- Constants
- Variables
- func ParseRequirements(r *bytes.Reader, reqs Requirements) (string, error)
- type Blob
- type BlobIndex
- type CodeDirectory
- type CodeDirectoryType
- type CodeSignature
- type CodeSlot
- type Requirement
- type RequirementType
- type Requirements
- type RequirementsBlob
- type Scatter
- type SlotType
- type SpecialSlot
- type SuperBlob
Constants ¶
// Hash-related constants for a CodeDirectory.
//
// HASHTYPE_* values are what CodeDirectoryType.HashType carries; HASH_SIZE_*
// are the digest lengths in bytes for the corresponding algorithms.
const (
	PAGE_SIZE = 4096 // default page granularity used when hashing code pages

	HASHTYPE_NOHASH           hashType = 0
	HASHTYPE_SHA1             hashType = 1
	HASHTYPE_SHA256           hashType = 2
	HASHTYPE_SHA256_TRUNCATED hashType = 3
	HASHTYPE_SHA384           hashType = 4
	HASHTYPE_SHA512           hashType = 5

	HASH_SIZE_SHA1             = 20
	HASH_SIZE_SHA256           = 32
	HASH_SIZE_SHA256_TRUNCATED = 20

	CDHASH_LEN = 20 /* always - larger hashes are truncated */
	// NOTE(review): a SHA-512 digest is 64 bytes, which is larger than
	// HASH_MAX_SIZE; a parser should reject a header whose HashSize exceeds
	// HASH_MAX_SIZE rather than trust the value from the file.
	HASH_MAX_SIZE = 48 /* max size of the hash we'll support */
)
// CodeDirectory format versions.
//
// Each value marks the version at which the correspondingly named group of
// CodeDirectoryType fields (ScatterOffset, TeamOffset, CodeLimit64, ExecSeg*)
// was introduced; fields past the EndWith* marker for a given version are
// only meaningful when CodeDirectoryType.Version is at least that value.
const (
	SUPPORTS_SCATTER     cdVersion = 0x20100
	SUPPORTS_TEAMID      cdVersion = 0x20200
	SUPPORTS_CODELIMIT64 cdVersion = 0x20300
	SUPPORTS_EXECSEG     cdVersion = 0x20400
	SUPPORTS_RUNTIME     cdVersion = 0x20500
	SUPPORTS_LINKAGE     cdVersion = 0x20600
)
// Code-signing flags (cdFlag) as carried in CodeDirectoryType.Flags and as
// reported for a running process. Individual bits are documented inline;
// ALLOWED_MACHO and ENTITLEMENT_FLAGS are convenience masks over them.
const ( /* code signing attributes of a process */
	NONE                   cdFlag = 0x00000000 /* no flags */
	VALID                  cdFlag = 0x00000001 /* dynamically valid */
	ADHOC                  cdFlag = 0x00000002 /* ad hoc signed */
	GET_TASK_ALLOW         cdFlag = 0x00000004 /* has get-task-allow entitlement */
	INSTALLER              cdFlag = 0x00000008 /* has installer entitlement */
	FORCED_LV              cdFlag = 0x00000010 /* Library Validation required by Hardened System Policy */
	INVALID_ALLOWED        cdFlag = 0x00000020 /* (macOS Only) Page invalidation allowed by task port policy */
	HARD                   cdFlag = 0x00000100 /* don't load invalid pages */
	KILL                   cdFlag = 0x00000200 /* kill process if it becomes invalid */
	CHECK_EXPIRATION       cdFlag = 0x00000400 /* force expiration checking */
	RESTRICT               cdFlag = 0x00000800 /* tell dyld to treat restricted */
	ENFORCEMENT            cdFlag = 0x00001000 /* require enforcement */
	REQUIRE_LV             cdFlag = 0x00002000 /* require library validation */
	ENTITLEMENTS_VALIDATED cdFlag = 0x00004000 /* code signature permits restricted entitlements */
	NVRAM_UNRESTRICTED     cdFlag = 0x00008000 /* has com.apple.rootless.restricted-nvram-variables.heritable entitlement */
	RUNTIME                cdFlag = 0x00010000 /* Apply hardened runtime policies */

	// ALLOWED_MACHO is the mask of flags that appear in a binary's own
	// CodeDirectory (presumably mirroring the kernel's CS_ALLOWED_MACHO mask —
	// confirm against cs_blobs.h before relying on it for policy decisions).
	ALLOWED_MACHO cdFlag = (ADHOC | HARD | KILL | CHECK_EXPIRATION | RESTRICT | ENFORCEMENT | REQUIRE_LV | RUNTIME)

