1/*
2 * Copyright (c) 2007-2009,2012-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23#ifndef	_SECURITYD_CLIENT_H_
24#define _SECURITYD_CLIENT_H_
25
26#include <stdint.h>
27
28# include <Security/SecTrust.h>
29#ifndef MINIMIZE_INCLUDES
30# include <Security/SecTrustStore.h>
31# include <Security/SecCertificatePath.h>
32#else
33typedef struct __SecTrustStore *SecTrustStoreRef;
34# ifndef _SECURITY_SECCERTIFICATE_H_
35typedef struct __SecCertificate *SecCertificateRef;
36# endif // _SECURITY_SECCERTIFICATE_H_
37# ifndef _SECURITY_SECCERTIFICATEPATH_H_
38typedef struct SecCertificatePath *SecCertificatePathRef;
39# endif // _SECURITY_SECCERTIFICATEPATH_H_
40#endif // MINIMIZE_INCLUDES
41
42#include <CoreFoundation/CFArray.h>
43#include <CoreFoundation/CFDictionary.h>
44#include <CoreFoundation/CFError.h>
45
46#include <SecureObjectSync/SOSCloudCircle.h>
47
48#include <xpc/xpc.h>
49#include <CoreFoundation/CFXPCBridge.h>
50
51// TODO: This should be in client of XPC code locations...
52#if SECITEM_SHIM_OSX
53#define kSecuritydXPCServiceName "com.apple.securityd.xpc"
54#else
55#define kSecuritydXPCServiceName "com.apple.securityd"
56#endif // *** END SECITEM_SHIM_OSX ***
57
58//
59// MARK: XPC Information.
60//
61
62extern CFStringRef sSecXPCErrorDomain;
63
64extern const char *kSecXPCKeyOperation;
65extern const char *kSecXPCKeyResult;
66extern const char *kSecXPCKeyError;
67extern const char *kSecXPCKeyPeerInfos;
68extern const char *kSecXPCKeyUserLabel;
69extern const char *kSecXPCKeyBackup;
70extern const char *kSecXPCKeyKeybag;
71extern const char *kSecXPCKeyUserPassword;
72
73//
74// MARK: Dispatch macros
75//
76
77#define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
78
79//
80// MARK: Object to XPC format conversion.
81//
82
83
84//
85// MARK: XPC Interfaces
86//
87
88extern const char *kSecXPCKeyOperation;
89extern const char *kSecXPCKeyResult;
90extern const char *kSecXPCKeyError;
91extern const char *kSecXPCKeyPeerInfos;
92extern const char *kSecXPCKeyUserLabel;
93extern const char *kSecXPCKeyUserPassword;
94extern const char *kSecXPCLimitInMinutes;
95extern const char *kSecXPCKeyQuery;
96extern const char *kSecXPCKeyAttributesToUpdate;
97extern const char *kSecXPCKeyDomain;
98extern const char *kSecXPCKeyDigest;
99extern const char *kSecXPCKeyCertificate;
100extern const char *kSecXPCKeySettings;
101extern const char *kSecXPCPublicPeerId; // Public peer id
102extern const char *kSecXPCOTRSession; // OTR session bytes
103extern const char *kSecXPCData; // Data to process
104extern const char *kSecXPCOTRReady; // OTR ready for messages
105extern const char *kSecXPCKeyDeviceID;
106
107//
108// MARK: Mach port request IDs
109//
110enum SecXPCOperation {
111    sec_item_add_id = 0,
112    sec_item_copy_matching_id = 1,
113    sec_item_update_id = 2,
114    sec_item_delete_id = 3,
115    // trust_store_for_domain -- NOT an ipc
116    sec_trust_store_contains_id = 4,
117    sec_trust_store_set_trust_settings_id = 5,
118    sec_trust_store_remove_certificate_id = 6,
119    // remove_all -- NOT an ipc
120    sec_delete_all_id = 7,
121    sec_trust_evaluate_id = 8,
122    // Any new items MUST be added below here
123    // This allows updating roots on a device, since SecTrustEvaluate must continue to work
124    sec_keychain_backup_id,
125    sec_keychain_restore_id,
126    sec_keychain_backup_syncable_id,
127    sec_keychain_restore_syncable_id,
128    sec_keychain_sync_update_key_parameter_id,
129    sec_keychain_sync_update_circle_id,
