nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-05-20 18:34:29 -05:00
Code Issues Projects Releases Wiki Activity

resolved merge conflict

Browse Source
This commit is contained in:
olszomal 2020-03-26 11:24:24 +01:00
commit ee17261eaf
1 changed files with 87 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

131
osslsigncode.c
View File

@ -185,6 +185,9 @@ typedef unsigned char u_char;
*/ */
#define FLAG_RESERVE_PRESENT 0x0004 #define FLAG_RESERVE_PRESENT 0x0004
#define INVALID_TIME ((time_t)-1)
/* /*
ASN.1 definitions (more or less from official MS Authenticode docs) ASN.1 definitions (more or less from official MS Authenticode docs)
*/ */
@ -547,7 +550,7 @@ static size_t asn1_simple_hdr_len(const unsigned char *p, size_t len)
*/ */
static int pkcs7_add_signing_time(PKCS7_SIGNER_INFO *si, time_t signing_time) static int pkcs7_add_signing_time(PKCS7_SIGNER_INFO *si, time_t signing_time)
{ {
if (signing_time == (time_t)-1) /* -st option was not specified */ if (signing_time == INVALID_TIME) /* -st option was not specified */
return 1; /* success */ return 1; /* success */
return PKCS7_add_signed_attribute(si, return PKCS7_add_signed_attribute(si,
NID_pkcs9_signingTime, V_ASN1_UTCTIME, NID_pkcs9_signingTime, V_ASN1_UTCTIME,
@ -1566,25 +1569,24 @@ static int print_cert(X509 *cert, int i)
return 1; /* OK */ return 1; /* OK */
} }
static int find_signers(PKCS7 *p7, char *leafhash, int *leafok) static int find_signer(PKCS7 *p7, char *leafhash, int *leafok)
{ {
STACK_OF(X509) *signers; STACK_OF(X509) *signers;
X509 *cert; X509 *cert;
int i, count;
/* retrieve the signer's certificates from p7 */ /*
* retrieve the signer's certificate from p7,
* search only internal certificates if it was requested
*/
signers = PKCS7_get0_signers(p7, NULL, 0); signers = PKCS7_get0_signers(p7, NULL, 0);
if (signers == NULL) if (!signers || sk_X509_num(signers) != 1)
return 0; /* FAILED */ return 0; /* FAILED */
count = sk_X509_num(signers); printf("Signer's certificate:\n");
printf("Number of signers: %d\n", count); cert = sk_X509_value(signers, 0);
for (i=0; i<count; i++) { if ((cert == NULL) || (!print_cert(cert, 0)))
cert = sk_X509_value(signers, i); return 0; /* FAILED */
if ((cert == NULL) || (!print_cert(cert, i))) if (leafhash != NULL && *leafok == 0) {
return 0; /* FAILED */ *leafok = verify_leaf_hash(cert, leafhash) == 0;
if (leafhash != NULL && *leafok == 0) {
*leafok = verify_leaf_hash(cert, leafhash) == 0;
}
} }
sk_X509_free(signers); sk_X509_free(signers);
return 1; /* OK */ return 1; /* OK */
@ -1632,7 +1634,32 @@ static ASN1_UTCTIME *get_signing_time(PKCS7_SIGNER_INFO *si)
return time; return time;
} }
static int load_file_lookup(X509_STORE *store, char *certs, char *crl, int purpose) static int load_crlfile_lookup(X509_STORE *store, char *crl)
{
X509_LOOKUP *lookup;
X509_VERIFY_PARAM *param;
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (!lookup)
return 0; /* FAILED */
if (!X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM)) {
