]> git.saurik.com Git - apple/security.git/blob - libsecurity_codesigning/lib/csutilities.cpp
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-55179.1.tar.gz
[apple/security.git] / libsecurity_codesigning / lib / csutilities.cpp
1 /*
2 * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 //
25 // csutilities - miscellaneous utilities for the code signing implementation
26 //
27 #include "csutilities.h"
28 #include <Security/SecCertificatePriv.h>
29 #include <security_codesigning/requirement.h>
30 #include <security_utilities/hashing.h>
31 #include <security_utilities/debugging.h>
32 #include <security_utilities/errors.h>
33
34 namespace Security {
35 namespace CodeSigning {
36
37
38 //
39 // The (SHA-1) hash of the canonical Apple certificate root anchor
40 //
41 static const SHA1::Digest gAppleAnchorHash =
42 { 0x61, 0x1e, 0x5b, 0x66, 0x2c, 0x59, 0x3a, 0x08, 0xff, 0x58,
43 0xd1, 0x4a, 0xe2, 0x24, 0x52, 0xd1, 0x98, 0xdf, 0x6c, 0x60 };
44
45
46
47 //
48 // Test for the canonical Apple CA certificate
49 //
50 bool isAppleCA(SecCertificateRef cert)
51 {
52 return verifyHash(cert, gAppleAnchorHash);
53 }
54
55 bool isAppleCA(const Hashing::Byte *sha1)
56 {
57 return !memcmp(sha1, gAppleAnchorHash, SHA1::digestLength);
58 }
59
60
61 //
62 // Calculate the canonical hash of a certificate, given its raw (DER) data.
63 //
64 void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest)
65 {
66 SHA1 hasher;
67 hasher(certData, certLength);
68 hasher.finish(digest);
69 }
70
71
72 //
73 // Ditto, given a SecCertificateRef
74 //
75 void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest)
76 {
77 assert(cert);
78 CSSM_DATA certData;
79 MacOSError::check(SecCertificateGetData(cert, &certData));
80 hashOfCertificate(certData.Data, certData.Length, digest);
81 }
82
83
84 //
85 // One-stop hash-certificate-and-compare
86 //
87 bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest)
88 {
89 SHA1::Digest dig;
90 hashOfCertificate(cert, dig);
91 return !memcmp(dig, digest, SHA1::digestLength);
92 }
93
94
95 //
96 // Check to see if a certificate contains a particular field, by OID. This works for extensions,
97 // even ones not recognized by the local CL. It does not return any value, only presence.
98 //
99 bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid)
100 {
101 assert(cert);
102 CSSM_DATA *value;
103 switch (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &oid, &value)) {
104 case noErr:
105 MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &oid, value));
106 return true; // extension found by oid
107 case errSecUnknownTag:
108 break; // oid not recognized by CL - continue below
109 default:
110 MacOSError::throwMe(rc); // error: fail
111 }
112
113 // check the CL's bag of unrecognized extensions
114 CSSM_DATA **values;
115 bool found = false;
116 if (SecCertificateCopyFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, &values))
117 return false; // no unrecognized extensions - no match
118 if (values)
119 for (CSSM_DATA **p = values; *p; p++) {
120 const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)(*p)->Data;
121 if (oid == ext->extnId) {
122 found = true;
123 break;
124 }
125 }
126 MacOSError::check(SecCertificateReleaseFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, values));
127 return found;
128 }
129
130
131 //
132 // Retrieve X.509 policy extension OIDs, if any.
133 // This currently ignores policy qualifiers.
134 //
135 bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid)
136 {
137 bool matched = false;
138 assert(cert);
139 CSSM_DATA *data;
140 if (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &CSSMOID_CertificatePolicies, &data))
141 MacOSError::throwMe(rc);
142 if (data && data->Data && data->Length == sizeof(CSSM_X509_EXTENSION)) {
143 const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)data->Data;
144 assert(ext->format == CSSM_X509_DATAFORMAT_PARSED);
145 const CE_CertPolicies *policies = (const CE_CertPolicies *)ext->value.parsedValue;
146 if (policies)
147 for (unsigned int n = 0; n < policies->numPolicies; n++) {
148 const CE_PolicyInformation &cp = policies->policies[n];
149 if (cp.certPolicyId == policyOid) {
150 matched = true;
151 break;
152 }
153 }
154 }
155 SecCertificateReleaseFirstFieldValue(cert, &CSSMOID_PolicyConstraints, data);
156 return matched;
157 }
158
159
160 //
161 // Copyfile
162 //
163 Copyfile::Copyfile()
164 {
165 if (!(mState = copyfile_state_alloc()))
166 UnixError::throwMe();
167 }
168
169 void Copyfile::set(uint32_t flag, const void *value)
170 {
171 check(::copyfile_state_set(mState, flag, value));
172 }
173
174 void Copyfile::get(uint32_t flag, void *value)
175 {
176 check(::copyfile_state_set(mState, flag, value));
177 }
178
179 void Copyfile::operator () (const char *src, const char *dst, copyfile_flags_t flags)
180 {
181 check(::copyfile(src, dst, mState, flags));
182 }
183
184 void Copyfile::check(int rc)
185 {
186 if (rc < 0)
187 UnixError::throwMe();
188 }
189
190
191 //
192 // MessageTracer support
193 //
194 MessageTrace::MessageTrace(const char *domain, const char *signature)
195 {
196 mAsl = asl_new(ASL_TYPE_MSG);
197 if (domain)
198 asl_set(mAsl, "com.apple.message.domain", domain);
199 if (signature)
200 asl_set(mAsl, "com.apple.message.signature", signature);
201 }
202
203 void MessageTrace::add(const char *key, const char *format, ...)
204 {
205 va_list args;
206 va_start(args, format);
207 char value[200];
208 vsnprintf(value, sizeof(value), format, args);
209 va_end(args);
210 asl_set(mAsl, (string("com.apple.message.") + key).c_str(), value);
211 }
212
213 void MessageTrace::send(const char *format, ...)
214 {
215 va_list args;
216 va_start(args, format);
217 asl_vlog(NULL, mAsl, ASL_LEVEL_NOTICE, format, args);
218 va_end(args);
219 }
220
221
222 } // end namespace CodeSigning
223 } // end namespace Security
mirror of Security