2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved.
8 * This file contains Original Code and/or Modifications of Original Code
9 * as defined in and that are subject to the Apple Public Source License
10 * Version 2.0 (the 'License'). You may not use this file except in
11 * compliance with the License. Please obtain a copy of the License at
12 * http://www.opensource.apple.com/apsl/ and read it before using this
15 * The Original Code and all software distributed under the License are
16 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
17 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
18 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
20 * Please see the License for the specific language governing rights and
21 * limitations under the License.
23 * @APPLE_LICENSE_HEADER_END@
28 // database - abstract database management
30 // This file defines database objects that represent different
31 // ways to implement "database with cryptographic operations on its contents".
32 // The objects here are abstract and need to be implemented to be useful.
37 #include "securityserver.h"
38 #include "structure.h"
41 #include "notifications.h"
42 #include <security_utilities/utilities.h>
43 #include <security_cdsa_utilities/handleobject.h>
44 #include <security_cdsa_utilities/cssmdb.h>
45 #include <security_utilities/machserver.h>
46 #include <security_agent_client/agentclient.h>
47 #include <security_utilities/timeflow.h>
// MachServer is used unqualified from here on (presumably by the server-side
// base classes pulled in through the includes above — not visible in this excerpt).
using MachPlusPlus::MachServer;
60 // A Database::DbCommon is the "common core" of all Database objects that
61 // represent the same client database (on disk, presumably).
62 // NOTE: DbCommon obeys exterior locking protocol: the caller (always Database)
63 // must lock it before operating on its non-const members. In practice,
64 // most Database methods lock down their DbCommon first thing.
66 class DbCommon
: public PerSession
{
// Construct the common core for a client database belonging to session ssn.
// NOTE: per the class comment above, the caller (normally a Database) must lock
// a DbCommon before operating on its non-const members.
DbCommon(Session &ssn);
// The Session this common core belongs to. Const, so it falls outside the
// exterior-locking rule in the class comment (which covers non-const members).
Session &session() const;
// Hook run when the system goes to sleep (inferred from the name — confirm
// against the caller). Virtual so a concrete database can react, presumably by
// locking itself; the default behaviour is not visible here.
virtual void sleepProcessing();
77 // A Database object represents an Apple CSP/DL open database (DL/DB) object.
78 // It maintains its protected semantic state (including keys) and provides controlled
81 class Database
: public PerProcess
, public SecurityServerAcl
{
// Notification events posted when the lock state or passphrase of this
// database changes; the kNotificationEvent* values are presumably declared in
// notifications.h (included above).
static const NotificationEvent lockedEvent = kNotificationEventLocked;
static const NotificationEvent unlockedEvent = kNotificationEventUnlocked;
static const NotificationEvent passphraseChangedEvent = kNotificationEventPassphraseChanged;
// Construct a database object owned by proc (see the PerProcess base).
Database(Process &proc);
// The client Process that owns this database object.
Process &process() const;
// Release a Key held by this database. Unlike the cryptographic operations
// below this is not pure virtual, so a default implementation exists elsewhere;
// subclasses may override it.
virtual void releaseKey(Key &key);
// Report the size of key as a CSSM_KEY_SIZE (logical and effective bits, per
// the CSSM type). Pure virtual: each database implementation answers this.
virtual CSSM_KEY_SIZE queryKeySize(Key &key) = 0;
// Sign data with key under context, writing the result into signature.
// signOnlyAlgorithm is a CSSM_ALGORITHMS value; presumably it selects the
// signing algorithm without digesting (name-based inference — confirm against
// the implementation).
virtual void generateSignature(const Context &context, Key &key,
	CSSM_ALGORITHMS signOnlyAlgorithm, const CssmData &data, CssmData &signature) = 0;
// Verify signature over data with key under context. Failure is presumably
// reported by throwing rather than by a return value (void return) — confirm
// which exception types callers catch before relying on that.
virtual void verifySignature(const Context &context, Key &key,
	CSSM_ALGORITHMS verifyOnlyAlgorithm, const CssmData &data, const CssmData &signature) = 0;
// Compute a MAC over data with key under context, writing it into mac.
virtual void generateMac(const Context &context, Key &key,
	const CssmData &data, CssmData &mac) = 0;
// Check mac against data with key under context. Void return, so a mismatch is
// presumably signalled by an exception — confirm against the implementation.
virtual void verifyMac(const Context &context, Key &key,
	const CssmData &data, const CssmData &mac) = 0;
// Encrypt clear with key under context into cipher. Output buffer handling
// (who allocates cipher's storage) is decided by the implementation.
virtual void encrypt(const Context &context, Key &key, const CssmData &clear, CssmData &cipher) = 0;
// Decrypt cipher with key under context into clear.
virtual void decrypt(const Context &context, Key &key, const CssmData &cipher, CssmData &clear) = 0;
// Generate a single (presumably symmetric) key and return it through newKey.
