2 * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 SecCode represents separately indentified running code in the system.
27 In addition to UNIX processes, this can also include (with suitable support)
28 scripts, applets, widgets, etc.
33 #include <Security/CSCommon.h>
34 #include <CoreFoundation/CFBase.h>
40 CF_ASSUME_NONNULL_BEGIN
43 @function SecCodeGetTypeID
44 Returns the type identifier of all SecCode instances.
46 CFTypeID
SecCodeGetTypeID(void);
50 @function SecCodeCopySelf
51 Obtains a SecCode object for the code making the call.
52 The calling code is determined in a way that is subject to modification over
53 time, but obeys the following rules. If it is a UNIX process, its process id (pid)
54 is always used. If it is an active code host that has a dedicated guest, such a guest
55 is always preferred. If it is a host that has called SecHostSelectGuest, such selection
56 is considered until revoked.
58 @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
59 @param self Upon successful return, contains a SecCodeRef representing the caller.
61 @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
62 CSCommon.h or certain other Security framework headers.
64 OSStatus
SecCodeCopySelf(SecCSFlags flags
, SecCodeRef
* __nonnull CF_RETURNS_RETAINED self
);
68 @function SecCodeCopyStaticCode
69 Given a SecCode object, locate its origin in the file system and return
70 a SecStaticCode object representing it.
72 The link established by this call is generally reliable but is NOT guaranteed
75 Many API functions taking SecStaticCodeRef arguments will also directly
76 accept a SecCodeRef and apply this translation implicitly, operating on
77 its result or returning its error code if any. Each of these functions
78 calls out that behavior in its documentation.
80 If the code was obtained from a universal (aka "fat") program file,
81 the resulting SecStaticCodeRef will refer only to the architecture actually
82 being used. This means that multiple running codes started from the same file
83 may conceivably result in different static code references if they ended up
84 using different execution architectures. (This is unusual but possible.)
86 @param code A valid SecCode object reference representing code running
89 @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
90 @constant kSecCSUseAllArchitectures
91 If code refers to a single architecture of a universal binary, return a SecStaticCodeRef
92 that refers to the entire universal code with all its architectures. By default, the
93 returned static reference identifies only the actual architecture of the running program.
95 @param staticCode On successful return, a SecStaticCode object reference representing
96 the file system origin of the given SecCode. On error, unchanged.
97 @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
98 CSCommon.h or certain other Security framework headers.
101 kSecCSUseAllArchitectures
= 1 << 0,
104 OSStatus
SecCodeCopyStaticCode(SecCodeRef code
, SecCSFlags flags
, SecStaticCodeRef
* __nonnull CF_RETURNS_RETAINED staticCode
);
108 @function SecCodeCopyHost
109 Given a SecCode object, identify the (different) SecCode object that acts
110 as its host. A SecCode's host acts as a supervisor and controller,
111 and is the ultimate authority on the its dynamic validity and status.
112 The host relationship is securely established (absent reported errors).
114 @param guest A valid SecCode object reference representing code running
116 @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
117 @param host On successful return, a SecCode object reference identifying
119 @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
120 CSCommon.h or certain other Security framework headers.
122 OSStatus
SecCodeCopyHost(SecCodeRef guest
, SecCSFlags flags
, SecCodeRef
* __nonnull CF_RETURNS_RETAINED host
);
124 extern const CFStringRef kSecGuestAttributeCanonical
;
125 extern const CFStringRef kSecGuestAttributeHash
;
126 extern const CFStringRef kSecGuestAttributeMachPort
;
127 extern const CFStringRef kSecGuestAttributePid
;
128 extern const CFStringRef kSecGuestAttributeAudit
;
129 extern const CFStringRef kSecGuestAttributeDynamicCode
;
130 extern const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist
;
131 extern const CFStringRef kSecGuestAttributeArchitecture
;
132 extern const CFStringRef kSecGuestAttributeSubarchitecture
;
136 @function SecCodeCopyGuestWithAttributes
137 This is the omnibus API function for obtaining dynamic code references.
138 In general, it asks a particular code acting as a code host to locate
139 and return a guest with given attributes. Different hosts support
140 different combinations of attributes and values for guest selection.
142 Asking the NULL host invokes system default procedures for obtaining
143 any running code in the system with the attributes given. The returned
144 code may be anywhere in the system.
146 The methods a host uses to identify, separate, and control its guests
147 are specific to each type of host. This call provides a generic abstraction layer
148 that allows uniform interrogation of all hosts. A SecCode that does not
149 act as a host will always return errSecCSNoSuchCode. A SecCode that does
150 support hosting may return itself to signify that the attribute refers to
151 itself rather than one of its hosts.
