/*
- * Copyright (c) 2006-2007 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2006-2012 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include "StaticCode.h"
#include "Code.h"
#include "reqmaker.h"
+#include "drmaker.h"
#include "reqdumper.h"
#include "sigblob.h"
#include "resources.h"
#include "detachedrep.h"
#include "csdatabase.h"
#include "csutilities.h"
+#include "SecCode.h"
#include <CoreFoundation/CFURLAccess.h>
#include <Security/SecPolicyPriv.h>
#include <Security/SecTrustPriv.h>
#include <Security/SecCmsContentInfo.h>
#include <Security/SecCmsSignerInfo.h>
#include <Security/SecCmsSignedData.h>
+#include <Security/cssmapplePriv.h>
#include <security_utilities/unix++.h>
#include <security_utilities/cfmunge.h>
#include <Security/CMSDecoder.h>
//
SecStaticCode::SecStaticCode(DiskRep *rep)
: mRep(rep),
- mValidated(false), mExecutableValidated(false),
+ mValidated(false), mExecutableValidated(false), mResourcesValidated(false), mResourcesValidContext(NULL),
mDesignatedReq(NULL), mGotResourceBase(false), mEvalDetails(NULL)
{
CODESIGN_STATIC_CREATE(this, rep);
// Clean up a SecStaticCode object
//
SecStaticCode::~SecStaticCode() throw()
-{
+try {
::free(const_cast<Requirement *>(mDesignatedReq));
+ if (mResourcesValidContext)
+ delete mResourcesValidContext;
+} catch (...) {
+ return;
}
CODESIGN_EVAL_STATIC_RESET(this);
mValidated = false;
mExecutableValidated = false;
+ mResourcesValidated = false;
+ if (mResourcesValidContext) {
+ delete mResourcesValidContext;
+ mResourcesValidContext = NULL;
+ }
mDir = NULL;
mSignature = NULL;
for (unsigned n = 0; n < cdSlotCount; n++)
// Otherwise, retrieve the component without validation (but cache it). Validation
// will go through the cache and validate all cached components.
//
-CFDataRef SecStaticCode::component(CodeDirectory::SpecialSlot slot)
+CFDataRef SecStaticCode::component(CodeDirectory::SpecialSlot slot, OSStatus fail /* = errSecCSSignatureFailed */)
{
assert(slot <= cdSlotMax);
if (validated()) // if the directory has been validated...
if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), // ... and it's no good
CFDataGetLength(data), -slot))
- MacOSError::throwMe(errSecCSSignatureFailed); // ... then bail
+ MacOSError::throwMe(fail); // ... then bail
cache = data; // it's okay, cache it
} else { // absent, mark so
if (validated()) // if directory has been validated...
if (codeDirectory()->slotIsPresent(-slot)) // ... and the slot is NOT missing
- MacOSError::throwMe(errSecCSSignatureFailed); // was supposed to be there
+ MacOSError::throwMe(fail); // was supposed to be there
cache = CFDataRef(kCFNull); // white lie
}
}
// perform validation (or die trying)
CODESIGN_EVAL_STATIC_DIRECTORY(this);
mValidationExpired = verifySignature();
- component(cdInfoSlot); // force load of Info Dictionary (if any)
- CodeDirectory::SpecialSlot slot = codeDirectory()->nSpecialSlots;
- if (slot > cdSlotMax) // might have more special slots than we know about...
- slot = cdSlotMax; // ... but only process the ones we understand
- for ( ; slot >= 1; --slot)
+ component(cdInfoSlot, errSecCSInfoPlistFailed); // force load of Info Dictionary (if any)
+ for (CodeDirectory::SpecialSlot slot = codeDirectory()->maxSpecialSlot(); slot >= 1; --slot)
if (mCache[slot]) // if we already loaded that resource...
validateComponent(slot); // ... then check it now
mValidated = true; // we've done the deed...
}
+//
+// Load and validate the CodeDirectory and all components *except* those related to the resource envelope.
+// Those latter components are checked by validateResources().
+//
+void SecStaticCode::validateNonResourceComponents()
+{
+ this->validateDirectory();
+ for (CodeDirectory::SpecialSlot slot = codeDirectory()->maxSpecialSlot(); slot >= 1; --slot)
+ switch (slot) {
+ case cdResourceDirSlot: // validated by validateResources
+ break;
+ default:
+ this->component(slot); // loads and validates
+ break;
+ }
+}
+
+
//
// Get the (signed) signing date from the code signature.
