release 2.4

Signed-off-by: Michał Trojnara <Michal.Trojnara@stunnel.org>

.github/workflows/ci.yml

@@ -0,0 +1,131 @@
+name: CI
+
+on:
+  push:
+  pull_request:
+
+env:
+  # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.)
+  BUILD_TYPE: Release
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - triplet: x64-linux
+            os: ubuntu-latest
+            vcpkg_root: /usr/local/share/vcpkg
+          - triplet: x64-osx
+            os: macOS-latest
+            vcpkg_root: /usr/local/share/vcpkg
+            cache: /Users/runner/.cache/vcpkg/archives
+          - triplet: x64-windows
+            arch: x64
+            os: windows-latest
+            vcpkg_root: C:/vcpkg
+            cache: C:/Users/runneradmin/AppData/Local/vcpkg/archives
+          - triplet: x86-windows
+            arch: x86
+            os: windows-latest
+            vcpkg_root: C:/vcpkg
+            cache: C:/Users/runneradmin/AppData/Local/vcpkg/archives
+          - triplet: x64-windows-static
+            arch: x64
+            os: windows-latest
+            vcpkg_root: C:/vcpkg
+            cache: C:/Users/runneradmin/AppData/Local/vcpkg/archives
+
+    runs-on: ${{matrix.os}}
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Cache the vcpkg archives
+      if: matrix.os != 'ubuntu-latest'
+      uses: actions/cache@v3
+      with:
+        path: ${{matrix.cache}}
+        key: ${{matrix.triplet}}-${{hashFiles('vcpkg.json')}}
+        restore-keys: |
+          ${{matrix.triplet}}-${{hashFiles('vcpkg.json')}}
+          ${{matrix.triplet}}-
+
+    - name: Configure VS Toolchain (Windows)
+      if: matrix.os == 'windows-latest'
+      uses: ilammy/msvc-dev-cmd@v1
+      with:
+        arch: ${{matrix.arch}}
+
+    - name: Install apt dependencies (Linux)
+      if: matrix.os == 'ubuntu-latest'
+      run: sudo apt-get install -y libssl-dev libcurl4-openssl-dev faketime
+
+    - name: Setup the oldest supported version of cmake (macOS)
+      if: matrix.os == 'macOS-latest'
+      uses: jwlawson/actions-setup-cmake@v1.12
+      with:
+        cmake-version: '3.17.0'
+
+    - name: Configure CMake (Linux)
+      if: matrix.os == 'ubuntu-latest'
+      run: cmake
+        -S ${{github.workspace}}
+        -B ${{github.workspace}}/build
+        -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
+        -DCMAKE_INSTALL_PREFIX=${{github.workspace}}/dist
+
+    - name: Configure CMake (macOS)
+      if: matrix.os == 'macOS-latest'
+      run: cmake
+        -S ${{github.workspace}}
+        -B ${{github.workspace}}/build
+        -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
+        -DCMAKE_INSTALL_PREFIX=${{github.workspace}}/dist
+        -DCMAKE_TOOLCHAIN_FILE=${{matrix.vcpkg_root}}/scripts/buildsystems/vcpkg.cmake
+        -DVCPKG_TARGET_TRIPLET=${{matrix.triplet}}
+
+    - name: Configure CMake (Windows)
+      if: matrix.os == 'windows-latest'
+      run: cmake
+        -G Ninja
+        -S ${{github.workspace}}
+        -B ${{github.workspace}}/build
+        -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
+        -DCMAKE_INSTALL_PREFIX=${{github.workspace}}/dist
+        -DCMAKE_TOOLCHAIN_FILE=${{matrix.vcpkg_root}}/scripts/buildsystems/vcpkg.cmake
+        -DVCPKG_TARGET_TRIPLET=${{matrix.triplet}}
+
+    - name: Build
+      run: cmake
+        --build ${{github.workspace}}/build
+        --config ${{env.BUILD_TYPE}}
+
+    - name: List files (Linux/macOS)
+      if: matrix.os != 'windows-latest'
+      run: find .. -ls
+
+    - name: List files (Windows)
+      if: matrix.os == 'windows-latest'
+      run: Get-ChildItem -Recurse -Name ..
+
+    - name: Test
+      working-directory: ${{github.workspace}}/build
+      run: ctest -C ${{env.BUILD_TYPE}}
+
+    - name: Upload the errors
+      uses: actions/upload-artifact@v3
+      if: failure()
+      with:
+        name: errors-${{matrix.triplet}}
+        path: ${{github.workspace}}/build/Testing/Temporary/LastTest.log
+
+    - name: Install
+      run: cmake --install ${{github.workspace}}/build
+
+    - name: Upload the executables
+      uses: actions/upload-artifact@v3
+      with:
+        name: osslsigncode-${{matrix.triplet}}
+        path: ${{github.workspace}}/dist

.gitignore

@@ -1,20 +1,20 @@
-.deps
-Makefile
-Makefile.in
-aclocal.m4
-autom4te.cache/
-compile
+build/
+CMakeFiles/
+_CPack_Packages/
+Testing/
+.vs/
+
+CMakeCache.txt
+cmake_install.cmake
 config.h
-config.h.in
-config.h.in~
-config.log
-config.status
-configure
-depcomp
-install-sh
+CPackConfig.cmake
+CPackSourceConfig.cmake
+CTestTestfile.cmake
+install_manifest.txt
+Makefile
 missing
 osslsigncode
-osslsigncode.o
+osslsigncode.exe
 stamp-h1
 
 .#*#
@@ -23,20 +23,20 @@ stamp-h1
 .*.rej
 .*~
 #*#
+*.asc
 *.bak
+*.bz2
 *.d
 *.def
 *.dll
-*.exe
+*.gz
 *.la
 *.lib
 *.lo
 *.orig
+*.pc
 *.pdb
 *.rej
 *.u
 *.rc
-*.pc
 *~
-*.gz
-*.bz2

CMakeLists.txt

@@ -0,0 +1,95 @@
+# required cmake version
+cmake_minimum_required(VERSION 3.17)
+
+# autodetect vcpkg CMAKE_TOOLCHAIN_FILE if VCPKG_ROOT is defined
+# this needs to be configured before the project() directive
+if(DEFINED ENV{VCPKG_ROOT} AND NOT DEFINED CMAKE_TOOLCHAIN_FILE)
+  set(CMAKE_TOOLCHAIN_FILE "$ENV{VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake"
+    CACHE STRING "")
+endif(DEFINED ENV{VCPKG_ROOT} AND NOT DEFINED CMAKE_TOOLCHAIN_FILE)
+set(BUILTIN_SOCKET ON CACHE BOOL "") # for static Python
+
+# configure basic project information
+project(osslsigncode
+  VERSION 2.4
+  DESCRIPTION "OpenSSL based Authenticode signing for PE, CAB, CAT and MSI files"
+  HOMEPAGE_URL "https://github.com/mtrojnar/osslsigncode"
+  LANGUAGES C)
+
+# force nonstandard version format for development packages
+set(DEV "")
+set(PROJECT_VERSION "${PROJECT_VERSION_MAJOR}.${PROJECT_VERSION_MINOR}${DEV}")
+
+# version and contact information
+set(PACKAGE_STRING "${PROJECT_NAME} ${PROJECT_VERSION}")
+set(PACKAGE_BUGREPORT "Michal.Trojnara@stunnel.org")
+
+# specify the C standard
+set(CMAKE_C_STANDARD 11)
+set(CMAKE_C_STANDARD_REQUIRED ON)
+
+# load CMake library modules
+include(FindOpenSSL)
+include(FindCURL)
+
+# load CMake project modules
+set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake")
+include(SetBashCompletion)
+include(FindHeaders)
+
+# define the target
+add_executable(osslsigncode)
+
+# add compiler/linker flags
+include(SetCompilerFlags)
+
+# create and use config.h
+configure_file(Config.h.in config.h)
+target_compile_definitions(osslsigncode PRIVATE HAVE_CONFIG_H=1)
+
+# set sources
+target_sources(osslsigncode PRIVATE osslsigncode.c msi.c)
+if(WIN32)
+  target_sources(osslsigncode PRIVATE applink.c)
+endif(WIN32)
+
+# set include directories
+target_include_directories(osslsigncode PRIVATE "${PROJECT_BINARY_DIR}")
+
+# set OpenSSL includes/libraries
+if(NOT OPENSSL_FOUND)
+  message(FATAL_ERROR "OpenSSL library not found")
+endif(NOT OPENSSL_FOUND)
+target_include_directories(osslsigncode PRIVATE ${OPENSSL_INCLUDE_DIR})
+target_link_libraries(osslsigncode PRIVATE ${OPENSSL_LIBRARIES})
+
+# set cURL includes/libraries
+if(CURL_FOUND)
+  target_compile_definitions(osslsigncode PRIVATE ENABLE_CURL=1)
+  target_include_directories(osslsigncode PRIVATE ${CURL_INCLUDE_DIRS})
+  target_link_libraries(osslsigncode PRIVATE ${CURL_LIBRARIES})
+  message(STATUS "cURL support enabled")
+else(CURL_FOUND)
+  message(STATUS "cURL support disabled (library not found)")
+endif(CURL_FOUND)
+
+# add paths to linker search and installed rpath
+set_target_properties(osslsigncode PROPERTIES INSTALL_RPATH_USE_LINK_PATH TRUE)
+
+# testing with CTest
+include(CMakeTest)
+
+# installation rules for a project
+install(TARGETS osslsigncode RUNTIME DESTINATION ${CMAKE_INSTALL_PREFIX})
+if(WIN32)
+  install(
+    DIRECTORY ${PROJECT_BINARY_DIR}/ DESTINATION ${CMAKE_INSTALL_PREFIX}
+    FILES_MATCHING
+    PATTERN "*.dll"
+    PATTERN "vcpkg_installed" EXCLUDE
+    PATTERN "CMakeFiles" EXCLUDE
+    PATTERN "Testing" EXCLUDE
+  )
+else(WIN32)
+  include(CMakeDist)
+endif(WIN32)

CMakeSettings.json

@@ -0,0 +1,50 @@
+{
+  "configurations": [
+    {
+      "name": "x86-Debug",
+      "generator": "Ninja",
+      "configurationType": "Debug",
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "inheritEnvironments": [ "msvc_x86" ]
+    },
+    {
+      "name": "x86-Release",
+      "generator": "Ninja",
+      "configurationType": "RelWithDebInfo",
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "inheritEnvironments": [ "msvc_x86" ]
+    },
+    {
+      "name": "x64-Debug",
+      "generator": "Ninja",
+      "configurationType": "Debug",
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "inheritEnvironments": [ "msvc_x64_x64" ],
+      "variables": []
+    },
+    {
+      "name": "x64-Release",
+      "generator": "Ninja",
+      "configurationType": "RelWithDebInfo",
+      "buildRoot": "${projectDir}\\out\\build\\${name}",
+      "installRoot": "${projectDir}\\out\\install\\${name}",
+      "cmakeCommandArgs": "",
+      "buildCommandArgs": "",
+      "ctestCommandArgs": "",
+      "inheritEnvironments": [ "msvc_x64_x64" ],
+      "variables": []
+    }
+  ]
+}

Config.h.in

@@ -0,0 +1,12 @@
+/* the configured options and settings for osslsigncode */
+#define VERSION_MAJOR "@osslsigncode_VERSION_MAJOR@"
+#define VERSION_MINOR "@osslsigncode_VERSION_MINOR@"
+#cmakedefine PACKAGE_STRING "@PACKAGE_STRING@"
+#cmakedefine PACKAGE_BUGREPORT "@PACKAGE_BUGREPORT@"
+#cmakedefine ENABLE_CURL
+#cmakedefine HAVE_TERMIOS_H
+#cmakedefine HAVE_GETPASS
+#cmakedefine HAVE_SYS_MMAN_H
+#cmakedefine HAVE_MMAP
+#cmakedefine HAVE_MAPVIEWOFFILE
+#cmakedefine _WIN32

INSTALL.W32.md

@@ -0,0 +1,122 @@
+# osslsigncode Windows install notes
+
+### Building osslsigncode source with MSYS2 MinGW 64-bit and MSYS2 packages:
+
+1) Download and install MSYS2 from https://msys2.github.io/ and follow installation instructions.
+   Once up and running install even mingw-w64-x86_64-gcc, mingw-w64-x86_64-curl.
+```
+  pacman -S mingw-w64-x86_64-gcc mingw-w64-x86_64-curl
+```
+   mingw-w64-x86_64-openssl and mingw-w64-x86_64-zlib packages are installed with dependencies.
+
+2) Run "MSYS2 MinGW 64-bit" and build 64-bit Windows executables.
+```
+  cd osslsigncode-folder
+  x86_64-w64-mingw32-gcc osslsigncode.c msi.c -o osslsigncode.exe \
+    -lcrypto -lssl -lcurl \
+    -D 'PACKAGE_STRING="osslsigncode x.y"' \
+    -D 'PACKAGE_BUGREPORT="Your.Email@example.com"' \
+    -D ENABLE_CURL
+```
+
+3) Run "Command prompt" and include "c:\msys64\mingw64\bin" folder as part of the path.
+```
+  path=%path%;c:\msys64\mingw64\bin
+  cd osslsigncode-folder
+  osslsigncode.exe -v
+  osslsigncode 2.4, using:
+        OpenSSL 1.1.1g  21 Apr 2020 (Library: OpenSSL 1.1.1g  21 Apr 2020)
+        libcurl/7.70.0 OpenSSL/1.1.1g (Schannel) zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0
+        libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.40.0
+```
+
+
+### Building OpenSSL, Curl and osslsigncode sources with MSYS2 MinGW 64-bit:
+
+1) Download and install MSYS2 from https://msys2.github.io/ and follow installation instructions.
+   Once up and running install even: perl make autoconf automake libtool pkg-config.
+```
+  pacman -S perl make autoconf automake libtool pkg-config
+```
+   Make sure there are no curl, brotli, libpsl, libidn2 and nghttp2 packages installed:
+```
+  pacman -R mingw-w64-x86_64-curl \
+    mingw-w64-x86_64-brotli \
+    mingw-w64-x86_64-libpsl \
+    mingw-w64-x86_64-libidn2 \
+    mingw-w64-x86_64-nghttp2
+```
+
+   Run "MSYS2 MinGW 64-bit" in the administrator mode.
+
+2) Build and install OpenSSL.
+```
+  cd openssl-(version)
+  ./config --prefix='C:/OpenSSL' --openssldir='C:/OpenSSL'
+  make && make install
+```
+ 3) Build and install curl.
+```
+  cd curl-(version)
+  ./buildconf
+  ./configure --prefix='C:/curl' --with-ssl='C:/OpenSSL' \
+    --disable-ftp --disable-tftp --disable-file --disable-dict \
+    --disable-telnet --disable-imap --disable-smb --disable-smtp \
+    --disable-gopher --disable-pop --disable-pop3 --disable-rtsp \
+    --disable-ldap --disable-ldaps --disable-unix-sockets \
+    --disable-pthreads --without-zstd --without-zlib
+  make && make install
+```
+
+3) Build 64-bit Windows executables.
+```
+  cd osslsigncode-folder
+  x86_64-w64-mingw32-gcc osslsigncode.c msi.c -o osslsigncode.exe \
+    -L 'C:/OpenSSL/lib/' -lcrypto -lssl \
+    -I 'C:/OpenSSL/include/' \
+    -L 'C:/curl/lib' -lcurl \
+    -I 'C:/curl/include' \
+    -D 'PACKAGE_STRING="osslsigncode x.y"' \
+    -D 'PACKAGE_BUGREPORT="Your.Email@example.com"' \
+    -D ENABLE_CURL
+```
+
+4) Run "Command prompt" and copy required libraries.
+```
+  cd osslsigncode-folder
+  copy C:\OpenSSL\bin\libssl-1_1-x64.dll
+  copy C:\OpenSSL\bin\libcrypto-1_1-x64.dll
+  copy C:\curl\bin\libcurl-4.dll
+
+  osslsigncode.exe -v
+  osslsigncode 2.4, using:
+        OpenSSL 1.1.1k  25 Mar 2021 (Library: OpenSSL 1.1.1k  25 Mar 2021)
+        libcurl/7.78.0 OpenSSL/1.1.1k
+```
+
+### Building OpenSSL, Curl and osslsigncode sources with Microsoft Visual Studio:
+
+1) Install and integrate vcpkg: https://vcpkg.io/en/getting-started.html
+
+2) Git clone osslsigncode: https://github.com/mtrojnar/osslsigncode/
+
+3) Build osslsigncode with GUI or cmake.
+  Navigate to the build directory and run CMake to configure the osslsigncode project
+  and generate a native build system:
+```
+mkdir build && cd build && cmake -S .. -G Ninja -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=[installation directory] -DCMAKE_TOOLCHAIN_FILE=[path to vcpkg]/scripts/buildsystems/vcpkg.cmake
+```
+  Then call that build system to actually compile/link the osslsigncode project:
+```
+  cmake --build .
+```
+
+4) Make tests.
+```
+  ctest -C Release
+```
+
+5) Make install (with administrative privileges if necessary).
+```
+  cmake --install .
+```

LICENSE.txt

@@ -1,7 +1,7 @@
 OpenSSL based Authenticode signing for PE/MSI/Java CAB files.
 
