diff --git a/cmake/CMakeTest.cmake b/cmake/CMakeTest.cmake
index f4aac33..e54f269 100644
--- a/cmake/CMakeTest.cmake
+++ b/cmake/CMakeTest.cmake
@@ -276,7 +276,7 @@ foreach(ext ${extensions_all})
 endforeach(ext ${extensions_all})
 
 # Tests 43-52
-# Attach signature in PEM or DER format
+# Attach a nested signature in PEM or DER format
 # Unsupported command for CAT files
 foreach(ext ${extensions_nocat})
 foreach(format ${formats})
@@ -284,7 +284,6 @@ foreach(ext ${extensions_nocat})
 NAME attached_${format}_${ext}
 COMMAND osslsigncode "attach-signature"
 # sign options
- "-time" "1567296000" # Signing and signature verification time: Sep 1 00:00:00 2019 GMT
 "-require-leaf-hash" "SHA256:${leafhash}"
 "-add-msi-dse"
 "-h" "sha512"
@@ -293,6 +292,7 @@ foreach(ext ${extensions_nocat})
 "-in" "${FILES}/signed.${ext}"
 "-out" "${FILES}/attached_${format}.${ext}"
 # verify options
+ "-time" "1567296000" # Signature verification time: Sep 1 00:00:00 2019 GMT
 "-CAfile" "${CERTS}/CACert.pem"
 "-CRLfile" "${CERTS}/CACertCRL.pem")
 set_tests_properties(
@@ -323,6 +323,7 @@ endforeach(ext ${extensions_all})
 
 # Tests 59-64
 # Add the new nested signature instead of replacing the first one
+# APPX files do not support nesting (multiple signature)
 foreach(ext ${extensions_all})
 add_test(
 NAME nested_${ext}
@@ -332,7 +333,7 @@ foreach(ext ${extensions_all})
 "-key" "${CERTS}/key.der"
 "-pass" "passme"
 "-ac" "${CERTS}/crosscert.pem"
- "-time" "1556668800" # Signing time: May 1 00:00:00 2019 GMT
+ "-time" "1556755200" # Signing time: May 2 00:00:00 2019 GMT
 "-add-msi-dse"
 "-comm"
 "-ph"
@@ -681,7 +682,6 @@ foreach(ext ${extensions_nocat})
 NAME attached_data_${ext}_${data_format}_${format}
 COMMAND osslsigncode "attach-signature"
 # sign options
- "-time" "1567296000" # Signing and signature verification time: Sep 1 00:00:00 2019 GMT
 "-require-leaf-hash" "SHA256:${leafhash}"
 "-add-msi-dse"
 "-h" "sha384"
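Review bot: The comment added in the `# Tests 59-64` hunk says APPX files do not support nesting, yet the `foreach(ext ${extensions_all})` directly below it is unchanged, so the comment and the loop appear to disagree if that list contains APPX. The `add_test` body continues outside the hunk, so the APPX case may be handled there or in the test properties; if so, the comment should say which outcome is expected for `nested_appx` rather than only stating the limitation. A wording such as `# APPX files do not support nesting (multiple signatures); see the expected result for nested_appx below` would make that explicit, and it also fixes the singular "signature".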
@@ -689,6 +689,7 @@ foreach(ext ${extensions_nocat})
 "-in" "${FILES}/unsigned.${ext}"
 "-out" "${FILES}/attached_data_${data_format}_${format}.${ext}"
 # verify options
+ "-time" "1567296000" # Signature verification time: Sep 1 00:00:00 2019 GMT
 "-CAfile" "${CERTS}/CACert.pem"
 "-CRLfile" "${CERTS}/CACertCRL.pem")
 set_tests_properties(
diff --git a/helpers.c b/helpers.c
index 2ad6d88..a1490ee 100644
--- a/helpers.c
+++ b/helpers.c
@@ -12,6 +12,7 @@
 static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx);
 static int spc_indirect_data_content_create(u_char **blob, int *len, FILE_FORMAT_CTX *ctx);
 static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
+static int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
 static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
 static STACK_OF(X509) *X509_chain_get_sorted(FILE_FORMAT_CTX *ctx, int signer);
 static int X509_compare(const X509 *const *a, const X509 *const *b);
@@ -108,24 +109,6 @@ void unmap_file(char *indata, const size_t size)
 #endif /* WIN32 */
 }
 
-/*
- * Add a custom, non-trusted time to the PKCS7 structure to prevent OpenSSL
- * adding the _current_ time. This allows to create a deterministic signature
- * when no trusted timestamp server was specified, making osslsigncode
- * behaviour closer to signtool.exe (which doesn't include any non-trusted
- * time in this case.)
- * [in, out] si: PKCS7_SIGNER_INFO structure
- * [in] ctx: structure holds input and output data
- * [returns] 0 on error or 1 on success
- */
-int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
-{
- if (ctx->options->time == INVALID_TIME) /* -time option was not specified */
- return 1; /* SUCCESS */
- return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,
- ASN1_TIME_adj(NULL, ctx->options->time, 0, 0));
-}
-
 /*
  * Retrieve a decoded PKCS#7 structure corresponding to the signature
  * stored in the "sigin" file
@@ -243,7 +226,9 @@ PKCS7 *pkcs7_create(FILE_FORMAT_CTX *ctx)
 return NULL; /* FAILED */
 }
 }
- pkcs7_signer_info_add_signing_time(si, ctx);
+ if (!pkcs7_signer_info_add_signing_time(si, ctx)) {
+ return NULL; /* FAILED */
+ }
 if (!pkcs7_signer_info_add_purpose(si, ctx)) {
 return NULL; /* FAILED */
 }
@@ -689,6 +674,24 @@ static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FO
 V_ASN1_SEQUENCE, astr);
 }
 
+/*
+ * Add a custom, non-trusted time to the PKCS7 structure to prevent OpenSSL
+ * adding the _current_ time. This allows to create a deterministic signature
+ * when no trusted timestamp server was specified, making osslsigncode
+ * behaviour closer to signtool.exe (which doesn't include any non-trusted
+ * time in this case.)
+ * [in, out] si: PKCS7_SIGNER_INFO structure
+ * [in] ctx: structure holds input and output data
+ * [returns] 0 on error or 1 on success
+ */
+static int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
+{
+ if (ctx->options->time == INVALID_TIME) /* -time option was not specified */
+ return 1; /* SUCCESS */
+ return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,
+ ASN1_TIME_adj(NULL, ctx->options->time, 0, 0));
+}
+
 /*
  * [in, out] si: PKCS7_SIGNER_INFO structure
  * [in] ctx: structure holds input and output data
diff --git a/helpers.h b/helpers.h
index 983e09c..0736f4b 100644
--- a/helpers.h
+++ b/helpers.h
@@ -9,7 +9,6 @@
 uint32_t get_file_size(const char *infile);
 char *map_file(const char *infile, const size_t size);
 void unmap_file(char *indata, const size_t size);
-int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
 PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx);
 PKCS7 *pkcs7_read_data(char *indata, uint32_t size);
 int data_write_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7);
diff --git a/osslsigncode.c b/osslsigncode.c
index 708cef6..af6fe9d 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
@@ -1085,8 +1085,6 @@ static int cursig_set_nested(PKCS7 *cursig, PKCS7 *p7, FILE_FORMAT_CTX *ctx)
 return 0; /* FAILED */
 i2d_PKCS7(p7, &p);
 p -= len;
-
- pkcs7_signer_info_add_signing_time(si, ctx);
 if (!X509_attribute_chain_append_signature(&(si->unauth_attr), p, len)) {
 OPENSSL_free(p);
 return 0; /* FAILED */
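Review bot: In the relocated `pkcs7_signer_info_add_signing_time` (helpers.c, the `-689,6 +674,24` hunk) the result of `ASN1_TIME_adj()` is passed straight into `PKCS7_add_signed_attribute()` without a NULL check, so a failure to build the time value is not clearly reported as 0 even though `pkcs7_create` now tests the return value. The attribute type is also hard-coded to `V_ASN1_UTCTIME`, while `ASN1_TIME_adj()` returns a GeneralizedTime for years outside the UTCTime range, which would leave the declared type and the encoded value out of step for a far-future `-time`. The time object also appears to leak when adding the attribute fails, since nothing frees it on that path. Holding the value in a local, checking it, passing its own type and freeing it on failure covers all three; this matters because the signing time is a signed attribute and ends up covered by the signature.
```c
static int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
{
    ASN1_TIME *signing_time;

    /* ... unchanged: return 1 when the -time option was not specified ... */
    signing_time = ASN1_TIME_adj(NULL, ctx->options->time, 0, 0);
    if (!signing_time)
        return 0; /* FAILED */
    /* ASN1_TIME_adj() selects UTCTime or GeneralizedTime depending on the year */
    if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime,
            ASN1_STRING_type(signing_time), signing_time)) {
        ASN1_TIME_free(signing_time);
        return 0; /* FAILED */
    }
    return 1; /* SUCCESS */
}
```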