[apple/libsecurity_codesigning.git] / requirements.grammar

/*
 * Copyright (c) 2006-2007 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

//
// Requirements Language Grammar
//
// This file describes two distinct (related) grammars:
//	Requirement => single requirement (Requirement *)
//	RequirementSet => set of labeled requirements (Requirements *)
// The grammar can "autosense" - i.e. recognize which one it's fed and
// return appropriate semantic data.
// The semantic data compiled is a malloc'ed BlobCore * - a Requirement
// object or a SuperBlob containing multiple Requirements.
//
header "post_include_hpp" {
#include "requirement.h"
using namespace CodeSigning;
typedef Requirement::Maker Maker;
}

header "post_include_cpp" {
#include "requirement.h"
#include "reqmaker.h"
#include "csutilities.h"
#include <security_utilities/cfutilities.h>
#include <security_utilities/hashing.h>
using namespace CodeSigning;
typedef Requirement::Maker Maker;
}

options {
	language="Cpp";
	namespace="Security_CodeSigning";
	namespaceStd="std";
	namespaceAntlr="antlr";
	genHashLines=false;
}


{
	//
	// Collect error messages
	//
	void RequirementParser::reportError(const antlr::RecognitionException &ex)
	{
		errors += ex.toString() + "\n";
	}
	
	void RequirementParser::reportError(const std::string &s)
	{
		errors += s + "\n";
	}

	
	//
	// Parser helper functions
	//
	string RequirementParser::hexString(const string &s)
	{
		if (s.size() % 2)
			throw antlr::SemanticException("odd number of digits");
		const char *p = s.data();
		string result;
		for (unsigned n = 0; n < s.length(); n += 2) {
			char c;
			sscanf(p+n, "%2hhx", &c);
			result.push_back(c);
		}
		return result;
	}

	void RequirementParser::hashString(const string &s, SHA1::Digest hash)
	{
		if (s.size() != 2 * SHA1::digestLength)
			throw antlr::SemanticException("invalid hash length");
		memcpy(hash, hexString(s).data(), SHA1::digestLength);
	}
}

class RequirementParser extends Parser;

options {
	k=2;
}

{
public:
	std::string errors;
	void reportError(const antlr::RecognitionException &ex);
	void reportError(const std::string &s);

private:
	static string hexString(const string &s);
	static void hashString(const string &s, SHA1::Digest hash);
}


//
// Compound target; compiles single requirements or requirement sets
// and returns them as a BlobCore.
//
autosense returns [BlobCore *result = NULL]
	:	result=requirement
	|	result=requirementSet
	;


//
// A Requirements Set.
//
requirementSet returns [Requirements *result = NULL]
		{ Requirements::Maker maker; }
	:	(		{ uint32_t t; Requirement *req; }
			t=requirementType ARROW req=requirementElement
				{ maker.add(t, req); }
		)+
			{ result = errors.empty() ? maker() : NULL; }
		EOF
	;

requirementType returns [uint32_t type = kSecInvalidRequirementType]
	:	"guest"
			{ type = kSecGuestRequirementType; }
	|	"host"
			{ type = kSecHostRequirementType; }
	|	"designated"
			{ type = kSecDesignatedRequirementType; }
	|	"library"
			{ type = kSecLibraryRequirementType; }
	|	stype:INTEGER
			{ type = atol(stype->getText().c_str()); }
	;


//
// A single Requirement (untyped)
//
requirement returns [Requirement *result = NULL]
	:	result = requirementElement
		EOF
	;

requirementElement returns [Requirement *result = NULL]
		{ Requirement::Maker maker; }
	:	expr[maker]
		{ result = maker(); }
		( fluff )*
	;


//
// Classic recursive expressions
// 
expr[Maker &maker]
		{ Maker::Label label(maker); }
	:	term[maker] ( "and" { maker.insert<ExprOp>(label) = opAnd; } term[maker] )*
	;

term[Maker &maker]
		{ Maker::Label label(maker); }
	:	primary[maker] ( "or" { maker.insert<ExprOp>(label) = opOr; } primary[maker] )*
	;

primary[Maker &maker]
	:	LPAREN expr[maker] RPAREN
	|	NOT { maker.put(opNot); } primary[maker]
	|	( "always" | "true" )
			{ maker.put(opTrue); }
	|	( "never" | "false" )
			{ maker.put(opFalse); }
	|	certspec[maker]
	|	infospec[maker]
	|	"identifier" { string code; } eql code=identifierString
			{ maker.ident(code); }
	|	"cdhash" { SHA1::Digest digest; } hash[digest]
			{ maker.cdhash(digest); }
	;


