nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-04 08:50:12 -05:00
Code Issues Projects Releases Wiki Activity

use CMake instead of Makefile

Browse Source
This commit is contained in:
olszomal 2022-04-12 12:42:02 +02:00 committed by Michał Trojnara
parent b96717506c
commit 60fe5d15fe
76 changed files with 1036 additions and 3026 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
.gitignore vendored
View File

@ -1,24 +1,20 @@
.deps build/
Makefile CMakeFiles/
Makefile.in _CPack_Packages/
aclocal.m4 Testing/
autom4te.cache/
compile CMakeCache.txt
cmake_install.cmake
config.h config.h
config.h.in CPackConfig.cmake
config.h.in~ CPackSourceConfig.cmake
config.log CTestTestfile.cmake
config.status install_manifest.txt
configure Makefile
depcomp
install-sh
missing missing
osslsigncode osslsigncode
osslsigncode.o osslsigncode.exe
msi.o
stamp-h1 stamp-h1
INSTALL
COPYING
.#*# .#*#
.*.bak .*.bak
@ -26,25 +22,21 @@ COPYING
.*.rej .*.rej
.*~ .*~
#*# #*#
*.asc
*.bak *.bak
*.bz2
*.d *.d
*.def *.def
*.dll *.dll
*.exe *.gz
*.key
*.la *.la
*.lib *.lib
*.lo *.lo
*.orig *.orig
*.pc
*.pdb *.pdb
*.rej *.rej
*.u *.u
*.rc *.rc
*.pc
*~ *~
*.gz
*.bz2
*.asc
**/*.log
!myapp.exe
*.pem

50
CMakeLists.txt Normal file
View File

@ -0,0 +1,50 @@
# required cmake version
cmake_minimum_required(VERSION 3.6)
# set the project name and version
project(osslsigncode VERSION 2.4)
set(DEV "-dev")
set(PROJECT_VERSION "${PROJECT_VERSION_MAJOR}.${PROJECT_VERSION_MINOR}${DEV}")
set(PACKAGE_STRING "${PROJECT_NAME} ${PROJECT_VERSION}")
set(PACKAGE_BUGREPORT "Michal.Trojnara@stunnel.org")
# specify the C++ standard
set(CMAKE_C_STANDARD 11)
set(CMAKE_C_STANDARD_REQUIRED ON)
# make find modules in cmake dir available
set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake")
# load CMake project modules
include(SetOptions)
include(FindOpenssl)
include(FindCurl)
include(FindMapping)
# use config.h
target_compile_definitions(osslsigncode PRIVATE HAVE_CONFIG_H=1)
configure_file(Config.h.in config.h)
# add include directories to osslsigncode
target_include_directories(osslsigncode PUBLIC "${PROJECT_BINARY_DIR}")
if(MSVC)
# set output directory
set_target_properties(osslsigncode PROPERTIES
RUNTIME_OUTPUT_DIRECTORY_DEBUG ${PROJECT_BINARY_DIR}
RUNTIME_OUTPUT_DIRECTORY_RELEASE ${PROJECT_BINARY_DIR}
)
# copy necessary libraries
file(COPY ${OPENSSL_LIBS} ${CURL_LIB} DESTINATION ${PROJECT_BINARY_DIR})
else()
# set LD_LIBRARY_PATH
set_target_properties(osslsigncode PROPERTIES
INSTALL_RPATH_USE_LINK_PATH TRUE
)
endif()
include(CMakeTest)
include(CMakeInstall)
if(NOT MSVC)
include(CMakeDist)
endif()

12
Config.h.in Normal file
View File

@ -0,0 +1,12 @@
/* the configured options and settings for osslsigncode */
#define VERSION_MAJOR "@osslsigncode_VERSION_MAJOR@"
#define VERSION_MINOR "@osslsigncode_VERSION_MINOR@"
#cmakedefine PACKAGE_STRING "@PACKAGE_STRING@"
#cmakedefine PACKAGE_BUGREPORT "@PACKAGE_BUGREPORT@"
#cmakedefine ENABLE_CURL
#cmakedefine HAVE_TERMIOS_H
#cmakedefine HAVE_GETPASS
#cmakedefine HAVE_SYS_MMAN_H
#cmakedefine HAVE_MMAP
#cmakedefine HAVE_MAPVIEWOFFILE
#cmakedefine _WIN32

50
INSTALL.W32.md
View File

@ -93,3 +93,53 @@
OpenSSL 1.1.1k 25 Mar 2021 (Library: OpenSSL 1.1.1k 25 Mar 2021) OpenSSL 1.1.1k 25 Mar 2021 (Library: OpenSSL 1.1.1k 25 Mar 2021)
libcurl/7.78.0 OpenSSL/1.1.1k libcurl/7.78.0 OpenSSL/1.1.1k
``` ```
### Building OpenSSL, Curl and osslsigncode sources with Microsoft Visual Studio 64-bit:
1) Download and install Strawberry Perl from https://strawberryperl.com/
2) Run "Open Visual Studio 2022 Tools Command Prompt for targeting x64"
3) Build and install OpenSSL.
```
cd openssl-(version)
perl Configure VC-WIN64A --prefix=C:\OpenSSL\vc-win64a --openssldir=C:\OpenSSL\SSL no-asm shared
nmake && nmake install
```
4) Build and install curl.
```
cd curl-(version)\winbuild
nmake /f Makefile.vc mode=dll WITH_PREFIX=C:\curl SSL_PATH=C:\OpenSSL\vc-win64a \
VC=22 MACHINE=x64 DEBUG=no WITH_SSL=dll ENABLE_NGHTTP2=no ENABLE_SSPI=no \
ENABLE_IDN=no GEN_PDB=no ENABLE_WINSSL=no USE_ZLIB=no
```
5) Build 64-bit Windows osslsigncode.
Navigate to the build directory and run CMake to configure the osslsigncode project
and generate a native build system:
```
mkdir build && cd build && cmake ..
```
with specific compile options:
```
-Denable-strict=ON
-Denable-pedantic=ON
-Dwith-curl=OFF
-Dssl-path=C:\OpenSSL\
-Dcurl-path=C:\curl\
```
Then call that build system to actually compile/link the osslsigncode project:
```
cmake --build .
```
6) Make tests.
```
ctest -C Release
```
5) Make install (with administrator privileges).
```
cmake --install . --prefix "C:\osslsigncode"
```

2
LICENSE.txt
View File

@ -1,7 +1,7 @@
OpenSSL based Authenticode signing for PE/MSI/Java CAB files. OpenSSL based Authenticode signing for PE/MSI/Java CAB files.
Copyright (C) 2005-2014 Per Allansson <pallansson@gmail.com> Copyright (C) 2005-2014 Per Allansson <pallansson@gmail.com>
Copyright (C) 2018-2019 Michał Trojnara <Michal.Trojnara@stunnel.org> Copyright (C) 2018-2022 Michał Trojnara <Michal.Trojnara@stunnel.org>
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by

21
Makefile.am
View File

@ -1,21 +0,0 @@
AUTOMAKE_OPTIONS = foreign 1.10
MAINTAINERCLEANFILES = \
config.log config.status \
$(srcdir)/Makefile.in \
$(srcdir)/config.h.in $(srcdir)/config.h.in~ $(srcdir)/configure \
$(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \
$(srcdir)/depcomp $(srcdir)/aclocal.m4 $(srcdir)/ylwrap \
$(srcdir)/config.guess $(srcdir)/config.sub
EXTRA_DIST = .gitignore COPYING.txt LICENSE.txt INSTALL.W32.md NEWS.md README.md TODO.md
AM_CFLAGS = $(OPENSSL_CFLAGS) $(OPTIONAL_LIBCURL_CFLAGS)
bin_PROGRAMS = osslsigncode
osslsigncode_SOURCES = osslsigncode.c msi.c msi.h
osslsigncode_LDADD = $(OPENSSL_LIBS) $(OPTIONAL_LIBCURL_LIBS)
# bash completion script
AM_DISTCHECK_CONFIGURE_FLAGS = --with-bashcompdir='$$(datarootdir)/bash-completion/completions'
bashcompdir = @bashcompdir@
dist_bashcomp_DATA = osslsigncode.bash

1
NEWS.md
View File

@ -12,6 +12,7 @@
- remove "-timestamp-expiration" option - remove "-timestamp-expiration" option
- disable verification of the Timestamp Server signature - disable verification of the Timestamp Server signature
("-ignore-timestamp" option) ("-ignore-timestamp" option)
- use CMake instead of Makefile
### 2.3 (2022.03.06) ### 2.3 (2022.03.06)

56
README.md
View File

@ -29,43 +29,47 @@ supports signature verification, removal and extraction.
This section covers building osslsigncode for [Unix-like](https://en.wikipedia.org/wiki/Unix-like) operating systems. This section covers building osslsigncode for [Unix-like](https://en.wikipedia.org/wiki/Unix-like) operating systems.
See [INSTALL.W32.md](https://github.com/mtrojnar/osslsigncode/blob/master/INSTALL.W32.md) for Windows notes. See [INSTALL.W32.md](https://github.com/mtrojnar/osslsigncode/blob/master/INSTALL.W32.md) for Windows notes.
We highly recommend downloading a [release tarball](https://github.com/mtrojnar/osslsigncode/releases) instead of cloning from a git repository.
### Generate the ./configure script ### Configure, build, make tests and install osslsigncode
This step is only needed if osslsigncode was cloned from a git repository.
We highly recommend downloading a [release tarball](https://github.com/mtrojnar/osslsigncode/releases) instead.
* Install prerequisites on a Debian-based distributions, such as Ubuntu: * Install prerequisites on a Debian-based distributions, such as Ubuntu:
``` ```
sudo apt update && sudo apt install automake pkg-config sudo apt update && sudo apt install cmake libssl-dev libcurl4-openssl-dev
``` ```
* Install prerequisites on macOS with Homebrew:
```
brew install automake pkg-config
```
* Generate the ./configure script:
```
./bootstrap
```
### Configure, build and install osslsigncode
* Install prerequisites on a Debian-based distributions, such as Ubuntu:
```
sudo apt update && sudo apt install build-essential pkg-config libssl-dev libcurl4-openssl-dev
```
* Install prerequisites on macOS with Homebrew: * Install prerequisites on macOS with Homebrew:
``` ```
brew install pkg-config openssl@1.1 brew install pkg-config openssl@1.1
export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig" export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig"
``` ```
* Navigate to the build directory and run CMake to configure the osslsigncode project
* Configure, build and install osslsigncode: and generate a native build system:
``` ```
./configure && make && sudo make install mkdir build && cd build && cmake ..
