nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-05 01:00:11 -05:00
Code Issues Projects Releases Wiki Activity

Listing each member of the CAT file

Browse Source
This commit is contained in:
olszomal 2023-11-20 15:10:24 +01:00 committed by Michał Trojnara
parent f9ad19d4a2
commit 0db17be606
9 changed files with 289 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
NEWS.md
View File

@ -2,6 +2,9 @@
### 2.8 (unreleased) ### 2.8 (unreleased)
- added CAT file verification and listing each member of the CAT file
by using the "-verbose" option
### 2.7 (2023.09.19) ### 2.7 (2023.09.19)
- fixed signing CAB files (by Michael Brown) - fixed signing CAB files (by Michael Brown)

170
cat.c
View File

@ -15,6 +15,22 @@ const u_char pkcs7_signed_data[] = {
0x01, 0x07, 0x02, 0x01, 0x07, 0x02,
}; };
typedef struct {
ASN1_BMPSTRING *tag;
ASN1_INTEGER *flags;
ASN1_OCTET_STRING *value;
} CatNameValueContent;
DECLARE_ASN1_FUNCTIONS(CatNameValueContent)
ASN1_SEQUENCE(CatNameValueContent) = {
ASN1_SIMPLE(CatNameValueContent, tag, ASN1_BMPSTRING),
ASN1_SIMPLE(CatNameValueContent, flags, ASN1_INTEGER),
ASN1_SIMPLE(CatNameValueContent, value, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(CatNameValueContent)
IMPLEMENT_ASN1_FUNCTIONS(CatNameValueContent)
struct cat_ctx_st { struct cat_ctx_st {
uint32_t sigpos; uint32_t sigpos;
uint32_t siglen; uint32_t siglen;
@ -47,6 +63,11 @@ FILE_FORMAT file_format_cat = {
static CAT_CTX *cat_ctx_get(char *indata, uint32_t filesize); static CAT_CTX *cat_ctx_get(char *indata, uint32_t filesize);
static int cat_add_ms_ctl_object(PKCS7 *p7); static int cat_add_ms_ctl_object(PKCS7 *p7);
static int cat_sign_ms_ctl_content(PKCS7 *p7, PKCS7 *contents); static int cat_sign_ms_ctl_content(PKCS7 *p7, PKCS7 *contents);
static int cat_list_content(PKCS7 *p7);
static int cat_print_content_member_digest(ASN1_TYPE *content);
static int cat_print_content_member_name(ASN1_TYPE *content);
static void cat_print_base64(ASN1_OCTET_STRING *value);
static void cat_print_utf16_as_ascii(ASN1_OCTET_STRING *value);
/* /*
* FILE_FORMAT method definitions * FILE_FORMAT method definitions
@ -97,7 +118,7 @@ static FILE_FORMAT_CTX *cat_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *out
BIO_push(hash, outdata); BIO_push(hash, outdata);
if (options->cmd == CMD_VERIFY) if (options->cmd == CMD_VERIFY)
printf("Warning: Use -catalog option to verify that a file, listed in catalog file, is signed\n\n"); printf("Warning: Use -catalog option to verify that a file, listed in catalog file, is signed\n");
if (options->nest) if (options->nest)
/* I've not tried using set_nested_signature as signtool won't do this */ /* I've not tried using set_nested_signature as signtool won't do this */
printf("Warning: CAT files do not support nesting (multiple signature)\n"); printf("Warning: CAT files do not support nesting (multiple signature)\n");
@ -133,6 +154,9 @@ static int cat_check_file(FILE_FORMAT_CTX *ctx, int detached)
printf("No signature found\n\n"); printf("No signature found\n\n");
return 0; /* FAILED */ return 0; /* FAILED */
} }
if (ctx->options->verbose) {
(void)cat_list_content(ctx->cat_ctx->p7);
}
return 1; /* OK */ return 1; /* OK */
} }
@ -335,6 +359,150 @@ static int cat_sign_ms_ctl_content(PKCS7 *p7, PKCS7 *contents)
return 1; /* OK */ return 1; /* OK */
} }
/*
* Print each member of the CAT file by using the "-verbose" option.
* [in, out] p7: catalog file to verify
* [returns] 1 on error or 0 on success
*/
static int cat_list_content(PKCS7 *p7)
{
MsCtlContent *ctlc;
int i;
ctlc = ms_ctl_content_get(p7);
if (!ctlc) {
printf("Failed to extract MS_CTL_OBJID data\n");
return 1; /* FAILED */
}
