verifyinghasher: extend ParsedCodeDirectory and VerifyingHasher::Result

- ParsedCodeDirectory: add `cd_bytes` span over the picked CD's blob
  bytes; populated on every successful parse.
- VerifyingHasher::Result: add optional cdhash, signing_id, team_id,
  cd_bytes (owning copy), and cs_blob_size fields. Populated only on
  kMatchCDHash / kMatchSidTidDrift.
- New hw_entitled fixture (Mach-O with XML + DER entitlement slots
  and a real CMS signature). New testdata/README documents
  regeneration recipes for the package's four fixtures.
- ParseCodeSignature refactored to accumulate fields into a local
  and assign to `out` via a single move at the end on success.

Adds tests for the new fields, the drift-path population, and the
parser's output contract.

Author: mlw

Source/common/verifyinghasher/BUILD

@@ -130,9 +130,8 @@ objc_library(
     ],
 )
 
-# Single source of truth for the multi-CD ad-hoc-signed test fixture.
-# Testing/Fuzzing references this via cross-package filegroup rather than
-# holding its own copy.
+# Mach-O test fixtures. Regeneration procedures: testdata/README.md.
+
 filegroup(
     name = "hw_universal_fixture",
     srcs = ["testdata/hw_universal"],
@@ -142,35 +141,24 @@ filegroup(
     ],
 )
 
-# Team-signed counterpart used to exercise positive drift detection
-# (kMatchSidTidDrift requires a non-empty team_id). Generated via:
-#   cp testdata/hw_universal testdata/hw_team_signed
-#   codesign --force --sign <ApplicationDevelopmentIdentity> testdata/hw_team_signed
-# Update kHwTeamSignedSigningID + kHwTeamSignedTeamID in VerifyingHasherTest.mm
-# if regenerated with a different identity.
 filegroup(
     name = "hw_team_signed_fixture",
     srcs = ["testdata/hw_team_signed"],
     visibility = ["//Source/common/verifyinghasher:__pkg__"],
 )
 
-# Single source of truth for the unsigned Mach-O test fixture used to
-# exercise Expected::Unsigned semantics. Generated via:
-#   cat > /tmp/hw_unsigned_build/main.c <<'EOF'
-#   int main(void) { return 0; }
-#   EOF
-#   clang -arch arm64 -Wl,-no_adhoc_codesign -o hw_unsigned /tmp/hw_unsigned_build/main.c
-# `-Wl,-no_adhoc_codesign` suppresses the linker's default ad-hoc signing
-# so the produced Mach-O has no LC_CODE_SIGNATURE / no CS blob.
-# DO NOT regenerate without also updating kHwUnsignedSha256 in
-# VerifyingHasherTest.mm — the hash changes whenever the toolchain or
-# the source byte sequence changes.
 filegroup(
     name = "hw_unsigned_fixture",
     srcs = ["testdata/hw_unsigned"],
     visibility = ["//Source/common/verifyinghasher:__pkg__"],
 )
 
+filegroup(
+    name = "hw_entitled_fixture",
+    srcs = ["testdata/hw_entitled"],
+    visibility = ["//Source/common/verifyinghasher:__pkg__"],
+)
+
 santa_unit_test(
     name = "VerifyingHasherCoreTest",
     srcs = ["VerifyingHasherCoreTest.mm"],

Source/common/verifyinghasher/CodeSignatureParser.h

@@ -41,6 +41,11 @@ struct ParsedCodeDirectory {
   uint64_t code_limit = 0;
   uint32_t page_count = 0;
   std::span<const uint8_t> slot_hashes;  // page_count * hash_size bytes
+  // Full CodeDirectory blob bytes (header + identifier + team_id + slot
+  // hash table). H_hashType(cd_bytes) truncated to CS_CDHASH_LEN equals
+  // cdhash. Non-owning view into the blob passed to ParseCodeSignature();
+  // shares its lifetime. Populated on every successful parse.
+  std::span<const uint8_t> cd_bytes;
   // 20-byte truncated cdhash of this CodeDirectory blob, computed using
   // its own hashType (matches xnu's cs_cd_hash and es_cdhash_t).
   uint8_t cdhash[CS_CDHASH_LEN] = {};

