]> git.saurik.com Git - apple/security.git/blobdiff - OSX/libsecurity_codesigning/lib/StaticCode.cpp
projects / apple / security.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Security-59306.101.1.tar.gz
[apple/security.git] / OSX / libsecurity_codesigning / lib / StaticCode.cpp
diff --git a/OSX/libsecurity_codesigning/lib/StaticCode.cpp b/OSX/libsecurity_codesigning/lib/StaticCode.cpp
index 6bcfb5005208a7ca8ff1bf8dfb0eb62183b19c80..2d5a3e90bcd2a5edccc5189fdd1c569150a3f325 100644 (file)
--- a/OSX/libsecurity_codesigning/lib/StaticCode.cpp
+++ b/OSX/libsecurity_codesigning/lib/StaticCode.cpp
@@ -1,5 +1,5 @@
 /*
 /*
- * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2006-2015 Apple Inc. All Rights Reserved.
  *
  * @APPLE_LICENSE_HEADER_START@
  *
  *
  * @APPLE_LICENSE_HEADER_START@
  *
@@ -27,31 +27,46 @@
 #include "StaticCode.h"
 #include "Code.h"
 #include "reqmaker.h"
 #include "StaticCode.h"
 #include "Code.h"
 #include "reqmaker.h"
+#if TARGET_OS_OSX
 #include "drmaker.h"
 #include "drmaker.h"
+#include "notarization.h"
+#endif
 #include "reqdumper.h"
 #include "reqparser.h"
 #include "sigblob.h"
 #include "resources.h"
 #include "detachedrep.h"
 #include "reqdumper.h"
 #include "reqparser.h"
 #include "sigblob.h"
 #include "resources.h"
 #include "detachedrep.h"
+#include "signerutils.h"
+#if TARGET_OS_OSX
 #include "csdatabase.h"
 #include "csdatabase.h"
+#endif
 #include "dirscanner.h"
 #include <CoreFoundation/CFURLAccess.h>
 #include <Security/SecPolicyPriv.h>
 #include <Security/SecTrustPriv.h>
 #include <Security/SecCertificatePriv.h>
 #include "dirscanner.h"
 #include <CoreFoundation/CFURLAccess.h>
 #include <Security/SecPolicyPriv.h>
 #include <Security/SecTrustPriv.h>
 #include <Security/SecCertificatePriv.h>
+#if TARGET_OS_OSX
 #include <Security/CMSPrivate.h>
 #include <Security/CMSPrivate.h>
+#endif
+#import <Security/SecCMS.h>
 #include <Security/SecCmsContentInfo.h>
 #include <Security/SecCmsSignerInfo.h>
 #include <Security/SecCmsSignedData.h>
 #include <Security/SecCmsContentInfo.h>
 #include <Security/SecCmsSignerInfo.h>
 #include <Security/SecCmsSignedData.h>
+#if TARGET_OS_OSX
 #include <Security/cssmapplePriv.h>
 #include <Security/cssmapplePriv.h>
+#endif
 #include <security_utilities/unix++.h>
 #include <security_utilities/cfmunge.h>
 #include <security_utilities/unix++.h>
 #include <security_utilities/cfmunge.h>
+#include <security_utilities/casts.h>
 #include <Security/CMSDecoder.h>
 #include <security_utilities/logging.h>
 #include <dirent.h>
 #include <Security/CMSDecoder.h>
 #include <security_utilities/logging.h>
 #include <dirent.h>
+#include <sys/xattr.h>
 #include <sstream>
 #include <IOKit/storage/IOStorageDeviceCharacteristics.h>
 #include <dispatch/private.h>
 #include <sstream>
 #include <IOKit/storage/IOStorageDeviceCharacteristics.h>
 #include <dispatch/private.h>
+#include <os/assumes.h>
+#include <regex.h>
 
 
 namespace Security {
 
 
 namespace Security {
@@ -86,18 +101,25 @@ static inline OSStatus errorForSlot(CodeDirectory::SpecialSlot slot)
 //
 // Construct a SecStaticCode object given a disk representation object
 //
 //
 // Construct a SecStaticCode object given a disk representation object
 //
-SecStaticCode::SecStaticCode(DiskRep *rep)
-       : mRep(rep),
+SecStaticCode::SecStaticCode(DiskRep *rep, uint32_t flags)
+       : mCheckfix30814861builder1(NULL),
+         mRep(rep),
          mValidated(false), mExecutableValidated(false), mResourcesValidated(false), mResourcesValidContext(NULL),
          mValidated(false), mExecutableValidated(false), mResourcesValidated(false), mResourcesValidContext(NULL),
-         mProgressQueue("com.apple.security.validation-progress", false, DISPATCH_QUEUE_PRIORITY_DEFAULT),
+         mProgressQueue("com.apple.security.validation-progress", false, QOS_CLASS_UNSPECIFIED),
          mOuterScope(NULL), mResourceScope(NULL),
          mOuterScope(NULL), mResourceScope(NULL),
-         mDesignatedReq(NULL), mGotResourceBase(false), mMonitor(NULL), mLimitedAsync(NULL), mEvalDetails(NULL)
+         mDesignatedReq(NULL), mGotResourceBase(false), mMonitor(NULL), mLimitedAsync(NULL),
+         mFlags(flags), mNotarizationChecked(false), mStaplingChecked(false), mNotarizationDate(NAN)
+#if TARGET_OS_OSX
+    , mEvalDetails(NULL)
+#else
+    , mTrustedSigningCertChain(false)
+#endif
+
 {
        CODESIGN_STATIC_CREATE(this, rep);
 {
        CODESIGN_STATIC_CREATE(this, rep);
-       CFRef<CFDataRef> codeDirectory = rep->codeDirectory();
-       if (codeDirectory && CFDataGetLength(codeDirectory) <= 0)
-               MacOSError::throwMe(errSecCSSignatureInvalid);
+#if TARGET_OS_OSX
        checkForSystemSignature();
        checkForSystemSignature();
+#endif
 }
 
 
 }
 
 
@@ -109,6 +131,7 @@ try {
        ::free(const_cast<Requirement *>(mDesignatedReq));
        delete mResourcesValidContext;
        delete mLimitedAsync;
        ::free(const_cast<Requirement *>(mDesignatedReq));
        delete mResourcesValidContext;
        delete mLimitedAsync;
+       delete mCheckfix30814861builder1;
 } catch (...) {
        return;
 }
 } catch (...) {
        return;
 }
@@ -161,7 +184,7 @@ CFTypeRef SecStaticCode::reportEvent(CFStringRef stage, CFDictionaryRef info)
 void SecStaticCode::prepareProgress(unsigned int workload)
 {
        dispatch_sync(mProgressQueue, ^{
 void SecStaticCode::prepareProgress(unsigned int workload)
 {
        dispatch_sync(mProgressQueue, ^{
-               mCancelPending = false;                 // not cancelled
+               mCancelPending = false;                 // not canceled
        });
        if (mValidationFlags & kSecCSReportProgress) {
                mCurrentWork = 0;                               // nothing done yet
        });
        if (mValidationFlags & kSecCSReportProgress) {
                mCurrentWork = 0;                               // nothing done yet
@@ -248,6 +271,7 @@ void SecStaticCode::detachedSignature(CFDataRef sigData)
 //
 void SecStaticCode::checkForSystemSignature()
 {
 //
 void SecStaticCode::checkForSystemSignature()
 {
+#if TARGET_OS_OSX
        if (!this->isSigned()) {
                SignatureDatabase db;
                if (db.isOpen())
        if (!this->isSigned()) {
                SignatureDatabase db;
                if (db.isOpen())
@@ -259,6 +283,9 @@ void SecStaticCode::checkForSystemSignature()
                        } catch (...) {
                        }
        }
                        } catch (...) {
                        }
        }
+#else
+    MacOSError::throwMe(errSecUnimplemented);
+#endif
 }
 
 
 }
 
 
@@ -319,6 +346,7 @@ void SecStaticCode::resetValidity()
                mResourcesValidContext = NULL;
        }
        mDir = NULL;
                mResourcesValidContext = NULL;
        }
        mDir = NULL;
+       mCodeDirectories.clear();
        mSignature = NULL;
        for (unsigned n = 0; n < cdSlotCount; n++)
                mCache[n] = NULL;
        mSignature = NULL;
        for (unsigned n = 0; n < cdSlotCount; n++)
                mCache[n] = NULL;
@@ -330,11 +358,18 @@ void SecStaticCode::resetValidity()
        mGotResourceBase = false;
        mTrust = NULL;
        mCertChain = NULL;
        mGotResourceBase = false;
        mTrust = NULL;
        mCertChain = NULL;
+       mNotarizationChecked = false;
+       mStaplingChecked = false;
+       mNotarizationDate = NAN;
+#if TARGET_OS_OSX
        mEvalDetails = NULL;
        mEvalDetails = NULL;
+#endif
        mRep->flush();
 
        mRep->flush();
 
+#if TARGET_OS_OSX
        // we may just have updated the system database, so check again
        checkForSystemSignature();
        // we may just have updated the system database, so check again
        checkForSystemSignature();
+#endif
 }
 
 
 }
 
 
@@ -356,7 +391,7 @@ CFDataRef SecStaticCode::component(CodeDirectory::SpecialSlot slot, OSStatus fai
                                        return NULL;
 
                                if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), // ... and it's no good
                                        return NULL;
 
                                if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), // ... and it's no good
-                                               CFDataGetLength(data), -slot))
+                                               CFDataGetLength(data), -slot, false))
                                        MacOSError::throwMe(errorForSlot(slot)); // ... then bail
                        }
                        cache = data;   // it's okay, cache it
                                        MacOSError::throwMe(errorForSlot(slot)); // ... then bail
                        }
                        cache = data;   // it's okay, cache it
@@ -371,20 +406,67 @@ CFDataRef SecStaticCode::component(CodeDirectory::SpecialSlot slot, OSStatus fai
 }
 
 
 }
 
 
+//
+// Get the CodeDirectories.
+// Throws (if check==true) or returns NULL (check==false) if there are none.
+// Always throws if the CodeDirectories exist but are invalid.
+// NEVER validates against the signature.
+//
+const SecStaticCode::CodeDirectoryMap *
+SecStaticCode::codeDirectories(bool check /* = true */) const
+{
+       if (mCodeDirectories.empty()) {
+               try {
+                       loadCodeDirectories(mCodeDirectories);
+               } catch (...) {
+                       if (check)
+                               throw;
+                       // We wanted a NON-checked peek and failed to safely decode the existing CodeDirectories.
+                       // Pretend this is unsigned, but make sure we didn't somehow cache an invalid CodeDirectory.
+                       if (!mCodeDirectories.empty()) {
+                               assert(false);
+                               Syslog::warning("code signing internal problem: mCodeDirectories set despite exception exit");
+                               MacOSError::throwMe(errSecCSInternalError);
+                       }
+               }
+       } else {
+               return &mCodeDirectories;
+       }
+       if (!mCodeDirectories.empty()) {
+               return &mCodeDirectories;
+       }
+       if (check) {
+               MacOSError::throwMe(errSecCSUnsigned);
+       }
+       return NULL;
+}
+
 //
 // Get the CodeDirectory.
 // Throws (if check==true) or returns NULL (check==false) if there is none.
 // Always throws if the CodeDirectory exists but is invalid.
 // NEVER validates against the signature.
 //
 //
 // Get the CodeDirectory.
 // Throws (if check==true) or returns NULL (check==false) if there is none.
 // Always throws if the CodeDirectory exists but is invalid.
 // NEVER validates against the signature.
 //
-const CodeDirectory *SecStaticCode::codeDirectory(bool check /* = true */)
+const CodeDirectory *SecStaticCode::codeDirectory(bool check /* = true */) const
 {
        if (!mDir) {
 {
        if (!mDir) {
-               if (mDir.take(mRep->codeDirectory())) {
-                       const CodeDirectory *dir = reinterpret_cast<const CodeDirectory *>(CFDataGetBytePtr(mDir));
-                       if (!dir->validateBlob(CFDataGetLength(mDir)))
-                               MacOSError::throwMe(errSecCSSignatureInvalid);
-                       dir->checkIntegrity();
+               // pick our favorite CodeDirectory from the choices we've got
+               try {
+                       CodeDirectoryMap const *candidates = codeDirectories(check);
+                       if (candidates != NULL) {
+                               CodeDirectory::HashAlgorithm type = CodeDirectory::bestHashOf(mHashAlgorithms);
+                               mDir = candidates->at(type);    // and the winner is...
+                       }
+               } catch (...) {
+                       if (check)
+                               throw;
+                       // We wanted a NON-checked peek and failed to safely decode the existing CodeDirectory.
+                       // Pretend this is unsigned, but make sure we didn't somehow cache an invalid CodeDirectory.
+                       if (mDir) {
+                               assert(false);
+                               Syslog::warning("code signing internal problem: mDir set despite exception exit");
+                               MacOSError::throwMe(errSecCSInternalError);
+                       }
                }
        }
        if (mDir)
                }
        }
        if (mDir)
@@ -395,6 +477,46 @@ const CodeDirectory *SecStaticCode::codeDirectory(bool check /* = true */)
 }
 
