]> git.saurik.com Git - apple/security.git/blame - OSX/libsecurity_codesigning/lib/CSCommon.h
projects / apple / security.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Security-58286.41.2.tar.gz
[apple/security.git] / OSX / libsecurity_codesigning / lib / CSCommon.h
CommitLineData
b1ab9ed8 1/*
d8f41ccd 2 * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
b1ab9ed8
A		 3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24/*!
25 @header CSCommon
26 CSCommon is the common header of all Code Signing API headers.
27 It defines types, constants, and error codes.
28*/
29#ifndef _H_CSCOMMON
30#define _H_CSCOMMON
31
32#ifdef __cplusplus
33extern "C" {
34#endif
35
36#include <stdint.h>
37#include <CoreFoundation/CoreFoundation.h>
38
5c19dc3a 39CF_ASSUME_NONNULL_BEGIN
b1ab9ed8
A		 40
41/*
42 Code Signing specific OSStatus codes.
43 [Assigned range 0xFFFE_FAxx].
44*/
5c19dc3a 45CF_ENUM(OSStatus) {
b1ab9ed8
A		 46 errSecCSUnimplemented = -67072, /* unimplemented code signing feature */
47 errSecCSInvalidObjectRef = -67071, /* invalid API object reference */
48 errSecCSInvalidFlags = -67070, /* invalid or inappropriate API flag(s) specified */
49 errSecCSObjectRequired = -67069, /* a required pointer argument was NULL */
50 errSecCSStaticCodeNotFound = -67068, /* cannot find code object on disk */
51 errSecCSUnsupportedGuestAttributes = -67067, /* cannot locate guests using this attribute set */
52 errSecCSInvalidAttributeValues = -67066, /* given attribute values are invalid */
53 errSecCSNoSuchCode = -67065, /* host has no guest with the requested attributes */
54 errSecCSMultipleGuests = -67064, /* ambiguous guest specification (host has multiple guests with these attribute values) */
55 errSecCSGuestInvalid = -67063, /* code identity has been invalidated */
56 errSecCSUnsigned = -67062, /* code object is not signed at all */
57 errSecCSSignatureFailed = -67061, /* invalid signature (code or signature have been modified) */
58 errSecCSSignatureNotVerifiable = -67060, /* the code cannot be read by the verifier (file system permissions etc.) */
59 errSecCSSignatureUnsupported = -67059, /* unsupported type or version of signature */
60 errSecCSBadDictionaryFormat = -67058, /* a required plist file or resource is malformed */
61 errSecCSResourcesNotSealed = -67057, /* resources are present but not sealed by signature */
62 errSecCSResourcesNotFound = -67056, /* code has no resources but signature indicates they must be present */
63 errSecCSResourcesInvalid = -67055, /* the sealed resource directory is invalid */
64 errSecCSBadResource = -67054, /* a sealed resource is missing or invalid */
65 errSecCSResourceRulesInvalid = -67053, /* invalid resource specification rule(s) */
66 errSecCSReqInvalid = -67052, /* invalid or corrupted code requirement(s) */
67 errSecCSReqUnsupported = -67051, /* unsupported type or version of code requirement(s) */
68 errSecCSReqFailed = -67050, /* code failed to satisfy specified code requirement(s) */
69 errSecCSBadObjectFormat = -67049, /* object file format unrecognized, invalid, or unsuitable */
70 errSecCSInternalError = -67048, /* internal error in Code Signing subsystem */
71 errSecCSHostReject = -67047, /* code rejected its host */
72 errSecCSNotAHost = -67046, /* attempt to specify guest of code that is not a host */
73 errSecCSSignatureInvalid = -67045, /* invalid or unsupported format for signature */
74 errSecCSHostProtocolRelativePath = -67044, /* host protocol violation - absolute guest path required */
75 errSecCSHostProtocolContradiction = -67043, /* host protocol violation - contradictory hosting modes */
76 errSecCSHostProtocolDedicationError = -67042, /* host protocol violation - operation not allowed with/for a dedicated guest */
77 errSecCSHostProtocolNotProxy = -67041, /* host protocol violation - proxy hosting not engaged */
78 errSecCSHostProtocolStateError = -67040, /* host protocol violation - invalid guest state change request */
79 errSecCSHostProtocolUnrelated = -67039, /* host protocol violation - the given guest is not a guest of the given host */
80 /* -67038 obsolete (no longer issued) */
81 errSecCSNotSupported = -67037, /* operation inapplicable or not supported for this type of code */