Source/common/verifyinghasher/CodeSignatureParser.mm

@@ -88,13 +88,14 @@ uint8_t HashSizeFor(uint8_t hash_type) {
 
 bool ParseCodeSignature(std::span<const uint8_t> blob, uint64_t slice_size,
                         ParsedCodeDirectory& out, std::string& err) {
-  // Reset output up front so callers reusing a ParsedCodeDirectory across
-  // parses don't leak stale strings/spans/hashes from a prior successful
-  // call through the conditionally-overwritten fields (identifier,
-  // team_id) on the next parse, and so every early-return path leaves
-  // a clean output.
+  // All-or-nothing semantics: accumulate every field into `tmp`, commit
+  // to `out` only when every check has passed. `out` is reset on entry
+  // so failure paths leave the caller's struct in a clean default state
+  // — never a partially-populated one — regardless of where validation
+  // bailed.
   out = ParsedCodeDirectory{};
   err.clear();
+  ParsedCodeDirectory tmp;
 
   if (blob.size() < sizeof(CS_SuperBlob)) {
     err = "code signature blob too small for SuperBlob";
@@ -228,13 +229,14 @@ bool ParseCodeSignature(std::span<const uint8_t> blob, uint64_t slice_size,
   // picked CD's bytes.
 
   const CS_CodeDirectory* cd = picked->cd;
-  out.hash_type = cd->hashType;
-  out.hash_size = HashSizeFor(cd->hashType);
-  if (out.hash_size == 0) {
+  tmp.hash_type = cd->hashType;
+  tmp.cd_bytes = std::span<const uint8_t>(picked->blob_base, picked->blob_len);
+  tmp.hash_size = HashSizeFor(cd->hashType);
+  if (tmp.hash_size == 0) {
     err = "CodeDirectory unsupported hashType slipped through";
     return false;
   }
-  if (cd->hashSize != out.hash_size) {
+  if (cd->hashSize != tmp.hash_size) {
     err = "CodeDirectory hashSize mismatch";
     return false;
   }
@@ -259,7 +261,7 @@ bool ParseCodeSignature(std::span<const uint8_t> blob, uint64_t slice_size,
     err = "CodeDirectory pageSize unsupported (must be 12..18)";
     return false;
   }
-  out.page_size = 1u << cd->pageSize;
+  tmp.page_size = 1u << cd->pageSize;
 
   const uint32_t version = OSSwapBigToHostInt32(cd->version);
 
@@ -282,11 +284,11 @@ bool ParseCodeSignature(std::span<const uint8_t> blob, uint64_t slice_size,
 
   const uint32_t cl32 = OSSwapBigToHostInt32(cd->codeLimit);
   if (version >= CS_SUPPORTSCODELIMIT64 && cd->codeLimit64 != 0) {
-    out.code_limit = OSSwapBigToHostInt64(cd->codeLimit64);
+    tmp.code_limit = OSSwapBigToHostInt64(cd->codeLimit64);
   } else {
-    out.code_limit = cl32;
+    tmp.code_limit = cl32;
   }
-  if (out.code_limit > slice_size) {
+  if (tmp.code_limit > slice_size) {
     err = "CodeDirectory codeLimit exceeds slice size";
     return false;
   }
@@ -309,11 +311,11 @@ bool ParseCodeSignature(std::span<const uint8_t> blob, uint64_t slice_size,
   // (large codeLimit, small page_size) lets nCodeSlots match a truncated
   // value and PageVerifier walks past the slot table at runtime.
   uint64_t numerator;
-  if (os_add_overflow(out.code_limit, static_cast<uint64_t>(out.page_size) - 1, &numerator)) {
+  if (os_add_overflow(tmp.code_limit, static_cast<uint64_t>(tmp.page_size) - 1, &numerator)) {
     err = "CodeDirectory codeLimit + page_size overflows";
     return false;
   }
-  const uint64_t expected_pages_u64 = numerator / out.page_size;
+  const uint64_t expected_pages_u64 = numerator / tmp.page_size;
   if (expected_pages_u64 > UINT32_MAX) {
     err = "CodeDirectory page count exceeds UINT32_MAX";
     return false;
@@ -325,7 +327,7 @@ bool ParseCodeSignature(std::span<const uint8_t> blob, uint64_t slice_size,
   // the xnu invariant on the full claim so a CD that overstates nCodeSlots
   // beyond what fits gets rejected with the same verdict xnu would give.
   if (hash_offset > picked->blob_len ||
-      (picked->blob_len - hash_offset) / out.hash_size < n_code_slots) {
+      (picked->blob_len - hash_offset) / tmp.hash_size < n_code_slots) {
     err = "CodeDirectory nCodeSlots does not fit in blob";
     return false;
   }
@@ -353,9 +355,9 @@ bool ParseCodeSignature(std::span<const uint8_t> blob, uint64_t slice_size,
     err = "CodeDirectory has fewer slot hashes than codeLimit/pageSize requires";
     return false;
   }
-  out.page_count = expected_pages;
+  tmp.page_count = expected_pages;
 
