/*
 * Copyright (c) 2020 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#ifndef __CORETRUST_H
#define __CORETRUST_H

/*
 * Kernel-side declaration of the CoreTrust interface: one function-pointer
 * type per entry point, the table (coretrust_t) that bundles them, the
 * policy-flag masks used to classify a signature, and the routine through
 * which the kext interface is registered with the kernel.
 *
 * NOTE(review): the points below apply to every entry point in this file and
 * should be confirmed against the CoreTrust implementation.
 *  - Every entry point returns int, but this header does not define the
 *    encoding (presumably 0 on success). Out-parameters should be treated as
 *    unset unless the call reported success.
 *  - The interface has no release routine, so the const uint8_t ** outputs
 *    presumably point into the caller's input buffer and stay valid only as
 *    long as that buffer does.
 *  - CMS blobs, certificates and provisioning profiles can originate from
 *    untrusted files, so each *_length argument has to describe the real
 *    extent of the buffer it accompanies.
 *  - bool and uint8_t are used without <stdbool.h> or <stdint.h> being
 *    included here; presumably the headers below supply them transitively.
 */

#include <os/base.h>
#include <sys/cdefs.h>
#include <sys/types.h>

#if XNU_KERNEL_PRIVATE
/*
 * Only include this when building for XNU. CoreTrust will include its local copy
 * of the header.
 *
 * NOTE(review): CoreTrustPolicyFlags and CoreTrustDigestType are not declared
 * in this file; presumably they come from CTEvaluate.h.
 */
#include <CoreTrust/CTEvaluate.h>
#endif

/*
 * Defined to 1 next to the single-call AMFI CMS evaluation entry point.
 * Presumably a feature-test macro for code that builds against more than one
 * revision of this header -- confirm. The other XNU_SUPPORTS_CORETRUST_
 * macros below follow the same pattern.
 */
#define XNU_SUPPORTS_CORETRUST_AMFI 1

/*!
 * @typedef coretrust_CTEvaluateAMFICodeSignatureCMS_t
 * Entry point that takes a CMS blob together with detached data in a single
 * call and reports its findings through out-parameters.
 *
 * @param cms_data
 * CMS blob to evaluate (input).
 *
 * @param cms_data_length
 * Length of cms_data.
 *
 * @param detached_data
 * Data supplied separately from the CMS blob (input). Presumably the content
 * the signature covers -- confirm.
 *
 * @param detached_data_length
 * Length of detached_data.
 *
 * @param allow_test_hierarchy
 * Input switch. NOTE(review): going by its name, true widens the accepted
 * certificate hierarchies to include a test hierarchy. Callers presumably
 * pass false unless the platform is explicitly configured for test signing;
 * confirm where each caller derives this value.
 *
 * @param leaf_certificate
 * Out: pointer to the leaf certificate.
 *
 * @param leaf_certificate_length
 * Out: length of the leaf certificate.
 *
 * @param policy_flags
 * Out: CoreTrustPolicyFlags for the evaluated signature. The
 * coretrust_appstore_policy and related masks later in this file group
 * these flags.
 *
 * @param cms_digest_type
 * Out: a CoreTrustDigestType. Presumably the digest algorithm used by the
 * CMS signature -- confirm.
 *
 * @param hash_agility_digest_type
 * Out: a CoreTrustDigestType. Presumably the digest algorithm selected from
 * a hash-agility attribute -- confirm.
 *
 * @param digest_data
 * Out: pointer to a digest.
 *
 * @param digest_length
 * Out: length of that digest.
 *
 * @result
 * int status; encoding not defined in this header.
 */
typedef int (*coretrust_CTEvaluateAMFICodeSignatureCMS_t)(
	const uint8_t *cms_data,
	size_t cms_data_length,
	const uint8_t *detached_data,
	size_t detached_data_length,
	bool allow_test_hierarchy,
	const uint8_t **leaf_certificate,
	size_t *leaf_certificate_length,
	CoreTrustPolicyFlags *policy_flags,
	CoreTrustDigestType *cms_digest_type,
	CoreTrustDigestType *hash_agility_digest_type,
	const uint8_t **digest_data,
	size_t *digest_length
	);

/* Defined to 1 next to the entry point that takes a caller-supplied anchor key. */
#define XNU_SUPPORTS_CORETRUST_LOCAL_SIGNING 1

