+++ /dev/null
-/*
- * Copyright (c) 2006-2012 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-//
-// StaticCode - SecStaticCode API objects
-//
-#include "StaticCode.h"
-#include "Code.h"
-#include "reqmaker.h"
-#include "drmaker.h"
-#include "reqdumper.h"
-#include "reqparser.h"
-#include "sigblob.h"
-#include "resources.h"
-#include "detachedrep.h"
-#include "csdatabase.h"
-#include "csutilities.h"
-#include "dirscanner.h"
-#include <CoreFoundation/CFURLAccess.h>
-#include <Security/SecPolicyPriv.h>
-#include <Security/SecTrustPriv.h>
-#include <Security/SecCertificatePriv.h>
-#include <Security/CMSPrivate.h>
-#include <Security/SecCmsContentInfo.h>
-#include <Security/SecCmsSignerInfo.h>
-#include <Security/SecCmsSignedData.h>
-#include <Security/cssmapplePriv.h>
-#include <security_utilities/unix++.h>
-#include <security_utilities/cfmunge.h>
-#include <Security/CMSDecoder.h>
-#include <security_utilities/logging.h>
-#include <dirent.h>
-#include <sstream>
-
-
-namespace Security {
-namespace CodeSigning {
-
-using namespace UnixPlusPlus;
-
-// A requirement representing a Mac or iOS dev cert, a Mac or iOS distribution cert, or a developer ID
-static const char WWDRRequirement[] = "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists "
- "and ( cert leaf[subject.CN] = \"Mac Developer: \"* or cert leaf[subject.CN] = \"iPhone Developer: \"* )";
-static const char developerID[] = "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists"
- " and certificate leaf[field.1.2.840.113635.100.6.1.13] exists";
-static const char distributionCertificate[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.7] exists";
-static const char iPhoneDistributionCert[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.4] exists";
-
-//
-// Map a component slot number to a suitable error code for a failure
-//
-static inline OSStatus errorForSlot(CodeDirectory::SpecialSlot slot)
-{
- switch (slot) {
- case cdInfoSlot:
- return errSecCSInfoPlistFailed;
- case cdResourceDirSlot:
- return errSecCSResourceDirectoryFailed;
- default:
- return errSecCSSignatureFailed;
- }
-}
-
-
-//
-// Construct a SecStaticCode object given a disk representation object
-//
-SecStaticCode::SecStaticCode(DiskRep *rep)
- : mRep(rep),
- mValidated(false), mExecutableValidated(false), mResourcesValidated(false), mResourcesValidContext(NULL),
- mDesignatedReq(NULL), mGotResourceBase(false), mMonitor(NULL), mEvalDetails(NULL)
-{
- CODESIGN_STATIC_CREATE(this, rep);
- checkForSystemSignature();
-}
-
-
-//
-// Clean up a SecStaticCode object
-//
-SecStaticCode::~SecStaticCode() throw()
-try {
- ::free(const_cast<Requirement *>(mDesignatedReq));
- if (mResourcesValidContext)
- delete mResourcesValidContext;
-} catch (...) {
- return;
-}
-
-
-//
-// CF-level comparison of SecStaticCode objects compares CodeDirectory hashes if signed,
-// and falls back on comparing canonical paths if (both are) not.
-//
-bool SecStaticCode::equal(SecCFObject &secOther)
-{
- SecStaticCode *other = static_cast<SecStaticCode *>(&secOther);
- CFDataRef mine = this->cdHash();
- CFDataRef his = other->cdHash();
- if (mine || his)
- return mine && his && CFEqual(mine, his);
- else
- return CFEqual(CFRef<CFURLRef>(this->copyCanonicalPath()), CFRef<CFURLRef>(other->copyCanonicalPath()));
-}
-
-CFHashCode SecStaticCode::hash()
-{
- if (CFDataRef h = this->cdHash())
- return CFHash(h);
- else
- return CFHash(CFRef<CFURLRef>(this->copyCanonicalPath()));
-}
-
-
-//
-// Invoke a stage monitor if registered
-//
-CFTypeRef SecStaticCode::reportEvent(CFStringRef stage, CFDictionaryRef info)
-{
- if (mMonitor)
- return mMonitor(this->handle(false), stage, info);
- else
- return NULL;
-}
-
-
-//
-// Set validation conditions for fine-tuning legacy tolerance
-//
-static void addError(CFTypeRef cfError, void* context)
-{
- if (CFGetTypeID(cfError) == CFNumberGetTypeID()) {
- int64_t error;
- CFNumberGetValue(CFNumberRef(cfError), kCFNumberSInt64Type, (void*)&error);
- MacOSErrorSet* errors = (MacOSErrorSet*)context;
- errors->insert(OSStatus(error));
- }
-}
-
-void SecStaticCode::setValidationModifiers(CFDictionaryRef conditions)
-{
- if (conditions) {
- CFDictionary source(conditions, errSecCSDbCorrupt);
- mAllowOmissions = source.get<CFArrayRef>("omissions");
- if (CFArrayRef errors = source.get<CFArrayRef>("errors"))
- CFArrayApplyFunction(errors, CFRangeMake(0, CFArrayGetCount(errors)), addError, &this->mTolerateErrors);
- }
-}
-
-
-//
-// Attach a detached signature.
-//
-void SecStaticCode::detachedSignature(CFDataRef sigData)
-{
- if (sigData) {
- mDetachedSig = sigData;
- mRep = new DetachedRep(sigData, mRep->base(), "explicit detached");
- CODESIGN_STATIC_ATTACH_EXPLICIT(this, mRep);
- } else {
- mDetachedSig = NULL;
- mRep = mRep->base();
- CODESIGN_STATIC_ATTACH_EXPLICIT(this, NULL);
- }
-}
-
-
-//
-// Consult the system detached signature database to see if it contains
-// a detached signature for this StaticCode. If it does, fetch and attach it.
-// We do this only if the code has no signature already attached.
-//
-void SecStaticCode::checkForSystemSignature()
-{
- if (!this->isSigned()) {
- SignatureDatabase db;
- if (db.isOpen())
- try {
- if (RefPointer<DiskRep> dsig = db.findCode(mRep)) {
- CODESIGN_STATIC_ATTACH_SYSTEM(this, dsig);
- mRep = dsig;
- }
- } catch (...) {
- }
- }
-}
-
-
-//
-// Return a descriptive string identifying the source of the code signature
-//
-string SecStaticCode::signatureSource()
-{
- if (!isSigned())
- return "unsigned";
- if (DetachedRep *rep = dynamic_cast<DetachedRep *>(mRep.get()))
- return rep->source();
- return "embedded";
-}
-
-
-//
-// Do ::required, but convert incoming SecCodeRefs to their SecStaticCodeRefs
-// (if possible).
-//
-SecStaticCode *SecStaticCode::requiredStatic(SecStaticCodeRef ref)
-{
- SecCFObject *object = SecCFObject::required(ref, errSecCSInvalidObjectRef);
- if (SecStaticCode *scode = dynamic_cast<SecStaticCode *>(object))
- return scode;
- else if (SecCode *code = dynamic_cast<SecCode *>(object))
- return code->staticCode();
- else // neither (a SecSomethingElse)
- MacOSError::throwMe(errSecCSInvalidObjectRef);
-}
-
-SecCode *SecStaticCode::optionalDynamic(SecStaticCodeRef ref)
-{
- SecCFObject *object = SecCFObject::required(ref, errSecCSInvalidObjectRef);
- if (dynamic_cast<SecStaticCode *>(object))
- return NULL;
- else if (SecCode *code = dynamic_cast<SecCode *>(object))
- return code;
- else // neither (a SecSomethingElse)
- MacOSError::throwMe(errSecCSInvalidObjectRef);
-}
-
-
-//
-// Void all cached validity data.