// Sadly, we need to validate the signature to get the date (as a side benefit).
return mSigningTime;
}
+CFAbsoluteTime SecStaticCode::signingTimestamp()
+{
+ validateDirectory();
+ return mSigningTimestamp;
+}
+
//
// Verify the CMS signature on the CodeDirectory.
MacOSError::check(CMSDecoderSetDetachedContent(cms, mDir));
MacOSError::check(CMSDecoderFinalizeMessage(cms));
MacOSError::check(CMSDecoderSetSearchKeychain(cms, cfEmptyArray()));
+ CFRef<CFTypeRef> policy = verificationPolicy(apiFlags());
CMSSignerStatus status;
- MacOSError::check(CMSDecoderCopySignerStatus(cms, 0, verificationPolicy(),
+ MacOSError::check(CMSDecoderCopySignerStatus(cms, 0, policy,
false, &status, &mTrust.aref(), NULL));
if (status != kCMSSignerValid)
MacOSError::throwMe(errSecCSSignatureFailed);
- // get signing date (we've got the decoder handle right here)
- mSigningTime = 0; // "not present" marker (nobody could code sign on Jan 1, 2001 :-)
- SecCmsMessageRef cmsg;
- MacOSError::check(CMSDecoderGetCmsMessage(cms, &cmsg));
- SecCmsSignedDataRef signedData = NULL;
- int numContentInfos = SecCmsMessageContentLevelCount(cmsg);
- for(int dex = 0; !signedData && dex < numContentInfos; dex++) {
- SecCmsContentInfoRef ci = SecCmsMessageContentLevel(cmsg, dex);
- SECOidTag tag = SecCmsContentInfoGetContentTypeTag(ci);
- switch(tag) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- if (SecCmsSignedDataRef signedData = SecCmsSignedDataRef(SecCmsContentInfoGetContent(ci)))
- if (SecCmsSignerInfoRef signerInfo = SecCmsSignedDataGetSignerInfo(signedData, 0))
- SecCmsSignerInfoGetSigningTime(signerInfo, &mSigningTime);
- break;
- default:
- break;
- }
- }
+ // internal signing time (as specified by the signer; optional)
+ mSigningTime = 0; // "not present" marker (nobody could code sign on Jan 1, 2001 :-)
+ switch (OSStatus rc = CMSDecoderCopySignerSigningTime(cms, 0, &mSigningTime)) {
+ case noErr:
+ case errSecSigningTimeMissing:
+ break;
+ default:
+ MacOSError::throwMe(rc);
+ }
+ // certified signing time (as specified by a TSA; optional)
+ mSigningTimestamp = 0;
+ switch (OSStatus rc = CMSDecoderCopySignerTimestamp(cms, 0, &mSigningTimestamp)) {
+ case noErr:
+ case errSecTimestampMissing:
+ break;
+ default:
+ MacOSError::throwMe(rc);
+ }
+
// set up the environment for SecTrust
MacOSError::check(SecTrustSetAnchorCertificates(mTrust, cfEmptyArray())); // no anchors
+ MacOSError::check(SecTrustSetKeychains(mTrust, cfEmptyArray())); // no keychains
CSSM_APPLE_TP_ACTION_DATA actionData = {
CSSM_APPLE_TP_ACTION_VERSION, // version of data structure
CSSM_TP_ACTION_IMPLICIT_ANCHORS // action flags
CODESIGN_EVAL_STATIC_SIGNATURE_RESULT(this, trustResult, mCertChain ? CFArrayGetCount(mCertChain) : 0);
switch (trustResult) {
case kSecTrustResultProceed:
- case kSecTrustResultConfirm:
case kSecTrustResultUnspecified:
break; // success
case kSecTrustResultDeny:
case kSecTrustResultInvalid:
assert(false); // should never happen
MacOSError::throwMe(CSSMERR_TP_NOT_TRUSTED);
- case kSecTrustResultRecoverableTrustFailure:
- case kSecTrustResultFatalTrustFailure:
- case kSecTrustResultOtherError:
+ default:
{
OSStatus result;
MacOSError::check(SecTrustGetCssmResultCode(mTrust, &result));
- if (result == CSSMERR_TP_CERT_EXPIRED && !(actionData.ActionFlags & CSSM_TP_ACTION_ALLOW_EXPIRED)) {
- CODESIGN_EVAL_STATIC_SIGNATURE_EXPIRED(this);
- actionData.ActionFlags |= CSSM_TP_ACTION_ALLOW_EXPIRED;
- continue; // retry validation
- }
+ // if we have a valid timestamp, CMS validates against (that) signing time and all is well.
