mirror of
https://github.com/mtrojnar/osslsigncode.git
synced 2025-04-06 09:28:05 -05:00
Michał Trojnara
parent
8c82f76905
commit
bed25dcb7d
@ -1864,21 +1864,21 @@ static int msi_extract_signature_to_file(GsfInfile *infile, char *outfile)
|
|||||||
if (exsig != NULL) {
|
if (exsig != NULL) {
|
||||||
exlen = (unsigned long) gsf_input_remaining(exsig);
|
exlen = (unsigned long) gsf_input_remaining(exsig);
|
||||||
if (exlen > EVP_MAX_MD_SIZE) {
|
if (exlen > EVP_MAX_MD_SIZE) {
|
||||||
printf("MsiDigitalSignatureEx is larger than EVP_MAX_MD_SIZE. Aborting...\n\n");
|
printf("MsiDigitalSignatureEx is larger than EVP_MAX_MD_SIZE\n");
|
||||||
ret = 1;
|
ret = 1;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
exdata = OPENSSL_malloc(exlen);
|
exdata = OPENSSL_malloc(exlen);
|
||||||
if (gsf_input_read(exsig, exlen, exdata) == NULL) {
|
if (gsf_input_read(exsig, exlen, exdata) == NULL) {
|
||||||
printf("Unable to read MsiDigitalSignatureEx\n\n");
|
printf("Unable to read MsiDigitalSignatureEx\n");
|
||||||
ret = 1;
|
ret = 1;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
tohex(exdata, hexbuf, exlen);
|
tohex(exdata, hexbuf, exlen);
|
||||||
printf("Note: MSI includes a MsiDigitalSignatureEx section.\n");
|
printf("Note: MSI includes a MsiDigitalSignatureEx section\n");
|
||||||
printf("MsiDigitalSignatureEx pre-hash: %s\n\n", hexbuf);
|
printf("MsiDigitalSignatureEx pre-hash: %s\n", hexbuf);
|
||||||
}
|
}
|
||||||
|
|
||||||
out:
|
out:
|
||||||
@ -2647,37 +2647,37 @@ int main(int argc, char **argv) {
|
|||||||
ENGINE_load_dynamic();
|
ENGINE_load_dynamic();
|
||||||
ENGINE * dyn = ENGINE_by_id("dynamic");
|
ENGINE * dyn = ENGINE_by_id("dynamic");
|
||||||
if (!dyn)
|
if (!dyn)
|
||||||
DO_EXIT_0("Failed to load 'dynamic' engine");
|
DO_EXIT_0("Failed to load 'dynamic' engine\n");
|
||||||
if (1 != ENGINE_ctrl_cmd_string(dyn, "SO_PATH", p11engine, CMD_MANDATORY))
|
if (1 != ENGINE_ctrl_cmd_string(dyn, "SO_PATH", p11engine, CMD_MANDATORY))
|
||||||
DO_EXIT_1("Failed to set dyn SO_PATH to '%s'", p11engine);
|
DO_EXIT_1("Failed to set dyn SO_PATH to '%s'\n", p11engine);
|
||||||
|
|
||||||
if (1 != ENGINE_ctrl_cmd_string(dyn, "ID", "pkcs11", CMD_MANDATORY))
|
if (1 != ENGINE_ctrl_cmd_string(dyn, "ID", "pkcs11", CMD_MANDATORY))
|
||||||
DO_EXIT_0("Failed to set dyn ID to 'pkcs11'");
|
DO_EXIT_0("Failed to set dyn ID to 'pkcs11'\n");
|
||||||
|
|
||||||
if (1 != ENGINE_ctrl_cmd(dyn, "LIST_ADD", 1, NULL, NULL, CMD_MANDATORY))
|
if (1 != ENGINE_ctrl_cmd(dyn, "LIST_ADD", 1, NULL, NULL, CMD_MANDATORY))
|
||||||
DO_EXIT_0("Failed to set dyn LIST_ADD to '1'");
|
DO_EXIT_0("Failed to set dyn LIST_ADD to '1'\n");
|
||||||
|
|
||||||
if (1 != ENGINE_ctrl_cmd(dyn, "LOAD", 1, NULL, NULL, CMD_MANDATORY))
|
