SOSAccountPersistence.c [plain text]
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <AssertMacros.h>
#include "SOSAccountPriv.h"
#include "SOSViews.h"
#include <utilities/SecCFWrappers.h>
#include <utilities/SecCoreCrypto.h>
#include <Security/SecureObjectSync/SOSKVSKeys.h>
#include <SOSPeerInfoDER.h>
#include <Security/SecureObjectSync/SOSPeerInfoCollections.h>
static SOSAccountRef SOSAccountCreateFromRemainingDER_v6(CFAllocatorRef allocator,
SOSDataSourceFactoryRef factory,
CFErrorRef* error,
const uint8_t** der_p, const uint8_t *der_end)
{
SOSAccountRef result = NULL;
SOSAccountRef account = NULL;
CFArrayRef array = NULL;
CFDictionaryRef retiredPeers = NULL;
CFStringRef circle_name = factory->copy_name(factory);
{
CFDictionaryRef decoded_gestalt = NULL;
*der_p = der_decode_dictionary(kCFAllocatorDefault, kCFPropertyListImmutable, &decoded_gestalt, error,
*der_p, der_end);
if (*der_p == 0)
return NULL;
account = SOSAccountCreateBasic(allocator, decoded_gestalt, factory);
CFReleaseNull(decoded_gestalt);
}
*der_p = der_decode_array(kCFAllocatorDefault, 0, &array, error, *der_p, der_end);
uint64_t tmp_departure_code = kSOSNeverAppliedToCircle;
*der_p = ccder_decode_uint64(&tmp_departure_code, *der_p, der_end);
*der_p = ccder_decode_bool(&account->user_public_trusted, *der_p, der_end);
*der_p = der_decode_public_bytes(kCFAllocatorDefault, kSecECDSAAlgorithmID, &account->user_public, error, *der_p, der_end);
*der_p = der_decode_public_bytes(kCFAllocatorDefault, kSecECDSAAlgorithmID, &account->previous_public, error, *der_p, der_end);
*der_p = der_decode_data_or_null(kCFAllocatorDefault, &account->user_key_parameters, error, *der_p, der_end);
*der_p = der_decode_dictionary(kCFAllocatorDefault, kCFPropertyListMutableContainers, (CFDictionaryRef *) &retiredPeers, error, *der_p, der_end);
require_action_quiet(*der_p == der_end, fail, *der_p = NULL);
account->departure_code = (enum DepartureReason) tmp_departure_code;
CFDictionaryForEach(retiredPeers, ^(const void *key, const void *value) {
if (isData(value)) {
SOSPeerInfoRef retiree = SOSPeerInfoCreateFromData(kCFAllocatorDefault, NULL, (CFDataRef) value);
CFSetAddValue(account->retirees, retiree);
CFReleaseNull(retiree);
}
});
require_quiet(array && *der_p, fail);
CFArrayForEach(array, ^(const void *value) {
CFDataRef circleData = NULL;
CFDataRef fullPeerInfoData = NULL;
if (isData(value)) {
circleData = (CFDataRef) value;
} else if (isArray(value)) {
CFArrayRef pair = (CFArrayRef) value;
CFTypeRef circleObject = CFArrayGetValueAtIndex(pair, 0);
CFTypeRef fullPeerInfoObject = CFArrayGetValueAtIndex(pair, 1);
if (CFArrayGetCount(pair) == 2 && isData(circleObject) && isData(fullPeerInfoObject)) {
circleData = (CFDataRef) circleObject;
fullPeerInfoData = (CFDataRef) fullPeerInfoObject;
}
}
if (circleData) {
SOSCircleRef circle = SOSCircleCreateFromData(kCFAllocatorDefault, circleData, error);
require_quiet(circle && CFEqualSafe(circle_name, SOSCircleGetName(circle)), fail);
account->trusted_circle = CFRetainSafe(circle);
if(fullPeerInfoData) {
account->my_identity = SOSFullPeerInfoCreateFromData(kCFAllocatorDefault, fullPeerInfoData, NULL);
}
fail:
CFReleaseNull(circle);
}
});
CFReleaseNull(array);
require_action_quiet(SOSAccountEnsureFactoryCircles(account), fail,
SOSCreateError(kSOSErrorBadFormat, CFSTR("Cannot EnsureFactoryCircles"), (error != NULL) ? *error : NULL, error));
result = CFRetainSafe(account);
fail:
CFReleaseNull(account);
return result;
}
