// // Copyright (c) 2001-2004 Apple Computer, Inc. All Rights Reserved. // // @APPLE_LICENSE_HEADER_START@ // // Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. // // This file contains Original Code and/or Modifications of Original Code // as defined in and that are subject to the Apple Public Source License // Version 2.0 (the 'License'). You may not use this file except in // compliance with the License. Please obtain a copy of the License at // http://www.opensource.apple.com/apsl/ and read it before using this // file. // // The Original Code and all software distributed under the License are // distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER // EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, // INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, // FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. // Please see the License for the specific language governing rights and // limitations under the License. 
//
// @APPLE_LICENSE_HEADER_END@
//
// ucsp.defs - Mach RPC interface between SecurityServer and its clients
//
// This is a MIG (Mach Interface Generator) definition, not C. MIG numbers the
// routines below sequentially from the subsystem base (1000), so the ORDER of
// routine declarations is part of the wire ABI: new routines go at the end,
// and nothing may be inserted, removed or reordered without breaking every
// client built against the old layout.
//
// NOTE(review): the targets of the two #include and two import directives
// below were lost when this file was extracted (angle-bracketed names were
// stripped). They must be restored from the original source before the file
// will pass through mig(1); the names are deliberately not guessed here.
//
#include
#include

subsystem ucsp 1000;            // base message ID; routine N gets 1000+N
serverprefix ucsp_server_;      // generated server stubs: ucsp_server_<routine>
userprefix ucsp_client_;        // generated client stubs: ucsp_client_<routine>

import ;
import ;

//
// Data types
//
// Wire-format assumptions: every pointer-like quantity is carried as a
// uint32_t, so this interface describes a 32-bit client layout. The fixed
// struct sizes further down ([9*4], [23*4], [(23+2)*4]) are likewise the
// 32-bit sizes of the corresponding CSSM structures and would have to change
// for a 64-bit wire format.
//
type Data = array [] of char;           // variable length, client-sized; the server must bound every use
type Pointer = uint32_t;
type BasePointer = uint32_t;

type KeyHandle = uint32_t;
type KeyBlob = Data ctype: Pointer;
type DbHandle = uint32_t;
type DbBlob = Data ctype: Pointer;

// "Blob"/"Ptr" pairs (used through IN_BLOB/OUT_BLOB below): a flattened
// structure plus the base address its embedded pointers were relative to when
// it was flattened.
// NOTE(review): the base address is client-supplied. When the server
// relocates pointers inside a received blob it must check that every
// relocated pointer lands inside the received blob before dereferencing it;
// nothing at the MIG layer enforces that.
type AclEntryPrototypeBlob = Data ctype: AclEntryPrototypePtr;
type AclEntryPrototypePtr = BasePointer;
type AclEntryInfoBlob = Data ctype: AclEntryInfoPtr;
type AclEntryInfoPtr = BasePointer;
type AclEntryInputBlob = Data ctype: AclEntryInputPtr;
type AclEntryInputPtr = BasePointer;
type AclOwnerPrototypeBlob = Data ctype: AclOwnerPrototypePtr;
type AclOwnerPrototypePtr = BasePointer;
type AccessCredentialsBlob = Data ctype: AccessCredentialsPtr;
type AccessCredentialsPtr = BasePointer;
type DLDbIdentBlob = Data ctype: DLDbIdentPtr;
type DLDbIdentPtr = BasePointer;
type ParamInputBlob = Data ctype: ParamInputPtr;
type ParamInputPtr = BasePointer;
type CssmDbRecordAttributeDataBlob = Data ctype: CssmDbRecordAttributeDataPtr;
type CssmDbRecordAttributeDataPtr = BasePointer;
type CssmQueryBlob = Data ctype: CssmQueryPtr;
type CssmQueryPtr = BasePointer;
type CssmSubserviceUidBlob = Data ctype: CssmSubserviceUidPtr;
type CssmSubserviceUidPtr = BasePointer;
type CSSM_DBINFOBlob = Data ctype: CSSM_DBINFOPtr;
type CSSM_DBINFOPtr = BasePointer;
type CSSM_DB_SCHEMA_ATTRIBUTE_INFOBlob = Data ctype: CSSM_DB_SCHEMA_ATTRIBUTE_INFOPtr;
type CSSM_DB_SCHEMA_ATTRIBUTE_INFOPtr = BasePointer;
type CSSM_DB_SCHEMA_INDEX_INFOBlob = Data ctype: CSSM_DB_SCHEMA_INDEX_INFOPtr;
type CSSM_DB_SCHEMA_INDEX_INFOPtr = BasePointer;
type CSSM_NAME_LISTBlob = Data ctype: CSSM_NAME_LISTPtr;
type CSSM_NAME_LISTPtr = BasePointer;
type CssmNetAddressBlob = Data ctype: CssmNetAddressPtr;
type CssmNetAddressPtr = BasePointer;