153 @param host A valid SecCode object reference representing code running
154 on the system that acts as a Code Signing host. As a special case, passing
155 NULL indicates that the Code Signing root of trust should be used as a starting
156 point. Currently, that is the system kernel.
157 @param attributes A CFDictionary containing zero or more attribute selector
158 values. Each selector has a CFString key and associated CFTypeRef value.
159 The key name identifies the attribute being specified; the associated value,
160 whose type depends on the the key name, selects a particular value or other
161 constraint on that attribute. Each host only supports particular combinations
162 of keys and values, and errors will be returned if any unsupported set is requested.
163 As a special case, NULL is taken to mean an empty attribute set.
164 Note that some hosts that support hosting chains (guests being hosts)
165 may return sub-guests in this call. In other words, do not assume that
166 a SecCodeRef returned by this call is a direct guest of the queried host
167 (though it will be a proximate guest, i.e. a guest's guest some way down).
168 Asking the NULL host for NULL attributes returns a code reference for the system root
169 of trust (at present, the running Darwin kernel).
170 @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
171 @param guest On successful return, a SecCode object reference identifying
172 the particular guest of the host that owns the attribute value(s) specified.
173 This argument will not be changed if the call fails (does not return errSecSuccess).
174 @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
175 CSCommon.h or certain other Security framework headers. In particular:
176 @error errSecCSUnsupportedGuestAttributes The host does not support the attribute
177 type given by attributeType.
178 @error errSecCSInvalidAttributeValues The type of value given for a guest
179 attribute is not supported by the host.
180 @error errSecCSNoSuchCode The host has no guest with the attribute value given
181 by attributeValue, even though the value is of a supported type. This may also
182 be returned if the host code does not currently act as a Code Signing host.
183 @error errSecCSNotAHost The specified host cannot, in fact, act as a code
184 host. (It is missing the kSecCodeSignatureHost option flag in its code
186 @error errSecCSMultipleGuests The attributes specified do not uniquely identify
187 a guest (the specification is ambiguous).
190 OSStatus
SecCodeCopyGuestWithAttributes(SecCodeRef __nullable host
,
191 CFDictionaryRef __nullable attributes
, SecCSFlags flags
, SecCodeRef
* __nonnull CF_RETURNS_RETAINED guest
);
192 #endif // TARGET_OS_OSX
196 @function SecCodeCheckValidity
197 Performs dynamic validation of the given SecCode object. The call obtains and
198 verifies the signature on the code object. It checks the validity of only those
199 sealed components required to establish identity. It checks the SecCode's
200 dynamic validity status as reported by its host. It ensures that the SecCode's
201 host is in turn valid. Finally, it validates the code against a SecRequirement
202 if one is given. The call succeeds if all these conditions are satisfactory.
205 This call is secure against attempts to modify the file system source of the
208 @param code The code object to be validated.
209 @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
210 @param requirement An optional code requirement specifying additional conditions
211 the code object must satisfy to be considered valid. If NULL, no additional
212 requirements are imposed.
213 @result If validation passes, errSecSuccess. If validation fails, an OSStatus value
214 documented in CSCommon.h or certain other Security framework headers.
216 OSStatus
SecCodeCheckValidity(SecCodeRef code
, SecCSFlags flags
,
217 SecRequirementRef __nullable requirement
);
220 @function SecCodeCheckValidityWifErrors
221 Performs dynamic validation of the given SecCode object. The call obtains and
222 verifies the signature on the code object. It checks the validity of only those
223 sealed components required to establish identity. It checks the SecCode's
224 dynamic validity status as reported by its host. It ensures that the SecCode's
225 host is in turn valid. Finally, it validates the code against a SecRequirement
226 if one is given. The call succeeds if all these conditions are satisfactory.
229 This call is secure against attempts to modify the file system source of the
232 @param code The code object to be validated.
233 @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
234 @param requirement An optional code requirement specifying additional conditions
235 the code object must satisfy to be considered valid. If NULL, no additional
236 requirements are imposed.
237 @param errors An optional pointer to a CFErrorRef variable. If the call fails
238 (and something other than errSecSuccess is returned), and this argument is non-NULL,
239 a CFErrorRef is stored there further describing the nature and circumstances
240 of the failure. The caller must CFRelease() this error object when done with it.
241 @result If validation passes, errSecSuccess. If validation fails, an OSStatus value
242 documented in CSCommon.h or certain other Security framework headers.
