nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-05 09:08:04 -05:00
Code Issues Projects Releases Wiki Activity

more consistent code formatting and indentation

Browse Source
This commit is contained in:
Michał Trojnara 2018-12-05 22:59:41 +01:00
parent fe89b08e35
commit 642a290343
1 changed files with 210 additions and 191 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

401
osslsigncode.c
View File

@ -36,23 +36,23 @@
* Peter Gutmann's analysis of Authenticode: * Peter Gutmann's analysis of Authenticode:
http://www.cs.auckland.ac.nz/~pgut001/pubs/authenticode.txt http://www.cs.auckland.ac.nz/~pgut001/pubs/authenticode.txt
* MS CAB SDK documentation * MS CAB SDK documentation
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncabsdk/html/cabdl.asp http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncabsdk/html/cabdl.asp
* MS PE/COFF documentation * MS PE/COFF documentation
http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
* MS Windows Authenticode PE Signature Format * MS Windows Authenticode PE Signature Format
http://msdn.microsoft.com/en-US/windows/hardware/gg463183 http://msdn.microsoft.com/en-US/windows/hardware/gg463183
(Although the part of how the actual checksumming is done is not (Although the part of how the actual checksumming is done is not
how it is done inside Windows. The end result is however the same how it is done inside Windows. The end result is however the same
on all "normal" PE files.) on all "normal" PE files.)
* tail -c, tcpdump, mimencode & openssl asn1parse :) * tail -c, tcpdump, mimencode & openssl asn1parse :)
@ -353,7 +353,6 @@ ASN1_SEQUENCE(TimeStampRequestBlob) = {
IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequestBlob) IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequestBlob)
typedef struct { typedef struct {
ASN1_OBJECT *type; ASN1_OBJECT *type;
TimeStampRequestBlob *blob; TimeStampRequestBlob *blob;
@ -464,7 +463,8 @@ static SpcSpOpusInfo* createOpus(const char *desc, const char *url)
return info; return info;
} }
static unsigned int asn1_simple_hdr_len(const unsigned char *p, unsigned int len) { static unsigned int asn1_simple_hdr_len(const unsigned char *p, unsigned int len)
{
if (len <= 2 || p[0] > 0x31) if (len <= 2 || p[0] > 0x31)
return 0; return 0;
return (p[1]&0x80) ? (2 + (p[1]&0x7f)) : 2; return (p[1]&0x80) ? (2 + (p[1]&0x7f)) : 2;
@ -482,7 +482,7 @@ static int add_unauthenticated_blob(PKCS7 *sig)
{ {
u_char *p = NULL; u_char *p = NULL;
int len = 1024+4; int len = 1024+4;
char prefix[] = "\x0c\x82\x04\x00---BEGIN_BLOB---"; // Length data for ASN1 attribute plus prefix char prefix[] = "\x0c\x82\x04\x00---BEGIN_BLOB---"; /* Length data for ASN1 attribute plus prefix */
char postfix[] = "---END_BLOB---"; char postfix[] = "---END_BLOB---";
PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(sig->d.sign->signer_info, 0); PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(sig->d.sign->signer_info, 0);
@ -496,8 +496,7 @@ static int add_unauthenticated_blob(PKCS7 *sig)
ASN1_STRING_set(astr, p, len); ASN1_STRING_set(astr, p, len);
int nid = OBJ_create("1.3.6.1.4.1.42921.1.2.1", int nid = OBJ_create("1.3.6.1.4.1.42921.1.2.1",
"unauthenticatedData", "unauthenticatedData", "unauthenticatedData");
"unauthenticatedData");
PKCS7_add_attribute (si, nid, V_ASN1_SEQUENCE, astr); PKCS7_add_attribute (si, nid, V_ASN1_SEQUENCE, astr);
@ -512,7 +511,8 @@ static int g_verbose = 0;
#ifdef ENABLE_CURL #ifdef ENABLE_CURL
static int blob_has_nl = 0; static int blob_has_nl = 0;
static size_t curl_write( void *ptr, size_t sz, size_t nmemb, void *stream)
static size_t curl_write(void *ptr, size_t sz, size_t nmemb, void *stream)
{ {
if (sz*nmemb > 0 && !blob_has_nl) { if (sz*nmemb > 0 && !blob_has_nl) {
if (memchr(ptr, '\n', sz*nmemb)) if (memchr(ptr, '\n', sz*nmemb))
@ -523,15 +523,15 @@ static size_t curl_write( void *ptr, size_t sz, size_t nmemb, void *stream)
static void print_timestamp_error(const char *url, long http_code) static void print_timestamp_error(const char *url, long http_code)
{ {
if (http_code != -1) { if (http_code != -1) {
fprintf(stderr, "Failed to convert timestamp reply from %s; " fprintf(stderr, "Failed to convert timestamp reply from %s; "
"HTTP status %ld\n", url, http_code); "HTTP status %ld\n", url, http_code);
} else { } else {
fprintf(stderr, "Failed to convert timestamp reply from %s; " fprintf(stderr, "Failed to convert timestamp reply from %s; "
"no HTTP status available", url); "no HTTP status available", url);
} }
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
} }
/* /*
@ -559,12 +559,12 @@ static void print_timestamp_error(const char *url, long http_code)
<signature> <signature>
.. and it returns a base64 encoded PKCS#7 structure. .. and it returns a base64 encoded PKCS#7 structure.
