1 | /* $Id: RTSignTool.cpp 95690 2022-07-18 00:59:34Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * IPRT - Signing Tool.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2006-2022 Oracle Corporation
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox Open Source Edition (OSE), as
|
---|
10 | * available from http://www.virtualbox.org. This file is free software;
|
---|
11 | * you can redistribute it and/or modify it under the terms of the GNU
|
---|
12 | * General Public License (GPL) as published by the Free Software
|
---|
13 | * Foundation, in version 2 as it comes in the "COPYING" file of the
|
---|
14 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
|
---|
15 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
|
---|
16 | *
|
---|
17 | * The contents of this file may alternatively be used under the terms
|
---|
18 | * of the Common Development and Distribution License Version 1.0
|
---|
19 | * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
|
---|
20 | * VirtualBox OSE distribution, in which case the provisions of the
|
---|
21 | * CDDL are applicable instead of those of the GPL.
|
---|
22 | *
|
---|
23 | * You may elect to license modified versions of this file under the
|
---|
24 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
25 | */
|
---|
26 |
|
---|
27 |
|
---|
28 | /*********************************************************************************************************************************
|
---|
29 | * Header Files *
|
---|
30 | *********************************************************************************************************************************/
|
---|
31 | #include <iprt/assert.h>
|
---|
32 | #include <iprt/buildconfig.h>
|
---|
33 | #include <iprt/ctype.h>
|
---|
34 | #include <iprt/err.h>
|
---|
35 | #include <iprt/getopt.h>
|
---|
36 | #include <iprt/file.h>
|
---|
37 | #include <iprt/initterm.h>
|
---|
38 | #include <iprt/ldr.h>
|
---|
39 | #include <iprt/message.h>
|
---|
40 | #include <iprt/mem.h>
|
---|
41 | #include <iprt/path.h>
|
---|
42 | #include <iprt/stream.h>
|
---|
43 | #include <iprt/string.h>
|
---|
44 | #ifdef RT_OS_WINDOWS
|
---|
45 | # include <iprt/utf16.h>
|
---|
46 | #endif
|
---|
47 | #include <iprt/uuid.h>
|
---|
48 | #include <iprt/zero.h>
|
---|
49 | #include <iprt/formats/asn1.h>
|
---|
50 | #include <iprt/formats/mach-o.h>
|
---|
51 | #ifndef RT_OS_WINDOWS
|
---|
52 | # include <iprt/formats/pecoff.h>
|
---|
53 | #endif
|
---|
54 | #include <iprt/crypto/applecodesign.h>
|
---|
55 | #include <iprt/crypto/digest.h>
|
---|
56 | #include <iprt/crypto/key.h>
|
---|
57 | #include <iprt/crypto/x509.h>
|
---|
58 | #include <iprt/crypto/pkcs7.h>
|
---|
59 | #include <iprt/crypto/store.h>
|
---|
60 | #include <iprt/crypto/spc.h>
|
---|
61 | #include <iprt/crypto/tsp.h>
|
---|
62 | #include <iprt/cpp/ministring.h>
|
---|
63 | #ifdef VBOX
|
---|
64 | # include <VBox/sup.h> /* Certificates */
|
---|
65 | #endif
|
---|
66 | #ifdef RT_OS_WINDOWS
|
---|
67 | # include <iprt/win/windows.h>
|
---|
68 | # include <iprt/win/imagehlp.h>
|
---|
69 | # include <wincrypt.h>
|
---|
70 | # include <ncrypt.h>
|
---|
71 | #endif
|
---|
72 | #include "internal/ldr.h" /* for IMAGE_XX_SIGNATURE defines */
|
---|
73 |
|
---|
74 |
|
---|
75 | /*********************************************************************************************************************************
|
---|
76 | * Defined Constants And Macros *
|
---|
77 | *********************************************************************************************************************************/
|
---|
78 | #define OPT_OFF_CERT_FILE 0 /**< signtool /f file */
|
---|
79 | #define OPT_OFF_CERT_SHA1 1 /**< signtool /sha1 thumbprint */
|
---|
80 | #define OPT_OFF_CERT_SUBJECT 2 /**< signtool /n name */
|
---|
81 | #define OPT_OFF_CERT_STORE 3 /**< signtool /s store */
|
---|
82 | #define OPT_OFF_CERT_STORE_MACHINE 4 /**< signtool /sm */
|
---|
83 | #define OPT_OFF_KEY_FILE 5 /**< no signtool equivalent, other than maybe /f. */
|
---|
84 | #define OPT_OFF_KEY_PASSWORD 6 /**< signtool /p pass */
|
---|
85 | #define OPT_OFF_KEY_PASSWORD_FILE 7 /**< no signtool equivalent. */
|
---|
86 | #define OPT_OFF_KEY_NAME 8 /**< signtool /kc name */
|
---|
87 | #define OPT_OFF_KEY_PROVIDER 9 /**< signtool /csp name (CSP = cryptographic service provider) */
|
---|
88 |
|
---|
89 | #define OPT_CERT_KEY_SWITCH_CASES(a_Instance, a_uBase, a_chOpt, a_ValueUnion, a_rcExit) \
|
---|
90 | case (a_uBase) + OPT_OFF_CERT_FILE: \
|
---|
91 | case (a_uBase) + OPT_OFF_CERT_SHA1: \
|
---|
92 | case (a_uBase) + OPT_OFF_CERT_SUBJECT: \
|
---|
93 | case (a_uBase) + OPT_OFF_CERT_STORE: \
|
---|
94 | case (a_uBase) + OPT_OFF_CERT_STORE_MACHINE: \
|
---|
95 | case (a_uBase) + OPT_OFF_KEY_FILE: \
|
---|
96 | case (a_uBase) + OPT_OFF_KEY_PASSWORD: \
|
---|
97 | case (a_uBase) + OPT_OFF_KEY_PASSWORD_FILE: \
|
---|
98 | case (a_uBase) + OPT_OFF_KEY_NAME: \
|
---|
99 | case (a_uBase) + OPT_OFF_KEY_PROVIDER: \
|
---|
100 | a_rcExit = a_Instance.handleOption((a_chOpt) - (a_uBase), &(a_ValueUnion)); \
|
---|
101 | break
|
---|
102 |
|
---|
103 | #define OPT_CERT_KEY_GETOPTDEF_ENTRIES(a_szPrefix, a_uBase) \
|
---|
104 | { a_szPrefix "cert-file", (a_uBase) + OPT_OFF_CERT_FILE, RTGETOPT_REQ_STRING }, \
|
---|
105 | { a_szPrefix "cert-sha1", (a_uBase) + OPT_OFF_CERT_SHA1, RTGETOPT_REQ_STRING }, \
|
---|
106 | { a_szPrefix "cert-subject", (a_uBase) + OPT_OFF_CERT_SUBJECT, RTGETOPT_REQ_STRING }, \
|
---|
107 | { a_szPrefix "cert-store", (a_uBase) + OPT_OFF_CERT_STORE, RTGETOPT_REQ_STRING }, \
|
---|
108 | { a_szPrefix "cert-machine-store", (a_uBase) + OPT_OFF_CERT_STORE_MACHINE, RTGETOPT_REQ_NOTHING }, \
|
---|
109 | { a_szPrefix "key-file", (a_uBase) + OPT_OFF_KEY_FILE, RTGETOPT_REQ_STRING }, \
|
---|
110 | { a_szPrefix "key-password", (a_uBase) + OPT_OFF_KEY_PASSWORD, RTGETOPT_REQ_STRING }, \
|
---|
111 | { a_szPrefix "key-password-file", (a_uBase) + OPT_OFF_KEY_PASSWORD_FILE, RTGETOPT_REQ_STRING }, \
|
---|
112 | { a_szPrefix "key-name", (a_uBase) + OPT_OFF_KEY_NAME, RTGETOPT_REQ_STRING }, \
|
---|
113 | { a_szPrefix "key-provider", (a_uBase) + OPT_OFF_KEY_PROVIDER, RTGETOPT_REQ_STRING }
|
---|
114 |
|
---|
115 | #define OPT_CERT_KEY_GETOPTDEF_COMPAT_ENTRIES(a_uBase) \
|
---|
116 | { "/f", (a_uBase) + OPT_OFF_CERT_FILE, RTGETOPT_REQ_STRING }, \
|
---|
117 | { "/sha1", (a_uBase) + OPT_OFF_CERT_SHA1, RTGETOPT_REQ_STRING }, \
|
---|
118 | { "/n", (a_uBase) + OPT_OFF_CERT_SUBJECT, RTGETOPT_REQ_STRING }, \
|
---|
119 | { "/s", (a_uBase) + OPT_OFF_CERT_STORE, RTGETOPT_REQ_STRING }, \
|
---|
120 | { "/sm", (a_uBase) + OPT_OFF_CERT_STORE_MACHINE, RTGETOPT_REQ_NOTHING }, \
|
---|
121 | { "/p", (a_uBase) + OPT_OFF_KEY_PASSWORD, RTGETOPT_REQ_STRING }, \
|
---|
122 | { "/kc", (a_uBase) + OPT_OFF_KEY_NAME, RTGETOPT_REQ_STRING }, \
|
---|
123 | { "/csp", (a_uBase) + OPT_OFF_KEY_PROVIDER, RTGETOPT_REQ_STRING }
|
---|
124 |
|
---|
125 | #define OPT_CERT_KEY_SYNOPSIS(a_szPrefix) \
|
---|
126 | "[" a_szPrefix "cert-file <file.pem|file.crt>] " \
|
---|
127 | "[" a_szPrefix "cert-sha1 <fingerprint>] " \
|
---|
128 | "[" a_szPrefix "cert-subject <part-name>] " \
|
---|
129 | "[" a_szPrefix "cert-store <store>] " \
|
---|
130 | "[" a_szPrefix "cert-machine-store] " \
|
---|
131 | "[" a_szPrefix "key-file <file.pem|file.p12>] " \
|
---|
132 | "[" a_szPrefix "key-password <password>] " \
|
---|
133 | "[" a_szPrefix "key-password-file <file>|stdin] " \
|
---|
134 | "[" a_szPrefix "key-name <name>] " \
|
---|
135 | "[" a_szPrefix "key-provider <csp>] "
|
---|
136 |
|
---|
137 | #define OPT_HASH_PAGES 1040
|
---|
138 | #define OPT_NO_HASH_PAGES 1041
|
---|
139 | #define OPT_ADD_CERT 1042
|
---|
140 | #define OPT_TIMESTAMP_TYPE 1043
|
---|
141 | #define OPT_TIMESTAMP_OVERRIDE 1044
|
---|
142 | #define OPT_NO_SIGNING_TIME 1045
|
---|
143 | #define OPT_FILE_TYPE 1046
|
---|
144 | #define OPT_IGNORED 1047
|
---|
145 |
|
---|
146 |
|
---|
147 | /*********************************************************************************************************************************
|
---|
148 | * Structures and Typedefs *
|
---|
149 | *********************************************************************************************************************************/
|
---|
150 | /** Help detail levels. */
|
---|
151 | typedef enum RTSIGNTOOLHELP
|
---|
152 | {
|
---|
153 | RTSIGNTOOLHELP_USAGE,
|
---|
154 | RTSIGNTOOLHELP_FULL
|
---|
155 | } RTSIGNTOOLHELP;
|
---|
156 |
|
---|
157 |
|
---|
158 | /** Filetypes. */
|
---|
159 | typedef enum RTSIGNTOOLFILETYPE
|
---|
160 | {
|
---|
161 | RTSIGNTOOLFILETYPE_INVALID = 0,
|
---|
162 | RTSIGNTOOLFILETYPE_DETECT,
|
---|
163 | RTSIGNTOOLFILETYPE_EXE,
|
---|
164 | RTSIGNTOOLFILETYPE_CAT,
|
---|
165 | RTSIGNTOOLFILETYPE_UNKNOWN,
|
---|
166 | RTSIGNTOOLFILETYPE_END
|
---|
167 | } RTSIGNTOOLFILETYPE;
|
---|
168 |
|
---|
169 |
|
---|
170 | /**
|
---|
171 | * PKCS\#7 signature data.
|
---|
172 | */
|
---|
173 | typedef struct SIGNTOOLPKCS7
|
---|
174 | {
|
---|
175 | /** The file type. */
|
---|
176 | RTSIGNTOOLFILETYPE enmType;
|
---|
177 | /** The raw signature. */
|
---|
178 | uint8_t *pbBuf;
|
---|
179 | /** Size of the raw signature. */
|
---|
180 | size_t cbBuf;
|
---|
181 | /** The filename. */
|
---|
182 | const char *pszFilename;
|
---|
183 | /** The outer content info wrapper. */
|
---|
184 | RTCRPKCS7CONTENTINFO ContentInfo;
|
---|
185 | /** Pointer to the decoded SignedData inside the ContentInfo member. */
|
---|
186 | PRTCRPKCS7SIGNEDDATA pSignedData;
|
---|
187 |
|
---|
188 | /** Newly encoded raw signature.
|
---|
189 | * @sa SignToolPkcs7_Encode() */
|
---|
190 | uint8_t *pbNewBuf;
|
---|
191 | /** Size of newly encoded raw signature. */
|
---|
192 | size_t cbNewBuf;
|
---|
193 |
|
---|
194 | } SIGNTOOLPKCS7;
|
---|
195 | typedef SIGNTOOLPKCS7 *PSIGNTOOLPKCS7;
|
---|
196 |
|
---|
197 |
|
---|
198 | /**
|
---|
199 | * PKCS\#7 signature data for executable.
|
---|
200 | */
|
---|
201 | typedef struct SIGNTOOLPKCS7EXE : public SIGNTOOLPKCS7
|
---|
202 | {
|
---|
203 | /** The module handle. */
|
---|
204 | RTLDRMOD hLdrMod;
|
---|
205 | } SIGNTOOLPKCS7EXE;
|
---|
206 | typedef SIGNTOOLPKCS7EXE *PSIGNTOOLPKCS7EXE;
|
---|
207 |
|
---|
208 |
|
---|
209 | /**
|
---|
210 | * Data for the show exe (signature) command.
|
---|
211 | */
|
---|
212 | typedef struct SHOWEXEPKCS7 : public SIGNTOOLPKCS7EXE
|
---|
213 | {
|
---|
214 | /** The verbosity. */
|
---|
215 | unsigned cVerbosity;
|
---|
216 | /** The prefix buffer. */
|
---|
217 | char szPrefix[256];
|
---|
218 | /** Temporary buffer. */
|
---|
219 | char szTmp[4096];
|
---|
220 | } SHOWEXEPKCS7;
|
---|
221 | typedef SHOWEXEPKCS7 *PSHOWEXEPKCS7;
|
---|
222 |
|
---|
223 |
|
---|
224 | /*********************************************************************************************************************************
|
---|
225 | * Internal Functions *
|
---|
226 | *********************************************************************************************************************************/
|
---|
227 | static RTEXITCODE HandleHelp(int cArgs, char **papszArgs);
|
---|
228 | static RTEXITCODE HelpHelp(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel);
|
---|
229 | static RTEXITCODE HandleVersion(int cArgs, char **papszArgs);
|
---|
230 | static int HandleShowExeWorkerPkcs7DisplaySignerInfo(PSHOWEXEPKCS7 pThis, size_t offPrefix, PCRTCRPKCS7SIGNERINFO pSignerInfo);
|
---|
231 | static int HandleShowExeWorkerPkcs7Display(PSHOWEXEPKCS7 pThis, PRTCRPKCS7SIGNEDDATA pSignedData, size_t offPrefix,
|
---|
232 | PCRTCRPKCS7CONTENTINFO pContentInfo);
|
---|
233 |
|
---|
234 |
|
---|
235 | /*********************************************************************************************************************************
|
---|
236 | * Certificate and Private Key Handling (options, ++). *
|
---|
237 | *********************************************************************************************************************************/
|
---|
238 | #ifdef RT_OS_WINDOWS
|
---|
239 |
|
---|
240 | /** @todo create a better fake certificate. */
|
---|
241 | const unsigned char g_abFakeCertificate[] =
|
---|
242 | {
|
---|
243 | 0x30, 0x82, 0x03, 0xb2, 0x30, 0x82, 0x02, 0x9a, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x31, /* 0x00000000: 0...0..........1 */
|
---|
244 | 0xba, 0xd6, 0xbc, 0x5d, 0x9a, 0xe0, 0xb0, 0x4e, 0xd4, 0xfa, 0xcc, 0xfb, 0x47, 0x00, 0x5c, 0x30, /* 0x00000010: ...]...N....G.\0 */
|
---|
245 | 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x71, /* 0x00000020: ...*.H........0q */
|
---|
246 | 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x54, 0x69, 0x6d, 0x65, 0x73, /* 0x00000030: 1.0...U....Times */
|
---|
247 | 0x74, 0x61, 0x6d, 0x70, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x32, 0x31, 0x0c, /* 0x00000040: tamp Signing 21. */
|
---|
248 | 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x03, 0x44, 0x65, 0x76, 0x31, 0x15, 0x30, 0x13, /* 0x00000050: 0...U....Dev1.0. */
|
---|
249 | 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x6f, 0x6d, 0x70, /* 0x00000060: ..U....Test Comp */
|
---|
250 | 0x61, 0x6e, 0x79, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x09, 0x53, 0x74, /* 0x00000070: any1.0...U....St */
|
---|
251 | 0x75, 0x74, 0x74, 0x67, 0x61, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, /* 0x00000080: uttgart1.0...U.. */
|
---|
252 | 0x0c, 0x02, 0x42, 0x42, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x44, /* 0x00000090: ..BB1.0...U....D */
|
---|
253 | 0x45, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x30, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x31, 0x30, /* 0x000000a0: E0...00010100010 */
|
---|
254 | 0x31, 0x5a, 0x17, 0x0d, 0x33, 0x36, 0x31, 0x32, 0x33, 0x31, 0x32, 0x32, 0x35, 0x39, 0x35, 0x39, /* 0x000000b0: 1Z..361231225959 */
|
---|
255 | 0x5a, 0x30, 0x71, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x54, 0x69, /* 0x000000c0: Z0q1.0...U....Ti */
|
---|
256 | 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, /* 0x000000d0: mestamp Signing */
|
---|
257 | 0x32, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x03, 0x44, 0x65, 0x76, 0x31, /* 0x000000e0: 21.0...U....Dev1 */
|
---|
258 | 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, /* 0x000000f0: .0...U....Test C */
|
---|
259 | 0x6f, 0x6d, 0x70, 0x61, 0x6e, 0x79, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, /* 0x00000100: ompany1.0...U... */
|
---|
260 | 0x09, 0x53, 0x74, 0x75, 0x74, 0x74, 0x67, 0x61, 0x72, 0x74, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, /* 0x00000110: .Stuttgart1.0... */
|
---|
261 | 0x55, 0x04, 0x08, 0x0c, 0x02, 0x42, 0x42, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, /* 0x00000120: U....BB1.0...U.. */
|
---|
262 | 0x13, 0x02, 0x44, 0x45, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, /* 0x00000130: ..DE0.."0...*.H. */
|
---|
263 | 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, /* 0x00000140: ............0... */
|
---|
264 | 0x02, 0x82, 0x01, 0x01, 0x00, 0xdb, 0x18, 0x63, 0x33, 0xf2, 0x08, 0x90, 0x5a, 0xab, 0xda, 0x88, /* 0x00000150: .......c3...Z... */
|
---|
265 | 0x73, 0x86, 0x49, 0xea, 0x8b, 0xaf, 0xcf, 0x67, 0x15, 0xa5, 0x39, 0xe6, 0xa2, 0x94, 0x0c, 0x3f, /* 0x00000160: s.I....g..9....? */
|
---|
266 | 0xa1, 0x2e, 0x6c, 0xd2, 0xdf, 0x01, 0x65, 0x6d, 0xed, 0x6c, 0x4c, 0xac, 0xe7, 0x77, 0x7a, 0x45, /* 0x00000170: ..l...em.lL..wzE */
|
---|
267 | 0x05, 0x6b, 0x24, 0xf3, 0xaf, 0x45, 0x35, 0x6e, 0x64, 0x0a, 0xac, 0x1d, 0x37, 0xe1, 0x33, 0xa4, /* 0x00000180: .k$..E5nd...7.3. */
|
---|
268 | 0x92, 0xec, 0x45, 0xe8, 0x99, 0xc1, 0xde, 0x6f, 0xab, 0x7c, 0xf0, 0xdc, 0xe2, 0xc5, 0x42, 0xa3, /* 0x00000190: ..E....o.|....B. */
|
---|
269 | 0xea, 0xf5, 0x8a, 0xf9, 0x0e, 0xe7, 0xb3, 0x35, 0xa2, 0x75, 0x5e, 0x87, 0xd2, 0x2a, 0xd1, 0x27, /* 0x000001a0: .......5.u^..*.' */
|
---|
270 | 0xa6, 0x79, 0x9e, 0xfe, 0x90, 0xbf, 0x97, 0xa4, 0xa1, 0xd8, 0xf7, 0xd7, 0x05, 0x59, 0x44, 0x27, /* 0x000001b0: .y...........YD' */
|
---|
271 | 0x39, 0x6e, 0x33, 0x01, 0x2e, 0x46, 0x92, 0x47, 0xbe, 0x50, 0x91, 0x26, 0x27, 0xe5, 0x4b, 0x3a, /* 0x000001c0: 9n3..F.G.P.&'.K: */
|
---|
272 | 0x76, 0x26, 0x64, 0x92, 0x0c, 0xa0, 0x54, 0x43, 0x6f, 0x56, 0xcc, 0x7b, 0xd0, 0xe3, 0xd8, 0x39, /* 0x000001d0: v&d...TCoV.{...9 */
|
---|
273 | 0x5f, 0xb9, 0x41, 0xda, 0x1c, 0x62, 0x88, 0x0c, 0x45, 0x03, 0x63, 0xf8, 0xff, 0xe5, 0x3e, 0x87, /* 0x000001e0: _.A..b..E.c...>. */
|
---|
274 | 0x0c, 0x75, 0xc9, 0xdd, 0xa2, 0xc0, 0x1b, 0x63, 0x19, 0xeb, 0x09, 0x9d, 0xa1, 0xbb, 0x0f, 0x63, /* 0x000001f0: .u.....c.......c */
