From 85bcfe470f9485f24a0e1f2e39d1153828525075 Mon Sep 17 00:00:00 2001 From: olszomal Date: Mon, 28 Mar 2022 15:45:33 +0200 Subject: [PATCH] disable verification of the Timestamp Server signature --- osslsigncode.c | 66 ++++++++++++++++++++++++-------------------------- 1 file changed, 31 insertions(+), 35 deletions(-) diff --git a/osslsigncode.c b/osslsigncode.c index 550b0c5..4db4e8e 100644 --- a/osslsigncode.c +++ b/osslsigncode.c @@ -238,7 +238,7 @@ typedef struct { #endif /* ENABLE_CURL */ int addBlob; int nest; - int timestamp_expiration; + int ignore_timestamp; int verbose; int add_msi_dse; char *catalog; @@ -1227,9 +1227,9 @@ static void usage(const char *argv0, const char *cmd) printf("%12s[ -CRLfile ]\n", ""); printf("%12s[ -TSA-CAfile ]\n", ""); printf("%12s[ -TSA-CRLfile ]\n", ""); + printf("%12s[ -ignore_timestamp ]\n", ""); printf("%12s[ -time ]\n", ""); printf("%12s[ -require-leaf-hash {md5,sha1,sha2(56),sha384,sha512}:XXXXXXXXXXXX... ]\n", ""); - printf("%12s[ -timestamp-expiration ]\n", ""); printf("%12s[ -verbose ]\n\n", ""); } } @@ -1280,7 +1280,7 @@ static void help_for(const char *argv0, const char *cmd) const char *cmds_require_leaf_hash[] = {"attach-signature", "verify", NULL}; const char *cmds_sigin[] = {"attach-signature", NULL}; const char *cmds_time[] = {"attach-signature", "sign", "verify", NULL}; - const char *cmds_timestamp_expiration[] = {"verify", NULL}; + const char *cmds_ignore_timestamp[] = {"verify", NULL}; #ifdef ENABLE_CURL const char *cmds_t[] = {"add", "sign", NULL}; const char *cmds_ts[] = {"add", "sign", NULL}; @@ -1412,8 +1412,8 @@ static void help_for(const char *argv0, const char *cmd) } if (on_list(cmd, cmds_sigin)) printf("%-24s= a file containing the signature to be attached\n", "-sigin"); - if (on_list(cmd, cmds_timestamp_expiration)) - printf("%-24s= verify a finite lifetime of the TSA private key\n", "-timestamp-expiration"); + if (on_list(cmd, cmds_ignore_timestamp)) + printf("%-24s= disable verification of the Timestamp Server signature\n", "-ignore-timestamp"); #ifdef ENABLE_CURL if (on_list(cmd, cmds_t)) { printf("%-24s= specifies that the digital signature will be timestamped\n", "-t"); @@ -2719,22 +2719,14 @@ static int verify_timestamp(SIGNATURE *signature, GLOBAL_OPTIONS *options) if (!store) goto out; if (load_file_lookup(store, options->tsa_cafile)) { - /* - * The TSA signing key MUST be of a sufficient length to allow for a sufficiently - * long lifetime. Even if this is done, the key will have a finite lifetime. - * Thus, any token signed by the TSA SHOULD be time-stamped again or notarized - * at a later date to renew the trust that exists in the TSA's signature. - * https://tools.ietf.org/html/rfc3161 - */ - if (!options->timestamp_expiration) - /* verify timestamp against the time of its creation */ - if (!set_store_time(store, signature->time)) { - printf("Failed to set store time\n"); - X509_STORE_free(store); - goto out; - } + /* verify timestamp against the time of its creation */ + if (!set_store_time(store, signature->time)) { + printf("Failed to set store time\n"); + X509_STORE_free(store); + goto out; + } } else { - printf("Use the \"-TSA-CAfile\" option to add the Time-Stamp Authority certificates bundle to verify timestamp server.\n"); + printf("Use the \"-TSA-CAfile\" option to add the Time-Stamp Authority certificates bundle to verify the Timestamp Server.\n"); X509_STORE_free(store); goto out; } @@ -2807,15 +2799,7 @@ static int verify_authenticode(SIGNATURE *signature, GLOBAL_OPTIONS *options, X5 X509_STORE_free(store); goto out; } - if (options->time != INVALID_TIME) { - printf("Signature verification time: "); - print_time_t(options->time); - if (!set_store_time(store, options->time)) { - printf("Failed to set verifying time\n"); - X509_STORE_free(store); - goto out; - } - } else if (signature->time != INVALID_TIME) { + if (signature->time != INVALID_TIME) { printf("Signature verification time: "); print_time_t(signature->time); if (!set_store_time(store, signature->time)) { @@ -2823,8 +2807,15 @@ static int verify_authenticode(SIGNATURE *signature, GLOBAL_OPTIONS *options, X5 X509_STORE_free(store); goto out; } + } else if (options->time != INVALID_TIME) { + printf("Signature verification time: "); + print_time_t(options->time); + if (!set_store_time(store, options->time)) { + printf("Failed to set verifying time\n"); + X509_STORE_free(store); + goto out; + } } - /* verify a PKCS#7 signedData structure */ if (signature->p7->d.sign->contents->d.other->type == V_ASN1_SEQUENCE) { /* only verify the contents of the sequence */ @@ -2908,9 +2899,14 @@ static int verify_signature(SIGNATURE *signature, GLOBAL_OPTIONS *options) } if (signature->timestamp) { - int timeok = verify_timestamp(signature, options); - printf("Timestamp Server Signature verification: %s\n", timeok ? "ok" : "failed"); - if (!timeok) { + if (!options->ignore_timestamp) { + int timeok = verify_timestamp(signature, options); + printf("Timestamp Server Signature verification: %s\n", timeok ? "ok" : "failed"); + if (!timeok) { + signature->time = INVALID_TIME; + } + } else { + printf("\nTimestamp Server Signature verification is disabled\n\n"); signature->time = INVALID_TIME; } } else @@ -5796,8 +5792,8 @@ static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS options->addBlob = 1; } else if ((*cmd == CMD_SIGN || *cmd == CMD_ATTACH) && !strcmp(*argv, "-nest")) { options->nest = 1; - } else if ((*cmd == CMD_VERIFY) && !strcmp(*argv, "-timestamp-expiration")) { - options->timestamp_expiration = 1; + } else if ((*cmd == CMD_VERIFY) && !strcmp(*argv, "-ignore-timestamp")) { + options->ignore_timestamp = 1; } else if ((*cmd == CMD_SIGN || *cmd == CMD_ADD || *cmd == CMD_VERIFY) && !strcmp(*argv, "-verbose")) { options->verbose = 1; } else if ((*cmd == CMD_SIGN || *cmd == CMD_ADD || *cmd == CMD_ATTACH) && !strcmp(*argv, "-add-msi-dse")) {