types

package
v0.0.0-...-b52216c Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 12, 2022 License: MIT Imports: 8 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	PAGE_SIZE = 4096

	HASHTYPE_NOHASH           hashType = 0
	HASHTYPE_SHA1             hashType = 1
	HASHTYPE_SHA256           hashType = 2
	HASHTYPE_SHA256_TRUNCATED hashType = 3
	HASHTYPE_SHA384           hashType = 4
	HASHTYPE_SHA512           hashType = 5

	HASH_SIZE_SHA1             = 20
	HASH_SIZE_SHA256           = 32
	HASH_SIZE_SHA256_TRUNCATED = 20

	CDHASH_LEN    = 20 /* always - larger hashes are truncated */
	HASH_MAX_SIZE = 48 /* max size of the hash we'll support */
)
View Source 
const (
	EARLIEST_VERSION     cdVersion = 0x20001
	SUPPORTS_SCATTER     cdVersion = 0x20100
	SUPPORTS_TEAMID      cdVersion = 0x20200
	SUPPORTS_CODELIMIT64 cdVersion = 0x20300
	SUPPORTS_EXECSEG     cdVersion = 0x20400
	SUPPORTS_RUNTIME     cdVersion = 0x20500
	SUPPORTS_LINKAGE     cdVersion = 0x20600
	COMPATIBILITY_LIMIT  cdVersion = 0x2F000 // "version 3 with wiggle room"
)
View Source 
const (
	/* code signing attributes of a process */
	NONE           cdFlag = 0x00000000 /* no flags */
	VALID          cdFlag = 0x00000001 /* dynamically valid */
	ADHOC          cdFlag = 0x00000002 /* ad hoc signed */
	GET_TASK_ALLOW cdFlag = 0x00000004 /* has get-task-allow entitlement */
	INSTALLER      cdFlag = 0x00000008 /* has installer entitlement */

	FORCED_LV       cdFlag = 0x00000010 /* Library Validation required by Hardened System Policy */
	INVALID_ALLOWED cdFlag = 0x00000020 /* (macOS Only) Page invalidation allowed by task port policy */

	HARD             cdFlag = 0x00000100 /* don't load invalid pages */
	KILL             cdFlag = 0x00000200 /* kill process if it becomes invalid */
	CHECK_EXPIRATION cdFlag = 0x00000400 /* force expiration checking */
	RESTRICT         cdFlag = 0x00000800 /* tell dyld to treat restricted */

	ENFORCEMENT            cdFlag = 0x00001000 /* require enforcement */
	REQUIRE_LV             cdFlag = 0x00002000 /* require library validation */
	ENTITLEMENTS_VALIDATED cdFlag = 0x00004000 /* code signature permits restricted entitlements */
	NVRAM_UNRESTRICTED     cdFlag = 0x00008000 /* has com.apple.rootless.restricted-nvram-variables.heritable entitlement */

	RUNTIME cdFlag = 0x00010000 /* Apply hardened runtime policies */

	LINKER_SIGNED cdFlag = 0x20000 // type property

	ALLOWED_MACHO cdFlag = (ADHOC | HARD | KILL | CHECK_EXPIRATION | RESTRICT | ENFORCEMENT | REQUIRE_LV | RUNTIME)

	EXEC_SET_HARD        cdFlag = 0x00100000 /* set HARD on any exec'ed process */
	EXEC_SET_KILL        cdFlag = 0x00200000 /* set KILL on any exec'ed process */
	EXEC_SET_ENFORCEMENT cdFlag = 0x00400000 /* set ENFORCEMENT on any exec'ed process */
	EXEC_INHERIT_SIP     cdFlag = 0x00800000 /* set INSTALLER on any exec'ed process */

	KILLED          cdFlag = 0x01000000 /* was killed by kernel for invalidity */
	DYLD_PLATFORM   cdFlag = 0x02000000 /* dyld used to load this is a platform binary */
	PLATFORM_BINARY cdFlag = 0x04000000 /* this is a platform binary */
	PLATFORM_PATH   cdFlag = 0x08000000 /* platform binary by the fact of path (osx only) */

	DEBUGGED             cdFlag = 0x10000000 /* process is currently or has previously been debugged and allowed to run with invalid pages */
	SIGNED               cdFlag = 0x20000000 /* process has a signature (may have gone invalid) */
	DEV_CODE             cdFlag = 0x40000000 /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */
	DATAVAULT_CONTROLLER cdFlag = 0x80000000 /* has Data Vault controller entitlement */

