Documentation
¶
Index ¶
- Constants
- Variables
- func ParseRequirements(r *bytes.Reader, reqs Requirements) (string, error)
- type Blob
- type BlobHeader
- type BlobIndex
- type CDFlag
- type CdCodeLimit64
- type CdEarliest
- type CdExecSeg
- type CdLinkage
- type CdRuntime
- type CdScatter
- type CdTeamID
- type CodeDirectory
- type CodeDirectoryType
- type CodeSlot
- type Entitlement
- type LaunchContraints
- type Magic
- type Requirement
- type RequirementType
- type Requirements
- type RequirementsBlob
- type SbHeader
- type Scatter
- type SlotType
- type SpecialSlot
- type SuperBlob
Constants ¶
View Source
const ( /* * Currently only to support Legacy VPN plugins, and Mac App Store * but intended to replace all the various platform code, dev code etc. bits. */ CS_SIGNER_TYPE_UNKNOWN = 0 CS_SIGNER_TYPE_LEGACYVPN = 5 CS_SIGNER_TYPE_MAC_APP_STORE = 6 CS_SUPPL_SIGNER_TYPE_UNKNOWN = 0 CS_SUPPL_SIGNER_TYPE_TRUSTCACHE = 7 CS_SUPPL_SIGNER_TYPE_LOCAL = 8 CS_SIGNER_TYPE_OOPJIT = 9 /* Validation categories used for trusted launch environment */ CS_VALIDATION_CATEGORY_INVALID = 0 CS_VALIDATION_CATEGORY_PLATFORM = 1 CS_VALIDATION_CATEGORY_TESTFLIGHT = 2 CS_VALIDATION_CATEGORY_DEVELOPMENT = 3 CS_VALIDATION_CATEGORY_APP_STORE = 4 CS_VALIDATION_CATEGORY_ENTERPRISE = 5 CS_VALIDATION_CATEGORY_DEVELOPER_ID = 6 CS_VALIDATION_CATEGORY_LOCAL_SIGNING = 7 CS_VALIDATION_CATEGORY_ROSETTA = 8 CS_VALIDATION_CATEGORY_OOPJIT = 9 CS_VALIDATION_CATEGORY_NONE = 10 /* The set of application types we support for linkage signatures */ CS_LINKAGE_APPLICATION_INVALID = 0 CS_LINKAGE_APPLICATION_ROSETTA = 1 /* XOJIT has been renamed to OOP-JIT */ CS_LINKAGE_APPLICATION_XOJIT = 2 CS_LINKAGE_APPLICATION_OOPJIT = 2 /* * For backwards compatibility with older signatures, the AOT sub-type is kept * as 0. */ CS_LINKAGE_APPLICATION_ROSETTA_AOT = 0 /* OOP-JIT sub-types -- XOJIT type kept for external dependencies */ CS_LINKAGE_APPLICATION_XOJIT_PREVIEWS = 1 CS_LINKAGE_APPLICATION_OOPJIT_INVALID = 0 CS_LINKAGE_APPLICATION_OOPJIT_PREVIEWS = 1 CS_LINKAGE_APPLICATION_OOPJIT_MLCOMPILER = 2 CSTYPE_INDEX_REQUIREMENTS = 0x00000002 /* compat with amfi */ CSTYPE_INDEX_ENTITLEMENTS = 0x00000005 /* compat with amfi */ )
View Source
const ( /* * Defined launch types */ CS_LAUNCH_TYPE_NONE = 0 CS_LAUNCH_TYPE_SYSTEM_SERVICE = 1 )
View Source
const ( PAGE_SIZE_BITS = 12 PAGE_SIZE = 1 << PAGE_SIZE_BITS HASHTYPE_NOHASH hashType = 0 HASHTYPE_SHA1 hashType = 1 HASHTYPE_SHA256 hashType = 2 HASHTYPE_SHA256_TRUNCATED hashType = 3 HASHTYPE_SHA384 hashType = 4 HASHTYPE_SHA512 hashType = 5 HASH_SIZE_SHA1 = 20 HASH_SIZE_SHA256 = 32 HASH_SIZE_SHA256_TRUNCATED = 20 CDHASH_LEN = 20 /* always - larger hashes are truncated */ HASH_MAX_SIZE = 48 /* max size of the hash we'll support */ )
View Source
const ( EARLIEST_VERSION cdVersion = 0x20001 SUPPORTS_SCATTER cdVersion = 0x20100 SUPPORTS_TEAMID cdVersion = 0x20200 SUPPORTS_CODELIMIT64 cdVersion = 0x20300 SUPPORTS_EXECSEG cdVersion = 0x20400 SUPPORTS_RUNTIME cdVersion = 0x20500 SUPPORTS_LINKAGE cdVersion = 0x20600 COMPATIBILITY_LIMIT cdVersion = 0x2F000 // "version 3 with wiggle room" )
