]> git.saurik.com Git - apple/security.git/blob - OSX/sec/ipc/securityd_client.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-59754.41.1.tar.gz
[apple/security.git] / OSX / sec / ipc / securityd_client.h
1 /*
2 * Copyright (c) 2007-2020 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 #ifndef _SECURITYD_CLIENT_H_
24 #define _SECURITYD_CLIENT_H_
25
26 #include <stdint.h>
27
28 #include "keychain/securityd/SecKeybagSupport.h"
29
30 #include <Security/SecTrust.h>
31 #include <Security/SecTask.h>
32 #ifndef MINIMIZE_INCLUDES
33
34 #pragma clang diagnostic push
35 #pragma clang diagnostic ignored "-Wfour-char-constants"
36 # include "OSX/sec/Security/SecTrustStore.h"
37 #pragma clang diagnostic pop
38
39 #else
40 typedef struct __SecTrustStore *SecTrustStoreRef;
41 //# ifndef _SECURITY_SECCERTIFICATE_H_
42 //typedef struct __SecCertificate *SecCertificateRef;
43 //# endif // _SECURITY_SECCERTIFICATE_H_
44 #endif // MINIMIZE_INCLUDES
45
46 #include "OSX/utilities/SecAKSWrappers.h"
47
48 #include <CoreFoundation/CFArray.h>
49 #include <CoreFoundation/CFDictionary.h>
50 #include <CoreFoundation/CFError.h>
51
52 #include "keychain/SecureObjectSync/SOSCloudCircle.h"
53 #include "keychain/SecureObjectSync/SOSPeerInfo.h"
54 #include "keychain/SecureObjectSync/SOSRing.h"
55
56 #include <xpc/xpc.h>
57 #include <CoreFoundation/CFXPCBridge.h>
58
59 #include <TargetConditionals.h>
60
61 #if TARGET_OS_OSX
62 #define kSecuritydXPCServiceName "com.apple.securityd.xpc"
63 #define kSecuritydSystemXPCServiceName "com.apple.securityd.system.xpc"
64 #define kTrustdAgentXPCServiceName "com.apple.trustd.agent"
65 #define kTrustdXPCServiceName "com.apple.trustd"
66 #else
67 #define kSecuritydXPCServiceName "com.apple.securityd"
68 #define kTrustdAgentXPCServiceName "com.apple.trustd"
69 #define kTrustdXPCServiceName "com.apple.trustd"
70 #endif // *** END TARGET_OS_OSX ***
71
72 #define kSecuritydGeneralServiceName "com.apple.securityd.general"
73 #define kSecuritydSOSServiceName "com.apple.securityd.sos"
74
75 //
76 // MARK: XPC Information.
77 //
78
79 #if TARGET_OS_IPHONE
80 extern CFStringRef sSecXPCErrorDomain;
81 #endif
82
83 extern const char *kSecXPCKeyOperation;
84 extern const char *kSecXPCKeyResult;
85 extern const char *kSecXPCKeyEndpoint;
86 extern const char *kSecXPCKeyError;
87 extern const char *kSecXPCKeyPeerInfoArray;
88 extern const char *kSecXPCKeyUserLabel;
89 extern const char *kSecXPCKeyBackup;
90 extern const char *kSecXPCKeyKeybag;
91 extern const char *kSecXPCKeyFlags;
92 extern const char *kSecXPCKeyUserPassword;
93 extern const char *kSecXPCKeyEMCSBackup;
94 extern const char *kSecXPCKeyDSID;
95 extern const char *kSecXPCKeyViewName;
96 extern const char *kSecXPCKeyViewActionCode;
97 extern const char *kSecXPCKeyNewPublicBackupKey;
98 extern const char *kSecXPCKeyRecoveryPublicKey;
99 extern const char *kSecXPCKeyIncludeV0;
100 extern const char *kSecXPCKeyEnabledViewsKey;
101 extern const char *kSecXPCKeyDisabledViewsKey;
102 extern const char *kSecXPCKeyEscrowLabel;
103 extern const char *kSecXPCKeyTriesLabel;
