Security-59306.140.5.tar.gz
[apple/security.git] / OSX / libsecurity_keychain / lib / Access.cpp
index d510cd9833cf621d73b515a5681982779541b588..032bbb6ebd8d39166f357ad9c7852b9af08d1de2 100644 (file)
 #include <security_keychain/Access.h>
 #include <Security/SecBase.h>
 #include "SecBridge.h"
-#include <security_utilities/devrandom.h>
-#include <security_cdsa_utilities/uniformrandom.h>
+#include <Security/SecRandom.h>
 #include <security_cdsa_client/aclclient.h>
 #include <vector>
-#include <SecBase.h>
+#include <Security/SecBase.h>
 using namespace KeychainCore;
 using namespace CssmClient;
 
@@ -49,11 +48,11 @@ const CSSM_ACL_HANDLE Access::ownerHandle;
 //
 Access::Access() : mMutex(Mutex::recursive)
 {
-       SecPointer<ACL> owner = new ACL(*this);
+       SecPointer<ACL> owner = new ACL();
        owner->setAuthorization(CSSM_ACL_AUTHORIZATION_CHANGE_ACL);
        addOwner(owner);
        
-       SecPointer<ACL> any = new ACL(*this);
+       SecPointer<ACL> any = new ACL();
        add(any);
 }
 
@@ -87,12 +86,12 @@ void Access::makeStandard(const string &descriptor, const ACL::ApplicationList &
        StLock<Mutex>_(mMutex);
 
        // owner "entry"
-       SecPointer<ACL> owner = new ACL(*this, descriptor, ACL::defaultSelector);
+       SecPointer<ACL> owner = new ACL(descriptor, ACL::defaultSelector);
        owner->setAuthorization(CSSM_ACL_AUTHORIZATION_CHANGE_ACL);
        addOwner(owner);
 
        // unlimited entry
-       SecPointer<ACL> unlimited = new ACL(*this, descriptor, ACL::defaultSelector);
+       SecPointer<ACL> unlimited = new ACL(descriptor, ACL::defaultSelector);
        if (freeRights.empty()) {
                unlimited->authorizations().clear();
                unlimited->authorizations().insert(CSSM_ACL_AUTHORIZATION_ENCRYPT);
@@ -102,7 +101,7 @@ void Access::makeStandard(const string &descriptor, const ACL::ApplicationList &
        add(unlimited);
 
        // limited entry
-       SecPointer<ACL> limited = new ACL(*this, descriptor, ACL::defaultSelector);
+       SecPointer<ACL> limited = new ACL(descriptor, ACL::defaultSelector);
        if (limitedRights.empty()) {
                limited->authorizations().clear();
                limited->authorizations().insert(CSSM_ACL_AUTHORIZATION_DECRYPT);
@@ -160,7 +159,7 @@ convert(const SecPointer<ACL> &acl)
 //
 CFArrayRef Access::copySecACLs() const
 {
-       return makeCFArray(convert, mAcls);
+       return makeCFArrayFrom(convert, mAcls);
 }
 
 CFArrayRef Access::copySecACLs(CSSM_ACL_AUTHORIZATION_TAG action) const
@@ -169,7 +168,7 @@ CFArrayRef Access::copySecACLs(CSSM_ACL_AUTHORIZATION_TAG action) const
        for (Map::const_iterator it = mAcls.begin(); it != mAcls.end(); it++)
                if (it->second->authorizes(action))
                        choices.push_back(it->second);
-       return choices.empty() ? NULL : makeCFArray(convert, choices);
+       return choices.empty() ? NULL : makeCFArrayFrom(convert, choices);
 }
 
 
@@ -263,6 +262,20 @@ void Access::copyOwnerAndAcl(CSSM_ACL_OWNER_PROTOTYPE * &ownerResult,
 }
 
 
+//
+// Remove all ACLs that confer this right.
+//
+void Access::removeAclsForRight(AclAuthorization right) {
+    for (Map::const_iterator it = mAcls.begin(); it != mAcls.end(); ) {
+        if (it->second->authorizesSpecifically(right)) {
+            it = mAcls.erase(it);
+            secinfo("SecAccess", "%p removed an acl, %lu left", this, mAcls.size());
+        } else {
+            it++;
+        }
+    }
+}
+
 //
 // Retrieve the description from a randomly chosen ACL within this Access.
 // In the conventional case where all ACLs have the same descriptor, this
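Review bot: removeAclsForRight erases entries from mAcls without holding mMutex, while add(), makeStandard() and compile() in this same diff all begin with `StLock<Mutex>_(mMutex);` before touching the map. A concurrent add() during the erase loop would race on the map, so I would make `StLock<Mutex>_(mMutex);` the first statement of the function; the constructor creates the mutex as Mutex::recursive, so a caller that already holds it is not affected. compile() also stores the owner entry in the same map under ownerHandle, so if authorizesSpecifically() (not shown here) can match that entry, this loop removes the owner ACL as well; a comment such as `// also drops the owner entry if it confers this right specifically` (or a guard, if that is not intended) would make the contract explicit.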
@@ -296,8 +309,6 @@ string Access::promptDescription() const
 void Access::add(ACL *newAcl)
 {
        StLock<Mutex>_(mMutex);
-       if (&newAcl->access != this)
-               MacOSError::throwMe(errSecParam);
        assert(!mAcls[newAcl->entryHandle()]);
        mAcls[newAcl->entryHandle()] = newAcl;
 }
@@ -326,15 +337,17 @@ void Access::compile(const CSSM_ACL_OWNER_PROTOTYPE &owner,
 {
        StLock<Mutex>_(mMutex);
        // add owner acl
-       mAcls[ownerHandle] = new ACL(*this, AclOwnerPrototype::overlay(owner));
+       mAcls[ownerHandle] = new ACL(AclOwnerPrototype::overlay(owner));
+    secinfo("SecAccess", "form of owner is: %d", mAcls[ownerHandle]->form());
        
        // add acl entries
        const AclEntryInfo *acl = AclEntryInfo::overlay(acls);
        for (uint32 n = 0; n < aclCount; n++) {
-               secdebug("SecAccess", "%p compiling entry %ld", this, acl[n].handle());
-               mAcls[acl[n].handle()] = new ACL(*this, acl[n]);
+               secinfo("SecAccess", "%p compiling entry %ld", this, acl[n].handle());
+               mAcls[acl[n].handle()] = new ACL(acl[n]);
+        secinfo("SecAccess", "form is: %d", mAcls[acl[n].handle()]->form());
        }
-       secdebug("SecAccess", "%p %ld entries compiled", this, mAcls.size());
+       secinfo("SecAccess", "%p %ld entries compiled", this, mAcls.size());
 }
 
 
@@ -350,12 +363,15 @@ Access::Maker::Maker(Allocator &alloc, MakerType makerType)
        {
                // generate random key
                mKey.malloc(keySize);
-               UniformRandomBlobs<DevRandomGenerator>().random(mKey.get());
-               
+        CssmData data = mKey.get();
+        MacOSError::check(SecRandomCopyBytes(kSecRandomDefault, data.length(), data.data()));
+        
                // create entry info for resource creation
                mInput = AclEntryPrototype(TypedList(allocator, CSSM_ACL_SUBJECT_TYPE_PASSWORD,
                        new(allocator) ListElement(mKey.get())));
                mInput.proto().tag(creationEntryTag);
+        secinfo("SecAccess", "made a CSSM_ACL_SUBJECT_TYPE_PASSWORD ACL entry for %p", this);
+        secinfo("SecAccess", "mInput: %p, typedList %p", &mInput, &(mInput.Prototype.TypedSubject));
 
                // create credential sample for access
                mCreds += TypedList(allocator, CSSM_SAMPLE_TYPE_PASSWORD, new(allocator) ListElement(mKey.get()));
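Review bot: The two secinfo calls added after `mInput.proto().tag(creationEntryTag);` look like leftover debugging, and the second one logs the addresses of mInput and its TypedSubject, the structure that carries the freshly generated random key. The key bytes themselves are not logged, but process addresses written to a log weaken address-space randomisation for anyone who can read that log, so I would drop the `"mInput: %p, typedList %p"` line or keep it behind a debug-only macro. Wrapping SecRandomCopyBytes in `MacOSError::check(...)` is the right shape, since a failed RNG call now surfaces as an exception. A one-line comment above it, e.g. `// data is a pointer/length view of mKey's buffer; the bytes are filled in place`, would make clear that copying the CssmData descriptor does not copy the key (presumably the case, given that mKey.get() is used as the key afterwards). The constructor body begins outside this hunk.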
@@ -364,6 +380,7 @@ Access::Maker::Maker(Allocator &alloc, MakerType makerType)
        {
                // just make it an CSSM_ACL_SUBJECT_TYPE_ANY list
                mInput = AclEntryPrototype(TypedList(allocator, CSSM_ACL_SUBJECT_TYPE_ANY));
+        secinfo("SecAccess", "made a CSSM_ACL_SUBJECT_TYPE_ANY ACL entry for %p", this);
        }
 }