OSX/libsecurity_codesigning/lib/reqinterp.h

   1 /*
   2  * Copyright (c) 2006-2007,2011 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // reqinterp - Requirement language (exprOp) interpreter
  26 //
  27 #ifndef _H_REQINTERP
  28 #define _H_REQINTERP
  29
  30 #include "reqreader.h"
  31 #include <Security/SecTrustSettings.h>
  32
  33 #if TARGET_OS_OSX
  34 #include <security_cdsa_utilities/cssmdata.h>   // CssmOid
  35 #endif
  36
  37 namespace Security {
  38 namespace CodeSigning {
  39
  40
  41 //
  42 // An interpreter for exprForm-type requirements.
  43 // This is a simple Polish Notation stack evaluator.
  44 //
  45 class Requirement::Interpreter : public Requirement::Reader {
  46 public:
  47         Interpreter(const Requirement *req, const Context *ctx) : Reader(req), mContext(ctx) { }
  48
  49         static const unsigned stackLimit = 1000;
  50
  51         bool evaluate();
  52
  53 protected:
  54         class Match {
  55         public:
  56                 Match(Interpreter &interp);             // reads match postfix from interp
  57                 Match(CFStringRef value, MatchOperation op) : mValue(value), mOp(op) { } // explicit
  58                 Match() : mValue(NULL), mOp(matchExists) { } // explict test for presence
  59                 bool operator () (CFTypeRef candidate) const; // match to candidate
  60
  61         protected:
  62                 bool inequality(CFTypeRef candidate, CFStringCompareFlags flags, CFComparisonResult outcome, bool negate) const;
  63
  64         private:
  65                 CFCopyRef<CFTypeRef> mValue;    // match value
  66                 MatchOperation mOp;                             // type of match
  67
  68                 bool isStringValue() const { return CFGetTypeID(mValue) == CFStringGetTypeID(); }
  69                 bool isDateValue() const { return CFGetTypeID(mValue) == CFDateGetTypeID(); }
  70                 CFStringRef cfStringValue() const { return isStringValue() ? (CFStringRef)mValue.get() : NULL; }
  71                 CFDateRef cfDateValue() const { return isDateValue() ? (CFDateRef)mValue.get() : NULL; }
  72         };
  73
  74 protected:
  75         bool eval(int depth);
  76
  77         bool infoKeyValue(const std::string &key, const Match &match);
  78         bool entitlementValue(const std::string &key, const Match &match);
  79         bool certFieldValue(const string &key, const Match &match, SecCertificateRef cert);
  80 #if TARGET_OS_OSX
  81         bool certFieldGeneric(const string &key, const Match &match, SecCertificateRef cert);
  82         bool certFieldGeneric(const CssmOid &oid, const Match &match, SecCertificateRef cert);
  83         bool certFieldPolicy(const string &key, const Match &match, SecCertificateRef cert);
  84         bool certFieldPolicy(const CssmOid &oid, const Match &match, SecCertificateRef cert);
  85         bool certFieldDate(const string &key, const Match &match, SecCertificateRef cert);
  86         bool certFieldDate(const CssmOid &oid, const Match &match, SecCertificateRef cert);
  87 #endif
  88         bool verifyAnchor(SecCertificateRef cert, const unsigned char *digest);
  89         bool appleSigned();
  90         bool appleAnchored();
  91         bool inTrustCache();
  92
  93         bool trustedCerts();
  94         bool trustedCert(int slot);
  95
  96         static SecTrustSettingsResult trustSetting(SecCertificateRef cert, bool isAnchor);
  97
  98 private:
  99     CFArrayRef getAdditionalTrustedAnchors();
 100     bool appleLocalAnchored();
 101         const Context * const mContext;
 102 };
 103
 104
 105 }       // CodeSigning
 106 }       // Security
 107
 108 #endif //_H_REQINTERP