[apple/security.git] / OSX / libsecurity_keychain / lib / SecTrustedApplication.cpp

/*
 * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

#include <Security/SecTrustedApplicationPriv.h>
#include <security_keychain/TrustedApplication.h>
#include <security_keychain/Certificate.h>
#include <securityd_client/ssclient.h>		// for code equivalence SPIs

#include "SecBridge.h"


#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wunused-function"
static inline CssmData cfData(CFDataRef data)
{
    return CssmData(const_cast<UInt8 *>(CFDataGetBytePtr(data)),
        CFDataGetLength(data));
}
#pragma clang diagnostic pop


CFTypeID
SecTrustedApplicationGetTypeID(void)
{
	BEGIN_SECAPI

	return gTypes().TrustedApplication.typeID;

	END_SECAPI1(_kCFRuntimeNotATypeID)
}


OSStatus
SecTrustedApplicationCreateFromPath(const char *path, SecTrustedApplicationRef *appRef)
{
	BEGIN_SECAPI
	SecPointer<TrustedApplication> app =
		path ? new TrustedApplication(path) : new TrustedApplication;
	Required(appRef) = app->handle();
	END_SECAPI
}

OSStatus SecTrustedApplicationCopyData(SecTrustedApplicationRef appRef,
	CFDataRef *dataRef)
{
	BEGIN_SECAPI
	const char *path = TrustedApplication::required(appRef)->path();
	Required(dataRef) = CFDataCreate(NULL, (const UInt8 *)path, strlen(path) + 1);
	END_SECAPI
}

OSStatus SecTrustedApplicationSetData(SecTrustedApplicationRef appRef,
	CFDataRef dataRef)
{
	BEGIN_SECAPI
	if (!dataRef)
		return errSecParam;
	TrustedApplication::required(appRef)->data(dataRef);
	END_SECAPI
}


OSStatus
SecTrustedApplicationValidateWithPath(SecTrustedApplicationRef appRef, const char *path)
{
	BEGIN_SECAPI
	TrustedApplication &app = *TrustedApplication::required(appRef);
	if (!app.verifyToDisk(path))
		return CSSMERR_CSP_VERIFY_FAILED;
	END_SECAPI
}


//
// Convert from/to external data representation
//
OSStatus SecTrustedApplicationCopyExternalRepresentation(
	SecTrustedApplicationRef appRef,
	CFDataRef *externalRef)
{
	BEGIN_SECAPI
	TrustedApplication &app = *TrustedApplication::required(appRef);
	Required(externalRef) = app.externalForm();
	END_SECAPI
}

OSStatus SecTrustedApplicationCreateWithExternalRepresentation(
	CFDataRef externalRef,
	SecTrustedApplicationRef *appRef)
{
	BEGIN_SECAPI
	Required(appRef) = (new TrustedApplication(externalRef))->handle();
	END_SECAPI
}


OSStatus
SecTrustedApplicationMakeEquivalent(SecTrustedApplicationRef oldRef,
	SecTrustedApplicationRef newRef, UInt32 flags)
{
	BEGIN_SECAPI
    return errSecParam;
	END_SECAPI
}

OSStatus
SecTrustedApplicationRemoveEquivalence(SecTrustedApplicationRef appRef, UInt32 flags)
{
	BEGIN_SECAPI
    return errSecParam;
	END_SECAPI
}


/*
 * Check to see if an application at a given path is a candidate for
 * pre-emptive code equivalency establishment
 */
OSStatus
SecTrustedApplicationIsUpdateCandidate(const char *installroot, const char *path)
{
    BEGIN_SECAPI
    return CSSMERR_DL_RECORD_NOT_FOUND;	// whatever
    END_SECAPI
}


/*
 * Point the system at another system root for equivalence use.
 * This is for system update installers (only)!
 */
OSStatus
SecTrustedApplicationUseAlternateSystem(const char *systemRoot)
{
	BEGIN_SECAPI
    return errSecParam;
	END_SECAPI
}


/*
 * Gateway between traditional SecTrustedApplicationRefs and the Code Signing
 * subsystem. Invisible to the naked eye, as of 10.5 (Leopard), these reference
 * may contain Cod e Signing Requirement objects (SecRequirementRefs). For backward
 * compatibility, these are handled implicitly at the SecAccess/SecACL layer.
 * However, Those Who Know can bridge the gap for additional functionality.
 */
OSStatus SecTrustedApplicationCreateFromRequirement(const char *description,
	SecRequirementRef requirement, SecTrustedApplicationRef *appRef)
{
	BEGIN_SECAPI
	if (description == NULL)
		description = "csreq://";	// default to "generic requirement"
	SecPointer<TrustedApplication> app = new TrustedApplication(description, requirement);
	Required(appRef) = app->handle();
	END_SECAPI
}

