[apple/security.git] / libsecurity_codesigning / lib / csutilities.cpp

/*
 * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

//
// csutilities - miscellaneous utilities for the code signing implementation
//
#include "csutilities.h"
#include <Security/SecCertificatePriv.h>
#include <security_codesigning/requirement.h>
#include <security_utilities/hashing.h>
#include <security_utilities/debugging.h>
#include <security_utilities/errors.h>

namespace Security {
namespace CodeSigning {


//
// The (SHA-1) hash of the canonical Apple certificate root anchor
//
static const SHA1::Digest gAppleAnchorHash =
	{ 0x61, 0x1e, 0x5b, 0x66, 0x2c, 0x59, 0x3a, 0x08, 0xff, 0x58,
	  0xd1, 0x4a, 0xe2, 0x24, 0x52, 0xd1, 0x98, 0xdf, 0x6c, 0x60 };


//
// Test for the canonical Apple CA certificate
//
bool isAppleCA(SecCertificateRef cert)
{
	return verifyHash(cert, gAppleAnchorHash);
}

bool isAppleCA(const Hashing::Byte *sha1)
{
	return !memcmp(sha1, gAppleAnchorHash, SHA1::digestLength);
}


//
// Calculate the canonical hash of a certificate, given its raw (DER) data.
//
void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest)
{
	SHA1 hasher;
	hasher(certData, certLength);
	hasher.finish(digest);
}


//
// Ditto, given a SecCertificateRef
//
void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest)
{
	assert(cert);
	CSSM_DATA certData;
	MacOSError::check(SecCertificateGetData(cert, &certData));
	hashOfCertificate(certData.Data, certData.Length, digest);
}


//
// One-stop hash-certificate-and-compare
//
bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest)
{
	SHA1::Digest dig;
	hashOfCertificate(cert, dig);
	return !memcmp(dig, digest, SHA1::digestLength);
}


//
// Check to see if a certificate contains a particular field, by OID. This works for extensions,
// even ones not recognized by the local CL. It does not return any value, only presence.
//
bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid)
{
	assert(cert);
	CSSM_DATA *value;
	switch (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &oid, &value)) {
	case errSecSuccess:
		MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &oid, value));
		return true;					// extension found by oid
	case errSecUnknownTag:
		break;							// oid not recognized by CL - continue below
	default:
		MacOSError::throwMe(rc);		// error: fail
	}
	
	// check the CL's bag of unrecognized extensions
	CSSM_DATA **values;
	bool found = false;
	if (SecCertificateCopyFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, &values))
		return false;	// no unrecognized extensions - no match
	if (values)
		for (CSSM_DATA **p = values; *p; p++) {
			const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)(*p)->Data;
			if (oid == ext->extnId) {
				found = true;
				break;
			}
		}
	MacOSError::check(SecCertificateReleaseFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, values));
	return found;
}
    
    
//
// Retrieve X.509 policy extension OIDs, if any.
// This currently ignores policy qualifiers.
//
bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid)
{
	bool matched = false;
	assert(cert);
	CSSM_DATA *data;
	if (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &CSSMOID_CertificatePolicies, &data))
		MacOSError::throwMe(rc);
	if (data && data->Data && data->Length == sizeof(CSSM_X509_EXTENSION)) {
		const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)data->Data;
		assert(ext->format == CSSM_X509_DATAFORMAT_PARSED);
		const CE_CertPolicies *policies = (const CE_CertPolicies *)ext->value.parsedValue;
		if (policies)
			for (unsigned int n = 0; n < policies->numPolicies; n++) {
				const CE_PolicyInformation &cp = policies->policies[n];
				if (cp.certPolicyId == policyOid) {
					matched = true;
					break;
				}
			}
	}
	SecCertificateReleaseFirstFieldValue(cert, &CSSMOID_PolicyConstraints, data);
	return matched;
}


