]> git.saurik.com Git - apple/libsecurity_codesigning.git/blob - lib/reqinterp.cpp
projects / apple / libsecurity_codesigning.git / blob
? search:


089154bad8a5f855e719f854563c38e4fb457657
[apple/libsecurity_codesigning.git] / lib / reqinterp.cpp
1 /*
2 * Copyright (c) 2006 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 //
25 // reqinterp - Requirement language (exprOp) interpreter
26 //
27 #include "reqinterp.h"
28 #include <Security/SecTrustSettingsPriv.h>
29 #include <Security/SecCertificatePriv.h>
30 #include <security_utilities/memutils.h>
31 #include "csutilities.h"
32
33 namespace Security {
34 namespace CodeSigning {
35
36
37 static CFStringRef appleIntermediateCN = CFSTR("Apple Code Signing Certification Authority");
38 static CFStringRef appleIntermediateO = CFSTR("Apple Inc.");
39
40
41 //
42 // Construct an interpreter given a Requirement and an evaluation context.
43 //
44 Requirement::Interpreter::Interpreter(const Requirement *req, const Context *ctx)
45 : Reader(req), mContext(ctx)
46 {
47 }
48
49
50 //
51 // Main interpreter function.
52 //
53 // ExprOp code is in Polish Notation (operator followed by operands),
54 // and this engine uses opportunistic evaluation.
55 //
56 bool Requirement::Interpreter::evaluate()
57 {
58 ExprOp op = ExprOp(get<uint32_t>());
59 switch (op & ~opFlagMask) {
60 case opFalse:
61 return false;
62 case opTrue:
63 return true;
64 case opIdent:
65 return getString() == mContext->directory->identifier();
66 case opAppleAnchor:
67 return appleSigned();
68 case opAppleGenericAnchor:
69 return appleAnchored();
70 case opAnchorHash:
71 {
72 SecCertificateRef cert = mContext->cert(get<int32_t>());
73 return verifyAnchor(cert, getSHA1());
74 }
75 case opInfoKeyValue: // [legacy; use opInfoKeyField]
76 {
77 string key = getString();
78 return infoKeyValue(key, Match(CFTempString(getString()), matchEqual));
79 }
80 case opAnd:
81 return evaluate() & evaluate();
82 case opOr:
83 return evaluate() | evaluate();
84 case opCDHash:
85 {
86 SHA1 hash;
87 hash(mContext->directory, mContext->directory->length());
88 return hash.verify(getHash());
89 }
90 case opNot:
91 return !evaluate();
92 case opInfoKeyField:
93 {
94 string key = getString();
95 Match match(*this);
96 return infoKeyValue(key, match);
97 }
98 case opEntitlementField:
99 {
100 string key = getString();
101 Match match(*this);
102 return entitlementValue(key, match);
103 }
104 case opCertField:
105 {
106 SecCertificateRef cert = mContext->cert(get<int32_t>());
107 string key = getString();
108 Match match(*this);
109 return certFieldValue(key, match, cert);
110 }
111 case opCertGeneric:
112 {
113 SecCertificateRef cert = mContext->cert(get<int32_t>());
114 string key = getString();
115 Match match(*this);
116 return certFieldGeneric(key, match, cert);
117 }
118 case opTrustedCert:
119 return trustedCert(get<int32_t>());
120 case opTrustedCerts:
121 return trustedCerts();
122 default:
123 // opcode not recognized - handle generically if possible, fail otherwise
124 if (op & (opGenericFalse | opGenericSkip)) {
125 // unknown opcode, but it has a size field and can be safely bypassed
126 skip(get<uint32_t>());
127 if (op & opGenericFalse) {
128 secdebug("csinterp", "opcode 0x%x interpreted as false", op);
129 return false;
130 } else {
131 secdebug("csinterp", "opcode 0x%x ignored; continuing", op);
132 return evaluate();
133 }
134 }
135 // unrecognized opcode and no way to interpret it
136 secdebug("csinterp", "opcode 0x%x cannot be handled; aborting", op);
137 MacOSError::throwMe(errSecCSUnimplemented);
138 }
139 }
140
141
142 //
143 // Evaluate an Info.plist key condition
144 //
145 bool Requirement::Interpreter::infoKeyValue(const string &key, const Match &match)
146 {
147 if (mContext->info) // we have an Info.plist
148 if (CFTypeRef value = CFDictionaryGetValue(mContext->info, CFTempString(key)))
149 return match(value);
150 return false;
151 }
152
153
154 //
155 // Evaluate an entitlement condition
