Changeset 89018 in vbox for trunk

Timestamp:

May 12, 2021 4:28:56 PM (4 years ago)

Author:

vboxsync

Message:

SUPDev,IPRT: On darwin allow Mac dev certs as long as it is a build using test signing. bugref:10004

Location:

trunk

Files:

• include/iprt/crypto/applecodesign.h (modified) (1 diff)
• src/VBox/HostDrivers/Support/Makefile.kmk (modified) (1 diff)
• src/VBox/HostDrivers/Support/darwin/SUPDrv-darwin.cpp (modified) (2 diffs)
• src/VBox/Runtime/common/crypto/x509-certpaths.cpp (modified) (1 diff)
• src/VBox/Runtime/tools/RTSignTool.cpp (modified) (2 diffs)

trunk/include/iprt/crypto/applecodesign.h

@@ -39 +39 @@
  */
 
+/** Apple developer ID for iPhone application software development signing. */
+#define RTCR_APPLE_CS_DEVID_IPHONE_SW_DEV_OID           "1.2.840.113635.100.6.1.2"
+/** Apple developer ID for Mac application software development signing. */
+#define RTCR_APPLE_CS_DEVID_MAC_SW_DEV_OID              "1.2.840.113635.100.6.1.12"
 /** Apple developer ID for application signing. */
 #define RTCR_APPLE_CS_DEVID_APPLICATION_OID             "1.2.840.113635.100.6.1.13"

trunk/src/VBox/HostDrivers/Support/Makefile.kmk

@@ -635 +635 @@
  if defined(VBOX_WITH_DARWIN_R0_DARWIN_IMAGE_VERIFICATION) && defined(VBOX_SIGNING_MODE)
   VBoxDrv_DEFS.darwin    += VBOX_WITH_DARWIN_R0_DARWIN_IMAGE_VERIFICATION
+  ifeq ($(VBOX_SIGNING_MODE),test)
+   VBoxDrv_DEFS.darwin   += VBOX_WITH_DARWIN_R0_TEST_SIGN
+  endif
  endif
  ifdef VBOX_WITH_NETFLT

trunk/src/VBox/HostDrivers/Support/darwin/SUPDrv-darwin.cpp

@@ -1320 +1320 @@
         uint32_t cDevIdApp  = 0;
         uint32_t cDevIdKext = 0;
+        uint32_t cDevIdMacDev = 0;
         for (uint32_t i = 0; i < pCert->TbsCertificate.T3.Extensions.cItems; i++)
         {
@@ -1337 +1338 @@
                                        "Dev ID kext certificate extension is not flagged critical");
             }
-        }
+            else if (RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCR_APPLE_CS_DEVID_MAC_SW_DEV_OID) == 0)
+            {
+                cDevIdMacDev++;
+                if (!pExt->Critical.fValue)
+                    rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
+                                       "Dev ID MAC SW dev certificate extension is not flagged critical");
+            }
+        }
+# ifdef VBOX_WITH_DARWIN_R0_TEST_SIGN
+        /*
+         * Mac application software development certs do not have the usually required extensions.
+         */
+        if (cDevIdMacDev)
+        {
+            cDevIdApp++;
+            cDevIdKext++;
+        }
+# endif
         if (cDevIdApp == 0)
             rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,

trunk/src/VBox/Runtime/common/crypto/x509-certpaths.cpp

@@ -2583 +2583 @@
                 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_INSTALLER_OID) != 0
                 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_KEXT_OID) != 0
+                && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_IPHONE_SW_DEV_OID) != 0
+                && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_MAC_SW_DEV_OID) != 0
                )
                 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION,

trunk/src/VBox/Runtime/tools/RTSignTool.cpp

@@ -1372 +1372 @@
         else if (pState->enmSignType == VERIFYEXESTATE::kSignType_OSX)
         {
-            uint32_t cDevIdApp  = 0;
-            uint32_t cDevIdKext = 0;
+            uint32_t cDevIdApp    = 0;
+            uint32_t cDevIdKext   = 0;
+            uint32_t cDevIdMacDev = 0;
             for (uint32_t i = 0; i < pCert->TbsCertificate.T3.Extensions.cItems; i++)
             {
@@ -1391 +1392 @@
                                            "Dev ID kext certificate extension is not flagged critical");
                 }
+                else if (RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCR_APPLE_CS_DEVID_MAC_SW_DEV_OID) == 0)
+                {
+                    cDevIdMacDev++;
+                    if (!pExt->Critical.fValue)
+                        rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
+                                           "Dev ID Mac SW dev certificate extension is not flagged critical");
+                }
             }
             if (cDevIdApp == 0)
-                rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
-                                   "Certificate is missing the 'Dev ID Application' extension");
+            {
+                if (cDevIdMacDev == 0)
+                    rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
+                                       "Certificate is missing the 'Dev ID Application' extension");
+                else
+                    RTMsgWarning("Mac SW dev certificate used to sign code.");
+            }
             if (cDevIdKext == 0 && pState->fKernel)
-                rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
-                                   "Certificate is missing the 'Dev ID kext' extension");
+            {
+                if (cDevIdMacDev == 0)
+                    rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
+                                       "Certificate is missing the 'Dev ID kext' extension");
+                else
+                    RTMsgWarning("Mac SW dev certificate used to sign kernel code.");
+            }
         }
     }