+ // If we don't have one, may validate against *now*, and must be able to tolerate expiration.
+ if (mSigningTimestamp == 0) // no timestamp available
+ if (((result == CSSMERR_TP_CERT_EXPIRED) || (result == CSSMERR_TP_CERT_NOT_VALID_YET))
+ && !(actionData.ActionFlags & CSSM_TP_ACTION_ALLOW_EXPIRED)) {
+ CODESIGN_EVAL_STATIC_SIGNATURE_EXPIRED(this);
+ actionData.ActionFlags |= CSSM_TP_ACTION_ALLOW_EXPIRED; // (this also allows postdated certs)
+ continue; // retry validation while tolerating expiration
+ }
MacOSError::throwMe(result);
}
}
//
// Return the TP policy used for signature verification.
-// This policy object is cached and reused.
+// This may be a simple SecPolicyRef or a CFArray of policies.
+// The caller owns the return value.
//
-SecPolicyRef SecStaticCode::verificationPolicy()
+static SecPolicyRef makeCRLPolicy()
{
- if (!mPolicy)
- MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3,
- &CSSMOID_APPLE_TP_CODE_SIGNING, &mPolicy.aref()));
- return mPolicy;
+ CFRef<SecPolicyRef> policy;
+ MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_CRL, &policy.aref()));
+ CSSM_APPLE_TP_CRL_OPTIONS options;
+ memset(&options, 0, sizeof(options));
+ options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
+ options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET | CSSM_TP_ACTION_CRL_SUFFICIENT;
+ CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
+ MacOSError::check(SecPolicySetValue(policy, &optData));
+ return policy.yield();
+}
+
+static SecPolicyRef makeOCSPPolicy()
+{
+ CFRef<SecPolicyRef> policy;
+ MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_OCSP, &policy.aref()));
+ CSSM_APPLE_TP_OCSP_OPTIONS options;
+ memset(&options, 0, sizeof(options));
+ options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
+ options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
+ CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
+ MacOSError::check(SecPolicySetValue(policy, &optData));
+ return policy.yield();
+}
+
+CFTypeRef SecStaticCode::verificationPolicy(SecCSFlags flags)
+{
+ CFRef<SecPolicyRef> core;
+ MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3,
+ &CSSMOID_APPLE_TP_CODE_SIGNING, &core.aref()));
+ if (flags & kSecCSEnforceRevocationChecks) {
+ CFRef<SecPolicyRef> crl = makeCRLPolicy();
+ CFRef<SecPolicyRef> ocsp = makeOCSPPolicy();
+ return makeCFArray(3, core.get(), crl.get(), ocsp.get());
+ } else {
+ return core.yield();
+ }
}
// The resource must already have been placed in the cache.
// This does NOT perform basic validation.
//
-void SecStaticCode::validateComponent(CodeDirectory::SpecialSlot slot)
+void SecStaticCode::validateComponent(CodeDirectory::SpecialSlot slot, OSStatus fail /* = errSecCSSignatureFailed */)
{
assert(slot <= cdSlotMax);
CFDataRef data = mCache[slot];
assert(data); // must be cached
if (data == CFDataRef(kCFNull)) {
if (codeDirectory()->slotIsPresent(-slot)) // was supposed to be there...
