Documentation
Index ¶
- Constants
- Variables
- func DefaultRequirement(identifier string, certs []*x509.Certificate) ([]byte, error)
- func MarkHandledExtensions(cert *x509.Certificate)
- func Sign(ctx context.Context, cert *certloader.Certificate, params *SignatureParams) ([]byte, *pkcs9.TimestampedSignature, error)
- func TeamID(cert *x509.Certificate) string
- type CodeDirectory
- type CodeDirectoryHeader
- type HashType
- type Requirement
- type RequirementType
- type Requirements
- type SigBlob
- type SignatureFlags
- type SignatureParams
- type VerifiedBlob
- type VerifyParams
Constants ¶
const RootCA = `` /* 1700-byte string literal not displayed */
RootCA lists known proprietary certificate roots
Variables ¶
// Leaf-certificate key-usage extensions. Every identifier below is a child of
// the CodeSign arc (1.2.840.113635.100.6.1); only the final arc distinguishes
// the capability the issuer endorsed the key for. Presence of one of these
// extensions states what the issuer endorsed, nothing more: it is not a
// substitute for verifying the chain up to RootCA.
var (
	CodeSign                     = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1}
	CodeSignApple                = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 1}
	CodeSignIphoneDev            = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 2}
	CodeSignIphoneApple          = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 3}
	CodeSignIphoneSubmit         = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 4}
	CodeSignSafariExtension      = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 5}
	CodeSignMacAppSubmit         = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 7}
	CodeSignMacInstallerSubmit   = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 8}
	CodeSignMacAppStore          = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 9}
	CodeSignMacAppStoreInstaller = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 10}
	CodeSignMacDev               = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 12}
	CodeSignDevIDExecute         = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 13}
	CodeSignDevIDInstall         = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 14}
	CodeSignDevIDKernel          = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 1, 18}
)
Extensions for specific types of key usage. These endorse a leaf certificate to create signatures with the named capability. https://images.apple.com/certificateauthority/pdf/Apple_WWDR_CPS_v1.22.pdf
// Intermediate-certificate extensions. Every identifier below is a child of
// the Intermediate arc (1.2.840.113635.100.6.2); the final arc names which
// kind of leaf the intermediate is endorsed to issue. A leaf's key-usage
// extension (CodeSign*) and its issuer's Intermediate* extension are
// separate assertions and are checked separately.
var (
	Intermediate      = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 2}
	IntermediateWWDR  = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 2, 1}
	IntermediateITMS  = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 2, 2}
	IntermediateAAI   = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 2, 3}
	IntermediateDevID = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 6, 2, 6}
)
These endorse an intermediate certificate to sign a certain type of leaf.
// Authenticated (signed) attribute identifiers. In CMS, authenticated
// attributes are covered by the signer's signature, so these are the values
// that bind the code directory digests to the signer. Both live under the
// 1.2.840.113635.100.9 arc.
var (
	// AttrCodeDirHashPlist holds a plist with (truncated) hashes of each code
	// directory found in the signature
	AttrCodeDirHashPlist = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 9, 1}
	// AttrCodeDirHashes is a set of code directory digests identified by ASN.1
	// algorithm
	AttrCodeDirHashes = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 9, 2}
)
Authenticated (signed) attributes found in a signature.
Functions ¶
func DefaultRequirement ¶
func DefaultRequirement(identifier string, certs []*x509.Certificate) ([]byte, error)
func MarkHandledExtensions ¶
func MarkHandledExtensions(cert *x509.Certificate)
MarkHandledExtensions marks the proprietary critical extensions as handled so that certificate chain verification, which would otherwise reject a certificate carrying an unhandled critical extension, can proceed.
func Sign ¶
func Sign(ctx context.Context, cert *certloader.Certificate, params *SignatureParams) ([]byte, *pkcs9.TimestampedSignature, error)
func TeamID ¶
func TeamID(cert *x509.Certificate) string
TeamID returns the team identifier found in an Apple-issued leaf certificate, or "" if none is found.
