1/*
2 * Copyright (c) 2006-2010 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24//
25// signer - Signing operation supervisor and controller
26//
27#ifndef _H_SIGNER
28#define _H_SIGNER
29
30#include "CodeSigner.h"
31#include "cdbuilder.h"
32#include "signerutils.h"
33#include "StaticCode.h"
34#include <security_utilities/utilities.h>
35
36namespace Security {
37namespace CodeSigning {
38
39
40//
41// The signer driver class.
42// This is a workflow object, containing all the data needed for the various
43// signing stages to cooperate. It is not meant to be API visible; that is
44// SecCodeSigner's job.
45//
46class SecCodeSigner::Signer {
47public:
48	Signer(SecCodeSigner &s, SecStaticCode *c) : state(s), code(c), requirements(NULL)
49	{ strict = state.signingFlags() & kSecCSSignStrictPreflight; }
50	~Signer() { ::free((Requirements *)requirements); }
51
52	void sign(SecCSFlags flags);
53	void remove(SecCSFlags flags);
54
55	SecCodeSigner &state;
56	SecStaticCode * const code;
57
58	CodeDirectory::HashAlgorithm digestAlgorithm() const { return state.mDigestAlgorithm; }
59
60	std::string path() const { return cfString(rep->copyCanonicalPath()); }
61	SecIdentityRef signingIdentity() const { return state.mSigner; }
62	std::string signingIdentifier() const { return identifier; }
63
64protected:
65	void prepare(SecCSFlags flags);				// set up signing parameters
66	void signMachO(Universal *fat, const Requirement::Context &context); // sign a Mach-O binary
67	void signArchitectureAgnostic(const Requirement::Context &context); // sign anything else
68
69	void populate(DiskRep::Writer &writer);		// global
70	void populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer,
71		InternalRequirements &ireqs, size_t offset = 0, size_t length = 0);	// per-architecture
72	CFDataRef signCodeDirectory(const CodeDirectory *cd);
73
74	uint32_t cdTextFlags(std::string text);		// convert text CodeDirectory flags
75	std::string uniqueName() const;				// derive unique string from rep
76
77protected:
78	void buildResources(std::string root, std::string relBase, CFDictionaryRef rules);
79	CFMutableDictionaryRef signNested(FTSENT *ent, const char *relpath);
80	CFDataRef hashFile(const char *path);
81
82private:
83	RefPointer<DiskRep> rep;		// DiskRep of Code being signed
84	CFRef<CFDictionaryRef> resourceDirectory;	// resource directory
85	CFRef<CFDataRef> resourceDictData; // XML form of resourceDirectory
86	std::string identifier;			// signing identifier
87	std::string teamID;             // team identifier
88	CFRef<CFDataRef> entitlements;	// entitlements
89	uint32_t cdFlags;				// CodeDirectory flags
90	const Requirements *requirements; // internal requirements ready-to-use
91	size_t pagesize;				// size of main executable pages
92	CFAbsoluteTime signingTime;		// signing time for CMS signature (0 => none)
93	bool strict;					// strict validation
94};
95
96
97} // end namespace CodeSigning
98} // end namespace Security
99
100#endif // !_H_CODESIGNER
101