diff options
| author |  Josef Micka | 2025-06-07 14:44:57 +0200 |
|---|---|---|
| committer |  Nikias Bassen | 2025-06-07 14:46:22 +0200 |
| commit | c40be2774067703209ec5d3b2a975034b2fb7440 (patch) | |
| tree | 1146af2cff5b90ece24a33721a93b9926eaecf07 | |
| parent | 58baf028aef525e337325c0866b5606f2e3b815c (diff) | |
| download | libimobiledevice-c40be2774067703209ec5d3b2a975034b2fb7440.tar.gz libimobiledevice-c40be2774067703209ec5d3b2a975034b2fb7440.tar.bz2 | |
Use SHA256 signature instead of SHA1 for iOS 4 and newer when creating and signing pairing certificates
| -rw-r--r-- | common/userpref.c | 29 | ||||
| -rw-r--r-- | common/userpref.h | 2 | ||||
| -rw-r--r-- | src/lockdown-cu.c | 2 | ||||
| -rw-r--r-- | src/lockdown.c | 2 |
4 files changed, 18 insertions, 17 deletions
diff --git a/common/userpref.c b/common/userpref.c index 08ab7e2..76945e1 100644 --- a/common/userpref.c +++ b/common/userpref.c | |||
| @@ -77,6 +77,7 @@ | |||
| 77 | #define ETIMEDOUT 138 | 77 | #define ETIMEDOUT 138 |
| 78 | #endif | 78 | #endif |
| 79 | 79 | ||
| 80 | #include <libimobiledevice/libimobiledevice.h> | ||
| 80 | #include <libimobiledevice-glue/utils.h> | 81 | #include <libimobiledevice-glue/utils.h> |
| 81 | 82 | ||
| 82 | #include "userpref.h" | 83 | #include "userpref.h" |
| @@ -419,7 +420,7 @@ static int _mbedtls_x509write_crt_set_basic_constraints_critical(mbedtls_x509wri | |||
| 419 | * | 420 | * |
| 420 | * @return 1 if keys were successfully generated, 0 otherwise | 421 | * @return 1 if keys were successfully generated, 0 otherwise |
| 421 | */ | 422 | */ |
| 422 | userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_data_t public_key) | 423 | userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_data_t public_key, unsigned int device_version) |
| 423 | { | 424 | { |
| 424 | userpref_error_t ret = USERPREF_E_SSL_ERROR; | 425 | userpref_error_t ret = USERPREF_E_SSL_ERROR; |
| 425 | 426 | ||
| @@ -484,7 +485,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da | |||
| 484 | X509_set_pubkey(root_cert, root_pkey); | 485 | X509_set_pubkey(root_cert, root_pkey); |
| 485 | 486 | ||
| 486 | /* sign root cert with root private key */ | 487 | /* sign root cert with root private key */ |
| 487 | X509_sign(root_cert, root_pkey, EVP_sha1()); | 488 | X509_sign(root_cert, root_pkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? EVP_sha1() : EVP_sha256()); |
| 488 | } | 489 | } |
| 489 | 490 | ||
| 490 | /* create host certificate */ | 491 | /* create host certificate */ |
| @@ -517,7 +518,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da | |||
| 517 | X509_set_pubkey(host_cert, host_pkey); | 518 | X509_set_pubkey(host_cert, host_pkey); |
| 518 | 519 | ||
| 519 | /* sign host cert with root private key */ | 520 | /* sign host cert with root private key */ |
| 520 | X509_sign(host_cert, root_pkey, EVP_sha1()); | 521 | X509_sign(host_cert, root_pkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? EVP_sha1() : EVP_sha256()); |
| 521 | } | 522 | } |
| 522 | 523 | ||
| 523 | if (root_cert && root_pkey && host_cert && host_pkey) { | 524 | if (root_cert && root_pkey && host_cert && host_pkey) { |
| @@ -609,7 +610,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da | |||
| 609 | X509_add_ext_helper(dev_cert, NID_key_usage, (char*)"critical,digitalSignature,keyEncipherment"); | 610 | X509_add_ext_helper(dev_cert, NID_key_usage, (char*)"critical,digitalSignature,keyEncipherment"); |
