[apple/security.git] / libsecurity_codesigning / lib / codedirectory.cpp

/*
 * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

//
// codedirectory - format and operations for code signing "code directory" structures
//
#include "codedirectory.h"
#include "csutilities.h"
#include "CSCommonPriv.h"

using namespace UnixPlusPlus;


namespace Security {
namespace CodeSigning {


//
// Highest understood special slot in this CodeDirectory.
//
CodeDirectory::SpecialSlot CodeDirectory::maxSpecialSlot() const
{
	SpecialSlot slot = this->nSpecialSlots;
	if (slot > cdSlotMax)
		slot = cdSlotMax;
	return slot;
}


//
// Canonical filesystem names for select slot numbers.
// These are variously used for filenames, extended attribute names, etc.
// to get some consistency in naming. These are for storing signing-related
// data; they have no bearing on the actual hash slots in the CodeDirectory.
//
const char *CodeDirectory::canonicalSlotName(SpecialSlot slot)
{
	switch (slot) {
	case cdRequirementsSlot:
		return kSecCS_REQUIREMENTSFILE;
	case cdResourceDirSlot:
		return kSecCS_RESOURCEDIRFILE;
	case cdCodeDirectorySlot:
		return kSecCS_CODEDIRECTORYFILE;
	case cdSignatureSlot:
		return kSecCS_SIGNATUREFILE;
	case cdApplicationSlot:
		return kSecCS_APPLICATIONFILE;
	case cdEntitlementSlot:
		return kSecCS_ENTITLEMENTFILE;
	default:
		return NULL;
	}
}


//
// Canonical attributes of SpecialSlots.
//
unsigned CodeDirectory::slotAttributes(SpecialSlot slot)
{
	switch (slot) {
	case cdRequirementsSlot:
		return cdComponentIsBlob; // global
	case cdCodeDirectorySlot:
		return cdComponentPerArchitecture | cdComponentIsBlob;
	case cdSignatureSlot:
		return cdComponentPerArchitecture; // raw
	case cdEntitlementSlot:
		return cdComponentIsBlob; // global
	case cdIdentificationSlot:
		return cdComponentPerArchitecture; // raw
	default:
		return 0; // global, raw
	}
}


//
// Symbolic names for code directory special slots.
// These are only used for debug output. They are not API-official.
// Needs to be coordinated with the cd*Slot enumeration in codedirectory.h.
//
#if !defined(NDEBUG)
const char * const CodeDirectory::debugSlotName[] = {
	"codedirectory",
	"info",
	"requirements",
	"resources",
	"application",
	"entitlement"
};
#endif //NDEBUG


//
// Check a CodeDirectory for basic integrity. This should ensure that the
// version is understood by our code, and that the internal structure
// (offsets etc.) is intact. In particular, it must make sure that no offsets
// point outside the CodeDirectory.
// Throws if the directory is corrupted or out of versioning bounds.
// Returns if the version is usable (perhaps with degraded features due to
// compatibility hacks).
//
// Note: There are some things we don't bother checking because they won't
// cause crashes, and will just be flagged as nonsense later. For example,
// a Bad Guy could overlap the identifier and hash fields, which is nonsense
// but not dangerous.
//
void CodeDirectory::checkIntegrity() const
{
	// check version for support
	if (!this->validateBlob())
		MacOSError::throwMe(errSecCSSignatureInvalid);	// busted
	if (version > compatibilityLimit)
		MacOSError::throwMe(errSecCSSignatureUnsupported);	// too new - no clue
	if (version < earliestVersion)
		MacOSError::throwMe(errSecCSSignatureUnsupported);	// too old - can't support
	if (version > currentVersion)
		secdebug("codedir", "%p version 0x%x newer than current 0x%x",
			this, uint32_t(version), currentVersion);
	
