+/*
+ * Copyright (c) 2000-2008,2011-2013 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+//
+// ssclient - SecurityServer client interface library
+//
+// This interface is private to the Security system. It is not a public interface,
+// and it may change at any time. You have been warned.
+//
+#ifndef _H_SSCLIENT
+#define _H_SSCLIENT
+
+#include "sscommon.h"
+#include <Security/Authorization.h>
+#include <Security/AuthSession.h>
+#include <Security/SecCodeHost.h>
+
+#ifdef __cplusplus
+
+#include <security_utilities/osxcode.h>
+#include <security_utilities/unix++.h>
+#include <security_utilities/globalizer.h>
+#include <security_cdsa_utilities/cssmerrors.h>
+#include "ssnotify.h"
+
+
+namespace Security {
+namespace SecurityServer {
+
+#endif //__cplusplus
+
+
+//
+// Unique-identifier blobs for key objects
+//
+typedef struct KeyUID {
+ uint8 signature[20];
+} KeyUID;
+
+
+//
+// Maximum length of hash (digest) arguments (bytes)
+//
+#define maxUcspHashLength 64
+
+
+//
+// Authorization blobs
+//
+typedef struct AuthorizationBlob {
+ uint32 data[2];
+
+#ifdef __cplusplus
+ bool operator < (const AuthorizationBlob &other) const
+ { return memcmp(data, other.data, sizeof(data)) < 0; }
+
+ bool operator == (const AuthorizationBlob &other) const
+ { return memcmp(data, other.data, sizeof(data)) == 0; }
+
+ size_t hash() const { //@@@ revisit this hash
+ return data[0] ^ data[1] << 3;
+ }
+#endif
+} AuthorizationBlob;
+
+
+//
+// Initial-setup data for versioning etc.
+//
+typedef struct {
+ uint32_t order;
+ uint32_t version;
+} ClientSetupInfo;
+
+#define SSPROTOVERSION 20000
+
+
+//
+// Database parameter structure
+//
+typedef struct {
+ uint32_t idleTimeout; // seconds idle timout lock
+ uint8_t lockOnSleep; // lock keychain when system sleeps
+} DBParameters;
+
+
+#ifdef __cplusplus
+
+
+//
+// A client connection (session)
+//
+class ClientSession : public ClientCommon {
+public:
+ ClientSession(Allocator &standard = Allocator::standard(),
+ Allocator &returning = Allocator::standard());
+ virtual ~ClientSession();
+
+public:
+ void activate();
+ void reset();
+
+public:
+ // use this only if you know what you're doing...
+ void contactName(const char *name);
+ const char *contactName() const;
+
+ static GenericHandle toIPCHandle(CSSM_HANDLE h) {
+ // implementation subject to change
+ if (h & (CSSM_HANDLE(~0) ^ GenericHandle(~0)))
+ CssmError::throwMe(CSSM_ERRCODE_INVALID_CONTEXT_HANDLE);
+ return h & GenericHandle(~0);
+ }
+
+
+public:
+ //
+ // common database interface
+ //
+ void authenticateDb(DbHandle db, CSSM_DB_ACCESS_TYPE type, const AccessCredentials *cred);
+ void releaseDb(DbHandle db);
+
+ //
+ // External database interface
+ //
+ DbHandle openToken(uint32 ssid, const AccessCredentials *cred, const char *name = NULL);
+
+ RecordHandle insertRecord(DbHandle db,
+ CSSM_DB_RECORDTYPE recordType,
+ const CssmDbRecordAttributeData *attributes,
+ const CssmData *data);
+ void deleteRecord(DbHandle db, RecordHandle record);
+ void modifyRecord(DbHandle db, RecordHandle &record,
+ CSSM_DB_RECORDTYPE recordType,
+ const CssmDbRecordAttributeData *attributesToBeModified,
+ const CssmData *dataToBeModified,
+ CSSM_DB_MODIFY_MODE modifyMode);
+
+ RecordHandle findFirst(DbHandle db,
+ const CssmQuery &query,
+ SearchHandle &outSearchHandle,
+ CssmDbRecordAttributeData *inOutAttributes,
+ CssmData *outData, KeyHandle &key);
+ RecordHandle findNext(SearchHandle searchHandle,