	EXEC_SET_HARD        cdFlag = 0x00100000 /* set HARD on any exec'ed process */
	EXEC_SET_KILL        cdFlag = 0x00200000 /* set KILL on any exec'ed process */
	EXEC_SET_ENFORCEMENT cdFlag = 0x00400000 /* set ENFORCEMENT on any exec'ed process */
	EXEC_INHERIT_SIP     cdFlag = 0x00800000 /* set INSTALLER on any exec'ed process */
	KILLED               cdFlag = 0x01000000 /* was killed by kernel for invalidity */
	DYLD_PLATFORM        cdFlag = 0x02000000 /* dyld used to load this is a platform binary */
	PLATFORM_BINARY      cdFlag = 0x04000000 /* this is a platform binary */
	PLATFORM_PATH        cdFlag = 0x08000000 /* platform binary by the fact of path (osx only) */
	DEBUGGED             cdFlag = 0x10000000 /* process is currently or has previously been debugged and allowed to run with invalid pages */
	SIGNED               cdFlag = 0x20000000 /* process has a signature (may have gone invalid) */
	DEV_CODE             cdFlag = 0x40000000 /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */
	DATAVAULT_CONTROLLER cdFlag = 0x80000000 /* has Data Vault controller entitlement */

	// ENTITLEMENT_FLAGS groups the bits that are derived from entitlements
	// rather than from the signature format itself.
	ENTITLEMENT_FLAGS cdFlag = (GET_TASK_ALLOW | INSTALLER | DATAVAULT_CONTROLLER | NVRAM_UNRESTRICTED)
)
// Executable segment flags (execSegFlag), carried in
// CodeDirectoryType.ExecSegFlags for directories of Version >= SUPPORTS_EXECSEG.
const (
	EXECSEG_MAIN_BINARY     execSegFlag = 0x1   /* executable segment denotes main binary */
	EXECSEG_ALLOW_UNSIGNED  execSegFlag = 0x10  /* allow unsigned pages (for debugging) */
	EXECSEG_DEBUGGER        execSegFlag = 0x20  /* main binary is debugger */
	EXECSEG_JIT             execSegFlag = 0x40  /* JIT enabled */
	EXECSEG_SKIP_LV         execSegFlag = 0x80  /* OBSOLETE: skip library validation */
	EXECSEG_CAN_LOAD_CDHASH execSegFlag = 0x100 /* can bless cdhash for execution */
	EXECSEG_CAN_EXEC_CDHASH execSegFlag = 0x200 /* can execute blessed cdhash */
)
executable segment flags
// Requirement kinds, as stored in Requirements.Type.
//
// NOTE(review): only HostRequirementType carries an explicit RequirementType
// type here; the remaining four are untyped integer constants, so comparing
// them against a RequirementType relies on Go's implicit conversion of
// untyped constants. Typing all of them uniformly would be clearer.
const (
	HostRequirementType       RequirementType = 1 /* what hosts may run us */
	GuestRequirementType                      = 2 /* what guests we may run */
	DesignatedRequirementType                 = 3 /* designated requirement */
	LibraryRequirementType                    = 4 /* what libraries we may link against */
	PluginRequirementType                     = 5 /* what plug-ins we may load */
)
// Magic numbers used by Code Signing. Each blob (Blob, RequirementsBlob,
// CodeDirectoryType, ...) starts with one of these; a parser should check the
// magic before interpreting the rest of the blob.
const (
	MAGIC_REQUIREMENT               magic = 0xfade0c00 // single Requirement blob
	MAGIC_REQUIREMENTS              magic = 0xfade0c01 // Requirements vector (internal requirements)
	MAGIC_CODEDIRECTORY             magic = 0xfade0c02 // CodeDirectory blob
	MAGIC_EMBEDDED_SIGNATURE        magic = 0xfade0cc0 // embedded form of signature data
	MAGIC_EMBEDDED_SIGNATURE_OLD    magic = 0xfade0b02 /* XXX */
	MAGIC_LIBRARY_DEPENDENCY_BLOB   magic = 0xfade0c05
	MAGIC_EMBEDDED_ENTITLEMENTS     magic = 0xfade7171 /* embedded entitlements */
	MAGIC_EMBEDDED_ENTITLEMENTS_DER magic = 0xfade7172 /* embedded entitlements (DER form) */
	MAGIC_DETACHED_SIGNATURE        magic = 0xfade0cc1 // multi-arch collection of embedded signatures
	MAGIC_BLOBWRAPPER               magic = 0xfade0b01 // used for the cms blob
)
// Signer-type and slot-index constants.
//
// The CS_SIGNER_TYPE_* and CS_SUPPL_SIGNER_TYPE_* values classify who signed a
// blob; CSTYPE_INDEX_* are slot indices kept for compatibility with amfi.
const (
	/*
	 * Currently only to support Legacy VPN plugins, and Mac App Store
	 * but intended to replace all the various platform code, dev code etc. bits.
	 */
	CS_SIGNER_TYPE_UNKNOWN       = 0
	CS_SIGNER_TYPE_LEGACYVPN     = 5
	CS_SIGNER_TYPE_MAC_APP_STORE = 6

