nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-07-03 19:52:47 -05:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: nhyatt:2.0
Branches Tags
nhyatt:master
nhyatt:2.10 nhyatt:2.9 nhyatt:2.8 nhyatt:2.7 nhyatt:2.6 nhyatt:2.5 nhyatt:2.4 nhyatt:2.3 nhyatt:2.2 nhyatt:2.1 nhyatt:2.0
..
compare: nhyatt:2.2
Branches Tags
nhyatt:master
nhyatt:2.10 nhyatt:2.9 nhyatt:2.8 nhyatt:2.7 nhyatt:2.6 nhyatt:2.5 nhyatt:2.4 nhyatt:2.3 nhyatt:2.2 nhyatt:2.1 nhyatt:2.0

184 Commits
2.0 ... 2.2

Author SHA1 Message Date
Michał Trojnara
8c37b00d83 release 2.2 
Signed-off-by: Michał Trojnara <Michal.Trojnara@stunnel.org>
 2021-08-15 21:42:01 +02:00
aesx86
f2559972f3 fix gcc command line 2021-07-06 08:48:43 +02:00
Michał Trojnara
057d38ee76 Additional test dependency checks 2021-06-27 10:10:01 +02:00
Michał Trojnara
ed8ee4194b typo 2021-06-19 12:29:05 +02:00
Michał Trojnara
c64add388b Separate section for bootstrapping 2021-06-13 21:57:09 +02:00
sebaxakerhtc
2912eb054c missing autoconf for MacOS 2021-06-13 20:47:38 +02:00
olszomal
de05123adc update documentation 2021-06-09 23:36:17 +02:00
olszomal
180b352102 tests improvements 2021-06-09 23:36:17 +02:00
olszomal
72de045151 Add the bootstrap file 2021-06-09 23:36:17 +02:00
olszomal
95d77c9b98 help and version commands return code 0 (success) 2021-06-09 23:34:57 +02:00
olszomal
64e7e26eba free up BIO outdata only for MSI files 2021-05-30 22:14:35 +02:00
olszomal
e26a50a618 clarifying comments 2021-05-30 22:13:34 +02:00
olszomal
d2aa35a7f6 verify the content blob with the type set to OCTET STRING 2021-05-30 22:13:34 +02:00
Michał Trojnara
1c175c4339 Merge pull request #90 from olszomal/style 
Handle unsuccessful termination exit(-1)
 2021-05-04 09:40:12 +02:00
olszomal
3dad092be9 Merge branch 'master' into style 2021-05-04 09:20:12 +02:00
olszomal
de0bf341a5 free up the SIGNATURE structure 2021-05-04 09:02:20 +02:00
olszomal
4d5052c3f4 remove trailing newlines 2021-05-04 08:51:07 +02:00
olszomal
04823393f2 renamed options: 
"-untrusted" --> "-TSA-CAfile"
"-CRLuntrusted" --> "-TSA-CRLfile"
 2021-05-04 08:49:39 +02:00
olszomal
cfb897a902 handle unsuccessful termination exit (-1) 2021-04-26 11:35:19 +02:00
olszomal
8b064ca814 sizeof style 2021-04-26 10:48:53 +02:00
egonk
1bdfcc8940 fix crl nullptr crash in read_certfile 2021-04-25 21:59:36 +02:00
olszomal
bcdc5b7030 fixed width integer types 2021-04-25 21:43:00 +02:00
olszomal
3908e874a4 sizeof style 2021-04-25 21:38:57 +02:00
olszomal
a161efdb25 fix buffer overflow 2021-04-25 21:38:57 +02:00
olszomal
b01a2f5cd7 C89 standard compatibility 2021-04-25 21:38:57 +02:00
olszomal
b6e6165782 moral rights 2021-04-25 21:38:57 +02:00
olszomal
9b3697ad76 update changelog 2021-04-25 21:38:57 +02:00
olszomal
758003156e MSI file signing support 
DIFAT sectors are not supported
 2021-04-25 21:38:57 +02:00
olszomal
4f590989ce remove libgsf library dependency 
MSI file verify and remove-signature support
 2021-04-25 21:38:57 +02:00
olszomal
6df4c12624 verify msi metadata 2021-04-25 21:38:57 +02:00
Michał Trojnara
315357f092 Update a dead link in the documentation 
Closes #84
 2021-04-05 20:32:38 +02:00
olszomal
c0d9569c4f disable GSF_CAN_READ_MSI_METADATA 2021-01-11 21:21:02 +01:00
olszomal
352ef49b3a unicode description support 2021-01-11 21:20:18 +01:00
olszomal
f004aa3f48 new testing framework 2021-01-11 21:20:18 +01:00
olszomal
6edd56bfac Print the message digest algorithm from the signer info structure 2021-01-11 21:20:18 +01:00
olszomal
67e4edfe45 Print authenticated attributes: 
- message digest
- signing time
- URL description
- text description
- level of permissions for CAB files
 2021-01-11 21:20:18 +01:00
olszomal
5ad5260351 update copyright year 2021-01-11 21:20:18 +01:00
tdyer
790abf66da update documentation for timestamp server 
- verisign timestamp server is no longer in service
   update docs to point to alternative service
 2021-01-06 21:25:41 +01:00
olszomal
1dc209baa8 fix the default end date and extended key usage for test certificates 2021-01-06 21:24:40 +01:00
olszomal
2f011cfc31 p11engine and p11module need to be orthogonal (independent of each other) 2021-01-06 21:24:05 +01:00
olszomal
e8fe3e934d code simplification 2021-01-06 21:20:56 +01:00
olszomal
f8849b8048 new option -c specifies the catalog file by name 2021-01-06 21:20:56 +01:00
olszomal
86d593f264 Create a MsCtlContent structure to decode the Microsoft MS_CTL_OBJID object 2021-01-06 21:20:56 +01:00
olszomal
5e064233a3 increase the maximum size of supported CAT files 2020-11-10 04:28:43 +01:00
olszomal
fb1bc06440 CAT file tests 2020-11-02 10:11:10 +01:00
olszomal
80d5948eeb CAT files support 2020-11-02 10:11:10 +01:00
olszomal
0d6d0071d3 sort Microsoft and Generic OIDs 2020-11-02 10:11:10 +01:00
Artem Polishchuk
250521e07f fix(tests): swallows the exit code 2020-10-15 18:15:59 +02:00
Michal Trojnara
6ef01c935a release 2.1 
Signed-off-by: Michal Trojnara <Michal.Trojnara@stunnel.org>
 2020-10-11 21:33:58 +02:00
olszomal
f336130c0d Add timestamp (#60) 
* make authenticode timestamping override any previous timestamp
* simplify add_timestamp()
 2020-10-08 08:33:47 +02:00
olszomal
28904e8d1a fix memory leak 2020-10-04 22:05:28 +02:00
olszomal
85b0eb6fa0 improve maketest 2020-10-04 22:05:28 +02:00
olszomal
858e9031f0 find the signer's certificate in the certificate chain 2020-10-04 22:05:28 +02:00
olszomal
fe028d12f4 additional CRLs (supplied as part of a PKCS#7 structure) support 2020-10-04 22:05:28 +02:00
olszomal
0bb54d9f51 new option -pkcs11cert identifies a certificate in the token 
fix and simplify read_crypto_params()
 2020-10-04 22:05:28 +02:00
olszomal
ddb2dc7b15 fix MSI memory leaks 2020-09-12 14:07:10 +02:00
olszomal
36708d0ee5 fix get_clrdp_url() 2020-09-12 14:07:10 +02:00
olszomal
0f6e0e8523 remove deprecated functions 2020-09-12 14:07:10 +02:00
olszomal
4fa102b5d1 output format 2020-08-22 20:00:58 +02:00
Michał Trojnara
01b3fb5b54 Merge pull request #56 from olszomal/crl 
Fix timestamp and CRL verification
 2020-08-02 20:26:38 +02:00
olszomal
548c78e212 print CRL distribution point 2020-07-24 14:14:00 +02:00
olszomal
44a773401c set the certificate expiration date for CRL verification tests 2020-07-24 14:00:49 +02:00
olszomal
8f56f3d620 fix CRL verification 2020-07-24 14:00:18 +02:00
olszomal
5433770ce5 timestamp verification 2020-07-09 10:25:00 +02:00
olszomal
3b21e54900 code simplification 2020-07-08 22:16:50 +02:00
olszomal
2f5e336b89 new feature: multiple nested signature 2020-07-08 22:16:50 +02:00
olszomal
ff796106ad verify multiple nested signatures 2020-07-08 22:16:50 +02:00
olszomal
293d92b0b0 fixed MSI memory leak 2020-07-08 22:16:50 +02:00
olszomal
9be7753a8f fix error handling 2020-07-08 22:16:50 +02:00
olszomal
c0d65b2441 multiple signature test 2020-07-08 22:16:50 +02:00
olszomal
4f71fefb79 sign with multiple signature 2020-07-08 22:16:50 +02:00
olszomal
cfaa37108d Convert PKCS7 countersignature into CMS_ContentInfo structure 2020-06-21 19:47:34 +02:00
olszomal
e4295cc00c fixed memory leaks 2020-06-21 19:46:03 +02:00
olszomal
48dc052540 initialize crypto params 2020-06-21 19:46:03 +02:00
Michal Trojnara
7dd36a5c24 Initial change log for 2.1 release 2020-06-07 18:34:49 +02:00
Michal Trojnara
0c9f53d30c Simplified ASN1_GetTimeT() 
This commit also drops support for OpenSSL 1.1.0
(end of life for that release was August 31, 2018).
 2020-06-07 17:54:10 +02:00
olszomal
772a878182 CMS structure support 2020-06-07 17:31:10 +02:00
Matt Hauck
1670a07089 Finalize pkcs11 engine 
In order to properly finalize the pkcs11 module, we need to call
ENGINE_finish on the pkcs11 `ENGINE*` object.
 2020-06-03 09:49:03 +02:00
Michał Trojnara
cf331d0064 Merge pull request #41 from olszomal/tests 
Improved tests
 2020-05-18 08:06:21 +02:00
Michał Trojnara
826df059d1 Merge pull request #39 from olszomal/windows 
Windows support
 2020-05-18 08:05:44 +02:00
olszomal
6cb3ae863e print timestamp error 2020-05-08 14:26:27 +02:00
olszomal
8aaa8faf5c enable the verbose option for the add command 2020-05-07 10:54:01 +02:00
olszomal
2c919cce9f more TSA servers in tests 2020-05-07 10:43:57 +02:00
olszomal
8d78e07528 Windows install notes 2020-05-05 14:58:49 +02:00
olszomal
56a1413cb5 how to use PKCS11 token 2020-05-05 14:48:48 +02:00
olszomal
82afda3ef9 msi support for Windows 2020-04-22 10:26:32 +02:00
olszomal
dfad489090 CAfile/untrusted file must exist to verify the signature 2020-04-17 15:41:33 +02:00
olszomal
c786ca873c don't overwrite an existing file 2020-04-17 14:48:32 +02:00
Michal Trojnara
3b9ce00901 Typo 2020-04-16 15:36:46 +02:00
Michal Trojnara
8cafe0a102 Windows workaround for the #9 fix 2020-04-16 14:24:09 +02:00
Michał Trojnara
146b79bd04 Merge pull request #38 from olszomal/cabfiles 
Code cleanup
 2020-04-11 11:19:03 +02:00
olszomal
e59e922d32 last merge error - X509_PURPOSE_ANY 2020-04-09 10:45:25 +02:00
olszomal
e2f984f5c9 attach DER signature 2020-04-08 14:21:53 +02:00
olszomal
cafa23819b more memory leaks fixed 2020-04-07 15:49:00 +02:00
olszomal
235448d839 fixed memory leaks 2020-04-03 15:12:43 +02:00
olszomal
077783aa2a signer extended key usage XKU_CODE_SIGN 2020-04-03 12:31:59 +02:00
olszomal
7c39f73ff6 memory cleanup 2020-04-03 11:44:56 +02:00
olszomal
1e4681980f print osslsigncode version and usage 2020-04-02 12:18:37 +02:00
olszomal
26d35cee40 C89 standard compatibility 2020-04-02 12:03:06 +02:00
olszomal
a79c0c6426 is_indirect_data_signature() 2020-04-01 13:25:58 +02:00
olszomal
3ae025a133 code cleaning 2020-03-31 12:55:09 +02:00
olszomal
6383166189 enable MsiDigitalSignatureEx 2020-03-27 15:00:47 +01:00
olszomal
0692db5ed3 resolved merge conflict by incorporating both suggestions 2020-03-27 14:28:04 +01:00
olszomal
ee2d65d354 msi_calc_MsiDigitalSignatureEx() with GSF_PARAMS struct 2020-03-27 14:04:14 +01:00
olszomal
3635d586fb create pkcs7 object and prepare file to sign 2020-03-27 13:51:59 +01:00
Michał Trojnara
2830ab5795 Merge pull request #36 from olszomal/cabverify 
CAB files support
- Extracting, attaching, removing and verifying the signature
- Signing with the nested signature
- Enable tests for CAB files
 2020-03-27 06:24:48 +01:00
olszomal
ee17261eaf resolved merge conflict 2020-03-26 11:24:24 +01:00
olszomal
77493d5cde input options and input file header validation 2020-03-26 10:38:02 +01:00
olszomal
cdd2a23bf1 check attached data 2020-03-26 09:16:18 +01:00
olszomal
20236fb677 Verification purpose and nested signature (#35) 
- Require "Code Signing" extended key usage for authenticode verification.
 - Only check for the X509_PURPOSE_CRL_SIGN purpose in CRL verification.
 - Only require one valid signature for a nested signature.
 2020-03-25 21:00:47 +01:00
olszomal
18b19cbe5d Update additional data size 2020-03-25 14:06:36 +01:00
olszomal
e570907a59 Append signature to outfile 2020-03-25 13:52:08 +01:00
olszomal
9f6af8becb set_indirect_data_blob() 2020-03-24 14:44:03 +01:00
olszomal
b7f0461311 page hash verification 2020-03-24 14:04:37 +01:00
olszomal
1715a02cd8 get_indirect_data_blob() with options and header structures 2020-03-24 13:59:38 +01:00
olszomal
536cf9670b get_file_type() 2020-03-17 11:17:45 +01:00
olszomal
0f35d25791 CRYPTO_PARAMS struct 2020-03-17 11:01:37 +01:00
olszomal
f93bdc0f98 nturl/ntsurl GLOBAL_OPTIONS related to turl/tsurl 2020-03-16 14:41:21 +01:00
olszomal
6e46f71e69 main_configure() 2020-03-16 14:20:02 +01:00
olszomal
5e0f6e17a9 GLOBAL_OPTIONS struct 2020-03-16 10:32:39 +01:00
olszomal
1281dbccf1 read certificate and key 2020-03-13 12:19:42 +01:00
olszomal
9e670ea7a0 read_password 2020-03-12 15:36:40 +01:00
olszomal
29b138a667 create_new_signature() 2020-03-12 15:03:36 +01:00
olszomal
e7f0577bf3 set_signing_bob 2020-03-12 14:13:26 +01:00
olszomal
f0050d6033 MSI Digital Signatures support 2020-03-12 13:35:30 +01:00
olszomal
ccde20f8e2 FILE_HEADER struct for CAB header support 2020-03-11 09:25:27 +01:00
olszomal
787933ef53 verify_pe_header() 2020-03-10 13:26:20 +01:00
olszomal
7cd0e9d581 add jp/purpose/desc/url attribute functions 2020-03-04 15:35:48 +01:00
olszomal
889679e080 attach_sigfile() 2020-03-04 14:34:51 +01:00
olszomal
47e9a2299b attach-signature tests 2020-03-04 13:31:54 +01:00
olszomal
150d14b57c modify and verify CAB header 2020-03-04 13:28:46 +01:00
olszomal
73cf4e9540 attach to CAB file fixed 
some improvements for PE files
 2020-02-21 16:26:53 +01:00
olszomal
a56aee3c8f CAB file tests 2020-02-21 14:10:21 +01:00
olszomal
94f5e0c1bf CAB file support 2020-02-21 14:07:15 +01:00
olszomal
6bcb95e8fa file format fixes 2020-02-19 10:47:29 +01:00
olszomal
7fcf08ad75 CA bundle install path detection (#32) 2020-02-04 22:44:58 +01:00
olszomal
e7dd72c64d makecerts requirement 2020-01-30 07:09:15 +01:00
Michal Trojnara
2bb573219a Fix invocation without arguments 
Closes #29
 2020-01-25 18:41:47 +01:00
olszomal
7366df707d Help (#27) 2020-01-25 08:37:11 +01:00
olszomal
49f25a1914 CRL support with new CRLfile global option (#28) 2020-01-25 08:25:48 +01:00
olszomal
98910f675a check libcurl availability 2019-12-28 20:34:13 +01:00
olszomal
5b9f65d2f2 more tests requirements 2019-12-28 20:34:13 +01:00
olszomal
7f6ec7607f ifdef ENABLE_CURL mistake 2019-12-28 20:34:13 +01:00
olszomal
d36a10bf09 tests improvements 2019-12-28 20:34:13 +01:00
olszomal
a77ed9c9e1 new verify tests 2019-12-28 20:34:13 +01:00
olszomal
3c45de910f new test library 2019-12-28 20:34:13 +01:00
olszomal
5c0a181436 tests requirements 2019-12-28 20:34:13 +01:00
olszomal
1af321be77 make certs with faketime 2019-12-28 20:34:13 +01:00
olszomal
311f5af395 signature verification 2019-12-28 20:34:13 +01:00
Michał Trojnara
2ffa5a9d69 Signing Time code refactoring 
- Code simplification.
 - Support for the -st option while timestamps are enabled.
 - Fix for a NULL pointer dereference.
 2019-09-10 23:03:35 +02:00
Viktor Szakats
5c51cab171 reword comment 2019-09-10 22:09:45 +02:00
Viktor Szakats
c72434aa08 add option to override non-trusted time in signature 
By default the non-trusted time embedded in the signature is the
current time of the machine. This means that adding a signature
prevents from creating reproducible/deterministic binaries.