View Source
const ( EXECSEG_MAIN_BINARY execSegFlag = 0x01 /* executable segment denotes main binary */ EXECSEG_ALLOW_UNSIGNED execSegFlag = 0x10 /* allow unsigned pages (for debugging) */ EXECSEG_DEBUGGER execSegFlag = 0x20 /* main binary is debugger */ EXECSEG_JIT execSegFlag = 0x40 /* JIT enabled */ EXECSEG_SKIP_LV execSegFlag = 0x80 /* OBSOLETE: skip library validation */ EXECSEG_CAN_LOAD_CDHASH execSegFlag = 0x100 /* can bless cdhash for execution */ EXECSEG_CAN_EXEC_CDHASH execSegFlag = 0x200 /* can execute blessed cdhash */ )
executable segment flags
View Source
const ( // A signature with a nonzero platform identifier value, when endorsed as originated by Apple, // identifies code as belonging to a particular operating system deliverable set. Some system // components restrict functionality to platform binaries. The actual values are arbitrary. NON_PLATFORM_BINARY cdPlatform = 0 )
Variables ¶
View Source
var ( EmptySha256Slot = bytes.Repeat([]byte{0}, sha256.New().Size()) EmptySha256ReqSlot = []byte{ 0x98, 0x79, 0x20, 0x90, 0x4E, 0xAB, 0x65, 0x0E, 0x75, 0x78, 0x8C, 0x05, 0x4A, 0xA0, 0xB0, 0x52, 0x4E, 0x6A, 0x80, 0xBF, 0xC7, 0x1A, 0xA3, 0x2D, 0xF8, 0xD2, 0x37, 0xA6, 0x17, 0x43, 0xF9, 0x86, } )
View Source
var NULL_PAGE_SHA256_HASH = []byte{
0xad, 0x7f, 0xac, 0xb2, 0x58, 0x6f, 0xc6, 0xe9,
0x66, 0xc0, 0x04, 0xd7, 0xd1, 0xd1, 0x6b, 0x02,
0x4f, 0x58, 0x05, 0xff, 0x7c, 0xb4, 0x7c, 0x7a,
0x85, 0xda, 0xbd, 0x8b, 0x48, 0x89, 0x2c, 0xa7,
}
Functions ¶
func ParseRequirements ¶
func ParseRequirements(r *bytes.Reader, reqs Requirements) (string, error)
ParseRequirements parses the requirements set bytes
Types ¶
type Blob ¶
type Blob struct {
BlobHeader
Data []byte // (length - sizeof(blob_header)) bytes
}
Blob object
func CreateRequirements ¶
func CreateRequirements(id string, certs []*x509.Certificate) (Blob, error)
CreateRequirements creates a requirements set cs blob NOTE: /usr/bin/csreq -r="identifier com.foo.test" -t (to test it out)
func (Blob) Sha256Hash ¶
type BlobHeader ¶
type BlobIndex ¶
type BlobIndex struct {
Type SlotType `json:"type,omitempty"` // type of entry
Offset uint32 `json:"offset,omitempty"` // offset of entry
}
BlobIndex object
type CDFlag ¶
type CDFlag uint32
const ( /* code signing attributes of a process */ NONE CDFlag = 0x00000000 /* no flags */ VALID CDFlag = 0x00000001 /* dynamically valid */ ADHOC CDFlag = 0x00000002 /* ad hoc signed */ GET_TASK_ALLOW CDFlag = 0x00000004 /* has get-task-allow entitlement */ INSTALLER CDFlag = 0x00000008 /* has installer entitlement */ FORCED_LV CDFlag = 0x00000010 /* Library Validation required by Hardened System Policy */ INVALID_ALLOWED CDFlag = 0x00000020 /* (macOS Only) Page invalidation allowed by task port policy */ HARD CDFlag = 0x00000100 /* don't load invalid pages */ KILL CDFlag = 0x00000200 /* kill process if it becomes invalid */ CHECK_EXPIRATION CDFlag = 0x00000400 /* force expiration checking */ RESTRICT CDFlag = 0x00000800 /* tell dyld to treat restricted */ ENFORCEMENT CDFlag = 0x00001000 /* require