/*
- * Copyright (c) 2006-2007 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
[Assigned range 0xFFFE_FAxx].
*/
enum {
- errSecCSUnimplemented = -67072, /* unimplemented code signing feature */
- errSecCSInvalidObjectRef, /* invalid API object reference */
- errSecCSInvalidFlags, /* invalid or inapprpopriate API flag(s) specified */
- errSecCSObjectRequired, /* a required pointer argument was NULL */
- errSecCSStaticCodeNotFound, /* cannot find code object on disk */
- errSecCSUnsupportedGuestAttributes, /* cannot locate guests using this attribute set */
- errSecCSInvalidAttributeValues, /* given attribute values are invalid */
- errSecCSNoSuchCode, /* host has no guest with the requested attributes */
- errSecCSMultipleGuests, /* host has multiple guests with this attribute value */
- errSecCSGuestInvalid, /* code identity has been invalidated */
- errSecCSUnsigned, /* code object is not signed */
- errSecCSSignatureFailed, /* code or signature modified */
- errSecCSSignatureNotVerifiable, /* signature cannot be read, e.g., due to a filesystem that maps root to an unprivileged user */
- errSecCSSignatureUnsupported, /* unsupported type or version of signature */
- errSecCSBadDictionaryFormat, /* a required plist file or resource is malformed */
- errSecCSResourcesNotSealed, /* resources are not sealed by signature */
- errSecCSResourcesNotFound, /* cannot find sealed resources in code */
- errSecCSResourcesInvalid, /* the sealed resource directory is invalid */
- errSecCSBadResource, /* a sealed resource is missing or invalid */
- errSecCSResourceRulesInvalid, /* invalid resource selection rule(s) */
- errSecCSReqInvalid, /* invalid or corrupted code requirement(s) */
- errSecCSReqUnsupported, /* unsupported type or version of code requirement(s) */
- errSecCSReqFailed, /* failed to satisfy code requirement(s) */
- errSecCSBadObjectFormat, /* object file format invalid or unsuitable */
- errSecCSInternalError, /* internal error in Code Signing subsystem */
- errSecCSHostReject, /* code rejected its host */
- errSecCSNotAHost, /* this code is not a host */
- errSecCSSignatureInvalid, /* invalid format for signature */
- errSecCSHostProtocolRelativePath, /* host protocol violation - absolute guest path required */
- errSecCSHostProtocolContradiction, /* host protocol violation - contradictory hosting modes */
- errSecCSHostProtocolDedicationError, /* host protocol violation - operation not allowed with/for a dedicated guest */
- errSecCSHostProtocolNotProxy, /* host protocol violation - proxy hosting not engaged */
- errSecCSHostProtocolStateError, /* host protocol violation - invalid guest state change request */
- errSecCSHostProtocolUnrelated, /* host protocol violation - the given guest is not a guest of the given host */
- errSecCSInvalidOperation, /* requested operation is not valid */
- errSecCSNotSupported, /* operation not supported for this type of code */
+ errSecCSUnimplemented = -67072, /* unimplemented code signing feature */
+ errSecCSInvalidObjectRef = -67071, /* invalid API object reference */
+ errSecCSInvalidFlags = -67070, /* invalid or inappropriate API flag(s) specified */
+ errSecCSObjectRequired = -67069, /* a required pointer argument was NULL */
+ errSecCSStaticCodeNotFound = -67068, /* cannot find code object on disk */
+ errSecCSUnsupportedGuestAttributes = -67067, /* cannot locate guests using this attribute set */
+ errSecCSInvalidAttributeValues = -67066, /* given attribute values are invalid */
+ errSecCSNoSuchCode = -67065, /* host has no guest with the requested attributes */
+ errSecCSMultipleGuests = -67064, /* ambiguous guest specification (host has multiple guests with these attribute values) */
+ errSecCSGuestInvalid = -67063, /* code identity has been invalidated */
+ errSecCSUnsigned = -67062, /* code object is not signed at all */
+ errSecCSSignatureFailed = -67061, /* invalid signature (code or signature have been modified) */
+ errSecCSSignatureNotVerifiable = -67060, /* the code cannot be read by the verifier (file system permissions etc.) */
+ errSecCSSignatureUnsupported = -67059, /* unsupported type or version of signature */
+ errSecCSBadDictionaryFormat = -67058, /* a required plist file or resource is malformed */
+ errSecCSResourcesNotSealed = -67057, /* resources are present but not sealed by signature */
+ errSecCSResourcesNotFound = -67056, /* code has no resources but signature indicates they must be present */
+ errSecCSResourcesInvalid = -67055, /* the sealed resource directory is invalid */
+ errSecCSBadResource = -67054, /* a sealed resource is missing or invalid */
+ errSecCSResourceRulesInvalid = -67053, /* invalid resource specification rule(s) */
+ errSecCSReqInvalid = -67052, /* invalid or corrupted code requirement(s) */
+ errSecCSReqUnsupported = -67051, /* unsupported type or version of code requirement(s) */
+ errSecCSReqFailed = -67050, /* code failed to satisfy specified code requirement(s) */
+ errSecCSBadObjectFormat = -67049, /* object file format unrecognized, invalid, or unsuitable */
+ errSecCSInternalError = -67048, /* internal error in Code Signing subsystem */
+ errSecCSHostReject = -67047, /* code rejected its host */
+ errSecCSNotAHost = -67046, /* attempt to specify guest of code that is not a host */
+ errSecCSSignatureInvalid = -67045, /* invalid or unsupported format for signature */
+ errSecCSHostProtocolRelativePath = -67044, /* host protocol violation - absolute guest path required */
+ errSecCSHostProtocolContradiction = -67043, /* host protocol violation - contradictory hosting modes */
+ errSecCSHostProtocolDedicationError = -67042, /* host protocol violation - operation not allowed with/for a dedicated guest */
+ errSecCSHostProtocolNotProxy = -67041, /* host protocol violation - proxy hosting not engaged */
+ errSecCSHostProtocolStateError = -67040, /* host protocol violation - invalid guest state change request */
+ errSecCSHostProtocolUnrelated = -67039, /* host protocol violation - the given guest is not a guest of the given host */
+ /* -67038 obsolete (no longer issued) */
+ errSecCSNotSupported = -67037, /* operation inapplicable or not supported for this type of code */
+ errSecCSCMSTooLarge = -67036, /* signature too large to embed (size limitation of on-disk representation) */
+ errSecCSHostProtocolInvalidHash = -67035, /* host protocol violation - invalid guest hash */
+ errSecCSStaticCodeChanged = -67034, /* the code on disk does not match what is running */
+ errSecCSDBDenied = -67033, /* permission to use a database denied */
+ errSecCSDBAccess = -67032, /* cannot access a database */
+ errSecCSSigDBDenied = errSecCSDBDenied,
+ errSecCSSigDBAccess = errSecCSDBAccess,
+ errSecCSHostProtocolInvalidAttribute = -67031, /* host returned invalid or inconsistent guest attributes */
+ errSecCSInfoPlistFailed = -67030, /* invalid Info.plist (plist or signature have been modified) */
+ errSecCSNoMainExecutable = -67029, /* the code has no main executable file */
+ errSecCSBadBundleFormat = -67028, /* bundle format unrecognized, invalid, or unsuitable */
+ errSecCSNoMatches = -67027, /* no matches for search or update operation */
+ errSecCSFileHardQuarantined = -67026, /* File created by an AppSandbox, exec/open not allowed */
+ errSecCSOutdated = -67025, /* presented data is out of date */
+ errSecCSDbCorrupt = -67024, /* a system database of file is corrupt */
};
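Review bot: `errSecCSInvalidOperation` (the old enumerator that occupied -67038) is dropped from the public enum rather than kept as a deprecated alias, so any source still naming it stops compiling even though the slot is reserved by the `/* -67038 obsolete (no longer issued) */` line; keeping `errSecCSInvalidOperation = -67038, /* obsolete, no longer issued */` would preserve source compatibility the same way `errSecCSSigDBDenied`/`errSecCSSigDBAccess` are retained as aliases, assuming nothing else in the project has been renamed to it. Those two alias lines are also the only constants in the enum without a trailing comment; `/* legacy names for errSecCSDBDenied / errSecCSDBAccess */` would say why they exist. The comment on `errSecCSDbCorrupt` reads "a system database of file is corrupt" and is presumably meant to read "database or file". Pinning every value explicitly is the right call for an ABI-visible error range; the gap comment makes the reservation clear.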
/*
* Code Signing specific CFError "user info" keys.
* In calls that can return CFErrorRef indications, if a CFErrorRef is actually
- * returned, its "user info" dictionary will contain some (but not all) of the
- * following keys to more closely describe the circumstances of the failure.
+ * returned, its "user info" dictionary may contain some of the following keys
+ * to more closely describe the circumstances of the failure.
+ * Do not rely on the presence of any particular key to categorize a problem;
+ * always use the primary OSStatus return for that. The data contained under
+ * these keys is always supplemental and optional.
*/
+extern const CFStringRef kSecCFErrorArchitecture; /* CFStringRef: name of architecture causing the problem */
extern const CFStringRef kSecCFErrorPattern; /* CFStringRef: invalid resource selection pattern encountered */
extern const CFStringRef kSecCFErrorResourceSeal; /* CFTypeRef: invalid component in resource seal (CodeResources) */
extern const CFStringRef kSecCFErrorResourceAdded; /* CFURLRef: unsealed resource found */
extern const CFStringRef kSecCFErrorResourceAltered; /* CFURLRef: modified resource found */
extern const CFStringRef kSecCFErrorResourceMissing; /* CFURLRef: sealed (non-optional) resource missing */
-extern const CFStringRef kSecCFErrorInfoPlist; /* CFTypeRef: Info.plist dictionary or component found invalid */
+extern const CFStringRef kSecCFErrorInfoPlist; /* CFTypeRef: Info.plist dictionary or component thereof found invalid */
extern const CFStringRef kSecCFErrorGuestAttributes; /* CFTypeRef: Guest attribute set of element not accepted */
extern const CFStringRef kSecCFErrorRequirementSyntax; /* CFStringRef: compilation error for Requirement source */
+extern const CFStringRef kSecCFErrorPath; /* CFURLRef: subcomponent containing the error */
/*!
An abstract handle to identify a particular Guest in the context of its Host.
Guest handles are assigned by the host at will, with kSecNoGuest (zero) being
- reserved as the null value). They can be reused for new children if desired.
+ reserved as the null value. They can be reused for new children if desired.
*/
typedef u_int32_t SecGuestRef;
/*!
- @typddef SecCSFlags
+ @typedef SecCSFlags
This is the type of flags arguments to Code Signing API calls.
It provides a bit mask of request and option flags. All of the bits in these
masks are reserved to Apple; if you set any bits not defined in these headers,
kSecCSDefaultFlags = 0, /* no particular flags (default behavior) */
kSecCSConsiderExpiration = 1 << 31, /* consider expired certificates invalid */
+ kSecCSEnforceRevocationChecks = 1 << 30, /* force revocation checks regardless of preference settings */
};
@constant kSecCodeSignatureHost
Indicates that the code may act as a host that controls and supervises guest
code. If this flag is not set in a code signature, the code is never considered
- eligible to be a host, and any attempt to act like one will be ignored.
+ eligible to be a host, and any attempt to act like one will be ignored or rejected.
@constant kSecCodeSignatureAdhoc
The code has been sealed without a signing identity. No identity may be retrieved
from it, and any code requirement placing restrictions on the signing identity
Implicitly set the "kill" status bit for the code when it starts running.
This bit indicates that the code wishes to be terminated with prejudice if
it is ever invalidated. Since the kill bit is sticky, setting this option bit
- guarantees that the code will always be valid, since it will die immediately
- if it becomes invalid.
+ guarantees that the code will always be dynamically valid, since it will die
+ immediately if it becomes invalid.
@constant kSecCodeSignatureForceExpiration
- Forces the kSecCSConsiderExpiration on all validations of the code.
+ Forces the kSecCSConsiderExpiration flag on all validations of the code.
*/
typedef uint32_t SecCodeSignatureFlags;
kSecCodeSignatureAdhoc = 0x0002, /* must be used without signer */
kSecCodeSignatureForceHard = 0x0100, /* always set HARD mode on launch */
kSecCodeSignatureForceKill = 0x0200, /* always set KILL mode on launch */
- kSecCodeSignatureForceExpiration = 0x0400, /* force certificat expiration checks */
+ kSecCodeSignatureForceExpiration = 0x0400, /* force certificate expiration checks */
+};
+
+
+/*!
+ @typedef SecCodeStatus
+ The code signing system attaches a set of status flags to each running code.
+ These flags are maintained by the code's host, and can be read by anyone.
+ A code may change its own flags, a host may change its guests' flags,
+ and root may change anyone's flags. However, these flags are sticky in that
+ each can change in only one direction (and never back, for the lifetime of the code).
+ Not even root can violate this restriction.
+
+ There are other flags in SecCodeStatus that are not publicly documented.
+ Do not rely on them, and do not ever attempt to explicitly set them.
+
+ @constant kSecCodeStatusValid
+ Indicates that the code is dynamically valid, i.e. it started correctly
+ and has not been invalidated since then. The valid bit can only be cleared.
+
+ Warning: This bit is not your one-stop shortcut to determining the validity of code.
+ It represents the dynamic component of the full validity function; if this
+ bit is unset, the code is definitely invalid, but the converse is not always true.
+ In fact, code hosts may represent the outcome of some delayed static validation work in this bit,
+ and thus it strictly represents a blend of (all of) dynamic and (some of) static validity,
+ depending on the implementation of the particular host managing the code. You can (only)
+ rely that (1) dynamic invalidation will clear this bit; and (2) the combination
+ of static validation and dynamic validity (as performed by the SecCodeCheckValidity* APIs)
+ will give a correct answer.
+
+ @constant kSecCodeStatusHard
+ Indicates that the code prefers to be denied access to resources if gaining access
+ would invalidate it. This bit can only be set.
+ It is undefined whether code that is marked hard and is already invalid will still
+ be denied access to a resource that would invalidate it if it were still valid. That is,
+ the code may or may not get access to such a resource while being invalid, and that choice
+ may appear random.
+
+ @constant kSecCodeStatusKill
+ Indicates that the code wants to be killed (terminated) if it ever loses its validity.
+ This bit can only be set. Code that has the kill flag set will never be dynamically invalid
+ (and live). Note however that a change in static validity does not necessarily trigger instant
+ death.
+*/
+typedef uint32_t SecCodeStatus;
+enum {
+ kSecCodeStatusValid = 0x0001,
+ kSecCodeStatusHard = 0x0100,
+ kSecCodeStatusKill = 0x0200,
};
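Review bot: The three new `SecCodeStatus` enumerators carry no trailing comment, unlike every other enum in this header, so the one-way (sticky) semantics described in the `@typedef` block above sit far from the values a reader actually looks up. Matching the file's style with `kSecCodeStatusValid = 0x0001, /* dynamically valid; can only be cleared */`, `kSecCodeStatusHard = 0x0100, /* refuse access rather than be invalidated; can only be set */` and `kSecCodeStatusKill = 0x0200, /* terminate on invalidation; can only be set */` would keep that next to the bits. The typedef uses `uint32_t` while the earlier `SecGuestRef` typedef (unchanged in this diff) uses the BSD spelling `u_int32_t`; the new spelling is the standard one, and the inconsistency is presumably pre-existing rather than introduced here.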
/*!
@typedef SecRequirementType
An enumeration indicating different types of internal requirements for code.
-*/
+ */
typedef uint32_t SecRequirementType;
enum {
- kSecHostRequirementType = 1, /* what hosts may run us */
- kSecGuestRequirementType = 2, /* what guests we may run */
- kSecDesignatedRequirementType = 3, /* designated requirement */
- kSecLibraryRequirementType = 4, /* what libraries we may link against */
+ kSecHostRequirementType = 1, /* what hosts may run us */
+ kSecGuestRequirementType = 2, /* what guests we may run */
+ kSecDesignatedRequirementType = 3, /* designated requirement */
+ kSecLibraryRequirementType = 4, /* what libraries we may link against */
+ kSecPluginRequirementType = 5, /* what plug-ins we may load */
kSecInvalidRequirementType, /* invalid type of Requirement (must be last) */
kSecRequirementTypeCount = kSecInvalidRequirementType /* number of valid requirement types */
};
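Review bot: Inserting `kSecPluginRequirementType = 5` ahead of the sentinel silently moves `kSecInvalidRequirementType` and `kSecRequirementTypeCount` from 5 to 6, so code built against the previous header treats type 5 as invalid while code built against this one treats it as a plug-in requirement; the existing "(must be last)" comment covers ordering but not that the sentinel's numeric value is observable. If these type codes are ever persisted or exchanged with binaries built against older headers, that deserves a sentence on the sentinel, e.g. `/* new types are appended above this line; its numeric value changes with each addition */`. Otherwise the realignment of the comment columns is cosmetic and fine.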