[apple/libsecurity_codesigning.git] / lib / csdatabase.cpp

/*
 * Copyright (c) 2006-2007 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

//
// csdb - system-supported Code Signing related database interfaces
//
#include "csdatabase.h"
#include "detachedrep.h"

namespace Security {
namespace CodeSigning {

using namespace SQLite;


//
// The one and only SignatureDatabase object.
// It auto-adapts to readonly vs. writable use.
//
ModuleNexus<SignatureDatabase> signatureDatabase;
ModuleNexus<SignatureDatabaseWriter> signatureDatabaseWriter;


//
// Default path to the signature database.
//
const char SignatureDatabase::defaultPath[] = "/var/db/DetachedSignatures";


//
// Creation commands to initialize the system database.
//
const char schema[] = "\
	create table if not exists code ( \n\
		id integer primary key on conflict replace autoincrement not null, \n\
		global integer null references global (id), \n\
		identifier text not null, \n\
		architecture integer, \n\
		identification blob not null unique on conflict replace, \n\
		signature blob not null, \n\
		created text default current_timestamp \n\
	); \n\
	create index if not exists identifier_index on code (identifier); \n\
	create index if not exists architecture_index on code (architecture); \n\
	create index if not exists id_index on code (identification); \n\
	\n\
	create table if not exists global ( \n\
		id integer primary key on conflict replace autoincrement not null, \n\
		sign_location text not null, \n\
		signature blob null \n\
	); \n\
	create index if not exists location_index on global (sign_location); \n\
";


//
// Open the database (creating it if necessary and possible).
// Note that this isn't creating the schema; we do that on first write.
//
SignatureDatabase::SignatureDatabase(const char *path, int flags)
	: SQLite::Database(path, flags)
{
}

SignatureDatabase::~SignatureDatabase()
{ /* virtual */ }


//
// Consult the database to find code by identification blob.
// Return the signature and (optional) global data blobs.
//
FilterRep *SignatureDatabase::findCode(DiskRep *rep)
{
	if (CFRef<CFDataRef> identification = rep->identification())
		if (!this->empty()) {
			SQLite::Statement query(*this,
				"select code.signature, global.signature from code, global \
				 where code.identification = ?1 and code.global = global.id;");
			query.bind(1) = identification.get();
			if (query.nextRow())
				return new DetachedRep(query[0].data(), query[1].data(), rep, "system");
		}

	// no joy
	return NULL;
}


//
// Given a unified detached signature blob, store its data in the database.
// This writes exactly one Global record, plus one Code record per architecture
// (where non-architectural code is treated as single-architecture).
//
void SignatureDatabaseWriter::storeCode(const BlobCore *sig, const char *location)
{
	Transaction xa(*this, Transaction::exclusive);	// lock out everyone
	if (this->empty())
		this->execute(schema);					// initialize schema
	if (const EmbeddedSignatureBlob *esig = EmbeddedSignatureBlob::specific(sig)) {	// architecture-less
		int64 globid = insertGlobal(location, NULL);
		insertCode(globid, 0, esig);
		xa.commit();
		return;
	} else if (const DetachedSignatureBlob *dsblob = DetachedSignatureBlob::specific(sig)) {
		int64 globid = insertGlobal(location, dsblob->find(0));
		unsigned count = dsblob->count();
		for (unsigned n = 0; n < count; n++)
			if (uint32_t arch = dsblob->type(n))
				insertCode(globid, arch, EmbeddedSignatureBlob::specific(dsblob->blob(n)));
		xa.commit();
		return;
	}
	
	MacOSError::throwMe(errSecCSSignatureInvalid);

}

int64 SignatureDatabaseWriter::insertGlobal(const char *location, const BlobCore *blob)
{
	Statement insert(*this, "insert into global (sign_location, signature) values (?1, ?2);");
	insert.bind(1) = location;
	if (blob)
		insert.bind(2).blob(blob, blob->length(), true);
	insert();
	return lastInsert();
}

void SignatureDatabaseWriter::insertCode(int64 globid, int arch, const EmbeddedSignatureBlob *sig)
{
	// retrieve binary identifier (was added by signer)
	const BlobWrapper *ident = BlobWrapper::specific(sig->find(cdIdentificationSlot));
	assert(ident);
	
	// extract CodeDirectory to get some information from it
	const CodeDirectory *cd = CodeDirectory::specific(sig->find(cdCodeDirectorySlot));
	assert(cd);

	// write the record
	Statement insert(*this,
		"insert into code (global, identifier, architecture, identification, signature) values (?1, ?2, ?3, ?4, ?5);");
	insert.bind(1) = globid;
	insert.bind(2) = cd->identifier();
	if (arch)
		insert.bind(3) = arch;
	insert.bind(4).blob(ident->data(), ident->length(), true);
	insert.bind(5).blob(sig, sig->length(), true);
	insert();
}