| 610 | 611 | ||
| 611 | /* sign device certificate with root private key */ | 612 | /* sign device certificate with root private key */ |
| 612 | if (X509_sign(dev_cert, root_pkey, EVP_sha1())) { | 613 | if (X509_sign(dev_cert, root_pkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? EVP_sha1() : EVP_sha256())) { |
| 613 | /* if signing succeeded, export in PEM format */ | 614 | /* if signing succeeded, export in PEM format */ |
| 614 | BIO* membp = BIO_new(BIO_s_mem()); | 615 | BIO* membp = BIO_new(BIO_s_mem()); |
| 615 | if (PEM_write_bio_X509(membp, dev_cert) > 0) { | 616 | if (PEM_write_bio_X509(membp, dev_cert) > 0) { |
| @@ -661,7 +662,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da | |||
| 661 | gnutls_x509_crt_set_ca_status(root_cert, 1); | 662 | gnutls_x509_crt_set_ca_status(root_cert, 1); |
| 662 | gnutls_x509_crt_set_activation_time(root_cert, time(NULL)); | 663 | gnutls_x509_crt_set_activation_time(root_cert, time(NULL)); |
| 663 | gnutls_x509_crt_set_expiration_time(root_cert, time(NULL) + (60 * 60 * 24 * 365 * 10)); | 664 | gnutls_x509_crt_set_expiration_time(root_cert, time(NULL) + (60 * 60 * 24 * 365 * 10)); |
| 664 | gnutls_x509_crt_sign2(root_cert, root_cert, root_privkey, GNUTLS_DIG_SHA1, 0); | 665 | gnutls_x509_crt_sign2(root_cert, root_cert, root_privkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? GNUTLS_DIG_SHA1 : GNUTLS_DIG_SHA256, 0); |
| 665 | 666 | ||
| 666 | gnutls_x509_crt_set_key(host_cert, host_privkey); | 667 | gnutls_x509_crt_set_key(host_cert, host_privkey); |
| 667 | gnutls_x509_crt_set_serial(host_cert, "\x01", 1); | 668 | gnutls_x509_crt_set_serial(host_cert, "\x01", 1); |
| @@ -670,7 +671,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da | |||
| 670 | gnutls_x509_crt_set_key_usage(host_cert, GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_DIGITAL_SIGNATURE); | 671 | gnutls_x509_crt_set_key_usage(host_cert, GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_DIGITAL_SIGNATURE); |
| 671 | gnutls_x509_crt_set_activation_time(host_cert, time(NULL)); | 672 | gnutls_x509_crt_set_activation_time(host_cert, time(NULL)); |
| 672 | gnutls_x509_crt_set_expiration_time(host_cert, time(NULL) + (60 * 60 * 24 * 365 * 10)); | 673 | gnutls_x509_crt_set_expiration_time(host_cert, time(NULL) + (60 * 60 * 24 * 365 * 10)); |
| 673 | gnutls_x509_crt_sign2(host_cert, root_cert, root_privkey, GNUTLS_DIG_SHA1, 0); | 674 | gnutls_x509_crt_sign2(host_cert, root_cert, root_privkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? GNUTLS_DIG_SHA1 : GNUTLS_DIG_SHA256, 0); |
| 674 | 675 | ||
| 675 | /* export to PEM format */ | 676 | /* export to PEM format */ |
| 676 | size_t root_key_export_size = 0; | 677 | size_t root_key_export_size = 0; |
| @@ -768,17 +769,17 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da | |||
| 768 | gnutls_x509_crt_set_expiration_time(dev_cert, time(NULL) + (60 * 60 * 24 * 365 * 10)); | 769 | gnutls_x509_crt_set_expiration_time(dev_cert, time(NULL) + (60 * 60 * 24 * 365 * 10)); |
| 769 | 770 | ||
| 770 | /* use custom hash generation for compatibility with the "Apple ecosystem" */ | 771 | /* use custom hash generation for compatibility with the "Apple ecosystem" */ |
| 771 | const gnutls_digest_algorithm_t dig_sha1 = GNUTLS_DIG_SHA1; | 772 | const gnutls_digest_algorithm_t dig_sha = (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? GNUTLS_DIG_SHA1 : GNUTLS_DIG_SHA256; |
