#import <Foundation/Foundation.h>
#import <Security/SecKeychainPriv.h>
#include <MobileKeyBag/MobileKeyBag.h>
static void print(NSString* str) {
if (![str hasSuffix:@"\n"]) {
str = [str stringByAppendingString:@"\n"];
}
[str writeToFile:@"/dev/stdout" atomically:NO encoding:NSUTF8StringEncoding error:nil];
}
static void usage() {
print(@"Usage: stashtester [commands]");
print(@"");
print(@"Commands:");
print(@" -c Combine stash and load requests (equivalent to -s and -l)");
print(@" -l Send stash login request to securityd (SecKeychainLogin)");
print(@" -s Send stash request to securityd (SecKeychainStash)");
print(@" -t Test the complete operation");
}
static bool performStash() {
NSLog(@"attempting stash");
OSStatus result = SecKeychainStash();
NSLog(@"result from stash: return result == errSecSuccess;
}
static bool performLoad() {
NSLog(@"attempting load");
OSStatus result = SecKeychainLogin(0, NULL, 0, NULL);
NSLog(@"result from load: return result == errSecSuccess;
}
static NSMutableDictionary* makeQuery(bool includeData) {
NSMutableDictionary* query = [@{
(id)kSecClass : (id)kSecClassGenericPassword,
(id)kSecAttrAccount : @"stashtester",
(id)kSecUseDataProtectionKeychain : @NO,
} mutableCopy];
if (includeData) {
query[(id)kSecValueData] = [@"sekrit" dataUsingEncoding:NSUTF8StringEncoding];
}
return query;
}
static bool performTest() {
NSLog(@"Begin test");
NSLog(@"Adding item to keychain");
NSMutableDictionary* addQ = makeQuery(true);
OSStatus result = SecItemAdd((__bridge CFDictionaryRef)addQ, NULL);
if (result != errSecSuccess) {
NSLog(@"Failed to add item pre-stash: return false;
}
if (!performStash()) {
NSLog(@"Stash failed; aborting test");
return false;
}
NSLog(@"Locking legacy keychain");
SecKeychainRef loginkc = NULL;
SecKeychainCopyLogin(&loginkc);
result = SecKeychainCopyLogin(&loginkc);
if (result != errSecSuccess) {
NSLog(@"Unable to obtain reference to login keychain; aborting test");
return false;
}
result = SecKeychainLock(loginkc);
if (result != errSecSuccess) {
NSLog(@"Unable to lock login keychain; aborting test");
return false;
}
SecKeychainStatus status = 0;
result = SecKeychainGetStatus(loginkc, &status);
CFRelease(loginkc);
if (result != errSecSuccess) {
NSLog(@"Unable to get login keychain status; aborting test");
return false;
}
if (status & kSecUnlockStateStatus) {
NSLog(@"Login keychain not locked after locking; aborting test");
return false;
}
NSLog(@"Locking keybag");
int rc = MKBLockDevice((__bridge CFDictionaryRef)@{(id)kKeyBagLockDeviceNow : @YES});
if (rc != kIOReturnSuccess) {
NSLog(@"Failed to lock keybag ( return false;
}
// MKB asynchronously locks bag, make sure we don't race it
NSLog(@"Twiddling thumbs for 11 seconds");
sleep(11);
NSLog(@"Verifying keybag is locked");
NSMutableDictionary* checkQ = makeQuery(false);
checkQ[(id)kSecUseDataProtectionKeychain] = @YES;
result = SecItemAdd((__bridge CFDictionaryRef)checkQ, NULL);
if (result != errSecInteractionNotAllowed) {
NSLog(@"Data protection keychain unexpectedly not locked; aborting test");
return false;
}
if (!performLoad()) {
NSLog(@"Failed to load stash ( return false;
}
NSMutableDictionary* findQ = makeQuery(false);
findQ[(id)kSecReturnData] = @YES;
CFTypeRef object = NULL;
result = SecItemCopyMatching((__bridge CFDictionaryRef)findQ, &object);
NSData* password;
if (object) {
password = CFBridgingRelease(object);
}
if (result != errSecSuccess || !password || ![[@"sekrit" dataUsingEncoding:NSUTF8StringEncoding] isEqual:password]) {
NSLog(@"Unable to find item post-stashload ( return false;
}
NSLog(@"Test succeeded");
return true;
}
static bool cleanup() {
NSLog(@"Cleaning up");
NSMutableDictionary* query = makeQuery(false);
OSStatus result = SecItemDelete((__bridge CFDictionaryRef)query);
if (result != errSecSuccess) {
NSLog(@"Cleanup: failed to delete item");
return false;
}
return true;
}
int main(int argc, const char * argv[]) {
@autoreleasepool {
bool stash = false;
bool load = false;
bool test = false;
int arg = 0;
char * const *gargv = (char * const *)argv;
while ((arg = getopt(argc, gargv, "clst")) != -1) {
switch (arg) {
case 'c':
stash = true;
load = true;
break;
case 'l':
load = true;
break;
case 's':
stash = true;
break;
case 't':
test = true;
break;
default:
usage();
return 1;
}
}
if ((!stash && !load && !test) ||
(test && (stash || load)))
{
usage();
return 1;
}
if (test) {
bool testresult = performTest();
bool cleanresult = cleanup();
return (testresult && cleanresult) ? 0 : -1;
}
if (stash && !performStash()) {
return -1;
}
if (load && !performLoad()) {
return -1;
}
}
return 0;
}