1/* 2 * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24// 25// signer - Signing operation supervisor and controller 26// 27#ifndef _H_SIGNER 28#define _H_SIGNER 29 30#include "CodeSigner.h" 31#include "cdbuilder.h" 32#include "signerutils.h" 33#include "StaticCode.h" 34#include <security_utilities/utilities.h> 35 36namespace Security { 37namespace CodeSigning { 38 39 40// 41// The signer driver class. 42// This is a workflow object, containing all the data needed for the various 43// signing stages to cooperate. It is not meant to be API visible; that is 44// SecCodeSigner's job. 45// 46class SecCodeSigner::Signer { 47public: 48 Signer(SecCodeSigner &s, SecStaticCode *c) : state(s), code(c), requirements(NULL) 49 { strict = state.signingFlags() & kSecCSSignStrictPreflight; } 50 ~Signer() { ::free((Requirements *)requirements); } 51 52 void sign(SecCSFlags flags); 53 void remove(SecCSFlags flags); 54 55 SecCodeSigner &state; 56 SecStaticCode * const code; 57 58 CodeDirectory::HashAlgorithm digestAlgorithm() const { return state.mDigestAlgorithm; } 59 60 std::string path() const { return cfStringRelease(rep->copyCanonicalPath()); } 61 SecIdentityRef signingIdentity() const { return state.mSigner; } 62 std::string signingIdentifier() const { return identifier; } 63 64protected: 65 void prepare(SecCSFlags flags); // set up signing parameters 66 void signMachO(Universal *fat, const Requirement::Context &context); // sign a Mach-O binary 67 void signArchitectureAgnostic(const Requirement::Context &context); // sign anything else 68 69 void populate(DiskRep::Writer &writer); // global 70 void populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer, 71 InternalRequirements &ireqs, size_t offset = 0, size_t length = 0); // per-architecture 72 CFDataRef signCodeDirectory(const CodeDirectory *cd); 73 74 uint32_t cdTextFlags(std::string text); // convert text CodeDirectory flags 75 std::string uniqueName() const; // derive unique string from rep 76 77protected: 78 void buildResources(std::string root, std::string relBase, CFDictionaryRef rules); 79 CFMutableDictionaryRef signNested(FTSENT *ent, const char *relpath); 80 CFDataRef hashFile(const char *path); 81 82private: 83 RefPointer<DiskRep> rep; // DiskRep of Code being signed 84 CFRef<CFDictionaryRef> resourceDirectory; // resource directory 85 CFRef<CFDataRef> resourceDictData; // XML form of resourceDirectory 86 std::string identifier; // signing identifier 87 std::string teamID; // team identifier 88 CFRef<CFDataRef> entitlements; // entitlements 89 uint32_t cdFlags; // CodeDirectory flags 90 const Requirements *requirements; // internal requirements ready-to-use 91 size_t pagesize; // size of main executable pages 92 CFAbsoluteTime signingTime; // signing time for CMS signature (0 => none) 93 bool strict; // strict validation 94}; 95 96 97} // end namespace CodeSigning 98} // end namespace Security 99 100#endif // !_H_CODESIGNER 101