]> git.saurik.com Git - apple/libsecurity_codesigning.git/blob - lib/signer.cpp
projects / apple / libsecurity_codesigning.git / blob
? search:


23cbfd64006e9a3b1fff52ea03a0281bd0be9ab9
[apple/libsecurity_codesigning.git] / lib / signer.cpp
1 /*
2 * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 //
25 // signer - Signing operation supervisor and controller
26 //
27 #include "signer.h"
28 #include "resources.h"
29 #include "signerutils.h"
30 #include "SecCodeSigner.h"
31 #include <Security/SecIdentity.h>
32 #include <Security/CMSEncoder.h>
33 #include <Security/CMSPrivate.h>
34 #include <Security/CSCommonPriv.h>
35 #include <CoreFoundation/CFBundlePriv.h>
36 #include "renum.h"
37 #include "machorep.h"
38 #include "csutilities.h"
39 #include <security_utilities/unix++.h>
40 #include <security_utilities/unixchild.h>
41 #include <security_utilities/cfmunge.h>
42
43 namespace Security {
44 namespace CodeSigning {
45
46
47 //
48 // Sign some code.
49 //
50 void SecCodeSigner::Signer::sign(SecCSFlags flags)
51 {
52 rep = code->diskRep()->base();
53 this->prepare(flags);
54 if (Universal *fat = state.mNoMachO ? NULL : rep->mainExecutableImage()) {
55 signMachO(fat);
56 } else {
57 signArchitectureAgnostic();
58 }
59 }
60
61
62 //
63 // Remove any existing code signature from code
64 //
65 void SecCodeSigner::Signer::remove(SecCSFlags flags)
66 {
67 // can't remove a detached signature
68 if (state.mDetached)
69 MacOSError::throwMe(errSecCSNotSupported);
70
71 rep = code->diskRep();
72 if (Universal *fat = state.mNoMachO ? NULL : rep->mainExecutableImage()) {
73 // architecture-sensitive removal
74 MachOEditor editor(rep->writer(), *fat, kSecCodeSignatureNoHash, rep->mainExecutablePath());
75 editor.allocate(); // create copy
76 editor.commit(); // commit change
77 } else {
78 // architecture-agnostic removal
79 RefPointer<DiskRep::Writer> writer = rep->writer();
80 writer->remove();
81 writer->flush();
82 }
83 }
84
85
86 //
87 // Contemplate the object-to-be-signed and set up the Signer state accordingly.
88 //
89 void SecCodeSigner::Signer::prepare(SecCSFlags flags)
90 {
91 // get the Info.plist out of the rep for some creative defaulting
92 CFRef<CFDictionaryRef> infoDict;
93 if (CFRef<CFDataRef> infoData = rep->component(cdInfoSlot))
94 infoDict.take(makeCFDictionaryFrom(infoData));
95
96 // work out the canonical identifier
97 identifier = state.mIdentifier;
98 if (identifier.empty()) {
99 identifier = rep->recommendedIdentifier(state);
100 if (identifier.find('.') == string::npos)
101 identifier = state.mIdentifierPrefix + identifier;
102 if (identifier.find('.') == string::npos && state.isAdhoc())
103 identifier = identifier + "-" + uniqueName();
104 secdebug("signer", "using default identifier=%s", identifier.c_str());
105 } else
106 secdebug("signer", "using explicit identifier=%s", identifier.c_str());
107
108 // work out the CodeDirectory flags word
109 if (state.mCdFlagsGiven) {
110 cdFlags = state.mCdFlags;
111 secdebug("signer", "using explicit cdFlags=0x%x", cdFlags);
112 } else {
113 cdFlags = 0;
114 if (infoDict)
115 if (CFTypeRef csflags = CFDictionaryGetValue(infoDict, CFSTR("CSFlags")))
116 if (CFGetTypeID(csflags) == CFNumberGetTypeID()) {
117 cdFlags = cfNumber<uint32_t>(CFNumberRef(csflags));
118 secdebug("signer", "using numeric cdFlags=0x%x from Info.plist", cdFlags);
119 } else if (CFGetTypeID(csflags) == CFStringGetTypeID()) {
120 cdFlags = cdTextFlags(cfString(CFStringRef(csflags)));
121 secdebug("signer", "using text cdFlags=0x%x from Info.plist", cdFlags);
122 } else
123 MacOSError::throwMe(errSecCSBadDictionaryFormat);
124 }
125 if (state.mSigner == SecIdentityRef(kCFNull)) // ad-hoc signing requested...
