X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/b1ab9ed8d0e0f1c3b66d7daa8fd5564444c56195..420ff9d9379a8d93f2c90f026a797bdea1eb4517:/libsecurity_codesigning/lib/csutilities.cpp?ds=sidebyside
diff --git a/libsecurity_codesigning/lib/csutilities.cpp b/libsecurity_codesigning/lib/csutilities.cpp
index 6ac5db8f..0f33281e 100644
--- a/libsecurity_codesigning/lib/csutilities.cpp
+++ b/libsecurity_codesigning/lib/csutilities.cpp
@@ -27,6 +27,7 @@
 #include "csutilities.h"
 #include
 #include
+#include
 #include
 #include
 
@@ -34,6 +35,29 @@ namespace Security {
 namespace CodeSigning {
 
 
+//
+// The (SHA-1) hash of the canonical Apple certificate root anchor
+//
+static const SHA1::Digest gAppleAnchorHash =
+	{ 0x61, 0x1e, 0x5b, 0x66, 0x2c, 0x59, 0x3a, 0x08, 0xff, 0x58,
+	  0xd1, 0x4a, 0xe2, 0x24, 0x52, 0xd1, 0x98, 0xdf, 0x6c, 0x60 };
+
+
+
+//
+// Test for the canonical Apple CA certificate
+//
+bool isAppleCA(SecCertificateRef cert)
+{
+	return verifyHash(cert, gAppleAnchorHash);
+}
+
+bool isAppleCA(const Hashing::Byte *sha1)
+{
+	return !memcmp(sha1, gAppleAnchorHash, SHA1::digestLength);
+}
+
+
 //
 // Calculate the canonical hash of a certificate, given its raw (DER) data.
 //
@@ -57,6 +81,17 @@ void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest)
 }
 
 
+//
+// One-stop hash-certificate-and-compare
+//
+bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest)
+{
+	SHA1::Digest dig;
+	hashOfCertificate(cert, dig);
+	return !memcmp(dig, digest, SHA1::digestLength);
+}
+
+
 //
 // Check to see if a certificate contains a particular field, by OID. This works for extensions,
 // even ones not recognized by the local CL. It does not return any value, only presence.
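Review bot: `isAppleCA(const Hashing::Byte *sha1)` reads SHA1::digestLength bytes through a bare pointer, and neither the function nor the comment above the pair tells a caller that a shorter buffer is an out-of-bounds read; I'd put `// sha1 must point to a full SHA1::digestLength-byte digest of the certificate's DER data (as computed by hashOfCertificate)` directly above that overload. The `SecCertificateRef` overload hands `cert` straight to `verifyHash` without the `assert(cert)` that `certificateHasField` uses later in this file; whether `hashOfCertificate` already rejects a null reference is not visible in this diff, so either confirm that or add the assert for consistency. The gAppleAnchorHash comment would also serve a future reader better if it said the digest is over the anchor certificate's DER bytes in the form hashOfCertificate produces, since every `isAppleCA` decision rests on an exact match against that constant.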
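Review bot: `verifyHash` takes `digest` as a bare `const Hashing::Byte *` and compares SHA1::digestLength bytes from it, so the length contract lives only in the callers; I'd extend the header comment to `// One-stop hash-certificate-and-compare. digest must point to SHA1::digestLength bytes; returns true iff it equals the SHA-1 of cert's DER data.` Style-wise, `return memcmp(dig, digest, SHA1::digestLength) == 0;` reads more clearly than negating the int result, and the same form appears in the isAppleCA overload added above. Since isAppleCA earlier in this diff calls verifyHash before this definition, the function is presumably already declared in csutilities.h; if it is not, the definition needs a forward declaration or to move ahead of its first use.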
@@ -66,7 +101,7 @@ bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid)
 	assert(cert);
 	CSSM_DATA *value;
 	switch (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &oid, &value)) {
-	case noErr:
+	case errSecSuccess:
 		MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &oid, value));
 		return true;		// extension found by oid
 	case errSecUnknownTag: