1 | /* $Id: RTSignTool.cpp 69434 2017-10-27 15:48:25Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * IPRT - Signing Tool.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2006-2017 Oracle Corporation
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox Open Source Edition (OSE), as
|
---|
10 | * available from http://www.virtualbox.org. This file is free software;
|
---|
11 | * you can redistribute it and/or modify it under the terms of the GNU
|
---|
12 | * General Public License (GPL) as published by the Free Software
|
---|
13 | * Foundation, in version 2 as it comes in the "COPYING" file of the
|
---|
14 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
|
---|
15 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
|
---|
16 | *
|
---|
17 | * The contents of this file may alternatively be used under the terms
|
---|
18 | * of the Common Development and Distribution License Version 1.0
|
---|
19 | * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
|
---|
20 | * VirtualBox OSE distribution, in which case the provisions of the
|
---|
21 | * CDDL are applicable instead of those of the GPL.
|
---|
22 | *
|
---|
23 | * You may elect to license modified versions of this file under the
|
---|
24 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
25 | */
|
---|
26 |
|
---|
27 |
|
---|
28 | /*********************************************************************************************************************************
|
---|
29 | * Header Files *
|
---|
30 | *********************************************************************************************************************************/
|
---|
31 | #include <iprt/assert.h>
|
---|
32 | #include <iprt/buildconfig.h>
|
---|
33 | #include <iprt/err.h>
|
---|
34 | #include <iprt/getopt.h>
|
---|
35 | #include <iprt/file.h>
|
---|
36 | #include <iprt/initterm.h>
|
---|
37 | #include <iprt/ldr.h>
|
---|
38 | #include <iprt/message.h>
|
---|
39 | #include <iprt/mem.h>
|
---|
40 | #include <iprt/path.h>
|
---|
41 | #include <iprt/stream.h>
|
---|
42 | #include <iprt/string.h>
|
---|
43 | #include <iprt/uuid.h>
|
---|
44 | #include <iprt/zero.h>
|
---|
45 | #ifndef RT_OS_WINDOWS
|
---|
46 | # include <iprt/formats/pecoff.h>
|
---|
47 | #endif
|
---|
48 | #include <iprt/crypto/digest.h>
|
---|
49 | #include <iprt/crypto/x509.h>
|
---|
50 | #include <iprt/crypto/pkcs7.h>
|
---|
51 | #include <iprt/crypto/store.h>
|
---|
52 | #include <iprt/crypto/spc.h>
|
---|
53 | #ifdef VBOX
|
---|
54 | # include <VBox/sup.h> /* Certificates */
|
---|
55 | #endif
|
---|
56 | #ifdef RT_OS_WINDOWS
|
---|
57 | # include <iprt/win/windows.h>
|
---|
58 | # include <ImageHlp.h>
|
---|
59 | #endif
|
---|
60 |
|
---|
61 |
|
---|
62 | /*********************************************************************************************************************************
|
---|
63 | * Structures and Typedefs *
|
---|
64 | *********************************************************************************************************************************/
|
---|
65 | /** Help detail levels. */
|
---|
66 | typedef enum RTSIGNTOOLHELP
|
---|
67 | {
|
---|
68 | RTSIGNTOOLHELP_USAGE,
|
---|
69 | RTSIGNTOOLHELP_FULL
|
---|
70 | } RTSIGNTOOLHELP;
|
---|
71 |
|
---|
72 |
|
---|
73 | /**
|
---|
74 | * PKCS\#7 signature data.
|
---|
75 | */
|
---|
76 | typedef struct SIGNTOOLPKCS7
|
---|
77 | {
|
---|
78 | /** The raw signature. */
|
---|
79 | uint8_t *pbBuf;
|
---|
80 | /** Size of the raw signature. */
|
---|
81 | size_t cbBuf;
|
---|
82 | /** The filename. */
|
---|
83 | const char *pszFilename;
|
---|
84 | /** The outer content info wrapper. */
|
---|
85 | RTCRPKCS7CONTENTINFO ContentInfo;
|
---|
86 | /** Pointer to the decoded SignedData inside the ContentInfo member. */
|
---|
87 | PRTCRPKCS7SIGNEDDATA pSignedData;
|
---|
88 | /** Pointer to the indirect data content. */
|
---|
89 | PRTCRSPCINDIRECTDATACONTENT pIndData;
|
---|
90 |
|
---|
91 | /** Newly encoded raw signature.
|
---|
92 | * @sa SignToolPkcs7_Encode() */
|
---|
93 | uint8_t *pbNewBuf;
|
---|
94 | /** Size of newly encoded raw signature. */
|
---|
95 | size_t cbNewBuf;
|
---|
96 |
|
---|
97 | } SIGNTOOLPKCS7;
|
---|
98 | typedef SIGNTOOLPKCS7 *PSIGNTOOLPKCS7;
|
---|
99 |
|
---|
100 |
|
---|
101 | /**
|
---|
102 | * PKCS\#7 signature data for executable.
|
---|
103 | */
|
---|
104 | typedef struct SIGNTOOLPKCS7EXE : public SIGNTOOLPKCS7
|
---|
105 | {
|
---|
106 | /** The module handle. */
|
---|
107 | RTLDRMOD hLdrMod;
|
---|
108 | } SIGNTOOLPKCS7EXE;
|
---|
109 | typedef SIGNTOOLPKCS7EXE *PSIGNTOOLPKCS7EXE;
|
---|
110 |
|
---|
111 |
|
---|
112 | /**
|
---|
113 | * Data for the show exe (signature) command.
|
---|
114 | */
|
---|
115 | typedef struct SHOWEXEPKCS7 : public SIGNTOOLPKCS7EXE
|
---|
116 | {
|
---|
117 | /** The verbosity. */
|
---|
118 | unsigned cVerbosity;
|
---|
119 | /** The prefix buffer. */
|
---|
120 | char szPrefix[256];
|
---|
121 | /** Temporary buffer. */
|
---|
122 | char szTmp[4096];
|
---|
123 | } SHOWEXEPKCS7;
|
---|
124 | typedef SHOWEXEPKCS7 *PSHOWEXEPKCS7;
|
---|
125 |
|
---|
126 |
|
---|
127 | /*********************************************************************************************************************************
|
---|
128 | * Internal Functions *
|
---|
129 | *********************************************************************************************************************************/
|
---|
130 | static RTEXITCODE HandleHelp(int cArgs, char **papszArgs);
|
---|
131 | static RTEXITCODE HelpHelp(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel);
|
---|
132 | static RTEXITCODE HandleVersion(int cArgs, char **papszArgs);
|
---|
133 | static int HandleShowExeWorkerPkcs7Display(PSHOWEXEPKCS7 pThis, PRTCRPKCS7SIGNEDDATA pSignedData, size_t offPrefix,
|
---|
134 | PCRTCRPKCS7CONTENTINFO pContentInfo);
|
---|
135 |
|
---|
136 |
|
---|
137 | /**
|
---|
138 | * Deletes the structure.
|
---|
139 | *
|
---|
140 | * @param pThis The structure to initialize.
|
---|
141 | */
|
---|
142 | static void SignToolPkcs7_Delete(PSIGNTOOLPKCS7 pThis)
|
---|
143 | {
|
---|
144 | RTCrPkcs7ContentInfo_Delete(&pThis->ContentInfo);
|
---|
145 | pThis->pIndData = NULL;
|
---|
146 | pThis->pSignedData = NULL;
|
---|
147 | pThis->pIndData = NULL;
|
---|
148 | RTMemFree(pThis->pbBuf);
|
---|
149 | pThis->pbBuf = NULL;
|
---|
150 | pThis->cbBuf = 0;
|
---|
151 | RTMemFree(pThis->pbNewBuf);
|
---|
152 | pThis->pbNewBuf = NULL;
|
---|
153 | pThis->cbNewBuf = 0;
|
---|
154 | }
|
---|
155 |
|
---|
156 |
|
---|
157 | /**
|
---|
158 | * Deletes the structure.
|
---|
159 | *
|
---|
160 | * @param pThis The structure to initialize.
|
---|
161 | */
|
---|
162 | static void SignToolPkcs7Exe_Delete(PSIGNTOOLPKCS7EXE pThis)
|
---|
163 | {
|
---|
164 | if (pThis->hLdrMod != NIL_RTLDRMOD)
|
---|
165 | {
|
---|
166 | int rc2 = RTLdrClose(pThis->hLdrMod);
|
---|
167 | if (RT_FAILURE(rc2))
|
---|
168 | RTMsgError("RTLdrClose failed: %Rrc\n", rc2);
|
---|
169 | pThis->hLdrMod = NIL_RTLDRMOD;
|
---|
170 | }
|
---|
171 | SignToolPkcs7_Delete(pThis);
|
---|
172 | }
|
---|
173 |
|
---|
174 |
|
---|
175 | /**
|
---|
176 | * Decodes the PKCS #7 blob pointed to by pThis->pbBuf.
|
---|
177 | *
|
---|
178 | * @returns IPRT status code (error message already shown on failure).
|
---|
179 | * @param pThis The PKCS\#7 signature to decode.
|
---|
180 | * @param fCatalog Set if catalog file, clear if executable.
|
---|
181 | */
|
---|
182 | static int SignToolPkcs7_Decode(PSIGNTOOLPKCS7 pThis, bool fCatalog)
|
---|
183 | {
|
---|
184 | RTERRINFOSTATIC ErrInfo;
|
---|
185 | RTASN1CURSORPRIMARY PrimaryCursor;
|
---|
186 | RTAsn1CursorInitPrimary(&PrimaryCursor, pThis->pbBuf, (uint32_t)pThis->cbBuf, RTErrInfoInitStatic(&ErrInfo),
|
---|
187 | &g_RTAsn1DefaultAllocator, 0, "WinCert");
|
---|
188 |
|
---|
189 | int rc = RTCrPkcs7ContentInfo_DecodeAsn1(&PrimaryCursor.Cursor, 0, &pThis->ContentInfo, "CI");
|
---|
190 | if (RT_SUCCESS(rc))
|
---|
191 | {
|
---|
192 | if (RTCrPkcs7ContentInfo_IsSignedData(&pThis->ContentInfo))
|
---|
193 | {
|
---|
194 | pThis->pSignedData = pThis->ContentInfo.u.pSignedData;
|
---|
195 |
|
---|
196 | /*
|
---|
197 | * Decode the authenticode bits.
|
---|
198 | */
|
---|
199 | if (!strcmp(pThis->pSignedData->ContentInfo.ContentType.szObjId, RTCRSPCINDIRECTDATACONTENT_OID))
|
---|
200 | {
|
---|
201 | pThis->pIndData = pThis->pSignedData->ContentInfo.u.pIndirectDataContent;
|
---|
202 | Assert(pThis->pIndData);
|
---|
203 |
|
---|
204 | /*
|
---|
205 | * Check that things add up.
|
---|
206 | */
|
---|
207 | rc = RTCrPkcs7SignedData_CheckSanity(pThis->pSignedData,
|
---|
208 | RTCRPKCS7SIGNEDDATA_SANITY_F_AUTHENTICODE
|
---|
209 | | RTCRPKCS7SIGNEDDATA_SANITY_F_ONLY_KNOWN_HASH
|
---|
210 | | RTCRPKCS7SIGNEDDATA_SANITY_F_SIGNING_CERT_PRESENT,
|
---|
211 | RTErrInfoInitStatic(&ErrInfo), "SD");
|
---|
212 | if (RT_SUCCESS(rc))
|
---|
213 | {
|
---|
214 | rc = RTCrSpcIndirectDataContent_CheckSanityEx(pThis->pIndData,
|
---|
215 | pThis->pSignedData,
|
---|
216 | RTCRSPCINDIRECTDATACONTENT_SANITY_F_ONLY_KNOWN_HASH,
|
---|
217 | RTErrInfoInitStatic(&ErrInfo));
|
---|
218 | if (RT_FAILURE(rc))
|
---|
219 | RTMsgError("SPC indirect data content sanity check failed for '%s': %Rrc - %s\n",
|
---|
220 | pThis->pszFilename, rc, ErrInfo.szMsg);
|
---|
221 | }
|
---|
222 | else
|
---|
223 | RTMsgError("PKCS#7 sanity check failed for '%s': %Rrc - %s\n", pThis->pszFilename, rc, ErrInfo.szMsg);
|
---|
224 | }
|
---|
225 | else if (!fCatalog)
|
---|
226 | RTMsgError("Unexpected the signed content in '%s': %s (expected %s)", pThis->pszFilename,
|
---|
227 | pThis->pSignedData->ContentInfo.ContentType.szObjId, RTCRSPCINDIRECTDATACONTENT_OID);
|
---|
228 | }
|
---|
229 | else
|
---|
230 | rc = RTMsgErrorRc(VERR_CR_PKCS7_NOT_SIGNED_DATA,
|
---|
231 | "PKCS#7 content is inside '%s' is not 'signedData': %s\n",
|
---|
232 | pThis->pszFilename, pThis->ContentInfo.ContentType.szObjId);
|
---|
233 | }
|
---|
234 | else
|
---|
235 | RTMsgError("RTCrPkcs7ContentInfo_DecodeAsn1 failed on '%s': %Rrc - %s\n", pThis->pszFilename, rc, ErrInfo.szMsg);
|
---|
236 | return rc;
|
---|
237 | }
|
---|
238 |
|
---|
239 |
|
---|
240 | /**
|
---|
241 | * Reads and decodes PKCS\#7 signature from the given cat file.
|
---|
242 | *
|
---|
243 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error message
|
---|
244 | * on failure.
|
---|
245 | * @param pThis The structure to initialize.
|
---|
246 | * @param pszFilename The catalog (or any other DER PKCS\#7) filename.
|
---|
247 | * @param cVerbosity The verbosity.
|
---|
248 | */
|
---|
249 | static RTEXITCODE SignToolPkcs7_InitFromFile(PSIGNTOOLPKCS7 pThis, const char *pszFilename, unsigned cVerbosity)
|
---|
250 | {
|
---|
251 | /*
|
---|
252 | * Init the return structure.
|
---|
253 | */
|
---|
254 | RT_ZERO(*pThis);
|
---|
255 | pThis->pszFilename = pszFilename;
|
---|
256 |
|
---|
257 | /*
|
---|
258 | * Lazy bird uses RTFileReadAll and duplicates the allocation.
|
---|
259 | */
|
---|
260 | void *pvFile;
|
---|
261 | int rc = RTFileReadAll(pszFilename, &pvFile, &pThis->cbBuf);
|
---|
262 | if (RT_SUCCESS(rc))
|
---|
263 | {
|
---|
264 | pThis->pbBuf = (uint8_t *)RTMemDup(pvFile, pThis->cbBuf);
|
---|
265 | RTFileReadAllFree(pvFile, pThis->cbBuf);
|
---|
266 | if (pThis->pbBuf)
|
---|
267 | {
|
---|
268 | if (cVerbosity > 2)
|
---|
269 | RTPrintf("PKCS#7 signature: %u bytes\n", pThis->cbBuf);
|
---|
270 |
|
---|
271 | /*
|
---|
272 | * Decode it.
|
---|
273 | */
|
---|
274 | rc = SignToolPkcs7_Decode(pThis, true /*fCatalog*/);
|
---|
275 | if (RT_SUCCESS(rc))
|
---|
276 | return RTEXITCODE_SUCCESS;
|
---|
277 | }
|
---|
278 | else
|
---|
279 | RTMsgError("Out of memory!");
|
---|
280 | }
|
---|
281 | else
|
---|
282 | RTMsgError("Error reading '%s' into memory: %Rrc", pszFilename, rc);
|
---|
283 |
|
---|
284 | SignToolPkcs7_Delete(pThis);
|
---|
285 | return RTEXITCODE_FAILURE;
|
---|
286 | }
|
---|
287 |
|
---|
288 |
|
---|
289 | /**
|
---|
290 | * Encodes the signature into the SIGNTOOLPKCS7::pbNewBuf and
|
---|
291 | * SIGNTOOLPKCS7::cbNewBuf members.
|
---|
292 | *
|
---|
293 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error message
|
---|
294 | * on failure.
|
---|
295 | * @param pThis The signature to encode.
|
---|
296 | * @param cVerbosity The verbosity.
|
---|
297 | */
|
---|
298 | static RTEXITCODE SignToolPkcs7_Encode(PSIGNTOOLPKCS7 pThis, unsigned cVerbosity)
|
---|
299 | {
|
---|
300 | RTERRINFOSTATIC StaticErrInfo;
|
---|
301 | PRTASN1CORE pRoot = RTCrPkcs7ContentInfo_GetAsn1Core(&pThis->ContentInfo);
|
---|
302 | uint32_t cbEncoded;
|
---|
303 | int rc = RTAsn1EncodePrepare(pRoot, RTASN1ENCODE_F_DER, &cbEncoded, RTErrInfoInitStatic(&StaticErrInfo));
|
---|
304 | if (RT_SUCCESS(rc))
|
---|
305 | {
|
---|
306 | if (cVerbosity >= 4)
|
---|
307 | RTAsn1Dump(pRoot, 0, 0, RTStrmDumpPrintfV, g_pStdOut);
|
---|
308 |
|
---|
309 | RTMemFree(pThis->pbNewBuf);
|
---|
310 | pThis->cbNewBuf = cbEncoded;
|
---|
311 | pThis->pbNewBuf = (uint8_t *)RTMemAllocZ(cbEncoded);
|
---|
312 | if (pThis->pbNewBuf)
|
---|
313 | {
|
---|
314 | rc = RTAsn1EncodeToBuffer(pRoot, RTASN1ENCODE_F_DER, pThis->pbNewBuf, pThis->cbNewBuf,
|
---|
315 | RTErrInfoInitStatic(&StaticErrInfo));
|
---|
316 | if (RT_SUCCESS(rc))
|
---|
317 | {
|
---|
318 | if (cVerbosity > 1)
|
---|
319 | RTMsgInfo("Encoded signature to %u bytes", cbEncoded);
|
---|
320 | return RTEXITCODE_SUCCESS;
|
---|
321 | }
|
---|
322 | RTMsgError("RTAsn1EncodeToBuffer failed: %Rrc", rc);
|
---|
323 |
|
---|
324 | RTMemFree(pThis->pbNewBuf);
|
---|
325 | pThis->pbNewBuf = NULL;
|
---|
326 | }
|
---|
327 | else
|
---|
328 | RTMsgError("Failed to allocate %u bytes!", cbEncoded);
|
---|
329 | }
|
---|
330 | else
|
---|
331 | RTMsgError("RTAsn1EncodePrepare failed: %Rrc - %s", rc, StaticErrInfo.szMsg);
|
---|
332 | return RTEXITCODE_FAILURE;
|
---|
333 | }
|
---|
334 |
|
---|
335 |
|
---|
336 | /**
|
---|
337 | * Adds the @a pSrc signature as a nested signature.
|
---|
338 | *
|
---|
339 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error message
|
---|
340 | * on failure.
|
---|
341 | * @param pThis The signature to modify.
|
---|
342 | * @param pSrc The signature to add as nested.
|
---|
343 | * @param cVerbosity The verbosity.
|
---|
344 | */
|
---|
345 | static RTEXITCODE SignToolPkcs7_AddNestedSignature(PSIGNTOOLPKCS7 pThis, PSIGNTOOLPKCS7 pSrc, unsigned cVerbosity)
|
---|
346 | {
|
---|
347 | PRTCRPKCS7SIGNERINFO pSignerInfo = pThis->pSignedData->SignerInfos.papItems[0];
|
---|
348 | int rc;
|
---|
349 |
|
---|
350 | /*
|
---|
351 | * Deal with UnauthenticatedAttributes being absent before trying to append to the array.
