[Fedora-directory-commits] esc/mac/Tokend-30557/Tokend Adornment.cpp, NONE, 1.1 Adornment.h, NONE, 1.1 Attribute.cpp, NONE, 1.1 Attribute.h, NONE, 1.1 AttributeCoder.cpp, NONE, 1.1 AttributeCoder.h, NONE, 1.1 Cursor.cpp, NONE, 1.1 Cursor.h, NONE, 1.1 DbValue.cpp, NONE, 1.1 DbValue.h, NONE, 1.1 KeyHandle.cpp, NONE, 1.1 KeyHandle.h, NONE, 1.1 MetaAttribute.cpp, NONE, 1.1 MetaAttribute.h, NONE, 1.1 MetaRecord.cpp, NONE, 1.1 MetaRecord.h, NONE, 1.1 PKCS11Object.cpp, NONE, 1.1 PKCS11Object.h, NONE, 1.1 Record.cpp, NONE, 1.1 Record.h, NONE, 1.1 RecordHandle.cpp, NONE, 1.1 RecordHandle.h, NONE, 1.1 Relation.cpp, NONE, 1.1 Relation.h, NONE, 1.1 SCardError.cpp, NONE, 1.1 SCardError.h, NONE, 1.1 Schema.cpp, NONE, 1.1 Schema.h, NONE, 1.1 SelectionPredicate.cpp, NONE, 1.1 SelectionPredicate.h, NONE, 1.1 Token.cpp, NONE, 1.1 Token.h, NONE, 1.1 TokenContext.cpp, NONE, 1.1 TokenContext.h, NONE, 1.1
Jack Magne (jmagne)
fedora-directory-commits at redhat.com
Tue Jan 22 18:02:55 UTC 2008
- Previous message (by thread): [Fedora-directory-commits] esc/mac/Tokend-30557/CoolKey/pkcs11 compile.sh, NONE, 1.1 cryptoki.h, NONE, 1.1 mypkcs11.h, NONE, 1.1 pkcs11.h, NONE, 1.1 pkcs11f.h, NONE, 1.1 pkcs11t.h, NONE, 1.1
- Next message (by thread): [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm import-threads.c, 1.13, 1.14
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: jmagne
Update of /cvs/dirsec/esc/mac/Tokend-30557/Tokend
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31436/Tokend
Added Files:
Adornment.cpp Adornment.h Attribute.cpp Attribute.h
AttributeCoder.cpp AttributeCoder.h Cursor.cpp Cursor.h
DbValue.cpp DbValue.h KeyHandle.cpp KeyHandle.h
MetaAttribute.cpp MetaAttribute.h MetaRecord.cpp MetaRecord.h
PKCS11Object.cpp PKCS11Object.h Record.cpp Record.h
RecordHandle.cpp RecordHandle.h Relation.cpp Relation.h
SCardError.cpp SCardError.h Schema.cpp Schema.h
SelectionPredicate.cpp SelectionPredicate.h Token.cpp Token.h
TokenContext.cpp TokenContext.h
Log Message:
Initial revision
--- NEW FILE Adornment.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Adornment.cpp
* TokendMuscle
*/
#include "Adornment.h"
#include "MetaAttribute.h"
#include "MetaRecord.h"
#include "Record.h"
namespace Tokend
{
//
// LinkedRecordAdornment
//
//const Adornment::Key LinkedRecordAdornment::key = "LinkedRecordAdornment";
LinkedRecordAdornment::LinkedRecordAdornment(RefPointer<Record> record) :
mRecord(record)
{
}
LinkedRecordAdornment::~LinkedRecordAdornment()
{
}
Record &LinkedRecordAdornment::record()
{
return *mRecord;
}
//
// SecCertificateAdornment
//
SecCertificateAdornment::SecCertificateAdornment(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record)
{
// Get the data for record (the actual certificate).
const MetaAttribute &dma =
metaAttribute.metaRecord().metaAttributeForData();
const Attribute &data = dma.attribute(tokenContext, record);
// Data should have exactly one value.
if (data.size() != 1)
CssmError::throwMe(CSSMERR_DL_MISSING_VALUE);
// Create a new adornment using the data from the certificate.
OSStatus status = SecCertificateCreateFromData(&data[0], CSSM_CERT_X_509v3,
CSSM_CERT_ENCODING_BER, &mCertificate);
if (status)
MacOSError::throwMe(status);
}
SecCertificateAdornment::~SecCertificateAdornment()
{
CFRelease(mCertificate);
}
SecCertificateRef SecCertificateAdornment::certificate()
{
return mCertificate;
}
SecKeychainItemRef SecCertificateAdornment::certificateItem()
{
return SecKeychainItemRef(mCertificate);
}
} // end namespace Tokend
/* arch-tag: C7D4DE5C-F61D-11D8-B69C-000A9595DEEE */
--- NEW FILE Adornment.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Adornment.h
* TokendMuscle
*/
#ifndef _TOKEND_ADORNMENT_H_
#define _TOKEND_ADORNMENT_H_
#include <security_utilities/adornments.h>
#include <security_utilities/refcount.h>
#include <Security/SecCertificate.h>
namespace Tokend
{
class TokenContext;
class MetaRecord;
class MetaAttribute;
class Record;
//
// Adornment that refers to another record
//
class LinkedRecordAdornment : public Adornment
{
NOCOPY(LinkedRecordAdornment)
public:
LinkedRecordAdornment(RefPointer<Record> record);
~LinkedRecordAdornment();
Record &record();
private:
RefPointer<Record> mRecord;
};
class SecCertificateAdornment : public Adornment
{
NOCOPY(SecCertificateAdornment)
public:
SecCertificateAdornment(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record);
~SecCertificateAdornment();
SecCertificateRef certificate();
SecKeychainItemRef certificateItem();
private:
SecCertificateRef mCertificate;
};
} // end namespace Tokend
#endif /* !_TOKEND_ADORNMENT_H_ */
/* arch-tag: C8628EDC-F61D-11D8-98CA-000A9595DEEE */
--- NEW FILE Attribute.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Attribute.cpp
* TokendMuscle
*/
#include "Attribute.h"
namespace Tokend
{
Attribute::Attribute()
{
mCount = 0;
mValues = NULL;
}
Attribute::Attribute(const Attribute &attribute)
{
set(attribute.mValues, attribute.mCount);
}
Attribute::Attribute(bool value)
{
uint32 v = value ? 1 : 0;
set(&v, sizeof(v));
}
Attribute::Attribute(sint32 value)
{
set(&value, sizeof(value));
}
Attribute::Attribute(uint32 value)
{
set(&value, sizeof(value));
}
Attribute::Attribute(const char *value)
{
set(value, strlen(value));
}
Attribute::Attribute(const std::string &value)
{
set(value.c_str(), value.size());
}
Attribute::Attribute(const void *data, uint32 length)
{
set(data, length);
}
Attribute::Attribute(const CSSM_DATA *datas, uint32 count)
{
set(datas, count);
}
Attribute::~Attribute()
{
if (mValues)
free(mValues);
}
Attribute &Attribute::operator = (const Attribute &attribute)
{
if (mValues)
free(mValues);
set(attribute.mValues, attribute.mCount);
return *this;
}
void Attribute::set(const CSSM_DATA *datas, uint32 count)
{
mCount = count;
uint32 size = count * sizeof(CSSM_DATA);
for (uint32 ix = 0; ix < count; ++ix)
size += datas[ix].Length;
uint8 *buffer = (uint8 *)malloc(size);
mValues = CSSM_DATA_PTR(buffer);
buffer += sizeof(CSSM_DATA) * count;
for (uint32 ix = 0; ix < count; ++ix)
{
uint32 length = datas[ix].Length;
mValues[ix].Data = buffer;
mValues[ix].Length = length;
memcpy(mValues[ix].Data, datas[ix].Data, length);
buffer += length;
}
}
void Attribute::set(const void *data, uint32 length)
{
mCount = 1;
uint8 *buffer = (uint8 *)malloc(sizeof(CSSM_DATA) + length);
mValues = CSSM_DATA_PTR(buffer);
mValues[0].Data = buffer + sizeof(CSSM_DATA);
mValues[0].Length = length;
memcpy(mValues[0].Data, data, length);
}
void Attribute::getDateValue(CSSM_DATE &date) const
{
if (mCount == 0 || mValues[0].Length == 0)
{
memset(&date, 0, sizeof(date));
}
else if (mCount == 1 && mValues[0].Length == sizeof(date))
{
memcpy(&date, mValues[0].Data, sizeof(date));
}
else
CssmError::throwMe(CSSMERR_DL_MISSING_VALUE);
}
uint32 Attribute::uint32Value() const
{
if (mCount != 1 || mValues[0].Length != 4)
CssmError::throwMe(CSSMERR_DL_MISSING_VALUE);
return *reinterpret_cast<uint32 *>(mValues[0].Data);
}
} // end namespace Tokend
/* arch-tag: 5C8EA178-F190-11D8-BEF2-000A9595DEEE */
--- NEW FILE Attribute.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Attribute.h
* TokendMuscle
*/
#ifndef _TOKEND_ATTRIBUTE_H_
#define _TOKEND_ATTRIBUTE_H_
#include <Security/cssmtype.h>
#include <security_cdsa_utilities/cssmdb.h>
#include <string>
namespace Tokend
{
class Attribute
{
public:
Attribute();
Attribute(const Attribute &attribute);
Attribute(bool value);
Attribute(sint32 value);
Attribute(uint32 value);
Attribute(const char *value);
Attribute(const std::string &value);
Attribute(const void *data, uint32 length);
Attribute(const CSSM_DATA *datas, uint32 count);
~Attribute();
Attribute &operator = (const Attribute &attribute);
uint32 size() const { return mCount; }
const CSSM_DATA &operator [](uint32 ix) const { return mValues[ix]; }
const CSSM_DATA *values() const { return mValues; }
void getDateValue(CSSM_DATE &date) const;
uint32 uint32Value() const;
bool boolValue() const { return uint32Value() != 0; }
private:
void set(const CSSM_DATA *datas, uint32 count);
void set(const void *data, uint32 length);
uint32 mCount;
CSSM_DATA_PTR mValues;
};
} // end namespace Tokend
#endif /* !_TOKEND_ATTRIBUTE_H_ */
/* arch-tag: 5B8B0720-F190-11D8-9806-000A9595DEEE */
--- NEW FILE AttributeCoder.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* AttributeCoder.cpp
* TokendMuscle
*/
#include "AttributeCoder.h"
#include "Attribute.h"
#include "Adornment.h"
#include "MetaAttribute.h"
#include "MetaRecord.h"
#include "Record.h"
#include <security_cdsa_utilities/cssmerrors.h>
#include <security_cdsa_utilities/cssmkey.h>
#include <Security/cssmerr.h>
#include <Security/SecKey.h>
#include <Security/SecCertificate.h>
#include <Security/SecKeychainItem.h>
#include <Security/SecKeychainItemPriv.h>
namespace Tokend
{
//
// AttributeCoder
//
AttributeCoder::~AttributeCoder() {}
//
// CertificateAttributeCoder
//
CertificateAttributeCoder::~CertificateAttributeCoder() {}
void CertificateAttributeCoder::decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute,
Record &record)
{
// Get the SecCertificateAdornment off record using a pointer to ourself as
// the key
SecCertificateAdornment &sca =
record.adornment<SecCertificateAdornment>(this, tokenContext,
metaAttribute, record);
// Get the keychain item for the certificate from the record's adornment.
SecKeychainItemRef certificate = sca.certificateItem();
// Read the attribute with the requested attributeId from the item.
SecKeychainAttribute ska = { metaAttribute.attributeId() };
SecKeychainAttributeList skal = { 1, &ska };
OSStatus status = SecKeychainItemCopyContent(certificate, NULL, &skal,
NULL, NULL);
if (status)
MacOSError::throwMe(status);
// Add the retrieved attribute as an attribute to the record.
record.attributeAtIndex(metaAttribute.attributeIndex(),
new Attribute(ska.data, ska.length));
// Free the retrieved attribute.
status = SecKeychainItemFreeContent(&skal, NULL);
if (status)
MacOSError::throwMe(status);
// @@@ The code above only returns one email address. Fix this.
}
//
// ConstAttributeCoder
//
ConstAttributeCoder::ConstAttributeCoder(uint32 value) : mValue(value) {}
ConstAttributeCoder::ConstAttributeCoder(bool value) : mValue(value ? 1 : 0) {}
ConstAttributeCoder::~ConstAttributeCoder() {}
void ConstAttributeCoder::decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record)
{
record.attributeAtIndex(metaAttribute.attributeIndex(),
new Attribute(mValue));
}
//
// GuidAttributeCoder
//
GuidAttributeCoder::GuidAttributeCoder(const CSSM_GUID &guid) : mGuid(guid) {}
GuidAttributeCoder::~GuidAttributeCoder() {}
void GuidAttributeCoder::decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record)
{
record.attributeAtIndex(metaAttribute.attributeIndex(),
new Attribute(&mGuid, sizeof(CSSM_GUID)));
}
//
// NullAttributeCoder
//
NullAttributeCoder::~NullAttributeCoder() {}
void NullAttributeCoder::decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record)
{
record.attributeAtIndex(metaAttribute.attributeIndex(), new Attribute());
}
//
// ZeroAttributeCoder
//
ZeroAttributeCoder::~ZeroAttributeCoder() {}
void ZeroAttributeCoder::decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record)
{
record.attributeAtIndex(metaAttribute.attributeIndex(),
new Attribute(reinterpret_cast<const void *>(NULL), 0));
}
//
// KeyDataAttributeCoder
//
KeyDataAttributeCoder::~KeyDataAttributeCoder() {}
void KeyDataAttributeCoder::decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record)
{
const MetaRecord &mr = metaAttribute.metaRecord();
CssmKey key;
key.header().cspGuid(Guid::overlay(gGuidAppleSdCSPDL));
key.blobType(CSSM_KEYBLOB_REFERENCE);
key.blobFormat(CSSM_KEYBLOB_REF_FORMAT_INTEGER);
key.algorithm(mr.metaAttribute(kSecKeyKeyType)
.attribute(tokenContext, record).uint32Value());
key.keyClass(mr.metaAttribute(kSecKeyKeyClass)
.attribute(tokenContext, record).uint32Value());
key.header().LogicalKeySizeInBits =
mr.metaAttribute(kSecKeyKeySizeInBits).attribute(tokenContext, record)
.uint32Value();
key.header().KeyAttr =
(mr.metaAttribute(kSecKeyPermanent).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYATTR_PERMANENT : 0)
| (mr.metaAttribute(kSecKeyPrivate).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYATTR_PRIVATE : 0)
| (mr.metaAttribute(kSecKeyModifiable).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYATTR_MODIFIABLE : 0)
| (mr.metaAttribute(kSecKeySensitive).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYATTR_SENSITIVE : 0)
| (mr.metaAttribute(kSecKeyAlwaysSensitive)
.attribute(tokenContext, record)
.boolValue() ? CSSM_KEYATTR_ALWAYS_SENSITIVE : 0)
| (mr.metaAttribute(kSecKeyExtractable).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYATTR_EXTRACTABLE : 0)
| (mr.metaAttribute(kSecKeyNeverExtractable)
.attribute(tokenContext, record)
.boolValue() ? CSSM_KEYATTR_NEVER_EXTRACTABLE : 0);
CSSM_KEYUSE usage =
(mr.metaAttribute(kSecKeyEncrypt).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYUSE_ENCRYPT : 0)
| (mr.metaAttribute(kSecKeyDecrypt).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYUSE_DECRYPT : 0)
| (mr.metaAttribute(kSecKeySign).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYUSE_SIGN : 0)
| (mr.metaAttribute(kSecKeyVerify).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYUSE_VERIFY : 0)
| (mr.metaAttribute(kSecKeySignRecover).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYUSE_SIGN_RECOVER : 0)
| (mr.metaAttribute(kSecKeyVerifyRecover)
.attribute(tokenContext, record)
.boolValue() ? CSSM_KEYUSE_VERIFY_RECOVER : 0)
| (mr.metaAttribute(kSecKeyWrap).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYUSE_WRAP : 0)
| (mr.metaAttribute(kSecKeyUnwrap).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYUSE_UNWRAP : 0)
| (mr.metaAttribute(kSecKeyDerive).attribute(tokenContext, record)
.boolValue() ? CSSM_KEYUSE_DERIVE : 0);
if (usage == (CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_DECRYPT | CSSM_KEYUSE_SIGN
| CSSM_KEYUSE_VERIFY | CSSM_KEYUSE_SIGN_RECOVER
| CSSM_KEYUSE_VERIFY_RECOVER | CSSM_KEYUSE_WRAP | CSSM_KEYUSE_UNWRAP
| CSSM_KEYUSE_DERIVE))
usage = CSSM_KEYUSE_ANY;
key.header().KeyUsage = usage;
// Dates
mr.metaAttribute(kSecKeyStartDate).attribute(tokenContext, record)
.getDateValue(key.header().StartDate);
mr.metaAttribute(kSecKeyEndDate).attribute(tokenContext, record)
.getDateValue(key.header().EndDate);
record.attributeAtIndex(metaAttribute.attributeIndex(),
new Attribute(&key, sizeof(key)));
}
//
// LinkedRecordAttributeCoder
//
LinkedRecordAttributeCoder::~LinkedRecordAttributeCoder() {}
void LinkedRecordAttributeCoder::decode(Tokend::TokenContext *tokenContext,
const Tokend::MetaAttribute &metaAttribute,
Tokend::Record &record)
{
const Tokend::MetaAttribute *lma = NULL;
LinkedRecordAdornment *lra = NULL;
if (mCertificateMetaAttribute)
{
lma = mCertificateMetaAttribute;
lra = record.getAdornment<LinkedRecordAdornment>(certificateKey());
}
if (!lra && mPublicKeyMetaAttribute)
{
lma = mPublicKeyMetaAttribute;
lra = record.getAdornment<LinkedRecordAdornment>(publicKeyKey());
}
if (!lma || !lra)
CssmError::throwMe(CSSMERR_DL_MISSING_VALUE);
// Get the linked record's attribute and set it on record.
const Attribute &attribute = lma->attribute(tokenContext, lra->record());
record.attributeAtIndex(metaAttribute.attributeIndex(),
new Attribute(attribute));
}
//
// DecriptionAttributeCoder
//
DescriptionAttributeCoder::~DescriptionAttributeCoder()
{
}
void DescriptionAttributeCoder::decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record)
{
record.attributeAtIndex(metaAttribute.attributeIndex(),
new Attribute(record.description()));
}
//
// DataAttributeCoder
//
DataAttributeCoder::~DataAttributeCoder()
{
}
void DataAttributeCoder::decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record)
{
record.attributeAtIndex(metaAttribute.attributeIndex(),
record.getDataAttribute(tokenContext));
}
} // end namespace Tokend
/* arch-tag: BA054F22-F13E-11D8-B797-000A95C4302E */
--- NEW FILE AttributeCoder.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* AttributeCoder.h
* TokendMuscle
*/
#ifndef _TOKEND_ATTRIBUTECODER_H_
#define _TOKEND_ATTRIBUTECODER_H_
#include <security_utilities/utilities.h>
#include <Security/cssmtype.h>
namespace Tokend
{
class MetaAttribute;
class Record;
class TokenContext;
class AttributeCoder
{
NOCOPY(AttributeCoder)
public:
AttributeCoder() {}
virtual ~AttributeCoder() = 0;
virtual void decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record) = 0;
};
//
// A coder that derives certificate attributes for the certificate data
//
class CertificateAttributeCoder : public AttributeCoder
{
NOCOPY(CertificateAttributeCoder)
public:
CertificateAttributeCoder() {}
virtual ~CertificateAttributeCoder();
virtual void decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record);
private:
};
//
// A coder with a constant value
//
class ConstAttributeCoder : public AttributeCoder
{
NOCOPY(ConstAttributeCoder)
public:
ConstAttributeCoder(uint32 value);
ConstAttributeCoder(bool value);
virtual ~ConstAttributeCoder();
virtual void decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record);
private:
uint32 mValue;
};
//
// A coder whose value is a guid.
//
class GuidAttributeCoder : public AttributeCoder
{
NOCOPY(GuidAttributeCoder)
public:
GuidAttributeCoder(const CSSM_GUID &guid);
virtual ~GuidAttributeCoder();
virtual void decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record);
private:
const CSSM_GUID mGuid;
};
//
// A coder whose value contains 0 values.
//
class NullAttributeCoder : public AttributeCoder
{
NOCOPY(NullAttributeCoder)
public:
NullAttributeCoder() {}
virtual ~NullAttributeCoder();
virtual void decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record);
};
//
// A coder whose value contains 1 zero length value.
//
class ZeroAttributeCoder : public AttributeCoder
{
NOCOPY(ZeroAttributeCoder)
public:
ZeroAttributeCoder() {}
virtual ~ZeroAttributeCoder();
virtual void decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record);
};
//
// A data coder for key relations
//
class KeyDataAttributeCoder : public AttributeCoder
{
NOCOPY(KeyDataAttributeCoder)
public:
KeyDataAttributeCoder() {}
virtual ~KeyDataAttributeCoder();
virtual void decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record);
};
//
// A coder for private key objects value is the public key hash of a
// certificate. Generic get an attribute of a linked record coder.
//
class LinkedRecordAttributeCoder : public Tokend::AttributeCoder
{
NOCOPY(LinkedRecordAttributeCoder)
public:
LinkedRecordAttributeCoder() {}
virtual ~LinkedRecordAttributeCoder();
const void *certificateKey() const { return mCertificateMetaAttribute; }
const void *publicKeyKey() const { return mPublicKeyMetaAttribute; }
void setCertificateMetaAttribute(
const Tokend::MetaAttribute *linkedRecordMetaAttribute)
{ mCertificateMetaAttribute = linkedRecordMetaAttribute; }
void setPublicKeyMetaAttribute(
const Tokend::MetaAttribute *linkedRecordMetaAttribute)
{ mPublicKeyMetaAttribute = linkedRecordMetaAttribute; }
virtual void decode(Tokend::TokenContext *tokenContext,
const Tokend::MetaAttribute &metaAttribute,
Tokend::Record &record);
private:
const Tokend::MetaAttribute *mCertificateMetaAttribute;
const Tokend::MetaAttribute *mPublicKeyMetaAttribute;
};
//
// A coder that reads the description of an object
//
class DescriptionAttributeCoder : public AttributeCoder
{
NOCOPY(DescriptionAttributeCoder)
public:
DescriptionAttributeCoder() {}
virtual ~DescriptionAttributeCoder();
virtual void decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record);
};
//
// A coder that reads the data of an object
//
class DataAttributeCoder : public Tokend::AttributeCoder
{
NOCOPY(DataAttributeCoder)
public:
DataAttributeCoder() {}
virtual ~DataAttributeCoder();
virtual void decode(TokenContext *tokenContext,
const MetaAttribute &metaAttribute, Record &record);
};
} // end namespace Tokend
#endif /* !_TOKEND_ATTRIBUTECODER_H_ */
/* arch-tag: BA06D3C6-F13E-11D8-83F1-000A95C4302E */
--- NEW FILE Cursor.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Cursor.cpp
* TokendMuscle
*/
#include "Cursor.h"
#include "MetaRecord.h"
#include "Record.h"
#include "RecordHandle.h"
#include "Relation.h"
#include "Token.h"
#include "SelectionPredicate.h"
namespace Tokend
{
#pragma mark ---------------- Cursor methods --------------
//
// Cursor implemetation
//
Cursor::Cursor()
{
}
Cursor::~Cursor()
{
}
//
// LinearCursor implemetation
//
LinearCursor::LinearCursor(const CSSM_QUERY *inQuery,
const Relation &inRelation) :
mIterator(inRelation.begin()),
mEnd(inRelation.end()),
mMetaRecord(inRelation.metaRecord())
{
mConjunctive = inQuery->Conjunctive;
mQueryFlags = inQuery->QueryFlags;
// @@@ Do something with inQuery->QueryLimits?
uint32 aPredicatesCount = inQuery->NumSelectionPredicates;
mPredicates.resize(aPredicatesCount);
try
{
for (uint32 anIndex = 0; anIndex < aPredicatesCount; anIndex++)
{
CSSM_SELECTION_PREDICATE &aPredicate =
inQuery->SelectionPredicate[anIndex];
mPredicates[anIndex] =
new SelectionPredicate(mMetaRecord, aPredicate);
}
}
catch (...)
