{
// make sure the rep passes strict validation
if (strict)
- rep->strictValidate(NULL, MacOSErrorSet(), flags);
+ rep->strictValidate(NULL, MacOSErrorSet(), flags | (kSecCSQuickCheck|kSecCSRestrictSidebandData));
// initialize progress/cancellation state
code->prepareProgress(0); // totally fake workload - we don't know how many files we'll encounter
identifier = state.mIdentifierPrefix + identifier;
if (identifier.find('.') == string::npos && isAdhoc())
identifier = identifier + "-" + uniqueName();
- secdebug("signer", "using default identifier=%s", identifier.c_str());
+ secinfo("signer", "using default identifier=%s", identifier.c_str());
} else
- secdebug("signer", "using explicit identifier=%s", identifier.c_str());
+ secinfo("signer", "using explicit identifier=%s", identifier.c_str());
teamID = state.mTeamID;
if (teamID.empty() && (inherit & kSecCodeSignerPreserveTeamIdentifier)) {
bool haveCdFlags = false;
if (!haveCdFlags && state.mCdFlagsGiven) {
cdFlags = state.mCdFlags;
- secdebug("signer", "using explicit cdFlags=0x%x", cdFlags);
+ secinfo("signer", "using explicit cdFlags=0x%x", cdFlags);
haveCdFlags = true;
}
if (!haveCdFlags) {
if (CFTypeRef csflags = CFDictionaryGetValue(infoDict, CFSTR("CSFlags"))) {
if (CFGetTypeID(csflags) == CFNumberGetTypeID()) {
cdFlags = cfNumber<uint32_t>(CFNumberRef(csflags));
- secdebug("signer", "using numeric cdFlags=0x%x from Info.plist", cdFlags);
+ secinfo("signer", "using numeric cdFlags=0x%x from Info.plist", cdFlags);
} else if (CFGetTypeID(csflags) == CFStringGetTypeID()) {
cdFlags = cdTextFlags(cfString(CFStringRef(csflags)));
- secdebug("signer", "using text cdFlags=0x%x from Info.plist", cdFlags);
+ secinfo("signer", "using text cdFlags=0x%x from Info.plist", cdFlags);
} else
MacOSError::throwMe(errSecCSBadDictionaryFormat);
haveCdFlags = true;
}
if (!haveCdFlags && (inherit & kSecCodeSignerPreserveFlags)) {
cdFlags = code->codeDirectory(false)->flags & ~kSecCodeSignatureAdhoc;
- secdebug("signer", "using inherited cdFlags=0x%x", cdFlags);
+ secinfo("signer", "using inherited cdFlags=0x%x", cdFlags);
haveCdFlags = true;
}
if (!haveCdFlags)
}
// screen and set the signing time
- CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
if (state.mSigningTime == CFDateRef(kCFNull)) {
- signingTime = 0; // no time at all
+ emitSigningTime = false; // no time at all
} else if (!state.mSigningTime) {
- signingTime = now; // default
+ emitSigningTime = true;
+ signingTime = 0; // wall clock, established later
} else {
CFAbsoluteTime time = CFDateGetAbsoluteTime(state.mSigningTime);
- if (time > now) // not allowed to post-date a signature
+ if (time > CFAbsoluteTimeGetCurrent()) // not allowed to post-date a signature
MacOSError::throwMe(errSecCSBadDictionaryFormat);
+ emitSigningTime = true;
signingTime = time;
}
{
typedef ResourceBuilder::Rule Rule;
- secdebug("codesign", "start building resource directory");
+ secinfo("codesign", "start building resource directory");
__block CFRef<CFMutableDictionaryRef> result = makeCFMutableDictionary();
CFDictionaryRef rules = cfget<CFDictionaryRef>(rulesDict, "rules");
target[len] = '\0';
seal.take(cfmake<CFMutableDictionaryRef>("{symlink=%s}", target));
} else {
- seal.take(resources.hashFile(accpath.c_str(), digestAlgorithms()));
+ seal.take(resources.hashFile(accpath.c_str(), digestAlgorithms(), signingFlags() & kSecCSSignStrictPreflight));
}
if (ruleFlags & ResourceBuilder::optional)
CFDictionaryAddValue(seal, CFSTR("optional"), kCFBooleanTrue);
hash.take(resources.hashFile(ent->fts_accpath, kSecCodeSignatureHashSHA1));
if (ruleFlags == 0) { // default case - plain hash
cfadd(files, "{%s=%O}", relpath.c_str(), hash.get());
- secdebug("csresource", "%s added simple (rule %p)", relpath.c_str(), rule);
+ secinfo("csresource", "%s added simple (rule %p)", relpath.c_str(), rule);
} else { // more complicated - use a sub-dictionary
cfadd(files, "{%s={hash=%O,optional=%B}}",
relpath.c_str(), hash.get(), ruleFlags & ResourceBuilder::optional);
- secdebug("csresource", "%s added complex (rule %p)", relpath.c_str(), rule);
+ secinfo("csresource", "%s added complex (rule %p)", relpath.c_str(), rule);
}
}
});
if (signingFlags() & kSecCSSignNestedCode)
this->state.sign(code, signingFlags());
std::string dr = Dumper::dump(code->designatedRequirement());
- return cfmake<CFMutableDictionaryRef>("{requirement=%s,cdhash=%O}",
- Dumper::dump(code->designatedRequirement()).c_str(),
- code->cdHash());
+ if (CFDataRef hash = code->cdHash())
+ return cfmake<CFMutableDictionaryRef>("{requirement=%s,cdhash=%O}",
+ Dumper::dump(code->designatedRequirement()).c_str(),
+ hash);
+ MacOSError::throwMe(errSecCSUnsigned);
} catch (const CommonError &err) {
CSError::throwMe(err.osStatus(), kSecCFErrorPath, CFTempURL(relpath, false, this->code->resourceBase()));
}
void SecCodeSigner::Signer::signMachO(Universal *fat, const Requirement::Context &context)
{
// Mach-O executable at the core - perform multi-architecture signing
+ RefPointer<DiskRep::Writer> writer = rep->writer();
auto_ptr<ArchEditor> editor(state.mDetached
? static_cast<ArchEditor *>(new BlobEditor(*fat, *this))
- : new MachOEditor(rep->writer(), *fat, this->digestAlgorithms(), rep->mainExecutablePath()));
+ : new MachOEditor(writer, *fat, this->digestAlgorithms(), rep->mainExecutablePath()));
assert(editor->count() > 0);
if (!editor->attribute(writerNoGlobal)) // can store architecture-common components
populate(*editor);
MacOSError::throwMe(errSecCSBadLVArch);
}
}
-
+
+ bool mainBinary = arch.source.get()->type() == MH_EXECUTE;
+
arch.ireqs(requirements, rep->defaultRequirements(&arch.architecture, *this), context);
if (editor->attribute(writerNoGlobal)) // can't store globally, add per-arch
populate(arch);
for (auto type = digestAlgorithms().begin(); type != digestAlgorithms().end(); ++type) {
arch.eachDigest(^(CodeDirectory::Builder& builder) {
populate(builder, arch, arch.ireqs,
- arch.source->offset(), arch.source->signingExtent(), unsigned(digestAlgorithms().size()-1));
+ arch.source->offset(), arch.source->signingExtent(),
+ mainBinary, rep->execSegBase(&(arch.architecture)), rep->execSegLimit(&(arch.architecture)),
+ unsigned(digestAlgorithms().size()-1));
});
}
}
// done: write edit copy back over the original
- if (!state.mDryRun)
+ if (!state.mDryRun) {
editor->commit();
+ }
}
(new DetachedBlobWriter(*this)) : rep->writer();
CodeDirectorySet cdSet;
+
for (auto type = digestAlgorithms().begin(); type != digestAlgorithms().end(); ++type) {
CodeDirectory::Builder builder(*type);
InternalRequirements ireqs;
ireqs(requirements, rep->defaultRequirements(NULL, *this), context);
populate(*writer);
- populate(builder, *writer, ireqs, rep->signingBase(), rep->signingLimit(), unsigned(digestAlgorithms().size()-1));
+ populate(builder, *writer, ireqs, rep->signingBase(), rep->signingLimit(),
+ false, // only machOs can currently be main binaries
+ rep->execSegBase(NULL), rep->execSegLimit(NULL),
+ unsigned(digestAlgorithms().size()-1));
CodeDirectory *cd = builder.build();
if (!state.mDryRun)
}
// write out all CodeDirectories
- cdSet.populate(writer);
- writer->flush();
+ if (!state.mDryRun)
+ cdSet.populate(writer);
CFRef<CFArrayRef> hashes = cdSet.hashBag();
CFTemp<CFDictionaryRef> hashDict("{cdhashes=%O}", hashes.get());
CFRef<CFDataRef> hashBag = makeCFData(hashDict.get());
CFRef<CFDataRef> signature = signCodeDirectory(cdSet.primary(), hashBag);
writer->signature(signature);
+
+ // commit to storage
+ writer->flush();
}
// for the purposes of this call.
