2  * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved. 
   4  * @APPLE_LICENSE_HEADER_START@ 
   6  * This file contains Original Code and/or Modifications of Original Code 
   7  * as defined in and that are subject to the Apple Public Source License 
   8  * Version 2.0 (the 'License'). You may not use this file except in 
   9  * compliance with the License. Please obtain a copy of the License at 
  10  * http://www.opensource.apple.com/apsl/ and read it before using this 
  13  * The Original Code and all software distributed under the License are 
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 
  18  * Please see the License for the specific language governing rights and 
  19  * limitations under the License. 
  21  * @APPLE_LICENSE_HEADER_END@ 
  25 // csutilities - miscellaneous utilities for the code signing implementation 
  28 #include "csutilities.h" 
  29 #include <libDER/DER_Encode.h> 
  30 #include <libDER/DER_Keys.h> 
  31 #include <libDER/asn1Types.h> 
  32 #include <libDER/oids.h> 
  33 #include <security_asn1/SecAsn1Coder.h> 
  34 #include <security_asn1/SecAsn1Templates.h> 
  35 #include <Security/SecCertificatePriv.h> 
  36 #include <Security/SecCertificate.h> 
  37 #include <Security/SecPolicyPriv.h> 
  38 #include <utilities/SecAppleAnchorPriv.h> 
  39 #include <utilities/SecInternalReleasePriv.h> 
  40 #include "requirement.h" 
  41 #include <security_utilities/hashing.h> 
  42 #include <security_utilities/debugging.h> 
  43 #include <security_utilities/errors.h> 
  44 #include <sys/mount.h> 
  45 #include <sys/utsname.h> 
  46 #include "debugging.h" 
  50 /* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return 
  51  an absoluteTime if the date was valid and properly decoded.  Return 
  52  NULL_TIME otherwise. */ 
  53 CFAbsoluteTime 
SecAbsoluteTimeFromDateContent(DERTag tag
, const uint8_t *bytes
, 
  59 namespace CodeSigning 
{ 
  63 // Test for the canonical Apple CA certificate 
  65 bool isAppleCA(SecCertificateRef cert
) 
  67         SecAppleTrustAnchorFlags flags 
= 0; 
  68         if (SecIsInternalRelease()) 
  69                 flags 
|= kSecAppleTrustAnchorFlagsIncludeTestAnchors
; 
  70         return SecIsAppleTrustAnchor(cert
, flags
); 
  75 // Calculate the canonical hash of a certificate, given its raw (DER) data. 
  77 void hashOfCertificate(const void *certData
, size_t certLength
, SHA1::Digest digest
) 
  80         hasher(certData
, certLength
); 
  81         hasher
.finish(digest
); 
  86 // Ditto, given a SecCertificateRef 
  88 void hashOfCertificate(SecCertificateRef cert
, SHA1::Digest digest
) 
  91     hashOfCertificate(SecCertificateGetBytePtr(cert
), SecCertificateGetLength(cert
), digest
); 
  96 // One-stop hash-certificate-and-compare 
  98 bool verifyHash(SecCertificateRef cert
, const Hashing::Byte 
*digest
) 
 101         hashOfCertificate(cert
, dig
); 
 102         return !memcmp(dig
, digest
, SHA1::digestLength
); 
 107 // Check to see if a certificate contains a particular field, by OID. This works for extensions, 
 108 // even ones not recognized by the local CL. It does not return any value, only presence. 
 110 bool certificateHasField(SecCertificateRef cert
, const CSSM_OID 
&oid
) 
 112         CFDataRef oidData 
= NULL
; 
 113         CFDataRef data 
= NULL
; 
 114         bool isCritical 
= false; 
 115         bool matched 
= false; 
 117         oidData 
= CFDataCreateWithBytesNoCopy(NULL
, oid
.Data
, oid
.Length
, 
 119         if (!(cert 
&& oidData
)) { 
 122         data 
= SecCertificateCopyExtensionValue(cert
, oidData
, &isCritical
); 
 139 // Retrieve X.509 policy extension OIDs, if any. 
 140 // This currently ignores policy qualifiers. 
