]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_codesigning/lib/codedirectory.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-59754.41.1.tar.gz
[apple/security.git] / OSX / libsecurity_codesigning / lib / codedirectory.h
1 /*
2 * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 //
25 // codedirectory - format and operations for code signing "code directory" structures
26 //
27 // A CodeDirectory is the top level object describing a particular instance
28 // of (static) code. It contains hashes of other objects that further describe
29 // parts of that code; these hashes hold the various pieces together.
30 //
31 // This means that if you reliably ascertain the contents of a CodeDirectory,
32 // you can verify the integrity of the entire code object it represents - the
33 // CodeDirectory can stand as a proxy for that code.
34 //
35 // Code signatures usually use CMS to sign the CodeDirectory to form full
36 // signature blobs; ad-hoc signatures simply record the interior hash of the
37 // CodeDirectory directly. The interior hash of the CodeDirectory is also widely
38 // used as concordance for a particular code instance - in essence, for
39 // different processes (or a process and the kernel) to "compare notes"
40 // to make sure they refer to the same code.
41 //
42 #ifndef _H_CODEDIRECTORY
43 #define _H_CODEDIRECTORY
44
45 #include <security_utilities/unix++.h>
46 #include <security_utilities/blob.h>
47 #include <security_utilities/cfutilities.h>
48 #include <security_utilities/hashing.h>
49 #include <Security/CSCommonPriv.h>
50 #include <set>
51
52
53 namespace Security {
54 namespace CodeSigning {
55
56
57 //
58 // Conventional string names for various code signature components.
59 // Depending on storage, these may end up as filenames, extended attribute names, etc.
60 //
61 #define kSecCS_CODEDIRECTORYFILE "CodeDirectory" // CodeDirectory
62 #define kSecCS_SIGNATUREFILE "CodeSignature" // CMS Signature
63 #define kSecCS_REQUIREMENTSFILE "CodeRequirements" // internal requirements
64 #define kSecCS_RESOURCEDIRFILE "CodeResources" // resource directory
65 #define kSecCS_ENTITLEMENTFILE "CodeEntitlements" // entitlement configuration
66 #define kSecCS_REPSPECIFICFILE "CodeRepSpecific" // DiskRep-specific use slot
67 #define kSecCS_TOPDIRECTORYFILE "CodeTopDirectory" // Top-level directory list
68 #define kSecCS_ENTITLEMENTDERFILE "CodeEntitlementDER" // DER entitlement representation
69
70 //
71 // Special hash slot values. In a CodeDirectory, these show up at negative slot
72 // indices. This enumeration is also used widely in various internal APIs, and as
73 // type values in embedded SuperBlobs.
74 //
75 // How to add a new special slot type:
76 // 1. Add the new name at the end of the primary or virtual slot array (below).
77 // 2a. For slots representing existing code pieces, follow the ball for cdInfoSlot.
78 // 2b. For slots representing global signature components, follow the ball for cdResourceDirSlot.
79 // 2c. For slots representing per-architecture signature components, follow the ball for cdEntitlementSlot.
80 // ("Follow the ball" -> Global search for that name and do likewise.)
81 //
82 enum {
83 //
84 // Primary slot numbers.
85 // These values are potentially present in the CodeDirectory hash array
86 // under their negative values. They are also used in APIs and SuperBlobs.
87 // Note that zero must not be used for these (it's page 0 of the main code array),
88 // and it is important to assign contiguous (very) small values for them.
89 //
90 cdInfoSlot = 1, // Info.plist
91 cdRequirementsSlot = 2, // internal requirements
92 cdResourceDirSlot = 3, // resource directory
93 cdTopDirectorySlot = 4, // Application specific slot
94 cdEntitlementSlot = 5, // embedded entitlement configuration
95 cdRepSpecificSlot = 6, // for use by disk rep
96 cdEntitlementDERSlot = 7, // DER representation of entitlements
97 // (add further primary slot numbers here)
98
99 cdSlotCount, // total number of special slots (+1 for slot 0)
100 cdSlotMax = cdSlotCount - 1, // highest special slot number (as a positive number)
101
102 //
103 // Virtual slot numbers.