//
// Certificate specifications restrict certificates in the signing chain
//
certspec[Maker &maker]
	:	"anchor" "apple"
			{ maker.put(opAppleAnchor); }
	|	( "certificate" | "cert" | "anchor" ) "trusted"
			{ maker.trustedAnchor(); }
	|	( "certificate" | "cert" ) { int slot; } slot=certSlot
		( certslotspec[maker, slot] | "trusted" { maker.trustedAnchor(slot); } )
	|	"anchor" certslotspec[maker, Requirement::anchorCert]
	;

certslotspec[Maker &maker, int slot]	{ string key; }
	:	eql { SHA1::Digest digest; } certificateDigest[digest]
            { maker.anchor(slot, digest); }
	|	key=bracketKey
			{ maker.put(opCertField); maker.put(slot); maker.put(key); }
		match_suffix[maker]
	;


//
// Info specifications place conditions on entries in the Info.plist
//
infospec[Maker &maker]		{ string key; }
	:	"info" key=bracketKey
			{ maker.put(opInfoKeyField); maker.put(key); }
		match_suffix[maker]
	;

match_suffix[Maker &maker]
	:	empty
			{ maker.put(matchExists); }
	|	EQL { string value; } value=datavalue
			{ maker.put(matchEqual); maker.put(value); }
	|	SUBS { string value; } value=datavalue
			{ maker.put(matchContains); maker.put(value); }
	;

bracketKey returns [string key]
	:	LBRACK key=stringvalue RBRACK
	;

//
// A certSlot identifiers one certificate from the certificate chain
//
certSlot returns [int slot]
	:	s:INTEGER		// counting from the anchor up
			{ slot = atol(s->getText().c_str()); }
	|	NEG ss:INTEGER	// counting from the leaf down
			{ slot = -atol(ss->getText().c_str()); }
	|	"leaf"			// the leaf ( == -1)
			{ slot = Requirement::leafCert; }
	|	"root"			// the root ( == 0)
			{ slot = Requirement::anchorCert; }
	;

certSlotAnchor returns [int slot]
	:	slot=certSlot
	|	empty			// defaults to anchor ( == 0)
			{ slot = Requirement::anchorCert; }
	;

// an arbitrary digest value
hash[SHA1::Digest digest]
	:	hash:HASHCONSTANT
			{ hashString(hash->getText(), digest); }
	;

// various forms to specify a certificate hash
certificateDigest[SHA1::Digest digest]
	:	hash[digest]
	|	{ string path; } path=pathstring
			{ if (CFRef<CFDataRef> certData = cfLoadFile(path))
				hashOfCertificate(CFDataGetBytePtr(certData), CFDataGetLength(certData), digest);
			  else
				throw antlr::SemanticException(path + ": not found");
			}
	;

// generic data - can be simple string, quoted string, or 0x-style hex
datavalue returns [string result]
	:	result=stringvalue
	|	hex:HEXCONSTANT { result = hexString(hex->getText()); }
	;

// strings can always be quoted, but DOTKEYs don't need to be
stringvalue returns [string result]
	:	dk:DOTKEY	{ result = dk->getText(); }
	|	s:STRING	{ result = s->getText(); }
	;

// pathstrings are like strings, but PATHNAMEs don't need to be quoted either
pathstring returns [string result]
	:	dk:DOTKEY	{ result = dk->getText(); }
	|	s:STRING	{ result = s->getText(); }
	|	pn:PATHNAME	{ result = pn->getText(); }
	;

// unique identifier value
identifierString returns [string result]
	:	dk:DOTKEY	{ result = dk->getText(); }
	|	s:STRING	{ result = s->getText(); }
	;

// syntactic cavity generators
fluff
	:	SEMI
	;

eql
	:	EQL
	|	empty
	;

empty : ;


//
// The lexer for the Requirement language.
// Really straightforward and conventional.
// A subset of strings don't need to be quoted (DOTKEYs), though the disassembler
//   will always quote them anyway.
// There's a syntax H"abcd" to denote hash values (in hex).
//
class RequirementLexer extends Lexer;

options {
	k=2;
	testLiterals=false;
}

protected
IDENT options { testLiterals=true; }
	:	( 'A' .. 'Z' | 'a' .. 'z' ) ( 'A' .. 'Z' | 'a' .. 'z' | '0' .. '9' )*
	;

