1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved.
7 *
8 * This file contains Original Code and/or Modifications of Original Code
9 * as defined in and that are subject to the Apple Public Source License
10 * Version 2.0 (the 'License'). You may not use this file except in
11 * compliance with the License. Please obtain a copy of the License at
12 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * file.
14 *
15 * The Original Code and all software distributed under the License are
16 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
17 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
18 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
20 * Please see the License for the specific language governing rights and
21 * limitations under the License.
22 *
23 * @APPLE_LICENSE_HEADER_END@
24 */
25
26
27 //
28 // kcdatabase - software database container implementation.
29 //
30 // A KeychainDatabase is a software storage container,
31 // implemented cooperatively by the AppleCSPDL CDSA plugin (the Apple CSP/DL module) and this daemon (securityd).
32 //
33 #ifndef _H_KCDATABASE
34 #define _H_KCDATABASE
35
36 #include "localdatabase.h"
37
38 class KeychainDatabase;
39 class KeychainDbCommon;
40 class KeychainKey;
41
42
//
// DbIdentifier - the external identity of a keychain database: the
// DL/DB identifier (which carries the database name) paired with the
// signature of the database's DbBlob. Two DbIdentifiers are equal only
// when both parts match, so the same database name with a different
// blob signature is a distinct identifier.
//
class DbIdentifier {
public:
    // Build from a DL/DB identifier and the signature of its blob.
    DbIdentifier(const DLDbIdentifier &id, DbBlob::Signature sig)
        : mIdent(id), mSig(sig) { }

    // Component accessors.
    const DLDbIdentifier &dlDbIdentifier() const { return mIdent; }
    const DbBlob::Signature &signature() const { return mSig; }
    const char *dbName() const { return mIdent.dbName(); }

    // Implicit conversions to either component. NOTE(review): because these
    // are implicit, a DbIdentifier silently decays to its DLDbIdentifier (or
    // to its signature) wherever one is expected; code that compares or looks
    // up databases by identity should compare the whole DbIdentifier so the
    // signature is not dropped on the floor.
    operator const DLDbIdentifier &() const { return mIdent; }
    operator const DbBlob::Signature &() const { return mSig; }

    // Strict weak ordering: by DL/DB identifier first, then by signature.
    bool operator < (const DbIdentifier &other) const
    {
        // Fall through to the signature only when neither identifier
        // orders before the other (they are equivalent under <).
        return mIdent < other.mIdent
            || (!(other.mIdent < mIdent) && mSig < other.mSig);
    }

    // Equality requires both the identifier and the signature to match.
    bool operator == (const DbIdentifier &other) const
    {
        if (mIdent == other.mIdent)
            return mSig == other.mSig;
        return false;
    }

private:
    DLDbIdentifier mIdent;      // DL/DB identifier (carries the database name)
    DbBlob::Signature mSig;     // signature of the database blob
};
68
69
70 //
71 // KeychainDatabase DbCommons
72 //
//
// KeychainDbCommon - the state shared by every KeychainDatabase object that is
// open on the same keychain within a Session. It is also the database's crypto
// core (DatabaseCryptoCore) and a MachServer::Timer whose action() re-locks the
// keychain when the activity timeout expires.
//
class KeychainDbCommon : public DbCommon,
    public DatabaseCryptoCore, public MachServer::Timer {
public:
    // Construct the common for database `id` within session `ssn`.
    KeychainDbCommon(Session &ssn, const DbIdentifier &id);
    ~KeychainDbCommon();

    // Attempt to unlock the database against `blob`; returns true on success.
    // If privateAclBlob is non-NULL it receives the private ACL blob.
    // NOTE(review): neither the ownership of *privateAclBlob nor whether the
    // blob's integrity is verified before use is stated here — confirm against
    // the implementation before relying on either.
    bool unlockDb(DbBlob *blob, void **privateAclBlob = NULL);
    // Lock the database; forSleep distinguishes a lock taken because the
    // system is going to sleep from an ordinary lock.
    void lockDb(bool forSleep = false);	// versatile lock primitive
    // Logical lock status (mIsLocked). This is a flag, not proof that key
    // material has been discarded — see lockDb()/DatabaseCryptoCore for that.
    bool isLocked() const { return mIsLocked; } // lock status
    // Presumably flips the logical lock state to unlocked — verify in the
    // implementation; it does not take a blob or credentials.
    void setUnlocked();

