nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-07-02 19:22:47 -05:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: nhyatt:2.2
Branches Tags
nhyatt:master
nhyatt:2.10 nhyatt:2.9 nhyatt:2.8 nhyatt:2.7 nhyatt:2.6 nhyatt:2.5 nhyatt:2.4 nhyatt:2.3 nhyatt:2.2 nhyatt:2.1 nhyatt:2.0
...
compare: nhyatt:2.3
Branches Tags
nhyatt:master
nhyatt:2.10 nhyatt:2.9 nhyatt:2.8 nhyatt:2.7 nhyatt:2.6 nhyatt:2.5 nhyatt:2.4 nhyatt:2.3 nhyatt:2.2 nhyatt:2.1 nhyatt:2.0

37 Commits
2.2 ... 2.3

Author SHA1 Message Date
Michał Trojnara
73d7cf011e release 2.3 
Signed-off-by: Michał Trojnara <Michal.Trojnara@stunnel.org>
 2022-03-06 20:11:25 +01:00
Michał Trojnara
7affd85c46 Fix non-interactive PVK (MSBLOB) key decryption 
Fix #130
 2022-03-06 18:54:51 +01:00
Michał Trojnara
d8a182614c remove trailing tabulators 2022-03-06 17:41:36 +01:00
olszomal
ac672640be Clean up arrays (#139) 
- move large arrays to the heap
 - use the `const` type qualifier with constant arrays
 2022-03-06 16:50:23 +01:00
olszomal
5d68e8699a update change log 2022-02-28 19:50:39 +01:00
olszomal
b48458499b fix pe_calc_checksum bufor 
revert part of 45fedd9e50
 2022-02-28 19:50:39 +01:00
olszomal
4731667c35 msi const names 2022-02-25 21:42:24 +01:00
olszomal
85594d9fb2 fix memory leak 2022-02-25 21:42:24 +01:00
olszomal
5f60cc6563 use msi_dirent_free() when failed to parse the MSI_DIRENT structure 2022-02-25 21:42:24 +01:00
olszomal
77b2b30d1f check Root Directory Entry's Name 2022-02-25 21:42:24 +01:00
olszomal
e0d652b987 timestamp error 2022-02-24 23:08:24 +01:00
Michał Trojnara
b774a56aa9 Floyd's cycle-finding algorithm 2022-02-23 22:35:40 +01:00
Michał Trojnara
6eaf0d9368 fixed MSI recursion loop detection 2022-02-22 18:56:20 +01:00
olszomal
d471b51db5 add only a non-stream child to the tree 2022-02-22 18:16:21 +01:00
olszomal
7b12abf21f NOSTREAM error handling 2022-02-22 18:16:21 +01:00
olszomal
f248286d6f verify corrupted SpcPeImageData struct 2022-02-22 18:16:21 +01:00
olszomal
5db237f242 Revert "verbose msi file verification errors" 
This reverts commit 4eeeec32b4.
 2022-02-22 18:16:21 +01:00
Michał Trojnara
95c5a4451b simplify MSI parsing recursion 2022-02-22 10:08:15 +01:00
olszomal
f0207411b9 fix parse MSI_FILE_HDR struct 2022-02-21 19:24:32 +01:00
Michał Trojnara
aef958f880 modelines 2022-02-19 17:07:51 +01:00
Michał Trojnara
a6d3be739e detect recursion loop 2022-02-18 22:33:03 +01:00
olszomal
4eeeec32b4 verbose msi file verification errors 2022-02-18 18:54:48 +01:00
olszomal
ce196ce147 improve cab files verification 2022-02-18 18:54:48 +01:00
olszomal
289c345280 fix double free in msi_dirent_new() 2022-02-18 18:54:48 +01:00
olszomal
bdea1d1c2a fixed MSI_DIRENT structure parsing 2022-02-17 15:37:15 +01:00
olszomal
45fedd9e50 Fix more fuzzer errors 2022-02-11 23:32:27 +01:00
olszomal
e177ded9a5 Fix some fuzzer errors and VS2022 compiler warnings and errors 2022-02-04 17:35:46 +01:00
olszomal
5a2d0affc1 validate both header->sigpos and header->siglen 2022-01-30 22:14:21 +01:00
olszomal
5afafecc23 check a signature length in the WIN_CERTIFICATE structure 2022-01-30 22:14:21 +01:00
olszomal
07bf24911d Add bash completion script (#125) 2022-01-11 20:46:52 +01:00
Stephen Kitt
357747d2fc Typo fix: Errror 
Signed-off-by: Stephen Kitt <steve@sk2.org>
 2021-12-26 22:00:53 +01:00
olszomal
28f6ffbc42 Return the number of failed tests from make_tests 2021-12-26 21:58:44 +01:00
olszomal
fb75eee385 Put the pkcs11cert option in the usage syntax 2021-12-26 21:58:04 +01:00
olszomal
6e2fb03b7b Edit Windows install notes 2021-12-26 21:58:04 +01:00
olszomal
46d43d70b3 Test certificates support requirements of openssl 3.0: 
- AES-256-CBC encryption algorithm for PKCS#12 files
- required configuration file options
Export LD_LIBRARY_PATH
 2021-12-26 21:58:04 +01:00
olszomal
407579ca58 CA bundle auto-detection 2021-12-26 21:57:07 +01:00
olszomal
96df1a709f libcurl development package availability 2021-12-21 20:07:10 +01:00
14 changed files with 1151 additions and 661 deletions
Expand all files Collapse all files

39
INSTALL.W32.md
View File

@ -3,36 +3,31 @@
### Building osslsigncode source with MSYS2 MinGW 64-bit and MSYS2 packages:
1) Download and install MSYS2 from https://msys2.github.io/ and follow installation instructions.
Once up and running install even mingw-w64-x86_64-gcc, mingw-w64-x86_64-curl, mingw-w64-x86_64-libgsf.
Once up and running install even mingw-w64-x86_64-gcc, mingw-w64-x86_64-curl.
```
pacman -S mingw-w64-x86_64-gcc mingw-w64-x86_64-curl mingw-w64-x86_64-libgsf
pacman -S mingw-w64-x86_64-gcc mingw-w64-x86_64-curl
```
mingw-w64-x86_64-openssl and mingw-w64-x86_64-zlib packages are installed with dependencies.
2) Run "MSYS2 MinGW 64-bit" and build 64-bit Windows executables.
```
cd osslsigncode-folder
x86_64-w64-mingw32-gcc osslsigncode.c msi.c -o osslsigncode.exe \
-lcrypto -lssl -lcurl -lgsf-1 -lgobject-2.0 -lglib-2.0 -lxml2 \
-I 'C:/msys64/mingw64/include/libgsf-1' \
-I 'C:/msys64/mingw64/include/glib-2.0' \
-I 'C:/msys64/mingw64/lib/glib-2.0/include' \
-D 'PACKAGE_STRING="osslsigncode 2.1.0"' \
x86_64-w64-mingw32-gcc osslsigncode.c msi.c msi.h -o osslsigncode.exe \
-lcrypto -lssl -lcurl \
-D 'PACKAGE_STRING="osslsigncode 2.3"' \
-D 'PACKAGE_BUGREPORT="Michal.Trojnara@stunnel.org"' \
-D ENABLE_CURL \
-D WITH_GSF
-D ENABLE_CURL
```
3) Run "Command prompt" and include "c:\msys64\mingw64\bin" folder as part of the path.
```
path=%path%;c:\msys64\mingw64\bin
cd osslsigncode-folder
osslsigncode.exe -v
osslsigncode 2.1.0, using:
OpenSSL 1.1.1g 21 Apr 2020
libcurl/7.70.0 OpenSSL/1.1.1g (Schannel) zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0
libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.40.0 libgsf 1.14.46
osslsigncode 2.3, using:
OpenSSL 1.1.1g 21 Apr 2020 (Library: OpenSSL 1.1.1g 21 Apr 2020)
libcurl/7.70.0 OpenSSL/1.1.1g (Schannel) zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0
libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.40.0
```
@ -68,19 +63,20 @@
--disable-ftp --disable-tftp --disable-file --disable-dict \
--disable-telnet --disable-imap --disable-smb --disable-smtp \
--disable-gopher --disable-pop --disable-pop3 --disable-rtsp \
--disable-ldap --disable-ldaps --disable-unix-sockets --disable-pthreads
--disable-ldap --disable-ldaps --disable-unix-sockets \
--disable-pthreads --without-zstd
make && make install
```
3) Build 64-bit Windows executables.
```
cd osslsigncode-folder
x86_64-w64-mingw32-gcc osslsigncode.c -o osslsigncode.exe \
x86_64-w64-mingw32-gcc osslsigncode.c msi.c msi.h -o osslsigncode.exe \
-L 'C:/OpenSSL/lib/' -lcrypto -lssl \
-I 'C:/OpenSSL/include/' \
-L 'C:/curl/lib' -lcurl \
-I 'C:/curl/include' \
-D 'PACKAGE_STRING="osslsigncode 2.1.0"' \
-D 'PACKAGE_STRING="osslsigncode 2.3"' \
-D 'PACKAGE_BUGREPORT="Michal.Trojnara@stunnel.org"' \
-D ENABLE_CURL
```
@ -94,8 +90,7 @@
copy C:\msys64\mingw64\bin\zlib1.dll
osslsigncode.exe -v
osslsigncode 2.1.0, using:
OpenSSL 1.1.1g 21 Apr 2020
libcurl/7.70.0 OpenSSL/1.1.1g zlib/1.2.11
no libgsf available
osslsigncode 2.3, using:
OpenSSL 1.1.1k 25 Mar 2021 (Library: OpenSSL 1.1.1k 25 Mar 2021)
libcurl/7.78.0 OpenSSL/1.1.1k zlib/1.2.11
```

