securityd/src/dbcrypto.h

   1 /*
   2  * Copyright (c) 2000-2001,2003-2006,2013 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 //
  26 // dbcrypto - cryptographic core for database and key blob cryptography
  27 //
  28 #ifndef _H_DBCRYPTO
  29 #define _H_DBCRYPTO
  30
  31 #include <securityd_client/ssblob.h>
  32 #include <security_cdsa_client/cspclient.h>
  33 #include <security_cdsa_client/keyclient.h>
  34
  35 using namespace SecurityServer;
  36
  37
  38 //
  39 // A DatabaseCryptoCore object encapsulates the secret state of a database.
  40 // It provides for encoding and decoding of database blobs and key blobs,
  41 // and holds all state related to the database secrets.
  42 //
  43 class DatabaseCryptoCore {
  44 public:
  45     DatabaseCryptoCore();
  46         virtual ~DatabaseCryptoCore();
  47
  48     bool isValid() const        { return mIsValid; }
  49         bool hasMaster() const  { return mHaveMaster; }
  50     void invalidate();
  51
  52     void generateNewSecrets();
  53         CssmClient::Key masterKey();
  54
  55         void setup(const DbBlob *blob, const CssmData &passphrase, bool copyVersion = true);
  56         void setup(const DbBlob *blob, CssmClient::Key master, bool copyVersion = true);
  57
  58     void decodeCore(const DbBlob *blob, void **privateAclBlob = NULL);
  59     DbBlob *encodeCore(const DbBlob &blobTemplate,
  60         const CssmData &publicAcl, const CssmData &privateAcl) const;
  61         void importSecrets(const DatabaseCryptoCore &src);
  62
  63     KeyBlob *encodeKeyCore(const CssmKey &key,
  64         const CssmData &publicAcl, const CssmData &privateAcl,
  65                 bool inTheClear) const;
  66     void decodeKeyCore(KeyBlob *blob,
  67         CssmKey &key, void * &pubAcl, void * &privAcl) const;
  68
  69     static const uint32 managedAttributes = KeyBlob::managedAttributes;
  70         static const uint32 forcedAttributes = KeyBlob::forcedAttributes;
  71
  72     bool get_encryption_key(CssmOwnedData &data);
  73
  74 public:
  75         bool validatePassphrase(const CssmData &passphrase);
  76
  77 protected:
  78     uint32 mBlobVersion;            // blob version of current database
  79
  80 private:
  81         bool mHaveMaster;                               // master key has been entered (setup)
  82     bool mIsValid;                                      // master secrets are valid (decode or generateNew)
  83
  84         CssmClient::Key mMasterKey;             // database master key
  85         uint8 mSalt[20];                                // salt for master key derivation from passphrase (only)
  86
  87     CssmClient::Key mEncryptionKey;     // master encryption key
  88     CssmClient::Key mSigningKey;        // master signing key
  89
  90     CssmClient::Key deriveDbMasterKey(const CssmData &passphrase) const;
  91     CssmClient::Key makeRawKey(void *data, size_t length,
  92         CSSM_ALGORITHMS algid, CSSM_KEYUSE usage);
  93 };
  94
  95
  96 #endif //_H_DBCRYPTO