/*
 * Copyright (c) 2007-2009,2012-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * securityd_client.h
 *
 * Client-side view of the securityd XPC interface: the service name the
 * client connects to, the keys used in request/reply dictionaries, the
 * operation ids that travel on the wire, and the `struct securityd`
 * function table through which a call reaches either an in-process
 * implementation or the XPC transport.
 */
#ifndef _SECURITYD_CLIENT_H_
#define _SECURITYD_CLIENT_H_

#include <stdint.h>

#include <Security/SecTrust.h>
#ifndef MINIMIZE_INCLUDES
# include <Security/SecTrustStore.h>
# include <Security/SecCertificatePath.h>
#else
/*
 * Minimal-include build: instead of pulling in the Security headers, provide
 * opaque forward typedefs for the handle types this header names. The two
 * guarded typedefs avoid a conflicting redefinition when the real header was
 * included first.
 * NOTE(review): SecTrustStoreRef is the only one of the three that is NOT
 * guarded, so this branch assumes SecTrustStore.h is never included
 * alongside MINIMIZE_INCLUDES — confirm that is intentional.
 */
typedef struct __SecTrustStore *SecTrustStoreRef;
# ifndef _SECURITY_SECCERTIFICATE_H_
typedef struct __SecCertificate *SecCertificateRef;
# endif // _SECURITY_SECCERTIFICATE_H_
# ifndef _SECURITY_SECCERTIFICATEPATH_H_
typedef struct SecCertificatePath *SecCertificatePathRef;
# endif // _SECURITY_SECCERTIFICATEPATH_H_
#endif // MINIMIZE_INCLUDES

#include <CoreFoundation/CFArray.h>
#include <CoreFoundation/CFDictionary.h>
#include <CoreFoundation/CFError.h>

#include <SecureObjectSync/SOSCloudCircle.h>

#include <xpc/xpc.h>
#include <CoreFoundation/CFXPCBridge.h>

// TODO: This should be in client of XPC code locations...
// Name of the XPC service the client connects to. It differs when this code
// is built as the OS X SecItem shim, so client and server must be built with
// the same SECITEM_SHIM_OSX setting to find each other.
#if SECITEM_SHIM_OSX
#define kSecuritydXPCServiceName "com.apple.securityd.xpc"
#else
#define kSecuritydXPCServiceName "com.apple.securityd"
#endif // *** END SECITEM_SHIM_OSX ***

//
// MARK: XPC Information.
//

// Error domain for CFErrors produced by this client layer (presumably the
// transport-level failures reported through the CFErrorRef* out-params below).
extern CFStringRef sSecXPCErrorDomain;

// Keys of the xpc_dictionary request/reply messages exchanged with securityd.
// NOTE(review): these eight keys are declared a second time under
// "XPC Interfaces" below. Redundant extern declarations are legal C, but a
// single list would be easier to keep in sync.
extern const char *kSecXPCKeyOperation;
extern const char *kSecXPCKeyResult;
extern const char *kSecXPCKeyError;
extern const char *kSecXPCKeyPeerInfos;
extern const char *kSecXPCKeyUserLabel;
extern const char *kSecXPCKeyBackup;
extern const char *kSecXPCKeyKeybag;
extern const char *kSecXPCKeyUserPassword;

//
// MARK: Dispatch macros
//

// Dispatch helper. If an in-process implementation table is installed
// (gSecurityd non-NULL) and it has a non-NULL entry for `sdp`, the call is
// made directly; otherwise `wrapper` is invoked with the operation id
// `sdp ## _id` and the same arguments, i.e. it goes over XPC.
// Because the id is token-pasted from the member name, only members whose
// enumerator follows the `<member>_id` convention can be dispatched this
// way: the kSecXPCOp* operations are named differently, and
// sec_item_delete_all pairs with sec_delete_all_id, so those cannot use
// the macro as written.
#define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))

//
// MARK: Object to XPC format conversion.
//


//
// MARK: XPC Interfaces
//

// Message keys (the first six repeat the declarations above).
extern const char *kSecXPCKeyOperation;
extern const char *kSecXPCKeyResult;
extern const char *kSecXPCKeyError;
extern const char *kSecXPCKeyPeerInfos;
extern const char *kSecXPCKeyUserLabel;
extern const char *kSecXPCKeyUserPassword;
extern const char *kSecXPCLimitInMinutes;
extern const char *kSecXPCKeyQuery;
extern const char *kSecXPCKeyAttributesToUpdate;
extern const char *kSecXPCKeyDomain;
extern const char *kSecXPCKeyDigest;
extern const char *kSecXPCKeyCertificate;
extern const char *kSecXPCKeySettings;
extern const char *kSecXPCPublicPeerId; // Public peer id
extern const char *kSecXPCOTRSession; // OTR session bytes
extern const char *kSecXPCData; // Data to process
extern const char *kSecXPCOTRReady; // OTR ready for messages
extern const char *kSecXPCKeyDeviceID;

