2 * Copyright (c) 2007-2020 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
23 #ifndef _SECURITYD_CLIENT_H_
24 #define _SECURITYD_CLIENT_H_
28 #include "keychain/securityd/SecKeybagSupport.h"
30 #include <Security/SecTrust.h>
31 #include <Security/SecTask.h>
32 #ifndef MINIMIZE_INCLUDES
34 #pragma clang diagnostic push
35 #pragma clang diagnostic ignored "-Wfour-char-constants"
36 # include "OSX/sec/Security/SecTrustStore.h"
37 #pragma clang diagnostic pop
40 typedef struct __SecTrustStore
*SecTrustStoreRef
;
41 //# ifndef _SECURITY_SECCERTIFICATE_H_
42 //typedef struct __SecCertificate *SecCertificateRef;
43 //# endif // _SECURITY_SECCERTIFICATE_H_
44 #endif // MINIMIZE_INCLUDES
46 #include "OSX/utilities/SecAKSWrappers.h"
48 #include <CoreFoundation/CFArray.h>
49 #include <CoreFoundation/CFDictionary.h>
50 #include <CoreFoundation/CFError.h>
52 #include "keychain/SecureObjectSync/SOSCloudCircle.h"
53 #include "keychain/SecureObjectSync/SOSPeerInfo.h"
54 #include "keychain/SecureObjectSync/SOSRing.h"
57 #include <CoreFoundation/CFXPCBridge.h>
59 #include <TargetConditionals.h>
62 #define kSecuritydXPCServiceName "com.apple.securityd.xpc"
63 #define kSecuritydSystemXPCServiceName "com.apple.securityd.system.xpc"
64 #define kTrustdAgentXPCServiceName "com.apple.trustd.agent"
65 #define kTrustdXPCServiceName "com.apple.trustd"
67 #define kSecuritydXPCServiceName "com.apple.securityd"
68 #define kTrustdAgentXPCServiceName "com.apple.trustd"
69 #define kTrustdXPCServiceName "com.apple.trustd"
70 #endif // *** END TARGET_OS_OSX ***
72 #define kSecuritydGeneralServiceName "com.apple.securityd.general"
73 #define kSecuritydSOSServiceName "com.apple.securityd.sos"
76 // MARK: XPC Information.
80 extern CFStringRef sSecXPCErrorDomain
;
83 extern const char *kSecXPCKeyOperation
;
84 extern const char *kSecXPCKeyResult
;
85 extern const char *kSecXPCKeyEndpoint
;
86 extern const char *kSecXPCKeyError
;
87 extern const char *kSecXPCKeyPeerInfoArray
;
88 extern const char *kSecXPCKeyUserLabel
;
89 extern const char *kSecXPCKeyBackup
;
90 extern const char *kSecXPCKeyKeybag
;
91 extern const char *kSecXPCKeyFlags
;
92 extern const char *kSecXPCKeyUserPassword
;
93 extern const char *kSecXPCKeyEMCSBackup
;
94 extern const char *kSecXPCKeyDSID
;
95 extern const char *kSecXPCKeyViewName
;
96 extern const char *kSecXPCKeyViewActionCode
;
97 extern const char *kSecXPCKeyNewPublicBackupKey
;
98 extern const char *kSecXPCKeyRecoveryPublicKey
;
99 extern const char *kSecXPCKeyIncludeV0
;
100 extern const char *kSecXPCKeyEnabledViewsKey
;
101 extern const char *kSecXPCKeyDisabledViewsKey
;
102 extern const char *kSecXPCKeyEscrowLabel
;
103 extern const char *kSecXPCKeyTriesLabel
;
104 extern const char *kSecXPCKeyFileDescriptor
;
105 extern const char *kSecXPCKeyAccessGroups
;
106 extern const char *kSecXPCKeyClasses
;
107 extern const char *kSecXPCKeyNormalizedIssuer
;
108 extern const char *kSecXPCKeySerialNumber
;
109 extern const char *kSecXPCKeyBackupKeybagIdentifier
;
110 extern const char *kSecXPCKeyBackupKeybagPath
;
113 // MARK: Dispatch macros
116 #define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
117 #define TRUSTD_XPC(sdp, wrapper, ...) ((gTrustd && gTrustd->sdp) ? gTrustd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
119 #define TRUSTD_XPC_ASYNC(sdp, wrapper, q, h, ...) do { \
120 if (gTrustd != NULL && gTrustd->sdp != NULL) { \
121 dispatch_async(q, ^{ \
122 CFErrorRef _error = NULL; \
123 SecTrustResultType _tr = gTrustd->sdp(__VA_ARGS__, &_error); \
127 wrapper(q, h, sdp ## _id, __VA_ARGS__); \
132 // MARK: Object to XPC format conversion.