- MacOSError::throwMe(errSecCSSignatureFailed); // ... and is missing
+ MacOSError::throwMe(fail); // ... and is missing
} else {
if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), CFDataGetLength(data), -slot))
- MacOSError::throwMe(errSecCSSignatureFailed);
+ MacOSError::throwMe(fail);
}
}
//
void SecStaticCode::validateExecutable()
{
- DTRACK(CODESIGN_EVAL_STATIC_EXECUTABLE, this,
- (char*)this->mainExecutablePath().c_str(), codeDirectory()->nCodeSlots);
- const CodeDirectory *cd = this->codeDirectory();
- if (!cd)
- MacOSError::throwMe(errSecCSUnsigned);
- AutoFileDesc fd(mainExecutablePath(), O_RDONLY);
- fd.fcntl(F_NOCACHE, true); // turn off page caching (one-pass)
- if (Universal *fat = mRep->mainExecutableImage())
- fd.seek(fat->archOffset());
- size_t pageSize = cd->pageSize ? (1 << cd->pageSize) : 0;
- size_t remaining = cd->codeLimit;
- for (size_t slot = 0; slot < cd->nCodeSlots; ++slot) {
- size_t size = min(remaining, pageSize);
- if (!cd->validateSlot(fd, size, slot)) {
- CODESIGN_EVAL_STATIC_EXECUTABLE_FAIL(this, slot);
- mExecutableValidated = true; // we tried
- mExecutableValid = false; // it failed
- MacOSError::throwMe(errSecCSSignatureFailed);
+ if (!validatedExecutable()) {
+ try {
+ DTRACK(CODESIGN_EVAL_STATIC_EXECUTABLE, this,
+ (char*)this->mainExecutablePath().c_str(), codeDirectory()->nCodeSlots);
+ const CodeDirectory *cd = this->codeDirectory();
+ if (!cd)
+ MacOSError::throwMe(errSecCSUnsigned);
+ AutoFileDesc fd(mainExecutablePath(), O_RDONLY);
+ fd.fcntl(F_NOCACHE, true); // turn off page caching (one-pass)
+ if (Universal *fat = mRep->mainExecutableImage())
+ fd.seek(fat->archOffset());
+ size_t pageSize = cd->pageSize ? (1 << cd->pageSize) : 0;
+ size_t remaining = cd->codeLimit;
+ for (size_t slot = 0; slot < cd->nCodeSlots; ++slot) {
+ size_t size = min(remaining, pageSize);
+ if (!cd->validateSlot(fd, size, slot)) {
+ CODESIGN_EVAL_STATIC_EXECUTABLE_FAIL(this, slot);
+ MacOSError::throwMe(errSecCSSignatureFailed);
+ }
+ remaining -= size;
+ }
+ mExecutableValidated = true;
+ mExecutableValidResult = noErr;
+ } catch (const CommonError &err) {
+ mExecutableValidated = true;
+ mExecutableValidResult = err.osStatus();
+ throw;
+ } catch (...) {
+ secdebug("staticCode", "%p executable validation threw non-common exception", this);
+ mExecutableValidated = true;
+ mExecutableValidResult = errSecCSInternalError;
+ throw;
}
- remaining -= size;
}
- mExecutableValidated = true; // we tried
- mExecutableValid = true; // it worked
+ assert(validatedExecutable());
+ if (mExecutableValidResult != noErr)
+ MacOSError::throwMe(mExecutableValidResult);
}
//
void SecStaticCode::validateResources()
{
- // sanity first
- CFDictionaryRef sealedResources = resourceDictionary();
- if (this->resourceBase()) // disk has resources
- if (sealedResources)
- /* go to work below */;
- else
- MacOSError::throwMe(errSecCSResourcesNotFound);
- else // disk has no resources
- if (sealedResources)
- MacOSError::throwMe(errSecCSResourcesNotFound);
- else
- return; // no resources, not sealed - fine (no work)
-
- // found resources, and they are sealed
- CFDictionaryRef rules = cfget<CFDictionaryRef>(sealedResources, "rules");
- CFDictionaryRef files = cfget<CFDictionaryRef>(sealedResources, "files");
- DTRACK(CODESIGN_EVAL_STATIC_RESOURCES, this,
- (char*)this->mainExecutablePath().c_str(), int(CFDictionaryGetCount(files)));
-
- // make a shallow copy of the ResourceDirectory so we can "check off" what we find
- CFRef<CFMutableDictionaryRef> resourceMap = makeCFMutableDictionary(files);
-
- // scan through the resources on disk, checking each against the resourceDirectory
- CollectingContext ctx(*this); // collect all failures in here
- ResourceBuilder resources(cfString(this->resourceBase()), rules);
- mRep->adjustResources(resources);
- string path;
- ResourceBuilder::Rule *rule;
-
- while (resources.next(path, rule)) {
