X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/Security/libsecurity_codesigning/lib/SecRequirementPriv.h
diff --git a/Security/libsecurity_codesigning/lib/SecRequirementPriv.h b/Security/libsecurity_codesigning/lib/SecRequirementPriv.h
new file mode 100644
index 00000000..c7ad3683
--- /dev/null
+++ b/Security/libsecurity_codesigning/lib/SecRequirementPriv.h
@@ -0,0 +1,197 @@
+/*
+ * Copyright (c) 2006,2011-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*!
+ @header SecRequirement
+ SecRequirementPriv is the private counter-part to SecRequirement. Its contents are not
+ official API, and are subject to change without notice.
+*/
+#ifndef _H_SECREQUIREMENTPRIV
+#define _H_SECREQUIREMENTPRIV
+
+#include 
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/*!
+ @function SecRequirementsCreateFromRequirements
+ Take a dictionary of requirement objects and package them up as a requirement set.
+
+ @param requirements A dictionary of requirements to combine into a set.
+ Dictionary keys are CFNumbers representing the index keys. Values are SecRequirementRefs.
+ NULL requirements are not allowed in the dictionary.
+ @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
+ @param requirementSet Upon success, receives a CFData object
+ @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
+ CSCommon.h or certain other Security framework headers.
+*/
+OSStatus SecRequirementsCreateFromRequirements(CFDictionaryRef requirements, SecCSFlags flags,
+ CFDataRef *requirementSet);
+
+
+/*!
+ @function SecRequirementsCopyRequirements
+ Create a SecRequirement object from binary form obtained from a file.
+ This call is functionally equivalent to reading the entire contents of a file
+ into a CFDataRef and then calling SecRequirementCreateWithData with that.
+
+ @param requirementSet A CFData containing a requirement set.
+ @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
+ @param requirements Upon success, a dictionary containing each requirement contained
+ in requirementSet. The keys are CFNumbers indicating the requirement type.
+ @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
+ CSCommon.h or certain other Security framework headers.
+*/
+OSStatus SecRequirementsCopyRequirements(CFDataRef requirementSet, SecCSFlags flags,
+ CFDictionaryRef *requirements);
+
+
+/*!
+ @function SecRequirementsCreateWithString
+ Create a SecRequirement object or requirement set based on the string provided.
+
+ @param text A CFString containing the text form of a (single) Code Requirement.
+ @param flags Optional flags. Pass kSecCSDefaultFlags to accept any supported input form.
+ Pass a combination of individual flags to select what forms to accept; other forms will result
+ in an error.
+ @param result Upon success, a CoreFoundation object of some kind representing
+ the result of parsing text. Depending on the input string and flags, the result
+ can be a SecRequirementRef (for a single requirement) or a CFDataRef for a requirement set.
+ @param errors An optional pointer to a CFErrorRef variable. If the call fails
+ (and something other than errSecSuccess is returned), and this argument is non-NULL,
+ a CFErrorRef is stored there further describing the nature and circumstances
+ of the failure. The caller must CFRelease() this error object when done with it.
+ @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
+ CSCommon.h or certain other Security framework headers.
+*/
+enum {
+ kSecCSParseRequirement = 0x0001, // accept single requirements
+ kSecCSParseRequirementSet = 0x0002, // accept requirement sets
+};
+
+OSStatus SecRequirementsCreateWithString(CFStringRef text, SecCSFlags flags,
+ CFTypeRef *result, CFErrorRef *errors);
+
+
+/*!
+ @function SecRequirementsCopyString
+ Converts a requirement object of some kind into text form.
+ This is the effective inverse of SecRequirementsCreateWithString.
+
+ This function can process individual requirements (SecRequirementRefs)
+ and requirement sets (represented as CFDataRefs).
+
+ Repeated application of this function may produce text that differs in
+ formatting, may contain different source comments, and may perform its
+ validation functions in different order. However, it is guaranteed that
+ recompiling the text using SecRequirementCreateWithString will produce a
+ SecRequirement object that behaves identically to the one you start with.
+
+ @param requirements A SecRequirementRef, or a CFDataRef containing a valid requirement set.
+ @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
+ @param text On successful return, contains a reference to a CFString object
+ containing a text representation of the requirement.
+ @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
+ CSCommon.h or certain other Security framework headers.
+*/
+OSStatus SecRequirementsCopyString(CFTypeRef input, SecCSFlags flags, CFStringRef *text);
+
+
+/*!
+ @function SecRequirementCreateWithResource
+ Create a SecRequirement object from binary form obtained from a file.
+ This call is functionally equivalent to reading the entire contents of a file
+ into a CFDataRef and then calling SecRequirementCreateWithData with that.
+
+ @param resource A CFURL identifying a file containing a (binary) requirement blob.
+ @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
+ @param requirement On successful return, contains a reference to a SecRequirement
+ object that behaves identically to the one the data blob was obtained from.
+ @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
+ CSCommon.h or certain other Security framework headers.
+*/
+OSStatus SecRequirementCreateWithResource(CFURLRef resource, SecCSFlags flags,
+ SecRequirementRef *requirement);
+
+
+/*!
+ @function SecRequirementCreateGroup
+ Create a SecRequirement object that represents membership in a developer-defined
+ application group. Group membership is defined by an entry in the code's
+ Info.plist, and sealed to a particular signing authority.
+
+ This is not an API-track function. Don't call it if you don't already do.
+
+ @param groupName A CFString containing the name of the desired application group.
+ @param anchor A reference to a digital certificate representing the signing
+ authority that asserts group membership. If NULL, indicates Apple's authority.
+ @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
+ @param requirement On successful return, contains a reference to a SecRequirement
+ object that requires group membership to pass validation.
+ @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
+ CSCommon.h or certain other Security framework headers.
+*/
+OSStatus SecRequirementCreateGroup(CFStringRef groupName, SecCertificateRef anchor,
+ SecCSFlags flags, SecRequirementRef *requirement);
+
+
+
+/*!
+ @function SecRequirementEvaluate
+ Explicitly evaluate a SecRequirementRef against context provided in the call.
+ This allows evaluation of a code requirement outside the context of a code signature.
+
+ @param requirement A valid SecRequirement object.
+ @param certificateChain A CFArray of SecCertificate objects describing the certificate
+ chain of the object being validated.
This must be a full chain terminating in an anchor
+ certificate that is cryptographically valid.
+ @param context An optional CFDictionary containing additional context made available
+ to the requirement program's evaluation. NULL is equivalent to an empty dictionary.
+ @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
+ @result Upon success, errSecSuccess. Failure to pass the check returns errSecCSReqFailed.
+ All other returns indicate errors as documented in CSCommon.h or certain other
+ Security framework headers.
+
+ @constant kSecRequirementKeyInfoPlist A context key providing an CFDictionary denoting
+ an Info.plist. If this key is missing, all references to Info.plist contents will fail.
+ @constant kSecRequirementKeyEntitlements A context key providing an CFDictionary describing
+ an entitlement dictionary. If this key is missing, all references to entitlements will fail.
+ @constant kSecRequirementKeyIdentifier A context key providing the signing identifier as a CFString.
+*/
+extern CFStringRef kSecRequirementKeyInfoPlist;
+extern CFStringRef kSecRequirementKeyEntitlements;
+extern CFStringRef kSecRequirementKeyIdentifier;
+
+OSStatus SecRequirementEvaluate(SecRequirementRef requirement,
+ CFArrayRef certificateChain, CFDictionaryRef context,
+ SecCSFlags flags);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif //_H_SECREQUIREMENTPRIV
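Review bot: The HeaderDoc for SecRequirementsCopyString documents `@param requirements`, but the declaration is `SecRequirementsCopyString(CFTypeRef input, SecCSFlags flags, CFStringRef *text)`, so the tag and the parameter name disagree; either rename the parameter or change the tag to `@param input A SecRequirementRef, or a CFDataRef containing a valid requirement set.` The description under SecRequirementsCopyRequirements ("binary form obtained from a file", "calling SecRequirementCreateWithData") is the same text as SecRequirementCreateWithResource's and does not match a function that takes a requirement-set CFData and returns a CFDictionary; a summary along the lines of `Unpack a requirement set (CFData) into a dictionary of its component SecRequirementRefs, keyed by CFNumber.` would be accurate to the declared signature, though the exact semantics should be confirmed against the implementation. For SecRequirementEvaluate the @param text demands a full chain ending in a "cryptographically valid" anchor but never says whether this call verifies that itself or trusts the caller, and the Info.plist, entitlements and identifier context are all caller-supplied, so I would add a discussion line such as `The caller is responsible for the trustworthiness of certificateChain and context; a passing result reflects only the inputs supplied here and is not a code-signature validation.` (worded as a contract to be confirmed with the implementation). Separately, the `#include` directive after the include guard has no file name in this rendering, presumably an angle-bracket stripping artifact, which is worth checking against the committed file.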