nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-05 01:00:11 -05:00
Code Issues Projects Releases Wiki Activity

APPX support (#303)

Browse Source 
Co-authored-by: Maciej Panek <Maciej.panek@punxworks.com>
Co-authored-by: olszomal <Malgorzata.Olszowka@stunnel.org>
This commit is contained in:
Michał Trojnara 2023-09-19 21:23:32 +02:00 committed by GitHub
parent a6f767f5a3
commit 1700455533
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 2802 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
CMakeLists.txt
View File

@ -30,6 +30,7 @@ set(CMAKE_C_STANDARD_REQUIRED ON)
# load CMake library modules # load CMake library modules
include(FindOpenSSL) include(FindOpenSSL)
include(FindCURL) include(FindCURL)
include(FindZLIB)
# load CMake project modules # load CMake project modules
set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake") set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake")
@ -47,7 +48,7 @@ configure_file(Config.h.in config.h)
target_compile_definitions(osslsigncode PRIVATE HAVE_CONFIG_H=1) target_compile_definitions(osslsigncode PRIVATE HAVE_CONFIG_H=1)
# set sources # set sources
target_sources(osslsigncode PRIVATE osslsigncode.c helpers.c msi.c pe.c cab.c cat.c) target_sources(osslsigncode PRIVATE osslsigncode.c helpers.c msi.c pe.c cab.c cat.c appx.c)
if(NOT UNIX) if(NOT UNIX)
target_sources(osslsigncode PRIVATE applink.c) target_sources(osslsigncode PRIVATE applink.c)
endif(NOT UNIX) endif(NOT UNIX)
@ -72,6 +73,12 @@ else(CURL_FOUND)
message(STATUS "cURL support disabled (library not found)") message(STATUS "cURL support disabled (library not found)")
endif(CURL_FOUND) endif(CURL_FOUND)
if(NOT ZLIB_FOUND)
message(FATAL_ERROR "Zlib library not found")
endif(NOT ZLIB_FOUND)
target_include_directories(osslsigncode PRIVATE ${ZLIB_INCLUDE_DIR})
target_link_libraries(osslsigncode PRIVATE ${ZLIB_LIBRARIES})
# add paths to linker search and installed rpath # add paths to linker search and installed rpath
set_target_properties(osslsigncode PROPERTIES INSTALL_RPATH_USE_LINK_PATH TRUE) set_target_properties(osslsigncode PROPERTIES INSTALL_RPATH_USE_LINK_PATH TRUE)

1
NEWS.md
View File

@ -2,6 +2,7 @@
### 2.7 (unreleased) ### 2.7 (unreleased)
- added APPX support (by Maciej Panek and Małgorzata Olszówka)
- added a built-in TSA response generation (-TSA-certs, -TSA-key - added a built-in TSA response generation (-TSA-certs, -TSA-key
and -TSA-time options) and -TSA-time options)

2684
appx.c Normal file
View File

File diff suppressed because it is too large Load Diff

11
cab.c
View File

@ -43,6 +43,7 @@ struct cab_ctx_st {
/* FILE_FORMAT method prototypes */ /* FILE_FORMAT method prototypes */
static FILE_FORMAT_CTX *cab_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata); static FILE_FORMAT_CTX *cab_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata);
static ASN1_OBJECT *cab_obsolete_link_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx); static ASN1_OBJECT *cab_obsolete_link_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx);
static int cab_hash_length_get(FILE_FORMAT_CTX *ctx);
static int cab_check_file(FILE_FORMAT_CTX *ctx, int detached); static int cab_check_file(FILE_FORMAT_CTX *ctx, int detached);
static u_char *cab_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md); static u_char *cab_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md);
static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7); static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7);
@ -57,6 +58,7 @@ static void cab_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
FILE_FORMAT file_format_cab = { FILE_FORMAT file_format_cab = {
.ctx_new = cab_ctx_new, .ctx_new = cab_ctx_new,
.data_blob_get = cab_obsolete_link_get, .data_blob_get = cab_obsolete_link_get,
.hash_length_get = cab_hash_length_get,
.check_file = cab_check_file, .check_file = cab_check_file,
.digest_calc = cab_digest_calc, .digest_calc = cab_digest_calc,
.verify_digests = cab_verify_digests, .verify_digests = cab_verify_digests,
@ -149,6 +151,15 @@ static ASN1_OBJECT *cab_obsolete_link_get(u_char **p, int *plen, FILE_FORMAT_CTX
return dtype; /* OK */ return dtype; /* OK */
} }
/*
* [in] ctx: structure holds input and output data
* [returns] the size of the message digest when passed an EVP_MD structure (the size of the hash)
*/
static int cab_hash_length_get(FILE_FORMAT_CTX *ctx)
{
return EVP_MD_size(ctx->options->md);
}
/* /*
* Check if the signature exists. * Check if the signature exists.
* [in, out] ctx: structure holds input and output data * [in, out] ctx: structure holds input and output data

2
cat.c
View File

@ -99,7 +99,7 @@ static FILE_FORMAT_CTX *cat_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *out
if (options->nest) if (options->nest)
/* I've not tried using set_nested_signature as signtool won't do this */ /* I've not tried using set_nested_signature as signtool won't do this */
printf("Warning: CAT files do not support nesting\n"); printf("Warning: CAT files do not support nesting (multiple signature)\n");
if (options->jp >= 0) if (options->jp >= 0)
printf("Warning: -jp option is only valid for CAB files\n"); printf("Warning: -jp option is only valid for CAB files\n");
if (options->pagehash == 1) if (options->pagehash == 1)