// cred and owner are pointers and so may be null: cred authorizes the
// operation, owner is the ACL prototype installed on the new key (inferred
// from the types — confirm). usage/attrs are presumably CSSM key-usage and
// key-attribute bit masks.
virtual void generateKey(const Context &context,
	const AccessCredentials *cred, const AclEntryPrototype *owner,
	uint32 usage, uint32 attrs, RefPointer<Key> &newKey) = 0;
// Generate a public/private key pair, returned through publicKey and
// privateKey. Usage and attribute masks are given separately for each half;
// cred/owner are nullable as in the single-key overload above.
virtual void generateKey(const Context &context,
	const AccessCredentials *cred, const AclEntryPrototype *owner,
	uint32 pubUsage, uint32 pubAttrs, uint32 privUsage, uint32 privAttrs,
	RefPointer<Key> &publicKey, RefPointer<Key> &privateKey) = 0;
// Derive a new key under context. key is a pointer and may be null — presumably
// the base key when the derivation needs one (confirm). param is presumably an
// in/out derivation parameter (non-const pointer); cred/owner/usage/attrs as for
// generateKey. Returns the derived key by RefPointer.
virtual RefPointer<Key> deriveKey(const Context &context, Key *key,
	const AccessCredentials *cred, const AclEntryPrototype *owner,
	CssmData *param, uint32 usage, uint32 attrs) = 0;
// Wrap keyToBeWrapped under context; key (nullable) is presumably the wrapping
// key — confirm. The result is a raw CssmKey (not a Key object) written into
// wrappedKey, so it is data destined to leave the server rather than a managed
// key handle.
virtual void wrapKey(const Context &context, Key *key,
	Key &keyToBeWrapped, const AccessCredentials *cred,
	const CssmData &descriptiveData, CssmKey &wrappedKey) = 0;
// Unwrap wrappedKey under context into a managed Key. key (nullable) is
// presumably the unwrapping key; publicKey/descriptiveData are optional
// (pointers). cred/owner/usage/attrs as for generateKey.
// NOTE(review): wrappedKey is taken by value (a copy of the CssmKey struct)
// while every other large argument in this interface is passed by reference.
// Overriders must match this signature exactly, so it is left as declared.
virtual RefPointer<Key> unwrapKey(const Context &context, Key *key,
	const AccessCredentials *cred, const AclEntryPrototype *owner,
	uint32 usage, uint32 attrs, const CssmKey wrappedKey,
	Key *publicKey, CssmData *descriptiveData) = 0;
// Output size needed to encrypt (encrypt == true) or decrypt inputSize bytes
// with key under context.
// NOTE(review): a default argument on a virtual function is bound by the static
// type of the call; overriders must not redeclare it with a different value.
virtual uint32 getOutputSize(const Context &context, Key &key,
	uint32 inputSize, bool encrypt = true) = 0;
// Authenticate the caller to this database with cred. cred is a pointer and
// may be null, so implementations must handle the no-credentials case; which
// credentials suffice is decided by the concrete database.
virtual void authenticate(const AccessCredentials *cred) = 0;
// Upper bound on unlock attempts (presumably passphrase prompts) before an
// unlock request is given up — confirm where it is enforced. Keeping this
// small bounds interactive passphrase guessing.
static const int maxUnlockTryCount = 3;
// The DbCommon shared by all Database objects that refer to the same client
// database (see the DbCommon comment above). Remember the exterior locking
// protocol: lock the returned object before touching its non-const members.
DbCommon &common() const
{
	DbCommon &core = parent<DbCommon>();
	return core;
}
// Name of the database (presumably for notifications and diagnostics —
// inferred). Returned as a raw pointer; the implementation decides its lifetime.
virtual const char *dbName() const = 0;
// Local access credentials (always valid, per the original comment).
// NOTE(review): a raw pointer does not express ownership — confirm in the
// constructor/destructor who allocates and frees it.
AccessCredentials *mCred;
145 // This class implements a "system keychain unlock record" store
147 class SystemKeychainKey
{
// path names the unlock-record file; it is retained in mPath and, per the
// member comments below, the file is re-read on demand rather than once.
SystemKeychainKey(const char *path);
// Non-virtual destructor: this class is not meant to be used polymorphically.
~SystemKeychainKey();
// Whether the stored unlock record applies to the database blob identified by
// signature (inferred from the name). Presumably this is where the file is
// re-read, subject to checkDelay — confirm against the implementation.
bool matches(const DbBlob::Signature &signature);
// The unlock key as last read. Non-const reference to a member: its data lives
// in mBlob (see the member comment), so it is valid only for this object's
// lifetime and may change if the record is re-read.
CssmKey &key()
{
	CssmKey &unlockKey = mKey;
	return unlockKey;
}
std::string mPath;			// path to file
CssmKey mKey;				// proper CssmKey with data in mBlob (so mKey is only as current as mBlob)
bool mValid;				// mBlob was validly read from mPath; check before trusting mKey
UnlockBlob mBlob;			// contents of mPath as last read
Time::Absolute mCachedDate;		// modify date of file when last read
Time::Absolute mUpdateThreshold;	// cutoff threshold for checking again
static const int checkDelay = 1;	// seconds minimum delay between update checks (bounds re-reads of the file)