/*
 * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

//
// resource directory construction and verification
//
// Declares the two sides of a code signature's resource envelope:
//  - ResourceBuilder walks a directory tree (via fts) under a rule set and
//    hashes the files that the rules say must be sealed;
//  - ResourceSeal is a read-only view of one sealed entry, used when a
//    resource directory is verified against the files on disk.
//
#ifndef _H_RSIGN
#define _H_RSIGN

#include "codedirectory.h"
#include <security_utilities/utilities.h>
#include <security_utilities/cfutilities.h>
#include <security_utilities/hashing.h>
#include "regex.h"
#include <CoreFoundation/CoreFoundation.h>
#include <vector>
#include <fts.h>

namespace Security {
namespace CodeSigning {


//
// The builder of ResourceDirectories.
//
// Note that this *is* a ResourceEnumerator, which can enumerate
// its source directory once (only).
//
// The builder is configured with a root directory, a relative base for
// the paths it reports, a CF dictionary of rules, the hash algorithm used
// for the seals, a strictness flag and a set of tolerated errors. Rules are
// ordered; exclusions added through addExclusion() are placed at the front
// of the list. The class is non-copyable (NOCOPY).
//
class ResourceBuilder {
	NOCOPY(ResourceBuilder)
public:
	// root:            directory whose contents are enumerated and hashed.
	// relBase:         base against which the reported relative paths are formed
	//                  (presumably a prefix of root — verify in the implementation).
	// rulesDict:       the raw rules dictionary; retained in mRawRules and handed
	//                  back unchanged by rules().
	// hashType:        algorithm used by getHash()/hashFile().
	// strict:          NOTE(review): appears to drive mCheckUnreadable /
	//                  mCheckUnknownType; not visible here — confirm.
	// toleratedErrors: errors the scan is allowed to ignore.
	ResourceBuilder(const std::string &root, const std::string &relBase,
		CFDictionaryRef rulesDict, CodeDirectory::HashAlgorithm hashType, bool strict, const MacOSErrorSet& toleratedErrors);
	// Closes the enumeration. Whether the Rule objects held in mRules are
	// deleted here is not visible in this header — check the implementation
	// before assuming addRule() transfers ownership.
	~ResourceBuilder();
	
	// Bit flags carried in Rule::flags (and mirrored into ResourceSeal's
	// flags) that describe how a matched resource is treated. They are
	// combined with | and tested with &, so each value is a distinct bit.
	enum {
		optional = 0x01,				// may be absent at runtime
		omitted = 0x02,				// do not seal even if present
		nested = 0x04,				// nested code (recursively signed)
		exclusion = 0x10,			// overriding exclusion (stop looking)
		top = 0x20,					// special top directory handling
	};
	
	// Precedence of a rule; how ties and ordering are resolved lives in
	// findRule()'s implementation, not here.
	typedef unsigned int Weight;
	
public:
	// One rule: a compiled POSIX regex (private regex_t base from regex.h)
	// plus its weight and treatment flags.
	class Rule : private regex_t {
	public:
		// Compiles `pattern`; weight and flags are fixed for the rule's lifetime.
		Rule(const std::string &pattern, Weight weight, uint32_t flags);
		~Rule();
		
		// True if the C string `s` matches the compiled pattern.
		bool match(const char *s) const;
		
		const Weight weight;
		const uint32_t flags;
		// presumably the original pattern text kept for diagnostics — verify against callers
		std::string source;
	};
	// Appends a rule (raw pointer, see ~ResourceBuilder regarding ownership).
	void addRule(Rule *rule) { mRules.push_back(rule); }
	// Inserts an exclusion rule (weight 0, flag `exclusion`) at the FRONT of the
	// rule list, ahead of anything added before it.
	void addExclusion(const std::string &pattern) { mRules.insert(mRules.begin(), new Rule(pattern, 0, exclusion)); }

	// Presumably quotes regex metacharacters in `s` so it matches literally —
	// verify in the implementation before relying on it for untrusted input.
	static std::string escapeRE(const std::string &s);
	