```
with specific compile options:
```
-Denable-strict=ON
-Denable-pedantic=ON
-Dssl-path=/opt/openssl-3.0.2/
-Dcurl-path=/opt/curl-7.82/
-Dwith-curl=OFF
```
* Then call that build system to actually compile/link the osslsigncode project (alias `make`):
```
cmake --build .
```
* Make test:
```
ctest -C Release
```
* Make install:
```
sudo cmake --install . --prefix "/home/myuser/installdir"
```
* Make tarball (simulate autotools' `make dist`):
```
cmake --build . --target package_source
``` ```
## USAGE ## USAGE

2
bootstrap
View File

@ -1,2 +0,0 @@
#!/bin/sh
autoreconf --verbose --install --force

27
cmake/CMakeDist.cmake Normal file
View File

@ -0,0 +1,27 @@
# make dist
# cmake --build . --target package_source
set(CPACK_PACKAGE_NAME ${PROJECT_NAME})
set(CPACK_PACKAGE_VERSION ${PROJECT_VERSION})
set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "OpenSSL based Authenticode signing for PE, CAB, CAT and MSI files")
set(CPACK_PACKAGE_INSTALL_DIRECTORY ${CPACK_PACKAGE_NAME})
set(CPACK_RESOURCE_FILE_README "${CMAKE_CURRENT_SOURCE_DIR}/README.md")
set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_CURRENT_SOURCE_DIR}/COPYING.txt")
set(CPACK_SOURCE_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")
set(CPACK_SOURCE_GENERATOR "TGZ")
set(CPACK_SOURCE_IGNORE_FILES "\.git/;\.gitignore")
list(APPEND CPACK_SOURCE_IGNORE_FILES "Makefile")
list(APPEND CPACK_SOURCE_IGNORE_FILES "CMakeCache.txt")
list(APPEND CPACK_SOURCE_IGNORE_FILES "CMakeFiles")
list(APPEND CPACK_SOURCE_IGNORE_FILES "CPackConfig.cmake")
list(APPEND CPACK_SOURCE_IGNORE_FILES "CPackSourceConfig.cmake")
list(APPEND CPACK_SOURCE_IGNORE_FILES "CTestTestfile.cmake")
list(APPEND CPACK_SOURCE_IGNORE_FILES "cmake_install.cmake")
list(APPEND CPACK_SOURCE_IGNORE_FILES "config.h")
list(APPEND CPACK_SOURCE_IGNORE_FILES "/CMakeFiles/")
list(APPEND CPACK_SOURCE_IGNORE_FILES "/Testing/")
list(APPEND CPACK_SOURCE_IGNORE_FILES "/_CPack_Packages/")
list(APPEND CPACK_SOURCE_IGNORE_FILES "/build/")
include(CPack)
add_custom_target(dist COMMAND ${CMAKE_MAKE_PROGRAM} package_source)

29
cmake/CMakeInstall.cmake Normal file
View File

@ -0,0 +1,29 @@
# make install
# cmake --install . --prefix "/home/myuser/installdir"
# installation rules for a project
set(BINDIR "${CMAKE_INSTALL_PREFIX}/bin")
install(TARGETS osslsigncode RUNTIME DESTINATION ${BINDIR})
if(MSVC)
install(FILES
"${PROJECT_BINARY_DIR}/libcrypto-3-x64.dll"
"${PROJECT_BINARY_DIR}/libssl-3-x64.dll"
"${PROJECT_BINARY_DIR}/libcurl.dll"
DESTINATION ${BINDIR}
)
endif()
# install bash completion script
if(NOT MSVC)
find_package(bash-completion QUIET)
if(NOT BASH_COMPLETION_COMPLETIONSDIR)
if(BASH_COMPLETION_COMPATDIR)
set(BASH_COMPLETION_COMPLETIONSDIR ${BASH_COMPLETION_COMPATDIR})
else()
set(SHAREDIR "${CMAKE_INSTALL_PREFIX}/share")
set(BASH_COMPLETION_COMPLETIONSDIR "${SHAREDIR}/bash-completion/completions")
endif()
endif()
message(STATUS "Using bash completions dir ${BASH_COMPLETION_COMPLETIONSDIR}")
install(FILES "osslsigncode.bash" DESTINATION ${BASH_COMPLETION_COMPLETIONSDIR})
endif()

278
cmake/CMakeTest.cmake Normal file
View File

@ -0,0 +1,278 @@
# make test
# ctest -C Release
include(FindPython3)
enable_testing()
file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/tests/tsa_server.py"
DESTINATION "${PROJECT_BINARY_DIR}/Testing"
)
file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/tests/files"
"${CMAKE_CURRENT_SOURCE_DIR}/tests/certs"
DESTINATION "${PROJECT_BINARY_DIR}/Testing"
)
set(FILES "${PROJECT_BINARY_DIR}/Testing/files")
set(CERTS "${PROJECT_BINARY_DIR}/Testing/certs")
set(priv_p12 "-pkcs12" "${CERTS}/cert.p12" "-readpass" "${CERTS}/password.txt")
set(priv_spc "-certs" "${CERTS}/cert.spc" "-key" "${CERTS}/key.pvk" "-pass" "passme")
set(priv_der "-certs" "${CERTS}/cert.pem" "-key" "${CERTS}/key.der" "-pass" "passme")
set(priv_pkey "-certs" "${CERTS}/cert.pem" "-key" "${CERTS}/keyp.pem" "-pass" "passme")
set(sign_opt "-time" "1556708400"
"-add-msi-dse" "-comm" "-ph" "-jp" "low"
"-h" "sha512" "-i" "https://www.osslsigncode.com/"
"-n" "osslsigncode" "-ac" "${CERTS}/crosscert.pem"
)
execute_process(
COMMAND "${CERTS}/makecerts.sh"
WORKING_DIRECTORY ${CERTS}
OUTPUT_VARIABLE makecerts
)
message(STATUS "makecerts.sh: ${makecerts}")
execute_process(
COMMAND ${CMAKE_COMMAND} -E sha256sum "${CERTS}/cert.der"
OUTPUT_VARIABLE sha256sum
)
string(SUBSTRING ${sha256sum} 0 64 leafhash)
set(verify_opt "-CAfile" "${CERTS}/CACert.pem"
"-CRLfile" "${CERTS}/CACertCRL.pem"
"-TSA-CAfile" "${CERTS}/TSACA.pem"
)
set(extensions_4 "exe" "ex_" "msi" "cat")
set(extensions_3 "exe" "ex_" "msi")
set(files_4 "signed" "nested" "added")
set(files_3 "removed" "attached_pem" "attached_der")
set(sign_formats "pem" "der")
set(pem_certs "cert" "expired" "revoked")
set(failed_certs "expired" "revoked")
add_test(
NAME version
COMMAND osslsigncode --version
)
foreach(ext ${extensions_4})
# Signing time: May 1 00:00:00 2019 GMT
set(sign_${ext} )
add_test(
NAME signed_${ext}
COMMAND osslsigncode "sign" ${sign_opt} ${priv_p12}
"-in" "${FILES}/unsigned.${ext}" "-out" "${FILES}/signed.${ext}"
)
endforeach()
foreach(ext ${extensions_3})
add_test(
NAME removed_${ext}
COMMAND osslsigncode "remove-signature"
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/removed.${ext}"
)
endforeach()
foreach(ext ${extensions_3})
add_test(
NAME extract_pem_${ext}
COMMAND osslsigncode "extract-signature" "-pem"
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/${ext}.pem"
)
endforeach()
foreach(ext ${extensions_3})
add_test(
NAME extract_der_${ext}
COMMAND osslsigncode "extract-signature"
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/${ext}.der"
)
endforeach()
foreach(ext ${extensions_3})
set_tests_properties(removed_${ext} extract_pem_${ext} extract_der_${ext}
PROPERTIES DEPENDS sign_${ext}
REQUIRED_FILES "${FILES}/signed.${ext}"
)
endforeach()
foreach(ext ${extensions_3})
foreach(format ${sign_formats})
# Signature verification time: Sep 1 00:00:00 2019 GMT
add_test(
NAME attached_${format}_${ext}
COMMAND osslsigncode "attach-signature" ${verify_opt}
"-time" "1567296000"
"-require-leaf-hash" "SHA256:${leafhash}"
"-add-msi-dse" "-h" "sha512" "-nest"
"-sigin" "${FILES}/${ext}.${format}"
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/attached_${format}.${ext}"
)
set_tests_properties(attached_${format}_${ext} PROPERTIES
DEPENDS extract_pem_${ext}
REQUIRED_FILES "${FILES}/signed.${ext}"
REQUIRED_FILES "${FILES}/${ext}.${format}"
)
endforeach()
endforeach()
foreach(ext ${extensions_4})
add_test(
NAME added_${ext}
COMMAND osslsigncode "add"
"-addUnauthenticatedBlob" "-add-msi-dse" "-h" "sha512"
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/added.${ext}"
)
set_tests_properties(added_${ext} PROPERTIES
DEPENDS sign_${ext}
REQUIRED_FILES "${FILES}/signed.${ext}"
)
endforeach()
foreach(ext ${extensions_4})
add_test(
NAME nested_${ext}
COMMAND osslsigncode "sign" "-nest" ${sign_opt} ${priv_der}
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/nested.${ext}"
)
set_tests_properties(nested_${ext} PROPERTIES
DEPENDS sign_${ext}
REQUIRED_FILES "${FILES}/signed.${ext}"
)
endforeach()
foreach(file ${files_4})
foreach(ext ${extensions_4})
# Signature verification time: Sep 1 00:00:00 2019 GMT
add_test(
NAME verify_${file}_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "1567296000"
"-require-leaf-hash" "SHA256:${leafhash}"
"-in" "${FILES}/${file}.${ext}"
)
set_tests_properties(verify_${file}_${ext} PROPERTIES
DEPENDS ${file}_${ext}
REQUIRED_FILES "${FILES}/${file}.${ext}"
)
endforeach()
endforeach()
foreach(file ${files_3})
foreach(ext ${extensions_3})
# Signature verification time: Sep 1 00:00:00 2019 GMT
add_test(
NAME verify_${file}_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "1567296000"
"-require-leaf-hash" "SHA256:${leafhash}"
"-in" "${FILES}/${file}.${ext}"
)
set_tests_properties(verify_${file}_${ext} PROPERTIES
DEPENDS ${file}_${ext}
REQUIRED_FILES "${FILES}/${file}.${ext}"
)
endforeach()
endforeach()
foreach(ext ${extensions_3})
set_tests_properties(verify_removed_${ext} PROPERTIES
WILL_FAIL TRUE
)
endforeach()
if(Python3_FOUND)
