From 296fd38eaec86c17bf93de6343b4c1c98b630ec5 Mon Sep 17 00:00:00 2001 From: "Jay Freeman (saurik)" Date: Sun, 31 Dec 2017 02:08:59 -0800 Subject: Let the user set values for CS flags and platform. --- ldid.cpp | 58 +++++++++++++++++++++++++++++++++++++++++++++++++--------- ldid.hpp | 2 +- 2 files changed, 50 insertions(+), 10 deletions(-) diff --git a/ldid.cpp b/ldid.cpp index 1f9287c..6a16aa8 100644 --- a/ldid.cpp +++ b/ldid.cpp @@ -885,7 +885,7 @@ struct CodeDirectory { uint32_t codeLimit; uint8_t hashSize; uint8_t hashType; - uint8_t spare1; + uint8_t platform; uint8_t pageSize; uint32_t spare2; uint32_t scatterOffset; @@ -894,6 +894,17 @@ struct CodeDirectory { //uint64_t codeLimit64; } _packed; +enum CodeSignatureFlags { + kSecCodeSignatureHost = 0x0001, + kSecCodeSignatureAdhoc = 0x0002, + kSecCodeSignatureForceHard = 0x0100, + kSecCodeSignatureForceKill = 0x0200, + kSecCodeSignatureForceExpiration = 0x0400, + kSecCodeSignatureRestrict = 0x0800, + kSecCodeSignatureEnforcement = 0x1000, + kSecCodeSignatureLibraryValidation = 0x2000, +}; + enum Kind : uint32_t { exprForm = 1, // prefix expr form }; @@ -1769,7 +1780,7 @@ static void req(std::streambuf &buffer, uint8_t (&&data)[Size_]) { put(buffer, zeros, 3 - (Size_ + 3) % 4); } -Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::string &identifier, const std::string &entitlements, const std::string &requirements, const std::string &key, const Slots &slots, const Progress &progress) { +Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::string &identifier, const std::string &entitlements, const std::string &requirements, const std::string &key, const Slots &slots, uint32_t flags, bool platform, const Progress &progress) { Hash hash; @@ -1906,13 +1917,13 @@ Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::st CodeDirectory directory; directory.version = Swap(uint32_t(0x00020200)); - directory.flags = Swap(uint32_t(0)); + directory.flags = Swap(uint32_t(flags)); directory.nSpecialSlots = Swap(special); directory.codeLimit = Swap(uint32_t(limit)); directory.nCodeSlots = Swap(normal); directory.hashSize = algorithm.size_; directory.hashType = algorithm.type_; - directory.spare1 = 0x00; + directory.platform = platform ? 0x01 : 0x00; directory.pageSize = PageShift_; directory.spare2 = Swap(uint32_t(0)); directory.scatterOffset = Swap(uint32_t(0)); @@ -2384,7 +2395,7 @@ struct RuleCode { }; #ifndef LDID_NOPLIST -static Hash Sign(const uint8_t *prefix, size_t size, std::streambuf &buffer, Hash &hash, std::streambuf &save, const std::string &identifier, const std::string &entitlements, const std::string &requirements, const std::string &key, const Slots &slots, size_t length, const Progress &progress) { +static Hash Sign(const uint8_t *prefix, size_t size, std::streambuf &buffer, Hash &hash, std::streambuf &save, const std::string &identifier, const std::string &entitlements, const std::string &requirements, const std::string &key, const Slots &slots, size_t length, uint32_t flags, bool platform, const Progress &progress) { // XXX: this is a miserable fail std::stringbuf temp; put(temp, prefix, size); @@ -2394,7 +2405,7 @@ static Hash Sign(const uint8_t *prefix, size_t size, std::streambuf &buffer, Has auto data(temp.str()); HashProxy proxy(hash, save); - return Sign(data.data(), data.size(), proxy, identifier, entitlements, requirements, key, slots, progress); + return Sign(data.data(), data.size(), proxy, identifier, entitlements, requirements, key, slots, flags, platform, percent); } Bundle Sign(const std::string &root, Folder &folder, const std::string &key, std::map &remote, const std::string &requirements, const Functor &alter, const Progress &progress) { @@ -2538,7 +2549,7 @@ Bundle Sign(const std::string &root, Folder &folder, const std::string &key, std case MH_CIGAM: case MH_CIGAM_64: folder.Save(name, true, flag, fun([&](std::streambuf &save) { Slots slots; - Sign(header.bytes, size, data, hash, save, identifier, "", "", key, slots, length, Progression(progress, root + name)); + Sign(header.bytes, size, data, hash, save, identifier, "", "", key, slots, length, 0, false, Progression(progress, root + name)); })); return; } @@ -2667,7 +2678,7 @@ Bundle Sign(const std::string &root, Folder &folder, const std::string &key, std Slots slots; slots[1] = local.at(info); slots[3] = local.at(signature); - bundle.hash = Sign(NULL, 0, buffer, local[executable], save, identifier, entitlements, requirements, key, slots, length, Progression(progress, root + executable)); + bundle.hash = Sign(NULL, 0, buffer, local[executable], save, identifier, entitlements, requirements, key, slots, length, 0, false, Progression(progress, root + executable)); })); })); @@ -2717,6 +2728,9 @@ int main(int argc, char *argv[]) { bool flag_u(false); + uint32_t flags(0); + bool platform(false); + uint32_t flag_CPUType(_not(uint32_t)); uint32_t flag_CPUSubtype(_not(uint32_t)); @@ -2793,6 +2807,32 @@ int main(int argc, char *argv[]) { } break; + case 'C': { + const char *name = argv[argi] + 2; + if (false); + else if (strcmp(name, "host") == 0) + flags |= kSecCodeSignatureHost; + else if (strcmp(name, "adhoc") == 0) + flags |= kSecCodeSignatureAdhoc; + else if (strcmp(name, "hard") == 0) + flags |= kSecCodeSignatureForceHard; + else if (strcmp(name, "kill") == 0) + flags |= kSecCodeSignatureForceKill; + else if (strcmp(name, "expires") == 0) + flags |= kSecCodeSignatureForceExpiration; + else if (strcmp(name, "restrict") == 0) + flags |= kSecCodeSignatureRestrict; + else if (strcmp(name, "enforcement") == 0) + flags |= kSecCodeSignatureEnforcement; + else if (strcmp(name, "library-validation") == 0) + flags |= kSecCodeSignatureLibraryValidation; + else _assert(false); + } break; + + case 'P': + platform = true; + break; + case 's': _assert(!flag_r); _assert(!flag_S); @@ -2873,7 +2913,7 @@ int main(int argc, char *argv[]) { ldid::Unsign(input.data(), input.size(), output, dummy_); else { std::string identifier(flag_I ?: split.base.c_str()); - ldid::Sign(input.data(), input.size(), output, identifier, entitlements, requirements, key, slots, dummy_); + ldid::Sign(input.data(), input.size(), output, identifier, entitlements, requirements, key, slots, flags, platform, dummy_); } Commit(path, temp); diff --git a/ldid.hpp b/ldid.hpp index 8b7c76e..503ebc5 100644 --- a/ldid.hpp +++ b/ldid.hpp @@ -157,7 +157,7 @@ Bundle Sign(const std::string &root, Folder &folder, const std::string &key, con typedef std::map Slots; -Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::string &identifier, const std::string &entitlements, const std::string &requirements, const std::string &key, const Slots &slots, const Progress &progress); +Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::string &identifier, const std::string &entitlements, const std::string &requirements, const std::string &key, const Slots &slots, uint32_t flags, bool platform, const Progress &progress); } -- cgit v1.2.3-56-ge451