nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-07-03 19:52:47 -05:00
Code Issues Projects Releases Wiki Activity

CAB file tests

Browse Source
This commit is contained in:
olszomal
2020-02-21 14:10:21 +01:00
parent 94f5e0c1bf
commit a56aee3c8f
21 changed files with 297 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
tests/recipes/11_sign_nest
View File

@ -27,7 +27,25 @@ if test -s "test.exe"
fi
# CAB file
# Error: -nest option is only valid for PE/MSI files
test_name="112. Sign a CAB file with the nest flag"
printf "\n%s\n" "$test_name"
if test -s "test.ex_"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_112_signed.ex_"
../../osslsigncode sign -h sha512 \
-nest \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test_112_signed.ex_" -out "test_112.ex_"
verify_signature "$?" "112" "ex_" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="113. Sign a MSI file with the nest flag"

27
tests/recipes/31_extract_signature
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Extract the signature from the PE/MSI file.
# Extract the signature from the PE/CAB/MSI file.
. $(dirname $0)/../test_library
script_path=$(pwd)
@ -23,20 +23,35 @@ if test -s "test.exe"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="312. Extract the signature from the CAB file"
printf "\n%s\n" "$test_name"
if [ -s "test.ex_" ]
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_312.ex_" && \
../../osslsigncode extract-signature -pem \
-in "test_312.ex_" -out "sign_cab.pem"
verify_signature "$?" "312" "ex_" "success" "@2019-09-01 12:00:00" \
"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="312. Extract the signature from the MSI file"
test_name="313. Extract the signature from the MSI file"
printf "\n%s\n" "$test_name"
if test -s "sample.msi"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "sample.msi" -out "test_312.msi" && \
-in "sample.msi" -out "test_313.msi" && \
../../osslsigncode extract-signature -pem \
-in "test_312.msi" -out "sign_msi.pem"
verify_signature "$?" "312" "msi" "success" "@2019-09-01 12:00:00" \
-in "test_313.msi" -out "sign_msi.pem"
verify_signature "$?" "313" "msi" "success" "@2019-09-01 12:00:00" \
"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else

23
tests/recipes/32_attach_signature
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Attach the signature to the PE/MSI file.
# Attach the signature to the PE/CAB/MSI file.
. $(dirname $0)/../test_library
script_path=$(pwd)
@ -21,18 +21,31 @@ if test -s "test.exe"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="322. Attach the signature to the CAB file"
printf "\n%s\n" "$test_name"
if [ -s "test.ex_" ]
then
../../osslsigncode attach-signature -sigin "sign_cab.pem" \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-in "test.ex_" -out "test_322.ex_"
verify_signature "$?" "322" "ex_" "success" "@2019-09-01 12:00:00" \
"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="322. Attach the signature to the MSI file"
test_name="323. Attach the signature to the MSI file"
printf "\n%s\n" "$test_name"
if test -s "sample.msi"
then
../../osslsigncode attach-signature -sigin "sign_msi.pem" \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-in "sample.msi" -out "test_322.msi"
verify_signature "$?" "322" "msi" "success" "@2019-09-01 12:00:00" \
-in "sample.msi" -out "test_323.msi"
verify_signature "$?" "323" "msi" "success" "@2019-09-01 12:00:00" \
"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else

27
tests/recipes/33_remove_signature
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Remove the signature from the PE/MSI file.
# Remove the signature from the PE/CAB/MSI file.
. $(dirname $0)/../test_library
script_path=$(pwd)
@ -23,20 +23,35 @@ if test -s "test.exe"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="332. Remove the signature from the CAB file"
printf "\n%s\n" "$test_name"
if [ -s "test.ex_" ]
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_332_signed.ex_" && \
../../osslsigncode remove-signature \
-in "test_332_signed.ex_" -out "test_332.ex_"
verify_signature "$?" "332" "ex_" "fail" "@2019-09-01 12:00:00" \
"sha256sum" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="332. Remove the signature from the MSI file"
test_name="333. Remove the signature from the MSI file"
printf "\n%s\n" "$test_name"
if test -s "sample.msi"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "sample.msi" -out "test_332_signed.msi" && \
-in "sample.msi" -out "test_333_signed.msi" && \
../../osslsigncode remove-signature \
-in "test_332_signed.msi" -out "test_332.msi"
verify_signature "$?" "332" "msi" "fail" "@2019-09-01 12:00:00" \
-in "test_333_signed.msi" -out "test_333.msi"
verify_signature "$?" "333" "msi" "fail" "@2019-09-01 12:00:00" \
"sha256sum" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else

