]> git.saurik.com Git - apple/securityd.git/blob - src/tempdatabase.cpp
projects / apple / securityd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
securityd-32596.tar.gz
[apple/securityd.git] / src / tempdatabase.cpp
1 /*
2 * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 //
26 // tempdatabase - temporary (scratch) storage for keys
27 //
28 #include <security_cdsa_utilities/cssmdata.h>
29 #include <security_cdsa_utilities/cssmkey.h>
30 #include <security_cdsa_client/wrapkey.h>
31 #include "tempdatabase.h"
32 #include "localkey.h"
33 #include "server.h"
34 #include "session.h"
35 #include "agentquery.h"
36
37
38 //
39 // Temporary-space Key objects are almost normal LocalKeys, with the key
40 // matter always preloaded (and thus no deferral of instantiation).
41 // A TempKey bears its own ACL.
42 //
43 class TempKey : public LocalKey, public SecurityServerAcl {
44 public:
45 TempKey(Database &db, const CssmKey &newKey, uint32 moreAttributes,
46 const AclEntryPrototype *owner = NULL);
47
48 Database *relatedDatabase();
49
50 SecurityServerAcl &acl() { return *this; }
51
52 public:
53 // SecurityServerAcl personality
54 AclKind aclKind() const;
55 };
56
57
58 TempKey::TempKey(Database &db, const CssmKey &newKey, uint32 moreAttributes,
59 const AclEntryPrototype *owner)
60 : LocalKey(db, newKey, moreAttributes)
61 {
62 setOwner(owner);
63 db.addReference(*this);
64 }
65
66
67 AclKind TempKey::aclKind() const
68 {
69 return keyAcl;
70 }
71
72
73 Database *TempKey::relatedDatabase()
74 {
75 return NULL;
76 }
77
78
79 //
80 // Create a Database object from initial parameters (create operation)
81 //
82 TempDatabase::TempDatabase(Process &proc)
83 : LocalDatabase(proc)
84 {
85 proc.addReference(*this);
86 }
87
88
89 //
90 // A LocalDatabase itself doesn't really have a database name,
91 // but here's an innocent placeholder.
92 //
93 const char *TempDatabase::dbName() const
94 {
95 return "(transient)";
96 }
97
98 bool TempDatabase::transient() const
99 {
100 return true;
101 }
102
103
104 //
105 // Invoke the Security Agent to get a passphrase (other than for a Keychain)
106 //
107 void TempDatabase::getSecurePassphrase(const Context &context,
108 string &passphrase)
109 {
110 uint32 verify = context.getInt(CSSM_ATTRIBUTE_VERIFY_PASSPHRASE, CSSMERR_CSSM_ATTRIBUTE_NOT_IN_CONTEXT);
111
112 CssmData *promptData = context.get<CssmData>(CSSM_ATTRIBUTE_PROMPT);
113 const char *prompt = NULL;
114
115 if (promptData)
116 prompt = *promptData;
117
118 QueryGenericPassphrase agentQuery;
119 agentQuery.inferHints(Server::process());
120 agentQuery(prompt, verify, passphrase);
121 }
122
123
124 void TempDatabase::makeSecurePassphraseKey(const Context &context,
125 const AccessCredentials *cred,
126 const AclEntryPrototype *owner,
127 uint32 usage, uint32 attrs,
128 RefPointer<Key> &newKey)
129 {
130 secdebug("SSdb", "requesting secure passphrase");
131
132 string passphrase;
133 getSecurePassphrase(context, passphrase);
134
135 secdebug("SSdb", "wrapping securely-obtained passphrase as key");
136
137 // CssmKey rawKey(StringData(passphrase)) confuses gcc
138 StringData passphraseData(passphrase);
139 CssmKey rawKey(passphraseData);
140 rawKey.algorithm(context.algorithm());
141 rawKey.blobType(CSSM_KEYBLOB_RAW);
142 rawKey.blobFormat(CSSM_KEYBLOB_WRAPPED_FORMAT_NONE);
143 rawKey.keyClass(CSSM_KEYCLASS_SESSION_KEY);
144
145 CssmClient::UnwrapKey unwrap(Server::csp(), CSSM_ALGID_NONE);
146 CssmKey cspKey;
147 unwrap(rawKey, TempKey::KeySpec(usage, attrs), cspKey);
148
149 newKey = makeKey(cspKey, attrs & TempKey::managedAttributes, owner);
150 }
151
152
153 //
154 // Obtain "secure passphrases" for the CSP. Useful for PKCS 12.
155 //
156 void TempDatabase::generateKey(const Context &context,
157 const AccessCredentials *cred,
158 const AclEntryPrototype *owner,
159 uint32 usage, uint32 attrs,
160 RefPointer<Key> &newKey)
161 {
162 switch (context.algorithm())
163 {
164 case CSSM_ALGID_SECURE_PASSPHRASE:
165 makeSecurePassphraseKey(context, cred, owner, usage, attrs, newKey);
166 break;
167 default:
168 LocalDatabase::generateKey(context, cred, owner, usage, attrs, newKey);
169 return;
170 }
171 }
172
173
174 //
175 // Make a new TempKey
176 //
177 RefPointer<Key> TempDatabase::makeKey(const CssmKey &newKey,
178 uint32 moreAttributes, const AclEntryPrototype *owner)
179 {
180 assert(!newKey.attribute(CSSM_KEYATTR_PERMANENT));
181 return new TempKey(*this, newKey, moreAttributes, owner);
182 }
mirror of securityd