|
---|
352 | */
|
---|
353 | if (pSignerInfo->UnauthenticatedAttributes.cItems == 0)
|
---|
354 | {
|
---|
355 | /* HACK ALERT! Invent ASN.1 setters/whatever for members to replace this mess. */
|
---|
356 |
|
---|
357 | if (pSignerInfo->AuthenticatedAttributes.cItems == 0)
|
---|
358 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No authenticated or unauthenticated attributes! Sorry, no can do.");
|
---|
359 |
|
---|
360 | Assert(pSignerInfo->UnauthenticatedAttributes.SetCore.Asn1Core.uTag == 0);
|
---|
361 | rc = RTAsn1SetCore_Init(&pSignerInfo->UnauthenticatedAttributes.SetCore,
|
---|
362 | pSignerInfo->AuthenticatedAttributes.SetCore.Asn1Core.pOps);
|
---|
363 | if (RT_FAILURE(rc))
|
---|
364 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "RTAsn1SetCore_Init failed: %Rrc", rc);
|
---|
365 | pSignerInfo->UnauthenticatedAttributes.SetCore.Asn1Core.uTag = 1;
|
---|
366 | pSignerInfo->UnauthenticatedAttributes.SetCore.Asn1Core.fClass = ASN1_TAGCLASS_CONTEXT | ASN1_TAGFLAG_CONSTRUCTED;
|
---|
367 | RTAsn1MemInitArrayAllocation(&pSignerInfo->UnauthenticatedAttributes.Allocation,
|
---|
368 | pSignerInfo->AuthenticatedAttributes.Allocation.pAllocator,
|
---|
369 | sizeof(**pSignerInfo->UnauthenticatedAttributes.papItems));
|
---|
370 | }
|
---|
371 |
|
---|
372 | int32_t iPos = RTCrPkcs7Attributes_Append(&pSignerInfo->UnauthenticatedAttributes);
|
---|
373 | if (iPos >= 0)
|
---|
374 | {
|
---|
375 | if (cVerbosity >= 3)
|
---|
376 | RTMsgInfo("Adding UnauthenticatedAttribute #%u...", iPos);
|
---|
377 | Assert((uint32_t)iPos < pSignerInfo->UnauthenticatedAttributes.cItems);
|
---|
378 |
|
---|
379 | PRTCRPKCS7ATTRIBUTE pAttr = pSignerInfo->UnauthenticatedAttributes.papItems[iPos];
|
---|
380 | rc = RTAsn1ObjId_InitFromString(&pAttr->Type, RTCR_PKCS9_ID_MS_NESTED_SIGNATURE, pAttr->Allocation.pAllocator);
|
---|
381 | if (RT_SUCCESS(rc))
|
---|
382 | {
|
---|
383 | /** @todo Generalize the Type + enmType DYN stuff and generate setters. */
|
---|
384 | Assert(pAttr->enmType == RTCRPKCS7ATTRIBUTETYPE_NOT_PRESENT);
|
---|
385 | Assert(pAttr->uValues.pContentInfos == NULL);
|
---|
386 | pAttr->enmType = RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE;
|
---|
387 | rc = RTAsn1MemAllocZ(&pAttr->Allocation, (void **)&pAttr->uValues.pContentInfos,
|
---|
388 | sizeof(*pAttr->uValues.pContentInfos));
|
---|
389 | if (RT_SUCCESS(rc))
|
---|
390 | {
|
---|
391 | rc = RTCrPkcs7SetOfContentInfos_Init(pAttr->uValues.pContentInfos, pAttr->Allocation.pAllocator);
|
---|
392 | if (RT_SUCCESS(rc))
|
---|
393 | {
|
---|
394 | iPos = RTCrPkcs7SetOfContentInfos_Append(pAttr->uValues.pContentInfos);
|
---|
395 | Assert(iPos == 0);
|
---|
396 | if (iPos >= 0)
|
---|
397 | {
|
---|
398 | PRTCRPKCS7CONTENTINFO pCntInfo = pAttr->uValues.pContentInfos->papItems[iPos];
|
---|
399 | rc = RTCrPkcs7ContentInfo_Clone(pCntInfo, &pSrc->ContentInfo, pAttr->Allocation.pAllocator);
|
---|
400 | if (RT_SUCCESS(rc))
|
---|
401 | {
|
---|
402 | if (cVerbosity > 0)
|
---|
403 | RTMsgInfo("Added nested signature");
|
---|
404 | if (cVerbosity >= 3)
|
---|
405 | {
|
---|
406 | RTMsgInfo("SingerInfo dump after change:");
|
---|
407 | RTAsn1Dump(RTCrPkcs7SignerInfo_GetAsn1Core(pSignerInfo), 0, 2, RTStrmDumpPrintfV, g_pStdOut);
|
---|
408 | }
|
---|
409 |
|
---|
410 | return RTEXITCODE_SUCCESS;
|
---|
411 | }
|
---|
412 |
|
---|
413 | RTMsgError("RTCrPkcs7ContentInfo_Clone failed: %Rrc", iPos);
|
---|
414 | }
|
---|
415 | else
|
---|
416 | RTMsgError("RTCrPkcs7ContentInfos_Append failed: %Rrc", iPos);
|
---|
417 | }
|
---|
418 | else
|
---|
419 | RTMsgError("RTCrPkcs7ContentInfos_Init failed: %Rrc", rc);
|
---|
420 | }
|
---|
421 | else
|
---|
422 | RTMsgError("RTAsn1MemAllocZ failed: %Rrc", rc);
|
---|
423 | }
|
---|
424 | else
|
---|
425 | RTMsgError("RTAsn1ObjId_InitFromString failed: %Rrc", rc);
|
---|
426 | }
|
---|
427 | else
|
---|
428 | RTMsgError("RTCrPkcs7Attributes_Append failed: %Rrc", iPos);
|
---|
429 | NOREF(cVerbosity);
|
---|
430 | return RTEXITCODE_FAILURE;
|
---|
431 | }
|
---|
432 |
|
---|
433 |
|
---|
434 | /**
|
---|
435 | * Writes the signature to the file.
|
---|
436 | *
|
---|
437 | * Caller must have called SignToolPkcs7_Encode() prior to this function.
|
---|
438 | *
|
---|
439 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error
|
---|
440 | * message on failure.
|
---|
441 | * @param pThis The file which to write.
|
---|
442 | * @param cVerbosity The verbosity.
|
---|
443 | */
|
---|
444 | static RTEXITCODE SignToolPkcs7_WriteSignatureToFile(PSIGNTOOLPKCS7 pThis, const char *pszFilename, unsigned cVerbosity)
|
---|
445 | {
|
---|
446 | AssertReturn(pThis->cbNewBuf && pThis->pbNewBuf, RTEXITCODE_FAILURE);
|
---|
447 |
|
---|
448 | /*
|
---|
449 | * Open+truncate file, write new signature, close. Simple.
|
---|
450 | */
|
---|
451 | RTFILE hFile;
|
---|
452 | int rc = RTFileOpen(&hFile, pszFilename, RTFILE_O_WRITE | RTFILE_O_OPEN_CREATE | RTFILE_O_TRUNCATE | RTFILE_O_DENY_WRITE);
|
---|
453 | if (RT_SUCCESS(rc))
|
---|
454 | {
|
---|
455 | rc = RTFileWrite(hFile, pThis->pbNewBuf, pThis->cbNewBuf, NULL);
|
---|
456 | if (RT_SUCCESS(rc))
|
---|
457 | {
|
---|
458 | rc = RTFileClose(hFile);
|
---|
459 | if (RT_SUCCESS(rc))
|
---|
460 | {
|
---|
461 | if (cVerbosity > 0)
|
---|
462 | RTMsgInfo("Wrote %u bytes to %s", pThis->cbNewBuf, pszFilename);
|
---|
463 | return RTEXITCODE_SUCCESS;
|
---|
464 | }
|
---|
465 |
|
---|
466 | RTMsgError("RTFileClose failed on %s: %Rrc", pszFilename, rc);
|
---|
467 | }
|
---|
468 | else
|
---|
469 | RTMsgError("Write error on %s: %Rrc", pszFilename, rc);
|
---|
470 | }
|
---|
471 | else
|
---|
472 | RTMsgError("Failed to open %s for writing: %Rrc", pszFilename, rc);
|
---|
473 | return RTEXITCODE_FAILURE;
|
---|
474 | }
|
---|
475 |
|
---|
476 |
|
---|
477 |
|
---|
478 | /**
|
---|
479 | * Worker for recursively searching for MS nested signatures and signer infos.
|
---|
480 | *
|
---|
481 | * @returns Pointer to the signer info corresponding to @a iSignature. NULL if
|
---|
482 | * not found.
|
---|
483 | * @param pSignedData The signature to search.
|
---|
484 | * @param piNextSignature Pointer to the variable keeping track of the next
|
---|
485 | * signature number.
|
---|
486 | * @param iReqSignature The request signature number.
|
---|
487 | * @param ppSignedData Where to return the signature data structure.
|
---|
488 | */
|
---|
489 | static PRTCRPKCS7SIGNERINFO SignToolPkcs7_FindNestedSignatureByIndexWorker(PRTCRPKCS7SIGNEDDATA pSignedData,
|
---|
490 | uint32_t *piNextSignature,
|
---|
491 | uint32_t iReqSignature,
|
---|
492 | PRTCRPKCS7SIGNEDDATA *ppSignedData)
|
---|
493 | {
|
---|
494 | for (uint32_t iSignerInfo = 0; iSignerInfo < pSignedData->SignerInfos.cItems; iSignerInfo++)
|
---|
495 | {
|
---|
496 | /* Match?*/
|
---|
497 | PRTCRPKCS7SIGNERINFO pSignerInfo = pSignedData->SignerInfos.papItems[iSignerInfo];
|
---|
498 | if (*piNextSignature == iReqSignature)
|
---|
499 | {
|
---|
500 | *ppSignedData = pSignedData;
|
---|
501 | return pSignerInfo;
|
---|
502 | }
|
---|
503 | *piNextSignature += 1;
|
---|
504 |
|
---|
505 | /* Look for nested signatures. */
|
---|
506 | for (uint32_t iAttrib = 0; iAttrib < pSignerInfo->UnauthenticatedAttributes.cItems; iAttrib++)
|
---|
507 | if (pSignerInfo->UnauthenticatedAttributes.papItems[iAttrib]->enmType == RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE)
|
---|
508 | {
|
---|
509 | PRTCRPKCS7SETOFCONTENTINFOS pCntInfos;
|
---|
510 | pCntInfos = pSignerInfo->UnauthenticatedAttributes.papItems[iAttrib]->uValues.pContentInfos;
|
---|
511 | for (uint32_t iCntInfo = 0; iCntInfo < pCntInfos->cItems; iCntInfo++)
|
---|
512 | {
|
---|
513 | PRTCRPKCS7CONTENTINFO pCntInfo = pCntInfos->papItems[iCntInfo];
|
---|
514 | if (RTCrPkcs7ContentInfo_IsSignedData(pCntInfo))
|
---|
515 | {
|
---|
516 | PRTCRPKCS7SIGNERINFO pRet;
|
---|
517 | pRet = SignToolPkcs7_FindNestedSignatureByIndexWorker(pCntInfo->u.pSignedData, piNextSignature,
|
---|
518 | iReqSignature, ppSignedData);
|
---|
519 | if (pRet)
|
---|
520 | return pRet;
|
---|
521 | }
|
---|
522 | }
|
---|
523 | }
|
---|
524 | }
|
---|
525 | return NULL;
|
---|
526 | }
|
---|
527 |
|
---|
528 |
|
---|
529 | /**
|
---|
530 | * Locates the given nested signature.
|
---|
531 | *
|
---|
532 | * @returns Pointer to the signer info corresponding to @a iSignature. NULL if
|
---|
533 | * not found.
|
---|
534 | * @param pThis The PKCS\#7 structure to search.
|
---|
535 | * @param iReqSignature The requested signature number.
|
---|
536 | * @param ppSignedData Where to return the pointer to the signed data that
|
---|
537 | * the returned signer info belongs to.
|
---|
538 | *
|
---|
539 | * @todo Move into SPC or PKCS\#7.
|
---|
540 | */
|
---|
541 | static PRTCRPKCS7SIGNERINFO SignToolPkcs7_FindNestedSignatureByIndex(PSIGNTOOLPKCS7 pThis, uint32_t iReqSignature,
|
---|
542 | PRTCRPKCS7SIGNEDDATA *ppSignedData)
|
---|
543 | {
|
---|
544 | uint32_t iNextSignature = 0;
|
---|
545 | return SignToolPkcs7_FindNestedSignatureByIndexWorker(pThis->pSignedData, &iNextSignature, iReqSignature, ppSignedData);
|
---|
546 | }
|
---|
547 |
|
---|
548 |
|
---|
549 |
|
---|
550 | /**
|
---|
551 | * Reads and decodes PKCS\#7 signature from the given executable.
|
---|
552 | *
|
---|
553 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error message
|
---|
554 | * on failure.
|
---|
555 | * @param pThis The structure to initialize.
|
---|
556 | * @param pszFilename The executable filename.
|
---|
557 | * @param cVerbosity The verbosity.
|
---|
558 | * @param enmLdrArch For FAT binaries.
|
---|
559 | */
|
---|
560 | static RTEXITCODE SignToolPkcs7Exe_InitFromFile(PSIGNTOOLPKCS7EXE pThis, const char *pszFilename,
|
---|
561 | unsigned cVerbosity, RTLDRARCH enmLdrArch = RTLDRARCH_WHATEVER)
|
---|
562 | {
|
---|
563 | /*
|
---|
564 | * Init the return structure.
|
---|
565 | */
|
---|
566 | RT_ZERO(*pThis);
|
---|
567 | pThis->hLdrMod = NIL_RTLDRMOD;
|
---|
568 | pThis->pszFilename = pszFilename;
|
---|
569 |
|
---|
570 | /*
|
---|
571 | * Open the image and check if it's signed.
|
---|
572 | */
|
---|
573 | int rc = RTLdrOpen(pszFilename, RTLDR_O_FOR_VALIDATION, enmLdrArch, &pThis->hLdrMod);
|
---|
574 | if (RT_SUCCESS(rc))
|
---|
575 | {
|
---|
576 | bool fIsSigned = false;
|
---|
577 | rc = RTLdrQueryProp(pThis->hLdrMod, RTLDRPROP_IS_SIGNED, &fIsSigned, sizeof(fIsSigned));
|
---|
578 | if (RT_SUCCESS(rc) && fIsSigned)
|
---|
579 | {
|
---|
580 | /*
|
---|
581 | * Query the PKCS#7 data (assuming M$ style signing) and hand it to a worker.
|
---|
582 | */
|
---|
583 | size_t cbActual = 0;
|
---|
584 | #ifdef DEBUG
|
---|
585 | size_t cbBuf = 64;
|
---|
586 | #else
|
---|
587 | size_t cbBuf = _512K;
|
---|
588 | #endif
|
---|
589 | void *pvBuf = RTMemAllocZ(cbBuf);
|
---|
590 | if (pvBuf)
|
---|
591 | {
|
---|
592 | rc = RTLdrQueryPropEx(pThis->hLdrMod, RTLDRPROP_PKCS7_SIGNED_DATA, NULL /*pvBits*/, pvBuf, cbBuf, &cbActual);
|
---|
593 | if (rc == VERR_BUFFER_OVERFLOW)
|
---|
594 | {
|
---|
595 | RTMemFree(pvBuf);
|
---|
596 | cbBuf = cbActual;
|
---|
597 | pvBuf = RTMemAllocZ(cbActual);
|
---|
598 | if (pvBuf)
|
---|
599 | rc = RTLdrQueryPropEx(pThis->hLdrMod, RTLDRPROP_PKCS7_SIGNED_DATA, NULL /*pvBits*/,
|
---|
600 | pvBuf, cbBuf, &cbActual);
|
---|
601 | else
|
---|
602 | rc = VERR_NO_MEMORY;
|
---|
603 | }
|
---|
604 | }
|
---|
605 | else
|
---|
606 | rc = VERR_NO_MEMORY;
|
---|
607 |
|
---|
608 | pThis->pbBuf = (uint8_t *)pvBuf;
|
---|
609 | pThis->cbBuf = cbActual;
|
---|
610 | if (RT_SUCCESS(rc))
|
---|
611 | {
|
---|
612 | if (cVerbosity > 2)
|
---|
613 | RTPrintf("PKCS#7 signature: %u bytes\n", cbActual);
|
---|
614 |
|
---|
615 | /*
|
---|
616 | * Decode it.
|
---|
617 | */
|
---|
618 | rc = SignToolPkcs7_Decode(pThis, false /*fCatalog*/);
|
---|
619 | if (RT_SUCCESS(rc))
|
---|
620 | return RTEXITCODE_SUCCESS;
|
---|
621 | }
|
---|
622 | else
|
---|
623 | RTMsgError("RTLdrQueryPropEx/RTLDRPROP_PKCS7_SIGNED_DATA failed on '%s': %Rrc\n", pszFilename, rc);
|
---|
624 | }
|
---|
625 | else if (RT_SUCCESS(rc))
|
---|
626 | RTMsgInfo("'%s': not signed\n", pszFilename);
|
---|
627 | else
|
---|
628 | RTMsgError("RTLdrQueryProp/RTLDRPROP_IS_SIGNED failed on '%s': %Rrc\n", pszFilename, rc);
|
---|
629 | }
|
---|
630 | else
|
---|
631 | RTMsgError("Error opening executable image '%s': %Rrc", pszFilename, rc);
|
---|
632 |
|
---|
633 | SignToolPkcs7Exe_Delete(pThis);
|
---|
634 | return RTEXITCODE_FAILURE;
|
---|
635 | }
|
---|
636 |
|
---|
637 |
|
---|
638 | /**
|
---|
639 | * Calculates the checksum of an executable.
|
---|
640 | *
|
---|
641 | * @returns Success indicator (errors are reported)
|
---|
642 | * @param pThis The exe file to checksum.
|
---|
643 | * @param hFile The file handle.
|
---|
644 | * @param puCheckSum Where to return the checksum.
|
---|
645 | */
|
---|
646 | static bool SignToolPkcs7Exe_CalcPeCheckSum(PSIGNTOOLPKCS7EXE pThis, RTFILE hFile, uint32_t *puCheckSum)
|
---|
647 | {
|
---|
648 | #ifdef RT_OS_WINDOWS
|
---|
649 | /*
|
---|
650 | * Try use IMAGEHLP!MapFileAndCheckSumW first.