//
// MARK: Mach port request IDs
//
// The numeric value of each enumerator is the operation code sent over XPC,
// so this list is wire ABI. The first nine values are pinned explicitly;
// everything after them is numbered by position, so inserting an enumerator
// anywhere but at the end renumbers every later operation and breaks a
// client and server built from different revisions.
//
// The entitlement boundary marked below is positional as well: an operation
// appended after it requires the caller to hold keychain-cloud-circle, one
// that should not require it must be added above the marker (presumably the
// server compares the operation value against this boundary — confirm in
// securityd before relying on it).
enum SecXPCOperation {
    sec_item_add_id = 0,
    sec_item_copy_matching_id = 1,
    sec_item_update_id = 2,
    sec_item_delete_id = 3,
    // trust_store_for_domain -- NOT an ipc
    sec_trust_store_contains_id = 4,
    sec_trust_store_set_trust_settings_id = 5,
    sec_trust_store_remove_certificate_id = 6,
    // remove_all -- NOT an ipc
    sec_delete_all_id = 7,
    sec_trust_evaluate_id = 8,
    // Any new items MUST be added below here
    // This allows updating roots on a device, since SecTrustEvaluate must continue to work
    sec_keychain_backup_id,
    sec_keychain_restore_id,
    sec_keychain_backup_syncable_id,
    sec_keychain_restore_syncable_id,
    sec_keychain_sync_update_key_parameter_id,
    sec_keychain_sync_update_circle_id,
    sec_keychain_sync_update_message_id,
    sec_ota_pki_asset_version_id,
    sec_otr_session_create_remote_id,
    sec_otr_session_process_packet_remote_id,
    kSecXPCOpOTAPKIGetNewAsset,
    kSecXPCOpOTAGetEscrowCertificates,
    kSecXPCOpProcessUnlockNotification,
    kSecXPCOpProcessSyncWithAllPeers,
    kSecXPCOpRollKeys,
    sec_add_shared_web_credential_id,
    sec_copy_shared_web_credential_id,
    sec_get_log_settings_id,
    sec_set_xpc_log_settings_id,
    soscc_EnsurePeerRegistration_id,
    kSecXPCOpRequestEnsureFreshParameters,
    // any process using an operation below here is required to have entitlement keychain-cloud-circle
    kSecXPCOpTryUserCredentials,
    kSecXPCOpSetUserCredentials,
    kSecXPCOpCanAuthenticate,
    kSecXPCOpPurgeUserCredentials,
    kSecXPCOpDeviceInCircle,
    kSecXPCOpRequestToJoin,
    kSecXPCOpRequestToJoinAfterRestore,
    kSecXPCOpResetToOffering,
    kSecXPCOpResetToEmpty,
    kSecXPCOpRemoveThisDeviceFromCircle,
    kSecXPCOpBailFromCircle,
    kSecXPCOpAcceptApplicants,
    kSecXPCOpRejectApplicants,
    kSecXPCOpCopyApplicantPeerInfo,
    kSecXPCOpCopyValidPeerPeerInfo,
    kSecXPCOpValidateUserPublic,
    kSecXPCOpCopyNotValidPeerPeerInfo,
    kSecXPCOpCopyPeerPeerInfo,
    kSecXPCOpCopyConcurringPeerPeerInfo,
    kSecXPCOpCopyGenerationPeerInfo,
    kSecXPCOpGetLastDepartureReason,
    kSecXPCOpCopyIncompatibilityInfo,
    kSecXPCOpCopyRetirementPeerInfo,
    kSecXPCOpRequestDeviceID,
    kSecXPCOpSetDeviceID,
};



