-/*
- * Copyright (c) 2000-2004,2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include <Security/SecKeychain.h>
-#include <Security/SecKeychainPriv.h>
-#include <security_keychain/KCCursor.h>
-#include <security_cdsa_utilities/cssmdata.h>
-#include <security_cdsa_client/wrapkey.h>
-#include <security_keychain/KCExceptions.h>
-#include <securityd_client/ssblob.h>
-#include <Security/SecAccess.h>
-#include <Security/SecTrustedApplicationPriv.h>
-#include "SecBridge.h"
-#include "CCallbackMgr.h"
-#include <security_cdsa_utilities/Schema.h>
-#include <security_cdsa_client/mdsclient.h>
-#include <pwd.h>
-
-OSStatus
-SecKeychainMDSInstall()
-{
- BEGIN_SECAPI
-
- Security::MDSClient::Directory d;
- d.install();
-
- END_SECAPI
-}
-
-CFTypeID
-SecKeychainGetTypeID(void)
-{
- BEGIN_SECAPI
-
- return gTypes().KeychainImpl.typeID;
-
- END_SECAPI1(_kCFRuntimeNotATypeID)
-}
-
-
-OSStatus
-SecKeychainGetVersion(UInt32 *returnVers)
-{
- if (!returnVers)
- return errSecSuccess;
-
- *returnVers = 0x02028000;
- return errSecSuccess;
-}
-
-
-OSStatus
-SecKeychainOpen(const char *pathName, SecKeychainRef *keychainRef)
-{
- BEGIN_SECAPI
-
- RequiredParam(keychainRef)=globals().storageManager.make(pathName, false)->handle();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainOpenWithGuid(const CSSM_GUID *guid, uint32 subserviceId, uint32 subserviceType, const char* dbName,
- const CSSM_NET_ADDRESS *dbLocation, SecKeychainRef *keychain)
-{
- BEGIN_SECAPI
-
- // range check parameters
- RequiredParam (guid);
- RequiredParam (dbName);
-
- // create a DLDbIdentifier that describes what should be opened
- const CSSM_VERSION *version = NULL;
- const CssmSubserviceUid ssuid(*guid, version, subserviceId, subserviceType);
- DLDbIdentifier dLDbIdentifier(ssuid, dbName, dbLocation);
-
- // make a keychain from the supplied info
- RequiredParam(keychain) = globals().storageManager.makeKeychain(dLDbIdentifier, false)->handle ();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainCreate(const char *pathName, UInt32 passwordLength, const void *password,
- Boolean promptUser, SecAccessRef initialAccess, SecKeychainRef *keychainRef)
-{
- BEGIN_SECAPI
-
- KCThrowParamErrIf_(!pathName);
- Keychain keychain = globals().storageManager.make(pathName);
-
- // @@@ the call to StorageManager::make above leaves keychain the the cache.
- // If the create below fails we should probably remove it.
- if(promptUser)
- keychain->create();
- else
- {
- KCThrowParamErrIf_(!password);
- keychain->create(passwordLength, password);
- }
-
- RequiredParam(keychainRef)=keychain->handle();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainDelete(SecKeychainRef keychainOrArray)
-{
- BEGIN_SECAPI
-
- KCThrowIf_(!keychainOrArray, errSecInvalidKeychain);
- StorageManager::KeychainList keychains;
- globals().storageManager.optionalSearchList(keychainOrArray, keychains);
-
- globals().storageManager.remove(keychains, true);
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainSetSettings(SecKeychainRef keychainRef, const SecKeychainSettings *newSettings)
-{
- BEGIN_SECAPI
-
- Keychain keychain = Keychain::optional(keychainRef);
- if (newSettings->version==SEC_KEYCHAIN_SETTINGS_VERS1)
- {
- UInt32 lockInterval=newSettings->lockInterval;
- bool lockOnSleep=newSettings->lockOnSleep;
- keychain->setSettings(lockInterval, lockOnSleep);
- }
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainCopySettings(SecKeychainRef keychainRef, SecKeychainSettings *outSettings)
-{
- BEGIN_SECAPI
-
- Keychain keychain = Keychain::optional(keychainRef);
- if (outSettings->version==SEC_KEYCHAIN_SETTINGS_VERS1)
- {
- uint32 lockInterval;
- bool lockOnSleep;
-
- keychain->getSettings(lockInterval, lockOnSleep);
- outSettings->lockInterval=lockInterval;
- outSettings->lockOnSleep=lockOnSleep;
- }
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainUnlock(SecKeychainRef keychainRef, UInt32 passwordLength, const void *password, Boolean usePassword)
-{
- BEGIN_SECAPI
-
- Keychain keychain = Keychain::optional(keychainRef);
-
- if (usePassword)
- keychain->unlock(CssmData(const_cast<void *>(password), passwordLength));
- else
- keychain->unlock();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainLock(SecKeychainRef keychainRef)
-{
- BEGIN_SECAPI
-
- Keychain keychain = Keychain::optional(keychainRef);
- keychain->lock();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainLockAll(void)
-{
- BEGIN_SECAPI
-
- globals().storageManager.lockAll();
-
- END_SECAPI
-}
-
-
-OSStatus SecKeychainResetLogin(UInt32 passwordLength, const void* password, Boolean resetSearchList)
-{
- BEGIN_SECAPI
- //
- // Get the current user (using fallback method if necessary)
- //
- char* uName = getenv("USER");
- string userName = uName ? uName : "";
- if ( userName.length() == 0 )
- {
- uid_t uid = geteuid();
- if (!uid) uid = getuid();
- struct passwd *pw = getpwuid(uid); // fallback case...
