mirror of https://github.com/opa334/TrollStore.git
Fix intendation
This commit is contained in:
parent
4d2bfbf667
commit
7d0f525f51
330
Helper/main.m
330
Helper/main.m
|
@ -24,7 +24,7 @@ extern NSString* BKSOpenApplicationOptionKeyActivateForEvent;
|
||||||
extern void BKSTerminateApplicationForReasonAndReportWithDescription(NSString *bundleID, int reasonID, bool report, NSString *description);
|
extern void BKSTerminateApplicationForReasonAndReportWithDescription(NSString *bundleID, int reasonID, bool report, NSString *description);
|
||||||
|
|
||||||
typedef CF_OPTIONS(uint32_t, SecCSFlags) {
|
typedef CF_OPTIONS(uint32_t, SecCSFlags) {
|
||||||
kSecCSDefaultFlags = 0
|
kSecCSDefaultFlags = 0
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -202,213 +202,213 @@ int runLdid(NSArray* args, NSString** output, NSString** errorOutput)
|
||||||
|
|
||||||
SecStaticCodeRef getStaticCodeRef(NSString *binaryPath)
|
SecStaticCodeRef getStaticCodeRef(NSString *binaryPath)
|
||||||
{
|
{
|
||||||
if(binaryPath == nil)
|
if(binaryPath == nil)
|
||||||
{
|
{
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
CFURLRef binaryURL = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, (__bridge CFStringRef)binaryPath, kCFURLPOSIXPathStyle, false);
|
CFURLRef binaryURL = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, (__bridge CFStringRef)binaryPath, kCFURLPOSIXPathStyle, false);
|
||||||
if(binaryURL == NULL)
|
if(binaryURL == NULL)
|
||||||
{
|
{
|
||||||
NSLog(@"[getStaticCodeRef] failed to get URL to binary %@", binaryPath);
|
NSLog(@"[getStaticCodeRef] failed to get URL to binary %@", binaryPath);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
SecStaticCodeRef codeRef = NULL;
|
SecStaticCodeRef codeRef = NULL;
|
||||||
OSStatus result;
|
OSStatus result;
|
||||||
|
|
||||||
result = SecStaticCodeCreateWithPathAndAttributes(binaryURL, kSecCSDefaultFlags, NULL, &codeRef);
|
result = SecStaticCodeCreateWithPathAndAttributes(binaryURL, kSecCSDefaultFlags, NULL, &codeRef);
|
||||||
|
|
||||||
CFRelease(binaryURL);
|
CFRelease(binaryURL);
|
||||||
|
|
||||||
if(result != errSecSuccess)
|
if(result != errSecSuccess)
|
||||||
{
|
{
|
||||||
NSLog(@"[getStaticCodeRef] failed to create static code for binary %@", binaryPath);
|
NSLog(@"[getStaticCodeRef] failed to create static code for binary %@", binaryPath);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
return codeRef;
|
return codeRef;
|
||||||
}
|
}
|
||||||
|
|
||||||
NSDictionary* dumpEntitlements(SecStaticCodeRef codeRef)
|
NSDictionary* dumpEntitlements(SecStaticCodeRef codeRef)
|
||||||
{
|
{
|
||||||
if(codeRef == NULL)
|
if(codeRef == NULL)
|
||||||
{
|
{
|
||||||
NSLog(@"[dumpEntitlements] attempting to dump entitlements without a StaticCodeRef");
|
NSLog(@"[dumpEntitlements] attempting to dump entitlements without a StaticCodeRef");
|
||||||
return nil;
|
return nil;
|
||||||
}
|
}
|
||||||
|
|
||||||
CFDictionaryRef signingInfo = NULL;
|
CFDictionaryRef signingInfo = NULL;
|
||||||
OSStatus result;
|
OSStatus result;
|
||||||
|
|
||||||
result = SecCodeCopySigningInformation(codeRef, kSecCSRequirementInformation, &signingInfo);
|
result = SecCodeCopySigningInformation(codeRef, kSecCSRequirementInformation, &signingInfo);
|
||||||
|
|
||||||
if(result != errSecSuccess)
|
if(result != errSecSuccess)
|
||||||
{
|
{
|
||||||