if (1 != ENGINE_ctrl_cmd(dyn, "LOAD", 1, NULL, NULL, CMD_MANDATORY))
|
||||||
DO_EXIT_0("Failed to set dyn LOAD to '1'");
|
DO_EXIT_0("Failed to set dyn LOAD to '1'\n");
|
||||||
|
|
||||||
ENGINE * pkcs11 = ENGINE_by_id("pkcs11");
|
ENGINE * pkcs11 = ENGINE_by_id("pkcs11");
|
||||||
if (!pkcs11)
|
if (!pkcs11)
|
||||||
DO_EXIT_0("Failed to find and load pkcs11 engine");
|
DO_EXIT_0("Failed to find and load pkcs11 engine\n");
|
||||||
|
|
||||||
if (1 != ENGINE_ctrl_cmd_string(pkcs11, "MODULE_PATH", p11module, CMD_MANDATORY))
|
if (1 != ENGINE_ctrl_cmd_string(pkcs11, "MODULE_PATH", p11module, CMD_MANDATORY))
|
||||||
DO_EXIT_1("Failed to set pkcs11 engine MODULE_PATH to '%s'", p11module);
|
DO_EXIT_1("Failed to set pkcs11 engine MODULE_PATH to '%s'\n", p11module);
|
||||||
|
|
||||||
if (pass != NULL) {
|
if (pass != NULL) {
|
||||||
if (1 != ENGINE_ctrl_cmd_string(pkcs11, "PIN", pass, CMD_MANDATORY))
|
if (1 != ENGINE_ctrl_cmd_string(pkcs11, "PIN", pass, CMD_MANDATORY))
|
||||||
DO_EXIT_0("Failed to set pkcs11 PIN");
|
DO_EXIT_0("Failed to set pkcs11 PIN\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (1 != ENGINE_init(pkcs11))
|
if (1 != ENGINE_init(pkcs11))
|
||||||
DO_EXIT_0("Failed to initialized pkcs11 engine");
|
DO_EXIT_0("Failed to initialized pkcs11 engine\n");
|
||||||
|
|
||||||
pkey = ENGINE_load_private_key(pkcs11, keyfile, NULL, NULL);
|
pkey = ENGINE_load_private_key(pkcs11, keyfile, NULL, NULL);
|
||||||
if (pkey == NULL)
|
if (pkey == NULL)
|
||||||
DO_EXIT_1("Failed to load private key %s", keyfile);
|
DO_EXIT_1("Failed to load private key %s\n", keyfile);
|
||||||
if ((btmp = BIO_new_file(certfile, "rb")) == NULL ||
|
if ((btmp = BIO_new_file(certfile, "rb")) == NULL ||
|
||||||
((p7 = d2i_PKCS7_bio(btmp, NULL)) == NULL &&
|
((p7 = d2i_PKCS7_bio(btmp, NULL)) == NULL &&
|
||||||
(certs = PEM_read_certs(btmp, "")) == NULL))
|
(certs = PEM_read_certs(btmp, "")) == NULL))
|
||||||
@ -2769,17 +2769,17 @@ int main(int argc, char **argv) {
|
|||||||
|
|
||||||
src = gsf_input_stdio_new(infile, NULL);
|
src = gsf_input_stdio_new(infile, NULL);
|
||||||
if (!src)
|
if (!src)
|
||||||
DO_EXIT_1("Error opening file %s", infile);
|
DO_EXIT_1("Error opening file %s\n", infile);
|
||||||
ole = gsf_infile_msole_new(src, NULL);
|
ole = gsf_infile_msole_new(src, NULL);
|
||||||
|
|
||||||
if (cmd == CMD_EXTRACT) {
|
if (cmd == CMD_EXTRACT) {
|
||||||
if (output_pkcs7) {
|
if (output_pkcs7) {
|
||||||
sig = msi_extract_signature_to_pkcs7(ole);
|
sig = msi_extract_signature_to_pkcs7(ole);
|
||||||
if (!sig)
|
if (!sig)
|
||||||
DO_EXIT_0("Unable to extract existing signature.");
|
DO_EXIT_0("Unable to extract existing signature\n");
|
||||||
outdata = BIO_new_file(outfile, "w+b");
|
outdata = BIO_new_file(outfile, "w+b");
|
||||||
if (outdata == NULL)
|