-  const size_t slots_bytes = static_cast<size_t>(out.page_count) * out.hash_size;
+  const size_t slots_bytes = static_cast<size_t>(tmp.page_count) * tmp.hash_size;
   // Note: hashOffset < sizeof(CS_CodeDirectory) is intentionally accepted.
   // xnu's cs_validate_codedirectory only checks `length < hashOffset`,
   // not against the CD header size:
@@ -370,13 +372,13 @@ bool ParseCodeSignature(std::span<const uint8_t> blob, uint64_t slice_size,
     err = "CodeDirectory slot hashes out of bounds";
     return false;
   }
-  out.slot_hashes = std::span<const uint8_t>(picked->blob_base + hash_offset, slots_bytes);
+  tmp.slot_hashes = std::span<const uint8_t>(picked->blob_base + hash_offset, slots_bytes);
 
   // Compute the cdhash of the picked CD: H_picked(cd_blob[0, blob_len)),
   // truncated to CS_CDHASH_LEN. Matches xnu's cs_cd_hash.
   {
     uint8_t full[CC_SHA384_DIGEST_LENGTH];  // largest supported
-    switch (out.hash_type) {
+    switch (tmp.hash_type) {
       case CS_HASHTYPE_SHA1: {
         Sha1Traits::Ctx c;
         Sha1Traits::Init(&c);
@@ -408,7 +410,7 @@ bool ParseCodeSignature(std::span<const uint8_t> blob, uint64_t slice_size,
     }
     static_assert(CS_CDHASH_LEN <= CC_SHA1_DIGEST_LENGTH,
                   "all supported hash digests must be at least CS_CDHASH_LEN");
-    std::memcpy(out.cdhash, full, CS_CDHASH_LEN);
+    std::memcpy(tmp.cdhash, full, CS_CDHASH_LEN);
   }
 
   // Read the null-terminated identifier string at cd_blob_base + identOffset.
@@ -419,7 +421,7 @@ bool ParseCodeSignature(std::span<const uint8_t> blob, uint64_t slice_size,
       const uint8_t* p = picked->blob_base + ident_off;
       size_t max_len = picked->blob_len - ident_off;
       size_t actual_len = strnlen(reinterpret_cast<const char*>(p), max_len);
-      out.identifier.assign(reinterpret_cast<const char*>(p), actual_len);
+      tmp.identifier.assign(reinterpret_cast<const char*>(p), actual_len);
     }
   }
 
@@ -431,10 +433,12 @@ bool ParseCodeSignature(std::span<const uint8_t> blob, uint64_t slice_size,
       const uint8_t* p = picked->blob_base + team_off;
       size_t max_len = picked->blob_len - team_off;
       size_t actual_len = strnlen(reinterpret_cast<const char*>(p), max_len);
-      out.team_id.assign(reinterpret_cast<const char*>(p), actual_len);
+      tmp.team_id.assign(reinterpret_cast<const char*>(p), actual_len);
     }
   }
 
+  // All checks passed. Commit the fully-populated tmp to out in one move.
+  out = std::move(tmp);
   return true;
 }
 

Source/common/verifyinghasher/CodeSignatureParserTest.mm

@@ -398,6 +398,71 @@ - (void)testCdHashZeroedOnMalformed {
   XCTAssertEqual(0, std::memcmp(parsed.cdhash, zero, CS_CDHASH_LEN));
 }
 
