//
// ucsp.defs - Mach RPC interface between SecurityServer and its clients
//
#include <mach/std_types.defs>
#include <mach/mach_types.defs>
subsystem ucsp 1000;
serverprefix ucsp_server_;
userprefix ucsp_client_;
import "securityserver.h";
import "ucsp_types.h";
//
// Data types
//
type Data = array [] of char;
type Pointer = unsigned32;
type BasePointer = unsigned32;
type KeyHandle = unsigned32;
type KeyBlob = Data
ctype: Pointer;
type DbHandle = unsigned32;
type DbBlob = Data
ctype: Pointer;
type AclEntryPrototypeBlob = Data
ctype: AclEntryPrototypePtr;
type AclEntryPrototypePtr = BasePointer;
type AclEntryInfoBlob = Data
ctype: AclEntryInfoPtr;
type AclEntryInfoPtr = BasePointer;
type AclEntryInputBlob = Data
ctype: AclEntryInputPtr;
type AclEntryInputPtr = BasePointer;
type AclOwnerPrototypeBlob = Data
ctype: AclOwnerPrototypePtr;
type AclOwnerPrototypePtr = BasePointer;
type AccessCredentialsBlob = Data
ctype: AccessCredentialsPtr;
type AccessCredentialsPtr = BasePointer;
type DLDbIdentBlob = Data
ctype: DLDbIdentPtr;
type DLDbIdentPtr = BasePointer;
type ParamInputBlob = Data
ctype: ParamInputPtr;
type ParamInputPtr = BasePointer;
type VoidBlob = Data
ctype: VoidPtr;
type VoidPtr = unsigned32;
type SetupInfo = struct[4] of uint8_t
ctype: ClientSetupInfo;
type Context = struct [9*4] of uint8_t
ctype: CSSM_CONTEXT
intran: Context inTrans(CSSM_CONTEXT);
type ContextAttributes = array [] of char
cservertype: ContextAttributesPointer;
type CssmKeyHeader = struct [23*4] of uint8_t;
type CssmKey = struct [(23+2)*4] of uint8_t
ctype: CSSM_KEY
intran: CssmKey inTrans(CSSM_KEY)
outtran: CSSM_KEY outTrans(CssmKey);
type CSSM_KEY_SIZE = struct [2*4] of uint32_t
ctype: CSSM_KEY_SIZE;
type DBParameters = struct [1*4] of uint32_t;
type AuthorizationItemSetBlob = Data
ctype: AuthorizationItemSetPtr;
type AuthorizationItemSetPtr = BasePointer;
type AuthorizationBlob = struct [8] of uint8_t; // 8 opaque bytes
type AuthorizationExternalForm = struct [32] of uint8_t; // 32 opaque bytes
type CssmString = c_string[*:64+4];
type AuthorizationString = c_string[*:1024];
type CSSM_RETURN = int32;
type CSSM_ALGORITHMS = unsigned32;
type CSSM_ACL_EDIT_MODE = unsigned32;
type CSSM_ACL_HANDLE = unsigned32;
type AclKind = unsigned32;
type uint32 = unsigned32;
type SecuritySessionId = unsigned32;
type SessionAttributeBits = unsigned32;
type SessionCreationFlags = unsigned32;
type ExecutablePath = c_string[*:2048];
//
// Common argument profiles
//
#define UCSP_PORTS requestport sport: mach_port_t; \
replyport rport: mach_port_make_send_t; \
serversectoken sourceSecurity: security_token_t; \
out rcode: CSSM_RETURN
#define IN_CONTEXT in context: Context; in contextBase: BasePointer; in attrs: ContextAttributes
#define IN_BLOB(name,type) in name: type##Blob; in name##Base: type##Ptr
#define OUT_BLOB(name,type) out name: type##Blob; out name##Base: type##Ptr
//
// Management and administrative functions
//
routine setup(UCSP_PORTS; in tport: mach_port_t; in info: SetupInfo; in executablePath: ExecutablePath);
routine setupNew(UCSP_PORTS; in tport: mach_port_t; in info: SetupInfo; in executablePath: ExecutablePath;
out newServicePort: mach_port_make_send_t);
routine setupThread(UCSP_PORTS; in tport: mach_port_t);
routine teardown(UCSP_PORTS);
//
// Database management
//
routine createDb(UCSP_PORTS; out db: DbHandle; IN_BLOB(ident,DLDbIdent);
IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype);
in params: DBParameters);