|
---|
651 | */
|
---|
652 | PRTUTF16 pwszPath;
|
---|
653 | int rc = RTStrToUtf16(pThis->pszFilename, &pwszPath);
|
---|
654 | if (RT_SUCCESS(rc))
|
---|
655 | {
|
---|
656 | decltype(MapFileAndCheckSumW) *pfnMapFileAndCheckSumW;
|
---|
657 | pfnMapFileAndCheckSumW = (decltype(MapFileAndCheckSumW) *)RTLdrGetSystemSymbol("IMAGEHLP.DLL", "MapFileAndCheckSumW");
|
---|
658 | if (pfnMapFileAndCheckSumW)
|
---|
659 | {
|
---|
660 | DWORD uHeaderSum = UINT32_MAX;
|
---|
661 | DWORD uCheckSum = UINT32_MAX;
|
---|
662 | DWORD dwRc = pfnMapFileAndCheckSumW(pwszPath, &uHeaderSum, &uCheckSum);
|
---|
663 | if (dwRc == CHECKSUM_SUCCESS)
|
---|
664 | {
|
---|
665 | *puCheckSum = uCheckSum;
|
---|
666 | return true;
|
---|
667 | }
|
---|
668 | }
|
---|
669 | }
|
---|
670 | #endif
|
---|
671 |
|
---|
672 | RT_NOREF(pThis, hFile, puCheckSum);
|
---|
673 | RTMsgError("Implement check sum calcuation fallback!");
|
---|
674 | return false;
|
---|
675 | }
|
---|
676 |
|
---|
677 |
|
---|
678 | /**
|
---|
679 | * Writes the signature to the file.
|
---|
680 | *
|
---|
681 | * This has the side-effect of closing the hLdrMod member. So, it can only be
|
---|
682 | * called once!
|
---|
683 | *
|
---|
684 | * Caller must have called SignToolPkcs7_Encode() prior to this function.
|
---|
685 | *
|
---|
686 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error
|
---|
687 | * message on failure.
|
---|
688 | * @param pThis The file which to write.
|
---|
689 | * @param cVerbosity The verbosity.
|
---|
690 | */
|
---|
691 | static RTEXITCODE SignToolPkcs7Exe_WriteSignatureToFile(PSIGNTOOLPKCS7EXE pThis, unsigned cVerbosity)
|
---|
692 | {
|
---|
693 | AssertReturn(pThis->cbNewBuf && pThis->pbNewBuf, RTEXITCODE_FAILURE);
|
---|
694 |
|
---|
695 | /*
|
---|
696 | * Get the file header offset and arch before closing the destination handle.
|
---|
697 | */
|
---|
698 | uint32_t offNtHdrs;
|
---|
699 | int rc = RTLdrQueryProp(pThis->hLdrMod, RTLDRPROP_FILE_OFF_HEADER, &offNtHdrs, sizeof(offNtHdrs));
|
---|
700 | if (RT_SUCCESS(rc))
|
---|
701 | {
|
---|
702 | RTLDRARCH enmLdrArch = RTLdrGetArch(pThis->hLdrMod);
|
---|
703 | if (enmLdrArch != RTLDRARCH_INVALID)
|
---|
704 | {
|
---|
705 | RTLdrClose(pThis->hLdrMod);
|
---|
706 | pThis->hLdrMod = NIL_RTLDRMOD;
|
---|
707 | unsigned cbNtHdrs = 0;
|
---|
708 | switch (enmLdrArch)
|
---|
709 | {
|
---|
710 | case RTLDRARCH_AMD64:
|
---|
711 | cbNtHdrs = sizeof(IMAGE_NT_HEADERS64);
|
---|
712 | break;
|
---|
713 | case RTLDRARCH_X86_32:
|
---|
714 | cbNtHdrs = sizeof(IMAGE_NT_HEADERS32);
|
---|
715 | break;
|
---|
716 | default:
|
---|
717 | RTMsgError("Unknown image arch: %d", enmLdrArch);
|
---|
718 | }
|
---|
719 | if (cbNtHdrs > 0)
|
---|
720 | {
|
---|
721 | if (cVerbosity > 0)
|
---|
722 | RTMsgInfo("offNtHdrs=%#x cbNtHdrs=%u\n", offNtHdrs, cbNtHdrs);
|
---|
723 |
|
---|
724 | /*
|
---|
725 | * Open the executable file for writing.
|
---|
726 | */
|
---|
727 | RTFILE hFile;
|
---|
728 | rc = RTFileOpen(&hFile, pThis->pszFilename, RTFILE_O_READWRITE | RTFILE_O_OPEN | RTFILE_O_DENY_WRITE);
|
---|
729 | if (RT_SUCCESS(rc))
|
---|
730 | {
|
---|
731 | /* Read the file header and locate the security directory entry. */
|
---|
732 | union
|
---|
733 | {
|
---|
734 | IMAGE_NT_HEADERS32 NtHdrs32;
|
---|
735 | IMAGE_NT_HEADERS64 NtHdrs64;
|
---|
736 | } uBuf;
|
---|
737 | PIMAGE_DATA_DIRECTORY pSecDir = cbNtHdrs == sizeof(IMAGE_NT_HEADERS64)
|
---|
738 | ? &uBuf.NtHdrs64.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]
|
---|
739 | : &uBuf.NtHdrs32.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY];
|
---|
740 |
|
---|
741 | rc = RTFileReadAt(hFile, offNtHdrs, &uBuf, cbNtHdrs, NULL);
|
---|
742 | if ( RT_SUCCESS(rc)
|
---|
743 | && uBuf.NtHdrs32.Signature == IMAGE_NT_SIGNATURE)
|
---|
744 | {
|
---|
745 | /*
|
---|
746 | * Drop any old signature by truncating the file.
|
---|
747 | */
|
---|
748 | if ( pSecDir->Size > 8
|
---|
749 | && pSecDir->VirtualAddress > offNtHdrs + sizeof(IMAGE_NT_HEADERS32))
|
---|
750 | {
|
---|
751 | rc = RTFileSetSize(hFile, pSecDir->VirtualAddress);
|
---|
752 | if (RT_FAILURE(rc))
|
---|
753 | RTMsgError("Error truncating file to %#x bytes: %Rrc", pSecDir->VirtualAddress, rc);
|
---|
754 | }
|
---|
755 | else
|
---|
756 | rc = RTMsgErrorRc(VERR_BAD_EXE_FORMAT, "Bad security directory entry: VA=%#x Size=%#x",
|
---|
757 | pSecDir->VirtualAddress, pSecDir->Size);
|
---|
758 | if (RT_SUCCESS(rc))
|
---|
759 | {
|
---|
760 | /*
|
---|
761 | * Sector align the signature portion.
|
---|
762 | */
|
---|
763 | uint32_t const cbWinCert = RT_OFFSETOF(WIN_CERTIFICATE, bCertificate);
|
---|
764 | uint64_t offCur = 0;
|
---|
765 | rc = RTFileGetSize(hFile, &offCur);
|
---|
766 | if ( RT_SUCCESS(rc)
|
---|
767 | && offCur < _2G)
|
---|
768 | {
|
---|
769 | if (offCur & 0x1ff)
|
---|
770 | {
|
---|
771 | uint32_t cbNeeded = 0x200 - ((uint32_t)offCur & 0x1ff);
|
---|
772 | rc = RTFileWriteAt(hFile, offCur, g_abRTZero4K, cbNeeded, NULL);
|
---|
773 | if (RT_SUCCESS(rc))
|
---|
774 | offCur += cbNeeded;
|
---|
775 | }
|
---|
776 | if (RT_SUCCESS(rc))
|
---|
777 | {
|
---|
778 | /*
|
---|
779 | * Write the header followed by the signature data.
|
---|
780 | */
|
---|
781 | uint32_t const cbZeroPad = (uint32_t)(RT_ALIGN_Z(pThis->cbNewBuf, 8) - pThis->cbNewBuf);
|
---|
782 | pSecDir->VirtualAddress = (uint32_t)offCur;
|
---|
783 | pSecDir->Size = cbWinCert + (uint32_t)pThis->cbNewBuf + cbZeroPad;
|
---|
784 | if (cVerbosity >= 2)
|
---|
785 | RTMsgInfo("Writing %u (%#x) bytes of signature at %#x (%u).\n",
|
---|
786 | pSecDir->Size, pSecDir->Size, pSecDir->VirtualAddress, pSecDir->VirtualAddress);
|
---|
787 |
|
---|
788 | WIN_CERTIFICATE WinCert;
|
---|
789 | WinCert.dwLength = pSecDir->Size;
|
---|
790 | WinCert.wRevision = WIN_CERT_REVISION_2_0;
|
---|
791 | WinCert.wCertificateType = WIN_CERT_TYPE_PKCS_SIGNED_DATA;
|
---|
792 |
|
---|
793 | rc = RTFileWriteAt(hFile, offCur, &WinCert, cbWinCert, NULL);
|
---|
794 | if (RT_SUCCESS(rc))
|
---|
795 | {
|
---|
796 | offCur += cbWinCert;
|
---|
797 | rc = RTFileWriteAt(hFile, offCur, pThis->pbNewBuf, pThis->cbNewBuf, NULL);
|
---|
798 | }
|
---|
799 | if (RT_SUCCESS(rc) && cbZeroPad)
|
---|
800 | {
|
---|
801 | offCur += pThis->cbNewBuf;
|
---|
802 | rc = RTFileWriteAt(hFile, offCur, g_abRTZero4K, cbZeroPad, NULL);
|
---|
803 | }
|
---|
804 | if (RT_SUCCESS(rc))
|
---|
805 | {
|
---|
806 | /*
|
---|
807 | * Reset the checksum (sec dir updated already) and rewrite the header.
|
---|
808 | */
|
---|
809 | uBuf.NtHdrs32.OptionalHeader.CheckSum = 0;
|
---|
810 | offCur = offNtHdrs;
|
---|
811 | rc = RTFileWriteAt(hFile, offNtHdrs, &uBuf, cbNtHdrs, NULL);
|
---|
812 | if (RT_SUCCESS(rc))
|
---|
813 | rc = RTFileFlush(hFile);
|
---|
814 | if (RT_SUCCESS(rc))
|
---|
815 | {
|
---|
816 | /*
|
---|
817 | * Calc checksum and write out the header again.
|
---|
818 | */
|
---|
819 | uint32_t uCheckSum = UINT32_MAX;
|
---|
820 | if (SignToolPkcs7Exe_CalcPeCheckSum(pThis, hFile, &uCheckSum))
|
---|
821 | {
|
---|
822 | uBuf.NtHdrs32.OptionalHeader.CheckSum = uCheckSum;
|
---|
823 | rc = RTFileWriteAt(hFile, offNtHdrs, &uBuf, cbNtHdrs, NULL);
|
---|
824 | if (RT_SUCCESS(rc))
|
---|
825 | rc = RTFileFlush(hFile);
|
---|
826 | if (RT_SUCCESS(rc))
|
---|
827 | {
|
---|
828 | rc = RTFileClose(hFile);
|
---|
829 | if (RT_SUCCESS(rc))
|
---|
830 | return RTEXITCODE_SUCCESS;
|
---|
831 | RTMsgError("RTFileClose failed: %Rrc\n", rc);
|
---|
832 | return RTEXITCODE_FAILURE;
|
---|
833 | }
|
---|
834 | }
|
---|
835 | }
|
---|
836 | }
|
---|
837 | }
|
---|
838 | if (RT_FAILURE(rc))
|
---|
839 | RTMsgError("Write error at %#RX64: %Rrc", offCur, rc);
|
---|
840 | }
|
---|
841 | else if (RT_SUCCESS(rc))
|
---|
842 | RTMsgError("File to big: %'RU64 bytes", offCur);
|
---|
843 | else
|
---|
844 | RTMsgError("RTFileGetSize failed: %Rrc", rc);
|
---|
845 | }
|
---|
846 | }
|
---|
847 | else if (RT_SUCCESS(rc))
|
---|
848 | RTMsgError("Not NT executable header!");
|
---|
849 | else
|
---|
850 | RTMsgError("Error reading NT headers (%#x bytes) at %#x: %Rrc", cbNtHdrs, offNtHdrs, rc);
|
---|
851 | RTFileClose(hFile);
|
---|
852 | }
|
---|
853 | else
|
---|
854 | RTMsgError("Failed to open '%s' for writing: %Rrc", pThis->pszFilename, rc);
|
---|
855 | }
|
---|
856 | }
|
---|
857 | else
|
---|
858 | RTMsgError("RTLdrGetArch failed!");
|
---|
859 | }
|
---|
860 | else
|
---|
861 | RTMsgError("RTLdrQueryProp/RTLDRPROP_FILE_OFF_HEADER failed: %Rrc", rc);
|
---|
862 | return RTEXITCODE_FAILURE;
|
---|
863 | }
|
---|
864 |
|
---|
865 |
|
---|
866 |
|
---|
867 | /*
|
---|
868 | * The 'extract-exe-signer-cert' command.
|
---|
869 | */
|
---|
870 | static RTEXITCODE HelpExtractExeSignerCert(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
871 | {
|
---|
872 | RT_NOREF_PV(enmLevel);
|
---|
873 | RTStrmPrintf(pStrm, "extract-exe-signer-cert [--ber|--cer|--der] [--signature-index|-i <num>] [--exe|-e] <exe> [--output|-o] <outfile.cer>\n");
|
---|
874 | return RTEXITCODE_SUCCESS;
|
---|
875 | }
|
---|
876 |
|
---|
877 | static RTEXITCODE HandleExtractExeSignerCert(int cArgs, char **papszArgs)
|
---|
878 | {
|
---|
879 | /*
|
---|
880 | * Parse arguments.
|
---|
881 | */
|
---|
882 | static const RTGETOPTDEF s_aOptions[] =
|
---|
883 | {
|
---|
884 | { "--ber", 'b', RTGETOPT_REQ_NOTHING },
|
---|
885 | { "--cer", 'c', RTGETOPT_REQ_NOTHING },
|
---|
886 | { "--der", 'd', RTGETOPT_REQ_NOTHING },
|
---|
887 | { "--exe", 'e', RTGETOPT_REQ_STRING },
|
---|
888 | { "--output", 'o', RTGETOPT_REQ_STRING },
|
---|
889 | { "--signature-index", 'i', RTGETOPT_REQ_UINT32 },
|
---|
890 | };
|
---|
891 |
|
---|
892 | const char *pszExe = NULL;
|
---|
893 | const char *pszOut = NULL;
|
---|
894 | RTLDRARCH enmLdrArch = RTLDRARCH_WHATEVER;
|
---|
895 | unsigned cVerbosity = 0;
|
---|
896 | uint32_t fCursorFlags = RTASN1CURSOR_FLAGS_DER;
|
---|
897 | uint32_t iSignature = 0;
|
---|
898 |
|
---|
899 | RTGETOPTSTATE GetState;
|
---|
900 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
901 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
902 | RTGETOPTUNION ValueUnion;
|
---|
903 | int ch;
|
---|
904 | while ((ch = RTGetOpt(&GetState, &ValueUnion)))
|
---|
905 | {
|
---|
906 | switch (ch)
|
---|
907 | {
|
---|
908 | case 'e': pszExe = ValueUnion.psz; break;
|
---|
909 | case 'o': pszOut = ValueUnion.psz; break;
|
---|
910 | case 'b': fCursorFlags = 0; break;
|
---|
911 | case 'c': fCursorFlags = RTASN1CURSOR_FLAGS_CER; break;
|
---|
912 | case 'd': fCursorFlags = RTASN1CURSOR_FLAGS_DER; break;
|
---|
913 | case 'i': iSignature = ValueUnion.u32; break;
|
---|
914 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
915 | case 'h': return HelpExtractExeSignerCert(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
916 |
|
---|
917 | case VINF_GETOPT_NOT_OPTION:
|
---|
918 | if (!pszExe)
|
---|
919 | pszExe = ValueUnion.psz;
|
---|
920 | else if (!pszOut)
|
---|
921 | pszOut = ValueUnion.psz;
|
---|
922 | else
|
---|
923 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Too many file arguments: %s", ValueUnion.psz);
|
---|
924 | break;
|
---|
925 |
|
---|
926 | default:
|
---|
927 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
928 | }
|
---|
929 | }
|
---|
930 | if (!pszExe)
|
---|
931 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No executable given.");
|
---|
932 | if (!pszOut)
|
---|
933 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No output file given.");
|
---|
934 | if (RTPathExists(pszOut))
|
---|
935 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "The output file '%s' exists.", pszOut);
|
---|
936 |
|
---|
937 | /*
|
---|
938 | * Do it.
|
---|
939 | */
|
---|
940 | /* Read & decode the PKCS#7 signature. */
|
---|
941 | SIGNTOOLPKCS7EXE This;
|
---|
942 | RTEXITCODE rcExit = SignToolPkcs7Exe_InitFromFile(&This, pszExe, cVerbosity, enmLdrArch);
|
---|
943 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
944 | {
|
---|
945 | /* Find the signing certificate (ASSUMING that the certificate used is shipped in the set of certificates). */
|
---|
946 | PRTCRPKCS7SIGNEDDATA pSignedData;
|
---|
947 | PCRTCRPKCS7SIGNERINFO pSignerInfo = SignToolPkcs7_FindNestedSignatureByIndex(&This, iSignature, &pSignedData);
|
---|
948 | rcExit = RTEXITCODE_FAILURE;
|
---|
949 | if (pSignerInfo)
|
---|
950 | {
|
---|
951 | PCRTCRPKCS7ISSUERANDSERIALNUMBER pISN = &pSignedData->SignerInfos.papItems[0]->IssuerAndSerialNumber;
|
---|
952 | PCRTCRX509CERTIFICATE pCert;
|
---|
953 | pCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&pSignedData->Certificates,
|
---|
954 | &pISN->Name, &pISN->SerialNumber);
|
---|
955 | if (pCert)
|
---|
956 | {
|
---|
957 | /*
|
---|
958 | * Write it out.
|
---|
959 | */
|
---|
960 | RTFILE hFile;
|
---|
961 | rc = RTFileOpen(&hFile, pszOut, RTFILE_O_WRITE | RTFILE_O_DENY_WRITE | RTFILE_O_CREATE);
|
---|
962 | if (RT_SUCCESS(rc))
|
---|
963 | {
|
---|
964 | uint32_t cbCert = pCert->SeqCore.Asn1Core.cbHdr + pCert->SeqCore.Asn1Core.cb;
|
---|
965 | rc = RTFileWrite(hFile, pCert->SeqCore.Asn1Core.uData.pu8 - pCert->SeqCore.Asn1Core.cbHdr,
|
---|
966 | cbCert, NULL);
|
---|
967 | if (RT_SUCCESS(rc))
|
---|
968 | {
|
---|
969 | rc = RTFileClose(hFile);
|
---|
970 | if (RT_SUCCESS(rc))
|
---|
971 | {
|
---|
972 | hFile = NIL_RTFILE;
|
---|
973 | rcExit = RTEXITCODE_SUCCESS;
|
---|
974 | RTMsgInfo("Successfully wrote %u bytes to '%s'", cbCert, pszOut);
|
---|
975 | }
|
---|
976 | else
|
---|
977 | RTMsgError("RTFileClose failed: %Rrc", rc);
|
---|
978 | }
|
---|
979 | else
|
---|
980 | RTMsgError("RTFileWrite failed: %Rrc", rc);
|
---|
981 | RTFileClose(hFile);
|
---|
982 | }
|
---|
983 | else
|
---|
984 | RTMsgError("Error opening '%s' for writing: %Rrc", pszOut, rc);
|
---|
985 | }
|
---|
986 | else
|
---|
987 | RTMsgError("Certificate not found.");
|
---|
988 | }
|
---|
989 | else
|
---|
990 | RTMsgError("Could not locate signature #%u!", iSignature);
|
---|
991 |
|
---|
992 | /* Delete the signature data. */
|
---|
993 | SignToolPkcs7Exe_Delete(&This);
|
---|
994 | }
|
---|
995 | return rcExit;
|
---|
996 | }
|
---|
997 |
|
---|
998 |
|
---|
999 | /*
|
---|
1000 | * The 'add-nested-exe-signature' command.