| 772 | size_t hash_size = gnutls_hash_get_len(dig_sha1); | 773 | size_t hash_size = gnutls_hash_get_len(dig_sha); |
| 773 | unsigned char hash[hash_size]; | 774 | unsigned char hash[hash_size]; |
| 774 | if (gnutls_hash_fast(dig_sha1, der_pub_key.data, der_pub_key.size, (unsigned char*)&hash) < 0) { | 775 | if (gnutls_hash_fast(dig_sha, der_pub_key.data, der_pub_key.size, (unsigned char*)&hash) < 0) { |
| 775 | debug_info("ERROR: Failed to generate SHA1 for public key"); | 776 | debug_info("ERROR: Failed to generate SHA for public key"); |
| 776 | } else { | 777 | } else { |
| 777 | gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size); | 778 | gnutls_x509_crt_set_subject_key_id(dev_cert, hash, hash_size); |
| 778 | } | 779 | } |
| 779 | 780 | ||
| 780 | gnutls_x509_crt_set_key_usage(dev_cert, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT); | 781 | gnutls_x509_crt_set_key_usage(dev_cert, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT); |
| 781 | gnutls_error = gnutls_x509_crt_sign2(dev_cert, root_cert, root_privkey, GNUTLS_DIG_SHA1, 0); | 782 | gnutls_error = gnutls_x509_crt_sign2(dev_cert, root_cert, root_privkey, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? GNUTLS_DIG_SHA1 : GNUTLS_DIG_SHA256, 0); |
| 782 | if (GNUTLS_E_SUCCESS == gnutls_error) { | 783 | if (GNUTLS_E_SUCCESS == gnutls_error) { |
| 783 | /* if everything went well, export in PEM format */ | 784 | /* if everything went well, export in PEM format */ |
| 784 | size_t export_size = 0; | 785 | size_t export_size = 0; |
| @@ -872,7 +873,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da | |||
| 872 | 873 | ||
| 873 | /* sign root cert with root private key */ | 874 | /* sign root cert with root private key */ |
| 874 | mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey); | 875 | mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey); |
| 875 | mbedtls_x509write_crt_set_md_alg(&cert, MBEDTLS_MD_SHA1); | 876 | mbedtls_x509write_crt_set_md_alg(&cert, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? MBEDTLS_MD_SHA1 : MBEDTLS_MD_SHA256); |
| 876 | 877 | ||
| 877 | unsigned char outbuf[16384]; | 878 | unsigned char outbuf[16384]; |
| 878 | 879 | ||
| @@ -931,7 +932,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da | |||
| 931 | 932 | ||
| 932 | /* sign host cert with root private key */ | 933 | /* sign host cert with root private key */ |
| 933 | mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey); | 934 | mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey); |
| 934 | mbedtls_x509write_crt_set_md_alg(&cert, MBEDTLS_MD_SHA1); | 935 | mbedtls_x509write_crt_set_md_alg(&cert, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? MBEDTLS_MD_SHA1 : MBEDTLS_MD_SHA256); |
| 935 | 936 | ||
| 936 | /* write host private key */ | 937 | /* write host private key */ |
| 937 | mbedtls_pk_write_key_pem(&host_pkey, outbuf, sizeof(outbuf)); | 938 | mbedtls_pk_write_key_pem(&host_pkey, outbuf, sizeof(outbuf)); |
| @@ -991,7 +992,7 @@ userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_da | |||
| 991 | 992 | ||
| 992 | /* sign device certificate with root private key */ | 993 | /* sign device certificate with root private key */ |
| 993 | mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey); | 994 | mbedtls_x509write_crt_set_issuer_key(&cert, &root_pkey); |