DOTKEY options { testLiterals=true; }
	:	IDENT ( "." IDENT )*
	;

PATHNAME
	:	"/" IDENT ( "/" IDENT )+
	;

HASHCONSTANT
	:	'H'! '"'! ( HEX )+ '"'!
	;

HEXCONSTANT
	:	'0'! 'x'! ( HEX )+
	;

STRING
	:	'"'! ( ( '\\'! '"' ) | ( ~ ( '"' | '\\' ) ) )* '"'!
	;

INTEGER
	:	( '0' .. '9' ) +
	;

protected
HEX	:	'0' .. '9' | 'a' .. 'f' | 'A' .. 'F' ;

// operator tokens
ARROW	: "=>" ;
SEMI	: ';' ;
LPAREN	: '(' ;
RPAREN	: ')' ;
LBRACK	: '[' ;
RBRACK	: ']' ;
COMMA	: ',' ;
EQL		: '=' ;
SUBS	: '~' ;
NEG		: '-' ;
NOT		: '!' ;


//
// White spaces
//
WS	:	( ' ' | '\n' { newline(); } | '\t' )+
	{ $setType(antlr::Token::SKIP); }
	;

SHELLCOMMENT
	:	'#' ( ~ '\n' )*
	{ $setType(antlr::Token::SKIP); }
	;

C_COMMENT
	:	"/*" ( (~'*')|('*'(~'/')) )* "*/"
	{ $setType(antlr::Token::SKIP); }
	;