156 //
157 bool Requirement::Interpreter::entitlementValue(const string &key, const Match &match)
158 {
159 if (mContext->entitlements) // we have an Info.plist
160 if (CFTypeRef value = CFDictionaryGetValue(mContext->entitlements, CFTempString(key)))
161 return match(value);
162 return false;
163 }
164
165
166 bool Requirement::Interpreter::certFieldValue(const string &key, const Match &match, SecCertificateRef cert)
167 {
168 // no cert, no chance
169 if (cert == NULL)
170 return false;
171
172 // a table of recognized keys for the "certificate[foo]" syntax
173 static const struct CertField {
174 const char *name;
175 const CSSM_OID *oid;
176 } certFields[] = {
177 { "subject.C", &CSSMOID_CountryName },
178 { "subject.CN", &CSSMOID_CommonName },
179 { "subject.D", &CSSMOID_Description },
180 { "subject.L", &CSSMOID_LocalityName },
181 { "subject.O", &CSSMOID_OrganizationName },
182 { "subject.OU", &CSSMOID_OrganizationalUnitName },
183 { "subject.ST", &CSSMOID_StateProvinceName },
184 { "subject.STREET", &CSSMOID_StreetAddress },
185 { NULL, NULL }
186 };
187
188 // DN-component single-value match
189 for (const CertField *cf = certFields; cf->name; cf++)
190 if (cf->name == key) {
191 CFRef<CFStringRef> value;
192 if (IFDEBUG(OSStatus rc =) SecCertificateCopySubjectComponent(cert, cf->oid, &value.aref())) {
193 secdebug("csinterp", "cert %p lookup for DN.%s failed rc=%ld", cert, key.c_str(), rc);
194 return false;
195 }
196 return match(value);
197 }
198
199 // email multi-valued match (any of...)
200 if (key == "email") {
201 CFRef<CFArrayRef> value;
202 if (OSStatus rc = SecCertificateCopyEmailAddresses(cert, &value.aref())) {
203 secdebug("csinterp", "cert %p lookup for email failed rc=%ld", cert, rc);
204 return false;
205 }
206 return match(value);
207 }
208
209 // unrecognized key. Fail but do not abort to promote backward compatibility down the road
210 secdebug("csinterp", "cert field notation \"%s\" not understood", key.c_str());
211 return false;
212 }
213
214
215 bool Requirement::Interpreter::certFieldGeneric(const string &key, const Match &match, SecCertificateRef cert)
216 {
217 // the key is actually a (binary) OID value
218 CssmOid oid((char *)key.data(), key.length());
219 return certFieldGeneric(oid, match, cert);
220 }
221
222 bool Requirement::Interpreter::certFieldGeneric(const CssmOid &oid, const Match &match, SecCertificateRef cert)
223 {
224 return cert && certificateHasField(cert, oid) && match(kCFBooleanTrue);
225 }
226
227
228 //
229 // Check the Apple-signed condition
230 //
231 bool Requirement::Interpreter::appleAnchored()
232 {
233 if (SecCertificateRef cert = mContext->cert(anchorCert))
234 if (verifyAnchor(cert, appleAnchorHash())
235 #if defined(TEST_APPLE_ANCHOR)
236 || verifyAnchor(cert, testAppleAnchorHash())
237 #endif
238 )
239 return true;
240 return false;
241 }
242
243 bool Requirement::Interpreter::appleSigned()
244 {
245 if (appleAnchored())
246 if (SecCertificateRef intermed = mContext->cert(-2)) // first intermediate
247 // first intermediate common name match (exact)
248 if (certFieldValue("subject.CN", Match(appleIntermediateCN, matchEqual), intermed)
249 && certFieldValue("subject.O", Match(appleIntermediateO, matchEqual), intermed))
250 return true;
251 return false;
252 }
253
254
255 //
256 // Verify an anchor requirement against the context
257 //
258 bool Requirement::Interpreter::verifyAnchor(SecCertificateRef cert, const unsigned char *digest)
259 {
260 // get certificate bytes
261 if (cert) {
262 CSSM_DATA certData;
263 MacOSError::check(SecCertificateGetData(cert, &certData));
264
265 // verify hash
266 //@@@ should get SHA1(cert(-1).data) precalculated during chain verification
267 SHA1 hasher;
268 hasher(certData.Data, certData.Length);
269 return hasher.verify(digest);
270 }
271 return false;
272 }
273
274
275 //
276 // Check one or all certificate(s) in the cert chain against the Trust Settings database.