+ CssmDbRecordAttributeData *inOutAttributes,
+ CssmData *inOutData, KeyHandle &key);
+ void findRecordHandle(RecordHandle record,
+ CssmDbRecordAttributeData *inOutAttributes,
+ CssmData *inOutData, KeyHandle &key);
+ void releaseSearch(SearchHandle searchHandle);
+ void releaseRecord(RecordHandle record);
+
+ void getDbName(DbHandle db, std::string &name);
+ void setDbName(DbHandle db, const std::string &name);
+
+ //
+ // Internal database interface
+ //
+ DbHandle createDb(const DLDbIdentifier &dbId,
+ const AccessCredentials *cred, const AclEntryInput *owner,
+ const DBParameters ¶ms);
+ DbHandle cloneDbForSync(const CssmData &secretsBlob, DbHandle srcDb,
+ const CssmData &agentData);
+ DbHandle recodeDbForSync(DbHandle dbToClone, DbHandle srcDb);
+ DbHandle authenticateDbsForSync(const CssmData &dbHandleArray, const CssmData &agentData);
+ void commitDbForSync(DbHandle srcDb, DbHandle cloneDb, CssmData &blob, Allocator &alloc);
+ DbHandle decodeDb(const DLDbIdentifier &dbId,
+ const AccessCredentials *cred, const CssmData &blob);
+ void encodeDb(DbHandle db, CssmData &blob, Allocator &alloc);
+ void encodeDb(DbHandle db, CssmData &blob) { return encodeDb(db, blob, returnAllocator); }
+ void setDbParameters(DbHandle db, const DBParameters ¶ms);
+ void getDbParameters(DbHandle db, DBParameters ¶ms);
+ void changePassphrase(DbHandle db, const AccessCredentials *cred);
+ void lock(DbHandle db);
+ void lockAll(bool forSleep);
+ void unlock(DbHandle db);
+ void unlock(DbHandle db, const CssmData &passPhrase);
+ void stashDb(DbHandle db);
+ void stashDbCheck(DbHandle db);
+ bool isLocked(DbHandle db);
+ void verifyKeyStorePassphrase(uint32_t retries);
+ void resetKeyStorePassphrase(const CssmData &passphrase);
+ void changeKeyStorePassphrase();
+
+public:
+ //
+ // Key objects
+ //
+ void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid, Allocator &alloc);
+ void encodeKey(KeyHandle key, CssmData &blob, KeyUID *uid = NULL)
+ { return encodeKey(key, blob, uid, returnAllocator); }
+ KeyHandle decodeKey(DbHandle db, const CssmData &blob, CssmKey::Header &header);
+ void recodeKey(DbHandle oldDb, KeyHandle key, DbHandle newDb, CssmData &blob);
+ void releaseKey(KeyHandle key);
+
+ CssmKeySize queryKeySizeInBits(KeyHandle key);
+ uint32 getOutputSize(const Security::Context &context, KeyHandle key,
+ uint32 inputSize, bool encrypt = true);
+
+ void getKeyDigest(KeyHandle key, CssmData &digest, Allocator &alloc);
+ void getKeyDigest(KeyHandle key, CssmData &digest)
+ { return getKeyDigest(key, digest, returnAllocator); }
+
+
+ // key wrapping and unwrapping
+ void wrapKey(const Security::Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
+ const AccessCredentials *cred,
+ const CssmData *descriptiveData, CssmWrappedKey &wrappedKey, Allocator &alloc);
+ void wrapKey(const Security::Context &context, KeyHandle key, KeyHandle keyToBeWrapped,
+ const AccessCredentials *cred,
+ const CssmData *descriptiveData, CssmWrappedKey &wrappedKey)
+ { return wrapKey(context, key, keyToBeWrapped, cred,
+ descriptiveData, wrappedKey, returnAllocator); }
+
+ void unwrapKey(DbHandle db, const Security::Context &context, KeyHandle key, KeyHandle publicKey,
+ const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
+ const AccessCredentials *cred, const AclEntryInput *owner,
+ CssmData &data, KeyHandle &newKey, CssmKey::Header &newKeyHeader, Allocator &alloc);