 Copyright (C) 2005-2014 Per Allansson <pallansson@gmail.com>
-Copyright (C) 2018 Michał Trojnara <Michal.Trojnara@stunnel.org>
+Copyright (C) 2018-2022 Michał Trojnara <Michal.Trojnara@stunnel.org>
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

Makefile.am

@@ -1,16 +0,0 @@
-AUTOMAKE_OPTIONS = foreign 1.10
-MAINTAINERCLEANFILES = \
-	config.log config.status \
-	$(srcdir)/Makefile.in \
-	$(srcdir)/config.h.in $(srcdir)/config.h.in~ $(srcdir)/configure \
-	$(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \
-	$(srcdir)/depcomp $(srcdir)/aclocal.m4 $(srcdir)/ylwrap \
-	$(srcdir)/config.guess $(srcdir)/config.sub
-EXTRA_DIST = .gitignore
-
-AM_CFLAGS = $(GSF_CFLAGS) $(OPENSSL_CFLAGS) $(OPTIONAL_LIBCURL_CFLAGS)
-
-bin_PROGRAMS = osslsigncode
-
-osslsigncode_SOURCES = osslsigncode.c
-osslsigncode_LDADD = $(GSF_LIBS) $(OPENSSL_LIBS) $(OPTIONAL_LIBCURL_LIBS)

NEWS.md

@@ -1,3 +1,60 @@
+# osslsigncode change log
+
+### 2.4 (2022.08.02)
+
+- migrated the build system from GNU Autoconf to CMake
+- added the "-h" option to set the cryptographic hash function
+  for the "attach -signature" and "add" commands
+- set the default hash function to "sha256"
+- added the "attach-signature" option to compute and compare the
+  leaf certificate hash for the "add" command
+- renamed the "-st" option "-time" (the old name is accepted for
+  compatibility)
+- updated the "-time" option to also set explicit verification time
+- added the "-ignore-timestamp" option to disable timestamp server
+  signature verification
+- removed the "-timestamp-expiration" option
+- fixed several bugs
+- updated the included documentation
+- enabled additional compiler/linker hardening options
+- added CI based on GitHub Actions
+
+### 2.3 (2022.03.06)
+
+**CRITICAL SECURITY VULNERABILITIES**
+
+This release fixes several critical memory corruption vulnerabilities.
+A malicious attacker could create a file, which, when processed with
+osslsigncode, triggers arbitrary code execution.  Any previous version
+of osslsigncode should be immediately upgraded if the tool is used for
+processing of untrusted files.
+
+- fixed several memory safety issues
+- fixed non-interactive PVK (MSBLOB) key decryption
+- added a bash completion script
+- added CA bundle path auto-detection
+
+### 2.2 (2021.08.15)
+
+- CAT files support (thanks to James McKenzie)
+- MSI support rewritten without libgsf dependency, which allows
+  for handling of all the needed MSI metadata, such as dates
+- "-untrusted" option renamed to "-TSA-CAfile"
+- "-CRLuntrusted" option renamed to "-TSA-CRLfile"
+- numerous bug fixes and improvements
+
+### 2.1 (2020-10-11)
+
+- certificate chain verification support
+- timestamp verification support
+- CRL verification support ("-CRLfile" option)
+- improved CAB signature support
+- nested signatures support
+- user-specified signing time ("-st" option) by vszakats
+- added more tests
+- fixed numerous bugs
+- dropped OpenSSL 1.1.0 support
+
 ### 2.0 (2018-12-04)
 
 - orphaned project adopted by Michał Trojnara

README.md

@@ -1,6 +1,10 @@
 osslsigncode
 ============
 
+## BUILD STATUS
+
+[![CI](https://github.com/mtrojnar/osslsigncode/actions/workflows/ci.yml/badge.svg)](https://github.com/mtrojnar/osslsigncode/actions/workflows/ci.yml)
+
 ## WHAT IS IT?
 
 osslsigncode is a small tool that implements part of the functionality
@@ -19,19 +23,57 @@ tool  would fail. And, so, osslsigncode was born.
 
 ## WHAT CAN IT DO?
 
-It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB and MSI files. It supports
-the equivalent of signtool.exe's "-j javasign.dll -jp low", i.e. add a
-valid signature for a CAB file containing Java files. It supports getting
-the timestamp through a proxy as well. It also supports signature verification,
-removal and extraction.
+It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB, CAT and MSI files.
+It supports the equivalent of signtool.exe's "-j javasign.dll -jp low",
+i.e. add a valid signature for a CAB file containing Java files.
+It supports getting the timestamp through a proxy as well. It also
+supports signature verification, removal and extraction.
 
-## INSTALLATION
+## BUILDING
 
-The usual way:
+This section covers building osslsigncode for [Unix-like](https://en.wikipedia.org/wiki/Unix-like) operating systems.
+See [INSTALL.W32.md](https://github.com/mtrojnar/osslsigncode/blob/master/INSTALL.W32.md) for Windows notes.
+We highly recommend downloading a [release tarball](https://github.com/mtrojnar/osslsigncode/releases) instead of cloning from a git repository.
+
+### Configure, build, make tests and install osslsigncode
+
+* Install prerequisites on a Debian-based distributions, such as Ubuntu:
 ```
-  ./configure
-  make
-  make install
+  sudo apt update && sudo apt install cmake libssl-dev libcurl4-openssl-dev
+```
+* Install prerequisites on macOS with Homebrew:
+```
+  brew install cmake pkg-config openssl@1.1
+  export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig"
+```
+**NOTE:** osslsigncode requires CMake 3.6 or newer.
+
+You may need to use `cmake3` instead of `cmake` to complete the following steps on your system.
+* Navigate to the build directory and run CMake to configure the osslsigncode project
+  and generate a native build system:
+```
+  mkdir build && cd build && cmake ..
+```
+  with specific compile options:
+```
+  -Denable-strict=ON
+  -Denable-pedantic=ON
+```
+* Then call that build system to actually compile/link the osslsigncode project (alias `make`):
+```
+  cmake --build .
+```
+* Make test:
+```
+  ctest -C Release
+```
+* Make install:
+```
+  sudo cmake --install . --prefix "/home/myuser/installdir"
+```
+* Make tarball (simulate autotools' `make dist`):
+```
+  cmake --build . --target package_source
 ```
 
 ## USAGE
@@ -67,7 +109,7 @@ or if you want to add a timestamp as well:
 ```
   osslsigncode sign -certs <cert-file> -key <key-file> \
     -n "Your Application" -i http://www.yourwebsite.com/ \
-    -t http://timestamp.verisign.com/scripts/timstamp.dll \
+    -t http://timestamp.digicert.com \
     -in yourapp.exe -out yourapp-signed.exe
 ```
 You can use a certificate and key stored in a PKCS#12 container:
@@ -85,51 +127,65 @@ To sign a CAB file containing java class files:
 ```
 Only the 'low' parameter is currently supported.
 
+If you want to use PKCS11 token, you should indicate PKCS11 engine and module.
+An example of using osslsigncode with SoftHSM:
+```
+  osslsigncode sign \
+    -pkcs11engine /usr/lib64/engines-1.1/pkcs11.so \
+    -pkcs11module /usr/lib64/pkcs11/libsofthsm2.so \
+    -pkcs11cert 'pkcs11:token=softhsm-token;object=cert' \
+    -key 'pkcs11:token=softhsm-token;object=key' \
+    -in yourapp.exe -out yourapp-signed.exe
+```
+
 You can check that the signed file is correct by right-clicking
 on it in Windows and choose Properties --> Digital Signatures,
 and then choose the signature from the list, and click on
 Details. You should then be presented with a dialog that says
 amongst other things that "This digital signature is OK".
 
-## CONVERTING FROM PVK TO DER
+## UNAUTHENTICATED BLOBS
 
-(This guide was written by Ryan Rubley)
+The "-addUnauthenticatedBlob" parameter adds a 1024-byte unauthenticated blob
+of data to the signature in the same area as the timestamp.  This can be used
+while signing, while timestamping, after a file has been code signed, or by
+itself.  This technique (but not this project) is used by Dropbox, GoToMeeting,
+and Summit Route.
 
-If you've managed to finally find osslsigncode from some searches,
-you're most likely going to have a heck of a time getting your SPC
-and PVK files into the formats osslsigncode wants.
+### Example 1. Sign and add blob to unsigned file
 
-On the computer where you originally purchased your certificate, you
-probably had to use IE to get it. Run IE and select Tools/Internet
-Options from the menu, then under the Content tab, click the Certificates
-button. Under the Personal tab, select your certificate and click the
-Export button. On the second page of the wizard, select the PKCS #7
-Certificate (.P7B) format. This file you export as a *.p7b is what you
-use instead of your *.spc file. It's the same basic thing, in a different format.
-
-For your PVK file, you will need to download a little utility called
-PVK.EXE. This can currently be downloaded at
-
-  http://support.globalsign.net/en/objectsign/PVK.zip
-
-Run:
-```
-  pvk -in foo.pvk -nocrypt -out foo.pem
+```shell
+osslsigncode sign -addUnauthenticatedBlob -pkcs12 yourcert.pfx -pass your_password -n "Your Company" -i https://YourSite.com/ -in srepp.msi -out srepp_added.msi
 ```
 
-This will convert your PVK file to a PEM file.
-From there, you can copy the PEM file to a Linux box, and run:
-```
-  openssl rsa -outform der -in foo.pem -out foo.der
-```
-This will convert your PEM file to a DER file.
+### Example 2. Timestamp and add blob to signed file
 
-You need the *.p7b and *.der files to use osslsigncode, instead of your
-*.spc and *.pvk files.
+```shell
+osslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.digicert.com -in your_signed_file.exe -out out.exe
+```
+
+### Example 3. Add blob to signed and time-stamped file
+
+```shell
+osslsigncode.exe add -addUnauthenticatedBlob -in your_signed_file.exe -out out.exe
+```
+
+### WARNING
+
+This feature allows for doing dumb things.  Be very careful with what you put
+in the unauthenticated blob, as an attacker could modify this.  Do NOT, under
+any circumstances, put a URL here that you will use to download an additional
+file.  If you do do that, you would need to check the newly downloaded file is
+code signed AND that it has been signed with your cert AND that it is the
+version you expect.  You should consider using asymmetrical encryption for the
+data you put in the blob, such that the executable contains the public key to
+decrypt the data.  Basically, be VERY careful.
 
 ## BUGS, QUESTIONS etc.
 
-Send an email to pallansson@gmail.com
+Check whether your your question or suspected bug was already
+discussed on https://github.com/mtrojnar/osslsigncode/issues.
+Otherwise, open a new issue.
 
 BUT, if you have questions related to generating spc files,
 converting between different formats and so on, *please*

README.unauthblob.md

@@ -1,58 +0,0 @@
-# This is NOT the official repo for osslsigncode
-
-This project was copied from osslsigncode 1.7.1 to apply some patches for compiling with cygwin and being able to add unauthenticated blobs.  The official source for the project is at: http://sourceforge.net/projects/osslsigncode/
-
-## Features added
-
-Adds the argument "-addUnauthenticatedBlob" to add a 1024 byte unauthenticated blob of data to the signature in the same area as the timestamp.  This can be used while signing, while timestamping (new `add` command added to allow just time-stamping, after a file has been code signed, or by itself.
-
-Examples:
-```
-# Example 1. Sign and add blob to unsigned file
-osslsigncode sign -addUnauthenticatedBlob -pkcs12 yourcert.pfx -pass your_password -n "Your Company" -i https://YourSite.com/ -in srepp.msi -out srepp_added.msi
-```
-
-```
-# Example 2. Timestamp and add blob to signed file 
-osslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.verisign.com/scripts/timstamp.dll -in your_signed_file.exe -out out.exe
-```
-
-```
-# Example 3. Add blob to signed and time-stamped file 
-osslsigncode.exe add -addUnauthenticatedBlob -in your_signed_file.exe -out out.exe
-```
-
-```
-# Example 4. Sign, timestamp, and add blob
-# Technically you can do this, but this would mean your signing certificate 
-# is on a computer that is connected the Internet, 
-# which means you are doing something wrong, 
-# so I'm not going to show how to do that.
-
-```
-
-This technique (but not this project) is used by Dropbox, GoToMeeting, and Summit Route.  You can read more about this technique here:
-
-- https://tech.dropbox.com/2014/08/tech-behind-dropboxs-new-user-experience-for-mobile/
-- http://blogs.msdn.com/b/ieinternals/archive/2014/09/04/personalizing-installers-using-unauthenticated-data-inside-authenticode-signed-binaries.aspx
-
-## WARNING
-
-The capability this adds can allow you to do dumb things.  Be very careful with what you put in the unauthenticated blob, as an attacker could modify this.  Do NOT under any circumstances put a URL here that you will use to download an additional file.  If you do do that, you would need to check the newly downloaded file is code signed AND that it has been signed with your cert AND that it is the version you expect.  You should consider using asymmetrical encryption for the data you put in the blob, such that the executable contains the public key to decrypt the data.  Basically, be VERY careful.
-
-## Compiling under cygwin
-
-- Ensure you install the development libraries for openssl, libgfs, and curl.
-- Install pkg-config
-- Run
-```
-export SHELLOPTS
-set -o igncr
-./configure
-make
-```
-
-## Download
-
-- Compiled binary for cygwin: https://summitroute.com/downloads/osslsigncode.exe
-- Compiled binary plus all the required DLL's (self-extracting exe): https://summitroute.com/downloads/osslsigncode-cygwin_files.exe

TODO.md

@@ -1,8 +1,5 @@
 - signature extraction/removal/verificaton on MSI/CAB files
-- improved signature verification on PE files
 - clean up / untangle code
 - separate timestamping
-- man page
 - remove mmap usage to increase portability
-- tests
 - fix other stuff marked 'XXX'

applink.c

@@ -0,0 +1,145 @@
+/*
+ * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#define APPLINK_STDIN   1
+#define APPLINK_STDOUT  2
+#define APPLINK_STDERR  3
+#define APPLINK_FPRINTF 4
+#define APPLINK_FGETS   5
+#define APPLINK_FREAD   6
+#define APPLINK_FWRITE  7
+#define APPLINK_FSETMOD 8
+#define APPLINK_FEOF    9
+#define APPLINK_FCLOSE  10      /* should not be used */
+
+#define APPLINK_FOPEN   11      /* solely for completeness */
+#define APPLINK_FSEEK   12
+#define APPLINK_FTELL   13
+#define APPLINK_FFLUSH  14
+#define APPLINK_FERROR  15
+#define APPLINK_CLEARERR 16
+#define APPLINK_FILENO  17      /* to be used with below */
+
+#define APPLINK_OPEN    18      /* formally can't be used, as flags can vary */
+#define APPLINK_READ    19
+#define APPLINK_WRITE   20
+#define APPLINK_LSEEK   21
+#define APPLINK_CLOSE   22
+#define APPLINK_MAX     22      /* always same as last macro */
+
+#ifndef APPMACROS_ONLY
+# include <stdio.h>
+# include <io.h>
+# include <fcntl.h>
+
+# ifdef __BORLANDC__
+   /* _lseek in <io.h> is a function-like macro so we can't take its address */
+#  undef _lseek
+#  define _lseek lseek
+# endif
+
+static void *app_stdin(void)
+{
+    return stdin;
+}
+
+static void *app_stdout(void)
+{
+    return stdout;
+}
+
+static void *app_stderr(void)
+{
+    return stderr;
+}
+
+static int app_feof(FILE *fp)
+{
+    return feof(fp);
+}
+
+static int app_ferror(FILE *fp)
+{
+    return ferror(fp);
+}
+
+static void app_clearerr(FILE *fp)
+{
+    clearerr(fp);
+}
+
+static int app_fileno(FILE *fp)
+{
+    return _fileno(fp);
+}
+
+static int app_fsetmod(FILE *fp, char mod)
+{
+    return _setmode(_fileno(fp), mod == 'b' ? _O_BINARY : _O_TEXT);
+}
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+__declspec(dllexport)
+void **
+# if defined(__BORLANDC__)
+/*
+ * __stdcall appears to be the only way to get the name
+ * decoration right with Borland C. Otherwise it works
+ * purely incidentally, as we pass no parameters.
+ */
+__stdcall
+# else
+__cdecl
+# endif
+#pragma warning(push, 2)
+OPENSSL_Applink(void)
+{
+    static int once = 1;
+    static void *OPENSSL_ApplinkTable[APPLINK_MAX + 1] =
+        { (void *)APPLINK_MAX };
+
+    if (once) {
+        OPENSSL_ApplinkTable[APPLINK_STDIN] = app_stdin;
+        OPENSSL_ApplinkTable[APPLINK_STDOUT] = app_stdout;
+        OPENSSL_ApplinkTable[APPLINK_STDERR] = app_stderr;
+        OPENSSL_ApplinkTable[APPLINK_FPRINTF] = fprintf;
+        OPENSSL_ApplinkTable[APPLINK_FGETS] = fgets;
+        OPENSSL_ApplinkTable[APPLINK_FREAD] = fread;
+        OPENSSL_ApplinkTable[APPLINK_FWRITE] = fwrite;
+        OPENSSL_ApplinkTable[APPLINK_FSETMOD] = app_fsetmod;
+        OPENSSL_ApplinkTable[APPLINK_FEOF] = app_feof;
+        OPENSSL_ApplinkTable[APPLINK_FCLOSE] = fclose;
+
+        OPENSSL_ApplinkTable[APPLINK_FOPEN] = fopen;
+        OPENSSL_ApplinkTable[APPLINK_FSEEK] = fseek;
+        OPENSSL_ApplinkTable[APPLINK_FTELL] = ftell;
+        OPENSSL_ApplinkTable[APPLINK_FFLUSH] = fflush;
+        OPENSSL_ApplinkTable[APPLINK_FERROR] = app_ferror;
+        OPENSSL_ApplinkTable[APPLINK_CLEARERR] = app_clearerr;
+        OPENSSL_ApplinkTable[APPLINK_FILENO] = app_fileno;
+
+        OPENSSL_ApplinkTable[APPLINK_OPEN] = _open;
+        OPENSSL_ApplinkTable[APPLINK_READ] = _read;
+        OPENSSL_ApplinkTable[APPLINK_WRITE] = _write;
+        OPENSSL_ApplinkTable[APPLINK_LSEEK] = _lseek;
+        OPENSSL_ApplinkTable[APPLINK_CLOSE] = _close;
+
+        once = 0;
+    }
+
+    return OPENSSL_ApplinkTable;
+}
+#pragma warning(pop)
+#ifdef __cplusplus
+}
+#endif
+#endif

cmake/CMakeDist.cmake

@@ -0,0 +1,27 @@
+# make dist
+# cmake --build . --target package_source
+
+set(CPACK_PACKAGE_NAME ${PROJECT_NAME})
+set(CPACK_PACKAGE_VERSION ${PROJECT_VERSION})
+set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "OpenSSL based Authenticode signing for PE, CAB, CAT and MSI files")
+set(CPACK_PACKAGE_INSTALL_DIRECTORY ${CPACK_PACKAGE_NAME})
+set(CPACK_RESOURCE_FILE_README "${CMAKE_CURRENT_SOURCE_DIR}/README.md")
+set(CPACK_RESOURCE_FILE_LICENSE "${CMAKE_CURRENT_SOURCE_DIR}/COPYING.txt")
+set(CPACK_SOURCE_PACKAGE_FILE_NAME "${CPACK_PACKAGE_NAME}-${CPACK_PACKAGE_VERSION}")
+set(CPACK_SOURCE_GENERATOR "TGZ")
+set(CPACK_SOURCE_IGNORE_FILES "\.git/;\.gitignore")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "Makefile")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CMakeCache.txt")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CMakeFiles")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CPackConfig.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CPackSourceConfig.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "CTestTestfile.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "cmake_install.cmake")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "config.h")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/CMakeFiles/")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/Testing/")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/_CPack_Packages/")
+list(APPEND CPACK_SOURCE_IGNORE_FILES "/build/")
+
+include(CPack)
+add_custom_target(dist COMMAND ${CMAKE_MAKE_PROGRAM} package_source)

cmake/CMakeTest.cmake

@@ -0,0 +1,298 @@
+# make test
+# ctest -C Release
+
+include(FindPython3)
+enable_testing()
+
+set(FILES "${PROJECT_BINARY_DIR}/Testing/files")
+set(CERTS "${PROJECT_BINARY_DIR}/Testing/certs")
+set(CONF "${PROJECT_BINARY_DIR}/Testing/conf")
+
+file(COPY
+  "${CMAKE_CURRENT_SOURCE_DIR}/tests/files"
+  "${CMAKE_CURRENT_SOURCE_DIR}/tests/conf"
+  "${CMAKE_CURRENT_SOURCE_DIR}/tests/tsa_server.py"
+  DESTINATION "${PROJECT_BINARY_DIR}/Testing"
+)
+
+file(COPY
+  "${CMAKE_CURRENT_SOURCE_DIR}/tests/certs/ca-bundle.crt"
+  DESTINATION "${CONF}"
+)
+
+set(priv_p12 "-pkcs12" "${CERTS}/cert.p12" "-readpass" "${CERTS}/password.txt")
+set(priv_spc "-certs" "${CERTS}/cert.spc" "-key" "${CERTS}/key.pvk" "-pass" "passme")
+set(priv_der "-certs" "${CERTS}/cert.pem" "-key" "${CERTS}/key.der" "-pass" "passme")
+set(priv_pkey "-certs" "${CERTS}/cert.pem" "-key" "${CERTS}/keyp.pem" "-pass" "passme")
+set(sign_opt "-time" "1556708400"
+  "-add-msi-dse" "-comm" "-ph" "-jp" "low"
+  "-h" "sha512" "-i" "https://www.osslsigncode.com/"
+  "-n" "osslsigncode" "-ac" "${CERTS}/crosscert.pem"
+)
+
+if(NOT CMAKE_HOST_WIN32)
+  execute_process(
+    COMMAND "${CONF}/makecerts.sh"
+    WORKING_DIRECTORY ${CONF}
+    OUTPUT_VARIABLE makecerts_output
+    RESULT_VARIABLE makecerts_result
+  )
+else()
+  set(makecerts_result 1)
+endif()
+if(makecerts_result)
+  message(STATUS "makecerts.sh failed")
+  if(makecerts_output)
+    message(STATUS "${makecerts_output}")
+  endif()
+  file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/tests/certs"
+    DESTINATION "${PROJECT_BINARY_DIR}/Testing"
+  )
+endif()
+
+execute_process(
+  COMMAND ${CMAKE_COMMAND} -E sha256sum "${CERTS}/cert.der"
+  OUTPUT_VARIABLE sha256sum
+)
+string(SUBSTRING ${sha256sum} 0 64 leafhash)
+set(verify_opt "-CAfile" "${CERTS}/CACert.pem"
+  "-CRLfile" "${CERTS}/CACertCRL.pem"
+  "-TSA-CAfile" "${CERTS}/TSACA.pem"
+)
+set(extensions_4 "exe" "ex_" "msi" "cat")
+set(extensions_3 "exe" "ex_" "msi")
+set(files_4 "signed" "nested" "added")
+set(files_3 "removed" "attached_pem" "attached_der")
+set(sign_formats "pem" "der")
+set(pem_certs "cert" "expired" "revoked")
+set(failed_certs "expired" "revoked")
+
+add_test(
+  NAME version
+  COMMAND osslsigncode --version
+)
+
+foreach(ext ${extensions_4})
+  # Signing time: May  1 00:00:00 2019 GMT
+  set(sign_${ext} )
+  add_test(
+    NAME signed_${ext}
+    COMMAND osslsigncode "sign" ${sign_opt} ${priv_p12}
+      "-in" "${FILES}/unsigned.${ext}" "-out" "${FILES}/signed.${ext}"
+  )
+endforeach()
+
+foreach(ext ${extensions_3})
+  add_test(
+    NAME removed_${ext}
+    COMMAND osslsigncode "remove-signature"
+      "-in" "${FILES}/signed.${ext}" "-out" "${FILES}/removed.${ext}"
+  )
+endforeach()
+
+foreach(ext ${extensions_3})
+  add_test(
+    NAME extract_pem_${ext}
+    COMMAND osslsigncode "extract-signature" "-pem"
+      "-in" "${FILES}/signed.${ext}" "-out" "${FILES}/${ext}.pem"
+  )
+endforeach()
+
+foreach(ext ${extensions_3})
+  add_test(
+    NAME extract_der_${ext}
+    COMMAND osslsigncode "extract-signature"
+      "-in" "${FILES}/signed.${ext}" "-out" "${FILES}/${ext}.der"
+  )
+endforeach()
+
+foreach(ext ${extensions_3})
+  set_tests_properties(removed_${ext} extract_pem_${ext} extract_der_${ext}
+    PROPERTIES DEPENDS sign_${ext}
+    REQUIRED_FILES "${FILES}/signed.${ext}"
+  )
+endforeach()
+
+foreach(ext ${extensions_3})
+  foreach(format ${sign_formats})
+    # Signature verification time: Sep  1 00:00:00 2019 GMT
+    add_test(
+      NAME attached_${format}_${ext}
+      COMMAND osslsigncode "attach-signature" ${verify_opt}
+        "-time" "1567296000"
+        "-require-leaf-hash" "SHA256:${leafhash}"
+        "-add-msi-dse" "-h" "sha512" "-nest"
+        "-sigin" "${FILES}/${ext}.${format}"
+        "-in" "${FILES}/signed.${ext}" "-out" "${FILES}/attached_${format}.${ext}"
+      )
+      set_tests_properties(attached_${format}_${ext} PROPERTIES
+        DEPENDS extract_pem_${ext}
+        REQUIRED_FILES "${FILES}/signed.${ext}"
+        REQUIRED_FILES "${FILES}/${ext}.${format}"
+      )
+  endforeach()
+endforeach()
+
+foreach(ext ${extensions_4})
+  add_test(
+    NAME added_${ext}
+    COMMAND osslsigncode "add"
+      "-addUnauthenticatedBlob" "-add-msi-dse" "-h" "sha512"
+      "-in" "${FILES}/signed.${ext}" "-out" "${FILES}/added.${ext}"
+  )
+  set_tests_properties(added_${ext} PROPERTIES
+    DEPENDS sign_${ext}
+    REQUIRED_FILES "${FILES}/signed.${ext}"
+  )
+endforeach()
+
+foreach(ext ${extensions_4})
+  add_test(
+    NAME nested_${ext}
+    COMMAND osslsigncode "sign" "-nest" ${sign_opt} ${priv_der}
+      "-in" "${FILES}/signed.${ext}" "-out" "${FILES}/nested.${ext}"
+  )
+  set_tests_properties(nested_${ext} PROPERTIES
+    DEPENDS sign_${ext}
+    REQUIRED_FILES "${FILES}/signed.${ext}"
+  )
+endforeach()
+
+
+foreach(file ${files_4})
+  foreach(ext ${extensions_4})
+    # Signature verification time: Sep  1 00:00:00 2019 GMT
+    add_test(
+      NAME verify_${file}_${ext}
+      COMMAND osslsigncode "verify" ${verify_opt}
+        "-time" "1567296000"
+        "-require-leaf-hash" "SHA256:${leafhash}"
+        "-in" "${FILES}/${file}.${ext}"
+    )
+    set_tests_properties(verify_${file}_${ext} PROPERTIES
+      DEPENDS ${file}_${ext}
+      REQUIRED_FILES "${FILES}/${file}.${ext}"
+    )
+  endforeach()
+endforeach()
+
+foreach(file ${files_3})
+  foreach(ext ${extensions_3})
+    # Signature verification time: Sep  1 00:00:00 2019 GMT
+    add_test(
+      NAME verify_${file}_${ext}
+      COMMAND osslsigncode "verify" ${verify_opt}
+        "-time" "1567296000"
+        "-require-leaf-hash" "SHA256:${leafhash}"
+        "-in" "${FILES}/${file}.${ext}"
+    )
+    set_tests_properties(verify_${file}_${ext} PROPERTIES
+      DEPENDS ${file}_${ext}
+      REQUIRED_FILES "${FILES}/${file}.${ext}"
+    )
+  endforeach()
+endforeach()
+
+foreach(ext ${extensions_3})
+  set_tests_properties(verify_removed_${ext} PROPERTIES
+    WILL_FAIL TRUE
+  )
+endforeach()
+
+
+if(Python3_FOUND)
+  foreach(ext ${extensions_4})
+    foreach(cert ${pem_certs})
+      add_test(
+        NAME sign_ts_${cert}_${ext}
+        COMMAND ${Python3_EXECUTABLE} "${PROJECT_BINARY_DIR}/Testing/tsa_server.py"
+          "--certs" "${CERTS}/${cert}.pem" "--key" "${CERTS}/key.pem"
+          "--input" "${FILES}/unsigned.${ext}" "--output" "${FILES}/ts_${cert}.${ext}"
+      )
+    endforeach()
+  endforeach()
+
+  foreach(ext ${extensions_4})
+    # Signature verification time: Sep  1 00:00:00 2019 GMT
+    add_test(
+      NAME verify_ts_cert_${ext}
+      COMMAND osslsigncode "verify" ${verify_opt}
+        "-time" "1567296000"
+        "-in" "${FILES}/ts_cert.${ext}"
+    )
+    set_tests_properties(verify_ts_cert_${ext} PROPERTIES
+      DEPENDS sign_ts_${cert}_${ext}
+      REQUIRED_FILES "${FILES}/ts_cert.${ext}"
+    )
+  endforeach()
+
+  # Signature verification time: Jan  1 00:00:00 2035 GMT
+  foreach(ext ${extensions_4})
+    add_test(
+      NAME verify_ts_future_${ext}
+      COMMAND osslsigncode "verify" ${verify_opt}
+        "-time" "2051222400"
+        "-in" "${FILES}/ts_cert.${ext}"
+    )
+    set_tests_properties(verify_ts_future_${ext} PROPERTIES
+      DEPENDS sign_ts_${cert}_${ext}
+      REQUIRED_FILES "${FILES}/ts_cert.${ext}"
+    )
+  endforeach()
+
+  # Signature verification time: Jan  1 00:00:00 2035 GMT
+  # enabled "-ignore-timestamp" option
+  foreach(ext ${extensions_4})
+    add_test(
+      NAME verify_ts_ignore_${ext}
+      COMMAND osslsigncode "verify" ${verify_opt}
+        "-time" "2051222400"
+        "-ignore-timestamp"
+        "-in" "${FILES}/ts_cert.${ext}"
+    )
+    set_tests_properties(verify_ts_ignore_${ext} PROPERTIES
+      DEPENDS sign_ts_${cert}_${ext}
+      REQUIRED_FILES "${FILES}/ts_cert.${ext}"
+      WILL_FAIL TRUE
+    )
+  endforeach()
+
+  # Signature verification time: Sep  1 00:00:00 2019 GMT
+  # Certificate has expired or revoked
+  foreach(ext ${extensions_4})
+    foreach(cert ${failed_certs})
+      add_test(
+        NAME verify_ts_${cert}_${ext}
+        COMMAND osslsigncode "verify" ${verify_opt}
+          "-time" "1567296000"
+          "-in" "${FILES}/ts_${cert}.${ext}"
+      )
+      set_tests_properties(verify_ts_${cert}_${ext} PROPERTIES
+        DEPENDS sign_ts_${cert}_${ext}
+        REQUIRED_FILES "${FILES}/ts_${cert}.${ext}"
+        WILL_FAIL TRUE
+      )
+    endforeach()
+  endforeach()
+
+else()
+  message(STATUS "Python3 was not found, skip timestamping tests")
+endif()
+
+foreach(ext ${extensions_4})
+  set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed.${ext}")
+  set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/nested.${ext}")
+  set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/removed.${ext}")
+  set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/added.${ext}")
+  foreach(cert ${pem_certs})
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/ts_${cert}.${ext}")
+  endforeach()
+  foreach(format ${sign_formats})
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}")
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}")
+    set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/attached_${format}.${ext}")
+  endforeach()
+  set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jreq.tsq")
+  set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jresp.tsr")
+endforeach()
+add_test(NAME remove_files COMMAND ${CMAKE_COMMAND} -E rm -f ${OUTPUT_FILES})

cmake/FindHeaders.cmake

@@ -0,0 +1,22 @@
+include(CheckIncludeFile)
+include(CheckFunctionExists)
+
+if(NOT MSVC)
+  check_function_exists(getpass HAVE_GETPASS)
+  check_include_file(termios.h HAVE_TERMIOS_H)
+  check_include_file(sys/mman.h HAVE_SYS_MMAN_H)
+  if(HAVE_SYS_MMAN_H)
+    check_function_exists(mmap HAVE_MMAP)
+    if(NOT HAVE_MMAP)
+      message(FATAL_ERROR "Error: Need mmap to build.")
+    endif()
+  endif()
+endif()
+
+# include wincrypt.h in Windows.h
+if(MSVC AND NOT CYGWIN)
+  check_include_file(windows.h HAVE_MAPVIEWOFFILE)
+  if(NOT (HAVE_MMAP OR HAVE_MAPVIEWOFFILE))
+    message(FATAL_ERROR "Error: Need file mapping function to build.")
+  endif()
+endif()

cmake/SetBashCompletion.cmake

@@ -0,0 +1,13 @@
+if(NOT MSVC)
+  find_package(bash-completion QUIET)
+  if(NOT BASH_COMPLETION_COMPLETIONSDIR)
+    if(BASH_COMPLETION_COMPATDIR)
+      set(BASH_COMPLETION_COMPLETIONSDIR ${BASH_COMPLETION_COMPATDIR})
+    else()
+      set(SHAREDIR "${CMAKE_INSTALL_PREFIX}/share")
+      set(BASH_COMPLETION_COMPLETIONSDIR "${SHAREDIR}/bash-completion/completions")
+    endif()
+  endif()
+  message(STATUS "Using bash completions dir ${BASH_COMPLETION_COMPLETIONSDIR}")
+  install(FILES "osslsigncode.bash" DESTINATION ${BASH_COMPLETION_COMPLETIONSDIR})
+endif()

cmake/SetCompilerFlags.cmake

@@ -0,0 +1,111 @@
+include(CheckCCompilerFlag)
+
+set(CMAKE_REQUIRED_QUIET ON)
+
+function(add_debug_flag_if_supported flagname targets)
+  check_c_compiler_flag("${flagname}" HAVE_FLAG_${flagname})
+  if (HAVE_FLAG_${flagname})
+    foreach(target ${targets})
+      target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:${flagname}>)
+    endforeach()
+  endif()
+endfunction()
+
+function(add_compile_flag_to_targets targets)
+  set(CHECKED_DEBUG_FLAGS
+    "-ggdb"
+    "-g"
+    "-O2"
+    "-pedantic"
+    "-Wall"
+    "-Wextra"
+    "-Wno-long-long"
+    "-Wconversion"
+    "-D_FORTIFY_SOURCE=2"
+    "-Wformat=2"
+    "-Wredundant-decls"
+    "-Wcast-qual"
+    "-Wnull-dereference"
+    "-Wno-deprecated-declarations"
+    "-Wmissing-declarations"
+    "-Wmissing-prototypes"
+    "-Wmissing-noreturn"
+    "-Wmissing-braces"
+    "-Wparentheses"
+    "-Wstrict-aliasing=3"
+    "-Wstrict-overflow=2"
+    "-Wlogical-op"
+    "-Wwrite-strings"
+    "-Wcast-align=strict"
+    "-Wdisabled-optimization"
+    "-Wshift-overflow=2"
+    "-Wundef"
+    "-Wshadow"
+    "-Wmisleading-indentation"
+    "-Wabsolute-value"
+    "-Wunused-parameter"
+    "-Wunused-function"
+  )
+  foreach(flag ${CHECKED_DEBUG_FLAGS})
+    add_debug_flag_if_supported(${flag} ${targets})
+  endforeach()
+endfunction()
+
+function(add_compile_flags target)
+  if(MSVC)
+    # Enable parallel builds
+    target_compile_options(${target} PRIVATE /MP)
+    # Use address space layout randomization, generate PIE code for ASLR (default on)
+    target_link_options(${target} PRIVATE /DYNAMICBASE)
+    # Create terminal server aware application (default on)
+    target_link_options(${target} PRIVATE /TSAWARE)
+    # Mark the binary as compatible with Intel Control-flow Enforcement Technology (CET) Shadow Stack
+    target_link_options(${target} PRIVATE /CETCOMPAT)
+    # Enable compiler generation of Control Flow Guard security checks
+    target_compile_options(${target} PRIVATE /guard:cf)
+    target_link_options(${target} PRIVATE /guard:cf)
+    # Buffer Security Check
+    target_compile_options(${target} PRIVATE /GS)
+    # Suppress startup banner
+    target_link_options(${target} PRIVATE /NOLOGO)
+    # Generate debug info
+    target_link_options(${target} PRIVATE /DEBUG)
+    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
+      # High entropy ASLR for 64 bits targets (default on)
+      target_link_options(${target} PRIVATE /HIGHENTROPYVA)
+      # Enable generation of EH Continuation (EHCONT) metadata by the compiler
+      #target_compile_options(${target} PRIVATE /guard:ehcont)
+      #target_link_options(${target} PRIVATE /guard:ehcont)
+    else()
+      # Can handle addresses larger than 2 gigabytes
+      target_link_options(${target} PRIVATE /LARGEADDRESSAWARE)
+      # Safe structured exception handlers (x86 only)
+      target_link_options(${target} PRIVATE /SAFESEH)
+    endif()
+    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:/D_FORTIFY_SOURCE=2>)
+    # Unrecognized compiler options are errors
+    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:/options:strict>)
+  else()
+    check_c_compiler_flag("-fstack-protector-all"  HAVE_STACK_PROTECTOR_ALL)
+    if(HAVE_STACK_PROTECTOR_ALL)
+      target_link_options(${target} PRIVATE -fstack-protector-all)
+    else()
+      check_c_compiler_flag("-fstack-protector"    HAVE_STACK_PROTECTOR)
+      if(HAVE_STACK_PROTECTOR)
+        target_link_options(${target} PRIVATE -fstack-protector)
+      else()
+        message(WARNING "No stack protection supported")
+      endif()
+    endif()
+    # Support address space layout randomization (ASLR)
+    target_compile_options(${target} PRIVATE $<$<NOT:$<C_COMPILER_ID:AppleClang>>:-fPIE>)
+    target_link_options(${target} PRIVATE $<$<NOT:$<C_COMPILER_ID:AppleClang>>:-fPIE -pie>)
+    target_link_options(${target} PRIVATE $<$<NOT:$<C_COMPILER_ID:AppleClang>>:-Wl,-z,relro>)
+    target_link_options(${target} PRIVATE $<$<NOT:$<C_COMPILER_ID:AppleClang>>:-Wl,-z,now>)
+    target_link_options(${target} PRIVATE $<$<NOT:$<C_COMPILER_ID:AppleClang>>:-Wl,-z,noexecstack>)
+    target_link_options(${target} PRIVATE -fstack-check)
+    add_compile_flag_to_targets(${target})
+  endif()
+endfunction()
+
+add_compile_flags(osslsigncode)

