//
#include "clientid.h"
#include "server.h"
-#include "osxcodewrap.h"
+#include <Security/SecCodePriv.h>
//
//
void ClientIdentification::setup(pid_t pid)
{
- if (IFDEBUG(OSStatus rc =)SecCodeCreateWithPID(pid, kSecCSDefaultFlags,
+ StLock<Mutex> _(mLock);
+ if (OSStatus rc = SecCodeCreateWithPID(pid, kSecCSDefaultFlags,
&mClientProcess.aref()))
- secdebug("clientid", "could not get code for process %d: OSStatus=%ld",
- pid, rc);
+ secdebug("clientid", "could not get code for process %d: OSStatus=%d",
+ pid, int32_t(rc));
+ mGuests.erase(mGuests.begin(), mGuests.end());
}
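Review bot: The added `mGuests.erase(mGuests.begin(), mGuests.end());` is the long form of `mGuests.clear();`, which says the intent (drop every cached guest when the client process is re-identified) more directly. Dropping the `IFDEBUG(...)` wrapper means `rc` is now declared in all builds; if `secdebug` compiles to nothing outside debug builds, as the wrapper the old line carried suggests, `rc` becomes an unused variable there, so either keep the wrapper or add `(void)rc;` after the log call. Note that on a failed `SecCodeCreateWithPID` the function still continues with an empty `mClientProcess`; clearing the guest cache in that case is the right direction, since it prevents stale guest identities from surviving a failed re-identification, but a one-line comment stating that this is deliberate would help the next reader. The body of setup is shown only in part here.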
return CssmData();
}
+const bool ClientIdentification::checkAppleSigned() const
+{
+ if (GuestState *guest = current()) {
+ if (!guest->checkedSignature) {
+ // This is the clownfish supported way to check for a Mac App Store or B&I signed build
+ CFStringRef requirementString = CFSTR("(anchor apple) or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9])");
+ SecRequirementRef secRequirementRef = NULL;
+ OSStatus status = SecRequirementCreateWithString(requirementString, kSecCSDefaultFlags, &secRequirementRef);
+ if (status == errSecSuccess) {
+ OSStatus status = SecCodeCheckValidity(guest->code, kSecCSDefaultFlags, secRequirementRef);
+ if (status != errSecSuccess) {
+ secdebug("SecurityAgentXPCQuery", "code requirement check failed (%d)", (int32_t)status);
+ } else {
+ guest->appleSigned = true;
+ }
+ guest->checkedSignature = true;
+ }
+ CFRelease(secRequirementRef);
+ }
+ return guest->appleSigned;
+ } else
+ return false;
+}
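Review bot: `CFRelease(secRequirementRef);` is reached with `secRequirementRef == NULL` whenever `SecRequirementCreateWithString` fails, because the release sits outside the `status == errSecSuccess` block; CFRelease on NULL aborts the process, so either guard it, `if (secRequirementRef) CFRelease(secRequirementRef);`, or follow the file's own idiom (see `CFRef<CFURLRef> path` in the dump helper below) with `CFRef<SecRequirementRef> secRequirementRef;` passed as `&secRequirementRef.aref()` and drop the manual release. The inner `OSStatus status` on the `SecCodeCheckValidity` line shadows the outer `status` from the requirement creation; renaming it, e.g. `OSStatus validity = ...`, removes the ambiguity. A creation failure also leaves `checkedSignature` false, so the requirement is rebuilt and re-evaluated on every call; that fails closed, which is correct for a signing check, but deserves a comment such as `// creation failure is not cached: retry on next call, never report signed`. The `const` on the by-value `const bool` return type has no effect and is usually dropped.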
+
//
// Bonus function: get the path out of a SecCodeRef
{
CFRef<CFURLRef> path;
if (OSStatus rc = SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
- Debug::dump("unknown(rc=%ld)", rc);
+ Debug::dump("unknown(rc=%d)", int32_t(rc));
else
Debug::dump("%s", cfString(path).c_str());
}