 
 }
 
 
+//
+// Fetch an array of all available CodeDirectories.
+// Returns false if unsigned (no classic CD slot), true otherwise.
+//
+bool SecStaticCode::loadCodeDirectories(CodeDirectoryMap& cdMap) const
+{
+       __block CodeDirectoryMap candidates;
+       __block CodeDirectory::HashAlgorithms hashAlgorithms;
+       __block CFRef<CFDataRef> baseDir;
+       auto add = ^bool (CodeDirectory::SpecialSlot slot){
+               CFRef<CFDataRef> cdData = diskRep()->component(slot);
+               if (!cdData)
+                       return false;
+               const CodeDirectory* cd = reinterpret_cast<const CodeDirectory*>(CFDataGetBytePtr(cdData));
+               if (!cd->validateBlob(CFDataGetLength(cdData)))
+                       MacOSError::throwMe(errSecCSSignatureFailed);   // no recovery - any suspect CD fails
+               cd->checkIntegrity();
+               auto result = candidates.insert(make_pair(cd->hashType, cdData.get()));
+               if (!result.second)
+                       MacOSError::throwMe(errSecCSSignatureInvalid);  // duplicate hashType, go to heck
+               hashAlgorithms.insert(cd->hashType);
+               if (slot == cdCodeDirectorySlot)
+                       baseDir = cdData;
+               return true;
+       };
+       if (!add(cdCodeDirectorySlot))
+               return false;           // no classic slot CodeDirectory -> unsigned
+       for (CodeDirectory::SpecialSlot slot = cdAlternateCodeDirectorySlots; slot < cdAlternateCodeDirectoryLimit; slot++)
+               if (!add(slot))         // no CodeDirectory at this slot -> end of alternates
+                       break;
+       if (candidates.empty())
+               MacOSError::throwMe(errSecCSSignatureFailed);           // no viable CodeDirectory in sight
+       // commit to cached values
+       cdMap.swap(candidates);
+       mHashAlgorithms.swap(hashAlgorithms);
+       mBaseDir = baseDir;
+       return true;
+}
+
+
 //
 // Get the hash of the CodeDirectory.
 // Returns NULL if there is none.
 //
 // Get the hash of the CodeDirectory.
 // Returns NULL if there is none.
@@ -409,6 +531,45 @@ CFDataRef SecStaticCode::cdHash()
        }
        return mCDHash;
 }
        }
        return mCDHash;
 }
+       
+       
+//
+// Get an array of the cdhashes for all digest types in this signature
+// The array is sorted by cd->hashType.
+//
+CFArrayRef SecStaticCode::cdHashes()
+{
+       if (!mCDHashes) {
+               CFRef<CFMutableArrayRef> cdList = makeCFMutableArray(0);
+               for (auto it = mCodeDirectories.begin(); it != mCodeDirectories.end(); ++it) {
+                       const CodeDirectory *cd = (const CodeDirectory *)CFDataGetBytePtr(it->second);
+                       if (CFRef<CFDataRef> hash = cd->cdhash())
+                               CFArrayAppendValue(cdList, hash);
+               }
+               mCDHashes = cdList.get();
+       }
+       return mCDHashes;
+}
+
+//
+// Get a dictionary of untruncated cdhashes for all digest types in this signature.
+//
+CFDictionaryRef SecStaticCode::cdHashesFull()
+{
+       if (!mCDHashFullDict) {
+               CFRef<CFMutableDictionaryRef> cdDict = makeCFMutableDictionary();
+               for (auto const &it : mCodeDirectories) {
+                       CodeDirectory::HashAlgorithm alg = it.first;
+                       const CodeDirectory *cd = (const CodeDirectory *)CFDataGetBytePtr(it.second);
+                       CFRef<CFDataRef> hash = cd->cdhash(false);
+                       if (hash) {
+                               CFDictionaryAddValue(cdDict, CFTempNumber(alg), hash);
+                       }
+               }
+               mCDHashFullDict = cdDict.get();
+       }
+       return mCDHashFullDict;
+}
 
 
 //
 
 
 //
@@ -452,12 +613,17 @@ void SecStaticCode::validateDirectory()
                        mValidationResult = err.osStatus();
                        throw;
                } catch (...) {
                        mValidationResult = err.osStatus();
                        throw;
                } catch (...) {
-                       secdebug("staticCode", "%p validation threw non-common exception", this);
+                       secinfo("staticCode", "%p validation threw non-common exception", this);
                        mValidated = true;
                        mValidated = true;
+                       Syslog::notice("code signing internal problem: unknown exception thrown by validation");
                        mValidationResult = errSecCSInternalError;
                        throw;
                }
        assert(validated());
                        mValidationResult = errSecCSInternalError;
                        throw;
                }
        assert(validated());
+    // XXX: Embedded doesn't have CSSMERR_TP_CERT_EXPIRED so we can't throw it
+    // XXX: This should be implemented for embedded once we implement
+    // XXX: verifySignature and see how we're going to handle expired certs
+#if TARGET_OS_OSX
        if (mValidationResult == errSecSuccess) {
                if (mValidationExpired)
                        if ((mValidationFlags & kSecCSConsiderExpiration)
        if (mValidationResult == errSecSuccess) {
                if (mValidationExpired)
                        if ((mValidationFlags & kSecCSConsiderExpiration)
@@ -465,6 +631,7 @@ void SecStaticCode::validateDirectory()
                                MacOSError::throwMe(CSSMERR_TP_CERT_EXPIRED);
        } else
                MacOSError::throwMe(mValidationResult);
                                MacOSError::throwMe(CSSMERR_TP_CERT_EXPIRED);
        } else
                MacOSError::throwMe(mValidationResult);
+#endif
 }
 
 
 }
 
 
@@ -484,6 +651,33 @@ void SecStaticCode::validateNonResourceComponents()
                        break;
                }
 }
                        break;
                }
 }
+       
+       
+//
+// Check that any "top index" sealed into the signature conforms to what's actually here.
+//
+void SecStaticCode::validateTopDirectory()
+{
+       assert(mDir);           // must already have loaded CodeDirectories
+       if (CFDataRef topDirectory = component(cdTopDirectorySlot)) {
+               const auto topData = (const Endian<uint32_t> *)CFDataGetBytePtr(topDirectory);
+               const auto topDataEnd = topData + CFDataGetLength(topDirectory) / sizeof(*topData);
+               std::vector<uint32_t> signedVector(topData, topDataEnd);
+               
+               std::vector<uint32_t> foundVector;
+               foundVector.push_back(cdCodeDirectorySlot);     // mandatory
+               for (CodeDirectory::Slot slot = 1; slot <= cdSlotMax; ++slot)
+                       if (component(slot))
+                               foundVector.push_back(slot);
+               int alternateCount = int(mCodeDirectories.size() - 1);          // one will go into cdCodeDirectorySlot
+               for (int n = 0; n < alternateCount; n++)
+                       foundVector.push_back(cdAlternateCodeDirectorySlots + n);
+               foundVector.push_back(cdSignatureSlot);         // mandatory (may be empty)
+               
+               if (signedVector != foundVector)
+                       MacOSError::throwMe(errSecCSSignatureFailed);
+       }
+}
 
 
 //
 
 
 //
@@ -506,9 +700,61 @@ CFAbsoluteTime SecStaticCode::signingTimestamp()
        return mSigningTimestamp;
 }
 
        return mSigningTimestamp;
 }
 
+#if TARGET_OS_OSX
+#define kSecSHA256HashSize 32
+// subject:/C=US/ST=California/L=San Jose/O=Adobe Systems Incorporated/OU=Information Systems/OU=Digital ID Class 3 - Microsoft Software Validation v2/CN=Adobe Systems Incorporated
+// issuer :/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Code Signing 2010 CA
+// Not Before: Dec 15 00:00:00 2010 GMT
+// Not After : Dec 14 23:59:59 2012 GMT
+static const unsigned char ASI_CS_12[] = {
+       0x77,0x82,0x9C,0x64,0x33,0x45,0x2E,0x4A,0xD3,0xA8,0xE4,0x6F,0x00,0x6C,0x27,0xEA,
+       0xFB,0xD3,0xF2,0x6D,0x50,0xF3,0x6F,0xE0,0xE9,0x6D,0x06,0x59,0x19,0xB5,0x46,0xFF
+};
+
+bool SecStaticCode::checkfix41082220(OSStatus cssmTrustResult)
+{
+       // only applicable to revoked results
+       if (cssmTrustResult != CSSMERR_TP_CERT_REVOKED) {
+               return false;
+       }
+
+       // only this leaf certificate
+       if (CFArrayGetCount(mCertChain) == 0) {
+               return false;
+       }
+       CFRef<CFDataRef> leafHash(SecCertificateCopySHA256Digest((SecCertificateRef)CFArrayGetValueAtIndex(mCertChain, 0)));
+       if (memcmp(ASI_CS_12, CFDataGetBytePtr(leafHash), kSecSHA256HashSize) != 0) {
+               return false;
+       }
+
+       // detached dmg signature
+       if (!isDetached() || format() != std::string("disk image")) {
+               return false;
+       }
+
+       // sha-1 signed
+       if (hashAlgorithms().size() != 1 || hashAlgorithm() != kSecCodeSignatureHashSHA1) {
+               return false;
+       }
+
+       // not a privileged binary - no TeamID and no entitlements
+       if (component(cdEntitlementSlot) || teamID()) {
+               return false;
+       }
+
+       // no flags and old version
+       if (codeDirectory()->version != 0x20100 || codeDirectory()->flags != 0) {
+               return false;
+       }
+
+       Security::Syslog::warning("CodeSigning: Check-fix enabled for dmg '%s' with identifier '%s' signed with revoked certificates",
+                                                         mainExecutablePath().c_str(), identifier().c_str());
+       return true;
+}
+#endif // TARGET_OS_OSX
 
 //
 
 //
-// Verify the CMS signature on the CodeDirectory.
+// Verify the CMS signature.
 // This performs the cryptographic tango. It returns if the signature is valid,
 // or throws if it is not. As a side effect, a successful return sets up the
 // cached certificate chain for future use.
 // This performs the cryptographic tango. It returns if the signature is valid,
 // or throws if it is not. As a side effect, a successful return sets up the
 // cached certificate chain for future use.
@@ -524,21 +770,22 @@ bool SecStaticCode::verifySignature()
        }
 
        DTRACK(CODESIGN_EVAL_STATIC_SIGNATURE, this, (char*)this->mainExecutablePath().c_str());
        }
 