104 // These values are NOT used in the CodeDirectory hash array. They are used as
105 // internal API identifiers and as types in SuperBlobs.
106 // Zero is okay to use here; and we assign that to the CodeDirectory itself so
107 // it shows up first in (properly sorted) SuperBlob indices. The rest of the
108 // numbers is set Far Away so the primary slot set can expand safely.
109 // It's okay to have large gaps in these assignments.
110 //
111 cdCodeDirectorySlot = 0, // CodeDirectory
112 cdAlternateCodeDirectorySlots = 0x1000, // alternate CodeDirectory array
113 cdAlternateCodeDirectoryLimit = 0x1005, // 5+1 hashes should be enough for everyone...
114 cdSignatureSlot = 0x10000, // CMS signature
115 cdIdentificationSlot, // identification blob (detached signatures only)
116 cdTicketSlot, // ticket embedded in signature (DMG only)
117 // (add further virtual slot numbers here)
118 };
119
120
121 //
122 // Special hash slot attributes.
123 // This is a central description of attributes of each slot.
124 // Various places in Code Signing pick up those attributes and act accordingly.
125 //
126 enum {
127 cdComponentPerArchitecture = 1, // slot value differs for each Mach-O architecture
128 cdComponentIsBlob = 2, // slot value is a Blob (need not be BlobWrapped)
129 };
130
131
132 //
133 // A signature with a nonzero platform identifier value, when endorsed as originated by Apple,
134 // identifies code as belonging to a particular operating system deliverable set. Some system
135 // components restrict functionality to platform binaries. The actual values are arbitrary.
136 //
137 typedef uint8_t PlatformIdentifier;
138 static const PlatformIdentifier noPlatform = 0;
139 static const unsigned int maxPlatform = 255; // stored in a uint8_t
140
141
142 //
143 // A CodeDirectory is a typed Blob describing the secured pieces of a program.
144 // This structure describes the common header and provides access to the variable-size
145 // elements packed after it. For help in constructing a CodeDirectory, use the nested
146 // Builder class.
147 //
148 // At the heart of a CodeDirectory lies a packed array of hash digests.
149 // The array's zero-index element is at offset hashOffset, and the array covers
150 // elements in the range [-nSpecialSlots .. nCodeSlots-1]. Non-negative indices
151 // denote pages of the main executable. Negative indices indicate "special" hashes,
152 // each of a different thing (see cd*Slot constants above).
153 // Special slots that are in range but not present are zeroed out. Unallocated special
154 // slots are also presumed absent; this is not an error. (Thus the range of special
155 // slots can be extended at will.)
156 //
157 // HOW TO MANAGE COMPATIBILITY:
158 // Each CodeDirectory has a format (compatibility) version. Two constants control
159 // versioning:
160 // * currentVersion is the version used for newly created CodeDirectories.
161 // * compatibilityLimit is the highest version the code will accept as compatible.
162 // Test for version < currentVersion to detect old formats that may need special
163 // handling; this is done in checkIntegrity(). The current code rejects versions
164 // below earliestVersion.
165 // Break backward compatibility by rejecting versions that are unsuitable.
166 // Accept currentVersion < version <= compatibilityLimit as versions newer than
167 // those understood by this code but engineered (by newer code) to be backward
168 // compatible. Reject version > compatibilityLimit as incomprehensible gibberish.
169 //
170 // When creating a new version, increment currentVersion. When adding new fixed fields,
171 // just append them; the flex fields will shift to make room. To add new flex fields,
172 // add a fixed field containing the new field's offset and add suitable computations
173 // to the Builder to place the new data (right) before the hash array. Remember to check
174 // for offset in-range in checkIntegrity(). Older code will then simply ignore your
175 // new fields on load/read.
176 // Add flag bits to the existing flags field to add features that step outside
177 // of the linear versioning stream. Leave the 'spare' fields alone unless you need
178 // something extraordinarily weird - they're meant to be the final escape when everything
179 // else fails.
180 // As you create new versions, consider moving the compatibilityLimit out to open up
181 // new room for backward compatibility.
