]> git.saurik.com Git - apple/libsecurity_codesigning.git/blob - lib/policyengine.cpp
projects / apple / libsecurity_codesigning.git / blob
? search:


4ebe2a029d131170d8f1e3ed17fdf843f56b5cd2
[apple/libsecurity_codesigning.git] / lib / policyengine.cpp
1 /*
2 * Copyright (c) 2011 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 #include "policyengine.h"
24 #include "xar++.h"
25 #include <security_utilities/cfmunge.h>
26 #include <Security/Security.h>
27 #include <Security/SecRequirementPriv.h>
28 #include <Security/SecPolicyPriv.h>
29 #include <Security/SecTrustPriv.h>
30 #include <Security/SecCodeSigner.h>
31 #include <Security/cssmapplePriv.h>
32 #include <notify.h>
33 #include <security_utilities/unix++.h>
34 #include "quarantine++.h"
35
36 #include <CoreServices/CoreServicesPriv.h>
37 #undef check // Macro! Yech.
38
39 namespace Security {
40 namespace CodeSigning {
41
42 static const double NEGATIVE_HOLD = 60.0/86400; // 60 seconds to cache negative outcomes
43
44
45 static void authorizeUpdate(SecCSFlags flags, CFDictionaryRef context);
46 static void normalizeTarget(CFRef<CFTypeRef> &target, CFDictionary &context, bool signUnsigned = false);
47
48
49 //
50 // Core structure
51 //
52 PolicyEngine::PolicyEngine()
53 : PolicyDatabase(NULL, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE)
54 {
55 }
56
57 PolicyEngine::~PolicyEngine()
58 { }
59
60
61 //
62 // Top-level evaluation driver
63 //
64 void PolicyEngine::evaluate(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result)
65 {
66 switch (type) {
67 case kAuthorityExecute:
68 evaluateCode(path, flags, context, result);
69 break;
70 case kAuthorityInstall:
71 evaluateInstall(path, flags, context, result);
72 break;
73 case kAuthorityOpenDoc:
74 evaluateDocOpen(path, flags, context, result);
75 break;
76 default:
77 MacOSError::throwMe(errSecCSInvalidAttributeValues);
78 break;
79 }
80 }
81
82
83 //
84 // Executable code.
85 // Read from disk, evaluate properly, cache as indicated. The whole thing, so far.
86 //
87 void PolicyEngine::evaluateCode(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result)
88 {
89 const AuthorityType type = kAuthorityExecute;
90
91 CFRef<SecStaticCodeRef> code;
92 MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()));
93
94 const SecCSFlags validationFlags = kSecCSEnforceRevocationChecks;
95
96 SQLite::Statement query(*this,
97 "SELECT allow, requirement, id, label, expires, flags, disabled FROM scan_authority"
98 " WHERE type = :type"
99 " ORDER BY priority DESC;");
100 query.bind(":type").integer(type);
101 SQLite3::int64 latentID = 0; // first (highest priority) disabled matching ID
102 std::string latentLabel; // ... and associated label, if any
103 while (query.nextRow()) {
104 bool allow = int(query[0]);
105 const char *reqString = query[1];
106 SQLite3::int64 id = query[2];
107 const char *label = query[3];
108 double expires = query[4];
109 sqlite3_int64 ruleFlags = query[5];
110 SQLite3::int64 disabled = query[6];
111
112 CFRef<SecRequirementRef> requirement;
113 MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString), kSecCSDefaultFlags, &requirement.aref()));
114
115 OSStatus rc = SecStaticCodeCheckValidity(code, validationFlags | kSecCSBasicValidateOnly, requirement);
116 // ok, so this rule matches lets do a full validation if not overriding assessments
117 if (rc == noErr && !overrideAssessment())
118 rc = SecStaticCodeCheckValidity(code, validationFlags, requirement);
119
120 switch (rc) {
121 case noErr: // success
122 break;
123 case errSecCSUnsigned:
124 cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
125 addAuthority(result, "no usable signature");
126 return;
127 case errSecCSReqFailed: // requirement missed, but otherwise okay
128 continue;
129 default: // broken in some way; all tests will fail like this so bail out
130 MacOSError::throwMe(rc);
131 }
132 if (disabled) {
133 if (latentID == 0) {
134 latentID = id;
135 if (label)
136 latentLabel = label;
137 }
138 continue; // the loop
139 }
140
141 CFRef<CFDictionaryRef> info; // as needed
142 if (flags & kSecAssessmentFlagRequestOrigin) {
143 if (!info)
144 MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
145 if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates)))
146 setOrigin(chain, result);
147 }
148 if (!(ruleFlags & kAuthorityFlagInhibitCache) && !(flags & kSecAssessmentFlagNoCache)) { // cache inhibit
149 if (!info)
150 MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
151 if (SecTrustRef trust = SecTrustRef(CFDictionaryGetValue(info, kSecCodeInfoTrust))) {