*/ */
static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const EVP_MD *md, int verbose, int noverifypeer) static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161,
const EVP_MD *md, int verbose, int noverifypeer)
{ {
CURL *curl; CURL *curl;
struct curl_slist *slist = NULL; struct curl_slist *slist = NULL;
@ -589,7 +589,7 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
} }
curl_easy_setopt(curl, CURLOPT_URL, url); curl_easy_setopt(curl, CURLOPT_URL, url);
/* curl_easy_setopt(curl, CURLOPT_VERBOSE, 42); */ /* curl_easy_setopt(curl, CURLOPT_VERBOSE, 42); */
if (noverifypeer) if (noverifypeer)
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE);
@ -761,9 +761,8 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
astr = ASN1_STRING_new(); astr = ASN1_STRING_new();
ASN1_STRING_set(astr, p, len); ASN1_STRING_set(astr, p, len);
OPENSSL_free(p); OPENSSL_free(p);
PKCS7_add_attribute PKCS7_add_attribute(si, NID_pkcs9_countersignature,
(si, NID_pkcs9_countersignature, V_ASN1_SEQUENCE, astr);
V_ASN1_SEQUENCE, astr);
PKCS7_free(p7); PKCS7_free(p7);
} }
@ -775,7 +774,8 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy, int rfc3161, const
return (int)c; return (int)c;
} }
static int add_timestamp_authenticode(PKCS7 *sig, char **url, int nurls, char *proxy, int noverifypeer) static int add_timestamp_authenticode(PKCS7 *sig, char **url, int nurls,
char *proxy, int noverifypeer)
{ {
int i; int i;
for (i=0; i<nurls; i++) { for (i=0; i<nurls; i++) {
@ -785,7 +785,8 @@ static int add_timestamp_authenticode(PKCS7 *sig, char **url, int nurls, char *p
return -1; return -1;
} }
static int add_timestamp_rfc3161(PKCS7 *sig, char **url, int nurls, char *proxy, const EVP_MD *md, int noverifypeer) static int add_timestamp_rfc3161(PKCS7 *sig, char **url, int nurls,
char *proxy, const EVP_MD *md, int noverifypeer)
{ {
int i; int i;
for (i=0; i<nurls; i++) { for (i=0; i<nurls; i++) {
@ -809,12 +810,12 @@ static void cleanup_lib_state(void)
#endif #endif
OBJ_cleanup(); OBJ_cleanup();
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup(); ENGINE_cleanup();
#endif #endif
EVP_cleanup(); EVP_cleanup();
CONF_modules_free(); CONF_modules_free();
CRYPTO_cleanup_all_ex_data(); CRYPTO_cleanup_all_ex_data();
ERR_free_strings(); ERR_free_strings();
} }
static void usage(const char *argv0) static void usage(const char *argv0)
@ -840,8 +841,10 @@ static void usage(const char *argv0)
"\t\t[ -addUnauthenticatedBlob ]\n\n" "\t\t[ -addUnauthenticatedBlob ]\n\n"
"\t\t[ -nest ]\n\n" "\t\t[ -nest ]\n\n"
"\t\t[ -verbose ]\n\n" "\t\t[ -verbose ]\n\n"
#ifdef WITH_GSF
"\t\tMSI specific:\n" "\t\tMSI specific:\n"
"\t\t[ -add-msi-dse ]\n\n" "\t\t[ -add-msi-dse ]\n\n"
#endif
"\t\t[ -in ] <infile> [-out ] <outfile>\n\n" "\t\t[ -in ] <infile> [-out ] <outfile>\n\n"
"\textract-signature [ -pem ] [ -in ] <infile> [ -out ] <outfile>\n\n" "\textract-signature [ -pem ] [ -in ] <infile> [ -out ] <outfile>\n\n"
"\tremove-signature [ -in ] <infile> [ -out ] <outfile>\n\n" "\tremove-signature [ -in ] <infile> [ -out ] <outfile>\n\n"
@ -917,14 +920,15 @@ static const unsigned char classid_page_hash[] = {
0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6 0xAE, 0x05, 0xA2, 0x17, 0xDA, 0x8E, 0x60, 0xD6
}; };
static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus, static unsigned char *calc_page_hash(char *indata, unsigned int peheader,
unsigned int sigpos, int phtype, unsigned int *phlen); int pe32plus, unsigned int sigpos, int phtype, unsigned int *phlen);
DEFINE_STACK_OF(ASN1_OCTET_STRING) DEFINE_STACK_OF(ASN1_OCTET_STRING)
DEFINE_STACK_OF(SpcAttributeTypeAndOptionalValue) DEFINE_STACK_OF(SpcAttributeTypeAndOptionalValue)
static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int peheader, int pe32plus, unsigned int sigpos) static SpcLink *get_page_hash_link(int phtype, char *indata,
unsigned int peheader, int pe32plus, unsigned int sigpos)
{ {
unsigned int phlen; unsigned int phlen;
unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen); unsigned char *ph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &phlen);
@ -974,9 +978,9 @@ static SpcLink *get_page_hash_link(int phtype, char *indata, unsigned int pehead
return link; return link;
} }
static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, file_type_t type, static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md,
int pagehash, char *indata, unsigned int peheader, int pe32plus, file_type_t type, int pagehash, char *indata, unsigned int peheader,
unsigned int sigpos) int pe32plus, unsigned int sigpos)
{ {
static const unsigned char msistr[] = { static const unsigned char msistr[] = {
0xf1, 0x10, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf1, 0x10, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00,
@ -1099,7 +1103,8 @@ static void recalc_pe_checksum(BIO *bio, unsigned int peheader)
BIO_write(bio, buf, 4); BIO_write(bio, buf, 4);
} }
static unsigned char nib2val(unsigned char c) { static unsigned char nib2val(unsigned char c)
{
if (c >= '0' && c <= '9') { if (c >= '0' && c <= '9') {
return c - '0'; return c - '0';
} else if (c >= 'a' && c <= 'f') { } else if (c >= 'a' && c <= 'f') {
@ -1112,7 +1117,8 @@ static unsigned char nib2val(unsigned char c) {
return 0; return 0;
} }
static int verify_leaf_hash(X509 *leaf, const char *leafhash) { static int verify_leaf_hash(X509 *leaf, const char *leafhash)
{
char *lhdup = NULL; char *lhdup = NULL;
char *orig = NULL; char *orig = NULL;
char *mdid = NULL; char *mdid = NULL;
@ -1195,16 +1201,19 @@ out:
return ret; return ret;
} }
// pkcs7_get_nested_signature exctracts a nested signature from p7. /*
// The caller is responsible for freeing the returned object. * pkcs7_get_nested_signature exctracts a nested signature from p7.
// * The caller is responsible for freeing the returned object.
// If has_sig is provided, it will be set to either 1 if there is a *
// SPC_NESTED_SIGNATURE attribute in p7 at all or 0 if not. * If has_sig is provided, it will be set to either 1 if there is a
// This allows has_sig to be used to distinguish two possible scenarios * SPC_NESTED_SIGNATURE attribute in p7 at all or 0 if not.
// when the functon returns NULL: if has_sig is 1, it means d2i_PKCS7 * This allows has_sig to be used to distinguish two possible scenarios
// failed to decode the nested signature. However, if has_sig is 0, it * when the functon returns NULL: if has_sig is 1, it means d2i_PKCS7
// simply means the given p7 does not have a nested signature. * failed to decode the nested signature. However, if has_sig is 0, it
static PKCS7 *pkcs7_get_nested_signature(PKCS7 *p7, int *has_sig) { * simply means the given p7 does not have a nested signature.
*/
static PKCS7 *pkcs7_get_nested_signature(PKCS7 *p7, int *has_sig)
{
PKCS7 *ret = NULL; PKCS7 *ret = NULL;
PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0); PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
ASN1_TYPE *nestedSignature = PKCS7_get_attribute(si, OBJ_txt2nid(SPC_NESTED_SIGNATURE_OBJID)); ASN1_TYPE *nestedSignature = PKCS7_get_attribute(si, OBJ_txt2nid(SPC_NESTED_SIGNATURE_OBJID));
@ -1218,9 +1227,12 @@ static PKCS7 *pkcs7_get_nested_signature(PKCS7 *p7, int *has_sig) {
return ret; return ret;
} }
// pkcs7_set_nested_signature adds the p7nest signature to p7 /*
// as a nested signature (SPC_NESTED_SIGNATURE). * pkcs7_set_nested_signature adds the p7nest signature to p7
static int pkcs7_set_nested_signature(PKCS7 *p7, PKCS7 *p7nest) { * as a nested signature (SPC_NESTED_SIGNATURE).
