OSX/libsecurity_codesigning/lib/SecCodeSigner.cpp

   1 /*
   2  * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // SecCode - API frame for SecCode objects.
  26 //
  27 // Note that some SecCode* functions take SecStaticCodeRef arguments in order to
  28 // accept either static or dynamic code references, operating on the respective
  29 // StaticCode. Those functions are in SecStaticCode.cpp, not here, despite their name.
  30 //
  31 #include "cs.h"
  32 #include "CodeSigner.h"
  33 #include "cskernel.h"
  34
  35 using namespace CodeSigning;
  36
  37
  38 //
  39 // Parameter keys
  40 //
  41 const CFStringRef kSecCodeSignerApplicationData = CFSTR("application-specific");
  42 const CFStringRef kSecCodeSignerDetached =              CFSTR("detached");
  43 const CFStringRef kSecCodeSignerDigestAlgorithm = CFSTR("digest-algorithm");
  44 const CFStringRef kSecCodeSignerDryRun =                CFSTR("dryrun");
  45 const CFStringRef kSecCodeSignerEntitlements =  CFSTR("entitlements");
  46 const CFStringRef kSecCodeSignerFlags =                 CFSTR("flags");
  47 const CFStringRef kSecCodeSignerIdentifier =    CFSTR("identifier");
  48 const CFStringRef kSecCodeSignerIdentifierPrefix = CFSTR("identifier-prefix");
  49 const CFStringRef kSecCodeSignerIdentity =              CFSTR("signer");
  50 const CFStringRef kSecCodeSignerPageSize =              CFSTR("pagesize");
  51 const CFStringRef kSecCodeSignerRequirements =  CFSTR("requirements");
  52 const CFStringRef kSecCodeSignerResourceRules = CFSTR("resource-rules");
  53 const CFStringRef kSecCodeSignerSDKRoot =               CFSTR("sdkroot");
  54 const CFStringRef kSecCodeSignerSigningTime =   CFSTR("signing-time");
  55 const CFStringRef kSecCodeSignerRequireTimestamp = CFSTR("timestamp-required");
  56 const CFStringRef kSecCodeSignerTimestampServer = CFSTR("timestamp-url");
  57 const CFStringRef kSecCodeSignerTimestampAuthentication = CFSTR("timestamp-authentication");
  58 const CFStringRef kSecCodeSignerTimestampOmitCertificates =     CFSTR("timestamp-omit-certificates");
  59 const CFStringRef kSecCodeSignerPreserveMetadata = CFSTR("preserve-metadata");
  60 const CFStringRef kSecCodeSignerTeamIdentifier =        CFSTR("teamidentifier");
  61 const CFStringRef kSecCodeSignerPlatformIdentifier = CFSTR("platform-identifier");
  62 const CFStringRef kSecCodeSignerRuntimeVersion = CFSTR("runtime-version");
  63 const CFStringRef kSecCodeSignerPreserveAFSC =  CFSTR("preserve-afsc");
  64 const CFStringRef kSecCodeSignerOmitAdhocFlag = CFSTR("omit-adhoc-flag");
  65
  66 // Keys for signature editing
  67 const CFStringRef kSecCodeSignerEditCpuType =   CFSTR("edit-cpu-type");
  68 const CFStringRef kSecCodeSignerEditCpuSubtype = CFSTR("edit-cpu-subtype");
  69 const CFStringRef kSecCodeSignerEditCMS =               CFSTR("edit-cms");
  70
  71
  72
  73 //
  74 // CF-standard type code functions
  75 //
  76 CFTypeID SecCodeSignerGetTypeID(void)
  77 {
  78         BEGIN_CSAPI
  79         return gCFObjects().CodeSigner.typeID;
  80     END_CSAPI1(_kCFRuntimeNotATypeID)
  81 }
  82
  83
  84 //
  85 // Create a signer object
  86 //
  87 OSStatus SecCodeSignerCreate(CFDictionaryRef parameters, SecCSFlags flags,
  88         SecCodeSignerRef *signerRef)
  89 {
  90         BEGIN_CSAPI
  91
  92         checkFlags(flags,
  93                   kSecCSEditSignature
  94                 | kSecCSRemoveSignature
  95                 | kSecCSSignPreserveSignature
  96                 | kSecCSSignNestedCode
  97                 | kSecCSSignOpaque
  98                 | kSecCSSignV1
  99                 | kSecCSSignNoV1
 100                 | kSecCSSignBundleRoot
 101                 | kSecCSSignStrictPreflight
 102         | kSecCSSignGeneratePEH
 103                 | kSecCSSignGenerateEntitlementDER);
 104         SecPointer<SecCodeSigner> signer = new SecCodeSigner(flags);
 105         signer->parameters(parameters);
 106         CodeSigning::Required(signerRef) = signer->handle();
 107
 108     END_CSAPI
 109 }
 110
 111
 112 //
 113 // Generate a signature
 114 //
 115 OSStatus SecCodeSignerAddSignature(SecCodeSignerRef signerRef,
 116         SecStaticCodeRef codeRef, SecCSFlags flags)
 117 {
 118         return SecCodeSignerAddSignatureWithErrors(signerRef, codeRef, flags, NULL);
 119 }
 120
 121 OSStatus SecCodeSignerAddSignatureWithErrors(SecCodeSignerRef signerRef,
 122         SecStaticCodeRef codeRef, SecCSFlags flags, CFErrorRef *errors)
 123 {
 124         BEGIN_CSAPI
 125         checkFlags(flags,
 126                 kSecCSReportProgress
 127         );
 128         SecCodeSigner::required(signerRef)->sign(SecStaticCode::required(codeRef), flags);
 129     END_CSAPI_ERRORS
 130 }