|
---|
275 | 0x67, 0x1c, 0xa3, 0xfd, 0x2f, 0xd1, 0x2a, 0xda, 0xd8, 0x93, 0x66, 0x45, 0x54, 0xef, 0x8b, 0x6d, /* 0x00000200: g.....*...fET..m */
|
---|
276 | 0x12, 0x15, 0x0f, 0xd4, 0xb5, 0x04, 0x17, 0x30, 0x5b, 0xfa, 0x12, 0x96, 0x48, 0x5b, 0x38, 0x65, /* 0x00000210: .......0[...H[8e */
|
---|
277 | 0xfd, 0x8f, 0x0c, 0xa3, 0x11, 0x46, 0x49, 0xe0, 0x62, 0xc3, 0xcc, 0x34, 0xe6, 0xfb, 0xab, 0x51, /* 0x00000220: .....FI.b..4...Q */
|
---|
278 | 0xc3, 0xd4, 0x0b, 0xdc, 0x39, 0x93, 0x87, 0x90, 0x10, 0x9f, 0xce, 0x43, 0x27, 0x31, 0xd5, 0x4e, /* 0x00000230: ....9......C'1.N */
|
---|
279 | 0x52, 0x60, 0xf1, 0x93, 0xd5, 0x06, 0xc4, 0x4e, 0x65, 0xb6, 0x35, 0x4a, 0x64, 0x15, 0xf8, 0xaf, /* 0x00000240: R`.....Ne.5Jd... */
|
---|
280 | 0x71, 0xb2, 0x42, 0x50, 0x89, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x46, 0x30, 0x44, 0x30, 0x0e, /* 0x00000250: q.BP.......F0D0. */
|
---|
281 | 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x13, /* 0x00000260: ..U...........0. */
|
---|
282 | 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, /* 0x00000270: ..U.%..0...+.... */
|
---|
283 | 0x07, 0x03, 0x08, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x52, 0x9d, /* 0x00000280: ...0...U......R. */
|
---|
284 | 0x4d, 0xcd, 0x41, 0xe1, 0xd2, 0x68, 0x22, 0xd3, 0x10, 0x33, 0x01, 0xca, 0xff, 0x00, 0x1d, 0x27, /* 0x00000290: M.A..h"..3.....' */
|
---|
285 | 0xa4, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, /* 0x000002a0: ..0...*.H....... */
|
---|
286 | 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0xc5, 0x5a, 0x51, 0x83, 0x68, 0x3f, 0x06, 0x39, 0x79, 0x13, /* 0x000002b0: .......ZQ.h?.9y. */
|
---|
287 | 0xa6, 0xf0, 0x1a, 0xf9, 0x29, 0x16, 0x2d, 0xa2, 0x07, 0xaa, 0x9b, 0xc3, 0x13, 0x88, 0x39, 0x69, /* 0x000002c0: ....).-.......9i */
|
---|
288 | 0xba, 0xf7, 0x0d, 0xfb, 0xc0, 0x6e, 0x3a, 0x0b, 0x49, 0x10, 0xd1, 0xbe, 0x36, 0x91, 0x3f, 0x9d, /* 0x000002d0: .....n:.I...6.?. */
|
---|
289 | 0xa1, 0xe8, 0xc4, 0x91, 0xf9, 0x02, 0xe1, 0xf1, 0x01, 0x15, 0x09, 0xb7, 0xa1, 0xf1, 0xec, 0x43, /* 0x000002e0: ...............C */
|
---|
290 | 0x0d, 0x73, 0xd1, 0x31, 0x02, 0x4a, 0xce, 0x21, 0xf2, 0xa7, 0x99, 0x7c, 0xee, 0x85, 0x54, 0xc0, /* 0x000002f0: .s.1.J.!...|..T. */
|
---|
291 | 0x55, 0x9b, 0x19, 0x37, 0xe8, 0xcf, 0x94, 0x41, 0x10, 0x6e, 0x67, 0xdd, 0x86, 0xaf, 0xb7, 0xfe, /* 0x00000300: U..7...A.ng..... */
|
---|
292 | 0x50, 0x05, 0xf6, 0xfb, 0x0a, 0xdf, 0x88, 0xb5, 0x59, 0x69, 0x98, 0x27, 0xf8, 0x81, 0x6a, 0x4a, /* 0x00000310: P.......Yi.'..jJ */
|
---|
293 | 0x7c, 0xf3, 0x63, 0xa9, 0x41, 0x78, 0x76, 0x12, 0xdb, 0x0e, 0x94, 0x0a, 0xdb, 0x1d, 0x3c, 0x87, /* 0x00000320: |.c.Axv.......<. */
|
---|
294 | 0x35, 0xca, 0x28, 0xeb, 0xb0, 0x62, 0x27, 0x69, 0xe2, 0xf3, 0x84, 0x48, 0xa2, 0x2d, 0xd7, 0x0e, /* 0x00000330: 5.(..b'i...H.-.. */
|
---|
295 | 0x4b, 0x6d, 0x39, 0xa7, 0x3e, 0x04, 0x94, 0x8e, 0xb6, 0x4b, 0x91, 0x01, 0x68, 0xf9, 0xd2, 0x75, /* 0x00000340: Km9.>....K..h..u */
|
---|
296 | 0x1b, 0xac, 0x42, 0x3b, 0x85, 0xfc, 0x5b, 0x48, 0x3a, 0x13, 0xe7, 0x1c, 0x17, 0xcd, 0x84, 0x89, /* 0x00000350: ..B;..[H:....... */
|
---|
297 | 0x9e, 0x5f, 0xe3, 0x77, 0xc0, 0xae, 0x34, 0xc3, 0x87, 0x76, 0x4a, 0x23, 0x30, 0xa0, 0xe1, 0x45, /* 0x00000360: ._.w..4..vJ#0..E */
|
---|
298 | 0x94, 0x2a, 0x5b, 0x6b, 0x5a, 0xf0, 0x1a, 0x7e, 0xa6, 0xc4, 0xed, 0xe4, 0xac, 0x5d, 0xdf, 0x87, /* 0x00000370: .*[kZ..~.....].. */
|
---|
299 | 0x8f, 0xc5, 0xb4, 0x8c, 0xbc, 0x70, 0xc1, 0xf7, 0xb2, 0x72, 0xbd, 0x73, 0xc9, 0x4e, 0xed, 0x8d, /* 0x00000380: .....p...r.s.N.. */
|
---|
300 | 0x29, 0x33, 0xe9, 0x14, 0xc1, 0x5e, 0xff, 0x39, 0xa8, 0xe7, 0x9a, 0x3b, 0x7a, 0x3c, 0xce, 0x5d, /* 0x00000390: )3...^.9...;z<.] */
|
---|
301 | 0x0f, 0x3c, 0x82, 0x90, 0xff, 0x81, 0x82, 0x00, 0x82, 0x5f, 0xba, 0x08, 0x79, 0xb1, 0x97, 0xc3, /* 0x000003a0: .<......._..y... */
|
---|
302 | 0x09, 0x75, 0xc0, 0x04, 0x9b, 0x67, /* 0x000003b0: .u...g */
|
---|
303 | };
|
---|
304 |
|
---|
305 | const unsigned char g_abFakeRsaKey[] =
|
---|
306 | {
|
---|
307 | 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xdb, 0x18, 0x63, 0x33, /* 0x00000000: 0.............c3 */
|
---|
308 | 0xf2, 0x08, 0x90, 0x5a, 0xab, 0xda, 0x88, 0x73, 0x86, 0x49, 0xea, 0x8b, 0xaf, 0xcf, 0x67, 0x15, /* 0x00000010: ...Z...s.I....g. */
|
---|
309 | 0xa5, 0x39, 0xe6, 0xa2, 0x94, 0x0c, 0x3f, 0xa1, 0x2e, 0x6c, 0xd2, 0xdf, 0x01, 0x65, 0x6d, 0xed, /* 0x00000020: .9....?..l...em. */
|
---|
310 | 0x6c, 0x4c, 0xac, 0xe7, 0x77, 0x7a, 0x45, 0x05, 0x6b, 0x24, 0xf3, 0xaf, 0x45, 0x35, 0x6e, 0x64, /* 0x00000030: lL..wzE.k$..E5nd */
|
---|
311 | 0x0a, 0xac, 0x1d, 0x37, 0xe1, 0x33, 0xa4, 0x92, 0xec, 0x45, 0xe8, 0x99, 0xc1, 0xde, 0x6f, 0xab, /* 0x00000040: ...7.3...E....o. */
|
---|
312 | 0x7c, 0xf0, 0xdc, 0xe2, 0xc5, 0x42, 0xa3, 0xea, 0xf5, 0x8a, 0xf9, 0x0e, 0xe7, 0xb3, 0x35, 0xa2, /* 0x00000050: |....B........5. */
|
---|
313 | 0x75, 0x5e, 0x87, 0xd2, 0x2a, 0xd1, 0x27, 0xa6, 0x79, 0x9e, 0xfe, 0x90, 0xbf, 0x97, 0xa4, 0xa1, /* 0x00000060: u^..*.'.y....... */
|
---|
314 | 0xd8, 0xf7, 0xd7, 0x05, 0x59, 0x44, 0x27, 0x39, 0x6e, 0x33, 0x01, 0x2e, 0x46, 0x92, 0x47, 0xbe, /* 0x00000070: ....YD'9n3..F.G. */
|
---|
315 | 0x50, 0x91, 0x26, 0x27, 0xe5, 0x4b, 0x3a, 0x76, 0x26, 0x64, 0x92, 0x0c, 0xa0, 0x54, 0x43, 0x6f, /* 0x00000080: P.&'.K:v&d...TCo */
|
---|
316 | 0x56, 0xcc, 0x7b, 0xd0, 0xe3, 0xd8, 0x39, 0x5f, 0xb9, 0x41, 0xda, 0x1c, 0x62, 0x88, 0x0c, 0x45, /* 0x00000090: V.{...9_.A..b..E */
|
---|
317 | 0x03, 0x63, 0xf8, 0xff, 0xe5, 0x3e, 0x87, 0x0c, 0x75, 0xc9, 0xdd, 0xa2, 0xc0, 0x1b, 0x63, 0x19, /* 0x000000a0: .c...>..u.....c. */
|
---|
318 | 0xeb, 0x09, 0x9d, 0xa1, 0xbb, 0x0f, 0x63, 0x67, 0x1c, 0xa3, 0xfd, 0x2f, 0xd1, 0x2a, 0xda, 0xd8, /* 0x000000b0: ......cg.....*.. */
|
---|
319 | 0x93, 0x66, 0x45, 0x54, 0xef, 0x8b, 0x6d, 0x12, 0x15, 0x0f, 0xd4, 0xb5, 0x04, 0x17, 0x30, 0x5b, /* 0x000000c0: .fET..m.......0[ */
|
---|
320 | 0xfa, 0x12, 0x96, 0x48, 0x5b, 0x38, 0x65, 0xfd, 0x8f, 0x0c, 0xa3, 0x11, 0x46, 0x49, 0xe0, 0x62, /* 0x000000d0: ...H[8e.....FI.b */
|
---|
321 | 0xc3, 0xcc, 0x34, 0xe6, 0xfb, 0xab, 0x51, 0xc3, 0xd4, 0x0b, 0xdc, 0x39, 0x93, 0x87, 0x90, 0x10, /* 0x000000e0: ..4...Q....9.... */
|
---|
322 | 0x9f, 0xce, 0x43, 0x27, 0x31, 0xd5, 0x4e, 0x52, 0x60, 0xf1, 0x93, 0xd5, 0x06, 0xc4, 0x4e, 0x65, /* 0x000000f0: ..C'1.NR`.....Ne */
|
---|
323 | 0xb6, 0x35, 0x4a, 0x64, 0x15, 0xf8, 0xaf, 0x71, 0xb2, 0x42, 0x50, 0x89, 0x02, 0x03, 0x01, 0x00, /* 0x00000100: .5Jd...q.BP..... */
|
---|
324 | 0x01, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd0, 0x5e, 0x09, 0x3a, 0xc5, 0xdc, 0xcf, 0x2c, 0xec, 0x74, /* 0x00000110: .......^.:...,.t */
|
---|
325 | 0x11, 0x81, 0x8d, 0x1d, 0x8f, 0x2a, 0xfa, 0x31, 0x4d, 0xe0, 0x90, 0x1a, 0xd8, 0xf5, 0x95, 0xc7, /* 0x00000120: .....*.1M....... */
|
---|
326 | 0x70, 0x5c, 0x62, 0x42, 0xac, 0xe9, 0xd9, 0xf2, 0x14, 0xf1, 0xd0, 0x25, 0xbb, 0xeb, 0x06, 0xfe, /* 0x00000130: p\bB.......%.... */
|
---|
327 | 0x09, 0xd6, 0x75, 0x67, 0xd7, 0x39, 0xc1, 0xa0, 0x67, 0x34, 0x4d, 0xd2, 0x12, 0x97, 0xaa, 0x5d, /* 0x00000140: ..ug.9..g4M....] */
|
---|
328 | 0xeb, 0x0e, 0xb0, 0x16, 0x6c, 0x78, 0x8e, 0xa0, 0x75, 0xa3, 0xaa, 0x57, 0x88, 0x3b, 0x43, 0x4f, /* 0x00000150: ....lx..u..W.;CO */
|
---|
329 | 0x75, 0x85, 0x67, 0xb0, 0x9b, 0xdd, 0x49, 0x0e, 0x6e, 0xdb, 0xea, 0xb3, 0xd4, 0x88, 0x54, 0xa0, /* 0x00000160: u.g...I.n.....T. */
|
---|
330 | 0x46, 0x0d, 0x55, 0x6d, 0x98, 0xbd, 0x20, 0xf9, 0x9f, 0x61, 0x2d, 0x6f, 0xc7, 0xd7, 0x16, 0x66, /* 0x00000170: F.Um.. ..a-o...f */
|
---|
331 | 0x72, 0xc7, 0x73, 0xbe, 0x9e, 0x48, 0xdc, 0x65, 0x12, 0x46, 0x35, 0x69, 0x55, 0xd8, 0x6b, 0x81, /* 0x00000180: r.s..H.e.F5iU.k. */
|
---|
332 | 0x78, 0x40, 0x15, 0x93, 0x60, 0x31, 0x4e, 0x87, 0x15, 0x2a, 0x74, 0x74, 0x7b, 0xa0, 0x1f, 0x59, /* 0x00000190: x@..`1N..*tt{..Y */
|
---|
333 | 0x8d, 0xc8, 0x3f, 0xdd, 0xf0, 0x13, 0x88, 0x2a, 0x4a, 0xf2, 0xf5, 0xf1, 0x9e, 0xf3, 0x2d, 0x9c, /* 0x000001a0: ..?....*J.....-. */
|
---|
334 | 0x8e, 0xbc, 0xb1, 0x21, 0x45, 0xc7, 0x44, 0x0c, 0x6a, 0xfe, 0x4c, 0x20, 0xdc, 0x73, 0xda, 0x62, /* 0x000001b0: ...!E.D.j.L .s.b */
|
---|
335 | 0x21, 0xcb, 0xdf, 0x06, 0xfc, 0x90, 0xc2, 0xbd, 0xd6, 0xde, 0xfb, 0xf6, 0x08, 0x69, 0x5d, 0xea, /* 0x000001c0: !............i]. */
|
---|
336 | 0xb3, 0x7f, 0x93, 0x61, 0xf2, 0xc1, 0xd0, 0x61, 0x4f, 0xd5, 0x5b, 0x63, 0xba, 0xb0, 0x3b, 0x07, /* 0x000001d0: ...a...aO.[c..;. */
|
---|
337 | 0x7a, 0x55, 0xcd, 0xa1, 0xae, 0x8a, 0x92, 0x21, 0xcc, 0x2f, 0x5b, 0xf8, 0x40, 0x6a, 0xcd, 0xd5, /* 0x000001e0: zU.....!..[.@j.. */
|
---|
338 | 0x5f, 0x15, 0xf4, 0xb6, 0xbd, 0xe5, 0x91, 0xb9, 0xa8, 0xcc, 0x2a, 0xa8, 0xa6, 0x67, 0x57, 0x2b, /* 0x000001f0: _.........*..gW+ */
|
---|
339 | 0x4b, 0xe9, 0x88, 0xe0, 0xbb, 0x58, 0xac, 0x69, 0x5f, 0x3c, 0x76, 0x28, 0xa6, 0x9d, 0xbc, 0x71, /* 0x00000200: K....X.i_<v(...q */
|
---|
340 | 0x7f, 0xcb, 0x0c, 0xc0, 0xbd, 0x61, 0x02, 0x81, 0x81, 0x00, 0xfc, 0x62, 0x79, 0x5b, 0xac, 0xf6, /* 0x00000210: .....a.....by[.. */
|
---|
341 | 0x9b, 0x8c, 0xaa, 0x76, 0x2a, 0x30, 0x0e, 0xcf, 0x6b, 0x88, 0x72, 0x54, 0x8c, 0xdf, 0xf3, 0x9d, /* 0x00000220: ...v*0..k.rT.... */
|
---|
342 | 0x84, 0xbb, 0xe7, 0x9d, 0xd4, 0x04, 0x29, 0x3c, 0xb5, 0x9d, 0x60, 0x9a, 0xcc, 0x12, 0xf3, 0xfa, /* 0x00000230: ......)<..`..... */
|
---|
343 | 0x64, 0x30, 0x23, 0x47, 0xc6, 0xa4, 0x8b, 0x6c, 0x73, 0x6c, 0x6b, 0x78, 0x82, 0xec, 0x05, 0x19, /* 0x00000240: d0#G...lslkx.... */
|
---|
344 | 0xde, 0xdd, 0xde, 0x52, 0xc5, 0x20, 0xd1, 0x11, 0x58, 0x19, 0x07, 0x5a, 0x90, 0xdd, 0x22, 0x91, /* 0x00000250: ...R. ..X..Z..". */
|
---|
345 | 0x89, 0x22, 0x3f, 0x12, 0x54, 0x1a, 0xb8, 0x79, 0xd8, 0x6c, 0xbc, 0xf5, 0x0d, 0xc7, 0x73, 0x5c, /* 0x00000260: ."?.T..y.l....s\ */
|
---|
346 | 0xed, 0xba, 0x40, 0x2b, 0x72, 0x34, 0x34, 0x97, 0xfa, 0x49, 0xf6, 0x43, 0x7c, 0xbc, 0x61, 0x30, /* 0x00000270: ..@+r44..I.C|.a0 */
|
---|
347 | 0x54, 0x22, 0x21, 0x5f, 0x77, 0x68, 0x6b, 0x83, 0x95, 0xc6, 0x8d, 0xb8, 0x25, 0x3a, 0xd3, 0xb2, /* 0x00000280: T"!_whk.....%:.. */
|
---|
348 | 0xbe, 0x29, 0x94, 0x01, 0x15, 0xf0, 0x36, 0x9d, 0x3e, 0xff, 0x02, 0x81, 0x81, 0x00, 0xde, 0x3b, /* 0x00000290: .)....6.>......; */
|
---|
349 | 0xd6, 0x4b, 0x38, 0x69, 0x9b, 0x71, 0x29, 0x89, 0xd4, 0x6d, 0x8c, 0x41, 0xee, 0xe2, 0x4d, 0xfc, /* 0x000002a0: .K8i.q)..m.A..M. */
|
---|
350 | 0xf0, 0x9a, 0x73, 0xf1, 0x15, 0x94, 0xac, 0x1b, 0x68, 0x5f, 0x79, 0x15, 0x3a, 0x41, 0x55, 0x09, /* 0x000002b0: ..s.....h_y.:AU. */
|
---|
351 | 0xc7, 0x1e, 0xec, 0x27, 0x67, 0xe2, 0xdc, 0x54, 0xa8, 0x09, 0xe6, 0x46, 0x92, 0x92, 0x03, 0x8d, /* 0x000002c0: ...'g..T...F.... */
|
---|
352 | 0xe5, 0x96, 0xfb, 0x1a, 0xdd, 0x59, 0x6f, 0x92, 0xf1, 0xf6, 0x8f, 0x76, 0xb0, 0xc5, 0xe6, 0xd7, /* 0x000002d0: .....Yo....v.... */
|
---|
353 | 0x1b, 0x25, 0xaf, 0x04, 0x9f, 0xd8, 0x71, 0x27, 0x97, 0x99, 0x23, 0x09, 0x7d, 0xef, 0x06, 0x13, /* 0x000002e0: .%....q'..#.}... */
|
---|
354 | 0xab, 0xdc, 0xa2, 0xd8, 0x5f, 0xc5, 0xec, 0xf3, 0x62, 0x20, 0x72, 0x7b, 0xa8, 0xc7, 0x09, 0x24, /* 0x000002f0: ...._...b r{...$ */
|
---|
355 | 0xaf, 0x72, 0xc9, 0xea, 0xb8, 0x2d, 0xda, 0x00, 0xc8, 0xfe, 0xb4, 0x9f, 0x9f, 0xc7, 0xa9, 0xf7, /* 0x00000300: .r...-.......... */
|
---|
356 | 0x1d, 0xce, 0xb1, 0xdb, 0xc5, 0x8a, 0x4e, 0xe8, 0x88, 0x77, 0x68, 0xdd, 0xf8, 0x77, 0x02, 0x81, /* 0x00000310: ......N..wh..w.. */
|
---|
357 | 0x80, 0x5b, 0xa5, 0x8e, 0x98, 0x01, 0xa8, 0xd3, 0x37, 0x33, 0x37, 0x11, 0x7e, 0xbe, 0x02, 0x07, /* 0x00000320: .[......737.~... */
|
---|
358 | 0xf4, 0x56, 0x3f, 0xe9, 0x9f, 0xf1, 0x20, 0xc3, 0xf0, 0x4f, 0xdc, 0xf9, 0xfe, 0x40, 0xd3, 0x30, /* 0x00000330: .V?... ..O...@.0 */
|
---|
359 | 0xc7, 0xe3, 0x2a, 0x92, 0xec, 0x56, 0xf8, 0x17, 0xa5, 0x7b, 0x4a, 0x37, 0x11, 0xcd, 0x27, 0x26, /* 0x00000340: ..*..V...{J7..'& */
|
---|
360 | 0x8a, 0xba, 0x43, 0xda, 0x96, 0xc6, 0x0b, 0x6c, 0xe8, 0x78, 0x30, 0xea, 0x30, 0x4e, 0x7a, 0xd3, /* 0x00000350: ..C....l.x0.0Nz. */
|
---|
361 | 0xd8, 0xd2, 0xd8, 0xca, 0x3d, 0xe2, 0xad, 0xa2, 0x74, 0x73, 0x1e, 0xbe, 0xb7, 0xad, 0x41, 0x61, /* 0x00000360: ....=...ts....Aa */
|
---|
362 | 0x9b, 0xaa, 0xc9, 0xf9, 0xa4, 0xf1, 0x79, 0x4f, 0x42, 0x10, 0xc7, 0x36, 0x03, 0x4b, 0x0d, 0xdc, /* 0x00000370: ......yOB..6.K.. */
|
---|
363 | 0xef, 0x3a, 0xa3, 0xab, 0x09, 0xe4, 0xe8, 0xdd, 0xc4, 0x3f, 0x06, 0x21, 0xa0, 0x23, 0x5a, 0x76, /* 0x00000380: .:.......?.!.#Zv */
|
---|
364 | 0xea, 0xd0, 0xcf, 0x8b, 0x85, 0x5f, 0x16, 0x4b, 0x03, 0x62, 0x21, 0x3a, 0xcc, 0x2d, 0xa8, 0xd0, /* 0x00000390: ....._.K.b!:.-.. */
|
---|
365 | 0x15, 0x02, 0x81, 0x80, 0x51, 0xf6, 0x89, 0xbb, 0xa6, 0x6b, 0xb4, 0xcb, 0xd0, 0xc1, 0x27, 0xda, /* 0x000003a0: ....Q....k....'. */
|
---|
366 | 0xdb, 0x6e, 0xf9, 0xd6, 0xf7, 0x62, 0x81, 0xae, 0xc5, 0x72, 0x36, 0x3e, 0x66, 0x17, 0x99, 0xb0, /* 0x000003b0: .n...b...r6>f... */
|
---|
367 | 0x14, 0xad, 0x52, 0x96, 0x03, 0xf2, 0x1e, 0x41, 0x76, 0x61, 0xb6, 0x3c, 0x02, 0x7d, 0x2a, 0x98, /* 0x000003c0: ..R....Ava.<.}*. */
|
---|
368 | 0xb4, 0x18, 0x75, 0x38, 0x6b, 0x1d, 0x2b, 0x7f, 0x3a, 0xcf, 0x96, 0xb1, 0xc4, 0xa7, 0xd2, 0x9b, /* 0x000003d0: ..u8k.+.:....... */
|
---|
369 | 0xd8, 0x1f, 0xb3, 0x64, 0xda, 0x15, 0x9d, 0xca, 0x91, 0x39, 0x48, 0x67, 0x00, 0x9c, 0xd4, 0x99, /* 0x000003e0: ...d.....9Hg.... */
|
---|
370 | 0xc3, 0x45, 0x5d, 0xf0, 0x09, 0x32, 0xba, 0x21, 0x1e, 0xe2, 0x64, 0xb8, 0x50, 0x03, 0x17, 0xbe, /* 0x000003f0: .E]..2.!..d.P... */
|
---|
371 | 0xd5, 0xda, 0x6b, 0xce, 0x34, 0xbe, 0x16, 0x03, 0x65, 0x1b, 0x2f, 0xa0, 0xa1, 0x95, 0xc6, 0x8b, /* 0x00000400: ..k.4...e....... */
|
---|
372 | 0xc2, 0x3c, 0x59, 0x26, 0xbf, 0xb6, 0x07, 0x85, 0x53, 0x2d, 0xb6, 0x36, 0xa3, 0x91, 0xb9, 0xbb, /* 0x00000410: .<Y&....S-.6.... */
|
---|
373 | 0x28, 0xaf, 0x2d, 0x53, 0x02, 0x81, 0x81, 0x00, 0xd7, 0xbc, 0x70, 0xd8, 0x18, 0x4f, 0x65, 0x8c, /* 0x00000420: (.-S......p..Oe. */
|
---|
374 | 0x68, 0xca, 0x35, 0x77, 0x43, 0x50, 0x9b, 0xa1, 0xa3, 0x9a, 0x0e, 0x2d, 0x7b, 0x38, 0xf8, 0xba, /* 0x00000430: h.5wCP.....-{8.. */
|
---|
375 | 0x14, 0x91, 0x3b, 0xc3, 0x3b, 0x1b, 0xa0, 0x6d, 0x45, 0xe4, 0xa8, 0x28, 0x97, 0xf6, 0x89, 0x13, /* 0x00000440: ..;.;..mE..(.... */
|
---|
376 | 0xb6, 0x16, 0x6d, 0x65, 0x47, 0x8c, 0xa6, 0x21, 0xf8, 0x6a, 0xce, 0x4e, 0x44, 0x5e, 0x81, 0x47, /* 0x00000450: ..meG..!.j.ND^.G */
|
---|
377 | 0xd9, 0xad, 0x8a, 0xb9, 0xd9, 0xe9, 0x3e, 0x33, 0x1e, 0x5f, 0xe9, 0xe9, 0xa7, 0xea, 0x60, 0x75, /* 0x00000460: ......>3._....`u */
|
---|
378 | 0x02, 0x57, 0x71, 0xb5, 0xed, 0x47, 0x77, 0xda, 0x1a, 0x40, 0x38, 0xab, 0x82, 0xd2, 0x0d, 0xf5, /* 0x00000470: .Wq..Gw..@8..... */
|
---|
379 | 0x0e, 0x8e, 0xa9, 0x24, 0xdc, 0x30, 0xc9, 0x98, 0xa2, 0x05, 0xcd, 0xca, 0x01, 0xcf, 0xae, 0x1d, /* 0x00000480: ...$.0.......... */
|
---|
380 | 0xe9, 0x02, 0x47, 0x0e, 0x46, 0x1d, 0x52, 0x02, 0x9a, 0x99, 0x22, 0x23, 0x7f, 0xf8, 0x9e, 0xc2, /* 0x00000490: ..G.F.R..."#.... */
|
---|
381 | 0x16, 0x86, 0xca, 0xa0, 0xa7, 0x34, 0xfb, 0xbc, /* 0x000004a0: .....4.. */
|
---|
382 | };
|
---|
383 |
|
---|
384 | #endif /* RT_OS_WINDOWS */
|
---|
385 |
|
---|
386 |
|
---|
387 | /**
|
---|
388 | * Certificate w/ public key + private key pair for signing.
|
---|
389 | */
|
---|
390 | class SignToolKeyPair
|
---|
391 | {
|
---|
392 | protected:
|
---|
393 | /* Context: */
|
---|
394 | const char *m_pszWhat;
|
---|
395 | bool m_fMandatory;
|
---|
396 |
|
---|
397 | /* Parameters kept till finalizing parsing: */
|
---|
398 | const char *m_pszCertFile;
|
---|
399 | const char *m_pszCertSha1;
|
---|
400 | uint8_t m_abCertSha1[RTSHA1_HASH_SIZE];
|
---|
401 | const char *m_pszCertSubject;
|
---|
402 | const char *m_pszCertStore;
|
---|
403 | bool m_fMachineStore; /**< false = personal store */
|
---|
404 |
|
---|
405 | const char *m_pszKeyFile;
|
---|
406 | const char *m_pszKeyPassword;
|
---|
407 | const char *m_pszKeyName;
|
---|
408 | const char *m_pszKeyProvider;
|
---|
409 |
|
---|
410 | /** String buffer for m_pszKeyPassword when read from file. */
|
---|
411 | RTCString m_strPassword;
|
---|
412 | /** Storage for pCertificate when it's loaded from a file. */
|
---|
413 | RTCRX509CERTIFICATE m_DecodedCert;
|
---|
414 | #ifdef RT_OS_WINDOWS
|
---|
415 | /** For the fake certificate */
|
---|
416 | RTCRX509CERTIFICATE m_DecodedFakeCert;
|
---|
417 | /** The certificate store. */
|
---|
418 | HCERTSTORE m_hStore;
|
---|
419 | /** The windows certificate context. */
|
---|
420 | PCCERT_CONTEXT m_pCertCtx;
|
---|
421 | /** Whether hNCryptPrivateKey/hLegacyPrivateKey needs freeing or not. */
|
---|
422 | BOOL m_fFreePrivateHandle;
|
---|
423 | #endif
|
---|
424 |
|
---|
425 | /** Set if already finalized. */
|
---|
426 | bool m_fFinalized;
|
---|
427 |
|
---|
428 | /** Store containing the intermediate certificates available to the host.