82 errSecCSCMSTooLarge = -67036, /* signature too large to embed (size limitation of on-disk representation) */
83 errSecCSHostProtocolInvalidHash = -67035, /* host protocol violation - invalid guest hash */
84 errSecCSStaticCodeChanged = -67034, /* the code on disk does not match what is running */
85 errSecCSDBDenied = -67033, /* permission to use a database denied */
86 errSecCSDBAccess = -67032, /* cannot access a database */
87 errSecCSSigDBDenied = errSecCSDBDenied,
88 errSecCSSigDBAccess = errSecCSDBAccess,
89 errSecCSHostProtocolInvalidAttribute = -67031, /* host returned invalid or inconsistent guest attributes */
90 errSecCSInfoPlistFailed = -67030, /* invalid Info.plist (plist or signature have been modified) */
91 errSecCSNoMainExecutable = -67029, /* the code has no main executable file */
92 errSecCSBadBundleFormat = -67028, /* bundle format unrecognized, invalid, or unsuitable */
93 errSecCSNoMatches = -67027, /* no matches for search or update operation */
94 errSecCSFileHardQuarantined = -67026, /* File created by an AppSandbox, exec/open not allowed */
95 errSecCSOutdated = -67025, /* presented data is out of date */
313fa17b 96 errSecCSDbCorrupt = -67024, /* a system database or file is corrupt */
427c49bc
A		 97 errSecCSResourceDirectoryFailed = -67023, /* invalid resource directory (directory or signature have been modified) */
98 errSecCSUnsignedNestedCode = -67022, /* nested code is unsigned */
99 errSecCSBadNestedCode = -67021, /* nested code is modified or invalid */
100 errSecCSBadCallbackValue = -67020, /* monitor callback returned invalid value */
101 errSecCSHelperFailed = -67019, /* the codesign_allocate helper tool cannot be found or used */
102 errSecCSVetoed = -67018,
80e23899
A		 103 errSecCSBadLVArch = -67017, /* library validation flag cannot be used with an i386 binary */
104 errSecCSResourceNotSupported = -67016, /* unsupported resource found (something not a directory, file or symlink) */
105 errSecCSRegularFile = -67015, /* the main executable or Info.plist must be a regular file (no symlinks, etc.) */
106 errSecCSUnsealedAppRoot = -67014, /* unsealed contents present in the bundle root */
d8f41ccd 107 errSecCSWeakResourceRules = -67013, /* resource envelope is obsolete (custom omit rules) */
80e23899
A		 108 errSecCSDSStoreSymlink = -67012, /* .DS_Store files cannot be a symlink */
109 errSecCSAmbiguousBundleFormat = -67011, /* bundle format is ambiguous (could be app or framework) */
110 errSecCSBadMainExecutable = -67010, /* main executable failed strict validation */
111 errSecCSBadFrameworkVersion = -67009, /* embedded framework contains modified or invalid version */
112 errSecCSUnsealedFrameworkRoot = -67008, /* unsealed contents present in the root directory of an embedded framework */
d8f41ccd 113 errSecCSWeakResourceEnvelope = -67007, /* resource envelope is obsolete (version 1 signature) */
866f8763 114 errSecCSCancelled = -67006, /* operation was terminated by explicit cancelation */
5c19dc3a
A		 115 errSecCSInvalidPlatform = -67005, /* invalid platform identifier or platform mismatch */
116 errSecCSTooBig = -67004, /* code is too big for current signing format */
117 errSecCSInvalidSymlink = -67003, /* invalid destination for symbolic link in bundle */
e3d460c9
A		 118 errSecCSNotAppLike = -67002, /* the code is valid but does not seem to be an app */
119 errSecCSBadDiskImageFormat = -67001, /* disk image format unrecognized, invalid, or unsuitable */
866f8763 120 errSecCSUnsupportedDigestAlgorithm = -67000, /* a requested signature digest algorithm is not supported */
fa7225c8
A		 121 errSecCSInvalidAssociatedFileData = -66999, /* resource fork, Finder information, or similar detritus not allowed */
122 errSecCSInvalidTeamIdentifier = -66998, /* a Team Identifier string is invalid */
123 errSecCSBadTeamIdentifier = -66997, /* a Team Identifier is wrong or inappropriate */
866f8763
A		 124 errSecCSSignatureUntrusted = -66996, /* signature is valid but signer is not trusted */
125 errSecMultipleExecSegments = -66995, /* the image contains multiple executable segments */
b1ab9ed8
A		 126};
127
b1ab9ed8
A		 128/*
129 * Code Signing specific CFError "user info" keys.
