nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-07-02 19:22:47 -05:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: nhyatt:2.5
Branches Tags
nhyatt:master
nhyatt:2.10 nhyatt:2.9 nhyatt:2.8 nhyatt:2.7 nhyatt:2.6 nhyatt:2.5 nhyatt:2.4 nhyatt:2.3 nhyatt:2.2 nhyatt:2.1 nhyatt:2.0
...
compare: nhyatt:2.7
Branches Tags
nhyatt:master
nhyatt:2.10 nhyatt:2.9 nhyatt:2.8 nhyatt:2.7 nhyatt:2.6 nhyatt:2.5 nhyatt:2.4 nhyatt:2.3 nhyatt:2.2 nhyatt:2.1 nhyatt:2.0

122 Commits
2.5 ... 2.7

Author SHA1 Message Date
Michał Trojnara
9ebd79ad18 Release 2.7 
Signed-off-by: Michał Trojnara <Michal.Trojnara@stunnel.org>
 2023-09-19 21:51:05 +02:00
Michał Trojnara
1700455533 APPX support (#303) 
Co-authored-by: Maciej Panek <Maciej.panek@punxworks.com>
Co-authored-by: olszomal <Malgorzata.Olszowka@stunnel.org>
 2023-09-19 21:23:32 +02:00
Michał Trojnara
a6f767f5a3 Mark the result as not tainted 2023-09-08 14:09:53 +02:00
olszomal
4c5b329bc4 fixed mixed declarations and code 2023-09-08 11:51:20 +02:00
olszomal
5626482e82 fixed a function declaration with a void parameter 2023-09-08 11:51:20 +02:00
olszomal
2d21a2121c squash gcc debugger warnings 
remove nsections>UINT16_MAX check
 2023-09-08 11:51:20 +02:00
Michał Trojnara
5d2bf2c80f Fix insufficient MSI_ENTRY comparison 2023-09-04 16:10:25 +02:00
Michael Brown
5b8376ce32 Fix construction of signed CAB header 
Commit 0f51a06 ("Separate common and format-dependent functions")
performed a substantial amount of refactoring.  Within the CFFOLDER
header construction loop in cab_add_header(), the line

   tmp = GET_UINT32_LE(indata + i);

seems to have been accidentally deleted, instead of being refactored
to become

   tmp = GET_UINT32_LE(ctx->options->indata + i);

with the result that adding a signature to a .cab file will currently
produce an invalid .cab file.

Fix by adding back in the missing line of code.

Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
 2023-08-31 12:27:01 +02:00
Michał Trojnara
1fc2c937f2 Secrets are not available in PRs 2023-08-25 09:49:10 +02:00
olszomal
2ed54490a6 Use TS_TST_INFO struct 2023-07-31 17:46:01 +02:00
olszomal
a096aa8a33 Set signing digest to generate RFC3161 response 2023-07-31 17:46:01 +02:00
olszomal
aa08566a63 Use TS_REQ struct 2023-07-31 17:46:01 +02:00
Małgorzata Olszówka (she/her)
c04b229ce2 Built-in TSA response generation (#281) 2023-07-28 16:03:04 +02:00
Michał Trojnara
adcfd9a33f Apply suggestions from code review 
Added more detailed error messages.
Fixed formatting and indentation.

Co-authored-by: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
 2023-07-21 11:44:55 +02:00
Maxim Bagryantsev
f2f3a8891c Fixed validation of supported command 2023-07-21 11:44:55 +02:00
olszomal
29eedf9059 Fixed DIFAT sectors writing 2023-06-30 11:30:02 +02:00
fanquake
d6f94d71f7 doc: correct minimum CMake version in README.md 
It's 3.17, not 3.6.
 2023-06-01 19:43:42 +02:00
Michał Trojnara
a509a66c65 Initial 2.7-dev commit 2023-05-30 17:23:46 +02:00
Michał Trojnara
7bf4c92d83 Fixed CI version 2023-05-29 23:25:42 +02:00
Michał Trojnara
0a0fdfe96a Release 2.6 
Signed-off-by: Michał Trojnara <Michal.Trojnara@stunnel.org>
 2023-05-29 23:10:39 +02:00
olszomal
199f2b4586 Check X509_ATTRIBUTE_get0_data() return value 2023-05-26 15:07:03 +02:00
olszomal
a92c4a5522 Do not return corrupted CMS_ContentInfo 2023-05-26 15:07:03 +02:00
olszomal
dc44ed5f5b Fix CFFOLDER hashing 2023-05-26 15:07:03 +02:00
olszomal
c6990878c2 Check the length of the attribute certificate entry 2023-05-25 15:45:52 +02:00
olszomal
abbbfabdc7 Move some functions from common to main code 2023-05-23 19:07:00 +02:00
olszomal
2a4b75842a Add connection logging 2023-05-23 19:07:00 +02:00
yjh-styx
56e7a72e8a Fix timestamping nested signatures (#266) 2023-05-14 22:32:56 +02:00
Max Bagryantsev
b61bcaac2e Added DIFAT sectors support (#265) 2023-05-14 20:33:57 +02:00
olszomal
924af9e783 Remove duplicated CURLcode error code 2023-05-09 21:14:19 +02:00
olszomal
cb80c7d188 Initialize indata variable 2023-05-09 21:14:19 +02:00
olszomal
76bb06bf7e Squash unused parameter warning 2023-05-09 21:14:19 +02:00
olszomal
4b6027a4f7 Fix CURLINFO_RESPONSE_CODE 2023-05-09 21:14:19 +02:00
olszomal
de6a65cc67 Fix github workflows 2023-05-09 21:14:19 +02:00
olszomal
c90166ba8d Fix cTest script 2023-05-09 21:14:19 +02:00
olszomal
b00ceee310 Tests: add port argument to python HTTP server 2023-05-09 21:14:19 +02:00
olszomal
54e61cb76a New CMakeTest script 2023-05-01 11:59:06 +02:00
olszomal
fb731f2b5e Use indentations 2023-05-01 11:59:06 +02:00
olszomal
eec5a0755d Tests: new HTTP server and client 2023-05-01 11:59:06 +02:00
olszomal
41d98c3917 Tests: fix openssl configuration files and makecerts bash script to set X509v3 CRL Distribution Points extension 2023-05-01 11:59:06 +02:00
olszomal
7fa0b21ddd Tests: new certificates with X509v3 CRL Distribution Points extension 2023-05-01 11:59:06 +02:00
yjh-styx
e0eb331baf Postpone stripping old signature after it is extracted (#260) 2023-04-28 11:59:07 +02:00
olszomal
7bb21c3539 Tests: generate new certificates and keys 2023-04-16 10:43:24 +02:00
olszomal
edcb18d63f Tests: use TSA-CRLfile 2023-04-16 10:43:24 +02:00
olszomal
3d7b8d2a21 Get Certificate Revocation List from a CRL distribution point 2023-04-16 10:43:24 +02:00
olszomal
7bfe3b5db9 Fix update_data_size() 2023-03-30 20:57:38 +02:00
olszomal
dd365d68c4 Calculate padding length 2023-03-30 20:57:38 +02:00
olszomal
09555e8c05 Inspect PE attribute certificate table 2023-03-30 20:57:38 +02:00
olszomal
e4aa06f0c0 Check PE checksum 2023-03-30 20:57:38 +02:00
olszomal
46e9ee447f Fix pagehash resource leak, CID 1536895 2023-03-29 08:51:01 +02:00
olszomal
3e7247d9dc Fix pe_page_hash_get(), CID 1536895, 1536897 2023-03-28 21:02:12 +02:00
olszomal
d2f1b9c035 Fix leafhash resource leak, CID 1536899 2023-03-28 21:00:42 +02:00
olszomal
4199310cdf Fix indata resource leak, CID 1536896 2023-03-28 20:59:57 +02:00
Michał Trojnara
0204d04a25 Stop using tabs for indentation 2023-03-25 23:39:52 +01:00
olszomal
246f0abbfc Optional CMake parameters 2023-03-25 20:34:25 +01:00
Małgorzata Olszówka
0f51a06b8f Separate common and format-dependent functions (#241) 2023-03-25 20:32:58 +01:00
Charles Duffy
44a6768089 Avoid link failures on Darwin when AppleClang not matched (#246) 2023-03-14 14:37:24 +01:00
olszomal
93f5f800d6 Fix resource leak, CID 1535262 2023-02-28 08:27:46 +01:00
olszomal
4db6ed0cad Fix memory leak 2023-02-26 21:12:07 +01:00
olszomal
32b65659be Use big/little-endian conversion in pe_calc_realchecksum() 2023-02-26 21:12:07 +01:00
olszomal
8e74a05b40 msi_calc_digest() with FILE_HEADER parameter 2023-02-26 21:12:07 +01:00
olszomal
83e47e0252 Specify the maximum NumberOfSections value 2023-02-26 21:12:07 +01:00
olszomal
41e6042c26 Specify the maximum SizeOfOptionalHeader value 2023-02-26 21:12:07 +01:00
olszomal
33c1fdaa85 Remove wrong type casting 2023-02-26 21:12:07 +01:00
olszomal
11eb76d4f3 Use bio_hash_data() to compute a message digest value of a CAB file 2023-02-26 21:12:07 +01:00
olszomal
b0391244a6 New function bio_hash_data() 2023-02-26 21:12:07 +01:00
olszomal
83f6ceeaea Fix compiler warnings 2023-02-26 21:12:07 +01:00
olszomal
b96a7a2232 Use BIO_f_md instead of EVP_MD_CTX to compute a message digest value of the PE and CAB file 2023-02-26 21:12:07 +01:00
olszomal
ff8034af2e Use BIO_f_md instead of EVP_MD_CTX to compute a message digest value of the MSI file 2023-02-26 21:12:07 +01:00
olszomal
bde67ec1e2 Use BIO_f_md instead of EVP_MD_CTX to calculate timestamp, page hash and leaf hash 2023-02-26 21:12:07 +01:00
Julien Cristau
c5ad70d31a Fix asn1_get_time_t timezone offset 
mktime takes an input in local time, but what we have is UTC.  timegm
does the right thing but is a nonstandard GNU and BSD extension, while
Windows has _mkgmtime.
 2023-02-24 11:03:08 +01:00
Michał Trojnara
27a2a2bfa3 Install Xcode 2023-02-22 16:38:32 +01:00
olszomal
827f167f8b Fix default command "sign" 2023-02-22 15:40:18 +01:00
Michał Trojnara
4098a5efc7 Install missing "make" in the CI on macOS (#236) 2023-02-22 15:39:03 +01:00
Michał Trojnara
e88bc1ca14 Remove an automake dependency 2023-01-24 10:09:35 +01:00
olszomal
dd2aaf0804 Provide a non-zero divisor, CID 1519382 2023-01-23 18:04:37 +01:00
olszomal
08113a08cb Check pagesize upper bound, CID 1519382 2023-01-23 14:13:43 +01:00
olszomal
29843ccf40 Fix resource leak, CID 1530764, 1530765 2023-01-23 11:14:06 +01:00
olszomal
5fef4faf47 Check PE header value ranges, CID 1519382 2023-01-20 15:26:18 +01:00
olszomal
5981c740c9 Check signature length, CID 1519389 2023-01-20 15:20:52 +01:00
olszomal
f3af509973 Unsupported input file type to use with -catalog option 2023-01-20 10:53:49 +01:00
olszomal
c29e14e697 Reset calculated message digest, CID 1519395 2023-01-20 10:53:49 +01:00
olszomal
4da5526c05 Unmap a file in case of error, CID 1519391 2023-01-19 17:52:28 +01:00
olszomal
4ec23dbaa5 Fix resource leak, CID 1519397 2023-01-19 17:51:35 +01:00
olszomal
d9979c4bc6 Check a value range, CID 1519382 2023-01-19 17:51:08 +01:00
olszomal
695892b8bf Check sector location, CID 1519384 2023-01-19 17:50:27 +01:00
olszomal
192ff59916 Fix use after free null url, CID 1530710 2023-01-19 17:48:39 +01:00
Michał Trojnara
506daf84ac Discover engine ID if full path was specified 
Fix #180
 2023-01-19 11:58:52 +01:00
olszomal
bb6322e378 Close a file descriptor, CID 1208035 2023-01-18 21:19:35 +01:00
olszomal
b0eaa96d45 Squash the uninitialized pointer read warning, CID 1519385, 1519387 2023-01-18 21:17:50 +01:00
olszomal
fade782e58 Fix memory leak in stream_handle(), CID 1519397, 1519388, 1519402, 1519403 2023-01-18 21:16:34 +01:00
olszomal
199a852c12 Check DigitalSignature and MsiDigitalSignatureEx stream lengths, CID 1519400, 1519381, 1519386 2023-01-18 21:05:00 +01:00
olszomal
95a8a9d9c1 Check stream data length, CID 1519393 2023-01-18 21:03:16 +01:00
olszomal
c197d7727c close file and file mapping handles 2023-01-15 22:37:45 +01:00
olszomal
efbe570f27 Fix out-of-bounds read, CID 1519383 2023-01-15 22:35:48 +01:00
olszomal
fef65536f6 remove warning 2023-01-15 22:34:34 +01:00
olszomal
1155a9c338 False positive CID 1519394: Operands don't affect result 2023-01-15 22:33:15 +01:00
olszomal
f67ca8aac5 Fix unchecked return value, CID 1519390 2023-01-15 22:29:57 +01:00
olszomal
d59601f2b9 Fix CRL distribution point memory leak, CID 1519398 2023-01-15 22:24:56 +01:00
olszomal
7f87f930f7 Unmap a mapped view of a file , CID 1519391 2023-01-15 22:21:23 +01:00
olszomal
dadca2516d Fix memory leak, CID 1519392 2023-01-15 22:20:20 +01:00
Michał Trojnara
a862378280 Reduce expression complexity 2023-01-15 22:09:08 +01:00
olszomal
c4ec6debe5 Squash the unchecked return value from CURL library warning, CID 1519399 2023-01-15 21:57:15 +01:00
olszomal
08c205a02f Remove reduplicated checking for outdata file exists, CID 1519404 2023-01-15 21:54:16 +01:00
olszomal
acfece2c26 Fix dereference before null check, CID 1519396 2023-01-13 12:42:24 +01:00
olszomal
61cf89f26f typo 2023-01-11 12:24:26 +01:00
Michał Trojnara
07a927f34a Update the APT package database 2023-01-10 17:56:48 +01:00
olszomal
257cb1fb08 Add missing parentheses 2023-01-10 17:40:09 +01:00
olszomal
c48a6cdef0 Legacy pkcs12 ciphers tests 
Use legacy PKCS#12 container with RC2-40-CBC private key and certificate encryption algorithm
 2023-01-10 17:39:53 +01:00
olszomal
8bba4496c0 Legacy pkcs12 ciphers support 2023-01-10 17:39:53 +01:00
olszomal
dfc13c9bf8 simplify bash completion 2023-01-10 17:38:58 +01:00
olszomal
f57b469c29 Add an option override the autodetected directory for installing bash completions 2023-01-10 17:38:58 +01:00
olszomal
c718882ffb Fix macro redefinition 2022-11-29 13:40:06 +01:00
Michał Trojnara
3109bdf0ab Add makecerts.log to CI error artifacts 2022-11-28 17:52:44 +01:00
olszomal
7aca21b481 Use big/little-endian conversion. 
Improve checksum calculation.
 2022-11-28 09:26:00 +01:00
olszomal
8c113b3a86 Fix generating timestamp query 
The TSA is expected to include its signing certificate in the response
 2022-11-28 09:26:00 +01:00
olszomal
f3a5ecce9c fix resource leaks 2022-11-23 11:44:02 +01:00
Jon Turney
1c678bf926 Don't use ELF-specific linker options on Cygwin, either 2022-11-22 16:55:29 +01:00
olszomal
454e15326d large CAB file support 2022-11-22 16:50:45 +01:00
olszomal
db556d0a2d large PE file support 2022-11-22 16:50:45 +01:00
Michał Trojnara
8bdd22c183 Remove a deprecated testing platform 2022-09-22 14:58:14 +02:00
olszomal
cc4e5a5076 fix year 2038 problem 2022-09-21 10:41:51 +02:00
Michał Trojnara
b8cb44fa47 initial 2.6 commit 2022-08-12 22:09:34 +02:00
65 changed files with 14005 additions and 8073 deletions
Expand all files Collapse all files

43
.github/workflows/ci.yml vendored
View File

@ -7,7 +7,7 @@ on:
env:
# Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.)
BUILD_TYPE: Release
version: osslsigncode-2.5
version: osslsigncode-2.7
jobs:
build:
@ -27,12 +27,6 @@ jobs:
os: ubuntu-20.04
generator: Unix Makefiles
vcpkg_root:
- id: ubuntu-18.04
triplet: x64-linux
compiler: gcc
os: ubuntu-18.04
generator: Unix Makefiles
vcpkg_root:
- id: macOS
triplet: x64-osx
compiler: clang
@ -98,7 +92,15 @@ jobs:
- name: Install apt dependencies (Linux)
if: runner.os == 'Linux'
run: sudo apt-get install -y libssl-dev libcurl4-openssl-dev faketime
run: |
sudo apt-get update
sudo apt-get install -y libssl-dev libcurl4-openssl-dev faketime
- name: Install Xcode (macOS)
if: runner.os == 'macOS'
uses: maxim-lobanov/setup-xcode@v1
with:
xcode-version: latest-stable
- name: Setup the oldest supported version of cmake (macOS)
if: runner.os == 'macOS'
@ -123,6 +125,25 @@ jobs:
--build ${{github.workspace}}/build
--config ${{env.BUILD_TYPE}}
- name: Start HTTP server (macOS)
working-directory: ${{github.workspace}}/build
if: runner.os == 'macOS'
run: |
python3 --version
python3 ./Testing/server_http.py --port 19254
while test ! -s ./Testing/logs/port.log; do sleep 1; done
- name: Start HTTP server (Windows)
working-directory: ${{github.workspace}}\build
if: runner.os == 'Windows'
run: |
python.exe --version
$Args = '.\Testing\server_http.pyw --port 19254'
$File = '.\Testing\logs\port.log'
Start-Process -FilePath pythonw.exe -ArgumentList $Args
while(-not(Test-Path -Path $File -PathType Leaf) -or [String]::IsNullOrWhiteSpace((Get-Content $File))) {Start-Sleep -Seconds 1}
Get-Content '.\Testing\logs\server.log'
- name: List files (Linux/macOS)
if: runner.os != 'Windows'
run: find .. -ls
@ -140,7 +161,11 @@ jobs:
if: failure()
with:
name: errors-${{matrix.id}}
path: ${{github.workspace}}/build/Testing/Temporary/LastTest.log
path: |
${{github.workspace}}/build/Testing/Temporary/LastTest.log
${{github.workspace}}/build/Testing/conf/makecerts.log
${{github.workspace}}/build/Testing/logs/server.log
${{github.workspace}}/build/Testing/logs/port.log
- name: Install
run: cmake --install ${{github.workspace}}/build

3
.github/workflows/coverity.yml vendored
View File

@ -2,7 +2,7 @@ name: Coverity Scan
on:
push:
pull_request:
workflow_dispatch:
jobs:
coverity:
@ -15,6 +15,7 @@ jobs:
- name: Get ready for scanning
if: env.token
run: |
sudo apt-get update
sudo apt-get install -y libssl-dev libcurl4-openssl-dev
cmake -S ${{github.workspace}} -B ${{github.workspace}}/build
- uses: vapier/coverity-scan-action@v1

1
.gitignore vendored
View File

@ -12,7 +12,6 @@ CPackSourceConfig.cmake
CTestTestfile.cmake
install_manifest.txt
Makefile
missing
osslsigncode
osslsigncode.exe
stamp-h1

59
CMakeLists.txt
View File

@ -4,16 +4,16 @@ cmake_minimum_required(VERSION 3.17)
# autodetect vcpkg CMAKE_TOOLCHAIN_FILE if VCPKG_ROOT is defined
# this needs to be configured before the project() directive
if(DEFINED ENV{VCPKG_ROOT} AND NOT $ENV{VCPKG_ROOT} STREQUAL "" AND NOT DEFINED CMAKE_TOOLCHAIN_FILE)
set(CMAKE_TOOLCHAIN_FILE "$ENV{VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake" CACHE STRING "")
set(CMAKE_TOOLCHAIN_FILE "$ENV{VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake" CACHE STRING "")
endif(DEFINED ENV{VCPKG_ROOT} AND NOT $ENV{VCPKG_ROOT} STREQUAL "" AND NOT DEFINED CMAKE_TOOLCHAIN_FILE)
set(BUILTIN_SOCKET ON CACHE BOOL "") # for static Python
# configure basic project information
project(osslsigncode
VERSION 2.5
DESCRIPTION "OpenSSL based Authenticode signing for PE, CAB, CAT and MSI files"
HOMEPAGE_URL "https://github.com/mtrojnar/osslsigncode"
LANGUAGES C)
VERSION 2.7
DESCRIPTION "OpenSSL based Authenticode signing for PE, CAB, CAT and MSI files"
HOMEPAGE_URL "https://github.com/mtrojnar/osslsigncode"
LANGUAGES C)
# force nonstandard version format for development packages
set(DEV "")
@ -30,6 +30,7 @@ set(CMAKE_C_STANDARD_REQUIRED ON)
# load CMake library modules
include(FindOpenSSL)
include(FindCURL)
include(FindZLIB)
# load CMake project modules
set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake")
@ -47,9 +48,9 @@ configure_file(Config.h.in config.h)
target_compile_definitions(osslsigncode PRIVATE HAVE_CONFIG_H=1)
# set sources
target_sources(osslsigncode PRIVATE osslsigncode.c msi.c)
target_sources(osslsigncode PRIVATE osslsigncode.c helpers.c msi.c pe.c cab.c cat.c appx.c)
if(NOT UNIX)
target_sources(osslsigncode PRIVATE applink.c)
target_sources(osslsigncode PRIVATE applink.c)
endif(NOT UNIX)
# set include directories
@ -57,21 +58,27 @@ target_include_directories(osslsigncode PRIVATE "${PROJECT_BINARY_DIR}")
# set OpenSSL includes/libraries
if(NOT OPENSSL_FOUND)
message(FATAL_ERROR "OpenSSL library not found")
message(FATAL_ERROR "OpenSSL library not found")
endif(NOT OPENSSL_FOUND)
target_include_directories(osslsigncode PRIVATE ${OPENSSL_INCLUDE_DIR})
target_link_libraries(osslsigncode PRIVATE ${OPENSSL_LIBRARIES})
# set cURL includes/libraries
if(CURL_FOUND)
target_compile_definitions(osslsigncode PRIVATE ENABLE_CURL=1)
target_include_directories(osslsigncode PRIVATE ${CURL_INCLUDE_DIRS})
target_link_libraries(osslsigncode PRIVATE ${CURL_LIBRARIES})
message(STATUS "cURL support enabled")
target_compile_definitions(osslsigncode PRIVATE ENABLE_CURL=1)
target_include_directories(osslsigncode PRIVATE ${CURL_INCLUDE_DIRS})
target_link_libraries(osslsigncode PRIVATE ${CURL_LIBRARIES})
message(STATUS "cURL support enabled")
else(CURL_FOUND)
message(STATUS "cURL support disabled (library not found)")
message(STATUS "cURL support disabled (library not found)")
endif(CURL_FOUND)
if(NOT ZLIB_FOUND)
message(FATAL_ERROR "Zlib library not found")
endif(NOT ZLIB_FOUND)
target_include_directories(osslsigncode PRIVATE ${ZLIB_INCLUDE_DIR})
target_link_libraries(osslsigncode PRIVATE ${ZLIB_LIBRARIES})
# add paths to linker search and installed rpath
set_target_properties(osslsigncode PROPERTIES INSTALL_RPATH_USE_LINK_PATH TRUE)
@ -82,14 +89,22 @@ include(CMakeTest)
set(BINDIR "${CMAKE_INSTALL_PREFIX}/bin")
install(TARGETS osslsigncode RUNTIME DESTINATION ${BINDIR})
if(UNIX)
include(CMakeDist)
include(CMakeDist)
else(UNIX)
install(
DIRECTORY ${PROJECT_BINARY_DIR}/ DESTINATION ${BINDIR}
FILES_MATCHING
PATTERN "*.dll"
PATTERN "vcpkg_installed" EXCLUDE
PATTERN "CMakeFiles" EXCLUDE
PATTERN "Testing" EXCLUDE
)
install(
DIRECTORY ${PROJECT_BINARY_DIR}/ DESTINATION ${BINDIR}
FILES_MATCHING
PATTERN "*.dll"
PATTERN "vcpkg_installed" EXCLUDE
PATTERN "CMakeFiles" EXCLUDE
PATTERN "Testing" EXCLUDE)
endif(UNIX)
#[[
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
]]

17
NEWS.md
View File

@ -1,5 +1,22 @@
# osslsigncode change log
### 2.7 (2023.09.19)
- fixed signing CAB files (by Michael Brown)
- fixed handling of unsupported commands (by Maxim Bagryantsev)
- fixed writing DIFAT sectors
- added APPX support (by Maciej Panek and Małgorzata Olszówka)
- added a built-in TSA response generation (-TSA-certs, -TSA-key
and -TSA-time options)
### 2.6 (2023.05.29)
- modular architecture implemented to simplify adding file formats
- added verification of CRLs specified in the signing certificate
- added MSI DIFAT sectors support (by Max Bagryantsev)
- added legacy provider support for OpenSSL 3.0.0 and later
- fixed numerous bugs
### 2.5 (2022.08.12)
- fixed the Unix executable install path