| 994 | mbedtls_x509write_crt_set_md_alg(&cert, MBEDTLS_MD_SHA1); | 995 | mbedtls_x509write_crt_set_md_alg(&cert, (device_version < IDEVICE_DEVICE_VERSION(4,0,0)) ? MBEDTLS_MD_SHA1 : MBEDTLS_MD_SHA256); |
| 995 | 996 | ||
| 996 | /* write device certificate */ | 997 | /* write device certificate */ |
| 997 | mbedtls_x509write_crt_pem(&cert, outbuf, sizeof(outbuf), mbedtls_ctr_drbg_random, &ctr_drbg); | 998 | mbedtls_x509write_crt_pem(&cert, outbuf, sizeof(outbuf), mbedtls_ctr_drbg_random, &ctr_drbg); |
diff --git a/common/userpref.h b/common/userpref.h index 75bb8b7..9a1832c 100644 --- a/common/userpref.h +++ b/common/userpref.h | |||
| @@ -68,7 +68,7 @@ userpref_error_t userpref_read_pair_record(const char *udid, plist_t *pair_recor | |||
| 68 | userpref_error_t userpref_save_pair_record(const char *udid, uint32_t device_id, plist_t pair_record); | 68 | userpref_error_t userpref_save_pair_record(const char *udid, uint32_t device_id, plist_t pair_record); |
| 69 | userpref_error_t userpref_delete_pair_record(const char *udid); | 69 | userpref_error_t userpref_delete_pair_record(const char *udid); |
| 70 | 70 | ||
| 71 | userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_data_t public_key); | 71 | userpref_error_t pair_record_generate_keys_and_certs(plist_t pair_record, key_data_t public_key, unsigned int device_version); |
| 72 | #if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS) | 72 | #if defined(HAVE_OPENSSL) || defined(HAVE_MBEDTLS) |
| 73 | userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, key_data_t* key); | 73 | userpref_error_t pair_record_import_key_with_name(plist_t pair_record, const char* name, key_data_t* key); |
| 74 | userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, key_data_t* cert); | 74 | userpref_error_t pair_record_import_crt_with_name(plist_t pair_record, const char* name, key_data_t* cert); |
diff --git a/src/lockdown-cu.c b/src/lockdown-cu.c index 30eec99..11c70c5 100644 --- a/src/lockdown-cu.c +++ b/src/lockdown-cu.c | |||
| @@ -1132,7 +1132,7 @@ lockdownd_error_t lockdownd_pair_cu(lockdownd_client_t client) | |||
| 1132 | plist_free(pubkey); | 1132 | plist_free(pubkey); |
| 1133 | 1133 | ||
| 1134 | plist_t pair_record_plist = plist_new_dict(); | 1134 | plist_t pair_record_plist = plist_new_dict(); |
| 1135 | pair_record_generate_keys_and_certs(pair_record_plist, public_key); | 1135 | pair_record_generate_keys_and_certs(pair_record_plist, public_key, client->device->version); |
| 1136 | 1136 | ||
| 1137 | char* host_id = NULL; | 1137 | char* host_id = NULL; |
| 1138 | char* system_buid = NULL; | 1138 | char* system_buid = NULL; |
diff --git a/src/lockdown.c b/src/lockdown.c index d28316a..1edb99b 100644 --- a/src/lockdown.c +++ b/src/lockdown.c | |||
| @@ -839,7 +839,7 @@ static lockdownd_error_t pair_record_generate(lockdownd_client_t client, plist_t | |||
| 839 | 839 | ||
| 840 | /* generate keys and certificates into pair record */ | 840 | /* generate keys and certificates into pair record */ |
| 841 | userpref_error_t uret = USERPREF_E_SUCCESS; | 841 | userpref_error_t uret = USERPREF_E_SUCCESS; |
| 842 | uret = pair_record_generate_keys_and_certs(*pair_record, public_key); | 842 | uret = pair_record_generate_keys_and_certs(*pair_record, public_key, client->device->version); |
| 843 | switch(uret) { | 843 | switch(uret) { |
| 844 | case USERPREF_E_INVALID_ARG: | 844 | case USERPREF_E_INVALID_ARG: |
| 845 | ret = LOCKDOWN_E_INVALID_ARG; | 845 | ret = LOCKDOWN_E_INVALID_ARG; |