printf("\nCatalog members:\n");
for (i = 0; i < sk_CatalogInfo_num(ctlc->header_attributes); i++) {
int j, found = 0;
CatalogInfo *header_attr = sk_CatalogInfo_value(ctlc->header_attributes, i);
if (header_attr == NULL)
continue;
for (j = 0; j < sk_CatalogAuthAttr_num(header_attr->attributes); j++) {
char object_txt[128];
CatalogAuthAttr *attribute;
ASN1_TYPE *content;
attribute = sk_CatalogAuthAttr_value(header_attr->attributes, j);
if (!attribute)
continue;
content = catalog_content_get(attribute);
if (!content)
continue;
object_txt[0] = 0x00;
OBJ_obj2txt(object_txt, sizeof object_txt, attribute->type, 1);
if (!strcmp(object_txt, CAT_NAMEVALUE_OBJID)) {
/* CAT_NAMEVALUE_OBJID OID: 1.3.6.1.4.1.311.12.2.1 */
found |= cat_print_content_member_name(content);
} else if (!strcmp(object_txt, SPC_INDIRECT_DATA_OBJID)) {
/* SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 */
found |= cat_print_content_member_digest(content);
}
ASN1_TYPE_free(content);
}
if (found)
printf("\n");
}
MsCtlContent_free(ctlc);
ERR_print_errors_fp(stdout);
return 0; /* OK */
}
/*
* Print a hash algorithm and a message digest from the SPC_INDIRECT_DATA_OBJID attribute.
* [in] content: catalog file content
* [returns] 0 on error or 1 on success
*/
static int cat_print_content_member_digest(ASN1_TYPE *content)
{
SpcIndirectDataContent *idc;
u_char mdbuf[EVP_MAX_MD_SIZE];
const u_char *data ;
int mdtype = -1;
ASN1_STRING *value;
value = content->value.sequence;
data = ASN1_STRING_get0_data(value);
idc = d2i_SpcIndirectDataContent(NULL, &data, ASN1_STRING_length(value));
if (!idc)
return 0; /* FAILED */
if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
/* get a digest algorithm a message digest of the file from the content */
mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
}
SpcIndirectDataContent_free(idc);
if (mdtype == -1) {
printf("Failed to extract current message digest\n\n");
return 0; /* FAILED */
}
printf("\tHash algorithm: %s\n", OBJ_nid2sn(mdtype));
print_hash("\tMessage digest", "", mdbuf, EVP_MD_size(EVP_get_digestbynid(mdtype)));
return 1; /* OK */
}
/*
* Print a file name from the CAT_NAMEVALUE_OBJID attribute.
* [in] content: catalog file content
* [returns] 0 on error or 1 on success
*/
static int cat_print_content_member_name(ASN1_TYPE *content)
{
CatNameValueContent *nvc;
const u_char *data = NULL;
ASN1_STRING *value;
value = content->value.sequence;
data = ASN1_STRING_get0_data(value);
nvc = d2i_CatNameValueContent(NULL, &data, ASN1_STRING_length(value));
if (!nvc) {
return 0; /* FAILED */
}
printf("\tFile name: ");
if (ASN1_INTEGER_get(nvc->flags) & 0x00020000) {
cat_print_base64(nvc->value);
} else {
cat_print_utf16_as_ascii(nvc->value);
}
printf("\n");
CatNameValueContent_free(nvc);
return 1; /* OK */
}
/*
* Print a CAT_NAMEVALUE_OBJID attribute represented in base-64 encoding.
* [in] value: catalog member file name
* [returns] none
*/
static void cat_print_base64(ASN1_OCTET_STRING *value)
{
BIO *stdbio, *b64;
stdbio = BIO_new_fp(stdout, BIO_NOCLOSE);
b64 = BIO_new(BIO_f_base64());
BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
stdbio = BIO_push(b64, stdbio);
ASN1_STRING_print_ex(stdbio, value, 0);
BIO_free_all(stdbio);
}
/*
* Print a CAT_NAMEVALUE_OBJID attribute represented in plaintext.
* [in] value: catalog member file name
* [returns] none
*/
static void cat_print_utf16_as_ascii(ASN1_OCTET_STRING *value)
{
const u_char *data;
int len, i;
data = ASN1_STRING_get0_data(value);
len = ASN1_STRING_length(value);
for (i = 0; i < len && (data[i] || data[i+1]); i+=2)
putchar(isprint(data[i]) && !data[i+1] ? data[i] : '.');
}
/* /*
Local Variables: Local Variables:
c-basic-offset: 4 c-basic-offset: 4