configure.ac

@@ -1,136 +0,0 @@
-AC_PREREQ(2.60)
-
-AC_INIT([osslsigncode], [1.7.1], [pallansson@gmail.com])
-AC_CONFIG_AUX_DIR([.])
-AC_CONFIG_HEADERS([config.h])
-AM_INIT_AUTOMAKE
-
-AC_CONFIG_SRCDIR([osslsigncode.c])
-
-dnl Checks for programs.
-AC_PROG_CC
-AC_USE_SYSTEM_EXTENSIONS
-
-AC_ARG_ENABLE(
-	[strict],
-	[AS_HELP_STRING([--enable-strict],[enable strict compile mode @<:@disabled@:>@])],
-	,
-	[enable_strict="no"]
-)
-
-AC_ARG_ENABLE(
-	[pedantic],
-	[AS_HELP_STRING([--enable-pedantic],[enable pedantic compile mode @<:@disabled@:>@])],
-	,
-	[enable_pedantic="no"]
-)
-
-AC_ARG_WITH(
-	[curl],
-	[AS_HELP_STRING([--with-curl],[enable curl @<:@enabled@:>@])],
-	,
-	[with_curl="yes"]
-)
-
-if test "${enable_pedantic}" = "yes"; then
-	enable_strict="yes";
-	CFLAGS="${CFLAGS} -pedantic"
-fi
-if test "${enable_strict}" = "yes"; then
-	CFLAGS="${CFLAGS} -Wall -Wextra"
-fi
-
-PKG_PROG_PKG_CONFIG
-AC_PROG_CPP
-AC_PROG_INSTALL
-AC_PROG_LN_S
-AC_PROG_MKDIR_P
-AC_PROG_SED
-AC_PROG_MAKE_SET
-
-AC_C_CONST
-AC_HEADER_STDC
-AC_HEADER_TIME
-AC_CHECK_HEADERS(
-	[sys/mman.h],
-	[AC_CHECK_FUNC(
-		[mmap],
-		[AC_DEFINE(HAVE_MMAP, [1], [Define to 1 if you have mmap])],
-		[AC_MSG_ERROR([Need mmap to build.])]
-	)],
-	[have_mmap=no]
-)
-AC_CHECK_HEADERS(
-	[windows.h],
-	[],
-	[have_MapViewOfFile=no]
-)
-AS_IF([test "x$have_mmap$have_MapViewOfFile" = "xnono"],
-	[AC_MSG_ERROR([Need file mapping function to buid.])])
-
-AC_CHECK_LIB(
-	[dl],
-	[dlopen],
-	[DL_LIBS="-ldl"]
-)
-
-AC_CHECK_HEADERS([termios.h])
-AC_CHECK_FUNCS(getpass)
-
-AC_ARG_WITH([gsf],
-        AS_HELP_STRING([--without-gsf], [Ignore presence of libgsf and disable it])
-)
-AS_IF([test "x$with_gsf" != "xno"],
-        [PKG_CHECK_MODULES([GSF], [libgsf-1], [have_gsf=yes], [have_gsf=no])],
-        [have_gsf=no]
-)
-AS_IF([test "x$have_gsf" = "xyes"],
-        [AC_DEFINE([WITH_GSF], 1, [Have libgsf?])],
-        [AS_IF([test "x$with_gsf" = "xyes"],
-                [AC_MSG_ERROR([libgsf requested but not found])])]
-)
-
-
-PKG_CHECK_MODULES(
-	[OPENSSL],
-	[libcrypto >= 1.1.0],
-	,
-	[PKG_CHECK_MODULES(
-		[OPENSSL],
-		[openssl >= 1.1.0],
-		,
-		[AC_CHECK_LIB(
-			[crypto],
-			[RSA_verify],
-			[OPENSSL_LIBS="-lcrypto ${SOCKETS_LIBS} ${DL_LIBS}"],
-			[AC_MSG_ERROR([OpenSSL 1.1.0 or later is required. http://www.openssl.org/])],
-			[${DL_LIBS}]
-		)]
-	)]
-)
-
-PKG_CHECK_MODULES(
-	[LIBCURL],
-	[libcurl >= 7.12.0],
-	,
-	[AC_CHECK_LIB(
-		[curl],
-		[curl_easy_strerror],
-		[LIBCURL_LIBS="-lcurl"],
-		,
-		[${DL_LIBS}]
-	)]
-)
-
-if test "${with_curl}" = "yes"; then
-	test -z "${LIBCURL_LIBS}" && AC_MSG_ERROR([Curl 7.12.0 or later is required for timestamping support. http://curl.haxx.se/])
-	OPTIONAL_LIBCURL_CFLAGS="${LIBCURL_CFLAGS}"
-	OPTIONAL_LIBCURL_LIBS="${LIBCURL_LIBS}"
-	AC_DEFINE([ENABLE_CURL], [1], [libcurl is enabled])
-fi
-
-AC_SUBST([OPTIONAL_LIBCURL_CFLAGS])
-AC_SUBST([OPTIONAL_LIBCURL_LIBS])
-
-AC_CONFIG_FILES([Makefile])
-AC_OUTPUT

msi.h

@@ -0,0 +1,238 @@
+/*
+ * MSI file support library
+ *
+ * Copyright (C) 2021 Michał Trojnara <Michal.Trojnara@stunnel.org>
+ * Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+ *
+ * Reference specifications:
+ * http://en.wikipedia.org/wiki/Compound_File_Binary_Format
+ * https://msdn.microsoft.com/en-us/library/dd942138.aspx
+ * https://github.com/microsoft/compoundfilereader
+ */
+
+#include <stdint.h>
+#include <openssl/safestack.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+
+#define MAXREGSECT       0xfffffffa   /* maximum regular sector number */
+#define DIFSECT          0xfffffffc   /* specifies a DIFAT sector in the FAT */
+#define FATSECT          0xfffffffd   /* specifies a FAT sector in the FAT */
+#define ENDOFCHAIN       0xfffffffe   /* end of a linked chain of sectors */
+#define NOSTREAM         0xffffffff   /* terminator or empty pointer */
+#define FREESECT         0xffffffff   /* empty unallocated free sectors */
+
+#define DIR_UNKNOWN      0
+#define DIR_STORAGE      1
+#define DIR_STREAM       2
+#define DIR_ROOT         5
+
+#define RED_COLOR        0
+#define BLACK_COLOR      1
+
+#define DIFAT_IN_HEADER             109
+#define MINI_STREAM_CUTOFF_SIZE     0x00001000 /* 4096 bytes */
+#define HEADER_SIZE                 0x200  /* 512 bytes, independent of sector size */
+#define MAX_SECTOR_SIZE             0x1000 /* 4096 bytes */
+
+#define HEADER_SIGNATURE            0x00   /* 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 */
+#define HEADER_CLSID                0x08   /* reserved and unused */
+#define HEADER_MINOR_VER            0x18   /* SHOULD be set to 0x003E */
+#define HEADER_MAJOR_VER            0x1a   /* MUST be set to either 0x0003 (version 3) or 0x0004 (version 4) */
+#define HEADER_BYTE_ORDER           0x1c   /* 0xfe 0xff == Intel Little Endian */
+#define HEADER_SECTOR_SHIFT         0x1e   /* MUST be set to 0x0009, or 0x000c */
+#define HEADER_MINI_SECTOR_SHIFT    0x20   /* MUST be set to 0x0006 */
+#define RESERVED                    0x22   /* reserved and unused */
+#define HEADER_DIR_SECTORS_NUM      0x28
+#define HEADER_FAT_SECTORS_NUM      0x2c
+#define HEADER_DIR_SECTOR_LOC       0x30
+#define HEADER_TRANSACTION          0x34
+#define HEADER_MINI_STREAM_CUTOFF   0x38   /* 4096 bytes */
+#define HEADER_MINI_FAT_SECTOR_LOC  0x3c
+#define HEADER_MINI_FAT_SECTORS_NUM 0x40
+#define HEADER_DIFAT_SECTOR_LOC     0x44
+#define HEADER_DIFAT_SECTORS_NUM    0x48
+#define HEADER_DIFAT                0x4c
+
+#define DIRENT_SIZE                 0x80   /* 128 bytes */
+#define DIRENT_MAX_NAME_SIZE        0x40   /* 64 bytes */
+
+#define DIRENT_NAME                 0x00
+#define DIRENT_NAME_LEN             0x40   /* length in bytes incl 0 terminator */
+#define DIRENT_TYPE                 0x42
+#define DIRENT_COLOUR               0x43
+#define DIRENT_LEFT_SIBLING_ID      0x44
+#define DIRENT_RIGHT_SIBLING_ID     0x48
+#define DIRENT_CHILD_ID             0x4c
+#define DIRENT_CLSID                0x50
+#define DIRENT_STATE_BITS           0x60
+#define DIRENT_CREATE_TIME          0x64
+#define DIRENT_MODIFY_TIME          0x6c
+#define DIRENT_START_SECTOR_LOC     0x74
+#define DIRENT_FILE_SIZE            0x78
+
+#define GET_UINT8_LE(p) ((const u_char *)(p))[0]
+
+#define GET_UINT16_LE(p) (uint16_t)(((const u_char *)(p))[0] | \
+                                   (((const u_char *)(p))[1] << 8))
+
+#define GET_UINT32_LE(p) (uint32_t)(((const u_char *)(p))[0] | \
+                                   (((const u_char *)(p))[1] << 8) | \
+			                       (((const u_char *)(p))[2] << 16) | \
+			                       (((const u_char *)(p))[3] << 24))
+
+#define PUT_UINT8_LE(i, p) ((u_char *)(p))[0] = (u_char)((i) & 0xff);
+
+#define PUT_UINT16_LE(i,p) ((u_char *)(p))[0] = (u_char)((i) & 0xff); \
+	                       ((u_char *)(p))[1] = (u_char)(((i) >> 8) & 0xff)
+
+#define PUT_UINT32_LE(i,p) ((u_char *)(p))[0] = (u_char)((i) & 0xff); \
+                           ((u_char *)(p))[1] = (u_char)(((i) >> 8) & 0xff); \
+                           ((u_char *)(p))[2] = (u_char)(((i) >> 16) & 0xff); \
+                           ((u_char *)(p))[3] = (u_char)(((i) >> 24) & 0xff)
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+#define SIZE_64K 65536			/* 2^16 */
+#define SIZE_16M 16777216		/* 2^24 */
+
+typedef unsigned char u_char;
+
+typedef struct {
+	u_char signature[8];      /* 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 */
+	u_char unused_clsid[16];  /* reserved and unused */
+	uint16_t minorVersion;
+	uint16_t majorVersion;
+	uint16_t byteOrder;
+	uint16_t sectorShift;     /* power of 2 */
+	uint16_t miniSectorShift; /* power of 2 */
+	u_char reserved[6];       /* reserved and unused */
+	uint32_t numDirectorySector;
+	uint32_t numFATSector;
+	uint32_t firstDirectorySectorLocation;
+	uint32_t transactionSignatureNumber; /* reserved */
+	uint32_t miniStreamCutoffSize;
+	uint32_t firstMiniFATSectorLocation;
+	uint32_t numMiniFATSector;
+	uint32_t firstDIFATSectorLocation;
+	uint32_t numDIFATSector;
+	uint32_t headerDIFAT[DIFAT_IN_HEADER];
+} MSI_FILE_HDR;
+
+typedef struct {
+	u_char name[DIRENT_MAX_NAME_SIZE];
+	uint16_t nameLen;
+	uint8_t type;
+	uint8_t colorFlag;
+	uint32_t leftSiblingID;
+	uint32_t rightSiblingID;
+	uint32_t childID;
+	u_char clsid[16];
+	u_char stateBits[4];
+	u_char creationTime[8];
+	u_char modifiedTime[8];
+	uint32_t startSectorLocation;
+	u_char size[8];
+} MSI_ENTRY;
+
+typedef struct msi_dirent_struct {
+	u_char name[DIRENT_MAX_NAME_SIZE];
+	uint16_t nameLen;
+	uint8_t type;
+	MSI_ENTRY *entry;
+	STACK_OF(MSI_DIRENT) *children;
+	struct msi_dirent_struct *next; /* for cycle detection */
+} MSI_DIRENT;
+
+DEFINE_STACK_OF(MSI_DIRENT)
+
+typedef struct {
+	const u_char *m_buffer;
+	uint32_t m_bufferLen;
+	MSI_FILE_HDR *m_hdr;
+	uint32_t m_sectorSize;
+	uint32_t m_minisectorSize;
+	uint32_t m_miniStreamStartSector;
+} MSI_FILE;
+
+typedef struct {
+	char *header;
+	char *ministream;
+	char *minifat;
+	char *fat;
+	uint32_t dirtreeLen;
+	uint32_t miniStreamLen;
+	uint32_t minifatLen;
+	uint32_t fatLen;
+	uint32_t ministreamsMemallocCount;
+	uint32_t minifatMemallocCount;
+	uint32_t fatMemallocCount;
+	uint32_t dirtreeSectorsCount;
+	uint32_t minifatSectorsCount;
+	uint32_t fatSectorsCount;
+	uint32_t miniSectorNum;
+	uint32_t sectorNum;
+	uint32_t sectorSize;
+} MSI_OUT;
+
+static const u_char msi_magic[] = {
+	0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1
+};
+
+static const u_char digital_signature[] = {
+	0x05, 0x00, 0x44, 0x00, 0x69, 0x00, 0x67, 0x00,
+	0x69, 0x00, 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00,
+	0x53, 0x00, 0x69, 0x00, 0x67, 0x00, 0x6E, 0x00,
+	0x61, 0x00, 0x74, 0x00, 0x75, 0x00, 0x72, 0x00,
+	0x65, 0x00, 0x00, 0x00
+};
+
+static const u_char digital_signature_ex[] = {
+	0x05, 0x00, 0x4D, 0x00, 0x73, 0x00, 0x69, 0x00,
+	0x44, 0x00, 0x69, 0x00, 0x67, 0x00, 0x69, 0x00,
+	0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x53, 0x00,
+	0x69, 0x00, 0x67, 0x00, 0x6E, 0x00, 0x61, 0x00,
+	0x74, 0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00,
+	0x45, 0x00, 0x78, 0x00, 0x00, 0x00
+};
+
+static const u_char msi_root_entry[] = {
+	0x52, 0x00, 0x6F, 0x00, 0x6F, 0x00, 0x74, 0x00,
+	0x20, 0x00, 0x45, 0x00, 0x6E, 0x00, 0x74, 0x00,
+	0x72, 0x00, 0x79, 0x00, 0x00, 0x00
+};
+
+static const u_char msi_zeroes[] = {
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, uint32_t offset, char *buffer, uint32_t len);
+MSI_FILE *msi_file_new(char *buffer, uint32_t len);
+void msi_file_free(MSI_FILE *msi);
+MSI_ENTRY *msi_root_entry_get(MSI_FILE *msi);
+int msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent, MSI_DIRENT **ret);
+MSI_ENTRY *msi_signatures_get(MSI_DIRENT *dirent, MSI_ENTRY **dse);
+void msi_dirent_free(MSI_DIRENT *dirent);
+int msi_prehash_dir(MSI_DIRENT *dirent, BIO *hash, int is_root);
+int msi_hash_dir(MSI_FILE *msi, MSI_DIRENT *dirent, BIO *hash, int is_root);
+int msi_calc_digest(char *indata, int mdtype, u_char *mdbuf, uint32_t fileend);
+int msi_dirent_delete(MSI_DIRENT *dirent, const u_char *name, uint16_t nameLen);
+int msi_file_write(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p, uint32_t len,
+    u_char *p_msiex, uint32_t len_msiex, BIO *outdata);
+
+/*
+Local Variables:
+   c-basic-offset: 4
+   tab-width: 4
+   indent-tabs-mode: t
+End:
+
+  vim: set ts=4 noexpandtab:
+*/

