+++ /dev/null
-/*
- * Copyright (c) 2006-2007 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-//
-// reqdumper - Requirement un-parsing (disassembly)
-//
-#include "reqdumper.h"
-#include <security_cdsa_utilities/cssmdata.h> // OID encoder
-#include <cstdarg>
-
-namespace Security {
-namespace CodeSigning {
-
-using namespace UnixPlusPlus;
-
-
-//
-// Table of reserved words (keywords), generated by ANTLR
-//
-static const char * const keywords[] = {
-#include "RequirementKeywords.h"
- "",
- NULL
-};
-
-
-//
-// Printf to established output channel
-//
-void Dumper::print(const char *format, ...)
-{
- char buffer[256];
- va_list args;
- va_start(args, format);
- vsnprintf(buffer, sizeof(buffer), format, args);
- va_end(args);
- mOutput += buffer;
-}
-
-
-//
-// Dump the underlying Requirement program
-//
-void Dumper::dump()
-{
- this->expr();
-
- // remove any initial space
- if (mOutput[0] == ' ')
- mOutput = mOutput.substr(1);
-}
-
-
-//
-// Dump an entire Requirements set, using temporary Dumper objects.
-//
-// This detects single Requirement inputs and dumps them successfully (using
-// single-requirement syntax). No indication of error is returned in this case.
-//
-string Dumper::dump(const Requirements *reqs, bool debug /* = false */)
-{
- if (!reqs) {
- return "# no requirement(s)";
- } else if (reqs->magic() == Requirement::typeMagic) { // single requirement
- return dump((const Requirement *)reqs) + "\n";
- } else {
- string result;
- for (unsigned n = 0; n < reqs->count(); n++) {
- char prefix[200];
- if (reqs->type(n) < kSecRequirementTypeCount)
- snprintf(prefix, sizeof(prefix),
- "%s => ", Requirement::typeNames[reqs->type(n)]);
- else
- snprintf(prefix, sizeof(prefix), "/*unknown type*/ %d => ", reqs->type(n));
- Dumper dumper(reqs->blob<Requirement>(n), debug);
- dumper.expr();
- result += prefix + dumper.value() + "\n";
- }
- return result;
- }
-}
-
-string Dumper::dump(const Requirement *req, bool debug /* = false */)
-{
- Dumper dumper(req, debug);
- try {
- dumper.dump();
- return dumper;
- } catch (const CommonError &err) {
- if (debug) {
- char errstr[80];
- snprintf(errstr, sizeof(errstr), " !! error %ld !!", (unsigned long)err.osStatus());
- return dumper.value() + errstr;
- }
- throw;
- }
-}
-
-string Dumper::dump(const BlobCore *req, bool debug /* = false */)
-{
- switch (req->magic()) {
- case Requirement::typeMagic:
- return dump(static_cast<const Requirement *>(req), debug);
- break;
- case Requirements::typeMagic:
- return dump(static_cast<const Requirements *>(req), debug);
- break;
- default:
- return "invalid data type";
- }
-}
-
-
-//
-// Element dumpers. Output accumulates in internal buffer.