 142 bool certificateHasPolicy(SecCertificateRef cert
, const CSSM_OID 
&policyOid
) 
 144         bool matched 
= false; 
 145         CFDataRef oidData 
= CFDataCreateWithBytesNoCopy(NULL
, policyOid
.Data
, policyOid
.Length
, 
 147         if (!(cert 
&& oidData
)) { 
 150         matched 
= SecPolicyCheckCertCertificatePolicy(cert
, oidData
); 
 159 CFDateRef 
certificateCopyFieldDate(SecCertificateRef cert
, const CSSM_OID 
&policyOid
) 
 161         CFDataRef oidData 
= NULL
; 
 162         CFDateRef value 
= NULL
; 
 163         CFDataRef data 
= NULL
; 
 164         SecAsn1CoderRef coder 
= NULL
; 
 165         CSSM_DATA str 
= { 0 }; 
 166         CFAbsoluteTime time 
= 0.0; 
 170         oidData 
= CFDataCreateWithBytesNoCopy(NULL
, policyOid
.Data
, policyOid
.Length
, 
 173         if (oidData 
== NULL
) { 
 177         data 
= SecCertificateCopyExtensionValue(cert
, oidData
, &isCritical
); 
 183         status 
= SecAsn1CoderCreate(&coder
); 
 188         // We currently only support UTF8 strings. 
 189         status 
= SecAsn1Decode(coder
, CFDataGetBytePtr(data
), CFDataGetLength(data
), 
 190                                                    kSecAsn1UTF8StringTemplate
, &str
); 
 195         time 
= SecAbsoluteTimeFromDateContent(ASN1_GENERALIZED_TIME
, 
 196                                                                                   str
.Data
, str
.Length
); 
 202         value 
= CFDateCreate(NULL
, time
); 
 205                 SecAsn1CoderRelease(coder
); 
 223         if (!(mState 
= copyfile_state_alloc())) 
 224                 UnixError::throwMe(); 
 227 void Copyfile::set(uint32_t flag
, const void *value
) 
 229         check(::copyfile_state_set(mState
, flag
, value
)); 
 232 void Copyfile::get(uint32_t flag
, void *value
) 
 234         check(::copyfile_state_set(mState
, flag
, value
)); 
 237 void Copyfile::operator () (const char *src
, const char *dst
, copyfile_flags_t flags
) 
 239         check(::copyfile(src
, dst
, mState
, flags
)); 
 242 void Copyfile::check(int rc
) 
 245                 UnixError::throwMe(); 
 250 // MessageTracer support 
 252 MessageTrace::MessageTrace(const char *domain
, const char *signature
) 
 254         mAsl 
= asl_new(ASL_TYPE_MSG
); 
 256                 asl_set(mAsl
, "com.apple.message.domain", domain
); 
 258                 asl_set(mAsl
, "com.apple.message.signature", signature
); 
 261 void MessageTrace::add(const char *key
, const char *format
, ...) 
 264         va_start(args
, format
); 
 266         vsnprintf(value
, sizeof(value
), format
, args
); 
 268         asl_set(mAsl
, (string("com.apple.message.") + key
).c_str(), value
); 
 271 void MessageTrace::send(const char *format
, ...) 
 274         va_start(args
, format
); 
 275         asl_vlog(NULL
, mAsl
, ASL_LEVEL_NOTICE
, format
, args
); 
 281 // Resource limited async workers for doing work on nested bundles 
 282 LimitedAsync::LimitedAsync(bool async
) 
 284         // validate multiple resources concurrently if bundle resides on solid-state media 
 286         // How many async workers to spin off. If zero, validating only happens synchronously. 
 287         long async_workers 
= 0; 
 289         long ncpu 
= sysconf(_SC_NPROCESSORS_ONLN
); 
 291         if (async 
&& ncpu 
> 0) 
 292                 async_workers 
= ncpu 
- 1; // one less because this thread also validates 
 294         mResourceSemaphore 
= new Dispatch::Semaphore(async_workers
); 
 297 LimitedAsync::LimitedAsync(LimitedAsync 
&limitedAsync
) 
 299         mResourceSemaphore 
= new Dispatch::Semaphore(*limitedAsync
.mResourceSemaphore
); 
 302 LimitedAsync::~LimitedAsync() 
 304         delete mResourceSemaphore
; 
 307 bool LimitedAsync::perform(Dispatch::Group 
&groupRef
, void (^block
)()) { 
 308         __block 
Dispatch::SemaphoreWait 
wait(*mResourceSemaphore
, DISPATCH_TIME_NOW
); 
 310         if (wait
.acquired()) { 
 311                 dispatch_queue_t defaultQueue 
= dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT
, 0); 
 313                 groupRef
.enqueue(defaultQueue
, ^{ 
 314                         // Hold the semaphore count until the worker is done validating. 
 315                         Dispatch::SemaphoreWait 
innerWait(wait
); 
 325 bool isOnRootFilesystem(const char *path
) 
 330         rc 
= statfs(path
, &sfb
); 
 332                 secerror("Unable to check if path is on rootfs: %d, %s", errno
, path
); 
 335         return ((sfb
.f_flags 
& MNT_ROOTFS
) == MNT_ROOTFS
); 
 338 } // end namespace CodeSigning 
 339 } // end namespace Security