126 cdFlags |= kSecCodeSignatureAdhoc; // ... so note that
127
128 // prepare the resource directory, if any
129 string rpath = rep->resourcesRootPath();
130 if (!rpath.empty()) {
131 // explicitly given resource rules always win
132 CFCopyRef<CFDictionaryRef> resourceRules = state.mResourceRules;
133
134 // embedded resource rules come next
135 if (!resourceRules && infoDict)
136 if (CFTypeRef spec = CFDictionaryGetValue(infoDict, _kCFBundleResourceSpecificationKey)) {
137 if (CFGetTypeID(spec) == CFStringGetTypeID())
138 if (CFRef<CFDataRef> data = cfLoadFile(rpath + "/" + cfString(CFStringRef(spec))))
139 if (CFDictionaryRef dict = makeCFDictionaryFrom(data))
140 resourceRules.take(dict);
141 if (!resourceRules) // embedded rules present but unacceptable
142 MacOSError::throwMe(errSecCSResourceRulesInvalid);
143 }
144
145 // finally, ask the DiskRep for its default
146 if (!resourceRules)
147 resourceRules.take(rep->defaultResourceRules(state));
148
149 // build the resource directory
150 ResourceBuilder resources(rpath, cfget<CFDictionaryRef>(resourceRules, "rules"), digestAlgorithm());
151 rep->adjustResources(resources); // DiskRep-specific adjustments
152 CFRef<CFDictionaryRef> rdir = resources.build();
153 resourceDirectory.take(CFPropertyListCreateXMLData(NULL, rdir));
154 }
155
156 // screen and set the signing time
157 CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
158 if (state.mSigningTime == CFDateRef(kCFNull)) {
159 signingTime = 0; // no time at all
160 } else if (!state.mSigningTime) {
161 signingTime = now; // default
162 } else {
163 CFAbsoluteTime time = CFDateGetAbsoluteTime(state.mSigningTime);
164 if (time > now) // not allowed to post-date a signature
165 MacOSError::throwMe(errSecCSBadDictionaryFormat);
166 signingTime = time;
167 }
168
169 pagesize = state.mPageSize ? cfNumber<size_t>(state.mPageSize) : rep->pageSize(state);
170 }
171
172
173 //
174 // Sign a Mach-O binary, using liberal dollops of that special Mach-O magic sauce.
175 // Note that this will deal just fine with non-fat Mach-O binaries, but it will
176 // treat them as architectural binaries containing (only) one architecture - that
177 // interpretation is courtesy of the Universal/MachO support classes.