90
cmake/CMakeTest.cmake
View File

@ -123,8 +123,9 @@ string(SUBSTRING ${sha256sum} 0 64 leafhash)
enable_testing() enable_testing()
set(extensions_4 "exe" "ex_" "msi" "cat") set(extensions_all "exe" "ex_" "msi" "256appx" "512appx" "cat")
set(extensions_3 "exe" "ex_" "msi") set(extensions_nocat "exe" "ex_" "msi" "256appx" "512appx")
set(extensions_nocatappx "exe" "ex_" "msi")
# Test 1 # Test 1
# Print osslsigncode version # Print osslsigncode version
@ -135,7 +136,7 @@ add_test(NAME version
# Tests 2-5 # Tests 2-5
# Sign with PKCS#12 container with legacy RC2-40-CBC private key and certificate encryption algorithm # Sign with PKCS#12 container with legacy RC2-40-CBC private key and certificate encryption algorithm
foreach(ext ${extensions_4}) foreach(ext ${extensions_all})
add_test( add_test(
NAME legacy_${ext} NAME legacy_${ext}
COMMAND osslsigncode "sign" COMMAND osslsigncode "sign"
@ -151,7 +152,7 @@ foreach(ext ${extensions_4})
"-n" "osslsigncode" "-n" "osslsigncode"
"-in" "${FILES}/unsigned.${ext}" "-in" "${FILES}/unsigned.${ext}"
"-out" "${FILES}/legacy.${ext}") "-out" "${FILES}/legacy.${ext}")
endforeach(ext ${extensions_4}) endforeach(ext ${extensions_all})
# Tests 6-9 # Tests 6-9
# Sign with PKCS#12 container with legacy RC2-40-CBC private key and certificate encryption algorithm # Sign with PKCS#12 container with legacy RC2-40-CBC private key and certificate encryption algorithm
@ -159,7 +160,7 @@ endforeach(ext ${extensions_4})
# Option "-nolegacy" requires OpenSSL 3.0.0 or later # Option "-nolegacy" requires OpenSSL 3.0.0 or later
# This tests are expected to fail # This tests are expected to fail
if(OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0) if(OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0)
foreach(ext ${extensions_4}) foreach(ext ${extensions_all})
add_test( add_test(
NAME nolegacy_${ext} NAME nolegacy_${ext}
COMMAND osslsigncode "sign" COMMAND osslsigncode "sign"
@ -180,12 +181,12 @@ if(OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0)
nolegacy_${ext} nolegacy_${ext}
PROPERTIES PROPERTIES
WILL_FAIL TRUE) WILL_FAIL TRUE)
endforeach(ext ${extensions_4}) endforeach(ext ${extensions_all})
endif(OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0) endif(OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0)
# Tests 10-13 # Tests 10-13
# Sign with PKCS#12 container with AES-256-CBC private key and certificate encryption algorithm # Sign with PKCS#12 container with AES-256-CBC private key and certificate encryption algorithm
foreach(ext ${extensions_4}) foreach(ext ${extensions_all})
add_test( add_test(
NAME signed_${ext} NAME signed_${ext}
COMMAND osslsigncode "sign" COMMAND osslsigncode "sign"
@ -201,11 +202,11 @@ foreach(ext ${extensions_4})
"-n" "osslsigncode" "-n" "osslsigncode"
"-in" "${FILES}/unsigned.${ext}" "-in" "${FILES}/unsigned.${ext}"
"-out" "${FILES}/signed.${ext}") "-out" "${FILES}/signed.${ext}")
endforeach(ext ${extensions_4}) endforeach(ext ${extensions_all})
# Tests 14-17 # Tests 14-17
# Sign with revoked certificate # Sign with revoked certificate
foreach(ext ${extensions_4}) foreach(ext ${extensions_all})
add_test( add_test(
NAME revoked_${ext} NAME revoked_${ext}
COMMAND osslsigncode "sign" COMMAND osslsigncode "sign"
@ -222,12 +223,12 @@ foreach(ext ${extensions_4})
"-n" "osslsigncode" "-n" "osslsigncode"
"-in" "${FILES}/unsigned.${ext}" "-in" "${FILES}/unsigned.${ext}"
"-out" "${FILES}/revoked.${ext}") "-out" "${FILES}/revoked.${ext}")
endforeach(ext ${extensions_4}) endforeach(ext ${extensions_all})
# Tests 18-20 # Tests 18-20
# Remove signature # Remove signature
# Unsupported command for CAT files # Unsupported command for CAT files
foreach(ext ${extensions_3}) foreach(ext ${extensions_nocat})
add_test( add_test(
NAME removed_${ext} NAME removed_${ext}
COMMAND osslsigncode "remove-signature" COMMAND osslsigncode "remove-signature"
@ -238,11 +239,11 @@ foreach(ext ${extensions_3})
PROPERTIES PROPERTIES
DEPENDS "signed_${ext}" DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.${ext}") REQUIRED_FILES "${FILES}/signed.${ext}")
endforeach(ext ${extensions_3}) endforeach(ext ${extensions_nocat})