137 // MARK: XPC Interfaces
140 extern const char *kSecXPCKeyPeerInfo
;
141 extern const char *kSecXPCLimitInMinutes
;
142 extern const char *kSecXPCKeyQuery
;
143 extern const char *kSecXPCKeyAttributesToUpdate
;
144 extern const char *kSecXPCKeyDomain
;
145 extern const char *kSecXPCKeyDigest
;
146 extern const char *kSecXPCKeyCertificate
;
147 extern const char *kSecXPCKeySettings
;
148 extern const char *kSecXPCPublicPeerId
; // Public peer id
149 extern const char *kSecXPCOTRSession
; // OTR session bytes
150 extern const char *kSecXPCData
; // Data to process
151 extern const char *kSecXPCOTRReady
; // OTR ready for messages
152 extern const char *kSecXPCKeyViewName
;
153 extern const char *kSecXPCKeyViewActionCode
;
154 extern const char *kSecXPCKeyHSA2AutoAcceptInfo
;
155 extern const char *kSecXPCKeyString
;
156 extern const char *kSecXPCKeyArray
;
157 extern const char *kSecXPCKeySet
;
158 extern const char *kSecXPCKeySet2
;
159 extern const char *kSecXPCVersion
;
160 extern const char *kSecXPCKeySignInAnalytics
;
161 extern const char *kSecXPCKeyReason
;
164 // MARK: Mach port request IDs
166 enum SecXPCOperation
{
168 sec_item_copy_matching_id
= 1,
169 sec_item_update_id
= 2,
170 sec_item_delete_id
= 3,
171 // trust_store_for_domain -- NOT an ipc
172 sec_trust_store_contains_id
= 4,
173 sec_trust_store_set_trust_settings_id
= 5,
174 sec_trust_store_remove_certificate_id
= 6,
175 // remove_all -- NOT an ipc
176 sec_delete_all_id
= 7,
177 sec_trust_evaluate_id
= 8,
178 // Any new items MUST be added below here
179 // This allows updating roots on a device, since SecTrustEvaluate must continue to work
180 sec_keychain_backup_id
,
181 sec_keychain_restore_id
,
182 sec_keychain_backup_syncable_id
,
183 sec_keychain_restore_syncable_id
,
184 sec_item_backup_copy_names_id
,
185 sec_item_backup_ensure_copy_view_id
,
186 sec_item_backup_handoff_fd_id
,
187 sec_item_backup_set_confirmed_manifest_id
,
188 sec_item_backup_restore_id
,
189 sec_keychain_sync_update_message_id
,
190 sec_ota_pki_trust_store_version_id
,
191 sec_ota_pki_asset_version_id
,
192 sec_otr_session_create_remote_id
,
193 sec_otr_session_process_packet_remote_id
,
194 kSecXPCOpOTAPKIGetNewAsset
,
195 kSecXPCOpOTAGetEscrowCertificates
,
196 kSecXPCOpOTAPKICopyTrustedCTLogs
,
197 kSecXPCOpOTAPKICopyCTLogForKeyID
,
198 kSecXPCOpProcessUnlockNotification
,
199 kSecXPCOpProcessSyncWithAllPeers
,
201 sec_add_shared_web_credential_id
,
202 sec_copy_shared_web_credential_id
,
203 sec_get_log_settings_id
,
204 sec_set_xpc_log_settings_id
,
205 sec_set_circle_log_settings_id
,
206 soscc_EnsurePeerRegistration_id
,
207 kSecXPCOpRequestDeviceID
,
208 kSecXPCOpSetDeviceID
,
209 kSecXPCOpHandleIDSMessage
,
210 kSecXPCOpSyncWithKVSPeer
,
211 kSecXPCOpSyncWithIDSPeer
,
212 kSecXPCOpSendIDSMessage
,
214 kSecXPCOpIDSDeviceID
,
215 kSecXPCOpSyncWithKVSPeerIDOnly
,
216 // any process using an operation below here is required to have entitlement keychain-cloud-circle
217 kSecXPCOpTryUserCredentials
,
218 kSecXPCOpSetUserCredentials
,
219 kSecXPCOpSetUserCredentialsAndDSID
,
220 kSecXPCOpCanAuthenticate
,
