]> git.saurik.com Git - apple/security.git/blob - OSX/sec/ipc/securityd_client.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57337.60.2.tar.gz
[apple/security.git] / OSX / sec / ipc / securityd_client.h
1 /*
2 * Copyright (c) 2007-2009,2012-2015 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 #ifndef _SECURITYD_CLIENT_H_
24 #define _SECURITYD_CLIENT_H_
25
26 #include <stdint.h>
27
28 #include <Security/SecTrust.h>
29 #include <Security/SecTask.h>
30 #ifndef MINIMIZE_INCLUDES
31 # include <Security/SecTrustStore.h>
32 # include <Security/SecCertificatePath.h>
33 #else
34 typedef struct __SecTrustStore *SecTrustStoreRef;
35 # ifndef _SECURITY_SECCERTIFICATE_H_
36 typedef struct __SecCertificate *SecCertificateRef;
37 # endif // _SECURITY_SECCERTIFICATE_H_
38 # ifndef _SECURITY_SECCERTIFICATEPATH_H_
39 typedef struct SecCertificatePath *SecCertificatePathRef;
40 # endif // _SECURITY_SECCERTIFICATEPATH_H_
41 #endif // MINIMIZE_INCLUDES
42
43 #if TARGET_OS_EMBEDDED
44 #include <libaks.h>
45 #endif
46
47 #include <CoreFoundation/CFArray.h>
48 #include <CoreFoundation/CFDictionary.h>
49 #include <CoreFoundation/CFError.h>
50
51 #include <Security/SecureObjectSync/SOSCloudCircle.h>
52 #include <Security/SecureObjectSync/SOSPeerInfo.h>
53 #include <Security/SecureObjectSync/SOSRing.h>
54
55 #include <xpc/xpc.h>
56 #include <CoreFoundation/CFXPCBridge.h>
57
58 // TODO: This should be in client of XPC code locations...
59 #if SECITEM_SHIM_OSX
60 #define kSecuritydXPCServiceName "com.apple.securityd.xpc"
61 #define kTrustdAgentXPCServiceName "com.apple.trustd.agent"
62 #define kTrustdXPCServiceName "com.apple.trustd"
63 #else
64 #define kSecuritydXPCServiceName "com.apple.securityd"
65 #define kTrustdAgentXPCServiceName "com.apple.securityd"
66 #define kTrustdXPCServiceName "com.apple.securityd"
67 #endif // *** END SECITEM_SHIM_OSX ***
68
69 //
70 // MARK: XPC Information.
71 //
72
73 extern CFStringRef sSecXPCErrorDomain;
74
75 extern const char *kSecXPCKeyOperation;
76 extern const char *kSecXPCKeyResult;
77 extern const char *kSecXPCKeyError;
78 extern const char *kSecXPCKeyPeerInfos;
79 extern const char *kSecXPCKeyUserLabel;
80 extern const char *kSecXPCKeyBackup;
81 extern const char *kSecXPCKeyKeybag;
82 extern const char *kSecXPCKeyUserPassword;
83 extern const char *kSecXPCKeyDSID;
84 extern const char *kSecXPCKeyViewName;
85 extern const char *kSecXPCKeyViewActionCode;
86 extern const char *kSecXPCKeyNewPublicBackupKey;
87 extern const char *kSecXPCKeyIncludeV0;
88 extern const char *kSecXPCKeyEnabledViewsKey;
89 extern const char *kSecXPCKeyDisabledViewsKey;
90 extern const char *kSecXPCKeyEscrowLabel;
91 extern const char *kSecXPCKeyAvailability;
92 extern const char *kSecXPCKeyFileDescriptor;
93 //
94 // MARK: Dispatch macros
95 //
96
97 #define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
98
99 //
100 // MARK: Object to XPC format conversion.
