1 /*
2 * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 //
25 // csutilities - miscellaneous utilities for the code signing implementation
26 //
27 #include "csutilities.h"
28 #include <Security/SecCertificatePriv.h>
29 #include <utilities/SecAppleAnchorPriv.h>
30 #include <utilities/SecInternalReleasePriv.h>
31 #include "requirement.h"
32 #include <security_utilities/hashing.h>
33 #include <security_utilities/debugging.h>
34 #include <security_utilities/errors.h>
35 #include <sys/utsname.h>
36
37 namespace Security {
38 namespace CodeSigning {
39
40
//
// Test for the canonical Apple CA certificate.
//
// Returns true when `cert` is one of the Apple trust anchors. On internal
// releases the test anchors are accepted as well, so the same certificate can
// be answered differently on internal and customer builds.
//
bool isAppleCA(SecCertificateRef cert)
{
	const bool acceptTestAnchors = SecIsInternalRelease();
	return SecIsAppleTrustAnchor(cert,
		acceptTestAnchors
			? SecAppleTrustAnchorFlags(kSecAppleTrustAnchorFlagsIncludeTestAnchors)
			: SecAppleTrustAnchorFlags(0));
}
51
52
//
// Calculate the canonical hash of a certificate, given its raw (DER) data.
//
// certData/certLength: the DER-encoded certificate bytes.
// digest: receives the SHA-1 digest (SHA1::digestLength bytes). SHA-1 is the
// digest this code uses for certificate identity; verifyHash below compares
// it byte for byte.
//
void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest)
{
	SHA1 sha;
	sha(certData, certLength);	// the whole DER blob in a single update
	sha.finish(digest);
}
62
63
//
// Ditto, given a SecCertificateRef.
//
// Obtains the DER bytes through the platform's certificate API and hands them
// to the raw-data overload above. The null check is an assert and therefore
// compiles out in release builds.
//
void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest)
{
	assert(cert);
#if TARGET_OS_OSX
	CSSM_DATA der;
	MacOSError::check(SecCertificateGetData(cert, &der));
	const void *bytes = der.Data;
	const size_t length = der.Length;
#else
	const void *bytes = SecCertificateGetBytePtr(cert);
	const size_t length = SecCertificateGetLength(cert);
#endif
	hashOfCertificate(bytes, length, digest);
}
78
79
//
// One-stop hash-certificate-and-compare.
//
// `digest` must point at SHA1::digestLength bytes. Returns true if the SHA-1 of
// the certificate's DER data equals it. A plain memcmp is fine here: both
// operands are digests of public certificate data, not secret material, so
// the comparison's timing reveals nothing worth protecting.
//
bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest)
{
	SHA1::Digest actual;
	hashOfCertificate(cert, actual);
	return memcmp(actual, digest, SHA1::digestLength) == 0;
}
89
90 #if TARGET_OS_OSX
//
// Check to see if a certificate contains a particular field, by OID. This works for extensions,
// even ones not recognized by the local CL. It does not return any value, only presence.
//
// Two lookups are made. First the CL is asked for the field directly; if the CL does not
// recognize the OID (errSecUnknownTag), the CL's list of unparsed extensions is scanned for
// a matching extnId. Any other CL error is thrown as a MacOSError. As elsewhere in this file,
// the null-certificate check is an assert only.
//
bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid)
{
	assert(cert);

	// First try: a field the CL recognizes and can hand back directly.
	CSSM_DATA *firstValue;
	const OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &oid, &firstValue);
	if (rc == errSecSuccess) {
		MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &oid, firstValue));
		return true;		// the CL knows this field and the certificate carries it
	}
	if (rc != errSecUnknownTag)
		MacOSError::throwMe(rc);	// a real failure, not merely "OID not recognized"

	// Second try: the CL's bag of unrecognized extensions, matched by extnId.
	CSSM_DATA **extensions;
	if (SecCertificateCopyFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, &extensions))
		return false;		// no unrecognized extensions at all - nothing can match
	bool present = false;
	if (extensions) {
		for (CSSM_DATA **entry = extensions; *entry != NULL && !present; ++entry) {
			// Each entry's Data is a CSSM_X509_EXTENSION built by the CL itself; its
			// Length is not re-checked here (the CL's own layout is trusted).
			const CSSM_X509_EXTENSION *ext =
				reinterpret_cast<const CSSM_X509_EXTENSION *>((*entry)->Data);
			present = (oid == ext->extnId);
		}
	}
	MacOSError::check(SecCertificateReleaseFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, extensions));
	return present;
}
125
126
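//
// Test whether the certificate's certificatePolicies extension carries a given policy OID.
// This currently ignores policy qualifiers.
//
// Returns true if one of the extension's PolicyInformation entries has a certPolicyId equal
// to policyOid. Throws MacOSError if the CL cannot return the certificatePolicies field
// (which, as far as this code shows, includes a certificate without that extension) or if
// releasing the field value fails.
//
bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid)
{
	assert(cert);
	CSSM_DATA *data;
	if (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &CSSMOID_CertificatePolicies, &data))
		MacOSError::throwMe(rc);

	bool matched = false;
	if (data && data->Data && data->Length == sizeof(CSSM_X509_EXTENSION)) {
		const CSSM_X509_EXTENSION *ext = reinterpret_cast<const CSSM_X509_EXTENSION *>(data->Data);
		assert(ext->format == CSSM_X509_DATAFORMAT_PARSED);
		// The assert compiles out in release builds, so only treat parsedValue as a
		// CE_CertPolicies when the CL actually reports the parsed format.
		if (ext->format == CSSM_X509_DATAFORMAT_PARSED) {
			const CE_CertPolicies *policies = static_cast<const CE_CertPolicies *>(ext->value.parsedValue);
			if (policies) {
				for (unsigned int n = 0; n < policies->numPolicies && !matched; n++)
					matched = (policies->policies[n].certPolicyId == policyOid);
			}
		}
	}
	// Release under the same field OID that was used to copy (certificatePolicies, not
	// policyConstraints), and report a failed release the way certificateHasField does.
	MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &CSSMOID_CertificatePolicies, data));
	return matched;
}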
154 #endif
155
156 //
157 // Copyfile
158 //
//
// Allocate copyfile(3) state for this wrapper. A NULL result is reported as
// the current errno via UnixError. Release of the state is presumably done by
// the destructor declared in the header (not visible in this file).
//
Copyfile::Copyfile()
{
	mState = ::copyfile_state_alloc();
	if (mState == NULL)
		UnixError::throwMe();
}
164
//
// Set a copyfile state parameter. `flag` is a COPYFILE_STATE_* selector and
// `value` the parameter value that selector expects; a negative return from
// copyfile_state_set is thrown as UnixError by check().
//
void Copyfile::set(uint32_t flag, const void *value)
{
	const int rc = ::copyfile_state_set(mState, flag, value);
	check(rc);
}
169
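//
// Read a copyfile state parameter (the inverse of set). `flag` is a
// COPYFILE_STATE_* selector and `value` points at storage of the type that
// selector documents; a negative return is thrown as UnixError by check().
//
void Copyfile::get(uint32_t flag, void *value)
{
	// copyfile_state_get, not _set: this is the accessor. Passing the caller's
	// output buffer to copyfile_state_set would install it as a parameter
	// instead of reading anything back.
	check(::copyfile_state_get(mState, flag, value));
}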
174
//
// Perform the copy from `src` to `dst` with this object's state and the given
// COPYFILE_* flags. A negative return from copyfile(3) is thrown as UnixError.
//
void Copyfile::operator () (const char *src, const char *dst, copyfile_flags_t flags)
{
	const int rc = ::copyfile(src, dst, mState, flags);
	check(rc);
}
179
//
// Translate a copyfile(3) return code into an exception: anything negative
// becomes a UnixError carrying the current errno; non-negative values pass.
//
void Copyfile::check(int rc)
{
	if (rc >= 0)
		return;		// copyfile(3) reports success as a non-negative value
	UnixError::throwMe();
}
185
186
187 //
188 // MessageTracer support
189 //
//
// Start a MessageTracer record. `domain` and `signature` populate the
// com.apple.message.domain / .signature keys; a NULL argument leaves that key unset.
// NOTE(review): asl_new may return NULL; the asl_set calls would then be made on
// a NULL message - not guarded here.
//
MessageTrace::MessageTrace(const char *domain, const char *signature)
{
	mAsl = asl_new(ASL_TYPE_MSG);
	if (domain != NULL)
		asl_set(mAsl, "com.apple.message.domain", domain);
	if (signature != NULL)
		asl_set(mAsl, "com.apple.message.signature", signature);
}
198
//
// Add a formatted value under the key com.apple.message.<key>.
// The value is formatted into a fixed 200-byte buffer; longer output is
// silently truncated (vsnprintf always NUL-terminates).
//
void MessageTrace::add(const char *key, const char *format, ...)
{
	char value[200];
	va_list args;
	va_start(args, format);
	vsnprintf(value, sizeof(value), format, args);
	va_end(args);

	// MessageTracer keys live under the com.apple.message. namespace.
	const string fullKey = string("com.apple.message.") + key;
	asl_set(mAsl, fullKey.c_str(), value);
}
208
//
// Emit the record at NOTICE level, with a printf-style message body.
//
void MessageTrace::send(const char *format, ...)
{
	va_list args;
	va_start(args, format);
	// NULL client: log through the default ASL connection.
	asl_vlog(NULL, mAsl, ASL_LEVEL_NOTICE, format, args);
	va_end(args);
}
216
217
218
219 // Resource limited async workers for doing work on nested bundles
//
// Set up the worker budget for nested-bundle validation.
// With `async` false (or when the CPU count is unavailable) the budget is zero
// and perform() runs everything on the calling thread. Otherwise one worker
// per online CPU less one, because the calling thread validates as well.
//
LimitedAsync::LimitedAsync(bool async)
{
	const long onlineCpus = sysconf(_SC_NPROCESSORS_ONLN);

	long workers = 0;
	if (async && onlineCpus > 0)
		workers = onlineCpus - 1;

	// Owned raw pointer; released in the destructor below.
	mResourceSemaphore = new Dispatch::Semaphore(workers);
}
234
//
// Copy: each instance owns its own Semaphore, constructed from the source's.
// NOTE(review): no copy-assignment is defined in this file; unless the header
// deletes or defines one, the compiler default would copy the raw pointer and
// the destructor would then delete it twice.
//
LimitedAsync::LimitedAsync(LimitedAsync &limitedAsync)
{
	Dispatch::Semaphore &source = *limitedAsync.mResourceSemaphore;
	mResourceSemaphore = new Dispatch::Semaphore(source);
}
239
//
// Release the owned semaphore.
//
LimitedAsync::~LimitedAsync()
{
	Dispatch::Semaphore *owned = mResourceSemaphore;
	delete owned;
}
244
//
// Run `block` either on a global queue (if a worker slot is free right now) or
// inline on the calling thread. Returns true when the work was enqueued and
// false when it ran synchronously. Enqueued work is tracked by `groupRef`.
//
bool LimitedAsync::perform(Dispatch::Group &groupRef, void (^block)()) {
	// Non-blocking attempt to take a worker slot. Declared __block so the
	// enqueued block can take over the hold (innerWait) instead of a copy.
	__block Dispatch::SemaphoreWait wait(*mResourceSemaphore, DISPATCH_TIME_NOW);

	if (!wait.acquired()) {
		// No slot free: do the work here, on the caller's thread.
		block();
		return false;
	}

	dispatch_queue_t queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0);
	groupRef.enqueue(queue, ^{
		// Keep the semaphore count held until this worker has finished.
		Dispatch::SemaphoreWait innerWait(wait);
		block();
	});
	return true;
}
262
263 } // end namespace CodeSigning
264 } // end namespace Security