projects / apple / security.git / blame
| Commit | Line | Data |
|---|---|---|
| b1ab9ed8 | 1 | /* |
| d8f41ccd | 2 | * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. |
| b1ab9ed8 A |
3 | * |
| 4 | * @APPLE_LICENSE_HEADER_START@ | |
| 5 | * | |
| 6 | * This file contains Original Code and/or Modifications of Original Code | |
| 7 | * as defined in and that are subject to the Apple Public Source License | |
| 8 | * Version 2.0 (the 'License'). You may not use this file except in | |
| 9 | * compliance with the License. Please obtain a copy of the License at | |
| 10 | * http://www.opensource.apple.com/apsl/ and read it before using this | |
| 11 | * file. | |
| 12 | * | |
| 13 | * The Original Code and all software distributed under the License are | |
| 14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
| 15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
| 16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
| 17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
| 18 | * Please see the License for the specific language governing rights and | |
| 19 | * limitations under the License. | |
| 20 | * | |
| 21 | * @APPLE_LICENSE_HEADER_END@ | |
| 22 | */ | |
| 23 | ||
| 24 | // | |
| 25 | // signer - Signing operation supervisor and controller | |
| 26 | // | |
| 27 | #include "signer.h" | |
| 28 | #include "resources.h" | |
| 29 | #include "signerutils.h" | |
| 30 | #include "SecCodeSigner.h" | |
| 31 | #include <Security/SecIdentity.h> | |
| 32 | #include <Security/CMSEncoder.h> | |
| 33 | #include <Security/CMSPrivate.h> | |
| 34 | #include <Security/CSCommonPriv.h> | |
| 35 | #include <CoreFoundation/CFBundlePriv.h> | |
| 427c49bc | 36 | #include "resources.h" |
| b1ab9ed8 | 37 | #include "machorep.h" |
| 427c49bc A |
38 | #include "reqparser.h" |
| 39 | #include "reqdumper.h" | |
| b1ab9ed8 A |
40 | #include "csutilities.h" |
| 41 | #include <security_utilities/unix++.h> | |
| 42 | #include <security_utilities/unixchild.h> | |
| 43 | #include <security_utilities/cfmunge.h> | |
| d87e1158 A |
44 | #include <security_utilities/dispatch.h> |
| 45 | #include <IOKit/storage/IOStorageDeviceCharacteristics.h> | |
| b1ab9ed8 A |
46 | |
| 47 | namespace Security { | |
| 48 | namespace CodeSigning { | |
| 49 | ||
| 50 | ||
| 51 | // | |
| 52 | // Sign some code. | |
| 53 | // | |
| 54 | void SecCodeSigner::Signer::sign(SecCSFlags flags) | |
| 55 | { | |
| 56 | rep = code->diskRep()->base(); | |
| 57 | this->prepare(flags); | |
| 420ff9d9 | 58 | |
| b1ab9ed8 | 59 | PreSigningContext context(*this); |
| 420ff9d9 | 60 | |
| e3d460c9 A |
61 | considerTeamID(context); |
| 62 | ||
| 63 | if (Universal *fat = state.mNoMachO ? NULL : rep->mainExecutableImage()) { | |
| 64 | signMachO(fat, context); | |
| 65 | } else { | |
| 66 | signArchitectureAgnostic(context); | |
| 67 | } | |
| 68 | } | |
| 69 | ||
| 70 | ||
| 71 | void SecCodeSigner::Signer::considerTeamID(const PreSigningContext& context) | |
| 72 | { | |
| 420ff9d9 A |
73 | /* If an explicit teamID was passed in it must be |
| 74 | the same as what came from the cert */ | |
| 75 | std::string teamIDFromCert = state.getTeamIDFromSigner(context.certs); | |
| e3d460c9 | 76 | |
| 420ff9d9 A |
77 | if (state.mPreserveMetadata & kSecCodeSignerPreserveTeamIdentifier) { |
| 78 | /* If preserving the team identifier, teamID is set previously when the | |
| 79 | code object is still available */ | |
| 80 | if (!teamIDFromCert.empty() && teamID != teamIDFromCert) | |
| 81 | MacOSError::throwMe(errSecCSInvalidFlags); | |
| 82 | } else { | |
| 83 | if (teamIDFromCert.empty()) { | |
| 84 | /* state.mTeamID is an explicitly passed teamID */ | |
| 85 | teamID = state.mTeamID; | |
| 86 | } else if (state.mTeamID.empty() || (state.mTeamID == teamIDFromCert)) { | |
| 87 | /* If there was no explicit team ID set, or the explicit team ID matches | |
| 88 | what is in the cert, use the team ID from the certificate */ | |
| 89 | teamID = teamIDFromCert; | |
| 90 | } else { | |
| 91 | /* The caller passed in an explicit team ID that does not match what is | |
| 92 | in the signing cert, which is an invalid usage */ | |
| 93 | MacOSError::throwMe(errSecCSInvalidFlags); | |
| 94 | } | |
| 95 | } | |
| b1ab9ed8 | 96 | } |
| e3d460c9 | 97 | |
| b1ab9ed8 A |
98 | |
| 99 | // | |
| 100 | // Remove any existing code signature from code | |
| 101 | // | |
| 102 | void SecCodeSigner::Signer::remove(SecCSFlags flags) | |
| 103 | { | |
| 104 | // can't remove a detached signature | |
| 105 | if (state.mDetached) | |
| 106 | MacOSError::throwMe(errSecCSNotSupported); | |
| 107 | ||
| 108 | rep = code->diskRep(); | |
| 109 | if (Universal *fat = state.mNoMachO ? NULL : rep->mainExecutableImage()) { | |
| 110 | // architecture-sensitive removal | |
