]> git.saurik.com Git - apple/security.git/blob - secdxctests/KeychainXCTest.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-59306.11.20.tar.gz
[apple/security.git] / secdxctests / KeychainXCTest.m
1 /*
2 * Copyright (c) 2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #import "KeychainXCTest.h"
25 #import "SecDbKeychainItem.h"
26 #import "SecdTestKeychainUtilities.h"
27 #import "CKKS.h"
28 #import "SecDbKeychainItemV7.h"
29 #import "SecDbKeychainMetadataKeyStore.h"
30 #import "SecAKSObjCWrappers.h"
31 #import "SecItemPriv.h"
32 #import "SecTaskPriv.h"
33 #import "server_security_helpers.h"
34 #import "SecItemServer.h"
35 #import "spi.h"
36 #import "SecDbKeychainSerializedItemV7.h"
37 #import "SecDbKeychainSerializedMetadata.h"
38 #import "SecDbKeychainSerializedSecretData.h"
39 #import "SecDbKeychainSerializedAKSWrappedKey.h"
40 #import "SecCDKeychain.h"
41 #import <utilities/SecCFWrappers.h>
42 #import <SecurityFoundation/SFEncryptionOperation.h>
43 #import <SecurityFoundation/SFCryptoServicesErrors.h>
44 #import <SecurityFoundation/SFKeychain.h>
45 #import <XCTest/XCTest.h>
46 #import <OCMock/OCMock.h>
47
48 #if USE_KEYSTORE
49
50 @interface SecDbKeychainItemV7 ()
51
52 + (SFAESKeySpecifier*)keySpecifier;
53
54 @end
55
56 @interface FakeAKSRefKey : NSObject <SecAKSRefKey>
57 @end
58
59 @implementation FakeAKSRefKey {
60 SFAESKey* _key;
61 }
62
63 - (instancetype)initWithKeybag:(keybag_handle_t)keybag keyclass:(keyclass_t)keyclass
64 {
65 if (self = [super init]) {
66 _key = [[SFAESKey alloc] initRandomKeyWithSpecifier:[[SFAESKeySpecifier alloc] initWithBitSize:SFAESKeyBitSize256] error:nil];
67 }
68
69 return self;
70 }
71
72 - (instancetype)initWithBlob:(NSData*)blob keybag:(keybag_handle_t)keybag
73 {
74 if (self = [super init]) {
75 _key = [[SFAESKey alloc] initWithData:blob specifier:[[SFAESKeySpecifier alloc] initWithBitSize:SFAESKeyBitSize256] error:nil];
76 }
77
78 return self;
79 }
80
81 - (NSData*)wrappedDataForKey:(SFAESKey*)key
82 {
83 SFAuthenticatedEncryptionOperation* encryptionOperation = [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:[[SFAESKeySpecifier alloc] initWithBitSize:SFAESKeyBitSize256]];
84 return [NSKeyedArchiver archivedDataWithRootObject:[encryptionOperation encrypt:key.keyData withKey:_key error:nil] requiringSecureCoding:YES error:nil];
85 }
86
87 - (SFAESKey*)keyWithWrappedData:(NSData*)wrappedKeyData
88 {
89 SFAESKeySpecifier* keySpecifier = [[SFAESKeySpecifier alloc] initWithBitSize:SFAESKeyBitSize256];
90 SFAuthenticatedEncryptionOperation* encryptionOperation = [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:keySpecifier];
91 NSData* keyData = [encryptionOperation decrypt:[NSKeyedUnarchiver unarchivedObjectOfClass:[SFAuthenticatedCiphertext class] fromData:wrappedKeyData error:nil] withKey:_key error:nil];
92 return [[SFAESKey alloc] initWithData:keyData specifier:keySpecifier error:nil];
93 }
94
95 - (NSData*)refKeyBlob
96 {
97 return _key.keyData;
98 }
99
100 @end
101
102 @implementation SFKeychainServerFakeConnection {
103 NSArray* _fakeAccessGroups;
104 }
105
106 - (void)setFakeAccessGroups:(NSArray*)fakeAccessGroups
107 {
108 _fakeAccessGroups = fakeAccessGroups.copy;
109 }
110
111 - (NSArray*)clientAccessGroups
112 {
113 return _fakeAccessGroups ?: @[@"com.apple.token"];
114 }
115
116 @end
117
118 @implementation KeychainXCTest {
119 id _keychainPartialMock;
120 CFArrayRef _originalAccessGroups;
121 }
122
123 @synthesize keychainPartialMock = _keychainPartialMock;
124
125 + (void)setUp
126 {
127 [super setUp];
128
129 SecCKKSDisable();
130 securityd_init(NULL);
131 }
132
133 - (void)setUp
134 {
135 [super setUp];
136
137 self.lockState = LockStateUnlocked;
138 self.allowDecryption = true;
139 self.didAKSDecrypt = NO;
140 self.simulateRolledAKSKey = NO;
141
142
143 self.keyclassUsedForAKSDecryption = 0;
144
145 self.keySpecifier = [[SFAESKeySpecifier alloc] initWithBitSize:SFAESKeyBitSize256];
146 [self setNewFakeAKSKey:[NSData dataWithBytes:"1234567890123456789012345678901" length:32]];
147
148 [SecDbKeychainMetadataKeyStore resetSharedStore];
149
150 self.mockSecDbKeychainItemV7 = OCMClassMock([SecDbKeychainItemV7 class]);
