kurash/pkgresign.c

## pkgresign.c
/*
   (c) 2012-2016 Sassafras Software Inc.
   Provided "as is" under the terms of the MIT license, no warranty, use at your own risk
 */

/*
   to build:
   cc pkgresign.c -framework Security -framework CoreFoundation -lxar -o pkgresign
 */

#include <stdio.h>
#include <unistd.h>
#include <sys/fcntl.h>

#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#include <xar/xar.h>


static CFTypeRef sign_pkg (const char *path, off_t *offset);
static CFTypeRef sign_xar (xar_signature_t s);
static SecKeyRef sign_findkey (xar_signature_t s);
static SecCertificateRef sign_cert (xar_signature_t s);


int
main (int argc, char **argv)
{
	CFTypeRef result;
	off_t offset;
	int fd;

	if (argc < 2) {
		fprintf(stderr, "usage: pkgresign installer.pkg\n");
		return(1);
	}

	result = sign_pkg(argv[1], &offset);
	if (result == NULL) {
		fprintf(stderr, "signature failed\n");
		return(1);
	}

	if (CFGetTypeID(result) == CFBooleanGetTypeID())
		return(0);

	if (CFGetTypeID(result) == CFStringGetTypeID()
		|| CFGetTypeID(result) == CFErrorGetTypeID())
	{
		fprintf(stderr, "signature failed:\n");
		CFShow(result);
		return(1);
	}

	fd = open(argv[1], O_RDWR);
	if (fd == -1) {
		fprintf(stderr, "can't open pkg file for writing\n");
		return(1);
	}

	if (lseek(fd, offset, SEEK_SET) == -1) {
		fprintf(stderr, "can't seek to signature offset\n");
		return(1);
	}

	if (write(fd, CFDataGetBytePtr(result), CFDataGetLength(result)) == -1) {
		fprintf(stderr, "failed to write signature\n");
		return(1);
	}

	close(fd);
	return(0);
}

CFTypeRef
sign_pkg (const char *path, off_t *offset)
{
	xar_t x;
	xar_signature_t s;
	CFDataRef result;

	x = xar_open(path, READ);
	if (x == NULL)
		return(CFSTR("can't open pkg file for reading"));

	s = xar_signature_first(x);
	if (s == NULL)
		return(CFSTR("no signatures present"));

	if (offset != NULL) {
		if (xar_signature_copy_signed_data(s, NULL, NULL, NULL, NULL, offset))
			return(CFSTR("signature offset can't be loaded"));
		*offset += xar_get_heap_offset(x);
	}

	result = sign_xar(s);
	xar_close(x);
	return(result);
}

CFTypeRef
sign_xar (xar_signature_t s)
{
	uint8_t *digest, *signed_data;
	uint32_t length, signed_length;
	CFDataRef data;
	SecKeyRef pvtkey;
	SecTransformRef sign;
	CFErrorRef error;
	CFTypeRef result;

	if (xar_signature_copy_signed_data(s, &digest, &length, &signed_data, &signed_length, NULL))
		return(CFSTR("signature can't be loaded"));

	pvtkey = sign_findkey(s);
	if (pvtkey == NULL) {
		result = CFSTR("private key not available");
	} else {
		sign = SecSignTransformCreate(pvtkey, &error);
		if (sign == NULL) {
			result = CFSTR("can't create transform");
		} else {
			data = CFDataCreate(NULL, digest, length);
			if (!SecTransformSetAttribute(sign, kSecTransformInputAttributeName, data, &error)) {
				CFRelease(data);
				if (error)
					result = error;
				else
					result = CFSTR("can't sign data");
			} else {
				CFRelease(data);
				if (!SecTransformSetAttribute(sign, kSecInputIsAttributeName, kSecInputIsDigest, &error)) {
					if (error)
						result = error;
					else
						result = CFSTR("can't sign data");
				} else {
					result = SecTransformExecute(sign, &error);
					if (result == NULL) {
						if (error)
							result = error;
						else
							result = CFSTR("can't sign data");
					} else if (CFDataGetLength(result) != signed_length) {
						CFRelease(result);
						result = NULL;
					} else if (memcmp(CFDataGetBytePtr(result), signed_data, signed_length) == 0) {
						CFRelease(result);
						result = kCFBooleanTrue;
					}
				}
			}
			CFRelease(sign);
		}
		CFRelease(pvtkey);
	}

	free(digest);
	free(signed_data);

	return(result);
}

SecKeyRef
sign_findkey (xar_signature_t s)
{
	SecCertificateRef cert;
	SecIdentityRef identity;
	SecKeyRef key;
	OSStatus err;

	key = NULL;
	cert = sign_cert(s);
	if (cert != NULL) {
		err = SecIdentityCreateWithCertificate(NULL, cert, &identity);
		if (err == 0) {
			err = SecIdentityCopyPrivateKey(identity, &key);
			CFRelease(identity);
		}
		CFRelease(cert);
	}
	return(key);
}

SecCertificateRef
sign_cert (xar_signature_t s)
{
	int32_t i, count;
	uint32_t cert_len;
	const uint8_t *cert_data;
	CFDataRef data;
	SecCertificateRef cert;

	count = xar_signature_get_x509certificate_count(s);
	if (count <= 0)
		return(NULL);

	for (i = 0; i < count; i++) {
		if (xar_signature_get_x509certificate_data(s, i, &cert_data, &cert_len) != 0
			|| cert_len == 0)
		{
			break;
		}
		data = CFDataCreate(NULL, cert_data, cert_len);
		if (data == NULL)
			break;

		cert = SecCertificateCreateWithData(NULL, data);
		CFRelease(data);
		if (cert != NULL)
			return(cert);
	}

	return(NULL);
}
	/*
	(c) 2012-2016 Sassafras Software Inc.
	Provided "as is" under the terms of the MIT license, no warranty, use at your own risk
	*/