{
for_each_delete(mPredicates.begin(), mPredicates.end());
throw;
}
}
LinearCursor::~LinearCursor()
{
for_each_delete(mPredicates.begin(), mPredicates.end());
}
RecordHandle *LinearCursor::next(TokenContext *tokenContext)
{
while (mIterator != mEnd)
{
RefPointer<Record> rec = *mIterator;
++mIterator;
PredicateVector::const_iterator anIt = mPredicates.begin();
PredicateVector::const_iterator anEnd = mPredicates.end();
bool aMatch;
if (anIt == anEnd) // If there are no predicates we have a match.
aMatch = true;
else if (mConjunctive == CSSM_DB_OR)
{
// If mConjunctive is OR, the first predicate that returns
// true indicates a match. Dropthough means no match
aMatch = false;
for (; anIt != anEnd; anIt++)
{
if ((*anIt)->evaluate(tokenContext, *rec))
{
aMatch = true;
break;
}
}
}
else if (mConjunctive == CSSM_DB_AND || mConjunctive == CSSM_DB_NONE)
{
// If mConjunctive is AND (or NONE), the first predicate that
// returns false indicates a mismatch. Dropthough means a match.
aMatch = true;
for (; anIt != anEnd; anIt++)
{
if (!(*anIt)->evaluate(tokenContext, *rec))
{
aMatch = false;
break;
}
}
}
else
{
CssmError::throwMe(CSSMERR_DL_INVALID_QUERY);
}
if (aMatch)
return new RecordHandle(mMetaRecord, rec);
}
return NULL;
}
#pragma mark ---------------- MultiCursor methods --------------
MultiCursor::MultiCursor(const CSSM_QUERY *inQuery, const Schema &inSchema) :
mRelationIterator(inSchema.begin()),
mRelationEnd(inSchema.end())
{
if (inQuery)
mQuery.reset(new CssmAutoQuery(*inQuery));
else
{
mQuery.reset(new CssmAutoQuery());
mQuery->recordType(CSSM_DL_DB_RECORD_ANY);
}
}
MultiCursor::~MultiCursor()
{
}
RecordHandle *MultiCursor::next(TokenContext *tokenContext)
{
RecordHandle *result = NULL;
for (;;)
{
if (!mCursor.get())
{
if (mRelationIterator == mRelationEnd)
return NULL;
const Relation &aRelation = *(mRelationIterator->second);
++mRelationIterator;
if (!aRelation.matchesId(mQuery->recordType()))
continue;
mCursor.reset(new LinearCursor(mQuery.get(), aRelation));
}
if (result = mCursor->next(tokenContext))
return result;
mCursor.reset(NULL);
}
}
} // end namespace Tokend
/* arch-tag: D29D64E5-EBDA-11D8-AF32-000A95C4302E */
--- NEW FILE Cursor.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Cursor.h
* TokendMuscle
*/
#ifndef _TOKEND_CURSOR_H_
#define _TOKEND_CURSOR_H_
#include "Relation.h"
#include "Schema.h"
#include <security_cdsa_utilities/handleobject.h>
#include <vector>
namespace Tokend
{
class MetaRecord;
class RecordHandle;
class Relation;
class SelectionPredicate;
class Cursor : public HandleObject
{
NOCOPY(Cursor)
public:
Cursor();
virtual ~Cursor() = 0;
virtual RecordHandle *next(TokenContext *tokenContext) = 0;
};
class LinearCursor : public Cursor
{
NOCOPY(LinearCursor)
public:
LinearCursor(const CSSM_QUERY *inQuery, const Relation &inRelation);
virtual ~LinearCursor();
virtual RecordHandle *next(TokenContext *tokenContext);
private:
Relation::const_iterator mIterator;
Relation::const_iterator mEnd;
const MetaRecord &mMetaRecord;
CSSM_DB_CONJUNCTIVE mConjunctive;
// If CSSM_QUERY_RETURN_DATA is set return the raw key bits
CSSM_QUERY_FLAGS mQueryFlags;
typedef vector<SelectionPredicate *> PredicateVector;
PredicateVector mPredicates;
};
class MultiCursor : public Cursor
{
NOCOPY(MultiCursor)
public:
MultiCursor(const CSSM_QUERY *inQuery, const Schema &inSchema);
virtual ~MultiCursor();
virtual RecordHandle *next(TokenContext *tokenContext);
private:
Schema::ConstRelationMapIterator mRelationIterator;
Schema::ConstRelationMapIterator mRelationEnd;
auto_ptr<CssmAutoQuery> mQuery;
auto_ptr<Cursor> mCursor;
};
} // end namespace Tokend
#endif /* !_TOKEND_CURSOR_H_ */
/* arch-tag: D2A1003C-EBDA-11D8-8F44-000A95C4302E */
--- NEW FILE DbValue.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* DbValue.cpp
* TokendMuscle
*/
#include "DbValue.h"
#include <ctype.h>
// @@@ missing "pack" methods with WriteSection parameter
namespace Tokend
{
//
// DbValue
//
DbValue::DbValue()
{
}
DbValue::~DbValue()
{
}
UInt32Value::UInt32Value(const CSSM_DATA &data)
{
switch (data.Length)
{
case 1: mValue = *reinterpret_cast<uint8 *>(data.Data); break;
case 2: mValue = *reinterpret_cast<uint16 *>(data.Data); break;
case 4: mValue = *reinterpret_cast<uint32 *>(data.Data); break;
default:
CssmError::throwMe(CSSMERR_DL_INVALID_VALUE);
}
}
UInt32Value::~UInt32Value()
{
}
//
// SInt32Value
//
SInt32Value::SInt32Value(const CSSM_DATA &data)
{
switch (data.Length)
{
case 1: mValue = *reinterpret_cast<sint8 *>(data.Data); break;
case 2: mValue = *reinterpret_cast<sint16 *>(data.Data); break;
case 4: mValue = *reinterpret_cast<sint32 *>(data.Data); break;
default:
CssmError::throwMe(CSSMERR_DL_INVALID_VALUE);
}
}
SInt32Value::~SInt32Value()
{
}
//
// DoubleValue
//
DoubleValue::DoubleValue(const CSSM_DATA &data)
{
switch (data.Length)
{
case 4: mValue = *reinterpret_cast<float *>(data.Data); break;
case 8: mValue = *reinterpret_cast<double *>(data.Data); break;
default:
CssmError::throwMe(CSSMERR_DL_INVALID_VALUE);
}
}
DoubleValue::~DoubleValue()
{
}
//
// BlobValue
//
BlobValue::BlobValue(const CSSM_DATA &data) : CssmData(CssmData::overlay(data))
{
}
BlobValue::~BlobValue()
{
}
BlobValue::Comparator::~Comparator()
{
}
int
BlobValue::Comparator::operator ()(const uint8 *ptr1, const uint8 *ptr2,
uint32 length)
{
return memcmp(ptr1, ptr2, length);
}
bool
BlobValue::evaluate(const BlobValue &other, CSSM_DB_OPERATOR op) const
{
return evaluate(*this, other, op, Comparator());
}
bool
BlobValue::evaluate(const CssmData &inData1, const CssmData &inData2,
CSSM_DB_OPERATOR op, Comparator compare)
{
uint32 length1 = inData1.Length, length2 = inData2.Length;
const uint8 *data1 = inData1.Data;
const uint8 *data2 = inData2.Data;
switch (op) {
case CSSM_DB_CONTAINS_INITIAL_SUBSTRING:
if (length1 > length2)
return false;
length2 = length1;
goto DB_EQUAL;
case CSSM_DB_CONTAINS_FINAL_SUBSTRING:
if (length1 > length2)
return false;
data2 += (length2 - length1);
length2 = length1;
// dropthrough...
case CSSM_DB_EQUAL:
DB_EQUAL:
if (length1 != length2)
return false;
if (length1 == 0)
return true;
return compare(data1, data2, length1) == 0;
case CSSM_DB_NOT_EQUAL:
if (length1 != length2)
return true;
if (length1 == 0)
return false;
return compare(data1, data2, length1) != 0;
case CSSM_DB_LESS_THAN:
case CSSM_DB_GREATER_THAN:
{
uint32 length = min(length1, length2);
int result = (length == 0) ? 0 : compare(data1, data2, length);
if (result < 0 || (result == 0 && length1 < length2))
return op == CSSM_DB_LESS_THAN;
else if (result > 0 || (result == 0 && length1 > length2))
return op == CSSM_DB_GREATER_THAN;
break;
}
case CSSM_DB_CONTAINS:
if (length1 > length2)
return false;
if (length1 == 0)
return true;
// Both buffers are at least 1 byte long.
for (const uint8 *data = data2; data + length1 <= data2 + length2;
++data)
if (compare(data1, data, length1) == 0)
return true;
break;
default:
CssmError::throwMe(CSSMERR_DL_UNSUPPORTED_QUERY);
}
return false;
}
//
// TimeDateValue
//
TimeDateValue::TimeDateValue(const CSSM_DATA &data)
: BlobValue(data)
{
if (Length != kTimeDateSize || !isValidDate())
CssmError::throwMe(CSSMERR_DL_INVALID_VALUE);
}
TimeDateValue::~TimeDateValue()
{
}
bool
TimeDateValue::isValidDate() const
{
if (Length != kTimeDateSize || Data[kTimeDateSize - 1] != 0 ||
Data[kTimeDateSize - 2] != 'Z')
return false;
for (uint32 i = 0; i < kTimeDateSize - 2; i++)
if (!isdigit(Data[i]))
return false;
uint32 month = rangeValue(4, 2);
if (month < 1 || month > 12)
return false;
uint32 day = rangeValue(6, 2);
if (day < 1 || day > 31)
return false;
uint32 hour = rangeValue(8, 2);
if (hour < 0 || hour > 23)
return false;
uint32 minute = rangeValue(10, 2);
if (minute < 0 || minute > 59)
return false;
uint32 second = rangeValue(12, 2);
if (second < 0 || second > 59)
return false;
return true;
}
uint32
TimeDateValue::rangeValue(uint32 start, uint32 length) const
{
uint32 value = 0;
for (uint32 i = 0; i < length; i++)
value = value * 10 + Data[start + i] - '0';
return value;
}
//
// StringValue
//
StringValue::StringValue(const CSSM_DATA &data)
: BlobValue(data)
{
}
StringValue::~StringValue()
{
}
int
StringValue::Comparator::operator ()(const uint8 *ptr1, const uint8 *ptr2,
uint32 length)
{
return strncmp(reinterpret_cast<const char *>(ptr1),
reinterpret_cast<const char *>(ptr2), length);
}
bool
StringValue::evaluate(const StringValue &other, CSSM_DB_OPERATOR op) const
{
return BlobValue::evaluate(*this, other, op, StringValue::Comparator());
}
//
// BigNumValue
//
BigNumValue::BigNumValue(const CSSM_DATA &data)
: BlobValue(data)
{
// remove trailing zero bytes
while (Length > 1 && Data[Length - 1] == 0)
Length--;
// if the number is zero (positive or negative), make the length zero
if (Length == 1 && (Data[0] & ~kSignBit) == 0)
Length = 0;
}
BigNumValue::~BigNumValue()
{
}
// Walk the contents of two equal-sized bignums, moving backward
// from the high-order bytes, and return the comparison result
// ala memcmp.
int
BigNumValue::compare(const uint8 *a, const uint8 *b, int length)
{
for (int diff, i = length - 1; i >= 1; i--)
if ((diff = a[i] - b[i]))
return diff;
// for the last (i.e. first) byte, mask out the sign bit
return (a[0] & ~kSignBit) - (b[0] & ~kSignBit);
}
// Compare two bignums, assuming they are in canonical form (i.e.,
// no bytes containing trailing zeros.
bool
BigNumValue::evaluate(const BigNumValue &other, CSSM_DB_OPERATOR op) const
{
uint32 length1 = Length, length2 = other.Length;
uint8 sign1 = length1 ? (Data[0] & kSignBit) : 0;
uint8 sign2 = length2 ? (other.Data[0] & kSignBit) : 0;
switch (op)
{
case CSSM_DB_EQUAL:
case CSSM_DB_NOT_EQUAL:
return BlobValue::evaluate(other, op);
case CSSM_DB_LESS_THAN:
if (sign1 ^ sign2)
// different signs: return true iff left value is the negative one
return sign1;
else if (length1 != length2)
// in canonical form, shorter numbers have smaller absolute value
return sign1 ? (length1 > length2) : (length1 < length2);
else {
// same length, same sign...
int c = compare(Data, other.Data, length1);
return sign1 ? (c > 0) : (c < 0);
}
break;
case CSSM_DB_GREATER_THAN:
if (sign1 ^ sign2)
return sign2;
else if (length1 != length2)
return sign1 ? (length1 < length2) : (length1 > length2);
else {
int c = compare(Data, other.Data, length1);
return sign1 ? (c < 0) : (c > 0);
}
break;
case CSSM_DB_CONTAINS:
case CSSM_DB_CONTAINS_INITIAL_SUBSTRING:
case CSSM_DB_CONTAINS_FINAL_SUBSTRING:
default:
CssmError::throwMe(CSSMERR_DL_UNSUPPORTED_QUERY);
}
}
//
// MultiUInt32Value
//
MultiUInt32Value::MultiUInt32Value(const CSSM_DATA &data)
{
if (data.Length & (sizeof(uint32) - 1))
CssmError::throwMe(CSSMERR_DL_INVALID_VALUE);
mNumValues = data.Length / sizeof(uint32);
mValues = reinterpret_cast<uint32 *>(data.Data);
mOwnsValues = false;
}
MultiUInt32Value::~MultiUInt32Value()
{
if (mOwnsValues)
delete [] mValues;
}
static inline int
uint32cmp(const uint32 *a, const uint32 *b, uint32 length)
{
return memcmp(a, b, length * sizeof(uint32));
}
bool
MultiUInt32Value::evaluate(const MultiUInt32Value &other,
CSSM_DB_OPERATOR op) const
{
uint32 length1 = mNumValues, length2 = other.mNumValues;
const uint32 *values1 = mValues;
const uint32 *values2 = other.mValues;
switch (op)
{
case CSSM_DB_EQUAL:
if (length1 == length2)
return uint32cmp(values1, values2, length1) == 0;
break;
case CSSM_DB_NOT_EQUAL:
if (length1 != length2 || uint32cmp(values1, values2, length1))
return true;
break;
case CSSM_DB_CONTAINS_INITIAL_SUBSTRING:
if (length1 <= length2)
return uint32cmp(values1, values2, length1) == 0;
break;
case CSSM_DB_CONTAINS_FINAL_SUBSTRING:
if (length1 <= length2)
return uint32cmp(values1, values2 + (length2 - length1), length1)
== 0;
break;
case CSSM_DB_CONTAINS:
if (length1 <= length2) {
if (length1 == 0)
return true;
for (const uint32 *values = values2;
values + length1 < values2 + length2; values++)
if (uint32cmp(values1, values, length1) == 0)
return true;
}
break;
case CSSM_DB_LESS_THAN:
// this is not required by the spec, but is required to sort indexes
// over multi uint32 keys...
if (length1 < length2)
return true;
else if (length1 == length2)
return uint32cmp(values1, values2, length1) < 0;
break;
default:
CssmError::throwMe(CSSMERR_DL_UNSUPPORTED_QUERY);
}
return false;
}
} // end namespace Tokend
/* arch-tag: E9534B59-DF80-11D8-A160-000A95C4302E */
--- NEW FILE DbValue.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* DbValue.h
* TokendMuscle
*/
#ifndef _TOKEND_DBVALUE_H_
#define _TOKEND_DBVALUE_H_
#include <security_cdsa_utilities/cssmdata.h>
#include <security_cdsa_utilities/cssmdb.h>
#include <Security/cssmerr.h>
#include <map>
#include <vector>
namespace Tokend
{
//
// DbValue -- A base class for all types of database values.
//
class DbValue
{
NOCOPY(DbValue)
public:
DbValue();
virtual ~DbValue() = 0;
};
// A collection of subclasses of DbValue that work for simple
// data types, e.g. uint32, sint32, and double, that have
// the usual C comparison and sizeof operations. Defining this
// template saves typing below.
template <class T>
class BasicValue : public DbValue
{
NOCOPY(BasicValue)
public:
BasicValue() {}
BasicValue(T value) : mValue(value) {}
bool evaluate(const BasicValue<T> &other, CSSM_DB_OPERATOR op) const
{
switch (op)
{
case CSSM_DB_EQUAL: return mValue == other.mValue;
case CSSM_DB_NOT_EQUAL: return mValue != other.mValue;
case CSSM_DB_LESS_THAN: return mValue < other.mValue;
case CSSM_DB_GREATER_THAN: return mValue > other.mValue;
default: CssmError::throwMe(CSSMERR_DL_UNSUPPORTED_QUERY);
}
}
size_t size() const { return sizeof(T); }
const uint8 *bytes() const
{ return reinterpret_cast<const uint8 *>(&mValue); }
protected:
T mValue;
};
// Actual useful subclasses of DbValue as instances of BasicValue.
// Note that all of these require a constructor of the form
// (const ReadSection &, uint32 &offset) that advances the offset
// to just after the value.
class UInt32Value : public BasicValue<uint32>
{
NOCOPY(UInt32Value)
public:
UInt32Value(const CSSM_DATA &data);
virtual ~UInt32Value();
};
class SInt32Value : public BasicValue<sint32>
{
NOCOPY(SInt32Value)
public:
SInt32Value(const CSSM_DATA &data);
virtual ~SInt32Value();
};
class DoubleValue : public BasicValue<double>
{
NOCOPY(DoubleValue)
public:
DoubleValue(const CSSM_DATA &data);
virtual ~DoubleValue();
};
// Subclasses of Value for more complex types.
class BlobValue : public DbValue, public CssmData
{
NOCOPY(BlobValue)
public:
BlobValue() {}
BlobValue(const CSSM_DATA &data);
virtual ~BlobValue();
bool evaluate(const BlobValue &other, CSSM_DB_OPERATOR op) const;
size_t size() const { return Length; }
const uint8 *bytes() const { return Data; }
protected:
class Comparator {
public:
virtual ~Comparator();
virtual int operator ()(const uint8 *ptr1, const uint8 *ptr2,
uint32 length);
};
static bool evaluate(const CssmData &data1, const CssmData &data2,
CSSM_DB_OPERATOR op, Comparator compare);
};
class TimeDateValue : public BlobValue
{
NOCOPY(TimeDateValue)
public:
enum { kTimeDateSize = 16 };
TimeDateValue(const CSSM_DATA &data);
virtual ~TimeDateValue();
bool isValidDate() const;
private:
uint32 rangeValue(uint32 start, uint32 length) const;
};
class StringValue : public BlobValue
{
NOCOPY(StringValue)
public:
StringValue(const CSSM_DATA &data);
virtual ~StringValue();
bool evaluate(const StringValue &other, CSSM_DB_OPERATOR op) const;
private:
class Comparator : public BlobValue::Comparator {
public:
virtual int operator ()(const uint8 *ptr1, const uint8 *ptr2,
uint32 length);
};
};
class BigNumValue : public BlobValue
{
NOCOPY(BigNumValue)
public:
static const uint8 kSignBit = 0x80;
BigNumValue(const CSSM_DATA &data);
virtual ~BigNumValue();
bool evaluate(const BigNumValue &other, CSSM_DB_OPERATOR op) const;
private:
static int compare(const uint8 *a, const uint8 *b, int length);
};
class MultiUInt32Value : public DbValue
{
NOCOPY(MultiUInt32Value)
public:
MultiUInt32Value(const CSSM_DATA &data);
virtual ~MultiUInt32Value();
bool evaluate(const MultiUInt32Value &other, CSSM_DB_OPERATOR op) const;
size_t size() const { return mNumValues * sizeof(uint32); }
const uint8 *bytes() const { return reinterpret_cast<uint8 *>(mValues); }
private:
uint32 mNumValues;
uint32 *mValues;
bool mOwnsValues;
};
} // end namespace Tokend
#endif /* !_TOKEND_DBVALUE_H_ */
/* arch-tag: E95684AF-DF80-11D8-A25B-000A95C4302E */
--- NEW FILE KeyHandle.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* KeyHandle.cpp
* TokendMuscle
*/
#include "KeyHandle.h"
namespace Tokend
{
//
// KeyHandle
//
KeyHandle::KeyHandle(const MetaRecord &metaRecord,
const RefPointer<Record> &record) :
RecordHandle(metaRecord, record)
{
}
KeyHandle::~KeyHandle()
{
}
void KeyHandle::wrapUsingKey(const Context &context,
const AccessCredentials *cred, KeyHandle *wrappingKeyHandle,
const CssmKey *wrappingKey, const CssmData *descriptiveData,
CssmKey &wrappedKey)
{
/* We are being asked to wrap this key using another key. */
secdebug("crypto", "wrapKey alg: %lu", context.algorithm());
IFDUMPING("crypto", context.dump("wrapKey context"));
if (wrappingKeyHandle)
{
secdebug("tokend",
"wrapKey of a reference key using a reference key not supported");
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
/* First export the key from the card. */
exportKey(context, cred, wrappedKey);
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
void KeyHandle::wrapKey(const Context &context, const CssmKey &subjectKey,
const CssmData *descriptiveData, CssmKey &wrappedKey)
{
/* We are being asked to wrap a raw subject key using a key on the card. */
secdebug("tokend", "wrapKey of a raw subject key not supported");
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
void KeyHandle::unwrapKey(const Context &context,
const AccessCredentials *cred, const AclEntryPrototype *access,
const CssmKey &wrappedKey, CSSM_KEYUSE usage,
CSSM_KEYATTR_FLAGS attributes, CssmData *descriptiveData,
CSSM_HANDLE &hUnwrappedKey, CssmKey &unwrappedKey)
{
secdebug("crypto", "unwrapKey alg: %lu", context.algorithm());
IFDUMPING("crypto", context.dump("unwrapKey context"));
#if 0
/* Make sure our key type matches the context type */
if (keyClass() == CSSM_KEYCLASS_SESSION_KEY)
{
if (context.type() != CSSM_ALGCLASS_SYMMETRIC))
CssmError::throwMe(CSSMERR_CSP_INVALID_CONTEXT);
}
else
#endif
if (context.type() != CSSM_ALGCLASS_ASYMMETRIC)
CssmError::throwMe(CSSMERR_CSP_INVALID_CONTEXT);
/* validate wrappedKey */
if (wrappedKey.keyClass() != CSSM_KEYCLASS_SESSION_KEY)
CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_CLASS);
if(wrappedKey.blobType() != CSSM_KEYBLOB_WRAPPED)
CssmError::throwMe(CSSMERR_CSP_KEY_BLOB_TYPE_INCORRECT);
/* validate requested storage and usage */
if (!(attributes & CSSM_KEYATTR_RETURN_DATA)
|| (attributes & (CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_RETURN_NONE
| CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_PRIVATE)) != 0)
CssmError::throwMe(CSSMERR_CSP_INVALID_KEYATTR_MASK);
/* prepare outgoing header */
CssmKey::Header &hdr = unwrappedKey.header();
hdr.clearPod();
hdr.HeaderVersion = CSSM_KEYHEADER_VERSION;
hdr.cspGuid(gGuidAppleSdCSPDL);
hdr.blobType(CSSM_KEYBLOB_RAW);
hdr.algorithm(wrappedKey.algorithm());
hdr.keyClass(wrappedKey.keyClass());
hdr.KeyUsage = usage;
hdr.KeyAttr = attributes & ~(CSSM_KEYATTR_RETURN_DATA
| CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_RETURN_NONE);
// defaults (change as needed)
hdr.StartDate = wrappedKey.header().StartDate;
hdr.EndDate = wrappedKey.header().EndDate;
unwrappedKey.KeyData.Data = NULL; // ignore possible incoming KeyData
unwrappedKey.KeyData.Length = 0;
/* validate wrappedKey format */
if (wrappedKey.blobFormat() != CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS7)
CssmError::throwMe(CSSMERR_CSP_INVALID_ATTR_WRAPPED_KEY_FORMAT);
/* There is no descriptiveData in a PKCS7 wrapped blob. */
if (descriptiveData)
{
descriptiveData->Data = NULL;
descriptiveData->Length = 0;
}
/* Decrypt the key blob. */
decrypt(context, wrappedKey.keyData(), unwrappedKey.keyData());
/* We are assuming a CSSM_KEYBLOB_WRAPPED_FORMAT_PKCS7 from here on. */
hdr.blobFormat(CSSM_KEYBLOB_RAW_FORMAT_OCTET_STRING);
hdr.LogicalKeySizeInBits = unwrappedKey.length() * 8;
}
//
// KeyHandleFactory
//
KeyHandleFactory::~KeyHandleFactory()
{
}
} // end namespace Tokend
/* arch-tag: 67BC00A5-05B2-11D9-8035-000393D5F80A */
--- NEW FILE KeyHandle.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* KeyHandle.h
* TokendMuscle
*/
#ifndef _TOKEND_KEYHANDLE_H_
#define _TOKEND_KEYHANDLE_H_
#include "RecordHandle.h"
#include <security_cdsa_utilities/handleobject.h>
#include <security_cdsa_utilities/context.h>
#include <security_cdsa_utilities/cssmaclpod.h>
namespace Tokend
{
class MetaRecord;
class Record;
class TokenContext;
//
// A (nearly pure virtual) KeyHandle object which implements the crypto
// interface.
