Changeset 74767 in vbox for trunk/src/VBox
- Timestamp:
- Oct 11, 2018 12:16:21 PM (6 years ago)
- Location:
- trunk/src/VBox
- Files:
-
- 2 added
- 2 edited
- 1 moved
trunk/src/VBox/HostDrivers/Support/Makefile.kmk
r73705 r74767 91 91 NtRootMicrosoft7=NtRoot-MicrosoftCodeVerificationRoot-729404101f3e0ca347837fca175a8438.taf \ 92 92 TimeRootMicrosoft0=Timestamp-CopyrightC1997MicrosoftCorp-01.taf \ 93 TrustedCertVBox0=Trusted-OracleCorporationVirtualBox-51ca009816fdbd80f120e015ee75823e.taf 93 TrustedCertVBox0=Trusted-OracleCorporationVirtualBox-51ca009816fdbd80f120e015ee75823e.taf \ 94 AppleRoot0=AppleRoot-2bd06947947609fef46b8d2e40a6f7474d7f085e.taf \ 95 AppleRoot1=AppleRoot-G2-c499136c1803c27bc0a3a00d7f72807a1c77268d.taf 94 96 VBOX_SUP_WIN_CERT_NAMES := $(foreach cert,$(VBOX_SUP_WIN_CERTS),$(firstword $(subst =,$(SPACE) ,$(cert)))) 95 VBOX_PATH_SUPR3_CERTIFICATES := $(PATH_SUB_CURRENT)/ win/Certificates97 VBOX_PATH_SUPR3_CERTIFICATES := $(PATH_SUB_CURRENT)/Certificates 96 98 97 99 # 1=name, 2=filter, 3=buildcert?. … … 129 131 # Generate certificate lists. 130 132 $(QUIET)$(APPEND) -n "$@" '' \ 131 $(call VBOX_SUP_GEN_CERT_MACRO,All,%,build) \ 132 $(call VBOX_SUP_GEN_CERT_MACRO,SpcRoot,SpcRoot%) \ 133 $(call VBOX_SUP_GEN_CERT_MACRO,NtKernelRoot,NtRoot%) \ 134 $(call VBOX_SUP_GEN_CERT_MACRO,Timestamp,TimeRoot%) \ 135 $(call VBOX_SUP_GEN_CERT_MACRO,Trusted,TrustedCert%,build) 133 $(call VBOX_SUP_GEN_CERT_MACRO,All,%,build) \ 134 $(call VBOX_SUP_GEN_CERT_MACRO,SpcRoot,SpcRoot%) \ 135 $(call VBOX_SUP_GEN_CERT_MACRO,NtKernelRoot,NtRoot%) \ 136 $(call VBOX_SUP_GEN_CERT_MACRO,Timestamp,TimeRoot%) \ 137 $(call VBOX_SUP_GEN_CERT_MACRO,AppleRoot,AppleRoot%) \ 138 $(call VBOX_SUP_GEN_CERT_MACRO,Trusted,TrustedCert%,build) 136 139 137 140 tst: $(VBOX_SUP_WIN_CERTS_FILE) -
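Review bot: The two AppleRoot entries are appended to VBOX_SUP_WIN_CERTS, and the `All` list is still generated with the unrestricted `%` filter and the `build` flag, so the Apple roots are now also swept into whatever consumes the `All` set; if that set is what the Windows host driver trusts, this widens its trust anchors beyond what the variable name suggests. Either tighten the `All` filter so platform-specific roots stay in their own list, or make the intent explicit with a comment above the list such as `# AppleRoot entries are also picked up by the 'All' list via the % filter.`. The certificate list and the generation rule both continue outside the hunk, so I cannot tell from here whether the `All` set feeds Windows verification.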
trunk/src/VBox/Runtime/tools/RTSignTool.cpp
r74760 r74767 46 46 # include <iprt/formats/pecoff.h> 47 47 #endif 48 #include <iprt/crypto/applecodesign.h> 48 49 #include <iprt/crypto/digest.h> 49 50 #include <iprt/crypto/x509.h> … … 1312 1313 { 1313 1314 /* 1314 * If kernel signing, a valid certificate path must be anchored by the1315 * microsoft kernel signing root certificate. The only alternative is1316 * test signing.1315 * If windows kernel signing, a valid certificate path must be anchored 1316 * by the microsoft kernel signing root certificate. The only 1317 * alternative is test signing. 1317 1318 */ 1318 if (pState->fKernel && hCertPaths != NIL_RTCRX509CERTPATHS) 1319 if ( pState->fKernel 1320 && hCertPaths != NIL_RTCRX509CERTPATHS 1321 && pState->enmSignType == VERIFYEXESTATE::kSignType_Windows) 1319 1322 { 1320 1323 uint32_t cFound = 0; … … 1362 1365 RTMsgWarning("%u valid paths, expected 2", cValid); 1363 1366 } 1367 /* 1368 * For Mac OS X signing, check for special developer ID attributes. 1369 */ 1370 else if (pState->enmSignType == VERIFYEXESTATE::kSignType_OSX) 1371 { 1372 uint32_t cDevIdApp = 0; 1373 uint32_t cDevIdKext = 0; 1374 for (uint32_t i = 0; i < pCert->TbsCertificate.T3.Extensions.cItems; i++) 1375 { 1376 PCRTCRX509EXTENSION pExt = pCert->TbsCertificate.T3.Extensions.papItems[i]; 1377 if (RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCR_APPLE_CS_DEVID_APPLICATION_OID) == 0) 1378 { 1379 cDevIdApp++; 1380 if (!pExt->Critical.fValue) 1381 rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, 1382 "Dev ID Application certificate extension is not flagged critical"); 1383 } 1384 else if (RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCR_APPLE_CS_DEVID_KEXT_OID) == 0) 1385 { 1386 cDevIdKext++; 1387 if (!pExt->Critical.fValue) 1388 rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, 1389 "Dev ID kext certificate extension is not flagged critical"); 1390 } 1391 } 1392 if (cDevIdApp == 0) 1393 rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, 1394 "Certificate is missing the 'Dev ID Application' 
extension"); 1395 if (cDevIdKext == 0 && pState->fKernel) 1396 rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, 1397 "Certificate is missing the 'Dev ID kext' extension"); 1398 } 1364 1399 } 1365 1400 … … 1418 1453 } 1419 1454 1420 /** Worker for HandleVerifyExe. */ 1455 /** 1456 * Worker for HandleVerifyExe. 1457 */ 1421 1458 static RTEXITCODE HandleVerifyExeWorker(VERIFYEXESTATE *pState, const char *pszFilename, PRTERRINFOSTATIC pStaticErrInfo) 1422 1459 { … … 1546 1583 * Populate the certificate stores according to the signing type. 1547 1584 */ 1548 # ifdef VBOX1585 # ifdef VBOX 1549 1586 unsigned cSets = 0; 1550 1587 struct STSTORESET aSets[6]; 1551 #endif1552 1553 1588 switch (State.enmSignType) 1554 1589 { 1555 1590 case VERIFYEXESTATE::kSignType_Windows: 1556 #ifdef VBOX1557 1591 aSets[cSets].hStore = State.hRootStore; 1558 1592 aSets[cSets].paTAs = g_aSUPTimestampTAs; … … 1571 1605 aSets[cSets].cTAs = g_cSUPNtKernelRootTAs; 1572 1606 cSets++; 1573 #endif1574 1607 break; 1575 1608 1576 1609 case VERIFYEXESTATE::kSignType_OSX: 1577 return RTMsgErrorExit(RTEXITCODE_FAILURE, "Mac OS X executable signing is not implemented."); 1578 } 1579 1580 #ifdef VBOX 1610 aSets[cSets].hStore = State.hRootStore; 1611 aSets[cSets].paTAs = g_aSUPAppleRootTAs; 1612 aSets[cSets].cTAs = g_cSUPAppleRootTAs; 1613 cSets++; 1614 break; 1615 } 1581 1616 for (unsigned i = 0; i < cSets; i++) 1582 1617 for (unsigned j = 0; j < aSets[i].cTAs; j++) … … 1588 1623 i, j, StaticErrInfo.szMsg); 1589 1624 } 1590 # endif1625 # endif /* VBOX */ 1591 1626 1592 1627 /*
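Review bot: In the new Mac OS X branch every policy failure does `rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, ...)` and then continues, so when more than one check fails only the last message survives in pErrInfo and all of them are reported under the same generic status; the non-critical-extension diagnosis in the loop is overwritten by the later "missing extension" checks, and the `cDevIdApp == 0` message is in turn overwritten by the kext check. Guarding the two trailing checks with `if (RT_SUCCESS(rc) && cDevIdApp == 0)` and `else if (RT_SUCCESS(rc) && cDevIdKext == 0 && pState->fKernel)` keeps the first failure, and a more specific IPRT status than VERR_GENERAL_FAILURE would let callers distinguish a policy failure from an internal error. Unlike the Windows branch above, this branch inspects only pCert's extensions and never looks at hCertPaths; presumably the root store being limited to g_aSUPAppleRootTAs in HandleVerifyExe provides the anchoring, but that is worth confirming with a comment such as `/* Path anchoring is enforced by the Apple-only root store; only the Dev ID extensions are checked here. */`. The enclosing function, and the definitions of rc and pCert, start and end outside the hunk.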