osslsigncode.bash

@@ -0,0 +1,76 @@
+# bash completion for osslsigncode                         -*- shell-script -*-
+# Copyright (C) 2021-2022 Michał Trojnara <Michal.Trojnara@stunnel.org>
+# Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+
+bind 'set show-all-if-ambiguous on'
+bind 'set completion-ignore-case on'
+COMP_WORDBREAKS=${COMP_WORDBREAKS//:}
+
+_comp_cmd_osslsigncode()
+{
+    local cur prev words cword
+    _init_completion || return
+
+    local commands command options timestamps rfc3161
+
+    commands="--help --version -v
+        sign add attach-signature extract-signature remove-signature verify"
+
+    timestamps="http://timestamp.digicert.com
+        http://time.certum.pl
+        http://timestamp.sectigo.com
+        http://timestamp.globalsign.com/?signature=sha2"
+
+    rfc3161="http://timestamp.digicert.com
+        http://time.certum.pl
+        http://timestamp.entrust.net/TSS/RFC3161sha2TS
+        http://tss.accv.es:8318/tsa
+        http://kstamp.keynectis.com/KSign/
+        http://sha256timestamp.ws.symantec.com/sha256/timestamp"
+
+
+    if ((cword == 1)); then
+        COMPREPLY=($(compgen -W "${commands}" -- ${cur}))
+    else
+        command=${words[1]}
+        case $prev in
+            -ac | -c | -catalog | -certs | -spc | -key | -pkcs12 | -pass | \
+            -readpass | -pkcs11engine | -pkcs11module | -in | -out | -sigin | \
+            -n | -CAfile | -CRLfile  | -TSA-CAfile | -TSA-CRLfile)
+                _filedir
+                return
+                ;;
+            -h | -require-leaf-hash)
+                COMPREPLY=($(compgen -W 'md5 sha1 sha2 sha256 sha384 sha512' \
+                    -- "$cur"))
+                return
+                ;;
+            -jp)
+                COMPREPLY=($(compgen -W 'low medium high' -- "$cur"))
+                return
+                ;;
+            -t)
+                COMPREPLY=($(compgen -W "${timestamps}" -- "$cur"))
+                return
+                ;;
+            -ts)
+                COMPREPLY=($(compgen -W "${rfc3161}" -- "$cur"))
+                return
+                ;;
+            -i | -p)
+                _known_hosts_real -- "$cur"
+                return
+                ;;
+        esac
+
+        if [[ $cur == -* ]]; then
+            # possible options for the command
+            options=$(_parse_help "$1" "$command --help" 2>/dev/null)
+            COMPREPLY=($(compgen -W "${options}" -- ${cur}))
+        fi
+    fi
+
+} &&
+    complete -F _comp_cmd_osslsigncode osslsigncode
+
+# ex: filetype=sh

tests/certs/.gitignore

@@ -0,0 +1 @@
+*.log

tests/certs/CACert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoTCCAomgAwIBAgIUOK8lwJ8A1Oqw8jDAb3TF06ve+PcwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTcwMTAxMDAwMDAwWhcNMjYxMTEwMDAwMDAwWjBYMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAKzObJwYq4t9Y/OOQLqUNLU8RDXq284L8zQgRLkvApF87FNN7kozIgC9
+/HAgJSho/Lup5lzkCWa3fjkYm1EBrL+JihesSaCxxe7LOg6tRaY+WxikwMUnlkNE
+s3R+DogeGVsla4q0FEcICiz3FHTfSAUVmrN3Nj1ll7npJXrqmXxfCuO3slgjUkHq
+tdZ5t1rSWwbiUhGIQKLzo3/uw2XoOI28qpoOw+0/y8AyjWs8My3u8GrYFr+qh5fx
+Y0Zp0EhhAJo23Xd43XmeVKjuKIOaHu3JiM8sp9K1WFsTvFNAO27TBRn/X0mJCeDX
+T117dQxhWOCcQ/uRGuXICT4ign8MLtUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB
+/zAdBgNVHQ4EFgQU6ewx3DIpbR8OptEmDFlYNELRqP4wHwYDVR0jBBgwFoAU6ewx
+3DIpbR8OptEmDFlYNELRqP4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUA
+A4IBAQAhRMun0IzPmHVFM+SOfSCPVAgogWpqR5XlBAFlS+Aen6v3ukQAQjEhfBbE
+dZG6ye9i0ebf9qXYTvSq5wfaqP7FGb2/Z96uPXNMXPi796KjLW2CG578DitORPb7
+x1eV3UGrQX2bMQ0JbGkBU+DIdIRBqDfad/kjLtm5eHyCbaodSWdaZO4LSUIy3MBx
+2UeBj2qD4RTA0Dt7hG7RA5QdTxHlZyLIk8HX3krZ+il5RmSbOnQs/XqK5DJp4J5p
+122sIO4Y9ki+Wewzx8f3/7mcVbcMo67GwRHo8bk3GjWE74pczyrzfP68vDQ4tn85
+NcLPeLClfSziJD09z+Iyp94EQeKX
+-----END CERTIFICATE-----

tests/certs/CACertCRL.pem

@@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----
+MIIB9zCB4AIBATANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJQTDEVMBMGA1UE
+CgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
+eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBFw0xOTAxMDEwMDAwMDBaFw00MzAx
+MDEwMDAwMDBaMCcwJQIUOpY5wp7DtqsdxII7sxculedk0PYXDTIyMDcyNjEzMDk1
+NlqgIzAhMB8GA1UdIwQYMBaAFJ4FrAtb4UB/ag702URPiid97ziLMA0GCSqGSIb3
+DQEBCwUAA4IBAQA4Kw0vEJrtjjMam16iN/stOMxJDgkp1IQzA3narxr9fEjX5Ynk
+JztuEExtowPIDOLGWCySXNEMmxCzXNAMvlUq+UQvnWrwgHQ9R7TBYIcAY+VRmzKz
+T4PXvDSL2WMuJ1dLWoIcL2D0wEdti7YMvAnCrOC8HAPGgke5QcOgSfMSAYSAtpiw
+PZAFgcuo53AodlCw9J+CPcHPYw+C2QExOy8s8q6d8Xgjg+Ge7v3RxLWy74sNPl0u
+uZ79vcLNEeqEXxKaw5abqDqIDcUKIT3b62KsSxkak9IGNMLcTASw1V+YaKVLSYNW
+NTuc5WJblfZi/q7WUMKkmRERzvdg2rf0CSH1
+-----END X509 CRL-----

tests/certs/TSA.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCivbbTCnbOqPoV
+7VVP/KJzgslx8yfX9laGwTsvzqStQtG8j40ljR85WD/bgy3I5duebudg7JhOVH2f
+aSqbh8SCzP4YNDFcseDIuHdoXi54POgW3S/wbe8l8P7g3btcBgnlXh/izhUlEMib
+Q/8G8UZj0n/MgKMLzcXc4t2eQ4Pzw7xAPqoXBZ20Fg2rFBfUsDDLc5F7lpO5t1WQ
+dXTYmF0oAL/HLmd+HKe5Xgp9jJ6XacesjWLnhRdZ06uUP9cgo+Jem4QZxeFhOtMe
+KAf7JH3Juz2Gi0a+4dMSNzES4m8RAlf6pXh4kAh7EhMNb/Ir6ZpY8uKM7dtn38mh
+1f59EKc9AgMBAAECggEAK5zB0P695hYcpyGqOjxO4LvM9m+eXt7SQ1ynWuF6+j+s
+62ZhAg42rux6eH5IF82ZtHSuJyhgjKVR4RWS6IlS3WbINX5PODMnNUNSJLMQqwJP
+hEkUXs9nRni2JVbmrfukTUaTLvnhasR7rjhjsN2Z6ohv3UMf7rrfapmVoKMhSoLd
+jqvZ2ZoaT5mfTiK/5PDyWqrt/vmvE4VlipAsvudwozG5vQDEsCNDNUTg5OTGnPUU
+i0xeQTioqzCcweIlEaWhj/eMHx/eAeZ6V0Evid/YwTDlbTqVDWZGLJ/phOnKJs3V
+j+eOv7E2d1ga7149SPDIv5Y0YZ91v3M06ICk5o66gQKBgQDSM+YyR5YOJTSAuAcI
+uKTc33wwCbPiJF/F1zLJDdPp2IamZQbuNIX/8fOG3Gho+OnfNAykMcr3rFrug2vi
+9GhWDQqguYGh16xos+2zNan6P/s0/rQ4OfPIsTEGC8X3fJeMzZUNMvnyN/FXzzus
+020o29gu59esEfGHEsvAupC3IQKBgQDGMqGLgrU4oW/5mmm4BZlwwkZJNMmFH49u
+Qe4Ylj87SQduExJMmTfrmANqQXu7RXG0IxLcvhwMLVCCYAkvuBv1awsbg2yfP1Pn
+Wb/K+5CaHaxnpwSpRiGaN6fnAPDl8PnALMVXtQGru2MMcISxOIFQ9slHth0lmaMo
+odIPIL1YnQKBgAOSskUEhn5zD3NorWXujY7blabTY2VirOYWBFz6iTGeZpuJeBaw
+ed6h5DvUn0m5gXAz2EsqNYMEQP9w6HKRKPzdd+LHhHaVze5xsIatUNhaIhECi1mx
+Un2E1Yp+xLyyN3lDPVdeGHWPkeCmOyNy7JYXNpOFiVr5axuarC/4e+FBAoGAeuRR
+/mshaufOwnnYK15tcdlEM4gjnAOhr7/5ng0rT9tMXBg/NHeckNxE4dGQouHASu2k
+eHL4eSRv0ycxCwGhdF7XGEw5QdTGdaDUp0ussaLMj8ijv0HY/AKefUG8HRd6BIq+
+Ik/9pTofhEsQO8LJjCY5T9m/4NyOqlcMJI0sWpECgYBvPLnutbBXYONVAE3jL05K
+hWwenKpv5Aaa11ahqzhil2Tj+VOMtmvhsSc5loSG83qp5LtN4LxyR0Vn9AGN7Z+d
+Ut6LHeZ/DMW3/RPT+1MIKm6WLNxgk5YvuCxprdpfE5tTmV9/t+t3Uao7TRsLPl2o
+qAKz8Fvq0el5RW3EtAgd4A==
+-----END PRIVATE KEY-----

tests/certs/TSA.pem

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEzTCCA7WgAwIBAgIUfRjXKciCGA4XbhbhxbAwfpcLGmowDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
+CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
+dCBDQTAeFw0xODAxMDEwMDAwMDBaFw0yODAxMDEwMDAwMDBaMFUxCzAJBgNVBAYT
+AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxHDAaBgNVBAsME1RpbWVzdGFtcCBB
+dXRob3JpdHkxETAPBgNVBAMMCFRlc3QgVFNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAor220wp2zqj6Fe1VT/yic4LJcfMn1/ZWhsE7L86krULRvI+N
+JY0fOVg/24MtyOXbnm7nYOyYTlR9n2kqm4fEgsz+GDQxXLHgyLh3aF4ueDzoFt0v
+8G3vJfD+4N27XAYJ5V4f4s4VJRDIm0P/BvFGY9J/zICjC83F3OLdnkOD88O8QD6q
+FwWdtBYNqxQX1LAwy3ORe5aTubdVkHV02JhdKAC/xy5nfhynuV4KfYyel2nHrI1i
+54UXWdOrlD/XIKPiXpuEGcXhYTrTHigH+yR9ybs9hotGvuHTEjcxEuJvEQJX+qV4
+eJAIexITDW/yK+maWPLijO3bZ9/JodX+fRCnPQIDAQABo4IBiDCCAYQwDAYDVR0T
+AQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAdBgNVHQ4EFgQUKWCqogni
+6SseJ/P6LXo0M2cK++QwHwYDVR0jBBgwFoAU/5nNuG4Tm4v2y9uKf428/4fVQesw
+gYQGCCsGAQUFBwEBBHgwdjA5BggrBgEFBQcwAoYtaHR0cDovL1RTQUNBLnRpbWVz
+dGFtcGF1dGhvcml0eS5jb20vVFNBQ0EuY3J0MDkGCCsGAQUFBzABhi1odHRwOi8v
+b2NzcC5UU0FDQS50aW1lc3RhbXBhdXRob3JpdHkuY29tOjkwODAwPgYDVR0fBDcw
+NTAzoDGgL4YtaHR0cDovL1RTQUNBLnRpbWVzdGFtcGF1dGhvcml0eS5jb20vVFNB
+Q0EuY3JsMFUGA1UdHgROMEygGDAKggh0ZXN0LmNvbTAKggh0ZXN0Lm9yZ6EwMAqH
+CAAAAAAAAAAAMCKHIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQB4YXa5nVWUzWSsUDMfYFTEETOe8boUErwfrDNBuj6z
+B5en20FhI49i6PCYEfNq3vrAtPOEFJj+KPomN3C46VLxbUEvqWLdq6EyzWvVVmXK
+VLeC0qV0m6CFM8GplaWzZdfFTQaaLUhgY08ZU2gp4QsoS2YjAosxlZrNSm6pBbv3
+q+Og1KeSK8gKS0V89k+6e3LOEF6KaNWKSkoz5xDniQY//mTjiDcNmYUh0KhHfhdU
+eO92M82uJSaDqnRs5HsWPs6z6qdfpuvj++OtQ1VCM2p5SEH2sEomdeN3YYChuG4h
+yzn0mYAdbTyGJHlFm17AH+SQRbVqCKYdHDaqsMb+fWzi
+-----END CERTIFICATE-----

tests/certs/TSACA.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkDCCAnigAwIBAgIUJ0nfE+EVsIThltlY2LHVWMJVIq4wDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
+CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
+dCBDQTAeFw0xNzAxMDEwMDAwMDBaFw0yNjExMTAwMDAwMDBaMGAxCzAJBgNVBAYT
+AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxJDAiBgNVBAsMG1RpbWVzdGFtcCBB
+dXRob3JpdHkgUm9vdCBDQTEUMBIGA1UEAwwLVFNBIFJvb3QgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGOTX1f9dmtUiyzlsUInRIGfRMya338SVx
+vYGeOwdpTSSGlYUVwR9AuFewQF5+klelstCJe+SoUG0AdzS30mRWlQrhip4UdvdW
+T2gkNKbSn6DQzlWoQej9izqRLxAsbuszgkvnLOBEmPaLimDsCgu0bAN95Hp0Hls9
+O/fVmzh8VuV4iscxc7q13ZB7CylWgwd55CFEGd/jpJ6kMwSHbOLoBWp4GQ3KxR+c
+ASAo0FapU2WSZB2EYWszRiyq91X+AvIYN4ypTv7RccgfUvnZ2qFykJAkf/wgkynu
+Qg7rCUNfUEpDc7jlqtDWR7iLrtHBkA17C3IU8ymmKQYWfw3ZyBwvAgMBAAGjQjBA
+MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP+ZzbhuE5uL9svbin+NvP+H1UHr
+MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAbj3aFwIUxvzwgywO
+gj01JM8GNbw1E4MGdkaNI8rgeY8ay15ZXhR9NpRWWb6Y7IXPq5XhuEktVte5Z4Kf
+XLBrr7Xe9VVqJL9zd1tMzOEM/zG77rZf/iXBTZLkCtQc/GOEY4TTWKNEl5hiWVE0
+po97GX5XHoeyHlWQ75sd9z6MxFxmvdp9/uyYD700e9sd5gcD8LGvHw2DNy8vntYV
+ia9h95N9i1umffxU460o8W5GoIcsD13B3YftvnWhGSXqovBRFgcPAQZ4eW9Qh/zA
+4zQBQrRvmREPihXVdgtWVpbRchP99oSZBrYr7Hh/P69rycklquqxJl1ol1wbT6dK
+S5Gmng==
+-----END CERTIFICATE-----

tests/certs/ca-bundle.crt

@@ -0,0 +1,47 @@
+# Certum Trusted Network CA
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
+MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
+ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
+cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
+WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
+Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
+IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
+UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
+TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
+BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
+kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
+AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
+HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
+sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
+I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
+J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
+VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
+03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
+-----END CERTIFICATE-----
+
+# DigiCert Assured ID Root CA
+-----BEGIN CERTIFICATE-----
+MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
+b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
+EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
+cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
+JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
+mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
+wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
+VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
+AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
+AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
+BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
+pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
+dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
+fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
+NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
+H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
++o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
+-----END CERTIFICATE-----

tests/certs/cert.pem

@@ -0,0 +1,46 @@
+-----BEGIN CERTIFICATE-----
+MIID7jCCAtagAwIBAgIUdLInHjkevRVCr7I78r5++6eSrZ0wDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0
+ZSBDQTAeFw0xODAxMDEwMDAwMDBaFw0yNDEyMzEwMDAwMDBaMIGdMQswCQYDVQQG
+EwJQTDEZMBcGA1UECAwQTWF6b3ZpYSBQcm92aW5jZTEPMA0GA1UEBwwGV2Fyc2F3
+MRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNVBAsMA0NTUDEUMBIGA1UEAwwL
+Q2VydGlmaWNhdGUxJzAlBgkqhkiG9w0BCQEWGG9zc2xzaWduY29kZUBleGFtcGxl
+LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJLJ3Vty2lgJw+5
+ouAV4ZqkIwvfWPcE7zD1CfQIL2802jVuCSTkN9cfFVYMKFEPJxQWJAKoCzr/Ux8z
+Yt9BXO5o39+z7umLKmc6pfrZJ6kG4msrMjZv36LsCQyfjUc1O9H1aiOQEvRQY2pF
+2v5dfqRMrAqH1ESQHCggUBjElWj9oMFax8jyO7JxTzuttOb6mhDmqz4q2u4LwZGH
+lBofgOAB54Mlv41x7dDh85i/jayXuYYmsjRwCuBAn14+D2zImyPDx5UaUJJMzujo
+QriOZ4KU2dHRgy0+vd7ZbrL1kRY1axyNQ+jBk7UHnlZZ2CCkhBoZIM6ez3ljPwgr
+cpg0RtcCAwEAAaNiMGAwCQYDVR0TBAIwADAdBgNVHQ4EFgQUBxPEs09WXDxGqb+D
+WTFgcUQd0AEwHwYDVR0jBBgwFoAUngWsC1vhQH9qDvTZRE+KJ33vOIswEwYDVR0l
+BAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAKK2e1s1puUFbNjglopi
+mKZ4Pks2zb6LVUGG6Q4XQ1dWe25ovt68jWv56HFyCMI1N+L8q0+Ku2eOfLObS7Ej
+FFRUWEIXDgipryDTGzoWRM380fuYpL/j7Rt1/xmIHWTFibf/6gK/naRXsFH3dEbb
+7DDWQ5pAd2d60dB+ThUEIZQTQd/926Kuk5oESvP08fXMYTuiYARypG1gmiuvxQ9N
+mDJP6CHxyJR/LB4tb0RAqnLkVsXVBDnRYWdEvkuhoqTtbhVzVbL3mPeEmVYypxxd
+NdrHpU5zmxFSin2T3F0TneNcT+MDV+dQcWyTGNYs/fnmo85LsiakJixGv1qx8PTs
+8iE=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUUPCDF21g2spK7557HZUhqSxBltMwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAyMs1XoC0NUT5YgydibOrE5SWBKk5C47B6tv6gA4t3zZJ
+wejaiPkj+aTIU3Ww5DO/Gpz0GuqCHNBczIw92Cfvv8kyWzUy46bRkpBJLFav0JXS
+B3xQaPlHWeXqMfVAGuM5ExT4CjjYKFsrgV1Q300thCHBhvr8TPekDIf+6J7NSz1P
+062pYgypfqsA8OwKaQbgOL9v4QRmHoolnEDc1dK/FS4f3p9dlifl7kcSVGQK0yit
+7Uncn250icCxMxS3MOE2NfuplUOSN6h6poWNGUsx00O7Dy9nUndUwJRpFfKXTV3v
+GtlmFLNoho+ss/usnxjxggWBcRtKhqd8nGSJUlzs0wIDAQABo2YwZDASBgNVHRMB
+Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBSeBawLW+FAf2oO9NlET4onfe84izAfBgNV
+HSMEGDAWgBTp7DHcMiltHw6m0SYMWVg0QtGo/jAOBgNVHQ8BAf8EBAMCAYYwDQYJ
+KoZIhvcNAQELBQADggEBAD/FBa4stJGd/Acg2E2soI071B/l9B7FiqIRpCFuLVC4
+1m7TIcjioIpZrxXwE1Egf8A9/6D/kKZtWnOljcxtPBEb+1/gB61M381RIgoMQ/Pf
+7XX2yakk6mscUjbSTR//Mj1sYOs2r6ueZBp0whzF9nVvA43G6WMpf6XZqmhlg/oV
+ynytW1Iu1SPoru3y8dX/lsukvKCak7MAp1eBcuUJxS56DnKcV9xgC30m3g+CErI3
+qsOJ7lcfDP6fDjy7MfBsZBiY64MqwlDjjn7+Pleo69JedMwurHLhKnfm07DBPy8X
++EnQk61xHEjQtTsddXyQGQV3yjqylOF2AgsAf256uuA=
+-----END CERTIFICATE-----

