5 #import <TargetConditionals.h>
6 #import <Foundation/Foundation.h>
7 #import <Security/SecInternalReleasePriv.h>
8 #import <Security/Security.h>
11 #import "keychain/otctl/OTControlCLI.h"
12 #import "keychain/otctl/EscrowRequestCLI.h"
13 #import "keychain/escrowrequest/Framework/SecEscrowRequest.h"
14 #include "lib/SecArgParse.h"
15 #include "utilities/debugging.h"
18 #import "keychain/otpaird/OTPairingClient.h"
19 #endif /* TARGET_OS_WATCH */
21 static int start = false;
22 static int signIn = false;
23 static int signOut = false;
24 static int resetoctagon = false;
26 static int fetchAllBottles = false;
27 static int recover = false;
28 static int depart = false;
30 static int status = false;
32 static int er_trigger = false;
33 static int er_status = false;
34 static int er_reset = false;
35 static int er_store = false;
37 static int ttr_flag = false;
39 static int health = false;
42 static int pairme = false;
43 #endif /* TARGET_OS_WATCH */
45 static char* bottleIDArg = NULL;
46 static char* contextNameArg = NULL;
47 static char* secretArg = NULL;
48 static char* skipRateLimitingCheckArg = NULL;
49 static int json = false;
51 static char* altDSIDArg = NULL;
52 static char* containerStr = NULL;
53 static char* radarNumber = NULL;
55 static void internalOnly(void)
57 if(!SecIsInternalRelease()) {
58 secnotice("octagon", "Tool not available on non internal builds");
59 errx(1, "Tool not available on non internal builds");
63 int main(int argc, char** argv)
65 static struct argument options[] = {
66 {.shortname = 's', .longname = "secret", .argument = &secretArg, .description = "escrow secret"},
67 {.shortname = 'e', .longname = "bottleID", .argument = &bottleIDArg, .description = "bottle record id"},
68 {.shortname = 'r', .longname = "skipRateLimiting", .argument = &skipRateLimitingCheckArg, .description = " enter values YES or NO, option defaults to NO, This gives you the opportunity to skip the rate limiting check when performing the cuttlefish health check"},
69 {.shortname = 'j', .longname = "json", .flag = &json, .flagval = true, .description = "Output in JSON"},
71 {.longname = "altDSID", .argument = &altDSIDArg, .description = "altDSID (for sign-in/out)"},
72 {.longname = "entropy", .argument = &secretArg, .description = "escrowed entropy in JSON"},
74 {.longname = "container", .argument = &containerStr, .description = "CloudKit container name"},
75 {.longname = "radar", .argument = &radarNumber, .description = "Radar number"},
77 {.command = "start", .flag = &start, .flagval = true, .description = "Start Octagon state machine"},
78 {.command = "sign-in", .flag = &signIn, .flagval = true, .description = "Inform Cuttlefish container of sign in"},
79 {.command = "sign-out", .flag = &signOut, .flagval = true, .description = "Inform Cuttlefish container of sign out"},
80 {.command = "status", .flag = &status, .flagval = true, .description = "Report Octagon status"},
81 {.command = "resetoctagon", .flag = &resetoctagon, .flagval = true, .description = "Reset and establish new Octagon trust"},
82 {.command = "allBottles", .flag = &fetchAllBottles, .flagval = true, .description = "Fetch all viable bottles"},
83 {.command = "recover", .flag = &recover, .flagval = true, .description = "Recover using this bottle"},
84 {.command = "depart", .flag = &depart, .flagval = true, .description = "Depart from Octagon Trust"},
86 {.command = "er-trigger", .flag = &er_trigger, .flagval = true, .description = "Trigger an Escrow Request request"},
87 {.command = "er-status", .flag = &er_status, .flagval = true, .description = "Report status on any pending Escrow Request requests"},
88 {.command = "er-reset", .flag = &er_reset, .flagval = true, .description = "Delete all Escrow Request requests"},
89 {.command = "er-store", .flag = &er_store, .flagval = true, .description = "Store any pending Escrow Request prerecords"},
91 {.command = "health", .flag = &health, .flagval = true, .description = "Check Octagon Health status"},
93 {.command = "taptoradar", .flag = &ttr_flag, .flagval = true, .description = "Trigger a TapToRadar"},
96 {.command = "pairme", .flag = &pairme, .flagval = true, .description = "Perform pairing (watchOS only)"},
97 #endif /* TARGET_OS_WATCH */
100 static struct arguments args = {
101 .programname = "otctl",
102 .description = "Control and report on Octagon Trust",
103 .arguments = options,
106 if(!options_parse(argc, argv, &args)) {
113 NSError* error = nil;
115 // Use a synchronous control object
116 OTControl* rpc = [OTControl controlObject:true error:&error];
118 errx(1, "no OTControl failed: %s", [[error description] UTF8String]);
121 NSString* context = contextNameArg ? [NSString stringWithCString:contextNameArg encoding:NSUTF8StringEncoding] : OTDefaultContext;
122 NSString* container = containerStr ? [NSString stringWithCString:containerStr encoding:NSUTF8StringEncoding] : nil;
123 NSString* altDSID = altDSIDArg ? [NSString stringWithCString:altDSIDArg encoding:NSUTF8StringEncoding] : nil;
124 NSString* skipRateLimitingCheck = skipRateLimitingCheckArg ? [NSString stringWithCString:skipRateLimitingCheckArg encoding:NSUTF8StringEncoding] : @"NO";
126 OTControlCLI* ctl = [[OTControlCLI alloc] initWithOTControl:rpc];
128 NSError* escrowRequestError = nil;
129 EscrowRequestCLI* escrowctl = [[EscrowRequestCLI alloc] initWithEscrowRequest:[SecEscrowRequest request:&escrowRequestError]];
130 if(escrowRequestError) {
131 errx(1, "SecEscrowRequest failed: %s", [[escrowRequestError description] UTF8String]);
134 long ret = [ctl resetOctagon:container context:context altDSID:altDSID];
137 if(fetchAllBottles) {
138 return (int)[ctl fetchAllBottles:altDSID containerName:container context:context control:rpc];
141 NSString* entropyJSON = secretArg ? [NSString stringWithCString:secretArg encoding:NSUTF8StringEncoding] : nil;
142 NSString* bottleID = bottleIDArg ? [NSString stringWithCString:bottleIDArg encoding:NSUTF8StringEncoding] : nil;
144 if(!entropyJSON || !bottleID) {
149 NSData* entropy = [[NSData alloc] initWithBase64EncodedString:entropyJSON options:0];
155 return (int)[ctl recoverUsingBottleID:bottleID
158 containerName:container
163 return (int)[ctl depart:container context:context];
167 return (int)[ctl startOctagonStateMachine:container context:context];
171 return (int)[ctl signIn:altDSID container:container context:context];
175 return (int)[ctl signOut:container context:context];
179 return (int)[ctl status:container context:context json:json];
184 if([skipRateLimitingCheck isEqualToString:@"YES"]) {
189 return (int)[ctl healthCheck:container context:context skipRateLimitingCheck:skip];
192 if (radarNumber == NULL) {
195 return (int)[ctl tapToRadar:@"action" description:@"description" radar:[NSString stringWithUTF8String:radarNumber]];
199 return (int)[escrowctl trigger];
202 return (int)[escrowctl status];
205 return (int)[escrowctl reset];
208 return (int)[escrowctl storePrerecordsInEscrow];
214 dispatch_semaphore_t sema = dispatch_semaphore_create(0);
215 OTPairingInitiateWithCompletion(NULL, ^(bool success, NSError *pairingError) {
217 printf("successfully paired with companion\n");
219 printf("failed to pair with companion: %s\n", pairingError.description.UTF8String);
221 dispatch_semaphore_signal(sema);
223 dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER);
226 #endif /* TARGET_OS_WATCH */