/*!
 * @typedef coretrust_CTEvaluateAMFICodeSignatureCMSPubKey_t
 * Variant of the CMS evaluation entry point in which the caller supplies the
 * anchor public key. Unlike coretrust_CTEvaluateAMFICodeSignatureCMS_t it has
 * no allow_test_hierarchy input and reports neither a leaf certificate nor
 * policy flags.
 *
 * @param cms_data
 * CMS blob to evaluate (input).
 *
 * @param cms_data_length
 * Length of cms_data.
 *
 * @param detached_data
 * Data supplied separately from the CMS blob (input).
 *
 * @param detached_data_length
 * Length of detached_data.
 *
 * @param anchor_public_key
 * Public key supplied by the caller (input). NOTE(review): presumably the
 * only trust anchor for this evaluation, which would make the result exactly
 * as trustworthy as the source of this key; confirm that callers take it
 * from protected storage and never from the object being verified.
 *
 * @param anchor_public_key_length
 * Length of anchor_public_key.
 *
 * @param cms_digest_type
 * Out: a CoreTrustDigestType.
 *
 * @param hash_agility_digest_type
 * Out: a CoreTrustDigestType.
 *
 * @param digest_data
 * Out: pointer to a digest.
 *
 * @param digest_length
 * Out: length of that digest.
 *
 * @result
 * int status; encoding not defined in this header.
 */
typedef int (*coretrust_CTEvaluateAMFICodeSignatureCMSPubKey_t)(
	const uint8_t *cms_data,
	size_t cms_data_length,
	const uint8_t *detached_data,
	size_t detached_data_length,
	const uint8_t *anchor_public_key,
	size_t anchor_public_key_length,
	CoreTrustDigestType *cms_digest_type,
	CoreTrustDigestType *hash_agility_digest_type,
	const uint8_t **digest_data,
	size_t *digest_length
	);

/* Defined to 1 next to the provisioning-profile evaluation entry point. */
#define XNU_SUPPORTS_CORETRUST_PROVISIONING_PROFILE 1

/*!
 * @typedef coretrust_CTEvaluateProvisioningProfile_t
 * Entry point that takes a provisioning profile and reports the location and
 * length of its content.
 *
 * @param provisioning_profile_data
 * The profile to evaluate (input).
 *
 * @param provisioning_profile_length
 * Length of provisioning_profile_data.
 *
 * @param allow_test_roots
 * Input switch. NOTE(review): going by its name, true accepts test roots in
 * addition to the production ones; confirm it is false on production
 * configurations.
 *
 * @param profile_content
 * Out: pointer to the profile content.
 *
 * @param profile_content_length
 * Out: length of the profile content.
 *
 * @result
 * int status; encoding not defined in this header.
 */
typedef int (*coretrust_CTEvaluateProvisioningProfile_t)(
	const uint8_t *provisioning_profile_data,
	size_t provisioning_profile_length,
	bool allow_test_roots,
	const uint8_t **profile_content,
	size_t *profile_content_length
	);

/*
 * Defined to 1 ahead of the four entry points below, which split the work into
 * separate parse and verify calls.
 *
 * NOTE(review): with the work split this way, a caller presumably has to run
 * every step on the same cms_data and check each status before trusting the
 * outcome; a successful parse by itself presumably says nothing about
 * signature or chain validity -- confirm against the callers.
 */
#define XNU_SUPPORTS_CORETRUST_MULTI_STEP_AMFI 1

/*!
 * @typedef coretrust_CTParseKey_t
 * Entry point that takes a certificate and reports the location and length of
 * a key inside it.
 *
 * @param cert_data
 * Certificate to parse (input).
 *
 * @param cert_length
 * Length of cert_data.
 *
 * @param key_data
 * Out: pointer to the key. Presumably the certificate's public key -- confirm.
 *
 * @param key_length
 * Out: length of the key.
 *
 * @result
 * int status; encoding not defined in this header.
 */
typedef int (*coretrust_CTParseKey_t)(
	const uint8_t *cert_data,
	size_t cert_length,
	const uint8_t **key_data,
	size_t *key_length
	);