130 * In calls that can return CFErrorRef indications, if a CFErrorRef is actually
131 * returned, its "user info" dictionary may contain some of the following keys
132 * to more closely describe the circumstances of the failure.
133 * Do not rely on the presence of any particular key to categorize a problem;
134 * always use the primary OSStatus return for that. The data contained under
135 * these keys is always supplemental and optional.
136 */
137extern const CFStringRef kSecCFErrorArchitecture; /* CFStringRef: name of architecture causing the problem */
138extern const CFStringRef kSecCFErrorPattern; /* CFStringRef: invalid resource selection pattern encountered */
139extern const CFStringRef kSecCFErrorResourceSeal; /* CFTypeRef: invalid component in resource seal (CodeResources) */
140extern const CFStringRef kSecCFErrorResourceAdded; /* CFURLRef: unsealed resource found */
141extern const CFStringRef kSecCFErrorResourceAltered; /* CFURLRef: modified resource found */
142extern const CFStringRef kSecCFErrorResourceMissing; /* CFURLRef: sealed (non-optional) resource missing */
fa7225c8 143extern const CFStringRef kSecCFErrorResourceSideband; /* CFURLRef: sealed resource has invalid sideband data (resource fork, etc.) */
b1ab9ed8
A		 144extern const CFStringRef kSecCFErrorInfoPlist; /* CFTypeRef: Info.plist dictionary or component thereof found invalid */
145extern const CFStringRef kSecCFErrorGuestAttributes; /* CFTypeRef: Guest attribute set of element not accepted */
146extern const CFStringRef kSecCFErrorRequirementSyntax; /* CFStringRef: compilation error for Requirement source */
147extern const CFStringRef kSecCFErrorPath; /* CFURLRef: subcomponent containing the error */
148
b1ab9ed8
A		 149/*!
150 @typedef SecCodeRef
151 This is the type of a reference to running code.
152
153 In many (but not all) calls, this can be passed to a SecStaticCodeRef
154 argument, which performs an implicit SecCodeCopyStaticCode call and
155 operates on the result.
156*/
5c19dc3a 157typedef struct CF_BRIDGED_TYPE(id) __SecCode *SecCodeRef; /* running code */
b1ab9ed8
A		 158
159/*!
160 @typedef SecStaticCodeRef
161 This is the type of a reference to static code on disk.
162*/
5c19dc3a 163typedef struct CF_BRIDGED_TYPE(id) __SecCode const *SecStaticCodeRef; /* code on disk */
b1ab9ed8
A		 164
165/*!
166 @typedef SecRequirementRef
167 This is the type of a reference to a code requirement.
168*/
5c19dc3a 169typedef struct CF_BRIDGED_TYPE(id) __SecRequirement *SecRequirementRef; /* code requirement */
b1ab9ed8
A		 170
171
172/*!
173 @typedef SecGuestRef
174 An abstract handle to identify a particular Guest in the context of its Host.
175
176 Guest handles are assigned by the host at will, with kSecNoGuest (zero) being
177 reserved as the null value. They can be reused for new children if desired.
178*/
179typedef u_int32_t SecGuestRef;
180
5c19dc3a 181CF_ENUM(SecGuestRef) {
b1ab9ed8
A		 182 kSecNoGuest = 0, /* not a valid SecGuestRef */
183};
184
185
186/*!
187 @typedef SecCSFlags
188 This is the type of flags arguments to Code Signing API calls.
189 It provides a bit mask of request and option flags. All of the bits in these
190 masks are reserved to Apple; if you set any bits not defined in these headers,
191 the behavior is generally undefined.
