X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/ecaf5866106b8f08bdb7c1b4f489ef4dfd01278a..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_keychain/lib/TokenLogin.cpp
diff --git a/OSX/libsecurity_keychain/lib/TokenLogin.cpp b/OSX/libsecurity_keychain/lib/TokenLogin.cpp
index f0ec1fef..347d007b 100644
--- a/OSX/libsecurity_keychain/lib/TokenLogin.cpp
+++ b/OSX/libsecurity_keychain/lib/TokenLogin.cpp
@@ -35,10 +35,18 @@
 #include
 extern "C" {
-#include
+#include
 #include
 }
+static os_log_t TOKEN_LOG_DEFAULT() {
+ static dispatch_once_t once;
+ static os_log_t log;
+ dispatch_once(&once, ^{ log = os_log_create("com.apple.security", "tokenlogin"); });
+ return log;
+};
+#define TL_LOG TOKEN_LOG_DEFAULT()
+
 #define kSecTokenLoginDomain CFSTR("com.apple.security.tokenlogin")
 static CFStringRef CF_RETURNS_RETAINED cfDataToHex(CFDataRef bin)
@@ -77,7 +85,7 @@ static CFStringRef getTokenId(CFDictionaryRef context)
 CFStringRef tokenId = (CFStringRef)CFDictionaryGetValue(context, kSecAttrTokenID);
 if (!tokenId || CFGetTypeID(tokenId) != CFStringGetTypeID()) {
- secinfo("TokenLogin", "Invalid tokenId");
+ os_log_debug(TL_LOG, "Invalid tokenId");
 return NULL;
 }
 return tokenId;
@@ -91,7 +99,7 @@ static CFDataRef getPubKeyHash(CFDictionaryRef context)
 CFDataRef pubKeyHash = (CFDataRef)CFDictionaryGetValue(context, kSecAttrPublicKeyHash);
 if (!pubKeyHash || CFGetTypeID(pubKeyHash) != CFDataGetTypeID()) {
- secinfo("TokenLogin", "Invalid pubkeyhash");
+ os_log_debug(TL_LOG, "Invalid pubkeyhash");
 return NULL;
 }
 return pubKeyHash;
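Review bot: The new `TOKEN_LOG_DEFAULT()` definition ends in `};`, a stray semicolon after a function body, and the all-caps name reads as a macro although it is a function; `static os_log_t token_log(void)` with a bare closing `}` and `#define TL_LOG token_log()` would read as what it is. The `os_log_t` obtained from `os_log_create` is deliberately kept for the life of the process, which deserves a one-line comment on the `static os_log_t log;` line, e.g. `// created once, never released: the log handle lives as long as the process`. Neither change affects behaviour.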
@@ -105,17 +113,18 @@ static CFDataRef getPubKeyHashWrap(CFDictionaryRef context) CFDataRef pubKeyHashWrap = (CFDataRef)CFDictionaryGetValue(context, kSecAttrAccount); if (!pubKeyHashWrap || CFGetTypeID(pubKeyHashWrap) != CFDataGetTypeID()) { - secinfo("TokenLogin", "Invalid pubkeyhashwrap"); + os_log_debug(TL_LOG, "Invalid pubkeyhashwrap"); return NULL; } return pubKeyHashWrap; } -static OSStatus privKeyForPubKeyHash(CFDictionaryRef context, SecKeyRef *privKey, CFTypeRef *laCtx) +static OSStatus privKeyForPubKeyHashWrap(CFDictionaryRef context, SecKeyRef *privKey, CFTypeRef *laCtx) { - if (!context) { - return errSecParam; - } + if (!context) { + os_log_error(TL_LOG, "private key for pubkeyhash wrong params"); + return errSecParam; + } CFRef tokenAttributes = makeCFMutableDictionary(1, kSecAttrTokenID, getTokenId(context)); CFRef error; @@ -124,14 +133,14 @@ static OSStatus privKeyForPubKeyHash(CFDictionaryRef context, SecKeyRef *privKey if (pin) { CFRef LAContext = LACreateNewContextWithACMContext(NULL, error.take()); if (!LAContext) { - secinfo("TokenLogin", "Failed to LA Context: %@", error.get()); + os_log_error(TL_LOG, "Failed to LA Context: %{public}@", error.get()); return errSecParam; } if (laCtx) *laCtx = (CFTypeRef)CFRetain(LAContext); CFRef externalizedContext = LACopyACMContext(LAContext, error.take()); if (!externalizedContext) { - secinfo("TokenLogin", "Failed to get externalized context: %@", error.get()); + os_log_error(TL_LOG, "Failed to get externalized context: %{public}@", error.get()); return errSecParam; } CFDictionarySetValue(tokenAttributes, kSecUseCredentialReference, externalizedContext.get()); 
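Review bot: The renamed `privKeyForPubKeyHashWrap` has no comment stating its ownership contract, although the hunk shows both out-parameters are handed back retained (`*laCtx = (CFTypeRef)CFRetain(LAContext)` here, `*privKey` from `SecIdentityCopyPrivateKey` in the following hunk); a header comment such as `// Finds the token identity whose public key hash equals kSecAttrAccount in context; on success *privKey (and *laCtx when non-NULL) are returned retained and must be released by the caller` would make that explicit. `makeCFMutableDictionary(1, kSecAttrTokenID, getTokenId(context))` is built from a value that `getTokenId` returns as NULL for a malformed context; whether the helper tolerates a NULL value is not visible here, so a guard that logs and returns `errSecParam` before the call, in the style of the added `if (!context)` check, would be consistent. The function body continues past the end of this hunk.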
@@ -140,24 +149,29 @@ static OSStatus privKeyForPubKeyHash(CFDictionaryRef context, SecKeyRef *privKey
 CFRef token = TKTokenCreate(tokenAttributes, error.take());
 if (!token) {
- secinfo("TokenLogin", "Failed to create token: %@", error.get());
+ os_log_error(TL_LOG, "Failed to create token: %{public}@", error.get());
 return errSecParam;
 }
 CFRef identities = TKTokenCopyIdentities(token, TKTokenKeyUsageAny, error.take());
 if (!identities || !CFArrayGetCount(identities)) {
- secinfo("TokenLogin", "No identities found for token: %@", error.get());
+ os_log_error(TL_LOG, "No identities found for token: %{public}@", error.get());
+ return errSecParam;
+ }
+
+ CFDataRef desiredHash = getPubKeyHashWrap(context);
+ if (!desiredHash) {
+ os_log_error(TL_LOG, "No wrap key in context");
 return errSecParam;
 }
- CFDataRef desiredHash = getPubKeyHashWrap(context);
 CFIndex idx, count = CFArrayGetCount(identities);
 for (idx = 0; idx < count; ++idx) {
 SecIdentityRef identity = (SecIdentityRef)CFArrayGetValueAtIndex(identities, idx);
 CFRef certificate;
 OSStatus result = SecIdentityCopyCertificate(identity, certificate.take());
 if (result != errSecSuccess) {
- secinfo("TokenLogin", "Failed to get certificate for identity: %d", (int) result);
+ os_log_error(TL_LOG, "Failed to get certificate for identity: %d", (int) result);
 continue;
 }
@@ -165,7 +179,7 @@ static OSStatus privKeyForPubKeyHash(CFDictionaryRef context, SecKeyRef *privKey
 if (identityHash && CFEqual(desiredHash, identityHash)) {
 result = SecIdentityCopyPrivateKey(identity, privKey);
 if (result != errSecSuccess) {
- secinfo("TokenLogin", "Failed to get identity private key: %d", (int) result);
+ os_log_error(TL_LOG, "Failed to get identity private key: %d", (int) result);
 }
 return result;
 }
@@ -176,21 +190,22 @@ static OSStatus privKeyForPubKeyHash(CFDictionaryRef context, SecKeyRef *privKey
 OSStatus TokenLoginGetContext(const void *base64TokenLoginData, UInt32 base64TokenLoginDataLength, CFDictionaryRef *context)
 {
- if (!base64TokenLoginData || !context) {
- return errSecParam;
- }
+ if (!base64TokenLoginData || !context) {
+ os_log_error(TL_LOG, "Get login context - wrong params");
+ return errSecParam;
+ }
 // Token data are base64 encoded in password.
 size_t dataLen = SecBase64Decode((const char *)base64TokenLoginData, base64TokenLoginDataLength, NULL, 0);
 if (!dataLen) {
- secinfo("TokenLogin", "Invalid base64 encoded token data");
+ os_log_debug(TL_LOG, "Invalid base64 encoded token data");
 return errSecParam;
 }
 CFRef data = CFDataCreateMutable(kCFAllocatorDefault, dataLen);
 dataLen = SecBase64Decode((const char *)base64TokenLoginData, base64TokenLoginDataLength, CFDataGetMutableBytePtr(data), dataLen);
 if (!dataLen) {
- secinfo("TokenLogin", "Invalid base64 encoded token data");
+ os_log_error(TL_LOG, "Invalid base64 encoded token data");
 return errSecParam;
 }
 CFDataSetLength(data, dataLen);
@@ -203,12 +218,12 @@ OSStatus TokenLoginGetContext(const void *base64TokenLoginData, UInt32 base64Tok
 NULL, error.take());
 if (!*context || CFGetTypeID(*context) != CFDictionaryGetTypeID()) {
- secinfo("TokenLogin", "Invalid token login data property list, %@", error.get());
+ os_log_error(TL_LOG, "Invalid token login data property list, %{public}@", error.get());
 return errSecParam;
 }
 if (!getPin(*context) || !getTokenId(*context) || !getPubKeyHash(*context) || !getPubKeyHashWrap(*context)) {
- secinfo("TokenLogin", "Invalid token login data context, %@", error.get());
+ os_log_error(TL_LOG, "Invalid token login data context, %{public}@", error.get());
 return errSecParam;
 }
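Review bot: The result of `CFDataCreateMutable(kCFAllocatorDefault, dataLen)` is passed straight to `CFDataGetMutableBytePtr(data)` in the second `SecBase64Decode` call without a NULL check, so an allocation failure dereferences NULL; add `if (!data) { os_log_error(TL_LOG, "Failed to allocate token data buffer"); return errSecAllocate; }` after the `CFRef data = ...` line. The two decode failures now emit the identical text `"Invalid base64 encoded token data"` at different levels (`os_log_debug` for the length probe, `os_log_error` for the real decode), which makes log triage ambiguous; give the second one a distinct message such as `"Base64 decode of token data failed"` or use one level for both.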
@@ -217,39 +232,51 @@ OSStatus TokenLoginGetContext(const void *base64TokenLoginData, UInt32 base64Tok
 OSStatus TokenLoginGetUnlockKey(CFDictionaryRef context, CFDataRef *unlockKey)
 {
- if (!context || !unlockKey) {
- return errSecParam;
- }
-
- CFRef loginData;
+ if (!context || !unlockKey) {
+ os_log_error(TL_LOG, "Get unlock key - wrong params");
+ return errSecParam;
+ }
+
+ CFRef loginData;
 OSStatus result = TokenLoginGetLoginData(context, loginData.take());
 if (result != errSecSuccess) {
- secinfo("TokenLogin", "Failed to get login data: %d", (int)result);
+ os_log_error(TL_LOG, "Failed to get login data: %d", (int)result);
 return result;
 }
 CFDataRef wrappedUnlockKey = (CFDataRef)CFDictionaryGetValue(loginData, kSecValueData);
 if (!wrappedUnlockKey) {
- secinfo("TokenLogin", "Wrapped unlock key not found in unlock key data");
+ os_log_error(TL_LOG, "Wrapped unlock key not found in unlock key data");
 return errSecParam;
 }
 SecKeyAlgorithm algorithm = (SecKeyAlgorithm)CFDictionaryGetValue(loginData, kSecAttrService);
 if (!algorithm) {
- secinfo("TokenLogin", "Algorithm not found in unlock key data");
+ os_log_error(TL_LOG, "Algorithm not found in unlock key data");
 return errSecParam;
 }
+ CFDataRef pubKeyHashWrapFromPlist = (CFDataRef)CFDictionaryGetValue(loginData, kSecAttrPublicKeyHash);
+ if (pubKeyHashWrapFromPlist == NULL) {
+ os_log_error(TL_LOG, "Failed to get wrapkey for unlock key data");
+ return errSecInternal;
+ }
+ CFRef ctx = makeCFDictionary(3,
+ kSecAttrTokenID, getTokenId(context),
+ kSecAttrService, getPin(context),
+ kSecAttrAccount, pubKeyHashWrapFromPlist
+ );
+
 CFRef privKey;
 CFRef LAContext;
- result = privKeyForPubKeyHash(context, privKey.take(), LAContext.take());
+ result = privKeyForPubKeyHashWrap(ctx, privKey.take(), LAContext.take());
 if (result != errSecSuccess) {
- secinfo("TokenLogin", "Failed to get private key for public key hash: %d", (int)result);
+ os_log_error(TL_LOG, "Failed to get private key for public key hash 
%{public}@: %d", pubKeyHashWrapFromPlist, (int)result);
 return result;
 }
 CFRef pubKey = SecKeyCopyPublicKey(privKey);
 if (!pubKey) {
- secinfo("TokenLogin", "Failed to get public key from private key");
+ os_log_error(TL_LOG, "Failed to get public key from private key");
 return errSecParam;
 }
 CFRef error;
@@ -258,14 +285,14 @@ OSStatus TokenLoginGetUnlockKey(CFDictionaryRef context, CFDataRef *unlockKey)
 wrappedUnlockKey, error.take());
 if (!*unlockKey) {
- secinfo("TokenLogin", "Failed to unwrap unlock key: %@", error.get());
+ os_log_error(TL_LOG, "Failed to unwrap unlock key: %{public}@", error.get());
 return errSecDecode;
 }
 // we need to re-wrap already unwrapped data to avoid capturing and reusing communication with the smartcard
 CFRef reWrappedUnlockKey = SecKeyCreateEncryptedData(pubKey, algorithm, *unlockKey, error.take());
 if (!reWrappedUnlockKey) {
- secinfo("TokenLogin", "Failed to rewrap unlock key: %@", error.get());
+ os_log_error(TL_LOG, "Failed to rewrap unlock key: %{public}@", error.get());
 TokenLoginDeleteUnlockData(getPubKeyHash(context));
 return errSecParam;
 }
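Review bot: `pubKeyHashWrapFromPlist` is read from the stored preferences plist and only tested for NULL before the `CFDataRef` cast, whereas the context accessors above (`getPubKeyHash`, `getPubKeyHashWrap`) also verify the CF type; since `loginData` is user-writable data that was just deserialised, the same check belongs here: `if (!pubKeyHashWrapFromPlist || CFGetTypeID(pubKeyHashWrapFromPlist) != CFDataGetTypeID()) {`. The identical pattern appears in the `TokenLoginUnlockKeybag` hunk (`@@ -522,28 +563,40 @@`). The new `makeCFDictionary(3, ...)` call is also fed `getTokenId(context)` and `getPin(context)`, either of which can be NULL for a malformed context; the helper's handling of NULL values is not visible here, so either guard those two results before the call or add a comment that the caller is expected to have validated `context` through `TokenLoginGetContext`.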
@@ -281,15 +308,18 @@ OSStatus TokenLoginGetUnlockKey(CFDictionaryRef context, CFDataRef *unlockKey)
 OSStatus TokenLoginGetLoginData(CFDictionaryRef context, CFDictionaryRef *loginData)
 {
- if (!loginData || !context) {
- return errSecParam;
- }
+ if (!loginData || !context) {
+ os_log_error(TL_LOG, "Get login data - wrong params");
+ return errSecParam;
+ }
 CFRef pubKeyHashHex = cfDataToHex(getPubKeyHash(context));
+ CFPreferencesSynchronize(kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
 CFRef storedData = (CFDataRef)CFPreferencesCopyValue(pubKeyHashHex, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
- if (!storedData) {
- secinfo("TokenLogin", "Failed to read token login plist");
+ if (!storedData) {
+ // this is not an error, might be a normal situation if the value does not exist
+ os_log_debug(TL_LOG, "Failed to read token login plist");
 return errSecIO;
 }
@@ -300,7 +330,7 @@ OSStatus TokenLoginGetLoginData(CFDictionaryRef context, CFDictionaryRef *loginD
 NULL, error.take());
 if (!*loginData || CFGetTypeID(*loginData) != CFDictionaryGetTypeID()) {
- secinfo("TokenLogin", "Failed to deserialize unlock key data: %@", error.get());
+ os_log_error(TL_LOG, "Failed to deserialize unlock key data: %{public}@", error.get());
 return errSecParam;
 }
@@ -319,14 +349,15 @@ OSStatus TokenLoginGetPin(CFDictionaryRef context, CFStringRef *pin)
 OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context, CFStringRef password)
 {
- if (!context) {
- return errSecParam;
- }
+ if (!context) {
+ os_log_error(TL_LOG, "Updating unlock data - wrong params");
+ return errSecParam;
+ }
 CFRef loginKeychain;
 OSStatus result = SecKeychainCopyLogin(loginKeychain.take());
 if (result != errSecSuccess) {
- secinfo("TokenLogin", "Failed to get user keychain: %d", (int) result);
+ os_log_error(TL_LOG, "Failed to get user keychain: %d", (int) result);
 return result;
 }
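Review bot: The new comment on the `!storedData` branch says a missing value is not an error, yet the branch still returns `errSecIO`, which `TokenLoginGetUnlockKey` propagates as a failure and which callers cannot tell apart from a genuine preferences read error; returning `errSecItemNotFound` there would let callers distinguish "nothing stored for this key" from "could not read" without touching the success path. `cfDataToHex(getPubKeyHash(context))` also runs before anything checks that `getPubKeyHash` succeeded; the body of `cfDataToHex` is outside this hunk, so if it does not tolerate NULL, `if (!pubKeyHashHex) { return errSecParam; }` right after that line is cheap insurance.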
@@ -335,8 +366,10 @@ OSStatus TokenLoginUpdateUnlockData(CFDictionaryRef context, CFStringRef passwor
 OSStatus TokenLoginCreateLoginData(CFStringRef tokenId, CFDataRef pubKeyHash, CFDataRef pubKeyHashWrap, CFDataRef unlockKey, CFDataRef scBlob)
 {
- if (!tokenId || !pubKeyHash || !pubKeyHashWrap || !unlockKey || !scBlob)
- return errSecParam;
+ if (!tokenId || !pubKeyHash || !pubKeyHashWrap || !unlockKey || !scBlob) {
+ os_log_error(TL_LOG, "Create login data - wrong params");
+ return errSecParam;
+ }
 CFRef ctx = makeCFDictionary(3,
 kSecAttrTokenID, tokenId,
@@ -344,15 +377,15 @@ OSStatus TokenLoginCreateLoginData(CFStringRef tokenId, CFDataRef pubKeyHash, CF
 kSecAttrAccount, pubKeyHashWrap
 );
 CFRef privKey;
- OSStatus result = privKeyForPubKeyHash(ctx, privKey.take(), NULL);
+ OSStatus result = privKeyForPubKeyHashWrap(ctx, privKey.take(), NULL);
 if (result != errSecSuccess) {
- secinfo("TokenLogin", "Failed to get private key for public key hash: %d", (int) result);
+ os_log_error(TL_LOG, "Failed to get private key for public key hash %{public}@: %d", pubKeyHashWrap, (int)result);
 return result;
 }
 CFRef pubKey = SecKeyCopyPublicKey(privKey);
 if (!pubKey) {
- secinfo("TokenLogin", "Failed to get public key from private key");
+ os_log_error(TL_LOG, "Failed to get public key from private key");
 return errSecParam;
 }
@@ -378,14 +411,14 @@ OSStatus TokenLoginCreateLoginData(CFStringRef tokenId, CFDataRef pubKeyHash, CF
 }
 }
 if (algorithm == NULL) {
- secinfo("SecKeychain", "Failed to find supported wrap algorithm");
+ os_log_error(TL_LOG, "Failed to find supported wrap algorithm");
 return errSecParam;
 }
 CFRef error;
 CFRef wrappedUnlockKey = SecKeyCreateEncryptedData(pubKey, algorithm, unlockKey, error.take());
 if (!wrappedUnlockKey) {
- secinfo("TokenLogin", "Failed to wrap unlock key: %@", error.get());
+ os_log_error(TL_LOG, "Failed to wrap unlock key: %{public}@", error.get());
 return errSecParam;
 }
@@ -400,6 +433,7 @@ OSStatus TokenLoginCreateLoginData(CFStringRef tokenId, CFDataRef pubKeyHash, CF
 OSStatus TokenLoginStoreUnlockData(CFDictionaryRef context, CFDictionaryRef loginData)
 {
+ os_log_debug(TL_LOG, "Storing unlock data");
 CFRef error;
 CFRef data = CFPropertyListCreateData(kCFAllocatorDefault,
@@ -408,18 +442,24 @@ OSStatus TokenLoginStoreUnlockData(CFDictionaryRef context, CFDictionaryRef logi
 0, error.take());
 if (!data) {
- secdebug("TokenLogin", "Failed to create unlock data: %@", error.get());
+ os_log_error(TL_LOG, "Failed to create unlock data: %{public}@", error.get());
 return errSecInternal;
 }
 CFRef pubKeyHashHex = cfDataToHex(getPubKeyHash(context));
- CFPreferencesSetValue(pubKeyHashHex, data, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ os_log_debug(TL_LOG, "Pubkeyhash %@", pubKeyHashHex.get());
+
+ CFPreferencesSetValue(pubKeyHashHex, data, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ os_log_debug(TL_LOG, "Pubkeyhash %@", pubKeyHashHex.get());
+
 CFPreferencesSynchronize(kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
 CFRef storedData = (CFDataRef)CFPreferencesCopyValue(pubKeyHashHex, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ os_log_debug(TL_LOG, "Stored data %@", storedData.get());
 if (!storedData || !CFEqual(storedData, data)) {
- secinfo("TokenLogin", "Failed to write token login plist");
+ os_log_error(TL_LOG, "Failed to write token login plist");
 return errSecIO;
 }
+ os_log_debug(TL_LOG, "Original data %@. Everything is OK", data.get());
 return errSecSuccess;
 }
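Review bot: The new `os_log_debug(TL_LOG, "Stored data %@", storedData.get())` and `os_log_debug(TL_LOG, "Original data %@. Everything is OK", data.get())` lines write the entire serialised unlock-data plist, which carries the wrapped unlock key and the smartcard blob, into the unified log; the arguments are redacted as `<private>` by default, but private data can be switched on for debug logging on a machine, so the payload itself should not be logged. Log only what the write-back comparison needs, e.g. after the `!storedData` check `os_log_debug(TL_LOG, "Stored %ld bytes, original %ld bytes", (long)CFDataGetLength(storedData), (long)CFDataGetLength(data));`, and drop the data-bearing lines. The `os_log_debug(TL_LOG, "Pubkeyhash %@", pubKeyHashHex.get())` line is emitted twice with identical content, once before and once after `CFPreferencesSetValue`; one of them can go.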
@@ -432,7 +472,7 @@ OSStatus TokenLoginDeleteUnlockData(CFDataRef pubKeyHash)
 CFRef storedData = (CFDataRef)CFPreferencesCopyValue(pubKeyHashHex, kSecTokenLoginDomain, kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
 if (storedData) {
- secinfo("TokenLogin", "Failed to remove unlock data");
+ os_log_error(TL_LOG, "Failed to remove unlock data");
 return errSecIO;
 }
@@ -442,7 +482,7 @@ OSStatus TokenLoginDeleteUnlockData(CFDataRef pubKeyHash)
 OSStatus TokenLoginGetScBlob(CFDataRef pubKeyHashWrap, CFStringRef tokenId, CFStringRef password, CFDataRef *scBlob)
 {
 if (scBlob == NULL || password == NULL || pubKeyHashWrap == NULL || tokenId == NULL) {
- secinfo("TokenLogin", "TokenLoginGetScBlob wrong params");
+ os_log_error(TL_LOG, "TokenLoginGetScBlob wrong params");
 return errSecParam;
 }
@@ -452,21 +492,21 @@ OSStatus TokenLoginGetScBlob(CFDataRef pubKeyHashWrap, CFStringRef tokenId, CFSt
 );
 CFRef privKey;
- OSStatus retval = privKeyForPubKeyHash(ctx, privKey.take(), NULL);
+ OSStatus retval = privKeyForPubKeyHashWrap(ctx, privKey.take(), NULL);
 if (retval != errSecSuccess) {
- secinfo("TokenLogin", "TokenLoginGetScBlob failed to get private key for public key hash: %d", (int) retval);
+ os_log_error(TL_LOG, "TokenLoginGetScBlob failed to get private key for public key hash %{public}@: %d", pubKeyHashWrap, (int)retval);
 return retval;
 }
 CFRef pubKey = SecKeyCopyPublicKey(privKey);
 if (!pubKey) {
- secinfo("TokenLogin", "TokenLoginGetScBlob no pubkey");
+ os_log_error(TL_LOG, "TokenLoginGetScBlob no pubkey");
 return errSecInternal;
 }
 CFRef attributes = SecKeyCopyAttributes(pubKey);
 if (!attributes) {
- secinfo("TokenLogin", "TokenLoginGetScBlob no attributes");
+ os_log_error(TL_LOG, "TokenLoginGetScBlob no attributes");
 return errSecInternal;
 }
@@ -477,25 +517,25 @@ OSStatus TokenLoginGetScBlob(CFDataRef pubKeyHashWrap, CFStringRef tokenId, CFSt else if (CFEqual(type, kSecAttrKeyTypeEC)) mode = AKS_SMARTCARD_MODE_ECDH; else { - secinfo("TokenLogin", "TokenLoginGetScBlob bad type"); + os_log_error(TL_LOG, "TokenLoginGetScBlob bad type"); return errSecNotAvailable; } CFRef publicBytes = SecKeyCopyExternalRepresentation(pubKey, NULL); if (!publicBytes) { - secinfo("TokenLogin", "TokenLoginGetScBlob cannot get public bytes"); + os_log_error(TL_LOG, "TokenLoginGetScBlob cannot get public bytes"); return retval; } CFIndex maxLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(password), kCFStringEncodingUTF8) + 1; char* buf = (char*)malloc(maxLength); if (buf == NULL) { - secinfo("TokenLogin", "TokenLoginGetScBlob no mem for buffer"); + os_log_error(TL_LOG, "TokenLoginGetScBlob no mem for buffer"); return retval; } if (CFStringGetCString(password, buf, maxLength, kCFStringEncodingUTF8) == FALSE) { - secinfo("TokenLogin", "TokenLoginGetScBlob no pwd cstr"); + os_log_error(TL_LOG, "TokenLoginGetScBlob no pwd cstr"); free(buf); return retval; } @@ -505,7 +545,7 @@ OSStatus TokenLoginGetScBlob(CFDataRef pubKeyHashWrap, CFStringRef tokenId, CFSt aks_smartcard_unregister(session_keybag_handle); // just to be sure no previous registration exist kern_return_t aks_retval = aks_smartcard_register(session_keybag_handle, (uint8_t *)buf, strlen(buf), mode, (uint8_t *)CFDataGetBytePtr(publicBytes), (size_t)CFDataGetLength(publicBytes), &sc_blob, &sc_len); free(buf); - secinfo("TokenLogin", "TokenLoginGetScBlob register result %d", aks_retval); + os_log_debug(TL_LOG, "TokenLoginGetScBlob register result %d", aks_retval); if (sc_blob) { *scBlob = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)sc_blob, (CFIndex)sc_len); 
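Review bot: The three `return retval;` statements on the new side of this hunk — after `"TokenLoginGetScBlob cannot get public bytes"`, `"TokenLoginGetScBlob no mem for buffer"` and `"TokenLoginGetScBlob no pwd cstr"` — return `errSecSuccess`, because `retval` was last assigned by `privKeyForPubKeyHashWrap` in the `@@ -452,21 +492,21 @@` hunk and the function already returned whenever it was anything else (unless it is reassigned in the few lines between the two hunks that are not shown). The caller is then told the call succeeded while `*scBlob` was never set. Use an explicit failure code on each path, e.g. `return errSecInternal;` for the public-bytes and C-string cases and `return errSecAllocate;` for the malloc failure. `TokenLoginUnlockKeybag` has the same flaw in its `if (!pubKey) { ... return retval; }` in the `@@ -522,28 +563,40 @@` hunk, where `retval` is likewise `errSecSuccess` at that point.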
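Review bot: `buf` holds the user's password in clear text and is released with a plain `free(buf)` after `aks_smartcard_register`, so the bytes remain in freed heap memory; clear it first with `memset_s(buf, maxLength, 0, maxLength);`, and do the same on the `"no pwd cstr"` path in the previous hunk, which also frees `buf` without wiping it. Both paths are unchanged by this commit apart from the log call, but the new log line is the natural place to add the wipe.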
@@ -514,6 +554,7 @@ OSStatus TokenLoginGetScBlob(CFDataRef pubKeyHashWrap, CFStringRef tokenId, CFSt
 return aks_retval;
 }
+// context = data wrapped in password variable, loginData = dictionary from stored plist
 OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginData)
 {
 if (!loginData || !context) {
@@ -522,28 +563,40 @@ OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginDa
 CFDataRef scBlob = (CFDataRef)CFDictionaryGetValue(loginData, kSecClassKey);
 if (scBlob == NULL) {
- secinfo("TokenLogin", "Failed to get scblob");
+ os_log_error(TL_LOG, "Failed to get scblob");
 return errSecInternal;
 }
+ CFDataRef pubKeyHashWrapFromPlist = (CFDataRef)CFDictionaryGetValue(loginData, kSecAttrPublicKeyHash);
+ if (pubKeyHashWrapFromPlist == NULL) {
+ os_log_error(TL_LOG, "Failed to get wrapkey");
+ return errSecInternal;
+ }
+
+ CFRef ctx = makeCFDictionary(3,
+ kSecAttrTokenID, getTokenId(context),
+ kSecAttrService, getPin(context),
+ kSecAttrAccount, pubKeyHashWrapFromPlist
+ );
+
 CFRef error;
 CFRef privKey;
 CFRef LAContext;
- OSStatus retval = privKeyForPubKeyHash(context, privKey.take(), LAContext.take());
+ OSStatus retval = privKeyForPubKeyHashWrap(ctx, privKey.take(), LAContext.take());
 if (retval != errSecSuccess) {
- secinfo("TokenLogin", "Failed to get private key for public key hash: %d", (int) retval);
+ os_log_error(TL_LOG, "Failed to get private key for public key hash %{public}@: %d", pubKeyHashWrapFromPlist, (int)retval);
 return retval;
 }
 CFRef pubKey = SecKeyCopyPublicKey(privKey);
 if (!pubKey) {
- secinfo("TokenLogin", "Failed to get pubkey");
+ os_log_error(TL_LOG, "Failed to get pubkey");
 return retval;
 }
 CFRef attributes = SecKeyCopyAttributes(pubKey);
 if (!attributes) {
- secinfo("TokenLogin", "TokenLoginUnlockKeybag no attributes");
+ os_log_error(TL_LOG, "TokenLoginUnlockKeybag no attributes");
 return errSecInternal;
 }
@@ -554,7 +607,7 @@ OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginDa else if (CFEqual(type, kSecAttrKeyTypeEC)) mode = AKS_SMARTCARD_MODE_ECDH; else { - secinfo("TokenLogin", "TokenLoginUnlockKeybag bad type"); + os_log_error(TL_LOG, "TokenLoginUnlockKeybag bad type"); return errSecNotAvailable; } @@ -562,7 +615,7 @@ OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginDa size_t scChallengeLen = 0; int res = aks_smartcard_request_unlock(session_keybag_handle, (uint8_t *)CFDataGetBytePtr(scBlob), (size_t)CFDataGetLength(scBlob), &scChallenge, &scChallengeLen); if (res != 0) { - secinfo("TokenLogin", "TokenLoginUnlockKeybag cannot request unlock: %x", res); + os_log_error(TL_LOG, "TokenLoginUnlockKeybag cannot request unlock: %x", res); return errSecInternal; } const void *scUsk = NULL; @@ -571,7 +624,7 @@ OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginDa if (res != 0 || scUsk == NULL) { free(scChallenge); - secinfo("TokenLogin", "TokenLoginUnlockKeybag cannot get usk: %x", res); + os_log_error(TL_LOG, "TokenLoginUnlockKeybag cannot get usk: %x", res); return errSecInternal; } @@ -582,13 +635,13 @@ OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginDa res = aks_smartcard_get_ec_pub(scChallenge, scChallengeLen, &ecPub, &ecPubLen); if (res != 0 || ecPub == NULL) { free(scChallenge); - secinfo("TokenLogin", "TokenLoginUnlockKeybag cannot get ecpub: %x", res); + os_log_error(TL_LOG, "TokenLoginUnlockKeybag cannot get ecpub: %x", res); return errSecInternal; } wrappedUsk = CFDataCreateMutable(kCFAllocatorDefault, ecPubLen + scUskLen); if (!wrappedUsk) { free(scChallenge); - secinfo("TokenLogin", "TokenLoginUnlockKeybag no mem for ecpubusk"); + os_log_error(TL_LOG, "TokenLoginUnlockKeybag no mem for ecpubusk"); return errSecInternal; } CFDataAppendBytes((CFMutableDataRef)wrappedUsk.get(), (const UInt8 *)ecPub, (CFIndex)ecPubLen); 
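Review bot: The new `os_log_error` calls in the `cannot request unlock`, `cannot get usk` and `cannot get ecpub` hunks print `res` with `%x`, but `res` is declared `int` on the `int res = aks_smartcard_request_unlock(...)` line; either print it as `%d`, matching every other status value logged in this file, or cast it: `os_log_error(TL_LOG, "TokenLoginUnlockKeybag cannot request unlock: %x", (unsigned)res);`. The same applies to the other two calls.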
@@ -603,7 +656,7 @@ OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginDa
 (CFDataRef)wrappedUsk.get(), error.take());
 if (!unwrappedUsk) {
- secinfo("TokenLogin", "TokenLoginUnlockKeybag failed to unwrap blob: %@", error.get());
+ os_log_error(TL_LOG, "TokenLoginUnlockKeybag failed to unwrap blob: %{public}@", error.get());
 return errSecInternal;
 }
@@ -618,6 +671,8 @@ OSStatus TokenLoginUnlockKeybag(CFDictionaryRef context, CFDictionaryRef loginDa
 CFDictionarySetValue(newDict, kSecClassKey, newBlobData.get());
 TokenLoginStoreUnlockData(context, newDict);
 }
- }
+ } else {
+ os_log_error(TL_LOG, "TokenLoginUnlockKeybag no new scblob received: %d", res);
+ }
 return res;
 }
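Review bot: The return value of `TokenLoginStoreUnlockData(context, newDict)` is discarded, so when persisting the refreshed smartcard blob fails the function still returns `res`, presumably success, and the stored plist keeps the previous blob; capture the status and at least log it at error level: `OSStatus storeResult = TokenLoginStoreUnlockData(context, newDict);` / `if (storeResult != errSecSuccess)` / `os_log_error(TL_LOG, "TokenLoginUnlockKeybag failed to store new scblob: %d", (int)storeResult);`. Whether a failed store should also change the returned status depends on the caller's expectations, which are not visible here. The `if` that the new `else` branch belongs to begins outside this hunk, so the condition under which `"no new scblob received"` is logged cannot be confirmed from the diff alone.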