// Copyright 2024 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "crypto/fake_apple_keychain_v2.h"
#import <CoreFoundation/CoreFoundation.h>
#import <Foundation/Foundation.h>
#import <LocalAuthentication/LocalAuthentication.h>
#import <Security/Security.h>
#include <algorithm>
#include <vector>
#include "base/apple/bridging.h"
#include "base/apple/foundation_util.h"
#include "base/apple/scoped_cftyperef.h"
#include "base/apple/scoped_typeref.h"
#include "base/check_op.h"
#include "base/memory/scoped_policy.h"
#include "base/notimplemented.h"
#include "base/strings/sys_string_conversions.h"
#include "crypto/apple_keychain_v2.h"
#if defined(LEAK_SANITIZER)
#include <sanitizer/lsan_interface.h>
#endif
namespace crypto {
FakeAppleKeychainV2::FakeAppleKeychainV2(
const std::string& keychain_access_group)
: keychain_access_group_(
base::SysUTF8ToCFStringRef(keychain_access_group)) {}
FakeAppleKeychainV2::~FakeAppleKeychainV2() {
// Avoid shutdown leak of error string in Security.framework.
// See
// https://github.com/apple-oss-distributions/Security/blob/Security-60158.140.3/OSX/libsecurity_keychain/lib/SecBase.cpp#L88
#if defined(LEAK_SANITIZER)
__lsan_do_leak_check();
#endif
}
NSArray* FakeAppleKeychainV2::GetTokenIDs() {
if (is_secure_enclave_available_) {
return @[ base::apple::CFToNSPtrCast(kSecAttrTokenIDSecureEnclave) ];
}
return @[];
}
base::apple::ScopedCFTypeRef<SecKeyRef> FakeAppleKeychainV2::KeyCreateRandomKey(
CFDictionaryRef params,
CFErrorRef* error) {
// Validate certain fields that we always expect to be set.
DCHECK(
base::apple::GetValueFromDictionary<CFStringRef>(params, kSecAttrLabel));
// kSecAttrApplicationTag is CFDataRef for new credentials and CFStringRef for
// version < 3. Keychain docs say it should be CFDataRef
// (https://developer.apple.com/documentation/security/ksecattrapplicationtag).
CFTypeRef application_tag = nil;
CFDictionaryGetValueIfPresent(params, kSecAttrApplicationTag,
&application_tag);
if (application_tag) {
CHECK(base::apple::CFCast<CFDataRef>(application_tag) ||
base::apple::CFCast<CFStringRef>(application_tag));
}
DCHECK_EQ(
base::apple::GetValueFromDictionary<CFStringRef>(params, kSecAttrTokenID),
kSecAttrTokenIDSecureEnclave);
DCHECK(CFEqual(base::apple::GetValueFromDictionary<CFStringRef>(
params, kSecAttrAccessGroup),
keychain_access_group_.get()));
// Call Keychain services to create a key pair, but first drop all parameters
// that aren't appropriate in tests.
base::apple::ScopedCFTypeRef<CFMutableDictionaryRef> params_copy(
CFDictionaryCreateMutableCopy(kCFAllocatorDefault, /*capacity=*/0,
params));
// Don't create a Secure Enclave key.
CFDictionaryRemoveValue(params_copy.get(), kSecAttrTokenID);
// Don't bind to a keychain-access-group, which would require an entitlement.
CFDictionaryRemoveValue(params_copy.get(), kSecAttrAccessGroup);
base::apple::ScopedCFTypeRef<CFMutableDictionaryRef> private_key_params(
CFDictionaryCreateMutableCopy(
kCFAllocatorDefault, /*capacity=*/0,
base::apple::GetValueFromDictionary<CFDictionaryRef>(
params_copy.get(), kSecPrivateKeyAttrs)));
DCHECK(CFEqual(base::apple::GetValueFromDictionary<CFBooleanRef>(
private_key_params.get(), kSecAttrIsPermanent),
kCFBooleanTrue));
CFDictionarySetValue(private_key_params.get(), kSecAttrIsPermanent,
kCFBooleanFalse);
CFDictionaryRemoveValue(private_key_params.get(), kSecAttrAccessControl);
CFDictionaryRemoveValue(private_key_params.get(),
kSecUseAuthenticationContext);
CFDictionarySetValue(params_copy.get(), kSecPrivateKeyAttrs,
private_key_params.get());
base::apple::ScopedCFTypeRef<SecKeyRef> private_key(
SecKeyCreateRandomKey(params_copy.get(), error));
if (!private_key) {
return base::apple::ScopedCFTypeRef<SecKeyRef>();
}
// Stash everything in `items_` so it can be retrieved in with
// `ItemCopyMatching. This uses the original `params` rather than the modified
// copy so that `ItemCopyMatching()` will correctly filter on
// kSecAttrAccessGroup.
