Security-29.tar.gz
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // ssclient - SecurityServer client interface library
21 //
22 #ifndef _H_SSCLIENT
23 #define _H_SSCLIENT
24
25
26 #include <Security/cssm.h>
27 #include <Security/utilities.h>
28 #include <Security/cssmalloc.h>
29 #include <Security/cssmacl.h>
30 #include <Security/context.h>
31 #include <Security/globalizer.h>
32 #include <Security/mach++.h>
33 #include <Security/cssmdb.h>
34 #include <Security/osxsigning.h>
35 #include <Security/Authorization.h>
36 #include <Security/AuthSession.h>
37
38
39 namespace Security
40 {
41
42 using MachPlusPlus::Port;
43 using MachPlusPlus::ReceivePort;
44
45
46 namespace SecurityServer
47 {
48
49 //
50 // Common data types
51 //
// Handles naming server-side objects. Both are plain typedefs of CSSM_HANDLE,
// so the compiler treats them as the same type: passing a key handle where a
// database handle is expected (or the reverse) is not a compile-time error.

// Database handle, and the value meaning "no database".
typedef CSSM_HANDLE DbHandle;
static const CSSM_HANDLE noDb = 0;

// Key handle, and the value meaning "no key".
typedef CSSM_HANDLE KeyHandle;
static const CSSM_HANDLE noKey = 0;
57
// Fixed-size identifier for a key, returned through the optional `uid`
// argument of ClientSession::encodeKey.
// NOTE(review): 20 bytes matches a SHA-1 digest length; this header does not
// say how the value is derived — confirm in the implementation.
struct KeyUID
{
    uint8 signature[20];
};
61
// Opaque two-word value naming an authorization in the ClientSession auth*
// calls. Ordering, equality and hash() are provided so it can be used as a
// container key.
// NOTE(review): comparisons use memcmp, which is not constant-time. Whether
// that matters depends on whether the blob is treated as a secret capability
// — confirm against the server side.
struct AuthorizationBlob {
    uint32 data[2];

    // Byte-wise ordering over both words (not numeric ordering).
    bool operator < (const AuthorizationBlob &other) const
    {
        const int order = memcmp(data, other.data, sizeof(data));
        return order < 0;
    }

    // Two blobs are equal when every byte of `data` matches.
    bool operator == (const AuthorizationBlob &other) const
    {
        const int order = memcmp(data, other.data, sizeof(data));
        return order == 0;
    }

    // Hash for container use only. The shift binds tighter than the xor, so
    // this is data[0] ^ (data[1] << 3). The original author marked it
    // "@@@ revisit this hash"; do not rely on it for anything
    // security-sensitive.
    size_t hash() const
    {
        return data[0] ^ (data[1] << 3);
    }
};
75
// Selects which ACL a request refers to. ClientSession's private
// getAcl/changeAcl/getOwner/changeOwner helpers take this as their `kind`
// argument. Enumerator values are implicit (0, 1, 2) and must keep this order.
enum AclKind {
    dbAcl,      // ACL attached to a database
    keyAcl,     // ACL attached to a key
    loginAcl    // not referenced elsewhere in this header
};
77
78
79 //
80 // Database parameter structure
81 //
// Locking policy for a database (keychain). Supplied to
// ClientSession::createDb and read or written through
// getDbParameters/setDbParameters.
// NOTE(review): the field order and widths are kept exactly as declared;
// presumably this struct crosses the client/server boundary — confirm before
// changing the layout.
class DBParameters {
public:
    // Idle time, in seconds, after which the database is locked.
    // NOTE(review): the meaning of 0 (never lock vs. lock at once) is not
    // stated here — confirm.
    uint32 idleTimeout;

    // Flag: lock the keychain when the system sleeps.
    uint8 lockOnSleep;
};
87
88
89 //
90 // A client connection (session)
91 //
// ClientSession - one client connection (session) to the SecurityServer.
//
// Many operations come in pairs: one overload takes an explicit CssmAllocator,
// and an inline overload without it forwards to the first using
// returnAllocator.
//
// NOTE(review): every operation here returns void or a handle, so failures
// cannot be reported through return values; presumably they are raised as
// exceptions — confirm in the implementation. This matters most for
// verifySignature and verifyMac, where a swallowed exception would look like
// a successful verification.
class ClientSession {
    NOCOPY(ClientSession)

public:
    ClientSession(CssmAllocator &standard, CssmAllocator &returning);
    virtual ~ClientSession();

    // Allocators held by reference: both must outlive the session.
    CssmAllocator &internalAllocator;
    CssmAllocator &returnAllocator;     // used by the allocator-less overloads

    typedef CSSM_DB_ACCESS_TYPE DBAccessType;

    //
    // Connection lifetime
    //
    void activate();
    void terminate();