//
// Copyfile
//
Copyfile::Copyfile()
{
	if (!(mState = copyfile_state_alloc()))
		UnixError::throwMe();
}
	
void Copyfile::set(uint32_t flag, const void *value)
{
	check(::copyfile_state_set(mState, flag, value));
}

void Copyfile::get(uint32_t flag, void *value)
{
	check(::copyfile_state_set(mState, flag, value));
}
	
void Copyfile::operator () (const char *src, const char *dst, copyfile_flags_t flags)
{
	check(::copyfile(src, dst, mState, flags));
}

void Copyfile::check(int rc)
{
	if (rc < 0)
		UnixError::throwMe();
}


//
// MessageTracer support
//
MessageTrace::MessageTrace(const char *domain, const char *signature)
{
	mAsl = asl_new(ASL_TYPE_MSG);
	if (domain)
		asl_set(mAsl, "com.apple.message.domain", domain);
	if (signature)
		asl_set(mAsl, "com.apple.message.signature", signature);
}

void MessageTrace::add(const char *key, const char *format, ...)
{
	va_list args;
	va_start(args, format);
	char value[200];
	vsnprintf(value, sizeof(value), format, args);
	va_end(args);
	asl_set(mAsl, (string("com.apple.message.") + key).c_str(), value);
}
	
void MessageTrace::send(const char *format, ...)
{
	va_list args;
	va_start(args, format);
	asl_vlog(NULL, mAsl, ASL_LEVEL_NOTICE, format, args);
	va_end(args);
}