        DTRACK(CODESIGN_EVAL_STATIC_SIGNATURE, this, (char*)this->mainExecutablePath().c_str());
-
+#if TARGET_OS_OSX
        // decode CMS and extract SecTrust for verification
        CFRef<CMSDecoderRef> cms;
        MacOSError::check(CMSDecoderCreate(&cms.aref())); // create decoder
        CFDataRef sig = this->signature();
        MacOSError::check(CMSDecoderUpdateMessage(cms, CFDataGetBytePtr(sig), CFDataGetLength(sig)));
        this->codeDirectory();  // load CodeDirectory (sets mDir)
        // decode CMS and extract SecTrust for verification
        CFRef<CMSDecoderRef> cms;
        MacOSError::check(CMSDecoderCreate(&cms.aref())); // create decoder
        CFDataRef sig = this->signature();
        MacOSError::check(CMSDecoderUpdateMessage(cms, CFDataGetBytePtr(sig), CFDataGetLength(sig)));
        this->codeDirectory();  // load CodeDirectory (sets mDir)
-       MacOSError::check(CMSDecoderSetDetachedContent(cms, mDir));
+       MacOSError::check(CMSDecoderSetDetachedContent(cms, mBaseDir));
        MacOSError::check(CMSDecoderFinalizeMessage(cms));
        MacOSError::check(CMSDecoderSetSearchKeychain(cms, cfEmptyArray()));
        MacOSError::check(CMSDecoderFinalizeMessage(cms));
        MacOSError::check(CMSDecoderSetSearchKeychain(cms, cfEmptyArray()));
-       CFRef<CFArrayRef> vf_policies = verificationPolicies();
-    CFRef<CFArrayRef> ts_policies = SecPolicyCreateAppleTimeStampingAndRevocationPolicies(vf_policies);
-    CMSSignerStatus status;
-    MacOSError::check(CMSDecoderCopySignerStatus(cms, 0, vf_policies,
-    false, &status, &mTrust.aref(), NULL));
+       CFRef<CFArrayRef> vf_policies(createVerificationPolicies());
+       CFRef<CFArrayRef> ts_policies(createTimeStampingAndRevocationPolicies());
+
+       CMSSignerStatus status;
+       MacOSError::check(CMSDecoderCopySignerStatus(cms, 0, vf_policies,
+                               false, &status, &mTrust.aref(), NULL));
 
        if (status != kCMSSignerValid) {
                const char *reason;
 
        if (status != kCMSSignerValid) {
                const char *reason;
@@ -555,6 +802,83 @@ bool SecStaticCode::verifySignature()
                MacOSError::throwMe(errSecCSSignatureFailed);
        }
 
                MacOSError::throwMe(errSecCSSignatureFailed);
        }
 
+       // retrieve auxiliary v1 data bag and verify against current state
+       CFRef<CFDataRef> hashAgilityV1;
+       switch (OSStatus rc = CMSDecoderCopySignerAppleCodesigningHashAgility(cms, 0, &hashAgilityV1.aref())) {
+       case noErr:
+               if (hashAgilityV1) {
+                       CFRef<CFDictionaryRef> hashDict = makeCFDictionaryFrom(hashAgilityV1);
+                       CFArrayRef cdList = CFArrayRef(CFDictionaryGetValue(hashDict, CFSTR("cdhashes")));
+                       CFArrayRef myCdList = this->cdHashes();
+
+                       /* Note that this is not very "agile": There's no way to calculate the exact
+                        * list for comparison if it contains hash algorithms we don't know yet... */
+                       if (cdList == NULL || !CFEqual(cdList, myCdList))
+                               MacOSError::throwMe(errSecCSSignatureFailed);
+               }
+               break;
+       case -1:        /* CMS used to return this for "no attribute found", so tolerate it. Now returning noErr/NULL */
+               break;
+       default:
+               MacOSError::throwMe(rc);
+       }
+
+       // retrieve auxiliary v2 data bag and verify against current state
+       CFRef<CFDictionaryRef> hashAgilityV2;
+       switch (OSStatus rc = CMSDecoderCopySignerAppleCodesigningHashAgilityV2(cms, 0, &hashAgilityV2.aref())) {
+               case noErr:
+                       if (hashAgilityV2) {
+                               /* Require number of code directoris and entries in the hash agility
+                                * dict to be the same size (no stripping out code directories).
+                                */
+                               if (CFDictionaryGetCount(hashAgilityV2) != mCodeDirectories.size()) {
+                                       MacOSError::throwMe(errSecCSSignatureFailed);
+                               }
+
+                               /* Require every cdhash of every code directory whose hash
+                                * algorithm we know to be in the agility dictionary.
+                                *
+                                * We check untruncated cdhashes here because we can.
+                                */
+                               bool foundOurs = false;
+                               for (auto& entry : mCodeDirectories) {
+                                       SECOidTag tag = CodeDirectorySet::SECOidTagForAlgorithm(entry.first);
+
+                                       if (tag == SEC_OID_UNKNOWN) {
+                                               // Unknown hash algorithm, ignore.
+                                               continue;
+                                       }
+
+                                       CFRef<CFNumberRef> key = makeCFNumber(int(tag));
+                                       CFRef<CFDataRef> entryCdhash;
+                                       entryCdhash = (CFDataRef)CFDictionaryGetValue(hashAgilityV2, (void*)key.get());
+
+                                       CodeDirectory const *cd = (CodeDirectory const*)CFDataGetBytePtr(entry.second);
+                                       CFRef<CFDataRef> ourCdhash = cd->cdhash(false); // Untruncated cdhash!
+                                       if (!CFEqual(entryCdhash, ourCdhash)) {
+                                               MacOSError::throwMe(errSecCSSignatureFailed);
+                                       }
+
+                                       if (entry.first == this->hashAlgorithm()) {
+                                               foundOurs = true;
+                                       }
+                               }
+
+                               /* Require the cdhash of our chosen code directory to be in the dictionary.
+                                * In theory, the dictionary could be full of unsupported cdhashes, but we
+                                * really want ours, which is bound to be supported, to be covered.
+                                */
+                               if (!foundOurs) {
+                                       MacOSError::throwMe(errSecCSSignatureFailed);
+                               }
+                       }
+                       break;
+               case -1:        /* CMS used to return this for "no attribute found", so tolerate it. Now returning noErr/NULL */
+                       break;
+               default:
+                       MacOSError::throwMe(rc);
+       }
+
        // internal signing time (as specified by the signer; optional)
        mSigningTime = 0;       // "not present" marker (nobody could code sign on Jan 1, 2001 :-)
        switch (OSStatus rc = CMSDecoderCopySignerSigningTime(cms, 0, &mSigningTime)) {
        // internal signing time (as specified by the signer; optional)
        mSigningTime = 0;       // "not present" marker (nobody could code sign on Jan 1, 2001 :-)
        switch (OSStatus rc = CMSDecoderCopySignerSigningTime(cms, 0, &mSigningTime)) {
@@ -581,13 +905,13 @@ bool SecStaticCode::verifySignature()
     if (mValidationFlags & kSecCSNoNetworkAccess) {
         MacOSError::check(SecTrustSetNetworkFetchAllowed(mTrust,false)); // no network?
     }
     if (mValidationFlags & kSecCSNoNetworkAccess) {
         MacOSError::check(SecTrustSetNetworkFetchAllowed(mTrust,false)); // no network?
     }
-    MacOSError::check(SecTrustSetKeychains(mTrust, cfEmptyArray())); // no keychains
-       
+    MacOSError::check(SecTrustSetKeychainsAllowed(mTrust, false));
+
        CSSM_APPLE_TP_ACTION_DATA actionData = {
                CSSM_APPLE_TP_ACTION_VERSION,   // version of data structure
                0       // action flags
        };
        CSSM_APPLE_TP_ACTION_DATA actionData = {
                CSSM_APPLE_TP_ACTION_VERSION,   // version of data structure
                0       // action flags
        };
-       
+
        if (!(mValidationFlags & kSecCSCheckTrustedAnchors)) {
                /* no need to evaluate anchor trust when building cert chain */
                MacOSError::check(SecTrustSetAnchorCertificates(mTrust, cfEmptyArray())); // no anchors
        if (!(mValidationFlags & kSecCSCheckTrustedAnchors)) {
                /* no need to evaluate anchor trust when building cert chain */
                MacOSError::check(SecTrustSetAnchorCertificates(mTrust, cfEmptyArray())); // no anchors
@@ -616,12 +940,13 @@ bool SecStaticCode::verifySignature()
                                        CFRef<CFStringRef> teamIDFromCD = CFStringCreateWithCString(NULL, teamID(), kCFStringEncodingUTF8);
                                        if (!teamIDFromCD) {
                                                Security::Syslog::error("Could not get team identifier (%s)", teamID());
                                        CFRef<CFStringRef> teamIDFromCD = CFStringCreateWithCString(NULL, teamID(), kCFStringEncodingUTF8);
                                        if (!teamIDFromCD) {
                                                Security::Syslog::error("Could not get team identifier (%s)", teamID());
-                                               MacOSError::throwMe(errSecCSInternalError);
+                                               MacOSError::throwMe(errSecCSInvalidTeamIdentifier);
                                        }
 
                                        if (CFStringCompare(teamIDFromCert, teamIDFromCD, 0) != kCFCompareEqualTo) {
                                        }
 
                                        if (CFStringCompare(teamIDFromCert, teamIDFromCD, 0) != kCFCompareEqualTo) {
-                                               Security::Syslog::error("Team identifier in the signing certificate (%s) does not match the team identifier (%s) in the code directory", cfString(teamIDFromCert).c_str(), teamID());
-                                               MacOSError::throwMe(errSecCSSignatureInvalid);
+                                               Security::Syslog::error("Team identifier in the signing certificate (%s) does not match the team identifier (%s) in the code directory",
+                                                                                               cfString(teamIDFromCert).c_str(), teamID());
+                                               MacOSError::throwMe(errSecCSBadTeamIdentifier);
                                        }
                                }
                        }
                                        }
                                }
                        }
@@ -651,6 +976,9 @@ bool SecStaticCode::verifySignature()
                                                continue;               // retry validation while tolerating expiration
                                        }
                                }
                                                continue;               // retry validation while tolerating expiration
                                        }
                                }
+                               if (checkfix41082220(result)) {
+                                       break; // success
+                               }
                                Security::Syslog::error("SecStaticCode: verification failed (trust result %d, error %d)", trustResult, (int)result);
                                MacOSError::throwMe(result);
                        }
                                Security::Syslog::error("SecStaticCode: verification failed (trust result %d, error %d)", trustResult, (int)result);
                                MacOSError::throwMe(result);
                        }
@@ -679,59 +1007,131 @@ bool SecStaticCode::verifySignature()
 
                return actionData.ActionFlags & CSSM_TP_ACTION_ALLOW_EXPIRED;
        }
 
                return actionData.ActionFlags & CSSM_TP_ACTION_ALLOW_EXPIRED;
        }
-}
+#else
+    // Do some pre-verification initialization
+    CFDataRef sig = this->signature();
+    this->codeDirectory();     // load CodeDirectory (sets mDir)
+    mSigningTime = 0;  // "not present" marker (nobody could code sign on Jan 1, 2001 :-)
+
+    CFRef<CFDictionaryRef> attrs;
+       CFRef<CFArrayRef> vf_policies(createVerificationPolicies());
+
+    // Verify the CMS signature against mBaseDir (SHA1)
+    MacOSError::check(SecCMSVerifyCopyDataAndAttributes(sig, mBaseDir, vf_policies, &mTrust.aref(), NULL, &attrs.aref()));
+
+    // Copy the signing time
+    mSigningTime = SecTrustGetVerifyTime(mTrust);
+
+    // Validate the cert chain
+    SecTrustResultType trustResult;
+    MacOSError::check(SecTrustEvaluate(mTrust, &trustResult));
+
+    // retrieve auxiliary data bag and verify against current state
+    CFRef<CFDataRef> hashBag;
+    hashBag = CFDataRef(CFDictionaryGetValue(attrs, kSecCMSHashAgility));
+    if (hashBag) {
+        CFRef<CFDictionaryRef> hashDict = makeCFDictionaryFrom(hashBag);
+        CFArrayRef cdList = CFArrayRef(CFDictionaryGetValue(hashDict, CFSTR("cdhashes")));
+        CFArrayRef myCdList = this->cdHashes();
+        if (cdList == NULL || !CFEqual(cdList, myCdList))
+            MacOSError::throwMe(errSecCSSignatureFailed);
+    }
 