	// now check interior offsets for validity
	if (!stringAt(identOffset))
		MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range
	if (!contains(hashOffset - uint64_t(hashSize) * nSpecialSlots, hashSize * (uint64_t(nSpecialSlots) + nCodeSlots)))
		MacOSError::throwMe(errSecCSSignatureFailed); // hash array out of blob range
	if (const Scatter *scatter = this->scatterVector()) {
		// the optional scatter vector is terminated with an element having (count == 0)
		unsigned int pagesConsumed = 0;
		while (scatter->count) {
			if (!contains(scatter, sizeof(Scatter)))
				MacOSError::throwMe(errSecCSSignatureFailed);
			pagesConsumed += scatter->count;
			scatter++;
		}
		if (!contains(scatter, sizeof(Scatter)))			// (even sentinel must be in range)
			MacOSError::throwMe(errSecCSSignatureFailed);
		if (!contains((*this)[pagesConsumed-1], hashSize))	// referenced too many main hash slots
			MacOSError::throwMe(errSecCSSignatureFailed);
	}
}


//
// Validate a slot against data in memory.
//
bool CodeDirectory::validateSlot(const void *data, size_t length, Slot slot) const
{
	secdebug("codedir", "%p validating slot %d", this, int(slot));
	MakeHash<CodeDirectory> hasher(this);
	Hashing::Byte digest[hasher->digestLength()];
	generateHash(hasher, data, length, digest);
	return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
}


//
// Validate a slot against the contents of an open file. At most 'length' bytes
// will be read from the file.
//
bool CodeDirectory::validateSlot(FileDesc fd, size_t length, Slot slot) const
{
	MakeHash<CodeDirectory> hasher(this);
	Hashing::Byte digest[hasher->digestLength()];
	generateHash(hasher, fd, digest, length);
	return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
}


//
// Check whether a particular slot is present.
// Absense is indicated by either a zero hash, or by lying outside
// the slot range.
//
bool CodeDirectory::slotIsPresent(Slot slot) const
{
	if (slot >= -Slot(nSpecialSlots) && slot < Slot(nCodeSlots)) {
		const Hashing::Byte *digest = (*this)[slot];
		for (unsigned n = 0; n < hashSize; n++)
			if (digest[n])
				return true;	// non-zero digest => present
	}
	return false;	// absent
}


//
// Given a hash type code, create an appropriate subclass of DynamicHash
// and return it. The caller owns the object and  must delete it when done.
// This function never returns NULL. It throws if the hashType is unsuupported,
// or if there's an error creating the hasher.
//
DynamicHash *CodeDirectory::hashFor(HashAlgorithm hashType)
{
	CCDigestAlg alg;
	switch (hashType) {
	case kSecCodeSignatureHashSHA1:						alg = kCCDigestSHA1; break;
	case kSecCodeSignatureHashSHA256:					alg = kCCDigestSHA256; break;
	case kSecCodeSignatureHashPrestandardSkein160x256:	alg = kCCDigestSkein160; break;
	case kSecCodeSignatureHashPrestandardSkein256x512:	alg = kCCDigestSkein256; break;
	default:
		MacOSError::throwMe(errSecCSSignatureUnsupported);
	}
	return new CCHashInstance(alg);
}


//
// Hash the next limit bytes of a file and return the digest.
// If the file is shorter, hash as much as you can.
// Limit==0 means unlimited (to end of file).
// Return how many bytes were actually hashed.
// Throw on any errors.
//
size_t CodeDirectory::generateHash(DynamicHash *hasher, FileDesc fd, Hashing::Byte *digest, size_t limit)
{
	size_t size = hashFileData(fd, hasher, limit);
	hasher->finish(digest);
	return size;
}


//
// Ditto, but hash a memory buffer instead.
//
size_t CodeDirectory::generateHash(DynamicHash *hasher, const void *data, size_t length, Hashing::Byte *digest)
{
	hasher->update(data, length);
	hasher->finish(digest);
	return length;
}