*/
static int pkcs7_set_nested_signature(PKCS7 *p7, PKCS7 *p7nest)
{
u_char *p = NULL; u_char *p = NULL;
int len = 0; int len = 0;
@ -1334,7 +1346,7 @@ static GSList *msi_sorted_infile_children(GsfInfile *infile)
continue; continue;
if (!g_strcmp0(decoded, "\05MsiDigitalSignatureEx")) if (!g_strcmp0(decoded, "\05MsiDigitalSignatureEx"))
continue; continue;
sorted = g_slist_insert_sorted(sorted, (gpointer)name, (GCompareFunc)msi_cmp); sorted = g_slist_insert_sorted(sorted, (gpointer)name, (GCompareFunc)msi_cmp);
} }
@ -1394,9 +1406,9 @@ static gboolean msi_prehash(GsfInfile *infile, gchar *dirname, BIO *hash)
* Creation time and modification time for the root directory. * Creation time and modification time for the root directory.
* These are always zero. The ctime and mtime of the actual * These are always zero. The ctime and mtime of the actual
* file itself takes precedence. * file itself takes precedence.
*/ */
BIO_write(hash, zeroes, 8); // ctime as Windows FILETIME. BIO_write(hash, zeroes, 8); /* ctime as Windows FILETIME */
BIO_write(hash, zeroes, 8); // mtime as Windows FILETIME. BIO_write(hash, zeroes, 8); /* mtime as Windows FILETIME */
} }
sorted = msi_sorted_infile_children(infile); sorted = msi_sorted_infile_children(infile);
@ -1434,8 +1446,8 @@ static gboolean msi_prehash(GsfInfile *infile, gchar *dirname, BIO *hash)
* zeroed, because libgsf doesn't seem * zeroed, because libgsf doesn't seem
* to support outputting them. * to support outputting them.
*/ */
BIO_write(hash, zeroes, 8); // ctime as a Windows FILETIME BIO_write(hash, zeroes, 8); /* ctime as Windows FILETIME */
BIO_write(hash, zeroes, 8); // mtime as a Windows FILETIME BIO_write(hash, zeroes, 8); /* mtime as Windows FILETIME */
} }
} }
@ -1506,7 +1518,10 @@ static gboolean msi_handle_dir(GsfInfile *infile, GsfOutfile *outole, BIO *hash)
* msi_verify_pkcs7 is a helper function for msi_verify_file. * msi_verify_pkcs7 is a helper function for msi_verify_file.
* It exists to make it easier to implement verification of nested signatures. * It exists to make it easier to implement verification of nested signatures.
*/ */
static int msi_verify_pkcs7(PKCS7 *p7, GsfInfile *infile, unsigned char *exdata, unsigned int exlen, char *leafhash, int allownest) { static int msi_verify_pkcs7(PKCS7 *p7, GsfInfile *infile,
unsigned char *exdata, unsigned int exlen, char *leafhash,
int allownest)
{
int i = 0; int i = 0;
int ret = 0; int ret = 0;
X509_STORE *store = NULL; X509_STORE *store = NULL;
@ -1618,9 +1633,9 @@ static int msi_verify_pkcs7(PKCS7 *p7, GsfInfile *infile, unsigned char *exdata,
printf("\n"); printf("\n");
int seqhdrlen = asn1_simple_hdr_len(p7->d.sign->contents->d.other->value.sequence->data, int seqhdrlen = asn1_simple_hdr_len(p7->d.sign->contents->d.other->value.sequence->data,
p7->d.sign->contents->d.other->value.sequence->length); p7->d.sign->contents->d.other->value.sequence->length);
bio = BIO_new_mem_buf(p7->d.sign->contents->d.other->value.sequence->data + seqhdrlen, bio = BIO_new_mem_buf(p7->d.sign->contents->d.other->value.sequence->data + seqhdrlen,
p7->d.sign->contents->d.other->value.sequence->length - seqhdrlen); p7->d.sign->contents->d.other->value.sequence->length - seqhdrlen);
store = X509_STORE_new(); store = X509_STORE_new();
int verok = PKCS7_verify(p7, p7->d.sign->cert, store, bio, NULL, PKCS7_NOVERIFY); int verok = PKCS7_verify(p7, p7->d.sign->cert, store, bio, NULL, PKCS7_NOVERIFY);
BIO_free(bio); BIO_free(bio);
@ -1656,7 +1671,7 @@ static int msi_verify_pkcs7(PKCS7 *p7, GsfInfile *infile, unsigned char *exdata,
printf("\tCert #%d:\n\t\tSubject : %s\n\t\tIssuer : %s\n", i, subject, issuer); printf("\tCert #%d:\n\t\tSubject : %s\n\t\tIssuer : %s\n", i, subject, issuer);
OPENSSL_free(subject); OPENSSL_free(subject);
OPENSSL_free(issuer); OPENSSL_free(issuer);
} }
printf("\n"); printf("\n");
@ -1678,10 +1693,12 @@ static int msi_verify_pkcs7(PKCS7 *p7, GsfInfile *infile, unsigned char *exdata,
} else if (!p7nest && has_sig) { } else if (!p7nest && has_sig) {
printf("\nFailed to decode nested signature!\n"); printf("\nFailed to decode nested signature!\n");
ret = 1; ret = 1;
} else } else {
printf("\n"); printf("\n");
} else }
} else {
printf("\n"); printf("\n");
}
out: out:
if (store) if (store)
@ -1693,7 +1710,8 @@ out:
/* /*
* msi_verify_file checks whether or not the signature of infile is valid. * msi_verify_file checks whether or not the signature of infile is valid.
*/ */
static int msi_verify_file(GsfInfile *infile, char *leafhash) { static int msi_verify_file(GsfInfile *infile, char *leafhash)
{
GsfInput *sig = NULL; GsfInput *sig = NULL;
GsfInput *exsig = NULL; GsfInput *exsig = NULL;
unsigned char *exdata = NULL; unsigned char *exdata = NULL;
@ -1749,7 +1767,9 @@ out:
return ret; return ret;
} }
static int msi_extract_dse(GsfInfile *infile, unsigned char **dsebuf, unsigned long *dselen, int *has_dse) { static int msi_extract_dse(GsfInfile *infile, unsigned char **dsebuf,
unsigned long *dselen, int *has_dse)
{
GsfInput *exsig = NULL; GsfInput *exsig = NULL;
gchar decoded[0x40]; gchar decoded[0x40];
u_char *buf = NULL; u_char *buf = NULL;
@ -1795,7 +1815,8 @@ out:
* msi_extract_signature_to_file extracts the MSI DigitalSignaure from infile * msi_extract_signature_to_file extracts the MSI DigitalSignaure from infile
* to a file at the path given by outfile. * to a file at the path given by outfile.
