const CFStringRef kSecCFErrorResourceAdded = CFSTR("SecCSResourceAdded");
const CFStringRef kSecCFErrorResourceAltered = CFSTR("SecCSResourceAltered");
const CFStringRef kSecCFErrorResourceMissing = CFSTR("SecCSResourceMissing");
+const CFStringRef kSecCFErrorResourceSideband = CFSTR("SecCSResourceHasSidebandData");
const CFStringRef kSecCFErrorInfoPlist = CFSTR("SecCSInfoPlist");
const CFStringRef kSecCFErrorGuestAttributes = CFSTR("SecCSGuestAttributes");
const CFStringRef kSecCFErrorRequirementSyntax = CFSTR("SecRequirementSyntax");
const CFStringRef kSecGuestAttributeHash = CFSTR("codedirectory-hash");
const CFStringRef kSecGuestAttributeMachPort = CFSTR("mach-port");
const CFStringRef kSecGuestAttributePid = CFSTR("pid");
-const CFStringRef kSecGuestAttributeDynamicCode = CFSTR("dynamicCode");
-const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist = CFSTR("dynamicCodeInfoPlist");
+const CFStringRef kSecGuestAttributeAudit = CFSTR("audit");
+const CFStringRef kSecGuestAttributeDynamicCode = CFSTR("dynamicCode");
+const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist = CFSTR("dynamicCodeInfoPlist");
const CFStringRef kSecGuestAttributeArchitecture = CFSTR("architecture");
const CFStringRef kSecGuestAttributeSubarchitecture = CFSTR("subarchitecture");
+#if TARGET_OS_OSX
OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef hostRef,
CFDictionaryRef attributes, SecCSFlags flags, SecCodeRef *guestRef)
{
//
-// Shorthand for getting the SecCodeRef for a UNIX process
+// Deprecated since 10.6, DO NOT USE. This can be raced.
+// Use SecCodeCreateWithAuditToken instead.
//
OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *processRef)
{
END_CSAPI
}
+//
+// Shorthand for getting the SecCodeRef for a UNIX process
+//
+OSStatus SecCodeCreateWithAuditToken(const audit_token_t *audit,
+ SecCSFlags flags, SecCodeRef *processRef)
+{
+ BEGIN_CSAPI
+
+ checkFlags(flags);
+ CFRef<CFDataRef> auditData = makeCFData(audit, sizeof(audit_token_t));
+ if (SecCode *guest = KernelCode::active()->locateGuest(CFTemp<CFDictionaryRef>("{%O=%O}", kSecGuestAttributeAudit, auditData.get()))) {
+ CodeSigning::Required(processRef) = guest->handle(false);
+ } else {
+ return errSecCSNoSuchCode;
+ }
+
+ END_CSAPI
+}
+#endif // TARGET_OS_OSX
+
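Review bot: SecCodeCreateWithAuditToken reads sizeof(audit_token_t) bytes through `audit` in `makeCFData(audit, sizeof(audit_token_t))` before anything has rejected a NULL pointer, while the `processRef` out-pointer is only validated by `CodeSigning::Required(processRef)` after the guest lookup succeeds. Since this is a public entry point, the same helper should guard the input first, e.g. `CodeSigning::Required(audit);` placed right after `checkFlags(flags);` (assuming `Required` throws on NULL as its use on line 42 suggests), so a NULL token becomes a reported error rather than a crash inside the CSAPI try block. The moved header comment "Shorthand for getting the SecCodeRef for a UNIX process" could also state the property that makes this the preferred API, e.g. `// Unlike a pid, an audit token identifies one specific process instance, so the lookup cannot be confused by pid reuse.`; that is the rationale behind the "This can be raced" note added to SecCodeCreateWithPID, whose body is elided from the hunk.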
//
// Check validity of an Code
OSStatus SecCodeCheckValidityWithErrors(SecCodeRef codeRef, SecCSFlags flags,
SecRequirementRef requirementRef, CFErrorRef *errors)
{
-#if !SECTRUST_OSX
BEGIN_CSAPI
checkFlags(flags,
kSecCSConsiderExpiration
| kSecCSStrictValidate
- | kSecCSEnforceRevocationChecks);
+ | kSecCSStrictValidateStructure
+ | kSecCSRestrictSidebandData
+ | kSecCSEnforceRevocationChecks
+ );
SecPointer<SecCode> code = SecCode::required(codeRef);
code->checkValidity(flags);
if (const SecRequirement *req = SecRequirement::optional(requirementRef))
code->staticCode()->validateRequirement(req->requirement(), errSecCSReqFailed);
END_CSAPI_ERRORS
-#else
-#warning resolve before enabling SECTRUST_OSX: <rdar://21328880>
- OSStatus result = errSecSuccess;
- const char *func = "SecCodeCheckValidity";
- CFErrorRef localErrors = NULL;
- if (!errors) { errors = &localErrors; }
- try {
- checkFlags(flags,
- kSecCSConsiderExpiration
- | kSecCSEnforceRevocationChecks);
- SecPointer<SecCode> code = SecCode::required(codeRef);
- code->checkValidity(flags);
- if (const SecRequirement *req = SecRequirement::optional(requirementRef))
- code->staticCode()->validateRequirement(req->requirement(), errSecCSReqFailed);
- }
- catch (...) {
- // the actual error being thrown is not being caught by any of the
- // type-specific blocks contained in the END_CSAPI_ERRORS macro,
- // so we only have the catch-all block here for now.
- result = errSecCSInternalError;
- }
-
- if (errors && *errors) {
- CFShow(errors);
- CFRelease(errors);
- *errors = NULL;
- }
- if (result == errSecCSInternalError) {
- #if !NDEBUG
- Security::Syslog::error("WARNING: %s ignored error %d", func, (int)result);
- #endif
- result = errSecSuccess;
- }
- return result;
-#endif
}
const CFStringRef kSecCodeInfoTrust = CFSTR("trust");
const CFStringRef kSecCodeInfoUnique = CFSTR("unique");
const CFStringRef kSecCodeInfoCdHashes = CFSTR("cdhashes");
-
+const CFStringRef kSecCodeInfoCdHashesFull = CFSTR("cdhashes-full");
+const CFStringRef kSecCodeInfoRuntimeVersion = CFSTR("runtime-version");
const CFStringRef kSecCodeInfoCodeDirectory = CFSTR("CodeDirectory");
const CFStringRef kSecCodeInfoCodeOffset = CFSTR("CodeOffset");
+const CFStringRef kSecCodeInfoDiskRepInfo = CFSTR("DiskRepInfo");
const CFStringRef kSecCodeInfoResourceDirectory = CFSTR("ResourceDirectory");
+const CFStringRef kSecCodeInfoNotarizationDate = CFSTR("NotarizationDate");
+const CFStringRef kSecCodeInfoCMSDigestHashType = CFSTR("CMSDigestHashType");
+const CFStringRef kSecCodeInfoCMSDigest = CFSTR("CMSDigest");
+
+/* DiskInfoRepInfo types */
+const CFStringRef kSecCodeInfoDiskRepVersionPlatform = CFSTR("VersionPlatform");
+const CFStringRef kSecCodeInfoDiskRepVersionMin = CFSTR("VersionMin");
+const CFStringRef kSecCodeInfoDiskRepVersionSDK = CFSTR("VersionSDK");
+const CFStringRef kSecCodeInfoDiskRepNoLibraryValidation = CFSTR("NoLibraryValidation");
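Review bot: The new section comment `/* DiskInfoRepInfo types */` does not match the keys it labels, which are all named kSecCodeInfoDiskRep* and belong under the kSecCodeInfoDiskRepInfo dictionary added just above; it reads as a transposition and should be `/* DiskRepInfo types */`. It would also help readers to say these are the keys of the dictionary returned under kSecCodeInfoDiskRepInfo, e.g. `/* Keys of the kSecCodeInfoDiskRepInfo dictionary */`, since nothing else on the page ties the two groups together.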
OSStatus SecCodeCopySigningInformation(SecStaticCodeRef codeRef, SecCSFlags flags,
| kSecCSSigningInformation
| kSecCSRequirementInformation
| kSecCSDynamicInformation
- | kSecCSContentInformation);
+ | kSecCSContentInformation
+ | kSecCSSkipResourceDirectory
+ | kSecCSCalculateCMSDigest);
SecPointer<SecStaticCode> code = SecStaticCode::requiredStatic(codeRef);
CFRef<CFDictionaryRef> info = code->signingInformation(flags);