|
---|
429 | * */
|
---|
430 | static RTCRSTORE s_hStoreIntermediate;
|
---|
431 | /** Instance counter for helping cleaning up m_hStoreIntermediate. */
|
---|
432 | static uint32_t s_cInstances;
|
---|
433 |
|
---|
434 | public: /* used to be a struct, thus not prefix either. */
|
---|
435 | /* Result: */
|
---|
436 | PCRTCRX509CERTIFICATE pCertificate;
|
---|
437 | RTCRKEY hPrivateKey;
|
---|
438 | #ifdef RT_OS_WINDOWS
|
---|
439 | PCRTCRX509CERTIFICATE pCertificateReal;
|
---|
440 | NCRYPT_KEY_HANDLE hNCryptPrivateKey;
|
---|
441 | HCRYPTPROV hLegacyPrivateKey;
|
---|
442 | #endif
|
---|
443 |
|
---|
444 | public:
|
---|
445 | SignToolKeyPair(const char *a_pszWhat, bool a_fMandatory = false)
|
---|
446 | : m_pszWhat(a_pszWhat)
|
---|
447 | , m_fMandatory(a_fMandatory)
|
---|
448 | , m_pszCertFile(NULL)
|
---|
449 | , m_pszCertSha1(NULL)
|
---|
450 | , m_pszCertSubject(NULL)
|
---|
451 | , m_pszCertStore("MY")
|
---|
452 | , m_fMachineStore(false)
|
---|
453 | , m_pszKeyFile(NULL)
|
---|
454 | , m_pszKeyPassword(NULL)
|
---|
455 | , m_pszKeyName(NULL)
|
---|
456 | , m_pszKeyProvider(NULL)
|
---|
457 | #ifdef RT_OS_WINDOWS
|
---|
458 | , m_hStore(NULL)
|
---|
459 | , m_pCertCtx(NULL)
|
---|
460 | , m_fFreePrivateHandle(FALSE)
|
---|
461 | #endif
|
---|
462 | , m_fFinalized(false)
|
---|
463 | , pCertificate(NULL)
|
---|
464 | , hPrivateKey(NIL_RTCRKEY)
|
---|
465 | #ifdef RT_OS_WINDOWS
|
---|
466 | , pCertificateReal(NULL)
|
---|
467 | , hNCryptPrivateKey(0)
|
---|
468 | , hLegacyPrivateKey(0)
|
---|
469 | #endif
|
---|
470 | {
|
---|
471 | RT_ZERO(m_DecodedCert);
|
---|
472 | #ifdef RT_OS_WINDOWS
|
---|
473 | RT_ZERO(m_DecodedFakeCert);
|
---|
474 | #endif
|
---|
475 | s_cInstances++;
|
---|
476 | }
|
---|
477 |
|
---|
478 | ~SignToolKeyPair()
|
---|
479 | {
|
---|
480 | if (hPrivateKey != NIL_RTCRKEY)
|
---|
481 | {
|
---|
482 | RTCrKeyRelease(hPrivateKey);
|
---|
483 | hPrivateKey = NIL_RTCRKEY;
|
---|
484 | }
|
---|
485 | if (pCertificate == &m_DecodedCert)
|
---|
486 | {
|
---|
487 | RTCrX509Certificate_Delete(&m_DecodedCert);
|
---|
488 | pCertificate = NULL;
|
---|
489 | }
|
---|
490 | #ifdef RT_OS_WINDOWS
|
---|
491 | if (pCertificate == &m_DecodedFakeCert)
|
---|
492 | {
|
---|
493 | RTCrX509Certificate_Delete(&m_DecodedFakeCert);
|
---|
494 | RTCrX509Certificate_Delete(&m_DecodedCert);
|
---|
495 | pCertificate = NULL;
|
---|
496 | pCertificateReal = NULL;
|
---|
497 | }
|
---|
498 | #endif
|
---|
499 | #ifdef RT_OS_WINDOWS
|
---|
500 | if (m_pCertCtx != NULL)
|
---|
501 | {
|
---|
502 | CertFreeCertificateContext(m_pCertCtx);
|
---|
503 | m_pCertCtx = NULL;
|
---|
504 | }
|
---|
505 | if (m_hStore != NULL)
|
---|
506 | {
|
---|
507 | CertCloseStore(m_hStore, 0);
|
---|
508 | m_hStore = NULL;
|
---|
509 | }
|
---|
510 | #endif
|
---|
511 | s_cInstances--;
|
---|
512 | if (s_cInstances == 0)
|
---|
513 | {
|
---|
514 | RTCrStoreRelease(s_hStoreIntermediate);
|
---|
515 | s_hStoreIntermediate = NIL_RTCRSTORE;
|
---|
516 | }
|
---|
517 | }
|
---|
518 |
|
---|
519 | bool isComplete(void) const
|
---|
520 | {
|
---|
521 | return pCertificate && hPrivateKey != NIL_RTCRKEY;
|
---|
522 | }
|
---|
523 |
|
---|
524 | bool isNull(void) const
|
---|
525 | {
|
---|
526 | return pCertificate == NULL && hPrivateKey == NIL_RTCRKEY;
|
---|
527 | }
|
---|
528 |
|
---|
529 | RTEXITCODE handleOption(unsigned offOpt, PRTGETOPTUNION pValueUnion)
|
---|
530 | {
|
---|
531 | AssertReturn(!m_fFinalized, RTMsgErrorExitFailure("Cannot handle options after finalizeOptions was called!"));
|
---|
532 | switch (offOpt)
|
---|
533 | {
|
---|
534 | case OPT_OFF_CERT_FILE:
|
---|
535 | m_pszCertFile = pValueUnion->psz;
|
---|
536 | m_pszCertSha1 = NULL;
|
---|
537 | m_pszCertSubject = NULL;
|
---|
538 | break;
|
---|
539 | case OPT_OFF_CERT_SHA1:
|
---|
540 | {
|
---|
541 | /* Crude normalization of input separators to colons, since it's likely
|
---|
542 | to use spaces and our conversion function only does colons or nothing. */
|
---|
543 | char szDigest[RTSHA1_DIGEST_LEN * 3 + 1];
|
---|
544 | int rc = RTStrCopy(szDigest, sizeof(szDigest), pValueUnion->psz);
|
---|
545 | if (RT_SUCCESS(rc))
|
---|
546 | {
|
---|
547 | char *pszDigest = RTStrStrip(szDigest);
|
---|
548 | size_t offDst = 0;
|
---|
549 | size_t offSrc = 0;
|
---|
550 | char ch;
|
---|
551 | while ((ch = pszDigest[offSrc++]) != '\0')
|
---|
552 | {
|
---|
553 | if (ch == ' ' || ch == '\t' || ch == ':')
|
---|
554 | {
|
---|
555 | while ((ch = pszDigest[offSrc]) == ' ' || ch == '\t' || ch == ':')
|
---|
556 | offSrc++;
|
---|
557 | ch = ch ? ':' : '\0';
|
---|
558 | }
|
---|
559 | pszDigest[offDst++] = ch;
|
---|
560 | }
|
---|
561 | pszDigest[offDst] = '\0';
|
---|
562 |
|
---|
563 | /** @todo add a more relaxed input mode to RTStrConvertHexBytes that can deal
|
---|
564 | * with spaces as well as multi-byte cluster of inputs. */
|
---|
565 | rc = RTStrConvertHexBytes(pszDigest, m_abCertSha1, RTSHA1_HASH_SIZE, RTSTRCONVERTHEXBYTES_F_SEP_COLON);
|
---|
566 | if (RT_SUCCESS(rc))
|
---|
567 | {
|
---|
568 | m_pszCertFile = NULL;
|
---|
569 | m_pszCertSha1 = pValueUnion->psz;
|
---|
570 | m_pszCertSubject = NULL;
|
---|
571 | break;
|
---|
572 | }
|
---|
573 | }
|
---|
574 | return RTMsgErrorExitFailure("malformed SHA-1 certificate fingerprint (%Rrc): %s", rc, pValueUnion->psz);
|
---|
575 | }
|
---|
576 | case OPT_OFF_CERT_SUBJECT:
|
---|
577 | m_pszCertFile = NULL;
|
---|
578 | m_pszCertSha1 = NULL;
|
---|
579 | m_pszCertSubject = pValueUnion->psz;
|
---|
580 | break;
|
---|
581 | case OPT_OFF_CERT_STORE:
|
---|
582 | m_pszCertStore = pValueUnion->psz;
|
---|
583 | break;
|
---|
584 | case OPT_OFF_CERT_STORE_MACHINE:
|
---|
585 | m_fMachineStore = true;
|
---|
586 | break;
|
---|
587 |
|
---|
588 | case OPT_OFF_KEY_FILE:
|
---|
589 | m_pszKeyFile = pValueUnion->psz;
|
---|
590 | m_pszKeyName = NULL;
|
---|
591 | break;
|
---|
592 | case OPT_OFF_KEY_NAME:
|
---|
593 | m_pszKeyFile = NULL;
|
---|
594 | m_pszKeyName = pValueUnion->psz;
|
---|
595 | break;
|
---|
596 | case OPT_OFF_KEY_PROVIDER:
|
---|
597 | m_pszKeyProvider = pValueUnion->psz;
|
---|
598 | break;
|
---|
599 | case OPT_OFF_KEY_PASSWORD:
|
---|
600 | m_pszKeyPassword = pValueUnion->psz;
|
---|
601 | break;
|
---|
602 | case OPT_OFF_KEY_PASSWORD_FILE:
|
---|
603 | {
|
---|
604 | m_pszKeyPassword = NULL;
|
---|
605 |
|
---|
606 | size_t const cchMax = 512;
|
---|
607 | int rc = m_strPassword.reserveNoThrow(cchMax + 1);
|
---|
608 | if (RT_FAILURE(rc))
|
---|
609 | return RTMsgErrorExitFailure("out of memory");
|
---|
610 |
|
---|
611 | PRTSTREAM pStrm = g_pStdIn;
|
---|
612 | bool const fClose = strcmp(pValueUnion->psz, "stdin") != 0;
|
---|
613 | if (fClose)
|
---|
614 | {
|
---|
615 | rc = RTStrmOpen(pValueUnion->psz, "r", &pStrm);
|
---|
616 | if (RT_FAILURE(rc))
|
---|
617 | return RTMsgErrorExitFailure("Failed to open password file '%s' for reading: %Rrc", pValueUnion->psz, rc);
|
---|
618 | }
|
---|
619 | rc = RTStrmGetLine(pStrm, m_strPassword.mutableRaw(), cchMax);
|
---|
620 | if (fClose)
|
---|
621 | RTStrmClose(pStrm);
|
---|
622 | if (rc == VERR_BUFFER_OVERFLOW || rc == VINF_BUFFER_OVERFLOW)
|
---|
623 | return RTMsgErrorExitFailure("Password from '%s' is too long (max %zu)", pValueUnion->psz, cchMax);
|
---|
624 | if (RT_FAILURE(rc))
|
---|
625 | return RTMsgErrorExitFailure("Error reading password from '%s': %Rrc", pValueUnion->psz, rc);
|
---|
626 |
|
---|
627 | m_strPassword.jolt();
|
---|
628 | m_strPassword.stripRight();
|
---|
629 | m_pszKeyPassword = m_strPassword.c_str();
|
---|
630 | break;
|
---|
631 | }
|
---|
632 | default:
|
---|
633 | AssertFailedReturn(RTMsgErrorExitFailure("Invalid offOpt=%u!\n", offOpt));
|
---|
634 | }
|
---|
635 | return RTEXITCODE_SUCCESS;
|
---|
636 | }
|
---|
637 |
|
---|
638 | RTEXITCODE finalizeOptions(unsigned cVerbosity)
|
---|
639 | {
|
---|
640 | RT_NOREF(cVerbosity);
|
---|
641 |
|
---|
642 | /* Only do this once. */
|
---|
643 | if (m_fFinalized)
|
---|
644 | return RTEXITCODE_SUCCESS;
|
---|
645 | m_fFinalized = true;
|
---|
646 |
|
---|
647 | /*
|
---|
648 | * Got a cert? Is it required?
|
---|
649 | */
|
---|
650 | bool const fHasKey = ( m_pszKeyFile != NULL
|
---|
651 | || m_pszKeyName != NULL);
|
---|
652 | bool const fHasCert = ( m_pszCertFile != NULL
|
---|
653 | || m_pszCertSha1 != NULL
|
---|
654 | || m_pszCertSubject != NULL);
|
---|
655 | if (!fHasCert)
|
---|
656 | {
|
---|
657 | if (m_fMandatory)
|
---|
658 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Specifying a %s certificiate is required.", m_pszWhat);
|
---|
659 | return RTEXITCODE_SUCCESS;
|
---|
660 | }
|
---|
661 |
|
---|
662 | /*
|
---|
663 | * Get the certificate.
|
---|
664 | */
|
---|
665 | RTERRINFOSTATIC ErrInfo;
|
---|
666 | /* From file: */
|
---|
667 | if (m_pszCertFile)
|
---|
668 | {
|
---|
669 | int rc = RTCrX509Certificate_ReadFromFile(&m_DecodedCert, m_pszCertFile, 0, &g_RTAsn1DefaultAllocator,
|
---|
670 | RTErrInfoInitStatic(&ErrInfo));
|
---|
671 | if (RT_FAILURE(rc))
|
---|
672 | return RTMsgErrorExitFailure("Error reading %s certificate from '%s': %Rrc%#RTeim",
|
---|
673 | m_pszWhat, m_pszCertFile, rc, &ErrInfo.Core);
|
---|
674 | pCertificate = &m_DecodedCert;
|
---|
675 | }
|
---|
676 | /* From certificate store by name (substring) or fingerprint: */
|
---|
677 | else
|
---|
678 | {
|
---|
679 | #ifdef RT_OS_WINDOWS
|
---|
680 | m_hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, X509_ASN_ENCODING, NULL,
|
---|
681 | CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG | CERT_STORE_READONLY_FLAG
|
---|
682 | | CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_ENUM_ARCHIVED_FLAG
|
---|
683 | | (m_fMachineStore ? CERT_SYSTEM_STORE_LOCAL_MACHINE : CERT_SYSTEM_STORE_CURRENT_USER),
|
---|
684 | m_pszCertStore);
|
---|
685 | if (m_hStore == NULL)
|
---|
686 | return RTMsgErrorExitFailure("Failed to open %s store '%s': %Rwc (%u)", m_fMachineStore ? "machine" : "user",
|
---|
687 | m_pszCertStore, GetLastError(), GetLastError());
|
---|
688 |
|
---|
689 | CRYPT_HASH_BLOB Thumbprint = { RTSHA1_HASH_SIZE, m_abCertSha1 };
|
---|
690 | PRTUTF16 pwszSubject = NULL;
|
---|
691 | void const *pvFindParam = &Thumbprint;
|
---|
692 | DWORD fFind = CERT_FIND_SHA1_HASH;
|
---|
693 | if (!m_pszCertSha1)
|
---|
694 | {
|
---|
695 | int rc = RTStrToUtf16(m_pszCertSubject, &pwszSubject);
|
---|
696 | if (RT_FAILURE(rc))
|
---|
697 | return RTMsgErrorExitFailure("RTStrToUtf16 failed: %Rrc, input %.*Rhxs",
|
---|
698 | rc, strlen(m_pszCertSubject), m_pszCertSubject);
|
---|
699 | pvFindParam = pwszSubject;
|
---|
700 | fFind = CERT_FIND_SUBJECT_STR;
|
---|
701 | }
|
---|
702 |
|
---|
703 | while ((m_pCertCtx = CertFindCertificateInStore(m_hStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0 /*fFlags*/,
|
---|
704 | fFind, pvFindParam, m_pCertCtx)) != NULL)
|
---|
705 | {
|
---|
706 | if (m_pCertCtx->dwCertEncodingType & X509_ASN_ENCODING)
|
---|
707 | {
|
---|
708 | RTASN1CURSORPRIMARY PrimaryCursor;
|
---|
709 | RTAsn1CursorInitPrimary(&PrimaryCursor, m_pCertCtx->pbCertEncoded, m_pCertCtx->cbCertEncoded,
|
---|
710 | RTErrInfoInitStatic(&ErrInfo),
|
---|
711 | &g_RTAsn1DefaultAllocator, RTASN1CURSOR_FLAGS_DER, "CurCtx");
|
---|
712 | int rc = RTCrX509Certificate_DecodeAsn1(&PrimaryCursor.Cursor, 0, &m_DecodedCert, "Cert");
|
---|
713 | if (RT_SUCCESS(rc))
|
---|
714 | {
|
---|
715 | pCertificate = &m_DecodedCert;
|
---|
716 | break;
|
---|
717 | }
|
---|
718 | RTMsgError("failed to decode certificate %p: %Rrc%#RTeim", m_pCertCtx, rc, &ErrInfo.Core);
|
---|
719 | }
|
---|
720 | }
|
---|
721 |
|
---|
722 | RTUtf16Free(pwszSubject);
|
---|
723 | if (!m_pCertCtx)
|
---|
724 | return RTMsgErrorExitFailure("No certificate found matching %s '%s' (%Rwc / %u)",
|
---|
725 | m_pszCertSha1 ? "thumbprint" : "subject substring",
|
---|
726 | m_pszCertSha1 ? m_pszCertSha1 : m_pszCertSubject, GetLastError(), GetLastError());
|
---|
727 |
|
---|
728 | /* Use this for private key too? */
|
---|
729 | if (!fHasKey)
|
---|
730 | {
|
---|
731 | HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hTmpPrivateKey = 0;
|
---|
732 | DWORD dwKeySpec = 0;
|
---|
733 | if (CryptAcquireCertificatePrivateKey(m_pCertCtx,
|
---|
734 | CRYPT_ACQUIRE_SILENT_FLAG | CRYPT_ACQUIRE_COMPARE_KEY_FLAG
|
---|
735 | | CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG
|
---|
736 | | CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG,
|
---|
737 | NULL, &hTmpPrivateKey, &dwKeySpec, &m_fFreePrivateHandle))
|
---|
738 | {
|
---|
739 | if (cVerbosity > 1)
|
---|
740 | RTMsgInfo("hTmpPrivateKey=%p m_fFreePrivateHandle=%d dwKeySpec=%#x",
|
---|
741 | hTmpPrivateKey, m_fFreePrivateHandle, dwKeySpec);
|
---|
742 | Assert(dwKeySpec == CERT_NCRYPT_KEY_SPEC);
|
---|
743 | if (dwKeySpec == CERT_NCRYPT_KEY_SPEC)
|
---|
744 | hNCryptPrivateKey = hTmpPrivateKey;
|
---|
745 | else
|
---|
746 | hLegacyPrivateKey = hTmpPrivateKey; /** @todo remove or drop CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG */
|
---|
747 | return loadFakePrivateKeyAndCert();
|
---|
748 | }
|
---|
749 | return RTMsgErrorExitFailure("CryptAcquireCertificatePrivateKey failed: %Rwc (%d)", GetLastError(), GetLastError());
|
---|
750 | }
|
---|
751 | #else
|
---|
752 | return RTMsgErrorExitFailure("Certificate store support is missing on this host");
|
---|
753 | #endif
|
---|
754 | }
|
---|
755 |
|
---|
756 | /*
|
---|
757 | * Get hold of the private key (if someone above already did, they'd returned already).
|
---|
758 | */
|
---|
759 | Assert(hPrivateKey == NIL_RTCRKEY);
|
---|
760 | /* Use cert file if nothing else specified. */
|
---|
761 | if (!fHasKey && m_pszCertFile)
|
---|
762 | m_pszKeyFile = m_pszCertFile;
|
---|
763 |
|
---|
764 | /* Load from file:*/
|
---|
765 | if (m_pszKeyFile)
|
---|
766 | {
|
---|
767 | int rc = RTCrKeyCreateFromFile(&hPrivateKey, 0 /*fFlags*/, m_pszKeyFile, m_pszKeyPassword,
|
---|
768 | RTErrInfoInitStatic(&ErrInfo));
|
---|
769 | if (RT_FAILURE(rc))
|
---|
770 | return RTMsgErrorExitFailure("Error reading the %s private key from '%s': %Rrc%#RTeim",
|
---|
771 | m_pszWhat, m_pszKeyFile, rc, &ErrInfo.Core);
|
---|
772 | }
|
---|
773 | /* From key store: */
|
---|
774 | else
|
---|
775 | {
|
---|
776 | return RTMsgErrorExitFailure("Key store support is missing on this host");
|
---|
777 | }
|
---|
778 |
|
---|
779 | return RTEXITCODE_SUCCESS;
|
---|
780 | }
|
---|
781 |
|
---|
782 | /** Returns the real certificate. */
|
---|
783 | PCRTCRX509CERTIFICATE getRealCertificate() const
|
---|
784 | {
|
---|
785 | #ifdef RT_OS_WINDOWS
|
---|
786 | if (pCertificateReal)
|
---|
787 | return pCertificateReal;
|
---|
788 | #endif
|
---|
789 | return pCertificate;
|
---|
790 | }
|
---|
791 |
|
---|
792 | #ifdef RT_OS_WINDOWS
|
---|
793 | RTEXITCODE loadFakePrivateKeyAndCert()
|
---|
794 | {
|
---|
795 | int rc = RTCrX509Certificate_ReadFromBuffer(&m_DecodedFakeCert, g_abFakeCertificate, sizeof(g_abFakeCertificate),
|
---|
796 | 0 /*fFlags*/, &g_RTAsn1DefaultAllocator, NULL, NULL);
|
---|
797 | if (RT_FAILURE(rc))
|
---|
798 | return RTMsgErrorExitFailure("RTCrX509Certificate_ReadFromBuffer/g_abFakeCertificate failed: %Rrc", rc);
|
---|
799 | pCertificateReal = pCertificate;
|
---|
800 | pCertificate = &m_DecodedFakeCert;
|
---|
801 |
|
---|
802 | rc = RTCrKeyCreateFromBuffer(&hPrivateKey, 0 /*fFlags*/, g_abFakeRsaKey, sizeof(g_abFakeRsaKey), NULL, NULL, NULL);
|
---|
803 | if (RT_FAILURE(rc))
|
---|
804 | return RTMsgErrorExitFailure("RTCrKeyCreateFromBuffer/g_abFakeRsaKey failed: %Rrc", rc);
|
---|
805 | return RTEXITCODE_SUCCESS;
|
---|
806 | }
|
---|
807 |
|
---|
808 | #endif
|
---|
809 |
|
---|
810 | /**
|
---|
811 | * Search for intermediate CA.
|
---|
812 | *
|
---|
813 | * Currently this only do a single certificate path, so this may go south if
|
---|
814 | * there are multiple paths available. It may work fine for a cross signing
|
---|
815 | * path, as long as the cross over is at the level immediately below the root.
|
---|
816 | */
|
---|
817 | PCRTCRCERTCTX findNextIntermediateCert(PCRTCRCERTCTX pPrev)
|
---|
818 | {
|
---|
819 | /*
|
---|
820 | * Make sure the store is loaded before we start.
|
---|
821 | */
|
---|
822 | if (s_hStoreIntermediate == NIL_RTCRSTORE)
|
---|
823 | {
|
---|
824 | Assert(!pPrev);
|
---|
825 | RTERRINFOSTATIC ErrInfo;
|
---|
826 | int rc = RTCrStoreCreateSnapshotById(&s_hStoreIntermediate,
|
---|
827 | !m_fMachineStore
|
---|
828 | ? RTCRSTOREID_USER_INTERMEDIATE_CAS : RTCRSTOREID_SYSTEM_INTERMEDIATE_CAS,
|
---|
829 | RTErrInfoInitStatic(&ErrInfo));
|
---|
830 | if (RT_FAILURE(rc))
|
---|
831 | {
|
---|
832 | RTMsgError("RTCrStoreCreateSnapshotById/%s-intermediate-CAs failed: %Rrc%#RTeim",
|
---|
833 | m_fMachineStore ? "user" : "machine", rc, &ErrInfo.Core);
|
---|
834 | return NULL;
|
---|
835 | }
|
---|
836 | }
|
---|
837 |
|
---|
838 | /*
|
---|
839 | * Open the search handle for the parent of the previous/end certificate.
|
---|
840 | *
|
---|
841 | * We don't need to consider RTCRCERTCTX::pTaInfo here as we're not
|
---|
842 | * after trust anchors, only intermediate certificates.
|
---|
843 | */
|
---|
844 | #ifdef RT_OS_WINDOWS
|
---|
845 | PCRTCRX509CERTIFICATE pChildCert = pPrev ? pPrev->pCert : pCertificateReal ? pCertificateReal : pCertificate;
|
---|
846 | #else
|
---|
847 | PCRTCRX509CERTIFICATE pChildCert = pPrev ? pPrev->pCert : pCertificate;
|
---|
848 | #endif
|
---|
849 | AssertReturnStmt(pChildCert, RTCrCertCtxRelease(pPrev), NULL);
|
---|
850 |
|
---|
851 | RTCRSTORECERTSEARCH Search;
|
---|
852 | int rc = RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(s_hStoreIntermediate, &pChildCert->TbsCertificate.Issuer,
|
---|
853 | &Search);
|
---|
854 | if (RT_FAILURE(rc))
|
---|
855 | {
|
---|
856 | RTMsgError("RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280 failed: %Rrc", rc);
|
---|
857 | return NULL;
|
---|
858 | }
|
---|
859 |
|
---|
860 | /*
|
---|
861 | * We only gave the subject so, we have to check the serial number our selves.
|
---|
862 | */
|
---|
863 | PCRTCRCERTCTX pCertCtx;
|
---|
864 | while ((pCertCtx = RTCrStoreCertSearchNext(s_hStoreIntermediate, &Search)) != NULL)
|
---|
865 | {
|
---|
866 | if ( pCertCtx->pCert
|
---|
867 | && RTAsn1BitString_Compare(&pCertCtx->pCert->TbsCertificate.T1.IssuerUniqueId,
|
---|
868 | &pChildCert->TbsCertificate.T1.IssuerUniqueId) == 0 /* compares presentness too */
|
---|
869 | && !RTCrX509Certificate_IsSelfSigned(pCertCtx->pCert))
|
---|
870 | {
|
---|
871 | break; /** @todo compare valid periode too and keep a best match when outside the desired period? */
|
---|
872 | }
|
---|
873 | RTCrCertCtxRelease(pCertCtx);
|
---|
874 | }
|
---|
875 |
|
---|
876 | RTCrStoreCertSearchDestroy(s_hStoreIntermediate, & Search);
|
---|
877 | RTCrCertCtxRelease(pPrev);
|
---|
878 | return pCertCtx;
|
---|
879 | }
|
---|
880 |
|
---|
881 | /**
|
---|
882 | * Merges the user specified certificates with the signing certificate and any
|
---|
883 | * intermediate CAs we can find in the system store.
|
---|
884 | *
|
---|
885 | * @returns Merged store, NIL_RTCRSTORE on failure (messaged).
|
---|
886 | * @param hUserSpecifiedCertificates The user certificate store.
|
---|
887 | */
|
---|
888 | RTCRSTORE assembleAllAdditionalCertificates(RTCRSTORE hUserSpecifiedCertificates)
|
---|
889 | {
|
---|
890 | RTCRSTORE hRetStore;
|
---|
891 | int rc = RTCrStoreCreateInMemEx(&hRetStore, 0, hUserSpecifiedCertificates);
|
---|
892 | if (RT_SUCCESS(rc))
|
---|
893 | {
|
---|
894 | /* Add the signing certificate: */
|
---|
895 | RTERRINFOSTATIC ErrInfo;
|
---|
896 | rc = RTCrStoreCertAddX509(hRetStore, RTCRCERTCTX_F_ENC_X509_DER | RTCRCERTCTX_F_ADD_IF_NOT_FOUND,
|
---|
897 | #ifdef RT_OS_WINDOWS
|
---|
898 | (PRTCRX509CERTIFICATE)(pCertificateReal ? pCertificateReal : pCertificate),
|
---|
899 | #else
|
---|
900 | (PRTCRX509CERTIFICATE)pCertificate,
|
---|
901 | #endif
|
---|
902 | RTErrInfoInitStatic(&ErrInfo));
|
---|
903 | if (RT_SUCCESS(rc))
|
---|
904 | {
|
---|
905 | /* Add all intermediate CAs certificates we can find. */
|
---|
906 | PCRTCRCERTCTX pInterCaCert = NULL;
|
---|
907 | while ((pInterCaCert = findNextIntermediateCert(pInterCaCert)) != NULL)
|
---|
908 | {
|
---|
909 | rc = RTCrStoreCertAddEncoded(hRetStore, RTCRCERTCTX_F_ENC_X509_DER | RTCRCERTCTX_F_ADD_IF_NOT_FOUND,
|
---|
910 | pInterCaCert->pabEncoded, pInterCaCert->cbEncoded,
|
---|
911 | RTErrInfoInitStatic(&ErrInfo));
|
---|
912 | if (RT_FAILURE(rc))
|
---|
913 | {
|
---|
914 | RTMsgError("RTCrStoreCertAddEncoded/InterCA failed: %Rrc%#RTeim", rc, &ErrInfo.Core);
|
---|
915 | RTCrCertCtxRelease(pInterCaCert);
|
---|
916 | break;
|
---|
917 | }
|
---|
918 | }
|
---|
919 | if (RT_SUCCESS(rc))
|
---|
920 | return hRetStore;
|
---|
921 | }
|
---|
922 | else
|
---|
923 | RTMsgError("RTCrStoreCertAddX509/signer failed: %Rrc%#RTeim", rc, &ErrInfo.Core);
|
---|
924 | RTCrStoreRelease(hRetStore);
|
---|
925 | }
|
---|
926 | else
|
---|
927 | RTMsgError("RTCrStoreCreateInMemEx failed: %Rrc", rc);
|
---|
928 | return NIL_RTCRSTORE;
|
---|
929 | }
|
---|
930 |
|
---|
931 | };
|
---|
932 |
|
---|
933 | /*static*/ RTCRSTORE SignToolKeyPair::s_hStoreIntermediate = NIL_RTCRSTORE;
|
---|
934 | /*static*/ uint32_t SignToolKeyPair::s_cInstances = 0;
|
---|
935 |
|
---|
936 |
|
---|
937 |
|
---|
938 | /*********************************************************************************************************************************
|
---|
939 | * Workers. *
|
---|
940 | *********************************************************************************************************************************/
|
---|
941 |
|
---|
942 |
|
---|
943 | /**
|
---|
944 | * Deletes the structure.
|
---|
945 | *
|
---|
946 | * @param pThis The structure to initialize.
|
---|
947 | */
|
---|
948 | static void SignToolPkcs7_Delete(PSIGNTOOLPKCS7 pThis)
|
---|
949 | {
|
---|
950 | RTCrPkcs7ContentInfo_Delete(&pThis->ContentInfo);
|
---|
951 | pThis->pSignedData = NULL;
|
---|
952 | RTMemFree(pThis->pbBuf);
|
---|
953 | pThis->pbBuf = NULL;
|
---|
954 | pThis->cbBuf = 0;
|
---|
955 | RTMemFree(pThis->pbNewBuf);
|
---|
956 | pThis->pbNewBuf = NULL;
|
---|
957 | pThis->cbNewBuf = 0;
|
---|
958 | }
|
---|
959 |
|
---|
960 |
|
---|
961 | /**
|
---|
962 | * Deletes the structure.
|
---|
963 | *
|
---|
964 | * @param pThis The structure to initialize.
|
---|
965 | */
|
---|
966 | static void SignToolPkcs7Exe_Delete(PSIGNTOOLPKCS7EXE pThis)
|
---|
967 | {
|
---|
968 | if (pThis->hLdrMod != NIL_RTLDRMOD)
|
---|
969 | {
|
---|
970 | int rc2 = RTLdrClose(pThis->hLdrMod);
|
---|
971 | if (RT_FAILURE(rc2))
|
---|
972 | RTMsgError("RTLdrClose failed: %Rrc\n", rc2);
|
---|
973 | pThis->hLdrMod = NIL_RTLDRMOD;
|
---|
974 | }
|
---|
975 | SignToolPkcs7_Delete(pThis);
|
---|
976 | }
|
---|
977 |
|
---|
978 |
|
---|
979 | /**
|
---|
980 | * Decodes the PKCS #7 blob pointed to by pThis->pbBuf.
|
---|
981 | *
|
---|
982 | * @returns IPRT status code (error message already shown on failure).
|
---|
983 | * @param pThis The PKCS\#7 signature to decode.
|
---|
984 | * @param fCatalog Set if catalog file, clear if executable.
|
---|
985 | */
|
---|
986 | static int SignToolPkcs7_Decode(PSIGNTOOLPKCS7 pThis, bool fCatalog)
|
---|
987 | {
|
---|
988 | RTERRINFOSTATIC ErrInfo;
|
---|
989 | RTASN1CURSORPRIMARY PrimaryCursor;
|
---|
990 | RTAsn1CursorInitPrimary(&PrimaryCursor, pThis->pbBuf, (uint32_t)pThis->cbBuf, RTErrInfoInitStatic(&ErrInfo),
|
---|
991 | &g_RTAsn1DefaultAllocator, 0, "WinCert");
|
---|
992 |
|
---|
993 | int rc = RTCrPkcs7ContentInfo_DecodeAsn1(&PrimaryCursor.Cursor, 0, &pThis->ContentInfo, "CI");
|
---|
994 | if (RT_SUCCESS(rc))
|
---|
995 | {
|
---|
996 | if (RTCrPkcs7ContentInfo_IsSignedData(&pThis->ContentInfo))
|
---|
997 | {
|
---|
998 | pThis->pSignedData = pThis->ContentInfo.u.pSignedData;
|
---|
999 |
|
---|
1000 | /*
|
---|
1001 | * Decode the authenticode bits.
