Security/libsecurity_codesigning/lib/SecStaticCode.cpp

   1 /*
   2  * Copyright (c) 2006-2007,2011-2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 //
  25 // SecStaticCode - API frame for SecStaticCode objects
  26 //
  27 #include "cs.h"
  28 #include "StaticCode.h"
  29 #include <security_utilities/cfmunge.h>
  30 #include <fcntl.h>
  31 #include <dirent.h>
  32
  33 using namespace CodeSigning;
  34
  35
  36 //
  37 // CF-standard type code function
  38 //
  39 CFTypeID SecStaticCodeGetTypeID(void)
  40 {
  41         BEGIN_CSAPI
  42         return gCFObjects().StaticCode.typeID;
  43     END_CSAPI1(_kCFRuntimeNotATypeID)
  44 }
  45
  46
  47 //
  48 // Create an StaticCode directly from disk path.
  49 //
  50 OSStatus SecStaticCodeCreateWithPath(CFURLRef path, SecCSFlags flags, SecStaticCodeRef *staticCodeRef)
  51 {
  52         BEGIN_CSAPI
  53
  54         checkFlags(flags);
  55         CodeSigning::Required(staticCodeRef) = (new SecStaticCode(DiskRep::bestGuess(cfString(path).c_str())))->handle();
  56
  57         END_CSAPI
  58 }
  59
  60 const CFStringRef kSecCodeAttributeArchitecture =       CFSTR("architecture");
  61 const CFStringRef kSecCodeAttributeSubarchitecture =CFSTR("subarchitecture");
  62 const CFStringRef kSecCodeAttributeBundleVersion =      CFSTR("bundleversion");
  63 const CFStringRef kSecCodeAttributeUniversalFileOffset =        CFSTR("UniversalFileOffset");
  64
  65 OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes,
  66         SecStaticCodeRef *staticCodeRef)
  67 {
  68         BEGIN_CSAPI
  69
  70         checkFlags(flags);
  71         DiskRep::Context ctx;
  72         std::string version; // holds memory placed into ctx
  73         if (attributes) {
  74                 std::string archName;
  75                 int archNumber, subarchNumber, offset;
  76                 if (cfscan(attributes, "{%O=%d}", kSecCodeAttributeUniversalFileOffset, &offset)) {
  77                         ctx.offset = offset;
  78                 } else if (cfscan(attributes, "{%O=%s}", kSecCodeAttributeArchitecture, &archName)) {
  79                         ctx.arch = Architecture(archName.c_str());
  80                 } else if (cfscan(attributes, "{%O=%d,%O=%d}",
  81                                 kSecCodeAttributeArchitecture, &archNumber, kSecCodeAttributeSubarchitecture, &subarchNumber))
  82                         ctx.arch = Architecture(archNumber, subarchNumber);
  83                 else if (cfscan(attributes, "{%O=%d}", kSecCodeAttributeArchitecture, &archNumber))
  84                         ctx.arch = Architecture(archNumber);
  85                 if (cfscan(attributes, "{%O=%s}", kSecCodeAttributeBundleVersion, &version))
  86                         ctx.version = version.c_str();
  87         }
  88
  89         CodeSigning::Required(staticCodeRef) = (new SecStaticCode(DiskRep::bestGuess(cfString(path).c_str(), &ctx)))->handle();
  90
  91         END_CSAPI
  92 }
  93
  94
  95 //
  96 // Check static validity of a StaticCode
  97 //
  98 OSStatus SecStaticCodeCheckValidity(SecStaticCodeRef staticCodeRef, SecCSFlags flags,
  99         SecRequirementRef requirementRef)
 100 {
 101         return SecStaticCodeCheckValidityWithErrors(staticCodeRef, flags, requirementRef, NULL);
 102 }
 103
 104 OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCodeRef, SecCSFlags flags,
 105         SecRequirementRef requirementRef, CFErrorRef *errors)
 106 {
 107         BEGIN_CSAPI
 108
 109         checkFlags(flags,
 110                   kSecCSReportProgress
 111                 | kSecCSCheckAllArchitectures
 112                 | kSecCSDoNotValidateExecutable
 113                 | kSecCSDoNotValidateResources
 114                 | kSecCSConsiderExpiration
 115         | kSecCSEnforceRevocationChecks
 116                 | kSecCSNoNetworkAccess
 117                 | kSecCSCheckNestedCode
 118                 | kSecCSStrictValidate
 119                 | kSecCSCheckGatekeeperArchitectures
 120         );
 121
 122         if (errors)
 123                 flags |= kSecCSFullReport;      // internal-use flag
 124
 125         SecPointer<SecStaticCode> code = SecStaticCode::requiredStatic(staticCodeRef);
 126         code->setValidationFlags(flags);
 127         const SecRequirement *req = SecRequirement::optional(requirementRef);
 128         DTRACK(CODESIGN_EVAL_STATIC, code, (char*)code->mainExecutablePath().c_str());
 129         code->staticValidate(flags, req);
 130
 131         END_CSAPI_ERRORS
 132 }
 133
 134
 135 //
 136 // ====================================================================================
 137 //
 138 // The following API functions are called SecCode* but accept both SecCodeRef and
 139 // SecStaticCodeRef arguments, operating on the implied SecStaticCodeRef as appropriate.