15
tests/recipes/35_varia_sha256sum
View File

@ -22,6 +22,21 @@ if test -s "test.exe"
skip=$(($skip+1))
fi
if test -s "test.ex_"
then
if test $(cat "sha256sum_ex_.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1
then
res=1
cat "sha256sum_ex_.log" >> "results.log"
printf "Non-unique SHA256 message digests found\n" >> "results.log"
else
rm -f test_3[1-4]*[1-2]*.ex_
fi
rm -f "sha256sum_ex_.log"
else
skip=$(($skip+1))
fi
if test -s "sample.msi"
then
if test $(cat "sha256sum_msi.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1

28
tests/recipes/36_add_signature_blob
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Add an unauthenticated blob to the PE/MSI file.
# Add an unauthenticated blob to the PE/CAB/MSI file.
. $(dirname $0)/../test_library
script_path=$(pwd)
@ -24,21 +24,37 @@ if test -s "test.exe"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="362. Add an unauthenticated blob to the CAB file"
printf "\n%s\n" "$test_name"
if test -s "test.ex_"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_362_signed.ex_"
../../osslsigncode add \
-addUnauthenticatedBlob \
-in "test_362_signed.ex_" -out "test_362.ex_"
verify_signature "$?" "362" "ex_" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "BEGIN_BLOB" "MODIFY"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="362. Add an unauthenticated blob to the MSI file"
test_name="363. Add an unauthenticated blob to the MSI file"
printf "\n%s\n" "$test_name"
if test -s "sample.msi"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "sample.msi" -out "test_362_signed.msi"
-in "sample.msi" -out "test_363_signed.msi"
../../osslsigncode add \
-addUnauthenticatedBlob \
-in "test_362_signed.msi" -out "test_362.msi"
verify_signature "$?" "362" "msi" "success" "@2019-09-01 12:00:00" \
-in "test_363_signed.msi" -out "test_363.msi"
verify_signature "$?" "363" "msi" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "BEGIN_BLOB" "MODIFY"
test_result "$?" "$test_name"
else

28
tests/recipes/37_add_signature_timestamp
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Add an authenticode timestamp to the PE/MSI file.
# Add an authenticode timestamp to the PE/CAB/MSI file.
. $(dirname $0)/../test_library
script_path=$(pwd)
@ -24,21 +24,37 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="372. Add an authenticode timestamp to the CAB file"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_372_signed.ex_" && \
../../osslsigncode add \
-t http://time.certum.pl/ \
-in "test_372_signed.ex_" -out "test_372.ex_"
verify_signature "$?" "372" "ex_" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="372. Add an authenticode timestamp to the MSI file"
test_name="373. Add an authenticode timestamp to the MSI file"
printf "\n%s\n" "$test_name"
if test -s "sample.msi" && ! grep -q "no libcurl available" "results.log"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "sample.msi" -out "test_372_signed.msi" && \
-in "sample.msi" -out "test_373_signed.msi" && \
../../osslsigncode add \
-t http://time.certum.pl/ \
-in "test_372_signed.msi" -out "test_372.msi"
verify_signature "$?" "372" "msi" "success" "@2019-09-01 12:00:00" \
-in "test_373_signed.msi" -out "test_373.msi"
verify_signature "$?" "373" "msi" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else

28
tests/recipes/38_add_signature_rfc3161
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Add an RFC 3161 timestamp to signed PE/MSI file.
# Add an RFC 3161 timestamp to signed PE/CAB/MSI file.
. $(dirname $0)/../test_library
script_path=$(pwd)
@ -24,21 +24,37 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="382. Add RFC 3161 timestamp to signed CAB file"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_382_signed.ex_"
../../osslsigncode add \
-ts http://time.certum.pl/ \
-in "test_382_signed.ex_" -out "test_382.ex_"
verify_signature "$?" "382" "ex_" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="382. Add RFC 3161 timestamp to signed MSI file"
test_name="383. Add RFC 3161 timestamp to signed MSI file"
printf "\n%s\n" "$test_name"
if test -s "sample.msi" && ! grep -q "no libcurl available" "results.log"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "sample.msi" -out "test_382_signed.msi"
-in "sample.msi" -out "test_383_signed.msi"
../../osslsigncode add \
-ts http://time.certum.pl/ \
-in "test_382_signed.msi" -out "test_382.msi"
verify_signature "$?" "382" "msi" "success" "@2019-09-01 12:00:00" \
-in "test_383_signed.msi" -out "test_383.msi"
verify_signature "$?" "383" "msi" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else