	ENTITLEMENT_FLAGS cdFlag = (GET_TASK_ALLOW | INSTALLER | DATAVAULT_CONTROLLER | NVRAM_UNRESTRICTED)
)
View Source 
const (
	EXECSEG_MAIN_BINARY     execSegFlag = 0x1   /* executable segment denotes main binary */
	EXECSEG_ALLOW_UNSIGNED  execSegFlag = 0x10  /* allow unsigned pages (for debugging) */
	EXECSEG_DEBUGGER        execSegFlag = 0x20  /* main binary is debugger */
	EXECSEG_JIT             execSegFlag = 0x40  /* JIT enabled */
	EXECSEG_SKIP_LV         execSegFlag = 0x80  /* OBSOLETE: skip library validation */
	EXECSEG_CAN_LOAD_CDHASH execSegFlag = 0x100 /* can bless cdhash for execution */
	EXECSEG_CAN_EXEC_CDHASH execSegFlag = 0x200 /* can execute blessed cdhash */
)

executable segment flags

View Source 
const (
	HostRequirementType       RequirementType = 1 /* what hosts may run us */
	GuestRequirementType                      = 2 /* what guests we may run */
	DesignatedRequirementType                 = 3 /* designated requirement */
	LibraryRequirementType                    = 4 /* what libraries we may link against */
	PluginRequirementType                     = 5 /* what plug-ins we may load */
)
View Source 
const (
	// Magic numbers used by Code Signing
	MAGIC_REQUIREMENT               magic = 0xfade0c00 // single Requirement blob
	MAGIC_REQUIREMENTS              magic = 0xfade0c01 // Requirements vector (internal requirements)
	MAGIC_CODEDIRECTORY             magic = 0xfade0c02 // CodeDirectory blob
	MAGIC_EMBEDDED_SIGNATURE        magic = 0xfade0cc0 // embedded form of signature data
	MAGIC_EMBEDDED_SIGNATURE_OLD    magic = 0xfade0b02 /* XXX */
	MAGIC_LIBRARY_DEPENDENCY_BLOB   magic = 0xfade0c05
	MAGIC_EMBEDDED_ENTITLEMENTS     magic = 0xfade7171 /* embedded entitlements */
	MAGIC_EMBEDDED_ENTITLEMENTS_DER magic = 0xfade7172 /* embedded entitlements */
	MAGIC_DETACHED_SIGNATURE        magic = 0xfade0cc1 // multi-arch collection of embedded signatures
	MAGIC_BLOBWRAPPER               magic = 0xfade0b01 // used for the cms blob
)
View Source 
const (
	/*
	 * Currently only to support Legacy VPN plugins, and Mac App Store
	 * but intended to replace all the various platform code, dev code etc. bits.
	 */
	CS_SIGNER_TYPE_UNKNOWN       = 0
	CS_SIGNER_TYPE_LEGACYVPN     = 5
	CS_SIGNER_TYPE_MAC_APP_STORE = 6

	CS_SUPPL_SIGNER_TYPE_UNKNOWN    = 0
	CS_SUPPL_SIGNER_TYPE_TRUSTCACHE = 7
	CS_SUPPL_SIGNER_TYPE_LOCAL      = 8

	CSTYPE_INDEX_REQUIREMENTS = 0x00000002 /* compat with amfi */
	CSTYPE_INDEX_ENTITLEMENTS = 0x00000005 /* compat with amfi */

)

Variables

View Source 
var NULL_PAGE_SHA256_HASH = []byte{0xad, 0x7f, 0xac, 0xb2, 0x58, 0x6f, 0xc6, 0xe9, 0x66, 0xc0, 0x04, 0xd7, 0xd1, 0xd1, 0x6b, 0x02, 0x4f, 0x58, 0x05, 0xff, 0x7c, 0xb4, 0x7c, 0x7a, 0x85, 0xda, 0xbd, 0x8b, 0x48, 0x89, 0x2c, 0xa7}

Functions

func ParseRequirements 

func ParseRequirements(r *bytes.Reader, reqs Requirements) (string, error)

ParseRequirements parses the requirements set bytes

func Sign 

func Sign(out []byte, data io.Reader, id string, codeSize, textOff, textSize int64, isMain bool, flags uint32)

Types

type Blob 

type Blob struct {
	Magic  magic  // magic number
	Length uint32 // total length of blob
}

Blob object

type BlobIndex 

type BlobIndex struct {
	Type   SlotType // type of entry
	Offset uint32   // offset of entry
}

BlobIndex object

type CodeDirectory 

type CodeDirectory struct {
	ID           string
	TeamID       string
	Scatter      Scatter
	CDHash       string
	SpecialSlots []SpecialSlot
	CodeSlots    []CodeSlot
	Header       CodeDirectoryType
}

