projects / apple / libsecurity_codesigning.git / blame
| Commit | Line | Data |
|---|---|---|
| 7d31e928 A |
1 | /* |
| 2 | * Copyright (c) 2006-2007 Apple Inc. All Rights Reserved. | |
| 3 | * | |
| 4 | * @APPLE_LICENSE_HEADER_START@ | |
| 5 | * | |
| 6 | * This file contains Original Code and/or Modifications of Original Code | |
| 7 | * as defined in and that are subject to the Apple Public Source License | |
| 8 | * Version 2.0 (the 'License'). You may not use this file except in | |
| 9 | * compliance with the License. Please obtain a copy of the License at | |
| 10 | * http://www.opensource.apple.com/apsl/ and read it before using this | |
| 11 | * file. | |
| 12 | * | |
| 13 | * The Original Code and all software distributed under the License are | |
| 14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
| 15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
| 16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
| 17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
| 18 | * Please see the License for the specific language governing rights and | |
| 19 | * limitations under the License. | |
| 20 | * | |
| 21 | * @APPLE_LICENSE_HEADER_END@ | |
| 22 | */ | |
| 23 | ||
| 24 | // | |
| 25 | // requirement - Code Requirement Blob description | |
| 26 | // | |
| 27 | #include "requirement.h" | |
| 28 | #include "reqinterp.h" | |
| 29 | #include <security_utilities/errors.h> | |
| 30 | #include <security_utilities/unix++.h> | |
| 31 | #include <security_utilities/logging.h> | |
| 32 | #include <security_utilities/cfutilities.h> | |
| 33 | #include <security_utilities/hashing.h> | |
| 34 | ||
| 35 | #ifdef DEBUGDUMP | |
| 36 | #include <security_codesigning/reqdumper.h> | |
| 37 | #endif | |
| 38 | ||
| 39 | namespace Security { | |
| 40 | namespace CodeSigning { | |
| 41 | ||
| 42 | ||
| 43 | // | |
| 44 | // The (SHA-1) hash of the canonical Apple certificate root anchor | |
| 45 | // | |
| 46 | static const SHA1::Digest gAppleAnchorHash = | |
| 47 | { 0x61, 0x1e, 0x5b, 0x66, 0x2c, 0x59, 0x3a, 0x08, 0xff, 0x58, | |
| 48 | 0xd1, 0x4a, 0xe2, 0x24, 0x52, 0xd1, 0x98, 0xdf, 0x6c, 0x60 }; | |
| 49 | ||
| 50 | ||
| 51 | // | |
| 52 | // Canonical names for requirement types | |
| 53 | // | |
| 54 | const char *const Requirement::typeNames[] = { | |
| 55 | "invalid", | |
| 56 | "host", | |
| 57 | "guest", | |
| 58 | "designated", | |
| 59 | "library" | |
| 60 | }; | |
| 61 | ||
| 62 | ||
| 63 | // | |
| 64 | // validate a requirement against a code context | |
| 65 | // | |
| 66 | void Requirement::validate(const Requirement::Context &ctx, OSStatus failure /* = errSecCSReqFailed */) const | |
| 67 | { | |
| 68 | switch (kind()) { | |
| 69 | case exprForm: | |
| 70 | if (!Requirement::Interpreter(this, &ctx).evaluate()) | |
| 71 | MacOSError::throwMe(failure); | |
| 72 | return; | |
| 73 | default: | |
| 74 | secdebug("reqval", "unrecognized requirement kind %d", kind()); | |
| 75 | MacOSError::throwMe(errSecCSReqUnsupported); | |
| 76 | } | |
| 77 | } | |
| 78 | ||
| 79 | ||
| 80 | // | |
| 81 | // Retrieve one certificate from the cert chain. | |
| 82 | // Positive and negative indices can be used: | |
| 83 | // [ leaf, intermed-1, ..., intermed-n, anchor ] | |
| 84 | // 0 1 ... -2 -1 | |
| 85 | // Returns NULL if unavailable for any reason. | |
| 86 | // | |
| 87 | SecCertificateRef Requirement::Context::cert(int ix) const | |
| 88 | { | |
| 89 | if (certs) { | |
| 90 | if (ix < 0) | |
| 91 | ix += certCount(); | |
| 92 | if (CFTypeRef element = CFArrayGetValueAtIndex(certs, ix)) | |
| 93 | return SecCertificateRef(element); | |
| 94 | } | |
| 95 | return NULL; | |
| 96 | } | |
| 97 | ||
| 98 | unsigned int Requirement::Context::certCount() const | |
| 99 | { | |
| 100 | if (certs) | |
| 101 | return CFArrayGetCount(certs); | |
| 102 | else | |
| 103 | return 0; | |
| 104 | } | |
| 105 | ||
| 106 | ||
| 107 | // | |
| 108 | // Return the hash of the canonical Apple certificate root (anchor). | |
| 109 | // In a special test mode, also return an alternate root hash for testing. | |
| 110 | // | |
| 111 | const SHA1::Digest &Requirement::appleAnchorHash() | |
| 112 | { | |
| 113 | return gAppleAnchorHash; | |
| 114 | } | |
| 115 | ||
| 116 | #if defined(TEST_APPLE_ANCHOR) | |
| 117 | ||
| 118 | const char Requirement::testAppleAnchorEnv[] = "TEST_APPLE_ANCHOR"; | |
| 119 | ||
| 120 | const SHA1::Digest &Requirement::testAppleAnchorHash() | |
| 121 | { | |
| 122 | static bool tried = false; | |
| 123 | static SHA1::Digest testHash; | |
| 124 | if (!tried) { | |
| 125 | // see if we have one configured | |
| 126 | if (const char *path = getenv(testAppleAnchorEnv)) | |
| 127 | try { | |
| 128 | UnixPlusPlus::FileDesc fd(path); | |
| 129 | char buffer[2048]; // arbitrary limit | |
| 130 | size_t size = fd.read(buffer, sizeof(buffer)); | |
| 131 | SHA1 hash; | |
| 132 | hash(buffer, size); | |
| 133 | hash.finish(testHash); | |
| 134 | Syslog::alert("ACCEPTING TEST AUTHORITY %s FOR APPLE CODE IDENTITY", path); | |
| 135 | } catch (...) { } | |
| 136 | tried = true; | |
| 137 | } | |
| 138 | return testHash; // will be zeroes (no match) if not configured | |
| 139 | } | |
| 140 | ||
| 141 | #endif //TEST_APPLE_ANCHOR | |
| 142 | ||
| 143 | ||
| 144 | ||
| 145 | // | |
| 146 | // Debug dump support | |
| 147 | // | |
| 148 | #ifdef DEBUGDUMP | |
| 149 | ||
| 150 | void Requirement::dump() const | |
| 151 | { | |
| 152 | Debug::dump("%s\n", Dumper::dump(this).c_str()); | |
| 153 | } | |
| 154 | ||
| 155 | #endif //DEBUGDUMP | |
| 156 | ||
| 157 | ||
| 158 | } // CodeSigning | |
| 159 | } // Security |