#include <sys/types.h>
#ifndef LDID_NOSMIME
-#include <openssl/provider.h>
+#include <openssl/opensslv.h>
+# if OPENSSL_VERSION_MAJOR >= 3
+# include <openssl/provider.h>
+# endif
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/pkcs7.h>
#include <openssl/pkcs12.h>
+#include <openssl/ui.h>
#endif
#ifdef __APPLE__
#include "ldid.hpp"
+#include "machine.h"
+
#define _assert___(line) \
#line
#define _assert__(line) \
for (auto success : (long[]) {EINTR, __VA_ARGS__}) \
if (error == success) \
return (decltype(expr)) -success; \
- _assert_(false, "errno=%u", error); \
+ fprintf(stderr, "ldid: %s: %s\n", __func__, strerror(error)); \
+ exit(1); \
} }()
#define _trace() \
#define _packed \
__attribute__((packed))
+#ifndef LDID_NOSMIME
+std::string password;
+#endif
+
template <typename Type_>
struct Iterator_ {
typedef typename Type_::const_iterator Result;
#define _scope(function) \
_scope_(__COUNTER__, function)
-#define CPU_ARCH_MASK uint32_t(0xff000000)
-#define CPU_ARCH_ABI64 uint32_t(0x01000000)
-
-#define CPU_TYPE_ANY uint32_t(-1)
-#define CPU_TYPE_VAX uint32_t( 1)
-#define CPU_TYPE_MC680x0 uint32_t( 6)
-#define CPU_TYPE_X86 uint32_t( 7)
-#define CPU_TYPE_MC98000 uint32_t(10)
-#define CPU_TYPE_HPPA uint32_t(11)
-#define CPU_TYPE_ARM uint32_t(12)
-#define CPU_TYPE_MC88000 uint32_t(13)
-#define CPU_TYPE_SPARC uint32_t(14)
-#define CPU_TYPE_I860 uint32_t(15)
-#define CPU_TYPE_POWERPC uint32_t(18)
-
-#define CPU_TYPE_I386 CPU_TYPE_X86
-
-#define CPU_TYPE_ARM64 (CPU_ARCH_ABI64 | CPU_TYPE_ARM)
-#define CPU_TYPE_POWERPC64 (CPU_ARCH_ABI64 | CPU_TYPE_POWERPC)
-#define CPU_TYPE_X86_64 (CPU_ARCH_ABI64 | CPU_TYPE_X86)
-
struct fat_header {
uint32_t magic;
uint32_t nfat_arch;
} break;
case PLIST_REAL: {
- _assert(false);
+ fprintf(stderr, "ldid: Invalid plist entry type\n");
+ exit(1);
} break;
case PLIST_DATE: {
- _assert(false);
+ fprintf(stderr, "ldid: Invalid plist entry type\n");
+ exit(1);
} break;
case PLIST_DATA: {
} break;
default: {
- _assert_(false, "unsupported plist type %d", type);
+ fprintf(stderr, "ldid: Unsupported plist type %d", type);
+ exit(1);
} break;
}
}
break;
default:
- _assert(false);
+ fprintf(stderr, "ldid: Unknown header magic\nAre you sure that is a Mach-O?\n");
+ exit(1);
}
void *post = mach_header_ + 1;
post = (uint32_t *) post + 1;
load_command_ = (struct load_command *) post;
- _assert(
- Swap(mach_header_->filetype) == MH_EXECUTE ||
- Swap(mach_header_->filetype) == MH_DYLIB ||
- Swap(mach_header_->filetype) == MH_DYLINKER ||
- Swap(mach_header_->filetype) == MH_BUNDLE
- );
+ if (Swap(mach_header_->filetype) != MH_EXECUTE &&
+ Swap(mach_header_->filetype) != MH_DYLIB &&
+ Swap(mach_header_->filetype) != MH_DYLINKER &&
+ Swap(mach_header_->filetype) != MH_BUNDLE) {
+ fprintf(stderr, "ldid: Unsupported Mach-O type\n");
+ exit(1);
+ }
}
bool Bits64() const {
}
void open(const char *path, int flags) {
- _assert(file_ == -1);
- file_ = _syscall(::open(path, flags));
+ file_ = ::open(path, flags);
+ if (file_ == -1) {
+ fprintf(stderr, "ldid: %s: %s\n", path, strerror(errno));
+ exit(1);
+ }
}
int file() const {
break;
case CPU_TYPE_ARM:
case CPU_TYPE_ARM64:
+ case CPU_TYPE_ARM64_32:
align = 0xe;
break;
default:
case CPU_TYPE_ARM64:
arch = "arm64";
break;
+ case CPU_TYPE_ARM64_32:
+ arch = "arm64_32";
+ break;
}
offset = Align(offset, 1 << align);
Buffer(PKCS7 *pkcs) :
Buffer()
{
- _assert(i2d_PKCS7_bio(bio_, pkcs) != 0);
+ if(i2d_PKCS7_bio(bio_, pkcs) == 0){
+ fprintf(stderr, "ldid: An error occured while getting the PKCS12 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
}
~Buffer() {
value_(d2i_PKCS12_bio(bio, NULL)),