//
// Turn a hash of canonical type into a hex string
//
std::string CodeDirectory::hexHash(const unsigned char *hash) const
{
	size_t size = this->hashSize;
	char result[2*size+1];
	for (unsigned n = 0; n < size; n++)
		sprintf(result+2*n, "%02.2x", hash[n]);
	return result;
}


//
// Generate a screening code string from a (complete) CodeDirectory.
// This can be used to make a lightweight pre-screening code from (just) a CodeDirectory.
//
std::string CodeDirectory::screeningCode() const
{
	if (slotIsPresent(-cdInfoSlot))		// has Info.plist
		return "I" + hexHash((*this)[-cdInfoSlot]); // use Info.plist hash
	if (pageSize == 0)					// good-enough proxy for "not a Mach-O file"
		return "M" + hexHash((*this)[0]); // use hash of main executable
	return "N";							// no suitable screening code
}


}	// CodeSigning
}	// Security


//
// Canonical text form for user-settable code directory flags.
// Note: This table is actually exported from Security.framework.
//
const SecCodeDirectoryFlagTable kSecCodeDirectoryFlagTable[] = {
	{ "host",		kSecCodeSignatureHost,			true },
	{ "adhoc",		kSecCodeSignatureAdhoc,			false },
	{ "hard",		kSecCodeSignatureForceHard,		true },
	{ "kill",		kSecCodeSignatureForceKill,		true },
	{ "expires",	kSecCodeSignatureForceExpiration, true },
	{ NULL }
};
Commit	Line	Data
b1ab9ed8 A	1	/*
	2	* Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	//
	25	// codedirectory - format and operations for code signing "code directory" structures
	26	//
	27	#include "codedirectory.h"
	28	#include "csutilities.h"
	29	#include "CSCommonPriv.h"
	30
	31	using namespace UnixPlusPlus;
	32
	33
	34	namespace Security {
	35	namespace CodeSigning {
	36
	37
	38	//
	39	// Highest understood special slot in this CodeDirectory.
	40	//
	41	CodeDirectory::SpecialSlot CodeDirectory::maxSpecialSlot() const
	42	{
	43	SpecialSlot slot = this->nSpecialSlots;
	44	if (slot > cdSlotMax)
	45	slot = cdSlotMax;
	46	return slot;
	47	}
	48
	49
	50	//
	51	// Canonical filesystem names for select slot numbers.
	52	// These are variously used for filenames, extended attribute names, etc.
	53	// to get some consistency in naming. These are for storing signing-related
	54	// data; they have no bearing on the actual hash slots in the CodeDirectory.
	55	//
	56	const char *CodeDirectory::canonicalSlotName(SpecialSlot slot)
	57	{
	58	switch (slot) {
	59	case cdRequirementsSlot:
	60	return kSecCS_REQUIREMENTSFILE;
	61	case cdResourceDirSlot:
	62	return kSecCS_RESOURCEDIRFILE;
	63	case cdCodeDirectorySlot:
	64	return kSecCS_CODEDIRECTORYFILE;
65	case cdSignatureSlot:
66	return kSecCS_SIGNATUREFILE;
67	case cdApplicationSlot:
68	return kSecCS_APPLICATIONFILE;
69	case cdEntitlementSlot:
70	return kSecCS_ENTITLEMENTFILE;
71	default:
72	return NULL;
73	}
74	}
75
76
77	//
78	// Canonical attributes of SpecialSlots.
79	//
80	unsigned CodeDirectory::slotAttributes(SpecialSlot slot)
81	{
82	switch (slot) {
83	case cdRequirementsSlot:
84	return cdComponentIsBlob; // global
85	case cdCodeDirectorySlot:
86	return cdComponentPerArchitecture \| cdComponentIsBlob;
87	case cdSignatureSlot:
88	return cdComponentPerArchitecture; // raw
89	case cdEntitlementSlot:
90	return cdComponentIsBlob; // global
91	case cdIdentificationSlot:
92	return cdComponentPerArchitecture; // raw
93	default:
94	return 0; // global, raw
95	}
96	}
97
98
99	//
100	// Symbolic names for code directory special slots.
101	// These are only used for debug output. They are not API-official.
102	// Needs to be coordinated with the cd*Slot enumeration in codedirectory.h.
