nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-05 17:08:05 -05:00
Code Issues Projects Releases Wiki Activity

Whitespace/Indentation cleanup

Browse Source
This commit is contained in:
Per Allansson 2013-02-19 21:47:47 +01:00
parent 6aa4280d84
commit af82a27bff
2 changed files with 202 additions and 206 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
README
View File

@ -6,25 +6,25 @@ osslsigncode
osslsigncode is a small tool that implements part of the functionality osslsigncode is a small tool that implements part of the functionality
of the Microsoft tool signcode.exe - more exactly the Authenticode of the Microsoft tool signcode.exe - more exactly the Authenticode
signing and timestamping. But osslsigncode is based on OpenSSL and cURL, signing and timestamping. But osslsigncode is based on OpenSSL and cURL,
and thus should be able to compile on most platforms where these exist. and thus should be able to compile on most platforms where these exist.
== WHY? == WHY?
Why not use signcode.exe? Because I don't want to go to a Windows Why not use signcode.exe? Because I don't want to go to a Windows
machine every time I need to sign a binary - I can compile and build machine every time I need to sign a binary - I can compile and build
the binaries using Wine on my Linux machine, but I can't sign them the binaries using Wine on my Linux machine, but I can't sign them
since the signcode.exe makes good use of the CryptoAPI in Windows, and since the signcode.exe makes good use of the CryptoAPI in Windows, and
these APIs aren't (yet?) fully implemented in Wine, so the signcode.exe these APIs aren't (yet?) fully implemented in Wine, so the signcode.exe
tool would fail. And, so, osslsigncode was born. tool would fail. And, so, osslsigncode was born.
== WHAT CAN IT DO? == WHAT CAN IT DO?
It can sign and timestamp EXE or CAB files. It supports the equivalent It can sign and timestamp EXE or CAB files. It supports the equivalent
of signcode.exe's "-j javasign.dll -jp low", i.e. add a valid signature of signcode.exe's "-j javasign.dll -jp low", i.e. add a valid signature
for a CAB file containing Java files. It supports getting the timestamp for a CAB file containing Java files. It supports getting the timestamp
through a proxy as well. through a proxy as well.
@ -32,7 +32,7 @@ through a proxy as well.
The usual way: The usual way:
./configure ./configure
make make
make install make install
@ -40,7 +40,7 @@ The usual way:
== USAGE == USAGE
Before you can sign a file you need a Software Publishing Before you can sign a file you need a Software Publishing
Certificate (spc) and a corresponding private key. Certificate (spc) and a corresponding private key.
This article provides a good starting point as to how This article provides a good starting point as to how
to do the signing with the Microsoft signcode.exe: to do the signing with the Microsoft signcode.exe:
@ -50,7 +50,7 @@ to do the signing with the Microsoft signcode.exe:
To sign with osslsigncode you need the spc file mentioned To sign with osslsigncode you need the spc file mentioned
in the article above, and you will also need the private in the article above, and you will also need the private
key, but not as a pvk file - it must be a simple key file key, but not as a pvk file - it must be a simple key file
on DER format or in PEM format. You can create a DER file on DER format or in PEM format. You can create a DER file
from the PEM file by doing: from the PEM file by doing:
openssl rsa -passin pass:XXXXX -outform der \ openssl rsa -passin pass:XXXXX -outform der \
@ -102,33 +102,33 @@ amongst other things that "This digital signature is OK".
(This guide was written by Ryan Rubley) (This guide was written by Ryan Rubley)
If you've managed to finally find osslsigncode from some searches, If you've managed to finally find osslsigncode from some searches,
you're most likely going to have a heck of a time getting your SPC you're most likely going to have a heck of a time getting your SPC
and PVK files into the formats osslsigncode wants. and PVK files into the formats osslsigncode wants.
On the computer where you originally purchased your certificate, you On the computer where you originally purchased your certificate, you
probably had to use IE to get it. Run IE and select Tools/Internet probably had to use IE to get it. Run IE and select Tools/Internet
Options from the menu, then under the Content tab, click the Certificates Options from the menu, then under the Content tab, click the Certificates
button. Under the Personal tab, select your certificate and click the button. Under the Personal tab, select your certificate and click the
Export button. On the second page of the wizard, select the PKCS #7 Export button. On the second page of the wizard, select the PKCS #7
Certificate (.P7B) format. This file you export as a *.p7b is what you Certificate (.P7B) format. This file you export as a *.p7b is what you
use instead of your *.spc file. It's the same basic thing, in a different format. use instead of your *.spc file. It's the same basic thing, in a different format.
For your PVK file, you will need to download a little utility called For your PVK file, you will need to download a little utility called
PVK.EXE. This can currently be downloaded at PVK.EXE. This can currently be downloaded at
http://support.globalsign.net/en/objectsign/PVK.zip http://support.globalsign.net/en/objectsign/PVK.zip
Run: pvk -in foo.pvk -nocrypt -out foo.pem Run: pvk -in foo.pvk -nocrypt -out foo.pem
This will convert your PVK file to a PEM file. This will convert your PVK file to a PEM file.
