2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 // tokendatabase - software database container implementation.
28 // A TokenDatabase represents access to an external (secure) storage container
29 // of some kind (usually a smartcard token).
31 #ifndef _H_TOKENDATABASE
32 #define _H_TOKENDATABASE
38 #include <security_utilities/adornments.h>
47 // The global per-system object for a TokenDatabase (the TokenDbGlobal so to
48 // speak) is the Token object itself (from token.h).
53 // TokenDatabase DbCommons
55 class TokenDbCommon
: public DbCommon
, public Adornable
{
57 TokenDbCommon(Session
&ssn
, Token
&tk
, const char *name
);
62 uint32
subservice() const { return token().subservice(); }
63 const std::string
&dbName() const;
68 void lockProcessing();
70 typedef Token::ResetGeneration ResetGeneration
;
73 std::string mDbName
; // name given during open
74 Adornable mAdornments
; // Adornable for ACL store
76 ResetGeneration mResetLevel
; // validity tag
81 // A Database object represents a SC/CSPDL per-process access to a token.
83 class TokenDatabase
: public Database
{
84 friend class TokenDbCommon
;
86 TokenDatabase(uint32 ssid
, Process
&proc
, const char *name
, const AccessCredentials
*cred
);
89 TokenDbCommon
&common() const;
90 Token
&token() const { return common().token(); }
91 TokenDaemon
&tokend();
92 uint32
subservice() const { return common().subservice(); }
93 const char *dbName() const;
94 void dbName(const char *name
);
95 bool transient() const;
97 SecurityServerAcl
&acl(); // it's our Token
99 bool isLocked() const;
101 bool validateSecret(const AclSubject
*subject
, const AccessCredentials
*cred
);
103 const AccessCredentials
*openCreds() const { return mOpenCreds
; }
106 // any Process-referent concept handle we hand out to the client
109 Handler() : mHandle(0) { }
110 CSSM_HANDLE
&tokenHandle() { return mHandle
; }
111 CSSM_HANDLE
tokenHandle() const { return mHandle
; }
117 // CSSM-style search handles (returned by findFirst)
118 struct Search
: public Database::Search
, public Handler
{
119 Search(TokenDatabase
&db
) : Database::Search(db
) { }
120 TokenDatabase
&database() const { return referent
<TokenDatabase
>(); }
123 Search
*commit() { database().addReference(*this); return this; }
126 // CSSM-style record handles (returned by findFirst/findNext et al)
127 struct Record
: public Database::Record
, public Handler
, public TokenAcl
{
128 Record(TokenDatabase
&db
) : Database::Record(db
) { }
129 TokenDatabase
&database() const { return referent
<TokenDatabase
>(); }
132 Record
*commit() { database().addReference(*this); return this; }
134 void validate(AclAuthorization auth
, const AccessCredentials
*cred
)
135 { TokenAcl::validate(auth
, cred
, &database()); }
137 // TokenAcl personality
138 AclKind
aclKind() const;
140 using Handler::tokenHandle
;
141 GenericHandle
tokenHandle() const;
146 // Cryptographic service calls
148 void queryKeySizeInBits(Key
&key
, CssmKeySize
&result
);
149 void getOutputSize(const Context
&context
, Key
&key
, uint32 inputSize
, bool encrypt
, uint32
&result
);
152 void generateSignature(const Context
&context
, Key
&key
, CSSM_ALGORITHMS signOnlyAlgorithm
,
153 const CssmData
&data
, CssmData
&signature
);
154 void verifySignature(const Context
&context
, Key
&key
, CSSM_ALGORITHMS verifyOnlyAlgorithm
,
155 const CssmData
&data
, const CssmData
&signature
);
156 void generateMac(const Context
&context
, Key
&key
,
157 const CssmData
&data
, CssmData
&mac
);