foreach(ext ${extensions_4})
foreach(cert ${pem_certs})
add_test(
NAME sign_ts_${cert}_${ext}
COMMAND ${Python3_EXECUTABLE} "${PROJECT_BINARY_DIR}/Testing/tsa_server.py"
"--certs" "${CERTS}/${cert}.pem" "--key" "${CERTS}/key.pem"
"--input" "${FILES}/unsigned.${ext}" "--output" "${FILES}/ts_${cert}.${ext}"
)
endforeach()
endforeach()
foreach(ext ${extensions_4})
# Signature verification time: Sep 1 00:00:00 2019 GMT
add_test(
NAME verify_ts_cert_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "1567296000"
"-in" "${FILES}/ts_cert.${ext}"
)
set_tests_properties(verify_ts_cert_${ext} PROPERTIES
DEPENDS sign_ts_${cert}_${ext}
REQUIRED_FILES "${FILES}/ts_cert.${ext}"
)
endforeach()
# Signature verification time: Jan 1 00:00:00 2035 GMT
foreach(ext ${extensions_4})
add_test(
NAME verify_ts_future_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "2051222400"
"-in" "${FILES}/ts_cert.${ext}"
)
set_tests_properties(verify_ts_future_${ext} PROPERTIES
DEPENDS sign_ts_${cert}_${ext}
REQUIRED_FILES "${FILES}/ts_cert.${ext}"
)
endforeach()
# Signature verification time: Jan 1 00:00:00 2035 GMT
# enabled "-ignore-timestamp" option
foreach(ext ${extensions_4})
add_test(
NAME verify_ts_ignore_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "2051222400"
"-ignore-timestamp"
"-in" "${FILES}/ts_cert.${ext}"
)
set_tests_properties(verify_ts_ignore_${ext} PROPERTIES
DEPENDS sign_ts_${cert}_${ext}
REQUIRED_FILES "${FILES}/ts_cert.${ext}"
WILL_FAIL TRUE
)
endforeach()
# Signature verification time: Sep 1 00:00:00 2019 GMT
# Certificate has expired or revoked
foreach(ext ${extensions_4})
foreach(cert ${failed_certs})
add_test(
NAME verify_ts_${cert}_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "1567296000"
"-in" "${FILES}/ts_${cert}.${ext}"
)
set_tests_properties(verify_ts_${cert}_${ext} PROPERTIES
DEPENDS sign_ts_${cert}_${ext}
REQUIRED_FILES "${FILES}/ts_${cert}.${ext}"
WILL_FAIL TRUE
)
endforeach()
endforeach()
else()
message(STATUS "Python3 was not found, skip timestamping tests")
endif()
foreach(ext ${extensions_4})
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/nested.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/removed.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/added.${ext}")
foreach(cert ${pem_certs})
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/ts_${cert}.${ext}")
endforeach()
foreach(format ${sign_formats})
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/attached_${format}.${ext}")
endforeach()
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jreq.tsq")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jresp.tsr")
endforeach()
add_test(NAME remove_files COMMAND ${CMAKE_COMMAND} -E rm -f ${OUTPUT_FILES})

47
cmake/FindCurl.cmake Normal file
View File

@ -0,0 +1,47 @@
# find the native CURL headers and libraries
if(with-curl)
if(curl-path)
set(CURL_SEARCH_DIR PATHS ${CURL_ROOT} NO_DEFAULT_PATH)
find_path(CURL_INCLUDE_DIRS
NAMES curl/curl.h
PATHS ${CURL_SEARCH_DIR}
PATH_SUFFIXES include
REQUIRED
)
find_library(CURL_LIBRARIES
NAMES libcurl libcurl.so
PATHS ${CURL_SEARCH_DIR}
PATH_SUFFIXES lib
NO_DEFAULT_PATH
REQUIRED
)
mark_as_advanced(
CURL_INCLUDE_DIRS
CURL_LIBRARIES
)
set(CURL_FOUND TRUE)
endif()
if(CURL_FOUND)
target_link_libraries(osslsigncode PRIVATE ${CURL_LIBRARIES})
include_directories(${CURL_INCLUDE_DIRS})
message(STATUS "Link CURL library: ${CURL_LIBRARIES}")
message(STATUS "Include CURL directory: ${CURL_INCLUDE_DIRS}")
set(ENABLE_CURL 1)
else()
MESSAGE(FATAL_ERROR "Could not find the CURL library and development files.")
endif()
if(MSVC)
find_path(CURL_BIN_DIR
NAMES curl.exe
PATHS ${CURL_SEARCH_DIR}
PATH_SUFFIXES bin
REQUIRED
)
set(CURL_LIB "${CURL_BIN_DIR}/libcurl.dll")
endif()
else()
message(STATUS "Disable CURL")
endif()

22
cmake/FindMapping.cmake Normal file
View File

@ -0,0 +1,22 @@
include(CheckIncludeFile)
include(CheckFunctionExists)
if(NOT MSVC)
check_function_exists(getpass HAVE_GETPASS)
check_include_file(termios.h HAVE_TERMIOS_H)
check_include_file(sys/mman.h HAVE_SYS_MMAN_H)
if(HAVE_SYS_MMAN_H)
check_function_exists(mmap HAVE_MMAP)
if(NOT HAVE_MMAP)
message(FATAL_ERROR "Error: Need mmap to build.")
endif()
endif()
endif()
# include wincrypt.h in Windows.h
if(MSVC AND NOT CYGWIN)
check_include_file(windows.h HAVE_MAPVIEWOFFILE)
if(NOT (HAVE_MMAP OR HAVE_MAPVIEWOFFILE))
message(FATAL_ERROR "Error: Need file mapping function to build.")
endif()
endif()

71
cmake/FindOpenssl.cmake Normal file
View File

@ -0,0 +1,71 @@
# find the OpenSSL encryption library
if(ssl-path)
set(OPENSSL_SEARCH_DIR PATHS ${OPENSSL_ROOT} NO_DEFAULT_PATH)
find_path(OPENSSL_INCLUDE_DIR
NAMES openssl/opensslconf.h
PATHS ${OPENSSL_SEARCH_DIR}
PATH_SUFFIXES include
REQUIRED
)
find_library(OPENSSL_SSL
NAMES libssl libssl.so
PATHS ${OPENSSL_SEARCH_DIR}
PATH_SUFFIXES lib lib64
NO_DEFAULT_PATH
REQUIRED
)
find_library(OPENSSL_CRYPTO
NAMES libcrypto libcrypto.so
PATHS ${OPENSSL_SEARCH_DIR}
PATH_SUFFIXES lib lib64
NO_DEFAULT_PATH
REQUIRED
)
if(MSVC)
find_file(OPENSSL_APPLINK_SOURCE
NAMES openssl/applink.c
PATHS ${OPENSSL_INCLUDE_DIR}
NO_DEFAULT_PATH
REQUIRED
)
else()
set(OPENSSL_APPLINK_SOURCE)
endif()
set(OPENSSL_LIBRARIES ${OPENSSL_SSL} ${OPENSSL_CRYPTO})
mark_as_advanced(
OPENSSL_INCLUDE_DIR
OPENSSL_LIBRARIES
OPENSSL_APPLINK_SOURCE
)
set(OPENSSL_FOUND TRUE)
endif()
if(OPENSSL_FOUND)
message(STATUS "Link OpenSSL libraries: ${OPENSSL_LIBRARIES}")
message(STATUS "Include OpenSSL directory: ${OPENSSL_INCLUDE_DIR}")
if(MSVC)
message(STATUS "OpenSSL applink source: ${OPENSSL_APPLINK_SOURCE}")
endif()
else()
MESSAGE(FATAL_ERROR "Could not find the OpenSSL library and development files.")
endif()
if(MSVC)
find_path(OPENSSL_BIN_DIR
NAMES openssl.exe
PATHS ${OPENSSL_SEARCH_DIR}
PATH_SUFFIXES bin
REQUIRED
)
set(OPENSSL_LIBS "${OPENSSL_BIN_DIR}/libcrypto-3-x64.dll" "${OPENSSL_BIN_DIR}/libssl-3-x64.dll")
endif()
# add an executable target called "osslsigncode" to be built from the source files
set(SOURCE_FILES osslsigncode.c msi.c ${OPENSSL_APPLINK_SOURCE})
add_executable(osslsigncode)
target_sources(osslsigncode PRIVATE ${SOURCE_FILES})
target_link_libraries(osslsigncode PRIVATE ${OPENSSL_LIBRARIES})
include_directories(${OPENSSL_INCLUDE_DIR})

54
cmake/SetOptions.cmake Normal file
View File

@ -0,0 +1,54 @@
# add command line options
# set Release build mode
if(NOT CMAKE_BUILD_TYPE)
set(CMAKE_BUILD_TYPE "Release" CACHE STRING "Choose Release or Debug" FORCE)
endif()
option(enable-strict "Enable strict compile mode" OFF)
option(enable-pedantic "Enable pedantic compile mode" OFF)
option(with-curl "Enable curl" ON)
if(MSVC)
set(ssl-path "D:/TEMP/OpenSSL-3.0.2/vc-win64a" CACHE FILEPATH "OpenSSL library path")
set(curl-path "D:/TEMP/curl-7.82.0" CACHE FILEPATH "cURL library path")
else()
option(ssl-path "OpenSSL library path" OFF)
option(curl-path "cURL library path" OFF)
endif()
if(ssl-path)
set(OPENSSL_ROOT ${ssl-path})
set(OPENSSL_SEARCH_DIR)
else()
include(FindOpenSSL)
endif()
if(with-curl)
if(curl-path)
set(CURL_ROOT ${curl-path})
set(CURL_BIN_DIR)
else()
include(FindCURL)
endif()
endif()
# enable compile options
if(enable-strict)
message(STATUS "Enable strict compile mode")
if(MSVC)
# Microsoft Visual C warning level
add_compile_options(/Wall)
else()
add_compile_options(-Wall -Wextra)
endif()
endif()
if(enable-pedantic)
message(STATUS "Enable pedantic compile mode")
if(MSVC)
add_compile_options(/W4)
else()
add_compile_options(-pedantic)
endif()
endif()

147
configure.ac
View File

@ -1,147 +0,0 @@
AC_PREREQ(2.60)
AC_INIT([osslsigncode], [2.4.0-dev], [Michal.Trojnara@stunnel.org])
AC_CONFIG_AUX_DIR([.])
AC_CONFIG_HEADERS([config.h])
AC_CANONICAL_HOST
AM_INIT_AUTOMAKE
AC_CONFIG_SRCDIR([osslsigncode.c])
# bash completion support
AC_ARG_WITH([bashcompdir],
AS_HELP_STRING([--with-bashcompdir=DIR], [directory for bash completions]), ,
[PKG_CHECK_VAR([with_bashcompdir], [bash-completion], [completionsdir], ,
[with_bashcompdir="${datarootdir}/bash-completion/completions"])])
AC_MSG_CHECKING([for bashcompdir])
AC_MSG_RESULT([$with_bashcompdir])
AC_SUBST([bashcompdir], [$with_bashcompdir])
dnl Checks for programs.