5
Makefile.am
View File

@ -14,3 +14,8 @@ bin_PROGRAMS = osslsigncode
osslsigncode_SOURCES = osslsigncode.c msi.c msi.h
osslsigncode_LDADD = $(OPENSSL_LIBS) $(OPTIONAL_LIBCURL_LIBS)
# bash completion script
AM_DISTCHECK_CONFIGURE_FLAGS = --with-bashcompdir='$$(datarootdir)/bash-completion/completions'
bashcompdir = @bashcompdir@
dist_bashcomp_DATA = osslsigncode.bash

17
NEWS.md
View File

@ -1,3 +1,20 @@
# osslsigncode change log
### 2.3 (2022.03.06)
**CRITICAL SECURITY VULNERABILITIES**
This release fixes several critical memory corruption vulnerabilities.
A malicious attacker could create a file, which, when processed with
osslsigncode, triggers arbitrary code execution. Any previous version
of osslsigncode should be immediately upgraded if the tool is used for
processing of untrusted files.
- fixed several memory safety issues
- fixed non-interactive PVK (MSBLOB) key decryption
- added a bash completion script
- added CA bundle path auto-detection
### 2.2 (2021.08.15)
- CAT files support (thanks to James McKenzie)

21
configure.ac
View File

@ -1,12 +1,21 @@
AC_PREREQ(2.60)
AC_INIT([osslsigncode], [2.2.0], [Michal.Trojnara@stunnel.org])
AC_INIT([osslsigncode], [2.3.0], [Michal.Trojnara@stunnel.org])
AC_CONFIG_AUX_DIR([.])
AC_CONFIG_HEADERS([config.h])
AM_INIT_AUTOMAKE
AC_CONFIG_SRCDIR([osslsigncode.c])
# bash completion support
AC_ARG_WITH([bashcompdir],
AS_HELP_STRING([--with-bashcompdir=DIR], [directory for bash completions]), ,
[PKG_CHECK_VAR([with_bashcompdir], [bash-completion], [completionsdir], ,
[with_bashcompdir="${datarootdir}/bash-completion/completions"])])
AC_MSG_CHECKING([for bashcompdir])
AC_MSG_RESULT([$with_bashcompdir])
AC_SUBST([bashcompdir], [$with_bashcompdir])
dnl Checks for programs.
AC_PROG_CC
AC_USE_SYSTEM_EXTENSIONS
@ -109,7 +118,13 @@ PKG_CHECK_MODULES(
)
if test "${with_curl}" = "yes"; then
test -z "${LIBCURL_LIBS}" && AC_MSG_ERROR([Curl 7.12.0 or later is required for timestamping support. http://curl.haxx.se/])
test -z "${LIBCURL_LIBS}" && AC_MSG_ERROR(m4_normalize([
Curl 7.12.0 or later required for timestamping support http://curl.haxx.se/
m4_newline() or libcurl development package not found, try installing:
m4_newline() * libcurl4-openssl-dev (Debian, Ubuntu)
m4_newline() * libcurl-devel (Fedora, CentOS, RHEL)
m4_newline() * libcurl_dev (Solaris)
]))
OPTIONAL_LIBCURL_CFLAGS="${LIBCURL_CFLAGS}"
OPTIONAL_LIBCURL_LIBS="${LIBCURL_LIBS}"
AC_DEFINE([ENABLE_CURL], [1], [libcurl is enabled])
@ -118,8 +133,6 @@ fi
AC_SUBST([OPTIONAL_LIBCURL_CFLAGS])
AC_SUBST([OPTIONAL_LIBCURL_LIBS])
AC_DEFINE_UNQUOTED([CA_BUNDLE_PATH], ["$(curl-config --ca 2>/dev/null)"], [CA bundle install path])
AC_CONFIG_FILES([Makefile])
AC_OUTPUT