- validateResource(path, ctx);
- CFDictionaryRemoveValue(resourceMap, CFTempString(path));
- }
-
- if (CFDictionaryGetCount(resourceMap) > 0) {
- secdebug("staticCode", "%p sealed resource(s) not found in code", this);
- CFDictionaryApplyFunction(resourceMap, SecStaticCode::checkOptionalResource, &ctx);
+ if (!validatedResources()) {
+ try {
+ // sanity first
+ CFDictionaryRef sealedResources = resourceDictionary();
+ if (this->resourceBase()) // disk has resources
+ if (sealedResources)
+ /* go to work below */;
+ else
+ MacOSError::throwMe(errSecCSResourcesNotFound);
+ else // disk has no resources
+ if (sealedResources)
+ MacOSError::throwMe(errSecCSResourcesNotFound);
+ else
+ return; // no resources, not sealed - fine (no work)
+
+ // found resources, and they are sealed
+ CFDictionaryRef rules = cfget<CFDictionaryRef>(sealedResources, "rules");
+ CFDictionaryRef files = cfget<CFDictionaryRef>(sealedResources, "files");
+ DTRACK(CODESIGN_EVAL_STATIC_RESOURCES, this,
+ (char*)this->mainExecutablePath().c_str(), int(CFDictionaryGetCount(files)));
+
+ // make a shallow copy of the ResourceDirectory so we can "check off" what we find
+ CFRef<CFMutableDictionaryRef> resourceMap = makeCFMutableDictionary(files);
+
+ // scan through the resources on disk, checking each against the resourceDirectory
+ mResourcesValidContext = new CollectingContext(*this); // collect all failures in here
+ ResourceBuilder resources(cfString(this->resourceBase()), rules, codeDirectory()->hashType);
+ mRep->adjustResources(resources);
+ string path;
+ ResourceBuilder::Rule *rule;
+
+ while (resources.next(path, rule)) {
+ validateResource(path, *mResourcesValidContext);
+ CFDictionaryRemoveValue(resourceMap, CFTempString(path));
+ }
+
+ if (CFDictionaryGetCount(resourceMap) > 0) {
+ secdebug("staticCode", "%p sealed resource(s) not found in code", this);
+ CFDictionaryApplyFunction(resourceMap, SecStaticCode::checkOptionalResource, mResourcesValidContext);
+ }
+
+ // now check for any errors found in the reporting context
+ mResourcesValidated = true;
+ if (mResourcesValidContext->osStatus() != noErr)
+ mResourcesValidContext->throwMe();
+
+ } catch (const CommonError &err) {
+ mResourcesValidated = true;
+ mResourcesValidResult = err.osStatus();
+ throw;
+ } catch (...) {
+ secdebug("staticCode", "%p executable validation threw non-common exception", this);
+ mResourcesValidated = true;
+ mResourcesValidResult = errSecCSInternalError;
+ throw;
+ }
}
-
- // now check for any errors found in the reporting context
- if (ctx)
- ctx.throwMe();
+ assert(validatedResources());
+ if (mResourcesValidResult)
+ MacOSError::throwMe(mResourcesValidResult);
+ if (mResourcesValidContext->osStatus() != noErr)
+ mResourcesValidContext->throwMe();
}
{
CollectingContext *ctx = static_cast<CollectingContext *>(context);
ResourceSeal seal(value);
- if (!seal.optional())
+ if (!seal.optional()) {
if (key && CFGetTypeID(key) == CFStringGetTypeID()) {
ctx->reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing,
CFTempURL(CFStringRef(key), false, ctx->code.resourceBase()));
- } else
+ } else {
ctx->reportProblem(errSecCSBadResource, kSecCFErrorResourceSeal, key);
+ }
+ }
}
CFDictionaryRef SecStaticCode::infoDictionary()
{
if (!mInfoDict) {
- mInfoDict.take(getDictionary(cdInfoSlot));
+ mInfoDict.take(getDictionary(cdInfoSlot, errSecCSInfoPlistFailed));
secdebug("staticCode", "%p loaded InfoDict %p", this, mInfoDict.get());
}
return mInfoDict;
{
if (mResourceDict) // cached
return mResourceDict;
- if (CFRef<CFDictionaryRef> dict = getDictionary(cdResourceDirSlot))
+ if (CFRef<CFDictionaryRef> dict = getDictionary(cdResourceDirSlot, errSecCSSignatureFailed))
if (cfscan(dict, "{rules=%Dn,files=%Dn}")) {
secdebug("staticCode", "%p loaded ResourceDict %p",
this, mResourceDict.get());
// This will force load and validation, which means that it will perform basic
// validation if it hasn't been done yet.