244 OSStatus
SecCodeCheckValidityWithErrors(SecCodeRef code
, SecCSFlags flags
,
245 SecRequirementRef __nullable requirement
, CFErrorRef
*errors
);
249 @function SecCodeCopyPath
250 For a given Code or StaticCode object, returns a URL to a location on disk where the
251 code object can be found. For single files, the URL points to that file.
252 For bundles, it points to the directory containing the entire bundle.
254 @param staticCode The Code or StaticCode object to be located. For a Code
255 argument, its StaticCode is processed as per SecCodeCopyStaticCode.
256 @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
257 @param path On successful return, contains a CFURL identifying the location
258 on disk of the staticCode object.
259 @result On success, errSecSuccess. On error, an OSStatus value
260 documented in CSCommon.h or certain other Security framework headers.
262 OSStatus
SecCodeCopyPath(SecStaticCodeRef staticCode
, SecCSFlags flags
,
263 CFURLRef
* __nonnull CF_RETURNS_RETAINED path
);
267 @function SecCodeCopyDesignatedRequirement
268 For a given Code or StaticCode object, determines its Designated Code Requirement.
269 The Designated Requirement is the SecRequirement that the code believes
270 should be used to properly identify it in the future.
272 If the SecCode contains an explicit Designated Requirement, a copy of that
273 is returned. If it does not, a SecRequirement is implicitly constructed from
274 its signing authority and its embedded unique identifier. No Designated
275 Requirement can be obtained from code that is unsigned. Code that is modified
276 after signature, improperly signed, or has become invalid, may or may not yield
277 a Designated Requirement. This call does not validate the SecStaticCode argument.
279 @param code The Code or StaticCode object to be interrogated. For a Code
280 argument, its StaticCode is processed as per SecCodeCopyStaticCode.
281 @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
282 @param requirement On successful return, contains a copy of a SecRequirement
283 object representing the code's Designated Requirement. On error, unchanged.
284 @result On success, errSecSuccess. On error, an OSStatus value
285 documented in CSCommon.h or certain other Security framework headers.
287 OSStatus
SecCodeCopyDesignatedRequirement(SecStaticCodeRef code
, SecCSFlags flags
,
288 SecRequirementRef
* __nonnull CF_RETURNS_RETAINED requirement
);
292 @function SecCodeCopySigningInformation
293 For a given Code or StaticCode object, extract various pieces of information
294 from its code signature and return them in the form of a CFDictionary. The amount
295 and detail level of the data is controlled by the flags passed to the call.
297 If the code exists but is not signed at all, this call will succeed and return
298 a dictionary that does NOT contain the kSecCodeInfoIdentifier key. This is the
299 recommended way to check quickly whether a code is signed.
301 If the signing data for the code is corrupt or invalid, this call may fail or it
302 may return partial data. To ensure that only valid data is returned (and errors
303 are raised for invalid data), you must successfully call one of the CheckValidity
304 functions on the code before calling CopySigningInformation.
306 @param code The Code or StaticCode object to be interrogated. For a Code
307 argument, its StaticCode is processed as per SecCodeCopyStaticCode.
308 Note that dynamic information (kSecCSDynamicInformation) cannot be obtained
309 for a StaticCode argument.
310 @param flags Optional flags. Use any or all of the kSecCS*Information flags
311 to select what information to return. A generic set of entries is returned
312 regardless; you may specify kSecCSDefaultFlags for just those.
313 @param information A CFDictionary containing information about the code is stored
314 here on successful completion. The contents of the dictionary depend on
315 the flags passed. Regardless of flags, the kSecCodeInfoIdentifier key is
316 always present if the code is signed, and always absent if the code is
318 Note that some of the objects returned are (retained) "live" API objects
319 used by the code signing infrastructure. Making changes to these objects
320 is unsupported and may cause subsequent code signing operations on the
321 affected code to behave in undefined ways.
322 @result On success, errSecSuccess. On error, an OSStatus value
323 documented in CSCommon.h or certain other Security framework headers.
327 @constant kSecCSSigningInformation Return cryptographic signing information,
328 including the certificate chain and CMS data (if any). For ad-hoc signed
329 code, there are no certificates and the CMS data is empty.
330 @constant kSecCSRequirementInformation Return information about internal code
331 requirements embedded in the code. This includes the Designated Requirement.
332 @constant kSecCSInternalInformation Return internal code signing information.
