C ++ macOS - 以编程方式检索代码签名证书信息

Question

在Windows上，可以使用CryptQueryObject获取.exe / .dll代码签名证书。

是否有任何c ++（或objective-c）替代方法可以检索用于代码签名的。主题名称和序列号 .app在macOS上？

使用xcode对我的.app进行代码签名没有问题，当我在终端时，我能够看到我的代码已使用正确的证书进行签名。

修改

我的想法是获得类似这个命令行的东西，但是在C ++中。

codesign -v --extract-certificates MyApp.app/ 
| openssl x509 -inform DER -in codesign0 -text 
| grep "Serial" -A 1

Answer 1

这个答案现在可能不是最优的，需要大量的重构，特别是因为我不是macOS开发者，为什么我混合了太多的c / c ++ / objective-c。

请随时编辑此代码，特别是如果内存泄漏，我不知道我有什么CFRelease。

因此，基于不同的来源，我提出了一个解决方案，以编程方式从macOS bundle / app / executable中提取主题公用名（CN）和证书的序列号。以下是基于我的代码的源代码：

• Apple codesign source code to extract-certificates
• An example of how to read SecCertificateRef data
• An example of how to read certificate from bytes using openSSL

这里是代码：

#include <Foundation/Foundation.h>
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>

#include <openssl/bio.h>
#include <openssl/x509.h>
#include <openssl/pem.h>

int main(int argc, const char * argv[]) {    

    NSURL* url = [NSURL URLWithString:@"/Path/To/Your/Codesign/MyApp.app"];
    CFURLRef path = (__bridge CFURLRef)url;

    SecStaticCodeRef codeRef;
    SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &codeRef);      

    SecCSFlags flags = kSecCSInternalInformation
    | kSecCSSigningInformation
    | kSecCSRequirementInformation
    | kSecCSInternalInformation;

    CFDictionaryRef api;
    SecCodeCopySigningInformation(codeRef, flags, &api);

    CFArrayRef certChain = (CFArrayRef)CFDictionaryGetValue(api, kSecCodeInfoCertificates);

    // Get the first certificate from the .app 
    // use the CFIndex count = CFArrayGetCount(certChain); 
    // If you want to process all certificates in a loop (same to codesign source code).
    SecCertificateRef cert = SecCertificateRef(CFArrayGetValueAtIndex(certChain, 0));
    CFDataRef der = SecCertificateCopyData(cert);

    // Use solution from the example or using NSData*.
    //const unsigned char* data = CFDataGetBytePtr(der);    
    //int len = CFDataGetLength(der);
    NSData* data = (__bridge NSData*)der;    

    BIO* bio = BIO_new_mem_buf((void *)[data bytes], (int)[data length]);
    X509* certssl = NULL;
    X509_NAME* subName = NULL;
    X509_NAME_ENTRY* entry = NULL;
    unsigned char* subjectStr;    

    // Read certificate from the BIO 
    // Note that SecCertificateRef is in DER format
    if ( !( certssl = d2i_X509_bio(bio, NULL)))
        return -1;    

    // Get Subject common name (CN)
    if( !( subName= X509_get_subject_name(certssl)))
        return -1;   

    if( !( entry = X509_NAME_get_entry(subName, X509_NAME_get_index_by_NID(subName, NID_commonName, -1))))
        return -1;   

    ASN1_STRING_to_UTF8(&subjectStr, X509_NAME_ENTRY_get_data(entry));    

    // Extract the certificate's serial number.
    ASN1_INTEGER* asn1_serial = X509_get_serialNumber(certssl);
    if (asn1_serial == NULL)
        return -1;    

    // Convert serial number into a char buffer.
    BIGNUM* bnser = ASN1_INTEGER_to_BN(asn1_serial, NULL);
    char* serialStr = BN_bn2hex(bnser);    

    X509_free(certssl);
    BIO_free_all(bio);
    return 0;
}