130    sec_keychain_sync_update_message_id,
131    sec_ota_pki_asset_version_id,
132    sec_otr_session_create_remote_id,
133    sec_otr_session_process_packet_remote_id,
134	kSecXPCOpOTAPKIGetNewAsset,
135	kSecXPCOpOTAGetEscrowCertificates,
136    kSecXPCOpProcessUnlockNotification,
137    kSecXPCOpProcessSyncWithAllPeers,
138    kSecXPCOpRollKeys,
139    sec_add_shared_web_credential_id,
140    sec_copy_shared_web_credential_id,
141    sec_get_log_settings_id,
142    sec_set_xpc_log_settings_id,
143    soscc_EnsurePeerRegistration_id,
144    kSecXPCOpRequestEnsureFreshParameters,
145    // any process using an operation below here is required to have entitlement keychain-cloud-circle
146    kSecXPCOpTryUserCredentials,
147    kSecXPCOpSetUserCredentials,
148    kSecXPCOpCanAuthenticate,
149    kSecXPCOpPurgeUserCredentials,
150    kSecXPCOpDeviceInCircle,
151    kSecXPCOpRequestToJoin,
152    kSecXPCOpRequestToJoinAfterRestore,
153    kSecXPCOpResetToOffering,
154    kSecXPCOpResetToEmpty,
155    kSecXPCOpRemoveThisDeviceFromCircle,
156    kSecXPCOpBailFromCircle,
157    kSecXPCOpAcceptApplicants,
158    kSecXPCOpRejectApplicants,
159    kSecXPCOpCopyApplicantPeerInfo,
160    kSecXPCOpCopyValidPeerPeerInfo,
161    kSecXPCOpValidateUserPublic,
162    kSecXPCOpCopyNotValidPeerPeerInfo,
163    kSecXPCOpCopyPeerPeerInfo,
164    kSecXPCOpCopyConcurringPeerPeerInfo,
165    kSecXPCOpCopyGenerationPeerInfo,
166    kSecXPCOpGetLastDepartureReason,
167    kSecXPCOpCopyIncompatibilityInfo,
168    kSecXPCOpCopyRetirementPeerInfo,
169    kSecXPCOpRequestDeviceID,
170    kSecXPCOpSetDeviceID,
171};
172
173
174
175struct securityd {
176    bool (*sec_item_add)(CFDictionaryRef attributes, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef* error);
177    bool (*sec_item_copy_matching)(CFDictionaryRef query, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef* error);
178    bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, CFArrayRef accessGroups, CFErrorRef* error);
179    bool (*sec_item_delete)(CFDictionaryRef query, CFArrayRef accessGroups, CFErrorRef* error);
180    bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
181    bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
182    SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error);       // TODO: remove, has no msg id
183    bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error);
184    bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error);
185    bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error);
186    bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error);                         // TODO: remove, has no msg id
187    bool (*sec_item_delete_all)(CFErrorRef* error);
188    SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, CFArrayRef policies, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error);
189    CFDataRef (*sec_keychain_backup)(CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
190    bool (*sec_keychain_restore)(CFDataRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
191    CFArrayRef (*sec_keychain_sync_update_key_parameter)(CFDictionaryRef update, CFErrorRef *error);
192    CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
193    bool (*sec_keychain_restore_syncable)(CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
194    int (*sec_ota_pki_asset_version)(CFErrorRef* error);
195    CFDataRef (*sec_otr_session_create_remote)(CFDataRef publicPeerId, CFErrorRef* error);