Types ¶
type CodeDirectory ¶
// CodeDirectory is a code directory blob taken from a signature. The digest
// fields are the values the directory carries; nothing on this page shows them
// being compared against the content they describe, so treat them as claims
// made by the signature until that comparison has been done.
type CodeDirectory struct {
	Header          CodeDirectoryHeader
	SigningIdentity string      // bundle ID (cf. SignatureParams.SigningIdentity)
	TeamIdentifier  string      // team ID from the signing certificate (cf. SignatureParams.TeamIdentifier)
	HashFunc        crypto.Hash // digest algorithm used for the hashes below — presumably derived from Header.HashType
	CodeHashes      [][]byte    // one digest per code page; expected to number Header.CodeSlotCount — verify when parsing
	ManifestHash    []byte      // digest of the Info.plist manifest (cf. SignatureParams.InfoPlist)
	RequirementsHash []byte     // digest of the embedded requirements blob
	ResourcesHash   []byte      // digest of CodeResources (cf. SignatureParams.Resources)
	EntitlementsHash []byte     // digest of the entitlement blob
	EntitlementsDERHash []byte  // digest of the DER-encoded entitlement blob
	RepSpecificHash []byte      // digest of the representation-specific data, e.g. a DMG header (cf. SignatureParams.RepSpecific)
	Raw             []byte      // encoded directory bytes as found in the signature
	CDHash          []byte      // digest of Raw; presumably the value carried in the AttrCodeDirHashes attribute — confirm
	IType           uint32      // NOTE(review): meaning not shown on this page — confirm against the parser
}
type CodeDirectoryHeader ¶
// CodeDirectoryHeader is the fixed header of a code directory blob. Its
// offsets and counts come from the signature being parsed, so any parser must
// bounds-check them against the blob length before using them to index into
// the blob; the parsing code is not shown on this page.
type CodeDirectoryHeader struct {
	Magic            csMagic        // blob magic identifying a code directory
	Length           uint32         // blob length in bytes — presumably
	Version          uint32         // format version; gates the optional fields below
	Flags            SignatureFlags // see SignatureFlags
	HashOffset       uint32         // offset of the hash slots — presumably from the blob start
	IdentOffset      uint32         // offset of the signing identity string
	SpecialSlotCount uint32         // number of special slots preceding the code slots — TODO confirm layout
	CodeSlotCount    uint32         // number of code page hashes
	CodeLimit        uint32         // length of code covered by the page hashes
	HashSize         uint8          // size of each hash in bytes
	HashType         HashType       // digest algorithm of the hashes
	PageSizeLog2     uint8          // log2 of the code page size
	// Version >= 0x20100
	ScatterOffset uint32
	// Version >= 0x20200
	TeamOffset uint32 // offset of the team identifier string
	// Version >= 0x20300
	CodeLimit64 int64 // 64-bit replacement for CodeLimit
	// Version >= 0x20400
	ExecSegmentBase  int64
	ExecSegmentLimit int64
	ExecSegmentFlags int64
	// contains filtered or unexported fields
}
type Requirement ¶
// Requirement is a single encoded code requirement. Format renders it as
// text; the encoded form is what is hashed into a code directory's
// RequirementsHash.
type Requirement struct {
	Raw []byte // encoded requirement expression as found in the signature
}
func (*Requirement) Format ¶
func (r *Requirement) Format() (string, error)
type RequirementType ¶
// RequirementType identifies which requirement slot a Requirement occupies
// (it is the key type of Requirements).
type RequirementType uint32
// Requirement slot types, numbered from 1 as in CSCommon.h
// (kSec*RequirementType).
const (
	HostRequirement RequirementType = iota + 1 // 1
	GuestRequirement                           // 2
	DesignatedRequirement                      // 3
	LibraryRequirement                         // 4
	PluginRequirement                          // 5
)
Requirement types as defined in CSCommon.h.
func (RequirementType) String ¶
func (t RequirementType) String() string
type Requirements ¶
// Requirements is the set of requirements embedded in a signature, keyed by
// slot type. It is produced by (*SigBlob).Requirements.
