CFStringRef kSecAssessmentAssessmentFromCache = CFSTR("assessment:authority:cached");
CFStringRef kSecAssessmentAssessmentWeakSignature = CFSTR("assessment:authority:weak");
CFStringRef kSecAssessmentAssessmentCodeSigningError = CFSTR("assessment:cserror");
+CFStringRef kSecAssessmentAssessmentNotarizationDate = CFSTR("assessment:notarization-date");
CFStringRef kDisabledOverride = CFSTR("security disabled");
CFRef<CFDictionaryRef> result;
// make context exist and writable
- CFMutableDictionaryRef mcontext;
- if (context == NULL) {
- mcontext = makeCFMutableDictionary();
- } else {
- mcontext = makeCFMutableDictionary(context);
- }
+ CFRef<CFMutableDictionaryRef> mcontext = context ? makeCFMutableDictionary(context) : makeCFMutableDictionary();
if (CFDictionaryGetValue(mcontext, kSecAssessmentUpdateKeyAuthorization) == NULL) {
// no authorization passed in. Make an empty one in this context
traceUpdate(target, context, result);
return result.yield();
- END_CSAPI_ERRORS1(false)
+ END_CSAPI_ERRORS1(NULL)
+}
+
+static void
+updateAuthority(const char *authority, bool enable, CFErrorRef *errors)
+{
+ CFStringRef updateValue = enable ? kSecAssessmentUpdateOperationEnable : kSecAssessmentUpdateOperationDisable;
+ CFTemp<CFDictionaryRef> ctx("{%O=%s, %O=%O}", kSecAssessmentUpdateKeyLabel, authority, kSecAssessmentContextKeyUpdate, updateValue);
+ SecAssessmentUpdate(NULL, kSecCSDefaultFlags, ctx, errors);
}
result = kCFBooleanTrue;
return true;
} else if (CFEqual(control, CFSTR("ui-enable-devid"))) {
- CFTemp<CFDictionaryRef> ctx("{%O=%s, %O=%O}", kSecAssessmentUpdateKeyLabel, "Developer ID", kSecAssessmentContextKeyUpdate, kSecAssessmentUpdateOperationEnable);
- SecAssessmentUpdate(NULL, kSecCSDefaultFlags, ctx, errors);
+ updateAuthority("Developer ID", true, errors);
+ updateAuthority("Notarized Developer ID", true, errors);
MessageTrace trace("com.apple.security.assessment.state", "enable-devid");
trace.send("enable Developer ID approval");
return true;
} else if (CFEqual(control, CFSTR("ui-disable-devid"))) {
- CFTemp<CFDictionaryRef> ctx("{%O=%s, %O=%O}", kSecAssessmentUpdateKeyLabel, "Developer ID", kSecAssessmentContextKeyUpdate, kSecAssessmentUpdateOperationDisable);
- SecAssessmentUpdate(NULL, kSecCSDefaultFlags, ctx, errors);
+ updateAuthority("Developer ID", false, errors);
MessageTrace trace("com.apple.security.assessment.state", "disable-devid");
trace.send("disable Developer ID approval");
return true;
else
result = kCFBooleanTrue;
return true;
+ } else if (CFEqual(control, CFSTR("ui-enable-notarized"))) {
+ updateAuthority("Notarized Developer ID", true, errors);
+ MessageTrace trace("com.apple.security.assessment.state", "enable-notarized");
+ trace.send("enable Notarized Developer ID approval");
+ return true;
+ } else if (CFEqual(control, CFSTR("ui-disable-notarized"))) {
+ updateAuthority("Notarized Developer ID", false, errors);
+ MessageTrace trace("com.apple.security.assessment.state", "disable-notarized");
+ trace.send("disable Notarized Developer ID approval");
+ return true;
+ } else if (CFEqual(control, CFSTR("ui-get-notarized"))) {
+ xpcEngineCheckNotarized((CFBooleanRef*)(arguments));
+ return true;
+ } else if (CFEqual(control, CFSTR("ui-get-notarized-local"))) {
+ CFBooleanRef &result = *(CFBooleanRef*)(arguments);
+ if (gEngine().value<int>("SELECT disabled FROM authority WHERE label = 'Notarized Developer ID';", true))
+ result = kCFBooleanFalse;
+ else
+ result = kCFBooleanTrue;
+ return true;
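Review bot: The two new lookups at L60-L69 answer the same question from different places — `ui-get-notarized` goes through `xpcEngineCheckNotarized`, `ui-get-notarized-local` reads the authority table in-process with a hard-coded query — but nothing tells a caller which one to use or whether the two can disagree, so each branch should carry a one-line comment stating its intended use (e.g. `// in-process read of the authority DB; prefer ui-get-notarized when the caller has no direct DB access`, adjusted to the real reason). The meaning of the trailing `true` passed to `gEngine().value<int>(...)` at L65 is not visible here; if it is the default for a missing row, a missing "Notarized Developer ID" row reports the feature as disabled, which is worth stating in the same comment. Both branches write through `(CFBooleanRef*)(arguments)` without a NULL check, matching the existing branches above, so that is a pre-existing convention rather than a new defect.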
} else if (CFEqual(control, CFSTR("ui-record-reject"))) {
// send this through syspolicyd for update validation
xpcEngineRecord(CFDictionaryRef(arguments));
END_CSAPI_ERRORS1(false)
}
+
+Boolean SecAssessmentTicketRegister(CFDataRef ticketData, CFErrorRef *errors)
+{
+ BEGIN_CSAPI
+
+ xpcEngineTicketRegister(ticketData);
+ return true;
+
+ END_CSAPI_ERRORS1(false)
+}
+
+Boolean SecAssessmentTicketLookup(CFDataRef hash, SecCSDigestAlgorithm hashType, SecAssessmentTicketFlags flags, double *date, CFErrorRef *errors)
+{
+ BEGIN_CSAPI
+
+ xpcEngineTicketLookup(hash, hashType, flags, date);
+ return true;
+
+ END_CSAPI_ERRORS1(false)
+}
+
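Review bot: `SecAssessmentTicketRegister` and `SecAssessmentTicketLookup` (L76-L94) are new public entry points that forward `ticketData`, `hash` and `date` to the XPC helpers without validating them; whether `xpcEngineTicketRegister`/`xpcEngineTicketLookup` tolerate NULL is not visible here, so a parameter check at the top of each (`if (!ticketData) MacOSError::throwMe(errSecParam);` and the same for `hash` and `date`) would surface misuse in the caller's process rather than in the daemon. Both functions also lack a header comment; document that registration hands the ticket data to the assessment daemon, and for lookup what `hashType` and `flags` select and what `date` receives on success — presumably the notarization date that the new `kSecAssessmentAssessmentNotarizationDate` key at L4 reports, but that should be confirmed against the helper.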