|
---|
1001 | */
|
---|
1002 | static RTEXITCODE HelpAddNestedExeSignature(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
1003 | {
|
---|
1004 | RT_NOREF_PV(enmLevel);
|
---|
1005 | RTStrmPrintf(pStrm, "add-nested-exe-signature [-v|--verbose] [-d|--debug] <destination-exe> <source-exe>\n");
|
---|
1006 | if (enmLevel == RTSIGNTOOLHELP_FULL)
|
---|
1007 | RTStrmPrintf(pStrm,
|
---|
1008 | "\n"
|
---|
1009 | "The --debug option allows the source-exe to be omitted in order to test the\n"
|
---|
1010 | "encoding and PE file modification.\n");
|
---|
1011 | return RTEXITCODE_SUCCESS;
|
---|
1012 | }
|
---|
1013 |
|
---|
1014 |
|
---|
1015 | static RTEXITCODE HandleAddNestedExeSignature(int cArgs, char **papszArgs)
|
---|
1016 | {
|
---|
1017 | /*
|
---|
1018 | * Parse arguments.
|
---|
1019 | */
|
---|
1020 | static const RTGETOPTDEF s_aOptions[] =
|
---|
1021 | {
|
---|
1022 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
1023 | { "--debug", 'd', RTGETOPT_REQ_NOTHING },
|
---|
1024 | };
|
---|
1025 |
|
---|
1026 | const char *pszDst = NULL;
|
---|
1027 | const char *pszSrc = NULL;
|
---|
1028 | unsigned cVerbosity = 0;
|
---|
1029 | bool fDebug = false;
|
---|
1030 |
|
---|
1031 | RTGETOPTSTATE GetState;
|
---|
1032 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
1033 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
1034 | RTGETOPTUNION ValueUnion;
|
---|
1035 | int ch;
|
---|
1036 | while ((ch = RTGetOpt(&GetState, &ValueUnion)))
|
---|
1037 | {
|
---|
1038 | switch (ch)
|
---|
1039 | {
|
---|
1040 | case 'v': cVerbosity++; break;
|
---|
1041 | case 'd': fDebug = pszSrc == NULL; break;
|
---|
1042 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
1043 | case 'h': return HelpAddNestedExeSignature(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
1044 |
|
---|
1045 | case VINF_GETOPT_NOT_OPTION:
|
---|
1046 | if (!pszDst)
|
---|
1047 | pszDst = ValueUnion.psz;
|
---|
1048 | else if (!pszSrc)
|
---|
1049 | {
|
---|
1050 | pszSrc = ValueUnion.psz;
|
---|
1051 | fDebug = false;
|
---|
1052 | }
|
---|
1053 | else
|
---|
1054 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Too many file arguments: %s", ValueUnion.psz);
|
---|
1055 | break;
|
---|
1056 |
|
---|
1057 | default:
|
---|
1058 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
1059 | }
|
---|
1060 | }
|
---|
1061 | if (!pszDst)
|
---|
1062 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No destination executable given.");
|
---|
1063 | if (!pszSrc && !fDebug)
|
---|
1064 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No source executable file given.");
|
---|
1065 |
|
---|
1066 | /*
|
---|
1067 | * Do it.
|
---|
1068 | */
|
---|
1069 | /* Read & decode the source PKCS#7 signature. */
|
---|
1070 | SIGNTOOLPKCS7EXE Src;
|
---|
1071 | RTEXITCODE rcExit = pszSrc ? SignToolPkcs7Exe_InitFromFile(&Src, pszSrc, cVerbosity) : RTEXITCODE_SUCCESS;
|
---|
1072 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
1073 | {
|
---|
1074 | /* Ditto for the destination PKCS#7 signature. */
|
---|
1075 | SIGNTOOLPKCS7EXE Dst;
|
---|
1076 | rcExit = SignToolPkcs7Exe_InitFromFile(&Dst, pszDst, cVerbosity);
|
---|
1077 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
1078 | {
|
---|
1079 | /* Do the signature manipulation. */
|
---|
1080 | if (pszSrc)
|
---|
1081 | rcExit = SignToolPkcs7_AddNestedSignature(&Dst, &Src, cVerbosity);
|
---|
1082 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
1083 | rcExit = SignToolPkcs7_Encode(&Dst, cVerbosity);
|
---|
1084 |
|
---|
1085 | /* Update the destination executable file. */
|
---|
1086 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
1087 | rcExit = SignToolPkcs7Exe_WriteSignatureToFile(&Dst, cVerbosity);
|
---|
1088 |
|
---|
1089 | SignToolPkcs7Exe_Delete(&Dst);
|
---|
1090 | }
|
---|
1091 | if (pszSrc)
|
---|
1092 | SignToolPkcs7Exe_Delete(&Src);
|
---|
1093 | }
|
---|
1094 |
|
---|
1095 | return rcExit;
|
---|
1096 | }
|
---|
1097 |
|
---|
1098 |
|
---|
1099 | /*
|
---|
1100 | * The 'add-nested-cat-signature' command.
|
---|
1101 | */
|
---|
1102 | static RTEXITCODE HelpAddNestedCatSignature(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
1103 | {
|
---|
1104 | RT_NOREF_PV(enmLevel);
|
---|
1105 | RTStrmPrintf(pStrm, "add-nested-cat-signature [-v|--verbose] <destination-cat> <source-cat>\n");
|
---|
1106 | if (enmLevel == RTSIGNTOOLHELP_FULL)
|
---|
1107 | RTStrmPrintf(pStrm,
|
---|
1108 | "\n"
|
---|
1109 | "The --debug option allows the source-cat to be omitted in order to test the\n"
|
---|
1110 | "ASN.1 re-encoding of the destination catalog file.\n");
|
---|
1111 | return RTEXITCODE_SUCCESS;
|
---|
1112 | }
|
---|
1113 |
|
---|
1114 |
|
---|
1115 | static RTEXITCODE HandleAddNestedCatSignature(int cArgs, char **papszArgs)
|
---|
1116 | {
|
---|
1117 | /*
|
---|
1118 | * Parse arguments.
|
---|
1119 | */
|
---|
1120 | static const RTGETOPTDEF s_aOptions[] =
|
---|
1121 | {
|
---|
1122 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
1123 | { "--debug", 'd', RTGETOPT_REQ_NOTHING },
|
---|
1124 | };
|
---|
1125 |
|
---|
1126 | const char *pszDst = NULL;
|
---|
1127 | const char *pszSrc = NULL;
|
---|
1128 | unsigned cVerbosity = 0;
|
---|
1129 | bool fDebug = false;
|
---|
1130 |
|
---|
1131 | RTGETOPTSTATE GetState;
|
---|
1132 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
1133 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
1134 | RTGETOPTUNION ValueUnion;
|
---|
1135 | int ch;
|
---|
1136 | while ((ch = RTGetOpt(&GetState, &ValueUnion)))
|
---|
1137 | {
|
---|
1138 | switch (ch)
|
---|
1139 | {
|
---|
1140 | case 'v': cVerbosity++; break;
|
---|
1141 | case 'd': fDebug = pszSrc == NULL; break;
|
---|
1142 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
1143 | case 'h': return HelpAddNestedCatSignature(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
1144 |
|
---|
1145 | case VINF_GETOPT_NOT_OPTION:
|
---|
1146 | if (!pszDst)
|
---|
1147 | pszDst = ValueUnion.psz;
|
---|
1148 | else if (!pszSrc)
|
---|
1149 | {
|
---|
1150 | pszSrc = ValueUnion.psz;
|
---|
1151 | fDebug = false;
|
---|
1152 | }
|
---|
1153 | else
|
---|
1154 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Too many file arguments: %s", ValueUnion.psz);
|
---|
1155 | break;
|
---|
1156 |
|
---|
1157 | default:
|
---|
1158 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
1159 | }
|
---|
1160 | }
|
---|
1161 | if (!pszDst)
|
---|
1162 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No destination catalog file given.");
|
---|
1163 | if (!pszSrc && !fDebug)
|
---|
1164 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No source catalog file given.");
|
---|
1165 |
|
---|
1166 | /*
|
---|
1167 | * Do it.
|
---|
1168 | */
|
---|
1169 | /* Read & decode the source PKCS#7 signature. */
|
---|
1170 | SIGNTOOLPKCS7 Src;
|
---|
1171 | RTEXITCODE rcExit = pszSrc ? SignToolPkcs7_InitFromFile(&Src, pszSrc, cVerbosity) : RTEXITCODE_SUCCESS;
|
---|
1172 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
1173 | {
|
---|
1174 | /* Ditto for the destination PKCS#7 signature. */
|
---|
1175 | SIGNTOOLPKCS7EXE Dst;
|
---|
1176 | rcExit = SignToolPkcs7_InitFromFile(&Dst, pszDst, cVerbosity);
|
---|
1177 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
1178 | {
|
---|
1179 | /* Do the signature manipulation. */
|
---|
1180 | if (pszSrc)
|
---|
1181 | rcExit = SignToolPkcs7_AddNestedSignature(&Dst, &Src, cVerbosity);
|
---|
1182 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
1183 | rcExit = SignToolPkcs7_Encode(&Dst, cVerbosity);
|
---|
1184 |
|
---|
1185 | /* Update the destination executable file. */
|
---|
1186 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
1187 | rcExit = SignToolPkcs7_WriteSignatureToFile(&Dst, pszDst, cVerbosity);
|
---|
1188 |
|
---|
1189 | SignToolPkcs7_Delete(&Dst);
|
---|
1190 | }
|
---|
1191 | if (pszSrc)
|
---|
1192 | SignToolPkcs7_Delete(&Src);
|
---|
1193 | }
|
---|
1194 |
|
---|
1195 | return rcExit;
|
---|
1196 | }
|
---|
1197 |
|
---|
1198 | #ifndef IPRT_IN_BUILD_TOOL
|
---|
1199 |
|
---|
1200 | /*
|
---|
1201 | * The 'verify-exe' command.
|
---|
1202 | */
|
---|
1203 | static RTEXITCODE HelpVerifyExe(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
1204 | {
|
---|
1205 | RT_NOREF_PV(enmLevel);
|
---|
1206 | RTStrmPrintf(pStrm,
|
---|
1207 | "verify-exe [--verbose|--quiet] [--kernel] [--root <root-cert.der>] [--additional <supp-cert.der>]\n"
|
---|
1208 | " [--type <win|osx>] <exe1> [exe2 [..]]\n");
|
---|
1209 | return RTEXITCODE_SUCCESS;
|
---|
1210 | }
|
---|
1211 |
|
---|
1212 | typedef struct VERIFYEXESTATE
|
---|
1213 | {
|
---|
1214 | RTCRSTORE hRootStore;
|
---|
1215 | RTCRSTORE hKernelRootStore;
|
---|
1216 | RTCRSTORE hAdditionalStore;
|
---|
1217 | bool fKernel;
|
---|
1218 | int cVerbose;
|
---|
1219 | enum { kSignType_Windows, kSignType_OSX } enmSignType;
|
---|
1220 | uint64_t uTimestamp;
|
---|
1221 | RTLDRARCH enmLdrArch;
|
---|
1222 | } VERIFYEXESTATE;
|
---|
1223 |
|
---|
1224 | # ifdef VBOX
|
---|
1225 | /** Certificate store load set.
|
---|
1226 | * Declared outside HandleVerifyExe because of braindead gcc visibility crap. */
|
---|
1227 | struct STSTORESET
|
---|
1228 | {
|
---|
1229 | RTCRSTORE hStore;
|
---|
1230 | PCSUPTAENTRY paTAs;
|
---|
1231 | unsigned cTAs;
|
---|
1232 | };
|
---|
1233 | # endif
|
---|
1234 |
|
---|
1235 | /**
|
---|
1236 | * @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
|
---|
1237 | * Standard code signing. Use this for Microsoft SPC.}
|
---|
1238 | */
|
---|
1239 | static DECLCALLBACK(int) VerifyExecCertVerifyCallback(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
|
---|
1240 | void *pvUser, PRTERRINFO pErrInfo)
|
---|
1241 | {
|
---|
1242 | VERIFYEXESTATE *pState = (VERIFYEXESTATE *)pvUser;
|
---|
1243 | uint32_t cPaths = hCertPaths != NIL_RTCRX509CERTPATHS ? RTCrX509CertPathsGetPathCount(hCertPaths) : 0;
|
---|
1244 |
|
---|
1245 | /*
|
---|
1246 | * Dump all the paths.
|
---|
1247 | */
|
---|
1248 | if (pState->cVerbose > 0)
|
---|
1249 | {
|
---|
1250 | for (uint32_t iPath = 0; iPath < cPaths; iPath++)
|
---|
1251 | {
|
---|
1252 | RTPrintf("---\n");
|
---|
1253 | RTCrX509CertPathsDumpOne(hCertPaths, iPath, pState->cVerbose, RTStrmDumpPrintfV, g_pStdOut);
|
---|
1254 | *pErrInfo->pszMsg = '\0';
|
---|
1255 | }
|
---|
1256 | RTPrintf("---\n");
|
---|
1257 | }
|
---|
1258 |
|
---|
1259 | /*
|
---|
1260 | * Test signing certificates normally doesn't have all the necessary
|
---|
1261 | * features required below. So, treat them as special cases.
|
---|
1262 | */
|
---|
1263 | if ( hCertPaths == NIL_RTCRX509CERTPATHS
|
---|
1264 | && RTCrX509Name_Compare(&pCert->TbsCertificate.Issuer, &pCert->TbsCertificate.Subject) == 0)
|
---|
1265 | {
|
---|
1266 | RTMsgInfo("Test signed.\n");
|
---|
1267 | return VINF_SUCCESS;
|
---|
1268 | }
|
---|
1269 |
|
---|
1270 | if (hCertPaths == NIL_RTCRX509CERTPATHS)
|
---|
1271 | RTMsgInfo("Signed by trusted certificate.\n");
|
---|
1272 |
|
---|
1273 | /*
|
---|
1274 | * Standard code signing capabilites required.
|
---|
1275 | */
|
---|
1276 | int rc = RTCrPkcs7VerifyCertCallbackCodeSigning(pCert, hCertPaths, fFlags, NULL, pErrInfo);
|
---|
1277 | if ( RT_SUCCESS(rc)
|
---|
1278 | && (fFlags & RTCRPKCS7VCC_F_SIGNED_DATA))
|
---|
1279 | {
|
---|
1280 | /*
|
---|
1281 | * If kernel signing, a valid certificate path must be anchored by the
|
---|
1282 | * microsoft kernel signing root certificate. The only alternative is
|
---|
1283 | * test signing.
|
---|
1284 | */
|
---|
1285 | if (pState->fKernel && hCertPaths != NIL_RTCRX509CERTPATHS)
|
---|
1286 | {
|
---|
1287 | uint32_t cFound = 0;
|
---|
1288 | uint32_t cValid = 0;
|
---|
1289 | for (uint32_t iPath = 0; iPath < cPaths; iPath++)
|
---|
1290 | {
|
---|
1291 | bool fTrusted;
|
---|
1292 | PCRTCRX509NAME pSubject;
|
---|
1293 | PCRTCRX509SUBJECTPUBLICKEYINFO pPublicKeyInfo;
|
---|
1294 | int rcVerify;
|
---|
1295 | rc = RTCrX509CertPathsQueryPathInfo(hCertPaths, iPath, &fTrusted, NULL /*pcNodes*/, &pSubject, &pPublicKeyInfo,
|
---|
1296 | NULL, NULL /*pCertCtx*/, &rcVerify);
|
---|
1297 | AssertRCBreak(rc);
|
---|
1298 |
|
---|
1299 | if (RT_SUCCESS(rcVerify))
|
---|
1300 | {
|
---|
1301 | Assert(fTrusted);
|
---|
1302 | cValid++;
|
---|
1303 |
|
---|
1304 | /* Search the kernel signing root store for a matching anchor. */
|
---|
1305 | RTCRSTORECERTSEARCH Search;
|
---|
1306 | rc = RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(pState->hKernelRootStore, pSubject, &Search);
|
---|
1307 | AssertRCBreak(rc);
|
---|
1308 | PCRTCRCERTCTX pCertCtx;
|
---|
1309 | while ((pCertCtx = RTCrStoreCertSearchNext(pState->hKernelRootStore, &Search)) != NULL)
|
---|
1310 | {
|
---|
1311 | PCRTCRX509SUBJECTPUBLICKEYINFO pPubKeyInfo;
|
---|
1312 | if (pCertCtx->pCert)
|
---|
1313 | pPubKeyInfo = &pCertCtx->pCert->TbsCertificate.SubjectPublicKeyInfo;
|
---|
1314 | else if (pCertCtx->pTaInfo)
|
---|
1315 | pPubKeyInfo = &pCertCtx->pTaInfo->PubKey;
|
---|
1316 | else
|
---|
1317 | pPubKeyInfo = NULL;
|
---|
1318 | if (RTCrX509SubjectPublicKeyInfo_Compare(pPubKeyInfo, pPublicKeyInfo) == 0)
|
---|
1319 | cFound++;
|
---|
1320 | RTCrCertCtxRelease(pCertCtx);
|
---|
1321 | }
|
---|
1322 |
|
---|
1323 | int rc2 = RTCrStoreCertSearchDestroy(pState->hKernelRootStore, &Search); AssertRC(rc2);
|
---|
1324 | }
|
---|
1325 | }
|
---|
1326 | if (RT_SUCCESS(rc) && cFound == 0)
|
---|
1327 | rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, "Not valid kernel code signature.");
|
---|
1328 | if (RT_SUCCESS(rc) && cValid != 2)
|
---|
1329 | RTMsgWarning("%u valid paths, expected 2", cValid);
|
---|
1330 | }
|
---|
1331 | }
|
---|
1332 |
|
---|
1333 | return rc;
|
---|
1334 | }
|
---|
1335 |
|
---|
1336 |
|
---|
1337 | /** @callback_method_impl{FNRTLDRVALIDATESIGNEDDATA} */
|
---|
1338 | static DECLCALLBACK(int) VerifyExeCallback(RTLDRMOD hLdrMod, RTLDRSIGNATURETYPE enmSignature,
|
---|
1339 | void const *pvSignature, size_t cbSignature,
|
---|
1340 | PRTERRINFO pErrInfo, void *pvUser)
|
---|
1341 | {
|
---|
1342 | VERIFYEXESTATE *pState = (VERIFYEXESTATE *)pvUser;
|
---|
1343 | RT_NOREF_PV(hLdrMod); RT_NOREF_PV(cbSignature);
|
---|
1344 |
|
---|
1345 | switch (enmSignature)
|
---|
1346 | {
|
---|
1347 | case RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA:
|
---|
1348 | {
|
---|
1349 | PCRTCRPKCS7CONTENTINFO pContentInfo = (PCRTCRPKCS7CONTENTINFO)pvSignature;
|
---|
1350 |
|
---|
1351 | RTTIMESPEC ValidationTime;
|
---|
1352 | RTTimeSpecSetSeconds(&ValidationTime, pState->uTimestamp);
|
---|
1353 |
|
---|
1354 | /*
|
---|
1355 | * Dump the signed data if so requested.
