-/*
- * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-//
-// csutilities - miscellaneous utilities for the code signing implementation
-//
-// This is a collection of odds and ends that wouldn't fit anywhere else.
-// The common theme is that the contents are otherwise naturally homeless.
-//
-#ifndef _H_CSUTILITIES
-#define _H_CSUTILITIES
-
-#include <Security/Security.h>
-#include <security_utilities/hashing.h>
-#include <security_utilities/unix++.h>
-#include <security_cdsa_utilities/cssmdata.h>
-#include <copyfile.h>
-#include <asl.h>
-#include <cstdarg>
-
-namespace Security {
-namespace CodeSigning {
-
-
-//
-// Test for the canonical Apple CA certificate
-//
-bool isAppleCA(SecCertificateRef cert);
-bool isAppleCA(const Hashing::Byte *sha1);
-
-
-//
-// Calculate canonical hashes of certificate.
-// This is simply defined as (always) the SHA1 hash of the DER.
-//
-void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest);
-void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest);
-bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest);
-
-
-//
-// Calculate hashes of (a section of) a file.
-// Starts at the current file position.
-// Extends to end of file, or (if limit > 0) at most limit bytes.
-// Returns number of bytes digested.
-//
-template <class _Hash>
-size_t hashFileData(UnixPlusPlus::FileDesc fd, _Hash *hasher, size_t limit = 0)
-{
- unsigned char buffer[4096];
- size_t total = 0;
- for (;;) {
- size_t size = sizeof(buffer);
- if (limit && limit < size)
- size = limit;
- size_t got = fd.read(buffer, size);
- total += got;
- if (fd.atEnd())
- break;
- hasher->update(buffer, got);
- if (limit && (limit -= got) == 0)
- break;
- }
- return total;
-}
-
-template <class _Hash>
-size_t hashFileData(const char *path, _Hash *hasher)
-{
- UnixPlusPlus::AutoFileDesc fd(path);
- return hashFileData(fd, hasher);
-}
-
-
-//
-// Check to see if a certificate contains a particular field, by OID. This works for extensions,
-// even ones not recognized by the local CL. It does not return any value, only presence.
-//
-bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid);
-bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid);
-
-
-//
-// Encapsulation of the copyfile(3) API.
-// This is slated to go into utilities once stable.
-//
-class Copyfile {
-public:
- Copyfile();
- ~Copyfile() { copyfile_state_free(mState); }
-
- operator copyfile_state_t () const { return mState; }
-
- void set(uint32_t flag, const void *value);
- void get(uint32_t flag, void *value);
-
- void operator () (const char *src, const char *dst, copyfile_flags_t flags);
-
-private:
- void check(int rc);
-
-private:
- copyfile_state_t mState;
-};
-
-
-//
-// MessageTracer support
-//
-class MessageTrace {
-public:
- MessageTrace(const char *domain, const char *signature);
- ~MessageTrace() { ::asl_free(mAsl); }
- void add(const char *key, const char *format, ...);
- void send(const char *format, ...);
-
-private:
- aslmsg mAsl;
-};
-
-
-//
-// A reliable uid set/reset bracket
-//
-class UidGuard {
-public:
- UidGuard() : mPrevious(-1) { }
- UidGuard(uid_t uid) : mPrevious(-1) { seteuid(uid); }
- ~UidGuard()
- {
- if (active())
- UnixError::check(::seteuid(mPrevious));
- }
-
- bool seteuid(uid_t uid)
- {
- if (uid == geteuid())
- return true; // no change, don't bother the kernel
- if (!active())
- mPrevious = ::geteuid();
- return ::seteuid(uid) == 0;
- }
-
- bool active() const { return mPrevious != uid_t(-1); }
- operator bool () const { return active(); }
- uid_t saved() const { assert(active()); return mPrevious; }
-
-private:
- uid_t mPrevious;
-};
-
-
-} // end namespace CodeSigning
-} // end namespace Security
-
-#endif // !_H_CSUTILITIES
projects / apple / security.git / blobdiff