463
msi.c
View File

@ -15,19 +15,22 @@
#define MIN(a,b) ((a) < (b) ? a : b)
static int recurse_entry(MSI_FILE *msi, uint32_t entryID, MSI_DIRENT *parent);
/* Get absolute address from sector and offset */
static const u_char *sector_offset_to_address(MSI_FILE *msi, size_t sector, size_t offset)
static const u_char *sector_offset_to_address(MSI_FILE *msi, uint32_t sector, uint32_t offset)
{
if (sector >= MAXREGSECT || offset >= msi->m_sectorSize ||
msi->m_bufferLen <= msi->m_sectorSize * sector + msi->m_sectorSize + offset) {
if (sector >= MAXREGSECT || offset >= msi->m_sectorSize
|| (msi->m_bufferLen - offset) / msi->m_sectorSize <= sector) {
printf("Corrupted file\n");
return NULL; /* FAILED */
}
return msi->m_buffer + msi->m_sectorSize + msi->m_sectorSize * sector + offset;
return msi->m_buffer + (sector + 1) * msi->m_sectorSize + offset;
}
static size_t get_fat_sector_location(MSI_FILE *msi, size_t fatSectorNumber)
static uint32_t get_fat_sector_location(MSI_FILE *msi, uint32_t fatSectorNumber)
{
size_t entriesPerSector, difatSectorLocation;
uint32_t entriesPerSector, difatSectorLocation;
const u_char *address;
if (fatSectorNumber < DIFAT_IN_HEADER) {
@ -39,40 +42,68 @@ static size_t get_fat_sector_location(MSI_FILE *msi, size_t fatSectorNumber)
while (fatSectorNumber >= entriesPerSector) {
fatSectorNumber -= entriesPerSector;
address = sector_offset_to_address(msi, difatSectorLocation, msi->m_sectorSize - 4);
if (!address) {
printf("Failed to get a next sector address\n");
return NOSTREAM; /* FAILED */
}
difatSectorLocation = GET_UINT32_LE(address);
}
return GET_UINT32_LE(sector_offset_to_address(msi, difatSectorLocation, fatSectorNumber * 4));
address = sector_offset_to_address(msi, difatSectorLocation, fatSectorNumber * 4);
if (!address) {
printf("Failed to get a next sector address\n");
return NOSTREAM; /* FAILED */
}
return GET_UINT32_LE(address);
}
}
/* Lookup FAT */
static size_t get_next_sector(MSI_FILE *msi, size_t sector)
static uint32_t get_next_sector(MSI_FILE *msi, uint32_t sector)
{
size_t entriesPerSector = msi->m_sectorSize / 4;
size_t fatSectorNumber = sector / entriesPerSector;
size_t fatSectorLocation = get_fat_sector_location(msi, fatSectorNumber);
return GET_UINT32_LE(sector_offset_to_address(msi, fatSectorLocation, sector % entriesPerSector * 4));
const u_char *address;
uint32_t entriesPerSector = msi->m_sectorSize / 4;
uint32_t fatSectorNumber = sector / entriesPerSector;
uint32_t fatSectorLocation = get_fat_sector_location(msi, fatSectorNumber);
if (fatSectorLocation == NOSTREAM) {
printf("Failed to get a fat sector location\n");
return NOSTREAM; /* FAILED */
}
address = sector_offset_to_address(msi, fatSectorLocation, sector % entriesPerSector * 4);
if (!address) {
printf("Failed to get a next sector address\n");
return NOSTREAM; /* FAILED */
}
return GET_UINT32_LE(address);
}
/* Locate the final sector/offset when original offset expands multiple sectors */
static void locate_final_sector(MSI_FILE *msi, size_t sector, size_t offset, size_t *finalSector, size_t *finalOffset)
static int locate_final_sector(MSI_FILE *msi, uint32_t sector, uint32_t offset, uint32_t *finalSector, uint32_t *finalOffset)
{
while (offset >= msi->m_sectorSize) {
offset -= msi->m_sectorSize;
sector = get_next_sector(msi, sector);
if (sector == NOSTREAM) {
printf("Failed to get a next sector\n");
return 0; /* FAILED */
}
}
*finalSector = sector;
*finalOffset = offset;
return 1; /* OK */
}
/* Get absolute address from mini sector and offset */
static const u_char *mini_sector_offset_to_address(MSI_FILE *msi, size_t sector, size_t offset)
static const u_char *mini_sector_offset_to_address(MSI_FILE *msi, uint32_t sector, uint32_t offset)
{
if (sector >= MAXREGSECT || offset >= msi->m_minisectorSize ||
msi->m_bufferLen <= msi->m_minisectorSize * sector + offset) {
(msi->m_bufferLen - offset) / msi->m_minisectorSize <= sector) {
printf("Corrupted file\n");
return NULL; /* FAILED */
}
if (!locate_final_sector(msi, msi->m_miniStreamStartSector, sector * msi->m_minisectorSize + offset, &sector, &offset)) {
printf("Failed to locate a final sector\n");
return NULL; /* FAILED */
}
locate_final_sector(msi, msi->m_miniStreamStartSector, sector * msi->m_minisectorSize + offset, &sector, &offset);
return sector_offset_to_address(msi, sector, offset);
}
@ -80,66 +111,109 @@ static const u_char *mini_sector_offset_to_address(MSI_FILE *msi, size_t sector,
* Copy as many as possible in each step
* copylen typically iterate as: msi->m_sectorSize - offset --> msi->m_sectorSize --> msi->m_sectorSize --> ... --> remaining
*/
static int read_stream(MSI_FILE *msi, size_t sector, size_t offset, char *buffer, size_t len)
static int read_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, char *buffer, uint32_t len)
{
locate_final_sector(msi, sector, offset, &sector, &offset);
if (!locate_final_sector(msi, sector, offset, &sector, &offset)) {
printf("Failed to locate a final sector\n");
return 0; /* FAILED */
}
while (len > 0) {
const u_char *address = sector_offset_to_address(msi, sector, offset);
size_t copylen = MIN(len, msi->m_sectorSize - offset);
const u_char *address;
uint32_t copylen;
address = sector_offset_to_address(msi, sector, offset);
if (!address) {
printf("Failed to get a next sector address\n");
return 0; /* FAILED */
}
copylen = MIN(len, msi->m_sectorSize - offset);
if (msi->m_buffer + msi->m_bufferLen < address + copylen) {
printf("Corrupted file\n");
return 0; /* FAILED */
}
memcpy(buffer, address, copylen);
buffer += copylen;
len -= copylen;
sector = get_next_sector(msi, sector);
if (sector == 0) {
printf("Failed to get a next sector\n");
return 0; /* FAILED */
}
offset = 0;
}
return 1;
return 1; /* OK */
}
/* Lookup miniFAT */
static size_t get_next_mini_sector(MSI_FILE *msi, size_t miniSector)
static uint32_t get_next_mini_sector(MSI_FILE *msi, uint32_t miniSector)
{
size_t sector, offset;
locate_final_sector(msi, msi->m_hdr->firstMiniFATSectorLocation, miniSector * 4, &sector, &offset);
return GET_UINT32_LE(sector_offset_to_address(msi, sector, offset));
uint32_t sector, offset;
const u_char *address;
if (!locate_final_sector(msi, msi->m_hdr->firstMiniFATSectorLocation, miniSector * 4, &sector, &offset)) {
printf("Failed to locate a final sector\n");
return NOSTREAM; /* FAILED */
}
address = sector_offset_to_address(msi, sector, offset);
if (!address) {
printf("Failed to get a next mini sector address\n");
return NOSTREAM; /* FAILED */
}
return GET_UINT32_LE(address);
}
static void locate_final_mini_sector(MSI_FILE *msi, size_t sector, size_t offset, size_t *finalSector, size_t *finalOffset)
static int locate_final_mini_sector(MSI_FILE *msi, uint32_t sector, uint32_t offset, uint32_t *finalSector, uint32_t *finalOffset)
{
while (offset >= msi->m_minisectorSize) {
offset -= msi->m_minisectorSize;
sector = get_next_mini_sector(msi, sector);
if (sector == NOSTREAM) {
printf("Failed to get a next mini sector\n");
return 0; /* FAILED */
}
}
*finalSector = sector;
*finalOffset = offset;
return 1; /* OK */
}
/* Same logic as "read_stream" except that use mini stream functions instead */
static int read_mini_stream(MSI_FILE *msi, size_t sector, size_t offset, char *buffer, size_t len)
static int read_mini_stream(MSI_FILE *msi, uint32_t sector, uint32_t offset, char *buffer, uint32_t len)
{
locate_final_mini_sector(msi, sector, offset, &sector, &offset);
