OSX/libsecurity_codesigning/lib/SecStaticCode.h

   1 /*
   2  * Copyright (c) 2006,2011-2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 /*!
  25         @header SecStaticCode
  26         SecStaticCode represents the Code Signing identity of code in the file system.
  27         This includes applications, tools, frameworks, plugins, scripts, and so on.
  28         Note that arbitrary files will be considered scripts of unknown provenance;
  29         and thus it is possible to handle most files as if they were code, though that is
  30         not necessarily a good idea.
  31
  32         Normally, each SecCode has a specific SecStaticCode that holds its static signing
  33         data. Informally, that is the SecStaticCode the SecCode "was made from" (by its host).
  34         There is however no viable link in the other direction - given a SecStaticCode,
  35         it is not possible to find, enumerate, or control any SecCode that originated from it.
  36         There might not be any at a given point in time; or there might be many.
  37 */
  38 #ifndef _H_SECSTATICCODE
  39 #define _H_SECSTATICCODE
  40
  41 #include <Security/CSCommon.h>
  42
  43 #ifdef __cplusplus
  44 extern "C" {
  45 #endif
  46
  47 CF_ASSUME_NONNULL_BEGIN
  48
  49 /*!
  50         @function SecStaticCodeGetTypeID
  51         Returns the type identifier of all SecStaticCode instances.
  52 */
  53 CFTypeID SecStaticCodeGetTypeID(void);
  54
  55
  56 /*!
  57         @function SecStaticCodeCreateWithPath
  58         Given a path to a file system object, create a SecStaticCode object representing
  59         the code at that location, if possible. Such a SecStaticCode is not inherently
  60         linked to running code in the system.
  61
  62         It is possible to create a SecStaticCode object from an unsigned code object.
  63         Most uses of such an object will return the errSecCSUnsigned error. However,
  64         SecCodeCopyPath and SecCodeCopySigningInformation can be safely applied to such objects.
  65
  66         @param path A path to a location in the file system. Only file:// URLs are
  67         currently supported. For bundles, pass a URL to the root directory of the
  68         bundle. For single files, pass a URL to the file. If you pass a URL to the
  69         main executable of a bundle, the bundle as a whole will be generally recognized.
  70         Caution: Paths containing embedded // or /../ within a bundle's directory
  71         may cause the bundle to be misconstrued. If you expect to submit such paths,
  72         first clean them with realpath(3) or equivalent.
  73         @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
  74         @param attributes A CFDictionary containing additional attributes of the code sought.
  75         @param staticCode On successful return, contains a reference to the StaticCode object
  76         representing the code at path. Unchanged on error.
  77         @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
  78         CSCommon.h or certain other Security framework headers.
  79
  80         @constant kSecCodeAttributeArchitecture Specifies the Mach-O architecture of code desired.
  81         This can be a CFString containing a canonical architecture name ("i386" etc.), or a CFNumber
  82         specifying an architecture numerically (see mach/machine.h). This key is ignored if the code
  83         is not in Mach-O binary form. If the code is Mach-O but not universal ("thin"), the architecture
  84         specified must agree with the actual file contents.
  85         @constant kSecCodeAttributeSubarchitecture If the architecture is specified numerically
  86         (using the kSecCodeAttributeArchitecture key), specifies any sub-architecture by number.
  87         This key is ignored if no main architecture is specified; if it is specified by name; or
  88         if the code is not in Mach-O form.
  89         @constant kSecCodeAttributeUniversalFileOffset The offset of a Mach-O specific slice of a universal Mach-O file.
  90 */
  91 extern const CFStringRef kSecCodeAttributeArchitecture;
  92 extern const CFStringRef kSecCodeAttributeSubarchitecture;
  93 extern const CFStringRef kSecCodeAttributeUniversalFileOffset;
  94 extern const CFStringRef kSecCodeAttributeBundleVersion;
  95
  96 OSStatus SecStaticCodeCreateWithPath(CFURLRef path, SecCSFlags flags, SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode);
  97
  98 OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes,
  99         SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode);
 100
 101
 102 /*!
 103         @function SecStaticCodeCheckValidity
 104         Performs static validation on the given SecStaticCode object. The call obtains and
 105         verifies the signature on the code object. It checks the validity of all
 106         sealed components (including resources, if any). It validates the code against
 107         a SecRequirement if one is given. The call succeeds if all these conditions
 108         are satisfactory. It fails otherwise.
 109
 110         This call is only secure if the code is not subject to concurrent modification,
 111         and the outcome is only valid as long as the code is unmodified thereafter.
 112         Consider this carefully if the underlying file system has dynamic characteristics,
 113         such as a network file system, union mount, FUSE, etc.
 114
 115         @param staticCode The code object to be validated.
 116         @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
 117
 118         @constant kSecCSCheckAllArchitectures
 119         For multi-architecture (universal) Mach-O programs, validate all architectures
 120         included. By default, only the native architecture is validated.
 121         @constant kSecCSNoDnotValidateExecutable
 122         Do not validate the contents of the main executable. This is normally done.
 123         @constant kSecCSNoNotValidateResources
 124         Do not validate the presence and contents of all bundle resources (if any).
 125         By default, a mismatch in any bundle resource causes validation to fail.
 126         @constant kSecCSCheckNestedCode
 127         For code in bundle form, locate and recursively check embedded code. Only code
 128         in standard locations is considered.
 129         @constant kSecCSStrictValidate
 130         For code in bundle form, perform additional checks to verify that the bundle
 131         is not structured in a way that would allow tampering, and reject any resource
 132         envelope that introduces weaknesses into the signature.
 133
 134         @param requirement On optional code requirement specifying additional conditions
 135         the staticCode object must satisfy to be considered valid. If NULL, no additional
 136         requirements are imposed.
 137         @param errors An optional pointer to a CFErrorRef variable. If the call fails
 138         (something other than errSecSuccess is returned), and this argument is non-NULL,
 139         a CFErrorRef is stored there further describing the nature and circumstances
 140         of the failure. The caller must CFRelease() this error object when done with it.
 141         @result If validation succeeds, errSecSuccess. If validation fails, an OSStatus value
 142         documented in CSCommon.h or certain other Security framework headers.
 143 */
 144 CF_ENUM(uint32_t) {
 145         kSecCSCheckAllArchitectures = 1 << 0,
 146         kSecCSDoNotValidateExecutable = 1 << 1,
 147         kSecCSDoNotValidateResources = 1 << 2,
 148         kSecCSBasicValidateOnly = kSecCSDoNotValidateExecutable | kSecCSDoNotValidateResources,
 149         kSecCSCheckNestedCode = 1 << 3,
 150         kSecCSStrictValidate = 1 << 4,
 151         kSecCSFullReport = 1 << 5,
 152         kSecCSCheckGatekeeperArchitectures = (1 << 6) | kSecCSCheckAllArchitectures,
 153         kSecCSRestrictSymlinks = 1 << 7,
 154 };
 155
 156 OSStatus SecStaticCodeCheckValidity(SecStaticCodeRef staticCode, SecCSFlags flags,
 157         SecRequirementRef __nullable requirement);
 158
 159 OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCode, SecCSFlags flags,
 160         SecRequirementRef __nullable requirement, CFErrorRef *errors);
 161
 162 CF_ASSUME_NONNULL_END
 163
 164 #ifdef __cplusplus
 165 }
 166 #endif
 167
 168 #endif //_H_SECSTATICCODE