104 extern const char *kSecXPCKeyFileDescriptor;
105 extern const char *kSecXPCKeyAccessGroups;
106 extern const char *kSecXPCKeyClasses;
107 extern const char *kSecXPCKeyNormalizedIssuer;
108 extern const char *kSecXPCKeySerialNumber;
109 extern const char *kSecXPCKeyBackupKeybagIdentifier;
110 extern const char *kSecXPCKeyBackupKeybagPath;
111
112 //
113 // MARK: Dispatch macros
114 //
115
116 #define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
117 #define TRUSTD_XPC(sdp, wrapper, ...) ((gTrustd && gTrustd->sdp) ? gTrustd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
118
119 #define TRUSTD_XPC_ASYNC(sdp, wrapper, q, h, ...) do { \
120 if (gTrustd != NULL && gTrustd->sdp != NULL) { \
121 dispatch_async(q, ^{ \
122 CFErrorRef _error = NULL; \
123 SecTrustResultType _tr = gTrustd->sdp(__VA_ARGS__, &_error); \
124 h(_tr, _error); \
125 }); \
126 } else { \
127 wrapper(q, h, sdp ## _id, __VA_ARGS__); \
128 } \
129 } while (0)
130
131 //
132 // MARK: Object to XPC format conversion.
133 //
134
135
136 //
137 // MARK: XPC Interfaces
138 //
139
140 extern const char *kSecXPCKeyPeerInfo;
141 extern const char *kSecXPCLimitInMinutes;
142 extern const char *kSecXPCKeyQuery;
143 extern const char *kSecXPCKeyAttributesToUpdate;
144 extern const char *kSecXPCKeyDomain;
145 extern const char *kSecXPCKeyDigest;
146 extern const char *kSecXPCKeyCertificate;
147 extern const char *kSecXPCKeySettings;
148 extern const char *kSecXPCPublicPeerId; // Public peer id
149 extern const char *kSecXPCOTRSession; // OTR session bytes
150 extern const char *kSecXPCData; // Data to process
151 extern const char *kSecXPCOTRReady; // OTR ready for messages
152 extern const char *kSecXPCKeyViewName;
153 extern const char *kSecXPCKeyViewActionCode;
154 extern const char *kSecXPCKeyHSA2AutoAcceptInfo;
155 extern const char *kSecXPCKeyString;
156 extern const char *kSecXPCKeyArray;
157 extern const char *kSecXPCKeySet;
158 extern const char *kSecXPCKeySet2;
159 extern const char *kSecXPCVersion;
160 extern const char *kSecXPCKeySignInAnalytics;
161 extern const char *kSecXPCKeyReason;
162
163 //
164 // MARK: Mach port request IDs
165 //
166 enum SecXPCOperation {
167 sec_item_add_id = 0,
168 sec_item_copy_matching_id = 1,
169 sec_item_update_id = 2,
170 sec_item_delete_id = 3,
171 // trust_store_for_domain -- NOT an ipc
172 sec_trust_store_contains_id = 4,
173 sec_trust_store_set_trust_settings_id = 5,
174 sec_trust_store_remove_certificate_id = 6,
175 // remove_all -- NOT an ipc
176 sec_delete_all_id = 7,
177 sec_trust_evaluate_id = 8,
178 // Any new items MUST be added below here
179 // This allows updating roots on a device, since SecTrustEvaluate must continue to work
180 sec_keychain_backup_id,
181 sec_keychain_restore_id,
182 sec_keychain_backup_syncable_id,
183 sec_keychain_restore_syncable_id,
184 sec_item_backup_copy_names_id,
185 sec_item_backup_ensure_copy_view_id,
186 sec_item_backup_handoff_fd_id,
187 sec_item_backup_set_confirmed_manifest_id,
188 sec_item_backup_restore_id,
189 sec_keychain_sync_update_message_id,