# Tests 21-24 # Tests 21-24
# Extract PKCS#7 signature in PEM format # Extract PKCS#7 signature in PEM format
foreach(ext ${extensions_4}) foreach(ext ${extensions_all})
add_test( add_test(
NAME extract_pem_${ext} NAME extract_pem_${ext}
COMMAND osslsigncode "extract-signature" COMMAND osslsigncode "extract-signature"
@ -254,11 +255,11 @@ foreach(ext ${extensions_4})
PROPERTIES PROPERTIES
DEPENDS "signed_${ext}" DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.${ext}") REQUIRED_FILES "${FILES}/signed.${ext}")
endforeach(ext ${extensions_4}) endforeach(ext ${extensions_all})
# Tests 25-28 # Tests 25-28
# Extract PKCS#7 signature in default DER format # Extract PKCS#7 signature in default DER format
foreach(ext ${extensions_4}) foreach(ext ${extensions_all})
add_test( add_test(
NAME extract_der_${ext} NAME extract_der_${ext}
COMMAND osslsigncode "extract-signature" COMMAND osslsigncode "extract-signature"
@ -269,13 +270,13 @@ foreach(ext ${extensions_4})
PROPERTIES PROPERTIES
DEPENDS "signed_${ext}" DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.${ext}") REQUIRED_FILES "${FILES}/signed.${ext}")
endforeach(ext ${extensions_4}) endforeach(ext ${extensions_all})
# Tests 29-34 # Tests 29-34
# Attach signature in PEM or DER format # Attach signature in PEM or DER format
# Unsupported command for CAT files # Unsupported command for CAT files
set(formats "pem" "der") set(formats "pem" "der")
foreach(ext ${extensions_3}) foreach(ext ${extensions_nocat})
foreach(format ${formats}) foreach(format ${formats})
add_test( add_test(
NAME attached_${format}_${ext} NAME attached_${format}_${ext}
@ -299,11 +300,11 @@ foreach(ext ${extensions_3})
REQUIRED_FILES "${FILES}/signed.${ext}" REQUIRED_FILES "${FILES}/signed.${ext}"
REQUIRED_FILES "${FILES}/${ext}.${format}") REQUIRED_FILES "${FILES}/${ext}.${format}")
endforeach(format ${formats}) endforeach(format ${formats})
endforeach(ext ${extensions_3}) endforeach(ext ${extensions_nocat})
# Tests 35-38 # Tests 35-38
# Add an unauthenticated blob to a previously-signed file # Add an unauthenticated blob to a previously-signed file
foreach(ext ${extensions_4}) foreach(ext ${extensions_all})
add_test( add_test(
NAME added_${ext} NAME added_${ext}
COMMAND osslsigncode "add" COMMAND osslsigncode "add"
@ -316,11 +317,11 @@ foreach(ext ${extensions_4})
PROPERTIES PROPERTIES
DEPENDS "signed_${ext}" DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.${ext}") REQUIRED_FILES "${FILES}/signed.${ext}")
endforeach(ext ${extensions_4}) endforeach(ext ${extensions_all})
# Tests 39-42 # Tests 39-42
# Add the new nested signature instead of replacing the first one # Add the new nested signature instead of replacing the first one
foreach(ext ${extensions_4}) foreach(ext ${extensions_all})
add_test( add_test(
NAME nested_${ext} NAME nested_${ext}
COMMAND osslsigncode "sign" COMMAND osslsigncode "sign"
@ -344,14 +345,15 @@ foreach(ext ${extensions_4})
PROPERTIES PROPERTIES
DEPENDS "signed_${ext}" DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.${ext}") REQUIRED_FILES "${FILES}/signed.${ext}")
endforeach(ext ${extensions_4}) endforeach(ext ${extensions_all})
### Verify signature ### ### Verify signature ###
# Tests 43-45 # Tests 43-45
# Verify PE/MSI/CAB files signed in the catalog file # Verify PE/MSI/CAB files signed in the catalog file
foreach(ext ${extensions_3}) # APPX does not support detached PKCS#7 signature
foreach(ext ${extensions_nocatappx})
add_test( add_test(
NAME verify_catalog_${ext} NAME verify_catalog_${ext}
COMMAND osslsigncode "verify" COMMAND osslsigncode "verify"
@ -367,13 +369,13 @@ foreach(ext ${extensions_3})
DEPENDS "signed_${ext}" DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.cat" REQUIRED_FILES "${FILES}/signed.cat"
REQUIRED_FILES "${FILES}/unsigned.${ext}") REQUIRED_FILES "${FILES}/unsigned.${ext}")
endforeach(ext ${extensions_3}) endforeach(ext ${extensions_nocatappx})
# Tests 46-69 # Tests 46-69
# Verify signature # Verify signature
set(files "legacy" "signed" "nested" "added" "removed" "revoked" "attached_pem" "attached_der") set(files "legacy" "signed" "nested" "added" "removed" "revoked" "attached_pem" "attached_der")
foreach(file ${files}) foreach(file ${files})
