]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_keychain/lib/defaultcreds.cpp
Security-57337.40.85.tar.gz
[apple/security.git] / OSX / libsecurity_keychain / lib / defaultcreds.cpp
1 /*
2 * Copyright (c) 2004,2011-2012,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 //
25 // defaultcreds - default computations for keychain open credentials
26 //
27 #include "Keychains.h"
28 #include "defaultcreds.h"
29 #include "StorageManager.h"
30 #include "Globals.h"
31 #include "KCCursor.h"
32 #include <security_cdsa_utilities/Schema.h>
33 #include <algorithm>
34
35
36 namespace Security {
37 namespace KeychainCore {
38
39 using namespace CssmClient;
40
41
42 DefaultCredentials::DefaultCredentials(KeychainImpl* kcImpl, Allocator &alloc)
43 : TrackingAllocator(alloc), AutoCredentials(static_cast<TrackingAllocator&>(*this)),
44 mMade(false), mKeychainImpl (kcImpl)
45 {
46 }
47
48
49 void DefaultCredentials::clear()
50 {
51 TrackingAllocator::reset();
52 mNeededItems.clear();
53 mMade = false;
54 }
55
56
57 //
58 // The main driver.
59 // This scans a database for referral records and forms corresponding
60 // credentials to trigger unlocks.
61 // Returns true if any valid unlock credentials were found; false otherwise.
62 // Only throws if the database is messed up.
63 //
64 bool DefaultCredentials::operator () (Db database)
65 {
66 if (!mMade) {
67 try {
68 // before we do anything else, see if we have a relation in the database of the appropriate type
69 KeychainSchema keychainSchema = mKeychainImpl->keychainSchema();
70 if (keychainSchema->hasRecordType(UnlockReferralRecord::recordType))
71 {
72 clear();
73 Table<UnlockReferralRecord> referrals(database);
74 for (Table<UnlockReferralRecord>::iterator it = referrals.begin(); it != referrals.end(); it++) {
75 switch ((*it)->type()) {
76 case CSSM_APPLE_UNLOCK_TYPE_KEY_DIRECT:
77 case CSSM_APPLE_UNLOCK_TYPE_WRAPPED_PRIVATE:
78 keyReferral(**it);
79 break;
80 default:
81 secdebug("kcreferral", "referral type %lu (to %s) not supported",
82 (unsigned long)(*it)->type(), (*it)->dbName().c_str());
83 break;
84 }
85 }
86 }
87 secdebug("kcreferral", "%lu samples generated", (unsigned long)size());
88 } catch (...) {
89 secdebug("kcreferral", "exception setting default credentials for %s; using standard value", database->name());
90 }
91 mMade = true;
92 }
93
94 return size() > 0; // got credentials?
95 }
96
97
98 //
99 // Process a single referral record. This will handle all known types
100 // of referrals.
101 //
102 void DefaultCredentials::keyReferral(const UnlockReferralRecord &ref)
103 {
104 secdebug("kcreferral", "processing type %ld referral to %s",
105 (long)ref.type(), ref.dbName().c_str());
106 DLDbIdentifier identifier(ref.dbName().c_str(), ref.dbGuid(), ref.dbSSID(), ref.dbSSType());
107
108 // first, try the keychain indicated
109 try {
110 KeychainList list;
111 list.push_back(globals().storageManager.keychain(identifier));
112 if (unlockKey(ref, list)) // try just this database...
113 return; // ... bingo!
114 } catch (...) { }
115
116 // try the entire search list (just in case)
117 try {
118 secdebug("kcreferral", "no joy with %s; trying the entire keychain list for guid %s",
119 ref.dbName().c_str(), ref.dbGuid().toString().c_str());
120 unlockKey(ref, fallbackSearchList(identifier));
121 return;
122 } catch (...) { }
123 secdebug("kcreferral", "no luck at all; we'll skip this record");
124 }
125
126
127 bool DefaultCredentials::unlockKey(const UnlockReferralRecord &ref, const KeychainList &list)
128 {
129 bool foundSome = false;
130 try {
131 // form the query
132 SecKeychainAttribute attributes[1] = {
133 { kSecKeyLabel, (UInt32)ref.keyLabel().length(), ref.keyLabel().data() }
134 };
135 SecKeychainAttributeList search = { 1, attributes };
136 CSSM_DB_RECORDTYPE recordType =
137 (ref.type() == CSSM_APPLE_UNLOCK_TYPE_KEY_DIRECT) ?
138 CSSM_DL_DB_RECORD_SYMMETRIC_KEY : CSSM_DL_DB_RECORD_PRIVATE_KEY;
139 KCCursor cursor(list, recordType, &search);
140
141 Item keyItem;
142 while (cursor->next(keyItem)) {
143 secdebug("kcreferral", "located source key in %s", keyItem->keychain()->name());
144
145 // get a reference to the key in the provider keychain
146 CssmClient::Key key = dynamic_cast<KeyItem &>(*keyItem).key();
147 const CssmKey &masterKey = key;
148
149 // get the CSP handle FOR THE UNLOCKING KEY'S KEYCHAIN
150 CSSM_CSP_HANDLE cspHandle = key->csp()->handle();
151
152 // (a)symmetric-key form: KCLOCK, (A)SYMMETRIC_KEY, cspHandle, masterKey
153 // Note that the last list element ("ref") is doing an implicit cast to a
154 // CssmData, which passes the data portion of the UnlockReferralRecord
155 append(TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
156 new(allocator) ListElement((recordType==CSSM_DL_DB_RECORD_SYMMETRIC_KEY)?
157 CSSM_WORDID_SYMMETRIC_KEY:CSSM_WORDID_ASYMMETRIC_KEY),
158 new(allocator) ListElement(allocator, CssmData::wrap(cspHandle)),
159 new(allocator) ListElement(allocator, CssmData::wrap(masterKey)),
160 new(allocator) ListElement(allocator, ref.get())
161 ));
162
163 // let's make sure everything we need stays around
164 mNeededItems.insert(keyItem);
165 foundSome = true;
166 }
167 } catch (...) {
168 // (ignore it)
169 }
170 return foundSome;
171 }
172
173
174 //
175 // Take the official keychain search list, and return those keychains whose
176 // module Guid matches the one given. Essentially, this focuses the search list
177 // to a particular type of keychain.
178 //
179 struct NotGuid {
180 NotGuid(const Guid &g) : guid(g) { }
181 const Guid &guid;
182 bool operator () (Keychain kc) { return kc->database()->dl()->guid() != guid; }
183 };
184
185 DefaultCredentials::KeychainList DefaultCredentials::fallbackSearchList(const DLDbIdentifier &ident)
186 {
187 KeychainList list;
188 globals().storageManager.getSearchList(list);
189 list.erase(remove_if(list.begin(), list.end(), NotGuid(ident.ssuid().guid())), list.end());
190 return list;
191 }
192
193
194 } // namespace KeychainCore
195 } // namespace Security