	// Callback invoked once per enumerated entry: the fts entry, the flags of
	// the rule that matched, the path relative to relBase, and the rule itself.
	typedef void (^Scanner)(FTSENT *ent, uint32_t flags, const char *relpath, Rule *rule);
	// Enumerates the root directory, calling `next` for each entry. Per the
	// class note, this can be done only once per builder.
	void scan(Scanner next);
	// True if `path` is covered by the rules (unqualified `string` here comes
	// from a using-directive in an included header).
	bool includes(string path) const;
	// The rule that applies to `path`, or NULL if none does (NULL behaviour
	// inferred from the pointer return — confirm).
	Rule *findRule(string path) const;

	// A hasher for the configured algorithm, obtained from CodeDirectory::hashFor.
	// NOTE(review): ownership of the returned DynamicHash* follows hashFor's
	// contract, which is not visible here — confirm who deletes it.
	DynamicHash *getHash() const { return CodeDirectory::hashFor(this->mHashType); }
	// Hashes the file at `path` with the configured algorithm. Whether the
	// returned CFDataRef is +1 (caller releases) is not visible here — confirm.
	CFDataRef hashFile(const char *path) const;
	
	// The rules dictionary exactly as passed to the constructor.
	CFDictionaryRef rules() const { return mRawRules; }

protected:
	// Translates one entry of the rules dictionary into a Rule (used while
	// consuming rulesDict; details in the implementation).
	void addRule(CFTypeRef key, CFTypeRef value);

private:
	std::string mRoot, mRelBase;
	FTS *mFTS;						// the single fts traversal backing scan()
	CFCopyRef<CFDictionaryRef> mRawRules;	// retaining wrapper around rulesDict
	typedef std::vector<Rule *> Rules;
	Rules mRules;					// ordered rule list; exclusions first
	CodeDirectory::HashAlgorithm mHashType;
	bool mCheckUnreadable;			// presumably fail on unreadable entries — confirm
	bool mCheckUnknownType;			// presumably fail on unexpected file types — confirm
};


//
// The "seal" on a single resource.
//
// A read-only view of one entry of a resource directory, constructed from
// the CF object stored for that resource. It exposes the sealed hash, the
// treatment flags (see ResourceBuilder's enum), and the optional
// requirement / symlink target strings.
//
// The member CF references are plain pointers: no CFRetain/CFRelease is
// visible in this header, so assume they are borrowed from the dictionary
// the seal was built from and remain valid only while that dictionary
// lives — confirm in the implementation.
//
class ResourceSeal {
public:
	// Builds the seal from `ref`, presumably the value stored under the
	// resource's path in the resource directory — verify against callers.
	ResourceSeal(CFTypeRef ref);

public:
	// Validity: a seal is usable only if it carries a hash.
	operator bool () const { return mHash; }
	bool operator ! () const { return mHash == NULL; }
	
	// Raw bytes of the sealed digest. There is no NULL check here, so callers
	// must test the seal (operator bool) first. The SHA1::Byte pointer type
	// says nothing about the digest's actual length or algorithm; the length
	// is that of mHash (CFDataGetLength), and a verifier should compare it
	// against the length expected for the hash type in use rather than
	// assuming SHA-1.
	const SHA1::Byte *hash() const { return CFDataGetBytePtr(mHash); }
	// True if the resource is nested code, to be verified as its own signature.
	bool nested() const { return mFlags & ResourceBuilder::nested; }
	// True if the resource may legitimately be missing at runtime.
	bool optional() const { return mFlags & ResourceBuilder::optional; }
	// The backing dictionary for this entry (may be NULL; see constructor).
	CFDictionaryRef dict() const { return mDict; }
	// Code requirement text attached to the seal, or NULL if none.
	CFStringRef requirement() const { return mRequirement; }
	// Symlink target recorded for the resource, or NULL if it is not a link.
	CFStringRef link() const { return mLink; }

private:
	CFDictionaryRef mDict;
	CFDataRef mHash;
	CFStringRef mRequirement;
	CFStringRef mLink;
	uint32_t mFlags;				// combination of ResourceBuilder enum bits
};


} // end namespace CodeSigning
} // end namespace Security

#endif // !_H_RSIGN