Security/libsecurity_codesigning/lib/CodeSigner.cpp

   1 /*
   2  * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // CodeSigner - SecCodeSigner API objects
  26 //
  27 #include "CodeSigner.h"
  28 #include "signer.h"
  29 #include "csdatabase.h"
  30 #include "drmaker.h"
  31 #include "csutilities.h"
  32 #include <security_utilities/unix++.h>
  33 #include <security_utilities/unixchild.h>
  34 #include <Security/SecCertificate.h>
  35 #include <Security/SecCertificatePriv.h>
  36 #include <vector>
  37
  38 namespace Security {
  39
  40 __SEC_CFTYPE(SecIdentity)
  41
  42 namespace CodeSigning {
  43
  44 using namespace UnixPlusPlus;
  45
  46
  47 //
  48 // A helper for parsing out a CFDictionary signing-data specification
  49 //
  50 class SecCodeSigner::Parser : CFDictionary {
  51 public:
  52         Parser(SecCodeSigner &signer, CFDictionaryRef parameters);
  53
  54         bool getBool(CFStringRef key) const
  55         {
  56                 if (CFBooleanRef flag = get<CFBooleanRef>(key))
  57                         return flag == kCFBooleanTrue;
  58                 else
  59                         return false;
  60         }
  61 };
  62
  63
  64 //
  65 // Construct a SecCodeSigner
  66 //
  67 SecCodeSigner::SecCodeSigner(SecCSFlags flags)
  68         : mOpFlags(flags), mDigestAlgorithm(kSecCodeSignatureDefaultDigestAlgorithm), mLimitedAsync(NULL)
  69 {
  70 }
  71
  72
  73 //
  74 // Clean up a SecCodeSigner
  75 //
  76 SecCodeSigner::~SecCodeSigner() throw()
  77 try {
  78         delete mLimitedAsync;
  79 } catch (...) {
  80         return;
  81 }
  82
  83
  84 //
  85 // Parse an input parameter dictionary and set ready-to-use parameters
  86 //
  87 void SecCodeSigner::parameters(CFDictionaryRef paramDict)
  88 {
  89         Parser(*this, paramDict);
  90         if (!valid())
  91                 MacOSError::throwMe(errSecCSInvalidObjectRef);
  92 }
  93
  94 //
  95 // Retrieve the team ID from the signing certificate if and only if
  96 // it is an apple developer signing cert
  97 //
  98 std::string SecCodeSigner::getTeamIDFromSigner(CFArrayRef certs)
  99 {
 100         if (mSigner && mSigner != SecIdentityRef(kCFNull)) {
 101                 CFRef<SecCertificateRef> signerCert;
 102                 MacOSError::check(SecIdentityCopyCertificate(mSigner, &signerCert.aref()));
 103
 104                 /* Make sure the certificate looks like an Apple certificate, because we do not
 105                         extract the team ID from a non Apple certificate */
 106                 if (SecStaticCode::isAppleDeveloperCert(certs)) {
 107                         CFRef<CFStringRef> teamIDFromCert;
 108
 109                         MacOSError::check(SecCertificateCopySubjectComponent(signerCert.get(), &CSSMOID_OrganizationalUnitName, &teamIDFromCert.aref()));
 110
 111                         if (teamIDFromCert)
 112                                 return cfString(teamIDFromCert);
 113                 }
 114         }
 115
 116         return "";
 117 }
 118
 119 //
 120 // Roughly check for validity.
 121 // This isn't thorough; it just sees if if looks like we've set up the object appropriately.
