2 * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 @header SecDbQuery.h - The thing that does the stuff with the gibli.
28 #ifndef _SECURITYD_SECDBQUERY_H_
29 #define _SECURITYD_SECDBQUERY_H_
31 #include "keychain/securityd/SecKeybagSupport.h"
32 #include "keychain/securityd/SecDbItem.h"
33 #include "ipc/securityd_client.h" // be able to create queries which restrict API
37 typedef struct Pair
*SecDbPairRef
;
38 typedef struct Query
*SecDbQueryRef
;
41 typedef uint32_t ReturnTypeMask
;
44 kSecReturnDataMask
= 1 << 0,
45 kSecReturnAttributesMask
= 1 << 1,
46 kSecReturnRefMask
= 1 << 2,
47 kSecReturnPersistentRefMask
= 1 << 3,
50 /* Constant indicating there is no limit to the number of results to return. */
53 kSecMatchUnlimited
= kCFNotFound
62 /* Nothing in this struct is retained since all the
63 values below are extracted from the dictionary passed in by the
67 /* Class of this query. */
68 const SecDbClass
*q_class
;
70 /* Dictionary with all attributes and values in clear (to be encrypted). */
71 CFMutableDictionaryRef q_item
;
73 /* q_pairs is an array of Pair structs. Elements with indices
74 [0, q_attr_end) contain attribute key value pairs. Elements with
75 indices [q_match_begin, q_match_end) contain match key value pairs.
76 Thus q_attr_end is the number of attrs in q_pairs and
77 q_match_begin - q_match_end is the number of matches in q_pairs. */
78 CFIndex q_match_begin
;
83 ReturnTypeMask q_return_type
;
87 sqlite_int64 q_row_id
;
89 CFArrayRef q_use_item_list
;
90 CFBooleanRef q_use_tomb
;
92 /* Value of kSecMatchLimit key if present. */
95 /* True if query contained a kSecAttrSynchronizable attribute,
96 * regardless of its actual value. If this is false, then we
97 * will add an explicit sync=0 to the query. */
100 // Set to true if we modified any item as part of executing this query
103 // Set to true if we modified any synchronizable item as part of executing this query
106 /* Keybag handle to use for this item. */
107 keybag_handle_t q_keybag
;
109 /* musr view to use when modifying the database */
110 CFDataRef q_musrView
;
112 /* ACL and credHandle passed to the query. q_cred_handle contain LA context object. */
113 SecAccessControlRef q_access_control
;
114 CFDataRef q_use_cred_handle
;
116 // Flag indicating that ui-protected items should be simply skipped
117 // instead of reporting them to the client as an error.
118 bool q_skip_acl_items
;
120 // Some queries (e.g. backups) explicitly do not want to deal with clip-created items
121 bool q_skip_app_clip_items
;
123 // Set to true if any UUIDs generated by this query should be generated from the SHA2 digest of the item in question
124 bool q_uuid_from_primary_key
;
126 // Set to true if you'd like any Tombstones created by this query to have an mdat that is one second after the non-tombstone's mdat.
127 // This is used if you're deleting an item, but are unsure when the item deletion occurred (e.g., you receive an item delete via CloudKit).
128 bool q_tombstone_use_mdat_from_item
;
130 // Set this to a callback that, on an add query, will get passed along with the CKKS subsystem and called when the item makes it off-device (or doesn't)
131 __unsafe_unretained SecBoolCFErrorCallback q_add_sync_callback
;
133 // SHA1 digest of DER encoded primary key
134 CFDataRef q_primary_key_digest
;
136 CFArrayRef q_match_issuer
;
138 /* Caller acces groups for AKS */
139 CFArrayRef q_caller_access_groups
;
140 bool q_system_keychain
;
141 int32_t q_sync_bubble
;
142 bool q_spindump_on_failure
;
144 //policy for filtering certs and identities
145 SecPolicyRef q_match_policy
;
146 //date for filtering certs and identities
147 CFDateRef q_match_valid_on_date
;
148 //trusted only certs and identities
149 CFBooleanRef q_match_trusted_only
;
150 //token persistent reference for filtering items is represented by token ID (in attrs) and token object ID
151 CFDataRef q_token_object_id
;
153 CFIndex q_pairs_count
;
157 Query
*query_create(const SecDbClass
*qclass
, CFDataRef musr
, CFDictionaryRef query
, SecurityClient
* client
, CFErrorRef
*error
);
158 bool query_destroy(Query
*q
, CFErrorRef
*error
);
159 bool query_error(Query
*q
, CFErrorRef
*error
);
160 Query
*query_create_with_limit(CFDictionaryRef query
, CFDataRef musr
, CFIndex limit
, SecurityClient
* client
, CFErrorRef
*error
);
161 void query_add_attribute(const void *key
, const void *value
, Query
*q
);
162 void query_add_or_attribute(const void *key
, const void *value
, Query
*q
);
163 void query_add_not_attribute(const void *key
, const void *value
, Query
*q
);
164 void query_add_attribute_with_desc(const SecDbAttr
*desc
, const void *value
, Query
*q
);
165 void query_ensure_access_control(Query
*q
, CFStringRef agrp
);
166 void query_pre_add(Query
*q
, bool force_date
);
167 bool query_notify_and_destroy(Query
*q
, bool ok
, CFErrorRef
*error
);
168 CFIndex
query_match_count(const Query
*q
);
169 CFIndex
query_attr_count(const Query
*q
);
170 Pair
query_attr_at(const Query
*q
, CFIndex ix
);
171 bool query_update_parse(Query
*q
, CFDictionaryRef update
, CFErrorRef
*error
);
172 const SecDbClass
*kc_class_with_name(CFStringRef name
);
173 void query_set_caller_access_groups(Query
*q
, CFArrayRef caller_access_groups
);
174 void query_set_policy(Query
*q
, SecPolicyRef policy
);
175 void query_set_valid_on_date(Query
*q
, CFDateRef policy
);
176 void query_set_trusted_only(Query
*q
, CFBooleanRef trusted_only
);
179 SecMUSRCopySystemKeychainUUID(void);
182 SecMUSRGetSystemKeychainUUID(void);
185 SecMUSRGetSingleUserKeychainUUID(void);
188 SecMUSRIsSingleUserView(CFDataRef uuid
);
191 SecMUSRGetAllViews(void);
194 SecMUSRIsViewAllViews(CFDataRef musr
);
198 SecMUSRCreateActiveUserUUID(uid_t uid
);
201 SecMUSRCreateSyncBubbleUserUUID(uid_t uid
);
204 SecMUSRCreateBothUserAndSystemUUID(uid_t uid
);
207 SecMUSRGetBothUserAndSystemUUID(CFDataRef musr
, uid_t
*uid
);
214 #endif /* _SECURITYD_SECDBQUERY_H_ */