fprintf(stderr, "Error: no CRL found in %s\n", crl);
return 0; /* FAILED */
}
param = X509_STORE_get0_param(store);
if (param == NULL)
return 0; /* FAILED */
if (!X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK))
return 0; /* FAILED */
if (!X509_VERIFY_PARAM_set_purpose(param, X509_PURPOSE_CRL_SIGN))
return 0; /* FAILED */
if (!X509_STORE_set1_param(store, param))
return 0; /* FAILED */
return 1; /* OK */
}
static int load_file_lookup(X509_STORE *store, char *certs, int purpose)
{ {
X509_LOOKUP *lookup; X509_LOOKUP *lookup;
X509_VERIFY_PARAM *param; X509_VERIFY_PARAM *param;
@ -1644,15 +1671,9 @@ static int load_file_lookup(X509_STORE *store, char *certs, char *crl, int purpo
fprintf(stderr, "Error: no certificate found in %s\n", certs); fprintf(stderr, "Error: no certificate found in %s\n", certs);
return 0; /* FAILED */ return 0; /* FAILED */
} }
if (crl && !X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM)) {
fprintf(stderr, "Error: no CRL found in %s\n", crl);
return 0; /* FAILED */
}
param = X509_STORE_get0_param(store); param = X509_STORE_get0_param(store);
if (param == NULL) if (param == NULL)
return 0; /* FAILED */ return 0; /* FAILED */
if (crl && !X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK))
return 0; /* FAILED */
if (!X509_VERIFY_PARAM_set_purpose(param, purpose)) if (!X509_VERIFY_PARAM_set_purpose(param, purpose))
return 0; /* FAILED */ return 0; /* FAILED */
if (!X509_STORE_set1_param(store, param)) if (!X509_STORE_set1_param(store, param))
@ -1932,26 +1953,27 @@ static int verify_timestamp(PKCS7 *p7, PKCS7 *tmstamp_p7, char *untrusted)
{ {
X509_STORE *store = NULL; X509_STORE *store = NULL;
PKCS7_SIGNER_INFO *si; PKCS7_SIGNER_INFO *si;
int ret = 0, verok; int ret = 1, verok = 0;
printf("TSA's certificates file: %s\n", untrusted); printf("TSA's certificates file: %s\n", untrusted);
store = X509_STORE_new(); store = X509_STORE_new();
if (!load_file_lookup(store, untrusted, NULL, X509_PURPOSE_TIMESTAMP_SIGN)) { if (!load_file_lookup(store, untrusted, X509_PURPOSE_TIMESTAMP_SIGN)) {
printf("\nUse the \"-untrusted\" option to add the CA cert bundle to verify timestamp server.\n"); printf("\nUse the \"-untrusted\" option to add the CA cert bundle to verify timestamp server.\n");
ret = 1; /* FAILED */ ret = 0; /* FAILED */
} }
verok = PKCS7_verify(tmstamp_p7, tmstamp_p7->d.sign->cert, store, 0, NULL, 0); if (ret)
verok = PKCS7_verify(tmstamp_p7, NULL, store, 0, NULL, 0);
printf("\nTimestamp Server Signature verification: %s\n", verok ? "ok" : "failed"); printf("\nTimestamp Server Signature verification: %s\n", verok ? "ok" : "failed");
if (!verok) { if (!verok) {
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
ret = 1; /* FAILED */ ret = 0; /* FAILED */
} }
/* verify the hash provided from the trusted timestamp */ /* verify the hash provided from the trusted timestamp */
si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0); si = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
verok = TST_verify(tmstamp_p7, si); verok = TST_verify(tmstamp_p7, si);