-//
-// We also throw out cached components, because the new signature data may have
-// a different idea of what components should be present. We could reconcile the
-// cached data instead, if performance seems to be impacted.
-//
-void SecStaticCode::resetValidity()
-{
- CODESIGN_EVAL_STATIC_RESET(this);
- mValidated = false;
- mExecutableValidated = mResourcesValidated = false;
- if (mResourcesValidContext) {
- delete mResourcesValidContext;
- mResourcesValidContext = NULL;
- }
- mDir = NULL;
- mSignature = NULL;
- for (unsigned n = 0; n < cdSlotCount; n++)
- mCache[n] = NULL;
- mInfoDict = NULL;
- mEntitlements = NULL;
- mResourceDict = NULL;
- mDesignatedReq = NULL;
- mCDHash = NULL;
- mGotResourceBase = false;
- mTrust = NULL;
- mCertChain = NULL;
- mEvalDetails = NULL;
- mRep->flush();
-
- // we may just have updated the system database, so check again
- checkForSystemSignature();
-}
-
-
-//
-// Retrieve a sealed component by special slot index.
-// If the CodeDirectory has already been validated, validate against that.
-// Otherwise, retrieve the component without validation (but cache it). Validation
-// will go through the cache and validate all cached components.
-//
-CFDataRef SecStaticCode::component(CodeDirectory::SpecialSlot slot, OSStatus fail /* = errSecCSSignatureFailed */)
-{
- assert(slot <= cdSlotMax);
-
- CFRef<CFDataRef> &cache = mCache[slot];
- if (!cache) {
- if (CFRef<CFDataRef> data = mRep->component(slot)) {
- if (validated()) // if the directory has been validated...
- if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), // ... and it's no good
- CFDataGetLength(data), -slot))
- MacOSError::throwMe(errorForSlot(slot)); // ... then bail
- cache = data; // it's okay, cache it
- } else { // absent, mark so
- if (validated()) // if directory has been validated...
- if (codeDirectory()->slotIsPresent(-slot)) // ... and the slot is NOT missing
- MacOSError::throwMe(errorForSlot(slot)); // was supposed to be there
- cache = CFDataRef(kCFNull); // white lie
- }
- }
- return (cache == CFDataRef(kCFNull)) ? NULL : cache.get();
-}
-
-
-//
-// Get the CodeDirectory.
-// Throws (if check==true) or returns NULL (check==false) if there is none.
-// Always throws if the CodeDirectory exists but is invalid.
-// NEVER validates against the signature.
-//
-const CodeDirectory *SecStaticCode::codeDirectory(bool check /* = true */)
-{
- if (!mDir) {
- if (mDir.take(mRep->codeDirectory())) {
- const CodeDirectory *dir = reinterpret_cast<const CodeDirectory *>(CFDataGetBytePtr(mDir));
- dir->checkIntegrity();
- }
- }
- if (mDir)
- return reinterpret_cast<const CodeDirectory *>(CFDataGetBytePtr(mDir));
- if (check)
- MacOSError::throwMe(errSecCSUnsigned);
- return NULL;
-}
-
-
-//
-// Get the hash of the CodeDirectory.
-// Returns NULL if there is none.
-//
-CFDataRef SecStaticCode::cdHash()
-{
- if (!mCDHash) {
- if (const CodeDirectory *cd = codeDirectory(false)) {
- SHA1 hash;
- hash(cd, cd->length());
- SHA1::Digest digest;
- hash.finish(digest);
- mCDHash.take(makeCFData(digest, sizeof(digest)));
- CODESIGN_STATIC_CDHASH(this, digest, sizeof(digest));
- }
- }
- return mCDHash;
-}
-
-
-//
-// Return the CMS signature blob; NULL if none found.
-//
-CFDataRef SecStaticCode::signature()
-{
- if (!mSignature)
- mSignature.take(mRep->signature());
- if (mSignature)
- return mSignature;
- MacOSError::throwMe(errSecCSUnsigned);
-}
-
-
-//
-// Verify the signature on the CodeDirectory.
-// If this succeeds (doesn't throw), the CodeDirectory is statically trustworthy.
-// Any outcome (successful or not) is cached for the lifetime of the StaticCode.
-//
-void SecStaticCode::validateDirectory()
-{
- // echo previous outcome, if any
- if (!validated())
- try {
- // perform validation (or die trying)
- CODESIGN_EVAL_STATIC_DIRECTORY(this);
- mValidationExpired = verifySignature();
- for (CodeDirectory::SpecialSlot slot = codeDirectory()->maxSpecialSlot(); slot >= 1; --slot)
- if (mCache[slot]) // if we already loaded that resource...
- validateComponent(slot, errorForSlot(slot)); // ... then check it now
- mValidated = true; // we've done the deed...
- mValidationResult = errSecSuccess; // ... and it was good
- } catch (const CommonError &err) {
- mValidated = true;
- mValidationResult = err.osStatus();
- throw;
- } catch (...) {
- secdebug("staticCode", "%p validation threw non-common exception", this);
- mValidated = true;
- mValidationResult = errSecCSInternalError;
- throw;
- }
- assert(validated());
- if (mValidationResult == errSecSuccess) {
- if (mValidationExpired)
- if ((apiFlags() & kSecCSConsiderExpiration)
- || (codeDirectory()->flags & kSecCodeSignatureForceExpiration))
- MacOSError::throwMe(CSSMERR_TP_CERT_EXPIRED);
- } else
- MacOSError::throwMe(mValidationResult);
-}
-
-
-//
-// Load and validate the CodeDirectory and all components *except* those related to the resource envelope.
-// Those latter components are checked by validateResources().
-//
-void SecStaticCode::validateNonResourceComponents()
-{
- this->validateDirectory();
- for (CodeDirectory::SpecialSlot slot = codeDirectory()->maxSpecialSlot(); slot >= 1; --slot)
- switch (slot) {
- case cdResourceDirSlot: // validated by validateResources
- break;
- default:
- this->component(slot); // loads and validates
- break;
- }
-}
-
-
-//
-// Get the (signed) signing date from the code signature.
-// Sadly, we need to validate the signature to get the date (as a side benefit).
-// This means that you can't get the signing time for invalidly signed code.
-//
-// We could run the decoder "almost to" verification to avoid this, but there seems
-// little practical point to such a duplication of effort.
-//
-CFAbsoluteTime SecStaticCode::signingTime()
-{
- validateDirectory();
- return mSigningTime;
-}
-
-CFAbsoluteTime SecStaticCode::signingTimestamp()
-{
- validateDirectory();
- return mSigningTimestamp;
-}
-
-
-//
-// Verify the CMS signature on the CodeDirectory.
-// This performs the cryptographic tango. It returns if the signature is valid,
-// or throws if it is not. As a side effect, a successful return sets up the
-// cached certificate chain for future use.
-// Returns true if the signature is expired (the X.509 sense), false if it's not.
-// Expiration is fatal (throws) if a secure timestamp is included, but not otherwise.
