SecRequirement.cpp   [plain text]

/*
 * Copyright (c) 2006 Apple Computer, Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

//
// SecRequirement - API frame for SecRequirement objects
//
#include "cs.h"
#include "Requirements.h"
#include "reqparser.h"
#include "reqmaker.h"
#include "reqdumper.h"
#include <Security/SecCertificate.h>
#include <security_utilities/cfutilities.h>

using namespace CodeSigning;


//
// CF-standard type code function
//
CFTypeID SecRequirementGetTypeID(void)
{
	BEGIN_CSAPI
	return gCFObjects().Requirement.typeID;
    END_CSAPI1(_kCFRuntimeNotATypeID)
}


//
// Create a Requirement from data
//
OSStatus SecRequirementCreateWithData(CFDataRef data, SecCSFlags flags,
	SecRequirementRef *requirementRef)
{
	BEGIN_CSAPI
	
	checkFlags(flags);
	CodeSigning::Required(requirementRef) = (new SecRequirement(CFDataGetBytePtr(data), CFDataGetLength(data)))->handle();

	END_CSAPI
}
	

//
// Create a Requirement from data in a file
//
OSStatus SecRequirementCreateWithResource(CFURLRef resource, SecCSFlags flags,
	SecRequirementRef *requirementRef)
{
	BEGIN_CSAPI
	
	checkFlags(flags);
	CFRef<CFDataRef> data = cfLoadFile(resource);
	CodeSigning::Required(requirementRef) =
		(new SecRequirement(CFDataGetBytePtr(data), CFDataGetLength(data)))->handle();

	END_CSAPI
}


//
// Create a Requirement from source text (compiling it)
//
OSStatus SecRequirementCreateWithString(CFStringRef text, SecCSFlags flags,
	SecRequirementRef *requirementRef)
{
	return SecRequirementCreateWithStringAndErrors(text, flags, NULL, requirementRef);
}

OSStatus SecRequirementCreateWithStringAndErrors(CFStringRef text, SecCSFlags flags,
	CFErrorRef *errors, SecRequirementRef *requirementRef)
{
	BEGIN_CSAPI
	
	checkFlags(flags);
	CodeSigning::Required(requirementRef) = (new SecRequirement(parseRequirement(cfString(text)), true))->handle();

	END_CSAPI_ERRORS
}


//
// Create a Requirement group.
// This is the canonical point where "application group" is defined.
//
OSStatus SecRequirementCreateGroup(CFStringRef groupName, SecCertificateRef anchorRef,
	SecCSFlags flags, SecRequirementRef *requirementRef)
{
	BEGIN_CSAPI
	
	checkFlags(flags);
	Requirement::Maker maker;
	maker.put(opAnd);		// both of...
	maker.infoKey("Application-Group", cfString(groupName));
	if (anchorRef) {
		CSSM_DATA certData;
		MacOSError::check(SecCertificateGetData(anchorRef, &certData));
		maker.anchor(0, certData.Data, certData.Length);
	} else {
		maker.anchor();			// canonical Apple anchor
	}
	CodeSigning::Required(requirementRef) = (new SecRequirement(maker.make(), true))->handle();

	END_CSAPI
}


//
// Extract the stable binary from from a SecRequirementRef
//
OSStatus SecRequirementCopyData(SecRequirementRef requirementRef, SecCSFlags flags,
	CFDataRef *data)
{
	BEGIN_CSAPI
	
	const Requirement *req = SecRequirement::required(requirementRef)->requirement();
	checkFlags(flags);
	CodeSigning::Required(data);
	*data = makeCFData(*req);

	END_CSAPI
}


//
// Generate source form for a SecRequirement (decompile/disassemble)
//
OSStatus SecRequirementCopyString(SecRequirementRef requirementRef, SecCSFlags flags,
	CFStringRef *text)
{
	BEGIN_CSAPI
	
	const Requirement *req = SecRequirement::required(requirementRef)->requirement();
	checkFlags(flags);
	CodeSigning::Required(text);
	*text = makeCFString(Dumper::dump(req));

	END_CSAPI
}


//
CFStringRef kSecRequirementKeyInfoPlist = CFSTR("requirement:eval:info");
CFStringRef kSecRequirementKeyEntitlements = CFSTR("requirement:eval:entitlements");
CFStringRef kSecRequirementKeyIdentifier = CFSTR("requirement:eval:identifier");

OSStatus SecRequirementEvaluate(SecRequirementRef requirementRef,
	CFArrayRef certificateChain, CFDictionaryRef context,
	SecCSFlags flags)
{
	BEGIN_CSAPI

	const Requirement *req = SecRequirement::required(requirementRef)->requirement();
	checkFlags(flags);
	CodeSigning::Required(certificateChain);
	