196    bool (*sec_otr_session_process_packet_remote)(CFDataRef sessionData, CFDataRef inputPacket, CFDataRef* outputSessionData, CFDataRef* outputPacket, bool *readyForMessages, CFErrorRef* error);
197    bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
198    bool (*soscc_SetUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
199    bool (*soscc_CanAuthenticate)(CFErrorRef *error);
200    bool (*soscc_PurgeUserCredentials)(CFErrorRef *error);
201    SOSCCStatus (*soscc_ThisDeviceIsInCircle)(CFErrorRef* error);
202    bool (*soscc_RequestToJoinCircle)(CFErrorRef* error);
203    bool (*soscc_RequestToJoinCircleAfterRestore)(CFErrorRef* error);
204    bool (*soscc_RequestEnsureFreshParameters)(CFErrorRef* error);
205    CFStringRef (*soscc_RequestDeviceID)(CFErrorRef* error);
206    bool (*soscc_SetDeviceID)(CFStringRef IDS, CFErrorRef *error);
207    bool (*soscc_ResetToOffering)(CFErrorRef* error);
208    bool (*soscc_ResetToEmpty)(CFErrorRef* error);
209    bool (*soscc_RemoveThisDeviceFromCircle)(CFErrorRef* error);
210    bool (*soscc_BailFromCircle)(uint64_t limit_in_seconds, CFErrorRef* error);
211    bool (*soscc_AcceptApplicants)(CFArrayRef applicants, CFErrorRef* error);
212    bool (*soscc_RejectApplicants)(CFArrayRef applicants, CFErrorRef* error);
213    bool (*soscc_ValidateUserPublic)(CFErrorRef* error);
214    CFArrayRef (*soscc_CopyGenerationPeerInfo)(CFErrorRef* error);
215    CFArrayRef (*soscc_CopyApplicantPeerInfo)(CFErrorRef* error);
216    CFArrayRef (*soscc_CopyValidPeerPeerInfo)(CFErrorRef* error);
217    CFArrayRef (*soscc_CopyNotValidPeerPeerInfo)(CFErrorRef* error);
218    CFArrayRef (*soscc_CopyRetirementPeerInfo)(CFErrorRef* error);
219    CFArrayRef (*soscc_CopyPeerInfo)(CFErrorRef* error);
220    CFArrayRef (*soscc_CopyConcurringPeerInfo)(CFErrorRef* error);
221    CFStringRef (*soscc_CopyIncompatibilityInfo)(CFErrorRef* error);
222    enum DepartureReason (*soscc_GetLastDepartureReason)(CFErrorRef* error);
223	CFArrayRef (*ota_CopyEscrowCertificates)(uint32_t escrowRootType, CFErrorRef* error);
224	int (*sec_ota_pki_get_new_asset)(CFErrorRef* error);
225    SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers)(CFErrorRef* error);
226    bool (*soscc_EnsurePeerRegistration)(CFErrorRef* error);
227    bool (*sec_roll_keys)(bool force, CFErrorRef* error);
228    CFArrayRef (*sec_keychain_sync_update_circle)(CFDictionaryRef update, CFErrorRef *error);
229    CFArrayRef (*sec_keychain_sync_update_message)(CFDictionaryRef update, CFErrorRef *error);
230    CFPropertyListRef   (*sec_get_log_settings)(CFErrorRef* error);
231    bool   (*sec_set_xpc_log_settings)(CFTypeRef type, CFErrorRef* error);
232};
233
234extern struct securityd *gSecurityd;
235
236CFArrayRef SecAccessGroupsGetCurrent(void);
237
238// TODO Rename me
239CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op);
240xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error);
241xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error);
242bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error);
243
244
245bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error,
246                                bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
247                                bool (^handle_response)(xpc_object_t response, CFErrorRef* error));
248
249// For testing only, never call this in a threaded program!
250void SecServerSetMachServiceName(const char *name);
251
252#endif /* _SECURITYD_CLIENT_H_ */
253