// @@@ VoidBlob and VoidPtr aren't used anymore, I think. Kept because
// removing a type does not change message IDs, but check for stray users first.
type VoidBlob = Data ctype: VoidPtr;
type VoidPtr = uint32_t;

type SetupInfo = struct[4] of uint8_t ctype: ClientSetupInfo;

// Fixed-size structures marshalled as raw bytes and converted at the server
// boundary by the named intran/outtran functions.
type Context = struct [9*4] of uint8_t ctype: CSSM_CONTEXT
    intran: Context inTrans(CSSM_CONTEXT);
type ContextAttributes = array [] of char cservertype: ContextAttributesPointer;
type CssmKeyHeader = struct [23*4] of uint8_t;
type CssmKey = struct [(23+2)*4] of uint8_t ctype: CSSM_KEY
    intran: CssmKey inTrans(CSSM_KEY)
    outtran: CSSM_KEY outTrans(CssmKey);
type CSSM_KEY_SIZE = struct [2*4] of uint32_t ctype: CSSM_KEY_SIZE;
type DBParameters = struct [1*4] of uint32_t;

type AuthorizationItemSetBlob = Data ctype: AuthorizationItemSetPtr;
type AuthorizationItemSetPtr = BasePointer;
// 8 opaque bytes: the handle authorizationCreate hands back and that later
// authorization* calls present again.
type AuthorizationBlob = struct [8] of uint8_t;
// 32 opaque bytes: the externalized form produced by authorizationExternalize
// and accepted by authorizationInternalize. NOTE(review): presumably a bearer
// credential - whoever holds these bytes can internalize them - so it must be
// unguessable and only passed over trusted channels; confirm in the server.
type AuthorizationExternalForm = struct [32] of uint8_t;

// Bounded C strings: mig rejects a message whose string exceeds the bound,
// so the server can rely on these maxima.
type CssmString = c_string[*:64+4];
type AuthorizationString = c_string[*:1024];

type CSSM_RETURN = int32;
type CSSM_ALGORITHMS = uint32_t;
type CSSM_ACL_EDIT_MODE = uint32_t;
type CSSM_ACL_HANDLE = uint32_t;
type AclKind = uint32_t;
type uint32 = uint32_t;
type SecuritySessionId = uint32_t;
type SessionAttributeBits = uint32_t;
type SessionCreationFlags = uint32_t;
type AttachmentHandle = uint32_t;
type RecordHandle = uint32_t;
type SearchHandle = uint32_t;
type CSSM_DB_RECORDTYPE = uint32_t;
type CSSM_DB_ACCESS_TYPE = uint32_t;
type CSSM_DB_MODIFY_MODE = uint32_t;
type ExecutablePath = c_string[*:2048];
type RelationName = c_string[*:2048];

//
// Common argument profiles
//
// UCSP_PORTS is the argument prefix shared by every routine below:
//   sport          - the request port the message arrived on
//   rport          - reply port; MIG fabricates a send right for the reply
//   sourceSecurity - security_token_t filled in by the kernel on delivery
//                    (serversectoken), i.e. the sender's uid/gid as the
//                    kernel sees them. This is the only caller identity in
//                    the message the client cannot forge; every other
//                    argument (paths, names, handles, blobs) is client data.
//                    It does not identify a particular process; the task
//                    ports passed to setup/setupNew serve that purpose.
//   rcode          - CSSM_RETURN status reported back to the client
#define UCSP_PORTS requestport sport: mach_port_t; \
    replyport rport: mach_port_make_send_t; \
    serversectoken sourceSecurity: security_token_t; \
    out rcode: CSSM_RETURN

