Security/libsecurity_codesigning/lib/SecStaticCode.cpp

   1 /*
   2  * Copyright (c) 2006-2007,2011-2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // SecStaticCode - API frame for SecStaticCode objects
  26 //
  27 #include "cs.h"
  28 #include "StaticCode.h"
  29 #include <security_utilities/cfmunge.h>
  30 #include <fcntl.h>
  31 #include <dirent.h>
  32
  33 using namespace CodeSigning;
  34
  35
  36 //
  37 // CF-standard type code function
  38 //
  39 CFTypeID SecStaticCodeGetTypeID(void)
  40 {
  41         BEGIN_CSAPI
  42         return gCFObjects().StaticCode.typeID;
  43     END_CSAPI1(_kCFRuntimeNotATypeID)
  44 }
  45
  46
  47 //
  48 // Create an StaticCode directly from disk path.
  49 //
  50 OSStatus SecStaticCodeCreateWithPath(CFURLRef path, SecCSFlags flags, SecStaticCodeRef *staticCodeRef)
  51 {
  52         BEGIN_CSAPI
  53
  54         checkFlags(flags);
  55         CodeSigning::Required(staticCodeRef) = (new SecStaticCode(DiskRep::bestGuess(cfString(path).c_str())))->handle();
  56
  57         END_CSAPI
  58 }
  59
  60 const CFStringRef kSecCodeAttributeArchitecture =       CFSTR("architecture");
  61 const CFStringRef kSecCodeAttributeSubarchitecture =CFSTR("subarchitecture");
  62 const CFStringRef kSecCodeAttributeBundleVersion =      CFSTR("bundleversion");
  63 const CFStringRef kSecCodeAttributeUniversalFileOffset =        CFSTR("UniversalFileOffset");
  64
  65 OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes,
  66         SecStaticCodeRef *staticCodeRef)
  67 {
  68         BEGIN_CSAPI
  69
  70         checkFlags(flags);
  71         DiskRep::Context ctx;
  72         std::string version; // holds memory placed into ctx
  73         if (attributes) {
  74                 std::string archName;
  75                 int archNumber, subarchNumber, offset;
  76                 if (cfscan(attributes, "{%O=%d}", kSecCodeAttributeUniversalFileOffset, &offset)) {
  77                         ctx.offset = offset;
  78                 } else if (cfscan(attributes, "{%O=%s}", kSecCodeAttributeArchitecture, &archName)) {
  79                         ctx.arch = Architecture(archName.c_str());
  80                 } else if (cfscan(attributes, "{%O=%d,%O=%d}",
  81                                 kSecCodeAttributeArchitecture, &archNumber, kSecCodeAttributeSubarchitecture, &subarchNumber))
  82                         ctx.arch = Architecture(archNumber, subarchNumber);
  83                 else if (cfscan(attributes, "{%O=%d}", kSecCodeAttributeArchitecture, &archNumber))
  84                         ctx.arch = Architecture(archNumber);
  85                 if (cfscan(attributes, "{%O=%s}", kSecCodeAttributeBundleVersion, &version))
  86                         ctx.version = version.c_str();
  87         }
  88
  89         CodeSigning::Required(staticCodeRef) = (new SecStaticCode(DiskRep::bestGuess(cfString(path).c_str(), &ctx)))->handle();
  90
  91         END_CSAPI
  92 }
  93
  94
  95 //
  96 // Check static validity of a StaticCode
  97 //
  98 OSStatus SecStaticCodeCheckValidity(SecStaticCodeRef staticCodeRef, SecCSFlags flags,
  99         SecRequirementRef requirementRef)
 100 {
 101         return SecStaticCodeCheckValidityWithErrors(staticCodeRef, flags, requirementRef, NULL);
 102 }
 103
 104 OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCodeRef, SecCSFlags flags,
 105         SecRequirementRef requirementRef, CFErrorRef *errors)
 106 {
 107         BEGIN_CSAPI
 108
 109         checkFlags(flags,
 110                   kSecCSReportProgress
 111                 | kSecCSCheckAllArchitectures
 112                 | kSecCSDoNotValidateExecutable
 113                 | kSecCSDoNotValidateResources
 114                 | kSecCSConsiderExpiration
 115         | kSecCSEnforceRevocationChecks
 116                 | kSecCSNoNetworkAccess
 117                 | kSecCSCheckNestedCode
 118                 | kSecCSStrictValidate);
 119
 120         if (errors)
 121                 flags |= kSecCSFullReport;      // internal-use flag
 122
 123         SecPointer<SecStaticCode> code = SecStaticCode::requiredStatic(staticCodeRef);
 124         code->setValidationFlags(flags);
 125         const SecRequirement *req = SecRequirement::optional(requirementRef);
 126         DTRACK(CODESIGN_EVAL_STATIC, code, (char*)code->mainExecutablePath().c_str());
 127         code->staticValidate(flags, req);
 128
 129         END_CSAPI_ERRORS
 130 }
 131
 132
 133 //
 134 // ====================================================================================
 135 //
 136 // The following API functions are called SecCode* but accept both SecCodeRef and
 137 // SecStaticCodeRef arguments, operating on the implied SecStaticCodeRef as appropriate.
