]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_codesigning/lib/reqinterp.cpp
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57740.60.18.tar.gz
[apple/security.git] / OSX / libsecurity_codesigning / lib / reqinterp.cpp
1 /*
2 * Copyright (c) 2006,2011-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 //
25 // reqinterp - Requirement language (exprOp) interpreter
26 //
27 #include "reqinterp.h"
28 #include "codesigning_dtrace.h"
29 #include <Security/SecTrustSettingsPriv.h>
30 #include <Security/SecCertificatePriv.h>
31 #include <security_utilities/memutils.h>
32 #include <security_utilities/logging.h>
33 #include <sys/csr.h>
34 #include <IOKit/IOKitLib.h>
35 #include <IOKit/IOCFUnserialize.h>
36 #include "csutilities.h"
37
38 namespace Security {
39 namespace CodeSigning {
40
41
42 //
43 // Fragment fetching, caching, and evaluation.
44 //
45 // Several language elements allow "calling" of separate requirement programs
46 // stored on disk as (binary) requirement blobs. The Fragments class takes care
47 // of finding, loading, caching, and evaluating them.
48 //
49 // This is a singleton for (process global) caching. It works fine as multiple instances,
50 // at a loss of caching effectiveness.
51 //
52 class Fragments {
53 public:
54 Fragments();
55
56 bool named(const std::string &name, const Requirement::Context &ctx)
57 { return evalNamed("subreq", name, ctx); }
58 bool namedAnchor(const std::string &name, const Requirement::Context &ctx)
59 { return evalNamed("anchorreq", name, ctx); }
60
61 private:
62 bool evalNamed(const char *type, const std::string &name, const Requirement::Context &ctx);
63 CFDataRef fragment(const char *type, const std::string &name);
64
65 typedef std::map<std::string, CFRef<CFDataRef> > FragMap;
66
67 private:
68 CFBundleRef mMyBundle; // Security.framework bundle
69 Mutex mLock; // lock for all of the below...
70 FragMap mFragments; // cached fragments
71 };
72
73 static ModuleNexus<Fragments> fragments;
74
75
76 //
77 // Magic certificate features
78 //
79 static CFStringRef appleIntermediateCN = CFSTR("Apple Code Signing Certification Authority");
80 static CFStringRef appleIntermediateO = CFSTR("Apple Inc.");
81
82
83 //
84 // Main interpreter function.
85 //
86 // ExprOp code is in Polish Notation (operator followed by operands),
87 // and this engine uses opportunistic evaluation.
88 //
89 bool Requirement::Interpreter::evaluate()
90 { return eval(stackLimit); }
91
92 bool Requirement::Interpreter::eval(int depth)
93 {
94 if (--depth <= 0) // nested too deeply - protect the stack
95 MacOSError::throwMe(errSecCSReqInvalid);
96
97 ExprOp op = ExprOp(get<uint32_t>());
98 CODESIGN_EVAL_REQINT_OP(op, this->pc() - sizeof(uint32_t));
99 switch (op & ~opFlagMask) {
100 case opFalse:
101 return false;
102 case opTrue:
103 return true;
104 case opIdent:
105 return mContext->directory && getString() == mContext->directory->identifier();
106 case opAppleAnchor:
107 return appleSigned();
108 case opAppleGenericAnchor:
109 return appleAnchored();
110 case opAnchorHash:
111 {
112 SecCertificateRef cert = mContext->cert(get<int32_t>());
113 return verifyAnchor(cert, getSHA1());
114 }
115 case opInfoKeyValue: // [legacy; use opInfoKeyField]
116 {
117 string key = getString();
118 return infoKeyValue(key, Match(CFTempString(getString()), matchEqual));
119 }
120 case opAnd:
121 return eval(depth) & eval(depth);
122 case opOr:
123 return eval(depth) | eval(depth);
124 case opCDHash:
125 if (mContext->directory) {
126 CFRef<CFDataRef> cdhash = mContext->directory->cdhash();
127 CFRef<CFDataRef> required = getHash();
128 return CFEqual(cdhash, required);
129 } else
130 return false;
131 case opNot:
132 return !eval(depth);
133 case opInfoKeyField:
134 {
135 string key = getString();
136 Match match(*this);
137 return infoKeyValue(key, match);
138 }
139 case opEntitlementField:
140 {
141 string key = getString();
142 Match match(*this);
143 return entitlementValue(key, match);
