#include <Security/CSCommon.h>
#include <CoreFoundation/CFBase.h>
+#include <xpc/xpc.h>
#ifdef __cplusplus
extern "C" {
Obtains a SecCode object for the code making the call.
The calling code is determined in a way that is subject to modification over
time, but obeys the following rules. If it is a UNIX process, its process id (pid)
- is always used. If it is an active code host that has a dedicated guest, such a guest
- is always preferred. If it is a host that has called SecHostSelectGuest, such selection
- is considered until revoked.
+ is always used.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param self Upon successful return, contains a SecCodeRef representing the caller.
OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef __nullable host,
CFDictionaryRef __nullable attributes, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED guest);
+
+/*!
+ @function SecCodeCreateWithXPCMessage
+ Creates a SecCode reference to the process that sent the provided XPC message, using the
+ associated audit token.
+
+ @param message The xpc_object_t of a message recieved via xpc to look up the audit token
+ of the process that sent the message.
+ @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
+ @param processRef On successful return, a SecCode object reference identifying
+ the particular guest of the process from the audit token. This argument will not be
+ changed if the call fails (does not return errSecSuccess).
+ @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
+ CSCommon.h or certain other Security framework headers. In particular:
+ @error errSecCSInvalidObjectRef The xpc_object_t was not of type XPC_TYPE_DICTIONARY.
+ @error errSecCSInvalidObjectRef The xpc_object_t was not an xpc message with an associated
+ connection.
+ For a complete list of errors, please see {@link SecCodeCopyGuestWithAttributes}.
+*/
+OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags,
+ SecCodeRef * __nonnull CF_RETURNS_RETAINED target);
+
#endif // TARGET_OS_OSX
SecRequirementRef __nullable requirement);
/*!
- @function SecCodeCheckValidityWifErrors
+ @function SecCodeCheckValidityWithErrors
Performs dynamic validation of the given SecCode object. The call obtains and
verifies the signature on the code object. It checks the validity of only those
sealed components required to establish identity. It checks the SecCode's
@function SecCodeCopySigningInformation
For a given Code or StaticCode object, extract various pieces of information
from its code signature and return them in the form of a CFDictionary. The amount
- and detail level of the data is controlled by the flags passed to the call.
+ and detail level of the data is controlled by the flags passed to the call. For
+ Code objects, some of the signing information returned will be from disk. You can
+ call one of the CheckValidity functions to check that the content on disk matches
+ the signing information attached to the running Code.
If the code exists but is not signed at all, this call will succeed and return
a dictionary that does NOT contain the kSecCodeInfoIdentifier key. This is the
kSecCSRequirementInformation = 1 << 2,
kSecCSDynamicInformation = 1 << 3,
kSecCSContentInformation = 1 << 4,
- kSecCSSkipResourceDirectory = 1 << 5
+ kSecCSSkipResourceDirectory = 1 << 5,
+ kSecCSCalculateCMSDigest = 1 << 6,
};
/* flag required to get this value */
extern const CFStringRef kSecCodeInfoCertificates; /* Signing */
extern const CFStringRef kSecCodeInfoTrust; /* Signing */
extern const CFStringRef kSecCodeInfoUnique; /* generic */
extern const CFStringRef kSecCodeInfoCdHashes; /* generic */
+extern const CFStringRef kSecCodeInfoRuntimeVersion; /*generic */
OSStatus SecCodeCopySigningInformation(SecStaticCodeRef code, SecCSFlags flags,
CFDictionaryRef * __nonnull CF_RETURNS_RETAINED information);
projects / apple / security.git / blobdiff