From there, you can copy the PEM file to a Linux box, and run: From there, you can copy the PEM file to a Linux box, and run:
openssl rsa -outform der -in foo.pem -out foo.der openssl rsa -outform der -in foo.pem -out foo.der
This will convert your PEM file to a DER file. This will convert your PEM file to a DER file.
You need the *.p7b and *.der files to use osslsigncode, instead of your You need the *.p7b and *.der files to use osslsigncode, instead of your
*.spc and *.pvk files. *.spc and *.pvk files.
@ -136,10 +136,8 @@ You need the *.p7b and *.der files to use osslsigncode, instead of your
Send an email to mfive@users.sourceforge.net Send an email to mfive@users.sourceforge.net
BUT, if you have questions related to generating spc files, BUT, if you have questions related to generating spc files,
converting between different formats and so on, *please* converting between different formats and so on, *please*
spend a few minutes searching on google for your particular spend a few minutes searching on google for your particular
problem since many people probably already have had your problem since many people probably already have had your
problem and solved it as well. problem and solved it as well.

338
osslsigncode.c
View File

@ -1,5 +1,5 @@
/* /*
OpenSSL based Authenticode signing for PE files and Java CAB's. OpenSSL based Authenticode signing for PE files and Java CAB's.
Copyright (C) 2005-2011 mfive <mfive@users.sourceforge.net> Copyright (C) 2005-2011 mfive <mfive@users.sourceforge.net>
@ -8,12 +8,12 @@
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or the Free Software Foundation; either version 2 of the License, or
(at your option) any later version. (at your option) any later version.
This program is distributed in the hope that it will be useful, This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details. GNU General Public License for more details.
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
@ -26,11 +26,11 @@ static const char *rcsid = "$Id: osslsigncode.c,v 1.4 2011/08/12 11:08:12 mfive
Implemented with good help from: Implemented with good help from:
* Peter Gutmann's analysis of Authenticode: * Peter Gutmann's analysis of Authenticode:
http://www.cs.auckland.ac.nz/~pgut001/pubs/authenticode.txt http://www.cs.auckland.ac.nz/~pgut001/pubs/authenticode.txt
* MS CAB SDK documentation * MS CAB SDK documentation
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncabsdk/html/cabdl.asp http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncabsdk/html/cabdl.asp
* MS PE/COFF documentation * MS PE/COFF documentation
@ -85,8 +85,8 @@ static const char *rcsid = "$Id: osslsigncode.c,v 1.4 2011/08/12 11:08:12 mfive
/* 1.3.6.1.4.1.311.4... MS Crypto 2.0 stuff... */ /* 1.3.6.1.4.1.311.4... MS Crypto 2.0 stuff... */
/* /*
ASN.1 definitions (more or less from official MS Authenticode docs) ASN.1 definitions (more or less from official MS Authenticode docs)
*/ */
typedef struct { typedef struct {
@ -96,7 +96,7 @@ typedef struct {
ASN1_IA5STRING *ascii; ASN1_IA5STRING *ascii;
} value; } value;
} SpcString; } SpcString;
ASN1_CHOICE(SpcString) = { ASN1_CHOICE(SpcString) = {
ASN1_IMP_OPT(SpcString, value.unicode, ASN1_BMPSTRING , 0), ASN1_IMP_OPT(SpcString, value.unicode, ASN1_BMPSTRING , 0),
ASN1_IMP_OPT(SpcString, value.ascii, ASN1_IA5STRING, 1) ASN1_IMP_OPT(SpcString, value.ascii, ASN1_IA5STRING, 1)
@ -114,8 +114,8 @@ ASN1_SEQUENCE(SpcSerializedObject) = {
ASN1_SIMPLE(SpcSerializedObject, classId, ASN1_OCTET_STRING), ASN1_SIMPLE(SpcSerializedObject, classId, ASN1_OCTET_STRING),
ASN1_SIMPLE(SpcSerializedObject, serializedData, ASN1_OCTET_STRING) ASN1_SIMPLE(SpcSerializedObject, serializedData, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(SpcSerializedObject) } ASN1_SEQUENCE_END(SpcSerializedObject)
IMPLEMENT_ASN1_FUNCTIONS(SpcSerializedObject) IMPLEMENT_ASN1_FUNCTIONS(SpcSerializedObject)
typedef struct { typedef struct {
@ -135,10 +135,10 @@ ASN1_CHOICE(SpcLink) = {
IMPLEMENT_ASN1_FUNCTIONS(SpcLink) IMPLEMENT_ASN1_FUNCTIONS(SpcLink)
typedef struct { typedef struct {