152 CFRef<CFDictionaryRef> xinfo;
153 MacOSError::check(SecTrustCopyExtendedResult(trust, &xinfo.aref()));
154 if (CFDateRef limit = CFDateRef(CFDictionaryGetValue(xinfo, kSecTrustExpirationDate))) {
155 double julianLimit = CFDateGetAbsoluteTime(limit) / 86400.0 + 2451910.5;
156 this->recordOutcome(code, allow, type, min(expires, julianLimit), id);
157 }
158 }
159 }
160 cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow);
161 addAuthority(result, label, id);
162 return;
163 }
164
165 // no applicable authority. Deny by default
166 if (flags & kSecAssessmentFlagRequestOrigin) {
167 CFRef<CFDictionaryRef> info; // as needed
168 MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
169 if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates)))
170 setOrigin(chain, result);
171 }
172 if (!(flags & kSecAssessmentFlagNoCache))
173 this->recordOutcome(code, false, type, this->julianNow() + NEGATIVE_HOLD, latentID);
174 cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, false);
175 addAuthority(result, latentLabel.c_str(), latentID);
176 }
177
178
179 //
180 // Installer archive.
181 // Certs passed from caller (untrusted), no policy engine yet, no caching (since untrusted).
182 // The current "policy" is to trust any proper signature.
183 //
184 static CFTypeRef installerPolicy();
185
186 void PolicyEngine::evaluateInstall(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result)
187 {
188 const AuthorityType type = kAuthorityInstall;
189
190 SQLite3::int64 latentID = 0; // first (highest priority) disabled matching ID
191 std::string latentLabel; // ... and associated label, if any
192 Xar xar(cfString(path).c_str());
193 if (xar) {
194 if (!xar.isSigned()) {
195 // unsigned xar
196 cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, false);
197 addAuthority(result, "no usable signature");
198 return;
199 }
200 if (CFRef<CFArrayRef> certs = xar.copyCertChain()) {
201 CFRef<CFTypeRef> policy = installerPolicy();
202 CFRef<SecTrustRef> trust;
203 MacOSError::check(SecTrustCreateWithCertificates(certs, policy, &trust.aref()));
204 // MacOSError::check(SecTrustSetAnchorCertificates(trust, cfEmptyArray())); // no anchors
205 MacOSError::check(SecTrustSetOptions(trust, kSecTrustOptionAllowExpired | kSecTrustOptionImplicitAnchors));
206
207 SecTrustResultType trustResult;
208 MacOSError::check(SecTrustEvaluate(trust, &trustResult));
209 CFRef<CFArrayRef> chain;
210 CSSM_TP_APPLE_EVIDENCE_INFO *info;
211 MacOSError::check(SecTrustGetResult(trust, &trustResult, &chain.aref(), &info));
212
213 if (flags & kSecAssessmentFlagRequestOrigin)
214 setOrigin(chain, result);
215
216 switch (trustResult) {
217 case kSecTrustResultProceed:
218 case kSecTrustResultConfirm:
219 case kSecTrustResultUnspecified:
220 break;
221 default:
222 {
223 OSStatus rc;
224 MacOSError::check(SecTrustGetCssmResultCode(trust, &rc));
225 MacOSError::throwMe(rc);
226 }
227 }
228
229 SQLite::Statement query(*this,
230 "SELECT allow, requirement, id, label, flags, disabled FROM scan_authority"
231 " WHERE type = :type"
232 " ORDER BY priority DESC;");
233 query.bind(":type").integer(type);
234 while (query.nextRow()) {
235 bool allow = int(query[0]);
236 const char *reqString = query[1];
237 SQLite3::int64 id = query[2];
238 const char *label = query[3];
239 //sqlite_uint64 ruleFlags = query[4];
240 SQLite3::int64 disabled = query[5];
241
242 CFRef<SecRequirementRef> requirement;
243 MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString), kSecCSDefaultFlags, &requirement.aref()));
244 switch (OSStatus rc = SecRequirementEvaluate(requirement, chain, NULL, kSecCSDefaultFlags)) {
245 case noErr: // success
246 break;
247 case errSecCSReqFailed: // requirement missed, but otherwise okay
248 continue;
249 default: // broken in some way; all tests will fail like this so bail out
250 MacOSError::throwMe(rc);
251 }
252 if (disabled) {
253 if (latentID == 0) {
254 latentID = id;
255 if (label)
256 latentLabel = label;
257 }
258 continue; // the loop
259 }
260 // not adding to the object cache - we could, but it's not likely to be worth it
261 cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow);
262 addAuthority(result, label, id);
263 return;
264 }
265 }
266 }
267
268 // no applicable authority. Deny by default
269 cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
270 addAuthority(result, latentLabel.c_str(), latentID);
271 }
272
273
274 //
275 // Create a suitable policy array for verification of installer signatures.
