[apple/security.git] / libsecurity_codesigning / lib / codedirectory.cpp

/*
 * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

//
// codedirectory - format and operations for code signing "code directory" structures
//
#include "codedirectory.h"
#include "csutilities.h"
#include "CSCommonPriv.h"

using namespace UnixPlusPlus;


namespace Security {
namespace CodeSigning {


//
// Highest understood special slot in this CodeDirectory.
//
CodeDirectory::SpecialSlot CodeDirectory::maxSpecialSlot() const
{
	SpecialSlot slot = this->nSpecialSlots;
	if (slot > cdSlotMax)
		slot = cdSlotMax;
	return slot;
}


//
// Canonical filesystem names for select slot numbers.
// These are variously used for filenames, extended attribute names, etc.
// to get some consistency in naming. These are for storing signing-related
// data; they have no bearing on the actual hash slots in the CodeDirectory.
//
const char *CodeDirectory::canonicalSlotName(SpecialSlot slot)
{
	switch (slot) {
	case cdRequirementsSlot:
		return kSecCS_REQUIREMENTSFILE;
	case cdResourceDirSlot:
		return kSecCS_RESOURCEDIRFILE;
	case cdCodeDirectorySlot:
		return kSecCS_CODEDIRECTORYFILE;
	case cdSignatureSlot:
		return kSecCS_SIGNATUREFILE;
	case cdApplicationSlot:
		return kSecCS_APPLICATIONFILE;
	case cdEntitlementSlot:
		return kSecCS_ENTITLEMENTFILE;
	default:
		return NULL;
	}
}


//
// Canonical attributes of SpecialSlots.
//
unsigned CodeDirectory::slotAttributes(SpecialSlot slot)
{
	switch (slot) {
	case cdRequirementsSlot:
		return cdComponentIsBlob; // global
	case cdCodeDirectorySlot:
		return cdComponentPerArchitecture | cdComponentIsBlob;
	case cdSignatureSlot:
		return cdComponentPerArchitecture; // raw
	case cdEntitlementSlot:
		return cdComponentIsBlob; // global
	case cdIdentificationSlot:
		return cdComponentPerArchitecture; // raw
	default:
		return 0; // global, raw
	}
}


//
// Symbolic names for code directory special slots.
// These are only used for debug output. They are not API-official.
// Needs to be coordinated with the cd*Slot enumeration in codedirectory.h.
//
#if !defined(NDEBUG)
const char * const CodeDirectory::debugSlotName[] = {
	"codedirectory",
	"info",
	"requirements",
	"resources",
	"application",
	"entitlement"
};
#endif //NDEBUG


//
// Check a CodeDirectory for basic integrity. This should ensure that the
// version is understood by our code, and that the internal structure
// (offsets etc.) is intact. In particular, it must make sure that no offsets
// point outside the CodeDirectory.
// Throws if the directory is corrupted or out of versioning bounds.
// Returns if the version is usable (perhaps with degraded features due to
// compatibility hacks).
//
// Note: There are some things we don't bother checking because they won't
// cause crashes, and will just be flagged as nonsense later. For example,
// a Bad Guy could overlap the identifier and hash fields, which is nonsense
// but not dangerous.
//
void CodeDirectory::checkIntegrity() const
{
	// check version for support
	if (!this->validateBlob())
		MacOSError::throwMe(errSecCSSignatureInvalid);	// busted
	if (version > compatibilityLimit)
		MacOSError::throwMe(errSecCSSignatureUnsupported);	// too new - no clue
	if (version < earliestVersion)
		MacOSError::throwMe(errSecCSSignatureUnsupported);	// too old - can't support
	if (version > currentVersion)
		secdebug("codedir", "%p version 0x%x newer than current 0x%x",
			this, uint32_t(version), currentVersion);
	
