From 3645ba73571d6a022d71ad3dbc2bfe8665f159ae Mon Sep 17 00:00:00 2001 
From: olszomal Date: Sat, 13 Jul 2019 11:41:03 +0200 Subject: [PATCH] New tests for osslsigncode (#11) --- .gitignore | 4 + tests/certs/.gitignore | 6 + tests/certs/makecerts.sh | 105 ++++++++++++++++ tests/certs/openssltest.cnf | 59 +++++++++ tests/myapp.c | 6 + tests/recipes/01_sign_pem | 54 +++++++++ tests/recipes/02_sign_pass | 57 +++++++++ tests/recipes/03_sign_der | 58 +++++++++ tests/recipes/04_sign_pvk_spc | 58 +++++++++ tests/recipes/05_sign_pkcs12 | 56 +++++++++ tests/recipes/06_test_sha256sum | 60 +++++++++ tests/recipes/07_sign_timestamp | 57 +++++++++ tests/recipes/08_sign_rfc3161 | 61 ++++++++++ tests/recipes/09_sign_page_hashes | 28 +++++ tests/recipes/10_sign_blob | 57 +++++++++ tests/recipes/11_sign_readpass_pem | 57 +++++++++ tests/recipes/12_sign_readpass_pvk | 59 +++++++++ tests/recipes/13_sign_readpass_pkcs12 | 58 +++++++++ tests/recipes/14_sign_descryption | 57 +++++++++ tests/recipes/15_sign_url | 58 +++++++++ tests/recipes/16_sign_comm | 60 +++++++++ tests/recipes/17_sign_crosscertfile | 59 +++++++++ tests/recipes/21_sign_hash_md5 | 26 ++++ tests/recipes/22_sign_hash_sha1 | 26 ++++ tests/recipes/23_sign_hash_sha2 | 26 ++++ tests/recipes/24_sign_hash_sha384 | 26 ++++ tests/recipes/25_sign_hash_sha512 | 26 ++++ tests/recipes/31_extract_signature | 45 +++++++ tests/recipes/32_attach_signature | 39 ++++++ tests/recipes/33_remove_signature | 45 +++++++ tests/recipes/34_add_signature | 47 +++++++ tests/recipes/35_varia_sha256sum | 46 +++++++ tests/recipes/36_add_signature_blob | 49 ++++++++ tests/recipes/37_verify_leaf_hash | 50 ++++++++ tests/recipes/41_sign_add_msi_dse | 34 ++++++ tests/recipes/51_sign_jp_low | 30 +++++ tests/recipes/52_sign_jp_medium | 31 +++++ tests/recipes/53_sign_jp_high | 31 +++++ tests/sample.wxs | 33 +++++ tests/test_library | 168 ++++++++++++++++++++++++++ tests/testall.sh | 39 ++++++ 41 files changed, 1951 insertions(+) create mode 100644 tests/certs/.gitignore create mode 100755 tests/certs/makecerts.sh create mode 
100644 tests/certs/openssltest.cnf create mode 100644 tests/myapp.c create mode 100644 tests/recipes/01_sign_pem create mode 100644 tests/recipes/02_sign_pass create mode 100644 tests/recipes/03_sign_der create mode 100644 tests/recipes/04_sign_pvk_spc create mode 100644 tests/recipes/05_sign_pkcs12 create mode 100644 tests/recipes/06_test_sha256sum create mode 100644 tests/recipes/07_sign_timestamp create mode 100644 tests/recipes/08_sign_rfc3161 create mode 100644 tests/recipes/09_sign_page_hashes create mode 100644 tests/recipes/10_sign_blob create mode 100644 tests/recipes/11_sign_readpass_pem create mode 100644 tests/recipes/12_sign_readpass_pvk create mode 100644 tests/recipes/13_sign_readpass_pkcs12 create mode 100644 tests/recipes/14_sign_descryption create mode 100644 tests/recipes/15_sign_url create mode 100644 tests/recipes/16_sign_comm create mode 100644 tests/recipes/17_sign_crosscertfile create mode 100644 tests/recipes/21_sign_hash_md5 create mode 100644 tests/recipes/22_sign_hash_sha1 create mode 100644 tests/recipes/23_sign_hash_sha2 create mode 100644 tests/recipes/24_sign_hash_sha384 create mode 100644 tests/recipes/25_sign_hash_sha512 create mode 100644 tests/recipes/31_extract_signature create mode 100644 tests/recipes/32_attach_signature create mode 100644 tests/recipes/33_remove_signature create mode 100644 tests/recipes/34_add_signature create mode 100644 tests/recipes/35_varia_sha256sum create mode 100644 tests/recipes/36_add_signature_blob create mode 100644 tests/recipes/37_verify_leaf_hash create mode 100644 tests/recipes/41_sign_add_msi_dse create mode 100644 tests/recipes/51_sign_jp_low create mode 100644 tests/recipes/52_sign_jp_medium create mode 100644 tests/recipes/53_sign_jp_high create mode 100644 tests/sample.wxs create mode 100755 tests/test_library create mode 100755 tests/testall.sh diff --git a/.gitignore b/.gitignore index 7287d4c..7e1b6d9 100644 --- a/.gitignore +++ b/.gitignore 
@@ -40,3 +40,7 @@ stamp-h1
 *~
 *.gz
 *.bz2
+
+**/*.log
+!myapp.exe
+*.pem
diff --git a/tests/certs/.gitignore b/tests/certs/.gitignore
new file mode 100644
index 0000000..58ba881
--- /dev/null
+++ b/tests/certs/.gitignore
@@ -0,0 +1,6 @@
+*.der
+*.pem
+*.pvk
+*.p12
+*.spc
+*.txt
diff --git a/tests/certs/makecerts.sh b/tests/certs/makecerts.sh
new file mode 100755
index 0000000..5ac3311
--- /dev/null
+++ b/tests/certs/makecerts.sh
@@ -0,0 +1,105 @@
+#!/bin/sh
+
+ddays=1461
+
+result_path=$(pwd)
+cd $(dirname "$0")
+script_path=$(pwd)
+cd "${result_path}"
+
+test_result() {
+if [ $1 == 0 ]
+ then
+ printf "Succeeded\n" >> "makecerts.log"
+ else
+ printf "Failed\n" >> "makecerts.log"
+ fi
+}
+
+mkdir "tmp/"
+
+# OpenSSL settings
+CONF="${script_path}/openssltest.cnf"
+
+if test -n "$1"; then
+ OPENSSL="$2/bin/openssl"
+ LD_LIBRARY_PATH="$2/lib"
+else
+ OPENSSL=openssl
+fi
+
+mkdir "demoCA/"
+touch "demoCA/index.txt"
+touch "demoCA/index.txt.attr"
+echo 1000 > "demoCA/serial"
+date > "makecerts.log"
+
+printf "\nGenerate root CA certificate\n" >> "makecerts.log"
+$OPENSSL genrsa -out demoCA/CA.key 1>&2 2>> "makecerts.log"
+$OPENSSL req -config $CONF -new -x509 -days $ddays -key demoCA/CA.key -out tmp/CACert.pem \
+ -subj "/C=PL/O=osslsigncode/OU=Root CA/CN=CA/emailAddress=CA@example.com" \
+ 2>> "makecerts.log" 1>&2
+test_result $?
+
+printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log"
+$OPENSSL genrsa -out demoCA/cross.key 1>&2 2>> "makecerts.log"
+$OPENSSL req -config $CONF -new -x509 -days $ddays -key demoCA/cross.key -out tmp/crosscert.pem \
+ -subj "/C=PL/O=osslsigncode/OU=CSP/CN=crosscert/emailAddress=CA@example.com" \
+ 2>> "makecerts.log" 1>&2
+test_result $?
+
+printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
+$OPENSSL genrsa -des3 -out demoCA/private.key -passout pass:passme 1>&2 2>> "makecerts.log"
+test_result $?
+cat demoCA/private.key >> tmp/keyp.pem 2>> "makecerts.log"
+
+printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log"
+$OPENSSL rsa -in demoCA/private.key -passin pass:passme -out tmp/key.pem 1>&2 2>> "makecerts.log"
+test_result $?
+
+printf "\nGenerate code signing certificate\n" >> "makecerts.log"
+$OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:passme -out demoCA/cert.csr \
+ -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CA/CN=localhost/emailAddress=osslsigncode@example.com" \
+ 2>> "makecerts.log" 1>&2
+test_result $?
+$OPENSSL ca -config $CONF -batch -days $ddays -in demoCA/cert.csr -out demoCA/cert.cer 1>&2 2>> "makecerts.log"
+test_result $?
+$OPENSSL x509 -in demoCA/cert.cer -out tmp/cert.pem 1>&2 2>> "makecerts.log"
+
+printf "\nConverting the key to DER format\n" >> "makecerts.log"
+$OPENSSL rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:passme 2>> "makecerts.log" 1>&2
+test_result $?
+printf "\nConverting the key to PVK format\n" >> "makecerts.log"
+$OPENSSL rsa -in tmp/key.pem -outform PVK -pvk-strong -out tmp/key.pvk -passout pass:passme 2>> "makecerts.log" 1>&2
+test_result $?
+echo "passme" > "password.txt"
+
+printf "\nConverting the certificate to SPC format\n" >> "makecerts.log"
+$OPENSSL crl2pkcs7 -nocrl -certfile tmp/cert.pem -outform DER -out tmp/cert.spc 2>> "makecerts.log" 1>&2
+test_result $?
+
+printf "\nConverting the certificate to DER format\n" >> "makecerts.log"
+openssl x509 -in tmp/cert.pem -outform DER -out tmp/cert.der
+test_result $?
+
+printf "\nConverting the certificate and the key into a PKCS#12 container\n" >> "makecerts.log"
+$OPENSSL pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/cert.p12 -passout pass:passme 2>> "makecerts.log" 1>&2
+test_result $?
+
+# copy new files
+if [ -s tmp/CACert.pem ] && [ -s tmp/crosscert.pem ] && [ -s tmp/cert.pem ] && \
+ [ -s tmp/key.pem ] && [ -s tmp/keyp.pem ] && [ -s tmp/key.der ] && [ -s tmp/cert.der ] && \
+ [ -s tmp/key.pvk ] && [ -s tmp/cert.spc ] && [ -s tmp/cert.p12 ]
+ then
+ cp tmp/* ./
+ printf "%s\n" "keys & certificates successfully generated"
+ printf "%s\n" "./makecerts.sh finished"
+ rm -f "makecerts.log"
+ else
+ printf "%s\n" "./makecerts.sh failed"
+ printf "%s\n" "error logs ${result_path}/makecerts.log"
+ fi
+
+# remove the working directory
+rm -rf "demoCA/"
+rm -rf "tmp/"
diff --git a/tests/certs/openssltest.cnf b/tests/certs/openssltest.cnf
new file mode 100644
index 0000000..dd97517
--- /dev/null
+++ b/tests/certs/openssltest.cnf
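Review bot: The script creates `tmp/` and `demoCA/` in the caller's working directory without checking `mkdir`, then ends with unconditional `rm -rf "demoCA/"` and `rm -rf "tmp/"`, so a pre-existing directory of either name is reused for private-key material and then deleted; `mkdir "tmp/" || exit 1` (likewise for `demoCA/`) or a `mktemp -d` work directory avoids that. Under `#!/bin/sh` the test `[ $1 == 0 ]` in test_result is a bashism that errors on dash, and `[ "$1" -eq 0 ]` is the portable form. The option check tests `$1` but uses `$2`, and `LD_LIBRARY_PATH` is assigned without `export`, so the custom OpenSSL build may run against the system libraries. The certificate-to-DER step calls a literal `openssl` instead of `$OPENSSL` and logs nothing, and the `1>&2 2>> "makecerts.log"` redirects send stdout to the terminal rather than the log, unlike the `2>> "makecerts.log" 1>&2` form used on the `req` calls. `genrsa` is also called without a bit count, so the key size follows the installed OpenSSL's default; passing `2048` explicitly would match `default_bits` in openssltest.cnf.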
@@ -0,0 +1,59 @@
+# OpenSSL root CA configuration file
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = .
+certs = $dir/demoCA
+crl_dir = $dir/demoCA
+new_certs_dir = $dir/demoCA
+database = $dir/demoCA/index.txt
+serial = $dir/demoCA/serial
+crl_extensions = crl_ext
+default_md = sha256
+preserve = no
+policy = policy_match
+x509_extensions = usr_cert
+private_key = $dir/demoCA/CA.key
+certificate = $dir/tmp/CACert.pem
+
+[ req ]
+encrypt_key = no
+default_bits = 2048
+default_md = sha256
+string_mask = utf8only
+x509_extensions = ca_extensions
+distinguished_name = req_distinguished_name
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer
+extendedKeyUsage = codeSigning
+
+[ ca_extensions ]
+basicConstraints = critical, CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ policy_match ]
+countryName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
diff --git a/tests/myapp.c b/tests/myapp.c
new file mode 100644
index 0000000..4df7814
--- /dev/null
+++ b/tests/myapp.c
@@ -0,0 +1,6 @@
+#include
+
+void main(void)
+{
+ printf("Hello world!\n");
+}
diff --git a/tests/recipes/01_sign_pem b/tests/recipes/01_sign_pem
new file mode 100644
index 0000000..e444184
--- /dev/null
+++ b/tests/recipes/01_sign_pem
@@ -0,0 +1,54 @@
+#!/bin/sh
+# Signing a PE/CAB/MSI file with the certificate and private key files in the PEM format.
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="011. Signing a PE file with the certificate and private key files in the PEM format"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -in "test.exe" -out "test_011.exe"'
+ verify_signature "$?" "011" "exe" "sha256sum"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# CAB file
+test_name="012. Signing a CAB file with the certificate and private key files in the PEM format"
+printf "\n%s\n" "$test_name"
+if [ -s "test.ex_" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -in "test.ex_" -out "test_012.ex_"'
+ verify_text "$?" "012" "ex_" "osslsigncode" "ASCII" "sha256sum" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# MSI file
+test_name="013. Signing a MSI file with the certificate and private key files in the PEM format"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -in "sample.msi" -out "test_013.msi"'
+ verify_signature "$?" "013" "msi" "sha256sum"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+exit 0
diff --git a/tests/recipes/02_sign_pass b/tests/recipes/02_sign_pass
new file mode 100644
index 0000000..a4c6f20
--- /dev/null
+++ b/tests/recipes/02_sign_pass
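Review bot: The sourcing line `. $(dirname $0)/../test_library` leaves both expansions unquoted, so the recipe breaks when the checkout path contains whitespace; `. "$(dirname "$0")/../test_library"` is the safe form. The same line opens every other recipe added by this patch. The script is declared `#!/bin/sh` but each test shells out to `/bin/bash -c` under `faketime`, so both are hard requirements worth stating in the header comment, e.g. `# Requires: faketime, /bin/bash`. Because the recipe ends with an unconditional `exit 0`, a failed test is visible only through whatever `test_result` records; test_library is not part of this hunk, so that is worth confirming.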
@@ -0,0 +1,57 @@
+#!/bin/sh
+# Signing a PE/CAB/MSI file with the encrypted private key file in the PEM format.
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="021. Signing a PE file with the encrypted private key file in the PEM format"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \
+ -pass passme \
+ -in "test.exe" -out "test_021.exe"'
+ verify_signature "$?" "021" "exe" "sha256sum"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# CAB file
+test_name="022. Signing a CAB file with the encrypted private key file in the PEM format"
+printf "\n%s\n" "$test_name"
+if [ -s "test.ex_" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \
+ -pass passme \
+ -in "test.ex_" -out "test_022.ex_"'
+ verify_text "$?" "022" "ex_" "osslsigncode" "ASCII" "sha256sum" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# MSI file
+test_name="023. Signing a MSI file with the encrypted private key file in the PEM format"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \
+ -pass passme \
+ -in "sample.msi" -out "test_023.msi"'
+ verify_signature "$?" "023" "msi" "sha256sum"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+exit 0
diff --git a/tests/recipes/03_sign_der b/tests/recipes/03_sign_der
new file mode 100644
index 0000000..2fa0d42
--- /dev/null
+++ b/tests/recipes/03_sign_der
@@ -0,0 +1,58 @@
+#!/bin/sh
+# Signing a PE/CAB/MSI file with the encrypted private key file in the DER format.
+# Requires OpenSSL 1.0.0 or later
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="031. Signing a PE file with the encrypted private key file in the DER format"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
+ -pass passme \
+ -in "test.exe" -out "test_031.exe"'
+ verify_signature "$?" "031" "exe" "sha256sum"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# CAB file
+test_name="032. Signing a CAB file with the encrypted private key file in the DER format"
+printf "\n%s\n" "$test_name"
+if [ -s "test.ex_" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
+ -pass passme \
+ -in "test.ex_" -out "test_032.ex_"'
+ verify_text "$?" "032" "ex_" "osslsigncode" "ASCII" "sha256sum" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# MSI file
+test_name="033. Signing a MSI file with the encrypted private key file in the DER format"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
+ -pass passme \
+ -in "sample.msi" -out "test_033.msi"'
+ verify_signature "$?" "033" "msi" "sha256sum"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+exit 0
diff --git a/tests/recipes/04_sign_pvk_spc b/tests/recipes/04_sign_pvk_spc
new file mode 100644
index 0000000..3147a5d
--- /dev/null
+++ b/tests/recipes/04_sign_pvk_spc
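Review bot: Tests 031–033 are described as using an encrypted DER key and pass `-pass passme`, but `key.der` is produced in makecerts.sh by `rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:passme` with no cipher option, so the file is most likely an unencrypted key and the password path is not exercised here. If that is confirmed, either reword the header comment and test names (for example `# Signing a PE/CAB/MSI file with the private key file in the DER format.`) or generate a key for this recipe that is actually password-protected.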
@@ -0,0 +1,58 @@
+#!/bin/sh
+# Signing a PE/CAB/MSI file with the certificate file in the SPC format
+# and the private key file in the PVK format.
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="041. Signing a PE file a SPC certificate file and a PVK key file"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.spc" -key "${script_path}/../certs/key.pvk" \
+ -pass passme \
+ -in "test.exe" -out "test_041.exe"'
+ verify_signature "$?" "041" "exe" "sha256sum"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# CAB file
+test_name="042. Signing a CAB file a SPC certificate file and a PVK key file"
+printf "\n%s\n" "$test_name"
+if [ -s "test.ex_" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.spc" -key "${script_path}/../certs/key.pvk" \
+ -pass passme \
+ -in "test.ex_" -out "test_042.ex_"'
+ verify_text "$?" "042" "ex_" "osslsigncode" "ASCII" "sha256sum" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# MSI file
+test_name="043. Signing a MSI file a SPC certificate file and a PVK key file"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.spc" -key "${script_path}/../certs/key.pvk" \
+ -pass passme \
+ -in "sample.msi" -out "test_043.msi"'
+ verify_signature "$?" "043" "msi" "sha256sum"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+exit 0
diff --git a/tests/recipes/05_sign_pkcs12 b/tests/recipes/05_sign_pkcs12
new file mode 100644
index 0000000..bb99a85
--- /dev/null
+++ b/tests/recipes/05_sign_pkcs12
@@ -0,0 +1,56 @@
+#!/bin/sh
+# Signing a PE/CAB/MSI file with the certificate and key stored in a PKCS#12 container.
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="051. Signing a PE file with a certificate and key stored in a PKCS#12 container"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -pkcs12 "${script_path}/../certs/cert.p12" -pass passme \
+ -in "test.exe" -out "test_051.exe"'
+ verify_signature "$?" "051" "exe" "sha256sum"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# CAB file
+test_name="052. Signing a CAB file with a certificate and key stored in a PKCS#12 container"
+printf "\n%s\n" "$test_name"
+if [ -s "test.ex_" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -pkcs12 "${script_path}/../certs/cert.p12" \
+ -pass passme \
+ -in "test.ex_" -out "test_052.ex_"'
+ verify_text "$?" "052" "ex_" "osslsigncode" "ASCII" "sha256sum" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# MSI file
+test_name="053. Signing a MSI file with a certificate and key stored in a PKCS#12 container"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -pkcs12 "${script_path}/../certs/cert.p12" \
+ -pass passme \
+ -in "sample.msi" -out "test_053.msi"'
+ verify_signature "$?" "053" "msi" "sha256sum"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+exit 0
diff --git a/tests/recipes/06_test_sha256sum b/tests/recipes/06_test_sha256sum
new file mode 100644
index 0000000..6578719
--- /dev/null
+++ b/tests/recipes/06_test_sha256sum
@@ -0,0 +1,60 @@
+#!/bin/sh
+# Checking SHA256 message digests for 01x-05x tests
+
+. $(dirname $0)/../test_library
+res=0
+skip=0
+test_name="061. Checking SHA256 message digests for 01x-05x tests"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+ then
+ if [ $(cat "sha256sum_exe.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1 ]
+ then
+ res=1
+ cat "sha256sum_exe.log" >> "results.log"
+ printf "Non-unique SHA256 message digests found\n" >> "results.log"
+ else
+ rm -f test_0[1-5]*[1-3]*.exe
+ fi
+ rm -f "sha256sum_exe.log"
+ else
+ skip=$($skip+1)
+ fi
+
+if [ -s "test.ex_" ]
+ then
+ if [ $(cat "sha256sum_ex_.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1 ]
+ then
+ res=1
+ cat "sha256sum_ex_.log" >> "results.log"
+ printf "Non-unique SHA256 message digests found\n" >> "results.log"
+ else
+ rm -f test_0[1-5]*[1-3]*.ex_
+ fi
+ rm -f "sha256sum_ex_.log"
+ else
+ skip=$($skip+1)
+ fi
+
+if [ -s "sample.msi" ]
+ then
+ if [ $(cat "sha256sum_msi.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1 ]
+ then
+ res=1
+ cat "sha256sum_msi.log" >> "results.log"
+ printf "Non-unique SHA256 message digests found\n" >> "results.log"
+ else
+ rm -f test_0[1-5]*[1-3]*.msi
+ fi
+ rm -f "sha256sum_msi.log"
+ else
+ skip=$(($skip+1))
+ fi
+
+if [ $skip -lt 3 ]
+ then
+ test_result "$res" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+exit 0
diff --git a/tests/recipes/07_sign_timestamp b/tests/recipes/07_sign_timestamp
new file mode 100644
index 0000000..ed215bd
--- /dev/null
+++ b/tests/recipes/07_sign_timestamp
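Review bot: The test.exe and test.ex_ skip branches use `skip=$($skip+1)`, which is a command substitution that tries to run `0+1` as a command and leaves `skip` empty, so the final `[ $skip -lt 3 ]` gets a malformed operand and a digest mismatch recorded in `res` can end up reported as `Test skipped`. Both lines should read `skip=$(($skip+1))`, as the sample.msi branch already does. Quoting the operand, `[ "$skip" -lt 3 ]`, would also keep the last test well-formed if the counter is ever empty.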
@@ -0,0 +1,57 @@
+#!/bin/sh
+# Signing a PE/CAB/MSI file with Authenticode timestamping
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="071. Signing a PE file with Authenticode timestamping"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -t http://time.certum.pl/ \
+ -in "test.exe" -out "test_071.exe" 2>> "results.log" 1>&2'
+ verify_signature "$?" "071" "exe" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# CAB file
+test_name="072. Signing a CAB file with Authenticode timestamping"
+printf "\n%s\n" "$test_name"
+if [ -s "test.ex_" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -t http://time.certum.pl/ \
+ -in "test.ex_" -out "test_072.ex_" 2>> "results.log" 1>&2'
+ verify_text "$?" "072" "ex_" "Unizeto" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# MSI file
+test_name="073. Signing a MSI file with Authenticode timestamping"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -t http://time.certum.pl/ \
+ -in "sample.msi" -out "test_073.msi"'
+ verify_signature "$?" "073" "msi" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+exit 0
diff --git a/tests/recipes/08_sign_rfc3161 b/tests/recipes/08_sign_rfc3161
new file mode 100644
index 0000000..0ec53ee
--- /dev/null
+++ b/tests/recipes/08_sign_rfc3161
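Review bot: Tests 071–073 (and 081–083 in 08_sign_rfc3161) depend on the public server `http://time.certum.pl/`, and 072 on the string `Unizeto` appearing in the signed file, so they fail whenever the network, the server or its certificate naming changes, independent of osslsigncode itself. A reachability check that prints `Test skipped` when the server cannot be contacted, or at least a header comment such as `# Requires network access to the timestamp server`, would make that dependency explicit. The signing process also runs under `faketime` pinned to 2019-01-01 while the timestamp comes from a live server, which is worth a comment on what the test is meant to verify. Test 073 omits the `2>> "results.log" 1>&2` redirect that 071 and 072 use.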
@@ -0,0 +1,61 @@ +#!/bin/sh +# Signing a PE/CAB/MSI file with RFC 3161 timestamping +# An RFC3161 timestamp server provides an essential function in protecting +# data records for the long-term. It provides proof that the data existed +# at a particular moment in time and that it has not changed, even by +# a single binary bit, since it was notarized and time-stamped. + +. $(dirname $0)/../test_library + +# PE file +test_name="081. Signing a PE file with RFC 3161 timestamping" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -ts http://time.certum.pl/ \ + -in "test.exe" -out "test_081.exe"' + verify_signature "$?" "081" "exe" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +test_name="082. Signing a CAB file with RFC 3161 timestamping" +printf "\n%s\n" "$test_name" +if [ -s "test.ex_" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -ts http://time.certum.pl/ \ + -in "test.ex_" -out "test_082.ex_"' + verify_text "$?" "082" "ex_" "Unizeto" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# MSI file +test_name="083. Signing a MSI file with RFC 3161 timestamping" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -ts http://time.certum.pl/ \ + -in "sample.msi" -out "test_083.msi"' + verify_signature "$?" "083" "msi" "UNUSED_PATTERN" + test_result "$?" 
"$test_name" + else + printf "Test skipped\n" + fi + +exit 0 diff --git a/tests/recipes/09_sign_page_hashes b/tests/recipes/09_sign_page_hashes new file mode 100644 index 0000000..ab6d722 --- /dev/null +++ b/tests/recipes/09_sign_page_hashes @@ -0,0 +1,28 @@ +#!/bin/sh +# Generating page hashes for a PE file + +. $(dirname $0)/../test_library + +# PE file +test_name="091. Generating page hashes for a PE file" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 -ph \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_091.exe"' + verify_signature "$?" "091" "exe" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +# Command is not supported for non-PE files + +# MSI file +# Command is not supported for non-PE files + +exit 0 diff --git a/tests/recipes/10_sign_blob b/tests/recipes/10_sign_blob new file mode 100644 index 0000000..69e22b7 --- /dev/null +++ b/tests/recipes/10_sign_blob 
@@ -0,0 +1,57 @@
+#!/bin/sh
+# Signing a PE/CAB/MSI file with addUnauthenticatedBlob.
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="101. Signing a PE file with addUnauthenticatedBlob"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -addUnauthenticatedBlob \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -in "test.exe" -out "test_101.exe" 2>> "results.log" 1>&2'
+ verify_text "$?" "101" "exe" "BEGIN_BLOB" "ASCII" "UNUSED_PATTERN" "MODIFY"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# CAB file
+test_name="102. Signing a CAB file with addUnauthenticatedBlob"
+printf "\n%s\n" "$test_name"
+if [ -s "test.ex_" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -addUnauthenticatedBlob \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -in "test.ex_" -out "test_102.ex_" 2>> "results.log" 1>&2'
+ verify_text "$?" "102" "ex_" "BEGIN_BLOB" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# MSI file
+test_name="103. Signing a MSI file with addUnauthenticatedBlob"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -addUnauthenticatedBlob \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -in "sample.msi" -out "test_103.msi" 2>> "results.log" 1>&2'
+ verify_text "$?" "103" "msi" "BEGIN_BLOB" "ASCII" "UNUSED_PATTERN" "MODIFY"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+exit 0
diff --git a/tests/recipes/11_sign_readpass_pem b/tests/recipes/11_sign_readpass_pem
new file mode 100644
index 0000000..693b08a
--- /dev/null
+++ b/tests/recipes/11_sign_readpass_pem 
@@ -0,0 +1,57 @@
+#!/bin/sh
+# Signing a PE/CAB/MSI file with a PEM key file with a password together with a PEM certificate.
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="111. Signing a PE file with a PEM key file with a password read from password.txt file"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -readpass "${script_path}/../certs/password.txt" \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -in "test.exe" -out "test_111.exe"'
+ verify_signature "$?" "111" "exe" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# CAB file
+test_name="112. Signing a CAB file with a PEM key file with a password read from password.txt file"
+printf "\n%s\n" "$test_name"
+if [ -s "test.ex_" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -readpass "${script_path}/../certs/password.txt" \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -in "test.ex_" -out "test_112.ex_"'
+ verify_text "$?" "112" "ex_" "osslsigncode" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+# MSI file
+test_name="113. Signing a MSI file with a PEM key file with a password read from password.txt file"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -readpass "${script_path}/../certs/password.txt" \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+ -in "sample.msi" -out "test_113.msi"'
+ verify_signature "$?" "113" "msi" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+exit 0
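Review bot: Tests 111–113 pass `-readpass` but sign with `certs/key.pem`, which makecerts.sh writes as the decrypted key (`rsa -in demoCA/private.key -passin pass:passme -out tmp/key.pem`), so the password file is never needed and the option is not really exercised. Pointing the three commands at the encrypted key instead, `-key "${script_path}/../certs/keyp.pem"`, as 02_sign_pass does with `-pass`, would make a broken `-readpass` show up as a failure.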
diff --git a/tests/recipes/12_sign_readpass_pvk b/tests/recipes/12_sign_readpass_pvk
new file mode 100644
index 0000000..71c773a
--- /dev/null
+++ b/tests/recipes/12_sign_readpass_pvk
@@ -0,0 +1,59 @@ +#!/bin/sh +# Signing a PE/CAB/MSI file with a PVK key file with a password together with a PEM certificate. + +. $(dirname $0)/../test_library + +printf "The readpass option does'n work correctly with PVK key file - press enter\n" 1>&3 + +# PE file +test_name="121. Signing a PE file with a PVK key file with a password read from password.txt file" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -readpass "${script_path}/../certs/password.txt" \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pvk" \ + -in "test.exe" -out "test_121.exe"' + verify_signature "$?" "121" "exe" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +test_name="122. Signing a CAB file with a PVK key file with a password read from password.txt file" +printf "\n%s\n" "$test_name" +if [ -s "test.ex_" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -readpass "${script_path}/../certs/password.txt" \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pvk" \ + -in "test.ex_" -out "test_122.ex_"' + verify_text "$?" "122" "ex_" "osslsigncode" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# MSI file +test_name="123. Signing a MSI file with a PVK key file with a password read from password.txt file" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -readpass "${script_path}/../certs/password.txt" \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pvk" \ + -in "sample.msi" -out "test_123.msi"' + verify_signature "$?" "123" "msi" "UNUSED_PATTERN" + test_result "$?" 
"$test_name" + else + printf "Test skipped\n" + fi + +exit 0 diff --git a/tests/recipes/13_sign_readpass_pkcs12 b/tests/recipes/13_sign_readpass_pkcs12 new file mode 100644 index 0000000..df90111 --- /dev/null +++ b/tests/recipes/13_sign_readpass_pkcs12 
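Review bot: The `printf ... 1>&3` line ahead of test 121 writes to file descriptor 3, which this recipe never opens; presumably the runner sets it up, so running the recipe on its own fails at that line with a bad-descriptor error. The message itself records that `-readpass` does not work with a PVK key and asks the operator to press enter, which ties tests 121–123 to a terminal and would likely stall an unattended run. Consider skipping the recipe with a recorded reason until the defect is fixed, and add a header comment such as `# Known issue: -readpass is not honoured for PVK keys; see the project issue tracker`.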
@@ -0,0 +1,58 @@ +#!/bin/sh +# Signing a PE/CAB/MSI file with the certificate and key stored in a PKCS#12 container +# and a password read from password.txt file. + +. $(dirname $0)/../test_library + +# PE file +test_name="131. Signing a PE file with a PKCS#12 container and a password read from password.txt file" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -readpass "${script_path}/../certs/password.txt" \ + -pkcs12 "${script_path}/../certs/cert.p12" \ + -in "test.exe" -out "test_131.exe"' + verify_signature "$?" "131" "exe" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +test_name="132. Signing a CAB file with a PKCS#12 container and a password read from password.txt file" +printf "\n%s\n" "$test_name" +if [ -s "test.ex_" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -readpass "${script_path}/../certs/password.txt" \ + -pkcs12 "${script_path}/../certs/cert.p12" \ + -in "test.ex_" -out "test_132.ex_"' + verify_text "$?" "132" "ex_" "osslsigncode" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# MSI file +test_name="133. Signing a MSI file with a PKCS#12 container and a password read from password.txt file" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -readpass "${script_path}/../certs/password.txt" \ + -pkcs12 "${script_path}/../certs/cert.p12" \ + -in "sample.msi" -out "test_133.msi"' + verify_signature "$?" "133" "msi" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +exit 0 
diff --git a/tests/recipes/14_sign_descryption b/tests/recipes/14_sign_descryption new file mode 100644 index 0000000..2f68e42 --- /dev/null +++ b/tests/recipes/14_sign_descryption @@ -0,0 +1,57 @@ +#!/bin/sh +# Signing a PE/CAB/MSI file with a descryption + +. $(dirname $0)/../test_library + +# PE file +test_name="141. Signing a PE file with a descryption" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -n "DESCRYPTION_TEXT" \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_141.exe"' + verify_text "$?" "141" "exe" "DESCRYPTION_TEXT" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +test_name="142. Signing a CAB file with a descryption" +printf "\n%s\n" "$test_name" +if [ -s "test.ex_" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -n "DESCRYPTION_TEXT" \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.ex_" -out "test_142.ex_"' + verify_text "$?" "142" "ex_" "DESCRYPTION_TEXT" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# MSI file +test_name="143. Signing a MSI file with a descryption" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -n "DESCRYPTION_TEXT" \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "sample.msi" -out "test_143.msi"' + verify_text "$?" "143" "msi" "DESCRYPTION_TEXT" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +exit 0 
diff --git a/tests/recipes/15_sign_url b/tests/recipes/15_sign_url
new file mode 100644
index 0000000..c1c3efd
--- /dev/null
+++ b/tests/recipes/15_sign_url
@@ -0,0 +1,58 @@ +#!/bin/sh +# Signing a PE/CAB/MSI file with specified URL for expanded description of the signed content +# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode-signing-of-csps + +. $(dirname $0)/../test_library + +# PE file +test_name="151. Signing a PE file with specified URL" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -i "https://www.osslsigncode.com/" \ + -in "test.exe" -out "test_151.exe"' + verify_text "$?" "151" "exe" "https://www.osslsigncode.com/" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +test_name="152. Signing a CAB file with specified URL" +printf "\n%s\n" "$test_name" +if [ -s "test.ex_" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -i "https://www.osslsigncode.com/" \ + -in "test.ex_" -out "test_152.ex_"' + verify_text "$?" "152" "ex_" "https://www.osslsigncode.com/" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# MSI file +test_name="153. Signing a MSI file with specified URL" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -i "https://www.osslsigncode.com/" \ + -in "sample.msi" -out "test_153.msi"' + verify_text "$?" "153" "msi" "https://www.osslsigncode.com/" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +exit 0 
diff --git a/tests/recipes/16_sign_comm b/tests/recipes/16_sign_comm
new file mode 100644
index 0000000..7113e95
--- /dev/null
+++ b/tests/recipes/16_sign_comm
@@ -0,0 +1,60 @@ +#!/bin/sh +# Signing a PE/CAB/MSI file with the commercial purpose set for SPC_STATEMENT_TYPE_OBJID +# object ID numbers (OIDs) "1.3.6.1.4.1.311.2.1.11" +# changes default Individual Code Signing: "0x30, 0x0c, x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15" +# sets Commercial Code Signing: "0x30, 0x0c, x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x16" + +. $(dirname $0)/../test_library + +# PE file +test_name="161. Signing a PE file with the common purpose set" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -comm \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_161.exe"' + verify_text "$?" "161" "exe" "300c060a2b060104018237020116" "HEX" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +test_name="162. Signing a CAB file with the common purpose set" +printf "\n%s\n" "$test_name" +if [ -s "test.ex_" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -comm \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.ex_" -out "test_162.ex_"' + verify_text "$?" "162" "ex_" "300c060a2b060104018237020116" "HEX" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# MSI file +test_name="163. Signing a MSI file with the common purpose set" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -comm \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "sample.msi" -out "test_163.msi"' + verify_text "$?" 
"163" "msi" "300c060a2b060104018237020116" "HEX" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +exit 0 diff --git a/tests/recipes/17_sign_crosscertfile b/tests/recipes/17_sign_crosscertfile new file mode 100644 index 0000000..99c5afe --- /dev/null +++ b/tests/recipes/17_sign_crosscertfile 
@@ -0,0 +1,59 @@ +#!/bin/sh +# Adding an additional certificate to the signature block of the PE/CAB/MSI file. +# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode-signing-of-csps +# https://docs.microsoft.com/en-us/windows/win32/seccertenroll/about-cross-certification + +. $(dirname $0)/../test_library + +# PE file +test_name="171. Adding an additional certificate to the signature block of the PE file" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -ac "${script_path}/../certs/crosscert.pem" \ + -in "test.exe" -out "test_171.exe"' + verify_signature "$?" "171" "exe" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +test_name="172. Adding an additional certificate to the signature block of the CAB file" +printf "\n%s\n" "$test_name" +if [ -s "test.ex_" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -ac "${script_path}/../certs/crosscert.pem" \ + -in "test.ex_" -out "test_172.ex_"' + verify_text "$?" "172" "ex_" "crosscert" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# MSI file +test_name="173. Adding an additional certificate to the signature block of the MSI file" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -ac "${script_path}/../certs/crosscert.pem" \ + -in "sample.msi" -out "test_173.msi"' + verify_signature "$?" 
"173" "msi" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +exit 0 diff --git a/tests/recipes/21_sign_hash_md5 b/tests/recipes/21_sign_hash_md5 new file mode 100644 index 0000000..042c6e2 --- /dev/null +++ b/tests/recipes/21_sign_hash_md5 @@ -0,0 +1,26 @@ +#!/bin/sh +# Signing a PE file with md5 set of cryptographic hash functions. + +. $(dirname $0)/../test_library + +# PE file +test_name="211. Signing a PE file with md5 set of cryptographic hash functions" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h md5 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_211.exe"' + verify_signature "$?" "211" "exe" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file + +# MSI file + +exit 0 diff --git a/tests/recipes/22_sign_hash_sha1 b/tests/recipes/22_sign_hash_sha1 new file mode 100644 index 0000000..dd7c75f --- /dev/null +++ b/tests/recipes/22_sign_hash_sha1 @@ -0,0 +1,26 @@ +#!/bin/sh +# Signing a PE file with sha1 set of cryptographic hash functions. + +. $(dirname $0)/../test_library + +# PE file +test_name="221. Signing a PE file with sha1 set of cryptographic hash functions" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha1 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_221.exe"' + verify_signature "$?" "221" "exe" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file + +# MSI file + +exit 0 diff --git a/tests/recipes/23_sign_hash_sha2 b/tests/recipes/23_sign_hash_sha2 new file mode 100644 index 0000000..19ecfb1 --- /dev/null +++ b/tests/recipes/23_sign_hash_sha2 
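Review bot: Test 211 passes `"UNUSED_PATTERN"` to `verify_signature`, so the only check is that `osslsigncode verify` accepts the output; nothing confirms that the digest named by `-h md5` is the one recorded in the signature. The test would pass unchanged if `-h` were ignored and another digest used, and the same holds for recipes 22 to 25 (tests 221, 231, 241 and 251). Consider asserting the digest algorithm as well, for example through `verify_text` with a `HEX` pattern for the expected algorithm OID, so that a regression in hash selection is caught. A header comment noting that md5 and sha1 are exercised only for compatibility coverage would also help readers of the suite.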
@@ -0,0 +1,26 @@ +#!/bin/sh +# Signing a PE file with sha2 set of cryptographic hash functions. + +. $(dirname $0)/../test_library + +# PE file +test_name="231. Signing a PE file with sha2 set of cryptographic hash functions" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha2 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_231.exe"' + verify_signature "$?" "231" "exe" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file + +# MSI file + +exit 0 diff --git a/tests/recipes/24_sign_hash_sha384 b/tests/recipes/24_sign_hash_sha384 new file mode 100644 index 0000000..dc521e5 --- /dev/null +++ b/tests/recipes/24_sign_hash_sha384 @@ -0,0 +1,26 @@ +#!/bin/sh +# Signing a PE file with sha384 set of cryptographic hash functions. + +. $(dirname $0)/../test_library + +# PE file +test_name="241. Signing a PE file with sha384 set of cryptographic hash functions" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha384 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_241.exe"' + verify_signature "$?" "241" "exe" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file + +# MSI file + +exit 0 diff --git a/tests/recipes/25_sign_hash_sha512 b/tests/recipes/25_sign_hash_sha512 new file mode 100644 index 0000000..862da3c --- /dev/null +++ b/tests/recipes/25_sign_hash_sha512 
@@ -0,0 +1,26 @@ +#!/bin/sh +# Signing a PE file with sha512 set of cryptographic hash functions. + +. $(dirname $0)/../test_library + +# PE file +test_name="251. Signing a PE file with sha512 set of cryptographic hash functions" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha512 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_251.exe"' + verify_signature "$?" "251" "exe" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file + +# MSI file + +exit 0 diff --git a/tests/recipes/31_extract_signature b/tests/recipes/31_extract_signature new file mode 100644 index 0000000..366d597 --- /dev/null +++ b/tests/recipes/31_extract_signature 
@@ -0,0 +1,45 @@ +#!/bin/sh +# Extracting the signature from the PE/MSI file. + +. $(dirname $0)/../test_library + +# PE file +test_name="311. Extracting the signature from the PE file" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_311.exe" && \ + ../../osslsigncode extract-signature -pem \ + -in "test_311.exe" -out "sign_pe.pem"' + verify_signature "$?" "311" "exe" "sha256sum" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +# Command is not supported for non-PE + +# MSI file +test_name="312. Extracting the signature from the MSI file" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "sample.msi" -out "test_312.msi" && \ + ../../osslsigncode extract-signature -pem \ + -in "test_312.msi" -out "sign_msi.pem"' + verify_signature "$?" "312" "msi" "sha256sum" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +exit 0 diff --git a/tests/recipes/32_attach_signature b/tests/recipes/32_attach_signature new file mode 100644 index 0000000..1ee0704 --- /dev/null +++ b/tests/recipes/32_attach_signature 
@@ -0,0 +1,39 @@ +#!/bin/sh +# Attaching the signature to the PE/MSI file. + +. $(dirname $0)/../test_library + +# PE file +test_name="321. Attaching the signature to the PE file" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode attach-signature -sigin "sign_pe.pem" \ + -in "test.exe" -out "test_321.exe"' + verify_signature "$?" "321" "exe" "sha256sum" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +# Command is not supported for non-PE + +# MSI file +test_name="322. Attaching the signature to the MSI file" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode attach-signature -sigin "sign_msi.pem" \ + -in "sample.msi" -out "test_322.msi"' + verify_signature "$?" "322" "msi" "sha256sum" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +exit 0 diff --git a/tests/recipes/33_remove_signature b/tests/recipes/33_remove_signature new file mode 100644 index 0000000..938bb2b --- /dev/null +++ b/tests/recipes/33_remove_signature 
@@ -0,0 +1,45 @@ +#!/bin/sh +# Removing the signature from the PE/MSI file. + +. $(dirname $0)/../test_library + +# PE file +test_name="331. Removing the signature from the PE file" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_331_signed.exe" && \ + ../../osslsigncode remove-signature \ + -in "test_331_signed.exe" -out "test_331.exe"' + verify_no_signature "$?" "331" "exe" "sha256sum" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +# Command is not supported for non-PE + +# MSI file +test_name="332. Removing the signature from the MSI file" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "sample.msi" -out "test_332_signed.msi" && \ + ../../osslsigncode remove-signature \ + -in "test_332_signed.msi" -out "test_332.msi"' + verify_no_signature "$?" "332" "msi" "sha256sum" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +exit 0 diff --git a/tests/recipes/34_add_signature b/tests/recipes/34_add_signature new file mode 100644 index 0000000..9b25005 --- /dev/null +++ b/tests/recipes/34_add_signature 
@@ -0,0 +1,47 @@ +#!/bin/sh +# Moving the authenticode signing to the PE/MSI file. + +. $(dirname $0)/../test_library + +# PE file +test_name="341. Moving the authenticode signing to the PE file" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + cp "test.exe" "test_341.exe" + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_341_signed.exe" && \ + ../../osslsigncode add \ + -in "test_341_signed.exe" -out "test_341.exe"' + verify_signature "$?" "341" "exe" "sha256sum" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +# Command is not supported for non-PE + +# MSI file +test_name="342. Moving the authenticode signing to the MSI file" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + cp "sample.msi" "test_342.msi" + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "sample.msi" -out "test_342_signed.msi" && \ + ../../osslsigncode add \ + -in "test_342_signed.msi" -out "test_342.msi"' + verify_signature "$?" "342" "msi" "sha256sum" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +exit 0 diff --git a/tests/recipes/35_varia_sha256sum b/tests/recipes/35_varia_sha256sum new file mode 100644 index 0000000..7017a64 --- /dev/null +++ b/tests/recipes/35_varia_sha256sum 
@@ -0,0 +1,46 @@
+#!/bin/sh
+# Checking SHA256 message digests for 31x-34x tests.
+
+. $(dirname $0)/../test_library
+res=0
+res=0
+skip=0
+test_name="351. Checking SHA256 message digests for 31x-34x tests"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+ then
+ if [ $(cat "sha256sum_exe.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1 ]
+ then
+ res=1
+ cat "sha256sum_exe.log" >> "results.log"
+ printf "Non-unique SHA256 message digests found\n" >> "results.log"
+ else
+ rm -f test_3[1-4]*[1-2]*.exe
+ fi
+ rm -f "sha256sum_exe.log"
+ else
+ skip=$($skip+1)
+ fi
+
+if [ -s "sample.msi" ]
+ then
+ if [ $(cat "sha256sum_msi.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1 ]
+ then
+ res=1
+ cat "sha256sum_msi.log" >> "results.log"
+ printf "Non-unique SHA256 message digests found\n" >> "results.log"
+ else
+ rm -f test_3[1-4]*[1-2]*.msi
+ fi
+ rm -f "sha256sum_msi.log"
+ else
+ skip=$(($skip+1))
+ fi
+
+if [ $skip -lt 2 ]
+ then
+ test_result "$res" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+exit 0
diff --git a/tests/recipes/36_add_signature_blob b/tests/recipes/36_add_signature_blob
new file mode 100644
index 0000000..15bd96d
--- /dev/null
+++ b/tests/recipes/36_add_signature_blob
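Review bot: In the `test.exe` branch, `skip=$($skip+1)` is a command substitution rather than arithmetic: the shell tries to run a command named `0+1` and leaves `skip` empty. The later `[ $skip -lt 2 ]` then errors out and falls into the `else` arm, so a run without `test.exe` prints "Test skipped" and never reports a digest mismatch recorded for `sample.msi`. Use `skip=$((skip+1))`, as the MSI branch already does, and quote the operand as `[ "$skip" -lt 2 ]`. `res=0` is also assigned twice at the top.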
@@ -0,0 +1,49 @@ +#!/bin/sh +# Moving the authenticode signing with addUnauthenticatedBlob to the PE/MSI file. + +. $(dirname $0)/../test_library + +# PE file +test_name="361. Moving the authenticode signing with addUnauthenticatedBlob to the PE file" +printf "\n%s\n" "$test_name" +if [ -s "test.exe" ] + then + cat "test.exe" > "test_361.exe" + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.exe" -out "test_361_signed.exe" && \ + ../../osslsigncode add \ + -addUnauthenticatedBlob \ + -in "test_361_signed.exe" -out "test_361.exe"' + verify_text "$?" "361" "exe" "BEGIN_BLOB" "ASCII" "UNUSED_PATTERN" "MODIFY" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# CAB file +# Command is not supported for non-PE + +# MSI file +test_name="362. Moving the authenticode signing with addUnauthenticatedBlob to the MSI file" +printf "\n%s\n" "$test_name" +if [ -s "sample.msi" ] + then + cat "sample.msi" > "test_362.msi" + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "sample.msi" -out "test_362_signed.msi" && \ + ../../osslsigncode add \ + -addUnauthenticatedBlob \ + -in "test_362_signed.msi" -out "test_362.msi"' + verify_text "$?" "362" "msi" "BEGIN_BLOB" "ASCII" "UNUSED_PATTERN" "MODIFY" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +exit 0 diff --git a/tests/recipes/37_verify_leaf_hash b/tests/recipes/37_verify_leaf_hash new file mode 100644 index 0000000..5dd6c53 --- /dev/null +++ b/tests/recipes/37_verify_leaf_hash 
@@ -0,0 +1,50 @@
+#!/bin/sh
+# Comparing the leaf certificate hash against specified SHA256 message digest for the PE/MSI file
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+
+# PE file
+test_name="371. Comparing the leaf certificate hash against specified SHA256 message digest for the PE file"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
+ -in "test.exe" -out "test_371.exe"'
+ ../../osslsigncode verify -in "test_371.exe" \
+ -require-leaf-hash SHA256:$(sha256sum "${script_path}/../certs/cert.der" | cut -d' ' -f1)
+ if test_result "$?" "$test_name"
+ then
+ rm -f "test_371.exe"
+ fi
+ else
+ printf "Test skipped\n"
+ fi
+
+# CAB file
+# Command is not supported for non-PE
+
+# MSI file
+test_name="372. Comparing the leaf certificate hash against specified SHA256 message digest for the MSI file"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
+ -in "test.exe" -out "test_372.exe"'
+ ../../osslsigncode verify -in "test_372.exe" \
+ -require-leaf-hash SHA256:$(sha256sum "${script_path}/../certs/cert.der" | cut -d' ' -f1)
+ if test_result "$?" "$test_name"
+ then
+ rm -f "test_372.exe"
+ fi
+ else
+ printf "Test skipped\n"
+ fi
+
+exit 0
diff --git a/tests/recipes/41_sign_add_msi_dse b/tests/recipes/41_sign_add_msi_dse
new file mode 100644
index 0000000..fbd42aa
--- /dev/null
+++ b/tests/recipes/41_sign_add_msi_dse
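Review bot: Test 372 is labelled as the MSI case and is guarded by `[ -s "sample.msi" ]`, but it signs `test.exe` into `test_372.exe` and verifies that file, so `-require-leaf-hash` is never exercised on an MSI. The affected lines should read `-in "sample.msi" -out "test_372.msi"'`, `../../osslsigncode verify -in "test_372.msi" \` and `rm -f "test_372.msi"`. In both tests the exit status of the signing step is discarded and only the verify status reaches `test_result`, which is worth a comment since a failed sign is reported as a verify failure. The `SHA256:$(sha256sum ...)` argument should also be quoted.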
@@ -0,0 +1,34 @@
+#!/bin/sh
+# Signing a MSI file with a PEM key file.
+# MsiDigitalSignatureEx (msi-dse) is an enhanced signature type that can be used
+# when signing MSI files. In addition to file content, it also hashes some file metadata,
+# specifically file names, file sizes, creation times and modification times.
+# https://www.unboundtech.com/docs/UKC/UKC_Code_Signing_IG/HTML/Content/Products/UKC-EKM/UKC_Code_Signing_IG/Sign_Windows_PE_and_msi_Files.htm
+
+. $(dirname $0)/../test_library
+
+# PE file
+#
+
+# CAB file
+#
+
+# MSI file
+test_name="411. Signing a MSI file with the MsiDigitalSignatureEx option"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ]
+ then
+ faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+ script_path=$(pwd)
+ ../../osslsigncode sign -h sha256 \
+ -add-msi-dse \
+ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \
+ -pass passme \
+ -in "sample.msi" -out "test_411.msi"'
+ verify_text "$?" "411" "msi" "osslsigncode" "ASCII" "UNUSED_PATTERN" "UNUSED_PATTERN"
+ test_result "$?" "$test_name"
+ else
+ printf "Test skipped\n"
+ fi
+
+exit 0
diff --git a/tests/recipes/51_sign_jp_low b/tests/recipes/51_sign_jp_low
new file mode 100644
index 0000000..1da6f98
--- /dev/null
+++ b/tests/recipes/51_sign_jp_low
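Review bot: Test 411 checks the signed file only for the ASCII string `osslsigncode`, the same pattern the plain CAB signing tests use, so as far as this recipe shows a pass does not depend on `-add-msi-dse` having any effect. A pattern that is present only when the MsiDigitalSignatureEx data is written, plus a header comment naming it, would make the test cover the option it is named after. The key password is also given as `-pass passme` in the argument list, where it is visible to other local processes; it is a test fixture, but a comment saying so, e.g. `# test-only password for keyp.pem; never reuse`, would keep the pattern from being copied into real signing scripts.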
@@ -0,0 +1,30 @@ +#!/bin/sh +# Signing a CAB file with "jp low" option +# https://support.microsoft.com/en-us/help/193877 + +. $(dirname $0)/../test_library + +# PE file +# + +# CAB file +test_name="511. Signing a CAB file with jp low option" +printf "\n%s\n" "$test_name" +if [ -s "test.ex_" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -jp low \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.ex_" -out "test_511.ex_"' + verify_text "$?" "511" "ex_" "3006030200013000" "HEX" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# MSI file +# + +exit 0 diff --git a/tests/recipes/52_sign_jp_medium b/tests/recipes/52_sign_jp_medium new file mode 100644 index 0000000..63483e9 --- /dev/null +++ b/tests/recipes/52_sign_jp_medium @@ -0,0 +1,31 @@ +#!/bin/sh +# Signing a CAB file with "jp medium" option +# There is no implementation: +# https://github.com/mtrojnar/osslsigncode/blob/0bea1ac8f6d61ed42dd154305a4d5b8c27478ad0/osslsigncode.c#L2555-L2562 + +. $(dirname $0)/../test_library + +# PE file +# + +# CAB file +test_name="521. Signing a CAB file with jp medium option" +printf "\n%s\n" "$test_name" +if [ -s "test.ex_" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -jp medium \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.ex_" -out "test_521.ex_"' + verify_text "$?" "521" "ex_" "3006030200013000" "HEX" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# MSI file +# + +exit 0 diff --git a/tests/recipes/53_sign_jp_high b/tests/recipes/53_sign_jp_high new file mode 100644 index 0000000..9521eb4 --- /dev/null +++ b/tests/recipes/53_sign_jp_high 
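Review bot: Test 521 expects the hex pattern `3006030200013000`, the same value recipe 51 expects for `-jp low`, while its header comment says `-jp medium` has no implementation. The recipe does not say which outcome is intended: if the option is rejected the test fails on every run, and if it is accepted the output is checked against the low-level encoding. State the expected result in the header, for example `# Expected to fail until -jp medium is implemented`, and do the same in recipe 53 for `-jp high`.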
@@ -0,0 +1,31 @@ +#!/bin/sh +# Signing a CAB file with "jp high" option +# There is no implementation: +# https://github.com/mtrojnar/osslsigncode/blob/0bea1ac8f6d61ed42dd154305a4d5b8c27478ad0/osslsigncode.c#L2555-L2562 + +. $(dirname $0)/../test_library + +# PE file +# + +# CAB file +test_name="531. Signing a CAB file with jp high option" +printf "\n%s\n" "$test_name" +if [ -s "test.ex_" ] + then + faketime -f '@2019-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + ../../osslsigncode sign -h sha256 \ + -jp high \ + -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ + -in "test.ex_" -out "test_531.ex_"' + verify_text "$?" "531" "ex_" "3006030200013000" "HEX" "UNUSED_PATTERN" "UNUSED_PATTERN" + test_result "$?" "$test_name" + else + printf "Test skipped\n" + fi + +# MSI file +# + +exit 0 diff --git a/tests/sample.wxs b/tests/sample.wxs new file mode 100644 index 0000000..0512cb8 --- /dev/null +++ b/tests/sample.wxs @@ -0,0 +1,33 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tests/test_library b/tests/test_library new file mode 100755 index 0000000..067f302 --- /dev/null +++ b/tests/test_library 
@@ -0,0 +1,168 @@
+# this file is a library sourced from recipes/*
+
+result_path=$(pwd)
+cd $(dirname "$0")/../
+script_path=$(pwd)
+cd "${result_path}"
+
+test_result() {
+#1 last exit status
+#2 test name
+
+ local result=0
+
+ if [ $1 -eq 0 ]
+ then
+ printf "%s\n" "Test succeeded"
+ else
+ printf "%s\n" "Test failed"
+ printf "%-100s\t%s\n" "$2" "failed" 1>&3
+ result=1
+ fi
+ return $result
+}
+
+verify_signature() {
+# $1 sign exit code
+# $2 test number
+# $3 filename extension
+# $4 sha256sum requirement
+
+ local result=0
+
+ if [ "$1" -eq 0 ]
+ then
+ ../../osslsigncode verify -in "test_$2.$3" 2> "verify.log" 1>&2
+ result=$?
+ if [ "$result" -ne 0 ] || grep -q "No signature found" "verify.log"
+ then
+ cat "verify.log" >> "results.log"
+ elif [ "$4" = "sha256sum" ]
+ then
+ sha256sum "test_$2.$3" 2>> "sha256sum_$3.log" 1>&2
+ if [ -s "test_$2_signed.$3" ]
+ then
+ sha256sum "test_$2_signed.$3" 2>> "sha256sum_$3.log" 1>&2
+ fi
+ else
+ rm -f "test_$2.$3" "test_$2_signed.$3"
+ fi
+ else
+ result=1
+ fi
+ return $result
+}
+
+verify_no_signature() {
+# $1 sign exit code
+# $2 test number
+# $3 filename extension
+# $4 sha256sum requirement
+
+ local result=0
+
+ if [ "$1" -eq 0 ]
+ then
+ ../../osslsigncode verify -in "test_$2.$3" 2> "verify.log" 1>&2
+ if grep -q -e "No signature found" -e "MSI file has no signature" "verify.log"
+ then
+ sha256sum "test_$2_signed.$3" 2>> "sha256sum_$3.log" 1>&2
+ else
+ result=1
+ cat "verify.log" >> "results.log"
+ printf "Faild: the signature was found\n"
+ fi
+ else
+ result=1
+ fi
+ return $result
+}
+
+modify_blob() {
+# $1 test number
+# $2 filename extension
+
+ local result=0
+
+ begin_blob=$(echo -n "---BEGIN_BLOB---" | xxd -p)
+ modify_blob=$(echo -n "---MODIFIED_BLOB---" | xxd -p)
+ zero_blob="00000000000000000000000000000000000000"
+ xxd -p -c 1000 "test_$1.$2" | \
+ sed "s/$begin_blob$zero_blob/$begin_blob$modify_blob/" | \
+ xxd -p -r > "test_$1_modifed.$2"
+ ../../osslsigncode verify -in
"test_$1_modifed.$2" 2>> "verify.log" 1>&2
+ result=$?
+ if [ "$result" -ne 0 ] || \
+ [ $(grep -e "Calculated DigitalSignature" -e "Calculated message digest" "verify.log" | uniq | wc -l) -ne 1 ]
+ then
+ result=1
+ cat "verify.log" >> "results.log"
+ printf "Faild: verify error or non-unique message digests were found\n"
+ else
+ rm -f "test_$1_modifed.$2"
+ fi
+ return $result
+}
+
+verify_text() {
+# $1 sign exit code
+# $2 test number
+# $3 filename extension
+# $4 searched text
+# $5 ASCII od HEX format
+# $6 sha256sum requirement
+# $7 modify requirement
+
+ local result=0
+
+ if [ "$1" -eq 0 ]
+ then
+ if [ "$3" != "ex_" ]
+ then
+ ../../osslsigncode verify -in "test_$2.$3" 2> "verify.log" 1>&2
+ result=$?
+ fi
+ if [ "$result" -ne 0 ] || grep -q "No signature found" "verify.log"
+ then
+ result=1
+ cat "verify.log" >> "results.log"
+ else
+ if [ "$5" = "ASCII" ]
+ then
+ searched_text=$(echo -n "$4" | xxd -p)
+ else
+ searched_text=$4
+ fi
+ if ! xxd -p -c 1000 "test_$2.$3" | grep $searched_text 2>> /dev/null 1>&2
+ then
+ result=1
+ printf "Faild: $4 not found\n"
+ elif [ "$7" = "MODIFY" ]
+ then
+ modify_blob $2 $3
+ result=$?
+ fi
+ if [ "$result" -eq 0 ]
+ then
+ if [ "$6" = "sha256sum" ]
+ then
+ sha256sum "test_$2.$3" 2>> "sha256sum_$3.log" 1>&2
+ if [ -s "test_$2_signed.$3" ]
+ then
+ sha256sum "test_$2_signed.$3" 2>> "sha256sum_$3.log" 1>&2
+ fi
+ else
+ rm -f "test_$2.$3" "test_$2_signed.$3"
+ fi
+ fi
+ if [ "$result" -eq 0 ] && [ "$2" = "401" ]
+ then
+ printf "Faild: unhashed file metadata was found\n"
+ result=1
+ fi
+ fi
+ else
+ result=1
+ fi
+ return $result
+}
diff --git a/tests/testall.sh b/tests/testall.sh
new file mode 100755
index 0000000..fde0eb6
--- /dev/null
+++ b/tests/testall.sh
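Review bot: In verify_text the `osslsigncode verify` call is skipped when `$3` is `ex_`, but the next condition still runs `grep -q "No signature found" "verify.log"`, so a CAB recipe is judged against whatever an earlier recipe left in verify.log. A leftover "No signature found" line, which verify_no_signature treats as its success case, would fail the CAB test for an unrelated reason. A CAB test that passes has had no signature verification at all, only the hex pattern match. Give the skipped branch its own clean log by adding `else` and `: > "verify.log"` before the inner `fi`, and state in the function's header comment that `ex_` files are checked by pattern only.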
@@ -0,0 +1,39 @@
+#!/bin/sh
+# requires mingw64-gcc, gcab, msitools, libgsf, libgsf-devel
+
+result=0
+
+result_path=$(pwd)
+cd $(dirname "$0")
+script_path=$(pwd)
+result_path="${result_path}/logs"
+
+rm -rf "${result_path}"
+mkdir "${result_path}"
+cd "${result_path}"
+
+date > "results.log"
+touch FoobarAppl10.exe
+cp "../sample.wxs" "sample.wxs" 2>> "results.log" 1>&2
+
+x86_64-w64-mingw32-gcc "../myapp.c" -o "test.exe" 2>> "results.log" 1>&2
+gcab -c "test.ex_" "test.exe" 2>> "results.log" 1>&2
+wixl -v "sample.wxs" 2>> "results.log" 1>&2
+
+for plik in ${script_path}/recipes/*
+ do
+ /bin/sh $plik 3>&1 2>> "results.log" 1>&2
+ done
+count=$(grep -c "Test succeeded" "results.log")
+if [ $count -ne 0 ]
+ then
+ skip=$(grep -c "Test skipped" "results.log")
+ fail=$(grep -c "Test failed" "results.log")
+ printf "%s\n" "./newtest.sh finished"
+ printf "%s\n" "summary: success $count, skip $skip, fail $fail"
+ else # no test was done
+ result=1
+ fi
+rm -f "test.exe" "test.ex_" "sample.msi" "sample.wxs" "FoobarAppl10.exe"
+rm -f "sign_pe.pem" "sign_msi.pem" "verify.log"
+exit $result
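Review bot: The exit status does not reflect failed tests: `result` becomes 1 only when `count` is 0, so a run with failures still exits 0 as long as one recipe printed "Test succeeded". `fail` is already computed, so add `[ "$fail" -eq 0 ] || result=1` right after it; otherwise a regression in signing or verification is invisible to any caller that checks the status. Separately, `result_path` is derived from the caller's working directory while the script reads `../sample.wxs` and `../myapp.c`, so it only works when started from tests/. Using `result_path="${script_path}/logs"` would remove that dependence and keep the `rm -rf` target inside the test tree.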