| | 1 | /* |
| | 2 | * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved. |
| | 3 | * |
| | 4 | * @APPLE_LICENSE_HEADER_START@ |
| | 5 | * |
| | 6 | * This file contains Original Code and/or Modifications of Original Code |
| | 7 | * as defined in and that are subject to the Apple Public Source License |
| | 8 | * Version 2.0 (the 'License'). You may not use this file except in |
| | 9 | * compliance with the License. Please obtain a copy of the License at |
| | 10 | * http://www.opensource.apple.com/apsl/ and read it before using this |
| | 11 | * file. |
| | 12 | * |
| | 13 | * The Original Code and all software distributed under the License are |
| | 14 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
| | 15 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
| | 16 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
| | 17 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
| | 18 | * Please see the License for the specific language governing rights and |
| | 19 | * limitations under the License. |
| | 20 | * |
| | 21 | * @APPLE_LICENSE_HEADER_END@ |
| | 22 | */ |
| | 23 | |
| | 24 | #include <Security/SecTrustedApplicationPriv.h> |
| | 25 | #include <security_keychain/TrustedApplication.h> |
| | 26 | #include <security_keychain/Certificate.h> |
| | 27 | #include <securityd_client/ssclient.h> // for code equivalence SPIs |
| | 28 | |
| | 29 | #include "SecBridge.h" |
| | 30 | |
| | 31 | |
| | 32 | |
| | 33 | #pragma clang diagnostic push |
| | 34 | #pragma clang diagnostic ignored "-Wunused-function" |
| | 35 | static inline CssmData cfData(CFDataRef data) |
| | 36 | { |
| | 37 | return CssmData(const_cast<UInt8 *>(CFDataGetBytePtr(data)), |
| | 38 | CFDataGetLength(data)); |
| | 39 | } |
| | 40 | #pragma clang diagnostic pop |
| | 41 | |
| | 42 | |
| | 43 | CFTypeID |
| | 44 | SecTrustedApplicationGetTypeID(void) |
| | 45 | { |
| | 46 | BEGIN_SECAPI |
| | 47 | return gTypes().TrustedApplication.typeID; |
| | 48 | |
| | 49 | END_SECAPI1(_kCFRuntimeNotATypeID) |
| | 50 | } |
| | 51 | |
| | 52 | |
| | 53 | OSStatus |
| | 54 | SecTrustedApplicationCreateFromPath(const char *path, SecTrustedApplicationRef *appRef) |
| | 55 | { |
| | 56 | BEGIN_SECAPI |
| | 57 | SecPointer<TrustedApplication> app = |
| | 58 | path ? new TrustedApplication(path) : new TrustedApplication; |
| | 59 | Required(appRef) = app->handle(); |
| | 60 | END_SECAPI |
| | 61 | } |
| | 62 | |
| | 63 | OSStatus SecTrustedApplicationCopyData(SecTrustedApplicationRef appRef, |
| | 64 | CFDataRef *dataRef) |
| | 65 | { |
| | 66 | BEGIN_SECAPI |
| | 67 | const char *path = TrustedApplication::required(appRef)->path(); |
| | 68 | Required(dataRef) = CFDataCreate(NULL, (const UInt8 *)path, strlen(path) + 1); |
| | 69 | END_SECAPI |
| | 70 | } |
| | 71 | |
| | 72 | OSStatus SecTrustedApplicationSetData(SecTrustedApplicationRef appRef, |
| | 73 | CFDataRef dataRef) |
| | 74 | { |
| | 75 | BEGIN_SECAPI |
| | 76 | if (!dataRef) |
| | 77 | return errSecParam; |
| | 78 | TrustedApplication::required(appRef)->data(dataRef); |
| | 79 | END_SECAPI |
| | 80 | } |
| | 81 | |
| | 82 | |
| | 83 | OSStatus |
| | 84 | SecTrustedApplicationValidateWithPath(SecTrustedApplicationRef appRef, const char *path) |
| | 85 | { |
| | 86 | BEGIN_SECAPI |
| | 87 | TrustedApplication &app = *TrustedApplication::required(appRef); |
| | 88 | if (!app.verifyToDisk(path)) |
| | 89 | return CSSMERR_CSP_VERIFY_FAILED; |
| | 90 | END_SECAPI |
| | 91 | } |
| | 92 | |
| | 93 | |
| | 94 | // |
| | 95 | // Convert from/to external data representation |
| | 96 | // |
| | 97 | OSStatus SecTrustedApplicationCopyExternalRepresentation( |
| | 98 | SecTrustedApplicationRef appRef, |
| | 99 | CFDataRef *externalRef) |
| | 100 | { |
| | 101 | BEGIN_SECAPI |
| | 102 | TrustedApplication &app = *TrustedApplication::required(appRef); |
| | 103 | Required(externalRef) = app.externalForm(); |
| | 104 | END_SECAPI |
| | 105 | } |
| | 106 | |
| | 107 | OSStatus SecTrustedApplicationCreateWithExternalRepresentation( |