*/ */
static int msi_extract_signature_to_file(GsfInfile *infile, char *outfile) { static int msi_extract_signature_to_file(GsfInfile *infile, char *outfile)
{
unsigned char hexbuf[EVP_MAX_MD_SIZE*2+1]; unsigned char hexbuf[EVP_MAX_MD_SIZE*2+1];
GsfInput *sig = NULL; GsfInput *sig = NULL;
GsfInput *exsig = NULL; GsfInput *exsig = NULL;
@ -1862,7 +1883,8 @@ out:
return ret; return ret;
} }
static PKCS7 *msi_extract_signature_to_pkcs7(GsfInfile *infile) { static PKCS7 *msi_extract_signature_to_pkcs7(GsfInfile *infile)
{
GsfInput *sig = NULL; GsfInput *sig = NULL;
gchar decoded[0x40]; gchar decoded[0x40];
PKCS7 *p7 = NULL; PKCS7 *p7 = NULL;
@ -1898,7 +1920,7 @@ out:
#endif #endif
static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf, static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
unsigned int peheader, int pe32plus, unsigned int fileend) unsigned int peheader, int pe32plus, unsigned int fileend)
{ {
static unsigned char bfb[16*1024*1024]; static unsigned char bfb[16*1024*1024];
EVP_MD_CTX *mdctx; EVP_MD_CTX *mdctx;
@ -1932,9 +1954,8 @@ static void calc_pe_digest(BIO *bio, const EVP_MD *md, unsigned char *mdbuf,
EVP_MD_CTX_free(mdctx); EVP_MD_CTX_free(mdctx);
} }
static void extract_page_hash (SpcAttributeTypeAndOptionalValue *obj, static void extract_page_hash (SpcAttributeTypeAndOptionalValue *obj,
unsigned char **ph, unsigned int *phlen, int *phtype) unsigned char **ph, unsigned int *phlen, int *phtype)
{ {
*phlen = 0; *phlen = 0;
@ -1987,8 +2008,8 @@ static void extract_page_hash (SpcAttributeTypeAndOptionalValue *obj,
SpcAttributeTypeAndOptionalValue_free(obj); SpcAttributeTypeAndOptionalValue_free(obj);
} }
static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe32plus, static unsigned char *calc_page_hash(char *indata, unsigned int peheader,
unsigned int sigpos, int phtype, unsigned int *rphlen) int pe32plus, unsigned int sigpos, int phtype, unsigned int *rphlen)
{ {
unsigned short nsections = GET_UINT16_LE(indata + peheader + 6); unsigned short nsections = GET_UINT16_LE(indata + peheader + 6);
unsigned int pagesize = GET_UINT32_LE(indata + peheader + 56); unsigned int pagesize = GET_UINT32_LE(indata + peheader + 56);
@ -2040,9 +2061,9 @@ static unsigned char *calc_page_hash(char *indata, unsigned int peheader, int pe
return res; return res;
} }
static int verify_pe_pkcs7(PKCS7 *p7, char *indata, unsigned int peheader, int pe32plus, static int verify_pe_pkcs7(PKCS7 *p7, char *indata, unsigned int peheader,
unsigned int sigpos, unsigned int siglen, char *leafhash, int pe32plus, unsigned int sigpos, unsigned int siglen,
int allownest) char *leafhash, int allownest)
{ {
int ret = 0; int ret = 0;
int mdtype = -1, phtype = -1; int mdtype = -1, phtype = -1;
@ -2098,15 +2119,15 @@ static int verify_pe_pkcs7(PKCS7 *p7, char *indata, unsigned int peheader, int p
unsigned char *cph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &cphlen); unsigned char *cph = calc_page_hash(indata, peheader, pe32plus, sigpos, phtype, &cphlen);
tohex(cph, hexbuf, (cphlen < 32) ? cphlen : 32); tohex(cph, hexbuf, (cphlen < 32) ? cphlen : 32);
printf("Calculated page hash : %s ...%s\n\n", hexbuf, printf("Calculated page hash : %s ...%s\n\n", hexbuf,
((phlen != cphlen) || memcmp(ph, cph, phlen)) ? " MISMATCH!!!":""); ((phlen != cphlen) || memcmp(ph, cph, phlen)) ? " MISMATCH!!!":"");
free(ph); free(ph);
free(cph); free(cph);
} }
int seqhdrlen = asn1_simple_hdr_len(p7->d.sign->contents->d.other->value.sequence->data, int seqhdrlen = asn1_simple_hdr_len(p7->d.sign->contents->d.other->value.sequence->data,
p7->d.sign->contents->d.other->value.sequence->length); p7->d.sign->contents->d.other->value.sequence->length);
bio = BIO_new_mem_buf(p7->d.sign->contents->d.other->value.sequence->data + seqhdrlen, bio = BIO_new_mem_buf(p7->d.sign->contents->d.other->value.sequence->data + seqhdrlen,
p7->d.sign->contents->d.other->value.sequence->length - seqhdrlen); p7->d.sign->contents->d.other->value.sequence->length - seqhdrlen);
X509_STORE *store = X509_STORE_new(); X509_STORE *store = X509_STORE_new();
int verok = PKCS7_verify(p7, p7->d.sign->cert, store, bio, NULL, PKCS7_NOVERIFY); int verok = PKCS7_verify(p7, p7->d.sign->cert, store, bio, NULL, PKCS7_NOVERIFY);
BIO_free(bio); BIO_free(bio);
@ -2130,7 +2151,7 @@ static int verify_pe_pkcs7(PKCS7 *p7, char *indata, unsigned int peheader, int p
if (i > 0) if (i > 0)
printf("\t------------------\n"); printf("\t------------------\n");
printf("\tSigner #%d:\n\t\tSubject: %s\n\t\tIssuer : %s\n\t\tSerial : %s\n", printf("\tSigner #%d:\n\t\tSubject: %s\n\t\tIssuer : %s\n\t\tSerial : %s\n",
i, subject, issuer, serial); i, subject, issuer, serial);
OPENSSL_free(subject); OPENSSL_free(subject);
OPENSSL_free(issuer); OPENSSL_free(issuer);
OPENSSL_free(serial); OPENSSL_free(serial);
@ -2152,7 +2173,7 @@ static int verify_pe_pkcs7(PKCS7 *p7, char *indata, unsigned int peheader, int p
if (i > 0) if (i > 0)
printf("\t------------------\n"); printf("\t------------------\n");
printf("\tCert #%d:\n\t\tSubject: %s\n\t\tIssuer : %s\n\t\tSerial : %s\n", printf("\tCert #%d:\n\t\tSubject: %s\n\t\tIssuer : %s\n\t\tSerial : %s\n",
i, subject, issuer, serial); i, subject, issuer, serial);
