X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/b1ab9ed8d0e0f1c3b66d7daa8fd5564444c56195..c38e3ce98599a410a47dc10253faa4d5830f13b2:/libsecurity_codesigning/lib/csutilities.cpp?ds=sidebyside
diff --git a/libsecurity_codesigning/lib/csutilities.cpp b/libsecurity_codesigning/lib/csutilities.cpp
index 6ac5db8f..c3d3d926 100644
--- a/libsecurity_codesigning/lib/csutilities.cpp
+++ b/libsecurity_codesigning/lib/csutilities.cpp
@@ -27,6 +27,7 @@
 #include "csutilities.h"
 #include
 #include
+#include
 #include
 #include
@@ -34,6 +35,29 @@
 namespace Security {
 namespace CodeSigning {
+//
+// The (SHA-1) hash of the canonical Apple certificate root anchor
+//
+static const SHA1::Digest gAppleAnchorHash =
+ { 0x61, 0x1e, 0x5b, 0x66, 0x2c, 0x59, 0x3a, 0x08, 0xff, 0x58,
+ 0xd1, 0x4a, 0xe2, 0x24, 0x52, 0xd1, 0x98, 0xdf, 0x6c, 0x60 };
+
+
+
+//
+// Test for the canonical Apple CA certificate
+//
+bool isAppleCA(SecCertificateRef cert)
+{
+ return verifyHash(cert, gAppleAnchorHash);
+}
+
+bool isAppleCA(const Hashing::Byte *sha1)
+{
+ return !memcmp(sha1, gAppleAnchorHash, SHA1::digestLength);
+}
+
+
 //
 // Calculate the canonical hash of a certificate, given its raw (DER) data.
 //
@@ -57,6 +81,17 @@ void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest)
 }
+//
+// One-stop hash-certificate-and-compare
+//
+bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest)
+{
+ SHA1::Digest dig;
+ hashOfCertificate(cert, dig);
+ return !memcmp(dig, digest, SHA1::digestLength);
+}
+
+
 //
 // Check to see if a certificate contains a particular field, by OID. This works for extensions,
 // even ones not recognized by the local CL. It does not return any value, only presence.
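Review bot: `isAppleCA(const Hashing::Byte *sha1)` in this hunk, and `verifyHash` in the next one, take a bare pointer and read `SHA1::digestLength` bytes from it via `memcmp`, so the buffer-length contract is only implied; a comment such as `// sha1 must point to at least SHA1::digestLength bytes` on each overload, or taking `const SHA1::Digest &` since `gAppleAnchorHash` shows the digest type is an array, would make it explicit. The comment on `gAppleAnchorHash` also does not say what the constant is a digest of; because it is compared against the output of `hashOfCertificate`, stating `// SHA-1 over the certificate's raw DER data, as produced by hashOfCertificate` lets a maintainer re-derive and check the value. Pinning the digest of the whole certificate matches only this exact anchor, so a re-issued root carrying the same key would not be recognized; that is presumably intended, but worth saying in the comment.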
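Review bot: `verifyHash` is defined here but is already called by `isAppleCA` in the earlier hunk, so compilation depends on a prior declaration, presumably in csutilities.h; if it is not declared there, this definition should move above `isAppleCA` or a declaration be added near the top of the file. `hashOfCertificate` is relied on to always fill `dig`; its body is outside the hunk, so if it can return without writing the digest for a null or malformed `cert`, the `memcmp` would read an uninitialized buffer, which is worth confirming. Style-wise, `return memcmp(dig, digest, SHA1::digestLength) == 0;` reads as the equality test it is, rather than `!memcmp(...)`.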