1/*
2 * Copyright (c) 2000-2001,2003-2006,2013 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25//
26// dbcrypto - cryptographic core for database and key blob cryptography
27//
28#ifndef _H_DBCRYPTO
29#define _H_DBCRYPTO
30
31#include <securityd_client/ssblob.h>
32#include <security_cdsa_client/cspclient.h>
33#include <security_cdsa_client/keyclient.h>
34
35using namespace SecurityServer;
36
37
38//
39// A DatabaseCryptoCore object encapsulates the secret state of a database.
40// It provides for encoding and decoding of database blobs and key blobs,
41// and holds all state related to the database secrets.
42//
43class DatabaseCryptoCore {
44public:
45    DatabaseCryptoCore();
46	virtual ~DatabaseCryptoCore();
47
48    bool isValid() const	{ return mIsValid; }
49	bool hasMaster() const	{ return mHaveMaster; }
50    void invalidate();
51
52    void generateNewSecrets();
53	CssmClient::Key masterKey();
54
55	void setup(const DbBlob *blob, const CssmData &passphrase);
56	void setup(const DbBlob *blob, CssmClient::Key master);
57
58    void decodeCore(const DbBlob *blob, void **privateAclBlob = NULL);
59    DbBlob *encodeCore(const DbBlob &blobTemplate,
60        const CssmData &publicAcl, const CssmData &privateAcl) const;
61	void importSecrets(const DatabaseCryptoCore &src);
62
63    KeyBlob *encodeKeyCore(const CssmKey &key,
64        const CssmData &publicAcl, const CssmData &privateAcl,
65		bool inTheClear) const;
66    void decodeKeyCore(KeyBlob *blob,
67        CssmKey &key, void * &pubAcl, void * &privAcl) const;
68
69    static const uint32 managedAttributes = KeyBlob::managedAttributes;
70	static const uint32 forcedAttributes = KeyBlob::forcedAttributes;
71
72    bool get_encryption_key(CssmOwnedData &data);
73
74public:
75	bool validatePassphrase(const CssmData &passphrase);
76
77private:
78	bool mHaveMaster;				// master key has been entered (setup)
79    bool mIsValid;					// master secrets are valid (decode or generateNew)
80
81	CssmClient::Key mMasterKey;		// database master key
82	uint8 mSalt[20];				// salt for master key derivation from passphrase (only)
83
84    CssmClient::Key mEncryptionKey;	// master encryption key
85    CssmClient::Key mSigningKey;	// master signing key
86
87    CssmClient::Key deriveDbMasterKey(const CssmData &passphrase) const;
88    CssmClient::Key makeRawKey(void *data, size_t length,
89        CSSM_ALGORITHMS algid, CSSM_KEYUSE usage);
90};
91
92
93#endif //_H_DBCRYPTO
94