 
+    /*
+     * Populate mCertChain with the certs.  If we failed validation, the
+     * signer's cert will be checked installed provisioning profiles as an
+     * alternative to verification against the policy for store-signed binaries
+     */
+    SecCertificateRef leafCert = SecTrustGetCertificateAtIndex(mTrust, 0);
+    if (leafCert != NULL) {
+        CFIndex count = SecTrustGetCertificateCount(mTrust);
+
+        CFMutableArrayRef certs = CFArrayCreateMutable(kCFAllocatorDefault, count,
+                                                       &kCFTypeArrayCallBacks);
+
+        CFArrayAppendValue(certs, leafCert);
+        for (CFIndex i = 1; i < count; ++i) {
+            CFArrayAppendValue(certs, SecTrustGetCertificateAtIndex(mTrust, i));
+        }
+        
+        mCertChain.take((CFArrayRef)certs);
+    }
+    
+    // Did we implicitly trust the signer?
+    mTrustedSigningCertChain = (trustResult == kSecTrustResultUnspecified || trustResult == kSecTrustResultProceed);
+
+    return false; // XXX: Not checking for expired certs
+#endif
+}
 
 
+#if TARGET_OS_OSX
 //
 // Return the TP policy used for signature verification.
 // This may be a simple SecPolicyRef or a CFArray of policies.
 // The caller owns the return value.
 //
 //
 // Return the TP policy used for signature verification.
 // This may be a simple SecPolicyRef or a CFArray of policies.
 // The caller owns the return value.
 //
-static SecPolicyRef makeCRLPolicy()
-{
-       CFRef<SecPolicyRef> policy;
-       MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_CRL, &policy.aref()));
-       CSSM_APPLE_TP_CRL_OPTIONS options;
-       memset(&options, 0, sizeof(options));
-       options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
-       options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET | CSSM_TP_ACTION_CRL_SUFFICIENT;
-       CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
-       MacOSError::check(SecPolicySetValue(policy, &optData));
-       return policy.yield();
-}
-
-static SecPolicyRef makeOCSPPolicy()
+static SecPolicyRef makeRevocationPolicy(CFOptionFlags flags)
 {
 {
-       CFRef<SecPolicyRef> policy;
-       MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_OCSP, &policy.aref()));
-       CSSM_APPLE_TP_OCSP_OPTIONS options;
-       memset(&options, 0, sizeof(options));
-       options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
-       options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
-       CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
-       MacOSError::check(SecPolicySetValue(policy, &optData));
+       CFRef<SecPolicyRef> policy(SecPolicyCreateRevocation(flags));
        return policy.yield();
 }
        return policy.yield();
 }
+#endif
 
 
-CFArrayRef SecStaticCode::verificationPolicies()
+CFArrayRef SecStaticCode::createVerificationPolicies()
 {
 {
+       if (mValidationFlags & kSecCSUseSoftwareSigningCert) {
+               CFRef<SecPolicyRef> ssRef = SecPolicyCreateAppleSoftwareSigning();
+               return makeCFArray(1, ssRef.get());
+       }
+#if TARGET_OS_OSX
        CFRef<SecPolicyRef> core;
        MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3,
        CFRef<SecPolicyRef> core;
        MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3,
-                       &CSSMOID_APPLE_TP_CODE_SIGNING, &core.aref()));
-    if (mValidationFlags & kSecCSNoNetworkAccess) {
-        // Skips all revocation since they require network connectivity
-        // therefore annihilates kSecCSEnforceRevocationChecks if present
-        CFRef<SecPolicyRef> no_revoc = SecPolicyCreateRevocation(kSecRevocationNetworkAccessDisabled);
-        return makeCFArray(2, core.get(), no_revoc.get());
-    }
+                                                                       &CSSMOID_APPLE_TP_CODE_SIGNING, &core.aref()));
+       if (mValidationFlags & kSecCSNoNetworkAccess) {
+               // Skips all revocation since they require network connectivity
+               // therefore annihilates kSecCSEnforceRevocationChecks if present
+               CFRef<SecPolicyRef> no_revoc = makeRevocationPolicy(kSecRevocationNetworkAccessDisabled);
+               return makeCFArray(2, core.get(), no_revoc.get());
+       }
        else if (mValidationFlags & kSecCSEnforceRevocationChecks) {
        else if (mValidationFlags & kSecCSEnforceRevocationChecks) {
-        // Add CRL and OCSPPolicies
-               CFRef<SecPolicyRef> crl = makeCRLPolicy();
-               CFRef<SecPolicyRef> ocsp = makeOCSPPolicy();
-               return makeCFArray(3, core.get(), crl.get(), ocsp.get());
+               // Add CRL and OCSP policies
+               CFRef<SecPolicyRef> revoc = makeRevocationPolicy(kSecRevocationUseAnyAvailableMethod);
+               return makeCFArray(2, core.get(), revoc.get());
        } else {
                return makeCFArray(1, core.get());
        }
        } else {
                return makeCFArray(1, core.get());
        }
+#elif TARGET_OS_TV
+       CFRef<SecPolicyRef> tvOSRef = SecPolicyCreateAppleTVOSApplicationSigning();
+       return makeCFArray(1, tvOSRef.get());
+#else
+       CFRef<SecPolicyRef> iOSRef = SecPolicyCreateiPhoneApplicationSigning();
+       return makeCFArray(1, iOSRef.get());
+#endif
+
+}
+
+CFArrayRef SecStaticCode::createTimeStampingAndRevocationPolicies()
+{
+       CFRef<SecPolicyRef> tsPolicy = SecPolicyCreateAppleTimeStamping();
+#if TARGET_OS_OSX
+       if (mValidationFlags & kSecCSNoNetworkAccess) {
+               // Skips all revocation since they require network connectivity
+               // therefore annihilates kSecCSEnforceRevocationChecks if present
+               CFRef<SecPolicyRef> no_revoc = makeRevocationPolicy(kSecRevocationNetworkAccessDisabled);
+               return makeCFArray(2, tsPolicy.get(), no_revoc.get());
+       }
+       else if (mValidationFlags & kSecCSEnforceRevocationChecks) {
+               // Add CRL and OCSP policies
+               CFRef<SecPolicyRef> revoc = makeRevocationPolicy(kSecRevocationUseAnyAvailableMethod);
+               return makeCFArray(2, tsPolicy.get(), revoc.get());
+       }
+       else {
+               return makeCFArray(1, tsPolicy.get());
+       }
+#else
+       return makeCFArray(1, tsPolicy.get());
+#endif
+
 }
 
 
 }
 
 
@@ -749,7 +1149,7 @@ void SecStaticCode::validateComponent(CodeDirectory::SpecialSlot slot, OSStatus
                if (codeDirectory()->slotIsPresent(-slot)) // was supposed to be there...
                                MacOSError::throwMe(fail);      // ... and is missing
        } else {
                if (codeDirectory()->slotIsPresent(-slot)) // was supposed to be there...
                                MacOSError::throwMe(fail);      // ... and is missing
        } else {
-               if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), CFDataGetLength(data), -slot))
+               if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), CFDataGetLength(data), -slot, false))
                        MacOSError::throwMe(fail);
        }
 }
                        MacOSError::throwMe(fail);
        }
 }
@@ -776,15 +1176,25 @@ void SecStaticCode::validateExecutable()
                        if (Universal *fat = mRep->mainExecutableImage())
                                fd.seek(fat->archOffset());
                        size_t pageSize = cd->pageSize ? (1 << cd->pageSize) : 0;
                        if (Universal *fat = mRep->mainExecutableImage())
                                fd.seek(fat->archOffset());
                        size_t pageSize = cd->pageSize ? (1 << cd->pageSize) : 0;
-                       size_t remaining = cd->codeLimit;
+                       size_t remaining = cd->signingLimit();
                        for (uint32_t slot = 0; slot < cd->nCodeSlots; ++slot) {
                        for (uint32_t slot = 0; slot < cd->nCodeSlots; ++slot) {
-                               size_t size = min(remaining, pageSize);
-                               if (!cd->validateSlot(fd, size, slot)) {
+                               size_t thisPage = remaining;
+                               if (pageSize)
+                                       thisPage = min(thisPage, pageSize);
+                               __block bool good = true;
+                               CodeDirectory::multipleHashFileData(fd, thisPage, hashAlgorithms(), ^(CodeDirectory::HashAlgorithm type, Security::DynamicHash *hasher) {
+                                       const CodeDirectory* cd = (const CodeDirectory*)CFDataGetBytePtr(mCodeDirectories[type]);
+                                       if (!hasher->verify(cd->getSlot(slot,
+                                                                                                       mValidationFlags & kSecCSValidatePEH)))
+                                               good = false;
+                               });
+                               if (!good) {
                                        CODESIGN_EVAL_STATIC_EXECUTABLE_FAIL(this, (int)slot);
                                        MacOSError::throwMe(errSecCSSignatureFailed);
                                }
                                        CODESIGN_EVAL_STATIC_EXECUTABLE_FAIL(this, (int)slot);
                                        MacOSError::throwMe(errSecCSSignatureFailed);
                                }
-                               remaining -= size;
+                               remaining -= thisPage;
                        }
                        }
+                       assert(remaining == 0);
                        mExecutableValidated = true;
                        mExecutableValidResult = errSecSuccess;
                } catch (const CommonError &err) {
                        mExecutableValidated = true;
                        mExecutableValidResult = errSecSuccess;
                } catch (const CommonError &err) {
@@ -792,9 +1202,10 @@ void SecStaticCode::validateExecutable()
                        mExecutableValidResult = err.osStatus();
                        throw;
                } catch (...) {
                        mExecutableValidResult = err.osStatus();
                        throw;
                } catch (...) {
-                       secdebug("staticCode", "%p executable validation threw non-common exception", this);
+                       secinfo("staticCode", "%p executable validation threw non-common exception", this);
                        mExecutableValidated = true;
                        mExecutableValidResult = errSecCSInternalError;
                        mExecutableValidated = true;
                        mExecutableValidResult = errSecCSInternalError;
+                       Syslog::notice("code signing internal problem: unknown exception thrown by validation");
                        throw;
                }
        }
                        throw;
                }
        }
@@ -832,22 +1243,17 @@ void SecStaticCode::validateResources(SecCSFlags flags)
 
        if (doit) {
                if (mLimitedAsync == NULL) {
 
        if (doit) {
                if (mLimitedAsync == NULL) {
-                       mLimitedAsync = new LimitedAsync(diskRep()->fd().mediumType() == kIOPropertyMediumTypeSolidStateKey);
+                       bool runMultiThreaded = ((flags & kSecCSSingleThreaded) == kSecCSSingleThreaded) ? false :
+                                       (diskRep()->fd().mediumType() == kIOPropertyMediumTypeSolidStateKey);
+                       mLimitedAsync = new LimitedAsync(runMultiThreaded);
                }
 
                try {
                }
 
                try {
-                       // sanity first
-                       CFDictionaryRef sealedResources = resourceDictionary();
-                       if (this->resourceBase())       // disk has resources
-                               if (sealedResources)
-                                       /* go to work below */;
-                               else
-                                       MacOSError::throwMe(errSecCSResourcesNotFound);
-                       else                                                    // disk has no resources
-                               if (sealedResources)
-                                       MacOSError::throwMe(errSecCSResourcesNotFound);
-                               else
-                                       return;                                 // no resources, not sealed - fine (no work)
+                       CFDictionaryRef rules;
+                       CFDictionaryRef files;
+                       uint32_t version;
+                       if (!loadResources(rules, files, version))
+                               return;         // validly no resources; nothing to do (ok)
 
                        // found resources, and they are sealed
                        DTRACK(CODESIGN_EVAL_STATIC_RESOURCES, this,
 
                        // found resources, and they are sealed
                        DTRACK(CODESIGN_EVAL_STATIC_RESOURCES, this,
@@ -856,22 +1262,6 @@ void SecStaticCode::validateResources(SecCSFlags flags)
                        // scan through the resources on disk, checking each against the resourceDirectory
                        mResourcesValidContext = new CollectingContext(*this);          // collect all failures in here
 
                        // scan through the resources on disk, checking each against the resourceDirectory
                        mResourcesValidContext = new CollectingContext(*this);          // collect all failures in here
 