276 //
277 static SecPolicyRef makeCRLPolicy()
278 {
279 CFRef<SecPolicyRef> policy;
280 MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_CRL, &policy.aref()));
281 CSSM_APPLE_TP_CRL_OPTIONS options;
282 memset(&options, 0, sizeof(options));
283 options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
284 options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET | CSSM_TP_ACTION_CRL_SUFFICIENT;
285 CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
286 MacOSError::check(SecPolicySetValue(policy, &optData));
287 return policy.yield();
288 }
289
290 static SecPolicyRef makeOCSPPolicy()
291 {
292 CFRef<SecPolicyRef> policy;
293 MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_OCSP, &policy.aref()));
294 CSSM_APPLE_TP_OCSP_OPTIONS options;
295 memset(&options, 0, sizeof(options));
296 options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
297 options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
298 CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
299 MacOSError::check(SecPolicySetValue(policy, &optData));
300 return policy.yield();
301 }
302
303 static CFTypeRef installerPolicy()
304 {
305 CFRef<SecPolicyRef> base = SecPolicyCreateBasicX509();
306 CFRef<SecPolicyRef> crl = makeCRLPolicy();
307 CFRef<SecPolicyRef> ocsp = makeOCSPPolicy();
308 return makeCFArray(3, base.get(), crl.get(), ocsp.get());
309 }
310
311
312 //
313 // LaunchServices-layer document open.
314 // We don't cache those at present. If we ever do, we need to authenticate CoreServicesUIAgent as the source of its risk assessment.
315 //
316 void PolicyEngine::evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result)
317 {
318 if (context) {
319 if (CFStringRef riskCategory = CFStringRef(CFDictionaryGetValue(context, kLSDownloadRiskCategoryKey))) {
320 if (CFEqual(riskCategory, kLSRiskCategorySafe)
321 || CFEqual(riskCategory, kLSRiskCategoryNeutral)
322 || CFEqual(riskCategory, kLSRiskCategoryUnknown)
323 || CFEqual(riskCategory, kLSRiskCategoryMayContainUnsafeExecutable)) {
324 cfadd(result, "{%O=#T}", kSecAssessmentAssessmentVerdict);
325 addAuthority(result, "_XProtect");
326 } else if (FileQuarantine(cfString(path).c_str()).flag(QTN_FLAG_ASSESSMENT_OK)) {
327 cfadd(result, "{%O=#T}", kSecAssessmentAssessmentVerdict);
328 addAuthority(result, "Prior Assessment");
329 } else {
330 cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
331 addAuthority(result, "_XProtect");
332 }
333 addToAuthority(result, kLSDownloadRiskCategoryKey, riskCategory);
334 return;
335 }
336 }
337 // insufficient information from LS - deny by default
338 cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
339 addAuthority(result, "Insufficient Context");
340 }
341
342
343 //
344 // Result-creation helpers
345 //
346 void PolicyEngine::addAuthority(CFMutableDictionaryRef parent, const char *label, SQLite::int64 row, CFTypeRef cacheInfo)
347 {
348 CFRef<CFMutableDictionaryRef> auth = makeCFMutableDictionary();
349 if (label && label[0])
350 cfadd(auth, "{%O=%s}", kSecAssessmentAssessmentSource, label);
351 if (row)
352 CFDictionaryAddValue(auth, kSecAssessmentAssessmentAuthorityRow, CFTempNumber(row));
353 if (cacheInfo)
354 CFDictionaryAddValue(auth, kSecAssessmentAssessmentFromCache, cacheInfo);
355 CFDictionaryAddValue(parent, kSecAssessmentAssessmentAuthority, auth);
356 }
357
358 void PolicyEngine::addToAuthority(CFMutableDictionaryRef parent, CFStringRef key, CFTypeRef value)
359 {
360 CFMutableDictionaryRef authority = CFMutableDictionaryRef(CFDictionaryGetValue(parent, kSecAssessmentAssessmentAuthority));
361 assert(authority);
362 CFDictionaryAddValue(authority, key, value);
363 }
364
365
366 //
367 // Add a rule to the policy database
368 //
369 bool PolicyEngine::add(CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
370 {
371 // default type to execution
