Security-57031.40.6.tar.gz
1 /*
2 * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 //
25 // csutilities - miscellaneous utilities for the code signing implementation
26 //
27 #include "csutilities.h"
28 #include <Security/SecCertificatePriv.h>
29 #include <security_codesigning/requirement.h>
30 #include <security_utilities/hashing.h>
31 #include <security_utilities/debugging.h>
32 #include <security_utilities/errors.h>
33
34 namespace Security {
35 namespace CodeSigning {
36
37
//
// SHA-1 digest of the canonical Apple certificate root anchor.
// isAppleCA() compares certificate hashes against these 20 bytes.
// NOTE(review): the anchor is pinned by SHA-1 digest alone in this file;
// presumably callers validate the certificate chain separately - confirm.
//
static const SHA1::Digest gAppleAnchorHash = {
	0x61, 0x1e, 0x5b, 0x66, 0x2c,
	0x59, 0x3a, 0x08, 0xff, 0x58,
	0xd1, 0x4a, 0xe2, 0x24, 0x52,
	0xd1, 0x98, 0xdf, 0x6c, 0x60
};
44
45
46
//
// Test whether a certificate is the canonical Apple CA root.
// The certificate is hashed and the result compared with gAppleAnchorHash
// (both steps are delegated to verifyHash).
//
bool isAppleCA(SecCertificateRef cert)
{
	const bool matchesAnchor = verifyHash(cert, gAppleAnchorHash);
	return matchesAnchor;
}
54
// Same test, given an already-computed SHA-1 digest.
// No length is passed in: the caller must supply at least
// SHA1::digestLength readable bytes at sha1.
bool isAppleCA(const Hashing::Byte *sha1)
{
	return memcmp(sha1, gAppleAnchorHash, SHA1::digestLength) == 0;
}
59
60
//
// Compute the canonical (SHA-1) hash of a certificate from its raw (DER) bytes.
// certData/certLength describe the input buffer; the result is written to digest.
//
void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest)
{
	SHA1 sha;
	sha(certData, certLength);	// feed the whole encoding in one step
	sha.finish(digest);
}
70
71
//
// Compute the canonical hash of a certificate given as a SecCertificateRef.
// Throws (via MacOSError::check) if the certificate data cannot be obtained.
//
void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest)
{
	// Debug-only guard: where assert is compiled out, a null cert is passed
	// on to SecCertificateGetData unchecked.
	assert(cert);
	CSSM_DATA der;
	MacOSError::check(SecCertificateGetData(cert, &der));
	hashOfCertificate(der.Data, der.Length, digest);
}
82
83
//
// Hash a certificate and compare the result with an expected digest.
// digest must point to at least SHA1::digestLength bytes.
// Returns true only if all SHA1::digestLength bytes are equal.
//
bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest)
{
	SHA1::Digest computed;
	hashOfCertificate(cert, computed);
	const int difference = memcmp(computed, digest, SHA1::digestLength);
	return difference == 0;
}
93
94
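//
// Check to see if a certificate contains a particular field, by OID. This works for extensions,
// even ones not recognized by the local CL. It does not return any value, only presence.
//
// Returns true if the field is present, false if it is absent or if the CL's
// list of unrecognized extensions cannot be fetched.
// Throws (via MacOSError) on any first-lookup error other than errSecUnknownTag,
// and if releasing a fetched field value fails.
//
bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid)
{
	assert(cert);
	CSSM_DATA *value = NULL;
	switch (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &oid, &value)) {
	case errSecSuccess:
		MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &oid, value));
		return true;		// extension found by oid
	case errSecUnknownTag:
		break;				// oid not recognized by CL - continue below
	default:
		MacOSError::throwMe(rc);	// error: fail
	}

	// check the CL's bag of unrecognized extensions
	CSSM_DATA **values = NULL;
	bool found = false;
	if (SecCertificateCopyFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, &values))
		return false;	// no unrecognized extensions - no match
	if (values)
		for (CSSM_DATA **p = values; *p; p++) {
			// Each entry is about to be read as a CSSM_X509_EXTENSION; skip any
			// entry that is empty or too short to hold one rather than read past it.
			if ((*p)->Data == NULL || (*p)->Length < sizeof(CSSM_X509_EXTENSION))
				continue;
			const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)(*p)->Data;
			if (oid == ext->extnId) {
				found = true;
				break;
			}
		}
	MacOSError::check(SecCertificateReleaseFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, values));
	return found;
}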
129
130
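//
// Test whether a certificate's X.509 certificate-policies extension lists
// the given policy OID. This currently ignores policy qualifiers.
//
// Returns true if policyOid is among the listed policies, false otherwise.
// Throws (via MacOSError) if the policies field cannot be fetched.
//
bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid)
{
	bool matched = false;
	assert(cert);
	CSSM_DATA *data = NULL;
	if (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &CSSMOID_CertificatePolicies, &data))
		MacOSError::throwMe(rc);
	if (data && data->Data && data->Length == sizeof(CSSM_X509_EXTENSION)) {
		const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)data->Data;
		// parsedValue is only meaningful for the parsed format. Enforce that at
		// run time (an assert may be compiled out) and treat anything else as
		// "no match" instead of reinterpreting the value.
		if (ext->format == CSSM_X509_DATAFORMAT_PARSED) {
			const CE_CertPolicies *policies = (const CE_CertPolicies *)ext->value.parsedValue;
			if (policies)
				for (unsigned int n = 0; n < policies->numPolicies; n++) {
					const CE_PolicyInformation &cp = policies->policies[n];
					if (cp.certPolicyId == policyOid) {
						matched = true;
						break;
					}
				}
		}
	}
	// Release under the same OID the value was fetched with. The result is
	// deliberately not checked, so a release failure cannot mask the answer.
	(void)SecCertificateReleaseFirstFieldValue(cert, &CSSMOID_CertificatePolicies, data);
	return matched;
}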
158
159
//
// Copyfile - wrapper around a copyfile(3) state object.
// The constructor allocates the state and throws a UnixError if that fails.
//
Copyfile::Copyfile()
{
	mState = copyfile_state_alloc();
	if (mState == NULL)
		UnixError::throwMe();
}
168
// Set one attribute (selected by flag) on the copyfile state.
// Throws a UnixError if copyfile_state_set reports failure.
void Copyfile::set(uint32_t flag, const void *value)
{
	const int rc = ::copyfile_state_set(mState, flag, value);
	check(rc);
}
173
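// Read one attribute (selected by flag) of the copyfile state into *value.
// This must go through copyfile_state_get: copyfile_state_set would treat
// value as an input and modify the state instead of reporting it.
// Throws a UnixError if the call reports failure.
void Copyfile::get(uint32_t flag, void *value)
{
	check(::copyfile_state_get(mState, flag, value));
}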
178
// Copy src to dst with the given copyfile flags, using this object's state.
// Both paths are handed to copyfile() as given; no checking is done here.
// Throws a UnixError if copyfile reports failure.
void Copyfile::operator () (const char *src, const char *dst, copyfile_flags_t flags)
{
	const int rc = ::copyfile(src, dst, mState, flags);
	check(rc);
}
183
// Turn a negative copyfile-family return code into a thrown UnixError.
// Non-negative codes are success and return normally.
// NOTE(review): throwMe() is called without an argument and presumably
// picks up errno - confirm.
void Copyfile::check(int rc)
{
	if (rc >= 0)
		return;
	UnixError::throwMe();
}
189
190
//
// MessageTracer support
//
// Create a new ASL message and, where given, record the MessageTracer
// domain and signature keys on it. Either argument may be NULL to skip its key.
//
MessageTrace::MessageTrace(const char *domain, const char *signature)
{
	mAsl = asl_new(ASL_TYPE_MSG);
	if (domain != NULL)
		asl_set(mAsl, "com.apple.message.domain", domain);
	if (signature != NULL)
		asl_set(mAsl, "com.apple.message.signature", signature);
}
202
// Add a printf-style formatted value under "com.apple.message.<key>".
// The formatted text is built in a 200-byte buffer, so longer values are
// truncated by vsnprintf. format is used as a format string as given, so
// callers should pass a fixed format and supply variable data as arguments.
void MessageTrace::add(const char *key, const char *format, ...)
{
	char value[200];
	va_list args;
	va_start(args, format);
	vsnprintf(value, sizeof(value), format, args);
	va_end(args);

	const string fullKey = string("com.apple.message.") + key;
	asl_set(mAsl, fullKey.c_str(), value);
}
212
// Log the accumulated message at ASL_LEVEL_NOTICE with a printf-style text.
// NULL is passed as the ASL client handle. format is used as a format string
// as given, so callers should pass a fixed format.
void MessageTrace::send(const char *format, ...)
{
	va_list ap;
	va_start(ap, format);
	asl_vlog(NULL, mAsl, ASL_LEVEL_NOTICE, format, ap);
	va_end(ap);
}
220
221
222
// Resource limited async workers for doing work on nested bundles
//
// Size the worker semaphore. With async set and a positive online CPU count,
// the count is one less than the CPUs, because this thread also validates.
// Otherwise the count is zero and validation only happens synchronously.
// NOTE(review): the original comment ties concurrency to the bundle residing
// on solid-state media; presumably the caller decides that via async - confirm.
LimitedAsync::LimitedAsync(bool async)
{
	const long ncpu = sysconf(_SC_NPROCESSORS_ONLN);
	const long async_workers = (async && ncpu > 0) ? ncpu - 1 : 0;

	mResourceSemaphore = new Dispatch::Semaphore(async_workers);
}
238
// Copy: allocate a new Dispatch::Semaphore object copy-constructed from the
// source's, so each LimitedAsync deletes only its own allocation.
LimitedAsync::LimitedAsync(LimitedAsync &limitedAsync)
{
	Dispatch::Semaphore &source = *limitedAsync.mResourceSemaphore;
	mResourceSemaphore = new Dispatch::Semaphore(source);
}
243
// Free the semaphore object allocated by the constructors.
LimitedAsync::~LimitedAsync()
{
	delete mResourceSemaphore;
}
248
// Run block, asynchronously if a worker slot is free, else inline.
// Tries to take a slot from the resource semaphore without waiting
// (DISPATCH_TIME_NOW). Returns true if the block was enqueued on groupRef,
// false if it ran synchronously on the calling thread.
bool LimitedAsync::perform(Dispatch::Group &groupRef, void (^block)())
{
	__block Dispatch::SemaphoreWait wait(*mResourceSemaphore, DISPATCH_TIME_NOW);

	// No free slot: do the work right here.
	if (!wait.acquired()) {
		block();
		return false;
	}

	dispatch_queue_t defaultQueue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0);
	groupRef.enqueue(defaultQueue, ^{
		// Hold the semaphore count until the worker is done validating.
		Dispatch::SemaphoreWait innerWait(wait);
		block();
	});
	return true;
}
266
267 } // end namespace CodeSigning
268 } // end namespace Security