221 kSecXPCOpPurgeUserCredentials
,
222 kSecXPCOpDeviceInCircle
,
223 kSecXPCOpRequestToJoin
,
224 kSecXPCOpRequestToJoinAfterRestore
,
225 kSecXPCOpResetToOffering
,
226 kSecXPCOpResetToEmpty
,
229 kSecXPCOpRemoveThisDeviceFromCircle
,
230 kSecXPCOpRemovePeersFromCircle
,
231 kSecXPCOpLoggedIntoAccount
,
232 kSecXPCOpLoggedOutOfAccount
,
233 kSecXPCOpBailFromCircle
,
234 kSecXPCOpAcceptApplicants
,
235 kSecXPCOpRejectApplicants
,
236 kSecXPCOpCopyApplicantPeerInfo
,
237 kSecXPCOpCopyValidPeerPeerInfo
,
238 kSecXPCOpValidateUserPublic
,
239 kSecXPCOpCopyNotValidPeerPeerInfo
,
240 kSecXPCOpCopyPeerPeerInfo
,
241 kSecXPCOpCopyConcurringPeerPeerInfo
,
242 kSecXPCOpCopyGenerationPeerInfo
,
243 kSecXPCOpGetLastDepartureReason
,
244 kSecXPCOpSetLastDepartureReason
,
245 kSecXPCOpCopyRetirementPeerInfo
,
246 kSecXPCOpCopyViewUnawarePeerInfo
,
247 kSecXPCOpCopyEngineState
,
248 kSecXPCOpCopyMyPeerInfo
,
249 kSecXPCOpAccountSetToNew
,
250 kSecXPCOpSetNewPublicBackupKey
,
251 kSecXPCOpSetBagForAllSlices
,
252 kSecXPCOpWaitForInitialSync
,
253 kSecXPCOpCheckPeerAvailability
,
254 kSecXPCOpCopyApplication
,
255 kSecXPCOpCopyCircleJoiningBlob
,
256 kSecXPCOpJoinWithCircleJoiningBlob
,
257 kSecXPCOpKVSKeyCleanup
,
258 kSecXPCOpAccountHasPublicKey
,
259 kSecXPCOpClearKVSPeerMessage
,
260 kSecXPCOpRegisterRecoveryPublicKey
,
261 kSecXPCOpGetRecoveryPublicKey
,
262 kSecXPCOpCopyInitialSyncBlob
,
263 /* after this is free for all */
265 kSecXPCOpTransmogrifyToSyncBubble
,
266 kSecXPCOpTransmogrifyToSystemKeychain
,
267 sec_item_update_token_items_for_access_groups_id
,
268 kSecXPCOpDeleteUserView
,
269 sec_trust_store_copy_all_id
,
270 sec_trust_store_copy_usage_constraints_id
,
271 sec_ocsp_cache_flush_id
,
272 sec_delete_items_with_access_groups_id
,
273 sec_keychain_backup_keybag_uuid_id
,
274 kSecXPCOpPeersHaveViewsEnabled
,
275 kSecXPCOpProcessSyncWithPeers
,
276 kSecXPCOpMessageFromPeerIsPending
,
277 kSecXPCOpSendToPeerIsPending
,
278 sec_item_copy_parent_certificates_id
,
279 sec_item_certificate_exists_id
,
280 kSecXPCOpBackupKeybagAdd
,
281 kSecXPCOpBackupKeybagDelete
,
282 kSecXPCOpSFKeychainEndpoint
,
283 kSecXPCOpKeychainControlEndpoint
,
284 kSecXPCOpNetworkingAnalyticsReport
,
285 kSecXPCOpSetCTExceptions
,
286 kSecXPCOpCopyCTExceptions
,
287 kSecXPCOpOTASecExperimentGetAsset
,
288 kSecXPCOpOTASecExperimentGetNewAsset
,
289 sec_trust_get_exception_reset_count_id
,
290 sec_trust_increment_exception_reset_count_id
,
291 kSecXPCOpSetCARevocationAdditions
,
292 kSecXPCOpCopyCARevocationAdditions
,
293 kSecXPCOpValidUpdate
,
297 typedef struct SecurityClient
{
299 CFArrayRef accessGroups
;
300 bool allowSystemKeychain
;
301 bool allowSyncBubbleKeychain
;
302 bool isNetworkExtension
;
303 bool canAccessNetworkExtensionAccessGroups
;
306 #if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) && TARGET_HAS_KEYSTORE
307 keybag_handle_t keybag
;
314 CFStringRef applicationIdentifier
;
318 extern SecurityClient
* SecSecurityClientGet(void);
320 void SecSecuritySetMusrMode(bool mode
, uid_t uid
, int activeUser
);
321 void SecSecuritySetPersonaMusr(CFStringRef uuid
);
326 bool (*sec_item_add