ca_(NULL)
{
- _assert(value_ != NULL);
- _assert(PKCS12_parse(value_, "", &key_, &cert_, &ca_) != 0);
+ if(value_ == NULL){
+ fprintf(stderr, "ldid: An error occured while getting the PKCS12 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
- _assert(key_ != NULL);
- _assert(cert_ != NULL);
+ if (!PKCS12_verify_mac(value_, "", 0) && password.empty()) {
+ char passbuf[2048];
+ UI_UTIL_read_pw_string(passbuf, 2048, "Enter password: ", 0);
+ password = passbuf;
+ }
+
+ if(PKCS12_parse(value_, password.c_str(), &key_, &cert_, &ca_) <= 0){
+ fprintf(stderr, "ldid: An error occured while parsing: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
+ if(key_ == NULL || cert_ == NULL){
+ fprintf(stderr, "ldid: An error occured while parsing: %s\nYour p12 cert might not be valid\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
if (ca_ == NULL)
ca_ = sk_X509_new_null();
- _assert(ca_ != NULL);
+ if(ca_ == NULL){
+ fprintf(stderr, "ldid: An error occured while parsing: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
}
Stuff(const std::string &data) :
public:
Signature(const Stuff &stuff, const Buffer &data, const std::string &xml) {
value_ = PKCS7_new();
- _assert(value_ != NULL);
+ if(value_ == NULL){
+ fprintf(stderr, "ldid: An error occured while getting creating PKCS7 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
_assert(PKCS7_set_type(value_, NID_pkcs7_signed));
_assert(PKCS7_content_new(value_, NID_pkcs7_data));
for (unsigned i(0), e(sk_X509_num(certs)); i != e; i++)
_assert(PKCS7_add_certificate(value_, sk_X509_value(certs, e - i - 1)));
- // XXX: this is the same as PKCS7_sign_add_signer(value_, stuff, stuff, NULL, PKCS7_NOSMIMECAP)
- _assert(X509_check_private_key(stuff, stuff));
- auto info(PKCS7_add_signature(value_, stuff, stuff, EVP_sha1()));
- _assert(info != NULL);
- _assert(PKCS7_add_certificate(value_, stuff));
- _assert(PKCS7_add_signed_attribute(info, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)));
+ auto info(PKCS7_sign_add_signer(value_, stuff, stuff, NULL, PKCS7_NOSMIMECAP));
+ if(info == NULL){
+ fprintf(stderr, "ldid: An error occured while signing: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ }
PKCS7_set_detached(value_, 1);
throw;
}
- // XXX: this is the same as PKCS7_final(value_, data, PKCS7_BINARY)
- BIO *bio(PKCS7_dataInit(value_, NULL));
- _assert(bio != NULL);
- _scope({ BIO_free_all(bio); });
- SMIME_crlf_copy(data, bio, PKCS7_BINARY);
- BIO_flush(bio);
- _assert(PKCS7_dataFinal(value_, bio));
+ _assert(PKCS7_final(value_, data, PKCS7_BINARY));
}
~Signature() {
if (!key.empty()) {
Stuff stuff(key);
auto name(X509_get_subject_name(stuff));
- _assert(name != NULL);
+ if(name == NULL){
+ fprintf(stderr, "ldid: Your certificate might not be valid: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
get(team, name, NID_organizationalUnitName);
get(common, name, NID_commonName);
}
#ifndef LDID_NOPLIST
auto entitlements(plist(baton.entitlements_));
_scope({ plist_free(entitlements); });
- _assert(plist_get_node_type(entitlements) == PLIST_DICT);
+ if (plist_get_node_type(entitlements) != PLIST_DICT) {
+ fprintf(stderr, "ldid: Entitlements should be a plist dicionary\n");
+ exit(1);
+ }
const auto entitled([&](const char *key) {
auto item(plist_dict_get_item(entitlements, key));
}
};
-Bundle Sign(const std::string &root, Folder &parent, const std::string &key, State &remote, const std::string &requirements, const Functor<std::string (const std::string &, const std::string &)> &alter, const Progress &progress) {