| e3d460c9 | 111 | MachOEditor editor(rep->writer(), *fat, digestAlgorithms(), rep->mainExecutablePath()); |
| b1ab9ed8 A |
112 | editor.allocate(); // create copy |
| 113 | editor.commit(); // commit change | |
| 114 | } else { | |
| 115 | // architecture-agnostic removal | |
| 116 | RefPointer<DiskRep::Writer> writer = rep->writer(); | |
| 117 | writer->remove(); | |
| 118 | writer->flush(); | |
| 119 | } | |
| 120 | } | |
| 121 | ||
| 122 | ||
| 123 | // | |
| 124 | // Contemplate the object-to-be-signed and set up the Signer state accordingly. | |
| 125 | // | |
| 126 | void SecCodeSigner::Signer::prepare(SecCSFlags flags) | |
| 127 | { | |
| 80e23899 A |
128 | // make sure the rep passes strict validation |
| 129 | if (strict) | |
| fa7225c8 | 130 | rep->strictValidate(NULL, MacOSErrorSet(), flags | (kSecCSQuickCheck|kSecCSRestrictSidebandData)); |
| d8f41ccd A |
131 | |
| 132 | // initialize progress/cancellation state | |
| 133 | code->prepareProgress(0); // totally fake workload - we don't know how many files we'll encounter | |
| 80e23899 | 134 | |
| b1ab9ed8 A |
135 | // get the Info.plist out of the rep for some creative defaulting |
| 136 | CFRef<CFDictionaryRef> infoDict; | |
| 137 | if (CFRef<CFDataRef> infoData = rep->component(cdInfoSlot)) | |
| 138 | infoDict.take(makeCFDictionaryFrom(infoData)); | |
| 427c49bc A |
139 | |
| 140 | uint32_t inherit = code->isSigned() ? state.mPreserveMetadata : 0; | |
| b1ab9ed8 A |
141 | |
| 142 | // work out the canonical identifier | |
| 143 | identifier = state.mIdentifier; | |
| 427c49bc A |
144 | if (identifier.empty() && (inherit & kSecCodeSignerPreserveIdentifier)) |
| 145 | identifier = code->identifier(); | |
| b1ab9ed8 | 146 | if (identifier.empty()) { |
| e3d460c9 | 147 | identifier = rep->recommendedIdentifier(*this); |
| b1ab9ed8 A |
148 | if (identifier.find('.') == string::npos) |
| 149 | identifier = state.mIdentifierPrefix + identifier; | |
| e3d460c9 | 150 | if (identifier.find('.') == string::npos && isAdhoc()) |
| b1ab9ed8 | 151 | identifier = identifier + "-" + uniqueName(); |
| fa7225c8 | 152 | secinfo("signer", "using default identifier=%s", identifier.c_str()); |
| b1ab9ed8 | 153 | } else |
| fa7225c8 | 154 | secinfo("signer", "using explicit identifier=%s", identifier.c_str()); |
| 427c49bc | 155 | |
| 420ff9d9 A |
156 | teamID = state.mTeamID; |
| 157 | if (teamID.empty() && (inherit & kSecCodeSignerPreserveTeamIdentifier)) { | |
| 158 | const char *c_id = code->teamID(); | |
| 159 | if (c_id) | |
| 160 | teamID = c_id; | |
| 161 | } | |
| 5c19dc3a | 162 | |
| e3d460c9 A |
163 | // Digest algorithms: explicit or preserved. Subject to diskRep defaults or final default later. |
| 164 | hashAlgorithms = state.mDigestAlgorithms; | |
| 165 | if (hashAlgorithms.empty() && (inherit & kSecCodeSignerPreserveDigestAlgorithm)) | |
| 166 | hashAlgorithms = code->hashAlgorithms(); | |
| 167 | ||
| 427c49bc A |
168 | entitlements = state.mEntitlementData; |
| 169 | if (!entitlements && (inherit & kSecCodeSignerPreserveEntitlements)) | |
| 170 | entitlements = code->component(cdEntitlementSlot); | |
| b1ab9ed8 A |
171 | |
| 172 | // work out the CodeDirectory flags word | |
| 427c49bc A |
173 | bool haveCdFlags = false; |
| 174 | if (!haveCdFlags && state.mCdFlagsGiven) { | |
| b1ab9ed8 | 175 | cdFlags = state.mCdFlags; |
| fa7225c8 | 176 | secinfo("signer", "using explicit cdFlags=0x%x", cdFlags); |
| 427c49bc A |
177 | haveCdFlags = true; |
| 178 | } | |
| 179 | if (!haveCdFlags) { | |
| b1ab9ed8 A |
180 | cdFlags = 0; |
| 181 | if (infoDict) | |
| 182 | if (CFTypeRef csflags = CFDictionaryGetValue(infoDict, CFSTR("CSFlags"))) { | |
| 183 | if (CFGetTypeID(csflags) == CFNumberGetTypeID()) { | |
| 184 | cdFlags = cfNumber<uint32_t>(CFNumberRef(csflags)); | |
| fa7225c8 | 185 | secinfo("signer", "using numeric cdFlags=0x%x from Info.plist", cdFlags); |
| b1ab9ed8 A |
186 | } else if (CFGetTypeID(csflags) == CFStringGetTypeID()) { |
| 187 | cdFlags = cdTextFlags(cfString(CFStringRef(csflags))); | |
| fa7225c8 | 188 | secinfo("signer", "using text cdFlags=0x%x from Info.plist", cdFlags); |
| b1ab9ed8 A |
189 | } else |
| 190 | MacOSError::throwMe(errSecCSBadDictionaryFormat); | |
| 427c49bc | 191 | haveCdFlags = true; |
| b1ab9ed8 A |
192 | } |
| 193 | } | |
| 427c49bc A |
194 | if (!haveCdFlags && (inherit & kSecCodeSignerPreserveFlags)) { |
| 195 | cdFlags = code->codeDirectory(false)->flags & ~kSecCodeSignatureAdhoc; | |
| fa7225c8 | 196 | secinfo("signer", "using inherited cdFlags=0x%x", cdFlags); |
| 427c49bc A |
197 | haveCdFlags = true; |
| 198 | } | |
| 199 | if (!haveCdFlags) | |
| 200 | cdFlags = 0; | |
| b1ab9ed8 A |
201 | if (state.mSigner == SecIdentityRef(kCFNull)) // ad-hoc signing requested... |
| 202 | cdFlags |= kSecCodeSignatureAdhoc; // ... so note that | |
