X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/5c19dc3ae3bd8e40a9c028b0deddd50ff337692c..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_codesigning/lib/StaticCode.h diff --git a/OSX/libsecurity_codesigning/lib/StaticCode.h b/OSX/libsecurity_codesigning/lib/StaticCode.h index c74ae3e7..56726824 100644 --- a/OSX/libsecurity_codesigning/lib/StaticCode.h +++ b/OSX/libsecurity_codesigning/lib/StaticCode.h @@ -106,7 +106,7 @@ public: static SecStaticCode *requiredStatic(SecStaticCodeRef ref); // convert SecCodeRef static SecCode *optionalDynamic(SecStaticCodeRef ref); // extract SecCodeRef or NULL if static - SecStaticCode(DiskRep *rep); + SecStaticCode(DiskRep *rep, uint32_t flags = 0); virtual ~SecStaticCode() throw(); void initializeFromParent(const SecStaticCode& parent); @@ -117,13 +117,20 @@ public: void detachedSignature(CFDataRef sig); // attach an explicitly given detached signature void checkForSystemSignature(); // check for and attach system-supplied detached signature - const CodeDirectory *codeDirectory(bool check = true); + typedef std::map > CodeDirectoryMap; + + const CodeDirectory *codeDirectory(bool check = true) const; + const CodeDirectoryMap *codeDirectories(bool check = true) const; + CodeDirectory::HashAlgorithm hashAlgorithm() const { return codeDirectory()->hashType; } + CodeDirectory::HashAlgorithms hashAlgorithms() const { return mHashAlgorithms; } CFDataRef cdHash(); + CFArrayRef cdHashes(); + CFDictionaryRef cdHashesFull(); CFDataRef signature(); CFAbsoluteTime signingTime(); CFAbsoluteTime signingTimestamp(); bool isSigned() { return codeDirectory(false) != NULL; } - DiskRep *diskRep() { return mRep; } + DiskRep *diskRep() const { return mRep; } bool isDetached() const { return mRep->base() != mRep; } std::string mainExecutablePath() { return mRep->mainExecutablePath(); } CFURLRef copyCanonicalPath() const { return mRep->copyCanonicalPath(); } @@ -133,16 +140,16 @@ public: std::string signatureSource(); virtual CFDataRef component(CodeDirectory::SpecialSlot slot, OSStatus fail = errSecCSSignatureFailed); virtual CFDictionaryRef infoDictionary(); + CFDictionaryRef diskRepInformation(); CFDictionaryRef entitlements(); + CFDataRef copyComponent(CodeDirectory::SpecialSlot slot, CFDataRef hash); CFDictionaryRef resourceDictionary(bool check = true); CFURLRef resourceBase(); - CFDataRef resource(std::string path); - CFDataRef resource(std::string path, ValidationContext &ctx); void validateResource(CFDictionaryRef files, std::string path, bool isSymlink, ValidationContext &ctx, SecCSFlags flags, uint32_t version); void validateSymlinkResource(std::string fullpath, std::string seal, ValidationContext &ctx, SecCSFlags flags); - + bool flag(uint32_t tested); SecCodeCallback monitor() const { return mMonitor; } @@ -161,18 +168,21 @@ public: { assert(validated()); return mValidated && (mValidationResult == errSecSuccess); } bool validatedExecutable() const { return mExecutableValidated; } bool validatedResources() const { return mResourcesValidated; } - + void prepareProgress(unsigned workload); void cancelValidation(); void validateDirectory(); virtual void validateComponent(CodeDirectory::SpecialSlot slot, OSStatus fail = errSecCSSignatureFailed); void validateNonResourceComponents(); + void validateTopDirectory(); unsigned estimateResourceWorkload(); void validateResources(SecCSFlags flags); void validateExecutable(); void validateNestedCode(CFURLRef path, const ResourceSeal &seal, SecCSFlags flags, bool isFramework); + void validatePlainMemoryResource(string path, CFDataRef fileData, SecCSFlags flags); + const Requirements *internalRequirements(); const Requirement *internalRequirement(SecRequirementType type); const Requirement *designatedRequirement(); @@ -189,27 +199,48 @@ public: CFDictionaryRef signingInformation(SecCSFlags flags); // omnibus information-gathering API (creates new dictionary) - static bool isAppleDeveloperCert(CFArrayRef certs); // determines if this is an apple developer certificate