nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-05 09:08:04 -05:00
Code Issues Projects Releases Wiki Activity

Merge pull request #39 from olszomal/windows

Browse Source 
Windows support
This commit is contained in:
Michał Trojnara 2020-05-18 08:05:44 +02:00 committed by GitHub
commit 826df059d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 179 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
INSTALL.W32.md Normal file
View File

@ -0,0 +1,101 @@
# osslsigncode Windows install notes
### Building osslsigncode source with MSYS2 MinGW 64-bit and MSYS2 packages:
1) Download and install MSYS2 from https://msys2.github.io/ and follow installation instructions.
Once up and running install even mingw-w64-x86_64-gcc, mingw-w64-x86_64-curl, mingw-w64-x86_64-libgsf.
```
pacman -S mingw-w64-x86_64-gcc mingw-w64-x86_64-curl mingw-w64-x86_64-libgsf
```
mingw-w64-x86_64-openssl and mingw-w64-x86_64-zlib packages are installed with dependencies.
2) Run "MSYS2 MinGW 64-bit" and build 64-bit Windows executables.
```
cd osslsigncode-folder
x86_64-w64-mingw32-gcc osslsigncode.c -o osslsigncode.exe \
-lcrypto -lssl -lcurl -lgsf-1 -lgobject-2.0 -lglib-2.0 -lxml2 \
-I 'C:/msys64/mingw64/include/libgsf-1' \
-I 'C:/msys64/mingw64/include/glib-2.0' \
-I 'C:/msys64/mingw64/lib/glib-2.0/include' \
-D 'PACKAGE_STRING="osslsigncode 2.1.0"' \
-D 'PACKAGE_BUGREPORT="Michal.Trojnara@stunnel.org"' \
-D ENABLE_CURL \
-D WITH_GSF
```
3) Run "Command prompt" and include "c:\msys64\mingw64\bin" folder as part of the path.
```
path=%path%;c:\msys64\mingw64\bin
cd osslsigncode-folder
osslsigncode.exe -v
osslsigncode 2.1.0, using:
OpenSSL 1.1.1g 21 Apr 2020
libcurl/7.70.0 OpenSSL/1.1.1g (Schannel) zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0
libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.40.0 libgsf 1.14.46
```
### Building OpenSSL, Curl and osslsigncode sources with MSYS2 MinGW 64-bit:
1) Download and install MSYS2 from https://msys2.github.io/ and follow installation instructions.
Once up and running install even: perl make autoconf automake libtool pkg-config.
```
pacman -S perl make autoconf automake libtool pkg-config
```
Make sure there are no curl, brotli, libpsl, libidn2 and nghttp2 packages installed:
```
pacman -R mingw-w64-x86_64-curl \
mingw-w64-x86_64-brotli \
mingw-w64-x86_64-libpsl \
mingw-w64-x86_64-libidn2 \
mingw-w64-x86_64-nghttp2
```
Run "MSYS2 MinGW 64-bit" in the administrator mode.
2) Build and install OpenSSL.
```
cd openssl-(version)
./config --prefix='C:/OpenSSL' --openssldir='C:/OpenSSL'
make && make install
```
3) Build and install curl.
```
cd curl-(version)
./buildconf
./configure --prefix='C:/curl' --with-ssl='C:/OpenSSL' \
--disable-ftp --disable-tftp --disable-file --disable-dict \
--disable-telnet --disable-imap --disable-smb --disable-smtp \
--disable-gopher --disable-pop --disable-pop3 --disable-rtsp \
--disable-ldap --disable-ldaps --disable-unix-sockets --disable-pthreads
make && make install
```
3) Build 64-bit Windows executables.
```
cd osslsigncode-folder
x86_64-w64-mingw32-gcc osslsigncode.c -o osslsigncode.exe \
-L 'C:/OpenSSL/lib/' -lcrypto -lssl \
-I 'C:/OpenSSL/include/' \
-L 'C:/curl/lib' -lcurl \
-I 'C:/curl/include' \
-D 'PACKAGE_STRING="osslsigncode 2.1.0"' \
-D 'PACKAGE_BUGREPORT="Michal.Trojnara@stunnel.org"' \
-D ENABLE_CURL
```
4) Run "Command prompt" and copy required libraries.
```
cd osslsigncode-folder
copy C:\OpenSSL\bin\libssl-1_1-x64.dll
copy C:\OpenSSL\bin\libcrypto-1_1-x64.dll
copy C:\curl\bin\libcurl-4.dll
copy C:\msys64\mingw64\bin\zlib1.dll
osslsigncode.exe -v
osslsigncode 2.1.0, using:
OpenSSL 1.1.1g 21 Apr 2020
libcurl/7.70.0 OpenSSL/1.1.1g zlib/1.2.11
no libgsf available
```

12
README.md
View File

@ -93,6 +93,18 @@ To sign a CAB file containing java class files:
``` ```
Only the 'low' parameter is currently supported. Only the 'low' parameter is currently supported.