OPENSSL_free(subject); OPENSSL_free(subject);
OPENSSL_free(issuer); OPENSSL_free(issuer);
OPENSSL_free(serial); OPENSSL_free(serial);
@ -2177,10 +2198,12 @@ static int verify_pe_pkcs7(PKCS7 *p7, char *indata, unsigned int peheader, int p
} else if (!p7nest && has_sig) { } else if (!p7nest && has_sig) {
printf("\nFailed to decode nested signature!\n"); printf("\nFailed to decode nested signature!\n");
ret = 1; ret = 1;
} else } else {
printf("\n"); printf("\n");
} else }
} else {
printf("\n"); printf("\n");
}
X509_STORE_free(store); X509_STORE_free(store);
@ -2188,7 +2211,7 @@ static int verify_pe_pkcs7(PKCS7 *p7, char *indata, unsigned int peheader, int p
} }
static int verify_pe_file(char *indata, unsigned int peheader, int pe32plus, static int verify_pe_file(char *indata, unsigned int peheader, int pe32plus,
unsigned int sigpos, unsigned int siglen, char *leafhash) unsigned int sigpos, unsigned int siglen, char *leafhash)
{ {
int ret = 0; int ret = 0;
unsigned int pe_checksum = GET_UINT32_LE(indata + peheader + 88); unsigned int pe_checksum = GET_UINT32_LE(indata + peheader + 88);
@ -2200,7 +2223,7 @@ static int verify_pe_file(char *indata, unsigned int peheader, int pe32plus,
if (pe_checksum && pe_checksum != real_pe_checksum) if (pe_checksum && pe_checksum != real_pe_checksum)
ret = 1; ret = 1;
printf("Calculated PE checksum: %08X%s\n\n", real_pe_checksum, printf("Calculated PE checksum: %08X%s\n\n", real_pe_checksum,
ret ? " MISMATCH!!!!" : ""); ret ? " MISMATCH!!!!" : "");
if (siglen == 0) { if (siglen == 0) {
printf("No signature found.\n\n"); printf("No signature found.\n\n");
return ret; return ret;
@ -2232,10 +2255,12 @@ static int verify_pe_file(char *indata, unsigned int peheader, int pe32plus,
return ret; return ret;
} }
// extract_existing_pe_pkcs7 retreives a decoded PKCS7 struct corresponding to the /*
// existing signature of the PE file. * extract_existing_pe_pkcs7 retreives a decoded PKCS7 struct
static PKCS7 *extract_existing_pe_pkcs7(char *indata, unsigned int peheader, int pe32plus, * corresponding to the existing signature of the PE file.
unsigned int sigpos, unsigned int siglen) */
static PKCS7 *extract_existing_pe_pkcs7(char *indata, unsigned int peheader,
int pe32plus, unsigned int sigpos, unsigned int siglen)
{ {
unsigned int pos = 0; unsigned int pos = 0;
PKCS7 *p7 = NULL; PKCS7 *p7 = NULL;
@ -2289,8 +2314,7 @@ static off_t get_file_size(const char *infile)
struct stat st; struct stat st;
ret = stat(infile, &st); ret = stat(infile, &st);
#endif #endif
if (ret) if (ret) {
{
fprintf(stderr, "Failed to open file: %s\n", infile); fprintf(stderr, "Failed to open file: %s\n", infile);
return 0; return 0;
} }
@ -2326,33 +2350,33 @@ static char* map_file(const char *infile, const off_t size)
} }
#ifdef PROVIDE_ASKPASS #ifdef PROVIDE_ASKPASS
char *getpassword(const char *prompt) static char *getpassword(const char *prompt)
{ {
#ifdef HAVE_TERMIOS_H #ifdef HAVE_TERMIOS_H
struct termios ofl, nfl; struct termios ofl, nfl;
char *p, passbuf[1024]; char *p, passbuf[1024];
fputs(prompt, stdout); fputs(prompt, stdout);
tcgetattr(fileno(stdin), &ofl); tcgetattr(fileno(stdin), &ofl);
nfl = ofl; nfl = ofl;
nfl.c_lflag &= ~ECHO; nfl.c_lflag &= ~ECHO;
nfl.c_lflag |= ECHONL; nfl.c_lflag |= ECHONL;
if (tcsetattr(fileno(stdin), TCSANOW, &nfl) != 0) { if (tcsetattr(fileno(stdin), TCSANOW, &nfl) != 0) {
fprintf(stderr, "Failed to set terminal attributes\n"); fprintf(stderr, "Failed to set terminal attributes\n");
return NULL; return NULL;
} }
p = fgets(passbuf, sizeof(passbuf), stdin); p = fgets(passbuf, sizeof(passbuf), stdin);
if (tcsetattr(fileno(stdin), TCSANOW, &ofl) != 0) if (tcsetattr(fileno(stdin), TCSANOW, &ofl) != 0)
fprintf(stderr, "Failed to restore terminal attributes\n"); fprintf(stderr, "Failed to restore terminal attributes\n");
if (!p) { if (!p) {
fprintf(stderr, "Failed to read password\n"); fprintf(stderr, "Failed to read password\n");
return NULL; return NULL;
} }
passbuf[strlen(passbuf)-1] = 0x00; passbuf[strlen(passbuf)-1] = 0x00;
char *pass = strdup(passbuf); char *pass = strdup(passbuf);
@ -2364,8 +2388,7 @@ char *getpassword(const char *prompt)
} }
#endif #endif
int main(int argc, char **argv) int main(int argc, char **argv) {
{
BIO *btmp, *sigbio, *hash, *outdata; BIO *btmp, *sigbio, *hash, *outdata;
PKCS12 *p12; PKCS12 *p12;
PKCS7 *p7 = NULL, *cursig = NULL, *outsig = NULL, *sig, *p7x = NULL; PKCS7 *p7 = NULL, *cursig = NULL, *outsig = NULL, *sig, *p7x = NULL;
@ -2389,13 +2412,15 @@ int main(int argc, char **argv)
int noverifypeer = 0; int noverifypeer = 0;
#endif #endif
int nest = 0; int nest = 0;
#ifdef WITH_GSF
int add_msi_dse = 0; int add_msi_dse = 0;
#endif
int nturl = 0, ntsurl = 0; int nturl = 0, ntsurl = 0;
int addBlob = 0; int addBlob = 0;
u_char *p = NULL; u_char *p = NULL;
int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0; int ret = 0, i, len = 0, jp = -1, pe32plus = 0, comm = 0, pagehash = 0;
unsigned int tmp, peheader = 0, padlen = 0; unsigned int tmp, peheader = 0, padlen = 0;
off_t filesize, fileend, sigfilesize, sigfileend, outdatasize; off_t filesize, fileend, sigfilesize, outdatasize;
file_type_t type; file_type_t type;
