src/dbcrypto.h

   1 /*
   2  * Copyright (c) 2000-2001,2003-2004 Apple Computer, Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * Copyright (c) 1999-2003 Apple Computer, Inc.  All Rights Reserved.
   7  *
   8  * This file contains Original Code and/or Modifications of Original Code
   9  * as defined in and that are subject to the Apple Public Source License
  10  * Version 2.0 (the 'License'). You may not use this file except in
  11  * compliance with the License. Please obtain a copy of the License at
  12  * http://www.opensource.apple.com/apsl/ and read it before using this
  13  * file.
  14  *
  15  * The Original Code and all software distributed under the License are
  16  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  17  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  18  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  19  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  20  * Please see the License for the specific language governing rights and
  21  * limitations under the License.
  22  *
  23  * @APPLE_LICENSE_HEADER_END@
  24  */
  25
  26
  27 //
  28 // dbcrypto - cryptographic core for database and key blob cryptography
  29 //
  30 #ifndef _H_DBCRYPTO
  31 #define _H_DBCRYPTO
  32
  33 #include "securityserver.h"
  34 #include <security_cdsa_client/cspclient.h>
  35 #include <security_cdsa_client/keyclient.h>
  36
  37
  38 //
  39 // A DatabaseCryptoCore object encapsulates the secret state of a database.
  40 // It provides for encoding and decoding of database blobs and key blobs,
  41 // and holds all state related to the database secrets.
  42 //
  43 class DatabaseCryptoCore {
  44 public:
  45     DatabaseCryptoCore();
  46         virtual ~DatabaseCryptoCore();
  47
  48     bool isValid() const        { return mIsValid; }
  49         bool hasMaster() const  { return mHaveMaster; }
  50     void invalidate();
  51
  52     void generateNewSecrets();
  53         CssmClient::Key masterKey();
  54
  55         void setup(const DbBlob *blob, const CssmData &passphrase);
  56         void setup(const DbBlob *blob, CssmClient::Key master);
  57
  58     void decodeCore(DbBlob *blob, void **privateAclBlob = NULL);
  59     DbBlob *encodeCore(const DbBlob &blobTemplate,
  60         const CssmData &publicAcl, const CssmData &privateAcl) const;
  61
  62     KeyBlob *encodeKeyCore(const CssmKey &key,
  63         const CssmData &publicAcl, const CssmData &privateAcl) const;
  64     void decodeKeyCore(KeyBlob *blob,
  65         CssmKey &key, void * &pubAcl, void * &privAcl) const;
  66
  67     static const uint32 managedAttributes = KeyBlob::managedAttributes;
  68         static const uint32 forcedAttributes = KeyBlob::forcedAttributes;
  69
  70 public:
  71         bool validatePassphrase(const CssmData &passphrase);
  72
  73 private:
  74         bool mHaveMaster;                               // master key has been entered (setup)
  75     bool mIsValid;                                      // master secrets are valid (decode or generateNew)
  76
  77         CssmClient::Key mMasterKey;             // database master key
  78         uint8 mSalt[20];                                // salt for master key derivation from passphrase (only)
  79
  80     CssmClient::Key mEncryptionKey;     // master encryption key
  81     CssmClient::Key mSigningKey;        // master signing key
  82
  83     CssmClient::Key deriveDbMasterKey(const CssmData &passphrase) const;
  84     CssmClient::Key makeRawKey(void *data, size_t length,
  85         CSSM_ALGORITHMS algid, CSSM_KEYUSE usage);
  86 };
  87
  88
  89 #endif //_H_DBCRYPTO