[apple/security.git] / libsecurity_codesigning / lib / signer.h

/*
 * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

//
// signer - Signing operation supervisor and controller
//
#ifndef _H_SIGNER
#define _H_SIGNER

#include "CodeSigner.h"
#include "cdbuilder.h"
#include "signerutils.h"
#include "StaticCode.h"
#include <security_utilities/utilities.h>

namespace Security {
namespace CodeSigning {


//
// The signer driver class.
// This is a workflow object, containing all the data needed for the various
// signing stages to cooperate. It is not meant to be API visible; that is
// SecCodeSigner's job.
//
class SecCodeSigner::Signer {
public:
	Signer(SecCodeSigner &s, SecStaticCode *c) : state(s), code(c), requirements(NULL) { }
	~Signer() { ::free((Requirements *)requirements); }

	void sign(SecCSFlags flags);
	void remove(SecCSFlags flags);
	
	SecCodeSigner &state;
	SecStaticCode * const code;
	
	CodeDirectory::HashAlgorithm digestAlgorithm() const { return state.mDigestAlgorithm; }
	
	std::string path() const { return cfString(rep->canonicalPath()); }
	SecIdentityRef signingIdentity() const { return state.mSigner; }
	std::string signingIdentifier() const { return identifier; }
	
protected:
	void prepare(SecCSFlags flags);				// set up signing parameters
	void signMachO(Universal *fat, const Requirement::Context &context); // sign a Mach-O binary
	void signArchitectureAgnostic(const Requirement::Context &context); // sign anything else

	void populate(DiskRep::Writer &writer);		// global
	void populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer,
		InternalRequirements &ireqs, size_t offset = 0, size_t length = 0);	// per-architecture
	CFDataRef signCodeDirectory(const CodeDirectory *cd);

	uint32_t cdTextFlags(std::string text);		// convert text CodeDirectory flags
	std::string uniqueName() const;				// derive unique string from rep

protected:
	void buildResources(std::string root, CFDictionaryRef rules);
	CFMutableDictionaryRef signNested(FTSENT *ent, const char *relpath);
	CFDataRef hashFile(const char *path);

private:
	RefPointer<DiskRep> rep;		// DiskRep of Code being signed
	CFRef<CFDictionaryRef> resourceDirectory;	// resource directory
	CFRef<CFDataRef> resourceDictData; // XML form of resourceDirectory
	std::string identifier;			// signing identifier
	std::string teamID;             // team identifier
	CFRef<CFDataRef> entitlements;	// entitlements
	uint32_t cdFlags;				// CodeDirectory flags
	const Requirements *requirements; // internal requirements ready-to-use
	size_t pagesize;				// size of main executable pages
	CFAbsoluteTime signingTime;		// signing time for CMS signature (0 => none)
};


} // end namespace CodeSigning
} // end namespace Security

#endif // !_H_CODESIGNER
Commit	Line	Data
b1ab9ed8 A	1	/*
	2	* Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	//
	25	// signer - Signing operation supervisor and controller
	26	//
	27	#ifndef _H_SIGNER
	28	#define _H_SIGNER
	29
	30	#include "CodeSigner.h"
	31	#include "cdbuilder.h"
	32	#include "signerutils.h"
	33	#include "StaticCode.h"
	34	#include <security_utilities/utilities.h>
	35
	36	namespace Security {
	37	namespace CodeSigning {
	38
	39
	40	//
	41	// The signer driver class.
	42	// This is a workflow object, containing all the data needed for the various
	43	// signing stages to cooperate. It is not meant to be API visible; that is
	44	// SecCodeSigner's job.
	45	//
	46	class SecCodeSigner::Signer {
	47	public:
427c49bc A	48	Signer(SecCodeSigner &s, SecStaticCode *c) : state(s), code(c), requirements(NULL) { }
	49	~Signer() { ::free((Requirements *)requirements); }
	50
b1ab9ed8 A	51	void sign(SecCSFlags flags);
	52	void remove(SecCSFlags flags);
	53
	54	SecCodeSigner &state;
	55	SecStaticCode * const code;
	56
	57	CodeDirectory::HashAlgorithm digestAlgorithm() const { return state.mDigestAlgorithm; }
	58
	59	std::string path() const { return cfString(rep->canonicalPath()); }
	60	SecIdentityRef signingIdentity() const { return state.mSigner; }
	61	std::string signingIdentifier() const { return identifier; }
	62
	63	protected:
	64	void prepare(SecCSFlags flags); // set up signing parameters
	65	void signMachO(Universal *fat, const Requirement::Context &context); // sign a Mach-O binary
	66	void signArchitectureAgnostic(const Requirement::Context &context); // sign anything else
	67
	68	void populate(DiskRep::Writer &writer); // global
	69	void populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer,
	70	InternalRequirements &ireqs, size_t offset = 0, size_t length = 0); // per-architecture
	71	CFDataRef signCodeDirectory(const CodeDirectory *cd);
	72
	73	uint32_t cdTextFlags(std::string text); // convert text CodeDirectory flags
	74	std::string uniqueName() const; // derive unique string from rep
427c49bc A	75
	76	protected:
	77	void buildResources(std::string root, CFDictionaryRef rules);
	78	CFMutableDictionaryRef signNested(FTSENT ent, const char relpath);
	79	CFDataRef hashFile(const char *path);
	80
b1ab9ed8 A	81	private:
b1ab9ed8 A	82	RefPointer<DiskRep> rep; // DiskRep of Code being signed
427c49bc A	83	CFRef<CFDictionaryRef> resourceDirectory; // resource directory
427c49bc A	84	CFRef<CFDataRef> resourceDictData; // XML form of resourceDirectory
b1ab9ed8	85	std::string identifier; // signing identifier
420ff9d9	86	std::string teamID; // team identifier
427c49bc	87	CFRef<CFDataRef> entitlements; // entitlements
b1ab9ed8	88	uint32_t cdFlags; // CodeDirectory flags
427c49bc	89	const Requirements *requirements; // internal requirements ready-to-use
b1ab9ed8 A	90	size_t pagesize; // size of main executable pages
	91	CFAbsoluteTime signingTime; // signing time for CMS signature (0 => none)
	92	};
	93
	94
	95	} // end namespace CodeSigning
	96	} // end namespace Security
	97
	98	#endif // !_H_CODESIGNER