)(CFDictionaryRef attributes
, SecurityClient
*client
, CFTypeRef
*result
, CFErrorRef
* error
);
327 bool (*sec_item_copy_matching
)(CFDictionaryRef query
, SecurityClient
*client
, CFTypeRef
*result
, CFErrorRef
* error
);
328 bool (*sec_item_update
)(CFDictionaryRef query
, CFDictionaryRef attributesToUpdate
, SecurityClient
*client
, CFErrorRef
* error
);
329 bool (*sec_item_delete
)(CFDictionaryRef query
, SecurityClient
*client
, CFErrorRef
* error
);
330 bool (*sec_item_delete_all
)(CFErrorRef
* error
);
331 CFArrayRef (*sec_item_copy_parent_certificates
)(CFDataRef normalizedIssuer
, CFArrayRef accessGroups
, CFErrorRef
*error
);
332 bool (*sec_item_certificate_exists
)(CFDataRef normalizedIssuer
, CFDataRef serialNumber
, CFArrayRef accessGroups
, CFErrorRef
*error
);
333 CFDataRef (*sec_keychain_backup
)(SecurityClient
*client
, CFDataRef keybag
, CFDataRef passcode
, bool emcs
, CFErrorRef
* error
);
334 bool (*sec_keychain_restore
)(CFDataRef backup
, SecurityClient
*client
, CFDataRef keybag
, CFDataRef passcode
, CFErrorRef
* error
);
335 bool (*sec_roll_keys
)(bool force
, CFErrorRef
* error
);
336 bool (*sec_item_update_token_items_for_access_groups
)(CFStringRef tokenID
, CFArrayRef accessGroups
, CFArrayRef tokenItems
, SecurityClient
*client
, CFErrorRef
* error
);
337 bool (*sec_delete_items_with_access_groups
)(CFArrayRef bundleIDs
, SecurityClient
*client
, CFErrorRef
*error
);
338 /* SHAREDWEBCREDENTIALS */
339 bool (*sec_add_shared_web_credential
)(CFDictionaryRef attributes
, SecurityClient
*client
, const audit_token_t
*clientAuditToken
, CFStringRef appID
, CFArrayRef accessGroups
, CFTypeRef
*result
, CFErrorRef
*error
);
340 bool (*sec_copy_shared_web_credential
)(CFDictionaryRef query
, SecurityClient
*client
, const audit_token_t
*clientAuditToken
, CFStringRef appID
, CFArrayRef accessGroups
, CFTypeRef
*result
, CFErrorRef
*error
);
341 /* SECUREOBJECTSYNC */
342 CFDictionaryRef (*sec_keychain_backup_syncable
)(CFDictionaryRef backup_in
, CFDataRef keybag
, CFDataRef passcode
, CFErrorRef
* error
);
343 bool (*sec_keychain_restore_syncable
)(CFDictionaryRef backup
, CFDataRef keybag
, CFDataRef passcode
, CFErrorRef
* error
);
344 CFArrayRef (*sec_item_backup_copy_names
)(CFErrorRef
*error
);
345 CFStringRef (*sec_item_backup_ensure_copy_view
)(CFStringRef viewName
, CFErrorRef
*error
);
346 int (*sec_item_backup_handoff_fd
)(CFStringRef backupName
, CFErrorRef
*error
);
347 bool (*sec_item_backup_set_confirmed_manifest
)(CFStringRef backupName
, CFDataRef keybagDigest
, CFDataRef manifest
, CFErrorRef
*error
);
348 bool (*sec_item_backup_restore
)(CFStringRef backupName
, CFStringRef peerID
, CFDataRef keybag
, CFDataRef secret
, CFDataRef backup
, CFErrorRef
*error
);
349 CFDataRef (*sec_otr_session_create_remote
)(CFDataRef publicPeerId
, CFErrorRef
* error
);
350 bool (*sec_otr_session_process_packet_remote
)(CFDataRef sessionData
, CFDataRef inputPacket
, CFDataRef
* outputSessionData
, CFDataRef
* outputPacket
, bool *readyForMessages
, CFErrorRef
* error
);
351 bool (*soscc_TryUserCredentials
)(CFStringRef user_label