//
class KeyHandle : public RecordHandle
{
NOCOPY(KeyHandle)
public:
KeyHandle(const MetaRecord &metaRecord, const RefPointer<Record> &record);
~KeyHandle();
virtual void getKeySize(CSSM_KEY_SIZE &keySize) = 0;
virtual uint32 getOutputSize(const Context &context, uint32 inputSize,
bool encrypting) = 0;
virtual void generateSignature(const Context &context,
CSSM_ALGORITHMS signOnly, const CssmData &input,
CssmData &signature) = 0;
virtual void verifySignature(const Context &context,
CSSM_ALGORITHMS signOnly, const CssmData &input,
const CssmData &signature) = 0;
virtual void generateMac(const Context &context, const CssmData &input,
CssmData &output) = 0;
virtual void verifyMac(const Context &context, const CssmData &input,
const CssmData &compare) = 0;
virtual void encrypt(const Context &context, const CssmData &clear,
CssmData &cipher) = 0;
virtual void decrypt(const Context &context, const CssmData &cipher,
CssmData &clear) = 0;
virtual void exportKey(const Context &context,
const AccessCredentials *cred, CssmKey &wrappedKey) = 0;
virtual void wrapUsingKey(const Context &context,
const AccessCredentials *cred, KeyHandle *wrappingKeyHandle,
const CssmKey *wrappingKey, const CssmData *descriptiveData,
CssmKey &wrappedKey);
virtual void wrapKey(const Context &context, const CssmKey &subjectKey,
const CssmData *descriptiveData, CssmKey &wrappedKey);
virtual void unwrapKey(const Context &context,
const AccessCredentials *cred, const AclEntryPrototype *access,
const CssmKey &wrappedKey, CSSM_KEYUSE usage,
CSSM_KEYATTR_FLAGS attributes, CssmData *descriptiveData,
CSSM_HANDLE &hUnwrappedKey, CssmKey &unwrappedKey);
private:
};
//
// A (pure virtual) factory that creates KeyHandle objects.
//
class KeyHandleFactory
{
NOCOPY(KeyHandleFactory)
public:
KeyHandleFactory() {}
virtual ~KeyHandleFactory() = 0;
virtual KeyHandle *keyHandle(TokenContext *tokenContext,
const MetaRecord &metaRecord, Record &record) const = 0;
};
} // end namespace Tokend
#endif /* !_TOKEND_KEYHANDLE_H_ */
/* arch-tag: 689EDCA0-05B2-11D9-AAAA-000393D5F80A */
--- NEW FILE MetaAttribute.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* MetaAttribute.cpp
* TokendMuscle
*/
#include "MetaAttribute.h"
#include "MetaRecord.h"
#include "Record.h"
#include "DbValue.h"
#include "DbValue.h"
namespace Tokend
{
MetaAttribute::~MetaAttribute()
{
}
// Construct an instance of an appropriate subclass of MetaAttribute based on
// the given format. Called in MetaRecord.cpp createAttribute.
MetaAttribute *MetaAttribute::create(MetaRecord& metaRecord, Format format,
uint32 attributeIndex, uint32 attributeId)
{
switch (format)
{
case kAF_STRING:
return new TypedMetaAttribute<StringValue>(metaRecord, format,
attributeIndex, attributeId);
case kAF_SINT32:
return new TypedMetaAttribute<SInt32Value>(metaRecord, format,
attributeIndex, attributeId);
case kAF_UINT32:
return new TypedMetaAttribute<UInt32Value>(metaRecord, format,
attributeIndex, attributeId);
case kAF_BIG_NUM:
return new TypedMetaAttribute<BigNumValue>(metaRecord, format,
attributeIndex, attributeId);
case kAF_REAL:
return new TypedMetaAttribute<DoubleValue>(metaRecord, format,
attributeIndex, attributeId);
case kAF_TIME_DATE:
return new TypedMetaAttribute<TimeDateValue>(metaRecord, format,
attributeIndex, attributeId);
case kAF_BLOB:
return new TypedMetaAttribute<BlobValue>(metaRecord, format,
attributeIndex, attributeId);
case kAF_MULTI_UINT32:
return new TypedMetaAttribute<MultiUInt32Value>(metaRecord, format,
attributeIndex, attributeId);
case kAF_COMPLEX:
default:
CssmError::throwMe(CSSMERR_DL_UNSUPPORTED_FIELD_FORMAT);
}
}
const Attribute &
MetaAttribute::attribute(TokenContext *tokenContext, Record &record) const
{
if (!record.hasAttributeAtIndex(mAttributeIndex))
{
if (!mCoder)
{
secdebug("coder",
"No coder for r: %p rid: 0x%08lX aid: %lu aix: %lu",
&record, mMetaRecord.relationId(), mAttributeId,
mAttributeIndex);
CssmError::throwMe(CSSMERR_DL_MISSING_VALUE);
}
secdebug("coder",
"Asking coder %p for r: %p rid: 0x%08lX aid: %lu aix: %lu",
mCoder, &record, mMetaRecord.relationId(), mAttributeId,
mAttributeIndex);
mCoder->decode(tokenContext, *this, record);
// The coder had better put something useful in the attribute we asked it to.
if (!record.hasAttributeAtIndex(mAttributeIndex))
{
secdebug("coder",
"Coder %p did not set r: %p rid: 0x%08lX aid: %lu aix: %lu",
mCoder, &record, mMetaRecord.relationId(), mAttributeId,
mAttributeIndex);
CssmError::throwMe(CSSMERR_DL_MISSING_VALUE);
}
}
const Attribute &attribute = record.attributeAtIndex(mAttributeIndex);
#ifndef NDEBUG
if (attribute.size() == 1)
secdebug("mscread",
"r: %p rid: 0x%08lX aid: %lu aix: %lu has: 1 value of length: %lu",
&record, mMetaRecord.relationId(), mAttributeId, mAttributeIndex,
attribute[0].Length);
else
secdebug("mscread",
"r: %p rid: 0x%08lX aid: %lu aix: %lu has: %lu values",
&record, mMetaRecord.relationId(), mAttributeId, mAttributeIndex,
attribute.size());
#endif
return attribute;
}
} // end namespace Tokend
/* arch-tag: E959F780-DF80-11D8-B2A9-000A95C4302E */
--- NEW FILE MetaAttribute.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* MetaAttribute.h
* TokendMuscle
*/
#ifndef _TOKEND_METAATTRIBUTE_H_
#define _TOKEND_METAATTRIBUTE_H_
#include <Security/cssmtype.h>
#include <security_utilities/utilities.h>
#include "Attribute.h"
namespace Tokend
{
class Attribute;
class AttributeCoder;
class DbValue;
class MetaRecord;
class Record;
class TokenContext;
// A base class for all meta attributes.
class MetaAttribute
{
NOCOPY(MetaAttribute)
public:
typedef CSSM_DB_ATTRIBUTE_FORMAT Format;
virtual ~MetaAttribute();
// construct an appropriate subclass of MetaAttribute
static MetaAttribute *create(MetaRecord& metaRecord, Format format,
uint32 attributeIndex, uint32 attributeId);
void attributeCoder(AttributeCoder *coder) { mCoder = coder; }
Format attributeFormat() const { return mFormat; }
uint32 attributeIndex() const { return mAttributeIndex; }
uint32 attributeId() const { return mAttributeId; }
const Attribute &attribute(TokenContext *tokenContext,
Record &record) const;
const MetaRecord &metaRecord() const { return mMetaRecord; }
// interface required of all subclasses, implemented with templates below
virtual DbValue *createValue(const CSSM_DATA &data) const = 0;
virtual bool evaluate(TokenContext *tokenContext, const DbValue *value,
Record& record, CSSM_DB_OPERATOR op) const = 0;
protected:
MetaAttribute(MetaRecord& metaRecord, Format format, uint32 attributeIndex,
uint32 attributeId)
: mCoder(NULL), mMetaRecord(metaRecord), mFormat(format),
mAttributeIndex(attributeIndex), mAttributeId(attributeId) {}
AttributeCoder *mCoder;
MetaRecord &mMetaRecord;
Format mFormat;
uint32 mAttributeIndex;
uint32 mAttributeId;
};
// Template used to describe particular subclasses of MetaAttribute
template <class T>
class TypedMetaAttribute : public MetaAttribute
{
public:
TypedMetaAttribute(MetaRecord& metaRecord, Format format,
uint32 attributeIndex, uint32 attributeId)
: MetaAttribute(metaRecord, format, attributeIndex, attributeId) {}
DbValue *createValue(const CSSM_DATA &data) const
{
return new T(data);
}
bool evaluate(TokenContext *tokenContext, const DbValue *value,
Record &record, CSSM_DB_OPERATOR op) const
{
const Attribute &attr = attribute(tokenContext, record);
uint32 numValues = attr.size();
/* If any of the values for this attribute match we have a match. */
for (uint32 ix = 0; ix < numValues; ++ix)
if (dynamic_cast<const T *>(value)->evaluate(static_cast<const T &>(attr[ix]), op))
return true;
return false;
}
bool evaluate(const DbValue *value1, const DbValue *value2,
CSSM_DB_OPERATOR op) const
{
return (dynamic_cast<const T *>(value1))->
evaluate(*dynamic_cast<const T *>(value2), op);
}
};
} // end namespace Tokend
#endif /* !_TOKEND_METAATTRIBUTE_H_ */
/* arch-tag: E95D3E68-DF80-11D8-B030-000A95C4302E */
--- NEW FILE MetaRecord.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* MetaRecord.cpp
* TokendMuscle
*/
#include "MetaRecord.h"
#include "Attribute.h"
#include "KeyHandle.h"
#include "MetaAttribute.h"
#include "Record.h"
#include <security_utilities/trackingallocator.h>
#include <security_cdsa_utilities/cssmbridge.h>
namespace Tokend
{
#pragma mark ---------------- MetaRecord methods --------------
// Used for normal relations.
MetaRecord::MetaRecord(RelationId inRelationId) : mRelationId(inRelationId),
mKeyHandleFactory(NULL)
{
// Passing in a bogus attributeId for the attribute at index 0 (which is
// the data). It's not possible to look up the attribute by attributeId,
// nor should any coder rely on it's value.
mAttributeVector.push_back(MetaAttribute::create(*this, kAF_BLOB, 0,
'data'));
}
MetaRecord::~MetaRecord()
{
for_each_delete(mAttributeVector.begin(), mAttributeVector.end());
}
MetaAttribute &MetaRecord::createAttribute(const std::string &inAttributeName,
CSSM_DB_ATTRIBUTE_FORMAT inAttributeFormat)
{
uint32 anAttributeId = mAttributeVector.size() - 1;
return createAttribute(&inAttributeName, NULL, anAttributeId,
inAttributeFormat);
}
MetaAttribute &MetaRecord::createAttribute(const string *inAttributeName,
const CssmOid *inAttributeOID, uint32 inAttributeID,
CSSM_DB_ATTRIBUTE_FORMAT inAttributeFormat)
{
// Index of new element is current size of vector
uint32 anAttributeIndex = mAttributeVector.size();
bool aInsertedAttributeName = false;
bool aInsertedAttributeOID = false;
bool aInsertedAttributeID = false;
if (inAttributeName)
{
if (!mNameStringMap.insert(NameStringMap::value_type(*inAttributeName,
anAttributeIndex)).second)
CssmError::throwMe(CSSMERR_DL_FIELD_SPECIFIED_MULTIPLE);
aInsertedAttributeName = true;
}
try
{
if (inAttributeOID)
{
if (!mNameOIDMap.insert(NameOIDMap::value_type(*inAttributeOID,
anAttributeIndex)).second)
CssmError::throwMe(CSSMERR_DL_FIELD_SPECIFIED_MULTIPLE);
aInsertedAttributeOID = true;
}
if (!mNameIntMap.insert(NameIntMap::value_type(inAttributeID,
anAttributeIndex)).second)
CssmError::throwMe(CSSMERR_DL_FIELD_SPECIFIED_MULTIPLE);
aInsertedAttributeID = true;
// Note: this no longer throws INVALID_FIELD_NAME since the attribute
// will always have an attribute ID by which it is known.
MetaAttribute *ma = MetaAttribute::create(*this, inAttributeFormat,
anAttributeIndex, inAttributeID);
mAttributeVector.push_back(ma);
return *ma;
}
catch (...)
{
if (aInsertedAttributeName)
mNameStringMap.erase(*inAttributeName);
if (aInsertedAttributeOID)
mNameOIDMap.erase(*inAttributeOID);
if (inAttributeID)
mNameIntMap.erase(inAttributeID);
throw;
}
}
// Return the index (0 though NumAttributes - 1) of the attribute
// represented by inAttributeInfo
uint32 MetaRecord::attributeIndex(
const CSSM_DB_ATTRIBUTE_INFO &inAttributeInfo) const
{
uint32 anIndex;
switch (inAttributeInfo.AttributeNameFormat)
{
case CSSM_DB_ATTRIBUTE_NAME_AS_STRING:
{
string aName(inAttributeInfo.Label.AttributeName);
NameStringMap::const_iterator it = mNameStringMap.find(aName);
if (it == mNameStringMap.end())
CssmError::throwMe(CSSMERR_DL_INVALID_FIELD_NAME);
anIndex = it->second;
break;
}
case CSSM_DB_ATTRIBUTE_NAME_AS_OID:
{
const CssmOid &aName =
CssmOid::overlay(inAttributeInfo.Label.AttributeOID);
NameOIDMap::const_iterator it = mNameOIDMap.find(aName);
if (it == mNameOIDMap.end())
CssmError::throwMe(CSSMERR_DL_INVALID_FIELD_NAME);
anIndex = it->second;
break;
}
case CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER:
{
uint32 aName = inAttributeInfo.Label.AttributeID;
NameIntMap::const_iterator it = mNameIntMap.find(aName);
if (it == mNameIntMap.end())
CssmError::throwMe(CSSMERR_DL_INVALID_FIELD_NAME);
anIndex = it->second;
break;
}
default:
CssmError::throwMe(CSSMERR_DL_INVALID_FIELD_NAME);
break;
}
return anIndex;
}
const MetaAttribute &MetaRecord::metaAttribute(
const CSSM_DB_ATTRIBUTE_INFO &inAttributeInfo) const
{
return *mAttributeVector[attributeIndex(inAttributeInfo)];
}
const MetaAttribute &MetaRecord::metaAttribute(uint32 name) const
{
NameIntMap::const_iterator it = mNameIntMap.find(name);
if (it == mNameIntMap.end())
CssmError::throwMe(CSSMERR_DL_INVALID_FIELD_NAME);
return *mAttributeVector[it->second];
}
const MetaAttribute &MetaRecord::metaAttribute(const std::string &name) const
{
NameStringMap::const_iterator it = mNameStringMap.find(name);
if (it == mNameStringMap.end())
CssmError::throwMe(CSSMERR_DL_INVALID_FIELD_NAME);
return *mAttributeVector[it->second];
}
const MetaAttribute &MetaRecord::metaAttributeForData() const
{
return *mAttributeVector[0];
}
void MetaRecord::attributeCoder(uint32 name, AttributeCoder *coder)
{
const_cast<MetaAttribute &>(metaAttribute(name)).attributeCoder(coder);
}
void MetaRecord::attributeCoder(const std::string &name, AttributeCoder *coder)
{
const_cast<MetaAttribute &>(metaAttribute(name)).attributeCoder(coder);
}
void MetaRecord::attributeCoderForData(AttributeCoder *coder)
{
const_cast<MetaAttribute &>(metaAttributeForData()).attributeCoder(coder);
}
void
MetaRecord::get(TokenContext *tokenContext, Record &record,
TOKEND_RETURN_DATA &data) const
{
if (data.attributes)
{
// Fetch the requested attributes.
CSSM_DB_RECORD_ATTRIBUTE_DATA &drad = *data.attributes;
drad.DataRecordType = mRelationId;
drad.SemanticInformation = 0;
for (uint32 ix = 0; ix < drad.NumberOfAttributes; ++ix)
{
CSSM_DB_ATTRIBUTE_DATA &dad = drad.AttributeData[ix];
const MetaAttribute &ma = metaAttribute(dad.Info);
dad.Info.AttributeFormat = ma.attributeFormat();
const Attribute &attr = ma.attribute(tokenContext, record);
dad.NumberOfValues = attr.size();
dad.Value = const_cast<CSSM_DATA_PTR>(attr.values());
}
}
if (data.data)
{
// Fetch the data.
const MetaAttribute &ma = metaAttributeForData();
const Attribute &attr = ma.attribute(tokenContext, record);
if (attr.size() != 1)
CssmError::throwMe(CSSMERR_DL_MISSING_VALUE);
(*data.data) = attr.values()[0];
if (mKeyHandleFactory)
{
KeyHandle *keyHandle = mKeyHandleFactory->keyHandle(tokenContext,
*this, record);
data.keyhandle = keyHandle ? keyHandle->handle() : 0;
}
else
data.keyhandle = 0;
}
}
} // end namespace Tokend
/* arch-tag: E9605B3A-DF80-11D8-B3F2-000A95C4302E */
--- NEW FILE MetaRecord.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* MetaRecord.h
* TokendMuscle
*/
#ifndef _TOKEND_METARECORD_H_
#define _TOKEND_METARECORD_H_
#include <security_cdsa_utilities/cssmdata.h>
#include <map>
#include <string>
#include <vector>
#include <SecurityTokend/SecTokend.h>
namespace Tokend
{
// Shorter names for some long cssm constants
enum
{
kAF_STRING = CSSM_DB_ATTRIBUTE_FORMAT_STRING,
kAF_SINT32 = CSSM_DB_ATTRIBUTE_FORMAT_SINT32,
kAF_UINT32 = CSSM_DB_ATTRIBUTE_FORMAT_UINT32,
kAF_BIG_NUM = CSSM_DB_ATTRIBUTE_FORMAT_BIG_NUM,
kAF_REAL = CSSM_DB_ATTRIBUTE_FORMAT_REAL,
kAF_TIME_DATE = CSSM_DB_ATTRIBUTE_FORMAT_TIME_DATE,
kAF_BLOB = CSSM_DB_ATTRIBUTE_FORMAT_BLOB,
kAF_MULTI_UINT32 = CSSM_DB_ATTRIBUTE_FORMAT_MULTI_UINT32,
kAF_COMPLEX = CSSM_DB_ATTRIBUTE_FORMAT_COMPLEX
};
typedef CSSM_DB_RECORDTYPE RelationId;
class AttributeCoder;
class KeyHandleFactory;
class MetaAttribute;
class Record;
class TokenContext;
//
// Meta (or Schema) representation of an a Record. Used for packing and
// unpacking objects.
//
class MetaRecord
{
NOCOPY(MetaRecord)
public:
// Used for normal relations
// dataCoder is the coder which will be used for the "data" value
// (metaAttributeForData() returns a metaAttribute using this coder.
