X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/84aacf34eae6543be9f0280b2015385f91e5c2c6..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_codesigning/lib/policydb.cpp
diff --git a/OSX/libsecurity_codesigning/lib/policydb.cpp b/OSX/libsecurity_codesigning/lib/policydb.cpp
index bfe213e5..92d9cfa2 100644
--- a/OSX/libsecurity_codesigning/lib/policydb.cpp
+++ b/OSX/libsecurity_codesigning/lib/policydb.cpp
@@ -360,11 +360,55 @@ void PolicyDatabase::upgradeDatabase()
 migrateReq(this, 3, "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists");
 });
- // Add simpleFeatureNoTransaction for going from the requirements create above, to add secure timestamps in requirements, here before the commit
+ simpleFeatureNoTransaction("legacy_devid_v2", ^{
+ auto migrateReq = [](auto db, int type, string oldreq, string newreq) {
+ const string legacy =
+ " and legacy";
+
+ SQLite::Statement update(*db, "UPDATE OR IGNORE authority "
+ "SET requirement = :newreq "
+ "WHERE requirement = :oldreq "
+ " AND type = :type "
+ " AND label = 'Developer ID'");
+ update.bind(":oldreq") = oldreq;
+ update.bind(":type") = type;
+ update.bind(":newreq") = newreq;
+ update.execute();
+ };
+
+ // App handling has moved to the sunfish path. The legacy keyword won't work well for apps because we don't collect nested code hashes to whitelist them.
+ migrateReq(this, 2,
+ "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13]) and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] absent or certificate leaf[timestamp.1.2.840.113635.100.6.1.33] < timestamp \"20190408000000Z\")",
+ "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13]) and legacy");
+ migrateReq(this, 3,
+ "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] absent or certificate leaf[timestamp.1.2.840.113635.100.6.1.33] < timestamp \"20190408000000Z\")",
+ "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and legacy");
+ });
+
+ simpleFeatureNoTransaction("unnotarized_without_timestamp", ^{
+ auto migrateReq = [](auto db, int type, string req) {
+ const string to_remove =
+ " and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] exists and "
+ "certificate leaf[timestamp.1.2.840.113635.100.6.1.33] >= timestamp \"20190408000000Z\")";
+
+ SQLite::Statement update(*db, "UPDATE OR IGNORE authority "
+ "SET requirement = :newreq "
+ "WHERE requirement = :oldreq "
+ " AND type = :type "
+ " AND label = 'Unnotarized Developer ID'");
+ update.bind(":oldreq") = req + to_remove;
+ update.bind(":type") = type;
+ update.bind(":newreq") = req;
+ update.execute();
+ };
+
+ migrateReq(this, kAuthorityInstall, "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])");
+ migrateReq(this, kAuthorityOpenDoc, "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists");
+ });
 devIdRequirementUpgrades.commit();
 }
-
+
 simpleFeature("notarized_documents", ^{
 SQLite::Statement addNotarizedDocs(*this,
 "INSERT INTO authority (type, allow, flags, priority, label, requirement) "
@@ -372,6 +416,20 @@ void PolicyDatabase::upgradeDatabase()
 " 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and notarized')");
 addNotarizedDocs.execute();
 });
+
+ simpleFeature("notarization_priority_fix", ^{
+ auto migrateReq = [](auto db, string label, float priority) {
+ SQLite::Statement update(*db,
+ "UPDATE OR IGNORE authority "
+ "SET priority = :newpriority "
+ "WHERE label = :label");
+ update.bind(":newpriority") = priority;
+ update.bind(":label") = label;
+ update.execute();
+ };
+ migrateReq(this, "Developer ID", 4.0);
+ migrateReq(this, "Unnotarized Developer ID", 0.0);
+ });
 }
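Review bot: Both new migrations (`legacy_devid_v2` and `unnotarized_without_timestamp`) rewrite authority rows only when the stored requirement text matches `:oldreq` byte for byte, and `UPDATE OR IGNORE` followed by a bare `update.execute();` gives no signal when zero rows matched, so a database whose earlier migration wrote slightly different text keeps its stale timestamp-gated policy rows while the feature is presumably still recorded as applied and never retried. After each `update.execute();` I would read the affected-row count through whatever the `SQLite::Statement`/database wrapper exposes over `sqlite3_changes()` and log (or fail the feature) when it is zero, so a silently unmigrated policy table is visible in the system log. Two smaller points in the same hunk: `const string legacy = " and legacy";` in the first lambda is never used (the replacement text arrives fully formed in `newreq`), so it should be deleted or the lambda should actually build `newreq` from it; and the first feature passes raw `2`/`3` where the second uses `kAuthorityInstall`/`kAuthorityOpenDoc`, which should be made consistent. The enclosing `upgradeDatabase()` begins before this hunk.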
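Review bot: The two priority values at the end of the hunk, `4.0` for 'Developer ID' and `0.0` for 'Unnotarized Developer ID', are bare magic numbers with no comment, yet they are presumably what decides which row wins when a legacy Developer ID allow rule and the unnotarized deny rule both match the same code, so the intended ordering should be written down next to them, e.g. `// 'Developer ID' (legacy allow) must outrank 'Unnotarized Developer ID' (deny) when both match; keep these consistent with the priority ordering used by the policy engine's authority lookup -- TODO confirm that ordering`. Note also that the `UPDATE ... WHERE label = :label` filters on label alone, unlike the type-scoped updates earlier in this file, so it touches every row carrying that label regardless of type or allow/deny; if that is intended, say so in the same comment. The parameter is declared `float priority` while the column is bound through the wrapper's numeric overload; if that overload is `double`, declaring it `double` avoids an implicit widening and matches the literals. The enclosing `upgradeDatabase()` begins before this hunk and the closing `}` shown here is its end.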