151 [[[self.mockSecDbKeychainItemV7 stub] andCall:@selector(decryptionOperation) onObject:self] decryptionOperation];
152
153 self.mockSecAKSObjCWrappers = OCMClassMock([SecAKSObjCWrappers class]);
154 [[[[self.mockSecAKSObjCWrappers stub] andCall:@selector(fakeAKSEncryptWithKeybag:keyclass:plaintext:outKeyclass:ciphertext:error:) onObject:self] ignoringNonObjectArgs] aksEncryptWithKeybag:0 keyclass:0 plaintext:[OCMArg any] outKeyclass:NULL ciphertext:[OCMArg any] error:NULL];
155 [[[[self.mockSecAKSObjCWrappers stub] andCall:@selector(fakeAKSDecryptWithKeybag:keyclass:ciphertext:outKeyclass:plaintext:error:) onObject:self] ignoringNonObjectArgs] aksDecryptWithKeybag:0 keyclass:0 ciphertext:[OCMArg any] outKeyclass:NULL plaintext:[OCMArg any] error:NULL];
156
157 // bring back with <rdar://problem/37523001>
158 // [[[self.mockSecDbKeychainItemV7 stub] andCall:@selector(isKeychainUnlocked) onObject:self] isKeychainUnlocked];
159
160 id refKeyMock = OCMClassMock([SecAKSRefKey class]);
161 [[[refKeyMock stub] andCall:@selector(alloc) onObject:[FakeAKSRefKey class]] alloc];
162
163 NSArray* partsOfName = [self.name componentsSeparatedByCharactersInSet:[NSCharacterSet characterSetWithCharactersInString:@" ]"]];
164 secd_test_setup_temp_keychain([partsOfName[1] UTF8String], NULL);
165
166 _originalAccessGroups = SecAccessGroupsGetCurrent();
167 }
168
169 - (void)tearDown
170 {
171 [self.mockSecDbKeychainItemV7 stopMocking];
172 [self.mockSecAKSObjCWrappers stopMocking];
173 SecAccessGroupsSetCurrent(_originalAccessGroups);
174
175 [super tearDown];
176 }
177
178 - (bool)isKeychainUnlocked
179 {
180 return self.lockState == LockStateUnlocked;
181 }
182
183 - (id)decryptionOperation
184 {
185 return self.allowDecryption ? [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:[SecDbKeychainItemV7 keySpecifier]] : nil;
186 }
187
188 - (bool)setNewFakeAKSKey:(NSData*)newKeyData
189 {
190 NSError* error = nil;
191 self.fakeAKSKey = [[SFAESKey alloc] initWithData:newKeyData specifier:self.keySpecifier error:&error];
192 XCTAssertNil(error, "Should be no error making a fake AKS key");
193 XCTAssertNotNil(self.fakeAKSKey, "Should have received a fake AKS key");
194 return true;
195 }
196
197 - (bool)fakeAKSEncryptWithKeybag:(keybag_handle_t)keybag
198 keyclass:(keyclass_t)keyclass
199 plaintext:(NSData*)plaintext
200 outKeyclass:(keyclass_t*)outKeyclass
201 ciphertext:(NSMutableData*)ciphertextOut
202 error:(NSError**)error
203 {
204 if (self.lockState == LockStateLockedAndDisallowAKS) {
205 if (error) {
206 *error = [NSError errorWithDomain:(__bridge NSString *)kSecErrorDomain code:errSecInteractionNotAllowed userInfo:NULL];
207 }
208 return false;
209 }
210
211 uint32_t keyLength = (uint32_t)plaintext.length;
212 const uint8_t* keyBytes = plaintext.bytes;
213
214 NSData* dataToEncrypt = [NSData dataWithBytes:keyBytes length:keyLength];
215 NSError* localError = nil;
216
217 SFAuthenticatedEncryptionOperation* encryptionOperation = [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:self.keySpecifier];
218 encryptionOperation.authenticationCodeLength = 8;
219 SFAuthenticatedCiphertext* ciphertext = [encryptionOperation encrypt:dataToEncrypt withKey:self.fakeAKSKey error:&localError];
220
221 if (error) {
222 *error = localError;
223 }
224
225 if (ciphertext) {
226 void* wrappedKeyMutableBytes = ciphertextOut.mutableBytes;
227 memcpy(wrappedKeyMutableBytes, ciphertext.ciphertext.bytes, 32);
228 memcpy(wrappedKeyMutableBytes + 32, ciphertext.initializationVector.bytes, 32);
229 memcpy(wrappedKeyMutableBytes + 64, ciphertext.authenticationCode.bytes, 8);
230
231 if (self.simulateRolledAKSKey && outKeyclass) {
232 *outKeyclass = keyclass | (key_class_last + 1);
233 } else if (outKeyclass) {
234 *outKeyclass = keyclass;
235 }
236
237 return true;
238 }
239 else {
240 return false;
241 }
242 }
243
244 - (bool)fakeAKSDecryptWithKeybag:(keybag_handle_t)keybag
245 keyclass:(keyclass_t)keyclass
246 ciphertext:(NSData*)ciphertextIn
247 outKeyclass:(keyclass_t*)outKeyclass
248 plaintext:(NSMutableData*)plaintext
249 error:(NSError**)error
250 {
251 if (self.lockState == LockStateLockedAndDisallowAKS) {