	/*
	to build:
	cc pkgresign.c -framework Security -framework CoreFoundation -lxar -o pkgresign
	*/

	#include <stdio.h>
	#include <unistd.h>
	#include <sys/fcntl.h>

	#include <CoreFoundation/CoreFoundation.h>
	#include <Security/Security.h>
	#include <xar/xar.h>


	static CFTypeRef sign_pkg (const char path, off_t offset);
	static CFTypeRef sign_xar (xar_signature_t s);
	static SecKeyRef sign_findkey (xar_signature_t s);
	static SecCertificateRef sign_cert (xar_signature_t s);


	int
	main (int argc, char **argv)
	{
	CFTypeRef result;
	off_t offset;
	int fd;

	if (argc < 2) {
	fprintf(stderr, "usage: pkgresign installer.pkg\n");
	return(1);
	}

	result = sign_pkg(argv[1], &offset);
	if (result == NULL) {
	fprintf(stderr, "signature failed\n");
	return(1);
	}

	if (CFGetTypeID(result) == CFBooleanGetTypeID())
	return(0);

	if (CFGetTypeID(result) == CFStringGetTypeID()
	\|\| CFGetTypeID(result) == CFErrorGetTypeID())
	{
	fprintf(stderr, "signature failed:\n");
	CFShow(result);
	return(1);
	}

	fd = open(argv[1], O_RDWR);
	if (fd == -1) {
	fprintf(stderr, "can't open pkg file for writing\n");
	return(1);
	}

	if (lseek(fd, offset, SEEK_SET) == -1) {
	fprintf(stderr, "can't seek to signature offset\n");
	return(1);
	}

	if (write(fd, CFDataGetBytePtr(result), CFDataGetLength(result)) == -1) {
	fprintf(stderr, "failed to write signature\n");
	return(1);
	}

	close(fd);
	return(0);
	}

	CFTypeRef
	sign_pkg (const char path, off_t offset)
	{
	xar_t x;
	xar_signature_t s;
	CFDataRef result;

	x = xar_open(path, READ);
	if (x == NULL)
	return(CFSTR("can't open pkg file for reading"));

	s = xar_signature_first(x);
	if (s == NULL)
	return(CFSTR("no signatures present"));

	if (offset != NULL) {
	if (xar_signature_copy_signed_data(s, NULL, NULL, NULL, NULL, offset))
	return(CFSTR("signature offset can't be loaded"));
	*offset += xar_get_heap_offset(x);
	}

	result = sign_xar(s);
	xar_close(x);
	return(result);
	}

	CFTypeRef
	sign_xar (xar_signature_t s)
	{
	uint8_t digest, signed_data;
	uint32_t length, signed_length;
	CFDataRef data;
	SecKeyRef pvtkey;
	SecTransformRef sign;
	CFErrorRef error;
	CFTypeRef result;

	if (xar_signature_copy_signed_data(s, &digest, &length, &signed_data, &signed_length, NULL))
	return(CFSTR("signature can't be loaded"));

	pvtkey = sign_findkey(s);
	if (pvtkey == NULL) {
	result = CFSTR("private key not available");
	} else {
	sign = SecSignTransformCreate(pvtkey, &error);
	if (sign == NULL) {
	result = CFSTR("can't create transform");
	} else {
	data = CFDataCreate(NULL, digest, length);
	if (!SecTransformSetAttribute(sign, kSecTransformInputAttributeName, data, &error)) {
	CFRelease(data);
	if (error)
	result = error;
	else
	result = CFSTR("can't sign data");
	} else {
	CFRelease(data);
	if (!SecTransformSetAttribute(sign, kSecInputIsAttributeName, kSecInputIsDigest, &error)) {
	if (error)
	result = error;
	else
	result = CFSTR("can't sign data");
	} else {
	result = SecTransformExecute(sign, &error);
	if (result == NULL) {
	if (error)
	result = error;
	else
	result = CFSTR("can't sign data");
	} else if (CFDataGetLength(result) != signed_length) {
	CFRelease(result);
	result = NULL;
	} else if (memcmp(CFDataGetBytePtr(result), signed_data, signed_length) == 0) {
	CFRelease(result);
	result = kCFBooleanTrue;
	}
	}
	}
	CFRelease(sign);
	}
	CFRelease(pvtkey);
	}

	free(digest);
	free(signed_data);

	return(result);
	}

	SecKeyRef
	sign_findkey (xar_signature_t s)
	{
	SecCertificateRef cert;
	SecIdentityRef identity;
	SecKeyRef key;
	OSStatus err;

	key = NULL;
	cert = sign_cert(s);
	if (cert != NULL) {
	err = SecIdentityCreateWithCertificate(NULL, cert, &identity);
	if (err == 0) {
	err = SecIdentityCopyPrivateKey(identity, &key);
	CFRelease(identity);
	}
	CFRelease(cert);
	}
	return(key);
	}

	SecCertificateRef
	sign_cert (xar_signature_t s)
	{
	int32_t i, count;
	uint32_t cert_len;
	const uint8_t *cert_data;
	CFDataRef data;
	SecCertificateRef cert;

	count = xar_signature_get_x509certificate_count(s);
	if (count <= 0)
	return(NULL);

	for (i = 0; i < count; i++) {
	if (xar_signature_get_x509certificate_data(s, i, &cert_data, &cert_len) != 0
	\|\| cert_len == 0)
	{
	break;
	}
	data = CFDataCreate(NULL, cert_data, cert_len);
	if (data == NULL)
	break;

	cert = SecCertificateCreateWithData(NULL, data);
	CFRelease(data);
	if (cert != NULL)
	return(cert);
	}

	return(NULL);
	}