OSX/libsecurity_codesigning/lib/signer.h

   1 /*
   2  * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // signer - Signing operation supervisor and controller
  26 //
  27 #ifndef _H_SIGNER
  28 #define _H_SIGNER
  29
  30 #include "CodeSigner.h"
  31 #include "cdbuilder.h"
  32 #include "signerutils.h"
  33 #include "StaticCode.h"
  34 #include <security_utilities/utilities.h>
  35
  36 namespace Security {
  37 namespace CodeSigning {
  38
  39
  40 //
  41 // The signer driver class.
  42 // This is a workflow object, containing all the data needed for the various
  43 // signing stages to cooperate. It is not meant to be API visible; that is
  44 // SecCodeSigner's job.
  45 //
  46 class SecCodeSigner::Signer : public DiskRep::SigningContext {
  47 public:
  48         Signer(SecCodeSigner &s, SecStaticCode *c) : state(s), code(c), requirements(NULL)
  49         { strict = signingFlags() & kSecCSSignStrictPreflight; }
  50         ~Signer() { ::free((Requirements *)requirements); }
  51
  52         void sign(SecCSFlags flags);
  53         void remove(SecCSFlags flags);
  54
  55         SecCodeSigner &state;
  56         SecStaticCode * const code;
  57
  58         const CodeDirectory::HashAlgorithms& digestAlgorithms() const { return hashAlgorithms; }
  59         void setDigestAlgorithms(CodeDirectory::HashAlgorithms types) { hashAlgorithms = types; }
  60
  61         std::string path() const { return cfStringRelease(rep->copyCanonicalPath()); }
  62         SecIdentityRef signingIdentity() const { return state.mSigner; }
  63         std::string signingIdentifier() const { return identifier; }
  64
  65 protected:
  66         void prepare(SecCSFlags flags);                         // set up signing parameters
  67         void signMachO(Universal *fat, const Requirement::Context &context); // sign a Mach-O binary
  68         void signArchitectureAgnostic(const Requirement::Context &context); // sign anything else
  69
  70         // HashAlgorithm -> PreEncrypt hashes
  71         typedef std::map<CodeDirectory::HashAlgorithm, CFCopyRef<CFDataRef> >
  72                 PreEncryptHashMap;
  73         // Architecture -> PreEncryptHashMap
  74         typedef std::map<Architecture, PreEncryptHashMap >
  75                 PreEncryptHashMaps;
  76         // HashAlgorithm -> Hardened Runtime Version
  77         typedef std::map<CodeDirectory::HashAlgorithm, uint32_t>
  78                 RuntimeVersionMap;
  79         // Architecture -> RuntimeVersionMap
  80         typedef std::map<Architecture, RuntimeVersionMap>
  81                 RuntimeVersionMaps;
  82
  83         void populate(DiskRep::Writer &writer);         // global
  84         void populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer,
  85                                   InternalRequirements &ireqs,
  86                                   size_t offset, size_t length,
  87                                   bool mainBinary, size_t execSegBase, size_t execSegLimit,
  88                                   unsigned alternateDigestCount,
  89                                   const PreEncryptHashMap& preEncryptHashMap,
  90                                   uint32_t runtimeVersion);     // per-architecture
  91         CFDataRef signCodeDirectory(const CodeDirectory *cd,
  92                                                                 CFDictionaryRef hashDict, CFArrayRef hashList);
  93
  94         uint32_t cdTextFlags(std::string text);         // convert text CodeDirectory flags
  95         std::string uniqueName() const;                         // derive unique string from rep
  96
  97 protected:
  98
  99         std::string sdkPath(const std::string &path) const;
 100         bool isAdhoc() const;
 101         SecCSFlags signingFlags() const;
 102
 103 private:
 104         void addPreEncryptHashes(PreEncryptHashMap &map, SecStaticCode const *code);
 105         void addRuntimeVersions(RuntimeVersionMap &map, SecStaticCode const *code);
 106
 107         void considerTeamID(const PreSigningContext& context);
 108         std::vector<Endian<uint32_t> > topSlots(CodeDirectory::Builder &builder) const;
 109
 110         static bool booleanEntitlement(CFDictionaryRef entDict, CFStringRef key);
 111         static void cookEntitlements(CFDataRef entitlements, bool generateDER,
 112                                                                  uint64_t *execSegFlags, CFDataRef *entitlementsDER);
 113
 114 protected:
 115         void buildResources(std::string root, std::string relBase, CFDictionaryRef rules);
 116         CFMutableDictionaryRef signNested(const std::string &path, const std::string &relpath);
 117         CFDataRef hashFile(const char *path, CodeDirectory::HashAlgorithm type);
 118         CFDictionaryRef hashFile(const char *path, CodeDirectory::HashAlgorithms types);
 119
 120 private:
 121         RefPointer<DiskRep> rep;                // DiskRep of Code being signed
 122         CFRef<CFDictionaryRef> resourceDirectory;       // resource directory
 123         CFRef<CFDataRef> resourceDictData; // XML form of resourceDirectory
 124         CodeDirectory::HashAlgorithms hashAlgorithms; // hash algorithm(s) to use
 125         std::string identifier;                 // signing identifier
 126         std::string teamID;             // team identifier
 127         CFRef<CFDataRef> entitlements;  // entitlements
 128         Architecture preEncryptMainArch; // pre-encrypt main architecture
 129         PreEncryptHashMaps preEncryptHashMaps;  // pre-encrypt hashes to keep
 130         Architecture runtimeVersionMainArch; // runtime version main architecture
 131         RuntimeVersionMaps runtimeVersionMap; // runtime versions to keep
 132         uint32_t cdFlags;                               // CodeDirectory flags
 133         const Requirements *requirements; // internal requirements ready-to-use
 134         size_t pagesize;                                // size of main executable pages
 135         CFAbsoluteTime signingTime;             // signing time for CMS signature (0 => now)
 136         bool emitSigningTime;                   // emit signing time as a signed CMS attribute
 137         bool strict;                                    // strict validation
 138         bool generateEntitlementDER;    // generate entitlement DER
 139
 140 private:
 141         Mutex resourceLock;
 142 };
 143
 144
 145 } // end namespace CodeSigning
 146 } // end namespace Security
 147
 148 #endif // !_H_CODESIGNER