| 427c49bc A |
203 | |
| 204 | // prepare the internal requirements input | |
| 205 | if (state.mRequirements) { | |
| 206 | if (CFGetTypeID(state.mRequirements) == CFDataGetTypeID()) { // binary form | |
| 207 | const Requirements *rp = (const Requirements *)CFDataGetBytePtr(state.mRequirements.as<CFDataRef>()); | |
| 208 | if (!rp->validateBlob()) | |
| 209 | MacOSError::throwMe(errSecCSReqInvalid); | |
| 210 | requirements = rp->clone(); | |
| 211 | } else if (CFGetTypeID(state.mRequirements) == CFStringGetTypeID()) { // text form | |
| 212 | CFRef<CFMutableStringRef> reqText = CFStringCreateMutableCopy(NULL, 0, state.mRequirements.as<CFStringRef>()); | |
| 213 | // substitute $ variable tokens | |
| 214 | CFRange range = { 0, CFStringGetLength(reqText) }; | |
| 215 | CFStringFindAndReplace(reqText, CFSTR("$self.identifier"), CFTempString(identifier), range, 0); | |
| 216 | requirements = parseRequirements(cfString(reqText)); | |
| 217 | } else | |
| 218 | MacOSError::throwMe(errSecCSInvalidObjectRef); | |
| 219 | } else if (inherit & kSecCodeSignerPreserveRequirements) | |
| 220 | if (const Requirements *rp = code->internalRequirements()) | |
| 221 | requirements = rp->clone(); | |
| b1ab9ed8 A |
222 | |
| 223 | // prepare the resource directory, if any | |
| 224 | string rpath = rep->resourcesRootPath(); | |
| e3d460c9 A |
225 | string rrpath; |
| 226 | CFCopyRef<CFDictionaryRef> resourceRules; | |
| b1ab9ed8 A |
227 | if (!rpath.empty()) { |
| 228 | // explicitly given resource rules always win | |
| e3d460c9 | 229 | resourceRules = state.mResourceRules; |
| b1ab9ed8 | 230 | |
| 427c49bc A |
231 | // inherited rules come next (overriding embedded ones!) |
| 232 | if (!resourceRules && (inherit & kSecCodeSignerPreserveResourceRules)) | |
| 233 | if (CFDictionaryRef oldRules = code->resourceDictionary(false)) | |
| 234 | resourceRules = oldRules; | |
| 235 | ||
| b1ab9ed8 A |
236 | // embedded resource rules come next |
| 237 | if (!resourceRules && infoDict) | |
| 238 | if (CFTypeRef spec = CFDictionaryGetValue(infoDict, _kCFBundleResourceSpecificationKey)) { | |
| 239 | if (CFGetTypeID(spec) == CFStringGetTypeID()) | |
| 240 | if (CFRef<CFDataRef> data = cfLoadFile(rpath + "/" + cfString(CFStringRef(spec)))) | |
| 241 | if (CFDictionaryRef dict = makeCFDictionaryFrom(data)) | |
| 242 | resourceRules.take(dict); | |
| 243 | if (!resourceRules) // embedded rules present but unacceptable | |
| 244 | MacOSError::throwMe(errSecCSResourceRulesInvalid); | |
| 245 | } | |
| 427c49bc A |
246 | |
| 247 | // if we got one from anywhere (but the defaults), sanity-check it | |
| 248 | if (resourceRules) { | |
| 249 | CFTypeRef rules = CFDictionaryGetValue(resourceRules, CFSTR("rules")); | |
| 250 | if (!rules || CFGetTypeID(rules) != CFDictionaryGetTypeID()) | |
| 251 | MacOSError::throwMe(errSecCSResourceRulesInvalid); | |
| 252 | } | |
| b1ab9ed8 A |
253 | |
| 254 | // finally, ask the DiskRep for its default | |
| 255 | if (!resourceRules) | |
| e3d460c9 | 256 | resourceRules.take(rep->defaultResourceRules(*this)); |
| 80e23899 A |
257 | |
| 258 | // resource root can optionally be the canonical bundle path, | |
| 259 | // but sealed resource paths are always relative to rpath | |
| e3d460c9 A |
260 | rrpath = rpath; |
| 261 | if (signingFlags() & kSecCSSignBundleRoot) | |
| 262 | rrpath = cfStringRelease(rep->copyCanonicalPath()); | |
| b1ab9ed8 A |
263 | } |
| 264 | ||
| 265 | // screen and set the signing time | |
| b1ab9ed8 | 266 | if (state.mSigningTime == CFDateRef(kCFNull)) { |
| fa7225c8 | 267 | emitSigningTime = false; // no time at all |
| b1ab9ed8 | 268 | } else if (!state.mSigningTime) { |
| fa7225c8 A |
269 | emitSigningTime = true; |
| 270 | signingTime = 0; // wall clock, established later | |
| b1ab9ed8 A |
271 | } else { |
| 272 | CFAbsoluteTime time = CFDateGetAbsoluteTime(state.mSigningTime); | |
| fa7225c8 | 273 | if (time > CFAbsoluteTimeGetCurrent()) // not allowed to post-date a signature |
| b1ab9ed8 | 274 | MacOSError::throwMe(errSecCSBadDictionaryFormat); |
| fa7225c8 | 275 | emitSigningTime = true; |
| b1ab9ed8 A |
276 | signingTime = time; |
| 277 | } | |
| 278 | ||
| e3d460c9 A |
279 | pagesize = state.mPageSize ? cfNumber<size_t>(state.mPageSize) : rep->pageSize(*this); |
| 280 | ||
| 281 | // Allow the DiskRep to modify the signing parameters. This sees explicit and inherited values but not defaults. | |
| 282 | rep->prepareForSigning(*this); | |
| 283 | ||
| 284 | // apply some defaults after diskRep intervention | |
| 285 | if (hashAlgorithms.empty()) { // default to SHA256 + SHA-1 | |
| 286 | hashAlgorithms.insert(kSecCodeSignatureHashSHA1); | |
| 287 | hashAlgorithms.insert(kSecCodeSignatureHashSHA256); | |
| 288 | } | |
| 289 | ||