178 //
179 void SecCodeSigner::Signer::signMachO(Universal *fat)
180 {
181 // Mach-O executable at the core - perform multi-architecture signing
182 auto_ptr<ArchEditor> editor(state.mDetached
183 ? static_cast<ArchEditor *>(new BlobEditor(*fat, *this))
184 : new MachOEditor(rep->writer(), *fat, this->digestAlgorithm(), rep->mainExecutablePath()));
185 assert(editor->count() > 0);
186 if (!editor->attribute(writerNoGlobal)) // can store architecture-common components
187 populate(*editor);
188
189 // pass 1: prepare signature blobs and calculate sizes
190 for (MachOEditor::Iterator it = editor->begin(); it != editor->end(); ++it) {
191 MachOEditor::Arch &arch = *it->second;
192 arch.source.reset(fat->architecture(it->first));
193 arch.ireqs(state.mRequirements, rep->defaultRequirements(&arch.architecture, state));
194 if (editor->attribute(writerNoGlobal)) // can't store globally, add per-arch
195 populate(arch);
196 populate(arch.cdbuilder, arch, arch.ireqs,
197 arch.source->offset(), arch.source->signingExtent());
198
199 // add identification blob (made from this architecture) only if we're making a detached signature
200 if (state.mDetached) {
201 CFRef<CFDataRef> identification = MachORep::identificationFor(arch.source.get());
202 arch.add(cdIdentificationSlot, BlobWrapper::alloc(
203 CFDataGetBytePtr(identification), CFDataGetLength(identification)));
204 }
205
206 // prepare SuperBlob size estimate
207 size_t cdSize = arch.cdbuilder.size();
208 arch.blobSize = arch.size(cdSize, state.mCMSSize, 0);
209 }
210
211 editor->allocate();
212
213 // pass 2: Finish and generate signatures, and write them
214 for (MachOEditor::Iterator it = editor->begin(); it != editor->end(); ++it) {
215 MachOEditor::Arch &arch = *it->second;
216 editor->reset(arch);
217
218 // finish CodeDirectory (off new binary) and sign it
219 CodeDirectory *cd = arch.cdbuilder.build();
220 CFRef<CFDataRef> signature = signCodeDirectory(cd);
221
222 // complete the SuperBlob
223 arch.add(cdCodeDirectorySlot, cd); // takes ownership
224 arch.add(cdSignatureSlot, BlobWrapper::alloc(
225 CFDataGetBytePtr(signature), CFDataGetLength(signature)));
226 if (!state.mDryRun) {
227 EmbeddedSignatureBlob *blob = arch.make();
228 editor->write(arch, blob); // takes ownership of blob
229 }
230 }
231
232 // done: write edit copy back over the original
233 if (!state.mDryRun)
234 editor->commit();
235 }
236
237
238 //
239 // Sign a binary that has no notion of architecture.
240 // That currently means anything that isn't Mach-O format.
241 //
242 void SecCodeSigner::Signer::signArchitectureAgnostic()
243 {
244 // non-Mach-O executable - single-instance signing
245 RefPointer<DiskRep::Writer> writer = state.mDetached ?
246 (new DetachedBlobWriter(*this)) : rep->writer();
247 CodeDirectory::Builder builder(state.mDigestAlgorithm);
248 InternalRequirements ireqs;
249 ireqs(state.mRequirements, rep->defaultRequirements(NULL, state));
250 populate(*writer);
251 populate(builder, *writer, ireqs, rep->signingBase(), rep->signingLimit());
252
253 // add identification blob (made from this architecture) only if we're making a detached signature
254 if (state.mDetached) {
255 CFRef<CFDataRef> identification = rep->identification();
256 writer->component(cdIdentificationSlot, identification);
257 }
258
259 CodeDirectory *cd = builder.build();
260 CFRef<CFDataRef> signature = signCodeDirectory(cd);
261 if (!state.mDryRun) {
262 writer->codeDirectory(cd);
263 writer->signature(signature);
264 writer->flush();
265 }
266 ::free(cd);
267 }
268
269
270 //
271 // Global populate - send components to destination buffers ONCE
272 //
273 void SecCodeSigner::Signer::populate(DiskRep::Writer &writer)
274 {
275 if (resourceDirectory)
276 writer.component(cdResourceDirSlot, resourceDirectory);
277 }
278
279
280 //
281 // Per-architecture populate - send components to per-architecture buffers
282 // and populate the CodeDirectory for an architecture. In architecture-agnostic
283 // signing operations, the non-architectural binary is considered one (arbitrary) architecture
284 // for the purposes of this call.