-                       // use V2 resource seal if available, otherwise fall back to V1
-                       CFDictionaryRef rules;
-                       CFDictionaryRef files;
-                       uint32_t version;
-                       if (CFDictionaryGetValue(sealedResources, CFSTR("files2"))) {   // have V2 signature
-                               rules = cfget<CFDictionaryRef>(sealedResources, "rules2");
-                               files = cfget<CFDictionaryRef>(sealedResources, "files2");
-                               version = 2;
-                       } else {        // only V1 available
-                               rules = cfget<CFDictionaryRef>(sealedResources, "rules");
-                               files = cfget<CFDictionaryRef>(sealedResources, "files");
-                               version = 1;
-                       }
-                       if (!rules || !files)
-                               MacOSError::throwMe(errSecCSResourcesInvalid);
-
                        // check for weak resource rules
                        bool strict = flags & kSecCSStrictValidate;
                        if (strict) {
                        // check for weak resource rules
                        bool strict = flags & kSecCSStrictValidate;
                        if (strict) {
@@ -889,7 +1279,7 @@ void SecStaticCode::validateResources(SecCSFlags flags)
                        // scan through the resources on disk, checking each against the resourceDirectory
                        __block CFRef<CFMutableDictionaryRef> resourceMap = makeCFMutableDictionary(files);
                        string base = cfString(this->resourceBase());
                        // scan through the resources on disk, checking each against the resourceDirectory
                        __block CFRef<CFMutableDictionaryRef> resourceMap = makeCFMutableDictionary(files);
                        string base = cfString(this->resourceBase());
-                       ResourceBuilder resources(base, base, rules, codeDirectory()->hashType, strict, mTolerateErrors);
+                       ResourceBuilder resources(base, base, rules, strict, mTolerateErrors);
                        this->mResourceScope = &resources;
                        diskRep()->adjustResources(resources);
 
                        this->mResourceScope = &resources;
                        diskRep()->adjustResources(resources);
 
@@ -908,7 +1298,7 @@ void SecStaticCode::validateResources(SecCSFlags flags)
 
                        unsigned leftovers = unsigned(CFDictionaryGetCount(resourceMap));
                        if (leftovers > 0) {
 
                        unsigned leftovers = unsigned(CFDictionaryGetCount(resourceMap));
                        if (leftovers > 0) {
-                               secdebug("staticCode", "%d sealed resource(s) not found in code", int(leftovers));
+                               secinfo("staticCode", "%d sealed resource(s) not found in code", int(leftovers));
                                CFDictionaryApplyFunction(resourceMap, SecStaticCode::checkOptionalResource, mResourcesValidContext);
                        }
 
                                CFDictionaryApplyFunction(resourceMap, SecStaticCode::checkOptionalResource, mResourcesValidContext);
                        }
 
@@ -923,10 +1313,11 @@ void SecStaticCode::validateResources(SecCSFlags flags)
                        mResourcesValidResult = err.osStatus();
                        throw;
                } catch (...) {
                        mResourcesValidResult = err.osStatus();
                        throw;
                } catch (...) {
-                       secdebug("staticCode", "%p executable validation threw non-common exception", this);
+                       secinfo("staticCode", "%p executable validation threw non-common exception", this);
                        mResourcesValidated = true;
                        mResourcesDeep = flags & kSecCSCheckNestedCode;
                        mResourcesValidResult = errSecCSInternalError;
                        mResourcesValidated = true;
                        mResourcesDeep = flags & kSecCSCheckNestedCode;
                        mResourcesValidResult = errSecCSInternalError;
+                       Syslog::notice("code signing internal problem: unknown exception thrown by validation");
                        throw;
                }
        }
                        throw;
                }
        }
@@ -938,6 +1329,38 @@ void SecStaticCode::validateResources(SecCSFlags flags)
 }
 
 
 }
 
 
+bool SecStaticCode::loadResources(CFDictionaryRef& rules, CFDictionaryRef& files, uint32_t& version)
+{
+       // sanity first
+       CFDictionaryRef sealedResources = resourceDictionary();
+       if (this->resourceBase()) {     // disk has resources
+               if (sealedResources)
+                       /* go to work below */;
+               else
+                       MacOSError::throwMe(errSecCSResourcesNotFound);
+       } else {                                                        // disk has no resources
+               if (sealedResources)
+                       MacOSError::throwMe(errSecCSResourcesNotFound);
+               else
+                       return false;                                   // no resources, not sealed - fine (no work)
+       }
+       
+       // use V2 resource seal if available, otherwise fall back to V1
+       if (CFDictionaryGetValue(sealedResources, CFSTR("files2"))) {   // have V2 signature
+               rules = cfget<CFDictionaryRef>(sealedResources, "rules2");
+               files = cfget<CFDictionaryRef>(sealedResources, "files2");
+               version = 2;
+       } else {        // only V1 available
+               rules = cfget<CFDictionaryRef>(sealedResources, "rules");
+               files = cfget<CFDictionaryRef>(sealedResources, "files");
+               version = 1;
+       }
+       if (!rules || !files)
+               MacOSError::throwMe(errSecCSResourcesInvalid);
+       return true;
+}
+       
+
 void SecStaticCode::checkOptionalResource(CFTypeRef key, CFTypeRef value, void *context)
 {
        ValidationContext *ctx = static_cast<ValidationContext *>(context);
 void SecStaticCode::checkOptionalResource(CFTypeRef key, CFTypeRef value, void *context)
 {
        ValidationContext *ctx = static_cast<ValidationContext *>(context);
@@ -969,8 +1392,10 @@ bool SecStaticCode::hasWeakResourceRules(CFDictionaryRef rulesDict, uint32_t ver
 {
        // compute allowed omissions
        CFRef<CFArrayRef> defaultOmissions = this->diskRep()->allowedResourceOmissions();
 {
        // compute allowed omissions
        CFRef<CFArrayRef> defaultOmissions = this->diskRep()->allowedResourceOmissions();
-       if (!defaultOmissions)
+       if (!defaultOmissions) {
+               Syslog::notice("code signing internal problem: diskRep returned no allowedResourceOmissions");
                MacOSError::throwMe(errSecCSInternalError);
                MacOSError::throwMe(errSecCSInternalError);
+       }
        CFRef<CFMutableArrayRef> allowed = CFArrayCreateMutableCopy(NULL, 0, defaultOmissions);
        if (allowedOmissions)
                CFArrayAppendArray(allowed, allowedOmissions, CFRangeMake(0, CFArrayGetCount(allowedOmissions)));
        CFRef<CFMutableArrayRef> allowed = CFArrayCreateMutableCopy(NULL, 0, defaultOmissions);
        if (allowedOmissions)
                CFArrayAppendArray(allowed, allowedOmissions, CFRangeMake(0, CFArrayGetCount(allowedOmissions)));
@@ -1003,7 +1428,7 @@ CFDictionaryRef SecStaticCode::infoDictionary()
 {
        if (!mInfoDict) {
                mInfoDict.take(getDictionary(cdInfoSlot, errSecCSInfoPlistFailed));
 {
        if (!mInfoDict) {
                mInfoDict.take(getDictionary(cdInfoSlot, errSecCSInfoPlistFailed));
-               secdebug("staticCode", "%p loaded InfoDict %p", this, mInfoDict.get());
+               secinfo("staticCode", "%p loaded InfoDict %p", this, mInfoDict.get());
        }
        return mInfoDict;
 }
        }
        return mInfoDict;
 }
@@ -1017,7 +1442,7 @@ CFDictionaryRef SecStaticCode::entitlements()
                        const EntitlementBlob *blob = reinterpret_cast<const EntitlementBlob *>(CFDataGetBytePtr(entitlementData));
                        if (blob->validateBlob()) {
                                mEntitlements.take(blob->entitlements());
                        const EntitlementBlob *blob = reinterpret_cast<const EntitlementBlob *>(CFDataGetBytePtr(entitlementData));
                        if (blob->validateBlob()) {
                                mEntitlements.take(blob->entitlements());
-                               secdebug("staticCode", "%p loaded Entitlements %p", this, mEntitlements.get());
+                               secinfo("staticCode", "%p loaded Entitlements %p", this, mEntitlements.get());
                        }
                        // we do not consider a different blob type to be an error. We think it's a new format we don't understand
                }
                        }
                        // we do not consider a different blob type to be an error. We think it's a new format we don't understand
                }
@@ -1031,13 +1456,31 @@ CFDictionaryRef SecStaticCode::resourceDictionary(bool check /* = true */)
                return mResourceDict;
        if (CFRef<CFDictionaryRef> dict = getDictionary(cdResourceDirSlot, check))
                if (cfscan(dict, "{rules=%Dn,files=%Dn}")) {
                return mResourceDict;
        if (CFRef<CFDictionaryRef> dict = getDictionary(cdResourceDirSlot, check))
                if (cfscan(dict, "{rules=%Dn,files=%Dn}")) {
-                       secdebug("staticCode", "%p loaded ResourceDict %p",
+                       secinfo("staticCode", "%p loaded ResourceDict %p",
                                this, mResourceDict.get());
                        return mResourceDict = dict;
                }
        // bad format
        return NULL;
 }
                                this, mResourceDict.get());
                        return mResourceDict = dict;
                }
        // bad format
        return NULL;
 }
+       
+       
+CFDataRef SecStaticCode::copyComponent(CodeDirectory::SpecialSlot slot, CFDataRef hash)
+{
+       const CodeDirectory* cd = this->codeDirectory();
+       if (CFCopyRef<CFDataRef> component = this->component(slot)) {
+               if (hash) {
+                       const void *slotHash = cd->getSlot(slot, false);
+                       if (cd->hashSize != CFDataGetLength(hash) || 0 != memcmp(slotHash, CFDataGetBytePtr(hash), cd->hashSize)) {
+                               Syslog::notice("copyComponent hash mismatch slot %d length %d", slot, int(CFDataGetLength(hash)));
+                               return NULL;    // mismatch
+                       }
+               }
+               return component.yield();
+       }
+       return NULL;
+}
+
 
 
 //
 
 
 //
@@ -1075,57 +1518,84 @@ CFDictionaryRef SecStaticCode::getDictionary(CodeDirectory::SpecialSlot slot, bo
        return NULL;
 }
 
        return NULL;
 }
 
-
 //
 //
-// Load, validate, and return a sealed resource.
-// The resource data (loaded in to memory as a blob) is returned and becomes
-// the responsibility of the caller; it is NOT cached by SecStaticCode.
 //
 //
-// A resource that is not sealed will not be returned, and an error will be thrown.
-// A missing resource will cause an error unless it's marked optional in the Directory.
-// Under no circumstances will a corrupt resource be returned.
-// NULL will only be returned for a resource that is neither sealed nor present
-// (or that is sealed, absent, and marked optional).
-// If the ResourceDictionary itself is not sealed, this function will always fail.
 //
 //
-// There is currently no interface for partial retrieval of the resource data.
-// (Since the ResourceDirectory does not currently support segmentation, all the
-// data would have to be read anyway, but it could be read into a reusable buffer.)
-//
-CFDataRef SecStaticCode::resource(string path, ValidationContext &ctx)
+CFDictionaryRef SecStaticCode::diskRepInformation()
 {
 {
-       if (CFDictionaryRef rdict = resourceDictionary()) {
-               if (CFTypeRef file = cfget(rdict, "files.%s", path.c_str())) {
-                       ResourceSeal seal = file;
-                       if (!resourceBase())    // no resources in DiskRep
-                               MacOSError::throwMe(errSecCSResourcesNotFound);
-                       if (seal.nested())
-                               MacOSError::throwMe(errSecCSResourcesNotSealed);        // (it's nested code)
-                       CFRef<CFURLRef> fullpath = makeCFURL(path, false, resourceBase());
-                       if (CFRef<CFDataRef> data = cfLoadFile(fullpath)) {
-                               MakeHash<CodeDirectory> hasher(this->codeDirectory());
-                               hasher->update(CFDataGetBytePtr(data), CFDataGetLength(data));
-                               if (hasher->verify(seal.hash()))
-                                       return data.yield();    // good
-                               else
-                                       ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered
-                       } else {
-                               if (!seal.optional())
-                                       ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, fullpath); // was sealed but is now missing
-                               else
-                                       return NULL;    // validly missing
-                       }
-               } else
-                       ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAdded, CFTempURL(path, false, resourceBase()));
-               return NULL;
-       } else
-               MacOSError::throwMe(errSecCSResourcesNotSealed);
+       return mRep->diskRepInformation();
 }
 