-//
-bool SecStaticCode::verifySignature()
-{
- // ad-hoc signed code is considered validly signed by definition
- if (flag(kSecCodeSignatureAdhoc)) {
- CODESIGN_EVAL_STATIC_SIGNATURE_ADHOC(this);
- return false;
- }
-
- DTRACK(CODESIGN_EVAL_STATIC_SIGNATURE, this, (char*)this->mainExecutablePath().c_str());
-
- // decode CMS and extract SecTrust for verification
- CFRef<CMSDecoderRef> cms;
- MacOSError::check(CMSDecoderCreate(&cms.aref())); // create decoder
- CFDataRef sig = this->signature();
- MacOSError::check(CMSDecoderUpdateMessage(cms, CFDataGetBytePtr(sig), CFDataGetLength(sig)));
- this->codeDirectory(); // load CodeDirectory (sets mDir)
- MacOSError::check(CMSDecoderSetDetachedContent(cms, mDir));
- MacOSError::check(CMSDecoderFinalizeMessage(cms));
- MacOSError::check(CMSDecoderSetSearchKeychain(cms, cfEmptyArray()));
- CFRef<CFTypeRef> policy = verificationPolicy(apiFlags());
- CMSSignerStatus status;
- MacOSError::check(CMSDecoderCopySignerStatus(cms, 0, policy,
- false, &status, &mTrust.aref(), NULL));
- if (status != kCMSSignerValid)
- MacOSError::throwMe(errSecCSSignatureFailed);
-
- // internal signing time (as specified by the signer; optional)
- mSigningTime = 0; // "not present" marker (nobody could code sign on Jan 1, 2001 :-)
- switch (OSStatus rc = CMSDecoderCopySignerSigningTime(cms, 0, &mSigningTime)) {
- case errSecSuccess:
- case errSecSigningTimeMissing:
- break;
- default:
- MacOSError::throwMe(rc);
- }
-
- // certified signing time (as specified by a TSA; optional)
- mSigningTimestamp = 0;
- switch (OSStatus rc = CMSDecoderCopySignerTimestamp(cms, 0, &mSigningTimestamp)) {
- case errSecSuccess:
- case errSecTimestampMissing:
- break;
- default:
- MacOSError::throwMe(rc);
- }
-
- // set up the environment for SecTrust
- MacOSError::check(SecTrustSetAnchorCertificates(mTrust, cfEmptyArray())); // no anchors
- MacOSError::check(SecTrustSetKeychains(mTrust, cfEmptyArray())); // no keychains
- CSSM_APPLE_TP_ACTION_DATA actionData = {
- CSSM_APPLE_TP_ACTION_VERSION, // version of data structure
- CSSM_TP_ACTION_IMPLICIT_ANCHORS // action flags
- };
-
- for (;;) { // at most twice
- MacOSError::check(SecTrustSetParameters(mTrust,
- CSSM_TP_ACTION_DEFAULT, CFTempData(&actionData, sizeof(actionData))));
-
- // evaluate trust and extract results
- SecTrustResultType trustResult;
- MacOSError::check(SecTrustEvaluate(mTrust, &trustResult));
- MacOSError::check(SecTrustGetResult(mTrust, &trustResult, &mCertChain.aref(), &mEvalDetails));
-
- // if this is an Apple developer cert....
- if (teamID() && SecStaticCode::isAppleDeveloperCert(mCertChain)) {
- CFRef<CFStringRef> teamIDFromCert;
- if (CFArrayGetCount(mCertChain) > 0) {
- /* Note that SecCertificateCopySubjectComponent sets the out paramater to NULL if there is no field present */
- MacOSError::check(SecCertificateCopySubjectComponent((SecCertificateRef)CFArrayGetValueAtIndex(mCertChain, Requirement::leafCert),
- &CSSMOID_OrganizationalUnitName,
- &teamIDFromCert.aref()));
-
- if (teamIDFromCert) {
- CFRef<CFStringRef> teamIDFromCD = CFStringCreateWithCString(NULL, teamID(), kCFStringEncodingUTF8);
- if (!teamIDFromCD) {
- MacOSError::throwMe(errSecCSInternalError);
- }
-
- if (CFStringCompare(teamIDFromCert, teamIDFromCD, 0) != kCFCompareEqualTo) {
- Security::Syslog::error("Team identifier in the signing certificate (%s) does not match the team identifier (%s) in the code directory", cfString(teamIDFromCert).c_str(), teamID());
- MacOSError::throwMe(errSecCSSignatureInvalid);
- }
- }
- }
- }
-
- CODESIGN_EVAL_STATIC_SIGNATURE_RESULT(this, trustResult, mCertChain ? (int)CFArrayGetCount(mCertChain) : 0);
- switch (trustResult) {
- case kSecTrustResultProceed:
- case kSecTrustResultUnspecified:
- break; // success
- case kSecTrustResultDeny:
- MacOSError::throwMe(CSSMERR_APPLETP_TRUST_SETTING_DENY); // user reject
- case kSecTrustResultInvalid:
- assert(false); // should never happen
- MacOSError::throwMe(CSSMERR_TP_NOT_TRUSTED);
- default:
- {
- OSStatus result;
- MacOSError::check(SecTrustGetCssmResultCode(mTrust, &result));
- // if we have a valid timestamp, CMS validates against (that) signing time and all is well.
- // If we don't have one, may validate against *now*, and must be able to tolerate expiration.
- if (mSigningTimestamp == 0) // no timestamp available
- if (((result == CSSMERR_TP_CERT_EXPIRED) || (result == CSSMERR_TP_CERT_NOT_VALID_YET))
- && !(actionData.ActionFlags & CSSM_TP_ACTION_ALLOW_EXPIRED)) {
- CODESIGN_EVAL_STATIC_SIGNATURE_EXPIRED(this);
- actionData.ActionFlags |= CSSM_TP_ACTION_ALLOW_EXPIRED; // (this also allows postdated certs)
- continue; // retry validation while tolerating expiration
- }
- MacOSError::throwMe(result);
- }
- }
-
- if (mSigningTimestamp) {
- CFIndex rootix = CFArrayGetCount(mCertChain);
- if (SecCertificateRef mainRoot = SecCertificateRef(CFArrayGetValueAtIndex(mCertChain, rootix-1)))
- if (isAppleCA(mainRoot)) {
- // impose policy: if the signature itself draws to Apple, then so must the timestamp signature
- CFRef<CFArrayRef> tsCerts;
- MacOSError::check(CMSDecoderCopySignerTimestampCertificates(cms, 0, &tsCerts.aref()));
- CFIndex tsn = CFArrayGetCount(tsCerts);
- bool good = tsn > 0 && isAppleCA(SecCertificateRef(CFArrayGetValueAtIndex(tsCerts, tsn-1)));
- if (!good)
- MacOSError::throwMe(CSSMERR_TP_NOT_TRUSTED);
- }
- }
-
- return actionData.ActionFlags & CSSM_TP_ACTION_ALLOW_EXPIRED;
- }
-}
-
-
-//
-// Return the TP policy used for signature verification.
-// This may be a simple SecPolicyRef or a CFArray of policies.
-// The caller owns the return value.
