Changeset 74767 in vbox for trunk/src/VBox/Runtime/tools
- Timestamp:
- Oct 11, 2018 12:16:21 PM (6 years ago)
- File:
-
- 1 edited
trunk/src/VBox/Runtime/tools/RTSignTool.cpp
r74760 r74767 46 46 # include <iprt/formats/pecoff.h> 47 47 #endif 48 #include <iprt/crypto/applecodesign.h> 48 49 #include <iprt/crypto/digest.h> 49 50 #include <iprt/crypto/x509.h> … … 1312 1313 { 1313 1314 /* 1314 * If kernel signing, a valid certificate path must be anchored by the1315 * microsoft kernel signing root certificate. The only alternative is1316 * test signing.1315 * If windows kernel signing, a valid certificate path must be anchored 1316 * by the microsoft kernel signing root certificate. The only 1317 * alternative is test signing. 1317 1318 */ 1318 if (pState->fKernel && hCertPaths != NIL_RTCRX509CERTPATHS) 1319 if ( pState->fKernel 1320 && hCertPaths != NIL_RTCRX509CERTPATHS 1321 && pState->enmSignType == VERIFYEXESTATE::kSignType_Windows) 1319 1322 { 1320 1323 uint32_t cFound = 0; … … 1362 1365 RTMsgWarning("%u valid paths, expected 2", cValid); 1363 1366 } 1367 /* 1368 * For Mac OS X signing, check for special developer ID attributes. 1369 */ 1370 else if (pState->enmSignType == VERIFYEXESTATE::kSignType_OSX) 1371 { 1372 uint32_t cDevIdApp = 0; 1373 uint32_t cDevIdKext = 0; 1374 for (uint32_t i = 0; i < pCert->TbsCertificate.T3.Extensions.cItems; i++) 1375 { 1376 PCRTCRX509EXTENSION pExt = pCert->TbsCertificate.T3.Extensions.papItems[i]; 1377 if (RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCR_APPLE_CS_DEVID_APPLICATION_OID) == 0) 1378 { 1379 cDevIdApp++; 1380 if (!pExt->Critical.fValue) 1381 rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, 1382 "Dev ID Application certificate extension is not flagged critical"); 1383 } 1384 else if (RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCR_APPLE_CS_DEVID_KEXT_OID) == 0) 1385 { 1386 cDevIdKext++; 1387 if (!pExt->Critical.fValue) 1388 rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, 1389 "Dev ID kext certificate extension is not flagged critical"); 1390 } 1391 } 1392 if (cDevIdApp == 0) 1393 rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, 1394 "Certificate is missing the 'Dev ID Application' 
extension"); 1395 if (cDevIdKext == 0 && pState->fKernel) 1396 rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, 1397 "Certificate is missing the 'Dev ID kext' extension"); 1398 } 1364 1399 } 1365 1400 … … 1418 1453 } 1419 1454 1420 /** Worker for HandleVerifyExe. */ 1455 /** 1456 * Worker for HandleVerifyExe. 1457 */ 1421 1458 static RTEXITCODE HandleVerifyExeWorker(VERIFYEXESTATE *pState, const char *pszFilename, PRTERRINFOSTATIC pStaticErrInfo) 1422 1459 { … … 1546 1583 * Populate the certificate stores according to the signing type. 1547 1584 */ 1548 # ifdef VBOX1585 # ifdef VBOX 1549 1586 unsigned cSets = 0; 1550 1587 struct STSTORESET aSets[6]; 1551 #endif1552 1553 1588 switch (State.enmSignType) 1554 1589 { 1555 1590 case VERIFYEXESTATE::kSignType_Windows: 1556 #ifdef VBOX1557 1591 aSets[cSets].hStore = State.hRootStore; 1558 1592 aSets[cSets].paTAs = g_aSUPTimestampTAs; … … 1571 1605 aSets[cSets].cTAs = g_cSUPNtKernelRootTAs; 1572 1606 cSets++; 1573 #endif1574 1607 break; 1575 1608 1576 1609 case VERIFYEXESTATE::kSignType_OSX: 1577 return RTMsgErrorExit(RTEXITCODE_FAILURE, "Mac OS X executable signing is not implemented."); 1578 } 1579 1580 #ifdef VBOX 1610 aSets[cSets].hStore = State.hRootStore; 1611 aSets[cSets].paTAs = g_aSUPAppleRootTAs; 1612 aSets[cSets].cTAs = g_cSUPAppleRootTAs; 1613 cSets++; 1614 break; 1615 } 1581 1616 for (unsigned i = 0; i < cSets; i++) 1582 1617 for (unsigned j = 0; j < aSets[i].cTAs; j++) … … 1588 1623 i, j, StaticErrInfo.szMsg); 1589 1624 } 1590 # endif1625 # endif /* VBOX */ 1591 1626 1592 1627 /*
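Review bot: In the new kSignType_OSX branch each of the four `RTErrInfoSetF` calls overwrites pErrInfo unconditionally, so a certificate that is both missing 'Dev ID Application' and (for a kext) missing 'Dev ID kext' reports only the last message, and a non-critical-extension failure found in the loop is replaced by the later count checks; if `rc` enters this block as a success status, guarding the later assignments with `if (RT_SUCCESS(rc))` (or `break`ing out of the loop on the first failure) keeps the first diagnosis. The branch also differs from the Windows branch directly above it in not requiring `hCertPaths != NIL_RTCRX509CERTPATHS`, so it is worth a comment stating that the extension check is intentionally made on `pCert` even when no validated path is available, or adding that condition if it is not intentional. In HandleVerifyExe the whole `switch (State.enmSignType)` now sits under `#ifdef VBOX` and has no `default:`, so a non-VBOX build no longer reaches the former "not implemented" error for OSX and a future enum value would add no trust anchors; whether that fails closed depends on what State.hRootStore already holds, which is not visible here, so a `default: return RTMsgErrorExit(RTEXITCODE_FAILURE, "Unknown signing type");` arm would make it explicit. The enclosing function of the first hunk begins before the hunk.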