372 if (type == kAuthorityInvalid)
373 type = kAuthorityExecute;
374
375 authorizeUpdate(flags, context);
376 CFDictionary ctx(context, errSecCSInvalidAttributeValues);
377 CFCopyRef<CFTypeRef> target = inTarget;
378
379 if (type == kAuthorityOpenDoc) {
380 // handle document-open differently: use quarantine flags for whitelisting
381 if (!target || CFGetTypeID(target) != CFURLGetTypeID())
382 MacOSError::throwMe(errSecCSInvalidObjectRef);
383 std::string spath = cfString(target.as<CFURLRef>()).c_str();
384 FileQuarantine qtn(spath.c_str());
385 qtn.setFlag(QTN_FLAG_ASSESSMENT_OK);
386 qtn.applyTo(spath.c_str());
387 return true;
388 }
389
390 if (type == kAuthorityInstall) {
391 return cfmake<CFDictionaryRef>("{%O=%O}", kSecAssessmentAssessmentAuthorityOverride, CFSTR("virtual install"));
392 }
393
394 // resolve URLs to Requirements
395 normalizeTarget(target, ctx, true);
396
397 // if we now have anything else, we're busted
398 if (!target || CFGetTypeID(target) != SecRequirementGetTypeID())
399 MacOSError::throwMe(errSecCSInvalidObjectRef);
400
401 double priority = 0;
402 string label;
403 bool allow = true;
404 double expires = never;
405 string remarks;
406
407 if (CFNumberRef pri = ctx.get<CFNumberRef>(kSecAssessmentUpdateKeyPriority))
408 CFNumberGetValue(pri, kCFNumberDoubleType, &priority);
409 if (CFStringRef lab = ctx.get<CFStringRef>(kSecAssessmentUpdateKeyLabel))
410 label = cfString(lab);
411 if (CFDateRef time = ctx.get<CFDateRef>(kSecAssessmentUpdateKeyExpires))
412 // we're using Julian dates here; convert from CFDate
413 expires = CFDateGetAbsoluteTime(time) / 86400.0 + 2451910.5;
414 if (CFBooleanRef allowing = ctx.get<CFBooleanRef>(kSecAssessmentUpdateKeyAllow))
415 allow = allowing == kCFBooleanTrue;
416 if (CFStringRef rem = ctx.get<CFStringRef>(kSecAssessmentUpdateKeyRemarks))
417 remarks = cfString(rem);
418
419 CFRef<CFStringRef> requirementText;
420 MacOSError::check(SecRequirementCopyString(target.as<SecRequirementRef>(), kSecCSDefaultFlags, &requirementText.aref()));
421 SQLite::Transaction xact(*this, SQLite3::Transaction::deferred, "add_rule");
422 SQLite::Statement insert(*this,
423 "INSERT INTO authority (type, allow, requirement, priority, label, expires, remarks)"
424 " VALUES (:type, :allow, :requirement, :priority, :label, :expires, :remarks);");
425 insert.bind(":type").integer(type);
426 insert.bind(":allow").integer(allow);
427 insert.bind(":requirement") = requirementText.get();
428 insert.bind(":priority") = priority;
429 if (!label.empty())
430 insert.bind(":label") = label.c_str();
431 insert.bind(":expires") = expires;
432 if (!remarks.empty())
433 insert.bind(":remarks") = remarks.c_str();
434 insert.execute();
435 this->purgeObjects(priority);
436 xact.commit();
437 notify_post(kNotifySecAssessmentUpdate);
438 return true;
439 }
440
441
442 //
443 // Perform an action on existing authority rule(s)
444 //
445 bool PolicyEngine::manipulateRules(const std::string &stanza,
446 CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
447 {
448 authorizeUpdate(flags, context);
449 CFDictionary ctx(context, errSecCSInvalidAttributeValues);
450 CFCopyRef<CFTypeRef> target = inTarget;
451 normalizeTarget(target, ctx);
452
453 string label;
454
455 if (CFStringRef lab = ctx.get<CFStringRef>(kSecAssessmentUpdateKeyLabel))
456 label = cfString(CFStringRef(lab));
457
458 SQLite::Transaction xact(*this, SQLite3::Transaction::deferred, "rule_change");
459 SQLite::Statement action(*this);
460 if (!target) {
461 if (label.empty()) // underspecified
462 MacOSError::throwMe(errSecCSInvalidObjectRef);
463 if (type == kAuthorityInvalid) {
464 action.query(stanza + " WHERE label = :label");
465 } else {
466 action.query(stanza + " WHERE type = :type AND label = :label");
467 action.bind(":type").integer(type);
468 }
469 action.bind(":label") = label.c_str();