if (!verok) { if (!verok) {
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
ret = 1; /* FAILED */ ret = 0; /* FAILED */
} }
X509_STORE_free(store); X509_STORE_free(store);
@ -1961,18 +1983,24 @@ static int verify_timestamp(PKCS7 *p7, PKCS7 *tmstamp_p7, char *untrusted)
static int verify_authenticode(PKCS7 *p7, ASN1_UTCTIME *timestamp_time, char *cafile, char *crlfile) static int verify_authenticode(PKCS7 *p7, ASN1_UTCTIME *timestamp_time, char *cafile, char *crlfile)
{ {
X509_STORE *store = NULL; X509_STORE *store = NULL;
int ret = 0, verok; int ret = 0, verok = 0;
size_t seqhdrlen; size_t seqhdrlen;
BIO *bio = NULL; BIO *bio = NULL;
int day, sec; int day, sec;
time_t time; time_t time = INVALID_TIME;
STACK_OF(X509) *signers;
seqhdrlen = asn1_simple_hdr_len(p7->d.sign->contents->d.other->value.sequence->data,
p7->d.sign->contents->d.other->value.sequence->length);
bio = BIO_new_mem_buf(p7->d.sign->contents->d.other->value.sequence->data + seqhdrlen,
p7->d.sign->contents->d.other->value.sequence->length - seqhdrlen);
store = X509_STORE_new(); store = X509_STORE_new();
if (!load_file_lookup(store, cafile, crlfile, X509_PURPOSE_CRL_SIGN)) { if (!load_file_lookup(store, cafile, X509_PURPOSE_ANY)) {
fprintf(stderr, "Failed to add store lookup file\n"); fprintf(stderr, "Failed to add store lookup file\n");
ret = 1; /* FAILED */ ret = 1; /* FAILED */
} }
if (timestamp_time != NULL) { if (timestamp_time) {
if (!ASN1_TIME_diff(&day, &sec, ASN1_TIME_set(NULL, 0), timestamp_time)) if (!ASN1_TIME_diff(&day, &sec, ASN1_TIME_set(NULL, 0), timestamp_time))
ret = 1; /* FAILED */ ret = 1; /* FAILED */
time = 86400*day+sec; time = 86400*day+sec;
@ -1981,17 +2009,33 @@ static int verify_authenticode(PKCS7 *p7, ASN1_UTCTIME *timestamp_time, char *ca
ret = 1; /* FAILED */ ret = 1; /* FAILED */
} }
} }
seqhdrlen = asn1_simple_hdr_len(p7->d.sign->contents->d.other->value.sequence->data,
p7->d.sign->contents->d.other->value.sequence->length);
bio = BIO_new_mem_buf(p7->d.sign->contents->d.other->value.sequence->data + seqhdrlen,
p7->d.sign->contents->d.other->value.sequence->length - seqhdrlen);
verok = PKCS7_verify(p7, p7->d.sign->cert, store, bio, NULL, 0); /* check extended key usage flag XKU_CODE_SIGN */
signers = PKCS7_get0_signers(p7, NULL, 0);
if (!signers || sk_X509_num(signers) != 1)
ret = 1; /* FAILED */
if (!(X509_get_extension_flags(sk_X509_value(signers, 0)) && XKU_CODE_SIGN)) {
fprintf(stderr, "Unsupported Signer's certificate purpose\n");
ret = 1; /* FAILED */
}
if (!ret) {
verok = PKCS7_verify(p7, NULL, store, bio, NULL, 0);
if (crlfile) {
if (!load_crlfile_lookup(store, crlfile)) {
fprintf(stderr, "Failed to add store lookup file\n");
ret = 1; /* FAILED */
}
if (!ret)
verok = PKCS7_verify(p7, NULL, store, bio, NULL, 0);
printf("CRL verification: %s\n", verok ? "ok" : "failed");
}
}
printf("Signature verification: %s\n", verok ? "ok" : "failed"); printf("Signature verification: %s\n", verok ? "ok" : "failed");
if (!verok) { if (!verok) {
