X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/641423b6670d8656d5daeaf988e7d307fb6c1ebc..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_codesigning/lib/SecAssessment.cpp diff --git a/OSX/libsecurity_codesigning/lib/SecAssessment.cpp b/OSX/libsecurity_codesigning/lib/SecAssessment.cpp index ff228381..1db11311 100644 --- a/OSX/libsecurity_codesigning/lib/SecAssessment.cpp +++ b/OSX/libsecurity_codesigning/lib/SecAssessment.cpp @@ -26,23 +26,16 @@ #include "policyengine.h" #include "xpcengine.h" #include "csutilities.h" +#include "xar++.h" #include +#include #include #include #include #include -#include using namespace CodeSigning; - -static void esp_do_check(const char *op, CFDictionaryRef dict) -{ - OSStatus result = __esp_check_ns(op, (void *)(CFDictionaryRef)dict); - if (result != noErr) - MacOSError::throwMe(result); -} - // // CF Objects // @@ -133,6 +126,8 @@ CFStringRef kSecAssessmentFeedbackProgress = CFSTR("feedback:progress"); CFStringRef kSecAssessmentFeedbackInfoCurrent = CFSTR("current"); CFStringRef kSecAssessmentFeedbackInfoTotal = CFSTR("total"); +CFStringRef kSecAssessmentContextKeyPrimarySignature = CFSTR("context:primary-signature"); + CFStringRef kSecAssessmentAssessmentVerdict = CFSTR("assessment:verdict"); CFStringRef kSecAssessmentAssessmentOriginator = CFSTR("assessment:originator"); CFStringRef kSecAssessmentAssessmentAuthority = CFSTR("assessment:authority"); 
@@ -140,9 +135,11 @@ CFStringRef kSecAssessmentAssessmentSource = CFSTR("assessment:authority:source" CFStringRef kSecAssessmentAssessmentAuthorityRow = CFSTR("assessment:authority:row"); CFStringRef kSecAssessmentAssessmentAuthorityOverride = CFSTR("assessment:authority:override"); CFStringRef kSecAssessmentAssessmentAuthorityOriginalVerdict = CFSTR("assessment:authority:verdict"); +CFStringRef kSecAssessmentAssessmentAuthorityFlags = CFSTR("assessment:authority:flags"); CFStringRef kSecAssessmentAssessmentFromCache = CFSTR("assessment:authority:cached"); CFStringRef kSecAssessmentAssessmentWeakSignature = CFSTR("assessment:authority:weak"); CFStringRef kSecAssessmentAssessmentCodeSigningError = CFSTR("assessment:cserror"); +CFStringRef kSecAssessmentAssessmentNotarizationDate = CFSTR("assessment:notarization-date"); CFStringRef kDisabledOverride = CFSTR("security disabled"); @@ -162,11 +159,6 @@ SecAssessmentRef SecAssessmentCreate(CFURLRef path, SYSPOLICY_ASSESS_API(cfString(path).c_str(), int(type), flags); try { - if (__esp_enabled() && (flags & kSecAssessmentFlagDirect)) { - CFTemp dict("{path=%O, flags=%d, context=%O, override=%d}", path, flags, context, overrideAssessment()); - esp_do_check("cs-assessment-evaluate", dict); - } - if (flags & kSecAssessmentFlagDirect) { // ask the engine right here to do its thing SYSPOLICY_ASSESS_LOCAL(); @@ -194,11 +186,6 @@ SecAssessmentRef SecAssessmentCreate(CFURLRef path, cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict); } - if (__esp_enabled() && (flags & kSecAssessmentFlagDirect)) { - CFTemp dict("{path=%O, flags=%d, context=%O, override=%d, result=%O}", path, flags, context, overrideAssessment(), (CFDictionaryRef)result); - __esp_notify_ns("cs-assessment-evaluate", (void *)(CFDictionaryRef)dict); - } - return new SecAssessment(path, type, result.yield()); END_CSAPI_ERRORS1(NULL) 
@@ -238,7 +225,7 @@ static void traceResult(CFURLRef target, MessageTrace &trace, std::string &sanit string identifier = "UNBUNDLED"; string version = "UNKNOWN"; - if (CFRef bundle = CFBundleCreate(NULL, target)) { + if (CFRef bundle = _CFBundleCreateUnique(NULL, target)) { if (CFStringRef ident = CFBundleGetIdentifier(bundle)) identifier = cfString(ident); if (CFStringRef vers = CFStringRef(CFBundleGetValueForInfoDictionaryKey(bundle, CFSTR("CFBundleShortVersionString")))) @@ -423,12 +410,7 @@ CFDictionaryRef SecAssessmentCopyUpdate(CFTypeRef target, CFRef result; // make context exist and writable - CFMutableDictionaryRef mcontext; - if (context == NULL) { - mcontext = makeCFMutableDictionary(); - } else { - mcontext = makeCFMutableDictionary(context); - } + CFRef mcontext = context ? makeCFMutableDictionary(context) : makeCFMutableDictionary(); if (CFDictionaryGetValue(mcontext, kSecAssessmentUpdateKeyAuthorization) == NULL) { // no authorization passed in. Make an empty one in this context @@ -442,13 +424,6 @@ CFDictionaryRef SecAssessmentCopyUpdate(CFTypeRef target, } if (flags & kSecAssessmentFlagDirect) { - if (__esp_enabled()) { - CFTemp dict("{target=%O, flags=%d, context=%O}", target, flags, context); - OSStatus esp_result = __esp_check_ns("cs-assessment-update", (void *)(CFDictionaryRef)dict); - if (esp_result != noErr) - return NULL; - } - // ask the engine right here to do its thing result = gEngine().update(target, flags, ctx); } else { 
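Review bot: The switch from CFBundleCreate to `_CFBundleCreateUnique` in traceResult carries no explanation, and because that is a private CoreFoundation SPI rather than the public API, the next maintainer needs to know why the cached bundle instance for this URL was not acceptable. Presumably the intent is that the traced identifier and version reflect the bundle currently on disk rather than an instance already loaded for the same path — confirm that, then record it with a comment such as `// uncached bundle: read identifier/version from the bundle on disk, not from a previously loaded instance for this URL`. The enclosing traceResult function starts and ends outside this hunk.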
@@ -456,15 +431,18 @@ CFDictionaryRef SecAssessmentCopyUpdate(CFTypeRef target, result = xpcEngineUpdate(target, flags, ctx); } - if (__esp_enabled() && (flags & kSecAssessmentFlagDirect)) { - CFTemp dict("{target=%O, flags=%d, context=%O, outcome=%O}", target, flags, context, (CFDictionaryRef)result); - __esp_notify_ns("cs-assessment-update", (void *)(CFDictionaryRef)dict); - } - traceUpdate(target, context, result); return result.yield(); - END_CSAPI_ERRORS1(false) + END_CSAPI_ERRORS1(NULL) +} + +static Boolean +updateAuthority(const char *authority, bool enable, CFErrorRef *errors) +{ + CFStringRef updateValue = enable ? kSecAssessmentUpdateOperationEnable : kSecAssessmentUpdateOperationDisable; + CFTemp ctx("{%O=%s, %O=%O}", kSecAssessmentUpdateKeyLabel, authority, kSecAssessmentContextKeyUpdate, updateValue); + return SecAssessmentUpdate(NULL, kSecCSDefaultFlags, ctx, errors); } @@ -476,9 +454,6 @@ Boolean SecAssessmentControl(CFStringRef control, void *arguments, CFErrorRef *e { BEGIN_CSAPI - CFTemp dict("{control=%O}", control); - esp_do_check("cs-assessment-control", dict); - if (CFEqual(control, CFSTR("ui-enable"))) { setAssessment(true); MessageTrace trace("com.apple.security.assessment.state", "enable"); 
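Review bot: The new static helper updateAuthority has no comment stating its contract, and since every ui-enable/ui-disable control now goes through it, its failure semantics matter: it forwards `errors` to SecAssessmentUpdate and returns that call's Boolean, so a false return presumably means the authority row is unchanged and `*errors` (when non-NULL) has been populated by the END_CSAPI_ERRORS1 machinery. A header such as `// Enable or disable the authority row labelled `authority` through SecAssessmentUpdate with kSecCSDefaultFlags (i.e. not direct, so via the XPC engine); returns false with *errors set on failure` would make that visible at the call sites. The context is built with a `%s` conversion from `authority`, so the comment should also say that the argument must be a plain C string label as the literals in this file are.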
@@ -497,26 +472,48 @@ Boolean SecAssessmentControl(CFStringRef control, void *arguments, CFErrorRef *e result = kCFBooleanTrue; return true; } else if (CFEqual(control, CFSTR("ui-enable-devid"))) { - CFTemp ctx("{%O=%s}", kSecAssessmentUpdateKeyLabel, "Developer ID"); - if (CFDictionaryRef result = gEngine().enable(NULL, kAuthorityInvalid, kSecCSDefaultFlags, ctx, false)) - CFRelease(result); + updateAuthority("Developer ID", true, errors); + updateAuthority("Notarized Developer ID", true, errors); MessageTrace trace("com.apple.security.assessment.state", "enable-devid"); trace.send("enable Developer ID approval"); return true; } else if (CFEqual(control, CFSTR("ui-disable-devid"))) { - CFTemp ctx("{%O=%s}", kSecAssessmentUpdateKeyLabel, "Developer ID"); - if (CFDictionaryRef result = gEngine().disable(NULL, kAuthorityInvalid, kSecCSDefaultFlags, ctx, false)) - CFRelease(result); + updateAuthority("Developer ID", false, errors); MessageTrace trace("com.apple.security.assessment.state", "disable-devid"); trace.send("disable Developer ID approval"); return true; - } else if (CFEqual(control, CFSTR("ui-get-devid"))) { + } else if (CFEqual(control, CFSTR("ui-get-devid"))) { + xpcEngineCheckDevID((CFBooleanRef*)(arguments)); + return true; + } else if (CFEqual(control, CFSTR("ui-get-devid-local"))) { CFBooleanRef &result = *(CFBooleanRef*)(arguments); if (gEngine().value("SELECT disabled FROM authority WHERE label = 'Developer ID';", true)) result = kCFBooleanFalse; else result = kCFBooleanTrue; return true; + } else if (CFEqual(control, CFSTR("ui-enable-notarized"))) { + updateAuthority("Notarized Developer ID", true, errors); + updateAuthority("Unnotarized Developer ID", true, errors); + MessageTrace trace("com.apple.security.assessment.state", "enable-notarized"); + trace.send("enable Notarized Developer ID approval"); + return true; + } else if (CFEqual(control, CFSTR("ui-disable-notarized"))) { + updateAuthority("Notarized Developer ID", false, errors); + 
updateAuthority("Unnotarized Developer ID", false, errors); + MessageTrace trace("com.apple.security.assessment.state", "disable-notarized"); + trace.send("disable Notarized Developer ID approval"); + return true; + } else if (CFEqual(control, CFSTR("ui-get-notarized"))) { + xpcEngineCheckNotarized((CFBooleanRef*)(arguments)); + return true; + } else if (CFEqual(control, CFSTR("ui-get-notarized-local"))) { + CFBooleanRef &result = *(CFBooleanRef*)(arguments); + if (gEngine().value("SELECT disabled FROM authority WHERE label = 'Notarized Developer ID';", true)) + result = kCFBooleanFalse; + else + result = kCFBooleanTrue; + return true; } else if (CFEqual(control, CFSTR("ui-record-reject"))) { // send this through syspolicyd for update validation xpcEngineRecord(CFDictionaryRef(arguments)); @@ -544,3 +541,51 @@ Boolean SecAssessmentControl(CFStringRef control, void *arguments, CFErrorRef *e END_CSAPI_ERRORS1(false) } + +Boolean SecAssessmentTicketRegister(CFDataRef ticketData, CFErrorRef *errors) +{ + BEGIN_CSAPI + + xpcEngineTicketRegister(ticketData); + return true; + + END_CSAPI_ERRORS1(false) +} + +Boolean SecAssessmentRegisterPackageTicket(CFURLRef packageURL, CFErrorRef* errors) +{ + BEGIN_CSAPI + + string path = cfString(packageURL); + Xar xar(path.c_str()); + + if (!xar) { + MacOSError::throwMe(errSecParam); + } + + xar.registerStapledNotarization(); + return true; + + END_CSAPI_ERRORS1(false) +} + +Boolean SecAssessmentTicketLookup(CFDataRef hash, SecCSDigestAlgorithm hashType, SecAssessmentTicketFlags flags, double *date, CFErrorRef *errors) +{ + BEGIN_CSAPI + + xpcEngineTicketLookup(hash, hashType, flags, date); + return true; + + END_CSAPI_ERRORS1(false) +} + +Boolean SecAssessmentLegacyCheck(CFDataRef hash, SecCSDigestAlgorithm hashType, CFStringRef teamID, CFErrorRef *errors) +{ + BEGIN_CSAPI + + xpcEngineLegacyCheck(hash, hashType, teamID); + return true; + + END_CSAPI_ERRORS1(false) +} +
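Review bot: In the ui-enable-devid, ui-disable-devid, ui-enable-notarized and ui-disable-notarized branches the Boolean returned by updateAuthority is discarded and the branch returns true unconditionally, so a failed policy update is reported to the caller as success, the success MessageTrace is still sent, and `*errors` may be left populated while the function returns true; the second call in each pair also passes the same `errors` slot again and may overwrite a CFErrorRef the first call already stored. Check each result and stop at the first failure, e.g. `if (!updateAuthority("Developer ID", true, errors) || !updateAuthority("Notarized Developer ID", true, errors)) return false;` and likewise in the other three branches. The asymmetry between ui-enable-devid, which touches both "Developer ID" and "Notarized Developer ID", and ui-disable-devid, which touches only "Developer ID", may well be intentional, but it deserves a one-line comment saying why disabling leaves the notarized row enabled. SecAssessmentControl starts before this hunk.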
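Review bot: The four new public entry points SecAssessmentTicketRegister, SecAssessmentRegisterPackageTicket, SecAssessmentTicketLookup and SecAssessmentLegacyCheck have no header comment, so their shared error contract (true on success, false with `*errors` set by END_CSAPI_ERRORS1 on failure) and the meaning of the `date` out-parameter of SecAssessmentTicketLookup are stated nowhere visible. For SecAssessmentRegisterPackageTicket a comment such as `// Open the package at packageURL as a xar archive and register the notarization ticket stapled to it; fails with errSecParam (false, *errors set) when the path cannot be opened as xar` matches what the body does, while the lookup and legacy-check wrappers should say whether `*date` is written on a miss and what `hash` must contain for each hashType, neither of which can be determined from this file. None of the wrappers rejects a NULL `ticketData` or `hash` before handing it to the XPC engine; unless the engine side is known to validate, a local `if (hash == NULL) MacOSError::throwMe(errSecParam);` keeps that failure at the API boundary rather than inside the XPC layer.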