	// now check interior offsets for validity
	if (!stringAt(identOffset))
		MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range
	if (!contains(hashOffset - int64_t(hashSize) * nSpecialSlots, hashSize * (int64_t(nSpecialSlots) + nCodeSlots)))
		MacOSError::throwMe(errSecCSSignatureFailed); // hash array out of blob range
	if (const Scatter *scatter = this->scatterVector()) {
		// the optional scatter vector is terminated with an element having (count == 0)
		unsigned int pagesConsumed = 0;
		for (;; scatter++) {
			if (!contains(scatter, sizeof(Scatter)))
				MacOSError::throwMe(errSecCSSignatureFailed);
			if (scatter->count == 0)
				break;
			pagesConsumed += scatter->count;
		}
		if (!contains((*this)[pagesConsumed-1], hashSize))	// referenced too many main hash slots
			MacOSError::throwMe(errSecCSSignatureFailed);
	}
}


//
// Validate a slot against data in memory.
//
bool CodeDirectory::validateSlot(const void *data, size_t length, Slot slot) const
{
	secdebug("codedir", "%p validating slot %d", this, int(slot));
	MakeHash<CodeDirectory> hasher(this);
	Hashing::Byte digest[hasher->digestLength()];
	generateHash(hasher, data, length, digest);
	return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
}


//
// Validate a slot against the contents of an open file. At most 'length' bytes
// will be read from the file.
//
bool CodeDirectory::validateSlot(FileDesc fd, size_t length, Slot slot) const
{
	MakeHash<CodeDirectory> hasher(this);
	Hashing::Byte digest[hasher->digestLength()];
	generateHash(hasher, fd, digest, length);
	return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
}


//
// Check whether a particular slot is present.
// Absense is indicated by either a zero hash, or by lying outside
// the slot range.
//
bool CodeDirectory::slotIsPresent(Slot slot) const
{
	if (slot >= -Slot(nSpecialSlots) && slot < Slot(nCodeSlots)) {
		const Hashing::Byte *digest = (*this)[slot];
		for (unsigned n = 0; n < hashSize; n++)
			if (digest[n])
				return true;	// non-zero digest => present
	}
	return false;	// absent
}


//
// Given a hash type code, create an appropriate subclass of DynamicHash
// and return it. The caller owns the object and  must delete it when done.
// This function never returns NULL. It throws if the hashType is unsuupported,
// or if there's an error creating the hasher.
//
DynamicHash *CodeDirectory::hashFor(HashAlgorithm hashType)
{
	CCDigestAlg alg;
	switch (hashType) {
	case kSecCodeSignatureHashSHA1:						alg = kCCDigestSHA1; break;
	case kSecCodeSignatureHashSHA256:					alg = kCCDigestSHA256; break;
	default:
		MacOSError::throwMe(errSecCSSignatureUnsupported);
	}
	return new CCHashInstance(alg);
}


//
// Hash the next limit bytes of a file and return the digest.
// If the file is shorter, hash as much as you can.
// Limit==0 means unlimited (to end of file).
// Return how many bytes were actually hashed.
// Throw on any errors.
//
size_t CodeDirectory::generateHash(DynamicHash *hasher, FileDesc fd, Hashing::Byte *digest, size_t limit)
{
	size_t size = hashFileData(fd, hasher, limit);
	hasher->finish(digest);
	return size;
}


//
// Ditto, but hash a memory buffer instead.
//
size_t CodeDirectory::generateHash(DynamicHash *hasher, const void *data, size_t length, Hashing::Byte *digest)
{
	hasher->update(data, length);
	hasher->finish(digest);
	return length;
}


//
// Turn a hash of canonical type into a hex string
//
std::string CodeDirectory::hexHash(const unsigned char *hash) const
{
	size_t size = this->hashSize;
	char result[2*size+1];
	for (unsigned n = 0; n < size; n++)
		sprintf(result+2*n, "%02.2x", hash[n]);
	return result;
}


