diff --git a/.gitignore b/.gitignore index 6fb8b57..fd34917 100644 --- a/.gitignore +++ b/.gitignore @@ -1,24 +1,20 @@ -.deps -Makefile -Makefile.in -aclocal.m4 -autom4te.cache/ -compile +build/ +CMakeFiles/ +_CPack_Packages/ +Testing/ + +CMakeCache.txt +cmake_install.cmake config.h -config.h.in -config.h.in~ -config.log -config.status -configure -depcomp -install-sh +CPackConfig.cmake +CPackSourceConfig.cmake +CTestTestfile.cmake +install_manifest.txt +Makefile missing osslsigncode -osslsigncode.o -msi.o +osslsigncode.exe stamp-h1 -INSTALL -COPYING .#*# .*.bak @@ -26,25 +22,21 @@ COPYING .*.rej .*~ #*# +*.asc *.bak +*.bz2 *.d *.def *.dll -*.exe +*.gz +*.key *.la *.lib *.lo *.orig +*.pc *.pdb *.rej *.u *.rc -*.pc *~ -*.gz -*.bz2 -*.asc - -**/*.log -!myapp.exe -*.pem diff --git a/CMakeLists.txt b/CMakeLists.txt new file mode 100644 index 0000000..4e8ff68 --- /dev/null +++ b/CMakeLists.txt 
@@ -0,0 +1,50 @@
+# required cmake version
+cmake_minimum_required(VERSION 3.6)
+
+# set the project name and version
+project(osslsigncode VERSION 2.4)
+set(DEV "-dev")
+set(PROJECT_VERSION "${PROJECT_VERSION_MAJOR}.${PROJECT_VERSION_MINOR}${DEV}")
+set(PACKAGE_STRING "${PROJECT_NAME} ${PROJECT_VERSION}")
+set(PACKAGE_BUGREPORT "Michal.Trojnara@stunnel.org")
+
+# specify the C++ standard
+set(CMAKE_C_STANDARD 11)
+set(CMAKE_C_STANDARD_REQUIRED ON)
+
+# make find modules in cmake dir available
+set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake")
+
+# load CMake project modules
+include(SetOptions)
+include(FindOpenssl)
+include(FindCurl)
+include(FindMapping)
+
+# use config.h
+target_compile_definitions(osslsigncode PRIVATE HAVE_CONFIG_H=1)
+configure_file(Config.h.in config.h)
+
+# add include directories to osslsigncode
+target_include_directories(osslsigncode PUBLIC "${PROJECT_BINARY_DIR}")
+
+if(MSVC)
+ # set output directory
+ set_target_properties(osslsigncode PROPERTIES
+ RUNTIME_OUTPUT_DIRECTORY_DEBUG ${PROJECT_BINARY_DIR}
+ RUNTIME_OUTPUT_DIRECTORY_RELEASE ${PROJECT_BINARY_DIR}
+ )
+ # copy necessary libraries
+ file(COPY ${OPENSSL_LIBS} ${CURL_LIB} DESTINATION ${PROJECT_BINARY_DIR})
+else()
+ # set LD_LIBRARY_PATH
+ set_target_properties(osslsigncode PROPERTIES
+ INSTALL_RPATH_USE_LINK_PATH TRUE
+ )
+endif()
+
+include(CMakeTest)
+include(CMakeInstall)
+if(NOT MSVC)
+ include(CMakeDist)
+endif()
diff --git a/Config.h.in b/Config.h.in
new file mode 100644
index 0000000..77fa15b
--- /dev/null
+++ b/Config.h.in
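Review bot: `cmake_minimum_required(VERSION 3.6)` is below what the included modules rely on — `find_path`/`find_library(... REQUIRED)` in FindOpenssl/FindCurl is a 3.18 feature and `cmake -E rm` in CMakeTest is 3.17 — so on an older CMake a missing OpenSSL or curl is silently not a configure error; raise it to `cmake_minimum_required(VERSION 3.18)`. `INSTALL_RPATH_USE_LINK_PATH TRUE` also bakes the configure-time link directories (e.g. a user-supplied `-Dssl-path=/opt/openssl-3.0.2/`) into the installed binary's RPATH, so a system-wide install of this signing tool will load libcrypto from that directory at run time; say so where the comment now reads "set LD_LIBRARY_PATH", e.g. `# RPATH points at the configure-time OpenSSL/curl dirs: keep them root-owned, or build against a packaged OpenSSL for release`. Finally `include(FindOpenssl)` differs only by case from the stock `FindOpenSSL` module that SetOptions includes; on a case-insensitive filesystem (Windows, macOS) `CMAKE_MODULE_PATH` is searched first and may resolve to the project file instead, so giving the project modules distinct names (e.g. `OsslOpenSSL.cmake`) avoids the ambiguity.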
@@ -0,0 +1,12 @@
+/* the configured options and settings for osslsigncode */
+#define VERSION_MAJOR "@osslsigncode_VERSION_MAJOR@"
+#define VERSION_MINOR "@osslsigncode_VERSION_MINOR@"
+#cmakedefine PACKAGE_STRING "@PACKAGE_STRING@"
+#cmakedefine PACKAGE_BUGREPORT "@PACKAGE_BUGREPORT@"
+#cmakedefine ENABLE_CURL
+#cmakedefine HAVE_TERMIOS_H
+#cmakedefine HAVE_GETPASS
+#cmakedefine HAVE_SYS_MMAN_H
+#cmakedefine HAVE_MMAP
+#cmakedefine HAVE_MAPVIEWOFFILE
+#cmakedefine _WIN32
diff --git a/INSTALL.W32.md b/INSTALL.W32.md
index 291c5d6..3dcd131 100644
--- a/INSTALL.W32.md
+++ b/INSTALL.W32.md
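Review bot: `#cmakedefine _WIN32` can never be set — no added module defines a CMake variable named `_WIN32` (FindMapping sets `HAVE_MAPVIEWOFFILE`; CMake itself provides `WIN32`) — so the line always becomes `/* #undef _WIN32 */`, which sits confusingly next to the compiler-provided macro; drop it. `VERSION_MAJOR`/`VERSION_MINOR` are emitted as string literals, unlike autoconf's `VERSION`; confirm the consumer in osslsigncode.c (outside this diff) expects strings rather than integers. Since the top-level `configure_file(Config.h.in config.h)` runs without `@ONLY`, any `${...}` placed in this template would also be substituted; add `@ONLY` there or keep the template `${}`-free.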
@@ -93,3 +93,53 @@ OpenSSL 1.1.1k 25 Mar 2021 (Library: OpenSSL 1.1.1k 25 Mar 2021) libcurl/7.78.0 OpenSSL/1.1.1k ``` + +### Building OpenSSL, Curl and osslsigncode sources with Microsoft Visual Studio 64-bit: + +1) Download and install Strawberry Perl from https://strawberryperl.com/ + +2) Run "Open Visual Studio 2022 Tools Command Prompt for targeting x64" + +3) Build and install OpenSSL. +``` + cd openssl-(version) + perl Configure VC-WIN64A --prefix=C:\OpenSSL\vc-win64a --openssldir=C:\OpenSSL\SSL no-asm shared + nmake && nmake install +``` + +4) Build and install curl. +``` + cd curl-(version)\winbuild + nmake /f Makefile.vc mode=dll WITH_PREFIX=C:\curl SSL_PATH=C:\OpenSSL\vc-win64a \ + VC=22 MACHINE=x64 DEBUG=no WITH_SSL=dll ENABLE_NGHTTP2=no ENABLE_SSPI=no \ + ENABLE_IDN=no GEN_PDB=no ENABLE_WINSSL=no USE_ZLIB=no +``` + +5) Build 64-bit Windows osslsigncode. + Navigate to the build directory and run CMake to configure the osslsigncode project + and generate a native build system: +``` + mkdir build && cd build && cmake .. +``` + with specific compile options: +``` + -Denable-strict=ON + -Denable-pedantic=ON + -Dwith-curl=OFF + -Dssl-path=C:\OpenSSL\ + -Dcurl-path=C:\curl\ +``` + Then call that build system to actually compile/link the osslsigncode project: +``` + cmake --build . +``` + +6) Make tests. +``` + ctest -C Release +``` + +5) Make install (with administrator privileges). +``` + cmake --install . --prefix "C:\osslsigncode" +``` diff --git a/LICENSE.txt b/LICENSE.txt index ac2d3fe..bee8331 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,7 +1,7 @@ OpenSSL based Authenticode signing for PE/MSI/Java CAB files. Copyright (C) 2005-2014 Per Allansson -Copyright (C) 2018-2019 Michał Trojnara +Copyright (C) 2018-2022 Michał Trojnara This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/Makefile.am b/Makefile.am deleted file mode 100644 index 6c4fc28..0000000 
--- a/Makefile.am +++ /dev/null @@ -1,21 +0,0 @@ -AUTOMAKE_OPTIONS = foreign 1.10 -MAINTAINERCLEANFILES = \ - config.log config.status \ - $(srcdir)/Makefile.in \ - $(srcdir)/config.h.in $(srcdir)/config.h.in~ $(srcdir)/configure \ - $(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \ - $(srcdir)/depcomp $(srcdir)/aclocal.m4 $(srcdir)/ylwrap \ - $(srcdir)/config.guess $(srcdir)/config.sub -EXTRA_DIST = .gitignore COPYING.txt LICENSE.txt INSTALL.W32.md NEWS.md README.md TODO.md - -AM_CFLAGS = $(OPENSSL_CFLAGS) $(OPTIONAL_LIBCURL_CFLAGS) - -bin_PROGRAMS = osslsigncode - -osslsigncode_SOURCES = osslsigncode.c msi.c msi.h -osslsigncode_LDADD = $(OPENSSL_LIBS) $(OPTIONAL_LIBCURL_LIBS) - -# bash completion script -AM_DISTCHECK_CONFIGURE_FLAGS = --with-bashcompdir='$$(datarootdir)/bash-completion/completions' -bashcompdir = @bashcompdir@ -dist_bashcomp_DATA = osslsigncode.bash diff --git a/NEWS.md b/NEWS.md index aceb0e1..2724540 100644 --- a/NEWS.md +++ b/NEWS.md @@ -12,6 +12,7 @@ - remove "-timestamp-expiration" option - disable verification of the Timestamp Server signature ("-ignore-timestamp" option) +- use CMake instead of Makefile ### 2.3 (2022.03.06) diff --git a/README.md b/README.md index 85430c0..b0e0dc1 100644 --- a/README.md +++ b/README.md 
@@ -29,43 +29,47 @@ supports signature verification, removal and extraction. This section covers building osslsigncode for [Unix-like](https://en.wikipedia.org/wiki/Unix-like) operating systems. See [INSTALL.W32.md](https://github.com/mtrojnar/osslsigncode/blob/master/INSTALL.W32.md) for Windows notes. +We highly recommend downloading a [release tarball](https://github.com/mtrojnar/osslsigncode/releases) instead of cloning from a git repository. -### Generate the ./configure script - -This step is only needed if osslsigncode was cloned from a git repository. -We highly recommend downloading a [release tarball](https://github.com/mtrojnar/osslsigncode/releases) instead. +### Configure, build, make tests and install osslsigncode * Install prerequisites on a Debian-based distributions, such as Ubuntu: ``` - sudo apt update && sudo apt install automake pkg-config + sudo apt update && sudo apt install cmake libssl-dev libcurl4-openssl-dev ``` - -* Install prerequisites on macOS with Homebrew: -``` - brew install automake pkg-config -``` - -* Generate the ./configure script: -``` - ./bootstrap -``` - -### Configure, build and install osslsigncode - -* Install prerequisites on a Debian-based distributions, such as Ubuntu: -``` - sudo apt update && sudo apt install build-essential pkg-config libssl-dev libcurl4-openssl-dev -``` - * Install prerequisites on macOS with Homebrew: ``` brew install pkg-config openssl@1.1 export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig" ``` - -* Configure, build and install osslsigncode: +* Navigate to the build directory and run CMake to configure the osslsigncode project + and generate a native build system: ``` - ./configure && make && sudo make install + mkdir build && cd build && cmake .. 
+``` + with specific compile options: +``` + -Denable-strict=ON + -Denable-pedantic=ON + -Dssl-path=/opt/openssl-3.0.2/ + -Dcurl-path=/opt/curl-7.82/ + -Dwith-curl=OFF +``` +* Then call that build system to actually compile/link the osslsigncode project (alias `make`): +``` + cmake --build . +``` +* Make test: +``` + ctest -C Release +``` +* Make install: +``` + sudo cmake --install . --prefix "/home/myuser/installdir" +``` +* Make tarball (simulate autotools' `make dist`): +``` + cmake --build . --target package_source ``` ## USAGE diff --git a/bootstrap b/bootstrap deleted file mode 100755 index 4cd22ac..0000000 --- a/bootstrap +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -autoreconf --verbose --install --force diff --git a/cmake/CMakeDist.cmake b/cmake/CMakeDist.cmake new file mode 100644 index 0000000..5e7688f --- /dev/null +++ b/cmake/CMakeDist.cmake 
@@ -0,0 +1,27 @@
+# make dist
+# cmake --build . --target package_source
+
+set(CPACK_PACKAGE_NAME ${PROJECT_NAME})
+set(CPACK_PACKAGE_VERSION ${PROJECT_VERSION})
+set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "OpenSSL based Authenticode signing for PE, CAB, CAT and MSI files")
+set(CPACK_PACKAGE_INSTALL_DIRECTORY ${CPACK_PACKAGE_NAME})
+set(CPACK_RESOURCE_FILE_README "${CMAKE_CURRENT_SOURCE_DIR}/README.md")
+set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_CURRENT_SOURCE_DIR}/COPYING.txt")
+set(CPACK_SOURCE_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")
+set(CPACK_SOURCE_GENERATOR "TGZ")
+set(CPACK_SOURCE_IGNORE_FILES "\.git/;\.gitignore")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "Makefile")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CMakeCache.txt")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CMakeFiles")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CPackConfig.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CPackSourceConfig.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CTestTestfile.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "cmake_install.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "config.h")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/CMakeFiles/")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/Testing/")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/_CPack_Packages/")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/build/")
+
+include(CPack)
+add_custom_target(dist COMMAND ${CMAKE_MAKE_PROGRAM} package_source)
diff --git a/cmake/CMakeInstall.cmake b/cmake/CMakeInstall.cmake
new file mode 100644
index 0000000..20b4dc3
--- /dev/null
+++ b/cmake/CMakeInstall.cmake
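Review bot: the ignore list says nothing about the test-CA material makecerts.sh writes under `tests/certs/` (`CA/`, `*.key`, `*.p12`, `password.txt`, `tsa-serial` — the files the tests/certs/.gitignore hunk expects there), so `package_source` will tar up private keys and the test password if makecerts.sh was ever run inside the source tree, something the deleted `EXTRA_DIST` allow-list could not do; CPack does not consult .gitignore. Add `list(APPEND CPACK_SOURCE_IGNORE_FILES "/tests/certs/CA/" "\\.key$" "\\.p12$" "/tests/certs/[^/]*\\.txt$" "tsa-serial$")`. Separately, these entries are regexes and CMake's quoted-argument parsing reduces `\.` to a bare `.`, so `"\.git/;\.gitignore"` is both unanchored and not escaping the dot; `"/\\.git/" "/\\.gitignore$"` is what was intended. `add_custom_target(dist ...)` also lacks `VERBATIM`.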
@@ -0,0 +1,29 @@
+# make install
+# cmake --install . --prefix "/home/myuser/installdir"
+
+# installation rules for a project
+set(BINDIR "${CMAKE_INSTALL_PREFIX}/bin")
+install(TARGETS osslsigncode RUNTIME DESTINATION ${BINDIR})
+if(MSVC)
+ install(FILES
+ "${PROJECT_BINARY_DIR}/libcrypto-3-x64.dll"
+ "${PROJECT_BINARY_DIR}/libssl-3-x64.dll"
+ "${PROJECT_BINARY_DIR}/libcurl.dll"
+ DESTINATION ${BINDIR}
+ )
+endif()
+
+# install bash completion script
+if(NOT MSVC)
+ find_package(bash-completion QUIET)
+ if(NOT BASH_COMPLETION_COMPLETIONSDIR)
+ if(BASH_COMPLETION_COMPATDIR)
+ set(BASH_COMPLETION_COMPLETIONSDIR ${BASH_COMPLETION_COMPATDIR})
+ else()
+ set(SHAREDIR "${CMAKE_INSTALL_PREFIX}/share")
+ set(BASH_COMPLETION_COMPLETIONSDIR "${SHAREDIR}/bash-completion/completions")
+ endif()
+ endif()
+ message(STATUS "Using bash completions dir ${BASH_COMPLETION_COMPLETIONSDIR}")
+ install(FILES "osslsigncode.bash" DESTINATION ${BASH_COMPLETION_COMPLETIONSDIR})
+endif()
diff --git a/cmake/CMakeTest.cmake b/cmake/CMakeTest.cmake
new file mode 100644
index 0000000..8830c64
--- /dev/null
+++ b/cmake/CMakeTest.cmake
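Review bot: the `install(FILES ... "${PROJECT_BINARY_DIR}/libcurl.dll" ...)` rule is unconditional under MSVC, but `libcurl.dll` only reaches the build dir when `with-curl` is ON (FindCurl sets `CURL_LIB` only then), so `cmake --install` fails for the `-Dwith-curl=OFF` configuration that INSTALL.W32.md recommends; the OpenSSL names are likewise pinned to the 3.x x64 layout. Reuse what configure already resolved: `install(FILES ${OPENSSL_LIBS} ${CURL_LIB} DESTINATION ${BINDIR})` (`${CURL_LIB}` expands to nothing when curl is disabled). Copying DLLs beside the signing binary also freezes the installed tool to whatever OpenSSL build sat in `ssl-path` at configure time; a comment such as `# bundled DLLs: rebuild and re-install on OpenSSL/curl security updates` makes that packaging obligation explicit.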
@@ -0,0 +1,278 @@ +# make test +# ctest -C Release + +include(FindPython3) +enable_testing() + +file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/tests/tsa_server.py" + DESTINATION "${PROJECT_BINARY_DIR}/Testing" +) +file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/tests/files" + "${CMAKE_CURRENT_SOURCE_DIR}/tests/certs" + DESTINATION "${PROJECT_BINARY_DIR}/Testing" +) + +set(FILES "${PROJECT_BINARY_DIR}/Testing/files") +set(CERTS "${PROJECT_BINARY_DIR}/Testing/certs") + +set(priv_p12 "-pkcs12" "${CERTS}/cert.p12" "-readpass" "${CERTS}/password.txt") +set(priv_spc "-certs" "${CERTS}/cert.spc" "-key" "${CERTS}/key.pvk" "-pass" "passme") +set(priv_der "-certs" "${CERTS}/cert.pem" "-key" "${CERTS}/key.der" "-pass" "passme") +set(priv_pkey "-certs" "${CERTS}/cert.pem" "-key" "${CERTS}/keyp.pem" "-pass" "passme") +set(sign_opt "-time" "1556708400" + "-add-msi-dse" "-comm" "-ph" "-jp" "low" + "-h" "sha512" "-i" "https://www.osslsigncode.com/" + "-n" "osslsigncode" "-ac" "${CERTS}/crosscert.pem" +) +execute_process( + COMMAND "${CERTS}/makecerts.sh" + WORKING_DIRECTORY ${CERTS} + OUTPUT_VARIABLE makecerts +) +message(STATUS "makecerts.sh: ${makecerts}") +execute_process( + COMMAND ${CMAKE_COMMAND} -E sha256sum "${CERTS}/cert.der" + OUTPUT_VARIABLE sha256sum +) +string(SUBSTRING ${sha256sum} 0 64 leafhash) +set(verify_opt "-CAfile" "${CERTS}/CACert.pem" + "-CRLfile" "${CERTS}/CACertCRL.pem" + "-TSA-CAfile" "${CERTS}/TSACA.pem" +) +set(extensions_4 "exe" "ex_" "msi" "cat") +set(extensions_3 "exe" "ex_" "msi") +set(files_4 "signed" "nested" "added") +set(files_3 "removed" "attached_pem" "attached_der") +set(sign_formats "pem" "der") +set(pem_certs "cert" "expired" "revoked") +set(failed_certs "expired" "revoked") + +add_test( + NAME version + COMMAND osslsigncode --version +) + +foreach(ext ${extensions_4}) + # Signing time: May 1 00:00:00 2019 GMT + set(sign_${ext} ) + add_test( + NAME signed_${ext} + COMMAND osslsigncode "sign" ${sign_opt} ${priv_p12} + "-in" "${FILES}/unsigned.${ext}" "-out" 
"${FILES}/signed.${ext}" + ) +endforeach() + +foreach(ext ${extensions_3}) + add_test( + NAME removed_${ext} + COMMAND osslsigncode "remove-signature" + "-in" "${FILES}/signed.${ext}" "-out" "${FILES}/removed.${ext}" + ) +endforeach() + +foreach(ext ${extensions_3}) + add_test( + NAME extract_pem_${ext} + COMMAND osslsigncode "extract-signature" "-pem" + "-in" "${FILES}/signed.${ext}" "-out" "${FILES}/${ext}.pem" + ) +endforeach() + +foreach(ext ${extensions_3}) + add_test( + NAME extract_der_${ext} + COMMAND osslsigncode "extract-signature" + "-in" "${FILES}/signed.${ext}" "-out" "${FILES}/${ext}.der" + ) +endforeach() + +foreach(ext ${extensions_3}) + set_tests_properties(removed_${ext} extract_pem_${ext} extract_der_${ext} + PROPERTIES DEPENDS sign_${ext} + REQUIRED_FILES "${FILES}/signed.${ext}" + ) +endforeach() + +foreach(ext ${extensions_3}) + foreach(format ${sign_formats}) + # Signature verification time: Sep 1 00:00:00 2019 GMT + add_test( + NAME attached_${format}_${ext} + COMMAND osslsigncode "attach-signature" ${verify_opt} + "-time" "1567296000" + "-require-leaf-hash" "SHA256:${leafhash}" + "-add-msi-dse" "-h" "sha512" "-nest" + "-sigin" "${FILES}/${ext}.${format}" + "-in" "${FILES}/signed.${ext}" "-out" "${FILES}/attached_${format}.${ext}" + ) + set_tests_properties(attached_${format}_${ext} PROPERTIES + DEPENDS extract_pem_${ext} + REQUIRED_FILES "${FILES}/signed.${ext}" + REQUIRED_FILES "${FILES}/${ext}.${format}" + ) + endforeach() +endforeach() + +foreach(ext ${extensions_4}) + add_test( + NAME added_${ext} + COMMAND osslsigncode "add" + "-addUnauthenticatedBlob" "-add-msi-dse" "-h" "sha512" + "-in" "${FILES}/signed.${ext}" "-out" "${FILES}/added.${ext}" + ) + set_tests_properties(added_${ext} PROPERTIES + DEPENDS sign_${ext} + REQUIRED_FILES "${FILES}/signed.${ext}" + ) +endforeach() + +foreach(ext ${extensions_4}) + add_test( + NAME nested_${ext} + COMMAND osslsigncode "sign" "-nest" ${sign_opt} ${priv_der} + "-in" "${FILES}/signed.${ext}" 
"-out" "${FILES}/nested.${ext}" + ) + set_tests_properties(nested_${ext} PROPERTIES + DEPENDS sign_${ext} + REQUIRED_FILES "${FILES}/signed.${ext}" + ) +endforeach() + + +foreach(file ${files_4}) + foreach(ext ${extensions_4}) + # Signature verification time: Sep 1 00:00:00 2019 GMT + add_test( + NAME verify_${file}_${ext} + COMMAND osslsigncode "verify" ${verify_opt} + "-time" "1567296000" + "-require-leaf-hash" "SHA256:${leafhash}" + "-in" "${FILES}/${file}.${ext}" + ) + set_tests_properties(verify_${file}_${ext} PROPERTIES + DEPENDS ${file}_${ext} + REQUIRED_FILES "${FILES}/${file}.${ext}" + ) + endforeach() +endforeach() + +foreach(file ${files_3}) + foreach(ext ${extensions_3}) + # Signature verification time: Sep 1 00:00:00 2019 GMT + add_test( + NAME verify_${file}_${ext} + COMMAND osslsigncode "verify" ${verify_opt} + "-time" "1567296000" + "-require-leaf-hash" "SHA256:${leafhash}" + "-in" "${FILES}/${file}.${ext}" + ) + set_tests_properties(verify_${file}_${ext} PROPERTIES + DEPENDS ${file}_${ext} + REQUIRED_FILES "${FILES}/${file}.${ext}" + ) + endforeach() +endforeach() + +foreach(ext ${extensions_3}) + set_tests_properties(verify_removed_${ext} PROPERTIES + WILL_FAIL TRUE + ) +endforeach() + + +if(Python3_FOUND) + foreach(ext ${extensions_4}) + foreach(cert ${pem_certs}) + add_test( + NAME sign_ts_${cert}_${ext} + COMMAND ${Python3_EXECUTABLE} "${PROJECT_BINARY_DIR}/Testing/tsa_server.py" + "--certs" "${CERTS}/${cert}.pem" "--key" "${CERTS}/key.pem" + "--input" "${FILES}/unsigned.${ext}" "--output" "${FILES}/ts_${cert}.${ext}" + ) + endforeach() + endforeach() + + foreach(ext ${extensions_4}) + # Signature verification time: Sep 1 00:00:00 2019 GMT + add_test( + NAME verify_ts_cert_${ext} + COMMAND osslsigncode "verify" ${verify_opt} + "-time" "1567296000" + "-in" "${FILES}/ts_cert.${ext}" + ) + set_tests_properties(verify_ts_cert_${ext} PROPERTIES + DEPENDS sign_ts_${cert}_${ext} + REQUIRED_FILES "${FILES}/ts_cert.${ext}" + ) + endforeach() + + # 
Signature verification time: Jan 1 00:00:00 2035 GMT + foreach(ext ${extensions_4}) + add_test( + NAME verify_ts_future_${ext} + COMMAND osslsigncode "verify" ${verify_opt} + "-time" "2051222400" + "-in" "${FILES}/ts_cert.${ext}" + ) + set_tests_properties(verify_ts_future_${ext} PROPERTIES + DEPENDS sign_ts_${cert}_${ext} + REQUIRED_FILES "${FILES}/ts_cert.${ext}" + ) + endforeach() + + # Signature verification time: Jan 1 00:00:00 2035 GMT + # enabled "-ignore-timestamp" option + foreach(ext ${extensions_4}) + add_test( + NAME verify_ts_ignore_${ext} + COMMAND osslsigncode "verify" ${verify_opt} + "-time" "2051222400" + "-ignore-timestamp" + "-in" "${FILES}/ts_cert.${ext}" + ) + set_tests_properties(verify_ts_ignore_${ext} PROPERTIES + DEPENDS sign_ts_${cert}_${ext} + REQUIRED_FILES "${FILES}/ts_cert.${ext}" + WILL_FAIL TRUE + ) + endforeach() + + # Signature verification time: Sep 1 00:00:00 2019 GMT + # Certificate has expired or revoked + foreach(ext ${extensions_4}) + foreach(cert ${failed_certs}) + add_test( + NAME verify_ts_${cert}_${ext} + COMMAND osslsigncode "verify" ${verify_opt} + "-time" "1567296000" + "-in" "${FILES}/ts_${cert}.${ext}" + ) + set_tests_properties(verify_ts_${cert}_${ext} PROPERTIES + DEPENDS sign_ts_${cert}_${ext} + REQUIRED_FILES "${FILES}/ts_${cert}.${ext}" + WILL_FAIL TRUE + ) + endforeach() + endforeach() + +else() + message(STATUS "Python3 was not found, skip timestamping tests") +endif() + +foreach(ext ${extensions_4}) + set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed.${ext}") + set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/nested.${ext}") + set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/removed.${ext}") + set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/added.${ext}") + foreach(cert ${pem_certs}) + set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/ts_${cert}.${ext}") + endforeach() + foreach(format ${sign_formats}) + set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}") + set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}") + 
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/attached_${format}.${ext}") + endforeach() + set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jreq.tsq") + set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jresp.tsr") +endforeach() +add_test(NAME remove_files COMMAND ${CMAKE_COMMAND} -E rm -f ${OUTPUT_FILES}) diff --git a/cmake/FindCurl.cmake b/cmake/FindCurl.cmake new file mode 100644 index 0000000..d32b55b --- /dev/null +++ b/cmake/FindCurl.cmake @@ -0,0 +1,47 @@ +# find the native CURL headers and libraries + +if(with-curl) + if(curl-path) + set(CURL_SEARCH_DIR PATHS ${CURL_ROOT} NO_DEFAULT_PATH) + find_path(CURL_INCLUDE_DIRS + NAMES curl/curl.h + PATHS ${CURL_SEARCH_DIR} + PATH_SUFFIXES include + REQUIRED + ) + find_library(CURL_LIBRARIES + NAMES libcurl libcurl.so + PATHS ${CURL_SEARCH_DIR} + PATH_SUFFIXES lib + NO_DEFAULT_PATH + REQUIRED + ) + mark_as_advanced( + CURL_INCLUDE_DIRS + CURL_LIBRARIES + ) + set(CURL_FOUND TRUE) + endif() + + if(CURL_FOUND) + target_link_libraries(osslsigncode PRIVATE ${CURL_LIBRARIES}) + include_directories(${CURL_INCLUDE_DIRS}) + message(STATUS "Link CURL library: ${CURL_LIBRARIES}") + message(STATUS "Include CURL directory: ${CURL_INCLUDE_DIRS}") + set(ENABLE_CURL 1) + else() + MESSAGE(FATAL_ERROR "Could not find the CURL library and development files.") + endif() + + if(MSVC) + find_path(CURL_BIN_DIR + NAMES curl.exe + PATHS ${CURL_SEARCH_DIR} + PATH_SUFFIXES bin + REQUIRED + ) + set(CURL_LIB "${CURL_BIN_DIR}/libcurl.dll") + endif() +else() + message(STATUS "Disable CURL") +endif() diff --git a/cmake/FindMapping.cmake b/cmake/FindMapping.cmake new file mode 100644 index 0000000..ba94fa5 --- /dev/null +++ b/cmake/FindMapping.cmake 
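Review bot: every `DEPENDS sign_${ext}` (on the `removed_`/`extract_*`, `added_` and `nested_` tests) names a test that does not exist — the signing tests are registered as `signed_${ext}`, and `set(sign_${ext} )` merely clears a variable — so ctest drops the dependency and only `REQUIRED_FILES` remains, which skips rather than orders; under `ctest -j` the dependants can run before signing and show as not-run instead of failing. Fix with `DEPENDS signed_${ext}` in those three `set_tests_properties` calls. Likewise `DEPENDS sign_ts_${cert}_${ext}` on `verify_ts_cert_`/`verify_ts_future_`/`verify_ts_ignore_` uses `${cert}` outside its foreach, so it names no test either; write `sign_ts_cert_${ext}`. In `attached_${format}_${ext}`, `REQUIRED_FILES` is passed twice and the second overrides the first; pass one list, `REQUIRED_FILES "${FILES}/signed.${ext};${FILES}/${ext}.${format}"`. The configure-time `execute_process(COMMAND "${CERTS}/makecerts.sh" ...)` has no `RESULT_VARIABLE`, so a failed key generation surfaces only as a cryptic `string(SUBSTRING)` error on the empty sha256sum.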
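Review bot: the MSVC `find_path(CURL_BIN_DIR NAMES curl.exe PATHS ${CURL_SEARCH_DIR} ...)` runs whenever `with-curl` is ON, but `CURL_SEARCH_DIR` (which carries the `NO_DEFAULT_PATH`) is only set inside `if(curl-path)`; when curl was located by `FindCURL` instead, the search falls back to default locations and can pick up a `curl.exe` from `%PATH%`, yielding a `CURL_LIB` that points at a `libcurl.dll` other than the one linked (or none at all) for the later `file(COPY)`. Guard it with `if(MSVC AND curl-path)` or derive the DLL directory from `CURL_LIBRARIES`. `include_directories(${CURL_INCLUDE_DIRS})` also leaks into every target; use `target_include_directories(osslsigncode PRIVATE ${CURL_INCLUDE_DIRS})` beside the `target_link_libraries` call, and prefer `CURL::libcurl` when `FindCURL` supplied it, since the imported target carries includes and transitive libraries itself.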
@@ -0,0 +1,22 @@
+include(CheckIncludeFile)
+include(CheckFunctionExists)
+
+if(NOT MSVC)
+ check_function_exists(getpass HAVE_GETPASS)
+ check_include_file(termios.h HAVE_TERMIOS_H)
+ check_include_file(sys/mman.h HAVE_SYS_MMAN_H)
+ if(HAVE_SYS_MMAN_H)
+ check_function_exists(mmap HAVE_MMAP)
+ if(NOT HAVE_MMAP)
+ message(FATAL_ERROR "Error: Need mmap to build.")
+ endif()
+ endif()
+endif()
+
+# include wincrypt.h in Windows.h
+if(MSVC AND NOT CYGWIN)
+ check_include_file(windows.h HAVE_MAPVIEWOFFILE)
+ if(NOT (HAVE_MMAP OR HAVE_MAPVIEWOFFILE))
+ message(FATAL_ERROR "Error: Need file mapping function to build.")
+ endif()
+endif()
diff --git a/cmake/FindOpenssl.cmake b/cmake/FindOpenssl.cmake
new file mode 100644
index 0000000..e20d3d6
--- /dev/null
+++ b/cmake/FindOpenssl.cmake
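Review bot: the `windows.h`/`HAVE_MAPVIEWOFFILE` probe only runs under MSVC, so a MinGW or clang build on Windows (no `sys/mman.h`, not MSVC) leaves both `HAVE_MMAP` and `HAVE_MAPVIEWOFFILE` undefined, and because the combined fatal check lives inside the same `if(MSVC AND NOT CYGWIN)` branch, configure succeeds with no file-mapping backend at all; the deleted configure.ac probed `windows.h` on every non-Cygwin host. The comment `# include wincrypt.h in Windows.h` also does not describe what the block does. Probe on every non-Cygwin host and make the final check unconditional:
```cmake
# … unchanged: getpass/termios/mmap probes for non-MSVC …

# Windows toolchains without mmap() use MapViewOfFile(); probe on every non-Cygwin host
if(NOT CYGWIN)
    check_include_file(windows.h HAVE_MAPVIEWOFFILE)
endif()
if(NOT (HAVE_MMAP OR HAVE_MAPVIEWOFFILE))
    message(FATAL_ERROR "Error: Need file mapping function to build.")
endif()
```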
@@ -0,0 +1,71 @@
+# find the OpenSSL encryption library
+
+if(ssl-path)
+ set(OPENSSL_SEARCH_DIR PATHS ${OPENSSL_ROOT} NO_DEFAULT_PATH)
+ find_path(OPENSSL_INCLUDE_DIR
+ NAMES openssl/opensslconf.h
+ PATHS ${OPENSSL_SEARCH_DIR}
+ PATH_SUFFIXES include
+ REQUIRED
+ )
+ find_library(OPENSSL_SSL
+ NAMES libssl libssl.so
+ PATHS ${OPENSSL_SEARCH_DIR}
+ PATH_SUFFIXES lib lib64
+ NO_DEFAULT_PATH
+ REQUIRED
+ )
+ find_library(OPENSSL_CRYPTO
+ NAMES libcrypto libcrypto.so
+ PATHS ${OPENSSL_SEARCH_DIR}
+ PATH_SUFFIXES lib lib64
+ NO_DEFAULT_PATH
+ REQUIRED
+ )
+
+ if(MSVC)
+ find_file(OPENSSL_APPLINK_SOURCE
+ NAMES openssl/applink.c
+ PATHS ${OPENSSL_INCLUDE_DIR}
+ NO_DEFAULT_PATH
+ REQUIRED
+ )
+ else()
+ set(OPENSSL_APPLINK_SOURCE)
+ endif()
+
+ set(OPENSSL_LIBRARIES ${OPENSSL_SSL} ${OPENSSL_CRYPTO})
+ mark_as_advanced(
+ OPENSSL_INCLUDE_DIR
+ OPENSSL_LIBRARIES
+ OPENSSL_APPLINK_SOURCE
+ )
+ set(OPENSSL_FOUND TRUE)
+endif()
+
+if(OPENSSL_FOUND)
+ message(STATUS "Link OpenSSL libraries: ${OPENSSL_LIBRARIES}")
+ message(STATUS "Include OpenSSL directory: ${OPENSSL_INCLUDE_DIR}")
+ if(MSVC)
+ message(STATUS "OpenSSL applink source: ${OPENSSL_APPLINK_SOURCE}")
+ endif()
+else()
+ MESSAGE(FATAL_ERROR "Could not find the OpenSSL library and development files.")
+endif()
+
+if(MSVC)
+ find_path(OPENSSL_BIN_DIR
+ NAMES openssl.exe
+ PATHS ${OPENSSL_SEARCH_DIR}
+ PATH_SUFFIXES bin
+ REQUIRED
+ )
+ set(OPENSSL_LIBS "${OPENSSL_BIN_DIR}/libcrypto-3-x64.dll" "${OPENSSL_BIN_DIR}/libssl-3-x64.dll")
+endif()
+
+# add an executable target called "osslsigncode" to be built from the source files
+set(SOURCE_FILES osslsigncode.c msi.c ${OPENSSL_APPLINK_SOURCE})
+add_executable(osslsigncode)
+target_sources(osslsigncode PRIVATE ${SOURCE_FILES})
+target_link_libraries(osslsigncode PRIVATE ${OPENSSL_LIBRARIES})
+include_directories(${OPENSSL_INCLUDE_DIR})
diff --git a/cmake/SetOptions.cmake b/cmake/SetOptions.cmake
new file mode 100644
index 0000000..0a26f29
--- /dev/null
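Review bot: `OPENSSL_LIBS` hardcodes `libcrypto-3-x64.dll`/`libssl-3-x64.dll`, so an MSVC build against the OpenSSL 1.1.1 that INSTALL.W32.md still quotes (`libcrypto-1_1-x64.dll`) or any 32-bit build fails at the top-level `file(COPY)`; derive the names from what was actually found, e.g. `file(GLOB OPENSSL_LIBS "${OPENSSL_BIN_DIR}/libcrypto-*.dll" "${OPENSSL_BIN_DIR}/libssl-*.dll")` followed by a `FATAL_ERROR` when the glob is empty. The `REQUIRED` keyword on `find_path`/`find_library`/`find_file` needs CMake ≥ 3.18 while the project declares 3.6; below that the keyword is ignored and a missing library is not an error. `include_directories(${OPENSSL_INCLUDE_DIR})` should be `target_include_directories(osslsigncode PRIVATE ${OPENSSL_INCLUDE_DIR})`, and when `FindOpenSSL` supplied the library, linking `OpenSSL::Crypto` would also carry `${CMAKE_DL_LIBS}` for static builds — the `-ldl` the deleted configure.ac added explicitly.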
+++ b/cmake/SetOptions.cmake
@@ -0,0 +1,54 @@
+# add command line options
+
+# set Release build mode
+if(NOT CMAKE_BUILD_TYPE)
+ set(CMAKE_BUILD_TYPE "Release" CACHE STRING "Choose Release or Debug" FORCE)
+endif()
+
+option(enable-strict "Enable strict compile mode" OFF)
+option(enable-pedantic "Enable pedantic compile mode" OFF)
+option(with-curl "Enable curl" ON)
+
+if(MSVC)
+ set(ssl-path "D:/TEMP/OpenSSL-3.0.2/vc-win64a" CACHE FILEPATH "OpenSSL library path")
+ set(curl-path "D:/TEMP/curl-7.82.0" CACHE FILEPATH "cURL library path")
+else()
+ option(ssl-path "OpenSSL library path" OFF)
+ option(curl-path "cURL library path" OFF)
+endif()
+
+if(ssl-path)
+ set(OPENSSL_ROOT ${ssl-path})
+ set(OPENSSL_SEARCH_DIR)
+else()
+ include(FindOpenSSL)
+endif()
+
+if(with-curl)
+ if(curl-path)
+ set(CURL_ROOT ${curl-path})
+ set(CURL_BIN_DIR)
+ else()
+ include(FindCURL)
+ endif()
+endif()
+
+# enable compile options
+if(enable-strict)
+ message(STATUS "Enable strict compile mode")
+ if(MSVC)
+ # Microsoft Visual C warning level
+ add_compile_options(/Wall)
+ else()
+ add_compile_options(-Wall -Wextra)
+ endif()
+endif()
+
+if(enable-pedantic)
+ message(STATUS "Enable pedantic compile mode")
+ if(MSVC)
+ add_compile_options(/W4)
+ else()
+ add_compile_options(-pedantic)
+ endif()
+endif()
diff --git a/configure.ac b/configure.ac
deleted file mode 100644
index 3afd4db..0000000
--- a/configure.ac
+++ /dev/null
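Review bot: the MSVC defaults `D:/TEMP/OpenSSL-3.0.2/vc-win64a` and `D:/TEMP/curl-7.82.0` are one developer's local paths baked in as cache defaults, so a Windows build that omits `-Dssl-path` silently links against, copies and later installs DLLs from whatever happens to sit under D:\TEMP instead of failing; default both to empty and let the `REQUIRED` lookups fail, e.g. `set(ssl-path "" CACHE PATH "OpenSSL install prefix")`. On the non-MSVC side `option(ssl-path ...)`/`option(curl-path ...)` declare BOOLs for values that are paths; `set(... CACHE PATH ...)` is the right type on every platform. Two behavioural differences from the deleted configure.ac also deserve a comment here: `enable-pedantic` no longer implies `enable-strict`, and under MSVC strict maps to `/Wall` while pedantic maps to the weaker `/W4`, so "pedantic" now warns less than "strict".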
@@ -1,147 +0,0 @@ -AC_PREREQ(2.60) - -AC_INIT([osslsigncode], [2.4.0-dev], [Michal.Trojnara@stunnel.org]) -AC_CONFIG_AUX_DIR([.]) -AC_CONFIG_HEADERS([config.h]) -AC_CANONICAL_HOST -AM_INIT_AUTOMAKE - -AC_CONFIG_SRCDIR([osslsigncode.c]) - -# bash completion support -AC_ARG_WITH([bashcompdir], - AS_HELP_STRING([--with-bashcompdir=DIR], [directory for bash completions]), , - [PKG_CHECK_VAR([with_bashcompdir], [bash-completion], [completionsdir], , - [with_bashcompdir="${datarootdir}/bash-completion/completions"])]) -AC_MSG_CHECKING([for bashcompdir]) -AC_MSG_RESULT([$with_bashcompdir]) -AC_SUBST([bashcompdir], [$with_bashcompdir]) - -dnl Checks for programs. -AC_PROG_CC -AC_USE_SYSTEM_EXTENSIONS - -AC_ARG_ENABLE( - [strict], - [AS_HELP_STRING([--enable-strict],[enable strict compile mode @<:@disabled@:>@])], - , - [enable_strict="no"] -) - -AC_ARG_ENABLE( - [pedantic], - [AS_HELP_STRING([--enable-pedantic],[enable pedantic compile mode @<:@disabled@:>@])], - , - [enable_pedantic="no"] -) - -AC_ARG_WITH( - [curl], - [AS_HELP_STRING([--with-curl],[enable curl @<:@enabled@:>@])], - , - [with_curl="yes"] -) - -if test "${enable_pedantic}" = "yes"; then - enable_strict="yes"; - CFLAGS="${CFLAGS} -pedantic" -fi -if test "${enable_strict}" = "yes"; then - CFLAGS="${CFLAGS} -Wall -Wextra" -fi - -PKG_PROG_PKG_CONFIG -AC_PROG_CPP -AC_PROG_INSTALL -AC_PROG_LN_S -AC_PROG_MKDIR_P -AC_PROG_SED -AC_PROG_MAKE_SET - -AC_C_CONST -AC_HEADER_STDC -AC_HEADER_TIME -AC_CHECK_HEADERS( - [sys/mman.h], - [AC_CHECK_FUNC( - [mmap], - [AC_DEFINE(HAVE_MMAP, [1], [Define to 1 if you have mmap])], - [AC_MSG_ERROR([Need mmap to build.])] - )], - [have_mmap=no] -) - -case "${host_os}" in - cygwin*) - ;; - *) -AC_CHECK_HEADERS( - [windows.h], - [], - [have_MapViewOfFile=no] -) -esac - -AS_IF([test "x$have_mmap$have_MapViewOfFile" = "xnono"], - [AC_MSG_ERROR([Need file mapping function to buid.])]) - -AC_CHECK_LIB( - [dl], - [dlopen], - [DL_LIBS="-ldl"] -) - -AC_CHECK_HEADERS([termios.h]) 
-AC_CHECK_FUNCS(getpass) - -PKG_CHECK_MODULES( - [OPENSSL], - [libcrypto >= 1.1.1], - , - [PKG_CHECK_MODULES( - [OPENSSL], - [openssl >= 1.1.1], - , - [AC_CHECK_LIB( - [crypto], - [EVP_MD_CTX_new], - [OPENSSL_LIBS="-lcrypto ${SOCKETS_LIBS} ${DL_LIBS}"], - [AC_MSG_ERROR([OpenSSL 1.1.1 or later is required. https://www.openssl.org/])], - [${DL_LIBS}] - )] - )] -) - -PKG_CHECK_MODULES( - [LIBCURL], - [libcurl >= 7.12.0], - , - [AC_CHECK_LIB( - [curl], - [curl_easy_strerror], - [LIBCURL_LIBS="-lcurl"], - , - [${DL_LIBS}] - )] -) - -if test "${with_curl}" = "yes"; then - test -z "${LIBCURL_LIBS}" && AC_MSG_ERROR(m4_normalize([ - Curl 7.12.0 or later required for timestamping support http://curl.haxx.se/ - m4_newline() or libcurl development package not found, try installing: - m4_newline() * libcurl4-openssl-dev (Debian, Ubuntu) - m4_newline() * libcurl-devel (Fedora, CentOS, RHEL) - m4_newline() * libcurl_dev (Solaris) - ])) - OPTIONAL_LIBCURL_CFLAGS="${LIBCURL_CFLAGS}" - OPTIONAL_LIBCURL_LIBS="${LIBCURL_LIBS}" - AC_DEFINE([ENABLE_CURL], [1], [libcurl is enabled]) -fi - -AC_SUBST([OPTIONAL_LIBCURL_CFLAGS]) -AC_SUBST([OPTIONAL_LIBCURL_LIBS]) - -AC_CONFIG_FILES([Makefile]) -AC_OUTPUT - -# vim: set ts=4 noexpandtab: diff --git a/tests/certs/.gitignore b/tests/certs/.gitignore index 58ba881..ecfce1d 100644 --- a/tests/certs/.gitignore +++ b/tests/certs/.gitignore @@ -4,3 +4,5 @@ *.p12 *.spc *.txt +*.log +tsa-serial diff --git a/tests/certs/makecerts.sh b/tests/certs/makecerts.sh index a9ee839..457f0e0 100755 --- a/tests/certs/makecerts.sh +++ b/tests/certs/makecerts.sh 
@@ -29,16 +29,18 @@ make_certs() { OPENSSL=openssl fi - mkdir "demoCA/" 2>> "makecerts.log" 1>&2 - touch "demoCA/index.txt" - echo -n "unique_subject = no" > "demoCA/index.txt.attr" - echo 1000 > "demoCA/serial" + mkdir "CA/" 2>> "makecerts.log" 1>&2 + touch "CA/index.txt" + echo -n "unique_subject = no" > "CA/index.txt.attr" + $OPENSSL rand -hex 16 > "CA/serial" + $OPENSSL rand -hex 16 > "tsa-serial" + echo 1001 > "CA/crlnumber" date > "makecerts.log" "$OPENSSL" version 2>> "makecerts.log" 1>&2 echo -n "$password" > "password.txt" printf "\nGenerate root CA certificate\n" >> "makecerts.log" - "$OPENSSL" genrsa -out demoCA/CA.key \ + "$OPENSSL" genrsa -out CA/CA.key \ 2>> "makecerts.log" 1>&2 test_result $? TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c ' @@ -46,20 +48,20 @@ make_certs() { OPENSSL="$0" export LD_LIBRARY_PATH="$1" CONF="${script_path}/openssl_root.cnf" - "$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key demoCA/CA.key -out tmp/CACert.pem \ + "$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key CA/CA.key -out tmp/CACert.pem \ -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA" \ 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" test_result $? printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log" - "$OPENSSL" genrsa -out demoCA/intermediate.key \ + "$OPENSSL" genrsa -out CA/intermediate.key \ 2>> "makecerts.log" 1>&2 TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c ' script_path=$(pwd) OPENSSL="$0" export LD_LIBRARY_PATH="$1" CONF="${script_path}/openssl_intermediate.cnf" - "$OPENSSL" req -config "$CONF" -new -key demoCA/intermediate.key -out demoCA/intermediate.csr \ + "$OPENSSL" req -config "$CONF" -new -key CA/intermediate.key -out CA/intermediate.csr \ -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \ 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" test_result $? 
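Review bot: `mkdir "CA/" 2>> "makecerts.log" 1>&2` appends to a log that `date > "makecerts.log"` truncates a few lines later, so a failed `mkdir` (e.g. a stale `CA/` left by a previous run) leaves no trace while the script carries on with the old index/serial state; move `date > "makecerts.log"` above the `mkdir`. The two new `$OPENSSL rand -hex 16` lines are also the only unquoted uses of `$OPENSSL` in the hunk — write `"$OPENSSL" rand -hex 16 > "CA/serial"` for consistency with the surrounding calls. Random 128-bit serials are a good change over the fixed `1000`; a one-line comment, `# random serials: avoid predictable/duplicate serials across regenerated test CAs`, would tell the next reader why.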
@@ -68,39 +70,39 @@ make_certs() { OPENSSL="$0" export LD_LIBRARY_PATH="$1" CONF="${script_path}/openssl_root.cnf" - "$OPENSSL" ca -config "$CONF" -batch -in demoCA/intermediate.csr -out demoCA/intermediate.cer \ + "$OPENSSL" ca -config "$CONF" -batch -in CA/intermediate.csr -out CA/intermediate.cer \ 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" test_result $? - "$OPENSSL" x509 -in demoCA/intermediate.cer -out tmp/intermediate.pem \ + "$OPENSSL" x509 -in CA/intermediate.cer -out tmp/intermediate.pem \ 2>> "makecerts.log" 1>&2 test_result $? printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log" - "$OPENSSL" genrsa -des3 -out demoCA/private.key -passout pass:"$password" \ + "$OPENSSL" genrsa -des3 -out CA/private.key -passout pass:"$password" \ 2>> "makecerts.log" 1>&2 test_result $? - cat demoCA/private.key >> tmp/keyp.pem 2>> "makecerts.log" + cat CA/private.key >> tmp/keyp.pem 2>> "makecerts.log" test_result $? printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log" - "$OPENSSL" rsa -in demoCA/private.key -passin pass:"$password" -out tmp/key.pem \ + "$OPENSSL" rsa -in CA/private.key -passin pass:"$password" -out tmp/key.pem \ 2>> "makecerts.log" 1>&2 test_result $? printf "\nGenerate a certificate to revoke\n" >> "makecerts.log" - "$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/revoked.csr \ + "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/revoked.csr \ -subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked/emailAddress=osslsigncode@example.com" \ 2>> "makecerts.log" 1>&2 test_result $? - "$OPENSSL" ca -config "$CONF" -batch -in demoCA/revoked.csr -out demoCA/revoked.cer \ + "$OPENSSL" ca -config "$CONF" -batch -in CA/revoked.csr -out CA/revoked.cer \ 2>> "makecerts.log" 1>&2 test_result $? 
- "$OPENSSL" x509 -in demoCA/revoked.cer -out tmp/revoked.pem \ + "$OPENSSL" x509 -in CA/revoked.cer -out tmp/revoked.pem \ 2>> "makecerts.log" 1>&2 test_result $? printf "\nRevoke above certificate\n" >> "makecerts.log" - "$OPENSSL" ca -config "$CONF" -revoke demoCA/revoked.cer \ + "$OPENSSL" ca -config "$CONF" -revoke CA/revoked.cer \ 2>> "makecerts.log" 1>&2 test_result $? @@ -124,27 +126,27 @@ make_certs() { test_result $? printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log" - "$OPENSSL" genrsa -out demoCA/cross.key \ + "$OPENSSL" genrsa -out CA/cross.key \ 2>> "makecerts.log" 1>&2 TZ=GMT faketime -f '@2018-01-01 00:00:00' /bin/bash -c ' script_path=$(pwd) OPENSSL="$0" export LD_LIBRARY_PATH="$1" CONF="${script_path}/openssl_intermediate.cnf" - "$OPENSSL" req -config "$CONF" -new -x509 -days 900 -key demoCA/cross.key -out tmp/crosscert.pem \ + "$OPENSSL" req -config "$CONF" -new -x509 -days 900 -key CA/cross.key -out tmp/crosscert.pem \ -subj "/C=PL/O=osslsigncode/OU=CSP/CN=crosscert/emailAddress=osslsigncode@example.com" \ 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" test_result $? printf "\nGenerate code signing certificate\n" >> "makecerts.log" - "$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/cert.csr \ + "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/cert.csr \ -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com" \ 2>> "makecerts.log" 1>&2 test_result $? - "$OPENSSL" ca -config "$CONF" -batch -in demoCA/cert.csr -out demoCA/cert.cer \ + "$OPENSSL" ca -config "$CONF" -batch -in CA/cert.csr -out CA/cert.cer \ 2>> "makecerts.log" 1>&2 test_result $? - "$OPENSSL" x509 -in demoCA/cert.cer -out tmp/cert.pem \ + "$OPENSSL" x509 -in CA/cert.cer -out tmp/cert.pem \ 2>> "makecerts.log" 1>&2 test_result $? 
@@ -179,14 +181,14 @@ make_certs() { test_result $? printf "\nGenerate expired certificate\n" >> "makecerts.log" - "$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/expired.csr \ + "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/expired.csr \ -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Expired/emailAddress=osslsigncode@example.com" \ 2>> "makecerts.log" 1>&2 test_result $? - "$OPENSSL" ca -config "$CONF" -enddate "190101000000Z" -batch -in demoCA/expired.csr -out demoCA/expired.cer \ + "$OPENSSL" ca -config "$CONF" -enddate "190101000000Z" -batch -in CA/expired.csr -out CA/expired.cer \ 2>> "makecerts.log" 1>&2 test_result $? - "$OPENSSL" x509 -in demoCA/expired.cer -out tmp/expired.pem \ + "$OPENSSL" x509 -in CA/expired.cer -out tmp/expired.pem \ 2>> "makecerts.log" 1>&2 test_result $? 
@@ -194,23 +196,50 @@ make_certs() { cat tmp/intermediate.pem >> tmp/expired.pem 2>> "makecerts.log" test_result $? + printf "\nGenerate Root CA TSA certificate\n" >> "makecerts.log" + "$OPENSSL" genrsa -out CA/TSACA.key \ + 2>> "makecerts.log" 1>&2 + TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c ' + script_path=$(pwd) + OPENSSL="$0" + export LD_LIBRARY_PATH="$1" + CONF="${script_path}/openssl_tsa_root.cnf" + "$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key CA/TSACA.key -out tmp/TSACA.pem \ + 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" + test_result $? + + printf "\nGenerate TSA certificate\n" >> "makecerts.log" + CONF="${script_path}/openssl_tsa.cnf" + "$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA.key -out CA/TSA.csr \ + 2>> "makecerts.log" 1>&2 + test_result $? + CONF="${script_path}/openssl_tsa_root.cnf" + "$OPENSSL" ca -config "$CONF" -batch -in CA/TSA.csr -out CA/TSA.cer \ + 2>> "makecerts.log" 1>&2 + test_result $? + "$OPENSSL" x509 -in CA/TSA.cer -out tmp/TSA.pem \ + 2>> "makecerts.log" 1>&2 + test_result $? 
+ + printf "\nSave the chain to be included in the TSA response\n" >> "makecerts.log" + cat tmp/TSA.pem tmp/TSACA.pem > tmp/tsa-chain.pem 2>> "makecerts.log" + # copy new files if test -s tmp/intermediate.pem -a -s tmp/CACert.pem -a -s tmp/CACertCRL.pem \ -a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \ -a -s tmp/cert.pem -a -s tmp/cert.p12 -a -s tmp/cert.der -a -s tmp/cert.spc \ - -a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem -a -s tmp/revoked.spc + -a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem -a -s tmp/revoked.spc \ + -a -s tmp/TSA.pem -a -s tmp/TSA.key -a -s tmp/tsa-chain.pem then cp tmp/* ./ - printf "%s\n" "keys & certificates successfully generated" - printf "%s\n" "makecerts.sh finished" + printf "%s" "keys & certificates successfully generated" else - printf "%s\n" "makecerts.sh failed" - printf "%s\n" "error logs ${result_path}/makecerts.log" + printf "%s" "error logs ${result_path}/makecerts.log" result=1 fi # remove the working directory - rm -rf "demoCA/" + rm -rf "CA/" rm -rf "tmp/" exit "$result" diff --git a/tests/certs/openssl_intermediate.cnf b/tests/certs/openssl_intermediate.cnf index b99c777..7ba40b1 100644 --- a/tests/certs/openssl_intermediate.cnf +++ b/tests/certs/openssl_intermediate.cnf @@ -1,19 +1,20 @@ # OpenSSL intermediate CA configuration file -[ ca ] +[ default ] +name = intermediate default_ca = CA_default [ CA_default ] # Directory and file locations dir = . -certs = $dir/demoCA -crl_dir = $dir/demoCA -new_certs_dir = $dir/demoCA -database = $dir/demoCA/index.txt -serial = $dir/demoCA/serial +certs = $dir/CA +crl_dir = $dir/CA +new_certs_dir = $dir/CA +database = $dir/CA/index.txt +serial = $dir/CA/serial rand_serial = yes -private_key = $dir/demoCA/intermediate.key -certificate = $dir/tmp/intermediate.pem +private_key = $dir/CA/$name.key +certificate = $dir/tmp/$name.pem crl_extensions = crl_ext default_md = sha256 preserve = no 
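Review bot: The TSA root certificate is created with `-days 3600` under faketime 2017-01-01, which ends around November 2026, while the TSA end-entity certificate issued through openssl_tsa_root.cnf gets `default_enddate = 20280101000000Z` (if the OpenSSL in use honours that option), so the leaf outlives its issuer and chain validation of test timestamps would start failing about a year before the leaf expires; a root lifetime of at least ~4020 days from 2017-01-01, or a matching leaf end date, avoids that. Separately, `"$OPENSSL" genrsa -out CA/TSACA.key` and the `cat tmp/TSA.pem tmp/TSACA.pem > tmp/tsa-chain.pem` line are not followed by `test_result $?` like the neighbouring steps, so their failure is only caught indirectly by the `-s` checks at the end. The `-nodes` on the TSA `req` deliberately writes an unencrypted `tmp/TSA.key` that `cp tmp/* ./` then places in the certs directory; a comment such as `# test-only TSA signing key, left unencrypted so openssl ts can use it non-interactively` would make that intent explicit (the reason is inferred — confirm). The make_certs function starts before this hunk.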
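Review bot: Renaming `[ ca ]` to `[ default ]` works only because `openssl ca` falls back to the default section when no `[ ca ]` section exists, and the `$name` references in `private_key` and `certificate` resolve through that same section; a reader used to the conventional `[ ca ]` layout will wonder whether `default_ca` is still found. A comment above the section, e.g. `# "default" is consulted by openssl ca when there is no [ ca ] section; name is expanded into $name.key / $name.pem below`, would record that. openssl_root.cnf still shows `default_ca = CA_default` in its unchanged header (its section name is outside this diff), so the two files may now follow different layouts; worth aligning or noting.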
diff --git a/tests/certs/openssl_root.cnf b/tests/certs/openssl_root.cnf
index 2622fb5..c653920 100644
--- a/tests/certs/openssl_root.cnf
+++ b/tests/certs/openssl_root.cnf
@@ -6,13 +6,13 @@ default_ca = CA_default
 [ CA_default ]
 # Directory and file locations.
 dir = .
-certs = $dir/demoCA
-crl_dir = $dir/demoCA
-new_certs_dir = $dir/demoCA
-database = $dir/demoCA/index.txt
-serial = $dir/demoCA/serial
+certs = $dir/CA
+crl_dir = $dir/CA
+new_certs_dir = $dir/CA
+database = $dir/CA/index.txt
+serial = $dir/CA/serial
 rand_serial = yes
-private_key = $dir/demoCA/CA.key
+private_key = $dir/CA/CA.key
 certificate = $dir/tmp/CACert.pem
 crl_extensions = crl_ext
 default_md = sha256
diff --git a/tests/certs/openssl_tsa.cnf b/tests/certs/openssl_tsa.cnf
new file mode 100644
index 0000000..a139088
--- /dev/null
+++ b/tests/certs/openssl_tsa.cnf
@@ -0,0 +1,46 @@
+# OpenSSL Timestamp Authority configuration file
+
+oid_section = new_oids
+
+[ new_oids ]
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+[ req ]
+# Options for the `req` tool
+default_bits = 2048
+encrypt_key = yes
+default_md = sha256
+utf8 = yes
+string_mask = utf8only
+prompt = no
+distinguished_name = ca_distinguished_name
+
+[ ca_distinguished_name ]
+countryName = "PL"
+organizationName = "osslsigncode"
+organizationalUnitName = "Timestamp Authority"
+commonName = "Test TSA"
+
+
+# Time Stamping Authority command "openssl-ts"
+
+[ tsa ]
+default_tsa = tsa_config
+
+[ tsa_config ]
+dir = ./Testing/certs
+signer_cert = $dir/TSA.pem
+signer_key = $dir/TSA.key
+certs = $dir/tsa-chain.pem
+serial = $dir/tsa-serial
+default_policy = tsa_policy1
+other_policies = tsa_policy2, tsa_policy3
+signer_digest = sha256
+digests = sha256, sha384, sha512
+accuracy = secs:1, millisecs:500, microsecs:100
+ordering = yes
+tsa_name = yes
+ess_cert_id_chain = yes
+ess_cert_id_alg = sha256
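Review bot: `encrypt_key = yes` under `[ req ]` is contradicted by the `-nodes` that makecerts.sh passes when it generates the TSA key with this config, so the file documents a protected key while the key actually written is plaintext; either set `encrypt_key = no` with a comment (`# test-only key, kept unencrypted for non-interactive openssl ts`) or drop `-nodes` and supply a passphrase so the two agree. `dir = ./Testing/certs` is relative to the working directory of whatever runs `openssl ts`, whereas makecerts.sh writes TSA.pem, TSA.key, tsa-chain.pem and tsa-serial into tests/certs, so a step outside this diff must copy them; a comment naming that step (presumably in the CMakeTest module — confirm) would save the next reader a search. The `tsa_policy*` OIDs under `1.2.3.4` are not assigned to this project; a `# placeholder OIDs for the test suite only` line discourages copying them into a real deployment.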
diff --git a/tests/certs/openssl_tsa_root.cnf b/tests/certs/openssl_tsa_root.cnf
new file mode 100644
index 0000000..e94c2ba
--- /dev/null
+++ b/tests/certs/openssl_tsa_root.cnf
@@ -0,0 +1,83 @@
+# OpenSSL Root Timestamp Authority configuration file
+
+[ default ]
+name = TSACA
+domain_suffix = timestampauthority.com
+aia_url = http://$name.$domain_suffix/$name.crt
+crl_url = http://$name.$domain_suffix/$name.crl
+ocsp_url = http://ocsp.$name.$domain_suffix:9080
+name_opt = utf8, esc_ctrl, multiline, lname, align
+default_ca = CA_default
+
+[ CA_default ]
+dir = .
+certs = $dir/CA
+crl_dir = $dir/CA
+new_certs_dir = $dir/CA
+database = $dir/CA/index.txt
+serial = $dir/CA/serial
+crlnumber = $dir/CA/crlnumber
+rand_serial = yes
+private_key = $dir/CA/$name.key
+certificate = $dir/tmp/$name.pem
+default_md = sha256
+default_days = 3650
+default_crl_days = 365
+policy = policy_match
+default_startdate = 20180101000000Z
+default_enddate = 20280101000000Z
+unique_subject = no
+x509_extensions = tsa_extensions
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = optional
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ tsa_extensions ]
+basicConstraints = critical, CA:false
+extendedKeyUsage = critical, timeStamping
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+authorityInfoAccess = @issuer_info
+crlDistributionPoints = @crl_info
+nameConstraints = @name_constraints
+
+[ issuer_info ]
+caIssuers;URI.0 = $aia_url
+OCSP;URI.0 = $ocsp_url
+
+[ crl_info ]
+URI.0 = $crl_url
+
+[ name_constraints ]
+permitted;DNS.0=test.com
+permitted;DNS.1=test.org
+excluded;IP.0=0.0.0.0/0.0.0.0
+excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
+
+[ req ]
+# Options for the `req` tool
+default_bits = 2048
+encrypt_key = yes
+default_md = sha256
+utf8 = yes
+string_mask = utf8only
+prompt = no
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+
+[ ca_distinguished_name ]
+countryName = "PL"
+organizationName = "osslsigncode"
+organizationalUnitName = "Timestamp Authority Root CA"
+commonName = "TSA Root CA"
+
+[ ca_extensions ]
+# Extension to add when the -x509 option is used
+basicConstraints = critical, CA:true
+subjectKeyIdentifier = hash
+keyUsage = critical, keyCertSign, cRLSign
diff --git a/tests/files/unsigned.cat b/tests/files/unsigned.cat
new file mode 100755
index 0000000..23cfbee
Binary files /dev/null and b/tests/files/unsigned.cat differ
diff --git a/tests/files/unsigned.ex_ b/tests/files/unsigned.ex_
new file mode 100644
index 0000000..88128d7
Binary files /dev/null and b/tests/files/unsigned.ex_ differ
diff --git a/tests/files/unsigned.exe b/tests/files/unsigned.exe
new file mode 100755
index 0000000..fb3f7b8
Binary files /dev/null and b/tests/files/unsigned.exe differ
diff --git a/tests/files/unsigned.msi b/tests/files/unsigned.msi
new file mode 100644
index 0000000..678f8ee
Binary files /dev/null and b/tests/files/unsigned.msi differ
diff --git a/tests/recipes/01_sign_pem b/tests/recipes/01_sign_pem
deleted file mode 100644
index 06ad8fe..0000000
--- a/tests/recipes/01_sign_pem
+++ /dev/null
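Review bot: `[ tsa_extensions ]` places `nameConstraints = @name_constraints` on the end-entity TSA certificate (`basicConstraints = critical, CA:false`), but RFC 5280 §4.2.1.10 permits that extension only in CA certificates and some verifiers reject it on a leaf; drop `nameConstraints` from `tsa_extensions` (and the then-unused `[ name_constraints ]` section), or move it into `[ ca_extensions ]` if constraining the root is the intent. The leaf also carries no `keyUsage`; `keyUsage = critical, digitalSignature` is what a timestamp signing certificate normally has next to `extendedKeyUsage = critical, timeStamping`. `domain_suffix = timestampauthority.com` puts the AIA, CRL and OCSP URLs under a domain the project does not control, so a revocation-checking client run against these fixtures would contact a third party; a reserved name such as `example.com` or a `.test` suffix (RFC 2606/6761) avoids that. `encrypt_key = yes` in `[ req ]` has no effect here, since makecerts.sh creates TSACA.key with `genrsa` and passes it via `-key`; the line can go or take a comment saying so.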
@@ -1,53 +0,0 @@ -#!/bin/sh -# Sign a file with a certificate and a private key in the PEM format. -# -st 1556668800 is the Unix time of May 1 00:00:00 2019 GMT - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=1 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with a certificate and a private key in the PEM format" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "sha256sum" "osslsigncode" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - -exit 0 diff --git a/tests/recipes/02_sign_pass b/tests/recipes/02_sign_pass deleted file mode 100644 index 61121a6..0000000 --- a/tests/recipes/02_sign_pass +++ /dev/null 
@@ -1,53 +0,0 @@ -#!/bin/sh -# Sign a file with an encrypted private key in the PEM format. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=2 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with an encrypted private key in the PEM format" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \ - -pass passme \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "sha256sum" "osslsigncode" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - -exit 0 diff --git a/tests/recipes/03_sign_der b/tests/recipes/03_sign_der deleted file mode 100644 index e066ea8..0000000 --- a/tests/recipes/03_sign_der +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/bin/sh -# Sign a file with an encrypted private key in the DER format. -# Requires OpenSSL 1.0.0 or later - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=3 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with an encrypted private key in the DER format" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \ - -pass passme \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "sha256sum" "osslsigncode" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - -exit 0 diff --git a/tests/recipes/04_sign_spc_pvk b/tests/recipes/04_sign_spc_pvk deleted file mode 100644 index 2dac29b..0000000 --- a/tests/recipes/04_sign_spc_pvk +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/bin/sh -# Sign a file with a certificate in the SPC format -# and a private key in the Microsoft Private Key (PVK) format. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=4 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with a SPC certificate and a PVK private key" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -spc "${script_path}/../certs/cert.spc" -key "${script_path}/../certs/key.pvk" \ - -pass passme \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "sha256sum" "osslsigncode" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - -exit 0 diff --git a/tests/recipes/05_sign_pkcs12 b/tests/recipes/05_sign_pkcs12 deleted file mode 100644 index 8d98c9f..0000000 --- a/tests/recipes/05_sign_pkcs12 +++ /dev/null 
@@ -1,53 +0,0 @@ -#!/bin/sh -# Sign a file with a certificate and a key stored in a PKCS#12 container. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=5 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with a certificate and a key stored in a PKCS#12 container" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -pkcs12 "${script_path}/../certs/cert.p12" \ - -pass passme \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "sha256sum" "osslsigncode" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - -exit 0 diff --git a/tests/recipes/06_test_sha256sum b/tests/recipes/06_test_sha256sum deleted file mode 100644 index d2b88a8..0000000 --- a/tests/recipes/06_test_sha256sum +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/bin/sh -# Checking SHA256 message digests for 01x-05x tests - -. $(dirname $0)/../test_library -script_path=$(pwd) -result=0 -test_nr=6 - -for file in ${script_path}/../logs/sha256sum/*.* - do - name="${file##*/}" - case $name in - "cat.log") filetype=CAT; format_nr=1 ;; - "msi.log") filetype=MSI; format_nr=2 ;; - "ex_.log") filetype=CAB; format_nr=3 ;; - "exe.log") filetype=PE; format_nr=4 ;; - "ps1.log") filetype=TXT; format_nr=5 ;; - esac - - number="$test_nr$format_nr" - test_name="Checking SHA256 message digests for a $filetype file test" - printf "\n%03d. %s\n" "$number" "$test_name" - - if test $(cat "sha256sum/$name" | cut -d' ' -f1 | uniq | wc -l) -ne 1 - then - result=1 - cat "sha256sum/$name" >> "results.log" - printf "Non-unique SHA256 message digests found\n" >> "results.log" - fi - rm -f "sha256sum/$name" - test_result "$result" "$number" "$test_name" - done - -exit 0 diff --git a/tests/recipes/07_sign_timestamp b/tests/recipes/07_sign_timestamp deleted file mode 100644 index 2428bc8..0000000 --- a/tests/recipes/07_sign_timestamp +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/sh -# Sign a file with Authenticode timestamping - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=7 - -if ! grep -q "no libcurl available" "results.log"; then - for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with Authenticode timestamping" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -t http://time.certum.pl/ \ - -t http://timestamp.digicert.com/ \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - else - format_nr=0 - number="$test_nr$format_nr" - test_name="Sign a file with Authenticode timestamping" - printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name" - fi - -exit 0 diff --git a/tests/recipes/08_sign_rfc3161 b/tests/recipes/08_sign_rfc3161 deleted file mode 100644 index d004a02..0000000 --- a/tests/recipes/08_sign_rfc3161 +++ /dev/null 
@@ -1,65 +0,0 @@ -#!/bin/sh -# Sign a file with RFC 3161 timestamping -# An RFC3161 timestamp server provides an essential function in protecting -# data records for the long-term. It provides proof that the data existed -# at a particular moment in time and that it has not changed, even by -# a single binary bit, since it was notarized and time-stamped. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=8 - -if ! grep -q "no libcurl available" "results.log"; then - for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with RFC 3161 timestamping" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -ts http://time.certum.pl/ \ - -ts http://timestamp.digicert.com/ \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - else - format_nr=0 - number="$test_nr$format_nr" - test_name="Sign a file with RFC 3161 timestamping" - printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name" - fi - -exit 0 
diff --git a/tests/recipes/09_sign_page_hashes b/tests/recipes/09_sign_page_hashes deleted file mode 100644 index d99881d..0000000 --- a/tests/recipes/09_sign_page_hashes +++ /dev/null @@ -1,33 +0,0 @@ -#!/bin/sh -# Generate page hashes for a file - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=9 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "exe") filetype=PE; format_nr=4 ;; - *) continue ;; # Warning: -ph option is only valid for PE files - esac - - number="$test_nr$format_nr" - test_name="Generate page hashes for a $filetype file" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 -ph \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - done - -exit 0 diff --git a/tests/recipes/10_sign_blob b/tests/recipes/10_sign_blob deleted file mode 100644 index 6265b38..0000000 --- a/tests/recipes/10_sign_blob +++ /dev/null 
@@ -1,53 +0,0 @@ -#!/bin/sh -# Sign a file with addUnauthenticatedBlob. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=10 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with addUnauthenticatedBlob" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -addUnauthenticatedBlob \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - -exit 0 diff --git a/tests/recipes/11_sign_nest b/tests/recipes/11_sign_nest deleted file mode 100644 index 4b2d94e..0000000 --- a/tests/recipes/11_sign_nest +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/bin/sh -# Sign a file twice with the "nest" flag in the second time -# in order to add the new signature instead of replacing the first one. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=11 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") continue;; # Warning: CAT files do not support nesting - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") continue;; # Warning: TXT files do not support nesting - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with the nest flag" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "notsigned/$name" -out "signed_$number.$ext" - ../../osslsigncode sign -h sha512 \ - -nest \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "signed_$number.$ext" -out "test_$number.$ext" - result=$? - - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - done - -exit 0 diff --git a/tests/recipes/12_sign_readpass_pem b/tests/recipes/12_sign_readpass_pem deleted file mode 100644 index 94f73c1..0000000 --- a/tests/recipes/12_sign_readpass_pem +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/bin/sh -# Sign a file with a PEM key and a password read from password.txt file. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=12 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with a PEM key and a password read from password.txt file" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -addUnauthenticatedBlob \ - -readpass "${script_path}/../certs/password.txt" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - -exit 0 diff --git a/tests/recipes/13_sign_readpass_pkcs12 b/tests/recipes/13_sign_readpass_pkcs12 deleted file mode 100644 index f958cf6..0000000 --- a/tests/recipes/13_sign_readpass_pkcs12 +++ /dev/null 
@@ -1,54 +0,0 @@
-#!/bin/sh
-# Sign a file with the certificate and key stored in a PKCS#12 container
-# and a password read from password.txt file.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=13
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") filetype=CAT; format_nr=1 ;;
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Sign a $filetype$desc file with a PKCS#12 container and the file with a password"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha256 \
- -st "1556668800" \
- -readpass "${script_path}/../certs/password.txt" \
- -pkcs12 "${script_path}/../certs/cert.p12" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/14_sign_descryption b/tests/recipes/14_sign_descryption
deleted file mode 100644
index a5e256f..0000000
--- a/tests/recipes/14_sign_descryption
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/bin/sh
-# Sign a file with a descryption.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=14
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") filetype=CAT; format_nr=1 ;;
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Sign a $filetype$desc file with a descryption"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha256 \
- -st "1556668800" \
- -n "DESCRYPTION_TEXT" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "DESCRYPTION_TEXT" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/15_sign_url b/tests/recipes/15_sign_url
deleted file mode 100644
index 31a2f0f..0000000
--- a/tests/recipes/15_sign_url
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/bin/sh
-# Sign a file with specified URL for expanded description of the signed content
-# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode-signing-of-csps
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=15
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") filetype=CAT; format_nr=1 ;;
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Sign a $filetype$desc file with specified URL"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha256 \
- -st "1556668800" \
- -i "https://www.osslsigncode.com/" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "https://www.osslsigncode.com/" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/16_sign_comm b/tests/recipes/16_sign_comm
deleted file mode 100644
index 4b2d150..0000000
--- a/tests/recipes/16_sign_comm
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/sh
-# Sign a file with Microsoft Commercial Code Signing purpose set for SPC_STATEMENT_TYPE_OBJID
-# object ID numbers (OIDs) "1.3.6.1.4.1.311.2.1.11"
-# changes default Microsoft Individual Code Signing:
-# "0x30, 0x0c, x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15"
-# sets Microsoft Commercial Code Signing:
-# "0x30, 0x0c, x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x16"
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=16
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") filetype=CAT; format_nr=1 ;;
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Sign a $filetype$desc file with the common purpose set"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha256 \
- -st "1556668800" \
- -comm \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "Microsoft Commercial Code Signing" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/17_sign_crosscertfile b/tests/recipes/17_sign_crosscertfile
deleted file mode 100644
index 0476311..0000000
--- a/tests/recipes/17_sign_crosscertfile
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/sh
-# Add an additional certificate to the signature block of the file.
-# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode-signing-of-csps
-# https://docs.microsoft.com/en-us/windows/win32/seccertenroll/about-cross-certification
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=17
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") filetype=CAT; format_nr=1 ;;
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Add an additional certificate to the signature block of a $filetype$desc file"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha256 \
- -st "1556668800" \
- -ac "${script_path}/../certs/crosscert.pem" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "crosscert" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/21_sign_hash_md5 b/tests/recipes/21_sign_hash_md5
deleted file mode 100644
index 8c56c10..0000000
--- a/tests/recipes/21_sign_hash_md5
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh
-# Sign a file with MD5 set of cryptographic hash functions.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=21
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") filetype=CAT; format_nr=1 ;;
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Sign a $filetype$desc file with MD5 set of cryptographic hash functions"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h md5 \
- -st "1556668800" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "MD5" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/22_sign_hash_sha1 b/tests/recipes/22_sign_hash_sha1
deleted file mode 100644
index 7c89f68..0000000
--- a/tests/recipes/22_sign_hash_sha1
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh
-# Sign a file with SHA1 set of cryptographic hash functions.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=22
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") filetype=CAT; format_nr=1 ;;
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Sign a $filetype$desc file with SHA1 set of cryptographic hash functions"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha1 \
- -st "1556668800" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "SHA1" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/23_sign_hash_sha2 b/tests/recipes/23_sign_hash_sha2
deleted file mode 100644
index 1242c7d..0000000
--- a/tests/recipes/23_sign_hash_sha2
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh
-# Signing a file with SHA2 set of cryptographic hash functions.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=23
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") filetype=CAT; format_nr=1 ;;
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Sign a $filetype$desc file with SHA2 set of cryptographic hash functions"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha2 \
- -st "1556668800" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "SHA2" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/24_sign_hash_sha384 b/tests/recipes/24_sign_hash_sha384
deleted file mode 100644
index 38fd7dd..0000000
--- a/tests/recipes/24_sign_hash_sha384
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh
-# Sign a file with SHA384 set of cryptographic hash functions.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=24
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") filetype=CAT; format_nr=1 ;;
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Sign a $filetype$desc file with SHA384 set of cryptographic hash functions"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha384 \
- -st "1556668800" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "SHA384" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/25_sign_hash_sha512 b/tests/recipes/25_sign_hash_sha512
deleted file mode 100644
index b267ca4..0000000
--- a/tests/recipes/25_sign_hash_sha512
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh
-# Sign a file with SHA512 set of cryptographic hash functions.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=25
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") filetype=CAT; format_nr=1 ;;
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Sign a $filetype$desc file with SHA512 set of cryptographic hash functions"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha512 \
- -st "1556668800" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "SHA512" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/26_extract_signature_pem b/tests/recipes/26_extract_signature_pem
deleted file mode 100644
index a47a03b..0000000
--- a/tests/recipes/26_extract_signature_pem
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/sh
-# Extract the signature in the PEM format.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=26
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") continue;; # Unsupported command
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Extract the PEM signature from the $filetype$desc file"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha512 \
- -st "1556668800" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "test_$number.$ext"
- ../../osslsigncode extract-signature \
- -pem \
- -in "test_$number.$ext" -out "sign_$format_nr.pem"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "sha256sum" "SHA512" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/27_extract_signature_der b/tests/recipes/27_extract_signature_der
deleted file mode 100644
index 216429a..0000000
--- a/tests/recipes/27_extract_signature_der
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/bin/sh
-# Extract the signature in the DER format.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=27
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") continue;; # Unsupported command
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Extract the DER signature from the $filetype$desc file"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha512 \
- -st "1556668800" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "test_$number.$ext"
- ../../osslsigncode extract-signature\
- -in "test_$number.$ext" -out "sign_$format_nr.der"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "sha256sum" "SHA512" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/31_attach_signature_der b/tests/recipes/31_attach_signature_der
deleted file mode 100644
index afcad70..0000000
--- a/tests/recipes/31_attach_signature_der
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/sh
-# Attach the DER signature to the file.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=31
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") continue;; # Unsupported command
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Attach the DER signature to the $filetype$desc file"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode attach-signature \
- -sigin "sign_$format_nr.der" \
- -CAfile "${script_path}/../certs/CACert.pem" \
- -CRLfile "${script_path}/../certs/CACertCRL.pem" \
- -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$result" -ne 0; then
- cp "sign_$format_nr.der" "sign_$number.der"
- fi
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "sha256sum" "SHA512" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/32_attach_signature_pem b/tests/recipes/32_attach_signature_pem
deleted file mode 100644
index 7d34603..0000000
--- a/tests/recipes/32_attach_signature_pem
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/sh
-# Attach the PEM signature to the file.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=32
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") continue;; # Unsupported command
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Attach the PEM signature to the $filetype$desc file"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode attach-signature \
- -sigin "sign_$format_nr.pem" \
- -CAfile "${script_path}/../certs/CACert.pem" \
- -CRLfile "${script_path}/../certs/CACertCRL.pem" \
- -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
- -in "notsigned/$name" -out "test_$number.$ext"
- result=$?
-
- if test "$result" -ne 0; then
- cp "sign_$format_nr.der" "sign_$number.der"
- fi
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "sha256sum" "SHA512" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/33_attach_signed b/tests/recipes/33_attach_signed
deleted file mode 100644
index 2e0147e..0000000
--- a/tests/recipes/33_attach_signed
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/sh
-# Attach the signature to the signed file.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=33
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") continue;; # Unsupported command
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Attach the PEM signature to the signed $filetype$desc file"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha256 \
- -st "1556668800" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "signed_$number.$ext"
- ../../osslsigncode attach-signature \
- -sigin "sign_$format_nr.pem" \
- -CAfile "${script_path}/../certs/CACert.pem" \
- -CRLfile "${script_path}/../certs/CACertCRL.pem" \
- -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
- -in "signed_$number.$ext" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "sha256sum" "SHA512" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/34_attach_nest b/tests/recipes/34_attach_nest
deleted file mode 100644
index 87052cb..0000000
--- a/tests/recipes/34_attach_nest
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/sh
-# Attach the signature to the signed file with the "nest" flag in order to
-# attach the new signature instead of replacing the first one.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=34
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") continue;; # Warning: CAT files do not support nesting
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1") continue;; # Warning: TXT files do not support nesting
- esac
-
- number="$test_nr$format_nr"
- test_name="Attach the PEM signature to the signed $filetype$desc file with the nest flag"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha256 \
- -st "1556668800" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "signed_$number.$ext"
- ../../osslsigncode attach-signature \
- -sigin "sign_$format_nr.pem" \
- -nest \
- -CAfile "${script_path}/../certs/CACert.pem" \
- -CRLfile "${script_path}/../certs/CACertCRL.pem" \
- -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
- -in "signed_$number.$ext" -out "test_$number.$ext"
- result=$?
-
- verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "SHA512" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- done
-
-exit 0
diff --git a/tests/recipes/35_remove_signature b/tests/recipes/35_remove_signature
deleted file mode 100644
index 8d8a063..0000000
--- a/tests/recipes/35_remove_signature
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/bin/sh
-# Remove the signature from the file.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-test_nr=35
-
-for file in ${script_path}/../logs/notsigned/*.*
- do
- name="${file##*/}"
- ext="${file##*.}"
- desc=""
- case $ext in
- "cat") continue;; # Unsupported command
- "msi") filetype=MSI; format_nr=2 ;;
- "ex_") filetype=CAB; format_nr=3 ;;
- "exe") filetype=PE; format_nr=4 ;;
- "ps1")
- filetype=TXT
- if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
- format_nr=5
- desc=" UTF-16LE(BOM)"
- elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
- format_nr=6
- desc=" UTF-8(BOM)"
- else
- format_nr=7
- desc=" UTF-8"
- fi ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Remove the signature from the $filetype$desc file"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- ../../osslsigncode sign -h sha256 \
- -st "1556668800" \
- -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
- -in "notsigned/$name" -out "signed_$number.$ext"
- ../../osslsigncode remove-signature \
- -in "signed_$number.$ext" -out "test_$number.$ext"
- result=$?
-
- if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
- printf "%s\n" "Compare file prefix failed"
- test_result "1" "$number" "$test_name"
- else
- verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
- "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
- test_result "$?" "$number" "$test_name"
- fi
- done
-
-exit 0
diff --git a/tests/recipes/36_varia_sha256sum b/tests/recipes/36_varia_sha256sum
deleted file mode 100644
index e24988d..0000000
--- a/tests/recipes/36_varia_sha256sum
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-# Checking SHA256 message digests for "extract" and "attach" tests.
-
-. $(dirname $0)/../test_library
-script_path=$(pwd)
-result=0
-test_nr=36
-
-for file in ${script_path}/../logs/sha256sum/*.*
- do
- name="${file##*/}"
- case $name in
- "cat.log") filetype=CAT; format_nr=1 ;;
- "msi.log") filetype=MSI; format_nr=2 ;;
- "ex_.log") filetype=CAB; format_nr=3 ;;
- "exe.log") filetype=PE; format_nr=4 ;;
- "ps1.log") filetype=TXT; format_nr=5 ;;
- esac
-
- number="$test_nr$format_nr"
- test_name="Checking SHA256 message digests for a $filetype file test"
- printf "\n%03d. %s\n" "$number" "$test_name"
-
- if test $(cat "sha256sum/$name" | cut -d' ' -f1 | uniq | wc -l) -ne 1
- then
- result=1
- cat "sha256sum/$name" >> "results.log"
- printf "Non-unique SHA256 message digests found\n" >> "results.log"
- fi
- rm -f "sha256sum/$name"
- test_result "$result" "$number" "$test_name"
- done
-
-exit 0
diff --git a/tests/recipes/37_add_signature_timestamp b/tests/recipes/37_add_signature_timestamp
deleted file mode 100644
index 06c392b..0000000
--- a/tests/recipes/37_add_signature_timestamp
+++ /dev/null
@@ -1,64 +0,0 @@ -#!/bin/sh -# Add an authenticode timestamp to the signed file. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=37 - -if ! grep -q "no libcurl available" "results.log"; then - for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Add an authenticode timestamp to the $filetype$desc signed file" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "notsigned/$name" -out "signed_$number.$ext" - ../../osslsigncode add \ - -t http://time.certum.pl/ \ - -t http://timestamp.digicert.com/ \ - -verbose \ - -in "signed_$number.$ext" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "Timestamp Server Signature" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - else - format_nr=0 - number="$test_nr$format_nr" - test_name="Add an authenticode timestamp to the signed file" - printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name" - fi - -exit 0 diff --git a/tests/recipes/38_add_signature_rfc3161 b/tests/recipes/38_add_signature_rfc3161 deleted file mode 100644 index 1cdbb55..0000000 
--- a/tests/recipes/38_add_signature_rfc3161 +++ /dev/null @@ -1,64 +0,0 @@ -#!/bin/sh -# Add a RFC 3161 timestamp to the signed file. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=38 - -if ! grep -q "no libcurl available" "results.log"; then - for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Add a RFC 3161 timestamp to the $filetype$desc signed file" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "notsigned/$name" -out "signed_$number.$ext" - ../../osslsigncode add \ - -ts http://time.certum.pl/ \ - -ts http://timestamp.digicert.com/ \ - -verbose \ - -in "signed_$number.$ext" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "Timestamp Server Signature" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - else - format_nr=0 - number="$test_nr$format_nr" - test_name="Add a RFC 3161 timestamp to the signed file" - printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name" - fi - -exit 0 
diff --git a/tests/recipes/39_add_signature_blob b/tests/recipes/39_add_signature_blob deleted file mode 100644 index d8e1fed..0000000 --- a/tests/recipes/39_add_signature_blob +++ /dev/null @@ -1,55 +0,0 @@ -#!/bin/sh -# Add an unauthenticated blob to the signed file. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=39 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Add an unauthenticated blob to the $filetype$desc signed file" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "notsigned/$name" -out "signed_$number.$ext" - ../../osslsigncode add \ - -addUnauthenticatedBlob \ - -in "signed_$number.$ext" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "Unauthenticated Data Blob" "MODIFY" - test_result "$?" "$number" "$test_name" - fi - done - -exit 0 diff --git a/tests/recipes/40_verify_leaf_hash b/tests/recipes/40_verify_leaf_hash deleted file mode 100644 index b3e9dda..0000000 --- a/tests/recipes/40_verify_leaf_hash +++ /dev/null 
@@ -1,51 +0,0 @@ -#!/bin/sh -# Compare the leaf certificate hash against specified SHA256 message digest for the file - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=40 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Compare the leaf hash against SHA256 message digest for the $filetype$desc file" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_leaf_hash "$result" "$number" "$ext" "@2019-05-01 00:00:00" - test_result "$?" "$number" "$test_name" - fi - done - -exit 0 diff --git a/tests/recipes/41_sign_add_msi_dse b/tests/recipes/41_sign_add_msi_dse deleted file mode 100644 index 5b7be24..0000000 --- a/tests/recipes/41_sign_add_msi_dse +++ /dev/null 
@@ -1,41 +0,0 @@ -#!/bin/sh -# Sign a MSI file with the add-msi-dse option. -# MsiDigitalSignatureEx (msi-dse) is an enhanced signature type that can be used -# when signing MSI files. In addition to file content, it also hashes some file metadata, -# specifically file names, file sizes, creation times and modification times. -# https://www.unboundtech.com/docs/UKC/UKC_Code_Signing_IG/HTML/Content/Products/UKC-EKM/UKC_Code_Signing_IG/Sign_Windows_PE_and_msi_Files.htm - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=41 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") continue;; # Warning: -add-msi-dse option is only valid for MSI files - "msi") filetype=MSI; format_nr=2 ;; - "ex_") continue;; # Warning: -add-msi-dse option is only valid for MSI files - "exe") continue;; # Warning: -add-msi-dse option is only valid for MSI files - "ps1") continue;; # Warning: -add-msi-dse option is only valid for MSI files - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with the add-msi-dse option" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -add-msi-dse \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "MsiDigitalSignatureEx" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - done - -exit 0 diff --git a/tests/recipes/42_sign_jp_low b/tests/recipes/42_sign_jp_low deleted file mode 100644 index 12f7192..0000000 --- a/tests/recipes/42_sign_jp_low +++ /dev/null 
@@ -1,38 +0,0 @@ -#!/bin/sh -# Sign a CAB file with "low" level of permissions in Microsoft Internet Explorer 4.x for CAB files -# https://support.microsoft.com/en-us/help/193877 - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=42 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") continue;; # Warning: -jp option is only valid for CAB files - "msi") continue;; # Warning: -jp option is only valid for CAB files - "ex_") filetype=CAB; format_nr=3 ;; - "exe") continue;; # Warning: -jp option is only valid for CAB files - "ps1") continue;; # Warning: -jp option is only valid for CAB files - esac - - number="$test_nr$format_nr" - test_name="Sign a $filetype$desc file with the jp low option" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -jp low \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "Low level of permissions" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - done - -exit 0 diff --git a/tests/recipes/45_verify_fake_pe b/tests/recipes/45_verify_fake_pe deleted file mode 100644 index 3c329c8..0000000 --- a/tests/recipes/45_verify_fake_pe +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/sh -# Verify changed file after signing. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=45 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") continue;; # Test is not supported for non-PE files - "msi") continue;; # Test is not supported for non-PE files - "ex_") continue;; # Test is not supported for non-PE files - "exe") filetype=PE; format_nr=4 ;; - "ps1") continue;; # Test is not supported for non-PE files - esac - - number="$test_nr$format_nr" - test_name="Verify changed $filetype$desc file after signing" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "Hello world!" "MODIFY" - test_result "$?" "$number" "$test_name" - done - -exit 0 diff --git a/tests/recipes/46_verify_timestamp b/tests/recipes/46_verify_timestamp deleted file mode 100644 index 0279b30..0000000 --- a/tests/recipes/46_verify_timestamp +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/bin/sh -# Verify changed file after signing with Authenticode timestamping. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=46 - -if ! grep -q "no libcurl available" "results.log"; then - for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") continue;; # Test is not supported for non-PE files - "msi") continue;; # Test is not supported for non-PE files - "ex_") continue;; # Test is not supported for non-PE files - "exe") filetype=PE; format_nr=4 ;; - "ps1") continue;; # Test is not supported for non-PE files - esac - - number="$test_nr$format_nr" - test_name="Verify changed $filetype$desc file after signing with Authenticode timestamping" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -t http://time.certum.pl/ \ - -t http://timestamp.digicert.com/ \ - -verbose \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "Hello world!" "MODIFY" - test_result "$?" "$number" "$test_name" - done - else - format_nr=0 - number="$test_nr$format_nr" - test_name="Verify changed file after signing with Authenticode timestamping" - printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name" - fi - -exit 0 diff --git a/tests/recipes/47_verify_rfc3161 b/tests/recipes/47_verify_rfc3161 deleted file mode 100755 index fb4daa9..0000000 --- a/tests/recipes/47_verify_rfc3161 +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/bin/sh -# Verify changed file after signing with RFC 3161 timestamping. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=47 - -if ! grep -q "no libcurl available" "results.log"; then - for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") continue;; # Test is not supported for non-PE files - "msi") continue;; # Test is not supported for non-PE files - "ex_") continue;; # Test is not supported for non-PE files - "exe") filetype=PE; format_nr=4 ;; - "ps1") continue;; # Test is not supported for non-PE files - esac - - number="$test_nr$format_nr" - test_name="Verify changed $filetype$desc file after signing with RFC 3161 timestamping" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -ts http://time.certum.pl/ \ - -ts http://timestamp.digicert.com/ \ - -verbose \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "Hello world!" "MODIFY" - test_result "$?" "$number" "$test_name" - done - else - format_nr=0 - number="$test_nr$format_nr" - test_name="Verify changed file after signing with RFC 3161 timestamping" - printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name" - fi - -exit 0 diff --git a/tests/recipes/51_verify_time b/tests/recipes/51_verify_time deleted file mode 100644 index 8d17ce6..0000000 --- a/tests/recipes/51_verify_time +++ /dev/null 
@@ -1,52 +0,0 @@ -#!/bin/sh -# Verify a file signed after the cert has been expired. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=51 - -for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Verify $filetype$desc file signed after the cert has been expired" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "fail" "@2025-01-01 12:00:00" \ - "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - -exit 0 diff --git a/tests/recipes/52_verify_timestamp b/tests/recipes/52_verify_timestamp deleted file mode 100644 index f8ecc57..0000000 --- a/tests/recipes/52_verify_timestamp +++ /dev/null 
@@ -1,62 +0,0 @@ -#!/bin/sh -# Verify a file signed with Authenticode timestamping after the cert has been expired. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=52 - -if ! grep -q "no libcurl available" "results.log"; then - for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Verify a $filetype$desc file signed with Authenticode after the cert has been expired" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -t http://time.certum.pl/ \ - -t http://timestamp.digicert.com/ \ - -verbose \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2025-01-01 12:00:00" \ - "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - else - format_nr=0 - number="$test_nr$format_nr" - test_name="Verify a file signed with Authenticode after the cert has been expired" - printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name" - fi - -exit 0 diff --git a/tests/recipes/53_verify_rfc3161 b/tests/recipes/53_verify_rfc3161 deleted file mode 100644 index 1a75992..0000000 
--- a/tests/recipes/53_verify_rfc3161 +++ /dev/null @@ -1,62 +0,0 @@ -#!/bin/sh -# Verify a file signed with RFC3161 timestamping after the cert has been expired. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=53 - -if ! grep -q "no libcurl available" "results.log"; then - for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Verify a $filetype$desc file signed with RFC3161 after the cert has been expired" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -ts http://time.certum.pl/ \ - -ts http://timestamp.digicert.com/ \ - -verbose \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "success" "@2025-01-01 12:00:00" \ - "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - else - format_nr=0 - number="$test_nr$format_nr" - test_name="Verify a file signed with RFC3161 after the cert has been expired" - printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name" - fi - -exit 0 
diff --git a/tests/recipes/54_verify_expired b/tests/recipes/54_verify_expired deleted file mode 100644 index 1d315ae..0000000 --- a/tests/recipes/54_verify_expired +++ /dev/null @@ -1,62 +0,0 @@ -#!/bin/sh -# Verify a file signed with the expired cert. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=54 - -if ! grep -q "no libcurl available" "results.log"; then - for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Verify a $filetype$desc file signed with the expired cert" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \ - -ts http://time.certum.pl/ \ - -ts http://timestamp.digicert.com/ \ - -verbose \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "fail" "@2025-01-01 12:00:00" \ - "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - else - format_nr=0 - number="$test_nr$format_nr" - test_name="Verify a file signed with the expired cert" - printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name" - fi - -exit 0 
diff --git a/tests/recipes/55_verify_revoked b/tests/recipes/55_verify_revoked deleted file mode 100644 index 526af24..0000000 --- a/tests/recipes/55_verify_revoked +++ /dev/null @@ -1,62 +0,0 @@ -#!/bin/sh -# Verify a file signed with the revoked cert. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=55 - -if ! grep -q "no libcurl available" "results.log"; then - for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") filetype=CAT; format_nr=1 ;; - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") - filetype=TXT - if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then - format_nr=5 - desc=" UTF-16LE(BOM)" - elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then - format_nr=6 - desc=" UTF-8(BOM)" - else - format_nr=7 - desc=" UTF-8" - fi ;; - esac - - number="$test_nr$format_nr" - test_name="Verify a $filetype$desc file signed with the revoked cert" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \ - -ts http://time.certum.pl/ \ - -ts http://timestamp.digicert.com/ \ - -verbose \ - -in "notsigned/$name" -out "test_$number.$ext" - result=$? - - if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then - printf "%s\n" "Compare file prefix failed" - test_result "1" "$number" "$test_name" - else - verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - fi - done - else - format_nr=0 - number="$test_nr$format_nr" - test_name="Verify a file signed with the revoked cert" - printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name" - fi - -exit 0 
diff --git a/tests/recipes/56_verify_multiple b/tests/recipes/56_verify_multiple
deleted file mode 100644
index 745b947..0000000
--- a/tests/recipes/56_verify_multiple
+++ /dev/null
@@ -1,60 +0,0 @@ -#!/bin/sh -# Verify a file signed with the multiple signature. - -. $(dirname $0)/../test_library -script_path=$(pwd) -test_nr=56 - -if ! grep -q "no libcurl available" "results.log"; then - for file in ${script_path}/../logs/notsigned/*.* - do - name="${file##*/}" - ext="${file##*.}" - desc="" - case $ext in - "cat") continue;; # Warning: CAT files do not support nesting - "msi") filetype=MSI; format_nr=2 ;; - "ex_") filetype=CAB; format_nr=3 ;; - "exe") filetype=PE; format_nr=4 ;; - "ps1") continue;; # Warning: TXT files do not support nesting - esac - - number="$test_nr$format_nr" - test_name="Verify a $filetype$desc file signed with the multiple signature" - printf "\n%03d. %s\n" "$number" "$test_name" - - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \ - -verbose \ - -in "notsigned/$name" -out "signed1_$number.$ext" - ../../osslsigncode sign -h sha384 \ - -st "1556668800" \ - -nest \ - -certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \ - -t http://time.certum.pl/ \ - -t http://timestamp.digicert.com/ \ - -verbose \ - -in "signed1_$number.$ext" -out "signed2_$number.$ext" - ../../osslsigncode sign -h sha256 \ - -st "1556668800" \ - -nest \ - -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ - -ts http://time.certum.pl/ \ - -ts http://timestamp.digicert.com/ \ - -verbose \ - -in "signed2_$number.$ext" -out "test_$number.$ext" - result=$? - - verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \ - "UNUSED_PATTERN" "SHA384" "UNUSED_PATTERN" - test_result "$?" "$number" "$test_name" - done - else - format_nr=0 - number="$test_nr$format_nr" - test_name="Verify a file signed with the multiple signature" - printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name" - fi - -exit 0 
diff --git a/tests/test_library b/tests/test_library
deleted file mode 100755
index 70069d4..0000000
--- a/tests/test_library
+++ /dev/null
@@ -1,174 +0,0 @@ -# this file is a library sourced from recipes/* - -result_path=$(pwd) -cd $(dirname "$0")/../ -script_path=$(pwd) -cd "${result_path}" - -test_result() { -#1 last exit status -#2 test number -#3 test name - - local result=0 - - if test "$1" -eq 0 - then - printf "%s\n" "Test succeeded" - else - printf "%s\n" "Test failed" - printf "%03d. %-90s\t%s\n" "$2" "$3" "failed" 1>&3 - result=1 - fi - return "$result" -} - -modify_blob() { -# $1 test number -# $2 filename extension -# $3 text searched in a binary file - - local result=0 - - initial_blob=$(echo -n "$3" | xxd -p) - modified_blob=$(echo -n "FAKE" | xxd -p) - zero_blob="00000000" - - xxd -p -c 1000 "test_$1.$2" | \ - sed "s/$initial_blob$zero_blob/$initial_blob$modified_blob/" | \ - xxd -p -r > "changed_$1.$2" - - ../../osslsigncode verify -verbose \ - -CAfile "${script_path}/../certs/CACert.pem" \ - -CRLfile "${script_path}/../certs/CACertCRL.pem" \ - -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \ - -in "changed_$1.$2" 2>> "verify.log" 1>&2 - result=$? - - if test "$result" -ne 0 \ - -o $(grep -e "Calculated DigitalSignature" -e "Calculated message digest" "verify.log" | uniq | wc -l) -gt 1 - then - printf "Failed: verify error or non-unique message digests found\n" 2>> "verify.log" 1>&2 - result=1 - else - rm -f "changed_$1.$2" - fi - - return "$result" -} - -search_pattern() { -# $1 test number -# $2 filename extension -# $3 pattern searched in a binary file or verify.log - - local result=0 - - if ! grep -q "$3" "verify.log" - then - hex_pattern=$(echo -n "$3" | xxd -p) - if ! 
xxd -p -c 1000 "test_$1.$2" | grep "$hex_pattern" 2>> /dev/null 1>&2 - then - result=1 - printf "Failed: $3 not found\n" - fi - fi - return "$result" -} - -verify_signature() { -# $1 sign exit code -# $2 test number -# $3 filename extension -# $4 expected result -# $5 fake time -# $6 sha256sum requirement -# $7 pattern searched in the verify.log file -# $8 modify requirement - - local result=0 - - printf "" > "verify.log" - if test "$1" -eq 0 - then - cp "test_$2.$3" "test_tmp.tmp" - TZ=GMT faketime -f "$5" /bin/bash -c ' - printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log" - script_path=$(pwd) - ../../osslsigncode verify -verbose \ - -CAfile "${script_path}/../certs/CACert.pem" \ - -CRLfile "${script_path}/../certs/CACertCRL.pem" \ - -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \ - -in "test_tmp.tmp" 2>> "verify.log" 1>&2' - result=$? - rm -f "test_tmp.tmp" - - if test "$result" -eq 0 -a "$7" != "UNUSED_PATTERN" - then - search_pattern "$2" "$3" "$7" - result=$? - fi - - if test "$result" -eq 0 -a "$8" = "MODIFY" - then - modify_blob "$2" "$3" "$7" - result=$? 
- fi - - if test "$6" = "sha256sum" - then - sha256sum "test_$2.$3" 2>> "sha256sum/$3.log" 1>&2 - fi - - if test "$4" = "success" -a "$result" -eq 0 - then - rm -f "test_$2.$3" "signed_$2.$3" "signed1_$2.$3" "signed2_$2.$3" - elif test "$4" = "fail" -a "$result" -eq 1 - then - rm -f "test_$2.$3" "signed_$2.$3" "signed1_$2.$3" "signed2_$2.$3" - rm -f "changed_$2.$3" - cat "verify.log" >> "results.log" - result=0 - else - cat "verify.log" >> "results.log" - result=1 - fi - else - result=1 - fi - return "$result" -} - -verify_leaf_hash() { -# $1 sign exit code -# $2 test number -# $3 filename extension -# $4 fake time - - local result=0 - printf "" > "verify.log" - if test "$1" -eq 0 - then - cp "test_$2.$3" "test_tmp.tmp" - TZ=GMT faketime -f "$4" /bin/bash -c ' - printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log" - script_path=$(pwd) - ../../osslsigncode verify -verbose \ - -CAfile "${script_path}/../certs/CACert.pem" \ - -CRLfile "${script_path}/../certs/CACertCRL.pem" \ - -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \ - -require-leaf-hash SHA256:$(sha256sum "${script_path}/../certs/cert.der" | cut -d" " -f1) \ - -in "test_tmp.tmp" 2>> "verify.log" 1>&2' - result=$? - rm -f "test_tmp.tmp" - if test "$result" -eq 0 - then - rm -f "test_$2.$3" - else - cat "verify.log" >> "results.log" - fi - else - result=1 - fi - return "$result" -} diff --git a/tests/testall.sh b/tests/testall.sh deleted file mode 100755 index 1b72674..0000000 --- a/tests/testall.sh +++ /dev/null 
@@ -1,135 +0,0 @@ -#!/bin/sh -# mingw64-gcc, gcab, msitools, libgsf, libgsf-devel -# vim-common, libfaketime packages are required - -result=0 -count=0 -skip=0 -fail=0 - -result_path=$(pwd) -cd $(dirname "$0") -script_path=$(pwd) -result_path="${result_path}/logs" -certs_path="${script_path}/certs" - -make_tests() { - for plik in ${script_path}/recipes/* - do - /bin/sh $plik 3>&1 2>> "results.log" 1>&2 - done - count=$(grep -c "Test succeeded" "results.log") - skip=$(grep -c "Test skipped" "results.log") - fail=$(grep -c "Test failed" "results.log") - printf "%s\n" "testall.sh finished" - printf "%s\n" "summary: success $count, skip $skip, fail $fail" - return $fail -} - -rm -rf "${result_path}" -mkdir "${result_path}" -cd "${result_path}" -mkdir "notsigned" "sha256sum" - -date > "results.log" -../../osslsigncode -v >> "results.log" 2>/dev/null - -cd ${certs_path} -if test -s CACert.pem -a -s crosscert.pem -a -s expired.pem -a -s cert.pem \ - -a -s CACertCRL.pem -a -s revoked.pem -a -s key.pem -a -s keyp.pem \ - -a -s key.der -a -s cert.der -a -s cert.spc -a -s cert.p12 - then - printf "%s\n" "keys & certificates path: ${certs_path}" - else - ./makecerts.sh $1 - result=$? 
- fi -cd "${result_path}" - -if test "$result" -ne 0 - then - exit $result - fi - -# PE files support -if test -n "$(command -v x86_64-w64-mingw32-gcc)" - then - x86_64-w64-mingw32-gcc "../sources/myapp.c" -o "notsigned/test.exe" 2>> "results.log" 1>&2 - else - printf "%s\n" "x86_64-w64-mingw32-gcc not found in \$PATH" - printf "%s\n" "tests for PE files skipped, please install mingw64-gcc package" - fi - -# CAB files support -if test -n "$(command -v gcab)" - then - gcab -c "notsigned/test.ex_" "../sources/a" "../sources/b" "../sources/c" 2>> "results.log" 1>&2 - else - printf "%s\n" "gcab not found in \$PATH" - printf "%s\n" "tests for CAB files skipped, please install gcab package" - fi - -# MSI files support -if grep -q "no libgsf available" "results.log" - then - printf "%s\n" "signing MSI files requires libgsf/libgsf-devel packages and reconfiguration osslsigncode" - else - if test -n "$(command -v wixl)" - then - touch FoobarAppl10.exe - cp "../sources/sample.wxs" "notsigned/sample.wxs" 2>> "results.log" 1>&2 - wixl -v "notsigned/sample.wxs" 2>> "results.log" 1>&2 - rm -f "notsigned/sample.wxs" - rm -f "FoobarAppl10.exe" - else - printf "%s\n" "wixl not found in \$PATH" - printf "%s\n" "tests for MSI files skipped, please install wixl or msitools package depending on your OS" - fi - fi - -# CAT files support -if test -s "../sources/good.cat" - then - cp "../sources/good.cat" "notsigned/good.cat" - fi - -# TXT files support -if test -s "../sources/utf8.ps1" - then - cp "../sources/utf8.ps1" "notsigned/utf8.ps1" - fi -if test -s "../sources/utf8bom.ps1" - then - cp "../sources/utf8bom.ps1" "notsigned/utf8bom.ps1" - fi -if test -s "../sources/utf16le.ps1" - then - cp "../sources/utf16le.ps1" "notsigned/utf16le.ps1" - fi - -# Timestamping support -if grep -q "no libcurl available" "results.log" - then - printf "%s\n" "configure --with-curl is required for timestamping support" - fi - -# Tests requirements -if test -n "$(command -v faketime)" - then - if test -n 
"$(command -v xxd)" - then - make_tests - result=$? - rm -r -f "notsigned/" "sha256sum/" - rm -f sign_[1-9].pem sign_[1-9].der - rm -f "verify.log" - else - printf "%s\n" "xxd not found in \$PATH" - printf "%s\n" "tests skipped, please install vim-common package" - fi - else - printf "%s\n" "faketime not found in \$PATH" - printf "%s\n" "tests skipped, please install faketime package" - fi - -exit $result diff --git a/tests/testsign.sh b/tests/testsign.sh deleted file mode 100755 index 21b34f1..0000000 --- a/tests/testsign.sh +++ /dev/null 
@@ -1,90 +0,0 @@ -#!/bin/sh - -if [ -z "$(command -v keytool)" ]; then - printf "%s\n" "keytool was not found in the \$PATH" - printf "%s\n" "Please install the default-jre-headless package" - exit 1 -fi - -rm -f putty*.exe - -PUTTY_URL="http://the.earth.li/~sgtatham/putty/0.64/x86/putty.exe" -[ -f putty.exe ] || wget -q -O putty.exe $PUTTY_URL -[ -f putty.exe ] || curl -o putty.exe $PUTTY_URL - -if [ ! -f putty.exe ]; then - echo "FAIL: Couldn't download putty.exe" - exit 1 -fi - -rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem - -keytool -genkey \ - -alias selfsigned \ - -keysize 2048 \ - -keyalg RSA \ - -keypass passme \ - -storepass passme \ - -keystore key.ks << EOF -John Doe -ACME In -ACME -Springfield -LaLaLand -SE -yes -EOF - -echo "Converting key/cert to PKCS12 container" -keytool -importkeystore \ - -srckeystore key.ks \ - -srcstoretype JKS \ - -srckeypass passme \ - -srcstorepass passme \ - -srcalias selfsigned \ - -destkeystore key.p12 \ - -deststoretype PKCS12 \ - -destkeypass passme \ - -deststorepass passme - -rm -f key.ks - -echo "Converting key to PEM format" -openssl pkcs12 -in key.p12 -passin pass:passme -nocerts -nodes -out key.pem -echo "Converting key to PEM format (with password)" -openssl rsa -in key.pem -out keyp.pem -passout pass:passme -echo "Converting key to DER format" -openssl rsa -in key.pem -outform DER -out key.der -passout pass:passme -echo "Converting key to PVK format" -openssl rsa -in key.pem -outform PVK -pvk-strong -out key.pvk -passout pass:passme - -echo "Converting cert to PEM format" -openssl pkcs12 -in key.p12 -passin pass:passme -nokeys -out cert.pem -echo "Converting cert to SPC format" -openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc - -make -C .. 
-../osslsigncode sign -spc cert.spc -key key.pem putty.exe putty1.exe -../osslsigncode sign -certs cert.spc -key keyp.pem -pass passme putty.exe putty2.exe -../osslsigncode sign -certs cert.pem -key keyp.pem -pass passme putty.exe putty3.exe -../osslsigncode sign -certs cert.spc -key key.der putty.exe putty4.exe -../osslsigncode sign -pkcs12 key.p12 -pass passme putty.exe putty5.exe -../osslsigncode sign -certs cert.spc -key key.pvk -pass passme putty.exe putty6.exe - -rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem - -echo - -check=`sha1sum putty[1-9]*.exe | cut -d' ' -f1 | uniq | wc -l` -cmp putty1.exe putty2.exe && \ - cmp putty2.exe putty3.exe && \ - cmp putty3.exe putty4.exe && \ - cmp putty4.exe putty5.exe && \ - cmp putty5.exe putty6.exe -if [ $? -ne 0 ]; then - echo "Failure is not an option." - exit 1 -else - echo "Yes, it works." -fi - diff --git a/tests/tsa_server.py b/tests/tsa_server.py new file mode 100644 index 0000000..20fd326 --- /dev/null +++ b/tests/tsa_server.py 
@@ -0,0 +1,140 @@
+"""Implementation of a Time Stamping Authority HTTP server"""
+
+import argparse
+import contextlib
+import os
+import pathlib
+import subprocess
+import sys
+import threading
+from http.server import BaseHTTPRequestHandler, HTTPServer
+
+RESULT_PATH = os.getcwd()
+FILES_PATH = os.path.join(RESULT_PATH, "./Testing/files/")
+CERTS_PATH = os.path.join(RESULT_PATH, "./Testing/certs/")
+DEFAULT_PATH = os.path.join(RESULT_PATH, "./osslsigncode")
+DEFAULT_IN = os.path.join(FILES_PATH, "./unsigned.exe")
+DEFAULT_OUT = os.path.join(FILES_PATH, "./ts.exe")
+DEFAULT_CERT = os.path.join(CERTS_PATH, "./cert.pem")
+DEFAULT_KEY = os.path.join(CERTS_PATH, "./key.pem")
+DEFAULT_CROSSCERT = os.path.join(CERTS_PATH, "./crosscert.pem")
+OPENSSL_CONF = os.path.join(CERTS_PATH, "./openssl_tsa.cnf")
+REQUEST = os.path.join(FILES_PATH, "./jreq.tsq")
+RESPONS = os.path.join(FILES_PATH, "./jresp.tsr")
+
+DEFAULT_OPENSSL = ["openssl", "ts",
+ "-reply", "-config", OPENSSL_CONF,
+ "-passin", "pass:passme",
+ "-queryfile", REQUEST,
+ "-out", RESPONS]
+
+
+class RequestHandler(BaseHTTPRequestHandler):
+ """Handle the HTTP POST request that arrive at the server"""
+
+ def do_POST(self):
+ """"Serves the POST request type"""
+ try:
+ content_length = int(self.headers['Content-Length'])
+ post_data = self.rfile.read(content_length)
+ with open(REQUEST, mode="wb") as file:
+ file.write(post_data)
+ openssl = subprocess.run(DEFAULT_OPENSSL, check=True, text=True)
+ openssl.check_returncode()
+ self.send_response(200)
+ self.send_header("Content-type", "application/timestamp-reply")
+ self.end_headers()
+ resp_data = None
+ with open(RESPONS, mode="rb") as file:
+ resp_data = file.read()
+ self.wfile.write(resp_data)
+ except Exception as err: # pylint: disable=broad-except
+ print(f"HTTP POST request error: {err}")
+
+
+class HttpServerThread():
+ """TSA server thread handler"""
+
+ def __init__(self):
+ self.server = None
+ self.server_thread = None
+
+ def start_server(self) ->
(str, int):
+ """Starting TSA server on localhost and a first available port"""
+ self.server = HTTPServer(("127.0.0.1", 0), RequestHandler)
+ self.server_thread = threading.Thread(target=self.server.serve_forever)
+ self.server_thread.start()
+ hostname, port = self.server.server_address[:2]
+ print(f"Timestamp server started, URL: http://{hostname}:{port}")
+ return hostname, port
+
+ def shut_down(self):
+ """Shutting down the server"""
+ if self.server:
+ self.server.shutdown()
+ self.server_thread.join()
+ print("Server is down")
+
+
+def parse_args() -> str:
+ """Parse the command-line arguments."""
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ "--input",
+ type=pathlib.Path,
+ default=DEFAULT_IN,
+ help="input file"
+ )
+ parser.add_argument(
+ "--output",
+ type=pathlib.Path,
+ default=DEFAULT_OUT,
+ help="output file"
+ )
+ parser.add_argument(
+ "--certs",
+ type=pathlib.Path,
+ default=DEFAULT_CERT,
+ help="signing certificate"
+ )
+ parser.add_argument(
+ "--key",
+ type=pathlib.Path,
+ default=DEFAULT_KEY,
+ help="private key"
+ )
+ parser.add_argument(
+ "--crosscert",
+ type=pathlib.Path,
+ default=DEFAULT_CROSSCERT,
+ help="additional certificates"
+ )
+ args = parser.parse_args()
+ program = [DEFAULT_PATH, "sign", "-in", args.input, "-out", args.output,
+ "-certs", args.certs, "-key", args.key,
+ "-addUnauthenticatedBlob", "-add-msi-dse", "-comm", "-ph", "-jp", "low",
+ "-h", "sha384", "-st", "1556668800", "-i", "https://www.osslsigncode.com/",
+ "-n", "osslsigncode", "-ac", args.crosscert, "-ts"]
+ return program
+
+def main() -> None:
+ """Main program"""
+ ret = 0
+ program = parse_args()
+ server = HttpServerThread()
+ hostname, port = server.start_server()
+ program.append(f"{hostname}:{port}")
+ try:
+ osslsigncode = subprocess.run(program, check=True, text=True)
+ osslsigncode.check_returncode()
+ except subprocess.CalledProcessError as err:
+ ret = err.returncode
+ except Exception as err: # pylint: disable=broad-except
+
print(f"osslsigncode error: {err}")
+ finally:
+ server.shut_down()
+ sys.exit(ret)
+
+
+if __name__ == '__main__':
+ main()
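Review bot: The broad `except Exception` branch in `main()` only prints the error and leaves `ret` at 0, so when osslsigncode cannot be launched at all (for example `FileNotFoundError` because `DEFAULT_PATH` does not exist in the working directory) the script still calls `sys.exit(0)` and the CTest run reports success; set `ret = 1` in that branch so an unexpected failure is not masked. The same pattern in `RequestHandler.do_POST` swallows errors without ever writing a response, so the client sees an empty timestamp reply rather than an HTTP error; a `self.send_error(500)` in the except branch (guarded so it is not attempted after `send_response` has already been called) would make the failure visible on the osslsigncode side as well. Minor: `openssl.check_returncode()` and `osslsigncode.check_returncode()` are redundant after `subprocess.run(..., check=True)`, which already raises `CalledProcessError`, and `contextlib` appears to be imported but unused in this file.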