types

package
Published: Nov 15, 2024 License: MIT Imports: 10 Imported by: 0


Constants

const (
	/*
	 * Currently only to support Legacy VPN plugins, and Mac App Store
	 * but intended to replace all the various platform code, dev code etc. bits.
	 */
	// Signer types. These are untyped constants, unlike the CDFlag, Magic
	// and SlotType constants elsewhere in this package.
	CS_SIGNER_TYPE_UNKNOWN       = 0
	CS_SIGNER_TYPE_LEGACYVPN     = 5
	CS_SIGNER_TYPE_MAC_APP_STORE = 6

	// Supplemental signer types.
	CS_SUPPL_SIGNER_TYPE_UNKNOWN    = 0
	CS_SUPPL_SIGNER_TYPE_TRUSTCACHE = 7
	CS_SUPPL_SIGNER_TYPE_LOCAL      = 8

	CS_SIGNER_TYPE_OOPJIT = 9

	/* Validation categories used for trusted launch environment */
	// Values 1..9 describe how the code was validated; CS_VALIDATION_CATEGORY_INVALID
	// and CS_VALIDATION_CATEGORY_NONE bracket the range.
	CS_VALIDATION_CATEGORY_INVALID       = 0
	CS_VALIDATION_CATEGORY_PLATFORM      = 1
	CS_VALIDATION_CATEGORY_TESTFLIGHT    = 2
	CS_VALIDATION_CATEGORY_DEVELOPMENT   = 3
	CS_VALIDATION_CATEGORY_APP_STORE     = 4
	CS_VALIDATION_CATEGORY_ENTERPRISE    = 5
	CS_VALIDATION_CATEGORY_DEVELOPER_ID  = 6
	CS_VALIDATION_CATEGORY_LOCAL_SIGNING = 7
	CS_VALIDATION_CATEGORY_ROSETTA       = 8
	CS_VALIDATION_CATEGORY_OOPJIT        = 9
	CS_VALIDATION_CATEGORY_NONE          = 10

	/* The set of application types we support for linkage signatures */
	// These correspond to CdLinkage.LinkageApplicationType.
	CS_LINKAGE_APPLICATION_INVALID = 0
	CS_LINKAGE_APPLICATION_ROSETTA = 1
	/* XOJIT has been renamed to OOP-JIT */
	// XOJIT and OOPJIT are the same application type (both 2); the XOJIT
	// name is kept only as an alias.
	CS_LINKAGE_APPLICATION_XOJIT  = 2
	CS_LINKAGE_APPLICATION_OOPJIT = 2

	/*
	 * For backwards compatibility with older signatures, the AOT sub-type is kept
	 * as 0.
	 */
	// Sub-types (CdLinkage.LinkageApplicationSubType) reuse numeric values
	// across application types: 0 is ROSETTA_AOT for a Rosetta linkage but
	// OOPJIT_INVALID for an OOP-JIT linkage, so a sub-type is only meaningful
	// together with its application type.
	CS_LINKAGE_APPLICATION_ROSETTA_AOT = 0
	/* OOP-JIT sub-types -- XOJIT type kept for external dependencies */
	CS_LINKAGE_APPLICATION_XOJIT_PREVIEWS    = 1
	CS_LINKAGE_APPLICATION_OOPJIT_INVALID    = 0
	CS_LINKAGE_APPLICATION_OOPJIT_PREVIEWS   = 1
	CS_LINKAGE_APPLICATION_OOPJIT_MLCOMPILER = 2