, CFDataRef user_password
, CFStringRef dsid
, CFErrorRef
*error
);
352 bool (*soscc_SetUserCredentials
)(CFStringRef user_label
, CFDataRef user_password
, CFErrorRef
*error
);
353 bool (*soscc_SetUserCredentialsAndDSID
)(CFStringRef user_label
, CFDataRef user_password
, CFStringRef dsid
, CFErrorRef
*error
);
354 bool (*soscc_CanAuthenticate
)(CFErrorRef
*error
);
355 bool (*soscc_PurgeUserCredentials
)(CFErrorRef
*error
);
356 SOSCCStatus (*soscc_ThisDeviceIsInCircle
)(CFErrorRef
* error
);
357 bool (*soscc_RequestToJoinCircle
)(CFErrorRef
* error
);
358 bool (*soscc_RequestToJoinCircleAfterRestore
)(CFErrorRef
* error
);
359 bool (*soscc_SetToNew
)(CFErrorRef
*error
);
360 bool (*soscc_ResetToOffering
)(CFErrorRef
* error
);
361 bool (*soscc_ResetToEmpty
)(CFErrorRef
* error
);
362 SOSViewResultCode (*soscc_View
)(CFStringRef view
, SOSViewActionCode action
, CFErrorRef
*error
);
363 bool (*soscc_ViewSet
)(CFSetRef enabledViews
, CFSetRef disabledViews
);
364 bool (*soscc_RegisterSingleRecoverySecret
)(CFDataRef backupSlice
, bool forV0Only
, CFErrorRef
*error
);
365 bool (*soscc_RegisterRecoveryPublicKey
)(CFDataRef recovery_key
, CFErrorRef
*error
);
366 CFDataRef (*soscc_CopyRecoveryPublicKey
)(CFErrorRef
*error
);
367 bool (*soscc_RemoveThisDeviceFromCircle
)(CFErrorRef
* error
);
368 bool (*soscc_RemovePeersFromCircle
)(CFArrayRef peers
, CFErrorRef
* error
);
369 bool (*soscc_LoggedIntoAccount
)(CFErrorRef
* error
);
370 bool (*soscc_LoggedOutOfAccount
)(CFErrorRef
* error
);
371 bool (*soscc_BailFromCircle
)(uint64_t limit_in_seconds
, CFErrorRef
* error
);
372 bool (*soscc_AcceptApplicants
)(CFArrayRef applicants
, CFErrorRef
* error
);
373 bool (*soscc_RejectApplicants
)(CFArrayRef applicants
, CFErrorRef
* error
);
374 SOSPeerInfoRef (*soscc_SetNewPublicBackupKey
)(CFDataRef pubKey
, CFErrorRef
*error
);
375 bool (*soscc_ValidateUserPublic
)(CFErrorRef
* error
);
376 CFArrayRef (*soscc_CopyGenerationPeerInfo
)(CFErrorRef
* error
);
377 CFArrayRef (*soscc_CopyApplicantPeerInfo
)(CFErrorRef
* error
);
378 CFArrayRef (*soscc_CopyValidPeerPeerInfo
)(CFErrorRef
* error
);
379 CFArrayRef (*soscc_CopyNotValidPeerPeerInfo
)(CFErrorRef
* error
);
380 CFArrayRef (*soscc_CopyRetirementPeerInfo
)(CFErrorRef
* error
);
381 CFArrayRef (*soscc_CopyViewUnawarePeerInfo
)(CFErrorRef
* error
);
382 CFArrayRef (*soscc_CopyEngineState
)(CFErrorRef
* error
);
383 // Not sure why these are below the last entry in the enum order above, but they are:
384 CFArrayRef (*soscc_CopyPeerInfo
)(CFErrorRef
* error
);
385 CFArrayRef (*soscc_CopyConcurringPeerInfo
)(CFErrorRef
* error
);
386 enum DepartureReason (*soscc_GetLastDepartureReason
)(CFErrorRef
* error
);
387 bool (*soscc_SetLastDepartureReason
)(enum DepartureReason
, CFErrorRef
* error
);
388 CFSetRef (*soscc_ProcessSyncWithPeers
)(CFSetRef peerIDs
, CFSetRef backupPeerIDs
, CFErrorRef
* error
);
389 SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers
)(CFErrorRef
* error
);
390 bool (*soscc_EnsurePeerRegistration
)(CFErrorRef
* error
);
391 CFArrayRef (*sec_keychain_sync_update_message
)(CFDictionaryRef update