285 //
286 void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer,
287 InternalRequirements &ireqs, size_t offset /* = 0 */, size_t length /* = 0 */)
288 {
289 // fill the CodeDirectory
290 builder.executable(rep->mainExecutablePath(), pagesize, offset, length);
291 builder.flags(cdFlags);
292 builder.identifier(identifier);
293
294 if (CFDataRef data = rep->component(cdInfoSlot))
295 builder.specialSlot(cdInfoSlot, data);
296 if (ireqs) {
297 CFRef<CFDataRef> data = makeCFData(*ireqs);
298 writer.component(cdRequirementsSlot, data);
299 builder.specialSlot(cdRequirementsSlot, data);
300 }
301 if (resourceDirectory)
302 builder.specialSlot(cdResourceDirSlot, resourceDirectory);
303 #if NOT_YET
304 if (state.mApplicationData)
305 builder.specialSlot(cdApplicationSlot, state.mApplicationData);
306 #endif
307 if (state.mEntitlementData) {
308 writer.component(cdEntitlementSlot, state.mEntitlementData);
309 builder.specialSlot(cdEntitlementSlot, state.mEntitlementData);
310 }
311
312 writer.addDiscretionary(builder);
313 }
314
315
316 //
317 // Generate the CMS signature for a (finished) CodeDirectory.
318 //
319 CFDataRef SecCodeSigner::Signer::signCodeDirectory(const CodeDirectory *cd)
320 {
321 assert(state.mSigner);
322
323 // a null signer generates a null signature blob
324 if (state.mSigner == SecIdentityRef(kCFNull))
325 return CFDataCreate(NULL, NULL, 0);
326
327 // generate CMS signature
328 CFRef<CMSEncoderRef> cms;
329 MacOSError::check(CMSEncoderCreate(&cms.aref()));
330 MacOSError::check(CMSEncoderSetCertificateChainMode(cms, kCMSCertificateChainWithRoot));
331 CMSEncoderAddSigners(cms, state.mSigner);
332 MacOSError::check(CMSEncoderSetHasDetachedContent(cms, true));
333
334 if (signingTime) {
335 MacOSError::check(CMSEncoderAddSignedAttributes(cms, kCMSAttrSigningTime));
336 MacOSError::check(CMSEncoderSetSigningTime(cms, signingTime));
337 }
338
339 MacOSError::check(CMSEncoderUpdateContent(cms, cd, cd->length()));
340 CFDataRef signature;
341 MacOSError::check(CMSEncoderCopyEncodedContent(cms, &signature));
342 return signature;
343 }
344
345
346 //
347 // Parse a text of the form
348 // flag,...,flag
349 // where each flag is the canonical name of a signable CodeDirectory flag.
350 // No abbreviations are allowed, and internally set flags are not accepted.
351 //
352 uint32_t SecCodeSigner::Signer::cdTextFlags(std::string text)
353 {
354 uint32_t flags = 0;
355 for (string::size_type comma = text.find(','); ; text = text.substr(comma+1), comma = text.find(',')) {
356 string word = (comma == string::npos) ? text : text.substr(0, comma);
357 const SecCodeDirectoryFlagTable *item;
358 for (item = kSecCodeDirectoryFlagTable; item->name; item++)
359 if (item->signable && word == item->name) {
360 flags |= item->value;
361 break;
362 }
363 if (!item->name) // not found
364 MacOSError::throwMe(errSecCSInvalidFlags);
365 if (comma == string::npos) // last word
366 break;
367 }
368 return flags;
369 }
370
371
372 //
373 // Generate a unique string from our underlying DiskRep.
374 // We could get 90%+ of the uniquing benefit by just generating
375 // a random string here. Instead, we pick the (hex string encoding of)
376 // the source rep's unique identifier blob. For universal binaries,
377 // this is the canonical local architecture, which is a bit arbitrary.
378 // This provides us with a consistent unique string for all architectures
379 // of a fat binary, *and* (unlike a random string) is reproducible
380 // for identical inputs, even upon resigning.
381 //
382 std::string SecCodeSigner::Signer::uniqueName() const
383 {
384 CFRef<CFDataRef> identification = rep->identification();
385 const UInt8 *ident = CFDataGetBytePtr(identification);
386 const unsigned int length = CFDataGetLength(identification);
387 string result;
388 for (unsigned int n = 0; n < length; n++) {
389 char hex[3];
390 snprintf(hex, sizeof(hex), "%02x", ident[n]);
391 result += hex;
392 }
393 return result;
394 }
395
396
397 } // end namespace CodeSigning
398 } // end namespace Security
mirror of libsecurity_codesigning