} // end namespace CodeSigning
} // end namespace Security
Commit	Line	Data
b1ab9ed8 A	1	/*
	2	* Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	//
	25	// csutilities - miscellaneous utilities for the code signing implementation
	26	//
	27	#include "csutilities.h"
	28	#include <Security/SecCertificatePriv.h>
	29	#include <security_codesigning/requirement.h>
313fa17b	30	#include <security_utilities/hashing.h>
b1ab9ed8 A	31	#include <security_utilities/debugging.h>
	32	#include <security_utilities/errors.h>
	33
	34	namespace Security {
	35	namespace CodeSigning {
	36
	37
313fa17b A	38	//
	39	// The (SHA-1) hash of the canonical Apple certificate root anchor
	40	//
	41	static const SHA1::Digest gAppleAnchorHash =
	42	{ 0x61, 0x1e, 0x5b, 0x66, 0x2c, 0x59, 0x3a, 0x08, 0xff, 0x58,
	43	0xd1, 0x4a, 0xe2, 0x24, 0x52, 0xd1, 0x98, 0xdf, 0x6c, 0x60 };
	44
	45
	46
	47	//
	48	// Test for the canonical Apple CA certificate
	49	//
	50	bool isAppleCA(SecCertificateRef cert)
	51	{
	52	return verifyHash(cert, gAppleAnchorHash);
	53	}
	54
	55	bool isAppleCA(const Hashing::Byte *sha1)
	56	{
	57	return !memcmp(sha1, gAppleAnchorHash, SHA1::digestLength);
	58	}
	59
	60
b1ab9ed8 A	61	//
	62	// Calculate the canonical hash of a certificate, given its raw (DER) data.
	63	//
	64	void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest)
	65	{
	66	SHA1 hasher;
	67	hasher(certData, certLength);
	68	hasher.finish(digest);
	69	}
	70
	71
	72	//
	73	// Ditto, given a SecCertificateRef
	74	//
	75	void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest)
	76	{
	77	assert(cert);
	78	CSSM_DATA certData;
	79	MacOSError::check(SecCertificateGetData(cert, &certData));
	80	hashOfCertificate(certData.Data, certData.Length, digest);
	81	}
	82
	83
313fa17b A	84	//
	85	// One-stop hash-certificate-and-compare
	86	//
	87	bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest)
	88	{
	89	SHA1::Digest dig;
	90	hashOfCertificate(cert, dig);
	91	return !memcmp(dig, digest, SHA1::digestLength);
	92	}
	93
	94
b1ab9ed8 A	95	//
	96	// Check to see if a certificate contains a particular field, by OID. This works for extensions,
	97	// even ones not recognized by the local CL. It does not return any value, only presence.
	98	//
	99	bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid)
	100	{
	101	assert(cert);
	102	CSSM_DATA *value;
	103	switch (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &oid, &value)) {
427c49bc	104	case errSecSuccess:
b1ab9ed8 A	105	MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &oid, value));
	106	return true; // extension found by oid
	107	case errSecUnknownTag:
	108	break; // oid not recognized by CL - continue below
	109	default:
	110	MacOSError::throwMe(rc); // error: fail
	111	}
	112
	113	// check the CL's bag of unrecognized extensions
	114	CSSM_DATA **values;
	115	bool found = false;
	116	if (SecCertificateCopyFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, &values))
	117	return false; // no unrecognized extensions - no match
	118	if (values)
	119	for (CSSM_DATA *p = values; p; p++) {
	120	const CSSM_X509_EXTENSION ext = (const CSSM_X509_EXTENSION )(*p)->Data;
	121	if (oid == ext->extnId) {
	122	found = true;
	123	break;
	124	}
	125	}
	126	MacOSError::check(SecCertificateReleaseFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, values));
	127	return found;
	128	}
	129
	130
	131	//
	132	// Retrieve X.509 policy extension OIDs, if any.
	133	// This currently ignores policy qualifiers.
	134	//
	135	bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid)
	136	{
	137	bool matched = false;
	138	assert(cert);
	139	CSSM_DATA *data;
	140	if (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &CSSMOID_CertificatePolicies, &data))
	141	MacOSError::throwMe(rc);
	142	if (data && data->Data && data->Length == sizeof(CSSM_X509_EXTENSION)) {
	143	const CSSM_X509_EXTENSION ext = (const CSSM_X509_EXTENSION )data->Data;
	144	assert(ext->format == CSSM_X509_DATAFORMAT_PARSED);
	145	const CE_CertPolicies policies = (const CE_CertPolicies )ext->value.parsedValue;
	146	if (policies)
	147	for (unsigned int n = 0; n < policies->numPolicies; n++) {
	148	const CE_PolicyInformation &cp = policies->policies[n];
	149	if (cp.certPolicyId == policyOid) {
	150	matched = true;
	151	break;
	152	}
	153	}
	154	}
	155	SecCertificateReleaseFirstFieldValue(cert, &CSSMOID_PolicyConstraints, data);
	156	return matched;
	157	}
	158
	159
	160	//
	161	// Copyfile
	162	//
	163	Copyfile::Copyfile()
	164	{
	165	if (!(mState = copyfile_state_alloc()))
	166	UnixError::throwMe();
	167	}
	168
169	void Copyfile::set(uint32_t flag, const void *value)
170	{
171	check(::copyfile_state_set(mState, flag, value));
172	}
173
174	void Copyfile::get(uint32_t flag, void *value)
175	{
176	check(::copyfile_state_set(mState, flag, value));
177	}
178
179	void Copyfile::operator () (const char src, const char dst, copyfile_flags_t flags)
180	{
181	check(::copyfile(src, dst, mState, flags));
182	}
183
184	void Copyfile::check(int rc)
185	{
186	if (rc < 0)
187	UnixError::throwMe();
188	}
189
190
191	//
192	// MessageTracer support
193	//
194	MessageTrace::MessageTrace(const char domain, const char signature)
195	{
196	mAsl = asl_new(ASL_TYPE_MSG);
197	if (domain)
198	asl_set(mAsl, "com.apple.message.domain", domain);
199	if (signature)
200	asl_set(mAsl, "com.apple.message.signature", signature);
201	}
202
203	void MessageTrace::add(const char key, const char format, ...)
204	{
205	va_list args;
206	va_start(args, format);
207	char value[200];
208	vsnprintf(value, sizeof(value), format, args);
209	va_end(args);
210	asl_set(mAsl, (string("com.apple.message.") + key).c_str(), value);
211	}
212
213	void MessageTrace::send(const char *format, ...)
214	{
215	va_list args;
216	va_start(args, format);
217	asl_vlog(NULL, mAsl, ASL_LEVEL_NOTICE, format, args);
218	va_end(args);
219	}
220
221
222	} // end namespace CodeSigning
223	} // end namespace Security