| 290 | // build the resource directory (once and for all, using the digests determined above) | |
| 291 | if (!rpath.empty()) { | |
| 292 | buildResources(rrpath, rpath, resourceRules); | |
| 293 | } | |
| b1ab9ed8 A |
294 | } |
| 295 | ||
| 296 | ||
| 427c49bc A |
297 | // |
| 298 | // Collect the resource seal for a program. | |
| 299 | // This includes both sealed resources and information about nested code. | |
| 300 | // | |
| 80e23899 | 301 | void SecCodeSigner::Signer::buildResources(std::string root, std::string relBase, CFDictionaryRef rulesDict) |
| 427c49bc A |
302 | { |
| 303 | typedef ResourceBuilder::Rule Rule; | |
| 304 | ||
| fa7225c8 | 305 | secinfo("codesign", "start building resource directory"); |
| 427c49bc A |
306 | __block CFRef<CFMutableDictionaryRef> result = makeCFMutableDictionary(); |
| 307 | ||
| 308 | CFDictionaryRef rules = cfget<CFDictionaryRef>(rulesDict, "rules"); | |
| 309 | assert(rules); | |
| 310 | ||
| d87e1158 A |
311 | if (this->state.mLimitedAsync == NULL) { |
| 312 | this->state.mLimitedAsync = | |
| 60c433a9 A |
313 | /* rdar://problem/20299541: Async workers (i.e. parallelization) are currently |
| 314 | * turned off, because the paths for signing code are not ready for it yet. */ | |
| 315 | // new LimitedAsync(rep->fd().mediumType() == kIOPropertyMediumTypeSolidStateKey); | |
| 316 | new LimitedAsync(false); | |
| d87e1158 A |
317 | } |
| 318 | ||
| 427c49bc | 319 | CFDictionaryRef files2 = NULL; |
| e3d460c9 | 320 | if (!(signingFlags() & kSecCSSignV1)) { |
| 427c49bc A |
321 | CFCopyRef<CFDictionaryRef> rules2 = cfget<CFDictionaryRef>(rulesDict, "rules2"); |
| 322 | if (!rules2) { | |
| 323 | // Clone V1 rules and add default nesting rules at weight 0 (overridden by anything in rules). | |
| 324 | // V1 rules typically do not cover these places so we'll prevail, but if they do, we defer to them. | |
| 325 | rules2 = cfmake<CFDictionaryRef>("{+%O" | |
| d8f41ccd | 326 | "'^(Frameworks|SharedFrameworks|PlugIns|Plug-ins|XPCServices|Helpers|MacOS|Library/(Automator|Spotlight|LoginItems))/' = {nested=#T, weight=0}" // exclude dynamic repositories |
| 427c49bc A |
327 | "}", rules); |
| 328 | } | |
| d87e1158 A |
329 | |
| 330 | Dispatch::Group group; | |
| 331 | Dispatch::Group &groupRef = group; // (into block) | |
| 332 | ||
| 427c49bc A |
333 | // build the modern (V2) resource seal |
| 334 | __block CFRef<CFMutableDictionaryRef> files = makeCFMutableDictionary(); | |
| d87e1158 | 335 | CFMutableDictionaryRef filesRef = files.get(); // (into block) |
| e3d460c9 | 336 | ResourceBuilder resourceBuilder(root, relBase, rules2, strict, MacOSErrorSet()); |
| 427c49bc A |
337 | ResourceBuilder &resources = resourceBuilder; // (into block) |
| 338 | rep->adjustResources(resources); | |
| d87e1158 A |
339 | |
| 340 | resources.scan(^(FTSENT *ent, uint32_t ruleFlags, const std::string relpath, Rule *rule) { | |
| 341 | bool isSymlink = (ent->fts_info == FTS_SL); | |
| 342 | const std::string path(ent->fts_path); | |
| 343 | const std::string accpath(ent->fts_accpath); | |
| 344 | this->state.mLimitedAsync->perform(groupRef, ^{ | |
| 345 | CFRef<CFMutableDictionaryRef> seal; | |
| 346 | if (ruleFlags & ResourceBuilder::nested) { | |
| 347 | seal.take(signNested(path, relpath)); | |
| 348 | } else if (isSymlink) { | |
| 349 | char target[PATH_MAX]; | |
| 350 | ssize_t len = ::readlink(accpath.c_str(), target, sizeof(target)-1); | |
| 351 | if (len < 0) | |
| 352 | UnixError::check(-1); | |
| 353 | target[len] = '\0'; | |
| 354 | seal.take(cfmake<CFMutableDictionaryRef>("{symlink=%s}", target)); | |
| 355 | } else { | |
| fa7225c8 | 356 | seal.take(resources.hashFile(accpath.c_str(), digestAlgorithms(), signingFlags() & kSecCSSignStrictPreflight)); |
| d87e1158 A |
357 | } |
| 358 | if (ruleFlags & ResourceBuilder::optional) | |
| 359 | CFDictionaryAddValue(seal, CFSTR("optional"), kCFBooleanTrue); | |
| 360 | CFTypeRef hash; | |
| 361 | StLock<Mutex> _(resourceLock); | |
| 362 | if ((hash = CFDictionaryGetValue(seal, CFSTR("hash"))) && CFDictionaryGetCount(seal) == 1) // simple form | |
| 363 | CFDictionaryAddValue(filesRef, CFTempString(relpath).get(), hash); | |
| 364 | else | |
| 365 | CFDictionaryAddValue(filesRef, CFTempString(relpath).get(), seal.get()); | |
| 366 | code->reportProgress(); | |
| 367 | }); | |
| 427c49bc | 368 | }); |
| d87e1158 | 369 | group.wait(); |
| 427c49bc A |
370 | CFDictionaryAddValue(result, CFSTR("rules2"), resourceBuilder.rules()); |
| 371 | files2 = files; | |
| 372 | CFDictionaryAddValue(result, CFSTR("files2"), files2); | |
| 373 | } | |
| 374 | ||
| 375 | CFDictionaryAddValue(result, CFSTR("rules"), rules); // preserve V1 rules in any case | |
| e3d460c9 | 376 | if (!(signingFlags() & kSecCSSignNoV1)) { |
| 427c49bc A |
