X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/e3d460c9de4426da6c630c3ae3f46173a99f82d8..0e1db9d189370fed9f1993183ec38d748a8812f7:/OSX/libsecurity_codesigning/lib/reqinterp.cpp diff --git a/OSX/libsecurity_codesigning/lib/reqinterp.cpp b/OSX/libsecurity_codesigning/lib/reqinterp.cpp index 3837d426..80a6ae13 100644 --- a/OSX/libsecurity_codesigning/lib/reqinterp.cpp +++ b/OSX/libsecurity_codesigning/lib/reqinterp.cpp @@ -34,6 +34,7 @@ #include #include #include "csutilities.h" +#include "notarization.h" namespace Security { namespace CodeSigning { @@ -149,6 +150,7 @@ bool Requirement::Interpreter::eval(int depth) Match match(*this); return certFieldValue(key, match, cert); } +#if TARGET_OS_OSX case opCertGeneric: { SecCertificateRef cert = mContext->cert(get()); @@ -163,6 +165,7 @@ bool Requirement::Interpreter::eval(int depth) Match match(*this); return certFieldPolicy(key, match, cert); } +#endif case opTrustedCert: return trustedCert(get()); case opTrustedCerts: @@ -176,6 +179,10 @@ bool Requirement::Interpreter::eval(int depth) int32_t targetPlatform = get(); return mContext->directory && mContext->directory->platform == targetPlatform; } + case opNotarized: + { + return isNotarized(mContext); + } default: // opcode not recognized - handle generically if possible, fail otherwise if (op & (opGenericFalse | opGenericSkip)) { @@ -190,7 +197,7 @@ bool Requirement::Interpreter::eval(int depth) } } // unrecognized opcode and no way to interpret it - secdebug("csinterp", "opcode 0x%x cannot be handled; aborting", op); + secinfo("csinterp", "opcode 0x%x cannot be handled; aborting", op); MacOSError::throwMe(errSecCSUnimplemented); } } 
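Review bot: The new `#if TARGET_OS_OSX` / `#endif` pair in `eval` compiles out `case opCertGeneric:` and the case that calls `certFieldPolicy`, so on other platforms a requirement using either opcode now lands in `default:`, and nothing at the guard says so. From the visible `default:` branch, the outcome then depends on the opcode's `opGenericFalse`/`opGenericSkip` bits, and otherwise `errSecCSUnimplemented` is thrown. I would add a comment at the guard such as `// not available on embedded: these opcodes fall through to default: and are handled as unrecognized`. `eval` starts and ends outside these hunks.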
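Review bot: `case opNotarized:` in `eval` is added without the `TARGET_OS_OSX` guard that this commit puts around the neighbouring certificate opcodes, and without a comment on what `isNotarized(mContext)` yields when the check itself cannot be completed. `isNotarized` presumably comes from `notarization.h`, which is not part of this diff, so neither its availability on embedded targets nor its error behaviour (return `false` or throw) can be confirmed from here. Because the result decides a code requirement, a one-line comment would pin the contract down, for example `// true only on a positive notarization result; any failure evaluates false`, adjusted to what the function really does. The braces around the single `return` are not needed.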
@@ -222,6 +229,8 @@ bool Requirement::Interpreter::entitlementValue(const string &key, const Match & bool Requirement::Interpreter::certFieldValue(const string &key, const Match &match, SecCertificateRef cert) { +// XXX: Not supported on embedded yet due to lack of supporting API +#if TARGET_OS_OSX // no cert, no chance if (cert == NULL) return false; @@ -247,13 +256,14 @@ bool Requirement::Interpreter::certFieldValue(const string &key, const Match &ma { "subject.UID", &CSSMOID_UserID }, { NULL, NULL } }; - + // DN-component single-value match for (const CertField *cf = certFields; cf->name; cf++) if (cf->name == key) { CFRef value; - if (OSStatus rc = SecCertificateCopySubjectComponent(cert, cf->oid, &value.aref())) { - secdebug("csinterp", "cert %p lookup for DN.%s failed rc=%d", cert, key.c_str(), (int)rc); + OSStatus rc = SecCertificateCopySubjectComponent(cert, cf->oid, &value.aref()); + if (rc) { + secinfo("csinterp", "cert %p lookup for DN.%s failed rc=%d", cert, key.c_str(), (int)rc); return false; } return match(value); 
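Review bot: On non-macOS builds `certFieldValue` now returns `false` for every key without logging anything, so "this platform cannot evaluate the field" looks the same as "the field did not match". That is fail-closed for a plain match, but a requirement that negates a certificate-field test would be satisfied on embedded only because the check is compiled out. Consider making the unsupported path explicit with an `#else` branch before the `#endif`, e.g. `secinfo("csinterp", "cert field matching is not supported on this platform");`, or by throwing `errSecCSUnimplemented` as `eval` does for opcodes it cannot handle. The same concern applies to the `trustSetting` stub that returns `kSecTrustSettingsResultUnspecified` (hunks at -465 and -502). The body of `certFieldValue` continues into the hunks at -247 and -262.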
@@ -262,19 +272,21 @@ bool Requirement::Interpreter::certFieldValue(const string &key, const Match &ma // email multi-valued match (any of...) if (key == "email") { CFRef value; - if (OSStatus rc = SecCertificateCopyEmailAddresses(cert, &value.aref())) { - secdebug("csinterp", "cert %p lookup for email failed rc=%d", cert, (int)rc); + OSStatus rc = SecCertificateCopyEmailAddresses(cert, &value.aref()); + if (rc) { + secinfo("csinterp", "cert %p lookup for email failed rc=%d", cert, (int)rc); return false; } return match(value); } // unrecognized key. Fail but do not abort to promote backward compatibility down the road - secdebug("csinterp", "cert field notation \"%s\" not understood", key.c_str()); + secinfo("csinterp", "cert field notation \"%s\" not understood", key.c_str()); +#endif return false; } - +#if TARGET_OS_OSX bool Requirement::Interpreter::certFieldGeneric(const string &key, const Match &match, SecCertificateRef cert) { // the key is actually a (binary) OID value @@ -298,7 +310,7 @@ bool Requirement::Interpreter::certFieldPolicy(const CssmOid &oid, const Match & { return cert && certificateHasPolicy(cert, oid) && match(kCFBooleanTrue); } - +#endif // // Check the Apple-signed condition @@ -327,7 +339,9 @@ CFArrayRef Requirement::Interpreter::getAdditionalTrustedAnchors() if (!configData) return NULL; - CFRef configDict = CFDictionaryRef(IOCFUnserialize((const char *)CFDataGetBytePtr(configData), kCFAllocatorDefault, 0, NULL)); + CFRef configDict = CFDictionaryRef(IOCFUnserializeWithSize((const char *)CFDataGetBytePtr(configData), + (size_t)CFDataGetLength(configData), + kCFAllocatorDefault, 0, NULL)); if (!configDict) return NULL; @@ -362,6 +376,10 @@ bool Requirement::Interpreter::appleLocalAnchored() if (csr_check(CSR_ALLOW_APPLE_INTERNAL)) return false; + if (mContext->forcePlatform) { + return true; + } + static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ additionalTrustedCertificates = getAdditionalTrustedAnchors(); 
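Review bot: The object returned by `IOCFUnserializeWithSize` in `getAdditionalTrustedAnchors` is still cast straight to `CFDictionaryRef`, and the only check visible in the hunk is `if (!configDict)`. The unserializer can return any property-list type, so a non-dictionary payload would be treated as a dictionary by whatever follows. Those lines are outside the hunk, so a later type check may already exist. If it does not, extend the guard to `if (!configDict || CFGetTypeID(configDict) != CFDictionaryGetTypeID()) return NULL;`, since this data feeds the additional trust-anchor list.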
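Review bot: The new `if (mContext->forcePlatform) { return true; }` in `appleLocalAnchored` reports the code as locally Apple-anchored without looking at any certificate, and it carries no comment. It sits after the `csr_check(CSR_ALLOW_APPLE_INTERNAL)` early return, so only statement order limits it, and a later reorder would make the override unconditional. Where `forcePlatform` gets set is not visible in this diff. I would add a comment such as `// forcePlatform is honoured only after the CSR_ALLOW_APPLE_INTERNAL check above; keep this order`, and document at the flag's declaration who is allowed to set it. The function continues past the end of the hunk.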
@@ -390,7 +408,7 @@ bool Requirement::Interpreter::appleSigned() return true; } else if (appleLocalAnchored()) { return true; - } + } return false; } @@ -402,12 +420,16 @@ bool Requirement::Interpreter::verifyAnchor(SecCertificateRef cert, const unsign { // get certificate bytes if (cert) { + SHA1 hasher; +#if TARGET_OS_OSX CSSM_DATA certData; MacOSError::check(SecCertificateGetData(cert, &certData)); // verify hash - SHA1 hasher; hasher(certData.Data, certData.Length); +#else + hasher(SecCertificateGetBytePtr(cert), SecCertificateGetLength(cert)); +#endif return hasher.verify(digest); } return false; @@ -465,6 +487,8 @@ bool Requirement::Interpreter::trustedCert(int slot) // SecTrustSettingsResult Requirement::Interpreter::trustSetting(SecCertificateRef cert, bool isAnchor) { + // XXX: Not supported on embedded yet due to lack of supporting API +#if TARGET_OS_OSX // the SPI input is the uppercase hex form of the SHA-1 of the certificate... assert(cert); SHA1::Digest digest; @@ -502,6 +526,9 @@ SecTrustSettingsResult Requirement::Interpreter::trustSetting(SecCertificateRef ::free(errors); MacOSError::throwMe(rc); } +#else + return kSecTrustSettingsResultUnspecified; +#endif }