[apple/security.git] / OSX / libsecurity_cdsa_utilities / lib / acl_codesigning.h

/*
 * Copyright (c) 2000-2004,2006,2011,2014 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// acl_codesigning - ACL subject for signature of calling application
//
// Note:
// Once upon a time, a code signature was a single binary blob, a "signature".
// Then we added an optional second blob, a "comment". The comment was only
// ancilliary (non-security) data first, but then we added more security data
// to it later. Now, the security-relevant data is kept in a (signature, comment)
// pair, all of which is relevant for the security of such subjects.
// Don't read any particular semantics into this separation. It is historical only
// (having to do with backward binary compatibility of ACL blobs).
//
#ifndef _H_ACL_CODESIGNING
#define _H_ACL_CODESIGNING

#include <security_cdsa_utilities/cssmdata.h>
#include <security_cdsa_utilities/cssmacl.h>
#include <security_cdsa_utilities/osxverifier.h>

namespace Security {


//
// The CodeSignature subject type matches a code signature applied to the
// disk image that originated the client process.
//
class CodeSignatureAclSubject : public AclSubject, public OSXVerifier {
public:
	class Maker; friend class Maker;
	
	static const size_t commentBagAlignment = 4;
	
    CodeSignatureAclSubject(const SHA1::Byte *hash, const std::string &path)
		: AclSubject(CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE), OSXVerifier(hash, path) { }

	CodeSignatureAclSubject(const OSXVerifier &verifier)
		: AclSubject(CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE), OSXVerifier(verifier) { }
	
    bool validate(const AclValidationContext &baseCtx) const;
    CssmList toList(Allocator &alloc) const;
    
    void exportBlob(Writer::Counter &pub, Writer::Counter &priv);
    void exportBlob(Writer &pub, Writer &priv);
	
	IFDUMP(void debugDump() const);
    
public:
    class Environment : public virtual AclValidationEnvironment {
    public:
		virtual bool verifyCodeSignature(const OSXVerifier &verifier,
			const AclValidationContext &context) = 0;
    };

public:
    class Maker : public AclSubject::Maker {
    public:
    	Maker()
		: AclSubject::Maker(CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE) { }
    	CodeSignatureAclSubject *make(const TypedList &list) const;
    	CodeSignatureAclSubject *make(Version version, Reader &pub, Reader &priv) const;
	
	private:
		CodeSignatureAclSubject *make(const SHA1::Byte *hash, const CssmData &commentBag) const;
    };
};

} // end namespace Security


#endif //_H_ACL_CODESIGNING
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2000-2004,2006,2011,2014 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	//
	26	// acl_codesigning - ACL subject for signature of calling application
	27	//
	28	// Note:
	29	// Once upon a time, a code signature was a single binary blob, a "signature".
	30	// Then we added an optional second blob, a "comment". The comment was only
	31	// ancilliary (non-security) data first, but then we added more security data
	32	// to it later. Now, the security-relevant data is kept in a (signature, comment)
	33	// pair, all of which is relevant for the security of such subjects.
	34	// Don't read any particular semantics into this separation. It is historical only
	35	// (having to do with backward binary compatibility of ACL blobs).
	36	//
	37	#ifndef _H_ACL_CODESIGNING
	38	#define _H_ACL_CODESIGNING
	39
	40	#include <security_cdsa_utilities/cssmdata.h>
	41	#include <security_cdsa_utilities/cssmacl.h>
	42	#include <security_cdsa_utilities/osxverifier.h>
	43
	44	namespace Security {
	45
	46
	47	//
	48	// The CodeSignature subject type matches a code signature applied to the
	49	// disk image that originated the client process.
	50	//
	51	class CodeSignatureAclSubject : public AclSubject, public OSXVerifier {
	52	public:
	53	class Maker; friend class Maker;
	54
	55	static const size_t commentBagAlignment = 4;
	56
	57	CodeSignatureAclSubject(const SHA1::Byte *hash, const std::string &path)
	58	: AclSubject(CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE), OSXVerifier(hash, path) { }
	59
	60	CodeSignatureAclSubject(const OSXVerifier &verifier)
	61	: AclSubject(CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE), OSXVerifier(verifier) { }
	62
	63	bool validate(const AclValidationContext &baseCtx) const;
	64	CssmList toList(Allocator &alloc) const;
	65
	66	void exportBlob(Writer::Counter &pub, Writer::Counter &priv);
67	void exportBlob(Writer &pub, Writer &priv);
68
69	IFDUMP(void debugDump() const);
70
71	public:
72	class Environment : public virtual AclValidationEnvironment {
73	public:
74	virtual bool verifyCodeSignature(const OSXVerifier &verifier,
75	const AclValidationContext &context) = 0;
76	};
77
78	public:
79	class Maker : public AclSubject::Maker {
80	public:
81	Maker()
82	: AclSubject::Maker(CSSM_ACL_SUBJECT_TYPE_CODE_SIGNATURE) { }
83	CodeSignatureAclSubject *make(const TypedList &list) const;
84	CodeSignatureAclSubject *make(Version version, Reader &pub, Reader &priv) const;
85
86	private:
87	CodeSignatureAclSubject make(const SHA1::Byte hash, const CssmData &commentBag) const;
88	};
89	};
90
91	} // end namespace Security
92
93
94
95	#endif //_H_ACL_CODESIGNING