This patch resolves that by introducing the -st <unix-time> option
where a custom time can be supplied and which will be used in the
signature. By using a point in time bound to the package (e.g.
release date or timestamp of a specific file in the source package
- or just 0 to suppress the current time), it makes it possible to
create signed binaries with reproducible/deterministic, IOW
identical signatures, regardless of when the build was done. It
also makes osslsigncode behaviour closer to signtool.exe, which by
default creates deterministic signatures (by include no
non-trusted time at all.)

The patch has been used live for the last year to build curl-for-win
binaries:
  https://github.com/curl/curl-for-win/blob/master/osslsigncode.patch

It also resolves this osslsigncode bug:
  https://sourceforge.net/p/osslsigncode/bugs/8/#a59a
 2019-09-10 22:09:45 +02:00
olszomal
18810b7e0b change test for add-msi-dse option 2019-07-28 14:19:08 +02:00
olszomal
b512aa534c some options warnings 2019-07-28 14:19:08 +02:00
olszomal
de4e85f35a remove jp_medium and jp_high tests 2019-07-28 14:19:08 +02:00
olszomal
97b7002547 required packages 2019-07-28 14:15:23 +02:00
Randy Fay
dc0b2d7273 Improve build instructions for osslsigncode, fixes #12 (#15) 
fixes #12

* Switch to using PKG_CONFIG_PATH instead of LDFLAGS and CPPFLAGS
 2019-07-28 14:11:53 +02:00
Michał Trojnara
764fec5bd1 Fix password tests 2019-07-20 14:38:12 +02:00
Michał Trojnara
f39ac9caee Fixed "add" tests 
The "add" command was never supposed to copy a signature.
See afd5c5177d for details.
 2019-07-20 14:17:41 +02:00
Michał Trojnara
1121713d48 Typo 2019-07-20 13:53:50 +02:00
olszomal
00290bc363 Test improvements (#14) 
* removed pvk keys tests
* new 11_sign_nest test
* improved verify_signature()
* new tests of timestamping with the add command
 2019-07-20 12:54:46 +02:00
olszomal
62e8ffd0c9 allow timestamping with the add command 2019-07-20 12:51:23 +02:00
Michał Trojnara
891887a974 Never overwrite or unlink an existing file 
Fixes #9

The code uses the "x" file access mode flag introduced by the C11
standard (ISO/IEC 9899:2011).  It may be unsupported on Windows.
 2019-07-13 15:25:41 +02:00
olszomal
3645ba7357 New tests for osslsigncode (#11) 2019-07-13 11:41:03 +02:00
Michał Trojnara
4c44cfdd76 Fix double free 2019-07-11 20:20:47 +02:00
Jemmy Wang
6c8ec4427a Fix segmentation fault 2019-07-01 22:02:17 +02:00
Jemmy Wang
c740b097df Fix SpcPageHashLink generation 
The orginal code handles ASN1_SET improperly, which results in INVALID
page hash SpcLink.
This commit fixes the bug. osslsigncode can now generate valid
signatures with -ph (page hash) option.
 2019-07-01 22:02:17 +02:00
Reimar Döffinger
0bea1ac8f6 Ensure variable is initialized. 
It seem unnecessarily risky to leave it
uninitialized when PKCS7_free is called
on it unconditionally at the end of the
function.
 2019-04-25 00:02:33 +02:00
Michał Trojnara
12966f611a Consistent DO_EXIT_n interface 2019-04-24 06:54:44 +02:00
Reimar Döffinger
044861b323 Make -pkcs11engine option optional. (#5) 
If not specified, load all builtin engines,
most likely the pkcs11 one will be among them.
This makes the pkcs11module option much easier
to use in the most common use-cases.
 2019-04-24 06:47:53 +02:00
Michał Trojnara
bed25dcb7d Error formatting fixes 
closes #3
 2019-04-24 06:17:31 +02:00
Reimar Döffinger
8c82f76905 Remove unused Authenticode object IDs. 2019-04-23 22:55:57 +02:00
barrybingo
342518fcbe Minorfixes (#2) 
Replace legacy function
 2019-04-02 13:52:25 +02:00
Michał Trojnara
fe08daaa4f use OpenSSL memory allocation 2018-12-09 23:30:20 +01:00
Michał Trojnara
5a01658434 use tohex() for bin2hex conversion 2018-12-09 23:05:13 +01:00
Michał Trojnara
d007c03bb6 signed/unsigned conversion fixes 2018-12-09 22:51:15 +01:00
Michał Trojnara
a935479e7f fixed a few typos 2018-12-08 22:06:36 +01:00
Michał Trojnara
db559c4769 code simplification 
Avoid re-implementing common library functions.
 2018-12-08 21:55:15 +01:00
Michał Trojnara
693ac8c476 new bug reporting procedure 2018-12-08 17:07:25 +01:00
Michał Trojnara
2e9113cd41 code deduplication and cleanup 2018-12-08 16:56:29 +01:00
Michał Trojnara
a7c624d0a9 fixed OpenSSL 1.1 check to fail with OpenSSL 1.0 
closes #1
 2018-12-08 09:55:04 +01:00
Michał Trojnara
c9396c4be9 configure.ac indentation 2018-12-08 09:49:11 +01:00
Michał Trojnara
6da2a23d1f version number bump 2018-12-05 23:02:08 +01:00
Michał Trojnara
642a290343 more consistent code formatting and indentation 2018-12-05 22:59:41 +01:00
74 changed files with 9918 additions and 4235 deletions
Expand all files Collapse all files