enforcement */ REQUIRE_LV CDFlag = 0x00002000 /* require library validation */ ENTITLEMENTS_VALIDATED CDFlag = 0x00004000 /* code signature permits restricted entitlements */ NVRAM_UNRESTRICTED CDFlag = 0x00008000 /* has com.apple.rootless.restricted-nvram-variables.heritable entitlement */ RUNTIME CDFlag = 0x00010000 /* Apply hardened runtime policies */ LINKER_SIGNED CDFlag = 0x20000 // type property ALLOWED_MACHO CDFlag = (ADHOC | HARD | KILL | CHECK_EXPIRATION | RESTRICT | ENFORCEMENT | REQUIRE_LV | RUNTIME) EXEC_SET_HARD CDFlag = 0x00100000 /* set HARD on any exec'ed process */ EXEC_SET_KILL CDFlag = 0x00200000 /* set KILL on any exec'ed process */ EXEC_SET_ENFORCEMENT CDFlag = 0x00400000 /* set ENFORCEMENT on any exec'ed process */ EXEC_INHERIT_SIP CDFlag = 0x00800000 /* set INSTALLER on any exec'ed process */ KILLED CDFlag = 0x01000000 /* was killed by kernel for invalidity */ DYLD_PLATFORM CDFlag = 0x02000000 /* dyld used to load this is a platform binary */ PLATFORM_BINARY CDFlag = 0x04000000 /* this is a platform binary */ PLATFORM_PATH CDFlag = 0x08000000 /* platform binary by the fact of path (osx only) */ DEBUGGED CDFlag = 0x10000000 /* process is currently or has previously been debugged and allowed to run with invalid pages */ SIGNED CDFlag = 0x20000000 /* process has a signature (may have gone invalid) */ DEV_CODE CDFlag = 0x40000000 /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */ DATAVAULT_CONTROLLER CDFlag = 0x80000000 /* has Data Vault controller entitlement */ ENTITLEMENT_FLAGS CDFlag = (GET_TASK_ALLOW | INSTALLER | DATAVAULT_CONTROLLER | NVRAM_UNRESTRICTED) )
type CdCodeLimit64 ¶
type CdCodeLimit64 struct {
CodeLimit64 uint64 `json:"code_limit_64,omitempty"` /* limit to main image signature range, 64 bits */
// contains filtered or unexported fields
}
type CdEarliest ¶
type CdEarliest struct {
Version cdVersion `json:"version,omitempty"` // compatibility version
Flags CDFlag `json:"flags,omitempty"` // setup and mode flags
HashOffset uint32 `json:"hash_offset,omitempty"` // offset of hash slot element at index zero
IdentOffset uint32 `json:"ident_offset,omitempty"` // offset of identifier string
NSpecialSlots uint32 `json:"n_special_slots,omitempty"` // number of special hash slots
NCodeSlots uint32 `json:"n_code_slots,omitempty"` // number of ordinary (code) hash slots
CodeLimit uint32 `json:"code_limit,omitempty"` // limit to main image signature range
HashSize uint8 `json:"hash_size,omitempty"` // size of each hash in bytes
HashType hashType `json:"hash_type,omitempty"` // type of hash (cdHashType* constants)
Platform cdPlatform `json:"platform,omitempty"` // platform identifier zero if not platform binary
PageSize uint8 `json:"page_size,omitempty"` // log2(page size in bytes) 0 => infinite
// contains filtered or unexported fields
}
type CdExecSeg ¶
type CdExecSeg struct {
/* Version 0x20400 */
ExecSegBase uint64 `json:"exec_seg_base,omitempty"` /* offset of executable segment */
ExecSegLimit uint64 `json:"exec_seg_limit,omitempty"` /* limit of executable segment */