	CS_SUPPL_SIGNER_TYPE_UNKNOWN    = 0
	CS_SUPPL_SIGNER_TYPE_TRUSTCACHE = 7
	CS_SUPPL_SIGNER_TYPE_LOCAL      = 8

	CSTYPE_INDEX_REQUIREMENTS = 0x00000002 /* compat with amfi */
	CSTYPE_INDEX_ENTITLEMENTS = 0x00000005 /* compat with amfi */
)
Variables ¶
// NULL_PAGE_SHA256_HASH is a 32-byte SHA-256 digest (HASH_SIZE_SHA256 bytes).
// Presumably the hash of an all-zero PAGE_SIZE page, used to recognise
// unpopulated code slots — confirm against the parser that compares to it.
var NULL_PAGE_SHA256_HASH = []byte{0xad, 0x7f, 0xac, 0xb2, 0x58, 0x6f, 0xc6, 0xe9, 0x66, 0xc0, 0x04, 0xd7, 0xd1, 0xd1, 0x6b, 0x02, 0x4f, 0x58, 0x05, 0xff, 0x7c, 0xb4, 0x7c, 0x7a, 0x85, 0xda, 0xbd, 0x8b, 0x48, 0x89, 0x2c, 0xa7}
Functions ¶
func ParseRequirements ¶
func ParseRequirements(r *bytes.Reader, reqs Requirements) (string, error)
ParseRequirements parses the requirements set bytes.
Types ¶
type Blob ¶
// Blob is the generic header that starts a code-signing blob: a magic number
// identifying the blob kind, followed by its total length.
//
// Length comes from the file being parsed; bounds-check it against the
// enclosing buffer before slicing by it.
type Blob struct {
	Magic  magic  // magic number
	Length uint32 // total length of blob
}
Blob object
type CodeDirectory ¶
// CodeDirectory is the parsed, high-level view of one code directory: the
// raw header plus the identifier, team and hash slots resolved from it.
type CodeDirectory struct {
	ID           string            // identifier string (located via Header.IdentOffset)
	TeamID       string            // team identifier (located via Header.TeamOffset; may be empty)
	CDHash       string            // hash of this code directory — string encoding not shown here, TODO confirm (hex?)
	SpecialSlots []SpecialSlot     // the Header.NSpecialSlots special hash slots
	CodeSlots    []CodeSlot        // the Header.NCodeSlots per-page code hash slots
	Header       CodeDirectoryType // raw on-disk header
}
CodeDirectory object
type CodeDirectoryType ¶ added in v1.0.19
// CodeDirectoryType is the on-disk CodeDirectory header.
//
// The zero-length EndWith* fields are layout markers only: everything after a
// marker exists in the blob only when Version is at least the cdVersion named
// in that marker's comment (see the SUPPORTS_* constants). Every offset and
// count below is attacker-controlled input when parsing an untrusted binary;
// check that HashSize does not exceed HASH_MAX_SIZE and that
// HashOffset/IdentOffset/TeamOffset/ScatterOffset and the slot ranges fall
// inside Length before dereferencing them.
type CodeDirectoryType struct {
	Magic         magic     // magic number (CSMAGIC_CODEDIRECTORY)
	Length        uint32    // total length of CodeDirectory blob
	Version       cdVersion // compatibility version
	Flags         cdFlag    // setup and mode flags
	HashOffset    uint32    // offset of hash slot element at index zero
	IdentOffset   uint32    // offset of identifier string
	NSpecialSlots uint32    // number of special hash slots
	NCodeSlots    uint32    // number of ordinary (code) hash slots
	CodeLimit     uint32    // limit to main image signature range
	HashSize      uint8     // size of each hash in bytes
	HashType      hashType  // type of hash (cdHashType* constants)
	Platform      uint8     // platform identifier zero if not platform binary
	PageSize      uint8     // log2(page size in bytes) 0 => infinite
	Spare2        uint32    // unused (must be zero)

	EndEarliest [0]uint8 /* Version 0x20100 */

	ScatterOffset uint32 /* offset of optional scatter vector */

	EndWithScatter [0]uint8 /* Version 0x20200 */

	TeamOffset uint32 /* offset of optional team identifier */

	EndWithTeam [0]uint8 /* Version 0x20300 */

	Spare3      uint32 /* unused (must be zero) */
	CodeLimit64 uint64 /* limit to main image signature range, 64 bits */