190 sec_ota_pki_trust_store_version_id,
191 sec_ota_pki_asset_version_id,
192 sec_otr_session_create_remote_id,
193 sec_otr_session_process_packet_remote_id,
194 kSecXPCOpOTAPKIGetNewAsset,
195 kSecXPCOpOTAGetEscrowCertificates,
196 kSecXPCOpOTAPKICopyTrustedCTLogs,
197 kSecXPCOpOTAPKICopyCTLogForKeyID,
198 kSecXPCOpProcessUnlockNotification,
199 kSecXPCOpProcessSyncWithAllPeers,
200 kSecXPCOpRollKeys,
201 sec_add_shared_web_credential_id,
202 sec_copy_shared_web_credential_id,
203 sec_get_log_settings_id,
204 sec_set_xpc_log_settings_id,
205 sec_set_circle_log_settings_id,
206 soscc_EnsurePeerRegistration_id,
207 kSecXPCOpRequestDeviceID,
208 kSecXPCOpSetDeviceID,
209 kSecXPCOpHandleIDSMessage,
210 kSecXPCOpSyncWithKVSPeer,
211 kSecXPCOpSyncWithIDSPeer,
212 kSecXPCOpSendIDSMessage,
213 kSecXPCOpPingTest,
214 kSecXPCOpIDSDeviceID,
215 kSecXPCOpSyncWithKVSPeerIDOnly,
216 // any process using an operation below here is required to have entitlement keychain-cloud-circle
217 kSecXPCOpTryUserCredentials,
218 kSecXPCOpSetUserCredentials,
219 kSecXPCOpSetUserCredentialsAndDSID,
220 kSecXPCOpCanAuthenticate,
221 kSecXPCOpPurgeUserCredentials,
222 kSecXPCOpDeviceInCircle,
223 kSecXPCOpRequestToJoin,
224 kSecXPCOpRequestToJoinAfterRestore,
225 kSecXPCOpResetToOffering,
226 kSecXPCOpResetToEmpty,
227 kSecXPCOpView,
228 kSecXPCOpViewSet,
229 kSecXPCOpRemoveThisDeviceFromCircle,
230 kSecXPCOpRemovePeersFromCircle,
231 kSecXPCOpLoggedIntoAccount,
232 kSecXPCOpLoggedOutOfAccount,
233 kSecXPCOpBailFromCircle,
234 kSecXPCOpAcceptApplicants,
235 kSecXPCOpRejectApplicants,
236 kSecXPCOpCopyApplicantPeerInfo,
237 kSecXPCOpCopyValidPeerPeerInfo,
238 kSecXPCOpValidateUserPublic,
239 kSecXPCOpCopyNotValidPeerPeerInfo,
240 kSecXPCOpCopyPeerPeerInfo,
241 kSecXPCOpCopyConcurringPeerPeerInfo,
242 kSecXPCOpCopyGenerationPeerInfo,
243 kSecXPCOpGetLastDepartureReason,
244 kSecXPCOpSetLastDepartureReason,
245 kSecXPCOpCopyRetirementPeerInfo,
246 kSecXPCOpCopyViewUnawarePeerInfo,
247 kSecXPCOpCopyEngineState,
248 kSecXPCOpCopyMyPeerInfo,
249 kSecXPCOpAccountSetToNew,
250 kSecXPCOpSetNewPublicBackupKey,
251 kSecXPCOpSetBagForAllSlices,
252 kSecXPCOpWaitForInitialSync,
253 kSecXPCOpCheckPeerAvailability,
254 kSecXPCOpCopyApplication,
255 kSecXPCOpCopyCircleJoiningBlob,
256 kSecXPCOpJoinWithCircleJoiningBlob,
257 kSecXPCOpKVSKeyCleanup,
258 kSecXPCOpAccountHasPublicKey,
259 kSecXPCOpClearKVSPeerMessage,
260 kSecXPCOpRegisterRecoveryPublicKey,
261 kSecXPCOpGetRecoveryPublicKey,
262 kSecXPCOpCopyInitialSyncBlob,
263 /* after this is free for all */
264 kSecXPCOpWhoAmI,
265 kSecXPCOpTransmogrifyToSyncBubble,
266 kSecXPCOpTransmogrifyToSystemKeychain,
267 sec_item_update_token_items_for_access_groups_id,
268 kSecXPCOpDeleteUserView,
269 sec_trust_store_copy_all_id,
270 sec_trust_store_copy_usage_constraints_id,
271 sec_ocsp_cache_flush_id,
272 sec_delete_items_with_access_groups_id,
273 sec_keychain_backup_keybag_uuid_id,
274 kSecXPCOpPeersHaveViewsEnabled,
275 kSecXPCOpProcessSyncWithPeers,
276 kSecXPCOpMessageFromPeerIsPending,
277 kSecXPCOpSendToPeerIsPending,