	// These numerically match CSSLOT_REQUIREMENTS (2) and CSSLOT_ENTITLEMENTS (5).
	CSTYPE_INDEX_REQUIREMENTS = 0x00000002 /* compat with amfi */
	CSTYPE_INDEX_ENTITLEMENTS = 0x00000005 /* compat with amfi */
)
const (
	/*
	 * Defined launch types
	 */
	// Untyped launch-type constants; only the two values below are defined here.
	CS_LAUNCH_TYPE_NONE           = 0
	CS_LAUNCH_TYPE_SYSTEM_SERVICE = 1
)
const (
	// PAGE_SIZE_BITS is log2 of the code-signing page size; PAGE_SIZE (4096)
	// is the number of bytes covered by one code-slot hash.
	PAGE_SIZE_BITS = 12
	PAGE_SIZE      = 1 << PAGE_SIZE_BITS

	// Hash algorithms a CodeDirectory may declare (see CdEarliest.HashType).
	HASHTYPE_NOHASH           hashType = 0
	HASHTYPE_SHA1             hashType = 1
	HASHTYPE_SHA256           hashType = 2
	HASHTYPE_SHA256_TRUNCATED hashType = 3
	HASHTYPE_SHA384           hashType = 4
	HASHTYPE_SHA512           hashType = 5

	// Digest sizes in bytes for the hash types above. No size constant is
	// defined here for SHA-384 or SHA-512.
	HASH_SIZE_SHA1             = 20
	HASH_SIZE_SHA256           = 32
	HASH_SIZE_SHA256_TRUNCATED = 20

	// A cdhash is always CDHASH_LEN bytes; longer digests are truncated to it.
	// HASH_MAX_SIZE is the largest digest this package supports (48 bytes, the
	// size of a SHA-384 digest); a 64-byte SHA-512 digest would exceed it.
	// NOTE(review): readers of a CodeDirectory should bound the header's
	// HashSize by HASH_MAX_SIZE rather than trusting it — confirm the parser does.
	CDHASH_LEN    = 20 /* always - larger hashes are truncated */
	HASH_MAX_SIZE = 48 /* max size of the hash we'll support */
)
const (
	// CodeDirectory version thresholds. A CodeDirectory whose Version is at
	// or above a SUPPORTS_* value carries the corresponding optional header
	// fields (CdScatter, CdTeamID, CdCodeLimit64, CdExecSeg, CdRuntime,
	// CdLinkage, in that order).
	EARLIEST_VERSION     cdVersion = 0x20001
	SUPPORTS_SCATTER     cdVersion = 0x20100
	SUPPORTS_TEAMID      cdVersion = 0x20200
	SUPPORTS_CODELIMIT64 cdVersion = 0x20300
	SUPPORTS_EXECSEG     cdVersion = 0x20400
	SUPPORTS_RUNTIME     cdVersion = 0x20500
	SUPPORTS_LINKAGE     cdVersion = 0x20600
	// COMPATIBILITY_LIMIT is the highest version this package claims to
	// understand; presumably versions above it are rejected — confirm in the parser.
	COMPATIBILITY_LIMIT  cdVersion = 0x2F000 // "version 3 with wiggle room"
)
const (
	// Bit flags carried in CdExecSeg.ExecSegFlags (CodeDirectory version
	// SUPPORTS_EXECSEG and later). EXECSEG_ALLOW_UNSIGNED and EXECSEG_DEBUGGER
	// relax page validation and are intended for debugging builds only.
	EXECSEG_MAIN_BINARY     execSegFlag = 0x01  /* executable segment denotes main binary */
	EXECSEG_ALLOW_UNSIGNED  execSegFlag = 0x10  /* allow unsigned pages (for debugging) */
	EXECSEG_DEBUGGER        execSegFlag = 0x20  /* main binary is debugger */
	EXECSEG_JIT             execSegFlag = 0x40  /* JIT enabled */
	EXECSEG_SKIP_LV         execSegFlag = 0x80  /* OBSOLETE: skip library validation */
	EXECSEG_CAN_LOAD_CDHASH execSegFlag = 0x100 /* can bless cdhash for execution */
	EXECSEG_CAN_EXEC_CDHASH execSegFlag = 0x200 /* can execute blessed cdhash */
)

Executable segment flags.