foreach(ext ${extensions_3}) foreach(ext ${extensions_nocat})
add_test( add_test(
NAME verify_${file}_${ext} NAME verify_${file}_${ext}
COMMAND osslsigncode "verify" COMMAND osslsigncode "verify"
@ -386,18 +388,18 @@ foreach(file ${files})
PROPERTIES PROPERTIES
DEPENDS "${file}_${ext}" DEPENDS "${file}_${ext}"
REQUIRED_FILES "${FILES}/${file}.${ext}") REQUIRED_FILES "${FILES}/${file}.${ext}")
endforeach(ext ${extensions_3}) endforeach(ext ${extensions_nocat})
endforeach(file ${files}) endforeach(file ${files})
# "Removed" and "revoked" tests are expected to fail # "Removed" and "revoked" tests are expected to fail
set(files "removed" "revoked") set(files "removed" "revoked")
foreach(file ${files}) foreach(file ${files})
foreach(ext ${extensions_3}) foreach(ext ${extensions_nocat})
set_tests_properties( set_tests_properties(
verify_${file}_${ext} verify_${file}_${ext}
PROPERTIES PROPERTIES
WILL_FAIL TRUE) WILL_FAIL TRUE)
endforeach(ext ${extensions_3}) endforeach(ext ${extensions_nocat})
endforeach(file ${files}) endforeach(file ${files})
if(Python3_FOUND OR server_error) if(Python3_FOUND OR server_error)
@ -409,7 +411,7 @@ if(Python3_FOUND OR server_error)
# Use "cert" "expired" "revoked" without X509v3 CRL Distribution Points extension # Use "cert" "expired" "revoked" without X509v3 CRL Distribution Points extension
# and "cert_crldp" "revoked_crldp" contain X509v3 CRL Distribution Points extension # and "cert_crldp" "revoked_crldp" contain X509v3 CRL Distribution Points extension
set(pem_certs "cert" "expired" "revoked" "cert_crldp" "revoked_crldp") set(pem_certs "cert" "expired" "revoked" "cert_crldp" "revoked_crldp")
foreach(ext ${extensions_4}) foreach(ext ${extensions_all})
foreach(cert ${pem_certs}) foreach(cert ${pem_certs})
add_test( add_test(
NAME sign_ts_${cert}_${ext} NAME sign_ts_${cert}_${ext}
@ -432,14 +434,14 @@ if(Python3_FOUND OR server_error)
PROPERTIES PROPERTIES
REQUIRED_FILES "${LOGS}/port.log") REQUIRED_FILES "${LOGS}/port.log")
endforeach(cert ${pem_certs}) endforeach(cert ${pem_certs})
endforeach(ext ${extensions_4}) endforeach(ext ${extensions_all})
### Verify Time-Stamp Authority ### ### Verify Time-Stamp Authority ###
# Tests 90-92 # Tests 90-92
# Signature verification time: Sep 1 00:00:00 2019 GMT # Signature verification time: Sep 1 00:00:00 2019 GMT
foreach(ext ${extensions_3}) foreach(ext ${extensions_nocat})
add_test( add_test(
NAME verify_ts_cert_${ext} NAME verify_ts_cert_${ext}
COMMAND osslsigncode "verify" COMMAND osslsigncode "verify"
@ -453,11 +455,11 @@ if(Python3_FOUND OR server_error)
DEPENDS "sign_ts_cert_${ext}" DEPENDS "sign_ts_cert_${ext}"
REQUIRED_FILES "${FILES}/ts_cert.${ext}" REQUIRED_FILES "${FILES}/ts_cert.${ext}"
REQUIRED_FILES "${LOGS}/port.log") REQUIRED_FILES "${LOGS}/port.log")
endforeach(ext ${extensions_3}) endforeach(ext ${extensions_nocat})
# Tests 93-95 # Tests 93-95
# Signature verification time: Jan 1 00:00:00 2035 GMT # Signature verification time: Jan 1 00:00:00 2035 GMT
foreach(ext ${extensions_3}) foreach(ext ${extensions_nocat})
add_test( add_test(
NAME verify_ts_future_${ext} NAME verify_ts_future_${ext}
COMMAND osslsigncode "verify" COMMAND osslsigncode "verify"
@ -471,12 +473,12 @@ if(Python3_FOUND OR server_error)
DEPENDS "sign_ts_cert_${ext}" DEPENDS "sign_ts_cert_${ext}"
REQUIRED_FILES "${FILES}/ts_cert.${ext}" REQUIRED_FILES "${FILES}/ts_cert.${ext}"
REQUIRED_FILES "${LOGS}/port.log") REQUIRED_FILES "${LOGS}/port.log")
endforeach(ext ${extensions_3}) endforeach(ext ${extensions_nocat})
# Tests 96-98 # Tests 96-98
# Verify with ignored timestamp # Verify with ignored timestamp
# This tests are expected to fail # This tests are expected to fail
foreach(ext ${extensions_3}) foreach(ext ${extensions_nocat})
add_test( add_test(
NAME verify_ts_ignore_${ext} NAME verify_ts_ignore_${ext}
COMMAND osslsigncode "verify" COMMAND osslsigncode "verify"
@ -492,7 +494,7 @@ if(Python3_FOUND OR server_error)
REQUIRED_FILES "${FILES}/ts_cert.${ext}" REQUIRED_FILES "${FILES}/ts_cert.${ext}"
REQUIRED_FILES "${LOGS}/port.log" REQUIRED_FILES "${LOGS}/port.log"
WILL_FAIL TRUE) WILL_FAIL TRUE)
endforeach(ext ${extensions_3}) endforeach(ext ${extensions_nocat})