7
.gitignore vendored
View File

@ -15,7 +15,10 @@ install-sh
missing missing
osslsigncode osslsigncode
osslsigncode.o osslsigncode.o
msi.o
stamp-h1 stamp-h1
INSTALL
COPYING
.#*# .#*#
.*.bak .*.bak
@ -40,3 +43,7 @@ stamp-h1
*~ *~
*.gz *.gz
*.bz2 *.bz2
**/*.log
!myapp.exe
*.pem

101
INSTALL.W32.md Normal file
View File

@ -0,0 +1,101 @@
# osslsigncode Windows install notes
### Building osslsigncode source with MSYS2 MinGW 64-bit and MSYS2 packages:
1) Download and install MSYS2 from https://msys2.github.io/ and follow installation instructions.
Once up and running install even mingw-w64-x86_64-gcc, mingw-w64-x86_64-curl, mingw-w64-x86_64-libgsf.
```
pacman -S mingw-w64-x86_64-gcc mingw-w64-x86_64-curl mingw-w64-x86_64-libgsf
```
mingw-w64-x86_64-openssl and mingw-w64-x86_64-zlib packages are installed with dependencies.
2) Run "MSYS2 MinGW 64-bit" and build 64-bit Windows executables.
```
cd osslsigncode-folder
x86_64-w64-mingw32-gcc osslsigncode.c msi.c -o osslsigncode.exe \
-lcrypto -lssl -lcurl -lgsf-1 -lgobject-2.0 -lglib-2.0 -lxml2 \
-I 'C:/msys64/mingw64/include/libgsf-1' \
-I 'C:/msys64/mingw64/include/glib-2.0' \
-I 'C:/msys64/mingw64/lib/glib-2.0/include' \
-D 'PACKAGE_STRING="osslsigncode 2.1.0"' \
-D 'PACKAGE_BUGREPORT="Michal.Trojnara@stunnel.org"' \
-D ENABLE_CURL \
-D WITH_GSF
```
3) Run "Command prompt" and include "c:\msys64\mingw64\bin" folder as part of the path.
```
path=%path%;c:\msys64\mingw64\bin
cd osslsigncode-folder
osslsigncode.exe -v
osslsigncode 2.1.0, using:
OpenSSL 1.1.1g 21 Apr 2020
libcurl/7.70.0 OpenSSL/1.1.1g (Schannel) zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0
libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.40.0 libgsf 1.14.46
```
### Building OpenSSL, Curl and osslsigncode sources with MSYS2 MinGW 64-bit:
1) Download and install MSYS2 from https://msys2.github.io/ and follow installation instructions.
Once up and running install even: perl make autoconf automake libtool pkg-config.
```
pacman -S perl make autoconf automake libtool pkg-config
```
Make sure there are no curl, brotli, libpsl, libidn2 and nghttp2 packages installed:
```
pacman -R mingw-w64-x86_64-curl \
mingw-w64-x86_64-brotli \
mingw-w64-x86_64-libpsl \
mingw-w64-x86_64-libidn2 \
mingw-w64-x86_64-nghttp2
```
Run "MSYS2 MinGW 64-bit" in the administrator mode.
2) Build and install OpenSSL.
```
cd openssl-(version)
./config --prefix='C:/OpenSSL' --openssldir='C:/OpenSSL'
make && make install
```
3) Build and install curl.
```
cd curl-(version)
./buildconf
./configure --prefix='C:/curl' --with-ssl='C:/OpenSSL' \
--disable-ftp --disable-tftp --disable-file --disable-dict \
--disable-telnet --disable-imap --disable-smb --disable-smtp \
--disable-gopher --disable-pop --disable-pop3 --disable-rtsp \
--disable-ldap --disable-ldaps --disable-unix-sockets --disable-pthreads
make && make install
```
3) Build 64-bit Windows executables.
```
cd osslsigncode-folder
x86_64-w64-mingw32-gcc osslsigncode.c -o osslsigncode.exe \
-L 'C:/OpenSSL/lib/' -lcrypto -lssl \
-I 'C:/OpenSSL/include/' \
-L 'C:/curl/lib' -lcurl \
-I 'C:/curl/include' \
-D 'PACKAGE_STRING="osslsigncode 2.1.0"' \
-D 'PACKAGE_BUGREPORT="Michal.Trojnara@stunnel.org"' \
-D ENABLE_CURL
```
4) Run "Command prompt" and copy required libraries.
```
cd osslsigncode-folder
copy C:\OpenSSL\bin\libssl-1_1-x64.dll
copy C:\OpenSSL\bin\libcrypto-1_1-x64.dll
copy C:\curl\bin\libcurl-4.dll
copy C:\msys64\mingw64\bin\zlib1.dll
osslsigncode.exe -v
osslsigncode 2.1.0, using:
OpenSSL 1.1.1g 21 Apr 2020
libcurl/7.70.0 OpenSSL/1.1.1g zlib/1.2.11
no libgsf available
```

2
LICENSE.txt
View File

@ -1,7 +1,7 @@
OpenSSL based Authenticode signing for PE/MSI/Java CAB files. OpenSSL based Authenticode signing for PE/MSI/Java CAB files.
Copyright (C) 2005-2014 Per Allansson <pallansson@gmail.com> Copyright (C) 2005-2014 Per Allansson <pallansson@gmail.com>
Copyright (C) 2018 Michał Trojnara <Michal.Trojnara@stunnel.org> Copyright (C) 2018-2019 Michał Trojnara <Michal.Trojnara@stunnel.org>
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by

6
Makefile.am
View File

@ -8,9 +8,9 @@ MAINTAINERCLEANFILES = \
$(srcdir)/config.guess $(srcdir)/config.sub $(srcdir)/config.guess $(srcdir)/config.sub
EXTRA_DIST = .gitignore EXTRA_DIST = .gitignore
AM_CFLAGS = $(GSF_CFLAGS) $(OPENSSL_CFLAGS) $(OPTIONAL_LIBCURL_CFLAGS) AM_CFLAGS = $(OPENSSL_CFLAGS) $(OPTIONAL_LIBCURL_CFLAGS)
bin_PROGRAMS = osslsigncode bin_PROGRAMS = osslsigncode
osslsigncode_SOURCES = osslsigncode.c osslsigncode_SOURCES = osslsigncode.c msi.c msi.h
osslsigncode_LDADD = $(GSF_LIBS) $(OPENSSL_LIBS) $(OPTIONAL_LIBCURL_LIBS) osslsigncode_LDADD = $(OPENSSL_LIBS) $(OPTIONAL_LIBCURL_LIBS)

21
CHANGELOG.md → NEWS.md
View File

@ -1,3 +1,24 @@
### 2.2 (2021.08.15)
- CAT files support (thanks to James McKenzie)
- MSI support rewritten without libgsf dependency, which allows
for handling of all the needed MSI metadata, such as dates
- "-untrusted" option renamed to "-TSA-CAfile"
- "-CRLuntrusted" option renamed to "-TSA-CRLfile"
- numerous bug fixes and improvements
### 2.1 (2020-10-11)
- certificate chain verification support
- timestamp verification support
- CRL verification support ("-CRLfile" option)
- improved CAB signature support
- nested signatures support
- user-specified signing time ("-st" option) by vszakats
- added more tests
- fixed numerous bugs
- dropped OpenSSL 1.1.0 support
### 2.0 (2018-12-04) ### 2.0 (2018-12-04)
- orphaned project adopted by Michał Trojnara - orphaned project adopted by Michał Trojnara

73
README.md
View File

@ -19,19 +19,53 @@ tool would fail. And, so, osslsigncode was born.
## WHAT CAN IT DO? ## WHAT CAN IT DO?
It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB and MSI files. It supports It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB, CAT and MSI files.
the equivalent of signtool.exe's "-j javasign.dll -jp low", i.e. add a It supports the equivalent of signtool.exe's "-j javasign.dll -jp low",
valid signature for a CAB file containing Java files. It supports getting i.e. add a valid signature for a CAB file containing Java files.
the timestamp through a proxy as well. It also supports signature verification, It supports getting the timestamp through a proxy as well. It also
removal and extraction. supports signature verification, removal and extraction.
## INSTALLATION ## BUILDING
The usual way: This section covers building osslsigncode for [Unix-like](https://en.wikipedia.org/wiki/Unix-like) operating systems.
See [INSTALL.W32.md](https://github.com/mtrojnar/osslsigncode/blob/master/INSTALL.W32.md) for Windows notes.
### Generate the ./configure script
This step is only needed if osslsigncode was cloned from a git repository.
We highly recommend downloading a [release tarball](https://github.com/mtrojnar/osslsigncode/releases) instead.
* Install prerequisites on a Debian-based distributions, such as Ubuntu:
``` ```
./configure sudo apt update && sudo apt install automake pkg-config
make ```
make install
* Install prerequisites on macOS with Homebrew:
```
brew install automake pkg-config
```
* Generate the ./configure script:
```
./bootstrap
```
### Configure, build and install osslsigncode
* Install prerequisites on a Debian-based distributions, such as Ubuntu:
```
sudo apt update && sudo apt install build-essential pkg-config libssl-dev libcurl4-openssl-dev
```
* Install prerequisites on macOS with Homebrew:
```
brew install pkg-config openssl@1.1
export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig"
```
* Configure, build and install osslsigncode:
```
./configure && make && sudo make install
``` ```
## USAGE ## USAGE
@ -67,7 +101,7 @@ or if you want to add a timestamp as well:
``` ```
osslsigncode sign -certs <cert-file> -key <key-file> \ osslsigncode sign -certs <cert-file> -key <key-file> \
-n "Your Application" -i http://www.yourwebsite.com/ \ -n "Your Application" -i http://www.yourwebsite.com/ \
-t http://timestamp.verisign.com/scripts/timstamp.dll \ -t http://timestamp.digicert.com \
-in yourapp.exe -out yourapp-signed.exe -in yourapp.exe -out yourapp-signed.exe
``` ```
You can use a certificate and key stored in a PKCS#12 container: You can use a certificate and key stored in a PKCS#12 container:
@ -85,6 +119,17 @@ To sign a CAB file containing java class files:
``` ```
Only the 'low' parameter is currently supported. Only the 'low' parameter is currently supported.
If you want to use PKCS11 token, you should indicate PKCS11 engine and module.
An example of using osslsigncode with SoftHSM:
```
osslsigncode sign \
-pkcs11engine /usr/lib64/engines-1.1/pkcs11.so \
-pkcs11module /usr/lib64/pkcs11/libsofthsm2.so \
-pkcs11cert 'pkcs11:token=softhsm-token;object=cert' \
-key 'pkcs11:token=softhsm-token;object=key' \
-in yourapp.exe -out yourapp-signed.exe
```
You can check that the signed file is correct by right-clicking You can check that the signed file is correct by right-clicking
on it in Windows and choose Properties --> Digital Signatures, on it in Windows and choose Properties --> Digital Signatures,
and then choose the signature from the list, and click on and then choose the signature from the list, and click on
@ -110,7 +155,7 @@ use instead of your *.spc file. It's the same basic thing, in a different format
For your PVK file, you will need to download a little utility called For your PVK file, you will need to download a little utility called
PVK.EXE. This can currently be downloaded at PVK.EXE. This can currently be downloaded at
http://support.globalsign.net/en/objectsign/PVK.zip https://www.globalsign.com/support/code-signing/PVK.zip
Run: Run:
``` ```
@ -129,7 +174,9 @@ You need the *.p7b and *.der files to use osslsigncode, instead of your
## BUGS, QUESTIONS etc. ## BUGS, QUESTIONS etc.
Send an email to pallansson@gmail.com Check whether your your question or suspected bug was already
discussed on https://github.com/mtrojnar/osslsigncode/issues.
Otherwise, open a new issue.
BUT, if you have questions related to generating spc files, BUT, if you have questions related to generating spc files,
converting between different formats and so on, *please* converting between different formats and so on, *please*

2
README.unauthblob.md
View File

@ -14,7 +14,7 @@ osslsigncode sign -addUnauthenticatedBlob -pkcs12 yourcert.pfx -pass your_passwo
``` ```
# Example 2. Timestamp and add blob to signed file # Example 2. Timestamp and add blob to signed file
osslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.verisign.com/scripts/timstamp.dll -in your_signed_file.exe -out out.exe osslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.digicert.com -in your_signed_file.exe -out out.exe
``` ```
``` ```