- if (pw)
- userName = pw->pw_name;
- endpwent();
- }
- if ( userName.length() == 0 ) // did we ultimately get one?
- MacOSError::throwMe(errAuthorizationInternal);
-
- SecurityServer::ClientSession().resetKeyStorePassphrase(password ? CssmData(const_cast<void *>(password), passwordLength) : CssmData());
-
- if (password)
- {
- // Clear the plist and move aside (rename) the existing login.keychain
- globals().storageManager.resetKeychain(resetSearchList);
-
- // Create the login keychain without UI
- globals().storageManager.login((UInt32)userName.length(), userName.c_str(), passwordLength, password);
-
- // Set it as the default
- Keychain keychain = globals().storageManager.loginKeychain();
- globals().storageManager.defaultKeychain(keychain);
- }
- else
- {
- // Create the login keychain, prompting for password
- // (implicitly calls resetKeychain, login, and defaultKeychain)
- globals().storageManager.makeLoginAuthUI(NULL);
- }
-
- // Post a "list changed" event after a reset, so apps can refresh their list.
- // Make sure we are not holding mLock when we post this event.
- KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent);
-
- END_SECAPI
-}
-
-OSStatus
-SecKeychainCopyDefault(SecKeychainRef *keychainRef)
-{
- BEGIN_SECAPI
-
- RequiredParam(keychainRef)=globals().storageManager.defaultKeychain()->handle();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainSetDefault(SecKeychainRef keychainRef)
-{
- BEGIN_SECAPI
-
- globals().storageManager.defaultKeychain(Keychain::optional(keychainRef));
-
- END_SECAPI
-}
-
-OSStatus SecKeychainCopySearchList(CFArrayRef *searchList)
-{
- BEGIN_SECAPI
-
- RequiredParam(searchList);
- StorageManager &smr = globals().storageManager;
- StorageManager::KeychainList keychainList;
- smr.getSearchList(keychainList);
- *searchList = smr.convertFromKeychainList(keychainList);
-
- END_SECAPI
-}
-
-OSStatus SecKeychainSetSearchList(CFArrayRef searchList)
-{
- BEGIN_SECAPI
-
- RequiredParam(searchList);
- StorageManager &smr = globals().storageManager;
- StorageManager::KeychainList keychainList;
- smr.convertToKeychainList(searchList, keychainList);
- smr.setSearchList(keychainList);
-
- END_SECAPI
-}
-
-OSStatus SecKeychainCopyDomainDefault(SecPreferencesDomain domain, SecKeychainRef *keychainRef)
-{
- BEGIN_SECAPI
-
- RequiredParam(keychainRef)=globals().storageManager.defaultKeychain(domain)->handle();
-
- END_SECAPI
-}
-
-OSStatus SecKeychainSetDomainDefault(SecPreferencesDomain domain, SecKeychainRef keychainRef)
-{
- BEGIN_SECAPI
-
- globals().storageManager.defaultKeychain(domain, Keychain::optional(keychainRef));
-
- END_SECAPI
-}
-
-OSStatus SecKeychainCopyDomainSearchList(SecPreferencesDomain domain, CFArrayRef *searchList)
-{
- BEGIN_SECAPI
-
- RequiredParam(searchList);
- StorageManager &smr = globals().storageManager;
- StorageManager::KeychainList keychainList;
- smr.getSearchList(domain, keychainList);
- *searchList = smr.convertFromKeychainList(keychainList);
-
- END_SECAPI
-}
-
-OSStatus SecKeychainSetDomainSearchList(SecPreferencesDomain domain, CFArrayRef searchList)
-{
- BEGIN_SECAPI
-
- RequiredParam(searchList);
- StorageManager &smr = globals().storageManager;
- StorageManager::KeychainList keychainList;
- smr.convertToKeychainList(searchList, keychainList);
- smr.setSearchList(domain, keychainList);
-
- END_SECAPI
-}
-
-OSStatus SecKeychainSetPreferenceDomain(SecPreferencesDomain domain)
-{
- BEGIN_SECAPI
-
- globals().storageManager.domain(domain);
-
- END_SECAPI
-}
-
-OSStatus SecKeychainGetPreferenceDomain(SecPreferencesDomain *domain)
-{
- BEGIN_SECAPI
-
- *domain = globals().storageManager.domain();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainGetStatus(SecKeychainRef keychainRef, SecKeychainStatus *keychainStatus)
-{
- BEGIN_SECAPI
-
- RequiredParam(keychainStatus) = (SecKeychainStatus)Keychain::optional(keychainRef)->status();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainGetPath(SecKeychainRef keychainRef, UInt32 *ioPathLength, char *pathName)
-{
- BEGIN_SECAPI
-
- RequiredParam(pathName);
- RequiredParam(ioPathLength);
-
- const char *name = Keychain::optional(keychainRef)->name();
- UInt32 nameLen = (UInt32)strlen(name);
- UInt32 callersLen = *ioPathLength;
- *ioPathLength = nameLen;
- if (nameLen+1 > callersLen) // if the client's buffer is too small (including null-termination), throw
- return errSecBufferTooSmall;
- strncpy(pathName, name, nameLen);
- pathName[nameLen] = 0;
- *ioPathLength = nameLen; // set the length.
