--- /dev/null
+/*
+ * Copyright (c) 2006,2011-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+//
+// reqinterp - Requirement language (exprOp) interpreter
+//
+#include "reqinterp.h"
+#include "codesigning_dtrace.h"
+#include <Security/SecTrustSettingsPriv.h>
+#include <Security/SecCertificatePriv.h>
+#include <security_utilities/memutils.h>
+#include <security_utilities/logging.h>
+#include "csutilities.h"
+
+namespace Security {
+namespace CodeSigning {
+
+
+//
+// Fragment fetching, caching, and evaluation.
+//
+// Several language elements allow "calling" of separate requirement programs
+// stored on disk as (binary) requirement blobs. The Fragments class takes care
+// of finding, loading, caching, and evaluating them.
+//
+// This is a singleton for (process global) caching. It works fine as multiple instances,
+// at a loss of caching effectiveness.
+//
+class Fragments {
+public:
+ Fragments();
+
+ bool named(const std::string &name, const Requirement::Context &ctx)
+ { return evalNamed("subreq", name, ctx); }
+ bool namedAnchor(const std::string &name, const Requirement::Context &ctx)
+ { return evalNamed("anchorreq", name, ctx); }
+
+private:
+ bool evalNamed(const char *type, const std::string &name, const Requirement::Context &ctx);
+ CFDataRef fragment(const char *type, const std::string &name);
+
+ typedef std::map<std::string, CFRef<CFDataRef> > FragMap;
+
+private:
+ CFBundleRef mMyBundle; // Security.framework bundle
+ Mutex mLock; // lock for all of the below...
+ FragMap mFragments; // cached fragments
+};
+
+static ModuleNexus<Fragments> fragments;
+
+
+//
+// Magic certificate features
+//
+static CFStringRef appleIntermediateCN = CFSTR("Apple Code Signing Certification Authority");
+static CFStringRef appleIntermediateO = CFSTR("Apple Inc.");
+
+
+//
+// Main interpreter function.
+//
+// ExprOp code is in Polish Notation (operator followed by operands),
+// and this engine uses opportunistic evaluation.
+//
+bool Requirement::Interpreter::evaluate()
+{
+ ExprOp op = ExprOp(get<uint32_t>());
+ CODESIGN_EVAL_REQINT_OP(op, this->pc() - sizeof(uint32_t));
+ switch (op & ~opFlagMask) {
+ case opFalse:
+ return false;
+ case opTrue:
+ return true;
+ case opIdent:
+ return mContext->directory && getString() == mContext->directory->identifier();
+ case opAppleAnchor:
+ return appleSigned();
+ case opAppleGenericAnchor:
+ return appleAnchored();
+ case opAnchorHash:
+ {
+ SecCertificateRef cert = mContext->cert(get<int32_t>());
+ return verifyAnchor(cert, getSHA1());
+ }
+ case opInfoKeyValue: // [legacy; use opInfoKeyField]
+ {
+ string key = getString();
+ return infoKeyValue(key, Match(CFTempString(getString()), matchEqual));
+ }
+ case opAnd:
+ return evaluate() & evaluate();
+ case opOr:
+ return evaluate() | evaluate();
+ case opCDHash:
+ if (mContext->directory) {
+ SHA1 hash;
+ hash(mContext->directory, mContext->directory->length());
+ return hash.verify(getHash());
+ } else
+ return false;
+ case opNot:
+ return !evaluate();
+ case opInfoKeyField:
+ {
+ string key = getString();
+ Match match(*this);
+ return infoKeyValue(key, match);
+ }
+ case opEntitlementField:
+ {
+ string key = getString();
+ Match match(*this);
+ return entitlementValue(key, match);
+ }
+ case opCertField:
+ {
+ SecCertificateRef cert = mContext->cert(get<int32_t>());
+ string key = getString();
+ Match match(*this);