-//
-static SecPolicyRef makeCRLPolicy()
-{
- CFRef<SecPolicyRef> policy;
- MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_CRL, &policy.aref()));
- CSSM_APPLE_TP_CRL_OPTIONS options;
- memset(&options, 0, sizeof(options));
- options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
- options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET | CSSM_TP_ACTION_CRL_SUFFICIENT;
- CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
- MacOSError::check(SecPolicySetValue(policy, &optData));
- return policy.yield();
-}
-
-static SecPolicyRef makeOCSPPolicy()
-{
- CFRef<SecPolicyRef> policy;
- MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_OCSP, &policy.aref()));
- CSSM_APPLE_TP_OCSP_OPTIONS options;
- memset(&options, 0, sizeof(options));
- options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
- options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
- CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
- MacOSError::check(SecPolicySetValue(policy, &optData));
- return policy.yield();
-}
-
-CFTypeRef SecStaticCode::verificationPolicy(SecCSFlags flags)
-{
- CFRef<SecPolicyRef> core;
- MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3,
- &CSSMOID_APPLE_TP_CODE_SIGNING, &core.aref()));
- if (flags & kSecCSEnforceRevocationChecks) {
- CFRef<SecPolicyRef> crl = makeCRLPolicy();
- CFRef<SecPolicyRef> ocsp = makeOCSPPolicy();
- return makeCFArray(3, core.get(), crl.get(), ocsp.get());
- } else {
- return core.yield();
- }
-}
-
-
-//
-// Validate a particular sealed, cached resource against its (special) CodeDirectory slot.
-// The resource must already have been placed in the cache.
-// This does NOT perform basic validation.
-//
-void SecStaticCode::validateComponent(CodeDirectory::SpecialSlot slot, OSStatus fail /* = errSecCSSignatureFailed */)
-{
- assert(slot <= cdSlotMax);
- CFDataRef data = mCache[slot];
- assert(data); // must be cached
- if (data == CFDataRef(kCFNull)) {
- if (codeDirectory()->slotIsPresent(-slot)) // was supposed to be there...
- MacOSError::throwMe(fail); // ... and is missing
- } else {
- if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), CFDataGetLength(data), -slot))
- MacOSError::throwMe(fail);
- }
-}
-
-
-//
-// Perform static validation of the main executable.
-// This reads the main executable from disk and validates it against the
-// CodeDirectory code slot array.
-// Note that this is NOT an in-memory validation, and is thus potentially
-// subject to timing attacks.
-//
-void SecStaticCode::validateExecutable()
-{
- if (!validatedExecutable()) {
- try {
- DTRACK(CODESIGN_EVAL_STATIC_EXECUTABLE, this,
- (char*)this->mainExecutablePath().c_str(), codeDirectory()->nCodeSlots);
- const CodeDirectory *cd = this->codeDirectory();
- if (!cd)
- MacOSError::throwMe(errSecCSUnsigned);
- AutoFileDesc fd(mainExecutablePath(), O_RDONLY);
- fd.fcntl(F_NOCACHE, true); // turn off page caching (one-pass)
- if (Universal *fat = mRep->mainExecutableImage())
- fd.seek(fat->archOffset());
- size_t pageSize = cd->pageSize ? (1 << cd->pageSize) : 0;
- size_t remaining = cd->codeLimit;
- for (uint32_t slot = 0; slot < cd->nCodeSlots; ++slot) {
- size_t size = min(remaining, pageSize);
- if (!cd->validateSlot(fd, size, slot)) {
- CODESIGN_EVAL_STATIC_EXECUTABLE_FAIL(this, (int)slot);
- MacOSError::throwMe(errSecCSSignatureFailed);
- }
- remaining -= size;
- }
- mExecutableValidated = true;
- mExecutableValidResult = errSecSuccess;
- } catch (const CommonError &err) {
- mExecutableValidated = true;
- mExecutableValidResult = err.osStatus();
- throw;
- } catch (...) {
- secdebug("staticCode", "%p executable validation threw non-common exception", this);
- mExecutableValidated = true;
- mExecutableValidResult = errSecCSInternalError;
- throw;
- }
- }
- assert(validatedExecutable());
- if (mExecutableValidResult != errSecSuccess)
- MacOSError::throwMe(mExecutableValidResult);
-}
-
-
-//
-// Perform static validation of sealed resources and nested code.
-//
-// This performs a whole-code static resource scan and effectively
-// computes a concordance between what's on disk and what's in the ResourceDirectory.
-// Any unsanctioned difference causes an error.
-//
-void SecStaticCode::validateResources(SecCSFlags flags)
-{
- // do we have a superset of this requested validation cached?
- bool doit = true;
- if (mResourcesValidated) { // have cached outcome
- if (!(flags & kSecCSCheckNestedCode) || mResourcesDeep) // was deep or need no deep scan
- doit = false;
- }
- if (doit) {
- try {
- // sanity first
- CFDictionaryRef sealedResources = resourceDictionary();
- if (this->resourceBase()) // disk has resources
- if (sealedResources)
- /* go to work below */;
- else
- MacOSError::throwMe(errSecCSResourcesNotFound);
- else // disk has no resources
- if (sealedResources)
- MacOSError::throwMe(errSecCSResourcesNotFound);
- else
- return; // no resources, not sealed - fine (no work)
-
- // found resources, and they are sealed
- DTRACK(CODESIGN_EVAL_STATIC_RESOURCES, this,
- (char*)this->mainExecutablePath().c_str(), 0);
-
- // scan through the resources on disk, checking each against the resourceDirectory
- mResourcesValidContext = new CollectingContext(*this); // collect all failures in here
- CFDictionaryRef rules;
- CFDictionaryRef files;
- uint32_t version;
- if (CFDictionaryGetValue(sealedResources, CFSTR("files2"))) { // have V2 signature
- rules = cfget<CFDictionaryRef>(sealedResources, "rules2");
- files = cfget<CFDictionaryRef>(sealedResources, "files2");
- version = 2;
- } else { // only V1 available
- rules = cfget<CFDictionaryRef>(sealedResources, "rules");
- files = cfget<CFDictionaryRef>(sealedResources, "files");
- version = 1;
- }
- if (!rules || !files)
- MacOSError::throwMe(errSecCSResourcesInvalid);
- // check for weak resource rules
- bool strict = flags & kSecCSStrictValidate;
- if (strict && (version == 1 || hasWeakResourceRules(rules, mAllowOmissions)))
- if (mTolerateErrors.find(errSecCSWeakResourceRules) == mTolerateErrors.end())
- MacOSError::throwMe(errSecCSWeakResourceRules);
- __block CFRef<CFMutableDictionaryRef> resourceMap = makeCFMutableDictionary(files);
- string base = cfString(this->resourceBase());
- ResourceBuilder resources(base, base, rules, codeDirectory()->hashType, strict, mTolerateErrors);
- diskRep()->adjustResources(resources);
