--- /dev/null
+
+#include "codesign.h"
+
+#include <stdint.h>
+#include <stdio.h>
+#include <arpa/inet.h>
+#include <assert.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <mach-o/loader.h>
+#include <mach-o/fat.h>
+#include <CommonCrypto/CommonDigest.h>
+
+#define DEBUG_ASSERT_PRODUCTION_CODE 0
+#include <AssertMacros.h>
+
+/*
+ * Magic numbers used by Code Signing
+ */
+enum {
+ CSMAGIC_REQUIREMENT = 0xfade0c00, /* single Requirement blob */
+ CSMAGIC_REQUIREMENTS = 0xfade0c01, /* Requirements vector (internal requirements) */
+ CSMAGIC_CODEDIRECTORY = 0xfade0c02, /* CodeDirectory blob */
+ CSMAGIC_EMBEDDED_SIGNATURE = 0xfade0cc0, /* embedded form of signature data */
+ CSMAGIC_DETACHED_SIGNATURE = 0xfade0cc1, /* multi-arch collection of embedded signatures */
+
+ CSSLOT_CODEDIRECTORY = 0, /* slot index for CodeDirectory */
+};
+
+
+/*
+ * Structure of an embedded-signature SuperBlob
+ */
+typedef struct __BlobIndex {
+ uint32_t type; /* type of entry */
+ uint32_t offset; /* offset of entry */
+} CS_BlobIndex;
+
+typedef struct __SuperBlob {
+ uint32_t magic; /* magic number */
+ uint32_t length; /* total length of SuperBlob */
+ uint32_t count; /* number of index entries following */
+ CS_BlobIndex index[]; /* (count) entries */
+ /* followed by Blobs in no particular order as indicated by offsets in index */
+} CS_SuperBlob;
+
+
+/*
+ * C form of a CodeDirectory.
+ */
+typedef struct __CodeDirectory {
+ uint32_t magic; /* magic number (CSMAGIC_CODEDIRECTORY) */
+ uint32_t length; /* total length of CodeDirectory blob */
+ uint32_t version; /* compatibility version */
+ uint32_t flags; /* setup and mode flags */
+ uint32_t hashOffset; /* offset of hash slot element at index zero */
+ uint32_t identOffset; /* offset of identifier string */
+ uint32_t nSpecialSlots; /* number of special hash slots */
+ uint32_t nCodeSlots; /* number of ordinary (code) hash slots */
+ uint32_t codeLimit; /* limit to main image signature range */
+ uint8_t hashSize; /* size of each hash in bytes */
+ uint8_t hashType; /* type of hash (cdHashType* constants) */
+ uint8_t spare1; /* unused (must be zero) */
+ uint8_t pageSize; /* log2(page size in bytes); 0 => infinite */
+ uint32_t spare2; /* unused (must be zero) */
+ /* followed by dynamic content as located by offset fields above */
+} CS_CodeDirectory;
+
+
+ //assert(page < ntohl(cd->nCodeSlots));
+ //return base + ntohl(cd->hashOffset) + page * 20;
+
+
+static CFMutableDictionaryRef lc_code_sig(uint8_t *lc_code_signature, size_t lc_code_signature_len)
+{
+ CFDataRef codedir = NULL;
+ CFDataRef message = NULL;
+ CFMutableDictionaryRef code_signature =
+ CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ require(code_signature, out);
+
+ CS_SuperBlob *sb = (CS_SuperBlob*)lc_code_signature;
+ require(ntohl(sb->magic) == CSMAGIC_EMBEDDED_SIGNATURE, out);
+ uint32_t count;
+ for (count = 0; count < ntohl(sb->count); count++) {
+ //uint32_t type = ntohl(sb->index[count].type);
+ uint32_t offset = ntohl(sb->index[count].offset);
+ uint8_t *bytes = lc_code_signature + offset;
+ //fprintf(stderr, "blob[%d]: (type: 0x%.08x, offset: %p)\n", count, type, (void*)offset);