const (
	// A signature with a nonzero platform identifier value, when endorsed as originated by Apple,
	// identifies code as belonging to a particular operating system deliverable set. Some system
	// components restrict functionality to platform binaries. The actual values are arbitrary.
	//
	// NON_PLATFORM_BINARY is the only cdPlatform value defined here; it is the
	// value of CdEarliest.Platform for code that is not a platform binary.
	NON_PLATFORM_BINARY cdPlatform = 0
)

Variables

var (
	// EmptySha256Slot is a 32-byte all-zero digest (the size of a SHA-256
	// hash); presumably used where a special slot has no content — verify
	// against the CodeDirectory writer.
	EmptySha256Slot = bytes.Repeat([]byte{0x00}, sha256.Size)

	// EmptySha256ReqSlot is a fixed SHA-256 digest; the name suggests it is
	// the hash of an empty requirements set (MAGIC_REQUIREMENTS with zero
	// entries) — confirm.
	EmptySha256ReqSlot = []byte{
		0x98, 0x79, 0x20, 0x90, 0x4E, 0xAB, 0x65, 0x0E, 0x75, 0x78, 0x8C, 0x05, 0x4A, 0xA0, 0xB0, 0x52,
		0x4E, 0x6A, 0x80, 0xBF, 0xC7, 0x1A, 0xA3, 0x2D, 0xF8, 0xD2, 0x37, 0xA6, 0x17, 0x43, 0xF9, 0x86,
	}
)
// NULL_PAGE_SHA256_HASH is a fixed 32-byte digest. The name suggests it is
// the SHA-256 of one PAGE_SIZE (4096-byte) page of zeros, i.e. the code-slot
// hash expected for an all-zero page — confirm against the hashing code.
var NULL_PAGE_SHA256_HASH = []byte{
	0xad, 0x7f, 0xac, 0xb2, 0x58, 0x6f, 0xc6, 0xe9,
	0x66, 0xc0, 0x04, 0xd7, 0xd1, 0xd1, 0x6b, 0x02,
	0x4f, 0x58, 0x05, 0xff, 0x7c, 0xb4, 0x7c, 0x7a,
	0x85, 0xda, 0xbd, 0x8b, 0x48, 0x89, 0x2c, 0xa7,
}

Functions

func ParseRequirements

func ParseRequirements(r *bytes.Reader, reqs Requirements) (string, error)

ParseRequirements parses the requirements set bytes

Types

type Blob

// Blob is a generic code-signing blob: a BlobHeader (magic and total length)
// followed by the remaining payload bytes.
type Blob struct {
	BlobHeader
	Data []byte // (length - sizeof(blob_header)) bytes
}

Blob object

func CreateRequirements

func CreateRequirements(id string, certs []*x509.Certificate, adhoc bool) (Blob, error)

CreateRequirements creates a requirements-set code-signing blob. NOTE: `/usr/bin/csreq -r="identifier com.foo.test" -t` can be used to test it out.

func NewBlob

func NewBlob(magic Magic, data []byte) Blob

func (Blob) Bytes

func (b Blob) Bytes() ([]byte, error)

func (Blob) Sha256Hash

func (b Blob) Sha256Hash() ([]byte, error)

type BlobHeader

// BlobHeader is the 8-byte header that starts every code-signing blob.
// Length covers the header itself plus the payload.
type BlobHeader struct {
	Magic  Magic  `json:"magic,omitempty"`  // magic number
	Length uint32 `json:"length,omitempty"` // total length of blob
}

type BlobIndex

// BlobIndex is one entry of a SuperBlob's index: the slot type of a
// contained blob and its byte offset. Offset is presumably relative to the
// start of the SuperBlob — confirm against SuperBlob.Write.
type BlobIndex struct {
	Type   SlotType `json:"type,omitempty"`   // type of entry
	Offset uint32   `json:"offset,omitempty"` // offset of entry
}