39
helpers.c
View File

@ -411,6 +411,45 @@ int is_content_type(PKCS7 *p7, const char *objid)
return ret; return ret;
} }
/*
* [in] p7: new PKCS#7 signature
* [returns] pointer to MsCtlContent structure
*/
MsCtlContent *ms_ctl_content_get(PKCS7 *p7)
{
ASN1_STRING *value;
const u_char *data;
if (!is_content_type(p7, MS_CTL_OBJID)) {
printf("Failed to find MS_CTL_OBJID\n");
return NULL; /* FAILED */
}
value = p7->d.sign->contents->d.other->value.sequence;
data = ASN1_STRING_get0_data(value);
return d2i_MsCtlContent(NULL, &data, ASN1_STRING_length(value));
}
/*
* [in] attribute: catalog attribute
* [returns] catalog content
*/
ASN1_TYPE *catalog_content_get(CatalogAuthAttr *attribute)
{
ASN1_STRING *value;
STACK_OF(ASN1_TYPE) *contents;
ASN1_TYPE *content;
const u_char *contents_data;
value = attribute->contents->value.sequence;
contents_data = ASN1_STRING_get0_data(value);
contents = d2i_ASN1_SET_ANY(NULL, &contents_data, ASN1_STRING_length(value));
if (!contents)
return 0; /* FAILED */
content = sk_ASN1_TYPE_value(contents, 0);
sk_ASN1_TYPE_free(contents);
return content;
}
/* /*
* PE and CAB format specific * PE and CAB format specific
* [in] none * [in] none

2
helpers.h
View File

@ -19,6 +19,8 @@ int asn1_simple_hdr_len(const u_char *p, int len);
int bio_hash_data(BIO *hash, char *indata, size_t idx, size_t fileend); int bio_hash_data(BIO *hash, char *indata, size_t idx, size_t fileend);
void print_hash(const char *descript1, const char *descript2, const u_char *hashbuf, int length); void print_hash(const char *descript1, const char *descript2, const u_char *hashbuf, int length);
int is_content_type(PKCS7 *p7, const char *objid); int is_content_type(PKCS7 *p7, const char *objid);
MsCtlContent *ms_ctl_content_get(PKCS7 *p7);
ASN1_TYPE *catalog_content_get(CatalogAuthAttr *attribute);
SpcLink *spc_link_obsolete_get(void); SpcLink *spc_link_obsolete_get(void);
PKCS7 *pkcs7_get(char *indata, uint32_t sigpos, uint32_t siglen); PKCS7 *pkcs7_get(char *indata, uint32_t sigpos, uint32_t siglen);
int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype); int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype);