+ void unwrapKey(DbHandle db, const Security::Context &context, KeyHandle key, KeyHandle publicKey,
+ const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
+ const AccessCredentials *cred, const AclEntryInput *owner, CssmData &data,
+ KeyHandle &newKey, CssmKey::Header &newKeyHeader)
+ { return unwrapKey(db, context, key, publicKey, wrappedKey, keyUsage, keyAttr,
+ cred, owner, data, newKey, newKeyHeader, returnAllocator); }
+
+ // key generation and derivation
+ void generateKey(DbHandle db, const Security::Context &context, uint32 keyUsage, uint32 keyAttr,
+ const AccessCredentials *cred, const AclEntryInput *owner,
+ KeyHandle &newKey, CssmKey::Header &newHeader);
+ void generateKey(DbHandle db, const Security::Context &context,
+ uint32 pubKeyUsage, uint32 pubKeyAttr,
+ uint32 privKeyUsage, uint32 privKeyAttr,
+ const AccessCredentials *cred, const AclEntryInput *owner,
+ KeyHandle &pubKey, CssmKey::Header &pubHeader,
+ KeyHandle &privKey, CssmKey::Header &privHeader);
+ void deriveKey(DbHandle db, const Security::Context &context, KeyHandle baseKey,
+ uint32 keyUsage, uint32 keyAttr, CssmData ¶m,
+ const AccessCredentials *cred, const AclEntryInput *owner,
+ KeyHandle &newKey, CssmKey::Header &newHeader, Allocator &alloc);
+ void deriveKey(DbHandle db, const Security::Context &context, KeyHandle baseKey,
+ uint32 keyUsage, uint32 keyAttr, CssmData ¶m,
+ const AccessCredentials *cred, const AclEntryInput *owner,
+ KeyHandle &newKey, CssmKey::Header &newHeader)
+ { return deriveKey(db, context, baseKey, keyUsage, keyAttr, param, cred, owner, newKey, newHeader, returnAllocator); }
+ //void generateAlgorithmParameters(); // not implemented
+
+ void generateRandom(const Security::Context &context, CssmData &data, Allocator &alloc);
+ void generateRandom(const Security::Context &context, CssmData &data)
+ { return generateRandom(context, data, returnAllocator); }
+
+ // encrypt/decrypt
+ void encrypt(const Security::Context &context, KeyHandle key,
+ const CssmData &in, CssmData &out, Allocator &alloc);
+ void encrypt(const Security::Context &context, KeyHandle key, const CssmData &in, CssmData &out)
+ { return encrypt(context, key, in, out, returnAllocator); }
+ void decrypt(const Security::Context &context, KeyHandle key,
+ const CssmData &in, CssmData &out, Allocator &alloc);
+ void decrypt(const Security::Context &context, KeyHandle key, const CssmData &in, CssmData &out)
+ { return decrypt(context, key, in, out, returnAllocator); }
+
+ // signatures
+ void generateSignature(const Security::Context &context, KeyHandle key,
+ const CssmData &data, CssmData &signature, Allocator &alloc,
+ CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE);
+ void generateSignature(const Security::Context &context, KeyHandle key,
+ const CssmData &data, CssmData &signature, CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE)
+ { return generateSignature(context, key, data, signature, returnAllocator, signOnlyAlgorithm); }
+ void verifySignature(const Security::Context &context, KeyHandle key,
+ const CssmData &data, const CssmData &signature,
+ CSSM_ALGORITHMS verifyOnlyAlgorithm = CSSM_ALGID_NONE);
+
+ // MACs
+ void generateMac(const Security::Context &context, KeyHandle key,
+ const CssmData &data, CssmData &mac, Allocator &alloc);
+ void generateMac(const Security::Context &context, KeyHandle key,
+ const CssmData &data, CssmData &mac)
+ { return generateMac(context, key, data, mac, returnAllocator); }