103	//
104	#if !defined(NDEBUG)
105	const char * const CodeDirectory::debugSlotName[] = {
106	"codedirectory",
107	"info",
108	"requirements",
109	"resources",
110	"application",
111	"entitlement"
112	};
113	#endif //NDEBUG
114
115
116	//
117	// Check a CodeDirectory for basic integrity. This should ensure that the
118	// version is understood by our code, and that the internal structure
119	// (offsets etc.) is intact. In particular, it must make sure that no offsets
120	// point outside the CodeDirectory.
121	// Throws if the directory is corrupted or out of versioning bounds.
122	// Returns if the version is usable (perhaps with degraded features due to
123	// compatibility hacks).
124	//
125	// Note: There are some things we don't bother checking because they won't
126	// cause crashes, and will just be flagged as nonsense later. For example,
127	// a Bad Guy could overlap the identifier and hash fields, which is nonsense
128	// but not dangerous.
129	//
130	void CodeDirectory::checkIntegrity() const
131	{
132	// check version for support
133	if (!this->validateBlob())
134	MacOSError::throwMe(errSecCSSignatureInvalid); // busted
135	if (version > compatibilityLimit)
136	MacOSError::throwMe(errSecCSSignatureUnsupported); // too new - no clue
137	if (version < earliestVersion)
138	MacOSError::throwMe(errSecCSSignatureUnsupported); // too old - can't support
139	if (version > currentVersion)
140	secdebug("codedir", "%p version 0x%x newer than current 0x%x",
141	this, uint32_t(version), currentVersion);
142
143	// now check interior offsets for validity
144	if (!stringAt(identOffset))
145	MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range
146	if (!contains(hashOffset - uint64_t(hashSize) * nSpecialSlots, hashSize * (uint64_t(nSpecialSlots) + nCodeSlots)))
147	MacOSError::throwMe(errSecCSSignatureFailed); // hash array out of blob range
148	if (const Scatter *scatter = this->scatterVector()) {
149	// the optional scatter vector is terminated with an element having (count == 0)
150	unsigned int pagesConsumed = 0;
151	while (scatter->count) {
152	if (!contains(scatter, sizeof(Scatter)))
153	MacOSError::throwMe(errSecCSSignatureFailed);
154	pagesConsumed += scatter->count;
155	scatter++;
156	}
157	if (!contains(scatter, sizeof(Scatter))) // (even sentinel must be in range)
158	MacOSError::throwMe(errSecCSSignatureFailed);
159	if (!contains((*this)[pagesConsumed-1], hashSize)) // referenced too many main hash slots
160	MacOSError::throwMe(errSecCSSignatureFailed);
161	}
162	}
163
164
165	//
166	// Validate a slot against data in memory.
167	//
168	bool CodeDirectory::validateSlot(const void *data, size_t length, Slot slot) const
169	{
170	secdebug("codedir", "%p validating slot %d", this, int(slot));
171	MakeHash<CodeDirectory> hasher(this);
172	Hashing::Byte digest[hasher->digestLength()];
173	generateHash(hasher, data, length, digest);
174	return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
175	}
176
177
178	//
179	// Validate a slot against the contents of an open file. At most 'length' bytes
180	// will be read from the file.
181	//
182	bool CodeDirectory::validateSlot(FileDesc fd, size_t length, Slot slot) const
183	{
184	MakeHash<CodeDirectory> hasher(this);
185	Hashing::Byte digest[hasher->digestLength()];
186	generateHash(hasher, fd, digest, length);
187	return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0;
188	}
189
190
191	//
192	// Check whether a particular slot is present.
