X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/e3d460c9de4426da6c630c3ae3f46173a99f82d8..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_codesigning/lib/StaticCode.h?ds=inline
diff --git a/OSX/libsecurity_codesigning/lib/StaticCode.h b/OSX/libsecurity_codesigning/lib/StaticCode.h
index bb73341a..56726824 100644
--- a/OSX/libsecurity_codesigning/lib/StaticCode.h
+++ b/OSX/libsecurity_codesigning/lib/StaticCode.h
@@ -106,7 +106,7 @@ public:
 static SecStaticCode *requiredStatic(SecStaticCodeRef ref); // convert SecCodeRef
 static SecCode *optionalDynamic(SecStaticCodeRef ref); // extract SecCodeRef or NULL if static
- SecStaticCode(DiskRep *rep);
+ SecStaticCode(DiskRep *rep, uint32_t flags = 0);
 virtual ~SecStaticCode() throw();
 void initializeFromParent(const SecStaticCode& parent);
@@ -117,11 +117,15 @@ public:
 void detachedSignature(CFDataRef sig); // attach an explicitly given detached signature
 void checkForSystemSignature(); // check for and attach system-supplied detached signature
+ typedef std::map > CodeDirectoryMap;
+
 const CodeDirectory *codeDirectory(bool check = true) const;
+ const CodeDirectoryMap *codeDirectories(bool check = true) const;
 CodeDirectory::HashAlgorithm hashAlgorithm() const { return codeDirectory()->hashType; }
 CodeDirectory::HashAlgorithms hashAlgorithms() const { return mHashAlgorithms; }
 CFDataRef cdHash();
 CFArrayRef cdHashes();
+ CFDictionaryRef cdHashesFull();
 CFDataRef signature();
 CFAbsoluteTime signingTime();
 CFAbsoluteTime signingTimestamp();
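Review bot: `SecStaticCode(DiskRep *rep, uint32_t flags = 0)` takes its flags as a bare `uint32_t`, while every other flag parameter visible in this header (`validateResource`, `staticValidate`, `signingInformation`) is typed `SecCSFlags`, so the declaration neither says which kSecCS* values the constructor honors nor lets the type carry that meaning. The defaulted second parameter also leaves this a converting constructor from `DiskRep *`, which it already was before the change. I would write `SecStaticCode(DiskRep *rep, SecCSFlags flags = 0); // creation flags; retained in mFlags` and add `explicit` if no caller relies on the implicit conversion.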
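Review bot: `codeDirectories()` and `cdHashesFull()` are declared without any comment on what they return or who owns the result, although this header's convention is to say so (`signingInformation` notes "(creates new dictionary)"). `codeDirectories()` returns a pointer to a map, presumably the `mutable CodeDirectoryMap mCodeDirectories` member declared further down, in which case the pointer is only valid for the lifetime of this object, and `cdHashesFull()` returns a `CFDictionaryRef` whose Get-vs-Copy semantics are not stated. I would write `const CodeDirectoryMap *codeDirectories(bool check = true) const; // all CodeDirectories by hash type; owned by this object` and `CFDictionaryRef cdHashesFull(); // untruncated cdhashes as a dictionary; <Get or Copy rule - state it>`. The `CodeDirectoryMap` typedef is rendered here as `std::map >`, which looks like the template arguments were stripped by the page rendering; worth checking against the actual header.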
@@ -136,13 +140,13 @@ public:
 std::string signatureSource();
 virtual CFDataRef component(CodeDirectory::SpecialSlot slot, OSStatus fail = errSecCSSignatureFailed);
 virtual CFDictionaryRef infoDictionary();
+ CFDictionaryRef diskRepInformation();
 CFDictionaryRef entitlements();
+ CFDataRef copyComponent(CodeDirectory::SpecialSlot slot, CFDataRef hash);
 CFDictionaryRef resourceDictionary(bool check = true);
 CFURLRef resourceBase();
- CFDataRef resource(std::string path);
- CFDataRef resource(std::string path, ValidationContext &ctx);
 void validateResource(CFDictionaryRef files, std::string path, bool isSymlink, ValidationContext &ctx, SecCSFlags flags, uint32_t version);
 void validateSymlinkResource(std::string fullpath, std::string seal, ValidationContext &ctx, SecCSFlags flags);
@@ -177,6 +181,8 @@ public:
 void validateExecutable();
 void validateNestedCode(CFURLRef path, const ResourceSeal &seal, SecCSFlags flags, bool isFramework);
+ void validatePlainMemoryResource(string path, CFDataRef fileData, SecCSFlags flags);
+
 const Requirements *internalRequirements();
 const Requirement *internalRequirement(SecRequirementType type);
 const Requirement *designatedRequirement();
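Review bot: `copyComponent(CodeDirectory::SpecialSlot slot, CFDataRef hash)` sits next to `component(slot, fail)` with no comment explaining why both exist, what `hash` is compared against, or that the `copy` prefix means the caller owns the returned `CFDataRef` under the Core Foundation Create/Copy rule while `component()` apparently does not. `diskRepInformation()` leaves the same ownership question open for its `CFDictionaryRef`. A one-line comment on each, e.g. `CFDataRef copyComponent(CodeDirectory::SpecialSlot slot, CFDataRef hash); // caller owns result; hash = expected digest of the slot (confirm algorithm)` and `CFDictionaryRef diskRepInformation(); // <Get or Copy - state it>`, would match how the rest of this header documents its accessors.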
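Review bot: `validatePlainMemoryResource(string path, CFDataRef fileData, SecCSFlags flags)` spells the type as unqualified `string`, while the neighbouring `validateResource` and `validateSymlinkResource` declarations use `std::string`; in a header this only compiles because of a `using` somewhere above, and `checkfix30814861(string path, bool addition)` in the -193 hunk has the same issue. I would write `void validatePlainMemoryResource(std::string path, CFDataRef fileData, SecCSFlags flags);` and add a one-line comment saying what `fileData` is checked against, since the name alone does not say.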
@@ -193,30 +199,45 @@ public:
 CFDictionaryRef signingInformation(SecCSFlags flags); // omnibus information-gathering API (creates new dictionary)
- static bool isAppleDeveloperCert(CFArrayRef certs); // determines if this is an apple developer certificate for libraray validation
+ static bool isAppleDeveloperCert(CFArrayRef certs); // determines if this is an apple developer certificate for library validation
+#if !TARGET_OS_OSX
+ bool trustedSigningCertChain() { return mTrustedSigningCertChain; }
+#endif
+ void handleOtherArchitectures(void (^handle)(SecStaticCode* other));
+
+ uint8_t cmsDigestHashType() const { return mCMSDigestHashType; };
+ CFDataRef createCmsDigest();
 public:
 void staticValidate(SecCSFlags flags, const SecRequirement *req);
 void staticValidateCore(SecCSFlags flags, const SecRequirement *req);
 protected:
- typedef std::map > CodeDirectoryMap;
 bool loadCodeDirectories(CodeDirectoryMap& cdMap) const;
 protected:
 CFDictionaryRef getDictionary(CodeDirectory::SpecialSlot slot, bool check = true); // component value as a dictionary
 bool verifySignature();
- CFArrayRef verificationPolicies();
+ CFArrayRef createVerificationPolicies();
+ CFArrayRef createTimeStampingAndRevocationPolicies();
+
+ // load preferred rules/files dictionaries (cached therein)
+ bool loadResources(CFDictionaryRef& rules, CFDictionaryRef& files, uint32_t& version);
 static void checkOptionalResource(CFTypeRef key, CFTypeRef value, void *context);
 bool hasWeakResourceRules(CFDictionaryRef rulesDict, uint32_t version, CFArrayRef allowedOmissions);
- void handleOtherArchitectures(void (^handle)(SecStaticCode* other));
- private:
 void validateOtherVersions(CFURLRef path, SecCSFlags flags, SecRequirementRef req, SecStaticCode *code);
+ bool checkfix30814861(string path, bool addition);
+ bool checkfix41082220(OSStatus result);
+ ResourceBuilder *mCheckfix30814861builder1;
+ dispatch_once_t mCheckfix30814861builder1_once;
+ private:
+ static const uint8_t mCMSDigestHashType = 
kSecCodeSignatureHashSHA256;
+ // hash of CMS digest (kSecCodeSignatureHash* constant)
 RefPointer mRep; // on-disk representation
 mutable CodeDirectoryMap mCodeDirectories; // available CodeDirectory blobs by digest type
 mutable CFRef mBaseDir; // the primary CodeDirectory blob (whether it's chosen or not)
@@ -268,7 +289,8 @@ private:
 const Requirement *mDesignatedReq; // cached designated req if we made one up
 CFRef mCDHash; // hash of chosen CodeDirectory
 CFRef mCDHashes; // hashes of all CodeDirectories (in digest type code order)
-
+ CFRef mCDHashFullDict; // untruncated hashes of CodeDirectories (as dictionary)
+
 bool mGotResourceBase; // asked mRep for resourceBasePath
 CFRef mResourceBase; // URL form of resource base directory
@@ -276,10 +298,20 @@ private:
 LimitedAsync *mLimitedAsync; // limited async workers for verification
+ uint32_t mFlags; // flags from creation
+ bool mNotarizationChecked; // ensure notarization check only performed once
+ bool mStaplingChecked; // ensure stapling check only performed once
+ double mNotarizationDate; // the notarization ticket's date, if online check failed
+ // signature verification outcome (mTrust == NULL => not done yet)
 CFRef mTrust; // outcome of crypto validation (valid or not)
 CFRef mCertChain;
- CSSM_TP_APPLE_EVIDENCE_INFO *mEvalDetails;
+#if TARGET_OS_OSX
+ CSSM_TP_APPLE_EVIDENCE_INFO *mEvalDetails;
+#else
+ bool mTrustedSigningCertChain;
+#endif
+
 };
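Review bot: `dispatch_once_t mCheckfix30814861builder1_once;` makes the once-predicate an instance member, but dispatch_once(3) requires the predicate to have static or global storage and states that a predicate with automatic or dynamic storage (instance variables included) gives undefined results; a `std::once_flag` member driven by `std::call_once` (if the build allows it) or a plain mutex-guarded lazy init of the builder avoids relying on that. `ResourceBuilder *mCheckfix30814861builder1;` is a raw pointer with no ownership comment, so it is unclear whether the destructor is expected to delete it; `std::unique_ptr<ResourceBuilder>` or at least a `// owned by this object` comment would settle it. The two `checkfix` members carry only a radar number in their names, so a one-line comment on what each workaround is for would help the next reader. Minor: `cmsDigestHashType() const { ... };` has a stray `;` after the inline body, and `trustedSigningCertChain()` could be `const`.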
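Review bot: `mCDHashFullDict` does not follow the naming of its accessor `cdHashesFull()` or of the sibling member `mCDHashes`, and its comment "(as dictionary)" does not say what the dictionary is keyed by. I would rename it `mCDHashesFull` and write `// untruncated cdhashes of all CodeDirectories, keyed by hash type (confirm); backs cdHashesFull()`.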