if (outdata == NULL)
|
||||||
DO_EXIT_1("Unable to open %s\n\n", outfile);
|
DO_EXIT_1("Unable to open %s\n", outfile);
|
||||||
ret = !PEM_write_bio_PKCS7(outdata, sig);
|
ret = !PEM_write_bio_PKCS7(outdata, sig);
|
||||||
BIO_free_all(outdata);
|
BIO_free_all(outdata);
|
||||||
} else {
|
} else {
|
||||||
@ -2801,7 +2801,7 @@ int main(int argc, char **argv) {
|
|||||||
unsigned long dselen = 0;
|
unsigned long dselen = 0;
|
||||||
int has_dse = 0;
|
int has_dse = 0;
|
||||||
if (msi_extract_dse(ole, NULL, &dselen, &has_dse) != 0 && has_dse) {
|
if (msi_extract_dse(ole, NULL, &dselen, &has_dse) != 0 && has_dse) {
|
||||||
DO_EXIT_0("Unable to extract MsiDigitalSigantureEx section.\n");
|
DO_EXIT_0("Unable to extract MsiDigitalSigantureEx section\n");
|
||||||
}
|
}
|
||||||
if (has_dse) {
|
if (has_dse) {
|
||||||
int mdlen = EVP_MD_size(md);
|
int mdlen = EVP_MD_size(md);
|
||||||
@ -2815,7 +2815,7 @@ int main(int argc, char **argv) {
|
|||||||
|
|
||||||
cursig = msi_extract_signature_to_pkcs7(ole);
|
cursig = msi_extract_signature_to_pkcs7(ole);
|
||||||
if (cursig == NULL) {
|
if (cursig == NULL) {
|
||||||
DO_EXIT_0("Unable to extract existing signature in -nest mode");
|
DO_EXIT_0("Unable to extract existing signature in -nest mode\n");
|
||||||
}
|
}
|
||||||
if (cmd == CMD_ADD) {
|
if (cmd == CMD_ADD) {
|
||||||
sig = cursig;
|
sig = cursig;
|
||||||
@ -2825,7 +2825,7 @@ int main(int argc, char **argv) {
|
|||||||
|
|
||||||
sink = gsf_output_stdio_new(outfile, NULL);
|
sink = gsf_output_stdio_new(outfile, NULL);
|
||||||
if (!sink)
|
if (!sink)
|
||||||
DO_EXIT_1("Error opening output file %s", outfile);
|
DO_EXIT_1("Error opening output file %s\n", outfile);
|
||||||
outole = gsf_outfile_msole_new(sink);
|
outole = gsf_outfile_msole_new(sink);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -2874,7 +2874,7 @@ int main(int argc, char **argv) {
|
|||||||
BIO_push(prehash, BIO_new(BIO_s_null()));
|
BIO_push(prehash, BIO_new(BIO_s_null()));
|
||||||
|
|
||||||
if (!msi_prehash(ole, NULL, prehash))
|
if (!msi_prehash(ole, NULL, prehash))
|
||||||
DO_EXIT_0("unable to calculate MSI pre-hash ('metadata') hash.\n");
|
DO_EXIT_0("Unable to calculate MSI pre-hash ('metadata') hash\n");
|
||||||
|
|
||||||
p_msiex = malloc(EVP_MAX_MD_SIZE);
|
p_msiex = malloc(EVP_MAX_MD_SIZE);
|
||||||
len_msiex = BIO_gets(prehash, (char*)p_msiex, EVP_MAX_MD_SIZE);
|
len_msiex = BIO_gets(prehash, (char*)p_msiex, EVP_MAX_MD_SIZE);
|
||||||
@ -2883,7 +2883,7 @@ int main(int argc, char **argv) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!msi_handle_dir(ole, outole, hash)) {
|
if (!msi_handle_dir(ole, outole, hash)) {
|
||||||
DO_EXIT_0("unable to msi_handle_dir()\n");
|
DO_EXIT_0("Unable to msi_handle_dir()\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (cmd == CMD_REMOVE) {