277 //
278 bool Requirement::Interpreter::trustedCerts()
279 {
280 int anchor = mContext->certCount() - 1;
281 for (int slot = 0; slot <= anchor; slot++)
282 if (SecCertificateRef cert = mContext->cert(slot))
283 switch (trustSetting(cert, slot == anchor)) {
284 case kSecTrustSettingsResultTrustRoot:
285 case kSecTrustSettingsResultTrustAsRoot:
286 return true;
287 case kSecTrustSettingsResultDeny:
288 return false;
289 case kSecTrustSettingsResultUnspecified:
290 break;
291 default:
292 assert(false);
293 return false;
294 }
295 else
296 return false;
297 return false;
298 }
299
300 bool Requirement::Interpreter::trustedCert(int slot)
301 {
302 if (SecCertificateRef cert = mContext->cert(slot)) {
303 int anchorSlot = mContext->certCount() - 1;
304 switch (trustSetting(cert, slot == anchorCert || slot == anchorSlot)) {
305 case kSecTrustSettingsResultTrustRoot:
306 case kSecTrustSettingsResultTrustAsRoot:
307 return true;
308 case kSecTrustSettingsResultDeny:
309 case kSecTrustSettingsResultUnspecified:
310 return false;
311 default:
312 assert(false);
313 return false;
314 }
315 } else
316 return false;
317 }
318
319
320 //
321 // Explicitly check one certificate against the Trust Settings database and report
322 // the findings. This is a helper for the various Trust Settings evaluators.
323 //
324 SecTrustSettingsResult Requirement::Interpreter::trustSetting(SecCertificateRef cert, bool isAnchor)
325 {
326 // the SPI input is the uppercase hex form of the SHA-1 of the certificate...
327 assert(cert);
328 SHA1::Digest digest;
329 hashOfCertificate(cert, digest);
330 string Certhex = CssmData(digest, sizeof(digest)).toHex();
331 for (string::iterator it = Certhex.begin(); it != Certhex.end(); ++it)
332 if (islower(*it))
333 *it = toupper(*it);
334
335 // call Trust Settings and see what it finds
336 SecTrustSettingsDomain domain;
337 SecTrustSettingsResult result;
338 CSSM_RETURN *errors = NULL;
339 uint32 errorCount = 0;
340 bool foundMatch, foundAny;
341 switch (OSStatus rc = SecTrustSettingsEvaluateCert(
342 CFTempString(Certhex), // settings index
343 &CSSMOID_APPLE_TP_CODE_SIGNING, // standard code signing policy
344 NULL, 0, // policy string (unused)
345 kSecTrustSettingsKeyUseAny, // no restriction on key usage @@@
346 isAnchor, // consult system default anchor set
347
348 &domain, // domain of found setting
349 &errors, &errorCount, // error set and maximum count
350 &result, // the actual setting
351 &foundMatch, &foundAny // optimization hints (not used)
352 )) {
353 case noErr:
354 ::free(errors);
355 if (foundMatch)
356 return result;
357 else
358 return kSecTrustSettingsResultUnspecified;
359 default:
360 ::free(errors);
361 MacOSError::throwMe(rc);
362 }
363 }
364
365
366 //
367 // Create a Match object from the interpreter stream
368 //
369 Requirement::Interpreter::Match::Match(Interpreter &interp)
370 {
371 switch (mOp = interp.get<MatchOperation>()) {
372 case matchExists:
373 break;
374 case matchEqual:
375 case matchContains:
376 case matchBeginsWith:
377 case matchEndsWith:
378 case matchLessThan:
379 case matchGreaterThan:
380 case matchLessEqual:
381 case matchGreaterEqual:
382 mValue = makeCFString(interp.getString());
383 break;
384 default:
385 // Assume this (unknown) match type has a single data argument.