BlobIndex object

type CDFlag

// CDFlag is a bit set of code-signing flags. The same type is used both for
// the Flags field of a CodeDirectory header (CdEarliest.Flags) and for the
// runtime code-signing attributes of a process.
type CDFlag uint32
const (
	/* code signing attributes of a process */
	NONE           CDFlag = 0x00000000 /* no flags */
	VALID          CDFlag = 0x00000001 /* dynamically valid */
	ADHOC          CDFlag = 0x00000002 /* ad hoc signed */
	GET_TASK_ALLOW CDFlag = 0x00000004 /* has get-task-allow entitlement */
	INSTALLER      CDFlag = 0x00000008 /* has installer entitlement */

	FORCED_LV       CDFlag = 0x00000010 /* Library Validation required by Hardened System Policy */
	INVALID_ALLOWED CDFlag = 0x00000020 /* (macOS Only) Page invalidation allowed by task port policy */

	HARD             CDFlag = 0x00000100 /* don't load invalid pages */
	KILL             CDFlag = 0x00000200 /* kill process if it becomes invalid */
	CHECK_EXPIRATION CDFlag = 0x00000400 /* force expiration checking */
	RESTRICT         CDFlag = 0x00000800 /* tell dyld to treat restricted */

	ENFORCEMENT            CDFlag = 0x00001000 /* require enforcement */
	REQUIRE_LV             CDFlag = 0x00002000 /* require library validation */
	ENTITLEMENTS_VALIDATED CDFlag = 0x00004000 /* code signature permits restricted entitlements */
	NVRAM_UNRESTRICTED     CDFlag = 0x00008000 /* has com.apple.rootless.restricted-nvram-variables.heritable entitlement */

	RUNTIME CDFlag = 0x00010000 /* Apply hardened runtime policies */

	LINKER_SIGNED CDFlag = 0x20000 // type property

	// ALLOWED_MACHO is the union of the flags above that a Mach-O signature
	// itself may carry — presumably; the remaining flags are runtime state.
	ALLOWED_MACHO CDFlag = (ADHOC | HARD | KILL | CHECK_EXPIRATION | RESTRICT | ENFORCEMENT | REQUIRE_LV | RUNTIME)

	EXEC_SET_HARD        CDFlag = 0x00100000 /* set HARD on any exec'ed process */
	EXEC_SET_KILL        CDFlag = 0x00200000 /* set KILL on any exec'ed process */
	EXEC_SET_ENFORCEMENT CDFlag = 0x00400000 /* set ENFORCEMENT on any exec'ed process */
	EXEC_INHERIT_SIP     CDFlag = 0x00800000 /* set INSTALLER on any exec'ed process */

	KILLED          CDFlag = 0x01000000 /* was killed by kernel for invalidity */
	DYLD_PLATFORM   CDFlag = 0x02000000 /* dyld used to load this is a platform binary */
	PLATFORM_BINARY CDFlag = 0x04000000 /* this is a platform binary */
	PLATFORM_PATH   CDFlag = 0x08000000 /* platform binary by the fact of path (osx only) */

	DEBUGGED             CDFlag = 0x10000000 /* process is currently or has previously been debugged and allowed to run with invalid pages */
	SIGNED               CDFlag = 0x20000000 /* process has a signature (may have gone invalid) */
	DEV_CODE             CDFlag = 0x40000000 /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */
	DATAVAULT_CONTROLLER CDFlag = 0x80000000 /* has Data Vault controller entitlement */