192
193 This list describes the flags that are shared among several Code Signing API calls.
194 Flags that only apply to one call are defined and documented with that call.
195 Global flags are assigned from high order down (31 -> 0); call-specific flags
196 are assigned from the bottom up (0 -> 31).
197
198 @constant kSecCSDefaultFlags
199 When passed to a flags argument throughout, indicates that default behavior
200 is desired. Do not mix with other flags values.
201 @constant kSecCSConsiderExpiration
202 When passed to a call that performs code validation, requests that code signatures
203 made by expired certificates be rejected. By default, expiration of participating
204 certificates is not automatic grounds for rejection.
205*/
5c19dc3a 206typedef CF_OPTIONS(uint32_t, SecCSFlags) {
d8f41ccd 207 kSecCSDefaultFlags = 0, /* no particular flags (default behavior) */
b1ab9ed8 208
fa7225c8 209 kSecCSConsiderExpiration = 1U << 31, /* consider expired certificates invalid */
d8f41ccd
A		 210 kSecCSEnforceRevocationChecks = 1 << 30, /* force revocation checks regardless of preference settings */
211 kSecCSNoNetworkAccess = 1 << 29, /* do not use the network, cancels "kSecCSEnforceRevocationChecks" */
212 kSecCSReportProgress = 1 << 28, /* make progress report call-backs when configured */
5c19dc3a 213 kSecCSCheckTrustedAnchors = 1 << 27, /* build certificate chain to system trust anchors, not to any self-signed certificate */
fa7225c8 214 kSecCSQuickCheck = 1 << 26, /* (internal) */
b1ab9ed8
A		 215};
216
217
218/*!
219 @typedef SecCodeSignatureFlags
220 This is the type of option flags that can be embedded in a code signature
221 during signing, and that govern the use of the signature thereafter.
222 Some of these flags can be set through the codesign(1) command's --options
223 argument; some are set implicitly based on signing circumstances; and all
224 can be set with the kSecCodeSignerFlags item of a signing information dictionary.
225
226 @constant kSecCodeSignatureHost
227 Indicates that the code may act as a host that controls and supervises guest
228 code. If this flag is not set in a code signature, the code is never considered
229 eligible to be a host, and any attempt to act like one will be ignored or rejected.
230 @constant kSecCodeSignatureAdhoc
231 The code has been sealed without a signing identity. No identity may be retrieved
232 from it, and any code requirement placing restrictions on the signing identity
233 will fail. This flag is set by the code signing API and cannot be set explicitly.
234 @constant kSecCodeSignatureForceHard
235 Implicitly set the "hard" status bit for the code when it starts running.
236 This bit indicates that the code prefers to be denied access to a resource
237 if gaining such access would cause its invalidation. Since the hard bit is
238 sticky, setting this option bit guarantees that the code will always have
239 it set.
240 @constant kSecCodeSignatureForceKill
241 Implicitly set the "kill" status bit for the code when it starts running.
242 This bit indicates that the code wishes to be terminated with prejudice if
243 it is ever invalidated. Since the kill bit is sticky, setting this option bit
244 guarantees that the code will always be dynamically valid, since it will die
245 immediately if it becomes invalid.
246 @constant kSecCodeSignatureForceExpiration
247 Forces the kSecCSConsiderExpiration flag on all validations of the code.
248 */
5c19dc3a 249typedef CF_OPTIONS(uint32_t, SecCodeSignatureFlags) {
b1ab9ed8
A		 250 kSecCodeSignatureHost = 0x0001, /* may host guest code */
251 kSecCodeSignatureAdhoc = 0x0002, /* must be used without signer */
252 kSecCodeSignatureForceHard = 0x0100, /* always set HARD mode on launch */
253 kSecCodeSignatureForceKill = 0x0200, /* always set KILL mode on launch */
254 kSecCodeSignatureForceExpiration = 0x0400, /* force certificate expiration checks */
427c49bc
A		 255 kSecCodeSignatureRestrict = 0x0800, /* restrict dyld loading */
256 kSecCodeSignatureEnforcement = 0x1000, /* enforce code signing */
420ff9d9 257 kSecCodeSignatureLibraryValidation = 0x2000, /* library validation required */
b1ab9ed8
A		 258};
259
b1ab9ed8
A		 260/*!