AC_PROG_CC
AC_USE_SYSTEM_EXTENSIONS
AC_ARG_ENABLE(
[strict],
[AS_HELP_STRING([--enable-strict],[enable strict compile mode @<:@disabled@:>@])],
,
[enable_strict="no"]
)
AC_ARG_ENABLE(
[pedantic],
[AS_HELP_STRING([--enable-pedantic],[enable pedantic compile mode @<:@disabled@:>@])],
,
[enable_pedantic="no"]
)
AC_ARG_WITH(
[curl],
[AS_HELP_STRING([--with-curl],[enable curl @<:@enabled@:>@])],
,
[with_curl="yes"]
)
if test "${enable_pedantic}" = "yes"; then
enable_strict="yes";
CFLAGS="${CFLAGS} -pedantic"
fi
if test "${enable_strict}" = "yes"; then
CFLAGS="${CFLAGS} -Wall -Wextra"
fi
PKG_PROG_PKG_CONFIG
AC_PROG_CPP
AC_PROG_INSTALL
AC_PROG_LN_S
AC_PROG_MKDIR_P
AC_PROG_SED
AC_PROG_MAKE_SET
AC_C_CONST
AC_HEADER_STDC
AC_HEADER_TIME
AC_CHECK_HEADERS(
[sys/mman.h],
[AC_CHECK_FUNC(
[mmap],
[AC_DEFINE(HAVE_MMAP, [1], [Define to 1 if you have mmap])],
[AC_MSG_ERROR([Need mmap to build.])]
)],
[have_mmap=no]
)
case "${host_os}" in
cygwin*)
;;
*)
AC_CHECK_HEADERS(
[windows.h],
[],
[have_MapViewOfFile=no]
)
esac
AS_IF([test "x$have_mmap$have_MapViewOfFile" = "xnono"],
[AC_MSG_ERROR([Need file mapping function to buid.])])
AC_CHECK_LIB(
[dl],
[dlopen],
[DL_LIBS="-ldl"]
)
AC_CHECK_HEADERS([termios.h])
AC_CHECK_FUNCS(getpass)
PKG_CHECK_MODULES(
[OPENSSL],
[libcrypto >= 1.1.1],
,
[PKG_CHECK_MODULES(
[OPENSSL],
[openssl >= 1.1.1],
,
[AC_CHECK_LIB(
[crypto],
[EVP_MD_CTX_new],
[OPENSSL_LIBS="-lcrypto ${SOCKETS_LIBS} ${DL_LIBS}"],
[AC_MSG_ERROR([OpenSSL 1.1.1 or later is required. https://www.openssl.org/])],
[${DL_LIBS}]
)]
)]
)
PKG_CHECK_MODULES(
[LIBCURL],
[libcurl >= 7.12.0],
,
[AC_CHECK_LIB(
[curl],
[curl_easy_strerror],
[LIBCURL_LIBS="-lcurl"],
,
[${DL_LIBS}]
)]
)
if test "${with_curl}" = "yes"; then
test -z "${LIBCURL_LIBS}" && AC_MSG_ERROR(m4_normalize([
Curl 7.12.0 or later required for timestamping support http://curl.haxx.se/
m4_newline() or libcurl development package not found, try installing:
m4_newline() * libcurl4-openssl-dev (Debian, Ubuntu)
m4_newline() * libcurl-devel (Fedora, CentOS, RHEL)
m4_newline() * libcurl_dev (Solaris)
]))
OPTIONAL_LIBCURL_CFLAGS="${LIBCURL_CFLAGS}"
OPTIONAL_LIBCURL_LIBS="${LIBCURL_LIBS}"
AC_DEFINE([ENABLE_CURL], [1], [libcurl is enabled])
fi
AC_SUBST([OPTIONAL_LIBCURL_CFLAGS])
AC_SUBST([OPTIONAL_LIBCURL_LIBS])
AC_CONFIG_FILES([Makefile])
AC_OUTPUT
# vim: set ts=4 noexpandtab:

2
tests/certs/.gitignore vendored
View File

@ -4,3 +4,5 @@
*.p12 *.p12
*.spc *.spc
*.txt *.txt
*.log
tsa-serial

91
tests/certs/makecerts.sh
View File

@ -29,16 +29,18 @@ make_certs() {
OPENSSL=openssl OPENSSL=openssl
fi fi
mkdir "demoCA/" 2>> "makecerts.log" 1>&2 mkdir "CA/" 2>> "makecerts.log" 1>&2
touch "demoCA/index.txt" touch "CA/index.txt"
echo -n "unique_subject = no" > "demoCA/index.txt.attr" echo -n "unique_subject = no" > "CA/index.txt.attr"
echo 1000 > "demoCA/serial" $OPENSSL rand -hex 16 > "CA/serial"
$OPENSSL rand -hex 16 > "tsa-serial"
echo 1001 > "CA/crlnumber"
date > "makecerts.log" date > "makecerts.log"
"$OPENSSL" version 2>> "makecerts.log" 1>&2 "$OPENSSL" version 2>> "makecerts.log" 1>&2
echo -n "$password" > "password.txt" echo -n "$password" > "password.txt"
printf "\nGenerate root CA certificate\n" >> "makecerts.log" printf "\nGenerate root CA certificate\n" >> "makecerts.log"
"$OPENSSL" genrsa -out demoCA/CA.key \ "$OPENSSL" genrsa -out CA/CA.key \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c ' TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
@ -46,20 +48,20 @@ make_certs() {
OPENSSL="$0" OPENSSL="$0"
export LD_LIBRARY_PATH="$1" export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_root.cnf" CONF="${script_path}/openssl_root.cnf"
"$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key demoCA/CA.key -out tmp/CACert.pem \ "$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key CA/CA.key -out tmp/CACert.pem \
-subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA" \ -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA" \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $? test_result $?
printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log" printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log"
"$OPENSSL" genrsa -out demoCA/intermediate.key \ "$OPENSSL" genrsa -out CA/intermediate.key \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c ' TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd) script_path=$(pwd)
OPENSSL="$0" OPENSSL="$0"
export LD_LIBRARY_PATH="$1" export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_intermediate.cnf" CONF="${script_path}/openssl_intermediate.cnf"
"$OPENSSL" req -config "$CONF" -new -key demoCA/intermediate.key -out demoCA/intermediate.csr \ "$OPENSSL" req -config "$CONF" -new -key CA/intermediate.key -out CA/intermediate.csr \
-subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \ -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $? test_result $?
@ -68,39 +70,39 @@ make_certs() {
OPENSSL="$0" OPENSSL="$0"
export LD_LIBRARY_PATH="$1" export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_root.cnf" CONF="${script_path}/openssl_root.cnf"
"$OPENSSL" ca -config "$CONF" -batch -in demoCA/intermediate.csr -out demoCA/intermediate.cer \ "$OPENSSL" ca -config "$CONF" -batch -in CA/intermediate.csr -out CA/intermediate.cer \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $? test_result $?
"$OPENSSL" x509 -in demoCA/intermediate.cer -out tmp/intermediate.pem \ "$OPENSSL" x509 -in CA/intermediate.cer -out tmp/intermediate.pem \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log" printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
"$OPENSSL" genrsa -des3 -out demoCA/private.key -passout pass:"$password" \ "$OPENSSL" genrsa -des3 -out CA/private.key -passout pass:"$password" \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
cat demoCA/private.key >> tmp/keyp.pem 2>> "makecerts.log" cat CA/private.key >> tmp/keyp.pem 2>> "makecerts.log"
test_result $? test_result $?
printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log" printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log"
"$OPENSSL" rsa -in demoCA/private.key -passin pass:"$password" -out tmp/key.pem \ "$OPENSSL" rsa -in CA/private.key -passin pass:"$password" -out tmp/key.pem \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
printf "\nGenerate a certificate to revoke\n" >> "makecerts.log" printf "\nGenerate a certificate to revoke\n" >> "makecerts.log"
"$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/revoked.csr \ "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/revoked.csr \
-subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked/emailAddress=osslsigncode@example.com" \ -subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
"$OPENSSL" ca -config "$CONF" -batch -in demoCA/revoked.csr -out demoCA/revoked.cer \ "$OPENSSL" ca -config "$CONF" -batch -in CA/revoked.csr -out CA/revoked.cer \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
"$OPENSSL" x509 -in demoCA/revoked.cer -out tmp/revoked.pem \ "$OPENSSL" x509 -in CA/revoked.cer -out tmp/revoked.pem \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
printf "\nRevoke above certificate\n" >> "makecerts.log" printf "\nRevoke above certificate\n" >> "makecerts.log"
"$OPENSSL" ca -config "$CONF" -revoke demoCA/revoked.cer \ "$OPENSSL" ca -config "$CONF" -revoke CA/revoked.cer \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
@ -124,27 +126,27 @@ make_certs() {
test_result $? test_result $?
printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log" printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log"
"$OPENSSL" genrsa -out demoCA/cross.key \ "$OPENSSL" genrsa -out CA/cross.key \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2018-01-01 00:00:00' /bin/bash -c ' TZ=GMT faketime -f '@2018-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd) script_path=$(pwd)
OPENSSL="$0" OPENSSL="$0"
export LD_LIBRARY_PATH="$1" export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_intermediate.cnf" CONF="${script_path}/openssl_intermediate.cnf"
"$OPENSSL" req -config "$CONF" -new -x509 -days 900 -key demoCA/cross.key -out tmp/crosscert.pem \ "$OPENSSL" req -config "$CONF" -new -x509 -days 900 -key CA/cross.key -out tmp/crosscert.pem \
-subj "/C=PL/O=osslsigncode/OU=CSP/CN=crosscert/emailAddress=osslsigncode@example.com" \ -subj "/C=PL/O=osslsigncode/OU=CSP/CN=crosscert/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH" 2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $? test_result $?
printf "\nGenerate code signing certificate\n" >> "makecerts.log" printf "\nGenerate code signing certificate\n" >> "makecerts.log"
"$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/cert.csr \ "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/cert.csr \
-subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com" \ -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
"$OPENSSL" ca -config "$CONF" -batch -in demoCA/cert.csr -out demoCA/cert.cer \ "$OPENSSL" ca -config "$CONF" -batch -in CA/cert.csr -out CA/cert.cer \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
"$OPENSSL" x509 -in demoCA/cert.cer -out tmp/cert.pem \ "$OPENSSL" x509 -in CA/cert.cer -out tmp/cert.pem \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
@ -179,14 +181,14 @@ make_certs() {
test_result $? test_result $?
printf "\nGenerate expired certificate\n" >> "makecerts.log" printf "\nGenerate expired certificate\n" >> "makecerts.log"
"$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/expired.csr \ "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/expired.csr \
-subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Expired/emailAddress=osslsigncode@example.com" \ -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Expired/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
"$OPENSSL" ca -config "$CONF" -enddate "190101000000Z" -batch -in demoCA/expired.csr -out demoCA/expired.cer \ "$OPENSSL" ca -config "$CONF" -enddate "190101000000Z" -batch -in CA/expired.csr -out CA/expired.cer \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
"$OPENSSL" x509 -in demoCA/expired.cer -out tmp/expired.pem \ "$OPENSSL" x509 -in CA/expired.cer -out tmp/expired.pem \
2>> "makecerts.log" 1>&2 2>> "makecerts.log" 1>&2
test_result $? test_result $?