MetaRecord(RelationId inRelationId);
~MetaRecord();
MetaAttribute &createAttribute(const std::string &inAttributeName,
CSSM_DB_ATTRIBUTE_FORMAT inAttributeFormat);
MetaAttribute &createAttribute(const std::string *inAttributeName,
const CssmOid *inAttributeOID,
uint32 inAttributeID,
CSSM_DB_ATTRIBUTE_FORMAT inAttributeFormat);
const MetaAttribute &metaAttribute(
const CSSM_DB_ATTRIBUTE_INFO &inAttributeInfo) const;
const MetaAttribute &MetaRecord::metaAttribute(uint32 name) const;
const MetaAttribute &MetaRecord::metaAttribute(
const std::string &name) const;
const MetaAttribute &metaAttributeForData() const;
void attributeCoder(uint32 name, AttributeCoder *coder);
void attributeCoder(const std::string &name, AttributeCoder *coder);
void attributeCoderForData(AttributeCoder *coder);
RelationId relationId() const { return mRelationId; }
// Return the index (0 though NumAttributes - 1) of the attribute
// represented by inAttributeInfo
uint32 attributeIndex(const CSSM_DB_ATTRIBUTE_INFO &inAttributeInfo) const;
void get(TokenContext *tokenContext, Record &record,
TOKEND_RETURN_DATA &data) const;
void keyHandleFactory(KeyHandleFactory *keyHandleFactory)
{ mKeyHandleFactory = keyHandleFactory; }
private:
//friend class MetaAttribute;
RelationId mRelationId;
typedef std::map<std::string, uint32> NameStringMap;
typedef std::map<CssmBuffer<CssmOidContainer>, uint32> NameOIDMap;
typedef std::map<uint32, uint32> NameIntMap;
NameStringMap mNameStringMap;
NameOIDMap mNameOIDMap;
NameIntMap mNameIntMap;
typedef std::vector<MetaAttribute *> AttributeVector;
typedef AttributeVector::iterator AttributeIterator;
typedef AttributeVector::const_iterator ConstAttributeIterator;
AttributeVector mAttributeVector;
KeyHandleFactory *mKeyHandleFactory;
};
} // end namespace Tokend
#endif /* !_TOKEND_METARECORD_H_ */
/* arch-tag: E9626F11-DF80-11D8-BBDF-000A95C4302E */
--- NEW FILE PKCS11Object.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* PKCS11Object.cpp
* TokendMuscle
*/
#include "PKCS11Object.h"
#include <security_utilities/debugging.h>
#include <security_cdsa_utilities/cssmerrors.h>
#include <Security/cssmerr.h>
#if defined(DEBUGDUMP)
#include "cryptoki.h"
#include "pkcs11.h"
#endif /* !defined(DEBUGDUMP) */
namespace Tokend
{
PKCS11Object::PKCS11Object(const void *inData, size_t inSize)
{
const PKCS11ObjectHeader *object =
reinterpret_cast<const PKCS11ObjectHeader *>(inData);
if (inSize < sizeof(PKCS11ObjectHeader) || !object
|| inSize < (object->size() + sizeof(PKCS11ObjectHeader)))
CssmError::throwMe(CSSM_ERRCODE_INTERNAL_ERROR);
size_t objectSize = object->size();
const uint8_t *data = object->data();
for (size_t bytesRead = 0; bytesRead < objectSize;)
{
const PKCS11Attribute *attribute =
reinterpret_cast<const PKCS11Attribute *>(&data[bytesRead]);
IFDUMPING("pkcs11", debugDump(*attribute));
mAttributeMap.insert(pair<uint32_t,
const PKCS11Attribute *>(attribute->attributeId(), attribute));
bytesRead += sizeof(PKCS11Attribute) + attribute->size();
}
}
const PKCS11Object::PKCS11Attribute *
PKCS11Object::attribute(uint32_t attributeId) const
{
AttributeMap::const_iterator it = mAttributeMap.find(attributeId);
if (it == mAttributeMap.end())
{
secdebug("pkcs11", "pkcs11 attribute: %08X not found", attributeId);
return NULL;
}
secdebug("pkcs11-d", "accessing pkcs11 attribute: %08X size: %lu",
attributeId, it->second->size());
return it->second;
}
bool PKCS11Object::attributeValueAsBool(uint32_t attributeId) const
{
const PKCS11Attribute *attr = attribute(attributeId);
if (!attr)
return false;
if (attr->size() != 1)
{
secdebug("pkcs11",
"attributeValueAsBool: pkcs11 attribute: %08X size: %lu",
attributeId, attr->size());
CssmError::throwMe(CSSMERR_DL_INCOMPATIBLE_FIELD_FORMAT);
}
return *attr->data() != 0;
}
uint32_t PKCS11Object::attributeValueAsUint32(uint32_t attributeId) const
{
const PKCS11Attribute *attr = attribute(attributeId);
if (!attr)
CssmError::throwMe(CSSMERR_DL_MISSING_VALUE);
if (attr->size() != 4)
{
secdebug("pkcs11",
"attributeValueAsUint32: pkcs11 attribute: %08X size: %lu",
attributeId, attr->size());
CssmError::throwMe(CSSMERR_DL_INCOMPATIBLE_FIELD_FORMAT);
}
const uint8_t *data = attr->data();
return (data[0] << 24) + (data[1] << 16) + (data[2] << 8) + data[3];
}
void PKCS11Object::attributeValueAsData(uint32_t attributeId,
const uint8_t *&data, size_t &size) const
{
const PKCS11Attribute *attr = attribute(attributeId);
if (!attr)
CssmError::throwMe(CSSMERR_DL_MISSING_VALUE);
size = attr->size();
data = attr->data();
}
#if defined(DEBUGDUMP)
void PKCS11Object::debugDump(const PKCS11Attribute &attribute)
{
Debug::dump("found pkcs11 attribute: %s size: %lu ",
attributeName(attribute.attributeId()), attribute.size());
Debug::dumpData(attribute.data(), attribute.size());
Debug::dump("\n");
}
const char *PKCS11Object::attributeName(uint32_t attributeId)
{
static char buffer[20];
switch (attributeId)
{
case CKA_CLASS: return "CLASS";
case CKA_TOKEN: return "TOKEN";
case CKA_PRIVATE: return "PRIVATE";
case CKA_LABEL: return "LABEL";
case CKA_APPLICATION: return "APPLICATION";
case CKA_VALUE: return "VALUE";
case CKA_OBJECT_ID: return "OBJECT_ID";
case CKA_CERTIFICATE_TYPE: return "CERTIFICATE_TYPE";
case CKA_ISSUER: return "ISSUER";
case CKA_SERIAL_NUMBER: return "SERIAL_NUMBER";
case CKA_AC_ISSUER: return "AC_ISSUER";
case CKA_OWNER: return "OWNER";
case CKA_ATTR_TYPES: return "ATTR_TYPES";
case CKA_TRUSTED: return "TRUSTED";
case CKA_KEY_TYPE: return "KEY_TYPE";
case CKA_SUBJECT: return "SUBJECT";
case CKA_ID: return "ID";
case CKA_SENSITIVE: return "SENSITIVE";
case CKA_ENCRYPT: return "ENCRYPT";
case CKA_DECRYPT: return "DECRYPT";
case CKA_WRAP: return "WRAP";
case CKA_UNWRAP: return "UNWRAP";
case CKA_SIGN: return "SIGN";
case CKA_SIGN_RECOVER: return "SIGN_RECOVER";
case CKA_VERIFY: return "VERIFY";
case CKA_VERIFY_RECOVER: return "VERIFY_RECOVER";
case CKA_DERIVE: return "DERIVE";
case CKA_START_DATE: return "START_DATE";
case CKA_END_DATE: return "END_DATE";
case CKA_MODULUS: return "MODULUS";
case CKA_MODULUS_BITS: return "MODULUS_BITS";
case CKA_PUBLIC_EXPONENT: return "PUBLIC_EXPONENT";
case CKA_PRIVATE_EXPONENT: return "PRIVATE_EXPONENT";
case CKA_PRIME_1: return "PRIME_1";
case CKA_PRIME_2: return "PRIME_2";
case CKA_EXPONENT_1: return "EXPONENT_1";
case CKA_EXPONENT_2: return "EXPONENT_2";
case CKA_COEFFICIENT: return "COEFFICIENT";
case CKA_PRIME: return "PRIME";
case CKA_SUBPRIME: return "SUBPRIME";
case CKA_BASE: return "BASE";
case CKA_PRIME_BITS: return "PRIME_BITS";
case CKA_SUB_PRIME_BITS: return "SUB_PRIME_BITS";
case CKA_VALUE_BITS: return "VALUE_BITS";
case CKA_VALUE_LEN: return "VALUE_LEN";
case CKA_EXTRACTABLE: return "EXTRACTABLE";
case CKA_LOCAL: return "LOCAL";
case CKA_NEVER_EXTRACTABLE: return "NEVER_EXTRACTABLE";
case CKA_ALWAYS_SENSITIVE: return "ALWAYS_SENSITIVE";
case CKA_KEY_GEN_MECHANISM: return "KEY_GEN_MECHANISM";
case CKA_MODIFIABLE: return "MODIFIABLE";
case CKA_EC_PARAMS: return "EC_PARAMS";
case CKA_EC_POINT: return "EC_POINT";
case CKA_SECONDARY_AUTH: return "SECONDARY_AUTH";
case CKA_AUTH_PIN_FLAGS: return "AUTH_PIN_FLAGS";
case CKA_HW_FEATURE_TYPE: return "HW_FEATURE_TYPE";
case CKA_RESET_ON_INIT: return "RESET_ON_INIT";
case CKA_HAS_RESET: return "HAS_RESET";
case CKA_VENDOR_DEFINED: return "VENDOR_DEFINED";
default:
snprintf(buffer, sizeof(buffer), "unknown(%0x08X)", attributeId);
return buffer;
}
}
#endif /* !defined(DEBUGDUMP) */
} // end namespace Tokend
/* arch-tag: 91F38B1F-FE04-11D8-BD24-000A95C4302E */
--- NEW FILE PKCS11Object.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* PKCS11Object.h
* TokendMuscle
*/
#ifndef _TOKEND_PKCS11OBJECT_H_
#define _TOKEND_PKCS11OBJECT_H_
#include <stdint.h>
#include <map>
#include <security_utilities/debugging.h>
namespace Tokend
{
// This object doesn't copy it's data. It's assumed that the data will live at
// least as long as this object does.
class PKCS11Object
{
public:
PKCS11Object(const void *inData, size_t inSize);
bool attributeValueAsBool(uint32_t attributeId) const;
uint32_t attributeValueAsUint32(uint32_t attributeId) const;
void PKCS11Object::attributeValueAsData(uint32_t attributeId,
const uint8_t *&data, size_t &size) const;
private:
struct PKCS11ObjectHeader
{
uint8_t oh_type;
uint8_t oh_id[2];
uint8_t oh_next_id[2];
uint8_t oa_size[2];
uint8_t oh_data[0];
size_t size() const { return (oa_size[0] << 8) + oa_size[1]; }
const uint8_t *data() const { return oh_data; }
};
struct PKCS11Attribute
{
uint8_t oa_id[4]; // big endian attribute type
uint8_t oa_size[2]; // big endian attribute length
uint8_t oa_data[0];
uint32_t attributeId() const { return (oa_id[0] << 24)
+ (oa_id[1] << 16) + (oa_id[2] << 8) + oa_id[3]; }
size_t size() const { return (oa_size[0] << 8) + oa_size[1]; }
const uint8_t *data() const { return oa_data; }
};
const PKCS11Attribute *attribute(uint32_t attributeId) const;
#if defined(DEBUGDUMP)
void debugDump(const PKCS11Attribute &attribute);
static const char *attributeName(uint32_t attributeId);
#endif /* !defined(DEBUGDUMP) */
typedef std::map<uint32_t, const PKCS11Attribute *> AttributeMap;
AttributeMap mAttributeMap;
};
} // end namespace Tokend
#endif /* !_TOKEND_PKCS11OBJECT_H_ */
/* arch-tag: 9266465C-FE04-11D8-9E28-000A95C4302E */
--- NEW FILE Record.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Record.cpp
* TokendMuscle
*/
#include "Record.h"
#include <security_cdsa_client/aclclient.h>
namespace Tokend
{
AutoAclOwnerPrototype Record::gNobodyAclOwner;
AutoAclEntryInfoList Record::gAnyReadAclEntries;
Record::Record()
{
}
Record::~Record()
{
for_each_delete(mAttributes.begin(), mAttributes.end());
}
bool
Record::hasAttributeAtIndex(uint32 attributeIndex) const
{
if (attributeIndex < mAttributes.size())
return mAttributes[attributeIndex] != NULL;
return false;
}
const Attribute &
Record::attributeAtIndex(uint32 attributeIndex) const
{
if (attributeIndex < mAttributes.size())
{
Attribute *attribute = mAttributes[attributeIndex];
if (attribute)
return *attribute;
}
CssmError::throwMe(CSSMERR_DL_INTERNAL_ERROR);
}
void Record::attributeAtIndex(uint32 attributeIndex, Attribute *attribute)
{
auto_ptr<Attribute> _(attribute);
if (attributeIndex >= mAttributes.size())
mAttributes.resize(attributeIndex + 1);
if (mAttributes[attributeIndex] != NULL)
CssmError::throwMe(CSSMERR_DL_INTERNAL_ERROR);
mAttributes[attributeIndex] = _.release();
}
void Record::getOwner(AclOwnerPrototype &owner)
{
// Normally nobody can change the acl of an object on a smartcard.
if (!gNobodyAclOwner)
{
Allocator &alloc = Allocator::standard();
gNobodyAclOwner.allocator(alloc);
gNobodyAclOwner = CssmClient::AclFactory::NobodySubject(alloc);
}
owner = gNobodyAclOwner;
}
void Record::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
{
// Normally anyone can read an object on a smartcard (subclasses might
// override this).
if (!gAnyReadAclEntries) {
gAnyReadAclEntries.allocator(Allocator::standard());
gAnyReadAclEntries.add(CssmClient::AclFactory::AnySubject(
gAnyReadAclEntries.allocator()),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0));
}
count = gAnyReadAclEntries.size();
acls = gAnyReadAclEntries.entries();
}
void Record::changeOwner(const AclOwnerPrototype &owner)
{
// Default changeOwner on a record always fails.
CssmError::throwMe(CSSM_ERRCODE_OBJECT_MANIP_AUTH_DENIED);
}
void Record::changeAcl(const AccessCredentials &cred, const AclEdit &edit)
{
// Default changeAcl on a record always fails.
CssmError::throwMe(CSSM_ERRCODE_OBJECT_MANIP_AUTH_DENIED);
}
const char *Record::description()
{
CssmError::throwMe(CSSMERR_DL_MISSING_VALUE);
}
Attribute *Record::getDataAttribute(TokenContext *tokenContext)
{
CssmError::throwMe(CSSMERR_DL_MISSING_VALUE);
}
} // end namespace Tokend
/* arch-tag: E92DB3E0-DF80-11D8-8D83-000A95C4302E */
--- NEW FILE Record.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Record.h
* TokendMuscle
*/
#ifndef _TOKEND_RECORD_H_
#define _TOKEND_RECORD_H_
#include "AttributeCoder.h"
#include "MetaRecord.h"
#include "Attribute.h"
#include <security_utilities/refcount.h>
#include <security_utilities/adornments.h>
#include <security_cdsa_utilities/cssmaclpod.h>
#include <security_cdsa_utilities/cssmcred.h>
#include <SecurityTokend/SecTokend.h>
namespace Tokend
{
class Record : public RefCount, public Security::Adornable
{
NOCOPY(Record)
public:
Record();
virtual ~Record();
bool hasAttributeAtIndex(uint32 attributeIndex) const;
const Attribute &attributeAtIndex(uint32 attributeIndex) const;
void attributeAtIndex(uint32 attributeIndex, Attribute *attribute);
virtual void getOwner(AclOwnerPrototype &owner);
virtual void getAcl(const char *tag, uint32 &count,
AclEntryInfo *&aclList);
virtual void changeOwner(const AclOwnerPrototype &owner);
virtual void changeAcl(const AccessCredentials &cred, const AclEdit &edit);
virtual const char *description();
virtual Attribute *getDataAttribute(TokenContext *tokenContext);
protected:
typedef std::vector<Attribute *> Attributes;
typedef Attributes::iterator AttributesIterator;
typedef Attributes::const_iterator ConstAttributesIterator;
Attributes mAttributes;
// temporary ACL cache hack - to be removed
static AutoAclOwnerPrototype gNobodyAclOwner;
static AutoAclEntryInfoList gAnyReadAclEntries;
};
} // end namespace Tokend
#endif /* !_TOKEND_RECORD_H_ */
/* arch-tag: E931F716-DF80-11D8-A25D-000A95C4302E */
--- NEW FILE RecordHandle.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* RecordHandle.cpp
* TokendMuscle
*/
#include "RecordHandle.h"
#include "MetaRecord.h"
#include "Record.h"
namespace Tokend
{
RecordHandle::RecordHandle(const MetaRecord &metaRecord,
const RefPointer<Record> &record) :
mMetaRecord(metaRecord), mRecord(record)
{
}
RecordHandle::~RecordHandle()
{
}
void RecordHandle::get(TokenContext *tokenContext, TOKEND_RETURN_DATA &data)
{
mMetaRecord.get(tokenContext, *mRecord, data);
data.record = handle();
}
void RecordHandle::getOwner(AclOwnerPrototype &owner)
{
mRecord->getOwner(owner);
}
void RecordHandle::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
{
mRecord->getAcl(tag, count, acls);
}
void RecordHandle::changeOwner(const AclOwnerPrototype &owner)
{
mRecord->changeOwner(owner);
}
void RecordHandle::changeAcl(const AccessCredentials &cred,
const AclEdit &edit)
{
mRecord->changeAcl(cred, edit);
}
} // end namespace Tokend
/* arch-tag: 6974FF0F-F7B9-11D8-BDE2-000A9595DEEE */
--- NEW FILE RecordHandle.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* RecordHandle.h
* TokendMuscle
*/
#ifndef _TOKEND_RECORDHANDLE_H_
#define _TOKEND_RECORDHANDLE_H_
#include <security_cdsa_utilities/handleobject.h>
#include <security_utilities/refcount.h>
#include <security_cdsa_utilities/cssmaclpod.h>
#include <security_cdsa_utilities/cssmcred.h>
#include <SecurityTokend/SecTokend.h>
namespace Tokend
{
class MetaRecord;
class Record;
class TokenContext;
class RecordHandle: public HandleObject
{
NOCOPY(RecordHandle)
public:
RecordHandle(const MetaRecord &metaRecord,
const RefPointer<Record> &record);
virtual ~RecordHandle();
virtual void get(TokenContext *tokenContext, TOKEND_RETURN_DATA &data);
virtual void getOwner(AclOwnerPrototype &owner);
virtual void getAcl(const char *tag, uint32 &count,
AclEntryInfo *&aclList);
virtual void changeOwner(const AclOwnerPrototype &owner);
virtual void changeAcl(const AccessCredentials &cred, const AclEdit &edit);
private:
const MetaRecord &mMetaRecord;
RefPointer<Record> mRecord;
};
} // end namespace Tokend
#endif /* !_TOKEND_RECORDHANDLE_H_ */
/* arch-tag: 3A2EEFFE-F7B9-11D8-BB62-000A9595DEEE */
--- NEW FILE Relation.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Relation.cpp
* TokendMuscle
*/
#include "Relation.h"
namespace Tokend
{
// @@@ need to distinguish between records that exist at db open time, and
// those that are being added and must be written back to the card
#pragma mark ---------------- Relation methods --------------
Relation::~Relation()
{
delete mMetaRecord;
}
void Relation::insertRecord(const RefPointer<Record> &record)
{
push_back(record);
}
bool Relation::matchesId(RelationId inRelationId) const
{
RelationId anId = mMetaRecord->relationId();
if (inRelationId == CSSM_DL_DB_RECORD_ANY) // All non schema tables.
return !(CSSM_DB_RECORDTYPE_SCHEMA_START <= anId
&& anId < CSSM_DB_RECORDTYPE_SCHEMA_END);
if (inRelationId == CSSM_DL_DB_RECORD_ALL_KEYS) // All key tables.
return (anId == CSSM_DL_DB_RECORD_PUBLIC_KEY
|| anId == CSSM_DL_DB_RECORD_PRIVATE_KEY
|| anId == CSSM_DL_DB_RECORD_SYMMETRIC_KEY);
return inRelationId == anId; // Only if exact match.
}
} // end namespace Tokend
/* arch-tag: E9350280-DF80-11D8-B395-000A95C4302E */
--- NEW FILE Relation.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Relation.h
* TokendMuscle
*/
#ifndef _TOKEND_RELATION_H_
#define _TOKEND_RELATION_H_
#include "Record.h"
#include <vector>
namespace Tokend
{
class MetaRecord;
class Record;
class Relation : public std::vector< RefPointer<Record> >
{
NOCOPY(Relation)
public:
Relation(MetaRecord *metaRecord) : mMetaRecord(metaRecord) { }
~Relation();
const MetaRecord &metaRecord() const { return *mMetaRecord; }
MetaRecord &metaRecord() { return *mMetaRecord; }
void insertRecord(const RefPointer<Record> &record);
bool matchesId(RelationId inRelationId) const;
protected:
MetaRecord *mMetaRecord;
};
} // end namespace Tokend
#endif /* !_TOKEND_RELATION_H_ */
/* arch-tag: E936FF49-DF80-11D8-9195-000A95C4302E */
--- NEW FILE SCardError.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* SCardError.cpp
* TokendMuscle
*/
#include "SCardError.h"
#include <Security/cssmerr.h>
namespace Tokend
{
/*
Excerpt from ISO/IEC 7816 part 3:
Status bytes (SW1=$6x or $9x, expect $60; SW2 any value)
--------------------------------------------------------
The end sequence SW1-SW2 gives the card status at the end of the command.
The normal ending is indicated by SW1-SW2 = $90-$00.
When the most significant half byte SW1 is $6, the meaning of SW1 is
independant of the application. The following five values are defined:
$6E The card does not support the instruction class.
$6D The instruction code is not programmed or is invalid.
$6B The reference is incorrect.
$67 The length is incorrect.
$6F No precise diagnostic is given.
Other values are reserved for future use by ISO7816. When SW1 is neither $6E
nor $6D, the card support the instruction. This part of ISO7816 does not
interprets neither $9X SW1 bytes, nor SW2
bytes; Their meaning relates to the application itself.
Supplement (were seen sometimes):
---------------------------------
SW1 SW2 Meaning
62 81 Returned data may be corrupted.
62 82 The end of the file has been reached before the end of reading.
62 84 Selected file is not valid.
65 01 Memory failure. There have been problems in writing or reading
the EEPROM. Other hardware problems may also bring this error.
68 00 The request function is not supported by the card.
6A 00 Bytes P1 and/or P2 are incorrect.
6A 80 The parameters in the data field are incorrect.
6A 82 File not found.
6A 83 Record not found.
6A 84 There is insufficient memory space in record or file.
6A 87 The P3 value is not consistent with the P1 and P2 values.
6A 88 Referenced data not found.
6C XX Incorrect P3 length.
Excerpt from ISO/IEC 7816 part 4:
Due to specifications in part 3 of ISO/IEC 7816, this part does not define the
following values of SW1-SW2 :
'60XX'
'67XX', '6BXX', '6DXX', '6EXX', '6FXX'; in each case if 'XX'!='00'
'9XXX', if 'XXX'!='000'
The following values of SW1-SW2 are defined whichever protocol is used (see
examples in annex A).
If a command is aborted with a response where SW1='6C', then SW2 indicates the
value to be given to the short Le field (exact length of requested data) when
re-issuing the same command before issuing any other command.
If a command (which may be of case 2 or 4, see table 4 and figure 4) is
processed with a response where SW1='61', then SW2 indicates the maximum value
to be given to the short Le field (length of extra data still available) in
a GET RESPONSE command issued before issuing any other command.
NOTE - A functionality similar to that offered by '61XX' may be offered at
application level by '9FXX'. However, applications may use '9FXX' for other
purposes.
Table 12 completed by tables 13 to 18 shows the general meanings of the values
of SW1-SW2 defined in this part of ISO/IEC 7816. For each command, an
appropriate clause provides more detailed meanings.
Tables 13 to 18 specify values of SW2 when SW1 is valued to '62', '63', '65',
'68', '69' and '6A'. The values of SW2 not defined in tables 13 to 18 are RFU,
except the values from 'F0' to 'FF' which are not defined in this part of
ISO/IEC 7816.