//
void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer,
- InternalRequirements &ireqs, size_t offset, size_t length, unsigned alternateDigestCount)
+ InternalRequirements &ireqs, size_t offset, size_t length,
+ bool mainBinary, size_t execSegBase, size_t execSegLimit,
+ unsigned alternateDigestCount)
{
// fill the CodeDirectory
builder.executable(rep->mainExecutablePath(), pagesize, offset, length);
builder.identifier(identifier);
builder.teamID(teamID);
builder.platform(state.mPlatform);
+ builder.execSeg(execSegBase, execSegLimit, mainBinary ? kSecCodeExecSegMainBinary : 0);
if (CFRef<CFDataRef> data = rep->component(cdInfoSlot))
builder.specialSlot(cdInfoSlot, data);
if (entitlements) {
writer.component(cdEntitlementSlot, entitlements);
builder.specialSlot(cdEntitlementSlot, entitlements);
+
+ if (mainBinary) {
+ builder.addExecSegFlags(entitlementsToExecSegFlags(entitlements));
+ }
}
if (CFRef<CFDataRef> repSpecific = rep->component(cdRepSpecificSlot))
builder.specialSlot(cdRepSpecificSlot, repSpecific);
writer.addDiscretionary(builder);
- if ((signingFlags() & (kSecCSSignOpaque|kSecCSSignV1)) == 0) {
+#if 0 // rdar://problem/25720754
+ if ((signingFlags() & (kSecCSSignOpaque|kSecCSSignV1)) == 0 && builder.hashType() != kSecCodeSignatureHashSHA1) {
// calculate sorted list of top SuperBlob keys in this EmbeddedSignatureBlob (if any)
// (but not for opaque or V1 construction, which must remain bit-for-bit compatible)
std::vector<Endian<uint32_t> > slotVector;
writer.component(cdTopDirectorySlot, cfSlotVector);
builder.specialSlot(cdTopDirectorySlot, cfSlotVector);
}
+#endif
}
CMSEncoderSetSignerAlgorithm(cms, kCMSEncoderDigestAlgorithmSHA256);
MacOSError::check(CMSEncoderSetHasDetachedContent(cms, true));
- if (signingTime) {
+ if (emitSigningTime) {
MacOSError::check(CMSEncoderAddSignedAttributes(cms, kCMSAttrSigningTime));
- MacOSError::check(CMSEncoderSetSigningTime(cms, signingTime));
+ CFAbsoluteTime time = signingTime ? signingTime : CFAbsoluteTimeGetCurrent();
+ MacOSError::check(CMSEncoderSetSigningTime(cms, time));
}
if (hashBag) {
return result;
}
+bool SecCodeSigner::Signer::booleanEntitlement(CFDictionaryRef entDict, CFStringRef key) {
+ CFBooleanRef entValue = (CFBooleanRef)CFDictionaryGetValue(entDict, key);
+
+ if (entValue == NULL || CFGetTypeID(entValue) != CFBooleanGetTypeID()) {
+ return false;
+ }
+
+ return CFBooleanGetValue(entValue);
+}
+
+uint64_t SecCodeSigner::Signer::entitlementsToExecSegFlags(CFDataRef entitlements)
+{
+ if (!entitlements) {
+ return 0;
+ }
+
+ const EntitlementBlob *blob = reinterpret_cast<const EntitlementBlob *>(CFDataGetBytePtr(entitlements));
+
+ if (blob == NULL || !blob->validateBlob(CFDataGetLength(entitlements))) {
+ return 0;
+ }
+
+ try {
+ CFRef<CFDictionaryRef> entDict = blob->entitlements();
+
+ uint64_t flags = 0;
+
+ flags |= booleanEntitlement(entDict, CFSTR("get-task-allow")) ? kSecCodeExecSegAllowUnsigned : 0;
+ flags |= booleanEntitlement(entDict, CFSTR("run-unsigned-code")) ? kSecCodeExecSegAllowUnsigned : 0;
+ flags |= booleanEntitlement(entDict, CFSTR("com.apple.private.cs.debugger")) ? kSecCodeExecSegDebugger : 0;
+ flags |= booleanEntitlement(entDict, CFSTR("dynamic-codesigning")) ? kSecCodeExecSegJit : 0;
+ flags |= booleanEntitlement(entDict, CFSTR("com.apple.private.skip-library-validation")) ? kSecCodeExecSegSkipLibraryVal : 0;
+ flags |= booleanEntitlement(entDict, CFSTR("com.apple.private.amfi.can-load-cdhash")) ? kSecCodeExecSegCanLoadCdHash : 0;
+ flags |= booleanEntitlement(entDict, CFSTR("com.apple.private.amfi.can-execute-cdhash")) ? kSecCodeExecSegCanExecCdHash : 0;
+
+ return flags;
+
+ } catch (const CommonError &err) {
+ // Not fatal.
+ secwarning("failed to parse entitlements: %s", err.what());
+ return 0;
+ }
+}
} // end namespace CodeSigning
} // end namespace Security
projects / apple / security.git / blobdiff