- resources.scan(^(FTSENT *ent, uint32_t ruleFlags, const char *relpath, ResourceBuilder::Rule *rule) {
- validateResource(files, relpath, ent->fts_info == FTS_SL, *mResourcesValidContext, flags, version);
- CFDictionaryRemoveValue(resourceMap, CFTempString(relpath));
- });
-
- if (CFDictionaryGetCount(resourceMap) > 0) {
- secdebug("staticCode", "%p sealed resource(s) not found in code", this);
- CFDictionaryApplyFunction(resourceMap, SecStaticCode::checkOptionalResource, mResourcesValidContext);
- }
-
- // now check for any errors found in the reporting context
- mResourcesValidated = true;
- mResourcesDeep = flags & kSecCSCheckNestedCode;
- if (mResourcesValidContext->osStatus() != errSecSuccess)
- mResourcesValidContext->throwMe();
- } catch (const CommonError &err) {
- mResourcesValidated = true;
- mResourcesDeep = flags & kSecCSCheckNestedCode;
- mResourcesValidResult = err.osStatus();
- throw;
- } catch (...) {
- secdebug("staticCode", "%p executable validation threw non-common exception", this);
- mResourcesValidated = true;
- mResourcesDeep = flags & kSecCSCheckNestedCode;
- mResourcesValidResult = errSecCSInternalError;
- throw;
- }
- }
- assert(validatedResources());
- if (mResourcesValidResult)
- MacOSError::throwMe(mResourcesValidResult);
- if (mResourcesValidContext->osStatus() != errSecSuccess)
- mResourcesValidContext->throwMe();
-}
-
-
-void SecStaticCode::checkOptionalResource(CFTypeRef key, CFTypeRef value, void *context)
-{
- CollectingContext *ctx = static_cast<CollectingContext *>(context);
- ResourceSeal seal(value);
- if (!seal.optional()) {
- if (key && CFGetTypeID(key) == CFStringGetTypeID()) {
- ctx->reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing,
- CFTempURL(CFStringRef(key), false, ctx->code.resourceBase()));
- } else {
- ctx->reportProblem(errSecCSBadResource, kSecCFErrorResourceSeal, key);
- }
- }
-}
-
-
-static bool isOmitRule(CFTypeRef value)
-{
- if (CFGetTypeID(value) == CFBooleanGetTypeID())
- return value == kCFBooleanFalse;
- CFDictionary rule(value, errSecCSResourceRulesInvalid);
- return rule.get<CFBooleanRef>("omit") == kCFBooleanTrue;
-}
-
-bool SecStaticCode::hasWeakResourceRules(CFDictionaryRef rulesDict, CFArrayRef allowedOmissions)
-{
- // compute allowed omissions
- CFRef<CFArrayRef> defaultOmissions = this->diskRep()->allowedResourceOmissions();
- assert(defaultOmissions);
- CFRef<CFMutableArrayRef> allowed = CFArrayCreateMutableCopy(NULL, 0, defaultOmissions);
- if (allowedOmissions)
- CFArrayAppendArray(allowed, allowedOmissions, CFRangeMake(0, CFArrayGetCount(allowedOmissions)));
- CFRange range = CFRangeMake(0, CFArrayGetCount(allowed));
-
- // check all resource rules for weakness
- __block bool coversAll = false;
- __block bool forbiddenOmission = false;
- CFDictionary rules(rulesDict, errSecCSResourceRulesInvalid);
- rules.apply(^(CFStringRef key, CFTypeRef value) {
- string pattern = cfString(key, errSecCSResourceRulesInvalid);
- if (pattern == "^.*" && value == kCFBooleanTrue) {
- coversAll = true;
- return;
- }
- if (isOmitRule(value))
- forbiddenOmission |= !CFArrayContainsValue(allowed, range, key);
- });
-
- return !coversAll || forbiddenOmission;
-}
-
-
-//
-// Load, validate, cache, and return CFDictionary forms of sealed resources.
-//
-CFDictionaryRef SecStaticCode::infoDictionary()
-{
- if (!mInfoDict) {
- mInfoDict.take(getDictionary(cdInfoSlot, errSecCSInfoPlistFailed));
- secdebug("staticCode", "%p loaded InfoDict %p", this, mInfoDict.get());
- }
- return mInfoDict;
-}
-
-CFDictionaryRef SecStaticCode::entitlements()
-{
- if (!mEntitlements) {
- validateDirectory();
- if (CFDataRef entitlementData = component(cdEntitlementSlot)) {
- validateComponent(cdEntitlementSlot);
- const EntitlementBlob *blob = reinterpret_cast<const EntitlementBlob *>(CFDataGetBytePtr(entitlementData));
- if (blob->validateBlob()) {
- mEntitlements.take(blob->entitlements());
- secdebug("staticCode", "%p loaded Entitlements %p", this, mEntitlements.get());
- }
- // we do not consider a different blob type to be an error. We think it's a new format we don't understand
- }
- }
- return mEntitlements;
-}
-
-CFDictionaryRef SecStaticCode::resourceDictionary(bool check /* = true */)
-{
- if (mResourceDict) // cached
- return mResourceDict;
- if (CFRef<CFDictionaryRef> dict = getDictionary(cdResourceDirSlot, check))
- if (cfscan(dict, "{rules=%Dn,files=%Dn}")) {
- secdebug("staticCode", "%p loaded ResourceDict %p",
- this, mResourceDict.get());
- return mResourceDict = dict;
- }
- // bad format
- return NULL;
-}
-
-
-//
-// Load and cache the resource directory base.
-// Note that the base is optional for each DiskRep.
-//
-CFURLRef SecStaticCode::resourceBase()
-{
- if (!mGotResourceBase) {
- string base = mRep->resourcesRootPath();
- if (!base.empty())
- mResourceBase.take(makeCFURL(base, true));
- mGotResourceBase = true;
- }
- return mResourceBase;
-}
-
-
-//
-// Load a component, validate it, convert it to a CFDictionary, and return that.
-// This will force load and validation, which means that it will perform basic
-// validation if it hasn't been done yet.
-//
-CFDictionaryRef SecStaticCode::getDictionary(CodeDirectory::SpecialSlot slot, bool check /* = true */)
-{
- if (check)
- validateDirectory();
- if (CFDataRef infoData = component(slot)) {
- validateComponent(slot);
- if (CFDictionaryRef dict = makeCFDictionaryFrom(infoData))
- return dict;
- else
- MacOSError::throwMe(errSecCSBadDictionaryFormat);
- }
- return NULL;
-}
-
-
-//
-// Load, validate, and return a sealed resource.
-// The resource data (loaded in to memory as a blob) is returned and becomes
-// the responsibility of the caller; it is NOT cached by SecStaticCode.
-//
-// A resource that is not sealed will not be returned, and an error will be thrown.
-// A missing resource will cause an error unless it's marked optional in the Directory.
-// Under no circumstances will a corrupt resource be returned.
-// NULL will only be returned for a resource that is neither sealed nor present
-// (or that is sealed, absent, and marked optional).
-// If the ResourceDictionary itself is not sealed, this function will always fail.
-//
-// There is currently no interface for partial retrieval of the resource data.
-// (Since the ResourceDirectory does not currently support segmentation, all the
-// data would have to be read anyway, but it could be read into a reusable buffer.)