| | 108 | CFDataRef externalRef, |
| | 109 | SecTrustedApplicationRef *appRef) |
| | 110 | { |
| | 111 | BEGIN_SECAPI |
| | 112 | Required(appRef) = (new TrustedApplication(externalRef))->handle(); |
| | 113 | END_SECAPI |
| | 114 | } |
| | 115 | |
| | 116 | |
| | 117 | OSStatus |
| | 118 | SecTrustedApplicationMakeEquivalent(SecTrustedApplicationRef oldRef, |
| | 119 | SecTrustedApplicationRef newRef, UInt32 flags) |
| | 120 | { |
| | 121 | BEGIN_SECAPI |
| | 122 | return errSecParam; |
| | 123 | END_SECAPI |
| | 124 | } |
| | 125 | |
| | 126 | OSStatus |
| | 127 | SecTrustedApplicationRemoveEquivalence(SecTrustedApplicationRef appRef, UInt32 flags) |
| | 128 | { |
| | 129 | BEGIN_SECAPI |
| | 130 | return errSecParam; |
| | 131 | END_SECAPI |
| | 132 | } |
| | 133 | |
| | 134 | |
| | 135 | /* |
| | 136 | * Check to see if an application at a given path is a candidate for |
| | 137 | * pre-emptive code equivalency establishment |
| | 138 | */ |
| | 139 | OSStatus |
| | 140 | SecTrustedApplicationIsUpdateCandidate(const char *installroot, const char *path) |
| | 141 | { |
| | 142 | BEGIN_SECAPI |
| | 143 | return CSSMERR_DL_RECORD_NOT_FOUND; // whatever |
| | 144 | END_SECAPI |
| | 145 | } |
| | 146 | |
| | 147 | |
| | 148 | /* |
| | 149 | * Point the system at another system root for equivalence use. |
| | 150 | * This is for system update installers (only)! |
| | 151 | */ |
| | 152 | OSStatus |
| | 153 | SecTrustedApplicationUseAlternateSystem(const char *systemRoot) |
| | 154 | { |
| | 155 | BEGIN_SECAPI |
| | 156 | return errSecParam; |
| | 157 | END_SECAPI |
| | 158 | } |
| | 159 | |
| | 160 | |
| | 161 | /* |
| | 162 | * Gateway between traditional SecTrustedApplicationRefs and the Code Signing |
| | 163 | * subsystem. Invisible to the naked eye, as of 10.5 (Leopard), these reference |
| | 164 | * may contain Cod e Signing Requirement objects (SecRequirementRefs). For backward |
| | 165 | * compatibility, these are handled implicitly at the SecAccess/SecACL layer. |
| | 166 | * However, Those Who Know can bridge the gap for additional functionality. |
| | 167 | */ |
| | 168 | OSStatus SecTrustedApplicationCreateFromRequirement(const char *description, |
| | 169 | SecRequirementRef requirement, SecTrustedApplicationRef *appRef) |
| | 170 | { |
| | 171 | BEGIN_SECAPI |
| | 172 | if (description == NULL) |
| | 173 | description = "csreq://"; // default to "generic requirement" |
| | 174 | SecPointer<TrustedApplication> app = new TrustedApplication(description, requirement); |
| | 175 | Required(appRef) = app->handle(); |
| | 176 | END_SECAPI |
| | 177 | } |
| | 178 | |
| | 179 | OSStatus SecTrustedApplicationCopyRequirement(SecTrustedApplicationRef appRef, |
| | 180 | SecRequirementRef *requirement) |
| | 181 | { |
| | 182 | BEGIN_SECAPI |
| | 183 | Required(requirement) = TrustedApplication::required(appRef)->requirement(); |
| | 184 | if (*requirement) |
| | 185 | CFRetain(*requirement); |
| | 186 | END_SECAPI |
| | 187 | } |
| | 188 | |
| | 189 | |
| | 190 | /* |
| | 191 | * Create an application group reference. |
| | 192 | */ |
| | 193 | OSStatus SecTrustedApplicationCreateApplicationGroup(const char *groupName, |
| | 194 | SecCertificateRef anchor, SecTrustedApplicationRef *appRef) |
| | 195 | { |
| | 196 | BEGIN_SECAPI |
| | 197 | CFRef<SecRequirementRef> req; |
| | 198 | MacOSError::check(SecRequirementCreateGroup(CFTempString(groupName), anchor, |
| | 199 | kSecCSDefaultFlags, &req.aref())); |
| | 200 | string description = string("group://") + groupName; |
| | 201 | if (anchor) { |
| | 202 | Certificate *cert = Certificate::required(anchor); |
| | 203 | const CssmData &hash = cert->publicKeyHash(); |
| | 204 | description = description + "?cert=" + cfString(cert->commonName()) |
| | 205 | + "&hash=" + hash.toHex(); |
| | 206 | } |
| | 207 | SecPointer<TrustedApplication> app = new TrustedApplication(description, req); |
| | 208 | Required(appRef) = app->handle(); |
| | 209 | |
| | 210 | END_SECAPI |
| | 211 | } |
projects / apple / security.git / blame_incremental