X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/Security/libsecurity_codesigning/lib/StaticCode.cpp?ds=sidebyside diff --git a/Security/libsecurity_codesigning/lib/StaticCode.cpp b/Security/libsecurity_codesigning/lib/StaticCode.cpp new file mode 100644 index 00000000..7a5fb176 --- /dev/null +++ b/Security/libsecurity_codesigning/lib/StaticCode.cpp @@ -0,0 +1,1636 @@ +/* + * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// StaticCode - SecStaticCode API objects +// +#include "StaticCode.h" +#include "Code.h" +#include "reqmaker.h" +#include "drmaker.h" +#include "reqdumper.h" +#include "reqparser.h" +#include "sigblob.h" +#include "resources.h" +#include "detachedrep.h" +#include "csdatabase.h" +#include "csutilities.h" +#include "dirscanner.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +namespace Security { +namespace CodeSigning { + +using namespace UnixPlusPlus; + +// A requirement representing a Mac or iOS dev cert, a Mac or iOS distribution cert, or a developer ID +static const char WWDRRequirement[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.2] exists"; +static const char MACWWDRRequirement[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.12] exists"; +static const char developerID[] = "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists" + " and certificate leaf[field.1.2.840.113635.100.6.1.13] exists"; +static const char distributionCertificate[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.7] exists"; +static const char iPhoneDistributionCert[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.4] exists"; + +// +// Map a component slot number to a suitable error code for a failure +// +static inline OSStatus errorForSlot(CodeDirectory::SpecialSlot slot) +{ + switch (slot) { + case cdInfoSlot: + return errSecCSInfoPlistFailed; + case cdResourceDirSlot: + return errSecCSResourceDirectoryFailed; + default: + return errSecCSSignatureFailed; + } +} + + +// +// Construct a SecStaticCode object given a disk representation object +// +SecStaticCode::SecStaticCode(DiskRep *rep) + : mRep(rep), + mValidated(false), mExecutableValidated(false), mResourcesValidated(false), mResourcesValidContext(NULL), + mDesignatedReq(NULL), mGotResourceBase(false), mMonitor(NULL), mEvalDetails(NULL) +{ + CODESIGN_STATIC_CREATE(this, rep); + CFRef codeDirectory = rep->codeDirectory(); + if (codeDirectory && CFDataGetLength(codeDirectory) <= 0) + MacOSError::throwMe(errSecCSSignatureInvalid); + checkForSystemSignature(); +} + + +// +// Clean up a SecStaticCode object +// +SecStaticCode::~SecStaticCode() throw() +try { + ::free(const_cast(mDesignatedReq)); + if (mResourcesValidContext) + delete mResourcesValidContext; +} catch (...) { + return; +} + + +// +// CF-level comparison of SecStaticCode objects compares CodeDirectory hashes if signed, +// and falls back on comparing canonical paths if (both are) not. +// +bool SecStaticCode::equal(SecCFObject &secOther) +{ + SecStaticCode *other = static_cast(&secOther); + CFDataRef mine = this->cdHash(); + CFDataRef his = other->cdHash(); + if (mine || his) + return mine && his && CFEqual(mine, his); + else + return CFEqual(CFRef(this->copyCanonicalPath()), CFRef(other->copyCanonicalPath())); +} + +CFHashCode SecStaticCode::hash() +{ + if (CFDataRef h = this->cdHash()) + return CFHash(h); + else + return CFHash(CFRef(this->copyCanonicalPath())); +} + + +// +// Invoke a stage monitor if registered +// +CFTypeRef SecStaticCode::reportEvent(CFStringRef stage, CFDictionaryRef info) +{ + if (mMonitor) + return mMonitor(this->handle(false), stage, info); + else + return NULL; +} + +void SecStaticCode::prepareProgress(unsigned int workload) +{ + { + StLock _(mCancelLock); + mCancelPending = false; // not cancelled + } + if (mValidationFlags & kSecCSReportProgress) { + mCurrentWork = 0; // nothing done yet + mTotalWork = workload; // totally fake - we don't know how many files we'll get to chew + } +} + +void SecStaticCode::reportProgress(unsigned amount /* = 1 */) +{ + if (mMonitor && (mValidationFlags & kSecCSReportProgress)) { + { + // if cancellation is pending, abort now + StLock _(mCancelLock); + if (mCancelPending) + MacOSError::throwMe(errSecCSCancelled); + } + // update progress and report + mCurrentWork += amount; + mMonitor(this->handle(false), CFSTR("progress"), CFTemp("{current=%d,total=%d}", mCurrentWork, mTotalWork)); + } +} + + +// +// Set validation conditions for fine-tuning legacy tolerance +// +static void addError(CFTypeRef cfError, void* context) +{ + if (CFGetTypeID(cfError) == CFNumberGetTypeID()) { + int64_t error; + CFNumberGetValue(CFNumberRef(cfError), kCFNumberSInt64Type, (void*)&error); + MacOSErrorSet* errors = (MacOSErrorSet*)context; + errors->insert(OSStatus(error)); + } +} + +void SecStaticCode::setValidationModifiers(CFDictionaryRef conditions) +{ + if (conditions) { + CFDictionary source(conditions, errSecCSDbCorrupt); + mAllowOmissions = source.get("omissions"); + if (CFArrayRef errors = source.get("errors")) + CFArrayApplyFunction(errors, CFRangeMake(0, CFArrayGetCount(errors)), addError, &this->mTolerateErrors); + } +} + + +// +// Request cancellation of a validation in progress. +// We do this by posting an abort flag that is checked periodically. +// +void SecStaticCode::cancelValidation() +{ + StLock _(mCancelLock); + if (!(mValidationFlags & kSecCSReportProgress)) // not using progress reporting; cancel won't make it through + MacOSError::throwMe(errSecCSInvalidFlags); + mCancelPending = true; +} + + +// +// Attach a detached signature. +// +void SecStaticCode::detachedSignature(CFDataRef sigData) +{ + if (sigData) { + mDetachedSig = sigData; + mRep = new DetachedRep(sigData, mRep->base(), "explicit detached"); + CODESIGN_STATIC_ATTACH_EXPLICIT(this, mRep); + } else { + mDetachedSig = NULL; + mRep = mRep->base(); + CODESIGN_STATIC_ATTACH_EXPLICIT(this, NULL); + } +} + + +// +// Consult the system detached signature database to see if it contains +// a detached signature for this StaticCode. If it does, fetch and attach it. +// We do this only if the code has no signature already attached. +// +void SecStaticCode::checkForSystemSignature() +{ + if (!this->isSigned()) { + SignatureDatabase db; + if (db.isOpen()) + try { + if (RefPointer dsig = db.findCode(mRep)) { + CODESIGN_STATIC_ATTACH_SYSTEM(this, dsig); + mRep = dsig; + } + } catch (...) { + } + } +} + + +// +// Return a descriptive string identifying the source of the code signature +// +string SecStaticCode::signatureSource() +{ + if (!isSigned()) + return "unsigned"; + if (DetachedRep *rep = dynamic_cast(mRep.get())) + return rep->source(); + return "embedded"; +} + + +// +// Do ::required, but convert incoming SecCodeRefs to their SecStaticCodeRefs +// (if possible). +// +SecStaticCode *SecStaticCode::requiredStatic(SecStaticCodeRef ref) +{ + SecCFObject *object = SecCFObject::required(ref, errSecCSInvalidObjectRef); + if (SecStaticCode *scode = dynamic_cast(object)) + return scode; + else if (SecCode *code = dynamic_cast(object)) + return code->staticCode(); + else // neither (a SecSomethingElse) + MacOSError::throwMe(errSecCSInvalidObjectRef); +} + +SecCode *SecStaticCode::optionalDynamic(SecStaticCodeRef ref) +{ + SecCFObject *object = SecCFObject::required(ref, errSecCSInvalidObjectRef); + if (dynamic_cast(object)) + return NULL; + else if (SecCode *code = dynamic_cast(object)) + return code; + else // neither (a SecSomethingElse) + MacOSError::throwMe(errSecCSInvalidObjectRef); +} + + +// +// Void all cached validity data. +// +// We also throw out cached components, because the new signature data may have +// a different idea of what components should be present. We could reconcile the +// cached data instead, if performance seems to be impacted. +// +void SecStaticCode::resetValidity() +{ + CODESIGN_EVAL_STATIC_RESET(this); + mValidated = false; + mExecutableValidated = mResourcesValidated = false; + if (mResourcesValidContext) { + delete mResourcesValidContext; + mResourcesValidContext = NULL; + } + mDir = NULL; + mSignature = NULL; + for (unsigned n = 0; n < cdSlotCount; n++) + mCache[n] = NULL; + mInfoDict = NULL; + mEntitlements = NULL; + mResourceDict = NULL; + mDesignatedReq = NULL; + mCDHash = NULL; + mGotResourceBase = false; + mTrust = NULL; + mCertChain = NULL; + mEvalDetails = NULL; + mRep->flush(); + + // we may just have updated the system database, so check again + checkForSystemSignature(); +} + + +// +// Retrieve a sealed component by special slot index. +// If the CodeDirectory has already been validated, validate against that. +// Otherwise, retrieve the component without validation (but cache it). Validation +// will go through the cache and validate all cached components. +// +CFDataRef SecStaticCode::component(CodeDirectory::SpecialSlot slot, OSStatus fail /* = errSecCSSignatureFailed */) +{ + assert(slot <= cdSlotMax); + + CFRef &cache = mCache[slot]; + if (!cache) { + if (CFRef data = mRep->component(slot)) { + if (validated()) // if the directory has been validated... + if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), // ... and it's no good + CFDataGetLength(data), -slot)) + MacOSError::throwMe(errorForSlot(slot)); // ... then bail + cache = data; // it's okay, cache it + } else { // absent, mark so + if (validated()) // if directory has been validated... + if (codeDirectory()->slotIsPresent(-slot)) // ... and the slot is NOT missing + MacOSError::throwMe(errorForSlot(slot)); // was supposed to be there + cache = CFDataRef(kCFNull); // white lie + } + } + return (cache == CFDataRef(kCFNull)) ? NULL : cache.get(); +} + + +// +// Get the CodeDirectory. +// Throws (if check==true) or returns NULL (check==false) if there is none. +// Always throws if the CodeDirectory exists but is invalid. +// NEVER validates against the signature. +// +const CodeDirectory *SecStaticCode::codeDirectory(bool check /* = true */) +{ + if (!mDir) { + if (mDir.take(mRep->codeDirectory())) { + const CodeDirectory *dir = reinterpret_cast(CFDataGetBytePtr(mDir)); + dir->checkIntegrity(); + } + } + if (mDir) + return reinterpret_cast(CFDataGetBytePtr(mDir)); + if (check) + MacOSError::throwMe(errSecCSUnsigned); + return NULL; +} + + +// +// Get the hash of the CodeDirectory. +// Returns NULL if there is none. +// +CFDataRef SecStaticCode::cdHash() +{ + if (!mCDHash) { + if (const CodeDirectory *cd = codeDirectory(false)) { + SHA1 hash; + hash(cd, cd->length()); + SHA1::Digest digest; + hash.finish(digest); + mCDHash.take(makeCFData(digest, sizeof(digest))); + CODESIGN_STATIC_CDHASH(this, digest, sizeof(digest)); + } + } + return mCDHash; +} + + +// +// Return the CMS signature blob; NULL if none found. +// +CFDataRef SecStaticCode::signature() +{ + if (!mSignature) + mSignature.take(mRep->signature()); + if (mSignature) + return mSignature; + MacOSError::throwMe(errSecCSUnsigned); +} + + +// +// Verify the signature on the CodeDirectory. +// If this succeeds (doesn't throw), the CodeDirectory is statically trustworthy. +// Any outcome (successful or not) is cached for the lifetime of the StaticCode. +// +void SecStaticCode::validateDirectory() +{ + // echo previous outcome, if any + if (!validated()) + try { + // perform validation (or die trying) + CODESIGN_EVAL_STATIC_DIRECTORY(this); + mValidationExpired = verifySignature(); + for (CodeDirectory::SpecialSlot slot = codeDirectory()->maxSpecialSlot(); slot >= 1; --slot) + if (mCache[slot]) // if we already loaded that resource... + validateComponent(slot, errorForSlot(slot)); // ... then check it now + mValidated = true; // we've done the deed... + mValidationResult = errSecSuccess; // ... and it was good + } catch (const CommonError &err) { + mValidated = true; + mValidationResult = err.osStatus(); + throw; + } catch (...) { + secdebug("staticCode", "%p validation threw non-common exception", this); + mValidated = true; + mValidationResult = errSecCSInternalError; + throw; + } + assert(validated()); + if (mValidationResult == errSecSuccess) { + if (mValidationExpired) + if ((mValidationFlags & kSecCSConsiderExpiration) + || (codeDirectory()->flags & kSecCodeSignatureForceExpiration)) + MacOSError::throwMe(CSSMERR_TP_CERT_EXPIRED); + } else + MacOSError::throwMe(mValidationResult); +} + + +// +// Load and validate the CodeDirectory and all components *except* those related to the resource envelope. +// Those latter components are checked by validateResources(). +// +void SecStaticCode::validateNonResourceComponents() +{ + this->validateDirectory(); + for (CodeDirectory::SpecialSlot slot = codeDirectory()->maxSpecialSlot(); slot >= 1; --slot) + switch (slot) { + case cdResourceDirSlot: // validated by validateResources + break; + default: + this->component(slot); // loads and validates + break; + } +} + + +// +// Get the (signed) signing date from the code signature. +// Sadly, we need to validate the signature to get the date (as a side benefit). +// This means that you can't get the signing time for invalidly signed code. +// +// We could run the decoder "almost to" verification to avoid this, but there seems +// little practical point to such a duplication of effort. +// +CFAbsoluteTime SecStaticCode::signingTime() +{ + validateDirectory(); + return mSigningTime; +} + +CFAbsoluteTime SecStaticCode::signingTimestamp() +{ + validateDirectory(); + return mSigningTimestamp; +} + + +// +// Verify the CMS signature on the CodeDirectory. +// This performs the cryptographic tango. It returns if the signature is valid, +// or throws if it is not. As a side effect, a successful return sets up the +// cached