377 | // build the legacy (V1) resource seal |
| 378 | __block CFRef<CFMutableDictionaryRef> files = makeCFMutableDictionary(); | |
| e3d460c9 | 379 | ResourceBuilder resourceBuilder(root, relBase, rules, strict, MacOSErrorSet()); |
| 427c49bc A |
380 | ResourceBuilder &resources = resourceBuilder; |
| 381 | rep->adjustResources(resources); // DiskRep-specific adjustments | |
| d87e1158 | 382 | resources.scan(^(FTSENT *ent, uint32_t ruleFlags, std::string relpath, Rule *rule) { |
| 427c49bc A |
383 | if (ent->fts_info == FTS_F) { |
| 384 | CFRef<CFDataRef> hash; | |
| 385 | if (files2) // try to get the hash from a previously-made version | |
| 386 | if (CFTypeRef seal = CFDictionaryGetValue(files2, CFTempString(relpath))) { | |
| 387 | if (CFGetTypeID(seal) == CFDataGetTypeID()) | |
| 388 | hash = CFDataRef(seal); | |
| 389 | else | |
| 390 | hash = CFDataRef(CFDictionaryGetValue(CFDictionaryRef(seal), CFSTR("hash"))); | |
| 391 | } | |
| 392 | if (!hash) | |
| e3d460c9 | 393 | hash.take(resources.hashFile(ent->fts_accpath, kSecCodeSignatureHashSHA1)); |
| 427c49bc | 394 | if (ruleFlags == 0) { // default case - plain hash |
| d87e1158 | 395 | cfadd(files, "{%s=%O}", relpath.c_str(), hash.get()); |
| fa7225c8 | 396 | secinfo("csresource", "%s added simple (rule %p)", relpath.c_str(), rule); |
| 427c49bc A |
397 | } else { // more complicated - use a sub-dictionary |
| 398 | cfadd(files, "{%s={hash=%O,optional=%B}}", | |
| d87e1158 | 399 | relpath.c_str(), hash.get(), ruleFlags & ResourceBuilder::optional); |
| fa7225c8 | 400 | secinfo("csresource", "%s added complex (rule %p)", relpath.c_str(), rule); |
| 427c49bc A |
401 | } |
| 402 | } | |
| 403 | }); | |
| 404 | CFDictionaryAddValue(result, CFSTR("files"), files.get()); | |
| 405 | } | |
| 406 | ||
| 407 | resourceDirectory = result.get(); | |
| 408 | resourceDictData.take(makeCFData(resourceDirectory.get())); | |
| 409 | } | |
| 410 | ||
| 411 | ||
| 412 | // | |
| 413 | // Deal with one piece of nested code | |
| 414 | // | |
| d87e1158 | 415 | CFMutableDictionaryRef SecCodeSigner::Signer::signNested(const std::string &path, const std::string &relpath) |
| 427c49bc A |
416 | { |
| 417 | // sign nested code and collect nesting information | |
| 418 | try { | |
| d87e1158 | 419 | SecPointer<SecStaticCode> code = new SecStaticCode(DiskRep::bestGuess(path)); |
| e3d460c9 A |
420 | if (signingFlags() & kSecCSSignNestedCode) |
| 421 | this->state.sign(code, signingFlags()); | |
| 427c49bc | 422 | std::string dr = Dumper::dump(code->designatedRequirement()); |
| fa7225c8 A |
423 | if (CFDataRef hash = code->cdHash()) |
| 424 | return cfmake<CFMutableDictionaryRef>("{requirement=%s,cdhash=%O}", | |
| 425 | Dumper::dump(code->designatedRequirement()).c_str(), | |
| 426 | hash); | |
| 427 | MacOSError::throwMe(errSecCSUnsigned); | |
| 427c49bc A |
428 | } catch (const CommonError &err) { |
| 429 | CSError::throwMe(err.osStatus(), kSecCFErrorPath, CFTempURL(relpath, false, this->code->resourceBase())); | |
| 430 | } | |
| 431 | } | |
| 432 | ||
| 433 | ||
| b1ab9ed8 A |
434 | // |
| 435 | // Sign a Mach-O binary, using liberal dollops of that special Mach-O magic sauce. | |
| 436 | // Note that this will deal just fine with non-fat Mach-O binaries, but it will | |
| 437 | // treat them as architectural binaries containing (only) one architecture - that | |
| 438 | // interpretation is courtesy of the Universal/MachO support classes. | |
| 439 | // | |
| 440 | void SecCodeSigner::Signer::signMachO(Universal *fat, const Requirement::Context &context) | |
| 441 | { | |
| 442 | // Mach-O executable at the core - perform multi-architecture signing | |
| fa7225c8 | 443 | RefPointer<DiskRep::Writer> writer = rep->writer(); |
| b1ab9ed8 A |
444 | auto_ptr<ArchEditor> editor(state.mDetached |
| 445 | ? static_cast<ArchEditor *>(new BlobEditor(*fat, *this)) | |
| fa7225c8 | 446 | : new MachOEditor(writer, *fat, this->digestAlgorithms(), rep->mainExecutablePath())); |
| b1ab9ed8 A |
447 | assert(editor->count() > 0); |
| 448 | if (!editor->attribute(writerNoGlobal)) // can store architecture-common components | |
| 449 | populate(*editor); | |
| 450 | ||
| 451 | // pass 1: prepare signature blobs and calculate sizes | |
| 452 | for (MachOEditor::Iterator it = editor->begin(); it != editor->end(); ++it) { | |
| 453 | MachOEditor::Arch &arch = *it->second; | |
| 454 | arch.source.reset(fat->architecture(it->first)); | |
| d8f41ccd A |
455 | |
| 456 | // library validation is not compatible with i386 | |
| 457 | if (arch.architecture.cpuType() == CPU_TYPE_I386) { | |
| 458 | if (cdFlags & kSecCodeSignatureLibraryValidation) { | |
| 459 | MacOSError::throwMe(errSecCSBadLVArch); | |
| 460 | } | |
| 461 | } | |
| 462 | ||