NSLog(@"[dumpEntitlements] failed to copy signing info from static code");
|
NSLog(@"[dumpEntitlements] failed to copy signing info from static code");
|
||||||
return nil;
|
return nil;
|
||||||
}
|
}
|
||||||
|
|
||||||
NSDictionary *entitlementsNSDict = nil;
|
NSDictionary *entitlementsNSDict = nil;
|
||||||
|
|
||||||
CFDictionaryRef entitlements = CFDictionaryGetValue(signingInfo, kSecCodeInfoEntitlementsDict);
|
CFDictionaryRef entitlements = CFDictionaryGetValue(signingInfo, kSecCodeInfoEntitlementsDict);
|
||||||
if(entitlements == NULL)
|
if(entitlements == NULL)
|
||||||
{
|
{
|
||||||
NSLog(@"[dumpEntitlements] no entitlements specified");
|
NSLog(@"[dumpEntitlements] no entitlements specified");
|
||||||
}
|
}
|
||||||
else if(CFGetTypeID(entitlements) != CFDictionaryGetTypeID())
|
else if(CFGetTypeID(entitlements) != CFDictionaryGetTypeID())
|
||||||
{
|
{
|
||||||
NSLog(@"[dumpEntitlements] invalid entitlements");
|
NSLog(@"[dumpEntitlements] invalid entitlements");
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
entitlementsNSDict = (__bridge NSDictionary *)(entitlements);
|
entitlementsNSDict = (__bridge NSDictionary *)(entitlements);
|
||||||
NSLog(@"[dumpEntitlements] dumped %@", entitlementsNSDict);
|
NSLog(@"[dumpEntitlements] dumped %@", entitlementsNSDict);
|
||||||
}
|
}
|
||||||
|
|
||||||
CFRelease(signingInfo);
|
CFRelease(signingInfo);
|
||||||
return entitlementsNSDict;
|
return entitlementsNSDict;
|
||||||
}
|
}
|
||||||
|
|
||||||
NSDictionary* dumpEntitlementsFromBinaryAtPath(NSString *binaryPath)
|
NSDictionary* dumpEntitlementsFromBinaryAtPath(NSString *binaryPath)
|
||||||
{
|
{
|
||||||
// This function is intended for one-shot checks. Main-event functions should retain/release their own SecStaticCodeRefs
|
// This function is intended for one-shot checks. Main-event functions should retain/release their own SecStaticCodeRefs
|
||||||
|
|
||||||
if(binaryPath == nil)
|
if(binaryPath == nil)
|
||||||
{
|
{
|
||||||
return nil;
|
return nil;
|
||||||
}
|
}
|
||||||
|
|
||||||
SecStaticCodeRef codeRef = getStaticCodeRef(binaryPath);
|
SecStaticCodeRef codeRef = getStaticCodeRef(binaryPath);
|
||||||
if(codeRef == NULL)
|
if(codeRef == NULL)
|
||||||
{
|
{
|
||||||
return nil;
|
return nil;
|
||||||
}
|
}
|
||||||
|
|
||||||
NSDictionary *entitlements = dumpEntitlements(codeRef);
|
NSDictionary *entitlements = dumpEntitlements(codeRef);
|
||||||
CFRelease(codeRef);
|
CFRelease(codeRef);
|
||||||
|
|
||||||
return entitlements;
|
return entitlements;
|
||||||
}
|
}
|
||||||
|
|
||||||
BOOL certificateHasDataForExtensionOID(SecCertificateRef certificate, CFStringRef oidString)
|
BOOL certificateHasDataForExtensionOID(SecCertificateRef certificate, CFStringRef oidString)
|
||||||
{
|
{
|
||||||
if(certificate == NULL || oidString == NULL)
|
if(certificate == NULL || oidString == NULL)
|
||||||
{
|
{
|
||||||
NSLog(@"[certificateHasDataForExtensionOID] attempted to check null certificate or OID");
|
NSLog(@"[certificateHasDataForExtensionOID] attempted to check null certificate or OID");
|
||||||
return NO;
|
return NO;
|
||||||
}
|
}
|
||||||
|
|
||||||
CFDataRef extensionData = SecCertificateCopyExtensionValue(certificate, oidString, NULL);
|
CFDataRef extensionData = SecCertificateCopyExtensionValue(certificate, oidString, NULL);
|
||||||
if(extensionData != NULL)
|
if(extensionData != NULL)
