OSX/libsecurity_keychain/lib/SecTrustedApplication.cpp

   1 /*
   2  * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #include <Security/SecTrustedApplicationPriv.h>
  25 #include <security_keychain/TrustedApplication.h>
  26 #include <security_keychain/Certificate.h>
  27 #include <securityd_client/ssclient.h>          // for code equivalence SPIs
  28
  29 #include "SecBridge.h"
  30
  31
  32
  33 #pragma clang diagnostic push
  34 #pragma clang diagnostic ignored "-Wunused-function"
  35 static inline CssmData cfData(CFDataRef data)
  36 {
  37     return CssmData(const_cast<UInt8 *>(CFDataGetBytePtr(data)),
  38         CFDataGetLength(data));
  39 }
  40 #pragma clang diagnostic pop
  41
  42
  43 CFTypeID
  44 SecTrustedApplicationGetTypeID(void)
  45 {
  46         BEGIN_SECAPI
  47         return gTypes().TrustedApplication.typeID;
  48
  49         END_SECAPI1(_kCFRuntimeNotATypeID)
  50 }
  51
  52
  53 OSStatus
  54 SecTrustedApplicationCreateFromPath(const char *path, SecTrustedApplicationRef *appRef)
  55 {
  56         BEGIN_SECAPI
  57         SecPointer<TrustedApplication> app =
  58                 path ? new TrustedApplication(path) : new TrustedApplication;
  59         Required(appRef) = app->handle();
  60         END_SECAPI
  61 }
  62
  63 OSStatus SecTrustedApplicationCopyData(SecTrustedApplicationRef appRef,
  64         CFDataRef *dataRef)
  65 {
  66         BEGIN_SECAPI
  67         const char *path = TrustedApplication::required(appRef)->path();
  68         Required(dataRef) = CFDataCreate(NULL, (const UInt8 *)path, strlen(path) + 1);
  69         END_SECAPI
  70 }
  71
  72 OSStatus SecTrustedApplicationSetData(SecTrustedApplicationRef appRef,
  73         CFDataRef dataRef)
  74 {
  75         BEGIN_SECAPI
  76         if (!dataRef)
  77                 return errSecParam;
  78         TrustedApplication::required(appRef)->data(dataRef);
  79         END_SECAPI
  80 }
  81
  82
  83 OSStatus
  84 SecTrustedApplicationValidateWithPath(SecTrustedApplicationRef appRef, const char *path)
  85 {
  86         BEGIN_SECAPI
  87         TrustedApplication &app = *TrustedApplication::required(appRef);
  88         if (!app.verifyToDisk(path))
  89                 return CSSMERR_CSP_VERIFY_FAILED;
  90         END_SECAPI
  91 }
  92
  93
  94 //
  95 // Convert from/to external data representation
  96 //
  97 OSStatus SecTrustedApplicationCopyExternalRepresentation(
  98         SecTrustedApplicationRef appRef,
  99         CFDataRef *externalRef)
 100 {
 101         BEGIN_SECAPI
 102         TrustedApplication &app = *TrustedApplication::required(appRef);
 103         Required(externalRef) = app.externalForm();
 104         END_SECAPI
 105 }
 106
 107 OSStatus SecTrustedApplicationCreateWithExternalRepresentation(
 108         CFDataRef externalRef,
 109         SecTrustedApplicationRef *appRef)
 110 {
 111         BEGIN_SECAPI
 112         Required(appRef) = (new TrustedApplication(externalRef))->handle();
 113         END_SECAPI
 114 }
 115
 116
 117 OSStatus
 118 SecTrustedApplicationMakeEquivalent(SecTrustedApplicationRef oldRef,
 119         SecTrustedApplicationRef newRef, UInt32 flags)
 120 {
 121         BEGIN_SECAPI
 122     return errSecParam;
 123         END_SECAPI
 124 }
 125
 126 OSStatus
 127 SecTrustedApplicationRemoveEquivalence(SecTrustedApplicationRef appRef, UInt32 flags)
 128 {
 129         BEGIN_SECAPI
 130     return errSecParam;
 131         END_SECAPI
 132 }
 133
 134
 135 /*
 136  * Check to see if an application at a given path is a candidate for
 137  * pre-emptive code equivalency establishment
 138  */
 139 OSStatus
 140 SecTrustedApplicationIsUpdateCandidate(const char *installroot, const char *path)
 141 {
 142     BEGIN_SECAPI
 143     return CSSMERR_DL_RECORD_NOT_FOUND; // whatever
 144     END_SECAPI
 145 }
 146
 147
 148 /*
 149  * Point the system at another system root for equivalence use.
 150  * This is for system update installers (only)!
 151  */
 152 OSStatus
 153 SecTrustedApplicationUseAlternateSystem(const char *systemRoot)
 154 {
 155         BEGIN_SECAPI
 156     return errSecParam;
 157         END_SECAPI
 158 }
 159
 160
 161 /*
 162  * Gateway between traditional SecTrustedApplicationRefs and the Code Signing
 163  * subsystem. Invisible to the naked eye, as of 10.5 (Leopard), these reference
 164  * may contain Cod e Signing Requirement objects (SecRequirementRefs). For backward
 165  * compatibility, these are handled implicitly at the SecAccess/SecACL layer.
 166  * However, Those Who Know can bridge the gap for additional functionality.
 167  */
 168 OSStatus SecTrustedApplicationCreateFromRequirement(const char *description,
 169         SecRequirementRef requirement, SecTrustedApplicationRef *appRef)
 170 {
 171         BEGIN_SECAPI
 172         if (description == NULL)
 173                 description = "csreq://";       // default to "generic requirement"
 174         SecPointer<TrustedApplication> app = new TrustedApplication(description, requirement);
 175         Required(appRef) = app->handle();
 176         END_SECAPI
 177 }
 178
 179 OSStatus SecTrustedApplicationCopyRequirement(SecTrustedApplicationRef appRef,
 180         SecRequirementRef *requirement)
 181 {
 182         BEGIN_SECAPI
 183         Required(requirement) = TrustedApplication::required(appRef)->requirement();
 184         if (*requirement)
 185                 CFRetain(*requirement);
 186         END_SECAPI
 187 }
 188
 189
 190 /*
 191  * Create an application group reference.
 192  */
 193 OSStatus SecTrustedApplicationCreateApplicationGroup(const char *groupName,
 194         SecCertificateRef anchor, SecTrustedApplicationRef *appRef)
 195 {
 196         BEGIN_SECAPI
 197         CFRef<SecRequirementRef> req;
 198         MacOSError::check(SecRequirementCreateGroup(CFTempString(groupName), anchor,
 199                 kSecCSDefaultFlags, &req.aref()));
 200         string description = string("group://") + groupName;
 201         if (anchor) {
 202                 Certificate *cert = Certificate::required(anchor);
 203                 const CssmData &hash = cert->publicKeyHash();
 204                 description = description + "?cert=" + cfString(cert->commonName())
 205                         + "&hash=" + hash.toHex();
 206         }
 207         SecPointer<TrustedApplication> app = new TrustedApplication(description, req);
 208         Required(appRef) = app->handle();
 209
 210         END_SECAPI
 211 }