182 // To break backward compatibility intentionally, move currentVersion beyond the
183 // old compatibilityLimit (and move compatibilityLimit further out).
184 //
185 class CodeDirectory: public Blob<CodeDirectory, kSecCodeMagicCodeDirectory> {
186 public:
187 Endian<uint32_t> version; // compatibility version
188 Endian<uint32_t> flags; // setup and mode flags
189 Endian<uint32_t> hashOffset; // offset of hash slot element at index zero
190 Endian<uint32_t> identOffset; // offset of identifier string
191 Endian<uint32_t> nSpecialSlots; // number of special hash slots
192 Endian<uint32_t> nCodeSlots; // number of ordinary (code) hash slots
193 Endian<uint32_t> codeLimit; // limit to main image signature range
194 uint8_t hashSize; // size of each hash digest (bytes)
195 uint8_t hashType; // type of hash (kSecCodeSignatureHash* constants)
196 uint8_t platform; // platform identifier; zero if not platform binary
197 uint8_t pageSize; // log2(page size in bytes); 0 => infinite
198 Endian<uint32_t> spare2; // unused (must be zero)
199 Endian<uint32_t> scatterOffset; // offset of optional scatter vector (zero if absent)
200 Endian<uint32_t> teamIDOffset; // offset of optional teamID string
201 Endian<uint32_t> spare3; // unused (most be zero)
202 Endian<uint64_t> codeLimit64; // limit to main image signature range, 64 bits
203 Endian<uint64_t> execSegBase; // offset of executable segment
204 Endian<uint64_t> execSegLimit; // limit of executable segment
205 Endian<uint64_t> execSegFlags; // exec segment flags
206
207 Endian<uint32_t> runtime; // Runtime version encoded as an unsigned int
208 Endian<uint32_t> preEncryptOffset; // offset of pre-encrypt hash slots
209
210 // works with the version field; see comments above
211 static const uint32_t currentVersion = 0x20500; // "version 2.5"
212 static const uint32_t compatibilityLimit = 0x2F000; // "version 3 with wiggle room"
213
214 static const uint32_t earliestVersion = 0x20001; // earliest supported version
215 static const uint32_t supportsScatter = 0x20100; // first version to support scatter option
216 static const uint32_t supportsTeamID = 0x20200; // first version to support team ID option
217 static const uint32_t supportsCodeLimit64 = 0x20300; // first version to support codeLimit64
218 static const uint32_t supportsExecSegment = 0x20400; // first version to support exec base and limit
219 static const uint32_t supportsPreEncrypt = 0x20500; // first version to support pre-encrypt hashes and runtime version
220
221 void checkIntegrity() const; // throws if inconsistent or unsupported version
222
223 typedef uint32_t HashAlgorithm; // types of internal glue hashes
224 typedef std::set<HashAlgorithm> HashAlgorithms;
225 typedef int Slot; // slot index (negative for special slots)
226 typedef unsigned int SpecialSlot; // positive special slot index (not for code slots)
227
228 const char *identifier() const { return at<const char>(identOffset); }
229 char *identifier() { return at<char>(identOffset); }
230
231 size_t signingLimit() const
232 { return (version >= supportsCodeLimit64 && codeLimit64) ? size_t(codeLimit64) : size_t(codeLimit); }
233
234 // main hash array access
235 SpecialSlot maxSpecialSlot() const;
236
237 unsigned char *getSlotMutable (Slot slot, bool preEncrypt)
238 {
239 assert(slot >= int(-nSpecialSlots) && slot < int(nCodeSlots));
240
241 if (preEncrypt) {
242 if (version >= supportsPreEncrypt && preEncryptOffset != 0) {
243 assert(slot >= 0);
244 return at<unsigned char>(preEncryptOffset) + hashSize * slot;
245 } else {
246 return NULL;
247 }
248 } else {
249 return at<unsigned char>(hashOffset) + hashSize * slot;
250 }
251 }
252
253 const unsigned char *getSlot (Slot slot, bool preEncrypt) const
254 {
255 CodeDirectory *cd = const_cast<CodeDirectory *>(this);
256 return const_cast<const unsigned char *>(cd->getSlotMutable(slot, preEncrypt));
257 }
258
259 //
260 // The main page hash array can be "scattered" across the code file
261 // by specifying an array of Scatter elements, terminated with an
262 // element whose count field is zero.
