X-Git-Url: https://git.saurik.com/apple/securityd.git/blobdiff_plain/f7aa9f666a1c7ab343b4ce8f1677ea253c4e126e..4cd1cad0dea00daa03e1b54fdf2797a02373ad5b:/src/clientid.cpp?ds=sidebyside diff --git a/src/clientid.cpp b/src/clientid.cpp index b04b7c6..24cfe98 100644 --- a/src/clientid.cpp +++ b/src/clientid.cpp @@ -25,7 +25,7 @@ // #include "clientid.h" #include "server.h" -#include "osxcodewrap.h" +#include // @@ -44,10 +44,12 @@ ClientIdentification::ClientIdentification() // void ClientIdentification::setup(pid_t pid) { - if (IFDEBUG(OSStatus rc =)SecCodeCreateWithPID(pid, kSecCSDefaultFlags, + StLock _(mLock); + if (OSStatus rc = SecCodeCreateWithPID(pid, kSecCSDefaultFlags, &mClientProcess.aref())) - secdebug("clientid", "could not get code for process %d: OSStatus=%ld", - pid, rc); + secdebug("clientid", "could not get code for process %d: OSStatus=%d", + pid, int32_t(rc)); + mGuests.erase(mGuests.begin(), mGuests.end()); } 
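Review bot: The new `mGuests.erase(mGuests.begin(), mGuests.end());` at the end of setup() has no comment saying why the guest cache is dropped, and if mGuests is a standard container it reads more directly as `mGuests.clear();`. Guest entries appear to carry cached signature verdicts, since checkAppleSigned() (added later in this patch) stores `appleSigned` on the guest. A one-line comment such as `// discard guests cached for the previous client process` would record that this reset keeps a stale verdict from outliving a re-setup. The failure path of SecCodeCreateWithPID is still only a secdebug message and the function carries on, so it is worth confirming that nothing downstream treats a client with no code reference as identified.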
@@ -153,6 +155,30 @@ const CssmData ClientIdentification::getHash() const return CssmData(); } +const bool ClientIdentification::checkAppleSigned() const +{ + if (GuestState *guest = current()) { + if (!guest->checkedSignature) { + // This is the clownfish supported way to check for a Mac App Store or B&I signed build + CFStringRef requirementString = CFSTR("(anchor apple) or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9])"); + SecRequirementRef secRequirementRef = NULL; + OSStatus status = SecRequirementCreateWithString(requirementString, kSecCSDefaultFlags, &secRequirementRef); + if (status == errSecSuccess) { + OSStatus status = SecCodeCheckValidity(guest->code, kSecCSDefaultFlags, secRequirementRef); + if (status != errSecSuccess) { + secdebug("SecurityAgentXPCQuery", "code requirement check failed (%d)", (int32_t)status); + } else { + guest->appleSigned = true; + } + guest->checkedSignature = true; + } + CFRelease(secRequirementRef); + } + return guest->appleSigned; + } else + return false; +} + // // Bonus function: get the path out of a SecCodeRef @@ -174,7 +200,7 @@ static void dumpCode(SecCodeRef code) { CFRef path; if (OSStatus rc = SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref())) - Debug::dump("unknown(rc=%ld)", rc); + Debug::dump("unknown(rc=%d)", int32_t(rc)); else Debug::dump("%s", cfString(path).c_str()); }
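Review bot: `CFRelease(secRequirementRef);` in checkAppleSigned() runs even when SecRequirementCreateWithString fails and leaves the reference NULL, and CFRelease on a NULL reference crashes rather than being a no-op. Guard it with `if (secRequirementRef) CFRelease(secRequirementRef);`, or hold the requirement in the `CFRef` wrapper this file already uses for `path` in dumpCode so the release is automatic. The inner `OSStatus status` also shadows the outer one; a distinct name such as `validity` would make clear which result is being logged. The verdict is cached on the guest after a single SecCodeCheckValidity call, and this const method mutates guest state without a visible lock (setup() takes `mLock`; whether current() does is not visible here). It is worth confirming the locking and adding a comment that the cached value reflects validity at the first check only.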