// // ucsp.defs - Mach RPC interface between SecurityServer and its clients // #include #include subsystem ucsp 1000; serverprefix ucsp_server_; userprefix ucsp_client_; import "securityserver.h"; import "ucsp_types.h"; // // Data types // type Data = array [] of char; type KeyHandle = unsigned32; type KeyBlob = Data ctype: Pointer; type DbHandle = unsigned32; type DbBlob = Data ctype: Pointer; type AclEntryPrototypeBlob = Data ctype: AclEntryPrototypePtr; type AclEntryPrototypePtr = unsigned32; type AclEntryInfoBlob = Data ctype: AclEntryInfoPtr; type AclEntryInfoPtr = unsigned32; type AclOwnerPrototypeBlob = Data ctype: AclOwnerPrototypePtr; type AclOwnerPrototypePtr = unsigned32; type AccessCredentialsBlob = Data ctype: AccessCredentialsPtr; type AccessCredentialsPtr = unsigned32; type DLDbIdentBlob = Data ctype: DLDbIdentPtr; type DLDbIdentPtr = unsigned32; type Context = struct [9] of unsigned32 ctype: CSSM_CONTEXT intran: Context inTrans(CSSM_CONTEXT); type ContextAttributes = array [] of char cservertype: ContextAttributesPointer; type CssmKeyHeader = struct [23] of unsigned32; type CssmKey = struct [23+2] of unsigned32 ctype: CSSM_KEY intran: CssmKey inTrans(CSSM_KEY) outtran: CSSM_KEY outTrans(CssmKey); type DBParameters = struct [1] of unsigned32; type AuthorizationItemSetBlob = Data ctype: AuthorizationItemSetPtr; type AuthorizationItemSetPtr = unsigned32; type AuthorizationBlob = struct [2] of unsigned32; // 8 opaque bytes type AuthorizationExternalForm = struct [8] of unsigned32; // 32 opaque bytes type CssmString = c_string[*:64+4]; type AuthorizationString = c_string[*:1024]; type CSSM_RETURN = int32; type CSSM_ALGORITHMS = unsigned32; type CSSM_ACL_EDIT_MODE = unsigned32; type CSSM_ACL_HANDLE = unsigned32; type AclKind = unsigned32; type uint32 = unsigned32; type SecuritySessionId = unsigned32; type SessionAttributeBits = unsigned32; type SessionCreationFlags = unsigned32; type Pointer = unsigned32; type ExecutablePath = c_string[*:2048]; // // Common argument profiles // #define UCSP_PORTS requestport sport: mach_port_t; \ replyport rport: mach_port_make_send_t; \ serversectoken sourceSecurity: security_token_t; \ out rcode: CSSM_RETURN #define IN_CONTEXT in context: Context; in contextBase: Pointer; in attrs: ContextAttributes #define IN_BLOB(name,type) in name: type##Blob; in name##Base: type##Ptr #define OUT_BLOB(name,type) out name: type##Blob; out name##Base: type##Ptr // // Management and administrative functions // routine setup(UCSP_PORTS; in tport: mach_port_t; in executablePath: ExecutablePath); routine teardown(UCSP_PORTS); // // Database management // routine createDb(UCSP_PORTS; out db: DbHandle; IN_BLOB(ident,DLDbIdent); IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype); in params: DBParameters); routine decodeDb(UCSP_PORTS; out db: DbHandle; IN_BLOB(ident,DLDbIdent); IN_BLOB(accessCredentials,AccessCredentials); in blob: DbBlob); routine encodeDb(UCSP_PORTS; in db: DbHandle; out blob: DbBlob); routine releaseDb(UCSP_PORTS; in db: DbHandle); routine authenticateDb(UCSP_PORTS; in db: DbHandle; IN_BLOB(accessCredentials,AccessCredentials)); routine setDbParameters(UCSP_PORTS; in db: DbHandle; in params: DBParameters); routine getDbParameters(UCSP_PORTS; in db: DbHandle; out params: DBParameters); routine changePassphrase(UCSP_PORTS; in db: DbHandle; IN_BLOB(accessCredentials,AccessCredentials)); routine lockDb(UCSP_PORTS; in db: DbHandle); routine unlockDb(UCSP_PORTS; in db: DbHandle); routine unlockDbWithPassphrase(UCSP_PORTS; in db: DbHandle; in passPhrase: Data); routine isLocked(UCSP_PORTS; in db: DbHandle; out locked: boolean_t); // // Key management // routine encodeKey(UCSP_PORTS; in key: KeyHandle; out blob: KeyBlob; in wantUid: boolean_t; out uid: Data); routine decodeKey(UCSP_PORTS; out key: KeyHandle; out header: CssmKeyHeader; in