| e3d460c9 | 463 | arch.ireqs(requirements, rep->defaultRequirements(&arch.architecture, *this), context); |
| b1ab9ed8 A |
464 | if (editor->attribute(writerNoGlobal)) // can't store globally, add per-arch |
| 465 | populate(arch); | |
| e3d460c9 A |
466 | for (auto type = digestAlgorithms().begin(); type != digestAlgorithms().end(); ++type) { |
| 467 | arch.eachDigest(^(CodeDirectory::Builder& builder) { | |
| 468 | populate(builder, arch, arch.ireqs, | |
| 469 | arch.source->offset(), arch.source->signingExtent(), unsigned(digestAlgorithms().size()-1)); | |
| 470 | }); | |
| 471 | } | |
| b1ab9ed8 A |
472 | |
| 473 | // add identification blob (made from this architecture) only if we're making a detached signature | |
| 474 | if (state.mDetached) { | |
| 475 | CFRef<CFDataRef> identification = MachORep::identificationFor(arch.source.get()); | |
| 476 | arch.add(cdIdentificationSlot, BlobWrapper::alloc( | |
| 477 | CFDataGetBytePtr(identification), CFDataGetLength(identification))); | |
| 478 | } | |
| 479 | ||
| 480 | // prepare SuperBlob size estimate | |
| e3d460c9 A |
481 | __block std::vector<size_t> sizes; |
| 482 | arch.eachDigest(^(CodeDirectory::Builder& builder){ | |
| 483 | sizes.push_back(builder.size(CodeDirectory::currentVersion)); | |
| 484 | }); | |
| 485 | arch.blobSize = arch.size(sizes, state.mCMSSize, 0); | |
| b1ab9ed8 A |
486 | } |
| 487 | ||
| 488 | editor->allocate(); | |
| 489 | ||
| 490 | // pass 2: Finish and generate signatures, and write them | |
| 491 | for (MachOEditor::Iterator it = editor->begin(); it != editor->end(); ++it) { | |
| 492 | MachOEditor::Arch &arch = *it->second; | |
| 493 | editor->reset(arch); | |
| 494 | ||
| e3d460c9 A |
495 | // finish CodeDirectories (off new binary) and sign it |
| 496 | __block CodeDirectorySet cdSet; | |
| 497 | arch.eachDigest(^(CodeDirectory::Builder &builder) { | |
| 498 | CodeDirectory *cd = builder.build(); | |
| 499 | cdSet.add(cd); | |
| 500 | }); | |
| 501 | CFRef<CFArrayRef> hashes = cdSet.hashBag(); | |
| 502 | CFTemp<CFDictionaryRef> hashDict("{cdhashes=%O}", hashes.get()); | |
| 503 | CFRef<CFDataRef> hashBag = makeCFData(hashDict.get()); | |
| 504 | CFRef<CFDataRef> signature = signCodeDirectory(cdSet.primary(), hashBag); | |
| b1ab9ed8 A |
505 | |
| 506 | // complete the SuperBlob | |
| e3d460c9 | 507 | cdSet.populate(&arch); |
| b1ab9ed8 A |
508 | arch.add(cdSignatureSlot, BlobWrapper::alloc( |
| 509 | CFDataGetBytePtr(signature), CFDataGetLength(signature))); | |
| 510 | if (!state.mDryRun) { | |
| 511 | EmbeddedSignatureBlob *blob = arch.make(); | |
| 512 | editor->write(arch, blob); // takes ownership of blob | |
| 513 | } | |
| 514 | } | |
| 515 | ||
| 516 | // done: write edit copy back over the original | |
| fa7225c8 | 517 | if (!state.mDryRun) { |
| b1ab9ed8 | 518 | editor->commit(); |
| fa7225c8 | 519 | } |
| b1ab9ed8 A |
520 | } |
| 521 | ||
| 522 | ||
| 523 | // | |
| 524 | // Sign a binary that has no notion of architecture. | |
| 525 | // That currently means anything that isn't Mach-O format. | |
| 526 | // | |
| 527 | void SecCodeSigner::Signer::signArchitectureAgnostic(const Requirement::Context &context) | |
| 528 | { | |
| 529 | // non-Mach-O executable - single-instance signing | |
| 530 | RefPointer<DiskRep::Writer> writer = state.mDetached ? | |
| 531 | (new DetachedBlobWriter(*this)) : rep->writer(); | |
| e3d460c9 A |
532 | |
| 533 | CodeDirectorySet cdSet; | |
| 534 | for (auto type = digestAlgorithms().begin(); type != digestAlgorithms().end(); ++type) { | |
| 535 | CodeDirectory::Builder builder(*type); | |
| 536 | InternalRequirements ireqs; | |
| 537 | ireqs(requirements, rep->defaultRequirements(NULL, *this), context); | |
| 538 | populate(*writer); | |
| 539 | populate(builder, *writer, ireqs, rep->signingBase(), rep->signingLimit(), unsigned(digestAlgorithms().size()-1)); | |
| 540 | ||
| 541 | CodeDirectory *cd = builder.build(); | |
| 542 | if (!state.mDryRun) | |
| 543 | cdSet.add(cd); | |
| 544 | } | |
| b1ab9ed8 A |
545 | |
| 546 | // add identification blob (made from this architecture) only if we're making a detached signature | |
| 547 | if (state.mDetached) { | |
| 548 | CFRef<CFDataRef> identification = rep->identification(); | |
| 549 | writer->component(cdIdentificationSlot, identification); | |
| b1ab9ed8 | 550 | } |
| e3d460c9 A |
551 | |
| 552 | // write out all CodeDirectories | |
| 553 | cdSet.populate(writer); | |
| e3d460c9 A |
554 | |
| 555 | CFRef<CFArrayRef> hashes = cdSet.hashBag(); | |
| 556 | CFTemp<CFDictionaryRef> hashDict("{cdhashes=%O}", hashes.get()); | |
| 557 | CFRef<CFDataRef> hashBag = makeCFData(hashDict.get()); | |
| 558 | CFRef<CFDataRef> signature = signCodeDirectory(cdSet.primary(), hashBag); | |
| 559 | writer->signature(signature); | |
| 641423b6 A |
560 | |