-
- END_SECAPI
-}
-
-
-// @@@ Deprecated
-UInt16
-SecKeychainListGetCount(void)
-{
- BEGIN_SECAPI
-
- return globals().storageManager.size();
-
- END_SECAPI1(0)
-}
-
-
-// @@@ Deprecated
-OSStatus
-SecKeychainListCopyKeychainAtIndex(UInt16 index, SecKeychainRef *keychainRef)
-{
- BEGIN_SECAPI
-
- KeychainCore::StorageManager &smgr=KeychainCore::globals().storageManager;
- RequiredParam(keychainRef)=smgr[index]->handle();
-
- END_SECAPI
-}
-
-
-// @@@ Deprecated
-OSStatus
-SecKeychainListRemoveKeychain(SecKeychainRef *keychainRef)
-{
- BEGIN_SECAPI
-
- Required(keychainRef);
- Keychain keychain = Keychain::optional(*keychainRef);
- StorageManager::KeychainList keychainList;
- keychainList.push_back(keychain);
- globals().storageManager.remove(keychainList);
- *keychainRef = NULL;
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainAttributeInfoForItemID(SecKeychainRef keychainRef, UInt32 itemID, SecKeychainAttributeInfo **info)
-{
- BEGIN_SECAPI
-
- Keychain keychain = Keychain::optional(keychainRef);
- keychain->getAttributeInfoForItemID(itemID, info);
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainFreeAttributeInfo(SecKeychainAttributeInfo *info)
-{
- BEGIN_SECAPI
-
- KeychainImpl::freeAttributeInfo(info);
-
- END_SECAPI
-}
-
-
-pascal OSStatus
-SecKeychainAddCallback(SecKeychainCallback callbackFunction, SecKeychainEventMask eventMask, void* userContext)
-{
- BEGIN_SECAPI
-
- RequiredParam(callbackFunction);
- CCallbackMgr::AddCallback(callbackFunction,eventMask,userContext);
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainRemoveCallback(SecKeychainCallback callbackFunction)
-{
- BEGIN_SECAPI
-
- RequiredParam(callbackFunction);
- CCallbackMgr::RemoveCallback(callbackFunction);
-
- END_SECAPI
-}
-
-OSStatus
-SecKeychainAddInternetPassword(SecKeychainRef keychainRef, UInt32 serverNameLength, const char *serverName, UInt32 securityDomainLength, const char *securityDomain, UInt32 accountNameLength, const char *accountName, UInt32 pathLength, const char *path, UInt16 port, SecProtocolType protocol, SecAuthenticationType authenticationType, UInt32 passwordLength, const void *passwordData, SecKeychainItemRef *itemRef)
-{
- BEGIN_SECAPI
-
- KCThrowParamErrIf_(passwordLength!=0 && passwordData==NULL);
- // @@@ Get real itemClass
- Item item(kSecInternetPasswordItemClass, 'aapl', passwordLength, passwordData, false);
-
- if (serverName && serverNameLength)
- {
- CssmData server(const_cast<void *>(reinterpret_cast<const void *>(serverName)), serverNameLength);
- item->setAttribute(Schema::attributeInfo(kSecServerItemAttr), server);
- // use server name as default label
- item->setAttribute(Schema::attributeInfo(kSecLabelItemAttr), server);
- }
-
- if (accountName && accountNameLength)
- {
- CssmData account(const_cast<void *>(reinterpret_cast<const void *>(accountName)), accountNameLength);
- item->setAttribute(Schema::attributeInfo(kSecAccountItemAttr), account);
- }
-
- if (securityDomain && securityDomainLength)
- item->setAttribute(Schema::attributeInfo(kSecSecurityDomainItemAttr),
- CssmData(const_cast<void *>(reinterpret_cast<const void *>(securityDomain)), securityDomainLength));
-
- item->setAttribute(Schema::attributeInfo(kSecPortItemAttr), UInt32(port));
- item->setAttribute(Schema::attributeInfo(kSecProtocolItemAttr), protocol);
- item->setAttribute(Schema::attributeInfo(kSecAuthenticationTypeItemAttr), authenticationType);
-
- if (path && pathLength)
- item->setAttribute(Schema::attributeInfo(kSecPathItemAttr),
- CssmData(const_cast<void *>(reinterpret_cast<const void *>(path)), pathLength));
-
- Keychain keychain = nil;
- try
- {
- keychain = Keychain::optional(keychainRef);
- if ( !keychain->exists() )
- {
- MacOSError::throwMe(errSecNoSuchKeychain); // Might be deleted or not available at this time.
