]> git.saurik.com Git - apple/security.git/blob - securityd/src/tokendatabase.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57337.40.85.tar.gz
[apple/security.git] / securityd / src / tokendatabase.h
1 /*
2 * Copyright (c) 2000-2008,2013 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 //
26 // tokendatabase - software database container implementation.
27 //
28 // A TokenDatabase represents access to an external (secure) storage container
29 // of some kind (usually a smartcard token).
30 //
31 #ifndef _H_TOKENDATABASE
32 #define _H_TOKENDATABASE
33
34 #include "database.h"
35 #include "tokenacl.h"
36 #include "session.h"
37 #include "token.h"
38 #include <security_utilities/adornments.h>
39
40 class TokenDatabase;
41 class TokenDbCommon;
42 class TokenKey;
43 class TokenDaemon;
44
45
46 //
47 // The global per-system object for a TokenDatabase (the TokenDbGlobal so to
48 // speak) is the Token object itself (from token.h).
49 //
50
51
52 //
53 // TokenDatabase DbCommons
54 //
55 class TokenDbCommon : public DbCommon, public Adornable {
56 public:
57 TokenDbCommon(Session &ssn, Token &tk, const char *name);
58 ~TokenDbCommon();
59
60 Token &token() const;
61
62 uint32 subservice() const { return token().subservice(); }
63 std::string dbName() const;
64
65 // TokenDbCommons have no real version, return base
66 uint32 dbVersion() { return CommonBlob::version_MacOS_10_0; }
67
68 Adornable &store();
69 void resetAcls();
70
71 void notify(NotificationEvent event);
72
73 void lockProcessing();
74
75 typedef Token::ResetGeneration ResetGeneration;
76
77 private:
78 std::string mDbName; // name given during open
79 bool mHasAclState; // Adornment is carrying active ACL state
80
81 ResetGeneration mResetLevel; // validity tag
82 };
83
84
85 //
86 // A Database object represents a SC/CSPDL per-process access to a token.
87 //
88 class TokenDatabase : public Database {
89 friend class TokenDbCommon;
90 public:
91 TokenDatabase(uint32 ssid, Process &proc, const char *name, const AccessCredentials *cred);
92 ~TokenDatabase();
93
94 TokenDbCommon &common() const;
95 Token &token() const { return common().token(); }
96 TokenDaemon &tokend();
97 uint32 subservice() const { return common().subservice(); }
98 const char *dbName() const;
99 void dbName(const char *name);
100 bool transient() const;
101
102 SecurityServerAcl &acl(); // it's our Token
103 void getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls); // post-processing
104
105 bool isLocked();
106 bool pinState(uint32 pin, int *count = NULL);
107
108 void notify(NotificationEvent event) { return common().notify(event); }
109
110 bool validateSecret(const AclSubject *subject, const AccessCredentials *cred);
111
112 const AccessCredentials *openCreds() const { return mOpenCreds; }
113
114 protected:
115 // any Process-referent concept handle we hand out to the client
116 class Handler {
117 public:
118 Handler() : mHandle(0) { }
119 GenericHandle &tokenHandle() { return mHandle; }
120 GenericHandle tokenHandle() const { return mHandle; }
121
122 protected:
123 GenericHandle mHandle;
124 };
125
126 // CSSM-style search handles (returned by findFirst)
127 struct Search : public Database::Search, public Handler {
128 Search(TokenDatabase &db) : Database::Search(db) { }
129 TokenDatabase &database() const { return referent<TokenDatabase>(); }
130 ~Search();
131
132 Search *commit() { database().addReference(*this); return this; }
133 };
134
135 // CSSM-style record handles (returned by findFirst/findNext et al)
136 struct Record : public Database::Record, public Handler, public TokenAcl {
137 Record(TokenDatabase &db) : Database::Record(db) { }
138 TokenDatabase &database() const { return referent<TokenDatabase>(); }
139 ~Record();
140
141 Record *commit() { database().addReference(*this); return this; }
142
143 void validate(AclAuthorization auth, const AccessCredentials *cred)
144 { TokenAcl::validate(auth, cred, &database()); }
145
146 // TokenAcl personality
147 AclKind aclKind() const;
148 Token &token();
149 using Handler::tokenHandle;
150 GenericHandle tokenHandle() const;
151 };
152
153 public:
154 //
155 // Cryptographic service calls
156 //
157 void queryKeySizeInBits(Key &key, CssmKeySize &result);
