#ifndef _H_SIGNER
#define _H_SIGNER
#include "CodeSigner.h"
#include "cdbuilder.h"
#include "signerutils.h"
#include "StaticCode.h"
#include <security_utilities/utilities.h>
namespace Security {
namespace CodeSigning {
class SecCodeSigner::Signer : public DiskRep::SigningContext {
public:
Signer(SecCodeSigner &s, SecStaticCode *c) : state(s), code(c), requirements(NULL)
{ strict = signingFlags() & kSecCSSignStrictPreflight; }
~Signer() { ::free((Requirements *)requirements); }
void sign(SecCSFlags flags);
void remove(SecCSFlags flags);
void edit(SecCSFlags flags);
SecCodeSigner &state;
SecStaticCode * const code;
const CodeDirectory::HashAlgorithms& digestAlgorithms() const { return hashAlgorithms; }
void setDigestAlgorithms(CodeDirectory::HashAlgorithms types) { hashAlgorithms = types; }
std::string path() const { return cfStringRelease(rep->copyCanonicalPath()); }
SecIdentityRef signingIdentity() const { return state.mSigner; }
std::string signingIdentifier() const { return identifier; }
protected:
void prepare(SecCSFlags flags); void signMachO(Universal *fat, const Requirement::Context &context); void signArchitectureAgnostic(const Requirement::Context &context);
void prepareForEdit(SecCSFlags flags); void editMachO(Universal *fat); void editArchitectureAgnostic();
typedef std::map<CodeDirectory::HashAlgorithm, CFCopyRef<CFDataRef> >
PreEncryptHashMap;
typedef std::map<Architecture, PreEncryptHashMap >
PreEncryptHashMaps;
typedef std::map<CodeDirectory::HashAlgorithm, uint32_t>
RuntimeVersionMap;
typedef std::map<Architecture, RuntimeVersionMap>
RuntimeVersionMaps;
typedef EditableDiskRep::RawComponentMap RawComponentMap;
typedef std::map<Architecture, std::unique_ptr<RawComponentMap>>
RawComponentMaps;
void populate(DiskRep::Writer &writer); void populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer,
InternalRequirements &ireqs,
size_t offset, size_t length,
bool mainBinary, size_t execSegBase, size_t execSegLimit,
unsigned alternateDigestCount,
const PreEncryptHashMap& preEncryptHashMap,
uint32_t runtimeVersion); CFDataRef signCodeDirectory(const CodeDirectory *cd,
CFDictionaryRef hashDict, CFArrayRef hashList);
uint32_t cdTextFlags(std::string text); std::string uniqueName() const;
protected:
std::string sdkPath(const std::string &path) const;
bool isAdhoc() const;
SecCSFlags signingFlags() const;
private:
static EditableDiskRep *editMainExecutableRep(DiskRep *rep);
void addPreEncryptHashes(PreEncryptHashMap &map, SecStaticCode const *code);
void addRuntimeVersions(RuntimeVersionMap &map, SecStaticCode const *code);
void considerTeamID(const PreSigningContext& context);
std::vector<Endian<uint32_t> > topSlots(CodeDirectory::Builder &builder) const;
static bool booleanEntitlement(CFDictionaryRef entDict, CFStringRef key);
static void cookEntitlements(CFDataRef entitlements, bool generateDER,
uint64_t *execSegFlags, CFDataRef *entitlementsDER);
protected:
void buildResources(std::string root, std::string relBase, CFDictionaryRef rules);
CFMutableDictionaryRef signNested(const std::string &path, const std::string &relpath);
CFDataRef hashFile(const char *path, CodeDirectory::HashAlgorithm type);
CFDictionaryRef hashFile(const char *path, CodeDirectory::HashAlgorithms types);
private:
RefPointer<DiskRep> rep; CFRef<CFDictionaryRef> resourceDirectory; CFRef<CFDataRef> resourceDictData; CodeDirectory::HashAlgorithms hashAlgorithms; std::string identifier; std::string teamID; CFRef<CFDataRef> entitlements; Architecture preEncryptMainArch; PreEncryptHashMaps preEncryptHashMaps; Architecture runtimeVersionMainArch; RuntimeVersionMaps runtimeVersionMap; uint32_t cdFlags; const Requirements *requirements; size_t pagesize; CFAbsoluteTime signingTime; bool emitSigningTime; bool strict; bool generateEntitlementDER;
Architecture editMainArch; RawComponentMaps editComponents;
private:
Mutex resourceLock;
};
} }
#endif // !_H_CODESIGNER