263 // The scatter vector is optional; if absent, the hash array covers
264 // a single contiguous range of pages. CodeDirectory versions below
265 // supportsScatter never have scatter vectors (they lack the scatterOffset field).
266 //
267 struct Scatter {
268 Endian<uint32_t> count; // number of pages; zero for sentinel (only)
269 Endian<uint32_t> base; // first page number
270 Endian<uint64_t> targetOffset; // byte offset in target
271 Endian<uint64_t> spare; // reserved (must be zero)
272 };
273 Scatter *scatterVector() // first scatter vector element (NULL if none)
274 { return (version >= supportsScatter && scatterOffset) ? at<Scatter>(scatterOffset) : NULL; }
275 const Scatter *scatterVector() const
276 { return (version >= supportsScatter && scatterOffset) ? at<const Scatter>(scatterOffset) : NULL; }
277
278 const char *teamID() const { return version >= supportsTeamID && teamIDOffset ? at<const char>(teamIDOffset) : NULL; }
279 char *teamID() { return version >= supportsTeamID && teamIDOffset ? at<char>(teamIDOffset) : NULL; }
280
281 uint64_t execSegmentBase() const { return (version >= supportsExecSegment) ? execSegBase.get() : 0; }
282 uint64_t execSegmentLimit() const { return (version >= supportsExecSegment) ? execSegLimit.get() : 0; }
283 uint64_t execSegmentFlags() const { return (version >= supportsExecSegment) ? execSegFlags.get() : 0; }
284
285 const unsigned char *preEncryptHashes() const { return getSlot(0, true); }
286
287 uint32_t runtimeVersion() const {return (version >= supportsPreEncrypt) ? runtime.get() : 0; }
288
289 public:
290 bool validateSlot(const void *data, size_t size, Slot slot, bool preEncrypted) const; // validate memory buffer against page slot
291 bool validateSlot(UnixPlusPlus::FileDesc fd, size_t size, Slot slot, bool preEncrypted) const; // read and validate file
292 bool slotIsPresent(Slot slot) const;
293
294 class Builder;
295
296 public:
297 static DynamicHash *hashFor(HashAlgorithm hashType); // create a DynamicHash subclass for (hashType) digests
298 DynamicHash *getHash() const { return hashFor(this->hashType); } // make one for me
299 CFDataRef cdhash(bool truncate = true) const;
300
301 static void multipleHashFileData(UnixPlusPlus::FileDesc fd, size_t limit, HashAlgorithms types, void (^action)(HashAlgorithm type, DynamicHash* hasher));
302 bool verifyMemoryContent(CFDataRef data, const Byte* digest) const;
303
304 static bool viableHash(HashAlgorithm type);
305 static HashAlgorithm bestHashOf(const HashAlgorithms& types);
306
307 std::string hexHash(const unsigned char *hash) const; // encode any canonical-type hash as a hex string
308
309 protected:
310 static size_t generateHash(DynamicHash *hash, UnixPlusPlus::FileDesc fd, Hashing::Byte *digest, size_t limit = 0); // hash to count or end of file
311 static size_t generateHash(DynamicHash *hash, const void *data, size_t length, Hashing::Byte *digest); // hash data buffer
312
313 public:
314 //
315 // Information about SpecialSlots.
316 // This specifies meta-data about slots themselves;
317 // it does not work with the contents of hash slots.
318 //
319 static const char *canonicalSlotName(SpecialSlot slot);
320 static unsigned slotAttributes(SpecialSlot slot);
321 IFDEBUG(static const char * const debugSlotName[]);
322
323 public:
324 //
325 // Canonical screening code. Requires a fully formed CodeDirectory.
326 //
327 std::string screeningCode() const;
328 };
329
330
331 } // CodeSigning
332 } // Security
333
334
335 #endif //_H_CODEDIRECTORY
mirror of Security