]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright (c) 2006-2007 Apple Inc. All Rights Reserved. | |
3 | * | |
4 | * @APPLE_LICENSE_HEADER_START@ | |
5 | * | |
6 | * This file contains Original Code and/or Modifications of Original Code | |
7 | * as defined in and that are subject to the Apple Public Source License | |
8 | * Version 2.0 (the 'License'). You may not use this file except in | |
9 | * compliance with the License. Please obtain a copy of the License at | |
10 | * http://www.opensource.apple.com/apsl/ and read it before using this | |
11 | * file. | |
12 | * | |
13 | * The Original Code and all software distributed under the License are | |
14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
18 | * Please see the License for the specific language governing rights and | |
19 | * limitations under the License. | |
20 | * | |
21 | * @APPLE_LICENSE_HEADER_END@ | |
22 | */ | |
23 | ||
24 | // | |
25 | // Requirements Language Grammar | |
26 | // | |
27 | // This file describes two distinct (related) grammars: | |
28 | // Requirement => single requirement (Requirement *) | |
29 | // RequirementSet => set of labeled requirements (Requirements *) | |
30 | // The grammar can "autosense" - i.e. recognize which one it's fed and | |
31 | // return appropriate semantic data. | |
32 | // The semantic data compiled is a malloc'ed BlobCore * - a Requirement | |
33 | // object or a SuperBlob containing multiple Requirements. | |
34 | // | |
35 | header "post_include_hpp" { | |
36 | #include "requirement.h" | |
37 | using namespace CodeSigning; | |
38 | typedef Requirement::Maker Maker; | |
39 | } | |
40 | ||
41 | header "post_include_cpp" { | |
42 | #include "requirement.h" | |
43 | #include "reqmaker.h" | |
44 | #include "csutilities.h" | |
45 | #include <security_utilities/cfutilities.h> | |
46 | #include <security_utilities/hashing.h> | |
47 | using namespace CodeSigning; | |
48 | typedef Requirement::Maker Maker; | |
49 | } | |
50 | ||
51 | options { | |
52 | language="Cpp"; | |
53 | namespace="Security_CodeSigning"; | |
54 | namespaceStd="std"; | |
55 | namespaceAntlr="antlr"; | |
56 | genHashLines=false; | |
57 | } | |
58 | ||
59 | ||
60 | { | |
61 | // | |
62 | // Collect error messages | |
63 | // | |
64 | void RequirementParser::reportError(const antlr::RecognitionException &ex) | |
65 | { | |
66 | errors += ex.toString() + "\n"; | |
67 | } | |
68 | ||
69 | void RequirementParser::reportError(const std::string &s) | |
70 | { | |
71 | errors += s + "\n"; | |
72 | } | |
73 | ||
74 | ||
75 | // | |
76 | // Parser helper functions | |
77 | // | |
78 | string RequirementParser::hexString(const string &s) | |
79 | { | |
80 | if (s.size() % 2) | |
81 | throw antlr::SemanticException("odd number of digits"); | |
82 | const char *p = s.data(); | |
83 | string result; | |
84 | for (unsigned n = 0; n < s.length(); n += 2) { | |
85 | char c; | |
86 | sscanf(p+n, "%2hhx", &c); | |
87 | result.push_back(c); | |
88 | } | |
89 | return result; | |
90 | } | |
91 | ||
92 | void RequirementParser::hashString(const string &s, SHA1::Digest hash) | |
93 | { | |
94 | if (s.size() != 2 * SHA1::digestLength) | |
