1 /*
2 * Copyright (c) 2003 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // codesigdb - code-hash equivalence database
21 //
22 #ifndef _H_CODESIGDB
23 #define _H_CODESIGDB
24
25 #include <Security/db++.h>
26 #include <Security/osxsigner.h>
27
28
29 class Process;
30 class CodeSignatures;
31
32
33 //
34 // A CodeSignatures object represents a database of code-signature equivalencies
35 // as (previously) expressed by a user and/or the system.
36 // You'll usually only need one of these.
37 //
class CodeSignatures {
public:
	//
	// Identity is an abstract class modeling a code-identity in the database.
	// It can represent either an existing or latent code-hash link.
	// Subclasses must provide the path and hash source functions
	// (getPath and getHash). CodeSignatures is a friend and is the only
	// class meant to set mState and mName.
	//
	class Identity {
		friend class CodeSignatures;
	public:
		Identity();
		virtual ~Identity();

		// True only once the identity has been resolved to a valid link;
		// both untried and invalid identities test false.
		operator bool () const { return mState == valid; }
		// Path of the code, as reported by the subclass hook.
		std::string path() { return getPath(); }
		// Canonical form of path() (see canonicalName).
		std::string name() { return canonicalName(path()); }
		// The canonical name this identity is linked to in the database;
		// presumably only meaningful once the identity tests true.
		std::string trustedName() const { return mName; }

		// Maps a code path to the canonical name used as the link key.
		static std::string canonicalName(const std::string &path);

		// Debug state dump (IFDUMP presumably compiles this out in
		// non-debug builds — confirm against the macro's definition).
		IFDUMP(void debugDump(const char *how = NULL) const);

		// Subclass hooks: where the code lives, and its code hash computed
		// with the signer the caller supplies.
		virtual std::string getPath() const = 0;
		virtual const CssmData getHash(CodeSigning::OSXSigner &signer) const = 0;

	private:
		// Resolution state; written by CodeSignatures through friend access.
		enum { untried, valid, invalid } mState;
		std::string mName;		// link db value (canonical name linked to)
	};

public:
	// Constructs the database object for the file at path; see also open().
	CodeSignatures(const char *path);
	~CodeSignatures();

	void open(const char *path);

public:
	// Looks id up on behalf of user. Returns true when a valid link is
	// found; presumably also sets id's state and trusted name — confirm
	// in the implementation.
	bool find(Identity &id, uid_t user);

	// Records an equivalence between id and the canonical name ident.
	// forUser/user appear to select a per-user rather than a system-wide
	// record — confirm against the .cpp.
	// NOTE(review): a new link widens which code is treated as equivalent
	// to ident, so the caller's authorization to make it matters; confirm
	// where that check lives.
	void makeLink(Identity &id, const std::string &ident, bool forUser = false, uid_t user = 0);
	void makeApplication(const std::string &name, const std::string &path);

	// Hash-level link maintenance; forSystem appears to select the
	// system-wide rather than the per-user scope — confirm in the .cpp.
	void addLink(const CssmData &oldHash, const CssmData &newHash,
		const char *name, bool forSystem);
	void removeLink(const CssmData &hash, const char *name, bool forSystem);

	IFDUMP(void debugDump(const char *how = NULL) const);

public:
	// Checks process against trustedSignature; comment is passed through
	// (its use is not visible here). Presumably returns true when the
	// process is accepted — confirm in the implementation.
	bool verify(Process &process,
		const CodeSigning::Signature *trustedSignature, const CssmData *comment);

private:
	UnixPlusPlus::UnixDb mDb;			// the link database
	CodeSigning::OSXSigner mSigner;	// likely the signer handed to Identity::getHash — confirm

	// lock hierarchy: mUILock first, then mDatabaseLock, no back-off
	Mutex mDatabaseLock;			// controls mDb access
	Mutex mUILock;					// serializes user interaction
};
98
99
100
101 #endif //_H_CODESIGDB