 }
 
-CFDataRef SecStaticCode::resource(string path)
-{
-       ValidationContext ctx(*this);
-       return resource(path, ctx);
+bool SecStaticCode::checkfix30814861(string path, bool addition) {
+       // <rdar://problem/30814861> v2 resource rules don't match v1 resource rules
+
+       //// Condition 1: Is the app an iOS app that was built with an SDK lower than 9.0?
+
+       // We started signing correctly in 2014, 9.0 was first seeded mid-2016.
+
+       CFRef<CFDictionaryRef> inf = diskRepInformation();
+       try {
+               CFDictionary info(diskRepInformation(), errSecCSNotSupported);
+               uint32_t platform =
+                       cfNumber(info.get<CFNumberRef>(kSecCodeInfoDiskRepVersionPlatform, errSecCSNotSupported), 0);
+               uint32_t sdkVersion =
+                       cfNumber(info.get<CFNumberRef>(kSecCodeInfoDiskRepVersionSDK, errSecCSNotSupported), 0);
+
+               if (platform != PLATFORM_IOS || sdkVersion >= 0x00090000) {
+                       return false;
+               }
+       } catch (const MacOSError &error) {
+               return false;
+       }
+
+       //// Condition 2: Is it a .sinf/.supf/.supp file at the right location?
+
+       static regex_t pathre_sinf;
+       static regex_t pathre_supp_supf;
+       static dispatch_once_t once;
+
+       dispatch_once(&once, ^{
+               os_assert_zero(regcomp(&pathre_sinf,
+                                                          "^(Frameworks/[^/]+\\.framework/|PlugIns/[^/]+\\.appex/|())SC_Info/[^/]+\\.sinf$",
+                                                          REG_EXTENDED | REG_NOSUB));
+               os_assert_zero(regcomp(&pathre_supp_supf,
+                                                          "^(Frameworks/[^/]+\\.framework/|PlugIns/[^/]+\\.appex/|())SC_Info/[^/]+\\.(supf|supp)$",
+                                                          REG_EXTENDED | REG_NOSUB));
+       });
+
+       // .sinf is added, .supf/.supp are modified.
+       const regex_t &pathre = addition ? pathre_sinf : pathre_supp_supf;
+
+       const int result = regexec(&pathre, path.c_str(), 0, NULL, 0);
+
+       if (result == REG_NOMATCH) {
+               return false;
+       } else if (result != 0) {
+               // Huh?
+               secerror("unexpected regexec result %d for path '%s'", result, path.c_str());
+               return false;
+       }
+
+       //// Condition 3: Do the v1 rules actually exclude the file?
+
+       dispatch_once(&mCheckfix30814861builder1_once, ^{
+               // Create the v1 resource builder lazily.
+               CFDictionaryRef rules1 = cfget<CFDictionaryRef>(resourceDictionary(), "rules");
+               const string base = cfString(resourceBase());
+
+               mCheckfix30814861builder1 = new ResourceBuilder(base, base, rules1, false, mTolerateErrors);
+       });
+
+       ResourceBuilder::Rule const * const matchingRule = mCheckfix30814861builder1->findRule(path);
+
+       if (matchingRule == NULL || !(matchingRule->flags & ResourceBuilder::omitted)) {
+               return false;
+       }
+
+       //// All matched, this file is a check-fixed sinf/supf/supp.
+
+       return true;
+
 }
 
 void SecStaticCode::validateResource(CFDictionaryRef files, string path, bool isSymlink, ValidationContext &ctx, SecCSFlags flags, uint32_t version)
 }
 
 void SecStaticCode::validateResource(CFDictionaryRef files, string path, bool isSymlink, ValidationContext &ctx, SecCSFlags flags, uint32_t version)
@@ -1133,8 +1603,14 @@ void SecStaticCode::validateResource(CFDictionaryRef files, string path, bool is
        if (!resourceBase())    // no resources in DiskRep
                MacOSError::throwMe(errSecCSResourcesNotFound);
        CFRef<CFURLRef> fullpath = makeCFURL(path, false, resourceBase());
        if (!resourceBase())    // no resources in DiskRep
                MacOSError::throwMe(errSecCSResourcesNotFound);
        CFRef<CFURLRef> fullpath = makeCFURL(path, false, resourceBase());
+       if (version > 1 && ((flags & (kSecCSStrictValidate|kSecCSRestrictSidebandData)) == (kSecCSStrictValidate|kSecCSRestrictSidebandData))) {
+               AutoFileDesc fd(cfString(fullpath));
+               if (fd.hasExtendedAttribute(XATTR_RESOURCEFORK_NAME) || fd.hasExtendedAttribute(XATTR_FINDERINFO_NAME))
+                       ctx.reportProblem(errSecCSInvalidAssociatedFileData, kSecCFErrorResourceSideband, fullpath);
+       }
        if (CFTypeRef file = CFDictionaryGetValue(files, CFTempString(path))) {
        if (CFTypeRef file = CFDictionaryGetValue(files, CFTempString(path))) {
-               ResourceSeal seal = file;
+               ResourceSeal seal(file);
+               const ResourceSeal& rseal = seal;
                if (seal.nested()) {
                        if (isSymlink)
                                return ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type
                if (seal.nested()) {
                        if (isSymlink)
                                return ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type
@@ -1146,17 +1622,23 @@ void SecStaticCode::validateResource(CFDictionaryRef files, string path, bool is
                        if (!isSymlink)
                                return ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type
                        validateSymlinkResource(cfString(fullpath), cfString(seal.link()), ctx, flags);
                        if (!isSymlink)
                                return ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type
                        validateSymlinkResource(cfString(fullpath), cfString(seal.link()), ctx, flags);
-               } else if (seal.hash()) {       // genuine file
+               } else if (seal.hash(hashAlgorithm())) {        // genuine file
                        if (isSymlink)
                                return ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type
                        AutoFileDesc fd(cfString(fullpath), O_RDONLY, FileDesc::modeMissingOk); // open optional file
                        if (fd) {
                        if (isSymlink)
                                return ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type
                        AutoFileDesc fd(cfString(fullpath), O_RDONLY, FileDesc::modeMissingOk); // open optional file
                        if (fd) {
-                               MakeHash<CodeDirectory> hasher(this->codeDirectory());
-                               hashFileData(fd, hasher.get());
-                               if (hasher->verify(seal.hash()))
-                                       return;                 // verify good
-                               else
-                                       ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered
+                               __block bool good = true;
+                               CodeDirectory::multipleHashFileData(fd, 0, hashAlgorithms(), ^(CodeDirectory::HashAlgorithm type, Security::DynamicHash *hasher) {
+                                       if (!hasher->verify(rseal.hash(type)))
+                                               good = false;
+                               });
+                               if (!good) {
+                                       if (version == 2 && checkfix30814861(path, false)) {
+                                               secinfo("validateResource", "%s check-fixed (altered).", path.c_str());
+                                       } else {
+                                               ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered
+                                       }
+                               }
                        } else {
                                if (!seal.optional())
                                        ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, fullpath); // was sealed but is now missing
                        } else {
                                if (!seal.optional())
                                        ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, fullpath); // was sealed but is now missing
@@ -1172,7 +1654,29 @@ void SecStaticCode::validateResource(CFDictionaryRef files, string path, bool is
                if (::readlink(cfString(fullpath).c_str(), target, sizeof(target)) > 0)
                        return;
        }
                if (::readlink(cfString(fullpath).c_str(), target, sizeof(target)) > 0)
                        return;
        }
-       ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAdded, CFTempURL(path, false, resourceBase()));
+       if (version == 2 && checkfix30814861(path, true)) {
+               secinfo("validateResource", "%s check-fixed (added).", path.c_str());
+       } else {
+               ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAdded, CFTempURL(path, false, resourceBase()));
+       }
+}
+
+void SecStaticCode::validatePlainMemoryResource(string path, CFDataRef fileData, SecCSFlags flags)
+{
+       CFDictionaryRef rules;
+       CFDictionaryRef files;
+       uint32_t version;
+       if (!loadResources(rules, files, version))
+               MacOSError::throwMe(errSecCSResourcesNotFound);         // no resources sealed; this can't be right
+       if (CFTypeRef file = CFDictionaryGetValue(files, CFTempString(path))) {
+               ResourceSeal seal(file);
+               const Byte *sealHash = seal.hash(hashAlgorithm());
+               if (sealHash) {
+                       if (codeDirectory()->verifyMemoryContent(fileData, sealHash))
+                               return;         // success
+               }
+       }
+       MacOSError::throwMe(errSecCSBadResource);
 }
        
 void SecStaticCode::validateSymlinkResource(std::string fullpath, std::string seal, ValidationContext &ctx, SecCSFlags flags)
 }
        
 void SecStaticCode::validateSymlinkResource(std::string fullpath, std::string seal, ValidationContext &ctx, SecCSFlags flags)
@@ -1236,14 +1740,14 @@ void SecStaticCode::validateNestedCode(CFURLRef path, const ResourceSeal &seal,
        // recursively verify this nested code
        try {
                if (!(flags & kSecCSCheckNestedCode))
        // recursively verify this nested code
        try {
                if (!(flags & kSecCSCheckNestedCode))
-                       flags |= kSecCSBasicValidateOnly;
+                       flags |= kSecCSBasicValidateOnly | kSecCSQuickCheck;
                SecPointer<SecStaticCode> code = new SecStaticCode(DiskRep::bestGuess(cfString(path)));
                code->initializeFromParent(*this);
                SecPointer<SecStaticCode> code = new SecStaticCode(DiskRep::bestGuess(cfString(path)));
                code->initializeFromParent(*this);
-               code->staticValidate(flags, SecRequirement::required(req));
+               code->staticValidate(flags & (~kSecCSRestrictToAppLike), SecRequirement::required(req));
 
                if (isFramework && (flags & kSecCSStrictValidate))
                        try {
 
                if (isFramework && (flags & kSecCSStrictValidate))
                        try {
-                               validateOtherVersions(path, flags, req, code);
+                               validateOtherVersions(path, flags & (~kSecCSRestrictToAppLike), req, code);
                        } catch (const CSError &err) {
                                MacOSError::throwMe(errSecCSBadFrameworkVersion);
                        } catch (const MacOSError &err) {
                        } catch (const CSError &err) {
                                MacOSError::throwMe(errSecCSBadFrameworkVersion);
                        } catch (const MacOSError &err) {
@@ -1289,10 +1793,7 @@ void SecStaticCode::validateOtherVersions(CFURLRef path, SecCSFlags flags, SecRe
                while ((entry = scanner.getNext()) != NULL) {
                        std::ostringstream fullPath;
 
                while ((entry = scanner.getNext()) != NULL) {
                        std::ostringstream fullPath;
 
-                       if (entry->d_type != DT_DIR ||
-                               strcmp(entry->d_name, ".") == 0 ||
-                               strcmp(entry->d_name, "..") == 0 ||
-                               strcmp(entry->d_name, "Current") == 0)
+                       if (entry->d_type != DT_DIR || strcmp(entry->d_name, "Current") == 0)
                                continue;
 
                        fullPath << versionsPath.str() << entry->d_name;
                                continue;
 
                        fullPath << versionsPath.str() << entry->d_name;
@@ -1384,25 +1885,40 @@ const Requirement *SecStaticCode::defaultDesignatedRequirement()
                Requirement::Maker::Chain chain(maker, opOr);
 
                // insert cdhash requirement for all architectures
                Requirement::Maker::Chain chain(maker, opOr);
 
