1/* 2 * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24// 25// tdclient - Security tokend client interface library 26// 27// This interface is private to the Security system. It is not a public interface, 28// and it may change at any time. You have been warned. 29// 30#ifndef _H_TDCLIENT 31#define _H_TDCLIENT 32 33#include <securityd_client/sscommon.h> 34#include <SecurityTokend/SecTokend.h> 35#include <security_cdsa_utilities/cssmkey.h> 36#include <security_utilities/unix++.h> 37 38#define __MigTypeCheck 1 39 40 41namespace Security { 42namespace Tokend { 43 44using namespace SecurityServer; 45 46 47// 48// Securityd/tokend protocol version. 49// Tokend must support this or abort immediately (i.e. don't even try to 50// bring up the server loop if you don't). 51// 52#define TDPROTOVERSION 5 53 54 55// 56// A client connection (session) 57// 58class ClientSession : public ClientCommon { 59public: 60 ClientSession(Allocator &standard, Allocator &returning); 61 virtual ~ClientSession(); 62 63 Port servicePort() const { return mServicePort; } 64 65public: 66 // tokend setup/teardown interface 67 typedef uint32 Score; 68 void probe(Score &score, std::string &tokenUid); 69 void establish(Guid &guid, uint32 subserviceID, 70 uint32 flags, const char *cacheDirectory, const char *workDirectory, 71 char mdsDirectory[PATH_MAX], char printName[PATH_MAX]); 72 void terminate(uint32 reason, uint32 options); 73 74 // search/retrieve interface 75 RecordHandle findFirst(const CssmQuery &query, 76 CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength, 77 SearchHandle &hSearch, CssmData *outData, KeyHandle &hKey, 78 CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength); 79 RecordHandle findNext(SearchHandle hSearch, 80 CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength, 81 CssmData *outData, KeyHandle &hKey, 82 CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength); 83 void findRecordHandle(RecordHandle record, 84 CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength, 85 CssmData *inOutData, KeyHandle &hKey, 86 CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength); 87 void insertRecord(CSSM_DB_RECORDTYPE recordType, 88 const CssmDbRecordAttributeData *attributes, size_t attributesLength, 89 const CssmData &data, RecordHandle &hRecord); 90 void modifyRecord(CSSM_DB_RECORDTYPE recordType, RecordHandle &hRecord, 91 const CssmDbRecordAttributeData *attributes, size_t attributesLength, 92 const CssmData *data, CSSM_DB_MODIFY_MODE modifyMode); 93 void deleteRecord(RecordHandle hRecord); 94 95 void releaseSearch(SearchHandle hSeearch); 96 void releaseRecord(RecordHandle hRecord); 97 98public: 99 // key objects 100 void releaseKey(KeyHandle key); 101 102 void queryKeySizeInBits(KeyHandle key, CssmKeySize &result); 103 void getOutputSize(const Security::Context &context, KeyHandle key, 104 uint32 inputSize, bool encrypt, uint32 &result); 105 106 // encrypt/decrypt 107 void encrypt(const Security::Context &context, KeyHandle key, 108 const CssmData &in, CssmData &out); 109 void decrypt(const Security::Context &context, KeyHandle key, 110 const CssmData &in, CssmData &out); 111 112 // signatures 113 void generateSignature(const Security::Context &context, KeyHandle key, 114 const CssmData &data, CssmData &signature, 115 CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE); 116 void verifySignature(const Security::Context &context, KeyHandle key, 117 const CssmData &data, const CssmData &signature, 118 CSSM_ALGORITHMS verifyOnlyAlgorithm = CSSM_ALGID_NONE); 119 120 // MACs 121 void generateMac(const Security::Context &context, KeyHandle key, 122 const CssmData &data, CssmData &mac); 123 void verifyMac(const Security::Context &context, KeyHandle key, 124 const CssmData &data, const CssmData &mac); 125 126public: 127 // key generation and derivation 128 void generateKey(const Security::Context &context, 129 const AccessCredentials *cred, const AclEntryPrototype *owner, 130 uint32 keyUsage, uint32 keyAttr, 131 KeyHandle &hKey, CssmKey *&key); 132 void generateKey(const Security::Context &context, 133 const AccessCredentials *cred, const AclEntryPrototype *owner, 134 CSSM_KEYUSE pubKeyUsage, CSSM_KEYATTR_FLAGS pubKeyAttr, 135 CSSM_KEYUSE privKeyUsage, CSSM_KEYATTR_FLAGS privKeyAttr, 136 KeyHandle &hPublic, CssmKey *&publicKey, 137 KeyHandle &hPrivate, CssmKey *&privateKey); 138 //void generateAlgorithmParameters(); // not implemented 139 140public: 141 // key wrapping and unwrapping 142 void wrapKey(const Security::Context &context, const AccessCredentials *cred, 143 KeyHandle hWrappingKey, const CssmKey *wrappingKey, 144 KeyHandle hSubjectKey, const CssmKey *subjectKey, 145 const CssmData &descriptiveData, CssmWrappedKey *&wrappedKey); 146 void unwrapKey(const Security::Context &context, 147 const AccessCredentials *cred, const AclEntryPrototype *owner, 148 KeyHandle hSourceKey, const CssmKey *sourceKey, 149 KeyHandle hPublicKey, const CssmKey *publicKey, 150 const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr, 151 CssmData &data, KeyHandle &hUnwrappedKey, CssmKey *&unwrappedKey); 152 153 // key derivation 154 void deriveKey(DbHandle db, const Security::Context &context, 155 KeyHandle hBaseKey, const CssmKey *baseKey, 156 uint32 keyUsage, uint32 keyAttr, CssmData ¶m, 157 const AccessCredentials *cred, const AclEntryPrototype *owner, 158 KeyHandle &hDerivedKey, CssmKey *&derivedKey); 159 160 void generateRandom(CssmData &data); 161 162public: 163 // access control 164 void authenticate(CSSM_DB_ACCESS_TYPE mode, const AccessCredentials *cred); 165 166 void getAcl(AclKind kind, GenericHandle key, const char *tag, 167 uint32 &count, AclEntryInfo * &info); 168 void changeAcl(AclKind kind, GenericHandle key, 169 const AccessCredentials &cred, const AclEdit &edit); 170 void getOwner(AclKind kind, GenericHandle key, AclOwnerPrototype *&owner); 171 void changeOwner(AclKind kind, GenericHandle key, const AccessCredentials &cred, 172 const AclOwnerPrototype &edit); 173 174 bool isLocked(); 175 176public: 177 virtual void fault(); // called if tokend connection fails 178 179protected: 180 void servicePort(Port p); 181 182private: 183 void check(kern_return_t rc); 184 185private: 186 Port mServicePort; // tokend's service port 187 ReceivePort mReplyPort; // the reply port we use 188}; 189 190 191} // end namespace Tokend 192} // end namespace Security 193 194 195#endif //_H_TDCLIENT 196 197