if (!locate_final_mini_sector(msi, sector, offset, &sector, &offset)) {
printf("Failed to locate a final mini sector\n");
return 0; /* FAILED */
}
while (len > 0) {
const u_char *address = mini_sector_offset_to_address(msi, sector, offset);
size_t copylen = MIN(len, msi->m_minisectorSize - offset);
if (!address || msi->m_buffer + msi->m_bufferLen < address + copylen) {
const u_char *address;
uint32_t copylen;
address = mini_sector_offset_to_address(msi, sector, offset);
if (!address) {
printf("Failed to get a next mini sector address\n");
return 0; /* FAILED */
}
copylen = MIN(len, msi->m_minisectorSize - offset);
if (msi->m_buffer + msi->m_bufferLen < address + copylen) {
printf("Corrupted file\n");
return 0; /* FAILED */
}
memcpy(buffer, address, copylen);
buffer += copylen;
len -= copylen;
sector = get_next_mini_sector(msi, sector);
if (sector == NOSTREAM) {
printf("Failed to get a next mini sector\n");
return 0; /* FAILED */
}
offset = 0;
}
return 1;
return 1; /* OK */
}
/*
* Get file (stream) data start with "offset".
* The buffer must have enough space to store "len" bytes. Typically "len" is derived by the steam length.
*/
int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, size_t offset, char *buffer, size_t len)
int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, uint32_t offset, char *buffer, uint32_t len)
{
if (len < msi->m_hdr->miniStreamCutoffSize) {
if (!read_mini_stream(msi, entry->startSectorLocation, offset, buffer, len))
@ -148,43 +222,108 @@ int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, size_t offset, char *buffer,
if (!read_stream(msi, entry->startSectorLocation, offset, buffer, len))
return 0; /* FAILED */
}
return 1;
return 1; /* OK */
}
/* Parse MSI_FILE_HDR struct */
static MSI_FILE_HDR *parse_header(char *data)
{
MSI_FILE_HDR *header = (MSI_FILE_HDR *)OPENSSL_malloc(HEADER_SIZE);
if (!data) {
/* initialise 512 bytes */
memset(header, 0, sizeof(MSI_FILE_HDR));
} else {
memcpy(header->signature, data + HEADER_SIGNATURE, sizeof header->signature);
header->minorVersion = GET_UINT16_LE(data + HEADER_MINOR_VER);
header->majorVersion = GET_UINT16_LE(data + HEADER_MAJOR_VER);
header->byteOrder = GET_UINT16_LE(data + HEADER_BYTE_ORDER);
header->sectorShift = GET_UINT16_LE(data + HEADER_SECTOR_SHIFT);
header->miniSectorShift = GET_UINT16_LE(data + HEADER_MINI_SECTOR_SHIFT);
header->numDirectorySector = GET_UINT32_LE(data + HEADER_DIR_SECTORS_NUM);
header->numFATSector = GET_UINT32_LE(data + HEADER_FAT_SECTORS_NUM);
header->firstDirectorySectorLocation = GET_UINT32_LE(data + HEADER_DIR_SECTOR_LOC);
header->transactionSignatureNumber = GET_UINT32_LE(data + HEADER_TRANSACTION);
header->miniStreamCutoffSize = GET_UINT32_LE(data + HEADER_MINI_STREAM_CUTOFF);
header->firstMiniFATSectorLocation = GET_UINT32_LE(data + HEADER_MINI_FAT_SECTOR_LOC);
header->numMiniFATSector = GET_UINT32_LE(data + HEADER_MINI_FAT_SECTORS_NUM);
header->firstDIFATSectorLocation = GET_UINT32_LE(data + HEADER_DIFAT_SECTOR_LOC);
header->numDIFATSector = GET_UINT32_LE(data + HEADER_DIFAT_SECTORS_NUM);
memcpy(header->headerDIFAT, data + HEADER_DIFAT, sizeof header->headerDIFAT);
/* initialise 512 bytes */
memset(header, 0, sizeof(MSI_FILE_HDR));
memcpy(header->signature, data + HEADER_SIGNATURE, sizeof header->signature);
/* Minor Version field SHOULD be set to 0x003E. */
header->minorVersion = GET_UINT16_LE(data + HEADER_MINOR_VER);
if (header->minorVersion !=0x003E ) {
printf("Warning: Minor Version field SHOULD be 0x003E, but is: 0x%04X\n", header->minorVersion);
}
/* Major Version field MUST be set to either 0x0003 (version 3) or 0x0004 (version 4). */
header->majorVersion = GET_UINT16_LE(data + HEADER_MAJOR_VER);
if (header->majorVersion != 0x0003 && header->majorVersion != 0x0004) {
printf("Unknown Major Version: 0x%04X\n", header->majorVersion);
OPENSSL_free(header);
return NULL; /* FAILED */
}
/* Byte Order field MUST be set to 0xFFFE, specifies little-endian byte order. */
header->byteOrder = GET_UINT16_LE(data + HEADER_BYTE_ORDER);
if (header->byteOrder != 0xFFFE) {
printf("Unknown Byte Order: 0x%04X\n", header->byteOrder);
OPENSSL_free(header);
return NULL; /* FAILED */
}
/* Sector Shift field MUST be set to 0x0009, or 0x000c, depending on the Major Version field.
* This field specifies the sector size of the compound file as a power of 2. */
header->sectorShift = GET_UINT16_LE(data + HEADER_SECTOR_SHIFT);
if ((header->majorVersion == 0x0003 && header->sectorShift != 0x0009) ||
(header->majorVersion == 0x0004 && header->sectorShift != 0x000C)) {
printf("Unknown Sector Shift: 0x%04X\n", header->sectorShift);
OPENSSL_free(header);
return NULL; /* FAILED */
}
/* Mini Sector Shift field MUST be set to 0x0006.
* This field specifies the sector size of the Mini Stream as a power of 2.
* The sector size of the Mini Stream MUST be 64 bytes. */
header->miniSectorShift = GET_UINT16_LE(data + HEADER_MINI_SECTOR_SHIFT);
if (header->miniSectorShift != 0x0006) {
printf("Unknown Mini Sector Shift: 0x%04X\n", header->miniSectorShift);
OPENSSL_free(header);
return NULL; /* FAILED */
}
/* Number of Directory Sectors field contains the count of the number
* of directory sectors in the compound file.
* If Major Version is 3, the Number of Directory Sectors MUST be zero. */
header->numDirectorySector = GET_UINT32_LE(data + HEADER_DIR_SECTORS_NUM);
if (header->majorVersion == 0x0003 && header->numDirectorySector != 0x00000000) {
printf("Unsupported Number of Directory Sectors: 0x%08X\n", header->numDirectorySector);
OPENSSL_free(header);
return NULL; /* FAILED */
}
header->numFATSector = GET_UINT32_LE(data + HEADER_FAT_SECTORS_NUM);
header->firstDirectorySectorLocation = GET_UINT32_LE(data + HEADER_DIR_SECTOR_LOC);
header->transactionSignatureNumber = GET_UINT32_LE(data + HEADER_TRANSACTION);
/* Mini Stream Cutoff Size field MUST be set to 0x00001000.
* This field specifies the maximum size of a user-defined data stream that is allocated
* from the mini FAT and mini stream, and that cutoff is 4,096 bytes.
* Any user-defined data stream that is greater than or equal to this cutoff size
* must be allocated as normal sectors from the FAT. */
header->miniStreamCutoffSize = GET_UINT32_LE(data + HEADER_MINI_STREAM_CUTOFF);
if (header->miniStreamCutoffSize != 0x00001000) {
printf("Unsupported Mini Stream Cutoff Size: 0x%08X\n", header->miniStreamCutoffSize);
OPENSSL_free(header);
return NULL; /* FAILED */
}
header->firstMiniFATSectorLocation = GET_UINT32_LE(data + HEADER_MINI_FAT_SECTOR_LOC);
header->numMiniFATSector = GET_UINT32_LE(data + HEADER_MINI_FAT_SECTORS_NUM);
header->firstDIFATSectorLocation = GET_UINT32_LE(data + HEADER_DIFAT_SECTOR_LOC);
header->numDIFATSector = GET_UINT32_LE(data + HEADER_DIFAT_SECTORS_NUM);
memcpy(header->headerDIFAT, data + HEADER_DIFAT, sizeof header->headerDIFAT);
return header;
}
/* Parse MSI_ENTRY struct */
static MSI_ENTRY *parse_entry(const u_char *data)
static MSI_ENTRY *parse_entry(MSI_FILE *msi, const u_char *data, int is_root)
{
uint32_t inlen;
MSI_ENTRY *entry = (MSI_ENTRY *)OPENSSL_malloc(sizeof(MSI_ENTRY));
/* initialise 128 bytes */
memset(entry, 0, sizeof(MSI_ENTRY));
entry->nameLen = GET_UINT16_LE(data + DIRENT_NAME_LEN);
/* This length MUST NOT exceed 64, the maximum size of the Directory Entry Name field */
if (entry->nameLen == 0 || entry->nameLen > 64) {