### Verify CRL Distribution Points ### ### Verify CRL Distribution Points ###
@ -501,7 +503,7 @@ if(Python3_FOUND OR server_error)
# Verify file signed with X509v3 CRL Distribution Points extension # Verify file signed with X509v3 CRL Distribution Points extension
# Signature verification time: Sep 1 00:00:00 2019 GMT # Signature verification time: Sep 1 00:00:00 2019 GMT
# Check X509v3 CRL Distribution Points extension, don't use "-CRLfile" and "-TSA-CRLfile" options # Check X509v3 CRL Distribution Points extension, don't use "-CRLfile" and "-TSA-CRLfile" options
foreach(ext ${extensions_3}) foreach(ext ${extensions_nocat})
add_test( add_test(
NAME verify_ts_cert_crldp_${ext} NAME verify_ts_cert_crldp_${ext}
COMMAND osslsigncode "verify" COMMAND osslsigncode "verify"
@ -515,13 +517,13 @@ if(Python3_FOUND OR server_error)
DEPENDS "sign_ts_cert_crldp_${ext}" DEPENDS "sign_ts_cert_crldp_${ext}"
REQUIRED_FILES "${FILES}/ts_cert_crldp.${ext}" REQUIRED_FILES "${FILES}/ts_cert_crldp.${ext}"
REQUIRED_FILES "${LOGS}/port.log") REQUIRED_FILES "${LOGS}/port.log")
endforeach(ext ${extensions_3}) endforeach(ext ${extensions_nocat})
# Tests 102-107 # Tests 102-107
# Verify with expired or revoked certificate without X509v3 CRL Distribution Points extension # Verify with expired or revoked certificate without X509v3 CRL Distribution Points extension
# This tests are expected to fail # This tests are expected to fail
set(failed_certs "expired" "revoked") set(failed_certs "expired" "revoked")
foreach(ext ${extensions_3}) foreach(ext ${extensions_nocat})
foreach(cert ${failed_certs}) foreach(cert ${failed_certs})
add_test( add_test(
NAME verify_ts_${cert}_${ext} NAME verify_ts_${cert}_${ext}
@ -539,13 +541,13 @@ if(Python3_FOUND OR server_error)
REQUIRED_FILES "${LOGS}/port.log" REQUIRED_FILES "${LOGS}/port.log"
WILL_FAIL TRUE) WILL_FAIL TRUE)
endforeach(cert ${failed_certs}) endforeach(cert ${failed_certs})
endforeach(ext ${extensions_3}) endforeach(ext ${extensions_nocat})
# Tests 108-110 # Tests 108-110
# Verify with revoked certificate contains X509v3 CRL Distribution Points extension # Verify with revoked certificate contains X509v3 CRL Distribution Points extension
# Check X509v3 CRL Distribution Points extension, don't use "-CRLfile" and "-TSA-CRLfile" options # Check X509v3 CRL Distribution Points extension, don't use "-CRLfile" and "-TSA-CRLfile" options
# This test is expected to fail # This test is expected to fail
foreach(ext ${extensions_3}) foreach(ext ${extensions_nocat})
add_test( add_test(
NAME verify_ts_revoked_crldp_${ext} NAME verify_ts_revoked_crldp_${ext}
COMMAND osslsigncode "verify" COMMAND osslsigncode "verify"
@ -560,7 +562,7 @@ if(Python3_FOUND OR server_error)
REQUIRED_FILES "${FILES}/ts_revoked_crldp.${ext}" REQUIRED_FILES "${FILES}/ts_revoked_crldp.${ext}"
REQUIRED_FILES "${LOGS}/port.log" REQUIRED_FILES "${LOGS}/port.log"
WILL_FAIL TRUE) WILL_FAIL TRUE)
endforeach(ext ${extensions_3}) endforeach(ext ${extensions_nocat})
### Cleanup ### ### Cleanup ###
@ -585,7 +587,7 @@ endif(Python3_FOUND OR server_error)
# Test 112 # Test 112
# Delete test files # Delete test files
foreach(ext ${extensions_4}) foreach(ext ${extensions_all})
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/legacy.${ext}") set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/legacy.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed.${ext}") set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed_crldp.${ext}") set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed_crldp.${ext}")
@ -603,7 +605,7 @@ foreach(ext ${extensions_4})
endforeach(format ${formats}) endforeach(format ${formats})
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jreq.tsq") set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jreq.tsq")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jresp.tsr") set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jresp.tsr")
endforeach(ext ${extensions_4}) endforeach(ext ${extensions_all})
add_test(NAME remove_files add_test(NAME remove_files
COMMAND ${CMAKE_COMMAND} -E rm -f ${OUTPUT_FILES}) COMMAND ${CMAKE_COMMAND} -E rm -f ${OUTPUT_FILES})

