+++ /dev/null
-/*
- * Copyright (c) 2004,2011-2012,2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-//
-// defaultcreds - default computations for keychain open credentials
-//
-#include "Keychains.h"
-#include "defaultcreds.h"
-#include "StorageManager.h"
-#include "Globals.h"
-#include "KCCursor.h"
-#include <security_cdsa_utilities/Schema.h>
-#include <algorithm>
-
-
-namespace Security {
-namespace KeychainCore {
-
-using namespace CssmClient;
-
-
-DefaultCredentials::DefaultCredentials(KeychainImpl* kcImpl, Allocator &alloc)
- : TrackingAllocator(alloc), AutoCredentials(static_cast<TrackingAllocator&>(*this)),
- mMade(false), mKeychainImpl (kcImpl)
-{
-}
-
-
-void DefaultCredentials::clear()
-{
- TrackingAllocator::reset();
- mNeededItems.clear();
- mMade = false;
-}
-
-
-//
-// The main driver.
-// This scans a database for referral records and forms corresponding
-// credentials to trigger unlocks.
-// Returns true if any valid unlock credentials were found; false otherwise.
-// Only throws if the database is messed up.
-//
-bool DefaultCredentials::operator () (Db database)
-{
- if (!mMade) {
- try {
- // before we do anything else, see if we have a relation in the database of the appropriate type
- KeychainSchema keychainSchema = mKeychainImpl->keychainSchema();
- if (keychainSchema->hasRecordType(UnlockReferralRecord::recordType))
- {
- clear();
- Table<UnlockReferralRecord> referrals(database);
- for (Table<UnlockReferralRecord>::iterator it = referrals.begin(); it != referrals.end(); it++) {
- switch ((*it)->type()) {
- case CSSM_APPLE_UNLOCK_TYPE_KEY_DIRECT:
- case CSSM_APPLE_UNLOCK_TYPE_WRAPPED_PRIVATE:
- keyReferral(**it);
- break;
- default:
- secdebug("kcreferral", "referral type %lu (to %s) not supported",
- (unsigned long)(*it)->type(), (*it)->dbName().c_str());
- break;
- }
- }
- }
- secdebug("kcreferral", "%lu samples generated", (unsigned long)size());
- } catch (...) {
- secdebug("kcreferral", "exception setting default credentials for %s; using standard value", database->name());
- }
- mMade = true;
- }
-
- return size() > 0; // got credentials?
-}
-
-
-//
-// Process a single referral record. This will handle all known types
-// of referrals.
-//
-void DefaultCredentials::keyReferral(const UnlockReferralRecord &ref)
-{
- secdebug("kcreferral", "processing type %ld referral to %s",
- (long)ref.type(), ref.dbName().c_str());
- DLDbIdentifier identifier(ref.dbName().c_str(), ref.dbGuid(), ref.dbSSID(), ref.dbSSType());
-
- // first, try the keychain indicated
- try {
- KeychainList list;
- list.push_back(globals().storageManager.keychain(identifier));
- if (unlockKey(ref, list)) // try just this database...
- return; // ... bingo!
- } catch (...) { }
-
- // try the entire search list (just in case)
- try {
- secdebug("kcreferral", "no joy with %s; trying the entire keychain list for guid %s",
- ref.dbName().c_str(), ref.dbGuid().toString().c_str());
- unlockKey(ref, fallbackSearchList(identifier));
- return;
- } catch (...) { }
- secdebug("kcreferral", "no luck at all; we'll skip this record");
-}
-
-
-bool DefaultCredentials::unlockKey(const UnlockReferralRecord &ref, const KeychainList &list)
-{
- bool foundSome = false;
- try {
- // form the query
- SecKeychainAttribute attributes[1] = {
- { kSecKeyLabel, (UInt32)ref.keyLabel().length(), ref.keyLabel().data() }
- };
- SecKeychainAttributeList search = { 1, attributes };
- CSSM_DB_RECORDTYPE recordType =
- (ref.type() == CSSM_APPLE_UNLOCK_TYPE_KEY_DIRECT) ?
- CSSM_DL_DB_RECORD_SYMMETRIC_KEY : CSSM_DL_DB_RECORD_PRIVATE_KEY;
- KCCursor cursor(list, recordType, &search);
-
- Item keyItem;
- while (cursor->next(keyItem)) {
- secdebug("kcreferral", "located source key in %s", keyItem->keychain()->name());
-
- // get a reference to the key in the provider keychain
- CssmClient::Key key = dynamic_cast<KeyItem &>(*keyItem).key();
- const CssmKey &masterKey = key;
-
- // get the CSP handle FOR THE UNLOCKING KEY'S KEYCHAIN
- CSSM_CSP_HANDLE cspHandle = key->csp()->handle();
-
- // (a)symmetric-key form: KCLOCK, (A)SYMMETRIC_KEY, cspHandle, masterKey
- // Note that the last list element ("ref") is doing an implicit cast to a
- // CssmData, which passes the data portion of the UnlockReferralRecord
- append(TypedList(allocator, CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK,
- new(allocator) ListElement((recordType==CSSM_DL_DB_RECORD_SYMMETRIC_KEY)?
- CSSM_WORDID_SYMMETRIC_KEY:CSSM_WORDID_ASYMMETRIC_KEY),
- new(allocator) ListElement(allocator, CssmData::wrap(cspHandle)),
- new(allocator) ListElement(allocator, CssmData::wrap(masterKey)),
- new(allocator) ListElement(allocator, ref.get())
- ));
-
- // let's make sure everything we need stays around
- mNeededItems.insert(keyItem);
- foundSome = true;
- }
- } catch (...) {
- // (ignore it)
- }
- return foundSome;
-}
-
-
-//
-// Take the official keychain search list, and return those keychains whose
-// module Guid matches the one given. Essentially, this focuses the search list
-// to a particular type of keychain.
-//
-struct NotGuid {
- NotGuid(const Guid &g) : guid(g) { }
- const Guid &guid;
- bool operator () (Keychain kc) { return kc->database()->dl()->guid() != guid; }
-};
-
-DefaultCredentials::KeychainList DefaultCredentials::fallbackSearchList(const DLDbIdentifier &ident)
-{
- KeychainList list;
- globals().storageManager.getSearchList(list);
- list.erase(remove_if(list.begin(), list.end(), NotGuid(ident.ssuid().guid())), list.end());
- return list;
-}
-
-
-} // namespace KeychainCore
-} // namespace Security
projects / apple / security.git / blobdiff