144 }
145 case opCertField:
146 {
147 SecCertificateRef cert = mContext->cert(get<int32_t>());
148 string key = getString();
149 Match match(*this);
150 return certFieldValue(key, match, cert);
151 }
152 case opCertGeneric:
153 {
154 SecCertificateRef cert = mContext->cert(get<int32_t>());
155 string key = getString();
156 Match match(*this);
157 return certFieldGeneric(key, match, cert);
158 }
159 case opCertPolicy:
160 {
161 SecCertificateRef cert = mContext->cert(get<int32_t>());
162 string key = getString();
163 Match match(*this);
164 return certFieldPolicy(key, match, cert);
165 }
166 case opTrustedCert:
167 return trustedCert(get<int32_t>());
168 case opTrustedCerts:
169 return trustedCerts();
170 case opNamedAnchor:
171 return fragments().namedAnchor(getString(), *mContext);
172 case opNamedCode:
173 return fragments().named(getString(), *mContext);
174 case opPlatform:
175 {
176 int32_t targetPlatform = get<int32_t>();
177 return mContext->directory && mContext->directory->platform == targetPlatform;
178 }
179 default:
180 // opcode not recognized - handle generically if possible, fail otherwise
181 if (op & (opGenericFalse | opGenericSkip)) {
182 // unknown opcode, but it has a size field and can be safely bypassed
183 skip(get<uint32_t>());
184 if (op & opGenericFalse) {
185 CODESIGN_EVAL_REQINT_UNKNOWN_FALSE(op);
186 return false;
187 } else {
188 CODESIGN_EVAL_REQINT_UNKNOWN_SKIPPED(op);
189 return eval(depth);
190 }
191 }
192 // unrecognized opcode and no way to interpret it
193 secinfo("csinterp", "opcode 0x%x cannot be handled; aborting", op);
194 MacOSError::throwMe(errSecCSUnimplemented);
195 }
196 }
197
198
199 //
200 // Evaluate an Info.plist key condition
201 //
202 bool Requirement::Interpreter::infoKeyValue(const string &key, const Match &match)
203 {
204 if (mContext->info) // we have an Info.plist
205 if (CFTypeRef value = CFDictionaryGetValue(mContext->info, CFTempString(key)))
206 return match(value);
207 return false;
208 }
209
210
211 //
212 // Evaluate an entitlement condition
213 //
214 bool Requirement::Interpreter::entitlementValue(const string &key, const Match &match)
215 {
216 if (mContext->entitlements) // we have an Info.plist
217 if (CFTypeRef value = CFDictionaryGetValue(mContext->entitlements, CFTempString(key)))
218 return match(value);
219 return false;
220 }
221
222
223 bool Requirement::Interpreter::certFieldValue(const string &key, const Match &match, SecCertificateRef cert)
224 {
225 // no cert, no chance
226 if (cert == NULL)
227 return false;
228
229 // a table of recognized keys for the "certificate[foo]" syntax
230 static const struct CertField {
231 const char *name;
232 const CSSM_OID *oid;
233 } certFields[] = {
234 { "subject.C", &CSSMOID_CountryName },
235 { "subject.CN", &CSSMOID_CommonName },
236 { "subject.D", &CSSMOID_Description },
237 { "subject.L", &CSSMOID_LocalityName },
238 // { "subject.C-L", &CSSMOID_CollectiveLocalityName }, // missing from Security.framework headers
239 { "subject.O", &CSSMOID_OrganizationName },
240 { "subject.C-O", &CSSMOID_CollectiveOrganizationName },
241 { "subject.OU", &CSSMOID_OrganizationalUnitName },
242 { "subject.C-OU", &CSSMOID_CollectiveOrganizationalUnitName },
243 { "subject.ST", &CSSMOID_StateProvinceName },
244 { "subject.C-ST", &CSSMOID_CollectiveStateProvinceName },
245 { "subject.STREET", &CSSMOID_StreetAddress },
246 { "subject.C-STREET", &CSSMOID_CollectiveStreetAddress },
247 { "subject.UID", &CSSMOID_UserID },
248 { NULL, NULL }
249 };
250
251 // DN-component single-value match
252 for (const CertField *cf = certFields; cf->name; cf++)
253 if (cf->name == key) {
254 CFRef<CFStringRef> value;
255 OSStatus rc = SecCertificateCopySubjectComponent(cert, cf->oid, &value.aref());
256 if (rc) {
257 secinfo("csinterp", "cert %p lookup for DN.%s failed rc=%d", cert, key.c_str(), (int)rc);
258 return false;
259 }
260 return match(value);
261 }
262
263 // email multi-valued match (any of...)
