From 69b0ced15a9d290c893ae47f27acb069f927472d Mon Sep 17 00:00:00 2001 From: Cameron Katri Date: Thu, 14 Jul 2022 23:38:36 -0400 Subject: Add Authority to ldid -h This will not list in the same order as codesign -dvvv and will not always show (unavailable) when codesign -dvvv does, but it is good enough. --- ldid.cpp | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) diff --git a/ldid.cpp b/ldid.cpp index f439dac..5e4ded2 100644 --- a/ldid.cpp +++ b/ldid.cpp @@ -1716,7 +1716,7 @@ class Buffer { Buffer() { if (i2d_PKCS7_bio(bio_, pkcs) == 0){ - fprintf(stderr, "ldid: An error occured while getting the PKCS12 file: %s\n", ERR_error_string(ERR_get_error(), NULL)); + fprintf(stderr, "ldid: An error occured while getting the PKCS7 file: %s\n", ERR_error_string(ERR_get_error(), NULL)); exit(1); } } @@ -3564,6 +3564,7 @@ int main(int argc, char *argv[]) { }; std::map candidates; + uint32_t cmsBegin = 0, cmsEnd = 0; for (size_t index(0); index != Swap(super->count); ++index) { auto type(Swap(super->index[index].type)); @@ -3577,6 +3578,9 @@ int main(int argc, char *argv[]) { uint8_t hash[algorithm.size_]; algorithm(hash, blob + begin, end - begin); candidates.insert({type, {directory, end - begin, algorithm, Hex(hash, 20), begin}}); + } else if (type == CSSLOT_SIGNATURESLOT) { + cmsBegin = Swap(super->index[index].offset); + cmsEnd = index + 1 == Swap(super->count) ? Swap(super->blob.length) : Swap(super->index[index + 1].offset); } } @@ -3623,6 +3627,53 @@ int main(int argc, char *argv[]) { printf("Hash choices=%s\n", choices.c_str() + 1); printf("CDHash=%s\n", best->second.hash_.c_str()); + + if (cmsBegin != 0 && cmsEnd != 0) { + // This loads the CMS blob and parses each X509 cert in the blob to extract the + // common name and print it as "Authority=%s" + Buffer bio(reinterpret_cast(blob) + cmsBegin + sizeof(Blob), cmsEnd - cmsBegin); + PKCS7 *p7 = NULL; + if ((p7 = d2i_PKCS7_bio(bio, NULL)) == NULL) { + // In order to follow codesign, we just ignore errors + printf("Authority=(unavailable)\n"); + PKCS7_free(p7); + continue; + } + STACK_OF(X509) *certs = NULL; + switch (OBJ_obj2nid(p7->type)) { + case NID_pkcs7_signed: + if (p7->d.sign != NULL) + certs = p7->d.sign->cert; + break; + case NID_pkcs7_signedAndEnveloped: + if (p7->d.signed_and_enveloped != NULL) + certs = p7->d.signed_and_enveloped->cert; + break; + default: + break; + } + if (certs != NULL) { + X509 *x; + for (int i = 0; i < sk_X509_num(certs); i++) { + x = sk_X509_value(certs, i); + int lastpos = -1; + X509_NAME *nm = X509_get_subject_name(x); + X509_NAME_ENTRY *e; + + for (;;) { + lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); + if (lastpos == -1) + break; + e = X509_NAME_get_entry(nm, lastpos); + ASN1_STRING *s = X509_NAME_ENTRY_get_data(e); + printf("Authority=%s\n", reinterpret_cast(ASN1_STRING_get0_data(s))); + } + } + } else { + printf("Authority=(unavailable)\n"); + } + PKCS7_free(p7); + } } } -- cgit v1.2.3-56-ge451