示例1: normalizeTarget
//
// Perform common argument normalizations for update operations
//
// target:       the update subject. If it is a CFURL, it is replaced by the
//               designated requirement (a SecRequirementRef) of the code at
//               that URL; any other target type is left untouched.
// context:      the update context dictionary. If the caller supplied no
//               kSecAssessmentUpdateKeyRemarks, one holding the code's path is added.
// signUnsigned: if non-NULL, unsigned code is ad-hoc signed (detached, in memory)
//               so a requirement can be derived, and the CodeDirectory's screening
//               code is stored here. If NULL, unsigned code is a failure.
//
// Throws MacOSError (via MacOSError::check / throwMe) when a Security API call fails.
//
static void normalizeTarget(CFRef<CFTypeRef> &target, CFDictionary &context, std::string *signUnsigned)
{
	// turn CFURLs into (designated) SecRequirements
	if (target && CFGetTypeID(target) == CFURLGetTypeID()) {
		CFRef<SecStaticCodeRef> code;
		MacOSError::check(SecStaticCodeCreateWithPath(target.as<CFURLRef>(), kSecCSDefaultFlags, &code.aref()));
		// the requirement is written straight into target's slot (the CFTypeRef* is
		// reinterpreted as SecRequirementRef*); NOTE(review): this relies on aref()
		// handing out a cleared slot — confirm against CFRef if touching this
		switch (OSStatus rc = SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref())) {
		case noErr: {
			// use the *default* DR to avoid unreasonably wide DRs opening up Gatekeeper to attack
			// (the requirement just copied above is discarded in favor of the implicit one)
			CFRef<CFDictionaryRef> info;
			MacOSError::check(SecCodeCopySigningInformation(code, kSecCSRequirementInformation, &info.aref()));
			target = CFDictionaryGetValue(info, kSecCodeInfoImplicitDesignatedRequirement);
			}
			break;
		case errSecCSUnsigned:
			if (signUnsigned) {
				// Ad-hoc sign the code temporarily so we can get its code requirement
				// (detached signature into the in-memory `signature` buffer; identity #N = ad-hoc)
				CFRef<CFDataRef> signature = CFDataCreateMutable(NULL, 0);
				CFRef<SecCodeSignerRef> signer;
				CFTemp<CFDictionaryRef> arguments("{%O=%O, %O=#N}", kSecCodeSignerDetached, signature.get(), kSecCodeSignerIdentity);
				MacOSError::check(SecCodeSignerCreate(arguments, kSecCSDefaultFlags, &signer.aref()));
				MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags));
				// attach the fresh signature to this SecStaticCode object so the DR can be read back
				MacOSError::check(SecCodeSetDetachedSignature(code, signature, kSecCSDefaultFlags));
				MacOSError::check(SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref()));
				CFRef<CFDictionaryRef> info;
				MacOSError::check(SecCodeCopySigningInformation(code, kSecCSInternalInformation, &info.aref()));
				// report the screening code of the CodeDirectory we just produced (if present)
				if (CFDataRef cdData = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoCodeDirectory)))
					*signUnsigned = ((const CodeDirectory *)CFDataGetBytePtr(cdData))->screeningCode();
				break;
			}
			// signUnsigned == NULL: rc is errSecCSUnsigned (non-zero), so this check() is
			// expected to throw; the next case label is not meant to be reached by fall-through
			MacOSError::check(rc);
		case errSecCSSignatureFailed:
			// recover certain cases of broken signatures (well, try)
			if (codeInvalidityExceptions(code, NULL)) {
				// Ad-hoc sign the code in place (requiring a writable subject). This requires root privileges.
				CFRef<SecCodeSignerRef> signer;
				CFTemp<CFDictionaryRef> arguments("{%O=#N}", kSecCodeSignerIdentity);
				MacOSError::check(SecCodeSignerCreate(arguments, kSecCSDefaultFlags, &signer.aref()));
				MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags));
				MacOSError::check(SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref()));
				break;
			}
			// no exception applies: surface the original failure (same fall-through note as above)
			MacOSError::check(rc);
		default:
			MacOSError::check(rc);
		}
		if (context.get(kSecAssessmentUpdateKeyRemarks) == NULL) {
			// no explicit remarks; add one with the path
			CFRef<CFURLRef> path;
			MacOSError::check(SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()));
			CFMutableDictionaryRef dict = makeCFMutableDictionary(context.get());
			CFDictionaryAddValue(dict, kSecAssessmentUpdateKeyRemarks, CFTempString(cfString(path)));
			context.take(dict);
		}
	}
}
示例2: nonAppleAnchor
//
// Anchor the requirement at the highest certificate in the chain that still
// carries the leaf's Organization name (or at the anchor slot itself when the
// whole chain shares that name).
//
void DRMaker::nonAppleAnchor()
{
	// Organization component of the leaf certificate's subject
	CFRef<CFStringRef> leafOrganization;
	MacOSError::check(SecCertificateCopySubjectComponent(ctx.cert(Requirement::leafCert),
		&CSSMOID_OrganizationName, &leafOrganization.aref()));

	int anchorSlot = Requirement::leafCert;
	if (leafOrganization) {
		// climb the chain while the issuer's Organization matches the leaf's;
		// ctx.cert() yields NULL once we step past the anchor slot
		for (;;) {
			SecCertificateRef issuer = ctx.cert(anchorSlot + 1);
			if (!issuer)
				break;
			CFRef<CFStringRef> issuerOrganization;
			MacOSError::check(SecCertificateCopySubjectComponent(issuer, &CSSMOID_OrganizationName, &issuerOrganization.aref()));
			bool sameOrganization = issuerOrganization
				&& CFStringCompare(leafOrganization, issuerOrganization, 0) == kCFCompareEqualTo;
			if (!sameOrganization)
				break;
			anchorSlot++;
		}
		// we reached the last certificate: express that as "the anchor"
		if (anchorSlot == ctx.certCount() - 1)
			anchorSlot = Requirement::anchorCert;
	}

	// pin the chosen certificate by its hash
	SHA1::Digest authorityHash;
	hashOfCertificate(ctx.cert(anchorSlot), authorityHash);
	this->anchor(anchorSlot, authorityHash);
}
示例3: attributes
//
// Identify a guest by returning its StaticCode and running CodeDirectory hash.
// This uses cshosting RPCs to ask the host (or its proxy).
//
// guest:     must be a GenericCode; anything else fails with errSecCSNotAHost.
// cdhashOut: receives the guest's CodeDirectory hash (ownership handed over via
//            yield()) when the host reported one; left untouched otherwise.
// Returns a new GenericStaticCode for the guest (ownership handed over via yield()).
//
SecStaticCode *GenericCode::identifyGuest(SecCode *guest, CFDataRef *cdhashOut)
{
	GenericCode *hostedGuest = dynamic_cast<GenericCode *>(guest);
	if (!hostedGuest)
		MacOSError::throwMe(errSecCSNotAHost);

	// ask the host about this guest
	FilePathOut path;
	CFRef<CFDataRef> cdhash;
	CFDictionary attributes(errSecCSHostProtocolInvalidAttribute);
	identifyGuest(hostedGuest->guestRef(), path, cdhash.aref(), attributes.aref());

	// honor the architecture (and sub-architecture) the host reported, if any
	DiskRep::Context ctx;
	CFNumberRef architecture = attributes.get<CFNumberRef>(kSecGuestAttributeArchitecture);
	if (architecture) {
		cpu_type_t cpu = cfNumber<cpu_type_t>(architecture);
		CFNumberRef subarchitecture = attributes.get<CFNumberRef>(kSecGuestAttributeSubarchitecture);
		ctx.arch = subarchitecture
			? Architecture(cpu, cfNumber<cpu_subtype_t>(subarchitecture))
			: Architecture(cpu);
	}

	SecPointer<GenericStaticCode> code = new GenericStaticCode(DiskRep::bestGuess(path, &ctx));
	CODESIGN_GUEST_IDENTIFY_GENERIC(hostedGuest, hostedGuest->guestRef(), code);
	if (cdhash) {
		CODESIGN_GUEST_CDHASH_GENERIC(hostedGuest, (void *)CFDataGetBytePtr(cdhash), (unsigned)CFDataGetLength(cdhash));
		*cdhashOut = cdhash.yield();
	}
	return code.yield();
}
示例4: CFDataCreate
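//
// Generate the CMS signature for a (finished) CodeDirectory.
//
// cd: the completed CodeDirectory blob (cd->length() bytes are signed).
// Returns a new CFData holding the detached CMS signature (caller owns it), or an
// empty CFData when the signer is the null identity (kCFNull).
// Throws MacOSError on any CMS encoder failure, or errSecDataNotAvailable when a
// timestamp was requested but no TSA default context could be obtained.
//
CFDataRef SecCodeSigner::Signer::signCodeDirectory(const CodeDirectory *cd)
{
	assert(state.mSigner);
	// a null signer generates a null signature blob
	if (state.mSigner == SecIdentityRef(kCFNull))
		return CFDataCreate(NULL, NULL, 0);

	// generate CMS signature
	CFRef<CMSEncoderRef> cms;
	MacOSError::check(CMSEncoderCreate(&cms.aref()));
	MacOSError::check(CMSEncoderSetCertificateChainMode(cms, kCMSCertificateChainWithRoot));
	// checked like every other encoder call: a silently failed AddSigners would
	// otherwise let us go on and emit a CMS blob without the intended signer
	MacOSError::check(CMSEncoderAddSigners(cms, state.mSigner));
	MacOSError::check(CMSEncoderSetHasDetachedContent(cms, true));
	if (signingTime) {
		MacOSError::check(CMSEncoderAddSignedAttributes(cms, kCMSAttrSigningTime));
		MacOSError::check(CMSEncoderSetSigningTime(cms, signingTime));
	}
	MacOSError::check(CMSEncoderUpdateContent(cms, cd, cd->length()));

	// Set up to call Timestamp server if requested
	if (state.mWantTimeStamp) {
		CFRef<CFErrorRef> error = NULL;
		// scoped to this branch; assigned (not constructed) from the raw pointer so the
		// reference handling stays exactly as before
		CFRef<CFMutableDictionaryRef> defaultTSContext = NULL;
		defaultTSContext = SecCmsTSAGetDefaultContext(&error.aref());
		if (error)
			MacOSError::throwMe(errSecDataNotAvailable);
		if (state.mTimestampService)
			CFDictionarySetValue(defaultTSContext, kTSAContextKeyURL, state.mTimestampService);
		if (state.mNoTimeStampCerts)
			CFDictionarySetValue(defaultTSContext, kTSAContextKeyNoCerts, kCFBooleanTrue);
		CmsMessageSetTSAContext(cms, defaultTSContext);
	}

	CFDataRef signature;
	MacOSError::check(CMSEncoderCopyEncodedContent(cms, &signature));
	return signature;
}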
示例5: dumpCode
//
// Debug helper: print the on-disk path of a SecCode, or the status that kept us
// from obtaining one.
//
static void dumpCode(SecCodeRef code)
{
	CFRef<CFURLRef> path;
	OSStatus rc = SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref());
	if (rc) {
		Debug::dump("unknown(rc=%d)", int32_t(rc));
		return;
	}
	Debug::dump("%s", cfString(path).c_str());
}
示例6: verifyToDisk
//
// Direct verification interface.
// If path == NULL, we verify against the running code itself.
//
// Returns true when the code at path (or the running code) satisfies this
// application's stored requirement; for legacy entries that carry no requirement,
// when the code's legacy hash equals the stored one.
// Throws MacOSError if the code object cannot be created.
//
bool TrustedApplication::verifyToDisk(const char *path)
{
	SecRequirementRef requirement = mForm->requirement();
	if (!requirement) {
		// legacy form: no code requirement, compare the old-style hash instead
		secdebug("trustedapp", "%p validating hash against path %s", this, path);
		RefPointer<OSXCode> code = path ? OSXCode::at(path) : OSXCode::main();
		SHA1::Digest ondiskDigest;
		OSXVerifier::makeLegacyHash(code, ondiskDigest);
		return memcmp(ondiskDigest, mForm->legacyHash(), sizeof(ondiskDigest)) == 0;
	}

	secdebug("trustedapp", "%p validating requirement against path %s", this, path);
	CFRef<SecStaticCodeRef> ondisk;
	if (path) {
		MacOSError::check(SecStaticCodeCreateWithPath(CFTempURL(path),
			kSecCSDefaultFlags, &ondisk.aref()));
	} else {
		MacOSError::check(SecCodeCopySelf(kSecCSDefaultFlags, (SecCodeRef *)&ondisk.aref()));
	}
	// anything but noErr (invalid, unsigned, requirement not satisfied) counts as failure
	return SecStaticCodeCheckValidity(ondisk, kSecCSDefaultFlags, requirement) == noErr;
}
示例7: CodeSignatureAclSubject
//
// Create a TrustedApplication from a SecRequirementRef.
// Note that the path argument is only stored for documentation;
// it is NOT used to denote anything on disk.
//
// Throws MacOSError if the requirement cannot be serialized.
//
TrustedApplication::TrustedApplication(const std::string &path, SecRequirementRef reqRef)
{
	// serialize the requirement and hand the blob to the ACL subject
	CFRef<CFDataRef> reqData;
	MacOSError::check(SecRequirementCopyData(reqRef, kSecCSDefaultFlags, &reqData.aref()));
	const BlobCore *reqBlob = (const BlobCore *)CFDataGetBytePtr(reqData);
	mForm = new CodeSignatureAclSubject(NULL, path);
	mForm->add(reqBlob);

	secdebug("trustedapp", "%p created from path %s and requirement %p",
		this, path.c_str(), reqRef);
	IFDUMPING("codesign", mForm->debugDump());
}
示例8: recordOutcome
//
// Take an assessment outcome and record it in the object cache
//
// code:      the (signed) code that was assessed; its cdhash and path key the row.
// allow:     the verdict.
// type:      the authority type the verdict came from.
// expires:   expiry time of the cached verdict (must be non-zero).
// authority: authority row id; 0 is mapped inside the SQL to the
//            'No Matching Rule' authority.
// Throws MacOSError if the signing information or path cannot be obtained.
//
void PolicyEngine::recordOutcome(SecStaticCodeRef code, bool allow, AuthorityType type, double expires, SQLite::int64 authority)
{
	// the code's unique identifier (cdhash); assert() only guards debug builds
	CFRef<CFDictionaryRef> info;
	MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
	CFDataRef cdHash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
	assert(cdHash); // was signed
	CFRef<CFURLRef> path;
	MacOSError::check(SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()));
	assert(expires);

	// every value goes in as a bound parameter; nothing is spliced into the SQL text
	SQLite::Transaction caching(*this, SQLite3::Transaction::deferred, "caching");
	SQLite::Statement upsert(*this,
		"INSERT OR REPLACE INTO object (type, allow, hash, expires, path, authority)"
		" VALUES (:type, :allow, :hash, :expires, :path,"
		" CASE :authority WHEN 0 THEN (SELECT id FROM authority WHERE label = 'No Matching Rule') ELSE :authority END"
		" );");
	upsert.bind(":hash") = cdHash;
	upsert.bind(":path") = cfString(path);
	upsert.bind(":expires") = expires;
	upsert.bind(":type").integer(type);
	upsert.bind(":allow").integer(allow);
	upsert.bind(":authority").integer(authority);
	upsert.execute();
	caching.commit();
}
示例9: codeInvalidityExceptions
//
// Process special overrides for invalidly signed code.
// This is the (hopefully minimal) concessions we make to keep hurting our customers
// for our own prior mistakes...
//
// Returns true if the OSAIsRecognizedExecutableURL hook is available and recognizes
// code's main executable; in that case, and if result is non-NULL, an authority
// override note is added to result. Returns false otherwise.
// Throws MacOSError if the signing information cannot be obtained.
//
static bool codeInvalidityExceptions(SecStaticCodeRef code, CFMutableDictionaryRef result)
{
	// the hook is tested for presence before use (presumably weak-linked)
	if (!OSAIsRecognizedExecutableURL)
		return false;

	CFRef<CFDictionaryRef> info;
	MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
	CFURLRef executable = CFURLRef(CFDictionaryGetValue(info, kSecCodeInfoMainExecutable));
	if (!executable)
		return false;

	SInt32 error;
	if (!OSAIsRecognizedExecutableURL(executable, &error))
		return false;

	if (result)
		CFDictionaryAddValue(result,
			kSecAssessmentAssessmentAuthorityOverride, CFSTR("ignoring known invalid applet signature"));
	return true;
}
示例10: shutdownSnitch
//
// Shutdown report: list the clients that are still connected, by path where we
// can get one and by pid (plus status) where we can't.
// NOTE(review): ctime() returns a static buffer; harmless unless something else
// formats time on another thread at the same time — ctime_r would remove the question.
//
void Server::shutdownSnitch()
{
	time_t now;
	time(&now);
	// "%.24s" keeps the fixed-width date text and drops ctime()'s trailing newline
	fprintf(reportFile, "%.24s %d residual clients:\n", ctime(&now), int(mPids.size()));
	for (PidMap::const_iterator client = mPids.begin(); client != mPids.end(); ++client) {
		SecCodeRef clientCode = client->second->processCode();
		if (!clientCode)
			continue;
		CFRef<CFURLRef> path;
		OSStatus rc = SecCodeCopyPath(clientCode, kSecCSDefaultFlags, &path.aref());
		if (!path) {
			fprintf(reportFile, "pid=%d (error %d)\n", client->first, int32_t(rc));
			continue;
		}
		fprintf(reportFile, " %s (%d)\n", cfString(path).c_str(), client->first);
	}
	fprintf(reportFile, "\n");
	fflush(reportFile);
}
示例11: makeCFDictionary
//
// Find (or build and cache) the GuestState for the guest the current connection
// designates. Returns NULL when this client has no process code at all; otherwise
// a pointer to the entry in mGuests.
// Throws MacOSError if the designated guest cannot be located.
//
ClientIdentification::GuestState *ClientIdentification::current() const
{
	// if we have no client identification, we can't find a current guest either
	if (!processCode())
		return NULL;
	SecGuestRef guestRef = Server::connection().guestRef();

	// try to deliver an already-cached entry
	{
		StLock<Mutex> _(mLock);
		GuestMap::iterator it = mGuests.find(guestRef);
		if (it != mGuests.end())
			return &it->second;
	}

	// okay, make a new one (this may take a while)
	// kSecNoGuest designates the process itself, so no attribute dictionary is needed
	CFRef<CFDictionaryRef> attributes = (guestRef == kSecNoGuest)
		? NULL
		: makeCFDictionary(1, kSecGuestAttributeCanonical, CFTempNumber(guestRef).get());
	// mLock is NOT held across this lookup; other callers are not blocked by it
	Server::active().longTermActivity();
	CFRef<SecCodeRef> code;
	switch (OSStatus rc = SecCodeCopyGuestWithAttributes(processCode(),
			attributes, kSecCSDefaultFlags, &code.aref())) {
	case noErr:
		break;
	case errSecCSUnsigned:			// not signed; clearly not a host
	case errSecCSNotAHost:			// signed but not marked as a (potential) host
		code = mClientProcess;		// the client process itself stands in for the guest
		break;
	case errSecCSNoSuchCode:		// potential host, but...
		if (guestRef == kSecNoGuest) {	// ... no guests (yet), so return the process
			code = mClientProcess;
			break;
		}
		// else fall through			// ... the guest we expected to be there isn't
	default:
		MacOSError::throwMe(rc);
	}

	// publish the result; since the lock was dropped above, another thread may have
	// filled this slot meanwhile, in which case its code is kept and ours is dropped
	StLock<Mutex> _(mLock);
	GuestState &slot = mGuests[guestRef];
	if (!slot.code)		// if another thread didn't get here first...
		slot.code = code;
	return &slot;
}
示例12: dump
//
// Debug dump of this verifier: the legacy hash (if any) followed by the
// code requirement (if any).
//
void OSXVerifier::dump() const
{
	static const SHA1::Digest nullDigest = { 0 };
	// an all-zero legacy hash means "no hash"
	bool haveLegacyHash = memcmp(mLegacyHash, nullDigest, sizeof(mLegacyHash)) != 0;
	if (haveLegacyHash) {
		Debug::dump("oldHash=");
		Debug::dumpData(mLegacyHash, sizeof(mLegacyHash));
	} else {
		Debug::dump("(no hash)");
	}

	if (!mRequirement) {
		Debug::dump(" NO REQ");
		return;
	}
	// SecRequirementCopyData returns 0 on success; the blob is then dumped as a Requirement
	CFRef<CFDataRef> reqData;
	OSStatus rc = SecRequirementCopyData(mRequirement, 0, &reqData.aref());
	if (rc == 0) {
		Debug::dump(" Requirement =>");
		((const Requirement *)CFDataGetBytePtr(reqData))->dump();
	}
}
示例13: SecPolicyCreateWithOID
//
// Pre-Signing contexts
//
// Builds the certificate chain (mCerts / certs) for the signer's identity by
// evaluating its certificate against the Apple code signing policy; a kCFNull
// identity gets no chain. Note that the SecTrustResultType produced by the
// evaluation is not consulted here — only the chain is used.
// Throws MacOSError if any of the Security calls fail.
//
PreSigningContext::PreSigningContext(const SecCodeSigner::Signer &signer)
{
	// construct a cert chain
	bool haveIdentity = signer.signingIdentity() != SecIdentityRef(kCFNull);
	if (haveIdentity) {
		CFRef<SecCertificateRef> signingCert;
		MacOSError::check(SecIdentityCopyCertificate(signer.signingIdentity(), &signingCert.aref()));
		CFRef<SecPolicyRef> policy = SecPolicyCreateWithOID(kSecPolicyAppleCodeSigning);
		// a single certificate is passed where the API also accepts an array
		CFRef<SecTrustRef> trust;
		MacOSError::check(SecTrustCreateWithCertificates(CFArrayRef(signingCert.get()), policy, &trust.aref()));
		SecTrustResultType result;
		MacOSError::check(SecTrustEvaluate(trust, &result));
		// NOTE(review): `result` is overwritten by SecTrustGetResult and never inspected,
		// so a non-trusted verdict still yields a chain here
		CSSM_TP_APPLE_EVIDENCE_INFO *info;
		MacOSError::check(SecTrustGetResult(trust, &result, &mCerts.aref(), &info));
		this->certs = mCerts;
	}
	// other stuff
	this->identifier = signer.signingIdentifier();
}
示例14: OSXCodeWrap
//
// Produce an OSXCode for the currently running application.
//
// Note that we don't build the CFBundleRef here; we defer this to when we
// really need it for something more interesting than the base or executable paths.
// This is important because OSXCode::main() is called from various initialization
// scenarios (out of the securityd client layer), and CFBundle calls into some
// bizarrely high-level APIs to complete CFBundleGetMainBundle. Until that is fixed
// (if it ever is), this particular instance of laziness is mandatory.
//
// Returns an OSXCodeWrap when the running code can be obtained from the code
// signing layer; otherwise a Bundle (for a .../Contents/MacOS/<exe> layout) or an
// ExecutableTool built from the main executable's path.
//
RefPointer<OSXCode> OSXCode::main()
{
	// return a code signing-aware OSXCode subclass if possible
	CFRef<SecCodeRef> me;
	OSStatus rc = SecCodeCopySelf(kSecCSDefaultFlags, &me.aref());
	if (rc == 0)
		return new OSXCodeWrap(me);

	// otherwise, follow the legacy path precisely - no point in messing with this, is there?
	Boolean isRealBundle;
	string path = cfStringRelease(_CFBundleCopyMainBundleExecutableURL(&isRealBundle));
	if (isRealBundle) {
		// bundle layout is <bundle>/Contents/MacOS/<exe>: the trailing '/' of the
		// "/Contents/MacOS/" marker (offset 15) must be the last '/' in the path
		const char *cpath = path.c_str();
		const char *lastSlash = strrchr(cpath, '/');
		const char *marker = strstr(cpath, "/Contents/MacOS/");
		if (lastSlash && marker && marker + 15 == lastSlash)
			return new Bundle(path.substr(0, marker-cpath).c_str());
		secdebug("bundle", "OSXCode::main(%s) not recognized as bundle (treating as tool)", cpath);
	}
	return new ExecutableTool(path.c_str());
}
示例15: executablePath
//
// The executable path is a bit annoying to get, but not quite
// annoying enough to cache the result.
//
// Returns the main executable path as reported by the code's signing information.
// Throws MacOSError if that information cannot be obtained.
//
string OSXCodeWrap::executablePath() const
{
	CFRef<CFDictionaryRef> info;
	MacOSError::check(SecCodeCopySigningInformation(mCode, kSecCSDefaultFlags, &info.aref()));
	CFURLRef executable = CFURLRef(CFDictionaryGetValue(info, kSecCodeInfoMainExecutable));
	return cfString(executable);
}