264 if (key == "email") {
265 CFRef<CFArrayRef> value;
266 OSStatus rc = SecCertificateCopyEmailAddresses(cert, &value.aref());
267 if (rc) {
268 secinfo("csinterp", "cert %p lookup for email failed rc=%d", cert, (int)rc);
269 return false;
270 }
271 return match(value);
272 }
273
274 // unrecognized key. Fail but do not abort to promote backward compatibility down the road
275 secinfo("csinterp", "cert field notation \"%s\" not understood", key.c_str());
276 return false;
277 }
278
279
280 bool Requirement::Interpreter::certFieldGeneric(const string &key, const Match &match, SecCertificateRef cert)
281 {
282 // the key is actually a (binary) OID value
283 CssmOid oid((char *)key.data(), key.length());
284 return certFieldGeneric(oid, match, cert);
285 }
286
287 bool Requirement::Interpreter::certFieldGeneric(const CssmOid &oid, const Match &match, SecCertificateRef cert)
288 {
289 return cert && certificateHasField(cert, oid) && match(kCFBooleanTrue);
290 }
291
292 bool Requirement::Interpreter::certFieldPolicy(const string &key, const Match &match, SecCertificateRef cert)
293 {
294 // the key is actually a (binary) OID value
295 CssmOid oid((char *)key.data(), key.length());
296 return certFieldPolicy(oid, match, cert);
297 }
298
299 bool Requirement::Interpreter::certFieldPolicy(const CssmOid &oid, const Match &match, SecCertificateRef cert)
300 {
301 return cert && certificateHasPolicy(cert, oid) && match(kCFBooleanTrue);
302 }
303
304
305 //
306 // Check the Apple-signed condition
307 //
308 bool Requirement::Interpreter::appleAnchored()
309 {
310 if (SecCertificateRef cert = mContext->cert(anchorCert))
311 if (isAppleCA(cert))
312 return true;
313 return false;
314 }
315
316 static CFStringRef kAMFINVRAMTrustedKeys = CFSTR("AMFITrustedKeys");
317
318 CFArrayRef Requirement::Interpreter::getAdditionalTrustedAnchors()
319 {
320 __block CFRef<CFMutableArrayRef> keys = makeCFMutableArray(0);
321
322 try {
323 io_registry_entry_t entry = IORegistryEntryFromPath(kIOMasterPortDefault, "IODeviceTree:/options");
324 if (entry == IO_OBJECT_NULL)
325 return NULL;
326
327 CFRef<CFDataRef> configData = (CFDataRef)IORegistryEntryCreateCFProperty(entry, kAMFINVRAMTrustedKeys, kCFAllocatorDefault, 0);
328 IOObjectRelease(entry);
329 if (!configData)
330 return NULL;
331
332 CFRef<CFDictionaryRef> configDict = CFDictionaryRef(IOCFUnserializeWithSize((const char *)CFDataGetBytePtr(configData),
333 (size_t)CFDataGetLength(configData),
334 kCFAllocatorDefault, 0, NULL));
335 if (!configDict)
336 return NULL;
337
338 CFArrayRef trustedKeys = CFArrayRef(CFDictionaryGetValue(configDict, CFSTR("trustedKeys")));
339 if (!trustedKeys && CFGetTypeID(trustedKeys) != CFArrayGetTypeID())
340 return NULL;
341
342 cfArrayApplyBlock(trustedKeys, ^(const void *value) {
343 CFDictionaryRef key = CFDictionaryRef(value);
344 if (!key && CFGetTypeID(key) != CFDictionaryGetTypeID())
345 return;
346
347 CFDataRef hash = CFDataRef(CFDictionaryGetValue(key, CFSTR("certDigest")));
348 if (!hash && CFGetTypeID(hash) != CFDataGetTypeID())
349 return;
350 CFArrayAppendValue(keys, hash);
351 });
352
353 } catch (...) {
354 }
355