| 561 | // commit to storage | |
| 562 | writer->flush(); | |
| b1ab9ed8 A |
563 | } |
| 564 | ||
| 565 | ||
| 566 | // | |
| 567 | // Global populate - send components to destination buffers ONCE | |
| 568 | // | |
| 569 | void SecCodeSigner::Signer::populate(DiskRep::Writer &writer) | |
| 570 | { | |
| 427c49bc A |
571 | if (resourceDirectory && !state.mDryRun) |
| 572 | writer.component(cdResourceDirSlot, resourceDictData); | |
| b1ab9ed8 A |
573 | } |
| 574 | ||
| 575 | ||
| 576 | // | |
| 577 | // Per-architecture populate - send components to per-architecture buffers | |
| 578 | // and populate the CodeDirectory for an architecture. In architecture-agnostic | |
| 579 | // signing operations, the non-architectural binary is considered one (arbitrary) architecture | |
| 580 | // for the purposes of this call. | |
| 581 | // | |
| 582 | void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer, | |
| e3d460c9 | 583 | InternalRequirements &ireqs, size_t offset, size_t length, unsigned alternateDigestCount) |
| b1ab9ed8 A |
584 | { |
| 585 | // fill the CodeDirectory | |
| 586 | builder.executable(rep->mainExecutablePath(), pagesize, offset, length); | |
| 587 | builder.flags(cdFlags); | |
| 588 | builder.identifier(identifier); | |
| 420ff9d9 | 589 | builder.teamID(teamID); |
| 5c19dc3a | 590 | builder.platform(state.mPlatform); |
| 420ff9d9 | 591 | |
| b1ab9ed8 A |
592 | if (CFRef<CFDataRef> data = rep->component(cdInfoSlot)) |
| 593 | builder.specialSlot(cdInfoSlot, data); | |
| 594 | if (ireqs) { | |
| 595 | CFRef<CFDataRef> data = makeCFData(*ireqs); | |
| 596 | writer.component(cdRequirementsSlot, data); | |
| 597 | builder.specialSlot(cdRequirementsSlot, data); | |
| 598 | } | |
| 599 | if (resourceDirectory) | |
| 427c49bc | 600 | builder.specialSlot(cdResourceDirSlot, resourceDictData); |
| 427c49bc A |
601 | if (entitlements) { |
| 602 | writer.component(cdEntitlementSlot, entitlements); | |
| 603 | builder.specialSlot(cdEntitlementSlot, entitlements); | |
| b1ab9ed8 | 604 | } |
| e3d460c9 A |
605 | if (CFRef<CFDataRef> repSpecific = rep->component(cdRepSpecificSlot)) |
| 606 | builder.specialSlot(cdRepSpecificSlot, repSpecific); | |
| b1ab9ed8 A |
607 | |
| 608 | writer.addDiscretionary(builder); | |
| e3d460c9 | 609 | |
| 641423b6 A |
610 | #if 0 // rdar://problem/25720754 |
| 611 | if ((signingFlags() & (kSecCSSignOpaque|kSecCSSignV1)) == 0 && builder.hashType() != kSecCodeSignatureHashSHA1) { | |
| e3d460c9 A |
612 | // calculate sorted list of top SuperBlob keys in this EmbeddedSignatureBlob (if any) |
| 613 | // (but not for opaque or V1 construction, which must remain bit-for-bit compatible) | |
| 614 | std::vector<Endian<uint32_t> > slotVector; | |
| 615 | slotVector.push_back(cdCodeDirectorySlot); // mandatory | |
| 616 | std::set<CodeDirectory::Slot> filledSlots = builder.filledSpecialSlots(); | |
| 617 | filledSlots.insert(cdTopDirectorySlot); // will be added below | |
| 618 | copy(filledSlots.begin(), filledSlots.end(), back_inserter(slotVector)); | |
| 619 | for (unsigned n = 0; n < alternateDigestCount; n++) | |
| 620 | slotVector.push_back(cdAlternateCodeDirectorySlots + n); | |
| 621 | slotVector.push_back(cdSignatureSlot); | |
| 622 | CFTempData cfSlotVector(&slotVector[0], slotVector.size() * sizeof(slotVector[0])); | |
| 623 | writer.component(cdTopDirectorySlot, cfSlotVector); | |
| 624 | builder.specialSlot(cdTopDirectorySlot, cfSlotVector); | |
| 625 | } | |
| 641423b6 | 626 | #endif |
| b1ab9ed8 A |
627 | } |
| 628 | ||
| e3d460c9 | 629 | |
| b1ab9ed8 A |
630 | #include <security_smime/tsaSupport.h> |
| 631 | ||
| 632 | // | |
| 633 | // Generate the CMS signature for a (finished) CodeDirectory. | |
| 634 | // | |
| e3d460c9 | 635 | CFDataRef SecCodeSigner::Signer::signCodeDirectory(const CodeDirectory *cd, CFDataRef hashBag) |
| b1ab9ed8 A |
636 | { |
| 637 | assert(state.mSigner); | |
| 638 | CFRef<CFMutableDictionaryRef> defaultTSContext = NULL; | |
| 639 | ||
| 640 | // a null signer generates a null signature blob | |
| 641 | if (state.mSigner == SecIdentityRef(kCFNull)) | |
| 642 | return CFDataCreate(NULL, NULL, 0); | |
| 643 | ||
| 644 | // generate CMS signature | |
| 645 | CFRef<CMSEncoderRef> cms; | |
| 646 | MacOSError::check(CMSEncoderCreate(&cms.aref())); | |
| 647 | MacOSError::check(CMSEncoderSetCertificateChainMode(cms, kCMSCertificateChainWithRoot)); | |
| 648 | CMSEncoderAddSigners(cms, state.mSigner); | |
| 5c19dc3a | 649 | CMSEncoderSetSignerAlgorithm(cms, kCMSEncoderDigestAlgorithmSHA256); |
| b1ab9ed8 A |
650 | MacOSError::check(CMSEncoderSetHasDetachedContent(cms, true)); |
| 651 | ||
| fa7225c8 | 652 | if (emitSigningTime) { |
| b1ab9ed8 | 653 | MacOSError::check(CMSEncoderAddSignedAttributes(cms, kCMSAttrSigningTime)); |
| fa7225c8 A |