 122 //
 123 bool SecCodeSigner::valid() const
 124 {
 125         if (mOpFlags & kSecCSRemoveSignature)
 126                 return true;
 127         return mSigner;
 128 }
 129
 130
 131 //
 132 // Sign code
 133 //
 134 void SecCodeSigner::sign(SecStaticCode *code, SecCSFlags flags)
 135 {
 136         code->setValidationFlags(flags);
 137         if (code->isSigned() && (flags & kSecCSSignPreserveSignature))
 138                 return;
 139         Signer operation(*this, code);
 140         if ((flags | mOpFlags) & kSecCSRemoveSignature) {
 141                 secdebug("signer", "%p will remove signature from %p", this, code);
 142                 operation.remove(flags);
 143         } else {
 144                 if (!valid())
 145                         MacOSError::throwMe(errSecCSInvalidObjectRef);
 146                 secdebug("signer", "%p will sign %p (flags 0x%x)", this, code, flags);
 147                 operation.sign(flags);
 148         }
 149         code->resetValidity();
 150 }
 151
 152
 153 //
 154 // ReturnDetachedSignature is called by writers or editors that try to return
 155 // detached signature data (rather than annotate the target).
 156 //
 157 void SecCodeSigner::returnDetachedSignature(BlobCore *blob, Signer &signer)
 158 {
 159         assert(mDetached);
 160         if (CFGetTypeID(mDetached) == CFURLGetTypeID()) {
 161                 // URL to destination file
 162                 AutoFileDesc fd(cfString(CFURLRef(mDetached.get())), O_WRONLY | O_CREAT | O_TRUNC);
 163                 fd.writeAll(*blob);
 164         } else if (CFGetTypeID(mDetached) == CFDataGetTypeID()) {
 165                 CFDataAppendBytes(CFMutableDataRef(mDetached.get()),
 166                         (const UInt8 *)blob, blob->length());
 167         } else if (CFGetTypeID(mDetached) == CFNullGetTypeID()) {
 168                 SignatureDatabaseWriter db;
 169                 db.storeCode(blob, signer.path().c_str());
 170         } else
 171                 assert(false);
 172 }
 173
 174
 175 //
 176 // Our DiskRep::signingContext methods communicate with the signing subsystem
 177 // in terms those callers can easily understand.
 178 //
 179 string SecCodeSigner::sdkPath(const std::string &path) const
 180 {
 181         assert(path[0] == '/'); // need absolute path here
 182         if (mSDKRoot)
 183                 return cfString(mSDKRoot) + path;
 184         else
 185                 return path;
 186 }
 187
 188 bool SecCodeSigner::isAdhoc() const
 189 {
 190         return mSigner == SecIdentityRef(kCFNull);
 191 }
 192
 193 SecCSFlags SecCodeSigner::signingFlags() const
 194 {
 195         return mOpFlags;
 196 }
 197
 198
 199 //
 200 // The actual parsing operation is done in the Parser class.
 201 //
 202 // Note that we need to copy or retain all incoming data. The caller has no requirement
 203 // to keep the parameters dictionary around.
 204 //
 205 SecCodeSigner::Parser::Parser(SecCodeSigner &state, CFDictionaryRef parameters)
 206         : CFDictionary(parameters, errSecCSBadDictionaryFormat)
 207 {
 208         // the signer may be an identity or null
 209         state.mSigner = SecIdentityRef(get<CFTypeRef>(kSecCodeSignerIdentity));
 210         if (state.mSigner)
 211                 if (CFGetTypeID(state.mSigner) != SecIdentityGetTypeID() && !CFEqual(state.mSigner, kCFNull))
 212                         MacOSError::throwMe(errSecCSInvalidObjectRef);
 213
 214         // the flags need some augmentation
 215         if (CFNumberRef flags = get<CFNumberRef>(kSecCodeSignerFlags)) {
 216                 state.mCdFlagsGiven = true;
 217                 state.mCdFlags = cfNumber<uint32_t>(flags);
 218         } else
 219                 state.mCdFlagsGiven = false;
 220
 221         // digest algorithms are specified as a numeric code
 222         if (CFNumberRef digestAlgorithm = get<CFNumberRef>(kSecCodeSignerDigestAlgorithm))
 223                 state.mDigestAlgorithm = cfNumber<unsigned int>(digestAlgorithm);
 224