356 if (CFArrayGetCount(keys) == 0)
357 return NULL;
358
359 return keys.yield();
360 }
361
362 bool Requirement::Interpreter::appleLocalAnchored()
363 {
364 static CFArrayRef additionalTrustedCertificates = NULL;
365
366 if (csr_check(CSR_ALLOW_APPLE_INTERNAL))
367 return false;
368
369 static dispatch_once_t onceToken;
370 dispatch_once(&onceToken, ^{
371 additionalTrustedCertificates = getAdditionalTrustedAnchors();
372 });
373
374 if (additionalTrustedCertificates == NULL)
375 return false;
376
377 CFRef<CFDataRef> hash = SecCertificateCopySHA256Digest(mContext->cert(leafCert));
378 if (!hash)
379 return false;
380
381 if (CFArrayContainsValue(additionalTrustedCertificates, CFRangeMake(0, CFArrayGetCount(additionalTrustedCertificates)), hash))
382 return true;
383
384 return false;
385 }
386
387 bool Requirement::Interpreter::appleSigned()
388 {
389 if (appleAnchored()) {
390 if (SecCertificateRef intermed = mContext->cert(-2)) // first intermediate
391 // first intermediate common name match (exact)
392 if (certFieldValue("subject.CN", Match(appleIntermediateCN, matchEqual), intermed)
393 && certFieldValue("subject.O", Match(appleIntermediateO, matchEqual), intermed))
394 return true;
395 } else if (appleLocalAnchored()) {
396 return true;
397 }
398 return false;
399 }
400
401
402 //
403 // Verify an anchor requirement against the context
404 //
405 bool Requirement::Interpreter::verifyAnchor(SecCertificateRef cert, const unsigned char *digest)
406 {
407 // get certificate bytes
408 if (cert) {
409 CSSM_DATA certData;
410 MacOSError::check(SecCertificateGetData(cert, &certData));
411
412 // verify hash
413 SHA1 hasher;
414 hasher(certData.Data, certData.Length);
415 return hasher.verify(digest);
416 }
417 return false;
418 }
419
420
421 //
422 // Check one or all certificate(s) in the cert chain against the Trust Settings database.
423 //
424 bool Requirement::Interpreter::trustedCerts()
425 {
426 int anchor = mContext->certCount() - 1;
427 for (int slot = 0; slot <= anchor; slot++)
428 if (SecCertificateRef cert = mContext->cert(slot))
429 switch (trustSetting(cert, slot == anchor)) {
430 case kSecTrustSettingsResultTrustRoot:
431 case kSecTrustSettingsResultTrustAsRoot:
432 return true;
433 case kSecTrustSettingsResultDeny:
434 return false;
435 case kSecTrustSettingsResultUnspecified:
436 break;
437 default:
438 assert(false);
439 return false;
440 }
441 else
442 return false;
443 return false;
444 }
445
446 bool Requirement::Interpreter::trustedCert(int slot)
447 {
448 if (SecCertificateRef cert = mContext->cert(slot)) {
449 int anchorSlot = mContext->certCount() - 1;
450 switch (trustSetting(cert, slot == anchorCert || slot == anchorSlot)) {
451 case kSecTrustSettingsResultTrustRoot:
452 case kSecTrustSettingsResultTrustAsRoot:
453 return true;
454 case kSecTrustSettingsResultDeny:
455 case kSecTrustSettingsResultUnspecified:
456 return false;
457 default:
458 assert(false);
459 return false;
460 }
461 } else
462 return false;
463 }
464
465
466 //
467 // Explicitly check one certificate against the Trust Settings database and report
468 // the findings. This is a helper for the various Trust Settings evaluators.