333 This information is for use by Apple, and is subject to change without notice.
334 It will not be further documented here.
335 @constant kSecCSDynamicInformation Return dynamic validity information about
336 the Code. The subject code must be a SecCodeRef (not a SecStaticCodeRef).
337 @constant kSecCSContentInformation Return more information about the file system
338 contents making up the signed code on disk. It is not generally advisable to
339 make use of this information, but some utilities (such as software-update
340 tools) may find it useful.
344 @constant kSecCodeInfoCertificates A CFArray of SecCertificates identifying the
345 certificate chain of the signing certificate as seen by the system. Absent
346 for ad-hoc signed code. May be partial or absent in error cases.
347 @constant kSecCodeInfoChangedFiles A CFArray of CFURLs identifying all files in
348 the code that may have been modified by the process of signing it. (In other
349 words, files not in this list will not have been touched by the signing operation.)
350 @constant kSecCodeInfoCMS A CFData containing the CMS cryptographic object that
351 secures the code signature. Empty for ad-hoc signed code.
352 @constant kSecCodeInfoDesignatedRequirement A SecRequirement describing the
353 actual Designated Requirement of the code.
354 @constant kSecCodeInfoEntitlements A CFData containing the embedded entitlement
355 blob of the code, if any.
356 @constant kSecCodeInfoEntitlementsDict A CFDictionary containing the embedded entitlements
357 of the code if it has entitlements and they are in standard dictionary form.
358 Absent if the code has no entitlements, or they are in a different format (in which
359 case, see kSecCodeInfoEntitlements).
360 @constant kSecCodeInfoFlags A CFNumber with the static (on-disk) state of the object.
361 Contants are defined by the type SecCodeSignatureFlags.
362 @constant kSecCodeInfoFormat A CFString characterizing the type and format of
363 the code. Suitable for display to a (knowledeable) user.
364 @constant kSecCodeInfoDigestAlgorithm A CFNumber indicating the kind of cryptographic
365 hash function chosen to establish integrity of the signature on this system, which
366 is the best supported algorithm from kSecCodeInfoDigestAlgorithms.
367 @constant kSecCodeInfoDigestAlgorithms A CFArray of CFNumbers indicating the kinds of
368 cryptographic hash functions available within the signature. The ordering of those items
369 has no significance in terms of priority, but determines the order in which
370 the hashes appear in kSecCodeInfoCdHashes.
371 @constant kSecCodeInfoPlatformIdentifier If this code was signed as part of an operating
372 system release, this value identifies that release.
373 @constant kSecCodeInfoIdentifier A CFString with the actual signing identifier
374 sealed into the signature. Absent for unsigned code.
375 @constant kSecCodeInfoImplicitDesignatedRequirement A SecRequirement describing
376 the designated requirement that the system did generate, or would have generated,
377 for the code. If the Designated Requirement was implicitly generated, this is
378 the same object as kSecCodeInfoDesignatedRequirement; this can be used to test
379 for an explicit Designated Requirement.
380 @constant kSecCodeInfoMainExecutable A CFURL identifying the main executable file
381 of the code. For single files, that is the file itself. For bundles, it is the
382 main executable as identified by its Info.plist.
383 @constant kSecCodeInfoPList A retained CFDictionary referring to the secured Info.plist
384 as seen by code signing. Absent if no Info.plist is known to the code signing
385 subsystem. Note that this is not the same dictionary as the one CFBundle would
386 give you (CFBundle is free to add entries to the on-disk plist).
387 @constant kSecCodeInfoRequirements A CFString describing the internal requirements
388 of the code in canonical syntax.
389 @constant kSecCodeInfoRequirementsData A CFData containing the internal requirements
390 of the code as a binary blob.
391 @constant kSecCodeInfoSource A CFString describing the source of the code signature
392 used for the code object. The values are meant to be shown in informational
393 displays; do not rely on the precise value returned.
394 @constant kSecCodeInfoStatus A CFNumber containing the dynamic status word of the
395 (running) code. This is a snapshot at the time the API is executed and may be
396 out of date by the time you examine it. Do note however that most of the bits
397 are sticky and thus some values are permanently reliable. Be careful.
398 @constant kSecCodeInfoTime A CFDate describing the signing date (securely) embedded
399 in the code signature. Note that a signer is able to omit this date or pre-date
400 it. Nobody certifies that this was really the date the code was signed; however,
401 you do know that this is the date the signer wanted you to see.
402 Ad-hoc signatures have no CMS and thus never have secured signing dates.
403 @constant kSecCodeInfoTimestamp A CFDate describing the signing date as (securely)
404 certified by a timestamp authority service. This time cannot be falsified by the
405 signer; you trust the timestamp authority's word on this.