- }
- }
- catch(...)
- {
- keychain = globals().storageManager.defaultKeychainUI(item);
- }
-
- keychain->add(item);
-
- if (itemRef)
- *itemRef = item->handle();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainFindInternetPassword(CFTypeRef keychainOrArray, UInt32 serverNameLength, const char *serverName, UInt32 securityDomainLength, const char *securityDomain, UInt32 accountNameLength, const char *accountName, UInt32 pathLength, const char *path, UInt16 port, SecProtocolType protocol, SecAuthenticationType authenticationType, UInt32 *passwordLength, void **passwordData, SecKeychainItemRef *itemRef)
-
-{
- BEGIN_SECAPI
-
- StorageManager::KeychainList keychains;
- globals().storageManager.optionalSearchList(keychainOrArray, keychains);
- KCCursor cursor(keychains, kSecInternetPasswordItemClass, NULL);
-
- if (serverName && serverNameLength)
- {
- cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecServerItemAttr),
- CssmData(const_cast<char *>(serverName), serverNameLength));
- }
-
- if (securityDomain && securityDomainLength)
- {
- cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecSecurityDomainItemAttr),
- CssmData (const_cast<char*>(securityDomain), securityDomainLength));
- }
-
- if (accountName && accountNameLength)
- {
- cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecAccountItemAttr),
- CssmData (const_cast<char*>(accountName), accountNameLength));
- }
-
- if (port)
- {
- cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecPortItemAttr),
- UInt32(port));
- }
-
- if (protocol)
- {
- cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecProtocolItemAttr),
- protocol);
- }
-
- if (authenticationType)
- {
- cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecAuthenticationTypeItemAttr),
- authenticationType);
- }
-
- if (path && pathLength)
- {
- cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecPathItemAttr), path);
- }
-
- Item item;
- if (!cursor->next(item))
- return errSecItemNotFound;
-
- // Get its data (only if necessary)
- if (passwordData || passwordLength)
- {
- CssmDataContainer outData;
- item->getData(outData);
- *passwordLength=(UInt32)outData.length();
- outData.Length=0;
- *passwordData=outData.data();
- outData.Data=NULL;
- }
-
- if (itemRef)
- *itemRef=item->handle();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainAddGenericPassword(SecKeychainRef keychainRef, UInt32 serviceNameLength, const char *serviceName, UInt32 accountNameLength, const char *accountName, UInt32 passwordLength, const void *passwordData, SecKeychainItemRef *itemRef)
-{
- BEGIN_SECAPI
-
- KCThrowParamErrIf_(passwordLength!=0 && passwordData==NULL);
- // @@@ Get real itemClass
-
- Item item(kSecGenericPasswordItemClass, 'aapl', passwordLength, passwordData, false);
-
- if (serviceName && serviceNameLength)
- {
- CssmData service(const_cast<void *>(reinterpret_cast<const void *>(serviceName)), serviceNameLength);
- item->setAttribute(Schema::attributeInfo(kSecServiceItemAttr), service);
- // use service name as default label (UNLESS the service is iTools and we have an account name [3787371])
- const char *iTools = "iTools";
- if (accountNameLength && serviceNameLength==strlen(iTools) && !memcmp(serviceName, iTools, serviceNameLength))
- {
- CssmData account(const_cast<void *>(reinterpret_cast<const void *>(accountName)), accountNameLength);
- item->setAttribute(Schema::attributeInfo(kSecLabelItemAttr), account);
- }
- else
- {
- item->setAttribute(Schema::attributeInfo(kSecLabelItemAttr), service);
- }
- }
-
- if (accountName && accountNameLength)
- {
- CssmData account(const_cast<void *>(reinterpret_cast<const void *>(accountName)), accountNameLength);
- item->setAttribute(Schema::attributeInfo(kSecAccountItemAttr), account);
- }
-
- Keychain keychain = nil;
- try
- {
- keychain = Keychain::optional(keychainRef);
- if ( !keychain->exists() )
- {
- MacOSError::throwMe(errSecNoSuchKeychain); // Might be deleted or not available at this time.
- }
- }
- catch(...)
