Log code signing information for critical system binaries (#143)

This PR adds code signing information for critical system binaries. It
fixes #140.

---------

Signed-off-by: Pete Markowsky <[email protected]>
Co-authored-by: Russell Hancox <[email protected]>

Source/santad/BUILD

@@ -34,6 +34,7 @@ objc_library(
         "//Source/common:SNTLogging",
         "//Source/common:SNTRule",
         "//Source/common:SNTRuleIdentifiers",
+        "//Source/common:SigningIDHelpers",
         "@MOLCertificate",
         "@MOLCodesignChecker",
     ],
@@ -954,6 +955,7 @@ santa_unit_test(
         "//Source/common:SNTLogging",
         "//Source/common:SNTRule",
         "//Source/common:SNTRuleIdentifiers",
+        "//Source/common:SigningIDHelpers",
         "@FMDB",
         "@MOLCertificate",
         "@MOLCodesignChecker",

Source/santad/DataLayer/SNTRuleTable.m

@@ -24,6 +24,7 @@
 #import "Source/common/SNTFileInfo.h"
 #import "Source/common/SNTLogging.h"
 #import "Source/common/SNTRule.h"
+#import "Source/common/SigningIDHelpers.h"
 
 static const uint32_t kRuleTableCurrentVersion = 7;
 
@@ -156,8 +157,14 @@ - (void)setupSystemCriticalBinaries {
     cd.decision = SNTEventStateAllowBinary;
     cd.decisionExtra = systemBin ? @"critical system binary" : @"santa binary";
     cd.sha256 = binInfo.SHA256;
-
-    // Not needed, but nice for logging.
+    cd.signingID = FormatSigningID(csInfo);
+    cd.cdhash = csInfo.cdhash;
+    // Normalized by the FormatSigningID function so this will always have a
+    // prefix.
+    cd.teamID = [cd.signingID componentsSeparatedByString:@":"].firstObject;
+
+    // Not needed, but nice for logging and events.
+    cd.certChain = csInfo.certificates;
     cd.certSHA256 = csInfo.leafCertificate.SHA256;
     cd.certCommonName = csInfo.leafCertificate.commonName;
 

Source/santad/DataLayer/SNTRuleTableTest.m

@@ -17,9 +17,12 @@
 #import <OCMock/OCMock.h>
 #import <XCTest/XCTest.h>
 
+#import "Source/common/SNTCachedDecision.h"
 #import "Source/common/SNTConfigurator.h"
+#import "Source/common/SNTFileInfo.h"
 #import "Source/common/SNTRule.h"
 #import "Source/common/SNTRuleIdentifiers.h"
+#import "Source/common/SigningIDHelpers.h"
 #import "Source/santad/DataLayer/SNTRuleTable.h"
 
 /// This test case actually tests SNTRuleTable and SNTRule
@@ -513,4 +516,21 @@ - (void)testAddedRulesShouldFlushDecisionCacheWithRemoveRule {
   XCTAssertEqual(YES, [self.sut addedRulesShouldFlushDecisionCache:@[ r ]]);
 }
 
+- (void)testCriticalBinariesProduceFullSigningInformation {
+  // Get the hash of the critical binary
+  SNTFileInfo *fi = [[SNTFileInfo alloc] initWithPath:@"/usr/libexec/trustd"];
+  MOLCodesignChecker *csInfo = [fi codesignCheckerWithError:nil];
+
+  SNTCachedDecision *cd = self.sut.criticalSystemBinaries[fi.SHA256];
+
+  XCTAssertEqualObjects(fi.SHA256, cd.sha256, @"hashes should match");
+  XCTAssertEqualObjects(csInfo.leafCertificate.SHA256, cd.certSHA256, @"cert hashes should match");
+  XCTAssertEqualObjects(csInfo.cdhash, cd.cdhash, @"cdhashes should match");
+  XCTAssertEqualObjects(csInfo.certificates, cd.certChain, @"cert chains should match");
+  NSString *signingID = FormatSigningID(csInfo);
+  NSString *teamID = [signingID componentsSeparatedByString:@":"][0];
+  XCTAssertEqualObjects(signingID, cd.signingID, @"signing IDs should match");
+  XCTAssertEqualObjects(teamID, cd.teamID, @"team IDs should match");
+}
+
 @end