certificate chain for future use. +// Returns true if the signature is expired (the X.509 sense), false if it's not. +// Expiration is fatal (throws) if a secure timestamp is included, but not otherwise. +// +bool SecStaticCode::verifySignature() +{ + // ad-hoc signed code is considered validly signed by definition + if (flag(kSecCodeSignatureAdhoc)) { + CODESIGN_EVAL_STATIC_SIGNATURE_ADHOC(this); + return false; + } + + DTRACK(CODESIGN_EVAL_STATIC_SIGNATURE, this, (char*)this->mainExecutablePath().c_str()); + + // decode CMS and extract SecTrust for verification + CFRef cms; + MacOSError::check(CMSDecoderCreate(&cms.aref())); // create decoder + CFDataRef sig = this->signature(); + MacOSError::check(CMSDecoderUpdateMessage(cms, CFDataGetBytePtr(sig), CFDataGetLength(sig))); + this->codeDirectory(); // load CodeDirectory (sets mDir) + MacOSError::check(CMSDecoderSetDetachedContent(cms, mDir)); + MacOSError::check(CMSDecoderFinalizeMessage(cms)); + MacOSError::check(CMSDecoderSetSearchKeychain(cms, cfEmptyArray())); + CFRef vf_policies = verificationPolicies(); + CFRef ts_policies = SecPolicyCreateAppleTimeStampingAndRevocationPolicies(vf_policies); + CMSSignerStatus status; + MacOSError::check(CMSDecoderCopySignerStatus(cms, 0, vf_policies, + false, &status, &mTrust.aref(), NULL)); + + if (status != kCMSSignerValid) + MacOSError::throwMe(errSecCSSignatureFailed); + + // internal signing time (as specified by the signer; optional) + mSigningTime = 0; // "not present" marker (nobody could code sign on Jan 1, 2001 :-) + switch (OSStatus rc = CMSDecoderCopySignerSigningTime(cms, 0, &mSigningTime)) { + case errSecSuccess: + case errSecSigningTimeMissing: + break; + default: + MacOSError::throwMe(rc); + } + + // certified signing time (as specified by a TSA; optional) + mSigningTimestamp = 0; + switch (OSStatus rc = CMSDecoderCopySignerTimestampWithPolicy(cms, ts_policies, 0, &mSigningTimestamp)) { + case errSecSuccess: + case errSecTimestampMissing: + break; + default: + MacOSError::throwMe(rc); + } + + // set up the environment for SecTrust + if (mValidationFlags & kSecCSNoNetworkAccess) { + MacOSError::check(SecTrustSetNetworkFetchAllowed(mTrust,false)); // no network? + } + MacOSError::check(SecTrustSetAnchorCertificates(mTrust, cfEmptyArray())); // no anchors + MacOSError::check(SecTrustSetKeychains(mTrust, cfEmptyArray())); // no keychains + CSSM_APPLE_TP_ACTION_DATA actionData = { + CSSM_APPLE_TP_ACTION_VERSION, // version of data structure + CSSM_TP_ACTION_IMPLICIT_ANCHORS // action flags + }; + + for (;;) { // at most twice + MacOSError::check(SecTrustSetParameters(mTrust, + CSSM_TP_ACTION_DEFAULT, CFTempData(&actionData, sizeof(actionData)))); + + // evaluate trust and extract results + SecTrustResultType trustResult; + MacOSError::check(SecTrustEvaluate(mTrust, &trustResult)); + MacOSError::check(SecTrustGetResult(mTrust, &trustResult, &mCertChain.aref(), &mEvalDetails)); + + // if this is an Apple developer cert.... + if (teamID() && SecStaticCode::isAppleDeveloperCert(mCertChain)) { + CFRef teamIDFromCert; + if (CFArrayGetCount(mCertChain) > 0) { + /* Note that SecCertificateCopySubjectComponent sets the out paramater to NULL if there is no field present */ + MacOSError::check(SecCertificateCopySubjectComponent((SecCertificateRef)CFArrayGetValueAtIndex(mCertChain, Requirement::leafCert), + &CSSMOID_OrganizationalUnitName, + &teamIDFromCert.aref())); + + if (teamIDFromCert) { + CFRef teamIDFromCD = CFStringCreateWithCString(NULL, teamID(), kCFStringEncodingUTF8); + if (!teamIDFromCD) { + MacOSError::throwMe(errSecCSInternalError); + } + + if (CFStringCompare(teamIDFromCert, teamIDFromCD, 0) != kCFCompareEqualTo) { + Security::Syslog::error("Team identifier in the signing certificate (%s) does not match the team identifier (%s) in the code directory", cfString(teamIDFromCert).c_str(), teamID()); + MacOSError::throwMe(errSecCSSignatureInvalid); + } + } + } + } + + CODESIGN_EVAL_STATIC_SIGNATURE_RESULT(this, trustResult, mCertChain ? (int)CFArrayGetCount(mCertChain) : 0); + switch (trustResult) { + case kSecTrustResultProceed: + case kSecTrustResultUnspecified: + break; // success + case kSecTrustResultDeny: + MacOSError::throwMe(CSSMERR_APPLETP_TRUST_SETTING_DENY); // user reject + case kSecTrustResultInvalid: + assert(false); // should never happen + MacOSError::throwMe(CSSMERR_TP_NOT_TRUSTED); + default: + { + OSStatus result; + MacOSError::check(SecTrustGetCssmResultCode(mTrust, &result)); + // if we have a valid timestamp, CMS validates against (that) signing time and all is well. + // If we don't have one, may validate against *now*, and must be able to tolerate expiration. + if (mSigningTimestamp == 0) // no timestamp available + if (((result == CSSMERR_TP_CERT_EXPIRED) || (result == CSSMERR_TP_CERT_NOT_VALID_YET)) + && !(actionData.ActionFlags & CSSM_TP_ACTION_ALLOW_EXPIRED)) { + CODESIGN_EVAL_STATIC_SIGNATURE_EXPIRED(this); + actionData.ActionFlags |= CSSM_TP_ACTION_ALLOW_EXPIRED; // (this also allows postdated certs) + continue; // retry validation while tolerating expiration + } + MacOSError::throwMe(result); + } + } + + if (mSigningTimestamp) { + CFIndex rootix = CFArrayGetCount(mCertChain); + if (SecCertificateRef mainRoot = SecCertificateRef(CFArrayGetValueAtIndex(mCertChain, rootix-1))) + if (isAppleCA(mainRoot)) { + // impose policy: if the signature itself draws to Apple, then so must the timestamp signature + CFRef tsCerts; + MacOSError::check(CMSDecoderCopySignerTimestampCertificates(cms, 0, &tsCerts.aref())); + CFIndex tsn = CFArrayGetCount(tsCerts); + bool good = tsn > 0 && isAppleCA(SecCertificateRef(CFArrayGetValueAtIndex(tsCerts, tsn-1))); + if (!good) + MacOSError::throwMe(CSSMERR_TP_NOT_TRUSTED); + } + } + + return actionData.ActionFlags & CSSM_TP_ACTION_ALLOW_EXPIRED; + } +} + + +// +// Return the TP policy used for signature verification. +// This may be a simple SecPolicyRef or a CFArray of policies. +// The caller owns the return value. +// +static SecPolicyRef makeCRLPolicy() +{ + CFRef policy; + MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_CRL, &policy.aref())); + CSSM_APPLE_TP_CRL_OPTIONS options; + memset(&options, 0, sizeof(options)); + options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION; + options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET | CSSM_TP_ACTION_CRL_SUFFICIENT; + CSSM_DATA optData = { sizeof(options), (uint8 *)&options }; + MacOSError::check(SecPolicySetValue(policy, &optData)); + return policy.yield(); +} + +static SecPolicyRef makeOCSPPolicy() +{ + CFRef policy; + MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_OCSP, &policy.aref())); + CSSM_APPLE_TP_OCSP_OPTIONS options; + memset(&options, 0, sizeof(options)); + options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION; + options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT; + CSSM_DATA