1/* 2 * Copyright (c) 2010 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Portions Copyright (c) 2010 Apple Inc. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36#ifndef __heimodadmin_h__ 37#define __heimodadmin_h__ 1 38 39#import <CoreFoundation/CoreFoundation.h> 40#import <CFOpenDirectory/CFOpenDirectory.h> 41#import <Security/Security.h> 42 43/* 44 * "CFTypeRef flags" is either a CFStringRef with the kPrincipalFlag 45 * or a CFArrayRef with CFStringRef with kPrincipalFlag 46 */ 47 48 49#define kPrincipalFlagInitial CFSTR("Initial") /* can only be used for initial tickets */ 50#define kPrincipalFlagForwardable CFSTR("Forwardable") /* forwardable ticket allowed */ 51#define kPrincipalFlagProxyable CFSTR("Proxiable") /* proxyable ticket allowed */ 52#define kPrincipalFlagRenewable CFSTR("Renewable") /* renewabled ticket allowed */ 53#define kPrincipalFlagServer CFSTR("Server") /* allowed to be used as server */ 54#define kPrincipalFlagPasswordChangeService CFSTR("PasswordChangeService") /* allowed to be used as the password change service */ 55#define kPrincipalFlagOKAsDelegate CFSTR("OkAsDelegate") /* ok to delegate/forward to */ 56#define kPrincipalFlagRequireStrongPreAuthentication CFSTR("RequireStrongPreAuth") /* require smartcard or other strong mech */ 57#define kPrincipalFlagImmutable CFSTR("Immutable") /* Immutable, can't remove or possibly change */ 58#define kPrincipalFlagInvalid CFSTR("Invalid") /* Invalid and not usable yet */ 59 60#define kHeimODACLAll CFSTR("kHeimODACLAll") 61#define kHeimODACLChangePassword CFSTR("kHeimODACLChangePassword") 62#define kHeimODACLList CFSTR("kHeimODACLList") 63#define kHeimODACLDelete CFSTR("kHeimODACLDelete") 64#define kHeimODACLModify CFSTR("kHeimODACLModify") 65#define kHeimODACLAdd CFSTR("kHeimODACLAdd") 66#define kHeimODACLGet CFSTR("kHeimODACLGet") 67 68/* constants for the srptype argument to HeimODCreateSRPKeys */ 69#define kHeimSRPGroupRFC5054_4096_PBKDF2_SHA512 CFSTR("kHeimSRPGroupRFC5054_4096_PBKDF2_SHA512") 70 71enum { 72 kHeimODAdminSetKeysAppendKey = 1, 73 kHeimODAdminAppendKeySet = 1, /* add an additional keyset */ 74 kHeimODAdminDeleteEnctypes = 2 /* delete enctype from all keysets */ 75}; 76 77enum { 78 kHeimODAdminLoadAsAppend = 1 79}; 80 81#ifdef __cplusplus 82extern "C" { 83#endif 84 85/* Creates a support principal in the realm in node */ 86int HeimODCreateRealm(ODNodeRef node, CFStringRef realm, CFErrorRef *error); 87 88/* Principals are created with Invalid set and have be be cleared with DeleteFlags */ 89int HeimODCreatePrincipalData(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFStringRef principal, CFErrorRef *error); 90int HeimODRemovePrincipalData(ODNodeRef node, ODRecordRef record, CFStringRef principal, CFErrorRef *error); 91 92/* Manage kerberos flags for this entry */ 93int HeimODSetKerberosFlags(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error); 94CFArrayRef HeimODCopyKerberosFlags(ODNodeRef node, ODRecordRef record, CFErrorRef *error); /* return set flags */ 95int HeimODClearKerberosFlags(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error); 96 97/* Manage ACL for a entry */ 98int 99HeimODSetACL(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error); 100CFArrayRef 101HeimODCopyACL(ODNodeRef node, ODRecordRef record, CFErrorRef *error); 102int 103HeimODClearACL(ODNodeRef node, ODRecordRef record, CFTypeRef flags, CFErrorRef *error); 104 105/* Mange server aliases for this record */ 106int HeimODAddServerAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error); 107int HeimODRemoveServerAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error); 108CFArrayRef HeimODCopyServerAliases(ODNodeRef node, ODRecordRef record, CFErrorRef *error); 109 110/* Lifetimes */ 111int HeimODSetKerberosMaxLife(ODNodeRef node, ODRecordRef record, time_t, CFErrorRef *error); 112time_t HeimODGetKerberosMaxLife(ODNodeRef node, ODRecordRef record, CFErrorRef *error); 113int HeimODSetKerberosMaxRenewable(ODNodeRef node, ODRecordRef record, time_t, CFErrorRef *error); 114time_t HeimODGetKerberosMaxRenewable(ODNodeRef node, ODRecordRef record, CFErrorRef *error); 115 116/* Set password */ 117 /* enctypes are