|
if (cmd == CMD_REMOVE) {
|
||||||
@ -2956,8 +2956,7 @@ int main(int argc, char **argv) {
|
|||||||
unsigned short magic;
|
unsigned short magic;
|
||||||
|
|
||||||
if (jp >= 0)
|
if (jp >= 0)
|
||||||
fprintf(stderr, "Warning: -jp option is only valid "
|
fprintf(stderr, "Warning: -jp option is only valid for CAB files\n");
|
||||||
"for CAB files.\n");
|
|
||||||
|
|
||||||
magic = GET_UINT16_LE(indata + peheader + 24);
|
magic = GET_UINT16_LE(indata + peheader + 24);
|
||||||
if (magic == 0x20b) {
|
if (magic == 0x20b) {
|
||||||
@ -2989,7 +2988,7 @@ int main(int argc, char **argv) {
|
|||||||
if (output_pkcs7) {
|
if (output_pkcs7) {
|
||||||
sig = extract_existing_pe_pkcs7(indata, sigpos ? sigpos : fileend, siglen);
|
sig = extract_existing_pe_pkcs7(indata, sigpos ? sigpos : fileend, siglen);
|
||||||
if (!sig)
|
if (!sig)
|
||||||
DO_EXIT_0("Unable to extract existing signature.");
|
DO_EXIT_0("Unable to extract existing signature\n");
|
||||||
PEM_write_bio_PKCS7(outdata, sig);
|
PEM_write_bio_PKCS7(outdata, sig);
|
||||||
} else {
|
} else {
|
||||||
BIO_write(outdata, indata + sigpos, siglen);
|
BIO_write(outdata, indata + sigpos, siglen);
|
||||||
@ -3000,7 +2999,7 @@ int main(int argc, char **argv) {
|
|||||||
if ((cmd == CMD_SIGN && nest) || (cmd == CMD_ATTACH && nest) || cmd == CMD_ADD) {
|
if ((cmd == CMD_SIGN && nest) || (cmd == CMD_ATTACH && nest) || cmd == CMD_ADD) {
|
||||||
cursig = extract_existing_pe_pkcs7(indata, sigpos ? sigpos : fileend, siglen);
|
cursig = extract_existing_pe_pkcs7(indata, sigpos ? sigpos : fileend, siglen);
|
||||||
if (cursig == NULL) {
|
if (cursig == NULL) {
|
||||||
DO_EXIT_0("Unable to extract existing signature in -nest mode");
|
DO_EXIT_0("Unable to extract existing signature in -nest mode\n");
|
||||||
}
|
}
|
||||||
if (cmd == CMD_ADD) {
|
if (cmd == CMD_ADD) {
|
||||||
sig = cursig;
|
sig = cursig;
|
||||||
@ -3068,7 +3067,7 @@ int main(int argc, char **argv) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (!sig)
|
if (!sig)
|
||||||
DO_EXIT_0("No valid signature found.");
|
DO_EXIT_0("No valid signature found\n");
|
||||||
goto add_only;
|
goto add_only;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3215,7 +3214,7 @@ add_only:
|
|||||||
#ifdef ENABLE_CURL
|
#ifdef ENABLE_CURL
|
||||||
/* add counter-signature/timestamp */
|
/* add counter-signature/timestamp */
|
||||||
if (nturl && add_timestamp_authenticode(sig, turl, nturl, proxy, noverifypeer))
|
if (nturl && add_timestamp_authenticode(sig, turl, nturl, proxy, noverifypeer))
|
||||||
DO_EXIT_0("authenticode timestamping failed\n");
|
DO_EXIT_0("Authenticode timestamping failed\n");
|
||||||
if (ntsurl && add_timestamp_rfc3161(sig, tsurl, ntsurl, proxy, md, noverifypeer))
|