	// ENTITLEMENT_FLAGS groups the flags that each reflect the presence of a
	// specific entitlement (see the per-flag comments above).
	ENTITLEMENT_FLAGS CDFlag = (GET_TASK_ALLOW | INSTALLER | DATAVAULT_CONTROLLER | NVRAM_UNRESTRICTED)
)

func (CDFlag) String

func (f CDFlag) String() string

type CdCodeLimit64

// CdCodeLimit64 is the CodeDirectory header extension added at version
// SUPPORTS_CODELIMIT64, widening the 32-bit CdEarliest.CodeLimit to 64 bits.
type CdCodeLimit64 struct {
	CodeLimit64 uint64 `json:"code_limit_64,omitempty"` /* limit to main image signature range, 64 bits */
	// contains filtered or unexported fields
}

type CdEarliest

// CdEarliest is the part of the CodeDirectory header present in every
// version from EARLIEST_VERSION onward. Offsets are counted in bytes; the
// hash slot array and identifier string are located via HashOffset and
// IdentOffset, presumably relative to the start of the blob — confirm in the parser.
type CdEarliest struct {
	Version       cdVersion  `json:"version,omitempty"`         // compatibility version
	Flags         CDFlag     `json:"flags,omitempty"`           // setup and mode flags
	HashOffset    uint32     `json:"hash_offset,omitempty"`     // offset of hash slot element at index zero
	IdentOffset   uint32     `json:"ident_offset,omitempty"`    // offset of identifier string
	NSpecialSlots uint32     `json:"n_special_slots,omitempty"` // number of special hash slots
	NCodeSlots    uint32     `json:"n_code_slots,omitempty"`    // number of ordinary (code) hash slots
	CodeLimit     uint32     `json:"code_limit,omitempty"`      // limit to main image signature range
	// NOTE(review): HashSize, NSpecialSlots and NCodeSlots come from the
	// file; readers should bound them (HashSize <= HASH_MAX_SIZE, slot
	// counts against the blob length) before indexing.
	HashSize      uint8      `json:"hash_size,omitempty"`       // size of each hash in bytes
	HashType      hashType   `json:"hash_type,omitempty"`       // type of hash (cdHashType* constants)
	Platform      cdPlatform `json:"platform,omitempty"`        // platform identifier zero if not platform binary
	PageSize      uint8      `json:"page_size,omitempty"`       // log2(page size in bytes) 0 => infinite
	// contains filtered or unexported fields
}

type CdExecSeg

// CdExecSeg is the CodeDirectory header extension added at version
// SUPPORTS_EXECSEG; it describes the executable segment and carries the
// EXECSEG_* flags.
type CdExecSeg struct {
	/* Version 0x20400 */
	ExecSegBase  uint64      `json:"exec_seg_base,omitempty"`  /* offset of executable segment */
	ExecSegLimit uint64      `json:"exec_seg_limit,omitempty"` /* limit of executable segment */
	ExecSegFlags execSegFlag `json:"exec_seg_flags,omitempty"` /* exec segment flags */
}

type CdLinkage

// CdLinkage is the CodeDirectory header extension added at version
// SUPPORTS_LINKAGE. LinkageApplicationType and LinkageApplicationSubType
// take the CS_LINKAGE_APPLICATION_* values; LinkageOffset/LinkageSize
// locate the linkage data (see CodeDirectory.LinkageData).
type CdLinkage struct {
	/* Version 0x20600 */
	LinkageHashType           uint8  `json:"linkage_hash_type,omitempty"`
	LinkageApplicationType    uint8  `json:"linkage_application_type,omitempty"`
	LinkageApplicationSubType uint16 `json:"linkage_application_sub_type,omitempty"`
	LinkageOffset             uint32 `json:"linkage_offset,omitempty"`
	LinkageSize               uint32 `json:"linkage_size,omitempty"`
}

type CdRuntime

// CdRuntime is the CodeDirectory header extension added at version
// SUPPORTS_RUNTIME: the hardened-runtime version and the offset of the
// pre-encryption hash slots (see CodeDirectory.PreEncryptSlots).
type CdRuntime struct {
	/* Version 0x20500 */
	Runtime          mtypes.Version `json:"runtime,omitempty"`            // Runtime version
	PreEncryptOffset uint32         `json:"pre_encrypt_offset,omitempty"` // offset of pre-encrypt hash slots
}

