Fixed adding signing time

olszomal 2024-01-05 14:38:59 +01:00 committed by Michał Trojnara
parent 4d08fbb2c1
commit 5da62de5ef
4 changed files with 27 additions and 26 deletions


@ -276,7 +276,7 @@ foreach(ext ${extensions_all})
endforeach(ext ${extensions_all}) endforeach(ext ${extensions_all})
# Tests 43-52 # Tests 43-52
# Attach signature in PEM or DER format # Attach a nested signature in PEM or DER format
# Unsupported command for CAT files # Unsupported command for CAT files
foreach(ext ${extensions_nocat}) foreach(ext ${extensions_nocat})
foreach(format ${formats}) foreach(format ${formats})
@ -284,7 +284,6 @@ foreach(ext ${extensions_nocat})
NAME attached_${format}_${ext} NAME attached_${format}_${ext}
COMMAND osslsigncode "attach-signature" COMMAND osslsigncode "attach-signature"
# sign options # sign options
"-time" "1567296000" # Signing and signature verification time: Sep 1 00:00:00 2019 GMT
"-require-leaf-hash" "SHA256:${leafhash}" "-require-leaf-hash" "SHA256:${leafhash}"
"-add-msi-dse" "-add-msi-dse"
"-h" "sha512" "-h" "sha512"
@ -293,6 +292,7 @@ foreach(ext ${extensions_nocat})
"-in" "${FILES}/signed.${ext}" "-in" "${FILES}/signed.${ext}"
"-out" "${FILES}/attached_${format}.${ext}" "-out" "${FILES}/attached_${format}.${ext}"
# verify options # verify options
"-time" "1567296000" # Signature verification time: Sep 1 00:00:00 2019 GMT
"-CAfile" "${CERTS}/CACert.pem" "-CAfile" "${CERTS}/CACert.pem"
"-CRLfile" "${CERTS}/CACertCRL.pem") "-CRLfile" "${CERTS}/CACertCRL.pem")
set_tests_properties( set_tests_properties(
@ -323,6 +323,7 @@ endforeach(ext ${extensions_all})
# Tests 59-64 # Tests 59-64
# Add the new nested signature instead of replacing the first one # Add the new nested signature instead of replacing the first one
# APPX files do not support nesting (multiple signature)
foreach(ext ${extensions_all}) foreach(ext ${extensions_all})
add_test( add_test(
NAME nested_${ext} NAME nested_${ext}
@ -332,7 +333,7 @@ foreach(ext ${extensions_all})
"-key" "${CERTS}/key.der" "-key" "${CERTS}/key.der"
"-pass" "passme" "-pass" "passme"
"-ac" "${CERTS}/crosscert.pem" "-ac" "${CERTS}/crosscert.pem"
"-time" "1556668800" # Signing time: May 1 00:00:00 2019 GMT "-time" "1556755200" # Signing time: May 2 00:00:00 2019 GMT
"-add-msi-dse" "-add-msi-dse"
"-comm" "-comm"
"-ph" "-ph"
@ -681,7 +682,6 @@ foreach(ext ${extensions_nocat})
NAME attached_data_${ext}_${data_format}_${format} NAME attached_data_${ext}_${data_format}_${format}
COMMAND osslsigncode "attach-signature" COMMAND osslsigncode "attach-signature"
# sign options # sign options
"-time" "1567296000" # Signing and signature verification time: Sep 1 00:00:00 2019 GMT
"-require-leaf-hash" "SHA256:${leafhash}" "-require-leaf-hash" "SHA256:${leafhash}"
"-add-msi-dse" "-add-msi-dse"
"-h" "sha384" "-h" "sha384"
@ -689,6 +689,7 @@ foreach(ext ${extensions_nocat})
"-in" "${FILES}/unsigned.${ext}" "-in" "${FILES}/unsigned.${ext}"
"-out" "${FILES}/attached_data_${data_format}_${format}.${ext}" "-out" "${FILES}/attached_data_${data_format}_${format}.${ext}"
# verify options # verify options
"-time" "1567296000" # Signature verification time: Sep 1 00:00:00 2019 GMT
"-CAfile" "${CERTS}/CACert.pem" "-CAfile" "${CERTS}/CACert.pem"
"-CRLfile" "${CERTS}/CACertCRL.pem") "-CRLfile" "${CERTS}/CACertCRL.pem")
set_tests_properties( set_tests_properties(
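Review bot: The comment added above `foreach(ext ${extensions_all})` for tests 59-64 says APPX files do not support nesting, but the loop header visible here still iterates `extensions_all`, so the comment does not say what the `nested_${ext}` test is expected to do for APPX. If APPX is part of that list, state the expected outcome, for example `# APPX files do not support nesting (multiple signatures); nested_appx is expected to fail`, or iterate a list that excludes it. The loop body and its `set_tests_properties` call continue outside the hunk, so this may already be handled there.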


@ -12,6 +12,7 @@
static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx); static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx);
static int spc_indirect_data_content_create(u_char **blob, int *len, FILE_FORMAT_CTX *ctx); static int spc_indirect_data_content_create(u_char **blob, int *len, FILE_FORMAT_CTX *ctx);
static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx); static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
static int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx); static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
static STACK_OF(X509) *X509_chain_get_sorted(FILE_FORMAT_CTX *ctx, int signer); static STACK_OF(X509) *X509_chain_get_sorted(FILE_FORMAT_CTX *ctx, int signer);
static int X509_compare(const X509 *const *a, const X509 *const *b); static int X509_compare(const X509 *const *a, const X509 *const *b);
@ -108,24 +109,6 @@ void unmap_file(char *indata, const size_t size)
#endif /* WIN32 */ #endif /* WIN32 */
} }
/*
* Add a custom, non-trusted time to the PKCS7 structure to prevent OpenSSL
* adding the _current_ time. This allows to create a deterministic signature
* when no trusted timestamp server was specified, making osslsigncode
* behaviour closer to signtool.exe (which doesn't include any non-trusted
* time in this case.)
* [in, out] si: PKCS7_SIGNER_INFO structure
* [in] ctx: structure holds input and output data
* [returns] 0 on error or 1 on success
*/
int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
{
if (ctx->options->time == INVALID_TIME) /* -time option was not specified */
return 1; /* SUCCESS */
return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,
ASN1_TIME_adj(NULL, ctx->options->time, 0, 0));
}
/* /*
* Retrieve a decoded PKCS#7 structure corresponding to the signature * Retrieve a decoded PKCS#7 structure corresponding to the signature
* stored in the "sigin" file * stored in the "sigin" file
@ -243,7 +226,9 @@ PKCS7 *pkcs7_create(FILE_FORMAT_CTX *ctx)
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
} }
pkcs7_signer_info_add_signing_time(si, ctx); if (!pkcs7_signer_info_add_signing_time(si, ctx)) {
return NULL; /* FAILED */
}
if (!pkcs7_signer_info_add_purpose(si, ctx)) { if (!pkcs7_signer_info_add_purpose(si, ctx)) {
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
@ -689,6 +674,24 @@ static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FO
V_ASN1_SEQUENCE, astr); V_ASN1_SEQUENCE, astr);
} }
/*
* Add a custom, non-trusted time to the PKCS7 structure to prevent OpenSSL
* adding the _current_ time. This allows to create a deterministic signature
* when no trusted timestamp server was specified, making osslsigncode
* behaviour closer to signtool.exe (which doesn't include any non-trusted
* time in this case.)
* [in, out] si: PKCS7_SIGNER_INFO structure
* [in] ctx: structure holds input and output data
* [returns] 0 on error or 1 on success
*/
static int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
{
if (ctx->options->time == INVALID_TIME) /* -time option was not specified */
return 1; /* SUCCESS */
return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,
ASN1_TIME_adj(NULL, ctx->options->time, 0, 0));
}
/* /*
* [in, out] si: PKCS7_SIGNER_INFO structure * [in, out] si: PKCS7_SIGNER_INFO structure
* [in] ctx: structure holds input and output data * [in] ctx: structure holds input and output data
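Review bot: `pkcs7_signer_info_add_signing_time` passes the result of `ASN1_TIME_adj()` straight into `PKCS7_add_signed_attribute()`, so a NULL from a failed allocation or an out-of-range `-time` value is never checked, and the time object appears to be leaked when adding the attribute fails. Now that `pkcs7_create` treats a 0 return as fatal, the helper should report both cases as failures and free the object on the error path. Separately, the attribute is always tagged `V_ASN1_UTCTIME`, while `ASN1_TIME_adj()` can produce a GeneralizedTime for years outside 1950-2049; taking the tag from the object itself would keep the tag and the content consistent. `pkcs7_create` starts and ends outside the hunk, so whether its new `return NULL` path releases the partially built PKCS7 cannot be judged from here.

```c
static int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
{
    ASN1_TIME *signing_time;

    /* ... unchanged: early return when -time was not specified ... */
    signing_time = ASN1_TIME_adj(NULL, ctx->options->time, 0, 0);
    if (!signing_time)
        return 0; /* FAILED */
    if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime,
            V_ASN1_UTCTIME, signing_time)) {
        ASN1_TIME_free(signing_time);
        return 0; /* FAILED */
    }
    return 1; /* SUCCESS */
}
```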


@ -9,7 +9,6 @@
uint32_t get_file_size(const char *infile); uint32_t get_file_size(const char *infile);
char *map_file(const char *infile, const size_t size); char *map_file(const char *infile, const size_t size);
void unmap_file(char *indata, const size_t size); void unmap_file(char *indata, const size_t size);
int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx); PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx);
PKCS7 *pkcs7_read_data(char *indata, uint32_t size); PKCS7 *pkcs7_read_data(char *indata, uint32_t size);
int data_write_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7); int data_write_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7);


@ -1085,8 +1085,6 @@ static int cursig_set_nested(PKCS7 *cursig, PKCS7 *p7, FILE_FORMAT_CTX *ctx)
return 0; /* FAILED */ return 0; /* FAILED */
i2d_PKCS7(p7, &p); i2d_PKCS7(p7, &p);
p -= len; p -= len;
pkcs7_signer_info_add_signing_time(si, ctx);
if (!X509_attribute_chain_append_signature(&(si->unauth_attr), p, len)) { if (!X509_attribute_chain_append_signature(&(si->unauth_attr), p, len)) {
OPENSSL_free(p); OPENSSL_free(p);
return 0; /* FAILED */ return 0; /* FAILED */