printf("Corrupted Directory Entry Name Length\n");
OPENSSL_free(entry);
return NULL; /* FAILED */
}
memcpy(entry->name, data + DIRENT_NAME, entry->nameLen);
/* The root directory entry's Name field MUST contain the null-terminated
* string "Root Entry" in Unicode UTF-16. */
if (is_root && memcmp(entry->name, msi_root_entry, entry->nameLen)) {
printf("Corrupted Root Directory Entry's Name\n");
OPENSSL_free(entry);
return NULL; /* FAILED */
}
entry->type = GET_UINT8_LE(data + DIRENT_TYPE);
entry->colorFlag = GET_UINT8_LE(data + DIRENT_COLOUR);
entry->leftSiblingID = GET_UINT32_LE(data + DIRENT_LEFT_SIBLING_ID);
@ -193,9 +332,25 @@ static MSI_ENTRY *parse_entry(const u_char *data)
memcpy(entry->clsid, data + DIRENT_CLSID, 16);
memcpy(entry->stateBits, data + DIRENT_STATE_BITS, 4);
memcpy(entry->creationTime, data + DIRENT_CREATE_TIME, 8);
/* The Creation Time field in the root storage directory entry MUST be all zeroes
but the Modified Time field in the root storage directory entry MAY be all zeroes */
if (is_root && memcmp(entry->creationTime, msi_zeroes, 8)) {
printf("Corrupted Root Directory Entry's Creation Time\n");
OPENSSL_free(entry);
return NULL; /* FAILED */
}
memcpy(entry->modifiedTime, data + DIRENT_MODIFY_TIME, 8);
entry->startSectorLocation = GET_UINT32_LE(data + DIRENT_START_SECTOR_LOC);
memcpy(entry->size, data + DIRENT_FILE_SIZE, 8);
/* For a version 3 compound file 512-byte sector size, the value of this field
MUST be less than or equal to 0x80000000 */
inlen = GET_UINT32_LE(entry->size);
if ((msi->m_sectorSize == 0x0200 && inlen > 0x80000000)
|| (msi->m_bufferLen <= inlen)) {
printf("Corrupted Stream Size 0x%08X\n", inlen);
OPENSSL_free(entry);
return NULL; /* FAILED */
}
return entry;
}
@ -204,63 +359,86 @@ static MSI_ENTRY *parse_entry(const u_char *data)
* Pass "0" to get the root directory entry. -- This is the start point to navigate the compound file.
* Use the returned object to access child entries.
*/
static MSI_ENTRY *get_entry(MSI_FILE *msi, size_t entryID)
static MSI_ENTRY *get_entry(MSI_FILE *msi, uint32_t entryID, int is_root)
{
size_t sector = 0;
size_t offset = 0;
uint32_t sector = 0;
uint32_t offset = 0;
const u_char *address;
/* The special value NOSTREAM (0xFFFFFFFF) is used as a terminator */
if (entryID == NOSTREAM) {
/* Corrupted file */
if (!is_root && entryID == 0) {
printf("Corrupted entryID\n");
return NULL; /* FAILED */
}
if (msi->m_bufferLen / sizeof(MSI_ENTRY) <= entryID) {
printf("Invalid argument entryID\n");
return NULL; /* FAILED */
}
locate_final_sector(msi, msi->m_hdr->firstDirectorySectorLocation, entryID * sizeof(MSI_ENTRY), &sector, &offset);
/* The first entry in the first sector of the directory chain is known as
the root directory entry so it can not contain the directory stream */
if (msi->m_hdr->firstDirectorySectorLocation == 0 && entryID == 0) {
printf("Corrupted First Directory Sector Location\n");
return NULL; /* FAILED */
}
if (!locate_final_sector(msi, msi->m_hdr->firstDirectorySectorLocation,
entryID * sizeof(MSI_ENTRY), &sector, &offset)) {
printf("Failed to locate a final sector\n");
return NULL; /* FAILED */
}
address = sector_offset_to_address(msi, sector, offset);
return parse_entry(address);
if (!address) {
printf("Failed to get a final address\n");
return NULL; /* FAILED */
}
return parse_entry(msi, address, is_root);
}
MSI_ENTRY *msi_root_entry_get(MSI_FILE *msi)
{
return get_entry(msi, 0);
return get_entry(msi, 0, TRUE);
}
/* Parse MSI_FILE struct */
MSI_FILE *msi_file_new(char *buffer, size_t len)
MSI_FILE *msi_file_new(char *buffer, uint32_t len)
{
MSI_FILE *msi;
MSI_ENTRY *root;
MSI_FILE_HDR *header;
if (buffer == NULL || len == 0) {
printf("Invalid argument\n");
return NULL; /* FAILED */
}
header = parse_header(buffer);
if (!header) {
printf("Failed to parse MSI_FILE_HDR struct\n");
return NULL; /* FAILED */
}
msi = (MSI_FILE *)OPENSSL_malloc(sizeof(MSI_FILE));
msi->m_buffer = (const u_char *)(buffer);
msi->m_bufferLen = len;
msi->m_hdr = parse_header(buffer);
msi->m_sectorSize = 1 << msi->m_hdr->sectorShift;;
msi->m_hdr = header;
msi->m_sectorSize = 1 << msi->m_hdr->sectorShift;
msi->m_minisectorSize = 1 << msi->m_hdr->miniSectorShift;
msi->m_miniStreamStartSector = 0;
if (msi->m_bufferLen < sizeof *(msi->m_hdr) ||
memcmp(msi->m_hdr->signature, msi_magic, sizeof msi_magic)) {
printf("Wrong file format\n");
msi_file_free(msi);
return NULL; /* FAILED */
}
msi->m_sectorSize = msi->m_hdr->majorVersion == 3 ? 512 : 4096;
/* The file must contains at least 3 sectors */
if (msi->m_bufferLen < msi->m_sectorSize * 3) {
printf("The file must contains at least 3 sectors\n");
msi_file_free(msi);
return NULL; /* FAILED */
}
root = msi_root_entry_get(msi);
if (root == NULL) {
printf("File corrupted\n");
if (!root) {
printf("Failed to get msi root entry\n");
msi_file_free(msi);
return NULL; /* FAILED */
}
msi->m_miniStreamStartSector = root->startSectorLocation;
@ -268,37 +446,90 @@ MSI_FILE *msi_file_new(char *buffer, size_t len)
return msi;
}
MSI_FILE_HDR *msi_header_get(MSI_FILE *msi)
{
return msi->m_hdr;
}
/* Recursively parse MSI_DIRENT struct */
MSI_DIRENT *msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent)
/* Recursively create a tree of MSI_DIRENT structures */
int msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent, MSI_DIRENT **ret)
{
MSI_DIRENT *dirent;
static int cnt;
static MSI_DIRENT *tortoise, *hare;
if (!entry) {
return NULL;
return 1; /* OK */
}
if (entry->nameLen == 0 || entry->nameLen > 64) {
printf("Corrupted Directory Entry Name Length\n");
return 0; /* FAILED */
}
/* detect cycles in previously visited entries (parents, siblings) */
if (!ret) { /* initialized (non-root entry) */
if ((entry->leftSiblingID != NOSTREAM && tortoise->entry->leftSiblingID == entry->leftSiblingID)
|| (entry->rightSiblingID != NOSTREAM && tortoise->entry->rightSiblingID == entry->rightSiblingID)
|| (entry->childID != NOSTREAM && tortoise->entry->childID == entry->childID)) {
printf("MSI_ENTRY cycle detected at level %d\n", cnt);
OPENSSL_free(entry);
return 0; /* FAILED */
}
}
dirent = (MSI_DIRENT *)OPENSSL_malloc(sizeof(MSI_DIRENT));
memcpy(dirent->name, entry->name, entry->nameLen);
dirent->nameLen = entry->nameLen;
dirent->type = entry->type;
dirent->entry = entry;
dirent->children = sk_MSI_DIRENT_new_null();
dirent->next = NULL; /* fail-safe */
if (parent != NULL) {
sk_MSI_DIRENT_push(parent->children, dirent);
/* Floyd's cycle-finding algorithm */
if (!ret) { /* initialized (non-root entry) */
if (cnt++ & 1) /* move the tortoise every other invocation of msi_dirent_new() */
tortoise = tortoise->next;
hare->next = dirent; /* build a linked list of visited entries */
hare = dirent; /* move the hare every time */
} else { /* initialization needed (root entry) */
cnt = 0;
tortoise = dirent;
hare = dirent;
}
/* NOTE : These links are a tree, not a linked list */
msi_dirent_new(msi, get_entry(msi, entry->leftSiblingID), parent);
msi_dirent_new(msi, get_entry(msi, entry->rightSiblingID), parent);
if (entry->type != DIR_STREAM) {
msi_dirent_new(msi, get_entry(msi, entry->childID), dirent);
if (parent && !sk_MSI_DIRENT_push(parent->children, dirent)) {
printf("Failed to insert MSI_DIRENT\n");
return 0; /* FAILED */
}
return dirent;
if (ret)
*ret = dirent;
if (!recurse_entry(msi, entry->leftSiblingID, parent)
|| !recurse_entry(msi, entry->rightSiblingID, parent)
