X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/fa7225c82381bac4432a6edf16f53b5370238d85..dbe775057b53a81d9983d810772462c3233fccd3:/OSX/libsecurity_codesigning/lib/reqinterp.cpp?ds=sidebyside diff --git a/OSX/libsecurity_codesigning/lib/reqinterp.cpp b/OSX/libsecurity_codesigning/lib/reqinterp.cpp index 3215df48..80a6ae13 100644 --- a/OSX/libsecurity_codesigning/lib/reqinterp.cpp +++ b/OSX/libsecurity_codesigning/lib/reqinterp.cpp @@ -34,6 +34,7 @@ #include #include #include "csutilities.h" +#include "notarization.h" namespace Security { namespace CodeSigning { @@ -149,6 +150,7 @@ bool Requirement::Interpreter::eval(int depth) Match match(*this); return certFieldValue(key, match, cert); } +#if TARGET_OS_OSX case opCertGeneric: { SecCertificateRef cert = mContext->cert(get()); @@ -163,6 +165,7 @@ bool Requirement::Interpreter::eval(int depth) Match match(*this); return certFieldPolicy(key, match, cert); } +#endif case opTrustedCert: return trustedCert(get()); case opTrustedCerts: @@ -176,6 +179,10 @@ bool Requirement::Interpreter::eval(int depth) int32_t targetPlatform = get(); return mContext->directory && mContext->directory->platform == targetPlatform; } + case opNotarized: + { + return isNotarized(mContext); + } default: // opcode not recognized - handle generically if possible, fail otherwise if (op & (opGenericFalse | opGenericSkip)) { @@ -222,6 +229,8 @@ bool Requirement::Interpreter::entitlementValue(const string &key, const Match & bool Requirement::Interpreter::certFieldValue(const string &key, const Match &match, SecCertificateRef cert) { +// XXX: Not supported on embedded yet due to lack of supporting API +#if TARGET_OS_OSX // no cert, no chance if (cert == NULL) return false; @@ -273,10 +282,11 @@ bool Requirement::Interpreter::certFieldValue(const string &key, const Match &ma // unrecognized key. Fail but do not abort to promote backward compatibility down the road secinfo("csinterp", "cert field notation \"%s\" not understood", key.c_str()); +#endif return false; } - +#if TARGET_OS_OSX bool Requirement::Interpreter::certFieldGeneric(const string &key, const Match &match, SecCertificateRef cert) { // the key is actually a (binary) OID value @@ -300,7 +310,7 @@ bool Requirement::Interpreter::certFieldPolicy(const CssmOid &oid, const Match & { return cert && certificateHasPolicy(cert, oid) && match(kCFBooleanTrue); } - +#endif // // Check the Apple-signed condition @@ -366,6 +376,10 @@ bool Requirement::Interpreter::appleLocalAnchored() if (csr_check(CSR_ALLOW_APPLE_INTERNAL)) return false; + if (mContext->forcePlatform) { + return true; + } + static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ additionalTrustedCertificates = getAdditionalTrustedAnchors(); @@ -394,7 +408,7 @@ bool Requirement::Interpreter::appleSigned() return true; } else if (appleLocalAnchored()) { return true; - } + } return false; } @@ -406,12 +420,16 @@ bool Requirement::Interpreter::verifyAnchor(SecCertificateRef cert, const unsign { // get certificate bytes if (cert) { + SHA1 hasher; +#if TARGET_OS_OSX CSSM_DATA certData; MacOSError::check(SecCertificateGetData(cert, &certData)); // verify hash - SHA1 hasher; hasher(certData.Data, certData.Length); +#else + hasher(SecCertificateGetBytePtr(cert), SecCertificateGetLength(cert)); +#endif return hasher.verify(digest); } return false; @@ -469,6 +487,8 @@ bool Requirement::Interpreter::trustedCert(int slot) // SecTrustSettingsResult Requirement::Interpreter::trustSetting(SecCertificateRef cert, bool isAnchor) { + // XXX: Not supported on embedded yet due to lack of supporting API +#if TARGET_OS_OSX // the SPI input is the uppercase hex form of the SHA-1 of the certificate... assert(cert); SHA1::Digest digest; @@ -506,6 +526,9 @@ SecTrustSettingsResult Requirement::Interpreter::trustSetting(SecCertificateRef ::free(errors); MacOSError::throwMe(rc); } +#else + return kSecTrustSettingsResultUnspecified; +#endif }