+Bundle Sign(const std::string &root, Folder &parent, const std::string &key, State &local, const std::string &requirements, const Functor<std::string (const std::string &, const std::string &)> &alter, const Progress &progress) {
std::string executable;
std::string identifier;
else if (parent.Look("Resources/" + info)) {
info = "Resources/" + info;
return "";
- } else _assert_(false, "cannot find Info.plist");
+ } else {
+ fprintf(stderr, "ldid: Could not find Info.plist\n");
+ exit(1);
+ }
}());
folder.Open(info, fun([&](std::streambuf &buffer, size_t length, const void *flag) {
rules2.insert(Rule{20, NoMode, "^version\\.plist$"});
}
- State local;
-
std::string failure(mac ? "Contents/|Versions/[^/]*/Resources/" : "");
Expression nested("^(Frameworks/[^/]*\\.framework|PlugIns/[^/]*\\.appex(()|/[^/]*.app))/(" + failure + ")Info\\.plist$");
std::map<std::string, Bundle> bundles;
folder.Find("", fun([&](const std::string &name) {
if (!nested(name))
return;
- auto bundle(root + Split(name).dir);
+ auto bundle(Split(name).dir);
if (mac) {
_assert(!bundle.empty());
bundle = Split(bundle.substr(0, bundle.size() - 1)).dir;
}
SubFolder subfolder(folder, bundle);
- bundles[nested[1]] = Sign(bundle, subfolder, key, local, "", Starts(name, "PlugIns/") ? alter :
+ State remote;
+ bundles[nested[1]] = Sign(root + bundle, subfolder, key, remote, "", Starts(name, "PlugIns/") ? alter :
static_cast<const Functor<std::string (const std::string &, const std::string &)> &>(fun([&](const std::string &, const std::string &) -> std::string { return entitlements; }))
, progress);
+ local.Merge(bundle, remote);
}), fun([&](const std::string &name, const Functor<std::string ()> &read) {
}));
}));
}));
- remote.Merge(root, local);
return bundle;
}
}
static void usage(const char *argv0) {
- fprintf(stderr, "usage: %s -S[entitlements.xml] <binary>\n", argv0);
- fprintf(stderr, " %s -e MobileSafari\n", argv0);
- fprintf(stderr, " %s -S cat\n", argv0);
- fprintf(stderr, " %s -Stfp.xml gdb\n", argv0);
+ fprintf(stderr, "Link Identity Editor %s\n\n", LDID_VERSION);
+ fprintf(stderr, "Usage: %s [-Acputype:subtype] [-a] [-C[adhoc | enforcement | expires | hard |\n", argv0);
+ fprintf(stderr, " host | kill | library-validation | restrict | runtime]] [-D] [-d]\n");
+ fprintf(stderr, " [-Enum:file] [-e] [-H[sha1 | sha256]] [-h] [-Iname]\n");
+ fprintf(stderr, " [-Kkey.p12 [-Upassword]] [-M] [-P] [-Qrequirements.xml] [-q]\n");
+ fprintf(stderr, " [-r | -Sfile.xml | -s] [-Ttimestamp] [-u] [-arch arch_type] file ...\n");
+ fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -S[file.xml] Pseudo-sign using the entitlements in file.xml\n");
+ fprintf(stderr, " -Kkey.p12 Sign using private key in key.p12\n");
+ fprintf(stderr, " -Upassword Use password to unlock key.p12\n");
+ fprintf(stderr, " -M Merge entitlements with any existing\n");
+ fprintf(stderr, " -h Print CDHash of file\n\n");
+ fprintf(stderr, "More information: 'man ldid'\n");
}
#ifndef LDID_NOTOOLS
int main(int argc, char *argv[]) {
#ifndef LDID_NOSMIME
OpenSSL_add_all_algorithms();
+# if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy");
OSSL_PROVIDER *deflt = OSSL_PROVIDER_load(NULL, "default");
+# endif
#endif
union {
for (int argi(1); argi != argc; ++argi)
if (argv[argi][0] != '-')
files.push_back(argv[argi]);
- else switch (argv[argi][1]) {
+ else if (strcmp(argv[argi], "-arch") == 0) {
+ bool foundarch = false;
+ flag_A = true;
+ argi++;
+ if (argi == argc) {
+ fprintf(stderr, "ldid: -arch must be followed by an architecture string\n");
+ exit(1);
+ }
+ for (int i = 0; archs[i].name != NULL; i++) {
+ if (strcmp(archs[i].name, argv[argi]) == 0) {
+ flag_CPUType = archs[i].cputype;