3
TODO.md
View File

@ -1,8 +1,5 @@
- signature extraction/removal/verificaton on MSI/CAB files - signature extraction/removal/verificaton on MSI/CAB files
- improved signature verification on PE files
- clean up / untangle code - clean up / untangle code
- separate timestamping - separate timestamping
- man page
- remove mmap usage to increase portability - remove mmap usage to increase portability
- tests
- fix other stuff marked 'XXX' - fix other stuff marked 'XXX'

1578
autogen.sh
View File

File diff suppressed because it is too large Load Diff

2
bootstrap Executable file
View File

@ -0,0 +1,2 @@
#!/bin/sh
autoreconf --verbose --install --force

28
configure.ac
View File

@ -1,6 +1,6 @@
AC_PREREQ(2.60) AC_PREREQ(2.60)
AC_INIT([osslsigncode], [1.7.1], [pallansson@gmail.com]) AC_INIT([osslsigncode], [2.2.0], [Michal.Trojnara@stunnel.org])
AC_CONFIG_AUX_DIR([.]) AC_CONFIG_AUX_DIR([.])
AC_CONFIG_HEADERS([config.h]) AC_CONFIG_HEADERS([config.h])
AM_INIT_AUTOMAKE AM_INIT_AUTOMAKE
@ -77,33 +77,19 @@ AC_CHECK_LIB(
AC_CHECK_HEADERS([termios.h]) AC_CHECK_HEADERS([termios.h])
AC_CHECK_FUNCS(getpass) AC_CHECK_FUNCS(getpass)
AC_ARG_WITH([gsf],
AS_HELP_STRING([--without-gsf], [Ignore presence of libgsf and disable it])
)
AS_IF([test "x$with_gsf" != "xno"],
[PKG_CHECK_MODULES([GSF], [libgsf-1], [have_gsf=yes], [have_gsf=no])],
[have_gsf=no]
)
AS_IF([test "x$have_gsf" = "xyes"],
[AC_DEFINE([WITH_GSF], 1, [Have libgsf?])],
[AS_IF([test "x$with_gsf" = "xyes"],
[AC_MSG_ERROR([libgsf requested but not found])])]
)
PKG_CHECK_MODULES( PKG_CHECK_MODULES(
[OPENSSL], [OPENSSL],
[libcrypto >= 1.1.0], [libcrypto >= 1.1.1],
, ,
[PKG_CHECK_MODULES( [PKG_CHECK_MODULES(
[OPENSSL], [OPENSSL],
[openssl >= 1.1.0], [openssl >= 1.1.1],
, ,
[AC_CHECK_LIB( [AC_CHECK_LIB(
[crypto], [crypto],
[RSA_verify], [EVP_MD_CTX_new],
[OPENSSL_LIBS="-lcrypto ${SOCKETS_LIBS} ${DL_LIBS}"], [OPENSSL_LIBS="-lcrypto ${SOCKETS_LIBS} ${DL_LIBS}"],
[AC_MSG_ERROR([OpenSSL 1.1.0 or later is required. http://www.openssl.org/])], [AC_MSG_ERROR([OpenSSL 1.1.1 or later is required. https://www.openssl.org/])],
[${DL_LIBS}] [${DL_LIBS}]
)] )]
)] )]
@ -132,5 +118,9 @@ fi
AC_SUBST([OPTIONAL_LIBCURL_CFLAGS]) AC_SUBST([OPTIONAL_LIBCURL_CFLAGS])
AC_SUBST([OPTIONAL_LIBCURL_LIBS]) AC_SUBST([OPTIONAL_LIBCURL_LIBS])
AC_DEFINE_UNQUOTED([CA_BUNDLE_PATH], ["$(curl-config --ca 2>/dev/null)"], [CA bundle install path])
AC_CONFIG_FILES([Makefile]) AC_CONFIG_FILES([Makefile])
AC_OUTPUT AC_OUTPUT
# vim: set ts=4 noexpandtab:

1099
msi.c Normal file
View File

File diff suppressed because it is too large Load Diff

206
msi.h Normal file
View File

@ -0,0 +1,206 @@
/*
* MSI file support library
*
* Copyright (C) 2021 Michał Trojnara <Michal.Trojnara@stunnel.org>
* Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
*
* Reference specifications:
* http://en.wikipedia.org/wiki/Compound_File_Binary_Format
* https://msdn.microsoft.com/en-us/library/dd942138.aspx
* https://github.com/microsoft/compoundfilereader
*/
#include <stdint.h>
#include <openssl/safestack.h>
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#define MAXREGSECT 0xfffffffa /* maximum regular sector number */
#define DIFSECT 0xfffffffc /* specifies a DIFAT sector in the FAT */
#define FATSECT 0xfffffffd /* specifies a FAT sector in the FAT */
#define ENDOFCHAIN 0xfffffffe /* end of a linked chain of sectors */
#define NOSTREAM 0xffffffff /* terminator or empty pointer */
#define FREESECT 0xffffffff /* empty unallocated free sectors */
#define DIR_UNKNOWN 0
#define DIR_STORAGE 1
#define DIR_STREAM 2
#define DIR_ROOT 5
#define RED_COLOR 0
#define BLACK_COLOR 1
#define DIFAT_IN_HEADER 109
#define MINI_STREAM_CUTOFF_SIZE 0x00001000 /* 4096 bytes */
#define HEADER_SIZE 0x200 /* 512 bytes, independent of sector size */
#define MAX_SECTOR_SIZE 0x1000 /* 4096 bytes */
#define HEADER_SIGNATURE 0x00 /* 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 */
#define HEADER_CLSID 0x08 /* reserved and unused */
#define HEADER_MINOR_VER 0x18 /* SHOULD be set to 0x003E */
#define HEADER_MAJOR_VER 0x1a /* MUST be set to either 0x0003 (version 3) or 0x0004 (version 4) */
#define HEADER_BYTE_ORDER 0x1c /* 0xfe 0xff == Intel Little Endian */
#define HEADER_SECTOR_SHIFT 0x1e /* MUST be set to 0x0009, or 0x000c */
#define HEADER_MINI_SECTOR_SHIFT 0x20 /* MUST be set to 0x0006 */
#define RESERVED 0x22 /* reserved and unused */
#define HEADER_DIR_SECTORS_NUM 0x28
#define HEADER_FAT_SECTORS_NUM 0x2c
#define HEADER_DIR_SECTOR_LOC 0x30
#define HEADER_TRANSACTION 0x34
#define HEADER_MINI_STREAM_CUTOFF 0x38 /* 4096 bytes */
#define HEADER_MINI_FAT_SECTOR_LOC 0x3c
#define HEADER_MINI_FAT_SECTORS_NUM 0x40
#define HEADER_DIFAT_SECTOR_LOC 0x44
#define HEADER_DIFAT_SECTORS_NUM 0x48
#define HEADER_DIFAT 0x4c
#define DIRENT_SIZE 0x80 /* 128 bytes */
#define DIRENT_MAX_NAME_SIZE 0x40 /* 64 bytes */
#define DIRENT_NAME 0x00
#define DIRENT_NAME_LEN 0x40 /* length in bytes incl 0 terminator */
#define DIRENT_TYPE 0x42
#define DIRENT_COLOUR 0x43
#define DIRENT_LEFT_SIBLING_ID 0x44
#define DIRENT_RIGHT_SIBLING_ID 0x48
#define DIRENT_CHILD_ID 0x4c
#define DIRENT_CLSID 0x50
#define DIRENT_STATE_BITS 0x60
#define DIRENT_CREATE_TIME 0x64
#define DIRENT_MODIFY_TIME 0x6c
#define DIRENT_START_SECTOR_LOC 0x74
#define DIRENT_FILE_SIZE 0x78
#define GET_UINT8_LE(p) ((u_char*)(p))[0]
#define GET_UINT16_LE(p) (((u_char*)(p))[0] | (((u_char*)(p))[1]<<8))
#define GET_UINT32_LE(p) (((u_char*)(p))[0] | (((u_char*)(p))[1]<<8) | \
(((u_char*)(p))[2]<<16) | (((u_char*)(p))[3]<<24))
#define PUT_UINT8_LE(i,p) \
((u_char*)(p))[0] = (i) & 0xff;
#define PUT_UINT16_LE(i,p) \
((u_char*)(p))[0] = (i) & 0xff; \
((u_char*)(p))[1] = ((i)>>8) & 0xff
#define PUT_UINT32_LE(i,p) \
((u_char*)(p))[0] = (i) & 0xff; \
((u_char*)(p))[1] = ((i)>>8) & 0xff; \
((u_char*)(p))[2] = ((i)>>16) & 0xff; \
((u_char*)(p))[3] = ((i)>>24) & 0xff
typedef unsigned char u_char;
typedef struct {
u_char signature[8]; /* 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 */
u_char unused_clsid[16]; /* reserved and unused */
uint16_t minorVersion;
uint16_t majorVersion;
uint16_t byteOrder;
uint16_t sectorShift; /* power of 2 */
uint16_t miniSectorShift; /* power of 2 */
u_char reserved[6]; /* reserved and unused */
uint32_t numDirectorySector;
uint32_t numFATSector;
uint32_t firstDirectorySectorLocation;
uint32_t transactionSignatureNumber; /* reserved */
uint32_t miniStreamCutoffSize;
uint32_t firstMiniFATSectorLocation;
uint32_t numMiniFATSector;
uint32_t firstDIFATSectorLocation;
uint32_t numDIFATSector;
uint32_t headerDIFAT[DIFAT_IN_HEADER];
} MSI_FILE_HDR;
typedef struct {
u_char name[DIRENT_MAX_NAME_SIZE];
uint16_t nameLen;
uint8_t type;
uint8_t colorFlag;
uint32_t leftSiblingID;
uint32_t rightSiblingID;
uint32_t childID;
u_char clsid[16];
u_char stateBits[4];
u_char creationTime[8];
u_char modifiedTime[8];
uint32_t startSectorLocation;
u_char size[8];
} MSI_ENTRY;
typedef struct {
u_char name[DIRENT_MAX_NAME_SIZE];
uint16_t nameLen;
uint8_t type;
MSI_ENTRY *entry;
STACK_OF(MSI_DIRENT) *children;
} MSI_DIRENT;
DEFINE_STACK_OF(MSI_DIRENT)
typedef struct {
const u_char *m_buffer;
size_t m_bufferLen;
MSI_FILE_HDR *m_hdr;
size_t m_sectorSize;
size_t m_minisectorSize;
size_t m_miniStreamStartSector;
} MSI_FILE;
typedef struct {
char *header;
char *ministream;
char *minifat;
char *fat;
uint32_t dirtreeLen;
uint32_t miniStreamLen;
uint32_t minifatLen;
uint32_t fatLen;
int ministreamsMemallocCount;
int minifatMemallocCount;
int fatMemallocCount;
int dirtreeSectorsCount;
int minifatSectorsCount;
int fatSectorsCount;
int miniSectorNum;
int sectorNum;
size_t sectorSize;
} MSI_OUT;
static u_char msi_magic[] = {
0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1
};
static const u_char digital_signature[] = {
0x05, 0x00, 0x44, 0x00, 0x69, 0x00, 0x67, 0x00,
0x69, 0x00, 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00,
0x53, 0x00, 0x69, 0x00, 0x67, 0x00, 0x6E, 0x00,
0x61, 0x00, 0x74, 0x00, 0x75, 0x00, 0x72, 0x00,
0x65, 0x00, 0x00, 0x00
};
static const u_char digital_signature_ex[] = {
0x05, 0x00, 0x4D, 0x00, 0x73, 0x00, 0x69, 0x00,
0x44, 0x00, 0x69, 0x00, 0x67, 0x00, 0x69, 0x00,
0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x53, 0x00,
0x69, 0x00, 0x67, 0x00, 0x6E, 0x00, 0x61, 0x00,
0x74, 0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00,
0x45, 0x00, 0x78, 0x00, 0x00, 0x00
};
int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, size_t offset, char *buffer, size_t len);
MSI_FILE *msi_file_new(char *buffer, size_t len);
void msi_file_free(MSI_FILE *msi);
MSI_ENTRY *msi_root_entry_get(MSI_FILE *msi);
MSI_DIRENT *msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent);
MSI_ENTRY *msi_signatures_get(MSI_DIRENT *dirent, MSI_ENTRY **dse);
void msi_dirent_free(MSI_DIRENT *dirent);
MSI_FILE_HDR *msi_header_get(MSI_FILE *msi);
int msi_prehash_dir(MSI_DIRENT *dirent, BIO *hash, int is_root);
int msi_hash_dir(MSI_FILE *msi, MSI_DIRENT *dirent, BIO *hash, int is_root);
void msi_calc_digest(char *indata, const EVP_MD *md, u_char *mdbuf, size_t fileend);
int msi_dirent_delete(MSI_DIRENT *dirent, const u_char *name, uint16_t nameLen);
int msi_file_write(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p, int len, u_char *p_msiex, int len_msiex, BIO *outdata);