252 if (error) {
253 *error = [NSError errorWithDomain:(__bridge NSString *)kSecErrorDomain code:errSecInteractionNotAllowed userInfo:NULL];
254 }
255 return false;
256 }
257
258 if (self.simulateRolledAKSKey && keyclass < key_class_last) {
259 // let's make decryption fail like it would if this were an old metadata key entry made with a generational AKS key, but we didn't store that info in the database
260 return false;
261 }
262
263 const uint8_t* wrappedKeyBytes = ciphertextIn.bytes;
264
265 NSData* ciphertextData = [NSData dataWithBytes:wrappedKeyBytes length:32];
266 NSData* ivData = [NSData dataWithBytes:wrappedKeyBytes + 32 length:32];
267 NSData* authCodeData = [NSData dataWithBytes:wrappedKeyBytes + 64 length:8];
268 SFAuthenticatedCiphertext* ciphertext = [[SFAuthenticatedCiphertext alloc] initWithCiphertext:ciphertextData authenticationCode:authCodeData initializationVector:ivData];
269
270 NSError* localError = nil;
271
272 SFAuthenticatedEncryptionOperation* encryptionOperation = [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:self.keySpecifier];
273 encryptionOperation.authenticationCodeLength = 8;
274 NSData* decryptedData = [encryptionOperation decrypt:ciphertext withKey:self.fakeAKSKey error:&localError];
275
276 // in real securityd, we go through AKS rather than SFCryptoServices
277 // we need to translate the error for proper handling
278 if ([localError.domain isEqualToString:SFCryptoServicesErrorDomain] && localError.code == SFCryptoServicesErrorDecryptionFailed) {
279 if (!self.simulateRolledAKSKey && keyclass > key_class_last) {
280 // for this case we want to simulate what happens when we try decrypting with a rolled keyclass on a device which has never been rolled, which is it ends up with a NotPermitted error from AKS which the security layer translates as locked keybag
281 localError = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecInteractionNotAllowed userInfo:nil];
282 }
283 else {
284 localError = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecDecode userInfo:nil];
285 }
286 }
287
288 if (error) {
289 *error = localError;
290 }
291
292 self.keyclassUsedForAKSDecryption = keyclass;
293 if (decryptedData && decryptedData.length <= plaintext.length) {
294 memcpy(plaintext.mutableBytes, decryptedData.bytes, decryptedData.length);
295 plaintext.length = decryptedData.length;
296 self.didAKSDecrypt = YES;
297 return true;
298 }
299 else {
300 return false;
301 }
302 }
303
304 - (NSData*)getDatabaseKeyDataithError:(NSError**)error
305 {
306 if (_lockState == LockStateUnlocked) {
307 return [NSData dataWithBytes:"1234567890123456789012345678901" length:32];
308 }
309 else {
310 if (error) {
311 // <rdar://problem/38972671> add SFKeychainErrorDeviceLocked
312 *error = [NSError errorWithDomain:SFKeychainErrorDomain code:SFKeychainErrorFailedToCommunicateWithServer userInfo:nil];
313 }
314 return nil;
315 }
316 }
317
318 // Mock SecTask entitlement retrieval API, so that we can test access group entitlement parsing code in SecTaskCopyAccessGroups()
319 static NSDictionary *currentEntitlements = nil;
320 static BOOL currentEntitlementsValidated = false;
321 static NSArray *currentAccessGroups = nil;
322
323 CFTypeRef SecTaskCopyValueForEntitlement(SecTaskRef task, CFStringRef entitlement, CFErrorRef *error) {
324 id value = currentEntitlements[(__bridge id)entitlement];
325 if (value == nil && error != NULL) {
326 *error = (CFErrorRef)CFBridgingRetain([NSError errorWithDomain:NSPOSIXErrorDomain code:EINVAL userInfo:nil]);
327 }
328 return CFBridgingRetain(value);
329 }
330
331 Boolean SecTaskEntitlementsValidated(SecTaskRef task) {
332 return currentEntitlementsValidated;
333 }
334
335 - (void)setEntitlements:(NSDictionary<NSString *, id> *)entitlements validated:(BOOL)validated {
336 currentEntitlements = entitlements;
337 currentEntitlementsValidated = validated;
338 id task = CFBridgingRelease(SecTaskCreateFromSelf(kCFAllocatorDefault));
339 currentAccessGroups = CFBridgingRelease(SecTaskCopyAccessGroups((__bridge SecTaskRef)task));
340 SecAccessGroupsSetCurrent((__bridge CFArrayRef)currentAccessGroups);
341 }
342
343 @end
344
345 #endif
mirror of Security