|| !recurse_entry(msi, entry->childID, dirent)) {
printf("Failed to add a sibling or a child to the tree\n");
return 0; /* FAILED */
}
return 1; /* OK */
}
/* Add a sibling or a child to the tree */
/* NOTE: These links are a tree, not a linked list */
static int recurse_entry(MSI_FILE *msi, uint32_t entryID, MSI_DIRENT *parent)
{
MSI_ENTRY *node;
/* The special NOSTREAM (0xFFFFFFFF) value is used as a terminator */
if (entryID == NOSTREAM) /* stop condition */
return 1; /* OK */
node = get_entry(msi, entryID, FALSE);
if (!node) {
printf("Corrupted ID: 0x%08X\n", entryID);
return 0; /* FAILED */
}
if (!msi_dirent_new(msi, node, parent, NULL)) {
return 0; /* FAILED */
}
return 1; /* OK */
}
/* Return DigitalSignature and MsiDigitalSignatureEx */
@ -456,7 +687,8 @@ int msi_hash_dir(MSI_FILE *msi, MSI_DIRENT *dirent, BIO *hash, int is_root)
}
indata = (char *)OPENSSL_malloc(inlen);
if (!msi_file_read(msi, child->entry, 0, indata, inlen)) {
printf("Read stream data error\n\n");
printf("Failed to read stream data\n");
OPENSSL_free(indata);
goto out;
}
BIO_write(hash, indata, inlen);
@ -464,6 +696,7 @@ int msi_hash_dir(MSI_FILE *msi, MSI_DIRENT *dirent, BIO *hash, int is_root)
}
if (child->type == DIR_STORAGE) {
if (!msi_hash_dir(msi, child, hash, 0)) {
printf("Failed to hash a MSI storage\n");
goto out;
}
}
@ -476,15 +709,19 @@ out:
}
/* Compute a simple sha1/sha256 message digest of the MSI file */
void msi_calc_digest(char *indata, const EVP_MD *md, u_char *mdbuf, size_t fileend)
int msi_calc_digest(char *indata, const EVP_MD *md, u_char *mdbuf, uint32_t fileend)
{
BIO *bio = NULL;
EVP_MD_CTX *mdctx;
size_t n;
uint32_t n;
int ret = 0;
bio = BIO_new_mem_buf(indata, fileend);
mdctx = EVP_MD_CTX_new();
EVP_DigestInit(mdctx, md);
if (!EVP_DigestInit(mdctx, md)) {
printf("Unable to set up the digest context\n");
goto out;
}
memset(mdbuf, 0, EVP_MAX_MD_SIZE);
(void)BIO_seek(bio, 0);
@ -492,7 +729,7 @@ void msi_calc_digest(char *indata, const EVP_MD *md, u_char *mdbuf, size_t filee
while (n < fileend) {
int l;
static u_char bfb[16*1024*1024];
size_t want = fileend - n;
uint32_t want = fileend - n;
if (want > sizeof bfb)
want = sizeof bfb;
l = BIO_read(bio, bfb, want);
@ -502,13 +739,16 @@ void msi_calc_digest(char *indata, const EVP_MD *md, u_char *mdbuf, size_t filee
n += l;
}
EVP_DigestFinal(mdctx, mdbuf, NULL);
ret = 1; /* OK */
out:
EVP_MD_CTX_free(mdctx);
BIO_free(bio);
return ret;
}
static void ministream_append(MSI_OUT *out, char *buf, int len)
{
int needSectors = (len + out->sectorSize - 1) / out->sectorSize;
uint32_t needSectors = (len + out->sectorSize - 1) / out->sectorSize;
if (out->miniStreamLen + len >= out->ministreamsMemallocCount * out->sectorSize) {
out->ministreamsMemallocCount += needSectors;
out->ministream = OPENSSL_realloc(out->ministream, out->ministreamsMemallocCount * out->sectorSize);
@ -626,7 +866,7 @@ static int stream_read(MSI_FILE *msi, MSI_ENTRY *entry, u_char *p_msi, int len_m
inlen = len_msiex;
} else {
if (!msi_file_read(msi, entry, 0, *indata, inlen)) {
printf("Read stream data error\n");
printf("Failed to read stream data\n");
return 0; /* FAILED */
}
}
@ -665,7 +905,7 @@ static int stream_handle(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p_msi, int l
/* set the size of the user-defined data if this is a stream object */
PUT_UINT32_LE(inlen, buf);
memcpy(child->entry->size, buf, sizeof child->entry->size);
if (inlen < MINI_STREAM_CUTOFF_SIZE) {
/* set the index into the mini FAT to track the chain of sectors through the mini stream */
child->entry->startSectorLocation = out->miniSectorNum;
@ -680,7 +920,7 @@ static int stream_handle(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p_msi, int l
out->miniSectorNum += 1;
PUT_UINT32_LE(out->miniSectorNum, buf);
minifat_append(out, buf, 4);
inlen -= msi->m_minisectorSize;
inlen -= (uint32_t)msi->m_minisectorSize;
}
PUT_UINT32_LE(ENDOFCHAIN, buf);
minifat_append(out, buf, 4);
@ -701,7 +941,7 @@ static int stream_handle(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p_msi, int l
out->sectorNum += 1;
PUT_UINT32_LE(out->sectorNum, buf);
fat_append(out, buf, 4);
inlen -= out->sectorSize;
inlen -= (uint32_t)out->sectorSize;
}
PUT_UINT32_LE(ENDOFCHAIN, buf);
fat_append(out, buf, 4);
@ -746,7 +986,7 @@ static void minifat_save(BIO *outdata, MSI_OUT *out)
{
char buf[MAX_SECTOR_SIZE];
int i,remain;
/* set Mini FAT Starting Sector Location in the header */
if (out->minifatLen == 0) {
PUT_UINT32_LE(ENDOFCHAIN, buf);
@ -849,22 +1089,22 @@ static int dirents_save(MSI_DIRENT *dirent, BIO *outdata, MSI_OUT *out, int *str
} else { /* DIR_ROOT */
dirent->entry->rightSiblingID = NOSTREAM;
}
dirent->entry->childID = *streamId + 1;
dirent->entry->childID = *streamId + 1;
entry = msi_dirent_get(dirent->entry);
BIO_write(outdata, entry, DIRENT_SIZE);
OPENSSL_free(entry);
out->dirtreeLen += DIRENT_SIZE;
for (i = 0; i < childenNum; i++) {
MSI_DIRENT *child = sk_MSI_DIRENT_value(children, i);
int last = i == childenNum - 1 ? 1 : 0;
int last_dir = i == childenNum - 1 ? 1 : 0;
*streamId += 1;
if (child->type == DIR_STORAGE) {
count += dirents_save(child, outdata, out, streamId, count, last);
count += dirents_save(child, outdata, out, streamId, count, last_dir);
} else { /* DIR_STREAM */
count = 0;
child->entry->colorFlag = BLACK_COLOR;
child->entry->leftSiblingID = NOSTREAM;
if (last) {
if (last_dir) {
child->entry->rightSiblingID = NOSTREAM;
} else {
child->entry->rightSiblingID = *streamId + 1;
@ -924,7 +1164,7 @@ static int fat_save(BIO *outdata, MSI_OUT *out)
{
char buf[MAX_SECTOR_SIZE];
int i, remain;
remain = (out->fatLen + out->sectorSize - 1) / out->sectorSize;
out->fatSectorsCount = (out->fatLen + remain * 4 + out->sectorSize - 1) / out->sectorSize;
@ -1002,7 +1242,7 @@ static char *header_new(MSI_FILE_HDR *hdr, MSI_OUT *out)
} else {
PUT_UINT16_LE(0x0003, buf);
}
memcpy(data + HEADER_MAJOR_VER, buf, 2);
memcpy(data + HEADER_MAJOR_VER, buf, 2);
PUT_UINT16_LE(hdr->byteOrder, buf);
memcpy(data + HEADER_BYTE_ORDER, buf, 2);
PUT_UINT16_LE(hdr->sectorShift, buf);
@ -1035,7 +1275,6 @@ static char *header_new(MSI_FILE_HDR *hdr, MSI_OUT *out)
static int msiout_set(MSI_FILE *msi, int len_msi, int len_msiex, MSI_OUT *out)
{
MSI_FILE_HDR *hdr = msi_header_get(msi);
int msi_size, msiex_size;
out->sectorSize = msi->m_sectorSize;
@ -1057,9 +1296,9 @@ static int msiout_set(MSI_FILE *msi, int len_msi, int len_msiex, MSI_OUT *out)
printf("DIFAT sectors are not supported\n");
return 0;/* FAILED */
}
out->header = header_new(hdr, out);
out->minifatMemallocCount = hdr->numMiniFATSector;
out->fatMemallocCount = hdr->numFATSector;
out->header = header_new(msi->m_hdr, out);
out->minifatMemallocCount = msi->m_hdr->numMiniFATSector;
out->fatMemallocCount = msi->m_hdr->numFATSector;
out->ministream = NULL;
out->minifat = OPENSSL_malloc(out->minifatMemallocCount * out->sectorSize);
out->fat = OPENSSL_malloc(out->fatMemallocCount * out->sectorSize);
@ -1074,7 +1313,7 @@ int msi_file_write(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p_msi, int len_msi
MSI_OUT out;
int ret = 0;
memset(&out, 0, sizeof(MSI_OUT));
memset(&out, 0, sizeof(MSI_OUT));
if (!msiout_set(msi, len_msi, len_msiex, &out)) {
goto out; /* FAILED */
}
@ -1097,3 +1336,13 @@ out:
OPENSSL_free(out.minifat);
return ret;
}
/*
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: t
End:
vim: set ts=4 noexpandtab:
*/