7804
osslsigncode.c
View File

File diff suppressed because it is too large Load Diff

6
tests/certs/.gitignore vendored Normal file
View File

@ -0,0 +1,6 @@
*.der
*.pem
*.pvk
*.p12
*.spc
*.txt

47
tests/certs/ca-bundle.crt Normal file
View File

@ -0,0 +1,47 @@
# Certum Trusted Network CA
-----BEGIN CERTIFICATE-----
MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
-----END CERTIFICATE-----
# DigiCert Assured ID Root CA
-----BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
+o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
-----END CERTIFICATE-----

218
tests/certs/makecerts.sh Executable file
View File

@ -0,0 +1,218 @@
#!/bin/sh
result=0
test_result() {
if test "$1" -eq 0
then
printf "Succeeded\n" >> "makecerts.log"
else
printf "Failed\n" >> "makecerts.log"
fi
}
make_certs() {
password=passme
result_path=$(pwd)
cd $(dirname "$0")
script_path=$(pwd)
cd "${result_path}"
mkdir "tmp/"
# OpenSSL settings
CONF="${script_path}/openssl_intermediate.cnf"
TEMP_LD_LIBRARY_PATH=$LD_LIBRARY_PATH
if test -n "$1"
then
OPENSSL="$1/bin/openssl"
LD_LIBRARY_PATH="$1/lib"
else
OPENSSL=openssl
fi
mkdir "demoCA/" 2>> "makecerts.log" 1>&2
touch "demoCA/index.txt"
touch "demoCA/index.txt.attr"
echo 1000 > "demoCA/serial"
date > "makecerts.log"
$OPENSSL version 2>> "makecerts.log" 1>&2
echo -n "$password" > "password.txt"
printf "\nGenerate root CA certificate\n" >> "makecerts.log"
$OPENSSL genrsa -out demoCA/CA.key \
2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL=openssl
CONF="${script_path}/openssl_root.cnf"
$OPENSSL req -config $CONF -new -x509 -days 3600 -key demoCA/CA.key -out tmp/CACert.pem \
-subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA" \
2>> "makecerts.log" 1>&2'
test_result $?
printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log"
$OPENSSL genrsa -out demoCA/intermediate.key \
2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL=openssl
CONF="${script_path}/openssl_intermediate.cnf"
$OPENSSL req -config $CONF -new -key demoCA/intermediate.key -out demoCA/intermediate.csr \
-subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \
2>> "makecerts.log" 1>&2'
test_result $?
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL=openssl
CONF="${script_path}/openssl_root.cnf"
$OPENSSL ca -config $CONF -batch -in demoCA/intermediate.csr -out demoCA/intermediate.cer \
2>> "makecerts.log" 1>&2'
test_result $?
$OPENSSL x509 -in demoCA/intermediate.cer -out tmp/intermediate.pem \
2>> "makecerts.log" 1>&2
printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
$OPENSSL genrsa -des3 -out demoCA/private.key -passout pass:$password \
2>> "makecerts.log" 1>&2
test_result $?
cat demoCA/private.key >> tmp/keyp.pem 2>> "makecerts.log"
printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log"
$OPENSSL rsa -in demoCA/private.key -passin pass:$password -out tmp/key.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate a certificate to revoke\n" >> "makecerts.log"
$OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:$password -out demoCA/revoked.csr \
-subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2
$OPENSSL ca -config $CONF -batch -in demoCA/revoked.csr -out demoCA/revoked.cer \
2>> "makecerts.log" 1>&2
$OPENSSL x509 -in demoCA/revoked.cer -out tmp/revoked.pem \
2>> "makecerts.log" 1>&2
printf "\nRevoke above certificate\n" >> "makecerts.log"
$OPENSSL ca -config $CONF -revoke demoCA/1001.pem \
2>> "makecerts.log" 1>&2
printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/revoked.pem
printf "\nGenerate CRL file\n" >> "makecerts.log"
TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL=openssl
CONF="${script_path}/openssl_intermediate.cnf"
$OPENSSL ca -config $CONF -gencrl -crldays 8766 -out tmp/CACertCRL.pem \
2>> "makecerts.log" 1>&2'
printf "\nConvert revoked certificate to SPC format\n" >> "makecerts.log"
$OPENSSL crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log"
$OPENSSL genrsa -out demoCA/cross.key \
2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2018-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL=openssl
CONF="${script_path}/openssl_intermediate.cnf"
$OPENSSL req -config $CONF -new -x509 -days 900 -key demoCA/cross.key -out tmp/crosscert.pem \
-subj "/C=PL/O=osslsigncode/OU=CSP/CN=crosscert/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2'
test_result $?
printf "\nGenerate code signing certificate\n" >> "makecerts.log"
$OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:$password -out demoCA/cert.csr \
-subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2
test_result $?
$OPENSSL ca -config $CONF -batch -in demoCA/cert.csr -out demoCA/cert.cer \
2>> "makecerts.log" 1>&2
test_result $?
$OPENSSL x509 -in demoCA/cert.cer -out tmp/cert.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the key to DER format\n" >> "makecerts.log"
$OPENSSL rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:$password \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the key to PVK format\n" >> "makecerts.log"
$OPENSSL rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the certificate to DER format\n" >> "makecerts.log"
$OPENSSL x509 -in tmp/cert.pem -outform DER -out tmp/cert.der \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/cert.pem
printf "\nConvert the certificate to SPC format\n" >> "makecerts.log"
$OPENSSL crl2pkcs7 -nocrl -certfile tmp/cert.pem -outform DER -out tmp/cert.spc \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the certificate and the key into a PKCS#12 container\n" >> "makecerts.log"
$OPENSSL pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/cert.p12 -passout pass:$password \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate expired certificate\n" >> "makecerts.log"
$OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:$password -out demoCA/expired.csr \
-subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Expired/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2
test_result $?
$OPENSSL ca -config $CONF -enddate "190101000000Z" -batch -in demoCA/expired.csr -out demoCA/expired.cer \
2>> "makecerts.log" 1>&2
test_result $?
$OPENSSL x509 -in demoCA/expired.cer -out tmp/expired.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nAttach intermediate certificate to expired certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/expired.pem
# copy new files
if test -s tmp/intermediate.pem -a -s tmp/CACert.pem -a -s tmp/CACertCRL.pem \
-a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \
-a -s tmp/cert.pem -a -s tmp/cert.p12 -a -s tmp/cert.der -a -s tmp/cert.spc \
-a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem -a -s tmp/revoked.spc
then
cp tmp/* ./
printf "%s\n" "keys & certificates successfully generated"
printf "%s\n" "makecerts.sh finished"
rm -f "makecerts.log"
else
printf "%s\n" "makecerts.sh failed"
printf "%s\n" "error logs ${result_path}/makecerts.log"
result=1
fi
# remove the working directory
rm -rf "demoCA/"
rm -rf "tmp/"
# restore settings
LD_LIBRARY_PATH=$TEMP_LD_LIBRARY_PATH
exit $result
}
# Tests requirement
if test -n "$(command -v faketime)"
then
make_certs $1
result=$?
else
printf "%s\n" "faketime not found in \$PATH"
printf "%s\n" "tests skipped, please install faketime package"
result=1
fi
exit $result

68
tests/certs/openssl_intermediate.cnf Normal file
View File

@ -0,0 +1,68 @@
# OpenSSL intermediate CA configuration file
[ ca ]
default_ca = CA_default
[ CA_default ]
# Directory and file locations
dir = .
certs = $dir/demoCA
crl_dir = $dir/demoCA
new_certs_dir = $dir/demoCA
database = $dir/demoCA/index.txt
serial = $dir/demoCA/serial
private_key = $dir/demoCA/intermediate.key
certificate = $dir/tmp/intermediate.pem
crl_extensions = crl_ext
default_md = sha256
preserve = no
policy = policy_loose
default_startdate = 180101000000Z
default_enddate = 241231000000Z
x509_extensions = v3_req
[ req ]
# Options for the `req` tool
encrypt_key = no
default_bits = 2048
default_md = sha256
string_mask = utf8only
distinguished_name = req_distinguished_name
x509_extensions = usr_extensions
[ crl_ext ]
# Extension for CRLs
authorityKeyIdentifier = keyid:always
[ usr_extensions ]
# Extension to add when the -x509 option is used
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
extendedKeyUsage = codeSigning
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
extendedKeyUsage = codeSigning
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

61
tests/certs/openssl_root.cnf Normal file
View File

@ -0,0 +1,61 @@
# OpenSSL root CA configuration file
[ ca ]
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = .
certs = $dir/demoCA
crl_dir = $dir/demoCA
new_certs_dir = $dir/demoCA
database = $dir/demoCA/index.txt
serial = $dir/demoCA/serial
private_key = $dir/demoCA/CA.key
certificate = $dir/tmp/CACert.pem
crl_extensions = crl_ext
default_md = sha256
preserve = no
policy = policy_match
default_startdate = 180101000000Z
default_enddate = 260101000000Z
x509_extensions = v3_intermediate_ca
[ req ]
# Options for the `req` tool
encrypt_key = no
default_bits = 2048
default_md = sha256
string_mask = utf8only
x509_extensions = ca_extensions
distinguished_name = req_distinguished_name
[ ca_extensions ]
# Extension to add when the -x509 option is used
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`)
basicConstraints = critical, CA:true, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ policy_match ]
countryName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