9
README.md
View File

@ -46,7 +46,7 @@ We highly recommend downloading a [release tarball](https://github.com/mtrojnar/
brew install cmake pkg-config openssl@1.1
export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig"
```
**NOTE:** osslsigncode requires CMake 3.6 or newer.
**NOTE:** osslsigncode requires CMake 3.17 or newer.
You may need to use `cmake3` instead of `cmake` to complete the following steps on your system.
* Navigate to the build directory and run CMake to configure the osslsigncode project
@ -54,12 +54,13 @@ You may need to use `cmake3` instead of `cmake` to complete the following steps
```
mkdir build && cd build && cmake -S ..
```
with specific compile options:
optional CMake parameters:
```
-DCMAKE_BUILD_TYPE=Debug
-DCMAKE_C_COMPILER=clang
-DCMAKE_PREFIX_PATH=[openssl directory];[curl directory]
-DCMAKE_INSTALL_PREFIX=[installation directory]
-DBASH_COMPLETION_USER_DIR=[bash completion installation directory]
```
* Then call that build system to actually compile/link the osslsigncode project (alias `make`):
@ -180,9 +181,7 @@ in the unauthenticated blob, as an attacker could modify this. Do NOT, under
any circumstances, put a URL here that you will use to download an additional
file. If you do do that, you would need to check the newly downloaded file is
code signed AND that it has been signed with your cert AND that it is the
version you expect. You should consider using asymmetrical encryption for the
data you put in the blob, such that the executable contains the public key to
decrypt the data. Basically, be VERY careful.
version you expect.
## BUGS, QUESTIONS etc.

2684
appx.c Normal file
View File

File diff suppressed because it is too large Load Diff

942
cab.c Normal file
View File

@ -0,0 +1,942 @@
/*
* CAB file support library
*
* Copyright (C) 2021-2023 Michał Trojnara <Michal.Trojnara@stunnel.org>
* Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
*
* Reference specifications:
* https://www.file-recovery.com/cab-signature-format.htm
* https://learn.microsoft.com/en-us/previous-versions/ms974336(v=msdn.10)
*/
#include "osslsigncode.h"
#include "helpers.h"
/*
* FLAG_PREV_CABINET is set if the cabinet file is not the first in a set
* of cabinet files. When this bit is set, the szCabinetPrev and szDiskPrev
* fields are present in this CFHEADER.
*/
#define FLAG_PREV_CABINET 0x0001
/*
* FLAG_NEXT_CABINET is set if the cabinet file is not the last in a set of
* cabinet files. When this bit is set, the szCabinetNext and szDiskNext
* fields are present in this CFHEADER.
*/
#define FLAG_NEXT_CABINET 0x0002
/*
* FLAG_RESERVE_PRESENT is set if the cabinet file contains any reserved
* fields. When this bit is set, the cbCFHeader, cbCFFolder, and cbCFData
* fields are present in this CFHEADER.
*/
#define FLAG_RESERVE_PRESENT 0x0004
struct cab_ctx_st {
uint32_t header_size;
uint32_t sigpos;
uint32_t siglen;
uint32_t fileend;
uint16_t flags;
};
/* FILE_FORMAT method prototypes */
static FILE_FORMAT_CTX *cab_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata);
static ASN1_OBJECT *cab_obsolete_link_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx);
static int cab_hash_length_get(FILE_FORMAT_CTX *ctx);
static int cab_check_file(FILE_FORMAT_CTX *ctx, int detached);
static u_char *cab_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md);
static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7);
static PKCS7 *cab_pkcs7_extract(FILE_FORMAT_CTX *ctx);
static int cab_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
static PKCS7 *cab_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
static int cab_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7);
static void cab_update_data_size(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7);
static BIO *cab_bio_free(BIO *hash, BIO *outdata);
static void cab_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
FILE_FORMAT file_format_cab = {
.ctx_new = cab_ctx_new,
.data_blob_get = cab_obsolete_link_get,
.hash_length_get = cab_hash_length_get,
.check_file = cab_check_file,
.digest_calc = cab_digest_calc,
.verify_digests = cab_verify_digests,
.pkcs7_extract = cab_pkcs7_extract,
.remove_pkcs7 = cab_remove_pkcs7,
.pkcs7_prepare = cab_pkcs7_prepare,
.append_pkcs7 = cab_append_pkcs7,
.update_data_size = cab_update_data_size,
.bio_free = cab_bio_free,
.ctx_cleanup = cab_ctx_cleanup
};
/* Prototypes */
static CAB_CTX *cab_ctx_get(char *indata, uint32_t filesize);
static int cab_add_jp_attribute(PKCS7 *p7, int jp);
static size_t cab_write_optional_names(BIO *outdata, char *indata, size_t len, uint16_t flags);
static int cab_modify_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
static int cab_add_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
/*
* FILE_FORMAT method definitions
*/
/*
* Allocate and return a CAB file format context.
* [in, out] options: structure holds the input data
* [out] hash: message digest BIO
* [in] outdata: outdata file BIO
* [returns] pointer to CAB file format context
*/
static FILE_FORMAT_CTX *cab_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata)
{
FILE_FORMAT_CTX *ctx;
CAB_CTX *cab_ctx;
uint32_t filesize;
filesize = get_file_size(options->infile);
if (filesize == 0)
return NULL; /* FAILED */
options->indata = map_file(options->infile, filesize);
if (!options->indata) {
return NULL; /* FAILED */
}
if (memcmp(options->indata, "MSCF", 4)) {
unmap_file(options->infile, filesize);
return NULL; /* FAILED */
}
cab_ctx = cab_ctx_get(options->indata, filesize);
if (!cab_ctx) {
unmap_file(options->infile, filesize);
return NULL; /* FAILED */
}
ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX));
ctx->format = &file_format_cab;
ctx->options = options;
ctx->cab_ctx = cab_ctx;
/* Push hash on outdata, if hash is NULL the function does nothing */
BIO_push(hash, outdata);
if (options->pagehash == 1)
printf("Warning: -ph option is only valid for PE files\n");
if (options->add_msi_dse == 1)
printf("Warning: -add-msi-dse option is only valid for MSI files\n");
return ctx;
}
/*
* Allocate and return SpcLink object.
* [out] p: SpcLink data
* [out] plen: SpcLink data length
* [in] ctx: structure holds input and output data (unused)
* [returns] pointer to ASN1_OBJECT structure corresponding to SPC_CAB_DATA_OBJID
*/
static ASN1_OBJECT *cab_obsolete_link_get(u_char **p, int *plen, FILE_FORMAT_CTX *ctx)
{
ASN1_OBJECT *dtype;
SpcLink *link = spc_link_obsolete_get();
/* squash the unused parameter warning */
(void)ctx;
*plen = i2d_SpcLink(link, NULL);
*p = OPENSSL_malloc((size_t)*plen);
i2d_SpcLink(link, p);
*p -= *plen;
dtype = OBJ_txt2obj(SPC_CAB_DATA_OBJID, 1);
SpcLink_free(link);
return dtype; /* OK */
}
/*
* [in] ctx: structure holds input and output data
* [returns] the size of the message digest when passed an EVP_MD structure (the size of the hash)
*/
static int cab_hash_length_get(FILE_FORMAT_CTX *ctx)
{
return EVP_MD_size(ctx->options->md);
}
/*
* Check if the signature exists.
* [in, out] ctx: structure holds input and output data
* [in] detached: embedded/detached PKCS#7 signature switch
* [returns] 0 on error or 1 on success
*/
static int cab_check_file(FILE_FORMAT_CTX *ctx, int detached)
{
if (!ctx) {
printf("Init error\n\n");
return 0; /* FAILED */
}
if (detached) {
printf("Checking the specified catalog file\n\n");
return 1; /* OK */
}
if (ctx->cab_ctx->header_size != 20) {
printf("No signature found\n\n");
return 0; /* FAILED */
}
if (ctx->cab_ctx->sigpos == 0 || ctx->cab_ctx->siglen == 0
|| ctx->cab_ctx->sigpos > ctx->cab_ctx->fileend) {
printf("No signature found\n\n");
return 0; /* FAILED */
}
return 1; /* OK */
}
/*
* Compute a message digest value of the signed or unsigned CAB file.
* [in] ctx: structure holds input and output data
* [in] md: message digest algorithm
* [returns] pointer to calculated message digest
*/
static u_char *cab_digest_calc(FILE_FORMAT_CTX *ctx, const EVP_MD *md)
{
uint32_t idx, fileend, coffFiles;
u_char *mdbuf = NULL;
BIO *bhash = BIO_new(BIO_f_md());
if (!BIO_set_md(bhash, md)) {
printf("Unable to set the message digest of BIO\n");
BIO_free_all(bhash);
return 0; /* FAILED */
}
BIO_push(bhash, BIO_new(BIO_s_null()));
/* u1 signature[4] 4643534D MSCF: 0-3 */
BIO_write(bhash, ctx->options->indata, 4);
/* u4 reserved1 00000000: 4-7 skipped */
if (ctx->cab_ctx->sigpos) {
uint16_t nfolders, flags;
/*
* u4 cbCabinet - size of this cabinet file in bytes: 8-11
* u4 reserved2 00000000: 12-15
*/
BIO_write(bhash, ctx->options->indata + 8, 8);
/* u4 coffFiles - offset of the first CFFILE entry: 16-19 */
coffFiles = GET_UINT32_LE(ctx->options->indata + 16);
BIO_write(bhash, ctx->options->indata + 16, 4);
/*
* u4 reserved3 00000000: 20-23
* u1 versionMinor 03: 24
* u1 versionMajor 01: 25
*/
BIO_write(bhash, ctx->options->indata + 20, 6);
/* u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27 */
nfolders = GET_UINT16_LE(ctx->options->indata + 26);
BIO_write(bhash, ctx->options->indata + 26, 2);
/* u2 cFiles - number of CFFILE entries in this cabinet: 28-29 */
BIO_write(bhash, ctx->options->indata + 28, 2);
/* u2 flags: 30-31 */
flags = GET_UINT16_LE(ctx->options->indata + 30);
BIO_write(bhash, ctx->options->indata + 30, 2);
/* u2 setID must be the same for all cabinets in a set: 32-33 */
BIO_write(bhash, ctx->options->indata + 32, 2);
/*
* u2 iCabinet - number of this cabinet file in a set: 34-35 skipped
* u2 cbCFHeader: 36-37 skipped
* u1 cbCFFolder: 38 skipped
* u1 cbCFData: 39 skipped
* u22 abReserve: 40-55 skipped
* - Additional data offset: 44-47 skipped
* - Additional data size: 48-51 skipped
*/
/* u22 abReserve: 56-59 */
BIO_write(bhash, ctx->options->indata + 56, 4);
idx = 60;
fileend = ctx->cab_ctx->sigpos;
/* TODO */
if (flags & FLAG_PREV_CABINET) {
uint8_t byte;
/* szCabinetPrev */
do {
byte = GET_UINT8_LE(ctx->options->indata + idx);
BIO_write(bhash, ctx->options->indata + idx, 1);
idx++;
} while (byte && idx < fileend);
/* szDiskPrev */
do {
byte = GET_UINT8_LE(ctx->options->indata + idx);
BIO_write(bhash, ctx->options->indata + idx, 1);
idx++;
} while (byte && idx < fileend);
}
if (flags & FLAG_NEXT_CABINET) {
uint8_t byte;
/* szCabinetNext */
do {
byte = GET_UINT8_LE(ctx->options->indata + idx);
BIO_write(bhash, ctx->options->indata + idx, 1);
idx++;
} while (byte && idx < fileend);
/* szDiskNext */
do {
byte = GET_UINT8_LE(ctx->options->indata + idx);
BIO_write(bhash, ctx->options->indata + idx, 1);
idx++;
} while (byte && idx < fileend);
}
/*
* (u8 * cFolders) CFFOLDER - structure contains information about
* one of the folders or partial folders stored in this cabinet file
*/
while (nfolders && idx < fileend) {
BIO_write(bhash, ctx->options->indata + idx, 8);
idx += 8;
nfolders--;
}
if (idx != coffFiles) {
printf("Corrupt coffFiles value: 0x%08X\n", coffFiles);
BIO_free_all(bhash);
return 0; /* FAILED */
}
} else {
/* read what's left of the unsigned CAB file */
idx = 8;
fileend = ctx->cab_ctx->fileend;
}
/* (variable) ab - the compressed data bytes */
if (!bio_hash_data(bhash, ctx->options->indata, idx, fileend)) {
printf("Unable to calculate digest\n");
BIO_free_all(bhash);
return 0; /* FAILED */
}
mdbuf = OPENSSL_malloc((size_t)EVP_MD_size(md));
BIO_gets(bhash, (char*)mdbuf, EVP_MD_size(md));
BIO_free_all(bhash);
return mdbuf; /* OK */
}
/*
* Calculate message digest and compare to value retrieved from PKCS#7 signedData.
* [in] ctx: structure holds input and output data
* [in] p7: PKCS#7 signature
* [returns] 0 on error or 1 on success
*/
static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7)
{
int mdtype = -1;
const EVP_MD *md;
u_char mdbuf[EVP_MAX_MD_SIZE];
u_char *cmdbuf;
if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) {
ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence;
const u_char *p = content_val->data;
SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length);
if (idc) {
if (idc->messageDigest && idc->messageDigest->digest && idc->messageDigest->digestAlgorithm) {
mdtype = OBJ_obj2nid(idc->messageDigest->digestAlgorithm->algorithm);
memcpy(mdbuf, idc->messageDigest->digest->data, (size_t)idc->messageDigest->digest->length);
}
SpcIndirectDataContent_free(idc);
}
}
if (mdtype == -1) {
printf("Failed to extract current message digest\n\n");
return 0; /* FAILED */
}
md = EVP_get_digestbynid(mdtype);
cmdbuf = cab_digest_calc(ctx, md);
if (!cmdbuf) {
printf("Failed to calculate message digest\n\n");
return 0; /* FAILED */
}
if (!compare_digests(mdbuf, cmdbuf, mdtype)) {
printf("Signature verification: failed\n\n");
OPENSSL_free(cmdbuf);
return 0; /* FAILED */
}
OPENSSL_free(cmdbuf);
return 1; /* OK */
}
/*
* Extract existing signature in DER format.
* [in] ctx: structure holds input and output data
* pointer to PKCS#7 structure
*/
static PKCS7 *cab_pkcs7_extract(FILE_FORMAT_CTX *ctx)
{
if (ctx->cab_ctx->sigpos == 0 || ctx->cab_ctx->siglen == 0
|| ctx->cab_ctx->sigpos > ctx->cab_ctx->fileend) {
return NULL; /* FAILED */
}
return pkcs7_get(ctx->options->indata, ctx->cab_ctx->sigpos, ctx->cab_ctx->siglen);
}
/*
* Remove existing signature.
* [in, out] ctx: structure holds input and output data
* [out] hash: message digest BIO (unused)
* [out] outdata: outdata file BIO
* [returns] 1 on error or 0 on success
*/
static int cab_remove_pkcs7(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
{
size_t i, written, len;
uint32_t tmp;
uint16_t nfolders, flags;
char *buf = OPENSSL_malloc(SIZE_64K);
/* squash the unused parameter warning */
(void)hash;
/*
* u1 signature[4] 4643534D MSCF: 0-3
* u4 reserved1 00000000: 4-7
*/
BIO_write(outdata, ctx->options->indata, 8);
/* u4 cbCabinet - size of this cabinet file in bytes: 8-11 */
tmp = GET_UINT32_LE(ctx->options->indata + 8) - 24;
PUT_UINT32_LE(tmp, buf);
BIO_write(outdata, buf, 4);
/* u4 reserved2 00000000: 12-15 */
BIO_write(outdata, ctx->options->indata + 12, 4);
/* u4 coffFiles - offset of the first CFFILE entry: 16-19 */
tmp = GET_UINT32_LE(ctx->options->indata + 16) - 24;
PUT_UINT32_LE(tmp, buf);
BIO_write(outdata, buf, 4);
/*
* u4 reserved3 00000000: 20-23
* u1 versionMinor 03: 24
* u1 versionMajor 01: 25
* u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27
* u2 cFiles - number of CFFILE entries in this cabinet: 28-29
*/
BIO_write(outdata, ctx->options->indata + 20, 10);
/* u2 flags: 30-31 */
flags = GET_UINT16_LE(ctx->options->indata + 30);
/* coverity[result_independent_of_operands] only least significant byte is affected */
PUT_UINT16_LE(flags & (FLAG_PREV_CABINET | FLAG_NEXT_CABINET), buf);
BIO_write(outdata, buf, 2);
/*
* u2 setID must be the same for all cabinets in a set: 32-33
* u2 iCabinet - number of this cabinet file in a set: 34-35
*/
BIO_write(outdata, ctx->options->indata + 32, 4);
i = cab_write_optional_names(outdata, ctx->options->indata, 60, flags);
/*
* (u8 * cFolders) CFFOLDER - structure contains information about
* one of the folders or partial folders stored in this cabinet file
*/
nfolders = GET_UINT16_LE(ctx->options->indata + 26);
while (nfolders) {
tmp = GET_UINT32_LE(ctx->options->indata + i);
tmp -= 24;
PUT_UINT32_LE(tmp, buf);
BIO_write(outdata, buf, 4);
BIO_write(outdata, ctx->options->indata + i + 4, 4);
i+=8;
nfolders--;
}
OPENSSL_free(buf);
/* Write what's left - the compressed data bytes */
len = ctx->cab_ctx->fileend - ctx->cab_ctx->siglen - i;
while (len > 0) {
if (!BIO_write_ex(outdata, ctx->options->indata + i, len, &written))
return 1; /* FAILED */
len -= written;
i += written;
}
return 0; /* OK */
}
/*
* Obtain an existing signature or create a new one.
* [in, out] ctx: structure holds input and output data
* [out] hash: message digest BIO
* [out] outdata: outdata file BIO
* [returns] pointer to PKCS#7 structure
*/
static PKCS7 *cab_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
{
PKCS7 *cursig = NULL, *p7 = NULL;
/* Strip current signature and modify header */
if (ctx->cab_ctx->header_size == 20) {
if (!cab_modify_header(ctx, hash, outdata))
return NULL; /* FAILED */
} else {
if (!cab_add_header(ctx, hash, outdata))
return NULL; /* FAILED */
}
/* Obtain a current signature from previously-signed file */
if ((ctx->options->cmd == CMD_SIGN && ctx->options->nest)
|| (ctx->options->cmd == CMD_ATTACH && ctx->options->nest)
|| ctx->options->cmd == CMD_ADD) {
cursig = pkcs7_get(ctx->options->indata, ctx->cab_ctx->sigpos, ctx->cab_ctx->siglen);
if (!cursig) {
printf("Unable to extract existing signature\n");
return NULL; /* FAILED */
}
if (ctx->options->cmd == CMD_ADD)
p7 = cursig;
}
if (ctx->options->cmd == CMD_ATTACH) {
/* Obtain an existing PKCS#7 signature */
p7 = pkcs7_get_sigfile(ctx);
if (!p7) {
printf("Unable to extract valid signature\n");
PKCS7_free(cursig);
return NULL; /* FAILED */
}
} else if (ctx->options->cmd == CMD_SIGN) {
/* Create a new PKCS#7 signature */
p7 = pkcs7_create(ctx);
if (!p7) {
printf("Creating a new signature failed\n");
return NULL; /* FAILED */
}
if (ctx->options->jp >= 0 && !cab_add_jp_attribute(p7, ctx->options->jp)) {
printf("Adding jp attribute failed\n");
PKCS7_free(p7);
return NULL; /* FAILED */
}
if (!add_indirect_data_object(p7, hash, ctx)) {
printf("Adding SPC_INDIRECT_DATA_OBJID failed\n");
PKCS7_free(p7);
return NULL; /* FAILED */
}
}
if (ctx->options->nest)
ctx->options->prevsig = cursig;
return p7;
}
/*
* Append signature to the outfile.
* [in, out] ctx: structure holds input and output data (unused)
* [out] outdata: outdata file BIO
* [in] p7: PKCS#7 signature
* [returns] 1 on error or 0 on success
*/
static int cab_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7)
{
u_char *p = NULL;
int len; /* signature length */
int padlen; /* signature padding length */
/* squash the unused parameter warning */
(void)ctx;
if (((len = i2d_PKCS7(p7, NULL)) <= 0)
|| (p = OPENSSL_malloc((size_t)len)) == NULL) {
printf("i2d_PKCS memory allocation failed: %d\n", len);
return 1; /* FAILED */
}
i2d_PKCS7(p7, &p);
p -= len;
padlen = len % 8 ? 8 - len % 8 : 0;
BIO_write(outdata, p, len);
/* pad (with 0's) asn1 blob to 8 byte boundary */
if (padlen > 0) {
memset(p, 0, (size_t)padlen);
BIO_write(outdata, p, padlen);
}
OPENSSL_free(p);
return 0; /* OK */
}
/*
* Update additional data size.
* Additional data size is located at offset 0x30 (from file beginning)
* and consist of 4 bytes (little-endian order).
* [in, out] ctx: structure holds input and output data
* [out] outdata: outdata file BIO
* [in] p7: PKCS#7 signature
* [returns] none
*/
static void cab_update_data_size(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7)
{
int len, padlen;
u_char buf[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
/* squash the unused parameter warning */
(void)ctx;
if (!p7) {
/* CMD_REMOVE
* additional header does not exist so additional data size is unused */
return;
}
(void)BIO_seek(outdata, 0x30);
len = i2d_PKCS7(p7, NULL);
padlen = len % 8 ? 8 - len % 8 : 0;
PUT_UINT32_LE(len + padlen, buf);
BIO_write(outdata, buf, 4);
}
/*
* Free up an entire message digest BIO chain.
* [out] hash: message digest BIO
* [out] outdata: outdata file BIO (unused)
* [returns] none
*/
static BIO *cab_bio_free(BIO *hash, BIO *outdata)
{
/* squash the unused parameter warning */
(void)outdata;
BIO_free_all(hash);
return NULL;
}
/*
* Deallocate a FILE_FORMAT_CTX structure and CAB format specific structure,
* unmap indata file, unlink outfile.
* [in, out] ctx: structure holds input and output data
* [out] hash: message digest BIO
* [in] outdata: outdata file BIO
* [returns] none
*/
static void cab_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
{
if (outdata) {
BIO_free_all(hash);
if (ctx->options->outfile) {
#ifdef WIN32
_unlink(ctx->options->outfile);
#else
unlink(ctx->options->outfile);
#endif /* WIN32 */
}
}
unmap_file(ctx->options->indata, ctx->cab_ctx->fileend);
OPENSSL_free(ctx->cab_ctx);
OPENSSL_free(ctx);
}
/*
* CAB helper functions
*/
/*
* Verify mapped CAB file and create CAB format specific structure.
* [in] indata: mapped CAB file
* [in] filesize: size of CAB file
* [returns] pointer to CAB format specific structure
*/
static CAB_CTX *cab_ctx_get(char *indata, uint32_t filesize)
{
CAB_CTX *cab_ctx;
uint32_t reserved, header_size = 0, sigpos = 0, siglen = 0;
uint16_t flags;
if (filesize < 44) {
printf("CAB file is too short\n");
return NULL; /* FAILED */
}
reserved = GET_UINT32_LE(indata + 4);
if (reserved) {
printf("Reserved1: 0x%08X\n", reserved);
return NULL; /* FAILED */
}
/* flags specify bit-mapped values that indicate the presence of optional data */
flags = GET_UINT16_LE(indata + 30);
if (flags & FLAG_PREV_CABINET) {
/* FLAG_NEXT_CABINET works */
printf("Multivolume cabinet file is unsupported: flags 0x%04X\n", flags);
return NULL; /* FAILED */
}
if (flags & FLAG_RESERVE_PRESENT) {
/*
* Additional headers is located at offset 36 (cbCFHeader, cbCFFolder, cbCFData);
* size of header (4 bytes, little-endian order) must be 20 (checkpoint).
*/
header_size = GET_UINT32_LE(indata + 36);
if (header_size != 20) {
printf("Additional header size: 0x%08X\n", header_size);
return NULL; /* FAILED */
}
reserved = GET_UINT32_LE(indata + 40);
if (reserved != 0x00100000) {
printf("abReserved: 0x%08X\n", reserved);
return NULL; /* FAILED */
}
/*
* File size is defined at offset 8, however if additional header exists, this size is not valid.
* sigpos - additional data offset is located at offset 44 (from file beginning)
* and consist of 4 bytes (little-endian order)
* siglen - additional data size is located at offset 48 (from file beginning)
* and consist of 4 bytes (little-endian order)
* If there are additional headers, size of the CAB archive file is calcualted
* as additional data offset plus additional data size.
*/
sigpos = GET_UINT32_LE(indata + 44);
siglen = GET_UINT32_LE(indata + 48);
if ((sigpos < filesize && sigpos + siglen != filesize) || (sigpos >= filesize)) {
printf("Additional data offset:\t%u bytes\nAdditional data size:\t%u bytes\n",
sigpos, siglen);
printf("File size:\t\t%u bytes\n", filesize);
return NULL; /* FAILED */
}
if ((sigpos > 0 && siglen == 0) || (sigpos == 0 && siglen > 0)) {
printf("Corrupt signature\n");
return NULL; /* FAILED */
}
}
cab_ctx = OPENSSL_zalloc(sizeof(CAB_CTX));
cab_ctx->header_size = header_size;
cab_ctx->sigpos = sigpos;
cab_ctx->siglen = siglen;
cab_ctx->fileend = filesize;
cab_ctx->flags = flags;
return cab_ctx; /* OK */
}
/*
* Add level of permissions in Microsoft Internet Explorer 4.x for CAB files,
* only low level is supported.
* [in, out] p7: PKCS#7 signature
* [in] jp: low (0) level
* [returns] 0 on error or 1 on success
*/
static int cab_add_jp_attribute(PKCS7 *p7, int jp)
{
STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
PKCS7_SIGNER_INFO *si;
ASN1_STRING *astr;
const u_char *attrs = NULL;
const u_char java_attrs_low[] = {
0x30, 0x06, 0x03, 0x02, 0x00, 0x01, 0x30, 0x00
};
signer_info = PKCS7_get_signer_info(p7);
if (!signer_info)
return 0; /* FAILED */
si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!si)
return 0; /* FAILED */
switch (jp) {
case 0:
attrs = java_attrs_low;
break;
case 1:
/* XXX */
case 2:
/* XXX */
default:
break;
}
if (attrs) {
astr = ASN1_STRING_new();
ASN1_STRING_set(astr, attrs, sizeof java_attrs_low);
return PKCS7_add_signed_attribute(si, OBJ_txt2nid(MS_JAVA_SOMETHING),
V_ASN1_SEQUENCE, astr);
}
return 1; /* OK */
}
/*
* Write name of previous and next cabinet file.
* Multivolume cabinet file is unsupported TODO.
* [out] outdata: outdata file BIO
* [in] indata: mapped CAB file
* [in] len: offset
* [in] flags: FLAG_PREV_CABINET, FLAG_NEXT_CABINET
* [returns] offset
*/
static size_t cab_write_optional_names(BIO *outdata, char *indata, size_t i, uint16_t flags)
{
if (flags & FLAG_PREV_CABINET) {
/* szCabinetPrev */
while (GET_UINT8_LE(indata + i)) {
BIO_write(outdata, indata + i, 1);
i++;
}
BIO_write(outdata, indata + i, 1);
i++;
/* szDiskPrev */
while (GET_UINT8_LE(indata + i)) {
BIO_write(outdata, indata + i, 1);
i++;
}
BIO_write(outdata, indata + i, 1);
i++;
}
if (flags & FLAG_NEXT_CABINET) {
/* szCabinetNext */
while (GET_UINT8_LE(indata + i)) {
BIO_write(outdata, indata + i, 1);
i++;
}
BIO_write(outdata, indata + i, 1);
i++;
/* szDiskNext */
while (GET_UINT8_LE(indata + i)) {
BIO_write(outdata, indata + i, 1);
i++;
}
BIO_write(outdata, indata + i, 1);
i++;
}
return i;
}
/*
* Modify CAB header.
* [in, out] ctx: structure holds input and output data
* [out] hash: message digest BIO
* [out] outdata: outdata file BIO
* [returns] 0 on error or 1 on success
*/
static int cab_modify_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
{
size_t i, written, len;
uint16_t nfolders, flags;
u_char buf[] = {0x00, 0x00};
/* u1 signature[4] 4643534D MSCF: 0-3 */
BIO_write(hash, ctx->options->indata, 4);
/* u4 reserved1 00000000: 4-7 */
BIO_write(outdata, ctx->options->indata + 4, 4);
/*
* u4 cbCabinet - size of this cabinet file in bytes: 8-11
* u4 reserved2 00000000: 12-15
* u4 coffFiles - offset of the first CFFILE entry: 16-19
* u4 reserved3 00000000: 20-23
* u1 versionMinor 03: 24
* u1 versionMajor 01: 25
* u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27
* u2 cFiles - number of CFFILE entries in this cabinet: 28-29
*/
BIO_write(hash, ctx->options->indata + 8, 22);
/* u2 flags: 30-31 */
flags = GET_UINT16_LE(ctx->options->indata + 30);
PUT_UINT16_LE(flags, buf);
BIO_write(hash, buf, 2);
/* u2 setID must be the same for all cabinets in a set: 32-33 */
BIO_write(hash, ctx->options->indata + 32, 2);
/*
* u2 iCabinet - number of this cabinet file in a set: 34-35
* u2 cbCFHeader: 36-37
* u1 cbCFFolder: 38
* u1 cbCFData: 39
* u16 abReserve: 40-55
* - Additional data offset: 44-47
* - Additional data size: 48-51
*/
BIO_write(outdata, ctx->options->indata + 34, 22);
/* u4 abReserve: 56-59 */
BIO_write(hash, ctx->options->indata + 56, 4);
i = cab_write_optional_names(outdata, ctx->options->indata, 60, flags);
/*
* (u8 * cFolders) CFFOLDER - structure contains information about
* one of the folders or partial folders stored in this cabinet file
*/
nfolders = GET_UINT16_LE(ctx->options->indata + 26);
while (nfolders) {
BIO_write(hash, ctx->options->indata + i, 8);
i += 8;
nfolders--;
}
/* Write what's left - the compressed data bytes */
len = ctx->cab_ctx->sigpos - i;
while (len > 0) {
if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written))
return 0; /* FAILED */
len -= written;
i += written;
}
return 1; /* OK */
}
/*
* Add signed CAB header.
* [in, out] ctx: structure holds input and output data
* [out] hash: message digest BIO
* [out] outdata: outdata file BIO
* [returns] 0 on error or 1 on success
*/
static int cab_add_header(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
{
size_t i, written, len;
uint32_t tmp;
uint16_t nfolders, flags;
u_char cabsigned[] = {
0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
0xde, 0xad, 0xbe, 0xef, /* size of cab file */
0xde, 0xad, 0xbe, 0xef, /* size of asn1 blob */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
char *buf = OPENSSL_malloc(SIZE_64K);
memset(buf, 0, SIZE_64K);
/* u1 signature[4] 4643534D MSCF: 0-3 */
BIO_write(hash, ctx->options->indata, 4);
/* u4 reserved1 00000000: 4-7 */
BIO_write(outdata, ctx->options->indata + 4, 4);
/* u4 cbCabinet - size of this cabinet file in bytes: 8-11 */
tmp = GET_UINT32_LE(ctx->options->indata + 8) + 24;
PUT_UINT32_LE(tmp, buf);
BIO_write(hash, buf, 4);
/* u4 reserved2 00000000: 12-15 */
BIO_write(hash, ctx->options->indata + 12, 4);
/* u4 coffFiles - offset of the first CFFILE entry: 16-19 */
tmp = GET_UINT32_LE(ctx->options->indata + 16) + 24;
PUT_UINT32_LE(tmp, buf + 4);
BIO_write(hash, buf + 4, 4);
/*
* u4 reserved3 00000000: 20-23
* u1 versionMinor 03: 24
* u1 versionMajor 01: 25
* u2 cFolders - number of CFFOLDER entries in this cabinet: 26-27
* u2 cFiles - number of CFFILE entries in this cabinet: 28-29
*/
memcpy(buf + 4, ctx->options->indata + 20, 10);
flags = GET_UINT16_LE(ctx->options->indata + 30);
buf[4+10] = (char)flags | FLAG_RESERVE_PRESENT;
/* u2 setID must be the same for all cabinets in a set: 32-33 */
memcpy(buf + 16, ctx->options->indata + 32, 2);
BIO_write(hash, buf + 4, 14);
/* u2 iCabinet - number of this cabinet file in a set: 34-35 */
BIO_write(outdata, ctx->options->indata + 34, 2);
memcpy(cabsigned + 8, buf, 4);
BIO_write(outdata, cabsigned, 20);
BIO_write(hash, cabsigned+20, 4);
i = cab_write_optional_names(outdata, ctx->options->indata, 36, flags);
/*
* (u8 * cFolders) CFFOLDER - structure contains information about
* one of the folders or partial folders stored in this cabinet file
*/
nfolders = GET_UINT16_LE(ctx->options->indata + 26);
while (nfolders) {
tmp = GET_UINT32_LE(ctx->options->indata + i);
tmp += 24;
PUT_UINT32_LE(tmp, buf);
BIO_write(hash, buf, 4);
BIO_write(hash, ctx->options->indata + i + 4, 4);
i += 8;
nfolders--;
}
OPENSSL_free(buf);
/* Write what's left - the compressed data bytes */
len = ctx->cab_ctx->fileend - i;
while (len > 0) {
if (!BIO_write_ex(hash, ctx->options->indata + i, len, &written))
return 0; /* FAILED */
len -= written;
i += written;
}
return 1; /* OK */
}
/*
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
*/

263
cat.c Normal file
View File

@ -0,0 +1,263 @@
/*
* CAT file support library
*
* Copyright (C) 2021-2023 Michał Trojnara <Michal.Trojnara@stunnel.org>
* Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
*
* Catalog files are a bit odd, in that they are only a PKCS7 blob.
*/
#include "osslsigncode.h"
#include "helpers.h"
const u_char pkcs7_signed_data[] = {
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x07, 0x02,
};
struct cat_ctx_st {
uint32_t sigpos;
uint32_t siglen;
uint32_t fileend;
};
/* FILE_FORMAT method prototypes */
static FILE_FORMAT_CTX *cat_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata);
static PKCS7 *cat_pkcs7_extract(FILE_FORMAT_CTX *ctx);
static PKCS7 *cat_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
static int cat_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7);
static BIO *cat_bio_free(BIO *hash, BIO *outdata);
static void cat_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
FILE_FORMAT file_format_cat = {
.ctx_new = cat_ctx_new,
.pkcs7_extract = cat_pkcs7_extract,
.pkcs7_prepare = cat_pkcs7_prepare,
.append_pkcs7 = cat_append_pkcs7,
.bio_free = cat_bio_free,
.ctx_cleanup = cat_ctx_cleanup,
};
/* Prototypes */
static CAT_CTX *cat_ctx_get(char *indata, uint32_t filesize);
/*
* FILE_FORMAT method definitions
*/
/*
* Allocate and return a CAT file format context.
* [in, out] options: structure holds the input data
* [out] hash: message digest BIO (unused)
* [in] outdata: outdata file BIO (unused)
* [returns] pointer to CAT file format context
*/
static FILE_FORMAT_CTX *cat_ctx_new(GLOBAL_OPTIONS *options, BIO *hash, BIO *outdata)
{
FILE_FORMAT_CTX *ctx;
CAT_CTX *cat_ctx;
uint32_t filesize;
/* squash unused parameter warnings */
(void)outdata;
(void)hash;
if (options->cmd == CMD_REMOVE || options->cmd==CMD_ATTACH) {
printf("Unsupported command\n");
return NULL; /* FAILED */
}
if (options->cmd == CMD_VERIFY) {
printf("Use -catalog option\n");
return NULL; /* FAILED */
}
filesize = get_file_size(options->infile);
if (filesize == 0)
return NULL; /* FAILED */
options->indata = map_file(options->infile, filesize);
if (!options->indata) {
return NULL; /* FAILED */
}
/* the maximum size of a supported cat file is (2^24 -1) bytes */
if (memcmp(options->indata + ((GET_UINT8_LE(options->indata+1) == 0x82) ? 4 : 5),
pkcs7_signed_data, sizeof pkcs7_signed_data)) {
unmap_file(options->infile, filesize);
return NULL; /* FAILED */
}
cat_ctx = cat_ctx_get(options->indata, filesize);
if (!cat_ctx) {
unmap_file(options->infile, filesize);
return NULL; /* FAILED */
}
ctx = OPENSSL_malloc(sizeof(FILE_FORMAT_CTX));
ctx->format = &file_format_cat;
ctx->options = options;
ctx->cat_ctx = cat_ctx;
/* Push hash on outdata, if hash is NULL the function does nothing */
BIO_push(hash, outdata);
if (options->nest)
/* I've not tried using set_nested_signature as signtool won't do this */
printf("Warning: CAT files do not support nesting (multiple signature)\n");
if (options->jp >= 0)
printf("Warning: -jp option is only valid for CAB files\n");
if (options->pagehash == 1)
printf("Warning: -ph option is only valid for PE files\n");
if (options->add_msi_dse == 1)
printf("Warning: -add-msi-dse option is only valid for MSI files\n");
return ctx;
}
/*
* Extract existing signature in DER format.
* [in] ctx: structure holds input and output data
* [returns] pointer to PKCS#7 structure
*/
static PKCS7 *cat_pkcs7_extract(FILE_FORMAT_CTX *ctx)
{
return pkcs7_get(ctx->options->indata, ctx->cat_ctx->sigpos, ctx->cat_ctx->siglen);
}
/*
* Obtain an existing signature or create a new one.
* [in, out] ctx: structure holds input and output data
* [out] hash: message digest BIO (unused)
* [out] outdata: outdata file BIO (unused)
* [returns] pointer to PKCS#7 structure
*/
static PKCS7 *cat_pkcs7_prepare(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
{
PKCS7 *cursig = NULL, *p7 = NULL;
/* squash unused parameter warnings */
(void)outdata;
(void)hash;
/* Obtain an existing signature */
cursig = pkcs7_get(ctx->options->indata, ctx->cat_ctx->sigpos, ctx->cat_ctx->siglen);
if (!cursig) {
printf("Unable to extract existing signature\n");
return NULL; /* FAILED */
}
if (ctx->options->cmd == CMD_ADD || ctx->options->cmd == CMD_ATTACH) {
p7 = cursig;
} else if (ctx->options->cmd == CMD_SIGN) {
/* Create a new signature */
p7 = pkcs7_create(ctx);
if (!p7) {
printf("Creating a new signature failed\n");
PKCS7_free(cursig);
return NULL; /* FAILED */
}
if (!add_ms_ctl_object(p7, cursig)) {
printf("Adding MS_CTL_OBJID failed\n");
PKCS7_free(p7);
PKCS7_free(cursig);
return NULL; /* FAILED */
}
PKCS7_free(cursig);
}
return p7; /* OK */
}
/*
* Append signature to the outfile.
* [in, out] ctx: structure holds input and output data (unused)
* [out] outdata: outdata file BIO
* [in] p7: PKCS#7 signature
* [returns] 1 on error or 0 on success
*/
static int cat_append_pkcs7(FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7)
{
u_char *p = NULL;
int len; /* signature length */
/* squash the unused parameter warning */
(void)ctx;
if (((len = i2d_PKCS7(p7, NULL)) <= 0)
|| (p = OPENSSL_malloc((size_t)len)) == NULL) {
printf("i2d_PKCS memory allocation failed: %d\n", len);
return 1; /* FAILED */
}
i2d_PKCS7(p7, &p);
p -= len;
i2d_PKCS7_bio(outdata, p7);
OPENSSL_free(p);
return 0; /* OK */
}
/*
* Free up an entire message digest BIO chain.
* [out] hash: message digest BIO
* [out] outdata: outdata file BIO (unused)
* [returns] none
*/
static BIO *cat_bio_free(BIO *hash, BIO *outdata)
{
/* squash the unused parameter warning */
(void)outdata;
BIO_free_all(hash);
return NULL;
}
/*
* Deallocate a FILE_FORMAT_CTX structure and CAT format specific structure,
* unmap indata file, unlink outfile.
* [in, out] ctx: structure holds all input and output data
* [out] hash: message digest BIO
* [in] outdata: outdata file BIO
* [returns] none
*/
static void cat_ctx_cleanup(FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata)
{
if (outdata) {
BIO_free_all(hash);
if (ctx->options->outfile) {
#ifdef WIN32
_unlink(ctx->options->outfile);
#else
unlink(ctx->options->outfile);
#endif /* WIN32 */
}
}
unmap_file(ctx->options->indata, ctx->cat_ctx->fileend);
OPENSSL_free(ctx->cat_ctx);
OPENSSL_free(ctx);
}
/*
* CAT helper functions
*/
/*
* Verify mapped CAT file TODO and create CAT format specific structure.
* [in] indata: mapped CAT file (unused)
* [in] filesize: size of CAT file
* [returns] pointer to CAT format specific structure
*/
static CAT_CTX *cat_ctx_get(char *indata, uint32_t filesize)
{
CAT_CTX *cat_ctx;
/* squash the unused parameter warning */
(void)indata;
cat_ctx = OPENSSL_zalloc(sizeof(CAT_CTX));
cat_ctx->sigpos = 0;
cat_ctx->siglen = filesize;
cat_ctx->fileend = filesize;
return cat_ctx; /* OK */
}
/*
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
*/

9
cmake/CMakeDist.cmake
View File

@ -25,3 +25,12 @@ list(APPEND CPACK_SOURCE_IGNORE_FILES "/build/")
include(CPack)
add_custom_target(dist COMMAND ${CMAKE_MAKE_PROGRAM} package_source)
#[[
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
]]

874
cmake/CMakeTest.cmake
View File

@ -1,298 +1,620 @@
# make test
# ctest -C Release
########## Configure ##########
option(STOP_SERVER "Stop HTTP server after tests" ON)
include(FindPython3)
set(TEST_DIR "${PROJECT_BINARY_DIR}/Testing")
file(COPY
"${CMAKE_CURRENT_SOURCE_DIR}/tests/files"
"${CMAKE_CURRENT_SOURCE_DIR}/tests/conf"
"${CMAKE_CURRENT_SOURCE_DIR}/tests/client_http.py"
DESTINATION "${TEST_DIR}/")
file(MAKE_DIRECTORY "${TEST_DIR}/logs")
set(FILES "${TEST_DIR}/files")
set(CERTS "${TEST_DIR}/certs")
set(CONF "${TEST_DIR}/conf")
set(LOGS "${TEST_DIR}/logs")
set(CLIENT_HTTP "${TEST_DIR}/client_http.py")
if(UNIX)
file(COPY
"${CMAKE_CURRENT_SOURCE_DIR}/tests/server_http.py"
DESTINATION "${TEST_DIR}/")
set(SERVER_HTTP "${TEST_DIR}/server_http.py")
else(UNIX)
file(COPY
"${CMAKE_CURRENT_SOURCE_DIR}/tests/server_http.pyw"
DESTINATION "${TEST_DIR}/")
set(SERVER_HTTP "${TEST_DIR}/server_http.pyw")
endif(UNIX)
file(COPY
"${CMAKE_CURRENT_SOURCE_DIR}/tests/certs/ca-bundle.crt"
DESTINATION "${CONF}")
if(WIN32 OR APPLE)
if(WIN32)
message(STATUS "Use pythonw to start HTTP server: \"pythonw.exe Testing\\server_http.pyw\"")
else(WIN32)
message(STATUS "Use python3 to start HTTP server: \"python3 Testing/server_http.py --port 19254\"")
endif(WIN32)
set(default_certs 1)
else(WIN32 OR APPLE)
if(Python3_FOUND)
if(EXISTS ${LOGS}/port.log)
# Stop HTTP server if running
message(STATUS "Try to kill HTTP server")
execute_process(
COMMAND ${Python3_EXECUTABLE} "${CLIENT_HTTP}"
WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
OUTPUT_VARIABLE client_output
RESULT_VARIABLE client_result)
if(NOT client_result)
# Successfully closed
message(STATUS "${client_output}")
endif(NOT client_result)
endif(EXISTS ${LOGS}/port.log)
# Start Time Stamping Authority and CRL distribution point HTTP server
execute_process(
COMMAND ${Python3_EXECUTABLE} "${SERVER_HTTP}"
WORKING_DIRECTORY ${PROJECT_BINARY_DIR}
OUTPUT_FILE ${LOGS}/server.log
ERROR_FILE ${LOGS}/server.log
RESULT_VARIABLE server_error)
if(server_error)
message(STATUS "HTTP server failed: ${server_error}")
else(server_error)
# Check if file exists and is no-empty
while(NOT EXISTS ${LOGS}/port.log)
execute_process(COMMAND sleep 1)
endwhile(NOT EXISTS ${LOGS}/port.log)
file(READ ${LOGS}/port.log PORT)
while(NOT PORT)
execute_process(COMMAND sleep 1)
file(READ ${LOGS}/port.log PORT)
endwhile(NOT PORT)
file(STRINGS ${LOGS}/server.log server_log)
message(STATUS "${server_log}")
# Generate new cTest certificates
if(NOT SED_EXECUTABLE)
find_program(SED_EXECUTABLE sed)
mark_as_advanced(SED_EXECUTABLE)
endif(NOT SED_EXECUTABLE)
execute_process(
COMMAND ${SED_EXECUTABLE}
-i.bak s/:19254/:${PORT}/ "${CONF}/openssl_intermediate_crldp.cnf"
COMMAND ${SED_EXECUTABLE}
-i.bak s/:19254/:${PORT}/ "${CONF}/openssl_tsa_root.cnf")
execute_process(
COMMAND "${CONF}/makecerts.sh"
WORKING_DIRECTORY ${CONF}
OUTPUT_VARIABLE makecerts_output
RESULT_VARIABLE default_certs)
message(STATUS "${makecerts_output}")
endif(server_error)
endif(Python3_FOUND)
endif(WIN32 OR APPLE)
# Copy the set of default certificates
if(default_certs)
message(STATUS "Default certificates used by cTest")
set(PORT 19254)
file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/tests/certs"
DESTINATION "${TEST_DIR}")
endif(default_certs)
# Compute a SHA256 hash of the leaf certificate (in DER form)
execute_process(
COMMAND ${CMAKE_COMMAND} -E sha256sum "${CERTS}/cert.der"
OUTPUT_VARIABLE sha256sum)
string(SUBSTRING ${sha256sum} 0 64 leafhash)
########## Testing ##########
enable_testing()
set(FILES "${PROJECT_BINARY_DIR}/Testing/files")
set(CERTS "${PROJECT_BINARY_DIR}/Testing/certs")
set(CONF "${PROJECT_BINARY_DIR}/Testing/conf")
set(extensions_all "exe" "ex_" "msi" "256appx" "512appx" "cat")
set(extensions_nocat "exe" "ex_" "msi" "256appx" "512appx")
set(extensions_nocatappx "exe" "ex_" "msi")
file(COPY
"${CMAKE_CURRENT_SOURCE_DIR}/tests/files"
"${CMAKE_CURRENT_SOURCE_DIR}/tests/conf"
"${CMAKE_CURRENT_SOURCE_DIR}/tests/tsa_server.py"
DESTINATION "${PROJECT_BINARY_DIR}/Testing"
)
# Test 1
# Print osslsigncode version
add_test(NAME version
COMMAND osslsigncode --version)
file(COPY
"${CMAKE_CURRENT_SOURCE_DIR}/tests/certs/ca-bundle.crt"
DESTINATION "${CONF}"
)
### Sign ###
set(priv_p12 "-pkcs12" "${CERTS}/cert.p12" "-readpass" "${CERTS}/password.txt")
set(priv_spc "-certs" "${CERTS}/cert.spc" "-key" "${CERTS}/key.pvk" "-pass" "passme")
set(priv_der "-certs" "${CERTS}/cert.pem" "-key" "${CERTS}/key.der" "-pass" "passme")
set(priv_pkey "-certs" "${CERTS}/cert.pem" "-key" "${CERTS}/keyp.pem" "-pass" "passme")
set(sign_opt "-time" "1556708400"
"-add-msi-dse" "-comm" "-ph" "-jp" "low"
"-h" "sha512" "-i" "https://www.osslsigncode.com/"
"-n" "osslsigncode" "-ac" "${CERTS}/crosscert.pem"
)
if(CMAKE_HOST_UNIX)
execute_process(
COMMAND "${CONF}/makecerts.sh"
WORKING_DIRECTORY ${CONF}
OUTPUT_VARIABLE makecerts_output
RESULT_VARIABLE makecerts_result
)
else()
set(makecerts_result 1)
endif()
if(makecerts_result)
message(STATUS "makecerts.sh failed")
if(makecerts_output)
message(STATUS "${makecerts_output}")
endif()
file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/tests/certs"
DESTINATION "${PROJECT_BINARY_DIR}/Testing"
)
endif()
execute_process(
COMMAND ${CMAKE_COMMAND} -E sha256sum "${CERTS}/cert.der"
OUTPUT_VARIABLE sha256sum
)
string(SUBSTRING ${sha256sum} 0 64 leafhash)
set(verify_opt "-CAfile" "${CERTS}/CACert.pem"
"-CRLfile" "${CERTS}/CACertCRL.pem"
"-TSA-CAfile" "${CERTS}/TSACA.pem"
)
set(extensions_4 "exe" "ex_" "msi" "cat")
set(extensions_3 "exe" "ex_" "msi")
set(files_4 "signed" "nested" "added")
set(files_3 "removed" "attached_pem" "attached_der")
set(sign_formats "pem" "der")
set(pem_certs "cert" "expired" "revoked")
set(failed_certs "expired" "revoked")
add_test(
NAME version
COMMAND osslsigncode --version
)
foreach(ext ${extensions_4})
# Signing time: May 1 00:00:00 2019 GMT
set(sign_${ext} )
add_test(
NAME signed_${ext}
COMMAND osslsigncode "sign" ${sign_opt} ${priv_p12}
"-in" "${FILES}/unsigned.${ext}" "-out" "${FILES}/signed.${ext}"
)
endforeach()
foreach(ext ${extensions_3})
add_test(
NAME removed_${ext}
COMMAND osslsigncode "remove-signature"
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/removed.${ext}"
)
endforeach()
foreach(ext ${extensions_3})
add_test(
NAME extract_pem_${ext}
COMMAND osslsigncode "extract-signature" "-pem"
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/${ext}.pem"
)
endforeach()
foreach(ext ${extensions_3})
add_test(
NAME extract_der_${ext}
COMMAND osslsigncode "extract-signature"
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/${ext}.der"
)
endforeach()
foreach(ext ${extensions_3})
set_tests_properties(removed_${ext} extract_pem_${ext} extract_der_${ext}
PROPERTIES DEPENDS sign_${ext}
REQUIRED_FILES "${FILES}/signed.${ext}"
)
endforeach()
foreach(ext ${extensions_3})
foreach(format ${sign_formats})
# Signature verification time: Sep 1 00:00:00 2019 GMT
# Tests 2-5
# Sign with PKCS#12 container with legacy RC2-40-CBC private key and certificate encryption algorithm
foreach(ext ${extensions_all})
add_test(
NAME attached_${format}_${ext}
COMMAND osslsigncode "attach-signature" ${verify_opt}
"-time" "1567296000"
"-require-leaf-hash" "SHA256:${leafhash}"
"-add-msi-dse" "-h" "sha512" "-nest"
"-sigin" "${FILES}/${ext}.${format}"
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/attached_${format}.${ext}"
)
set_tests_properties(attached_${format}_${ext} PROPERTIES
DEPENDS extract_pem_${ext}
REQUIRED_FILES "${FILES}/signed.${ext}"
REQUIRED_FILES "${FILES}/${ext}.${format}"
)
endforeach()
endforeach()
NAME legacy_${ext}
COMMAND osslsigncode "sign"
"-pkcs12" "${CERTS}/legacy.p12"
"-readpass" "${CERTS}/password.txt"
"-ac" "${CERTS}/crosscert.pem"
"-time" "1556668800" # Signing time: May 1 00:00:00 2019 GMT
"-add-msi-dse"
"-comm"
"-ph"
"-jp" "low"
"-h" "sha512" "-i" "https://www.osslsigncode.com/"
"-n" "osslsigncode"
"-in" "${FILES}/unsigned.${ext}"
"-out" "${FILES}/legacy.${ext}")
endforeach(ext ${extensions_all})
foreach(ext ${extensions_4})
add_test(
NAME added_${ext}
COMMAND osslsigncode "add"
"-addUnauthenticatedBlob" "-add-msi-dse" "-h" "sha512"
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/added.${ext}"
)
set_tests_properties(added_${ext} PROPERTIES
DEPENDS sign_${ext}
REQUIRED_FILES "${FILES}/signed.${ext}"
)
endforeach()
# Tests 6-9
# Sign with PKCS#12 container with legacy RC2-40-CBC private key and certificate encryption algorithm
# Disable legacy mode and don't automatically load the legacy provider
# Option "-nolegacy" requires OpenSSL 3.0.0 or later
# This tests are expected to fail
if(OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0)
foreach(ext ${extensions_all})
add_test(
NAME nolegacy_${ext}
COMMAND osslsigncode "sign"
"-pkcs12" "${CERTS}/legacy.p12"
"-readpass" "${CERTS}/password.txt"
"-nolegacy" # Disable legacy mode
"-ac" "${CERTS}/crosscert.pem"
"-time" "1556668800" # Signing time: May 1 00:00:00 2019 GMT
"-add-msi-dse"
"-comm"
"-ph"
"-jp" "low"
"-h" "sha512" "-i" "https://www.osslsigncode.com/"
"-n" "osslsigncode"
"-in" "${FILES}/unsigned.${ext}"
"-out" "${FILES}/nolegacy.${ext}")
set_tests_properties(
nolegacy_${ext}
PROPERTIES
WILL_FAIL TRUE)
endforeach(ext ${extensions_all})
endif(OPENSSL_VERSION VERSION_GREATER_EQUAL 3.0.0)
foreach(ext ${extensions_4})
add_test(
NAME nested_${ext}
COMMAND osslsigncode "sign" "-nest" ${sign_opt} ${priv_der}
"-in" "${FILES}/signed.${ext}" "-out" "${FILES}/nested.${ext}"
)
set_tests_properties(nested_${ext} PROPERTIES
DEPENDS sign_${ext}
REQUIRED_FILES "${FILES}/signed.${ext}"
)
endforeach()
foreach(file ${files_4})
foreach(ext ${extensions_4})
# Signature verification time: Sep 1 00:00:00 2019 GMT
# Tests 10-13
# Sign with PKCS#12 container with AES-256-CBC private key and certificate encryption algorithm
foreach(ext ${extensions_all})
add_test(
NAME verify_${file}_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "1567296000"
"-require-leaf-hash" "SHA256:${leafhash}"
"-in" "${FILES}/${file}.${ext}"
)
set_tests_properties(verify_${file}_${ext} PROPERTIES
DEPENDS ${file}_${ext}
REQUIRED_FILES "${FILES}/${file}.${ext}"
)
endforeach()
endforeach()
NAME signed_${ext}
COMMAND osslsigncode "sign"
"-pkcs12" "${CERTS}/cert.p12"
"-readpass" "${CERTS}/password.txt"
"-ac" "${CERTS}/crosscert.pem"
"-time" "1556668800" # Signing time: May 1 00:00:00 2019 GMT
"-add-msi-dse"
"-comm"
"-ph"
"-jp" "low"
"-h" "sha512" "-i" "https://www.osslsigncode.com/"
"-n" "osslsigncode"
"-in" "${FILES}/unsigned.${ext}"
"-out" "${FILES}/signed.${ext}")
endforeach(ext ${extensions_all})
foreach(file ${files_3})
foreach(ext ${extensions_3})
# Signature verification time: Sep 1 00:00:00 2019 GMT
# Tests 14-17
# Sign with revoked certificate
foreach(ext ${extensions_all})
add_test(
NAME verify_${file}_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "1567296000"
NAME revoked_${ext}
COMMAND osslsigncode "sign"
"-certs" "${CERTS}/revoked.pem"
"-key" "${CERTS}/keyp.pem"
"-readpass" "${CERTS}/password.txt"
"-ac" "${CERTS}/crosscert.pem"
"-time" "1556668800" # Signing time: May 1 00:00:00 2019 GMT
"-add-msi-dse"
"-comm"
"-ph"
"-jp" "low"
"-h" "sha512" "-i" "https://www.osslsigncode.com/"
"-n" "osslsigncode"
"-in" "${FILES}/unsigned.${ext}"
"-out" "${FILES}/revoked.${ext}")
endforeach(ext ${extensions_all})
# Tests 18-20
# Remove signature
# Unsupported command for CAT files
foreach(ext ${extensions_nocat})
add_test(
NAME removed_${ext}
COMMAND osslsigncode "remove-signature"
"-in" "${FILES}/signed.${ext}"
"-out" "${FILES}/removed.${ext}")
set_tests_properties(
removed_${ext}
PROPERTIES
DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.${ext}")
endforeach(ext ${extensions_nocat})
# Tests 21-24
# Extract PKCS#7 signature in PEM format
foreach(ext ${extensions_all})
add_test(
NAME extract_pem_${ext}
COMMAND osslsigncode "extract-signature"
"-pem" # PEM format
"-in" "${FILES}/signed.${ext}"
"-out" "${FILES}/${ext}.pem")
set_tests_properties(
extract_pem_${ext}
PROPERTIES
DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.${ext}")
endforeach(ext ${extensions_all})
# Tests 25-28
# Extract PKCS#7 signature in default DER format
foreach(ext ${extensions_all})
add_test(
NAME extract_der_${ext}
COMMAND osslsigncode "extract-signature"
"-in" "${FILES}/signed.${ext}"
"-out" "${FILES}/${ext}.der")
set_tests_properties(
extract_der_${ext}
PROPERTIES
DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.${ext}")
endforeach(ext ${extensions_all})
# Tests 29-34
# Attach signature in PEM or DER format
# Unsupported command for CAT files
set(formats "pem" "der")
foreach(ext ${extensions_nocat})
foreach(format ${formats})
add_test(
NAME attached_${format}_${ext}
COMMAND osslsigncode "attach-signature"
# sign options
"-time" "1567296000" # Signing and signature verification time: Sep 1 00:00:00 2019 GMT
"-require-leaf-hash" "SHA256:${leafhash}"
"-add-msi-dse"
"-h" "sha512"
"-nest"
"-sigin" "${FILES}/${ext}.${format}"
"-in" "${FILES}/signed.${ext}"
"-out" "${FILES}/attached_${format}.${ext}"
# verify options
"-CAfile" "${CERTS}/CACert.pem"
"-CRLfile" "${CERTS}/CACertCRL.pem")
set_tests_properties(
attached_${format}_${ext}
PROPERTIES
DEPENDS "signed_${ext}:extract_${format}_${ext}"
REQUIRED_FILES "${FILES}/signed.${ext}"
REQUIRED_FILES "${FILES}/${ext}.${format}")
endforeach(format ${formats})
endforeach(ext ${extensions_nocat})
# Tests 35-38
# Add an unauthenticated blob to a previously-signed file
foreach(ext ${extensions_all})
add_test(
NAME added_${ext}
COMMAND osslsigncode "add"
"-addUnauthenticatedBlob"
"-add-msi-dse" "-h" "sha512"
"-in" "${FILES}/signed.${ext}"
"-out" "${FILES}/added.${ext}")
set_tests_properties(
added_${ext}
PROPERTIES
DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.${ext}")
endforeach(ext ${extensions_all})
# Tests 39-42
# Add the new nested signature instead of replacing the first one
foreach(ext ${extensions_all})
add_test(
NAME nested_${ext}
COMMAND osslsigncode "sign"
"-nest"
"-certs" "${CERTS}/cert.pem"
"-key" "${CERTS}/key.der"
"-pass" "passme"
"-ac" "${CERTS}/crosscert.pem"
"-time" "1556668800" # Signing time: May 1 00:00:00 2019 GMT
"-add-msi-dse"
"-comm"
"-ph"
"-jp" "low"
"-h" "sha512"
"-i" "https://www.osslsigncode.com/"
"-n" "osslsigncode"
"-in" "${FILES}/signed.${ext}"
"-out" "${FILES}/nested.${ext}")
set_tests_properties(
nested_${ext}
PROPERTIES
DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.${ext}")
endforeach(ext ${extensions_all})
### Verify signature ###
# Tests 43-45
# Verify PE/MSI/CAB files signed in the catalog file
# APPX does not support detached PKCS#7 signature
foreach(ext ${extensions_nocatappx})
add_test(
NAME verify_catalog_${ext}
COMMAND osslsigncode "verify"
"-catalog" "${FILES}/signed.cat" # catalog file
"-time" "1567296000" # Signature verification time: Sep 1 00:00:00 2019 GMT
"-require-leaf-hash" "SHA256:${leafhash}"
"-in" "${FILES}/${file}.${ext}"
)
set_tests_properties(verify_${file}_${ext} PROPERTIES
DEPENDS ${file}_${ext}
REQUIRED_FILES "${FILES}/${file}.${ext}"
)
endforeach()
endforeach()
"-CAfile" "${CERTS}/CACert.pem"
"-CRLfile" "${CERTS}/CACertCRL.pem"
"-in" "${FILES}/unsigned.${ext}")
set_tests_properties(
verify_catalog_${ext}
PROPERTIES
DEPENDS "signed_${ext}"
REQUIRED_FILES "${FILES}/signed.cat"
REQUIRED_FILES "${FILES}/unsigned.${ext}")
endforeach(ext ${extensions_nocatappx})
foreach(ext ${extensions_3})
set_tests_properties(verify_removed_${ext} PROPERTIES
WILL_FAIL TRUE
)
endforeach()
# Tests 46-69
# Verify signature
set(files "legacy" "signed" "nested" "added" "removed" "revoked" "attached_pem" "attached_der")
foreach(file ${files})
foreach(ext ${extensions_nocat})
add_test(
NAME verify_${file}_${ext}
COMMAND osslsigncode "verify"
"-time" "1567296000" # Signature verification time: Sep 1 00:00:00 2019 GMT
"-CAfile" "${CERTS}/CACert.pem"
"-CRLfile" "${CERTS}/CACertCRL.pem"
"-in" "${FILES}/${file}.${ext}")
set_tests_properties(
verify_${file}_${ext}
PROPERTIES
DEPENDS "${file}_${ext}"
REQUIRED_FILES "${FILES}/${file}.${ext}")
endforeach(ext ${extensions_nocat})
endforeach(file ${files})
# "Removed" and "revoked" tests are expected to fail
set(files "removed" "revoked")
foreach(file ${files})
foreach(ext ${extensions_nocat})
set_tests_properties(
verify_${file}_${ext}
PROPERTIES
WILL_FAIL TRUE)
endforeach(ext ${extensions_nocat})
endforeach(file ${files})
if(Python3_FOUND OR server_error)
### Sign with Time-Stamp Authority ###
# Tests 70-89
# Sign with the RFC3161 Time-Stamp Authority
# Use "cert" "expired" "revoked" without X509v3 CRL Distribution Points extension
# and "cert_crldp" "revoked_crldp" contain X509v3 CRL Distribution Points extension
set(pem_certs "cert" "expired" "revoked" "cert_crldp" "revoked_crldp")
foreach(ext ${extensions_all})
foreach(cert ${pem_certs})
add_test(
NAME sign_ts_${cert}_${ext}
COMMAND osslsigncode "sign"
"-certs" "${CERTS}/${cert}.pem"
"-key" "${CERTS}/key.pem"
"-ac" "${CERTS}/crosscert.pem"
"-comm"
"-ph"
"-jp" "low"
"-h" "sha384"
"-i" "https://www.osslsigncode.com/"
"-n" "osslsigncode"
"-time" "1556668800" # Signing time: May 1 00:00:00 2019 GMT
"-ts" "http://127.0.0.1:${PORT}"
"-in" "${FILES}/unsigned.${ext}"
"-out" "${FILES}/ts_${cert}.${ext}")
set_tests_properties(
sign_ts_${cert}_${ext}
PROPERTIES
REQUIRED_FILES "${LOGS}/port.log")
endforeach(cert ${pem_certs})
endforeach(ext ${extensions_all})
if(Python3_FOUND)
foreach(ext ${extensions_4})
### Verify Time-Stamp Authority ###
# Tests 90-92
# Signature verification time: Sep 1 00:00:00 2019 GMT
foreach(ext ${extensions_nocat})
add_test(
NAME verify_ts_cert_${ext}
COMMAND osslsigncode "verify"
"-time" "1567296000" # Signature verification time: Sep 1 00:00:00 2019 GMT
"-CAfile" "${CERTS}/CACert.pem"
"-TSA-CAfile" "${CERTS}/TSACA.pem"
"-in" "${FILES}/ts_cert.${ext}")
set_tests_properties(
verify_ts_cert_${ext}
PROPERTIES
DEPENDS "sign_ts_cert_${ext}"
REQUIRED_FILES "${FILES}/ts_cert.${ext}"
REQUIRED_FILES "${LOGS}/port.log")
endforeach(ext ${extensions_nocat})
# Tests 93-95
# Signature verification time: Jan 1 00:00:00 2035 GMT
foreach(ext ${extensions_nocat})
add_test(
NAME verify_ts_future_${ext}
COMMAND osslsigncode "verify"
"-time" "2051222400" # Signature verification time: Jan 1 00:00:00 2035 GMT
"-CAfile" "${CERTS}/CACert.pem"
"-TSA-CAfile" "${CERTS}/TSACA.pem"
"-in" "${FILES}/ts_cert.${ext}")
set_tests_properties(
verify_ts_future_${ext}
PROPERTIES
DEPENDS "sign_ts_cert_${ext}"
REQUIRED_FILES "${FILES}/ts_cert.${ext}"
REQUIRED_FILES "${LOGS}/port.log")
endforeach(ext ${extensions_nocat})
# Tests 96-98
# Verify with ignored timestamp
# This tests are expected to fail
foreach(ext ${extensions_nocat})
add_test(
NAME verify_ts_ignore_${ext}
COMMAND osslsigncode "verify"
"-time" "2051222400" # Signature verification time: Jan 1 00:00:00 2035 GMT
"-ignore-timestamp"
"-CAfile" "${CERTS}/CACert.pem"
"-TSA-CAfile" "${CERTS}/TSACA.pem"
"-in" "${FILES}/ts_cert.${ext}")
set_tests_properties(
verify_ts_ignore_${ext}
PROPERTIES
DEPENDS "sign_ts_cert_${ext}"
REQUIRED_FILES "${FILES}/ts_cert.${ext}"
REQUIRED_FILES "${LOGS}/port.log"
WILL_FAIL TRUE)
endforeach(ext ${extensions_nocat})
### Verify CRL Distribution Points ###
# Tests 99-101
# Verify file signed with X509v3 CRL Distribution Points extension
# Signature verification time: Sep 1 00:00:00 2019 GMT
# Check X509v3 CRL Distribution Points extension, don't use "-CRLfile" and "-TSA-CRLfile" options
foreach(ext ${extensions_nocat})
add_test(
NAME verify_ts_cert_crldp_${ext}
COMMAND osslsigncode "verify"
"-time" "1567296000" # Signature verification time: Sep 1 00:00:00 2019 GMT
"-CAfile" "${CERTS}/CACert.pem"
"-TSA-CAfile" "${CERTS}/TSACA.pem"
"-in" "${FILES}/ts_cert_crldp.${ext}")
set_tests_properties(
verify_ts_cert_crldp_${ext}
PROPERTIES
DEPENDS "sign_ts_cert_crldp_${ext}"
REQUIRED_FILES "${FILES}/ts_cert_crldp.${ext}"
REQUIRED_FILES "${LOGS}/port.log")
endforeach(ext ${extensions_nocat})
# Tests 102-107
# Verify with expired or revoked certificate without X509v3 CRL Distribution Points extension
# This tests are expected to fail
set(failed_certs "expired" "revoked")
foreach(ext ${extensions_nocat})
foreach(cert ${failed_certs})
add_test(
NAME verify_ts_${cert}_${ext}
COMMAND osslsigncode "verify"