|
---|
1356 | */
|
---|
1357 | if (pState->cVerbose)
|
---|
1358 | RTAsn1Dump(&pContentInfo->SeqCore.Asn1Core, 0, 0, RTStrmDumpPrintfV, g_pStdOut);
|
---|
1359 |
|
---|
1360 |
|
---|
1361 | /*
|
---|
1362 | * Do the actual verification. Will have to modify this so it takes
|
---|
1363 | * the authenticode policies into account.
|
---|
1364 | */
|
---|
1365 | return RTCrPkcs7VerifySignedData(pContentInfo,
|
---|
1366 | RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY
|
---|
1367 | | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT
|
---|
1368 | | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT,
|
---|
1369 | pState->hAdditionalStore, pState->hRootStore, &ValidationTime,
|
---|
1370 | VerifyExecCertVerifyCallback, pState, pErrInfo);
|
---|
1371 | }
|
---|
1372 |
|
---|
1373 | default:
|
---|
1374 | return RTErrInfoSetF(pErrInfo, VERR_NOT_SUPPORTED, "Unsupported signature type: %d", enmSignature);
|
---|
1375 | }
|
---|
1376 | }
|
---|
1377 |
|
---|
1378 | /** Worker for HandleVerifyExe. */
|
---|
1379 | static RTEXITCODE HandleVerifyExeWorker(VERIFYEXESTATE *pState, const char *pszFilename, PRTERRINFOSTATIC pStaticErrInfo)
|
---|
1380 | {
|
---|
1381 | /*
|
---|
1382 | * Open the executable image and verify it.
|
---|
1383 | */
|
---|
1384 | RTLDRMOD hLdrMod;
|
---|
1385 | int rc = RTLdrOpen(pszFilename, RTLDR_O_FOR_VALIDATION, pState->enmLdrArch, &hLdrMod);
|
---|
1386 | if (RT_FAILURE(rc))
|
---|
1387 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error opening executable image '%s': %Rrc", pszFilename, rc);
|
---|
1388 |
|
---|
1389 |
|
---|
1390 | rc = RTLdrQueryProp(hLdrMod, RTLDRPROP_TIMESTAMP_SECONDS, &pState->uTimestamp, sizeof(pState->uTimestamp));
|
---|
1391 | if (RT_SUCCESS(rc))
|
---|
1392 | {
|
---|
1393 | rc = RTLdrVerifySignature(hLdrMod, VerifyExeCallback, pState, RTErrInfoInitStatic(pStaticErrInfo));
|
---|
1394 | if (RT_SUCCESS(rc))
|
---|
1395 | RTMsgInfo("'%s' is valid.\n", pszFilename);
|
---|
1396 | else if (rc == VERR_CR_X509_CPV_NOT_VALID_AT_TIME)
|
---|
1397 | {
|
---|
1398 | RTTIMESPEC Now;
|
---|
1399 | pState->uTimestamp = RTTimeSpecGetSeconds(RTTimeNow(&Now));
|
---|
1400 | rc = RTLdrVerifySignature(hLdrMod, VerifyExeCallback, pState, RTErrInfoInitStatic(pStaticErrInfo));
|
---|
1401 | if (RT_SUCCESS(rc))
|
---|
1402 | RTMsgInfo("'%s' is valid now, but not at link time.\n", pszFilename);
|
---|
1403 | }
|
---|
1404 | if (RT_FAILURE(rc))
|
---|
1405 | RTMsgError("RTLdrVerifySignature failed on '%s': %Rrc - %s\n", pszFilename, rc, pStaticErrInfo->szMsg);
|
---|
1406 | }
|
---|
1407 | else
|
---|
1408 | RTMsgError("RTLdrQueryProp/RTLDRPROP_TIMESTAMP_SECONDS failed on '%s': %Rrc\n", pszFilename, rc);
|
---|
1409 |
|
---|
1410 | int rc2 = RTLdrClose(hLdrMod);
|
---|
1411 | if (RT_FAILURE(rc2))
|
---|
1412 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "RTLdrClose failed: %Rrc\n", rc2);
|
---|
1413 | if (RT_FAILURE(rc))
|
---|
1414 | return rc != VERR_LDRVI_NOT_SIGNED ? RTEXITCODE_FAILURE : RTEXITCODE_SKIPPED;
|
---|
1415 |
|
---|
1416 | return RTEXITCODE_SUCCESS;
|
---|
1417 | }
|
---|
1418 |
|
---|
1419 |
|
---|
1420 | static RTEXITCODE HandleVerifyExe(int cArgs, char **papszArgs)
|
---|
1421 | {
|
---|
1422 | RTERRINFOSTATIC StaticErrInfo;
|
---|
1423 |
|
---|
1424 | /* Note! This code does not try to clean up the crypto stores on failure.
|
---|
1425 | This is intentional as the code is only expected to be used in a
|
---|
1426 | one-command-per-process environment where we do exit() upon
|
---|
1427 | returning from this function. */
|
---|
1428 |
|
---|
1429 | /*
|
---|
1430 | * Parse arguments.
|
---|
1431 | */
|
---|
1432 | static const RTGETOPTDEF s_aOptions[] =
|
---|
1433 | {
|
---|
1434 | { "--kernel", 'k', RTGETOPT_REQ_NOTHING },
|
---|
1435 | { "--root", 'r', RTGETOPT_REQ_STRING },
|
---|
1436 | { "--additional", 'a', RTGETOPT_REQ_STRING },
|
---|
1437 | { "--add", 'a', RTGETOPT_REQ_STRING },
|
---|
1438 | { "--type", 't', RTGETOPT_REQ_STRING },
|
---|
1439 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
1440 | { "--quiet", 'q', RTGETOPT_REQ_NOTHING },
|
---|
1441 | };
|
---|
1442 |
|
---|
1443 | VERIFYEXESTATE State =
|
---|
1444 | {
|
---|
1445 | NIL_RTCRSTORE, NIL_RTCRSTORE, NIL_RTCRSTORE, false, false,
|
---|
1446 | VERIFYEXESTATE::kSignType_Windows, 0, RTLDRARCH_WHATEVER
|
---|
1447 | };
|
---|
1448 | int rc = RTCrStoreCreateInMem(&State.hRootStore, 0);
|
---|
1449 | if (RT_SUCCESS(rc))
|
---|
1450 | rc = RTCrStoreCreateInMem(&State.hKernelRootStore, 0);
|
---|
1451 | if (RT_SUCCESS(rc))
|
---|
1452 | rc = RTCrStoreCreateInMem(&State.hAdditionalStore, 0);
|
---|
1453 | if (RT_FAILURE(rc))
|
---|
1454 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error creating in-memory certificate store: %Rrc", rc);
|
---|
1455 |
|
---|
1456 | RTGETOPTSTATE GetState;
|
---|
1457 | rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
1458 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
1459 | RTGETOPTUNION ValueUnion;
|
---|
1460 | int ch;
|
---|
1461 | while ((ch = RTGetOpt(&GetState, &ValueUnion)) && ch != VINF_GETOPT_NOT_OPTION)
|
---|
1462 | {
|
---|
1463 | switch (ch)
|
---|
1464 | {
|
---|
1465 | case 'r': case 'a':
|
---|
1466 | rc = RTCrStoreCertAddFromFile(ch == 'r' ? State.hRootStore : State.hAdditionalStore,
|
---|
1467 | RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR,
|
---|
1468 | ValueUnion.psz, RTErrInfoInitStatic(&StaticErrInfo));
|
---|
1469 | if (RT_FAILURE(rc))
|
---|
1470 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error loading certificate '%s': %Rrc - %s",
|
---|
1471 | ValueUnion.psz, rc, StaticErrInfo.szMsg);
|
---|
1472 | if (RTErrInfoIsSet(&StaticErrInfo.Core))
|
---|
1473 | RTMsgWarning("Warnings loading certificate '%s': %s", ValueUnion.psz, StaticErrInfo.szMsg);
|
---|
1474 | break;
|
---|
1475 |
|
---|
1476 | case 't':
|
---|
1477 | if (!strcmp(ValueUnion.psz, "win") || !strcmp(ValueUnion.psz, "windows"))
|
---|
1478 | State.enmSignType = VERIFYEXESTATE::kSignType_Windows;
|
---|
1479 | else if (!strcmp(ValueUnion.psz, "osx") || !strcmp(ValueUnion.psz, "apple"))
|
---|
1480 | State.enmSignType = VERIFYEXESTATE::kSignType_OSX;
|
---|
1481 | else
|
---|
1482 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Unknown signing type: '%s'", ValueUnion.psz);
|
---|
1483 | break;
|
---|
1484 |
|
---|
1485 | case 'k': State.fKernel = true; break;
|
---|
1486 | case 'v': State.cVerbose++; break;
|
---|
1487 | case 'q': State.cVerbose = 0; break;
|
---|
1488 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
1489 | case 'h': return HelpVerifyExe(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
1490 | default: return RTGetOptPrintError(ch, &ValueUnion);
|
---|
1491 | }
|
---|
1492 | }
|
---|
1493 | if (ch != VINF_GETOPT_NOT_OPTION)
|
---|
1494 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No executable given.");
|
---|
1495 |
|
---|
1496 | /*
|
---|
1497 | * Populate the certificate stores according to the signing type.
|
---|
1498 | */
|
---|
1499 | #ifdef VBOX
|
---|
1500 | unsigned cSets = 0;
|
---|
1501 | struct STSTORESET aSets[6];
|
---|
1502 | #endif
|
---|
1503 |
|
---|
1504 | switch (State.enmSignType)
|
---|
1505 | {
|
---|
1506 | case VERIFYEXESTATE::kSignType_Windows:
|
---|
1507 | #ifdef VBOX
|
---|
1508 | aSets[cSets].hStore = State.hRootStore;
|
---|
1509 | aSets[cSets].paTAs = g_aSUPTimestampTAs;
|
---|
1510 | aSets[cSets].cTAs = g_cSUPTimestampTAs;
|
---|
1511 | cSets++;
|
---|
1512 | aSets[cSets].hStore = State.hRootStore;
|
---|
1513 | aSets[cSets].paTAs = g_aSUPSpcRootTAs;
|
---|
1514 | aSets[cSets].cTAs = g_cSUPSpcRootTAs;
|
---|
1515 | cSets++;
|
---|
1516 | aSets[cSets].hStore = State.hRootStore;
|
---|
1517 | aSets[cSets].paTAs = g_aSUPNtKernelRootTAs;
|
---|
1518 | aSets[cSets].cTAs = g_cSUPNtKernelRootTAs;
|
---|
1519 | cSets++;
|
---|
1520 | aSets[cSets].hStore = State.hKernelRootStore;
|
---|
1521 | aSets[cSets].paTAs = g_aSUPNtKernelRootTAs;
|
---|
1522 | aSets[cSets].cTAs = g_cSUPNtKernelRootTAs;
|
---|
1523 | cSets++;
|
---|
1524 | #endif
|
---|
1525 | break;
|
---|
1526 |
|
---|
1527 | case VERIFYEXESTATE::kSignType_OSX:
|
---|
1528 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Mac OS X executable signing is not implemented.");
|
---|
1529 | }
|
---|
1530 |
|
---|
1531 | #ifdef VBOX
|
---|
1532 | for (unsigned i = 0; i < cSets; i++)
|
---|
1533 | for (unsigned j = 0; j < aSets[i].cTAs; j++)
|
---|
1534 | {
|
---|
1535 | rc = RTCrStoreCertAddEncoded(aSets[i].hStore, RTCRCERTCTX_F_ENC_TAF_DER, aSets[i].paTAs[j].pch,
|
---|
1536 | aSets[i].paTAs[j].cb, RTErrInfoInitStatic(&StaticErrInfo));
|
---|
1537 | if (RT_FAILURE(rc))
|
---|
1538 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "RTCrStoreCertAddEncoded failed (%u/%u): %s",
|
---|
1539 | i, j, StaticErrInfo.szMsg);
|
---|
1540 | }
|
---|
1541 | #endif
|
---|
1542 |
|
---|
1543 | /*
|
---|
1544 | * Do it.
|
---|
1545 | */
|
---|
1546 | RTEXITCODE rcExit;
|
---|
1547 | for (;;)
|
---|
1548 | {
|
---|
1549 | rcExit = HandleVerifyExeWorker(&State, ValueUnion.psz, &StaticErrInfo);
|
---|
1550 | if (rcExit != RTEXITCODE_SUCCESS)
|
---|
1551 | break;
|
---|
1552 |
|
---|
1553 | /*
|
---|
1554 | * Next file
|
---|
1555 | */
|
---|
1556 | ch = RTGetOpt(&GetState, &ValueUnion);
|
---|
1557 | if (ch == 0)
|
---|
1558 | break;
|
---|
1559 | if (ch != VINF_GETOPT_NOT_OPTION)
|
---|
1560 | {
|
---|
1561 | rcExit = RTGetOptPrintError(ch, &ValueUnion);
|
---|
1562 | break;
|
---|
1563 | }
|
---|
1564 | }
|
---|
1565 |
|
---|
1566 | /*
|
---|
1567 | * Clean up.
|
---|
1568 | */
|
---|
1569 | uint32_t cRefs;
|
---|
1570 | cRefs = RTCrStoreRelease(State.hRootStore); Assert(cRefs == 0);
|
---|
1571 | cRefs = RTCrStoreRelease(State.hKernelRootStore); Assert(cRefs == 0);
|
---|
1572 | cRefs = RTCrStoreRelease(State.hAdditionalStore); Assert(cRefs == 0);
|
---|
1573 |
|
---|
1574 | return rcExit;
|
---|
1575 | }
|
---|
1576 |
|
---|
1577 | #endif /* !IPRT_IN_BUILD_TOOL */
|
---|
1578 |
|
---|
1579 | /*
|
---|
1580 | * common code for show-exe and show-cat:
|
---|
1581 | */
|
---|
1582 |
|
---|
1583 | /**
|
---|
1584 | * Display an object ID.
|
---|
1585 | *
|
---|
1586 | * @returns IPRT status code.
|
---|
1587 | * @param pThis The show exe instance data.
|
---|
1588 | * @param pObjId The object ID to display.
|
---|
1589 | * @param pszLabel The field label (prefixed by szPrefix).
|
---|
1590 | * @param pszPost What to print after the ID (typically newline).
|
---|
1591 | */
|
---|
1592 | static void HandleShowExeWorkerDisplayObjId(PSHOWEXEPKCS7 pThis, PCRTASN1OBJID pObjId, const char *pszLabel, const char *pszPost)
|
---|
1593 | {
|
---|
1594 | int rc = RTAsn1QueryObjIdName(pObjId, pThis->szTmp, sizeof(pThis->szTmp));
|
---|
1595 | if (RT_SUCCESS(rc))
|
---|
1596 | {
|
---|
1597 | if (pThis->cVerbosity > 1)
|
---|
1598 | RTPrintf("%s%s%s (%s)%s", pThis->szPrefix, pszLabel, pThis->szTmp, pObjId->szObjId, pszPost);
|
---|
1599 | else
|
---|
1600 | RTPrintf("%s%s%s%s", pThis->szPrefix, pszLabel, pThis->szTmp, pszPost);
|
---|
1601 | }
|
---|
1602 | else
|
---|
1603 | RTPrintf("%s%s%s%s", pThis->szPrefix, pszLabel, pObjId->szObjId, pszPost);
|
---|
1604 | }
|
---|
1605 |
|
---|
1606 |
|
---|
1607 | /**
|
---|
1608 | * Display an object ID, without prefix and label
|
---|
1609 | *
|
---|
1610 | * @returns IPRT status code.
|
---|
1611 | * @param pThis The show exe instance data.
|
---|
1612 | * @param pObjId The object ID to display.
|
---|
1613 | * @param pszPost What to print after the ID (typically newline).
|
---|
1614 | */
|
---|
1615 | static void HandleShowExeWorkerDisplayObjIdSimple(PSHOWEXEPKCS7 pThis, PCRTASN1OBJID pObjId, const char *pszPost)
|
---|
1616 | {
|
---|
1617 | int rc = RTAsn1QueryObjIdName(pObjId, pThis->szTmp, sizeof(pThis->szTmp));
|
---|
1618 | if (RT_SUCCESS(rc))
|
---|
1619 | {
|
---|
1620 | if (pThis->cVerbosity > 1)
|
---|
1621 | RTPrintf("%s (%s)%s", pThis->szTmp, pObjId->szObjId, pszPost);
|
---|
1622 | else
|
---|
1623 | RTPrintf("%s%s", pThis->szTmp, pszPost);
|
---|
1624 | }
|
---|
1625 | else
|
---|
1626 | RTPrintf("%s%s", pObjId->szObjId, pszPost);
|
---|
1627 | }
|
---|
1628 |
|
---|
1629 |
|
---|
1630 | /**
|
---|
1631 | * Display a signer info attribute.
|
---|
1632 | *
|
---|
1633 | * @returns IPRT status code.
|
---|
1634 | * @param pThis The show exe instance data.
|
---|
1635 | * @param offPrefix The current prefix offset.
|
---|
1636 | * @param pAttr The attribute to display.