61
tests/certs/openssltest.cnf Normal file
View File

@ -0,0 +1,61 @@
# OpenSSL root CA configuration file
[ ca ]
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = .
certs = $dir/demoCA
crl_dir = $dir/demoCA
new_certs_dir = $dir/demoCA
database = $dir/demoCA/index.txt
serial = $dir/demoCA/serial
crl_extensions = crl_ext
default_md = sha256
preserve = no
policy = policy_match
x509_extensions = usr_cert
private_key = $dir/demoCA/CA.key
certificate = $dir/tmp/CACert.pem
default_startdate = 180101000000Z
default_enddate = 210101000000Z
[ req ]
encrypt_key = no
default_bits = 2048
default_md = sha256
string_mask = utf8only
x509_extensions = ca_extensions
distinguished_name = req_distinguished_name
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
extendedKeyUsage = codeSigning
[ ca_extensions ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ policy_match ]
countryName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

53
tests/recipes/01_sign_pem Normal file
View File

@ -0,0 +1,53 @@
#!/bin/sh
# Sign a file with a certificate and a private key in the PEM format.
# -st 1556668800 is the Unix time of May 1 00:00:00 2019 GMT
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=1
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a certificate and a private key in the PEM format"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

53
tests/recipes/02_sign_pass Normal file
View File

@ -0,0 +1,53 @@
#!/bin/sh
# Sign a file with an encrypted private key in the PEM format.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=2
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with an encrypted private key in the PEM format"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \
-pass passme \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

54
tests/recipes/03_sign_der Normal file
View File

@ -0,0 +1,54 @@
#!/bin/sh
# Sign a file with an encrypted private key in the DER format.
# Requires OpenSSL 1.0.0 or later
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=3
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with an encrypted private key in the DER format"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
-pass passme \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

54
tests/recipes/04_sign_spc_pvk Normal file
View File

@ -0,0 +1,54 @@
#!/bin/sh
# Sign a file with a certificate in the SPC format
# and a private key in the Microsoft Private Key (PVK) format.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=4
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a SPC certificate and a PVK private key"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-spc "${script_path}/../certs/cert.spc" -key "${script_path}/../certs/key.pvk" \
-pass passme \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

53
tests/recipes/05_sign_pkcs12 Normal file
View File

@ -0,0 +1,53 @@
#!/bin/sh
# Sign a file with a certificate and a key stored in a PKCS#12 container.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=5
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a certificate and a key stored in a PKCS#12 container"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-pkcs12 "${script_path}/../certs/cert.p12" \
-pass passme \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

34
tests/recipes/06_test_sha256sum Normal file
View File

@ -0,0 +1,34 @@
#!/bin/sh
# Checking SHA256 message digests for 01x-05x tests
. $(dirname $0)/../test_library
script_path=$(pwd)
result=0
test_nr=6
for file in ${script_path}/../logs/sha256sum/*.*
do
name="${file##*/}"
case $name in
"cat.log") filetype=CAT; format_nr=1 ;;
"msi.log") filetype=MSI; format_nr=2 ;;
"ex_.log") filetype=CAB; format_nr=3 ;;
"exe.log") filetype=PE; format_nr=4 ;;
"ps1.log") filetype=TXT; format_nr=5 ;;
esac
number="$test_nr$format_nr"
test_name="Checking SHA256 message digests for a $filetype file test"
printf "\n%03d. %s\n" "$number" "$test_name"
if test $(cat "sha256sum/$name" | cut -d' ' -f1 | uniq | wc -l) -ne 1
then
result=1
cat "sha256sum/$name" >> "results.log"
printf "Non-unique SHA256 message digests found\n" >> "results.log"
fi
rm -f "sha256sum/$name"
test_result "$result" "$number" "$test_name"
done
exit 0

61
tests/recipes/07_sign_timestamp Normal file
View File

@ -0,0 +1,61 @@
#!/bin/sh
# Sign a file with Authenticode timestamping
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=7
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with Authenticode timestamping"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-t http://timestamp.digicert.com/ \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Sign a file with Authenticode timestamping"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

65
tests/recipes/08_sign_rfc3161 Normal file
View File

@ -0,0 +1,65 @@
#!/bin/sh
# Sign a file with RFC 3161 timestamping
# An RFC3161 timestamp server provides an essential function in protecting
# data records for the long-term. It provides proof that the data existed
# at a particular moment in time and that it has not changed, even by
# a single binary bit, since it was notarized and time-stamped.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=8
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with RFC 3161 timestamping"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Sign a file with RFC 3161 timestamping"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

33
tests/recipes/09_sign_page_hashes Normal file
View File

@ -0,0 +1,33 @@
#!/bin/sh
# Generate page hashes for a file
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=9
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"exe") filetype=PE; format_nr=4 ;;
*) continue ;; # Warning: -ph option is only valid for PE files
esac
number="$test_nr$format_nr"
test_name="Generate page hashes for a $filetype file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 -ph \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
exit 0

53
tests/recipes/10_sign_blob Normal file
View File

@ -0,0 +1,53 @@
#!/bin/sh
# Sign a file with addUnauthenticatedBlob.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=10
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with addUnauthenticatedBlob"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-addUnauthenticatedBlob \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

42
tests/recipes/11_sign_nest Normal file
View File

@ -0,0 +1,42 @@
#!/bin/sh
# Sign a file twice with the "nest" flag in the second time
# in order to add the new signature instead of replacing the first one.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=11
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Warning: CAT files do not support nesting
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Warning: TXT files do not support nesting
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with the nest flag"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode sign -h sha512 \
-nest \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
exit 0

54
tests/recipes/12_sign_readpass_pem Normal file
View File

@ -0,0 +1,54 @@
#!/bin/sh
# Sign a file with a PEM key and a password read from password.txt file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=12
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a PEM key and a password read from password.txt file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-addUnauthenticatedBlob \
-readpass "${script_path}/../certs/password.txt" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

54
tests/recipes/13_sign_readpass_pkcs12 Normal file
View File

@ -0,0 +1,54 @@
#!/bin/sh
# Sign a file with the certificate and key stored in a PKCS#12 container
# and a password read from password.txt file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=13
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a PKCS#12 container and the file with a password"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-readpass "${script_path}/../certs/password.txt" \
-pkcs12 "${script_path}/../certs/cert.p12" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

53
tests/recipes/14_sign_descryption Normal file
View File

@ -0,0 +1,53 @@
#!/bin/sh
# Sign a file with a descryption.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=14
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with a descryption"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-n "DESCRYPTION_TEXT" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "DESCRYPTION_TEXT" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

54
tests/recipes/15_sign_url Normal file
View File

@ -0,0 +1,54 @@
#!/bin/sh
# Sign a file with specified URL for expanded description of the signed content
# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode-signing-of-csps
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=15
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with specified URL"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-i "https://www.osslsigncode.com/" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "https://www.osslsigncode.com/" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

58
tests/recipes/16_sign_comm Normal file
View File

@ -0,0 +1,58 @@
#!/bin/sh
# Sign a file with Microsoft Commercial Code Signing purpose set for SPC_STATEMENT_TYPE_OBJID
# object ID numbers (OIDs) "1.3.6.1.4.1.311.2.1.11"
# changes default Microsoft Individual Code Signing:
# "0x30, 0x0c, x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15"
# sets Microsoft Commercial Code Signing:
# "0x30, 0x0c, x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x16"
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=16
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with the common purpose set"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-comm \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Microsoft Commercial Code Signing" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

55
tests/recipes/17_sign_crosscertfile Normal file
View File

@ -0,0 +1,55 @@
#!/bin/sh
# Add an additional certificate to the signature block of the file.
# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode-signing-of-csps
# https://docs.microsoft.com/en-us/windows/win32/seccertenroll/about-cross-certification
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=17
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Add an additional certificate to the signature block of a $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-ac "${script_path}/../certs/crosscert.pem" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "crosscert" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

52
tests/recipes/21_sign_hash_md5 Normal file
View File

@ -0,0 +1,52 @@
#!/bin/sh
# Sign a file with MD5 set of cryptographic hash functions.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=21
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with MD5 set of cryptographic hash functions"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h md5 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "MD5" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

52
tests/recipes/22_sign_hash_sha1 Normal file
View File

@ -0,0 +1,52 @@
#!/bin/sh
# Sign a file with SHA1 set of cryptographic hash functions.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=22
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with SHA1 set of cryptographic hash functions"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha1 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA1" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

52
tests/recipes/23_sign_hash_sha2 Normal file
View File

@ -0,0 +1,52 @@
#!/bin/sh
# Signing a file with SHA2 set of cryptographic hash functions.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=23
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with SHA2 set of cryptographic hash functions"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha2 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA2" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

52
tests/recipes/24_sign_hash_sha384 Normal file
View File

@ -0,0 +1,52 @@
#!/bin/sh
# Sign a file with SHA384 set of cryptographic hash functions.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=24
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with SHA384 set of cryptographic hash functions"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha384 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA384" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

52
tests/recipes/25_sign_hash_sha512 Normal file
View File

@ -0,0 +1,52 @@
#!/bin/sh
# Sign a file with SHA512 set of cryptographic hash functions.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=25
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with SHA512 set of cryptographic hash functions"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha512 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

55
tests/recipes/26_extract_signature_pem Normal file
View File

@ -0,0 +1,55 @@
#!/bin/sh
# Extract the signature in the PEM format.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=26
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Extract the PEM signature from the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha512 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
../../osslsigncode extract-signature \
-pem \
-in "test_$number.$ext" -out "sign_$format_nr.pem"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

54
tests/recipes/27_extract_signature_der Normal file
View File

@ -0,0 +1,54 @@
#!/bin/sh
# Extract the signature in the DER format.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=27
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Extract the DER signature from the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha512 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
../../osslsigncode extract-signature\
-in "test_$number.$ext" -out "sign_$format_nr.der"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

58
tests/recipes/31_attach_signature_der Normal file
View File

@ -0,0 +1,58 @@
#!/bin/sh
# Attach the DER signature to the file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=31
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Attach the DER signature to the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode attach-signature \
-sigin "sign_$format_nr.der" \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$result" -ne 0; then
cp "sign_$format_nr.der" "sign_$number.der"
fi
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

58
tests/recipes/32_attach_signature_pem Normal file
View File

@ -0,0 +1,58 @@
#!/bin/sh
# Attach the PEM signature to the file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=32
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Attach the PEM signature to the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode attach-signature \
-sigin "sign_$format_nr.pem" \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$result" -ne 0; then
cp "sign_$format_nr.der" "sign_$number.der"
fi
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

58
tests/recipes/33_attach_signed Normal file
View File

@ -0,0 +1,58 @@
#!/bin/sh
# Attach the signature to the signed file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=33
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Attach the PEM signature to the signed $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode attach-signature \
-sigin "sign_$format_nr.pem" \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"sha256sum" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

44
tests/recipes/34_attach_nest Normal file
View File

@ -0,0 +1,44 @@
#!/bin/sh
# Attach the signature to the signed file with the "nest" flag in order to
# attach the new signature instead of replacing the first one.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=34
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Warning: CAT files do not support nesting
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Warning: TXT files do not support nesting
esac
number="$test_nr$format_nr"
test_name="Attach the PEM signature to the signed $filetype$desc file with the nest flag"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode attach-signature \
-sigin "sign_$format_nr.pem" \
-nest \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
exit 0

54
tests/recipes/35_remove_signature Normal file
View File

@ -0,0 +1,54 @@
#!/bin/sh
# Remove the signature from the file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=35
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Unsupported command
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Remove the signature from the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode remove-signature \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

34
tests/recipes/36_varia_sha256sum Normal file
View File

@ -0,0 +1,34 @@
#!/bin/sh
# Checking SHA256 message digests for "extract" and "attach" tests.
. $(dirname $0)/../test_library
script_path=$(pwd)
result=0
test_nr=36
for file in ${script_path}/../logs/sha256sum/*.*
do
name="${file##*/}"
case $name in
"cat.log") filetype=CAT; format_nr=1 ;;
"msi.log") filetype=MSI; format_nr=2 ;;
"ex_.log") filetype=CAB; format_nr=3 ;;
"exe.log") filetype=PE; format_nr=4 ;;
"ps1.log") filetype=TXT; format_nr=5 ;;
esac
number="$test_nr$format_nr"
test_name="Checking SHA256 message digests for a $filetype file test"
printf "\n%03d. %s\n" "$number" "$test_name"
if test $(cat "sha256sum/$name" | cut -d' ' -f1 | uniq | wc -l) -ne 1
then
result=1
cat "sha256sum/$name" >> "results.log"
printf "Non-unique SHA256 message digests found\n" >> "results.log"
fi
rm -f "sha256sum/$name"
test_result "$result" "$number" "$test_name"
done
exit 0

