#ifndef _H_DBCRYPTO
#define _H_DBCRYPTO
#include <securityd_client/ssblob.h>
#include <security_cdsa_client/cspclient.h>
#include <security_cdsa_client/keyclient.h>
using namespace SecurityServer;
class DatabaseCryptoCore {
public:
DatabaseCryptoCore(uint32 requestedVersion = CommonBlob::version_none);
virtual ~DatabaseCryptoCore();
void initializeFrom(DatabaseCryptoCore& core, uint32 requestedVersion = CommonBlob::version_none);
bool isValid() const { return mIsValid; }
bool hasMaster() const { return mHaveMaster; }
void invalidate();
void generateNewSecrets();
CssmClient::Key masterKey();
void setup(const DbBlob *blob, const CssmData &passphrase, bool copyVersion = true);
void setup(const DbBlob *blob, CssmClient::Key master, bool copyVersion = true);
void decodeCore(const DbBlob *blob, void **privateAclBlob = NULL);
DbBlob *encodeCore(const DbBlob &blobTemplate,
const CssmData &publicAcl, const CssmData &privateAcl) const;
void importSecrets(const DatabaseCryptoCore &src);
KeyBlob *encodeKeyCore(const CssmKey &key,
const CssmData &publicAcl, const CssmData &privateAcl,
bool inTheClear) const;
void decodeKeyCore(KeyBlob *blob,
CssmKey &key, void * &pubAcl, void * &privAcl) const;
static const uint32 managedAttributes = KeyBlob::managedAttributes;
static const uint32 forcedAttributes = KeyBlob::forcedAttributes;
bool get_encryption_key(CssmOwnedData &data);
public:
bool validatePassphrase(const CssmData &passphrase);
bool validateKey(const CssmClient::Key& master);
protected:
uint32 mBlobVersion;
private:
bool mHaveMaster; bool mIsValid;
CssmClient::Key mMasterKey; uint8 mSalt[20];
CssmClient::Key mEncryptionKey; CssmClient::Key mSigningKey;
CssmClient::Key deriveDbMasterKey(const CssmData &passphrase) const;
CssmClient::Key makeRawKey(void *data, size_t length,
CSSM_ALGORITHMS algid, CSSM_KEYUSE usage);
};
#endif //_H_DBCRYPTO