**/
/* }}} */
+#include <algorithm>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <openssl/pkcs12.h>
#include <openssl/ui.h>
-#include <openssl/sha.h>
-
-#define LDID_SHA1_DIGEST_LENGTH SHA_DIGEST_LENGTH
-#define LDID_SHA1 SHA1
-#define LDID_SHA1_CTX SHA_CTX
-#define LDID_SHA1_Init SHA1_Init
-#define LDID_SHA1_Update SHA1_Update
-#define LDID_SHA1_Final SHA1_Final
-
-#define LDID_SHA256_DIGEST_LENGTH SHA256_DIGEST_LENGTH
-#define LDID_SHA256 SHA256
-#define LDID_SHA256_CTX SHA256_CTX
-#define LDID_SHA256_Init SHA256_Init
-#define LDID_SHA256_Update SHA256_Update
-#define LDID_SHA256_Final SHA256_Final
+#include <openssl/evp.h>
#include <plist/plist.h>
Algorithm
{
AlgorithmSHA1() :
- Algorithm(LDID_SHA1_DIGEST_LENGTH, CS_HASHTYPE_SHA160_160)
+ Algorithm(SHA_DIGEST_LENGTH, CS_HASHTYPE_SHA160_160)
{
}
}
void operator ()(uint8_t *hash, const void *data, size_t size) const {
- LDID_SHA1(static_cast<const uint8_t *>(data), size, hash);
+ SHA1(static_cast<const uint8_t *>(data), size, hash);
}
void operator ()(ldid::Hash &hash, const void *data, size_t size) const {
}
void operator ()(std::vector<char> &hash, const void *data, size_t size) const {
- hash.resize(LDID_SHA1_DIGEST_LENGTH);
+ hash.resize(SHA_DIGEST_LENGTH);
return operator ()(reinterpret_cast<uint8_t *>(hash.data()), data, size);
}
Algorithm
{
AlgorithmSHA256() :
- Algorithm(LDID_SHA256_DIGEST_LENGTH, CS_HASHTYPE_SHA256_256)
+ Algorithm(SHA256_DIGEST_LENGTH, CS_HASHTYPE_SHA256_256)
{
}
}
void operator ()(uint8_t *hash, const void *data, size_t size) const {
- LDID_SHA256(static_cast<const uint8_t *>(data), size, hash);
+ SHA256(static_cast<const uint8_t *>(data), size, hash);
}
void operator ()(ldid::Hash &hash, const void *data, size_t size) const {
}
void operator ()(std::vector<char> &hash, const void *data, size_t size) const {
- hash.resize(LDID_SHA256_DIGEST_LENGTH);
+ hash.resize(SHA256_DIGEST_LENGTH);
return operator ()(reinterpret_cast<uint8_t *>(hash.data()), data, size);
}
Buffer()
{
if (i2d_PKCS7_bio(bio_, pkcs) == 0){
- fprintf(stderr, "ldid: An error occured while getting the PKCS12 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ fprintf(stderr, "ldid: An error occured while getting the PKCS7 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
exit(1);
}
}
exit(1);
}
- _assert(PKCS7_set_type(value_, NID_pkcs7_signed));
- _assert(PKCS7_content_new(value_, NID_pkcs7_data));
+ if (PKCS7_set_type(value_, NID_pkcs7_signed) == 0 ||
+ PKCS7_content_new(value_, NID_pkcs7_data) == 0) {
+ fprintf(stderr, "ldid: An error occured while getting creating PKCS7 file: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
STACK_OF(X509) *certs(stuff);
- for (unsigned i(0), e(sk_X509_num(certs)); i != e; i++)
- _assert(PKCS7_add_certificate(value_, sk_X509_value(certs, e - i - 1)));
+ for (unsigned i(0), e(sk_X509_num(certs)); i != e; i++) {
+ if (PKCS7_add_certificate(value_, sk_X509_value(certs, e - i - 1)) == 0) {
+ fprintf(stderr, "ldid: An error occured while signing: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
+ }
auto info(PKCS7_sign_add_signer(value_, stuff, stuff, NULL, PKCS7_NOSMIMECAP));
if (info == NULL){
fprintf(stderr, "ldid: An error occured while signing: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