cmd_type_t cmd = CMD_SIGN; cmd_type_t cmd = CMD_SIGN;
char *failarg = NULL; char *failarg = NULL;
@ -2449,7 +2474,7 @@ int main(int argc, char **argv)
} else if (!strcmp(argv[1], "attach-signature")) { } else if (!strcmp(argv[1], "attach-signature")) {
cmd = CMD_ATTACH; cmd = CMD_ATTACH;
argv++; argv++;
argc--; argc--;
} else if (!strcmp(argv[1], "remove-signature")) { } else if (!strcmp(argv[1], "remove-signature")) {
cmd = CMD_REMOVE; cmd = CMD_REMOVE;
argv++; argv++;
@ -2494,7 +2519,7 @@ int main(int argc, char **argv)
p11engine = *(++argv); p11engine = *(++argv);
} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11module")) { } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11module")) {
if (--argc < 1) usage(argv0); if (--argc < 1) usage(argv0);
p11module = *(++argv); p11module = *(++argv);
} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pass")) { } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pass")) {
if (askpass || readpass) usage(argv0); if (askpass || readpass) usage(argv0);
if (--argc < 1) usage(argv0); if (--argc < 1) usage(argv0);
@ -2554,33 +2579,35 @@ int main(int argc, char **argv)
nest = 1; nest = 1;
} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-verbose")) { } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-verbose")) {
g_verbose = 1; g_verbose = 1;
#ifdef WITH_GSF
} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-add-msi-dse")) { } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-add-msi-dse")) {
add_msi_dse = 1; add_msi_dse = 1;
#endif
} else if ((cmd == CMD_VERIFY) && !strcmp(*argv, "-require-leaf-hash")) { } else if ((cmd == CMD_VERIFY) && !strcmp(*argv, "-require-leaf-hash")) {
if (--argc < 1) usage(argv0); if (--argc < 1) usage(argv0);
leafhash = (*++argv); leafhash = (*++argv);
} else if (!strcmp(*argv, "-v") || !strcmp(*argv, "--version")) { } else if (!strcmp(*argv, "-v") || !strcmp(*argv, "--version")) {
printf(PACKAGE_STRING ", using:\n\t%s\n\t%s\n", printf(PACKAGE_STRING ", using:\n\t%s\n\t%s\n",
SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_VERSION),
#ifdef ENABLE_CURL #ifdef ENABLE_CURL
curl_version() curl_version()
#else #else
"no libcurl available" "no libcurl available"
#endif #endif
); );
printf( printf(
#ifdef WITH_GSF #ifdef WITH_GSF
"\tlibgsf %d.%d.%d\n", "\tlibgsf %d.%d.%d\n",
libgsf_major_version, libgsf_major_version,
libgsf_minor_version, libgsf_minor_version,
libgsf_micro_version libgsf_micro_version
#else #else
"\tno libgsf available\n" "\tno libgsf available\n"
#endif #endif
); );
printf("\nPlease send bug-reports to " printf("\nPlease send bug-reports to "
PACKAGE_BUGREPORT PACKAGE_BUGREPORT
"\n\n"); "\n\n");
} else if (!strcmp(*argv, "-jp")) { } else if (!strcmp(*argv, "-jp")) {
char *ap; char *ap;
@ -2672,45 +2699,45 @@ int main(int argc, char **argv)
DO_EXIT_1("Failed to read certificate file: %s\n", certfile); DO_EXIT_1("Failed to read certificate file: %s\n", certfile);
BIO_free(btmp); BIO_free(btmp);
if ((btmp = BIO_new_file(pvkfile, "rb")) == NULL || if ((btmp = BIO_new_file(pvkfile, "rb")) == NULL ||
( (pkey = b2i_PVK_bio(btmp, NULL, pass ? pass : "")) == NULL && ((pkey = b2i_PVK_bio(btmp, NULL, pass ? pass : "")) == NULL &&
(BIO_seek(btmp, 0) == 0) && (BIO_seek(btmp, 0) == 0) &&
(pkey = b2i_PVK_bio(btmp, NULL, NULL)) == NULL)) (pkey = b2i_PVK_bio(btmp, NULL, NULL)) == NULL))
DO_EXIT_1("Failed to read PVK file: %s\n", pvkfile); DO_EXIT_1("Failed to read PVK file: %s\n", pvkfile);
BIO_free(btmp); BIO_free(btmp);
} else if (p11engine != NULL && p11module != NULL) { } else if (p11engine != NULL && p11module != NULL) {
const int CMD_MANDATORY = 0; const int CMD_MANDATORY = 0;
ENGINE_load_dynamic(); ENGINE_load_dynamic();
ENGINE * dyn = ENGINE_by_id( "dynamic" ); ENGINE * dyn = ENGINE_by_id("dynamic");
if ( ! dyn ) if (!dyn)
DO_EXIT_0( "Failed to load 'dynamic' engine"); DO_EXIT_0("Failed to load 'dynamic' engine");
if ( 1 != ENGINE_ctrl_cmd_string( dyn, "SO_PATH", p11engine, CMD_MANDATORY ) ) if (1 != ENGINE_ctrl_cmd_string(dyn, "SO_PATH", p11engine, CMD_MANDATORY))
DO_EXIT_1( "Failed to set dyn SO_PATH to '%s'", p11engine); DO_EXIT_1("Failed to set dyn SO_PATH to '%s'", p11engine);
if ( 1 != ENGINE_ctrl_cmd_string( dyn, "ID", "pkcs11", CMD_MANDATORY ) ) if (1 != ENGINE_ctrl_cmd_string(dyn, "ID", "pkcs11", CMD_MANDATORY))
DO_EXIT_0( "Failed to set dyn ID to 'pkcs11'" ); DO_EXIT_0("Failed to set dyn ID to 'pkcs11'");
if ( 1 != ENGINE_ctrl_cmd( dyn, "LIST_ADD", 1, NULL, NULL, CMD_MANDATORY ) ) if (1 != ENGINE_ctrl_cmd(dyn, "LIST_ADD", 1, NULL, NULL, CMD_MANDATORY))
DO_EXIT_0( "Failed to set dyn LIST_ADD to '1'" ); DO_EXIT_0("Failed to set dyn LIST_ADD to '1'");
if ( 1 != ENGINE_ctrl_cmd( dyn, "LOAD", 1, NULL, NULL, CMD_MANDATORY ) ) if (1 != ENGINE_ctrl_cmd(dyn, "LOAD", 1, NULL, NULL, CMD_MANDATORY))
DO_EXIT_0( "Failed to set dyn LOAD to '1'" ); DO_EXIT_0("Failed to set dyn LOAD to '1'");
ENGINE * pkcs11 = ENGINE_by_id( "pkcs11" ); ENGINE * pkcs11 = ENGINE_by_id("pkcs11");
if ( ! pkcs11 ) if (!pkcs11)
DO_EXIT_0( "Failed to find and load pkcs11 engine" ); DO_EXIT_0("Failed to find and load pkcs11 engine");
