+++ /dev/null
-/*
- * Copyright (c) 2000-2001,2007,2011 Apple Inc. All Rights Reserved.
- *
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License. Please obtain
- * a copy of the License at http://www.apple.com/publicsource and read it before
- * using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
- * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
- * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
- * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
- * specific language governing rights and limitations under the License.
- */
-
-
-//
-// aclclient
-//
-#include <security_cdsa_client/cssmclient.h>
-#include <security_cdsa_client/aclclient.h>
-#include <security_cdsa_client/keychainacl.h>
-#include <security_cdsa_utilities/cssmwalkers.h>
-#include <security_cdsa_utilities/cssmdata.h>
-
-
-namespace Security {
-namespace CssmClient {
-
-static inline void check(CSSM_RETURN rc)
-{
- ObjectImpl::check(rc);
-}
-
-
-//
-// AclBearer methods (trivial)
-//
-AclBearer::~AclBearer()
-{ }
-
-
-//
-// Variant forms of AclBearer implemented in terms of its canonical virtual methods
-//
-void AclBearer::addAcl(const AclEntryInput &input, const CSSM_ACCESS_CREDENTIALS *cred)
-{
- changeAcl(AclEdit(input), cred);
-}
-
-void AclBearer::changeAcl(CSSM_ACL_HANDLE handle, const AclEntryInput &input,
- const CSSM_ACCESS_CREDENTIALS *cred)
-{
- changeAcl(AclEdit(handle, input), cred);
-}
-
-void AclBearer::deleteAcl(CSSM_ACL_HANDLE handle, const CSSM_ACCESS_CREDENTIALS *cred)
-{
- changeAcl(AclEdit(handle), cred);
-}
-
-void AclBearer::deleteAcl(const char *tag, const CSSM_ACCESS_CREDENTIALS *cred)
-{
- AutoAclEntryInfoList entries;
- getAcl(entries, tag);
- for (uint32 n = 0; n < entries.count(); n++)
- deleteAcl(entries[n].handle(), cred);
-}
-
-
-//
-// KeyAclBearer implementation
-//
-void KeyAclBearer::getAcl(AutoAclEntryInfoList &aclInfos, const char *selectionTag) const
-{
- aclInfos.allocator(allocator);
- check(CSSM_GetKeyAcl(csp, &key, reinterpret_cast<const CSSM_STRING *>(selectionTag), aclInfos, aclInfos));
-}
-
-void KeyAclBearer::changeAcl(const CSSM_ACL_EDIT &aclEdit, const CSSM_ACCESS_CREDENTIALS *cred)
-{
- check(CSSM_ChangeKeyAcl(csp, AccessCredentials::needed(cred), &aclEdit, &key));
-}
-
-void KeyAclBearer::getOwner(AutoAclOwnerPrototype &owner) const
-{
- owner.allocator(allocator);
- check(CSSM_GetKeyOwner(csp, &key, owner));
-}
-
-void KeyAclBearer::changeOwner(const CSSM_ACL_OWNER_PROTOTYPE &newOwner,
- const CSSM_ACCESS_CREDENTIALS *cred)
-{
- check(CSSM_ChangeKeyOwner(csp, AccessCredentials::needed(cred), &key, &newOwner));
-}
-
-
-//
-// A single global structure containing pseudo-static data
-//
-struct Statics {
- Statics();
- Allocator &alloc;
-
- AutoCredentials nullCred;
- AutoCredentials promptCred;
- AutoCredentials unlockCred;
- AutoCredentials cancelCred;
- AutoCredentials promptedPINCred;
- AutoCredentials promptedPINItemCred;
-
- AclOwnerPrototype anyOwner;
- AclEntryInfo anyAcl;
-};
-
-namespace {
- ModuleNexus<Statics> statics;
-}
-
-
-//
-// Make pseudo-statics.
-// Note: This is an eternal object. It is not currently destroyed
-// if the containing code is unloaded.
-//
-Statics::Statics()
- : alloc(Allocator::standard()),
- nullCred(alloc, 1),
- promptCred(alloc, 3),
- unlockCred(alloc, 1),
- cancelCred(alloc, 1),
- promptedPINCred(alloc, 1),
- promptedPINItemCred(alloc, 1),
- anyOwner(TypedList(alloc, CSSM_ACL_SUBJECT_TYPE_ANY)),
- anyAcl(AclEntryPrototype(TypedList(alloc, CSSM_ACL_SUBJECT_TYPE_ANY), 1))
-{
- // nullCred: nothing at all
- // contains:
- // an empty THRESHOLD sample to match threshold subjects with "free" subjects
- nullCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_THRESHOLD);
-
- // promptCred: a credential permitting user prompt confirmations
- // contains:
- // a KEYCHAIN_PROMPT sample, both by itself and in a THRESHOLD
- // a PROMPTED_PASSWORD sample
- promptCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT);
- promptCred.sample(1) = TypedList(alloc, CSSM_SAMPLE_TYPE_THRESHOLD,
- new(alloc) ListElement(TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT)));
- promptCred.sample(2) = TypedList(alloc, CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD,
- new(alloc) ListElement(alloc, CssmData()));
-
- // unlockCred: ???
- unlockCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
- new(alloc) ListElement(CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT));
-
- cancelCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
- new(alloc) ListElement(CSSM_WORDID_CANCELED));
-
- /*
- We don't set this:
-
- promptedPINCred.tag("PIN1");
-
- here to avoid triggering code in TokenDatabase::getAcl in securityd that
- would always show a PIN unlock dialog. This credential is used for an
- unlock of the database, i.e. a dbauthenticate call to unlock the card.