+ void verifyMac(const Security::Context &context, KeyHandle key,
+ const CssmData &data, const CssmData &mac);
+
+ // key ACL management
+ void getKeyAcl(KeyHandle key, const char *tag,
+ uint32 &count, AclEntryInfo * &info, Allocator &alloc);
+ void getKeyAcl(KeyHandle key, const char *tag,
+ uint32 &count, AclEntryInfo * &info)
+ { return getKeyAcl(key, tag, count, info, returnAllocator); }
+ void changeKeyAcl(KeyHandle key, const AccessCredentials &cred, const AclEdit &edit);
+ void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner, Allocator &alloc);
+ void getKeyOwner(KeyHandle key, AclOwnerPrototype &owner)
+ { return getKeyOwner(key, owner, returnAllocator); }
+ void changeKeyOwner(KeyHandle key, const AccessCredentials &cred,
+ const AclOwnerPrototype &edit);
+
+ // database ACL management
+ void getDbAcl(DbHandle db, const char *tag,
+ uint32 &count, AclEntryInfo * &info, Allocator &alloc);
+ void getDbAcl(DbHandle db, const char *tag,
+ uint32 &count, AclEntryInfo * &info)
+ { return getDbAcl(db, tag, count, info, returnAllocator); }
+ void changeDbAcl(DbHandle db, const AccessCredentials &cred, const AclEdit &edit);
+ void getDbOwner(DbHandle db, AclOwnerPrototype &owner, Allocator &alloc);
+ void getDbOwner(DbHandle db, AclOwnerPrototype &owner)
+ { return getDbOwner(db, owner, returnAllocator); }
+ void changeDbOwner(DbHandle db, const AccessCredentials &cred,
+ const AclOwnerPrototype &edit);
+
+ // database key manipulations
+ void extractMasterKey(DbHandle db, const Context &context, DbHandle sourceDb,
+ uint32 keyUsage, uint32 keyAttr,
+ const AccessCredentials *cred, const AclEntryInput *owner,
+ KeyHandle &newKey, CssmKey::Header &newHeader, Allocator &alloc);
+ void extractMasterKey(DbHandle db, const Context &context, DbHandle sourceDb,
+ uint32 keyUsage, uint32 keyAttr,
+ const AccessCredentials *cred, const AclEntryInput *owner,
+ KeyHandle &newKey, CssmKey::Header &newHeader)
+ { return extractMasterKey(db, context, sourceDb, keyUsage, keyAttr, cred, owner,
+ newKey, newHeader, returnAllocator); }
+
+public:
+ // Authorization API support
+ void authCreate(const AuthorizationItemSet *rights, const AuthorizationItemSet *environment,
+ AuthorizationFlags flags,AuthorizationBlob &result);
+ void authRelease(const AuthorizationBlob &auth, AuthorizationFlags flags);
+ void authCopyRights(const AuthorizationBlob &auth,
+ const AuthorizationItemSet *rights, const AuthorizationItemSet *environment,
+ AuthorizationFlags flags, AuthorizationItemSet **result);
+ void authCopyInfo(const AuthorizationBlob &auth, const char *tag, AuthorizationItemSet * &info);
+ void authExternalize(const AuthorizationBlob &auth, AuthorizationExternalForm &extForm);
+ void authInternalize(const AuthorizationExternalForm &extForm, AuthorizationBlob &auth);
+
+public:
+ // Session API support
+ void setSessionUserPrefs(SecuritySessionId sessionId, uint32_t userPreferencesLength, const void *userPreferences);
+
+public:
+ // Notification core support
+ void postNotification(NotificationDomain domain, NotificationEvent event, const CssmData &data);
+
+ // low-level callback (C form)
+ typedef OSStatus ConsumeNotification(NotificationDomain domain, NotificationEvent event,
+ const void *data, size_t dataLength, void *context);
+
+public:
+ // AuthorizationDB API
+ void authorizationdbGet(const AuthorizationString rightname, CssmData &rightDefinition, Allocator &alloc);