If you want to use PKCS11 token, you should indicate PKCS11 engine and module.
An example of using osslsigncode with SoftHSM:
```
osslsigncode sign \
-pkcs11engine /usr/lib64/engines-1.1/pkcs11.so \
-pkcs11module /usr/lib64/pkcs11/libsofthsm2.so \
-certs <cert-file> \
-key 'pkcs11:token=softhsm-token;object=key' \
-in yourapp.exe -out yourapp-signed.exe
```
osslsigncode currently does not support reading certificates from engines.
You can check that the signed file is correct by right-clicking You can check that the signed file is correct by right-clicking
on it in Windows and choose Properties --> Digital Signatures, on it in Windows and choose Properties --> Digital Signatures,
and then choose the signature from the list, and click on and then choose the signature from the list, and click on

86
osslsigncode.c
View File

@ -58,6 +58,10 @@
*/ */
#ifdef __MINGW32__
#define HAVE_WINDOWS_H
#endif /* __MINGW32__ */
#ifdef HAVE_CONFIG_H #ifdef HAVE_CONFIG_H
#include "config.h" #include "config.h"
#endif /* HAVE_CONFIG_H */ #endif /* HAVE_CONFIG_H */
@ -1795,7 +1799,7 @@ static int load_file_lookup(X509_STORE *store, char *certs, int purpose)
if (!lookup) if (!lookup)
return 0; /* FAILED */ return 0; /* FAILED */
if (!X509_load_cert_file(lookup, certs, X509_FILETYPE_PEM)) { if (!X509_load_cert_file(lookup, certs, X509_FILETYPE_PEM)) {
fprintf(stderr, "Error: no certificate found in %s\n", certs); fprintf(stderr, "\nError: no certificate found\n");
return 0; /* FAILED */ return 0; /* FAILED */
} }
param = X509_STORE_get0_param(store); param = X509_STORE_get0_param(store);
@ -1944,8 +1948,11 @@ static int pkcs7_print_attributes(PKCS7_SIGNED *p7_signed, PKCS7 **tmstamp_p7,
if (value == NULL) if (value == NULL)
return 0; /* FAILED */ return 0; /* FAILED */
*tmstamp_p7 = find_countersignature(p7_signed, value->data, value->length, timestamp_time); *tmstamp_p7 = find_countersignature(p7_signed, value->data, value->length, timestamp_time);
if (tmstamp_p7 == NULL) if (*tmstamp_p7 == NULL) {
printf("Error: Authenticode Timestamp could not be decoded correctly\n");
ERR_print_errors_fp(stdout);
return 0; /* FAILED */ return 0; /* FAILED */
}
} else if (!strcmp(object_txt, SPC_RFC3161_OBJID)) { } else if (!strcmp(object_txt, SPC_RFC3161_OBJID)) {
/* 1.3.6.1.4.1.311.3.3.1 */ /* 1.3.6.1.4.1.311.3.3.1 */
printf("\nRFC3161 Timestamp\nPolicy OID: %s\n", object_txt); printf("\nRFC3161 Timestamp\nPolicy OID: %s\n", object_txt);
@ -1953,8 +1960,11 @@ static int pkcs7_print_attributes(PKCS7_SIGNED *p7_signed, PKCS7 **tmstamp_p7,
if (value == NULL) if (value == NULL)
return 0; /* FAILED */ return 0; /* FAILED */
*tmstamp_p7 = find_rfc3161(value->data, value->length, timestamp_time); *tmstamp_p7 = find_rfc3161(value->data, value->length, timestamp_time);
if (tmstamp_p7 == NULL) if (*tmstamp_p7 == NULL) {
printf("Error: RFC3161 Timestamp could not be decoded correctly\n");
ERR_print_errors_fp(stdout);
return 0; /* FAILED */ return 0; /* FAILED */
}
} else if (!strcmp(object_txt, SPC_UNAUTHENTICATED_DATA_BLOB_OBJID)) { } else if (!strcmp(object_txt, SPC_UNAUTHENTICATED_DATA_BLOB_OBJID)) {
/* 1.3.6.1.4.1.42921.1.2.1 */ /* 1.3.6.1.4.1.42921.1.2.1 */
printf("\nUnauthenticated Data Blob\nPolicy OID: %s\n", object_txt); printf("\nUnauthenticated Data Blob\nPolicy OID: %s\n", object_txt);
@ -2088,10 +2098,11 @@ static int verify_timestamp(PKCS7 *p7, PKCS7 *tmstamp_p7, GLOBAL_OPTIONS *option
PKCS7_SIGNER_INFO *si; PKCS7_SIGNER_INFO *si;
int ret = 1, verok = 0; int ret = 1, verok = 0;
printf("TSA's certificates file: %s\n", options->untrusted);
store = X509_STORE_new(); store = X509_STORE_new();