-//
-CFDataRef SecStaticCode::resource(string path, ValidationContext &ctx)
-{
- if (CFDictionaryRef rdict = resourceDictionary()) {
- if (CFTypeRef file = cfget(rdict, "files.%s", path.c_str())) {
- ResourceSeal seal = file;
- if (!resourceBase()) // no resources in DiskRep
- MacOSError::throwMe(errSecCSResourcesNotFound);
- if (seal.nested())
- MacOSError::throwMe(errSecCSResourcesNotSealed); // (it's nested code)
- CFRef<CFURLRef> fullpath = makeCFURL(path, false, resourceBase());
- if (CFRef<CFDataRef> data = cfLoadFile(fullpath)) {
- MakeHash<CodeDirectory> hasher(this->codeDirectory());
- hasher->update(CFDataGetBytePtr(data), CFDataGetLength(data));
- if (hasher->verify(seal.hash()))
- return data.yield(); // good
- else
- ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered
- } else {
- if (!seal.optional())
- ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, fullpath); // was sealed but is now missing
- else
- return NULL; // validly missing
- }
- } else
- ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAdded, CFTempURL(path, false, resourceBase()));
- return NULL;
- } else
- MacOSError::throwMe(errSecCSResourcesNotSealed);
-}
-
-CFDataRef SecStaticCode::resource(string path)
-{
- ValidationContext ctx;
- return resource(path, ctx);
-}
-
-
-void SecStaticCode::validateResource(CFDictionaryRef files, string path, bool isSymlink, ValidationContext &ctx, SecCSFlags flags, uint32_t version)
-{
- if (!resourceBase()) // no resources in DiskRep
- MacOSError::throwMe(errSecCSResourcesNotFound);
- CFRef<CFURLRef> fullpath = makeCFURL(path, false, resourceBase());
- if (CFTypeRef file = CFDictionaryGetValue(files, CFTempString(path))) {
- ResourceSeal seal = file;
- if (seal.nested()) {
- if (isSymlink)
- return ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type
- string suffix = ".framework";
- bool isFramework = (path.length() > suffix.length())
- && (path.compare(path.length()-suffix.length(), suffix.length(), suffix) == 0);
- validateNestedCode(fullpath, seal, flags, isFramework);
- } else if (seal.link()) {
- char target[PATH_MAX];
- ssize_t len = ::readlink(cfString(fullpath).c_str(), target, sizeof(target)-1);
- if (len < 0)
- UnixError::check(-1);
- target[len] = '\0';
- if (cfString(seal.link()) != target)
- ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath);
- } else if (seal.hash()) { // genuine file
- AutoFileDesc fd(cfString(fullpath), O_RDONLY, FileDesc::modeMissingOk); // open optional file
- if (fd) {
- MakeHash<CodeDirectory> hasher(this->codeDirectory());
- hashFileData(fd, hasher.get());
- if (hasher->verify(seal.hash()))
- return; // verify good
- else
- ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered
- } else {
- if (!seal.optional())
- ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, fullpath); // was sealed but is now missing
- else
- return; // validly missing
- }
- } else
- ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type
- return;
- }
- if (version == 1) { // version 1 ignores symlinks altogether
- char target[PATH_MAX];
- if (::readlink(cfString(fullpath).c_str(), target, sizeof(target)) > 0)
- return;
- }
- ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAdded, CFTempURL(path, false, resourceBase()));
-}
-
-void SecStaticCode::validateNestedCode(CFURLRef path, const ResourceSeal &seal, SecCSFlags flags, bool isFramework)
-{
- CFRef<SecRequirementRef> req;
- if (SecRequirementCreateWithString(seal.requirement(), kSecCSDefaultFlags, &req.aref()))
- MacOSError::throwMe(errSecCSResourcesInvalid);
-
- // recursively verify this nested code
- try {
- if (!(flags & kSecCSCheckNestedCode))
- flags |= kSecCSBasicValidateOnly;
- SecPointer<SecStaticCode> code = new SecStaticCode(DiskRep::bestGuess(cfString(path)));
- code->setMonitor(this->monitor());
- code->staticValidate(flags, SecRequirement::required(req));
-
- if (isFramework && (flags & kSecCSStrictValidate))
- try {
- validateOtherVersions(path, flags, req, code);
- } catch (const CSError &err) {
- MacOSError::throwMe(errSecCSBadFrameworkVersion);
- } catch (const MacOSError &err) {
- MacOSError::throwMe(errSecCSBadFrameworkVersion);
- }
-
- } catch (CSError &err) {
- if (err.error == errSecCSReqFailed) {
- mResourcesValidContext->reportProblem(errSecCSBadNestedCode, kSecCFErrorResourceAltered, path);
- return;
- }
- err.augment(kSecCFErrorPath, path);
- throw;
- } catch (const MacOSError &err) {
- if (err.error == errSecCSReqFailed) {
- mResourcesValidContext->reportProblem(errSecCSBadNestedCode, kSecCFErrorResourceAltered, path);
- return;
- }
- CSError::throwMe(err.error, kSecCFErrorPath, path);
- }
-}
-
-void SecStaticCode::validateOtherVersions(CFURLRef path, SecCSFlags flags, SecRequirementRef req, SecStaticCode *code)
-{
- // Find out what current points to and do not revalidate
- std::string mainPath = cfStringRelease(code->diskRep()->copyCanonicalPath());
-
- char main_path[PATH_MAX];
- bool foundTarget = false;
-
- /* If it failed to get the target of the symlink, do not fail. It is a performance loss,
- not a security hole */
- if (realpath(mainPath.c_str(), main_path) != NULL)
- foundTarget = true;
-
- std::ostringstream versionsPath;
- versionsPath << cfString(path) << "/Versions/";
-
- DirScanner scanner(versionsPath.str());
-
- if (scanner.initialized()) {
- struct dirent *entry = NULL;
- while ((entry = scanner.getNext()) != NULL) {
- std::ostringstream fullPath;
-
- if (entry->d_type != DT_DIR ||
- strcmp(entry->d_name, ".") == 0 ||
- strcmp(entry->d_name, "..") == 0 ||
- strcmp(entry->d_name, "Current") == 0)
- continue;
-
- fullPath << versionsPath.str() << entry->d_name;
-
- char real_full_path[PATH_MAX];
- if (realpath(fullPath.str().c_str(), real_full_path) == NULL)
- UnixError::check(-1);
-
- // Do case insensitive comparions because realpath() was called for both paths
- if (foundTarget && strcmp(main_path, real_full_path) == 0)
- continue;
-
- SecPointer<SecStaticCode> frameworkVersion = new SecStaticCode(DiskRep::bestGuess(real_full_path));
- frameworkVersion->setMonitor(this->monitor());
- frameworkVersion->staticValidate(flags, SecRequirement::required(req));
- }
- }
-}
-
-
-//
-// Test a CodeDirectory flag.
-// Returns false if there is no CodeDirectory.
-// May throw if the CodeDirectory is present but somehow invalid.
-//
-bool SecStaticCode::flag(uint32_t tested)
-{
- if (const CodeDirectory *cd = this->codeDirectory(false))
- return cd->flags & tested;
- else
- return false;
-}
-
-
-//
-// Retrieve the full SuperBlob containing all internal requirements.
-//
-const Requirements *SecStaticCode::internalRequirements()
-{
- if (CFDataRef reqData = component(cdRequirementsSlot)) {
- const Requirements *req = (const Requirements *)CFDataGetBytePtr(reqData);
- if (!req->validateBlob())
- MacOSError::throwMe(errSecCSReqInvalid);
- return req;
- } else
- return NULL;
-}
-
-
-//
-// Retrieve a particular internal requirement by type.
-//
-const Requirement *SecStaticCode::internalRequirement(SecRequirementType type)
-{
- if (const Requirements *reqs = internalRequirements())
- return reqs->find<Requirement>(type);
- else
- return NULL;
-}
-
-
-//
-// Return the Designated Requirement (DR). This can be either explicit in the
-// Internal Requirements component, or implicitly generated on demand here.
-// Note that an explicit DR may have been implicitly generated at signing time;
-// we don't distinguish this case.
-//
-const Requirement *SecStaticCode::designatedRequirement()
-{
- if (const Requirement *req = internalRequirement(kSecDesignatedRequirementType)) {
- return req; // explicit in signing data
- } else {
- if (!mDesignatedReq)
- mDesignatedReq = defaultDesignatedRequirement();
- return mDesignatedReq;
- }
-}
-
-
-//
-// Generate the default Designated Requirement (DR) for this StaticCode.