optData = { sizeof(options), (uint8 *)&options }; + MacOSError::check(SecPolicySetValue(policy, &optData)); + return policy.yield(); +} + +CFArrayRef SecStaticCode::verificationPolicies() +{ + CFRef core; + MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, + &CSSMOID_APPLE_TP_CODE_SIGNING, &core.aref())); + if (mValidationFlags & kSecCSNoNetworkAccess) { + // Skips all revocation since they require network connectivity + // therefore annihilates kSecCSEnforceRevocationChecks if present + CFRef no_revoc = SecPolicyCreateRevocation(kSecRevocationNetworkAccessDisabled); + return makeCFArray(2, core.get(), no_revoc.get()); + } + else if (mValidationFlags & kSecCSEnforceRevocationChecks) { + // Add CRL and OCSPPolicies + CFRef crl = makeCRLPolicy(); + CFRef ocsp = makeOCSPPolicy(); + return makeCFArray(3, core.get(), crl.get(), ocsp.get()); + } else { + return makeCFArray(1, core.get()); + } +} + + +// +// Validate a particular sealed, cached resource against its (special) CodeDirectory slot. +// The resource must already have been placed in the cache. +// This does NOT perform basic validation. +// +void SecStaticCode::validateComponent(CodeDirectory::SpecialSlot slot, OSStatus fail /* = errSecCSSignatureFailed */) +{ + assert(slot <= cdSlotMax); + CFDataRef data = mCache[slot]; + assert(data); // must be cached + if (data == CFDataRef(kCFNull)) { + if (codeDirectory()->slotIsPresent(-slot)) // was supposed to be there... + MacOSError::throwMe(fail); // ... and is missing + } else { + if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), CFDataGetLength(data), -slot)) + MacOSError::throwMe(fail); + } +} + + +// +// Perform static validation of the main executable. +// This reads the main executable from disk and validates it against the +// CodeDirectory code slot array. +// Note that this is NOT an in-memory validation, and is thus potentially +// subject to timing attacks. +// +void SecStaticCode::validateExecutable() +{ + if (!validatedExecutable()) { + try { + DTRACK(CODESIGN_EVAL_STATIC_EXECUTABLE, this, + (char*)this->mainExecutablePath().c_str(), codeDirectory()->nCodeSlots); + const CodeDirectory *cd = this->codeDirectory(); + if (!cd) + MacOSError::throwMe(errSecCSUnsigned); + AutoFileDesc fd(mainExecutablePath(), O_RDONLY); + fd.fcntl(F_NOCACHE, true); // turn off page caching (one-pass) + if (Universal *fat = mRep->mainExecutableImage()) + fd.seek(fat->archOffset()); + size_t pageSize = cd->pageSize ? (1 << cd->pageSize) : 0; + size_t remaining = cd->codeLimit; + for (uint32_t slot = 0; slot < cd->nCodeSlots; ++slot) { + size_t size = min(remaining, pageSize); + if (!cd->validateSlot(fd, size, slot)) { + CODESIGN_EVAL_STATIC_EXECUTABLE_FAIL(this, (int)slot); + MacOSError::throwMe(errSecCSSignatureFailed); + } + remaining -= size; + } + mExecutableValidated = true; + mExecutableValidResult = errSecSuccess; + } catch (const CommonError &err) { + mExecutableValidated = true; + mExecutableValidResult = err.osStatus(); + throw; + } catch (...) { + secdebug("staticCode", "%p executable validation threw non-common exception", this); + mExecutableValidated = true; + mExecutableValidResult = errSecCSInternalError; + throw; + } + } + assert(validatedExecutable()); + if (mExecutableValidResult != errSecSuccess) + MacOSError::throwMe(mExecutableValidResult); +} + + +// +// Perform static validation of sealed resources and nested code. +// +// This performs a whole-code static resource scan and effectively +// computes a concordance between what's on disk and what's in the ResourceDirectory. +// Any unsanctioned difference causes an error. +// +unsigned SecStaticCode::estimateResourceWorkload() +{ + // workload estimate = number of sealed files + CFDictionaryRef sealedResources = resourceDictionary(); + CFDictionaryRef files = cfget(sealedResources, "files2"); + if (files == NULL) + files = cfget(sealedResources, "files"); + return files ? unsigned(CFDictionaryGetCount(files)) : 0; +} + +void SecStaticCode::validateResources(SecCSFlags flags) +{ + // do we have a superset of this requested validation cached? + bool doit = true; + if (mResourcesValidated) { // have cached outcome + if (!(flags & kSecCSCheckNestedCode) || mResourcesDeep) // was deep or need no deep scan + doit = false; + } + if (doit) { + try { + // sanity first + CFDictionaryRef sealedResources = resourceDictionary(); + if (this->resourceBase()) // disk has resources + if (sealedResources) + /* go to work below */; + else + MacOSError::throwMe(errSecCSResourcesNotFound); + else // disk has no resources + if (sealedResources) + MacOSError::throwMe(errSecCSResourcesNotFound); + else + return; // no resources, not sealed - fine (no work) + + // found resources, and they are sealed + DTRACK(CODESIGN_EVAL_STATIC_RESOURCES, this, + (char*)this->mainExecutablePath().c_str(), 0); + + // scan through the resources on disk, checking each against the resourceDirectory + if (mValidationFlags & kSecCSFullReport) + mResourcesValidContext = new CollectingContext(*this); // collect all failures in here + else + mResourcesValidContext = new ValidationContext(*this); // simple bug-out on first error + + CFDictionaryRef rules; + CFDictionaryRef files; + uint32_t version; + if (CFDictionaryGetValue(sealedResources, CFSTR("files2"))) { // have V2 signature + rules = cfget(sealedResources, "rules2"); + files = cfget(sealedResources, "files2"); + version = 2; + } else { // only V1 available + rules = cfget(sealedResources, "rules"); + files = cfget(sealedResources, "files"); + version = 1; + } + if (!rules || !files) + MacOSError::throwMe(errSecCSResourcesInvalid); + // check for weak resource rules + bool strict = flags & kSecCSStrictValidate; + if (strict) { + if (hasWeakResourceRules(rules, version, mAllowOmissions)) + if (mTolerateErrors.find(errSecCSWeakResourceRules) == mTolerateErrors.end()) + MacOSError::throwMe(errSecCSWeakResourceRules); + if (version == 1) + if (mTolerateErrors.find(errSecCSWeakResourceEnvelope) == mTolerateErrors.end()) + MacOSError::throwMe(errSecCSWeakResourceEnvelope); + } + __block CFRef resourceMap = makeCFMutableDictionary(files); + string base = cfString(this->resourceBase()); + ResourceBuilder resources(base, base, rules, codeDirectory()->hashType, strict, mTolerateErrors); + diskRep()->adjustResources(resources); + resources.scan(^(FTSENT *ent, uint32_t ruleFlags, const char *relpath, ResourceBuilder::Rule *rule) { + validateResource(files, relpath, ent->fts_info == FTS_SL, *mResourcesValidContext, flags, version); + reportProgress(); + CFDictionaryRemoveValue(resourceMap, CFTempString(relpath)); + }); + + unsigned leftovers = unsigned(CFDictionaryGetCount(resourceMap)); + if (leftovers > 0) { + secdebug("staticCode", "%d