//
-CFDictionaryRef SecStaticCode::getDictionary(CodeDirectory::SpecialSlot slot)
+CFDictionaryRef SecStaticCode::getDictionary(CodeDirectory::SpecialSlot slot, OSStatus fail /* = errSecCSSignatureFailed */)
{
validateDirectory();
- if (CFDataRef infoData = component(slot)) {
- validateComponent(slot);
+ if (CFDataRef infoData = component(slot, fail)) {
+ validateComponent(slot, fail);
if (CFDictionaryRef dict = makeCFDictionaryFrom(infoData))
return dict;
else
MacOSError::throwMe(errSecCSResourcesNotFound);
CFRef<CFURLRef> fullpath = makeCFURL(path, false, resourceBase());
if (CFRef<CFDataRef> data = cfLoadFile(fullpath)) {
- SHA1 hasher;
- hasher(CFDataGetBytePtr(data), CFDataGetLength(data));
- if (hasher.verify(seal.hash()))
+ MakeHash<CodeDirectory> hasher(this->codeDirectory());
+ hasher->update(CFDataGetBytePtr(data), CFDataGetLength(data));
+ if (hasher->verify(seal.hash()))
return data.yield(); // good
else
ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered
CFRef<CFURLRef> fullpath = makeCFURL(path, false, resourceBase());
AutoFileDesc fd(cfString(fullpath), O_RDONLY, FileDesc::modeMissingOk); // open optional filee
if (fd) {
- SHA1 hasher;
- hashFileData(fd, hasher);
- if (hasher.verify(seal.hash()))
+ MakeHash<CodeDirectory> hasher(this->codeDirectory());
+ hashFileData(fd, hasher.get());
+ if (hasher->verify(seal.hash()))
return; // verify good
else
ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered
//
-// Return the Designated Requirement. This can be either explicit in the
-// Internal Requirements resource, or implicitly generated.
+// Return the Designated Requirement (DR). This can be either explicit in the
+// Internal Requirements component, or implicitly generated on demand here.
+// Note that an explicit DR may have been implicitly generated at signing time;
+// we don't distinguish this case.
//
const Requirement *SecStaticCode::designatedRequirement()
{
//
-// Generate the default (implicit) Designated Requirement for this StaticCode.
-// This is a heuristic of sorts, and may change over time (for the better, we hope).
-//
-// The current logic is this:
-// * If the code is ad-hoc signed, use the CodeDirectory hash directory.
-// * Otherwise, use the form anchor (anchor) and identifier (CodeDirectory identifier).
-// ** If the root CA is Apple's, we use the "anchor apple" construct. Otherwise,
-// we default to the leaf (directly signing) certificate.
+// Generate the default Designated Requirement (DR) for this StaticCode.
+// Ignore any explicit DR it may contain.
//
const Requirement *SecStaticCode::defaultDesignatedRequirement()
{
- validateDirectory(); // need the cert chain
- Requirement::Maker maker;
-
- // if this is an ad-hoc (unsigned) object, return a cdhash requirement
if (flag(kSecCodeSignatureAdhoc)) {
+ // adhoc signature: return a plain cdhash requirement
+ Requirement::Maker maker;
SHA1 hash;
hash(codeDirectory(), codeDirectory()->length());
SHA1::Digest digest;
hash.finish(digest);
maker.cdhash(digest);
+ return maker.make();
} else {
- // always require the identifier
- maker.put(opAnd);
- maker.ident(codeDirectory()->identifier());
-
- SHA1::Digest anchorHash;
- hashOfCertificate(cert(Requirement::anchorCert), anchorHash);
- if (!memcmp(anchorHash, Requirement::appleAnchorHash(), SHA1::digestLength)
-#if defined(TEST_APPLE_ANCHOR)
- || !memcmp(anchorHash, Requirement::testAppleAnchorHash(), SHA1::digestLength)
-#endif
- )
- defaultDesignatedAppleAnchor(maker);
- else
- defaultDesignatedNonAppleAnchor(maker);
+ // full signature: Gin up full context and let DRMaker do its thing
+ validateDirectory(); // need the cert chain
+ Requirement::Context context(this->certificates(),
+ this->infoDictionary(),
+ this->entitlements(),
+ this->identifier(),
+ this->codeDirectory()
+ );
+ return DRMaker(context).make();
}
-
- return maker();
-}
-
-static const uint8_t adcSdkMarker[] = { APPLE_EXTENSION_OID, 2, 1 };
-static const CSSM_DATA adcSdkMarkerOID = { sizeof(adcSdkMarker), (uint8_t *)adcSdkMarker };
-
-void SecStaticCode::defaultDesignatedAppleAnchor(Requirement::Maker &maker)
-{
- if (isAppleSDKSignature()) {
- // get the Common Name DN element for the leaf
- CFRef<CFStringRef> leafCN;
- MacOSError::check(SecCertificateCopySubjectComponent(cert(Requirement::leafCert),
- &CSSMOID_CommonName, &leafCN.aref()));
-
- // apple anchor generic and ...