+ return certFieldValue(key, match, cert);
+ }
+ case opCertGeneric:
+ {
+ SecCertificateRef cert = mContext->cert(get<int32_t>());
+ string key = getString();
+ Match match(*this);
+ return certFieldGeneric(key, match, cert);
+ }
+ case opCertPolicy:
+ {
+ SecCertificateRef cert = mContext->cert(get<int32_t>());
+ string key = getString();
+ Match match(*this);
+ return certFieldPolicy(key, match, cert);
+ }
+ case opTrustedCert:
+ return trustedCert(get<int32_t>());
+ case opTrustedCerts:
+ return trustedCerts();
+ case opNamedAnchor:
+ return fragments().namedAnchor(getString(), *mContext);
+ case opNamedCode:
+ return fragments().named(getString(), *mContext);
+ default:
+ // opcode not recognized - handle generically if possible, fail otherwise
+ if (op & (opGenericFalse | opGenericSkip)) {
+ // unknown opcode, but it has a size field and can be safely bypassed
+ skip(get<uint32_t>());
+ if (op & opGenericFalse) {
+ CODESIGN_EVAL_REQINT_UNKNOWN_FALSE(op);
+ return false;
+ } else {
+ CODESIGN_EVAL_REQINT_UNKNOWN_SKIPPED(op);
+ return evaluate();
+ }
+ }
+ // unrecognized opcode and no way to interpret it
+ secdebug("csinterp", "opcode 0x%x cannot be handled; aborting", op);
+ MacOSError::throwMe(errSecCSUnimplemented);
+ }
+}
+
+
+//
+// Evaluate an Info.plist key condition
+//
+bool Requirement::Interpreter::infoKeyValue(const string &key, const Match &match)
+{
+ if (mContext->info) // we have an Info.plist
+ if (CFTypeRef value = CFDictionaryGetValue(mContext->info, CFTempString(key)))
+ return match(value);
+ return false;
+}
+
+
+//
+// Evaluate an entitlement condition
+//
+bool Requirement::Interpreter::entitlementValue(const string &key, const Match &match)
+{
+ if (mContext->entitlements) // we have an Info.plist
+ if (CFTypeRef value = CFDictionaryGetValue(mContext->entitlements, CFTempString(key)))
+ return match(value);
+ return false;
+}
+
+
+bool Requirement::Interpreter::certFieldValue(const string &key, const Match &match, SecCertificateRef cert)
+{
+ // no cert, no chance
+ if (cert == NULL)
+ return false;
+
+ // a table of recognized keys for the "certificate[foo]" syntax
+ static const struct CertField {
+ const char *name;
+ const CSSM_OID *oid;
+ } certFields[] = {
+ { "subject.C", &CSSMOID_CountryName },
+ { "subject.CN", &CSSMOID_CommonName },
+ { "subject.D", &CSSMOID_Description },
+ { "subject.L", &CSSMOID_LocalityName },
+// { "subject.C-L", &CSSMOID_CollectiveLocalityName }, // missing from Security.framework headers
+ { "subject.O", &CSSMOID_OrganizationName },
+ { "subject.C-O", &CSSMOID_CollectiveOrganizationName },
+ { "subject.OU", &CSSMOID_OrganizationalUnitName },
+ { "subject.C-OU", &CSSMOID_CollectiveOrganizationalUnitName },
+ { "subject.ST", &CSSMOID_StateProvinceName },
+ { "subject.C-ST", &CSSMOID_CollectiveStateProvinceName },
+ { "subject.STREET", &CSSMOID_StreetAddress },
+ { "subject.C-STREET", &CSSMOID_CollectiveStreetAddress },
+ { "subject.UID", &CSSMOID_UserID },
+ { NULL, NULL }
+ };
+
+ // DN-component single-value match
+ for (const CertField *cf = certFields; cf->name; cf++)
+ if (cf->name == key) {
+ CFRef<CFStringRef> value;
+ if (OSStatus rc = SecCertificateCopySubjectComponent(cert, cf->oid, &value.aref())) {
+ secdebug("csinterp", "cert %p lookup for DN.%s failed rc=%d", cert, key.c_str(), (int)rc);
+ return false;
+ }
+ return match(value);
+ }
+
+ // email multi-valued match (any of...)