SpcString *programName; SpcString *programName;
SpcLink *moreInfo; SpcLink *moreInfo;
} SpcSpOpusInfo; } SpcSpOpusInfo;
DECLARE_ASN1_FUNCTIONS(SpcSpOpusInfo) DECLARE_ASN1_FUNCTIONS(SpcSpOpusInfo)
@ -184,12 +184,12 @@ typedef struct {
ASN1_SEQUENCE(DigestInfo) = { ASN1_SEQUENCE(DigestInfo) = {
ASN1_SIMPLE(DigestInfo, digestAlgorithm, AlgorithmIdentifier), ASN1_SIMPLE(DigestInfo, digestAlgorithm, AlgorithmIdentifier),
ASN1_SIMPLE(DigestInfo, digest, ASN1_OCTET_STRING) ASN1_SIMPLE(DigestInfo, digest, ASN1_OCTET_STRING)
} ASN1_SEQUENCE_END(DigestInfo) } ASN1_SEQUENCE_END(DigestInfo)
IMPLEMENT_ASN1_FUNCTIONS(DigestInfo) IMPLEMENT_ASN1_FUNCTIONS(DigestInfo)
typedef struct { typedef struct {
SpcAttributeTypeAndOptionalValue *data; SpcAttributeTypeAndOptionalValue *data;
DigestInfo *messageDigest; DigestInfo *messageDigest;
} SpcIndirectDataContent; } SpcIndirectDataContent;
@ -197,7 +197,7 @@ ASN1_SEQUENCE(SpcIndirectDataContent) = {
ASN1_SIMPLE(SpcIndirectDataContent, data, SpcAttributeTypeAndOptionalValue), ASN1_SIMPLE(SpcIndirectDataContent, data, SpcAttributeTypeAndOptionalValue),
ASN1_SIMPLE(SpcIndirectDataContent, messageDigest, DigestInfo) ASN1_SIMPLE(SpcIndirectDataContent, messageDigest, DigestInfo)
} ASN1_SEQUENCE_END(SpcIndirectDataContent) } ASN1_SEQUENCE_END(SpcIndirectDataContent)
IMPLEMENT_ASN1_FUNCTIONS(SpcIndirectDataContent) IMPLEMENT_ASN1_FUNCTIONS(SpcIndirectDataContent)
typedef struct { typedef struct {
@ -247,7 +247,7 @@ IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest)
#endif /* ENABLE_CURL */ #endif /* ENABLE_CURL */
static SpcSpOpusInfo* createOpus(const char *desc, const char *url) static SpcSpOpusInfo* createOpus(const char *desc, const char *url)
{ {
SpcSpOpusInfo *info = SpcSpOpusInfo_new(); SpcSpOpusInfo *info = SpcSpOpusInfo_new();
@ -287,27 +287,27 @@ static size_t curl_write( void *ptr, size_t sz, size_t nmemb, void *stream)
User-Agent: Transport User-Agent: Transport
Host: ... Host: ...
Cache-Control: no-cache Cache-Control: no-cache
<base64encoded blob> <base64encoded blob>
.. and the blob has the following ASN1 structure: .. and the blob has the following ASN1 structure:
0:d=0 hl=4 l= 291 cons: SEQUENCE 0:d=0 hl=4 l= 291 cons: SEQUENCE
4:d=1 hl=2 l= 10 prim: OBJECT :1.3.6.1.4.1.311.3.2.1 4:d=1 hl=2 l= 10 prim: OBJECT :1.3.6.1.4.1.311.3.2.1
16:d=1 hl=4 l= 275 cons: SEQUENCE 16:d=1 hl=4 l= 275 cons: SEQUENCE
20:d=2 hl=2 l= 9 prim: OBJECT :pkcs7-data 20:d=2 hl=2 l= 9 prim: OBJECT :pkcs7-data
31:d=2 hl=4 l= 260 cons: cont [ 0 ] 31:d=2 hl=4 l= 260 cons: cont [ 0 ]
35:d=3 hl=4 l= 256 prim: OCTET STRING 35:d=3 hl=4 l= 256 prim: OCTET STRING
<signature> <signature>
.. and it returns a base64 encoded PKCS#7 structure. .. and it returns a base64 encoded PKCS#7 structure.
*/ */
static int add_timestamp(PKCS7 *sig, char *url, char *proxy) static int add_timestamp(PKCS7 *sig, char *url, char *proxy)
{ {
CURL *curl; CURL *curl;
struct curl_slist *slist = NULL; struct curl_slist *slist = NULL;
@ -316,20 +316,20 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy)
u_char *p; u_char *p;
int len; int len;
TimeStampRequest *req; TimeStampRequest *req;
PKCS7_SIGNER_INFO *si = PKCS7_SIGNER_INFO *si =
sk_PKCS7_SIGNER_INFO_value sk_PKCS7_SIGNER_INFO_value
(sig->d.sign->signer_info, 0); (sig->d.sign->signer_info, 0);
if (!url) return -1; if (!url) return -1;
curl = curl_easy_init(); curl = curl_easy_init();
if (proxy) { if (proxy) {
curl_easy_setopt(curl, CURLOPT_PROXY, proxy); curl_easy_setopt(curl, CURLOPT_PROXY, proxy);
if (!strncmp("http:", proxy, 5)) if (!strncmp("http:", proxy, 5))
curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP); curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
if (!strncmp("socks:", proxy, 6)) if (!strncmp("socks:", proxy, 6))
curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5); curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
} }
curl_easy_setopt(curl, CURLOPT_URL, url); curl_easy_setopt(curl, CURLOPT_URL, url);
@ -376,40 +376,40 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy)
BIO_free_all(bout); BIO_free_all(bout);