}
X509_ATTRIBUTE *attribute = X509_ATTRIBUTE_new();
ASN1_OBJECT *obj2 = OBJ_txt2obj("1.2.840.113635.100.9.2", 1);
X509_ATTRIBUTE_set1_object(attribute, obj2);
- // xina fix;
- SEQUENCE_hash_sha1 seq1;
- memcpy((void *)seq1.hash,(void *)alternateCDSHA1.data() ,alternateCDSHA1.size());
- X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE,&seq1, sizeof(seq1));
- // xina fix;
- SEQUENCE_hash_sha256 seq256;
- memcpy((void *)seq256.hash,(void *)alternateCDSHA256.data() ,alternateCDSHA256.size());
- X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE,&seq256, sizeof(seq256));
+ if (alternateCDSHA1.size() != 0) {
+ // xina fix;
+ SEQUENCE_hash_sha1 seq1;
+ memcpy((void *)seq1.hash, (void *)alternateCDSHA1.data(), alternateCDSHA1.size());
+ X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE, &seq1, sizeof(seq1));
+ }
+ if (alternateCDSHA256.size() != 0) {
+ // xina fix;
+ SEQUENCE_hash_sha256 seq256;
+ memcpy((void *)seq256.hash, (void *)alternateCDSHA256.data(), alternateCDSHA256.size());
+ X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE, &seq256, sizeof(seq256));
+ }
STACK_OF(X509_ATTRIBUTE) *sk = PKCS7_get_signed_attributes(info);
if (!sk_X509_ATTRIBUTE_push(sk, attribute)) {
PKCS7_set_detached(value_, 1);
ASN1_OCTET_STRING *string(ASN1_OCTET_STRING_new());
- _assert(string != NULL);
+ if (string == NULL) {
+ fprintf(stderr, "ldid: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
+
try {
- _assert(ASN1_STRING_set(string, xml.data(), xml.size()));
+ if (ASN1_STRING_set(string, xml.data(), xml.size()) == 0) {
+ fprintf(stderr, "ldid: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
static auto nid(OBJ_create("1.2.840.113635.100.9.1", "", ""));
- _assert(PKCS7_add_signed_attribute(info, nid, V_ASN1_OCTET_STRING, string));
+ if (PKCS7_add_signed_attribute(info, nid, V_ASN1_OCTET_STRING, string) == 0) {
+ fprintf(stderr, "ldid: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
} catch (...) {
ASN1_OCTET_STRING_free(string);
throw;
}
- _assert(PKCS7_final(value_, data, PKCS7_BINARY));
+ if (PKCS7_final(value_, data, PKCS7_BINARY) == 0) {
+ fprintf(stderr, "ldid: Failed to sign: %s\n", ERR_error_string(ERR_get_error(), NULL));
+ exit(1);
+ }
}
~Signature() {
private:
ldid::Hash &hash_;
- LDID_SHA1_CTX sha1_;
- LDID_SHA256_CTX sha256_;
+ EVP_MD_CTX *sha1_;
+ EVP_MD_CTX *sha256_;
public:
HashBuffer(ldid::Hash &hash) :
hash_(hash)
{
- LDID_SHA1_Init(&sha1_);
- LDID_SHA256_Init(&sha256_);
+ sha1_ = EVP_MD_CTX_new();
+ sha256_ = EVP_MD_CTX_new();
+
+ EVP_DigestInit_ex(sha1_, EVP_get_digestbyname("sha1"), nullptr);
+ EVP_DigestInit_ex(sha256_, EVP_get_digestbyname("sha256"), nullptr);
}
~HashBuffer() {
- LDID_SHA1_Final(reinterpret_cast<uint8_t *>(hash_.sha1_), &sha1_);
- LDID_SHA256_Final(reinterpret_cast<uint8_t *>(hash_.sha256_), &sha256_);
+ EVP_DigestFinal_ex(sha1_, reinterpret_cast<uint8_t *>(hash_.sha1_), nullptr);
+ EVP_DigestFinal_ex(sha256_, reinterpret_cast<uint8_t *>(hash_.sha256_), nullptr);
+
+ EVP_MD_CTX_free(sha1_);
+ EVP_MD_CTX_free(sha256_);
}
virtual std::streamsize xsputn(const char_type *data, std::streamsize size) {
- LDID_SHA1_Update(&sha1_, data, size);
- LDID_SHA256_Update(&sha256_, data, size);
+ EVP_DigestUpdate(sha1_, data, size);
+ EVP_DigestUpdate(sha256_, data, size);
return size;
}
put(buffer, zeros, 3 - (Size_ + 3) % 4);
}
-Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::string &identifier, const std::string &entitlements, bool merge, const std::string &requirements, const std::string &key, const Slots &slots, uint32_t flags, bool platform, const Progress &progress) {
+Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::string &identifier, const std::string &entitlements, bool merge, const std::string &requirements, const std::string &key, const Slots &slots, uint32_t flags, uint8_t platform, const Progress &progress) {
Hash hash;
directory.nCodeSlots = Swap(normal);
directory.hashSize = algorithm.size_;
directory.hashType = algorithm.type_;
- directory.platform = platform ? 0x01 : 0x00;
+ directory.platform = platform;
directory.pageSize = PageShift_;
directory.spare2 = Swap(uint32_t(0));
directory.scatterOffset = Swap(uint32_t(0));
}
};
-static Hash Sign(const uint8_t *prefix, size_t size, std::streambuf &buffer, Hash &hash, std::streambuf &save, const std::string &identifier, const std::string &entitlements, bool merge, const std::string &requirements, const std::string &key, const Slots &slots, size_t length, uint32_t flags, bool platform, const Progress &progress) {
+static Hash Sign(const uint8_t *prefix, size_t size, std::streambuf &buffer, Hash &hash, std::streambuf &save, const std::string &identifier, const std::string &entitlements, bool merge, const std::string &requirements, const std::string &key, const Slots &slots, size_t length, uint32_t flags, uint8_t platform, const Progress &progress) {
// XXX: this is a miserable fail
std::stringbuf temp;
put(temp, prefix, size);
}
};
-Bundle Sign(const std::string &root, Folder &parent, const std::string &key, State &local, const std::string &requirements, const Functor<std::string (const std::string &, const std::string &)> &alter, const Progress &progress) {
+Bundle Sign(const std::string &root, Folder &parent, const std::string &key, State &local, const std::string &requirements, const Functor<std::string (const std::string &, const std::string &)> &alter, bool merge, uint8_t platform, const Progress &progress) {
std::string executable;
std::string identifier;
State remote;
bundles[nested[1]] = Sign(root + bundle, subfolder, key, remote, "", Starts(name, "PlugIns/") ? alter :
static_cast<const Functor<std::string (const std::string &, const std::string &)> &>(fun([&](const std::string &, const std::string &) -> std::string { return entitlements; }))
- , progress);
+ , merge, platform, progress);
local.Merge(bundle, remote);
}), fun([&](const std::string &name, const Functor<std::string ()> &read) {
}));
case MH_CIGAM: case MH_CIGAM_64:
folder.Save(name, true, flag, fun([&](std::streambuf &save) {
Slots slots;
- Sign(header.bytes, size, data, hash, save, identifier, "", false, "", key, slots, length, 0, false, Progression(progress, root + name));
+ Sign(header.bytes, size, data, hash, save, identifier, "", false, "", key, slots, length, 0, platform, Progression(progress, root + name));
}));
return;
}
Slots slots;