Table 12 - Coding of SW1-SW2
SW1-SW2 Meaning
Normal processing
'9000' No further qualification
'61XX' SW2 indicates the number of response bytes still available
(see text below)
Warning processings
'62XX' State of non-volatile memory unchanged (further qualification in SW2,
see table 13)
'63XX' State of non-volatile memory changed (further qualification in SW2,
see table 14)
Execution errors
'64XX' State of non-volatile memory unchanged (SW2='00', other values are RFU)
'65XX' State of non-volatile memory changed (further qualification in SW2,
see table 15)
'66XX' Reserved for security-related issues (not defined in this part of
ISO/IEC 7816)
Checking errors
'6700' Wrong length
'68XX' Functions in CLA not supported (further qualification in SW2, see
table 16)
'69XX' Command not allowed (further qualification in SW2, see table 17)
'6AXX' Wrong parameter(s) P1-P2 (further qualification in SW2, see table 18)
'6B00' Wrong parameter(s) P1-P2
'6CXX' Wrong length Le: SW2 indicates the exact length (see text below)
'6D00' Instruction code not supported or invalid
'6E00' Class not supported
'6F00' No precise diagnosis
Table 13 - Coding of SW2 when SW1='62'
SW2 Meaning
'00' No information given
'81' Part of returned data may be corrupted
'82' End of file/record reached before reading Le bytes
'83' Selected file invalidated
'84' FCI not formatted according to 1.1.5
Table 14 - Coding of SW2 when SW1='63'
SW2 Meaning
'00' No information given
'81' File filled up by the last write
'CX' Counter provided by 'X' (valued from 0 to 15) (exact meaning depending
on the command)
Table 15 - Coding of SW2 when SW1='65'
SW2 Meaning
'00' No information given
'81' Memory failure
Table 16 - Coding of SW2 when SW1='68'
SW2 Meaning
'00' No information given
'81' Logical channel not supported
'82' Secure messaging not supported
Table 17 - Coding of SW2 when SW1='69'
SW2 Meaning
'00' No information given
'81' Command incompatible with file structure
'82' Security status not satisfied
'83' Authentication method blocked
'84' Referenced data invalidated
'85' Conditions of use not satisfied
'86' Command not allowed (no current EF)
'87' Expected SM data objects missing
'88' SM data objects incorrect
Table 18 - Coding of SW2 when SW1='6A'
SW2 Meaning
'00' No information given
'80' Incorrect parameters in the data field
'81' Function not supported
'82' File not found
'83' Record not found
'84' Not enough memory space in the file
'85' Lc inconsistent with TLV structure
'86' Incorrect parameters P1-P2
'87' Lc inconsistent with P1-P2
'88' Referenced data not found
*/
//
// SCardError exceptions
//
SCardError::SCardError(uint16_t sw) : statusWord(sw)
{
IFDEBUG(debugDiagnose(this));
}
const char *SCardError::what() const throw ()
{ return "SCardError"; }
OSStatus SCardError::osStatus() const
{
switch (statusWord)
{
case SCARD_SUCCESS:
return 0;
case SCARD_FILE_FILLED:
case SCARD_MEMORY_FAILURE:
case SCARD_NO_MEMORY_LEFT:
return CSSM_ERRCODE_MEMORY_ERROR;
case SCARD_AUTHENTICATION_FAILED:
case SCARD_AUTHENTICATION_FAILED_0:
case SCARD_AUTHENTICATION_FAILED_1:
case SCARD_AUTHENTICATION_FAILED_2:
case SCARD_AUTHENTICATION_FAILED_3:
case SCARD_AUTHENTICATION_FAILED_4:
case SCARD_AUTHENTICATION_FAILED_5:
case SCARD_AUTHENTICATION_FAILED_6:
case SCARD_AUTHENTICATION_FAILED_7:
case SCARD_AUTHENTICATION_FAILED_8:
case SCARD_AUTHENTICATION_FAILED_9:
case SCARD_AUTHENTICATION_FAILED_10:
case SCARD_AUTHENTICATION_FAILED_11:
case SCARD_AUTHENTICATION_FAILED_12:
case SCARD_AUTHENTICATION_FAILED_13:
case SCARD_AUTHENTICATION_FAILED_14:
case SCARD_AUTHENTICATION_FAILED_15:
case SCARD_AUTHENTICATION_BLOCKED:
return CSSM_ERRCODE_OPERATION_AUTH_DENIED;
case SCARD_COMMAND_NOT_ALLOWED:
case SCARD_NOT_AUTHORIZED:
case SCARD_USE_CONDITIONS_NOT_MET:
return CSSM_ERRCODE_OBJECT_USE_AUTH_DENIED;
case SCARD_FUNCTION_NOT_SUPPORTED:
case SCARD_INSTRUCTION_CODE_INVALID:
return CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED;
case SCARD_FILE_NOT_FOUND:
case SCARD_RECORD_NOT_FOUND:
return CSSMERR_DL_RECORD_NOT_FOUND;
case SCARD_BYTES_LEFT_IN_SW2:
case SCARD_EXECUTION_WARNING:
case SCARD_RETURNED_DATA_CORRUPTED:
case SCARD_END_OF_FILE_REACHED:
case SCARD_FILE_INVALIDATED:
case SCARD_FCI_INVALID:
case SCARD_EXECUTION_ERROR:
case SCARD_CHANGED_ERROR:
case SCARD_LENGTH_INCORRECT:
case SCARD_CLA_UNSUPPORTED:
case SCARD_LOGICAL_CHANNEL_UNSUPPORTED:
case SCARD_SECURE_MESSAGING_UNSUPPORTED:
case SCARD_COMMAND_INCOMPATIBLE:
case SCARD_REFERENCED_DATA_INVALIDATED:
case SCARD_NO_CURRENT_EF:
case SCARD_SM_DATA_OBJECTS_MISSING:
case SCARD_SM_DATA_NOT_ALLOWED:
case SCARD_WRONG_PARAMETER:
case SCARD_DATA_INCORRECT:
case SCARD_LC_INCONSISTENT_TLV:
case SCARD_INCORRECT_P1_P2:
case SCARD_LC_INCONSISTENT_P1_P2:
case SCARD_REFERENCED_DATA_NOT_FOUND:
case SCARD_WRONG_PARAMETER_P1_P2:
case SCARD_LE_IN_SW2:
case SCARD_INSTRUCTION_CLASS_UNSUPPORTED:
case SCARD_UNSPECIFIED_ERROR:
default:
return CSSM_ERRCODE_INTERNAL_ERROR;
}
}
int SCardError::unixError() const
{
switch (statusWord)
{
default:
// cannot map this to errno space
return -1;
}
}
void SCardError::throwMe(uint16_t sw)
{ throw SCardError(sw); }
#if !defined(NDEBUG)
void SCardError::debugDiagnose(const void *id) const
{
secdebug("exception", "%p Error %s (%04hX)",
id, errorstr(statusWord), statusWord);
}
const char *SCardError::errorstr(uint16_t sw)
{
switch (sw)
{
case SCARD_SUCCESS:
return "Success";
case SCARD_BYTES_LEFT_IN_SW2:
return "SW2 indicates the number of response bytes still available";
case SCARD_EXECUTION_WARNING:
return "Execution warning, state of non-volatile memory unchanged";
case SCARD_RETURNED_DATA_CORRUPTED:
return "Part of returned data may be corrupted.";
case SCARD_END_OF_FILE_REACHED:
return "End of file/record reached before reading Le bytes.";
case SCARD_FILE_INVALIDATED:
return "Selected file invalidated.";
case SCARD_FCI_INVALID:
return "FCI not formatted according to 1.1.5.";
case SCARD_AUTHENTICATION_FAILED:
return "Authentication failed.";
case SCARD_FILE_FILLED:
return "File filled up by the last write.";
case SCARD_AUTHENTICATION_FAILED_0:
return "Authentication failed, 0 retries left.";
case SCARD_AUTHENTICATION_FAILED_1:
return "Authentication failed, 1 retry left.";
case SCARD_AUTHENTICATION_FAILED_2:
return "Authentication failed, 2 retries left.";
case SCARD_AUTHENTICATION_FAILED_3:
return "Authentication failed, 3 retries left.";
case SCARD_AUTHENTICATION_FAILED_4:
return "Authentication failed, 4 retries left.";
case SCARD_AUTHENTICATION_FAILED_5:
return "Authentication failed, 5 retries left.";
case SCARD_AUTHENTICATION_FAILED_6:
return "Authentication failed, 6 retries left.";
case SCARD_AUTHENTICATION_FAILED_7:
return "Authentication failed, 7 retries left.";
case SCARD_AUTHENTICATION_FAILED_8:
return "Authentication failed, 8 retries left.";
case SCARD_AUTHENTICATION_FAILED_9:
return "Authentication failed, 9 retries left.";
case SCARD_AUTHENTICATION_FAILED_10:
return "Authentication failed, 10 retries left.";
case SCARD_AUTHENTICATION_FAILED_11:
return "Authentication failed, 11 retries left.";
case SCARD_AUTHENTICATION_FAILED_12:
return "Authentication failed, 12 retries left.";
case SCARD_AUTHENTICATION_FAILED_13:
return "Authentication failed, 13 retries left.";
case SCARD_AUTHENTICATION_FAILED_14:
return "Authentication failed, 14 retries left.";
case SCARD_AUTHENTICATION_FAILED_15:
return "Authentication failed, 15 retries left.";
case SCARD_EXECUTION_ERROR:
return "Execution error, state of non-volatile memory unchanged.";
case SCARD_CHANGED_ERROR:
return "Execution error, state of non-volatile memory changed.";
case SCARD_MEMORY_FAILURE:
return "Memory failure.";
case SCARD_LENGTH_INCORRECT:
return "The length is incorrect.";
case SCARD_CLA_UNSUPPORTED:
return "Functions in CLA not supported.";
case SCARD_LOGICAL_CHANNEL_UNSUPPORTED:
return "Logical channel not supported.";
case SCARD_SECURE_MESSAGING_UNSUPPORTED:
return "Secure messaging not supported.";
case SCARD_COMMAND_NOT_ALLOWED:
return "Command not allowed.";
case SCARD_COMMAND_INCOMPATIBLE:
return "Command incompatible with file structure.";
case SCARD_NOT_AUTHORIZED:
return "Security status not satisfied.";
case SCARD_AUTHENTICATION_BLOCKED:
return "Authentication method blocked.";
case SCARD_REFERENCED_DATA_INVALIDATED:
return "Referenced data invalidated.";
case SCARD_USE_CONDITIONS_NOT_MET:
return "Conditions of use not satisfied.";
case SCARD_NO_CURRENT_EF:
return "Command not allowed (no current EF).";
case SCARD_SM_DATA_OBJECTS_MISSING:
return "Expected SM data objects missing.";
case SCARD_SM_DATA_NOT_ALLOWED:
return "SM data objects incorrect.";
case SCARD_WRONG_PARAMETER:
return "Wrong parameter.";
case SCARD_DATA_INCORRECT:
return "Incorrect parameters in the data field.";
case SCARD_FUNCTION_NOT_SUPPORTED:
return "Function not supported.";
case SCARD_FILE_NOT_FOUND:
return "File not found.";
case SCARD_RECORD_NOT_FOUND:
return "Record not found.";
case SCARD_NO_MEMORY_LEFT:
return "Not enough memory space in the file.";
case SCARD_LC_INCONSISTENT_TLV:
return "Lc inconsistent with TLV structure.";
case SCARD_INCORRECT_P1_P2:
return "Incorrect parameters P1-P2.";
case SCARD_LC_INCONSISTENT_P1_P2:
return "Lc inconsistent with P1-P2.";
case SCARD_REFERENCED_DATA_NOT_FOUND:
return "Referenced data not found.";
case SCARD_WRONG_PARAMETER_P1_P2:
return "Wrong parameter(s) P1-P2.";
case SCARD_LE_IN_SW2:
return "Wrong length Le: SW2 indicates the exact length";
case SCARD_INSTRUCTION_CODE_INVALID:
return "The instruction code is not programmed or is invalid.";
case SCARD_INSTRUCTION_CLASS_UNSUPPORTED:
return "The card does not support the instruction class.";
case SCARD_UNSPECIFIED_ERROR:
return "No precise diagnostic is given.";
default:
return "Unknown error";
}
}
#endif //NDEBUG
} // end namespace Tokend
/* arch-tag: 0BEE055D-8BC7-49A8-B695-DD3C6FD9089A */
--- NEW FILE SCardError.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* SCardError.h
* TokendMuscle
*/
#ifndef _TOKEND_SCARDERROR_H_
#define _TOKEND_SCARDERROR_H_
#include <security_utilities/debugging.h>
#include <security_utilities/errors.h>
/* ISO/IEC 7816 part 3 and 4 error codes. */
/** success */
#define SCARD_SUCCESS 0x9000
/* '61XX' SW2 indicates the number of response bytes still available. */
#define SCARD_BYTES_LEFT_IN_SW2 0x6100
/* '62XX' Warning processings - State of non-volatile memory unchanged. */
/** Execution warning, state of non-volatile memory unchanged */
#define SCARD_EXECUTION_WARNING 0x6200
/** Part of returned data may be corrupted. */
#define SCARD_RETURNED_DATA_CORRUPTED 0x6281
/** End of file/record reached before reading Le bytes. */
#define SCARD_END_OF_FILE_REACHED 0x6282
/** Selected file invalidated. */
#define SCARD_FILE_INVALIDATED 0x6283
/** FCI not formatted according to 1.1.5. */
#define SCARD_FCI_INVALID 0x6284
/* '62XX' Warning processings - State of non-volatile memory changed. */
/** Authentication failed. */
#define SCARD_AUTHENTICATION_FAILED 0x6300
/** File filled up by the last write. */
#define SCARD_FILE_FILLED 0x6381
/** Authentication failed, 0 retries left. */
#define SCARD_AUTHENTICATION_FAILED_0 0x63C0
/** Authentication failed, 1 retry left. */
#define SCARD_AUTHENTICATION_FAILED_1 0x63C1
/** Authentication failed, 2 retries left. */
#define SCARD_AUTHENTICATION_FAILED_2 0x63C2
/** Authentication failed, 3 retries left. */
#define SCARD_AUTHENTICATION_FAILED_3 0x63C3
/** Authentication failed, 4 retries left. */
#define SCARD_AUTHENTICATION_FAILED_4 0x63C4
/** Authentication failed, 5 retries left. */
#define SCARD_AUTHENTICATION_FAILED_5 0x63C5
/** Authentication failed, 6 retries left. */
#define SCARD_AUTHENTICATION_FAILED_6 0x63C6
/** Authentication failed, 7 retries left. */
#define SCARD_AUTHENTICATION_FAILED_7 0x63C7
/** Authentication failed, 8 retries left. */
#define SCARD_AUTHENTICATION_FAILED_8 0x63C8
/** Authentication failed, 9 retries left. */
#define SCARD_AUTHENTICATION_FAILED_9 0x63C9
/** Authentication failed, 10 retries left. */
#define SCARD_AUTHENTICATION_FAILED_10 0x63CA
/** Authentication failed, 11 retries left. */
#define SCARD_AUTHENTICATION_FAILED_11 0x63CB
/** Authentication failed, 12 retries left. */
#define SCARD_AUTHENTICATION_FAILED_12 0x63CC
/** Authentication failed, 13 retries left. */
#define SCARD_AUTHENTICATION_FAILED_13 0x63CD
/** Authentication failed, 14 retries left. */
#define SCARD_AUTHENTICATION_FAILED_14 0x63CE
/** Authentication failed, 15 retries left. */
#define SCARD_AUTHENTICATION_FAILED_15 0x63CF
/* '64XX' Execution errors - State of non-volatile memory unchanged. */
/** Execution error, state of non-volatile memory unchanged. */
#define SCARD_EXECUTION_ERROR 0x6400
/* '65XX' Execution errors - State of non-volatile memory changed. */
/** Execution error, state of non-volatile memory changed. */
#define SCARD_CHANGED_ERROR 0x6500
/** Memory failure. */
#define SCARD_MEMORY_FAILURE 0x6581
/* '66XX' Reserved for security-related issues. */
/* '6700' Wrong length. */
/** The length is incorrect. */
#define SCARD_LENGTH_INCORRECT 0x6700
/* '68XX' Functions in CLA not supported. */
/** No information given. */
#define SCARD_CLA_UNSUPPORTED 0x6800
/** Logical channel not supported. */
#define SCARD_LOGICAL_CHANNEL_UNSUPPORTED 0x6881
/** Secure messaging not supported. */
#define SCARD_SECURE_MESSAGING_UNSUPPORTED 0x6882
/* '69XX' Command not allowed. */
/** Command not allowed. */
#define SCARD_COMMAND_NOT_ALLOWED 0x6900
/** Command incompatible with file structure. */
#define SCARD_COMMAND_INCOMPATIBLE 0x6981
/** Security status not satisfied. */
#define SCARD_NOT_AUTHORIZED 0x6982
/** Authentication method blocked. */
#define SCARD_AUTHENTICATION_BLOCKED 0x6983
/** Referenced data invalidated. */
#define SCARD_REFERENCED_DATA_INVALIDATED 0x6984
/** Conditions of use not satisfied. */
#define SCARD_USE_CONDITIONS_NOT_MET 0x6985
/** Command not allowed (no current EF). */
#define SCARD_NO_CURRENT_EF 0x6986
/** Expected SM data objects missing. */
#define SCARD_SM_DATA_OBJECTS_MISSING 0x6987
/** SM data objects incorrect. */
#define SCARD_SM_DATA_NOT_ALLOWED 0x6988
/* '6AXX' Wrong parameter(s) P1-P2. */
/** Wrong parameter. */
#define SCARD_WRONG_PARAMETER 0x6A00
/** Incorrect parameters in the data field. */
#define SCARD_DATA_INCORRECT 0x6A80
/** Function not supported. */
#define SCARD_FUNCTION_NOT_SUPPORTED 0x6A81
/** File not found. */
#define SCARD_FILE_NOT_FOUND 0x6A82
/** Record not found. */
#define SCARD_RECORD_NOT_FOUND 0x6A83
/** Not enough memory space in the file. */
#define SCARD_NO_MEMORY_LEFT 0x6A84
/** Lc inconsistent with TLV structure. */
#define SCARD_LC_INCONSISTENT_TLV 0x6A85
/** Incorrect parameters P1-P2. */
#define SCARD_INCORRECT_P1_P2 0x6A86
/** Lc inconsistent with P1-P2. */
#define SCARD_LC_INCONSISTENT_P1_P2 0x6A87
/** Referenced data not found. */
#define SCARD_REFERENCED_DATA_NOT_FOUND 0x6A88
/* '6B00' Wrong parameter(s) P1-P2. */
/** Wrong parameter(s) P1-P2. */
#define SCARD_WRONG_PARAMETER_P1_P2 0x6B00
/* '6CXX' Wrong length Le: SW2 indicates the exact length */
#define SCARD_LE_IN_SW2 0x6C00
/* '6D00' Instruction code not supported or invalid. */
/** The instruction code is not programmed or is invalid. */
#define SCARD_INSTRUCTION_CODE_INVALID 0x6D00
/* '6E00' Class not supported. */
/** The card does not support the instruction class. */
#define SCARD_INSTRUCTION_CLASS_UNSUPPORTED 0x6E00
/* '6F00' No precise diagnosis. */
/** No precise diagnostic is given. */
#define SCARD_UNSPECIFIED_ERROR 0x6F00
namespace Tokend
{
class SCardError : public Security::CommonError
{
protected:
SCardError(uint16_t sw);
public:
const uint16_t statusWord;
virtual OSStatus osStatus() const;
virtual int unixError() const;
virtual const char *what () const throw ();
static void check(uint16_t sw) { if (sw != SCARD_SUCCESS) throwMe(sw); }
static void throwMe(uint16_t sw) __attribute__((noreturn));
protected:
IFDEBUG(void debugDiagnose(const void *id) const;)
IFDEBUG(static const char *errorstr(uint16_t sw);)
};
} // end namespace Tokend
#endif /* !_TOKEND_SCARDERROR_H_ */
/* arch-tag: D03ECC8E-C502-473C-9A1D-AAF96094CA48 */
--- NEW FILE Schema.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Schema.cpp
* TokendMuscle
*/
#include "Schema.h"
#include "Attribute.h"
#include "MetaRecord.h"
#include "MetaAttribute.h"
#include <Security/SecKey.h>
#include <Security/SecCertificate.h>
#include <Security/SecKeychainItem.h>
#include <Security/SecKeychainItemPriv.h>
#include <Security/cssmapple.h>
namespace Tokend
{
#pragma mark ---------------- Schema --------------
Schema::Schema() :
mTrueCoder(true),
mFalseCoder(false),
mCertEncodingBERCoder(CSSM_CERT_ENCODING(CSSM_CERT_ENCODING_BER)),
mSdCSPDLGuidCoder(gGuidAppleSdCSPDL),
mPublicKeyClassCoder(CSSM_KEYCLASS(CSSM_KEYCLASS_PUBLIC_KEY)),
mPrivateKeyClassCoder(CSSM_KEYCLASS(CSSM_KEYCLASS_PRIVATE_KEY)),
mSessionKeyClassCoder(CSSM_KEYCLASS(CSSM_KEYCLASS_SESSION_KEY))
{
}
Schema::~Schema()
{
try
{
for_each_map_delete(mRelationMap.begin(), mRelationMap.end());
}
catch(...) {}
}
void Schema::create()
{
// Attribute names.
std::string
an_RelationID("RelationID"),
an_RelationName("RelationName"),
an_AttributeID("AttributeID"),
an_AttributeNameFormat("AttributeNameFormat"),
an_AttributeName("AttributeName"),
an_AttributeNameID("AttributeNameID"),
an_AttributeFormat("AttributeFormat"),
an_IndexID("IndexID"),
an_IndexType("IndexType"),
an_IndexedDataLocation("IndexedDataLocation");
// Record the attributeIndex of each created attribute for use by our
// register functions laster on.
// Create CSSM_DL_DB_SCHEMA_INFO relation.