|
---|
1002 | */
|
---|
1003 | if (!strcmp(pThis->pSignedData->ContentInfo.ContentType.szObjId, RTCRSPCINDIRECTDATACONTENT_OID))
|
---|
1004 | {
|
---|
1005 | PRTCRSPCINDIRECTDATACONTENT pIndData = pThis->pSignedData->ContentInfo.u.pIndirectDataContent;
|
---|
1006 | Assert(pIndData);
|
---|
1007 |
|
---|
1008 | /*
|
---|
1009 | * Check that things add up.
|
---|
1010 | */
|
---|
1011 | rc = RTCrPkcs7SignedData_CheckSanity(pThis->pSignedData,
|
---|
1012 | RTCRPKCS7SIGNEDDATA_SANITY_F_AUTHENTICODE
|
---|
1013 | | RTCRPKCS7SIGNEDDATA_SANITY_F_ONLY_KNOWN_HASH
|
---|
1014 | | RTCRPKCS7SIGNEDDATA_SANITY_F_SIGNING_CERT_PRESENT,
|
---|
1015 | RTErrInfoInitStatic(&ErrInfo), "SD");
|
---|
1016 | if (RT_SUCCESS(rc))
|
---|
1017 | {
|
---|
1018 | rc = RTCrSpcIndirectDataContent_CheckSanityEx(pIndData,
|
---|
1019 | pThis->pSignedData,
|
---|
1020 | RTCRSPCINDIRECTDATACONTENT_SANITY_F_ONLY_KNOWN_HASH,
|
---|
1021 | RTErrInfoInitStatic(&ErrInfo));
|
---|
1022 | if (RT_FAILURE(rc))
|
---|
1023 | RTMsgError("SPC indirect data content sanity check failed for '%s': %Rrc - %s\n",
|
---|
1024 | pThis->pszFilename, rc, ErrInfo.szMsg);
|
---|
1025 | }
|
---|
1026 | else
|
---|
1027 | RTMsgError("PKCS#7 sanity check failed for '%s': %Rrc - %s\n", pThis->pszFilename, rc, ErrInfo.szMsg);
|
---|
1028 | }
|
---|
1029 | else if (!strcmp(pThis->pSignedData->ContentInfo.ContentType.szObjId, RTCR_PKCS7_DATA_OID))
|
---|
1030 | { /* apple code signing */ }
|
---|
1031 | else if (!fCatalog)
|
---|
1032 | RTMsgError("Unexpected the signed content in '%s': %s (expected %s)", pThis->pszFilename,
|
---|
1033 | pThis->pSignedData->ContentInfo.ContentType.szObjId, RTCRSPCINDIRECTDATACONTENT_OID);
|
---|
1034 | }
|
---|
1035 | else
|
---|
1036 | rc = RTMsgErrorRc(VERR_CR_PKCS7_NOT_SIGNED_DATA,
|
---|
1037 | "PKCS#7 content is inside '%s' is not 'signedData': %s\n",
|
---|
1038 | pThis->pszFilename, pThis->ContentInfo.ContentType.szObjId);
|
---|
1039 | }
|
---|
1040 | else
|
---|
1041 | RTMsgError("RTCrPkcs7ContentInfo_DecodeAsn1 failed on '%s': %Rrc - %s\n", pThis->pszFilename, rc, ErrInfo.szMsg);
|
---|
1042 | return rc;
|
---|
1043 | }
|
---|
1044 |
|
---|
1045 |
|
---|
1046 | /**
|
---|
1047 | * Reads and decodes PKCS\#7 signature from the given cat file.
|
---|
1048 | *
|
---|
1049 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error message
|
---|
1050 | * on failure.
|
---|
1051 | * @param pThis The structure to initialize.
|
---|
1052 | * @param pszFilename The catalog (or any other DER PKCS\#7) filename.
|
---|
1053 | * @param cVerbosity The verbosity.
|
---|
1054 | */
|
---|
1055 | static RTEXITCODE SignToolPkcs7_InitFromFile(PSIGNTOOLPKCS7 pThis, const char *pszFilename, unsigned cVerbosity)
|
---|
1056 | {
|
---|
1057 | /*
|
---|
1058 | * Init the return structure.
|
---|
1059 | */
|
---|
1060 | RT_ZERO(*pThis);
|
---|
1061 | pThis->pszFilename = pszFilename;
|
---|
1062 | pThis->enmType = RTSIGNTOOLFILETYPE_CAT;
|
---|
1063 |
|
---|
1064 | /*
|
---|
1065 | * Lazy bird uses RTFileReadAll and duplicates the allocation.
|
---|
1066 | */
|
---|
1067 | void *pvFile;
|
---|
1068 | int rc = RTFileReadAll(pszFilename, &pvFile, &pThis->cbBuf);
|
---|
1069 | if (RT_SUCCESS(rc))
|
---|
1070 | {
|
---|
1071 | pThis->pbBuf = (uint8_t *)RTMemDup(pvFile, pThis->cbBuf);
|
---|
1072 | RTFileReadAllFree(pvFile, pThis->cbBuf);
|
---|
1073 | if (pThis->pbBuf)
|
---|
1074 | {
|
---|
1075 | if (cVerbosity > 2)
|
---|
1076 | RTPrintf("PKCS#7 signature: %u bytes\n", pThis->cbBuf);
|
---|
1077 |
|
---|
1078 | /*
|
---|
1079 | * Decode it.
|
---|
1080 | */
|
---|
1081 | rc = SignToolPkcs7_Decode(pThis, true /*fCatalog*/);
|
---|
1082 | if (RT_SUCCESS(rc))
|
---|
1083 | return RTEXITCODE_SUCCESS;
|
---|
1084 | }
|
---|
1085 | else
|
---|
1086 | RTMsgError("Out of memory!");
|
---|
1087 | }
|
---|
1088 | else
|
---|
1089 | RTMsgError("Error reading '%s' into memory: %Rrc", pszFilename, rc);
|
---|
1090 |
|
---|
1091 | SignToolPkcs7_Delete(pThis);
|
---|
1092 | return RTEXITCODE_FAILURE;
|
---|
1093 | }
|
---|
1094 |
|
---|
1095 |
|
---|
1096 | /**
|
---|
1097 | * Encodes the signature into the SIGNTOOLPKCS7::pbNewBuf and
|
---|
1098 | * SIGNTOOLPKCS7::cbNewBuf members.
|
---|
1099 | *
|
---|
1100 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error message
|
---|
1101 | * on failure.
|
---|
1102 | * @param pThis The signature to encode.
|
---|
1103 | * @param cVerbosity The verbosity.
|
---|
1104 | */
|
---|
1105 | static RTEXITCODE SignToolPkcs7_Encode(PSIGNTOOLPKCS7 pThis, unsigned cVerbosity)
|
---|
1106 | {
|
---|
1107 | RTERRINFOSTATIC StaticErrInfo;
|
---|
1108 | PRTASN1CORE pRoot = RTCrPkcs7ContentInfo_GetAsn1Core(&pThis->ContentInfo);
|
---|
1109 | uint32_t cbEncoded;
|
---|
1110 | int rc = RTAsn1EncodePrepare(pRoot, RTASN1ENCODE_F_DER, &cbEncoded, RTErrInfoInitStatic(&StaticErrInfo));
|
---|
1111 | if (RT_SUCCESS(rc))
|
---|
1112 | {
|
---|
1113 | if (cVerbosity >= 4)
|
---|
1114 | RTAsn1Dump(pRoot, 0, 0, RTStrmDumpPrintfV, g_pStdOut);
|
---|
1115 |
|
---|
1116 | RTMemFree(pThis->pbNewBuf);
|
---|
1117 | pThis->cbNewBuf = cbEncoded;
|
---|
1118 | pThis->pbNewBuf = (uint8_t *)RTMemAllocZ(cbEncoded);
|
---|
1119 | if (pThis->pbNewBuf)
|
---|
1120 | {
|
---|
1121 | rc = RTAsn1EncodeToBuffer(pRoot, RTASN1ENCODE_F_DER, pThis->pbNewBuf, pThis->cbNewBuf,
|
---|
1122 | RTErrInfoInitStatic(&StaticErrInfo));
|
---|
1123 | if (RT_SUCCESS(rc))
|
---|
1124 | {
|
---|
1125 | if (cVerbosity > 1)
|
---|
1126 | RTMsgInfo("Encoded signature to %u bytes", cbEncoded);
|
---|
1127 | return RTEXITCODE_SUCCESS;
|
---|
1128 | }
|
---|
1129 | RTMsgError("RTAsn1EncodeToBuffer failed: %Rrc", rc);
|
---|
1130 |
|
---|
1131 | RTMemFree(pThis->pbNewBuf);
|
---|
1132 | pThis->pbNewBuf = NULL;
|
---|
1133 | }
|
---|
1134 | else
|
---|
1135 | RTMsgError("Failed to allocate %u bytes!", cbEncoded);
|
---|
1136 | }
|
---|
1137 | else
|
---|
1138 | RTMsgError("RTAsn1EncodePrepare failed: %Rrc - %s", rc, StaticErrInfo.szMsg);
|
---|
1139 | return RTEXITCODE_FAILURE;
|
---|
1140 | }
|
---|
1141 |
|
---|
1142 |
|
---|
1143 | /**
|
---|
1144 | * Helper that makes sure the UnauthenticatedAttributes are present in the given
|
---|
1145 | * SignerInfo structure.
|
---|
1146 | *
|
---|
1147 | * Call this before trying to modify the array.
|
---|
1148 | *
|
---|
1149 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error already
|
---|
1150 | * displayed on failure.
|
---|
1151 | * @param pSignerInfo The SignerInfo structure in question.
|
---|
1152 | */
|
---|
1153 | static RTEXITCODE SignToolPkcs7_EnsureUnauthenticatedAttributesPresent(PRTCRPKCS7SIGNERINFO pSignerInfo)
|
---|
1154 | {
|
---|
1155 | if (pSignerInfo->UnauthenticatedAttributes.cItems == 0)
|
---|
1156 | {
|
---|
1157 | /* HACK ALERT! Invent ASN.1 setters/whatever for members to replace this mess. */
|
---|
1158 |
|
---|
1159 | if (pSignerInfo->AuthenticatedAttributes.cItems == 0)
|
---|
1160 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No authenticated or unauthenticated attributes! Sorry, no can do.");
|
---|
1161 |
|
---|
1162 | Assert(pSignerInfo->UnauthenticatedAttributes.SetCore.Asn1Core.uTag == 0);
|
---|
1163 | int rc = RTAsn1SetCore_Init(&pSignerInfo->UnauthenticatedAttributes.SetCore,
|
---|
1164 | pSignerInfo->AuthenticatedAttributes.SetCore.Asn1Core.pOps);
|
---|
1165 | if (RT_FAILURE(rc))
|
---|
1166 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "RTAsn1SetCore_Init failed: %Rrc", rc);
|
---|
1167 | pSignerInfo->UnauthenticatedAttributes.SetCore.Asn1Core.uTag = 1;
|
---|
1168 | pSignerInfo->UnauthenticatedAttributes.SetCore.Asn1Core.fClass = ASN1_TAGCLASS_CONTEXT | ASN1_TAGFLAG_CONSTRUCTED;
|
---|
1169 | RTAsn1MemInitArrayAllocation(&pSignerInfo->UnauthenticatedAttributes.Allocation,
|
---|
1170 | pSignerInfo->AuthenticatedAttributes.Allocation.pAllocator,
|
---|
1171 | sizeof(**pSignerInfo->UnauthenticatedAttributes.papItems));
|
---|
1172 | }
|
---|
1173 | return RTEXITCODE_SUCCESS;
|
---|
1174 | }
|
---|
1175 |
|
---|
1176 |
|
---|
1177 | /**
|
---|
1178 | * Adds the @a pSrc signature as a nested signature.
|
---|
1179 | *
|
---|
1180 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error message
|
---|
1181 | * on failure.
|
---|
1182 | * @param pThis The signature to modify.
|
---|
1183 | * @param pSrc The signature to add as nested.
|
---|
1184 | * @param cVerbosity The verbosity.
|
---|
1185 | * @param fPrepend Whether to prepend (true) or append (false) the
|
---|
1186 | * source signature to the nested attribute.
|
---|
1187 | */
|
---|
1188 | static RTEXITCODE SignToolPkcs7_AddNestedSignature(PSIGNTOOLPKCS7 pThis, PSIGNTOOLPKCS7 pSrc,
|
---|
1189 | unsigned cVerbosity, bool fPrepend)
|
---|
1190 | {
|
---|
1191 | PRTCRPKCS7SIGNERINFO pSignerInfo = pThis->pSignedData->SignerInfos.papItems[0];
|
---|
1192 |
|
---|
1193 | /*
|
---|
1194 | * Deal with UnauthenticatedAttributes being absent before trying to append to the array.
|
---|
1195 | */
|
---|
1196 | RTEXITCODE rcExit = SignToolPkcs7_EnsureUnauthenticatedAttributesPresent(pSignerInfo);
|
---|
1197 | if (rcExit != RTEXITCODE_SUCCESS)
|
---|
1198 | return rcExit;
|
---|
1199 |
|
---|
1200 | /*
|
---|
1201 | * Find or add an unauthenticated attribute for nested signatures.
|
---|
1202 | */
|
---|
1203 | int rc = VERR_NOT_FOUND;
|
---|
1204 | PRTCRPKCS7ATTRIBUTE pAttr = NULL;
|
---|
1205 | int32_t iPos = pSignerInfo->UnauthenticatedAttributes.cItems;
|
---|
1206 | while (iPos-- > 0)
|
---|
1207 | if (pSignerInfo->UnauthenticatedAttributes.papItems[iPos]->enmType == RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE)
|
---|
1208 | {
|
---|
1209 | pAttr = pSignerInfo->UnauthenticatedAttributes.papItems[iPos];
|
---|
1210 | rc = VINF_SUCCESS;
|
---|
1211 | break;
|
---|
1212 | }
|
---|
1213 | if (iPos < 0)
|
---|
1214 | {
|
---|
1215 | iPos = RTCrPkcs7Attributes_Append(&pSignerInfo->UnauthenticatedAttributes);
|
---|
1216 | if (iPos >= 0)
|
---|
1217 | {
|
---|
1218 | if (cVerbosity >= 3)
|
---|
1219 | RTMsgInfo("Adding UnauthenticatedAttribute #%u...", iPos);
|
---|
1220 | Assert((uint32_t)iPos < pSignerInfo->UnauthenticatedAttributes.cItems);
|
---|
1221 |
|
---|
1222 | pAttr = pSignerInfo->UnauthenticatedAttributes.papItems[iPos];
|
---|
1223 | rc = RTAsn1ObjId_InitFromString(&pAttr->Type, RTCR_PKCS9_ID_MS_NESTED_SIGNATURE, pAttr->Allocation.pAllocator);
|
---|
1224 | if (RT_SUCCESS(rc))
|
---|
1225 | {
|
---|
1226 | /** @todo Generalize the Type + enmType DYN stuff and generate setters. */
|
---|
1227 | Assert(pAttr->enmType == RTCRPKCS7ATTRIBUTETYPE_NOT_PRESENT);
|
---|
1228 | Assert(pAttr->uValues.pContentInfos == NULL);
|
---|
1229 | pAttr->enmType = RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE;
|
---|
1230 | rc = RTAsn1MemAllocZ(&pAttr->Allocation, (void **)&pAttr->uValues.pContentInfos,
|
---|
1231 | sizeof(*pAttr->uValues.pContentInfos));
|
---|
1232 | if (RT_SUCCESS(rc))
|
---|
1233 | {
|
---|
1234 | rc = RTCrPkcs7SetOfContentInfos_Init(pAttr->uValues.pContentInfos, pAttr->Allocation.pAllocator);
|
---|
1235 | if (!RT_SUCCESS(rc))
|
---|
1236 | RTMsgError("RTCrPkcs7ContentInfos_Init failed: %Rrc", rc);
|
---|
1237 | }
|
---|
1238 | else
|
---|
1239 | RTMsgError("RTAsn1MemAllocZ failed: %Rrc", rc);
|
---|
1240 | }
|
---|
1241 | else
|
---|
1242 | RTMsgError("RTAsn1ObjId_InitFromString failed: %Rrc", rc);
|
---|
1243 | }
|
---|
1244 | else
|
---|
1245 | RTMsgError("RTCrPkcs7Attributes_Append failed: %Rrc", iPos);
|
---|
1246 | }
|
---|
1247 | else if (cVerbosity >= 2)
|
---|
1248 | RTMsgInfo("Found UnauthenticatedAttribute #%u...", iPos);
|
---|
1249 | if (RT_SUCCESS(rc))
|
---|
1250 | {
|
---|
1251 | /*
|
---|
1252 | * Append/prepend the signature.
|
---|
1253 | */
|
---|
1254 | uint32_t iActualPos = UINT32_MAX;
|
---|
1255 | iPos = fPrepend ? 0 : pAttr->uValues.pContentInfos->cItems;
|
---|
1256 | rc = RTCrPkcs7SetOfContentInfos_InsertEx(pAttr->uValues.pContentInfos, iPos, &pSrc->ContentInfo,
|
---|
1257 | pAttr->Allocation.pAllocator, &iActualPos);
|
---|
1258 | if (RT_SUCCESS(rc))
|
---|
1259 | {
|
---|
1260 | if (cVerbosity > 0)
|
---|
1261 | RTMsgInfo("Added nested signature (#%u)", iActualPos);
|
---|
1262 | if (cVerbosity >= 3)
|
---|
1263 | {
|
---|
1264 | RTMsgInfo("SingerInfo dump after change:");
|
---|
1265 | RTAsn1Dump(RTCrPkcs7SignerInfo_GetAsn1Core(pSignerInfo), 0, 2, RTStrmDumpPrintfV, g_pStdOut);
|
---|
1266 | }
|
---|
1267 | return RTEXITCODE_SUCCESS;
|
---|
1268 | }
|
---|
1269 |
|
---|
1270 | RTMsgError("RTCrPkcs7ContentInfos_InsertEx failed: %Rrc", rc);
|
---|
1271 | }
|
---|
1272 | return RTEXITCODE_FAILURE;
|
---|
1273 | }
|
---|
1274 |
|
---|
1275 |
|
---|
1276 | /**
|
---|
1277 | * Writes the signature to the file.
|
---|
1278 | *
|
---|
1279 | * Caller must have called SignToolPkcs7_Encode() prior to this function.
|
---|
1280 | *
|
---|
1281 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error
|
---|
1282 | * message on failure.
|
---|
1283 | * @param pThis The file which to write.
|
---|
1284 | * @param cVerbosity The verbosity.
|
---|
1285 | */
|
---|
1286 | static RTEXITCODE SignToolPkcs7_WriteSignatureToFile(PSIGNTOOLPKCS7 pThis, const char *pszFilename, unsigned cVerbosity)
|
---|
1287 | {
|
---|
1288 | AssertReturn(pThis->cbNewBuf && pThis->pbNewBuf, RTEXITCODE_FAILURE);
|
---|
1289 |
|
---|
1290 | /*
|
---|
1291 | * Open+truncate file, write new signature, close. Simple.
|
---|
1292 | */
|
---|
1293 | RTFILE hFile;
|
---|
1294 | int rc = RTFileOpen(&hFile, pszFilename, RTFILE_O_WRITE | RTFILE_O_OPEN_CREATE | RTFILE_O_TRUNCATE | RTFILE_O_DENY_WRITE);
|
---|
1295 | if (RT_SUCCESS(rc))
|
---|
1296 | {
|
---|
1297 | rc = RTFileWrite(hFile, pThis->pbNewBuf, pThis->cbNewBuf, NULL);
|
---|
1298 | if (RT_SUCCESS(rc))
|
---|
1299 | {
|
---|
1300 | rc = RTFileClose(hFile);
|
---|
1301 | if (RT_SUCCESS(rc))
|
---|
1302 | {
|
---|
1303 | if (cVerbosity > 0)
|
---|
1304 | RTMsgInfo("Wrote %u bytes to %s", pThis->cbNewBuf, pszFilename);
|
---|
1305 | return RTEXITCODE_SUCCESS;
|
---|
1306 | }
|
---|
1307 |
|
---|
1308 | RTMsgError("RTFileClose failed on %s: %Rrc", pszFilename, rc);
|
---|
1309 | }
|
---|
1310 | else
|
---|
1311 | RTMsgError("Write error on %s: %Rrc", pszFilename, rc);
|
---|
1312 | }
|
---|
1313 | else
|
---|
1314 | RTMsgError("Failed to open %s for writing: %Rrc", pszFilename, rc);
|
---|
1315 | return RTEXITCODE_FAILURE;
|
---|
1316 | }
|
---|
1317 |
|
---|
1318 |
|
---|
1319 |
|
---|
1320 | /**
|
---|
1321 | * Worker for recursively searching for MS nested signatures and signer infos.
|
---|
1322 | *
|
---|
1323 | * @returns Pointer to the signer info corresponding to @a iReqSignature. NULL
|
---|
1324 | * if not found.
|
---|
1325 | * @param pSignedData The signature to search.
|
---|
1326 | * @param piNextSignature Pointer to the variable keeping track of the next
|
---|
1327 | * signature number.
|
---|
1328 | * @param iReqSignature The request signature number.
|
---|
1329 | * @param ppSignedData Where to return the signature data structure.
|
---|
1330 | * Optional.
|
---|
1331 | */
|
---|
1332 | static PRTCRPKCS7SIGNERINFO SignToolPkcs7_FindNestedSignatureByIndexWorker(PRTCRPKCS7SIGNEDDATA pSignedData,
|
---|
1333 | uint32_t *piNextSignature,
|
---|
1334 | uint32_t iReqSignature,
|
---|
1335 | PRTCRPKCS7SIGNEDDATA *ppSignedData)
|
---|
1336 | {
|
---|
1337 | for (uint32_t iSignerInfo = 0; iSignerInfo < pSignedData->SignerInfos.cItems; iSignerInfo++)
|
---|
1338 | {
|
---|
1339 | /* Match?*/
|
---|
1340 | PRTCRPKCS7SIGNERINFO pSignerInfo = pSignedData->SignerInfos.papItems[iSignerInfo];
|
---|
1341 | if (*piNextSignature == iReqSignature)
|
---|
1342 | {
|
---|
1343 | if (ppSignedData)
|
---|
1344 | *ppSignedData = pSignedData;
|
---|
1345 | return pSignerInfo;
|
---|
1346 | }
|
---|
1347 | *piNextSignature += 1;
|
---|
1348 |
|
---|
1349 | /* Look for nested signatures. */
|
---|
1350 | for (uint32_t iAttrib = 0; iAttrib < pSignerInfo->UnauthenticatedAttributes.cItems; iAttrib++)
|
---|
1351 | if (pSignerInfo->UnauthenticatedAttributes.papItems[iAttrib]->enmType == RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE)
|
---|
1352 | {
|
---|
1353 | PRTCRPKCS7SETOFCONTENTINFOS pCntInfos;
|
---|
1354 | pCntInfos = pSignerInfo->UnauthenticatedAttributes.papItems[iAttrib]->uValues.pContentInfos;
|
---|
1355 | for (uint32_t iCntInfo = 0; iCntInfo < pCntInfos->cItems; iCntInfo++)
|
---|
1356 | {
|
---|
1357 | PRTCRPKCS7CONTENTINFO pCntInfo = pCntInfos->papItems[iCntInfo];
|
---|
1358 | if (RTCrPkcs7ContentInfo_IsSignedData(pCntInfo))
|
---|
1359 | {
|
---|
1360 | PRTCRPKCS7SIGNERINFO pRet;
|
---|
1361 | pRet = SignToolPkcs7_FindNestedSignatureByIndexWorker(pCntInfo->u.pSignedData, piNextSignature,
|
---|
1362 | iReqSignature, ppSignedData);
|
---|
1363 | if (pRet)
|
---|
1364 | return pRet;
|
---|
1365 | }
|
---|
1366 | }
|
---|
1367 | }
|
---|
1368 | }
|
---|
1369 | return NULL;
|
---|
1370 | }
|
---|
1371 |
|
---|
1372 |
|
---|
1373 | /**
|
---|
1374 | * Locates the given nested signature.
|
---|
1375 | *
|
---|
1376 | * @returns Pointer to the signer info corresponding to @a iReqSignature. NULL
|
---|
1377 | * if not found.
|
---|
1378 | * @param pThis The PKCS\#7 structure to search.
|
---|
1379 | * @param iReqSignature The requested signature number.
|
---|
1380 | * @param ppSignedData Where to return the pointer to the signed data that
|
---|
1381 | * the returned signer info belongs to.
|
---|
1382 | *
|
---|
1383 | * @todo Move into SPC or PKCS\#7.
|
---|
1384 | */
|
---|
1385 | static PRTCRPKCS7SIGNERINFO SignToolPkcs7_FindNestedSignatureByIndex(PSIGNTOOLPKCS7 pThis, uint32_t iReqSignature,
|
---|
1386 | PRTCRPKCS7SIGNEDDATA *ppSignedData)
|
---|
1387 | {
|
---|
1388 | uint32_t iNextSignature = 0;
|
---|
1389 | return SignToolPkcs7_FindNestedSignatureByIndexWorker(pThis->pSignedData, &iNextSignature, iReqSignature, ppSignedData);
|
---|
1390 | }
|
---|
1391 |
|
---|
1392 |
|
---|
1393 |
|
---|
1394 | /**
|
---|
1395 | * Reads and decodes PKCS\#7 signature from the given executable, if it has one.
|
---|
1396 | *
|
---|
1397 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error message
|
---|
1398 | * on failure.
|
---|
1399 | * @param pThis The structure to initialize.
|
---|
1400 | * @param pszFilename The executable filename.
|
---|
1401 | * @param cVerbosity The verbosity.
|
---|
1402 | * @param enmLdrArch For FAT binaries.
|
---|
1403 | * @param fAllowUnsigned Whether to allow unsigned binaries.
|
---|
1404 | */
|
---|
1405 | static RTEXITCODE SignToolPkcs7Exe_InitFromFile(PSIGNTOOLPKCS7EXE pThis, const char *pszFilename, unsigned cVerbosity,
|
---|
1406 | RTLDRARCH enmLdrArch = RTLDRARCH_WHATEVER, bool fAllowUnsigned = false)
|
---|
1407 | {
|
---|
1408 | /*
|
---|
1409 | * Init the return structure.
|
---|
1410 | */
|
---|
1411 | RT_ZERO(*pThis);
|
---|
1412 | pThis->hLdrMod = NIL_RTLDRMOD;
|
---|
1413 | pThis->pszFilename = pszFilename;
|
---|
1414 | pThis->enmType = RTSIGNTOOLFILETYPE_EXE;
|
---|
1415 |
|
---|
1416 | /*
|
---|
1417 | * Open the image and check if it's signed.
|
---|
1418 | */
|
---|
1419 | int rc = RTLdrOpen(pszFilename, RTLDR_O_FOR_VALIDATION, enmLdrArch, &pThis->hLdrMod);
|
---|
1420 | if (RT_SUCCESS(rc))
|
---|
1421 | {
|
---|
1422 | bool fIsSigned = false;
|
---|
1423 | rc = RTLdrQueryProp(pThis->hLdrMod, RTLDRPROP_IS_SIGNED, &fIsSigned, sizeof(fIsSigned));
|
---|
1424 | if (RT_SUCCESS(rc) && fIsSigned)
|
---|
1425 | {
|
---|
1426 | /*
|
---|
1427 | * Query the PKCS#7 data (assuming M$ style signing) and hand it to a worker.