278 sec_item_copy_parent_certificates_id,
279 sec_item_certificate_exists_id,
280 kSecXPCOpBackupKeybagAdd,
281 kSecXPCOpBackupKeybagDelete,
282 kSecXPCOpSFKeychainEndpoint,
283 kSecXPCOpKeychainControlEndpoint,
284 kSecXPCOpNetworkingAnalyticsReport,
285 kSecXPCOpSetCTExceptions,
286 kSecXPCOpCopyCTExceptions,
287 kSecXPCOpOTASecExperimentGetAsset,
288 kSecXPCOpOTASecExperimentGetNewAsset,
289 sec_trust_get_exception_reset_count_id,
290 sec_trust_increment_exception_reset_count_id,
291 kSecXPCOpSetCARevocationAdditions,
292 kSecXPCOpCopyCARevocationAdditions,
293 kSecXPCOpValidUpdate,
294 };
295
296
297 typedef struct SecurityClient {
298 SecTaskRef task;
299 CFArrayRef accessGroups;
300 bool allowSystemKeychain;
301 bool allowSyncBubbleKeychain;
302 bool isNetworkExtension;
303 bool canAccessNetworkExtensionAccessGroups;
304 uid_t uid;
305 CFDataRef musr;
306 #if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) && TARGET_HAS_KEYSTORE
307 keybag_handle_t keybag;
308 #endif
309 #if TARGET_OS_IPHONE
310 bool inMultiUser;
311 int activeUser;
312 #endif
313 bool isAppClip;
314 CFStringRef applicationIdentifier;
315 } SecurityClient;
316
317
318 extern SecurityClient * SecSecurityClientGet(void);
319 #if TARGET_OS_IOS
320 void SecSecuritySetMusrMode(bool mode, uid_t uid, int activeUser);
321 void SecSecuritySetPersonaMusr(CFStringRef uuid);
322 #endif
323
324 struct securityd {
325 /* LOCAL KEYCHAIN */
326 bool (*sec_item_add)(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
327 bool (*sec_item_copy_matching)(CFDictionaryRef query, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
328 bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, SecurityClient *client, CFErrorRef* error);
329 bool (*sec_item_delete)(CFDictionaryRef query, SecurityClient *client, CFErrorRef* error);
330 bool (*sec_item_delete_all)(CFErrorRef* error);
331 CFArrayRef (*sec_item_copy_parent_certificates)(CFDataRef normalizedIssuer, CFArrayRef accessGroups, CFErrorRef *error);
332 bool (*sec_item_certificate_exists)(CFDataRef normalizedIssuer, CFDataRef serialNumber, CFArrayRef accessGroups, CFErrorRef *error);
333 CFDataRef (*sec_keychain_backup)(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, bool emcs, CFErrorRef* error);
334 bool (*sec_keychain_restore)(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
335 bool (*sec_roll_keys)(bool force, CFErrorRef* error);
336 bool (*sec_item_update_token_items_for_access_groups)(CFStringRef tokenID, CFArrayRef accessGroups, CFArrayRef tokenItems, SecurityClient *client, CFErrorRef* error);
337 bool (*sec_delete_items_with_access_groups)(CFArrayRef bundleIDs, SecurityClient *client, CFErrorRef *error);
338 /* SHAREDWEBCREDENTIALS */
339 bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
340 bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
341 /* SECUREOBJECTSYNC */
342 CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
343 bool (*sec_keychain_restore_syncable)(CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
344 CFArrayRef (*sec_item_backup_copy_names)(CFErrorRef *error);