"-time" "1567296000" # Signature verification time: Sep 1 00:00:00 2019 GMT
"-CAfile" "${CERTS}/CACert.pem"
"-CRLfile" "${CERTS}/CACertCRL.pem"
"-TSA-CAfile" "${CERTS}/TSACA.pem"
"-in" "${FILES}/ts_${cert}.${ext}")
set_tests_properties(
verify_ts_${cert}_${ext}
PROPERTIES
DEPENDS "sign_ts_${cert}_${ext}"
REQUIRED_FILES "${FILES}/ts_${cert}.${ext}"
REQUIRED_FILES "${LOGS}/port.log"
WILL_FAIL TRUE)
endforeach(cert ${failed_certs})
endforeach(ext ${extensions_nocat})
# Tests 108-110
# Verify with revoked certificate contains X509v3 CRL Distribution Points extension
# Check X509v3 CRL Distribution Points extension, don't use "-CRLfile" and "-TSA-CRLfile" options
# This test is expected to fail
foreach(ext ${extensions_nocat})
add_test(
NAME verify_ts_revoked_crldp_${ext}
COMMAND osslsigncode "verify"
"-time" "1567296000" # Signature verification time: Sep 1 00:00:00 2019 GMT
"-CAfile" "${CERTS}/CACert.pem"
"-TSA-CAfile" "${CERTS}/TSACA.pem"
"-in" "${FILES}/ts_revoked_crldp.${ext}")
set_tests_properties(
verify_ts_revoked_crldp_${ext}
PROPERTIES
DEPENDS "sign_ts_revoked_crldp_${ext}"
REQUIRED_FILES "${FILES}/ts_revoked_crldp.${ext}"
REQUIRED_FILES "${LOGS}/port.log"
WILL_FAIL TRUE)
endforeach(ext ${extensions_nocat})
### Cleanup ###
# Test 111
# Stop HTTP server
if(STOP_SERVER)
add_test(NAME stop_server
COMMAND ${Python3_EXECUTABLE} "${CLIENT_HTTP}")
set_tests_properties(
stop_server
PROPERTIES
REQUIRED_FILES "${LOGS}/port.log")
else(STOP_SERVER)
message(STATUS "Keep HTTP server after tests")
endif(STOP_SERVER)
else(Python3_FOUND OR server_error)
message(STATUS "CTest skips some tests")
endif(Python3_FOUND OR server_error)
# Test 112
# Delete test files
foreach(ext ${extensions_all})
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/legacy.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed_crldp.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/nested.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/revoked.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/removed.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/added.${ext}")
foreach(cert ${pem_certs})
add_test(
NAME sign_ts_${cert}_${ext}
COMMAND ${Python3_EXECUTABLE} "${PROJECT_BINARY_DIR}/Testing/tsa_server.py"
"--certs" "${CERTS}/${cert}.pem" "--key" "${CERTS}/key.pem"
"--input" "${FILES}/unsigned.${ext}" "--output" "${FILES}/ts_${cert}.${ext}"
)
endforeach()
endforeach()
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/ts_${cert}.${ext}")
endforeach(cert ${pem_certs})
foreach(format ${formats})
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/attached_${format}.${ext}")
endforeach(format ${formats})
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jreq.tsq")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jresp.tsr")
endforeach(ext ${extensions_all})
foreach(ext ${extensions_4})
# Signature verification time: Sep 1 00:00:00 2019 GMT
add_test(
NAME verify_ts_cert_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "1567296000"
"-in" "${FILES}/ts_cert.${ext}"
)
set_tests_properties(verify_ts_cert_${ext} PROPERTIES
DEPENDS sign_ts_${cert}_${ext}
REQUIRED_FILES "${FILES}/ts_cert.${ext}"
)
endforeach()
add_test(NAME remove_files
COMMAND ${CMAKE_COMMAND} -E rm -f ${OUTPUT_FILES})
# Signature verification time: Jan 1 00:00:00 2035 GMT
foreach(ext ${extensions_4})
add_test(
NAME verify_ts_future_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "2051222400"
"-in" "${FILES}/ts_cert.${ext}"
)
set_tests_properties(verify_ts_future_${ext} PROPERTIES
DEPENDS sign_ts_${cert}_${ext}
REQUIRED_FILES "${FILES}/ts_cert.${ext}"
)
endforeach()
# Signature verification time: Jan 1 00:00:00 2035 GMT
# enabled "-ignore-timestamp" option
foreach(ext ${extensions_4})
add_test(
NAME verify_ts_ignore_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "2051222400"
"-ignore-timestamp"
"-in" "${FILES}/ts_cert.${ext}"
)
set_tests_properties(verify_ts_ignore_${ext} PROPERTIES
DEPENDS sign_ts_${cert}_${ext}
REQUIRED_FILES "${FILES}/ts_cert.${ext}"
WILL_FAIL TRUE
)
endforeach()
# Signature verification time: Sep 1 00:00:00 2019 GMT
# Certificate has expired or revoked
foreach(ext ${extensions_4})
foreach(cert ${failed_certs})
add_test(
NAME verify_ts_${cert}_${ext}
COMMAND osslsigncode "verify" ${verify_opt}
"-time" "1567296000"
"-in" "${FILES}/ts_${cert}.${ext}"
)
set_tests_properties(verify_ts_${cert}_${ext} PROPERTIES
DEPENDS sign_ts_${cert}_${ext}
REQUIRED_FILES "${FILES}/ts_${cert}.${ext}"
WILL_FAIL TRUE
)
endforeach()
endforeach()
else()
message(STATUS "Python3 was not found, skip timestamping tests")
endif()
foreach(ext ${extensions_4})
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/signed.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/nested.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/removed.${ext}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/added.${ext}")
foreach(cert ${pem_certs})
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/ts_${cert}.${ext}")
endforeach()
foreach(format ${sign_formats})
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/${ext}.${format}")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/attached_${format}.${ext}")
endforeach()
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jreq.tsq")
set(OUTPUT_FILES ${OUTPUT_FILES} "${FILES}/jresp.tsr")
endforeach()
add_test(NAME remove_files COMMAND ${CMAKE_COMMAND} -E rm -f ${OUTPUT_FILES})
#[[
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
]]

25
cmake/FindHeaders.cmake
View File

@ -2,16 +2,25 @@ include(CheckIncludeFile)
include(CheckFunctionExists)
if(UNIX)
check_function_exists(getpass HAVE_GETPASS)
check_include_file(termios.h HAVE_TERMIOS_H)
check_include_file(sys/mman.h HAVE_SYS_MMAN_H)
if(HAVE_SYS_MMAN_H)
check_function_exists(mmap HAVE_MMAP)
endif(HAVE_SYS_MMAN_H)
check_function_exists(getpass HAVE_GETPASS)
check_include_file(termios.h HAVE_TERMIOS_H)
check_include_file(sys/mman.h HAVE_SYS_MMAN_H)
if(HAVE_SYS_MMAN_H)
check_function_exists(mmap HAVE_MMAP)
endif(HAVE_SYS_MMAN_H)
else(UNIX)
check_include_file(windows.h HAVE_MAPVIEWOFFILE)
check_include_file(windows.h HAVE_MAPVIEWOFFILE)
endif(UNIX)
if(NOT (HAVE_MMAP OR HAVE_MAPVIEWOFFILE))
message(FATAL_ERROR "Error: Need file mapping function to build.")
message(FATAL_ERROR "Error: Need file mapping function to build.")
endif(NOT (HAVE_MMAP OR HAVE_MAPVIEWOFFILE))
#[[
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
]]

43
cmake/SetBashCompletion.cmake
View File

@ -1,13 +1,32 @@
# This list describes the default variables included in the bash-completion package:
# BASH_COMPLETION_VERSION "@VERSION@"
# BASH_COMPLETION_PREFIX "@prefix@"
# BASH_COMPLETION_COMPATDIR "@sysconfdir@/bash_completion.d"
# BASH_COMPLETION_COMPLETIONSDIR "@datadir@/@PACKAGE@/completions"
# BASH_COMPLETION_HELPERSDIR "@datadir@/@PACKAGE@/helpers"
# BASH_COMPLETION_FOUND "TRUE"
# https://github.com/scop/bash-completion/blob/master/bash-completion-config.cmake.in
if(NOT MSVC)
find_package(bash-completion QUIET)
if(NOT BASH_COMPLETION_COMPLETIONSDIR)
if(BASH_COMPLETION_COMPATDIR)
set(BASH_COMPLETION_COMPLETIONSDIR ${BASH_COMPLETION_COMPATDIR})
else()
set(SHAREDIR "${CMAKE_INSTALL_PREFIX}/share")
set(BASH_COMPLETION_COMPLETIONSDIR "${SHAREDIR}/bash-completion/completions")
endif()
endif()
message(STATUS "Using bash completions dir ${BASH_COMPLETION_COMPLETIONSDIR}")
install(FILES "osslsigncode.bash" DESTINATION ${BASH_COMPLETION_COMPLETIONSDIR})
endif()
if(BASH_COMPLETION_USER_DIR)
set(BASH_COMPLETION_COMPLETIONSDIR "${BASH_COMPLETION_USER_DIR}/bash-completion/completions")
else(BASH_COMPLETION_USER_DIR)
find_package(bash-completion QUIET)
if(NOT BASH_COMPLETION_FOUND)
set(SHAREDIR "${CMAKE_INSTALL_PREFIX}/share")
set(BASH_COMPLETION_COMPLETIONSDIR "${SHAREDIR}/bash-completion/completions")
endif(NOT BASH_COMPLETION_FOUND)
endif(BASH_COMPLETION_USER_DIR)
message(STATUS "Using bash completions dir ${BASH_COMPLETION_COMPLETIONSDIR}")
install(FILES "osslsigncode.bash" DESTINATION ${BASH_COMPLETION_COMPLETIONSDIR})
endif(NOT MSVC)
#[[
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
]]

214
cmake/SetCompilerFlags.cmake
View File

@ -3,111 +3,121 @@ include(CheckCCompilerFlag)
set(CMAKE_REQUIRED_QUIET ON)
function(add_debug_flag_if_supported flagname targets)
check_c_compiler_flag("${flagname}" HAVE_FLAG_${flagname})
if (HAVE_FLAG_${flagname})
foreach(target ${targets})
target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:${flagname}>)
endforeach()
endif()
endfunction()
check_c_compiler_flag("${flagname}" HAVE_FLAG_${flagname})
if (HAVE_FLAG_${flagname})
foreach(target ${targets})
target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:${flagname}>)
endforeach(target ${targets})
endif(HAVE_FLAG_${flagname})
endfunction(add_debug_flag_if_supported flagname targets)
function(add_compile_flag_to_targets targets)
set(CHECKED_DEBUG_FLAGS
"-ggdb"
"-g"
"-O2"
"-pedantic"
"-Wall"
"-Wextra"
"-Wno-long-long"
"-Wconversion"
"-D_FORTIFY_SOURCE=2"
"-Wformat=2"
"-Wredundant-decls"
"-Wcast-qual"
"-Wnull-dereference"
"-Wno-deprecated-declarations"
"-Wmissing-declarations"
"-Wmissing-prototypes"
"-Wmissing-noreturn"
"-Wmissing-braces"
"-Wparentheses"
"-Wstrict-aliasing=3"
"-Wstrict-overflow=2"
"-Wlogical-op"
"-Wwrite-strings"
"-Wcast-align=strict"
"-Wdisabled-optimization"
"-Wshift-overflow=2"
"-Wundef"
"-Wshadow"
"-Wmisleading-indentation"
"-Wabsolute-value"
"-Wunused-parameter"
"-Wunused-function"
)
foreach(flag ${CHECKED_DEBUG_FLAGS})
add_debug_flag_if_supported(${flag} ${targets})
endforeach()
endfunction()
set(CHECKED_DEBUG_FLAGS
"-ggdb"
"-g"
"-O2"
"-pedantic"
"-Wall"
"-Wextra"
"-Wno-long-long"
"-Wconversion"
"-D_FORTIFY_SOURCE=2"
"-Wformat=2"
"-Wredundant-decls"
"-Wcast-qual"
"-Wnull-dereference"
"-Wno-deprecated-declarations"
"-Wmissing-declarations"
"-Wmissing-prototypes"
"-Wmissing-noreturn"
"-Wmissing-braces"
"-Wparentheses"
"-Wstrict-aliasing=3"
"-Wstrict-overflow=2"
"-Wlogical-op"
"-Wwrite-strings"
"-Wcast-align=strict"
"-Wdisabled-optimization"
"-Wshift-overflow=2"
"-Wundef"
"-Wshadow"
"-Wmisleading-indentation"
"-Wabsolute-value"
"-Wunused-parameter"
"-Wunused-function")
foreach(flag ${CHECKED_DEBUG_FLAGS})
add_debug_flag_if_supported(${flag} ${targets})
endforeach(flag ${CHECKED_DEBUG_FLAGS})
endfunction(add_compile_flag_to_targets targets)
function(add_compile_flags target)
if(MSVC)
# Enable parallel builds
target_compile_options(${target} PRIVATE /MP)
# Use address space layout randomization, generate PIE code for ASLR (default on)
target_link_options(${target} PRIVATE /DYNAMICBASE)
# Create terminal server aware application (default on)
target_link_options(${target} PRIVATE /TSAWARE)
# Mark the binary as compatible with Intel Control-flow Enforcement Technology (CET) Shadow Stack
target_link_options(${target} PRIVATE /CETCOMPAT)
# Enable compiler generation of Control Flow Guard security checks
target_compile_options(${target} PRIVATE /guard:cf)
target_link_options(${target} PRIVATE /guard:cf)
# Buffer Security Check
target_compile_options(${target} PRIVATE /GS)
# Suppress startup banner
target_link_options(${target} PRIVATE /NOLOGO)
# Generate debug info
target_link_options(${target} PRIVATE /DEBUG)
if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
# High entropy ASLR for 64 bits targets (default on)
target_link_options(${target} PRIVATE /HIGHENTROPYVA)
# Enable generation of EH Continuation (EHCONT) metadata by the compiler
#target_compile_options(${target} PRIVATE /guard:ehcont)
#target_link_options(${target} PRIVATE /guard:ehcont)
else()
# Can handle addresses larger than 2 gigabytes
target_link_options(${target} PRIVATE /LARGEADDRESSAWARE)
# Safe structured exception handlers (x86 only)
target_link_options(${target} PRIVATE /SAFESEH)
endif()
target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:/D_FORTIFY_SOURCE=2>)
# Unrecognized compiler options are errors
target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:/options:strict>)
else(MSVC)
check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL)
if(HAVE_STACK_PROTECTOR_ALL)
target_link_options(${target} PRIVATE -fstack-protector-all)
else()
check_c_compiler_flag("-fstack-protector" HAVE_STACK_PROTECTOR)
if(HAVE_STACK_PROTECTOR)
target_link_options(${target} PRIVATE -fstack-protector)
else()
message(WARNING "No stack protection supported")
endif()
endif()
# Support address space layout randomization (ASLR)
if(NOT (MINGW OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang"))
target_compile_options(${target} PRIVATE -fPIE)
target_link_options(${target} PRIVATE -fPIE -pie)
target_link_options(${target} PRIVATE -Wl,-z,relro)
target_link_options(${target} PRIVATE -Wl,-z,now)
target_link_options(${target} PRIVATE -Wl,-z,noexecstack)
endif(NOT (MINGW OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang"))
target_link_options(${target} PRIVATE -fstack-check)
add_compile_flag_to_targets(${target})
endif(MSVC)
endfunction()
if(MSVC)
# Enable parallel builds
target_compile_options(${target} PRIVATE /MP)
# Use address space layout randomization, generate PIE code for ASLR (default on)
target_link_options(${target} PRIVATE /DYNAMICBASE)
# Create terminal server aware application (default on)
target_link_options(${target} PRIVATE /TSAWARE)
# Mark the binary as compatible with Intel Control-flow Enforcement Technology (CET) Shadow Stack
target_link_options(${target} PRIVATE /CETCOMPAT)
# Enable compiler generation of Control Flow Guard security checks
target_compile_options(${target} PRIVATE /guard:cf)
target_link_options(${target} PRIVATE /guard:cf)
# Buffer Security Check
target_compile_options(${target} PRIVATE /GS)
# Suppress startup banner
target_link_options(${target} PRIVATE /NOLOGO)
# Generate debug info
target_link_options(${target} PRIVATE /DEBUG)
if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
# High entropy ASLR for 64 bits targets (default on)
target_link_options(${target} PRIVATE /HIGHENTROPYVA)
# Enable generation of EH Continuation (EHCONT) metadata by the compiler
#target_compile_options(${target} PRIVATE /guard:ehcont)
#target_link_options(${target} PRIVATE /guard:ehcont)
else("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
# Can handle addresses larger than 2 gigabytes
target_link_options(${target} PRIVATE /LARGEADDRESSAWARE)
# Safe structured exception handlers (x86 only)
target_link_options(${target} PRIVATE /SAFESEH)
endif("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:/D_FORTIFY_SOURCE=2>)
# Unrecognized compiler options are errors
target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:/options:strict>)
else(MSVC)
check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL)
if(HAVE_STACK_PROTECTOR_ALL)
target_link_options(${target} PRIVATE -fstack-protector-all)
else(HAVE_STACK_PROTECTOR_ALL)
check_c_compiler_flag("-fstack-protector" HAVE_STACK_PROTECTOR)
if(HAVE_STACK_PROTECTOR)
target_link_options(${target} PRIVATE -fstack-protector)
else(HAVE_STACK_PROTECTOR)
message(WARNING "No stack protection supported")
endif(HAVE_STACK_PROTECTOR)
endif(HAVE_STACK_PROTECTOR_ALL)
# Support address space layout randomization (ASLR)
if(NOT (MINGW OR CYGWIN OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang"
OR ((CMAKE_SYSTEM_NAME MATCHES Darwin) AND (CMAKE_C_COMPILER_ID MATCHES Clang))))
target_compile_options(${target} PRIVATE -fPIE)
target_link_options(${target} PRIVATE -fPIE -pie)
target_link_options(${target} PRIVATE -Wl,-z,relro)
target_link_options(${target} PRIVATE -Wl,-z,now)
target_link_options(${target} PRIVATE -Wl,-z,noexecstack)
endif(NOT (MINGW OR CYGWIN OR CMAKE_C_COMPILER_ID STREQUAL "AppleClang"
OR ((CMAKE_SYSTEM_NAME MATCHES Darwin) AND (CMAKE_C_COMPILER_ID MATCHES Clang))))
target_link_options(${target} PRIVATE -fstack-check)
add_compile_flag_to_targets(${target})
endif(MSVC)
endfunction(add_compile_flags target)
add_compile_flags(osslsigncode)
#[[
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
]]

666
helpers.c Normal file
View File

@ -0,0 +1,666 @@
/*
* osslsigncode support library
*
* Copyright (C) 2021-2023 Michał Trojnara <Michal.Trojnara@stunnel.org>
* Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
*/
#include "osslsigncode.h"
#include "helpers.h"
/* Prototypes */
static int pkcs7_set_content_blob(PKCS7 *sig, PKCS7 *cursig);
static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx);
static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CTX *ctx);
static int pkcs7_set_spc_indirect_data_content(PKCS7 *p7, BIO *hash, u_char *buf, int len, FILE_FORMAT_CTX *ctx);
static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
/*
* Common functions
*/
/*
* [in] infile
* [returns] file size
*/
uint32_t get_file_size(const char *infile)
{
int ret;
#ifdef _WIN32
struct _stat64 st;
ret = _stat64(infile, &st);
#else
struct stat st;
ret = stat(infile, &st);
#endif
if (ret) {
printf("Failed to open file: %s\n", infile);
return 0;
}
if (st.st_size < 4) {
printf("Unrecognized file type - file is too short: %s\n", infile);
return 0;
}
if (st.st_size > UINT32_MAX) {
printf("Unsupported file - too large: %s\n", infile);
return 0;
}
return (uint32_t)st.st_size;
}
/*
* [in] infile: starting address for the new mapping
* [returns] pointer to the mapped area
*/
char *map_file(const char *infile, const size_t size)
{
char *indata = NULL;
#ifdef WIN32
HANDLE fhandle, fmap;
(void)size;
fhandle = CreateFile(infile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
if (fhandle == INVALID_HANDLE_VALUE) {
return NULL;
}
fmap = CreateFileMapping(fhandle, NULL, PAGE_READONLY, 0, 0, NULL);
CloseHandle(fhandle);
if (fmap == NULL) {
return NULL;
}
indata = (char *)MapViewOfFile(fmap, FILE_MAP_READ, 0, 0, 0);
CloseHandle(fmap);
#else
#ifdef HAVE_SYS_MMAN_H
int fd = open(infile, O_RDONLY);
if (fd < 0) {
return NULL;
}
indata = mmap(0, size, PROT_READ, MAP_PRIVATE, fd, 0);
if (indata == MAP_FAILED) {
close(fd);
return NULL;
}
close(fd);
#else
printf("No file mapping function\n");
return NULL;
#endif /* HAVE_SYS_MMAN_H */
#endif /* WIN32 */
return indata;
}
/*
* [in] indata: starting address space
* [in] size: mapped area length
* [returns] none
*/
void unmap_file(char *indata, const size_t size)
{
if (!indata)
return;
#ifdef WIN32
(void)size;
UnmapViewOfFile(indata);
#else
munmap(indata, size);
#endif /* WIN32 */
}
/*
* [in, out] si: PKCS7_SIGNER_INFO structure
* [in] ctx: FILE_FORMAT_CTX structure
* [returns] 0 on error or 1 on success
*/
static int pkcs7_signer_info_add_spc_sp_opus_info(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
{
SpcSpOpusInfo *opus;
ASN1_STRING *astr;
int len;
u_char *p = NULL;
opus = spc_sp_opus_info_create(ctx);
if ((len = i2d_SpcSpOpusInfo(opus, NULL)) <= 0
|| (p = OPENSSL_malloc((size_t)len)) == NULL) {
SpcSpOpusInfo_free(opus);
return 0; /* FAILED */
}
i2d_SpcSpOpusInfo(opus, &p);
p -= len;
astr = ASN1_STRING_new();
ASN1_STRING_set(astr, p, len);
OPENSSL_free(p);
SpcSpOpusInfo_free(opus);
return PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_SP_OPUS_INFO_OBJID),
V_ASN1_SEQUENCE, astr);
}
/*
* [in, out] si: PKCS7_SIGNER_INFO structure
* [in] ctx: structure holds input and output data
* [returns] 0 on error or 1 on success
*/
static int pkcs7_signer_info_add_purpose(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
{
static const u_char purpose_ind[] = {
0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04,
0x01, 0x82, 0x37, 0x02, 0x01, 0x15
};
static const u_char purpose_comm[] = {
0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04,
0x01, 0x82, 0x37, 0x02, 0x01, 0x16
};
ASN1_STRING *purpose = ASN1_STRING_new();
if (ctx->options->comm) {
ASN1_STRING_set(purpose, purpose_comm, sizeof purpose_comm);
} else {
ASN1_STRING_set(purpose, purpose_ind, sizeof purpose_ind);
}
return PKCS7_add_signed_attribute(si, OBJ_txt2nid(SPC_STATEMENT_TYPE_OBJID),
V_ASN1_SEQUENCE, purpose);
}
/*
* Add a custom, non-trusted time to the PKCS7 structure to prevent OpenSSL
* adding the _current_ time. This allows to create a deterministic signature
* when no trusted timestamp server was specified, making osslsigncode
* behaviour closer to signtool.exe (which doesn't include any non-trusted
* time in this case.)
* [in, out] si: PKCS7_SIGNER_INFO structure
* [in] ctx: structure holds input and output data
* [returns] 0 on error or 1 on success
*/
int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx)
{
if (ctx->options->time == INVALID_TIME) /* -time option was not specified */
return 1; /* SUCCESS */
return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME,
ASN1_TIME_adj(NULL, ctx->options->time, 0, 0));
}
/*
* Retrieve a decoded PKCS#7 structure corresponding to the signature
* stored in the "sigin" file
* CMD_ATTACH command specific
* [in] ctx: structure holds input and output data
* [returns] pointer to PKCS#7 structure
*/
PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx)
{
PKCS7 *p7 = NULL;
uint32_t filesize;
char *indata;
BIO *bio;
const char pemhdr[] = "-----BEGIN PKCS7-----";
filesize = get_file_size(ctx->options->sigfile);
if (!filesize) {
return NULL; /* FAILED */
}
indata = map_file(ctx->options->sigfile, filesize);
if (!indata) {
printf("Failed to open file: %s\n", ctx->options->sigfile);
return NULL; /* FAILED */
}
bio = BIO_new_mem_buf(indata, (int)filesize);
if (filesize >= sizeof pemhdr && !memcmp(indata, pemhdr, sizeof pemhdr - 1)) {
/* PEM format */
p7 = PEM_read_bio_PKCS7(bio, NULL, NULL, NULL);
} else { /* DER format */
p7 = d2i_PKCS7_bio(bio, NULL);
}
BIO_free_all(bio);
unmap_file(indata, filesize);
return p7;
}
/*
* Allocate, set type, add content and return a new PKCS#7 signature
* [in] ctx: structure holds input and output data
* [returns] pointer to PKCS#7 structure
*/
PKCS7 *pkcs7_create(FILE_FORMAT_CTX *ctx)
{
int i, signer = -1;
PKCS7 *p7;
PKCS7_SIGNER_INFO *si = NULL;
p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
if (ctx->options->cert != NULL) {
/*
* the private key and corresponding certificate are parsed from the PKCS12
* structure or loaded from the security token, so we may omit to check
* the consistency of a private key with the public key in an X509 certificate
*/
si = PKCS7_add_signature(p7, ctx->options->cert, ctx->options->pkey,
ctx->options->md);
if (si == NULL)
return NULL; /* FAILED */
} else {
/* find the signer's certificate located somewhere in the whole certificate chain */
for (i=0; i<sk_X509_num(ctx->options->certs); i++) {
X509 *signcert = sk_X509_value(ctx->options->certs, i);
if (X509_check_private_key(signcert, ctx->options->pkey)) {
si = PKCS7_add_signature(p7, signcert, ctx->options->pkey, ctx->options->md);
signer = i;
break;
}
}
if (si == NULL) {
printf("Failed to checking the consistency of a private key: %s\n",
ctx->options->keyfile);
printf(" with a public key in any X509 certificate: %s\n\n",
ctx->options->certfile);
return NULL; /* FAILED */
}
}
pkcs7_signer_info_add_signing_time(si, ctx);
if (!pkcs7_signer_info_add_purpose(si, ctx))
return NULL; /* FAILED */
if ((ctx->options->desc || ctx->options->url) &&
!pkcs7_signer_info_add_spc_sp_opus_info(si, ctx)) {
printf("Couldn't allocate memory for opus info\n");
return NULL; /* FAILED */
}
PKCS7_content_new(p7, NID_pkcs7_data);
/* add the signer's certificate */
if (ctx->options->cert != NULL)
PKCS7_add_certificate(p7, ctx->options->cert);
if (signer != -1)
PKCS7_add_certificate(p7, sk_X509_value(ctx->options->certs, signer));
/* add the certificate chain */
for (i=0; i<sk_X509_num(ctx->options->certs); i++) {
if (i == signer)
continue;
PKCS7_add_certificate(p7, sk_X509_value(ctx->options->certs, i));
}
/* add all cross certificates */
if (ctx->options->xcerts) {
for (i=0; i<sk_X509_num(ctx->options->xcerts); i++)
PKCS7_add_certificate(p7, sk_X509_value(ctx->options->xcerts, i));
}
/* add crls */
if (ctx->options->crls) {
for (i=0; i<sk_X509_CRL_num(ctx->options->crls); i++)
PKCS7_add_crl(p7, sk_X509_CRL_value(ctx->options->crls, i));
}
return p7; /* OK */
}
/*
* [in, out] p7: new PKCS#7 signature
* [in] hash: message digest BIO
* [in] ctx: structure holds input and output data
* [returns] 0 on error or 1 on success
*/
int add_indirect_data_object(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx)
{
STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
PKCS7_SIGNER_INFO *si;
signer_info = PKCS7_get_signer_info(p7);
if (!signer_info)
return 0; /* FAILED */
si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!si)
return 0; /* FAILED */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
V_ASN1_OBJECT, OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1)))
return 0; /* FAILED */
if (!pkcs7_set_data_content(p7, hash, ctx)) {
printf("Signing failed\n");
return 0; /* FAILED */
}
return 1; /* OK */
}
/*
* [in, out] p7: new PKCS#7 signature
* [in] cursig: current PKCS#7 signature
* [returns] 0 on error or 1 on success
*/
int add_ms_ctl_object(PKCS7 *p7, PKCS7 *cursig)
{
STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
PKCS7_SIGNER_INFO *si;
signer_info = PKCS7_get_signer_info(p7);
if (!signer_info)
return 0; /* FAILED */
si = sk_PKCS7_SIGNER_INFO_value(signer_info, 0);
if (!si)
return 0; /* FAILED */
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
V_ASN1_OBJECT, OBJ_txt2obj(MS_CTL_OBJID, 1)))
return 0; /* FAILED */
if (!pkcs7_set_content_blob(p7, cursig)) {
printf("Signing failed\n");
return 0; /* FAILED */
}
return 1; /* OK */
}
static int pkcs7_set_content_blob(PKCS7 *sig, PKCS7 *cursig)
{
PKCS7 *contents;
u_char *content;
int seqhdrlen, content_length;
BIO *sigbio;
contents = cursig->d.sign->contents;
seqhdrlen = asn1_simple_hdr_len(contents->d.other->value.sequence->data,
contents->d.other->value.sequence->length);
content = contents->d.other->value.sequence->data + seqhdrlen;
content_length = contents->d.other->value.sequence->length - seqhdrlen;
if ((sigbio = PKCS7_dataInit(sig, NULL)) == NULL) {
printf("PKCS7_dataInit failed\n");
return 0; /* FAILED */
}
BIO_write(sigbio, content, content_length);
(void)BIO_flush(sigbio);
if (!PKCS7_dataFinal(sig, sigbio)) {
printf("PKCS7_dataFinal failed\n");
return 0; /* FAILED */
}
BIO_free_all(sigbio);
if (!PKCS7_set_content(sig, PKCS7_dup(contents))) {
printf("PKCS7_set_content failed\n");
return 0; /* FAILED */
}
return 1; /* OK */
}
/* Return the header length (tag and length octets) of the ASN.1 type
* [in] p: ASN.1 data
* [in] len: ASN.1 data length
* [returns] header length
*/
int asn1_simple_hdr_len(const u_char *p, int len)
{
if (len <= 2 || p[0] > 0x31)
return 0;
return (p[1]&0x80) ? (2 + (p[1]&0x7f)) : 2;
}
/*
* [in, out] hash: BIO with message digest method
* [in] indata: starting address space
* [in] idx: offset
* [in] fileend: the length of the hashed area
* [returns] 0 on error or 1 on success
*/
int bio_hash_data(BIO *hash, char *indata, size_t idx, size_t fileend)
{
while (idx < fileend) {
size_t want, written;
want = fileend - idx;
if (want > SIZE_64K)
want = SIZE_64K;
if (!BIO_write_ex(hash, indata + idx, want, &written))
return 0; /* FAILED */
idx += written;
}
return 1; /* OK */
}
/*
* [in] descript1, descript2: descriptions
* [in] mdbuf: message digest
* [in] len: message digest length
* [returns] none
*/
void print_hash(const char *descript1, const char *descript2, const u_char *mdbuf, int len)
{
char *hexbuf = NULL;
int size, i, j = 0;
size = 2 * len + 1;
hexbuf = OPENSSL_malloc((size_t)size);
for (i = 0; i < len; i++) {
#ifdef WIN32
j += sprintf_s(hexbuf + j, size - j, "%02X", mdbuf[i]);
#else
j += sprintf(hexbuf + j, "%02X", mdbuf[i]);
#endif /* WIN32 */
}
printf("%s: %s %s\n", descript1, hexbuf, descript2);
OPENSSL_free(hexbuf);
}
/*
* [in] p7: new PKCS#7 signature
* [in] objid: Microsoft OID Authenticode
* [returns] 0 on error or 1 on success
*/
int is_content_type(PKCS7 *p7, const char *objid)
{
ASN1_OBJECT *indir_objid;
int ret;
indir_objid = OBJ_txt2obj(objid, 1);
ret = p7 && PKCS7_type_is_signed(p7) &&
!OBJ_cmp(p7->d.sign->contents->type, indir_objid) &&
(p7->d.sign->contents->d.other->type == V_ASN1_SEQUENCE ||
p7->d.sign->contents->d.other->type == V_ASN1_OCTET_STRING);
ASN1_OBJECT_free(indir_objid);
return ret;
}
/*
* [out] p7: new PKCS#7 signature
* [in] hash: message digest BIO