 140 // Hence they're here, rather than in SecCode.cpp.
 141 //
 142
 143
 144 //
 145 // Retrieve location information for an StaticCode.
 146 //
 147 OSStatus SecCodeCopyPath(SecStaticCodeRef staticCodeRef, SecCSFlags flags, CFURLRef *path)
 148 {
 149         BEGIN_CSAPI
 150
 151         checkFlags(flags);
 152         SecPointer<SecStaticCode> staticCode = SecStaticCode::requiredStatic(staticCodeRef);
 153         CodeSigning::Required(path) = staticCode->copyCanonicalPath();
 154
 155         END_CSAPI
 156 }
 157
 158
 159 //
 160 // Fetch or make up a designated requirement
 161 //
 162 OSStatus SecCodeCopyDesignatedRequirement(SecStaticCodeRef staticCodeRef, SecCSFlags flags,
 163         SecRequirementRef *requirementRef)
 164 {
 165         BEGIN_CSAPI
 166
 167         checkFlags(flags);
 168         const Requirement *req =
 169                 SecStaticCode::requiredStatic(staticCodeRef)->designatedRequirement();
 170         CodeSigning::Required(requirementRef) = (new SecRequirement(req))->handle();
 171
 172         END_CSAPI
 173 }
 174
 175
 176 //
 177 // Fetch a particular internal requirement, if present
 178 //
 179 OSStatus SecCodeCopyInternalRequirement(SecStaticCodeRef staticCodeRef, SecRequirementType type,
 180         SecCSFlags flags, SecRequirementRef *requirementRef)
 181 {
 182         BEGIN_CSAPI
 183
 184         checkFlags(flags);
 185         const Requirement *req =
 186                 SecStaticCode::requiredStatic(staticCodeRef)->internalRequirement(type);
 187         CodeSigning::Required(requirementRef) = req ? (new SecRequirement(req))->handle() : NULL;
 188
 189         END_CSAPI
 190 }
 191
 192
 193 //
 194 // Record for future use a detached code signature.
 195 //
 196 OSStatus SecCodeSetDetachedSignature(SecStaticCodeRef codeRef, CFDataRef signature,
 197         SecCSFlags flags)
 198 {
 199         BEGIN_CSAPI
 200
 201         checkFlags(flags);
 202         SecPointer<SecStaticCode> code = SecStaticCode::requiredStatic(codeRef);
 203
 204         code->detachedSignature(signature); // ... and pass it to the code
 205         code->resetValidity();
 206
 207         END_CSAPI
 208 }
 209
 210
 211 //
 212 // Attach a code signature to a kernel memory mapping for page-in validation.
 213 //
 214 OSStatus SecCodeMapMemory(SecStaticCodeRef codeRef, SecCSFlags flags)
 215 {
 216         BEGIN_CSAPI
 217
 218         checkFlags(flags);
 219         SecPointer<SecStaticCode> code = SecStaticCode::requiredStatic(codeRef);
 220         if (const CodeDirectory *cd = code->codeDirectory(false)) {
 221                 fsignatures args = { code->diskRep()->signingBase(), (void *)cd, cd->length() };
 222                 UnixError::check(::fcntl(code->diskRep()->fd(), F_ADDSIGS, &args));
 223         } else
 224                 MacOSError::throwMe(errSecCSUnsigned);
 225
 226         END_CSAPI
 227 }
 228
 229
 230 //
 231 // Attach a callback block to a code object
 232 //
 233 OSStatus SecStaticCodeSetCallback(SecStaticCodeRef codeRef, SecCSFlags flags, SecCodeCallback *old, SecCodeCallback monitor)
 234 {
 235         BEGIN_CSAPI
 236
 237         checkFlags(flags);
 238         SecStaticCode *code = SecStaticCode::requiredStatic(codeRef);
 239         if (old)
 240                 *old = code->monitor();
 241         code->setMonitor(monitor);
 242
 243         END_CSAPI
 244 }
 245
 246
 247 OSStatus SecStaticCodeSetValidationConditions(SecStaticCodeRef codeRef, CFDictionaryRef conditions)
 248 {
 249         BEGIN_CSAPI
 250
 251         checkFlags(0);
 252         SecStaticCode *code = SecStaticCode::requiredStatic(codeRef);
 253         code->setValidationModifiers(conditions);
 254
 255         END_CSAPI
 256 }
 257
 258
 259 //
 260 // Set cancellation flag on a static code object.
 261 //
 262 OSStatus SecStaticCodeCancelValidation(SecStaticCodeRef codeRef, SecCSFlags flags)
 263 {
 264         BEGIN_CSAPI
 265
 266         checkFlags(0);
 267         SecStaticCode *code = SecStaticCode::requiredStatic(codeRef);
 268         code->cancelValidation();
 269
 270         END_CSAPI
 271 }