lib/SecCode.cpp

   1 /*
   2  * Copyright (c) 2006-2007 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // SecCode - API frame for SecCode objects.
  26 //
  27 // Note that some SecCode* functions take SecStaticCodeRef arguments in order to
  28 // accept either static or dynamic code references, operating on the respective
  29 // StaticCode. Those functions are in SecStaticCode.cpp, not here, despite their name.
  30 //
  31 #include "cs.h"
  32 #include "Code.h"
  33 #include "cskernel.h"
  34 #include <security_codesigning/cfmunge.h>
  35 #include <sys/codesign.h>
  36
  37 using namespace CodeSigning;
  38
  39
  40 //
  41 // CFError user info keys
  42 //
  43 const CFStringRef kSecCFErrorPattern =                  CFSTR("SecCSPattern");
  44 const CFStringRef kSecCFErrorResourceSeal =             CFSTR("SecCSResourceSeal");
  45 const CFStringRef kSecCFErrorResourceAdded =    CFSTR("SecCSResourceAdded");
  46 const CFStringRef kSecCFErrorResourceAltered =  CFSTR("SecCSResourceAltered");
  47 const CFStringRef kSecCFErrorResourceMissing =  CFSTR("SecCSResourceMissing");
  48 const CFStringRef kSecCFErrorInfoPlist =                CFSTR("SecCSInfoPlist");
  49 const CFStringRef kSecCFErrorGuestAttributes =  CFSTR("SecCSGuestAttributes");
  50 const CFStringRef kSecCFErrorRequirementSyntax = CFSTR("SecRequirementSyntax");
  51
  52 //
  53 // CF-standard type code functions
  54 //
  55 CFTypeID SecCodeGetTypeID(void)
  56 {
  57         BEGIN_CSAPI
  58         return gCFObjects().Code.typeID;
  59     END_CSAPI1(_kCFRuntimeNotATypeID)
  60 }
  61
  62
  63 //
  64 // Get the root of trust Code
  65 //
  66 SecCodeRef SecGetRootCode(SecCSFlags flags)
  67 {
  68         BEGIN_CSAPI
  69
  70         checkFlags(flags);
  71         return KernelCode::active()->handle();
  72
  73         END_CSAPI1(NULL)
  74 }
  75
  76
  77 //
  78 // Get a reference to the calling code.
  79 //
  80 OSStatus SecCodeCopySelf(SecCSFlags flags, SecCodeRef *selfRef)
  81 {
  82         BEGIN_CSAPI
  83
  84         checkFlags(flags);
  85         CFRef<CFMutableDictionaryRef> attributes = makeCFMutableDictionary(1,
  86                 kSecGuestAttributePid, CFTempNumber(getpid()).get());
  87         Required(selfRef) = SecCode::autoLocateGuest(attributes, flags)->handle(false);
  88
  89         END_CSAPI
  90 }
  91
  92
  93 //
  94 // Get the StaticCode for an Code
  95 //
  96 OSStatus SecCodeCopyStaticCode(SecCodeRef codeRef, SecCSFlags flags, SecStaticCodeRef *staticCodeRef)
  97 {
  98         BEGIN_CSAPI
  99
 100         checkFlags(flags);
 101         SecPointer<SecStaticCode> staticCode = SecCode::required(codeRef)->staticCode();
 102         Required(staticCodeRef) = staticCode ? staticCode->handle() : NULL;
 103
 104         END_CSAPI
 105 }
 106
 107
 108 //
 109 // Get the host for an Code
 110 //
 111 OSStatus SecCodeCopyHost(SecCodeRef guestRef, SecCSFlags flags, SecCodeRef *hostRef)
 112 {
 113         BEGIN_CSAPI
 114
 115         checkFlags(flags);
 116         SecPointer<SecCode> host = SecCode::required(guestRef)->host();
 117         Required(hostRef) = host ? host->handle() : NULL;
 118
 119         END_CSAPI
 120 }
 121
 122
 123 //
 124 // Find a guest by attribute(s)
 125 //
 126 const CFStringRef kSecGuestAttributePid =                       CFSTR("pid");
 127 const CFStringRef kSecGuestAttributeCanonical =         CFSTR("canonical");
 128 const CFStringRef kSecGuestAttributeMachPort =          CFSTR("mach-port");
 129
 130 OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef hostRef,
 131         CFDictionaryRef attributes,     SecCSFlags flags, SecCodeRef *guestRef)
 132 {
 133         BEGIN_CSAPI
 134
 135         checkFlags(flags);
 136         if (hostRef) {
 137                 if (SecCode *guest = SecCode::required(hostRef)->locateGuest(attributes))
 138                         Required(guestRef) = guest->handle(false);
 139                 else
 140                         return errSecCSNoSuchCode;
 141         } else
 142                 Required(guestRef) = SecCode::autoLocateGuest(attributes, flags)->handle(false);
 143
 144         END_CSAPI
 145 }
 146
 147
 148 //
 149 // Shorthand for getting the SecCodeRef for a UNIX process
 150 //