@ -194,23 +196,50 @@ make_certs() {
cat tmp/intermediate.pem >> tmp/expired.pem 2>> "makecerts.log" cat tmp/intermediate.pem >> tmp/expired.pem 2>> "makecerts.log"
test_result $? test_result $?
printf "\nGenerate Root CA TSA certificate\n" >> "makecerts.log"
"$OPENSSL" genrsa -out CA/TSACA.key \
2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_tsa_root.cnf"
"$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key CA/TSACA.key -out tmp/TSACA.pem \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
printf "\nGenerate TSA certificate\n" >> "makecerts.log"
CONF="${script_path}/openssl_tsa.cnf"
"$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA.key -out CA/TSA.csr \
2>> "makecerts.log" 1>&2
test_result $?
CONF="${script_path}/openssl_tsa_root.cnf"
"$OPENSSL" ca -config "$CONF" -batch -in CA/TSA.csr -out CA/TSA.cer \
2>> "makecerts.log" 1>&2
test_result $?
"$OPENSSL" x509 -in CA/TSA.cer -out tmp/TSA.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nSave the chain to be included in the TSA response\n" >> "makecerts.log"
cat tmp/TSA.pem tmp/TSACA.pem > tmp/tsa-chain.pem 2>> "makecerts.log"
# copy new files # copy new files
if test -s tmp/intermediate.pem -a -s tmp/CACert.pem -a -s tmp/CACertCRL.pem \ if test -s tmp/intermediate.pem -a -s tmp/CACert.pem -a -s tmp/CACertCRL.pem \
-a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \ -a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \
-a -s tmp/cert.pem -a -s tmp/cert.p12 -a -s tmp/cert.der -a -s tmp/cert.spc \ -a -s tmp/cert.pem -a -s tmp/cert.p12 -a -s tmp/cert.der -a -s tmp/cert.spc \
-a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem -a -s tmp/revoked.spc -a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem -a -s tmp/revoked.spc \
-a -s tmp/TSA.pem -a -s tmp/TSA.key -a -s tmp/tsa-chain.pem
then then
cp tmp/* ./ cp tmp/* ./
printf "%s\n" "keys & certificates successfully generated" printf "%s" "keys & certificates successfully generated"
printf "%s\n" "makecerts.sh finished"
else else
printf "%s\n" "makecerts.sh failed" printf "%s" "error logs ${result_path}/makecerts.log"
printf "%s\n" "error logs ${result_path}/makecerts.log"
result=1 result=1
fi fi
# remove the working directory # remove the working directory
rm -rf "demoCA/" rm -rf "CA/"
rm -rf "tmp/" rm -rf "tmp/"
exit "$result" exit "$result"

17
tests/certs/openssl_intermediate.cnf
View File

@ -1,19 +1,20 @@
# OpenSSL intermediate CA configuration file # OpenSSL intermediate CA configuration file
[ ca ] [ default ]
name = intermediate
default_ca = CA_default default_ca = CA_default
[ CA_default ] [ CA_default ]
# Directory and file locations # Directory and file locations
dir = . dir = .
certs = $dir/demoCA certs = $dir/CA
crl_dir = $dir/demoCA crl_dir = $dir/CA
new_certs_dir = $dir/demoCA new_certs_dir = $dir/CA
database = $dir/demoCA/index.txt database = $dir/CA/index.txt
serial = $dir/demoCA/serial serial = $dir/CA/serial
rand_serial = yes rand_serial = yes
private_key = $dir/demoCA/intermediate.key private_key = $dir/CA/$name.key
certificate = $dir/tmp/intermediate.pem certificate = $dir/tmp/$name.pem
crl_extensions = crl_ext crl_extensions = crl_ext
default_md = sha256 default_md = sha256
preserve = no preserve = no

12
tests/certs/openssl_root.cnf
View File

@ -6,13 +6,13 @@ default_ca = CA_default
[ CA_default ] [ CA_default ]
# Directory and file locations. # Directory and file locations.
dir = . dir = .
certs = $dir/demoCA certs = $dir/CA
crl_dir = $dir/demoCA crl_dir = $dir/CA
new_certs_dir = $dir/demoCA new_certs_dir = $dir/CA
database = $dir/demoCA/index.txt database = $dir/CA/index.txt
serial = $dir/demoCA/serial serial = $dir/CA/serial
rand_serial = yes rand_serial = yes
private_key = $dir/demoCA/CA.key private_key = $dir/CA/CA.key
certificate = $dir/tmp/CACert.pem certificate = $dir/tmp/CACert.pem
crl_extensions = crl_ext crl_extensions = crl_ext
default_md = sha256 default_md = sha256

46
tests/certs/openssl_tsa.cnf Normal file
View File

@ -0,0 +1,46 @@
# OpenSSL Timestamp Authority configuration file
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ req ]
# Options for the `req` tool
default_bits = 2048
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_distinguished_name
[ ca_distinguished_name ]
countryName = "PL"
organizationName = "osslsigncode"
organizationalUnitName = "Timestamp Authority"
commonName = "Test TSA"
# Time Stamping Authority command "openssl-ts"
[ tsa ]
default_tsa = tsa_config
[ tsa_config ]
dir = ./Testing/certs
signer_cert = $dir/TSA.pem
signer_key = $dir/TSA.key
certs = $dir/tsa-chain.pem
serial = $dir/tsa-serial
default_policy = tsa_policy1
other_policies = tsa_policy2, tsa_policy3
signer_digest = sha256
digests = sha256, sha384, sha512
accuracy = secs:1, millisecs:500, microsecs:100
ordering = yes
tsa_name = yes
ess_cert_id_chain = yes
ess_cert_id_alg = sha256

83
tests/certs/openssl_tsa_root.cnf Normal file
View File

@ -0,0 +1,83 @@
# OpenSSL Root Timestamp Authority configuration file
[ default ]
name = TSACA
domain_suffix = timestampauthority.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
name_opt = utf8, esc_ctrl, multiline, lname, align
default_ca = CA_default
[ CA_default ]
dir = .
certs = $dir/CA
crl_dir = $dir/CA
new_certs_dir = $dir/CA
database = $dir/CA/index.txt
serial = $dir/CA/serial
crlnumber = $dir/CA/crlnumber
rand_serial = yes
private_key = $dir/CA/$name.key
certificate = $dir/tmp/$name.pem
default_md = sha256
default_days = 3650
default_crl_days = 365
policy = policy_match
default_startdate = 20180101000000Z
default_enddate = 20280101000000Z
unique_subject = no
x509_extensions = tsa_extensions
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ tsa_extensions ]
basicConstraints = critical, CA:false
extendedKeyUsage = critical, timeStamping
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = @issuer_info
crlDistributionPoints = @crl_info
nameConstraints = @name_constraints
[ issuer_info ]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ crl_info ]
URI.0 = $crl_url
[ name_constraints ]
permitted;DNS.0=test.com
permitted;DNS.1=test.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
[ req ]
# Options for the `req` tool
default_bits = 2048
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
[ ca_distinguished_name ]
countryName = "PL"
organizationName = "osslsigncode"
organizationalUnitName = "Timestamp Authority Root CA"
commonName = "TSA Root CA"
[ ca_extensions ]
# Extension to add when the -x509 option is used
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign

BIN
tests/files/unsigned.cat Executable file
View File

Binary file not shown.

BIN
tests/files/unsigned.ex_ Normal file
View File

Binary file not shown.

BIN
tests/files/unsigned.exe Executable file
View File

Binary file not shown.

BIN
tests/files/unsigned.msi Normal file
View File

Binary file not shown.

53
tests/recipes/01_sign_pem
View File

@ -1,53 +0,0 @@
#!/bin/sh
# Sign a file with a certificate and a private key in the PEM format.
# -st 1556668800 is the Unix time of May 1 00:00:00 2019 GMT
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=1
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a certificate and a private key in the PEM format"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

53
tests/recipes/02_sign_pass
View File

@ -1,53 +0,0 @@
#!/bin/sh
# Sign a file with an encrypted private key in the PEM format.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=2
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with an encrypted private key in the PEM format"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \
-pass passme \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

54
tests/recipes/03_sign_der
View File