} // end namespace CodeSigning
} // end namespace Security
Commit	Line	Data
d1c1ab47 A	1	/*
	2	* Copyright (c) 2006-2007 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	//
	25	// csdb - system-supported Code Signing related database interfaces
	26	//
	27	#include "csdatabase.h"
	28	#include "detachedrep.h"
	29
	30	namespace Security {
	31	namespace CodeSigning {
	32
	33	using namespace SQLite;
	34
	35
	36	//
	37	// The one and only SignatureDatabase object.
	38	// It auto-adapts to readonly vs. writable use.
	39	//
	40	ModuleNexus<SignatureDatabase> signatureDatabase;
f60086fc	41	ModuleNexus<SignatureDatabaseWriter> signatureDatabaseWriter;
d1c1ab47 A	42
	43
	44	//
	45	// Default path to the signature database.
	46	//
	47	const char SignatureDatabase::defaultPath[] = "/var/db/DetachedSignatures";
	48
	49
	50	//
	51	// Creation commands to initialize the system database.
	52	//
	53	const char schema[] = "\
	54	create table if not exists code ( \n\
	55	id integer primary key on conflict replace autoincrement not null, \n\
	56	global integer null references global (id), \n\
	57	identifier text not null, \n\
	58	architecture integer, \n\
	59	identification blob not null unique on conflict replace, \n\
	60	signature blob not null, \n\
	61	created text default current_timestamp \n\
	62	); \n\
	63	create index if not exists identifier_index on code (identifier); \n\
	64	create index if not exists architecture_index on code (architecture); \n\
	65	create index if not exists id_index on code (identification); \n\
	66	\n\
	67	create table if not exists global ( \n\
	68	id integer primary key on conflict replace autoincrement not null, \n\
	69	sign_location text not null, \n\
	70	signature blob null \n\
	71	); \n\
	72	create index if not exists location_index on global (sign_location); \n\
	73	";
	74
	75
	76
	77	//
	78	// Open the database (creating it if necessary and possible).
	79	// Note that this isn't creating the schema; we do that on first write.
	80	//
	81	SignatureDatabase::SignatureDatabase(const char *path, int flags)
	82	: SQLite::Database(path, flags)
	83	{
	84	}
	85
	86	SignatureDatabase::~SignatureDatabase()
	87	{ /* virtual */ }
	88
	89
	90	//
	91	// Consult the database to find code by identification blob.
	92	// Return the signature and (optional) global data blobs.
	93	//
	94	FilterRep SignatureDatabase::findCode(DiskRep rep)
	95	{
	96	if (CFRef<CFDataRef> identification = rep->identification())
	97	if (!this->empty()) {
	98	SQLite::Statement query(*this,
	99	"select code.signature, global.signature from code, global \
	100	where code.identification = ?1 and code.global = global.id;");
	101	query.bind(1) = identification.get();
	102	if (query.nextRow())
	103	return new DetachedRep(query[0].data(), query[1].data(), rep, "system");
	104	}
	105
106	// no joy
107	return NULL;
108	}
109
110
111	//
112	// Given a unified detached signature blob, store its data in the database.
113	// This writes exactly one Global record, plus one Code record per architecture
114	// (where non-architectural code is treated as single-architecture).
115	//
f60086fc	116	void SignatureDatabaseWriter::storeCode(const BlobCore sig, const char location)
d1c1ab47 A	117	{
	118	Transaction xa(*this, Transaction::exclusive); // lock out everyone
	119	if (this->empty())
	120	this->execute(schema); // initialize schema
	121	if (const EmbeddedSignatureBlob *esig = EmbeddedSignatureBlob::specific(sig)) { // architecture-less
	122	int64 globid = insertGlobal(location, NULL);
	123	insertCode(globid, 0, esig);
	124	xa.commit();
	125	return;
	126	} else if (const DetachedSignatureBlob *dsblob = DetachedSignatureBlob::specific(sig)) {
	127	int64 globid = insertGlobal(location, dsblob->find(0));
	128	unsigned count = dsblob->count();
	129	for (unsigned n = 0; n < count; n++)
	130	if (uint32_t arch = dsblob->type(n))
	131	insertCode(globid, arch, EmbeddedSignatureBlob::specific(dsblob->blob(n)));
	132	xa.commit();
	133	return;
	134	}
	135
	136	MacOSError::throwMe(errSecCSSignatureInvalid);
	137
	138	}
	139
f60086fc	140	int64 SignatureDatabaseWriter::insertGlobal(const char location, const BlobCore blob)
d1c1ab47 A	141	{
	142	Statement insert(*this, "insert into global (sign_location, signature) values (?1, ?2);");
	143	insert.bind(1) = location;
	144	if (blob)
	145	insert.bind(2).blob(blob, blob->length(), true);
	146	insert();
	147	return lastInsert();
	148	}
	149
f60086fc	150	void SignatureDatabaseWriter::insertCode(int64 globid, int arch, const EmbeddedSignatureBlob *sig)
d1c1ab47 A	151	{
	152	// retrieve binary identifier (was added by signer)
	153	const BlobWrapper *ident = BlobWrapper::specific(sig->find(cdIdentificationSlot));
	154	assert(ident);
	155
	156	// extract CodeDirectory to get some information from it
	157	const CodeDirectory *cd = CodeDirectory::specific(sig->find(cdCodeDirectorySlot));
	158	assert(cd);
	159
	160	// write the record
	161	Statement insert(*this,
	162	"insert into code (global, identifier, architecture, identification, signature) values (?1, ?2, ?3, ?4, ?5);");
	163	insert.bind(1) = globid;
	164	insert.bind(2) = cd->identifier();
	165	if (arch)
	166	insert.bind(3) = arch;
	167	insert.bind(4).blob(ident->data(), ident->length(), true);
	168	insert.bind(5).blob(sig, sig->length(), true);
	169	insert();
	170	}
	171
	172
	173
	174	} // end namespace CodeSigning
	175	} // end namespace Security