//
// Generate a screening code string from a (complete) CodeDirectory.
// This can be used to make a lightweight pre-screening code from (just) a CodeDirectory.
//
std::string CodeDirectory::screeningCode() const
{
	if (slotIsPresent(-cdInfoSlot))		// has Info.plist
		return "I" + hexHash((*this)[-cdInfoSlot]); // use Info.plist hash
	if (pageSize == 0)					// good-enough proxy for "not a Mach-O file"
		return "M" + hexHash((*this)[0]); // use hash of main executable
	return "N";							// no suitable screening code
}


}	// CodeSigning
}	// Security


//
// Canonical text form for user-settable code directory flags.
// Note: This table is actually exported from Security.framework.
//
const SecCodeDirectoryFlagTable kSecCodeDirectoryFlagTable[] = {
	{ "host",		kSecCodeSignatureHost,			true },
	{ "adhoc",		kSecCodeSignatureAdhoc,			false },
	{ "hard",		kSecCodeSignatureForceHard,		true },
	{ "kill",		kSecCodeSignatureForceKill,		true },
	{ "expires",		kSecCodeSignatureForceExpiration,	true },
	{ "restrict",		kSecCodeSignatureRestrict,		true },
	{ "enforcement",	kSecCodeSignatureEnforcement,		true },
	{ NULL }
};
Commit	Line	Data
b1ab9ed8 A	1	/*
	2	* Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	//
	25	// codedirectory - format and operations for code signing "code directory" structures
	26	//
	27	#include "codedirectory.h"
	28	#include "csutilities.h"
	29	#include "CSCommonPriv.h"
	30
	31	using namespace UnixPlusPlus;
	32
	33
	34	namespace Security {
	35	namespace CodeSigning {
	36
	37
	38	//
	39	// Highest understood special slot in this CodeDirectory.
	40	//
	41	CodeDirectory::SpecialSlot CodeDirectory::maxSpecialSlot() const
	42	{
	43	SpecialSlot slot = this->nSpecialSlots;
	44	if (slot > cdSlotMax)
	45	slot = cdSlotMax;
	46	return slot;
	47	}
	48
	49
	50	//
	51	// Canonical filesystem names for select slot numbers.
	52	// These are variously used for filenames, extended attribute names, etc.
	53	// to get some consistency in naming. These are for storing signing-related
	54	// data; they have no bearing on the actual hash slots in the CodeDirectory.
	55	//
	56	const char *CodeDirectory::canonicalSlotName(SpecialSlot slot)
	57	{
	58	switch (slot) {
	59	case cdRequirementsSlot:
	60	return kSecCS_REQUIREMENTSFILE;
	61	case cdResourceDirSlot:
	62	return kSecCS_RESOURCEDIRFILE;
	63	case cdCodeDirectorySlot:
	64	return kSecCS_CODEDIRECTORYFILE;
65	case cdSignatureSlot:
66	return kSecCS_SIGNATUREFILE;
67	case cdApplicationSlot:
68	return kSecCS_APPLICATIONFILE;
69	case cdEntitlementSlot:
70	return kSecCS_ENTITLEMENTFILE;
71	default:
72	return NULL;
73	}
74	}
75
76
77	//
78	// Canonical attributes of SpecialSlots.
79	//
80	unsigned CodeDirectory::slotAttributes(SpecialSlot slot)
81	{
82	switch (slot) {
83	case cdRequirementsSlot:
84	return cdComponentIsBlob; // global
85	case cdCodeDirectorySlot:
86	return cdComponentPerArchitecture \| cdComponentIsBlob;
87	case cdSignatureSlot:
88	return cdComponentPerArchitecture; // raw
89	case cdEntitlementSlot:
90	return cdComponentIsBlob; // global
91	case cdIdentificationSlot:
92	return cdComponentPerArchitecture; // raw
93	default:
94	return 0; // global, raw
95	}
96	}
97
98
99	//
100	// Symbolic names for code directory special slots.
101	// These are only used for debug output. They are not API-official.
102	// Needs to be coordinated with the cd*Slot enumeration in codedirectory.h.
103	//
104	#if !defined(NDEBUG)
105	const char * const CodeDirectory::debugSlotName[] = {