static size_t der_sizeof_data_optional(CFDataRef data)
{
return data ? der_sizeof_data(data, NULL) : 0;
}
static uint8_t* der_encode_data_optional(CFDataRef data, CFErrorRef *error,
const uint8_t *der, uint8_t *der_end)
{
return data ? der_encode_data(data, error, der, der_end) : der_end;
}
static const uint8_t* der_decode_data_optional(CFAllocatorRef allocator, CFOptionFlags mutability,
CFDataRef* data, CFErrorRef *error,
const uint8_t* der, const uint8_t *der_end)
{
const uint8_t *dt_end = der_decode_data(allocator, mutability, data, NULL, der, der_end);
return dt_end ? dt_end : der;
}
static SOSAccountRef SOSAccountCreateFromRemainingDER_v7(CFAllocatorRef allocator,
SOSDataSourceFactoryRef factory,
CFErrorRef* error,
const uint8_t** der_p, const uint8_t *der_end)
{
SOSAccountRef account = NULL;
SOSAccountRef result = NULL;
{
CFDictionaryRef decoded_gestalt = NULL;
*der_p = der_decode_dictionary(kCFAllocatorDefault, kCFPropertyListImmutable, &decoded_gestalt, error,
*der_p, der_end);
if (*der_p == 0)
return NULL;
account = SOSAccountCreateBasic(allocator, decoded_gestalt, factory);
CFReleaseNull(decoded_gestalt);
}
account->trusted_circle = SOSCircleCreateFromDER(kCFAllocatorDefault, error, der_p, der_end);
*der_p = der_decode_fullpeer_or_null(kCFAllocatorDefault, &account->my_identity, error, *der_p, der_end);
uint64_t tmp_departure_code = kSOSNeverAppliedToCircle;
*der_p = ccder_decode_uint64(&tmp_departure_code, *der_p, der_end);
*der_p = ccder_decode_bool(&account->user_public_trusted, *der_p, der_end);
*der_p = der_decode_public_bytes(kCFAllocatorDefault, kSecECDSAAlgorithmID, &account->user_public, error, *der_p, der_end);
*der_p = der_decode_public_bytes(kCFAllocatorDefault, kSecECDSAAlgorithmID, &account->previous_public, error, *der_p, der_end);
*der_p = der_decode_data_or_null(kCFAllocatorDefault, &account->user_key_parameters, error, *der_p, der_end);
account->retirees = SOSPeerInfoSetCreateFromArrayDER(kCFAllocatorDefault, &kSOSPeerSetCallbacks, error, der_p, der_end);
*der_p = der_decode_data_optional(kCFAllocatorDefault, kCFPropertyListImmutable, &account->backup_key, error, *der_p, der_end);
account->departure_code = (enum DepartureReason) tmp_departure_code;
require_action_quiet(*der_p && *der_p == der_end, fail,
SOSCreateError(kSOSErrorBadFormat, CFSTR("Didn't consume all bytes v7"), (error != NULL) ? *error : NULL, error));
result = CFRetainSafe(account);
fail:
CFReleaseNull(account);
return result;
}
static SOSAccountRef SOSAccountCreateFromRemainingDER_v8(CFAllocatorRef allocator,
SOSDataSourceFactoryRef factory,
CFErrorRef* error,
const uint8_t** der_p, const uint8_t *der_end)
{
SOSAccountRef account = NULL;
SOSAccountRef result = NULL;
{
CFDictionaryRef decoded_gestalt = NULL;
*der_p = der_decode_dictionary(kCFAllocatorDefault, kCFPropertyListImmutable, &decoded_gestalt, error,
*der_p, der_end);
if (*der_p == 0)
return NULL;
account = SOSAccountCreateBasic(allocator, decoded_gestalt, factory);
CFReleaseNull(decoded_gestalt);
}
CFReleaseNull(account->trusted_circle);
account->trusted_circle = SOSCircleCreateFromDER(kCFAllocatorDefault, error, der_p, der_end);
CFReleaseNull(account->my_identity);
*der_p = der_decode_fullpeer_or_null(kCFAllocatorDefault, &account->my_identity, error, *der_p, der_end);
uint64_t tmp_departure_code = kSOSNeverAppliedToCircle;
*der_p = ccder_decode_uint64(&tmp_departure_code, *der_p, der_end);
*der_p = ccder_decode_bool(&account->user_public_trusted, *der_p, der_end);