@ -1,54 +0,0 @@
#!/bin/sh
# Sign a file with an encrypted private key in the DER format.
# Requires OpenSSL 1.0.0 or later
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=3
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with an encrypted private key in the DER format"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
-pass passme \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

54
tests/recipes/04_sign_spc_pvk
View File

@ -1,54 +0,0 @@
#!/bin/sh
# Sign a file with a certificate in the SPC format
# and a private key in the Microsoft Private Key (PVK) format.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=4
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a SPC certificate and a PVK private key"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-spc "${script_path}/../certs/cert.spc" -key "${script_path}/../certs/key.pvk" \
-pass passme \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

53
tests/recipes/05_sign_pkcs12
View File

@ -1,53 +0,0 @@
#!/bin/sh
# Sign a file with a certificate and a key stored in a PKCS#12 container.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=5
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a certificate and a key stored in a PKCS#12 container"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-pkcs12 "${script_path}/../certs/cert.p12" \
-pass passme \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

34
tests/recipes/06_test_sha256sum
View File

@ -1,34 +0,0 @@
#!/bin/sh
# Checking SHA256 message digests for 01x-05x tests
. $(dirname $0)/../test_library
script_path=$(pwd)
result=0
test_nr=6
for file in ${script_path}/../logs/sha256sum/*.*
do
name="${file##*/}"
case $name in
"cat.log") filetype=CAT; format_nr=1 ;;
"msi.log") filetype=MSI; format_nr=2 ;;
"ex_.log") filetype=CAB; format_nr=3 ;;
"exe.log") filetype=PE; format_nr=4 ;;
"ps1.log") filetype=TXT; format_nr=5 ;;
esac
number="$test_nr$format_nr"
test_name="Checking SHA256 message digests for a $filetype file test"
printf "\n%03d. %s\n" "$number" "$test_name"
if test $(cat "sha256sum/$name" | cut -d' ' -f1 | uniq | wc -l) -ne 1
then
result=1
cat "sha256sum/$name" >> "results.log"
printf "Non-unique SHA256 message digests found\n" >> "results.log"
fi
rm -f "sha256sum/$name"
test_result "$result" "$number" "$test_name"
done
exit 0

61
tests/recipes/07_sign_timestamp
View File

@ -1,61 +0,0 @@
#!/bin/sh
# Sign a file with Authenticode timestamping
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=7
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with Authenticode timestamping"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-t http://timestamp.digicert.com/ \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Sign a file with Authenticode timestamping"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

65
tests/recipes/08_sign_rfc3161
View File

@ -1,65 +0,0 @@
#!/bin/sh
# Sign a file with RFC 3161 timestamping
# An RFC3161 timestamp server provides an essential function in protecting
# data records for the long-term. It provides proof that the data existed
# at a particular moment in time and that it has not changed, even by
# a single binary bit, since it was notarized and time-stamped.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=8
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with RFC 3161 timestamping"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Sign a file with RFC 3161 timestamping"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

33
tests/recipes/09_sign_page_hashes
View File

@ -1,33 +0,0 @@
#!/bin/sh
# Generate page hashes for a file
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=9
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"exe") filetype=PE; format_nr=4 ;;
*) continue ;; # Warning: -ph option is only valid for PE files
esac
number="$test_nr$format_nr"
test_name="Generate page hashes for a $filetype file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 -ph \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
exit 0

53
tests/recipes/10_sign_blob
View File

@ -1,53 +0,0 @@
#!/bin/sh
# Sign a file with addUnauthenticatedBlob.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=10
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with addUnauthenticatedBlob"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-addUnauthenticatedBlob \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

42
tests/recipes/11_sign_nest
View File

@ -1,42 +0,0 @@
#!/bin/sh
# Sign a file twice with the "nest" flag in the second time
# in order to add the new signature instead of replacing the first one.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=11
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Warning: CAT files do not support nesting
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Warning: TXT files do not support nesting
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with the nest flag"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode sign -h sha512 \
-nest \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
exit 0

54
tests/recipes/12_sign_readpass_pem
View File

@ -1,54 +0,0 @@
#!/bin/sh
# Sign a file with a PEM key and a password read from password.txt file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=12
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a PEM key and a password read from password.txt file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-addUnauthenticatedBlob \
-readpass "${script_path}/../certs/password.txt" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

54
tests/recipes/13_sign_readpass_pkcs12
View File

@ -1,54 +0,0 @@
#!/bin/sh
# Sign a file with the certificate and key stored in a PKCS#12 container
# and a password read from password.txt file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=13
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a PKCS#12 container and the file with a password"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-readpass "${script_path}/../certs/password.txt" \
-pkcs12 "${script_path}/../certs/cert.p12" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

53
tests/recipes/14_sign_descryption
View File

@ -1,53 +0,0 @@
#!/bin/sh
# Sign a file with a descryption.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=14
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a descryption"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-n "DESCRYPTION_TEXT" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "DESCRYPTION_TEXT" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

54
tests/recipes/15_sign_url
View File

@ -1,54 +0,0 @@
#!/bin/sh
# Sign a file with specified URL for expanded description of the signed content
# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode-signing-of-csps
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=15
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with specified URL"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-i "https://www.osslsigncode.com/" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "https://www.osslsigncode.com/" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

58
tests/recipes/16_sign_comm
View File

@ -1,58 +0,0 @@
#!/bin/sh
# Sign a file with Microsoft Commercial Code Signing purpose set for SPC_STATEMENT_TYPE_OBJID
# object ID numbers (OIDs) "1.3.6.1.4.1.311.2.1.11"
# changes default Microsoft Individual Code Signing:
# "0x30, 0x0c, x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15"
# sets Microsoft Commercial Code Signing:
# "0x30, 0x0c, x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x16"
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=16
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with the common purpose set"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-comm \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Microsoft Commercial Code Signing" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

55
tests/recipes/17_sign_crosscertfile
View File

@ -1,55 +0,0 @@
#!/bin/sh
# Add an additional certificate to the signature block of the file.
# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode-signing-of-csps
# https://docs.microsoft.com/en-us/windows/win32/seccertenroll/about-cross-certification
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=17
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Add an additional certificate to the signature block of a $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-ac "${script_path}/../certs/crosscert.pem" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "crosscert" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

52
tests/recipes/21_sign_hash_md5
View File

@ -1,52 +0,0 @@
#!/bin/sh
# Sign a file with MD5 set of cryptographic hash functions.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=21
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with MD5 set of cryptographic hash functions"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h md5 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "MD5" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

52
tests/recipes/22_sign_hash_sha1
View File

@ -1,52 +0,0 @@
#!/bin/sh
# Sign a file with SHA1 set of cryptographic hash functions.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=22
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with SHA1 set of cryptographic hash functions"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha1 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA1" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

52
tests/recipes/23_sign_hash_sha2
View File

@ -1,52 +0,0 @@
#!/bin/sh
# Signing a file with SHA2 set of cryptographic hash functions.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=23
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with SHA2 set of cryptographic hash functions"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha2 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA2" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

52
tests/recipes/24_sign_hash_sha384
View File

@ -1,52 +0,0 @@
#!/bin/sh
# Sign a file with SHA384 set of cryptographic hash functions.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=24
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with SHA384 set of cryptographic hash functions"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha384 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA384" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

52
tests/recipes/25_sign_hash_sha512
View File

@ -1,52 +0,0 @@
#!/bin/sh
# Sign a file with SHA512 set of cryptographic hash functions.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=25
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with SHA512 set of cryptographic hash functions"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha512 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

55
tests/recipes/26_extract_signature_pem
View File

@ -1,55 +0,0 @@
#!/bin/sh
# Extract the signature in the PEM format.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=26
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Extract the PEM signature from the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha512 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
../../osslsigncode extract-signature \
-pem \
-in "test_$number.$ext" -out "sign_$format_nr.pem"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

54
tests/recipes/27_extract_signature_der
View File

@ -1,54 +0,0 @@
#!/bin/sh
# Extract the signature in the DER format.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=27
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Extract the DER signature from the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha512 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
../../osslsigncode extract-signature\
-in "test_$number.$ext" -out "sign_$format_nr.der"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

58
tests/recipes/31_attach_signature_der
View File

@ -1,58 +0,0 @@
#!/bin/sh
# Attach the DER signature to the file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=31
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Attach the DER signature to the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode attach-signature \
-sigin "sign_$format_nr.der" \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$result" -ne 0; then
cp "sign_$format_nr.der" "sign_$number.der"
fi
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

58
tests/recipes/32_attach_signature_pem
View File

@ -1,58 +0,0 @@
#!/bin/sh
# Attach the PEM signature to the file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=32
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Attach the PEM signature to the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode attach-signature \
-sigin "sign_$format_nr.pem" \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$result" -ne 0; then
cp "sign_$format_nr.der" "sign_$number.der"
fi
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

58
tests/recipes/33_attach_signed
View File

@ -1,58 +0,0 @@
#!/bin/sh
# Attach the signature to the signed file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=33
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Attach the PEM signature to the signed $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode attach-signature \
-sigin "sign_$format_nr.pem" \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

44
tests/recipes/34_attach_nest
View File

@ -1,44 +0,0 @@
#!/bin/sh
# Attach the signature to the signed file with the "nest" flag in order to
# attach the new signature instead of replacing the first one.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=34
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Warning: CAT files do not support nesting
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Warning: TXT files do not support nesting
esac
number="$test_nr$format_nr"
test_name="Attach the PEM signature to the signed $filetype$desc file with the nest flag"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode attach-signature \
-sigin "sign_$format_nr.pem" \
-nest \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
exit 0

54
tests/recipes/35_remove_signature
View File

@ -1,54 +0,0 @@
#!/bin/sh
# Remove the signature from the file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=35
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Remove the signature from the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode remove-signature \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

34
tests/recipes/36_varia_sha256sum
View File

@ -1,34 +0,0 @@
#!/bin/sh
# Checking SHA256 message digests for "extract" and "attach" tests.
. $(dirname $0)/../test_library
script_path=$(pwd)
result=0
test_nr=36
for file in ${script_path}/../logs/sha256sum/*.*
do
name="${file##*/}"
case $name in
"cat.log") filetype=CAT; format_nr=1 ;;
"msi.log") filetype=MSI; format_nr=2 ;;
"ex_.log") filetype=CAB; format_nr=3 ;;
"exe.log") filetype=PE; format_nr=4 ;;
"ps1.log") filetype=TXT; format_nr=5 ;;
esac
number="$test_nr$format_nr"
test_name="Checking SHA256 message digests for a $filetype file test"
printf "\n%03d. %s\n" "$number" "$test_name"
if test $(cat "sha256sum/$name" | cut -d' ' -f1 | uniq | wc -l) -ne 1
then
result=1
cat "sha256sum/$name" >> "results.log"
printf "Non-unique SHA256 message digests found\n" >> "results.log"
fi
rm -f "sha256sum/$name"
test_result "$result" "$number" "$test_name"
done
exit 0

64
tests/recipes/37_add_signature_timestamp
View File

@ -1,64 +0,0 @@
#!/bin/sh
# Add an authenticode timestamp to the signed file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=37
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Add an authenticode timestamp to the $filetype$desc signed file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode add \
-t http://time.certum.pl/ \
-t http://timestamp.digicert.com/ \
-verbose \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Timestamp Server Signature" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Add an authenticode timestamp to the signed file"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

64
tests/recipes/38_add_signature_rfc3161
View File

@ -1,64 +0,0 @@
#!/bin/sh
# Add a RFC 3161 timestamp to the signed file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=38
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Add a RFC 3161 timestamp to the $filetype$desc signed file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode add \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Timestamp Server Signature" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Add a RFC 3161 timestamp to the signed file"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

55
tests/recipes/39_add_signature_blob
View File

@ -1,55 +0,0 @@
#!/bin/sh
# Add an unauthenticated blob to the signed file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=39
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Add an unauthenticated blob to the $filetype$desc signed file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode add \
-addUnauthenticatedBlob \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Unauthenticated Data Blob" "MODIFY"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

51
tests/recipes/40_verify_leaf_hash
View File

@ -1,51 +0,0 @@
#!/bin/sh
# Compare the leaf certificate hash against specified SHA256 message digest for the file
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=40
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Compare the leaf hash against SHA256 message digest for the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_leaf_hash "$result" "$number" "$ext" "@2019-05-01 00:00:00"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

41
tests/recipes/41_sign_add_msi_dse
View File