for libraray validation + static bool isAppleDeveloperCert(CFArrayRef certs); // determines if this is an apple developer certificate for library validation +#if !TARGET_OS_OSX + bool trustedSigningCertChain() { return mTrustedSigningCertChain; } +#endif + + void handleOtherArchitectures(void (^handle)(SecStaticCode* other)); + uint8_t cmsDigestHashType() const { return mCMSDigestHashType; }; + CFDataRef createCmsDigest(); public: void staticValidate(SecCSFlags flags, const SecRequirement *req); void staticValidateCore(SecCSFlags flags, const SecRequirement *req); +protected: + bool loadCodeDirectories(CodeDirectoryMap& cdMap) const; + protected: CFDictionaryRef getDictionary(CodeDirectory::SpecialSlot slot, bool check = true); // component value as a dictionary bool verifySignature(); - CFArrayRef verificationPolicies(); + CFArrayRef createVerificationPolicies(); + CFArrayRef createTimeStampingAndRevocationPolicies(); + + // load preferred rules/files dictionaries (cached therein) + bool loadResources(CFDictionaryRef& rules, CFDictionaryRef& files, uint32_t& version); static void checkOptionalResource(CFTypeRef key, CFTypeRef value, void *context); bool hasWeakResourceRules(CFDictionaryRef rulesDict, uint32_t version, CFArrayRef allowedOmissions); - void handleOtherArchitectures(void (^handle)(SecStaticCode* other)); - private: void validateOtherVersions(CFURLRef path, SecCSFlags flags, SecRequirementRef req, SecStaticCode *code); + bool checkfix30814861(string path, bool addition); + bool checkfix41082220(OSStatus result); + ResourceBuilder *mCheckfix30814861builder1; + dispatch_once_t mCheckfix30814861builder1_once; + private: + static const uint8_t mCMSDigestHashType = kSecCodeSignatureHashSHA256; + // hash of CMS digest (kSecCodeSignatureHash* constant) RefPointer mRep; // on-disk representation + mutable CodeDirectoryMap mCodeDirectories; // available CodeDirectory blobs by digest type + mutable CFRef mBaseDir; // the primary CodeDirectory blob (whether it's chosen or not) CFRef mDetachedSig; // currently applied explicit detached signature // private validation modifiers (only used by Gatekeeper checkfixes) @@ -243,9 +274,9 @@ private: const SecStaticCode *mOuterScope; // containing code (if this is a nested validation; weak) ResourceBuilder *mResourceScope; // current Resource validation stack (while validating; weak) - // cached contents - CFRef mDir; // code directory data + mutable CFRef mDir; // code directory data + mutable CodeDirectory::HashAlgorithms mHashAlgorithms; // available hash algorithms CFRef mSignature; // CMS signature data CFAbsoluteTime mSigningTime; // (signed) signing time CFAbsoluteTime mSigningTimestamp; // Timestamp time (from timestamping authority) @@ -256,8 +287,10 @@ private: CFRef mEntitlements; // derived from mCache slot CFRef mResourceDict; // derived from mCache slot const Requirement *mDesignatedReq; // cached designated req if we made one up - CFRef mCDHash; // hash of CodeDirectory - + CFRef mCDHash; // hash of chosen CodeDirectory + CFRef mCDHashes; // hashes of all CodeDirectories (in digest type code order) + CFRef mCDHashFullDict; // untruncated hashes of CodeDirectories (as dictionary) + bool mGotResourceBase; // asked mRep for resourceBasePath CFRef mResourceBase; // URL form of resource base directory @@ -265,10 +298,20 @@ private: LimitedAsync *mLimitedAsync; // limited async workers for verification + uint32_t mFlags; // flags from creation + bool mNotarizationChecked; // ensure notarization check only performed once + bool mStaplingChecked; // ensure stapling check only performed once + double mNotarizationDate; // the notarization ticket's date, if online check failed + // signature verification outcome (mTrust == NULL => not done yet) CFRef mTrust; // outcome of crypto validation (valid or not) CFRef mCertChain; - CSSM_TP_APPLE_EVIDENCE_INFO *mEvalDetails; +#if TARGET_OS_OSX + CSSM_TP_APPLE_EVIDENCE_INFO *mEvalDetails; +#else + bool mTrustedSigningCertChain; +#endif + };