SecurityServer/dbcrypto.h

   1 /*
   2  * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
   3  *
   4  * The contents of this file constitute Original Code as defined in and are
   5  * subject to the Apple Public Source License Version 1.2 (the 'License').
   6  * You may not use this file except in compliance with the License. Please obtain
   7  * a copy of the License at http://www.apple.com/publicsource and read it before
   8  * using this file.
   9  *
  10  * This Original Code and all software distributed under the License are
  11  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
  12  * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
  13  * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
  14  * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
  15  * specific language governing rights and limitations under the License.
  16  */
  17
  18
  19 //
  20 // dbcrypto - cryptographic core for database and key blob cryptography
  21 //
  22 #ifndef _H_DBCRYPTO
  23 #define _H_DBCRYPTO
  24
  25 #include "securityserver.h"
  26 #include <Security/cspclient.h>
  27 #include <Security/keyclient.h>
  28
  29
  30 //
  31 // A DatabaseCryptoCore object encapsulates the secret state of a database.
  32 // It provides for encoding and decoding of database blobs and key blobs,
  33 // and holds all state related to the database secrets.
  34 //
  35 class DatabaseCryptoCore {
  36 public:
  37     DatabaseCryptoCore();
  38         virtual ~DatabaseCryptoCore();
  39
  40     bool isValid() const        { return mIsValid; }
  41         bool hasMaster() const  { return mHaveMaster; }
  42     void invalidate();
  43
  44     void generateNewSecrets();
  45         CssmClient::Key masterKey();
  46
  47         void setup(const DbBlob *blob, const CssmData &passphrase);
  48         void setup(const DbBlob *blob, CssmClient::Key master);
  49
  50     void decodeCore(DbBlob *blob, void **privateAclBlob = NULL);
  51     DbBlob *encodeCore(const DbBlob &blobTemplate,
  52         const CssmData &publicAcl, const CssmData &privateAcl) const;
  53
  54     KeyBlob *encodeKeyCore(const CssmKey &key,
  55         const CssmData &publicAcl, const CssmData &privateAcl) const;
  56     void decodeKeyCore(KeyBlob *blob,
  57         CssmKey &key, void * &pubAcl, void * &privAcl) const;
  58
  59     static const uint32 managedAttributes = KeyBlob::managedAttributes;
  60         static const uint32 forcedAttributes = KeyBlob::forcedAttributes;
  61
  62 public:
  63         bool validatePassphrase(const CssmData &passphrase);
  64
  65 private:
  66         bool mHaveMaster;                               // master key has been entered (setup)
  67     bool mIsValid;                                      // master secrets are valid (decode or generateNew)
  68
  69         CssmClient::Key mMasterKey;             // database master key
  70         uint8 mSalt[20];                                // salt for master key derivation from passphrase (only)
  71
  72     CssmClient::Key mEncryptionKey;     // master encryption key
  73     CssmClient::Key mSigningKey;        // master signing key
  74
  75     CssmClient::Key deriveDbMasterKey(const CssmData &passphrase) const;
  76     CssmClient::Key makeRawKey(void *data, size_t length,
  77         CSSM_ALGORITHMS algid, CSSM_KEYUSE usage);
  78 };
  79
  80
  81 #endif //_H_DBCRYPTO