if (ntsurl && add_timestamp_rfc3161(sig, tsurl, ntsurl, proxy, md, noverifypeer))
|
||||||
DO_EXIT_0("RFC 3161 timestamping failed\n");
|
DO_EXIT_0("RFC 3161 timestamping failed\n");
|
||||||
#endif
|
#endif
|
||||||
@ -3230,11 +3229,10 @@ add_only:
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (nest) {
|
if (nest) {
|
||||||
if (cursig == NULL) {
|
if (cursig == NULL)
|
||||||
DO_EXIT_0("no 'cursig' was extracted. this points to a bug in the code. aborting...\n")
|
DO_EXIT_0("Internal error: No 'cursig' was extracted\n")
|
||||||
}
|
|
||||||
if (pkcs7_set_nested_signature(cursig, sig) == 0)
|
if (pkcs7_set_nested_signature(cursig, sig) == 0)
|
||||||
DO_EXIT_0("unable to append the nested signature to the current signature\n");
|
DO_EXIT_0("Unable to append the nested signature to the current signature\n");
|
||||||
outsig = cursig;
|
outsig = cursig;
|
||||||
} else {
|
} else {
|
||||||
outsig = sig;
|
outsig = sig;
|
||||||
@ -3243,7 +3241,7 @@ add_only:
|
|||||||
/* Append signature to outfile */
|
/* Append signature to outfile */
|
||||||
if (((len = i2d_PKCS7(outsig, NULL)) <= 0) ||
|
if (((len = i2d_PKCS7(outsig, NULL)) <= 0) ||
|
||||||
(p = OPENSSL_malloc(len)) == NULL)
|
(p = OPENSSL_malloc(len)) == NULL)
|
||||||
DO_EXIT_1("i2d_PKCS - memory allocation failed: %d\n", len);
|
DO_EXIT_1("i2d_PKCS memory allocation failed: %d\n", len);
|
||||||
i2d_PKCS7(outsig, &p);
|
i2d_PKCS7(outsig, &p);
|
||||||
p -= len;
|
p -= len;
|
||||||
padlen = (8 - len%8) % 8;
|
padlen = (8 - len%8) % 8;
|
||||||
@ -3269,13 +3267,13 @@ add_only:
|
|||||||
if (cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_ATTACH) {
|
if (cmd == CMD_SIGN || cmd == CMD_ADD || cmd == CMD_ATTACH) {
|
||||||
GsfOutput *child = gsf_outfile_new_child(outole, "\05DigitalSignature", FALSE);
|
GsfOutput *child = gsf_outfile_new_child(outole, "\05DigitalSignature", FALSE);
|
||||||
if (!gsf_output_write(child, len, p))
|
if (!gsf_output_write(child, len, p))
|
||||||
DO_EXIT_1("Failed to write MSI 'DigitalSignature' signature to %s", infile);
|
DO_EXIT_1("Failed to write MSI 'DigitalSignature' signature to %s\n", infile);
|
||||||
gsf_output_close(child);
|
gsf_output_close(child);
|
||||||
|
|
||||||
if (p_msiex != NULL) {
|
if (p_msiex != NULL) {
|
||||||
child = gsf_outfile_new_child(outole, "\05MsiDigitalSignatureEx", FALSE);
|
child = gsf_outfile_new_child(outole, "\05MsiDigitalSignatureEx", FALSE);
|
||||||
if (!gsf_output_write(child, len_msiex, p_msiex)) {
|
if (!gsf_output_write(child, len_msiex, p_msiex)) {
|
||||||
DO_EXIT_1("Failed to write MSI 'MsiDigitalSignatureEx' signature to %s", infile);
|
DO_EXIT_1("Failed to write MSI 'MsiDigitalSignatureEx' signature to %s\n", infile);
|
||||||
}
|
}
|
||||||
gsf_output_close(child);
|
gsf_output_close(child);