+ if (key == "email") {
+ CFRef<CFArrayRef> value;
+ if (OSStatus rc = SecCertificateCopyEmailAddresses(cert, &value.aref())) {
+ secdebug("csinterp", "cert %p lookup for email failed rc=%d", cert, (int)rc);
+ return false;
+ }
+ return match(value);
+ }
+
+ // unrecognized key. Fail but do not abort to promote backward compatibility down the road
+ secdebug("csinterp", "cert field notation \"%s\" not understood", key.c_str());
+ return false;
+}
+
+
+bool Requirement::Interpreter::certFieldGeneric(const string &key, const Match &match, SecCertificateRef cert)
+{
+ // the key is actually a (binary) OID value
+ CssmOid oid((char *)key.data(), key.length());
+ return certFieldGeneric(oid, match, cert);
+}
+
+bool Requirement::Interpreter::certFieldGeneric(const CssmOid &oid, const Match &match, SecCertificateRef cert)
+{
+ return cert && certificateHasField(cert, oid) && match(kCFBooleanTrue);
+}
+
+bool Requirement::Interpreter::certFieldPolicy(const string &key, const Match &match, SecCertificateRef cert)
+{
+ // the key is actually a (binary) OID value
+ CssmOid oid((char *)key.data(), key.length());
+ return certFieldPolicy(oid, match, cert);
+}
+
+bool Requirement::Interpreter::certFieldPolicy(const CssmOid &oid, const Match &match, SecCertificateRef cert)
+{
+ return cert && certificateHasPolicy(cert, oid) && match(kCFBooleanTrue);
+}
+
+
+//
+// Check the Apple-signed condition
+//
+bool Requirement::Interpreter::appleAnchored()
+{
+ if (SecCertificateRef cert = mContext->cert(anchorCert))
+ if (isAppleCA(cert)
+#if defined(TEST_APPLE_ANCHOR)
+ || verifyAnchor(cert, testAppleAnchorHash())
+#endif
+ )
+ return true;
+ return false;
+}
+
+bool Requirement::Interpreter::appleSigned()
+{
+ if (appleAnchored())
+ if (SecCertificateRef intermed = mContext->cert(-2)) // first intermediate
+ // first intermediate common name match (exact)
+ if (certFieldValue("subject.CN", Match(appleIntermediateCN, matchEqual), intermed)
+ && certFieldValue("subject.O", Match(appleIntermediateO, matchEqual), intermed))
+ return true;
+ return false;
+}
+
+
+//
+// Verify an anchor requirement against the context
+//
+bool Requirement::Interpreter::verifyAnchor(SecCertificateRef cert, const unsigned char *digest)
+{
+ // get certificate bytes
+ if (cert) {
+ CSSM_DATA certData;
+ MacOSError::check(SecCertificateGetData(cert, &certData));
+
+ // verify hash
+ //@@@ should get SHA1(cert(-1).data) precalculated during chain verification
+ SHA1 hasher;
+ hasher(certData.Data, certData.Length);
+ return hasher.verify(digest);
+ }
+ return false;
+}
+
+
+//
+// Check one or all certificate(s) in the cert chain against the Trust Settings database.
+//
+bool Requirement::Interpreter::trustedCerts()
+{
+ int anchor = mContext->certCount() - 1;
+ for (int slot = 0; slot <= anchor; slot++)
+ if (SecCertificateRef cert = mContext->cert(slot))
+ switch (trustSetting(cert, slot == anchor)) {
+ case kSecTrustSettingsResultTrustRoot:
+ case kSecTrustSettingsResultTrustAsRoot:
+ return true;
+ case kSecTrustSettingsResultDeny:
+ return false;
+ case kSecTrustSettingsResultUnspecified:
+ break;
+ default:
+ assert(false);
+ return false;
+ }
+ else
+ return false;
+ return false;
+}
+
+bool Requirement::Interpreter::trustedCert(int slot)
+{
+ if (SecCertificateRef cert = mContext->cert(slot)) {
+ int anchorSlot = mContext->certCount() - 1;
+ switch (trustSetting(cert, slot == anchorCert || slot == anchorSlot)) {
+ case kSecTrustSettingsResultTrustRoot:
+ case kSecTrustSettingsResultTrustAsRoot:
+ return true;
+ case kSecTrustSettingsResultDeny:
+ case kSecTrustSettingsResultUnspecified:
+ return false;
+ default:
+ assert(false);
+ return false;
+ }
+ } else
+ return false;
+}
+
+
+//
+// Explicitly check one certificate against the Trust Settings database and report
+// the findings. This is a helper for the various Trust Settings evaluators.