@ -1,41 +0,0 @@
#!/bin/sh
# Sign a MSI file with the add-msi-dse option.
# MsiDigitalSignatureEx (msi-dse) is an enhanced signature type that can be used
# when signing MSI files. In addition to file content, it also hashes some file metadata,
# specifically file names, file sizes, creation times and modification times.
# https://www.unboundtech.com/docs/UKC/UKC_Code_Signing_IG/HTML/Content/Products/UKC-EKM/UKC_Code_Signing_IG/Sign_Windows_PE_and_msi_Files.htm
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=41
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Warning: -add-msi-dse option is only valid for MSI files
"msi") filetype=MSI; format_nr=2 ;;
"ex_") continue;; # Warning: -add-msi-dse option is only valid for MSI files
"exe") continue;; # Warning: -add-msi-dse option is only valid for MSI files
"ps1") continue;; # Warning: -add-msi-dse option is only valid for MSI files
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with the add-msi-dse option"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-add-msi-dse \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "MsiDigitalSignatureEx" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
exit 0

38
tests/recipes/42_sign_jp_low
View File

@ -1,38 +0,0 @@
#!/bin/sh
# Sign a CAB file with "low" level of permissions in Microsoft Internet Explorer 4.x for CAB files
# https://support.microsoft.com/en-us/help/193877
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=42
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Warning: -jp option is only valid for CAB files
"msi") continue;; # Warning: -jp option is only valid for CAB files
"ex_") filetype=CAB; format_nr=3 ;;
"exe") continue;; # Warning: -jp option is only valid for CAB files
"ps1") continue;; # Warning: -jp option is only valid for CAB files
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with the jp low option"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-jp low \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Low level of permissions" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
exit 0

36
tests/recipes/45_verify_fake_pe
View File

@ -1,36 +0,0 @@
#!/bin/sh
# Verify changed file after signing.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=45
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Test is not supported for non-PE files
"msi") continue;; # Test is not supported for non-PE files
"ex_") continue;; # Test is not supported for non-PE files
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Test is not supported for non-PE files
esac
number="$test_nr$format_nr"
test_name="Verify changed $filetype$desc file after signing"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Hello world!" "MODIFY"
test_result "$?" "$number" "$test_name"
done
exit 0

46
tests/recipes/46_verify_timestamp
View File

@ -1,46 +0,0 @@
#!/bin/sh
# Verify changed file after signing with Authenticode timestamping.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=46
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Test is not supported for non-PE files
"msi") continue;; # Test is not supported for non-PE files
"ex_") continue;; # Test is not supported for non-PE files
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Test is not supported for non-PE files
esac
number="$test_nr$format_nr"
test_name="Verify changed $filetype$desc file after signing with Authenticode timestamping"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-t http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Hello world!" "MODIFY"
test_result "$?" "$number" "$test_name"
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify changed file after signing with Authenticode timestamping"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

46
tests/recipes/47_verify_rfc3161
View File

@ -1,46 +0,0 @@
#!/bin/sh
# Verify changed file after signing with RFC 3161 timestamping.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=47
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Test is not supported for non-PE files
"msi") continue;; # Test is not supported for non-PE files
"ex_") continue;; # Test is not supported for non-PE files
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Test is not supported for non-PE files
esac
number="$test_nr$format_nr"
test_name="Verify changed $filetype$desc file after signing with RFC 3161 timestamping"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Hello world!" "MODIFY"
test_result "$?" "$number" "$test_name"
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify changed file after signing with RFC 3161 timestamping"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

52
tests/recipes/51_verify_time
View File

@ -1,52 +0,0 @@
#!/bin/sh
# Verify a file signed after the cert has been expired.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=51
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Verify $filetype$desc file signed after the cert has been expired"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "fail" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

62
tests/recipes/52_verify_timestamp
View File

@ -1,62 +0,0 @@
#!/bin/sh
# Verify a file signed with Authenticode timestamping after the cert has been expired.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=52
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Verify a $filetype$desc file signed with Authenticode after the cert has been expired"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-t http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify a file signed with Authenticode after the cert has been expired"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

62
tests/recipes/53_verify_rfc3161
View File

@ -1,62 +0,0 @@
#!/bin/sh
# Verify a file signed with RFC3161 timestamping after the cert has been expired.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=53
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Verify a $filetype$desc file signed with RFC3161 after the cert has been expired"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify a file signed with RFC3161 after the cert has been expired"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

62
tests/recipes/54_verify_expired
View File

@ -1,62 +0,0 @@
#!/bin/sh
# Verify a file signed with the expired cert.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=54
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Verify a $filetype$desc file signed with the expired cert"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "fail" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify a file signed with the expired cert"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

62
tests/recipes/55_verify_revoked
View File

@ -1,62 +0,0 @@
#!/bin/sh
# Verify a file signed with the revoked cert.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=55
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Verify a $filetype$desc file signed with the revoked cert"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify a file signed with the revoked cert"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

60
tests/recipes/56_verify_multiple
View File

@ -1,60 +0,0 @@
#!/bin/sh
# Verify a file signed with the multiple signature.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=56
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Warning: CAT files do not support nesting
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Warning: TXT files do not support nesting
esac
number="$test_nr$format_nr"
test_name="Verify a $filetype$desc file signed with the multiple signature"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \
-verbose \
-in "notsigned/$name" -out "signed1_$number.$ext"
../../osslsigncode sign -h sha384 \
-st "1556668800" \
-nest \
-certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-t http://timestamp.digicert.com/ \
-verbose \
-in "signed1_$number.$ext" -out "signed2_$number.$ext"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-nest \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "signed2_$number.$ext" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA384" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify a file signed with the multiple signature"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

174
tests/test_library
View File

@ -1,174 +0,0 @@
# this file is a library sourced from recipes/*
result_path=$(pwd)
cd $(dirname "$0")/../
script_path=$(pwd)
cd "${result_path}"
test_result() {
#1 last exit status
#2 test number
#3 test name
local result=0
if test "$1" -eq 0
then
printf "%s\n" "Test succeeded"
else
printf "%s\n" "Test failed"
printf "%03d. %-90s\t%s\n" "$2" "$3" "failed" 1>&3
result=1
fi
return "$result"
}
modify_blob() {
# $1 test number
# $2 filename extension
# $3 text searched in a binary file
local result=0
initial_blob=$(echo -n "$3" | xxd -p)
modified_blob=$(echo -n "FAKE" | xxd -p)
zero_blob="00000000"
xxd -p -c 1000 "test_$1.$2" | \
sed "s/$initial_blob$zero_blob/$initial_blob$modified_blob/" | \
xxd -p -r > "changed_$1.$2"
../../osslsigncode verify -verbose \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "changed_$1.$2" 2>> "verify.log" 1>&2
result=$?
if test "$result" -ne 0 \
-o $(grep -e "Calculated DigitalSignature" -e "Calculated message digest" "verify.log" | uniq | wc -l) -gt 1
then
printf "Failed: verify error or non-unique message digests found\n" 2>> "verify.log" 1>&2
result=1
else
rm -f "changed_$1.$2"
fi
return "$result"
}
search_pattern() {
# $1 test number
# $2 filename extension
# $3 pattern searched in a binary file or verify.log
local result=0
if ! grep -q "$3" "verify.log"
then
hex_pattern=$(echo -n "$3" | xxd -p)
if ! xxd -p -c 1000 "test_$1.$2" | grep "$hex_pattern" 2>> /dev/null 1>&2
then
result=1
printf "Failed: $3 not found\n"
fi
fi
return "$result"
}
verify_signature() {
# $1 sign exit code
# $2 test number
# $3 filename extension
# $4 expected result
# $5 fake time
# $6 sha256sum requirement
# $7 pattern searched in the verify.log file
# $8 modify requirement
local result=0
printf "" > "verify.log"
if test "$1" -eq 0
then
cp "test_$2.$3" "test_tmp.tmp"
TZ=GMT faketime -f "$5" /bin/bash -c '
printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
script_path=$(pwd)
../../osslsigncode verify -verbose \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "test_tmp.tmp" 2>> "verify.log" 1>&2'
result=$?
rm -f "test_tmp.tmp"
if test "$result" -eq 0 -a "$7" != "UNUSED_PATTERN"
then
search_pattern "$2" "$3" "$7"
result=$?
fi
if test "$result" -eq 0 -a "$8" = "MODIFY"
then
modify_blob "$2" "$3" "$7"
result=$?
fi
if test "$6" = "sha256sum"
then
sha256sum "test_$2.$3" 2>> "sha256sum/$3.log" 1>&2
fi
if test "$4" = "success" -a "$result" -eq 0
then
rm -f "test_$2.$3" "signed_$2.$3" "signed1_$2.$3" "signed2_$2.$3"
elif test "$4" = "fail" -a "$result" -eq 1
then
rm -f "test_$2.$3" "signed_$2.$3" "signed1_$2.$3" "signed2_$2.$3"
rm -f "changed_$2.$3"
cat "verify.log" >> "results.log"
result=0
else
cat "verify.log" >> "results.log"
result=1
fi
else
result=1
fi
return "$result"
}
verify_leaf_hash() {
# $1 sign exit code
# $2 test number
# $3 filename extension
# $4 fake time
local result=0
printf "" > "verify.log"
if test "$1" -eq 0
then
cp "test_$2.$3" "test_tmp.tmp"
TZ=GMT faketime -f "$4" /bin/bash -c '
printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
script_path=$(pwd)
../../osslsigncode verify -verbose \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-require-leaf-hash SHA256:$(sha256sum "${script_path}/../certs/cert.der" | cut -d" " -f1) \
-in "test_tmp.tmp" 2>> "verify.log" 1>&2'
result=$?
rm -f "test_tmp.tmp"
if test "$result" -eq 0
then
rm -f "test_$2.$3"
else
cat "verify.log" >> "results.log"
fi
else
result=1
fi
return "$result"
}

135
tests/testall.sh
View File

@ -1,135 +0,0 @@
#!/bin/sh
# mingw64-gcc, gcab, msitools, libgsf, libgsf-devel
# vim-common, libfaketime packages are required
result=0
count=0
skip=0
fail=0
result_path=$(pwd)
cd $(dirname "$0")
script_path=$(pwd)
result_path="${result_path}/logs"
certs_path="${script_path}/certs"
make_tests() {
for plik in ${script_path}/recipes/*
do
/bin/sh $plik 3>&1 2>> "results.log" 1>&2
done
count=$(grep -c "Test succeeded" "results.log")
skip=$(grep -c "Test skipped" "results.log")
fail=$(grep -c "Test failed" "results.log")
printf "%s\n" "testall.sh finished"
printf "%s\n" "summary: success $count, skip $skip, fail $fail"
return $fail
}
rm -rf "${result_path}"
mkdir "${result_path}"
cd "${result_path}"
mkdir "notsigned" "sha256sum"
date > "results.log"
../../osslsigncode -v >> "results.log" 2>/dev/null
cd ${certs_path}
if test -s CACert.pem -a -s crosscert.pem -a -s expired.pem -a -s cert.pem \
-a -s CACertCRL.pem -a -s revoked.pem -a -s key.pem -a -s keyp.pem \
-a -s key.der -a -s cert.der -a -s cert.spc -a -s cert.p12
then
printf "%s\n" "keys & certificates path: ${certs_path}"
else
./makecerts.sh $1
result=$?