95 | throw antlr::SemanticException("invalid hash length"); | |
96 | memcpy(hash, hexString(s).data(), SHA1::digestLength); | |
97 | } | |
98 | } | |
99 | ||
100 | class RequirementParser extends Parser; | |
101 | ||
102 | options { | |
103 | k=2; | |
104 | } | |
105 | ||
106 | { | |
107 | public: | |
108 | std::string errors; | |
109 | void reportError(const antlr::RecognitionException &ex); | |
110 | void reportError(const std::string &s); | |
111 | ||
112 | private: | |
113 | static string hexString(const string &s); | |
114 | static void hashString(const string &s, SHA1::Digest hash); | |
115 | } | |
116 | ||
117 | ||
118 | // | |
119 | // Compound target; compiles single requirements or requirement sets | |
120 | // and returns them as a BlobCore. | |
121 | // | |
122 | autosense returns [BlobCore *result = NULL] | |
123 | : result=requirement | |
124 | | result=requirementSet | |
125 | ; | |
126 | ||
127 | ||
128 | // | |
129 | // A Requirements Set. | |
130 | // | |
131 | requirementSet returns [Requirements *result = NULL] | |
132 | { Requirements::Maker maker; } | |
133 | : ( { uint32_t t; Requirement *req; } | |
134 | t=requirementType ARROW req=requirementElement | |
135 | { maker.add(t, req); } | |
136 | )+ | |
137 | { result = errors.empty() ? maker() : NULL; } | |
138 | EOF | |
139 | ; | |
140 | ||
141 | requirementType returns [uint32_t type = kSecInvalidRequirementType] | |
142 | : "guest" | |
143 | { type = kSecGuestRequirementType; } | |
144 | | "host" | |
145 | { type = kSecHostRequirementType; } | |
146 | | "designated" | |
147 | { type = kSecDesignatedRequirementType; } | |
148 | | "library" | |
149 | { type = kSecLibraryRequirementType; } | |
150 | | stype:INTEGER | |
151 | { type = atol(stype->getText().c_str()); } | |
152 | ; | |
153 | ||
154 | ||
155 | // | |
156 | // A single Requirement (untyped) | |
157 | // | |
158 | requirement returns [Requirement *result = NULL] | |
159 | : result = requirementElement | |
160 | EOF | |
161 | ; | |
162 | ||
163 | requirementElement returns [Requirement *result = NULL] | |
164 | { Requirement::Maker maker; } | |
165 | : expr[maker] | |
166 | { result = maker(); } | |
167 | ( fluff )* | |
168 | ; | |
169 | ||
170 | ||
171 | // | |
172 | // Classic recursive expressions | |
173 | // | |
174 | expr[Maker &maker] | |
175 | { Maker::Label label(maker); } | |
176 | : term[maker] ( "and" { maker.insert<ExprOp>(label) = opAnd; } term[maker] )* | |
177 | ; | |
178 | ||
179 | term[Maker &maker] | |
180 | { Maker::Label label(maker); } | |
181 | : primary[maker] ( "or" { maker.insert<ExprOp>(label) = opOr; } primary[maker] )* | |
182 | ; | |
183 | ||
184 | primary[Maker &maker] | |
185 | : LPAREN expr[maker] RPAREN | |
186 | | NOT { maker.put(opNot); } primary[maker] | |
187 | | ( "always" | "true" ) | |
188 | { maker.put(opTrue); } | |
189 | | ( "never" | "false" ) | |
190 | { maker.put(opFalse); } | |
191 | | certspec[maker] | |
192 | | infospec[maker] | |
193 | | "identifier" { string code; } eql code=identifierString | |
194 | { maker.ident(code); } | |
195 | | "cdhash" { SHA1::Digest digest; } hash[digest] | |