-//
-void Dumper::expr(SyntaxLevel level)
-{
- if (mDebug)
- print("/*@0x%x*/", pc());
- ExprOp op = ExprOp(get<uint32_t>());
- switch (op & ~opFlagMask) {
- case opFalse:
- print("never");
- break;
- case opTrue:
- print("always");
- break;
- case opIdent:
- print("identifier ");
- data();
- break;
- case opAppleAnchor:
- print("anchor apple");
- break;
- case opAppleGenericAnchor:
- print("anchor apple generic");
- break;
- case opAnchorHash:
- print("certificate"); certSlot(); print(" = "); hashData();
- break;
- case opInfoKeyValue:
- if (mDebug)
- print("/*legacy*/");
- print("info["); dotString(); print("] = "); data();
- break;
- case opAnd:
- if (level < slAnd)
- print("(");
- expr(slAnd);
- print(" and ");
- expr(slAnd);
- if (level < slAnd)
- print(")");
- break;
- case opOr:
- if (level < slOr)
- print("(");
- expr(slOr);
- print(" or ");
- expr(slOr);
- if (level < slOr)
- print(")");
- break;
- case opNot:
- print("! ");
- expr(slPrimary);
- break;
- case opCDHash:
- print("cdhash ");
- hashData();
- break;
- case opInfoKeyField:
- print("info["); dotString(); print("]"); match();
- break;
- case opEntitlementField:
- print("entitlement["); dotString(); print("]"); match();
- break;
- case opCertField:
- print("certificate"); certSlot(); print("["); dotString(); print("]"); match();
- break;
- case opCertGeneric:
- print("certificate"); certSlot(); print("[");
- {
- const unsigned char *data; size_t length;
- getData(data, length);
- print("field.%s", CssmOid((unsigned char *)data, length).toOid().c_str());
- }
- print("]"); match();
- break;
- case opCertPolicy:
- print("certificate"); certSlot(); print("[");
- {
- const unsigned char *data; size_t length;
- getData(data, length);
- print("policy.%s", CssmOid((unsigned char *)data, length).toOid().c_str());
- }
- print("]"); match();
- break;
- case opTrustedCert:
- print("certificate"); certSlot(); print("trusted");
- break;
- case opTrustedCerts:
- print("anchor trusted");
- break;
- case opNamedAnchor:
- print("anchor apple "); data();
- break;
- case opNamedCode:
- print("("); data(); print(")");
- break;
- default:
- if (op & opGenericFalse) {
- print(" false /* opcode %d */", op & ~opFlagMask);
- break;
- } else if (op & opGenericSkip) {
- print(" /* opcode %d */", op & ~opFlagMask);
- break;
- } else {
- print("OPCODE %d NOT UNDERSTOOD (ending print)", op);
- return;
- }
- }
-}
-
-void Dumper::certSlot()
-{
- switch (int32_t slot = get<int32_t>()) {
- case Requirement::anchorCert:
- print(" root");
- break;
- case Requirement::leafCert:
- print(" leaf");
- break;
- default:
- print(" %d", slot);
- break;
- }
-}
-
-void Dumper::match()
-{
- switch (MatchOperation op = MatchOperation(get<uint32_t>())) {
- case matchExists:
- print(" /* exists */");
- break;
- case matchEqual:
- print(" = "); data();
- break;
- case matchContains:
- print(" ~ "); data();
- break;
- case matchBeginsWith:
- print(" = "); data(); print("*");
- break;
- case matchEndsWith:
- print(" = *"); data();
- break;
- case matchLessThan:
- print(" < "); data();
- break;
- case matchGreaterEqual:
- print(" >= "); data();
- break;
- case matchLessEqual:
- print(" <= "); data();
- break;
- case matchGreaterThan:
- print(" > "); data();
- break;
- default:
- print("MATCH OPCODE %d NOT UNDERSTOOD", op);
- break;
- }
-}
-
-void Dumper::hashData()
-{
- print("H\"");
- const unsigned char *data; size_t length;
- getData(data, length);
- printBytes(data, length);
- print("\"");
-}
-
-void Dumper::data(PrintMode bestMode /* = isSimple */, bool dotOkay /* = false */)
-{
- const unsigned char *data; size_t length;
- getData(data, length);
- for (unsigned n = 0; n < length; n++)
- if ((isalnum(data[n]) || (data[n] == '.' && dotOkay))) { // simple
- if (n == 0 && isdigit(data[n])) // unquoted idents can't start with a digit
- bestMode = isPrintable;
- } else if (isgraph(data[n]) || isspace(data[n])) {
- if (bestMode == isSimple)
- bestMode = isPrintable;
- } else {
- bestMode = isBinary;
- break; // pessimal
- }
-
- if (bestMode == isSimple) {
- string s((const char *)data, length);
- for (const char * const * k = keywords; *k; k++)
- if (s == *k) {
- bestMode = isPrintable; // reserved word; need quotes
- break;
- }
- }
-
- switch (bestMode) {
- case isSimple:
- print("%.*s", length, data);
- break;
- case isPrintable:
- print("\"%.*s\"", length, data);
- break;
- default:
- print("0x");
- printBytes(data, length);
- break;
- }
-}
-
-void Dumper::printBytes(const Byte *data, size_t length)
-{
- for (unsigned n = 0; n < length; n++)
- print("%02.2x", data[n]);
-}
-
-
-} // CodeSigning
-} // Security
projects / apple / security.git / blobdiff