if (c) { if (c) {
fprintf(stderr, "CURL failure: %s\n", curl_easy_strerror(c)); fprintf(stderr, "CURL failure: %s\n", curl_easy_strerror(c));
} else { } else {
PKCS7 *p7; PKCS7 *p7;
int i; int i;
PKCS7_SIGNER_INFO *info; PKCS7_SIGNER_INFO *info;
ASN1_STRING *astr; ASN1_STRING *astr;
(void)BIO_flush(bin); (void)BIO_flush(bin);
b64 = BIO_new(BIO_f_base64()); b64 = BIO_new(BIO_f_base64());
bin = BIO_push(b64, bin); bin = BIO_push(b64, bin);
p7 = d2i_PKCS7_bio(bin, NULL); p7 = d2i_PKCS7_bio(bin, NULL);
if (p7 == NULL) { if (p7 == NULL) {
fprintf(stderr, "Failed to convert timestamp reply\n"); fprintf(stderr, "Failed to convert timestamp reply\n");
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
return -1; return -1;
} }
for(i = sk_X509_num(p7->d.sign->cert)-1; i>=0; i--) for(i = sk_X509_num(p7->d.sign->cert)-1; i>=0; i--)
PKCS7_add_certificate(sig, sk_X509_value(p7->d.sign->cert, i)); PKCS7_add_certificate(sig, sk_X509_value(p7->d.sign->cert, i));
info = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0); info = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
if (((len = i2d_PKCS7_SIGNER_INFO(info, NULL)) <= 0) || if (((len = i2d_PKCS7_SIGNER_INFO(info, NULL)) <= 0) ||
(p = OPENSSL_malloc(len)) == NULL) { (p = OPENSSL_malloc(len)) == NULL) {
fprintf(stderr, "Failed to convert signer info: %d\n", len); fprintf(stderr, "Failed to convert signer info: %d\n", len);
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
return -1; return -1;
} }
len = i2d_PKCS7_SIGNER_INFO(info, &p); len = i2d_PKCS7_SIGNER_INFO(info, &p);
p -= len; p -= len;
astr = ASN1_STRING_new(); astr = ASN1_STRING_new();
ASN1_STRING_set(astr, p, len); ASN1_STRING_set(astr, p, len);
PKCS7_add_attribute PKCS7_add_attribute
(si, NID_pkcs9_countersignature, (si, NID_pkcs9_countersignature,
V_ASN1_SEQUENCE, astr); V_ASN1_SEQUENCE, astr);
} }
BIO_free_all(bin); BIO_free_all(bin);
@ -420,9 +420,9 @@ static int add_timestamp(PKCS7 *sig, char *url, char *proxy)
#endif /* ENABLE_CURL */ #endif /* ENABLE_CURL */
static void usage(const char *argv0) static void usage(const char *argv0)
{ {
fprintf(stderr, fprintf(stderr,
"Usage: %s [ --version | -v ]\n" "Usage: %s [ --version | -v ]\n"
"\t( -spc <spcfile> -key <keyfile> |\n" "\t( -spc <spcfile> -key <keyfile> |\n"
"\t -pkcs12 <pkcs12file> )\n" "\t -pkcs12 <pkcs12file> )\n"
@ -430,9 +430,9 @@ static void usage(const char *argv0)
"\t[ -h {md5,sha1,sha2} ]\n" "\t[ -h {md5,sha1,sha2} ]\n"
"\t[ -n <desc> ] [ -i <url> ] [ -jp <level> ] [ -comm ]\n" "\t[ -n <desc> ] [ -i <url> ] [ -jp <level> ] [ -comm ]\n"
#ifdef ENABLE_CURL #ifdef ENABLE_CURL
"\t[ -t <timestampurl> [ -p <proxy> ]]\n" "\t[ -t <timestampurl> [ -p <proxy> ]]\n"
#endif #endif
"\t-in <infile> -out <outfile>\n", "\t-in <infile> -out <outfile>\n",
argv0); argv0);
exit(-1); exit(-1);
} }
@ -442,33 +442,33 @@ static void usage(const char *argv0)
#define GET_UINT16_LE(p) (((u_char*)(p))[0] | (((u_char*)(p))[1]<<8)) #define GET_UINT16_LE(p) (((u_char*)(p))[0] | (((u_char*)(p))[1]<<8))
#define GET_UINT32_LE(p) (((u_char*)(p))[0] | (((u_char*)(p))[1]<<8) | \ #define GET_UINT32_LE(p) (((u_char*)(p))[0] | (((u_char*)(p))[1]<<8) | \
(((u_char*)(p))[2]<<16) | (((u_char*)(p))[3]<<24)) (((u_char*)(p))[2]<<16) | (((u_char*)(p))[3]<<24))
#define PUT_UINT32_LE(i,p) \ #define PUT_UINT32_LE(i,p) \
((u_char*)(p))[0] = (i) & 0xff; \ ((u_char*)(p))[0] = (i) & 0xff; \
((u_char*)(p))[1] = ((i)>>8) & 0xff; \ ((u_char*)(p))[1] = ((i)>>8) & 0xff; \
((u_char*)(p))[2] = ((i)>>16) & 0xff; \ ((u_char*)(p))[2] = ((i)>>16) & 0xff; \
((u_char*)(p))[3] = ((i)>>24) & 0xff ((u_char*)(p))[3] = ((i)>>24) & 0xff
#ifdef HACK_OPENSSL #ifdef HACK_OPENSSL
ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid) ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid)
/* ARGSUSED */ /* ARGSUSED */
{ {
/* Ehhhm. Hack. The PKCS7 sign method adds NID_pkcs9_signingTime if /* Ehhhm. Hack. The PKCS7 sign method adds NID_pkcs9_signingTime if
it isn't there. But we don't want it since M$ barfs on it. it isn't there. But we don't want it since M$ barfs on it.