+//
+SecTrustSettingsResult Requirement::Interpreter::trustSetting(SecCertificateRef cert, bool isAnchor)
+{
+ // the SPI input is the uppercase hex form of the SHA-1 of the certificate...
+ assert(cert);
+ SHA1::Digest digest;
+ hashOfCertificate(cert, digest);
+ string Certhex = CssmData(digest, sizeof(digest)).toHex();
+ for (string::iterator it = Certhex.begin(); it != Certhex.end(); ++it)
+ if (islower(*it))
+ *it = toupper(*it);
+
+ // call Trust Settings and see what it finds
+ SecTrustSettingsDomain domain;
+ SecTrustSettingsResult result;
+ CSSM_RETURN *errors = NULL;
+ uint32 errorCount = 0;
+ bool foundMatch, foundAny;
+ switch (OSStatus rc = SecTrustSettingsEvaluateCert(
+ CFTempString(Certhex), // settings index
+ &CSSMOID_APPLE_TP_CODE_SIGNING, // standard code signing policy
+ NULL, 0, // policy string (unused)
+ kSecTrustSettingsKeyUseAny, // no restriction on key usage @@@
+ isAnchor, // consult system default anchor set
+
+ &domain, // domain of found setting
+ &errors, &errorCount, // error set and maximum count
+ &result, // the actual setting
+ &foundMatch, &foundAny // optimization hints (not used)
+ )) {
+ case errSecSuccess:
+ ::free(errors);
+ if (foundMatch)
+ return result;
+ else
+ return kSecTrustSettingsResultUnspecified;
+ default:
+ ::free(errors);
+ MacOSError::throwMe(rc);
+ }
+}
+
+
+//
+// Create a Match object from the interpreter stream
+//
+Requirement::Interpreter::Match::Match(Interpreter &interp)
+{
+ switch (mOp = interp.get<MatchOperation>()) {
+ case matchExists:
+ break;
+ case matchEqual:
+ case matchContains:
+ case matchBeginsWith:
+ case matchEndsWith:
+ case matchLessThan:
+ case matchGreaterThan:
+ case matchLessEqual:
+ case matchGreaterEqual:
+ mValue.take(makeCFString(interp.getString()));
+ break;
+ default:
+ // Assume this (unknown) match type has a single data argument.
+ // This gives us a chance to keep the instruction stream aligned.