158 void verifyMac(const Context
&context
, Key
&key
,
159 const CssmData
&data
, const CssmData
&mac
);
161 void encrypt(const Context
&context
, Key
&key
, const CssmData
&clear
, CssmData
&cipher
);
162 void decrypt(const Context
&context
, Key
&key
, const CssmData
&cipher
, CssmData
&clear
);
164 void generateKey(const Context
&context
,
165 const AccessCredentials
*cred
, const AclEntryPrototype
*owner
,
166 uint32 usage
, uint32 attrs
, RefPointer
<Key
> &newKey
);
167 void generateKey(const Context
&context
,
168 const AccessCredentials
*cred
, const AclEntryPrototype
*owner
,
169 uint32 pubUsage
, uint32 pubAttrs
, uint32 privUsage
, uint32 privAttrs
,
170 RefPointer
<Key
> &publicKey
, RefPointer
<Key
> &privateKey
);
171 void deriveKey(const Context
&context
, Key
*key
,
172 const AccessCredentials
*cred
, const AclEntryPrototype
*owner
,
173 CssmData
*param
, uint32 usage
, uint32 attrs
, RefPointer
<Key
> &derivedKey
);
175 void wrapKey(const Context
&context
, const AccessCredentials
*cred
,
176 Key
*hWrappingKey
, Key
&keyToBeWrapped
,
177 const CssmData
&descriptiveData
, CssmKey
&wrappedKey
);
178 void unwrapKey(const Context
&context
,
179 const AccessCredentials
*cred
, const AclEntryPrototype
*owner
,
180 Key
*wrappingKey
, Key
*publicKey
, CSSM_KEYUSE usage
, CSSM_KEYATTR_FLAGS attrs
,
181 const CssmKey wrappedKey
, RefPointer
<Key
> &unwrappedKey
, CssmData
&descriptiveData
);
187 void findFirst(const CssmQuery
&query
,
188 CssmDbRecordAttributeData
*inAttributes
, mach_msg_type_number_t inAttributesLength
,
189 CssmData
*data
, RefPointer
<Key
> &key
,
190 RefPointer
<Database::Search
> &search
, RefPointer
<Database::Record
> &record
,
191 CssmDbRecordAttributeData
* &outAttributes
, mach_msg_type_number_t
&outAttributesLength
);
192 void findNext(Database::Search
*search
,
193 CssmDbRecordAttributeData
*inAttributes
, mach_msg_type_number_t inAttributesLength
,
194 CssmData
*data
, RefPointer
<Key
> &key
, RefPointer
<Database::Record
> &record
,
195 CssmDbRecordAttributeData
* &outAttributes
, mach_msg_type_number_t
&outAttributesLength
);
196 void findRecordHandle(Database::Record
*record
,
197 CssmDbRecordAttributeData
*inAttributes
, mach_msg_type_number_t inAttributesLength
,
198 CssmData
*data
, RefPointer
<Key
> &key
,
199 CssmDbRecordAttributeData
* &outAttributes
, mach_msg_type_number_t
&outAttributesLength
);
200 void insertRecord(CSSM_DB_RECORDTYPE recordtype
,
201 const CssmDbRecordAttributeData
*attributes
, mach_msg_type_number_t inAttributesLength
,
202 const CssmData
&data
, RefPointer
<Database::Record
> &record
);
203 void modifyRecord(CSSM_DB_RECORDTYPE recordtype
, Record
*record
,
204 const CssmDbRecordAttributeData
*attributes
, mach_msg_type_number_t inAttributesLength
,
205 const CssmData
*data
, CSSM_DB_MODIFY_MODE modifyMode
);
206 void deleteRecord(Database::Record
*record
);
208 // authenticate to database
209 void authenticate(CSSM_DB_ACCESS_TYPE mode
, const AccessCredentials
*cred
);
212 // internal utilities
213 RefPointer
<Key
> makeKey(KeyHandle hKey
, const CssmKey
*key
,
214 const AclEntryPrototype
*owner
);
218 InputKey(Key
*key
) { setup(key
); }
219 InputKey(Key
&key
) { setup(&key
); }
222 operator KeyHandle () const { return mKeyHandle
; }
223 operator const CssmKey
* () const { return mKeyPtr
; }
226 KeyHandle mKeyHandle
;
230 void setup(Key
*key
);
234 AccessCredentials
*mOpenCreds
; // credentials passed during open
238 #endif //_H_TOKENDATABASE
projects / apple / securityd.git / blob