if (!load_file_lookup(store, options->untrusted, X509_PURPOSE_TIMESTAMP_SIGN)) { if (load_file_lookup(store, options->untrusted, X509_PURPOSE_TIMESTAMP_SIGN))
printf("\nUse the \"-untrusted\" option to add the CA cert bundle to verify timestamp server.\n"); printf("TSA's certificates file: %s\n", options->untrusted);
else {
printf("Use the \"-untrusted\" option to add the CA cert bundle to verify timestamp server.\n");
ret = 0; /* FAILED */ ret = 0; /* FAILED */
} }
if (ret) if (ret)
@ -2183,11 +2194,11 @@ static int verify_pkcs7(PKCS7 *p7, GLOBAL_OPTIONS *options)
int ret = 0, leafok = 0; int ret = 0, leafok = 0;
if (!find_signer(p7, options->leafhash, &leafok)) if (!find_signer(p7, options->leafhash, &leafok))
printf("Find signers error"); /* FAILED */ printf("Find signers error\n");
if (!print_certs(p7)) if (!print_certs(p7))
printf("Print certs error"); /* FAILED */ printf("Print certs error\n");
if (!pkcs7_print_attributes(p7->d.sign, &tmstamp_p7, &timestamp_time, options->verbose)) if (!pkcs7_print_attributes(p7->d.sign, &tmstamp_p7, &timestamp_time, options->verbose))
ret = 1; /* FAILED */ printf("Print attributes error\n");
if (options->leafhash != NULL) { if (options->leafhash != NULL) {
printf("Leaf hash match: %s\n", leafok ? "ok" : "failed"); printf("Leaf hash match: %s\n", leafok ? "ok" : "failed");
if (!leafok) if (!leafok)
@ -2197,7 +2208,7 @@ static int verify_pkcs7(PKCS7 *p7, GLOBAL_OPTIONS *options)
if (options->crlfile) if (options->crlfile)
printf("CRLfile: %s\n", options->crlfile); printf("CRLfile: %s\n", options->crlfile);
if (!tmstamp_p7) if (!tmstamp_p7)
printf("\nFile is not timestamped\n"); printf("\nTimestamp is not available\n");
else if (!verify_timestamp(p7, tmstamp_p7, options)) else if (!verify_timestamp(p7, tmstamp_p7, options))
timestamp_time = NULL; timestamp_time = NULL;
@ -2683,7 +2694,7 @@ out:
* msi_extract_signature_to_file extracts the MSI DigitalSignaure from infile * msi_extract_signature_to_file extracts the MSI DigitalSignaure from infile
* to a file at the path given by outfile. * to a file at the path given by outfile.
*/ */
static int msi_extract_signature_to_file(GsfInfile *infile, char *outfile) static int msi_extract_signature_to_file(GsfInfile *infile, GLOBAL_OPTIONS *options)
{ {
char hexbuf[EVP_MAX_MD_SIZE*2+1]; char hexbuf[EVP_MAX_MD_SIZE*2+1];
GsfInput *sig = NULL; GsfInput *sig = NULL;
@ -2708,10 +2719,18 @@ static int msi_extract_signature_to_file(GsfInfile *infile, char *outfile)
ret = 1; ret = 1;
goto out; goto out;
} }
/* Create outdata file */ /* Create outdata DER file */
outdata = BIO_new_file(outfile, FILE_CREATE_MODE); #ifdef WIN32
if (!access(options->outfile, R_OK)) {
/* outdata file exists */
printf("Failed to create file: %s\n", options->outfile);
ret = 1;
goto out;
}
#endif
outdata = BIO_new_file(options->outfile, FILE_CREATE_MODE);
if (outdata == NULL) { if (outdata == NULL) {
printf("Unable to create %s\n\n", outfile); printf("Failed to create file: %s\n", options->outfile);
ret = 1; ret = 1;
goto out; goto out;
} }
@ -2790,15 +2809,23 @@ static int msi_extract_file(GsfInfile *ole, GLOBAL_OPTIONS *options)
fprintf(stderr, "Unable to extract existing signature\n"); fprintf(stderr, "Unable to extract existing signature\n");
return 1; /* FAILED */ return 1; /* FAILED */
} }
/* Create outdata PEM file */
#ifdef WIN32
if (!access(options->outfile, R_OK)) {
/* outdata file exists */
fprintf(stderr, "Failed to create file: %s\n", options->outfile);
return 1; /* FAILED */
}
#endif
outdata = BIO_new_file(options->outfile, FILE_CREATE_MODE); outdata = BIO_new_file(options->outfile, FILE_CREATE_MODE);
if (outdata == NULL) { if (outdata == NULL) {
fprintf(stderr, "Unable to create %s\n", options->outfile); fprintf(stderr, "Failed to create file: %s\n", options->outfile);
