From 375f7bd9cc5868ab5c35a07c0d2b9939a484e498 Mon Sep 17 00:00:00 2001
From: Pete Markowsky
Date: Fri, 5 Apr 2024 12:27:33 -0400
Subject: [PATCH] Fix: Update code to use the new MOLCodesignChecker interfaces for codesigning info (#1322)
* Update code to use the new MOLCodesignChecker interfaces for codesigning info.
---
 Source/common/SNTXPCControlInterface.m | 3 +--
 Source/santactl/Commands/SNTCommandFileInfo.m | 19 +++++++------------
 Source/santactl/Commands/SNTCommandRule.m | 3 +--
 Source/santad/SNTExecutionControllerTest.mm | 8 ++------
 Source/santad/SNTPolicyProcessor.m | 11 +++--------
 5 files changed, 14 insertions(+), 30 deletions(-)
diff --git a/Source/common/SNTXPCControlInterface.m b/Source/common/SNTXPCControlInterface.m
index 07f4c7a55..c2a388120 100644
--- a/Source/common/SNTXPCControlInterface.m
+++ b/Source/common/SNTXPCControlInterface.m
@@ -34,8 +34,7 @@ + (NSString *)serviceID {
 #else
 MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithSelf];
 // "teamid.com.google.santa.daemon.xpc"
- NSString *t = cs.signingInformation[@"teamid"];
- return [NSString stringWithFormat:@"%@.%@.xpc", t, kBundleID];
+ return [NSString stringWithFormat:@"%@.%@.xpc", cs.teamID, kBundleID];
 #endif
 }
diff --git a/Source/santactl/Commands/SNTCommandFileInfo.m b/Source/santactl/Commands/SNTCommandFileInfo.m
index fadb710ff..a3b086bf9 100644
--- a/Source/santactl/Commands/SNTCommandFileInfo.m
+++ b/Source/santactl/Commands/SNTCommandFileInfo.m
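Review bot: `cs.teamID` can be nil when the running binary is not signed with a Team ID, and `stringWithFormat:` then silently yields `(null).com.google.santa.daemon.xpc` as the service name rather than failing; the removed dictionary lookup had the same gap, but the typed accessor makes it easy to guard now. Since the comment documents the name as "teamid.com.google.santa.daemon.xpc", a constant non-team-scoped name would presumably weaken the identity the control interface is registered under, so consider `NSAssert(cs.teamID, @"serviceID requires a Team ID in the daemon's signature");` (or an explicit log-and-fail) before the format call. The `#if`/`#else` split of serviceID starts before the hunk, so this applies only to the release path visible here.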
@@ -380,21 +380,16 @@ - (SNTAttributeBlock)rule {
 NSError *err;
 MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:&err];
- NSString *cdhash =
- [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoUnique];
- NSString *teamID =
- [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoTeamIdentifier];
- NSString *identifier =
- [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoIdentifier];
+ NSString *cdhash = csc.cdhash;
+ NSString *teamID = csc.teamID;
+ NSString *identifier = csc.signingID;
 NSString *signingID;
 if (identifier) {
 if (teamID) {
 signingID = [NSString stringWithFormat:@"%@:%@", teamID, identifier];
 } else {
- id platformID =
- [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoPlatformIdentifier];
- if ([platformID isKindOfClass:[NSNumber class]] && [platformID intValue] != 0) {
+ if (csc.platformBinary) {
 signingID = [NSString stringWithFormat:@"platform:%@", identifier];
 }
 }
@@ -522,21 +517,21 @@ - (SNTAttributeBlock)universalSigningChain {
 - (SNTAttributeBlock)teamID {
 return ^id(SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
 MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
- return [csc.signingInformation valueForKey:@"teamid"];
+ return csc.teamID;
 };
 }
 - (SNTAttributeBlock)signingID {
 return ^id(SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
 MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
- return [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoIdentifier];
+ return csc.signingID;
 };
 }
 - (SNTAttributeBlock)cdhash {
 return ^id(SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
 MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
- return [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoUnique];
+ return csc.cdhash;
 };
 }
diff --git a/Source/santactl/Commands/SNTCommandRule.m b/Source/santactl/Commands/SNTCommandRule.m
index 3a7954b1d..248e71213 100644
--- a/Source/santactl/Commands/SNTCommandRule.m
+++ b/Source/santactl/Commands/SNTCommandRule.m
@@ -259,8 +259,7 @@ - (void)runWithArguments:(NSArray *)arguments {
 newRule.identifier = cs.leafCertificate.SHA256;
 } else if (newRule.type == SNTRuleTypeCDHash) {
 MOLCodesignChecker *cs = [fi codesignCheckerWithError:NULL];
- newRule.identifier =
- [cs.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoIdentifier];
+ newRule.identifier = cs.signingID;
 } else if (newRule.type == SNTRuleTypeTeamID || newRule.type == SNTRuleTypeSigningID) {
 // noop
 }
diff --git a/Source/santad/SNTExecutionControllerTest.mm b/Source/santad/SNTExecutionControllerTest.mm
index 017ab58d9..858df062f 100644
--- a/Source/santad/SNTExecutionControllerTest.mm
+++ b/Source/santad/SNTExecutionControllerTest.mm
@@ -387,9 +387,7 @@ - (void)testSigningIDBlockRule {
 }
 - (void)testTeamIDAllowRule {
- OCMStub([self.mockCodesignChecker signingInformation]).andReturn((@{
- (__bridge NSString *)kSecCodeInfoTeamIdentifier : @(kExampleTeamID),
- }));
+ OCMStub([self.mockCodesignChecker teamID]).andReturn(@(kExampleTeamID));
 SNTRule *rule = [[SNTRule alloc] init];
 rule.state = SNTRuleStateAllow;
@@ -405,9 +403,7 @@ - (void)testTeamIDAllowRule {
 }
 - (void)testTeamIDBlockRule {
- OCMStub([self.mockCodesignChecker signingInformation]).andReturn((@{
- (__bridge NSString *)kSecCodeInfoTeamIdentifier : @(kExampleTeamID),
- }));
+ OCMStub([self.mockCodesignChecker teamID]).andReturn(@(kExampleTeamID));
 SNTRule *rule = [[SNTRule alloc] init];
 rule.state = SNTRuleStateBlock;
diff --git a/Source/santad/SNTPolicyProcessor.m b/Source/santad/SNTPolicyProcessor.m
index ae67249cc..7b509cf50 100644
--- a/Source/santad/SNTPolicyProcessor.m
+++ b/Source/santad/SNTPolicyProcessor.m
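Review bot: In the `SNTRuleTypeCDHash` branch of SNTCommandRule.m the rule identifier is set to `cs.signingID` (the code-signing identifier), not the CDHash, so a rule created on this path would carry a signing identifier where a cdhash is expected; the removed line had the same mismatch via kSecCodeInfoIdentifier, but the new accessor set exposes `cs.cdhash`, which this same patch uses for the cdhash field in SNTCommandFileInfo.m. Unless the CDHash rule type is deliberately keyed on the signing identifier (nothing visible suggests so), the line should read `newRule.identifier = cs.cdhash;`. A one-line comment would stop this from regressing again: `// CDHash rules are keyed on the code directory hash, not the signing identifier.` runWithArguments: starts and ends outside the hunk, so any downstream validation of the identifier format is not visible here.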
@@ -90,22 +90,17 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
 cd.certSHA256 = csInfo.leafCertificate.SHA256;
 cd.certCommonName = csInfo.leafCertificate.commonName;
 cd.certChain = csInfo.certificates;
- cd.teamID = teamID
- ?: [csInfo.signingInformation
- objectForKey:(__bridge NSString *)kSecCodeInfoTeamIdentifier];
+ cd.teamID = teamID ?: csInfo.teamID;
 // Ensure that if no teamID exists that the signing info confirms it is a
 // platform binary. If not, remove the signingID.
 if (!cd.teamID && cd.signingID) {
- id platformID = [csInfo.signingInformation
- objectForKey:(__bridge NSString *)kSecCodeInfoPlatformIdentifier];
- if (![platformID isKindOfClass:[NSNumber class]] || [platformID intValue] == 0) {
+ if (!csInfo.platformBinary) {
 cd.signingID = nil;
 }
 }
- NSDictionary *entitlements =
- csInfo.signingInformation[(__bridge NSString *)kSecCodeInfoEntitlementsDict];
+ NSDictionary *entitlements = csInfo.entitlements;
 if (entitlementsFilterCallback) {
 cd.entitlements = entitlementsFilterCallback(entitlements);
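Review bot: The signingID-stripping decision now rests entirely on `csInfo.platformBinary`, whereas the removed code only accepted a platform binary when kSecCodeInfoPlatformIdentifier was an NSNumber with a non-zero value; if the property maps that key any more loosely (for example treating mere presence of the key as true), a non-Apple binary without a Team ID would keep its signingID and could match SigningID rules it should not. Please confirm the property preserves the non-zero check, and pin the expectation in the comment above the `if`: `// platformBinary must reflect a non-zero kSecCodeInfoPlatformIdentifier; a bare signingID is only trusted for Apple platform code.` Relatedly, `cd.teamID = teamID ?: csInfo.teamID;` lets the caller-supplied teamID win without being compared against the signature's own Team ID, so a short note on where `teamID` originates and whether it is already validated upstream would help the next reader. decisionForFileInfo: starts before the hunk.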