tests/certs/crosscert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzjCCAragAwIBAgIUGjZdQYlcAtlqZOsQ7eWRimQ9PIcwDQYJKoZIhvcNAQEL
+BQAwbzELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEMMAoGA1UE
+CwwDQ1NQMRIwEAYDVQQDDAljcm9zc2NlcnQxJzAlBgkqhkiG9w0BCQEWGG9zc2xz
+aWduY29kZUBleGFtcGxlLmNvbTAeFw0xODAxMDEwMDAwMDBaFw0yMDA2MTkwMDAw
+MDBaMG8xCzAJBgNVBAYTAlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNV
+BAsMA0NTUDESMBAGA1UEAwwJY3Jvc3NjZXJ0MScwJQYJKoZIhvcNAQkBFhhvc3Ns
+c2lnbmNvZGVAZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDJU6WNMOEoErLYb5Qc7jsvVgruPM7DJTZ4vUpJNYAyprSDHciaKSa4SiYS
+84Mxc6tzBoJvKOAwpxzzONOqPVWUd5J244urgvfHgSGWsbA8bakiIYlETopnecFk
+B3ZELR33CPqIbpYYMYujhPGFa1xxZxFykJ1iBhZ8Gh3W4wHi/2kW6hTQkihMtUPP
+Xxc2XWACj/tz22OSdgNZcIfhXiy2HOuPch+0UlDR4UmlJIR5aet1y832hHoeeevo
+qfhfGOm9rRf9nyxKDwTyaN7JVOb7A1k6KJEJoe1zfIwT56mgoA433iUWFMLB6hKU
+be3zV1vGjk77Kk7atcvEMTRq+rwHAgMBAAGjYjBgMAkGA1UdEwQCMAAwHQYDVR0O
+BBYEFEXgglEcDh+8oCCvjlxrN/Y7C4YwMB8GA1UdIwQYMBaAFEXgglEcDh+8oCCv
+jlxrN/Y7C4YwMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IB
+AQBo8UqUEjxGQCVU/IgphwKA8Rb/uAyBYm+AjqFDs82lA6ze0n08Bj+eciVkxscA
+0deivOC1sDD88QkLzSQ9CPk4e7+m7nx5SFUnUWY+o3ln+cTbGSM0jW9hme0LtHXX
+QxDSKDBhQonRQk7lQ+TwFR7ol+y5SdZy7YQ+v/25qO6MMQgSPykJIa4vF7lwrYhu
+qL+1MJx/ryTbCUExcKNNkWHZJRc9ZvtdWEHYpBSZl5xmJdKMLnHAu5uv8N2pezzp
+PfujldZky7bnERaTM+bf/LvKXS8RfQGrCLu9QjgPVa6ysZV6gXTsEtwYh64vucjS
+s7IhdLxfiT0xYkK4JWrRLc38
+-----END CERTIFICATE-----

tests/certs/expired.pem

@@ -0,0 +1,45 @@
+-----BEGIN CERTIFICATE-----
+MIID6jCCAtKgAwIBAgIUdtBZJAw8/6JVNMiQpN3PEROI8rowDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0
+ZSBDQTAeFw0xODAxMDEwMDAwMDBaFw0xOTAxMDEwMDAwMDBaMIGZMQswCQYDVQQG
+EwJQTDEZMBcGA1UECAwQTWF6b3ZpYSBQcm92aW5jZTEPMA0GA1UEBwwGV2Fyc2F3
+MRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNVBAsMA0NTUDEQMA4GA1UEAwwH
+RXhwaXJlZDEnMCUGCSqGSIb3DQEJARYYb3NzbHNpZ25jb2RlQGV4YW1wbGUuY29t
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsksndW3LaWAnD7mi4BXh
+mqQjC99Y9wTvMPUJ9AgvbzTaNW4JJOQ31x8VVgwoUQ8nFBYkAqgLOv9THzNi30Fc
+7mjf37Pu6YsqZzql+tknqQbiaysyNm/fouwJDJ+NRzU70fVqI5AS9FBjakXa/l1+
+pEysCofURJAcKCBQGMSVaP2gwVrHyPI7snFPO6205vqaEOarPira7gvBkYeUGh+A
+4AHngyW/jXHt0OHzmL+NrJe5hiayNHAK4ECfXj4PbMibI8PHlRpQkkzO6OhCuI5n
+gpTZ0dGDLT693tlusvWRFjVrHI1D6MGTtQeeVlnYIKSEGhkgzp7PeWM/CCtymDRG
+1wIDAQABo2IwYDAJBgNVHRMEAjAAMB0GA1UdDgQWBBQHE8SzT1ZcPEapv4NZMWBx
+RB3QATAfBgNVHSMEGDAWgBSeBawLW+FAf2oO9NlET4onfe84izATBgNVHSUEDDAK
+BggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAX1Ar7jRAXdcA0Wu37yRi58QN
+hpa1VLXadqfB+i5Y4e3DzqnMbpkLWsFzreC1AG0RjLe52s4PRUE6boGlpUeAyfFC
+Qu2Gl/REVWwMCYV8bq3vQZkYQjklAXCQLWFk5TrzuDmBcV8+fY518nWw+xmcYwW5
+5oehLsvB4nxoBzlHgcdDwS5b2dmpCKCbZFLU9aA9DjAVvY/9B8emyj7Sh2sEK0Yf
+xwHlATTVq5O0/9tvVZQmYsbpS0iCRGBM+spTEhDT4WGsaRO6wP+Ucgp6Ym3ahMvz
+tHME3uUanKWVoDb69sguGZ6KlnZZZdIX1AJ3dlTXCrzEO9xsoAzqzsxVJGrraQ==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUUPCDF21g2spK7557HZUhqSxBltMwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAyMs1XoC0NUT5YgydibOrE5SWBKk5C47B6tv6gA4t3zZJ
+wejaiPkj+aTIU3Ww5DO/Gpz0GuqCHNBczIw92Cfvv8kyWzUy46bRkpBJLFav0JXS
+B3xQaPlHWeXqMfVAGuM5ExT4CjjYKFsrgV1Q300thCHBhvr8TPekDIf+6J7NSz1P
+062pYgypfqsA8OwKaQbgOL9v4QRmHoolnEDc1dK/FS4f3p9dlifl7kcSVGQK0yit
+7Uncn250icCxMxS3MOE2NfuplUOSN6h6poWNGUsx00O7Dy9nUndUwJRpFfKXTV3v
+GtlmFLNoho+ss/usnxjxggWBcRtKhqd8nGSJUlzs0wIDAQABo2YwZDASBgNVHRMB
+Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBSeBawLW+FAf2oO9NlET4onfe84izAfBgNV
+HSMEGDAWgBTp7DHcMiltHw6m0SYMWVg0QtGo/jAOBgNVHQ8BAf8EBAMCAYYwDQYJ
+KoZIhvcNAQELBQADggEBAD/FBa4stJGd/Acg2E2soI071B/l9B7FiqIRpCFuLVC4
+1m7TIcjioIpZrxXwE1Egf8A9/6D/kKZtWnOljcxtPBEb+1/gB61M381RIgoMQ/Pf
+7XX2yakk6mscUjbSTR//Mj1sYOs2r6ueZBp0whzF9nVvA43G6WMpf6XZqmhlg/oV
+ynytW1Iu1SPoru3y8dX/lsukvKCak7MAp1eBcuUJxS56DnKcV9xgC30m3g+CErI3
+qsOJ7lcfDP6fDjy7MfBsZBiY64MqwlDjjn7+Pleo69JedMwurHLhKnfm07DBPy8X
++EnQk61xHEjQtTsddXyQGQV3yjqylOF2AgsAf256uuA=
+-----END CERTIFICATE-----

tests/certs/intermediate.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUUPCDF21g2spK7557HZUhqSxBltMwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAyMs1XoC0NUT5YgydibOrE5SWBKk5C47B6tv6gA4t3zZJ
+wejaiPkj+aTIU3Ww5DO/Gpz0GuqCHNBczIw92Cfvv8kyWzUy46bRkpBJLFav0JXS
+B3xQaPlHWeXqMfVAGuM5ExT4CjjYKFsrgV1Q300thCHBhvr8TPekDIf+6J7NSz1P
+062pYgypfqsA8OwKaQbgOL9v4QRmHoolnEDc1dK/FS4f3p9dlifl7kcSVGQK0yit
+7Uncn250icCxMxS3MOE2NfuplUOSN6h6poWNGUsx00O7Dy9nUndUwJRpFfKXTV3v
+GtlmFLNoho+ss/usnxjxggWBcRtKhqd8nGSJUlzs0wIDAQABo2YwZDASBgNVHRMB
+Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBSeBawLW+FAf2oO9NlET4onfe84izAfBgNV
+HSMEGDAWgBTp7DHcMiltHw6m0SYMWVg0QtGo/jAOBgNVHQ8BAf8EBAMCAYYwDQYJ
+KoZIhvcNAQELBQADggEBAD/FBa4stJGd/Acg2E2soI071B/l9B7FiqIRpCFuLVC4
+1m7TIcjioIpZrxXwE1Egf8A9/6D/kKZtWnOljcxtPBEb+1/gB61M381RIgoMQ/Pf
+7XX2yakk6mscUjbSTR//Mj1sYOs2r6ueZBp0whzF9nVvA43G6WMpf6XZqmhlg/oV
+ynytW1Iu1SPoru3y8dX/lsukvKCak7MAp1eBcuUJxS56DnKcV9xgC30m3g+CErI3
+qsOJ7lcfDP6fDjy7MfBsZBiY64MqwlDjjn7+Pleo69JedMwurHLhKnfm07DBPy8X
++EnQk61xHEjQtTsddXyQGQV3yjqylOF2AgsAf256uuA=
+-----END CERTIFICATE-----

tests/certs/key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAsksndW3LaWAnD7mi4BXhmqQjC99Y9wTvMPUJ9AgvbzTaNW4J
+JOQ31x8VVgwoUQ8nFBYkAqgLOv9THzNi30Fc7mjf37Pu6YsqZzql+tknqQbiaysy
+Nm/fouwJDJ+NRzU70fVqI5AS9FBjakXa/l1+pEysCofURJAcKCBQGMSVaP2gwVrH
+yPI7snFPO6205vqaEOarPira7gvBkYeUGh+A4AHngyW/jXHt0OHzmL+NrJe5hiay
+NHAK4ECfXj4PbMibI8PHlRpQkkzO6OhCuI5ngpTZ0dGDLT693tlusvWRFjVrHI1D
+6MGTtQeeVlnYIKSEGhkgzp7PeWM/CCtymDRG1wIDAQABAoIBACR/jgxT9ZgUvupR
+Li6BTDXD9AiyKBwpPm3fO7JhGpTBVQorBGQw891t14hN5NLzLyTFg4mnrOTe770r
+X8okL0n+3hWFWBsnCf8n2mKHob7QUfluVlEehcFsYE3dO6agFybb/mZZUAgDjNZs
+hnAb45juuSlOtP10Is90DfGEDLH5IeY1xjzc7Qv/CFxCffIAC8QmQYUTihJ2m5aE
+7Hvs79oEcSvbRJDYbykzrJ0eeIaEvfOxkWJnnJHrhiONzb8qgj3DLiZdX1qeo1Ao
+ldNxEG9n3Axd6M0nhajz0qbDV11S8YiKfP10XRQh5xv7lZi7MjvrRxFTFYpSrXwi
+YYyFNoECgYEA6YnIYg1nIe3qaI3Me1RQQTGRl8M/dQc2d98Pz5mez9vN3TIW6nEs
+QYw/9OKG1ercbD+YnuaV+1izuAcA3mNlSDReTtzInAotJjTH1V3WYqvBTVUZSb6T
+5qSBfRDC3AULFvHeX5c5wqgfB3U9KLDfVBfaHnMerg6dAGsYZPhPMrkCgYEAw3Eg
+5BRTzbqG0WXF25rycTeHCcylMZRjI+TVcIa8AGqNSCK4HgAWp89XPIV3WceVqe2R
+Lyn1jtA2MgGGcMBDFlOWF+h9j2/j27Z+pyIbBF9LAraJuBOG6dezd50y5Ur6HK/f
+e5lnjvElIYdz+RX+rmw8NFcIUbSAfE7rGinDvg8CgYBDx86VzsgJC/FFySn4/X6R
+fV6BSpTHVYGUhvQiz7ZNI8F7GoeWIaSznY4OeBSkT5cL/+U+8TPEkHkQx0+UPArw
+Suq4PtImn7l85kK9hY+scacX18QQKDTq8wH2F4BGtVwDm81rtwt3mK3wzzEh9zvK
+P2X6AnV8FReyQGMDIyJxWQKBgD6nu9WitqMTkzj6GY4nhGXLWV1I4ASe/5F4QPzM
+FOVFQ3nGt6PWf2zYyay7VOHRXCeX451tJC3ejiFF3+WxnVBBB7Muc2JSiofbX4sR
+Ifwq2I9MGaaLjArXfc9w8+oSOVCNCWZEbbCjmjW/iOxnorgkNsDIzf/zj+VKH5DJ
+ptj9AoGAUpB6nPES3Nnj8DsbpHCnShYMl/rFxzxg2pJJosXzuS/ttuBT2DlT5eiY
+aZcL1DGSp2CD4QXbVuDHPkQMPzVfZzKAuCZlotEMR9byK46aYIkQueym45e0PGZP
+djKZm+cxF+W55jBkBBhV6wSOLNRWCUYiIIq3RmwWjkopNvSlwY4=
+-----END RSA PRIVATE KEY-----

tests/certs/keyp.pem

@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,6DB255395263EDD5
+
+A83CH4mv7u89RbT8Tpz4gxImKGBw69Zr3LstRXlliGYobby5YBx/YimkA9wFCZK/
+B1eitWwy0F6axDZQYHKi+yvUJDPB9arXtClvYknMhwrHV1GHLSYeqb9oZJeqNyDZ
+Qd3lxTbUtkMVJgJNrl2kOezm6/srnAw4uA7NyAvrs2vEzB48q4VlysrJq+f9mLXj
+vCmrfUwY999lSifRmoxqeWlqNUQ2tgHHXYMNagpvxYXsfe1UvEH9aa6+UsO9S0py
+7dyfSu95QpWyVNqkWi1VAtNbo2VpjJ6NJLAk+dy/rNqN3a4KnWeIzkYssWTsKB08
+VyHrRLePPx5qdarsczZtf+M2PxhHHnl/09+Nrp5BUcMV31j3v3VSM0K+CHEucAk7
+95rUtSUNywKUQeSgXrG1eLX7kXwRQ7PPCz3sPtvmJRIvQlGgLiTbKPsG52m3kAIw
+zgXPcH2lYb3855occznl72jMUucxXq8gq0bC4xbEg/yJV8p1IuUEFhLGI9s9T4JV
+cO9NKwmSjpHFo1ULhB7o6uMmV2rYDK+5GbQHxZgHj3ES+i53eFMWGubPEEOmqSh3
+9K7gtW9y971tNfhp9ba8RnYXT6xW2nMTM4koO9b4ptdwRo5bMKFvWY8eecXfsDAG
+OJ+aXkDr8jsn1Xauq1m4TM71wn2wUx95KaCpL55UNBEn7aH9qlNFfxdyzXMPYS36
+zgWK44BV3PTSIGgW61NVwHwzi3bFfymortVxGpelzy2dggWVvI3uzKocLFQ8f4oe
+Y0HWSmGVPF3uFHNCZtCB/Tpbz6YwP/YYStqAcryeS5Yo9Hdkh8pBVnYiKdTFEUW2
+RbClgeB2MV+zttsqvmodfkviS4BjWgoIV5szxWOePnO8kQAHA/Ml3CyDPOX6rqI5
+lDKiUojEMLgir/3YWWcmigEIgRsyF3CL1s+kTR3S8e9QRe8RiliRUKW5gXrLEa6j
+eUjs4kgCrvmQvwyZYJjWl+r7ycmk+yB/EZs8P39KRR/pfeZDUCZIOx8vkJBt57hC
+oTNJ5llFzRcmEraElXmDOAuvmj3Lx/4qzY545rtzll3mFHJEX4qITslIX1ksZz1p
+DncuqgIECzmZIeHPbnw7Nkv6EkoPzTOlccqnCH/SumFr2fhctv9x13gGcO4kSsqO
+63yZCFHjMz/mos3l51aIAizj5wQO3BOo+RyKoSQohvPzVtSgjhYMZsAPzXKxF0/H
+9VH0DekEb1WwPSbGZw8kpx9ePlglGqOBinTL6QW8YmFPbjy9RDd1di+fxh4Qe024
+8gERZpdSsMoZ+NP0nr/TSbDISFPqcLzzMpC+V8Fc/QkNvSkR1GLlNQrxLoyfK0VX
+0evysXDxqIWK9+TH7hIS1lf3i2gMkLMppMso1v2Cqf0zRj1oM3MI743QE9XTXKRz
+iAwaEDDPZWS/00T9fqNrHgtSPNpsbeYZQPYaC2lq1kTIEOlUfZZvMy5lxVPVZ8y2
+foit+0DewZsqLDJwbjZ3wYMERVEY7KagoInQa3A1ZC9SkFiCb4fNEbRF13gfjrSz
+muRbKAhEhkzJDFRocIaTKZPIWdvC73tAW66v1Zha74mxuckgnQPPqQ==
+-----END RSA PRIVATE KEY-----

