X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/e3d460c9de4426da6c630c3ae3f46173a99f82d8..dd5fb164cf5b32c462296bc65e289e100f74b59a:/OSX/libsecurity_codesigning/lib/reqinterp.cpp?ds=sidebyside

diff --git a/OSX/libsecurity_codesigning/lib/reqinterp.cpp b/OSX/libsecurity_codesigning/lib/reqinterp.cpp
index 3837d426..b685802b 100644
--- a/OSX/libsecurity_codesigning/lib/reqinterp.cpp
+++ b/OSX/libsecurity_codesigning/lib/reqinterp.cpp
@@ -149,6 +149,7 @@ bool Requirement::Interpreter::eval(int depth)
 			Match match(*this);
 			return certFieldValue(key, match, cert);
 		}
+#if TARGET_OS_OSX
 	case opCertGeneric:
 		{
 			SecCertificateRef cert = mContext->cert(get<int32_t>());
@@ -163,6 +164,7 @@ bool Requirement::Interpreter::eval(int depth)
 			Match match(*this);
 			return certFieldPolicy(key, match, cert);
 		}
+#endif
 	case opTrustedCert:
 		return trustedCert(get<int32_t>());
 	case opTrustedCerts:
@@ -190,7 +192,7 @@ bool Requirement::Interpreter::eval(int depth)
 			}
 		}
 		// unrecognized opcode and no way to interpret it
-		secdebug("csinterp", "opcode 0x%x cannot be handled; aborting", op);
+		secinfo("csinterp", "opcode 0x%x cannot be handled; aborting", op);
 		MacOSError::throwMe(errSecCSUnimplemented);
 	}
 }
@@ -222,6 +224,8 @@ bool Requirement::Interpreter::entitlementValue(const string &key, const Match &
 
 bool Requirement::Interpreter::certFieldValue(const string &key, const Match &match, SecCertificateRef cert)
 {
+// XXX: Not supported on embedded yet due to lack of supporting API
+#if TARGET_OS_OSX
 	// no cert, no chance
 	if (cert == NULL)
 		return false;
@@ -247,13 +251,14 @@ bool Requirement::Interpreter::certFieldValue(const string &key, const Match &ma
 		{ "subject.UID", &CSSMOID_UserID },
 		{ NULL, NULL }
 	};
-	
+
 	// DN-component single-value match
 	for (const CertField *cf = certFields; cf->name; cf++)
 		if (cf->name == key) {
 			CFRef<CFStringRef> value;
-			if (OSStatus rc = SecCertificateCopySubjectComponent(cert, cf->oid, &value.aref())) {
-				secdebug("csinterp", "cert %p lookup for DN.%s failed rc=%d", cert, key.c_str(), (int)rc);
+            OSStatus rc = SecCertificateCopySubjectComponent(cert, cf->oid, &value.aref());
+			if (rc) {
+				secinfo("csinterp", "cert %p lookup for DN.%s failed rc=%d", cert, key.c_str(), (int)rc);
 				return false;
 			}
 			return match(value);
@@ -262,19 +267,21 @@ bool Requirement::Interpreter::certFieldValue(const string &key, const Match &ma
 	// email multi-valued match (any of...)
 	if (key == "email") {
 		CFRef<CFArrayRef> value;
-		if (OSStatus rc = SecCertificateCopyEmailAddresses(cert, &value.aref())) {
-			secdebug("csinterp", "cert %p lookup for email failed rc=%d", cert, (int)rc);
+        OSStatus rc = SecCertificateCopyEmailAddresses(cert, &value.aref());
+		if (rc) {
+			secinfo("csinterp", "cert %p lookup for email failed rc=%d", cert, (int)rc);
 			return false;
 		}
 		return match(value);
 	}
 
 	// unrecognized key. Fail but do not abort to promote backward compatibility down the road
-	secdebug("csinterp", "cert field notation \"%s\" not understood", key.c_str());
+	secinfo("csinterp", "cert field notation \"%s\" not understood", key.c_str());
+#endif
 	return false;
 }
 
-	
+#if TARGET_OS_OSX
 bool Requirement::Interpreter::certFieldGeneric(const string &key, const Match &match, SecCertificateRef cert)
 {
 	// the key is actually a (binary) OID value
@@ -298,7 +305,7 @@ bool Requirement::Interpreter::certFieldPolicy(const CssmOid &oid, const Match &
 {
 	return cert && certificateHasPolicy(cert, oid) && match(kCFBooleanTrue);
 }
-
+#endif
 
 //
 // Check the Apple-signed condition
@@ -327,7 +334,9 @@ CFArrayRef Requirement::Interpreter::getAdditionalTrustedAnchors()
         if (!configData)
             return NULL;
 
-        CFRef<CFDictionaryRef> configDict = CFDictionaryRef(IOCFUnserialize((const char *)CFDataGetBytePtr(configData), kCFAllocatorDefault, 0, NULL));
+        CFRef<CFDictionaryRef> configDict = CFDictionaryRef(IOCFUnserializeWithSize((const char *)CFDataGetBytePtr(configData),
+                                                                                    (size_t)CFDataGetLength(configData),
+                                                                                    kCFAllocatorDefault, 0, NULL));
         if (!configDict)
             return NULL;
 
@@ -402,12 +411,16 @@ bool Requirement::Interpreter::verifyAnchor(SecCertificateRef cert, const unsign
 {
 	// get certificate bytes
 	if (cert) {
+        SHA1 hasher;
+#if TARGET_OS_OSX
 		CSSM_DATA certData;
 		MacOSError::check(SecCertificateGetData(cert, &certData));
 		
 		// verify hash
-		SHA1 hasher;
 		hasher(certData.Data, certData.Length);
+#else
+        hasher(SecCertificateGetBytePtr(cert), SecCertificateGetLength(cert));
+#endif
 		return hasher.verify(digest);
 	}
 	return false;
@@ -465,6 +478,8 @@ bool Requirement::Interpreter::trustedCert(int slot)
 //
 SecTrustSettingsResult Requirement::Interpreter::trustSetting(SecCertificateRef cert, bool isAnchor)
 {
+    // XXX: Not supported on embedded yet due to lack of supporting API
+#if TARGET_OS_OSX
 	// the SPI input is the uppercase hex form of the SHA-1 of the certificate...
 	assert(cert);
 	SHA1::Digest digest;
@@ -502,6 +517,9 @@ SecTrustSettingsResult Requirement::Interpreter::trustSetting(SecCertificateRef
 		::free(errors);
 		MacOSError::throwMe(rc);
 	}
+#else
+    return kSecTrustSettingsResultUnspecified;
+#endif
 }