- {
- keychain = globals().storageManager.defaultKeychainUI(item);
- }
-
- keychain->add(item);
- if (itemRef)
- *itemRef = item->handle();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainFindGenericPassword(CFTypeRef keychainOrArray, UInt32 serviceNameLength, const char *serviceName, UInt32 accountNameLength, const char *accountName, UInt32 *passwordLength, void **passwordData, SecKeychainItemRef *itemRef)
-
-{
- BEGIN_SECAPI
-
- StorageManager::KeychainList keychains;
- globals().storageManager.optionalSearchList(keychainOrArray, keychains);
- KCCursor cursor(keychains, kSecGenericPasswordItemClass, NULL);
-
- if (serviceName && serviceNameLength)
- {
- cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecServiceItemAttr),
- CssmData(const_cast<char *>(serviceName), serviceNameLength));
- }
-
- if (accountName && accountNameLength)
- {
- cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecAccountItemAttr),
- CssmData(const_cast<char *>(accountName), accountNameLength));
- }
-
- Item item;
- if (!cursor->next(item))
- return errSecItemNotFound;
-
- // Get its data (only if necessary)
- if (passwordData || passwordLength)
- {
- CssmDataContainer outData;
- item->getData(outData);
- *passwordLength=(UInt32)outData.length();
- outData.Length=0;
- *passwordData=outData.data();
- outData.Data=NULL;
- }
-
- if (itemRef)
- *itemRef=item->handle();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainSetUserInteractionAllowed(Boolean state)
-{
- BEGIN_SECAPI
-
- globals().setUserInteractionAllowed(state);
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainGetUserInteractionAllowed(Boolean *state)
-{
- BEGIN_SECAPI
-
- Required(state)=globals().getUserInteractionAllowed();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainGetDLDBHandle(SecKeychainRef keychainRef, CSSM_DL_DB_HANDLE *dldbHandle)
-{
- BEGIN_SECAPI
-
- RequiredParam(dldbHandle);
-
- Keychain keychain = Keychain::optional(keychainRef);
- *dldbHandle = keychain->database()->handle();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainGetCSPHandle(SecKeychainRef keychainRef, CSSM_CSP_HANDLE *cspHandle)
-{
- BEGIN_SECAPI
-
- RequiredParam(cspHandle);
-
- Keychain keychain = Keychain::optional(keychainRef);
- *cspHandle = keychain->csp()->handle();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainCopyAccess(SecKeychainRef keychainRef, SecAccessRef *accessRef)
-{
- BEGIN_SECAPI
-
- MacOSError::throwMe(errSecUnimplemented);//%%%for now
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainSetAccess(SecKeychainRef keychainRef, SecAccessRef accessRef)
-{
- BEGIN_SECAPI
-
- MacOSError::throwMe(errSecUnimplemented);//%%%for now
-
- END_SECAPI
-}
-
-
-#pragma mark ---- Private API ----
-
-
-OSStatus
-SecKeychainChangePassword(SecKeychainRef keychainRef, UInt32 oldPasswordLength, const void *oldPassword, UInt32 newPasswordLength, const void *newPassword)
-{
- BEGIN_SECAPI
-
- Keychain keychain = Keychain::optional(keychainRef);
- keychain->changePassphrase (oldPasswordLength, oldPassword, newPasswordLength, newPassword);
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainCopyLogin(SecKeychainRef *keychainRef)
-{
- BEGIN_SECAPI
-
- RequiredParam(keychainRef)=globals().storageManager.loginKeychain()->handle();
-
- END_SECAPI
-}
-
-
-OSStatus
-SecKeychainLogin(UInt32 nameLength, const void* name, UInt32 passwordLength, const void* password)
-{
- BEGIN_SECAPI
-
- try
- {
- if (password) {
- globals().storageManager.login(nameLength, name, passwordLength, password);
- } else {
- globals().storageManager.stashLogin();
- }
- }
- catch (CommonError &e)
- {
- if (e.osStatus() == CSSMERR_DL_OPERATION_AUTH_DENIED)
- {
- return errSecAuthFailed;
- }
- else
- {
- return e.osStatus();
- }
- }
-
- END_SECAPI
-}
-
-OSStatus SecKeychainStash()
-{
- BEGIN_SECAPI
-
- try
- {
- globals().storageManager.stashKeychain();
- }
- catch (CommonError &e)
- {
- if (e.osStatus() == CSSMERR_DL_OPERATION_AUTH_DENIED)
- {
- return errSecAuthFailed;
- }
- else
- {
- return e.osStatus();
- }
- }
-
- END_SECAPI
-}
-
-OSStatus
-SecKeychainLogout()
-{
- BEGIN_SECAPI
-
- globals().storageManager.logout();
-
- END_SECAPI
-}
-
-/* (non-exported C utility routine) 'Makes' a keychain based on a full path
-*/
-static Keychain make(const char *name)
-{
- return globals().storageManager.make(name);
-}
-
-/* 'Makes' a keychain based on a full path for legacy "KC" CoreServices APIs.