101 //
102
103
104 //
105 // MARK: XPC Interfaces
106 //
107
108 extern const char *kSecXPCKeyOperation;
109 extern const char *kSecXPCKeyResult;
110 extern const char *kSecXPCKeyError;
111 extern const char *kSecXPCKeyPeerInfos;
112 extern const char *kSecXPCKeyUserLabel;
113 extern const char *kSecXPCKeyUserPassword;
114 extern const char *kSecXPCKeyDSID;
115 extern const char *kSecXPCLimitInMinutes;
116 extern const char *kSecXPCKeyQuery;
117 extern const char *kSecXPCKeyAttributesToUpdate;
118 extern const char *kSecXPCKeyDomain;
119 extern const char *kSecXPCKeyDigest;
120 extern const char *kSecXPCKeyCertificate;
121 extern const char *kSecXPCKeySettings;
122 extern const char *kSecXPCPublicPeerId; // Public peer id
123 extern const char *kSecXPCOTRSession; // OTR session bytes
124 extern const char *kSecXPCData; // Data to process
125 extern const char *kSecXPCOTRReady; // OTR ready for messages
126 extern const char *kSecXPCKeyDeviceID;
127 extern const char *kSecXPCKeyIDSMessage;
128 extern const char *kSecXPCKeyViewName;
129 extern const char *kSecXPCKeyViewActionCode;
130 extern const char *kSecXPCKeySendIDSMessage;
131 extern const char *kSecXPCKeyHSA2AutoAcceptInfo;
132 extern const char *kSecXPCKeyEscrowLabel;
133 extern const char *kSecXPCKeyTriesLabel;
134 extern const char *kSecXPCKeyString;
135
136 extern const char *kSecXPCKeyReason;
137
138 //
139 // MARK: Mach port request IDs
140 //
141 enum SecXPCOperation {
142 sec_item_add_id = 0,
143 sec_item_copy_matching_id = 1,
144 sec_item_update_id = 2,
145 sec_item_delete_id = 3,
146 // trust_store_for_domain -- NOT an ipc
147 sec_trust_store_contains_id = 4,
148 sec_trust_store_set_trust_settings_id = 5,
149 sec_trust_store_remove_certificate_id = 6,
150 // remove_all -- NOT an ipc
151 sec_delete_all_id = 7,
152 sec_trust_evaluate_id = 8,
153 // Any new items MUST be added below here
154 // This allows updating roots on a device, since SecTrustEvaluate must continue to work
155 sec_keychain_backup_id,
156 sec_keychain_restore_id,
157 sec_keychain_backup_syncable_id,
158 sec_keychain_restore_syncable_id,
159 sec_item_backup_copy_names_id,
160 sec_item_backup_handoff_fd_id,
161 sec_item_backup_set_confirmed_manifest_id,
162 sec_item_backup_restore_id,
163 sec_keychain_sync_update_message_id,
164 sec_ota_pki_asset_version_id,
165 sec_otr_session_create_remote_id,
166 sec_otr_session_process_packet_remote_id,
167 kSecXPCOpOTAPKIGetNewAsset,
168 kSecXPCOpOTAGetEscrowCertificates,
169 kSecXPCOpProcessUnlockNotification,
170 kSecXPCOpProcessSyncWithAllPeers,
171 kSecXPCOpRollKeys,
172 sec_add_shared_web_credential_id,
173 sec_copy_shared_web_credential_id,
174 sec_get_log_settings_id,
175 sec_set_xpc_log_settings_id,
176 sec_set_circle_log_settings_id,
177 soscc_EnsurePeerRegistration_id,
178 kSecXPCOpRequestEnsureFreshParameters,
179 kSecXPCOpGetAllTheRings,
180 kSecXPCOpApplyToARing,
181 kSecXPCOpWithdrawlFromARing,
182 kSecXPCOpEnableRing,
183 kSecXPCOpRingStatus,
184 kSecXPCOpRequestDeviceID,
185 kSecXPCOpSetDeviceID,
186 kSecXPCOpHandleIDSMessage,
187 kSecXPCOpSendIDSMessage,
188 kSecXPCOpPingTest,
189 kSecXPCOpIDSDeviceID,
190 // any process using an operation below here is required to have entitlement keychain-cloud-circle
191 kSecXPCOpTryUserCredentials,
192 kSecXPCOpSetUserCredentials,
193 kSecXPCOpSetUserCredentialsAndDSID,