-// Ignore any explicit DR it may contain.
-//
-const Requirement *SecStaticCode::defaultDesignatedRequirement()
-{
- if (flag(kSecCodeSignatureAdhoc)) {
- // adhoc signature: return a cdhash requirement for all architectures
- __block Requirement::Maker maker;
- Requirement::Maker::Chain chain(maker, opOr);
-
- // insert cdhash requirement for all architectures
- chain.add();
- maker.cdhash(this->cdHash());
- handleOtherArchitectures(^(SecStaticCode *subcode) {
- if (CFDataRef cdhash = subcode->cdHash()) {
- chain.add();
- maker.cdhash(cdhash);
- }
- });
- return maker.make();
- } else {
- // full signature: Gin up full context and let DRMaker do its thing
- validateDirectory(); // need the cert chain
- Requirement::Context context(this->certificates(),
- this->infoDictionary(),
- this->entitlements(),
- this->identifier(),
- this->codeDirectory()
- );
- return DRMaker(context).make();
- }
-}
-
-
-//
-// Validate a SecStaticCode against the internal requirement of a particular type.
-//
-void SecStaticCode::validateRequirements(SecRequirementType type, SecStaticCode *target,
- OSStatus nullError /* = errSecSuccess */)
-{
- DTRACK(CODESIGN_EVAL_STATIC_INTREQ, this, type, target, nullError);
- if (const Requirement *req = internalRequirement(type))
- target->validateRequirement(req, nullError ? nullError : errSecCSReqFailed);
- else if (nullError)
- MacOSError::throwMe(nullError);
- else
- /* accept it */;
-}
-
-
-//
-// Validate this StaticCode against an external Requirement
-//
-bool SecStaticCode::satisfiesRequirement(const Requirement *req, OSStatus failure)
-{
- assert(req);
- validateDirectory();
- return req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(), codeDirectory()->identifier(), codeDirectory()), failure);
-}
-
-void SecStaticCode::validateRequirement(const Requirement *req, OSStatus failure)
-{
- if (!this->satisfiesRequirement(req, failure))
- MacOSError::throwMe(failure);
-}
-
-
-//
-// Retrieve one certificate from the cert chain.
-// Positive and negative indices can be used:
-// [ leaf, intermed-1, ..., intermed-n, anchor ]
-// 0 1 ... -2 -1
-// Returns NULL if unavailable for any reason.
-//
-SecCertificateRef SecStaticCode::cert(int ix)
-{
- validateDirectory(); // need cert chain
- if (mCertChain) {
- CFIndex length = CFArrayGetCount(mCertChain);
- if (ix < 0)
- ix += length;
- if (ix >= 0 && ix < length)
- return SecCertificateRef(CFArrayGetValueAtIndex(mCertChain, ix));
- }
- return NULL;
-}
-
-CFArrayRef SecStaticCode::certificates()
-{
- validateDirectory(); // need cert chain
- return mCertChain;
-}
-
-
-//
-// Gather (mostly) API-official information about this StaticCode.
-//
-// This method lives in the twilight between the API and internal layers,
-// since it generates API objects (Sec*Refs) for return.
-//
-CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags)
-{
- //
- // Start with the pieces that we return even for unsigned code.
- // This makes Sec[Static]CodeRefs useful as API-level replacements
- // of our internal OSXCode objects.
- //
- CFRef<CFMutableDictionaryRef> dict = makeCFMutableDictionary(1,
- kSecCodeInfoMainExecutable, CFTempURL(this->mainExecutablePath()).get()
- );
-
- //
- // If we're not signed, this is all you get
- //
- if (!this->isSigned())
- return dict.yield();
-
- //
- // Add the generic attributes that we always include
- //
- CFDictionaryAddValue(dict, kSecCodeInfoIdentifier, CFTempString(this->identifier()));
- CFDictionaryAddValue(dict, kSecCodeInfoFlags, CFTempNumber(this->codeDirectory(false)->flags.get()));
- CFDictionaryAddValue(dict, kSecCodeInfoFormat, CFTempString(this->format()));
- CFDictionaryAddValue(dict, kSecCodeInfoSource, CFTempString(this->signatureSource()));
- CFDictionaryAddValue(dict, kSecCodeInfoUnique, this->cdHash());
- CFDictionaryAddValue(dict, kSecCodeInfoDigestAlgorithm, CFTempNumber(this->codeDirectory(false)->hashType));
-
- //
- // Deliver any Info.plist only if it looks intact
- //
- try {
- if (CFDictionaryRef info = this->infoDictionary())
- CFDictionaryAddValue(dict, kSecCodeInfoPList, info);
- } catch (...) { } // don't deliver Info.plist if questionable
-
- //
- // kSecCSSigningInformation adds information about signing certificates and chains
- //
- if (flags & kSecCSSigningInformation)
- try {
- if (CFArrayRef certs = this->certificates())
- CFDictionaryAddValue(dict, kSecCodeInfoCertificates, certs);
- if (CFDataRef sig = this->signature())
- CFDictionaryAddValue(dict, kSecCodeInfoCMS, sig);
- if (mTrust)
- CFDictionaryAddValue(dict, kSecCodeInfoTrust, mTrust);
- if (CFAbsoluteTime time = this->signingTime())
- if (CFRef<CFDateRef> date = CFDateCreate(NULL, time))
- CFDictionaryAddValue(dict, kSecCodeInfoTime, date);
- if (CFAbsoluteTime time = this->signingTimestamp())
- if (CFRef<CFDateRef> date = CFDateCreate(NULL, time))
- CFDictionaryAddValue(dict, kSecCodeInfoTimestamp, date);
- if (const char *teamID = this->teamID())
- CFDictionaryAddValue(dict, kSecCodeInfoTeamIdentifier, CFTempString(teamID));
- } catch (...) { }
-
- //
- // kSecCSRequirementInformation adds information on requirements
- //
- if (flags & kSecCSRequirementInformation)
- try {
- if (const Requirements *reqs = this->internalRequirements()) {
- CFDictionaryAddValue(dict, kSecCodeInfoRequirements,
- CFTempString(Dumper::dump(reqs)));
- CFDictionaryAddValue(dict, kSecCodeInfoRequirementData, CFTempData(*reqs));
- }
-
- const Requirement *dreq = this->designatedRequirement();
- CFRef<SecRequirementRef> dreqRef = (new SecRequirement(dreq))->handle();
- CFDictionaryAddValue(dict, kSecCodeInfoDesignatedRequirement, dreqRef);
- if (this->internalRequirement(kSecDesignatedRequirementType)) { // explicit
- CFRef<SecRequirementRef> ddreqRef = (new SecRequirement(this->defaultDesignatedRequirement(), true))->handle();
- CFDictionaryAddValue(dict, kSecCodeInfoImplicitDesignatedRequirement, ddreqRef);
- } else { // implicit
- CFDictionaryAddValue(dict, kSecCodeInfoImplicitDesignatedRequirement, dreqRef);
- }
- } catch (...) { }
-
- try {
- if (CFDataRef ent = this->component(cdEntitlementSlot)) {
- CFDictionaryAddValue(dict, kSecCodeInfoEntitlements, ent);
- if (CFDictionaryRef entdict = this->entitlements())
- CFDictionaryAddValue(dict, kSecCodeInfoEntitlementsDict, entdict);
- }
- } catch (...) { }
-
- //
- // kSecCSInternalInformation adds internal information meant to be for Apple internal
- // use (SPI), and not guaranteed to be stable. Primarily, this is data we want
- // to reliably transmit through the API wall so that code outside the Security.framework
- // can use it without having to play nasty tricks to get it.
