1/* 2 * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24// 25// CodeSigner - SecCodeSigner API objects 26// 27#ifndef _H_CODESIGNER 28#define _H_CODESIGNER 29 30#include "cs.h" 31#include "StaticCode.h" 32#include "cdbuilder.h" 33#include <Security/SecIdentity.h> 34#include <security_utilities/utilities.h> 35 36namespace Security { 37namespace CodeSigning { 38 39 40// 41// A SecCode object represents running code in the system. It must be subclassed 42// to implement a particular notion of code. 43// 44class SecCodeSigner : public SecCFObject, public DiskRep::SigningContext { 45 NOCOPY(SecCodeSigner) 46public: 47 class Parser; 48 class Signer; 49 50public: 51 SECCFFUNCTIONS(SecCodeSigner, SecCodeSignerRef, errSecCSInvalidObjectRef, gCFObjects().CodeSigner) 52 53 SecCodeSigner(SecCSFlags flags); 54 virtual ~SecCodeSigner() throw(); 55 56 void parameters(CFDictionaryRef args); // parse and set parameters 57 bool valid() const; 58 59 std::string getTeamIDFromSigner(CFArrayRef certs); 60 61 void sign(SecStaticCode *code, SecCSFlags flags); 62 void remove(SecStaticCode *code, SecCSFlags flags); 63 64 void returnDetachedSignature(BlobCore *blob, Signer &signer); 65 66protected: 67 std::string sdkPath(const std::string &path) const; 68 bool isAdhoc() const; 69 SecCSFlags signingFlags() const; 70 71private: 72 // parsed parameter set 73 SecCSFlags mOpFlags; // operation flags 74 CFRef<SecIdentityRef> mSigner; // signing identity 75 CFRef<CFTypeRef> mDetached; // detached-signing information (NULL => attached) 76 CFRef<CFDictionaryRef> mResourceRules; // explicit resource collection rules (override) 77 CFRef<CFDateRef> mSigningTime; // signing time desired (kCFNull for none) 78 CFRef<CFDataRef> mApplicationData; // contents of application slot 79 CFRef<CFDataRef> mEntitlementData; // entitlement configuration data 80 CFRef<CFURLRef> mSDKRoot; // substitute filesystem root for sub-component lookup 81 CFRef<CFTypeRef> mRequirements; // internal code requirements 82 size_t mCMSSize; // size estimate for CMS blob 83 uint32_t mCdFlags; // CodeDirectory flags 84 uint32_t mPreserveMetadata; // metadata preservation options 85 bool mCdFlagsGiven; // CodeDirectory flags were specified 86 CodeDirectory::HashAlgorithm mDigestAlgorithm; // interior digest (hash) algorithm 87 std::string mIdentifier; // unique identifier override 88 std::string mIdentifierPrefix; // prefix for un-dotted default identifiers 89 std::string mTeamID; // teamID 90 bool mNoMachO; // override to perform non-Mach-O signing 91 bool mDryRun; // dry run (do not change target) 92 CFRef<CFNumberRef> mPageSize; // main executable page size 93 CFRef<SecIdentityRef> mTimestampAuthentication; // identity for client-side authentication to the Timestamp server 94 CFRef<CFURLRef> mTimestampService; // URL for Timestamp server 95 bool mWantTimeStamp; // use a Timestamp server 96 bool mNoTimeStampCerts; // don't request certificates with timestamping request 97}; 98 99 100} // end namespace CodeSigning 101} // end namespace Security 102 103#endif // !_H_CODESIGNER 104