158 void getOutputSize(const Context &context, Key &key, uint32 inputSize, bool encrypt, uint32 &result);
159
160 // service calls
161 void generateSignature(const Context &context, Key &key, CSSM_ALGORITHMS signOnlyAlgorithm,
162 const CssmData &data, CssmData &signature);
163 void verifySignature(const Context &context, Key &key, CSSM_ALGORITHMS verifyOnlyAlgorithm,
164 const CssmData &data, const CssmData &signature);
165 void generateMac(const Context &context, Key &key,
166 const CssmData &data, CssmData &mac);
167 void verifyMac(const Context &context, Key &key,
168 const CssmData &data, const CssmData &mac);
169
170 void encrypt(const Context &context, Key &key, const CssmData &clear, CssmData &cipher);
171 void decrypt(const Context &context, Key &key, const CssmData &cipher, CssmData &clear);
172
173 void generateKey(const Context &context,
174 const AccessCredentials *cred, const AclEntryPrototype *owner,
175 uint32 usage, uint32 attrs, RefPointer<Key> &newKey);
176 void generateKey(const Context &context,
177 const AccessCredentials *cred, const AclEntryPrototype *owner,
178 uint32 pubUsage, uint32 pubAttrs, uint32 privUsage, uint32 privAttrs,
179 RefPointer<Key> &publicKey, RefPointer<Key> &privateKey);
180 void deriveKey(const Context &context, Key *key,
181 const AccessCredentials *cred, const AclEntryPrototype *owner,
182 CssmData *param, uint32 usage, uint32 attrs, RefPointer<Key> &derivedKey);
183
184 void wrapKey(const Context &context, const AccessCredentials *cred,
185 Key *hWrappingKey, Key &keyToBeWrapped,
186 const CssmData &descriptiveData, CssmKey &wrappedKey);
187 void unwrapKey(const Context &context,
188 const AccessCredentials *cred, const AclEntryPrototype *owner,
189 Key *wrappingKey, Key *publicKey, CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attrs,
190 const CssmKey wrappedKey, RefPointer<Key> &unwrappedKey, CssmData &descriptiveData);
191
192 public:
193 //
194 // Data-access calls
195 //
196 void findFirst(const CssmQuery &query,
197 CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
198 CssmData *data, RefPointer<Key> &key,
199 RefPointer<Database::Search> &search, RefPointer<Database::Record> &record,
200 CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength);
201 void findNext(Database::Search *search,
202 CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
203 CssmData *data, RefPointer<Key> &key, RefPointer<Database::Record> &record,
204 CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength);
205 void findRecordHandle(Database::Record *record,
206 CssmDbRecordAttributeData *inAttributes, mach_msg_type_number_t inAttributesLength,
207 CssmData *data, RefPointer<Key> &key,
208 CssmDbRecordAttributeData * &outAttributes, mach_msg_type_number_t &outAttributesLength);
209 void insertRecord(CSSM_DB_RECORDTYPE recordtype,
210 const CssmDbRecordAttributeData *attributes, mach_msg_type_number_t inAttributesLength,
211 const CssmData &data, RefPointer<Database::Record> &record);
212 void modifyRecord(CSSM_DB_RECORDTYPE recordtype, Record *record,
213 const CssmDbRecordAttributeData *attributes, mach_msg_type_number_t inAttributesLength,
214 const CssmData *data, CSSM_DB_MODIFY_MODE modifyMode);
215 void deleteRecord(Database::Record *record);
216
217 // authenticate to database
218 void authenticate(CSSM_DB_ACCESS_TYPE mode, const AccessCredentials *cred);
219
220 private:
221 // internal utilities
222 RefPointer<Key> makeKey(KeyHandle hKey, const CssmKey *key,
223 uint32 moreAttributes, const AclEntryPrototype *owner);
224
225 class InputKey {
226 public:
227 InputKey(Key *key) { setup(key); }
228 InputKey(Key &key) { setup(&key); }
229 ~InputKey();
230
231 operator KeyHandle () const { return mKeyHandle; }
232 operator const CssmKey * () const { return mKeyPtr; }
233
234 private:
235 KeyHandle mKeyHandle;
236 CssmKey mKey;
237 CssmKey *mKeyPtr;
238
239 void setup(Key *key);
240 };
241
242 private:
243 AccessCredentials *mOpenCreds; // credentials passed during open
244 mutable std::string mDbName; // stored name for method dbName() which need to call c_str on object outside function scope
245 };
246
247
248 #endif //_H_TOKENDATABASE
mirror of Security