tests/certs/password.txt

@@ -0,0 +1 @@
+passme

tests/certs/revoked.pem

@@ -0,0 +1,45 @@
+-----BEGIN CERTIFICATE-----
+MIIDvTCCAqWgAwIBAgIUOpY5wp7DtqsdxII7sxculedk0PYwDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0
+ZSBDQTAeFw0xODAxMDEwMDAwMDBaFw0yNDEyMzEwMDAwMDBaMG0xCzAJBgNVBAYT
+AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNVBAsMA0NTUDEQMA4GA1UE
+AwwHUmV2b2tlZDEnMCUGCSqGSIb3DQEJARYYb3NzbHNpZ25jb2RlQGV4YW1wbGUu
+Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsksndW3LaWAnD7mi
+4BXhmqQjC99Y9wTvMPUJ9AgvbzTaNW4JJOQ31x8VVgwoUQ8nFBYkAqgLOv9THzNi
+30Fc7mjf37Pu6YsqZzql+tknqQbiaysyNm/fouwJDJ+NRzU70fVqI5AS9FBjakXa
+/l1+pEysCofURJAcKCBQGMSVaP2gwVrHyPI7snFPO6205vqaEOarPira7gvBkYeU
+Gh+A4AHngyW/jXHt0OHzmL+NrJe5hiayNHAK4ECfXj4PbMibI8PHlRpQkkzO6OhC
+uI5ngpTZ0dGDLT693tlusvWRFjVrHI1D6MGTtQeeVlnYIKSEGhkgzp7PeWM/CCty
+mDRG1wIDAQABo2IwYDAJBgNVHRMEAjAAMB0GA1UdDgQWBBQHE8SzT1ZcPEapv4NZ
+MWBxRB3QATAfBgNVHSMEGDAWgBSeBawLW+FAf2oO9NlET4onfe84izATBgNVHSUE
+DDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAYVJiPrkACW/tK487fYS/
+gYzU3fYVCTfHpAv3njarNzy8UBNqBYr0kDg0DLoOWqGV7ogTtlbQP4IIjAQI/kW6
+cEreW8yU5VxO+kxDo+7oG9VEbR85i6kQW2ubJsXV6yBtf5aAbXEqImYrtjh7UObb
+BbQiUI1ll2dXWqvZGxr3Fz1uz8nPMYlBpVjpCh6JF8otdWwABmxRnqUvoLO6BZbH
+/gdUkouXfio9BlWkWaJXJGXMW8B7ozpjuCHSHyfvGKDA3YIfa7++A1BIKxW72jIF
+jRJDw/rwnV59tiEcBWmp2T6vV+rD8yaS+LotRPYD/ck/jEj/mV+N077KLmuZpdJF
+ag==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDrDCCApSgAwIBAgIUUPCDF21g2spK7557HZUhqSxBltMwDQYJKoZIhvcNAQEL
+BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
+CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
+MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
+A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAyMs1XoC0NUT5YgydibOrE5SWBKk5C47B6tv6gA4t3zZJ
+wejaiPkj+aTIU3Ww5DO/Gpz0GuqCHNBczIw92Cfvv8kyWzUy46bRkpBJLFav0JXS
+B3xQaPlHWeXqMfVAGuM5ExT4CjjYKFsrgV1Q300thCHBhvr8TPekDIf+6J7NSz1P
+062pYgypfqsA8OwKaQbgOL9v4QRmHoolnEDc1dK/FS4f3p9dlifl7kcSVGQK0yit
+7Uncn250icCxMxS3MOE2NfuplUOSN6h6poWNGUsx00O7Dy9nUndUwJRpFfKXTV3v
+GtlmFLNoho+ss/usnxjxggWBcRtKhqd8nGSJUlzs0wIDAQABo2YwZDASBgNVHRMB
+Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBSeBawLW+FAf2oO9NlET4onfe84izAfBgNV
+HSMEGDAWgBTp7DHcMiltHw6m0SYMWVg0QtGo/jAOBgNVHQ8BAf8EBAMCAYYwDQYJ
+KoZIhvcNAQELBQADggEBAD/FBa4stJGd/Acg2E2soI071B/l9B7FiqIRpCFuLVC4
+1m7TIcjioIpZrxXwE1Egf8A9/6D/kKZtWnOljcxtPBEb+1/gB61M381RIgoMQ/Pf
+7XX2yakk6mscUjbSTR//Mj1sYOs2r6ueZBp0whzF9nVvA43G6WMpf6XZqmhlg/oV
+ynytW1Iu1SPoru3y8dX/lsukvKCak7MAp1eBcuUJxS56DnKcV9xgC30m3g+CErI3
+qsOJ7lcfDP6fDjy7MfBsZBiY64MqwlDjjn7+Pleo69JedMwurHLhKnfm07DBPy8X
++EnQk61xHEjQtTsddXyQGQV3yjqylOF2AgsAf256uuA=
+-----END CERTIFICATE-----

tests/certs/tsa-chain.pem

@@ -0,0 +1,50 @@
+-----BEGIN CERTIFICATE-----
+MIIEzTCCA7WgAwIBAgIUfRjXKciCGA4XbhbhxbAwfpcLGmowDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
+CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
+dCBDQTAeFw0xODAxMDEwMDAwMDBaFw0yODAxMDEwMDAwMDBaMFUxCzAJBgNVBAYT
+AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxHDAaBgNVBAsME1RpbWVzdGFtcCBB
+dXRob3JpdHkxETAPBgNVBAMMCFRlc3QgVFNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAor220wp2zqj6Fe1VT/yic4LJcfMn1/ZWhsE7L86krULRvI+N
+JY0fOVg/24MtyOXbnm7nYOyYTlR9n2kqm4fEgsz+GDQxXLHgyLh3aF4ueDzoFt0v
+8G3vJfD+4N27XAYJ5V4f4s4VJRDIm0P/BvFGY9J/zICjC83F3OLdnkOD88O8QD6q
+FwWdtBYNqxQX1LAwy3ORe5aTubdVkHV02JhdKAC/xy5nfhynuV4KfYyel2nHrI1i
+54UXWdOrlD/XIKPiXpuEGcXhYTrTHigH+yR9ybs9hotGvuHTEjcxEuJvEQJX+qV4
+eJAIexITDW/yK+maWPLijO3bZ9/JodX+fRCnPQIDAQABo4IBiDCCAYQwDAYDVR0T
+AQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAdBgNVHQ4EFgQUKWCqogni
+6SseJ/P6LXo0M2cK++QwHwYDVR0jBBgwFoAU/5nNuG4Tm4v2y9uKf428/4fVQesw
+gYQGCCsGAQUFBwEBBHgwdjA5BggrBgEFBQcwAoYtaHR0cDovL1RTQUNBLnRpbWVz
+dGFtcGF1dGhvcml0eS5jb20vVFNBQ0EuY3J0MDkGCCsGAQUFBzABhi1odHRwOi8v
+b2NzcC5UU0FDQS50aW1lc3RhbXBhdXRob3JpdHkuY29tOjkwODAwPgYDVR0fBDcw
+NTAzoDGgL4YtaHR0cDovL1RTQUNBLnRpbWVzdGFtcGF1dGhvcml0eS5jb20vVFNB
+Q0EuY3JsMFUGA1UdHgROMEygGDAKggh0ZXN0LmNvbTAKggh0ZXN0Lm9yZ6EwMAqH
+CAAAAAAAAAAAMCKHIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQB4YXa5nVWUzWSsUDMfYFTEETOe8boUErwfrDNBuj6z
+B5en20FhI49i6PCYEfNq3vrAtPOEFJj+KPomN3C46VLxbUEvqWLdq6EyzWvVVmXK
+VLeC0qV0m6CFM8GplaWzZdfFTQaaLUhgY08ZU2gp4QsoS2YjAosxlZrNSm6pBbv3
+q+Og1KeSK8gKS0V89k+6e3LOEF6KaNWKSkoz5xDniQY//mTjiDcNmYUh0KhHfhdU
+eO92M82uJSaDqnRs5HsWPs6z6qdfpuvj++OtQ1VCM2p5SEH2sEomdeN3YYChuG4h
+yzn0mYAdbTyGJHlFm17AH+SQRbVqCKYdHDaqsMb+fWzi
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDkDCCAnigAwIBAgIUJ0nfE+EVsIThltlY2LHVWMJVIq4wDQYJKoZIhvcNAQEL
+BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
+CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
+dCBDQTAeFw0xNzAxMDEwMDAwMDBaFw0yNjExMTAwMDAwMDBaMGAxCzAJBgNVBAYT
+AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxJDAiBgNVBAsMG1RpbWVzdGFtcCBB
+dXRob3JpdHkgUm9vdCBDQTEUMBIGA1UEAwwLVFNBIFJvb3QgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGOTX1f9dmtUiyzlsUInRIGfRMya338SVx
+vYGeOwdpTSSGlYUVwR9AuFewQF5+klelstCJe+SoUG0AdzS30mRWlQrhip4UdvdW
+T2gkNKbSn6DQzlWoQej9izqRLxAsbuszgkvnLOBEmPaLimDsCgu0bAN95Hp0Hls9
+O/fVmzh8VuV4iscxc7q13ZB7CylWgwd55CFEGd/jpJ6kMwSHbOLoBWp4GQ3KxR+c
+ASAo0FapU2WSZB2EYWszRiyq91X+AvIYN4ypTv7RccgfUvnZ2qFykJAkf/wgkynu
+Qg7rCUNfUEpDc7jlqtDWR7iLrtHBkA17C3IU8ymmKQYWfw3ZyBwvAgMBAAGjQjBA
+MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP+ZzbhuE5uL9svbin+NvP+H1UHr
+MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAbj3aFwIUxvzwgywO
+gj01JM8GNbw1E4MGdkaNI8rgeY8ay15ZXhR9NpRWWb6Y7IXPq5XhuEktVte5Z4Kf
+XLBrr7Xe9VVqJL9zd1tMzOEM/zG77rZf/iXBTZLkCtQc/GOEY4TTWKNEl5hiWVE0
+po97GX5XHoeyHlWQ75sd9z6MxFxmvdp9/uyYD700e9sd5gcD8LGvHw2DNy8vntYV
+ia9h95N9i1umffxU460o8W5GoIcsD13B3YftvnWhGSXqovBRFgcPAQZ4eW9Qh/zA
+4zQBQrRvmREPihXVdgtWVpbRchP99oSZBrYr7Hh/P69rycklquqxJl1ol1wbT6dK
+S5Gmng==
+-----END CERTIFICATE-----

tests/conf/makecerts.sh

@@ -0,0 +1,260 @@
+#!/bin/sh
+
+result=0
+
+test_result() {
+  if test "$1" -eq 0
+    then
+      printf "Succeeded\n" >> "makecerts.log"
+    else
+      printf "Failed\n" >> "makecerts.log"
+    fi
+}
+
+make_certs() {
+  password=passme
+  result_path=$(pwd)
+  cd $(dirname "$0")
+  script_path=$(pwd)
+  cd "${result_path}"
+  mkdir "tmp/"
+  rm -rf "../certs"
+
+# OpenSSL settings
+  CONF="${script_path}/openssl_intermediate.cnf"
+  if test -n "$1"
+    then
+      OPENSSL="$1/bin/openssl"
+      export LD_LIBRARY_PATH="$1/lib:$1/lib64"
+    else
+      OPENSSL=openssl
+    fi
+
+  mkdir "CA/" 2>> "makecerts.log" 1>&2
+  touch "CA/index.txt"
+  echo -n "unique_subject = no" > "CA/index.txt.attr"
+  $OPENSSL rand -hex 16 > "CA/serial"
+  $OPENSSL rand -hex 16 > "tsa-serial"
+  echo 1001 > "CA/crlnumber"
+  date > "makecerts.log"
+  "$OPENSSL" version 2>> "makecerts.log" 1>&2
+  echo -n "$password" > tmp/password.txt
+
+  printf "\nGenerate root CA certificate\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out CA/CA.key \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_root.cnf"
+    "$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key CA/CA.key -out tmp/CACert.pem \
+        -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA" \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out CA/intermediate.key \
+        2>> "makecerts.log" 1>&2
+    TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_intermediate.cnf"
+    "$OPENSSL" req -config "$CONF" -new -key CA/intermediate.key -out CA/intermediate.csr \
+        -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+  TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_root.cnf"
+    "$OPENSSL" ca -config "$CONF" -batch -in CA/intermediate.csr -out CA/intermediate.cer \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+  "$OPENSSL" x509 -in CA/intermediate.cer -out tmp/intermediate.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -des3 -out CA/private.key -passout pass:"$password" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  cat CA/private.key >> tmp/keyp.pem 2>> "makecerts.log"
+  test_result $?
+
+  printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log"
+  "$OPENSSL" rsa -in CA/private.key -passin pass:"$password" -out tmp/key.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate a certificate to revoke\n" >> "makecerts.log"
+  "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/revoked.csr \
+      -subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" ca -config "$CONF" -batch -in CA/revoked.csr -out CA/revoked.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in CA/revoked.cer -out tmp/revoked.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nRevoke above certificate\n" >> "makecerts.log"
+  "$OPENSSL" ca -config "$CONF" -revoke CA/revoked.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log"
+  cat tmp/intermediate.pem >> tmp/revoked.pem 2>> "makecerts.log"
+  test_result $?
+
+  printf "\nGenerate CRL file\n" >> "makecerts.log"
+  TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_intermediate.cnf"
+    "$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/CACertCRL.pem \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nConvert revoked certificate to SPC format\n" >> "makecerts.log"
+  "$OPENSSL" crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out CA/cross.key \
+      2>> "makecerts.log" 1>&2
+  TZ=GMT faketime -f '@2018-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_intermediate.cnf"
+    "$OPENSSL" req -config "$CONF" -new -x509 -days 900 -key CA/cross.key -out tmp/crosscert.pem \
+       -subj "/C=PL/O=osslsigncode/OU=CSP/CN=crosscert/emailAddress=osslsigncode@example.com" \
+       2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nGenerate code signing certificate\n" >> "makecerts.log"
+  "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/cert.csr \
+      -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" ca -config "$CONF" -batch -in CA/cert.csr -out CA/cert.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in CA/cert.cer -out tmp/cert.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nConvert the key to DER format\n" >> "makecerts.log"
+  "$OPENSSL" rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:"$password" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nConvert the key to PVK format\n" >> "makecerts.log"
+  "$OPENSSL" rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nConvert the certificate to DER format\n" >> "makecerts.log"
+  "$OPENSSL" x509 -in tmp/cert.pem -outform DER -out tmp/cert.der \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log"
+  cat tmp/intermediate.pem >> tmp/cert.pem 2>> "makecerts.log"
+  test_result $?
+
+  printf "\nConvert the certificate to SPC format\n" >> "makecerts.log"
+  "$OPENSSL" crl2pkcs7 -nocrl -certfile tmp/cert.pem -outform DER -out tmp/cert.spc \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nConvert the certificate and the key into a PKCS#12 container\n" >> "makecerts.log"
+  "$OPENSSL" pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/cert.p12 -passout pass:"$password" \
+      -keypbe aes-256-cbc -certpbe aes-256-cbc \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate expired certificate\n" >> "makecerts.log"
+  "$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/expired.csr \
+      -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Expired/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" ca -config "$CONF" -enddate "190101000000Z" -batch -in CA/expired.csr -out CA/expired.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in CA/expired.cer -out tmp/expired.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nAttach intermediate certificate to expired certificate\n" >> "makecerts.log"
+  cat tmp/intermediate.pem >> tmp/expired.pem 2>> "makecerts.log"
+  test_result $?
+
+  printf "\nGenerate Root CA TSA certificate\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out CA/TSACA.key \
+      2>> "makecerts.log" 1>&2
+  TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_tsa_root.cnf"
+    "$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key CA/TSACA.key -out tmp/TSACA.pem \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nGenerate TSA certificate\n" >> "makecerts.log"
+  CONF="${script_path}/openssl_tsa.cnf"
+  "$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA.key -out CA/TSA.csr \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  CONF="${script_path}/openssl_tsa_root.cnf"
+  "$OPENSSL" ca -config "$CONF" -batch -in CA/TSA.csr -out CA/TSA.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in CA/TSA.cer -out tmp/TSA.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nSave the chain to be included in the TSA response\n" >> "makecerts.log"
+  cat tmp/TSA.pem tmp/TSACA.pem > tmp/tsa-chain.pem 2>> "makecerts.log"
+
+# copy new files
+  if test -s tmp/intermediate.pem -a -s tmp/CACert.pem -a -s tmp/CACertCRL.pem \
+      -a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \
+      -a -s tmp/cert.pem -a -s tmp/cert.p12 -a -s tmp/cert.der -a -s tmp/cert.spc \
+      -a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem -a -s tmp/revoked.spc \
+      -a -s tmp/TSA.pem -a -s tmp/TSA.key -a -s tmp/tsa-chain.pem
+  then
+    mkdir "../certs"
+    cp tmp/* ../certs
+    printf "%s" "keys & certificates successfully generated"
+  else
+    printf "%s" "error logs ${result_path}/makecerts.log"
+    result=1
+  fi
+
+# remove the working directory
+  rm -rf "CA/"
+  rm -rf "tmp/"
+
+  exit "$result"
+}
+
+# Tests requirement
+if test -n "$(command -v faketime)"
+  then
+    make_certs "$1"
+    result=$?
+  else
+    printf "%s" "faketime not found in \$PATH, please install faketime package"
+    result=1
+  fi
+
+exit "$result"