|
---|
1637 | */
|
---|
1638 | static int HandleShowExeWorkerPkcs7DisplayAttrib(PSHOWEXEPKCS7 pThis, size_t offPrefix, PCRTCRPKCS7ATTRIBUTE pAttr)
|
---|
1639 | {
|
---|
1640 | HandleShowExeWorkerDisplayObjId(pThis, &pAttr->Type, "", ":\n");
|
---|
1641 |
|
---|
1642 | int rc = VINF_SUCCESS;
|
---|
1643 | switch (pAttr->enmType)
|
---|
1644 | {
|
---|
1645 | case RTCRPKCS7ATTRIBUTETYPE_UNKNOWN:
|
---|
1646 | if (pAttr->uValues.pCores->cItems <= 1)
|
---|
1647 | RTPrintf("%s %u bytes\n", pThis->szPrefix,pAttr->uValues.pCores->SetCore.Asn1Core.cb);
|
---|
1648 | else
|
---|
1649 | RTPrintf("%s %u bytes divided by %u items\n", pThis->szPrefix, pAttr->uValues.pCores->SetCore.Asn1Core.cb, pAttr->uValues.pCores->cItems);
|
---|
1650 | break;
|
---|
1651 |
|
---|
1652 | /* Object IDs, use pObjIds. */
|
---|
1653 | case RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS:
|
---|
1654 | if (pAttr->uValues.pObjIds->cItems != 1)
|
---|
1655 | RTPrintf("%s%u object IDs:", pThis->szPrefix, pAttr->uValues.pObjIds->cItems);
|
---|
1656 | for (unsigned i = 0; i < pAttr->uValues.pObjIds->cItems; i++)
|
---|
1657 | {
|
---|
1658 | if (pAttr->uValues.pObjIds->cItems == 1)
|
---|
1659 | RTPrintf("%s ", pThis->szPrefix);
|
---|
1660 | else
|
---|
1661 | RTPrintf("%s ObjId[%u]: ", pThis->szPrefix, i);
|
---|
1662 | HandleShowExeWorkerDisplayObjIdSimple(pThis, pAttr->uValues.pObjIds->papItems[i], "\n");
|
---|
1663 | }
|
---|
1664 | break;
|
---|
1665 |
|
---|
1666 | /* Sequence of object IDs, use pObjIdSeqs. */
|
---|
1667 | case RTCRPKCS7ATTRIBUTETYPE_MS_STATEMENT_TYPE:
|
---|
1668 | if (pAttr->uValues.pObjIdSeqs->cItems != 1)
|
---|
1669 | RTPrintf("%s%u object IDs:", pThis->szPrefix, pAttr->uValues.pObjIdSeqs->cItems);
|
---|
1670 | for (unsigned i = 0; i < pAttr->uValues.pObjIdSeqs->cItems; i++)
|
---|
1671 | {
|
---|
1672 | uint32_t const cObjIds = pAttr->uValues.pObjIdSeqs->papItems[i]->cItems;
|
---|
1673 | for (unsigned j = 0; j < cObjIds; j++)
|
---|
1674 | {
|
---|
1675 | if (pAttr->uValues.pObjIdSeqs->cItems == 1)
|
---|
1676 | RTPrintf("%s ", pThis->szPrefix);
|
---|
1677 | else
|
---|
1678 | RTPrintf("%s ObjIdSeq[%u]: ", pThis->szPrefix, i);
|
---|
1679 | if (cObjIds != 1)
|
---|
1680 | RTPrintf(" ObjId[%u]: ", j);
|
---|
1681 | HandleShowExeWorkerDisplayObjIdSimple(pThis, pAttr->uValues.pObjIdSeqs->papItems[i]->papItems[i], "\n");
|
---|
1682 | }
|
---|
1683 | }
|
---|
1684 | break;
|
---|
1685 |
|
---|
1686 | /* Octet strings, use pOctetStrings. */
|
---|
1687 | case RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS:
|
---|
1688 | if (pAttr->uValues.pOctetStrings->cItems != 1)
|
---|
1689 | RTPrintf("%s%u octet strings:", pThis->szPrefix, pAttr->uValues.pOctetStrings->cItems);
|
---|
1690 | for (unsigned i = 0; i < pAttr->uValues.pOctetStrings->cItems; i++)
|
---|
1691 | {
|
---|
1692 | PCRTASN1OCTETSTRING pOctetString = pAttr->uValues.pOctetStrings->papItems[i];
|
---|
1693 | uint32_t cbContent = pOctetString->Asn1Core.cb;
|
---|
1694 | if (cbContent > 0 && (cbContent <= 128 || pThis->cVerbosity >= 2))
|
---|
1695 | {
|
---|
1696 | uint8_t const *pbContent = pOctetString->Asn1Core.uData.pu8;
|
---|
1697 | uint32_t off = 0;
|
---|
1698 | while (off < cbContent)
|
---|
1699 | {
|
---|
1700 | uint32_t cbNow = RT_MIN(cbContent - off, 16);
|
---|
1701 | if (pAttr->uValues.pOctetStrings->cItems == 1)
|
---|
1702 | RTPrintf("%s %#06x: %.*Rhxs\n", pThis->szPrefix, off, cbNow, &pbContent[off]);
|
---|
1703 | else
|
---|
1704 | RTPrintf("%s OctetString[%u]: %#06x: %.*Rhxs\n", pThis->szPrefix, i, off, cbNow, &pbContent[off]);
|
---|
1705 | off += cbNow;
|
---|
1706 | }
|
---|
1707 | }
|
---|
1708 | else
|
---|
1709 | RTPrintf("%s: OctetString[%u]: %u bytes\n", pThis->szPrefix, i, pOctetString->Asn1Core.cb);
|
---|
1710 | }
|
---|
1711 | break;
|
---|
1712 |
|
---|
1713 | /* Counter signatures (PKCS \#9), use pCounterSignatures. */
|
---|
1714 | case RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES:
|
---|
1715 | RTPrintf("%sTODO: RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES! %u bytes\n",
|
---|
1716 | pThis->szPrefix, pAttr->uValues.pCounterSignatures->SetCore.Asn1Core.cb);
|
---|
1717 | break;
|
---|
1718 |
|
---|
1719 | /* Signing time (PKCS \#9), use pSigningTime. */
|
---|
1720 | case RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME:
|
---|
1721 | RTPrintf("%sTODO: RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME! %u bytes\n",
|
---|
1722 | pThis->szPrefix, pAttr->uValues.pSigningTime->SetCore.Asn1Core.cb);
|
---|
1723 | break;
|
---|
1724 |
|
---|
1725 | /* Microsoft timestamp info (RFC-3161) signed data, use pContentInfo. */
|
---|
1726 | case RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP:
|
---|
1727 | case RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE:
|
---|
1728 | if (pAttr->uValues.pContentInfos->cItems > 1)
|
---|
1729 | RTPrintf("%s%u nested signatures, %u bytes in total\n", pThis->szPrefix,
|
---|
1730 | pAttr->uValues.pContentInfos->cItems, pAttr->uValues.pContentInfos->SetCore.Asn1Core.cb);
|
---|
1731 | for (unsigned i = 0; i < pAttr->uValues.pContentInfos->cItems; i++)
|
---|
1732 | {
|
---|
1733 | size_t offPrefix2 = offPrefix;
|
---|
1734 | if (pAttr->uValues.pContentInfos->cItems > 1)
|
---|
1735 | offPrefix2 += RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, "NestedSig[%u]: ", i);
|
---|
1736 | else
|
---|
1737 | offPrefix2 += RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, " ");
|
---|
1738 | // offPrefix2 += RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, "NestedSig: ", i);
|
---|
1739 | PCRTCRPKCS7CONTENTINFO pContentInfo = pAttr->uValues.pContentInfos->papItems[i];
|
---|
1740 | int rc2;
|
---|
1741 | if (RTCrPkcs7ContentInfo_IsSignedData(pContentInfo))
|
---|
1742 | rc2 = HandleShowExeWorkerPkcs7Display(pThis, pContentInfo->u.pSignedData, offPrefix2, pContentInfo);
|
---|
1743 | else
|
---|
1744 | rc2 = RTMsgErrorRc(VERR_ASN1_UNEXPECTED_OBJ_ID, "%sPKCS#7 content in nested signature is not 'signedData': %s",
|
---|
1745 | pThis->szPrefix, pContentInfo->ContentType.szObjId);
|
---|
1746 | if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
|
---|
1747 | rc = rc2;
|
---|
1748 | }
|
---|
1749 | break;
|
---|
1750 |
|
---|
1751 | case RTCRPKCS7ATTRIBUTETYPE_INVALID:
|
---|
1752 | RTPrintf("%sINVALID!\n", pThis->szPrefix);
|
---|
1753 | break;
|
---|
1754 | case RTCRPKCS7ATTRIBUTETYPE_NOT_PRESENT:
|
---|
1755 | RTPrintf("%sNOT PRESENT!\n", pThis->szPrefix);
|
---|
1756 | break;
|
---|
1757 | default:
|
---|
1758 | RTPrintf("%senmType=%d!\n", pThis->szPrefix, pAttr->enmType);
|
---|
1759 | break;
|
---|
1760 | }
|
---|
1761 | return rc;
|
---|
1762 | }
|
---|
1763 |
|
---|
1764 |
|
---|
1765 | /**
|
---|
1766 | * Displays a Microsoft SPC indirect data structure.
|
---|
1767 | *
|
---|
1768 | * @returns IPRT status code.
|
---|
1769 | * @param pThis The show exe instance data.
|
---|
1770 | * @param offPrefix The current prefix offset.
|
---|
1771 | * @param pIndData The indirect data to display.
|
---|
1772 | */
|
---|
1773 | static int HandleShowExeWorkerPkcs7DisplaySpcIdirectDataContent(PSHOWEXEPKCS7 pThis, size_t offPrefix,
|
---|
1774 | PCRTCRSPCINDIRECTDATACONTENT pIndData)
|
---|
1775 | {
|
---|
1776 | /*
|
---|
1777 | * The image hash.
|
---|
1778 | */
|
---|
1779 | RTDIGESTTYPE const enmDigestType = RTCrX509AlgorithmIdentifier_QueryDigestType(&pIndData->DigestInfo.DigestAlgorithm);
|
---|
1780 | const char *pszDigestType = RTCrDigestTypeToName(enmDigestType);
|
---|
1781 | RTPrintf("%s Digest Type: %s", pThis->szPrefix, pszDigestType);
|
---|
1782 | if (pThis->cVerbosity > 1)
|
---|
1783 | RTPrintf(" (%s)\n", pIndData->DigestInfo.DigestAlgorithm.Algorithm.szObjId);
|
---|
1784 | else
|
---|
1785 | RTPrintf("\n");
|
---|
1786 | RTPrintf("%s Digest: %.*Rhxs\n",
|
---|
1787 | pThis->szPrefix, pIndData->DigestInfo.Digest.Asn1Core.cb, pIndData->DigestInfo.Digest.Asn1Core.uData.pu8);
|
---|
1788 |
|
---|
1789 | /*
|
---|
1790 | * The data/file/url.
|
---|
1791 | */
|
---|
1792 | switch (pIndData->Data.enmType)
|
---|
1793 | {
|
---|
1794 | case RTCRSPCAAOVTYPE_PE_IMAGE_DATA:
|
---|
1795 | {
|
---|
1796 | RTPrintf("%s Data Type: PE Image Data\n", pThis->szPrefix);
|
---|
1797 | PRTCRSPCPEIMAGEDATA pPeImage = pIndData->Data.uValue.pPeImage;
|
---|
1798 | /** @todo display "Flags". */
|
---|
1799 |
|
---|
1800 | switch (pPeImage->T0.File.enmChoice)
|
---|
1801 | {
|
---|
1802 | case RTCRSPCLINKCHOICE_MONIKER:
|
---|
1803 | {
|
---|
1804 | PRTCRSPCSERIALIZEDOBJECT pMoniker = pPeImage->T0.File.u.pMoniker;
|
---|
1805 | if (RTCrSpcSerializedObject_IsPresent(pMoniker))
|
---|
1806 | {
|
---|
1807 | if (RTUuidCompareStr(pMoniker->Uuid.Asn1Core.uData.pUuid, RTCRSPCSERIALIZEDOBJECT_UUID_STR) == 0)
|
---|
1808 | {
|
---|
1809 | RTPrintf("%s Moniker: SpcSerializedObject (%RTuuid)\n",
|
---|
1810 | pThis->szPrefix, pMoniker->Uuid.Asn1Core.uData.pUuid);
|
---|
1811 |
|
---|
1812 | PCRTCRSPCSERIALIZEDOBJECTATTRIBUTES pData = pMoniker->u.pData;
|
---|
1813 | if (pData)
|
---|
1814 | for (uint32_t i = 0; i < pData->cItems; i++)
|
---|
1815 | {
|
---|
1816 | RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix,
|
---|
1817 | "MonikerAttrib[%u]: ", i);
|
---|
1818 |
|
---|
1819 | switch (pData->papItems[i]->enmType)
|
---|
1820 | {
|
---|
1821 | case RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V2:
|
---|
1822 | case RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V1:
|
---|
1823 | {
|
---|
1824 | PCRTCRSPCSERIALIZEDPAGEHASHES pPgHashes = pData->papItems[i]->u.pPageHashes;
|
---|
1825 | uint32_t const cbHash = pData->papItems[i]->enmType
|
---|
1826 | == RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V1
|
---|
1827 | ? 160/8 /*SHA-1*/ : 256/8 /*SHA-256*/;
|
---|
1828 | uint32_t const cPages = pPgHashes->RawData.Asn1Core.cb / (cbHash + sizeof(uint32_t));
|
---|
1829 |
|
---|
1830 | RTPrintf("%sPage Hashes version %u - %u pages (%u bytes total)\n", pThis->szPrefix,
|
---|
1831 | pData->papItems[i]->enmType
|
---|
1832 | == RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V1 ? 1 : 2,
|
---|
1833 | cPages, pPgHashes->RawData.Asn1Core.cb);
|
---|
1834 | if (pThis->cVerbosity > 0)
|
---|
1835 | {
|
---|
1836 | PCRTCRSPCPEIMAGEPAGEHASHES pPg = pPgHashes->pData;
|
---|
1837 | for (unsigned iPg = 0; iPg < cPages; iPg++)
|
---|
1838 | {
|
---|
1839 | uint32_t offHash = 0;
|
---|
1840 | do
|
---|
1841 | {
|
---|
1842 | if (offHash == 0)
|
---|
1843 | RTPrintf("%.*s Page#%04u/%#08x: ",
|
---|
1844 | offPrefix, pThis->szPrefix, iPg, pPg->Generic.offFile);
|
---|
1845 | else
|
---|
1846 | RTPrintf("%.*s ", offPrefix, pThis->szPrefix);
|
---|
1847 | uint32_t cbLeft = cbHash - offHash;
|
---|
1848 | if (cbLeft > 24)
|
---|
1849 | cbLeft = 16;
|
---|
1850 | RTPrintf("%.*Rhxs\n", cbLeft, &pPg->Generic.abHash[offHash]);
|
---|
1851 | offHash += cbLeft;
|
---|
1852 | } while (offHash < cbHash);
|
---|
1853 | pPg = (PCRTCRSPCPEIMAGEPAGEHASHES)&pPg->Generic.abHash[cbHash];
|
---|
1854 | }
|
---|
1855 |
|
---|
1856 | if (pThis->cVerbosity > 3)
|
---|
1857 | RTPrintf("%.*Rhxd\n",
|
---|
1858 | pPgHashes->RawData.Asn1Core.cb,
|
---|
1859 | pPgHashes->RawData.Asn1Core.uData.pu8);
|
---|
1860 | }
|
---|
1861 | break;
|
---|
1862 | }
|
---|
1863 |
|
---|
1864 | case RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_UNKNOWN:
|
---|
1865 | HandleShowExeWorkerDisplayObjIdSimple(pThis, &pData->papItems[i]->Type, "\n");
|
---|
1866 | break;
|
---|
1867 | case RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_NOT_PRESENT:
|
---|
1868 | RTPrintf("%sNot present!\n", pThis->szPrefix);
|
---|
1869 | break;
|
---|
1870 | default:
|
---|
1871 | RTPrintf("%senmType=%d!\n", pThis->szPrefix, pData->papItems[i]->enmType);
|
---|
1872 | break;
|
---|
1873 | }
|
---|
1874 | pThis->szPrefix[offPrefix] = '\0';
|
---|
1875 | }
|
---|
1876 | else
|
---|
1877 | RTPrintf("%s pData is NULL!\n", pThis->szPrefix);
|
---|
1878 | }
|
---|
1879 | else
|
---|
1880 | RTPrintf("%s Moniker: Unknown UUID: %RTuuid\n",
|
---|
1881 | pThis->szPrefix, pMoniker->Uuid.Asn1Core.uData.pUuid);
|
---|
1882 | }
|
---|
1883 | else
|
---|
1884 | RTPrintf("%s Moniker: not present\n", pThis->szPrefix);
|
---|
1885 | break;
|
---|
1886 | }
|
---|
1887 |
|
---|
1888 | case RTCRSPCLINKCHOICE_URL:
|
---|
1889 | {
|
---|
1890 | const char *pszUrl = NULL;
|
---|
1891 | int rc = pPeImage->T0.File.u.pUrl
|
---|
1892 | ? RTAsn1String_QueryUtf8(pPeImage->T0.File.u.pUrl, &pszUrl, NULL)
|
---|
1893 | : VERR_NOT_FOUND;
|
---|
1894 | if (RT_SUCCESS(rc))
|
---|
1895 | RTPrintf("%s URL: '%s'\n", pThis->szPrefix, pszUrl);
|
---|
1896 | else
|
---|
1897 | RTPrintf("%s URL: rc=%Rrc\n", pThis->szPrefix, rc);
|
---|
1898 | break;
|
---|
1899 | }
|
---|
1900 |
|
---|
1901 | case RTCRSPCLINKCHOICE_FILE:
|
---|
1902 | {
|
---|
1903 | const char *pszFile = NULL;
|
---|
1904 | int rc = pPeImage->T0.File.u.pT2 && pPeImage->T0.File.u.pT2->File.u.pAscii
|
---|
1905 | ? RTAsn1String_QueryUtf8(pPeImage->T0.File.u.pT2->File.u.pAscii, &pszFile, NULL)
|
---|
1906 | : VERR_NOT_FOUND;
|
---|
1907 | if (RT_SUCCESS(rc))
|
---|
1908 | RTPrintf("%s File: '%s'\n", pThis->szPrefix, pszFile);
|
---|
1909 | else
|
---|
1910 | RTPrintf("%s File: rc=%Rrc\n", pThis->szPrefix, rc);
|
---|
1911 | break;
|
---|
1912 | }
|
---|
1913 |
|
---|
1914 | case RTCRSPCLINKCHOICE_NOT_PRESENT:
|
---|
1915 | RTPrintf("%s File not present!\n", pThis->szPrefix);
|
---|
1916 | break;
|
---|
1917 | default:
|
---|
1918 | RTPrintf("%s enmChoice=%d!\n", pThis->szPrefix, pPeImage->T0.File.enmChoice);
|
---|
1919 | break;
|
---|
1920 | }
|
---|
1921 | break;
|
---|
1922 | }
|
---|
1923 |
|
---|
1924 | case RTCRSPCAAOVTYPE_UNKNOWN:
|
---|
1925 | HandleShowExeWorkerDisplayObjId(pThis, &pIndData->Data.Type, " Data Type: ", "\n");
|
---|
1926 | break;
|
---|
1927 | case RTCRSPCAAOVTYPE_NOT_PRESENT:
|
---|
1928 | RTPrintf("%s Data Type: Not present!\n", pThis->szPrefix);
|
---|
1929 | break;
|
---|
1930 | default:
|
---|
1931 | RTPrintf("%s Data Type: enmType=%d!\n", pThis->szPrefix, pIndData->Data.enmType);
|
---|
1932 | break;
|
---|
1933 | }
|
---|
1934 |
|
---|
1935 | return VINF_SUCCESS;
|
---|
1936 | }
|
---|
1937 |
|
---|
1938 |
|
---|
1939 | /**
|
---|
1940 | * Display an PKCS#7 signed data instance.
|
---|
1941 | *
|
---|
1942 | * @returns IPRT status code.
|
---|
1943 | * @param pThis The show exe instance data.
|
---|
1944 | * @param pSignedData The signed data to display.
|
---|
1945 | * @param offPrefix The current prefix offset.
|
---|
1946 | * @param pContentInfo The content info structure (for the size).
|
---|
1947 | */
|
---|
1948 | static int HandleShowExeWorkerPkcs7Display(PSHOWEXEPKCS7 pThis, PRTCRPKCS7SIGNEDDATA pSignedData, size_t offPrefix,
|
---|
1949 | PCRTCRPKCS7CONTENTINFO pContentInfo)
|
---|
1950 | {
|
---|
1951 | pThis->szPrefix[offPrefix] = '\0';
|
---|
1952 | RTPrintf("%sPKCS#7 signature: %u (%#x) bytes\n", pThis->szPrefix,
|
---|
1953 | RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core),
|
---|
1954 | RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core));
|
---|
1955 |
|
---|
1956 | /*
|
---|
1957 | * Display list of signing algorithms.