// An operation context: the fixed CSSM_CONTEXT header, the base address its
// attribute pointers are relative to, and the flattened attributes.
#define IN_CONTEXT in context: Context; in contextBase: BasePointer; in attrs: ContextAttributes

// A flattened structure (`name`) plus the address (`nameBase`) its internal
// pointers were relative to. See the relocation note on the Blob/Ptr types.
#define IN_BLOB(name,type) in name: type##Blob; in name##Base: type##Ptr
#define OUT_BLOB(name,type) out name: type##Blob; out name##Base: type##Ptr

//
// Management and administrative functions
//
// setup/setupNew establish a client session. tport is presumably the caller's
// task port; executablePath is the caller's own statement of its executable.
// NOTE(review): executablePath is plain client-supplied data and nothing in
// this interface authenticates it. Any code-identity decision must be made
// from tport and sourceSecurity, with the path treated as a hint to verify.
routine setup(UCSP_PORTS; in tport: mach_port_t; in info: SetupInfo;
    in executablePath: ExecutablePath);
routine setupNew(UCSP_PORTS; in tport: mach_port_t; in info: SetupInfo;
    in executablePath: ExecutablePath; out newServicePort: mach_port_make_send_t);
routine setupThread(UCSP_PORTS; in tport: mach_port_t);
routine teardown(UCSP_PORTS);

//
// DL Interface
//
// NOTE(review): attributeCount/indexCount in createRelation travel separately
// from the blobs they describe; the server should validate them against the
// blob lengths rather than trust them.
routine attach(UCSP_PORTS; IN_BLOB(ssUid,CssmSubserviceUid); out attachment: AttachmentHandle);
routine detach(UCSP_PORTS; in attachment: AttachmentHandle);
routine openDb(UCSP_PORTS; in attachment: AttachmentHandle; in dbName: Data;
    IN_BLOB(location,CssmNetAddress); in accessType: CSSM_DB_ACCESS_TYPE;
    IN_BLOB(accessCredentials,AccessCredentials); in openParameters: Data;
    out db: DbHandle);
routine createDb2(UCSP_PORTS; in attachment: AttachmentHandle; in dbName: Data;
    IN_BLOB(location,CssmNetAddress); IN_BLOB(dbInfo,CSSM_DBINFO);
    in accessType: CSSM_DB_ACCESS_TYPE; IN_BLOB(accessCredentials,AccessCredentials);
    IN_BLOB(aclEntryPrototype,AclEntryPrototype); in openParameters: Data;
    out db: DbHandle);
routine deleteDb(UCSP_PORTS; in attachment: AttachmentHandle; in dbName: Data;
    IN_BLOB(location,CssmNetAddress); IN_BLOB(accessCredentials,AccessCredentials));
routine getDbNames(UCSP_PORTS; in attachment: AttachmentHandle;
    OUT_BLOB(nameList,CSSM_NAME_LIST));
routine getDbNameFromHandle(UCSP_PORTS; in db: DbHandle; out name: Data);
routine closeDb(UCSP_PORTS; in db: DbHandle);
routine authenticateDb(UCSP_PORTS; in db: DbHandle; in accessType: CSSM_DB_ACCESS_TYPE;
    IN_BLOB(accessCredentials,AccessCredentials));
routine createRelation(UCSP_PORTS; in db: DbHandle; in recordType: CSSM_DB_RECORDTYPE;
    in relationName: RelationName; in attributeCount: uint32;
    IN_BLOB(attributes,CSSM_DB_SCHEMA_ATTRIBUTE_INFO); in indexCount: uint32;
    IN_BLOB(indices,CSSM_DB_SCHEMA_INDEX_INFO));
routine destroyRelation(UCSP_PORTS; in db: DbHandle; in recordType: CSSM_DB_RECORDTYPE);
routine insertRecord(UCSP_PORTS; in db: DbHandle; in recordType: CSSM_DB_RECORDTYPE;
    IN_BLOB(attributes,CssmDbRecordAttributeData); in data: Data;
    out record: RecordHandle);
routine deleteRecord(UCSP_PORTS; in record: RecordHandle);
routine modifyRecord(UCSP_PORTS; in record: RecordHandle; in recordType: CSSM_DB_RECORDTYPE;
    IN_BLOB(attributes,CssmDbRecordAttributeData); in data: Data;
    in modifyMode: CSSM_DB_MODIFY_MODE);
// The find* routines return a SearchHandle that findNextRecord/abortFind
// consume; getData selects whether the record body is returned along with
// the attributes.
routine findFirstRecord(UCSP_PORTS; in db: DbHandle; IN_BLOB(query,CssmQuery);
    out search: SearchHandle;
    IN_BLOB(inAttributes,CssmDbRecordAttributeData);
    OUT_BLOB(outAttributes,CssmDbRecordAttributeData);
    in getData: boolean_t; out data: Data; out record: RecordHandle);
routine findNextRecord(UCSP_PORTS; in search: SearchHandle;
    IN_BLOB(inAttributes,CssmDbRecordAttributeData);
    OUT_BLOB(outAttributes,CssmDbRecordAttributeData);
    in getData: boolean_t; out data: Data; out record: RecordHandle);
routine abortFind(UCSP_PORTS; in search: SearchHandle);
routine getRecordFromHandle(UCSP_PORTS; in record: RecordHandle;
    IN_BLOB(inAttributes,CssmDbRecordAttributeData);
    OUT_BLOB(outAttributes,CssmDbRecordAttributeData);
    in getData: boolean_t; out data: Data);
routine freeRecordHandle(UCSP_PORTS; in record: RecordHandle);