/*!
 * @typedef coretrust_CTParseAmfiCMS_t
 * Parse step: takes a CMS blob and reports the leaf certificate, the content,
 * the CMS digest type and policy flags.
 *
 * @param cms_data
 * CMS blob to parse (input).
 *
 * @param cms_length
 * Length of cms_data.
 *
 * @param max_digest_type
 * Input CoreTrustDigestType. NOTE(review): presumably an upper bound on the
 * digest algorithms the call will consider -- confirm, and confirm the same
 * bound is passed to the verify steps.
 *
 * @param leaf_cert
 * Out: pointer to the leaf certificate.
 *
 * @param leaf_cert_length
 * Out: length of the leaf certificate.
 *
 * @param content_data
 * Out: pointer to the content.
 *
 * @param content_length
 * Out: length of the content.
 *
 * @param cms_digest_type
 * Out: a CoreTrustDigestType.
 *
 * @param policy_flags
 * Out: CoreTrustPolicyFlags. NOTE(review): the chain-verification entry point
 * also reports policy flags; confirm which of the two values callers rely on.
 *
 * @result
 * int status; encoding not defined in this header.
 */
typedef int (*coretrust_CTParseAmfiCMS_t)(
	const uint8_t *cms_data,
	size_t cms_length,
	CoreTrustDigestType max_digest_type,
	const uint8_t **leaf_cert, size_t *leaf_cert_length,
	const uint8_t **content_data, size_t *content_length,
	CoreTrustDigestType *cms_digest_type,
	CoreTrustPolicyFlags *policy_flags
	);

/*!
 * @typedef coretrust_CTVerifyAmfiCMS_t
 * Verify step: takes a CMS blob and a caller-supplied digest, and reports a
 * hash-agility digest type together with the matching digest.
 *
 * @param cms_data
 * CMS blob to verify (input).
 *
 * @param cms_length
 * Length of cms_data.
 *
 * @param digest_data
 * Digest supplied by the caller (input). Presumably computed by the caller
 * over the signed content -- confirm.
 *
 * @param digest_length
 * Length of digest_data.
 *
 * @param max_digest_type
 * Input CoreTrustDigestType; see coretrust_CTParseAmfiCMS_t.
 *
 * @param hash_agility_digest_type
 * Out: a CoreTrustDigestType.
 *
 * @param agility_digest_data
 * Out: pointer to the hash-agility digest.
 *
 * @param agility_digest_length
 * Out: length of the hash-agility digest.
 *
 * @result
 * int status; encoding not defined in this header.
 */
typedef int (*coretrust_CTVerifyAmfiCMS_t)(
	const uint8_t *cms_data,
	size_t cms_length,
	const uint8_t *digest_data,
	size_t digest_length,
	CoreTrustDigestType max_digest_type,
	CoreTrustDigestType *hash_agility_digest_type,
	const uint8_t **agility_digest_data,
	size_t *agility_digest_length
	);

/*!
 * @typedef coretrust_CTVerifyAmfiCertificateChain_t
 * Verify step for the certificate chain: takes a CMS blob and reports policy
 * flags.
 *
 * @param cms_data
 * CMS blob whose chain is verified (input).
 *
 * @param cms_length
 * Length of cms_data.
 *
 * @param allow_test_hierarchy
 * Input switch; see coretrust_CTEvaluateAMFICodeSignatureCMS_t for the
 * review note on when it may be true.
 *
 * @param max_digest_type
 * Input CoreTrustDigestType; see coretrust_CTParseAmfiCMS_t.
 *
 * @param policy_flags
 * Out: CoreTrustPolicyFlags.
 *
 * @result
 * int status; encoding not defined in this header.
 */
typedef int (*coretrust_CTVerifyAmfiCertificateChain_t)(
	const uint8_t *cms_data,
	size_t cms_length,
	bool allow_test_hierarchy,
	CoreTrustDigestType max_digest_type,
	CoreTrustPolicyFlags *policy_flags
	);