|
||||||
}
|
}
|
||||||
@ -3315,15 +3313,15 @@ skip_signing:
|
|||||||
if (type == FILE_TYPE_PE) {
|
if (type == FILE_TYPE_PE) {
|
||||||
outdatasize = get_file_size(outfile);
|
outdatasize = get_file_size(outfile);
|
||||||
if (!outdatasize)
|
if (!outdatasize)
|
||||||
DO_EXIT_0("Error verifying result.\n");
|
DO_EXIT_0("Error verifying result\n");
|
||||||
outdataverify = map_file(outfile, outdatasize);
|
outdataverify = map_file(outfile, outdatasize);
|
||||||
if (!outdataverify)
|
if (!outdataverify)
|
||||||
DO_EXIT_0("Error verifying result.\n");
|
DO_EXIT_0("Error verifying result\n");
|
||||||
int sigpos = GET_UINT32_LE(outdataverify + peheader + 152 + pe32plus*16);
|
int sigpos = GET_UINT32_LE(outdataverify + peheader + 152 + pe32plus*16);
|
||||||
int siglen = GET_UINT32_LE(outdataverify + peheader + 152 + pe32plus*16 + 4);
|
int siglen = GET_UINT32_LE(outdataverify + peheader + 152 + pe32plus*16 + 4);
|
||||||
ret = verify_pe_file(outdataverify, peheader, pe32plus, sigpos, siglen, leafhash);
|
ret = verify_pe_file(outdataverify, peheader, pe32plus, sigpos, siglen, leafhash);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
DO_EXIT_0("Signature mismatch.\n");
|
DO_EXIT_0("Signature mismatch\n");
|
||||||
}
|
}
|
||||||
} else if (type == FILE_TYPE_MSI) {
|
} else if (type == FILE_TYPE_MSI) {
|
||||||
#ifdef WITH_GSF
|
#ifdef WITH_GSF
|
||||||
@ -3332,13 +3330,13 @@ skip_signing:
|
|||||||
|
|
||||||
src = gsf_input_stdio_new(outfile, NULL);
|
src = gsf_input_stdio_new(outfile, NULL);
|
||||||
if (!src)
|
if (!src)
|
||||||
DO_EXIT_1("Error opening file %s", outfile);
|
DO_EXIT_1("Error opening file %s\n", outfile);
|
||||||
ole = gsf_infile_msole_new(src, NULL);
|
ole = gsf_infile_msole_new(src, NULL);
|
||||||
g_object_unref(src);
|
g_object_unref(src);
|
||||||
ret = msi_verify_file(ole, leafhash);
|
ret = msi_verify_file(ole, leafhash);
|
||||||
g_object_unref(ole);
|
g_object_unref(ole);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
DO_EXIT_0("Signature mismatch.\n");
|
DO_EXIT_0("Signature mismatch\n");
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
DO_EXIT_1("libgsf is not available, msi support is disabled: %s\n", infile);
|
DO_EXIT_1("libgsf is not available, msi support is disabled: %s\n", infile);
|
||||||
@ -3346,7 +3344,7 @@ skip_signing:
|
|||||||
} else {
|
} else {
|
||||||
DO_EXIT_1("Unknown input type for file: %s\n", infile);
|
DO_EXIT_1("Unknown input type for file: %s\n", infile);
|
||||||
}
|
}
|
||||||
printf("Signature successfully attached.\n");
|
printf("Signature successfully attached\n");
|
||||||
} else {
|
} else {
|
||||||
printf(ret ? "Failed\n" : "Succeeded\n");
|
printf(ret ? "Failed\n" : "Succeeded\n");
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user