OSStatus SecTrustedApplicationCopyRequirement(SecTrustedApplicationRef appRef,
	SecRequirementRef *requirement)
{
	BEGIN_SECAPI
	Required(requirement) = TrustedApplication::required(appRef)->requirement();
	if (*requirement)
		CFRetain(*requirement);
	END_SECAPI
}


/*
 * Create an application group reference.
 */
OSStatus SecTrustedApplicationCreateApplicationGroup(const char *groupName,
	SecCertificateRef anchor, SecTrustedApplicationRef *appRef)
{
	BEGIN_SECAPI

	CFRef<SecRequirementRef> req;
	MacOSError::check(SecRequirementCreateGroup(CFTempString(groupName), anchor,
		kSecCSDefaultFlags, &req.aref()));
	string description = string("group://") + groupName;
	if (anchor) {
		Certificate *cert = Certificate::required(anchor);
		const CssmData &hash = cert->publicKeyHash();
		description = description + "?cert=" + cfString(cert->commonName())
			+ "&hash=" + hash.toHex();
	}
	SecPointer<TrustedApplication> app = new TrustedApplication(description, req);
	Required(appRef) = app->handle();

	END_SECAPI
}
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
427c49bc	3	*
b1ab9ed8	4	* @APPLE_LICENSE_HEADER_START@
d8f41ccd	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
d8f41ccd	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
d8f41ccd	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#include <Security/SecTrustedApplicationPriv.h>
	25	#include <security_keychain/TrustedApplication.h>
	26	#include <security_keychain/Certificate.h>
	27	#include <securityd_client/ssclient.h> // for code equivalence SPIs
	28
	29	#include "SecBridge.h"
	30
427c49bc A	31
427c49bc A	32
d8f41ccd A	33	#pragma clang diagnostic push
d8f41ccd A	34	#pragma clang diagnostic ignored "-Wunused-function"
b1ab9ed8 A	35	static inline CssmData cfData(CFDataRef data)
	36	{
	37	return CssmData(const_cast<UInt8 *>(CFDataGetBytePtr(data)),
	38	CFDataGetLength(data));
	39	}
d8f41ccd	40	#pragma clang diagnostic pop
b1ab9ed8 A	41
	42
	43	CFTypeID
	44	SecTrustedApplicationGetTypeID(void)
	45	{
	46	BEGIN_SECAPI
	47
	48	return gTypes().TrustedApplication.typeID;
	49
	50	END_SECAPI1(_kCFRuntimeNotATypeID)
	51	}
	52
	53
	54	OSStatus
	55	SecTrustedApplicationCreateFromPath(const char path, SecTrustedApplicationRef appRef)
	56	{
	57	BEGIN_SECAPI
	58	SecPointer<TrustedApplication> app =
	59	path ? new TrustedApplication(path) : new TrustedApplication;
	60	Required(appRef) = app->handle();
	61	END_SECAPI
	62	}
	63
	64	OSStatus SecTrustedApplicationCopyData(SecTrustedApplicationRef appRef,
	65	CFDataRef *dataRef)
	66	{
	67	BEGIN_SECAPI
	68	const char *path = TrustedApplication::required(appRef)->path();
	69	Required(dataRef) = CFDataCreate(NULL, (const UInt8 *)path, strlen(path) + 1);
	70	END_SECAPI
	71	}
	72
	73	OSStatus SecTrustedApplicationSetData(SecTrustedApplicationRef appRef,
	74	CFDataRef dataRef)
	75	{
	76	BEGIN_SECAPI
427c49bc A	77	if (!dataRef)
	78	return errSecParam;
	79	TrustedApplication::required(appRef)->data(dataRef);
b1ab9ed8 A	80	END_SECAPI
	81	}
	82
	83
	84	OSStatus
	85	SecTrustedApplicationValidateWithPath(SecTrustedApplicationRef appRef, const char *path)
	86	{
	87	BEGIN_SECAPI
	88	TrustedApplication &app = *TrustedApplication::required(appRef);
	89	if (!app.verifyToDisk(path))
	90	return CSSMERR_CSP_VERIFY_FAILED;
	91	END_SECAPI
	92	}
	93
	94
	95	//
	96	// Convert from/to external data representation
	97	//
	98	OSStatus SecTrustedApplicationCopyExternalRepresentation(
427c49bc	99	SecTrustedApplicationRef appRef,
b1ab9ed8 A	100	CFDataRef *externalRef)
	101	{
	102	BEGIN_SECAPI