MetaRecord *mrio = new MetaRecord(CSSM_DL_DB_SCHEMA_INFO);
io_rid = mrio->createAttribute(an_RelationID,
kAF_UINT32).attributeIndex();
io_rn = mrio->createAttribute(an_RelationName,
kAF_STRING).attributeIndex();
mInfo = createRelation(mrio);
// Create CSSM_DL_DB_SCHEMA_ATTRIBUTES relation
MetaRecord *mras = new MetaRecord(CSSM_DL_DB_SCHEMA_ATTRIBUTES);
as_rid = mras->createAttribute(an_RelationID,
kAF_UINT32).attributeIndex();
as_aid = mras->createAttribute(an_AttributeID,
kAF_UINT32).attributeIndex();
as_anf = mras->createAttribute(an_AttributeNameFormat,
kAF_UINT32).attributeIndex();
as_an = mras->createAttribute(an_AttributeName,
kAF_STRING).attributeIndex();
as_anid= mras->createAttribute(an_AttributeNameID,
kAF_BLOB ).attributeIndex();
as_af = mras->createAttribute(an_AttributeFormat,
kAF_UINT32).attributeIndex();
mAttributes = createRelation(mras);
// Create CSSM_DL_DB_SCHEMA_INDEXES relation
MetaRecord *mrix = new MetaRecord(CSSM_DL_DB_SCHEMA_INDEXES);
ix_rid = mrix->createAttribute(an_RelationID,
kAF_UINT32).attributeIndex();
ix_iid = mrix->createAttribute(an_IndexID,
kAF_UINT32).attributeIndex();
ix_aid = mrix->createAttribute(an_AttributeID,
kAF_UINT32).attributeIndex();
ix_it = mrix->createAttribute(an_IndexType,
kAF_UINT32).attributeIndex();
ix_idl = mrix->createAttribute(an_IndexedDataLocation,
kAF_UINT32).attributeIndex();
mIndices = createRelation(mrix);
#ifdef ADD_SCHEMA_PARSING_MODULE
// @@@ Skipping CSSM_DL_DB_SCHEMA_PARSING_MODULE relation since no one uses
// it and it's definition in CDSA is broken anyway
// Attribute names.
std::string
an_ModuleID("ModuleID"),
an_AddinVersion("AddinVersion"),
an_SSID("SSID"),
an_SubserviceType("SubserviceType");
// Create CSSM_DL_DB_SCHEMA_PARSING_MODULE Relation
MetaRecord *mr_parsing = new MetaRecord(CSSM_DL_DB_SCHEMA_PARSING_MODULE);
mr_parsing->createAttribute(an_AttributeID, kAF_UINT32);
mr_parsing->createAttribute(an_ModuleID, kAF_BLOB );
mr_parsing->createAttribute(an_AddinVersion, kAF_STRING);
mr_parsing->createAttribute(an_SSID, kAF_UINT32);
mr_parsing->createAttribute(an_SubserviceType, kAF_UINT32);
createRelation(mr_parsing);
#endif
#ifdef REGISTER_SCHEMA_RELATIONS
registerRelation("CSSM_DL_DB_SCHEMA_INFO", CSSM_DL_DB_SCHEMA_INFO)
registerAttribute(CSSM_DL_DB_SCHEMA_INFO, &an_RelationID, 0,
kAF_UINT32, true);
registerAttribute(CSSM_DL_DB_SCHEMA_INFO, &an_RelationName, 1,
kAF_UINT32, false);
registerRelation("CSSM_DL_DB_SCHEMA_ATTRIBUTES",
CSSM_DL_DB_SCHEMA_ATTRIBUTES)
registerAttribute(CSSM_DL_DB_SCHEMA_ATTRIBUTES, &an_RelationID, 0,
kAF_UINT32, true);
registerAttribute(CSSM_DL_DB_SCHEMA_ATTRIBUTES, &an_AttributeID, 2,
kAF_UINT32, true);
registerAttribute(CSSM_DL_DB_SCHEMA_ATTRIBUTES, &an_AttributeNameFormat, 3,
kAF_UINT32, false);
registerAttribute(CSSM_DL_DB_SCHEMA_ATTRIBUTES, &an_AttributeName, 4,
kAF_STRING, false);
registerAttribute(CSSM_DL_DB_SCHEMA_ATTRIBUTES, &an_AttributeNameId, 5,
kAF_BLOB, false);
registerAttribute(CSSM_DL_DB_SCHEMA_ATTRIBUTES, &an_AttributeFormat, 6,
kAF_UINT32, false);
registerRelation("CSSM_DL_DB_SCHEMA_INDEXES", CSSM_DL_DB_SCHEMA_INDEXES)
registerAttribute(CSSM_DL_DB_SCHEMA_INDEXES, &an_RelationID, 0,
kAF_UINT32, true);
registerAttribute(CSSM_DL_DB_SCHEMA_INDEXES, &an_IndexID, 1,
kAF_UINT32, true);
registerAttribute(CSSM_DL_DB_SCHEMA_INDEXES, &an_AttributeID, 2,
kAF_UINT32, true);
registerAttribute(CSSM_DL_DB_SCHEMA_INDEXES, &an_IndexType, 3,
kAF_UINT32, false);
registerAttribute(CSSM_DL_DB_SCHEMA_INDEXES, &an_IndexedDataLocation, 4,
kAF_UINT32, false);
#endif
}
// Create one of the standard relations conforming to what the SecKeychain
// layer expects.
Relation *Schema::createStandardRelation(RelationId relationId)
{
std::string relationName;
// Get the name based on the relation
switch (relationId)
{
case CSSM_DL_DB_RECORD_PRIVATE_KEY:
relationName = "CSSM_DL_DB_RECORD_PRIVATE_KEY"; break;
case CSSM_DL_DB_RECORD_PUBLIC_KEY:
relationName = "CSSM_DL_DB_RECORD_PUBLIC_KEY"; break;
case CSSM_DL_DB_RECORD_SYMMETRIC_KEY:
relationName = "CSSM_DL_DB_RECORD_SYMMETRIC_KEY"; break;
case CSSM_DL_DB_RECORD_X509_CERTIFICATE:
relationName = "CSSM_DL_DB_RECORD_X509_CERTIFICATE"; break;
case CSSM_DL_DB_RECORD_GENERIC:
relationName = "CSSM_DL_DB_RECORD_GENERIC"; break;
default: CssmError::throwMe(CSSMERR_DL_INVALID_RECORDTYPE);
}
Relation *rt = createRelation(relationName, relationId);
std::string
an_CertType = "CertType",
an_CertEncoding = "CertEncoding",
an_PrintName = "PrintName",
an_Alias = "Alias",
an_Subject = "Subject",
an_Issuer = "Issuer",
an_SerialNumber = "SerialNumber",
an_SubjectKeyIdentifier = "SubjectKeyIdentifier",
an_PublicKeyHash = "PublicKeyHash",
an_KeyClass = "KeyClass",
an_Permanent = "Permanent",
an_Private = "Private",
an_Modifiable = "Modifiable",
an_Label = "Label",
an_ApplicationTag = "ApplicationTag",
an_KeyCreator = "KeyCreator",
an_KeyType = "KeyType",
an_KeySizeInBits = "KeySizeInBits",
an_EffectiveKeySize = "EffectiveKeySize",
an_StartDate = "StartDate",
an_EndDate = "EndDate",
an_Sensitive = "Sensitive",
an_AlwaysSensitive = "AlwaysSensitive",
an_Extractable = "Extractable",
an_NeverExtractable = "NeverExtractable",
an_Encrypt = "Encrypt",
an_Decrypt = "Decrypt",
an_Derive = "Derive",
an_Sign = "Sign",
an_Verify = "Verify",
an_SignRecover = "SignRecover",
an_VerifyRecover = "VerifyRecover",
an_Wrap = "Wrap",
an_Unwrap = "Unwrap";
// @@@ HARDWIRED Based on what SecKeychain layer expects @@@
switch (relationId)
{
case CSSM_DL_DB_RECORD_GENERIC:
createAttribute(*rt, &an_PrintName, kSecLabelItemAttr, kAF_BLOB, false)
.attributeCoder(&mDescriptionCoder);
createAttribute(*rt, &an_Alias, kSecAliasItemAttr, kAF_BLOB, false)
.attributeCoder(&mZeroCoder);
rt->metaRecord().attributeCoderForData(&mDataAttributeCoder);
break;
case CSSM_DL_DB_RECORD_X509_CERTIFICATE:
createAttribute(*rt, &an_CertType, kSecCertTypeItemAttr,
kAF_UINT32, true).attributeCoder(&mCertificateCoder);
createAttribute(*rt, &an_CertEncoding, kSecCertEncodingItemAttr,
kAF_UINT32, false).attributeCoder(&mCertEncodingBERCoder);
createAttribute(*rt, &an_PrintName, kSecLabelItemAttr,
kAF_BLOB, false).attributeCoder(&mCertificateCoder);
createAttribute(*rt, &an_Alias, kSecAliasItemAttr,
kAF_BLOB, false).attributeCoder(&mCertificateCoder);
createAttribute(*rt, &an_Subject, kSecSubjectItemAttr,
kAF_BLOB, false).attributeCoder(&mCertificateCoder);
createAttribute(*rt, &an_Issuer, kSecIssuerItemAttr,
kAF_BLOB, true).attributeCoder(&mCertificateCoder);
createAttribute(*rt, &an_SerialNumber, kSecSerialNumberItemAttr,
kAF_BLOB, true).attributeCoder(&mCertificateCoder);
createAttribute(*rt, &an_SubjectKeyIdentifier,
kSecSubjectKeyIdentifierItemAttr,
kAF_BLOB, false).attributeCoder(&mCertificateCoder);
createAttribute(*rt, &an_PublicKeyHash, kSecPublicKeyHashItemAttr,
kAF_BLOB, false).attributeCoder(&mCertificateCoder);
rt->metaRecord().attributeCoderForData(&mDataAttributeCoder);
// Initialize mPublicKeyHashCoder so it knows which attribute of a
// certificate to use to get the public key hash of a key.
mPublicKeyHashCoder.setCertificateMetaAttribute(&(rt->metaRecord()
.metaAttribute(kSecPublicKeyHashItemAttr)));
break;
case CSSM_DL_DB_RECORD_PUBLIC_KEY:
case CSSM_DL_DB_RECORD_PRIVATE_KEY:
case CSSM_DL_DB_RECORD_SYMMETRIC_KEY:
rt->metaRecord().attributeCoderForData(&mKeyDataCoder);
createAttribute(*rt, &an_KeyClass, kSecKeyKeyClass,
kAF_UINT32, false).attributeCoder(
relationId == CSSM_DL_DB_RECORD_PUBLIC_KEY
? &mPublicKeyClassCoder
: relationId == CSSM_DL_DB_RECORD_PRIVATE_KEY
? &mPrivateKeyClassCoder
: &mSessionKeyClassCoder);
createAttribute(*rt, &an_PrintName, kSecKeyPrintName,
kAF_BLOB, false).attributeCoder(&mZeroCoder);
createAttribute(*rt, &an_Alias, kSecKeyAlias,
kAF_BLOB, false).attributeCoder(&mZeroCoder);
createAttribute(*rt, &an_Permanent, kSecKeyPermanent,
kAF_UINT32, false).attributeCoder(&mTrueCoder);
createAttribute(*rt, &an_Private, kSecKeyPrivate,
kAF_UINT32, false).attributeCoder(
relationId == CSSM_DL_DB_RECORD_PUBLIC_KEY
? &mFalseCoder : &mTrueCoder);
createAttribute(*rt, &an_Modifiable, kSecKeyModifiable,
kAF_UINT32, false).attributeCoder(&mFalseCoder);
createAttribute(*rt, &an_Label, kSecKeyLabel,
kAF_BLOB, true).attributeCoder(
relationId == CSSM_DL_DB_RECORD_PRIVATE_KEY
? &mPublicKeyHashCoder : NULL);
createAttribute(*rt, &an_ApplicationTag, kSecKeyApplicationTag,
kAF_BLOB, true).attributeCoder(&mZeroCoder);
createAttribute(*rt, &an_KeyCreator, kSecKeyKeyCreator,
kAF_BLOB, true).attributeCoder(&mSdCSPDLGuidCoder);
createAttribute(*rt, &an_KeyType, kSecKeyKeyType, kAF_UINT32, true);
createAttribute(*rt, &an_KeySizeInBits, kSecKeyKeySizeInBits,
kAF_UINT32, true);
createAttribute(*rt, &an_EffectiveKeySize, kSecKeyEffectiveKeySize,
kAF_UINT32, true);
createAttribute(*rt, &an_StartDate, kSecKeyStartDate,
kAF_TIME_DATE, true).attributeCoder(&mZeroCoder);
createAttribute(*rt, &an_EndDate, kSecKeyEndDate,
kAF_TIME_DATE, true).attributeCoder(&mZeroCoder);
createAttribute(*rt, &an_Sensitive, kSecKeySensitive,
kAF_UINT32, false).attributeCoder(
relationId == CSSM_DL_DB_RECORD_PUBLIC_KEY
? &mFalseCoder : &mTrueCoder);
createAttribute(*rt, &an_AlwaysSensitive, kSecKeyAlwaysSensitive,
kAF_UINT32, false).attributeCoder(&mFalseCoder);
createAttribute(*rt, &an_Extractable, kSecKeyExtractable,
kAF_UINT32, false).attributeCoder(&mFalseCoder);
createAttribute(*rt, &an_NeverExtractable, kSecKeyNeverExtractable,
kAF_UINT32, false).attributeCoder(&mFalseCoder);
createAttribute(*rt, &an_Encrypt, kSecKeyEncrypt, kAF_UINT32, false);
createAttribute(*rt, &an_Decrypt, kSecKeyDecrypt, kAF_UINT32, false);
createAttribute(*rt, &an_Derive, kSecKeyDerive, kAF_UINT32, false);
createAttribute(*rt, &an_Sign, kSecKeySign, kAF_UINT32, false);
createAttribute(*rt, &an_Verify, kSecKeyVerify, kAF_UINT32, false);
createAttribute(*rt, &an_SignRecover, kSecKeySignRecover,
kAF_UINT32, false);
createAttribute(*rt, &an_VerifyRecover, kSecKeyVerifyRecover,
kAF_UINT32, false);
createAttribute(*rt, &an_Wrap, kSecKeyWrap, kAF_UINT32, false);
createAttribute(*rt, &an_Unwrap, kSecKeyUnwrap, kAF_UINT32, false);
// Initialize mPublicKeyHashCoder so it knows which attribute of a
// public key to use to get the public key hash of a key.
if (relationId == CSSM_DL_DB_RECORD_PUBLIC_KEY)
mPublicKeyHashCoder.setPublicKeyMetaAttribute(&(rt->metaRecord()
.metaAttribute(kSecKeyLabel)));
break;
}
return rt;
}
// Create a new relation using metaRecord. Does not register this in the
// CSSM_DL_DB_SCHEMA_INFO relation. This is used for creating the schema
// relations themselves only.
Relation *Schema::createRelation(MetaRecord *metaRecord)
{
auto_ptr<Relation> aRelation(new Relation(metaRecord));
if (!mRelationMap.insert(RelationMap::value_type(metaRecord->relationId(),
aRelation.get())).second)
{
// @@@ Should be CSSMERR_DL_DUPLICATE_RECORDTYPE. Since that
// doesn't exist we report that the meta-relation's unique index would
// no longer be valid
CssmError::throwMe(CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA);
}
return aRelation.release();
}
// Create a new relation and register this in the CSSM_DL_DB_SCHEMA_INFO
// relation.
Relation *Schema::createRelation(const std::string &relationName,
RelationId relationId)
{
MetaRecord *mr = new MetaRecord(relationId);
Relation *rt = createRelation(mr);
registerRelation(relationName, relationId);
return rt;
}
// Create a new attribute and register this with the schema. Do not use this
// for creating schema relations.
MetaAttribute &Schema::createAttribute(Relation &relation,
const std::string *name, uint32 attributeId,
CSSM_DB_ATTRIBUTE_FORMAT attributeFormat, bool isIndex)
{
MetaRecord &mr = relation.metaRecord();
registerAttribute(mr.relationId(), name, attributeId, attributeFormat,
isIndex);
return mr.createAttribute(name, NULL, attributeId, attributeFormat);
}
// Insert a record containing a relationId and it's name into
// CSSM_DL_DB_SCHEMA_INFO relation
void Schema::registerRelation(const std::string &relationName,
RelationId relationId)
{
RefPointer<Record> record = new Record();
record->attributeAtIndex(io_rid, new Attribute(relationId));
record->attributeAtIndex(io_rn, new Attribute(relationName));
mInfo->insertRecord(record);
}
// Insert a record containing a relationId, attributeId and other meta
// information into the CSSM_DL_DB_SCHEMA_ATTRIBUTES relation. In addition, if
// isIndex is true insert a record into the CSSM_DL_DB_SCHEMA_INDEXES relation.
void Schema::registerAttribute(RelationId relationId, const std::string *name,
uint32 attributeId, CSSM_DB_ATTRIBUTE_FORMAT attributeFormat, bool isIndex)
{
CSSM_DB_ATTRIBUTE_NAME_FORMAT nameFormat = name
? CSSM_DB_ATTRIBUTE_NAME_AS_STRING : CSSM_DB_ATTRIBUTE_NAME_AS_INTEGER;
RefPointer<Record> rc_attribute = new Record();
rc_attribute->attributeAtIndex(as_rid, new Attribute(relationId));
rc_attribute->attributeAtIndex(as_aid, new Attribute(attributeId));
rc_attribute->attributeAtIndex(as_anf, new Attribute(nameFormat));
rc_attribute->attributeAtIndex(as_an, name
? new Attribute(*name) : new Attribute()); // AttributeName
rc_attribute->attributeAtIndex(as_anid, new Attribute());// AttributeNameId
rc_attribute->attributeAtIndex(as_af, new Attribute(attributeFormat));
mAttributes->insertRecord(rc_attribute);
if (isIndex)
{
RefPointer<Record> rc_index = new Record();
rc_index->attributeAtIndex(ix_rid, // RelationId
new Attribute(relationId));
rc_index->attributeAtIndex(ix_iid, // IndexId
new Attribute(uint32(0)));
rc_index->attributeAtIndex(ix_aid, // AttributeId
new Attribute(attributeId));
rc_index->attributeAtIndex(ix_it, // IndexType
new Attribute(uint32(CSSM_DB_INDEX_UNIQUE)));
rc_index->attributeAtIndex(ix_idl, // IndexedDataLocation
new Attribute(uint32(CSSM_DB_INDEX_ON_UNKNOWN)));
mIndices->insertRecord(rc_index);
}
}
#pragma mark ---------------- Utility methods --------------
const Relation &Schema::findRelation(RelationId inRelationId) const
{
RelationMap::const_iterator it = mRelationMap.find(inRelationId);
if (it == mRelationMap.end())
CssmError::throwMe(CSSMERR_DL_INVALID_RECORDTYPE);
return *it->second;
}
Relation &Schema::findRelation(RelationId inRelationId)
{
RelationMap::iterator it = mRelationMap.find(inRelationId);
if (it == mRelationMap.end())
CssmError::throwMe(CSSMERR_DL_INVALID_RECORDTYPE);
return *it->second;
}
MetaRecord &Schema::findMetaRecord(RelationId inRelationId)
{
return findRelation(inRelationId).metaRecord();
}
} // end namespace Tokend
/* arch-tag: BA0AF80B-F13E-11D8-AC69-000A95C4302E */
--- NEW FILE Schema.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Schema.h
* TokendMuscle
*/
#ifndef _TOKEND_SCHEMA_H_
#define _TOKEND_SCHEMA_H_
#include <security_cdsa_utilities/cssmdata.h>
#include <security_cdsa_utilities/cssmdb.h>
#include <map>
#include "MetaRecord.h"
#include "Relation.h"
#include "AttributeCoder.h"
namespace Tokend
{
class Relation;
//
// Schema
//
class Schema
{
NOCOPY(Schema)
public:
typedef std::map<RelationId, Relation *> RelationMap;
typedef RelationMap::const_iterator ConstRelationMapIterator;
Schema();
virtual ~Schema();
virtual void create();
const Relation &findRelation(RelationId inRelationId) const;
Relation &findRelation(RelationId inRelationId);
MetaRecord &findMetaRecord(RelationId inRelationId);
ConstRelationMapIterator begin() const { return mRelationMap.begin(); }
ConstRelationMapIterator end() const { return mRelationMap.end(); }
const LinkedRecordAttributeCoder &publicKeyHashCoder() const
{ return mPublicKeyHashCoder; }
protected:
Relation *createRelation(const std::string &relationName,
RelationId relationId);
Relation *createStandardRelation(RelationId relationId);
MetaAttribute &createAttribute(Relation &relation,
const std::string *name, uint32 attributeId,
CSSM_DB_ATTRIBUTE_FORMAT attributeFormat, bool isIndex);
private:
Relation *createRelation(MetaRecord *inMetaRecord);
void registerRelation(const std::string &relationName,
RelationId relationId);
void registerAttribute(RelationId relationId, const std::string *name,
uint32 attributeId, CSSM_DB_ATTRIBUTE_FORMAT attributeFormat,
bool isIndex);
private:
Relation *mInfo, *mAttributes, *mIndices;
RelationMap mRelationMap;
// AttributeIndices for attributes of CSSM_DL_DB_SCHEMA_INFO relation.
uint32 io_rid;
uint32 io_rn;
// AttributeIndices for attributes of CSSM_DL_DB_SCHEMA_ATTRIBUTES
// relation.
uint32 as_rid;
uint32 as_aid;
uint32 as_anf;
uint32 as_an;
uint32 as_anid;
uint32 as_af;
// AttributeIndices for attributes of CSSM_DL_DB_SCHEMA_INDEXES relation.
uint32 ix_rid;
uint32 ix_iid;
uint32 ix_aid;
uint32 ix_it;
uint32 ix_idl;
protected:
// Coders for some standard attributes
ConstAttributeCoder mTrueCoder;
ConstAttributeCoder mFalseCoder;
ConstAttributeCoder mCertEncodingBERCoder;
GuidAttributeCoder mSdCSPDLGuidCoder;
CertificateAttributeCoder mCertificateCoder;
ZeroAttributeCoder mZeroCoder;
ConstAttributeCoder mPublicKeyClassCoder;
ConstAttributeCoder mPrivateKeyClassCoder;
ConstAttributeCoder mSessionKeyClassCoder;
KeyDataAttributeCoder mKeyDataCoder;
LinkedRecordAttributeCoder mPublicKeyHashCoder;
DataAttributeCoder mDataAttributeCoder;
DescriptionAttributeCoder mDescriptionCoder;
};
} // end namespace Tokend
#endif /* !_TOKEND_SCHEMA_H_ */
/* arch-tag: BA0C467A-F13E-11D8-BE5A-000A95C4302E */
--- NEW FILE SelectionPredicate.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* SelectionPredicate.cpp
* TokendMuscle
*/
#include "SelectionPredicate.h"
#include "MetaAttribute.h"
#include "MetaRecord.h"
#include "DbValue.h"
#include <Security/cssmerr.h>
namespace Tokend
{
SelectionPredicate::SelectionPredicate(const MetaRecord &inMetaRecord,
const CSSM_SELECTION_PREDICATE &inPredicate)
: mMetaAttribute(inMetaRecord.metaAttribute(inPredicate.Attribute.Info)),
mDbOperator(inPredicate.DbOperator)
{
// Make sure that the caller specified the attribute values in the correct
// format.
if (inPredicate.Attribute.Info.AttributeFormat
!= mMetaAttribute.attributeFormat())
CssmError::throwMe(CSSMERR_DL_INCOMPATIBLE_FIELD_FORMAT);
// @@@ See ISSUES
if (inPredicate.Attribute.NumberOfValues != 1)
CssmError::throwMe(CSSMERR_DL_UNSUPPORTED_QUERY);
mData = inPredicate.Attribute.Value[0];
mValue = mMetaAttribute.createValue(mData);
}
SelectionPredicate::~SelectionPredicate()
{
delete mValue;
}
bool SelectionPredicate::evaluate(TokenContext *tokenContext,
Record& record) const
{
return mMetaAttribute.evaluate(tokenContext, mValue, record, mDbOperator);
}
} // end namespace Tokend
/* arch-tag: E96BD4DB-DF80-11D8-8EA7-000A95C4302E */
--- NEW FILE SelectionPredicate.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* SelectionPredicate.h
* TokendMuscle
*/
#ifndef _TOKEND_SELECTIONPREDICATE_H_
#define _TOKEND_SELECTIONPREDICATE_H_
#include <security_cdsa_utilities/cssmdata.h>
namespace Tokend
{
class DbValue;
class MetaAttribute;
class MetaRecord;
class Record;
class TokenContext;
class SelectionPredicate
{
NOCOPY(SelectionPredicate)
public:
SelectionPredicate(const MetaRecord &inMetaRecord,
const CSSM_SELECTION_PREDICATE &inPredicate);
~SelectionPredicate();
bool evaluate(TokenContext *tokenContext, Record& record) const;
private:
const MetaAttribute &mMetaAttribute;
CSSM_DB_OPERATOR mDbOperator;
CssmDataContainer mData;
DbValue *mValue;
};
} // end namespace Tokend
#endif /* !_TOKEND_SELECTIONPREDICATE_H_ */
/* arch-tag: E96F0CEA-DF80-11D8-923F-000A95C4302E */
--- NEW FILE Token.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Token.cpp
* TokendMuscle
*/
#include "Token.h"
#include "Cursor.h"
#include "KeyHandle.h"
#include "RecordHandle.h"
#include "Schema.h"
#include <memory>
#include <security_cdsa_utilities/cssmaclpod.h>
#include <security_utilities/unix++.h>
#include <security_utilities/logging.h>
//
// SPI wrapper macros
//
#define BEGIN try {
#define END(SS) \
return CSSM_OK; \
} catch (const CommonError &err) { \
return CssmError::cssmError(err, CSSM_##SS##_BASE_ERROR); \
} catch (...) { \
return CSSM_ERRCODE_INTERNAL_ERROR; \
}
//
// Singleton
//
Tokend::Token *token;
namespace Tokend
{
Token::Token() : mSchema(NULL), mTokenContext(NULL)
{
}
Token::~Token()
{
}
//
// Initial: Your first chance to do anything with the tokend framework
// initialized.