*der_p = der_decode_public_bytes(kCFAllocatorDefault, kSecECDSAAlgorithmID, &account->user_public, error, *der_p, der_end);
*der_p = der_decode_public_bytes(kCFAllocatorDefault, kSecECDSAAlgorithmID, &account->previous_public, error, *der_p, der_end);
*der_p = der_decode_data_or_null(kCFAllocatorDefault, &account->user_key_parameters, error, *der_p, der_end);
CFReleaseNull(account->retirees);
account->retirees = SOSPeerInfoSetCreateFromArrayDER(kCFAllocatorDefault, &kSOSPeerSetCallbacks, error, der_p, der_end);
*der_p = der_decode_data_optional(kCFAllocatorDefault, kCFPropertyListImmutable, &account->backup_key, error, *der_p, der_end);
{
CFDictionaryRef expansion = NULL;
*der_p = der_decode_dictionary(kCFAllocatorDefault, kCFPropertyListImmutable, &expansion, error,
*der_p, der_end);
if (*der_p == 0)
return NULL;
CFReleaseNull(account->expansion);
account->expansion = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, expansion);
CFReleaseNull(expansion);
}
account->departure_code = (enum DepartureReason) tmp_departure_code;
require_action_quiet(*der_p && *der_p == der_end, fail,
SOSCreateError(kSOSErrorBadFormat, CFSTR("Didn't consume all bytes v7"), (error != NULL) ? *error : NULL, error));
result = CFRetainSafe(account);
fail:
CFReleaseNull(account);
return result;
}
#define CURRENT_ACCOUNT_PERSISTENT_VERSION 8
SOSAccountRef SOSAccountCreateFromDER(CFAllocatorRef allocator,
SOSDataSourceFactoryRef factory,
CFErrorRef* error,
const uint8_t** der_p, const uint8_t *der_end)
{
SOSAccountRef account = NULL;
SOSAccountRef result = NULL;
uint64_t version = 0;
const uint8_t *sequence_end;
*der_p = ccder_decode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, &sequence_end, *der_p, der_end);
*der_p = ccder_decode_uint64(&version, *der_p, sequence_end);
require_action_quiet(*der_p, errOut,
SOSCreateError(kSOSErrorBadFormat, CFSTR("Version parsing failed"), (error != NULL) ? *error : NULL, error));
switch (version) {
case CURRENT_ACCOUNT_PERSISTENT_VERSION:
account = SOSAccountCreateFromRemainingDER_v8(allocator, factory, error, der_p, sequence_end);
break;
case 7:
account = SOSAccountCreateFromRemainingDER_v7(allocator, factory, error, der_p, sequence_end);
break;
case 6:
account = SOSAccountCreateFromRemainingDER_v6(allocator, factory, error, der_p, sequence_end);
break;
default:
SOSCreateErrorWithFormat(kSOSErrorBadFormat, (error != NULL) ? *error : NULL, error,
NULL, CFSTR("Unsupported version (%llu)"), version);
break;
}
require_quiet(account, errOut);
require_quiet(*der_p && *der_p == sequence_end, errOut);
if(account->my_identity) {
require_action_quiet(SOSFullPeerInfoPrivKeyExists(account->my_identity), errOut, secnotice("account", "No private key associated with my_identity, resetting"));
}
require_action_quiet(SOSAccountEnsureFactoryCircles(account), errOut,
SOSCreateError(kSOSErrorBadFormat, CFSTR("Cannot EnsureFactoryCircles"), (error != NULL) ? *error : NULL, error));
SOSPeerInfoRef myPI = SOSAccountGetMyPeerInfo(account);
if (myPI) {
bool wasSyncingLegacy = !SOSPeerInfoVersionIsCurrent(myPI) && SOSAccountIsInCircle(account, NULL);
CFSetRef viewsToEnsure = SOSViewsCreateDefault(wasSyncingLegacy, NULL);
SOSAccountUpdateFullPeerInfo(account, viewsToEnsure);
CFReleaseNull(viewsToEnsure);
}
SOSAccountCheckHasBeenInSync(account);
result = CFRetainSafe(account);
errOut:
CFReleaseNull(account);
return result;
}
SOSAccountRef SOSAccountCreateFromData(CFAllocatorRef allocator, CFDataRef circleData,
SOSDataSourceFactoryRef factory,
CFErrorRef* error)
{
