X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/5c19dc3ae3bd8e40a9c028b0deddd50ff337692c..918dce6758f4f57e8c0b650cb5eead501f6684ca:/OSX/libsecurity_codesigning/lib/SecCodePriv.h?ds=inline diff --git a/OSX/libsecurity_codesigning/lib/SecCodePriv.h b/OSX/libsecurity_codesigning/lib/SecCodePriv.h index 158121a9..d88239c8 100644 --- a/OSX/libsecurity_codesigning/lib/SecCodePriv.h +++ b/OSX/libsecurity_codesigning/lib/SecCodePriv.h @@ -38,12 +38,20 @@ extern "C" { /* * Private constants for SecCodeCopySigningInformation. - * These are returned with the */ +extern const CFStringRef kSecCodeInfoCdHashesFull; /* Internal */ extern const CFStringRef kSecCodeInfoCodeDirectory; /* Internal */ extern const CFStringRef kSecCodeInfoCodeOffset; /* Internal */ +extern const CFStringRef kSecCodeInfoDiskRepInfo; /* Internal */ extern const CFStringRef kSecCodeInfoResourceDirectory; /* Internal */ +extern const CFStringRef kSecCodeInfoNotarizationDate; /* Internal */ +extern const CFStringRef kSecCodeInfoCMSDigestHashType; /* Internal */ +extern const CFStringRef kSecCodeInfoCMSDigest; /* Internal */ +extern const CFStringRef kSecCodeInfoDiskRepVersionPlatform; /* Number */ +extern const CFStringRef kSecCodeInfoDiskRepVersionMin; /* Number */ +extern const CFStringRef kSecCodeInfoDiskRepVersionSDK; /* Number */ +extern const CFStringRef kSecCodeInfoDiskRepNoLibraryValidation; /* String */ /*! @function SecCodeGetStatus @@ -70,6 +78,13 @@ extern const CFStringRef kSecCodeInfoResourceDirectory; /* Internal */ */ OSStatus SecCodeGetStatus(SecCodeRef code, SecCSFlags flags, SecCodeStatus *status); +typedef uint32_t SecCodeStatusOperation; +enum { + kSecCodeOperationNull = 0, + kSecCodeOperationInvalidate = 1, + kSecCodeOperationSetHard = 2, + kSecCodeOperationSetKill = 3, +}; /*! @function SecCodeSetStatus 
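Review bot: The nine keys added under `* Private constants for SecCodeCopySigningInformation.` are annotated inconsistently: kSecCodeInfoCdHashesFull, kSecCodeInfoDiskRepInfo, kSecCodeInfoNotarizationDate, kSecCodeInfoCMSDigestHashType and kSecCodeInfoCMSDigest say only `/* Internal */`, while the four DiskRep version keys in the same hunk name their value class (`/* Number */`, `/* String */`). A consumer that reads the signing-information dictionary to check the CMS digest has to guess whether kSecCodeInfoCMSDigestHashType is a CFNumber in the kSecCodeSignatureHash* space of CSCommon.h and whether kSecCodeInfoCMSDigest is CFData, and guessing wrong there weakens a verification check without any error. I would state the class on each new line, e.g. `extern const CFStringRef kSecCodeInfoCMSDigestHashType; /* Number, kSecCodeSignatureHash* value — confirm */` and `extern const CFStringRef kSecCodeInfoCMSDigest; /* Data — confirm */`, and say for kSecCodeInfoCdHashesFull whether the value is a single CFData or an array. Presumably the intended convention is the one the public kSecCodeInfo* keys use in SecCode.h; matching it would make the private keys self-describing.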
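Review bot: The SecCodeStatusOperation enumerators moved above SecCodeSetStatus (kSecCodeOperationNull through kSecCodeOperationSetKill) carry no documentation, so after the move there is still nothing in this header that says what each operation does to the code's dynamic status or which operations consume the `arguments` dictionary. Since the block is being relocated anyway, I would add a one-line comment per enumerator; presumably kSecCodeOperationSetHard and kSecCodeOperationSetKill set the kSecCodeStatusHard and kSecCodeStatusKill bits that SecCodeGetStatus reports and kSecCodeOperationInvalidate marks the code invalid, but that needs confirming against the implementation before it is written down. A point of style: the hunk near the end of this same file declares kSecCSStrictValidateStructure with `CF_ENUM(uint32_t)`, so `typedef CF_ENUM(uint32_t, SecCodeStatusOperation) {` would make the two private enums consistent and tie the enumerators to the typedef's type.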
@@ -78,20 +93,10 @@ OSStatus SecCodeGetStatus(SecCodeRef code, SecCSFlags flags, SecCodeStatus *stat @param code A valid SecCode object reference representing code running on the system. @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. - @param status Upon successful return, contains the dynamic status of code as - determined by its host. @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in CSCommon.h or certain other Security framework headers. */ -typedef uint32_t SecCodeStatusOperation; -enum { - kSecCodeOperationNull = 0, - kSecCodeOperationInvalidate = 1, - kSecCodeOperationSetHard = 2, - kSecCodeOperationSetKill = 3, -}; - OSStatus SecCodeSetStatus(SecCodeRef code, SecCodeStatusOperation operation, CFDictionaryRef arguments, SecCSFlags flags); 
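Review bot: After the stale `@param status` lines are removed, the SecCodeSetStatus doc comment documents only `code` and `flags`, while the prototype at the end of the hunk also takes `operation` and `arguments`, so the two parameters that actually select the status change are the undocumented ones. I would add `@param operation The status change to apply; one of the SecCodeStatusOperation values.` and `@param arguments Operation-specific arguments, or NULL when the operation takes none.` directly after the `@param flags` line; whether NULL is accepted for arguments is not visible here and should be checked against the implementation before that wording is final. The doc comment this hunk edits begins above the hunk.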
@@ -124,24 +129,28 @@ OSStatus SecCodeCopyInternalRequirement(SecStaticCodeRef code, SecRequirementTyp SecCSFlags flags, SecRequirementRef *requirement); +#if TARGET_OS_OSX /*! - @function SecCodeCreateWithPID + @function SecCodeCreateWithAuditToken Asks the kernel to return a SecCode object for a process identified - by a UNIX process id (pid). This is a shorthand for asking SecGetRootCode() - for a guest whose "pid" attribute has the given pid value. + by a UNIX audit token. This is a shorthand for asking SecGetRootCode() + for a guest whose "audit" attribute has the given audit token. - This is a deprecated convenience function. - Call SecCodeCopyGuestWithAttributes instead. - - @param pid A process id for an existing UNIX process on the system. + @param audit A process audit token for an existing UNIX process on the system. @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. @param process On successful return, a SecCode object reference identifying the requesteed process. @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in CSCommon.h or certain other Security framework headers. */ +OSStatus SecCodeCreateWithAuditToken(const audit_token_t *audit, + SecCSFlags flags, SecCodeRef *process) + AVAILABLE_MAC_OS_X_VERSION_10_15_AND_LATER; + +/* Deprecated and unsafe, DO NOT USE. */ OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *process) AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_6; +#endif /* 
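Review bot: The new `/* Deprecated and unsafe, DO NOT USE. */` above SecCodeCreateWithPID says neither why the pid form is unsafe nor what replaces it, even though the replacement is declared immediately above it and the deleted doc lines used to name SecCodeCopyGuestWithAttributes. I would write `/* Deprecated and unsafe: a pid can be reused by another process between lookup and use; use SecCodeCreateWithAuditToken or SecCodeCopyGuestWithAttributes instead. */`. SecCodeCreateWithAuditToken takes a `const audit_token_t *`, but no include providing that type appears in this hunk; if SecCodePriv.h does not already include a header that declares audit_token_t, a consumer that includes only this header will fail to compile on macOS. The context line `the requesteed process.` carries a typo that could be fixed while this comment is being edited.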
@@ -178,6 +187,61 @@ OSStatus SecCodeSetDetachedSignature(SecStaticCodeRef code, CFDataRef signature,
 SecCSFlags flags);
 
 
+
+/*
+ @function SecCodeCopyComponent
+ For a SecStaticCodeRef, directly retrieve the binary blob for a special slot,
+ optionally checking that its native hash is the one given.
+
+ @param code A code or StaticCode object.
+ @param slot The (positive) special slot number requested.
+ @param hash A CFDataRef containing the native slot hash for the slot requested.
+ @result NULL if anything went wrong (including a missing slot), or a CFDataRef
+ containing the slot data.
+ */
+CFDataRef SecCodeCopyComponent(SecCodeRef code, int slot, CFDataRef hash);
+
+
+/*
+ @function SecCodeValidateFileResource
+ For a SecStaticCodeRef, check that a given CFData object faithfully represents
+ a plain-file resource in its resource seal.
+ This call will fail if the file is missing in the bundle, even if it is optional.
+
+ @param code A code or StaticCode object.
+ @param relativePath A CFStringRef containing the relative path to a sealed resource
+ file. This path is relative to the resource base, which is either Contents or
+ the bundle root, depending on bundle format.
+ @param fileData A CFDataRef containing the exact contents of that resource file.
+ @param flags Pass kSecCSDefaultFlags.
+ @result noErr if fileData is the exact content of the file at relativePath at the
+ time it was signed. Various error codes if it is different, there was no such file,
+ it was not a plain file, or anything is irregular.
+*/
+OSStatus SecCodeValidateFileResource(SecStaticCodeRef code, CFStringRef relativePath, CFDataRef fileData, SecCSFlags flags);
+
+
+/*
+ @constant kSecCSStrictValidateStructure
+ A subset of the work kSecCSStrictValidate performs, omitting work that
+ is unnecessary on some platforms. Since the definition of what can be
+ omitted is in flux, and since we would like to remove that notion
+ entirely eventually, we makes this a private flag.
+ */
+CF_ENUM(uint32_t) {
+ kSecCSStrictValidateStructure = 1 << 13,
+};
+
+#if TARGET_OS_OSX
+/* Here just to make TAPI happy. */
+extern int GKBIS_DS_Store_Present;
+extern int GKBIS_Dot_underbar_Present;
+extern int GKBIS_Num_localizations;
+extern int GKBIS_Num_files;
+extern int GKBIS_Num_dirs;
+extern int GKBIS_Num_symlinks;
+#endif /* TARGET_OS_OSX */
+
 #ifdef __cplusplus
 }
 #endif
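Review bot: SecCodeCopyComponent's documentation says the hash check is optional and that the result is `NULL if anything went wrong`, but it states neither what passing `hash == NULL` means nor that a hash mismatch and a missing slot are indistinguishable to the caller; a caller that omits the hash presumably gets unverified slot data back, and that deserves to be said explicitly. I would change the `@param hash` line to `@param hash A CFDataRef containing the native slot hash the slot must match, or NULL to return the slot data without checking it (confirm against the implementation).` and have `@result` name a hash mismatch as one of the NULL cases. The prototype takes `SecCodeRef` while its own doc (`For a SecStaticCodeRef`, `A code or StaticCode object`) and the sibling SecCodeValidateFileResource use `SecStaticCodeRef`; unless the implementation needs a dynamic code object, `CFDataRef SecCodeCopyComponent(SecStaticCodeRef code, int slot, CFDataRef hash);` matches the documented contract, and `int slot` should say what happens for a negative value given the `(positive)` in the doc. Smaller points: SecCodeValidateFileResource's `@result noErr` should read `errSecSuccess` like the rest of this header, `we makes this a private flag` should be `we make`, and since kSecCSStrictValidateStructure lives in the same SecCSFlags bit space as the public flags, its comment should name which public flag set `1 << 13` must stay clear of.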