if ( 1 != ENGINE_ctrl_cmd_string( pkcs11, "MODULE_PATH", p11module, CMD_MANDATORY ) ) if (1 != ENGINE_ctrl_cmd_string(pkcs11, "MODULE_PATH", p11module, CMD_MANDATORY))
DO_EXIT_1( "Failed to set pkcs11 engine MODULE_PATH to '%s'", p11module ); DO_EXIT_1("Failed to set pkcs11 engine MODULE_PATH to '%s'", p11module);
if (pass != NULL) { if (pass != NULL) {
if ( 1 != ENGINE_ctrl_cmd_string( pkcs11, "PIN", pass, CMD_MANDATORY ) ) if (1 != ENGINE_ctrl_cmd_string(pkcs11, "PIN", pass, CMD_MANDATORY))
DO_EXIT_0( "Failed to set pkcs11 PIN" ); DO_EXIT_0("Failed to set pkcs11 PIN");
} }
if ( 1 != ENGINE_init( pkcs11 ) ) if (1 != ENGINE_init(pkcs11))
DO_EXIT_0( "Failed to initialized pkcs11 engine" ); DO_EXIT_0("Failed to initialized pkcs11 engine");
pkey = ENGINE_load_private_key( pkcs11, keyfile, NULL, NULL ); pkey = ENGINE_load_private_key(pkcs11, keyfile, NULL, NULL);
if (pkey == NULL) if (pkey == NULL)
DO_EXIT_1("Failed to load private key %s", keyfile); DO_EXIT_1("Failed to load private key %s", keyfile);
if ((btmp = BIO_new_file(certfile, "rb")) == NULL || if ((btmp = BIO_new_file(certfile, "rb")) == NULL ||
@ -2725,7 +2752,7 @@ int main(int argc, char **argv)
DO_EXIT_1("Failed to read certificate file: %s\n", certfile); DO_EXIT_1("Failed to read certificate file: %s\n", certfile);
BIO_free(btmp); BIO_free(btmp);
if ((btmp = BIO_new_file(keyfile, "rb")) == NULL || if ((btmp = BIO_new_file(keyfile, "rb")) == NULL ||
( (pkey = d2i_PrivateKey_bio(btmp, NULL)) == NULL && ((pkey = d2i_PrivateKey_bio(btmp, NULL)) == NULL &&
(BIO_seek(btmp, 0) == 0) && (BIO_seek(btmp, 0) == 0) &&
(pkey = PEM_read_bio_PrivateKey(btmp, NULL, NULL, pass ? pass : "")) == NULL && (pkey = PEM_read_bio_PrivateKey(btmp, NULL, NULL, pass ? pass : "")) == NULL &&
(BIO_seek(btmp, 0) == 0) && (BIO_seek(btmp, 0) == 0) &&
@ -2745,7 +2772,7 @@ int main(int argc, char **argv)
if (pass) { if (pass) {
memset (pass, 0, strlen(pass)); memset (pass, 0, strlen(pass));
pass = NULL; pass = NULL;
} }
} }
if (certs == NULL && p7 != NULL) if (certs == NULL && p7 != NULL)
@ -2808,7 +2835,7 @@ int main(int argc, char **argv)
ole = gsf_infile_msole_new(src, NULL); ole = gsf_infile_msole_new(src, NULL);
if (cmd == CMD_EXTRACT) { if (cmd == CMD_EXTRACT) {
if(output_pkcs7) { if (output_pkcs7) {
sig = msi_extract_signature_to_pkcs7(ole); sig = msi_extract_signature_to_pkcs7(ole);
if (!sig) if (!sig)
DO_EXIT_0("Unable to extract existing signature."); DO_EXIT_0("Unable to extract existing signature.");
@ -2817,19 +2844,21 @@ int main(int argc, char **argv)
DO_EXIT_1("Unable to open %s\n\n", outfile); DO_EXIT_1("Unable to open %s\n\n", outfile);
ret = !PEM_write_bio_PKCS7(outdata, sig); ret = !PEM_write_bio_PKCS7(outdata, sig);
BIO_free_all(outdata); BIO_free_all(outdata);
} } else {
else
ret = msi_extract_signature_to_file(ole, outfile); ret = msi_extract_signature_to_file(ole, outfile);
}
goto skip_signing; goto skip_signing;
} else if (cmd == CMD_VERIFY) { } else if (cmd == CMD_VERIFY) {
ret = msi_verify_file(ole, leafhash); ret = msi_verify_file(ole, leafhash);
goto skip_signing; goto skip_signing;
} else if (cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_ATTACH) { } else if (cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_ATTACH) {
if (nest || cmd == CMD_ADD) { if (nest || cmd == CMD_ADD) {
// Perform a sanity check for the MsiDigitalSignatureEx section. /*
// If the file we're attempting to sign has an MsiDigitalSignatureEx * Perform a sanity check for the MsiDigitalSignatureEx section.
// section, we can't add a nested signature of a different MD type * If the file we're attempting to sign has an MsiDigitalSignatureEx
// without breaking the initial signature. * section, we can't add a nested signature of a different MD type
* without breaking the initial signature.
*/
{ {
unsigned long dselen = 0; unsigned long dselen = 0;
int has_dse = 0; int has_dse = 0;
@ -2840,8 +2869,8 @@ int main(int argc, char **argv)
int mdlen = EVP_MD_size(md); int mdlen = EVP_MD_size(md);
if (dselen != (unsigned long)mdlen) { if (dselen != (unsigned long)mdlen) {
DO_EXIT_0("Unable to add nested signature with a different MD type (-h parameter) " DO_EXIT_0("Unable to add nested signature with a different MD type (-h parameter) "
"than what exists in the MSI file already. This is due to the presence of " "than what exists in the MSI file already. This is due to the presence of "
"MsiDigitalSigantureEx (-add-msi-dse parameter).\n"); "MsiDigitalSigantureEx (-add-msi-dse parameter).\n");
} }
} }
} }
@ -2882,10 +2911,10 @@ int main(int argc, char **argv)
* It iterates over the files in the MSI in the same order as the * It iterates over the files in the MSI in the same order as the
* file content hashing method would - but it only processes the * file content hashing method would - but it only processes the
* metadata. * metadata.
* *
* Once the pre-hash is calculated, a new hash is created for * Once the pre-hash is calculated, a new hash is created for
* calculating the hash of the file content. The output of the * calculating the hash of the file content. The output of the
* pre-hash is added as the first element of the file content hash. * pre-hash is added as the first element of the file content hash.