// Implementation table. When gSecurityd points at one of these and a member
// is non-NULL, SECURITYD_XPC() calls the member instead of sending an XPC
// message — presumably how securityd itself (and tests) bypass the transport.
// Every member reports failure through its trailing CFErrorRef* out-param;
// callers should test the return value rather than the error pointer.
struct securityd {
    // Keychain item CRUD. `accessGroups` scopes which items the caller may
    // touch; the exact checks live on the server side.
    bool (*sec_item_add)(CFDictionaryRef attributes, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef* error);
    bool (*sec_item_copy_matching)(CFDictionaryRef query, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef* error);
    bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, CFArrayRef accessGroups, CFErrorRef* error);
    bool (*sec_item_delete)(CFDictionaryRef query, CFArrayRef accessGroups, CFErrorRef* error);
    // Shared web credentials. `clientAuditToken` identifies the requesting
    // process; together with `appID` and `accessGroups` it scopes the request.
    bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
    bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
    // Trust store. NOTE(review): `sec_truststore_remove_all` breaks the
    // `sec_trust_store_*` spelling used by its neighbours.
    SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error); // TODO: remove, has no msg id
    bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error);
    bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error);
    bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error);
    bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error); // TODO: remove, has no msg id
    bool (*sec_item_delete_all)(CFErrorRef* error);
    // Trust evaluation (the SecTrustEvaluate path the enum comment says must
    // keep working across root updates). `accessGroups` is declared __unused.
    SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, CFArrayRef policies, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error);
    // Keychain backup/restore. `keybag` and `passcode` carry secret material;
    // they must not end up in logs or diagnostics.
    CFDataRef (*sec_keychain_backup)(CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    bool (*sec_keychain_restore)(CFDataRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    CFArrayRef (*sec_keychain_sync_update_key_parameter)(CFDictionaryRef update, CFErrorRef *error);
    CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    bool (*sec_keychain_restore_syncable)(CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
    int (*sec_ota_pki_asset_version)(CFErrorRef* error);
    // OTR sessions: session state is handed back and forth as opaque CFData.
    CFDataRef (*sec_otr_session_create_remote)(CFDataRef publicPeerId, CFErrorRef* error);
    bool (*sec_otr_session_process_packet_remote)(CFDataRef sessionData, CFDataRef inputPacket, CFDataRef* outputSessionData, CFDataRef* outputPacket, bool *readyForMessages, CFErrorRef* error);
    // Cloud-circle (SOS) operations; see the entitlement boundary in
    // enum SecXPCOperation. `user_password` is a secret — same logging caveat.
    bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
    bool (*soscc_SetUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
    bool (*soscc_CanAuthenticate)(CFErrorRef *error);
    bool (*soscc_PurgeUserCredentials)(CFErrorRef *error);
    SOSCCStatus (*soscc_ThisDeviceIsInCircle)(CFErrorRef* error);
    bool (*soscc_RequestToJoinCircle)(CFErrorRef* error);
    bool (*soscc_RequestToJoinCircleAfterRestore)(CFErrorRef* error);
    bool (*soscc_RequestEnsureFreshParameters)(CFErrorRef* error);
    CFStringRef (*soscc_RequestDeviceID)(CFErrorRef* error);
    bool (*soscc_SetDeviceID)(CFStringRef IDS, CFErrorRef *error);
    bool (*soscc_ResetToOffering)(CFErrorRef* error);
    bool (*soscc_ResetToEmpty)(CFErrorRef* error);
    bool (*soscc_RemoveThisDeviceFromCircle)(CFErrorRef* error);
    // NOTE(review): the parameter is in seconds, but the only limit key
    // declared above is kSecXPCLimitInMinutes — confirm where the unit
    // conversion happens so neither side applies it twice or not at all.
    bool (*soscc_BailFromCircle)(uint64_t limit_in_seconds, CFErrorRef* error);
    bool (*soscc_AcceptApplicants)(CFArrayRef applicants, CFErrorRef* error);
    bool (*soscc_RejectApplicants)(CFArrayRef applicants, CFErrorRef* error);
    bool (*soscc_ValidateUserPublic)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyGenerationPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyApplicantPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyValidPeerPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyNotValidPeerPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyRetirementPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyPeerInfo)(CFErrorRef* error);
    CFArrayRef (*soscc_CopyConcurringPeerInfo)(CFErrorRef* error);
    CFStringRef (*soscc_CopyIncompatibilityInfo)(CFErrorRef* error);
    enum DepartureReason (*soscc_GetLastDepartureReason)(CFErrorRef* error);
    CFArrayRef (*ota_CopyEscrowCertificates)(uint32_t escrowRootType, CFErrorRef* error);
    int (*sec_ota_pki_get_new_asset)(CFErrorRef* error);
    SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers)(CFErrorRef* error);
    bool (*soscc_EnsurePeerRegistration)(CFErrorRef* error);
    bool (*sec_roll_keys)(bool force, CFErrorRef* error);
    CFArrayRef (*sec_keychain_sync_update_circle)(CFDictionaryRef update, CFErrorRef *error);
    CFArrayRef (*sec_keychain_sync_update_message)(CFDictionaryRef update, CFErrorRef *error);
    CFPropertyListRef (*sec_get_log_settings)(CFErrorRef* error);
    bool (*sec_set_xpc_log_settings)(CFTypeRef type, CFErrorRef* error);
};

// Process-wide implementation table consulted by SECURITYD_XPC(); NULL means
// every operation goes over XPC.
extern struct securityd *gSecurityd;

// Access groups of the current process (presumably the keychain access
// groups it is entitled to; passed as `accessGroups` to the item calls).
CFArrayRef SecAccessGroupsGetCurrent(void);

// TODO Rename me
// Human-readable name of an operation id, for logging and diagnostics.
CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op);
// Sends `message` to securityd and blocks for the reply. The CFErrorRef*
// convention above suggests NULL is returned on failure with *error set —
// confirm against the implementation.
xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error);
// Creates the request dictionary for `op` (presumably storing it under
// kSecXPCKeyOperation).
xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error);
// Returns true when the reply carries no error entry; otherwise presumably
// decodes it (kSecXPCKeyError) into *error and returns false.
bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error);


// One synchronous round trip for `op`: the request is created, handed to
// `add_to_message` to populate, sent, and — if the reply carries no error —
// passed to `handle_response`. Either block returning false aborts the
// sequence; the overall result is false on any failure.
bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error,
                                bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
                                bool (^handle_response)(xpc_object_t response, CFErrorRef* error));

// For testing only, never call this in a threaded program!
// Overrides, process-wide, which service the client connects to; the
// threading warning suggests the override is unsynchronized. Keep it out of
// production code paths — it redirects every request this client makes.
void SecServerSetMachServiceName(const char *name);

#endif /* _SECURITYD_CLIENT_H_ */