
Various AKS improvments and fixes

...using hints from some Security code

+54 -28
+34 -8
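--- a/src/libaks/include/libaks.h
+++ b/src/libaks/include/libaks.h
@@ -12,16 +12,11 @@
 // FIXME: I have no idea what these are for, so they are 0 for now
 #define session_keybag_handle 0
 #define device_keybag_handle 0
+#define backup_keybag_handle 1 // ???
 #define bad_keybag_handle (-1) // that's a pretty common "bad" signed integer value
 
 typedef uint32_t keybag_state_t;
 typedef int32_t keybag_handle_t;
-
-#if TARGET_OS_MAC && !TARGET_OS_EMBEDDED
-static keybag_handle_t g_keychain_keybag = session_keybag_handle;
-#else
-static keybag_handle_t g_keychain_keybag = device_keybag_handle;
-#endif
 
 enum keybag_state {
 keybag_state_unlocked = 0,
@@ -60,7 +55,11 @@
 kAKSReturnBadDeviceKey,
 kAKSReturnBadSignature,
 kAKSReturnPolicyInvalid,
+kAKSReturnBadPassword,
 };
+
+// i'm 99.9999999...% sure this is a typo in Security, but whatever
+#define kSKSReturnNoPermission kAKSReturnNoPermission
 
 typedef int32_t keyclass_t;
 
@@ -72,13 +71,40 @@
 kAppleKeyStoreAsymmetricBackupBag,
 };
 
-#define key_class_last (0)
-
 kern_return_t aks_create_bag(uint8_t* secret, int secret_size, int bag_type, keybag_handle_t* handle);
 kern_return_t aks_save_bag(keybag_handle_t handle, void** bytes, size_t* size);
 kern_return_t aks_unload_bag(keybag_handle_t handle);
 kern_return_t aks_unlock_bag(keybag_handle_t handle, const void* passcode, int length);
 kern_return_t aks_load_bag(const void* data, int length, keybag_handle_t* handle);
+
+typedef enum _aks_key_type_enum {
+key_class_none,
+key_type_sym,
+key_class_ak,
+key_class_ck,
+key_class_dk,
+key_class_aku,
+key_class_cku,
+key_class_dku,
+key_class_akpu, // implied to exist by some Security code (`SecDbBackupmanager.m`)
+key_class_last,
+} aks_key_type_t;
+
+// 4096-bit = 512-byte; i *think* that's the maximum key length?
+#define APPLE_KEYSTORE_MAX_KEY_LEN (512)
+
+// according to `mockaks.m` in Security, these seem to be the same?
+#define APPLE_KEYSTORE_MAX_ASYM_WRAPPED_KEY_LEN (APPLE_KEYSTORE_MAX_KEY_LEN + 8)
+#define APPLE_KEYSTORE_MAX_SYM_WRAPPED_KEY_LEN (APPLE_KEYSTORE_MAX_KEY_LEN + 8)
+
+enum _generation_option_enum {
+generation_noop,
+generation_current,
+generation_change_in_progress,
+};
+typedef enum _generation_option_enum generation_option_t;
+
+kern_return_t aks_generation(keybag_handle_t handle, generation_option_t option, uint32_t* current);
 
 #ifdef __cplusplus
 }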
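Review bot: The new `aks_key_type_t` enum (new lines 80–91) leaves every member implicitly numbered from 0, while the only key-class type the header passes around is the pre-existing `typedef int32_t keyclass_t;`, so these values will presumably be stored into `keyclass_t` and compared against what the real Security/AKS code reports; if the numbering has to agree with that code it should be spelled out (`key_class_none = 0,` and so on, each with a comment naming where the value came from), and `key_type_sym` sitting between `key_class_none` and `key_class_ak` looks like a member of a different enum that shifts every class after it by one. The same concern applies to `#define backup_keybag_handle 1 // ???` on new line 15: a wrong handle value would quietly address a different keybag in every `aks_*_bag` call, so mark it the way the FIXME three lines above does, e.g. `#define backup_keybag_handle 1 // FIXME: unverified guess`. Tag names such as `_aks_key_type_enum` and `_generation_option_enum` begin with an underscore at file scope, which C reserves for the implementation; `aks_key_type_enum` and `generation_option_enum` would avoid that.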
+10 -10
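--- a/src/libaks/include/libaks_acl_cf_keys.h
+++ b/src/libaks/include/libaks_acl_cf_keys.h
@@ -3,16 +3,16 @@
 
 //typedef aks_key_t *aks_ref_key_t;
 
-extern CFStringRef kAKSKeyAcl;
-extern CFStringRef kAKSKeyAclParamRequirePasscode;
+extern const CFStringRef kAKSKeyAcl;
+extern const CFStringRef kAKSKeyAclParamRequirePasscode;
 
-extern CFStringRef kAKSKeyOpDefaultAcl;
-extern CFStringRef kAKSKeyOpSign;
-extern CFStringRef kAKSKeyOpComputeKey;
-extern CFStringRef kAKSKeyOpAttest;
-extern CFStringRef kAKSKeyOpDecrypt;
-extern CFStringRef kAKSKeyOpEncrypt;
-extern CFStringRef kAKSKeyOpDelete;
-extern CFStringRef kAKSKeyOpECIESTranscode;
+extern const CFStringRef kAKSKeyOpDefaultAcl;
+extern const CFStringRef kAKSKeyOpSign;
+extern const CFStringRef kAKSKeyOpComputeKey;
+extern const CFStringRef kAKSKeyOpAttest;
+extern const CFStringRef kAKSKeyOpDecrypt;
+extern const CFStringRef kAKSKeyOpEncrypt;
+extern const CFStringRef kAKSKeyOpDelete;
+extern const CFStringRef kAKSKeyOpECIESTranscode;
 
 #endif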
+10 -10
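--- a/src/libaks/libaks.c
+++ b/src/libaks/libaks.c
@@ -1,16 +1,16 @@
 #include "libaks.h"
 #include "libaks_smartcard.h"
 
-CFStringRef kAKSKeyAcl = CFSTR("AKSKeyAcl");
-CFStringRef kAKSKeyAclParamRequirePasscode = CFSTR("AKSKeyAclParamRequirePasscode");
-CFStringRef kAKSKeyOpDefaultAcl = CFSTR("AKSKeyOpDefaultAcl");
-CFStringRef kAKSKeyOpSign = CFSTR("AKSKeyOpSign");
-CFStringRef kAKSKeyOpComputeKey = CFSTR("AKSKeyOpComputeKey");
-CFStringRef kAKSKeyOpAttest = CFSTR("AKSKeyOpAttest");
-CFStringRef kAKSKeyOpDecrypt = CFSTR("AKSKeyOpDecrypt");
-CFStringRef kAKSKeyOpEncrypt = CFSTR("AKSKeyOpEncrypt");
-CFStringRef kAKSKeyOpDelete = CFSTR("AKSKeyOpDelete");
-CFStringRef kAKSKeyOpECIESTranscode = CFSTR("AKSKeyOpECIESTranscode");
+const CFStringRef kAKSKeyAcl = CFSTR("AKSKeyAcl");
+const CFStringRef kAKSKeyAclParamRequirePasscode = CFSTR("AKSKeyAclParamRequirePasscode");
+const CFStringRef kAKSKeyOpDefaultAcl = CFSTR("AKSKeyOpDefaultAcl");
+const CFStringRef kAKSKeyOpSign = CFSTR("AKSKeyOpSign");
+const CFStringRef kAKSKeyOpComputeKey = CFSTR("AKSKeyOpComputeKey");
+const CFStringRef kAKSKeyOpAttest = CFSTR("AKSKeyOpAttest");
+const CFStringRef kAKSKeyOpDecrypt = CFSTR("AKSKeyOpDecrypt");
+const CFStringRef kAKSKeyOpEncrypt = CFSTR("AKSKeyOpEncrypt");
+const CFStringRef kAKSKeyOpDelete = CFSTR("AKSKeyOpDelete");
+const CFStringRef kAKSKeyOpECIESTranscode = CFSTR("AKSKeyOpECIESTranscode");
 
 void aks_smartcard_unregister(int a)
 {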