470 } else if (CFGetTypeID(target) == CFNumberGetTypeID()) {
471 action.query(stanza + " WHERE id = :id");
472 action.bind(":id").integer(cfNumber<uint64_t>(target.as<CFNumberRef>()));
473 } else if (CFGetTypeID(target) == SecRequirementGetTypeID()) {
474 if (type == kAuthorityInvalid)
475 type = kAuthorityExecute;
476 CFRef<CFStringRef> requirementText;
477 MacOSError::check(SecRequirementCopyString(target.as<SecRequirementRef>(), kSecCSDefaultFlags, &requirementText.aref()));
478 action.query(stanza + " WHERE type = :type AND requirement = :requirement");
479 action.bind(":type").integer(type);
480 action.bind(":requirement") = requirementText.get();
481 } else
482 MacOSError::throwMe(errSecCSInvalidObjectRef);
483
484 action.execute();
485 unsigned int changes = this->changes(); // latch change count
486 // We MUST purge objects with priority <= MAX(priority of any changed rules);
487 // but for now we just get lazy and purge them ALL.
488 if (changes) {
489 this->purgeObjects(1.0E100);
490 xact.commit();
491 notify_post(kNotifySecAssessmentUpdate);
492 return true;
493 }
494 // no change; return an error
495 MacOSError::throwMe(errSecCSNoMatches);
496 }
497
498
499 bool PolicyEngine::remove(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
500 {
501 if (type == kAuthorityOpenDoc) {
502 // handle document-open differently: use quarantine flags for whitelisting
503 authorizeUpdate(flags, context);
504 if (!target || CFGetTypeID(target) != CFURLGetTypeID())
505 MacOSError::throwMe(errSecCSInvalidObjectRef);
506 std::string spath = cfString(CFURLRef(target)).c_str();
507 FileQuarantine qtn(spath.c_str());
508 qtn.clearFlag(QTN_FLAG_ASSESSMENT_OK);
509 qtn.applyTo(spath.c_str());
510 return true;
511 }
512 return manipulateRules("DELETE FROM authority", target, type, flags, context);
513 }
514
515 bool PolicyEngine::enable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
516 {
517 return manipulateRules("UPDATE authority SET disabled = 0", target, type, flags, context);
518 }
519
520 bool PolicyEngine::disable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
521 {
522 return manipulateRules("UPDATE authority SET disabled = 1", target, type, flags, context);
523 }
524
525
526 bool PolicyEngine::update(CFTypeRef target, SecAssessmentFlags flags, CFDictionaryRef context)
527 {
528 AuthorityType type = typeFor(context, kAuthorityInvalid);
529 CFStringRef edit = CFStringRef(CFDictionaryGetValue(context, kSecAssessmentContextKeyUpdate));
530 if (CFEqual(edit, kSecAssessmentUpdateOperationAdd))
531 return this->add(target, type, flags, context);
532 else if (CFEqual(edit, kSecAssessmentUpdateOperationRemove))
533 return this->remove(target, type, flags, context);
534 else if (CFEqual(edit, kSecAssessmentUpdateOperationEnable))
535 return this->enable(target, type, flags, context);
536 else if (CFEqual(edit, kSecAssessmentUpdateOperationDisable))
537 return this->disable(target, type, flags, context);
538 else
539 MacOSError::throwMe(errSecCSInvalidAttributeValues);
540 }
541
542
543 //
544 // Fill in extra information about the originator of cryptographic credentials found - if any
545 //
546 void PolicyEngine::setOrigin(CFArrayRef chain, CFMutableDictionaryRef result)
547 {
548 if (chain)
549 if (CFArrayGetCount(chain) > 0)
550 if (SecCertificateRef leaf = SecCertificateRef(CFArrayGetValueAtIndex(chain, 0)))
551 if (CFStringRef summary = SecCertificateCopyLongDescription(NULL, leaf, NULL))
552 CFDictionarySetValue(result, kSecAssessmentAssessmentOriginator, summary);
553 }
554
555
556 //
557 // Take an assessment outcome and record it in the object cache
558 //
559 void PolicyEngine::recordOutcome(SecStaticCodeRef code, bool allow, AuthorityType type, double expires, int authority)
560 {
561 CFRef<CFDictionaryRef> info;
562 MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
