+++ /dev/null
-/*
- * Copyright (c) 2012 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-//
-// drmaker - create automatic Designated Requirements
-//
-#include "drmaker.h"
-#include "csutilities.h"
-#include <Security/oidsbase.h>
-#include <Security/SecCertificatePriv.h>
-//#include <Security/cssmapplePriv.h>
-
-namespace Security {
-namespace CodeSigning {
-
-
-static const uint8_t adcSdkMarker[] = { APPLE_EXTENSION_OID, 2, 1 }; // iOS intermediate marker
-const CSSM_DATA adcSdkMarkerOID = { sizeof(adcSdkMarker), (uint8_t *)adcSdkMarker };
-
-static const uint8_t caspianSdkMarker[] = { APPLE_EXTENSION_OID, 2, 6 }; // Caspian intermediate marker
-const CSSM_DATA devIdSdkMarkerOID = { sizeof(caspianSdkMarker), (uint8_t *)caspianSdkMarker };
-static const uint8_t caspianLeafMarker[] = { APPLE_EXTENSION_OID, 1, 13 }; // Caspian leaf certificate marker
-const CSSM_DATA devIdLeafMarkerOID = { sizeof(caspianLeafMarker), (uint8_t *)caspianLeafMarker };
-
-
-
-DRMaker::DRMaker(const Requirement::Context &context)
- : ctx(context)
-{
-}
-
-DRMaker::~DRMaker()
-{
-}
-
-
-//
-// Generate the default (implicit) Designated Requirement for this StaticCode.
-// This is a heuristic of sorts, and may change over time (for the better, we hope).
-//
-Requirement *DRMaker::make()
-{
- // we can't make an explicit DR for a (proposed) ad-hoc signing because that requires the CodeDirectory (which we ain't got yet)
- if (ctx.certCount() == 0)
- return NULL;
-
- // always require the identifier
- this->put(opAnd);
- this->ident(ctx.identifier);
-
- SHA1::Digest anchorHash;
- hashOfCertificate(ctx.cert(Requirement::anchorCert), anchorHash);
- if (isAppleCA(anchorHash)
-#if defined(TEST_APPLE_ANCHOR)
- || !memcmp(anchorHash, Requirement::testAppleAnchorHash(), SHA1::digestLength)
-#endif
- )
- appleAnchor();
- else
- nonAppleAnchor();
-
- return Maker::make();
-}
-
-
-void DRMaker::nonAppleAnchor()
-{
- // get the Organization DN element for the leaf
- CFRef<CFStringRef> leafOrganization;
- MacOSError::check(SecCertificateCopySubjectComponent(ctx.cert(Requirement::leafCert),
- &CSSMOID_OrganizationName, &leafOrganization.aref()));
-
- // now step up the cert chain looking for the first cert with a different one
- int slot = Requirement::leafCert; // start at leaf
- if (leafOrganization) {
- while (SecCertificateRef ca = ctx.cert(slot+1)) { // NULL if you over-run the anchor slot
- CFRef<CFStringRef> caOrganization;
- MacOSError::check(SecCertificateCopySubjectComponent(ca, &CSSMOID_OrganizationName, &caOrganization.aref()));
- if (!caOrganization || CFStringCompare(leafOrganization, caOrganization, 0) != kCFCompareEqualTo)
- break;
- slot++;
- }
- if (slot == ctx.certCount() - 1) // went all the way to the anchor...
- slot = Requirement::anchorCert; // ... so say that
- }
-
- // nail the last cert with the leaf's Organization value
- SHA1::Digest authorityHash;
- hashOfCertificate(ctx.cert(slot), authorityHash);
- this->anchor(slot, authorityHash);
-}
-
-
-void DRMaker::appleAnchor()
-{
- if (isIOSSignature()) {
- // get the Common Name DN element for the leaf
- CFRef<CFStringRef> leafCN;
- MacOSError::check(SecCertificateCopySubjectComponent(ctx.cert(Requirement::leafCert),
- &CSSMOID_CommonName, &leafCN.aref()));
-
- // apple anchor generic and ...
- this->put(opAnd);
- this->anchorGeneric(); // apple generic anchor and...
- // ... leaf[subject.CN] = <leaf's subject> and ...
- this->put(opAnd);
- this->put(opCertField); // certificate
- this->put(0); // leaf
- this->put("subject.CN"); // [subject.CN]
- this->put(matchEqual); // =
- this->putData(leafCN); // <leaf CN>
- // ... cert 1[field.<marker>] exists
- this->put(opCertGeneric); // certificate
- this->put(1); // 1
- this->putData(adcSdkMarkerOID.Data, adcSdkMarkerOID.Length); // [field.<marker>]
- this->put(matchExists); // exists
- return;
- }
-
- if (isDeveloperIDSignature()) {
- // get the Organizational Unit DN element for the leaf (it contains the TEAMID)
- CFRef<CFStringRef> teamID;
- MacOSError::check(SecCertificateCopySubjectComponent(ctx.cert(Requirement::leafCert),
- &CSSMOID_OrganizationalUnitName, &teamID.aref()));
-
- // apple anchor generic and ...
- this->put(opAnd);
- this->anchorGeneric(); // apple generic anchor and...
-
- // ... certificate 1[intermediate marker oid] exists and ...
- this->put(opAnd);
- this->put(opCertGeneric); // certificate
- this->put(1); // 1
- this->putData(caspianSdkMarker, sizeof(caspianSdkMarker));
- this->put(matchExists); // exists
-
- // ... certificate leaf[Caspian cert oid] exists and ...
- this->put(opAnd);
- this->put(opCertGeneric); // certificate
- this->put(0); // leaf
- this->putData(caspianLeafMarker, sizeof(caspianLeafMarker));
- this->put(matchExists); // exists
-
- // ... leaf[subject.OU] = <leaf's subject>
- this->put(opCertField); // certificate
- this->put(0); // leaf
- this->put("subject.OU"); // [subject.OU]
- this->put(matchEqual); // =
- this->putData(teamID); // TEAMID
- return;
- }
-
- // otherwise, claim this program for Apple Proper
- this->anchor();
-}
-
-bool DRMaker::isIOSSignature()
-{
- if (ctx.certCount() == 3) // leaf, one intermediate, anchor
- if (SecCertificateRef intermediate = ctx.cert(1)) // get intermediate
- if (certificateHasField(intermediate, CssmOid::overlay(adcSdkMarkerOID)))
- return true;
- return false;
-}
-
-bool DRMaker::isDeveloperIDSignature()
-{
- if (ctx.certCount() == 3) // leaf, one intermediate, anchor
- if (SecCertificateRef intermediate = ctx.cert(1)) // get intermediate
- if (certificateHasField(intermediate, CssmOid::overlay(devIdSdkMarkerOID)))
- return true;
- return false;
-}
-
-
-} // end namespace CodeSigning
-} // end namespace Security
projects / apple / security.git / blobdiff