 225         if (CFNumberRef cmsSize = get<CFNumberRef>(CFSTR("cmssize")))
 226                 state.mCMSSize = cfNumber<size_t>(cmsSize);
 227         else
 228                 state.mCMSSize = 9000;  // likely big enough
 229
 230         // metadata preservation options
 231         if (CFNumberRef preserve = get<CFNumberRef>(kSecCodeSignerPreserveMetadata)) {
 232                 state.mPreserveMetadata = cfNumber<uint32_t>(preserve);
 233         } else
 234                 state.mPreserveMetadata = 0;
 235
 236
 237         // signing time can be a CFDateRef or null
 238         if (CFTypeRef time = get<CFTypeRef>(kSecCodeSignerSigningTime)) {
 239                 if (CFGetTypeID(time) == CFDateGetTypeID() || time == kCFNull)
 240                         state.mSigningTime = CFDateRef(time);
 241                 else
 242                         MacOSError::throwMe(errSecCSInvalidObjectRef);
 243         }
 244
 245         if (CFStringRef ident = get<CFStringRef>(kSecCodeSignerIdentifier))
 246                 state.mIdentifier = cfString(ident);
 247
 248         if (CFStringRef teamid = get<CFStringRef>(kSecCodeSignerTeamIdentifier))
 249                 state.mTeamID = cfString(teamid);
 250
 251         if (CFStringRef prefix = get<CFStringRef>(kSecCodeSignerIdentifierPrefix))
 252                 state.mIdentifierPrefix = cfString(prefix);
 253
 254         // Requirements can be binary or string (to be compiled).
 255         // We must pass them along to the signer for possible text substitution
 256         if (CFTypeRef reqs = get<CFTypeRef>(kSecCodeSignerRequirements)) {
 257                 if (CFGetTypeID(reqs) == CFDataGetTypeID() || CFGetTypeID(reqs) == CFStringGetTypeID())
 258                         state.mRequirements = reqs;
 259                 else
 260                         MacOSError::throwMe(errSecCSInvalidObjectRef);
 261         } else
 262                 state.mRequirements = NULL;
 263
 264         state.mNoMachO = getBool(CFSTR("no-macho"));
 265
 266         state.mPageSize = get<CFNumberRef>(kSecCodeSignerPageSize);
 267
 268         // detached can be (destination) file URL or (mutable) Data to be appended-to
 269         if ((state.mDetached = get<CFTypeRef>(kSecCodeSignerDetached))) {
 270                 CFTypeID type = CFGetTypeID(state.mDetached);
 271                 if (type != CFURLGetTypeID() && type != CFDataGetTypeID() && type != CFNullGetTypeID())
 272                         MacOSError::throwMe(errSecCSInvalidObjectRef);
 273         }
 274
 275         state.mDryRun = getBool(kSecCodeSignerDryRun);
 276
 277         state.mResourceRules = get<CFDictionaryRef>(kSecCodeSignerResourceRules);
 278
 279         state.mApplicationData = get<CFDataRef>(kSecCodeSignerApplicationData);
 280         state.mEntitlementData = get<CFDataRef>(kSecCodeSignerEntitlements);
 281
 282         state.mSDKRoot = get<CFURLRef>(kSecCodeSignerSDKRoot);
 283
 284         if (CFBooleanRef timestampRequest = get<CFBooleanRef>(kSecCodeSignerRequireTimestamp)) {
 285                 state.mWantTimeStamp = timestampRequest == kCFBooleanTrue;
 286         } else {        // pick default
 287                 state.mWantTimeStamp = false;
 288                 if (state.mSigner && state.mSigner != SecIdentityRef(kCFNull)) {
 289                         CFRef<SecCertificateRef> signerCert;
 290                         MacOSError::check(SecIdentityCopyCertificate(state.mSigner, &signerCert.aref()));
 291                         if (certificateHasField(signerCert, devIdLeafMarkerOID))
 292                                 state.mWantTimeStamp = true;
 293                 }
 294         }
 295         state.mTimestampAuthentication = get<SecIdentityRef>(kSecCodeSignerTimestampAuthentication);
 296         state.mTimestampService = get<CFURLRef>(kSecCodeSignerTimestampServer);
 297         state.mNoTimeStampCerts = getBool(kSecCodeSignerTimestampOmitCertificates);
 298 }
 299
 300
 301 } // end namespace CodeSigning
 302 } // end namespace Security