Sooooo... let's pretend it's here. */ Sooooo... let's pretend it's here. */
return (ASN1_TYPE*)0xdeadbeef; return (ASN1_TYPE*)0xdeadbeef;
} }
#endif #endif
static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, int isjava) static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, int isjava)
{ {
static const unsigned char obsolete[] = { static const unsigned char obsolete[] = {
0x00, 0x3c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x4f, 0x00, 0x62, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x4f, 0x00, 0x62,
0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x74, 0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x74,
0x00, 0x65, 0x00, 0x3e, 0x00, 0x3e, 0x00, 0x3e 0x00, 0x65, 0x00, 0x3e, 0x00, 0x3e, 0x00, 0x3e
}; };
@ -491,7 +491,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, in
idc->data->value->type = V_ASN1_SEQUENCE; idc->data->value->type = V_ASN1_SEQUENCE;
idc->data->value->value.sequence = ASN1_STRING_new(); idc->data->value->value.sequence = ASN1_STRING_new();
if (isjava) { if (isjava) {
l = i2d_SpcLink(link, NULL); l = i2d_SpcLink(link, NULL);
p = OPENSSL_malloc(l); p = OPENSSL_malloc(l);
i2d_SpcLink(link, &p); i2d_SpcLink(link, &p);
p -= l; p -= l;
@ -515,7 +515,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, in
idc->messageDigest->digest = M_ASN1_OCTET_STRING_new(); idc->messageDigest->digest = M_ASN1_OCTET_STRING_new();
hashlen = EVP_MD_size(md); hashlen = EVP_MD_size(md);
hash = OPENSSL_malloc(hashlen); hash = OPENSSL_malloc(hashlen);
memset(hash, 0, hashlen); memset(hash, 0, hashlen);
M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen); M_ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
@ -525,7 +525,7 @@ static void get_indirect_data_blob(u_char **blob, int *len, const EVP_MD *md, in
i2d_SpcIndirectDataContent(idc, &p); i2d_SpcIndirectDataContent(idc, &p);
} }
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
BIO *btmp, *sigdata, *hash, *outdata; BIO *btmp, *sigdata, *hash, *outdata;
PKCS12 *p12; PKCS12 *p12;
@ -537,12 +537,12 @@ int main(int argc, char **argv)
ASN1_TYPE dummy; ASN1_TYPE dummy;
ASN1_STRING *astr; ASN1_STRING *astr;
const EVP_MD *md = EVP_sha1(); const EVP_MD *md = EVP_sha1();
const char *argv0 = argv[0]; const char *argv0 = argv[0];
static char buf[64*1024]; static char buf[64*1024];
char *spcfile, *keyfile, *pkcs12file, *infile, *outfile, *desc, *url, *indata; char *spcfile, *keyfile, *pkcs12file, *infile, *outfile, *desc, *url, *indata;
char *pass = ""; char *pass = "";
#ifdef ENABLE_CURL #ifdef ENABLE_CURL
char *turl = NULL, *proxy = NULL; char *turl = NULL, *proxy = NULL;
#endif #endif
u_char *p; u_char *p;
@ -552,50 +552,50 @@ int main(int argc, char **argv)
#if 0 #if 0
static u_char spcIndirectDataContext_blob_cab[] = { static u_char spcIndirectDataContext_blob_cab[] = {
0x30, 0x50, 0x30, 0x50,
0x30, 0x2c, 0x30, 0x2c,
0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x19, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x19,
0xa2, 0x1e, 0x80, 0x1c, 0xa2, 0x1e, 0x80, 0x1c,
0x00, 0x3c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x4f, 0x00, 0x62, 0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x4f, 0x00, 0x62, 0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c, 0x00, 0x65,
0x00, 0x74, 0x00, 0x65, 0x00, 0x3e, 0x00, 0x3e, 0x00, 0x3e, 0x00, 0x74, 0x00, 0x65, 0x00, 0x3e, 0x00, 0x3e, 0x00, 0x3e,
0x30, 0x20, 0x30, 0x20,
0x30, 0x0c, 0x30, 0x0c,
0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05,
0x05, 0x00, 0x05, 0x00,
0x04, 0x10 /* + hash */ 0x04, 0x10 /* + hash */
}; };
static u_char spcIndirectDataContext_blob_pe[] = { static u_char spcIndirectDataContext_blob_pe[] = {
0x30, 0x57, 0x30, 0x57,
0x30, 0x33, 0x30, 0x33,
0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f,
0x30, 0x25, 0x03, 0x01, 0x00, 0x30, 0x25, 0x03, 0x01, 0x00,
0xa0, 0x20, 0xa2, 0x1e, 0x80, 0x1c, 0xa0, 0x20, 0xa2, 0x1e, 0x80, 0x1c,
0x00, 0x3c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x4f, 0x00, 0x62, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x4f, 0x00, 0x62,