194 kSecXPCOpCanAuthenticate,
195 kSecXPCOpPurgeUserCredentials,
196 kSecXPCOpDeviceInCircle,
197 kSecXPCOpRequestToJoin,
198 kSecXPCOpRequestToJoinAfterRestore,
199 kSecXPCOpResetToOffering,
200 kSecXPCOpResetToEmpty,
201 kSecXPCOpView,
202 kSecXPCOpViewSet,
203 kSecXPCOpSecurityProperty,
204 kSecXPCOpRemoveThisDeviceFromCircle,
205 kSecXPCOpRemovePeersFromCircle,
206 kSecXPCOpLoggedOutOfAccount,
207 kSecXPCOpBailFromCircle,
208 kSecXPCOpAcceptApplicants,
209 kSecXPCOpRejectApplicants,
210 kSecXPCOpCopyApplicantPeerInfo,
211 kSecXPCOpCopyValidPeerPeerInfo,
212 kSecXPCOpValidateUserPublic,
213 kSecXPCOpCopyNotValidPeerPeerInfo,
214 kSecXPCOpCopyPeerPeerInfo,
215 kSecXPCOpCopyConcurringPeerPeerInfo,
216 kSecXPCOpCopyGenerationPeerInfo,
217 kSecXPCOpGetLastDepartureReason,
218 kSecXPCOpSetLastDepartureReason,
219 kSecXPCOpCopyIncompatibilityInfo,
220 kSecXPCOpCopyRetirementPeerInfo,
221 kSecXPCOpCopyViewUnawarePeerInfo,
222 kSecXPCOpCopyEngineState,
223 kSecXPCOpCopyMyPeerInfo,
224 kSecXPCOpAccountSetToNew,
225 kSecXPCOpSetHSA2AutoAcceptInfo,
226 kSecXPCOpSetNewPublicBackupKey,
227 kSecXPCOpSetBagForAllSlices,
228 kSecXPCOpWaitForInitialSync,
229 kSecXPCOpCopyYetToSyncViews,
230 kSecXPCOpSetEscrowRecord,
231 kSecXPCOpGetEscrowRecord,
232 kSecXPCOpCheckPeerAvailability,
233 kSecXPCOpCopyAccountData,
234 kSecXPCOpDeleteAccountData,
235 kSecXPCOpCopyEngineData,
236 kSecXPCOpDeleteEngineData,
237 /* after this is free for all */
238 kSecXPCOpWhoAmI,
239 kSecXPCOpTransmogrifyToSyncBubble,
240 kSecXPCOpTransmogrifyToSystemKeychain,
241 kSecXPCOpWrapToBackupSliceKeyBagForView,
242 kSecXPCOpDeleteUserView,
243 };
244
245
246 typedef struct {
247 SecTaskRef task;
248 CFArrayRef accessGroups;
249 bool allowSystemKeychain;
250 bool allowSyncBubbleKeychain;
251 bool isNetworkExtension;
252 uid_t uid;
253 CFDataRef musr;
254 #if TARGET_OS_EMBEDDED
255 keybag_handle_t keybag;
256 #endif
257 #if TARGET_OS_IPHONE
258 bool inMultiUser;
259 int activeUser;
260 #endif
261 } SecurityClient;
262
263
264 extern SecurityClient * SecSecurityClientGet(void);
265 #if TARGET_OS_IOS
266 void SecSecuritySetMusrMode(bool mode, uid_t uid, int activeUser);
267 #endif
268
269 struct securityd {
270 bool (*sec_item_add)(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
271 bool (*sec_item_copy_matching)(CFDictionaryRef query, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
272 bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, SecurityClient *client, CFErrorRef* error);
273 bool (*sec_item_delete)(CFDictionaryRef query, SecurityClient *client, CFErrorRef* error);
274 bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
275 bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
276 SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error); // TODO: remove, has no msg id
277 bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error);
278 bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error);
279 bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error);
280 bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error); // TODO: remove, has no msg id
281 bool (*sec_item_delete_all)(CFErrorRef* error);
282 SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error);
283 CFDataRef (*sec_keychain_backup)(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
284 bool (*sec_keychain_restore)(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