+ void authorizationdbSet(const AuthorizationBlob &auth, const AuthorizationString rightname, uint32_t rightdefinitionLength, const void *rightdefinition);
+ void authorizationdbRemove(const AuthorizationBlob &auth, const AuthorizationString rightname);
+
+public:
+ // securityd helper support
+ void childCheckIn(Port serverPort, Port taskPort);
+
+public:
+ // miscellaneous administrative calls
+ void addCodeEquivalence(const CssmData &oldCode, const CssmData &newCode,
+ const char *name, bool forSystem = false);
+ void removeCodeEquivalence(const CssmData &code, const char *name, bool forSystem = false);
+ void setAlternateSystemRoot(const char *path);
+
+public:
+ // temporary hack to deal with "edit acl" pseudo-error returns
+ typedef void DidChangeKeyAclCallback(void *context, ClientSession &clientSession,
+ KeyHandle key, CSSM_ACL_AUTHORIZATION_TAG tag);
+ void registerForAclEdits(DidChangeKeyAclCallback *callback, void *context);
+
+public:
+ // Code Signing hosting interface
+ void registerHosting(mach_port_t hostingPort, SecCSFlags flags);
+ mach_port_t hostingPort(pid_t pid);
+
+ SecGuestRef createGuest(SecGuestRef host,
+ uint32_t status, const char *path, const CssmData &cdhash, const CssmData &attributes, SecCSFlags flags);
+ void setGuestStatus(SecGuestRef guest, uint32 status, const CssmData &attributes);
+ void removeGuest(SecGuestRef host, SecGuestRef guest);
+
+ void selectGuest(SecGuestRef guest);
+ SecGuestRef selectedGuest() const;
+
+private:
+ static Port findSecurityd();
+ void getAcl(AclKind kind, GenericHandle key, const char *tag,
+ uint32 &count, AclEntryInfo * &info, Allocator &alloc);
+ void changeAcl(AclKind kind, GenericHandle key,
+ const AccessCredentials &cred, const AclEdit &edit);
+ void getOwner(AclKind kind, GenericHandle key,
+ AclOwnerPrototype &owner, Allocator &alloc);
+ void changeOwner(AclKind kind, GenericHandle key,
+ const AccessCredentials &cred, const AclOwnerPrototype &edit);
+
+ static OSStatus consumerDispatch(NotificationDomain domain, NotificationEvent event,
+ const void *data, size_t dataLength, void *context);
+
+ void notifyAclChange(KeyHandle key, CSSM_ACL_AUTHORIZATION_TAG tag);
+
+ void returnAttrsAndData(CssmDbRecordAttributeData *inOutAttributes,
+ CssmDbRecordAttributeData *attrs, CssmDbRecordAttributeData *attrsBase, mach_msg_type_number_t attrsLength,
+ CssmData *inOutData, void *dataPtr, mach_msg_type_number_t dataLength);
+private:
+ DidChangeKeyAclCallback *mCallback;
+ void *mCallbackContext;
+
+ static UnixPlusPlus::StaticForkMonitor mHasForked; // global fork indicator
+
+ struct Thread {
+ Thread() : registered(false), notifySeq(0),
+ currentGuest(kSecNoGuest), lastGuest(kSecNoGuest) { }
+ operator bool() const { return registered; }
+
+ ReceivePort replyPort; // dedicated reply port (send right held by SecurityServer)
+ bool registered; // has been registered with SecurityServer
+ uint32 notifySeq; // notification sequence number
+
+ SecGuestRef currentGuest; // last set guest path
+ SecGuestRef lastGuest; // last transmitted guest path
+ };
+
+ struct Global {
+ Global();
+ Port serverPort;
+ RefPointer<OSXCode> myself;
+ ThreadNexus<Thread> thread;
+ };
+
+ static ModuleNexus<Global> mGlobal;
+ static const char *mContactName;
+ static SecGuestRef mDedicatedGuest;
+};
+
+
+} // end namespace SecurityServer
+} // end namespace Security
+
+#endif //__cplusplus
+
+
+#endif //_H_SSCLIENT
projects / apple / security.git / blobdiff