|
---|
1958 | */
|
---|
1959 | RTPrintf("%sDigestAlgorithms: ", pThis->szPrefix);
|
---|
1960 | if (pSignedData->DigestAlgorithms.cItems == 0)
|
---|
1961 | RTPrintf("none");
|
---|
1962 | for (unsigned i = 0; i < pSignedData->DigestAlgorithms.cItems; i++)
|
---|
1963 | {
|
---|
1964 | PCRTCRX509ALGORITHMIDENTIFIER pAlgoId = pSignedData->DigestAlgorithms.papItems[i];
|
---|
1965 | const char *pszDigestType = RTCrDigestTypeToName(RTCrX509AlgorithmIdentifier_QueryDigestType(pAlgoId));
|
---|
1966 | if (!pszDigestType)
|
---|
1967 | pszDigestType = pAlgoId->Algorithm.szObjId;
|
---|
1968 | RTPrintf(i == 0 ? "%s" : ", %s", pszDigestType);
|
---|
1969 | if (pThis->cVerbosity > 1)
|
---|
1970 | RTPrintf(" (%s)", pAlgoId->Algorithm.szObjId);
|
---|
1971 | }
|
---|
1972 | RTPrintf("\n");
|
---|
1973 |
|
---|
1974 | /*
|
---|
1975 | * Display the signed data content.
|
---|
1976 | */
|
---|
1977 | if (RTAsn1ObjId_CompareWithString(&pSignedData->ContentInfo.ContentType, RTCRSPCINDIRECTDATACONTENT_OID) == 0)
|
---|
1978 | {
|
---|
1979 | RTPrintf("%s ContentType: SpcIndirectDataContent (" RTCRSPCINDIRECTDATACONTENT_OID ")\n", pThis->szPrefix);
|
---|
1980 | size_t offPrefix2 = RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, " SPC Ind Data: ");
|
---|
1981 | HandleShowExeWorkerPkcs7DisplaySpcIdirectDataContent(pThis, offPrefix2 + offPrefix,
|
---|
1982 | pSignedData->ContentInfo.u.pIndirectDataContent);
|
---|
1983 | pThis->szPrefix[offPrefix] = '\0';
|
---|
1984 | }
|
---|
1985 | else
|
---|
1986 | HandleShowExeWorkerDisplayObjId(pThis, &pSignedData->ContentInfo.ContentType, " ContentType: ", " - not implemented.\n");
|
---|
1987 |
|
---|
1988 | /*
|
---|
1989 | * Display certificates (Certificates).
|
---|
1990 | */
|
---|
1991 | if (pSignedData->Certificates.cItems > 0)
|
---|
1992 | {
|
---|
1993 | RTPrintf("%s Certificates: %u\n", pThis->szPrefix, pSignedData->Certificates.cItems);
|
---|
1994 | if (pThis->cVerbosity >= 2)
|
---|
1995 | {
|
---|
1996 | for (uint32_t i = 0; i < pSignedData->Certificates.cItems; i++)
|
---|
1997 | {
|
---|
1998 | if (i != 0)
|
---|
1999 | RTPrintf("\n");
|
---|
2000 | RTPrintf("%s Certificate #%u:\n", pThis->szPrefix, i);
|
---|
2001 | RTAsn1Dump(RTCrPkcs7Cert_GetAsn1Core(pSignedData->Certificates.papItems[i]), 0,
|
---|
2002 | ((uint32_t)offPrefix + 9) / 2, RTStrmDumpPrintfV, g_pStdOut);
|
---|
2003 | }
|
---|
2004 | }
|
---|
2005 | /** @todo display certificates properly. */
|
---|
2006 | }
|
---|
2007 |
|
---|
2008 | if (pSignedData->Crls.cb > 0)
|
---|
2009 | RTPrintf("%s CRLs: %u bytes\n", pThis->szPrefix, pSignedData->Crls.cb);
|
---|
2010 |
|
---|
2011 | /*
|
---|
2012 | * Show signatures (SignerInfos).
|
---|
2013 | */
|
---|
2014 | unsigned const cSigInfos = pSignedData->SignerInfos.cItems;
|
---|
2015 | if (cSigInfos != 1)
|
---|
2016 | RTPrintf("%s SignerInfos: %u signers\n", pThis->szPrefix, cSigInfos);
|
---|
2017 | else
|
---|
2018 | RTPrintf("%s SignerInfos:\n", pThis->szPrefix);
|
---|
2019 | for (unsigned i = 0; i < cSigInfos; i++)
|
---|
2020 | {
|
---|
2021 | PRTCRPKCS7SIGNERINFO pSigInfo = pSignedData->SignerInfos.papItems[i];
|
---|
2022 | size_t offPrefix2 = offPrefix;
|
---|
2023 | if (cSigInfos != 1)
|
---|
2024 | offPrefix2 += RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, "SignerInfo[%u]: ", i);
|
---|
2025 |
|
---|
2026 | int rc = RTAsn1Integer_ToString(&pSigInfo->IssuerAndSerialNumber.SerialNumber,
|
---|
2027 | pThis->szTmp, sizeof(pThis->szTmp), 0 /*fFlags*/, NULL);
|
---|
2028 | if (RT_FAILURE(rc))
|
---|
2029 | RTStrPrintf(pThis->szTmp, sizeof(pThis->szTmp), "%Rrc", rc);
|
---|
2030 | RTPrintf("%s Serial No: %s\n", pThis->szPrefix, pThis->szTmp);
|
---|
2031 |
|
---|
2032 | rc = RTCrX509Name_FormatAsString(&pSigInfo->IssuerAndSerialNumber.Name, pThis->szTmp, sizeof(pThis->szTmp), NULL);
|
---|
2033 | if (RT_FAILURE(rc))
|
---|
2034 | RTStrPrintf(pThis->szTmp, sizeof(pThis->szTmp), "%Rrc", rc);
|
---|
2035 | RTPrintf("%s Issuer: %s\n", pThis->szPrefix, pThis->szTmp);
|
---|
2036 |
|
---|
2037 | const char *pszType = RTCrDigestTypeToName(RTCrX509AlgorithmIdentifier_QueryDigestType(&pSigInfo->DigestAlgorithm));
|
---|
2038 | if (!pszType)
|
---|
2039 | pszType = pSigInfo->DigestAlgorithm.Algorithm.szObjId;
|
---|
2040 | RTPrintf("%s Digest Algorithm: %s", pThis->szPrefix, pszType);
|
---|
2041 | if (pThis->cVerbosity > 1)
|
---|
2042 | RTPrintf(" (%s)\n", pSigInfo->DigestAlgorithm.Algorithm.szObjId);
|
---|
2043 | else
|
---|
2044 | RTPrintf("\n");
|
---|
2045 |
|
---|
2046 | HandleShowExeWorkerDisplayObjId(pThis, &pSigInfo->DigestEncryptionAlgorithm.Algorithm,
|
---|
2047 | "Digest Encryption Algorithm: ", "\n");
|
---|
2048 |
|
---|
2049 | if (pSigInfo->AuthenticatedAttributes.cItems == 0)
|
---|
2050 | RTPrintf("%s Authenticated Attributes: none\n", pThis->szPrefix);
|
---|
2051 | else
|
---|
2052 | {
|
---|
2053 | RTPrintf("%s Authenticated Attributes: %u item%s\n", pThis->szPrefix,
|
---|
2054 | pSigInfo->AuthenticatedAttributes.cItems, pSigInfo->AuthenticatedAttributes.cItems > 1 ? "s" : "");
|
---|
2055 | for (unsigned j = 0; j < pSigInfo->AuthenticatedAttributes.cItems; j++)
|
---|
2056 | {
|
---|
2057 | PRTCRPKCS7ATTRIBUTE pAttr = pSigInfo->AuthenticatedAttributes.papItems[j];
|
---|
2058 | size_t offPrefix3 = offPrefix2 + RTStrPrintf(&pThis->szPrefix[offPrefix2], sizeof(pThis->szPrefix) - offPrefix2,
|
---|
2059 | " AuthAttrib[%u]: ", j);
|
---|
2060 | HandleShowExeWorkerPkcs7DisplayAttrib(pThis, offPrefix3, pAttr);
|
---|
2061 | }
|
---|
2062 | pThis->szPrefix[offPrefix2] = '\0';
|
---|
2063 | }
|
---|
2064 |
|
---|
2065 | if (pSigInfo->UnauthenticatedAttributes.cItems == 0)
|
---|
2066 | RTPrintf("%s Unauthenticated Attributes: none\n", pThis->szPrefix);
|
---|
2067 | else
|
---|
2068 | {
|
---|
2069 | RTPrintf("%s Unauthenticated Attributes: %u item%s\n", pThis->szPrefix,
|
---|
2070 | pSigInfo->UnauthenticatedAttributes.cItems, pSigInfo->UnauthenticatedAttributes.cItems > 1 ? "s" : "");
|
---|
2071 | for (unsigned j = 0; j < pSigInfo->UnauthenticatedAttributes.cItems; j++)
|
---|
2072 | {
|
---|
2073 | PRTCRPKCS7ATTRIBUTE pAttr = pSigInfo->UnauthenticatedAttributes.papItems[j];
|
---|
2074 | size_t offPrefix3 = offPrefix2 + RTStrPrintf(&pThis->szPrefix[offPrefix2], sizeof(pThis->szPrefix) - offPrefix2,
|
---|
2075 | " UnauthAttrib[%u]: ", j);
|
---|
2076 | HandleShowExeWorkerPkcs7DisplayAttrib(pThis, offPrefix3, pAttr);
|
---|
2077 | }
|
---|
2078 | pThis->szPrefix[offPrefix2] = '\0';
|
---|
2079 | }
|
---|
2080 |
|
---|
2081 | /** @todo show the encrypted stuff (EncryptedDigest)? */
|
---|
2082 | }
|
---|
2083 | pThis->szPrefix[offPrefix] = '\0';
|
---|
2084 |
|
---|
2085 | return VINF_SUCCESS;
|
---|
2086 | }
|
---|
2087 |
|
---|
2088 |
|
---|
2089 | /*
|
---|
2090 | * The 'show-exe' command.
|
---|
2091 | */
|
---|
2092 | static RTEXITCODE HelpShowExe(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
2093 | {
|
---|
2094 | RT_NOREF_PV(enmLevel);
|
---|
2095 | RTStrmPrintf(pStrm,
|
---|
2096 | "show-exe [--verbose|-v] [--quiet|-q] <exe1> [exe2 [..]]\n");
|
---|
2097 | return RTEXITCODE_SUCCESS;
|
---|
2098 | }
|
---|
2099 |
|
---|
2100 |
|
---|
2101 | static RTEXITCODE HandleShowExe(int cArgs, char **papszArgs)
|
---|
2102 | {
|
---|
2103 | /*
|
---|
2104 | * Parse arguments.
|
---|
2105 | */
|
---|
2106 | static const RTGETOPTDEF s_aOptions[] =
|
---|
2107 | {
|
---|
2108 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
2109 | { "--quiet", 'q', RTGETOPT_REQ_NOTHING },
|
---|
2110 | };
|
---|
2111 |
|
---|
2112 | unsigned cVerbosity = 0;
|
---|
2113 | RTLDRARCH enmLdrArch = RTLDRARCH_WHATEVER;
|
---|
2114 |
|
---|
2115 | RTGETOPTSTATE GetState;
|
---|
2116 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
2117 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
2118 | RTGETOPTUNION ValueUnion;
|
---|
2119 | int ch;
|
---|
2120 | while ((ch = RTGetOpt(&GetState, &ValueUnion)) && ch != VINF_GETOPT_NOT_OPTION)
|
---|
2121 | {
|
---|
2122 | switch (ch)
|
---|
2123 | {
|
---|
2124 | case 'v': cVerbosity++; break;
|
---|
2125 | case 'q': cVerbosity = 0; break;
|
---|
2126 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
2127 | case 'h': return HelpShowExe(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
2128 | default: return RTGetOptPrintError(ch, &ValueUnion);
|
---|
2129 | }
|
---|
2130 | }
|
---|
2131 | if (ch != VINF_GETOPT_NOT_OPTION)
|
---|
2132 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No executable given.");
|
---|
2133 |
|
---|
2134 | /*
|
---|
2135 | * Do it.
|
---|
2136 | */
|
---|
2137 | unsigned iFile = 0;
|
---|
2138 | RTEXITCODE rcExit = RTEXITCODE_SUCCESS;
|
---|
2139 | do
|
---|
2140 | {
|
---|
2141 | RTPrintf(iFile == 0 ? "%s:\n" : "\n%s:\n", ValueUnion.psz);
|
---|
2142 |
|
---|
2143 | SHOWEXEPKCS7 This;
|
---|
2144 | RT_ZERO(This);
|
---|
2145 | This.cVerbosity = cVerbosity;
|
---|
2146 |
|
---|
2147 | RTEXITCODE rcExitThis = SignToolPkcs7Exe_InitFromFile(&This, ValueUnion.psz, cVerbosity, enmLdrArch);
|
---|
2148 | if (rcExitThis == RTEXITCODE_SUCCESS)
|
---|
2149 | {
|
---|
2150 | rc = HandleShowExeWorkerPkcs7Display(&This, This.pSignedData, 0, &This.ContentInfo);
|
---|
2151 | if (RT_FAILURE(rc))
|
---|
2152 | rcExit = RTEXITCODE_FAILURE;
|
---|
2153 | SignToolPkcs7Exe_Delete(&This);
|
---|
2154 | }
|
---|
2155 | if (rcExitThis != RTEXITCODE_SUCCESS && rcExit == RTEXITCODE_SUCCESS)
|
---|
2156 | rcExit = rcExitThis;
|
---|
2157 |
|
---|
2158 | iFile++;
|
---|
2159 | } while ((ch = RTGetOpt(&GetState, &ValueUnion)) == VINF_GETOPT_NOT_OPTION);
|
---|
2160 | if (ch != 0)
|
---|
2161 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
2162 |
|
---|
2163 | return rcExit;
|
---|
2164 | }
|
---|
2165 |
|
---|
2166 |
|
---|
2167 | /*
|
---|
2168 | * The 'show-cat' command.
|
---|
2169 | */
|
---|
2170 | static RTEXITCODE HelpShowCat(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
2171 | {
|
---|
2172 | RT_NOREF_PV(enmLevel);
|
---|
2173 | RTStrmPrintf(pStrm,
|
---|
2174 | "show-cat [--verbose|-v] [--quiet|-q] <cat1> [cat2 [..]]\n");
|
---|
2175 | return RTEXITCODE_SUCCESS;
|
---|
2176 | }
|
---|
2177 |
|
---|
2178 |
|
---|
2179 | static RTEXITCODE HandleShowCat(int cArgs, char **papszArgs)
|
---|
2180 | {
|
---|
2181 | /*
|
---|
2182 | * Parse arguments.
|
---|
2183 | */
|
---|
2184 | static const RTGETOPTDEF s_aOptions[] =
|
---|
2185 | {
|
---|
2186 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
2187 | { "--quiet", 'q', RTGETOPT_REQ_NOTHING },
|
---|
2188 | };
|
---|
2189 |
|
---|
2190 | unsigned cVerbosity = 0;
|
---|
2191 |
|
---|
2192 | RTGETOPTSTATE GetState;
|
---|
2193 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
2194 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
2195 | RTGETOPTUNION ValueUnion;
|
---|
2196 | int ch;
|
---|
2197 | while ((ch = RTGetOpt(&GetState, &ValueUnion)) && ch != VINF_GETOPT_NOT_OPTION)
|
---|
2198 | {
|
---|
2199 | switch (ch)
|
---|
2200 | {
|
---|
2201 | case 'v': cVerbosity++; break;
|
---|
2202 | case 'q': cVerbosity = 0; break;
|
---|
2203 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
2204 | case 'h': return HelpShowCat(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
2205 | default: return RTGetOptPrintError(ch, &ValueUnion);
|
---|
2206 | }
|
---|
2207 | }
|
---|
2208 | if (ch != VINF_GETOPT_NOT_OPTION)
|
---|
2209 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No executable given.");
|
---|
2210 |
|
---|
2211 | /*
|
---|
2212 | * Do it.
|
---|
2213 | */
|
---|
2214 | unsigned iFile = 0;
|
---|
2215 | RTEXITCODE rcExit = RTEXITCODE_SUCCESS;
|
---|
2216 | do
|
---|
2217 | {
|
---|
2218 | RTPrintf(iFile == 0 ? "%s:\n" : "\n%s:\n", ValueUnion.psz);
|
---|
2219 |
|
---|
2220 | SHOWEXEPKCS7 This;
|
---|
2221 | RT_ZERO(This);
|
---|
2222 | This.cVerbosity = cVerbosity;
|
---|
2223 |
|
---|
2224 | RTEXITCODE rcExitThis = SignToolPkcs7_InitFromFile(&This, ValueUnion.psz, cVerbosity);
|
---|
2225 | if (rcExitThis == RTEXITCODE_SUCCESS)
|
---|
2226 | {
|
---|
2227 | This.hLdrMod = NIL_RTLDRMOD;
|
---|
2228 |
|
---|
2229 | rc = HandleShowExeWorkerPkcs7Display(&This, This.pSignedData, 0, &This.ContentInfo);
|
---|
2230 | if (RT_FAILURE(rc))
|
---|
2231 | rcExit = RTEXITCODE_FAILURE;
|
---|
2232 | SignToolPkcs7Exe_Delete(&This);
|
---|
2233 | }
|
---|
2234 | if (rcExitThis != RTEXITCODE_SUCCESS && rcExit == RTEXITCODE_SUCCESS)
|
---|
2235 | rcExit = rcExitThis;
|
---|
2236 |
|
---|
2237 | iFile++;
|
---|
2238 | } while ((ch = RTGetOpt(&GetState, &ValueUnion)) == VINF_GETOPT_NOT_OPTION);
|
---|
2239 | if (ch != 0)
|
---|
2240 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
2241 |
|
---|
2242 | return rcExit;
|
---|
2243 | }
|
---|
2244 |
|
---|
2245 |
|
---|
2246 | /*
|
---|
2247 | * The 'make-tainfo' command.
|
---|
2248 | */
|
---|
2249 | static RTEXITCODE HelpMakeTaInfo(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
2250 | {
|
---|
2251 | RT_NOREF_PV(enmLevel);
|
---|
2252 | RTStrmPrintf(pStrm,
|
---|
2253 | "make-tainfo [--verbose|--quiet] [--cert <cert.der>] [-o|--output] <tainfo.der>\n");
|
---|
2254 | return RTEXITCODE_SUCCESS;
|
---|
2255 | }
|
---|
2256 |
|
---|
2257 |
|
---|
2258 | typedef struct MAKETAINFOSTATE
|
---|
2259 | {
|
---|
2260 | int cVerbose;
|
---|
2261 | const char *pszCert;
|
---|
2262 | const char *pszOutput;
|
---|
2263 | } MAKETAINFOSTATE;
|
---|
2264 |
|
---|
2265 |
|
---|
2266 | /** @callback_method_impl{FNRTASN1ENCODEWRITER} */
|
---|
2267 | static DECLCALLBACK(int) handleMakeTaInfoWriter(const void *pvBuf, size_t cbToWrite, void *pvUser, PRTERRINFO pErrInfo)
|
---|
2268 | {
|
---|
2269 | RT_NOREF_PV(pErrInfo);
|
---|
2270 | return RTStrmWrite((PRTSTREAM)pvUser, pvBuf, cbToWrite);
|
---|
2271 | }
|
---|
2272 |
|
---|
2273 |
|
---|
2274 | static RTEXITCODE HandleMakeTaInfo(int cArgs, char **papszArgs)
|
---|
2275 | {
|
---|
2276 | /*
|
---|
2277 | * Parse arguments.