	Requirement::Context ctx(certificateChain,		// mandatory
		context ? CFDictionaryRef(CFDictionaryGetValue(context, kSecRequirementKeyInfoPlist)) : NULL,
		context ? CFDictionaryRef(CFDictionaryGetValue(context, kSecRequirementKeyEntitlements)) : NULL,
		(context && CFDictionaryGetValue(context, kSecRequirementKeyIdentifier)) ?
			cfString(CFStringRef(CFDictionaryGetValue(context, kSecRequirementKeyIdentifier))) : "",
		NULL	// can't specify a CodeDirectory here
	);
	req->validate(ctx);
	
	END_CSAPI
}


//
// Assemble a requirement set (as a CFData) from a dictionary of requirement objects.
// An empty set is allowed.
//
OSStatus SecRequirementsCreateFromRequirements(CFDictionaryRef requirements, SecCSFlags flags,
	CFDataRef *requirementSet)
{
	BEGIN_CSAPI
	
	checkFlags(flags);
	if (requirements == NULL)
		return errSecCSObjectRequired;
	CFIndex count = CFDictionaryGetCount(requirements);
	CFNumberRef keys[count];
	SecRequirementRef reqs[count];
	CFDictionaryGetKeysAndValues(requirements, (const void **)keys, (const void **)reqs);
	Requirements::Maker maker;
	for (CFIndex n = 0; n < count; n++) {
		const Requirement *req = SecRequirement::required(reqs[n])->requirement();
		maker.add(cfNumber<Requirements::Type>(keys[n]), req->clone());
	}
	Requirements *reqset = maker.make();					// malloc'ed
	CodeSigning::Required(requirementSet) = makeCFDataMalloc(*reqset);	// takes ownership of reqs

	END_CSAPI
}


//
// Break a requirement set (given as a CFData) into its constituent requirements
// and return it as a CFDictionary.
//
OSStatus SecRequirementsCopyRequirements(CFDataRef requirementSet, SecCSFlags flags,
	CFDictionaryRef *requirements)
{
	BEGIN_CSAPI
	
	checkFlags(flags);
	if (requirementSet == NULL)
		return errSecCSObjectRequired;
	const Requirements *reqs = (const Requirements *)CFDataGetBytePtr(requirementSet);
	CFRef<CFMutableDictionaryRef> dict = makeCFMutableDictionary();
	unsigned count = reqs->count();
	for (unsigned n = 0; n < count; n++) {
		CFRef<SecRequirementRef> req = (new SecRequirement(reqs->blob<Requirement>(n)))->handle();
		CFDictionaryAddValue(dict, CFTempNumber(reqs->type(n)), req);
	}
	CodeSigning::Required(requirements) = dict.yield();

	END_CSAPI
}

	
//
// Generically parse a string as some kind of requirement-related source form.
// If properly recognized, return the result as a CF object:
//	SecRequirementRef for a single requirement
//	CFDataRef for a requirement set
//
OSStatus SecRequirementsCreateWithString(CFStringRef text, SecCSFlags flags,
	CFTypeRef *result, CFErrorRef *errors)
{
	BEGIN_CSAPI
	
	checkFlags(flags, kSecCSParseRequirement | kSecCSParseRequirementSet);
	if (text == NULL || result == NULL)
		return errSecCSObjectRequired;
	std::string s = cfString(text);
	switch (flags & (kSecCSParseRequirement | kSecCSParseRequirementSet)) {
	case kSecCSParseRequirement:		// single only
		*result = (new SecRequirement(parseRequirement(s), true))->handle();
		break;
	case kSecCSParseRequirementSet:		// single only
		{
			const Requirements *reqs = parseRequirements(s);
			*result = makeCFDataMalloc(*reqs);
			break;
		}
	case 0:
	case kSecCSParseRequirement | kSecCSParseRequirementSet:
		{
			const BlobCore *any = parseGeneric(s);
			if (any->is<Requirement>())
				*result = (new SecRequirement(Requirement::specific(any), true))->handle();
			else
				*result = makeCFDataMalloc(*any);
			break;
		}
	}

	END_CSAPI_ERRORS
}

	
//
// Convert a SecRequirementRef or a CFDataRef containing a requirement set to text.
// Requirement sets will be formatted as multiple lines (one per requirement). They can be empty.
// A single requirement will return a single line that is NOT newline-terminated.
//
OSStatus SecRequirementsCopyString(CFTypeRef input, SecCSFlags flags, CFStringRef *text)
{
	BEGIN_CSAPI
	
	checkFlags(flags);
	if (input == NULL)
		return errSecCSObjectRequired;
	if (CFGetTypeID(input) == SecRequirementGetTypeID()) {
		return SecRequirementCopyString(SecRequirementRef(input), flags, text);
	} else if (CFGetTypeID(input) == CFDataGetTypeID()) {
		const Requirements *reqs = (const Requirements *)CFDataGetBytePtr(CFDataRef(input));
		if (!reqs->validateBlob(CFDataGetLength(CFDataRef(input))))
			return errSecCSReqInvalid;
		CodeSigning::Required(text) = makeCFString(Dumper::dump(reqs, false));
	} else
		return errSecCSInvalidObjectRef;

	END_CSAPI
}