+// All-or-nothing contract: on `false` return, every parsed-out field
+// must be in its default-initialized state — never a mix of stale
+// caller data and partial parser writes. Builds a CD that passes the
+// early candidate-selection structural checks but fails a later gate
+// (insufficient nCodeSlots). Pre-populates `parsed` with sentinel
+// values to prove both halves of the contract: reset-on-entry wipes
+// caller state, and no field gets re-written before the all-checks-pass
+// commit at the bottom of the parser.
+- (void)testAllOrNothingOutputOnLateFailure {
+  constexpr uint32_t kCodeLimit = 8192;  // 2 pages at 4 KiB
+  constexpr uint32_t kHashSize = 32;
+  constexpr uint32_t kClaimed = 1;  // underclaim — fails fewer-slot-hashes gate
+  const size_t cd_off = sizeof(CS_SuperBlob) + sizeof(CS_BlobIndex);
+  const size_t cd_sz = sizeof(CS_CodeDirectory) + kClaimed * kHashSize;
+  const size_t total = cd_off + cd_sz;
+  std::vector<uint8_t> blob(total, 0);
+
+  auto* sb = reinterpret_cast<CS_SuperBlob*>(blob.data());
+  sb->magic = OSSwapHostToBigInt32(CSMAGIC_EMBEDDED_SIGNATURE);
+  sb->length = OSSwapHostToBigInt32(static_cast<uint32_t>(total));
+  sb->count = OSSwapHostToBigInt32(1);
+
+  auto* idx = reinterpret_cast<CS_BlobIndex*>(blob.data() + sizeof(CS_SuperBlob));
+  idx->type = OSSwapHostToBigInt32(CSSLOT_CODEDIRECTORY);
+  idx->offset = OSSwapHostToBigInt32(static_cast<uint32_t>(cd_off));
+
+  auto* cd = reinterpret_cast<CS_CodeDirectory*>(blob.data() + cd_off);
+  cd->magic = OSSwapHostToBigInt32(CSMAGIC_CODEDIRECTORY);
+  cd->length = OSSwapHostToBigInt32(static_cast<uint32_t>(cd_sz));
+  cd->version = 0;
+  cd->hashOffset = OSSwapHostToBigInt32(static_cast<uint32_t>(sizeof(CS_CodeDirectory)));
+  cd->codeLimit = OSSwapHostToBigInt32(kCodeLimit);
+  cd->nCodeSlots = OSSwapHostToBigInt32(kClaimed);
+  cd->hashSize = kHashSize;
+  cd->hashType = CS_HASHTYPE_SHA256;
+  cd->pageSize = 12;
+
+  // Pre-populate with sentinels so a regression that skips the reset
+  // or leaks partial writes is observable.
+  ParsedCodeDirectory parsed;
+  parsed.hash_type = 0xAB;
+  parsed.hash_size = 0xCD;
+  parsed.page_size = 0xEF;
+  parsed.code_limit = 0x1234;
+  parsed.page_count = 0x5678;
+  parsed.identifier = "stale";
+  parsed.team_id = "stale";
+  std::memset(parsed.cdhash, 0xFF, CS_CDHASH_LEN);
+
+  std::string err;
+  XCTAssertFalse(ParseCodeSignature(blob, /*slice_size=*/kCodeLimit, parsed, err));
+
+  ParsedCodeDirectory fresh;
+  XCTAssertEqual(parsed.hash_type, fresh.hash_type);
+  XCTAssertEqual(parsed.hash_size, fresh.hash_size);
+  XCTAssertEqual(parsed.page_size, fresh.page_size);
+  XCTAssertEqual(parsed.code_limit, fresh.code_limit);
+  XCTAssertEqual(parsed.page_count, fresh.page_count);
+  XCTAssertTrue(parsed.slot_hashes.empty());
+  XCTAssertTrue(parsed.cd_bytes.empty());
+  XCTAssertEqual(0, std::memcmp(parsed.cdhash, fresh.cdhash, CS_CDHASH_LEN));
+  XCTAssertTrue(parsed.identifier.empty());
+  XCTAssertTrue(parsed.team_id.empty());
+}
+
 - (void)testParsesRealCsBlob {
   uint64_t slice_size = 0;
   auto blob = ExtractCsBlob("/usr/bin/yes", &slice_size);
@@ -1249,4 +1314,39 @@ - (void)testRejectsMalformedAlternateWithValidCanonical {
                 @"expected 'wrong magic' error, got: %s", err.c_str());
 }
 
