Security-59754.80.3.tar.gz

[apple/security.git] / OSX / libsecurity_codesigning / lib / SecCode.cpp

diff --git a/OSX/libsecurity_codesigning/lib/SecCode.cpp b/OSX/libsecurity_codesigning/lib/SecCode.cpp
index 47d1cc162cc69a774ee684f8494760b12febe36f..40cc82035941d232f4d377f01c831c05d00057bf 100644 (file)
--- a/OSX/libsecurity_codesigning/lib/SecCode.cpp
+++ b/OSX/libsecurity_codesigning/lib/SecCode.cpp
@@ -33,6 +33,7 @@
 #include "cskernel.h"
 #include <security_utilities/cfmunge.h>
 #include <security_utilities/logging.h>
 #include "cskernel.h"
 #include <security_utilities/cfmunge.h>
 #include <security_utilities/logging.h>

+#include <xpc/private.h>

 
 using namespace CodeSigning;
 
 
 using namespace CodeSigning;
 


@@ -179,7 +180,8 @@ OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef hostRef,
 
 
 //
 
 
 //

-// Shorthand for getting the SecCodeRef for a UNIX process
+// Deprecated since 10.6, DO NOT USE. This can be raced.
+// Use SecCodeCreateWithAuditToken instead.

 //
 OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *processRef)
 {
 //
 OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *processRef)
 {


@@ -193,6 +195,50 @@ OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *processRe
 
        END_CSAPI
 }
 
        END_CSAPI
 }

+
+//
+// Shorthand for getting the SecCodeRef for a UNIX process
+//
+OSStatus SecCodeCreateWithAuditToken(const audit_token_t *audit,
+                                                                        SecCSFlags flags, SecCodeRef *processRef)
+{
+       BEGIN_CSAPI
+       
+       checkFlags(flags);
+       CFRef<CFDataRef> auditData = makeCFData(audit, sizeof(audit_token_t));
+       if (SecCode *guest = KernelCode::active()->locateGuest(CFTemp<CFDictionaryRef>("{%O=%O}", kSecGuestAttributeAudit, auditData.get()))) {
+               CodeSigning::Required(processRef) = guest->handle(false);
+       } else {
+               return errSecCSNoSuchCode;
+       }
+       
+       END_CSAPI
+}
+
+OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags,
+                                                                        SecCodeRef * __nonnull CF_RETURNS_RETAINED target)
+{
+       BEGIN_CSAPI
+
+       checkFlags(flags);
+
+       if (xpc_get_type(message) != XPC_TYPE_DICTIONARY) {
+               return errSecCSInvalidObjectRef;
+       }
+       
+       xpc_connection_t connection = xpc_dictionary_get_remote_connection(message);
+       if (connection == NULL) {
+               return errSecCSInvalidObjectRef;
+       }
+
+       audit_token_t t = {0};
+       xpc_connection_get_audit_token(connection, &t);
+
+       return SecCodeCreateWithAuditToken(&t, flags, target);
+
+       END_CSAPI
+}
+

 #endif // TARGET_OS_OSX
 
 
 #endif // TARGET_OS_OSX
 
 


@@ -213,6 +259,7 @@ OSStatus SecCodeCheckValidityWithErrors(SecCodeRef codeRef, SecCSFlags flags,
        checkFlags(flags,
                  kSecCSConsiderExpiration
                | kSecCSStrictValidate
        checkFlags(flags,
                  kSecCSConsiderExpiration
                | kSecCSStrictValidate

+               | kSecCSStrictValidateStructure

                | kSecCSRestrictSidebandData
                | kSecCSEnforceRevocationChecks
        );
                | kSecCSRestrictSidebandData
                | kSecCSEnforceRevocationChecks
        );


@@ -258,13 +305,17 @@ const CFStringRef kSecCodeInfoTimestamp =         CFSTR("signing-timestamp");
 const CFStringRef kSecCodeInfoTrust =                  CFSTR("trust");
 const CFStringRef kSecCodeInfoUnique =                 CFSTR("unique");
 const CFStringRef kSecCodeInfoCdHashes =        CFSTR("cdhashes");
 const CFStringRef kSecCodeInfoTrust =                  CFSTR("trust");
 const CFStringRef kSecCodeInfoUnique =                 CFSTR("unique");
 const CFStringRef kSecCodeInfoCdHashes =        CFSTR("cdhashes");

+const CFStringRef kSecCodeInfoCdHashesFull =   CFSTR("cdhashes-full");

 const CFStringRef kSecCodeInfoRuntimeVersion =         CFSTR("runtime-version");
 
 const CFStringRef kSecCodeInfoRuntimeVersion =         CFSTR("runtime-version");
 

-

 const CFStringRef kSecCodeInfoCodeDirectory =  CFSTR("CodeDirectory");
 const CFStringRef kSecCodeInfoCodeOffset =             CFSTR("CodeOffset");
 const CFStringRef kSecCodeInfoDiskRepInfo =     CFSTR("DiskRepInfo");
 const CFStringRef kSecCodeInfoResourceDirectory = CFSTR("ResourceDirectory");
 const CFStringRef kSecCodeInfoCodeDirectory =  CFSTR("CodeDirectory");
 const CFStringRef kSecCodeInfoCodeOffset =             CFSTR("CodeOffset");
 const CFStringRef kSecCodeInfoDiskRepInfo =     CFSTR("DiskRepInfo");
 const CFStringRef kSecCodeInfoResourceDirectory = CFSTR("ResourceDirectory");

+const CFStringRef kSecCodeInfoNotarizationDate = CFSTR("NotarizationDate");
+const CFStringRef kSecCodeInfoCMSDigestHashType = CFSTR("CMSDigestHashType");
+const CFStringRef kSecCodeInfoCMSDigest =        CFSTR("CMSDigest");
+const CFStringRef kSecCodeInfoSignatureVersion = CFSTR("SignatureVersion");

 
 /* DiskInfoRepInfo types */
 const CFStringRef kSecCodeInfoDiskRepVersionPlatform =         CFSTR("VersionPlatform");
 
 /* DiskInfoRepInfo types */
 const CFStringRef kSecCodeInfoDiskRepVersionPlatform =         CFSTR("VersionPlatform");


@@ -284,7 +335,8 @@ OSStatus SecCodeCopySigningInformation(SecStaticCodeRef codeRef, SecCSFlags flag
                | kSecCSRequirementInformation
                | kSecCSDynamicInformation
                | kSecCSContentInformation
                | kSecCSRequirementInformation
                | kSecCSDynamicInformation
                | kSecCSContentInformation

-        | kSecCSSkipResourceDirectory);
+        | kSecCSSkipResourceDirectory
+               | kSecCSCalculateCMSDigest);

 
        SecPointer<SecStaticCode> code = SecStaticCode::requiredStatic(codeRef);
        CFRef<CFDictionaryRef> info = code->signingInformation(flags);
 
        SecPointer<SecStaticCode> code = SecStaticCode::requiredStatic(codeRef);
        CFRef<CFDictionaryRef> info = code->signingInformation(flags);