65
osslsigncode.c
View File

@ -2272,35 +2272,24 @@ out:
* The attribute type is SPC_INDIRECT_DATA_OBJID, so get a digest algorithm and a message digest * The attribute type is SPC_INDIRECT_DATA_OBJID, so get a digest algorithm and a message digest
* from the content and compare the message digest against the computed message digest of the file * from the content and compare the message digest against the computed message digest of the file
* [in] ctx: structure holds input and output data * [in] ctx: structure holds input and output data
* [in] attribute: structure holds input and output data * [in] content: catalog file content
* [returns] 1 on error or 0 on success * [returns] 1 on error or 0 on success
*/ */
static int verify_member(FILE_FORMAT_CTX *ctx, CatalogAuthAttr *attribute) static int verify_content_member_digest(FILE_FORMAT_CTX *ctx, ASN1_TYPE *content)
{ {
int mdlen, mdtype = -1; int mdlen, mdtype = -1;
u_char mdbuf[EVP_MAX_MD_SIZE]; u_char mdbuf[EVP_MAX_MD_SIZE];
SpcIndirectDataContent *idc; SpcIndirectDataContent *idc;
const u_char *data; const u_char *data;
ASN1_STRING *value; ASN1_STRING *value;
STACK_OF(ASN1_TYPE) *contents;
ASN1_TYPE *content;
const EVP_MD *md; const EVP_MD *md;
u_char *cmdbuf = NULL; u_char *cmdbuf = NULL;
value = attribute->contents->value.sequence;
data = value->data;
contents = d2i_ASN1_SET_ANY(NULL, &data, value->length);
if (contents == NULL) {
return 1; /* FAILED */
}
content = sk_ASN1_TYPE_value(contents, 0);
sk_ASN1_TYPE_free(contents);
value = content->value.sequence; value = content->value.sequence;
data = value->data; data = ASN1_STRING_get0_data(value);
idc = d2i_SpcIndirectDataContent(NULL, &data, value->length); idc = d2i_SpcIndirectDataContent(NULL, &data, ASN1_STRING_length(value));
if (!idc) { if (!idc) {
printf("Failed to extract SpcIndirectDataContent data\n"); printf("Failed to extract SpcIndirectDataContent data\n");
ASN1_TYPE_free(content);
return 1; /* FAILED */ return 1; /* FAILED */
} }
if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) { if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
@ -2308,7 +2297,6 @@ static int verify_member(FILE_FORMAT_CTX *ctx, CatalogAuthAttr *attribute)
mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm); mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length); memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
} }
ASN1_TYPE_free(content);
if (mdtype == -1) { if (mdtype == -1) {
printf("Failed to extract current message digest\n\n"); printf("Failed to extract current message digest\n\n");
SpcIndirectDataContent_free(idc); SpcIndirectDataContent_free(idc);
@ -2356,46 +2344,45 @@ static int verify_member(FILE_FORMAT_CTX *ctx, CatalogAuthAttr *attribute)
*/ */
static int verify_content(FILE_FORMAT_CTX *ctx, PKCS7 *p7) static int verify_content(FILE_FORMAT_CTX *ctx, PKCS7 *p7)
{ {
ASN1_STRING *value;
ASN1_OBJECT *indir_objid;
const u_char *data;
MsCtlContent *ctlc; MsCtlContent *ctlc;
int i, j; int i;
if (!is_content_type(p7, MS_CTL_OBJID)) { ctlc = ms_ctl_content_get(p7);
printf("Failed to find MS_CTL_OBJID\n");
return 1; /* FAILED */
}
value = p7->d.sign->contents->d.other->value.sequence;
data = value->data;
ctlc = d2i_MsCtlContent(NULL, &data, value->length);
if (!ctlc) { if (!ctlc) {
printf("Failed to extract MS_CTL_OBJID data\n"); printf("Failed to extract MS_CTL_OBJID data\n");
return 1; /* FAILED */ return 1; /* FAILED */
} }
indir_objid = OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1);
for (i = 0; i < sk_CatalogInfo_num(ctlc->header_attributes); i++) { for (i = 0; i < sk_CatalogInfo_num(ctlc->header_attributes); i++) {
STACK_OF(CatalogAuthAttr) *attributes; int j;
CatalogInfo *header_attr = sk_CatalogInfo_value(ctlc->header_attributes, i); CatalogInfo *header_attr = sk_CatalogInfo_value(ctlc->header_attributes, i);
if (header_attr == NULL) if (header_attr == NULL)
continue; continue;
attributes = header_attr->attributes; for (j = 0; j < sk_CatalogAuthAttr_num(header_attr->attributes); j++) {
for (j = 0; j < sk_CatalogAuthAttr_num(attributes); j++) { char object_txt[128];
CatalogAuthAttr *attribute = sk_CatalogAuthAttr_value(attributes, j); CatalogAuthAttr *attribute;
ASN1_TYPE *content;
attribute = sk_CatalogAuthAttr_value(header_attr->attributes, j);
if (!attribute) if (!attribute)
continue; continue;
if (OBJ_cmp(attribute->type, indir_objid)) content = catalog_content_get(attribute);
if (!content)
continue; continue;
if (!verify_member(ctx, attribute)) { object_txt[0] = 0x00;
/* computed message digest of the file is found in the catalog file */ OBJ_obj2txt(object_txt, sizeof object_txt, attribute->type, 1);
MsCtlContent_free(ctlc); if (!strcmp(object_txt, SPC_INDIRECT_DATA_OBJID)) {
ASN1_OBJECT_free(indir_objid); /* SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 */
return 0; /* OK */ if (!verify_content_member_digest(ctx, content)) {
/* computed message digest of the file is found in the catalog file */
ASN1_TYPE_free(content);
MsCtlContent_free(ctlc);
return 0; /* OK */
}
} }
ASN1_TYPE_free(content);
} }
} }
MsCtlContent_free(ctlc); MsCtlContent_free(ctlc);
ASN1_OBJECT_free(indir_objid);
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
return 1; /* FAILED */ return 1; /* FAILED */
} }

