From 3e97269d4e0f6d921166cf18f5f7470ca5f6a729 Mon Sep 17 00:00:00 2001
From: Per Allansson
Date: Mon, 11 Mar 2013 22:06:41 +0100
Subject: [PATCH] working RFC3161 timestamping

---
 ChangeLog | 1 +
 TODO | 1 -
 osslsigncode.c | 18 +++++++++++++-----
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ac6cf9f..44b38d0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,7 @@
 - added support for signing MSI files (patch from Marc-André Lureau)
 - calculate correct PE checksum instead of setting it to 0 (patch from Roland Schwingel)
+- added support for RFC3161 timestamping (-ts option)
 - added support for extracting/removing/verifying signature on PE files
 - fixed problem with not being able to decode timestamps with no newlines
 - added stricter checks for PE file validity
diff --git a/TODO b/TODO
index f06d961..e2fce43 100644
--- a/TODO
+++ b/TODO
@@ -1,5 +1,4 @@
 - page hashing support
-- RFC3161 timestamping
 - signature extraction/removal/verificaton on MSI/CAB files
 - improved signature verification on PE files
 - clean up / untangle code
diff --git a/osslsigncode.c b/osslsigncode.c
index 04f437d..7288022 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
@@ -423,7 +423,7 @@ static size_t curl_write( void *ptr, size_t sz, size_t nmemb, void *stream)
 */
-static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const EVP_MD *md, unsigned char *mdbuf)
+static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const EVP_MD *md)
 {
 CURL *curl;
 struct curl_slist *slist = NULL;
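Review bot: The new `add_timestamp` prototype narrows the contract — as far as the visible hunks show, `md` is only consulted inside the `if (rfc3161)` branch and the Authenticode wrapper passes NULL for it — but nothing at the declaration says so. The comment block that closes with `*/` just above the prototype (its text lies outside this hunk) should state it, e.g. `/* md: digest used to hash the signature for the RFC3161 messageImprint; only read when rfc3161 != 0, callers pass NULL otherwise */`. The rest of add_timestamp's body is outside this hunk.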
@@ -462,6 +462,14 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
 curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist);
 if (rfc3161) {
+ unsigned char mdbuf[EVP_MAX_MD_SIZE];
+ EVP_MD_CTX mdctx;
+
+ EVP_MD_CTX_init(&mdctx);
+ EVP_DigestInit(&mdctx, md);
+ EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length);
+ EVP_DigestFinal(&mdctx, mdbuf, NULL);
+
 TimeStampReq *req = TimeStampReq_new();
 req->version = ASN1_INTEGER_new();
 ASN1_INTEGER_set(req->version, 1);
@@ -611,12 +619,12 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
 static int add_timestamp_authenticode(PKCS7 *sig, char *url, char *proxy)
 {
- return add_timestamp(sig, url, proxy, 0, NULL, NULL);
+ return add_timestamp(sig, url, proxy, 0, NULL);
 }
-static int add_timestamp_rfc3161(PKCS7 *sig, char *url, char *proxy, const EVP_MD *md, unsigned char *mdbuf)
+static int add_timestamp_rfc3161(PKCS7 *sig, char *url, char *proxy, const EVP_MD *md)
 {
- return add_timestamp(sig, url, proxy, 1, md, mdbuf);
+ return add_timestamp(sig, url, proxy, 1, md);
 }
 #endif /* ENABLE_CURL */
@@ -1747,7 +1755,7 @@ int main(int argc, char **argv)
 /* add counter-signature/timestamp */
 if (turl && add_timestamp_authenticode(sig, turl, proxy))
 DO_EXIT_0("authenticode timestamping failed\n");
- if (tsurl && add_timestamp_rfc3161(sig, tsurl, proxy, md, mdbuf))
+ if (tsurl && add_timestamp_rfc3161(sig, tsurl, proxy, md))
 DO_EXIT_0("RFC 3161 timestamping failed\n");
 #endif
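Review bot: The three EVP_Digest* calls added in the `if (rfc3161)` block of `add_timestamp` discard their return values, so a failed `EVP_DigestInit(&mdctx, md)` (digest unavailable, or `md` unexpectedly NULL) leaves `mdbuf` uninitialized and the timestamp request is built from garbage; the TSA would then certify an imprint that does not bind this signature, and the failure only surfaces, if at all, at verification time. Each call returns 0 on failure, so guard them together, `if (!EVP_DigestInit(&mdctx, md) || !EVP_DigestUpdate(&mdctx, si->enc_digest->data, si->enc_digest->length) || !EVP_DigestFinal(&mdctx, mdbuf, NULL))`, call `EVP_MD_CTX_cleanup(&mdctx)` and take the function's existing error exit, so that main's `"RFC 3161 timestamping failed\n"` path fires instead (a successful EVP_DigestFinal already releases the context, so no cleanup is needed on the happy path). `EVP_DigestFinal` is also called with a NULL length, so whatever copies `mdbuf` into the request presumably relies on EVP_MD_size(md) — confirm the two agree. `si` is declared, and add_timestamp starts and ends, outside this hunk.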