- //
- if (flags & kSecCSInternalInformation)
- try {
- if (mDir)
- CFDictionaryAddValue(dict, kSecCodeInfoCodeDirectory, mDir);
- CFDictionaryAddValue(dict, kSecCodeInfoCodeOffset, CFTempNumber(mRep->signingBase()));
- if (CFRef<CFDictionaryRef> rdict = getDictionary(cdResourceDirSlot, false)) // suppress validation
- CFDictionaryAddValue(dict, kSecCodeInfoResourceDirectory, rdict);
- } catch (...) { }
-
-
- //
- // kSecCSContentInformation adds more information about the physical layout
- // of the signed code. This is (only) useful for packaging or patching-oriented
- // applications.
- //
- if (flags & kSecCSContentInformation)
- if (CFRef<CFArrayRef> files = mRep->modifiedFiles())
- CFDictionaryAddValue(dict, kSecCodeInfoChangedFiles, files);
-
- return dict.yield();
-}
-
-
-//
-// Resource validation contexts.
-// The default context simply throws a CSError, rudely terminating the operation.
-//
-SecStaticCode::ValidationContext::~ValidationContext()
-{ /* virtual */ }
-
-void SecStaticCode::ValidationContext::reportProblem(OSStatus rc, CFStringRef type, CFTypeRef value)
-{
- CSError::throwMe(rc, type, value);
-}
-
-void SecStaticCode::CollectingContext::reportProblem(OSStatus rc, CFStringRef type, CFTypeRef value)
-{
- if (mStatus == errSecSuccess)
- mStatus = rc; // record first failure for eventual error return
- if (type) {
- if (!mCollection)
- mCollection.take(makeCFMutableDictionary());
- CFMutableArrayRef element = CFMutableArrayRef(CFDictionaryGetValue(mCollection, type));
- if (!element) {
- element = makeCFMutableArray(0);
- if (!element)
- CFError::throwMe();
- CFDictionaryAddValue(mCollection, type, element);
- CFRelease(element);
- }
- CFArrayAppendValue(element, value);
- }
-}
-
-void SecStaticCode::CollectingContext::throwMe()
-{
- assert(mStatus != errSecSuccess);
- throw CSError(mStatus, mCollection.retain());
-}
-
-
-//
-// Master validation driver.
-// This is the static validation (only) driver for the API.
-//
-// SecStaticCode exposes an à la carte menu of topical validators applying
-// to a given object. The static validation API pulls the together reliably,
-// but it also adds two matrix dimensions: architecture (for "fat" Mach-O binaries)
-// and nested code. This function will crawl a suitable cross-section of this
-// validation matrix based on which options it is given, creating temporary
-// SecStaticCode objects on the fly to complete the task.
-// (The point, of course, is to do as little duplicate work as possible.)
-//
-void SecStaticCode::staticValidate(SecCSFlags flags, const SecRequirement *req)
-{
- // core components: once per architecture (if any)
- this->staticValidateCore(flags, req);
- if (flags & kSecCSCheckAllArchitectures)
- handleOtherArchitectures(^(SecStaticCode* subcode) {
- subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) architecture
- subcode->staticValidateCore(flags, req);
- });
-
- // allow monitor intervention in source validation phase
- reportEvent(CFSTR("prepared"), NULL);
-
- // resources: once for all architectures
- if (!(flags & kSecCSDoNotValidateResources))
- this->validateResources(flags);
-
- // perform strict validation if desired
- if (flags & kSecCSStrictValidate)
- mRep->strictValidate(mTolerateErrors);
-
- // allow monitor intervention
- if (CFRef<CFTypeRef> veto = reportEvent(CFSTR("validated"), NULL)) {
- if (CFGetTypeID(veto) == CFNumberGetTypeID())
- MacOSError::throwMe(cfNumber<OSStatus>(veto.as<CFNumberRef>()));
- else
- MacOSError::throwMe(errSecCSBadCallbackValue);
- }
-}
-
-void SecStaticCode::staticValidateCore(SecCSFlags flags, const SecRequirement *req)
-{
- try {
- this->validateNonResourceComponents(); // also validates the CodeDirectory
- if (!(flags & kSecCSDoNotValidateExecutable))
- this->validateExecutable();
- if (req)
- this->validateRequirement(req->requirement(), errSecCSReqFailed);
- } catch (CSError &err) {
- if (Universal *fat = this->diskRep()->mainExecutableImage()) // Mach-O
- if (MachO *mach = fat->architecture()) {
- err.augment(kSecCFErrorArchitecture, CFTempString(mach->architecture().displayName()));
- delete mach;
- }
- throw;
- } catch (const MacOSError &err) {
- // add architecture information if we can get it
- if (Universal *fat = this->diskRep()->mainExecutableImage())
- if (MachO *mach = fat->architecture()) {
- CFTempString arch(mach->architecture().displayName());
- delete mach;
- CSError::throwMe(err.error, kSecCFErrorArchitecture, arch);
- }
- throw;
- }
-}
-
-
-//
-// A helper that generates SecStaticCode objects for all but the primary architecture
-// of a fat binary and calls a block on them.
-// If there's only one architecture (or this is an architecture-agnostic code),
-// nothing happens quickly.
-//
-void SecStaticCode::handleOtherArchitectures(void (^handle)(SecStaticCode* other))
-{
- if (Universal *fat = this->diskRep()->mainExecutableImage()) {
- Universal::Architectures architectures;
- fat->architectures(architectures);
- if (architectures.size() > 1) {
- DiskRep::Context ctx;
- size_t activeOffset = fat->archOffset();
- for (Universal::Architectures::const_iterator arch = architectures.begin(); arch != architectures.end(); ++arch) {
- ctx.offset = fat->archOffset(*arch);
- if (ctx.offset > SIZE_MAX)
- MacOSError::throwMe(errSecCSInternalError);
- ctx.size = fat->lengthOfSlice((size_t)ctx.offset);
- if (ctx.offset != activeOffset) { // inactive architecture; check it
- SecPointer<SecStaticCode> subcode = new SecStaticCode(DiskRep::bestGuess(this->mainExecutablePath(), &ctx));
- subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) detached signature
- if (this->teamID() == NULL || subcode->teamID() == NULL) {
- if (this->teamID() != subcode->teamID())
- MacOSError::throwMe(errSecCSSignatureInvalid);
- } else if (strcmp(this->teamID(), subcode->teamID()) != 0)
- MacOSError::throwMe(errSecCSSignatureInvalid);
- handle(subcode);
- }
- }
- }
- }
-}
-
-//
-// A method that takes a certificate chain (certs) and evaluates
-// if it is a Mac or IPhone developer cert, an app store distribution cert,
-// or a developer ID
-//
-bool SecStaticCode::isAppleDeveloperCert(CFArrayRef certs)
-{
- static const std::string appleDeveloperRequirement = "(" + std::string(WWDRRequirement) + ") or (" + developerID + ") or (" + distributionCertificate + ") or (" + iPhoneDistributionCert + ")";
- SecRequirement *req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true);
- Requirement::Context ctx(certs, NULL, NULL, "", NULL);
-
- return req->requirement()->validates(ctx);
-}
-
-} // end namespace CodeSigning
-} // end namespace Security
projects / apple / security.git / blobdiff