|
||||||
{
|
{
|
||||||
CFRelease(extensionData);
|
CFRelease(extensionData);
|
||||||
return YES;
|
return YES;
|
||||||
}
|
}
|
||||||
|
|
||||||
return NO;
|
return NO;
|
||||||
}
|
}
|
||||||
|
|
||||||
BOOL codeCertChainContainsFakeAppStoreExtensions(SecStaticCodeRef codeRef)
|
BOOL codeCertChainContainsFakeAppStoreExtensions(SecStaticCodeRef codeRef)
|
||||||
{
|
{
|
||||||
if(codeRef == NULL)
|
if(codeRef == NULL)
|
||||||
{
|
{
|
||||||
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] attempted to check cert chain of null static code object");
|
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] attempted to check cert chain of null static code object");
|
||||||
return NO;
|
return NO;
|
||||||
}
|
}
|
||||||
|
|
||||||
CFDictionaryRef signingInfo = NULL;
|
CFDictionaryRef signingInfo = NULL;
|
||||||
OSStatus result;
|
OSStatus result;
|
||||||
|
|
||||||
result = SecCodeCopySigningInformation(codeRef, kSecCSSigningInformation, &signingInfo);
|
result = SecCodeCopySigningInformation(codeRef, kSecCSSigningInformation, &signingInfo);
|
||||||
|
|
||||||
if(result != errSecSuccess)
|
if(result != errSecSuccess)
|
||||||
{
|
{
|
||||||
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] failed to copy signing info from static code");
|
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] failed to copy signing info from static code");
|
||||||
return NO;
|
return NO;
|
||||||
}
|
}
|
||||||
|
|
||||||
CFArrayRef certificates = CFDictionaryGetValue(signingInfo, kSecCodeInfoCertificates);
|
CFArrayRef certificates = CFDictionaryGetValue(signingInfo, kSecCodeInfoCertificates);
|
||||||
if(certificates == NULL || CFArrayGetCount(certificates) == 0)
|
if(certificates == NULL || CFArrayGetCount(certificates) == 0)
|
||||||
{
|
{
|
||||||
return NO;
|
return NO;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we match the standard Apple policy, we are signed properly, but we haven't been deliberately signed with a custom root
|
// If we match the standard Apple policy, we are signed properly, but we haven't been deliberately signed with a custom root
|
||||||
|
|
||||||
SecPolicyRef appleAppStorePolicy = SecPolicyCreateWithProperties(kSecPolicyAppleiPhoneApplicationSigning, NULL);
|
SecPolicyRef appleAppStorePolicy = SecPolicyCreateWithProperties(kSecPolicyAppleiPhoneApplicationSigning, NULL);
|
||||||
|
|
||||||
SecTrustRef trust = NULL;
|
SecTrustRef trust = NULL;
|
||||||
SecTrustCreateWithCertificates(certificates, appleAppStorePolicy, &trust);
|
SecTrustCreateWithCertificates(certificates, appleAppStorePolicy, &trust);
|
||||||
|
|
||||||
if(SecTrustEvaluateWithError(trust, nil))
|
if(SecTrustEvaluateWithError(trust, nil))
|
||||||
{
|
{
|
||||||
CFRelease(trust);
|
CFRelease(trust);
|
||||||
CFRelease(appleAppStorePolicy);
|
CFRelease(appleAppStorePolicy);
|
||||||
CFRelease(signingInfo);
|
CFRelease(signingInfo);
|
||||||
|
|
||||||
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] found certificate extension, but was issued by Apple (App Store)");
|
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] found certificate extension, but was issued by Apple (App Store)");
|
||||||
return NO;
|
return NO;
|
||||||
}
|
}
|
||||||
|
|
||||||
// We haven't matched Apple, so keep going. Is the app profile signed?
|
// We haven't matched Apple, so keep going. Is the app profile signed?