    // Note recent use of the database: resets the auto-lock timeout.
    void activity();					// reset lock timeout

    // Generate fresh secrets for this database (details live in the
    // implementation, not here).
    void makeNewSecrets();

    // Identity accessors: the external DbIdentifier, its DL/DB part, and name.
    const DbIdentifier &identifier() const {return mIdentifier; }
    const DLDbIdentifier &dlDbIdent() const { return identifier(); }
    const char *dbName() const { return dlDbIdent().dbName(); }

    // Encode database `db` into a DbBlob. NOTE(review): returns a raw pointer;
    // the caller presumably owns the result — verify against the implementation.
    DbBlob *encode(KeychainDatabase &db);

    // Post a keychain notification for `event`.
    void notify(NotificationEvent event);

    // Presumably the hook run when the system goes to sleep — confirm.
    void sleepProcessing();

public:
    // debugging
    IFDUMP(void dumpNode());

protected:
    // MachServer::Timer callback: fires when the activity timeout expires and
    // locks the keychain. This is the idle auto-lock path; activity() defers it.
    void action();		// timer queue action to lock keychain

public:
    DbIdentifier mIdentifier;	// database external identifier [const]
    // all following data locked with object lock
    // NOTE(review): these are public, mutable fields on an object shared by
    // every open of the keychain; every reader and writer must hold the object
    // lock named above — nothing in this header enforces it.
    uint32 sequence;			// change sequence number
    DBParameters mParams;		// database parameters (arbitrated copy)

    uint32 version;				// version stamp for change tracking

private:
    bool mIsLocked;				// logically locked
    bool mValidParams;			// mParams has been set
};
117
118
119 //
120 // A Database object represents an Apple CSP/DL open database (DL/DB) object.
121 // It maintains its protected semantic state (including keys) and provides controlled
122 // access.
123 //
//
// KeychainDatabase - one open of a keychain. State shared by all opens of the
// same keychain lives in the KeychainDbCommon returned by common(); this object
// holds the per-open view: the encoded blob (mBlob), its version stamp, and the
// credentials (mCred) used to open it. The encoded form is only trusted while
// `version` matches the common's version stamp (see validBlob()).
//
class KeychainDatabase : public LocalDatabase {
    friend class KeychainDbCommon;
public:
    // Create a new keychain with parameters `params` on behalf of process
    // `proc`, using credentials `cred` and initial owner ACL `owner`.
    KeychainDatabase(const DLDbIdentifier &id, const DBParameters &params, Process &proc,
        const AccessCredentials *cred, const AclEntryPrototype *owner);
    virtual ~KeychainDatabase();

    // Shared state for this keychain, and its database name.
    KeychainDbCommon &common() const;
    const char *dbName() const;

public:
    // Named limit on unlock attempts. NOTE(review): where this limit is
    // enforced is not visible in this header; confirm that the unlock path
    // actually stops after this many failed passphrases.
    static const int maxUnlockTryCount = 3;

public:
    // External identity, taken from the shared common.
    const DbIdentifier &identifier() const { return common().identifier(); }

public:
    // encoding/decoding databases
    // Current encoded blob of this database (see encode() and validBlob()).
    DbBlob *blob();
    // Open an existing keychain from its encoded `blob` on behalf of `proc`,
    // using credentials `cred`.
    KeychainDatabase(const DLDbIdentifier &id, const DbBlob *blob, Process &proc,
        const AccessCredentials *cred);
    // Authenticate `cred` against this database (presumably without changing
    // the lock state — confirm in the implementation).
    void authenticate(const AccessCredentials *cred);
    // Change the database passphrase using `cred`.
    void changePassphrase(const AccessCredentials *cred);
    // Hand out this database's master key as a Key in database `db`, with
    // owner ACL `owner` and the given key usage/attributes. NOTE(review): this
    // exports the most sensitive secret the keychain has; the caller's
    // authorization (`cred`) must be checked before it is reached, and `usage`
    // / `attrs` should be the minimum the caller needs.
    RefPointer<Key> extractMasterKey(Database &db, const AccessCredentials *cred,
        const AclEntryPrototype *owner, uint32 usage, uint32 attrs);
    // Fill `indexData` with the database index.
    void getDbIndex(CssmData &indexData);

