Changeset 74692 in vbox

Timestamp:

Oct 8, 2018 6:48:31 PM (6 years ago)

Author:

vboxsync

Message:

IPRT/RTSignTool: Some adjustments for apple signatures. bugref:9232

Location:

trunk

Files:

• include/iprt/crypto/applecodesign.h (modified) (1 diff)
• include/iprt/crypto/pkcs7.h (modified) (2 diffs)
• src/VBox/Runtime/common/asn1/oiddb.cfg (modified) (2 diffs)
• src/VBox/Runtime/tools/RTSignTool.cpp (modified) (5 diffs)

trunk/include/iprt/crypto/applecodesign.h

@@ -36 +36 @@
  * @{
  */
+
+/** Apple developer ID for application signing. */
+#define RTCR_APPLE_CS_DEVID_APPLICATION_OID             "1.2.840.113635.100.6.1.13"
+/** Apple developer ID for installer signing. */
+#define RTCR_APPLE_CS_DEVID_INSTALLER_OID               "1.2.840.113635.100.6.1.14"
+/** Apple developer ID for kernel extension signing. */
+#define RTCR_APPLE_CS_DEVID_KEXT_OID                    "1.2.840.113635.100.6.1.18"
+/** Apple certificate policy OID.   */
+#define RTCR_APPLE_CS_CERTIFICATE_POLICY_OID            "1.2.840.113635.100.5.1"
+
 
 /** @name Apple code signing magic values for identifying blobs

trunk/include/iprt/crypto/pkcs7.h

@@ -40 +40 @@
  * @{
  */
+
+/** PKCS \#7 data object ID.*/
+#define RTCR_PKCS7_DATA_OID                         "1.2.840.113549.1.7.1"
+/** PKCS \#7 signedData object ID. */
+#define RTCR_PKCS7_SIGNED_DATA_OID                  "1.2.840.113549.1.7.2"
+/** PKCS \#7 envelopedData object ID. */
+#define RTCR_PKCS7_ENVELOPED_DATA_OID               "1.2.840.113549.1.7.3"
+/** PKCS \#7 signedAndEnvelopedData object ID.  */
+#define RTCR_PKCS7_SIGNED_AND_ENVELOPED_DATA_OID    "1.2.840.113549.1.7.4"
+/** PKCS \#7 digestedData object ID. */
+#define RTCR_PKCS7_DIGESTED_DATA_OID                "1.2.840.113549.1.7.5"
+/** PKCS \#7 encryptedData object ID. */
+#define RTCR_PKCS7_ENCRYPTED_DATA_OID               "1.2.840.113549.1.7.6"
 
 
@@ -380 +393 @@
 
 /** PKCS \#7 SignedData object ID.  */
-#define RTCRPKCS7SIGNEDDATA_OID "1.2.840.113549.1.7.2"
+#define RTCRPKCS7SIGNEDDATA_OID   RTCR_PKCS7_SIGNED_DATA_OID
 
 /** PKCS \#7 SignedData version number 1.  */

trunk/src/VBox/Runtime/common/asn1/oiddb.cfg

@@ -83 +83 @@
 1.2.840.113549.1.9.16.2         = pkcs9-SMime-id-aa
 1.2.840.113549.1.9.16.2.12      = pkcs9-id-aa-SigningCertificate
+1.2.840.113549.1.9.16.2.14      = pkcs9-id-aa-Attributes
 1.2.840.113549.1.9.25           = pkcs9-SMime-at
 1.2.840.113549.1.9.25.1         = pkcs9-at-Pkcs15Token
@@ -89 +90 @@
 1.2.840.113549.1.9.25.4         = pkcs9-at-SequenceNumber
 1.2.840.113549.1.9.25.5         = pkcs9-at-Pkcs7PDU
+1.2.840.113635.100.6.1.13       = apple-cs-ext-DevId-Application
+1.2.840.113635.100.6.1.14       = apple-cs-ext-DevId-Installer
+1.2.840.113635.100.6.1.18       = apple-cs-ext-DevId-KernelExt
+1.2.840.113635.100.5.1          = apple-cert-policy
+1.2.840.113635.100.4.13         = apple-eku-packageSign
+#1.2.840.113635.100.9.1         = apple-???
 1.3.6                           = dod
 1.3.6.1                         = dod-Internet

trunk/src/VBox/Runtime/tools/RTSignTool.cpp

@@ -86 +86 @@
     /** Pointer to the decoded SignedData inside the ContentInfo member. */
     PRTCRPKCS7SIGNEDDATA        pSignedData;
-    /** Pointer to the indirect data content. */
-    PRTCRSPCINDIRECTDATACONTENT pIndData;
 
     /** Newly encoded raw signature.
@@ -143 +141 @@
 {
     RTCrPkcs7ContentInfo_Delete(&pThis->ContentInfo);
-    pThis->pIndData    = NULL;
     pThis->pSignedData = NULL;
-    pThis->pIndData    = NULL;
     RTMemFree(pThis->pbBuf);
     pThis->pbBuf       = NULL;
@@ -199 +195 @@
             if (!strcmp(pThis->pSignedData->ContentInfo.ContentType.szObjId, RTCRSPCINDIRECTDATACONTENT_OID))
             {
-                pThis->pIndData = pThis->pSignedData->ContentInfo.u.pIndirectDataContent;
-                Assert(pThis->pIndData);
+                PRTCRSPCINDIRECTDATACONTENT pIndData = pThis->pSignedData->ContentInfo.u.pIndirectDataContent;
+                Assert(pIndData);
 
                 /*
@@ -212 +208 @@
                 if (RT_SUCCESS(rc))
                 {
-                    rc = RTCrSpcIndirectDataContent_CheckSanityEx(pThis->pIndData,
+                    rc = RTCrSpcIndirectDataContent_CheckSanityEx(pIndData,
                                                                   pThis->pSignedData,
                                                                   RTCRSPCINDIRECTDATACONTENT_SANITY_F_ONLY_KNOWN_HASH,
@@ -223 +219 @@
                     RTMsgError("PKCS#7 sanity check failed for '%s': %Rrc - %s\n", pThis->pszFilename, rc, ErrInfo.szMsg);
             }
+            else if (!strcmp(pThis->pSignedData->ContentInfo.ContentType.szObjId, RTCR_PKCS7_DATA_OID))
+            { /* apple code signing */ }
             else if (!fCatalog)
                 RTMsgError("Unexpected the signed content in '%s': %s (expected %s)", pThis->pszFilename,