CPP_COMMENT
	:	"//" ( ~ '\n' )*
	{ $setType(antlr::Token::SKIP); }
	;
Commit	Line	Data
7d31e928 A	1	/*
	2	* Copyright (c) 2006-2007 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	//
	25	// Requirements Language Grammar
	26	//
	27	// This file describes two distinct (related) grammars:
	28	// Requirement => single requirement (Requirement *)
	29	// RequirementSet => set of labeled requirements (Requirements *)
	30	// The grammar can "autosense" - i.e. recognize which one it's fed and
	31	// return appropriate semantic data.
	32	// The semantic data compiled is a malloc'ed BlobCore * - a Requirement
	33	// object or a SuperBlob containing multiple Requirements.
	34	//
	35	header "post_include_hpp" {
	36	#include "requirement.h"
	37	using namespace CodeSigning;
	38	typedef Requirement::Maker Maker;
	39	}
	40
	41	header "post_include_cpp" {
	42	#include "requirement.h"
	43	#include "reqmaker.h"
	44	#include "csutilities.h"
	45	#include <security_utilities/cfutilities.h>
	46	#include <security_utilities/hashing.h>
	47	using namespace CodeSigning;
	48	typedef Requirement::Maker Maker;
	49	}
	50
	51	options {
	52	language="Cpp";
	53	namespace="Security_CodeSigning";
	54	namespaceStd="std";
	55	namespaceAntlr="antlr";
	56	genHashLines=false;
	57	}
	58
	59
	60	{
	61	//
	62	// Collect error messages
	63	//
	64	void RequirementParser::reportError(const antlr::RecognitionException &ex)
65	{
66	errors += ex.toString() + "\n";
67	}
68
69	void RequirementParser::reportError(const std::string &s)
70	{
71	errors += s + "\n";
72	}
73
74
75	//
76	// Parser helper functions
77	//
78	string RequirementParser::hexString(const string &s)
79	{
80	if (s.size() % 2)
81	throw antlr::SemanticException("odd number of digits");
82	const char *p = s.data();
83	string result;
84	for (unsigned n = 0; n < s.length(); n += 2) {
85	char c;
86	sscanf(p+n, "%2hhx", &c);
87	result.push_back(c);
88	}
89	return result;
90	}
91
92	void RequirementParser::hashString(const string &s, SHA1::Digest hash)
93	{
94	if (s.size() != 2 * SHA1::digestLength)
95	throw antlr::SemanticException("invalid hash length");
96	memcpy(hash, hexString(s).data(), SHA1::digestLength);
97	}
98	}
99
100	class RequirementParser extends Parser;
101
102	options {
103	k=2;
104	}
105
106	{
107	public:
108	std::string errors;
109	void reportError(const antlr::RecognitionException &ex);
110	void reportError(const std::string &s);
111
112	private:
113	static string hexString(const string &s);
114	static void hashString(const string &s, SHA1::Digest hash);
115	}
116
117
118	//
119	// Compound target; compiles single requirements or requirement sets
120	// and returns them as a BlobCore.
121	//
122	autosense returns [BlobCore *result = NULL]
123	: result=requirement
124	\| result=requirementSet
125	;
126
127
128	//
129	// A Requirements Set.
130	//
131	requirementSet returns [Requirements *result = NULL]
132	{ Requirements::Maker maker; }
133	: ( { uint32_t t; Requirement *req; }
134	t=requirementType ARROW req=requirementElement
135	{ maker.add(t, req); }
136	)+
137	{ result = errors.empty() ? maker() : NULL; }
138	EOF
139	;
140
141	requirementType returns [uint32_t type = kSecInvalidRequirementType]
142	: "guest"
143	{ type = kSecGuestRequirementType; }
144	\| "host"
145	{ type = kSecHostRequirementType; }
146	\| "designated"
147	{ type = kSecDesignatedRequirementType; }
148	\| "library"
149	{ type = kSecLibraryRequirementType; }
150	\| stype:INTEGER
151	{ type = atol(stype->getText().c_str()); }
152	;
153
154
155	//
156	// A single Requirement (untyped)
157	//
158	requirement returns [Requirement *result = NULL]
159	: result = requirementElement
160	EOF
161	;
162
163	requirementElement returns [Requirement *result = NULL]
164	{ Requirement::Maker maker; }
165	: expr[maker]
166	{ result = maker(); }
167	( fluff )*
168	;
169
170
171	//
172	// Classic recursive expressions
173	//
174	expr[Maker &maker]
175	{ Maker::Label label(maker); }
176	: term[maker] ( "and" { maker.insert<ExprOp>(label) = opAnd; } term[maker] )*
177	;
178
179	term[Maker &maker]
180	{ Maker::Label label(maker); }
181	: primary[maker] ( "or" { maker.insert<ExprOp>(label) = opOr; } primary[maker] )*
182	;
183
184	primary[Maker &maker]
185	: LPAREN expr[maker] RPAREN
186	\| NOT { maker.put(opNot); } primary[maker]
187	\| ( "always" \| "true" )
188	{ maker.put(opTrue); }
189	\| ( "never" \| "false" )
190	{ maker.put(opFalse); }
191	\| certspec[maker]
192	\| infospec[maker]
193	\| "identifier" { string code; } eql code=identifierString
194	{ maker.ident(code); }
195	\| "cdhash" { SHA1::Digest digest; } hash[digest]
196	{ maker.cdhash(digest); }
197	;
198
199
200	//
201	// Certificate specifications restrict certificates in the signing chain
202	//
203	certspec[Maker &maker]
204	: "anchor" "apple"
205	{ maker.put(opAppleAnchor); }
206	\| ( "certificate" \| "cert" \| "anchor" ) "trusted"