469 //
470 SecTrustSettingsResult Requirement::Interpreter::trustSetting(SecCertificateRef cert, bool isAnchor)
471 {
472 // the SPI input is the uppercase hex form of the SHA-1 of the certificate...
473 assert(cert);
474 SHA1::Digest digest;
475 hashOfCertificate(cert, digest);
476 string Certhex = CssmData(digest, sizeof(digest)).toHex();
477 for (string::iterator it = Certhex.begin(); it != Certhex.end(); ++it)
478 if (islower(*it))
479 *it = toupper(*it);
480
481 // call Trust Settings and see what it finds
482 SecTrustSettingsDomain domain;
483 SecTrustSettingsResult result;
484 CSSM_RETURN *errors = NULL;
485 uint32 errorCount = 0;
486 bool foundMatch, foundAny;
487 switch (OSStatus rc = SecTrustSettingsEvaluateCert(
488 CFTempString(Certhex), // settings index
489 &CSSMOID_APPLE_TP_CODE_SIGNING, // standard code signing policy
490 NULL, 0, // policy string (unused)
491 kSecTrustSettingsKeyUseAny, // no restriction on key usage @@@
492 isAnchor, // consult system default anchor set
493
494 &domain, // domain of found setting
495 &errors, &errorCount, // error set and maximum count
496 &result, // the actual setting
497 &foundMatch, &foundAny // optimization hints (not used)
498 )) {
499 case errSecSuccess:
500 ::free(errors);
501 if (foundMatch)
502 return result;
503 else
504 return kSecTrustSettingsResultUnspecified;
505 default:
506 ::free(errors);
507 MacOSError::throwMe(rc);
508 }
509 }
510
511
512 //
513 // Create a Match object from the interpreter stream
514 //
515 Requirement::Interpreter::Match::Match(Interpreter &interp)
516 {
517 switch (mOp = interp.get<MatchOperation>()) {
518 case matchExists:
519 break;
520 case matchEqual:
521 case matchContains:
522 case matchBeginsWith:
523 case matchEndsWith:
524 case matchLessThan:
525 case matchGreaterThan:
526 case matchLessEqual:
527 case matchGreaterEqual:
528 mValue.take(makeCFString(interp.getString()));
529 break;
530 default:
531 // Assume this (unknown) match type has a single data argument.
532 // This gives us a chance to keep the instruction stream aligned.