- maker.put(opAnd);
- maker.anchorGeneric(); // apple generic anchor and...
- // ... leaf[subject.CN] = <leaf's subject> and ...
- maker.put(opAnd);
- maker.put(opCertField); // certificate
- maker.put(0); // leaf
- maker.put("subject.CN"); // [subject.CN]
- maker.put(matchEqual); // =
- maker.putData(leafCN); // <leaf CN>
- // ... cert 1[field.<marker>] exists
- maker.put(opCertGeneric); // certificate
- maker.put(1); // 1
- maker.putData(adcSdkMarkerOID.Data, adcSdkMarkerOID.Length); // [field.<marker>]
- maker.put(matchExists); // exists
- return;
- }
-
- // otherwise, claim this program for Apple
- maker.anchor();
-}
-
-bool SecStaticCode::isAppleSDKSignature()
-{
- if (CFArrayRef certChain = certificates()) // got cert chain
- if (CFArrayGetCount(certChain) == 3) // leaf, one intermediate, anchor
- if (SecCertificateRef intermediate = cert(1)) // get intermediate
- if (certificateHasField(intermediate, CssmOid::overlay(adcSdkMarkerOID)))
- return true;
- return false;
-}
-
-void SecStaticCode::defaultDesignatedNonAppleAnchor(Requirement::Maker &maker)
-{
- // get the Organization DN element for the leaf
- CFRef<CFStringRef> leafOrganization;
- MacOSError::check(SecCertificateCopySubjectComponent(cert(Requirement::leafCert),
- &CSSMOID_OrganizationName, &leafOrganization.aref()));
-
- // now step up the cert chain looking for the first cert with a different one
- int slot = Requirement::leafCert; // start at leaf
- if (leafOrganization) {
- while (SecCertificateRef ca = cert(slot+1)) { // NULL if you over-run the anchor slot
- CFRef<CFStringRef> caOrganization;
- MacOSError::check(SecCertificateCopySubjectComponent(ca, &CSSMOID_OrganizationName, &caOrganization.aref()));
- if (!caOrganization || CFStringCompare(leafOrganization, caOrganization, 0) != kCFCompareEqualTo)
- break;
- slot++;
- }
- if (slot == CFArrayGetCount(mCertChain) - 1) // went all the way to the anchor...