563 CFDataRef cdHash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
564 assert(cdHash); // was signed
565 CFRef<CFURLRef> path;
566 MacOSError::check(SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()));
567 assert(expires);
568 SQLite::Transaction xact(*this, SQLite3::Transaction::deferred, "caching");
569 SQLite::Statement insert(*this,
570 "INSERT OR REPLACE INTO object (type, allow, hash, expires, path, authority)"
571 " VALUES (:type, :allow, :hash, :expires, :path,"
572 " CASE :authority WHEN 0 THEN (SELECT id FROM authority WHERE label = 'No Matching Rule') ELSE :authority END"
573 " );");
574 insert.bind(":type").integer(type);
575 insert.bind(":allow").integer(allow);
576 insert.bind(":hash") = cdHash;
577 insert.bind(":expires") = expires;
578 insert.bind(":path") = cfString(path).c_str();
579 insert.bind(":authority").integer(authority);
580 insert.execute();
581 xact.commit();
582 }
583
584
585 //
586 // Perform update authorization processing.
587 // Throws an exception if authorization is denied.
588 //
589 static void authorizeUpdate(SecCSFlags flags, CFDictionaryRef context)
590 {
591 AuthorizationRef authorization = NULL;
592
593 if (context)
594 if (CFTypeRef authkey = CFDictionaryGetValue(context, kSecAssessmentUpdateKeyAuthorization))
595 if (CFGetTypeID(authkey) == CFDataGetTypeID()) {
596 CFDataRef authdata = CFDataRef(authkey);
597 MacOSError::check(AuthorizationCreateFromExternalForm((AuthorizationExternalForm *)CFDataGetBytePtr(authdata), &authorization));
598 }
599 if (authorization == NULL)
600 MacOSError::check(AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &authorization));
601
602 AuthorizationItem right[] = {
603 { "com.apple.security.assessment.update", 0, NULL, 0 }
604 };
605 AuthorizationRights rights = { sizeof(right) / sizeof(right[0]), right };
606 MacOSError::check(AuthorizationCopyRights(authorization, &rights, NULL,
607 kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed, NULL));
608
609 MacOSError::check(AuthorizationFree(authorization, kAuthorizationFlagDefaults));
610 }
611
612
613 //
614 // Perform common argument normalizations for update operations
615 //
616 static void normalizeTarget(CFRef<CFTypeRef> &target, CFDictionary &context, bool signUnsigned)
617 {
618 // turn CFURLs into (designated) SecRequirements
619 if (target && CFGetTypeID(target) == CFURLGetTypeID()) {
620 CFRef<SecStaticCodeRef> code;
621 MacOSError::check(SecStaticCodeCreateWithPath(target.as<CFURLRef>(), kSecCSDefaultFlags, &code.aref()));
622 CFRef<SecRequirementRef> requirement;
623 switch (OSStatus rc = SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref())) {
624 case noErr:
625 break;
626 case errSecCSUnsigned:
627 if (signUnsigned) {
628 // Ad-hoc sign the code in the system database. This requires root privileges.
629 CFRef<SecCodeSignerRef> signer;
630 CFTemp<CFDictionaryRef> arguments("{%O=#N, %O=#N}", kSecCodeSignerDetached, kSecCodeSignerIdentity);
631 MacOSError::check(SecCodeSignerCreate(arguments, kSecCSDefaultFlags, &signer.aref()));
632 MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags));
633 MacOSError::check(SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref()));
634 break;
635 }
636 // fall through
637 default:
638 MacOSError::check(rc);
639 }
640 if (context.get(kSecAssessmentUpdateKeyRemarks) == NULL) {
641 // no explicit remarks; add one with the path
642 CFRef<CFURLRef> path;
643 MacOSError::check(SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()));
644 CFMutableDictionaryRef dict = makeCFMutableDictionary(context.get());
645 CFDictionaryAddValue(dict, kSecAssessmentUpdateKeyRemarks, CFTempString(cfString(path)));
646 context.take(dict);
647 }
648 }
649 }
650
651
652 } // end namespace CodeSigning
653 } // end namespace Security
mirror of libsecurity_codesigning