16
tests/recipes/40_verify_leaf_hash
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Compare the leaf certificate hash against specified SHA256 message digest for the PE/MSI file
# Compare the leaf certificate hash against specified SHA256 message digest for the PE/CAB/MSI file
. $(dirname $0)/../test_library
script_path=$(pwd)
@ -20,7 +20,19 @@ if test -s "test.exe"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="402. Compare the leaf certificate hash against specified SHA256 message digest for the CAB file"
printf "\n%s\n" "$test_name"
if test -s "test.ex_"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
-in "test.ex_" -out "test_402.ex_"
verify_leaf_hash "$?" "402" "ex_" "@2019-05-01 00:00:00"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="403. Compare the leaf certificate hash against specified SHA256 message digest for the MSI file"

18
tests/recipes/51_verify_time
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Verify PE/MSI file signature after the cert has been expired.
# Verify PE/CAB/MSI file signature after the cert has been expired.
. $(dirname $0)/../test_library
@ -21,7 +21,21 @@ if test -s "test.exe"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="512. Verify CAB file signature after the cert has been expired"
printf "\n%s\n" "$test_name"
if test -s "test.ex_"
then
TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
../../osslsigncode sign -h sha256 \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_512.ex_" 2>> "results.log" 1>&2'
verify_signature "$?" "512" "ex_" "fail" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="513. Verify MSI file signature after the cert has been expired"

19
tests/recipes/52_verify_timestamp
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Verify PE/MSI file signature with Authenticode timestamping after the cert has been expired.
# Verify PE/CAB/MSI file signature with Authenticode timestamping after the cert has been expired.
. $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="522. Verify CAB file signature with timestamping after the cert has been expired"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
../../osslsigncode sign -h sha256 \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-in "test.ex_" -out "test_522.ex_" 2>> "results.log" 1>&2'
verify_signature "$?" "522" "ex_" "success" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="523. Verify MSI file signature with timestamping after the cert has been expired"

19
tests/recipes/53_verify_rfc3161
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Verify PE/MSI file signature with RFC3161 timestamping after the cert has been expired.
# Verify PE/CAB/MSI file signature with RFC3161 timestamping after the cert has been expired.
. $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="532. Verify CAB file signature with RFC3161 after the cert has been expired"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
../../osslsigncode sign -h sha256 \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-in "test.ex_" -out "test_532.ex_" 2>> "results.log" 1>&2'
verify_signature "$?" "532" "ex_" "success" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="533. Verify MSI file signature with RFC3161 after the cert has been expired"

19
tests/recipes/54_verify_expired
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Verify PE/MSI file signed with the expired cert.
# Verify PE/CAB/MSI file signed with the expired cert.
. $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="542. Verify CAB file signed with the expired cert"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
../../osslsigncode sign -h sha256 \
-certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-in "test.ex_" -out "test_542.ex_" 2>> "results.log" 1>&2'
verify_signature "$?" "542" "ex_" "fail" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="543. Verify MSI file signed with the expired cert"

19
tests/recipes/55_verify_revoked
View File

@ -1,5 +1,5 @@
#!/bin/sh
# Verify PE/MSI file signed with the revoked cert.
# Verify PE/CAB/MSI file signed with the revoked cert.
. $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi
# CAB file
# Command is not supported for non-PE/non-MSI files
test_name="552. Verify CAB file signed with the revoked cert"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
../../osslsigncode sign -h sha256 \
-certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-in "test.ex_" -out "test_552.ex_" 2>> "results.log" 1>&2'
verify_signature "$?" "552" "ex_" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file
test_name="553. Verify MSI file signed with the revoked cert"