* *
* After the pre-hash is written, what follows is the "regular" * After the pre-hash is written, what follows is the "regular"
* stream of data that would normally be written when performing * stream of data that would normally be written when performing
@ -3017,14 +3046,14 @@ int main(int argc, char **argv)
if (cmd == CMD_EXTRACT) { if (cmd == CMD_EXTRACT) {
/* A lil' bit of ugliness. Reset stream, write signature and skip forward */ /* A lil' bit of ugliness. Reset stream, write signature and skip forward */
(void)BIO_reset(outdata); (void)BIO_reset(outdata);
if(output_pkcs7) { if (output_pkcs7) {
sig = extract_existing_pe_pkcs7(indata, peheader, pe32plus, sigpos ? sigpos : fileend, siglen); sig = extract_existing_pe_pkcs7(indata, peheader, pe32plus, sigpos ? sigpos : fileend, siglen);
if (!sig) if (!sig)
DO_EXIT_0("Unable to extract existing signature."); DO_EXIT_0("Unable to extract existing signature.");
PEM_write_bio_PKCS7(outdata, sig); PEM_write_bio_PKCS7(outdata, sig);
} } else {
else
BIO_write(outdata, indata + sigpos, siglen); BIO_write(outdata, indata + sigpos, siglen);
}
goto skip_signing; goto skip_signing;
} }
@ -3073,32 +3102,28 @@ int main(int argc, char **argv)
if (cmd == CMD_ADD) if (cmd == CMD_ADD)
goto add_only; goto add_only;
if(cmd == CMD_ATTACH) if (cmd == CMD_ATTACH) {
{
const char pemhdr[] = "-----BEGIN PKCS7-----"; const char pemhdr[] = "-----BEGIN PKCS7-----";
sigfilesize = get_file_size(sigfile); sigfilesize = get_file_size(sigfile);
if(!sigfilesize) if (!sigfilesize)
goto err_cleanup; goto err_cleanup;
insigdata = map_file(sigfile, sigfilesize); insigdata = map_file(sigfile, sigfilesize);
if (insigdata == NULL) if (insigdata == NULL)
DO_EXIT_1("Failed to open file: %s\n", infile); DO_EXIT_1("Failed to open file: %s\n", infile);
if (sigfilesize >= sizeof(pemhdr) && !memcmp(insigdata, pemhdr, sizeof(pemhdr)-1)) if (sigfilesize >= sizeof(pemhdr) && !memcmp(insigdata, pemhdr, sizeof(pemhdr)-1)) {
{
sigbio = BIO_new_mem_buf(insigdata, sigfilesize); sigbio = BIO_new_mem_buf(insigdata, sigfilesize);
sig = PEM_read_bio_PKCS7(sigbio, NULL, NULL, NULL); sig = PEM_read_bio_PKCS7(sigbio, NULL, NULL, NULL);
BIO_free_all(sigbio); BIO_free_all(sigbio);
} } else {
else {
if (type == FILE_TYPE_PE) { if (type == FILE_TYPE_PE) {
sig = extract_existing_pe_pkcs7(insigdata, peheader, pe32plus, 0, sigfilesize); sig = extract_existing_pe_pkcs7(insigdata, peheader, pe32plus, 0, sigfilesize);
} } else if (type == FILE_TYPE_MSI) {
else if (type == FILE_TYPE_MSI) {
#ifdef WITH_GSF #ifdef WITH_GSF
const unsigned char *p = (unsigned char*)insigdata; const unsigned char *p = (unsigned char*)insigdata;
sig = d2i_PKCS7(NULL, &p, sigfilesize); sig = d2i_PKCS7(NULL, &p, sigfilesize);
#else #else
DO_EXIT_1("libgsf is not available, msi support is disabled: %s\n", infile); DO_EXIT_1("libgsf is not available, msi support is disabled: %s\n", infile);
#endif #endif
} }
} }
@ -3130,9 +3155,8 @@ int main(int argc, char **argv)
if (si == NULL) if (si == NULL)
DO_EXIT_0("Signing failed(PKCS7_add_signature)\n"); DO_EXIT_0("Signing failed(PKCS7_add_signature)\n");
PKCS7_add_signed_attribute PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
(si, NID_pkcs9_contentType, V_ASN1_OBJECT, OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1));
V_ASN1_OBJECT, OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1));
if (type == FILE_TYPE_CAB && jp >= 0) { if (type == FILE_TYPE_CAB && jp >= 0) {
const u_char *attrs = NULL; const u_char *attrs = NULL;
@ -3156,9 +3180,8 @@ int main(int argc, char **argv)
if (attrs) { if (attrs) {
astr = ASN1_STRING_new(); astr = ASN1_STRING_new();
ASN1_STRING_set(astr, attrs, len); ASN1_STRING_set(astr, attrs, len);
PKCS7_add_signed_attribute PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_MS_JAVA_SOMETHING),
(si, OBJ_txt2nid(SPC_MS_JAVA_SOMETHING), V_ASN1_SEQUENCE, astr);
V_ASN1_SEQUENCE, astr);
} }
} }
@ -3169,7 +3192,7 @@ int main(int argc, char **argv)
ASN1_STRING_set(astr, purpose_ind, sizeof(purpose_ind)); ASN1_STRING_set(astr, purpose_ind, sizeof(purpose_ind));
} }
PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_STATEMENT_TYPE_OBJID), PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_STATEMENT_TYPE_OBJID),
V_ASN1_SEQUENCE, astr); V_ASN1_SEQUENCE, astr);
if (desc || url) { if (desc || url) {
SpcSpOpusInfo *opus = createOpus(desc, url); SpcSpOpusInfo *opus = createOpus(desc, url);
@ -3183,7 +3206,7 @@ int main(int argc, char **argv)
OPENSSL_free(p); OPENSSL_free(p);
PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_SP_OPUS_INFO_OBJID), PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_SP_OPUS_INFO_OBJID),
V_ASN1_SEQUENCE, astr); V_ASN1_SEQUENCE, astr);
SpcSpOpusInfo_free(opus); SpcSpOpusInfo_free(opus);
} }
@ -3362,9 +3385,7 @@ skip_signing:
if (ret) { if (ret) {
DO_EXIT_0("Signature mismatch.\n"); DO_EXIT_0("Signature mismatch.\n");
} }
} } else if (type == FILE_TYPE_MSI) {
else if (type == FILE_TYPE_MSI)
{
#ifdef WITH_GSF #ifdef WITH_GSF
GsfInput *src; GsfInput *src;
GsfInfile *ole; GsfInfile *ole;
@ -3382,15 +3403,13 @@ skip_signing:
#else #else
DO_EXIT_1("libgsf is not available, msi support is disabled: %s\n", infile); DO_EXIT_1("libgsf is not available, msi support is disabled: %s\n", infile);
#endif #endif
} } else {
else
{
DO_EXIT_1("Unknown input type for file: %s\n", infile); DO_EXIT_1("Unknown input type for file: %s\n", infile);
} }
printf("Signature successfully attached.\n"); printf("Signature successfully attached.\n");
} } else {
else
printf(ret ? "Failed\n" : "Succeeded\n"); printf(ret ? "Failed\n" : "Succeeded\n");
}
cleanup_lib_state(); cleanup_lib_state();
return ret; return ret;
@ -3429,5 +3448,5 @@ Local Variables:
indent-tabs-mode: t indent-tabs-mode: t
End: End:
vim: set ts=4 : vim: set ts=4 noexpandtab:
*/ */