+ uint32_t magic = ntohl(*(uint32_t*)bytes);
+ uint32_t length = ntohl(*(uint32_t*)(bytes+4));
+ //fprintf(stderr, " magic: 0x%.08x length: %d\n", magic, length);
+ switch(magic) {
+ case 0xfade0c01: //write_data("requirements", bytes, length);
+ break;
+ case 0xfade0c02: //write_data("codedir", bytes, length);
+ codedir = CFDataCreate(kCFAllocatorDefault, bytes, length);
+ require(codedir, out);
+ CFDictionarySetValue(code_signature, CFSTR("CodeDirectory"), codedir);
+ CFRelease(codedir);
+ uint8_t *cursor = bytes;
+ require_string(htonl(*(uint32_t*)(cursor+8)) >= 0x20001, out, "incompatible version");
+ require_string(htonl(*(uint32_t*)(cursor+8)) <= 0x2F000, out, "incompatible version");
+ uint32_t hash_offset = htonl(*(uint32_t*)(cursor+16));
+ require_string(htonl(*(uint32_t*)(cursor+24)) >= 5, out, "no entitlements slot yet");
+ require_string(*(cursor+36) == 20, out, "unexpected hash size");
+ require_string(*(cursor+37) == 1, out, "unexpected hash type");
+ message = CFDataCreate(kCFAllocatorDefault, cursor+hash_offset-5*20, 20);
+ require(message, out);
+ CFDictionarySetValue(code_signature, CFSTR("EntitlementsCDHash"), message);
+ CFRelease(message);
+ break;
+ case 0xfade0b01: //write_data("signed", lc_code_signature, bytes-lc_code_signature);
+ if (length == 8) {
+ fprintf(stderr, "Ad-hoc signed binary\n");
+ goto out;
+ } else {
+ message = CFDataCreate(kCFAllocatorDefault, bytes+8, length-8);
+ require(message, out);
+ CFDictionarySetValue(code_signature, CFSTR("SignedData"), message);
+ CFRelease(message);
+ }
+ break;
+ case 0xfade7171:
+ {
+ unsigned char digest[CC_SHA1_DIGEST_LENGTH];
+ CCDigest(kCCDigestSHA1, bytes, length, digest);
+ message = CFDataCreate(kCFAllocatorDefault, digest, sizeof(digest));
+ require(message, out);
+ CFDictionarySetValue(code_signature, CFSTR("EntitlementsHash"), message);
+ CFRelease(message);
+ message = CFDataCreate(kCFAllocatorDefault, bytes+8, length-8);
+ require(message, out);
+ CFDictionarySetValue(code_signature, CFSTR("Entitlements"), message);
+ CFRelease(message);
+ break;
+ }
+ default:
+ fprintf(stderr, "Skipping block with magic: 0x%x\n", magic);
+ break;
+ }
+ }
+ return code_signature;
+out:
+ if (code_signature) CFRelease(code_signature);
+ return NULL;
+}
+
+#if 1
+static FILE *
+open_bundle(const char * path, const char * mode)
+{
+ char full_path[1024] = {};
+ CFStringRef path_cfstring = NULL;
+ CFURLRef path_url = NULL;
+ CFBundleRef bundle = NULL;
+
+ path_cfstring = CFStringCreateWithFileSystemRepresentation(kCFAllocatorDefault, path);
+ require(path_cfstring, out);
+ path_url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, path_cfstring, kCFURLPOSIXPathStyle, true);
+ require(path_url, out);
+ bundle = CFBundleCreate(kCFAllocatorDefault, path_url);
+ require(bundle, out);
+ CFURLRef exec = CFBundleCopyExecutableURL(bundle);
+ require(exec, out);
+ require(CFURLGetFileSystemRepresentation(exec, true, (uint8_t*)full_path, sizeof(full_path)), out);
+out:
+ if (path_cfstring) CFRelease(path_cfstring);
+ if (path_url) CFRelease(path_url);
+ if (bundle) CFRelease(bundle);
+