* [in] ctx: structure holds input and output data
* [returns] 0 on error or 1 on success
*/
int pkcs7_set_data_content(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx)
{
u_char *p = NULL;
int len = 0;
u_char *buf;
if (!spc_indirect_data_content_get(&p, &len, ctx))
return 0; /* FAILED */
buf = OPENSSL_malloc(SIZE_64K);
memcpy(buf, p, (size_t)len);
OPENSSL_free(p);
if (!pkcs7_set_spc_indirect_data_content(p7, hash, buf, len, ctx)) {
OPENSSL_free(buf);
return 0; /* FAILED */
}
OPENSSL_free(buf);
return 1; /* OK */
}
/*
* PE and CAB format specific
* [in] none
* [returns] pointer to SpcLink
*/
SpcLink *spc_link_obsolete_get(void)
{
const u_char obsolete[] = {
0x00, 0x3c, 0x00, 0x3c, 0x00, 0x3c, 0x00, 0x4f,
0x00, 0x62, 0x00, 0x73, 0x00, 0x6f, 0x00, 0x6c,
0x00, 0x65, 0x00, 0x74, 0x00, 0x65, 0x00, 0x3e,
0x00, 0x3e, 0x00, 0x3e
};
SpcLink *link = SpcLink_new();
link->type = 2;
link->value.file = SpcString_new();
link->value.file->type = 0;
link->value.file->value.unicode = ASN1_BMPSTRING_new();
ASN1_STRING_set(link->value.file->value.unicode, obsolete, sizeof obsolete);
return link;
}
/*
* Retrieve a decoded PKCS#7 structure
* [in] indata: mapped file
* [in] sigpos: signature data offset
* [in] siglen: signature data size
* [returns] pointer to PKCS#7 structure
*/
PKCS7 *pkcs7_get(char *indata, uint32_t sigpos, uint32_t siglen)
{
PKCS7 *p7 = NULL;
const u_char *blob;
blob = (u_char *)indata + sigpos;
p7 = d2i_PKCS7(NULL, &blob, siglen);
return p7;
}
/*
* [in] mdbuf, cmdbuf: message digests
* [in] mdtype: message digest algorithm type
* [returns] 0 on error or 1 on success
*/
int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype)
{
int mdlen = EVP_MD_size(EVP_get_digestbynid(mdtype));
int mdok = !memcmp(mdbuf, cmdbuf, (size_t)mdlen);
printf("Message digest algorithm : %s\n", OBJ_nid2sn(mdtype));
print_hash("Current message digest ", "", mdbuf, mdlen);
print_hash("Calculated message digest ", mdok ? "\n" : " MISMATCH!!!\n", cmdbuf, mdlen);
return mdok;
}
/*
* Helper functions
*/
/*
* [in] ctx: FILE_FORMAT_CTX structure
* [returns] pointer to SpcSpOpusInfo structure
*/
static SpcSpOpusInfo *spc_sp_opus_info_create(FILE_FORMAT_CTX *ctx)
{
SpcSpOpusInfo *info = SpcSpOpusInfo_new();
if (ctx->options->desc) {
info->programName = SpcString_new();
info->programName->type = 1;
info->programName->value.ascii = ASN1_IA5STRING_new();
ASN1_STRING_set((ASN1_STRING *)info->programName->value.ascii,
ctx->options->desc, (int)strlen(ctx->options->desc));
}
if (ctx->options->url) {
info->moreInfo = SpcLink_new();
info->moreInfo->type = 0;
info->moreInfo->value.url = ASN1_IA5STRING_new();
ASN1_STRING_set((ASN1_STRING *)info->moreInfo->value.url,
ctx->options->url, (int)strlen(ctx->options->url));
}
return info;
}
/*
* [out] blob: SpcIndirectDataContent data
* [out] len: SpcIndirectDataContent data length
* [in] ctx: FILE_FORMAT_CTX structure
* [returns] 0 on error or 1 on success
*/
static int spc_indirect_data_content_get(u_char **blob, int *len, FILE_FORMAT_CTX *ctx)
{
u_char *p = NULL;
int hashlen, l = 0;
int mdtype = EVP_MD_nid(ctx->options->md);
void *hash;
SpcIndirectDataContent *idc = SpcIndirectDataContent_new();
idc->data->value = ASN1_TYPE_new();
idc->data->value->type = V_ASN1_SEQUENCE;
idc->data->value->value.sequence = ASN1_STRING_new();
idc->data->type = ctx->format->data_blob_get(&p, &l, ctx);
idc->data->value->value.sequence->data = p;
idc->data->value->value.sequence->length = l;
idc->messageDigest->digestAlgorithm->algorithm = OBJ_nid2obj(mdtype);
idc->messageDigest->digestAlgorithm->parameters = ASN1_TYPE_new();
idc->messageDigest->digestAlgorithm->parameters->type = V_ASN1_NULL;
hashlen = ctx->format->hash_length_get(ctx);
hash = OPENSSL_zalloc((size_t)hashlen);
ASN1_OCTET_STRING_set(idc->messageDigest->digest, hash, hashlen);
OPENSSL_free(hash);
*len = i2d_SpcIndirectDataContent(idc, NULL);
*blob = OPENSSL_malloc((size_t)*len);
p = *blob;
i2d_SpcIndirectDataContent(idc, &p);
SpcIndirectDataContent_free(idc);
*len -= hashlen;
return 1; /* OK */
}
/*
* Replace the data part with the MS Authenticode spcIndirectDataContent blob
* [out] p7: new PKCS#7 signature
* [in] hash: message digest BIO
* [in] blob: SpcIndirectDataContent data
* [in] len: SpcIndirectDataContent data length
* [in] ctx: FILE_FORMAT_CTX structure
* [returns] 0 on error or 1 on success
*/
static int pkcs7_set_spc_indirect_data_content(PKCS7 *p7, BIO *hash, u_char *buf, int len, FILE_FORMAT_CTX *ctx)
{
u_char mdbuf[5 * EVP_MAX_MD_SIZE + 24];
int mdlen, seqhdrlen, hashlen;
BIO *bio;
PKCS7 *td7;
hashlen = ctx->format->hash_length_get(ctx);
if (hashlen > EVP_MAX_MD_SIZE) {
/* APPX format specific */
mdlen = BIO_read(hash, (char*)mdbuf, hashlen);
} else {
mdlen = BIO_gets(hash, (char*)mdbuf, EVP_MAX_MD_SIZE);
}
memcpy(buf + len, mdbuf, (size_t)mdlen);
seqhdrlen = asn1_simple_hdr_len(buf, len);
if ((bio = PKCS7_dataInit(p7, NULL)) == NULL) {
printf("PKCS7_dataInit failed\n");
return 0; /* FAILED */
}
BIO_write(bio, buf + seqhdrlen, len - seqhdrlen + mdlen);
(void)BIO_flush(bio);
if (!PKCS7_dataFinal(p7, bio)) {
printf("PKCS7_dataFinal failed\n");
return 0; /* FAILED */
}
BIO_free_all(bio);
td7 = PKCS7_new();
td7->type = OBJ_txt2obj(SPC_INDIRECT_DATA_OBJID, 1);
td7->d.other = ASN1_TYPE_new();
td7->d.other->type = V_ASN1_SEQUENCE;
td7->d.other->value.sequence = ASN1_STRING_new();
ASN1_STRING_set(td7->d.other->value.sequence, buf, len + mdlen);
if (!PKCS7_set_content(p7, td7)) {
PKCS7_free(td7);
printf("PKCS7_set_content failed\n");
return 0; /* FAILED */
}
return 1; /* OK */
}
/*
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
*/

35
helpers.h Normal file
View File

@ -0,0 +1,35 @@
/*
* osslsigncode support library
*
* Copyright (C) 2021-2023 Michał Trojnara <Michal.Trojnara@stunnel.org>
* Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
*/
/* Common functions */
uint32_t get_file_size(const char *infile);
char *map_file(const char *infile, const size_t size);
void unmap_file(char *indata, const size_t size);
int pkcs7_signer_info_add_signing_time(PKCS7_SIGNER_INFO *si, FILE_FORMAT_CTX *ctx);
PKCS7 *pkcs7_get_sigfile(FILE_FORMAT_CTX *ctx);
PKCS7 *pkcs7_create(FILE_FORMAT_CTX *ctx);
void add_content_type(PKCS7 *p7);
int add_indirect_data_object(PKCS7 *p7, BIO *hash, FILE_FORMAT_CTX *ctx);
int add_ms_ctl_object(PKCS7 *p7, PKCS7 *cursig);
int asn1_simple_hdr_len(const u_char *p, int len);
int bio_hash_data(BIO *hash, char *indata, size_t idx, size_t fileend);
void print_hash(const char *descript1, const char *descript2, const u_char *hashbuf, int length);
int is_content_type(PKCS7 *p7, const char *objid);
int pkcs7_set_data_content(PKCS7 *sig, BIO *hash, FILE_FORMAT_CTX *ctx);
SpcLink *spc_link_obsolete_get(void);
PKCS7 *pkcs7_get(char *indata, uint32_t sigpos, uint32_t siglen);
int compare_digests(u_char *mdbuf, u_char *cmdbuf, int mdtype);
/*
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
*/

3052
msi.c
View File

File diff suppressed because it is too large Load Diff

238
msi.h
View File

@ -1,238 +0,0 @@
/*
* MSI file support library
*
* Copyright (C) 2021 Michał Trojnara <Michal.Trojnara@stunnel.org>
* Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
*
* Reference specifications:
* http://en.wikipedia.org/wiki/Compound_File_Binary_Format
* https://msdn.microsoft.com/en-us/library/dd942138.aspx
* https://github.com/microsoft/compoundfilereader
*/
#include <stdint.h>
#include <openssl/safestack.h>
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#define MAXREGSECT 0xfffffffa /* maximum regular sector number */
#define DIFSECT 0xfffffffc /* specifies a DIFAT sector in the FAT */
#define FATSECT 0xfffffffd /* specifies a FAT sector in the FAT */
#define ENDOFCHAIN 0xfffffffe /* end of a linked chain of sectors */
#define NOSTREAM 0xffffffff /* terminator or empty pointer */
#define FREESECT 0xffffffff /* empty unallocated free sectors */
#define DIR_UNKNOWN 0
#define DIR_STORAGE 1
#define DIR_STREAM 2
#define DIR_ROOT 5
#define RED_COLOR 0
#define BLACK_COLOR 1
#define DIFAT_IN_HEADER 109
#define MINI_STREAM_CUTOFF_SIZE 0x00001000 /* 4096 bytes */
#define HEADER_SIZE 0x200 /* 512 bytes, independent of sector size */
#define MAX_SECTOR_SIZE 0x1000 /* 4096 bytes */
#define HEADER_SIGNATURE 0x00 /* 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 */
#define HEADER_CLSID 0x08 /* reserved and unused */
#define HEADER_MINOR_VER 0x18 /* SHOULD be set to 0x003E */
#define HEADER_MAJOR_VER 0x1a /* MUST be set to either 0x0003 (version 3) or 0x0004 (version 4) */
#define HEADER_BYTE_ORDER 0x1c /* 0xfe 0xff == Intel Little Endian */
#define HEADER_SECTOR_SHIFT 0x1e /* MUST be set to 0x0009, or 0x000c */
#define HEADER_MINI_SECTOR_SHIFT 0x20 /* MUST be set to 0x0006 */
#define RESERVED 0x22 /* reserved and unused */
#define HEADER_DIR_SECTORS_NUM 0x28
#define HEADER_FAT_SECTORS_NUM 0x2c
#define HEADER_DIR_SECTOR_LOC 0x30
#define HEADER_TRANSACTION 0x34
#define HEADER_MINI_STREAM_CUTOFF 0x38 /* 4096 bytes */
#define HEADER_MINI_FAT_SECTOR_LOC 0x3c
#define HEADER_MINI_FAT_SECTORS_NUM 0x40
#define HEADER_DIFAT_SECTOR_LOC 0x44
#define HEADER_DIFAT_SECTORS_NUM 0x48
#define HEADER_DIFAT 0x4c
#define DIRENT_SIZE 0x80 /* 128 bytes */
#define DIRENT_MAX_NAME_SIZE 0x40 /* 64 bytes */
#define DIRENT_NAME 0x00
#define DIRENT_NAME_LEN 0x40 /* length in bytes incl 0 terminator */
#define DIRENT_TYPE 0x42
#define DIRENT_COLOUR 0x43
#define DIRENT_LEFT_SIBLING_ID 0x44
#define DIRENT_RIGHT_SIBLING_ID 0x48
#define DIRENT_CHILD_ID 0x4c
#define DIRENT_CLSID 0x50
#define DIRENT_STATE_BITS 0x60
#define DIRENT_CREATE_TIME 0x64
#define DIRENT_MODIFY_TIME 0x6c
#define DIRENT_START_SECTOR_LOC 0x74
#define DIRENT_FILE_SIZE 0x78
#define GET_UINT8_LE(p) ((const u_char *)(p))[0]
#define GET_UINT16_LE(p) (uint16_t)(((const u_char *)(p))[0] | \
(((const u_char *)(p))[1] << 8))
#define GET_UINT32_LE(p) (uint32_t)(((const u_char *)(p))[0] | \
(((const u_char *)(p))[1] << 8) | \
(((const u_char *)(p))[2] << 16) | \
(((const u_char *)(p))[3] << 24))
#define PUT_UINT8_LE(i, p) ((u_char *)(p))[0] = (u_char)((i) & 0xff);
#define PUT_UINT16_LE(i,p) ((u_char *)(p))[0] = (u_char)((i) & 0xff); \
((u_char *)(p))[1] = (u_char)(((i) >> 8) & 0xff)
#define PUT_UINT32_LE(i,p) ((u_char *)(p))[0] = (u_char)((i) & 0xff); \
((u_char *)(p))[1] = (u_char)(((i) >> 8) & 0xff); \
((u_char *)(p))[2] = (u_char)(((i) >> 16) & 0xff); \
((u_char *)(p))[3] = (u_char)(((i) >> 24) & 0xff)
#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE 1
#endif
#define SIZE_64K 65536 /* 2^16 */
#define SIZE_16M 16777216 /* 2^24 */
typedef unsigned char u_char;
typedef struct {
u_char signature[8]; /* 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 */
u_char unused_clsid[16]; /* reserved and unused */
uint16_t minorVersion;
uint16_t majorVersion;
uint16_t byteOrder;
uint16_t sectorShift; /* power of 2 */
uint16_t miniSectorShift; /* power of 2 */
u_char reserved[6]; /* reserved and unused */
uint32_t numDirectorySector;
uint32_t numFATSector;
uint32_t firstDirectorySectorLocation;
uint32_t transactionSignatureNumber; /* reserved */
uint32_t miniStreamCutoffSize;
uint32_t firstMiniFATSectorLocation;
uint32_t numMiniFATSector;
uint32_t firstDIFATSectorLocation;
uint32_t numDIFATSector;
uint32_t headerDIFAT[DIFAT_IN_HEADER];
} MSI_FILE_HDR;
typedef struct {
u_char name[DIRENT_MAX_NAME_SIZE];
uint16_t nameLen;
uint8_t type;
uint8_t colorFlag;
uint32_t leftSiblingID;
uint32_t rightSiblingID;
uint32_t childID;
u_char clsid[16];
u_char stateBits[4];
u_char creationTime[8];
u_char modifiedTime[8];
uint32_t startSectorLocation;
u_char size[8];
} MSI_ENTRY;
typedef struct msi_dirent_struct {
u_char name[DIRENT_MAX_NAME_SIZE];
uint16_t nameLen;
uint8_t type;
MSI_ENTRY *entry;
STACK_OF(MSI_DIRENT) *children;
struct msi_dirent_struct *next; /* for cycle detection */
} MSI_DIRENT;
DEFINE_STACK_OF(MSI_DIRENT)
typedef struct {
const u_char *m_buffer;
uint32_t m_bufferLen;
MSI_FILE_HDR *m_hdr;
uint32_t m_sectorSize;
uint32_t m_minisectorSize;
uint32_t m_miniStreamStartSector;
} MSI_FILE;
typedef struct {
char *header;
char *ministream;
char *minifat;
char *fat;
uint32_t dirtreeLen;
uint32_t miniStreamLen;
uint32_t minifatLen;
uint32_t fatLen;
uint32_t ministreamsMemallocCount;
uint32_t minifatMemallocCount;
uint32_t fatMemallocCount;
uint32_t dirtreeSectorsCount;
uint32_t minifatSectorsCount;
uint32_t fatSectorsCount;
uint32_t miniSectorNum;
uint32_t sectorNum;
uint32_t sectorSize;
} MSI_OUT;
static const u_char msi_magic[] = {
0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1
};
static const u_char digital_signature[] = {
0x05, 0x00, 0x44, 0x00, 0x69, 0x00, 0x67, 0x00,
0x69, 0x00, 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00,
0x53, 0x00, 0x69, 0x00, 0x67, 0x00, 0x6E, 0x00,
0x61, 0x00, 0x74, 0x00, 0x75, 0x00, 0x72, 0x00,
0x65, 0x00, 0x00, 0x00
};
static const u_char digital_signature_ex[] = {
0x05, 0x00, 0x4D, 0x00, 0x73, 0x00, 0x69, 0x00,
0x44, 0x00, 0x69, 0x00, 0x67, 0x00, 0x69, 0x00,
0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x53, 0x00,
0x69, 0x00, 0x67, 0x00, 0x6E, 0x00, 0x61, 0x00,
0x74, 0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00,
0x45, 0x00, 0x78, 0x00, 0x00, 0x00
};
static const u_char msi_root_entry[] = {
0x52, 0x00, 0x6F, 0x00, 0x6F, 0x00, 0x74, 0x00,
0x20, 0x00, 0x45, 0x00, 0x6E, 0x00, 0x74, 0x00,
0x72, 0x00, 0x79, 0x00, 0x00, 0x00
};
static const u_char msi_zeroes[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, uint32_t offset, char *buffer, uint32_t len);
MSI_FILE *msi_file_new(char *buffer, uint32_t len);
void msi_file_free(MSI_FILE *msi);
MSI_ENTRY *msi_root_entry_get(MSI_FILE *msi);
int msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent, MSI_DIRENT **ret);
MSI_ENTRY *msi_signatures_get(MSI_DIRENT *dirent, MSI_ENTRY **dse);
void msi_dirent_free(MSI_DIRENT *dirent);
int msi_prehash_dir(MSI_DIRENT *dirent, BIO *hash, int is_root);
int msi_hash_dir(MSI_FILE *msi, MSI_DIRENT *dirent, BIO *hash, int is_root);
int msi_calc_digest(char *indata, int mdtype, u_char *mdbuf, uint32_t fileend);
int msi_dirent_delete(MSI_DIRENT *dirent, const u_char *name, uint16_t nameLen);
int msi_file_write(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p, uint32_t len,
u_char *p_msiex, uint32_t len_msiex, BIO *outdata);
/*
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: t
End:
vim: set ts=4 noexpandtab:
*/

9543
osslsigncode.c
View File

File diff suppressed because it is too large Load Diff

514
osslsigncode.h Normal file
View File

@ -0,0 +1,514 @@
/*
* Copyright (C) 2021-2023 Michał Trojnara <Michal.Trojnara@stunnel.org>
* Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
*/
#define OPENSSL_API_COMPAT 0x10100000L
#define OPENSSL_NO_DEPRECATED
#if defined(_MSC_VER) || defined(__MINGW32__)
#define HAVE_WINDOWS_H
#endif /* _MSC_VER || __MINGW32__ */
#ifdef HAVE_WINDOWS_H
#define NOCRYPT
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#endif /* HAVE_WINDOWS_H */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif /* HAVE_CONFIG_H */
#include <ctype.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#ifndef _WIN32
#include <unistd.h>
#ifdef HAVE_SYS_MMAN_H
#include <sys/mman.h>
#endif /* HAVE_SYS_MMAN_H */
#ifdef HAVE_TERMIOS_H
#include <termios.h>
#endif /* HAVE_TERMIOS_H */
#endif /* _WIN32 */
#include <sys/types.h>
#include <sys/stat.h>
#include <openssl/asn1t.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/cms.h>
#include <openssl/conf.h>
#include <openssl/crypto.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif /* OPENSSL_NO_ENGINE */
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/pem.h>
#include <openssl/pkcs7.h>
#include <openssl/pkcs12.h>
#if OPENSSL_VERSION_NUMBER>=0x30000000L
#include <openssl/provider.h>
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
#include <openssl/rand.h>
#include <openssl/safestack.h>
#include <openssl/ts.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h> /* X509_PURPOSE */
#ifdef ENABLE_CURL
#ifdef __CYGWIN__
#ifndef SOCKET
#define SOCKET UINT_PTR
#endif /* SOCKET */
#endif /* __CYGWIN__ */
#include <curl/curl.h>
#define MAX_TS_SERVERS 256
#endif /* ENABLE_CURL */
#if defined (HAVE_TERMIOS_H) || defined (HAVE_GETPASS)
#define PROVIDE_ASKPASS 1
#endif
#ifdef _WIN32
#define FILE_CREATE_MODE "w+b"
#else
#define FILE_CREATE_MODE "w+bx"
#endif
#define GET_UINT8_LE(p) ((const u_char *)(p))[0]
#define GET_UINT16_LE(p) (uint16_t)(((const u_char *)(p))[0] | \
(((const u_char *)(p))[1] << 8))
#define GET_UINT32_LE(p) (uint32_t)(((const u_char *)(p))[0] | \
(((const u_char *)(p))[1] << 8) | \
(((const u_char *)(p))[2] << 16) | \
(((const u_char *)(p))[3] << 24))
#define PUT_UINT8_LE(i, p) ((u_char *)(p))[0] = (u_char)((i) & 0xff);
#define PUT_UINT16_LE(i,p) ((u_char *)(p))[0] = (u_char)((i) & 0xff); \
((u_char *)(p))[1] = (u_char)(((i) >> 8) & 0xff)
#define PUT_UINT32_LE(i,p) ((u_char *)(p))[0] = (u_char)((i) & 0xff); \
((u_char *)(p))[1] = (u_char)(((i) >> 8) & 0xff); \
((u_char *)(p))[2] = (u_char)(((i) >> 16) & 0xff); \
((u_char *)(p))[3] = (u_char)(((i) >> 24) & 0xff)
#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE 1
#endif
#define SIZE_64K 65536 /* 2^16 */
#define SIZE_16M 16777216 /* 2^24 */
/*
* Macro names:
* linux: __BYTE_ORDER == __LITTLE_ENDIAN | __BIG_ENDIAN
* BYTE_ORDER == LITTLE_ENDIAN | BIG_ENDIAN
* bsd: _BYTE_ORDER == _LITTLE_ENDIAN | _BIG_ENDIAN
* BYTE_ORDER == LITTLE_ENDIAN | BIG_ENDIAN
* solaris: _LITTLE_ENDIAN | _BIG_ENDIAN
*/
#ifndef BYTE_ORDER
#define LITTLE_ENDIAN 1234
#define BIG_ENDIAN 4321
#define BYTE_ORDER LITTLE_ENDIAN
#endif /* BYTE_ORDER */
#if !defined(BYTE_ORDER) || !defined(LITTLE_ENDIAN) || !defined(BIG_ENDIAN)
#error "Cannot determine the endian-ness of this platform"
#endif
#ifndef LOWORD
#define LOWORD(x) ((x) & 0xFFFF)
#endif /* LOWORD */
#ifndef HIWORD
#define HIWORD(x) (((x) >> 16) & 0xFFFF)
#endif /* HIWORD */
#if BYTE_ORDER == BIG_ENDIAN
#define LE_UINT16(x) ((((x) >> 8) & 0x00FF) | \
(((x) << 8) & 0xFF00))
#define LE_UINT32(x) (((x) >> 24) | \
(((x) & 0x00FF0000) >> 8) | \
(((x) & 0x0000FF00) << 8) | \
((x) << 24))
#else
#define LE_UINT16(x) (x)
#define LE_UINT32(x) (x)
#endif /* BYTE_ORDER == BIG_ENDIAN */
#define MIN(a,b) ((a) < (b) ? a : b)
#define INVALID_TIME ((time_t)-1)
/* Microsoft OID Authenticode */
#define SPC_INDIRECT_DATA_OBJID "1.3.6.1.4.1.311.2.1.4"
#define SPC_STATEMENT_TYPE_OBJID "1.3.6.1.4.1.311.2.1.11"
#define SPC_SP_OPUS_INFO_OBJID "1.3.6.1.4.1.311.2.1.12"
#define SPC_PE_IMAGE_DATA_OBJID "1.3.6.1.4.1.311.2.1.15"
#define SPC_CAB_DATA_OBJID "1.3.6.1.4.1.311.2.1.25"
#define SPC_SIPINFO_OBJID "1.3.6.1.4.1.311.2.1.30"
#define SPC_PE_IMAGE_PAGE_HASHES_V1 "1.3.6.1.4.1.311.2.3.1" /* SHA1 */
#define SPC_PE_IMAGE_PAGE_HASHES_V2 "1.3.6.1.4.1.311.2.3.2" /* SHA256 */
#define SPC_NESTED_SIGNATURE_OBJID "1.3.6.1.4.1.311.2.4.1"
/* Microsoft OID Time Stamping */
#define SPC_TIME_STAMP_REQUEST_OBJID "1.3.6.1.4.1.311.3.2.1"
#define SPC_RFC3161_OBJID "1.3.6.1.4.1.311.3.3.1"
/* Microsoft OID Crypto 2.0 */
#define MS_CTL_OBJID "1.3.6.1.4.1.311.10.1"
/* Microsoft OID Microsoft_Java */
#define MS_JAVA_SOMETHING "1.3.6.1.4.1.311.15.1"
#define SPC_UNAUTHENTICATED_DATA_BLOB_OBJID "1.3.6.1.4.1.42921.1.2.1"
/* Public Key Cryptography Standards PKCS#9 */
#define PKCS9_MESSAGE_DIGEST "1.2.840.113549.1.9.4"
#define PKCS9_SIGNING_TIME "1.2.840.113549.1.9.5"
#define PKCS9_COUNTER_SIGNATURE "1.2.840.113549.1.9.6"
/* WIN_CERTIFICATE structure declared in Wintrust.h */
#define WIN_CERT_REVISION_2_0 0x0200
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
/*
* FLAG_PREV_CABINET is set if the cabinet file is not the first in a set
* of cabinet files. When this bit is set, the szCabinetPrev and szDiskPrev
* fields are present in this CFHEADER.
*/
#define FLAG_PREV_CABINET 0x0001
/*
* FLAG_NEXT_CABINET is set if the cabinet file is not the last in a set of
* cabinet files. When this bit is set, the szCabinetNext and szDiskNext
* fields are present in this CFHEADER.
*/
#define FLAG_NEXT_CABINET 0x0002
/*
* FLAG_RESERVE_PRESENT is set if the cabinet file contains any reserved
* fields. When this bit is set, the cbCFHeader, cbCFFolder, and cbCFData
* fields are present in this CFHEADER.
*/
#define FLAG_RESERVE_PRESENT 0x0004
#define DO_EXIT_0(x) { printf(x); goto err_cleanup; }
#define DO_EXIT_1(x, y) { printf(x, y); goto err_cleanup; }
#define DO_EXIT_2(x, y, z) { printf(x, y, z); goto err_cleanup; }
/* Default policy if request did not specify it. */
#define TSA_POLICY1 "1.2.3.4.1"
typedef enum {
CMD_SIGN,
CMD_EXTRACT,
CMD_REMOVE,
CMD_VERIFY,
CMD_ADD,
CMD_ATTACH,
CMD_HELP,
CMD_DEFAULT
} cmd_type_t;
typedef unsigned char u_char;
typedef struct {
char *infile;
char *outfile;
char *sigfile;
char *certfile;
char *xcertfile;
char *keyfile;
char *pvkfile;
char *pkcs12file;
int output_pkcs7;
#ifndef OPENSSL_NO_ENGINE
char *p11engine;
char *p11module;
char *p11cert;
#endif /* OPENSSL_NO_ENGINE */
int askpass;
char *readpass;
char *pass;
int comm;
int pagehash;
char *desc;
const EVP_MD *md;
char *url;
time_t time;
#ifdef ENABLE_CURL
char *turl[MAX_TS_SERVERS];
int nturl;
char *tsurl[MAX_TS_SERVERS];
int ntsurl;
char *proxy;
int noverifypeer;
#endif /* ENABLE_CURL */
int addBlob;
int nest;
int ignore_timestamp;
int verbose;
int add_msi_dse;
char *catalog;
char *cafile;
char *crlfile;
char *tsa_cafile;
char *tsa_crlfile;
char *leafhash;
int jp;
#if OPENSSL_VERSION_NUMBER>=0x30000000L
int legacy;
#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
EVP_PKEY *pkey;
X509 *cert;
STACK_OF(X509) *certs;
STACK_OF(X509) *xcerts;
STACK_OF(X509_CRL) *crls;
cmd_type_t cmd;
char *indata;
PKCS7 *prevsig;
char *tsa_certfile;
char *tsa_keyfile;
time_t tsa_time;
} GLOBAL_OPTIONS;
/*
* ASN.1 definitions (more or less from official MS Authenticode docs)
*/
typedef struct {
int type;
union {
ASN1_BMPSTRING *unicode;
ASN1_IA5STRING *ascii;
} value;
} SpcString;
DECLARE_ASN1_FUNCTIONS(SpcString)
typedef struct {
ASN1_OCTET_STRING *classId;
ASN1_OCTET_STRING *serializedData;
} SpcSerializedObject;
DECLARE_ASN1_FUNCTIONS(SpcSerializedObject)
typedef struct {
int type;
union {
ASN1_IA5STRING *url;
SpcSerializedObject *moniker;
SpcString *file;
} value;
} SpcLink;
DECLARE_ASN1_FUNCTIONS(SpcLink)
typedef struct {
SpcString *programName;
SpcLink *moreInfo;
} SpcSpOpusInfo;
DECLARE_ASN1_FUNCTIONS(SpcSpOpusInfo)
typedef struct {
ASN1_OBJECT *type;
ASN1_TYPE *value;
} SpcAttributeTypeAndOptionalValue;
DECLARE_ASN1_FUNCTIONS(SpcAttributeTypeAndOptionalValue)
typedef struct {
ASN1_OBJECT *algorithm;
ASN1_TYPE *parameters;
} AlgorithmIdentifier;
DECLARE_ASN1_FUNCTIONS(AlgorithmIdentifier)
typedef struct {
AlgorithmIdentifier *digestAlgorithm;
ASN1_OCTET_STRING *digest;
} DigestInfo;
DECLARE_ASN1_FUNCTIONS(DigestInfo)
typedef struct {
SpcAttributeTypeAndOptionalValue *data;
DigestInfo *messageDigest;
} SpcIndirectDataContent;
DECLARE_ASN1_FUNCTIONS(SpcIndirectDataContent)
typedef struct CatalogAuthAttr_st {
ASN1_OBJECT *type;
ASN1_TYPE *contents;
} CatalogAuthAttr;
DEFINE_STACK_OF(CatalogAuthAttr)
DECLARE_ASN1_FUNCTIONS(CatalogAuthAttr)
typedef struct {
AlgorithmIdentifier *digestAlgorithm;
ASN1_OCTET_STRING *digest;
} MessageImprint;
DECLARE_ASN1_FUNCTIONS(MessageImprint)
#ifdef ENABLE_CURL
typedef struct {
ASN1_OBJECT *type;
ASN1_OCTET_STRING *signature;
} TimeStampRequestBlob;
DECLARE_ASN1_FUNCTIONS(TimeStampRequestBlob)
typedef struct {
ASN1_OBJECT *type;
TimeStampRequestBlob *blob;
} TimeStampRequest;
DECLARE_ASN1_FUNCTIONS(TimeStampRequest)
/* RFC3161 Time stamping */
typedef struct {
ASN1_INTEGER *status;
STACK_OF(ASN1_UTF8STRING) *statusString;
ASN1_BIT_STRING *failInfo;
} PKIStatusInfo;
DECLARE_ASN1_FUNCTIONS(PKIStatusInfo)
typedef struct {
PKIStatusInfo *status;
PKCS7 *token;
} TimeStampResp;
DECLARE_ASN1_FUNCTIONS(TimeStampResp)
typedef struct {
ASN1_INTEGER *version;
MessageImprint *messageImprint;
ASN1_OBJECT *reqPolicy;
ASN1_INTEGER *nonce;
ASN1_BOOLEAN certReq;
STACK_OF(X509_EXTENSION) *extensions;
} TimeStampReq;
DECLARE_ASN1_FUNCTIONS(TimeStampReq)
#endif /* ENABLE_CURL */
typedef struct {
ASN1_INTEGER *seconds;
ASN1_INTEGER *millis;
ASN1_INTEGER *micros;
} TimeStampAccuracy;
DECLARE_ASN1_FUNCTIONS(TimeStampAccuracy)
typedef struct {
ASN1_INTEGER *version;
ASN1_OBJECT *policy_id;
MessageImprint *messageImprint;
ASN1_INTEGER *serial;
ASN1_GENERALIZEDTIME *time;
TimeStampAccuracy *accuracy;
ASN1_BOOLEAN ordering;
ASN1_INTEGER *nonce;
GENERAL_NAME *tsa;
STACK_OF(X509_EXTENSION) *extensions;
} TimeStampToken;
DECLARE_ASN1_FUNCTIONS(TimeStampToken)
typedef struct {
ASN1_OCTET_STRING *digest;
STACK_OF(CatalogAuthAttr) *attributes;
} CatalogInfo;
DEFINE_STACK_OF(CatalogInfo)
DECLARE_ASN1_FUNCTIONS(CatalogInfo)
typedef struct {
/* 1.3.6.1.4.1.311.12.1.1 MS_CATALOG_LIST */
SpcAttributeTypeAndOptionalValue *type;
ASN1_OCTET_STRING *identifier;
ASN1_UTCTIME *time;
/* 1.3.6.1.4.1.311.12.1.2 CatalogVersion = 1
* 1.3.6.1.4.1.311.12.1.3 CatalogVersion = 2 */
SpcAttributeTypeAndOptionalValue *version;
STACK_OF(CatalogInfo) *header_attributes;
/* 1.3.6.1.4.1.311.12.2.1 CAT_NAMEVALUE_OBJID */
ASN1_TYPE *filename;
} MsCtlContent;
DECLARE_ASN1_FUNCTIONS(MsCtlContent)
typedef struct file_format_st FILE_FORMAT;
typedef struct msi_ctx_st MSI_CTX;
typedef struct pe_ctx_st PE_CTX;
typedef struct cab_ctx_st CAB_CTX;
typedef struct cat_ctx_st CAT_CTX;
typedef struct appx_ctx_st APPX_CTX;
typedef struct {
FILE_FORMAT *format;
GLOBAL_OPTIONS *options;
union {
MSI_CTX *msi_ctx;
PE_CTX *pe_ctx;
CAB_CTX *cab_ctx;
CAT_CTX *cat_ctx;
APPX_CTX *appx_ctx;
};
} FILE_FORMAT_CTX;
extern FILE_FORMAT file_format_msi;
extern FILE_FORMAT file_format_pe;
extern FILE_FORMAT file_format_cab;
extern FILE_FORMAT file_format_cat;
extern FILE_FORMAT file_format_appx;
struct file_format_st {
FILE_FORMAT_CTX *(*ctx_new) (GLOBAL_OPTIONS *option, BIO *hash, BIO *outdata);
ASN1_OBJECT *(*data_blob_get) (u_char **p, int *plen, FILE_FORMAT_CTX *ctx);
int (*hash_length_get) (FILE_FORMAT_CTX *ctx);
int (*check_file) (FILE_FORMAT_CTX *ctx, int detached);
u_char *(*digest_calc) (FILE_FORMAT_CTX *ctx, const EVP_MD *md);
int (*verify_digests) (FILE_FORMAT_CTX *ctx, PKCS7 *p7);
int (*verify_indirect_data) (FILE_FORMAT_CTX *ctx, SpcAttributeTypeAndOptionalValue *obj);
PKCS7 *(*pkcs7_extract) (FILE_FORMAT_CTX *ctx);
int (*remove_pkcs7) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
PKCS7 *(*pkcs7_prepare) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
int (*append_pkcs7) (FILE_FORMAT_CTX *ctx, BIO *outdata, PKCS7 *p7);
void (*update_data_size) (FILE_FORMAT_CTX *data, BIO *outdata, PKCS7 *p7);
BIO *(*bio_free) (BIO *hash, BIO *outdata);
void (*ctx_cleanup) (FILE_FORMAT_CTX *ctx, BIO *hash, BIO *outdata);
};
/*
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
*/

1183
pe.c Normal file
View File

File diff suppressed because it is too large Load Diff

30
tests/certs/CACert.pem
View File

@ -1,22 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDoTCCAomgAwIBAgIUOK8lwJ8A1Oqw8jDAb3TF06ve+PcwDQYJKoZIhvcNAQEL
MIIDoTCCAomgAwIBAgIUfuEVHNA/1VLDJI9mhANrBndIj6swDQYJKoZIhvcNAQEL
BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
MTcwMTAxMDAwMDAwWhcNMjYxMTEwMDAwMDAwWjBYMQswCQYDVQQGEwJQTDEVMBMG
A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eTEQMA4GA1UEAwwHUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKzObJwYq4t9Y/OOQLqUNLU8RDXq284L8zQgRLkvApF87FNN7kozIgC9
/HAgJSho/Lup5lzkCWa3fjkYm1EBrL+JihesSaCxxe7LOg6tRaY+WxikwMUnlkNE
s3R+DogeGVsla4q0FEcICiz3FHTfSAUVmrN3Nj1ll7npJXrqmXxfCuO3slgjUkHq
tdZ5t1rSWwbiUhGIQKLzo3/uw2XoOI28qpoOw+0/y8AyjWs8My3u8GrYFr+qh5fx
Y0Zp0EhhAJo23Xd43XmeVKjuKIOaHu3JiM8sp9K1WFsTvFNAO27TBRn/X0mJCeDX
T117dQxhWOCcQ/uRGuXICT4ign8MLtUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU6ewx3DIpbR8OptEmDFlYNELRqP4wHwYDVR0jBBgwFoAU6ewx
3DIpbR8OptEmDFlYNELRqP4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUA
A4IBAQAhRMun0IzPmHVFM+SOfSCPVAgogWpqR5XlBAFlS+Aen6v3ukQAQjEhfBbE
dZG6ye9i0ebf9qXYTvSq5wfaqP7FGb2/Z96uPXNMXPi796KjLW2CG578DitORPb7
x1eV3UGrQX2bMQ0JbGkBU+DIdIRBqDfad/kjLtm5eHyCbaodSWdaZO4LSUIy3MBx
2UeBj2qD4RTA0Dt7hG7RA5QdTxHlZyLIk8HX3krZ+il5RmSbOnQs/XqK5DJp4J5p
122sIO4Y9ki+Wewzx8f3/7mcVbcMo67GwRHo8bk3GjWE74pczyrzfP68vDQ4tn85