routine decodeDb(UCSP_PORTS; out db: DbHandle; IN_BLOB(ident,DLDbIdent);
IN_BLOB(accessCredentials,AccessCredentials); in blob: DbBlob);
routine encodeDb(UCSP_PORTS; in db: DbHandle; out blob: DbBlob);
routine releaseDb(UCSP_PORTS; in db: DbHandle);
routine authenticateDb(UCSP_PORTS; in db: DbHandle; IN_BLOB(accessCredentials,AccessCredentials));
routine setDbParameters(UCSP_PORTS; in db: DbHandle; in params: DBParameters);
routine getDbParameters(UCSP_PORTS; in db: DbHandle; out params: DBParameters);
routine changePassphrase(UCSP_PORTS; in db: DbHandle;
IN_BLOB(accessCredentials,AccessCredentials));
routine lockDb(UCSP_PORTS; in db: DbHandle);
routine lockAll(UCSP_PORTS; in forSleep: boolean_t);
routine unlockDb(UCSP_PORTS; in db: DbHandle);
routine unlockDbWithPassphrase(UCSP_PORTS; in db: DbHandle; in passPhrase: Data);
routine isLocked(UCSP_PORTS; in db: DbHandle; out locked: boolean_t);
//
// Key management
//
routine encodeKey(UCSP_PORTS; in key: KeyHandle; out blob: KeyBlob;
in wantUid: boolean_t; out uid: Data);
routine decodeKey(UCSP_PORTS; out key: KeyHandle; out header: CssmKeyHeader;
in db: DbHandle; in blob: KeyBlob);
routine releaseKey(UCSP_PORTS; in key: KeyHandle);
routine queryKeySizeInBits(UCSP_PORTS; in key: KeyHandle; out length: CSSM_KEY_SIZE);
routine getOutputSize(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
in inputSize: uint32; in encrypt: boolean_t; out outputSize: uint32);
routine getKeyDigest(UCSP_PORTS; in key: KeyHandle; out digest: Data);
//
// Random numbers
//
routine generateRandom(UCSP_PORTS; in bytes: uint32; out data: Data);
//
// Cryptographic operations
//
routine generateSignature(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; out signature: Data);
routine verifySignature(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
in signOnlyAlgorithm: CSSM_ALGORITHMS; in data: Data; in signature: Data);
routine generateMac(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
in data: Data; out signature: Data);
routine verifyMac(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
in data: Data; in signature: Data);
routine encrypt(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in clear: Data; out cipher: Data);
routine decrypt(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle; in cipher: Data; out clear: Data);
routine generateKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT;
IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype);
in keyUsage: uint32; in keyAttrs: uint32; out key: KeyHandle; out header: CssmKeyHeader);
routine generateKeyPair(UCSP_PORTS; in db: DbHandle; IN_CONTEXT;
IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype);
in pubUsage: uint32; in pubAttrs: uint32; in privUsage: uint32; in privAttrs: uint32;
out pubKey: KeyHandle; out pubHeader: CssmKeyHeader;
out privKey: KeyHandle; out privHeader: CssmKeyHeader);
routine deriveKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT; in baseKey: KeyHandle;
IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype);
IN_BLOB(paramInput,ParamInput); out paramOutput: Data;
in keyUsage: uint32; in keyAttrs: uint32; out key: KeyHandle; out header: CssmKeyHeader);
routine wrapKey(UCSP_PORTS; IN_CONTEXT; in key: KeyHandle;
IN_BLOB(accessCredentials,AccessCredentials); in keyToBeWrapped: KeyHandle;
in data: Data; out wrappedKey: CssmKey; out wrappedKeyData: Data);
routine unwrapKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT; in key: KeyHandle;
IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype);
in publicKey: KeyHandle; in wrappedKey: CssmKey; in wrappedKeyData: Data;
in usage: uint32; in attributes: uint32; out data: Data;
out resultKey: KeyHandle; out header: CssmKeyHeader);
//
// ACL management
//
routine getOwner(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
out proto: AclOwnerPrototypeBlob; out protoBase: AclOwnerPrototypePtr);
routine setOwner(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclOwnerPrototype,AclOwnerPrototype));
routine getAcl(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
in haveTag: boolean_t; in tag: CssmString;
out count: uint32; out acls: AclEntryInfoBlob; out aclsBase: AclEntryInfoPtr);
routine changeAcl(UCSP_PORTS; in kind: AclKind; in key: KeyHandle;
IN_BLOB(accessCredentials,AccessCredentials);
in mode: CSSM_ACL_EDIT_MODE; in handle: CSSM_ACL_HANDLE;
IN_BLOB(aclEntryInput,AclEntryInput));
//
// Authorization subsystem
//
routine authorizationCreate(UCSP_PORTS; IN_BLOB(rights,AuthorizationItemSet);
in flags: uint32;
IN_BLOB(environment,AuthorizationItemSet);
out authorization: AuthorizationBlob);
routine authorizationRelease(UCSP_PORTS; in authorization: AuthorizationBlob;
in flags: uint32);
routine authorizationCopyRights(UCSP_PORTS; in authorization: AuthorizationBlob;
IN_BLOB(rights,AuthorizationItemSet); in flags: uint32;
IN_BLOB(environment,AuthorizationItemSet);
OUT_BLOB(result,AuthorizationItemSet));
routine authorizationCopyInfo(UCSP_PORTS; in authorization: AuthorizationBlob;
in tag: AuthorizationString;
OUT_BLOB(info,AuthorizationItemSet));
routine authorizationExternalize(UCSP_PORTS; in authorization: AuthorizationBlob;
out form: AuthorizationExternalForm);
routine authorizationInternalize(UCSP_PORTS; in form: AuthorizationExternalForm;
out authorization: AuthorizationBlob);
//
// Session management subsystem
//
routine getSessionInfo(UCSP_PORTS; inout sessionId: SecuritySessionId;
out attrs: SessionAttributeBits);
routine setupSession(UCSP_PORTS; in flags: SessionCreationFlags; in attrs: SessionAttributeBits);
//
// Notification subsystem
//
routine requestNotification(UCSP_PORTS; in receiver: mach_port_t; in domain: uint32; in events: uint32);
routine stopNotification(UCSP_PORTS; in receiver: mach_port_t);
routine postNotification(UCSP_PORTS; in domain: uint32; in event: uint32; in data: Data);
//
// Database key management
//
routine extractMasterKey(UCSP_PORTS; in db: DbHandle; IN_CONTEXT; in sourceDb: DbHandle;
IN_BLOB(accessCredentials,AccessCredentials); IN_BLOB(aclEntryPrototype,AclEntryPrototype);
in keyUsage: uint32; in keyAttrs: uint32; out key: KeyHandle; out header: CssmKeyHeader);
routine getDbIndex(UCSP_PORTS; in db: DbHandle; out index: Data);
//
// AuthorizationDB operations
//
routine authorizationdbGet(UCSP_PORTS; in rightname: AuthorizationString; out rightdefinition: Data);
routine authorizationdbSet(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString; in rightDefinition: Data);
routine authorizationdbRemove(UCSP_PORTS; in authorization: AuthorizationBlob; in rightname: AuthorizationString);
//
// Miscellaneous administrative calls
//
routine addCodeEquivalence(UCSP_PORTS; in oldCode: Data; in newCode: Data; in name: ExecutablePath;
in forSystem: boolean_t);
routine removeCodeEquivalence(UCSP_PORTS; in code: Data; in name: ExecutablePath;
in forSystem: boolean_t);
routine setAlternateSystemRoot(UCSP_PORTS; in path: ExecutablePath);