345 CFStringRef (*sec_item_backup_ensure_copy_view)(CFStringRef viewName, CFErrorRef *error);
346 int (*sec_item_backup_handoff_fd)(CFStringRef backupName, CFErrorRef *error);
347 bool (*sec_item_backup_set_confirmed_manifest)(CFStringRef backupName, CFDataRef keybagDigest, CFDataRef manifest, CFErrorRef *error);
348 bool (*sec_item_backup_restore)(CFStringRef backupName, CFStringRef peerID, CFDataRef keybag, CFDataRef secret, CFDataRef backup, CFErrorRef *error);
349 CFDataRef (*sec_otr_session_create_remote)(CFDataRef publicPeerId, CFErrorRef* error);
350 bool (*sec_otr_session_process_packet_remote)(CFDataRef sessionData, CFDataRef inputPacket, CFDataRef* outputSessionData, CFDataRef* outputPacket, bool *readyForMessages, CFErrorRef* error);
351 bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
352 bool (*soscc_SetUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
353 bool (*soscc_SetUserCredentialsAndDSID)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
354 bool (*soscc_CanAuthenticate)(CFErrorRef *error);
355 bool (*soscc_PurgeUserCredentials)(CFErrorRef *error);
356 SOSCCStatus (*soscc_ThisDeviceIsInCircle)(CFErrorRef* error);
357 bool (*soscc_RequestToJoinCircle)(CFErrorRef* error);
358 bool (*soscc_RequestToJoinCircleAfterRestore)(CFErrorRef* error);
359 bool (*soscc_SetToNew)(CFErrorRef *error);
360 bool (*soscc_ResetToOffering)(CFErrorRef* error);
361 bool (*soscc_ResetToEmpty)(CFErrorRef* error);
362 SOSViewResultCode (*soscc_View)(CFStringRef view, SOSViewActionCode action, CFErrorRef *error);
363 bool (*soscc_ViewSet)(CFSetRef enabledViews, CFSetRef disabledViews);
364 bool (*soscc_RegisterSingleRecoverySecret)(CFDataRef backupSlice, bool forV0Only, CFErrorRef *error);
365 bool (*soscc_RegisterRecoveryPublicKey)(CFDataRef recovery_key, CFErrorRef *error);
366 CFDataRef (*soscc_CopyRecoveryPublicKey)(CFErrorRef *error);
367 bool (*soscc_RemoveThisDeviceFromCircle)(CFErrorRef* error);
368 bool (*soscc_RemovePeersFromCircle)(CFArrayRef peers, CFErrorRef* error);
369 bool (*soscc_LoggedIntoAccount)(CFErrorRef* error);
370 bool (*soscc_LoggedOutOfAccount)(CFErrorRef* error);
371 bool (*soscc_BailFromCircle)(uint64_t limit_in_seconds, CFErrorRef* error);
372 bool (*soscc_AcceptApplicants)(CFArrayRef applicants, CFErrorRef* error);
373 bool (*soscc_RejectApplicants)(CFArrayRef applicants, CFErrorRef* error);
374 SOSPeerInfoRef (*soscc_SetNewPublicBackupKey)(CFDataRef pubKey, CFErrorRef *error);
375 bool (*soscc_ValidateUserPublic)(CFErrorRef* error);
376 CFArrayRef (*soscc_CopyGenerationPeerInfo)(CFErrorRef* error);
377 CFArrayRef (*soscc_CopyApplicantPeerInfo)(CFErrorRef* error);
378 CFArrayRef (*soscc_CopyValidPeerPeerInfo)(CFErrorRef* error);
379 CFArrayRef (*soscc_CopyNotValidPeerPeerInfo)(CFErrorRef* error);
380 CFArrayRef (*soscc_CopyRetirementPeerInfo)(CFErrorRef* error);
381 CFArrayRef (*soscc_CopyViewUnawarePeerInfo)(CFErrorRef* error);
382 CFArrayRef (*soscc_CopyEngineState)(CFErrorRef* error);
383 // Not sure why these are below the last entry in the enum order above, but they are:
384 CFArrayRef (*soscc_CopyPeerInfo)(CFErrorRef* error);
385 CFArrayRef (*soscc_CopyConcurringPeerInfo)(CFErrorRef* error);
386 enum DepartureReason (*soscc_GetLastDepartureReason)(CFErrorRef* error);
387 bool (*soscc_SetLastDepartureReason)(enum DepartureReason, CFErrorRef* error);
388 CFSetRef (*soscc_ProcessSyncWithPeers)(CFSetRef peerIDs, CFSetRef backupPeerIDs, CFErrorRef* error);
389 SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers)(CFErrorRef* error);
390 bool (*soscc_EnsurePeerRegistration)(CFErrorRef* error);
391 CFArrayRef (*sec_keychain_sync_update_message)(CFDictionaryRef update, CFErrorRef *error);
392 CFPropertyListRef (*sec_get_log_settings)(CFErrorRef* error);
393 bool (*sec_set_xpc_log_settings)(CFTypeRef type, CFErrorRef* error);
394 bool (*sec_set_circle_log_settings)(CFTypeRef type, CFErrorRef* error);
395 SOSPeerInfoRef (*soscc_CopyMyPeerInfo)(CFErrorRef*);
396 bool (*soscc_WaitForInitialSync)(CFErrorRef*);
397 bool (*soscc_PeerAvailability)(CFErrorRef *error);
398 SOSPeerInfoRef (*soscc_CopyApplicant)(CFErrorRef *error);
399 CFDataRef (*soscc_CopyCircleJoiningBlob)(SOSPeerInfoRef applicant, CFErrorRef *error);
400 CFDataRef (*soscc_CopyInitialSyncData)(SOSInitialSyncFlags flags, CFErrorRef *error);
401 bool (*soscc_JoinWithCircleJoiningBlob)(CFDataRef joiningBlob, PiggyBackProtocolVersion version, CFErrorRef *error);
402 bool (*soscc_SOSCCCleanupKVSKeys)(CFErrorRef *error);
403 bool (*soscc_AccountHasPublicKey)(CFErrorRef *error);
404 bool (*soscc_requestSyncWithPeerOverKVS)(CFStringRef peerID, CFDataRef message, CFErrorRef *error);
405 CFBooleanRef (*soscc_SOSCCPeersHaveViewsEnabled)(CFArrayRef views, CFErrorRef *error);
406 bool (*socc_clearPeerMessageKeyInKVS)(CFStringRef peerID, CFErrorRef *error);
407 bool (*soscc_SOSCCMessageFromPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
408 bool (*soscc_SOSCCSendToPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
409 CFTypeRef (*soscc_status)(void);
410 /* otherstuff */
411 CFTypeRef secd_xpc_server;
412 };
413
414 extern struct securityd *gSecurityd;
415
416 struct trustd {
417 SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error);
418 bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error);
419 bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error);
420 bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error);
421 bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error);
422 SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error);
423 uint64_t (*sec_ota_pki_trust_store_version)(CFErrorRef* error);
424 uint64_t (*sec_ota_pki_asset_version)(CFErrorRef* error);
425 CFArrayRef (*ota_CopyEscrowCertificates)(uint32_t escrowRootType, CFErrorRef* error);
426 uint64_t (*sec_ota_pki_get_new_asset)(CFErrorRef* error);
427 uint64_t (*sec_ota_secexperiment_get_new_asset)(CFErrorRef* error);
428 CFDictionaryRef (*sec_ota_secexperiment_get_asset)(CFErrorRef* error);
429 CFDictionaryRef (*sec_ota_pki_copy_trusted_ct_logs)(CFErrorRef *error);
430 CFDictionaryRef (*sec_ota_pki_copy_ct_log_for_keyid)(CFDataRef keyID, CFErrorRef *error);
