diff --git a/NEWS.md b/NEWS.md index 22aa019..28b8d66 100644 --- a/NEWS.md +++ b/NEWS.md @@ -2,6 +2,9 @@ ### 2.8 (unreleased) +- added CAT file verification and listing each member of the CAT file + by using the "-verbose" option + ### 2.7 (2023.09.19) - fixed signing CAB files (by Michael Brown) diff --git a/cat.c b/cat.c index cab2b5d..3873190 100644 --- a/cat.c +++ b/cat.c @@ -15,6 +15,22 @@ const u_char pkcs7_signed_data[] = { 0x01, 0x07, 0x02, }; +typedef struct { + ASN1_BMPSTRING *tag; + ASN1_INTEGER *flags; + ASN1_OCTET_STRING *value; +} CatNameValueContent; + +DECLARE_ASN1_FUNCTIONS(CatNameValueContent) + +ASN1_SEQUENCE(CatNameValueContent) = { + ASN1_SIMPLE(CatNameValueContent, tag, ASN1_BMPSTRING), + ASN1_SIMPLE(CatNameValueContent, flags, ASN1_INTEGER), + ASN1_SIMPLE(CatNameValueContent, value, ASN1_OCTET_STRING) +} ASN1_SEQUENCE_END(CatNameValueContent) + +IMPLEMENT_ASN1_FUNCTIONS(CatNameValueContent) + struct cat_ctx_st { uint32_t sigpos; uint32_t siglen; @@ -47,6 +63,11 @@ FILE_FORMAT file_format_cat = { static CAT_CTX *cat_ctx_get(char *indata, uint32_t filesize); static int cat_add_ms_ctl_object(PKCS7 *p7); static int cat_sign_ms_ctl_content(PKCS7 *p7, PKCS7 *contents); +static int cat_list_content(PKCS7 *p7); +static int cat_print_content_member_digest(ASN1_TYPE *content); +static int cat_print_content_member_name(ASN1_TYPE *content); +static void cat_print_base64(ASN1_OCTET_STRING *value); +static void cat_print_utf16_as_ascii(ASN1_OCTET_STRING *value); /* * FILE_FORMAT method definitions @@ -97,7 +118,7 @@ static FILE_FORMAT_CTX *cat_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *out BIO_push(hash, outdata); if (options->cmd == CMD_VERIFY) - printf("Warning: Use -catalog option to verify that a file, listed in catalog file, is signed\n\n"); + printf("Warning: Use -catalog option to verify that a file, listed in catalog file, is signed\n"); if (options->nest) /* I've not tried using set_nested_signature as signtool won't do this */ printf("Warning: CAT files do not support nesting (multiple signature)\n"); @@ -133,6 +154,9 @@ static int cat_check_file(FILE_FORMAT_CTX *ctx, int detached) printf("No signature found\n\n"); return 0; /* FAILED */ } + if (ctx->options->verbose) { + (void)cat_list_content(ctx->cat_ctx->p7); + } return 1; /* OK */ } @@ -335,6 +359,150 @@ static int cat_sign_ms_ctl_content(PKCS7 *p7, PKCS7 *contents) return 1; /* OK */ } +/* + * Print each member of the CAT file by using the "-verbose" option. + * [in, out] p7: catalog file to verify + * [returns] 1 on error or 0 on success + */ +static int cat_list_content(PKCS7 *p7) +{ + MsCtlContent *ctlc; + int i; + + ctlc = ms_ctl_content_get(p7); + if (!ctlc) { + printf("Failed to extract MS_CTL_OBJID data\n"); + return 1; /* FAILED */ + } + printf("\nCatalog members:\n"); + for (i = 0; i < sk_CatalogInfo_num(ctlc->header_attributes); i++) { + int j, found = 0; + CatalogInfo *header_attr = sk_CatalogInfo_value(ctlc->header_attributes, i); + if (header_attr == NULL) + continue; + for (j = 0; j < sk_CatalogAuthAttr_num(header_attr->attributes); j++) { + char object_txt[128]; + CatalogAuthAttr *attribute; + ASN1_TYPE *content; + + attribute = sk_CatalogAuthAttr_value(header_attr->attributes, j); + if (!attribute) + continue; + content = catalog_content_get(attribute); + if (!content) + continue; + object_txt[0] = 0x00; + OBJ_obj2txt(object_txt, sizeof object_txt, attribute->type, 1); + if (!strcmp(object_txt, CAT_NAMEVALUE_OBJID)) { + /* CAT_NAMEVALUE_OBJID OID: 1.3.6.1.4.1.311.12.2.1 */ + found |= cat_print_content_member_name(content); + } else if (!strcmp(object_txt, SPC_INDIRECT_DATA_OBJID)) { + /* SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 */ + found |= cat_print_content_member_digest(content); + } + ASN1_TYPE_free(content); + } + if (found) + printf("\n"); + } + MsCtlContent_free(ctlc); + ERR_print_errors_fp(stdout); + return 0; /* OK */ +} + +/* + * Print a hash algorithm and a message digest from the SPC_INDIRECT_DATA_OBJID attribute. + * [in] content: catalog file content + * [returns] 0 on error or 1 on success + */ +static int cat_print_content_member_digest(ASN1_TYPE *content) +{ + SpcIndirectDataContent *idc; + u_char mdbuf[EVP_MAX_MD_SIZE]; + const u_char *data ; + int mdtype = -1; + ASN1_STRING *value; + + value = content->value.sequence; + data = ASN1_STRING_get0_data(value); + idc = d2i_SpcIndirectDataContent(NULL, &data, ASN1_STRING_length(value)); + if (!idc) + return 0; /* FAILED */ + if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { + /* get a digest algorithm a message digest of the file from the content */ + mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); + memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length); + } + SpcIndirectDataContent_free(idc); + if (mdtype == -1) { + printf("Failed to extract current message digest\n\n"); + return 0; /* FAILED */ + } + printf("\tHash algorithm: %s\n", OBJ_nid2sn(mdtype)); + print_hash("\tMessage digest", "", mdbuf, EVP_MD_size(EVP_get_digestbynid(mdtype))); + return 1; /* OK */ +} + +/* + * Print a file name from the CAT_NAMEVALUE_OBJID attribute. + * [in] content: catalog file content + * [returns] 0 on error or 1 on success + */ +static int cat_print_content_member_name(ASN1_TYPE *content) +{ + CatNameValueContent *nvc; + const u_char *data = NULL; + ASN1_STRING *value; + + value = content->value.sequence; + data = ASN1_STRING_get0_data(value); + nvc = d2i_CatNameValueContent(NULL, &data, ASN1_STRING_length(value)); + if (!nvc) { + return 0; /* FAILED */ + } + printf("\tFile name: "); + if (ASN1_INTEGER_get(nvc->flags) & 0x00020000) { + cat_print_base64(nvc->value); + } else { + cat_print_utf16_as_ascii(nvc->value); + } + printf("\n"); + CatNameValueContent_free(nvc); + return 1; /* OK */ +} + +/* + * Print a CAT_NAMEVALUE_OBJID attribute represented in base-64 encoding. + * [in] value: catalog member file name + * [returns] none + */ +static void cat_print_base64(ASN1_OCTET_STRING *value) +{ + BIO *stdbio, *b64; + stdbio = BIO_new_fp(stdout, BIO_NOCLOSE); + b64 = BIO_new(BIO_f_base64()); + BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); + stdbio = BIO_push(b64, stdbio); + ASN1_STRING_print_ex(stdbio, value, 0); + BIO_free_all(stdbio); +} + +/* + * Print a CAT_NAMEVALUE_OBJID attribute represented in plaintext. + * [in] value: catalog member file name + * [returns] none + */ +static void cat_print_utf16_as_ascii(ASN1_OCTET_STRING *value) +{ + const u_char *data; + int len, i; + + data = ASN1_STRING_get0_data(value); + len = ASN1_STRING_length(value); + for (i = 0; i < len && (data[i] || data[i+1]); i+=2) + putchar(isprint(data[i]) && !data[i+1] ? data[i] : '.'); +} + /* Local Variables: c-basic-offset: 4 diff --git a/helpers.c b/helpers.c index 4256969..c641686 100644 --- a/helpers.c +++ b/helpers.c @@ -411,6 +411,45 @@ int is_content_type(PKCS7 *p7, const char *objid) return ret; } +/* + * [in] p7: new PKCS#7 signature + * [returns] pointer to MsCtlContent structure + */ +MsCtlContent *ms_ctl_content_get(PKCS7 *p7) +{ + ASN1_STRING *value; + const u_char *data; + + if (!is_content_type(p7, MS_CTL_OBJID)) { + printf("Failed to find MS_CTL_OBJID\n"); + return NULL; /* FAILED */ + } + value = p7->d.sign->contents->d.other->value.sequence; + data = ASN1_STRING_get0_data(value); + return d2i_MsCtlContent(NULL, &data, ASN1_STRING_length(value)); +} + +/* + * [in] attribute: catalog attribute + * [returns] catalog content + */ +ASN1_TYPE *catalog_content_get(CatalogAuthAttr *attribute) +{ + ASN1_STRING *value; + STACK_OF(ASN1_TYPE) *contents; + ASN1_TYPE *content; + const u_char *contents_data; + + value = attribute->contents->value.sequence; + contents_data = ASN1_STRING_get0_data(value); + contents = d2i_ASN1_SET_ANY(NULL, &contents_data, ASN1_STRING_length(value)); + if (!contents) + return 0; /* FAILED */ + content = sk_ASN1_TYPE_value(contents, 0); + sk_ASN1_TYPE_free(contents); + return content; +} + /* * PE and CAB format specific * [in] none diff --git a/helpers.h b/helpers.h index 6ea5967..32b8c30 100644 --- a/helpers.h +++ b/helpers.h @@ -19,6 +19,8 @@ int asn1_simple_hdr_len(const u_char *p, int len); int bio_hash_data(BIO *hash, char *indata, size_t idx, size_t fileend); void print_hash(const char *descript1, const char *descript2, const u_char *hashbuf, int length); int is_content_type(PKCS7 *p7, const char *objid); +MsCtlContent *ms_ctl_content_get(PKCS7 *p7); +ASN1_TYPE *catalog_content_get(CatalogAuthAttr *attribute); SpcLink *spc_link_obsolete_get(void); PKCS7 *pkcs7_get(char *indata, uint32_t sigpos, uint32_t siglen); int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype); diff --git a/osslsigncode.c b/osslsigncode.c index b527be3..f8264a8 100644 --- a/osslsigncode.c +++ b/osslsigncode.c @@ -2272,35 +2272,24 @@ out: * The attribute type is SPC_INDIRECT_DATA_OBJID, so get a digest algorithm and a message digest * from the content and compare the message digest against the computed message digest of the file * [in] ctx: structure holds input and output data - * [in] attribute: structure holds input and output data + * [in] content: catalog file content * [returns] 1 on error or 0 on success */ -static int verify_member(FILE_FORMAT_CTX *ctx, CatalogAuthAttr *attribute) +static int verify_content_member_digest(FILE_FORMAT_CTX *ctx, ASN1_TYPE *content) { int mdlen, mdtype = -1; u_char mdbuf[EVP_MAX_MD_SIZE]; SpcIndirectDataContent *idc; const u_char *data; ASN1_STRING *value; - STACK_OF(ASN1_TYPE) *contents; - ASN1_TYPE *content; const EVP_MD *md; u_char *cmdbuf = NULL; - value = attribute->contents->value.sequence; - data = value->data; - contents = d2i_ASN1_SET_ANY(NULL, &data, value->length); - if (contents == NULL) { - return 1; /* FAILED */ - } - content = sk_ASN1_TYPE_value(contents, 0); - sk_ASN1_TYPE_free(contents); value = content->value.sequence; - data = value->data; - idc = d2i_SpcIndirectDataContent(NULL, &data, value->length); + data = ASN1_STRING_get0_data(value); + idc = d2i_SpcIndirectDataContent(NULL, &data, ASN1_STRING_length(value)); if (!idc) { printf("Failed to extract SpcIndirectDataContent data\n"); - ASN1_TYPE_free(content); return 1; /* FAILED */ } if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { @@ -2308,7 +2297,6 @@ static int verify_member(FILE_FORMAT_CTX *ctx, CatalogAuthAttr *attribute) mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length); } - ASN1_TYPE_free(content); if (mdtype == -1) { printf("Failed to extract current message digest\n\n"); SpcIndirectDataContent_free(idc); @@ -2356,46 +2344,45 @@ static int verify_member(FILE_FORMAT_CTX *ctx, CatalogAuthAttr *attribute) */ static int verify_content(FILE_FORMAT_CTX *ctx, PKCS7 *p7) { - ASN1_STRING *value; - ASN1_OBJECT *indir_objid; - const u_char *data; MsCtlContent *ctlc; - int i, j; + int i; - if (!is_content_type(p7, MS_CTL_OBJID)) { - printf("Failed to find MS_CTL_OBJID\n"); - return 1; /* FAILED */ - } - value = p7->d.sign->contents->d.other->value.sequence; - data = value->data; - ctlc = d2i_MsCtlContent(NULL, &data, value->length); + ctlc = ms_ctl_content_get(p7); if (!ctlc) { printf("Failed to extract MS_CTL_OBJID data\n"); return 1; /* FAILED */ } - indir_objid = OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1); for (i = 0; i < sk_CatalogInfo_num(ctlc->header_attributes); i++) { - STACK_OF(CatalogAuthAttr) *attributes; + int j; CatalogInfo *header_attr = sk_CatalogInfo_value(ctlc->header_attributes, i); if (header_attr == NULL) continue; - attributes = header_attr->attributes; - for (j = 0; j < sk_CatalogAuthAttr_num(attributes); j++) { - CatalogAuthAttr *attribute = sk_CatalogAuthAttr_value(attributes, j); + for (j = 0; j < sk_CatalogAuthAttr_num(header_attr->attributes); j++) { + char object_txt[128]; + CatalogAuthAttr *attribute; + ASN1_TYPE *content; + + attribute = sk_CatalogAuthAttr_value(header_attr->attributes, j); if (!attribute) continue; - if (OBJ_cmp(attribute->type, indir_objid)) + content = catalog_content_get(attribute); + if (!content) continue; - if (!verify_member(ctx, attribute)) { - /* computed message digest of the file is found in the catalog file */ - MsCtlContent_free(ctlc); - ASN1_OBJECT_free(indir_objid); - return 0; /* OK */ + object_txt[0] = 0x00; + OBJ_obj2txt(object_txt, sizeof object_txt, attribute->type, 1); + if (!strcmp(object_txt, SPC_INDIRECT_DATA_OBJID)) { + /* SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 */ + if (!verify_content_member_digest(ctx, content)) { + /* computed message digest of the file is found in the catalog file */ + ASN1_TYPE_free(content); + MsCtlContent_free(ctlc); + return 0; /* OK */ + } } + ASN1_TYPE_free(content); } } MsCtlContent_free(ctlc); - ASN1_OBJECT_free(indir_objid); ERR_print_errors_fp(stdout); return 1; /* FAILED */ } diff --git a/osslsigncode.h b/osslsigncode.h index 3a5229d..968c364 100644 --- a/osslsigncode.h +++ b/osslsigncode.h @@ -176,6 +176,8 @@ #define SPC_RFC3161_OBJID "1.3.6.1.4.1.311.3.3.1" /* Microsoft OID Crypto 2.0 */ #define MS_CTL_OBJID "1.3.6.1.4.1.311.10.1" +/* Microsoft OID Catalog */ +#define CAT_NAMEVALUE_OBJID "1.3.6.1.4.1.311.12.2.1" /* Microsoft OID Microsoft_Java */ #define MS_JAVA_SOMETHING "1.3.6.1.4.1.311.15.1" diff --git a/tests/files/unsigned.cat b/tests/files/unsigned.cat index 7e6822b..8160bb7 100644 Binary files a/tests/files/unsigned.cat and b/tests/files/unsigned.cat differ diff --git a/tests/sources/CatalogDefinitionFileName.cdf b/tests/sources/CatalogDefinitionFileName.cdf new file mode 100644 index 0000000..4310f58 --- /dev/null +++ b/tests/sources/CatalogDefinitionFileName.cdf @@ -0,0 +1,48 @@ +# https://learn.microsoft.com/en-us/windows/win32/seccrypto/makecat +# makecat -v CatalogDefinitionFileName.cdf + +# Define information about the entire catalog file. +[CatalogHeader] + +# Name of the catalog file, including its extension. +Name=unsigned.cat + +# Directory where the created unsigned.cat file will be placed. +ResultDir=..\files + +# This option is not supported. Default value 1 is used. +PublicVersion=0x0000001 + +# Catalog version. +# If the version is set to 2, the HashAlgorithms option must contain SHA256. +CatalogVersion=2 + +# Name of the hashing algorithm used. +HashAlgorithms=SHA256 + +# Specifies whether to hash the files listed in the option in the [CatalogFiles] section +PageHashes=true + +# Type of message encoding used. +# The default EncodingType is PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0x00010001 +EncodingType=0x00010001 + +# Specify an attribute of the catalog file. +# Set 1.3.6.1.4.1.311.12.2.1 CAT_NAMEVALUE_OBJID +# CATATTR1={type}:{oid}:{value} (optional) +# The OSAttr attribute specifies the target Windows version +CATATTR1=0x11010001:OSAttr:2:6.0 + +# Define each member of the catalog file. +[CatalogFiles] + +PEfile=..\files\unsigned.exe +# 0x00010000 Attribute is represented in plaintext. No conversion will be done. +PEfileATTR1=0x11010001:File:unsigned.exe + +MSIfile=..\files\unsigned.msi +# 0x00020000 Attribute is represented in base-64 encoding. +MSIfileATTR1=0x11020001:File:dW5zaWduZWQubXNp + +CABfile=..\files\unsigned.ex_ +CABfileATTR1=0x11010001:File:unsigned.ex_ diff --git a/tests/sources/good.cat b/tests/sources/good.cat deleted file mode 100755 index 23cfbee..0000000 Binary files a/tests/sources/good.cat and /dev/null differ