32
helpers.c
View File

@ -12,7 +12,7 @@
static int pkcs7_set_content_blob(PKCS7 *sig, PKCS7 *cursig); static int pkcs7_set_content_blob(PKCS7 *sig, PKCS7 *cursig);
static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx); static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx);
static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CTX *ctx); static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CTX *ctx);
static int pkcs7_set_spc_indirect_data_content(PKCS7 *p7, BIO *hash, u_char *buf, int len); static int pkcs7_set_spc_indirect_data_content(PKCS7 *p7, BIO *hash, u_char *buf, int len, FILE_FORMAT_CTX *ctx);
static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx); static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx); static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
@ -298,6 +298,7 @@ PKCS7 *pkcs7_create(FILE_FORMAT_CTX *ctx)
/* /*
* [in, out] p7: new PKCS#7 signature * [in, out] p7: new PKCS#7 signature
* [in] hash: message digest BIO * [in] hash: message digest BIO
* [in] ctx: structure holds input and output data
* [returns] 0 on error or 1 on success * [returns] 0 on error or 1 on success
*/ */
int add_indirect_data_object(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx) int add_indirect_data_object(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx)
@ -471,7 +472,7 @@ int pkcs7_set_data_content(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx)
buf = OPENSSL_malloc(SIZE_64K); buf = OPENSSL_malloc(SIZE_64K);
memcpy(buf, p, (size_t)len); memcpy(buf, p, (size_t)len);
OPENSSL_free(p); OPENSSL_free(p);
if (!pkcs7_set_spc_indirect_data_content(p7, hash, buf, len)) { if (!pkcs7_set_spc_indirect_data_content(p7, hash, buf, len, ctx)) {
OPENSSL_free(buf); OPENSSL_free(buf);
return 0; /* FAILED */ return 0; /* FAILED */
} }
@ -573,6 +574,7 @@ static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CT
{ {
u_char *p = NULL; u_char *p = NULL;
int hashlen, l = 0; int hashlen, l = 0;
int mdtype = EVP_MD_nid(ctx->options->md);
void *hash; void *hash;
SpcIndirectDataContent *idc = SpcIndirectDataContent_new(); SpcIndirectDataContent *idc = SpcIndirectDataContent_new();
@ -582,13 +584,12 @@ static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CT
idc->data->type = ctx->format->data_blob_get(&p, &l, ctx); idc->data->type = ctx->format->data_blob_get(&p, &l, ctx);
idc->data->value->value.sequence->data = p; idc->data->value->value.sequence->data = p;
idc->data->value->value.sequence->length = l; idc->data->value->value.sequence->length = l;
idc->messageDigest->digestAlgorithm->algorithm = OBJ_nid2obj(EVP_MD_nid(ctx->options->md)); idc->messageDigest->digestAlgorithm->algorithm = OBJ_nid2obj(mdtype);
idc->messageDigest->digestAlgorithm->parameters = ASN1_TYPE_new(); idc->messageDigest->digestAlgorithm->parameters = ASN1_TYPE_new();
idc->messageDigest->digestAlgorithm->parameters->type = V_ASN1_NULL; idc->messageDigest->digestAlgorithm->parameters->type = V_ASN1_NULL;
hashlen = EVP_MD_size(ctx->options->md); hashlen = ctx->format->hash_length_get(ctx);
hash = OPENSSL_malloc((size_t)hashlen); hash = OPENSSL_zalloc((size_t)hashlen);
memset(hash, 0, (size_t)hashlen);
ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
OPENSSL_free(hash); OPENSSL_free(hash);
@ -597,7 +598,7 @@ static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CT
p = *blob; p = *blob;
i2d_SpcIndirectDataContent(idc, &p); i2d_SpcIndirectDataContent(idc, &p);
SpcIndirectDataContent_free(idc); SpcIndirectDataContent_free(idc);
*len -= EVP_MD_size(ctx->options->md); *len -= hashlen;
return 1; /* OK */ return 1; /* OK */
} }
@ -607,17 +608,24 @@ static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CT
* [in] hash: message digest BIO * [in] hash: message digest BIO
* [in] blob: SpcIndirectDataContent data * [in] blob: SpcIndirectDataContent data
* [in] len: SpcIndirectDataContent data length * [in] len: SpcIndirectDataContent data length
* [in] ctx: FILE_FORMAT_CTX structure
* [returns] 0 on error or 1 on success * [returns] 0 on error or 1 on success
*/ */
static int pkcs7_set_spc_indirect_data_content(PKCS7 *p7, BIO *hash, u_char *buf, int len) static int pkcs7_set_spc_indirect_data_content(PKCS7 *p7, BIO *hash, u_char *buf, int len, FILE_FORMAT_CTX *ctx)
{ {
u_char mdbuf[EVP_MAX_MD_SIZE]; u_char mdbuf[5 * EVP_MAX_MD_SIZE + 24];
int mdlen, seqhdrlen; int mdlen, seqhdrlen, hashlen;
BIO *bio; BIO *bio;
PKCS7 *td7; PKCS7 *td7;
hashlen = ctx->format->hash_length_get(ctx);
if (hashlen > EVP_MAX_MD_SIZE) {
/* APPX format specific */
mdlen = BIO_read(hash, (char*)mdbuf, hashlen);
} else {
mdlen = BIO_gets(hash, (char*)mdbuf, EVP_MAX_MD_SIZE); mdlen = BIO_gets(hash, (char*)mdbuf, EVP_MAX_MD_SIZE);
memcpy(buf+len, mdbuf, (size_t)mdlen); }
memcpy(buf + len, mdbuf, (size_t)mdlen);
seqhdrlen = asn1_simple_hdr_len(buf, len); seqhdrlen = asn1_simple_hdr_len(buf, len);
if ((bio = PKCS7_dataInit(p7, NULL)) == NULL) { if ((bio = PKCS7_dataInit(p7, NULL)) == NULL) {
@ -638,7 +646,7 @@ static int pkcs7_set_spc_indirect_data_content(PKCS7 *p7, BIO *hash, u_char *buf
td7->d.other = ASN1_TYPE_new(); td7->d.other = ASN1_TYPE_new();
td7->d.other->type = V_ASN1_SEQUENCE; td7->d.other->type = V_ASN1_SEQUENCE;
td7->d.other->value.sequence = ASN1_STRING_new(); td7->d.other->value.sequence = ASN1_STRING_new();
ASN1_STRING_set(td7->d.other->value.sequence, buf, len+mdlen); ASN1_STRING_set(td7->d.other->value.sequence, buf, len + mdlen);
if (!PKCS7_set_content(p7, td7)) { if (!PKCS7_set_content(p7, td7)) {
PKCS7_free(td7); PKCS7_free(td7);
printf("PKCS7_set_content failed\n"); printf("PKCS7_set_content failed\n");