|
---|
2278 | */
|
---|
2279 | static const RTGETOPTDEF s_aOptions[] =
|
---|
2280 | {
|
---|
2281 | { "--cert", 'c', RTGETOPT_REQ_STRING },
|
---|
2282 | { "--output", 'o', RTGETOPT_REQ_STRING },
|
---|
2283 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
2284 | { "--quiet", 'q', RTGETOPT_REQ_NOTHING },
|
---|
2285 | };
|
---|
2286 |
|
---|
2287 | MAKETAINFOSTATE State = { 0, NULL, NULL };
|
---|
2288 |
|
---|
2289 | RTGETOPTSTATE GetState;
|
---|
2290 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
2291 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
2292 | RTGETOPTUNION ValueUnion;
|
---|
2293 | int ch;
|
---|
2294 | while ((ch = RTGetOpt(&GetState, &ValueUnion)) != 0)
|
---|
2295 | {
|
---|
2296 | switch (ch)
|
---|
2297 | {
|
---|
2298 | case 'c':
|
---|
2299 | if (State.pszCert)
|
---|
2300 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "The --cert option can only be used once.");
|
---|
2301 | State.pszCert = ValueUnion.psz;
|
---|
2302 | break;
|
---|
2303 |
|
---|
2304 | case 'o':
|
---|
2305 | case VINF_GETOPT_NOT_OPTION:
|
---|
2306 | if (State.pszOutput)
|
---|
2307 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Multiple output files specified.");
|
---|
2308 | State.pszOutput = ValueUnion.psz;
|
---|
2309 | break;
|
---|
2310 |
|
---|
2311 | case 'v': State.cVerbose++; break;
|
---|
2312 | case 'q': State.cVerbose = 0; break;
|
---|
2313 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
2314 | case 'h': return HelpMakeTaInfo(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
2315 | default: return RTGetOptPrintError(ch, &ValueUnion);
|
---|
2316 | }
|
---|
2317 | }
|
---|
2318 | if (!State.pszCert)
|
---|
2319 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No input certificate was specified.");
|
---|
2320 | if (!State.pszOutput)
|
---|
2321 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No output file was specified.");
|
---|
2322 |
|
---|
2323 | /*
|
---|
2324 | * Read the certificate.
|
---|
2325 | */
|
---|
2326 | RTERRINFOSTATIC StaticErrInfo;
|
---|
2327 | RTCRX509CERTIFICATE Certificate;
|
---|
2328 | rc = RTCrX509Certificate_ReadFromFile(&Certificate, State.pszCert, 0, &g_RTAsn1DefaultAllocator,
|
---|
2329 | RTErrInfoInitStatic(&StaticErrInfo));
|
---|
2330 | if (RT_FAILURE(rc))
|
---|
2331 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error reading certificate from %s: %Rrc - %s",
|
---|
2332 | State.pszCert, rc, StaticErrInfo.szMsg);
|
---|
2333 | /*
|
---|
2334 | * Construct the trust anchor information.
|
---|
2335 | */
|
---|
2336 | RTCRTAFTRUSTANCHORINFO TrustAnchor;
|
---|
2337 | rc = RTCrTafTrustAnchorInfo_Init(&TrustAnchor, &g_RTAsn1DefaultAllocator);
|
---|
2338 | if (RT_SUCCESS(rc))
|
---|
2339 | {
|
---|
2340 | /* Public key. */
|
---|
2341 | Assert(RTCrX509SubjectPublicKeyInfo_IsPresent(&TrustAnchor.PubKey));
|
---|
2342 | RTCrX509SubjectPublicKeyInfo_Delete(&TrustAnchor.PubKey);
|
---|
2343 | rc = RTCrX509SubjectPublicKeyInfo_Clone(&TrustAnchor.PubKey, &Certificate.TbsCertificate.SubjectPublicKeyInfo,
|
---|
2344 | &g_RTAsn1DefaultAllocator);
|
---|
2345 | if (RT_FAILURE(rc))
|
---|
2346 | RTMsgError("RTCrX509SubjectPublicKeyInfo_Clone failed: %Rrc", rc);
|
---|
2347 | RTAsn1Core_ResetImplict(RTCrX509SubjectPublicKeyInfo_GetAsn1Core(&TrustAnchor.PubKey)); /* temporary hack. */
|
---|
2348 |
|
---|
2349 | /* Key Identifier. */
|
---|
2350 | PCRTASN1OCTETSTRING pKeyIdentifier = NULL;
|
---|
2351 | if (Certificate.TbsCertificate.T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER)
|
---|
2352 | pKeyIdentifier = Certificate.TbsCertificate.T3.pSubjectKeyIdentifier;
|
---|
2353 | else if ( (Certificate.TbsCertificate.T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER)
|
---|
2354 | && RTCrX509Certificate_IsSelfSigned(&Certificate)
|
---|
2355 | && RTAsn1OctetString_IsPresent(&Certificate.TbsCertificate.T3.pAuthorityKeyIdentifier->KeyIdentifier) )
|
---|
2356 | pKeyIdentifier = &Certificate.TbsCertificate.T3.pAuthorityKeyIdentifier->KeyIdentifier;
|
---|
2357 | else if ( (Certificate.TbsCertificate.T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER)
|
---|
2358 | && RTCrX509Certificate_IsSelfSigned(&Certificate)
|
---|
2359 | && RTAsn1OctetString_IsPresent(&Certificate.TbsCertificate.T3.pOldAuthorityKeyIdentifier->KeyIdentifier) )
|
---|
2360 | pKeyIdentifier = &Certificate.TbsCertificate.T3.pOldAuthorityKeyIdentifier->KeyIdentifier;
|
---|
2361 | if (pKeyIdentifier && pKeyIdentifier->Asn1Core.cb > 0)
|
---|
2362 | {
|
---|
2363 | Assert(RTAsn1OctetString_IsPresent(&TrustAnchor.KeyIdentifier));
|
---|
2364 | RTAsn1OctetString_Delete(&TrustAnchor.KeyIdentifier);
|
---|
2365 | rc = RTAsn1OctetString_Clone(&TrustAnchor.KeyIdentifier, pKeyIdentifier, &g_RTAsn1DefaultAllocator);
|
---|
2366 | if (RT_FAILURE(rc))
|
---|
2367 | RTMsgError("RTAsn1OctetString_Clone failed: %Rrc", rc);
|
---|
2368 | RTAsn1Core_ResetImplict(RTAsn1OctetString_GetAsn1Core(&TrustAnchor.KeyIdentifier)); /* temporary hack. */
|
---|
2369 | }
|
---|
2370 | else
|
---|
2371 | RTMsgWarning("No key identifier found or has zero length.");
|
---|
2372 |
|
---|
2373 | /* Subject */
|
---|
2374 | if (RT_SUCCESS(rc))
|
---|
2375 | {
|
---|
2376 | Assert(!RTCrTafCertPathControls_IsPresent(&TrustAnchor.CertPath));
|
---|
2377 | rc = RTCrTafCertPathControls_Init(&TrustAnchor.CertPath, &g_RTAsn1DefaultAllocator);
|
---|
2378 | if (RT_SUCCESS(rc))
|
---|
2379 | {
|
---|
2380 | Assert(RTCrX509Name_IsPresent(&TrustAnchor.CertPath.TaName));
|
---|
2381 | RTCrX509Name_Delete(&TrustAnchor.CertPath.TaName);
|
---|
2382 | rc = RTCrX509Name_Clone(&TrustAnchor.CertPath.TaName, &Certificate.TbsCertificate.Subject,
|
---|
2383 | &g_RTAsn1DefaultAllocator);
|
---|
2384 | if (RT_SUCCESS(rc))
|
---|
2385 | {
|
---|
2386 | RTAsn1Core_ResetImplict(RTCrX509Name_GetAsn1Core(&TrustAnchor.CertPath.TaName)); /* temporary hack. */
|
---|
2387 | rc = RTCrX509Name_RecodeAsUtf8(&TrustAnchor.CertPath.TaName, &g_RTAsn1DefaultAllocator);
|
---|
2388 | if (RT_FAILURE(rc))
|
---|
2389 | RTMsgError("RTCrX509Name_RecodeAsUtf8 failed: %Rrc", rc);
|
---|
2390 | }
|
---|
2391 | else
|
---|
2392 | RTMsgError("RTCrX509Name_Clone failed: %Rrc", rc);
|
---|
2393 | }
|
---|
2394 | else
|
---|
2395 | RTMsgError("RTCrTafCertPathControls_Init failed: %Rrc", rc);
|
---|
2396 | }
|
---|
2397 |
|
---|
2398 | /* Check that what we've constructed makes some sense. */
|
---|
2399 | if (RT_SUCCESS(rc))
|
---|
2400 | {
|
---|
2401 | rc = RTCrTafTrustAnchorInfo_CheckSanity(&TrustAnchor, 0, RTErrInfoInitStatic(&StaticErrInfo), "TAI");
|
---|
2402 | if (RT_FAILURE(rc))
|
---|
2403 | RTMsgError("RTCrTafTrustAnchorInfo_CheckSanity failed: %Rrc - %s", rc, StaticErrInfo.szMsg);
|
---|
2404 | }
|
---|
2405 |
|
---|
2406 | if (RT_SUCCESS(rc))
|
---|
2407 | {
|
---|
2408 | /*
|
---|
2409 | * Encode it and write it to the output file.
|
---|
2410 | */
|
---|
2411 | uint32_t cbEncoded;
|
---|
2412 | rc = RTAsn1EncodePrepare(RTCrTafTrustAnchorInfo_GetAsn1Core(&TrustAnchor), RTASN1ENCODE_F_DER, &cbEncoded,
|
---|
2413 | RTErrInfoInitStatic(&StaticErrInfo));
|
---|
2414 | if (RT_SUCCESS(rc))
|
---|
2415 | {
|
---|
2416 | if (State.cVerbose >= 1)
|
---|
2417 | RTAsn1Dump(RTCrTafTrustAnchorInfo_GetAsn1Core(&TrustAnchor), 0, 0, RTStrmDumpPrintfV, g_pStdOut);
|
---|
2418 |
|
---|
2419 | PRTSTREAM pStrm;
|
---|
2420 | rc = RTStrmOpen(State.pszOutput, "wb", &pStrm);
|
---|
2421 | if (RT_SUCCESS(rc))
|
---|
2422 | {
|
---|
2423 | rc = RTAsn1EncodeWrite(RTCrTafTrustAnchorInfo_GetAsn1Core(&TrustAnchor), RTASN1ENCODE_F_DER,
|
---|
2424 | handleMakeTaInfoWriter, pStrm, RTErrInfoInitStatic(&StaticErrInfo));
|
---|
2425 | if (RT_SUCCESS(rc))
|
---|
2426 | {
|
---|
2427 | rc = RTStrmClose(pStrm);
|
---|
2428 | if (RT_SUCCESS(rc))
|
---|
2429 | RTMsgInfo("Successfully wrote TrustedAnchorInfo to '%s'.", State.pszOutput);
|
---|
2430 | else
|
---|
2431 | RTMsgError("RTStrmClose failed: %Rrc", rc);
|
---|
2432 | }
|
---|
2433 | else
|
---|
2434 | {
|
---|
2435 | RTMsgError("RTAsn1EncodeWrite failed: %Rrc - %s", rc, StaticErrInfo.szMsg);
|
---|
2436 | RTStrmClose(pStrm);
|
---|
2437 | }
|
---|
2438 | }
|
---|
2439 | else
|
---|
2440 | RTMsgError("Error opening '%s' for writing: %Rrcs", State.pszOutput, rc);
|
---|
2441 | }
|
---|
2442 | else
|
---|
2443 | RTMsgError("RTAsn1EncodePrepare failed: %Rrc - %s", rc, StaticErrInfo.szMsg);
|
---|
2444 | }
|
---|
2445 |
|
---|
2446 | RTCrTafTrustAnchorInfo_Delete(&TrustAnchor);
|
---|
2447 | }
|
---|
2448 | else
|
---|
2449 | RTMsgError("RTCrTafTrustAnchorInfo_Init failed: %Rrc", rc);
|
---|
2450 |
|
---|
2451 | RTCrX509Certificate_Delete(&Certificate);
|
---|
2452 | return RT_SUCCESS(rc) ? RTEXITCODE_SUCCESS : RTEXITCODE_FAILURE;
|
---|
2453 | }
|
---|
2454 |
|
---|
2455 |
|
---|
2456 |
|
---|
2457 | /*
|
---|
2458 | * The 'version' command.
|
---|
2459 | */
|
---|
2460 | static RTEXITCODE HelpVersion(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
2461 | {
|
---|
2462 | RT_NOREF_PV(enmLevel);
|
---|
2463 | RTStrmPrintf(pStrm, "version\n");
|
---|
2464 | return RTEXITCODE_SUCCESS;
|
---|
2465 | }
|
---|
2466 |
|
---|
2467 | static RTEXITCODE HandleVersion(int cArgs, char **papszArgs)
|
---|
2468 | {
|
---|
2469 | RT_NOREF_PV(cArgs); RT_NOREF_PV(papszArgs);
|
---|
2470 | #ifndef IN_BLD_PROG /* RTBldCfgVersion or RTBldCfgRevision in build time IPRT lib. */
|
---|
2471 | RTPrintf("%s\n", RTBldCfgVersion());
|
---|
2472 | return RTEXITCODE_SUCCESS;
|
---|
2473 | #else
|
---|
2474 | return RTEXITCODE_FAILURE;
|
---|
2475 | #endif
|
---|
2476 | }
|
---|
2477 |
|
---|
2478 |
|
---|
2479 |
|
---|
2480 | /**
|
---|
2481 | * Command mapping.
|
---|
2482 | */
|
---|
2483 | static struct
|
---|
2484 | {
|
---|
2485 | /** The command. */
|
---|
2486 | const char *pszCmd;
|
---|
2487 | /**
|
---|
2488 | * Handle the command.
|
---|
2489 | * @returns Program exit code.
|
---|
2490 | * @param cArgs Number of arguments.
|
---|
2491 | * @param papszArgs The argument vector, starting with the command name.
|
---|
2492 | */
|
---|
2493 | RTEXITCODE (*pfnHandler)(int cArgs, char **papszArgs);
|
---|
2494 | /**
|
---|
2495 | * Produce help.
|
---|
2496 | * @returns RTEXITCODE_SUCCESS to simplify handling '--help' in the handler.
|
---|
2497 | * @param pStrm Where to send help text.
|
---|
2498 | * @param enmLevel The level of the help information.
|
---|
2499 | */
|
---|
2500 | RTEXITCODE (*pfnHelp)(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel);
|
---|
2501 | }
|
---|
2502 | /** Mapping commands to handler and helper functions. */
|
---|
2503 | const g_aCommands[] =
|
---|
2504 | {
|
---|
2505 | { "extract-exe-signer-cert", HandleExtractExeSignerCert, HelpExtractExeSignerCert },
|
---|
2506 | { "add-nested-exe-signature", HandleAddNestedExeSignature, HelpAddNestedExeSignature },
|
---|
2507 | { "add-nested-cat-signature", HandleAddNestedCatSignature, HelpAddNestedCatSignature },
|
---|
2508 | #ifndef IPRT_IN_BUILD_TOOL
|
---|
2509 | { "verify-exe", HandleVerifyExe, HelpVerifyExe },
|
---|
2510 | #endif
|
---|
2511 | { "show-exe", HandleShowExe, HelpShowExe },
|
---|
2512 | { "show-cat", HandleShowCat, HelpShowCat },
|
---|
2513 | { "make-tainfo", HandleMakeTaInfo, HelpMakeTaInfo },
|
---|
2514 | { "help", HandleHelp, HelpHelp },
|
---|
2515 | { "--help", HandleHelp, NULL },
|
---|
2516 | { "-h", HandleHelp, NULL },
|
---|
2517 | { "version", HandleVersion, HelpVersion },
|
---|
2518 | { "--version", HandleVersion, NULL },
|
---|
2519 | { "-V", HandleVersion, NULL },
|
---|
2520 | };
|
---|
2521 |
|
---|
2522 |
|
---|
2523 | /*
|
---|
2524 | * The 'help' command.
|
---|
2525 | */
|
---|
2526 | static RTEXITCODE HelpHelp(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
2527 | {
|
---|
2528 | RT_NOREF_PV(enmLevel);
|
---|
2529 | RTStrmPrintf(pStrm, "help [cmd-patterns]\n");
|
---|
2530 | return RTEXITCODE_SUCCESS;
|
---|
2531 | }
|
---|
2532 |
|
---|
2533 | static RTEXITCODE HandleHelp(int cArgs, char **papszArgs)
|
---|
2534 | {
|
---|
2535 | RTSIGNTOOLHELP enmLevel = cArgs <= 1 ? RTSIGNTOOLHELP_USAGE : RTSIGNTOOLHELP_FULL;
|
---|
2536 | uint32_t cShowed = 0;
|
---|
2537 | for (uint32_t iCmd = 0; iCmd < RT_ELEMENTS(g_aCommands); iCmd++)
|
---|
2538 | {
|
---|
2539 | if (g_aCommands[iCmd].pfnHelp)
|
---|
2540 | {
|
---|
2541 | bool fShow = false;
|
---|
2542 | if (cArgs <= 1)
|
---|
2543 | fShow = true;
|
---|
2544 | else
|
---|
2545 | {
|
---|
2546 | for (int iArg = 1; iArg < cArgs; iArg++)
|
---|
2547 | if (RTStrSimplePatternMultiMatch(papszArgs[iArg], RTSTR_MAX, g_aCommands[iCmd].pszCmd, RTSTR_MAX, NULL))
|
---|
2548 | {
|
---|
2549 | fShow = true;
|
---|
2550 | break;
|
---|
2551 | }
|
---|
2552 | }
|
---|
2553 | if (fShow)
|
---|
2554 | {
|
---|
2555 | g_aCommands[iCmd].pfnHelp(g_pStdOut, enmLevel);
|
---|
2556 | cShowed++;
|
---|
2557 | }
|
---|
2558 | }
|
---|
2559 | }
|
---|
2560 | return cShowed ? RTEXITCODE_SUCCESS : RTEXITCODE_FAILURE;
|
---|
2561 | }
|
---|
2562 |
|
---|
2563 |
|
---|
2564 |
|
---|
2565 | int main(int argc, char **argv)
|
---|
2566 | {
|
---|
2567 | int rc = RTR3InitExe(argc, &argv, 0);
|
---|
2568 | if (RT_FAILURE(rc))
|
---|
2569 | return RTMsgInitFailure(rc);
|
---|
2570 |
|
---|
2571 | /*
|
---|
2572 | * Parse global arguments.
|
---|
2573 | */
|
---|
2574 | int iArg = 1;
|
---|
2575 | /* none presently. */
|
---|
2576 |
|
---|
2577 | /*
|
---|
2578 | * Command dispatcher.
|
---|
2579 | */
|
---|
2580 | if (iArg < argc)
|
---|
2581 | {
|
---|
2582 | const char *pszCmd = argv[iArg];
|
---|
2583 | uint32_t i = RT_ELEMENTS(g_aCommands);
|
---|
2584 | while (i-- > 0)
|
---|
2585 | if (!strcmp(g_aCommands[i].pszCmd, pszCmd))
|
---|
2586 | return g_aCommands[i].pfnHandler(argc - iArg, &argv[iArg]);
|
---|
2587 | RTMsgError("Unknown command '%s'.", pszCmd);
|
---|
2588 | }
|
---|
2589 | else
|
---|
2590 | RTMsgError("No command given. (try --help)");
|
---|
2591 |
|
---|
2592 | return RTEXITCODE_SYNTAX;
|
---|
2593 | }
|
---|
2594 |
|
---|