431 bool (*sec_trust_store_copy_all)(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error);
432 bool (*sec_trust_store_copy_usage_constraints)(SecTrustStoreRef ts, CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error);
433 bool (*sec_ocsp_cache_flush)(CFErrorRef *error);
434 bool (*sec_networking_analytics_report)(CFStringRef event_name, xpc_object_t tls_analytics_attributes, CFErrorRef *error);
435 bool (*sec_trust_store_set_ct_exceptions)(CFStringRef appID, CFDictionaryRef exceptions, CFErrorRef *error);
436 CFDictionaryRef (*sec_trust_store_copy_ct_exceptions)(CFStringRef appID, CFErrorRef *error);
437 #if TARGET_OS_IPHONE
438 bool (*sec_trust_increment_exception_reset_count)(CFErrorRef *error);
439 uint64_t (*sec_trust_get_exception_reset_count)(CFErrorRef *error);
440 #endif
441 bool (*sec_trust_store_set_ca_revocation_additions)(CFStringRef appID, CFDictionaryRef additions, CFErrorRef *error);
442 CFDictionaryRef (*sec_trust_store_copy_ca_revocation_additions)(CFStringRef appID, CFErrorRef *error);
443 bool (*sec_valid_update)(CFErrorRef *error);
444 };
445
446 extern struct trustd *gTrustd;
447
448 CFArrayRef SecAccessGroupsGetCurrent(void);
449
450 // TODO Rename me
451 CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op);
452 XPC_RETURNS_RETAINED xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error);
453 typedef void (^securityd_handler_t)(xpc_object_t reply, CFErrorRef error);
454 void securityd_message_with_reply_async(xpc_object_t message, dispatch_queue_t replyq,
455 securityd_handler_t handler);
456 XPC_RETURNS_RETAINED xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error);
457 bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error);
458
459
460 bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error,
461 bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
462 bool (^handle_response)(xpc_object_t response, CFErrorRef* error));
463
464 void securityd_send_async_and_do(enum SecXPCOperation op, dispatch_queue_t replyq,
465 bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
466 securityd_handler_t handler);
467
468 // For testing only, never call this in a threaded program!
469 void SecServerSetTrustdMachServiceName(const char *name);
470
471 XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyEndpoint(enum SecXPCOperation op, CFErrorRef *error);
472
473 #if __OBJC__
474 #import <Foundation/Foundation.h>
475 #import <Foundation/NSXPCConnection.h>
476 typedef void (^SecBoolNSErrorCallback) (bool, NSError*);
477
478 @protocol SecuritydXPCCallbackProtocol <NSObject>
479 - (void)callCallback: (bool) result error:(NSError*) error;
480 @end
481
482 @protocol SecuritydXPCProtocol <NSObject>
483 - (void) SecItemAddAndNotifyOnSync:(NSDictionary*) attributes
484 syncCallback:(id<SecuritydXPCCallbackProtocol>) callback
485 complete:(void (^) (NSDictionary* opDictResult, NSArray* opArrayResult, NSError* operror)) complete;
486
487 // For the given item (specified exactly by its hash (currently SHA1)), attempt to set the CloudKit 'current' pointer
488 // to point to the given item.
