OSX/libsecurity_codesigning/lib/reqinterp.h

   1 /*
   2  * Copyright (c) 2006-2007,2011 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // reqinterp - Requirement language (exprOp) interpreter
  26 //
  27 #ifndef _H_REQINTERP
  28 #define _H_REQINTERP
  29
  30 #include <security_codesigning/reqreader.h>
  31 #include <Security/SecTrustSettings.h>
  32 #include <security_cdsa_utilities/cssmdata.h>   // CssmOid
  33
  34 namespace Security {
  35 namespace CodeSigning {
  36
  37
  38 //
  39 // An interpreter for exprForm-type requirements.
  40 // This is a simple Polish Notation stack evaluator.
  41 //
  42 class Requirement::Interpreter : public Requirement::Reader {
  43 public:
  44         Interpreter(const Requirement *req, const Context *ctx) : Reader(req), mContext(ctx) { }
  45
  46         static const unsigned stackLimit = 1000;
  47
  48         bool evaluate();
  49
  50 protected:
  51         class Match {
  52         public:
  53                 Match(Interpreter &interp);             // reads match postfix from interp
  54                 Match(CFStringRef value, MatchOperation op) : mValue(value), mOp(op) { } // explicit
  55                 Match() : mValue(NULL), mOp(matchExists) { } // explict test for presence
  56                 bool operator () (CFTypeRef candidate) const; // match to candidate
  57
  58         protected:
  59                 bool inequality(CFTypeRef candidate, CFStringCompareFlags flags, CFComparisonResult outcome, bool negate) const;
  60
  61         private:
  62                 CFCopyRef<CFStringRef> mValue;  // match value
  63                 MatchOperation mOp;                             // type of match
  64         };
  65
  66 protected:
  67         bool eval(int depth);
  68
  69         bool infoKeyValue(const std::string &key, const Match &match);
  70         bool entitlementValue(const std::string &key, const Match &match);
  71         bool certFieldValue(const string &key, const Match &match, SecCertificateRef cert);
  72         bool certFieldGeneric(const string &key, const Match &match, SecCertificateRef cert);
  73         bool certFieldGeneric(const CssmOid &oid, const Match &match, SecCertificateRef cert);
  74         bool certFieldPolicy(const string &key, const Match &match, SecCertificateRef cert);
  75         bool certFieldPolicy(const CssmOid &oid, const Match &match, SecCertificateRef cert);
  76         bool verifyAnchor(SecCertificateRef cert, const unsigned char *digest);
  77         bool appleSigned();
  78         bool appleAnchored();
  79         bool trustedCerts();
  80         bool trustedCert(int slot);
  81
  82         static SecTrustSettingsResult trustSetting(SecCertificateRef cert, bool isAnchor);
  83
  84 private:
  85         const Context * const mContext;
  86 };
  87
  88
  89 }       // CodeSigning
  90 }       // Security
  91
  92 #endif //_H_REQINTERP