    // lock/unlock processing
    void lockDb();							// unconditional lock
    void unlockDb();						// full-feature unlock
    void unlockDb(const CssmData &passphrase);	// unlock with passphrase

    bool decode();							// unlock given established master key
    bool decode(const CssmData &passphrase);	// set master key from PP, try unlock

    // Checks a passphrase without throwing. NOTE(review): this is a
    // passphrase-correctness oracle; callers should bound repeated calls
    // (cf. maxUnlockTryCount) — that bounding is not visible in this header.
    bool validatePassphrase(const CssmData &passphrase) const;	// nonthrowing validation
    // Lock status and activity bookkeeping are delegated to the common.
    bool isLocked() const { return common().isLocked(); }	// lock status
    void notify(NotificationEvent event) { return common().notify(event); }
    void activity() const { common().activity(); }		// reset timeout clock

    // encoding/decoding keys
    // Decode a key blob into `key`, also yielding its public and private ACL
    // blobs through pubAcl/privAcl. NOTE(review): the out-params are raw
    // void*; their ownership and lifetime are not stated here — verify.
    void decodeKey(KeyBlob *blob, CssmKey &key, void * &pubAcl, void * &privAcl);
    // Encode `key` with the given public and private ACL blobs into a KeyBlob.
    KeyBlob *encodeKey(const CssmKey &key, const CssmData &pubAcl, const CssmData &privAcl);

    // True iff an encoded blob exists and this open's version stamp still
    // matches the common's; a stale mBlob must be re-encoded, not reused.
    bool validBlob() const { return mBlob && version == common().version; }

    // manage database parameters
    void setParameters(const DBParameters &params);
    void getParameters(DBParameters &params);

    // ACL state management hooks
    void instantiateAcl();
    void changedAcl();
    const Database *relatedDatabase() const; // "self", for SecurityServerAcl's sake

    // debugging
    IFDUMP(void dumpNode());

protected:
    // Wrap `newKey` (with `moreAttributes` added and owner ACL `owner`) as a Key.
    RefPointer<Key> makeKey(const CssmKey &newKey, uint32 moreAttributes,
        const AclEntryPrototype *owner);

    // Interior unlock paths: with this object's own credentials, with explicit
    // credentials, or with a raw passphrase.
    void makeUnlocked();							// interior version of unlock()
    void makeUnlocked(const AccessCredentials *cred);	// like () with explicit cred
    void makeUnlocked(const CssmData &passphrase);	// interior version of unlock(CssmData)

    // Establish the database secrets from existing credentials, or create new
    // ones (prompting for `reason` via the SecurityAgent, presumably).
    void establishOldSecrets(const AccessCredentials *creds);
    void establishNewSecrets(const AccessCredentials *creds, SecurityAgent::Reason reason);

    // Derive a CSSM client key from a credential sample.
    static CssmClient::Key keyFromCreds(const TypedList &sample);

    // Regenerate mBlob when validBlob() is false.
    void encode();									// (re)generate mBlob if needed

private:
    // all following data is locked by the common lock
    bool mValidData;		// valid ACL and params (blob decoded)

    uint32 version;			// version stamp for blob validity
    DbBlob *mBlob;			// database blob (encoded)

    // NOTE(review): raw pointer; who owns and frees the credentials is not
    // stated in this header ("always valid" is the original author's claim).
    AccessCredentials *mCred;	// local access credentials (always valid)
};
206
207 #endif //_H_KCDATABASE