61
msi.h
View File

@ -74,14 +74,14 @@
#define GET_UINT8_LE(p) ((u_char*)(p))[0]
#define GET_UINT16_LE(p) (((u_char*)(p))[0] | (((u_char*)(p))[1]<<8))
#define GET_UINT16_LE(p) (uint16_t)(((u_char*)(p))[0] | (((u_char*)(p))[1]<<8))
#define GET_UINT32_LE(p) (((u_char*)(p))[0] | (((u_char*)(p))[1]<<8) | \
#define GET_UINT32_LE(p) (uint32_t)(((u_char*)(p))[0] | (((u_char*)(p))[1]<<8) | \
(((u_char*)(p))[2]<<16) | (((u_char*)(p))[3]<<24))
#define PUT_UINT8_LE(i,p) \
((u_char*)(p))[0] = (i) & 0xff;
#define PUT_UINT16_LE(i,p) \
((u_char*)(p))[0] = (i) & 0xff; \
((u_char*)(p))[1] = ((i)>>8) & 0xff
@ -92,6 +92,17 @@
((u_char*)(p))[2] = ((i)>>16) & 0xff; \
((u_char*)(p))[3] = ((i)>>24) & 0xff
#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE 1
#endif
#define SIZE_64K 65536 /* 2^16 */
#define SIZE_16M 16777216 /* 2^24 */
typedef unsigned char u_char;
typedef struct {
@ -131,23 +142,24 @@ typedef struct {
u_char size[8];
} MSI_ENTRY;
typedef struct {
typedef struct msi_dirent_struct {
u_char name[DIRENT_MAX_NAME_SIZE];
uint16_t nameLen;
uint8_t type;
MSI_ENTRY *entry;
STACK_OF(MSI_DIRENT) *children;
struct msi_dirent_struct *next; /* for cycle detection */
} MSI_DIRENT;
DEFINE_STACK_OF(MSI_DIRENT)
typedef struct {
const u_char *m_buffer;
size_t m_bufferLen;
uint32_t m_bufferLen;
MSI_FILE_HDR *m_hdr;
size_t m_sectorSize;
size_t m_minisectorSize;
size_t m_miniStreamStartSector;
uint32_t m_sectorSize;
uint32_t m_minisectorSize;
uint32_t m_miniStreamStartSector;
} MSI_FILE;
typedef struct {
@ -167,10 +179,10 @@ typedef struct {
int fatSectorsCount;
int miniSectorNum;
int sectorNum;
size_t sectorSize;
uint32_t sectorSize;
} MSI_OUT;
static u_char msi_magic[] = {
static const u_char msi_magic[] = {
0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1
};
@ -191,16 +203,35 @@ static const u_char digital_signature_ex[] = {
0x45, 0x00, 0x78, 0x00, 0x00, 0x00
};
int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, size_t offset, char *buffer, size_t len);
MSI_FILE *msi_file_new(char *buffer, size_t len);
static const u_char msi_root_entry[] = {
0x52, 0x00, 0x6F, 0x00, 0x6F, 0x00, 0x74, 0x00,
0x20, 0x00, 0x45, 0x00, 0x6E, 0x00, 0x74, 0x00,
0x72, 0x00, 0x79, 0x00, 0x00, 0x00
};
static const u_char msi_zeroes[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, uint32_t offset, char *buffer, uint32_t len);
MSI_FILE *msi_file_new(char *buffer, uint32_t len);
void msi_file_free(MSI_FILE *msi);
MSI_ENTRY *msi_root_entry_get(MSI_FILE *msi);
MSI_DIRENT *msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent);
int msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent, MSI_DIRENT **ret);
MSI_ENTRY *msi_signatures_get(MSI_DIRENT *dirent, MSI_ENTRY **dse);
void msi_dirent_free(MSI_DIRENT *dirent);
MSI_FILE_HDR *msi_header_get(MSI_FILE *msi);
int msi_prehash_dir(MSI_DIRENT *dirent, BIO *hash, int is_root);
int msi_hash_dir(MSI_FILE *msi, MSI_DIRENT *dirent, BIO *hash, int is_root);
void msi_calc_digest(char *indata, const EVP_MD *md, u_char *mdbuf, size_t fileend);
int msi_calc_digest(char *indata, const EVP_MD *md, u_char *mdbuf, uint32_t fileend);
int msi_dirent_delete(MSI_DIRENT *dirent, const u_char *name, uint16_t nameLen);
int msi_file_write(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p, int len, u_char *p_msiex, int len_msiex, BIO *outdata);
/*
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: t
End:
vim: set ts=4 noexpandtab:
*/

76
osslsigncode.bash Normal file
View File

@ -0,0 +1,76 @@
# bash completion for osslsigncode -*- shell-script -*-
# Copyright (C) 2021-2022 Michał Trojnara <Michal.Trojnara@stunnel.org>
# Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
bind 'set show-all-if-ambiguous on'
bind 'set completion-ignore-case on'
COMP_WORDBREAKS=${COMP_WORDBREAKS//:}
_comp_cmd_osslsigncode()
{
local cur prev words cword
_init_completion || return
local commands command options timestamps rfc3161
commands="--help --version -v
sign add attach-signature extract-signature remove-signature verify"
timestamps="http://timestamp.digicert.com
http://time.certum.pl
http://timestamp.sectigo.com
http://timestamp.globalsign.com/?signature=sha2"
rfc3161="http://timestamp.digicert.com
http://time.certum.pl
http://timestamp.entrust.net/TSS/RFC3161sha2TS
http://tss.accv.es:8318/tsa
http://kstamp.keynectis.com/KSign/
http://sha256timestamp.ws.symantec.com/sha256/timestamp"
if ((cword == 1)); then
COMPREPLY=($(compgen -W "${commands}" -- ${cur}))
else
command=${words[1]}
case $prev in
-ac | -c | -catalog | -certs | -spc | -key | -pkcs12 | -pass | \
-readpass | -pkcs11engine | -pkcs11module | -in | -out | -sigin | \
-n | -CAfile | -CRLfile | -TSA-CAfile | -TSA-CRLfile)
_filedir
return
;;
-h | -require-leaf-hash)
COMPREPLY=($(compgen -W 'md5 sha1 sha2 sha256 sha384 sha512' \
-- "$cur"))
return
;;
-jp)
COMPREPLY=($(compgen -W 'low medium high' -- "$cur"))
return
;;
-t)
COMPREPLY=($(compgen -W "${timestamps}" -- "$cur"))
return
;;
-ts)
COMPREPLY=($(compgen -W "${rfc3161}" -- "$cur"))
return
;;
-i | -p)
_known_hosts_real -- "$cur"
return
;;
esac
if [[ $cur == -* ]]; then
# possible options for the command
options=$(_parse_help "$1" "$command --help" 2>/dev/null)
COMPREPLY=($(compgen -W "${options}" -- ${cur}))
fi
fi
} &&
complete -F _comp_cmd_osslsigncode osslsigncode
# ex: filetype=sh