406 Ad-hoc signatures have no CMS and thus never have secured signing dates.
407 @constant kSecCodeInfoTrust The (retained) SecTrust object the system uses to
408 evaluate the validity of the code's signature. You may use the SecTrust API
409 to extract detailed information, particularly for reasons why certificate
410 validation may have failed. This object may continue to be used for further
411 evaluations of this code; if you make any changes to it, behavior is undefined.
412 @constant kSecCodeInfoUnique A CFData binary identifier that uniquely identifies
413 the static code in question. It can be used to recognize this particular code
414 (and none other) now or in the future. Compare to kSecCodeInfoIdentifier, which
415 remains stable across (developer-approved) updates.
416 The algorithm used may change from time to time. However, for any existing signature,
418 @constant kSecCodeInfoCdHashes An array containing the values of the kSecCodeInfoUnique
419 binary identifier for every digest algorithm supported in the signature, in the same
420 order as in the kSecCodeInfoDigestAlgorithms array. The kSecCodeInfoUnique value
421 will be contained in this array, and be the one corresponding to the
422 kSecCodeInfoDigestAlgorithm value.
425 kSecCSInternalInformation
= 1 << 0,
426 kSecCSSigningInformation
= 1 << 1,
427 kSecCSRequirementInformation
= 1 << 2,
428 kSecCSDynamicInformation
= 1 << 3,
429 kSecCSContentInformation
= 1 << 4,
430 kSecCSSkipResourceDirectory
= 1 << 5
432 /* flag required to get this value */
433 extern const CFStringRef kSecCodeInfoCertificates
; /* Signing */
434 extern const CFStringRef kSecCodeInfoChangedFiles
; /* Content */
435 extern const CFStringRef kSecCodeInfoCMS
; /* Signing */
436 extern const CFStringRef kSecCodeInfoDesignatedRequirement
; /* Requirement */
437 extern const CFStringRef kSecCodeInfoEntitlements
; /* generic */
438 extern const CFStringRef kSecCodeInfoEntitlementsDict
; /* generic */
439 extern const CFStringRef kSecCodeInfoFlags
; /* generic */
440 extern const CFStringRef kSecCodeInfoFormat
; /* generic */
441 extern const CFStringRef kSecCodeInfoDigestAlgorithm
; /* generic */
442 extern const CFStringRef kSecCodeInfoDigestAlgorithms
; /* generic */
443 extern const CFStringRef kSecCodeInfoPlatformIdentifier
; /* generic */
444 extern const CFStringRef kSecCodeInfoIdentifier
; /* generic */
445 extern const CFStringRef kSecCodeInfoImplicitDesignatedRequirement
; /* Requirement */
446 extern const CFStringRef kSecCodeInfoMainExecutable
; /* generic */
447 extern const CFStringRef kSecCodeInfoPList
; /* generic */
448 extern const CFStringRef kSecCodeInfoRequirements
; /* Requirement */
449 extern const CFStringRef kSecCodeInfoRequirementData
; /* Requirement */
450 extern const CFStringRef kSecCodeInfoSource
; /* generic */
451 extern const CFStringRef kSecCodeInfoStatus
; /* Dynamic */
452 extern const CFStringRef kSecCodeInfoTeamIdentifier
; /* Signing */
453 extern const CFStringRef kSecCodeInfoTime
; /* Signing */
454 extern const CFStringRef kSecCodeInfoTimestamp
; /* Signing */
455 extern const CFStringRef kSecCodeInfoTrust
; /* Signing */
456 extern const CFStringRef kSecCodeInfoUnique
; /* generic */
457 extern const CFStringRef kSecCodeInfoCdHashes
; /* generic */
459 OSStatus
SecCodeCopySigningInformation(SecStaticCodeRef code
, SecCSFlags flags
,
460 CFDictionaryRef
* __nonnull CF_RETURNS_RETAINED information
);
464 @function SecCodeMapMemory
465 For a given Code or StaticCode object, ask the kernel to accept the signing information
466 currently attached to it in the caller and use it to validate memory page-ins against it,
467 updating dynamic validity state accordingly. This change affects all processes that have
468 the main executable of this code mapped.
470 @param code A Code or StaticCode object representing the signed code whose main executable
471 should be subject to page-in validation.
472 @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
474 OSStatus
SecCodeMapMemory(SecStaticCodeRef code
, SecCSFlags flags
);
476 CF_ASSUME_NONNULL_END