193	// Absense is indicated by either a zero hash, or by lying outside
194	// the slot range.
195	//
196	bool CodeDirectory::slotIsPresent(Slot slot) const
197	{
198	if (slot >= -Slot(nSpecialSlots) && slot < Slot(nCodeSlots)) {
199	const Hashing::Byte digest = (this)[slot];
200	for (unsigned n = 0; n < hashSize; n++)
201	if (digest[n])
202	return true; // non-zero digest => present
203	}
204	return false; // absent
205	}
206
207
208	//
209	// Given a hash type code, create an appropriate subclass of DynamicHash
210	// and return it. The caller owns the object and must delete it when done.
211	// This function never returns NULL. It throws if the hashType is unsuupported,
212	// or if there's an error creating the hasher.
213	//
214	DynamicHash *CodeDirectory::hashFor(HashAlgorithm hashType)
215	{
216	CCDigestAlg alg;
217	switch (hashType) {
218	case kSecCodeSignatureHashSHA1: alg = kCCDigestSHA1; break;
219	case kSecCodeSignatureHashSHA256: alg = kCCDigestSHA256; break;
220	case kSecCodeSignatureHashPrestandardSkein160x256: alg = kCCDigestSkein160; break;
221	case kSecCodeSignatureHashPrestandardSkein256x512: alg = kCCDigestSkein256; break;
222	default:
223	MacOSError::throwMe(errSecCSSignatureUnsupported);
224	}
225	return new CCHashInstance(alg);
226	}
227
228
229	//
230	// Hash the next limit bytes of a file and return the digest.
231	// If the file is shorter, hash as much as you can.
232	// Limit==0 means unlimited (to end of file).
233	// Return how many bytes were actually hashed.
234	// Throw on any errors.
235	//
236	size_t CodeDirectory::generateHash(DynamicHash hasher, FileDesc fd, Hashing::Byte digest, size_t limit)
237	{
238	size_t size = hashFileData(fd, hasher, limit);
239	hasher->finish(digest);
240	return size;
241	}
242
243
244	//
245	// Ditto, but hash a memory buffer instead.
246	//
247	size_t CodeDirectory::generateHash(DynamicHash hasher, const void data, size_t length, Hashing::Byte *digest)
248	{
249	hasher->update(data, length);
250	hasher->finish(digest);
251	return length;
252	}
253
254
313fa17b A	255	//
	256	// Turn a hash of canonical type into a hex string
	257	//
	258	std::string CodeDirectory::hexHash(const unsigned char *hash) const
	259	{
	260	size_t size = this->hashSize;
	261	char result[2*size+1];
	262	for (unsigned n = 0; n < size; n++)
	263	sprintf(result+2*n, "%02.2x", hash[n]);
	264	return result;
	265	}
	266
	267
	268	//
	269	// Generate a screening code string from a (complete) CodeDirectory.
	270	// This can be used to make a lightweight pre-screening code from (just) a CodeDirectory.
	271	//
	272	std::string CodeDirectory::screeningCode() const
	273	{
	274	if (slotIsPresent(-cdInfoSlot)) // has Info.plist
	275	return "I" + hexHash((*this)[-cdInfoSlot]); // use Info.plist hash
	276	if (pageSize == 0) // good-enough proxy for "not a Mach-O file"
	277	return "M" + hexHash((*this)[0]); // use hash of main executable
	278	return "N"; // no suitable screening code
	279	}
	280
	281
b1ab9ed8 A	282	} // CodeSigning
	283	} // Security
	284
	285
	286	//
	287	// Canonical text form for user-settable code directory flags.
	288	// Note: This table is actually exported from Security.framework.
	289	//
	290	const SecCodeDirectoryFlagTable kSecCodeDirectoryFlagTable[] = {
	291	{ "host", kSecCodeSignatureHost, true },
	292	{ "adhoc", kSecCodeSignatureAdhoc, false },
	293	{ "hard", kSecCodeSignatureForceHard, true },
	294	{ "kill", kSecCodeSignatureForceKill, true },
	295	{ "expires", kSecCodeSignatureForceExpiration, true },
	296	{ NULL }
	297	};