NcLPeLClfSziJD09z+Iyp94EQeKX
AQoCggEBAMRykK9mZCSpkVUbCq1r12OXvIDkcjj+g4JpyZOrmPpz5RvmLvYBBgeV
IsUcqHm3/uSLpOFu/pwFJ2CBZVPJ1d49Y9DVnNR1dUbneWX9tE7A6NV9IG1kVagM
veI/ANLuRi0H51aAZS9L8c6WxlR4+pxJoCZp1tyTGmfjxzBEXUWvyUrIMrW/r9TH
u5gGgR6k86EbH7q71XRLhLeEi9QGCG24gobngYNZa5mb8DgLCkUeFtRsrYGEUT0G
HTpAGXUrpAb3U7+4LkGaS6mc0NPTW4lz06Z3VhyYwwAbgU2DZQjMpqYWv6UctOP+
5elPDc/PrTAdHAgbOhgvt1HUlqgn7lUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQUWIpzlJI+vefcJwcNGHwwRms/2ncwHwYDVR0jBBgwFoAUWIpz
lJI+vefcJwcNGHwwRms/2ncwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUA
A4IBAQAl+G1nXXW5u3notmAG5y8kwufFqNi5Jn1HVbT08w4IiteWMw3D9GEOCueM
g5A03bC/Xv1PRvMatXQSARRvvVl3y1l98sA+97SP/FFUla3W5Rn91OsWd4qkcXhv
CtPKHpz0SCjKLv3HG/C7fBJPG9XHMgkGZarM2KsQUlkn7DjdBccYcp/zJvtvm+be
nR5ZqE6LI52WCXg0w/KlJlildU5LE/bvHbfmRUVm/4GhUNN8ko8eG67ueuftkeTD
banKmnuSay02I42A0th2w8Hz7oaOUEpl8S9TfqeFuqLhtUP0FzUNMPAg0o5YTpe4
xAArbPbFvH2l3plEaYccKYvbAGT/
-----END CERTIFICATE-----

BIN
tests/certs/CACertCRL.der Normal file
View File

Binary file not shown.

18
tests/certs/CACertCRL.pem
View File

@ -1,13 +1,13 @@
-----BEGIN X509 CRL-----
MIIB9zCB4AIBATANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJQTDEVMBMGA1UE
MIICBDCB7QIBATANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJQTDEVMBMGA1UE
CgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBFw0xOTAxMDEwMDAwMDBaFw00MzAx
MDEwMDAwMDBaMCcwJQIUOpY5wp7DtqsdxII7sxculedk0PYXDTIyMDcyNjEzMDk1
NlqgIzAhMB8GA1UdIwQYMBaAFJ4FrAtb4UB/ag702URPiid97ziLMA0GCSqGSIb3
DQEBCwUAA4IBAQA4Kw0vEJrtjjMam16iN/stOMxJDgkp1IQzA3narxr9fEjX5Ynk
JztuEExtowPIDOLGWCySXNEMmxCzXNAMvlUq+UQvnWrwgHQ9R7TBYIcAY+VRmzKz
T4PXvDSL2WMuJ1dLWoIcL2D0wEdti7YMvAnCrOC8HAPGgke5QcOgSfMSAYSAtpiw
PZAFgcuo53AodlCw9J+CPcHPYw+C2QExOy8s8q6d8Xgjg+Ge7v3RxLWy74sNPl0u
uZ79vcLNEeqEXxKaw5abqDqIDcUKIT3b62KsSxkak9IGNMLcTASw1V+YaKVLSYNW
NTuc5WJblfZi/q7WUMKkmRERzvdg2rf0CSH1
MDEwMDAwMDBaMCcwJQIUSXAaPeUatfheDTFo77LnMBHgyeMXDTIzMDQyODEyMzMz
OVqgMDAuMB8GA1UdIwQYMBaAFOP6v42ECbVR/AiLDZ7f2WKtYXILMAsGA1UdFAQE
AgIQATANBgkqhkiG9w0BAQsFAAOCAQEARMWBcG6sanX3nwoSPGcUNEkYG2+qB8/w
wlcWWY7RfOGQWVHqbVvklJdTYFDw+mA6RuATMOd5S6hXa8tms4L2YQUmYyfNOyJu
+INPDnqueQshFZ8PqBTaP6O/NRI/LOLpcIIohgemwfPYPrbd/JqcLlQ2Vbgb9Lnb
CYZWGOF7AKC0ugTTvLuWr9LPwmWFdORtmm3UJfFOPDX6zmHPAPhBUuyrxl8UoNZB
ZPvgeBjbyQy3MaJsbaniwoOahmT+MbYV/0/YRwI5XDxjiOdJSBz3Wd5YDNDozvG6
zZMHtF9TkUZjmLUe3Jm0GnS33gU8SB6YdYpnnPg+Up4w5sye90pk9A==
-----END X509 CRL-----

14
tests/certs/CACertCRL_crldp.pem Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN X509 CRL-----
MIICMzCCARsCAQEwDQYJKoZIhvcNAQELBQAwZzELMAkGA1UEBhMCUEwxFTATBgNV
BAoMDG9zc2xzaWduY29kZTEgMB4GA1UECwwXQ2VydGlmaWNhdGlvbiBBdXRob3Jp
dHkxHzAdBgNVBAMMFkludGVybWVkaWF0ZSBDQSBDUkwgRFAXDTE5MDEwMTAwMDAw
MFoXDTQzMDEwMTAwMDAwMFowTjAlAhQxdzwUXgMSEn/RzOwbdKtxlLgYJhcNMjMw
NDI4MTIzMzQwWjAlAhRJcBo95Rq1+F4NMWjvsucwEeDJ4xcNMjMwNDI4MTIzMzM5
WqAwMC4wHwYDVR0jBBgwFoAUYbtAOknHjmiu3l8ONAUY387kFi8wCwYDVR0UBAQC
AhACMA0GCSqGSIb3DQEBCwUAA4IBAQBOPbjiBQ1jOEjfQ1Q3/DBfzFKxeL7Cdoiq
6l1psqamZRTmU0a+1qRH/qokB0gA1XeeYIZRcruthHDk87F+WZPCKIr5cqfH2RFA
xjDEkwgA8OZSdSMh+ZhBLBoGjZhFdnX/FknMcA23cLnzuv4RmsbiokwWrysebDNY
DbTQpa/OFvqmHmgXbhrBqUinF7gl1ppzXs/d+FjSg1aAre/lx3KEXCgc126kldS9
9+c//UPmltYB17ipVWBmVOyVHNphnHtqPElD9Gz1DooVZ1opsqRBh0APu7fqmm6A
5d/lvNlPrlu835/fgUF3YmyU+w4x5sQCBjprTD6QIbIzCXDXfpBj
-----END X509 CRL-----

52
tests/certs/TSA.key
View File

@ -1,28 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCivbbTCnbOqPoV
7VVP/KJzgslx8yfX9laGwTsvzqStQtG8j40ljR85WD/bgy3I5duebudg7JhOVH2f
aSqbh8SCzP4YNDFcseDIuHdoXi54POgW3S/wbe8l8P7g3btcBgnlXh/izhUlEMib
Q/8G8UZj0n/MgKMLzcXc4t2eQ4Pzw7xAPqoXBZ20Fg2rFBfUsDDLc5F7lpO5t1WQ
dXTYmF0oAL/HLmd+HKe5Xgp9jJ6XacesjWLnhRdZ06uUP9cgo+Jem4QZxeFhOtMe
KAf7JH3Juz2Gi0a+4dMSNzES4m8RAlf6pXh4kAh7EhMNb/Ir6ZpY8uKM7dtn38mh
1f59EKc9AgMBAAECggEAK5zB0P695hYcpyGqOjxO4LvM9m+eXt7SQ1ynWuF6+j+s
62ZhAg42rux6eH5IF82ZtHSuJyhgjKVR4RWS6IlS3WbINX5PODMnNUNSJLMQqwJP
hEkUXs9nRni2JVbmrfukTUaTLvnhasR7rjhjsN2Z6ohv3UMf7rrfapmVoKMhSoLd
jqvZ2ZoaT5mfTiK/5PDyWqrt/vmvE4VlipAsvudwozG5vQDEsCNDNUTg5OTGnPUU
i0xeQTioqzCcweIlEaWhj/eMHx/eAeZ6V0Evid/YwTDlbTqVDWZGLJ/phOnKJs3V
j+eOv7E2d1ga7149SPDIv5Y0YZ91v3M06ICk5o66gQKBgQDSM+YyR5YOJTSAuAcI
uKTc33wwCbPiJF/F1zLJDdPp2IamZQbuNIX/8fOG3Gho+OnfNAykMcr3rFrug2vi
9GhWDQqguYGh16xos+2zNan6P/s0/rQ4OfPIsTEGC8X3fJeMzZUNMvnyN/FXzzus
020o29gu59esEfGHEsvAupC3IQKBgQDGMqGLgrU4oW/5mmm4BZlwwkZJNMmFH49u
Qe4Ylj87SQduExJMmTfrmANqQXu7RXG0IxLcvhwMLVCCYAkvuBv1awsbg2yfP1Pn
Wb/K+5CaHaxnpwSpRiGaN6fnAPDl8PnALMVXtQGru2MMcISxOIFQ9slHth0lmaMo
odIPIL1YnQKBgAOSskUEhn5zD3NorWXujY7blabTY2VirOYWBFz6iTGeZpuJeBaw
ed6h5DvUn0m5gXAz2EsqNYMEQP9w6HKRKPzdd+LHhHaVze5xsIatUNhaIhECi1mx
Un2E1Yp+xLyyN3lDPVdeGHWPkeCmOyNy7JYXNpOFiVr5axuarC/4e+FBAoGAeuRR
/mshaufOwnnYK15tcdlEM4gjnAOhr7/5ng0rT9tMXBg/NHeckNxE4dGQouHASu2k
eHL4eSRv0ycxCwGhdF7XGEw5QdTGdaDUp0ussaLMj8ijv0HY/AKefUG8HRd6BIq+
Ik/9pTofhEsQO8LJjCY5T9m/4NyOqlcMJI0sWpECgYBvPLnutbBXYONVAE3jL05K
hWwenKpv5Aaa11ahqzhil2Tj+VOMtmvhsSc5loSG83qp5LtN4LxyR0Vn9AGN7Z+d
Ut6LHeZ/DMW3/RPT+1MIKm6WLNxgk5YvuCxprdpfE5tTmV9/t+t3Uao7TRsLPl2o
qAKz8Fvq0el5RW3EtAgd4A==
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDhMfTdugKYNDCN
opsz9rTpYF710kq3fDN3JdmEFPoZfhZ58CBm+iZBJRCc8KoXMbKAgAZsFaUyU63M
07fYIxJeu3CTOi7kFQRy5bfGrEOnTBMKUqR+KcOZNeNYtfkv4eca25AtTyziJeBV
TOqDoVG5x75ad0+Ab4xA9bhbN4+7m5jS1aJeHtj8eDBkJOIOKGbZ0WEstffAIzWO
qCC+YFqxsXLO2hOxRgxgpsY9Va4bynn6HW0FZUcUQGEDH0Y17o2KInSyYASad7VI
F5jjiJnAzzvU701URZ7kjJFGbT9W7523Ljytl/Mvg+5qTG5JNQjVDsWHte6j1Kq8
bAHpZ6NjAgMBAAECggEBAKDpXmv1FxeE61C5aSc3WMwNxaznZ+Y2RFwV2phrmM4Q
b6UP9Uc/5YfVIUrTGObb5w207WHcEZ+ldWIPwqUZYm34h5dcEtd9QSGMjcXTn7/y
NwTASrOvygk3HU1tMjKJu+ZQD3Sgx5SMtgCdplEKO2iBlr3z1QYULubX7bSYPgcx
7sOOpEpITayd8HdOkqkqUvLKxAW5xhL2AzBQHaJiGL/zaW0uKEoOVuTrhNw4+Lnw
2IYGrdXpGLAd6hno4kOg2ZkJKWA4Yd+adroeV3BjJ2G1hLJAbPDtS/uB4ZnT1zQx
OlkqiPgnoH+16I+aLOs7MvIwQ7VRdF46Exk/9qIdHEECgYEA/sUoOQya1/JgPpbd
QeAViTvu9vCFJCnJMkyobG/CVHRDIsNwE/CpaQE+vCn/LpUeKD1KCHIjTOvLF4HM
CHt9SECApJESIdexKGP6DVoW+xnomojN/k0YW1JkrnXqmvDw5u/nvFz/JPncKZzB
+Ahx6ocORz+t10V8IRn6SlN0E4MCgYEA4khANwZ0Ys0CwVJkx5+mX3ukgXGsLDcB
p1bGrnXhbZOiZxxeWjbR/7b4PyAzsoqxiC/F3RGnU5TEPGnUUeGWv8UFsVsgd8tG
QvTOC5iEio6fs/IPZK4Asy4a5ByX6bXjbqSnypN+vf+9lFOvI/+yZ9zKejdoD5Xw
k150XRhWyqECfzDDi+9fekPbIJDaT39MZNLfpd2eK93AIcJ+6b3XplqD5lXBErK+
Xa67jkZ1w2InKJ6LHKCBOECA4V6eeW8mM9Sgg/77xXy0zDPu7u2fUMa/LsZlaQhD
uWXBX4QFDeKaO4H4aWKkajGpoXpVhsry0tsQ/qqkhaGuqxOq5T1Uu+MCgYEAhz2J
a5mm+9ntmJ9m7kxDwnOCWX8X2QEzMtFRQ7nedoAzIw84cRCsp/myGwBjBYWRH4T1
6+9+Ix0Zv8W8iQeb8peNlHeTSyWpo6DueM26AZnGZ2T3wEOi1XRrzAQu4xa7jEhK
pG9M47+yjbEKTyimdx7lwO/WeOIze9CLGYzPaqECgYBfgaE2HpG0SYKfDy0ipyxe
p5ZoGQUXksi7WHSWSTl3tA/0NTtYKCHKb1/hRezjmdRgTuqBaV3y2nF1XmlKw9EX
nYx/xAfhnyh9K7EZEMtDP2zL6tV1sp6b4Jd7sbFvM/bMJBY6KtKx59Y0u4nkgcH2
gt3jad7Axl6C3faOfjzeyw==
-----END PRIVATE KEY-----

39
tests/certs/TSA.pem
View File

@ -1,28 +1,25 @@
-----BEGIN CERTIFICATE-----
MIIEzTCCA7WgAwIBAgIUfRjXKciCGA4XbhbhxbAwfpcLGmowDQYJKoZIhvcNAQEL
MIIEMzCCAxugAwIBAgIUBxGrWWn+gk2O0nxUeOQvpcu0HUQwDQYJKoZIhvcNAQEL
BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
dCBDQTAeFw0xODAxMDEwMDAwMDBaFw0yODAxMDEwMDAwMDBaMFUxCzAJBgNVBAYT
AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxHDAaBgNVBAsME1RpbWVzdGFtcCBB
dXRob3JpdHkxETAPBgNVBAMMCFRlc3QgVFNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAor220wp2zqj6Fe1VT/yic4LJcfMn1/ZWhsE7L86krULRvI+N
JY0fOVg/24MtyOXbnm7nYOyYTlR9n2kqm4fEgsz+GDQxXLHgyLh3aF4ueDzoFt0v
8G3vJfD+4N27XAYJ5V4f4s4VJRDIm0P/BvFGY9J/zICjC83F3OLdnkOD88O8QD6q
FwWdtBYNqxQX1LAwy3ORe5aTubdVkHV02JhdKAC/xy5nfhynuV4KfYyel2nHrI1i
54UXWdOrlD/XIKPiXpuEGcXhYTrTHigH+yR9ybs9hotGvuHTEjcxEuJvEQJX+qV4
eJAIexITDW/yK+maWPLijO3bZ9/JodX+fRCnPQIDAQABo4IBiDCCAYQwDAYDVR0T
AQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAdBgNVHQ4EFgQUKWCqogni
6SseJ/P6LXo0M2cK++QwHwYDVR0jBBgwFoAU/5nNuG4Tm4v2y9uKf428/4fVQesw
gYQGCCsGAQUFBwEBBHgwdjA5BggrBgEFBQcwAoYtaHR0cDovL1RTQUNBLnRpbWVz
dGFtcGF1dGhvcml0eS5jb20vVFNBQ0EuY3J0MDkGCCsGAQUFBzABhi1odHRwOi8v
b2NzcC5UU0FDQS50aW1lc3RhbXBhdXRob3JpdHkuY29tOjkwODAwPgYDVR0fBDcw
NTAzoDGgL4YtaHR0cDovL1RTQUNBLnRpbWVzdGFtcGF1dGhvcml0eS5jb20vVFNB
Q0EuY3JsMFUGA1UdHgROMEygGDAKggh0ZXN0LmNvbTAKggh0ZXN0Lm9yZ6EwMAqH
CAAAAAAAAAAAMCKHIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMA0G
CSqGSIb3DQEBCwUAA4IBAQB4YXa5nVWUzWSsUDMfYFTEETOe8boUErwfrDNBuj6z
B5en20FhI49i6PCYEfNq3vrAtPOEFJj+KPomN3C46VLxbUEvqWLdq6EyzWvVVmXK
VLeC0qV0m6CFM8GplaWzZdfFTQaaLUhgY08ZU2gp4QsoS2YjAosxlZrNSm6pBbv3
q+Og1KeSK8gKS0V89k+6e3LOEF6KaNWKSkoz5xDniQY//mTjiDcNmYUh0KhHfhdU
eO92M82uJSaDqnRs5HsWPs6z6qdfpuvj++OtQ1VCM2p5SEH2sEomdeN3YYChuG4h
yzn0mYAdbTyGJHlFm17AH+SQRbVqCKYdHDaqsMb+fWzi
AQ8AMIIBCgKCAQEA4TH03boCmDQwjaKbM/a06WBe9dJKt3wzdyXZhBT6GX4WefAg
ZvomQSUQnPCqFzGygIAGbBWlMlOtzNO32CMSXrtwkzou5BUEcuW3xqxDp0wTClKk
finDmTXjWLX5L+HnGtuQLU8s4iXgVUzqg6FRuce+WndPgG+MQPW4WzePu5uY0tWi
Xh7Y/HgwZCTiDihm2dFhLLX3wCM1jqggvmBasbFyztoTsUYMYKbGPVWuG8p5+h1t
BWVHFEBhAx9GNe6NiiJ0smAEmne1SBeY44iZwM871O9NVEWe5IyRRm0/Vu+dty48
rZfzL4PuakxuSTUI1Q7Fh7Xuo9SqvGwB6WejYwIDAQABo4HvMIHsMAwGA1UdEwEB
/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwHQYDVR0OBBYEFHnEl41jHza4
2tqVE1fctzcQRFMNMB8GA1UdIwQYMBaAFE6fD2uX/Q6n9KjFBO5tB++jGixmMC0G
A1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly8xMjcuMC4wLjE6MTkyNTQvVFNBQ0EwVQYD
VR0eBE4wTKAYMAqCCHRlc3QuY29tMAqCCHRlc3Qub3JnoTAwCocIAAAAAAAAAAAw
IocgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwDQYJKoZIhvcNAQEL
BQADggEBAKMnM+tX2AM6g9SSAbgAz25vHRs+/hzZN2EMZOz+ZsNZufRwRbDH4eC5
mm+s9PKw99vk/67vJk+IxfOLsZSleRX6h7DqXKhh5j8S/IPfOuIxWUfQGMlnfHNt
IdePg1vIQCwcj998e0NIdnioSnGrKRay0A1Y+7zY+9B8/sRCAamyAFyqjG5UG70q
NOZcuG52+ZHYfA3poW4MTBWTi+k9tK786RpRWj+I1ORBAJIFZ1SRzPQ5QL4XqE14
iKowHAJbo1/X6Xr/SW2B+oC+p5jmONRi/rwHnUEqWbkbi+CKWdlI+7HTApncofLi
JVHLUWz0r6IIp0mHrMwoI94yZBVXje0=
-----END CERTIFICATE-----

30
tests/certs/TSACA.pem
View File

@ -1,22 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDkDCCAnigAwIBAgIUJ0nfE+EVsIThltlY2LHVWMJVIq4wDQYJKoZIhvcNAQEL
MIIDkDCCAnigAwIBAgIUf2df9lAckuBxsAT7UktJTpH8H3EwDQYJKoZIhvcNAQEL
BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
dCBDQTAeFw0xNzAxMDEwMDAwMDBaFw0yNjExMTAwMDAwMDBaMGAxCzAJBgNVBAYT
AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxJDAiBgNVBAsMG1RpbWVzdGFtcCBB
dXRob3JpdHkgUm9vdCBDQTEUMBIGA1UEAwwLVFNBIFJvb3QgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGOTX1f9dmtUiyzlsUInRIGfRMya338SVx
vYGeOwdpTSSGlYUVwR9AuFewQF5+klelstCJe+SoUG0AdzS30mRWlQrhip4UdvdW
T2gkNKbSn6DQzlWoQej9izqRLxAsbuszgkvnLOBEmPaLimDsCgu0bAN95Hp0Hls9
O/fVmzh8VuV4iscxc7q13ZB7CylWgwd55CFEGd/jpJ6kMwSHbOLoBWp4GQ3KxR+c
ASAo0FapU2WSZB2EYWszRiyq91X+AvIYN4ypTv7RccgfUvnZ2qFykJAkf/wgkynu
Qg7rCUNfUEpDc7jlqtDWR7iLrtHBkA17C3IU8ymmKQYWfw3ZyBwvAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP+ZzbhuE5uL9svbin+NvP+H1UHr
MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAbj3aFwIUxvzwgywO
gj01JM8GNbw1E4MGdkaNI8rgeY8ay15ZXhR9NpRWWb6Y7IXPq5XhuEktVte5Z4Kf
XLBrr7Xe9VVqJL9zd1tMzOEM/zG77rZf/iXBTZLkCtQc/GOEY4TTWKNEl5hiWVE0
po97GX5XHoeyHlWQ75sd9z6MxFxmvdp9/uyYD700e9sd5gcD8LGvHw2DNy8vntYV
ia9h95N9i1umffxU460o8W5GoIcsD13B3YftvnWhGSXqovBRFgcPAQZ4eW9Qh/zA
4zQBQrRvmREPihXVdgtWVpbRchP99oSZBrYr7Hh/P69rycklquqxJl1ol1wbT6dK
S5Gmng==
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDH7Zl2oFIq75eVCHtPSH5apYifPyFvIAnB
J8D3/ylM+Ll5X0/mBkyU5yR7CN0T+WsroWmkkGLuDbrqRrGG30Zs6/DIgHnLn25l
rM/6C4B3TApIoBPLqLWaYd0EUwn5hyh5vJdolzCwZtr3swS1BZ23WlPXXWIO8F+m
E5QZiFWqjufoHWECyoa3OwJ+U/UcR+Tr/HnlBXaZswTJdr91R9imWZgAE6EF6qM5
ZnzNqgsjKPIN62FIcL3SD57CcR8fYvOAHGlY9r/CoDMuAs64wp/+oovC4J8WHvqV
xg/z32V7osNq4ko9IArTDESj1ZlL33uVGy/GnTAMZv1CKFMrCfMNAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFE6fD2uX/Q6n9KjFBO5tB++jGixm
MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEArE8W97mfL9a8NcaX
UmJwiBsoA8zGQ1uWV051JHuW+YbC1az2pRR0kXOLkXeCNhwHfxb8pvEjOToa341K
5NYFSRPJVkR09AaF7KjuLzZO821roxbZPPbS8GsFGJ5GbLe6F8EW06rCyLN03Y2q
bOAQvAof421193HIO0baBWE13QsLk2wQEYyB/Yld3919ub9plQLxapojRdK2s+cY
Juftt8hE3UDlfQkpnVbIpU4Q/LFtPztfxkcd9rkz/kujH+juBd2UnirjK3n86ReU
1MM2QvtnMlXyZiXHujrOkWGS57KaYdkDAV98zWk9Bx7g6K97cy0JPdBq2cnucUJw
0mCOiQ==
-----END CERTIFICATE-----

BIN
tests/certs/TSACertCRL.der Normal file
View File

Binary file not shown.

15
tests/certs/TSACertCRL.pem Normal file
View File

@ -0,0 +1,15 @@
-----BEGIN X509 CRL-----
MIICUzCCATsCAQEwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCUEwxFTATBgNV
BAoMDG9zc2xzaWduY29kZTEkMCIGA1UECwwbVGltZXN0YW1wIEF1dGhvcml0eSBS
b290IENBMRQwEgYDVQQDDAtUU0EgUm9vdCBDQRcNMTkwMTAxMDAwMDAwWhcNNDMw
MTAxMDAwMDAwWjB1MCUCFDF3PBReAxISf9HM7Bt0q3GUuBgmFw0yMzA0MjgxMjMz
NDBaMCUCFElwGj3lGrX4Xg0xaO+y5zAR4MnjFw0yMzA0MjgxMjMzMzlaMCUCFFcV
Ys5TRUZVMGFWN3Et/yQQme62Fw0yMzA0MjgxMjMzNDBaoDAwLjAfBgNVHSMEGDAW
gBROnw9rl/0Op/SoxQTubQfvoxosZjALBgNVHRQEBAICEAMwDQYJKoZIhvcNAQEL
BQADggEBAEu9tNvUMHJ69vCPdJH3FUuGPHuTyC32aLBoV/g/t9OD+95fDwwijKbX
QcypdgGEp4KEH4WQQ8JyhScgxd3gjnNoB9ITIZ14eZ9uslIZPaQztMDqvzLZcsLf
PXWWvCs8GO1K30VVqVual+OT8ojWBAgF49rg2OZX4JUAhXyaP360MtWEWVNghRwk
FhK7q6HOaNtxrIar1ZuDkvqEvmaEexJ/3HOGAM0DWmhneO2hIpCAfpYnGic66I69
17FQWE6WLTS+Hjc8qQEDPeGsSK3NWhGiOKDr1Zpjae5PknghxzfxE8u56t6pMBHj
DWYGMc57TpovDpTdla7YipkVxSrTkhI=
-----END X509 CRL-----

28
tests/certs/TSA_revoked.key Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDPPtqTsdzCK99B
5zSNIiu429Tbc/S4Aa9eSsbjcefTy7NkCPankl8QeBIvQ75P98qH828iDlSH2u3N
Rp121r9wjEaM3qmkkyP0oWwjoK0du6y3hI59rHhOt3FqO0ec40Rf1yxrCKE+pCMd
TI+Ifozlxe/T7FhwxLjOIBIt4gDF6sOn06ToTC1CoVi/nd9E5vgKjuQW0F1Y7Hey
Ft64YStUXxvLB03mw8+bciZI3BQGrgOD9CCTWZVK7OO147qc8TEoQle1xKISM5wh
vaHbNUuhMRJG4qVyrZ54BICRW7r5cJZBBDVc5i1XD50Nup4wIjJtBAnPZDAwEwac
XZ53hHAPAgMBAAECggEAeGmume3XtEHFYAcz82SNPsULcc53u4nPGNwdnv0Jk3dh
bZf/p/FVpr384tVbeB8i38bDJWhqGN1NGd4Tk37GkGAQhbzBmEudsn8v06uBqirm
+WHdYIubAzF2hiCXRUKO8ZiVyEKlXT4E4Psg0k+lEcPlyp4h7LOAJNNhfKM5i8QF
3K7Pp/VcFqtwJSmu0vSycJOJWyUfqRLxgWS95r2EG1rwD46KFBCoHOa50kiZFdiI
q2h1XOiXtdaG1yn6HRS75gV4CR+MCGkczs9onSl4IpwNlq595NMCujhFcHjjKzwV
F4E/83ehtj7WruyNFwrFbabNAvLSY8nVBHabn/3L4QKBgQDrYHKn0njihjbaPT5v
1yoJyz/1eX/fscvDhQFvhQoirk/A3iSwOd1jszGvvYxRnfRnLDOszTCq/+CRSv09
sU7ECDcJPFJY8GzDMLjoBJRDtHdsFjU6tliHgyXFVpu46sIt0Z03Wglowyytc9ws
9e5uf3xolNbhdLTWfovoRp5LJwKBgQDhZ2qWOyGkVyuPn0GSVJVnOgK/PUd9b7Ze
R77i/P6sgp9d3eAXK46oYJM+6TPnQwZYE9CHUMMqHmtCm2iHqCEitZ9mvZgPt6p+
sR8HxJ/JAowDB8mOQ8usd/1S0M5e8SwSpuRajkYw0cndvwn+ezAlKsZyCN6sm73B
3ruQvVjk2QKBgAJG6pUJCjZWyg0Obp4yXKu/lZzQUhZd5/S6QqtLhC+VtBvPildS
F/ww7Zgfo03e01B0MwPG8GOXGhsNuKlyH6rx0WZ7eOh3WvYAcKl98dk907Ht/RHW
VcDp2eGw1szRKJO85WJ1soWa7cG3zzd4IZhcD14LopCHyoAQtVXH6RwdAoGAddQM
yNnCXVlgIST8LxVeQGb31qae/3htWd2hcKEWNHHYA0agBRy051oMvv9DLapA37wD
7yiNzS+3nEsHGpsOL0nIOPn1SooVa0MF2Ja1fGuDa3Yfq+nOx6q11xvmNYVXJ6zs
hFYJZS3Vm8Bo5gnZgiRZNnViidKkIHthi2kf1gkCgYBzaNgT4fbNPpgia/Vz3rd9
UIYpVzMEP6HkTVYXQH+qLzRpjl4HG6LanMbxtf/0MBHBwtEyVftKopgvkcJCDUCS
Ls+BYieF547/2W+pnV7lbz7eD6w2o7zNPNj/l+RB2PXgBZGQv1N4HgLsz+yk7eyI
s3UnnC/9NhgSMwB82OPX3g==
-----END PRIVATE KEY-----

25
tests/certs/TSA_revoked.pem Normal file
View File

@ -0,0 +1,25 @@
-----BEGIN CERTIFICATE-----
MIIEIjCCAwqgAwIBAgIUVxVizlNFRlUwYVY3cS3/JBCZ7rYwDQYJKoZIhvcNAQEL
BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
dCBDQTAeFw0xODAxMDEwMDAwMDBaFw0yODAxMDEwMDAwMDBaMEQxCzAJBgNVBAYT
AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNVBAsMA1RTQTEQMA4GA1UE
AwwHUmV2b2tlZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM8+2pOx
3MIr30HnNI0iK7jb1Ntz9LgBr15KxuNx59PLs2QI9qeSXxB4Ei9Dvk/3yofzbyIO
VIfa7c1GnXbWv3CMRozeqaSTI/ShbCOgrR27rLeEjn2seE63cWo7R5zjRF/XLGsI
oT6kIx1Mj4h+jOXF79PsWHDEuM4gEi3iAMXqw6fTpOhMLUKhWL+d30Tm+AqO5BbQ
XVjsd7IW3rhhK1RfG8sHTebDz5tyJkjcFAauA4P0IJNZlUrs47XjupzxMShCV7XE
ohIznCG9ods1S6ExEkbipXKtnngEgJFbuvlwlkEENVzmLVcPnQ26njAiMm0ECc9k
MDATBpxdnneEcA8CAwEAAaOB7zCB7DAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQM
MAoGCCsGAQUFBwMIMB0GA1UdDgQWBBRWRawwlcW57baAiuBVmi0WFKIZqjAfBgNV
HSMEGDAWgBROnw9rl/0Op/SoxQTubQfvoxosZjAtBgNVHR8EJjAkMCKgIKAehhxo
dHRwOi8vMTI3LjAuMC4xOjE5MjU0L1RTQUNBMFUGA1UdHgROMEygGDAKggh0ZXN0
LmNvbTAKggh0ZXN0Lm9yZ6EwMAqHCAAAAAAAAAAAMCKHIAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAMA0GCSqGSIb3DQEBCwUAA4IBAQCQbgXQtFr5lWjs
tzlGJAuZfIq1f1arWWrJNSHrha9RUtm6uMoh2aMYByfEcopB9StqMo8QH4yS4LGZ
/6B81EF+dugIIb9BrE00ASgXxZ6aGGAe79VwqdG8DXp+VgRbBQA87S2KeSN8wfm+
G2AGRZF0JWS4iW5kGgrqeC14IN1FajHklrh7rOIwo/h7uVIOINWtQnHyBjlCQ6N4
OTFFgtIOY5KXtYM1A+Gx2nt3uZnEh/U/ZxHslUb55O017Qfkbf11JXFil4+ZfqMx
QuRuwMAWlyEg+1UfNae4Sg3XqPheshBzZ7ykwKGZZPeA/8kKfbXoE6Kdy5HmT/El
8e7rP/mN
-----END CERTIFICATE-----

BIN
tests/certs/cert.der
View File

Binary file not shown.

BIN
tests/certs/cert.p12
View File

Binary file not shown.

62
tests/certs/cert.pem
View File

@ -1,46 +1,46 @@
-----BEGIN CERTIFICATE-----
MIID7jCCAtagAwIBAgIUdLInHjkevRVCr7I78r5++6eSrZ0wDQYJKoZIhvcNAQEL
MIID7jCCAtagAwIBAgIULWwn/gLcPMAO/7oGqx5A306mxckwDQYJKoZIhvcNAQEL
BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0
ZSBDQTAeFw0xODAxMDEwMDAwMDBaFw0yNDEyMzEwMDAwMDBaMIGdMQswCQYDVQQG
EwJQTDEZMBcGA1UECAwQTWF6b3ZpYSBQcm92aW5jZTEPMA0GA1UEBwwGV2Fyc2F3
MRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNVBAsMA0NTUDEUMBIGA1UEAwwL
Q2VydGlmaWNhdGUxJzAlBgkqhkiG9w0BCQEWGG9zc2xzaWduY29kZUBleGFtcGxl
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJLJ3Vty2lgJw+5
ouAV4ZqkIwvfWPcE7zD1CfQIL2802jVuCSTkN9cfFVYMKFEPJxQWJAKoCzr/Ux8z
Yt9BXO5o39+z7umLKmc6pfrZJ6kG4msrMjZv36LsCQyfjUc1O9H1aiOQEvRQY2pF
2v5dfqRMrAqH1ESQHCggUBjElWj9oMFax8jyO7JxTzuttOb6mhDmqz4q2u4LwZGH
lBofgOAB54Mlv41x7dDh85i/jayXuYYmsjRwCuBAn14+D2zImyPDx5UaUJJMzujo
QriOZ4KU2dHRgy0+vd7ZbrL1kRY1axyNQ+jBk7UHnlZZ2CCkhBoZIM6ez3ljPwgr
cpg0RtcCAwEAAaNiMGAwCQYDVR0TBAIwADAdBgNVHQ4EFgQUBxPEs09WXDxGqb+D
WTFgcUQd0AEwHwYDVR0jBBgwFoAUngWsC1vhQH9qDvTZRE+KJ33vOIswEwYDVR0l
BAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAKK2e1s1puUFbNjglopi
mKZ4Pks2zb6LVUGG6Q4XQ1dWe25ovt68jWv56HFyCMI1N+L8q0+Ku2eOfLObS7Ej
FFRUWEIXDgipryDTGzoWRM380fuYpL/j7Rt1/xmIHWTFibf/6gK/naRXsFH3dEbb
7DDWQ5pAd2d60dB+ThUEIZQTQd/926Kuk5oESvP08fXMYTuiYARypG1gmiuvxQ9N
mDJP6CHxyJR/LB4tb0RAqnLkVsXVBDnRYWdEvkuhoqTtbhVzVbL3mPeEmVYypxxd
NdrHpU5zmxFSin2T3F0TneNcT+MDV+dQcWyTGNYs/fnmo85LsiakJixGv1qx8PTs
8iE=
LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64qSULdxvTp7A4
2dl/JbLq7GJ4ZcPbtfUyvVTB5WuntN08bpgnxljON0Ig9lFpN2OOlms/SnodlE6Z
O8GY8kYu/aK3zHIHp3EykzRP1glf7ukcCMpcSaS5VUho0QQ9PVvvMHVNtaQ00r2i
34m8DbGj4aRUNI5eA6Xlzz8QnhvCgtRTVbp5ZRjxo1ZNq2eEZxa6UnFshlx6i0/o
kYPrdKTIvUv2zoRFd9H/7+B2Xwse+qppcZe0BiKSa4l6PrL2iHteYE29ggLLSqe+
zavGN7Ev7jP+bZLU/5eq58SBy8uFBDkh1FvZEPAnJ2X/vwNzySi6KTliCPc9Jf5G
wSJr+5MCAwEAAaNiMGAwCQYDVR0TBAIwADAdBgNVHQ4EFgQUVeUILLpF5PWz5rAD
iWzV/2oEP3UwHwYDVR0jBBgwFoAU4/q/jYQJtVH8CIsNnt/ZYq1hcgswEwYDVR0l
BAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEBAHckjLcj9mswr08aF7MV
EZTKKh0IOaHj7oh6vLR5Yg2n+E+9Gog/+ulbKXNe/5A9QU2R1NdwZKEeUeSuF4qW
P3JB79BepgR6/VYKyVWH7St4ixy1GtNEFrHWsID212Jd0Rr3+kc9OJUO0aw3nvg7
Apsr1dztjwlUN2ugLzVoDJ2wMqlu5ZQW8pINIYet127cX5knW/acPCPcqPVD7jmm
C40xgqeKD2a6OafSS5hjO4UeCoeHnXlJ4Sep8wz8VDlu39Hr4dwFm8v9MuvBusCr
/sdwzTRAc6mhBL/4PyJrBRhibbTxSaDKBHeWcKpmNp4DIk1vc8h6yhDUb1fgafgX
7nI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgIUUPCDF21g2spK7557HZUhqSxBltMwDQYJKoZIhvcNAQEL
MIIDrDCCApSgAwIBAgIUXhcDbb/3vPpWoFCmesKw0dazbzIwDQYJKoZIhvcNAQEL
BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAyMs1XoC0NUT5YgydibOrE5SWBKk5C47B6tv6gA4t3zZJ
wejaiPkj+aTIU3Ww5DO/Gpz0GuqCHNBczIw92Cfvv8kyWzUy46bRkpBJLFav0JXS
B3xQaPlHWeXqMfVAGuM5ExT4CjjYKFsrgV1Q300thCHBhvr8TPekDIf+6J7NSz1P
062pYgypfqsA8OwKaQbgOL9v4QRmHoolnEDc1dK/FS4f3p9dlifl7kcSVGQK0yit
7Uncn250icCxMxS3MOE2NfuplUOSN6h6poWNGUsx00O7Dy9nUndUwJRpFfKXTV3v
GtlmFLNoho+ss/usnxjxggWBcRtKhqd8nGSJUlzs0wIDAQABo2YwZDASBgNVHRMB
Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBSeBawLW+FAf2oO9NlET4onfe84izAfBgNV
HSMEGDAWgBTp7DHcMiltHw6m0SYMWVg0QtGo/jAOBgNVHQ8BAf8EBAMCAYYwDQYJ
KoZIhvcNAQELBQADggEBAD/FBa4stJGd/Acg2E2soI071B/l9B7FiqIRpCFuLVC4
1m7TIcjioIpZrxXwE1Egf8A9/6D/kKZtWnOljcxtPBEb+1/gB61M381RIgoMQ/Pf
7XX2yakk6mscUjbSTR//Mj1sYOs2r6ueZBp0whzF9nVvA43G6WMpf6XZqmhlg/oV
ynytW1Iu1SPoru3y8dX/lsukvKCak7MAp1eBcuUJxS56DnKcV9xgC30m3g+CErI3
qsOJ7lcfDP6fDjy7MfBsZBiY64MqwlDjjn7+Pleo69JedMwurHLhKnfm07DBPy8X
+EnQk61xHEjQtTsddXyQGQV3yjqylOF2AgsAf256uuA=
AAOCAQ8AMIIBCgKCAQEA3FMSnznxLiZh2qZ2M4/Y3FcqzNy9XxE1DG5ahUoRifCe
LWPGvREPG599ds55MesKqAPo1xAyd7hpQmd+IWzQhvDQntR4BkCQv6PoHQ2WO9co
CfQ59U5h4pie82IROPHMg31PNYF7MVt2cjBtQco2wvL7XLroYo5nmi20qvsNh53S
nJ0vGsIhdBd5UVn7S5NghHYF03cmFiZVuSvN3ovFl1k0iIH+eJdfYXBiTqtcUCAc
0+ngTui3LWd18QB6M6HYdT1a0MihGs1g0RE7ni2C5iwBn4FOe+eHzZOq5AcWVGR4
ZSvDc+6O22sy0esBYsPElJBnQLOPyIRwd4B8MO6PewIDAQABo2YwZDASBgNVHRMB
Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBTj+r+NhAm1UfwIiw2e39lirWFyCzAfBgNV
HSMEGDAWgBRYinOUkj6959wnBw0YfDBGaz/adzAOBgNVHQ8BAf8EBAMCAYYwDQYJ
KoZIhvcNAQELBQADggEBACn3BOVCATol6TC31cKPvh9hOOq9uvgREGG1paTmZNhe
JsrIUkD2KZN7dpAJEJF7uu2LaCm0F5VqQUj3SdYHD3neHiOeO8jzgM4BWgqZ3lZc
FQfGbNoR4QQMADMJYKJ/LCRjBKUrHDvkvuQHkb+y8yUg1UtNpeH3cFty2/eo7VWD
Su5Jd1vVIo4XkQDBPr5UR9LVSMfhvhX4pcvijmETTEYn3ZZ2KeF1q5JC1Le+322Q
xwgVhiJak3GUh06mYQf6qFSRanu78Jeyw8IlsS+o8V9W+dqYYDOENDYNJGB5MaS/
yAA20r1RAb2RmPPbpiPjR2FKzNDxu7nHd4EecbSevdE=
-----END CERTIFICATE-----

BIN
tests/certs/cert.spc
View File

Binary file not shown.

47
tests/certs/cert_crldp.pem Normal file
View File

@ -0,0 +1,47 @@
-----BEGIN CERTIFICATE-----
MIIEPTCCAyWgAwIBAgIUZp72ahjzVryMA56ev7+Z8Rxyo2kwDQYJKoZIhvcNAQEL
BQAwZzELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxHzAdBgNVBAMMFkludGVybWVkaWF0
ZSBDQSBDUkwgRFAwHhcNMTgwMTAxMDAwMDAwWhcNMjQxMjMxMDAwMDAwWjCBqzEL
MAkGA1UEBhMCUEwxGTAXBgNVBAgMEE1hem92aWEgUHJvdmluY2UxDzANBgNVBAcM
BldhcnNhdzEVMBMGA1UECgwMb3NzbHNpZ25jb2RlMQwwCgYDVQQLDANDU1AxIjAg
BgNVBAMMGUNlcnRpZmljYXRlIFg1MDl2MyBDUkwgRFAxJzAlBgkqhkiG9w0BCQEW
GG9zc2xzaWduY29kZUBleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAL64qSULdxvTp7A42dl/JbLq7GJ4ZcPbtfUyvVTB5WuntN08bpgn
xljON0Ig9lFpN2OOlms/SnodlE6ZO8GY8kYu/aK3zHIHp3EykzRP1glf7ukcCMpc
SaS5VUho0QQ9PVvvMHVNtaQ00r2i34m8DbGj4aRUNI5eA6Xlzz8QnhvCgtRTVbp5
ZRjxo1ZNq2eEZxa6UnFshlx6i0/okYPrdKTIvUv2zoRFd9H/7+B2Xwse+qppcZe0
BiKSa4l6PrL2iHteYE29ggLLSqe+zavGN7Ev7jP+bZLU/5eq58SBy8uFBDkh1FvZ
EPAnJ2X/vwNzySi6KTliCPc9Jf5GwSJr+5MCAwEAAaOBmzCBmDAJBgNVHRMEAjAA
MB0GA1UdDgQWBBRV5QgsukXk9bPmsAOJbNX/agQ/dTAfBgNVHSMEGDAWgBRhu0A6
SceOaK7eXw40BRjfzuQWLzATBgNVHSUEDDAKBggrBgEFBQcDAzA2BgNVHR8ELzAt
MCugKaAnhiVodHRwOi8vMTI3LjAuMC4xOjE5MjU0L2ludGVybWVkaWF0ZUNBMA0G
CSqGSIb3DQEBCwUAA4IBAQC2yNGXw1VZqBWY7cnJtiZpupKYCifRC1dEFlKcozpd
dhWHDKpGDCzqaL/WKpqFjOIrCbG6gsfB+nu2VQv4nE8lwwelMgpeVB+v197A1SvE
wLl71R5a7sxF0x5aBdUyWeCTeBLu6KuWQrpPcZVM3uMqhqCJ8CiSUtS1cKn1K1K0
KRSgFTs4AFUc0rOa3wYvytps4cw/TyDXArlvGVMlDHNLffEsx3vElZafaGvyEK0J
TsBM2dakcpP/ceuJU1gd8hLadzjfKOFml7z+qHfUa/mky+veK2M5vKn1ph55qYHc
WtEY/wwBjgqE2VseqMLb06J3tXmTKgESGXISAnqoau+t
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDszCCApugAwIBAgIUdUqeYLe6em9A4BIXcQhE2lS8KTUwDQYJKoZIhvcNAQEL
BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBnMQswCQYDVQQGEwJQTDEVMBMG
A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eTEfMB0GA1UEAwwWSW50ZXJtZWRpYXRlIENBIENSTCBEUDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANoHRxZ1qxQKLm8MLYswvTf9FBq05unFxE9j
nea4njWqBkg3cT/jZo2sDHlkN+q3BFEL/K+mej0/LqfW6eXrskHj6OLyXas2/HR4
UYsby8djwazvt4LLiMS5yfo3GlRv5p44F1ruYu7/km7J/6pUxQMB+lTXKA4TzUWe
n/xa2xGm0ZDXvQC1GlPJ1mD/fm0JeS6g8iMdTfvKPKKFMArz+wGWBiqbAKnmuDfp
J3j64nWyRCArH+tGgvOmqkXAUBh9A0T1AfdF1Q5kFKzFq38zKI6lPELo0qEio9SO
W+aOVVDtknTXmqKtawFyhn2e3UEzISYmFv2Wfc/dLnmBzRLNR9cCAwEAAaNmMGQw
EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUYbtAOknHjmiu3l8ONAUY387k
Fi8wHwYDVR0jBBgwFoAUWIpzlJI+vefcJwcNGHwwRms/2ncwDgYDVR0PAQH/BAQD
AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQBJ69rsOHP4qKnu/wRS/D3fV/voLHB624Rg
RpC4RshZMPVL60LaouJo1GMHj3IwyHVHGFkTxGYP0IIgcMUCnkmpSfX1tahYU+kB
4fSCxheLg79g2y3Z1jTQxFOvRjn5t4BIk4Rq4o9E7n1x+8jcaCBSjmna9j6i5lgA
QjazvdXrhhgrkvvMtk2wtk1laiHUHFgb9zxzNhhZFzy+QXwQv+Zj1N0swKfTP2gK
Rxls7e47SnMdvthINZpdvUwT5pBZnMKHqgQK6YbWcopBpuw7zOTJp6Ghqzqzwa4d
CwUtEB7f0e7dWeG7DFJ2cNPcpXaigNtvfdRR3W1RduX9FCODihFF
-----END CERTIFICATE-----

30
tests/certs/crosscert.pem
View File

@ -1,23 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDzjCCAragAwIBAgIUGjZdQYlcAtlqZOsQ7eWRimQ9PIcwDQYJKoZIhvcNAQEL
MIIDzjCCAragAwIBAgIUKUVnRllbtypXICoznroWil39jU4wDQYJKoZIhvcNAQEL
BQAwbzELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEMMAoGA1UE
CwwDQ1NQMRIwEAYDVQQDDAljcm9zc2NlcnQxJzAlBgkqhkiG9w0BCQEWGG9zc2xz
aWduY29kZUBleGFtcGxlLmNvbTAeFw0xODAxMDEwMDAwMDBaFw0yMDA2MTkwMDAw
MDBaMG8xCzAJBgNVBAYTAlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNV
BAsMA0NTUDESMBAGA1UEAwwJY3Jvc3NjZXJ0MScwJQYJKoZIhvcNAQkBFhhvc3Ns
c2lnbmNvZGVAZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDJU6WNMOEoErLYb5Qc7jsvVgruPM7DJTZ4vUpJNYAyprSDHciaKSa4SiYS
84Mxc6tzBoJvKOAwpxzzONOqPVWUd5J244urgvfHgSGWsbA8bakiIYlETopnecFk
B3ZELR33CPqIbpYYMYujhPGFa1xxZxFykJ1iBhZ8Gh3W4wHi/2kW6hTQkihMtUPP
Xxc2XWACj/tz22OSdgNZcIfhXiy2HOuPch+0UlDR4UmlJIR5aet1y832hHoeeevo
qfhfGOm9rRf9nyxKDwTyaN7JVOb7A1k6KJEJoe1zfIwT56mgoA433iUWFMLB6hKU
be3zV1vGjk77Kk7atcvEMTRq+rwHAgMBAAGjYjBgMAkGA1UdEwQCMAAwHQYDVR0O
BBYEFEXgglEcDh+8oCCvjlxrN/Y7C4YwMB8GA1UdIwQYMBaAFEXgglEcDh+8oCCv
jlxrN/Y7C4YwMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IB
AQBo8UqUEjxGQCVU/IgphwKA8Rb/uAyBYm+AjqFDs82lA6ze0n08Bj+eciVkxscA
0deivOC1sDD88QkLzSQ9CPk4e7+m7nx5SFUnUWY+o3ln+cTbGSM0jW9hme0LtHXX
QxDSKDBhQonRQk7lQ+TwFR7ol+y5SdZy7YQ+v/25qO6MMQgSPykJIa4vF7lwrYhu
qL+1MJx/ryTbCUExcKNNkWHZJRc9ZvtdWEHYpBSZl5xmJdKMLnHAu5uv8N2pezzp
PfujldZky7bnERaTM+bf/LvKXS8RfQGrCLu9QjgPVa6ysZV6gXTsEtwYh64vucjS
s7IhdLxfiT0xYkK4JWrRLc38
AoIBAQDFCjBrTLeh9wyMb6tJi1SMz+Pe6Eb8SCg4+soxBAu1EEVo4Ao810j2NVdc
aoQ2Ki097hl9LHcA0DMT8AFRHfXMXHSSHoYHsPcwHO6RJHXcDE4fSgkl41GtCnf+
qUOA+QZUqNNKNOELUHboydFMytNGjuSaO29BObkiHCRB8gnfKuqGZn9YrfU8AoGu
xv7RzKgD+uC/dTZSONAW+h7TuRn4/qtqTqfk5SnmTeEDbW3lyYLToRRKUKcYR68a
lT/IZ2cHCrZMqvykR2cCMCARbTyI8ZQ6ogzXS/tncJYu/RTtEoKiN1EweG5R0cgU
G0xQISw5RXMUSgWkWUL8rYpFcmahAgMBAAGjYjBgMAkGA1UdEwQCMAAwHQYDVR0O
BBYEFBt9u2LhSzaQrQLcja2QtFexM2tKMB8GA1UdIwQYMBaAFBt9u2LhSzaQrQLc
ja2QtFexM2tKMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IB
AQATfeXQ2kj+97IHUOtFZTjcIH47U6k8Po11WD+Af4PRmacOKaSv+rlmgpgHfQJV
nM90mxUvKzaoJeId/yR++U86rcu8a87njHoyDzx2HMcc47P/2VkErT9W4gyJE0Ws
JyIR0k0XZiYJ+pJOSjnd7SY2gs1oBT3+Go5TyClAfzAP+U10fK52q802XNPw5MY0
LEyRqCH4QYb71Hd4kGqROVy1EPv18d26apD9vK/zZuvOsbz23l0mdochYrtmfAA0
LuNwefIgxzki22+bZe7lJyuV5WsqSNGVty+fvqmw9JUfzeOpIzVK/SxqANJnZBBI
kapgFmTwk4JEfB3n2WTmbs9C
-----END CERTIFICATE-----

60
tests/certs/expired.pem
View File

@ -1,45 +1,45 @@
-----BEGIN CERTIFICATE-----
MIID6jCCAtKgAwIBAgIUdtBZJAw8/6JVNMiQpN3PEROI8rowDQYJKoZIhvcNAQEL
MIID6jCCAtKgAwIBAgIUW4SefwoiLUfTBaHpZyd8knsGVBswDQYJKoZIhvcNAQEL
BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0
ZSBDQTAeFw0xODAxMDEwMDAwMDBaFw0xOTAxMDEwMDAwMDBaMIGZMQswCQYDVQQG
EwJQTDEZMBcGA1UECAwQTWF6b3ZpYSBQcm92aW5jZTEPMA0GA1UEBwwGV2Fyc2F3
MRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNVBAsMA0NTUDEQMA4GA1UEAwwH
RXhwaXJlZDEnMCUGCSqGSIb3DQEJARYYb3NzbHNpZ25jb2RlQGV4YW1wbGUuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsksndW3LaWAnD7mi4BXh
mqQjC99Y9wTvMPUJ9AgvbzTaNW4JJOQ31x8VVgwoUQ8nFBYkAqgLOv9THzNi30Fc
7mjf37Pu6YsqZzql+tknqQbiaysyNm/fouwJDJ+NRzU70fVqI5AS9FBjakXa/l1+
pEysCofURJAcKCBQGMSVaP2gwVrHyPI7snFPO6205vqaEOarPira7gvBkYeUGh+A
4AHngyW/jXHt0OHzmL+NrJe5hiayNHAK4ECfXj4PbMibI8PHlRpQkkzO6OhCuI5n
gpTZ0dGDLT693tlusvWRFjVrHI1D6MGTtQeeVlnYIKSEGhkgzp7PeWM/CCtymDRG
1wIDAQABo2IwYDAJBgNVHRMEAjAAMB0GA1UdDgQWBBQHE8SzT1ZcPEapv4NZMWBx
RB3QATAfBgNVHSMEGDAWgBSeBawLW+FAf2oO9NlET4onfe84izATBgNVHSUEDDAK
BggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAX1Ar7jRAXdcA0Wu37yRi58QN
hpa1VLXadqfB+i5Y4e3DzqnMbpkLWsFzreC1AG0RjLe52s4PRUE6boGlpUeAyfFC
Qu2Gl/REVWwMCYV8bq3vQZkYQjklAXCQLWFk5TrzuDmBcV8+fY518nWw+xmcYwW5
5oehLsvB4nxoBzlHgcdDwS5b2dmpCKCbZFLU9aA9DjAVvY/9B8emyj7Sh2sEK0Yf
xwHlATTVq5O0/9tvVZQmYsbpS0iCRGBM+spTEhDT4WGsaRO6wP+Ucgp6Ym3ahMvz
tHME3uUanKWVoDb69sguGZ6KlnZZZdIX1AJ3dlTXCrzEO9xsoAzqzsxVJGrraQ==
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvripJQt3G9OnsDjZ2X8l
sursYnhlw9u19TK9VMHla6e03TxumCfGWM43QiD2UWk3Y46Waz9Keh2UTpk7wZjy
Ri79orfMcgencTKTNE/WCV/u6RwIylxJpLlVSGjRBD09W+8wdU21pDTSvaLfibwN
saPhpFQ0jl4DpeXPPxCeG8KC1FNVunllGPGjVk2rZ4RnFrpScWyGXHqLT+iRg+t0
pMi9S/bOhEV30f/v4HZfCx76qmlxl7QGIpJriXo+svaIe15gTb2CAstKp77Nq8Y3
sS/uM/5tktT/l6rnxIHLy4UEOSHUW9kQ8CcnZf+/A3PJKLopOWII9z0l/kbBImv7
kwIDAQABo2IwYDAJBgNVHRMEAjAAMB0GA1UdDgQWBBRV5QgsukXk9bPmsAOJbNX/
agQ/dTAfBgNVHSMEGDAWgBTj+r+NhAm1UfwIiw2e39lirWFyCzATBgNVHSUEDDAK
BggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAp06uHnxO63Ecn+knaXkfrNGg
pr+4WCc0onXYOE37+IwsCFaUqCIr1UsnnKWSzSlSR07FHI+VaV9r3knT6VPMVsUU
L89jHC2vLUvyJJOtuTpuOVGIzzCquYWvYRZrp2wmTceMSNhLcO1VGs28uwQojWEQ
ZsEdFvkYeWFInUQ1mF0dLnfQjh7RcTxMJ0CxZblJ086j3AbyzM6ZF6XAVPAqBH/S
gsBfLVGnZnMOwvKwsxViG1ikRusO6GtcIy6yxmNCUhWbIL+R59EYy++x3xLVUU90
YnScDN+xM9A2wHO1hQpLK6DIiHpbAzAgll5xD0JWh+efRWHEtGN5JTybowG9yA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgIUUPCDF21g2spK7557HZUhqSxBltMwDQYJKoZIhvcNAQEL
MIIDrDCCApSgAwIBAgIUXhcDbb/3vPpWoFCmesKw0dazbzIwDQYJKoZIhvcNAQEL
BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAyMs1XoC0NUT5YgydibOrE5SWBKk5C47B6tv6gA4t3zZJ
wejaiPkj+aTIU3Ww5DO/Gpz0GuqCHNBczIw92Cfvv8kyWzUy46bRkpBJLFav0JXS
B3xQaPlHWeXqMfVAGuM5ExT4CjjYKFsrgV1Q300thCHBhvr8TPekDIf+6J7NSz1P
062pYgypfqsA8OwKaQbgOL9v4QRmHoolnEDc1dK/FS4f3p9dlifl7kcSVGQK0yit
7Uncn250icCxMxS3MOE2NfuplUOSN6h6poWNGUsx00O7Dy9nUndUwJRpFfKXTV3v
GtlmFLNoho+ss/usnxjxggWBcRtKhqd8nGSJUlzs0wIDAQABo2YwZDASBgNVHRMB
Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBSeBawLW+FAf2oO9NlET4onfe84izAfBgNV
HSMEGDAWgBTp7DHcMiltHw6m0SYMWVg0QtGo/jAOBgNVHQ8BAf8EBAMCAYYwDQYJ
KoZIhvcNAQELBQADggEBAD/FBa4stJGd/Acg2E2soI071B/l9B7FiqIRpCFuLVC4
1m7TIcjioIpZrxXwE1Egf8A9/6D/kKZtWnOljcxtPBEb+1/gB61M381RIgoMQ/Pf
7XX2yakk6mscUjbSTR//Mj1sYOs2r6ueZBp0whzF9nVvA43G6WMpf6XZqmhlg/oV
ynytW1Iu1SPoru3y8dX/lsukvKCak7MAp1eBcuUJxS56DnKcV9xgC30m3g+CErI3
qsOJ7lcfDP6fDjy7MfBsZBiY64MqwlDjjn7+Pleo69JedMwurHLhKnfm07DBPy8X
+EnQk61xHEjQtTsddXyQGQV3yjqylOF2AgsAf256uuA=
AAOCAQ8AMIIBCgKCAQEA3FMSnznxLiZh2qZ2M4/Y3FcqzNy9XxE1DG5ahUoRifCe
LWPGvREPG599ds55MesKqAPo1xAyd7hpQmd+IWzQhvDQntR4BkCQv6PoHQ2WO9co
CfQ59U5h4pie82IROPHMg31PNYF7MVt2cjBtQco2wvL7XLroYo5nmi20qvsNh53S
nJ0vGsIhdBd5UVn7S5NghHYF03cmFiZVuSvN3ovFl1k0iIH+eJdfYXBiTqtcUCAc
0+ngTui3LWd18QB6M6HYdT1a0MihGs1g0RE7ni2C5iwBn4FOe+eHzZOq5AcWVGR4
ZSvDc+6O22sy0esBYsPElJBnQLOPyIRwd4B8MO6PewIDAQABo2YwZDASBgNVHRMB
Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBTj+r+NhAm1UfwIiw2e39lirWFyCzAfBgNV
HSMEGDAWgBRYinOUkj6959wnBw0YfDBGaz/adzAOBgNVHQ8BAf8EBAMCAYYwDQYJ
KoZIhvcNAQELBQADggEBACn3BOVCATol6TC31cKPvh9hOOq9uvgREGG1paTmZNhe
JsrIUkD2KZN7dpAJEJF7uu2LaCm0F5VqQUj3SdYHD3neHiOeO8jzgM4BWgqZ3lZc
FQfGbNoR4QQMADMJYKJ/LCRjBKUrHDvkvuQHkb+y8yUg1UtNpeH3cFty2/eo7VWD
Su5Jd1vVIo4XkQDBPr5UR9LVSMfhvhX4pcvijmETTEYn3ZZ2KeF1q5JC1Le+322Q
xwgVhiJak3GUh06mYQf6qFSRanu78Jeyw8IlsS+o8V9W+dqYYDOENDYNJGB5MaS/
yAA20r1RAb2RmPPbpiPjR2FKzNDxu7nHd4EecbSevdE=
-----END CERTIFICATE-----

22
tests/certs/intermediate.pem
View File

@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgIUUPCDF21g2spK7557HZUhqSxBltMwDQYJKoZIhvcNAQEL
BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAyMs1XoC0NUT5YgydibOrE5SWBKk5C47B6tv6gA4t3zZJ
wejaiPkj+aTIU3Ww5DO/Gpz0GuqCHNBczIw92Cfvv8kyWzUy46bRkpBJLFav0JXS
B3xQaPlHWeXqMfVAGuM5ExT4CjjYKFsrgV1Q300thCHBhvr8TPekDIf+6J7NSz1P
062pYgypfqsA8OwKaQbgOL9v4QRmHoolnEDc1dK/FS4f3p9dlifl7kcSVGQK0yit
7Uncn250icCxMxS3MOE2NfuplUOSN6h6poWNGUsx00O7Dy9nUndUwJRpFfKXTV3v
GtlmFLNoho+ss/usnxjxggWBcRtKhqd8nGSJUlzs0wIDAQABo2YwZDASBgNVHRMB
Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBSeBawLW+FAf2oO9NlET4onfe84izAfBgNV
HSMEGDAWgBTp7DHcMiltHw6m0SYMWVg0QtGo/jAOBgNVHQ8BAf8EBAMCAYYwDQYJ
KoZIhvcNAQELBQADggEBAD/FBa4stJGd/Acg2E2soI071B/l9B7FiqIRpCFuLVC4
1m7TIcjioIpZrxXwE1Egf8A9/6D/kKZtWnOljcxtPBEb+1/gB61M381RIgoMQ/Pf
7XX2yakk6mscUjbSTR//Mj1sYOs2r6ueZBp0whzF9nVvA43G6WMpf6XZqmhlg/oV
ynytW1Iu1SPoru3y8dX/lsukvKCak7MAp1eBcuUJxS56DnKcV9xgC30m3g+CErI3
qsOJ7lcfDP6fDjy7MfBsZBiY64MqwlDjjn7+Pleo69JedMwurHLhKnfm07DBPy8X
+EnQk61xHEjQtTsddXyQGQV3yjqylOF2AgsAf256uuA=
-----END CERTIFICATE-----

22
tests/certs/intermediateCA.pem Normal file
View File

@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgIUXhcDbb/3vPpWoFCmesKw0dazbzIwDQYJKoZIhvcNAQEL
BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA3FMSnznxLiZh2qZ2M4/Y3FcqzNy9XxE1DG5ahUoRifCe
LWPGvREPG599ds55MesKqAPo1xAyd7hpQmd+IWzQhvDQntR4BkCQv6PoHQ2WO9co
CfQ59U5h4pie82IROPHMg31PNYF7MVt2cjBtQco2wvL7XLroYo5nmi20qvsNh53S
nJ0vGsIhdBd5UVn7S5NghHYF03cmFiZVuSvN3ovFl1k0iIH+eJdfYXBiTqtcUCAc
0+ngTui3LWd18QB6M6HYdT1a0MihGs1g0RE7ni2C5iwBn4FOe+eHzZOq5AcWVGR4
ZSvDc+6O22sy0esBYsPElJBnQLOPyIRwd4B8MO6PewIDAQABo2YwZDASBgNVHRMB
Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBTj+r+NhAm1UfwIiw2e39lirWFyCzAfBgNV
HSMEGDAWgBRYinOUkj6959wnBw0YfDBGaz/adzAOBgNVHQ8BAf8EBAMCAYYwDQYJ
KoZIhvcNAQELBQADggEBACn3BOVCATol6TC31cKPvh9hOOq9uvgREGG1paTmZNhe
JsrIUkD2KZN7dpAJEJF7uu2LaCm0F5VqQUj3SdYHD3neHiOeO8jzgM4BWgqZ3lZc
FQfGbNoR4QQMADMJYKJ/LCRjBKUrHDvkvuQHkb+y8yUg1UtNpeH3cFty2/eo7VWD
Su5Jd1vVIo4XkQDBPr5UR9LVSMfhvhX4pcvijmETTEYn3ZZ2KeF1q5JC1Le+322Q
xwgVhiJak3GUh06mYQf6qFSRanu78Jeyw8IlsS+o8V9W+dqYYDOENDYNJGB5MaS/
yAA20r1RAb2RmPPbpiPjR2FKzNDxu7nHd4EecbSevdE=
-----END CERTIFICATE-----

22
tests/certs/intermediateCA_crldp.pem Normal file
View File

@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDszCCApugAwIBAgIUdUqeYLe6em9A4BIXcQhE2lS8KTUwDQYJKoZIhvcNAQEL
BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBnMQswCQYDVQQGEwJQTDEVMBMG
A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eTEfMB0GA1UEAwwWSW50ZXJtZWRpYXRlIENBIENSTCBEUDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANoHRxZ1qxQKLm8MLYswvTf9FBq05unFxE9j
nea4njWqBkg3cT/jZo2sDHlkN+q3BFEL/K+mej0/LqfW6eXrskHj6OLyXas2/HR4
UYsby8djwazvt4LLiMS5yfo3GlRv5p44F1ruYu7/km7J/6pUxQMB+lTXKA4TzUWe
n/xa2xGm0ZDXvQC1GlPJ1mD/fm0JeS6g8iMdTfvKPKKFMArz+wGWBiqbAKnmuDfp
J3j64nWyRCArH+tGgvOmqkXAUBh9A0T1AfdF1Q5kFKzFq38zKI6lPELo0qEio9SO
W+aOVVDtknTXmqKtawFyhn2e3UEzISYmFv2Wfc/dLnmBzRLNR9cCAwEAAaNmMGQw
EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUYbtAOknHjmiu3l8ONAUY387k
Fi8wHwYDVR0jBBgwFoAUWIpzlJI+vefcJwcNGHwwRms/2ncwDgYDVR0PAQH/BAQD
AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQBJ69rsOHP4qKnu/wRS/D3fV/voLHB624Rg
RpC4RshZMPVL60LaouJo1GMHj3IwyHVHGFkTxGYP0IIgcMUCnkmpSfX1tahYU+kB
4fSCxheLg79g2y3Z1jTQxFOvRjn5t4BIk4Rq4o9E7n1x+8jcaCBSjmna9j6i5lgA
QjazvdXrhhgrkvvMtk2wtk1laiHUHFgb9zxzNhhZFzy+QXwQv+Zj1N0swKfTP2gK
Rxls7e47SnMdvthINZpdvUwT5pBZnMKHqgQK6YbWcopBpuw7zOTJp6Ghqzqzwa4d
CwUtEB7f0e7dWeG7DFJ2cNPcpXaigNtvfdRR3W1RduX9FCODihFF
-----END CERTIFICATE-----

BIN
tests/certs/key.der
View File

Binary file not shown.

50
tests/certs/key.pem
View File

@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAsksndW3LaWAnD7mi4BXhmqQjC99Y9wTvMPUJ9AgvbzTaNW4J
JOQ31x8VVgwoUQ8nFBYkAqgLOv9THzNi30Fc7mjf37Pu6YsqZzql+tknqQbiaysy
Nm/fouwJDJ+NRzU70fVqI5AS9FBjakXa/l1+pEysCofURJAcKCBQGMSVaP2gwVrH
yPI7snFPO6205vqaEOarPira7gvBkYeUGh+A4AHngyW/jXHt0OHzmL+NrJe5hiay
NHAK4ECfXj4PbMibI8PHlRpQkkzO6OhCuI5ngpTZ0dGDLT693tlusvWRFjVrHI1D
6MGTtQeeVlnYIKSEGhkgzp7PeWM/CCtymDRG1wIDAQABAoIBACR/jgxT9ZgUvupR
Li6BTDXD9AiyKBwpPm3fO7JhGpTBVQorBGQw891t14hN5NLzLyTFg4mnrOTe770r
X8okL0n+3hWFWBsnCf8n2mKHob7QUfluVlEehcFsYE3dO6agFybb/mZZUAgDjNZs
hnAb45juuSlOtP10Is90DfGEDLH5IeY1xjzc7Qv/CFxCffIAC8QmQYUTihJ2m5aE
7Hvs79oEcSvbRJDYbykzrJ0eeIaEvfOxkWJnnJHrhiONzb8qgj3DLiZdX1qeo1Ao
ldNxEG9n3Axd6M0nhajz0qbDV11S8YiKfP10XRQh5xv7lZi7MjvrRxFTFYpSrXwi
YYyFNoECgYEA6YnIYg1nIe3qaI3Me1RQQTGRl8M/dQc2d98Pz5mez9vN3TIW6nEs
QYw/9OKG1ercbD+YnuaV+1izuAcA3mNlSDReTtzInAotJjTH1V3WYqvBTVUZSb6T
5qSBfRDC3AULFvHeX5c5wqgfB3U9KLDfVBfaHnMerg6dAGsYZPhPMrkCgYEAw3Eg
5BRTzbqG0WXF25rycTeHCcylMZRjI+TVcIa8AGqNSCK4HgAWp89XPIV3WceVqe2R
Lyn1jtA2MgGGcMBDFlOWF+h9j2/j27Z+pyIbBF9LAraJuBOG6dezd50y5Ur6HK/f
e5lnjvElIYdz+RX+rmw8NFcIUbSAfE7rGinDvg8CgYBDx86VzsgJC/FFySn4/X6R
fV6BSpTHVYGUhvQiz7ZNI8F7GoeWIaSznY4OeBSkT5cL/+U+8TPEkHkQx0+UPArw
Suq4PtImn7l85kK9hY+scacX18QQKDTq8wH2F4BGtVwDm81rtwt3mK3wzzEh9zvK
P2X6AnV8FReyQGMDIyJxWQKBgD6nu9WitqMTkzj6GY4nhGXLWV1I4ASe/5F4QPzM
FOVFQ3nGt6PWf2zYyay7VOHRXCeX451tJC3ejiFF3+WxnVBBB7Muc2JSiofbX4sR
Ifwq2I9MGaaLjArXfc9w8+oSOVCNCWZEbbCjmjW/iOxnorgkNsDIzf/zj+VKH5DJ
ptj9AoGAUpB6nPES3Nnj8DsbpHCnShYMl/rFxzxg2pJJosXzuS/ttuBT2DlT5eiY
aZcL1DGSp2CD4QXbVuDHPkQMPzVfZzKAuCZlotEMR9byK46aYIkQueym45e0PGZP
djKZm+cxF+W55jBkBBhV6wSOLNRWCUYiIIq3RmwWjkopNvSlwY4=
MIIEpAIBAAKCAQEAvripJQt3G9OnsDjZ2X8lsursYnhlw9u19TK9VMHla6e03Txu
mCfGWM43QiD2UWk3Y46Waz9Keh2UTpk7wZjyRi79orfMcgencTKTNE/WCV/u6RwI
ylxJpLlVSGjRBD09W+8wdU21pDTSvaLfibwNsaPhpFQ0jl4DpeXPPxCeG8KC1FNV
unllGPGjVk2rZ4RnFrpScWyGXHqLT+iRg+t0pMi9S/bOhEV30f/v4HZfCx76qmlx
l7QGIpJriXo+svaIe15gTb2CAstKp77Nq8Y3sS/uM/5tktT/l6rnxIHLy4UEOSHU
W9kQ8CcnZf+/A3PJKLopOWII9z0l/kbBImv7kwIDAQABAoIBAQCEsjqNWcLPi53a
kFOSblKuf6FkidxUP2QEa/8rH5UeKBtA6rEQEGyCkUgFLKX00r4E+MpTaD/LYxUy
8o6PDnlSt5MlSbhnhkfMDKI6/WkwMJ0rd6PuF/PtNj3OGY+D4Y/1jSAsHZtJ2q7d
3pqlXEAy3pE6IpRGkcb8AD8H4+n96U4sNnytll6//5uD55PRbxZwB0mmNJOVoZJK
+CbW0wV3rKS0UslFot/b/jNvmCQym3UmWz3elShRTZTA7cdQt2YtKaFO5zFxbbh/
L0+Rija2tVyUPswSbeGxiyfF2RRt++91S6RONfc9B0JKwkNkbQEcM+dPIfIe/nIc
8CgSCUThAoGBAOUMBWLhxE6QW1KeR59d00wtnWzN7x1CQ43LciIRMz3C8BQLpRmX
DmTDASxy9B19tEhdVHzYhq/+1x+vM7TWiPeLg2IhvFZEhpIdN7J1n0iUI3P08dHn
KmvHSu1XGQfngIMT/Ey9xdMpAxsZVJsScuT3sUxnUKxzFpCvTuiCP4ibAoGBANUq
FyAywSsGCrl77BaQh9GDsrL3i67owfpWMs6JjywfEFdpfGZnJTCvlfKtv/Jrp4jB
p5PM5IOil63RqQXa8/pv9pQr2DUGmKegNhDGgflK5+BcbTpkAYIcGHekhoTy2TXU
BnlKaNy5Te80yEFVfFRejK1rQ2ZqHqZP3WtzBBxpAoGBAOGhAOFSg13dKIjvcKCV
/aLKQIzBJG6PKxrQMeNLTE3n7TXh7saRnlU2H77Yko9GmES845CEf9F5WhNVNLtM
puor3cXac7wLjwD6lTZQVhNaEr6UqW5bqNc5IB9DMF4v99Gn617xhqGnge68+jI0
b0gMk/QuxjLKwIzQlQvH2qxHAoGAaFYXx6zQHAzzBuL/JfRMZmK9/xdniY9oEu5K
JAn0yDXUO9ToDP+Dlpb7IDOndjL3Z9rR+WgamcvlzjCHONR5AyX2XYQwaZP2+GVU
0VU4nRrq8EiNNj1o95Rk7XrcVQrBArXrDUc8mH0jBmihdEkxd+JnnSKZdPGQWvtQ
d51ub7ECgYBHbn8uyl4sHLj6y5L2KjsVFpLJp7OFNv3UUN9TrY+rd+CjmTFBSE52
XaV7v8Ul5nDRom5D5R/z8iFK+3Nx7PJq+WesEAPfNPc+BJFkRdJW6ysp/jHnpRV/
rUTaWgQp5/em1GAvBHa8KAoPAS5WAY/lxByruBSTbUSNuC5gz52xzg==
-----END RSA PRIVATE KEY-----

BIN
tests/certs/key.pvk
View File

Binary file not shown.

52
tests/certs/keyp.pem
View File

@ -1,30 +1,30 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6DB255395263EDD5
DEK-Info: DES-EDE3-CBC,B9C24663685D6009
A83CH4mv7u89RbT8Tpz4gxImKGBw69Zr3LstRXlliGYobby5YBx/YimkA9wFCZK/
B1eitWwy0F6axDZQYHKi+yvUJDPB9arXtClvYknMhwrHV1GHLSYeqb9oZJeqNyDZ
Qd3lxTbUtkMVJgJNrl2kOezm6/srnAw4uA7NyAvrs2vEzB48q4VlysrJq+f9mLXj
vCmrfUwY999lSifRmoxqeWlqNUQ2tgHHXYMNagpvxYXsfe1UvEH9aa6+UsO9S0py
7dyfSu95QpWyVNqkWi1VAtNbo2VpjJ6NJLAk+dy/rNqN3a4KnWeIzkYssWTsKB08
VyHrRLePPx5qdarsczZtf+M2PxhHHnl/09+Nrp5BUcMV31j3v3VSM0K+CHEucAk7
95rUtSUNywKUQeSgXrG1eLX7kXwRQ7PPCz3sPtvmJRIvQlGgLiTbKPsG52m3kAIw
zgXPcH2lYb3855occznl72jMUucxXq8gq0bC4xbEg/yJV8p1IuUEFhLGI9s9T4JV
cO9NKwmSjpHFo1ULhB7o6uMmV2rYDK+5GbQHxZgHj3ES+i53eFMWGubPEEOmqSh3
9K7gtW9y971tNfhp9ba8RnYXT6xW2nMTM4koO9b4ptdwRo5bMKFvWY8eecXfsDAG
OJ+aXkDr8jsn1Xauq1m4TM71wn2wUx95KaCpL55UNBEn7aH9qlNFfxdyzXMPYS36
zgWK44BV3PTSIGgW61NVwHwzi3bFfymortVxGpelzy2dggWVvI3uzKocLFQ8f4oe
Y0HWSmGVPF3uFHNCZtCB/Tpbz6YwP/YYStqAcryeS5Yo9Hdkh8pBVnYiKdTFEUW2
RbClgeB2MV+zttsqvmodfkviS4BjWgoIV5szxWOePnO8kQAHA/Ml3CyDPOX6rqI5
lDKiUojEMLgir/3YWWcmigEIgRsyF3CL1s+kTR3S8e9QRe8RiliRUKW5gXrLEa6j
eUjs4kgCrvmQvwyZYJjWl+r7ycmk+yB/EZs8P39KRR/pfeZDUCZIOx8vkJBt57hC
oTNJ5llFzRcmEraElXmDOAuvmj3Lx/4qzY545rtzll3mFHJEX4qITslIX1ksZz1p
DncuqgIECzmZIeHPbnw7Nkv6EkoPzTOlccqnCH/SumFr2fhctv9x13gGcO4kSsqO
63yZCFHjMz/mos3l51aIAizj5wQO3BOo+RyKoSQohvPzVtSgjhYMZsAPzXKxF0/H
9VH0DekEb1WwPSbGZw8kpx9ePlglGqOBinTL6QW8YmFPbjy9RDd1di+fxh4Qe024
8gERZpdSsMoZ+NP0nr/TSbDISFPqcLzzMpC+V8Fc/QkNvSkR1GLlNQrxLoyfK0VX
0evysXDxqIWK9+TH7hIS1lf3i2gMkLMppMso1v2Cqf0zRj1oM3MI743QE9XTXKRz
iAwaEDDPZWS/00T9fqNrHgtSPNpsbeYZQPYaC2lq1kTIEOlUfZZvMy5lxVPVZ8y2
foit+0DewZsqLDJwbjZ3wYMERVEY7KagoInQa3A1ZC9SkFiCb4fNEbRF13gfjrSz
muRbKAhEhkzJDFRocIaTKZPIWdvC73tAW66v1Zha74mxuckgnQPPqQ==
GMA8W6sGC+xtNYoPzX2j0driKlngRIbmABYMbm8TSac8du7/S8uBcG2i6z/d0Plu
pHr06uIcZDjCN0iWkhMGS7ai40ddBjxjDS/f9ppUZdOtTX4MzGfqb/d9LGVi1P8W
zYSuz7BI0B2ttcbpmMIhxdGMtRz8A/MDPm8eBnEmIYjRiW/ES2HfHlrm7CFlrd72
vgiAmFPtx9P5AE+KMFiSJDkSVMKX52yvLfBQAeBU2aQI7z5BTfwIpGgVKBT5qhq4
EwL24FrEJ1+20Q/Resd/nfqv6lzNPl6SQLhCgY25Yz0Ke9u8Xnhn1aoz1BCDtw8u
fnzmaqexf6w70rC1qX+CyrHLxO19lRUn5wChyPYaU2oAt3a0iKktQWdqHUIAGi+d
Q3DpgsXlQXuXHDeBh5KKePz6g1f7pjacpjH8t8Y3VqurQop8Ku5KiVln+WyVklbS
9ipr4Btf8NnWWD+kAvdo01ObRRGYxZwj/mlr9ePQ2d2vd9wNLe8zS0FZSzBE7cZH
OPMuZnjU9Ruub0GJpHzsNBhMNIl6M6c2DSphrUTZBG6Sogx/aVSxe3Z5sojULfNT
aifhUP/qR94nFokwRs77zXwWJlIF02g6caL8P/fPAcxIaItl+Q3DFo0wEZOzDI2X
7ijPoEj/TReVajulxCcISJs5F6gaPKhNW8FKxvFH+3LnMLW/BeHNSGgnIFftkI3Z
GqwcLN+X76qhPzS1UFF12fW9wYXjhMnR6bvVaadP6+XadZonyE+eGdRjZH0M2IIF
Jv6si9Zxw+sesmmFXzjU0jzv825rD0NtPpYKWaCdtX1x5fkk+A4T28Yu1uLWfJcs
4LhEkfhgILjLY02idjX4OKmwKm4w+QqBeajBCZiGTl6Fk2mvC0wCy53AEH3UTu8I
KRkEAcl1CxsYAHZb9B00ymk3iyGTQ/1luLZfPkGS6CMJPXjSjR0i8NmOaYa+Xhe7
bsCPYWeGT1ttJh+A5Dh39K00lSrIuQS9m3lKzdlHhZ8YL8DdeUAMBM6JKI3p8V9s
xeb/w9Vf7iZRLsL6yDqj4zm5HFifRpFDpD/E2rC6zpUvdFiy2p6J7Xpo2cu3wMIV
QL1te4aHVQhWsijV7LoaS3452NOnknxiNxXFWk2POwPHL1i6rmS7MlQwqDlLBilj
O2R4YZGjmRg69zr9xJJGQQnroFEagKdhedSJ2y+lqwxl1Kb+Lp0+SOVesxfjfoeZ
y0ctY7IJZksM0htETT6fhfJKSbMfM2uRL3FJkv1QyexnIlwmZxZgUyYAJemTZJBY
BbAhhmTRswhp5FWdfFbYez7cV9AIhtNCoGcNQuQ+wL9OmIQbmZjFUqLIcHVyX1xA
Zj5Jh6aybmnJTdXyIwUP3RdkHrD5JW8+d/0xMm1G89PtDJ6Q2+D3drtTB7A3ruUD
uyDhYtpyY9m940miAsvByK2jIUlA0hLb+9+1oiWcWarl7IwxpjP8CUG6nAF7BU6v
J/Hbikx0XMfycYp1EsQYUP4ku+S/PoJsMNU4bt248E+dDALxoyQN1Z41sYILBz4Y
ga6z4zCA5+66ug8z2yMbC4bCo0FZxuJLcw+Ok05+PT0fW9Z3egpybXVwwY4wc6vs
-----END RSA PRIVATE KEY-----

BIN
tests/certs/legacy.p12 Normal file
View File

Binary file not shown.

62
tests/certs/revoked.pem
View File

@ -1,45 +1,45 @@
-----BEGIN CERTIFICATE-----
MIIDvTCCAqWgAwIBAgIUOpY5wp7DtqsdxII7sxculedk0PYwDQYJKoZIhvcNAQEL
MIIDvTCCAqWgAwIBAgIUSXAaPeUatfheDTFo77LnMBHgyeMwDQYJKoZIhvcNAQEL
BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGDAWBgNVBAMMD0ludGVybWVkaWF0
ZSBDQTAeFw0xODAxMDEwMDAwMDBaFw0yNDEyMzEwMDAwMDBaMG0xCzAJBgNVBAYT
AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxDDAKBgNVBAsMA0NTUDEQMA4GA1UE
AwwHUmV2b2tlZDEnMCUGCSqGSIb3DQEJARYYb3NzbHNpZ25jb2RlQGV4YW1wbGUu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsksndW3LaWAnD7mi
4BXhmqQjC99Y9wTvMPUJ9AgvbzTaNW4JJOQ31x8VVgwoUQ8nFBYkAqgLOv9THzNi
30Fc7mjf37Pu6YsqZzql+tknqQbiaysyNm/fouwJDJ+NRzU70fVqI5AS9FBjakXa
/l1+pEysCofURJAcKCBQGMSVaP2gwVrHyPI7snFPO6205vqaEOarPira7gvBkYeU
Gh+A4AHngyW/jXHt0OHzmL+NrJe5hiayNHAK4ECfXj4PbMibI8PHlRpQkkzO6OhC
uI5ngpTZ0dGDLT693tlusvWRFjVrHI1D6MGTtQeeVlnYIKSEGhkgzp7PeWM/CCty
mDRG1wIDAQABo2IwYDAJBgNVHRMEAjAAMB0GA1UdDgQWBBQHE8SzT1ZcPEapv4NZ
MWBxRB3QATAfBgNVHSMEGDAWgBSeBawLW+FAf2oO9NlET4onfe84izATBgNVHSUE
DDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAYVJiPrkACW/tK487fYS/
gYzU3fYVCTfHpAv3njarNzy8UBNqBYr0kDg0DLoOWqGV7ogTtlbQP4IIjAQI/kW6
cEreW8yU5VxO+kxDo+7oG9VEbR85i6kQW2ubJsXV6yBtf5aAbXEqImYrtjh7UObb
BbQiUI1ll2dXWqvZGxr3Fz1uz8nPMYlBpVjpCh6JF8otdWwABmxRnqUvoLO6BZbH
/gdUkouXfio9BlWkWaJXJGXMW8B7ozpjuCHSHyfvGKDA3YIfa7++A1BIKxW72jIF
jRJDw/rwnV59tiEcBWmp2T6vV+rD8yaS+LotRPYD/ck/jEj/mV+N077KLmuZpdJF
ag==
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvripJQt3G9OnsDjZ
2X8lsursYnhlw9u19TK9VMHla6e03TxumCfGWM43QiD2UWk3Y46Waz9Keh2UTpk7
wZjyRi79orfMcgencTKTNE/WCV/u6RwIylxJpLlVSGjRBD09W+8wdU21pDTSvaLf
ibwNsaPhpFQ0jl4DpeXPPxCeG8KC1FNVunllGPGjVk2rZ4RnFrpScWyGXHqLT+iR
g+t0pMi9S/bOhEV30f/v4HZfCx76qmlxl7QGIpJriXo+svaIe15gTb2CAstKp77N
q8Y3sS/uM/5tktT/l6rnxIHLy4UEOSHUW9kQ8CcnZf+/A3PJKLopOWII9z0l/kbB
Imv7kwIDAQABo2IwYDAJBgNVHRMEAjAAMB0GA1UdDgQWBBRV5QgsukXk9bPmsAOJ
bNX/agQ/dTAfBgNVHSMEGDAWgBTj+r+NhAm1UfwIiw2e39lirWFyCzATBgNVHSUE
DDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAK/bCZPrxN+5HGQjZLIQg
jKfjTRL5xwBGs8+VW4i+xnaA14pyZjDlYzASmCE/ZiryVSMJ7fuQ0TVXGtz3N7PM
v9pRgtcohs62NJZ5dIrq4f/Op1bii29pAA8+2EHPJUyFBt23vyvlI/dBpkgQG6mi
OUEsXQ+Q2LUD4OOJffkc/gowXcB4WFjrtFAUuu9HeZUNzV5Mm5FQTGm9nCnWsDIb
b7Yx08hMy+6jtvkNPCDcFnos2bsipmVN4fCXkm5LPZNyMFoWReDbIKWASXaao2hN
gzWhwWsPlAGAlBPMVWEo3k2Cz/entbAijoyqS2koN4mZABy7m5+vfzFw/yvh1/lu
8w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgIUUPCDF21g2spK7557HZUhqSxBltMwDQYJKoZIhvcNAQEL
MIIDrDCCApSgAwIBAgIUXhcDbb/3vPpWoFCmesKw0dazbzIwDQYJKoZIhvcNAQEL
BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBgMQswCQYDVQQGEwJQTDEVMBMG
A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eTEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAyMs1XoC0NUT5YgydibOrE5SWBKk5C47B6tv6gA4t3zZJ
wejaiPkj+aTIU3Ww5DO/Gpz0GuqCHNBczIw92Cfvv8kyWzUy46bRkpBJLFav0JXS
B3xQaPlHWeXqMfVAGuM5ExT4CjjYKFsrgV1Q300thCHBhvr8TPekDIf+6J7NSz1P
062pYgypfqsA8OwKaQbgOL9v4QRmHoolnEDc1dK/FS4f3p9dlifl7kcSVGQK0yit
7Uncn250icCxMxS3MOE2NfuplUOSN6h6poWNGUsx00O7Dy9nUndUwJRpFfKXTV3v
GtlmFLNoho+ss/usnxjxggWBcRtKhqd8nGSJUlzs0wIDAQABo2YwZDASBgNVHRMB
Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBSeBawLW+FAf2oO9NlET4onfe84izAfBgNV
HSMEGDAWgBTp7DHcMiltHw6m0SYMWVg0QtGo/jAOBgNVHQ8BAf8EBAMCAYYwDQYJ
KoZIhvcNAQELBQADggEBAD/FBa4stJGd/Acg2E2soI071B/l9B7FiqIRpCFuLVC4
1m7TIcjioIpZrxXwE1Egf8A9/6D/kKZtWnOljcxtPBEb+1/gB61M381RIgoMQ/Pf
7XX2yakk6mscUjbSTR//Mj1sYOs2r6ueZBp0whzF9nVvA43G6WMpf6XZqmhlg/oV
ynytW1Iu1SPoru3y8dX/lsukvKCak7MAp1eBcuUJxS56DnKcV9xgC30m3g+CErI3
qsOJ7lcfDP6fDjy7MfBsZBiY64MqwlDjjn7+Pleo69JedMwurHLhKnfm07DBPy8X
+EnQk61xHEjQtTsddXyQGQV3yjqylOF2AgsAf256uuA=
AAOCAQ8AMIIBCgKCAQEA3FMSnznxLiZh2qZ2M4/Y3FcqzNy9XxE1DG5ahUoRifCe
LWPGvREPG599ds55MesKqAPo1xAyd7hpQmd+IWzQhvDQntR4BkCQv6PoHQ2WO9co
CfQ59U5h4pie82IROPHMg31PNYF7MVt2cjBtQco2wvL7XLroYo5nmi20qvsNh53S
nJ0vGsIhdBd5UVn7S5NghHYF03cmFiZVuSvN3ovFl1k0iIH+eJdfYXBiTqtcUCAc
0+ngTui3LWd18QB6M6HYdT1a0MihGs1g0RE7ni2C5iwBn4FOe+eHzZOq5AcWVGR4
ZSvDc+6O22sy0esBYsPElJBnQLOPyIRwd4B8MO6PewIDAQABo2YwZDASBgNVHRMB
Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBTj+r+NhAm1UfwIiw2e39lirWFyCzAfBgNV
HSMEGDAWgBRYinOUkj6959wnBw0YfDBGaz/adzAOBgNVHQ8BAf8EBAMCAYYwDQYJ
KoZIhvcNAQELBQADggEBACn3BOVCATol6TC31cKPvh9hOOq9uvgREGG1paTmZNhe
JsrIUkD2KZN7dpAJEJF7uu2LaCm0F5VqQUj3SdYHD3neHiOeO8jzgM4BWgqZ3lZc
FQfGbNoR4QQMADMJYKJ/LCRjBKUrHDvkvuQHkb+y8yUg1UtNpeH3cFty2/eo7VWD
Su5Jd1vVIo4XkQDBPr5UR9LVSMfhvhX4pcvijmETTEYn3ZZ2KeF1q5JC1Le+322Q
xwgVhiJak3GUh06mYQf6qFSRanu78Jeyw8IlsS+o8V9W+dqYYDOENDYNJGB5MaS/
yAA20r1RAb2RmPPbpiPjR2FKzNDxu7nHd4EecbSevdE=
-----END CERTIFICATE-----

BIN
tests/certs/revoked.spc
View File

Binary file not shown.

46
tests/certs/revoked_crldp.pem Normal file
View File

@ -0,0 +1,46 @@
-----BEGIN CERTIFICATE-----
MIIEDDCCAvSgAwIBAgIUMXc8FF4DEhJ/0czsG3SrcZS4GCYwDQYJKoZIhvcNAQEL
BQAwZzELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxHzAdBgNVBAMMFkludGVybWVkaWF0
ZSBDQSBDUkwgRFAwHhcNMTgwMTAxMDAwMDAwWhcNMjQxMjMxMDAwMDAwWjB7MQsw
CQYDVQQGEwJQTDEVMBMGA1UECgwMb3NzbHNpZ25jb2RlMQwwCgYDVQQLDANDU1Ax
HjAcBgNVBAMMFVJldm9rZWQgWDUwOXYzIENSTCBEUDEnMCUGCSqGSIb3DQEJARYY
b3NzbHNpZ25jb2RlQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAvripJQt3G9OnsDjZ2X8lsursYnhlw9u19TK9VMHla6e03TxumCfG
WM43QiD2UWk3Y46Waz9Keh2UTpk7wZjyRi79orfMcgencTKTNE/WCV/u6RwIylxJ
pLlVSGjRBD09W+8wdU21pDTSvaLfibwNsaPhpFQ0jl4DpeXPPxCeG8KC1FNVunll
GPGjVk2rZ4RnFrpScWyGXHqLT+iRg+t0pMi9S/bOhEV30f/v4HZfCx76qmlxl7QG
IpJriXo+svaIe15gTb2CAstKp77Nq8Y3sS/uM/5tktT/l6rnxIHLy4UEOSHUW9kQ
8CcnZf+/A3PJKLopOWII9z0l/kbBImv7kwIDAQABo4GbMIGYMAkGA1UdEwQCMAAw
HQYDVR0OBBYEFFXlCCy6ReT1s+awA4ls1f9qBD91MB8GA1UdIwQYMBaAFGG7QDpJ
x45ort5fDjQFGN/O5BYvMBMGA1UdJQQMMAoGCCsGAQUFBwMDMDYGA1UdHwQvMC0w
K6ApoCeGJWh0dHA6Ly8xMjcuMC4wLjE6MTkyNTQvaW50ZXJtZWRpYXRlQ0EwDQYJ
KoZIhvcNAQELBQADggEBALwDivFFBjB7AkLO1jPJFyJnq8C0gadoYq0Dq5roAFMq
Lirl0LGsdFTrZ2ljKOzNrFVfw4EQHedDCsKCtsgOXG1xxLQczwsuBcIaWGzSdW15
iNz+IKjHXSNOLEUvVcO6N6s1rt5U15lynaXFSdskBgJYA7vq6uA8RTWzhQC7aCv8
n3Tbpe8c7j6/y5NThffBu/YZypMoraZvPohCDfMZoFNT5GYXNWSeq7gipxtaCHcK
OdWBi5yajIZL05hg29y7r677KBbvo07EykhxQ10zEnskzuqc7hCCsuDrXbmt5brv
REYpeGvJAu0YrFg9yLSl8FJwk/XUzGvxa2MLPyL/sj4=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDszCCApugAwIBAgIUdUqeYLe6em9A4BIXcQhE2lS8KTUwDQYJKoZIhvcNAQEL
BQAwWDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEgMB4GA1UE
CwwXQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcN
MTgwMTAxMDAwMDAwWhcNMjYwMTAxMDAwMDAwWjBnMQswCQYDVQQGEwJQTDEVMBMG
A1UECgwMb3NzbHNpZ25jb2RlMSAwHgYDVQQLDBdDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eTEfMB0GA1UEAwwWSW50ZXJtZWRpYXRlIENBIENSTCBEUDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANoHRxZ1qxQKLm8MLYswvTf9FBq05unFxE9j
nea4njWqBkg3cT/jZo2sDHlkN+q3BFEL/K+mej0/LqfW6eXrskHj6OLyXas2/HR4
UYsby8djwazvt4LLiMS5yfo3GlRv5p44F1ruYu7/km7J/6pUxQMB+lTXKA4TzUWe
n/xa2xGm0ZDXvQC1GlPJ1mD/fm0JeS6g8iMdTfvKPKKFMArz+wGWBiqbAKnmuDfp
J3j64nWyRCArH+tGgvOmqkXAUBh9A0T1AfdF1Q5kFKzFq38zKI6lPELo0qEio9SO
W+aOVVDtknTXmqKtawFyhn2e3UEzISYmFv2Wfc/dLnmBzRLNR9cCAwEAAaNmMGQw
EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUYbtAOknHjmiu3l8ONAUY387k
Fi8wHwYDVR0jBBgwFoAUWIpzlJI+vefcJwcNGHwwRms/2ncwDgYDVR0PAQH/BAQD
AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQBJ69rsOHP4qKnu/wRS/D3fV/voLHB624Rg
RpC4RshZMPVL60LaouJo1GMHj3IwyHVHGFkTxGYP0IIgcMUCnkmpSfX1tahYU+kB
4fSCxheLg79g2y3Z1jTQxFOvRjn5t4BIk4Rq4o9E7n1x+8jcaCBSjmna9j6i5lgA
QjazvdXrhhgrkvvMtk2wtk1laiHUHFgb9zxzNhhZFzy+QXwQv+Zj1N0swKfTP2gK
Rxls7e47SnMdvthINZpdvUwT5pBZnMKHqgQK6YbWcopBpuw7zOTJp6Ghqzqzwa4d
CwUtEB7f0e7dWeG7DFJ2cNPcpXaigNtvfdRR3W1RduX9FCODihFF
-----END CERTIFICATE-----

69
tests/certs/tsa-chain.pem
View File

@ -1,50 +1,47 @@
-----BEGIN CERTIFICATE-----
MIIEzTCCA7WgAwIBAgIUfRjXKciCGA4XbhbhxbAwfpcLGmowDQYJKoZIhvcNAQEL
MIIEMzCCAxugAwIBAgIUBxGrWWn+gk2O0nxUeOQvpcu0HUQwDQYJKoZIhvcNAQEL
BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
dCBDQTAeFw0xODAxMDEwMDAwMDBaFw0yODAxMDEwMDAwMDBaMFUxCzAJBgNVBAYT
AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxHDAaBgNVBAsME1RpbWVzdGFtcCBB
dXRob3JpdHkxETAPBgNVBAMMCFRlc3QgVFNBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAor220wp2zqj6Fe1VT/yic4LJcfMn1/ZWhsE7L86krULRvI+N
JY0fOVg/24MtyOXbnm7nYOyYTlR9n2kqm4fEgsz+GDQxXLHgyLh3aF4ueDzoFt0v
8G3vJfD+4N27XAYJ5V4f4s4VJRDIm0P/BvFGY9J/zICjC83F3OLdnkOD88O8QD6q
FwWdtBYNqxQX1LAwy3ORe5aTubdVkHV02JhdKAC/xy5nfhynuV4KfYyel2nHrI1i
54UXWdOrlD/XIKPiXpuEGcXhYTrTHigH+yR9ybs9hotGvuHTEjcxEuJvEQJX+qV4
eJAIexITDW/yK+maWPLijO3bZ9/JodX+fRCnPQIDAQABo4IBiDCCAYQwDAYDVR0T
AQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDAdBgNVHQ4EFgQUKWCqogni
6SseJ/P6LXo0M2cK++QwHwYDVR0jBBgwFoAU/5nNuG4Tm4v2y9uKf428/4fVQesw
gYQGCCsGAQUFBwEBBHgwdjA5BggrBgEFBQcwAoYtaHR0cDovL1RTQUNBLnRpbWVz
dGFtcGF1dGhvcml0eS5jb20vVFNBQ0EuY3J0MDkGCCsGAQUFBzABhi1odHRwOi8v
b2NzcC5UU0FDQS50aW1lc3RhbXBhdXRob3JpdHkuY29tOjkwODAwPgYDVR0fBDcw
NTAzoDGgL4YtaHR0cDovL1RTQUNBLnRpbWVzdGFtcGF1dGhvcml0eS5jb20vVFNB
Q0EuY3JsMFUGA1UdHgROMEygGDAKggh0ZXN0LmNvbTAKggh0ZXN0Lm9yZ6EwMAqH
CAAAAAAAAAAAMCKHIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMA0G
CSqGSIb3DQEBCwUAA4IBAQB4YXa5nVWUzWSsUDMfYFTEETOe8boUErwfrDNBuj6z
B5en20FhI49i6PCYEfNq3vrAtPOEFJj+KPomN3C46VLxbUEvqWLdq6EyzWvVVmXK
VLeC0qV0m6CFM8GplaWzZdfFTQaaLUhgY08ZU2gp4QsoS2YjAosxlZrNSm6pBbv3
q+Og1KeSK8gKS0V89k+6e3LOEF6KaNWKSkoz5xDniQY//mTjiDcNmYUh0KhHfhdU
eO92M82uJSaDqnRs5HsWPs6z6qdfpuvj++OtQ1VCM2p5SEH2sEomdeN3YYChuG4h
yzn0mYAdbTyGJHlFm17AH+SQRbVqCKYdHDaqsMb+fWzi
AQ8AMIIBCgKCAQEA4TH03boCmDQwjaKbM/a06WBe9dJKt3wzdyXZhBT6GX4WefAg
ZvomQSUQnPCqFzGygIAGbBWlMlOtzNO32CMSXrtwkzou5BUEcuW3xqxDp0wTClKk
finDmTXjWLX5L+HnGtuQLU8s4iXgVUzqg6FRuce+WndPgG+MQPW4WzePu5uY0tWi
Xh7Y/HgwZCTiDihm2dFhLLX3wCM1jqggvmBasbFyztoTsUYMYKbGPVWuG8p5+h1t
BWVHFEBhAx9GNe6NiiJ0smAEmne1SBeY44iZwM871O9NVEWe5IyRRm0/Vu+dty48
rZfzL4PuakxuSTUI1Q7Fh7Xuo9SqvGwB6WejYwIDAQABo4HvMIHsMAwGA1UdEwEB
/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwHQYDVR0OBBYEFHnEl41jHza4
2tqVE1fctzcQRFMNMB8GA1UdIwQYMBaAFE6fD2uX/Q6n9KjFBO5tB++jGixmMC0G
A1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly8xMjcuMC4wLjE6MTkyNTQvVFNBQ0EwVQYD
VR0eBE4wTKAYMAqCCHRlc3QuY29tMAqCCHRlc3Qub3JnoTAwCocIAAAAAAAAAAAw
IocgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwDQYJKoZIhvcNAQEL
BQADggEBAKMnM+tX2AM6g9SSAbgAz25vHRs+/hzZN2EMZOz+ZsNZufRwRbDH4eC5
mm+s9PKw99vk/67vJk+IxfOLsZSleRX6h7DqXKhh5j8S/IPfOuIxWUfQGMlnfHNt
IdePg1vIQCwcj998e0NIdnioSnGrKRay0A1Y+7zY+9B8/sRCAamyAFyqjG5UG70q
NOZcuG52+ZHYfA3poW4MTBWTi+k9tK786RpRWj+I1ORBAJIFZ1SRzPQ5QL4XqE14
iKowHAJbo1/X6Xr/SW2B+oC+p5jmONRi/rwHnUEqWbkbi+CKWdlI+7HTApncofLi
JVHLUWz0r6IIp0mHrMwoI94yZBVXje0=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDkDCCAnigAwIBAgIUJ0nfE+EVsIThltlY2LHVWMJVIq4wDQYJKoZIhvcNAQEL
MIIDkDCCAnigAwIBAgIUf2df9lAckuBxsAT7UktJTpH8H3EwDQYJKoZIhvcNAQEL
BQAwYDELMAkGA1UEBhMCUEwxFTATBgNVBAoMDG9zc2xzaWduY29kZTEkMCIGA1UE
CwwbVGltZXN0YW1wIEF1dGhvcml0eSBSb290IENBMRQwEgYDVQQDDAtUU0EgUm9v
dCBDQTAeFw0xNzAxMDEwMDAwMDBaFw0yNjExMTAwMDAwMDBaMGAxCzAJBgNVBAYT
AlBMMRUwEwYDVQQKDAxvc3Nsc2lnbmNvZGUxJDAiBgNVBAsMG1RpbWVzdGFtcCBB
dXRob3JpdHkgUm9vdCBDQTEUMBIGA1UEAwwLVFNBIFJvb3QgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGOTX1f9dmtUiyzlsUInRIGfRMya338SVx
vYGeOwdpTSSGlYUVwR9AuFewQF5+klelstCJe+SoUG0AdzS30mRWlQrhip4UdvdW
T2gkNKbSn6DQzlWoQej9izqRLxAsbuszgkvnLOBEmPaLimDsCgu0bAN95Hp0Hls9
O/fVmzh8VuV4iscxc7q13ZB7CylWgwd55CFEGd/jpJ6kMwSHbOLoBWp4GQ3KxR+c
ASAo0FapU2WSZB2EYWszRiyq91X+AvIYN4ypTv7RccgfUvnZ2qFykJAkf/wgkynu
Qg7rCUNfUEpDc7jlqtDWR7iLrtHBkA17C3IU8ymmKQYWfw3ZyBwvAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP+ZzbhuE5uL9svbin+NvP+H1UHr
MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAbj3aFwIUxvzwgywO
gj01JM8GNbw1E4MGdkaNI8rgeY8ay15ZXhR9NpRWWb6Y7IXPq5XhuEktVte5Z4Kf
XLBrr7Xe9VVqJL9zd1tMzOEM/zG77rZf/iXBTZLkCtQc/GOEY4TTWKNEl5hiWVE0
po97GX5XHoeyHlWQ75sd9z6MxFxmvdp9/uyYD700e9sd5gcD8LGvHw2DNy8vntYV
ia9h95N9i1umffxU460o8W5GoIcsD13B3YftvnWhGSXqovBRFgcPAQZ4eW9Qh/zA
4zQBQrRvmREPihXVdgtWVpbRchP99oSZBrYr7Hh/P69rycklquqxJl1ol1wbT6dK
S5Gmng==
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDH7Zl2oFIq75eVCHtPSH5apYifPyFvIAnB
J8D3/ylM+Ll5X0/mBkyU5yR7CN0T+WsroWmkkGLuDbrqRrGG30Zs6/DIgHnLn25l
rM/6C4B3TApIoBPLqLWaYd0EUwn5hyh5vJdolzCwZtr3swS1BZ23WlPXXWIO8F+m
E5QZiFWqjufoHWECyoa3OwJ+U/UcR+Tr/HnlBXaZswTJdr91R9imWZgAE6EF6qM5
ZnzNqgsjKPIN62FIcL3SD57CcR8fYvOAHGlY9r/CoDMuAs64wp/+oovC4J8WHvqV
xg/z32V7osNq4ko9IArTDESj1ZlL33uVGy/GnTAMZv1CKFMrCfMNAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFE6fD2uX/Q6n9KjFBO5tB++jGixm
MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEArE8W97mfL9a8NcaX
UmJwiBsoA8zGQ1uWV051JHuW+YbC1az2pRR0kXOLkXeCNhwHfxb8pvEjOToa341K
5NYFSRPJVkR09AaF7KjuLzZO821roxbZPPbS8GsFGJ5GbLe6F8EW06rCyLN03Y2q
bOAQvAof421193HIO0baBWE13QsLk2wQEYyB/Yld3919ub9plQLxapojRdK2s+cY
Juftt8hE3UDlfQkpnVbIpU4Q/LFtPztfxkcd9rkz/kujH+juBd2UnirjK3n86ReU
1MM2QvtnMlXyZiXHujrOkWGS57KaYdkDAV98zWk9Bx7g6K97cy0JPdBq2cnucUJw
0mCOiQ==
-----END CERTIFICATE-----

1
tests/certs/tsa-serial Normal file
View File

@ -0,0 +1 @@
55c4d523e595564af0ab635fd1e3aaba

50
tests/client_http.py Normal file
View File

@ -0,0 +1,50 @@
"""Implementation of a HTTP client"""
import os
import sys
import http.client
RESULT_PATH = os.getcwd()
LOGS_PATH = os.path.join(RESULT_PATH, "./Testing/logs/")
PORT_LOG = os.path.join(LOGS_PATH, "./port.log")
def main() -> None:
"""Creating a POST Request"""
ret = 0
try:
with open(PORT_LOG, 'r') as file:
port = file.readline()
conn = http.client.HTTPConnection('localhost', port)
conn.request('POST', '/kill_server')
response = conn.getresponse()
print("HTTP status code:", response.getcode(), end=', ')
try:
text = response.read()
print(text.decode("UTF-8"), end='', flush=True)
except OSError as err:
print(f"Warning: {err}")
conn.close()
except OSError as err:
print(f"OSError: {err}")
ret = err.errno
except Exception as err: # pylint: disable=broad-except
print(f"HTTP client error: {err}")
ret = err
finally:
sys.exit(ret)
if __name__ == '__main__':
main()
# pylint: disable=pointless-string-statement
"""
Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
"""

0
tests/certs/.gitignore → tests/conf/.gitignore vendored
View File

274
tests/conf/makecerts.sh
View File

@ -1,4 +1,4 @@
#!/bin/sh
#!/bin/bash
result=0
@ -18,10 +18,11 @@ make_certs() {
script_path=$(pwd)
cd "${result_path}"
mkdir "tmp/"
rm -rf "../certs"
################################################################################
# OpenSSL settings
CONF="${script_path}/openssl_intermediate.cnf"
################################################################################
if test -n "$1"
then
OPENSSL="$1/bin/openssl"
@ -34,12 +35,16 @@ make_certs() {
touch "CA/index.txt"
echo -n "unique_subject = no" > "CA/index.txt.attr"
$OPENSSL rand -hex 16 > "CA/serial"
$OPENSSL rand -hex 16 > "tsa-serial"
$OPENSSL rand -hex 16 > "tmp/tsa-serial"
echo 1001 > "CA/crlnumber"
date > "makecerts.log"
"$OPENSSL" version 2>> "makecerts.log" 1>&2
echo -n "$password" > tmp/password.txt
################################################################################
# Root CA certificate
################################################################################
printf "\nGenerate root CA certificate\n" >> "makecerts.log"
"$OPENSSL" genrsa -out CA/CA.key \
2>> "makecerts.log" 1>&2