+ return fopen(full_path, "r");
+}
+#else
+static FILE *
+open_bundle(const char *path, const char *mode)
+{
+ char full_path[1024] = {};
+ const char *slash;
+ char *dot;
+ slash = rindex(path, '/');
+ if (!slash) slash = path;
+ require(strlcpy(full_path, path, sizeof(full_path)) < sizeof(full_path), out);
+ require(strlcat(full_path, "/", sizeof(full_path)), out);
+ require(strlcat(full_path, slash, sizeof(full_path)), out);
+ require(dot = rindex(full_path, '.'), out);
+ *dot = '\0';
+ return fopen(full_path, "r");
+out:
+ return NULL;
+}
+#endif
+
+CFMutableDictionaryRef load_code_signature(FILE *binary, size_t slice_offset)
+{
+ bool signature_found = false;
+ CFMutableDictionaryRef result = NULL;
+ union {
+ struct load_command lc;
+ struct linkedit_data_command le_lc;
+ } cmd;
+ do {
+ require(1 == fread(&cmd.lc, sizeof(cmd.lc), 1, binary), out);
+ if (cmd.lc.cmd == LC_CODE_SIGNATURE) {
+ require(1 == fread((uint8_t *)&cmd.lc + sizeof(cmd.lc), sizeof(cmd.le_lc) - sizeof(cmd.lc), 1, binary), out);
+ require_noerr(fseek(binary, slice_offset+cmd.le_lc.dataoff, SEEK_SET), out);
+ size_t length = cmd.le_lc.datasize;
+ uint8_t *data = malloc(length);
+ require(length && data, out);
+ require(1 == fread(data, length, 1, binary), out);
+ signature_found = true;
+ result = lc_code_sig(data, length);
+ free(data);
+ break;
+ }
+ require_noerr(fseek(binary, cmd.lc.cmdsize-sizeof(cmd.lc), SEEK_CUR), out);
+ } while(cmd.lc.cmd || cmd.lc.cmdsize); /* count lc */
+out:
+ if (!signature_found)
+ fprintf(stderr, "No LC_CODE_SIGNATURE segment found\n");
+ return result;
+}
+
+CFArrayRef load_code_signatures(const char *path)
+{
+ bool fully_parsed_binary = false;
+ CFMutableDictionaryRef result = NULL;
+ CFMutableArrayRef results = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+
+ FILE *binary = open_bundle(path, "r");
+ require(binary, out);
+
+ struct mach_header header;
+ require(1 == fread(&header, sizeof(header), 1, binary), out);
+ if (header.magic == 0xfeedface) {
+ result = load_code_signature(binary, 0 /*non fat*/);
+ require(result, out);
+ CFArrayAppendValue(results, result);
+ }
+ else
+ {
+ struct fat_header fat;
+ require(!fseek(binary, 0L, SEEK_SET), out);
+ require(1 == fread(&fat, sizeof(fat), 1, binary), out);
+ require(htonl(fat.magic) == FAT_MAGIC, out);
+ uint32_t slice, slices = htonl(fat.nfat_arch);
+ struct fat_arch *archs = calloc(slices, sizeof(struct fat_arch));
+ require(slices == fread(archs, sizeof(struct fat_arch), slices, binary), out);
+ for (slice = 0; slice < slices; slice++) {
+ uint32_t slice_offset = htonl(archs[slice].offset);
+ require(!fseek(binary, slice_offset, SEEK_SET), out);
+ require(1 == fread(&header, sizeof(header), 1, binary), out);
+ require(header.magic == 0xfeedface, out);
+ result = load_code_signature(binary, slice_offset);
+ require(result, out);
+ CFArrayAppendValue(results, result);
+ CFRelease(result);
+ }
+ }
+ fully_parsed_binary = true;
+out:
+ if (!fully_parsed_binary) {
+ if (results) {
+ CFRelease(results);
+ results = NULL;
+ }
+ }
+ if (binary)
+ fclose(binary);
+ return results;
+}
projects / apple / security.git / blobdiff