- Note this version doesn't take an accessRef or password.
- The "KC" create API takes a keychainRef...
-*/
-OSStatus SecKeychainMakeFromFullPath(const char *fullPathName, SecKeychainRef *keychainRef)
-{
- BEGIN_SECAPI
- RequiredParam(fullPathName);
- RequiredParam(keychainRef)=make(fullPathName)->handle();
- END_SECAPI
-}
-
-
-/* Determines if the keychainRef is a valid keychain.
-*/
-OSStatus SecKeychainIsValid(SecKeychainRef keychainRef, Boolean* isValid)
-{
- BEGIN_SECAPI
- *isValid = false;
- if (KeychainImpl::optional(keychainRef)->dlDbIdentifier().ssuid().guid() == gGuidAppleCSPDL)
- *isValid = true;
- END_SECAPI
-}
-
-/* Removes a keychain from the keychain search list for legacy "KC" CoreServices APIs.
-*/
-OSStatus SecKeychainRemoveFromSearchList(SecKeychainRef keychainRef)
-{
- BEGIN_SECAPI
- StorageManager::KeychainList singleton;
- singleton.push_back(KeychainImpl::required(keychainRef));
- globals().storageManager.remove(singleton);
- END_SECAPI
-}
-
-/* Create a keychain based on a keychain Ref for legacy "KC" CoreServices APIs.
-*/
-OSStatus SecKeychainCreateNew(SecKeychainRef keychainRef, UInt32 passwordLength, const char* inPassword)
-{
- BEGIN_SECAPI
- RequiredParam(inPassword);
- KeychainImpl::required(keychainRef)->create(passwordLength, inPassword);
- END_SECAPI
-}
-
-/* Modify a keychain so that it can be synchronized.
-*/
-OSStatus SecKeychainRecodeKeychain(SecKeychainRef keychainRef, CFArrayRef dbBlobArray, CFDataRef extraData)
-{
- BEGIN_SECAPI
-
- // do error checking for required parameters
- RequiredParam(dbBlobArray);
- RequiredParam(extraData);
-
- const CssmData extraCssmData(const_cast<UInt8 *>(CFDataGetBytePtr(extraData)),
- CFDataGetLength(extraData));
-
- CFIndex dbBlobArrayCount = CFArrayGetCount(dbBlobArray);
- size_t space = sizeof(uint8) + (dbBlobArrayCount * sizeof(SecurityServer::DbHandle));
- void *dataPtr = (void*)malloc(space);
- if ( !dataPtr )
- return errSecAllocate;
- //
- // Get a DbHandle(IPCDbHandle) from securityd for each blob in the array that we'll authenticate with.
- //
- uint8* sizePtr = (uint8*)dataPtr;
- *sizePtr = dbBlobArrayCount;
- SecurityServer::DbHandle *currDbHandle = (SecurityServer::DbHandle *)(sizePtr+1);
- CFIndex index;
- SecurityServer::ClientSession ss(Allocator::standard(), Allocator::standard());
- for (index=0; index < dbBlobArrayCount; index++)
- {
- CFDataRef cfBlobData = (CFDataRef)CFArrayGetValueAtIndex(dbBlobArray, index);
- const CssmData thisKCData(const_cast<UInt8 *>(CFDataGetBytePtr(cfBlobData)), CFDataGetLength(cfBlobData));
- //
- // Since it's to a DbHandle that's not on our disk (it came from user's iDisk),
- // it's OK to use the mIdentifier and access credentials of the keychain we're recoding.
