SecTrustedApplication.cpp [plain text]
#include <Security/SecTrustedApplicationPriv.h>
#include <security_keychain/TrustedApplication.h>
#include <security_keychain/Certificate.h>
#include <securityd_client/ssclient.h> // for code equivalence SPIs
#include "SecBridge.h"
static inline CssmData cfData(CFDataRef data)
{
return CssmData(const_cast<UInt8 *>(CFDataGetBytePtr(data)),
CFDataGetLength(data));
}
CFTypeID
SecTrustedApplicationGetTypeID(void)
{
BEGIN_SECAPI
return gTypes().TrustedApplication.typeID;
END_SECAPI1(_kCFRuntimeNotATypeID)
}
OSStatus
SecTrustedApplicationCreateFromPath(const char *path, SecTrustedApplicationRef *appRef)
{
BEGIN_SECAPI
SecPointer<TrustedApplication> app =
path ? new TrustedApplication(path) : new TrustedApplication;
Required(appRef) = app->handle();
END_SECAPI
}
OSStatus SecTrustedApplicationCopyData(SecTrustedApplicationRef appRef,
CFDataRef *dataRef)
{
BEGIN_SECAPI
const char *path = TrustedApplication::required(appRef)->path();
Required(dataRef) = CFDataCreate(NULL, (const UInt8 *)path, strlen(path) + 1);
END_SECAPI
}
OSStatus SecTrustedApplicationSetData(SecTrustedApplicationRef appRef,
CFDataRef dataRef)
{
BEGIN_SECAPI
secdebug("UNIMP", "legacy SecTrustedApplicationSetData not re-implemented");
END_SECAPI
}
OSStatus
SecTrustedApplicationValidateWithPath(SecTrustedApplicationRef appRef, const char *path)
{
BEGIN_SECAPI
TrustedApplication &app = *TrustedApplication::required(appRef);
if (!app.verifyToDisk(path))
return CSSMERR_CSP_VERIFY_FAILED;
END_SECAPI
}
OSStatus SecTrustedApplicationCopyExternalRepresentation(
SecTrustedApplicationRef appRef,
CFDataRef *externalRef)
{
BEGIN_SECAPI
TrustedApplication &app = *TrustedApplication::required(appRef);
Required(externalRef) = app.externalForm();
END_SECAPI
}
OSStatus SecTrustedApplicationCreateWithExternalRepresentation(
CFDataRef externalRef,
SecTrustedApplicationRef *appRef)
{
BEGIN_SECAPI
Required(appRef) = (new TrustedApplication(externalRef))->handle();
END_SECAPI
}
OSStatus
SecTrustedApplicationMakeEquivalent(SecTrustedApplicationRef oldRef,
SecTrustedApplicationRef newRef, UInt32 flags)
{
BEGIN_SECAPI
if (flags & ~kSecApplicationValidFlags)
return paramErr;
SecurityServer::ClientSession ss(Allocator::standard(), Allocator::standard());
TrustedApplication *oldApp = TrustedApplication::required(oldRef);
TrustedApplication *newApp = TrustedApplication::required(newRef);
ss.addCodeEquivalence(oldApp->legacyHash(), newApp->legacyHash(), oldApp->path(),
flags & kSecApplicationFlagSystemwide);
END_SECAPI
}
OSStatus
SecTrustedApplicationRemoveEquivalence(SecTrustedApplicationRef appRef, UInt32 flags)
{
BEGIN_SECAPI
if (flags & ~kSecApplicationValidFlags)
return paramErr;
SecurityServer::ClientSession ss(Allocator::standard(), Allocator::standard());
TrustedApplication *app = TrustedApplication::required(appRef);
ss.removeCodeEquivalence(app->legacyHash(), app->path(),
flags & kSecApplicationFlagSystemwide);
END_SECAPI
}
OSStatus
SecTrustedApplicationIsUpdateCandidate(const char *installroot, const char *path)
{
BEGIN_SECAPI
if (installroot) {
size_t rootlen = strlen(installroot);
if (!strncmp(installroot, path, rootlen))
path += rootlen - 1; }
static ModuleNexus<PathDatabase> paths;
static ModuleNexus<RecursiveMutex> mutex;
StLock<Mutex>_(mutex());
if (!paths()[path])
return CSSMERR_DL_RECORD_NOT_FOUND; END_SECAPI
}
OSStatus
SecTrustedApplicationUseAlternateSystem(const char *systemRoot)
{
BEGIN_SECAPI
Required(systemRoot);
SecurityServer::ClientSession ss(Allocator::standard(), Allocator::standard());
ss.setAlternateSystemRoot(systemRoot);
END_SECAPI
}
OSStatus SecTrustedApplicationCreateFromRequirement(const char *description,
SecRequirementRef requirement, SecTrustedApplicationRef *appRef)
{
BEGIN_SECAPI
if (description == NULL)
description = "csreq://"; SecPointer<TrustedApplication> app = new TrustedApplication(description, requirement);
Required(appRef) = app->handle();
END_SECAPI
}
OSStatus SecTrustedApplicationCopyRequirement(SecTrustedApplicationRef appRef,
SecRequirementRef *requirement)
{
BEGIN_SECAPI
Required(requirement) = TrustedApplication::required(appRef)->requirement();
if (*requirement)
CFRetain(*requirement);
END_SECAPI
}
OSStatus SecTrustedApplicationCreateApplicationGroup(const char *groupName,
SecCertificateRef anchor, SecTrustedApplicationRef *appRef)
{
BEGIN_SECAPI
CFRef<SecRequirementRef> req;
MacOSError::check(SecRequirementCreateGroup(CFTempString(groupName), anchor,
kSecCSDefaultFlags, &req.aref()));
string description = string("group://") + groupName;
if (anchor) {
Certificate *cert = Certificate::required(anchor);
const CssmData &hash = cert->publicKeyHash();
description = description + "?cert=" + cfString(cert->commonName())
+ "&hash=" + hash.toHex();
}
SecPointer<TrustedApplication> app = new TrustedApplication(description, req);
Required(appRef) = app->handle();
END_SECAPI
}