tests/conf/openssl_intermediate.cnf

@@ -0,0 +1,72 @@
+# OpenSSL intermediate CA configuration file
+
+[ default ]
+name                            = intermediate
+default_ca                      = CA_default
+
+[ CA_default ]
+# Directory and file locations
+dir                             = .
+certs                           = $dir/CA
+crl_dir                         = $dir/CA
+new_certs_dir                   = $dir/CA
+database                        = $dir/CA/index.txt
+serial                          = $dir/CA/serial
+rand_serial                     = yes
+private_key                     = $dir/CA/$name.key
+certificate                     = $dir/tmp/$name.pem
+crl_extensions                  = crl_ext
+default_md                      = sha256
+preserve                        = no
+policy                          = policy_loose
+default_startdate               = 180101000000Z
+default_enddate                 = 241231000000Z
+x509_extensions                 = v3_req
+email_in_dn                     = yes
+default_days                    = 2200
+
+[ req ]
+# Options for the `req` tool
+encrypt_key                     = no
+default_bits                    = 2048
+default_md                      = sha256
+string_mask                     = utf8only
+distinguished_name              = req_distinguished_name
+x509_extensions                 = usr_extensions
+
+[ crl_ext ]
+# Extension for CRLs
+authorityKeyIdentifier          = keyid:always
+
+[ usr_extensions ]
+# Extension to add when the -x509 option is used
+basicConstraints                = CA:FALSE
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer
+extendedKeyUsage                = codeSigning
+
+[ v3_req ]
+basicConstraints                = CA:FALSE
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer
+extendedKeyUsage                = codeSigning
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName                     = optional
+stateOrProvinceName             = optional
+localityName                    = optional
+organizationName                = optional
+organizationalUnitName          = optional
+commonName                      = supplied
+emailAddress                    = optional
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address

tests/conf/openssl_root.cnf

@@ -0,0 +1,65 @@
+# OpenSSL root CA configuration file
+
+[ ca ]
+default_ca                      = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir                             = .
+certs                           = $dir/CA
+crl_dir                         = $dir/CA
+new_certs_dir                   = $dir/CA
+database                        = $dir/CA/index.txt
+serial                          = $dir/CA/serial
+rand_serial                     = yes
+private_key                     = $dir/CA/CA.key
+certificate                     = $dir/tmp/CACert.pem
+crl_extensions                  = crl_ext
+default_md                      = sha256
+preserve                        = no
+policy                          = policy_match
+default_startdate               = 180101000000Z
+default_enddate                 = 260101000000Z
+x509_extensions                 = v3_intermediate_ca
+email_in_dn                     = yes
+default_days                    = 3000
+unique_subject                  = no
+
+[ req ]
+# Options for the `req` tool
+encrypt_key                     = no
+default_bits                    = 2048
+default_md                      = sha256
+string_mask                     = utf8only
+x509_extensions                 = ca_extensions
+distinguished_name              = req_distinguished_name
+
+[ ca_extensions ]
+# Extension to add when the -x509 option is used
+basicConstraints                = critical, CA:true
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always,issuer
+keyUsage                        = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`)
+basicConstraints                = critical, CA:true, pathlen:0
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always,issuer
+keyUsage                        = critical, digitalSignature, cRLSign, keyCertSign
+
+[ policy_match ]
+countryName                     = match
+organizationName                = match
+organizationalUnitName          = optional
+commonName                      = supplied
+emailAddress                    = optional
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address

tests/conf/openssl_tsa.cnf

@@ -0,0 +1,46 @@
+# OpenSSL Timestamp Authority configuration file
+
+oid_section                     = new_oids
+
+[ new_oids ]
+tsa_policy1                     = 1.2.3.4.1
+tsa_policy2                     = 1.2.3.4.5.6
+tsa_policy3                     = 1.2.3.4.5.7
+
+[ req ]
+# Options for the `req` tool
+default_bits                    = 2048
+encrypt_key                     = yes
+default_md                      = sha256
+utf8                            = yes
+string_mask                     = utf8only
+prompt                          = no
+distinguished_name              = ca_distinguished_name
+
+[ ca_distinguished_name ]
+countryName                     = "PL"
+organizationName                = "osslsigncode"
+organizationalUnitName          = "Timestamp Authority"
+commonName                      = "Test TSA"
+
+
+# Time Stamping Authority command "openssl-ts"
+
+[ tsa ]
+default_tsa                     = tsa_config
+
+[ tsa_config ]
+dir                             = ./Testing/certs
+signer_cert                     = $dir/TSA.pem
+signer_key                      = $dir/TSA.key
+certs                           = $dir/tsa-chain.pem
+serial                          = $dir/tsa-serial
+default_policy                  = tsa_policy1
+other_policies                  = tsa_policy2, tsa_policy3
+signer_digest                   = sha256
+digests                         = sha256, sha384, sha512
+accuracy                        = secs:1, millisecs:500, microsecs:100
+ordering                        = yes
+tsa_name                        = yes
+ess_cert_id_chain               = yes
+ess_cert_id_alg                 = sha256

tests/conf/openssl_tsa_root.cnf

@@ -0,0 +1,83 @@
+# OpenSSL Root Timestamp Authority configuration file
+
+[ default ]
+name                            = TSACA
+domain_suffix                   = timestampauthority.com
+aia_url                         = http://$name.$domain_suffix/$name.crt
+crl_url                         = http://$name.$domain_suffix/$name.crl
+ocsp_url                        = http://ocsp.$name.$domain_suffix:9080
+name_opt                        = utf8, esc_ctrl, multiline, lname, align
+default_ca                      = CA_default
+
+[ CA_default ]
+dir                             = .
+certs                           = $dir/CA
+crl_dir                         = $dir/CA
+new_certs_dir                   = $dir/CA
+database                        = $dir/CA/index.txt
+serial                          = $dir/CA/serial
+crlnumber                       = $dir/CA/crlnumber
+rand_serial                     = yes
+private_key                     = $dir/CA/$name.key
+certificate                     = $dir/tmp/$name.pem
+default_md                      = sha256
+default_days                    = 3650
+default_crl_days                = 365
+policy                          = policy_match
+default_startdate               = 20180101000000Z
+default_enddate                 = 20280101000000Z
+unique_subject                  = no
+x509_extensions                 = tsa_extensions
+
+[ policy_match ]
+countryName                     = match
+stateOrProvinceName             = optional
+organizationName                = match
+organizationalUnitName          = optional
+commonName                      = supplied
+emailAddress                    = optional
+
+[ tsa_extensions ]
+basicConstraints                = critical, CA:false
+extendedKeyUsage                = critical, timeStamping
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always
+authorityInfoAccess             = @issuer_info
+crlDistributionPoints           = @crl_info
+nameConstraints                 = @name_constraints
+
+[ issuer_info ]
+caIssuers;URI.0                 = $aia_url
+OCSP;URI.0                      = $ocsp_url
+
+[ crl_info ]
+URI.0                           = $crl_url
+
+[ name_constraints ]
+permitted;DNS.0=test.com
+permitted;DNS.1=test.org
+excluded;IP.0=0.0.0.0/0.0.0.0
+excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
+
+[ req ]
+# Options for the `req` tool
+default_bits                    = 2048
+encrypt_key                     = yes
+default_md                      = sha256
+utf8                            = yes
+string_mask                     = utf8only
+prompt                          = no
+distinguished_name              = ca_distinguished_name
+x509_extensions                 = ca_extensions
+
+[ ca_distinguished_name ]
+countryName                     = "PL"
+organizationName                = "osslsigncode"
+organizationalUnitName          = "Timestamp Authority Root CA"
+commonName                      = "TSA Root CA"
+
+[ ca_extensions ]
+# Extension to add when the -x509 option is used
+basicConstraints                = critical, CA:true
+subjectKeyIdentifier            = hash
+keyUsage                        = critical, keyCertSign, cRLSign

tests/sources/a

@@ -0,0 +1 @@
+aaa

tests/sources/b

@@ -0,0 +1 @@
+bbb

tests/sources/c

@@ -0,0 +1 @@
+ccc

tests/sources/myapp.c

@@ -0,0 +1,6 @@
+#include <stdio.h>
+
+void main(void)
+{
+    printf("Hello world!");
+}

tests/sources/sample.wxs

@@ -0,0 +1,33 @@
+<?xml version='1.0' encoding='windows-1252'?>
+<!--https://wiki.gnome.org/msitools/HowTo/CreateMSI-->
+<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
+  <Product Name='Foobar 1.0' Id='ABCDDCBA-86C7-4D14-AEC0-86416A69ABDE' UpgradeCode='ABCDDCBA-7349-453F-94F6-BCB5110BA4FD'
+    Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
+
+    <Package Id='*' Keywords='Installer' Description="Acme's Foobar 1.0 Installer"
+      Comments='Foobar is a registered trademark of Acme Ltd.' Manufacturer='Acme Ltd.'
+      InstallerVersion='100' Languages='1033' Compressed='yes' SummaryCodepage='1252' />
+
+    <Media Id='1' Cabinet='Sample.cab' EmbedCab='yes' DiskPrompt="CD-ROM #1" />
+    <Property Id='DiskPrompt' Value="Acme's Foobar 1.0 Installation [1]" />
+
+    <Directory Id='TARGETDIR' Name='SourceDir'>
+      <Directory Id='ProgramFilesFolder' Name='PFiles'>
+        <Directory Id='Acme' Name='Acme'>
+          <Directory Id='INSTALLDIR' Name='Foobar 1.0'>
+
+            <Component Id='MainExecutable' Guid='ABCDDCBA-83F1-4F22-985B-FDB3C8ABD471'>
+              <File Id='FoobarEXE' Name='FoobarAppl10.exe' DiskId='1' Source='FoobarAppl10.exe' KeyPath='yes'/>
+            </Component>
+
+          </Directory>
+        </Directory>
+      </Directory>
+    </Directory>
+
+    <Feature Id='Complete' Level='1'>
+      <ComponentRef Id='MainExecutable' />
+    </Feature>
+
+  </Product>
+</Wix>

tests/testsign.sh

@@ -1,74 +0,0 @@
-#!/bin/sh
-
-rm -f putty*.exe
-
-PUTTY_URL="http://the.earth.li/~sgtatham/putty/0.64/x86/putty.exe"
-[ -f putty.exe ] || wget -q -O putty.exe $PUTTY_URL
-[ -f putty.exe ] || curl -o putty.exe $PUTTY_URL
-
-if [ ! -f putty.exe ]; then
-    echo "FAIL: Couldn't download putty.exe"
-    exit 1
-fi
-
-rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem
-
-keytool -genkey \
-	-alias selfsigned -keysize 2048 -keyalg RSA -keypass passme -storepass passme -keystore key.ks << EOF
-John Doe
-ACME In
-ACME
-Springfield
-LaLaLand
-SE
-yes
-EOF
-
-
-echo "Converting key/cert to PKCS12 container"
-keytool -importkeystore \
-	-srckeystore key.ks -srcstoretype JKS -srckeypass passme -srcstorepass passme -srcalias selfsigned \
-	-destkeystore key.p12 -deststoretype PKCS12 -destkeypass passme -deststorepass passme
-
-rm -f key.ks
-
-echo "Converting key to PEM format"
-openssl pkcs12 -in key.p12 -passin pass:passme -nocerts -nodes -out key.pem
-echo "Converting key to PEM format (with password)"
-openssl rsa -in key.pem -out keyp.pem -passout pass:passme
-echo "Converting key to DER format"
-openssl rsa -in key.pem -outform DER -out key.der -passout pass:passme
-echo "Converting key to PVK format"
-openssl rsa -in key.pem -outform PVK -pvk-strong -out key.pvk -passout pass:passme
-
-echo "Converting cert to PEM format"
-openssl pkcs12 -in key.p12 -passin pass:passme -nokeys -out cert.pem
-echo "Converting cert to SPC format"
-openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc
-
-
-../osslsigncode sign -spc cert.spc -key key.pem putty.exe putty1.exe
-../osslsigncode sign -certs cert.spc -key keyp.pem -pass passme putty.exe putty2.exe
-../osslsigncode sign -certs cert.pem -key keyp.pem -pass passme putty.exe putty3.exe
-../osslsigncode sign -certs cert.spc -key key.der putty.exe putty4.exe
-../osslsigncode sign -pkcs12 key.p12 -pass passme putty.exe putty5.exe
-../osslsigncode sign -certs cert.spc -key key.pvk -pass passme putty.exe putty6.exe
-
-rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem
-
-echo ""
-echo ""
-
-check=`sha1sum putty[1-9]*.exe | cut -d' ' -f1 | uniq | wc -l`
-cmp putty1.exe putty2.exe && \
-	cmp putty2.exe putty3.exe && \
-	cmp putty3.exe putty4.exe && \
-	cmp putty4.exe putty5.exe && \
-	cmp putty5.exe putty6.exe
-if [ $? -ne 0 ]; then
-	echo "Failure is not an option."
-else
-	echo "Yes, it works."
-fi
-
-

tests/tsa_server.py

@@ -0,0 +1,151 @@
+"""Implementation of a Time Stamping Authority HTTP server"""
+
+import argparse
+import contextlib
+import os
+import pathlib
+import subprocess
+import sys
+import threading
+from http.server import BaseHTTPRequestHandler, HTTPServer
+
+RESULT_PATH = os.getcwd()
+FILES_PATH = os.path.join(RESULT_PATH, "./Testing/files/")
+CERTS_PATH = os.path.join(RESULT_PATH, "./Testing/certs/")
+CONF_PATH = os.path.join(RESULT_PATH, "./Testing/conf/")
+DEFAULT_IN = os.path.join(FILES_PATH, "./unsigned.exe")
+DEFAULT_OUT = os.path.join(FILES_PATH, "./ts.exe")
+DEFAULT_CERT = os.path.join(CERTS_PATH, "./cert.pem")
+DEFAULT_KEY = os.path.join(CERTS_PATH, "./key.pem")
+DEFAULT_CROSSCERT = os.path.join(CERTS_PATH, "./crosscert.pem")
+OPENSSL_CONF = os.path.join(CONF_PATH, "./openssl_tsa.cnf")
+REQUEST = os.path.join(FILES_PATH, "./jreq.tsq")
+RESPONS = os.path.join(FILES_PATH, "./jresp.tsr")
+
+if os.path.exists(os.path.join(RESULT_PATH, "./Release/")):
+    OSSLSIGNCODE_FILE = os.path.join(RESULT_PATH, "./Release/osslsigncode")
+elif os.path.exists(os.path.join(RESULT_PATH, "./Debug/")):
+    OSSLSIGNCODE_FILE = os.path.join(RESULT_PATH, "./Debug/osslsigncode")
+else:
+    OSSLSIGNCODE_FILE = os.path.join(RESULT_PATH, "./osslsigncode")
+
+DEFAULT_OPENSSL = ["openssl", "ts",
+    "-reply", "-config", OPENSSL_CONF,
+    "-passin", "pass:passme",
+    "-queryfile", REQUEST,
+    "-out", RESPONS]
+
+
+class RequestHandler(BaseHTTPRequestHandler):
+    """Handle the HTTP POST request that arrive at the server"""
+
+    def do_POST(self):
+        """"Serves the POST request type"""
+        try:
+            content_length = int(self.headers['Content-Length'])
+            post_data = self.rfile.read(content_length)
+            with open(REQUEST, mode="wb") as file:
+                file.write(post_data)
+            openssl = subprocess.run(DEFAULT_OPENSSL, check=True, text=True)
+            openssl.check_returncode()
+            self.send_response(200)
+            self.send_header("Content-type", "application/timestamp-reply")
+            self.end_headers()
+            resp_data = None
+            with open(RESPONS, mode="rb") as file:
+                resp_data = file.read()
+            self.wfile.write(resp_data)
+        except Exception as err: # pylint: disable=broad-except
+            print(f"HTTP POST request error: {err}")
+
+
+class HttpServerThread():
+    """TSA server thread handler"""
+
+    def __init__(self):
+        self.server = None
+        self.server_thread = None
+
+    def start_server(self) -> (str, int):
+        """Starting TSA server on localhost and a first available port"""
+        self.server = HTTPServer(("127.0.0.1", 0), RequestHandler)
+        self.server_thread = threading.Thread(target=self.server.serve_forever)
+        self.server_thread.start()
+        hostname, port = self.server.server_address[:2]
+        print(f"Timestamp server started, URL: http://{hostname}:{port}")
+        return hostname, port
+
+    def shut_down(self):
+        """Shutting down the server"""
+        if self.server:
+            self.server.shutdown()
+            self.server_thread.join()
+        print("Server is down")
+
+
+def parse_args() -> str:
+    """Parse the command-line arguments."""
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "--input",
+        type=pathlib.Path,
+        default=DEFAULT_IN,
+        help="input file"
+    )
+    parser.add_argument(
+        "--output",
+        type=pathlib.Path,
+        default=DEFAULT_OUT,
+        help="output file"
+    )
+    parser.add_argument(
+        "--certs",
+        type=pathlib.Path,
+        default=DEFAULT_CERT,
+        help="signing certificate"
+    )
+    parser.add_argument(
+        "--key",
+        type=pathlib.Path,
+        default=DEFAULT_KEY,
+        help="private key"
+    )
+    parser.add_argument(
+        "--crosscert",
+        type=pathlib.Path,
+        default=DEFAULT_CROSSCERT,
+        help="additional certificates"
+    )
+    args = parser.parse_args()
+    program = [OSSLSIGNCODE_FILE, "sign", "-in", args.input, "-out", args.output,
+        "-certs", args.certs, "-key", args.key,
+        "-addUnauthenticatedBlob", "-add-msi-dse", "-comm", "-ph", "-jp", "low",
+        "-h", "sha384", "-time", "1556668800", "-i", "https://www.osslsigncode.com/",
+        "-n", "osslsigncode", "-ac", args.crosscert, "-ts"]
+    return program
+
+def main() -> None:
+    """Main program"""
+    ret = 0
+    program = parse_args()
+    server = HttpServerThread()
+    hostname, port = server.start_server()
+    program.append(f"{hostname}:{port}")
+    try:
+        osslsigncode = subprocess.run(program, check=True, text=True)
+        osslsigncode.check_returncode()
+    except subprocess.CalledProcessError as err:
+        ret = err.returncode
+    except OSError as err:
+        print(f"OSError: {err}")
+        ret = err.errno
+    except Exception as err: # pylint: disable=broad-except
+        print(f"osslsigncode error: {err}")
+        ret = 1
+    finally:
+        server.shut_down()
+        sys.exit(ret)
+
+
+if __name__ == '__main__':
+    main()

vcpkg.json

@@ -0,0 +1,12 @@
+{
+    "name": "osslsigncode",
+    "version-string": "2.4",
+    "dependencies": [
+        "openssl",
+        "curl",
+        {
+            "name": "python3",
+            "platform": "!(windows & static) & !osx"
+        }
+    ]
+}