                // insert cdhash requirement for all architectures
-               chain.add();
-               maker.cdhash(this->cdHash());
-               handleOtherArchitectures(^(SecStaticCode *subcode) {
-                       if (CFDataRef cdhash = subcode->cdHash()) {
-                               chain.add();
-                               maker.cdhash(cdhash);
-                       }
+               __block CFRef<CFMutableArrayRef> allHashes = CFArrayCreateMutableCopy(NULL, 0, this->cdHashes());
+               handleOtherArchitectures(^(SecStaticCode *other) {
+                       CFArrayRef hashes = other->cdHashes();
+                       CFArrayAppendArray(allHashes, hashes, CFRangeMake(0, CFArrayGetCount(hashes)));
                });
                });
+               CFIndex count = CFArrayGetCount(allHashes);
+               for (CFIndex n = 0; n < count; ++n) {
+                       chain.add();
+                       maker.cdhash(CFDataRef(CFArrayGetValueAtIndex(allHashes, n)));
+               }
                return maker.make();
        } else {
                return maker.make();
        } else {
+#if TARGET_OS_OSX
                // full signature: Gin up full context and let DRMaker do its thing
                validateDirectory();            // need the cert chain
                // full signature: Gin up full context and let DRMaker do its thing
                validateDirectory();            // need the cert chain
+               CFRef<CFDateRef> secureTimestamp;
+               if (CFAbsoluteTime time = this->signingTimestamp()) {
+                       secureTimestamp.take(CFDateCreate(NULL, time));
+               }
                Requirement::Context context(this->certificates(),
                        this->infoDictionary(),
                        this->entitlements(),
                        this->identifier(),
                Requirement::Context context(this->certificates(),
                        this->infoDictionary(),
                        this->entitlements(),
                        this->identifier(),
-                       this->codeDirectory()
+                       this->codeDirectory(),
+                       NULL,
+                       kSecCodeSignatureNoHash,
+                       false,
+                       secureTimestamp,
+                       this->teamID()
                );
                return DRMaker(context).make();
                );
                return DRMaker(context).make();
+#else
+        MacOSError::throwMe(errSecCSUnimplemented);
+#endif
        }
 }
 
        }
 }
 
@@ -1422,9 +1938,6 @@ void SecStaticCode::validateRequirements(SecRequirementType type, SecStaticCode
                /* accept it */;
 }
 
                /* accept it */;
 }
 
-/* Public Key Hash for root:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority */
-static const UInt8 retryRootBytes[] = {0x00,0xd8,0x5a,0x4c,0x25,0xc1,0x22,0xe5,0x8b,0x31,0xef,0x6d,0xba,0xf3,0xcc,0x5f,0x29,0xf1,0x0d,0x61};
-
 //
 // Validate this StaticCode against an external Requirement
 //
 //
 // Validate this StaticCode against an external Requirement
 //
@@ -1433,35 +1946,15 @@ bool SecStaticCode::satisfiesRequirement(const Requirement *req, OSStatus failur
        bool result = false;
        assert(req);
        validateDirectory();
        bool result = false;
        assert(req);
        validateDirectory();
-       result = req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(), codeDirectory()->identifier(), codeDirectory()), failure);
-       if (result == false) {
-               /* Fix for rdar://problem/21437632: Work around untrusted root in validation chain */
-               CFArrayRef certs = certificates();
-               if (!certs || ((int)CFArrayGetCount(certs) < 1)) {
-                       return false;
-               }
-               SecCertificateRef root = cert((int)CFArrayGetCount(certs) - 1);
-               if (!root) {
-                       return false;
-               }
-               CFDataRef rootHash = SecCertificateCopyPublicKeySHA1Digest(root);
-               if (!rootHash) {
-                       return false;
-               }
-               
-               if ((CFDataGetLength(rootHash) == sizeof(retryRootBytes)) &&
-                       !memcmp(CFDataGetBytePtr(rootHash), retryRootBytes, sizeof(retryRootBytes))) {
-                       // retry with a rebuilt certificate chain, this time evaluating anchor trust
-                       Security::Syslog::debug("Requirements validation failed: retrying");
-                       mResourcesValidated = mValidated = false;
-                       setValidationFlags(mValidationFlags | kSecCSCheckTrustedAnchors);
-               
-                       validateDirectory();
-                       result = req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(), codeDirectory()->identifier(), codeDirectory()), failure);
-               }
-               CFRelease(rootHash);
+       CFRef<CFDateRef> secureTimestamp;
+       if (CFAbsoluteTime time = this->signingTimestamp()) {
+               secureTimestamp.take(CFDateCreate(NULL, time));
        }
        }
-       
+       result = req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(),
+                                                                                                codeDirectory()->identifier(), codeDirectory(),
+                                                                                                NULL, kSecCodeSignatureNoHash, mRep->appleInternalForcePlatform(),
+                                                                                                secureTimestamp, teamID()),
+                                                       failure);
        return result;
 }
 
        return result;
 }
 
@@ -1529,10 +2022,17 @@ CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags)
        CFDictionaryAddValue(dict, kSecCodeInfoFormat, CFTempString(this->format()));
        CFDictionaryAddValue(dict, kSecCodeInfoSource, CFTempString(this->signatureSource()));
        CFDictionaryAddValue(dict, kSecCodeInfoUnique, this->cdHash());
        CFDictionaryAddValue(dict, kSecCodeInfoFormat, CFTempString(this->format()));
        CFDictionaryAddValue(dict, kSecCodeInfoSource, CFTempString(this->signatureSource()));
        CFDictionaryAddValue(dict, kSecCodeInfoUnique, this->cdHash());
+       CFDictionaryAddValue(dict, kSecCodeInfoCdHashes, this->cdHashes());
+       CFDictionaryAddValue(dict, kSecCodeInfoCdHashesFull, this->cdHashesFull());
        const CodeDirectory* cd = this->codeDirectory(false);
        CFDictionaryAddValue(dict, kSecCodeInfoDigestAlgorithm, CFTempNumber(cd->hashType));
        const CodeDirectory* cd = this->codeDirectory(false);
        CFDictionaryAddValue(dict, kSecCodeInfoDigestAlgorithm, CFTempNumber(cd->hashType));
+       CFRef<CFArrayRef> digests = makeCFArrayFrom(^CFTypeRef(CodeDirectory::HashAlgorithm type) { return CFTempNumber(type); }, hashAlgorithms());
+       CFDictionaryAddValue(dict, kSecCodeInfoDigestAlgorithms, digests);
        if (cd->platform)
                CFDictionaryAddValue(dict, kSecCodeInfoPlatformIdentifier, CFTempNumber(cd->platform));
        if (cd->platform)
                CFDictionaryAddValue(dict, kSecCodeInfoPlatformIdentifier, CFTempNumber(cd->platform));
+       if (cd->runtimeVersion()) {
+               CFDictionaryAddValue(dict, kSecCodeInfoRuntimeVersion, CFTempNumber(cd->runtimeVersion()));
+       }
 
        //
        // Deliver any Info.plist only if it looks intact
 
        //
        // Deliver any Info.plist only if it looks intact
@@ -1547,27 +2047,30 @@ CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags)
        //
        if (flags & kSecCSSigningInformation)
                try {
        //
        if (flags & kSecCSSigningInformation)
                try {
-                       if (CFArrayRef certs = this->certificates())
-                               CFDictionaryAddValue(dict, kSecCodeInfoCertificates, certs);
                        if (CFDataRef sig = this->signature())
                                CFDictionaryAddValue(dict, kSecCodeInfoCMS, sig);
                        if (CFDataRef sig = this->signature())
                                CFDictionaryAddValue(dict, kSecCodeInfoCMS, sig);
+                       if (const char *teamID = this->teamID())
+                               CFDictionaryAddValue(dict, kSecCodeInfoTeamIdentifier, CFTempString(teamID));
                        if (mTrust)
                                CFDictionaryAddValue(dict, kSecCodeInfoTrust, mTrust);
                        if (mTrust)
                                CFDictionaryAddValue(dict, kSecCodeInfoTrust, mTrust);
+                       if (CFArrayRef certs = this->certificates())
+                               CFDictionaryAddValue(dict, kSecCodeInfoCertificates, certs);
                        if (CFAbsoluteTime time = this->signingTime())
                                if (CFRef<CFDateRef> date = CFDateCreate(NULL, time))
                                        CFDictionaryAddValue(dict, kSecCodeInfoTime, date);
                        if (CFAbsoluteTime time = this->signingTimestamp())
                                if (CFRef<CFDateRef> date = CFDateCreate(NULL, time))
                                        CFDictionaryAddValue(dict, kSecCodeInfoTimestamp, date);
                        if (CFAbsoluteTime time = this->signingTime())
                                if (CFRef<CFDateRef> date = CFDateCreate(NULL, time))
                                        CFDictionaryAddValue(dict, kSecCodeInfoTime, date);
                        if (CFAbsoluteTime time = this->signingTimestamp())
                                if (CFRef<CFDateRef> date = CFDateCreate(NULL, time))
                                        CFDictionaryAddValue(dict, kSecCodeInfoTimestamp, date);
-                       if (const char *teamID = this->teamID())
-                               CFDictionaryAddValue(dict, kSecCodeInfoTeamIdentifier, CFTempString(teamID));
                } catch (...) { }
 
        //
        // kSecCSRequirementInformation adds information on requirements
        //
        if (flags & kSecCSRequirementInformation)
                } catch (...) { }
 
        //
        // kSecCSRequirementInformation adds information on requirements
        //
        if (flags & kSecCSRequirementInformation)
-               try {
+
+//DR not currently supported on iOS
+#if TARGET_OS_OSX
+        try {
                        if (const Requirements *reqs = this->internalRequirements()) {
                                CFDictionaryAddValue(dict, kSecCodeInfoRequirements,
                                        CFTempString(Dumper::dump(reqs)));
                        if (const Requirements *reqs = this->internalRequirements()) {
                                CFDictionaryAddValue(dict, kSecCodeInfoRequirements,
                                        CFTempString(Dumper::dump(reqs)));
@@ -1584,14 +2087,15 @@ CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags)
                                CFDictionaryAddValue(dict, kSecCodeInfoImplicitDesignatedRequirement, dreqRef);
                        }
                } catch (...) { }
                                CFDictionaryAddValue(dict, kSecCodeInfoImplicitDesignatedRequirement, dreqRef);
                        }
                } catch (...) { }
+#endif
 
 
-               try {
-                  if (CFDataRef ent = this->component(cdEntitlementSlot)) {
-                          CFDictionaryAddValue(dict, kSecCodeInfoEntitlements, ent);
-                          if (CFDictionaryRef entdict = this->entitlements())
-                                       CFDictionaryAddValue(dict, kSecCodeInfoEntitlementsDict, entdict);
-                       }
-               } catch (...) { }
+       try {
+          if (CFDataRef ent = this->component(cdEntitlementSlot)) {
+                  CFDictionaryAddValue(dict, kSecCodeInfoEntitlements, ent);
+                  if (CFDictionaryRef entdict = this->entitlements())
+                               CFDictionaryAddValue(dict, kSecCodeInfoEntitlementsDict, entdict);
+               }
+       } catch (...) { }
 
        //
        // kSecCSInternalInformation adds internal information meant to be for Apple internal
 
        //
        // kSecCSInternalInformation adds internal information meant to be for Apple internal
@@ -1599,22 +2103,45 @@ CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags)
        // to reliably transmit through the API wall so that code outside the Security.framework
        // can use it without having to play nasty tricks to get it.
        //
        // to reliably transmit through the API wall so that code outside the Security.framework
        // can use it without having to play nasty tricks to get it.
        //
-       if (flags & kSecCSInternalInformation)
+       if (flags & kSecCSInternalInformation) {
                try {
                        if (mDir)
                                CFDictionaryAddValue(dict, kSecCodeInfoCodeDirectory, mDir);
                        CFDictionaryAddValue(dict, kSecCodeInfoCodeOffset, CFTempNumber(mRep->signingBase()));
                try {
                        if (mDir)
                                CFDictionaryAddValue(dict, kSecCodeInfoCodeDirectory, mDir);
                        CFDictionaryAddValue(dict, kSecCodeInfoCodeOffset, CFTempNumber(mRep->signingBase()));
-               if (CFRef<CFDictionaryRef> rdict = getDictionary(cdResourceDirSlot, false))     // suppress validation
-                       CFDictionaryAddValue(dict, kSecCodeInfoResourceDirectory, rdict);
+        if (!(flags & kSecCSSkipResourceDirectory)) {
+            if (CFRef<CFDictionaryRef> rdict = getDictionary(cdResourceDirSlot, false))        // suppress validation
+                CFDictionaryAddValue(dict, kSecCodeInfoResourceDirectory, rdict);
+        }
+               if (CFRef<CFDictionaryRef> ddict = diskRepInformation())
+                       CFDictionaryAddValue(dict, kSecCodeInfoDiskRepInfo, ddict);
                } catch (...) { }
                } catch (...) { }
+               if (mNotarizationChecked && !isnan(mNotarizationDate)) {
+                       CFRef<CFDateRef> date = CFDateCreate(NULL, mNotarizationDate);
+                       if (date) {
+                               CFDictionaryAddValue(dict, kSecCodeInfoNotarizationDate, date.get());
+                       } else {
+                               secerror("Error creating date from timestamp: %f", mNotarizationDate);
+                       }
+               }
+       }
 