    //
    // Database sessions
    //
    DbHandle createDb(const DLDbIdentifier &dbId,
        const AccessCredentials *cred,
        const AclEntryInput *owner,
        const DBParameters &params);
    DbHandle decodeDb(const DLDbIdentifier &dbId,
        const AccessCredentials *cred,
        const CssmData &blob);
    void encodeDb(DbHandle db, CssmData &blob, CssmAllocator &alloc);
    void encodeDb(DbHandle db, CssmData &blob)
    {
        encodeDb(db, blob, returnAllocator);
    }
    void releaseDb(DbHandle db);
    void authenticateDb(DbHandle db, DBAccessType type, const AccessCredentials *cred);
    void setDbParameters(DbHandle db, const DBParameters &params);
    void getDbParameters(DbHandle db, DBParameters &params);
    void changePassphrase(DbHandle db, const AccessCredentials *cred);
    void lock(DbHandle db);
    void unlock(DbHandle db);
    // NOTE(review): the passphrase buffer is owned by the caller; this
    // interface does not show whether it is copied or wiped, so callers
    // should scrub their own copy once the call returns.
    void unlock(DbHandle db, const CssmData &passPhrase);
    bool isLocked(DbHandle db);

    //
    // Key objects
    //
    void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid, CssmAllocator &alloc);
    void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid = NULL)
    {
        encodeKey(key, blob, uid, returnAllocator);
    }
    KeyHandle decodeKey(DbHandle db, const CssmData &blob, CssmKey::Header &header);
    void releaseKey(KeyHandle key);

    //
    // Key wrapping and unwrapping
    //
    void wrapKey(const Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
        const AccessCredentials *cred,
        const CssmData *descriptiveData,
        CssmWrappedKey &wrappedKey,
        CssmAllocator &alloc);
    void wrapKey(const Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
        const AccessCredentials *cred,
        const CssmData *descriptiveData,
        CssmWrappedKey &wrappedKey)
    {
        wrapKey(context, key, keyToBeWrapped, cred,
            descriptiveData, wrappedKey, returnAllocator);
    }

    void unwrapKey(DbHandle db, const Context &context, KeyHandle key, KeyHandle publicKey,
        const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
        const AccessCredentials *cred, const AclEntryInput *owner,
        CssmData &data, KeyHandle &newKey, CssmKey::Header &newKeyHeader,
        CssmAllocator &alloc);
    void unwrapKey(DbHandle db, const Context &context, KeyHandle key, KeyHandle publicKey,
        const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
        const AccessCredentials *cred, const AclEntryInput *owner,
        CssmData &data, KeyHandle &newKey, CssmKey::Header &newKeyHeader)
    {
        unwrapKey(db, context, key, publicKey, wrappedKey, keyUsage, keyAttr,
            cred, owner, data, newKey, newKeyHeader, returnAllocator);
    }

    //
    // Key generation and derivation
    //
    // Single-key form.
    void generateKey(DbHandle db, const Context &context,
        uint32 keyUsage, uint32 keyAttr,
        const AccessCredentials *cred, const AclEntryInput *owner,
        KeyHandle &newKey, CssmKey::Header &newHeader);
    // Key-pair form: separate usage/attribute words and outputs for the
    // public and private halves.
    void generateKey(DbHandle db, const Context &context,
        uint32 pubKeyUsage, uint32 pubKeyAttr,
        uint32 privKeyUsage, uint32 privKeyAttr,
        const AccessCredentials *cred, const AclEntryInput *owner,
        KeyHandle &pubKey, CssmKey::Header &pubHeader,
        KeyHandle &privKey, CssmKey::Header &privHeader);
    void deriveKey(DbHandle db, KeyHandle &newKey, CssmKey::Header &newHeader);
    //void generateAlgorithmParameters(); // not implemented

    void generateRandom(CssmData &data);

    //
    // Encrypt/decrypt
    //
    void encrypt(const Context &context, KeyHandle key,
        const CssmData &in, CssmData &out, CssmAllocator &alloc);
    void encrypt(const Context &context, KeyHandle key, const CssmData &in, CssmData &out)
    {
        encrypt(context, key, in, out, returnAllocator);
    }
    void decrypt(const Context &context, KeyHandle key,
        const CssmData &in, CssmData &out, CssmAllocator &alloc);
    void decrypt(const Context &context, KeyHandle key, const CssmData &in, CssmData &out)
    {
        decrypt(context, key, in, out, returnAllocator);
    }

    //
    // Signatures
    //
    void generateSignature(const Context &context, KeyHandle key,
        const CssmData &data, CssmData &signature, CssmAllocator &alloc);
    void generateSignature(const Context &context, KeyHandle key,
        const CssmData &data, CssmData &signature)
    {
        generateSignature(context, key, data, signature, returnAllocator);
    }
    // Returns nothing: see the class note about how a failed verification
    // is reported.
    void verifySignature(const Context &context, KeyHandle key,
        const CssmData &data, const CssmData &signature);