, CFErrorRef
*error
);
392 CFPropertyListRef (*sec_get_log_settings
)(CFErrorRef
* error
);
393 bool (*sec_set_xpc_log_settings
)(CFTypeRef type
, CFErrorRef
* error
);
394 bool (*sec_set_circle_log_settings
)(CFTypeRef type
, CFErrorRef
* error
);
395 SOSPeerInfoRef (*soscc_CopyMyPeerInfo
)(CFErrorRef
*);
396 bool (*soscc_WaitForInitialSync
)(CFErrorRef
*);
397 bool (*soscc_PeerAvailability
)(CFErrorRef
*error
);
398 SOSPeerInfoRef (*soscc_CopyApplicant
)(CFErrorRef
*error
);
399 CFDataRef (*soscc_CopyCircleJoiningBlob
)(SOSPeerInfoRef applicant
, CFErrorRef
*error
);
400 CFDataRef (*soscc_CopyInitialSyncData
)(SOSInitialSyncFlags flags
, CFErrorRef
*error
);
401 bool (*soscc_JoinWithCircleJoiningBlob
)(CFDataRef joiningBlob
, PiggyBackProtocolVersion version
, CFErrorRef
*error
);
402 bool (*soscc_SOSCCCleanupKVSKeys
)(CFErrorRef
*error
);
403 bool (*soscc_AccountHasPublicKey
)(CFErrorRef
*error
);
404 bool (*soscc_requestSyncWithPeerOverKVS
)(CFStringRef peerID
, CFDataRef message
, CFErrorRef
*error
);
405 CFBooleanRef (*soscc_SOSCCPeersHaveViewsEnabled
)(CFArrayRef views
, CFErrorRef
*error
);
406 bool (*socc_clearPeerMessageKeyInKVS
)(CFStringRef peerID
, CFErrorRef
*error
);
407 bool (*soscc_SOSCCMessageFromPeerIsPending
)(SOSPeerInfoRef peer
, CFErrorRef
* error
);
408 bool (*soscc_SOSCCSendToPeerIsPending
)(SOSPeerInfoRef peer
, CFErrorRef
* error
);
409 CFTypeRef (*soscc_status
)(void);
411 CFTypeRef secd_xpc_server
;
414 extern struct securityd
*gSecurityd
;
417 SecTrustStoreRef (*sec_trust_store_for_domain
)(CFStringRef domainName
, CFErrorRef
* error
);
418 bool (*sec_trust_store_contains
)(SecTrustStoreRef ts
, CFDataRef digest
, bool *contains
, CFErrorRef
* error
);
419 bool (*sec_trust_store_set_trust_settings
)(SecTrustStoreRef ts
, SecCertificateRef certificate
, CFTypeRef trustSettingsDictOrArray
, CFErrorRef
* error
);
420 bool (*sec_trust_store_remove_certificate
)(SecTrustStoreRef ts
, CFDataRef digest
, CFErrorRef
* error
);
421 bool (*sec_truststore_remove_all
)(SecTrustStoreRef ts
, CFErrorRef
* error
);
422 SecTrustResultType (*sec_trust_evaluate
)(CFArrayRef certificates
, CFArrayRef anchors
, bool anchorsOnly
, bool keychainsAllowed
, CFArrayRef policies
, CFArrayRef responses
, CFArrayRef SCTs
, CFArrayRef trustedLogs
, CFAbsoluteTime verifyTime
, __unused CFArrayRef accessGroups
, CFArrayRef exceptions
, CFArrayRef
*details
, CFDictionaryRef
*info
, CFArrayRef
*chain
, CFErrorRef
*error
);
423 uint64_t (*sec_ota_pki_trust_store_version
)(CFErrorRef
* error
);
424 uint64_t (*sec_ota_pki_asset_version
)(CFErrorRef
* error
);
425 CFArrayRef (*ota_CopyEscrowCertificates
)(uint32_t escrowRootType
, CFErrorRef
* error
);
426 uint64_t (*sec_ota_pki_get_new_asset
)(CFErrorRef
* error
);
427 uint64_t (*sec_ota_secexperiment_get_new_asset
)(CFErrorRef
* error
);
428 CFDictionaryRef (*sec_ota_secexperiment_get_asset
)(CFErrorRef
* error
);
429 CFDictionaryRef (*sec_ota_pki_copy_trusted_ct_logs
)(CFErrorRef
*error
);
430 CFDictionaryRef (*sec_ota_pki_copy_ct_log_for_keyid
)(CFDataRef keyID
, CFErrorRef
*error
);
431 bool (*sec_trust_store_copy_all