|
---|
1428 | */
|
---|
1429 | size_t cbActual = 0;
|
---|
1430 | #ifdef DEBUG
|
---|
1431 | size_t cbBuf = 64;
|
---|
1432 | #else
|
---|
1433 | size_t cbBuf = _512K;
|
---|
1434 | #endif
|
---|
1435 | void *pvBuf = RTMemAllocZ(cbBuf);
|
---|
1436 | if (pvBuf)
|
---|
1437 | {
|
---|
1438 | rc = RTLdrQueryPropEx(pThis->hLdrMod, RTLDRPROP_PKCS7_SIGNED_DATA, NULL /*pvBits*/, pvBuf, cbBuf, &cbActual);
|
---|
1439 | if (rc == VERR_BUFFER_OVERFLOW)
|
---|
1440 | {
|
---|
1441 | RTMemFree(pvBuf);
|
---|
1442 | cbBuf = cbActual;
|
---|
1443 | pvBuf = RTMemAllocZ(cbActual);
|
---|
1444 | if (pvBuf)
|
---|
1445 | rc = RTLdrQueryPropEx(pThis->hLdrMod, RTLDRPROP_PKCS7_SIGNED_DATA, NULL /*pvBits*/,
|
---|
1446 | pvBuf, cbBuf, &cbActual);
|
---|
1447 | else
|
---|
1448 | rc = VERR_NO_MEMORY;
|
---|
1449 | }
|
---|
1450 | }
|
---|
1451 | else
|
---|
1452 | rc = VERR_NO_MEMORY;
|
---|
1453 |
|
---|
1454 | pThis->pbBuf = (uint8_t *)pvBuf;
|
---|
1455 | pThis->cbBuf = cbActual;
|
---|
1456 | if (RT_SUCCESS(rc))
|
---|
1457 | {
|
---|
1458 | if (cVerbosity > 2)
|
---|
1459 | RTPrintf("PKCS#7 signature: %u bytes\n", cbActual);
|
---|
1460 | if (cVerbosity > 3)
|
---|
1461 | RTPrintf("%.*Rhxd\n", cbActual, pvBuf);
|
---|
1462 |
|
---|
1463 | /*
|
---|
1464 | * Decode it.
|
---|
1465 | */
|
---|
1466 | rc = SignToolPkcs7_Decode(pThis, false /*fCatalog*/);
|
---|
1467 | if (RT_SUCCESS(rc))
|
---|
1468 | return RTEXITCODE_SUCCESS;
|
---|
1469 | }
|
---|
1470 | else
|
---|
1471 | RTMsgError("RTLdrQueryPropEx/RTLDRPROP_PKCS7_SIGNED_DATA failed on '%s': %Rrc\n", pszFilename, rc);
|
---|
1472 | }
|
---|
1473 | else if (RT_SUCCESS(rc))
|
---|
1474 | {
|
---|
1475 | if (!fAllowUnsigned || cVerbosity >= 2)
|
---|
1476 | RTMsgInfo("'%s': not signed\n", pszFilename);
|
---|
1477 | if (fAllowUnsigned)
|
---|
1478 | return RTEXITCODE_SUCCESS;
|
---|
1479 | }
|
---|
1480 | else
|
---|
1481 | RTMsgError("RTLdrQueryProp/RTLDRPROP_IS_SIGNED failed on '%s': %Rrc\n", pszFilename, rc);
|
---|
1482 | }
|
---|
1483 | else
|
---|
1484 | RTMsgError("Error opening executable image '%s': %Rrc", pszFilename, rc);
|
---|
1485 |
|
---|
1486 | SignToolPkcs7Exe_Delete(pThis);
|
---|
1487 | return RTEXITCODE_FAILURE;
|
---|
1488 | }
|
---|
1489 |
|
---|
1490 |
|
---|
1491 | /**
|
---|
1492 | * Calculates the checksum of an executable.
|
---|
1493 | *
|
---|
1494 | * @returns Success indicator (errors are reported)
|
---|
1495 | * @param pThis The exe file to checksum.
|
---|
1496 | * @param hFile The file handle.
|
---|
1497 | * @param puCheckSum Where to return the checksum.
|
---|
1498 | */
|
---|
1499 | static bool SignToolPkcs7Exe_CalcPeCheckSum(PSIGNTOOLPKCS7EXE pThis, RTFILE hFile, uint32_t *puCheckSum)
|
---|
1500 | {
|
---|
1501 | #ifdef RT_OS_WINDOWS
|
---|
1502 | /*
|
---|
1503 | * Try use IMAGEHLP!MapFileAndCheckSumW first.
|
---|
1504 | */
|
---|
1505 | PRTUTF16 pwszPath;
|
---|
1506 | int rc = RTStrToUtf16(pThis->pszFilename, &pwszPath);
|
---|
1507 | if (RT_SUCCESS(rc))
|
---|
1508 | {
|
---|
1509 | decltype(MapFileAndCheckSumW) *pfnMapFileAndCheckSumW;
|
---|
1510 | pfnMapFileAndCheckSumW = (decltype(MapFileAndCheckSumW) *)RTLdrGetSystemSymbol("IMAGEHLP.DLL", "MapFileAndCheckSumW");
|
---|
1511 | if (pfnMapFileAndCheckSumW)
|
---|
1512 | {
|
---|
1513 | DWORD uOldSum = UINT32_MAX;
|
---|
1514 | DWORD uCheckSum = UINT32_MAX;
|
---|
1515 | DWORD dwRc = pfnMapFileAndCheckSumW(pwszPath, &uOldSum, &uCheckSum);
|
---|
1516 | if (dwRc == CHECKSUM_SUCCESS)
|
---|
1517 | {
|
---|
1518 | *puCheckSum = uCheckSum;
|
---|
1519 | return true;
|
---|
1520 | }
|
---|
1521 | }
|
---|
1522 | }
|
---|
1523 | #endif
|
---|
1524 |
|
---|
1525 | RT_NOREF(pThis, hFile, puCheckSum);
|
---|
1526 | RTMsgError("Implement check sum calcuation fallback!");
|
---|
1527 | return false;
|
---|
1528 | }
|
---|
1529 |
|
---|
1530 |
|
---|
1531 | /**
|
---|
1532 | * Writes the signature to the file.
|
---|
1533 | *
|
---|
1534 | * This has the side-effect of closing the hLdrMod member. So, it can only be
|
---|
1535 | * called once!
|
---|
1536 | *
|
---|
1537 | * Caller must have called SignToolPkcs7_Encode() prior to this function.
|
---|
1538 | *
|
---|
1539 | * @returns RTEXITCODE_SUCCESS on success, RTEXITCODE_FAILURE with error
|
---|
1540 | * message on failure.
|
---|
1541 | * @param pThis The file which to write.
|
---|
1542 | * @param cVerbosity The verbosity.
|
---|
1543 | */
|
---|
1544 | static RTEXITCODE SignToolPkcs7Exe_WriteSignatureToFile(PSIGNTOOLPKCS7EXE pThis, unsigned cVerbosity)
|
---|
1545 | {
|
---|
1546 | AssertReturn(pThis->cbNewBuf && pThis->pbNewBuf, RTEXITCODE_FAILURE);
|
---|
1547 |
|
---|
1548 | /*
|
---|
1549 | * Get the file header offset and arch before closing the destination handle.
|
---|
1550 | */
|
---|
1551 | uint32_t offNtHdrs;
|
---|
1552 | int rc = RTLdrQueryProp(pThis->hLdrMod, RTLDRPROP_FILE_OFF_HEADER, &offNtHdrs, sizeof(offNtHdrs));
|
---|
1553 | if (RT_SUCCESS(rc))
|
---|
1554 | {
|
---|
1555 | RTLDRARCH enmLdrArch = RTLdrGetArch(pThis->hLdrMod);
|
---|
1556 | if (enmLdrArch != RTLDRARCH_INVALID)
|
---|
1557 | {
|
---|
1558 | RTLdrClose(pThis->hLdrMod);
|
---|
1559 | pThis->hLdrMod = NIL_RTLDRMOD;
|
---|
1560 | unsigned cbNtHdrs = 0;
|
---|
1561 | switch (enmLdrArch)
|
---|
1562 | {
|
---|
1563 | case RTLDRARCH_AMD64:
|
---|
1564 | cbNtHdrs = sizeof(IMAGE_NT_HEADERS64);
|
---|
1565 | break;
|
---|
1566 | case RTLDRARCH_X86_32:
|
---|
1567 | cbNtHdrs = sizeof(IMAGE_NT_HEADERS32);
|
---|
1568 | break;
|
---|
1569 | default:
|
---|
1570 | RTMsgError("Unknown image arch: %d", enmLdrArch);
|
---|
1571 | }
|
---|
1572 | if (cbNtHdrs > 0)
|
---|
1573 | {
|
---|
1574 | if (cVerbosity > 0)
|
---|
1575 | RTMsgInfo("offNtHdrs=%#x cbNtHdrs=%u\n", offNtHdrs, cbNtHdrs);
|
---|
1576 |
|
---|
1577 | /*
|
---|
1578 | * Open the executable file for writing.
|
---|
1579 | */
|
---|
1580 | RTFILE hFile;
|
---|
1581 | rc = RTFileOpen(&hFile, pThis->pszFilename, RTFILE_O_READWRITE | RTFILE_O_OPEN | RTFILE_O_DENY_WRITE);
|
---|
1582 | if (RT_SUCCESS(rc))
|
---|
1583 | {
|
---|
1584 | /* Read the file header and locate the security directory entry. */
|
---|
1585 | union
|
---|
1586 | {
|
---|
1587 | IMAGE_NT_HEADERS32 NtHdrs32;
|
---|
1588 | IMAGE_NT_HEADERS64 NtHdrs64;
|
---|
1589 | } uBuf;
|
---|
1590 | PIMAGE_DATA_DIRECTORY pSecDir = cbNtHdrs == sizeof(IMAGE_NT_HEADERS64)
|
---|
1591 | ? &uBuf.NtHdrs64.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]
|
---|
1592 | : &uBuf.NtHdrs32.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY];
|
---|
1593 |
|
---|
1594 | rc = RTFileReadAt(hFile, offNtHdrs, &uBuf, cbNtHdrs, NULL);
|
---|
1595 | if ( RT_SUCCESS(rc)
|
---|
1596 | && uBuf.NtHdrs32.Signature == IMAGE_NT_SIGNATURE)
|
---|
1597 | {
|
---|
1598 | /*
|
---|
1599 | * Drop any old signature by truncating the file.
|
---|
1600 | */
|
---|
1601 | if ( pSecDir->Size > 8
|
---|
1602 | && pSecDir->VirtualAddress > offNtHdrs + sizeof(IMAGE_NT_HEADERS32))
|
---|
1603 | {
|
---|
1604 | rc = RTFileSetSize(hFile, pSecDir->VirtualAddress);
|
---|
1605 | if (RT_FAILURE(rc))
|
---|
1606 | RTMsgError("Error truncating file to %#x bytes: %Rrc", pSecDir->VirtualAddress, rc);
|
---|
1607 | }
|
---|
1608 | else if (pSecDir->Size != 0 && pSecDir->VirtualAddress == 0)
|
---|
1609 | rc = RTMsgErrorRc(VERR_BAD_EXE_FORMAT, "Bad security directory entry: VA=%#x Size=%#x",
|
---|
1610 | pSecDir->VirtualAddress, pSecDir->Size);
|
---|
1611 | if (RT_SUCCESS(rc))
|
---|
1612 | {
|
---|
1613 | /*
|
---|
1614 | * Sector align the signature portion.
|
---|
1615 | */
|
---|
1616 | uint32_t const cbWinCert = RT_UOFFSETOF(WIN_CERTIFICATE, bCertificate);
|
---|
1617 | uint64_t offCur = 0;
|
---|
1618 | rc = RTFileQuerySize(hFile, &offCur);
|
---|
1619 | if ( RT_SUCCESS(rc)
|
---|
1620 | && offCur < _2G)
|
---|
1621 | {
|
---|
1622 | if (offCur & 0x1ff)
|
---|
1623 | {
|
---|
1624 | uint32_t cbNeeded = 0x200 - ((uint32_t)offCur & 0x1ff);
|
---|
1625 | rc = RTFileWriteAt(hFile, offCur, g_abRTZero4K, cbNeeded, NULL);
|
---|
1626 | if (RT_SUCCESS(rc))
|
---|
1627 | offCur += cbNeeded;
|
---|
1628 | }
|
---|
1629 | if (RT_SUCCESS(rc))
|
---|
1630 | {
|
---|
1631 | /*
|
---|
1632 | * Write the header followed by the signature data.
|
---|
1633 | */
|
---|
1634 | uint32_t const cbZeroPad = (uint32_t)(RT_ALIGN_Z(pThis->cbNewBuf, 8) - pThis->cbNewBuf);
|
---|
1635 | pSecDir->VirtualAddress = (uint32_t)offCur;
|
---|
1636 | pSecDir->Size = cbWinCert + (uint32_t)pThis->cbNewBuf + cbZeroPad;
|
---|
1637 | if (cVerbosity >= 2)
|
---|
1638 | RTMsgInfo("Writing %u (%#x) bytes of signature at %#x (%u).\n",
|
---|
1639 | pSecDir->Size, pSecDir->Size, pSecDir->VirtualAddress, pSecDir->VirtualAddress);
|
---|
1640 |
|
---|
1641 | WIN_CERTIFICATE WinCert;
|
---|
1642 | WinCert.dwLength = pSecDir->Size;
|
---|
1643 | WinCert.wRevision = WIN_CERT_REVISION_2_0;
|
---|
1644 | WinCert.wCertificateType = WIN_CERT_TYPE_PKCS_SIGNED_DATA;
|
---|
1645 |
|
---|
1646 | rc = RTFileWriteAt(hFile, offCur, &WinCert, cbWinCert, NULL);
|
---|
1647 | if (RT_SUCCESS(rc))
|
---|
1648 | {
|
---|
1649 | offCur += cbWinCert;
|
---|
1650 | rc = RTFileWriteAt(hFile, offCur, pThis->pbNewBuf, pThis->cbNewBuf, NULL);
|
---|
1651 | }
|
---|
1652 | if (RT_SUCCESS(rc) && cbZeroPad)
|
---|
1653 | {
|
---|
1654 | offCur += pThis->cbNewBuf;
|
---|
1655 | rc = RTFileWriteAt(hFile, offCur, g_abRTZero4K, cbZeroPad, NULL);
|
---|
1656 | }
|
---|
1657 | if (RT_SUCCESS(rc))
|
---|
1658 | {
|
---|
1659 | /*
|
---|
1660 | * Reset the checksum (sec dir updated already) and rewrite the header.
|
---|
1661 | */
|
---|
1662 | uBuf.NtHdrs32.OptionalHeader.CheckSum = 0;
|
---|
1663 | offCur = offNtHdrs;
|
---|
1664 | rc = RTFileWriteAt(hFile, offNtHdrs, &uBuf, cbNtHdrs, NULL);
|
---|
1665 | if (RT_SUCCESS(rc))
|
---|
1666 | rc = RTFileFlush(hFile);
|
---|
1667 | if (RT_SUCCESS(rc))
|
---|
1668 | {
|
---|
1669 | /*
|
---|
1670 | * Calc checksum and write out the header again.
|
---|
1671 | */
|
---|
1672 | uint32_t uCheckSum = UINT32_MAX;
|
---|
1673 | if (SignToolPkcs7Exe_CalcPeCheckSum(pThis, hFile, &uCheckSum))
|
---|
1674 | {
|
---|
1675 | uBuf.NtHdrs32.OptionalHeader.CheckSum = uCheckSum;
|
---|
1676 | rc = RTFileWriteAt(hFile, offNtHdrs, &uBuf, cbNtHdrs, NULL);
|
---|
1677 | if (RT_SUCCESS(rc))
|
---|
1678 | rc = RTFileFlush(hFile);
|
---|
1679 | if (RT_SUCCESS(rc))
|
---|
1680 | {
|
---|
1681 | rc = RTFileClose(hFile);
|
---|
1682 | if (RT_SUCCESS(rc))
|
---|
1683 | return RTEXITCODE_SUCCESS;
|
---|
1684 | RTMsgError("RTFileClose failed: %Rrc\n", rc);
|
---|
1685 | return RTEXITCODE_FAILURE;
|
---|
1686 | }
|
---|
1687 | }
|
---|
1688 | }
|
---|
1689 | }
|
---|
1690 | }
|
---|
1691 | if (RT_FAILURE(rc))
|
---|
1692 | RTMsgError("Write error at %#RX64: %Rrc", offCur, rc);
|
---|
1693 | }
|
---|
1694 | else if (RT_SUCCESS(rc))
|
---|
1695 | RTMsgError("File to big: %'RU64 bytes", offCur);
|
---|
1696 | else
|
---|
1697 | RTMsgError("RTFileQuerySize failed: %Rrc", rc);
|
---|
1698 | }
|
---|
1699 | }
|
---|
1700 | else if (RT_SUCCESS(rc))
|
---|
1701 | RTMsgError("Not NT executable header!");
|
---|
1702 | else
|
---|
1703 | RTMsgError("Error reading NT headers (%#x bytes) at %#x: %Rrc", cbNtHdrs, offNtHdrs, rc);
|
---|
1704 | RTFileClose(hFile);
|
---|
1705 | }
|
---|
1706 | else
|
---|
1707 | RTMsgError("Failed to open '%s' for writing: %Rrc", pThis->pszFilename, rc);
|
---|
1708 | }
|
---|
1709 | }
|
---|
1710 | else
|
---|
1711 | RTMsgError("RTLdrGetArch failed!");
|
---|
1712 | }
|
---|
1713 | else
|
---|
1714 | RTMsgError("RTLdrQueryProp/RTLDRPROP_FILE_OFF_HEADER failed: %Rrc", rc);
|
---|
1715 | return RTEXITCODE_FAILURE;
|
---|
1716 | }
|
---|
1717 |
|
---|
1718 | #ifndef IPRT_SIGNTOOL_NO_SIGNING
|
---|
1719 |
|
---|
1720 | static PRTCRPKCS7ATTRIBUTE SignToolPkcs7_AuthAttribAppend(PRTCRPKCS7ATTRIBUTES pAuthAttribs)
|
---|
1721 | {
|
---|
1722 | int32_t iPos = RTCrPkcs7Attributes_Append(pAuthAttribs);
|
---|
1723 | if (iPos >= 0)
|
---|
1724 | return pAuthAttribs->papItems[iPos];
|
---|
1725 | RTMsgError("RTCrPkcs7Attributes_Append failed: %Rrc", iPos);
|
---|
1726 | return NULL;
|
---|
1727 | }
|
---|
1728 |
|
---|
1729 |
|
---|
1730 | static RTEXITCODE SignToolPkcs7_AuthAttribsAddSigningTime(PRTCRPKCS7ATTRIBUTES pAuthAttribs, RTTIMESPEC SigningTime)
|
---|
1731 | {
|
---|
1732 | /*
|
---|
1733 | * Signing time. For the old-style timestamps, Symantec used ASN.1 UTC TIME.
|
---|
1734 | * start -vv vv=ASN1_TAG_UTC_TIME
|
---|
1735 | * 00000187d6a65fd0/23b0: 0d 01 09 05 31 0f 17 0d-31 36 31 30 30 35 30 37 ....1...16100507
|
---|
1736 | * 00000187d6a65fe0/23c0: 35 30 33 30 5a 30 23 06-09 2a 86 48 86 f7 0d 01 5030Z0#..*.H....
|
---|
1737 | * ^^- end 2016-10-05T07:50:30.000000000Z (161005075030Z)
|
---|
1738 | */
|
---|
1739 | PRTCRPKCS7ATTRIBUTE pAttr = SignToolPkcs7_AuthAttribAppend(pAuthAttribs);
|
---|
1740 | if (!pAttr)
|
---|
1741 | return RTEXITCODE_FAILURE;
|
---|
1742 |
|
---|
1743 | int rc = RTCrPkcs7Attribute_SetSigningTime(pAttr, NULL, pAuthAttribs->Allocation.pAllocator);
|
---|
1744 | if (RT_FAILURE(rc))
|
---|
1745 | return RTMsgErrorExitFailure("RTCrPkcs7Attribute_SetSigningTime failed: %Rrc", rc);
|
---|
1746 |
|
---|
1747 | /* Create the timestamp. */
|
---|
1748 | int32_t iPos = RTAsn1SetOfTimes_Append(pAttr->uValues.pSigningTime);
|
---|
1749 | if (iPos < 0)
|
---|
1750 | return RTMsgErrorExitFailure("RTAsn1SetOfTimes_Append failed: %Rrc", iPos);
|
---|
1751 |
|
---|
1752 | PRTASN1TIME pTime = pAttr->uValues.pSigningTime->papItems[iPos];
|
---|
1753 | rc = RTAsn1Time_SetTimeSpec(pTime, pAttr->Allocation.pAllocator, &SigningTime);
|
---|
1754 | if (RT_FAILURE(rc))
|
---|
1755 | return RTMsgErrorExitFailure("RTAsn1Time_SetTimeSpec failed: %Rrc", rc);
|
---|
1756 |
|
---|
1757 | return RTEXITCODE_SUCCESS;
|
---|
1758 | }
|
---|
1759 |
|
---|
1760 |
|
---|
1761 | static RTEXITCODE SignToolPkcs7_AuthAttribsAddSpcOpusInfo(PRTCRPKCS7ATTRIBUTES pAuthAttribs, void *pvInfo)
|
---|
1762 | {
|
---|
1763 | /** @todo The OpusInfo is a structure with an optional SpcString and an
|
---|
1764 | * optional SpcLink (url). The two attributes can be set using the /d and /du
|
---|
1765 | * options of MS signtool.exe, I think. We shouldn't be using them atm. */
|
---|
1766 |
|
---|
1767 | PRTCRPKCS7ATTRIBUTE pAttr = SignToolPkcs7_AuthAttribAppend(pAuthAttribs);
|
---|
1768 | if (!pAttr)
|
---|
1769 | return RTEXITCODE_FAILURE;
|
---|
1770 |
|
---|
1771 | int rc = RTCrPkcs7Attribute_SetMsStatementType(pAttr, NULL, pAuthAttribs->Allocation.pAllocator);
|
---|
1772 | if (RT_FAILURE(rc))
|
---|
1773 | return RTMsgErrorExitFailure("RTCrPkcs7Attribute_SetMsStatementType failed: %Rrc", rc);
|
---|
1774 |
|
---|
1775 | /* Override the ID. */
|
---|
1776 | rc = RTAsn1ObjId_SetFromString(&pAttr->Type, RTCR_PKCS9_ID_MS_SP_OPUS_INFO, pAuthAttribs->Allocation.pAllocator);
|
---|
1777 | if (RT_FAILURE(rc))
|
---|
1778 | return RTMsgErrorExitFailure("RTAsn1ObjId_SetFromString failed: %Rrc", rc);
|
---|
1779 |
|
---|
1780 | /* Add attribute value entry. */
|
---|
1781 | int32_t iPos = RTAsn1SetOfObjIdSeqs_Append(pAttr->uValues.pObjIdSeqs);
|
---|
1782 | if (iPos < 0)
|
---|
1783 | return RTMsgErrorExitFailure("RTAsn1SetOfObjIdSeqs_Append failed: %Rrc", iPos);
|
---|
1784 |
|
---|
1785 | RT_NOREF(pvInfo); Assert(!pvInfo);
|
---|
1786 | return RTEXITCODE_SUCCESS;
|
---|
1787 | }
|
---|
1788 |
|
---|
1789 |
|
---|
1790 | static RTEXITCODE SignToolPkcs7_AuthAttribsAddMsStatementType(PRTCRPKCS7ATTRIBUTES pAuthAttribs, const char *pszTypeId)
|
---|
1791 | {
|
---|
1792 | PRTCRPKCS7ATTRIBUTE pAttr = SignToolPkcs7_AuthAttribAppend(pAuthAttribs);
|
---|
1793 | if (!pAttr)
|
---|
1794 | return RTEXITCODE_FAILURE;
|
---|
1795 |
|
---|
1796 | int rc = RTCrPkcs7Attribute_SetMsStatementType(pAttr, NULL, pAuthAttribs->Allocation.pAllocator);
|
---|
1797 | if (RT_FAILURE(rc))
|
---|
1798 | return RTMsgErrorExitFailure("RTCrPkcs7Attribute_SetMsStatementType failed: %Rrc", rc);
|
---|
1799 |
|
---|
1800 | /* Add attribute value entry. */
|
---|
1801 | int32_t iPos = RTAsn1SetOfObjIdSeqs_Append(pAttr->uValues.pObjIdSeqs);
|
---|
1802 | if (iPos < 0)
|
---|
1803 | return RTMsgErrorExitFailure("RTAsn1SetOfObjIdSeqs_Append failed: %Rrc", iPos);
|
---|
1804 | PRTASN1SEQOFOBJIDS pSeqObjIds = pAttr->uValues.pObjIdSeqs->papItems[iPos];
|
---|
1805 |
|
---|
1806 | /* Add a object id to the value. */
|
---|
1807 | RTASN1OBJID ObjIdValue;
|
---|
1808 | rc = RTAsn1ObjId_InitFromString(&ObjIdValue, pszTypeId, &g_RTAsn1DefaultAllocator);
|
---|
1809 | if (RT_FAILURE(rc))
|
---|
1810 | return RTMsgErrorExitFailure("RTAsn1ObjId_InitFromString/%s failed: %Rrc", pszTypeId, rc);
|
---|
1811 |
|
---|
1812 | rc = RTAsn1SeqOfObjIds_InsertEx(pSeqObjIds, 0 /*iPos*/, &ObjIdValue, &g_RTAsn1DefaultAllocator, NULL);
|
---|
1813 | RTAsn1ObjId_Delete(&ObjIdValue);
|
---|
1814 | if (RT_FAILURE(rc))
|
---|
1815 | return RTMsgErrorExitFailure("RTAsn1SeqOfObjIds_InsertEx failed: %Rrc", rc);
|
---|
1816 |
|
---|
1817 | return RTEXITCODE_SUCCESS;
|
---|
1818 | }
|
---|
1819 |
|
---|
1820 |
|
---|
1821 | static RTEXITCODE SignToolPkcs7_AuthAttribsAddContentType(PRTCRPKCS7ATTRIBUTES pAuthAttribs, const char *pszContentTypeId)
|
---|
1822 | {
|
---|
1823 | PRTCRPKCS7ATTRIBUTE pAttr = SignToolPkcs7_AuthAttribAppend(pAuthAttribs);
|
---|
1824 | if (!pAttr)
|
---|
1825 | return RTEXITCODE_FAILURE;
|
---|
1826 |
|
---|
1827 | int rc = RTCrPkcs7Attribute_SetContentType(pAttr, NULL, pAuthAttribs->Allocation.pAllocator);
|
---|
1828 | if (RT_FAILURE(rc))
|
---|
1829 | return RTMsgErrorExitFailure("RTCrPkcs7Attribute_SetContentType failed: %Rrc", rc);
|
---|
1830 |
|
---|
1831 | /* Add a object id to the value. */
|
---|
1832 | RTASN1OBJID ObjIdValue;
|
---|
1833 | rc = RTAsn1ObjId_InitFromString(&ObjIdValue, pszContentTypeId, pAuthAttribs->Allocation.pAllocator);
|
---|
1834 | if (RT_FAILURE(rc))
|
---|
1835 | return RTMsgErrorExitFailure("RTAsn1ObjId_InitFromString/%s failed: %Rrc", pszContentTypeId, rc);
|
---|
1836 |
|
---|
1837 | rc = RTAsn1SetOfObjIds_InsertEx(pAttr->uValues.pObjIds, 0 /*iPos*/, &ObjIdValue, pAuthAttribs->Allocation.pAllocator, NULL);
|
---|
1838 | RTAsn1ObjId_Delete(&ObjIdValue);
|
---|
1839 | if (RT_FAILURE(rc))
|
---|
1840 | return RTMsgErrorExitFailure("RTAsn1SetOfObjIds_InsertEx failed: %Rrc", rc);
|
---|
1841 |
|
---|
1842 | return RTEXITCODE_SUCCESS;
|
---|
1843 | }
|
---|
1844 |
|
---|
1845 |
|
---|
1846 | static RTEXITCODE SignToolPkcs7_AddAuthAttribsForTimestamp(PRTCRPKCS7ATTRIBUTES pAuthAttribs, bool fTimestampTypeOld,
|
---|
1847 | RTTIMESPEC SigningTime, PCRTCRX509CERTIFICATE pTimestampCert)
|
---|
1848 | {
|
---|
1849 | /*
|
---|
1850 | * Add content type.
|
---|
1851 | */
|
---|
1852 | RTEXITCODE rcExit = SignToolPkcs7_AuthAttribsAddContentType(pAuthAttribs,
|
---|
1853 | fTimestampTypeOld ? RTCR_PKCS7_DATA_OID : RTCRTSPTSTINFO_OID);
|
---|
1854 | if (rcExit != RTEXITCODE_SUCCESS)
|
---|
1855 | return rcExit;
|
---|
1856 |
|
---|
1857 | /*
|
---|
1858 | * Add signing time.
|
---|
1859 | */
|
---|
1860 | rcExit = SignToolPkcs7_AuthAttribsAddSigningTime(pAuthAttribs, SigningTime);
|
---|
1861 | if (rcExit != RTEXITCODE_SUCCESS)
|
---|
1862 | return rcExit;
|
---|
1863 |
|
---|
1864 | /*
|
---|
1865 | * More later if we want to support fTimestampTypeOld = false perhaps?