+ flag_CPUSubtype = archs[i].cpusubtype;
+ foundarch = true;
+ }
+ if (foundarch)
+ break;
+ }
+
+ if (!foundarch) {
+ fprintf(stderr, "error: unknown architecture specification flag: -arch %s\n", argv[argi]);
+ exit(1);
+ }
+ } else switch (argv[argi][1]) {
case 'r':
- _assert(!flag_s);
- _assert(!flag_S);
+ if (flag_s || flag_S) {
+ fprintf(stderr, "ldid: Can only specify one of -r, -S, -s\n");
+ exit(1);
+ }
flag_r = true;
break;
do_sha1 = false;
do_sha256 = false;
-
- fprintf(stderr, "WARNING: -H is only present for compatibility with a fork of ldid\n");
- fprintf(stderr, " you should NOT be manually specifying the hash algorithm\n");
}
if (false);
do_sha1 = true;
else if (strcmp(hash, "sha256") == 0)
do_sha256 = true;
- else _assert(false);
+ else {
+ fprintf(stderr, "ldid: only sha1 and sha256 are supported at this time\n");
+ exit(1);
+ }
} break;
case 'h': flag_h = true; break;
case 'a': flag_a = true; break;
case 'A':
- _assert(!flag_A);
+ if (flag_A) {
+ fprintf(stderr, "ldid: -A can only be specified once\n");
+ exit(1);
+ }
flag_A = true;
if (argv[argi][2] != '\0') {
const char *cpu = argv[argi] + 2;
flags |= kSecCodeSignatureLibraryValidation;
else if (strcmp(name, "runtime") == 0)
flags |= kSecCodeSignatureRuntime;
- else _assert(false);
+ else {
+ fprintf(stderr, "ldid: -C: Unsupported option\n");
+ exit(1);
+ }
} break;
case 'P':
break;
case 's':
- _assert(!flag_r);
- _assert(!flag_S);
+ if (flag_r || flag_S) {
+ fprintf(stderr, "ldid: Can only specify one of -r, -S, -s\n");
+ exit(1);
+ }
flag_s = true;
break;
case 'S':
- _assert(!flag_r);
- _assert(!flag_s);
+ if (flag_r || flag_s) {
+ fprintf(stderr, "ldid: Can only specify one of -r, -S, -s\n");
+ exit(1);
+ }
flag_S = true;
if (argv[argi][2] != '\0') {
const char *xml = argv[argi] + 2;
flag_M = true;
break;
+ case 'U':
+ password = argv[argi] + 2;
+ break;
+
case 'K':
if (argv[argi][2] != '\0')
key.open(argv[argi] + 2, O_RDONLY, PROT_READ, MAP_PRIVATE);
std::string path(file);
struct stat info;
- _syscall(stat(path.c_str(), &info));
+ if (stat(path.c_str(), &info) == -1) {
+ fprintf(stderr, "ldid: %s: %s\n", path.c_str(), strerror(errno));
+ exit(1);
+ }
if (S_ISDIR(info.st_mode)) {
- _assert(flag_S);
+ if (!flag_S) {
+ fprintf(stderr, "ldid: Only -S can be used on directories\n");
+ exit(1);
+ }
#ifndef LDID_NOPLIST
ldid::DiskFolder folder(path + "/");
path += "/" + Sign("", folder, key, requirements, ldid::fun([&](const std::string &, const std::string &) -> std::string { return entitlements; }), dummy_).path;
encryption->cryptid = mach_header.Swap(0);
}
- if (flag_e) {
- _assert(signature != NULL);
+ if ((flag_e || flag_q || flag_s || flag_h) && signature == NULL) {
+ fprintf(stderr, "ldid: -e, -q, -s, and -h requre a signed binary\n");
+ exit(1);
+ }
+ if (flag_e) {
uint32_t data = mach_header.Swap(signature->dataoff);
uint8_t *top = reinterpret_cast<uint8_t *>(mach_header.GetBase());
}
if (flag_q) {
- _assert(signature != NULL);
-
uint32_t data = mach_header.Swap(signature->dataoff);
uint8_t *top = reinterpret_cast<uint8_t *>(mach_header.GetBase());
}
if (flag_s) {
- _assert(signature != NULL);
-
uint32_t data = mach_header.Swap(signature->dataoff);
uint8_t *top = reinterpret_cast<uint8_t *>(mach_header.GetBase());
}
if (flag_h) {
- _assert(signature != NULL);
-
auto algorithms(GetAlgorithms());
uint32_t data = mach_header.Swap(signature->dataoff);
++filei;
}
-#ifndef LDID_NOSMINE
+#ifndef LDID_NOSMIME
+# if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER_unload(legacy);
OSSL_PROVIDER_unload(deflt);
+# endif
#endif
return filee;
git.ckatri.com / ldid.git / blobdiff