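/*
 * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

//
// csutilities - miscellaneous utilities for the code signing implementation
//
#include "csutilities.h"
#include <Security/SecCertificatePriv.h>
#include <security_codesigning/requirement.h>
#include <security_utilities/hashing.h>
#include <security_utilities/debugging.h>
#include <security_utilities/errors.h>
#include <cassert>
#include <cstdarg>
#include <cstdio>
#include <cstring>
#include <string>

namespace Security {
namespace CodeSigning {


//
// The (SHA-1) hash of the canonical Apple certificate root anchor.
// This is the digest of the whole DER-encoded certificate (see hashOfCertificate),
// so a match pins that exact anchor certificate, not merely its key or subject.
//
static const SHA1::Digest gAppleAnchorHash =
	{ 0x61, 0x1e, 0x5b, 0x66, 0x2c, 0x59, 0x3a, 0x08, 0xff, 0x58,
	  0xd1, 0x4a, 0xe2, 0x24, 0x52, 0xd1, 0x98, 0xdf, 0x6c, 0x60 };



//
// Test for the canonical Apple CA certificate.
// The first form hashes the certificate's DER data and compares it to the anchor;
// the second compares an already-computed SHA-1 digest (SHA1::digestLength bytes).
//
bool isAppleCA(SecCertificateRef cert)
{
	return verifyHash(cert, gAppleAnchorHash);
}

bool isAppleCA(const Hashing::Byte *sha1)
{
	// sha1 must point at SHA1::digestLength readable bytes
	return !memcmp(sha1, gAppleAnchorHash, SHA1::digestLength);
}


//
// Calculate the canonical hash of a certificate, given its raw (DER) data.
// The result is written into digest (SHA1::digestLength bytes).
//
void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest)
{
	SHA1 hasher;
	hasher(certData, certLength);
	hasher.finish(digest);
}


//
// Ditto, given a SecCertificateRef.
// Throws (via MacOSError::check) if the certificate's DER data cannot be retrieved.
//
void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest)
{
	assert(cert);
	CSSM_DATA certData;
	MacOSError::check(SecCertificateGetData(cert, &certData));
	hashOfCertificate(certData.Data, certData.Length, digest);
}


//
// One-stop hash-certificate-and-compare.
// Returns true if the SHA-1 of cert's DER data equals digest (SHA1::digestLength bytes).
//
bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest)
{
	SHA1::Digest dig;
	hashOfCertificate(cert, dig);
	return !memcmp(dig, digest, SHA1::digestLength);
}


//
// Check to see if a certificate contains a particular field, by OID. This works for extensions,
// even ones not recognized by the local CL. It does not return any value, only presence.
//
// Fields the CL knows are looked up directly. If the CL does not recognize the OID
// (errSecUnknownTag), the CL's bag of unparsed extensions is scanned for a matching extnId.
// Any other CL error is thrown as a MacOSError.
//
bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid)
{
	assert(cert);
	CSSM_DATA *value;
	switch (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &oid, &value)) {
	case errSecSuccess:
		MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &oid, value));
		return true;	// extension found by oid
	case errSecUnknownTag:
		break;			// oid not recognized by CL - continue below
	default:
		MacOSError::throwMe(rc);	// error: fail
	}
	
	// check the CL's bag of unrecognized extensions
	CSSM_DATA **values;
	bool found = false;
	if (SecCertificateCopyFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, &values))
		return false;	// no unrecognized extensions - no match (any failure here is treated as "absent")
	if (values)
		for (CSSM_DATA **p = values; *p; p++) {
			// Each entry is expected to be a CSSM_X509_EXTENSION C-struct (same layout check
			// certificateHasPolicy applies); skip anything that is not exactly that size
			// rather than reinterpreting arbitrary bytes as a struct.
			if (!(*p)->Data || (*p)->Length != sizeof(CSSM_X509_EXTENSION))
				continue;
			const CSSM_X509_EXTENSION *ext = reinterpret_cast<const CSSM_X509_EXTENSION *>((*p)->Data);
			if (oid == ext->extnId) {
				found = true;
				break;
			}
		}
	MacOSError::check(SecCertificateReleaseFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, values));
	return found;
}


//
// Retrieve X.509 policy extension OIDs, if any.
// This currently ignores policy qualifiers.
//
// Returns true if the certificate's certificatePolicies extension lists policyOid.
// Throws a MacOSError if the CL cannot retrieve the extension at all.
//
bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid)
{
	bool matched = false;
	assert(cert);
	CSSM_DATA *data;
	if (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &CSSMOID_CertificatePolicies, &data))
		MacOSError::throwMe(rc);
	if (data && data->Data && data->Length == sizeof(CSSM_X509_EXTENSION)) {
		const CSSM_X509_EXTENSION *ext = reinterpret_cast<const CSSM_X509_EXTENSION *>(data->Data);
		// Only the parsed form carries a CE_CertPolicies in value.parsedValue; checked at
		// runtime (not just asserted) so a release build never reads the union as the wrong member.
		if (ext->format == CSSM_X509_DATAFORMAT_PARSED) {
			const CE_CertPolicies *policies = static_cast<const CE_CertPolicies *>(ext->value.parsedValue);
			if (policies)
				for (unsigned int n = 0; n < policies->numPolicies; n++) {
					const CE_PolicyInformation &cp = policies->policies[n];
					if (cp.certPolicyId == policyOid) {
						matched = true;
						break;
					}
				}
		}
	}
	// Release with the same OID the value was copied with (CSSMOID_CertificatePolicies).
	// The release status is not checked; the match has already been decided above.
	SecCertificateReleaseFirstFieldValue(cert, &CSSMOID_CertificatePolicies, data);
	return matched;
}


//
// Copyfile - thin RAII-style wrapper around copyfile(3) and its state object.
// Failures are reported as UnixError (errno-based) via check().
//
Copyfile::Copyfile()
{
	if (!(mState = copyfile_state_alloc()))
		UnixError::throwMe();
}

// Set a copyfile state parameter (see copyfile_state_set(3)).
void Copyfile::set(uint32_t flag, const void *value)
{
	check(::copyfile_state_set(mState, flag, value));
}

// Read a copyfile state parameter into *value (see copyfile_state_get(3)).
void Copyfile::get(uint32_t flag, void *value)
{
	check(::copyfile_state_get(mState, flag, value));
}

// Perform the copy from src to dst using the accumulated state and the given flags.
void Copyfile::operator () (const char *src, const char *dst, copyfile_flags_t flags)
{
	check(::copyfile(src, dst, mState, flags));
}

// copyfile(3) APIs return a negative value on failure with errno set.
void Copyfile::check(int rc)
{
	if (rc < 0)
		UnixError::throwMe();
}


//
// MessageTracer support
//
// Builds an ASL message carrying the MessageTracer domain/signature keys;
// add() attaches further "com.apple.message.*" keys and send() emits it.
//
MessageTrace::MessageTrace(const char *domain, const char *signature)
{
	// NOTE(review): asl_new() can return NULL; that case is not checked here, so the
	// later asl_set/asl_vlog calls would operate on a NULL message - confirm this is acceptable.
	mAsl = asl_new(ASL_TYPE_MSG);
	if (domain)
		asl_set(mAsl, "com.apple.message.domain", domain);
	if (signature)
		asl_set(mAsl, "com.apple.message.signature", signature);
}

// Add key "com.apple.message.<key>" with a printf-style formatted value.
// The formatted value is truncated to 199 characters by vsnprintf.
void MessageTrace::add(const char *key, const char *format, ...)
{
	va_list args;
	va_start(args, format);
	char value[200];
	vsnprintf(value, sizeof(value), format, args);
	va_end(args);
	asl_set(mAsl, (string("com.apple.message.") + key).c_str(), value);
}

// Emit the message at ASL_LEVEL_NOTICE with a printf-style message text.
void MessageTrace::send(const char *format, ...)
{
	va_list args;
	va_start(args, format);
	asl_vlog(NULL, mAsl, ASL_LEVEL_NOTICE, format, args);
	va_end(args);
}


} // end namespace CodeSigning
} // end namespace Security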