void GemaltoToken::_addPinState(AutoAclEntryInfoList& acl, uint32 slot, uint32 status) { char tag[20]; snprintf(tag, sizeof(tag), "PIN%d?", (int) slot); TypedList subj(acl.allocator(), CSSM_WORDID_PIN, new(acl.allocator()) ListElement(slot), new(acl.allocator()) ListElement(status)); acl.add(subj, CSSM_WORDID_PIN, tag); }
void GemaltoToken::_aclClear(AutoAclEntryInfoList& acl) { if (acl == true) { DataWalkers::ChunkFreeWalker w(acl.allocator()); for (uint32 ix = 0; ix < acl.size(); ix++) walk(w, acl.at(ix)); acl.size(0); } }
void GemaltoToken::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls) { log("\nGemaltoToken::getAcl <BEGIN>\n"); log("tag <%s> - count <%lu>\n", tag, count); Allocator &alloc = Allocator::standard(); if (uint32 pin = _pinFromAclTag(tag, "?")) { static AutoAclEntryInfoList acl; _aclClear(acl); acl.allocator(alloc); uint32_t status = this->pinStatus(pin); if (status == SCARD_SUCCESS) { _addPinState(acl, pin, CSSM_ACL_PREAUTH_TRACKING_AUTHORIZED); } else if (SCARD_AUTHENTICATION_BLOCKED == status) { _addPinState(acl, pin, CSSM_ACL_PREAUTH_TRACKING_BLOCKED); } else { _addPinState(acl, pin, CSSM_ACL_PREAUTH_TRACKING_UNKNOWN); } count = acl.size(); acls = acl.entries(); log("count <%lu>\n", count); log("GemaltoToken::getAcl <END>\n"); return; } // get pin list, then for each pin if (!mAclEntries) { mAclEntries.allocator(alloc); // Anyone can read the attributes and data of any record on this token // (it's further limited by the object itself). mAclEntries.add(CssmClient::AclFactory::AnySubject( mAclEntries.allocator()), AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0)); // We support PIN1 with either a passed in password subject or a prompted password subject. mAclEntries.addPin(AclFactory::PWSubject(mAclEntries.allocator()), 1); mAclEntries.addPin(AclFactory::PromptPWSubject(mAclEntries.allocator(), CssmData()), 1); mAclEntries.addPin(AclFactory::PinSubject(mAclEntries.allocator(), CssmData()), 1); } count = mAclEntries.size(); acls = mAclEntries.entries(); log("count <%lu>\n", count); log("GemaltoToken::getAcl <END>\n"); }
void BELPICToken::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls) { Allocator &alloc = Allocator::standard(); if (unsigned pin = pinFromAclTag(tag, "?")) { static AutoAclEntryInfoList acl; acl.clear(); acl.allocator(alloc); uint32_t status = this->pinStatus(pin); if (status == SCARD_SUCCESS) acl.addPinState(pin, CSSM_ACL_PREAUTH_TRACKING_AUTHORIZED); else acl.addPinState(pin, CSSM_ACL_PREAUTH_TRACKING_UNKNOWN); count = acl.size(); acls = acl.entries(); return; } // get pin list, then for each pin if (!mAclEntries) { mAclEntries.allocator(alloc); // Anyone can read the attributes and data of any record on this token // (it's further limited by the object itself). mAclEntries.add(CssmClient::AclFactory::AnySubject( mAclEntries.allocator()), AclAuthorizationSet(CSSM_ACL_AUTHORIZATION_DB_READ, 0)); // We support PIN1 with either a passed in password // subject or a prompted password subject. mAclEntries.addPin(AclFactory::PWSubject(alloc), 1); mAclEntries.addPin(AclFactory::PromptPWSubject(alloc, CssmData()), 1); } count = mAclEntries.size(); acls = mAclEntries.entries(); }
void KeyImpl::getAcl(AutoAclEntryInfoList &aclInfos, const char *selectionTag) const { aclInfos.allocator(allocator()); check(CSSM_GetKeyAcl(csp()->handle(), this, reinterpret_cast<const CSSM_STRING *>(selectionTag), aclInfos, aclInfos)); }
void SDDLSession::PassThrough(CSSM_DB_HANDLE inDbHandle, uint32 inPassThroughId, const void *inInputParams, void **outOutputParams) { switch (inPassThroughId) { case CSSM_APPLECSPDL_DB_LOCK: mClientSession.lock(ClientSession::toIPCHandle(inDbHandle)); break; case CSSM_APPLECSPDL_DB_UNLOCK: { TrackingAllocator track(Allocator::standard()); AutoCredentials creds(track); creds.tag("PIN1"); if (inInputParams) creds += TypedList(track, CSSM_SAMPLE_TYPE_PASSWORD, new (track) ListElement(track, *reinterpret_cast<const CssmData *>(inInputParams))); else creds += TypedList(track, CSSM_SAMPLE_TYPE_PROMPTED_PASSWORD, new (track) ListElement(track, CssmData())); Authenticate(inDbHandle, CSSM_DB_ACCESS_READ, creds); break; } case CSSM_APPLECSPDL_DB_IS_LOCKED: { if (!outOutputParams) CssmError::throwMe(CSSM_ERRCODE_INVALID_OUTPUT_POINTER); bool isLocked = mClientSession.isLocked(ClientSession::toIPCHandle(inDbHandle)); CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR params = DatabaseSession::alloc<CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS>(); params->isLocked = isLocked; *reinterpret_cast<CSSM_APPLECSPDL_DB_IS_LOCKED_PARAMETERS_PTR *> (outOutputParams) = params; break; } case CSSM_APPLECSPDL_DB_CHANGE_PASSWORD: { if (!inInputParams) CssmError::throwMe(CSSM_ERRCODE_INVALID_INPUT_POINTER); const CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS *params = reinterpret_cast <const CSSM_APPLECSPDL_DB_CHANGE_PASSWORD_PARAMETERS *> (inInputParams); AutoAclEntryInfoList acls /* (mClientSession.allocator()) */; CSSM_STRING tag = { 'P', 'I', 'N', '1' }; GetDbAcl(inDbHandle, &tag, *static_cast<uint32 *>(acls), *static_cast<CSSM_ACL_ENTRY_INFO **>(acls)); if (acls.size() == 0) CssmError::throwMe(CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND); const AclEntryInfo &slot = acls.at(0); if (acls.size() > 1) secinfo("acl", "Using entry handle %ld from %d total candidates", slot.handle(), acls.size()); AclEdit edit(slot.handle(), slot.proto()); ChangeDbAcl(inDbHandle, AccessCredentials::required(params->accessCredentials), edit); break; } case CSSM_APPLECSPDL_DB_RELATION_EXISTS: { // We always return true so that the individual tokend can decide if (!outOutputParams) CssmError::throwMe(CSSM_ERRCODE_INVALID_OUTPUT_POINTER); *reinterpret_cast<CSSM_BOOL *>(outOutputParams) = true; break; } default: CssmError::throwMe(CSSM_ERRCODE_INVALID_PASSTHROUGH_ID); } }