928
osslsigncode.c
View File

File diff suppressed because it is too large Load Diff

114
tests/certs/makecerts.sh
View File

@ -21,162 +21,178 @@ make_certs() {
# OpenSSL settings
CONF="${script_path}/openssl_intermediate.cnf"
TEMP_LD_LIBRARY_PATH=$LD_LIBRARY_PATH
if test -n "$1"
then
OPENSSL="$1/bin/openssl"
LD_LIBRARY_PATH="$1/lib"
export LD_LIBRARY_PATH="$1/lib:$1/lib64"
else
OPENSSL=openssl
fi
mkdir "demoCA/" 2>> "makecerts.log" 1>&2
touch "demoCA/index.txt"
touch "demoCA/index.txt.attr"
echo -n "unique_subject = no" > "demoCA/index.txt.attr"
echo 1000 > "demoCA/serial"
date > "makecerts.log"
$OPENSSL version 2>> "makecerts.log" 1>&2
"$OPENSSL" version 2>> "makecerts.log" 1>&2
echo -n "$password" > "password.txt"
printf "\nGenerate root CA certificate\n" >> "makecerts.log"
$OPENSSL genrsa -out demoCA/CA.key \
"$OPENSSL" genrsa -out demoCA/CA.key \
2>> "makecerts.log" 1>&2
test_result $?
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL=openssl
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_root.cnf"
$OPENSSL req -config $CONF -new -x509 -days 3600 -key demoCA/CA.key -out tmp/CACert.pem \
"$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key demoCA/CA.key -out tmp/CACert.pem \
-subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA" \
2>> "makecerts.log" 1>&2'
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log"
$OPENSSL genrsa -out demoCA/intermediate.key \
"$OPENSSL" genrsa -out demoCA/intermediate.key \
2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL=openssl
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_intermediate.cnf"
$OPENSSL req -config $CONF -new -key demoCA/intermediate.key -out demoCA/intermediate.csr \
"$OPENSSL" req -config "$CONF" -new -key demoCA/intermediate.key -out demoCA/intermediate.csr \
-subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \
2>> "makecerts.log" 1>&2'
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL=openssl
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_root.cnf"
$OPENSSL ca -config $CONF -batch -in demoCA/intermediate.csr -out demoCA/intermediate.cer \
2>> "makecerts.log" 1>&2'
"$OPENSSL" ca -config "$CONF" -batch -in demoCA/intermediate.csr -out demoCA/intermediate.cer \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
$OPENSSL x509 -in demoCA/intermediate.cer -out tmp/intermediate.pem \
"$OPENSSL" x509 -in demoCA/intermediate.cer -out tmp/intermediate.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
$OPENSSL genrsa -des3 -out demoCA/private.key -passout pass:$password \
"$OPENSSL" genrsa -des3 -out demoCA/private.key -passout pass:"$password" \
2>> "makecerts.log" 1>&2
test_result $?
cat demoCA/private.key >> tmp/keyp.pem 2>> "makecerts.log"
test_result $?
printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log"
$OPENSSL rsa -in demoCA/private.key -passin pass:$password -out tmp/key.pem \
"$OPENSSL" rsa -in demoCA/private.key -passin pass:"$password" -out tmp/key.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate a certificate to revoke\n" >> "makecerts.log"
$OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:$password -out demoCA/revoked.csr \
"$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/revoked.csr \
-subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2
$OPENSSL ca -config $CONF -batch -in demoCA/revoked.csr -out demoCA/revoked.cer \
test_result $?
"$OPENSSL" ca -config "$CONF" -batch -in demoCA/revoked.csr -out demoCA/revoked.cer \
2>> "makecerts.log" 1>&2
$OPENSSL x509 -in demoCA/revoked.cer -out tmp/revoked.pem \
test_result $?
"$OPENSSL" x509 -in demoCA/revoked.cer -out tmp/revoked.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nRevoke above certificate\n" >> "makecerts.log"
$OPENSSL ca -config $CONF -revoke demoCA/1001.pem \
"$OPENSSL" ca -config "$CONF" -revoke demoCA/revoked.cer \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/revoked.pem
cat tmp/intermediate.pem >> tmp/revoked.pem 2>> "makecerts.log"
test_result $?
printf "\nGenerate CRL file\n" >> "makecerts.log"
TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL=openssl
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_intermediate.cnf"
$OPENSSL ca -config $CONF -gencrl -crldays 8766 -out tmp/CACertCRL.pem \
2>> "makecerts.log" 1>&2'
"$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/CACertCRL.pem \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
printf "\nConvert revoked certificate to SPC format\n" >> "makecerts.log"
$OPENSSL crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \
"$OPENSSL" crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log"
$OPENSSL genrsa -out demoCA/cross.key \
"$OPENSSL" genrsa -out demoCA/cross.key \
2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2018-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL=openssl
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_intermediate.cnf"
$OPENSSL req -config $CONF -new -x509 -days 900 -key demoCA/cross.key -out tmp/crosscert.pem \
"$OPENSSL" req -config "$CONF" -new -x509 -days 900 -key demoCA/cross.key -out tmp/crosscert.pem \
-subj "/C=PL/O=osslsigncode/OU=CSP/CN=crosscert/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2'
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
printf "\nGenerate code signing certificate\n" >> "makecerts.log"
$OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:$password -out demoCA/cert.csr \
"$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/cert.csr \
-subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2
test_result $?
$OPENSSL ca -config $CONF -batch -in demoCA/cert.csr -out demoCA/cert.cer \
"$OPENSSL" ca -config "$CONF" -batch -in demoCA/cert.csr -out demoCA/cert.cer \
2>> "makecerts.log" 1>&2
test_result $?
$OPENSSL x509 -in demoCA/cert.cer -out tmp/cert.pem \
"$OPENSSL" x509 -in demoCA/cert.cer -out tmp/cert.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the key to DER format\n" >> "makecerts.log"
$OPENSSL rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:$password \
"$OPENSSL" rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:"$password" \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the key to PVK format\n" >> "makecerts.log"
$OPENSSL rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \
"$OPENSSL" rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the certificate to DER format\n" >> "makecerts.log"
$OPENSSL x509 -in tmp/cert.pem -outform DER -out tmp/cert.der \
"$OPENSSL" x509 -in tmp/cert.pem -outform DER -out tmp/cert.der \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/cert.pem
cat tmp/intermediate.pem >> tmp/cert.pem 2>> "makecerts.log"
test_result $?
printf "\nConvert the certificate to SPC format\n" >> "makecerts.log"
$OPENSSL crl2pkcs7 -nocrl -certfile tmp/cert.pem -outform DER -out tmp/cert.spc \
"$OPENSSL" crl2pkcs7 -nocrl -certfile tmp/cert.pem -outform DER -out tmp/cert.spc \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the certificate and the key into a PKCS#12 container\n" >> "makecerts.log"
$OPENSSL pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/cert.p12 -passout pass:$password \
"$OPENSSL" pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/cert.p12 -passout pass:"$password" \
-keypbe aes-256-cbc -certpbe aes-256-cbc \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate expired certificate\n" >> "makecerts.log"
$OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:$password -out demoCA/expired.csr \
"$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/expired.csr \
-subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Expired/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2
test_result $?
$OPENSSL ca -config $CONF -enddate "190101000000Z" -batch -in demoCA/expired.csr -out demoCA/expired.cer \
"$OPENSSL" ca -config "$CONF" -enddate "190101000000Z" -batch -in demoCA/expired.csr -out demoCA/expired.cer \
2>> "makecerts.log" 1>&2
test_result $?
$OPENSSL x509 -in demoCA/expired.cer -out tmp/expired.pem \
"$OPENSSL" x509 -in demoCA/expired.cer -out tmp/expired.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nAttach intermediate certificate to expired certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/expired.pem
cat tmp/intermediate.pem >> tmp/expired.pem 2>> "makecerts.log"
test_result $?
# copy new files
if test -s tmp/intermediate.pem -a -s tmp/CACert.pem -a -s tmp/CACertCRL.pem \
@ -187,7 +203,6 @@ make_certs() {
cp tmp/* ./
printf "%s\n" "keys & certificates successfully generated"
printf "%s\n" "makecerts.sh finished"
rm -f "makecerts.log"
else
printf "%s\n" "makecerts.sh failed"
printf "%s\n" "error logs ${result_path}/makecerts.log"
@ -198,16 +213,13 @@ make_certs() {
rm -rf "demoCA/"
rm -rf "tmp/"
# restore settings
LD_LIBRARY_PATH=$TEMP_LD_LIBRARY_PATH
exit $result
exit "$result"
}
# Tests requirement
if test -n "$(command -v faketime)"
then
make_certs $1
make_certs "$1"
result=$?
else
printf "%s\n" "faketime not found in \$PATH"
@ -215,4 +227,4 @@ if test -n "$(command -v faketime)"
result=1
fi
exit $result
exit "$result"

3
tests/certs/openssl_intermediate.cnf
View File

@ -11,6 +11,7 @@ crl_dir = $dir/demoCA
new_certs_dir = $dir/demoCA
database = $dir/demoCA/index.txt
serial = $dir/demoCA/serial
rand_serial = yes
private_key = $dir/demoCA/intermediate.key
certificate = $dir/tmp/intermediate.pem
crl_extensions = crl_ext
@ -20,6 +21,8 @@ policy = policy_loose
default_startdate = 180101000000Z
default_enddate = 241231000000Z
x509_extensions = v3_req
email_in_dn = yes
default_days = 2200
[ req ]
# Options for the `req` tool

4
tests/certs/openssl_root.cnf
View File

@ -11,6 +11,7 @@ crl_dir = $dir/demoCA
new_certs_dir = $dir/demoCA
database = $dir/demoCA/index.txt
serial = $dir/demoCA/serial
rand_serial = yes
private_key = $dir/demoCA/CA.key
certificate = $dir/tmp/CACert.pem
crl_extensions = crl_ext
@ -20,6 +21,9 @@ policy = policy_match
default_startdate = 180101000000Z
default_enddate = 260101000000Z
x509_extensions = v3_intermediate_ca
email_in_dn = yes
default_days = 3000
unique_subject = no
[ req ]
# Options for the `req` tool

61
tests/certs/openssltest.cnf
View File

@ -1,61 +0,0 @@
# OpenSSL root CA configuration file
[ ca ]
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = .
certs = $dir/demoCA
crl_dir = $dir/demoCA
new_certs_dir = $dir/demoCA
database = $dir/demoCA/index.txt
serial = $dir/demoCA/serial
crl_extensions = crl_ext
default_md = sha256
preserve = no
policy = policy_match
x509_extensions = usr_cert
private_key = $dir/demoCA/CA.key
certificate = $dir/tmp/CACert.pem
default_startdate = 180101000000Z
default_enddate = 210101000000Z
[ req ]
encrypt_key = no
default_bits = 2048
default_md = sha256
string_mask = utf8only
x509_extensions = ca_extensions
distinguished_name = req_distinguished_name
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
extendedKeyUsage = codeSigning
[ ca_extensions ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ policy_match ]
countryName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

6
tests/test_library
View File

@ -38,7 +38,7 @@ modify_blob() {
sed "s/$initial_blob$zero_blob/$initial_blob$modified_blob/" | \
xxd -p -r > "changed_$1.$2"
../../osslsigncode verify \
../../osslsigncode verify -verbose \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
@ -95,7 +95,7 @@ verify_signature() {
TZ=GMT faketime -f "$5" /bin/bash -c '
printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
script_path=$(pwd)
../../osslsigncode verify \
../../osslsigncode verify -verbose \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
@ -153,7 +153,7 @@ verify_leaf_hash() {
TZ=GMT faketime -f "$4" /bin/bash -c '
printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
script_path=$(pwd)
../../osslsigncode verify \
../../osslsigncode verify -verbose \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \

14
tests/testall.sh
View File

@ -19,15 +19,11 @@ make_tests() {
/bin/sh $plik 3>&1 2>> "results.log" 1>&2
done
count=$(grep -c "Test succeeded" "results.log")
if test $count -ne 0
then
skip=$(grep -c "Test skipped" "results.log")
fail=$(grep -c "Test failed" "results.log")
printf "%s\n" "testall.sh finished"
printf "%s\n" "summary: success $count, skip $skip, fail $fail"
else # no test was done
result=1
fi
skip=$(grep -c "Test skipped" "results.log")
fail=$(grep -c "Test failed" "results.log")
printf "%s\n" "testall.sh finished"
printf "%s\n" "summary: success $count, skip $skip, fail $fail"
return $fail
}
rm -rf "${result_path}"