nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-04 17:00:11 -05:00
Code Issues Projects Releases Wiki Activity

Set the NONCE field in a TSA request

Browse Source
This commit is contained in:
olszomal 2024-03-08 08:35:47 +01:00 committed by Michał Trojnara
parent b294f5d18f
commit c73f82b558
3 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
NEWS.md
View File

@ -2,6 +2,8 @@
### 2.9 (unreleased) ### 2.9 (unreleased)
- added a 64 bit long pseudo-random NONCE in the TSA request
### 2.8 (2024.03.03) ### 2.8 (2024.03.03)
- Microsoft PowerShell signing sponsored by Cisco Systems, Inc. - Microsoft PowerShell signing sponsored by Cisco Systems, Inc.

39
osslsigncode.c
View File

@ -207,6 +207,7 @@ ASN1_SEQUENCE(MsCtlContent) = {
IMPLEMENT_ASN1_FUNCTIONS(MsCtlContent) IMPLEMENT_ASN1_FUNCTIONS(MsCtlContent)
/* Prototypes */ /* Prototypes */
static ASN1_INTEGER *create_nonce(int bits);
static time_t time_t_get_asn1_time(const ASN1_TIME *s); static time_t time_t_get_asn1_time(const ASN1_TIME *s);
static time_t time_t_get_si_time(PKCS7_SIGNER_INFO *si); static time_t time_t_get_si_time(PKCS7_SIGNER_INFO *si);
static ASN1_UTCTIME *asn1_time_get_si_time(PKCS7_SIGNER_INFO *si); static ASN1_UTCTIME *asn1_time_get_si_time(PKCS7_SIGNER_INFO *si);
@ -262,6 +263,7 @@ static BIO *bio_encode_rfc3161_request(PKCS7 *p7, const EVP_MD *md)
PKCS7_SIGNER_INFO *si; PKCS7_SIGNER_INFO *si;
u_char mdbuf[EVP_MAX_MD_SIZE]; u_char mdbuf[EVP_MAX_MD_SIZE];
TS_MSG_IMPRINT *msg_imprint = NULL; TS_MSG_IMPRINT *msg_imprint = NULL;
ASN1_INTEGER *nonce = NULL;
X509_ALGOR *alg = NULL; X509_ALGOR *alg = NULL;
TS_REQ *req = NULL; TS_REQ *req = NULL;
BIO *bout = NULL, *bhash = NULL; BIO *bout = NULL, *bhash = NULL;
@ -306,6 +308,12 @@ static BIO *bio_encode_rfc3161_request(PKCS7 *p7, const EVP_MD *md)
goto out; goto out;
if (!TS_REQ_set_msg_imprint(req, msg_imprint)) if (!TS_REQ_set_msg_imprint(req, msg_imprint))
goto out; goto out;
/* Setting nonce */
nonce = create_nonce(NONCE_LENGTH);
if (!nonce)
goto out;
if (!TS_REQ_set_nonce(req, nonce))
goto out;
/* TSA is expected to include its signing certificate in the response, flag 0xFF */ /* TSA is expected to include its signing certificate in the response, flag 0xFF */
if (!TS_REQ_set_cert_req(req, 1)) if (!TS_REQ_set_cert_req(req, 1))
goto out; goto out;
@ -322,6 +330,7 @@ static BIO *bio_encode_rfc3161_request(PKCS7 *p7, const EVP_MD *md)
out: out:
BIO_free_all(bhash); BIO_free_all(bhash);
ASN1_INTEGER_free(nonce);
TS_MSG_IMPRINT_free(msg_imprint); TS_MSG_IMPRINT_free(msg_imprint);
X509_ALGOR_free(alg); X509_ALGOR_free(alg);
TS_REQ_free(req); TS_REQ_free(req);
@ -329,6 +338,36 @@ out:
return bout; return bout;
} }
static ASN1_INTEGER *create_nonce(int bits)
{
unsigned char buf[20];
ASN1_INTEGER *nonce = NULL;
int len = (bits - 1) / 8 + 1;
int i;
if (len > (int)sizeof(buf)) {
printf("Invalid nonce size\n");
return NULL;
}
if (RAND_bytes(buf, len) <= 0) {
printf("Random nonce generation failed\n");
return NULL;
}
/* Find the first non-zero byte and creating ASN1_INTEGER object. */
for (i = 0; i < len && !buf[i]; ++i) {
}
nonce = ASN1_INTEGER_new();
if (!nonce) {
printf("Could not create nonce\n");
return NULL;
}
OPENSSL_free(nonce->data);
nonce->length = len - i;
nonce->data = OPENSSL_malloc((size_t)nonce->length + 1);
memcpy(nonce->data, buf + i, (size_t)nonce->length);
return nonce;
}
/* /*
* Encode authenticode timestamp request and write it into BIO * Encode authenticode timestamp request and write it into BIO
* [in] p7: new PKCS#7 signature * [in] p7: new PKCS#7 signature

2
osslsigncode.h
View File

@ -76,6 +76,8 @@
#include <curl/curl.h> #include <curl/curl.h>
#endif /* ENABLE_CURL */ #endif /* ENABLE_CURL */
/* Request nonce length, in bits (must be a multiple of 8). */
#define NONCE_LENGTH 64
#define MAX_TS_SERVERS 256 #define MAX_TS_SERVERS 256
#if defined (HAVE_TERMIOS_H) || defined (HAVE_GETPASS) #if defined (HAVE_TERMIOS_H) || defined (HAVE_GETPASS)