	103	TrustedApplication &app = *TrustedApplication::required(appRef);
	104	Required(externalRef) = app.externalForm();
	105	END_SECAPI
	106	}
	107
	108	OSStatus SecTrustedApplicationCreateWithExternalRepresentation(
	109	CFDataRef externalRef,
	110	SecTrustedApplicationRef *appRef)
	111	{
	112	BEGIN_SECAPI
	113	Required(appRef) = (new TrustedApplication(externalRef))->handle();
	114	END_SECAPI
	115	}
	116
	117
	118	OSStatus
	119	SecTrustedApplicationMakeEquivalent(SecTrustedApplicationRef oldRef,
	120	SecTrustedApplicationRef newRef, UInt32 flags)
	121	{
	122	BEGIN_SECAPI
5c19dc3a	123	return errSecParam;
b1ab9ed8 A	124	END_SECAPI
	125	}
	126
	127	OSStatus
	128	SecTrustedApplicationRemoveEquivalence(SecTrustedApplicationRef appRef, UInt32 flags)
	129	{
	130	BEGIN_SECAPI
5c19dc3a	131	return errSecParam;
b1ab9ed8 A	132	END_SECAPI
	133	}
	134
	135
	136	/*
	137	* Check to see if an application at a given path is a candidate for
	138	* pre-emptive code equivalency establishment
	139	*/
	140	OSStatus
	141	SecTrustedApplicationIsUpdateCandidate(const char installroot, const char path)
	142	{
	143	BEGIN_SECAPI
5c19dc3a	144	return CSSMERR_DL_RECORD_NOT_FOUND; // whatever
b1ab9ed8 A	145	END_SECAPI
	146	}
	147
	148
	149	/*
	150	* Point the system at another system root for equivalence use.
	151	* This is for system update installers (only)!
	152	*/
	153	OSStatus
	154	SecTrustedApplicationUseAlternateSystem(const char *systemRoot)
	155	{
	156	BEGIN_SECAPI
5c19dc3a	157	return errSecParam;
b1ab9ed8 A	158	END_SECAPI
	159	}
	160
	161
	162	/*
	163	* Gateway between traditional SecTrustedApplicationRefs and the Code Signing
	164	* subsystem. Invisible to the naked eye, as of 10.5 (Leopard), these reference
	165	* may contain Cod e Signing Requirement objects (SecRequirementRefs). For backward
	166	* compatibility, these are handled implicitly at the SecAccess/SecACL layer.
	167	* However, Those Who Know can bridge the gap for additional functionality.
	168	*/
	169	OSStatus SecTrustedApplicationCreateFromRequirement(const char *description,
	170	SecRequirementRef requirement, SecTrustedApplicationRef *appRef)
	171	{
	172	BEGIN_SECAPI
	173	if (description == NULL)
	174	description = "csreq://"; // default to "generic requirement"
	175	SecPointer<TrustedApplication> app = new TrustedApplication(description, requirement);
427c49bc	176	Required(appRef) = app->handle();
b1ab9ed8 A	177	END_SECAPI
	178	}
	179
	180	OSStatus SecTrustedApplicationCopyRequirement(SecTrustedApplicationRef appRef,
	181	SecRequirementRef *requirement)
	182	{
	183	BEGIN_SECAPI
	184	Required(requirement) = TrustedApplication::required(appRef)->requirement();
	185	if (*requirement)
	186	CFRetain(*requirement);
	187	END_SECAPI
	188	}
	189
	190
	191	/*
	192	* Create an application group reference.
	193	*/
	194	OSStatus SecTrustedApplicationCreateApplicationGroup(const char *groupName,
	195	SecCertificateRef anchor, SecTrustedApplicationRef *appRef)
	196	{
	197	BEGIN_SECAPI
	198
	199	CFRef<SecRequirementRef> req;
	200	MacOSError::check(SecRequirementCreateGroup(CFTempString(groupName), anchor,
	201	kSecCSDefaultFlags, &req.aref()));
	202	string description = string("group://") + groupName;
	203	if (anchor) {
	204	Certificate *cert = Certificate::required(anchor);
	205	const CssmData &hash = cert->publicKeyHash();
	206	description = description + "?cert=" + cfString(cert->commonName())
	207	+ "&hash=" + hash.toHex();
	208	}
	209	SecPointer<TrustedApplication> app = new TrustedApplication(description, req);
	210	Required(appRef) = app->handle();
	211
	212	END_SECAPI
	213	}