)(SecTrustStoreRef ts
, CFArrayRef
*trustStoreContents
, CFErrorRef
*error
);
432 bool (*sec_trust_store_copy_usage_constraints
)(SecTrustStoreRef ts
, CFDataRef digest
, CFArrayRef
*usageConstraints
, CFErrorRef
*error
);
433 bool (*sec_ocsp_cache_flush
)(CFErrorRef
*error
);
434 bool (*sec_networking_analytics_report
)(CFStringRef event_name
, xpc_object_t tls_analytics_attributes
, CFErrorRef
*error
);
435 bool (*sec_trust_store_set_ct_exceptions
)(CFStringRef appID
, CFDictionaryRef exceptions
, CFErrorRef
*error
);
436 CFDictionaryRef (*sec_trust_store_copy_ct_exceptions
)(CFStringRef appID
, CFErrorRef
*error
);
438 bool (*sec_trust_increment_exception_reset_count
)(CFErrorRef
*error
);
439 uint64_t (*sec_trust_get_exception_reset_count
)(CFErrorRef
*error
);
441 bool (*sec_trust_store_set_ca_revocation_additions
)(CFStringRef appID
, CFDictionaryRef additions
, CFErrorRef
*error
);
442 CFDictionaryRef (*sec_trust_store_copy_ca_revocation_additions
)(CFStringRef appID
, CFErrorRef
*error
);
443 bool (*sec_valid_update
)(CFErrorRef
*error
);
446 extern struct trustd
*gTrustd
;
448 CFArrayRef
SecAccessGroupsGetCurrent(void);
451 CFStringRef
SOSCCGetOperationDescription(enum SecXPCOperation op
);
452 XPC_RETURNS_RETAINED xpc_object_t
securityd_message_with_reply_sync(xpc_object_t message
, CFErrorRef
*error
);
453 typedef void (^securityd_handler_t
)(xpc_object_t reply
, CFErrorRef error
);
454 void securityd_message_with_reply_async(xpc_object_t message
, dispatch_queue_t replyq
,
455 securityd_handler_t handler
);
456 XPC_RETURNS_RETAINED xpc_object_t
securityd_create_message(enum SecXPCOperation op
, CFErrorRef
*error
);
457 bool securityd_message_no_error(xpc_object_t message
, CFErrorRef
*error
);
460 bool securityd_send_sync_and_do(enum SecXPCOperation op
, CFErrorRef
*error
,
461 bool (^add_to_message
)(xpc_object_t message
, CFErrorRef
* error
),
462 bool (^handle_response
)(xpc_object_t response
, CFErrorRef
* error
));
464 void securityd_send_async_and_do(enum SecXPCOperation op
, dispatch_queue_t replyq
,
465 bool (^add_to_message
)(xpc_object_t message
, CFErrorRef
* error
),
466 securityd_handler_t handler
);
468 // For testing only, never call this in a threaded program!
469 void SecServerSetTrustdMachServiceName(const char *name
);
471 XPC_RETURNS_RETAINED xpc_endpoint_t
_SecSecuritydCopyEndpoint(enum SecXPCOperation op
, CFErrorRef
*error
);
474 #import <Foundation/Foundation.h>
475 #import <Foundation/NSXPCConnection.h>
476 typedef void (^SecBoolNSErrorCallback
) (bool, NSError
*);
478 @protocol SecuritydXPCCallbackProtocol
<NSObject
>
479 - (void)callCallback
: (bool) result error
:(NSError
*) error
;
482 @protocol SecuritydXPCProtocol
<NSObject
>
483 - (void) SecItemAddAndNotifyOnSync
:(NSDictionary
*) attributes
484 syncCallback
:(id
<SecuritydXPCCallbackProtocol
>) callback
485 complete
:(void (^) (NSDictionary
* opDictResult
, NSArray
* opArrayResult
, NSError
* operror
)) complete
;
487 // For the given item (specified exactly by its hash (currently SHA1)), attempt to set the CloudKit 'current' pointer
488 // to point to the given item.