|
---|
1866 | */
|
---|
1867 | Assert(fTimestampTypeOld);
|
---|
1868 | RT_NOREF(fTimestampTypeOld, pTimestampCert);
|
---|
1869 |
|
---|
1870 | return RTEXITCODE_SUCCESS;
|
---|
1871 | }
|
---|
1872 |
|
---|
1873 |
|
---|
1874 | static RTEXITCODE SignToolPkcs7_AddAuthAttribsForImageOrCatSignature(PRTCRPKCS7ATTRIBUTES pAuthAttribs, RTTIMESPEC SigningTime,
|
---|
1875 | bool fNoSigningTime, const char *pszContentTypeId)
|
---|
1876 | {
|
---|
1877 | /*
|
---|
1878 | * Add SpcOpusInfo. No attribute values.
|
---|
1879 | * SEQ start -vv vv- Type ObjId
|
---|
1880 | * 1c60: 0e 03 02 1a 05 00 a0 70-30 10 06 0a 2b 06 01 04 .......p0...+...
|
---|
1881 | * 1c70: 01 82 37 02 01 0c 31 02-30 00 30 19 06 09 2a 86 ..7...1.0.0...*.
|
---|
1882 | * Set Of -^^ ^^- Empty Sequence.
|
---|
1883 | */
|
---|
1884 | RTEXITCODE rcExit = SignToolPkcs7_AuthAttribsAddSpcOpusInfo(pAuthAttribs, NULL /*pvInfo - none*/);
|
---|
1885 | if (rcExit != RTEXITCODE_SUCCESS)
|
---|
1886 | return rcExit;
|
---|
1887 |
|
---|
1888 | /*
|
---|
1889 | * Add ContentType = Ms-SpcIndirectDataContext?
|
---|
1890 | * SEQ start -vv vv- Type ObjId
|
---|
1891 | * 1c70: 01 82 37 02 01 0c 31 02-30 00 30 19 06 09 2a 86 ..7...1.0.0...*.
|
---|
1892 | * 1c80: 48 86 f7 0d 01 09 03 31-0c 06 0a 2b 06 01 04 01 H......1...+....
|
---|
1893 | * 1c90: 82 37 02 01 04 ^^- ^^- ObjId
|
---|
1894 | * ^- Set Of
|
---|
1895 | */
|
---|
1896 | rcExit = SignToolPkcs7_AuthAttribsAddContentType(pAuthAttribs, pszContentTypeId);
|
---|
1897 | if (rcExit != RTEXITCODE_SUCCESS)
|
---|
1898 | return rcExit;
|
---|
1899 |
|
---|
1900 | /*
|
---|
1901 | * Add Ms-SpcStatementType = Ms-SpcIndividualCodeSigning.
|
---|
1902 | * SEQ start -vv vv- Type ObjId
|
---|
1903 | * 1c90: 82 37 02 01 04 30 1c 06-0a 2b 06 01 04 01 82 37 .7...0...+.....7
|
---|
1904 | * 1ca0: 02 01 0b 31 0e 30 0c 06-0a 2b 06 01 04 01 82 37 ...1.0...+.....7
|
---|
1905 | * 1cb0: 02 01 15 ^^ ^^ ^^- ObjId
|
---|
1906 | * Set Of -^^ ^^- Sequence Of
|
---|
1907 | */
|
---|
1908 | rcExit = SignToolPkcs7_AuthAttribsAddMsStatementType(pAuthAttribs, RTCRSPC_STMT_TYPE_INDIVIDUAL_CODE_SIGNING);
|
---|
1909 | if (rcExit != RTEXITCODE_SUCCESS)
|
---|
1910 | return rcExit;
|
---|
1911 |
|
---|
1912 | /*
|
---|
1913 | * Add signing time. We add this, even if signtool.exe, since OpenSSL will always do it otherwise.
|
---|
1914 | */
|
---|
1915 | if (!fNoSigningTime) /** @todo requires disabling the code in do_pkcs7_signed_attrib that adds it when absent */
|
---|
1916 | {
|
---|
1917 | rcExit = SignToolPkcs7_AuthAttribsAddSigningTime(pAuthAttribs, SigningTime);
|
---|
1918 | if (rcExit != RTEXITCODE_SUCCESS)
|
---|
1919 | return rcExit;
|
---|
1920 | }
|
---|
1921 |
|
---|
1922 | /** @todo more? Some certificate stuff? */
|
---|
1923 |
|
---|
1924 | return RTEXITCODE_SUCCESS;
|
---|
1925 | }
|
---|
1926 |
|
---|
1927 |
|
---|
1928 | static RTEXITCODE SignToolPkcs7_PrependCounterSignature(PRTCRPKCS7SIGNERINFO pSignerInfo,
|
---|
1929 | PCRTCRPKCS7SIGNERINFO pCounterSignerInfo, unsigned cVerbosity)
|
---|
1930 | {
|
---|
1931 | /* Make sure the UnauthenticatedAttributes member is there. */
|
---|
1932 | RTEXITCODE rcExit = SignToolPkcs7_EnsureUnauthenticatedAttributesPresent(pSignerInfo);
|
---|
1933 | if (rcExit != RTEXITCODE_SUCCESS)
|
---|
1934 | return rcExit;
|
---|
1935 |
|
---|
1936 | /* Append an entry to UnauthenticatedAttributes. */
|
---|
1937 | uint32_t iPos;
|
---|
1938 | int rc = RTCrPkcs7Attributes_InsertEx(&pSignerInfo->UnauthenticatedAttributes, 0 /*iPosition*/, NULL /*pToClone*/,
|
---|
1939 | &g_RTAsn1DefaultAllocator, &iPos);
|
---|
1940 | if (RT_FAILURE(rc))
|
---|
1941 | return RTMsgErrorExitFailure("RTCrPkcs7Attributes_Append failed: %Rrc", rc);
|
---|
1942 | Assert(iPos < pSignerInfo->UnauthenticatedAttributes.cItems); Assert(iPos == 0);
|
---|
1943 | PRTCRPKCS7ATTRIBUTE pAttr = pSignerInfo->UnauthenticatedAttributes.papItems[iPos];
|
---|
1944 |
|
---|
1945 | if (cVerbosity >= 2)
|
---|
1946 | RTMsgInfo("Adding UnauthenticatedAttribute #%u...", iPos);
|
---|
1947 |
|
---|
1948 | /* Create the attrib and its sub-set of counter signatures. */
|
---|
1949 | rc = RTCrPkcs7Attribute_SetCounterSignatures(pAttr, NULL, pAttr->Allocation.pAllocator);
|
---|
1950 | if (RT_FAILURE(rc))
|
---|
1951 | return RTMsgErrorExitFailure("RTCrPkcs7Attribute_SetCounterSignatures failed: %Rrc", rc);
|
---|
1952 |
|
---|
1953 | /* Insert the counter signature. */
|
---|
1954 | rc = RTCrPkcs7SignerInfos_InsertEx(pAttr->uValues.pCounterSignatures, 0 /*iPosition*/, pCounterSignerInfo,
|
---|
1955 | pAttr->Allocation.pAllocator, NULL);
|
---|
1956 | if (RT_FAILURE(rc))
|
---|
1957 | return RTMsgErrorExitFailure("RTCrPkcs7SignerInfos_InsertEx failed: %Rrc", rc);
|
---|
1958 |
|
---|
1959 | return RTEXITCODE_SUCCESS;
|
---|
1960 | }
|
---|
1961 |
|
---|
1962 |
|
---|
1963 | static RTEXITCODE SignToolPkcs7_AppendCertificate(PRTCRPKCS7SIGNEDDATA pSignedData, PCRTCRX509CERTIFICATE pCertToAppend)
|
---|
1964 | {
|
---|
1965 | if (pSignedData->Certificates.cItems == 0 && !RTCrPkcs7SetOfCerts_IsPresent(&pSignedData->Certificates))
|
---|
1966 | return RTMsgErrorExitFailure("PKCS#7 signature includes no certificates! Didn't expect that");
|
---|
1967 |
|
---|
1968 | /* Already there? */
|
---|
1969 | PCRTCRX509CERTIFICATE pExisting
|
---|
1970 | = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&pSignedData->Certificates, &pCertToAppend->TbsCertificate.Issuer,
|
---|
1971 | &pCertToAppend->TbsCertificate.SerialNumber);
|
---|
1972 | if (!pExisting || RTCrX509Certificate_Compare(pExisting, pCertToAppend) != 0)
|
---|
1973 | {
|
---|
1974 | /* Prepend a RTCRPKCS7CERT entry. */
|
---|
1975 | uint32_t iPos;
|
---|
1976 | int rc = RTCrPkcs7SetOfCerts_InsertEx(&pSignedData->Certificates, 0 /*iPosition*/, NULL /*pToClone*/,
|
---|
1977 | &g_RTAsn1DefaultAllocator, &iPos);
|
---|
1978 | if (RT_FAILURE(rc))
|
---|
1979 | return RTMsgErrorExitFailure("RTCrPkcs7SetOfCerts_Append failed: %Rrc", rc);
|
---|
1980 | PRTCRPKCS7CERT pCertEntry = pSignedData->Certificates.papItems[iPos];
|
---|
1981 |
|
---|
1982 | /* Set (clone) the certificate. */
|
---|
1983 | rc = RTCrPkcs7Cert_SetX509Cert(pCertEntry, pCertToAppend, pCertEntry->Allocation.pAllocator);
|
---|
1984 | if (RT_FAILURE(rc))
|
---|
1985 | return RTMsgErrorExitFailure("RTCrPkcs7Cert_X509Cert failed: %Rrc", rc);
|
---|
1986 | }
|
---|
1987 | return RTEXITCODE_SUCCESS;
|
---|
1988 | }
|
---|
1989 |
|
---|
1990 | #ifdef RT_OS_WINDOWS
|
---|
1991 |
|
---|
1992 | static PCRTUTF16 GetBCryptNameFromCrDigest(RTCRDIGEST hDigest)
|
---|
1993 | {
|
---|
1994 | switch (RTCrDigestGetType(hDigest))
|
---|
1995 | {
|
---|
1996 | case RTDIGESTTYPE_MD2: return BCRYPT_MD2_ALGORITHM;
|
---|
1997 | case RTDIGESTTYPE_MD4: return BCRYPT_MD4_ALGORITHM;
|
---|
1998 | case RTDIGESTTYPE_SHA1: return BCRYPT_SHA1_ALGORITHM;
|
---|
1999 | case RTDIGESTTYPE_SHA256: return BCRYPT_SHA256_ALGORITHM;
|
---|
2000 | case RTDIGESTTYPE_SHA384: return BCRYPT_SHA384_ALGORITHM;
|
---|
2001 | case RTDIGESTTYPE_SHA512: return BCRYPT_SHA512_ALGORITHM;
|
---|
2002 | default:
|
---|
2003 | RTMsgError("No BCrypt translation for %s/%d!", RTCrDigestGetAlgorithmOid(hDigest), RTCrDigestGetType(hDigest));
|
---|
2004 | return L"No BCrypt translation";
|
---|
2005 | }
|
---|
2006 | }
|
---|
2007 |
|
---|
2008 | static RTEXITCODE
|
---|
2009 | SignToolPkcs7_Pkcs7SignStuffAgainWithReal(const char *pszWhat, SignToolKeyPair *pCertKeyPair, unsigned cVerbosity,
|
---|
2010 | PRTCRPKCS7CONTENTINFO pContentInfo, void **ppvSigned, size_t *pcbSigned)
|
---|
2011 |
|
---|
2012 | {
|
---|
2013 | RT_NOREF(cVerbosity);
|
---|
2014 |
|
---|
2015 | /*
|
---|
2016 | * First remove the fake certificate from the PKCS7 structure and insert the real one.
|
---|
2017 | */
|
---|
2018 | PRTCRPKCS7SIGNEDDATA pSignedData = pContentInfo->u.pSignedData;
|
---|
2019 | unsigned iCert = pSignedData->Certificates.cItems;
|
---|
2020 | unsigned cErased = 0;
|
---|
2021 | while (iCert-- > 0)
|
---|
2022 | {
|
---|
2023 | PCRTCRPKCS7CERT pCert = pSignedData->Certificates.papItems[iCert];
|
---|
2024 | if ( pCert->enmChoice == RTCRPKCS7CERTCHOICE_X509
|
---|
2025 | && RTCrX509Certificate_MatchIssuerAndSerialNumber(pCert->u.pX509Cert,
|
---|
2026 | &pCertKeyPair->pCertificate->TbsCertificate.Issuer,
|
---|
2027 | &pCertKeyPair->pCertificate->TbsCertificate.SerialNumber))
|
---|
2028 | {
|
---|
2029 | RTCrPkcs7SetOfCerts_Erase(&pSignedData->Certificates, iCert);
|
---|
2030 | cErased++;
|
---|
2031 | }
|
---|
2032 | }
|
---|
2033 | if (cErased == 0)
|
---|
2034 | return RTMsgErrorExitFailure("(%s) Failed to find temporary signing certificate in PKCS#7 from OpenSSL: %u certs",
|
---|
2035 | pszWhat, pSignedData->Certificates.cItems);
|
---|
2036 |
|
---|
2037 | /* Then insert the real signing certificate. */
|
---|
2038 | PCRTCRX509CERTIFICATE const pRealCertificate = pCertKeyPair->getRealCertificate();
|
---|
2039 | RTEXITCODE rcExit = SignToolPkcs7_AppendCertificate(pSignedData, pRealCertificate);
|
---|
2040 | if (rcExit != RTEXITCODE_SUCCESS)
|
---|
2041 | return rcExit;
|
---|
2042 |
|
---|
2043 | /*
|
---|
2044 | * Modify the signer info to reflect the real certificate.
|
---|
2045 | */
|
---|
2046 | PRTCRPKCS7SIGNERINFO pSignerInfo = pSignedData->SignerInfos.papItems[0];
|
---|
2047 | RTCrX509Name_Delete(&pSignerInfo->IssuerAndSerialNumber.Name);
|
---|
2048 | int rc = RTCrX509Name_Clone(&pSignerInfo->IssuerAndSerialNumber.Name,
|
---|
2049 | &pRealCertificate->TbsCertificate.Issuer, &g_RTAsn1DefaultAllocator);
|
---|
2050 | if (RT_FAILURE(rc))
|
---|
2051 | return RTMsgErrorExitFailure("(%s) RTCrX509Name_Clone failed: %Rrc", pszWhat, rc);
|
---|
2052 |
|
---|
2053 | RTAsn1Integer_Delete(&pSignerInfo->IssuerAndSerialNumber.SerialNumber);
|
---|
2054 | rc = RTAsn1Integer_Clone(&pSignerInfo->IssuerAndSerialNumber.SerialNumber,
|
---|
2055 | &pRealCertificate->TbsCertificate.SerialNumber, &g_RTAsn1DefaultAllocator);
|
---|
2056 | if (RT_FAILURE(rc))
|
---|
2057 | return RTMsgErrorExitFailure("(%s) RTAsn1Integer_Clone failed: %Rrc", pszWhat, rc);
|
---|
2058 |
|
---|
2059 | /* There shouldn't be anything in the authenticated attributes that
|
---|
2060 | we need to modify... */
|
---|
2061 |
|
---|
2062 | /*
|
---|
2063 | * Now a create a new signature using the real key. Since we haven't modified
|
---|
2064 | * the authenticated attributes, we can just hash them as-is.
|
---|
2065 | */
|
---|
2066 | /* Create the hash to sign. */
|
---|
2067 | RTCRDIGEST hDigest;
|
---|
2068 | rc = RTCrDigestCreateByObjId(&hDigest, &pSignerInfo->DigestAlgorithm.Algorithm);
|
---|
2069 | if (RT_FAILURE(rc))
|
---|
2070 | return RTMsgErrorExitFailure("(%s) RTCrDigestCreateByObjId failed on '%s': %Rrc",
|
---|
2071 | pszWhat, pSignerInfo->DigestAlgorithm.Algorithm.szObjId, rc);
|
---|
2072 |
|
---|
2073 | rcExit = RTEXITCODE_FAILURE;
|
---|
2074 | RTERRINFOSTATIC ErrInfo;
|
---|
2075 | rc = RTCrPkcs7Attributes_HashAttributes(&pSignerInfo->AuthenticatedAttributes, hDigest, RTErrInfoInitStatic(&ErrInfo));
|
---|
2076 | if (RT_SUCCESS(rc))
|
---|
2077 | {
|
---|
2078 | BCRYPT_PKCS1_PADDING_INFO PaddingInfo = { GetBCryptNameFromCrDigest(hDigest) };
|
---|
2079 | DWORD cbSignature = 0;
|
---|
2080 | SECURITY_STATUS rcNCrypt = NCryptSignHash(pCertKeyPair->hNCryptPrivateKey, &PaddingInfo,
|
---|
2081 | (PBYTE)RTCrDigestGetHash(hDigest), RTCrDigestGetHashSize(hDigest),
|
---|
2082 | NULL, 0, &cbSignature, NCRYPT_SILENT_FLAG | BCRYPT_PAD_PKCS1);
|
---|
2083 | if (rcNCrypt == ERROR_SUCCESS)
|
---|
2084 | {
|
---|
2085 | if (cVerbosity)
|
---|
2086 | RTMsgInfo("PaddingInfo: '%ls' cb=%#x, was %#zx\n",
|
---|
2087 | PaddingInfo.pszAlgId, cbSignature, pSignerInfo->EncryptedDigest.Asn1Core.cb);
|
---|
2088 |
|
---|
2089 | rc = RTAsn1OctetString_AllocContent(&pSignerInfo->EncryptedDigest, NULL /*pvSrc*/, cbSignature,
|
---|
2090 | &g_RTAsn1DefaultAllocator);
|
---|
2091 | if (RT_SUCCESS(rc))
|
---|
2092 | {
|
---|
2093 | Assert(pSignerInfo->EncryptedDigest.Asn1Core.uData.pv);
|
---|
2094 | rcNCrypt = NCryptSignHash(pCertKeyPair->hNCryptPrivateKey, &PaddingInfo,
|
---|
2095 | (PBYTE)RTCrDigestGetHash(hDigest), RTCrDigestGetHashSize(hDigest),
|
---|
2096 | (PBYTE)pSignerInfo->EncryptedDigest.Asn1Core.uData.pv, cbSignature, &cbSignature,
|
---|
2097 | /*NCRYPT_SILENT_FLAG |*/ BCRYPT_PAD_PKCS1);
|
---|
2098 | if (rcNCrypt == ERROR_SUCCESS)
|
---|
2099 | {
|
---|
2100 | /*
|
---|
2101 | * Now we need to re-encode the whole thing and decode it again.
|
---|
2102 | */
|
---|
2103 | PRTASN1CORE pRoot = RTCrPkcs7ContentInfo_GetAsn1Core(pContentInfo);
|
---|
2104 | uint32_t cbRealSigned;
|
---|
2105 | rc = RTAsn1EncodePrepare(pRoot, RTASN1ENCODE_F_DER, &cbRealSigned, RTErrInfoInitStatic(&ErrInfo));
|
---|
2106 | if (RT_SUCCESS(rc))
|
---|
2107 | {
|
---|
2108 | void *pvRealSigned = RTMemAllocZ(cbRealSigned);
|
---|
2109 | if (pvRealSigned)
|
---|
2110 | {
|
---|
2111 | rc = RTAsn1EncodeToBuffer(pRoot, RTASN1ENCODE_F_DER, pvRealSigned, cbRealSigned,
|
---|
2112 | RTErrInfoInitStatic(&ErrInfo));
|
---|
2113 | if (RT_SUCCESS(rc))
|
---|
2114 | {
|
---|
2115 | /* Decode it */
|
---|
2116 | RTCrPkcs7ContentInfo_Delete(pContentInfo);
|
---|
2117 |
|
---|
2118 | RTASN1CURSORPRIMARY PrimaryCursor;
|
---|
2119 | RTAsn1CursorInitPrimary(&PrimaryCursor, pvRealSigned, cbRealSigned, RTErrInfoInitStatic(&ErrInfo),
|
---|
2120 | &g_RTAsn1DefaultAllocator, 0, pszWhat);
|
---|
2121 | rc = RTCrPkcs7ContentInfo_DecodeAsn1(&PrimaryCursor.Cursor, 0, pContentInfo, "CI");
|
---|
2122 | if (RT_SUCCESS(rc))
|
---|
2123 | {
|
---|
2124 | Assert(RTCrPkcs7ContentInfo_IsSignedData(pContentInfo));
|
---|
2125 |
|
---|
2126 | /* Almost done! Just replace output buffer. */
|
---|
2127 | RTMemFree(*ppvSigned);
|
---|
2128 | *ppvSigned = pvRealSigned;
|
---|
2129 | *pcbSigned = cbRealSigned;
|
---|
2130 | pvRealSigned = NULL;
|
---|
2131 | rcExit = RTEXITCODE_SUCCESS;
|
---|
2132 | }
|
---|
2133 | else
|
---|
2134 | RTMsgError("(%s) RTCrPkcs7ContentInfo_DecodeAsn1 failed: %Rrc%#RTeim",
|
---|
2135 | pszWhat, rc, &ErrInfo.Core);
|
---|
2136 | }
|
---|
2137 | else
|
---|
2138 | RTMsgError("(%s) RTAsn1EncodeToBuffer failed: %Rrc%#RTeim", pszWhat, rc, &ErrInfo.Core);
|
---|
2139 |
|
---|
2140 | RTMemFree(pvRealSigned);
|
---|
2141 | }
|
---|
2142 | else
|
---|
2143 | RTMsgError("(%s) Failed to allocate %u bytes!", pszWhat, cbRealSigned);
|
---|
2144 | }
|
---|
2145 | else
|
---|
2146 | RTMsgError("(%s) RTAsn1EncodePrepare failed: %Rrc%#RTeim", pszWhat, rc, &ErrInfo.Core);
|
---|
2147 | }
|
---|
2148 | else
|
---|
2149 | RTMsgError("(%s) NCryptSignHash/2 failed: %Rwc %#x (%u)", pszWhat, rcNCrypt, rcNCrypt, rcNCrypt);
|
---|
2150 | }
|
---|
2151 | else
|
---|
2152 | RTMsgError("(%s) RTAsn1OctetString_AllocContent(,,%#x) failed: %Rrc", pszWhat, cbSignature, rc);
|
---|
2153 | }
|
---|
2154 | else
|
---|
2155 | RTMsgError("(%s) NCryptSignHash/1 failed: %Rwc %#x (%u)", pszWhat, rcNCrypt, rcNCrypt, rcNCrypt);
|
---|
2156 | }
|
---|
2157 | else
|
---|
2158 | RTMsgError("(%s) RTCrPkcs7Attributes_HashAttributes failed: %Rrc%#RTeim", pszWhat, rc, &ErrInfo.Core);
|
---|
2159 | RTCrDigestRelease(hDigest);
|
---|
2160 | return rcExit;
|
---|
2161 | }
|
---|
2162 |
|
---|
2163 | #endif /* RT_OS_WINDOWS */
|
---|
2164 |
|
---|
2165 | static RTEXITCODE SignToolPkcs7_Pkcs7SignStuffInner(const char *pszWhat, const void *pvToDataToSign, size_t cbToDataToSign,
|
---|
2166 | PCRTCRPKCS7ATTRIBUTES pAuthAttribs, RTCRSTORE hAdditionalCerts,
|
---|
2167 | uint32_t fExtraFlags, RTDIGESTTYPE enmDigestType,
|
---|
2168 | SignToolKeyPair *pCertKeyPair, unsigned cVerbosity,
|
---|
2169 | void **ppvSigned, size_t *pcbSigned, PRTCRPKCS7CONTENTINFO pContentInfo,
|
---|
2170 | PRTCRPKCS7SIGNEDDATA *ppSignedData)
|
---|
2171 | {
|
---|
2172 | *ppvSigned = NULL;
|
---|
2173 | if (pcbSigned)
|
---|
2174 | *pcbSigned = 0;
|
---|
2175 | if (ppSignedData)
|
---|
2176 | *ppSignedData = NULL;
|
---|
2177 |
|
---|
2178 | /* Figure out how large the signature will be. */
|
---|
2179 | uint32_t const fSignFlags = RTCRPKCS7SIGN_SD_F_USE_V1 | RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP | fExtraFlags;
|
---|
2180 | size_t cbSigned = 1024;
|
---|
2181 | RTERRINFOSTATIC ErrInfo;
|
---|
2182 | int rc = RTCrPkcs7SimpleSignSignedData(fSignFlags, pCertKeyPair->pCertificate, pCertKeyPair->hPrivateKey,
|
---|
2183 | pvToDataToSign, cbToDataToSign,enmDigestType, hAdditionalCerts, pAuthAttribs,
|
---|
2184 | NULL, &cbSigned, RTErrInfoInitStatic(&ErrInfo));
|
---|
2185 | if (rc != VERR_BUFFER_OVERFLOW)
|
---|
2186 | return RTMsgErrorExitFailure("(%s) RTCrPkcs7SimpleSignSignedData failed: %Rrc%#RTeim", pszWhat, rc, &ErrInfo.Core);
|
---|
2187 |
|
---|
2188 | /* Allocate memory for it and do the actual signing. */
|
---|
2189 | void *pvSigned = RTMemAllocZ(cbSigned);
|
---|
2190 | if (!pvSigned)
|
---|
2191 | return RTMsgErrorExitFailure("(%s) Failed to allocate %#zx bytes for %s signature", pszWhat, cbSigned, pszWhat);
|
---|
2192 | rc = RTCrPkcs7SimpleSignSignedData(fSignFlags, pCertKeyPair->pCertificate, pCertKeyPair->hPrivateKey,
|
---|
2193 | pvToDataToSign, cbToDataToSign, enmDigestType, hAdditionalCerts, pAuthAttribs,
|
---|
2194 | pvSigned, &cbSigned, RTErrInfoInitStatic(&ErrInfo));
|
---|
2195 | if (RT_SUCCESS(rc))
|
---|
2196 | {
|
---|
2197 | if (cVerbosity > 2)
|
---|
2198 | RTMsgInfo("%s signature: %#zx bytes\n%.*Rhxd\n", pszWhat, cbSigned, cbSigned, pvSigned);
|
---|
2199 |
|
---|
2200 | /*
|
---|
2201 | * Decode the signature and check that it is SignedData.
|
---|
2202 | */
|
---|
2203 | RTASN1CURSORPRIMARY PrimaryCursor;
|
---|
2204 | RTAsn1CursorInitPrimary(&PrimaryCursor, pvSigned, (uint32_t)cbSigned, RTErrInfoInitStatic(&ErrInfo),
|
---|
2205 | &g_RTAsn1DefaultAllocator, 0, pszWhat);
|
---|
2206 | rc = RTCrPkcs7ContentInfo_DecodeAsn1(&PrimaryCursor.Cursor, 0, pContentInfo, "CI");
|
---|
2207 | if (RT_SUCCESS(rc))
|
---|
2208 | {
|
---|
2209 | if (RTCrPkcs7ContentInfo_IsSignedData(pContentInfo))
|
---|
2210 | {
|
---|
2211 | #ifdef RT_OS_WINDOWS
|
---|
2212 | /*
|
---|
2213 | * If we're using a fake key+cert, we now have to re-do the signing using the real
|
---|
2214 | * key+cert and the windows crypto API. This kludge is necessary because we can't
|
---|
2215 | * typically get that the encoded private key, so it isn't possible to feed it to
|
---|
2216 | * openssl.
|
---|
2217 | */
|
---|
2218 | RTEXITCODE rcExit = RTEXITCODE_SUCCESS;
|
---|
2219 | if (pCertKeyPair->pCertificateReal)
|
---|
2220 | rcExit = SignToolPkcs7_Pkcs7SignStuffAgainWithReal(pszWhat, pCertKeyPair, cVerbosity, pContentInfo,
|
---|
2221 | &pvSigned, &cbSigned);
|
---|
2222 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
2223 | #endif
|
---|
2224 | {
|
---|
2225 | /*
|
---|
2226 | * Set returns and maybe display the result before returning.