207	{ maker.trustedAnchor(); }
208	\| ( "certificate" \| "cert" ) { int slot; } slot=certSlot
209	( certslotspec[maker, slot] \| "trusted" { maker.trustedAnchor(slot); } )
210	\| "anchor" certslotspec[maker, Requirement::anchorCert]
211	;
212
213	certslotspec[Maker &maker, int slot] { string key; }
214	: eql { SHA1::Digest digest; } certificateDigest[digest]
215	{ maker.anchor(slot, digest); }
216	\| key=bracketKey
217	{ maker.put(opCertField); maker.put(slot); maker.put(key); }
218	match_suffix[maker]
219	;
220
221
222	//
223	// Info specifications place conditions on entries in the Info.plist
224	//
225	infospec[Maker &maker] { string key; }
226	: "info" key=bracketKey
227	{ maker.put(opInfoKeyField); maker.put(key); }
228	match_suffix[maker]
229	;
230
231	match_suffix[Maker &maker]
232	: empty
233	{ maker.put(matchExists); }
234	\| EQL { string value; } value=datavalue
235	{ maker.put(matchEqual); maker.put(value); }
236	\| SUBS { string value; } value=datavalue
237	{ maker.put(matchContains); maker.put(value); }
238	;
239
240	bracketKey returns [string key]
241	: LBRACK key=stringvalue RBRACK
242	;
243
244	//
245	// A certSlot identifiers one certificate from the certificate chain
246	//
247	certSlot returns [int slot]
248	: s:INTEGER // counting from the anchor up
249	{ slot = atol(s->getText().c_str()); }
250	\| NEG ss:INTEGER // counting from the leaf down
251	{ slot = -atol(ss->getText().c_str()); }
252	\| "leaf" // the leaf ( == -1)
253	{ slot = Requirement::leafCert; }
254	\| "root" // the root ( == 0)
255	{ slot = Requirement::anchorCert; }
256	;
257
258	certSlotAnchor returns [int slot]
259	: slot=certSlot
260	\| empty // defaults to anchor ( == 0)
261	{ slot = Requirement::anchorCert; }
262	;
263
264	// an arbitrary digest value
265	hash[SHA1::Digest digest]
266	: hash:HASHCONSTANT
267	{ hashString(hash->getText(), digest); }
268	;
269
270	// various forms to specify a certificate hash
271	certificateDigest[SHA1::Digest digest]
272	: hash[digest]
273	\| { string path; } path=pathstring
274	{ if (CFRef<CFDataRef> certData = cfLoadFile(path))
275	hashOfCertificate(CFDataGetBytePtr(certData), CFDataGetLength(certData), digest);
276	else
277	throw antlr::SemanticException(path + ": not found");
278	}
279	;
280
281	// generic data - can be simple string, quoted string, or 0x-style hex
282	datavalue returns [string result]
283	: result=stringvalue
284	\| hex:HEXCONSTANT { result = hexString(hex->getText()); }
285	;
286
287	// strings can always be quoted, but DOTKEYs don't need to be
288	stringvalue returns [string result]
289	: dk:DOTKEY { result = dk->getText(); }
290	\| s:STRING { result = s->getText(); }
291	;
292
293	// pathstrings are like strings, but PATHNAMEs don't need to be quoted either
294	pathstring returns [string result]
295	: dk:DOTKEY { result = dk->getText(); }
296	\| s:STRING { result = s->getText(); }
297	\| pn:PATHNAME { result = pn->getText(); }
298	;
299
300	// unique identifier value
301	identifierString returns [string result]
302	: dk:DOTKEY { result = dk->getText(); }
303	\| s:STRING { result = s->getText(); }
304	;
305
306	// syntactic cavity generators
307	fluff
308	: SEMI
309	;
310
311	eql
312	: EQL
313	\| empty
314	;
315
316	empty : ;
317
318
319	//
320	// The lexer for the Requirement language.
321	// Really straightforward and conventional.
322	// A subset of strings don't need to be quoted (DOTKEYs), though the disassembler
323	// will always quote them anyway.
324	// There's a syntax H"abcd" to denote hash values (in hex).
325	//
326	class RequirementLexer extends Lexer;
327
328	options {
329	k=2;
330	testLiterals=false;
331	}
332
333	protected
334	IDENT options { testLiterals=true; }
335	: ( 'A' .. 'Z' \| 'a' .. 'z' ) ( 'A' .. 'Z' \| 'a' .. 'z' \| '0' .. '9' )*
336	;
337
338	DOTKEY options { testLiterals=true; }
339	: IDENT ( "." IDENT )*
340	;
341
342	PATHNAME
343	: "/" IDENT ( "/" IDENT )+
344	;
345
346	HASHCONSTANT
347	: 'H'! '"'! ( HEX )+ '"'!
348	;
349
350	HEXCONSTANT
351	: '0'! 'x'! ( HEX )+
352	;
353
354	STRING
355	: '"'! ( ( '\\'! '"' ) \| ( ~ ( '"' \| '\\' ) ) )* '"'!
356	;
357
358	INTEGER
359	: ( '0' .. '9' ) +
360	;
361
362	protected
363	HEX : '0' .. '9' \| 'a' .. 'f' \| 'A' .. 'F' ;
364
365	// operator tokens
366	ARROW : "=>" ;
367	SEMI : ';' ;
368	LPAREN : '(' ;
369	RPAREN : ')' ;
370	LBRACK : '[' ;
371	RBRACK : ']' ;
372	COMMA : ',' ;
373	EQL : '=' ;
374	SUBS : '~' ;
375	NEG : '-' ;
376	NOT : '!' ;
377
378
379	//
380	// White spaces
381	//
382	WS : ( ' ' \| '\n' { newline(); } \| '\t' )+
383	{ $setType(antlr::Token::SKIP); }
384	;
385
386	SHELLCOMMENT
387	: '#' ( ~ '\n' )*
388	{ $setType(antlr::Token::SKIP); }
389	;
390
391	C_COMMENT
392	: "/" ( (~'')\|(''(~'/')) ) "*/"
393	{ $setType(antlr::Token::SKIP); }
394	;
395
396	CPP_COMMENT
397	: "//" ( ~ '\n' )*
398	{ $setType(antlr::Token::SKIP); }
399	;