106	"codedirectory",
107	"info",
108	"requirements",
109	"resources",
110	"application",
111	"entitlement"
112	};
113	#endif //NDEBUG
114
115
116	//
117	// Check a CodeDirectory for basic integrity. This should ensure that the
118	// version is understood by our code, and that the internal structure
119	// (offsets etc.) is intact. In particular, it must make sure that no offsets
120	// point outside the CodeDirectory.
121	// Throws if the directory is corrupted or out of versioning bounds.
122	// Returns if the version is usable (perhaps with degraded features due to
123	// compatibility hacks).
124	//
125	// Note: There are some things we don't bother checking because they won't
126	// cause crashes, and will just be flagged as nonsense later. For example,
127	// a Bad Guy could overlap the identifier and hash fields, which is nonsense
128	// but not dangerous.
129	//
130	void CodeDirectory::checkIntegrity() const
131	{
132	// check version for support
133	if (!this->validateBlob())
134	MacOSError::throwMe(errSecCSSignatureInvalid); // busted
135	if (version > compatibilityLimit)
136	MacOSError::throwMe(errSecCSSignatureUnsupported); // too new - no clue
137	if (version < earliestVersion)
138	MacOSError::throwMe(errSecCSSignatureUnsupported); // too old - can't support
139	if (version > currentVersion)
140	secdebug("codedir", "%p version 0x%x newer than current 0x%x",
141	this, uint32_t(version), currentVersion);
142
143	// now check interior offsets for validity
144	if (!stringAt(identOffset))
145	MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range
427c49bc	146	if (!contains(hashOffset - int64_t(hashSize) * nSpecialSlots, hashSize * (int64_t(nSpecialSlots) + nCodeSlots)))
b1ab9ed8 A	147	MacOSError::throwMe(errSecCSSignatureFailed); // hash array out of blob range
	148	if (const Scatter *scatter = this->scatterVector()) {
	149	// the optional scatter vector is terminated with an element having (count == 0)
	150	unsigned int pagesConsumed = 0;
427c49bc	151	for (;; scatter++) {
b1ab9ed8 A	152	if (!contains(scatter, sizeof(Scatter)))
b1ab9ed8 A	153	MacOSError::throwMe(errSecCSSignatureFailed);
427c49bc A	154	if (scatter->count == 0)
427c49bc A	155	break;
b1ab9ed8	156	pagesConsumed += scatter->count;
b1ab9ed8	157	}
b1ab9ed8 A	158	if (!contains((*this)[pagesConsumed-1], hashSize)) // referenced too many main hash slots
	159	MacOSError::throwMe(errSecCSSignatureFailed);
	160	}
	161	}
	162
	163
	164	//
	165	// Validate a slot against data in memory.
	166	//
	167	bool CodeDirectory::validateSlot(const void *data, size_t length, Slot slot) const
	168	{
	169	secdebug("codedir", "%p validating slot %d", this, int(slot));
	170	MakeHash<CodeDirectory> hasher(this);
	171	Hashing::Byte digest[hasher->digestLength()];
	172	generateHash(hasher, data, length, digest);
	173	return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
	174	}
	175
	176
	177	//
	178	// Validate a slot against the contents of an open file. At most 'length' bytes
	179	// will be read from the file.
	180	//
	181	bool CodeDirectory::validateSlot(FileDesc fd, size_t length, Slot slot) const
	182	{
	183	MakeHash<CodeDirectory> hasher(this);
	184	Hashing::Byte digest[hasher->digestLength()];
	185	generateHash(hasher, fd, digest, length);
	186	return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
	187	}
	188
	189
	190	//
	191	// Check whether a particular slot is present.
	192	// Absense is indicated by either a zero hash, or by lying outside
	193	// the slot range.