- //
- Keychain kc = KeychainImpl::required(keychainRef);
- *currDbHandle = ss.decodeDb(kc->dlDbIdentifier(), kc->defaultCredentials(), thisKCData); /* returns a DbHandle (IPCDbHandle) */
-
- currDbHandle++;
- }
- // do the work
- Keychain keychain = Keychain::optional(keychainRef);
- const CssmData data(const_cast<UInt8 *>((uint8*)dataPtr), space);
- Boolean recodeFailed = false;
-
- int errCode=errSecSuccess;
-
- try
- {
- keychain->recode(data, extraCssmData);
- }
- catch (MacOSError e)
- {
- errCode = e.osStatus();
- recodeFailed = true;
- }
- catch (UnixError ue)
- {
- errCode = ue.unixError();
- }
-
- currDbHandle = (SecurityServer::DbHandle *)(sizePtr+1);
- for (index=0; index < dbBlobArrayCount; index++)
- {
- ss.releaseDb(*currDbHandle);
- currDbHandle++;
- }
- if ( dataPtr )
- free(dataPtr);
-
- if ( recodeFailed )
- {
- return errCode;
- }
-
- END_SECAPI
-}
-
-OSStatus SecKeychainCopySignature(SecKeychainRef keychainRef, CFDataRef *keychainSignature)
-{
- BEGIN_SECAPI
-
- // do error checking for required parameters
- RequiredParam(keychainSignature);
-
- // make a keychain object "wrapper" for this keychain ref
- Keychain keychain = Keychain::optional(keychainRef);
- CssmAutoData data(keychain->database()->allocator());
- keychain->copyBlob(data.get());
-
- // get the cssmDBBlob
- const SecurityServer::DbBlob *cssmDBBlob =
- data.get().interpretedAs<const SecurityServer::DbBlob>();
-
- // convert from CDSA standards to CF standards
- *keychainSignature = CFDataCreate(kCFAllocatorDefault,
- cssmDBBlob->randomSignature.bytes,
- sizeof(SecurityServer::DbBlob::Signature));
-
- END_SECAPI
-}
-
-OSStatus SecKeychainCopyBlob(SecKeychainRef keychainRef, CFDataRef *dbBlob)
-{
- BEGIN_SECAPI
-
- // do error checking for required parameters
- RequiredParam(dbBlob);
-
- // make a keychain object "wrapper" for this keychain ref
- Keychain keychain = Keychain::optional(keychainRef);
- CssmAutoData data(keychain->database()->allocator());
- keychain->copyBlob(data.get());
-
- // convert from CDSA standards to CF standards
- *dbBlob = CFDataCreate(kCFAllocatorDefault, data, data.length());
-
- END_SECAPI
-}
-
-// make a new keychain with pre-existing secrets
-OSStatus SecKeychainCreateWithBlob(const char* fullPathName, CFDataRef dbBlob, SecKeychainRef *kcRef)
-{
- BEGIN_SECAPI
-
- KCThrowParamErrIf_(!fullPathName);
- KCThrowParamErrIf_(!dbBlob);
-
- Keychain keychain = globals().storageManager.make(fullPathName);
-
- CssmData blob(const_cast<unsigned char *>(CFDataGetBytePtr(dbBlob)), CFDataGetLength(dbBlob));
-
- // @@@ the call to StorageManager::make above leaves keychain the the cache.
- // If the create below fails we should probably remove it.
- keychain->createWithBlob(blob);
-
- RequiredParam(kcRef)=keychain->handle();
-
- //
-
- END_SECAPI
-}
-
-// add a non-file based DB to the keychain list
-OSStatus SecKeychainAddDBToKeychainList (SecPreferencesDomain domain, const char* dbName,
- const CSSM_GUID *guid, uint32 subServiceType)
-{
- BEGIN_SECAPI
-
- RequiredParam(dbName);
- StorageManager &smr = globals().storageManager;
- smr.addToDomainList(domain, dbName, *guid, subServiceType);
-
- END_SECAPI
-}
-
-// determine if a non-file based DB is in the keychain list
-OSStatus SecKeychainDBIsInKeychainList (SecPreferencesDomain domain, const char* dbName,
- const CSSM_GUID *guid, uint32 subServiceType)
-{
- BEGIN_SECAPI
- RequiredParam(dbName);
- StorageManager &smr = globals().storageManager;
- smr.isInDomainList(domain, dbName, *guid, subServiceType);
- END_SECAPI
-}
-
-// remove a non-file based DB from the keychain list
-OSStatus SecKeychainRemoveDBFromKeychainList (SecPreferencesDomain domain, const char* dbName,
- const CSSM_GUID *guid, uint32 subServiceType)
-{
- BEGIN_SECAPI
- RequiredParam(dbName);
- StorageManager &smr = globals().storageManager;
- smr.removeFromDomainList(domain, dbName, *guid, subServiceType);
- END_SECAPI
-}
-
-
-// set server mode -- must be called before any other Sec* etc. call
-void SecKeychainSetServerMode()
-{
- gServerMode = true;
-}
-
-
-
-OSStatus SecKeychainSetBatchMode (SecKeychainRef kcRef, Boolean mode, Boolean rollback)
-{
- BEGIN_SECAPI
- RequiredParam(kcRef);
- Keychain keychain = Keychain::optional(kcRef);
- keychain->setBatchMode(mode, rollback);
- END_SECAPI
-}
-
-
-
-OSStatus SecKeychainCleanupHandles()
-{
- BEGIN_SECAPI
- END_SECAPI // which causes the handle cache cleanup routine to run
-}
-
-OSStatus SecKeychainVerifyKeyStorePassphrase(uint32_t retries)
-{
- BEGIN_SECAPI