type CdScatter

// CdScatter is the CodeDirectory header extension added at version
// SUPPORTS_SCATTER; a zero ScatterOffset presumably means no scatter vector.
type CdScatter struct {
	/* Version 0x20100 */
	ScatterOffset uint32 `json:"scatter_offset,omitempty"` /* offset of optional scatter vector */
}

type CdTeamID

// CdTeamID is the CodeDirectory header extension added at version
// SUPPORTS_TEAMID; a zero TeamOffset presumably means no team identifier.
type CdTeamID struct {
	/* Version 0x20200 */
	TeamOffset uint32 `json:"team_offset,omitempty"` /* offset of optional team identifier */
}

type CodeDirectory

// CodeDirectory is the parsed, higher-level view of a CodeDirectory blob:
// the raw header (Header) plus the identifier, team ID, hash slots and
// version-dependent extras resolved from their offsets.
type CodeDirectory struct {
	BlobHeader
	ID             string            `json:"id,omitempty"`      // signing identifier
	TeamID         string            `json:"team_id,omitempty"` // team identifier, empty if absent
	Scatter        Scatter           `json:"scatter,omitempty"`
	CDHash         string            `json:"cd_hash,omitempty"` // presumably hex-encoded — confirm
	SpecialSlots   []SpecialSlot     `json:"special_slots,omitempty"`
	CodeSlots      []CodeSlot        `json:"code_slots,omitempty"` // one hash per PAGE_SIZE page
	Header         CodeDirectoryType `json:"header,omitempty"`
	RuntimeVersion string            `json:"runtime_version,omitempty"`
	CodeLimit      uint64            `json:"code_limit,omitempty"` // widened; see CdCodeLimit64
	// PreEncryptSlots and LinkageData are only present for CodeDirectory
	// versions that support CdRuntime / CdLinkage respectively.
	PreEncryptSlots [][]byte `json:"pre_encrypt_slots,omitempty"`
	LinkageData     []byte   `json:"linkage_data,omitempty"`
}

CodeDirectory object

type CodeDirectoryType

CodeDirectoryType header

type CodeSlot

// CodeSlot is one ordinary (code) hash slot of a CodeDirectory. Index is
// the slot's position; Page is the page it covers; Desc is a human-readable
// description produced by the parser.
type CodeSlot struct {
	Index uint32 `json:"index,omitempty"`
	Page  uint32 `json:"page,omitempty"`
	Hash  []byte `json:"hash,omitempty"`
	Desc  string `json:"desc,omitempty"`
}

type LaunchContraints

// LaunchContraints is the decoded launch-constraint dictionary (see
// ParseLaunchContraints). The JSON tags presumably mirror the short key
// names used in the DER encoding — confirm against the parser. Requirements
// is left as an untyped map, so consumers must type-assert its values.
type LaunchContraints struct {
	Count        int64          `json:"appl"`
	CCAT         int64          `json:"ccat"`
	COMP         int64          `json:"comp"`
	Requirements map[string]any `json:"reqs"`
	Version      int64          `json:"vers"`
}

LaunchContraints is the ASN.1 DER structure for launch constraints

func ParseLaunchContraints

func ParseLaunchContraints(data []byte) (*LaunchContraints, error)