261 @typedef SecCodeStatus
262 The code signing system attaches a set of status flags to each running code.
263 These flags are maintained by the code's host, and can be read by anyone.
264 A code may change its own flags, a host may change its guests' flags,
265 and root may change anyone's flags. However, these flags are sticky in that
266 each can change in only one direction (and never back, for the lifetime of the code).
267 Not even root can violate this restriction.
268
269 There are other flags in SecCodeStatus that are not publicly documented.
270 Do not rely on them, and do not ever attempt to explicitly set them.
271
272 @constant kSecCodeStatusValid
273 Indicates that the code is dynamically valid, i.e. it started correctly
274 and has not been invalidated since then. The valid bit can only be cleared.
275
276 Warning: This bit is not your one-stop shortcut to determining the validity of code.
277 It represents the dynamic component of the full validity function; if this
278 bit is unset, the code is definitely invalid, but the converse is not always true.
279 In fact, code hosts may represent the outcome of some delayed static validation work in this bit,
280 and thus it strictly represents a blend of (all of) dynamic and (some of) static validity,
281 depending on the implementation of the particular host managing the code. You can (only)
282 rely that (1) dynamic invalidation will clear this bit; and (2) the combination
283 of static validation and dynamic validity (as performed by the SecCodeCheckValidity* APIs)
284 will give a correct answer.
285
286 @constant kSecCodeStatusHard
287 Indicates that the code prefers to be denied access to resources if gaining access
288 would invalidate it. This bit can only be set.
289 It is undefined whether code that is marked hard and is already invalid will still
290 be denied access to a resource that would invalidate it if it were still valid. That is,
291 the code may or may not get access to such a resource while being invalid, and that choice
292 may appear random.
293
294 @constant kSecCodeStatusKill
295 Indicates that the code wants to be killed (terminated) if it ever loses its validity.
296 This bit can only be set. Code that has the kill flag set will never be dynamically invalid
297 (and live). Note however that a change in static validity does not necessarily trigger instant
298 death.
299*/
5c19dc3a 300typedef CF_OPTIONS(uint32_t, SecCodeStatus) {
b1ab9ed8
A		 301 kSecCodeStatusValid = 0x0001,
302 kSecCodeStatusHard = 0x0100,
303 kSecCodeStatusKill = 0x0200,
304};
305
306
307/*!
308 @typedef SecRequirementType
309 An enumeration indicating different types of internal requirements for code.
310 */
5c19dc3a 311typedef CF_ENUM(uint32_t, SecRequirementType) {
b1ab9ed8
A		 312 kSecHostRequirementType = 1, /* what hosts may run us */
313 kSecGuestRequirementType = 2, /* what guests we may run */
314 kSecDesignatedRequirementType = 3, /* designated requirement */
315 kSecLibraryRequirementType = 4, /* what libraries we may link against */
316 kSecPluginRequirementType = 5, /* what plug-ins we may load */
317 kSecInvalidRequirementType, /* invalid type of Requirement (must be last) */
318 kSecRequirementTypeCount = kSecInvalidRequirementType /* number of valid requirement types */
319};
e3d460c9
A		 320
321
322/*!
323 Types of cryptographic digests (hashes) used to hold code signatures
324 together.
325
326 Each combination of type, length, and other parameters is a separate
327 hash type; we don't understand "families" here.
328
329 These type codes govern the digest links that connect a CodeDirectory
330 to its subordinate data structures (code pages, resources, etc.)
331 They do not directly control other uses of hashes (such as those used
332 within X.509 certificates and CMS blobs).
333 */
334typedef CF_ENUM(uint32_t, SecCSDigestAlgorithm) {
335 kSecCodeSignatureNoHash = 0, /* null value */
336 kSecCodeSignatureHashSHA1 = 1, /* SHA-1 */
337 kSecCodeSignatureHashSHA256 = 2, /* SHA-256 */
338 kSecCodeSignatureHashSHA256Truncated = 3, /* SHA-256 truncated to first 20 bytes */
339 kSecCodeSignatureHashSHA384 = 4, /* SHA-384 */
340};
b1ab9ed8 341
5c19dc3a 342CF_ASSUME_NONNULL_END
b1ab9ed8
A		 343
344#ifdef __cplusplus
345}
346#endif
347
348#endif //_H_CSCOMMON
mirror of Security