2 * Copyright (c) 2006-2012 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 // requirement - Code Requirement Blob description
27 #ifndef _H_REQUIREMENT
28 #define _H_REQUIREMENT
30 #include <security_utilities/blob.h>
31 #include <security_utilities/superblob.h>
32 #include <security_utilities/hashing.h>
33 #include <Security/CodeSigning.h>
34 #include "codedirectory.h"
38 namespace CodeSigning
{
42 // Single requirement.
43 // This is a contiguous binary blob, starting with this header
44 // and followed by binary expr-code. All links within the blob
45 // are offset-relative to the start of the header.
46 // This is designed to be a binary stable format. Note that we restrict
47 // outselves to 4GB maximum size (4 byte size/offset), and we expect real
48 // Requirement blobs to be fairly small (a few kilobytes at most).
50 // The "kind" field allows for adding different kinds of Requirements altogether
51 // in the future. We expect to stay within the framework of "opExpr" requirements,
52 // but it never hurts to have a way out.
54 class Requirement
: public Blob
<Requirement
, 0xfade0c00> {
56 class Maker
; // makes Requirement blobs
57 class Context
; // evaluation context
58 class Reader
; // structured reader
59 class Interpreter
; // evaluation engine
61 // different forms of Requirements. Right now, we only support exprForm ("opExprs")
63 exprForm
= 1 // prefix expr form
66 void kind(Kind k
) { mKind
= k
; }
67 Kind
kind() const { return Kind(uint32_t(mKind
)); }
69 // validate this requirement against a code context
70 void validate(const Context
&ctx
, OSStatus failure
= errSecCSReqFailed
) const; // throws on all failures
71 bool validates(const Context
&ctx
, OSStatus failure
= errSecCSReqFailed
) const; // returns on clean miss
73 // certificate positions (within a standard certificate chain)
74 static const int leafCert
= 0; // index for leaf (first in chain)
75 static const int anchorCert
= -1; // index for anchor (last in chain)
77 // the SHA1 hash of the canonical "Apple Anchor", i.e. the X509 Anchor
78 // that is considered "Apple's anchor certificate", as defined by hashOfCertificate().
79 static const SHA1::Digest
&appleAnchorHash();
80 #if defined(TEST_APPLE_ANCHOR)
81 static const char testAppleAnchorEnv
[];
82 static const SHA1::Digest
&testAppleAnchorHash();
83 #endif //TEST_APPLE_ANCHOR
85 // common alignment rule for all requirement forms
86 static const size_t baseAlignment
= sizeof(uint32_t); // (we might as well say "four")
88 // canonical (source) names of Requirement types (matched to SecRequirementType in CSCommon.h)
89 static const char *const typeNames
[];
91 IFDUMP(void dump() const);
94 Endian
<uint32_t> mKind
; // expression kind
99 // An interpretation context
101 class Requirement::Context
{
104 : certs(NULL
), info(NULL
), entitlements(NULL
), identifier(""), directory(NULL
) { }
107 Context(CFArrayRef certChain
, CFDictionaryRef infoDict
, CFDictionaryRef entitlementDict
,
108 const std::string
&ident
, const CodeDirectory
*dir
)
109 : certs(certChain
), info(infoDict
), entitlements(entitlementDict
), identifier(ident
), directory(dir
) { }
111 CFArrayRef certs
; // certificate chain
112 CFDictionaryRef info
; // Info.plist
113 CFDictionaryRef entitlements
; // entitlement plist
114 std::string identifier
; // signing identifier
115 const CodeDirectory
*directory
; // CodeDirectory
117 SecCertificateRef
cert(int ix
) const; // get a cert from the cert chain (NULL if not found)
118 unsigned int certCount() const; // length of cert chain (including root)
125 // Opcodes are broken into flags in the (HBO) high byte, and an opcode value
126 // in the remaining 24 bits. Note that opcodes will remain fairly small
127 // (almost certainly <60000), so we have the third byte to play around with
128 // in the future, if needed. For now, small opcodes effective reserve this byte
130 // The flag byte allows for limited understanding of unknown opcodes. It allows
131 // the interpreter to use the known opcode parts of the program while semi-creatively
132 // disregarding the parts it doesn't know about. An unrecognized opcode with zero
133 // flag byte causes evaluation to categorically fail, since the semantics of such
134 // an opcode cannot safely be predicted.
137 // semantic bits or'ed into the opcode
138 opFlagMask
= 0xFF000000, // high bit flags
139 opGenericFalse
= 0x80000000, // has size field; okay to default to false
140 opGenericSkip
= 0x40000000, // has size field; skip and continue
144 opFalse
, // unconditionally false
145 opTrue
, // unconditionally true
146 opIdent
, // match canonical code [string]
147 opAppleAnchor
, // signed by Apple as Apple's product
148 opAnchorHash
, // match anchor [cert hash]
149 opInfoKeyValue
, // *legacy* - use opInfoKeyField [key; value]
150 opAnd
, // binary prefix expr AND expr [expr; expr]
151 opOr
, // binary prefix expr OR expr [expr; expr]
152 opCDHash
, // match hash of CodeDirectory directly [cd hash]
153 opNot
, // logical inverse [expr]
154 opInfoKeyField
, // Info.plist key field [string; match suffix]
155 opCertField
, // Certificate field [cert index; field name; match suffix]
156 opTrustedCert
, // require trust settings to approve one particular cert [cert index]
157 opTrustedCerts
, // require trust settings to approve the cert chain
158 opCertGeneric
, // Certificate component by OID [cert index; oid; match suffix]
159 opAppleGenericAnchor
, // signed by Apple in any capacity
160 opEntitlementField
, // entitlement dictionary field [string; match suffix]
161 opCertPolicy
, // Certificate policy by OID [cert index; oid; match suffix]
162 opNamedAnchor
, // named anchor type
163 opNamedCode
, // named subroutine
164 exprOpCount
// (total opcode count in use)
167 // match suffix opcodes
168 enum MatchOperation
{
169 matchExists
, // anything but explicit "false" - no value stored
170 matchEqual
, // equal (CFEqual)
171 matchContains
, // partial match (substring)
172 matchBeginsWith
, // partial match (initial substring)
173 matchEndsWith
, // partial match (terminal substring)
174 matchLessThan
, // less than (string with numeric comparison)
175 matchGreaterThan
, // greater than (string with numeric comparison)
176 matchLessEqual
, // less or equal (string with numeric comparison)
177 matchGreaterEqual
, // greater or equal (string with numeric comparison)
182 // We keep Requirement groups in SuperBlobs, indexed by SecRequirementType
184 typedef SuperBlob
<0xfade0c01> Requirements
;
188 // Byte order flippers
190 inline CodeSigning::ExprOp
h2n(CodeSigning::ExprOp op
)
192 uint32_t intOp
= (uint32_t) op
;
193 return (CodeSigning::ExprOp
) ::h2n(intOp
);
196 inline CodeSigning::ExprOp
n2h(CodeSigning::ExprOp op
)
198 uint32_t intOp
= (uint32_t) op
;
199 return (CodeSigning::ExprOp
) ::n2h(intOp
);
203 inline CodeSigning::MatchOperation
h2n(CodeSigning::MatchOperation op
)
205 return CodeSigning::MatchOperation(::h2n((uint32_t) op
));
208 inline CodeSigning::MatchOperation
n2h(CodeSigning::MatchOperation op
)
210 return CodeSigning::MatchOperation(::n2h((uint32_t) op
));
217 #endif //_H_REQUIREMENT
projects / apple / security.git / blob