64
tests/recipes/37_add_signature_timestamp Normal file
View File

@ -0,0 +1,64 @@
#!/bin/sh
# Add an authenticode timestamp to the signed file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=37
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Add an authenticode timestamp to the $filetype$desc signed file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode add \
-t http://time.certum.pl/ \
-t http://timestamp.digicert.com/ \
-verbose \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Timestamp Server Signature" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Add an authenticode timestamp to the signed file"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

64
tests/recipes/38_add_signature_rfc3161 Normal file
View File

@ -0,0 +1,64 @@
#!/bin/sh
# Add a RFC 3161 timestamp to the signed file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=38
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Add a RFC 3161 timestamp to the $filetype$desc signed file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode add \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Timestamp Server Signature" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Add a RFC 3161 timestamp to the signed file"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

55
tests/recipes/39_add_signature_blob Normal file
View File

@ -0,0 +1,55 @@
#!/bin/sh
# Add an unauthenticated blob to the signed file.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=39
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Add an unauthenticated blob to the $filetype$desc signed file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "signed_$number.$ext"
../../osslsigncode add \
-addUnauthenticatedBlob \
-in "signed_$number.$ext" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Unauthenticated Data Blob" "MODIFY"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

51
tests/recipes/40_verify_leaf_hash Normal file
View File

@ -0,0 +1,51 @@
#!/bin/sh
# Compare the leaf certificate hash against specified SHA256 message digest for the file
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=40
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Compare the leaf hash against SHA256 message digest for the $filetype$desc file"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_leaf_hash "$result" "$number" "$ext" "@2019-05-01 00:00:00"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

41
tests/recipes/41_sign_add_msi_dse Normal file
View File

@ -0,0 +1,41 @@
#!/bin/sh
# Sign a MSI file with the add-msi-dse option.
# MsiDigitalSignatureEx (msi-dse) is an enhanced signature type that can be used
# when signing MSI files. In addition to file content, it also hashes some file metadata,
# specifically file names, file sizes, creation times and modification times.
# https://www.unboundtech.com/docs/UKC/UKC_Code_Signing_IG/HTML/Content/Products/UKC-EKM/UKC_Code_Signing_IG/Sign_Windows_PE_and_msi_Files.htm
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=41
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Warning: -add-msi-dse option is only valid for MSI files
"msi") filetype=MSI; format_nr=2 ;;
"ex_") continue;; # Warning: -add-msi-dse option is only valid for MSI files
"exe") continue;; # Warning: -add-msi-dse option is only valid for MSI files
"ps1") continue;; # Warning: -add-msi-dse option is only valid for MSI files
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with the add-msi-dse option"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-add-msi-dse \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "MsiDigitalSignatureEx" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
exit 0

38
tests/recipes/42_sign_jp_low Normal file
View File

@ -0,0 +1,38 @@
#!/bin/sh
# Sign a CAB file with "low" level of permissions in Microsoft Internet Explorer 4.x for CAB files
# https://support.microsoft.com/en-us/help/193877
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=42
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Warning: -jp option is only valid for CAB files
"msi") continue;; # Warning: -jp option is only valid for CAB files
"ex_") filetype=CAB; format_nr=3 ;;
"exe") continue;; # Warning: -jp option is only valid for CAB files
"ps1") continue;; # Warning: -jp option is only valid for CAB files
esac
number="$test_nr$format_nr"
test_name="Sign a $filetype$desc file with the jp low option"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-jp low \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Low level of permissions" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
exit 0

36
tests/recipes/45_verify_fake_pe Normal file
View File

@ -0,0 +1,36 @@
#!/bin/sh
# Verify changed file after signing.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=45
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Test is not supported for non-PE files
"msi") continue;; # Test is not supported for non-PE files
"ex_") continue;; # Test is not supported for non-PE files
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Test is not supported for non-PE files
esac
number="$test_nr$format_nr"
test_name="Verify changed $filetype$desc file after signing"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Hello world!" "MODIFY"
test_result "$?" "$number" "$test_name"
done
exit 0

46
tests/recipes/46_verify_timestamp Normal file
View File

@ -0,0 +1,46 @@
#!/bin/sh
# Verify changed file after signing with Authenticode timestamping.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=46
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Test is not supported for non-PE files
"msi") continue;; # Test is not supported for non-PE files
"ex_") continue;; # Test is not supported for non-PE files
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Test is not supported for non-PE files
esac
number="$test_nr$format_nr"
test_name="Verify changed $filetype$desc file after signing with Authenticode timestamping"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-t http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Hello world!" "MODIFY"
test_result "$?" "$number" "$test_name"
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify changed file after signing with Authenticode timestamping"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

46
tests/recipes/47_verify_rfc3161 Executable file
View File

@ -0,0 +1,46 @@
#!/bin/sh
# Verify changed file after signing with RFC 3161 timestamping.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=47
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Test is not supported for non-PE files
"msi") continue;; # Test is not supported for non-PE files
"ex_") continue;; # Test is not supported for non-PE files
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Test is not supported for non-PE files
esac
number="$test_nr$format_nr"
test_name="Verify changed $filetype$desc file after signing with RFC 3161 timestamping"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "Hello world!" "MODIFY"
test_result "$?" "$number" "$test_name"
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify changed file after signing with RFC 3161 timestamping"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

52
tests/recipes/51_verify_time Normal file
View File

@ -0,0 +1,52 @@
#!/bin/sh
# Verify a file signed after the cert has been expired.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=51
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Verify $filetype$desc file signed after the cert has been expired"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "fail" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
exit 0

62
tests/recipes/52_verify_timestamp Normal file
View File

@ -0,0 +1,62 @@
#!/bin/sh
# Verify a file signed with Authenticode timestamping after the cert has been expired.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=52
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Verify a $filetype$desc file signed with Authenticode after the cert has been expired"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-t http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify a file signed with Authenticode after the cert has been expired"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

62
tests/recipes/53_verify_rfc3161 Normal file
View File

@ -0,0 +1,62 @@
#!/bin/sh
# Verify a file signed with RFC3161 timestamping after the cert has been expired.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=53
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Verify a $filetype$desc file signed with RFC3161 after the cert has been expired"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "success" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify a file signed with RFC3161 after the cert has been expired"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

62
tests/recipes/54_verify_expired Normal file
View File

@ -0,0 +1,62 @@
#!/bin/sh
# Verify a file signed with the expired cert.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=54
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Verify a $filetype$desc file signed with the expired cert"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "fail" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify a file signed with the expired cert"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

62
tests/recipes/55_verify_revoked Normal file
View File

@ -0,0 +1,62 @@
#!/bin/sh
# Verify a file signed with the revoked cert.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=55
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") filetype=CAT; format_nr=1 ;;
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1")
filetype=TXT
if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
format_nr=5
desc=" UTF-16LE(BOM)"
elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
format_nr=6
desc=" UTF-8(BOM)"
else
format_nr=7
desc=" UTF-8"
fi ;;
esac
number="$test_nr$format_nr"
test_name="Verify a $filetype$desc file signed with the revoked cert"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "notsigned/$name" -out "test_$number.$ext"
result=$?
if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
printf "%s\n" "Compare file prefix failed"
test_result "1" "$number" "$test_name"
else
verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
fi
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify a file signed with the revoked cert"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

60
tests/recipes/56_verify_multiple Normal file
View File

@ -0,0 +1,60 @@
#!/bin/sh
# Verify a file signed with the multiple signature.
. $(dirname $0)/../test_library
script_path=$(pwd)
test_nr=56
if ! grep -q "no libcurl available" "results.log"; then
for file in ${script_path}/../logs/notsigned/*.*
do
name="${file##*/}"
ext="${file##*.}"
desc=""
case $ext in
"cat") continue;; # Warning: CAT files do not support nesting
"msi") filetype=MSI; format_nr=2 ;;
"ex_") filetype=CAB; format_nr=3 ;;
"exe") filetype=PE; format_nr=4 ;;
"ps1") continue;; # Warning: TXT files do not support nesting
esac
number="$test_nr$format_nr"
test_name="Verify a $filetype$desc file signed with the multiple signature"
printf "\n%03d. %s\n" "$number" "$test_name"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \
-verbose \
-in "notsigned/$name" -out "signed1_$number.$ext"
../../osslsigncode sign -h sha384 \
-st "1556668800" \
-nest \
-certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-t http://timestamp.digicert.com/ \
-verbose \
-in "signed1_$number.$ext" -out "signed2_$number.$ext"
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-nest \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-ts http://timestamp.digicert.com/ \
-verbose \
-in "signed2_$number.$ext" -out "test_$number.$ext"
result=$?
verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "SHA384" "UNUSED_PATTERN"
test_result "$?" "$number" "$test_name"
done
else
format_nr=0
number="$test_nr$format_nr"
test_name="Verify a file signed with the multiple signature"
printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
fi
exit 0

1
tests/sources/a Normal file
View File

@ -0,0 +1 @@
aaa

1
tests/sources/b Normal file
View File

@ -0,0 +1 @@
bbb

1
tests/sources/c Normal file
View File

@ -0,0 +1 @@
ccc

BIN
tests/sources/good.cat Executable file
View File

Binary file not shown.

6
tests/sources/myapp.c Normal file
View File

@ -0,0 +1,6 @@
#include <stdio.h>
void main(void)
{
printf("Hello world!");
}

33
tests/sources/sample.wxs Normal file
View File

@ -0,0 +1,33 @@
<?xml version='1.0' encoding='windows-1252'?>
<!--https://wiki.gnome.org/msitools/HowTo/CreateMSI-->
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
<Product Name='Foobar 1.0' Id='ABCDDCBA-86C7-4D14-AEC0-86416A69ABDE' UpgradeCode='ABCDDCBA-7349-453F-94F6-BCB5110BA4FD'
Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
<Package Id='*' Keywords='Installer' Description="Acme's Foobar 1.0 Installer"
Comments='Foobar is a registered trademark of Acme Ltd.' Manufacturer='Acme Ltd.'
InstallerVersion='100' Languages='1033' Compressed='yes' SummaryCodepage='1252' />
<Media Id='1' Cabinet='Sample.cab' EmbedCab='yes' DiskPrompt="CD-ROM #1" />
<Property Id='DiskPrompt' Value="Acme's Foobar 1.0 Installation [1]" />
<Directory Id='TARGETDIR' Name='SourceDir'>
<Directory Id='ProgramFilesFolder' Name='PFiles'>
<Directory Id='Acme' Name='Acme'>
<Directory Id='INSTALLDIR' Name='Foobar 1.0'>
<Component Id='MainExecutable' Guid='ABCDDCBA-83F1-4F22-985B-FDB3C8ABD471'>
<File Id='FoobarEXE' Name='FoobarAppl10.exe' DiskId='1' Source='FoobarAppl10.exe' KeyPath='yes'/>
</Component>
</Directory>
</Directory>
</Directory>
</Directory>
<Feature Id='Complete' Level='1'>
<ComponentRef Id='MainExecutable' />
</Feature>
</Product>
</Wix>