|
||||||
|
|
||||||
CFRelease(appleAppStorePolicy);
|
CFRelease(appleAppStorePolicy);
|
||||||
|
|
||||||
SecPolicyRef appleProfileSignedPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleiPhoneProfileApplicationSigning, NULL);
|
SecPolicyRef appleProfileSignedPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleiPhoneProfileApplicationSigning, NULL);
|
||||||
if(SecTrustSetPolicies(trust, appleProfileSignedPolicy) != errSecSuccess)
|
if(SecTrustSetPolicies(trust, appleProfileSignedPolicy) != errSecSuccess)
|
||||||
{
|
{
|
||||||
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] error replacing trust policy to check for profile-signed app");
|
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] error replacing trust policy to check for profile-signed app");
|
||||||
CFRelease(trust);
|
CFRelease(trust);
|
||||||
CFRelease(signingInfo);
|
CFRelease(signingInfo);
|
||||||
return NO;
|
return NO;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(SecTrustEvaluateWithError(trust, nil))
|
if(SecTrustEvaluateWithError(trust, nil))
|
||||||
{
|
{
|
||||||
CFRelease(trust);
|
CFRelease(trust);
|
||||||
CFRelease(appleProfileSignedPolicy);
|
CFRelease(appleProfileSignedPolicy);
|
||||||
CFRelease(signingInfo);
|
CFRelease(signingInfo);
|
||||||
|
|
||||||
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] found certificate extension, but was issued by Apple (profile-signed)");
|
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] found certificate extension, but was issued by Apple (profile-signed)");
|
||||||
return NO;
|
return NO;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Still haven't matched Apple. Are we using a custom root that would take the App Store fastpath?
|
// Still haven't matched Apple. Are we using a custom root that would take the App Store fastpath?
|
||||||
CFRelease(appleProfileSignedPolicy);
|
CFRelease(appleProfileSignedPolicy);
|
||||||
|
|
||||||
// Cert chain should be of length 3
|
// Cert chain should be of length 3
|
||||||
if(CFArrayGetCount(certificates) != 3)
|
if(CFArrayGetCount(certificates) != 3)
|
||||||
{
|
{
|
||||||
CFRelease(signingInfo);
|
CFRelease(signingInfo);
|
||||||
|
|
||||||
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] certificate chain length != 3");
|
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] certificate chain length != 3");
|
||||||
return NO;
|
return NO;
|
||||||
}
|
}
|
||||||
|
|
||||||
// AppleCodeSigning only checks for the codeSigning EKU by default
|
// AppleCodeSigning only checks for the codeSigning EKU by default
|
||||||
SecPolicyRef customRootPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleCodeSigning, NULL);
|
SecPolicyRef customRootPolicy = SecPolicyCreateWithProperties(kSecPolicyAppleCodeSigning, NULL);
|
||||||
SecPolicySetOptionsValue(customRootPolicy, CFSTR("LeafMarkerOid"), CFSTR("1.2.840.113635.100.6.1.3"));
|
SecPolicySetOptionsValue(customRootPolicy, CFSTR("LeafMarkerOid"), CFSTR("1.2.840.113635.100.6.1.3"));
|
||||||
|
|
||||||
if(SecTrustSetPolicies(trust, customRootPolicy) != errSecSuccess)
|
if(SecTrustSetPolicies(trust, customRootPolicy) != errSecSuccess)
|
||||||
{
|
{
|
||||||
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] error replacing trust policy to check for custom root");
|
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] error replacing trust policy to check for custom root");
|
||||||
CFRelease(trust);
|
CFRelease(trust);
|
||||||
CFRelease(signingInfo);
|
CFRelease(signingInfo);
|
||||||
return NO;
|
return NO;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Need to add our certificate chain to the anchor as it is expected to be a self-signed root
|
// Need to add our certificate chain to the anchor as it is expected to be a self-signed root
|
||||||
SecTrustSetAnchorCertificates(trust, certificates);
|
