Fixed adding signing time

2025-04-04 17:00:11 -05:00 · 2024-01-05 14:38:59 +01:00 · 2024-01-05 14:38:59 +01:00 · 5da62de5ef
commit 5da62de5ef
parent 4d08fbb2c1
4 changed files with 27 additions and 26 deletions
--- a/cmake/CMakeTest.cmake
+++ b/cmake/CMakeTest.cmake
@ -276,7 +276,7 @@ foreach(ext ${extensions_all})
 endforeach(ext ${extensions_all})

 # Tests 43-52
-# Attach signature in PEM or DER format
+# Attach a nested signature in PEM or DER format
 # Unsupported command for CAT files
 foreach(ext ${extensions_nocat})
    foreach(format ${formats})
@ -284,7 +284,6 @@ foreach(ext ${extensions_nocat})
            NAME attached_${format}_${ext}
            COMMAND osslsigncode "attach-signature"
            # sign options
-            "-time" "1567296000" # Signing and signature verification time: Sep  1 00:00:00 2019 GMT
            "-require-leaf-hash" "SHA256:${leafhash}"
            "-add-msi-dse"
            "-h" "sha512"
@ -293,6 +292,7 @@ foreach(ext ${extensions_nocat})
            "-in" "${FILES}/signed.${ext}"
            "-out" "${FILES}/attached_${format}.${ext}"
            # verify options
+            "-time" "1567296000" # Signature verification time: Sep  1 00:00:00 2019 GMT
            "-CAfile" "${CERTS}/CACert.pem"
            "-CRLfile" "${CERTS}/CACertCRL.pem")
        set_tests_properties(
@ -323,6 +323,7 @@ endforeach(ext ${extensions_all})

 # Tests 59-64
 # Add the new nested signature instead of replacing the first one
+# APPX files do not support nesting (multiple signature)
 foreach(ext ${extensions_all})
    add_test(
        NAME nested_${ext}
@ -332,7 +333,7 @@ foreach(ext ${extensions_all})
        "-key" "${CERTS}/key.der"
        "-pass" "passme"
        "-ac" "${CERTS}/crosscert.pem"
-        "-time" "1556668800" # Signing time: May  1 00:00:00 2019 GMT
+        "-time" "1556755200" # Signing time: May  2 00:00:00 2019 GMT
        "-add-msi-dse"
        "-comm"
        "-ph"
@ -681,7 +682,6 @@ foreach(ext ${extensions_nocat})
            NAME attached_data_${ext}_${data_format}_${format}
            COMMAND osslsigncode "attach-signature"
            # sign options
-            "-time" "1567296000" # Signing and signature verification time: Sep  1 00:00:00 2019 GMT
            "-require-leaf-hash" "SHA256:${leafhash}"
            "-add-msi-dse"
            "-h" "sha384"
@ -689,6 +689,7 @@ foreach(ext ${extensions_nocat})
            "-in" "${FILES}/unsigned.${ext}"
            "-out" "${FILES}/attached_data_${data_format}_${format}.${ext}"
            # verify options
+            "-time" "1567296000" # Signature verification time: Sep  1 00:00:00 2019 GMT
            "-CAfile" "${CERTS}/CACert.pem"
            "-CRLfile" "${CERTS}/CACertCRL.pem")
        set_tests_properties(
--- a/helpers.c
+++ b/helpers.c
@ -12,6 +12,7 @@
 static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx);
 static int spc_indirect_data_content_create(u_char **blob, int *len, FILE_FORMAT_CTX *ctx);
 static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
+static int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
 static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
 static STACK_OF(X509) *X509_chain_get_sorted(FILE_FORMAT_CTX *ctx, int signer);
 static int X509_compare(const X509 *const *a, const X509 *const *b);
@ -108,24 +109,6 @@ void unmap_file(char *indata, const size_t size)
 #endif /* WIN32 */
 }

-/*
- * Add a custom, non-trusted time to the PKCS7 structure to prevent OpenSSL
- * adding the _current_ time. This allows to create a deterministic signature
- * when no trusted timestamp server was specified, making osslsigncode
- * behaviour closer to signtool.exe (which doesn't include any non-trusted
- * time in this case.)
- * [in, out] si: PKCS7_SIGNER_INFO structure
- * [in] ctx: structure holds input and output data
- * [returns] 0 on error or 1 on success
- */
-int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
-{
-    if (ctx->options->time == INVALID_TIME) /* -time option was not specified */
-        return 1; /* SUCCESS */
-    return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,
-        ASN1_TIME_adj(NULL, ctx->options->time, 0, 0));
-}
-
 /*
 * Retrieve a decoded PKCS#7 structure corresponding to the signature
 * stored in the "sigin" file
@ -243,7 +226,9 @@ PKCS7 *pkcs7_create(FILE_FORMAT_CTX *ctx)
            return NULL; /* FAILED */
        }
    }
-    pkcs7_signer_info_add_signing_time(si, ctx);
+    if (!pkcs7_signer_info_add_signing_time(si, ctx)) {
+        return NULL; /* FAILED */
+    }
    if (!pkcs7_signer_info_add_purpose(si, ctx)) {
        return NULL; /* FAILED */
    }
@ -689,6 +674,24 @@ static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FO
            V_ASN1_SEQUENCE, astr);
 }

+/*
+ * Add a custom, non-trusted time to the PKCS7 structure to prevent OpenSSL
+ * adding the _current_ time. This allows to create a deterministic signature
+ * when no trusted timestamp server was specified, making osslsigncode
+ * behaviour closer to signtool.exe (which doesn't include any non-trusted
+ * time in this case.)
+ * [in, out] si: PKCS7_SIGNER_INFO structure
+ * [in] ctx: structure holds input and output data
+ * [returns] 0 on error or 1 on success
+ */
+static int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
+{
+    if (ctx->options->time == INVALID_TIME) /* -time option was not specified */
+        return 1; /* SUCCESS */
+    return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,
+        ASN1_TIME_adj(NULL, ctx->options->time, 0, 0));
+}
+
 /*
 * [in, out] si: PKCS7_SIGNER_INFO structure
 * [in] ctx: structure holds input and output data
--- a/helpers.h
+++ b/helpers.h
@ -9,7 +9,6 @@
 uint32_t get_file_size(const char *infile);
 char *map_file(const char *infile, const size_t size);
 void unmap_file(char *indata, const size_t size);
-int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
 PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx);
 PKCS7 *pkcs7_read_data(char *indata, uint32_t size);
 int data_write_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7);
--- a/osslsigncode.c
+++ b/osslsigncode.c
@ -1085,8 +1085,6 @@ static int cursig_set_nested(PKCS7 *cursig, PKCS7 *p7, FILE_FORMAT_CTX *ctx)
        return 0; /* FAILED */
    i2d_PKCS7(p7, &p);
    p -= len;
-
-    pkcs7_signer_info_add_signing_time(si, ctx);
    if (!X509_attribute_chain_append_signature(&(si->unauth_attr), p, len)) {
        OPENSSL_free(p);
        return 0; /* FAILED */