+// cd_bytes contract: must be a non-empty view inside the input blob, and
+// H_hashType(cd_bytes) truncated to CS_CDHASH_LEN must equal parsed.cdhash.
+// Exercised on a real signed binary to cover the integration path.
+- (void)testParseCodeSignaturePopulatesCdBytes {
+  uint64_t slice_size = 0;
+  auto blob = ExtractCsBlob("/usr/bin/yes", &slice_size);
+  XCTAssertFalse(blob.empty());
+
+  ParsedCodeDirectory parsed;
+  std::string err;
+  XCTAssertTrue(ParseCodeSignature(blob, slice_size, parsed, err), @"ParseCodeSignature: %s",
+                err.c_str());
+
+  XCTAssertFalse(parsed.cd_bytes.empty());
+  XCTAssertGreaterThanOrEqual(parsed.cd_bytes.data(), blob.data());
+  XCTAssertLessThanOrEqual(parsed.cd_bytes.data() + parsed.cd_bytes.size(),
+                           blob.data() + blob.size());
+
+  uint8_t digest[CC_SHA384_DIGEST_LENGTH];
+  switch (parsed.hash_type) {
+    case CS_HASHTYPE_SHA256:
+    case CS_HASHTYPE_SHA256_TRUNCATED:
+      CC_SHA256(parsed.cd_bytes.data(), static_cast<CC_LONG>(parsed.cd_bytes.size()), digest);
+      break;
+    case CS_HASHTYPE_SHA1:
+      CC_SHA1(parsed.cd_bytes.data(), static_cast<CC_LONG>(parsed.cd_bytes.size()), digest);
+      break;
+    case CS_HASHTYPE_SHA384:
+      CC_SHA384(parsed.cd_bytes.data(), static_cast<CC_LONG>(parsed.cd_bytes.size()), digest);
+      break;
+    default: XCTFail(@"unexpected hash_type %u", parsed.hash_type); return;
+  }
+  XCTAssertEqual(0, std::memcmp(digest, parsed.cdhash, CS_CDHASH_LEN));
+}
+
 @end

Source/common/verifyinghasher/VerifyingHasher.h

@@ -17,14 +17,22 @@
 
 #include <CommonCrypto/CommonDigest.h>
 #include <mach/machine.h>
+#include <sys/cdefs.h>
 #include <sys/types.h>
 
+__BEGIN_DECLS
+#include <Kernel/kern/cs_blobs.h>  // CS_CDHASH_LEN
+__END_DECLS
+
 #include <array>
+#include <cstddef>
 #include <cstdint>
 #include <ctime>
 #include <optional>
 #include <span>
+#include <string>
 #include <string_view>
+#include <vector>
 
 namespace santa {
 
@@ -91,6 +99,24 @@ class VerifyingHasher {
     // (no .value()) instead of silently consuming an unverified or
     // unfinalized digest.
     std::optional<std::array<uint8_t, CC_SHA256_DIGEST_LENGTH>> sha256;
+
+    // CD-resident fields surfaced from the parsed CodeDirectory for
+    // BinaryAttestation consumption. Populated only when Run() reaches
+    // a verified signed-path outcome — i.e., kMatchCDHash or
+    // kMatchSidTidDrift. nullopt on every other status, including
+    // kNoMatch (we parsed a CD but the caller asked for one we didn't
+    // ultimately accept).
+    std::optional<std::array<uint8_t, CS_CDHASH_LEN>> cdhash;
+    std::optional<std::string> signing_id;
+    std::optional<std::string> team_id;
+    // Owning copy of the picked CodeDirectory blob bytes (header + ids +
+    // slot hash table). Used by BinaryAttestation as CMSDecoder's
+    // detached content. Owning rather than view because Core's
+    // cs_blob_buf_ does not outlive Run().
+    std::optional<std::vector<uint8_t>> cd_bytes;
+    // Total embedded code-signature blob size (LC_CODE_SIGNATURE.datasize).
+    // Used by KernelCsBlob::Fetch as a one-syscall sizing hint.
+    std::optional<size_t> cs_blob_size;
   };
 
   struct RunOptions {

Source/common/verifyinghasher/VerifyingHasher.mm

@@ -111,6 +111,22 @@ bool StatMatches(const struct stat& st, const VerifyingHasher::StatTuple& exp) {
   } else {
     r.status = Status::kNoMatch;
   }
+
+  // Surface VH-side fields for downstream BinaryAttestation consumption.
+  // Populated only when we actually accepted a CD as a verified match.
+  if (r.status == Status::kMatchCDHash || r.status == Status::kMatchSidTidDrift) {
+    if (computed_cdhash.size() == CS_CDHASH_LEN) {
+      std::array<uint8_t, CS_CDHASH_LEN> arr;
+      std::copy(computed_cdhash.begin(), computed_cdhash.end(), arr.begin());
+      r.cdhash = arr;
+    }
+    if (!parsed.identifier.empty()) r.signing_id = parsed.identifier;
+    if (!parsed.team_id.empty()) r.team_id = parsed.team_id;
+    if (!parsed.cd_bytes.empty()) {
+      r.cd_bytes = std::vector<uint8_t>(parsed.cd_bytes.begin(), parsed.cd_bytes.end());
+    }
+    r.cs_blob_size = static_cast<size_t>(core.Slice().cs_blob_size);
+  }
   return r;
 }