OSX/include/security_codesigning/csutilities.cpp

   1 /*
   2  * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // csutilities - miscellaneous utilities for the code signing implementation
  26 //
  27 #include "csutilities.h"
  28 #include <Security/SecCertificatePriv.h>
  29 #include <utilities/SecAppleAnchorPriv.h>
  30 #include <utilities/SecInternalReleasePriv.h>
  31 #include <security_codesigning/requirement.h>
  32 #include <security_utilities/hashing.h>
  33 #include <security_utilities/debugging.h>
  34 #include <security_utilities/errors.h>
  35 #include <sys/utsname.h>
  36
  37 namespace Security {
  38 namespace CodeSigning {
  39
  40
  41 //
  42 // Test for the canonical Apple CA certificate
  43 //
  44 bool isAppleCA(SecCertificateRef cert)
  45 {
  46         SecAppleTrustAnchorFlags flags = 0;
  47         if (SecIsInternalRelease())
  48                 flags |= kSecAppleTrustAnchorFlagsIncludeTestAnchors;
  49         return SecIsAppleTrustAnchor(cert, flags);
  50 }
  51
  52
  53 //
  54 // Calculate the canonical hash of a certificate, given its raw (DER) data.
  55 //
  56 void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest)
  57 {
  58         SHA1 hasher;
  59         hasher(certData, certLength);
  60         hasher.finish(digest);
  61 }
  62
  63
  64 //
  65 // Ditto, given a SecCertificateRef
  66 //
  67 void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest)
  68 {
  69         assert(cert);
  70         CSSM_DATA certData;
  71         MacOSError::check(SecCertificateGetData(cert, &certData));
  72         hashOfCertificate(certData.Data, certData.Length, digest);
  73 }
  74
  75
  76 //
  77 // One-stop hash-certificate-and-compare
  78 //
  79 bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest)
  80 {
  81         SHA1::Digest dig;
  82         hashOfCertificate(cert, dig);
  83         return !memcmp(dig, digest, SHA1::digestLength);
  84 }
  85
  86
  87 //
  88 // Check to see if a certificate contains a particular field, by OID. This works for extensions,
  89 // even ones not recognized by the local CL. It does not return any value, only presence.
  90 //
  91 bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid)
  92 {
  93         assert(cert);
  94         CSSM_DATA *value;
  95         switch (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &oid, &value)) {
  96         case errSecSuccess:
  97                 MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &oid, value));
  98                 return true;                                    // extension found by oid
  99         case errSecUnknownTag:
 100                 break;                                                  // oid not recognized by CL - continue below
 101         default:
 102                 MacOSError::throwMe(rc);                // error: fail
 103         }
 104
 105         // check the CL's bag of unrecognized extensions
 106         CSSM_DATA **values;
 107         bool found = false;
 108         if (SecCertificateCopyFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, &values))
 109                 return false;   // no unrecognized extensions - no match
 110         if (values)
 111                 for (CSSM_DATA **p = values; *p; p++) {
 112                         const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)(*p)->Data;
 113                         if (oid == ext->extnId) {
 114                                 found = true;
 115                                 break;
 116                         }
 117                 }
 118         MacOSError::check(SecCertificateReleaseFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, values));
 119         return found;
 120 }
 121
 122
 123 //
 124 // Retrieve X.509 policy extension OIDs, if any.
 125 // This currently ignores policy qualifiers.