2
osslsigncode.h
View File

@ -176,6 +176,8 @@
#define SPC_RFC3161_OBJID "1.3.6.1.4.1.311.3.3.1" #define SPC_RFC3161_OBJID "1.3.6.1.4.1.311.3.3.1"
/* Microsoft OID Crypto 2.0 */ /* Microsoft OID Crypto 2.0 */
#define MS_CTL_OBJID "1.3.6.1.4.1.311.10.1" #define MS_CTL_OBJID "1.3.6.1.4.1.311.10.1"
/* Microsoft OID Catalog */
#define CAT_NAMEVALUE_OBJID "1.3.6.1.4.1.311.12.2.1"
/* Microsoft OID Microsoft_Java */ /* Microsoft OID Microsoft_Java */
#define MS_JAVA_SOMETHING "1.3.6.1.4.1.311.15.1" #define MS_JAVA_SOMETHING "1.3.6.1.4.1.311.15.1"

BIN
tests/files/unsigned.cat
View File

Binary file not shown.

48
tests/sources/CatalogDefinitionFileName.cdf Normal file
View File

@ -0,0 +1,48 @@
# https://learn.microsoft.com/en-us/windows/win32/seccrypto/makecat
# makecat -v CatalogDefinitionFileName.cdf
# Define information about the entire catalog file.
[CatalogHeader]
# Name of the catalog file, including its extension.
Name=unsigned.cat
# Directory where the created unsigned.cat file will be placed.
ResultDir=..\files
# This option is not supported. Default value 1 is used.
PublicVersion=0x0000001
# Catalog version.
# If the version is set to 2, the HashAlgorithms option must contain SHA256.
CatalogVersion=2
# Name of the hashing algorithm used.
HashAlgorithms=SHA256
# Specifies whether to hash the files listed in the <HASH> option in the [CatalogFiles] section
PageHashes=true
# Type of message encoding used.
# The default EncodingType is PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0x00010001
EncodingType=0x00010001
# Specify an attribute of the catalog file.
# Set 1.3.6.1.4.1.311.12.2.1 CAT_NAMEVALUE_OBJID
# CATATTR1={type}:{oid}:{value} (optional)
# The OSAttr attribute specifies the target Windows version
CATATTR1=0x11010001:OSAttr:2:6.0
# Define each member of the catalog file.
[CatalogFiles]
<HASH>PEfile=..\files\unsigned.exe
# 0x00010000 Attribute is represented in plaintext. No conversion will be done.
<HASH>PEfileATTR1=0x11010001:File:unsigned.exe
<HASH>MSIfile=..\files\unsigned.msi
# 0x00020000 Attribute is represented in base-64 encoding.
<HASH>MSIfileATTR1=0x11020001:File:dW5zaWduZWQubXNp
<HASH>CABfile=..\files\unsigned.ex_
<HASH>CABfileATTR1=0x11010001:File:unsigned.ex_

BIN
tests/sources/good.cat
View File

Binary file not shown.