1/*
2 * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24//
25// tdclient - Security tokend client interface library
26//
27// This interface is private to the Security system. It is not a public interface,
28// and it may change at any time. You have been warned.
29//
30#ifndef _H_TDCLIENT
31#define _H_TDCLIENT
32
33#include <securityd_client/sscommon.h>
34#include <SecurityTokend/SecTokend.h>
35#include <security_cdsa_utilities/cssmkey.h>
36#include <security_utilities/unix++.h>
37
38#define __MigTypeCheck 1
39
40
41namespace Security {
42namespace Tokend {
43
44using namespace SecurityServer;
45
46
47//
48// Securityd/tokend protocol version.
49// Tokend must support this or abort immediately (i.e. don't even try to
50// bring up the server loop if you don't).
51//
52#define TDPROTOVERSION	5
53
54
55//
56// A client connection (session)
57//
58class ClientSession : public ClientCommon {
59public:
60	ClientSession(Allocator &standard, Allocator &returning);
61	virtual ~ClientSession();
62
63	Port servicePort() const { return mServicePort; }
64
65public:
66	// tokend setup/teardown interface
67	typedef uint32 Score;
68	void probe(Score &score, std::string &tokenUid);
69	void establish(Guid &guid, uint32 subserviceID,
70		uint32 flags, const char *cacheDirectory, const char *workDirectory,
71		char mdsDirectory[PATH_MAX], char printName[PATH_MAX]);
72	void terminate(uint32 reason, uint32 options);
73
74	// search/retrieve interface
75	RecordHandle findFirst(const CssmQuery &query,
76		CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength,
77		SearchHandle &hSearch, CssmData *outData, KeyHandle &hKey,
78		CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength);
79	RecordHandle findNext(SearchHandle hSearch,
80		CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength,
81		CssmData *outData, KeyHandle &hKey,
82		CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength);
83	void findRecordHandle(RecordHandle record,
84		CssmDbRecordAttributeData *inAttributes, size_t inAttributesLength,
85		CssmData *inOutData, KeyHandle &hKey,
86		CssmDbRecordAttributeData *&outAttributes, mach_msg_type_number_t &outAttributesLength);
87	void insertRecord(CSSM_DB_RECORDTYPE recordType,
88		const CssmDbRecordAttributeData *attributes, size_t attributesLength,
89		const CssmData &data, RecordHandle &hRecord);
90	void modifyRecord(CSSM_DB_RECORDTYPE recordType, RecordHandle &hRecord,
91		const CssmDbRecordAttributeData *attributes, size_t attributesLength,
92		const CssmData *data, CSSM_DB_MODIFY_MODE modifyMode);
93	void deleteRecord(RecordHandle hRecord);
94
95	void releaseSearch(SearchHandle hSeearch);
96	void releaseRecord(RecordHandle hRecord);
97
98public:
99	// key objects
100	void releaseKey(KeyHandle key);
101
102	void queryKeySizeInBits(KeyHandle key, CssmKeySize &result);
103    void getOutputSize(const Security::Context &context, KeyHandle key,
104        uint32 inputSize, bool encrypt, uint32 &result);
105
106    // encrypt/decrypt
107	void encrypt(const Security::Context &context, KeyHandle key,
108        const CssmData &in, CssmData &out);
109	void decrypt(const Security::Context &context, KeyHandle key,
110        const CssmData &in, CssmData &out);
111
112    // signatures
113	void generateSignature(const Security::Context &context, KeyHandle key,
114        const CssmData &data, CssmData &signature,
115        CSSM_ALGORITHMS signOnlyAlgorithm = CSSM_ALGID_NONE);
116	void verifySignature(const Security::Context &context, KeyHandle key,
117		const CssmData &data, const CssmData &signature,
118        CSSM_ALGORITHMS verifyOnlyAlgorithm = CSSM_ALGID_NONE);
119
120    // MACs
121	void generateMac(const Security::Context &context, KeyHandle key,
122		const CssmData &data, CssmData &mac);
123	void verifyMac(const Security::Context &context, KeyHandle key,
124		const CssmData &data, const CssmData &mac);
125
126public:
127    // key generation and derivation
128	void generateKey(const Security::Context &context,
129		const AccessCredentials *cred, const AclEntryPrototype *owner,
130		uint32 keyUsage, uint32 keyAttr,
131        KeyHandle &hKey, CssmKey *&key);
132	void generateKey(const Security::Context &context,
133		const AccessCredentials *cred, const AclEntryPrototype *owner,
134		CSSM_KEYUSE pubKeyUsage, CSSM_KEYATTR_FLAGS pubKeyAttr,
135		CSSM_KEYUSE privKeyUsage, CSSM_KEYATTR_FLAGS privKeyAttr,
136		KeyHandle &hPublic, CssmKey *&publicKey,
137		KeyHandle &hPrivate, CssmKey *&privateKey);
138	//void generateAlgorithmParameters();	// not implemented
139
140public:
141    // key wrapping and unwrapping
142	void wrapKey(const Security::Context &context, const AccessCredentials *cred,
143		KeyHandle hWrappingKey, const CssmKey *wrappingKey,
144		KeyHandle hSubjectKey, const CssmKey *subjectKey,
145		const CssmData &descriptiveData, CssmWrappedKey *&wrappedKey);
146	void unwrapKey(const Security::Context &context,
147		const AccessCredentials *cred, const AclEntryPrototype *owner,
148		KeyHandle hSourceKey, const CssmKey *sourceKey,
149		KeyHandle hPublicKey, const CssmKey *publicKey,
150		const CssmWrappedKey &wrappedKey, uint32 keyUsage, uint32 keyAttr,
151		CssmData &data, KeyHandle &hUnwrappedKey, CssmKey *&unwrappedKey);
152
153	// key derivation
154	void deriveKey(DbHandle db, const Security::Context &context,
155		KeyHandle hBaseKey, const CssmKey *baseKey,
156        uint32 keyUsage, uint32 keyAttr, CssmData &param,
157		const AccessCredentials *cred, const AclEntryPrototype *owner,
158        KeyHandle &hDerivedKey, CssmKey *&derivedKey);
159
160	void generateRandom(CssmData &data);
161
162public:
163	// access control
164	void authenticate(CSSM_DB_ACCESS_TYPE mode, const AccessCredentials *cred);
165
166	void getAcl(AclKind kind, GenericHandle key, const char *tag,
167		uint32 &count, AclEntryInfo * &info);
168	void changeAcl(AclKind kind, GenericHandle key,
169		const AccessCredentials &cred, const AclEdit &edit);
170	void getOwner(AclKind kind, GenericHandle key, AclOwnerPrototype *&owner);
171	void changeOwner(AclKind kind, GenericHandle key, const AccessCredentials &cred,
172		const AclOwnerPrototype &edit);
173
174	bool isLocked();
175
176public:
177	virtual void fault();		// called if tokend connection fails
178
179protected:
180	void servicePort(Port p);
181
182private:
183	void check(kern_return_t rc);
184
185private:
186	Port mServicePort;			// tokend's service port
187	ReceivePort mReplyPort;		// the reply port we use
188};
189
190
191} // end namespace Tokend
192} // end namespace Security
193
194
195#endif //_H_TDCLIENT
196
197