11
msi.c
View File

@ -215,6 +215,7 @@ struct msi_ctx_st {
/* FILE_FORMAT method prototypes */ /* FILE_FORMAT method prototypes */
static FILE_FORMAT_CTX *msi_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata); static FILE_FORMAT_CTX *msi_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata);
static ASN1_OBJECT *msi_spc_sip_info_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx); static ASN1_OBJECT *msi_spc_sip_info_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx);
static int msi_hash_length_get(FILE_FORMAT_CTX *ctx);
static int msi_check_file(FILE_FORMAT_CTX *ctx, int detached); static int msi_check_file(FILE_FORMAT_CTX *ctx, int detached);
static u_char *msi_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md); static u_char *msi_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md);
static int msi_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7); static int msi_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7);
@ -228,6 +229,7 @@ static void msi_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
FILE_FORMAT file_format_msi = { FILE_FORMAT file_format_msi = {
.ctx_new = msi_ctx_new, .ctx_new = msi_ctx_new,
.data_blob_get = msi_spc_sip_info_get, .data_blob_get = msi_spc_sip_info_get,
.hash_length_get = msi_hash_length_get,
.check_file = msi_check_file, .check_file = msi_check_file,
.digest_calc = msi_digest_calc, .digest_calc = msi_digest_calc,
.verify_digests = msi_verify_digests, .verify_digests = msi_verify_digests,
@ -346,6 +348,15 @@ static ASN1_OBJECT *msi_spc_sip_info_get(u_char **p, int *plen, FILE_FORMAT_CTX
return dtype; /* OK */ return dtype; /* OK */
} }
/*
* [in] ctx: structure holds input and output data
* [returns] the size of the message digest when passed an EVP_MD structure (the size of the hash)
*/
static int msi_hash_length_get(FILE_FORMAT_CTX *ctx)
{
return EVP_MD_size(ctx->options->md);
}
/* /*
* Get DigitalSignature and MsiDigitalSignatureEx streams, * Get DigitalSignature and MsiDigitalSignatureEx streams,
* check if the signature exists. * check if the signature exists.

4
osslsigncode.c
View File

@ -2571,6 +2571,8 @@ static int check_attached_data(GLOBAL_OPTIONS *options)
ctx = file_format_pe.ctx_new(tmp_options, NULL, NULL); ctx = file_format_pe.ctx_new(tmp_options, NULL, NULL);
if (!ctx) if (!ctx)
ctx = file_format_cab.ctx_new(tmp_options, NULL, NULL); ctx = file_format_cab.ctx_new(tmp_options, NULL, NULL);
if (!ctx)
ctx = file_format_appx.ctx_new(tmp_options, NULL, NULL);
if (!ctx) if (!ctx)
ctx = file_format_cat.ctx_new(tmp_options, NULL, NULL); ctx = file_format_cat.ctx_new(tmp_options, NULL, NULL);
if (!ctx) { if (!ctx) {
@ -3994,6 +3996,8 @@ int main(int argc, char **argv)
ctx = file_format_pe.ctx_new(&options, hash, outdata); ctx = file_format_pe.ctx_new(&options, hash, outdata);
if (!ctx) if (!ctx)
ctx = file_format_cab.ctx_new(&options, hash, outdata); ctx = file_format_cab.ctx_new(&options, hash, outdata);
if (!ctx)
ctx = file_format_appx.ctx_new(&options, hash, outdata);
if (!ctx) if (!ctx)
ctx = file_format_cat.ctx_new(&options, hash, outdata); ctx = file_format_cat.ctx_new(&options, hash, outdata);
if (!ctx) { if (!ctx) {

4
osslsigncode.h
View File

@ -466,6 +466,7 @@ typedef struct msi_ctx_st MSI_CTX;
typedef struct pe_ctx_st PE_CTX; typedef struct pe_ctx_st PE_CTX;
typedef struct cab_ctx_st CAB_CTX; typedef struct cab_ctx_st CAB_CTX;
typedef struct cat_ctx_st CAT_CTX; typedef struct cat_ctx_st CAT_CTX;
typedef struct appx_ctx_st APPX_CTX;
typedef struct { typedef struct {
FILE_FORMAT *format; FILE_FORMAT *format;
@ -475,6 +476,7 @@ typedef struct {
PE_CTX *pe_ctx; PE_CTX *pe_ctx;
CAB_CTX *cab_ctx; CAB_CTX *cab_ctx;
CAT_CTX *cat_ctx; CAT_CTX *cat_ctx;
APPX_CTX *appx_ctx;
}; };
} FILE_FORMAT_CTX; } FILE_FORMAT_CTX;
@ -482,10 +484,12 @@ extern FILE_FORMAT file_format_msi;
extern FILE_FORMAT file_format_pe; extern FILE_FORMAT file_format_pe;
extern FILE_FORMAT file_format_cab; extern FILE_FORMAT file_format_cab;
extern FILE_FORMAT file_format_cat; extern FILE_FORMAT file_format_cat;
extern FILE_FORMAT file_format_appx;
struct file_format_st { struct file_format_st {
FILE_FORMAT_CTX *(*ctx_new) (GLOBAL_OPTIONS *option, BIO *hash, BIO *outdata); FILE_FORMAT_CTX *(*ctx_new) (GLOBAL_OPTIONS *option, BIO *hash, BIO *outdata);
ASN1_OBJECT *(*data_blob_get) (u_char **p, int *plen, FILE_FORMAT_CTX *ctx); ASN1_OBJECT *(*data_blob_get) (u_char **p, int *plen, FILE_FORMAT_CTX *ctx);
int (*hash_length_get) (FILE_FORMAT_CTX *ctx);
int (*check_file) (FILE_FORMAT_CTX *ctx, int detached); int (*check_file) (FILE_FORMAT_CTX *ctx, int detached);
u_char *(*digest_calc) (FILE_FORMAT_CTX *ctx, const EVP_MD *md); u_char *(*digest_calc) (FILE_FORMAT_CTX *ctx, const EVP_MD *md);
int (*verify_digests) (FILE_FORMAT_CTX *ctx, PKCS7 *p7); int (*verify_digests) (FILE_FORMAT_CTX *ctx, PKCS7 *p7);

12
pe.c
View File

@ -44,6 +44,7 @@ struct pe_ctx_st {
/* FILE_FORMAT method prototypes */ /* FILE_FORMAT method prototypes */
static FILE_FORMAT_CTX *pe_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata); static FILE_FORMAT_CTX *pe_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata);
static ASN1_OBJECT *pe_spc_image_data_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx); static ASN1_OBJECT *pe_spc_image_data_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx);
static int pe_hash_length_get(FILE_FORMAT_CTX *ctx);
static int pe_check_file(FILE_FORMAT_CTX *ctx, int detached); static int pe_check_file(FILE_FORMAT_CTX *ctx, int detached);
static u_char *pe_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md); static u_char *pe_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md);
static int pe_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7); static int pe_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7);
@ -59,6 +60,7 @@ static void pe_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
FILE_FORMAT file_format_pe = { FILE_FORMAT file_format_pe = {
.ctx_new = pe_ctx_new, .ctx_new = pe_ctx_new,
.data_blob_get = pe_spc_image_data_get, .data_blob_get = pe_spc_image_data_get,
.hash_length_get = pe_hash_length_get,
.check_file = pe_check_file, .check_file = pe_check_file,
.digest_calc = pe_digest_calc, .digest_calc = pe_digest_calc,
.verify_digests = pe_verify_digests, .verify_digests = pe_verify_digests,
@ -168,6 +170,15 @@ static ASN1_OBJECT *pe_spc_image_data_get(u_char **p, int *plen, FILE_FORMAT_CTX
return dtype; /* OK */ return dtype; /* OK */
} }
/*
* [in] ctx: structure holds input and output data
* [returns] the size of the message digest when passed an EVP_MD structure (the size of the hash)
*/
static int pe_hash_length_get(FILE_FORMAT_CTX *ctx)
{
return EVP_MD_size(ctx->options->md);
}
/* /*
* Print current and calculated PE checksum, * Print current and calculated PE checksum,
* check if the signature exists. * check if the signature exists.
@ -918,7 +929,6 @@ static u_char *pe_page_hash_calc(int *rphlen, FILE_FORMAT_CTX *ctx, int phtype)
/* NumberOfSections indicates the size of the section table, /* NumberOfSections indicates the size of the section table,
* which immediately follows the headers, can be up to 65535 under Vista and later */ * which immediately follows the headers, can be up to 65535 under Vista and later */
/* coverity[byte_swapping] */
nsections = GET_UINT16_LE(ctx->options->indata + ctx->pe_ctx->header_size + 6); nsections = GET_UINT16_LE(ctx->options->indata + ctx->pe_ctx->header_size + 6);
if (nsections == 0) { if (nsections == 0) {
printf("Corrupted number of sections: 0x%08X\n", nsections); printf("Corrupted number of sections: 0x%08X\n", nsections);

BIN
tests/files/unsigned.256appx Executable file
View File

Binary file not shown.

BIN
tests/files/unsigned.512appx Executable file
View File

Binary file not shown.