void GemaltoToken::_addPinState(AutoAclEntryInfoList& acl, uint32 slot, uint32 status)
{
char tag[20];
snprintf(tag, sizeof(tag), "PIN%d?", (int) slot);
TypedList subj(acl.allocator(), CSSM_WORDID_PIN, new(acl.allocator()) ListElement(slot), new(acl.allocator()) ListElement(status));
acl.add(subj, CSSM_WORDID_PIN, tag);
}
void GemaltoToken::_aclClear(AutoAclEntryInfoList& acl)
{
if (acl == true)
{
DataWalkers::ChunkFreeWalker w(acl.allocator());
for (uint32 ix = 0; ix < acl.size(); ix++)
walk(w, acl.at(ix));
acl.size(0);
}
}
void GemaltoToken::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
{
log("\nGemaltoToken::getAcl <BEGIN>\n");
log("tag <%s> - count <%lu>\n", tag, count);
Allocator &alloc = Allocator::standard();
if (uint32 pin = _pinFromAclTag(tag, "?"))
{
static AutoAclEntryInfoList acl;
_aclClear(acl);
acl.allocator(alloc);
uint32_t status = this->pinStatus(pin);
if (status == SCARD_SUCCESS)
{
_addPinState(acl, pin, CSSM_ACL_PREAUTH_TRACKING_AUTHORIZED);
}
else if (SCARD_AUTHENTICATION_BLOCKED == status)
{
_addPinState(acl, pin, CSSM_ACL_PREAUTH_TRACKING_BLOCKED);
}
else
{
_addPinState(acl, pin, CSSM_ACL_PREAUTH_TRACKING_UNKNOWN);
}
count = acl.size();
acls = acl.entries();
log("count <%lu>\n", count);
log("GemaltoToken::getAcl <END>\n");
return;
}
// get pin list, then for each pin
if (!mAclEntries)
{
mAclEntries.allocator(alloc);
// Anyone can read the attributes and data of any record on this token
// (it's further limited by the object itself).
mAclEntries.add(CssmClient::AclFactory::AnySubject( mAclEntries.allocator()), AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0));
// We support PIN1 with either a passed in password subject or a prompted password subject.
mAclEntries.addPin(AclFactory::PWSubject(mAclEntries.allocator()), 1);
mAclEntries.addPin(AclFactory::PromptPWSubject(mAclEntries.allocator(), CssmData()), 1);
mAclEntries.addPin(AclFactory::PinSubject(mAclEntries.allocator(), CssmData()), 1);
}
count = mAclEntries.size();
acls = mAclEntries.entries();
log("count <%lu>\n", count);
log("GemaltoToken::getAcl <END>\n");
}
void BELPICToken::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
{
Allocator &alloc = Allocator::standard();
if (unsigned pin = pinFromAclTag(tag, "?")) {
static AutoAclEntryInfoList acl;
acl.clear();
acl.allocator(alloc);
uint32_t status = this->pinStatus(pin);
if (status == SCARD_SUCCESS)
acl.addPinState(pin, CSSM_ACL_PREAUTH_TRACKING_AUTHORIZED);
else
acl.addPinState(pin, CSSM_ACL_PREAUTH_TRACKING_UNKNOWN);
count = acl.size();
acls = acl.entries();
return;
}
// get pin list, then for each pin
if (!mAclEntries)
{
mAclEntries.allocator(alloc);
// Anyone can read the attributes and data of any record on this token
// (it's further limited by the object itself).
mAclEntries.add(CssmClient::AclFactory::AnySubject(
mAclEntries.allocator()),
AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0));
// We support PIN1 with either a passed in password
// subject or a prompted password subject.
mAclEntries.addPin(AclFactory::PWSubject(alloc), 1);
mAclEntries.addPin(AclFactory::PromptPWSubject(alloc, CssmData()), 1);
}
count = mAclEntries.size();
acls = mAclEntries.entries();
}
void
KeyImpl::getAcl(AutoAclEntryInfoList &aclInfos, const char *selectionTag) const
{
aclInfos.allocator(allocator());
check(CSSM_GetKeyAcl(csp()->handle(), this, reinterpret_cast<const CSSM_STRING *>(selectionTag), aclInfos, aclInfos));
}
void
SDDLSession::PassThrough(CSSM_DB_HANDLE inDbHandle,
uint32 inPassThroughId,
const void *inInputParams,
void **outOutputParams)
{
switch (inPassThroughId)
{
case CSSM_APPLECSPDL_DB_LOCK:
mClientSession.lock(ClientSession::toIPCHandle(inDbHandle));
break;
case CSSM_APPLECSPDL_DB_UNLOCK:
{
TrackingAllocator track(Allocator::standard());
AutoCredentials creds(track);
creds.tag("PIN1");
if (inInputParams)
creds += TypedList(track, CSSM_SAMPLE_TYPE_PASSWORD,
new (track) ListElement(track,
*reinterpret_cast<const CssmData *>(inInputParams)));
else
creds += TypedList(track, CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD,
new (track) ListElement(track, CssmData()));
Authenticate(inDbHandle, CSSM_DB_ACCESS_READ, creds);
break;
}
case CSSM_APPLECSPDL_DB_IS_LOCKED:
{
if (!outOutputParams)
CssmError::throwMe(CSSM_ERRCODE_INVALID_OUTPUT_POINTER);
bool isLocked = mClientSession.isLocked(ClientSession::toIPCHandle(inDbHandle));
CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR params =
DatabaseSession::alloc<CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS>();
params->isLocked = isLocked;
*reinterpret_cast<CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR *>
(outOutputParams) = params;
break;
}
case CSSM_APPLECSPDL_DB_CHANGE_PASSWORD:
{
if (!inInputParams)
CssmError::throwMe(CSSM_ERRCODE_INVALID_INPUT_POINTER);
const CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS *params =
reinterpret_cast
<const CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS *>
(inInputParams);
AutoAclEntryInfoList acls /* (mClientSession.allocator()) */;
CSSM_STRING tag = { 'P', 'I', 'N', '1' };
GetDbAcl(inDbHandle, &tag,
*static_cast<uint32 *>(acls),
*static_cast<CSSM_ACL_ENTRY_INFO **>(acls));
if (acls.size() == 0)
CssmError::throwMe(CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND);
const AclEntryInfo &slot = acls.at(0);
if (acls.size() > 1)
secinfo("acl",
"Using entry handle %ld from %d total candidates",
slot.handle(), acls.size());
AclEdit edit(slot.handle(), slot.proto());
ChangeDbAcl(inDbHandle,
AccessCredentials::required(params->accessCredentials), edit);
break;
}
case CSSM_APPLECSPDL_DB_RELATION_EXISTS:
{
// We always return true so that the individual tokend can decide
if (!outOutputParams)
CssmError::throwMe(CSSM_ERRCODE_INVALID_OUTPUT_POINTER);
*reinterpret_cast<CSSM_BOOL *>(outOutputParams) = true;
break;
}
default:
CssmError::throwMe(CSSM_ERRCODE_INVALID_PASSTHROUGH_ID);
}
}
