X-Git-Url: https://git.cameronkatri.com/ldid.git/blobdiff_plain/dfd6fccd7f8950601e32602b47f205f0a4a9ff7e..69b0ced15a9d290c893ae47f27acb069f927472d:/ldid.cpp diff --git a/ldid.cpp b/ldid.cpp index ac4d17a..5e4ded2 100644 --- a/ldid.cpp +++ b/ldid.cpp @@ -1716,7 +1716,7 @@ class Buffer { Buffer() { if (i2d_PKCS7_bio(bio_, pkcs) == 0){ - fprintf(stderr, "ldid: An error occured while getting the PKCS12 file: %s\n", ERR_error_string(ERR_get_error(), NULL)); + fprintf(stderr, "ldid: An error occured while getting the PKCS7 file: %s\n", ERR_error_string(ERR_get_error(), NULL)); exit(1); } } @@ -1855,14 +1855,18 @@ class Signature { X509_ATTRIBUTE *attribute = X509_ATTRIBUTE_new(); ASN1_OBJECT *obj2 = OBJ_txt2obj("1.2.840.113635.100.9.2", 1); X509_ATTRIBUTE_set1_object(attribute, obj2); - // xina fix; - SEQUENCE_hash_sha1 seq1; - memcpy((void *)seq1.hash,(void *)alternateCDSHA1.data() ,alternateCDSHA1.size()); - X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE,&seq1, sizeof(seq1)); - // xina fix; - SEQUENCE_hash_sha256 seq256; - memcpy((void *)seq256.hash,(void *)alternateCDSHA256.data() ,alternateCDSHA256.size()); - X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE,&seq256, sizeof(seq256)); + if (alternateCDSHA1.size() != 0) { + // xina fix; + SEQUENCE_hash_sha1 seq1; + memcpy((void *)seq1.hash, (void *)alternateCDSHA1.data(), alternateCDSHA1.size()); + X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE, &seq1, sizeof(seq1)); + } + if (alternateCDSHA256.size() != 0) { + // xina fix; + SEQUENCE_hash_sha256 seq256; + memcpy((void *)seq256.hash, (void *)alternateCDSHA256.data(), alternateCDSHA256.size()); + X509_ATTRIBUTE_set1_data(attribute, V_ASN1_SEQUENCE, &seq256, sizeof(seq256)); + } STACK_OF(X509_ATTRIBUTE) *sk = PKCS7_get_signed_attributes(info); if (!sk_X509_ATTRIBUTE_push(sk, attribute)) { @@ -1938,8 +1942,8 @@ class HashBuffer : sha1_ = EVP_MD_CTX_new(); sha256_ = EVP_MD_CTX_new(); - EVP_DigestInit_ex2(sha1_, EVP_get_digestbyname("sha1"), nullptr); - EVP_DigestInit_ex2(sha256_, EVP_get_digestbyname("sha256"), nullptr); + EVP_DigestInit_ex(sha1_, EVP_get_digestbyname("sha1"), nullptr); + EVP_DigestInit_ex(sha256_, EVP_get_digestbyname("sha256"), nullptr); } ~HashBuffer() { @@ -3539,6 +3543,10 @@ int main(int argc, char *argv[]) { } if (flag_h) { + char *buf = _syscall(realpath(file.c_str(), NULL)); + printf("Executable=%s\n", buf); + free(buf); + auto algorithms(GetAlgorithms()); uint32_t data = mach_header.Swap(signature->dataoff); @@ -3552,9 +3560,11 @@ int main(int argc, char *argv[]) { size_t size_; Algorithm &algorithm_; std::string hash_; + uint32_t offset; }; std::map candidates; + uint32_t cmsBegin = 0, cmsEnd = 0; for (size_t index(0); index != Swap(super->count); ++index) { auto type(Swap(super->index[index].type)); @@ -3567,7 +3577,10 @@ int main(int argc, char *argv[]) { auto &algorithm(*algorithms[type - 1]); uint8_t hash[algorithm.size_]; algorithm(hash, blob + begin, end - begin); - candidates.insert({type, {directory, end - begin, algorithm, Hex(hash, 20)}}); + candidates.insert({type, {directory, end - begin, algorithm, Hex(hash, 20), begin}}); + } else if (type == CSSLOT_SIGNATURESLOT) { + cmsBegin = Swap(super->index[index].offset); + cmsEnd = index + 1 == Swap(super->count) ? Swap(super->blob.length) : Swap(super->index[index + 1].offset); } } @@ -3578,6 +3591,8 @@ int main(int argc, char *argv[]) { const auto directory(best->second.directory_); const auto flags(Swap(directory->flags)); + printf("Identifier=%s\n", blob + best->second.offset + Swap(directory->identOffset)); + std::string names; if (flags & kSecCodeSignatureHost) names += ",host"; @@ -3612,6 +3627,53 @@ int main(int argc, char *argv[]) { printf("Hash choices=%s\n", choices.c_str() + 1); printf("CDHash=%s\n", best->second.hash_.c_str()); + + if (cmsBegin != 0 && cmsEnd != 0) { + // This loads the CMS blob and parses each X509 cert in the blob to extract the + // common name and print it as "Authority=%s" + Buffer bio(reinterpret_cast(blob) + cmsBegin + sizeof(Blob), cmsEnd - cmsBegin); + PKCS7 *p7 = NULL; + if ((p7 = d2i_PKCS7_bio(bio, NULL)) == NULL) { + // In order to follow codesign, we just ignore errors + printf("Authority=(unavailable)\n"); + PKCS7_free(p7); + continue; + } + STACK_OF(X509) *certs = NULL; + switch (OBJ_obj2nid(p7->type)) { + case NID_pkcs7_signed: + if (p7->d.sign != NULL) + certs = p7->d.sign->cert; + break; + case NID_pkcs7_signedAndEnveloped: + if (p7->d.signed_and_enveloped != NULL) + certs = p7->d.signed_and_enveloped->cert; + break; + default: + break; + } + if (certs != NULL) { + X509 *x; + for (int i = 0; i < sk_X509_num(certs); i++) { + x = sk_X509_value(certs, i); + int lastpos = -1; + X509_NAME *nm = X509_get_subject_name(x); + X509_NAME_ENTRY *e; + + for (;;) { + lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); + if (lastpos == -1) + break; + e = X509_NAME_get_entry(nm, lastpos); + ASN1_STRING *s = X509_NAME_ENTRY_get_data(e); + printf("Authority=%s\n", reinterpret_cast(ASN1_STRING_get0_data(s))); + } + } + } else { + printf("Authority=(unavailable)\n"); + } + PKCS7_free(p7); + } } }