ExecSegFlags execSegFlag `json:"exec_seg_flags,omitempty"` /* exec segment flags */
}
type CdLinkage ¶
type CdLinkage struct {
/* Version 0x20600 */
LinkageHashType uint8 `json:"linkage_hash_type,omitempty"`
LinkageApplicationType uint8 `json:"linkage_application_type,omitempty"`
LinkageApplicationSubType uint16 `json:"linkage_application_sub_type,omitempty"`
LinkageOffset uint32 `json:"linkage_offset,omitempty"`
LinkageSize uint32 `json:"linkage_size,omitempty"`
}
type CdScatter ¶
type CdScatter struct {
/* Version 0x20100 */
ScatterOffset uint32 `json:"scatter_offset,omitempty"` /* offset of optional scatter vector */
}
type CdTeamID ¶
type CdTeamID struct {
/* Version 0x20200 */
TeamOffset uint32 `json:"team_offset,omitempty"` /* offset of optional team identifier */
}
type CodeDirectory ¶
type CodeDirectory struct {
BlobHeader
ID string `json:"id,omitempty"`
TeamID string `json:"team_id,omitempty"`
Scatter Scatter `json:"scatter,omitempty"`
CDHash string `json:"cd_hash,omitempty"`
SpecialSlots []SpecialSlot `json:"special_slots,omitempty"`
CodeSlots []CodeSlot `json:"code_slots,omitempty"`
Header CodeDirectoryType `json:"header,omitempty"`
RuntimeVersion string `json:"runtime_version,omitempty"`
CodeLimit uint64 `json:"code_limit,omitempty"`
PreEncryptSlots [][]byte `json:"pre_encrypt_slots,omitempty"`
LinkageData []byte `json:"linkage_data,omitempty"`
}
CodeDirectory object
type CodeDirectoryType ¶
type CodeDirectoryType struct {
CdEarliest
CdScatter
CdTeamID
CdCodeLimit64
CdExecSeg
CdRuntime
CdLinkage
}
CodeDirectoryType header
type Entitlement ¶
type Entitlement struct {
Raw asn1.RawContent
Operation int64
Value asn1.RawValue
}
type LaunchContraints ¶
type LaunchContraints struct {
Count int64 `json:"appl"`
CCAT int64 `json:"ccat"`
COMP int64 `json:"comp"`
Requirements map[string]any `json:"reqs"`
Version int64 `json:"vers"`
}
LaunchContraints is the ASN.1 DER structure for launch constraints
func ParseLaunchContraints ¶
func ParseLaunchContraints(data []byte) (*LaunchContraints, error)
ParseLaunchContraints parses the launch constraint bytes
type Magic ¶
type Magic uint32
const ( // Magic numbers used by Code Signing MAGIC_REQUIREMENT Magic = 0xfade0c00 // single Requirement blob MAGIC_REQUIREMENTS Magic = 0xfade0c01 // Requirements vector (internal requirements) MAGIC_CODEDIRECTORY Magic = 0xfade0c02 // CodeDirectory blob MAGIC_EMBEDDED_SIGNATURE Magic = 0xfade0cc0 // embedded form of signature data MAGIC_EMBEDDED_SIGNATURE_OLD Magic = 0xfade0b02 /* XXX */ MAGIC_LIBRARY_DEPENDENCY_BLOB Magic = 0xfade0c05 MAGIC_EMBEDDED_ENTITLEMENTS Magic = 0xfade7171 /* embedded entitlements */ MAGIC_EMBEDDED_ENTITLEMENTS_DER Magic = 0xfade7172 /* embedded entitlements */ MAGIC_DETACHED_SIGNATURE Magic = 0xfade0cc1 // multi-arch collection of embedded signatures MAGIC_BLOBWRAPPER Magic = 0xfade0b01 // used for the cms blob MAGIC_EMBEDDED_LAUNCH_CONSTRAINT Magic = 0xfade8181 // Light weight code requirement )
type Requirement ¶
type Requirement struct {
RequirementsBlob
Requirements
Detail string `json:"detail,omitempty"`
}
Requirement object