489 // This can fail if:
490 // 1. your knowledge of the old current item is out of date
491 // 2. either the new item or old item has changed (checked by hash)
492 // 3. If this device can't talk with CloudKit for any reason
493 - (void)secItemSetCurrentItemAcrossAllDevices:(NSData*)newItemPersistentRef
494 newCurrentItemHash:(NSData*)newItemSHA1
495 accessGroup:(NSString*)accessGroup
496 identifier:(NSString*)identifier
497 viewHint:(NSString*)viewHint
498 oldCurrentItemReference:(NSData*)oldCurrentItemPersistentRef
499 oldCurrentItemHash:(NSData*)oldItemSHA1
500 complete:(void (^) (NSError* operror)) complete;
501
502 // For the given access group and identifier, check the current local idea of the 'current' item
503 -(void)secItemFetchCurrentItemAcrossAllDevices:(NSString*)accessGroup
504 identifier:(NSString*)identifier
505 viewHint:(NSString*)viewHint
506 fetchCloudValue:(bool)fetchCloudValue
507 complete:(void (^) (NSData* persistentref, NSError* operror)) complete;
508
509
510 // For each item in the keychainClass, return a persistant reference and the digest of the value
511 // The digest is not stable, and can change any time, the only promise is that if the digest
512 // value didn't change, the item didn't change. If digest change, the value MIGHT have changed,/
513 // but it could also just have stayed the same.
514 // The this interface bypass SEP/AKS and for that reason is a higher performance then SecItemCopyMatching().
515 - (void) secItemDigest:(NSString *)keychainClass
516 accessGroup:(NSString *)accessGroup
517 complete:(void (^)(NSArray<NSDictionary *> *digest, NSError* error))complete;
518
519 // Delete the multi-user slice of persona uuid
520 //
521 // Should be done just before account volume is unmounted, will delete all this user's data unconditionally
522 // There is nothing stopping futher storage though.
523 - (void) secKeychainDeleteMultiuser:(NSData *)uuid
524 complete:(void (^)(bool status, NSError* error))complete;
525
526 // Go through the keychain to verify the backup infrastructure is present and valid.
527 // The completion handler's dictionary will contain a string with statistics about the class, error will be nil or
528 // complain about what went wrong during verification.
529 // Lightweight mode only checks consistency of the backup infrastructure without verifying all keychain items
530 - (void)secItemVerifyBackupIntegrity:(BOOL)lightweight
531 completion:(void (^)(NSDictionary<NSString*, NSString*>* resultsPerKeyclass, NSError* error))completion;
532
533 // Delete all items from the keychain where agrp==identifier and clip==1. Requires App Clip deletion entitlement.
534 - (void)secItemDeleteForAppClipApplicationIdentifier:(NSString*)identifier
535 completion:(void (^)(OSStatus status))completion;
536 @end
537
538 // Call this to receive a proxy object conforming to SecuritydXPCProtocol that you can call methods on.
539 // It's probably a remote object for securityd/secd, but it might be in-process if you've configured it that way.
540 id<SecuritydXPCProtocol> SecuritydXPCProxyObject(bool synchronous, void (^rpcErrorHandler)(NSError *));
541
542 // Set up a local securityxpcserver: after this call, all securitydxpc calls will be handled in-process instead of actually transferring to securityd
543 id<SecuritydXPCProtocol> SecCreateLocalSecuritydXPCServer(void) NS_RETURNS_RETAINED;
544
545 // Make a SecBoolNSErrorCallback block into an Objective-C object (for proxying across NSXPC)
546 @interface SecuritydXPCCallback : NSObject <SecuritydXPCCallbackProtocol> {
547 SecBoolNSErrorCallback _callback;
548 }
549 @property SecBoolNSErrorCallback callback;
550 - (instancetype)initWithCallback: (SecBoolNSErrorCallback) callback;
551 @end
552
553 @interface SecuritydXPCClient : NSObject {
554 NSXPCConnection* _connection;
555 }
556 @property NSXPCConnection* connection;
557
558 +(void)configureSecuritydXPCProtocol: (NSXPCInterface*) interface;
559 @end
560
561 #endif // OBJC
562
563 #endif /* _SECURITYD_CLIENT_H_ */
mirror of Security