sealed resource(s) not found in code", int(leftovers)); + CFDictionaryApplyFunction(resourceMap, SecStaticCode::checkOptionalResource, mResourcesValidContext); + } + + // now check for any errors found in the reporting context + mResourcesValidated = true; + mResourcesDeep = flags & kSecCSCheckNestedCode; + if (mResourcesValidContext->osStatus() != errSecSuccess) + mResourcesValidContext->throwMe(); + } catch (const CommonError &err) { + mResourcesValidated = true; + mResourcesDeep = flags & kSecCSCheckNestedCode; + mResourcesValidResult = err.osStatus(); + throw; + } catch (...) { + secdebug("staticCode", "%p executable validation threw non-common exception", this); + mResourcesValidated = true; + mResourcesDeep = flags & kSecCSCheckNestedCode; + mResourcesValidResult = errSecCSInternalError; + throw; + } + } + assert(validatedResources()); + if (mResourcesValidResult) + MacOSError::throwMe(mResourcesValidResult); + if (mResourcesValidContext->osStatus() != errSecSuccess) + mResourcesValidContext->throwMe(); +} + + +void SecStaticCode::checkOptionalResource(CFTypeRef key, CFTypeRef value, void *context) +{ + ValidationContext *ctx = static_cast(context); + ResourceSeal seal(value); + if (!seal.optional()) { + if (key && CFGetTypeID(key) == CFStringGetTypeID()) { + CFTempURL tempURL(CFStringRef(key), false, ctx->code.resourceBase()); + if (!tempURL.get()) { + ctx->reportProblem(errSecCSBadDictionaryFormat, kSecCFErrorResourceSeal, key); + } else { + ctx->reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, tempURL); + } + } else { + ctx->reportProblem(errSecCSBadResource, kSecCFErrorResourceSeal, key); + } + } +} + + +static bool isOmitRule(CFTypeRef value) +{ + if (CFGetTypeID(value) == CFBooleanGetTypeID()) + return value == kCFBooleanFalse; + CFDictionary rule(value, errSecCSResourceRulesInvalid); + return rule.get("omit") == kCFBooleanTrue; +} + +bool SecStaticCode::hasWeakResourceRules(CFDictionaryRef rulesDict, uint32_t version, CFArrayRef allowedOmissions) +{ + // compute allowed omissions + CFRef defaultOmissions = this->diskRep()->allowedResourceOmissions(); + if (!defaultOmissions) + MacOSError::throwMe(errSecCSInternalError); + CFRef allowed = CFArrayCreateMutableCopy(NULL, 0, defaultOmissions); + if (allowedOmissions) + CFArrayAppendArray(allowed, allowedOmissions, CFRangeMake(0, CFArrayGetCount(allowedOmissions))); + CFRange range = CFRangeMake(0, CFArrayGetCount(allowed)); + + // check all resource rules for weakness + string catchAllRule = (version == 1) ? "^Resources/" : "^.*"; + __block bool coversAll = false; + __block bool forbiddenOmission = false; + CFDictionary rules(rulesDict, errSecCSResourceRulesInvalid); + rules.apply(^(CFStringRef key, CFTypeRef value) { + string pattern = cfString(key, errSecCSResourceRulesInvalid); + if (pattern == catchAllRule && value == kCFBooleanTrue) { + coversAll = true; + return; + } + if (isOmitRule(value)) + forbiddenOmission |= !CFArrayContainsValue(allowed, range, key); + }); + + return !coversAll || forbiddenOmission; +} + + +// +// Load, validate, cache, and return CFDictionary forms of sealed resources. +// +CFDictionaryRef SecStaticCode::infoDictionary() +{ + if (!mInfoDict) { + mInfoDict.take(getDictionary(cdInfoSlot, errSecCSInfoPlistFailed)); + secdebug("staticCode", "%p loaded InfoDict %p", this, mInfoDict.get()); + } + return mInfoDict; +} + +CFDictionaryRef SecStaticCode::entitlements() +{ + if (!mEntitlements) { + validateDirectory(); + if (CFDataRef entitlementData = component(cdEntitlementSlot)) { + validateComponent(cdEntitlementSlot); + const EntitlementBlob *blob = reinterpret_cast(CFDataGetBytePtr(entitlementData)); + if (blob->validateBlob()) { + mEntitlements.take(blob->entitlements()); + secdebug("staticCode", "%p loaded Entitlements %p", this, mEntitlements.get()); + } + // we do not consider a different blob type to be an error. We think it's a new format we don't understand + } + } + return mEntitlements; +} + +CFDictionaryRef SecStaticCode::resourceDictionary(bool check /* = true */) +{ + if (mResourceDict) // cached + return mResourceDict; + if (CFRef dict = getDictionary(cdResourceDirSlot, check)) + if (cfscan(dict, "{rules=%Dn,files=%Dn}")) { + secdebug("staticCode", "%p loaded ResourceDict %p", + this, mResourceDict.get()); + return mResourceDict = dict; + } + // bad format + return NULL; +} + + +// +// Load and cache the resource directory base. +// Note that the base is optional for each DiskRep. +// +CFURLRef SecStaticCode::resourceBase() +{ + if (!mGotResourceBase) { + string base = mRep->resourcesRootPath(); + if (!base.empty()) + mResourceBase.take(makeCFURL(base, true)); + mGotResourceBase = true; + } + return mResourceBase; +} + + +// +// Load a component, validate it, convert it to a CFDictionary, and return that. +// This will force load and validation, which means that it will perform basic +// validation if it hasn't been done yet. +// +CFDictionaryRef SecStaticCode::getDictionary(CodeDirectory::SpecialSlot slot, bool check /* = true */) +{ + if (check) + validateDirectory(); + if (CFDataRef infoData = component(slot)) { + validateComponent(slot); + if (CFDictionaryRef dict = makeCFDictionaryFrom(infoData)) + return dict; + else + MacOSError::throwMe(errSecCSBadDictionaryFormat); + } + return NULL; +} + + +// +// Load, validate, and return a sealed resource. +// The resource data (loaded in to memory as a blob) is returned and becomes +// the responsibility of the caller; it is NOT cached by SecStaticCode. +// +// A resource that is not sealed will not be returned, and an error will be thrown. +// A missing resource will cause an error unless it's marked optional in the Directory. +// Under no circumstances will a corrupt resource be returned. +// NULL will only be returned for a resource that is neither sealed nor present +// (or that is sealed, absent, and marked optional). +// If the ResourceDictionary itself is not sealed, this function will always fail. +// +// There is currently no interface for partial retrieval of the resource data. +// (Since the ResourceDirectory does not currently support segmentation, all the +// data would have to be read anyway, but it could be read into a reusable buffer.) +// +CFDataRef SecStaticCode::resource(string path, ValidationContext &ctx) +{ + if (CFDictionaryRef rdict = resourceDictionary()) { + if (CFTypeRef file = cfget(rdict, "files.