285 CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
286 bool (*sec_keychain_restore_syncable)(CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
287 CFArrayRef (*sec_item_backup_copy_names)(CFErrorRef *error);
288 int (*sec_item_backup_handoff_fd)(CFStringRef backupName, CFErrorRef *error);
289 bool (*sec_item_backup_set_confirmed_manifest)(CFStringRef backupName, CFDataRef keybagDigest, CFDataRef manifest, CFErrorRef *error);
290 bool (*sec_item_backup_restore)(CFStringRef backupName, CFStringRef peerID, CFDataRef keybag, CFDataRef secret, CFDataRef backup, CFErrorRef *error);
291 int (*sec_ota_pki_asset_version)(CFErrorRef* error);
292 CFDataRef (*sec_otr_session_create_remote)(CFDataRef publicPeerId, CFErrorRef* error);
293 bool (*sec_otr_session_process_packet_remote)(CFDataRef sessionData, CFDataRef inputPacket, CFDataRef* outputSessionData, CFDataRef* outputPacket, bool *readyForMessages, CFErrorRef* error);
294 bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
295 bool (*soscc_SetUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
296 bool (*soscc_SetUserCredentialsAndDSID)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
297 bool (*soscc_CanAuthenticate)(CFErrorRef *error);
298 bool (*soscc_PurgeUserCredentials)(CFErrorRef *error);
299 SOSCCStatus (*soscc_ThisDeviceIsInCircle)(CFErrorRef* error);
300 bool (*soscc_RequestToJoinCircle)(CFErrorRef* error);
301 bool (*soscc_RequestToJoinCircleAfterRestore)(CFErrorRef* error);
302 bool (*soscc_RequestEnsureFreshParameters)(CFErrorRef* error);
303 CFStringRef (*soscc_GetAllTheRings)(CFErrorRef *error);
304 bool (*soscc_ApplyToARing)(CFStringRef ringName, CFErrorRef* error);
305 bool (*soscc_WithdrawlFromARing)(CFStringRef ringName, CFErrorRef* error);
306 bool (*soscc_EnableRing)(CFStringRef ringName, CFErrorRef* error);
307 SOSRingStatus (*soscc_RingStatus)(CFStringRef ringName, CFErrorRef* error);
308 CFStringRef (*soscc_CopyDeviceID)(CFErrorRef* error);
309 bool (*soscc_SetDeviceID)(CFStringRef IDS, CFErrorRef *error);
310 HandleIDSMessageReason (*soscc_HandleIDSMessage)(CFDictionaryRef IDS, CFErrorRef *error);
311 bool (*soscc_CheckIDSRegistration)(CFStringRef message, CFErrorRef *error);
312 bool (*soscc_PingTest)(CFStringRef message, CFErrorRef *error);
313 bool (*soscc_GetIDSIDFromIDS)(CFErrorRef *error);
314 bool (*soscc_SetToNew)(CFErrorRef *error);
315 bool (*soscc_ResetToOffering)(CFErrorRef* error);
316 bool (*soscc_ResetToEmpty)(CFErrorRef* error);
317 SOSViewResultCode (*soscc_View)(CFStringRef view, SOSViewActionCode action, CFErrorRef *error);
318 bool (*soscc_ViewSet)(CFSetRef enabledViews, CFSetRef disabledViews);
319 SOSSecurityPropertyResultCode (*soscc_SecurityProperty)(CFStringRef property, SOSSecurityPropertyActionCode action, CFErrorRef *error);
320 bool (*soscc_RegisterSingleRecoverySecret)(CFDataRef backupSlice, bool forV0Only, CFErrorRef *error);
321 bool (*soscc_RemoveThisDeviceFromCircle)(CFErrorRef* error);
322 bool (*soscc_RemovePeersFromCircle)(CFArrayRef peers, CFErrorRef* error);
323 bool (*soscc_LoggedOutOfAccount)(CFErrorRef* error);
324 bool (*soscc_BailFromCircle)(uint64_t limit_in_seconds, CFErrorRef* error);
325 bool (*soscc_AcceptApplicants)(CFArrayRef applicants, CFErrorRef* error);
326 bool (*soscc_RejectApplicants)(CFArrayRef applicants, CFErrorRef* error);