196 | { maker.cdhash(digest); } | |
197 | ; | |
198 | ||
199 | ||
200 | // | |
201 | // Certificate specifications restrict certificates in the signing chain | |
202 | // | |
203 | certspec[Maker &maker] | |
204 | : "anchor" "apple" | |
205 | { maker.put(opAppleAnchor); } | |
206 | | ( "certificate" | "cert" | "anchor" ) "trusted" | |
207 | { maker.trustedAnchor(); } | |
208 | | ( "certificate" | "cert" ) { int slot; } slot=certSlot | |
209 | ( certslotspec[maker, slot] | "trusted" { maker.trustedAnchor(slot); } ) | |
210 | | "anchor" certslotspec[maker, Requirement::anchorCert] | |
211 | ; | |
212 | ||
213 | certslotspec[Maker &maker, int slot] { string key; } | |
214 | : eql { SHA1::Digest digest; } certificateDigest[digest] | |
215 | { maker.anchor(slot, digest); } | |
216 | | key=bracketKey | |
217 | { maker.put(opCertField); maker.put(slot); maker.put(key); } | |
218 | match_suffix[maker] | |
219 | ; | |
220 | ||
221 | ||
222 | // | |
223 | // Info specifications place conditions on entries in the Info.plist | |
224 | // | |
225 | infospec[Maker &maker] { string key; } | |
226 | : "info" key=bracketKey | |
227 | { maker.put(opInfoKeyField); maker.put(key); } | |
228 | match_suffix[maker] | |
229 | ; | |
230 | ||
231 | match_suffix[Maker &maker] | |
232 | : empty | |
233 | { maker.put(matchExists); } | |
234 | | EQL { string value; } value=datavalue | |
235 | { maker.put(matchEqual); maker.put(value); } | |
236 | | SUBS { string value; } value=datavalue | |
237 | { maker.put(matchContains); maker.put(value); } | |
238 | ; | |
239 | ||
240 | bracketKey returns [string key] | |
241 | : LBRACK key=stringvalue RBRACK | |
242 | ; | |
243 | ||
244 | // | |
245 | // A certSlot identifiers one certificate from the certificate chain | |
246 | // | |
247 | certSlot returns [int slot] | |
248 | : s:INTEGER // counting from the anchor up | |
249 | { slot = atol(s->getText().c_str()); } | |
250 | | NEG ss:INTEGER // counting from the leaf down | |
251 | { slot = -atol(ss->getText().c_str()); } | |
252 | | "leaf" // the leaf ( == -1) | |
253 | { slot = Requirement::leafCert; } | |
254 | | "root" // the root ( == 0) | |
255 | { slot = Requirement::anchorCert; } | |
256 | ; | |
257 | ||
258 | certSlotAnchor returns [int slot] | |
259 | : slot=certSlot | |
260 | | empty // defaults to anchor ( == 0) | |
261 | { slot = Requirement::anchorCert; } | |
262 | ; | |
263 | ||
264 | // an arbitrary digest value | |
265 | hash[SHA1::Digest digest] | |
266 | : hash:HASHCONSTANT | |
267 | { hashString(hash->getText(), digest); } | |
268 | ; | |
269 | ||
270 | // various forms to specify a certificate hash | |
271 | certificateDigest[SHA1::Digest digest] | |
272 | : hash[digest] | |
273 | | { string path; } path=pathstring | |
274 | { if (CFRef<CFDataRef> certData = cfLoadFile(path)) | |
275 | hashOfCertificate(CFDataGetBytePtr(certData), CFDataGetLength(certData), digest); | |
276 | else | |
277 | throw antlr::SemanticException(path + ": not found"); | |
278 | } | |
279 | ; | |
280 | ||
281 | // generic data - can be simple string, quoted string, or 0x-style hex | |
282 | datavalue returns [string result] | |