db: DbHandle; in blob: KeyBlob); routine releaseKey(UCSP_PORTS; in key: KeyHandle); // // Random numbers // routine generateRandom(UCSP_PORTS; in bytes: uint32; out data: Data); // // Cryptographic operations // routine generateSignature(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in data: Data; out signature: Data); routine verifySignature(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in data: Data; in signature: Data); routine generateMac(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in data: Data; out signature: Data); routine verifyMac(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in data: Data; in signature: Data); routine encrypt(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in clear: Data; out cipher: Data); routine decrypt(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in cipher: Data; out clear: Data); routine generateKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT; IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype); in keyUsage: uint32; in keyAttrs: uint32; out key: KeyHandle; out header: CssmKeyHeader); routine generateKeyPair(UCSP_PORTS; in db: DbHandle; IN_CONTEXT; IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype); in pubUsage: uint32; in pubAttrs: uint32; in privUsage: uint32; in privAttrs: uint32; out pubKey: KeyHandle; out pubHeader: CssmKeyHeader; out privKey: KeyHandle; out privHeader: CssmKeyHeader); routine wrapKey(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; IN_BLOB(accessCredentials,AccessCredentials); in keyToBeWrapped: KeyHandle; in data: Data; out wrappedKey: CssmKey; out wrappedKeyData: Data); routine unwrapKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT; in key: KeyHandle; IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype); in publicKey: KeyHandle; in wrappedKey: CssmKey; in wrappedKeyData: Data; in usage: uint32; in attributes: uint32; out data: Data; out resultKey: KeyHandle; out header: CssmKeyHeader); // // ACL management // routine getOwner(UCSP_PORTS; in kind: AclKind; in key: KeyHandle; out proto: AclOwnerPrototypeBlob; out protoBase: AclOwnerPrototypePtr); routine setOwner(UCSP_PORTS; in kind: AclKind; in key: KeyHandle; IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclOwnerPrototype,AclOwnerPrototype)); routine getAcl(UCSP_PORTS; in kind: AclKind; in key: KeyHandle; in haveTag: boolean_t; in tag: CssmString; out count: uint32; out acls: AclEntryInfoBlob; out aclsBase: AclEntryInfoPtr); routine changeAcl(UCSP_PORTS; in kind: AclKind; in key: KeyHandle; IN_BLOB(accessCredentials,AccessCredentials); in mode: CSSM_ACL_EDIT_MODE; in handle: CSSM_ACL_HANDLE; IN_BLOB(aclEntryPrototype,AclEntryPrototype)); // // Authorization subsystem // routine authorizationCreate(UCSP_PORTS; IN_BLOB(rights,AuthorizationItemSet); in flags: uint32; IN_BLOB(environment,AuthorizationItemSet); out authorization: AuthorizationBlob); routine authorizationRelease(UCSP_PORTS; in authorization: AuthorizationBlob; in flags: uint32); routine authorizationCopyRights(UCSP_PORTS; in authorization: AuthorizationBlob; IN_BLOB(rights,AuthorizationItemSet); in flags: uint32; IN_BLOB(environment,AuthorizationItemSet); OUT_BLOB(result,AuthorizationItemSet)); routine authorizationCopyInfo(UCSP_PORTS; in authorization: AuthorizationBlob; in tag: AuthorizationString; OUT_BLOB(info,AuthorizationItemSet)); routine authorizationExternalize(UCSP_PORTS; in authorization: AuthorizationBlob; out form: AuthorizationExternalForm); routine authorizationInternalize(UCSP_PORTS; in form: AuthorizationExternalForm; out authorization: AuthorizationBlob); // // Session management subsystem // routine getSessionInfo(UCSP_PORTS; inout sessionId: SecuritySessionId; out attrs: SessionAttributeBits); routine setupSession(UCSP_PORTS; in flags: SessionCreationFlags; in attrs: SessionAttributeBits);