base::apple::ScopedCFTypeRef<CFMutableDictionaryRef> keychain_item(
CFDictionaryCreateMutableCopy(kCFAllocatorDefault, /*capacity=*/0,
params));
CFDictionarySetValue(keychain_item.get(), kSecValueRef, private_key.get());
// When left unset, the real keychain sets the application label to the hash
// of the public key on creation. We need to retrieve it to allow filtering
// for it later.
if (!base::apple::GetValueFromDictionary<CFDataRef>(
keychain_item.get(), kSecAttrApplicationLabel)) {
base::apple::ScopedCFTypeRef<CFDictionaryRef> key_metadata(
SecKeyCopyAttributes(private_key.get()));
CFDataRef application_label =
base::apple::GetValueFromDictionary<CFDataRef>(
key_metadata.get(), kSecAttrApplicationLabel);
CFDictionarySetValue(keychain_item.get(), kSecAttrApplicationLabel,
application_label);
}
items_.push_back(keychain_item);
return private_key;
}
base::apple::ScopedCFTypeRef<CFDictionaryRef>
FakeAppleKeychainV2::KeyCopyAttributes(SecKeyRef key) {
const auto& it = std::ranges::find_if(items_, [&key](const auto& item) {
return CFEqual(key, CFDictionaryGetValue(item.get(), kSecValueRef));
});
if (it == items_.end()) {
return base::apple::ScopedCFTypeRef<CFDictionaryRef>();
}
base::apple::ScopedCFTypeRef<CFMutableDictionaryRef> result(
CFDictionaryCreateMutableCopy(kCFAllocatorDefault, /*capacity=*/0,
it->get()));
// The real implementation does not return the actual key.
CFDictionaryRemoveValue(result.get(), kSecValueRef);
return result;
}
OSStatus FakeAppleKeychainV2::ItemAdd(CFDictionaryRef attributes,
CFTypeRef* result) {
CFStringRef keychain_access_group =
base::apple::GetValueFromDictionary<CFStringRef>(attributes,
kSecAttrAccessGroup);
if (!CFEqual(keychain_access_group, keychain_access_group_.get())) {
return errSecMissingEntitlement;
}
base::apple::ScopedCFTypeRef<CFDictionaryRef> item(
attributes, base::scoped_policy::RETAIN);
items_.push_back(item);
return errSecSuccess;
}
OSStatus FakeAppleKeychainV2::ItemCopyMatching(CFDictionaryRef query,
CFTypeRef* result) {
// In practice we don't need to care about limit queries, or leaving out the
// SecKeyRef or attributes from the result set.
DCHECK_EQ(
base::apple::GetValueFromDictionary<CFBooleanRef>(query, kSecReturnRef),
kCFBooleanTrue);
DCHECK_EQ(base::apple::GetValueFromDictionary<CFBooleanRef>(
query, kSecReturnAttributes),
kCFBooleanTrue);
CFStringRef match_limit =
base::apple::GetValueFromDictionary<CFStringRef>(query, kSecMatchLimit);
bool match_all = match_limit && CFEqual(match_limit, kSecMatchLimitAll);
// Match fields present in `query`.
CFStringRef query_label =
base::apple::GetValueFromDictionary<CFStringRef>(query, kSecAttrLabel);
CFDataRef query_application_label =
base::apple::GetValueFromDictionary<CFDataRef>(query,
kSecAttrApplicationLabel);
// kSecAttrApplicationTag can be CFStringRef for legacy credentials and
// CFDataRef for new ones, hence using CFTypeRef.
CFTypeRef query_application_tag =
CFDictionaryGetValue(query, kSecAttrApplicationTag);
// Filter the items based on `query`.
base::apple::ScopedCFTypeRef<CFMutableArrayRef> items(
CFArrayCreateMutable(nullptr, items_.size(), &kCFTypeArrayCallBacks));
for (auto& item : items_) {
// Each `Keychain` instance is expected to operate only on items of a single
// keychain-access-group, which is tied to the `Profile`.
CFStringRef keychain_access_group =
base::apple::GetValueFromDictionary<CFStringRef>(query,
kSecAttrAccessGroup);
DCHECK(CFEqual(keychain_access_group,
base::apple::GetValueFromDictionary<CFStringRef>(
item.get(), kSecAttrAccessGroup)) &&
CFEqual(keychain_access_group, keychain_access_group_.get()));
CFStringRef item_label = base::apple::GetValueFromDictionary<CFStringRef>(
item.get(), kSecAttrLabel);
CFDataRef item_application_label =
base::apple::GetValueFromDictionary<CFDataRef>(
item.get(), kSecAttrApplicationLabel);
CFTypeRef item_application_tag =
CFDictionaryGetValue(item.get(), kSecAttrApplicationTag);
if ((query_label && (!item_label || !CFEqual(query_label, item_label))) ||
(query_application_label &&
(!item_application_label ||
!CFEqual(query_application_label, item_application_label))) ||
(query_application_tag &&
(!item_application_tag ||
!CFEqual(query_application_tag, item_application_tag)))) {
continue;
}
if (match_all) {
base::apple::ScopedCFTypeRef<CFDictionaryRef> item_copy(
CFDictionaryCreateCopy(kCFAllocatorDefault, item.get()));
CFArrayAppendValue(items.get(), item_copy.get());
} else {
*result = CFDictionaryCreateCopy(kCFAllocatorDefault, item.get());
return errSecSuccess;
}
}
if (CFArrayGetCount(items.get()) == 0) {
return errSecItemNotFound;
}
*result = items.release();
return errSecSuccess;
}
OSStatus FakeAppleKeychainV2::ItemDelete(CFDictionaryRef query) {
// Validate certain fields that we always expect to be set.