type Requirements map[RequirementType]*Requirement
type SigBlob ¶
// SigBlob is a parsed signature superblob. The byte-slice fields hold the raw
// sub-blobs; Directories holds the parsed code directories and CMS the signed
// data that covers them. Use VerifiedBlob, produced by Verify, rather than a
// bare SigBlob when the signature has to be trusted.
type SigBlob struct {
	// with blob header
	Entitlement     []byte
	EntitlementDER  []byte
	RawRequirements []byte
	NotaryTicket    []byte
	Unknowns        [][]byte // sub-blobs this package does not recognise, kept verbatim
	Directories     []*CodeDirectory
	CMS             *pkcs7.ContentInfoSignedData
}
func (*SigBlob) Requirements ¶
func (b *SigBlob) Requirements() (Requirements, error)
type SignatureFlags ¶
// SignatureFlags is a bit set of code-signing flags (kSecCodeSignature* in
// CSCommon.h). It appears in CodeDirectoryHeader.Flags and SignatureParams.Flags.
type SignatureFlags uint32
// Signature flag bits, with the same values as kSecCodeSignature* in
// CSCommon.h. The ones most relevant when deciding how much to trust a
// signature are FlagAdhoc (no signer identity) and FlagLinkerSigned.
const (
	FlagHost              SignatureFlags = 0x000001
	FlagAdhoc             SignatureFlags = 0x000002 // ad-hoc signed: no CMS signer to attribute the code to
	FlagForceHard         SignatureFlags = 0x000100
	FlagForceKill         SignatureFlags = 0x000200
	FlagForceExpiration   SignatureFlags = 0x000400
	FlagRestrict          SignatureFlags = 0x000800
	FlagEnforcement       SignatureFlags = 0x001000
	FlagLibraryValidation SignatureFlags = 0x002000
	FlagRuntime           SignatureFlags = 0x010000 // hardened runtime requested
	FlagLinkerSigned      SignatureFlags = 0x020000 // signature was generated by the linker
)
Signature flag values as defined in CSCommon.h.
type SignatureParams ¶
// SignatureParams carries the inputs to Sign. Fields below the marker comment
// are inherited from OldSignature when left empty (see DefaultsFromSignature;
// DefaultsFromBundle fills values from the bundle). When the binary being
// re-signed is not trusted, set Flags, Requirements and Entitlement explicitly
// rather than letting them carry over from the existing signature.
type SignatureParams struct {
	Pages        io.Reader // read page contents
	OldSignature io.Reader // read the existing signature, if any, after the pages
	HashFunc     crypto.Hash
	InfoPlist    []byte // manifest to bind to signature
	Resources    []byte // CodeResources to bind to signature
	// the following are copied from the old signature if empty
	Flags            SignatureFlags
	Requirements     []byte // requirements to embed in signature
	Entitlement      []byte // entitlement to embed in signature
	EntitlementDER   []byte // entitlement in DER format
	RepSpecific      []byte // DMG header
	SigningIdentity  string // bundle ID
	TeamIdentifier   string // team ID from signing cert (set automatically if empty)
	ExecSegmentBase  int64
	ExecSegmentLimit int64
	ExecSegmentFlags int64
}
func (*SignatureParams) DefaultsFromBundle ¶
func (p *SignatureParams) DefaultsFromBundle(cert *certloader.Certificate) error
func (*SignatureParams) DefaultsFromSignature ¶
func (p *SignatureParams) DefaultsFromSignature() error
type VerifiedBlob ¶
// VerifiedBlob is the result of Verify: the parsed signature together with
// the signature that was checked. Which checks Verify performs (chain, code
// directory digests, timestamp) is not shown on this page — consult Verify
// before relying on any one of them.
type VerifiedBlob struct {
	Blob      *SigBlob
	Signature *pkcs9.TimestampedSignature // CMS signature, with its timestamp when one is present — presumably
	HashFunc  crypto.Hash
}
func Verify ¶
func Verify(blob []byte, params VerifyParams) (*VerifiedBlob, error)
type VerifyParams ¶