386 // This gives us a chance to keep the instruction stream aligned.
387 interp.getString(); // discard
388 break;
389 }
390 }
391
392
393 //
394 // Execute a match against a candidate value
395 //
396 bool Requirement::Interpreter::Match::operator () (CFTypeRef candidate) const
397 {
398 // null candidates always fail
399 if (!candidate)
400 return false;
401
402 // interpret an array as matching alternatives (any one succeeds)
403 if (CFGetTypeID(candidate) == CFArrayGetTypeID()) {
404 CFArrayRef array = CFArrayRef(candidate);
405 CFIndex count = CFArrayGetCount(array);
406 for (CFIndex n = 0; n < count; n++)
407 if ((*this)(CFArrayGetValueAtIndex(array, n))) // yes, it's recursive
408 return true;
409 }
410
411 switch (mOp) {
412 case matchExists: // anything but NULL and boolean false "exists"
413 return !CFEqual(candidate, kCFBooleanFalse);
414 case matchEqual: // equality works for all CF types
415 return CFEqual(candidate, mValue);
416 case matchContains:
417 if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
418 CFStringRef value = CFStringRef(candidate);
419 if (CFStringFindWithOptions(value, mValue, CFRangeMake(0, CFStringGetLength(value)), 0, NULL))
420 return true;
421 }
422 return false;
423 case matchBeginsWith:
424 if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
425 CFStringRef value = CFStringRef(candidate);
426 if (CFStringFindWithOptions(value, mValue, CFRangeMake(0, CFStringGetLength(mValue)), 0, NULL))
427 return true;
428 }
429 return false;
430 case matchEndsWith:
431 if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
432 CFStringRef value = CFStringRef(candidate);
433 CFIndex matchLength = CFStringGetLength(mValue);
434 CFIndex start = CFStringGetLength(value) - matchLength;
435 if (start >= 0)
436 if (CFStringFindWithOptions(value, mValue, CFRangeMake(start, matchLength), 0, NULL))
437 return true;
438 }
439 return false;
440 case matchLessThan:
441 return inequality(candidate, kCFCompareNumerically, kCFCompareLessThan, true);
442 case matchGreaterThan:
443 return inequality(candidate, kCFCompareNumerically, kCFCompareGreaterThan, true);
444 case matchLessEqual:
445 return inequality(candidate, kCFCompareNumerically, kCFCompareGreaterThan, false);
446 case matchGreaterEqual:
447 return inequality(candidate, kCFCompareNumerically, kCFCompareLessThan, false);
448 default:
449 // unrecognized match types can never match
450 return false;
451 }
452 }
453
454
455 bool Requirement::Interpreter::Match::inequality(CFTypeRef candidate, CFStringCompareFlags flags,
456 CFComparisonResult outcome, bool negate) const
457 {
458 if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
459 CFStringRef value = CFStringRef(candidate);
460 if ((CFStringCompare(value, mValue, flags) == outcome) == negate)
461 return true;
462 }
463 return false;
464 }
465
466
467 } // CodeSigning
468 } // Security
mirror of libsecurity_codesigning