index 6ac5db8fe0a65c6bf642788ef66880fe05ab87a8..0f33281e5e7697b10a8f702eee0630e8e638d987 100644 (file)
@@ -27,6 +27,7 @@
 #include "csutilities.h"
 #include <Security/SecCertificatePriv.h>
 #include <security_codesigning/requirement.h>
+#include <security_utilities/hashing.h>
 #include <security_utilities/debugging.h>
 #include <security_utilities/errors.h>
 
@@ -34,6 +35,29 @@ namespace Security {
 namespace CodeSigning {
 
 
+//
+// The (SHA-1) hash of the canonical Apple certificate root anchor
+//
+static const SHA1::Digest gAppleAnchorHash =
+       { 0x61, 0x1e, 0x5b, 0x66, 0x2c, 0x59, 0x3a, 0x08, 0xff, 0x58,
+         0xd1, 0x4a, 0xe2, 0x24, 0x52, 0xd1, 0x98, 0xdf, 0x6c, 0x60 };
+
+
+
+//
+// Test for the canonical Apple CA certificate
+//
+bool isAppleCA(SecCertificateRef cert)
+{
+       return verifyHash(cert, gAppleAnchorHash);
+}
+
+bool isAppleCA(const Hashing::Byte *sha1)
+{
+       return !memcmp(sha1, gAppleAnchorHash, SHA1::digestLength);
+}
+
+
 //
 // Calculate the canonical hash of a certificate, given its raw (DER) data.
 //
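Review bot: The byte-pointer overload `isAppleCA(const Hashing::Byte *sha1)` reads `SHA1::digestLength` bytes through an unchecked raw pointer with no length argument, so the buffer-size precondition is invisible at the call site; `verifyHash(SecCertificateRef, const Hashing::Byte *digest)` in the following hunk has the same implicit contract. Since the signature is fixed by the header, state it in a comment above the function: `// sha1 must point to at least SHA1::digestLength readable bytes (no null check is made)`. The comment on `gAppleAnchorHash` would also help a maintainer if it named what is hashed — per the `hashOfCertificate` comment below, that is the certificate's raw DER encoding: `// SHA-1 over the DER encoding of the Apple root anchor certificate (see hashOfCertificate)`. Both new functions call `memcmp`, which appears to rely on a transitive include; if `<string.h>` is not already pulled in by the headers above, an explicit include would be safer.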
@@ -57,6 +81,17 @@ void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest)
 }
 
 
+//
+// One-stop hash-certificate-and-compare
+//
+bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest)
+{
+       SHA1::Digest dig;
+       hashOfCertificate(cert, dig);
+       return !memcmp(dig, digest, SHA1::digestLength);
+}
+
+
 //
 // Check to see if a certificate contains a particular field, by OID. This works for extensions,
 // even ones not recognized by the local CL. It does not return any value, only presence.
@@ -66,7 +101,7 @@ bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid)
        assert(cert);
        CSSM_DATA *value;
        switch (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &oid, &value)) {
-       case noErr:
+       case errSecSuccess:
                MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &oid, value));
                return true;                                    // extension found by oid
        case errSecUnknownTag: