Added the '-blobFile' option to specify a file containing the blob content

NEWS.md

@@ -2,6 +2,9 @@
 
 ### 2.10 (unreleased)
 
+- improved unauthenticated blob support (thanks to Asger Hautop Drewsen)
+- added the '-blobFile' option to specify a file containing the blob content
+
 ### 2.9 (2024.06.29)
 
 - added a 64 bit long pseudo-random NONCE in the TSA request

appx.c

@@ -29,11 +29,6 @@
 #endif /* _MSC_VER */
 #endif /* PRIX64 */
 
-#if defined(_MSC_VER)
-#define fseeko _fseeki64
-#define ftello _ftelli64
-#endif /* _MSC_VER */
-
 #define EOCDR_SIZE 22
 #define ZIP64_EOCD_LOCATOR_SIZE 20
 #define ZIP64_HEADER 0x01

cmake/CMakeTest.cmake

@@ -219,6 +219,7 @@ if(Python3_FOUND AND NOT cryptography_error)
         add_test(NAME "added_${ext}"
             COMMAND ${Python3_EXECUTABLE} ${EXEC} ${OSSLSIGNCODE} "add"
             "-addUnauthenticatedBlob"
+            "-blobFile" "${FILES}/unsigned.exe"
             "-add-msi-dse" "-h" "sha512"
             "-in" "${FILES}/signed.${ext}"
             "-out" "${FILES}/added.${ext}")

osslsigncode.c

@@ -1312,40 +1312,117 @@ out:
 }
 
 /*
- * If successful the unauthenticated blob will be written into
+ * Add an unauthenticated blob as an unauthenticated attribute - cont[1]
- * the PKCS7 SignerInfo structure as an unauthenticated attribute - cont[1]:
+ * to the PKCS7 SignerInfo structure: p7->d.sign->signer_info->unauth_attr
- * p7->d.sign->signer_info->unauth_attr
  * [in, out] p7: new PKCS#7 signature
+ * [in] blob_file: optional, path to the file containing the blob
  * [returns] 0 on error or 1 on success
  */
-static int add_unauthenticated_blob(PKCS7 *p7)
+static int add_unauthenticated_blob(PKCS7 *p7, const char *blob_file)
 {
+    u_char *p = NULL, *buffer = NULL;
+    int blob_len, len;
+    ASN1_UTF8STRING *value;
     PKCS7_SIGNER_INFO *si;
-    STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
+    STACK_OF(PKCS7_SIGNER_INFO) *signer_info = PKCS7_get_signer_info(p7);
-    u_char *p = NULL;
-    int len = 1024+4;
-    /* Length data for ASN1 attribute plus prefix */
-    const char prefix[] = "\x0c\x82\x04\x00---BEGIN_BLOB---";
-    const char postfix[] = "---END_BLOB---";
 
-    signer_info = PKCS7_get_signer_info(p7);
     if (!signer_info) {
         fprintf(stderr, "Failed to obtain PKCS#7 signer info list\n");
         return 0; /* FAILED */
     }
     si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
-    if (!si)
+    if (!si) {
+        fprintf(stderr, "Failed to obtain signer info from PKCS#7 structure\n");
         return 0; /* FAILED */
-    if ((p = OPENSSL_malloc((size_t)len)) == NULL)
+    }
+    if (blob_file == NULL) {
+        /* Generate a placeholder blob */
+        const char prefix[] = "---BEGIN_BLOB---";
+        const char postfix[] = "---END_BLOB---";
+        size_t prefix_len = strlen(prefix);
+        size_t postfix_len = strlen(postfix);
+
+        blob_len = (int)(prefix_len + 1024 + postfix_len);
+        buffer = OPENSSL_zalloc((size_t)blob_len);
+        if (!buffer) {
+            fprintf(stderr, "Memory allocation failed\n");
             return 0; /* FAILED */
-    memset(p, 0, (size_t)len);
+        }
-    memcpy(p, prefix, sizeof prefix);
+        memcpy(buffer, prefix, sizeof prefix);
-    memcpy(p + len - sizeof postfix, postfix, sizeof postfix);
+        memcpy(buffer + prefix_len + 1024, postfix, postfix_len);
+    } else {
+        /* Copy blob content from the specified file */
+        int64_t file_size;
+        size_t size;
+        FILE *file = fopen(blob_file, "rb");
+
+        if (!file) {
+            fprintf(stderr, "Failed to open blob file: %s\n", blob_file);
+            return 0; /* FAILED */
+        }
+        if (fseeko(file, 0, SEEK_END) < 0
+                || (file_size = ftello(file)) < 0
+                || fseeko(file, 0, SEEK_SET) < 0) {
+            fprintf(stderr, "Failed to seek in blob file: %s\n", blob_file);
+            fclose(file);
+            return 0; /* FAILED */
+        }
+        /* New unauthenticated attribute creation: X509_ATTRIBUTE_create_by_NID()
+         * or X509_ATTRIBUTE_set1_data() function accepts data of up to INT_MAX
+         * length, as the 'len' parameter is an 'int' */
+        if (file_size > INT_MAX) {
+            fprintf(stderr, "Blob file is too large: %s\n", blob_file);
+            fclose(file);
+            return 0; /* FAILED */
+        }
+        blob_len = (int)file_size;
+        if (blob_len < 1024) {
+            /* Ensure minimum size for the blob */
+            blob_len = 1024;
+        }
+        buffer = OPENSSL_zalloc((size_t)blob_len);
+        if (!buffer) {
+            fprintf(stderr, "Memory allocation failed\n");
+            fclose(file);
+            return 0; /* FAILED */
+        }
+        size = fread(buffer, 1, (size_t)file_size, file);
+        fclose(file);
+        if (size != (size_t)file_size) {
+            OPENSSL_free(buffer);
+            return 0; /* FAILED */
+        }
+    }
+    value = ASN1_UTF8STRING_new();
+    if (!value) {
+        fprintf(stderr, "Failed to create ASN1_UTF8STRING object\n");
+        OPENSSL_free(buffer);
+        return 0;
+    }
+    if (!ASN1_STRING_set(value, buffer, blob_len)) {
+        fprintf(stderr, "Failed to set ASN1_UTF8STRING value\n");
+        ASN1_UTF8STRING_free(value);
+        OPENSSL_free(buffer);
+        return 0;
+    }
+    OPENSSL_free(buffer);
+    len = i2d_ASN1_UTF8STRING(value, NULL);
+    p = OPENSSL_malloc((size_t)len);
+    if (!p) {
+        fprintf(stderr, "Memory allocation failed\n");
+        ASN1_UTF8STRING_free(value);
+        return 0; /* FAILED */
+    }
+    len = i2d_ASN1_UTF8STRING(value, &p);
+    p -= len;
     if (!X509_attribute_chain_append_object(&(si->unauth_attr), p, len, SPC_UNAUTHENTICATED_DATA_BLOB_OBJID)) {
+        fprintf(stderr, "Failed to append unauthenticated blob to signer info\n");
         OPENSSL_free(p);
-        return 1; /* FAILED */
+        ASN1_UTF8STRING_free(value);
+        return 0; /* FAILED */
     }
     OPENSSL_free(p);
+    ASN1_UTF8STRING_free(value);
     return 1; /* OK */
 }
 
