lib/csutilities.h

   1 /*
   2  * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // csutilities - miscellaneous utilities for the code signing implementation
  26 //
  27 // This is a collection of odds and ends that wouldn't fit anywhere else.
  28 // The common theme is that the contents are otherwise naturally homeless.
  29 //
  30 #ifndef _H_CSUTILITIES
  31 #define _H_CSUTILITIES
  32
  33 #include <Security/Security.h>
  34 #include <security_utilities/hashing.h>
  35 #include <security_utilities/unix++.h>
  36 #include <security_cdsa_utilities/cssmdata.h>
  37 #include <copyfile.h>
  38 #include <asl.h>
  39 #include <cstdarg>
  40
  41 namespace Security {
  42 namespace CodeSigning {
  43
  44
  45 //
  46 // Calculate canonical hashes of certificate.
  47 // This is simply defined as (always) the SHA1 hash of the DER.
  48 //
  49 void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest);
  50 void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest);
  51
  52
  53 //
  54 // Calculate hashes of (a section of) a file.
  55 // Starts at the current file position.
  56 // Extends to end of file, or (if limit > 0) at most limit bytes.
  57 // Returns number of bytes digested.
  58 //
  59 template <class _Hash>
  60 size_t hashFileData(const char *path, _Hash *hasher)
  61 {
  62         UnixPlusPlus::AutoFileDesc fd(path);
  63         return hashFileData(fd, hasher);
  64 }
  65
  66 template <class _Hash>
  67 size_t hashFileData(UnixPlusPlus::FileDesc fd, _Hash *hasher, size_t limit = 0)
  68 {
  69         unsigned char buffer[4096];
  70         size_t total = 0;
  71         for (;;) {
  72                 size_t size = sizeof(buffer);
  73                 if (limit && limit < size)
  74                         size = limit;
  75                 size_t got = fd.read(buffer, size);
  76                 total += got;
  77                 if (fd.atEnd())
  78                         break;
  79                 hasher->update(buffer, got);
  80                 if (limit && (limit -= got) == 0)
  81                         break;
  82         }
  83         return total;
  84 }
  85
  86
  87 //
  88 // Check to see if a certificate contains a particular field, by OID. This works for extensions,
  89 // even ones not recognized by the local CL. It does not return any value, only presence.
  90 //
  91 bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid);
  92 bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid);
  93
  94
  95 //
  96 // Encapsulation of the copyfile(3) API.
  97 // This is slated to go into utilities once stable.
  98 //
  99 class Copyfile {
 100 public:
 101         Copyfile();
 102         ~Copyfile()     { copyfile_state_free(mState); }
 103
 104         operator copyfile_state_t () const { return mState; }
 105
 106         void set(uint32_t flag, const void *value);
 107         void get(uint32_t flag, void *value);
 108
 109         void operator () (const char *src, const char *dst, copyfile_flags_t flags);
 110
 111 private:
 112         void check(int rc);
 113
 114 private:
 115         copyfile_state_t mState;
 116 };
 117
 118
 119 //
 120 // MessageTracer support
 121 //
 122 class MessageTrace {
 123 public:
 124         MessageTrace(const char *domain, const char *signature);
 125         void add(const char *key, const char *format, ...);
 126         void send(const char *format, ...);
 127
 128 private:
 129         aslmsg mAsl;
 130 };
 131
 132
 133 //
 134 // A reliable uid set/reset bracket
 135 //
 136 class UidGuard {
 137 public:
 138         UidGuard() : mPrevious(-1) { }
 139         UidGuard(uid_t uid) : mPrevious(-1) { seteuid(uid); }
 140         ~UidGuard()
 141         {
 142                 if (active())
 143                         UnixError::check(::seteuid(mPrevious));
 144         }
 145
 146         bool seteuid(uid_t uid)
 147         {
 148                 if (uid == geteuid())
 149                         return true;    // no change, don't bother the kernel
 150                 if (!active())
 151                         mPrevious = ::geteuid();
 152                 return ::seteuid(uid) == 0;
 153         }
 154
 155         bool active() const { return mPrevious != uid_t(-1); }
 156         operator bool () const { return active(); }
 157         uid_t saved() const { assert(active()); return mPrevious; }
 158
 159 private:
 160         uid_t mPrevious;
 161 };
 162
 163
 164 } // end namespace CodeSigning
 165 } // end namespace Security
 166
 167 #endif // !_H_CSUTILITIES