327 SOSPeerInfoRef (*soscc_SetNewPublicBackupKey)(CFDataRef pubKey, CFErrorRef *error);
328 bool (*soscc_ValidateUserPublic)(CFErrorRef* error);
329 CFArrayRef (*soscc_CopyGenerationPeerInfo)(CFErrorRef* error);
330 CFArrayRef (*soscc_CopyApplicantPeerInfo)(CFErrorRef* error);
331 CFArrayRef (*soscc_CopyValidPeerPeerInfo)(CFErrorRef* error);
332 CFArrayRef (*soscc_CopyNotValidPeerPeerInfo)(CFErrorRef* error);
333 CFArrayRef (*soscc_CopyRetirementPeerInfo)(CFErrorRef* error);
334 CFArrayRef (*soscc_CopyViewUnawarePeerInfo)(CFErrorRef* error);
335 CFArrayRef (*soscc_CopyEngineState)(CFErrorRef* error);
336 // Not sure why these are below the last entry in the enum order above, but they are:
337 CFArrayRef (*soscc_CopyPeerInfo)(CFErrorRef* error);
338 CFArrayRef (*soscc_CopyConcurringPeerInfo)(CFErrorRef* error);
339 CFStringRef (*soscc_CopyIncompatibilityInfo)(CFErrorRef* error);
340 enum DepartureReason (*soscc_GetLastDepartureReason)(CFErrorRef* error);
341 bool (*soscc_SetLastDepartureReason)(enum DepartureReason, CFErrorRef* error);
342 CFArrayRef (*ota_CopyEscrowCertificates)(uint32_t escrowRootType, CFErrorRef* error);
343 int (*sec_ota_pki_get_new_asset)(CFErrorRef* error);
344 SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers)(CFErrorRef* error);
345 bool (*soscc_EnsurePeerRegistration)(CFErrorRef* error);
346 bool (*sec_roll_keys)(bool force, CFErrorRef* error);
347 CFArrayRef (*sec_keychain_sync_update_message)(CFDictionaryRef update, CFErrorRef *error);
348 CFPropertyListRef (*sec_get_log_settings)(CFErrorRef* error);
349 bool (*sec_set_xpc_log_settings)(CFTypeRef type, CFErrorRef* error);
350 bool (*sec_set_circle_log_settings)(CFTypeRef type, CFErrorRef* error);
351 SOSPeerInfoRef (*soscc_CopyMyPeerInfo)(CFErrorRef*);
352 bool (*soscc_SetHSA2AutoAcceptInfo)(CFDataRef, CFErrorRef*);
353 bool (*soscc_WaitForInitialSync)(CFErrorRef*);
354 CFArrayRef (*soscc_CopyYetToSyncViewsList)(CFErrorRef*);
355 bool (*soscc_SetEscrowRecords)(CFStringRef escrow_label, uint64_t tries, CFErrorRef *error);
356 CFDictionaryRef (*soscc_CopyEscrowRecords)(CFErrorRef *error);
357 bool (*soscc_PeerAvailability)(CFErrorRef *error);
358 bool (*sosbskb_WrapToBackupSliceKeyBagForView)(CFStringRef viewName, CFDataRef input, CFDataRef* output, CFDataRef* bskbEncoded, CFErrorRef* error);
359 CFDataRef (*soscc_CopyAccountState)(CFErrorRef *error);
360 bool (*soscc_DeleteAccountState)(CFErrorRef *error);
361 CFDataRef (*soscc_CopyEngineData)(CFErrorRef *error);
362 bool (*soscc_DeleteEngineState)(CFErrorRef *error);
363 };
364
365 extern struct securityd *gSecurityd;
366
367 CFArrayRef SecAccessGroupsGetCurrent(void);
368
369 // TODO Rename me
370 CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op);
371 xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error);
372 xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error);
373 bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error);
374
375
376 bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error,
377 bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
378 bool (^handle_response)(xpc_object_t response, CFErrorRef* error));
379
380 // For testing only, never call this in a threaded program!
381 void SecServerSetMachServiceName(const char *name);
382
383
384 #endif /* _SECURITYD_CLIENT_H_ */
mirror of Security