- */
- promptedPINCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD,
- new(alloc) ListElement(alloc, CssmData()));
-
- /*
- This credential is used for items like non-repudiation keys that always
- require an explicit entry of the PIN. We set this so that Token::authenticate
- will recognize the number of the PIN we need to unlock.
- */
- promptedPINItemCred.tag("PIN1");
- promptedPINItemCred.sample(0) = TypedList(alloc, CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD,
- new(alloc) ListElement(alloc, CssmData()));
-}
-
-
-//
-// Make and break AclFactories
-//
-AclFactory::AclFactory()
-{ }
-
-AclFactory::~AclFactory()
-{ }
-
-
-//
-// Return basic pseudo-static values
-//
-const AccessCredentials *AclFactory::nullCred() const
-{ return &statics().nullCred; }
-
-const AccessCredentials *AclFactory::promptCred() const
-{ return &statics().promptCred; }
-
-const AccessCredentials *AclFactory::unlockCred() const
-{ return &statics().unlockCred; }
-
-
-const AccessCredentials *AclFactory::cancelCred() const
-{ return &statics().cancelCred; }
-
-const AccessCredentials *AclFactory::promptedPINCred() const
-{ return &statics().promptedPINCred; }
-
-const AccessCredentials *AclFactory::promptedPINItemCred() const
-{ return &statics().promptedPINItemCred; }
-
-
-//
-// Manage the (pseudo) credentials used to explicitly provide a passphrase to a keychain.
-// Use the eternal unlockCred() for normal (protected prompt) unlocking.
-//
-AclFactory::KeychainCredentials::~KeychainCredentials ()
-{
- DataWalkers::chunkFree(mCredentials, allocator);
-}
-
-AclFactory::PassphraseUnlockCredentials::PassphraseUnlockCredentials (const CssmData& password,
- Allocator& allocator) : KeychainCredentials(allocator)
-{
- mCredentials->sample(0) = TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
- new (allocator) ListElement (CSSM_SAMPLE_TYPE_PASSWORD),
- new (allocator) ListElement (CssmAutoData(allocator, password).release()));
-}
-
-
-//
-// Manage the (pseudo) credentials used to explicitly change a keychain's passphrase
-//
-AclFactory::PasswordChangeCredentials::PasswordChangeCredentials (const CssmData& password,
- Allocator& allocator) : KeychainCredentials(allocator)
-{
- mCredentials->sample(0) = TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_CHANGE_LOCK,
- new (allocator) ListElement (CSSM_SAMPLE_TYPE_PASSWORD),
- new (allocator) ListElement (CssmAutoData(allocator, password).release()));
-}
-
-
-//
-// Wide open ("ANY") CSSM forms for owner and ACL entry
-//
-const AclOwnerPrototype &AclFactory::anyOwner() const
-{ return statics().anyOwner; }
-
-const AclEntryInfo &AclFactory::anyAcl() const
-{ return statics().anyAcl; }
-
-
-//
-// Create an ANY style AclEntryInput.
-// This can be used to explicitly request wide-open authorization on a new CSSM object.
-//
-AclFactory::AnyResourceContext::AnyResourceContext(const CSSM_ACCESS_CREDENTIALS *cred)
- : mAny(CSSM_ACL_SUBJECT_TYPE_ANY), mTag(CSSM_ACL_AUTHORIZATION_ANY)
-{
- // set up an ANY/EVERYTHING AclEntryInput
- input().proto().subject() += &mAny;
- AuthorizationGroup &authGroup = input().proto().authorization();
- authGroup.NumberOfAuthTags = 1;
- authGroup.AuthTags = &mTag;
-
- // install the cred (not copied)
- credentials(cred);
-}
-
-
-//
-// CSSM ACL makers
-//
-AclFactory::Subject::Subject(Allocator &alloc, CSSM_ACL_SUBJECT_TYPE type)
- : TypedList(alloc, type)
-{ }
-
-
-AclFactory::PWSubject::PWSubject(Allocator &alloc)
- : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PASSWORD)
-{ }
-
-AclFactory::PWSubject::PWSubject(Allocator &alloc, const CssmData &secret)
- : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PASSWORD)
-{
- append(new(alloc) ListElement(alloc, secret));
-}
-
-AclFactory::PromptPWSubject::PromptPWSubject(Allocator &alloc, const CssmData &prompt)
- : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PROMPTED_PASSWORD)
-{
- append(new(alloc) ListElement(alloc, prompt));
-}
-
-AclFactory::PromptPWSubject::PromptPWSubject(Allocator &alloc, const CssmData &prompt, const CssmData &secret)
- : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PROMPTED_PASSWORD)
-{
- append(new(alloc) ListElement(alloc, prompt));
- append(new(alloc) ListElement(alloc, secret));
-}
-
-AclFactory::ProtectedPWSubject::ProtectedPWSubject(Allocator &alloc)
- : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PROTECTED_PASSWORD)
-{ }
-
-AclFactory::PinSubject::PinSubject(Allocator &alloc, uint32 slot)
- : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PREAUTH)
-{
- append(new(alloc) ListElement(CSSM_ACL_AUTHORIZATION_PREAUTH(slot)));
-}
-
-AclFactory::PinSourceSubject::PinSourceSubject(Allocator &alloc, const TypedList &form)
- : Subject(alloc, CSSM_ACL_SUBJECT_TYPE_PREAUTH_SOURCE)
-{
- append(new(alloc) ListElement(form));
-}
-
-
-} // end namespace CssmClient
-} // end namespace Security
projects / apple / security.git / blobdiff