fi
cd "${result_path}"
if test "$result" -ne 0
then
exit $result
fi
# PE files support
if test -n "$(command -v x86_64-w64-mingw32-gcc)"
then
x86_64-w64-mingw32-gcc "../sources/myapp.c" -o "notsigned/test.exe" 2>> "results.log" 1>&2
else
printf "%s\n" "x86_64-w64-mingw32-gcc not found in \$PATH"
printf "%s\n" "tests for PE files skipped, please install mingw64-gcc package"
fi
# CAB files support
if test -n "$(command -v gcab)"
then
gcab -c "notsigned/test.ex_" "../sources/a" "../sources/b" "../sources/c" 2>> "results.log" 1>&2
else
printf "%s\n" "gcab not found in \$PATH"
printf "%s\n" "tests for CAB files skipped, please install gcab package"
fi
# MSI files support
if grep -q "no libgsf available" "results.log"
then
printf "%s\n" "signing MSI files requires libgsf/libgsf-devel packages and reconfiguration osslsigncode"
else
if test -n "$(command -v wixl)"
then
touch FoobarAppl10.exe
cp "../sources/sample.wxs" "notsigned/sample.wxs" 2>> "results.log" 1>&2
wixl -v "notsigned/sample.wxs" 2>> "results.log" 1>&2
rm -f "notsigned/sample.wxs"
rm -f "FoobarAppl10.exe"
else
printf "%s\n" "wixl not found in \$PATH"
printf "%s\n" "tests for MSI files skipped, please install wixl or msitools package depending on your OS"
fi
fi
# CAT files support
if test -s "../sources/good.cat"
then
cp "../sources/good.cat" "notsigned/good.cat"
fi
# TXT files support
if test -s "../sources/utf8.ps1"
then
cp "../sources/utf8.ps1" "notsigned/utf8.ps1"
fi
if test -s "../sources/utf8bom.ps1"
then
cp "../sources/utf8bom.ps1" "notsigned/utf8bom.ps1"
fi
if test -s "../sources/utf16le.ps1"
then
cp "../sources/utf16le.ps1" "notsigned/utf16le.ps1"
fi
# Timestamping support
if grep -q "no libcurl available" "results.log"
then
printf "%s\n" "configure --with-curl is required for timestamping support"
fi
# Tests requirements
if test -n "$(command -v faketime)"
then
if test -n "$(command -v xxd)"
then
make_tests
result=$?
rm -r -f "notsigned/" "sha256sum/"
rm -f sign_[1-9].pem sign_[1-9].der
rm -f "verify.log"
else
printf "%s\n" "xxd not found in \$PATH"
printf "%s\n" "tests skipped, please install vim-common package"
fi
else
printf "%s\n" "faketime not found in \$PATH"
printf "%s\n" "tests skipped, please install faketime package"
fi
exit $result

90
tests/testsign.sh
View File

@ -1,90 +0,0 @@
#!/bin/sh
if [ -z "$(command -v keytool)" ]; then
printf "%s\n" "keytool was not found in the \$PATH"
printf "%s\n" "Please install the default-jre-headless package"
exit 1
fi
rm -f putty*.exe
PUTTY_URL="http://the.earth.li/~sgtatham/putty/0.64/x86/putty.exe"
[ -f putty.exe ] || wget -q -O putty.exe $PUTTY_URL
[ -f putty.exe ] || curl -o putty.exe $PUTTY_URL
if [ ! -f putty.exe ]; then
echo "FAIL: Couldn't download putty.exe"
exit 1
fi
rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem
keytool -genkey \
-alias selfsigned \
-keysize 2048 \
-keyalg RSA \
-keypass passme \
-storepass passme \
-keystore key.ks << EOF
John Doe
ACME In
ACME
Springfield
LaLaLand
SE
yes
EOF
echo "Converting key/cert to PKCS12 container"
keytool -importkeystore \
-srckeystore key.ks \
-srcstoretype JKS \
-srckeypass passme \
-srcstorepass passme \
-srcalias selfsigned \
-destkeystore key.p12 \
-deststoretype PKCS12 \
-destkeypass passme \
-deststorepass passme
rm -f key.ks
echo "Converting key to PEM format"
openssl pkcs12 -in key.p12 -passin pass:passme -nocerts -nodes -out key.pem
echo "Converting key to PEM format (with password)"
openssl rsa -in key.pem -out keyp.pem -passout pass:passme
echo "Converting key to DER format"
openssl rsa -in key.pem -outform DER -out key.der -passout pass:passme
echo "Converting key to PVK format"
openssl rsa -in key.pem -outform PVK -pvk-strong -out key.pvk -passout pass:passme
echo "Converting cert to PEM format"
openssl pkcs12 -in key.p12 -passin pass:passme -nokeys -out cert.pem
echo "Converting cert to SPC format"
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc
make -C ..
../osslsigncode sign -spc cert.spc -key key.pem putty.exe putty1.exe
../osslsigncode sign -certs cert.spc -key keyp.pem -pass passme putty.exe putty2.exe
../osslsigncode sign -certs cert.pem -key keyp.pem -pass passme putty.exe putty3.exe
../osslsigncode sign -certs cert.spc -key key.der putty.exe putty4.exe
../osslsigncode sign -pkcs12 key.p12 -pass passme putty.exe putty5.exe
../osslsigncode sign -certs cert.spc -key key.pvk -pass passme putty.exe putty6.exe
rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem
echo
check=`sha1sum putty[1-9]*.exe | cut -d' ' -f1 | uniq | wc -l`
cmp putty1.exe putty2.exe && \
cmp putty2.exe putty3.exe && \
cmp putty3.exe putty4.exe && \
cmp putty4.exe putty5.exe && \
cmp putty5.exe putty6.exe
if [ $? -ne 0 ]; then
echo "Failure is not an option."
exit 1
else
echo "Yes, it works."
fi

140
tests/tsa_server.py Normal file
View File

@ -0,0 +1,140 @@
"""Implementation of a Time Stamping Authority HTTP server"""
import argparse
import contextlib
import os
import pathlib
import subprocess
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
RESULT_PATH = os.getcwd()
FILES_PATH = os.path.join(RESULT_PATH, "./Testing/files/")
CERTS_PATH = os.path.join(RESULT_PATH, "./Testing/certs/")
DEFAULT_PATH = os.path.join(RESULT_PATH, "./osslsigncode")
DEFAULT_IN = os.path.join(FILES_PATH, "./unsigned.exe")
DEFAULT_OUT = os.path.join(FILES_PATH, "./ts.exe")
DEFAULT_CERT = os.path.join(CERTS_PATH, "./cert.pem")
DEFAULT_KEY = os.path.join(CERTS_PATH, "./key.pem")
DEFAULT_CROSSCERT = os.path.join(CERTS_PATH, "./crosscert.pem")
OPENSSL_CONF = os.path.join(CERTS_PATH, "./openssl_tsa.cnf")
REQUEST = os.path.join(FILES_PATH, "./jreq.tsq")
RESPONS = os.path.join(FILES_PATH, "./jresp.tsr")
DEFAULT_OPENSSL = ["openssl", "ts",
"-reply", "-config", OPENSSL_CONF,
"-passin", "pass:passme",
"-queryfile", REQUEST,
"-out", RESPONS]
class RequestHandler(BaseHTTPRequestHandler):
"""Handle the HTTP POST request that arrive at the server"""
def do_POST(self):
""""Serves the POST request type"""
try:
content_length = int(self.headers['Content-Length'])
post_data = self.rfile.read(content_length)
with open(REQUEST, mode="wb") as file:
file.write(post_data)
openssl = subprocess.run(DEFAULT_OPENSSL, check=True, text=True)
openssl.check_returncode()
self.send_response(200)
self.send_header("Content-type", "application/timestamp-reply")
self.end_headers()
resp_data = None
with open(RESPONS, mode="rb") as file:
resp_data = file.read()
self.wfile.write(resp_data)
except Exception as err: # pylint: disable=broad-except
print(f"HTTP POST request error: {err}")
class HttpServerThread():
"""TSA server thread handler"""
def __init__(self):
self.server = None
self.server_thread = None
def start_server(self) -> (str, int):
"""Starting TSA server on localhost and a first available port"""
self.server = HTTPServer(("127.0.0.1", 0), RequestHandler)
self.server_thread = threading.Thread(target=self.server.serve_forever)
self.server_thread.start()
hostname, port = self.server.server_address[:2]
print(f"Timestamp server started, URL: http://{hostname}:{port}")
return hostname, port
def shut_down(self):
"""Shutting down the server"""
if self.server:
self.server.shutdown()
self.server_thread.join()
print("Server is down")
def parse_args() -> str:
"""Parse the command-line arguments."""
parser = argparse.ArgumentParser()
parser.add_argument(
"--input",
type=pathlib.Path,
default=DEFAULT_IN,
help="input file"
)
parser.add_argument(
"--output",
type=pathlib.Path,
default=DEFAULT_OUT,
help="output file"
)
parser.add_argument(
"--certs",
type=pathlib.Path,
default=DEFAULT_CERT,
help="signing certificate"
)
parser.add_argument(
"--key",
type=pathlib.Path,
default=DEFAULT_KEY,
help="private key"
)
parser.add_argument(
"--crosscert",
type=pathlib.Path,
default=DEFAULT_CROSSCERT,
help="additional certificates"
)
args = parser.parse_args()
program = [DEFAULT_PATH, "sign", "-in", args.input, "-out", args.output,
"-certs", args.certs, "-key", args.key,
"-addUnauthenticatedBlob", "-add-msi-dse", "-comm", "-ph", "-jp", "low",
"-h", "sha384", "-st", "1556668800", "-i", "https://www.osslsigncode.com/",
"-n", "osslsigncode", "-ac", args.crosscert, "-ts"]
return program
def main() -> None:
"""Main program"""
ret = 0
program = parse_args()
server = HttpServerThread()
hostname, port = server.start_server()
program.append(f"{hostname}:{port}")
try:
osslsigncode = subprocess.run(program, check=True, text=True)
osslsigncode.check_returncode()
except subprocess.CalledProcessError as err:
ret = err.returncode
except Exception as err: # pylint: disable=broad-except
print(f"osslsigncode error: {err}")
finally:
server.shut_down()
sys.exit(ret)
if __name__ == '__main__':
main()