//
// Database management
//
// decodeDb/encodeDb move a database between a live handle and its serialized
// DbBlob. NOTE(review): the DbBlob handed to decodeDb is client data that
// the server must parse as untrusted input (lengths, offsets, versions).
routine createDb(UCSP_PORTS; out db: DbHandle; IN_BLOB(ident,DLDbIdent);
    IN_BLOB(accessCredentials,AccessCredentials);
    IN_BLOB(aclEntryPrototype,AclEntryPrototype); in params: DBParameters);
routine decodeDb(UCSP_PORTS; out db: DbHandle; IN_BLOB(ident,DLDbIdent);
    IN_BLOB(accessCredentials,AccessCredentials); in blob: DbBlob);
routine encodeDb(UCSP_PORTS; in db: DbHandle; out blob: DbBlob);
routine releaseDb(UCSP_PORTS; in db: DbHandle);
routine setDbParameters(UCSP_PORTS; in db: DbHandle; in params: DBParameters);
routine getDbParameters(UCSP_PORTS; in db: DbHandle; out params: DBParameters);
routine changePassphrase(UCSP_PORTS; in db: DbHandle; IN_BLOB(accessCredentials,AccessCredentials));
routine lockDb(UCSP_PORTS; in db: DbHandle);
routine lockAll(UCSP_PORTS; in forSleep: boolean_t);
routine unlockDb(UCSP_PORTS; in db: DbHandle);
// The passphrase crosses the IPC boundary as plain Data (Mach IPC is local
// and kernel-mediated, but not encrypted). The server should wipe it after
// use and never log or echo it in an error path.
routine unlockDbWithPassphrase(UCSP_PORTS; in db: DbHandle; in passPhrase: Data);
routine isLocked(UCSP_PORTS; in db: DbHandle; out locked: boolean_t);

//
// Key management
//
// NOTE(review): the KeyBlob given to decodeKey is client data; treat it as
// untrusted when parsing.
routine encodeKey(UCSP_PORTS; in key: KeyHandle; out blob: KeyBlob;
    in wantUid: boolean_t; out uid: Data);
routine decodeKey(UCSP_PORTS; out key: KeyHandle; out header: CssmKeyHeader;
    in db: DbHandle; in blob: KeyBlob);
routine releaseKey(UCSP_PORTS; in key: KeyHandle);
routine queryKeySizeInBits(UCSP_PORTS; in key: KeyHandle; out length: CSSM_KEY_SIZE);
routine getOutputSize(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in inputSize: uint32;
    in encrypt: boolean_t; out outputSize: uint32);
routine getKeyDigest(UCSP_PORTS; in key: KeyHandle; out digest: Data);