283 | : result=stringvalue | |
284 | | hex:HEXCONSTANT { result = hexString(hex->getText()); } | |
285 | ; | |
286 | ||
287 | // strings can always be quoted, but DOTKEYs don't need to be | |
288 | stringvalue returns [string result] | |
289 | : dk:DOTKEY { result = dk->getText(); } | |
290 | | s:STRING { result = s->getText(); } | |
291 | ; | |
292 | ||
293 | // pathstrings are like strings, but PATHNAMEs don't need to be quoted either | |
294 | pathstring returns [string result] | |
295 | : dk:DOTKEY { result = dk->getText(); } | |
296 | | s:STRING { result = s->getText(); } | |
297 | | pn:PATHNAME { result = pn->getText(); } | |
298 | ; | |
299 | ||
300 | // unique identifier value | |
301 | identifierString returns [string result] | |
302 | : dk:DOTKEY { result = dk->getText(); } | |
303 | | s:STRING { result = s->getText(); } | |
304 | ; | |
305 | ||
306 | // syntactic cavity generators | |
307 | fluff | |
308 | : SEMI | |
309 | ; | |
310 | ||
311 | eql | |
312 | : EQL | |
313 | | empty | |
314 | ; | |
315 | ||
316 | empty : ; | |
317 | ||
318 | ||
319 | // | |
320 | // The lexer for the Requirement language. | |
321 | // Really straightforward and conventional. | |
322 | // A subset of strings don't need to be quoted (DOTKEYs), though the disassembler | |
323 | // will always quote them anyway. | |
324 | // There's a syntax H"abcd" to denote hash values (in hex). | |
325 | // | |
326 | class RequirementLexer extends Lexer; | |
327 | ||
328 | options { | |
329 | k=2; | |
330 | testLiterals=false; | |
331 | } | |
332 | ||
333 | protected | |
334 | IDENT options { testLiterals=true; } | |
335 | : ( 'A' .. 'Z' | 'a' .. 'z' ) ( 'A' .. 'Z' | 'a' .. 'z' | '0' .. '9' )* | |
336 | ; | |
337 | ||
338 | DOTKEY options { testLiterals=true; } | |
339 | : IDENT ( "." IDENT )* | |
340 | ; | |
341 | ||
342 | PATHNAME | |
343 | : "/" IDENT ( "/" IDENT )+ | |
344 | ; | |
345 | ||
346 | HASHCONSTANT | |
347 | : 'H'! '"'! ( HEX )+ '"'! | |
348 | ; | |
349 | ||
350 | HEXCONSTANT | |
351 | : '0'! 'x'! ( HEX )+ | |
352 | ; | |
353 | ||
354 | STRING | |
355 | : '"'! ( ( '\\'! '"' ) | ( ~ ( '"' | '\\' ) ) )* '"'! | |
356 | ; | |
357 | ||
358 | INTEGER | |
359 | : ( '0' .. '9' ) + | |
360 | ; | |
361 | ||
362 | protected | |
363 | HEX : '0' .. '9' | 'a' .. 'f' | 'A' .. 'F' ; | |
364 | ||
365 | // operator tokens | |
366 | ARROW : "=>" ; | |
367 | SEMI : ';' ; | |
368 | LPAREN : '(' ; | |
369 | RPAREN : ')' ; | |
370 | LBRACK : '[' ; | |
371 | RBRACK : ']' ; | |
372 | COMMA : ',' ; | |
373 | EQL : '=' ; | |
374 | SUBS : '~' ; | |
375 | NEG : '-' ; | |
376 | NOT : '!' ; | |
377 | ||
378 | ||
379 | // | |
380 | // White spaces | |
381 | // | |
382 | WS : ( ' ' | '\n' { newline(); } | '\t' )+ | |
383 | { $setType(antlr::Token::SKIP); } | |
384 | ; | |
385 | ||
386 | SHELLCOMMENT | |
387 | : '#' ( ~ '\n' )* | |
388 | { $setType(antlr::Token::SKIP); } | |
389 | ; | |
390 | ||
391 | C_COMMENT | |
392 | : "/*" ( (~'*')|('*'(~'/')) )* "*/" | |
393 | { $setType(antlr::Token::SKIP); } | |
394 | ; | |
395 | ||
396 | CPP_COMMENT | |
397 | : "//" ( ~ '\n' )* | |
398 | { $setType(antlr::Token::SKIP); } | |
399 | ; |