490 // 1. your knowledge of the old current item is out of date
491 // 2. either the new item or old item has changed (checked by hash)
492 // 3. If this device can't talk with CloudKit for any reason
493 - (void)secItemSetCurrentItemAcrossAllDevices
:(NSData
*)newItemPersistentRef
494 newCurrentItemHash
:(NSData
*)newItemSHA1
495 accessGroup
:(NSString
*)accessGroup
496 identifier
:(NSString
*)identifier
497 viewHint
:(NSString
*)viewHint
498 oldCurrentItemReference
:(NSData
*)oldCurrentItemPersistentRef
499 oldCurrentItemHash
:(NSData
*)oldItemSHA1
500 complete
:(void (^) (NSError
* operror
)) complete
;
502 // For the given access group and identifier, check the current local idea of the 'current' item
503 -(void)secItemFetchCurrentItemAcrossAllDevices
:(NSString
*)accessGroup
504 identifier
:(NSString
*)identifier
505 viewHint
:(NSString
*)viewHint
506 fetchCloudValue
:(bool)fetchCloudValue
507 complete
:(void (^) (NSData
* persistentref
, NSError
* operror
)) complete
;
510 // For each item in the keychainClass, return a persistant reference and the digest of the value
511 // The digest is not stable, and can change any time, the only promise is that if the digest
512 // value didn't change, the item didn't change. If digest change, the value MIGHT have changed,/
513 // but it could also just have stayed the same.
514 // The this interface bypass SEP/AKS and for that reason is a higher performance then SecItemCopyMatching().
515 - (void) secItemDigest
:(NSString
*)keychainClass
516 accessGroup
:(NSString
*)accessGroup
517 complete
:(void (^)(NSArray
<NSDictionary
*> *digest
, NSError
* error
))complete
;
519 // Delete the multi-user slice of persona uuid
521 // Should be done just before account volume is unmounted, will delete all this user's data unconditionally
522 // There is nothing stopping futher storage though.
523 - (void) secKeychainDeleteMultiuser
:(NSData
*)uuid
524 complete
:(void (^)(bool status
, NSError
* error
))complete
;
526 // Go through the keychain to verify the backup infrastructure is present and valid.
527 // The completion handler's dictionary will contain a string with statistics about the class, error will be nil or
528 // complain about what went wrong during verification.
529 // Lightweight mode only checks consistency of the backup infrastructure without verifying all keychain items
530 - (void)secItemVerifyBackupIntegrity
:(BOOL
)lightweight
531 completion
:(void (^)(NSDictionary
<NSString
*, NSString
*>* resultsPerKeyclass
, NSError
* error
))completion
;
533 // Delete all items from the keychain where agrp==identifier and clip==1. Requires App Clip deletion entitlement.
534 - (void)secItemDeleteForAppClipApplicationIdentifier
:(NSString
*)identifier
535 completion
:(void (^)(OSStatus status
))completion
;
538 // Call this to receive a proxy object conforming to SecuritydXPCProtocol that you can call methods on.
539 // It's probably a remote object for securityd/secd, but it might be in-process if you've configured it that way.
540 id
<SecuritydXPCProtocol
> SecuritydXPCProxyObject(bool synchronous
, void (^rpcErrorHandler
)(NSError
*));
542 // Set up a local securityxpcserver: after this call, all securitydxpc calls will be handled in-process instead of actually transferring to securityd
543 id
<SecuritydXPCProtocol
> SecCreateLocalSecuritydXPCServer(void) NS_RETURNS_RETAINED
;
545 // Make a SecBoolNSErrorCallback block into an Objective-C object (for proxying across NSXPC)
546 @interface SecuritydXPCCallback
: NSObject
<SecuritydXPCCallbackProtocol
> {
547 SecBoolNSErrorCallback _callback
;
549 @property SecBoolNSErrorCallback callback
;
550 - (instancetype
)initWithCallback
: (SecBoolNSErrorCallback
) callback
;
553 @interface SecuritydXPCClient
: NSObject
{
554 NSXPCConnection
* _connection
;
556 @property NSXPCConnection
* connection
;
558 +(void)configureSecuritydXPCProtocol
: (NSXPCInterface
*) interface
;
563 #endif /* _SECURITYD_CLIENT_H_ */