X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/ecaf5866106b8f08bdb7c1b4f489ef4dfd01278a..bf028f67fd3bb2266df81b80fb6f25a77112e308:/OSX/libsecurity_codesigning/lib/SecCode.cpp diff --git a/OSX/libsecurity_codesigning/lib/SecCode.cpp b/OSX/libsecurity_codesigning/lib/SecCode.cpp index 3d918e4b..2a494dc7 100644 --- a/OSX/libsecurity_codesigning/lib/SecCode.cpp +++ b/OSX/libsecurity_codesigning/lib/SecCode.cpp @@ -179,7 +179,8 @@ OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef hostRef, // -// Shorthand for getting the SecCodeRef for a UNIX process +// Deprecated since 10.6, DO NOT USE. This can be raced. +// Use SecCodeCreateWithAuditToken instead. // OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *processRef) { @@ -193,6 +194,25 @@ OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *processRe END_CSAPI } + +// +// Shorthand for getting the SecCodeRef for a UNIX process +// +OSStatus SecCodeCreateWithAuditToken(const audit_token_t *audit, + SecCSFlags flags, SecCodeRef *processRef) +{ + BEGIN_CSAPI + + checkFlags(flags); + CFRef auditData = makeCFData(audit, sizeof(audit_token_t)); + if (SecCode *guest = KernelCode::active()->locateGuest(CFTemp("{%O=%O}", kSecGuestAttributeAudit, auditData.get()))) { + CodeSigning::Required(processRef) = guest->handle(false); + } else { + return errSecCSNoSuchCode; + } + + END_CSAPI +} #endif // TARGET_OS_OSX @@ -213,8 +233,10 @@ OSStatus SecCodeCheckValidityWithErrors(SecCodeRef codeRef, SecCSFlags flags, checkFlags(flags, kSecCSConsiderExpiration | kSecCSStrictValidate + | kSecCSStrictValidateStructure | kSecCSRestrictSidebandData - | kSecCSEnforceRevocationChecks); + | kSecCSEnforceRevocationChecks + ); SecPointer code = SecCode::required(codeRef); code->checkValidity(flags); if (const SecRequirement *req = SecRequirement::optional(requirementRef)) @@ -257,18 +279,22 @@ const CFStringRef kSecCodeInfoTimestamp = CFSTR("signing-timestamp"); const CFStringRef kSecCodeInfoTrust = CFSTR("trust"); const CFStringRef kSecCodeInfoUnique = CFSTR("unique"); const CFStringRef kSecCodeInfoCdHashes = CFSTR("cdhashes"); - +const CFStringRef kSecCodeInfoCdHashesFull = CFSTR("cdhashes-full"); +const CFStringRef kSecCodeInfoRuntimeVersion = CFSTR("runtime-version"); const CFStringRef kSecCodeInfoCodeDirectory = CFSTR("CodeDirectory"); const CFStringRef kSecCodeInfoCodeOffset = CFSTR("CodeOffset"); const CFStringRef kSecCodeInfoDiskRepInfo = CFSTR("DiskRepInfo"); const CFStringRef kSecCodeInfoResourceDirectory = CFSTR("ResourceDirectory"); +const CFStringRef kSecCodeInfoNotarizationDate = CFSTR("NotarizationDate"); +const CFStringRef kSecCodeInfoCMSDigestHashType = CFSTR("CMSDigestHashType"); +const CFStringRef kSecCodeInfoCMSDigest = CFSTR("CMSDigest"); /* DiskInfoRepInfo types */ -const CFStringRef kSecCodeInfoDiskRepOSPlatform = CFSTR("OSPlatform"); -const CFStringRef kSecCodeInfoDiskRepOSVersionMin = CFSTR("OSVersionMin"); -const CFStringRef kSecCodeInfoDiskRepOSSDKVersion = CFSTR("SDKVersion"); -const CFStringRef kSecCodeInfoDiskRepNoLibraryValidation = CFSTR("NoLibraryValidation"); +const CFStringRef kSecCodeInfoDiskRepVersionPlatform = CFSTR("VersionPlatform"); +const CFStringRef kSecCodeInfoDiskRepVersionMin = CFSTR("VersionMin"); +const CFStringRef kSecCodeInfoDiskRepVersionSDK = CFSTR("VersionSDK"); +const CFStringRef kSecCodeInfoDiskRepNoLibraryValidation = CFSTR("NoLibraryValidation"); OSStatus SecCodeCopySigningInformation(SecStaticCodeRef codeRef, SecCSFlags flags, @@ -282,7 +308,8 @@ OSStatus SecCodeCopySigningInformation(SecStaticCodeRef codeRef, SecCSFlags flag | kSecCSRequirementInformation | kSecCSDynamicInformation | kSecCSContentInformation - | kSecCSSkipResourceDirectory); + | kSecCSSkipResourceDirectory + | kSecCSCalculateCMSDigest); SecPointer code = SecStaticCode::requiredStatic(codeRef); CFRef info = code->signingInformation(flags);