- slot = Requirement::anchorCert; // ... so say that
- }
-
- // nail the last cert with the leaf's Organization value
- SHA1::Digest authorityHash;
- hashOfCertificate(cert(slot), authorityHash);
- maker.anchor(slot, authorityHash);
}
{
DTRACK(CODESIGN_EVAL_STATIC_INTREQ, this, type, target, nullError);
if (const Requirement *req = internalRequirement(type))
- target->validateRequirements(req, nullError ? nullError : errSecCSReqFailed);
+ target->validateRequirement(req, nullError ? nullError : errSecCSReqFailed);
else if (nullError)
MacOSError::throwMe(nullError);
else
//
// Validate this StaticCode against an external Requirement
//
-void SecStaticCode::validateRequirements(const Requirement *req, OSStatus failure)
+bool SecStaticCode::satisfiesRequirement(const Requirement *req, OSStatus failure)
{
assert(req);
validateDirectory();
- req->validate(Requirement::Context(mCertChain, infoDictionary(), entitlements(), codeDirectory()), failure);
+ return req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(), codeDirectory()->identifier(), codeDirectory()), failure);
+}
+
+void SecStaticCode::validateRequirement(const Requirement *req, OSStatus failure)
+{
+ if (!this->satisfiesRequirement(req, failure))
+ MacOSError::throwMe(failure);
}
CFDictionaryAddValue(dict, kSecCodeInfoIdentifier, CFTempString(this->identifier()));
CFDictionaryAddValue(dict, kSecCodeInfoFormat, CFTempString(this->format()));
CFDictionaryAddValue(dict, kSecCodeInfoSource, CFTempString(this->signatureSource()));
- if (CFDictionaryRef info = this->infoDictionary())
- CFDictionaryAddValue(dict, kSecCodeInfoPList, info);
CFDictionaryAddValue(dict, kSecCodeInfoUnique, this->cdHash());
+ CFDictionaryAddValue(dict, kSecCodeInfoDigestAlgorithm, CFTempNumber(this->codeDirectory(false)->hashType));
+
+ //
+ // Deliver any Info.plist only if it looks intact
+ //
+ try {
+ if (CFDictionaryRef info = this->infoDictionary())
+ CFDictionaryAddValue(dict, kSecCodeInfoPList, info);
+ } catch (...) { } // don't deliver Info.plist if questionable
//
// kSecCSSigningInformation adds information about signing certificates and chains
if (CFAbsoluteTime time = this->signingTime())
if (CFRef<CFDateRef> date = CFDateCreate(NULL, time))
CFDictionaryAddValue(dict, kSecCodeInfoTime, date);
+ if (CFAbsoluteTime time = this->signingTimestamp())
+ if (CFRef<CFDateRef> date = CFDateCreate(NULL, time))
+ CFDictionaryAddValue(dict, kSecCodeInfoTimestamp, date);
}
//
CFDictionaryAddValue(dict, kSecCodeInfoImplicitDesignatedRequirement, dreqRef);
}
- if (CFDataRef ent = this->component(cdEntitlementSlot))
+ if (CFDataRef ent = this->component(cdEntitlementSlot)) {
CFDictionaryAddValue(dict, kSecCodeInfoEntitlements, ent);
+ if (CFDictionaryRef entdict = this->entitlements())
+ CFDictionaryAddValue(dict, kSecCodeInfoEntitlementsDict, entdict);
+ }
}
//
void SecStaticCode::CollectingContext::throwMe()
{
assert(mStatus != noErr);
- throw CSError(mStatus, mCollection.yield());
+ throw CSError(mStatus, mCollection.retain());
+}
+
+
+//
+// SecStaticCode::AllArchitectures produces SecStaticCode objects separately
+// for each architecture represented by a base object.
+//
+// Performance note: This is a simple, straight-forward implementation that
+// does not heroically try to share resources between the code objects produced.
+// In practice, this means we'll re-open files and re-read resource files.
+// In exchange, we enter all the code paths in the normal way, and do not have
+// special sharing paths to worry about.
+// If a performance tool brings you here because you have *proof* of a performance
+// problem, consider digging up MachO and Universal (for sharing file descriptors),
+// and SecStaticCode (for sharing resource iterators). That ought to cover most of
+// the big chunks. If you're just offended by the simplicity of this implementation,
+// go play somewhere else.
+//
+SecStaticCode::AllArchitectures::AllArchitectures(SecStaticCode *code)
+ : mBase(code)
+{
+ if (Universal *fat = code->diskRep()->mainExecutableImage()) {
+ fat->architectures(mArchitectures);
+ mCurrent = mArchitectures.begin();
+ mState = fatBinary;
+ } else {
+ mState = firstNonFat;
+ }
+}
+
+SecStaticCode *SecStaticCode::AllArchitectures::operator () ()
+{
+ switch (mState) {
+ case firstNonFat:
+ mState = atEnd;
+ return mBase;
+ case fatBinary:
+ {
+ if (mCurrent == mArchitectures.end())
+ return NULL;
+ Architecture arch = *mCurrent++;
+ if (arch == mBase->diskRep()->mainExecutableImage()->bestNativeArch()) {
+ return mBase;
+ } else {
+ DiskRep::Context ctx;
+ ctx.arch = arch;
+ return new SecStaticCode(DiskRep::bestGuess(mBase->mainExecutablePath(), &ctx));
+ }
+ }
+ default:
+ return NULL;
+ }
}
projects / apple / libsecurity_codesigning.git / blobdiff