OSX/libsecurity_codesigning/lib/CodeSigner.h

   1 /*
   2  * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // CodeSigner - SecCodeSigner API objects
  26 //
  27 #ifndef _H_CODESIGNER
  28 #define _H_CODESIGNER
  29
  30 #include "cs.h"
  31 #include "StaticCode.h"
  32 #include "cdbuilder.h"
  33 #include <Security/SecIdentity.h>
  34 #include <security_utilities/utilities.h>
  35
  36 namespace Security {
  37 namespace CodeSigning {
  38
  39
  40 //
  41 // A SecCode object represents running code in the system. It must be subclassed
  42 // to implement a particular notion of code.
  43 //
  44 class SecCodeSigner : public SecCFObject {
  45         NOCOPY(SecCodeSigner)
  46 public:
  47         class Parser;
  48         class Signer;
  49
  50 public:
  51         SECCFFUNCTIONS(SecCodeSigner, SecCodeSignerRef, errSecCSInvalidObjectRef, gCFObjects().CodeSigner)
  52
  53         SecCodeSigner(SecCSFlags flags);
  54     virtual ~SecCodeSigner() _NOEXCEPT;
  55
  56         void parameters(CFDictionaryRef args);  // parse and set parameters
  57         bool valid() const;
  58
  59         std::string getTeamIDFromSigner(CFArrayRef certs);
  60
  61         void sign(SecStaticCode *code, SecCSFlags flags);
  62         void remove(SecStaticCode *code, SecCSFlags flags);
  63
  64         void returnDetachedSignature(BlobCore *blob, Signer &signer);
  65
  66         const CodeDirectory::HashAlgorithms &digestAlgorithms() const { return mDigestAlgorithms; }
  67
  68 public:
  69         // parsed parameter set
  70         SecCSFlags mOpFlags;                    // operation flags
  71         CFRef<SecIdentityRef> mSigner;  // signing identity
  72         CFRef<CFTypeRef> mDetached;             // detached-signing information (NULL => attached)
  73         CFRef<CFDictionaryRef> mResourceRules; // explicit resource collection rules (override)
  74         CFRef<CFDateRef> mSigningTime;  // signing time desired (kCFNull for none)
  75         CFRef<CFDataRef> mApplicationData; // contents of application slot
  76         CFRef<CFDataRef> mEntitlementData; // entitlement configuration data
  77         CFRef<CFURLRef> mSDKRoot;               // substitute filesystem root for sub-component lookup
  78         CFRef<CFTypeRef> mRequirements; // internal code requirements
  79         size_t mCMSSize;                                // size estimate for CMS blob
  80         uint32_t mCdFlags;                              // CodeDirectory flags
  81         uint32_t mPreserveMetadata;             // metadata preservation options
  82         bool mCdFlagsGiven;                             // CodeDirectory flags were specified
  83         CodeDirectory::HashAlgorithms mDigestAlgorithms; // interior digest (hash) algorithm
  84         std::string mIdentifier;                // unique identifier override
  85         std::string mIdentifierPrefix;  // prefix for un-dotted default identifiers
  86         std::string mTeamID;            // teamID
  87         PlatformIdentifier mPlatform;   // platform identifier (zero if not platform binary)
  88         bool mNoMachO;                                  // override to perform non-Mach-O signing
  89         bool mDryRun;                                   // dry run (do not change target)
  90         CFRef<CFNumberRef> mPageSize;   // main executable page size
  91         CFRef<SecIdentityRef> mTimestampAuthentication; // identity for client-side authentication to the Timestamp server
  92         CFRef<CFURLRef> mTimestampService;              // URL for Timestamp server
  93     bool mWantTimeStamp;          // use a Timestamp server
  94     bool mNoTimeStampCerts;       // don't request certificates with timestamping request
  95         LimitedAsync *mLimitedAsync;    // limited async workers for verification
  96         uint32_t mRuntimeVersionOverride;       // runtime Version Override
  97         bool mPreserveAFSC;             // preserve AFSC compression
  98         bool mOmitAdhocFlag;                    // don't add adhoc flag, even without signer identity
  99
 100         // Signature Editing
 101         Architecture mEditArch;                 // architecture to edit (defaults to all if empty)
 102         CFRef<CFDataRef> mEditCMS;              // CMS to replace in the signature
 103
 104 };
 105
 106
 107 } // end namespace CodeSigning
 108 } // end namespace Security
 109
 110 #endif // !_H_CODESIGNER