DCHECK_EQ(base::apple::GetValueFromDictionary<CFStringRef>(query, kSecClass),
kSecClassKey);
DCHECK(CFEqual(base::apple::GetValueFromDictionary<CFStringRef>(
query, kSecAttrAccessGroup),
keychain_access_group_.get()));
// Only supporting deletion via `kSecAttrApplicationLabel` (credential ID) for
// now (see `TouchIdCredentialStore::DeleteCredentialById()`).
CFDataRef query_credential_id =
base::apple::GetValueFromDictionary<CFDataRef>(query,
kSecAttrApplicationLabel);
DCHECK(query_credential_id);
for (auto it = items_.begin(); it != items_.end(); ++it) {
const base::apple::ScopedCFTypeRef<CFDictionaryRef>& item = *it;
CFDataRef item_credential_id =
base::apple::GetValueFromDictionary<CFDataRef>(
item.get(), kSecAttrApplicationLabel);
DCHECK(item_credential_id);
if (CFEqual(query_credential_id, item_credential_id)) {
items_.erase(it); // N.B. `it` becomes invalid
return errSecSuccess;
}
}
return errSecItemNotFound;
}
OSStatus FakeAppleKeychainV2::ItemUpdate(CFDictionaryRef query,
CFDictionaryRef attributes_to_update) {
DCHECK_EQ(base::apple::GetValueFromDictionary<CFStringRef>(query, kSecClass),
kSecClassKey);
DCHECK(CFEqual(base::apple::GetValueFromDictionary<CFStringRef>(
query, kSecAttrAccessGroup),
keychain_access_group_.get()));
CFDataRef query_credential_id =
base::apple::GetValueFromDictionary<CFDataRef>(query,
kSecAttrApplicationLabel);
DCHECK(query_credential_id);
for (base::apple::ScopedCFTypeRef<CFDictionaryRef>& item : items_) {
CFDataRef item_credential_id =
base::apple::GetValueFromDictionary<CFDataRef>(
item.get(), kSecAttrApplicationLabel);
DCHECK(item_credential_id);
if (!CFEqual(query_credential_id, item_credential_id)) {
continue;
}
base::apple::ScopedCFTypeRef<CFMutableDictionaryRef> item_copy(
CFDictionaryCreateMutableCopy(kCFAllocatorDefault, /*capacity=*/0,
item.get()));
[base::apple::CFToNSPtrCast(item_copy.get())
addEntriesFromDictionary:base::apple::CFToNSPtrCast(
attributes_to_update)];
item = item_copy;
return errSecSuccess;
}
return errSecItemNotFound;
}
#if !BUILDFLAG(IS_IOS)
base::apple::ScopedCFTypeRef<CFTypeRef>
FakeAppleKeychainV2::TaskCopyValueForEntitlement(SecTaskRef task,
CFStringRef entitlement,
CFErrorRef* error) {
CHECK(task);
CHECK(CFEqual(entitlement,
base::SysUTF8ToCFStringRef("keychain-access-groups").get()))
<< "Entitlement " << entitlement << " not supported by fake";
base::apple::ScopedCFTypeRef<CFMutableArrayRef> keychain_access_groups(
CFArrayCreateMutable(kCFAllocatorDefault, /*capacity=*/1,
&kCFTypeArrayCallBacks));
CFArrayAppendValue(
keychain_access_groups.get(),
CFStringCreateCopy(kCFAllocatorDefault, keychain_access_group_.get()));
return keychain_access_groups;
}
#endif // !BUILDFLAG(IS_IOS)
BOOL FakeAppleKeychainV2::LAContextCanEvaluatePolicy(
LAPolicy policy,
NSError* __autoreleasing* error) {
switch (policy) {
case LAPolicyDeviceOwnerAuthentication:
return uv_method_ == UVMethod::kBiometrics ||
uv_method_ == UVMethod::kPasswordOnly;
case LAPolicyDeviceOwnerAuthenticationWithBiometrics:
return uv_method_ == UVMethod::kBiometrics;
case LAPolicyDeviceOwnerAuthenticationWithBiometricsOrWatch:
return uv_method_ == UVMethod::kBiometrics;
default: // Avoid needing to refer to values not available in the minimum
// supported macOS version.
NOTIMPLEMENTED();
return false;
}
}
} // namespace crypto