654 | CFAbsoluteTime time = signingTime ? signingTime : CFAbsoluteTimeGetCurrent(); |
| 655 | MacOSError::check(CMSEncoderSetSigningTime(cms, time)); | |
| b1ab9ed8 A |
656 | } |
| 657 | ||
| e3d460c9 A |
658 | if (hashBag) { |
| 659 | MacOSError::check(CMSEncoderAddSignedAttributes(cms, kCMSAttrAppleCodesigningHashAgility)); | |
| 660 | MacOSError::check(CMSEncoderSetAppleCodesigningHashAgility(cms, hashBag)); | |
| 661 | } | |
| 662 | ||
| b1ab9ed8 A |
663 | MacOSError::check(CMSEncoderUpdateContent(cms, cd, cd->length())); |
| 664 | ||
| 665 | // Set up to call Timestamp server if requested | |
| b1ab9ed8 A |
666 | if (state.mWantTimeStamp) |
| 667 | { | |
| 668 | CFRef<CFErrorRef> error = NULL; | |
| 669 | defaultTSContext = SecCmsTSAGetDefaultContext(&error.aref()); | |
| 670 | if (error) | |
| 671 | MacOSError::throwMe(errSecDataNotAvailable); | |
| 672 | ||
| 673 | if (state.mNoTimeStampCerts || state.mTimestampService) { | |
| 674 | if (state.mTimestampService) | |
| 675 | CFDictionarySetValue(defaultTSContext, kTSAContextKeyURL, state.mTimestampService); | |
| 676 | if (state.mNoTimeStampCerts) | |
| 677 | CFDictionarySetValue(defaultTSContext, kTSAContextKeyNoCerts, kCFBooleanTrue); | |
| e3d460c9 | 678 | } |
| b1ab9ed8 | 679 | |
| e3d460c9 | 680 | CmsMessageSetTSAContext(cms, defaultTSContext); |
| b1ab9ed8 | 681 | } |
| e3d460c9 | 682 | |
| b1ab9ed8 A |
683 | CFDataRef signature; |
| 684 | MacOSError::check(CMSEncoderCopyEncodedContent(cms, &signature)); | |
| 685 | ||
| 686 | return signature; | |
| 687 | } | |
| e3d460c9 A |
688 | |
| 689 | ||
| 690 | // | |
| 691 | // Our DiskRep::signingContext methods communicate with the signing subsystem | |
| 692 | // in terms those callers can easily understand. | |
| 693 | // | |
| 694 | string SecCodeSigner::Signer::sdkPath(const std::string &path) const | |
| 695 | { | |
| 696 | assert(path[0] == '/'); // need absolute path here | |
| 697 | if (state.mSDKRoot) | |
| 698 | return cfString(state.mSDKRoot) + path; | |
| 699 | else | |
| 700 | return path; | |
| 701 | } | |
| 702 | ||
| 703 | bool SecCodeSigner::Signer::isAdhoc() const | |
| 704 | { | |
| 705 | return state.mSigner == SecIdentityRef(kCFNull); | |
| 706 | } | |
| 707 | ||
| 708 | SecCSFlags SecCodeSigner::Signer::signingFlags() const | |
| 709 | { | |
| 710 | return state.mOpFlags; | |
| 711 | } | |
| b1ab9ed8 A |
712 | |
| 713 | ||
| 714 | // | |
| 715 | // Parse a text of the form | |
| 716 | // flag,...,flag | |
| 717 | // where each flag is the canonical name of a signable CodeDirectory flag. | |
| 718 | // No abbreviations are allowed, and internally set flags are not accepted. | |
| 719 | // | |
| 720 | uint32_t SecCodeSigner::Signer::cdTextFlags(std::string text) | |
| 721 | { | |
| 722 | uint32_t flags = 0; | |
| 723 | for (string::size_type comma = text.find(','); ; text = text.substr(comma+1), comma = text.find(',')) { | |
| 724 | string word = (comma == string::npos) ? text : text.substr(0, comma); | |
| 725 | const SecCodeDirectoryFlagTable *item; | |
| 726 | for (item = kSecCodeDirectoryFlagTable; item->name; item++) | |
| 727 | if (item->signable && word == item->name) { | |
| 728 | flags |= item->value; | |
| 729 | break; | |
| 730 | } | |
| 731 | if (!item->name) // not found | |
| 732 | MacOSError::throwMe(errSecCSInvalidFlags); | |
| 733 | if (comma == string::npos) // last word | |
| 734 | break; | |
| 735 | } | |
| 736 | return flags; | |
| 737 | } | |
| 738 | ||
| 739 | ||
| 740 | // | |
| 741 | // Generate a unique string from our underlying DiskRep. | |
| 742 | // We could get 90%+ of the uniquing benefit by just generating | |
| 743 | // a random string here. Instead, we pick the (hex string encoding of) | |
| 744 | // the source rep's unique identifier blob. For universal binaries, | |
| 745 | // this is the canonical local architecture, which is a bit arbitrary. | |
| 746 | // This provides us with a consistent unique string for all architectures | |
| 747 | // of a fat binary, *and* (unlike a random string) is reproducible | |
| 748 | // for identical inputs, even upon resigning. | |
| 749 | // | |
| 750 | std::string SecCodeSigner::Signer::uniqueName() const | |
| 751 | { | |
| 752 | CFRef<CFDataRef> identification = rep->identification(); | |
| 753 | const UInt8 *ident = CFDataGetBytePtr(identification); | |
| 427c49bc | 754 | const CFIndex length = CFDataGetLength(identification); |
| b1ab9ed8 | 755 | string result; |
| 427c49bc | 756 | for (CFIndex n = 0; n < length; n++) { |
| b1ab9ed8 A |
757 | char hex[3]; |
| 758 | snprintf(hex, sizeof(hex), "%02x", ident[n]); | |
| 759 | result += hex; | |
| 760 | } | |
| 761 | return result; | |
| 762 | } | |
| 763 | ||
| 764 | ||
| 765 | } // end namespace CodeSigning | |
| 766 | } // end namespace Security |