escrowctl status];
203 }
204 if(er_reset) {
205 return (int)[escrowctl reset];
206 }
207 if(er_store) {
208 return (int)[escrowctl storePrerecordsInEscrow];
209 }
210
211
212 #if TARGET_OS_WATCH
213 if (pairme) {
214 dispatch_semaphore_t sema = dispatch_semaphore_create(0);
215 OTPairingInitiateWithCompletion(NULL, ^(bool success, NSError *pairingError) {
216 if (success) {
217 printf("successfully paired with companion\n");
218 } else {
219 printf("failed to pair with companion: %s\n", pairingError.description.UTF8String);
220 }
221 dispatch_semaphore_signal(sema);
222 });
223 dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER);
224 return 0;
225 }
226 #endif /* TARGET_OS_WATCH */
227
228 print_usage(&args);
229 return -1;
230 }
231 return 0;
232 }
mirror of Security