-/*
- * Copyright (c) 2006-2007 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*!
- @header SecCodePriv
- SecCodePriv is the private counter-part to SecCode. Its contents are not
- official API, and are subject to change without notice.
-*/
-#ifndef _H_SECCODEPRIV
-#define _H_SECCODEPRIV
-
-#include <Security/SecCode.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-/*
- * Private constants for SecCodeCopySigningInformation.
- * These are returned with the
- */
-extern const CFStringRef kSecCodeInfoCodeDirectory; /* Internal */
-extern const CFStringRef kSecCodeInfoCodeOffset; /* Internal */
-extern const CFStringRef kSecCodeInfoResourceDirectory; /* Internal */
-
-
-/*!
- @function SecCodeGetStatus
- Retrieves the dynamic status for a SecCodeRef.
-
- The dynamic status of a code can change at any time; the value returned is a snapshot
- in time that is inherently stale by the time it is received by the caller. However,
- since the status bits can only change in certain ways, some information is indefinitely
- valid. For example, an indication of invalidity (kSecCodeStatusValid bit off) is permanent
- since the valid bit cannot be set once clear, while an indication of validity (bit set)
- may already be out of date.
- Use this call with caution; it is usually wiser to call the validation API functions
- and let then consider the status as part of their holistic computation. However,
- SecCodeGetStatus is useful at times to capture persistent (sticky) status configurations.
-
- @param code A valid SecCode object reference representing code running
- on the system.
- @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
- @param status Upon successful return, contains the dynamic status of code as
- determined by its host.
-
- @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
- CSCommon.h or certain other Security framework headers.
- */
-OSStatus SecCodeGetStatus(SecCodeRef code, SecCSFlags flags, SecCodeStatus *status);
-
-
-/*!
- @function SecCodeSetStatus
- Change the dynamic status of a SecCodeRef.
-
- @param code A valid SecCode object reference representing code running
- on the system.
- @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
- @param status Upon successful return, contains the dynamic status of code as
- determined by its host.
-
- @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
- CSCommon.h or certain other Security framework headers.
- */
-typedef uint32_t SecCodeStatusOperation;
-enum {
- kSecCodeOperationNull = 0,
- kSecCodeOperationInvalidate = 1,
- kSecCodeOperationSetHard = 2,
- kSecCodeOperationSetKill = 3,
-};
-
-OSStatus SecCodeSetStatus(SecCodeRef code, SecCodeStatusOperation operation,
- CFDictionaryRef arguments, SecCSFlags flags);
-
-
-/*!
- @function SecCodeCopyInternalRequirement
- For a given Code or StaticCode object, retrieves a particular kind of internal
- requirement that was sealed during signing.
-
- This function will always fail for unsigned code. Requesting a type of internal
- requirement that was not given during signing is not an error.
-
- Specifying a type of kSecDesignatedRequirementType is not the same as calling
- SecCodeCopyDesignatedRequirement. This function will only return an explicit
- Designated Requirement if one was specified during signing. SecCodeCopyDesignatedRequirement
- will synthesize a suitable Designated Requirement if one was not given explicitly.
-
- @param code The Code or StaticCode object to be interrogated. For a Code
- argument, its StaticCode is processed as per SecCodeCopyStaticCode.
- @param type A SecRequirementType specifying which internal requirement is being
- requested.
- @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
- @param requirement On successful return, contains a copy of the internal requirement
- of the given type included in the given code. If the code has no such internal
- requirement, this argument is set to NULL (with no error).
- @result On success, errSecSuccess. On error, an OSStatus value
- documented in CSCommon.h or certain other Security framework headers.
-*/
-OSStatus SecCodeCopyInternalRequirement(SecStaticCodeRef code, SecRequirementType type,
- SecCSFlags flags, SecRequirementRef *requirement);
-
-
-/*!
- @function SecCodeCreateWithPID
- Asks the kernel to return a SecCode object for a process identified
- by a UNIX process id (pid). This is a shorthand for asking SecGetRootCode()
- for a guest whose "pid" attribute has the given pid value.
-
- This is a deprecated convenience function.
- Call SecCodeCopyGuestWithAttributes instead.
-
- @param pid A process id for an existing UNIX process on the system.
- @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
- @param process On successful return, a SecCode object reference identifying
- the requesteed process.
- @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
- CSCommon.h or certain other Security framework headers.
-*/
-OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *process)
- AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_6;
-
-
-/*
- @function SecCodeSetDetachedSignature
- For a given Code or StaticCode object, explicitly specify the detached signature
- data used to verify it.
- This call unconditionally overrides any signature embedded in the Code and any
- previously specified detached signature; only the signature data specified here
- will be used from now on for this Code object. If NULL data is specified, the
- code object is returned to its natural signing state (before a detached
- signature was first attached to it).
- Any call to this function voids all cached validations for the Code object.
- Validations will be performed again as needed in the future. This call does not,
- by itself, perform or trigger any validations.
- Please note that it is possible to have multiple Code objects for the same static
- or dynamic code entity in the system. This function only attaches signature data
- to the particular SecStaticCodeRef involved. It is your responsibility to understand
- the object graph and pick the right one(s).
-
- @param code A Code or StaticCode object whose signature information is to be changed.
- @param signature A CFDataRef containing the signature data to be used for validating
- the given Code. This must be exactly the data previously generated as a detached
- signature by the SecCodeSignerAddSignature API or the codesign(1) command with
- the -D/--detached option.
- If signature is NULL, discards any previously set signature data and reverts
- to using the embedded signature, if any. If not NULL, the data is retained and used
- for future validation operations.
- The data may be retained or copied. Behavior is undefined if this object
- is modified after this call before it is replaced through another call to this
- function).
- @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
- */
-OSStatus SecCodeSetDetachedSignature(SecStaticCodeRef code, CFDataRef signature,
- SecCSFlags flags);
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif //_H_SECCODE
projects / apple / security.git / blobdiff