//
CSSM_RETURN Token::_initial()
{
BEGIN
token->initial();
secdebug("tokend", "using reader %s",
token->startupReaderInfo()->szReader);
END(CSSM)
}
//
// Probe:
// (1) See if we support this token. Return zero if not.
// Return a score if we do - the lower, the better. 1 beats everyone else.
// (2) Generate a unique id string for the token. This doesn't have to be
// human readable. If you REALLY can't make one up, leave tokenUid alone.
// But do try.
//
CSSM_RETURN Token::_probe(SecTokendProbeFlags flags, uint32 *score,
char tokenUid[TOKEND_MAX_UID])
{
BEGIN
*score = token->probe(flags, tokenUid);
secdebug("tokend", "flags=%ld returning score=%ld uid='%s'",
flags, *score, tokenUid);
END(CSSM)
}
//
// Establish:
// Okay, you're the one. The token is yours. Here's your GUID and subservice ID
// (in case you care); it'll get automatically inserted into your MDS unless
// you override it. If you can make up a nice, user-friendly print name for
// your token, return it in printName. If you can't, leave it alone and
// securityd will make something up for you.
//
CSSM_RETURN Token::_establish(const CSSM_GUID *guid, uint32 subserviceID,
SecTokendEstablishFlags flags, const char *cacheDirectory,
const char *workDirectory, char mdsDirectory[PATH_MAX],
char printName[PATH_MAX])
{
BEGIN
secdebug("tokend", "establish(%s,%ld,0x%lX)",
Guid::required(guid).toString().c_str(), subserviceID, flags);
token->establish(guid, subserviceID, flags, cacheDirectory, workDirectory,
mdsDirectory, printName);
// if printName is left alone, securityd will make one up
// if mdsDirectory is left alone, all MDS resources in the Resource bundle
// will be loaded
END(CSSM)
}
//
// Terminate() is called by security when it wants you to go away.
// This function does not (currently) return anything, so the CSSM_RETURN is
// effectively ignored. (It's still here for consistency's sake.)
//
CSSM_RETURN Token::_terminate(uint32 reason, uint32 options)
{
BEGIN
secdebug("tokend", "terminate(%ld,0x%ld)", reason, options);
token->terminate(reason, options);
END(CSSM)
}
CSSM_RETURN Token::_findFirst(const CSSM_QUERY *query,
TOKEND_RETURN_DATA *data, CSSM_HANDLE *hSearch)
{
BEGIN
secdebug("tokend", "findFirst()");
std::auto_ptr<Cursor> curs(token->createCursor(query));
TokenContext *tokenContext = token->tokenContext();
std::auto_ptr<RecordHandle> rh(curs->next(tokenContext));
if (!rh.get())
{
secdebug("tokend", "findFirst() returning: CSSMERR_DL_ENDOFDATA");
#if 1
data->record = 0;
data->keyhandle = 0;
return 0;
#else
return CSSMERR_DL_ENDOFDATA;
#endif
}
rh->get(tokenContext, *data);
// Release the RecordHandle until the caller kills the handle we returned.
rh.release();
// We didn't throw so return a search handle and keep the Cursor around.
*hSearch = curs->handle();
curs.release();
secdebug("tokend", "end findFirst() returned: %ld", *hSearch);
END(DL)
}
CSSM_RETURN Token::_findNext(CSSM_HANDLE hSearch, TOKEND_RETURN_DATA *data)
{
BEGIN
secdebug("tokend", "findNext(%ld)", hSearch);
Cursor& curs = Security::HandleObject::find<Cursor>(hSearch,
CSSMERR_DL_RECORD_NOT_FOUND);
TokenContext *tokenContext = token->tokenContext();
std::auto_ptr<RecordHandle> rh(curs.next(tokenContext));
if (!rh.get())
{
secdebug("tokend", "findNext(%ld) returning: CSSMERR_DL_ENDOFDATA",
hSearch);
#if 1
data->record = 0;
data->keyhandle = 0;
return 0;
#else
return CSSMERR_DL_ENDOFDATA;
#endif
}
rh->get(tokenContext, *data);
rh.release();
END(DL)
}
CSSM_RETURN Token::_findRecordHandle(CSSM_HANDLE hRecord,
TOKEND_RETURN_DATA *data)
{
BEGIN
secdebug("tokend", "findRecordHandle(%ld)", hRecord);
RecordHandle &rh = Security::HandleObject::find<RecordHandle>(hRecord,
CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
rh.get(token->tokenContext(), *data);
END(DL)
}
CSSM_RETURN Token::_insertRecord(CSSM_DB_RECORDTYPE recordType,
const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes, const CSSM_DATA *data,
CSSM_HANDLE *hRecord)
{
BEGIN
secdebug("tokend", "insertRecord");
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END(DL)
}
CSSM_RETURN Token::_modifyRecord(CSSM_DB_RECORDTYPE recordType,
CSSM_HANDLE *hRecord, const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes,
const CSSM_DATA *data, CSSM_DB_MODIFY_MODE modifyMode)
{
BEGIN
secdebug("tokend", "modifyRecord");
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END(DL)
}
CSSM_RETURN Token::_deleteRecord(CSSM_HANDLE hRecord)
{
BEGIN
secdebug("tokend", "deleteRecord");
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END(DL)
}
CSSM_RETURN Token::_releaseSearch(CSSM_HANDLE hSearch)
{
BEGIN
secdebug("tokend", "releaseSearch(%ld)", hSearch);
Security::HandleObject::findAndKill<Cursor>(hSearch,
CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
END(DL)
}
CSSM_RETURN Token::_releaseRecord(CSSM_HANDLE hRecord)
{
BEGIN
secdebug("tokend", "releaseRecord(%ld)", hRecord);
Security::HandleObject::findAndKill<RecordHandle>(hRecord,
CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
END(DL)
}
CSSM_RETURN Token::_freeRetrievedData(TOKEND_RETURN_DATA *data)
{
BEGIN
secdebug("tokend", "freeRetrievedData");
// Since we return pointers to our cached interal data this is also a noop
END(DL)
}
CSSM_RETURN Token::_releaseKey(CSSM_HANDLE hKey)
{
BEGIN
secdebug("tokend", "releaseKey(%ld)", hKey);
Security::HandleObject::findAndKill<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
END(CSP)
}
CSSM_RETURN Token::_getKeySize(CSSM_HANDLE hKey, CSSM_KEY_SIZE *size)
{
BEGIN
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
key.getKeySize(Required(size));
END(CSP)
}
CSSM_RETURN Token::_getOutputSize(const CSSM_CONTEXT *context,
CSSM_HANDLE hKey, uint32 inputSize, CSSM_BOOL encrypting,
uint32 *outputSize)
{
BEGIN
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
Required(outputSize) = key.getOutputSize(Context::required(context),
inputSize, encrypting);
END(CSP)
}
CSSM_RETURN Token::_generateSignature(const CSSM_CONTEXT *context,
CSSM_HANDLE hKey, CSSM_ALGORITHMS signOnly, const CSSM_DATA *input,
CSSM_DATA *signature)
{
BEGIN
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
key.generateSignature(Context::required(context), signOnly,
CssmData::required(input), CssmData::required(signature));
END(CSP)
}
CSSM_RETURN Token::_verifySignature(const CSSM_CONTEXT *context,
CSSM_HANDLE hKey, CSSM_ALGORITHMS signOnly, const CSSM_DATA *input,
const CSSM_DATA *signature)
{
BEGIN
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
key.verifySignature(Context::required(context), signOnly,
CssmData::required(input), CssmData::required(signature));
END(CSP)
}
CSSM_RETURN Token::_generateMac(const CSSM_CONTEXT *context, CSSM_HANDLE hKey,
const CSSM_DATA *input, CSSM_DATA *output)
{
BEGIN
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
key.generateMac(Context::required(context), CssmData::required(input),
CssmData::required(output));
END(CSP)
}
CSSM_RETURN Token::_verifyMac(const CSSM_CONTEXT *context, CSSM_HANDLE hKey,
const CSSM_DATA *input, const CSSM_DATA *compare)
{
BEGIN
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
key.verifyMac(Context::required(context), CssmData::required(input),
CssmData::required(compare));
END(CSP)
}
CSSM_RETURN Token::_encrypt(const CSSM_CONTEXT *context, CSSM_HANDLE hKey,
const CSSM_DATA *clear, CSSM_DATA *cipher)
{
BEGIN
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
key.encrypt(Context::required(context), CssmData::required(clear),
CssmData::required(cipher));
END(CSP)
}
CSSM_RETURN Token::_decrypt(const CSSM_CONTEXT *context, CSSM_HANDLE hKey,
const CSSM_DATA *cipher, CSSM_DATA *clear)
{
BEGIN
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
key.decrypt(Context::required(context), CssmData::required(cipher),
CssmData::required(clear));
END(CSP)
}
CSSM_RETURN Token::_generateKey(const CSSM_CONTEXT *context,
const CSSM_ACCESS_CREDENTIALS *creds,
const CSSM_ACL_ENTRY_PROTOTYPE *owner, CSSM_KEYUSE usage,
CSSM_KEYATTR_FLAGS attrs, CSSM_HANDLE *hKey, CSSM_KEY *header)
{
BEGIN
secdebug("tokend", "generateKey");
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END(CSP)
}
CSSM_RETURN Token::_generateKeyPair(const CSSM_CONTEXT *context,
const CSSM_ACCESS_CREDENTIALS *creds,
const CSSM_ACL_ENTRY_PROTOTYPE *owner,
CSSM_KEYUSE pubUsage, CSSM_KEYATTR_FLAGS pubAttrs,
CSSM_KEYUSE privUsage, CSSM_KEYATTR_FLAGS privAttrs,
CSSM_HANDLE *hPubKey, CSSM_KEY *pubHeader,
CSSM_HANDLE *hPrivKey, CSSM_KEY *privHeader)
{
BEGIN
secdebug("tokend", "generateKeyPair");
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END(CSP)
}
CSSM_RETURN Token::_wrapKey(const CSSM_CONTEXT *context,
CSSM_HANDLE hWrappingKey, const CSSM_KEY *wrappingKey,
const CSSM_ACCESS_CREDENTIALS *cred,
CSSM_HANDLE hSubjectKey, const CSSM_KEY *subjectKey,
const CSSM_DATA *descriptiveData, CSSM_KEY *wrappedKey)
{
BEGIN
KeyHandle *subjectKeyHandle = hSubjectKey
? &Security::HandleObject::find<KeyHandle>(hSubjectKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE) : NULL;
KeyHandle *wrappingKeyHandle = hWrappingKey
? &Security::HandleObject::find<KeyHandle>(hWrappingKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE) : NULL;
if (subjectKeyHandle)
{
subjectKeyHandle->wrapUsingKey(Context::required(context),
AccessCredentials::optional(cred),
wrappingKeyHandle, CssmKey::optional(wrappingKey),
CssmData::optional(descriptiveData),
CssmKey::required(wrappedKey));
}
else if (wrappingKeyHandle)
{
wrappingKeyHandle->wrapKey(Context::required(context),
CssmKey::required(subjectKey),
CssmData::optional(descriptiveData),
CssmKey::required(wrappedKey));
}
else
{
secdebug("tokend",
"wrapKey without a reference subject or wrapping key not supported"
);
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
END(CSP)
}
CSSM_RETURN Token::_unwrapKey(const CSSM_CONTEXT *context,
CSSM_HANDLE hWrappingKey, const CSSM_KEY *wrappingKey,
const CSSM_ACCESS_CREDENTIALS *cred,
const CSSM_ACL_ENTRY_PROTOTYPE *access,
CSSM_HANDLE hPublicKey, const CSSM_KEY *publicKey,
const CSSM_KEY *wrappedKey, CSSM_KEYUSE usage,
CSSM_KEYATTR_FLAGS attributes, CSSM_DATA *descriptiveData,
CSSM_HANDLE *hUnwrappedKey, CSSM_KEY *unwrappedKey)
{
BEGIN
if (hWrappingKey)
{
KeyHandle &unwrappingKey =
Security::HandleObject::find<KeyHandle>(hWrappingKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
if (hPublicKey)
{
secdebug("tokend", "unwrapKey with a public key not supported");
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
unwrappingKey.unwrapKey(Context::required(context),
AccessCredentials::optional(cred),
AclEntryPrototype::optional(access), CssmKey::required(wrappedKey),
usage, attributes, CssmData::optional(descriptiveData),
*hUnwrappedKey, CssmKey::required(unwrappedKey));
}
else
{
secdebug("tokend",
"unwrapKey without a wrapping key not supported (import)");
/* There is no key doing the unwrap so this is basically an import. */
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
END(CSP)
}
CSSM_RETURN Token::_deriveKey(const CSSM_CONTEXT *context,
CSSM_HANDLE hSourceKey, const CSSM_KEY *sourceKey,
const CSSM_ACCESS_CREDENTIALS *cred,
const CSSM_ACL_ENTRY_PROTOTYPE *access, CSSM_DATA *parameters,
CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attributes,
CSSM_HANDLE *hKey, CSSM_KEY *key)
{
BEGIN
secdebug("tokend", "deriveKey");
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END(CSP)
}
CSSM_RETURN Token::_getObjectOwner(CSSM_HANDLE hRecord,
CSSM_ACL_OWNER_PROTOTYPE *owner)
{
BEGIN
secdebug("tokend", "getObjectOwner");
RecordHandle &rh = Security::HandleObject::find<RecordHandle>(hRecord,
CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
rh.getOwner(AclOwnerPrototype::required(owner));
END(DL)
}
CSSM_RETURN Token::_getObjectAcl(CSSM_HANDLE hRecord,
const char *tag, uint32 *count, CSSM_ACL_ENTRY_INFO **entries)
{
BEGIN
secdebug("tokend", "getObjectAcl");
RecordHandle &rh = Security::HandleObject::find<RecordHandle>(hRecord,
CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
rh.getAcl(tag, Required(count), AclEntryInfo::overlayVar(*entries));
END(DL)
}
CSSM_RETURN Token::_getDatabaseOwner(CSSM_ACL_OWNER_PROTOTYPE *owner)
{
BEGIN
token->getOwner(AclOwnerPrototype::required(owner));
END(DL)
}
CSSM_RETURN Token::_getDatabaseAcl(const char *tag, uint32 *count,
CSSM_ACL_ENTRY_INFO **entries)
{
BEGIN
token->getAcl(tag, *count, AclEntryInfo::overlayVar(*entries));
END(DL)
}
CSSM_RETURN Token::_getKeyOwner(CSSM_HANDLE hKey,
CSSM_ACL_OWNER_PROTOTYPE *owner)
{
BEGIN
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
key.getOwner(AclOwnerPrototype::required(owner));
END(CSP)
}
CSSM_RETURN Token::_getKeyAcl(CSSM_HANDLE hKey,
const char *tag, uint32 *count, CSSM_ACL_ENTRY_INFO **entries)
{
BEGIN
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
key.getAcl(tag, Required(count), AclEntryInfo::overlayVar(*entries));
END(CSP)
}
CSSM_RETURN Token::_freeOwnerData(CSSM_ACL_OWNER_PROTOTYPE *owner)
{
BEGIN
// @@@ Do something here based on how we return data above.
END(CSP)
}
CSSM_RETURN Token::_freeAclData(uint32 count, CSSM_ACL_ENTRY_INFO *entries)
{
BEGIN
#if 0
AutoAclEntryInfoList aclList(&Allocator::standard());
// Invoke braindead overloaded operators since there are no setters on
// AutoAclEntryInfoList
*static_cast<uint32 *>(aclList) = count;
*static_cast<CSSM_ACL_ENTRY_INFO_PTR *>(aclList) = entries;
#endif
END(CSP)
}
CSSM_RETURN Token::_authenticateDatabase(CSSM_DB_ACCESS_TYPE mode,
const CSSM_ACCESS_CREDENTIALS *cred)
{
BEGIN
secdebug("tokend", "authenticateDatabase");
token->authenticate(mode, AccessCredentials::overlay(cred));
END(DL)
}
CSSM_RETURN Token::_changeDatabaseOwner(const CSSM_ACL_OWNER_PROTOTYPE *owner)
{
BEGIN
secdebug("tokend", "changeDatabaseOwner");
token->changeOwner(AclOwnerPrototype::required(owner));
END(DL)
}
CSSM_RETURN Token::_changeDatabaseAcl(const CSSM_ACCESS_CREDENTIALS *cred,
const CSSM_ACL_EDIT *edit)
{
BEGIN
secdebug("tokend", "changeDatabaseAcl");
token->changeAcl(AccessCredentials::required(cred),
AclEdit::required(edit));
END(DL)
}
CSSM_RETURN Token::_changeObjectOwner(CSSM_HANDLE hRecord,
const CSSM_ACL_OWNER_PROTOTYPE *owner)
{
BEGIN
secdebug("tokend", "changeObjectOwner");
RecordHandle &rh = Security::HandleObject::find<RecordHandle>(hRecord,
CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
rh.changeOwner(AclOwnerPrototype::required(owner));
END(DL)
}
CSSM_RETURN Token::_changeObjectAcl(CSSM_HANDLE hRecord,
const CSSM_ACCESS_CREDENTIALS *cred, const CSSM_ACL_EDIT *edit)
{
BEGIN
secdebug("tokend", "changeObjectAcl");
RecordHandle &rh = Security::HandleObject::find<RecordHandle>(hRecord,
CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
rh.changeAcl(AccessCredentials::required(cred), AclEdit::required(edit));
END(DL)
}
CSSM_RETURN Token::_changeKeyOwner(CSSM_HANDLE hKey,
const CSSM_ACL_OWNER_PROTOTYPE *owner)
{
BEGIN
secdebug("tokend", "changeKeyOwner");
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
key.changeOwner(AclOwnerPrototype::required(owner));
END(CSP)
}
CSSM_RETURN Token::_changeKeyAcl(CSSM_HANDLE hKey,
const CSSM_ACCESS_CREDENTIALS *cred, const CSSM_ACL_EDIT *edit)
{
BEGIN
secdebug("tokend", "changeKeyAcl");
KeyHandle &key = Security::HandleObject::find<KeyHandle>(hKey,
CSSMERR_CSP_INVALID_KEY_REFERENCE);
key.changeAcl(AccessCredentials::required(cred), AclEdit::required(edit));
END(CSP)
}
CSSM_RETURN Token::_generateRandom(const CSSM_CONTEXT *context,
CSSM_DATA *result)
{
BEGIN
secdebug("tokend", "generateRandom");
token->generateRandom(Context::required(context),
CssmData::required(result));
END(CSP)
}
CSSM_RETURN Token::_getStatistics(CSSM_CSP_OPERATIONAL_STATISTICS *result)
{
BEGIN
secdebug("tokend", "getStatistics");
token->getStatistics(Required(result));
END(CSP)
}
CSSM_RETURN Token::_getTime(CSSM_ALGORITHMS algorithm, CSSM_DATA *result)
{
BEGIN
secdebug("tokend", "getTime");
token->getTime(algorithm, CssmData::required(result));
END(CSP)
}
CSSM_RETURN Token::_getCounter(CSSM_DATA *result)
{
BEGIN
secdebug("tokend", "getCounter");
token->getCounter(CssmData::required(result));
END(CSP)
}
CSSM_RETURN Token::_selfVerify()
{
BEGIN
secdebug("tokend", "selfVerify");
token->selfVerify();
END(CSP)
}
CSSM_RETURN Token::_cspPassThrough(uint32 id, const CSSM_CONTEXT *context,
CSSM_HANDLE hKey, const CSSM_KEY *key, const CSSM_DATA *input,
CSSM_DATA *output)
{
BEGIN
secdebug("tokend", "cspPassThrough");
CssmError::throwMe(CSSM_ERRCODE_INVALID_PASSTHROUGH_ID);
END(CSP)
}
CSSM_RETURN Token::_dlPassThrough(uint32 id, const CSSM_DATA *input,
CSSM_DATA *output)
{
BEGIN
secdebug("tokend", "dlPassThrough");
CssmError::throwMe(CSSM_ERRCODE_INVALID_PASSTHROUGH_ID);
END(DL)
}
CSSM_RETURN Token::_isLocked(uint32 *locked)
{
BEGIN
secdebug("tokend", "_isLocked");
Required(locked) = token->isLocked();
END(DL)
}
//
// Callback vector into SecTokendMain
//
const SecTokendCallbacks Token::mCallbacks = {
kSecTokendCallbackVersion,
kSecTokendCallbacksDefault,
_initial, _probe, _establish, _terminate,
_findFirst, _findNext, _findRecordHandle,
_insertRecord, _modifyRecord, _deleteRecord,
_releaseSearch, _releaseRecord,
_freeRetrievedData,
_releaseKey, _getKeySize, _getOutputSize,
_generateSignature, _verifySignature,
_generateMac, _verifyMac,
_encrypt, _decrypt,
_generateKey, _generateKeyPair,
_wrapKey, _unwrapKey, _deriveKey,
_getDatabaseOwner, _getDatabaseAcl,
_getObjectOwner, _getObjectAcl,
_getKeyOwner, _getKeyAcl,
_freeOwnerData, _freeAclData,
_authenticateDatabase,
_changeDatabaseOwner, _changeDatabaseAcl,
_changeObjectOwner, _changeObjectAcl,
_changeKeyOwner, _changeKeyAcl,
_generateRandom, _getStatistics,
_getTime, _getCounter,
_selfVerify,
_cspPassThrough, _dlPassThrough,
_isLocked
};
const SecTokendCallbacks *Token::callbacks()
{
return &mCallbacks;
}
SecTokendSupport *Token::support()
{
return this;
}
void Token::initial()
{
}
void Token::terminate(uint32 reason, uint32 options)
{
}
void Token::establish(const CSSM_GUID *guid, uint32 subserviceId,
SecTokendEstablishFlags flags, const char *cacheDirectory,
const char *workDirectory, char mdsDirectory[PATH_MAX],
char printName[PATH_MAX])
{
secdebug("establish", "cacheDirectory %s", cacheDirectory);
mGuid = *guid;
mSubserviceId = subserviceId;
mCacheDirectory = cacheDirectory;
}
bool Token::cachedObject(CSSM_DB_RECORDTYPE relationId,
const std::string &name, CssmData &object) const
{
try
{
UnixPlusPlus::AutoFileDesc fd(cachedObjectPath(relationId, name));
object.Length = fd.fileSize();
object.Data = reinterpret_cast<uint8 *>(malloc(object.Length));
object.Length = fd.readAll(object.Data, object.Length);
}
catch (const UnixError &error)
{
return false;
}
return true;
}
void Token::cacheObject(CSSM_DB_RECORDTYPE relationId, const std::string &name,
const CssmData &object) const
{
std::string path(cachedObjectPath(relationId, name));
try
{
UnixPlusPlus::AutoFileDesc fd(path, O_WRONLY|O_CREAT|O_TRUNC);
fd.writeAll(object.Data, object.Length);
}
catch (const UnixError &e)
{
Syslog::error("error writing cache file: %s: %s\n", path.c_str(),
strerror(e.unixError()));
::unlink(path.c_str());
}
}
std::string Token::cachedObjectPath(CSSM_DB_RECORDTYPE relationId,
const std::string &name) const
{
char buffer[9];
sprintf(buffer, "%lX", relationId);
return mCacheDirectory + "/" + buffer + "-" + name;
}
Cursor *Token::createCursor(const CSSM_QUERY *inQuery)
{
if (!inQuery || inQuery->RecordType == CSSM_DL_DB_RECORD_ANY
|| inQuery->RecordType == CSSM_DL_DB_RECORD_ALL_KEYS)
{
return new MultiCursor(inQuery, *mSchema);
}
const Relation &relation = mSchema->findRelation(inQuery->RecordType);
return new LinearCursor(inQuery, relation);
}
//
// Authenticate to the token
//
void Token::authenticate(CSSM_DB_ACCESS_TYPE mode,
const AccessCredentials *cred)
{
int pinNum;
if (!cred || sscanf(cred->EntryTag, "PIN%d", &pinNum) != 1)
pinNum = -1; // No PIN in tag.
if (mode == CSSM_DB_ACCESS_RESET)
{
// A mode of CSSM_DB_ACCESS_RESET is a request to deauthenticate
// the card completely.
secdebug("authenticate", "unverifying PIN%d", pinNum);
return unverifyPIN(pinNum);
}
else if (cred && pinNum > 0)
{ // tag="PINk"; unlock a PIN
if (cred->size() != 1) // just one, please
CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
const TypedList &sample = (*cred)[0];
switch (sample.type())
{
case CSSM_SAMPLE_TYPE_PASSWORD:
case CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD:
case CSSM_SAMPLE_TYPE_PROTECTED_PASSWORD:
{
CssmData &pin = sample[1].data();
return verifyPIN(pinNum, pin.Data, pin.Length);
}
default:
break;
}
CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
}
else
secdebug("authenticate", "ignoring non-PIN authentication request");
}
void Token::changeOwner(const AclOwnerPrototype &owner)
{
// Default changeOwner on a token always fails.