0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x74, 0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x74,
0x00, 0x65, 0x00, 0x3e, 0x00, 0x3e, 0x00, 0x3e, 0x00, 0x65, 0x00, 0x3e, 0x00, 0x3e, 0x00, 0x3e,
0x30, 0x20, 0x30, 0x20,
0x30, 0x0c, 0x30, 0x0c,
0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05,
0x05, 0x00, 0x05, 0x00,
0x04, 0x10 /* + hash */ 0x04, 0x10 /* + hash */
}; };
#endif #endif
static u_char purpose_ind[] = { static u_char purpose_ind[] = {
0x30, 0x0c, 0x30, 0x0c,
0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15
}; };
static u_char purpose_comm[] = { static u_char purpose_comm[] = {
0x30, 0x0c, 0x30, 0x0c,
0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x16 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x16
}; };
spcfile = keyfile = pkcs12file = infile = outfile = desc = url = NULL; spcfile = keyfile = pkcs12file = infile = outfile = desc = url = NULL;
hash = outdata = NULL; hash = outdata = NULL;
@ -608,10 +608,10 @@ int main(int argc, char **argv)
keyfile = *(++argv); keyfile = *(++argv);
} else if (!strcmp(*argv, "-pkcs12")) { } else if (!strcmp(*argv, "-pkcs12")) {
if (--argc < 1) usage(argv0); if (--argc < 1) usage(argv0);
pkcs12file = *(++argv); pkcs12file = *(++argv);
} else if (!strcmp(*argv, "-pass")) { } else if (!strcmp(*argv, "-pass")) {
if (--argc < 1) usage(argv0); if (--argc < 1) usage(argv0);
pass = *(++argv); pass = *(++argv);
} else if (!strcmp(*argv, "-comm")) { } else if (!strcmp(*argv, "-comm")) {
comm = 1; comm = 1;
} else if (!strcmp(*argv, "-n")) { } else if (!strcmp(*argv, "-n")) {
@ -669,7 +669,7 @@ int main(int argc, char **argv)
} else if (!strcmp(ap, "high")) { } else if (!strcmp(ap, "high")) {
jp = 2; jp = 2;
} }
if (jp != 0) usage(argv0); /* XXX */ if (jp != 0) usage(argv0); /* XXX */
} else { } else {
fprintf(stderr, "Unknown option: %s\n", *argv); fprintf(stderr, "Unknown option: %s\n", *argv);
usage(argv0); usage(argv0);
@ -689,15 +689,15 @@ int main(int argc, char **argv)
(p12 = d2i_PKCS12_bio(btmp, NULL)) == NULL) (p12 = d2i_PKCS12_bio(btmp, NULL)) == NULL)
DO_EXIT_1("Failed to read PKCS#12 file: %s\n", pkcs12file); DO_EXIT_1("Failed to read PKCS#12 file: %s\n", pkcs12file);
BIO_free(btmp); BIO_free(btmp);
if (!PKCS12_parse(p12, pass, &pkey, &cert, &certs)) if (!PKCS12_parse(p12, pass, &pkey, &cert, &certs))
DO_EXIT_1("Failed to parse PKCS#12 file: %s (Wrong password?)\n", pkcs12file); DO_EXIT_1("Failed to parse PKCS#12 file: %s (Wrong password?)\n", pkcs12file);
PKCS12_free(p12); PKCS12_free(p12);
} else { } else {
if ((btmp = BIO_new_file(spcfile, "rb")) == NULL || if ((btmp = BIO_new_file(spcfile, "rb")) == NULL ||
(p7 = d2i_PKCS7_bio(btmp, NULL)) == NULL) (p7 = d2i_PKCS7_bio(btmp, NULL)) == NULL)
DO_EXIT_1("Failed to read DER-encoded spc file: %s\n", spcfile); DO_EXIT_1("Failed to read DER-encoded spc file: %s\n", spcfile);
BIO_free(btmp); BIO_free(btmp);
if ((btmp = BIO_new_file(keyfile, "rb")) == NULL || if ((btmp = BIO_new_file(keyfile, "rb")) == NULL ||
( (pkey = d2i_PrivateKey_bio(btmp, NULL)) == NULL && ( (pkey = d2i_PrivateKey_bio(btmp, NULL)) == NULL &&
(pkey = PEM_read_bio_PrivateKey(btmp, NULL, NULL, pass)) == NULL && (pkey = PEM_read_bio_PrivateKey(btmp, NULL, NULL, pass)) == NULL &&
@ -706,14 +706,14 @@ int main(int argc, char **argv)
BIO_free(btmp); BIO_free(btmp);
certs = p7->d.sign->cert; certs = p7->d.sign->cert;
} }
/* Check if indata is cab or pe */ /* Check if indata is cab or pe */
if (stat(infile, &st)) if (stat(infile, &st))
DO_EXIT_1("Failed to open file: %s\n", infile); DO_EXIT_1("Failed to open file: %s\n", infile);
if (st.st_size < 4) if (st.st_size < 4)
DO_EXIT_1("Unrecognized file type - file is too short: %s\n", infile); DO_EXIT_1("Unrecognized file type - file is too short: %s\n", infile);
if ((fd = open(infile, O_RDONLY)) < 0) if ((fd = open(infile, O_RDONLY)) < 0)
DO_EXIT_1("Failed to open file: %s\n", infile); DO_EXIT_1("Failed to open file: %s\n", infile);
