lib/csutilities.h

   1 /*
   2  * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // csutilities - miscellaneous utilities for the code signing implementation
  26 //
  27 // This is a collection of odds and ends that wouldn't fit anywhere else.
  28 // The common theme is that the contents are otherwise naturally homeless.
  29 //
  30 #ifndef _H_CSUTILITIES
  31 #define _H_CSUTILITIES
  32
  33 #include <Security/Security.h>
  34 #include <security_utilities/hashing.h>
  35 #include <security_utilities/unix++.h>
  36 #include <security_cdsa_utilities/cssmdata.h>
  37 #include <copyfile.h>
  38
  39 namespace Security {
  40 namespace CodeSigning {
  41
  42
  43 //
  44 // Calculate canonical hashes of certificate.
  45 // This is simply defined as (always) the SHA1 hash of the DER.
  46 //
  47 void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest);
  48 void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest);
  49
  50
  51 //
  52 // Calculate hashes of (a section of) a file.
  53 // Starts at the current file position.
  54 // Extends to end of file, or (if limit > 0) at most limit bytes.
  55 // Returns number of bytes digested.
  56 //
  57 template <class _Hash>
  58 size_t hashFileData(const char *path, _Hash *hasher)
  59 {
  60         UnixPlusPlus::AutoFileDesc fd(path);
  61         return hashFileData(fd, hasher);
  62 }
  63
  64 template <class _Hash>
  65 size_t hashFileData(UnixPlusPlus::FileDesc fd, _Hash *hasher, size_t limit = 0)
  66 {
  67         unsigned char buffer[4096];
  68         size_t total = 0;
  69         for (;;) {
  70                 size_t size = sizeof(buffer);
  71                 if (limit && limit < size)
  72                         size = limit;
  73                 size_t got = fd.read(buffer, size);
  74                 total += got;
  75                 if (fd.atEnd())
  76                         break;
  77                 hasher->update(buffer, got);
  78                 if (limit && (limit -= got) == 0)
  79                         break;
  80         }
  81         return total;
  82 }
  83
  84
  85 //
  86 // Check to see if a certificate contains a particular field, by OID. This works for extensions,
  87 // even ones not recognized by the local CL. It does not return any value, only presence.
  88 //
  89 bool certificateHasField(SecCertificateRef cert, const CssmOid &oid);
  90 bool certificateHasPolicy(SecCertificateRef cert, const CssmOid &policyOid);
  91
  92
  93 //
  94 // Encapsulation of the copyfile(3) API.
  95 // This is slated to go into utilities once stable.
  96 //
  97 class Copyfile {
  98 public:
  99         Copyfile();
 100         ~Copyfile()     { copyfile_state_free(mState); }
 101
 102         operator copyfile_state_t () const { return mState; }
 103
 104         void set(uint32_t flag, const void *value);
 105         void get(uint32_t flag, void *value);
 106
 107         void operator () (const char *src, const char *dst, copyfile_flags_t flags);
 108
 109 private:
 110         void check(int rc);
 111
 112 private:
 113         copyfile_state_t mState;
 114 };
 115
 116
 117 //
 118 // A reliable uid set/reset bracket
 119 //
 120 class UidGuard {
 121 public:
 122         UidGuard() : mPrevious(-1) { }
 123         UidGuard(uid_t uid) : mPrevious(-1) { seteuid(uid); }
 124         ~UidGuard()
 125         {
 126                 if (active())
 127                         UnixError::check(::seteuid(mPrevious));
 128         }
 129
 130         bool seteuid(uid_t uid)
 131         {
 132                 if (uid == geteuid())
 133                         return true;    // no change, don't bother the kernel
 134                 if (!active())
 135                         mPrevious = ::geteuid();
 136                 return ::seteuid(uid) == 0;
 137         }
 138
 139         bool active() const { return mPrevious != uid_t(-1); }
 140         operator bool () const { return active(); }
 141         uid_t saved() const { assert(active()); return mPrevious; }
 142
 143 private:
 144         uid_t mPrevious;
 145 };
 146
 147
 148 } // end namespace CodeSigning
 149 } // end namespace Security
 150
 151 #endif // !_H_CSUTILITIES