CssmError::throwMe(CSSM_ERRCODE_OBJECT_MANIP_AUTH_DENIED);
}
void Token::changeAcl(const AccessCredentials &cred, const AclEdit &edit)
{
// We don't allow adding or deleting of acls currently
switch (edit.mode())
{
case CSSM_ACL_EDIT_MODE_DELETE:
CssmError::throwMe(CSSM_ERRCODE_ACL_DELETE_FAILED);
case CSSM_ACL_EDIT_MODE_REPLACE:
break;
case CSSM_ACL_EDIT_MODE_ADD:
CssmError::throwMe(CSSM_ERRCODE_ACL_ADD_FAILED);
default:
CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_EDIT_MODE);
}
#if 0
// edit.handle() is the offset in mAclEntries of the acl we are replacing
uint32 ix = edit.handle();
if (ix >= mAclEntries.size())
CssmError::throwMe(CSSM_ERRCODE_ACL_REPLACE_FAILED);
// Now we have the actual AclEntryPrototype being changed
const AclEntryPrototype &oldProto = mAclEntries.at(ix).proto();
#endif
// Now get the new AclEntryPrototype for this entry.
const AclEntryInput *newEntry = edit.newEntry();
if (!newEntry)
CssmError::throwMe(CSSM_ERRCODE_INVALID_INPUT_POINTER);
const AclEntryPrototype &newProto = newEntry->proto();
unsigned int pinNum;
if (sscanf(newProto.EntryTag, "PIN%d", &pinNum) != 1)
CssmError::throwMe(CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED);
const TypedList &subject = newProto.subject();
switch (subject.type())
{
case CSSM_ACL_SUBJECT_TYPE_PASSWORD:
case CSSM_ACL_SUBJECT_TYPE_PROMPTED_PASSWORD:
case CSSM_ACL_SUBJECT_TYPE_PROTECTED_PASSWORD:
break;
default:
CssmError::throwMe(CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED);
}
const CssmData &newPin = subject[1].data();
if (cred.size() != 1)
CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
const TypedList &value = cred[0].value();
switch (value.type())
{
case CSSM_SAMPLE_TYPE_PASSWORD:
case CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD:
case CSSM_SAMPLE_TYPE_PROTECTED_PASSWORD:
break;
default:
CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
}
const CssmData &oldPin = value[1].data();
secdebug("tokend", "CHANGE PIN%d from \"%.*s\" to \"%.*s\"",
pinNum, static_cast<int>(oldPin.Length), oldPin.Data,
static_cast<int>(newPin.Length), newPin.Data);
changePIN(pinNum, oldPin.Data, oldPin.Length, newPin.Data, newPin.Length);
}
void Token::generateRandom(const Context &context, CssmData &result)
{
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
void Token::getStatistics(CSSM_CSP_OPERATIONAL_STATISTICS &result)
{
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
void Token::getTime(CSSM_ALGORITHMS algorithm, CssmData &result)
{
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
void Token::getCounter(CssmData &result)
{
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
void Token::selfVerify()
{
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
void Token::changePIN(int pinNum,
const unsigned char *oldPin, size_t oldPinLength,
const unsigned char *newPin, size_t newPinLength)
{
// Default changePIN on a token always fails.
CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
}
uint32_t Token::pinStatus(int pinNum)
{
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
}
void Token::verifyPIN(int pinNum,
const unsigned char *pin, size_t pinLength)
{
CssmError::throwMe(CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED);
}
void Token::unverifyPIN(int pinNum)
{
}
bool Token::isLocked()
{
// Check pin1 by default. Subclasses may override.
return pinStatus(1) != 0x9000;
}
//
// ISO7816Token
//
ISO7816Token::ISO7816Token()
{
mPrintName[0]=0;
}
ISO7816Token::~ISO7816Token()
{
}
uint32 ISO7816Token::probe(SecTokendProbeFlags flags,
char tokenUid[TOKEND_MAX_UID])
{
const SCARD_READERSTATE &readerState = *(*startupReaderInfo)();
connect(mSession, readerState.szReader);
return 0;
}
void ISO7816Token::establish(const CSSM_GUID *guid, uint32 subserviceId,
SecTokendEstablishFlags flags, const char *cacheDirectory,
const char *workDirectory, char mdsDirectory[PATH_MAX],
char printName[PATH_MAX])
{
secdebug("establish", "cacheDirectory %s, workDirectory: %s, name: %s",
cacheDirectory, workDirectory, mPrintName);
if (mPrintName[0])
::strlcpy(printName, mPrintName, PATH_MAX);
Token::establish(guid, subserviceId, flags, cacheDirectory,
workDirectory, mdsDirectory, printName);
if (!isConnected())
{
const SCARD_READERSTATE &readerState = *(*startupReaderInfo)();
connect(mSession, readerState.szReader);
}
}
uint16_t ISO7816Token::transmitAPDU(uint8_t cla, uint8_t ins, uint8_t p1,
uint8_t p2, size_t dataSize, const uint8_t *data,
size_t outputLength, std::vector<uint8_t> *output)
{
std::vector<uint8_t> apdu;
uint32_t lc = data ? dataSize : 0;
// Worst case we need this much
apdu.reserve(10 + lc);
apdu.push_back(cla);
apdu.push_back(ins);
apdu.push_back(p1);
apdu.push_back(p2);
if (lc > 0)
{
if (lc < 0x100)
{
// Normal length Lc
apdu.push_back(lc);
}
else if (lc < 0x10000)
{
// Extended length Lc
apdu.push_back(0);
apdu.push_back(lc >> 8);
apdu.push_back(lc);
}
else
{
// Lc too big.
PCSC::Error::throwMe(SCARD_E_PROTO_MISMATCH);
}
apdu.insert(apdu.end(), data, data + dataSize);
}
if (output && outputLength > 0)
{
if (outputLength < 0x100)
{
// Normal length Le
apdu.push_back(outputLength);
}
else if (outputLength < 0x10000)
{
// Extended length Le
apdu.push_back(0);
apdu.push_back(outputLength >> 8);
apdu.push_back(outputLength);
}
else
{
// Le too big
PCSC::Error::throwMe(SCARD_E_PROTO_MISMATCH);
}
// Append the response to what's already in output.
size_t oldSize = output->size();
// Make enough room for the data we are requesting plus the sw
output->resize(oldSize + outputLength + 2);
uint8_t *response = &output->at(oldSize);
size_t responseLength = outputLength + 2;
transmit(&apdu[0], apdu.size(), response, responseLength);
if (responseLength < 2)
{
output->resize(oldSize + responseLength);
PCSC::Error::throwMe(SCARD_E_PROTO_MISMATCH);
}
uint16_t sw = (response[responseLength - 2] << 8)
+ response[responseLength - 1];
// Remove the sw from the output.
output->resize(oldSize + responseLength - 2);
return sw;
}
else
{
uint8_t response[2];
size_t responseLength = sizeof(response);
transmit(&apdu[0], apdu.size(), response, responseLength);
if (responseLength < 2)
PCSC::Error::throwMe(SCARD_E_PROTO_MISMATCH);
return (response[responseLength - 2] << 8)
+ response[responseLength - 1];
}
}
void ISO7816Token::name(const char *printName)
{
// Set the printName
::strlcpy(mPrintName,printName,min(1+strlen(printName),size_t(PATH_MAX)));
}
} // end namespace Tokend
/* arch-tag: E93A5DC0-DF80-11D8-9F16-000A95C4302E */
--- NEW FILE Token.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* Token.h
* TokendMuscle
*/
#ifndef _TOKEND_TOKEN_H_
#define _TOKEND_TOKEN_H_
#include <SecurityTokend/SecTokend.h>
#include <security_utilities/osxcode.h>
#include <security_cdsa_utilities/context.h>
#include <security_cdsa_utilities/cssmpods.h>
#include <security_cdsa_utilities/cssmbridge.h>
#include <security_cdsa_utilities/cssmdb.h>
#include <security_cdsa_utilities/cssmaclpod.h>
#include <security_cdsa_utilities/cssmcred.h>
#include <security_utilities/debugging.h>
#include <security_utilities/pcsc++.h>
#include <string>
#include "TokenContext.h"
namespace Tokend
{
class Cursor;
class Schema;
class TokenContext;
//
// "The" token
//
class Token : public SecTokendSupport
{
NOCOPY(Token)
public:
Token();
virtual ~Token();
bool cachedObject(CSSM_DB_RECORDTYPE relationId, const std::string &name,
CssmData &data) const;
void cacheObject(CSSM_DB_RECORDTYPE relationId, const std::string &name,
const CssmData &object) const;
virtual const SecTokendCallbacks *callbacks();
virtual SecTokendSupport *support();
virtual void initial();
virtual uint32 probe(SecTokendProbeFlags flags,
char tokenUid[TOKEND_MAX_UID]) = 0;
virtual void establish(const CSSM_GUID *guid, uint32 subserviceId,
SecTokendEstablishFlags flags, const char *cacheDirectory,
const char *workDirectory, char mdsDirectory[PATH_MAX],
char printName[PATH_MAX]);
virtual void terminate(uint32 reason, uint32 options);
virtual void authenticate(CSSM_DB_ACCESS_TYPE mode,
const AccessCredentials *cred);
virtual void getOwner(AclOwnerPrototype &owner) = 0;
virtual void getAcl(const char *tag, uint32 &count,
AclEntryInfo *&acls) = 0;
virtual Cursor *createCursor(const CSSM_QUERY *inQuery);
virtual void changeOwner(const AclOwnerPrototype &owner);
virtual void changeAcl(const AccessCredentials &cred, const AclEdit &edit);
virtual void generateRandom(const Context &context, CssmData &result);
virtual void getStatistics(CSSM_CSP_OPERATIONAL_STATISTICS &result);
virtual void getTime(CSSM_ALGORITHMS algorithm, CssmData &result);
virtual void getCounter(CssmData &result);
virtual void selfVerify();
virtual void changePIN(int pinNum,
const unsigned char *oldPin, size_t oldPinLength,
const unsigned char *newPin, size_t newPinLength);
virtual uint32_t pinStatus(int pinNum);
virtual void verifyPIN(int pinNum,
const unsigned char *pin, size_t pinLength);
virtual void unverifyPIN(int pinNum);
virtual bool isLocked();
TokenContext *tokenContext() { return mTokenContext; }
protected:
std::string cachedObjectPath(CSSM_DB_RECORDTYPE relationId,
const std::string &name) const;
static CSSM_RETURN _initial();
static CSSM_RETURN _probe(SecTokendProbeFlags flags, uint32 *score,
char tokenUid[TOKEND_MAX_UID]);
static CSSM_RETURN _establish(const CSSM_GUID *guid, uint32 subserviceId,
SecTokendEstablishFlags flags, const char *cacheDirectory,
const char *workDirectory, char mdsDirectory[PATH_MAX],
char printName[PATH_MAX]);
static CSSM_RETURN _terminate(uint32 reason, uint32 options);
static CSSM_RETURN _findFirst(const CSSM_QUERY *query,
TOKEND_RETURN_DATA *data, CSSM_HANDLE *hSearch);
static CSSM_RETURN _findNext(CSSM_HANDLE hSearch,
TOKEND_RETURN_DATA *data);
static CSSM_RETURN _findRecordHandle(CSSM_HANDLE hRecord,
TOKEND_RETURN_DATA *data);
static CSSM_RETURN _insertRecord(CSSM_DB_RECORDTYPE recordType,
const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes, const CSSM_DATA *data,
CSSM_HANDLE *hRecord);
static CSSM_RETURN _modifyRecord(CSSM_DB_RECORDTYPE recordType,
CSSM_HANDLE *hRecord, const CSSM_DB_RECORD_ATTRIBUTE_DATA *attributes,
const CSSM_DATA *data, CSSM_DB_MODIFY_MODE modifyMode);
static CSSM_RETURN _deleteRecord(CSSM_HANDLE hRecord);
static CSSM_RETURN _releaseSearch(CSSM_HANDLE hSearch);
static CSSM_RETURN _releaseRecord(CSSM_HANDLE hRecord);
static CSSM_RETURN _freeRetrievedData(TOKEND_RETURN_DATA *data);
static CSSM_RETURN _releaseKey(CSSM_HANDLE hKey);
static CSSM_RETURN _getKeySize(CSSM_HANDLE hKey, CSSM_KEY_SIZE *size);
static CSSM_RETURN _getOutputSize(const CSSM_CONTEXT *context,
CSSM_HANDLE hKey, uint32 inputSize, CSSM_BOOL encrypting,
uint32 *outputSize);
static CSSM_RETURN _generateSignature(const CSSM_CONTEXT *context,
CSSM_HANDLE hKey, CSSM_ALGORITHMS signOnly, const CSSM_DATA *input,
CSSM_DATA *signature);
static CSSM_RETURN _verifySignature(const CSSM_CONTEXT *context,
CSSM_HANDLE hKey, CSSM_ALGORITHMS signOnly, const CSSM_DATA *input,
const CSSM_DATA *signature);
static CSSM_RETURN _generateMac(const CSSM_CONTEXT *context,
CSSM_HANDLE hKey, const CSSM_DATA *input, CSSM_DATA *mac);
static CSSM_RETURN _verifyMac(const CSSM_CONTEXT *context,
CSSM_HANDLE hKey, const CSSM_DATA *input, const CSSM_DATA *mac);
static CSSM_RETURN _encrypt(const CSSM_CONTEXT *context, CSSM_HANDLE hKey,
const CSSM_DATA *clear, CSSM_DATA *cipher);
static CSSM_RETURN _decrypt(const CSSM_CONTEXT *context, CSSM_HANDLE hKey,
const CSSM_DATA *cipher, CSSM_DATA *clear);
static CSSM_RETURN _generateKey(const CSSM_CONTEXT *context,
const CSSM_ACCESS_CREDENTIALS *creds,
const CSSM_ACL_ENTRY_PROTOTYPE *owner, CSSM_KEYUSE usage,
CSSM_KEYATTR_FLAGS attrs, CSSM_HANDLE *hKey, CSSM_KEY *header);
static CSSM_RETURN _generateKeyPair(const CSSM_CONTEXT *context,
const CSSM_ACCESS_CREDENTIALS *creds,
const CSSM_ACL_ENTRY_PROTOTYPE *owner,
CSSM_KEYUSE pubUsage, CSSM_KEYATTR_FLAGS pubAttrs,
CSSM_KEYUSE privUsage, CSSM_KEYATTR_FLAGS privAttrs,
CSSM_HANDLE *hPubKey, CSSM_KEY *pubHeader,
CSSM_HANDLE *hPrivKey, CSSM_KEY *privHeader);
static CSSM_RETURN _wrapKey(const CSSM_CONTEXT *context,
CSSM_HANDLE hWrappingKey, const CSSM_KEY *wrappingKey,
const CSSM_ACCESS_CREDENTIALS *cred, CSSM_HANDLE hSubjectKey,
const CSSM_KEY *subjectKey, const CSSM_DATA *descriptiveData,
CSSM_KEY *wrappedKey);
static CSSM_RETURN _unwrapKey(const CSSM_CONTEXT *context,
CSSM_HANDLE hWrappingKey, const CSSM_KEY *wrappingKey,
const CSSM_ACCESS_CREDENTIALS *cred,
const CSSM_ACL_ENTRY_PROTOTYPE *access,
CSSM_HANDLE hPublicKey, const CSSM_KEY *publicKey,
const CSSM_KEY *wrappedKey, CSSM_KEYUSE usage,
CSSM_KEYATTR_FLAGS attributes, CSSM_DATA *descriptiveData,
CSSM_HANDLE *hUnwrappedKey, CSSM_KEY *unwrappedKey);
static CSSM_RETURN _deriveKey(const CSSM_CONTEXT *context,
CSSM_HANDLE hSourceKey, const CSSM_KEY *sourceKey,
const CSSM_ACCESS_CREDENTIALS *cred,
const CSSM_ACL_ENTRY_PROTOTYPE *access, CSSM_DATA *parameters,
CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attributes,
CSSM_HANDLE *hKey, CSSM_KEY *hKey);
static CSSM_RETURN _getObjectOwner(CSSM_HANDLE hKey,
CSSM_ACL_OWNER_PROTOTYPE *owner);
static CSSM_RETURN _getObjectAcl(CSSM_HANDLE hKey,
const char *tag, uint32 *count, CSSM_ACL_ENTRY_INFO **entries);
static CSSM_RETURN _getDatabaseOwner(CSSM_ACL_OWNER_PROTOTYPE *owner);
static CSSM_RETURN _getDatabaseAcl(const char *tag, uint32 *count,
CSSM_ACL_ENTRY_INFO **entries);
static CSSM_RETURN _getKeyOwner(CSSM_HANDLE hKey,
CSSM_ACL_OWNER_PROTOTYPE *owner);
static CSSM_RETURN _getKeyAcl(CSSM_HANDLE hKey, const char *tag,
uint32 *count, CSSM_ACL_ENTRY_INFO **entries);
static CSSM_RETURN _freeOwnerData(CSSM_ACL_OWNER_PROTOTYPE *owner);
static CSSM_RETURN _freeAclData(uint32 count,
CSSM_ACL_ENTRY_INFO *entries);
static CSSM_RETURN _authenticateDatabase(CSSM_DB_ACCESS_TYPE mode,
const CSSM_ACCESS_CREDENTIALS *cred);
static CSSM_RETURN _changeDatabaseOwner(const CSSM_ACL_OWNER_PROTOTYPE *
owner);
static CSSM_RETURN _changeDatabaseAcl(const CSSM_ACCESS_CREDENTIALS *cred,
const CSSM_ACL_EDIT *edit);
static CSSM_RETURN _changeObjectOwner(CSSM_HANDLE hRecord,
const CSSM_ACL_OWNER_PROTOTYPE *owner);
static CSSM_RETURN _changeObjectAcl(CSSM_HANDLE hRecord,
const CSSM_ACCESS_CREDENTIALS *cred, const CSSM_ACL_EDIT *edit);
static CSSM_RETURN _changeKeyOwner(CSSM_HANDLE key,
const CSSM_ACL_OWNER_PROTOTYPE *owner);
static CSSM_RETURN _changeKeyAcl(CSSM_HANDLE key,
const CSSM_ACCESS_CREDENTIALS *cred, const CSSM_ACL_EDIT *edit);
static CSSM_RETURN _generateRandom(const CSSM_CONTEXT *context,
CSSM_DATA *result);
static CSSM_RETURN _getStatistics(CSSM_CSP_OPERATIONAL_STATISTICS *result);
static CSSM_RETURN _getTime(CSSM_ALGORITHMS algorithm, CSSM_DATA *result);
static CSSM_RETURN _getCounter(CSSM_DATA *result);
static CSSM_RETURN _selfVerify();
static CSSM_RETURN _cspPassThrough(uint32 id, const CSSM_CONTEXT *context,
CSSM_HANDLE hKey, const CSSM_KEY *key, const CSSM_DATA *input,
CSSM_DATA *output);
static CSSM_RETURN _dlPassThrough(uint32 id, const CSSM_DATA *input,
CSSM_DATA *output);
static CSSM_RETURN _isLocked(uint32 *locked);
private:
static const SecTokendCallbacks mCallbacks;
protected:
Schema *mSchema;
TokenContext *mTokenContext;
Guid mGuid;
uint32 mSubserviceId;
std::string mCacheDirectory;
};
class ISO7816Token : public Token, public TokenContext, public PCSC::Card
{
NOCOPY(ISO7816Token)
public:
ISO7816Token();
virtual ~ISO7816Token();
virtual uint32 probe(SecTokendProbeFlags flags,
char tokenUid[TOKEND_MAX_UID]);
virtual void establish(const CSSM_GUID *guid, uint32 subserviceId,
SecTokendEstablishFlags flags, const char *cacheDirectory,
const char *workDirectory, char mdsDirectory[PATH_MAX],
char printName[PATH_MAX]);
uint16_t transmitAPDU(uint8_t cla, uint8_t ins, uint8_t p1, uint8_t p2,
size_t dataSize = 0, const uint8_t *data = NULL,
size_t outputLength = 0, std::vector<uint8_t> *output = NULL);
protected:
PCSC::Session mSession;
char mPrintName[PATH_MAX];
virtual void name(const char *printName);
};
} // end namespace Tokend
//
// Singleton
//
extern Tokend::Token *token;
#endif /* !_TOKEND_TOKEN_H_ */
/* arch-tag: E93DF9EE-DF80-11D8-991E-000A95C4302E */
--- NEW FILE TokenContext.cpp ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* TokenContext.cpp
* TokendMuscle
*/
#include "TokenContext.h"
namespace Tokend
{
TokenContext::~TokenContext()
{
}
} // end namespace Tokend
/* arch-tag: 57027497-E707-11D8-B72A-000A95C4302E */
--- NEW FILE TokenContext.h ---
/*
* Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*
* TokenContext.h
* TokendMuscle
*/
#ifndef _TOKEND_TOKENCONTEXT_H_
#define _TOKEND_TOKENCONTEXT_H_
#include <security_utilities/utilities.h>
namespace Tokend
{
class TokenContext
{
NOCOPY(TokenContext)
public:
TokenContext() {}
virtual ~TokenContext() = 0;
};
} // end namespace Tokend
#endif /* !_TOKEND_TOKENCONTEXT_H_ */
/* arch-tag: 57047250-E707-11D8-9366-000A95C4302E */
- Previous message (by thread): [Fedora-directory-commits] esc/mac/Tokend-30557/CoolKey/pkcs11 compile.sh, NONE, 1.1 cryptoki.h, NONE, 1.1 mypkcs11.h, NONE, 1.1 pkcs11.h, NONE, 1.1 pkcs11f.h, NONE, 1.1 pkcs11t.h, NONE, 1.1
- Next message (by thread): [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm import-threads.c, 1.13, 1.14
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the Fedora-directory-commits
mailing list