//
// Random numbers
//
// `bytes` is chosen by the client (any uint32); the server should cap the
// allocation it is willing to make for one request.
routine generateRandom(UCSP_PORTS; in bytes: uint32; out data: Data);

//
// Cryptographic operations
//
// verifySignature/verifyMac report success or failure only through rcode.
// NOTE(review): the MAC comparison on the server side should be constant-time.
routine generateSignature(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
    in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; out signature: Data);
routine verifySignature(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
    in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; in signature: Data);
routine generateMac(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in data: Data;
    out signature: Data);
routine verifyMac(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in data: Data;
    in signature: Data);
routine encrypt(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in clear: Data; out cipher: Data);
routine decrypt(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in cipher: Data; out clear: Data);
// Key generation: the new key lives in `db` (or is a floating key, depending
// on server policy - not visible here) and is returned as a handle plus its
// CssmKeyHeader; key material itself never leaves the server this way.
routine generateKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT;
    IN_BLOB(accessCredentials,AccessCredentials);
    IN_BLOB(aclEntryPrototype,AclEntryPrototype);
    in keyUsage: uint32; in keyAttrs: uint32;
    out key: KeyHandle; out header: CssmKeyHeader);
routine generateKeyPair(UCSP_PORTS; in db: DbHandle; IN_CONTEXT;
    IN_BLOB(accessCredentials,AccessCredentials);
    IN_BLOB(aclEntryPrototype,AclEntryPrototype);
    in pubUsage: uint32; in pubAttrs: uint32;
    in privUsage: uint32; in privAttrs: uint32;
    out pubKey: KeyHandle; out pubHeader: CssmKeyHeader;
    out privKey: KeyHandle; out privHeader: CssmKeyHeader);
routine deriveKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT; in baseKey: KeyHandle;
    IN_BLOB(accessCredentials,AccessCredentials);
    IN_BLOB(aclEntryPrototype,AclEntryPrototype);
    IN_BLOB(paramInput,ParamInput); out paramOutput: Data;
    in keyUsage: uint32; in keyAttrs: uint32;
    out key: KeyHandle; out header: CssmKeyHeader);
// wrapKey/unwrapKey are the only routines that carry key material across the
// interface (wrappedKey/wrappedKeyData), in wrapped form.
routine wrapKey(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
    IN_BLOB(accessCredentials,AccessCredentials);
    in keyToBeWrapped: KeyHandle; in data: Data;
    out wrappedKey: CssmKey; out wrappedKeyData: Data);
routine unwrapKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT; in key: KeyHandle;
    IN_BLOB(accessCredentials,AccessCredentials);
    IN_BLOB(aclEntryPrototype,AclEntryPrototype);
    in publicKey: KeyHandle; in wrappedKey: CssmKey; in wrappedKeyData: Data;
    in usage: uint32; in attributes: uint32;
    out data: Data; out resultKey: KeyHandle; out header: CssmKeyHeader);

//
// ACL management
//
// `kind` says what sort of object `key` names; the parameter is typed
// KeyHandle but, since all handles here are uint32_t, presumably carries
// DbHandles as well - confirm against the server dispatch.
// getOwner spells out the Blob/Ptr pair by hand; it is exactly what
// OUT_BLOB(proto,AclOwnerPrototype) would expand to.
routine getOwner(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
    out proto: AclOwnerPrototypeBlob; out protoBase: AclOwnerPrototypePtr);
routine setOwner(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
    IN_BLOB(accessCredentials,AccessCredentials);
    IN_BLOB(aclOwnerPrototype,AclOwnerPrototype));
routine getAcl(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
    in haveTag: boolean_t; in tag: CssmString;
    out count: uint32; out acls: AclEntryInfoBlob; out aclsBase: AclEntryInfoPtr);
routine changeAcl(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
    IN_BLOB(accessCredentials,AccessCredentials);
    in mode: CSSM_ACL_EDIT_MODE; in handle: CSSM_ACL_HANDLE;
    IN_BLOB(aclEntryInput,AclEntryInput));