|
---|
2227 | */
|
---|
2228 | *ppvSigned = pvSigned;
|
---|
2229 | if (pcbSigned)
|
---|
2230 | *pcbSigned = cbSigned;
|
---|
2231 | if (ppSignedData)
|
---|
2232 | *ppSignedData = pContentInfo->u.pSignedData;
|
---|
2233 |
|
---|
2234 | if (cVerbosity)
|
---|
2235 | {
|
---|
2236 | SHOWEXEPKCS7 ShowExe;
|
---|
2237 | RT_ZERO(ShowExe);
|
---|
2238 | ShowExe.cVerbosity = cVerbosity;
|
---|
2239 | HandleShowExeWorkerPkcs7Display(&ShowExe, pContentInfo->u.pSignedData, 0, pContentInfo);
|
---|
2240 | }
|
---|
2241 | return RTEXITCODE_SUCCESS;
|
---|
2242 | }
|
---|
2243 | }
|
---|
2244 |
|
---|
2245 | RTMsgError("(%s) RTCrPkcs7SimpleSignSignedData did not create SignedData: %s",
|
---|
2246 | pszWhat, pContentInfo->ContentType.szObjId);
|
---|
2247 | }
|
---|
2248 | else
|
---|
2249 | RTMsgError("(%s) RTCrPkcs7ContentInfo_DecodeAsn1 failed: %Rrc%#RTeim", pszWhat, rc, &ErrInfo.Core);
|
---|
2250 | RTCrPkcs7ContentInfo_Delete(pContentInfo);
|
---|
2251 | }
|
---|
2252 | RTMemFree(pvSigned);
|
---|
2253 | return RTEXITCODE_FAILURE;
|
---|
2254 | }
|
---|
2255 |
|
---|
2256 |
|
---|
2257 | static RTEXITCODE SignToolPkcs7_Pkcs7SignStuff(const char *pszWhat, const void *pvToDataToSign, size_t cbToDataToSign,
|
---|
2258 | PCRTCRPKCS7ATTRIBUTES pAuthAttribs, RTCRSTORE hAdditionalCerts,
|
---|
2259 | uint32_t fExtraFlags, RTDIGESTTYPE enmDigestType, SignToolKeyPair *pCertKeyPair,
|
---|
2260 | unsigned cVerbosity, void **ppvSigned, size_t *pcbSigned,
|
---|
2261 | PRTCRPKCS7CONTENTINFO pContentInfo, PRTCRPKCS7SIGNEDDATA *ppSignedData)
|
---|
2262 | {
|
---|
2263 | /*
|
---|
2264 | * Gather all additional certificates before doing the actual work.
|
---|
2265 | */
|
---|
2266 | RTCRSTORE hAllAdditionalCerts = pCertKeyPair->assembleAllAdditionalCertificates(hAdditionalCerts);
|
---|
2267 | if (hAllAdditionalCerts == NIL_RTCRSTORE)
|
---|
2268 | return RTEXITCODE_FAILURE;
|
---|
2269 | RTEXITCODE rcExit = SignToolPkcs7_Pkcs7SignStuffInner(pszWhat, pvToDataToSign, cbToDataToSign, pAuthAttribs,
|
---|
2270 | hAllAdditionalCerts, fExtraFlags, enmDigestType, pCertKeyPair,
|
---|
2271 | cVerbosity, ppvSigned, pcbSigned, pContentInfo, ppSignedData);
|
---|
2272 | RTCrStoreRelease(hAllAdditionalCerts);
|
---|
2273 | return rcExit;
|
---|
2274 | }
|
---|
2275 |
|
---|
2276 |
|
---|
2277 | static RTEXITCODE SignToolPkcs7_AddTimestampSignatureEx(PRTCRPKCS7SIGNERINFO pSignerInfo, PRTCRPKCS7SIGNEDDATA pSignedData,
|
---|
2278 | unsigned cVerbosity, bool fReplaceExisting, bool fTimestampTypeOld,
|
---|
2279 | RTTIMESPEC SigningTime, SignToolKeyPair *pTimestampPair)
|
---|
2280 | {
|
---|
2281 | AssertReturn(fTimestampTypeOld, RTMsgErrorExitFailure("New style signatures not supported yet"));
|
---|
2282 |
|
---|
2283 | /*
|
---|
2284 | * Create a set of attributes we need to include in the AuthenticatedAttributes
|
---|
2285 | * of the timestamp signature.
|
---|
2286 | */
|
---|
2287 | RTCRPKCS7ATTRIBUTES AuthAttribs;
|
---|
2288 | int rc = RTCrPkcs7Attributes_Init(&AuthAttribs, &g_RTAsn1DefaultAllocator);
|
---|
2289 | if (RT_FAILURE(rc))
|
---|
2290 | return RTMsgErrorExitFailure("RTCrPkcs7SetOfAttributes_Init failed: %Rrc", rc);
|
---|
2291 |
|
---|
2292 | RTEXITCODE rcExit = SignToolPkcs7_AddAuthAttribsForTimestamp(&AuthAttribs, fTimestampTypeOld, SigningTime,
|
---|
2293 | pTimestampPair->getRealCertificate());
|
---|
2294 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
2295 | {
|
---|
2296 | /*
|
---|
2297 | * Now create a PKCS#7 signature of the encrypted signature from the selected signer info.
|
---|
2298 | */
|
---|
2299 | void *pvSigned = NULL;
|
---|
2300 | PRTCRPKCS7SIGNEDDATA pTsSignedData = NULL;
|
---|
2301 | RTCRPKCS7CONTENTINFO TsContentInfo;
|
---|
2302 | rcExit = SignToolPkcs7_Pkcs7SignStuffInner("timestamp", pSignerInfo->EncryptedDigest.Asn1Core.uData.pv,
|
---|
2303 | pSignerInfo->EncryptedDigest.Asn1Core.cb, &AuthAttribs,
|
---|
2304 | NIL_RTCRSTORE /*hAdditionalCerts*/, RTCRPKCS7SIGN_SD_F_DEATCHED,
|
---|
2305 | RTDIGESTTYPE_SHA1, pTimestampPair, cVerbosity,
|
---|
2306 | &pvSigned, NULL /*pcbSigned*/, &TsContentInfo, &pTsSignedData);
|
---|
2307 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
2308 | {
|
---|
2309 |
|
---|
2310 | /*
|
---|
2311 | * If we're replacing existing timestamp signatures, remove old ones now.
|
---|
2312 | */
|
---|
2313 | if ( fReplaceExisting
|
---|
2314 | && RTCrPkcs7Attributes_IsPresent(&pSignerInfo->UnauthenticatedAttributes))
|
---|
2315 | {
|
---|
2316 | uint32_t iItem = pSignerInfo->UnauthenticatedAttributes.cItems;
|
---|
2317 | while (iItem-- > 0)
|
---|
2318 | {
|
---|
2319 | PRTCRPKCS7ATTRIBUTE pAttr = pSignerInfo->UnauthenticatedAttributes.papItems[iItem];
|
---|
2320 | if (pAttr->enmType == RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES) /* ASSUMES all counter sigs are timstamps */
|
---|
2321 | {
|
---|
2322 | if (cVerbosity > 1)
|
---|
2323 | RTMsgInfo("Removing counter signature in attribute #%u\n", iItem);
|
---|
2324 | rc = RTCrPkcs7Attributes_Erase(&pSignerInfo->UnauthenticatedAttributes, iItem);
|
---|
2325 | if (RT_FAILURE(rc))
|
---|
2326 | rcExit = RTMsgErrorExitFailure("RTCrPkcs7Attributes_Erase failed on #%u: %Rrc", iItem, rc);
|
---|
2327 | }
|
---|
2328 | }
|
---|
2329 | }
|
---|
2330 |
|
---|
2331 | /*
|
---|
2332 | * Add the new one.
|
---|
2333 | */
|
---|
2334 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
2335 | rcExit = SignToolPkcs7_PrependCounterSignature(pSignerInfo, pTsSignedData->SignerInfos.papItems[0], cVerbosity);
|
---|
2336 |
|
---|
2337 | /*
|
---|
2338 | * Make sure the signing certificate is included.
|
---|
2339 | */
|
---|
2340 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
2341 | {
|
---|
2342 | rcExit = SignToolPkcs7_AppendCertificate(pSignedData, pTimestampPair->getRealCertificate());
|
---|
2343 |
|
---|
2344 | PCRTCRCERTCTX pInterCaCtx = NULL;
|
---|
2345 | while ((pInterCaCtx = pTimestampPair->findNextIntermediateCert(pInterCaCtx)) != NULL)
|
---|
2346 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
2347 | rcExit = SignToolPkcs7_AppendCertificate(pSignedData, pInterCaCtx->pCert);
|
---|
2348 | }
|
---|
2349 |
|
---|
2350 | /*
|
---|
2351 | * Clean up.
|
---|
2352 | */
|
---|
2353 | RTCrPkcs7ContentInfo_Delete(&TsContentInfo);
|
---|
2354 | RTMemFree(pvSigned);
|
---|
2355 | }
|
---|
2356 | }
|
---|
2357 | RTCrPkcs7Attributes_Delete(&AuthAttribs);
|
---|
2358 | return rcExit;
|
---|
2359 | }
|
---|
2360 |
|
---|
2361 |
|
---|
2362 | static RTEXITCODE SignToolPkcs7_AddTimestampSignature(SIGNTOOLPKCS7EXE *pThis, unsigned cVerbosity, unsigned iSignature,
|
---|
2363 | bool fReplaceExisting, bool fTimestampTypeOld, RTTIMESPEC SigningTime,
|
---|
2364 | SignToolKeyPair *pTimestampPair)
|
---|
2365 | {
|
---|
2366 | AssertReturn(fTimestampTypeOld, RTMsgErrorExitFailure("New style signatures not supported yet"));
|
---|
2367 |
|
---|
2368 | /*
|
---|
2369 | * Locate the signature specified by iSignature and add a timestamp to it.
|
---|
2370 | */
|
---|
2371 | PRTCRPKCS7SIGNEDDATA pSignedData = NULL;
|
---|
2372 | PRTCRPKCS7SIGNERINFO pSignerInfo = SignToolPkcs7_FindNestedSignatureByIndex(pThis, iSignature, &pSignedData);
|
---|
2373 | if (!pSignerInfo)
|
---|
2374 | return RTMsgErrorExitFailure("No signature #%u in %s", iSignature, pThis->pszFilename);
|
---|
2375 |
|
---|
2376 | return SignToolPkcs7_AddTimestampSignatureEx(pSignerInfo, pSignedData, cVerbosity, fReplaceExisting, fTimestampTypeOld,
|
---|
2377 | SigningTime, pTimestampPair);
|
---|
2378 | }
|
---|
2379 |
|
---|
2380 |
|
---|
2381 | typedef enum SIGNDATATWEAK
|
---|
2382 | {
|
---|
2383 | kSignDataTweak_NoTweak = 1,
|
---|
2384 | kSignDataTweak_RootIsParent
|
---|
2385 | } SIGNDATATWEAK;
|
---|
2386 |
|
---|
2387 | static RTEXITCODE SignToolPkcs7_SignData(SIGNTOOLPKCS7 *pThis, PRTASN1CORE pToSignRoot, SIGNDATATWEAK enmTweak,
|
---|
2388 | const char *pszContentTypeId, unsigned cVerbosity, uint32_t fExtraFlags,
|
---|
2389 | RTDIGESTTYPE enmSigType, bool fReplaceExisting, bool fNoSigningTime,
|
---|
2390 | SignToolKeyPair *pSigningCertKey, RTCRSTORE hAddCerts,
|
---|
2391 | bool fTimestampTypeOld, RTTIMESPEC SigningTime, SignToolKeyPair *pTimestampCertKey)
|
---|
2392 | {
|
---|
2393 | /*
|
---|
2394 | * Encode it.
|
---|
2395 | */
|
---|
2396 | RTERRINFOSTATIC ErrInfo;
|
---|
2397 | uint32_t cbEncoded = 0;
|
---|
2398 | int rc = RTAsn1EncodePrepare(pToSignRoot, RTASN1ENCODE_F_DER, &cbEncoded, RTErrInfoInitStatic(&ErrInfo));
|
---|
2399 | if (RT_FAILURE(rc))
|
---|
2400 | return RTMsgErrorExitFailure("RTAsn1EncodePrepare failed: %Rrc%RTeim", rc, &ErrInfo.Core);
|
---|
2401 |
|
---|
2402 | if (cVerbosity >= 4)
|
---|
2403 | RTAsn1Dump(pToSignRoot, 0, 0, RTStrmDumpPrintfV, g_pStdOut);
|
---|
2404 |
|
---|
2405 | uint8_t *pbEncoded = (uint8_t *)RTMemTmpAllocZ(cbEncoded );
|
---|
2406 | if (!pbEncoded)
|
---|
2407 | return RTMsgErrorExitFailure("Failed to allocate %#z bytes for encoding data we're signing (%s)",
|
---|
2408 | cbEncoded, pszContentTypeId);
|
---|
2409 |
|
---|
2410 | RTEXITCODE rcExit = RTEXITCODE_FAILURE;
|
---|
2411 | rc = RTAsn1EncodeToBuffer(pToSignRoot, RTASN1ENCODE_F_DER, pbEncoded, cbEncoded, RTErrInfoInitStatic(&ErrInfo));
|
---|
2412 | if (RT_SUCCESS(rc))
|
---|
2413 | {
|
---|
2414 | size_t const cbToSign = cbEncoded - (enmTweak == kSignDataTweak_RootIsParent ? pToSignRoot->cbHdr : 0);
|
---|
2415 | void const *pvToSign = pbEncoded + (enmTweak == kSignDataTweak_RootIsParent ? pToSignRoot->cbHdr : 0);
|
---|
2416 |
|
---|
2417 | /*
|
---|
2418 | * Create additional authenticated attributes.
|
---|
2419 | */
|
---|
2420 | RTCRPKCS7ATTRIBUTES AuthAttribs;
|
---|
2421 | rc = RTCrPkcs7Attributes_Init(&AuthAttribs, &g_RTAsn1DefaultAllocator);
|
---|
2422 | if (RT_SUCCESS(rc))
|
---|
2423 | {
|
---|
2424 | rcExit = SignToolPkcs7_AddAuthAttribsForImageOrCatSignature(&AuthAttribs, SigningTime, fNoSigningTime,
|
---|
2425 | pszContentTypeId);
|
---|
2426 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
2427 | {
|
---|
2428 | /*
|
---|
2429 | * Ditch the old signature if so desired.
|
---|
2430 | * (It is okay to do this in the CAT case too, as we've already
|
---|
2431 | * encoded the data and won't touch pToSignRoot any more.)
|
---|
2432 | */
|
---|
2433 | pToSignRoot = NULL; /* (may become invalid if replacing) */
|
---|
2434 | if (fReplaceExisting && pThis->pSignedData)
|
---|
2435 | {
|
---|
2436 | RTCrPkcs7ContentInfo_Delete(&pThis->ContentInfo);
|
---|
2437 | pThis->pSignedData = NULL;
|
---|
2438 | RTMemFree(pThis->pbBuf);
|
---|
2439 | pThis->pbBuf = NULL;
|
---|
2440 | pThis->cbBuf = 0;
|
---|
2441 | }
|
---|
2442 |
|
---|
2443 | /*
|
---|
2444 | * Do the actual signing.
|
---|
2445 | */
|
---|
2446 | SIGNTOOLPKCS7 Src = { RTSIGNTOOLFILETYPE_DETECT, NULL, 0, NULL };
|
---|
2447 | PSIGNTOOLPKCS7 pSigDst = !pThis->pSignedData ? pThis : &Src;
|
---|
2448 | rcExit = SignToolPkcs7_Pkcs7SignStuff("image", pvToSign, cbToSign, &AuthAttribs, hAddCerts,
|
---|
2449 | fExtraFlags | RTCRPKCS7SIGN_SD_F_NO_DATA_ENCAP, enmSigType /** @todo ?? */,
|
---|
2450 | pSigningCertKey, cVerbosity,
|
---|
2451 | (void **)&pSigDst->pbBuf, &pSigDst->cbBuf,
|
---|
2452 | &pSigDst->ContentInfo, &pSigDst->pSignedData);
|
---|
2453 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
2454 | {
|
---|
2455 | /*
|
---|
2456 | * Add a timestamp signature if requested.
|
---|
2457 | */
|
---|
2458 | if (pTimestampCertKey->isComplete())
|
---|
2459 | rcExit = SignToolPkcs7_AddTimestampSignatureEx(pSigDst->pSignedData->SignerInfos.papItems[0],
|
---|
2460 | pSigDst->pSignedData,
|
---|
2461 | cVerbosity, false /*fReplaceExisting*/,
|
---|
2462 | fTimestampTypeOld, SigningTime, pTimestampCertKey);
|
---|
2463 |
|
---|
2464 | /*
|
---|
2465 | * Append the signature to the existing one, if that's what we're doing.
|
---|
2466 | */
|
---|
2467 | if (rcExit == RTEXITCODE_SUCCESS && pSigDst == &Src)
|
---|
2468 | rcExit = SignToolPkcs7_AddNestedSignature(pThis, &Src, cVerbosity, true /*fPrepend*/); /** @todo prepend/append option */
|
---|
2469 |
|
---|
2470 | /* cleanup */
|
---|
2471 | if (pSigDst == &Src)
|
---|
2472 | SignToolPkcs7_Delete(&Src);
|
---|
2473 | }
|
---|
2474 |
|
---|
2475 | }
|
---|
2476 | RTCrPkcs7Attributes_Delete(&AuthAttribs);
|
---|
2477 | }
|
---|
2478 | else
|
---|
2479 | RTMsgError("RTCrPkcs7SetOfAttributes_Init failed: %Rrc", rc);
|
---|
2480 | }
|
---|
2481 | else
|
---|
2482 | RTMsgError("RTAsn1EncodeToBuffer failed: %Rrc", rc);
|
---|
2483 | RTMemTmpFree(pbEncoded);
|
---|
2484 | return rcExit;
|
---|
2485 | }
|
---|
2486 |
|
---|
2487 |
|
---|
2488 | static RTEXITCODE SignToolPkcs7_SpcCompleteWithoutPageHashes(RTCRSPCINDIRECTDATACONTENT *pSpcIndData)
|
---|
2489 | {
|
---|
2490 | PCRTASN1ALLOCATORVTABLE const pAllocator = &g_RTAsn1DefaultAllocator;
|
---|
2491 | PRTCRSPCPEIMAGEDATA const pPeImage = pSpcIndData->Data.uValue.pPeImage;
|
---|
2492 | Assert(pPeImage);
|
---|
2493 |
|
---|
2494 | /*
|
---|
2495 | * Set it to File with an empty name.
|
---|
2496 | * RTCRSPCPEIMAGEDATA::Flags -vv
|
---|
2497 | * RTCRSPCPEIMAGEDATA::SeqCore -vv T0 -vv vv- pT2/CtxTag2
|
---|
2498 | * 0040: 04 01 82 37 02 01 0f 30-09 03 01 00 a0 04 a2 02 ...7...0........
|
---|
2499 | * 0050: 80 00 30 21 30 09 06 05-2b 0e 03 02 1a 05 00 04 ..0!0...+.......
|
---|
2500 | * ^^- pUcs2 / empty string
|
---|
2501 | */
|
---|
2502 |
|
---|
2503 | /* Create an empty BMP string. */
|
---|
2504 | RTASN1STRING EmptyStr;
|
---|
2505 | int rc = RTAsn1BmpString_Init(&EmptyStr, pAllocator);
|
---|
2506 | if (RT_FAILURE(rc))
|
---|
2507 | return RTMsgErrorExitFailure("RTAsn1BmpString_Init/Ucs2 failed: %Rrc", rc);
|
---|
2508 |
|
---|
2509 | /* Create an SPC string and use the above empty string with the Ucs2 setter. */
|
---|
2510 | RTEXITCODE rcExit = RTEXITCODE_FAILURE;
|
---|
2511 | RTCRSPCSTRING SpcString;
|
---|
2512 | rc = RTCrSpcString_Init(&SpcString, pAllocator);
|
---|
2513 | if (RT_SUCCESS(rc))
|
---|
2514 | {
|
---|
2515 | rc = RTCrSpcString_SetUcs2(&SpcString, &EmptyStr, pAllocator);
|
---|
2516 | if (RT_SUCCESS(rc))
|
---|
2517 | {
|
---|
2518 | /* Create a temporary SpcLink with the empty SpcString. */
|
---|
2519 | RTCRSPCLINK SpcLink;
|
---|
2520 | rc = RTCrSpcLink_Init(&SpcLink, pAllocator);
|
---|
2521 | if (RT_SUCCESS(rc))
|
---|
2522 | {
|
---|
2523 | /* Use the setter on the SpcLink object to copy the SpcString to it. */
|
---|
2524 | rc = RTCrSpcLink_SetFile(&SpcLink, &SpcString, pAllocator);
|
---|
2525 | if (RT_SUCCESS(rc))
|
---|
2526 | {
|
---|
2527 | /* Use the setter to copy SpcLink to the PeImage structure. */
|
---|
2528 | rc = RTCrSpcPeImageData_SetFile(pPeImage, &SpcLink, pAllocator);
|
---|
2529 | if (RT_SUCCESS(rc))
|
---|
2530 | rcExit = RTEXITCODE_SUCCESS;
|
---|
2531 | else
|
---|
2532 | RTMsgError("RTCrSpcPeImageData_SetFile failed: %Rrc", rc);
|
---|
2533 | }
|
---|
2534 | else
|
---|
2535 | RTMsgError("RTCrSpcLink_SetFile failed: %Rrc", rc);
|
---|
2536 | RTCrSpcLink_Delete(&SpcLink);
|
---|
2537 | }
|
---|
2538 | else
|
---|
2539 | RTMsgError("RTCrSpcLink_Init failed: %Rrc", rc);
|
---|
2540 | }
|
---|
2541 | else
|
---|
2542 | RTMsgError("RTCrSpcString_SetUcs2 failed: %Rrc", rc);
|
---|
2543 | RTCrSpcString_Delete(&SpcString);
|
---|
2544 | }
|
---|
2545 | else
|
---|
2546 | RTMsgError("RTCrSpcString_Init failed: %Rrc", rc);
|
---|
2547 | RTAsn1BmpString_Delete(&EmptyStr);
|
---|
2548 | return rcExit;
|
---|
2549 | }
|
---|
2550 |
|
---|
2551 |
|
---|
2552 | static RTEXITCODE SignToolPkcs7_SpcAddImagePageHashes(SIGNTOOLPKCS7EXE *pThis, RTCRSPCINDIRECTDATACONTENT *pSpcIndData,
|
---|
2553 | RTDIGESTTYPE enmSigType)
|
---|
2554 | {
|
---|
2555 | PCRTASN1ALLOCATORVTABLE const pAllocator = &g_RTAsn1DefaultAllocator;
|
---|
2556 | PRTCRSPCPEIMAGEDATA const pPeImage = pSpcIndData->Data.uValue.pPeImage;
|
---|
2557 | Assert(pPeImage);
|
---|
2558 |
|
---|
2559 | /*
|
---|
2560 | * The hashes are stored in the 'Moniker' attribute.
|
---|
2561 | */
|
---|
2562 | /* Create a temporary SpcLink with a default moniker. */
|
---|
2563 | RTCRSPCLINK SpcLink;
|
---|
2564 | int rc = RTCrSpcLink_Init(&SpcLink, pAllocator);
|
---|
2565 | if (RT_FAILURE(rc))
|
---|
2566 | return RTMsgErrorExitFailure("RTCrSpcLink_Init failed: %Rrc", rc);
|
---|
2567 | rc = RTCrSpcLink_SetMoniker(&SpcLink, NULL, pAllocator);
|
---|
2568 | if (RT_SUCCESS(rc))
|
---|
2569 | {
|
---|
2570 | /* Use the setter to copy SpcLink to the PeImage structure. */
|
---|
2571 | rc = RTCrSpcPeImageData_SetFile(pPeImage, &SpcLink, pAllocator);
|
---|
2572 | if (RT_FAILURE(rc))
|
---|
2573 | RTMsgError("RTCrSpcLink_SetFile failed: %Rrc", rc);
|
---|
2574 | }
|
---|
2575 | else
|
---|
2576 | RTMsgError("RTCrSpcLink_SetMoniker failed: %Rrc", rc);
|
---|
2577 | RTCrSpcLink_Delete(&SpcLink);
|
---|
2578 | if (RT_FAILURE(rc))
|
---|
2579 | return RTEXITCODE_FAILURE;
|
---|
2580 |
|
---|
2581 | /*
|
---|
2582 | * Now go to work on the moniker. It doesn't have any autogenerated
|
---|
2583 | * setters, so we must do stuff manually.
|
---|
2584 | */
|
---|
2585 | PRTCRSPCSERIALIZEDOBJECT pMoniker = pPeImage->T0.File.u.pMoniker;
|
---|
2586 | RTUUID Uuid;
|
---|
2587 | rc = RTUuidFromStr(&Uuid, RTCRSPCSERIALIZEDOBJECT_UUID_STR);
|
---|
2588 | if (RT_FAILURE(rc))
|
---|
2589 | return RTMsgErrorExitFailure("RTUuidFromStr failed: %Rrc", rc);
|
---|
2590 |
|
---|
2591 | rc = RTAsn1OctetString_AllocContent(&pMoniker->Uuid, &Uuid, sizeof(Uuid), pAllocator);
|
---|
2592 | if (RT_FAILURE(rc))
|
---|
2593 | return RTMsgErrorExitFailure("RTAsn1String_InitWithValue/UUID failed: %Rrc", rc);
|
---|
2594 |
|
---|
2595 | /* Create a new set of attributes and associate this with the SerializedData member. */
|
---|
2596 | PRTCRSPCSERIALIZEDOBJECTATTRIBUTES pSpcAttribs;
|
---|
2597 | rc = RTAsn1MemAllocZ(&pMoniker->SerializedData.EncapsulatedAllocation,
|
---|
2598 | (void **)&pSpcAttribs, sizeof(*pSpcAttribs));
|
---|
2599 | if (RT_FAILURE(rc))
|
---|
2600 | return RTMsgErrorExitFailure("RTAsn1MemAllocZ/pSpcAttribs failed: %Rrc", rc);
|
---|
2601 | pMoniker->SerializedData.pEncapsulated = RTCrSpcSerializedObjectAttributes_GetAsn1Core(pSpcAttribs);
|
---|
2602 | pMoniker->enmType = RTCRSPCSERIALIZEDOBJECTTYPE_ATTRIBUTES;
|
---|
2603 | pMoniker->u.pData = pSpcAttribs;
|
---|
2604 |
|
---|
2605 | rc = RTCrSpcSerializedObjectAttributes_Init(pSpcAttribs, pAllocator);
|
---|
2606 | if (RT_FAILURE(rc))
|
---|
2607 | return RTMsgErrorExitFailure("RTCrSpcSerializedObjectAttributes_Init failed: %Rrc", rc);
|
---|
2608 |
|
---|
2609 | /*
|
---|
2610 | * Add a single attribute to the set that we'll use for page hashes.
|
---|
2611 | */
|
---|
2612 | int32_t iPos = RTCrSpcSerializedObjectAttributes_Append(pSpcAttribs);
|
---|
2613 | if (iPos < 0)
|
---|
2614 | return RTMsgErrorExitFailure("RTCrSpcSerializedObjectAttributes_Append failed: %Rrc", iPos);
|
---|
2615 | PRTCRSPCSERIALIZEDOBJECTATTRIBUTE pSpcObjAttr = pSpcAttribs->papItems[iPos];
|
---|
2616 |
|
---|
2617 | if (enmSigType == RTDIGESTTYPE_SHA1)
|
---|
2618 | rc = RTCrSpcSerializedObjectAttribute_SetV1Hashes(pSpcObjAttr, NULL, pAllocator);
|
---|
2619 | else if (enmSigType == RTDIGESTTYPE_SHA256)
|
---|
2620 | rc = RTCrSpcSerializedObjectAttribute_SetV2Hashes(pSpcObjAttr, NULL, pAllocator);
|
---|
2621 | else
|
---|
2622 | rc = VERR_CR_DIGEST_NOT_SUPPORTED;
|
---|
2623 | if (RT_FAILURE(rc))
|
---|
2624 | return RTMsgErrorExitFailure("RTCrSpcSerializedObjectAttribute_SetV1Hashes/SetV2Hashes failed: %Rrc", rc);
|
---|
2625 | PRTCRSPCSERIALIZEDPAGEHASHES pSpcPageHashes = pSpcObjAttr->u.pPageHashes;
|
---|
2626 | Assert(pSpcPageHashes);
|
---|
2627 |
|
---|
2628 | /*
|
---|
2629 | * Now ask the loader for the number of pages in the page hash table
|
---|
2630 | * and calculate its size.
|
---|
2631 | */
|
---|
2632 | uint32_t cPages = 0;
|
---|
2633 | rc = RTLdrQueryPropEx(pThis->hLdrMod, RTLDRPROP_HASHABLE_PAGES, NULL, &cPages, sizeof(cPages), NULL);
|
---|
2634 | if (RT_FAILURE(rc))
|
---|
2635 | return RTMsgErrorExitFailure("RTLdrQueryPropEx/RTLDRPROP_HASHABLE_PAGES failed: %Rrc", rc);
|
---|
2636 |
|
---|
2637 | uint32_t const cbHash = RTCrDigestTypeToHashSize(enmSigType);
|
---|
2638 | AssertReturn(cbHash > 0, RTMsgErrorExitFailure("Invalid value: enmSigType=%d", enmSigType));
|
---|
2639 | uint32_t const cbTable = (sizeof(uint32_t) + cbHash) * cPages;
|
---|
2640 |
|
---|
2641 | /*
|
---|
2642 | * Allocate memory in the octect string.