- SecurityServer::ClientSession().verifyKeyStorePassphrase(retries);
- END_SECAPI
-}
-
-OSStatus SecKeychainChangeKeyStorePassphrase()
-{
- BEGIN_SECAPI
- SecurityServer::ClientSession().changeKeyStorePassphrase();
- END_SECAPI
-}
-
-static OSStatus SecKeychainGetMasterKey(SecKeychainRef userKeychainRef, CFDataRef *masterKey, CFStringRef password)
-{
- BEGIN_SECAPI
-
- // make a keychain object "wrapper" for this keychain ref
- Keychain keychain = Keychain::optional(userKeychainRef);
-
- CssmClient::Db db = keychain->database();
-
- // create the keychain, using appropriate credentials
- Allocator &alloc = db->allocator();
- AutoCredentials cred(alloc); // will leak, but we're quitting soon :-)
-
- char passphrase[1024];
- CFStringGetCString(password, passphrase, sizeof(passphrase), kCFStringEncodingUTF8);
-
- // use this passphrase
- cred += TypedList(alloc, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
- new(alloc) ListElement(CSSM_SAMPLE_TYPE_PASSWORD),
- new(alloc) ListElement(StringData(passphrase)));
- db->accessCredentials(&cred);
-
- CSSM_DL_DB_HANDLE dlDb = db->handle();
- CssmData dlDbData = CssmData::wrap(dlDb);
- CssmKey refKey;
- KeySpec spec(CSSM_KEYUSE_ANY,
- CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE);
-
- DeriveKey derive(keychain->csp(), CSSM_ALGID_KEYCHAIN_KEY, CSSM_ALGID_3DES_3KEY, 3 * 64);
- derive(&dlDbData, spec, refKey);
-
- // now extract the raw keybits
- CssmKey rawKey;
- WrapKey wrap(keychain->csp(), CSSM_ALGID_NONE);
- wrap(refKey, rawKey);
-
- *masterKey = CFDataCreate(kCFAllocatorDefault, rawKey.keyData(), rawKey.length());
-
- END_SECAPI
-}
-
-
-OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRef systemKeychainRef, CFStringRef username, CFStringRef password) {
- SecTrustedApplicationRef itemPath;
- SecAccessRef ourAccessRef = NULL;
-
- OSStatus result = errSecParam;
-
- CFDataRef masterKey = NULL;
- result = SecKeychainGetMasterKey(userKeychainRef, &masterKey, password);
- if (errSecSuccess != result) {
- return result;
- }
-
- result = SecKeychainStash();
- if (errSecSuccess != result) {
- if (NULL != masterKey) CFRelease(masterKey);
- return result;
- }
-
- CFMutableArrayRef trustedApplications = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
- if ( noErr == SecTrustedApplicationCreateApplicationGroup("com.apple.security.auto-login", NULL, &itemPath) && itemPath )
- CFArrayAppendValue(trustedApplications, itemPath);
-
- if ( trustedApplications && (CFArrayGetCount(trustedApplications) > 0)) {
- if (errSecSuccess == (result = SecAccessCreate(CFSTR("Auto-Login applications"), trustedApplications, &ourAccessRef))) {
- if (NULL == systemKeychainRef) {
- SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, &systemKeychainRef);
- }
-
- const void *queryKeys[] = { kSecClass,
- kSecAttrService,
- kSecAttrAccount,
- kSecUseKeychain,
- };
- const void *queryValues[] = { kSecClassGenericPassword,
- CFSTR("com.apple.loginwindow.auto-login"),
- username,
- systemKeychainRef,
- };
-
- const void *updateKeys[] = { kSecAttrAccess,
- kSecValueData,
- };
- const void *updateValues[] = { ourAccessRef,
- masterKey,
- };
-
- CFDictionaryRef query = CFDictionaryCreate(kCFAllocatorDefault, queryKeys, queryValues, sizeof(queryValues)/sizeof(*queryValues), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- CFDictionaryRef update = CFDictionaryCreate(kCFAllocatorDefault, updateKeys, updateValues, sizeof(updateValues)/sizeof(*updateValues), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-
- result = SecItemUpdate(query, update);
-
- if (errSecSuccess != result) {
- const void *addKeys[] = { kSecClass,
- kSecAttrService,
- kSecAttrAccount,
- kSecUseKeychain,
- kSecAttrAccess,
- kSecValueData,
- };
- const void *addValues[] = { kSecClassGenericPassword,
- CFSTR("com.apple.loginwindow.auto-login"),
- username,
- systemKeychainRef,
- ourAccessRef,
- masterKey,
- };
-
- CFDictionaryRef add = CFDictionaryCreate(kCFAllocatorDefault, addKeys, addValues, sizeof(addValues)/sizeof(*addValues), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- result = SecItemAdd(add, NULL);
- if (NULL != add) CFRelease(add);
- }
-
- if (NULL != query) CFRelease(query);
- if (NULL != update) CFRelease(update);
- }
- }
-
- if (NULL != masterKey) CFRelease(masterKey);
- if (NULL != trustedApplications) CFRelease(trustedApplications);
- if (NULL != ourAccessRef) CFRelease(ourAccessRef);
- if (NULL != systemKeychainRef) CFRelease(systemKeychainRef);
-
- return result;
-}
projects / apple / security.git / blobdiff