ERR_print_errors_fp(stdout); ERR_print_errors_fp(stdout);
ret = 1; /* FAILED */ ret = 1; /* FAILED */
} }
BIO_free(bio); BIO_free(bio);
X509_STORE_free(store); X509_STORE_free(store);
@ -2004,7 +2048,7 @@ static int verify_pkcs7(PKCS7 *p7, char *leafhash, char *cafile, char *crlfile,
ASN1_UTCTIME *timestamp_time = NULL; ASN1_UTCTIME *timestamp_time = NULL;
int ret = 0, leafok = 0; int ret = 0, leafok = 0;
if (!find_signers(p7, leafhash, &leafok)) if (!find_signer(p7, leafhash, &leafok))
printf("Find signers error"); /* FAILED */ printf("Find signers error"); /* FAILED */
if (!print_certs(p7)) if (!print_certs(p7))
printf("Print certs error"); /* FAILED */ printf("Print certs error"); /* FAILED */
@ -2018,12 +2062,11 @@ static int verify_pkcs7(PKCS7 *p7, char *leafhash, char *cafile, char *crlfile,
printf("\nCAfile: %s\n", cafile); printf("\nCAfile: %s\n", cafile);
if (crlfile) if (crlfile)
printf("CRLfile: %s\n", crlfile); printf("CRLfile: %s\n", crlfile);
if (tmstamp_p7) if (!tmstamp_p7)
ret |= verify_timestamp(p7, tmstamp_p7, untrusted);
else
printf("\nFile is not timestamped\n"); printf("\nFile is not timestamped\n");
if (ret == 1) else if (!verify_timestamp(p7, tmstamp_p7, untrusted))
timestamp_time = NULL; timestamp_time = NULL;
ret |= verify_authenticode(p7, timestamp_time, cafile, crlfile); ret |= verify_authenticode(p7, timestamp_time, cafile, crlfile);
if (tmstamp_p7) { if (tmstamp_p7) {
@ -2418,7 +2461,7 @@ static int msi_verify_pkcs7(PKCS7 *p7, GsfInfile *infile,
PKCS7 *p7nest = pkcs7_get_nested_signature(p7, &has_sig); PKCS7 *p7nest = pkcs7_get_nested_signature(p7, &has_sig);
if (p7nest) { if (p7nest) {
int nest_ret = msi_verify_pkcs7(p7nest, infile, exdata, exlen, leafhash, 0, cafile, crlfile, untrusted); int nest_ret = msi_verify_pkcs7(p7nest, infile, exdata, exlen, leafhash, 0, cafile, crlfile, untrusted);
if (ret == 0) if (ret)
ret = nest_ret; ret = nest_ret;
PKCS7_free(p7nest); PKCS7_free(p7nest);
} else if (!p7nest && has_sig) { } else if (!p7nest && has_sig) {
@ -2804,7 +2847,7 @@ static int verify_pe_pkcs7(PKCS7 *p7, char *indata, size_t peheader,
PKCS7 *p7nest = pkcs7_get_nested_signature(p7, &has_sig); PKCS7 *p7nest = pkcs7_get_nested_signature(p7, &has_sig);
if (p7nest) { if (p7nest) {
int nest_ret = verify_pe_pkcs7(p7nest, indata, peheader, pe32plus, sigpos, siglen, leafhash, 0, cafile, crlfile, untrusted); int nest_ret = verify_pe_pkcs7(p7nest, indata, peheader, pe32plus, sigpos, siglen, leafhash, 0, cafile, crlfile, untrusted);
if (ret == 0) if (ret)
ret = nest_ret; ret = nest_ret;
PKCS7_free(p7nest); PKCS7_free(p7nest);
} else if (!p7nest && has_sig) { } else if (!p7nest && has_sig) {
@ -3593,7 +3636,7 @@ int main(int argc, char **argv) {
PKCS7_SIGNER_INFO *si; PKCS7_SIGNER_INFO *si;
ASN1_STRING *astr; ASN1_STRING *astr;
const EVP_MD *md; const EVP_MD *md;
time_t signing_time = (time_t)-1; time_t signing_time = INVALID_TIME;
const char *argv0 = argv[0]; const char *argv0 = argv[0];
static char buf[64*1024]; static char buf[64*1024];