 126 //
 127 bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid)
 128 {
 129         bool matched = false;
 130         assert(cert);
 131         CSSM_DATA *data;
 132         if (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &CSSMOID_CertificatePolicies, &data))
 133                 MacOSError::throwMe(rc);
 134         if (data && data->Data && data->Length == sizeof(CSSM_X509_EXTENSION)) {
 135                 const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)data->Data;
 136                 assert(ext->format == CSSM_X509_DATAFORMAT_PARSED);
 137                 const CE_CertPolicies *policies = (const CE_CertPolicies *)ext->value.parsedValue;
 138                 if (policies)
 139                         for (unsigned int n = 0; n < policies->numPolicies; n++) {
 140                                 const CE_PolicyInformation &cp = policies->policies[n];
 141                                 if (cp.certPolicyId == policyOid) {
 142                                         matched = true;
 143                                         break;
 144                                 }
 145                         }
 146         }
 147         SecCertificateReleaseFirstFieldValue(cert, &CSSMOID_PolicyConstraints, data);
 148         return matched;
 149 }
 150
 151
 152 //
 153 // Copyfile
 154 //
 155 Copyfile::Copyfile()
 156 {
 157         if (!(mState = copyfile_state_alloc()))
 158                 UnixError::throwMe();
 159 }
 160
 161 void Copyfile::set(uint32_t flag, const void *value)
 162 {
 163         check(::copyfile_state_set(mState, flag, value));
 164 }
 165
 166 void Copyfile::get(uint32_t flag, void *value)
 167 {
 168         check(::copyfile_state_set(mState, flag, value));
 169 }
 170
 171 void Copyfile::operator () (const char *src, const char *dst, copyfile_flags_t flags)
 172 {
 173         check(::copyfile(src, dst, mState, flags));
 174 }
 175
 176 void Copyfile::check(int rc)
 177 {
 178         if (rc < 0)
 179                 UnixError::throwMe();
 180 }
 181
 182
 183 //
 184 // MessageTracer support
 185 //
 186 MessageTrace::MessageTrace(const char *domain, const char *signature)
 187 {
 188         mAsl = asl_new(ASL_TYPE_MSG);
 189         if (domain)
 190                 asl_set(mAsl, "com.apple.message.domain", domain);
 191         if (signature)
 192                 asl_set(mAsl, "com.apple.message.signature", signature);
 193 }
 194
 195 void MessageTrace::add(const char *key, const char *format, ...)
 196 {
 197         va_list args;
 198         va_start(args, format);
 199         char value[200];
 200         vsnprintf(value, sizeof(value), format, args);
 201         va_end(args);
 202         asl_set(mAsl, (string("com.apple.message.") + key).c_str(), value);
 203 }
 204
 205 void MessageTrace::send(const char *format, ...)
 206 {
 207         va_list args;
 208         va_start(args, format);
 209         asl_vlog(NULL, mAsl, ASL_LEVEL_NOTICE, format, args);
 210         va_end(args);
 211 }
 212
 213
 214
 215 // Resource limited async workers for doing work on nested bundles
 216 LimitedAsync::LimitedAsync(bool async)
 217 {
 218         // validate multiple resources concurrently if bundle resides on solid-state media
 219
 220         // How many async workers to spin off. If zero, validating only happens synchronously.
 221         long async_workers = 0;
 222
 223         long ncpu = sysconf(_SC_NPROCESSORS_ONLN);
 224
 225         if (async && ncpu > 0)
 226                 async_workers = ncpu - 1; // one less because this thread also validates
 227
 228         mResourceSemaphore = new Dispatch::Semaphore(async_workers);
 229 }
 230
 231 LimitedAsync::LimitedAsync(LimitedAsync &limitedAsync)
 232 {
 233         mResourceSemaphore = new Dispatch::Semaphore(*limitedAsync.mResourceSemaphore);
 234 }
 235
 236 LimitedAsync::~LimitedAsync()
 237 {
 238         delete mResourceSemaphore;
 239 }
 240
 241 bool LimitedAsync::perform(Dispatch::Group &groupRef, void (^block)()) {
 242         __block Dispatch::SemaphoreWait wait(*mResourceSemaphore, DISPATCH_TIME_NOW);
 243
 244         if (wait.acquired()) {
 245                 dispatch_queue_t defaultQueue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0);
 246
 247                 groupRef.enqueue(defaultQueue, ^{
 248                         // Hold the semaphore count until the worker is done validating.
 249                         Dispatch::SemaphoreWait innerWait(wait);
 250                         block();
 251                 });
 252                 return true;
 253         } else {
 254                 block();
 255                 return false;
 256         }
 257 }
 258
 259 } // end namespace CodeSigning
 260 } // end namespace Security