2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 // key - representation of securityd key objects
31 #include <security_cdsa_utilities/acl_any.h>
35 // Create a Key object from a database-encoded blob.
36 // Note that this doesn't decode the blob (yet).
38 KeychainKey::KeychainKey(Database
&db
, const KeyBlob
*blob
)
39 : LocalKey(db
, n2h(blob
->header
.attributes()))
41 // perform basic validation on the incoming blob
43 blob
->validate(CSSMERR_APPLEDL_INVALID_KEY_BLOB
);
44 switch (blob
->version()) {
45 #if defined(COMPAT_OSX_10_0)
46 case blob
->version_MacOS_10_0
:
49 case blob
->version_MacOS_10_1
:
52 CssmError::throwMe(CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB
);
56 mBlob
= blob
->copy(Allocator::standard());
58 db
.addReference(*this);
59 secdebug("SSkey", "%p (handle 0x%lx) created from blob version %lx",
60 this, handle(), blob
->version());
65 // Create a Key from an explicit CssmKey.
67 KeychainKey::KeychainKey(Database
&db
, const CssmKey
&newKey
, uint32 moreAttributes
,
68 const AclEntryPrototype
*owner
)
69 : LocalKey(db
, newKey
, moreAttributes
)
71 assert(moreAttributes
& CSSM_KEYATTR_PERMANENT
);
75 db
.addReference(*this);
79 KeychainKey::~KeychainKey()
81 Allocator::standard().free(mBlob
);
82 secdebug("SSkey", "%p destroyed", this);
86 KeychainDatabase
&KeychainKey::database() const
88 return referent
<KeychainDatabase
>();
93 // Retrieve the actual CssmKey value for the key object.
94 // This will decode its blob if needed (and appropriate).
96 void KeychainKey::getKey()
101 void KeychainKey::getHeader(CssmKey::Header
&hdr
)
105 n2hi(hdr
); // correct for endian-ness
110 // Ensure that a key is fully decoded.
111 // This makes the mKey key value available for use, as well as its ACL.
113 void KeychainKey::decode()
116 assert(mValidBlob
); // must have a blob to decode
119 void *publicAcl
, *privateAcl
;
121 database().decodeKey(mBlob
, key
, publicAcl
, privateAcl
);
122 mKey
= CssmClient::Key(Server::csp(), key
);
123 acl().importBlob(publicAcl
, privateAcl
);
124 // publicAcl points into the blob; privateAcl was allocated for us
125 Allocator::standard().free(privateAcl
);
127 // extract managed attribute bits
128 mAttributes
= mKey
.header().attributes() & managedAttributes
;
129 mKey
.header().clearAttribute(managedAttributes
);
130 mKey
.header().setAttribute(forcedAttributes
);
139 // Encode a key into a blob.
140 // We'll have to ask our Database to do this - we don't have its keys.
141 // Note that this returns memory we own and keep.
143 KeyBlob
*KeychainKey::blob()
146 assert(mValidKey
); // must have valid key to encode
148 // export Key ACL to blob form
149 CssmData pubAcl
, privAcl
;
150 acl().exportBlob(pubAcl
, privAcl
);
152 // assemble external key form
153 CssmKey externalKey
= mKey
;
154 externalKey
.clearAttribute(forcedAttributes
);
155 externalKey
.setAttribute(mAttributes
);
157 // encode the key and replace blob
158 KeyBlob
*newBlob
= database().encodeKey(externalKey
, pubAcl
, privAcl
);
159 Allocator::standard().free(mBlob
);
164 acl().allocator
.free(pubAcl
);
165 acl().allocator
.free(privAcl
);
170 void KeychainKey::invalidateBlob()
177 // Override ACL-related methods and events.
178 // Decode the key before ACL activity; invalidate the stored blob on ACL edits;
179 // and return the key's database as "related".
181 void KeychainKey::instantiateAcl()
186 void KeychainKey::changedAcl()
193 // Intercept Key validation and double-check that the keychain is (still) unlocked
195 void KeychainKey::validate(AclAuthorization auth
, const AccessCredentials
*cred
,
196 Database
*relatedDatabase
)
198 if (KeychainDatabase
*db
= dynamic_cast<KeychainDatabase
*>(relatedDatabase
))
200 SecurityServerAcl::validate(auth
, cred
, relatedDatabase
);
207 AclKind
KeychainKey::aclKind() const
213 Database
*KeychainKey::relatedDatabase()
218 SecurityServerAcl
&KeychainKey::acl()