@@ -1372,7 +1449,7 @@ static int add_timestamp_and_blob(PKCS7 *p7, FILE_FORMAT_CTX *ctx)
         fprintf(stderr, "Built-in timestamping failed\n");
         return 1; /* FAILED */
     }
-    if (ctx->options->addBlob && !add_unauthenticated_blob(p7)) {
+    if (ctx->options->addBlob && !add_unauthenticated_blob(p7, ctx->options->blob_file)) {
         fprintf(stderr, "Adding unauthenticated blob failed\n");
         return 1; /* FAILED */
     }
@@ -3403,7 +3480,7 @@ static void usage(const char *argv0, const char *cmd)
         printf("%12s[ -HTTPS-CAfile <infile> ]\n", "");
         printf("%12s[ -HTTPS-CRLfile <infile> ]\n", "");
         printf("%12s[ -time <unix-time> ]\n", "");
-        printf("%12s[ -addUnauthenticatedBlob ]\n", "");
+        printf("%12s[ -addUnauthenticatedBlob [ -blobFile <blobfile> ] ]\n", "");
         printf("%12s[ -nest ]\n", "");
         printf("%12s[ -verbose ]\n", "");
         printf("%12s[ -add-msi-dse ]\n", "");
@@ -3418,7 +3495,7 @@ static void usage(const char *argv0, const char *cmd)
         printf("%12s[ -in ] <infile> [ -out ] <datafile>\n\n", "");
     }
     if (on_list(cmd, cmds_add)) {
-        printf("%1sadd [-addUnauthenticatedBlob]\n", "");
+        printf("%1sadd [ -addUnauthenticatedBlob [ -blobFile <blobfile> ] ]\n", "");
         printf("%12s[ -t <timestampurl> [ -t ... ] [ -p <proxy> ] [ -noverifypeer  ]\n", "");
         printf("%12s[ -ts <timestampurl> [ -ts ... ] [ -p <proxy> ] [ -noverifypeer ] ]\n", "");
         printf("%12s[ -TSA-certs <TSA-certfile> ] [ -TSA-key <TSA-keyfile> ]\n", "");
@@ -3596,8 +3673,10 @@ static void help_for(const char *argv0, const char *cmd)
         printf("%-24s= additional certificates to be added to the signature block\n", "-ac");
     if (on_list(cmd, cmds_add_msi_dse))
         printf("%-24s= sign a MSI file with the add-msi-dse option\n", "-add-msi-dse");
-    if (on_list(cmd, cmds_addUnauthenticatedBlob))
+    if (on_list(cmd, cmds_addUnauthenticatedBlob)) {
         printf("%-24s= add an unauthenticated blob to the PE/MSI file\n", "-addUnauthenticatedBlob");
+        printf("%-24s= copy blob content from the specified file\n", "-blobFile");
+    }
 #ifdef PROVIDE_ASKPASS
     if (on_list(cmd, cmds_askpass))
         printf("%-24s= ask for the private key password\n", "-askpass");
@@ -4576,6 +4655,16 @@ static int main_configure(int argc, char **argv, GLOBAL_OPTIONS *options)
             options->noverifypeer = 1;
         } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) {
             options->addBlob = 1;
+        } else if (options->addBlob && !strcmp(*argv, "-blobFile")) {
+            if (--argc < 1) {
+                usage(argv0, "all");
+                return 0; /* FAILED */
+            }
+            options->blob_file = *(++argv);
+            if (!file_exists(options->blob_file)) {
+                fprintf(stderr, "File does not exist: %s\n", options->blob_file);
+                return 0; /* FAILED */
+            }
         } else if ((cmd == CMD_SIGN || cmd == CMD_ATTACH) && !strcmp(*argv, "-nest")) {
             options->nest = 1;
         } else if ((cmd == CMD_ADD || cmd == CMD_VERIFY) && !strcmp(*argv, "-index")) {

osslsigncode.h

@@ -90,7 +90,9 @@
 #ifdef _MSC_VER
 /* not WIN32, because strcasecmp exists in MinGW */
 #define strcasecmp _stricmp
-#endif
+#define fseeko _fseeki64
+#define ftello _ftelli64
+#endif /* _MSC_VER */
 
 #ifdef WIN32
 #define remove_file(filename) _unlink(filename)
@@ -274,6 +276,7 @@ typedef struct {
     char *proxy;
     int noverifypeer;
     int addBlob;
+    const char *blob_file;
     int nest;
     int index;
     int ignore_timestamp;