size_t size = CFDataGetLength(circleData);
const uint8_t *der = CFDataGetBytePtr(circleData);
SOSAccountRef account = SOSAccountCreateFromDER(allocator, factory,
error,
&der, der + size);
return account;
}
CFMutableSetRef SOSPeerInfoSetCreateFromArrayDER(CFAllocatorRef allocator, const CFSetCallBacks *callbacks, CFErrorRef* error,
const uint8_t** der_p, const uint8_t *der_end);
size_t SOSPeerInfoSetGetDEREncodedArraySize(CFSetRef pia, CFErrorRef *error);
uint8_t* SOSPeerInfoSetEncodeToArrayDER(CFSetRef pia, CFErrorRef* error, const uint8_t* der, uint8_t* der_end);
size_t SOSAccountGetDEREncodedSize(SOSAccountRef account, CFErrorRef *error)
{
size_t sequence_size = 0;
uint64_t version = CURRENT_ACCOUNT_PERSISTENT_VERSION;
require_quiet(accumulate_size(&sequence_size, ccder_sizeof_uint64(version)), fail);
require_quiet(accumulate_size(&sequence_size, der_sizeof_dictionary(account->gestalt, error)), fail);
require_quiet(accumulate_size(&sequence_size, SOSCircleGetDEREncodedSize(account->trusted_circle, error)), fail);
require_quiet(accumulate_size(&sequence_size, der_sizeof_fullpeer_or_null(account->my_identity, error)), fail);
require_quiet(accumulate_size(&sequence_size, ccder_sizeof_uint64(account->departure_code)), fail);
require_quiet(accumulate_size(&sequence_size, ccder_sizeof_bool(account->user_public_trusted, error)), fail);
require_quiet(accumulate_size(&sequence_size, der_sizeof_public_bytes(account->user_public, error)), fail);
require_quiet(accumulate_size(&sequence_size, der_sizeof_public_bytes(account->previous_public, error)), fail);
require_quiet(accumulate_size(&sequence_size, der_sizeof_data_or_null(account->user_key_parameters, error)), fail);
require_quiet(accumulate_size(&sequence_size, SOSPeerInfoSetGetDEREncodedArraySize(account->retirees, error)), fail);
accumulate_size(&sequence_size, der_sizeof_data_optional(account->backup_key));
require_quiet(accumulate_size(&sequence_size, der_sizeof_dictionary(account->expansion, error)), fail);
return ccder_sizeof(CCDER_CONSTRUCTED_SEQUENCE, sequence_size);
fail:
SecCFDERCreateError(kSecDERErrorUnknownEncoding, CFSTR("don't know how to encode"), NULL, error);
return 0;
}
uint8_t* SOSAccountEncodeToDER(SOSAccountRef account, CFErrorRef* error, const uint8_t* der, uint8_t* der_end)
{
uint64_t version = CURRENT_ACCOUNT_PERSISTENT_VERSION;
der_end = ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der,
ccder_encode_uint64(version, der,
der_encode_dictionary(account->gestalt, error, der,
SOSCircleEncodeToDER(account->trusted_circle, error, der,
der_encode_fullpeer_or_null(account->my_identity, error, der,
ccder_encode_uint64(account->departure_code, der,
ccder_encode_bool(account->user_public_trusted, der,
der_encode_public_bytes(account->user_public, error, der,
der_encode_public_bytes(account->previous_public, error, der,
der_encode_data_or_null(account->user_key_parameters, error, der,
SOSPeerInfoSetEncodeToArrayDER(account->retirees, error, der,
der_encode_data_optional(account->backup_key, error, der,
der_encode_dictionary(account->expansion, error, der,
der_end)))))))))))));
return der_end;
}
CFDataRef SOSAccountCopyEncodedData(SOSAccountRef account, CFAllocatorRef allocator, CFErrorRef *error)
{
size_t size = SOSAccountGetDEREncodedSize(account, error);
if (size == 0)
return NULL;
uint8_t buffer[size];
uint8_t* start = SOSAccountEncodeToDER(account, error, buffer, buffer + sizeof(buffer));
CFDataRef result = CFDataCreate(kCFAllocatorDefault, start, size);
return result;
}