533 interp.getString(); // discard
534 break;
535 }
536 }
537
538
539 //
540 // Execute a match against a candidate value
541 //
542 bool Requirement::Interpreter::Match::operator () (CFTypeRef candidate) const
543 {
544 // null candidates always fail
545 if (!candidate)
546 return false;
547
548 // interpret an array as matching alternatives (any one succeeds)
549 if (CFGetTypeID(candidate) == CFArrayGetTypeID()) {
550 CFArrayRef array = CFArrayRef(candidate);
551 CFIndex count = CFArrayGetCount(array);
552 for (CFIndex n = 0; n < count; n++)
553 if ((*this)(CFArrayGetValueAtIndex(array, n))) // yes, it's recursive
554 return true;
555 }
556
557 switch (mOp) {
558 case matchExists: // anything but NULL and boolean false "exists"
559 return !CFEqual(candidate, kCFBooleanFalse);
560 case matchEqual: // equality works for all CF types
561 return CFEqual(candidate, mValue);
562 case matchContains:
563 if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
564 CFStringRef value = CFStringRef(candidate);
565 if (CFStringFindWithOptions(value, mValue, CFRangeMake(0, CFStringGetLength(value)), 0, NULL))
566 return true;
567 }
568 return false;
569 case matchBeginsWith:
570 if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
571 CFStringRef value = CFStringRef(candidate);
572 if (CFStringFindWithOptions(value, mValue, CFRangeMake(0, CFStringGetLength(mValue)), 0, NULL))
573 return true;
574 }
575 return false;
576 case matchEndsWith:
577 if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
578 CFStringRef value = CFStringRef(candidate);
579 CFIndex matchLength = CFStringGetLength(mValue);
580 CFIndex start = CFStringGetLength(value) - matchLength;
581 if (start >= 0)
582 if (CFStringFindWithOptions(value, mValue, CFRangeMake(start, matchLength), 0, NULL))
583 return true;
584 }
585 return false;
586 case matchLessThan:
587 return inequality(candidate, kCFCompareNumerically, kCFCompareLessThan, true);
588 case matchGreaterThan:
589 return inequality(candidate, kCFCompareNumerically, kCFCompareGreaterThan, true);
590 case matchLessEqual:
591 return inequality(candidate, kCFCompareNumerically, kCFCompareGreaterThan, false);
592 case matchGreaterEqual:
593 return inequality(candidate, kCFCompareNumerically, kCFCompareLessThan, false);
594 default:
595 // unrecognized match types can never match
596 return false;
597 }
598 }
599
600
601 bool Requirement::Interpreter::Match::inequality(CFTypeRef candidate, CFStringCompareFlags flags,
602 CFComparisonResult outcome, bool negate) const
603 {
604 if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
605 CFStringRef value = CFStringRef(candidate);
606 if ((CFStringCompare(value, mValue, flags) == outcome) == negate)
607 return true;
608 }
609 return false;
610 }
611
612
613 //
614 // External fragments
615 //
616 Fragments::Fragments()
617 {
618 mMyBundle = CFBundleGetBundleWithIdentifier(CFSTR("com.apple.security"));
619 }
620
621
622 bool Fragments::evalNamed(const char *type, const std::string &name, const Requirement::Context &ctx)
623 {
624 if (CFDataRef fragData = fragment(type, name)) {
625 const Requirement *req = (const Requirement *)CFDataGetBytePtr(fragData); // was prevalidated as Requirement
626 return req->validates(ctx);
627 }
628 return false;
629 }
630
631
632 CFDataRef Fragments::fragment(const char *type, const std::string &name)
633 {
634 string key = name + "!!" + type; // compound key
635 StLock<Mutex> _(mLock); // lock for cache access
636 FragMap::const_iterator it = mFragments.find(key);
637 if (it == mFragments.end()) {
638 CFRef<CFDataRef> fragData; // will always be set (NULL on any errors)
639 if (CFRef<CFURLRef> fragURL = CFBundleCopyResourceURL(mMyBundle, CFTempString(name), CFSTR("csreq"), CFTempString(type)))
640 if (CFRef<CFDataRef> data = cfLoadFile(fragURL)) { // got data
641 const Requirement *req = (const Requirement *)CFDataGetBytePtr(data);
642 if (req->validateBlob(CFDataGetLength(data))) // looks like a Requirement...
643 fragData = data; // ... so accept it
644 else
645 Syslog::warning("Invalid sub-requirement at %s", cfString(fragURL).c_str());
646 }
647 if (CODESIGN_EVAL_REQINT_FRAGMENT_LOAD_ENABLED())
648 CODESIGN_EVAL_REQINT_FRAGMENT_LOAD(type, name.c_str(), fragData ? CFDataGetBytePtr(fragData) : NULL);
649 mFragments[key] = fragData; // cache it, success or failure
650 return fragData;
651 }
652 CODESIGN_EVAL_REQINT_FRAGMENT_HIT(type, name.c_str());
653 return it->second;
654 }
655
656
657 } // CodeSigning
658 } // Security
mirror of Security