slots[1] = local.files.at(info);
slots[3] = local.files.at(signature);
- bundle.hash = Sign(NULL, 0, buffer, local.files[executable], save, identifier, entitlements, false, requirements, key, slots, length, 0, false, Progression(progress, root + executable));
+ bundle.hash = Sign(NULL, 0, buffer, local.files[executable], save, identifier, entitlements, merge, requirements, key, slots, length, 0, platform, Progression(progress, root + executable));
}));
}));
return bundle;
}
-Bundle Sign(const std::string &root, Folder &folder, const std::string &key, const std::string &requirements, const Functor<std::string (const std::string &, const std::string &)> &alter, const Progress &progress) {
+Bundle Sign(const std::string &root, Folder &folder, const std::string &key, const std::string &requirements, const Functor<std::string (const std::string &, const std::string &)> &alter, bool merge, uint8_t platform, const Progress &progress) {
State local;
- return Sign(root, folder, key, local, requirements, alter, progress);
+ return Sign(root, folder, key, local, requirements, alter, merge, platform, progress);
}
#endif
fprintf(stderr, "Usage: %s [-Acputype:subtype] [-a] [-C[adhoc | enforcement | expires | hard |\n", argv0);
fprintf(stderr, " host | kill | library-validation | restrict | runtime]] [-D] [-d]\n");
fprintf(stderr, " [-Enum:file] [-e] [-H[sha1 | sha256]] [-h] [-Iname]\n");
- fprintf(stderr, " [-Kkey.p12 [-Upassword]] [-M] [-P] [-Qrequirements.xml] [-q]\n");
- fprintf(stderr, " [-r | -Sfile.xml | -s] [-Ttimestamp] [-u] [-arch arch_type] file ...\n");
- fprintf(stderr, "Options:\n");
+ fprintf(stderr, " [-Kkey.p12 [-Upassword]] [-M] [-P[num]] [-Qrequirements.xml] [-q]\n");
+ fprintf(stderr, " [-r | -Sfile.xml | -s] [-u] [-arch arch_type] file ...\n");
+ fprintf(stderr, "Common Options:\n");
fprintf(stderr, " -S[file.xml] Pseudo-sign using the entitlements in file.xml\n");
fprintf(stderr, " -Kkey.p12 Sign using private key in key.p12\n");
fprintf(stderr, " -Upassword Use password to unlock key.p12\n");
bool flag_M(false);
uint32_t flags(0);
- bool platform(false);
+ uint8_t platform(0);
uint32_t flag_CPUType(_not(uint32_t));
uint32_t flag_CPUSubtype(_not(uint32_t));
} break;
case 'P':
- platform = true;
+ if (argv[argi][2] != '\0') {
+ char *platformchar = argv[argi] + 2;
+ char *arge;
+ platform = strtoul(platformchar, &arge, 0);
+ } else {
+ platform = 13;
+ }
break;
case 's':
}
if (S_ISDIR(info.st_mode)) {
- if (!flag_S) {
- fprintf(stderr, "ldid: Only -S can be used on directories\n");
+ if (!flag_S && !flag_s) {
+ fprintf(stderr, "ldid: Only -S and -s can be used on directories\n");
exit(1);
}
ldid::DiskFolder folder(path + "/");
- path += "/" + Sign("", folder, key, requirements, ldid::fun([&](const std::string &, const std::string &) -> std::string { return entitlements; }), dummy_).path;
- } else if (flag_S || flag_r) {
+ path += "/" + Sign("", folder, key, requirements, ldid::fun([&](const std::string &, const std::string &) -> std::string { return entitlements; }), flag_M, platform, dummy_).path;
+ } else if (flag_S || flag_r || flag_s) {
Map input(path, O_RDONLY, PROT_READ, MAP_PRIVATE);
std::filebuf output;
}
if (flag_h) {