SecTrustSetAnchorCertificates(trust, certificates);
|
||||||
|
|
||||||
BOOL evaluatesToCustomAnchor = SecTrustEvaluateWithError(trust, nil);
|
BOOL evaluatesToCustomAnchor = SecTrustEvaluateWithError(trust, nil);
|
||||||
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] app signed with non-Apple certificate %@ using valid custom certificates", evaluatesToCustomAnchor ? @"IS" : @"is NOT");
|
NSLog(@"[codeCertChainContainsFakeAppStoreExtensions] app signed with non-Apple certificate %@ using valid custom certificates", evaluatesToCustomAnchor ? @"IS" : @"is NOT");
|
||||||
|
|
||||||
CFRelease(trust);
|
CFRelease(trust);
|
||||||
CFRelease(customRootPolicy);
|
CFRelease(customRootPolicy);
|
||||||
CFRelease(signingInfo);
|
CFRelease(signingInfo);
|
||||||
|
|
||||||
return evaluatesToCustomAnchor;
|
return evaluatesToCustomAnchor;
|
||||||
}
|
}
|
||||||
|
|
||||||
BOOL signApp(NSString* appPath, NSError** error)
|
BOOL signApp(NSString* appPath, NSError** error)
|
||||||
|
@ -421,32 +421,32 @@ BOOL signApp(NSString* appPath, NSError** error)
|
||||||
|
|
||||||
if(![[NSFileManager defaultManager] fileExistsAtPath:executablePath]) return NO;
|
if(![[NSFileManager defaultManager] fileExistsAtPath:executablePath]) return NO;
|
||||||
|
|
||||||
NSObject *tsBundleIsPreSigned = appInfoDict[@"TSBundlePreSigned"];
|
NSObject *tsBundleIsPreSigned = appInfoDict[@"TSBundlePreSigned"];
|
||||||
if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]])
|
if([tsBundleIsPreSigned isKindOfClass:[NSNumber class]])
|
||||||
{
|
{
|
||||||
|
|
||||||
// if TSBundlePreSigned = YES, this bundle has been externally signed so we can skip over signing it now
|
// if TSBundlePreSigned = YES, this bundle has been externally signed so we can skip over signing it now
|
||||||
NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned;
|
NSNumber *tsBundleIsPreSignedNum = (NSNumber *)tsBundleIsPreSigned;
|
||||||
if([tsBundleIsPreSignedNum boolValue] == YES)
|
if([tsBundleIsPreSignedNum boolValue] == YES)
|
||||||
{
|
{
|
||||||
NSLog(@"[signApp] taking fast path for app which declares it has already been signed (%@)", executablePath);
|
NSLog(@"[signApp] taking fast path for app which declares it has already been signed (%@)", executablePath);
|
||||||
return YES;
|
return YES;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
SecStaticCodeRef codeRef = getStaticCodeRef(executablePath);
|
SecStaticCodeRef codeRef = getStaticCodeRef(executablePath);
|
||||||
if(codeRef != NULL)
|
if(codeRef != NULL)
|
||||||
{
|
{
|
||||||
if(codeCertChainContainsFakeAppStoreExtensions(codeRef))
|
if(codeCertChainContainsFakeAppStoreExtensions(codeRef))
|
||||||
{
|
{
|
||||||
NSLog(@"[signApp] taking fast path for app signed using a custom root certificate (%@)", executablePath);
|
NSLog(@"[signApp] taking fast path for app signed using a custom root certificate (%@)", executablePath);
|
||||||
CFRelease(codeRef);
|
CFRelease(codeRef);
|
||||||
return YES;
|
return YES;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
NSLog(@"[signApp] failed to get static code, can't derive entitlements from %@, continuing anways...", executablePath);
|
NSLog(@"[signApp] failed to get static code, can't derive entitlements from %@, continuing anways...", executablePath);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!isLdidInstalled()) return NO;
|
if(!isLdidInstalled()) return NO;
|
||||||
|
@ -456,8 +456,8 @@ BOOL signApp(NSString* appPath, NSError** error)
|
||||||
NSString* errorOutput;
|
NSString* errorOutput;
|
||||||
int ldidRet;
|
int ldidRet;
|
||||||
|
|
||||||
NSDictionary* entitlements = dumpEntitlements(codeRef);
|
NSDictionary* entitlements = dumpEntitlements(codeRef);
|
||||||
CFRelease(codeRef);
|
CFRelease(codeRef);
|
||||||
|
|
||||||
if(!entitlements)
|
if(!entitlements)
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in New Issue