	194	//
	195	bool CodeDirectory::slotIsPresent(Slot slot) const
	196	{
	197	if (slot >= -Slot(nSpecialSlots) && slot < Slot(nCodeSlots)) {
	198	const Hashing::Byte digest = (this)[slot];
	199	for (unsigned n = 0; n < hashSize; n++)
	200	if (digest[n])
	201	return true; // non-zero digest => present
	202	}
	203	return false; // absent
	204	}
	205
	206
	207	//
	208	// Given a hash type code, create an appropriate subclass of DynamicHash
	209	// and return it. The caller owns the object and must delete it when done.
	210	// This function never returns NULL. It throws if the hashType is unsuupported,
	211	// or if there's an error creating the hasher.
	212	//
	213	DynamicHash *CodeDirectory::hashFor(HashAlgorithm hashType)
	214	{
	215	CCDigestAlg alg;
	216	switch (hashType) {
	217	case kSecCodeSignatureHashSHA1: alg = kCCDigestSHA1; break;
	218	case kSecCodeSignatureHashSHA256: alg = kCCDigestSHA256; break;
b1ab9ed8 A	219	default:
	220	MacOSError::throwMe(errSecCSSignatureUnsupported);
	221	}
	222	return new CCHashInstance(alg);
	223	}
	224
	225
	226	//
	227	// Hash the next limit bytes of a file and return the digest.
	228	// If the file is shorter, hash as much as you can.
	229	// Limit==0 means unlimited (to end of file).
	230	// Return how many bytes were actually hashed.
	231	// Throw on any errors.
	232	//
	233	size_t CodeDirectory::generateHash(DynamicHash hasher, FileDesc fd, Hashing::Byte digest, size_t limit)
	234	{
	235	size_t size = hashFileData(fd, hasher, limit);
	236	hasher->finish(digest);
	237	return size;
	238	}
	239
	240
	241	//
	242	// Ditto, but hash a memory buffer instead.
	243	//
	244	size_t CodeDirectory::generateHash(DynamicHash hasher, const void data, size_t length, Hashing::Byte *digest)
	245	{
	246	hasher->update(data, length);
	247	hasher->finish(digest);
	248	return length;
	249	}
	250
	251
313fa17b A	252	//
	253	// Turn a hash of canonical type into a hex string
	254	//
	255	std::string CodeDirectory::hexHash(const unsigned char *hash) const
	256	{
	257	size_t size = this->hashSize;
	258	char result[2*size+1];
	259	for (unsigned n = 0; n < size; n++)
	260	sprintf(result+2*n, "%02.2x", hash[n]);
	261	return result;
	262	}
	263
	264
	265	//
	266	// Generate a screening code string from a (complete) CodeDirectory.
	267	// This can be used to make a lightweight pre-screening code from (just) a CodeDirectory.
	268	//
	269	std::string CodeDirectory::screeningCode() const
	270	{
	271	if (slotIsPresent(-cdInfoSlot)) // has Info.plist
	272	return "I" + hexHash((*this)[-cdInfoSlot]); // use Info.plist hash
	273	if (pageSize == 0) // good-enough proxy for "not a Mach-O file"
	274	return "M" + hexHash((*this)[0]); // use hash of main executable
	275	return "N"; // no suitable screening code
	276	}
	277
	278
b1ab9ed8 A	279	} // CodeSigning
	280	} // Security
	281
	282
	283	//
	284	// Canonical text form for user-settable code directory flags.
	285	// Note: This table is actually exported from Security.framework.
	286	//
	287	const SecCodeDirectoryFlagTable kSecCodeDirectoryFlagTable[] = {
	288	{ "host", kSecCodeSignatureHost, true },
	289	{ "adhoc", kSecCodeSignatureAdhoc, false },
	290	{ "hard", kSecCodeSignatureForceHard, true },
	291	{ "kill", kSecCodeSignatureForceKill, true },
427c49bc A	292	{ "expires", kSecCodeSignatureForceExpiration, true },
	293	{ "restrict", kSecCodeSignatureRestrict, true },
	294	{ "enforcement", kSecCodeSignatureEnforcement, true },
b1ab9ed8 A	295	{ NULL }
b1ab9ed8 A	296	};