    //
    // MACs
    //
    void generateMac(const Context &context, KeyHandle key,
        const CssmData &data, CssmData &mac, CssmAllocator &alloc);
    void generateMac(const Context &context, KeyHandle key,
        const CssmData &data, CssmData &mac)
    {
        generateMac(context, key, data, mac, returnAllocator);
    }
    // Returns nothing: see the class note about how a failed verification
    // is reported.
    void verifyMac(const Context &context, KeyHandle key,
        const CssmData &data, const CssmData &mac);
    uint32 queryKeySizeInBits(KeyHandle key);

    //
    // Key ACL management
    //
    void getKeyAcl(KeyHandle key, const char *tag,
        uint32 &count, AclEntryInfo * &info, CssmAllocator &alloc);
    void getKeyAcl(KeyHandle key, const char *tag,
        uint32 &count, AclEntryInfo * &info)
    {
        getKeyAcl(key, tag, count, info, returnAllocator);
    }
    void changeKeyAcl(KeyHandle key, const AccessCredentials &cred, const AclEdit &edit);
    void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner, CssmAllocator &alloc);
    void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner)
    {
        getKeyOwner(key, owner, returnAllocator);
    }
    void changeKeyOwner(KeyHandle key, const AccessCredentials &cred,
        const AclOwnerPrototype &edit);

    //
    // Database ACL management
    //
    void getDbAcl(DbHandle db, const char *tag,
        uint32 &count, AclEntryInfo * &info, CssmAllocator &alloc);
    void getDbAcl(DbHandle db, const char *tag,
        uint32 &count, AclEntryInfo * &info)
    {
        getDbAcl(db, tag, count, info, returnAllocator);
    }
    void changeDbAcl(DbHandle db, const AccessCredentials &cred, const AclEdit &edit);
    void getDbOwner(DbHandle db, AclOwnerPrototype &owner, CssmAllocator &alloc);
    void getDbOwner(DbHandle db, AclOwnerPrototype &owner)
    {
        getDbOwner(db, owner, returnAllocator);
    }
    void changeDbOwner(DbHandle db, const AccessCredentials &cred,
        const AclOwnerPrototype &edit);

    //
    // Authorization API support
    //
    void authCreate(const AuthorizationItemSet *rights,
        const AuthorizationItemSet *environment,
        AuthorizationFlags flags, AuthorizationBlob &result);
    void authRelease(const AuthorizationBlob &auth, AuthorizationFlags flags);
    void authCopyRights(const AuthorizationBlob &auth,
        const AuthorizationItemSet *rights,
        const AuthorizationItemSet *environment,
        AuthorizationFlags flags, AuthorizationItemSet **result);
    void authCopyInfo(const AuthorizationBlob &auth, const char *tag,
        AuthorizationItemSet * &info);
    void authExternalize(const AuthorizationBlob &auth, AuthorizationExternalForm &extForm);
    void authInternalize(const AuthorizationExternalForm &extForm, AuthorizationBlob &auth);

    //
    // Session API support
    //
    void getSessionInfo(SecuritySessionId &sessionId, SessionAttributeBits &attrs);
    void setupSession(SessionCreationFlags flags, SessionAttributeBits attrs);

private:
    // Shared ACL/owner helpers. The handle parameter is typed KeyHandle for
    // every AclKind; DbHandle is the same underlying type, so the compiler
    // cannot tell a database handle from a key handle here. `kind` is what
    // says which one the handle is.
    void getAcl(AclKind kind, KeyHandle key, const char *tag,
        uint32 &count, AclEntryInfo * &info, CssmAllocator &alloc);
    void changeAcl(AclKind kind, KeyHandle key,
        const AccessCredentials &cred, const AclEdit &edit);
    void getOwner(AclKind kind, KeyHandle key, AclOwnerPrototype &owner,
        CssmAllocator &alloc);
    void changeOwner(AclKind kind, KeyHandle key, const AccessCredentials &cred,
        const AclOwnerPrototype &edit);

    // Per-thread connection state.
    struct Thread {
        Port replyPort;     // cached mig_get_reply_port
        bool registered;    // has been registered with SecurityServer

        Thread() : replyPort(mig_get_reply_port()), registered(false) { }

        // True once this thread has been registered with SecurityServer.
        operator bool() const { return registered; }
    };

    // Process-wide connection state shared by every ClientSession.
    struct Global {
        Global();
        Port serverPort;
        // NOTE(review): raw pointer with no ownership shown in this header;
        // presumably the calling program's own code identity — confirm.
        CodeSigning::OSXCode *myself;
        ThreadNexus<Thread> thread;
    };

    static ModuleNexus<Global> mGlobal;
};
270
271
272 } // end namespace SecurityServer
273
274 } // end namespace Security
275
276
277 #endif //_H_SSCLIENT