X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/Security/libsecurity_codesigning/lib/signer.h diff --git a/Security/libsecurity_codesigning/lib/signer.h b/Security/libsecurity_codesigning/lib/signer.h new file mode 100644 index 00000000..c7ac989c --- /dev/null +++ b/Security/libsecurity_codesigning/lib/signer.h @@ -0,0 +1,100 @@ +/* + * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// signer - Signing operation supervisor and controller +// +#ifndef _H_SIGNER +#define _H_SIGNER + +#include "CodeSigner.h" +#include "cdbuilder.h" +#include "signerutils.h" +#include "StaticCode.h" +#include + +namespace Security { +namespace CodeSigning { + + +// +// The signer driver class. +// This is a workflow object, containing all the data needed for the various +// signing stages to cooperate. It is not meant to be API visible; that is +// SecCodeSigner's job. +// +class SecCodeSigner::Signer { +public: + Signer(SecCodeSigner &s, SecStaticCode *c) : state(s), code(c), requirements(NULL) + { strict = state.signingFlags() & kSecCSSignStrictPreflight; } + ~Signer() { ::free((Requirements *)requirements); } + + void sign(SecCSFlags flags); + void remove(SecCSFlags flags); + + SecCodeSigner &state; + SecStaticCode * const code; + + CodeDirectory::HashAlgorithm digestAlgorithm() const { return state.mDigestAlgorithm; } + + std::string path() const { return cfStringRelease(rep->copyCanonicalPath()); } + SecIdentityRef signingIdentity() const { return state.mSigner; } + std::string signingIdentifier() const { return identifier; } + +protected: + void prepare(SecCSFlags flags); // set up signing parameters + void signMachO(Universal *fat, const Requirement::Context &context); // sign a Mach-O binary + void signArchitectureAgnostic(const Requirement::Context &context); // sign anything else + + void populate(DiskRep::Writer &writer); // global + void populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer, + InternalRequirements &ireqs, size_t offset = 0, size_t length = 0); // per-architecture + CFDataRef signCodeDirectory(const CodeDirectory *cd); + + uint32_t cdTextFlags(std::string text); // convert text CodeDirectory flags + std::string uniqueName() const; // derive unique string from rep + +protected: + void buildResources(std::string root, std::string relBase, CFDictionaryRef rules); + CFMutableDictionaryRef signNested(FTSENT *ent, const char *relpath); + CFDataRef hashFile(const char *path); + +private: + RefPointer rep; // DiskRep of Code being signed + CFRef resourceDirectory; // resource directory + CFRef resourceDictData; // XML form of resourceDirectory + std::string identifier; // signing identifier + std::string teamID; // team identifier + CFRef entitlements; // entitlements + uint32_t cdFlags; // CodeDirectory flags + const Requirements *requirements; // internal requirements ready-to-use + size_t pagesize; // size of main executable pages + CFAbsoluteTime signingTime; // signing time for CMS signature (0 => none) + bool strict; // strict validation +}; + + +} // end namespace CodeSigning +} // end namespace Security + +#endif // !_H_CODESIGNER