CodeDirectory object

type CodeDirectoryType 

type CodeDirectoryType struct {
	Magic         magic     // magic number (CSMAGIC_CODEDIRECTORY) */
	Length        uint32    // total length of CodeDirectory blob
	Version       cdVersion // compatibility version
	Flags         cdFlag    // setup and mode flags
	HashOffset    uint32    // offset of hash slot element at index zero
	IdentOffset   uint32    // offset of identifier string
	NSpecialSlots uint32    // number of special hash slots
	NCodeSlots    uint32    // number of ordinary (code) hash slots
	CodeLimit     uint32    // limit to main image signature range
	HashSize      uint8     // size of each hash in bytes
	HashType      hashType  // type of hash (cdHashType* constants)
	Platform      uint8     // platform identifier zero if not platform binary
	PageSize      uint8     // log2(page size in bytes) 0 => infinite
	Spare2        uint32    // unused (must be zero)

	EndEarliest [0]uint8

	/* Version 0x20100 */
	ScatterOffset  uint32 /* offset of optional scatter vector */
	EndWithScatter [0]uint8

	/* Version 0x20200 */
	TeamOffset  uint32 /* offset of optional team identifier */
	EndWithTeam [0]uint8

	/* Version 0x20300 */
	Spare3             uint32 /* unused (must be zero) */
	CodeLimit64        uint64 /* limit to main image signature range, 64 bits */
	EndWithCodeLimit64 [0]uint8

	/* Version 0x20400 */
	ExecSegBase    uint64      /* offset of executable segment */
	ExecSegLimit   uint64      /* limit of executable segment */
	ExecSegFlags   execSegFlag /* exec segment flags */
	EndWithExecSeg [0]uint8
}

CodeDirectoryType header

type CodeSignature 

type CodeSignature struct {
	CodeDirectories []CodeDirectory
	Requirements    []Requirement
	CMSSignature    []byte
	Entitlements    string
	EntitlementsDER []byte
}

CodeSignature highlevel object

type CodeSlot 

type CodeSlot struct {
	Index uint32
	Page  uint32
	Hash  []byte
	Desc  string
}

type Requirement 

type Requirement struct {
	Detail string
	RequirementsBlob
	Requirements
}

Requirement object

type RequirementType 

type RequirementType uint32

func (RequirementType) GoString 

func (cm RequirementType) GoString() string

func (RequirementType) String 

func (cm RequirementType) String() string

type Requirements 

type Requirements struct {
	Type   RequirementType // type of entry
	Offset uint32          // offset of entry
}

Requirements object

type RequirementsBlob 

type RequirementsBlob struct {
	Magic  magic  // magic number
	Length uint32 // total length of blob
	Data   uint32 // zero for dyld shared cache
}

RequirementsBlob object

type Scatter 

type Scatter struct {
	Count        uint32 // number of pages zero for sentinel (only)
	Base         uint32 // first page number
	TargetOffset uint64 // byte offset in target
	Spare        uint64 // reserved (must be zero)
}

Scatter object

type SlotType 

type SlotType uint32
const (
	CSSLOT_CODEDIRECTORY                 SlotType = 0
	CSSLOT_INFOSLOT                      SlotType = 1 // Info.plist
	CSSLOT_REQUIREMENTS                  SlotType = 2 // internal requirements
	CSSLOT_RESOURCEDIR                   SlotType = 3 // resource directory
	CSSLOT_APPLICATION                   SlotType = 4 // Application specific slot/Top-level directory list
	CSSLOT_ENTITLEMENTS                  SlotType = 5 // embedded entitlement configuration
	CSSLOT_REP_SPECIFIC                  SlotType = 6 // for use by disk rep
	CSSLOT_ENTITLEMENTS_DER              SlotType = 7 // DER representation of entitlements
	CSSLOT_ALTERNATE_CODEDIRECTORIES     SlotType = 0x1000
	CSSLOT_ALTERNATE_CODEDIRECTORY_MAX            = 5
	CSSLOT_ALTERNATE_CODEDIRECTORY_LIMIT          = CSSLOT_ALTERNATE_CODEDIRECTORIES + CSSLOT_ALTERNATE_CODEDIRECTORY_MAX
	CSSLOT_CMS_SIGNATURE                 SlotType = 0x10000
	CSSLOT_IDENTIFICATIONSLOT            SlotType = 0x10001
	CSSLOT_TICKETSLOT                    SlotType = 0x10002
)

func (SlotType) GoString 

func (c SlotType) GoString() string

func (SlotType) String 

func (c SlotType) String() string

type SpecialSlot 

type SpecialSlot struct {
	Index uint32
	Hash  []byte
	Desc  string
}

type SuperBlob 

type SuperBlob struct {
	Magic  magic  // magic number
	Length uint32 // total length of SuperBlob
	Count  uint32 // number of index entries following

}

SuperBlob object

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.