]> git.cameronkatri.com Git - ldid.git/blobdiff - ldid.cpp
git.ckatri.com / ldid.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add Authority to ldid -h
[ldid.git] / ldid.cpp
diff --git a/ldid.cpp b/ldid.cpp
index ac4d17aa50e6134a850da324125ef41f043b4c8a..5e4ded29b5c1f655ccf2c38181419ea56b49956b 100644 (file)
--- a/ldid.cpp
+++ b/ldid.cpp
@@ -1716,7 +1716,7 @@ class Buffer {
         Buffer()
     {
         if (i2d_PKCS7_bio(bio_, pkcs) == 0){
-            fprintf(stderr, "ldid: An error occured while getting the PKCS12 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
+            fprintf(stderr, "ldid: An error occured while getting the PKCS7 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
             exit(1);
         }
     }
@@ -1855,14 +1855,18 @@ class Signature {
         X509_ATTRIBUTE *attribute = X509_ATTRIBUTE_new();
         ASN1_OBJECT *obj2 = OBJ_txt2obj("1.2.840.113635.100.9.2", 1);
         X509_ATTRIBUTE_set1_object(attribute, obj2);
-        // xina fix;
-        SEQUENCE_hash_sha1 seq1;
-        memcpy((void *)seq1.hash,(void *)alternateCDSHA1.data() ,alternateCDSHA1.size());
-        X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE,&seq1, sizeof(seq1));
-        // xina fix;
-        SEQUENCE_hash_sha256 seq256;
-        memcpy((void *)seq256.hash,(void *)alternateCDSHA256.data() ,alternateCDSHA256.size());
-        X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE,&seq256, sizeof(seq256));
+        if (alternateCDSHA1.size() != 0) {
+            // xina fix;
+            SEQUENCE_hash_sha1 seq1;
+            memcpy((void *)seq1.hash, (void *)alternateCDSHA1.data(), alternateCDSHA1.size());
+            X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE, &seq1, sizeof(seq1));
+        }
+        if (alternateCDSHA256.size() != 0) {
+            // xina fix;
+            SEQUENCE_hash_sha256 seq256;
+            memcpy((void *)seq256.hash, (void *)alternateCDSHA256.data(), alternateCDSHA256.size());
+            X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE, &seq256, sizeof(seq256));
+        }
 
         STACK_OF(X509_ATTRIBUTE) *sk = PKCS7_get_signed_attributes(info);
         if (!sk_X509_ATTRIBUTE_push(sk, attribute)) {
@@ -1938,8 +1942,8 @@ class HashBuffer :
         sha1_ = EVP_MD_CTX_new();
         sha256_ = EVP_MD_CTX_new();
         
-        EVP_DigestInit_ex2(sha1_, EVP_get_digestbyname("sha1"), nullptr);
-        EVP_DigestInit_ex2(sha256_, EVP_get_digestbyname("sha256"), nullptr);
+        EVP_DigestInit_ex(sha1_, EVP_get_digestbyname("sha1"), nullptr);
+        EVP_DigestInit_ex(sha256_, EVP_get_digestbyname("sha256"), nullptr);
     }
 
     ~HashBuffer() {
@@ -3539,6 +3543,10 @@ int main(int argc, char *argv[]) {
             }
 
             if (flag_h) {
+                char *buf = _syscall(realpath(file.c_str(), NULL));
+                printf("Executable=%s\n", buf);
+                free(buf);
+
                 auto algorithms(GetAlgorithms());
 
                 uint32_t data = mach_header.Swap(signature->dataoff);
@@ -3552,9 +3560,11 @@ int main(int argc, char *argv[]) {
                     size_t size_;
                     Algorithm &algorithm_;
                     std::string hash_;
+                    uint32_t offset;
                 };
 
                 std::map<uint8_t, Candidate> candidates;
+                uint32_t cmsBegin = 0, cmsEnd = 0;
 
                 for (size_t index(0); index != Swap(super->count); ++index) {
                     auto type(Swap(super->index[index].type));
@@ -3567,7 +3577,10 @@ int main(int argc, char *argv[]) {
                         auto &algorithm(*algorithms[type - 1]);
                         uint8_t hash[algorithm.size_];
                         algorithm(hash, blob + begin, end - begin);
-                        candidates.insert({type, {directory, end - begin, algorithm, Hex(hash, 20)}});
+                        candidates.insert({type, {directory, end - begin, algorithm, Hex(hash, 20), begin}});
+                    } else if (type == CSSLOT_SIGNATURESLOT) {
+                        cmsBegin = Swap(super->index[index].offset);
+                        cmsEnd = index + 1 == Swap(super->count) ? Swap(super->blob.length) : Swap(super->index[index + 1].offset);
                     }
                 }
 
@@ -3578,6 +3591,8 @@ int main(int argc, char *argv[]) {
                 const auto directory(best->second.directory_);
                 const auto flags(Swap(directory->flags));
 
+                printf("Identifier=%s\n", blob + best->second.offset + Swap(directory->identOffset));
+
                 std::string names;
                 if (flags & kSecCodeSignatureHost)
                     names += ",host";
@@ -3612,6 +3627,53 @@ int main(int argc, char *argv[]) {
                 printf("Hash choices=%s\n", choices.c_str() + 1);
 
                 printf("CDHash=%s\n", best->second.hash_.c_str());
+
+                if (cmsBegin != 0 && cmsEnd != 0) {
+                    // This loads the CMS blob and parses each X509 cert in the blob to extract the
+                    // common name and print it as "Authority=%s"
+                    Buffer bio(reinterpret_cast<const char *>(blob) + cmsBegin + sizeof(Blob), cmsEnd - cmsBegin);
+                    PKCS7 *p7 = NULL;
+                    if ((p7 = d2i_PKCS7_bio(bio, NULL)) == NULL) {
+                        // In order to follow codesign, we just ignore errors
+                        printf("Authority=(unavailable)\n");
+                        PKCS7_free(p7);
+                        continue;
+                    }
+                    STACK_OF(X509) *certs = NULL;
+                    switch (OBJ_obj2nid(p7->type)) {
+                        case NID_pkcs7_signed:
+                            if (p7->d.sign != NULL)
+                                certs = p7->d.sign->cert;
+                            break;
+                        case NID_pkcs7_signedAndEnveloped:
+                            if (p7->d.signed_and_enveloped != NULL)
+                                certs = p7->d.signed_and_enveloped->cert;
+                            break;
+                        default:
+                            break;
+                    }
+                    if (certs != NULL) {
+                        X509 *x;
+                        for (int i = 0; i < sk_X509_num(certs); i++) {
+                            x = sk_X509_value(certs, i);
+                            int lastpos = -1;
+                            X509_NAME *nm = X509_get_subject_name(x);
+                            X509_NAME_ENTRY *e;
+
+                            for (;;) {
+                                lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
+                                if (lastpos == -1)
+                                    break;
+                                e = X509_NAME_get_entry(nm, lastpos);
+                                ASN1_STRING *s = X509_NAME_ENTRY_get_data(e);
+                                printf("Authority=%s\n", reinterpret_cast<const char *>(ASN1_STRING_get0_data(s)));
+                            }
+                        }
+                    } else {
+                        printf("Authority=(unavailable)\n");
+                    }
+                    PKCS7_free(p7);
+                }
             }
         }
 
Link Identity Editor. Put real or fake signatures in a Mach-O.