ParseLaunchContraints parses the launch constraint bytes

type Magic

// Magic identifies the kind of a code-signing blob; it is the first field
// of BlobHeader, RequirementsBlob and SbHeader.
type Magic uint32
const (
	// Magic numbers used by Code Signing
	MAGIC_REQUIREMENT                Magic = 0xfade0c00 // single Requirement blob
	MAGIC_REQUIREMENTS               Magic = 0xfade0c01 // Requirements vector (internal requirements)
	MAGIC_CODEDIRECTORY              Magic = 0xfade0c02 // CodeDirectory blob
	MAGIC_EMBEDDED_SIGNATURE         Magic = 0xfade0cc0 // embedded form of signature data
	MAGIC_EMBEDDED_SIGNATURE_OLD     Magic = 0xfade0b02 /* XXX */
	MAGIC_LIBRARY_DEPENDENCY_BLOB    Magic = 0xfade0c05
	MAGIC_EMBEDDED_ENTITLEMENTS      Magic = 0xfade7171 /* embedded entitlements */
	MAGIC_EMBEDDED_ENTITLEMENTS_DER  Magic = 0xfade7172 /* embedded entitlements */
	MAGIC_DETACHED_SIGNATURE         Magic = 0xfade0cc1 // multi-arch collection of embedded signatures
	MAGIC_BLOBWRAPPER                Magic = 0xfade0b01 // used for the cms blob
	MAGIC_EMBEDDED_LAUNCH_CONSTRAINT Magic = 0xfade8181 // Light weight code requirement
)

func (Magic) String

func (cm Magic) String() string

type Requirement

// Requirement is a single parsed requirement: its blob header, its index
// entry (type and offset) and the decoded requirement text in Detail.
type Requirement struct {
	RequirementsBlob
	Requirements
	Detail string `json:"detail,omitempty"`
}

Requirement object

type RequirementType

// RequirementType says which relationship a requirement constrains (hosts,
// guests, libraries, plug-ins) or marks it as the designated requirement.
type RequirementType uint32
const (
	HostRequirementType       RequirementType = 1 /* what hosts may run us */
	GuestRequirementType      RequirementType = 2 /* what guests we may run */
	DesignatedRequirementType RequirementType = 3 /* designated requirement */
	LibraryRequirementType    RequirementType = 4 /* what libraries we may link against */
	PluginRequirementType     RequirementType = 5 /* what plug-ins we may load */
)

func (RequirementType) String

func (cm RequirementType) String() string

type Requirements

// Requirements is one index entry of a requirements set: the requirement's
// type and the offset of its blob.
type Requirements struct {
	Type   RequirementType `json:"type,omitempty"`   // type of entry
	Offset uint32          `json:"offset,omitempty"` // offset of entry
}

Requirements object

type RequirementsBlob

// RequirementsBlob is the header of a requirements-set blob: magic, total
// length and a third word that is zero for the dyld shared cache.
type RequirementsBlob struct {
	Magic  Magic  `json:"magic,omitempty"`  // magic number
	Length uint32 `json:"length,omitempty"` // total length of blob
	Data   uint32 `json:"data,omitempty"`   // zero for dyld shared cache
}

RequirementsBlob object

type SbHeader

// SbHeader is the header of a SuperBlob: a BlobHeader-shaped magic and
// length followed by the number of BlobIndex entries that follow it.
type SbHeader struct {
	Magic  Magic  `json:"magic,omitempty"`  // magic number
	Length uint32 `json:"length,omitempty"` // total length of SuperBlob
	Count  uint32 `json:"count,omitempty"`  // number of index entries following
}

type Scatter

// Scatter is one element of the optional scatter vector (see CdScatter):
// a run of Count pages starting at page Base that maps to TargetOffset in
// the target. A Count of zero marks the sentinel entry.
type Scatter struct {
	Count        uint32 `json:"count,omitempty"`         // number of pages zero for sentinel (only)
	Base         uint32 `json:"base,omitempty"`          // first page number
	TargetOffset uint64 `json:"target_offset,omitempty"` // byte offset in target
	// contains filtered or unexported fields
}

Scatter object

type SlotType

// SlotType identifies a blob within a SuperBlob (BlobIndex.Type). Values
// 0..11 are the CodeDirectory's special slots, 0x1000.. the alternate code
// directories, and 0x10000.. the signature-level blobs.
type SlotType uint32
const (
	CSSLOT_CODEDIRECTORY                 SlotType = 0
	CSSLOT_INFOSLOT                      SlotType = 1 // Info.plist
	CSSLOT_REQUIREMENTS                  SlotType = 2 // internal requirements
	CSSLOT_RESOURCEDIR                   SlotType = 3 // resource directory
	CSSLOT_APPLICATION                   SlotType = 4 // Application specific slot/Top-level directory list
	CSSLOT_ENTITLEMENTS                  SlotType = 5 // embedded entitlement configuration
	CSSLOT_REP_SPECIFIC                  SlotType = 6 // for use by disk images
	CSSLOT_ENTITLEMENTS_DER              SlotType = 7 // DER representation of entitlements plist
	CSSLOT_LAUNCH_CONSTRAINT_SELF        SlotType = 8
	CSSLOT_LAUNCH_CONSTRAINT_PARENT      SlotType = 9
	CSSLOT_LAUNCH_CONSTRAINT_RESPONSIBLE SlotType = 10
	CSSLOT_LIBRARY_CONSTRAINT            SlotType = 11
	CSSLOT_ALTERNATE_CODEDIRECTORIES     SlotType = 0x1000 // Used for expressing a code directory using an alternate digest type.
	CSSLOT_ALTERNATE_CODEDIRECTORIES1    SlotType = 0x1001 // Used for expressing a code directory using an alternate digest type.
	CSSLOT_ALTERNATE_CODEDIRECTORIES2    SlotType = 0x1002 // Used for expressing a code directory using an alternate digest type.
	CSSLOT_ALTERNATE_CODEDIRECTORIES3    SlotType = 0x1003 // Used for expressing a code directory using an alternate digest type.
	CSSLOT_ALTERNATE_CODEDIRECTORIES4    SlotType = 0x1004 // Used for expressing a code directory using an alternate digest type.
	// CSSLOT_ALTERNATE_CODEDIRECTORY_MAX is untyped; the LIMIT it produces is
	// a SlotType (0x1005) and is the exclusive upper bound of the alternate
	// code-directory range.
	CSSLOT_ALTERNATE_CODEDIRECTORY_MAX            = 5
	CSSLOT_ALTERNATE_CODEDIRECTORY_LIMIT          = CSSLOT_ALTERNATE_CODEDIRECTORIES + CSSLOT_ALTERNATE_CODEDIRECTORY_MAX
	CSSLOT_CMS_SIGNATURE                 SlotType = 0x10000 // CMS signature
	CSSLOT_IDENTIFICATIONSLOT            SlotType = 0x10001 // identification blob; used for detached signature
	CSSLOT_TICKETSLOT                    SlotType = 0x10002 // Notarization ticket
)

func (SlotType) String

func (c SlotType) String() string

type SpecialSlot

// SpecialSlot is one special hash slot of a CodeDirectory (the first
// CdEarliest.NSpecialSlots slots before the code slots). Index is the slot
// number; Desc is a human-readable description produced by the parser.
type SpecialSlot struct {
	Index uint32 `json:"index,omitempty"`
	Hash  []byte `json:"hash,omitempty"`
	Desc  string `json:"desc,omitempty"`
}

type SuperBlob

// SuperBlob is a container of typed blobs: an SbHeader, Count index entries
// and the blobs themselves. Index[i] describes Blobs[i] presumably — confirm
// against AddBlob/Write, since the on-disk order is defined only by offsets.
type SuperBlob struct {
	SbHeader
	Index []BlobIndex // (count) entries
	Blobs []Blob      // followed by Blobs in no particular order as indicated by offsets in index
}

SuperBlob object

func NewSuperBlob

func NewSuperBlob(magic Magic) SuperBlob

func (*SuperBlob) AddBlob

func (s *SuperBlob) AddBlob(typ SlotType, blob Blob)

func (*SuperBlob) GetBlob

func (s *SuperBlob) GetBlob(typ SlotType) (Blob, error)

func (*SuperBlob) Size

func (s *SuperBlob) Size() int

func (*SuperBlob) Write

func (s *SuperBlob) Write(buf *bytes.Buffer, o binary.ByteOrder) error
