Security-59306.101.1.tar.gz

[apple/security.git] / OSX / libsecurity_codesigning / lib / StaticCode.cpp
diff --git a/OSX/libsecurity_codesigning/lib/StaticCode.cpp b/OSX/libsecurity_codesigning/lib/StaticCode.cpp

index 5b8b37aef6f3acaf380b4913e303899bf6236972..2d5a3e90bcd2a5edccc5189fdd1c569150a3f325 100644 (file)
--- a/OSX/libsecurity_codesigning/lib/StaticCode.cpp
+++ b/OSX/libsecurity_codesigning/lib/StaticCode.cpp
@@ -358,6 +358,9 @@ void SecStaticCode::resetValidity()
         mGotResourceBase = false;
         mTrust = NULL;
         mCertChain = NULL;
         mGotResourceBase = false;
         mTrust = NULL;
         mCertChain = NULL;
+       mNotarizationChecked = false;
+       mStaplingChecked = false;
+       mNotarizationDate = NAN;
  #if TARGET_OS_OSX
         mEvalDetails = NULL;
  #endif
  #if TARGET_OS_OSX
         mEvalDetails = NULL;
  #endif
@@ -1897,6 +1900,10 @@ const Requirement *SecStaticCode::defaultDesignatedRequirement()
  #if TARGET_OS_OSX
                 // full signature: Gin up full context and let DRMaker do its thing
                 validateDirectory();            // need the cert chain
  #if TARGET_OS_OSX
                 // full signature: Gin up full context and let DRMaker do its thing
                 validateDirectory();            // need the cert chain
+               CFRef<CFDateRef> secureTimestamp;
+               if (CFAbsoluteTime time = this->signingTimestamp()) {
+                       secureTimestamp.take(CFDateCreate(NULL, time));
+               }
                 Requirement::Context context(this->certificates(),
                         this->infoDictionary(),
                         this->entitlements(),
                 Requirement::Context context(this->certificates(),
                         this->infoDictionary(),
                         this->entitlements(),
@@ -1904,7 +1911,9 @@ const Requirement *SecStaticCode::defaultDesignatedRequirement()
                         this->codeDirectory(),
                         NULL,
                         kSecCodeSignatureNoHash,
                         this->codeDirectory(),
                         NULL,
                         kSecCodeSignatureNoHash,
-                       false
+                       false,
+                       secureTimestamp,
+                       this->teamID()
                 );
                 return DRMaker(context).make();
  #else
                 );
                 return DRMaker(context).make();
  #else
@@ -1937,7 +1946,15 @@ bool SecStaticCode::satisfiesRequirement(const Requirement *req, OSStatus failur
         bool result = false;
         assert(req);
         validateDirectory();
         bool result = false;
         assert(req);
         validateDirectory();
-       result = req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(), codeDirectory()->identifier(), codeDirectory(), NULL, kSecCodeSignatureNoHash, mRep->appleInternalForcePlatform()), failure);
+       CFRef<CFDateRef> secureTimestamp;
+       if (CFAbsoluteTime time = this->signingTimestamp()) {
+               secureTimestamp.take(CFDateCreate(NULL, time));
+       }
+       result = req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(),
+                                                                                                codeDirectory()->identifier(), codeDirectory(),
+                                                                                                NULL, kSecCodeSignatureNoHash, mRep->appleInternalForcePlatform(),
+                                                                                                secureTimestamp, teamID()),
+                                                       failure);
         return result;
  }
  
         return result;
  }
  
@@ -2235,9 +2252,12 @@ void SecStaticCode::staticValidate(SecCSFlags flags, const SecRequirement *req)
                 this->validateResources(flags);
  
         // perform strict validation if desired
                 this->validateResources(flags);
  
         // perform strict validation if desired
-       if (flags & kSecCSStrictValidate)
+       if (flags & kSecCSStrictValidate) {
                 mRep->strictValidate(codeDirectory(), mTolerateErrors, mValidationFlags);
         reportProgress();
                 mRep->strictValidate(codeDirectory(), mTolerateErrors, mValidationFlags);
         reportProgress();
+       } else if (flags & kSecCSStrictValidateStructure) {
+               mRep->strictValidateStructure(codeDirectory(), mTolerateErrors, mValidationFlags);
+       }
  
         // allow monitor intervention
         if (CFRef<CFTypeRef> veto = reportEvent(CFSTR("validated"), NULL)) {
  
         // allow monitor intervention
         if (CFRef<CFTypeRef> veto = reportEvent(CFSTR("validated"), NULL)) {
@@ -2323,7 +2343,7 @@ bool SecStaticCode::isAppleDeveloperCert(CFArrayRef certs)
  {
         static const std::string appleDeveloperRequirement = "(" + std::string(WWDRRequirement) + ") or (" + MACWWDRRequirement + ") or (" + developerID + ") or (" + distributionCertificate + ") or (" + iPhoneDistributionCert + ")";
         SecPointer<SecRequirement> req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true);
  {
         static const std::string appleDeveloperRequirement = "(" + std::string(WWDRRequirement) + ") or (" + MACWWDRRequirement + ") or (" + developerID + ") or (" + distributionCertificate + ") or (" + iPhoneDistributionCert + ")";
         SecPointer<SecRequirement> req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true);
-       Requirement::Context ctx(certs, NULL, NULL, "", NULL, NULL, kSecCodeSignatureNoHash, false);
+       Requirement::Context ctx(certs, NULL, NULL, "", NULL, NULL, kSecCodeSignatureNoHash, false, NULL, "");
  
         return req->requirement()->validates(ctx);
  }
  
         return req->requirement()->validates(ctx);
  }