X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/72a12576750f52947eb043106ba5c12c0d07decf..b1ab9ed8d0e0f1c3b66d7daa8fd5564444c56195:/libsecurity_codesigning/lib/SecCodePriv.h diff --git a/libsecurity_codesigning/lib/SecCodePriv.h b/libsecurity_codesigning/lib/SecCodePriv.h new file mode 100644 index 00000000..54759b82 --- /dev/null +++ b/libsecurity_codesigning/lib/SecCodePriv.h @@ -0,0 +1,185 @@ +/* + * Copyright (c) 2006-2007 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/*! + @header SecCodePriv + SecCodePriv is the private counter-part to SecCode. Its contents are not + official API, and are subject to change without notice. +*/ +#ifndef _H_SECCODEPRIV +#define _H_SECCODEPRIV + +#include + +#ifdef __cplusplus +extern "C" { +#endif + + +/* + * Private constants for SecCodeCopySigningInformation. + * These are returned with the + */ +extern const CFStringRef kSecCodeInfoCodeDirectory; /* Internal */ +extern const CFStringRef kSecCodeInfoCodeOffset; /* Internal */ +extern const CFStringRef kSecCodeInfoResourceDirectory; /* Internal */ + + +/*! + @function SecCodeGetStatus + Retrieves the dynamic status for a SecCodeRef. + + The dynamic status of a code can change at any time; the value returned is a snapshot + in time that is inherently stale by the time it is received by the caller. However, + since the status bits can only change in certain ways, some information is indefinitely + valid. For example, an indication of invalidity (kSecCodeStatusValid bit off) is permanent + since the valid bit cannot be set once clear, while an indication of validity (bit set) + may already be out of date. + Use this call with caution; it is usually wiser to call the validation API functions + and let then consider the status as part of their holistic computation. However, + SecCodeGetStatus is useful at times to capture persistent (sticky) status configurations. + + @param code A valid SecCode object reference representing code running + on the system. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param status Upon successful return, contains the dynamic status of code as + determined by its host. + + @result Upon success, noErr. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. + */ +OSStatus SecCodeGetStatus(SecCodeRef code, SecCSFlags flags, SecCodeStatus *status); + + +/*! + @function SecCodeSetStatus + Change the dynamic status of a SecCodeRef. + + @param code A valid SecCode object reference representing code running + on the system. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param status Upon successful return, contains the dynamic status of code as + determined by its host. + + @result Upon success, noErr. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. + */ +typedef uint32_t SecCodeStatusOperation; +enum { + kSecCodeOperationNull = 0, + kSecCodeOperationInvalidate = 1, + kSecCodeOperationSetHard = 2, + kSecCodeOperationSetKill = 3, +}; + +OSStatus SecCodeSetStatus(SecCodeRef code, SecCodeStatusOperation operation, + CFDictionaryRef arguments, SecCSFlags flags); + + +/*! + @function SecCodeCopyInternalRequirement + For a given Code or StaticCode object, retrieves a particular kind of internal + requirement that was sealed during signing. + + This function will always fail for unsigned code. Requesting a type of internal + requirement that was not given during signing is not an error. + + Specifying a type of kSecDesignatedRequirementType is not the same as calling + SecCodeCopyDesignatedRequirement. This function will only return an explicit + Designated Requirement if one was specified during signing. SecCodeCopyDesignatedRequirement + will synthesize a suitable Designated Requirement if one was not given explicitly. + + @param code The Code or StaticCode object to be interrogated. For a Code + argument, its StaticCode is processed as per SecCodeCopyStaticCode. + @param type A SecRequirementType specifying which internal requirement is being + requested. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param requirement On successful return, contains a copy of the internal requirement + of the given type included in the given code. If the code has no such internal + requirement, this argument is set to NULL (with no error). + @result On success, noErr. On error, an OSStatus value + documented in CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecCodeCopyInternalRequirement(SecStaticCodeRef code, SecRequirementType type, + SecCSFlags flags, SecRequirementRef *requirement); + + +/*! + @function SecCodeCreateWithPID + Asks the kernel to return a SecCode object for a process identified + by a UNIX process id (pid). This is a shorthand for asking SecGetRootCode() + for a guest whose "pid" attribute has the given pid value. + + This is a deprecated convenience function. + Call SecCodeCopyGuestWithAttributes instead. + + @param pid A process id for an existing UNIX process on the system. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param process On successful return, a SecCode object reference identifying + the requesteed process. + @result Upon success, noErr. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *process) + AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_6; + + +/* + @function SecCodeSetDetachedSignature + For a given Code or StaticCode object, explicitly specify the detached signature + data used to verify it. + This call unconditionally overrides any signature embedded in the Code and any + previously specified detached signature; only the signature data specified here + will be used from now on for this Code object. If NULL data is specified, the + code object is returned to its natural signing state (before a detached + signature was first attached to it). + Any call to this function voids all cached validations for the Code object. + Validations will be performed again as needed in the future. This call does not, + by itself, perform or trigger any validations. + Please note that it is possible to have multiple Code objects for the same static + or dynamic code entity in the system. This function only attaches signature data + to the particular SecStaticCodeRef involved. It is your responsibility to understand + the object graph and pick the right one(s). + + @param code A Code or StaticCode object whose signature information is to be changed. + @param signature A CFDataRef containing the signature data to be used for validating + the given Code. This must be exactly the data previously generated as a detached + signature by the SecCodeSignerAddSignature API or the codesign(1) command with + the -D/--detached option. + If signature is NULL, discards any previously set signature data and reverts + to using the embedded signature, if any. If not NULL, the data is retained and used + for future validation operations. + The data may be retained or copied. Behavior is undefined if this object + is modified after this call before it is replaced through another call to this + function). + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + */ +OSStatus SecCodeSetDetachedSignature(SecStaticCodeRef code, CFDataRef signature, + SecCSFlags flags); + + +#ifdef __cplusplus +} +#endif + +#endif //_H_SECCODE