Update code to use the new MOLCodesignChecker interfaces for codesign…

…ing info.
google · Apr 5, 2024 · a706f5f · a706f5f
1 parent 7d58665
commit a706f5f
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 30 deletions.
diff --git a/Source/common/SNTXPCControlInterface.m b/Source/common/SNTXPCControlInterface.m
@@ -34,8 +34,7 @@ + (NSString *)serviceID {
 #else
   MOLCodesignChecker *cs = [[MOLCodesignChecker alloc] initWithSelf];
   // "teamid.com.google.santa.daemon.xpc"
-  NSString *t = cs.signingInformation[@"teamid"];
-  return [NSString stringWithFormat:@"%@.%@.xpc", t, kBundleID];
+  return [NSString stringWithFormat:@"%@.%@.xpc", cs.teamID, kBundleID];
 #endif
 }
 

diff --git a/Source/santactl/Commands/SNTCommandFileInfo.m b/Source/santactl/Commands/SNTCommandFileInfo.m
@@ -380,21 +380,16 @@ - (SNTAttributeBlock)rule {
     NSError *err;
     MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:&err];
 
-    NSString *cdhash =
-      [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoUnique];
-    NSString *teamID =
-      [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoTeamIdentifier];
-    NSString *identifier =
-      [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoIdentifier];
+    NSString *cdhash = csc.cdhash;
+    NSString *teamID = csc.teamID;
+    NSString *identifier = csc.signingID;
 
     NSString *signingID;
     if (identifier) {
       if (teamID) {
         signingID = [NSString stringWithFormat:@"%@:%@", teamID, identifier];
       } else {
-        id platformID =
-          [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoPlatformIdentifier];
-        if ([platformID isKindOfClass:[NSNumber class]] && [platformID intValue] != 0) {
+        if (csc.platformBinary) {
           signingID = [NSString stringWithFormat:@"platform:%@", identifier];
         }
       }
@@ -522,21 +517,21 @@ - (SNTAttributeBlock)universalSigningChain {
 - (SNTAttributeBlock)teamID {
   return ^id(SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
     MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
-    return [csc.signingInformation valueForKey:@"teamid"];
+    return csc.teamID;
   };
 }
 
 - (SNTAttributeBlock)signingID {
   return ^id(SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
     MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
-    return [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoIdentifier];
+    return csc.signingID;
   };
 }
 
 - (SNTAttributeBlock)cdhash {
   return ^id(SNTCommandFileInfo *cmd, SNTFileInfo *fileInfo) {
     MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
-    return [csc.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoUnique];
+    return csc.cdhash;
   };
 }
 

diff --git a/Source/santactl/Commands/SNTCommandRule.m b/Source/santactl/Commands/SNTCommandRule.m
@@ -259,8 +259,7 @@ - (void)runWithArguments:(NSArray *)arguments {
       newRule.identifier = cs.leafCertificate.SHA256;
     } else if (newRule.type == SNTRuleTypeCDHash) {
       MOLCodesignChecker *cs = [fi codesignCheckerWithError:NULL];
-      newRule.identifier =
-        [cs.signingInformation objectForKey:(__bridge NSString *)kSecCodeInfoIdentifier];
+      newRule.identifier = cs.signingID;
     } else if (newRule.type == SNTRuleTypeTeamID || newRule.type == SNTRuleTypeSigningID) {
       // noop
     }
@@ -439,6 +438,30 @@ - (void)printStateOfRule:(SNTRule *)rule daemonConnection:(MOLXPCConnection *)da
   exit(0);
 }
 
+- (void)printStateOfRuleAsJSON:(SNTRule *)rule daemonConnection:(MOLXPCConnection *)daemonConn {
+  id<SNTDaemonControlXPC> rop = [daemonConn synchronousRemoteObjectProxy];
+  __block NSString *output;
+
+  struct RuleIdentifiers identifiers = {
+    .cdhash = (rule.type == SNTRuleTypeCDHash) ? rule.identifier : nil,
+    .binarySHA256 = (rule.type == SNTRuleTypeBinary) ? rule.identifier : nil,
+    .certificateSHA256 = (rule.type == SNTRuleTypeCertificate) ? rule.identifier : nil,
+    .teamID = (rule.type == SNTRuleTypeTeamID) ? rule.identifier : nil,
+    .signingID = (rule.type == SNTRuleTypeSigningID) ? rule.identifier : nil,
+  };
+
+  [rop databaseRuleForIdentifiers:[[SNTRuleIdentifiers alloc] initWithRuleIdentifiers:identifiers]
+                            reply:^(SNTRule *r) {
+                              output = [SNTCommandRule stringifyRule:r
+                                                           withColor:(isatty(STDOUT_FILENO) == 1)];
+                            }];
+
+  printf("%s\n", output.UTF8String);
+  exit(0);
+}
+
+
+
 - (void)importJSONFile:(NSString *)jsonFilePath with:(SNTRuleCleanup)cleanupType {
   // If the file exists parse it and then add the rules one at a time.
   NSError *error;

diff --git a/Source/santad/SNTExecutionControllerTest.mm b/Source/santad/SNTExecutionControllerTest.mm
@@ -387,9 +387,7 @@ - (void)testSigningIDBlockRule {
 }
 
 - (void)testTeamIDAllowRule {
-  OCMStub([self.mockCodesignChecker signingInformation]).andReturn((@{
-    (__bridge NSString *)kSecCodeInfoTeamIdentifier : @(kExampleTeamID),
-  }));
+  OCMStub([self.mockCodesignChecker teamID]).andReturn(@(kExampleTeamID));
 
   SNTRule *rule = [[SNTRule alloc] init];
   rule.state = SNTRuleStateAllow;
@@ -405,9 +403,7 @@ - (void)testTeamIDAllowRule {
 }
 
 - (void)testTeamIDBlockRule {
-  OCMStub([self.mockCodesignChecker signingInformation]).andReturn((@{
-    (__bridge NSString *)kSecCodeInfoTeamIdentifier : @(kExampleTeamID),
-  }));
+  OCMStub([self.mockCodesignChecker teamID]).andReturn(@(kExampleTeamID));
 
   SNTRule *rule = [[SNTRule alloc] init];
   rule.state = SNTRuleStateBlock;

diff --git a/Source/santad/SNTPolicyProcessor.m b/Source/santad/SNTPolicyProcessor.m
@@ -90,22 +90,17 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
       cd.certSHA256 = csInfo.leafCertificate.SHA256;
       cd.certCommonName = csInfo.leafCertificate.commonName;
       cd.certChain = csInfo.certificates;
-      cd.teamID = teamID
-                    ?: [csInfo.signingInformation
-                         objectForKey:(__bridge NSString *)kSecCodeInfoTeamIdentifier];
+      cd.teamID = teamID ?: csInfo.teamID;
 
       // Ensure that if no teamID exists that the signing info confirms it is a
       // platform binary. If not, remove the signingID.
       if (!cd.teamID && cd.signingID) {
-        id platformID = [csInfo.signingInformation
-          objectForKey:(__bridge NSString *)kSecCodeInfoPlatformIdentifier];
-        if (![platformID isKindOfClass:[NSNumber class]] || [platformID intValue] == 0) {
+        if (!csInfo.platformBinary) {
           cd.signingID = nil;
         }
       }
 
-      NSDictionary *entitlements =
-        csInfo.signingInformation[(__bridge NSString *)kSecCodeInfoEntitlementsDict];
+      NSDictionary *entitlements = csInfo.entitlements;
 
       if (entitlementsFilterCallback) {
         cd.entitlements = entitlementsFilterCallback(entitlements);