optional, if NULL, default types are used */ 118 /* if password is NULL, a random password is used */ 119int HeimODSetKeys(ODNodeRef node, ODRecordRef record, CFStringRef principal, CFArrayRef enctypes, CFTypeRef password, unsigned long flags, CFErrorRef *error); 120CFArrayRef HeimODCopyDefaultEnctypes(CFErrorRef *error); 121 122/* SRP */ 123bool HeimODSetVerifiers(ODNodeRef node, ODRecordRef record, CFStringRef principal, CFArrayRef types, CFTypeRef password, unsigned long flags, CFErrorRef *error); 124 125/** 126 * Add/delete/modify keyset 127 * 128 * Used manipulate Kerberos Keys. 129 * This function does not manipulate the keys stored in OpenDirectory, that up to the caller to do. 130 * 131 * Most callers should not pass in kHeimODAdminAppendKeySet when changing password for users, they should only be used for services that does key rollover and for Mac OS X Server that stores keysets for different principals in same computer record. 132 * 133 * @param prevKeyset keyset to be manipulated, can me NULL 134 * @param principal user changed for, used for salting 135 * @param enctypes to set, use HeimODCopyDefaultEnctypes() to get default list 136 * @param password new password, can be NULL is enctypes are deleted 137 * @param flags 138 * flags is 0, return a new keyset 139 * flags is kHeimODAdminAppendKeySet, add additional keyset (keep old versions) 140 * flags is kHeimODAdminDeleteEnctypes, delete enctype from old keysets 141 * 142 * @param error return CFErrorRef with user error in case there is one, NULL is allowed if no error is expected. 143 * @return the new keyset or NULL on failure, error might be set 144 */ 145CFArrayRef HeimODModifyKeys(CFArrayRef prevKeyset, CFStringRef principal, CFArrayRef enctypes, CFTypeRef password, unsigned long flags, CFErrorRef *error) __attribute__((cf_returns_retained)); 146 147 148CFArrayRef HeimODCreateSRPKeys(CFArrayRef srptype, CFStringRef principal, CFTypeRef password, unsigned long flags, CFErrorRef *error); 149 150/** 151 * Debug function to print content of a keyset element 152 * 153 * @param element element to print 154 * @param error eventual error, by default, NULL 155 * @return the debug string 156 */ 157CFStringRef HeimODKeysetToString(CFDataRef element, CFErrorRef *error) __attribute__((cf_returns_retained)); 158 159/* Mange allowed cert names for this principal: aka AltSecurityIdentities */ 160int HeimODAddCertificate(ODNodeRef node, ODRecordRef record, SecCertificateRef ref, CFErrorRef *error); 161int HeimODAddSubjectAltCertName(ODNodeRef node, ODRecordRef record, CFStringRef subject, CFStringRef issuer, CFErrorRef *error); 162int HeimODAddSubjectAltCertSHA1Digest(ODNodeRef node, ODRecordRef record, CFDataRef hash, CFErrorRef *error); 163CFArrayRef HeimODCopySubjectAltNames(ODNodeRef node, ODRecordRef record, CFErrorRef *error); 164int HeimODRemoveSubjectAltElement(ODNodeRef node, ODRecordRef record, CFTypeRef element, CFErrorRef *error); /* return on element as returned by HeimODCopySubjectAltNames */ 165 166/* These are for MMe/AppleId certs infratructure */ 167int HeimODAddCertificateSubjectAndTrustAnchor(ODNodeRef node, ODRecordRef record, CFStringRef leafSubject, CFStringRef trustAnchorSubject, CFErrorRef *error); 168int HeimODRemoveCertificateSubjectAndTrustAnchor(ODNodeRef node, ODRecordRef record, CFStringRef leafSubject, CFStringRef trustAnchorSubject, CFErrorRef *error); 169 170/* Add Kerberos principal alias for MMe/AppleID */ 171int HeimODAddAppleIDAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error); 172int HeimODRemoveAppleIDAlias(ODNodeRef node, ODRecordRef record, CFStringRef alias, CFErrorRef *error); 173 174 175/* dump and load entries */ 176CFDictionaryRef HeimODDumpRecord(ODNodeRef node, ODRecordRef record, CFStringRef principal, CFErrorRef *error) __attribute__((cf_returns_retained)); 177bool HeimODLoadRecord(ODNodeRef node, ODRecordRef record, CFDictionaryRef dict, unsigned long flags, CFErrorRef *error); 178 179struct hdb_entry; 180CFDictionaryRef HeimODDumpHdbEntry(struct hdb_entry *, CFErrorRef *error) __attribute__((cf_returns_retained)); 181 182#ifdef __cplusplus 183}; 184#endif 185 186#endif /* __heimodadmin_h__ */ 187