@ -54,29 +59,9 @@ make_certs() {
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log"
"$OPENSSL" genrsa -out CA/intermediate.key \
2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_intermediate.cnf"
"$OPENSSL" req -config "$CONF" -new -key CA/intermediate.key -out CA/intermediate.csr \
-subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_root.cnf"
"$OPENSSL" ca -config "$CONF" -batch -in CA/intermediate.csr -out CA/intermediate.cer \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
"$OPENSSL" x509 -in CA/intermediate.cer -out tmp/intermediate.pem \
2>> "makecerts.log" 1>&2
test_result $?
################################################################################
# Private RSA keys
################################################################################
printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
"$OPENSSL" genrsa -des3 -out CA/private.key -passout pass:"$password" \
@ -90,6 +75,46 @@ make_certs() {
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the key to DER format\n" >> "makecerts.log"
"$OPENSSL" rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:"$password" \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the key to PVK format\n" >> "makecerts.log"
"$OPENSSL" rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \
2>> "makecerts.log" 1>&2
test_result $?
################################################################################
# Intermediate CA certificates
################################################################################
CONF="${script_path}/openssl_intermediate.cnf"
printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log"
"$OPENSSL" genrsa -out CA/intermediateCA.key \
2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_intermediate.cnf"
"$OPENSSL" req -config "$CONF" -new -key CA/intermediateCA.key -out CA/intermediateCA.csr \
-subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_root.cnf"
"$OPENSSL" ca -config "$CONF" -batch -in CA/intermediateCA.csr -out CA/intermediateCA.cer \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
"$OPENSSL" x509 -in CA/intermediateCA.cer -out tmp/intermediateCA.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate a certificate to revoke\n" >> "makecerts.log"
"$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/revoked.csr \
-subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked/emailAddress=osslsigncode@example.com" \
@ -108,7 +133,7 @@ make_certs() {
test_result $?
printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/revoked.pem 2>> "makecerts.log"
cat tmp/intermediateCA.pem >> tmp/revoked.pem 2>> "makecerts.log"
test_result $?
printf "\nGenerate CRL file\n" >> "makecerts.log"
@ -121,11 +146,6 @@ make_certs() {
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
printf "\nConvert revoked certificate to SPC format\n" >> "makecerts.log"
"$OPENSSL" crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log"
"$OPENSSL" genrsa -out CA/cross.key \
2>> "makecerts.log" 1>&2
@ -151,23 +171,13 @@ make_certs() {
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the key to DER format\n" >> "makecerts.log"
"$OPENSSL" rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:"$password" \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the key to PVK format\n" >> "makecerts.log"
"$OPENSSL" rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the certificate to DER format\n" >> "makecerts.log"
"$OPENSSL" x509 -in tmp/cert.pem -outform DER -out tmp/cert.der \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/cert.pem 2>> "makecerts.log"
cat tmp/intermediateCA.pem >> tmp/cert.pem 2>> "makecerts.log"
test_result $?
printf "\nConvert the certificate to SPC format\n" >> "makecerts.log"
@ -175,7 +185,25 @@ make_certs() {
2>> "makecerts.log" 1>&2
test_result $?
printf "\nConvert the certificate and the key into a PKCS#12 container\n" >> "makecerts.log"
ssl_version=$("$OPENSSL" version)
if test "${ssl_version:8:1}" -eq 3
then
printf "\nConvert the certificate and the key into legacy PKCS#12 container with\
RC2-40-CBC private key and certificate encryption algorithm\n" >> "makecerts.log"
"$OPENSSL" pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/legacy.p12 -passout pass:"$password" \
-keypbe rc2-40-cbc -certpbe rc2-40-cbc -legacy \
2>> "makecerts.log" 1>&2
else
printf "\nConvert the certificate and the key into legacy PKCS#12 container with\
RC2-40-CBC private key and certificate encryption algorithm\n" >> "makecerts.log"
"$OPENSSL" pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/legacy.p12 -passout pass:"$password" \
-keypbe rc2-40-cbc -certpbe rc2-40-cbc \
2>> "makecerts.log" 1>&2
fi
test_result $?
printf "\nConvert the certificate and the key into a PKCS#12 container with\
AES-256-CBC private key and certificate encryption algorithm\n" >> "makecerts.log"
"$OPENSSL" pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/cert.p12 -passout pass:"$password" \
-keypbe aes-256-cbc -certpbe aes-256-cbc \
2>> "makecerts.log" 1>&2
@ -194,9 +222,95 @@ make_certs() {
test_result $?
printf "\nAttach intermediate certificate to expired certificate\n" >> "makecerts.log"
cat tmp/intermediate.pem >> tmp/expired.pem 2>> "makecerts.log"
cat tmp/intermediateCA.pem >> tmp/expired.pem 2>> "makecerts.log"
test_result $?
################################################################################
# Intermediate CA certificates with CRL distribution point
################################################################################
CONF="${script_path}/openssl_intermediate_crldp.cnf"
printf "\nGenerate intermediate CA certificate with CRL distribution point\n" >> "makecerts.log"
"$OPENSSL" genrsa -out CA/intermediateCA_crldp.key \
2>> "makecerts.log" 1>&2
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_intermediate_crldp.cnf"
"$OPENSSL" req -config "$CONF" -new -key CA/intermediateCA_crldp.key -out CA/intermediateCA_crldp.csr \
-subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA CRL DP" \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_root.cnf"
"$OPENSSL" ca -config "$CONF" -batch -in CA/intermediateCA_crldp.csr -out CA/intermediateCA_crldp.cer \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
"$OPENSSL" x509 -in CA/intermediateCA_crldp.cer -out tmp/intermediateCA_crldp.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate a certificate with X509v3 CRL Distribution Points extension to revoke\n" >> "makecerts.log"
"$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/revoked_crldp.csr \
-subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked X509v3 CRL DP/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2
test_result $?
"$OPENSSL" ca -config "$CONF" -batch -in CA/revoked_crldp.csr -out CA/revoked_crldp.cer \
2>> "makecerts.log" 1>&2
test_result $?
"$OPENSSL" x509 -in CA/revoked_crldp.cer -out tmp/revoked_crldp.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nRevoke above certificate\n" >> "makecerts.log"
"$OPENSSL" ca -config "$CONF" -revoke CA/revoked_crldp.cer \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log"
cat tmp/intermediateCA_crldp.pem >> tmp/revoked_crldp.pem 2>> "makecerts.log"
test_result $?
printf "\nGenerate CRL file\n" >> "makecerts.log"
TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_intermediate_crldp.cnf"
"$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/CACertCRL_crldp.pem \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
printf "\nConvert CRL file from PEM to DER (for CRL Distribution Points server to use) \n" >> "makecerts.log"
"$OPENSSL" crl -in tmp/CACertCRL_crldp.pem -inform PEM -out tmp/CACertCRL.der -outform DER \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate code signing certificate with X509v3 CRL Distribution Points extension\n" >> "makecerts.log"
"$OPENSSL" req -config "$CONF" -new -key CA/private.key -passin pass:"$password" -out CA/cert_crldp.csr \
-subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate X509v3 CRL DP/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2
test_result $?
"$OPENSSL" ca -config "$CONF" -batch -in CA/cert_crldp.csr -out CA/cert_crldp.cer \
2>> "makecerts.log" 1>&2
test_result $?
"$OPENSSL" x509 -in CA/cert_crldp.cer -out tmp/cert_crldp.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log"
cat tmp/intermediateCA_crldp.pem >> tmp/cert_crldp.pem 2>> "makecerts.log"
test_result $?
################################################################################
# Time Stamp Authority certificates
################################################################################
printf "\nGenerate Root CA TSA certificate\n" >> "makecerts.log"
"$OPENSSL" genrsa -out CA/TSACA.key \
2>> "makecerts.log" 1>&2
@ -209,6 +323,40 @@ make_certs() {
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
printf "\nGenerate TSA certificate to revoke\n" >> "makecerts.log"
CONF="${script_path}/openssl_tsa_root.cnf"
"$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA_revoked.key -out CA/TSA_revoked.csr \
-subj "/C=PL/O=osslsigncode/OU=TSA/CN=Revoked/emailAddress=osslsigncode@example.com" \
2>> "makecerts.log" 1>&2
test_result $?
CONF="${script_path}/openssl_tsa_root.cnf"
"$OPENSSL" ca -config "$CONF" -batch -in CA/TSA_revoked.csr -out CA/TSA_revoked.cer \
2>> "makecerts.log" 1>&2
test_result $?
"$OPENSSL" x509 -in CA/TSA_revoked.cer -out tmp/TSA_revoked.pem \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nRevoke above certificate\n" >> "makecerts.log"
"$OPENSSL" ca -config "$CONF" -revoke CA/TSA_revoked.cer \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate TSA CRL file\n" >> "makecerts.log"
TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
OPENSSL="$0"
export LD_LIBRARY_PATH="$1"
CONF="${script_path}/openssl_tsa_root.cnf"
"$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/TSACertCRL.pem \
2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
test_result $?
printf "\nConvert TSA CRL file from PEM to DER (for CRL Distribution Points server to use)\n" >> "makecerts.log"
"$OPENSSL" crl -in tmp/TSACertCRL.pem -inform PEM -out tmp/TSACertCRL.der -outform DER \
2>> "makecerts.log" 1>&2
test_result $?
printf "\nGenerate TSA certificate\n" >> "makecerts.log"
CONF="${script_path}/openssl_tsa.cnf"
"$OPENSSL" req -config "$CONF" -new -nodes -keyout tmp/TSA.key -out CA/TSA.csr \
@ -225,29 +373,45 @@ make_certs() {
printf "\nSave the chain to be included in the TSA response\n" >> "makecerts.log"
cat tmp/TSA.pem tmp/TSACA.pem > tmp/tsa-chain.pem 2>> "makecerts.log"
# copy new files
if test -s tmp/intermediate.pem -a -s tmp/CACert.pem -a -s tmp/CACertCRL.pem \
################################################################################
# Copy new files
################################################################################
if test -s tmp/CACert.pem \
-a -s tmp/intermediateCA.pem -a -s tmp/intermediateCA_crldp.pem \
-a -s tmp/CACertCRL.pem -a -s tmp/CACertCRL.der \
-a -s tmp/TSACertCRL.pem -a -s tmp/TSACertCRL.der \
-a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \
-a -s tmp/cert.pem -a -s tmp/cert.p12 -a -s tmp/cert.der -a -s tmp/cert.spc \
-a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem -a -s tmp/revoked.spc \
-a -s tmp/cert.pem -a -s tmp/cert.der -a -s tmp/cert.spc \
-a -s tmp/cert.p12 -a -s tmp/legacy.p12 -a -s tmp/cert_crldp.pem\
-a -s tmp/crosscert.pem -a -s tmp/expired.pem \
-a -s tmp/revoked.pem -a -s tmp/revoked_crldp.pem \
-a -s tmp/TSA_revoked.pem \
-a -s tmp/TSA.pem -a -s tmp/TSA.key -a -s tmp/tsa-chain.pem
then
mkdir "../certs"
mkdir -p "../certs"
cp tmp/* ../certs
printf "%s" "keys & certificates successfully generated"
printf "%s" "Keys & certificates successfully generated"
else
printf "%s" "error logs ${result_path}/makecerts.log"
printf "%s" "Error logs ${result_path}/makecerts.log"
result=1
fi
# remove the working directory
################################################################################
# Remove the working directory
################################################################################
rm -rf "CA/"
rm -rf "tmp/"
exit "$result"
}
# Tests requirement
################################################################################
# Tests requirement and make certs
################################################################################
if test -n "$(command -v faketime)"
then
make_certs "$1"

3
tests/conf/openssl_intermediate.cnf
View File

@ -1,7 +1,7 @@
# OpenSSL intermediate CA configuration file
[ default ]
name = intermediate
name = intermediateCA
default_ca = CA_default
[ CA_default ]
@ -15,6 +15,7 @@ serial = $dir/CA/serial
rand_serial = yes
private_key = $dir/CA/$name.key
certificate = $dir/tmp/$name.pem
crlnumber = $dir/CA/crlnumber
crl_extensions = crl_ext
default_md = sha256
preserve = no

79
tests/conf/openssl_intermediate_crldp.cnf Normal file
View File

@ -0,0 +1,79 @@
# OpenSSL intermediate CA configuration file
[ default ]
name = intermediateCA
default_ca = CA_default
crl_url = http://127.0.0.1:19254/$name
[ CA_default ]
# Directory and file locations
dir = .
certs = $dir/CA
crl_dir = $dir/CA
new_certs_dir = $dir/CA
database = $dir/CA/index.txt
serial = $dir/CA/serial
rand_serial = yes
private_key = $dir/CA/$name\_crldp.key
certificate = $dir/tmp/$name\_crldp.pem
crlnumber = $dir/CA/crlnumber
crl_extensions = crl_ext
default_md = sha256
preserve = no
policy = policy_loose
default_startdate = 180101000000Z
default_enddate = 241231000000Z
x509_extensions = v3_req
email_in_dn = yes
default_days = 2200
[ req ]
# Options for the `req` tool
encrypt_key = no
default_bits = 2048
default_md = sha256
string_mask = utf8only
distinguished_name = req_distinguished_name
x509_extensions = usr_extensions
[ crl_ext ]
# Extension for CRLs
authorityKeyIdentifier = keyid:always
[ usr_extensions ]
# Extension to add when the -x509 option is used
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
extendedKeyUsage = codeSigning
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
extendedKeyUsage = codeSigning
crlDistributionPoints = @crl_info
[ crl_info ]
# X509v3 CRL Distribution Points extension
URI.0 = $crl_url
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

18
tests/conf/openssl_tsa_root.cnf
View File

@ -2,10 +2,8 @@
[ default ]
name = TSACA
domain_suffix = timestampauthority.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
domain_suffix = timestampauthority
crl_url = http://127.0.0.1:19254/$name
name_opt = utf8, esc_ctrl, multiline, lname, align
default_ca = CA_default
@ -17,6 +15,7 @@ new_certs_dir = $dir/CA
database = $dir/CA/index.txt
serial = $dir/CA/serial
crlnumber = $dir/CA/crlnumber
crl_extensions = crl_ext
rand_serial = yes
private_key = $dir/CA/$name.key
certificate = $dir/tmp/$name.pem
@ -27,6 +26,7 @@ policy = policy_match
default_startdate = 20180101000000Z
default_enddate = 20280101000000Z
unique_subject = no
email_in_dn = no
x509_extensions = tsa_extensions
[ policy_match ]
@ -42,17 +42,17 @@ basicConstraints = critical, CA:false
extendedKeyUsage = critical, timeStamping
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = @issuer_info
crlDistributionPoints = @crl_info
nameConstraints = @name_constraints
[ issuer_info ]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ crl_info ]
# X509v3 CRL Distribution Points extension
URI.0 = $crl_url
[ crl_ext ]
# Extension for CRLs
authorityKeyIdentifier = keyid:always
[ name_constraints ]
permitted;DNS.0=test.com
permitted;DNS.1=test.org

BIN
tests/files/unsigned.256appx Executable file
View File

Binary file not shown.

BIN
tests/files/unsigned.512appx Executable file
View File

Binary file not shown.

BIN
tests/files/unsigned.cat Executable file → Normal file
View File

Binary file not shown.

0
tests/files/unsigned.exe Executable file → Normal file
View File

156
tests/server_http.py Normal file
View File

@ -0,0 +1,156 @@
"""Implementation of a HTTP server"""
import argparse
import os
import subprocess
import sys
import threading
from urllib.parse import urlparse
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
RESULT_PATH = os.getcwd()
FILES_PATH = os.path.join(RESULT_PATH, "./Testing/files/")
CERTS_PATH = os.path.join(RESULT_PATH, "./Testing/certs/")
CONF_PATH = os.path.join(RESULT_PATH, "./Testing/conf/")
LOGS_PATH = os.path.join(RESULT_PATH, "./Testing/logs/")
REQUEST = os.path.join(FILES_PATH, "./jreq.tsq")
RESPONS = os.path.join(FILES_PATH, "./jresp.tsr")
CACRL = os.path.join(CERTS_PATH, "./CACertCRL.der")
TSACRL = os.path.join(CERTS_PATH, "./TSACertCRL.der")
OPENSSL_CONF = os.path.join(CONF_PATH, "./openssl_tsa.cnf")
PORT_LOG = os.path.join(LOGS_PATH, "./port.log")
OPENSSL_TS = ["openssl", "ts",
"-reply", "-config", OPENSSL_CONF,
"-passin", "pass:passme",
"-queryfile", REQUEST,
"-out", RESPONS]
class RequestHandler(SimpleHTTPRequestHandler):
"""Handle the HTTP POST request that arrive at the server"""
def __init__(self, request, client_address, server):
# Save the server handle
self.server = server
SimpleHTTPRequestHandler.__init__(self, request, client_address, server)
def do_GET(self): # pylint: disable=invalid-name
""""Serves the GET request type"""
try:
url = urlparse(self.path)
self.send_response(200)
self.send_header("Content-type", "application/crl")
self.end_headers()
# Read the file and send the contents
if url.path == "/intermediateCA":
with open(CACRL, 'rb') as file:
resp_data = file.read()
if url.path == "/TSACA":
with open(TSACRL, 'rb') as file:
resp_data = file.read()
self.wfile.write(resp_data)
except Exception as err: # pylint: disable=broad-except
print(f"HTTP GET request error: {err}")
def do_POST(self): # pylint: disable=invalid-name
""""Serves the POST request type"""
try:
url = urlparse(self.path)
self.send_response(200)
if url.path == "/kill_server":
self.log_message(f"Deleting file: {PORT_LOG}")
os.remove(f"{PORT_LOG}")
self.send_header('Content-type', 'text/plain')
self.end_headers()
self.wfile.write(bytes('Shutting down HTTP server', 'utf-8'))
self.server.shutdown()
else:
content_length = int(self.headers['Content-Length'])
post_data = self.rfile.read(content_length)
with open(REQUEST, mode="wb") as file:
file.write(post_data)
openssl = subprocess.run(OPENSSL_TS,
check=True, universal_newlines=True)
openssl.check_returncode()
self.send_header("Content-type", "application/timestamp-reply")
self.end_headers()
resp_data = None
with open(RESPONS, mode="rb") as file:
resp_data = file.read()
self.wfile.write(resp_data)
except Exception as err: # pylint: disable=broad-except
print(f"HTTP POST request error: {err}")
class HttpServerThread():
"""TSA server thread handler"""
# pylint: disable=too-few-public-methods
def __init__(self):
self.server = None
self.server_thread = None
def start_server(self, port) -> (int):
"""Starting HTTP server on localhost and a random available port for binding"""
self.server = ThreadingHTTPServer(('localhost', port), RequestHandler)
self.server_thread = threading.Thread(target=self.server.serve_forever)
self.server_thread.start()
hostname, port = self.server.server_address[:2]
print(f"HTTP server started, URL http://{hostname}:{port}")
return port
def main() -> None:
"""Start HTTP server"""
ret = 0
parser = argparse.ArgumentParser()
parser.add_argument(
"--port",
type=int,
default=0,
help="port number"
)
args = parser.parse_args()
try:
server = HttpServerThread()
port = server.start_server(args.port)
with open(PORT_LOG, mode="w") as file:
file.write("{}".format(port))
except OSError as err:
print(f"OSError: {err}")
ret = err.errno
finally:
sys.exit(ret)
if __name__ == '__main__':
try:
fpid = os.fork()
if fpid > 0:
sys.exit(0)
except OSError as ferr:
print(f"Fork #1 failed: {ferr.errno} {ferr.strerror}")
sys.exit(1)
try:
fpid = os.fork()
if fpid > 0:
sys.exit(0)
except OSError as ferr:
print(f"Fork #2 failed: {ferr.errno} {ferr.strerror}")
sys.exit(1)
# Start the daemon main loop
main()
# pylint: disable=pointless-string-statement
"""Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
"""

133
tests/server_http.pyw Normal file
View File

@ -0,0 +1,133 @@
"""Windows: Implementation of a HTTP server"""
import os
import subprocess
import sys
import threading
from urllib.parse import urlparse
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
RESULT_PATH = os.getcwd()
FILES_PATH = os.path.join(RESULT_PATH, "./Testing/files/")
CERTS_PATH = os.path.join(RESULT_PATH, "./Testing/certs/")
CONF_PATH = os.path.join(RESULT_PATH, "./Testing/conf/")
LOGS_PATH = os.path.join(RESULT_PATH, "./Testing/logs/")
REQUEST = os.path.join(FILES_PATH, "./jreq.tsq")
RESPONS = os.path.join(FILES_PATH, "./jresp.tsr")
CACRL = os.path.join(CERTS_PATH, "./CACertCRL.der")
TSACRL = os.path.join(CERTS_PATH, "./TSACertCRL.der")
OPENSSL_CONF = os.path.join(CONF_PATH, "./openssl_tsa.cnf")
SERVER_LOG = os.path.join(LOGS_PATH, "./server.log")
PORT_LOG = os.path.join(LOGS_PATH, "./port.log")
OPENSSL_TS = ["openssl", "ts",
"-reply", "-config", OPENSSL_CONF,
"-passin", "pass:passme",
"-queryfile", REQUEST,
"-out", RESPONS]
class RequestHandler(SimpleHTTPRequestHandler):
"""Handle the HTTP POST request that arrive at the server"""
def __init__(self, request, client_address, server):
# Save the server handle
self.server = server
SimpleHTTPRequestHandler.__init__(self, request, client_address, server)
def do_GET(self): # pylint: disable=invalid-name
""""Serves the GET request type"""
try:
url = urlparse(self.path)
self.send_response(200)
self.send_header("Content-type", "application/crl")
self.end_headers()
# Read the file and send the contents
if url.path == "/intermediateCA":
with open(CACRL, 'rb') as file:
resp_data = file.read()
if url.path == "/TSACA":
with open(TSACRL, 'rb') as file:
resp_data = file.read()
self.wfile.write(resp_data)
except Exception as err: # pylint: disable=broad-except
print(f"HTTP GET request error: {err}")
def do_POST(self): # pylint: disable=invalid-name
""""Serves the POST request type"""
try:
url = urlparse(self.path)
self.send_response(200)
if url.path == "/kill_server":
self.log_message(f"Deleting file: {PORT_LOG}")
os.remove(f"{PORT_LOG}")
self.send_header('Content-type', 'text/plain')
self.end_headers()
self.wfile.write(bytes('Shutting down HTTP server', 'utf-8'))
self.server.shutdown()
else:
content_length = int(self.headers['Content-Length'])
post_data = self.rfile.read(content_length)
with open(REQUEST, mode="wb") as file:
file.write(post_data)
openssl = subprocess.run(OPENSSL_TS,
check=True, universal_newlines=True)
openssl.check_returncode()
self.send_header("Content-type", "application/timestamp-reply")
self.end_headers()
resp_data = None
with open(RESPONS, mode="rb") as file:
resp_data = file.read()
self.wfile.write(resp_data)
except Exception as err: # pylint: disable=broad-except
print(f"HTTP POST request error: {err}")
class HttpServerThread():
"""TSA server thread handler"""
# pylint: disable=too-few-public-methods
def __init__(self):
self.server = None
self.server_thread = None
def start_server(self) -> (int):
"""Starting HTTP server on localhost and a random available port for binding"""
self.server = ThreadingHTTPServer(('localhost', 19254), RequestHandler)
self.server_thread = threading.Thread(target=self.server.serve_forever)
self.server_thread.start()
hostname, port = self.server.server_address[:2]
print(f"HTTP server started, URL http://{hostname}:{port}")
return port
def main() -> None:
"""Start HTTP server"""
ret = 0
try:
sys.stdout = open(SERVER_LOG, "w")
sys.stderr = open(SERVER_LOG, "a")
server = HttpServerThread()
port = server.start_server()
with open(PORT_LOG, mode="w") as file:
file.write("{}".format(port))
except OSError as err:
print(f"OSError: {err}")
ret = err.errno
finally:
sys.exit(ret)
if __name__ == '__main__':
main()
# pylint: disable=pointless-string-statement
"""Local Variables:
c-basic-offset: 4
tab-width: 4
indent-tabs-mode: nil
End:
vim: set ts=4 expandtab:
"""

152
tests/tsa_server.py
View File

@ -1,152 +0,0 @@
"""Implementation of a Time Stamping Authority HTTP server"""
import argparse
import contextlib
import os
import pathlib
import subprocess
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
RESULT_PATH = os.getcwd()
FILES_PATH = os.path.join(RESULT_PATH, "./Testing/files/")
CERTS_PATH = os.path.join(RESULT_PATH, "./Testing/certs/")
CONF_PATH = os.path.join(RESULT_PATH, "./Testing/conf/")
DEFAULT_IN = os.path.join(FILES_PATH, "./unsigned.exe")
DEFAULT_OUT = os.path.join(FILES_PATH, "./ts.exe")
DEFAULT_CERT = os.path.join(CERTS_PATH, "./cert.pem")
DEFAULT_KEY = os.path.join(CERTS_PATH, "./key.pem")
DEFAULT_CROSSCERT = os.path.join(CERTS_PATH, "./crosscert.pem")
OPENSSL_CONF = os.path.join(CONF_PATH, "./openssl_tsa.cnf")
REQUEST = os.path.join(FILES_PATH, "./jreq.tsq")
RESPONS = os.path.join(FILES_PATH, "./jresp.tsr")
if os.path.exists(os.path.join(RESULT_PATH, "./Release/")):
OSSLSIGNCODE_FILE = os.path.join(RESULT_PATH, "./Release/osslsigncode")
elif os.path.exists(os.path.join(RESULT_PATH, "./Debug/")):
OSSLSIGNCODE_FILE = os.path.join(RESULT_PATH, "./Debug/osslsigncode")
else:
OSSLSIGNCODE_FILE = os.path.join(RESULT_PATH, "./osslsigncode")
DEFAULT_OPENSSL = ["openssl", "ts",
"-reply", "-config", OPENSSL_CONF,
"-passin", "pass:passme",
"-queryfile", REQUEST,
"-out", RESPONS]
class RequestHandler(BaseHTTPRequestHandler):
"""Handle the HTTP POST request that arrive at the server"""
def do_POST(self):
""""Serves the POST request type"""
try:
content_length = int(self.headers['Content-Length'])
post_data = self.rfile.read(content_length)
with open(REQUEST, mode="wb") as file:
file.write(post_data)
openssl = subprocess.run(DEFAULT_OPENSSL,
check=True, universal_newlines=True)
openssl.check_returncode()
self.send_response(200)
self.send_header("Content-type", "application/timestamp-reply")
self.end_headers()
resp_data = None
with open(RESPONS, mode="rb") as file:
resp_data = file.read()
self.wfile.write(resp_data)
except Exception as err: # pylint: disable=broad-except
print(f"HTTP POST request error: {err}")
class HttpServerThread():
"""TSA server thread handler"""
def __init__(self):
self.server = None
self.server_thread = None
def start_server(self) -> (str, int):
"""Starting TSA server on localhost and a first available port"""
self.server = HTTPServer(("127.0.0.1", 0), RequestHandler)
self.server_thread = threading.Thread(target=self.server.serve_forever)
self.server_thread.start()
hostname, port = self.server.server_address[:2]
print(f"Timestamp server started, URL: http://{hostname}:{port}")
return hostname, port
def shut_down(self):
"""Shutting down the server"""
if self.server:
self.server.shutdown()
self.server_thread.join()
print("Server is down")
def parse_args() -> str:
"""Parse the command-line arguments."""
parser = argparse.ArgumentParser()
parser.add_argument(
"--input",
type=pathlib.Path,
default=DEFAULT_IN,
help="input file"
)
parser.add_argument(
"--output",
type=pathlib.Path,
default=DEFAULT_OUT,
help="output file"
)
parser.add_argument(
"--certs",
type=pathlib.Path,
default=DEFAULT_CERT,
help="signing certificate"
)
parser.add_argument(
"--key",
type=pathlib.Path,
default=DEFAULT_KEY,
help="private key"
)
parser.add_argument(
"--crosscert",
type=pathlib.Path,
default=DEFAULT_CROSSCERT,
help="additional certificates"
)
args = parser.parse_args()
program = [OSSLSIGNCODE_FILE, "sign", "-in", args.input, "-out", args.output,
"-certs", args.certs, "-key", args.key,
"-addUnauthenticatedBlob", "-add-msi-dse", "-comm", "-ph", "-jp", "low",
"-h", "sha384", "-time", "1556668800", "-i", "https://www.osslsigncode.com/",
"-n", "osslsigncode", "-ac", args.crosscert, "-ts"]
return program
def main() -> None:
"""Main program"""
ret = 0
program = parse_args()
server = HttpServerThread()
hostname, port = server.start_server()
program.append(f"{hostname}:{port}")
try:
osslsigncode = subprocess.run(program, check=True, universal_newlines=True)
osslsigncode.check_returncode()
except subprocess.CalledProcessError as err:
ret = err.returncode
except OSError as err:
print(f"OSError: {err}")
ret = err.errno
except Exception as err: # pylint: disable=broad-except
print(f"osslsigncode error: {err}")
ret = 1
finally:
server.shut_down()
sys.exit(ret)
if __name__ == '__main__':
main()