/*!
 * @typedef coretrust_t
 * Table of CoreTrust entry points, one member per function-pointer type
 * declared above and in the same order.
 *
 * @discussion
 * NOTE(review): the table is handed over through
 * coretrust_interface_register(), so member order and signatures presumably
 * form a binary contract between the kernel and whoever fills the table in;
 * new members should be appended, never inserted or reordered -- confirm.
 * This header does not guarantee that every member is non-NULL; confirm
 * before calling through one.
 */
typedef struct _coretrust {
	coretrust_CTEvaluateAMFICodeSignatureCMS_t CTEvaluateAMFICodeSignatureCMS;
	coretrust_CTEvaluateAMFICodeSignatureCMSPubKey_t CTEvaluateAMFICodeSignatureCMSPubKey;
	coretrust_CTEvaluateProvisioningProfile_t CTEvaluateProvisioningProfile;
	coretrust_CTParseKey_t CTParseKey;
	coretrust_CTParseAmfiCMS_t CTParseAmfiCMS;
	coretrust_CTVerifyAmfiCMS_t CTVerifyAmfiCMS;
	coretrust_CTVerifyAmfiCertificateChain_t CTVerifyAmfiCertificateChain;
} coretrust_t;

__BEGIN_DECLS

/*
 * The four policy constants below are static const objects defined in a
 * header, so every translation unit that includes this file gets its own copy.
 * Each is a mask of CoreTrustPolicyFlags bits. NOTE(review): a caller
 * presumably tests the policy_flags reported by an entry point against one of
 * these masks with a bitwise AND, not with an equality comparison -- confirm.
 */

/*!
 * @const coretrust_appstore_policy
 * The CoreTrust policy flags which collectively map an application's
 * signature to the App Store certificate chain.
 *
 * @discussion
 * The mask combines the iPhone app, tvOS app and TestFlight flags, each in its
 * PROD and DEV form. NOTE(review): a signature carrying only a DEV flag
 * therefore still matches this mask; confirm callers separate DEV from PROD
 * wherever that distinction matters.
 */
static const CoreTrustPolicyFlags coretrust_appstore_policy =
    CORETRUST_POLICY_IPHONE_APP_PROD | CORETRUST_POLICY_IPHONE_APP_DEV |
    CORETRUST_POLICY_TVOS_APP_PROD | CORETRUST_POLICY_TVOS_APP_DEV |
    CORETRUST_POLICY_TEST_FLIGHT_PROD | CORETRUST_POLICY_TEST_FLIGHT_DEV;

/*!
 * @const coretrust_profile_validated_policy
 * The CoreTrust policy flags which collectively map an application's
 * signature to the profile validated certificate chain.
 *
 * @discussion
 * The mask combines the iPhone developer and iPhone distribution flags.
 */
static const CoreTrustPolicyFlags coretrust_profile_validated_policy =
    CORETRUST_POLICY_IPHONE_DEVELOPER | CORETRUST_POLICY_IPHONE_DISTRIBUTION;

/*!
 * @const coretrust_local_signing_policy
 * The CoreTrust policy which maps an application's signature to the locally
 * signed key.
 *
 * @discussion
 * Set to CORETRUST_POLICY_BASIC alone.
 */
static const CoreTrustPolicyFlags coretrust_local_signing_policy =
    CORETRUST_POLICY_BASIC;

/*!
 * @const coretrust_provisioning_profile_policy
 * The CoreTrust policy which maps a profile's signature to the provisioning
 * profile WWDR certificate chain.
 *
 * @discussion
 * Set to CORETRUST_POLICY_PROVISIONING_PROFILE alone.
 */
static const CoreTrustPolicyFlags coretrust_provisioning_profile_policy =
    CORETRUST_POLICY_PROVISIONING_PROFILE;

/*!
 * @const coretrust
 * The CoreTrust interface that was registered.
 *
 * @discussion
 * NOTE(review): this header does not say what the pointer holds before
 * coretrust_interface_register() has run -- presumably NULL. Callers should
 * confirm that a table is registered before dereferencing it.
 */
extern const coretrust_t *coretrust;

/*!
 * @function coretrust_interface_register
 * Registers the CoreTrust kext interface for use within the kernel proper.
 *
 * @param ct
 * The interface to register. OS_NONNULL1 marks this argument as required to
 * be non-NULL.
 *
 * @discussion
 * This routine may only be called once and must be called before late-const has
 * been applied to kernel memory.
 *
 * NOTE(review): the once-only, before-late-const rule suggests the registered
 * pointer ends up in memory that later becomes read-only, so the table cannot
 * be swapped afterwards -- confirm in the implementation, along with what
 * happens on a second call.
 */
OS_EXPORT OS_NONNULL1
void
coretrust_interface_register(const coretrust_t *ct);

__END_DECLS

#endif // __CORETRUST_H