type RequirementType ¶
type RequirementType uint32
const ( HostRequirementType RequirementType = 1 /* what hosts may run us */ GuestRequirementType RequirementType = 2 /* what guests we may run */ DesignatedRequirementType RequirementType = 3 /* designated requirement */ LibraryRequirementType RequirementType = 4 /* what libraries we may link against */ PluginRequirementType RequirementType = 5 /* what plug-ins we may load */ )
func (RequirementType) String ¶
func (cm RequirementType) String() string
type Requirements ¶
type Requirements struct {
Type RequirementType `json:"type,omitempty"` // type of entry
Offset uint32 `json:"offset,omitempty"` // offset of entry
}
Requirements object
type RequirementsBlob ¶
type RequirementsBlob struct {
Magic Magic `json:"magic,omitempty"` // magic number
Length uint32 `json:"length,omitempty"` // total length of blob
Data uint32 `json:"data,omitempty"` // zero for dyld shared cache
}
RequirementsBlob object
type Scatter ¶
type Scatter struct {
Count uint32 `json:"count,omitempty"` // number of pages zero for sentinel (only)
Base uint32 `json:"base,omitempty"` // first page number
TargetOffset uint64 `json:"target_offset,omitempty"` // byte offset in target
// contains filtered or unexported fields
}
Scatter object
type SlotType ¶
type SlotType uint32
const ( CSSLOT_CODEDIRECTORY SlotType = 0 CSSLOT_INFOSLOT SlotType = 1 // Info.plist CSSLOT_REQUIREMENTS SlotType = 2 // internal requirements CSSLOT_RESOURCEDIR SlotType = 3 // resource directory CSSLOT_APPLICATION SlotType = 4 // Application specific slot/Top-level directory list CSSLOT_ENTITLEMENTS SlotType = 5 // embedded entitlement configuration CSSLOT_REP_SPECIFIC SlotType = 6 // for use by disk images CSSLOT_ENTITLEMENTS_DER SlotType = 7 // DER representation of entitlements plist CSSLOT_LAUNCH_CONSTRAINT_SELF SlotType = 8 CSSLOT_LAUNCH_CONSTRAINT_PARENT SlotType = 9 CSSLOT_LAUNCH_CONSTRAINT_RESPONSIBLE SlotType = 10 CSSLOT_LIBRARY_CONSTRAINT SlotType = 11 CSSLOT_ALTERNATE_CODEDIRECTORIES SlotType = 0x1000 // Used for expressing a code directory using an alternate digest type. CSSLOT_ALTERNATE_CODEDIRECTORIES1 SlotType = 0x1001 // Used for expressing a code directory using an alternate digest type. CSSLOT_ALTERNATE_CODEDIRECTORIES2 SlotType = 0x1002 // Used for expressing a code directory using an alternate digest type. CSSLOT_ALTERNATE_CODEDIRECTORIES3 SlotType = 0x1003 // Used for expressing a code directory using an alternate digest type. CSSLOT_ALTERNATE_CODEDIRECTORIES4 SlotType = 0x1004 // Used for expressing a code directory using an alternate digest type. CSSLOT_ALTERNATE_CODEDIRECTORY_MAX = 5 CSSLOT_ALTERNATE_CODEDIRECTORY_LIMIT = CSSLOT_ALTERNATE_CODEDIRECTORIES + CSSLOT_ALTERNATE_CODEDIRECTORY_MAX CSSLOT_CMS_SIGNATURE SlotType = 0x10000 // CMS signature CSSLOT_IDENTIFICATIONSLOT SlotType = 0x10001 // identification blob; used for detached signature CSSLOT_TICKETSLOT SlotType = 0x10002 // Notarization ticket )
type SpecialSlot ¶
Source Files
Click to show internal directories.
Click to hide internal directories.