return 1; /* FAILED */ return 1; /* FAILED */
} }
ret = !PEM_write_bio_PKCS7(outdata, sig); ret = !PEM_write_bio_PKCS7(outdata, sig);
BIO_free_all(outdata); BIO_free_all(outdata);
} else } else
ret = msi_extract_signature_to_file(ole, options->outfile); ret = msi_extract_signature_to_file(ole, options);
return ret; return ret;
} }
@ -4575,9 +4602,15 @@ static PKCS7 *msi_presign_file(file_type_t type, cmd_type_t cmd, FILE_HEADER *he
if (cmd == CMD_ADD) if (cmd == CMD_ADD)
sig = *cursig; sig = *cursig;
} }
/* Create outdata MSI file */
if (!access(options->outfile, R_OK)) {
/* outdata file exists */
fprintf(stderr, "Failed to create file: %s\n", options->outfile);
return NULL; /* FAILED */
}
gsfparams->sink = gsf_output_stdio_new(options->outfile, NULL); gsfparams->sink = gsf_output_stdio_new(options->outfile, NULL);
if (!gsfparams->sink) { if (!gsfparams->sink) {
fprintf(stderr, "Error opening output file %s\n", options->outfile); fprintf(stderr, "Failed to create file: %s\n", options->outfile);
return NULL; /* FAILED */ return NULL; /* FAILED */
} }
gsfparams->outole = gsf_outfile_msole_new(gsfparams->sink); gsfparams->outole = gsf_outfile_msole_new(gsfparams->sink);
@ -4699,7 +4732,7 @@ static cmd_type_t get_command(char **argv)
return CMD_SIGN; return CMD_SIGN;
} }
static void main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS *options) static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS *options)
{ {
int i; int i;
char *failarg = NULL; char *failarg = NULL;
@ -4717,7 +4750,7 @@ static void main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTION
options->signing_time = INVALID_TIME; options->signing_time = INVALID_TIME;
options->jp = -1; options->jp = -1;
if ((*cmd == CMD_VERIFY || *cmd == CMD_ATTACH)) { if (*cmd == CMD_VERIFY || *cmd == CMD_ATTACH) {
options->cafile = get_cafile(); options->cafile = get_cafile();
options->untrusted = get_cafile(); options->untrusted = get_cafile();
} }
@ -4887,6 +4920,13 @@ static void main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTION
fprintf(stderr, "Unknown option: %s\n", failarg); fprintf(stderr, "Unknown option: %s\n", failarg);
usage(argv0, "all"); usage(argv0, "all");
} }
if ((*cmd == CMD_VERIFY || *cmd == CMD_ATTACH) && access(options->cafile, R_OK)) {
printf("Use the \"-CAfile\" option to add one or more trusted CA certificates to verify the signature.\n");
return 0; /* FAILED */
}
return 1;
} }
int main(int argc, char **argv) int main(int argc, char **argv)
@ -4917,7 +4957,8 @@ int main(int argc, char **argv)
DO_EXIT_0("Failed to add objects\n"); DO_EXIT_0("Failed to add objects\n");
/* commands and options initialization */ /* commands and options initialization */
main_configure(argc, argv, &cmd, &options); if (!main_configure(argc, argv, &cmd, &options))
goto err_cleanup;
if (!read_password(&options)) if (!read_password(&options))
goto err_cleanup; goto err_cleanup;
/* read key and certificates */ /* read key and certificates */
@ -4981,6 +5022,11 @@ int main(int argc, char **argv)
if ((type == FILE_TYPE_CAB || type == FILE_TYPE_PE) && (cmd != CMD_VERIFY)) { if ((type == FILE_TYPE_CAB || type == FILE_TYPE_PE) && (cmd != CMD_VERIFY)) {
/* Create outdata file */ /* Create outdata file */
#ifdef WIN32
if (!access(options.outfile, R_OK))
/* outdata file exists */
DO_EXIT_1("Failed to create file: %s\n", options.outfile);
#endif
outdata = BIO_new_file(options.outfile, FILE_CREATE_MODE); outdata = BIO_new_file(options.outfile, FILE_CREATE_MODE);
if (outdata == NULL) if (outdata == NULL)
DO_EXIT_1("Failed to create file: %s\n", options.outfile); DO_EXIT_1("Failed to create file: %s\n", options.outfile);