+ char *buf = _syscall(realpath(file.c_str(), NULL));
+ printf("Executable=%s\n", buf);
+ free(buf);
+
auto algorithms(GetAlgorithms());
uint32_t data = mach_header.Swap(signature->dataoff);
size_t size_;
Algorithm &algorithm_;
std::string hash_;
+ uint32_t offset;
};
std::map<uint8_t, Candidate> candidates;
+ uint32_t cmsBegin = 0, cmsEnd = 0;
for (size_t index(0); index != Swap(super->count); ++index) {
auto type(Swap(super->index[index].type));
auto &algorithm(*algorithms[type - 1]);
uint8_t hash[algorithm.size_];
algorithm(hash, blob + begin, end - begin);
- candidates.insert({type, {directory, end - begin, algorithm, Hex(hash, 20)}});
+ candidates.insert({type, {directory, end - begin, algorithm, Hex(hash, algorithm.size_), begin}});
+ } else if (type == CSSLOT_SIGNATURESLOT) {
+ cmsBegin = Swap(super->index[index].offset);
+ cmsEnd = index + 1 == Swap(super->count) ? Swap(super->blob.length) : Swap(super->index[index + 1].offset);
}
}
const auto directory(best->second.directory_);
const auto flags(Swap(directory->flags));
+ printf("Identifier=%s\n", blob + best->second.offset + Swap(directory->identOffset));
+
std::string names;
if (flags & kSecCodeSignatureHost)
names += ",host";
auto choice(candidate.second.algorithm_.name());
choices += ',';
choices += choice;
- printf("CandidateCDHash %s=%s\n", choice, candidate.second.hash_.c_str());
+ printf("CandidateCDHash %s=%.40s\n", choice, candidate.second.hash_.c_str());
+ printf("CandidateCDHashFull %s=%s\n", choice, candidate.second.hash_.c_str());
}
printf("Hash choices=%s\n", choices.c_str() + 1);
- printf("CDHash=%s\n", best->second.hash_.c_str());
+ printf("CDHash=%.40s\n", best->second.hash_.c_str());
+
+ if (cmsBegin != 0 && cmsEnd != 0) {
+ // This loads the CMS blob and parses each X509 cert in the blob to extract the
+ // common name and print it as "Authority=%s"
+ Buffer bio(reinterpret_cast<const char *>(blob) + cmsBegin + sizeof(Blob), cmsEnd - cmsBegin);
+ PKCS7 *p7 = NULL;
+ if ((p7 = d2i_PKCS7_bio(bio, NULL)) == NULL) {
+ // In order to follow codesign, we just ignore errors
+ printf("Authority=(unavailable)\n");
+ } else {
+ STACK_OF(X509) *certs = NULL;
+ switch (OBJ_obj2nid(p7->type)) {
+ case NID_pkcs7_signed:
+ if (p7->d.sign != NULL)
+ certs = p7->d.sign->cert;
+ break;
+ case NID_pkcs7_signedAndEnveloped:
+ if (p7->d.signed_and_enveloped != NULL)
+ certs = p7->d.signed_and_enveloped->cert;
+ break;
+ default:
+ break;
+ }
+ if (certs != NULL) {
+ X509 *x;
+ for (int i = 0; i < sk_X509_num(certs); i++) {
+ x = sk_X509_value(certs, i);
+ int lastpos = -1;
+ X509_NAME *nm = X509_get_subject_name(x);
+ X509_NAME_ENTRY *e;
+
+ for (;;) {
+ lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
+ if (lastpos == -1)
+ break;
+ e = X509_NAME_get_entry(nm, lastpos);
+ ASN1_STRING *s = X509_NAME_ENTRY_get_data(e);
+ printf("Authority=%s\n", reinterpret_cast<const char *>(ASN1_STRING_get0_data(s)));
+ }
+ }
+ } else {
+ printf("Authority=(unavailable)\n");
+ }
+ }
+ PKCS7_free(p7);
+ }
+
+ if (Swap(directory->teamIDOffset) > 0)
+ printf("TeamIdentifier=%s\n", blob + best->second.offset + Swap(directory->teamIDOffset));
+ else
+ printf("TeamIdentifier=not set\n");
}
}
git.ckatri.com / ldid.git / blobdiff