@ -745,16 +745,16 @@ int main(int argc, char **argv)
outdata = BIO_new_file(outfile, "wb"); outdata = BIO_new_file(outfile, "wb");
if (outdata == NULL) if (outdata == NULL)
DO_EXIT_1("Failed to create file: %s\n", outfile); DO_EXIT_1("Failed to create file: %s\n", outfile);
hash = BIO_new(BIO_f_md()); hash = BIO_new(BIO_f_md());
BIO_set_md(hash, md); BIO_set_md(hash, md);
BIO_push(hash, outdata); BIO_push(hash, outdata);
if (is_cabinet) { if (is_cabinet) {
unsigned short nfolders; unsigned short nfolders;
u_char cabsigned[] = { u_char cabsigned[] = {
0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
0xde, 0xad, 0xbe, 0xef, /* size of cab file */ 0xde, 0xad, 0xbe, 0xef, /* size of cab file */
0xde, 0xad, 0xbe, 0xef, /* size of asn1 blob */ 0xde, 0xad, 0xbe, 0xef, /* size of asn1 blob */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
@ -795,38 +795,38 @@ int main(int argc, char **argv)
/* Write what's left */ /* Write what's left */
BIO_write(hash, indata+i, st.st_size-i); BIO_write(hash, indata+i, st.st_size-i);
} else { } else {
if (jp >= 0) if (jp >= 0)
fprintf(stderr, "Warning: -jp option is only valid " fprintf(stderr, "Warning: -jp option is only valid "
"for CAB files.\n"); "for CAB files.\n");
pe32plus = GET_UINT16_LE(indata + peheader + 24) == 0x20b ? 1 : 0; pe32plus = GET_UINT16_LE(indata + peheader + 24) == 0x20b ? 1 : 0;
/* If the file has been signed already, this will let us pretend the file we are signing is /* If the file has been signed already, this will let us pretend the file we are signing is
* only as big as the portion that exists before the signed data at the end of the file. * only as big as the portion that exists before the signed data at the end of the file.
* This prevents adding more and more data to the end of the file with each signing. * This prevents adding more and more data to the end of the file with each signing.
*/ */
i = GET_UINT32_LE(indata + peheader + 152 + pe32plus*16); i = GET_UINT32_LE(indata + peheader + 152 + pe32plus*16);
if( i > 0 ) st.st_size = i; if( i > 0 ) st.st_size = i;
BIO_write(hash, indata, peheader + 88); BIO_write(hash, indata, peheader + 88);
i = peheader + 88; i = peheader + 88;
memset(buf, 0, 4); memset(buf, 0, 4);
BIO_write(outdata, buf, 4); /* zero out checksum */ BIO_write(outdata, buf, 4); /* zero out checksum */
i += 4; i += 4;
BIO_write(hash, indata + i, 60+pe32plus*16); BIO_write(hash, indata + i, 60+pe32plus*16);
i += 60+pe32plus*16; i += 60+pe32plus*16;
BIO_write(outdata, indata + i, 8); BIO_write(outdata, indata + i, 8);
i += 8; i += 8;
BIO_write(hash, indata + i, st.st_size - i); BIO_write(hash, indata + i, st.st_size - i);
/* pad (with 0's) pe file to 8 byte boundary */ /* pad (with 0's) pe file to 8 byte boundary */
len = 8 - st.st_size % 8; len = 8 - st.st_size % 8;
if (len > 0 && len != 8) { if (len > 0 && len != 8) {
memset(buf, 0, len); memset(buf, 0, len);
BIO_write(hash, buf, len); BIO_write(hash, buf, len);
st.st_size += len; st.st_size += len;
} }
} }
sig = PKCS7_new(); sig = PKCS7_new();
PKCS7_set_type(sig, NID_pkcs7_signed); PKCS7_set_type(sig, NID_pkcs7_signed);
@ -842,19 +842,19 @@ int main(int argc, char **argv)
if (si != NULL) break; if (si != NULL) break;
} }
} }
if (si == NULL) if (si == NULL)
DO_EXIT_0("Signing failed(PKCS7_add_signature)\n"); DO_EXIT_0("Signing failed(PKCS7_add_signature)\n");
/* create some MS Authenticode OIDS we need later on */ /* create some MS Authenticode OIDS we need later on */
if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) || if (!OBJ_create(SPC_STATEMENT_TYPE_OBJID, NULL, NULL) ||
!OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) || !OBJ_create(SPC_MS_JAVA_SOMETHING, NULL, NULL) ||
!OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL)) !OBJ_create(SPC_SP_OPUS_INFO_OBJID, NULL, NULL))
DO_EXIT_0("Failed to add objects\n"); DO_EXIT_0("Failed to add objects\n");
PKCS7_add_signed_attribute PKCS7_add_signed_attribute
(si, NID_pkcs9_contentType, (si, NID_pkcs9_contentType,
