OSX/libsecurity_keychain/Security/SecTrustedApplication.cpp

   1 /*
   2  * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #include <Security/SecTrustedApplicationPriv.h>
  25 #include <security_keychain/TrustedApplication.h>
  26 #include <security_keychain/Certificate.h>
  27 #include <securityd_client/ssclient.h>          // for code equivalence SPIs
  28
  29 #include "SecBridge.h"
  30
  31
  32
  33 #pragma clang diagnostic push
  34 #pragma clang diagnostic ignored "-Wunused-function"
  35 static inline CssmData cfData(CFDataRef data)
  36 {
  37     return CssmData(const_cast<UInt8 *>(CFDataGetBytePtr(data)),
  38         CFDataGetLength(data));
  39 }
  40 #pragma clang diagnostic pop
  41
  42
  43 CFTypeID
  44 SecTrustedApplicationGetTypeID(void)
  45 {
  46         BEGIN_SECAPI
  47
  48         return gTypes().TrustedApplication.typeID;
  49
  50         END_SECAPI1(_kCFRuntimeNotATypeID)
  51 }
  52
  53
  54 OSStatus
  55 SecTrustedApplicationCreateFromPath(const char *path, SecTrustedApplicationRef *appRef)
  56 {
  57         BEGIN_SECAPI
  58         SecPointer<TrustedApplication> app =
  59                 path ? new TrustedApplication(path) : new TrustedApplication;
  60         Required(appRef) = app->handle();
  61         END_SECAPI
  62 }
  63
  64 OSStatus SecTrustedApplicationCopyData(SecTrustedApplicationRef appRef,
  65         CFDataRef *dataRef)
  66 {
  67         BEGIN_SECAPI
  68         const char *path = TrustedApplication::required(appRef)->path();
  69         Required(dataRef) = CFDataCreate(NULL, (const UInt8 *)path, strlen(path) + 1);
  70         END_SECAPI
  71 }
  72
  73 OSStatus SecTrustedApplicationSetData(SecTrustedApplicationRef appRef,
  74         CFDataRef dataRef)
  75 {
  76         BEGIN_SECAPI
  77         if (!dataRef)
  78                 return errSecParam;
  79         TrustedApplication::required(appRef)->data(dataRef);
  80         END_SECAPI
  81 }
  82
  83
  84 OSStatus
  85 SecTrustedApplicationValidateWithPath(SecTrustedApplicationRef appRef, const char *path)
  86 {
  87         BEGIN_SECAPI
  88         TrustedApplication &app = *TrustedApplication::required(appRef);
  89         if (!app.verifyToDisk(path))
  90                 return CSSMERR_CSP_VERIFY_FAILED;
  91         END_SECAPI
  92 }
  93
  94
  95 //
  96 // Convert from/to external data representation
  97 //
  98 OSStatus SecTrustedApplicationCopyExternalRepresentation(
  99         SecTrustedApplicationRef appRef,
 100         CFDataRef *externalRef)
 101 {
 102         BEGIN_SECAPI
 103         TrustedApplication &app = *TrustedApplication::required(appRef);
 104         Required(externalRef) = app.externalForm();
 105         END_SECAPI
 106 }
 107
 108 OSStatus SecTrustedApplicationCreateWithExternalRepresentation(
 109         CFDataRef externalRef,
 110         SecTrustedApplicationRef *appRef)
 111 {
 112         BEGIN_SECAPI
 113         Required(appRef) = (new TrustedApplication(externalRef))->handle();
 114         END_SECAPI
 115 }
 116
 117
 118 OSStatus
 119 SecTrustedApplicationMakeEquivalent(SecTrustedApplicationRef oldRef,
 120         SecTrustedApplicationRef newRef, UInt32 flags)
 121 {
 122         BEGIN_SECAPI
 123     return errSecParam;
 124         END_SECAPI
 125 }
 126
 127 OSStatus
 128 SecTrustedApplicationRemoveEquivalence(SecTrustedApplicationRef appRef, UInt32 flags)
 129 {
 130         BEGIN_SECAPI
 131     return errSecParam;
 132         END_SECAPI
 133 }
 134
 135
 136 /*
 137  * Check to see if an application at a given path is a candidate for
 138  * pre-emptive code equivalency establishment
 139  */
 140 OSStatus
 141 SecTrustedApplicationIsUpdateCandidate(const char *installroot, const char *path)
 142 {
 143     BEGIN_SECAPI
 144     return CSSMERR_DL_RECORD_NOT_FOUND; // whatever
 145     END_SECAPI
 146 }
 147
 148
 149 /*
 150  * Point the system at another system root for equivalence use.
 151  * This is for system update installers (only)!
 152  */
 153 OSStatus
 154 SecTrustedApplicationUseAlternateSystem(const char *systemRoot)
 155 {
 156         BEGIN_SECAPI
 157     return errSecParam;
 158         END_SECAPI
 159 }
 160
 161
 162 /*
 163  * Gateway between traditional SecTrustedApplicationRefs and the Code Signing
 164  * subsystem. Invisible to the naked eye, as of 10.5 (Leopard), these reference
 165  * may contain Cod e Signing Requirement objects (SecRequirementRefs). For backward
 166  * compatibility, these are handled implicitly at the SecAccess/SecACL layer.
 167  * However, Those Who Know can bridge the gap for additional functionality.
 168  */
 169 OSStatus SecTrustedApplicationCreateFromRequirement(const char *description,
 170         SecRequirementRef requirement, SecTrustedApplicationRef *appRef)
 171 {
 172         BEGIN_SECAPI
 173         if (description == NULL)
 174                 description = "csreq://";       // default to "generic requirement"
 175         SecPointer<TrustedApplication> app = new TrustedApplication(description, requirement);
 176         Required(appRef) = app->handle();
 177         END_SECAPI
 178 }
 179
 180 OSStatus SecTrustedApplicationCopyRequirement(SecTrustedApplicationRef appRef,
 181         SecRequirementRef *requirement)
 182 {
 183         BEGIN_SECAPI
 184         Required(requirement) = TrustedApplication::required(appRef)->requirement();
 185         if (*requirement)
 186                 CFRetain(*requirement);
 187         END_SECAPI
 188 }
 189
 190
 191 /*
 192  * Create an application group reference.
 193  */
 194 OSStatus SecTrustedApplicationCreateApplicationGroup(const char *groupName,
 195         SecCertificateRef anchor, SecTrustedApplicationRef *appRef)
 196 {
 197         BEGIN_SECAPI
 198
 199         CFRef<SecRequirementRef> req;
 200         MacOSError::check(SecRequirementCreateGroup(CFTempString(groupName), anchor,
 201                 kSecCSDefaultFlags, &req.aref()));
 202         string description = string("group://") + groupName;
 203         if (anchor) {
 204                 Certificate *cert = Certificate::required(anchor);
 205                 const CssmData &hash = cert->publicKeyHash();
 206                 description = description + "?cert=" + cfString(cert->commonName())
 207                         + "&hash=" + hash.toHex();
 208         }
 209         SecPointer<TrustedApplication> app = new TrustedApplication(description, req);
 210         Required(appRef) = app->handle();
 211
 212         END_SECAPI
 213 }