 
+       if (flags & kSecCSCalculateCMSDigest) {
+               try {
+                       CFDictionaryAddValue(dict, kSecCodeInfoCMSDigestHashType, CFTempNumber(cmsDigestHashType()));
+                       
+                       CFRef<CFDataRef> cmsDigest = createCmsDigest();
+                       if (cmsDigest) {
+                               CFDictionaryAddValue(dict, kSecCodeInfoCMSDigest, cmsDigest.get());
+                       }
+               } catch (...) { }
+       }
 
        //
        // kSecCSContentInformation adds more information about the physical layout
        // of the signed code. This is (only) useful for packaging or patching-oriented
        // applications.
        //
 
        //
        // kSecCSContentInformation adds more information about the physical layout
        // of the signed code. This is (only) useful for packaging or patching-oriented
        // applications.
        //
-       if (flags & kSecCSContentInformation)
+       if (flags & kSecCSContentInformation && !(flags & kSecCSSkipResourceDirectory))
                if (CFRef<CFArrayRef> files = mRep->modifiedFiles())
                        CFDictionaryAddValue(dict, kSecCodeInfoChangedFiles, files);
 
                if (CFRef<CFArrayRef> files = mRep->modifiedFiles())
                        CFDictionaryAddValue(dict, kSecCodeInfoChangedFiles, files);
 
@@ -1667,8 +2194,8 @@ void SecStaticCode::CollectingContext::throwMe()
 //
 // SecStaticCode exposes an a la carte menu of topical validators applying
 // to a given object. The static validation API pulls them together reliably,
 //
 // SecStaticCode exposes an a la carte menu of topical validators applying
 // to a given object. The static validation API pulls them together reliably,
-// but it also adds two matrix dimensions: architecture (for "fat" Mach-O binaries)
-// and nested code. This function will crawl a suitable cross-section of this
+// but it also adds three matrix dimensions: architecture (for "fat" Mach-O binaries),
+// nested code, and multiple digests. This function will crawl a suitable cross-section of this
 // validation matrix based on which options it is given, creating temporary
 // SecStaticCode objects on the fly to complete the task.
 // (The point, of course, is to do as little duplicate work as possible.)
 // validation matrix based on which options it is given, creating temporary
 // SecStaticCode objects on the fly to complete the task.
 // (The point, of course, is to do as little duplicate work as possible.)
@@ -1677,11 +2204,31 @@ void SecStaticCode::staticValidate(SecCSFlags flags, const SecRequirement *req)
 {
        setValidationFlags(flags);
 
 {
        setValidationFlags(flags);
 
+#if TARGET_OS_OSX
+       if (!mStaplingChecked) {
+               mRep->registerStapledTicket();
+               mStaplingChecked = true;
+       }
+
+       if (mFlags & kSecCSForceOnlineNotarizationCheck) {
+               if (!mNotarizationChecked) {
+                       if (this->cdHash()) {
+                               bool is_revoked = checkNotarizationServiceForRevocation(this->cdHash(), (SecCSDigestAlgorithm)this->hashAlgorithm(), &mNotarizationDate);
+                               if (is_revoked) {
+                                       MacOSError::throwMe(errSecCSRevokedNotarization);
+                               }
+                       }
+                       mNotarizationChecked = true;
+               }
+       }
+#endif // TARGET_OS_OSX
+
        // initialize progress/cancellation state
        if (flags & kSecCSReportProgress)
                prepareProgress(estimateResourceWorkload() + 2);        // +1 head, +1 tail
 
        // initialize progress/cancellation state
        if (flags & kSecCSReportProgress)
                prepareProgress(estimateResourceWorkload() + 2);        // +1 head, +1 tail
 
-       // core components: once per architecture (if any)
+
+       // core components: once per architecture (if any)
        this->staticValidateCore(flags, req);
        if (flags & kSecCSCheckAllArchitectures)
                handleOtherArchitectures(^(SecStaticCode* subcode) {
        this->staticValidateCore(flags, req);
        if (flags & kSecCSCheckAllArchitectures)
                handleOtherArchitectures(^(SecStaticCode* subcode) {
@@ -1692,7 +2239,7 @@ void SecStaticCode::staticValidate(SecCSFlags flags, const SecRequirement *req)
                                if ((arch.cpuType() & ~CPU_ARCH_MASK) == CPU_TYPE_POWERPC)
                                        return; // irrelevant to Gatekeeper
                        }
                                if ((arch.cpuType() & ~CPU_ARCH_MASK) == CPU_TYPE_POWERPC)
                                        return; // irrelevant to Gatekeeper
                        }
-                       subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) architecture
+                       subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) detached signature
                        subcode->staticValidateCore(flags, req);
                });
        reportProgress();
                        subcode->staticValidateCore(flags, req);
                });
        reportProgress();
@@ -1705,9 +2252,12 @@ void SecStaticCode::staticValidate(SecCSFlags flags, const SecRequirement *req)
                this->validateResources(flags);
 
        // perform strict validation if desired
                this->validateResources(flags);
 
        // perform strict validation if desired
-       if (flags & kSecCSStrictValidate)
-               mRep->strictValidate(codeDirectory(), mTolerateErrors);
+       if (flags & kSecCSStrictValidate) {
+               mRep->strictValidate(codeDirectory(), mTolerateErrors, mValidationFlags);
        reportProgress();
        reportProgress();
+       } else if (flags & kSecCSStrictValidateStructure) {
+               mRep->strictValidateStructure(codeDirectory(), mTolerateErrors, mValidationFlags);
+       }
 
        // allow monitor intervention
        if (CFRef<CFTypeRef> veto = reportEvent(CFSTR("validated"), NULL)) {
 
        // allow monitor intervention
        if (CFRef<CFTypeRef> veto = reportEvent(CFSTR("validated"), NULL)) {
@@ -1722,6 +2272,7 @@ void SecStaticCode::staticValidateCore(SecCSFlags flags, const SecRequirement *r
 {
        try {
                this->validateNonResourceComponents();  // also validates the CodeDirectory
 {
        try {
                this->validateNonResourceComponents();  // also validates the CodeDirectory
+               this->validateTopDirectory();
                if (!(flags & kSecCSDoNotValidateExecutable))
                        this->validateExecutable();
                if (req)
                if (!(flags & kSecCSDoNotValidateExecutable))
                        this->validateExecutable();
                if (req)
@@ -1759,21 +2310,24 @@ void SecStaticCode::handleOtherArchitectures(void (^handle)(SecStaticCode* other
                fat->architectures(architectures);
                if (architectures.size() > 1) {
                        DiskRep::Context ctx;
                fat->architectures(architectures);
                if (architectures.size() > 1) {
                        DiskRep::Context ctx;
-                       size_t activeOffset = fat->archOffset();
+                       off_t activeOffset = fat->archOffset();
                        for (Universal::Architectures::const_iterator arch = architectures.begin(); arch != architectures.end(); ++arch) {
                        for (Universal::Architectures::const_iterator arch = architectures.begin(); arch != architectures.end(); ++arch) {
-                               ctx.offset = fat->archOffset(*arch);
-                               if (ctx.offset > SIZE_MAX)
-                                       MacOSError::throwMe(errSecCSInternalError);
-                               ctx.size = fat->lengthOfSlice((size_t)ctx.offset);
-                               if (ctx.offset != activeOffset) {       // inactive architecture; check it
-                                       SecPointer<SecStaticCode> subcode = new SecStaticCode(DiskRep::bestGuess(this->mainExecutablePath(), &ctx));
-                                       subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) detached signature
-                                       if (this->teamID() == NULL || subcode->teamID() == NULL) {
-                                               if (this->teamID() != subcode->teamID())
+                               try {
+                                       ctx.offset = int_cast<size_t, off_t>(fat->archOffset(*arch));
+                                       ctx.size = fat->lengthOfSlice(int_cast<off_t,size_t>(ctx.offset));
+                                       if (ctx.offset != activeOffset) {       // inactive architecture; check it
+                                               SecPointer<SecStaticCode> subcode = new SecStaticCode(DiskRep::bestGuess(this->mainExecutablePath(), &ctx));
+                                               subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) detached signature
+                                               if (this->teamID() == NULL || subcode->teamID() == NULL) {
+                                                       if (this->teamID() != subcode->teamID())
+                                                               MacOSError::throwMe(errSecCSSignatureInvalid);
+                                               } else if (strcmp(this->teamID(), subcode->teamID()) != 0)
                                                        MacOSError::throwMe(errSecCSSignatureInvalid);
                                                        MacOSError::throwMe(errSecCSSignatureInvalid);
-                                       } else if (strcmp(this->teamID(), subcode->teamID()) != 0)
-                                               MacOSError::throwMe(errSecCSSignatureInvalid);
-                                       handle(subcode);
+                                               handle(subcode);
+                                       }
+                               } catch(std::out_of_range e) {
+                                       // some of our int_casts fell over.
+                                       MacOSError::throwMe(errSecCSBadObjectFormat);
                                }
                        }
                }
                                }
                        }
                }
@@ -1789,10 +2343,35 @@ bool SecStaticCode::isAppleDeveloperCert(CFArrayRef certs)
 {
        static const std::string appleDeveloperRequirement = "(" + std::string(WWDRRequirement) + ") or (" + MACWWDRRequirement + ") or (" + developerID + ") or (" + distributionCertificate + ") or (" + iPhoneDistributionCert + ")";
        SecPointer<SecRequirement> req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true);
 {
        static const std::string appleDeveloperRequirement = "(" + std::string(WWDRRequirement) + ") or (" + MACWWDRRequirement + ") or (" + developerID + ") or (" + distributionCertificate + ") or (" + iPhoneDistributionCert + ")";
        SecPointer<SecRequirement> req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true);
-       Requirement::Context ctx(certs, NULL, NULL, "", NULL);
+       Requirement::Context ctx(certs, NULL, NULL, "", NULL, NULL, kSecCodeSignatureNoHash, false, NULL, "");
 
        return req->requirement()->validates(ctx);
 }
 
 
        return req->requirement()->validates(ctx);
 }
 
+CFDataRef SecStaticCode::createCmsDigest()
+{
+       /*
+        * The CMS digest is a hash of the primary (first, most compatible) code directory,
+        * but its hash algorithm is fixed and not related to the code directory's
+        * hash algorithm.
+        */
+       
+       auto it = codeDirectories()->begin();
+       
+       if (it == codeDirectories()->end()) {
+               return NULL;
+       }
+
+       CodeDirectory const * const cd = reinterpret_cast<CodeDirectory const*>(CFDataGetBytePtr(it->second));
+       
+       RefPointer<DynamicHash> hash = cd->hashFor(mCMSDigestHashType);
+       CFMutableDataRef data = CFDataCreateMutable(NULL, hash->digestLength());
+       CFDataSetLength(data, hash->digestLength());
+       hash->update(cd, cd->length());
+       hash->finish(CFDataGetMutableBytePtr(data));
+       
+       return data;
+}
+       
 } // end namespace CodeSigning
 } // end namespace Security
 } // end namespace CodeSigning
 } // end namespace Security
mirror of Security