%s", path.c_str())) { + ResourceSeal seal = file; + if (!resourceBase()) // no resources in DiskRep + MacOSError::throwMe(errSecCSResourcesNotFound); + if (seal.nested()) + MacOSError::throwMe(errSecCSResourcesNotSealed); // (it's nested code) + CFRef fullpath = makeCFURL(path, false, resourceBase()); + if (CFRef data = cfLoadFile(fullpath)) { + MakeHash hasher(this->codeDirectory()); + hasher->update(CFDataGetBytePtr(data), CFDataGetLength(data)); + if (hasher->verify(seal.hash())) + return data.yield(); // good + else + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered + } else { + if (!seal.optional()) + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, fullpath); // was sealed but is now missing + else + return NULL; // validly missing + } + } else + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAdded, CFTempURL(path, false, resourceBase())); + return NULL; + } else + MacOSError::throwMe(errSecCSResourcesNotSealed); +} + +CFDataRef SecStaticCode::resource(string path) +{ + ValidationContext ctx(*this); + return resource(path, ctx); +} + +void SecStaticCode::validateResource(CFDictionaryRef files, string path, bool isSymlink, ValidationContext &ctx, SecCSFlags flags, uint32_t version) +{ + if (!resourceBase()) // no resources in DiskRep + MacOSError::throwMe(errSecCSResourcesNotFound); + CFRef fullpath = makeCFURL(path, false, resourceBase()); + if (CFTypeRef file = CFDictionaryGetValue(files, CFTempString(path))) { + ResourceSeal seal = file; + if (seal.nested()) { + if (isSymlink) + return ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type + string suffix = ".framework"; + bool isFramework = (path.length() > suffix.length()) + && (path.compare(path.length()-suffix.length(), suffix.length(), suffix) == 0); + validateNestedCode(fullpath, seal, flags, isFramework); + } else if (seal.link()) { + char target[PATH_MAX]; + ssize_t len = ::readlink(cfString(fullpath).c_str(), target, sizeof(target)-1); + if (len < 0) + UnixError::check(-1); + target[len] = '\0'; + if (cfString(seal.link()) != target) + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); + } else if (seal.hash()) { // genuine file + AutoFileDesc fd(cfString(fullpath), O_RDONLY, FileDesc::modeMissingOk); // open optional file + if (fd) { + MakeHash hasher(this->codeDirectory()); + hashFileData(fd, hasher.get()); + if (hasher->verify(seal.hash())) + return; // verify good + else + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered + } else { + if (!seal.optional()) + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, fullpath); // was sealed but is now missing + else + return; // validly missing + } + } else + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type + return; + } + if (version == 1) { // version 1 ignores symlinks altogether + char target[PATH_MAX]; + if (::readlink(cfString(fullpath).c_str(), target, sizeof(target)) > 0) + return; + } + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAdded, CFTempURL(path, false, resourceBase())); +} + +void SecStaticCode::validateNestedCode(CFURLRef path, const ResourceSeal &seal, SecCSFlags flags, bool isFramework) +{ + CFRef req; + if (SecRequirementCreateWithString(seal.requirement(), kSecCSDefaultFlags, &req.aref())) + MacOSError::throwMe(errSecCSResourcesInvalid); + + // recursively verify this nested code + try { + if (!(flags & kSecCSCheckNestedCode)) + flags |= kSecCSBasicValidateOnly; + SecPointer code = new SecStaticCode(DiskRep::bestGuess(cfString(path))); + code->setMonitor(this->monitor()); + code->staticValidate(flags, SecRequirement::required(req)); + + if (isFramework && (flags & kSecCSStrictValidate)) + try { + validateOtherVersions(path, flags, req, code); + } catch (const CSError &err) { + MacOSError::throwMe(errSecCSBadFrameworkVersion); + } catch (const MacOSError &err) { + MacOSError::throwMe(errSecCSBadFrameworkVersion); + } + + } catch (CSError &err) { + if (err.error == errSecCSReqFailed) { + mResourcesValidContext->reportProblem(errSecCSBadNestedCode, kSecCFErrorResourceAltered, path); + return; + } + err.augment(kSecCFErrorPath, path); + throw; + } catch (const MacOSError &err) { + if (err.error == errSecCSReqFailed) { + mResourcesValidContext->reportProblem(errSecCSBadNestedCode, kSecCFErrorResourceAltered, path); + return; + } + CSError::throwMe(err.error, kSecCFErrorPath, path); + } +} + +void SecStaticCode::validateOtherVersions(CFURLRef path, SecCSFlags flags, SecRequirementRef req, SecStaticCode *code) +{ + // Find out what current points to and do not revalidate + std::string mainPath = cfStringRelease(code->diskRep()->copyCanonicalPath()); + + char main_path[PATH_MAX]; + bool foundTarget = false; + + /* If it failed to get the target of the symlink, do not fail. It is a performance loss, + not a security hole */ + if (realpath(mainPath.c_str(), main_path) != NULL) + foundTarget = true; + + std::ostringstream versionsPath; + versionsPath << cfString(path) << "/Versions/"; + + DirScanner scanner(versionsPath.str()); + + if (scanner.initialized()) { + struct dirent *entry = NULL; + while ((entry = scanner.getNext()) != NULL) { + std::ostringstream fullPath; + + if (entry->d_type != DT_DIR || + strcmp(entry->d_name, ".") == 0 || + strcmp(entry->d_name, "..") == 0 || + strcmp(entry->d_name, "Current") == 0) + continue; + + fullPath << versionsPath.str() << entry->d_name; + + char real_full_path[PATH_MAX]; + if (realpath(fullPath.str().c_str(), real_full_path) == NULL) + UnixError::check(-1); + + // Do case insensitive comparions because realpath() was called for both paths + if (foundTarget && strcmp(main_path, real_full_path) == 0) + continue; + + SecPointer frameworkVersion = new SecStaticCode(DiskRep::bestGuess(real_full_path)); + frameworkVersion->setMonitor(this->monitor()); + frameworkVersion->staticValidate(flags, SecRequirement::required(req)); + } + } +} + + +// +// Test a CodeDirectory flag. +// Returns false if there is no CodeDirectory. +// May throw if the CodeDirectory is present but somehow invalid. +// +bool SecStaticCode::flag(uint32_t tested) +{ + if (const CodeDirectory *cd = this->codeDirectory(false)) + return cd->flags & tested; + else + return false; +} + + +// +// Retrieve the full SuperBlob containing all internal requirements. +// +const Requirements *SecStaticCode::internalRequirements() +{ + if (CFDataRef reqData = component(cdRequirementsSlot)) { + const Requirements *req = (const Requirements *)CFDataGetBytePtr(reqData); + if (!req->validateBlob()) + MacOSError::throwMe(errSecCSReqInvalid); + return req; + } else + return NULL; +} + + +// +// Retrieve a particular internal requirement by type. +// +const Requirement *SecStaticCode::internalRequirement(SecRequirementType type) +{ + if (const Requirements *reqs = internalRequirements()) + return reqs->find(type); + else + return NULL; +} + + +// +// Return the Designated Requirement (DR). This can be either explicit in the +// Internal Requirements component, or implicitly generated on demand here. +// Note that an explicit DR may have been implicitly generated at signing time; +// we don't distinguish this case. +// +const Requirement *SecStaticCode::designatedRequirement() +{ + if (const Requirement *req = internalRequirement(kSecDesignatedRequirementType)) { + return req; // explicit in signing data + } else { + if (!mDesignatedReq) + mDesignatedReq = defaultDesignatedRequirement(); + return mDesignatedReq; + } +} + + +// +// Generate the default Designated Requirement (DR) for this StaticCode. +// Ignore any explicit DR it may contain. +// +const Requirement *SecStaticCode::defaultDesignatedRequirement() +{ + if (flag(kSecCodeSignatureAdhoc)) { + // adhoc signature: return a cdhash requirement for all architectures + __block Requirement::Maker maker; + Requirement::Maker::Chain chain(maker, opOr); + + // insert cdhash requirement for all architectures + chain.add(); + maker.cdhash(this->cdHash()); + handleOtherArchitectures(^(SecStaticCode *subcode) { + if (CFDataRef cdhash = subcode->cdHash()) { + chain.add(); + maker.cdhash(cdhash); + } + }); + return maker.make(); + } else { + // full signature: Gin up full context and let DRMaker do its thing + validateDirectory(); // need the cert chain + Requirement::Context context(this->certificates(), + this->infoDictionary(), + this->entitlements(), + this->identifier(), + this->codeDirectory() + ); + return DRMaker(context).make(); + } +} + + +// +// Validate a SecStaticCode against the internal requirement of a particular type. +// +void SecStaticCode::validateRequirements(SecRequirementType type, SecStaticCode *target, + OSStatus nullError /* = errSecSuccess */) +{ + DTRACK(CODESIGN_EVAL_STATIC_INTREQ, this, type, target, nullError); + if (const Requirement *req = internalRequirement(type)) + target->validateRequirement(req, nullError ? nullError : errSecCSReqFailed); + else if (nullError) + MacOSError::throwMe(nullError); + else + /* accept it */; +} + + +// +// Validate this StaticCode against an external Requirement +// +bool SecStaticCode::satisfiesRequirement(const Requirement *req, OSStatus failure) +{ + assert(req); + validateDirectory(); + return req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(), codeDirectory()->identifier(), codeDirectory()), failure); +} + +void SecStaticCode::validateRequirement(const Requirement *req, OSStatus failure) +{ + if (!this->satisfiesRequirement(req, failure)) + MacOSError::throwMe(failure); +} + + +// +// Retrieve one certificate from the cert chain. +// Positive and negative indices can be used: +// [ leaf, intermed-1, ..., intermed-n, anchor ] +// 0 1 ... -2 -1 +// Returns NULL if unavailable for any reason. +// +SecCertificateRef SecStaticCode::cert(int ix) +{ + validateDirectory(); // need cert chain + if (mCertChain) { + CFIndex length = CFArrayGetCount(mCertChain); + if (ix < 0) + ix += length; + if (ix >= 0 && ix < length) + return SecCertificateRef(CFArrayGetValueAtIndex(mCertChain, ix)); + } + return NULL; +} + +CFArrayRef SecStaticCode::certificates() +{ + validateDirectory(); // need cert chain + return mCertChain; +} + + +// +// Gather (mostly) API-official information about this StaticCode. +// +// This method lives in the twilight between the API and internal layers, +// since it generates API objects (Sec*Refs) for return. +// +CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags) +{ + // + // Start with the pieces that we return even for unsigned code. + // This makes Sec[Static]CodeRefs useful as API-level replacements + // of our internal OSXCode objects. + // + CFRef dict = makeCFMutableDictionary(1, + kSecCodeInfoMainExecutable, CFTempURL(this->mainExecutablePath()).get() + ); + + // + // If we're not signed, this is all you get + // + if (!this->isSigned()) + return dict.yield(); + + // + // Add the generic attributes that we always include + // + CFDictionaryAddValue(dict, kSecCodeInfoIdentifier, CFTempString(this->identifier())); + CFDictionaryAddValue(dict, kSecCodeInfoFlags, CFTempNumber(this->codeDirectory(false)->flags.get())); + CFDictionaryAddValue(dict, kSecCodeInfoFormat, CFTempString(this->format())); + CFDictionaryAddValue(dict, kSecCodeInfoSource, CFTempString(this->signatureSource())); + CFDictionaryAddValue(dict, kSecCodeInfoUnique, this->cdHash()); + CFDictionaryAddValue(dict, kSecCodeInfoDigestAlgorithm, CFTempNumber(this->codeDirectory(false)->hashType)); + + // + // Deliver any Info.plist only if it looks intact + // + try { + if (CFDictionaryRef info = this->infoDictionary()) + CFDictionaryAddValue(dict, kSecCodeInfoPList, info); + } catch (...) { } // don't deliver Info.plist if questionable + + // + // kSecCSSigningInformation adds information about signing certificates and chains + // + if (flags & kSecCSSigningInformation) + try { + if (CFArrayRef certs = this->certificates()) + CFDictionaryAddValue(dict, kSecCodeInfoCertificates, certs); + if (CFDataRef sig = this->signature()) + CFDictionaryAddValue(dict, kSecCodeInfoCMS, sig); + if (mTrust) + CFDictionaryAddValue(dict, kSecCodeInfoTrust, mTrust); + if (CFAbsoluteTime time = this->signingTime()) + if (CFRef date = CFDateCreate(NULL, time)) + CFDictionaryAddValue(dict, kSecCodeInfoTime, date); + if (CFAbsoluteTime time = this->signingTimestamp()) + if (CFRef date = CFDateCreate(NULL, time)) + CFDictionaryAddValue(dict, kSecCodeInfoTimestamp, date); + if (const char *teamID = this->teamID()) + CFDictionaryAddValue(dict, kSecCodeInfoTeamIdentifier, CFTempString(teamID)); + } catch (...) { } + + // + // kSecCSRequirementInformation adds information on requirements + // + if (flags & kSecCSRequirementInformation) + try { + if (const Requirements *reqs = this->internalRequirements()) { + CFDictionaryAddValue(dict, kSecCodeInfoRequirements, + CFTempString(Dumper::dump(reqs))); + CFDictionaryAddValue(dict, kSecCodeInfoRequirementData, CFTempData(*reqs)); + } + + const Requirement *dreq = this->designatedRequirement(); + CFRef dreqRef = (new SecRequirement(dreq))->handle(); + CFDictionaryAddValue(dict, kSecCodeInfoDesignatedRequirement, dreqRef); + if (this->internalRequirement(kSecDesignatedRequirementType)) { // explicit + CFRef ddreqRef = (new SecRequirement(this->defaultDesignatedRequirement(), true))->handle(); + CFDictionaryAddValue(dict, kSecCodeInfoImplicitDesignatedRequirement, ddreqRef); + } else { // implicit + CFDictionaryAddValue(dict, kSecCodeInfoImplicitDesignatedRequirement, dreqRef); + } + } catch (...) { } + + try { + if (CFDataRef ent = this->component(cdEntitlementSlot)) { + CFDictionaryAddValue(dict, kSecCodeInfoEntitlements, ent); + if (CFDictionaryRef entdict = this->entitlements()) + CFDictionaryAddValue(dict, kSecCodeInfoEntitlementsDict, entdict); + } + } catch (...) { } + + // + // kSecCSInternalInformation adds internal information meant to be for Apple internal + // use (SPI), and not guaranteed to be stable. Primarily, this is data we want + // to reliably transmit through the API wall so that code outside the Security.framework + // can use it without having to play nasty tricks to get it. + // + if (flags & kSecCSInternalInformation) + try { + if (mDir) + CFDictionaryAddValue(dict, kSecCodeInfoCodeDirectory, mDir); + CFDictionaryAddValue(dict, kSecCodeInfoCodeOffset, CFTempNumber(mRep->signingBase())); + if (CFRef rdict = getDictionary(cdResourceDirSlot, false)) // suppress validation + CFDictionaryAddValue(dict, kSecCodeInfoResourceDirectory, rdict); + } catch (...) { } + + + // + // kSecCSContentInformation adds more information about the physical layout + // of the signed code. This is (only) useful for packaging or patching-oriented + // applications. + // + if (flags & kSecCSContentInformation) + if (CFRef files = mRep->modifiedFiles()) + CFDictionaryAddValue(dict, kSecCodeInfoChangedFiles, files); + + return dict.yield(); +} + + +// +// Resource validation contexts. +// The default context simply throws a CSError, rudely terminating the operation. +// +SecStaticCode::ValidationContext::~ValidationContext() +{ /* virtual */ } + +void SecStaticCode::ValidationContext::reportProblem(OSStatus rc, CFStringRef type, CFTypeRef value) +{ + CSError::throwMe(rc, type, value); +} + +void SecStaticCode::CollectingContext::reportProblem(OSStatus rc, CFStringRef type, CFTypeRef value) +{ + if (mStatus == errSecSuccess) + mStatus = rc; // record first failure for eventual error return + if (type) { + if (!mCollection) + mCollection.take(makeCFMutableDictionary()); + CFMutableArrayRef element = CFMutableArrayRef(CFDictionaryGetValue(mCollection, type)); + if (!element) { + element = makeCFMutableArray(0); + if (!element) + CFError::throwMe(); + CFDictionaryAddValue(mCollection, type, element); + CFRelease(element); + } + CFArrayAppendValue(element, value); + } +} + +void SecStaticCode::CollectingContext::throwMe() +{ + assert(mStatus != errSecSuccess); + throw CSError(mStatus, mCollection.retain()); +} + + +// +// Master validation driver. +// This is the static validation (only) driver for the API. +// +// SecStaticCode exposes an a la carte menu of topical validators applying +// to a given object. The static validation API pulls them together reliably, +// but it also adds two matrix dimensions: architecture (for "fat" Mach-O binaries) +// and nested code. This function will crawl a suitable cross-section of this +// validation matrix based on which options it is given, creating temporary +// SecStaticCode objects on the fly to complete the task. +// (The point, of course, is to do as little duplicate work as possible.) +// +void SecStaticCode::staticValidate(SecCSFlags flags, const SecRequirement *req) +{ + setValidationFlags(flags); + + // initialize progress/cancellation state + prepareProgress(estimateResourceWorkload() + 2); // +1 head, +1 tail + + // core components: once per architecture (if any) + this->staticValidateCore(flags, req); + if (flags & kSecCSCheckAllArchitectures) + handleOtherArchitectures(^(SecStaticCode* subcode) { + subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) architecture + subcode->staticValidateCore(flags, req); + }); + reportProgress(); + + // allow monitor intervention in source validation phase + reportEvent(CFSTR("prepared"), NULL); + + // resources: once for all architectures + if (!(flags & kSecCSDoNotValidateResources)) + this->validateResources(flags); + + // perform strict validation if desired + if (flags & kSecCSStrictValidate) + mRep->strictValidate(mTolerateErrors); + reportProgress(); + + // allow monitor intervention + if (CFRef veto = reportEvent(CFSTR("validated"), NULL)) { + if (CFGetTypeID(veto) == CFNumberGetTypeID()) + MacOSError::throwMe(cfNumber(veto.as())); + else + MacOSError::throwMe(errSecCSBadCallbackValue); + } +} + +void SecStaticCode::staticValidateCore(SecCSFlags flags, const SecRequirement *req) +{ + try { + this->validateNonResourceComponents(); // also validates the CodeDirectory + if (!(flags & kSecCSDoNotValidateExecutable)) + this->validateExecutable(); + if (req) + this->validateRequirement(req->requirement(), errSecCSReqFailed); + } catch (CSError &err) { + if (Universal *fat = this->diskRep()->mainExecutableImage()) // Mach-O + if (MachO *mach = fat->architecture()) { + err.augment(kSecCFErrorArchitecture, CFTempString(mach->architecture().displayName())); + delete mach; + } + throw; + } catch (const MacOSError &err) { + // add architecture information if we can get it + if (Universal *fat = this->diskRep()->mainExecutableImage()) + if (MachO *mach = fat->architecture()) { + CFTempString arch(mach->architecture().displayName()); + delete mach; + CSError::throwMe(err.error, kSecCFErrorArchitecture, arch); + } + throw; + } +} + + +// +// A helper that generates SecStaticCode objects for all but the primary architecture +// of a fat binary and calls a block on them. +// If there's only one architecture (or this is an architecture-agnostic code), +// nothing happens quickly. +// +void SecStaticCode::handleOtherArchitectures(void (^handle)(SecStaticCode* other)) +{ + if (Universal *fat = this->diskRep()->mainExecutableImage()) { + Universal::Architectures architectures; + fat->architectures(architectures); + if (architectures.size() > 1) { + DiskRep::Context ctx; + size_t activeOffset = fat->archOffset(); + for (Universal::Architectures::const_iterator arch = architectures.begin(); arch != architectures.end(); ++arch) { + ctx.offset = fat->archOffset(*arch); + if (ctx.offset > SIZE_MAX) + MacOSError::throwMe(errSecCSInternalError); + ctx.size = fat->lengthOfSlice((size_t)ctx.offset); + if (ctx.offset != activeOffset) { // inactive architecture; check it + SecPointer subcode = new SecStaticCode(DiskRep::bestGuess(this->mainExecutablePath(), &ctx)); + subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) detached signature + if (this->teamID() == NULL || subcode->teamID() == NULL) { + if (this->teamID() != subcode->teamID()) + MacOSError::throwMe(errSecCSSignatureInvalid); + } else if (strcmp(this->teamID(), subcode->teamID()) != 0) + MacOSError::throwMe(errSecCSSignatureInvalid); + handle(subcode); + } + } + } + } +} + +// +// A method that takes a certificate chain (certs) and evaluates +// if it is a Mac or IPhone developer cert, an app store distribution cert, +// or a developer ID +// +bool SecStaticCode::isAppleDeveloperCert(CFArrayRef certs) +{ + static const std::string appleDeveloperRequirement = "(" + std::string(WWDRRequirement) + ") or (" + MACWWDRRequirement + ") or (" + developerID + ") or (" + distributionCertificate + ") or (" + iPhoneDistributionCert + ")"; + SecPointer req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true); + Requirement::Context ctx(certs, NULL, NULL, "", NULL); + + return req->requirement()->validates(ctx); +} + +} // end namespace CodeSigning +} // end namespace Security