reqinterp.h
1 /* 2 * Copyright (c) 2006-2007,2011 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24 // 25 // reqinterp - Requirement language (exprOp) interpreter 26 // 27 #ifndef _H_REQINTERP 28 #define _H_REQINTERP 29 30 #include "reqreader.h" 31 #include <Security/SecTrustSettings.h> 32 33 #if TARGET_OS_OSX 34 #include <security_cdsa_utilities/cssmdata.h> // CssmOid 35 #endif 36 37 namespace Security { 38 namespace CodeSigning { 39 40 41 // 42 // An interpreter for exprForm-type requirements. 43 // This is a simple Polish Notation stack evaluator. 44 // 45 class Requirement::Interpreter : public Requirement::Reader { 46 public: 47 Interpreter(const Requirement *req, const Context *ctx) : Reader(req), mContext(ctx) { } 48 49 static const unsigned stackLimit = 1000; 50 51 bool evaluate(); 52 53 protected: 54 class Match { 55 public: 56 Match(Interpreter &interp); // reads match postfix from interp 57 Match(CFStringRef value, MatchOperation op) : mValue(value), mOp(op) { } // explicit 58 Match() : mValue(NULL), mOp(matchExists) { } // explict test for presence 59 bool operator () (CFTypeRef candidate) const; // match to candidate 60 61 protected: 62 bool inequality(CFTypeRef candidate, CFStringCompareFlags flags, CFComparisonResult outcome, bool negate) const; 63 64 private: 65 CFCopyRef<CFTypeRef> mValue; // match value 66 MatchOperation mOp; // type of match 67 68 bool isStringValue() const { return CFGetTypeID(mValue) == CFStringGetTypeID(); } 69 bool isDateValue() const { return CFGetTypeID(mValue) == CFDateGetTypeID(); } 70 CFStringRef cfStringValue() const { return isStringValue() ? (CFStringRef)mValue.get() : NULL; } 71 CFDateRef cfDateValue() const { return isDateValue() ? (CFDateRef)mValue.get() : NULL; } 72 }; 73 74 protected: 75 bool eval(int depth); 76 77 bool infoKeyValue(const std::string &key, const Match &match); 78 bool entitlementValue(const std::string &key, const Match &match); 79 bool certFieldValue(const string &key, const Match &match, SecCertificateRef cert); 80 #if TARGET_OS_OSX 81 bool certFieldGeneric(const string &key, const Match &match, SecCertificateRef cert); 82 bool certFieldGeneric(const CssmOid &oid, const Match &match, SecCertificateRef cert); 83 bool certFieldPolicy(const string &key, const Match &match, SecCertificateRef cert); 84 bool certFieldPolicy(const CssmOid &oid, const Match &match, SecCertificateRef cert); 85 bool certFieldDate(const string &key, const Match &match, SecCertificateRef cert); 86 bool certFieldDate(const CssmOid &oid, const Match &match, SecCertificateRef cert); 87 #endif 88 bool verifyAnchor(SecCertificateRef cert, const unsigned char *digest); 89 bool appleSigned(); 90 bool appleAnchored(); 91 bool inTrustCache(); 92 93 bool trustedCerts(); 94 bool trustedCert(int slot); 95 96 static SecTrustSettingsResult trustSetting(SecCertificateRef cert, bool isAnchor); 97 98 private: 99 CFArrayRef getAdditionalTrustedAnchors(); 100 bool appleLocalAnchored(); 101 const Context * const mContext; 102 }; 103 104 105 } // CodeSigning 106 } // Security 107 108 #endif //_H_REQINTERP