	EndWithCodeLimit64 [0]uint8 /* Version 0x20400 */

	ExecSegBase  uint64      /* offset of executable segment */
	ExecSegLimit uint64      /* limit of executable segment */
	ExecSegFlags execSegFlag /* exec segment flags */

	EndWithExecSeg [0]uint8
}
CodeDirectoryType header
type CodeSignature ¶
// CodeSignature is the high-level result of parsing a code signature
// super blob: its code directories, requirements, CMS signature and
// entitlements.
type CodeSignature struct {
	CodeDirectories []CodeDirectory // primary directory plus any alternates (see CSSLOT_ALTERNATE_CODEDIRECTORIES)
	Requirements    []Requirement   // internal requirements
	CMSSignature    []byte          // raw CMS signature bytes (MAGIC_BLOBWRAPPER)
	Entitlements    string          // entitlements blob as text (MAGIC_EMBEDDED_ENTITLEMENTS) — presumably plist XML, confirm
	EntitlementsDER []byte          // DER-encoded entitlements (MAGIC_EMBEDDED_ENTITLEMENTS_DER)
}
CodeSignature highlevel object
type Requirement ¶
// Requirement is one parsed requirement: its human-readable form plus the
// entry it was read from.
//
// NOTE(review): the field is named RequirementsBlob but its type is
// Requirements (a Type/Offset entry), not the RequirementsBlob header type;
// the name is easy to misread.
type Requirement struct {
	Detail           string       // requirement rendered as text (produced by ParseRequirements)
	RequirementsBlob Requirements // the Type/Offset entry this requirement came from
}
Requirement object
type RequirementType ¶
// RequirementType identifies which kind of requirement a Requirements entry
// holds; see HostRequirementType and the related constants.
type RequirementType uint32
func (RequirementType) GoString ¶
func (cm RequirementType) GoString() string
func (RequirementType) String ¶
func (cm RequirementType) String() string
type Requirements ¶
// Requirements is one entry of the requirements vector: the requirement kind
// and the offset at which its data lives. Offset is file-supplied and should
// be bounds-checked before use.
type Requirements struct {
	Type   RequirementType // type of entry
	Offset uint32          // offset of entry
}
Requirements object
type RequirementsBlob ¶
// RequirementsBlob is the header of a requirements blob
// (MAGIC_REQUIREMENT / MAGIC_REQUIREMENTS).
type RequirementsBlob struct {
	Magic  magic  // magic number
	Length uint32 // total length of blob
	Data   uint32 // zero for dyld shared cache
}
RequirementsBlob object
type Scatter ¶
// Scatter is one element of the optional scatter vector located via
// CodeDirectoryType.ScatterOffset. A Count of zero marks the sentinel
// (terminating) element.
type Scatter struct {
	Count        uint32 // number of pages zero for sentinel (only)
	Base         uint32 // first page number
	TargetOffset uint64 // byte offset in target
	Spare        uint64 // reserved (must be zero)
}
Scatter object
type SlotType ¶ added in v1.0.19
// SlotType identifies a slot in the signature super blob; see the CSSLOT_*
// constants.
type SlotType uint32
// Slot identifiers. Values below 0x1000 are special slots hashed into the
// CodeDirectory; 0x1000+ addresses alternate code directories; 0x10000+ are
// the CMS signature, identification and ticket slots.
const (
	CSSLOT_CODEDIRECTORY    SlotType = 0
	CSSLOT_INFOSLOT         SlotType = 1 // Info.plist
	CSSLOT_REQUIREMENTS     SlotType = 2 // internal requirements
	CSSLOT_RESOURCEDIR      SlotType = 3 // resource directory
	CSSLOT_APPLICATION      SlotType = 4 // Application specific slot/Top-level directory list
	CSSLOT_ENTITLEMENTS     SlotType = 5 // embedded entitlement configuration
	CSSLOT_REP_SPECIFIC     SlotType = 6 // for use by disk rep
	CSSLOT_ENTITLEMENTS_DER SlotType = 7 // DER representation of entitlements

	CSSLOT_ALTERNATE_CODEDIRECTORIES SlotType = 0x1000
	// CSSLOT_ALTERNATE_CODEDIRECTORY_MAX is an untyped constant so it can be
	// added to the SlotType base below; at most this many alternates exist.
	CSSLOT_ALTERNATE_CODEDIRECTORY_MAX   = 5
	CSSLOT_ALTERNATE_CODEDIRECTORY_LIMIT = CSSLOT_ALTERNATE_CODEDIRECTORIES + CSSLOT_ALTERNATE_CODEDIRECTORY_MAX

	CSSLOT_CMS_SIGNATURE      SlotType = 0x10000
	CSSLOT_IDENTIFICATIONSLOT SlotType = 0x10001
	CSSLOT_TICKETSLOT         SlotType = 0x10002
)
type SpecialSlot ¶ added in v1.0.19