//
// Authorization subsystem
//
routine authorizationCreate(UCSP_PORTS; IN_BLOB(rights,AuthorizationItemSet);
    in flags: uint32; IN_BLOB(environment,AuthorizationItemSet);
    out authorization: AuthorizationBlob);
routine authorizationRelease(UCSP_PORTS; in authorization: AuthorizationBlob; in flags: uint32);
routine authorizationCopyRights(UCSP_PORTS; in authorization: AuthorizationBlob;
    IN_BLOB(rights,AuthorizationItemSet); in flags: uint32;
    IN_BLOB(environment,AuthorizationItemSet);
    OUT_BLOB(result,AuthorizationItemSet));
routine authorizationCopyInfo(UCSP_PORTS; in authorization: AuthorizationBlob;
    in tag: AuthorizationString; OUT_BLOB(info,AuthorizationItemSet));
// See the note on AuthorizationExternalForm: the 32 bytes returned here are
// all another process needs to present to authorizationInternalize.
routine authorizationExternalize(UCSP_PORTS; in authorization: AuthorizationBlob;
    out form: AuthorizationExternalForm);
routine authorizationInternalize(UCSP_PORTS; in form: AuthorizationExternalForm;
    out authorization: AuthorizationBlob);

//
// Session management subsystem
//
routine getSessionInfo(UCSP_PORTS; inout sessionId: SecuritySessionId;
    out attrs: SessionAttributeBits);
routine setupSession(UCSP_PORTS; in flags: SessionCreationFlags; in attrs: SessionAttributeBits);

//
// Notification subsystem
//
// NOTE(review): postNotification lets any holder of the port inject a
// notification into `domain`; the server must decide who may post (from
// sourceSecurity) or receivers can be spoofed.
routine requestNotification(UCSP_PORTS; in receiver: mach_port_t; in domain: uint32; in events: uint32);
routine stopNotification(UCSP_PORTS; in receiver: mach_port_t);
routine postNotification(UCSP_PORTS; in domain: uint32; in event: uint32; in data: Data);

//
// Database key management
//
routine extractMasterKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT; in sourceDb: DbHandle;
    IN_BLOB(accessCredentials,AccessCredentials);
    IN_BLOB(aclEntryPrototype,AclEntryPrototype);
    in keyUsage: uint32; in keyAttrs: uint32;
    out key: KeyHandle; out header: CssmKeyHeader);
routine getDbIndex(UCSP_PORTS; in db: DbHandle; out index: Data);

//
// AuthorizationDB operations
//
// Reading a right definition needs no authorization argument; setting and
// removing one require an AuthorizationBlob in addition to the caller's
// security token.
routine authorizationdbGet(UCSP_PORTS; in rightname: AuthorizationString; out rightdefinition: Data);
routine authorizationdbSet(UCSP_PORTS; in authorization: AuthorizationBlob;
    in rightname: AuthorizationString; in rightDefinition: Data);
routine authorizationdbRemove(UCSP_PORTS; in authorization: AuthorizationBlob;
    in rightname: AuthorizationString);

//
// Miscellaneous administrative calls
//
// NOTE(review): these change trust decisions (which code is considered
// equivalent, where the system root is) yet carry no AuthorizationBlob; the
// only basis for restricting them is sourceSecurity in UCSP_PORTS. Confirm
// the server limits them to a suitably privileged caller.
routine addCodeEquivalence(UCSP_PORTS; in oldCode: Data; in newCode: Data;
    in name: ExecutablePath; in forSystem: boolean_t);
routine removeCodeEquivalence(UCSP_PORTS; in code: Data; in name: ExecutablePath;
    in forSystem: boolean_t);
routine setAlternateSystemRoot(UCSP_PORTS; in path: ExecutablePath);

//
// Child related calls
//
// One-way messages (simpleroutine): no reply, no rcode. They do not use
// UCSP_PORTS, so no kernel-supplied security token arrives with them; the
// receiver can only trust them as far as it trusts the port they came in on.
// NOTE(review): handleSignal declares its requestport as mach_port_make_send_t,
// unlike every other routine here - confirm that is intended.
simpleroutine registerChild(requestport sport: mach_port_t;
    replyport rport: mach_port_make_send_t; in task_port: mach_port_t);
simpleroutine handleSignal(requestport sport: mach_port_make_send_t;
    in task_port: mach_port_t; in signal_number: int);