 138 // Hence they're here, rather than in SecCode.cpp.
 139 //
 140
 141
 142 //
 143 // Retrieve location information for an StaticCode.
 144 //
 145 OSStatus SecCodeCopyPath(SecStaticCodeRef staticCodeRef, SecCSFlags flags, CFURLRef *path)
 146 {
 147         BEGIN_CSAPI
 148
 149         checkFlags(flags);
 150         SecPointer<SecStaticCode> staticCode = SecStaticCode::requiredStatic(staticCodeRef);
 151         CodeSigning::Required(path) = staticCode->copyCanonicalPath();
 152
 153         END_CSAPI
 154 }
 155
 156
 157 //
 158 // Fetch or make up a designated requirement
 159 //
 160 OSStatus SecCodeCopyDesignatedRequirement(SecStaticCodeRef staticCodeRef, SecCSFlags flags,
 161         SecRequirementRef *requirementRef)
 162 {
 163         BEGIN_CSAPI
 164
 165         checkFlags(flags);
 166         const Requirement *req =
 167                 SecStaticCode::requiredStatic(staticCodeRef)->designatedRequirement();
 168         CodeSigning::Required(requirementRef) = (new SecRequirement(req))->handle();
 169
 170         END_CSAPI
 171 }
 172
 173
 174 //
 175 // Fetch a particular internal requirement, if present
 176 //
 177 OSStatus SecCodeCopyInternalRequirement(SecStaticCodeRef staticCodeRef, SecRequirementType type,
 178         SecCSFlags flags, SecRequirementRef *requirementRef)
 179 {
 180         BEGIN_CSAPI
 181
 182         checkFlags(flags);
 183         const Requirement *req =
 184                 SecStaticCode::requiredStatic(staticCodeRef)->internalRequirement(type);
 185         CodeSigning::Required(requirementRef) = req ? (new SecRequirement(req))->handle() : NULL;
 186
 187         END_CSAPI
 188 }
 189
 190
 191 //
 192 // Record for future use a detached code signature.
 193 //
 194 OSStatus SecCodeSetDetachedSignature(SecStaticCodeRef codeRef, CFDataRef signature,
 195         SecCSFlags flags)
 196 {
 197         BEGIN_CSAPI
 198
 199         checkFlags(flags);
 200         SecPointer<SecStaticCode> code = SecStaticCode::requiredStatic(codeRef);
 201
 202         code->detachedSignature(signature); // ... and pass it to the code
 203         code->resetValidity();
 204
 205         END_CSAPI
 206 }
 207
 208
 209 //
 210 // Attach a code signature to a kernel memory mapping for page-in validation.
 211 //
 212 OSStatus SecCodeMapMemory(SecStaticCodeRef codeRef, SecCSFlags flags)
 213 {
 214         BEGIN_CSAPI
 215
 216         checkFlags(flags);
 217         SecPointer<SecStaticCode> code = SecStaticCode::requiredStatic(codeRef);
 218         if (const CodeDirectory *cd = code->codeDirectory(false)) {
 219                 fsignatures args = { code->diskRep()->signingBase(), (void *)cd, cd->length() };
 220                 UnixError::check(::fcntl(code->diskRep()->fd(), F_ADDSIGS, &args));
 221         } else
 222                 MacOSError::throwMe(errSecCSUnsigned);
 223
 224         END_CSAPI
 225 }
 226
 227
 228 //
 229 // Attach a callback block to a code object
 230 //
 231 OSStatus SecStaticCodeSetCallback(SecStaticCodeRef codeRef, SecCSFlags flags, SecCodeCallback *old, SecCodeCallback monitor)
 232 {
 233         BEGIN_CSAPI
 234
 235         checkFlags(flags);
 236         SecStaticCode *code = SecStaticCode::requiredStatic(codeRef);
 237         if (old)
 238                 *old = code->monitor();
 239         code->setMonitor(monitor);
 240
 241         END_CSAPI
 242 }
 243
 244
 245 OSStatus SecStaticCodeSetValidationConditions(SecStaticCodeRef codeRef, CFDictionaryRef conditions)
 246 {
 247         BEGIN_CSAPI
 248
 249         checkFlags(0);
 250         SecStaticCode *code = SecStaticCode::requiredStatic(codeRef);
 251         code->setValidationModifiers(conditions);
 252
 253         END_CSAPI
 254 }
 255
 256
 257 //
 258 // Set cancellation flag on a static code object.
 259 //
 260 OSStatus SecStaticCodeCancelValidation(SecStaticCodeRef codeRef, SecCSFlags flags)
 261 {
 262         BEGIN_CSAPI
 263
 264         checkFlags(0);
 265         SecStaticCode *code = SecStaticCode::requiredStatic(codeRef);
 266         code->cancelValidation();
 267
 268         END_CSAPI
 269 }