 151 OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *processRef)
 152 {
 153         BEGIN_CSAPI
 154
 155         checkFlags(flags);
 156         if (SecCode *guest = KernelCode::active()->locateGuest(CFTemp<CFDictionaryRef>("{%O=%d}", kSecGuestAttributePid, pid)))
 157                 Required(processRef) = guest->handle(false);
 158         else
 159                 return errSecCSNoSuchCode;
 160
 161         END_CSAPI
 162 }
 163
 164
 165 //
 166 // Check validity of an Code
 167 //
 168 OSStatus SecCodeCheckValidity(SecCodeRef codeRef, SecCSFlags flags,
 169         SecRequirementRef requirementRef)
 170 {
 171         return SecCodeCheckValidityWithErrors(codeRef, flags, requirementRef, NULL);
 172 }
 173
 174 OSStatus SecCodeCheckValidityWithErrors(SecCodeRef codeRef, SecCSFlags flags,
 175         SecRequirementRef requirementRef, CFErrorRef *errors)
 176 {
 177         BEGIN_CSAPI
 178
 179         checkFlags(flags,
 180                 kSecCSConsiderExpiration);
 181         SecPointer<SecCode> code = SecCode::required(codeRef);
 182         code->checkValidity(flags);
 183         if (const SecRequirement *req = SecRequirement::optional(requirementRef))
 184                 code->staticCode()->validateRequirements(req->requirement(), errSecCSReqFailed);
 185
 186         END_CSAPI_ERRORS
 187 }
 188
 189
 190 //
 191 // Collect suitably laundered information about the code signature of a SecStaticCode
 192 // and return it as a CFDictionary.
 193 //
 194 // This API contracts to return a few pieces of information even for unsigned
 195 // code. This means that a SecStaticCodeRef is usable as a basic indentifier
 196 // (i.e. handle) for any code out there.
 197 //
 198 const CFStringRef kSecCodeInfoCertificates =    CFSTR("certificates");
 199 const CFStringRef kSecCodeInfoChangedFiles =    CFSTR("changed-files");
 200 const CFStringRef kSecCodeInfoCMS =                             CFSTR("cms");
 201 const CFStringRef kSecCodeInfoDesignatedRequirement = CFSTR("designated-requirement");
 202 const CFStringRef kSecCodeInfoEntitlements =    CFSTR("entitlements");
 203 const CFStringRef kSecCodeInfoTime =                    CFSTR("signing-time");
 204 const CFStringRef kSecCodeInfoFormat =                  CFSTR("format");
 205 const CFStringRef kSecCodeInfoIdentifier =              CFSTR("identifier");
 206 const CFStringRef kSecCodeInfoImplicitDesignatedRequirement = CFSTR("implicit-requirement");
 207 const CFStringRef kSecCodeInfoMainExecutable =  CFSTR("main-executable");
 208 const CFStringRef kSecCodeInfoPList =                   CFSTR("info-plist");
 209 const CFStringRef kSecCodeInfoRequirements =    CFSTR("requirements");
 210 const CFStringRef kSecCodeInfoRequirementData = CFSTR("requirement-data");
 211 const CFStringRef kSecCodeInfoStatus =                  CFSTR("status");
 212 const CFStringRef kSecCodeInfoTrust =                   CFSTR("trust");
 213
 214 OSStatus SecCodeCopySigningInformation(SecStaticCodeRef codeRef, SecCSFlags flags,
 215         CFDictionaryRef *infoRef)
 216 {
 217         BEGIN_CSAPI
 218
 219         checkFlags(flags,
 220                   kSecCSInternalInformation
 221                 | kSecCSSigningInformation
 222                 | kSecCSRequirementInformation
 223                 | kSecCSDynamicInformation
 224                 | kSecCSContentInformation);
 225
 226         SecPointer<SecStaticCode> code = SecStaticCode::requiredStatic(codeRef);
 227         CFRef<CFDictionaryRef> info = code->signingInformation(flags);
 228
 229         if (flags & kSecCSDynamicInformation)
 230                 if (SecPointer<SecCode> dcode = SecStaticCode::optionalDynamic(codeRef)) {
 231                         uint32_t status;
 232                         if (SecPointer<SecCode> host = dcode->host())
 233                                 status = host->getGuestStatus(dcode);
 234                         else
 235                                 status = CS_VALID;              // root of trust, presumed valid
 236                         info = cfmake<CFDictionaryRef>("{+%O,%O=%u}", info.get(),
 237                                 kSecCodeInfoStatus, status);
 238                 }
 239
 240         Required(infoRef) = info.yield();
 241
 242         END_CSAPI
 243 }
 244