/*
* Private constants for SecCodeCopySigningInformation.
- * These are returned with the
*/
+extern const CFStringRef kSecCodeInfoCdHashesFull; /* Internal */
extern const CFStringRef kSecCodeInfoCodeDirectory; /* Internal */
extern const CFStringRef kSecCodeInfoCodeOffset; /* Internal */
+extern const CFStringRef kSecCodeInfoDiskRepInfo; /* Internal */
extern const CFStringRef kSecCodeInfoResourceDirectory; /* Internal */
+extern const CFStringRef kSecCodeInfoNotarizationDate; /* Internal */
+extern const CFStringRef kSecCodeInfoCMSDigestHashType; /* Internal */
+extern const CFStringRef kSecCodeInfoCMSDigest; /* Internal */
+extern const CFStringRef kSecCodeInfoDiskRepVersionPlatform; /* Number */
+extern const CFStringRef kSecCodeInfoDiskRepVersionMin; /* Number */
+extern const CFStringRef kSecCodeInfoDiskRepVersionSDK; /* Number */
+extern const CFStringRef kSecCodeInfoDiskRepNoLibraryValidation; /* String */
/*!
@function SecCodeGetStatus
*/
OSStatus SecCodeGetStatus(SecCodeRef code, SecCSFlags flags, SecCodeStatus *status);
+typedef uint32_t SecCodeStatusOperation;
+enum {
+ kSecCodeOperationNull = 0,
+ kSecCodeOperationInvalidate = 1,
+ kSecCodeOperationSetHard = 2,
+ kSecCodeOperationSetKill = 3,
+};
/*!
@function SecCodeSetStatus
@param code A valid SecCode object reference representing code running
on the system.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
- @param status Upon successful return, contains the dynamic status of code as
- determined by its host.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
*/
-typedef uint32_t SecCodeStatusOperation;
-enum {
- kSecCodeOperationNull = 0,
- kSecCodeOperationInvalidate = 1,
- kSecCodeOperationSetHard = 2,
- kSecCodeOperationSetKill = 3,
-};
-
OSStatus SecCodeSetStatus(SecCodeRef code, SecCodeStatusOperation operation,
CFDictionaryRef arguments, SecCSFlags flags);
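Review bot: The SecCodeSetStatus doc block now documents only `code` and `flags`, while the prototype on the last two lines of the hunk takes `operation` and `arguments`; the removed `@param status` (which belonged to SecCodeGetStatus) should be replaced rather than dropped, e.g. `@param operation One of the kSecCodeOperation* values declared above.` and `@param arguments A dictionary of operation-specific arguments, or NULL if the operation takes none (confirm NULL is accepted).` The relocated enum still carries no description of what Invalidate, SetHard and SetKill do to the code's status, so a one-line comment per constant would let a caller choose without reading the implementation. The trailing comments on the new kSecCodeInfo constants mix `/* Internal */` with `/* Number */` and `/* String */`, so it is unclear whether they describe visibility or value type; one consistent form (type, then visibility) would help, and `kSecCodeInfoDiskRepNoLibraryValidation` marked `String` looks worth double-checking against the implementation. The leading context of this hunk may be cut at the top of the page.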
SecCSFlags flags, SecRequirementRef *requirement);
+#if TARGET_OS_OSX
/*!
- @function SecCodeCreateWithPID
+ @function SecCodeCreateWithAuditToken
Asks the kernel to return a SecCode object for a process identified
- by a UNIX process id (pid). This is a shorthand for asking SecGetRootCode()
- for a guest whose "pid" attribute has the given pid value.
+ by a UNIX audit token. This is a shorthand for asking SecGetRootCode()
+ for a guest whose "audit" attribute has the given audit token.
- This is a deprecated convenience function.
- Call SecCodeCopyGuestWithAttributes instead.
-
- @param pid A process id for an existing UNIX process on the system.
+ @param audit A process audit token for an existing UNIX process on the system.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param process On successful return, a SecCode object reference identifying
the requesteed process.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
*/
+OSStatus SecCodeCreateWithAuditToken(const audit_token_t *audit,
+ SecCSFlags flags, SecCodeRef *process)
+ AVAILABLE_MAC_OS_X_VERSION_10_15_AND_LATER;
+
+/* Deprecated and unsafe, DO NOT USE. */
OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *process)
AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_6;
+#endif
/*
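Review bot: The comment added above SecCodeCreateWithPID, `/* Deprecated and unsafe, DO NOT USE. */`, gives no reason, so a reader cannot tell why the audit-token variant directly above it is the replacement; stating it makes the migration self-explanatory, e.g. `/* Deprecated and unsafe: a pid can be reused by a different process between lookup and use, so the returned object may describe the wrong code. Use SecCodeCreateWithAuditToken instead. */`. The SecCodeCreateWithAuditToken doc does not say whether `audit` may be NULL or what is returned when the token does not match a live process, which callers doing access decisions need to know. If this header does not already pull in a header that defines `audit_token_t`, the new prototype breaks clients that include SecCodePriv.h alone; the include block is outside the hunk, so I cannot confirm. The `#if TARGET_OS_OSX` block opened at the top of the hunk is closed at `#endif` just before this line.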
SecCSFlags flags);
+
+/*
+ @function SecCodeCopyComponent
+ For a SecStaticCodeRef, directly retrieve the binary blob for a special slot,
+ optionally checking that its native hash is the one given.
+
+ @param code A code or StaticCode object.
+ @param slot The (positive) special slot number requested.
+ @param hash A CFDataRef containing the native slot hash for the slot requested.
+ @result NULL if anything went wrong (including a missing slot), or a CFDataRef
+ containing the slot data.
+ */
+CFDataRef SecCodeCopyComponent(SecCodeRef code, int slot, CFDataRef hash);
+
+
+/*
+ @function SecCodeValidateFileResource
+ For a SecStaticCodeRef, check that a given CFData object faithfully represents
+ a plain-file resource in its resource seal.
+ This call will fail if the file is missing in the bundle, even if it is optional.
+
+ @param code A code or StaticCode object.
+ @param relativePath A CFStringRef containing the relative path to a sealed resource
+ file. This path is relative to the resource base, which is either Contents or
+ the bundle root, depending on bundle format.
+ @param fileData A CFDataRef containing the exact contents of that resource file.
+ @param flags Pass kSecCSDefaultFlags.
+ @result noErr if fileData is the exact content of the file at relativePath at the
+ time it was signed. Various error codes if it is different, there was no such file,
+ it was not a plain file, or anything is irregular.
+*/
+OSStatus SecCodeValidateFileResource(SecStaticCodeRef code, CFStringRef relativePath, CFDataRef fileData, SecCSFlags flags);
+
+
+/*
+ @constant kSecCSStrictValidateStructure
+ A subset of the work kSecCSStrictValidate performs, omitting work that
+ is unnecessary on some platforms. Since the definition of what can be
+ omitted is in flux, and since we would like to remove that notion
+ entirely eventually, we makes this a private flag.
+ */
+CF_ENUM(uint32_t) {
+ kSecCSStrictValidateStructure = 1 << 13,
+};
+
+#if TARGET_OS_OSX
+/* Here just to make TAPI happy. */
+extern int GKBIS_DS_Store_Present;
+extern int GKBIS_Dot_underbar_Present;
+extern int GKBIS_Num_localizations;
+extern int GKBIS_Num_files;
+extern int GKBIS_Num_dirs;
+extern int GKBIS_Num_symlinks;
+#endif /* TARGET_OS_OSX */
+
#ifdef __cplusplus
}
#endif
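Review bot: SecCodeCopyComponent's doc says "For a SecStaticCodeRef" while the prototype takes `SecCodeRef code`, and it does not state what happens when `hash` is NULL, which matters because the phrase "optionally checking" implies the returned blob is then unverified; make that explicit, e.g. `@param hash The expected native hash of the slot, or NULL to skip the check; when NULL the returned data has not been verified and the caller must validate it before relying on it.` and document that a non-positive `slot` yields NULL. SecCodeValidateFileResource's `@result noErr` should read `errSecSuccess` to match every other result description in this header. `kSecCSStrictValidateStructure = 1 << 13` is placed in an anonymous `CF_ENUM(uint32_t)` rather than next to the other flag values, so please confirm bit 13 is not already used by a kSecCS* flag declared in another header before this lands. The three new doc comments open with `/*` instead of the `/*!` used elsewhere in the file, so HeaderDoc will not pick them up, and the kSecCSStrictValidateStructure comment has a typo ("we makes this"). The prototype whose tail (`SecCSFlags flags);`) opens this hunk starts outside it.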