174
tests/test_library Executable file
View File

@ -0,0 +1,174 @@
# this file is a library sourced from recipes/*
result_path=$(pwd)
cd $(dirname "$0")/../
script_path=$(pwd)
cd "${result_path}"
test_result() {
#1 last exit status
#2 test number
#3 test name
local result=0
if test "$1" -eq 0
then
printf "%s\n" "Test succeeded"
else
printf "%s\n" "Test failed"
printf "%03d. %-90s\t%s\n" "$2" "$3" "failed" 1>&3
result=1
fi
return "$result"
}
modify_blob() {
# $1 test number
# $2 filename extension
# $3 text searched in a binary file
local result=0
initial_blob=$(echo -n "$3" | xxd -p)
modified_blob=$(echo -n "FAKE" | xxd -p)
zero_blob="00000000"
xxd -p -c 1000 "test_$1.$2" | \
sed "s/$initial_blob$zero_blob/$initial_blob$modified_blob/" | \
xxd -p -r > "changed_$1.$2"
../../osslsigncode verify \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "changed_$1.$2" 2>> "verify.log" 1>&2
result=$?
if test "$result" -ne 0 \
-o $(grep -e "Calculated DigitalSignature" -e "Calculated message digest" "verify.log" | uniq | wc -l) -gt 1
then
printf "Failed: verify error or non-unique message digests found\n" 2>> "verify.log" 1>&2
result=1
else
rm -f "changed_$1.$2"
fi
return "$result"
}
search_pattern() {
# $1 test number
# $2 filename extension
# $3 pattern searched in a binary file or verify.log
local result=0
if ! grep -q "$3" "verify.log"
then
hex_pattern=$(echo -n "$3" | xxd -p)
if ! xxd -p -c 1000 "test_$1.$2" | grep "$hex_pattern" 2>> /dev/null 1>&2
then
result=1
printf "Failed: $3 not found\n"
fi
fi
return "$result"
}
verify_signature() {
# $1 sign exit code
# $2 test number
# $3 filename extension
# $4 expected result
# $5 fake time
# $6 sha256sum requirement
# $7 pattern searched in the verify.log file
# $8 modify requirement
local result=0
printf "" > "verify.log"
if test "$1" -eq 0
then
cp "test_$2.$3" "test_tmp.tmp"
TZ=GMT faketime -f "$5" /bin/bash -c '
printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
script_path=$(pwd)
../../osslsigncode verify \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-in "test_tmp.tmp" 2>> "verify.log" 1>&2'
result=$?
rm -f "test_tmp.tmp"
if test "$result" -eq 0 -a "$7" != "UNUSED_PATTERN"
then
search_pattern "$2" "$3" "$7"
result=$?
fi
if test "$result" -eq 0 -a "$8" = "MODIFY"
then
modify_blob "$2" "$3" "$7"
result=$?
fi
if test "$6" = "sha256sum"
then
sha256sum "test_$2.$3" 2>> "sha256sum/$3.log" 1>&2
fi
if test "$4" = "success" -a "$result" -eq 0
then
rm -f "test_$2.$3" "signed_$2.$3" "signed1_$2.$3" "signed2_$2.$3"
elif test "$4" = "fail" -a "$result" -eq 1
then
rm -f "test_$2.$3" "signed_$2.$3" "signed1_$2.$3" "signed2_$2.$3"
rm -f "changed_$2.$3"
cat "verify.log" >> "results.log"
result=0
else
cat "verify.log" >> "results.log"
result=1
fi
else
result=1
fi
return "$result"
}
verify_leaf_hash() {
# $1 sign exit code
# $2 test number
# $3 filename extension
# $4 fake time
local result=0
printf "" > "verify.log"
if test "$1" -eq 0
then
cp "test_$2.$3" "test_tmp.tmp"
TZ=GMT faketime -f "$4" /bin/bash -c '
printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
script_path=$(pwd)
../../osslsigncode verify \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
-require-leaf-hash SHA256:$(sha256sum "${script_path}/../certs/cert.der" | cut -d" " -f1) \
-in "test_tmp.tmp" 2>> "verify.log" 1>&2'
result=$?
rm -f "test_tmp.tmp"
if test "$result" -eq 0
then
rm -f "test_$2.$3"
else
cat "verify.log" >> "results.log"
fi
else
result=1
fi
return "$result"
}

139
tests/testall.sh Executable file
View File

@ -0,0 +1,139 @@
#!/bin/sh
# mingw64-gcc, gcab, msitools, libgsf, libgsf-devel
# vim-common, libfaketime packages are required
result=0
count=0
skip=0
fail=0
result_path=$(pwd)
cd $(dirname "$0")
script_path=$(pwd)
result_path="${result_path}/logs"
certs_path="${script_path}/certs"
make_tests() {
for plik in ${script_path}/recipes/*
do
/bin/sh $plik 3>&1 2>> "results.log" 1>&2
done
count=$(grep -c "Test succeeded" "results.log")
if test $count -ne 0
then
skip=$(grep -c "Test skipped" "results.log")
fail=$(grep -c "Test failed" "results.log")
printf "%s\n" "testall.sh finished"
printf "%s\n" "summary: success $count, skip $skip, fail $fail"
else # no test was done
result=1
fi
}
rm -rf "${result_path}"
mkdir "${result_path}"
cd "${result_path}"
mkdir "notsigned" "sha256sum"
date > "results.log"
../../osslsigncode -v >> "results.log" 2>/dev/null
cd ${certs_path}
if test -s CACert.pem -a -s crosscert.pem -a -s expired.pem -a -s cert.pem \
-a -s CACertCRL.pem -a -s revoked.pem -a -s key.pem -a -s keyp.pem \
-a -s key.der -a -s cert.der -a -s cert.spc -a -s cert.p12
then
printf "%s\n" "keys & certificates path: ${certs_path}"
else
./makecerts.sh $1
result=$?
fi
cd "${result_path}"
if test "$result" -ne 0
then
exit $result
fi
# PE files support
if test -n "$(command -v x86_64-w64-mingw32-gcc)"
then
x86_64-w64-mingw32-gcc "../sources/myapp.c" -o "notsigned/test.exe" 2>> "results.log" 1>&2
else
printf "%s\n" "x86_64-w64-mingw32-gcc not found in \$PATH"
printf "%s\n" "tests for PE files skipped, please install mingw64-gcc package"
fi
# CAB files support
if test -n "$(command -v gcab)"
then
gcab -c "notsigned/test.ex_" "../sources/a" "../sources/b" "../sources/c" 2>> "results.log" 1>&2
else
printf "%s\n" "gcab not found in \$PATH"
printf "%s\n" "tests for CAB files skipped, please install gcab package"
fi
# MSI files support
if grep -q "no libgsf available" "results.log"
then
printf "%s\n" "signing MSI files requires libgsf/libgsf-devel packages and reconfiguration osslsigncode"
else
if test -n "$(command -v wixl)"
then
touch FoobarAppl10.exe
cp "../sources/sample.wxs" "notsigned/sample.wxs" 2>> "results.log" 1>&2
wixl -v "notsigned/sample.wxs" 2>> "results.log" 1>&2
rm -f "notsigned/sample.wxs"
rm -f "FoobarAppl10.exe"
else
printf "%s\n" "wixl not found in \$PATH"
printf "%s\n" "tests for MSI files skipped, please install wixl or msitools package depending on your OS"
fi
fi
# CAT files support
if test -s "../sources/good.cat"
then
cp "../sources/good.cat" "notsigned/good.cat"
fi
# TXT files support
if test -s "../sources/utf8.ps1"
then
cp "../sources/utf8.ps1" "notsigned/utf8.ps1"
fi
if test -s "../sources/utf8bom.ps1"
then
cp "../sources/utf8bom.ps1" "notsigned/utf8bom.ps1"
fi
if test -s "../sources/utf16le.ps1"
then
cp "../sources/utf16le.ps1" "notsigned/utf16le.ps1"
fi
# Timestamping support
if grep -q "no libcurl available" "results.log"
then
printf "%s\n" "configure --with-curl is required for timestamping support"
fi
# Tests requirements
if test -n "$(command -v faketime)"
then
if test -n "$(command -v xxd)"
then
make_tests
result=$?
rm -r -f "notsigned/" "sha256sum/"
rm -f sign_[1-9].pem sign_[1-9].der
rm -f "verify.log"
else
printf "%s\n" "xxd not found in \$PATH"
printf "%s\n" "tests skipped, please install vim-common package"
fi
else
printf "%s\n" "faketime not found in \$PATH"
printf "%s\n" "tests skipped, please install faketime package"
fi
exit $result

44
tests/testsign.sh
View File

@ -1,5 +1,11 @@
#!/bin/sh #!/bin/sh
if [ -z "$(command -v keytool)" ]; then
printf "%s\n" "keytool was not found in the \$PATH"
printf "%s\n" "Please install the default-jre-headless package"
exit 1
fi
rm -f putty*.exe rm -f putty*.exe
PUTTY_URL="http://the.earth.li/~sgtatham/putty/0.64/x86/putty.exe" PUTTY_URL="http://the.earth.li/~sgtatham/putty/0.64/x86/putty.exe"
@ -14,7 +20,12 @@ fi
rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem
keytool -genkey \ keytool -genkey \
-alias selfsigned -keysize 2048 -keyalg RSA -keypass passme -storepass passme -keystore key.ks << EOF -alias selfsigned \
-keysize 2048 \
-keyalg RSA \
-keypass passme \
-storepass passme \
-keystore key.ks << EOF
John Doe John Doe
ACME In ACME In
ACME ACME
@ -24,11 +35,17 @@ SE
yes yes
EOF EOF
echo "Converting key/cert to PKCS12 container" echo "Converting key/cert to PKCS12 container"
keytool -importkeystore \ keytool -importkeystore \
-srckeystore key.ks -srcstoretype JKS -srckeypass passme -srcstorepass passme -srcalias selfsigned \ -srckeystore key.ks \
-destkeystore key.p12 -deststoretype PKCS12 -destkeypass passme -deststorepass passme -srcstoretype JKS \
-srckeypass passme \
-srcstorepass passme \
-srcalias selfsigned \
-destkeystore key.p12 \
-deststoretype PKCS12 \
-destkeypass passme \
-deststorepass passme
rm -f key.ks rm -f key.ks
@ -46,7 +63,7 @@ openssl pkcs12 -in key.p12 -passin pass:passme -nokeys -out cert.pem
echo "Converting cert to SPC format" echo "Converting cert to SPC format"
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc
make -C ..
../osslsigncode sign -spc cert.spc -key key.pem putty.exe putty1.exe ../osslsigncode sign -spc cert.spc -key key.pem putty.exe putty1.exe
../osslsigncode sign -certs cert.spc -key keyp.pem -pass passme putty.exe putty2.exe ../osslsigncode sign -certs cert.spc -key keyp.pem -pass passme putty.exe putty2.exe
../osslsigncode sign -certs cert.pem -key keyp.pem -pass passme putty.exe putty3.exe ../osslsigncode sign -certs cert.pem -key keyp.pem -pass passme putty.exe putty3.exe
@ -56,19 +73,18 @@ openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc
rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem
echo "" echo
echo ""
check=`sha1sum putty[1-9]*.exe | cut -d' ' -f1 | uniq | wc -l` check=`sha1sum putty[1-9]*.exe | cut -d' ' -f1 | uniq | wc -l`
cmp putty1.exe putty2.exe && \ cmp putty1.exe putty2.exe && \
cmp putty2.exe putty3.exe && \ cmp putty2.exe putty3.exe && \
cmp putty3.exe putty4.exe && \ cmp putty3.exe putty4.exe && \
cmp putty4.exe putty5.exe && \ cmp putty4.exe putty5.exe && \
cmp putty5.exe putty6.exe cmp putty5.exe putty6.exe
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Failure is not an option." echo "Failure is not an option."
exit 1
else else
echo "Yes, it works." echo "Yes, it works."
fi fi