V_ASN1_OBJECT, OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1)); V_ASN1_OBJECT, OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1));
if (is_cabinet && jp >= 0) { if (is_cabinet && jp >= 0) {
const u_char *attrs = NULL; const u_char *attrs = NULL;
@ -879,8 +879,8 @@ int main(int argc, char **argv)
astr = ASN1_STRING_new(); astr = ASN1_STRING_new();
ASN1_STRING_set(astr, attrs, len); ASN1_STRING_set(astr, attrs, len);
PKCS7_add_signed_attribute PKCS7_add_signed_attribute
(si, OBJ_txt2nid(SPC_MS_JAVA_SOMETHING), (si, OBJ_txt2nid(SPC_MS_JAVA_SOMETHING),
V_ASN1_SEQUENCE, astr); V_ASN1_SEQUENCE, astr);
} }
} }
@ -890,20 +890,20 @@ int main(int argc, char **argv)
} else { } else {
ASN1_STRING_set(astr, purpose_ind, sizeof(purpose_ind)); ASN1_STRING_set(astr, purpose_ind, sizeof(purpose_ind));
} }
PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_STATEMENT_TYPE_OBJID), PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_STATEMENT_TYPE_OBJID),
V_ASN1_SEQUENCE, astr); V_ASN1_SEQUENCE, astr);
if (desc || url) { if (desc || url) {
SpcSpOpusInfo *opus = createOpus(desc, url); SpcSpOpusInfo *opus = createOpus(desc, url);
if ((len = i2d_SpcSpOpusInfo(opus, NULL)) <= 0 || if ((len = i2d_SpcSpOpusInfo(opus, NULL)) <= 0 ||
(p = OPENSSL_malloc(len)) == NULL) (p = OPENSSL_malloc(len)) == NULL)
DO_EXIT_0("Couldn't allocate memory for opus info\n"); DO_EXIT_0("Couldn't allocate memory for opus info\n");
i2d_SpcSpOpusInfo(opus, &p); i2d_SpcSpOpusInfo(opus, &p);
p -= len; p -= len;
astr = ASN1_STRING_new(); astr = ASN1_STRING_new();
ASN1_STRING_set(astr, p, len); ASN1_STRING_set(astr, p, len);
PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_SP_OPUS_INFO_OBJID), PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_SP_OPUS_INFO_OBJID),
V_ASN1_SEQUENCE, astr); V_ASN1_SEQUENCE, astr);
} }
@ -918,7 +918,7 @@ int main(int argc, char **argv)
for(i = sk_X509_num(certs)-1; i>=0; i--) for(i = sk_X509_num(certs)-1; i>=0; i--)
PKCS7_add_certificate(sig, sk_X509_value(certs, i)); PKCS7_add_certificate(sig, sk_X509_value(certs, i));
#endif #endif
if ((sigdata = PKCS7_dataInit(sig, NULL)) == NULL) if ((sigdata = PKCS7_dataInit(sig, NULL)) == NULL)
DO_EXIT_0("Signing failed(PKCS7_dataInit)\n"); DO_EXIT_0("Signing failed(PKCS7_dataInit)\n");
@ -931,7 +931,7 @@ int main(int argc, char **argv)
if (!PKCS7_dataFinal(sig, sigdata)) if (!PKCS7_dataFinal(sig, sigdata))
DO_EXIT_0("Signing failed(PKCS7_dataFinal)\n"); DO_EXIT_0("Signing failed(PKCS7_dataFinal)\n");
/* replace the data part with the MS Authenticode /* replace the data part with the MS Authenticode
spcIndirectDataContext blob */ spcIndirectDataContext blob */
astr = ASN1_STRING_new(); astr = ASN1_STRING_new();
ASN1_STRING_set(astr, buf, len+i); ASN1_STRING_set(astr, buf, len+i);
@ -942,12 +942,12 @@ int main(int argc, char **argv)
#ifdef ENABLE_CURL #ifdef ENABLE_CURL
/* add counter-signature/timestamp */ /* add counter-signature/timestamp */
if (turl && add_timestamp(sig, turl, proxy)) if (turl && add_timestamp(sig, turl, proxy))
DO_EXIT_0("timestamping failed\n"); DO_EXIT_0("timestamping failed\n");
#endif #endif
#if 0 #if 0
if (!PEM_write_PKCS7(stdout, sig)) if (!PEM_write_PKCS7(stdout, sig))
DO_EXIT_0("PKCS7 output failed\n"); DO_EXIT_0("PKCS7 output failed\n");
#endif #endif
@ -964,7 +964,7 @@ int main(int argc, char **argv)
0x00, 0x02, 0x02, 0x00 0x00, 0x02, 0x02, 0x00
}; };
PUT_UINT32_LE(len+8+padlen, buf); PUT_UINT32_LE(len+8+padlen, buf);
BIO_write(outdata, buf, 4); BIO_write(outdata, buf, 4);
BIO_write(outdata, magic, sizeof(magic)); BIO_write(outdata, magic, sizeof(magic));
} }
@ -995,7 +995,7 @@ int main(int argc, char **argv)
return 0; return 0;
err_cleanup: err_cleanup:
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
if (hash != NULL) if (hash != NULL)
BIO_free_all(hash); BIO_free_all(hash);
@ -1003,5 +1003,3 @@ int main(int argc, char **argv)
fprintf(stderr, "\nFailed\n"); fprintf(stderr, "\nFailed\n");
return -1; return -1;
} }