2 * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 // signer - Signing operation supervisor and controller
30 #include "CodeSigner.h"
31 #include "cdbuilder.h"
32 #include "signerutils.h"
33 #include "StaticCode.h"
34 #include <security_utilities/utilities.h>
37 namespace CodeSigning
{
41 // The signer driver class.
42 // This is a workflow object, containing all the data needed for the various
43 // signing stages to cooperate. It is not meant to be API visible; that is
44 // SecCodeSigner's job.
46 class SecCodeSigner::Signer
{
48 Signer(SecCodeSigner
&s
, SecStaticCode
*c
) : state(s
), code(c
), requirements(NULL
)
49 { strict
= state
.signingFlags() & kSecCSSignStrictPreflight
; }
50 ~Signer() { ::free((Requirements
*)requirements
); }
52 void sign(SecCSFlags flags
);
53 void remove(SecCSFlags flags
);
56 SecStaticCode
* const code
;
58 CodeDirectory::HashAlgorithm
digestAlgorithm() const { return state
.mDigestAlgorithm
; }
60 std::string
path() const { return cfStringRelease(rep
->copyCanonicalPath()); }
61 SecIdentityRef
signingIdentity() const { return state
.mSigner
; }
62 std::string
signingIdentifier() const { return identifier
; }
65 void prepare(SecCSFlags flags
); // set up signing parameters
66 void signMachO(Universal
*fat
, const Requirement::Context
&context
); // sign a Mach-O binary
67 void signArchitectureAgnostic(const Requirement::Context
&context
); // sign anything else
69 void populate(DiskRep::Writer
&writer
); // global
70 void populate(CodeDirectory::Builder
&builder
, DiskRep::Writer
&writer
,
71 InternalRequirements
&ireqs
, size_t offset
= 0, size_t length
= 0); // per-architecture
72 CFDataRef
signCodeDirectory(const CodeDirectory
*cd
);
74 uint32_t cdTextFlags(std::string text
); // convert text CodeDirectory flags
75 std::string
uniqueName() const; // derive unique string from rep
78 void buildResources(std::string root
, std::string relBase
, CFDictionaryRef rules
);
79 CFMutableDictionaryRef
signNested(const std::string
&path
, const std::string
&relpath
);
80 CFDataRef
hashFile(const char *path
);
83 RefPointer
<DiskRep
> rep
; // DiskRep of Code being signed
84 CFRef
<CFDictionaryRef
> resourceDirectory
; // resource directory
85 CFRef
<CFDataRef
> resourceDictData
; // XML form of resourceDirectory
86 std::string identifier
; // signing identifier
87 std::string teamID
; // team identifier
88 CFRef
<CFDataRef
> entitlements
; // entitlements
89 uint32_t cdFlags
; // CodeDirectory flags
90 const Requirements
*requirements
; // internal requirements ready-to-use
91 size_t pagesize
; // size of main executable pages
92 CFAbsoluteTime signingTime
; // signing time for CMS signature (0 => none)
93 bool strict
; // strict validation
100 } // end namespace CodeSigning
101 } // end namespace Security
103 #endif // !_H_CODESIGNER