+ interp.getString(); // discard
+ break;
+ }
+}
+
+
+//
+// Execute a match against a candidate value
+//
+bool Requirement::Interpreter::Match::operator () (CFTypeRef candidate) const
+{
+ // null candidates always fail
+ if (!candidate)
+ return false;
+
+ // interpret an array as matching alternatives (any one succeeds)
+ if (CFGetTypeID(candidate) == CFArrayGetTypeID()) {
+ CFArrayRef array = CFArrayRef(candidate);
+ CFIndex count = CFArrayGetCount(array);
+ for (CFIndex n = 0; n < count; n++)
+ if ((*this)(CFArrayGetValueAtIndex(array, n))) // yes, it's recursive
+ return true;
+ }
+
+ switch (mOp) {
+ case matchExists: // anything but NULL and boolean false "exists"
+ return !CFEqual(candidate, kCFBooleanFalse);
+ case matchEqual: // equality works for all CF types
+ return CFEqual(candidate, mValue);
+ case matchContains:
+ if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
+ CFStringRef value = CFStringRef(candidate);
+ if (CFStringFindWithOptions(value, mValue, CFRangeMake(0, CFStringGetLength(value)), 0, NULL))
+ return true;
+ }
+ return false;
+ case matchBeginsWith:
+ if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
+ CFStringRef value = CFStringRef(candidate);
+ if (CFStringFindWithOptions(value, mValue, CFRangeMake(0, CFStringGetLength(mValue)), 0, NULL))
+ return true;
+ }
+ return false;
+ case matchEndsWith:
+ if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
+ CFStringRef value = CFStringRef(candidate);
+ CFIndex matchLength = CFStringGetLength(mValue);
+ CFIndex start = CFStringGetLength(value) - matchLength;
+ if (start >= 0)
+ if (CFStringFindWithOptions(value, mValue, CFRangeMake(start, matchLength), 0, NULL))
+ return true;
+ }
+ return false;
+ case matchLessThan:
+ return inequality(candidate, kCFCompareNumerically, kCFCompareLessThan, true);
+ case matchGreaterThan:
+ return inequality(candidate, kCFCompareNumerically, kCFCompareGreaterThan, true);
+ case matchLessEqual:
+ return inequality(candidate, kCFCompareNumerically, kCFCompareGreaterThan, false);
+ case matchGreaterEqual:
+ return inequality(candidate, kCFCompareNumerically, kCFCompareLessThan, false);
+ default:
+ // unrecognized match types can never match
+ return false;
+ }
+}
+
+
+bool Requirement::Interpreter::Match::inequality(CFTypeRef candidate, CFStringCompareFlags flags,
+ CFComparisonResult outcome, bool negate) const
+{
+ if (CFGetTypeID(candidate) == CFStringGetTypeID()) {
+ CFStringRef value = CFStringRef(candidate);
+ if ((CFStringCompare(value, mValue, flags) == outcome) == negate)
+ return true;
+ }
+ return false;
+}
+
+
+//
+// External fragments
+//
+Fragments::Fragments()
+{
+ mMyBundle = CFBundleGetBundleWithIdentifier(CFSTR("com.apple.security"));
+}
+
+
+bool Fragments::evalNamed(const char *type, const std::string &name, const Requirement::Context &ctx)
+{
+ if (CFDataRef fragData = fragment(type, name)) {
+ const Requirement *req = (const Requirement *)CFDataGetBytePtr(fragData); // was prevalidated as Requirement
+ return req->validates(ctx);
+ }
+ return false;
+}
+
+
+CFDataRef Fragments::fragment(const char *type, const std::string &name)
+{
+ string key = name + "!!" + type; // compound key
+ StLock<Mutex> _(mLock); // lock for cache access
+ FragMap::const_iterator it = mFragments.find(key);
+ if (it == mFragments.end()) {
+ CFRef<CFDataRef> fragData; // will always be set (NULL on any errors)
+ if (CFRef<CFURLRef> fragURL = CFBundleCopyResourceURL(mMyBundle, CFTempString(name), CFSTR("csreq"), CFTempString(type)))
+ if (CFRef<CFDataRef> data = cfLoadFile(fragURL)) { // got data
+ const Requirement *req = (const Requirement *)CFDataGetBytePtr(data);
+ if (req->validateBlob(CFDataGetLength(data))) // looks like a Requirement...
+ fragData = data; // ... so accept it
+ else
+ Syslog::warning("Invalid sub-requirement at %s", cfString(fragURL).c_str());
+ }
+ if (CODESIGN_EVAL_REQINT_FRAGMENT_LOAD_ENABLED())
+ CODESIGN_EVAL_REQINT_FRAGMENT_LOAD(type, name.c_str(), fragData ? CFDataGetBytePtr(fragData) : NULL);
+ mFragments[key] = fragData; // cache it, success or failure
+ return fragData;
+ }
+ CODESIGN_EVAL_REQINT_FRAGMENT_HIT(type, name.c_str());
+ return it->second;
+}
+
+
+} // CodeSigning
+} // Security
projects / apple / security.git / blobdiff