X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/90dc47c27df1983f6ebc252b0c4b94c8718fe52d..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_codesigning/lib/StaticCode.h diff --git a/OSX/libsecurity_codesigning/lib/StaticCode.h b/OSX/libsecurity_codesigning/lib/StaticCode.h index 71ead90f..56726824 100644 --- a/OSX/libsecurity_codesigning/lib/StaticCode.h +++ b/OSX/libsecurity_codesigning/lib/StaticCode.h @@ -106,7 +106,7 @@ public: static SecStaticCode *requiredStatic(SecStaticCodeRef ref); // convert SecCodeRef static SecCode *optionalDynamic(SecStaticCodeRef ref); // extract SecCodeRef or NULL if static - SecStaticCode(DiskRep *rep); + SecStaticCode(DiskRep *rep, uint32_t flags = 0); virtual ~SecStaticCode() throw(); void initializeFromParent(const SecStaticCode& parent); @@ -125,6 +125,7 @@ public: CodeDirectory::HashAlgorithms hashAlgorithms() const { return mHashAlgorithms; } CFDataRef cdHash(); CFArrayRef cdHashes(); + CFDictionaryRef cdHashesFull(); CFDataRef signature(); CFAbsoluteTime signingTime(); CFAbsoluteTime signingTimestamp(); @@ -205,6 +206,8 @@ public: void handleOtherArchitectures(void (^handle)(SecStaticCode* other)); + uint8_t cmsDigestHashType() const { return mCMSDigestHashType; }; + CFDataRef createCmsDigest(); public: void staticValidate(SecCSFlags flags, const SecRequirement *req); void staticValidateCore(SecCSFlags flags, const SecRequirement *req); @@ -227,11 +230,14 @@ protected: private: void validateOtherVersions(CFURLRef path, SecCSFlags flags, SecRequirementRef req, SecStaticCode *code); bool checkfix30814861(string path, bool addition); + bool checkfix41082220(OSStatus result); ResourceBuilder *mCheckfix30814861builder1; dispatch_once_t mCheckfix30814861builder1_once; private: + static const uint8_t mCMSDigestHashType = kSecCodeSignatureHashSHA256; + // hash of CMS digest (kSecCodeSignatureHash* constant) RefPointer mRep; // on-disk representation mutable CodeDirectoryMap mCodeDirectories; // available CodeDirectory blobs by digest type mutable CFRef mBaseDir; // the primary CodeDirectory blob (whether it's chosen or not) @@ -283,7 +289,8 @@ private: const Requirement *mDesignatedReq; // cached designated req if we made one up CFRef mCDHash; // hash of chosen CodeDirectory CFRef mCDHashes; // hashes of all CodeDirectories (in digest type code order) - + CFRef mCDHashFullDict; // untruncated hashes of CodeDirectories (as dictionary) + bool mGotResourceBase; // asked mRep for resourceBasePath CFRef mResourceBase; // URL form of resource base directory @@ -291,6 +298,11 @@ private: LimitedAsync *mLimitedAsync; // limited async workers for verification + uint32_t mFlags; // flags from creation + bool mNotarizationChecked; // ensure notarization check only performed once + bool mStaplingChecked; // ensure stapling check only performed once + double mNotarizationDate; // the notarization ticket's date, if online check failed + // signature verification outcome (mTrust == NULL => not done yet) CFRef mTrust; // outcome of crypto validation (valid or not) CFRef mCertChain;