|
---|
2643 | */
|
---|
2644 | rc = RTAsn1ContentAllocZ(&pSpcPageHashes->RawData.Asn1Core, cbTable, pAllocator);
|
---|
2645 | if (RT_FAILURE(rc))
|
---|
2646 | return RTMsgErrorExitFailure("RTAsn1ContentAllocZ failed to allocate %#x bytes for page hashes: %Rrc", cbTable, rc);
|
---|
2647 | pSpcPageHashes->pData = (PCRTCRSPCPEIMAGEPAGEHASHES)pSpcPageHashes->RawData.Asn1Core.uData.pu8;
|
---|
2648 |
|
---|
2649 | RTLDRPROP enmLdrProp;
|
---|
2650 | switch (enmSigType)
|
---|
2651 | {
|
---|
2652 | case RTDIGESTTYPE_SHA1: enmLdrProp = RTLDRPROP_SHA1_PAGE_HASHES; break;
|
---|
2653 | case RTDIGESTTYPE_SHA256: enmLdrProp = RTLDRPROP_SHA256_PAGE_HASHES; break;
|
---|
2654 | default: AssertFailedReturn(RTMsgErrorExitFailure("Invalid value: enmSigType=%d", enmSigType));
|
---|
2655 |
|
---|
2656 | }
|
---|
2657 | rc = RTLdrQueryPropEx(pThis->hLdrMod, enmLdrProp, NULL, (void *)pSpcPageHashes->RawData.Asn1Core.uData.pv, cbTable, NULL);
|
---|
2658 | if (RT_FAILURE(rc))
|
---|
2659 | return RTMsgErrorExitFailure("RTLdrQueryPropEx/RTLDRPROP_SHA?_PAGE_HASHES/%#x failed: %Rrc", cbTable, rc);
|
---|
2660 |
|
---|
2661 | return RTEXITCODE_SUCCESS;
|
---|
2662 | }
|
---|
2663 |
|
---|
2664 |
|
---|
2665 | static RTEXITCODE SignToolPkcs7_SpcAddImageHash(SIGNTOOLPKCS7EXE *pThis, RTCRSPCINDIRECTDATACONTENT *pSpcIndData,
|
---|
2666 | RTDIGESTTYPE enmSigType)
|
---|
2667 | {
|
---|
2668 | uint32_t const cbHash = RTCrDigestTypeToHashSize(enmSigType);
|
---|
2669 | const char * const pszAlgId = RTCrDigestTypeToAlgorithmOid(enmSigType);
|
---|
2670 |
|
---|
2671 | /*
|
---|
2672 | * Ask the loader for the hash.
|
---|
2673 | */
|
---|
2674 | uint8_t abHash[RTSHA512_HASH_SIZE];
|
---|
2675 | int rc = RTLdrHashImage(pThis->hLdrMod, enmSigType, abHash, sizeof(abHash));
|
---|
2676 | if (RT_FAILURE(rc))
|
---|
2677 | return RTMsgErrorExitFailure("RTLdrHashImage/%s failed: %Rrc", RTCrDigestTypeToName(enmSigType), rc);
|
---|
2678 |
|
---|
2679 | /*
|
---|
2680 | * Set it.
|
---|
2681 | */
|
---|
2682 | /** @todo no setter, this should be okay, though... */
|
---|
2683 | rc = RTAsn1ObjId_InitFromString(&pSpcIndData->DigestInfo.DigestAlgorithm.Algorithm, pszAlgId, &g_RTAsn1DefaultAllocator);
|
---|
2684 | if (RT_FAILURE(rc))
|
---|
2685 | return RTMsgErrorExitFailure("RTAsn1ObjId_InitFromString/%s failed: %Rrc", pszAlgId, rc);
|
---|
2686 | RTAsn1DynType_SetToNull(&pSpcIndData->DigestInfo.DigestAlgorithm.Parameters); /* ASSUMES RSA or similar */
|
---|
2687 |
|
---|
2688 | rc = RTAsn1ContentDup(&pSpcIndData->DigestInfo.Digest.Asn1Core, abHash, cbHash, &g_RTAsn1DefaultAllocator);
|
---|
2689 | if (RT_FAILURE(rc))
|
---|
2690 | return RTMsgErrorExitFailure("RTAsn1ContentDup/%#x failed: %Rrc", cbHash, rc);
|
---|
2691 |
|
---|
2692 | return RTEXITCODE_SUCCESS;
|
---|
2693 | }
|
---|
2694 |
|
---|
2695 |
|
---|
2696 | static RTEXITCODE SignToolPkcs7_AddOrReplaceSignature(SIGNTOOLPKCS7EXE *pThis, unsigned cVerbosity, RTDIGESTTYPE enmSigType,
|
---|
2697 | bool fReplaceExisting, bool fHashPages, bool fNoSigningTime,
|
---|
2698 | SignToolKeyPair *pSigningCertKey,
|
---|
2699 | RTCRSTORE hAddCerts, bool fTimestampTypeOld,
|
---|
2700 | RTTIMESPEC SigningTime, SignToolKeyPair *pTimestampCertKey)
|
---|
2701 | {
|
---|
2702 | AssertReturn(fTimestampTypeOld || pTimestampCertKey->isNull(),
|
---|
2703 | RTMsgErrorExitFailure("New style signatures not supported yet"));
|
---|
2704 |
|
---|
2705 | /*
|
---|
2706 | * We must construct the data to be packed into the PKCS#7 signature
|
---|
2707 | * and signed.
|
---|
2708 | */
|
---|
2709 | PCRTASN1ALLOCATORVTABLE const pAllocator = &g_RTAsn1DefaultAllocator;
|
---|
2710 | RTCRSPCINDIRECTDATACONTENT SpcIndData;
|
---|
2711 | int rc = RTCrSpcIndirectDataContent_Init(&SpcIndData, pAllocator);
|
---|
2712 | if (RT_FAILURE(rc))
|
---|
2713 | return RTMsgErrorExitFailure("RTCrSpcIndirectDataContent_Init failed: %Rrc", rc);
|
---|
2714 |
|
---|
2715 | /* Set the data to PE image. */
|
---|
2716 | /** @todo Generalize the Type + enmType DYN stuff and generate setters. */
|
---|
2717 | Assert(SpcIndData.Data.enmType == RTCRSPCAAOVTYPE_NOT_PRESENT);
|
---|
2718 | Assert(SpcIndData.Data.uValue.pPeImage == NULL);
|
---|
2719 | RTEXITCODE rcExit;
|
---|
2720 | rc = RTAsn1ObjId_SetFromString(&SpcIndData.Data.Type, RTCRSPCPEIMAGEDATA_OID, pAllocator);
|
---|
2721 | if (RT_SUCCESS(rc))
|
---|
2722 | {
|
---|
2723 | SpcIndData.Data.enmType = RTCRSPCAAOVTYPE_PE_IMAGE_DATA;
|
---|
2724 | rc = RTAsn1MemAllocZ(&SpcIndData.Data.Allocation, (void **)&SpcIndData.Data.uValue.pPeImage,
|
---|
2725 | sizeof(*SpcIndData.Data.uValue.pPeImage));
|
---|
2726 | if (RT_SUCCESS(rc))
|
---|
2727 | {
|
---|
2728 | rc = RTCrSpcPeImageData_Init(SpcIndData.Data.uValue.pPeImage, pAllocator);
|
---|
2729 | if (RT_SUCCESS(rc))
|
---|
2730 | {
|
---|
2731 | /* Old (SHA1) signatures has a Flags member, it's zero bits, though. */
|
---|
2732 | if (enmSigType == RTDIGESTTYPE_SHA1)
|
---|
2733 | {
|
---|
2734 | uint8_t bFlags = 0;
|
---|
2735 | RTASN1BITSTRING Flags;
|
---|
2736 | rc = RTAsn1BitString_InitWithData(&Flags, &bFlags, 0, pAllocator);
|
---|
2737 | if (RT_SUCCESS(rc))
|
---|
2738 | {
|
---|
2739 | rc = RTCrSpcPeImageData_SetFlags(SpcIndData.Data.uValue.pPeImage, &Flags, pAllocator);
|
---|
2740 | RTAsn1BitString_Delete(&Flags);
|
---|
2741 | if (RT_FAILURE(rc))
|
---|
2742 | rcExit = RTMsgErrorExitFailure("RTCrSpcPeImageData_SetFlags failed: %Rrc", rc);
|
---|
2743 | }
|
---|
2744 | else
|
---|
2745 | rcExit = RTMsgErrorExitFailure("RTAsn1BitString_InitWithData failed: %Rrc", rc);
|
---|
2746 | }
|
---|
2747 |
|
---|
2748 | /*
|
---|
2749 | * Add the hashes.
|
---|
2750 | */
|
---|
2751 | rcExit = SignToolPkcs7_SpcAddImageHash(pThis, &SpcIndData, enmSigType);
|
---|
2752 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
2753 | {
|
---|
2754 | if (fHashPages)
|
---|
2755 | rcExit = SignToolPkcs7_SpcAddImagePageHashes(pThis, &SpcIndData, enmSigType);
|
---|
2756 | else
|
---|
2757 | rcExit = SignToolPkcs7_SpcCompleteWithoutPageHashes(&SpcIndData);
|
---|
2758 |
|
---|
2759 | /*
|
---|
2760 | * Encode and sign the SPC data, timestamp it, and line it up for adding to the executable.
|
---|
2761 | */
|
---|
2762 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
2763 | rcExit = SignToolPkcs7_SignData(pThis, RTCrSpcIndirectDataContent_GetAsn1Core(&SpcIndData),
|
---|
2764 | kSignDataTweak_NoTweak, RTCRSPCINDIRECTDATACONTENT_OID, cVerbosity, 0,
|
---|
2765 | enmSigType, fReplaceExisting, fNoSigningTime, pSigningCertKey, hAddCerts,
|
---|
2766 | fTimestampTypeOld, SigningTime, pTimestampCertKey);
|
---|
2767 | }
|
---|
2768 | }
|
---|
2769 | else
|
---|
2770 | rcExit = RTMsgErrorExitFailure("RTCrPkcs7SignerInfos_Init failed: %Rrc", rc);
|
---|
2771 | }
|
---|
2772 | else
|
---|
2773 | rcExit = RTMsgErrorExitFailure("RTAsn1MemAllocZ failed for RTCRSPCPEIMAGEDATA: %Rrc", rc);
|
---|
2774 | }
|
---|
2775 | else
|
---|
2776 | rcExit = RTMsgErrorExitFailure("RTAsn1ObjId_SetWithString/SpcPeImageData failed: %Rrc", rc);
|
---|
2777 |
|
---|
2778 | RTCrSpcIndirectDataContent_Delete(&SpcIndData);
|
---|
2779 | return rcExit;
|
---|
2780 | }
|
---|
2781 |
|
---|
2782 |
|
---|
2783 | static RTEXITCODE SignToolPkcs7_AddOrReplaceCatSignature(SIGNTOOLPKCS7 *pThis, unsigned cVerbosity, RTDIGESTTYPE enmSigType,
|
---|
2784 | bool fReplaceExisting, bool fNoSigningTime,
|
---|
2785 | SignToolKeyPair *pSigningCertKey,
|
---|
2786 | RTCRSTORE hAddCerts, bool fTimestampTypeOld,
|
---|
2787 | RTTIMESPEC SigningTime, SignToolKeyPair *pTimestampCertKey)
|
---|
2788 | {
|
---|
2789 | AssertReturn(fTimestampTypeOld || pTimestampCertKey->isNull(),
|
---|
2790 | RTMsgErrorExitFailure("New style signatures not supported yet"));
|
---|
2791 | AssertReturn(pThis->pSignedData, RTMsgErrorExitFailure("pSignedData is NULL!"));
|
---|
2792 |
|
---|
2793 | /*
|
---|
2794 | * Figure out what to sign first.
|
---|
2795 | */
|
---|
2796 | uint32_t fExtraFlags = 0;
|
---|
2797 | PRTASN1CORE pToSign = &pThis->pSignedData->ContentInfo.Content.Asn1Core;
|
---|
2798 | const char *pszType = pThis->pSignedData->ContentInfo.ContentType.szObjId;
|
---|
2799 |
|
---|
2800 | if (!fReplaceExisting && pThis->pSignedData->SignerInfos.cItems == 0)
|
---|
2801 | fReplaceExisting = true;
|
---|
2802 | if (!fReplaceExisting)
|
---|
2803 | {
|
---|
2804 | pszType = RTCR_PKCS7_DATA_OID;
|
---|
2805 | fExtraFlags |= RTCRPKCS7SIGN_SD_F_DEATCHED;
|
---|
2806 | }
|
---|
2807 |
|
---|
2808 | /*
|
---|
2809 | * Do the signing.
|
---|
2810 | */
|
---|
2811 | RTEXITCODE rcExit = SignToolPkcs7_SignData(pThis, pToSign, kSignDataTweak_RootIsParent,
|
---|
2812 | pszType, cVerbosity, fExtraFlags, enmSigType, fReplaceExisting,
|
---|
2813 | fNoSigningTime, pSigningCertKey, hAddCerts,
|
---|
2814 | fTimestampTypeOld, SigningTime, pTimestampCertKey);
|
---|
2815 |
|
---|
2816 | /* probably need to clean up stuff related to nested signatures here later... */
|
---|
2817 | return rcExit;
|
---|
2818 | }
|
---|
2819 |
|
---|
2820 | #endif /* !IPRT_SIGNTOOL_NO_SIGNING */
|
---|
2821 |
|
---|
2822 |
|
---|
2823 | /*********************************************************************************************************************************
|
---|
2824 | * The 'extract-exe-signer-cert' command. *
|
---|
2825 | *********************************************************************************************************************************/
|
---|
2826 |
|
---|
2827 | static RTEXITCODE HelpExtractExeSignerCert(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
2828 | {
|
---|
2829 | RT_NOREF_PV(enmLevel);
|
---|
2830 | RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT,
|
---|
2831 | "extract-exe-signer-cert [--ber|--cer|--der] [--signature-index|-i <num>] [--exe|-e] <exe> [--output|-o] <outfile.cer>\n");
|
---|
2832 | return RTEXITCODE_SUCCESS;
|
---|
2833 | }
|
---|
2834 |
|
---|
2835 | static RTEXITCODE HandleExtractExeSignerCert(int cArgs, char **papszArgs)
|
---|
2836 | {
|
---|
2837 | /*
|
---|
2838 | * Parse arguments.
|
---|
2839 | */
|
---|
2840 | static const RTGETOPTDEF s_aOptions[] =
|
---|
2841 | {
|
---|
2842 | { "--ber", 'b', RTGETOPT_REQ_NOTHING },
|
---|
2843 | { "--cer", 'c', RTGETOPT_REQ_NOTHING },
|
---|
2844 | { "--der", 'd', RTGETOPT_REQ_NOTHING },
|
---|
2845 | { "--exe", 'e', RTGETOPT_REQ_STRING },
|
---|
2846 | { "--output", 'o', RTGETOPT_REQ_STRING },
|
---|
2847 | { "--signature-index", 'i', RTGETOPT_REQ_UINT32 },
|
---|
2848 | { "--force", 'f', RTGETOPT_REQ_NOTHING },
|
---|
2849 | };
|
---|
2850 |
|
---|
2851 | const char *pszExe = NULL;
|
---|
2852 | const char *pszOut = NULL;
|
---|
2853 | RTLDRARCH enmLdrArch = RTLDRARCH_WHATEVER;
|
---|
2854 | unsigned cVerbosity = 0;
|
---|
2855 | uint32_t fCursorFlags = RTASN1CURSOR_FLAGS_DER;
|
---|
2856 | uint32_t iSignature = 0;
|
---|
2857 | bool fForce = false;
|
---|
2858 |
|
---|
2859 | RTGETOPTSTATE GetState;
|
---|
2860 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
2861 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
2862 | RTGETOPTUNION ValueUnion;
|
---|
2863 | int ch;
|
---|
2864 | while ((ch = RTGetOpt(&GetState, &ValueUnion)))
|
---|
2865 | {
|
---|
2866 | switch (ch)
|
---|
2867 | {
|
---|
2868 | case 'e': pszExe = ValueUnion.psz; break;
|
---|
2869 | case 'o': pszOut = ValueUnion.psz; break;
|
---|
2870 | case 'b': fCursorFlags = 0; break;
|
---|
2871 | case 'c': fCursorFlags = RTASN1CURSOR_FLAGS_CER; break;
|
---|
2872 | case 'd': fCursorFlags = RTASN1CURSOR_FLAGS_DER; break;
|
---|
2873 | case 'f': fForce = true; break;
|
---|
2874 | case 'i': iSignature = ValueUnion.u32; break;
|
---|
2875 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
2876 | case 'h': return HelpExtractExeSignerCert(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
2877 |
|
---|
2878 | case VINF_GETOPT_NOT_OPTION:
|
---|
2879 | if (!pszExe)
|
---|
2880 | pszExe = ValueUnion.psz;
|
---|
2881 | else if (!pszOut)
|
---|
2882 | pszOut = ValueUnion.psz;
|
---|
2883 | else
|
---|
2884 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Too many file arguments: %s", ValueUnion.psz);
|
---|
2885 | break;
|
---|
2886 |
|
---|
2887 | default:
|
---|
2888 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
2889 | }
|
---|
2890 | }
|
---|
2891 | if (!pszExe)
|
---|
2892 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No executable given.");
|
---|
2893 | if (!pszOut)
|
---|
2894 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No output file given.");
|
---|
2895 | if (!fForce && RTPathExists(pszOut))
|
---|
2896 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "The output file '%s' exists.", pszOut);
|
---|
2897 |
|
---|
2898 | /*
|
---|
2899 | * Do it.
|
---|
2900 | */
|
---|
2901 | /* Read & decode the PKCS#7 signature. */
|
---|
2902 | SIGNTOOLPKCS7EXE This;
|
---|
2903 | RTEXITCODE rcExit = SignToolPkcs7Exe_InitFromFile(&This, pszExe, cVerbosity, enmLdrArch);
|
---|
2904 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
2905 | {
|
---|
2906 | /* Find the signing certificate (ASSUMING that the certificate used is shipped in the set of certificates). */
|
---|
2907 | PRTCRPKCS7SIGNEDDATA pSignedData;
|
---|
2908 | PCRTCRPKCS7SIGNERINFO pSignerInfo = SignToolPkcs7_FindNestedSignatureByIndex(&This, iSignature, &pSignedData);
|
---|
2909 | rcExit = RTEXITCODE_FAILURE;
|
---|
2910 | if (pSignerInfo)
|
---|
2911 | {
|
---|
2912 | PCRTCRPKCS7ISSUERANDSERIALNUMBER pISN = &pSignedData->SignerInfos.papItems[0]->IssuerAndSerialNumber;
|
---|
2913 | PCRTCRX509CERTIFICATE pCert;
|
---|
2914 | pCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&pSignedData->Certificates,
|
---|
2915 | &pISN->Name, &pISN->SerialNumber);
|
---|
2916 | if (pCert)
|
---|
2917 | {
|
---|
2918 | /*
|
---|
2919 | * Write it out.
|
---|
2920 | */
|
---|
2921 | RTFILE hFile;
|
---|
2922 | rc = RTFileOpen(&hFile, pszOut,
|
---|
2923 | RTFILE_O_WRITE | RTFILE_O_DENY_WRITE | (fForce ? RTFILE_O_CREATE_REPLACE : RTFILE_O_CREATE));
|
---|
2924 | if (RT_SUCCESS(rc))
|
---|
2925 | {
|
---|
2926 | uint32_t cbCert = pCert->SeqCore.Asn1Core.cbHdr + pCert->SeqCore.Asn1Core.cb;
|
---|
2927 | rc = RTFileWrite(hFile, pCert->SeqCore.Asn1Core.uData.pu8 - pCert->SeqCore.Asn1Core.cbHdr,
|
---|
2928 | cbCert, NULL);
|
---|
2929 | if (RT_SUCCESS(rc))
|
---|
2930 | {
|
---|
2931 | rc = RTFileClose(hFile);
|
---|
2932 | if (RT_SUCCESS(rc))
|
---|
2933 | {
|
---|
2934 | hFile = NIL_RTFILE;
|
---|
2935 | rcExit = RTEXITCODE_SUCCESS;
|
---|
2936 | RTMsgInfo("Successfully wrote %u bytes to '%s'", cbCert, pszOut);
|
---|
2937 | }
|
---|
2938 | else
|
---|
2939 | RTMsgError("RTFileClose failed: %Rrc", rc);
|
---|
2940 | }
|
---|
2941 | else
|
---|
2942 | RTMsgError("RTFileWrite failed: %Rrc", rc);
|
---|
2943 | RTFileClose(hFile);
|
---|
2944 | }
|
---|
2945 | else
|
---|
2946 | RTMsgError("Error opening '%s' for writing: %Rrc", pszOut, rc);
|
---|
2947 | }
|
---|
2948 | else
|
---|
2949 | RTMsgError("Certificate not found.");
|
---|
2950 | }
|
---|
2951 | else
|
---|
2952 | RTMsgError("Could not locate signature #%u!", iSignature);
|
---|
2953 |
|
---|
2954 | /* Delete the signature data. */
|
---|
2955 | SignToolPkcs7Exe_Delete(&This);
|
---|
2956 | }
|
---|
2957 | return rcExit;
|
---|
2958 | }
|
---|
2959 |
|
---|
2960 |
|
---|
2961 | /*********************************************************************************************************************************
|
---|
2962 | * The 'extract-exe-signature' command. *
|
---|
2963 | *********************************************************************************************************************************/
|
---|
2964 |
|
---|
2965 | static RTEXITCODE HelpExtractExeSignature(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
2966 | {
|
---|
2967 | RT_NOREF_PV(enmLevel);
|
---|
2968 | RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT,
|
---|
2969 | "extract-exe-signerature [--exe|-e] <exe> [--output|-o] <outfile.pkcs7>\n");
|
---|
2970 | return RTEXITCODE_SUCCESS;
|
---|
2971 | }
|
---|
2972 |
|
---|
2973 | static RTEXITCODE HandleExtractExeSignature(int cArgs, char **papszArgs)
|
---|
2974 | {
|
---|
2975 | /*
|
---|
2976 | * Parse arguments.
|
---|
2977 | */
|
---|
2978 | static const RTGETOPTDEF s_aOptions[] =
|
---|
2979 | {
|
---|
2980 | { "--exe", 'e', RTGETOPT_REQ_STRING },
|
---|
2981 | { "--output", 'o', RTGETOPT_REQ_STRING },
|
---|
2982 | { "--force", 'f', RTGETOPT_REQ_NOTHING },
|
---|
2983 | };
|
---|
2984 |
|
---|
2985 | const char *pszExe = NULL;
|
---|
2986 | const char *pszOut = NULL;
|
---|
2987 | RTLDRARCH enmLdrArch = RTLDRARCH_WHATEVER;
|
---|
2988 | unsigned cVerbosity = 0;
|
---|
2989 | bool fForce = false;
|
---|
2990 |
|
---|
2991 | RTGETOPTSTATE GetState;
|
---|
2992 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
2993 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
2994 | RTGETOPTUNION ValueUnion;
|
---|
2995 | int ch;
|
---|
2996 | while ((ch = RTGetOpt(&GetState, &ValueUnion)))
|
---|
2997 | {
|
---|
2998 | switch (ch)
|
---|
2999 | {
|
---|
3000 | case 'e': pszExe = ValueUnion.psz; break;
|
---|
3001 | case 'o': pszOut = ValueUnion.psz; break;
|
---|
3002 | case 'f': fForce = true; break;
|
---|
3003 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
3004 | case 'h': return HelpExtractExeSignerCert(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
3005 |
|
---|
3006 | case VINF_GETOPT_NOT_OPTION:
|
---|
3007 | if (!pszExe)
|
---|
3008 | pszExe = ValueUnion.psz;
|
---|
3009 | else if (!pszOut)
|
---|
3010 | pszOut = ValueUnion.psz;
|
---|
3011 | else
|
---|
3012 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Too many file arguments: %s", ValueUnion.psz);
|
---|
3013 | break;
|
---|
3014 |
|
---|
3015 | default:
|
---|
3016 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
3017 | }
|
---|
3018 | }
|
---|
3019 | if (!pszExe)
|
---|
3020 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No executable given.");
|
---|
3021 | if (!pszOut)
|
---|
3022 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No output file given.");
|
---|
3023 | if (!fForce && RTPathExists(pszOut))
|
---|
3024 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "The output file '%s' exists.", pszOut);
|
---|
3025 |
|
---|
3026 | /*
|
---|
3027 | * Do it.
|
---|
3028 | */
|
---|
3029 | /* Read & decode the PKCS#7 signature. */
|
---|
3030 | SIGNTOOLPKCS7EXE This;
|
---|
3031 | RTEXITCODE rcExit = SignToolPkcs7Exe_InitFromFile(&This, pszExe, cVerbosity, enmLdrArch);
|
---|
3032 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
3033 | {
|
---|
3034 | /*
|
---|
3035 | * Write out the PKCS#7 signature.
|
---|
3036 | */
|
---|
3037 | RTFILE hFile;
|
---|
3038 | rc = RTFileOpen(&hFile, pszOut,
|
---|
3039 | RTFILE_O_WRITE | RTFILE_O_DENY_WRITE | (fForce ? RTFILE_O_CREATE_REPLACE : RTFILE_O_CREATE));
|
---|
3040 | if (RT_SUCCESS(rc))
|
---|
3041 | {
|
---|
3042 | rc = RTFileWrite(hFile, This.pbBuf, This.cbBuf, NULL);
|
---|
3043 | if (RT_SUCCESS(rc))
|
---|
3044 | {
|
---|
3045 | rc = RTFileClose(hFile);
|
---|
3046 | if (RT_SUCCESS(rc))
|
---|
3047 | {
|
---|
3048 | hFile = NIL_RTFILE;
|
---|
3049 | RTMsgInfo("Successfully wrote %u bytes to '%s'", This.cbBuf, pszOut);
|
---|
3050 | rcExit = RTEXITCODE_SUCCESS;
|
---|
3051 | }
|
---|
3052 | else
|
---|
3053 | RTMsgError("RTFileClose failed: %Rrc", rc);
|
---|
3054 | }
|
---|
3055 | else
|
---|
3056 | RTMsgError("RTFileWrite failed: %Rrc", rc);
|
---|
3057 | RTFileClose(hFile);
|
---|
3058 | }
|
---|
3059 | else
|
---|
3060 | RTMsgError("Error opening '%s' for writing: %Rrc", pszOut, rc);
|
---|
3061 |
|
---|
3062 | /* Delete the signature data. */
|
---|
3063 | SignToolPkcs7Exe_Delete(&This);
|
---|
3064 | }
|
---|
3065 | return rcExit;
|
---|
3066 | }
|
---|
3067 |
|
---|
3068 |
|
---|
3069 | /*********************************************************************************************************************************
|
---|
3070 | * The 'add-nested-exe-signature' command. *
|
---|
3071 | *********************************************************************************************************************************/
|
---|
3072 |
|
---|
3073 | static RTEXITCODE HelpAddNestedExeSignature(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
3074 | {
|
---|
3075 | RT_NOREF_PV(enmLevel);
|
---|
3076 | RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT,
|
---|
3077 | "add-nested-exe-signature [-v|--verbose] [-d|--debug] [-p|--prepend] <destination-exe> <source-exe>\n");
|
---|
3078 | if (enmLevel == RTSIGNTOOLHELP_FULL)
|
---|
3079 | RTStrmWrappedPrintf(pStrm, 0,
|
---|
3080 | "\n"
|
---|
3081 | "The --debug option allows the source-exe to be omitted in order to test the "
|
---|
3082 | "encoding and PE file modification.\n"
|
---|
3083 | "\n"
|
---|
3084 | "The --prepend option puts the nested signature first rather than appending it "
|
---|
3085 | "to the end of of the nested signature set. Windows reads nested signatures in "
|
---|
3086 | "reverse order, so --prepend will logically putting it last.\n");
|
---|
3087 | return RTEXITCODE_SUCCESS;
|
---|
3088 | }
|
---|
3089 |
|
---|
3090 |
|
---|
3091 | static RTEXITCODE HandleAddNestedExeSignature(int cArgs, char **papszArgs)
|
---|
3092 | {
|
---|
3093 | /*
|
---|
3094 | * Parse arguments.
|
---|
3095 | */
|
---|
3096 | static const RTGETOPTDEF s_aOptions[] =
|
---|
3097 | {
|
---|
3098 | { "--prepend", 'p', RTGETOPT_REQ_NOTHING },
|
---|
3099 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
3100 | { "--debug", 'd', RTGETOPT_REQ_NOTHING },
|
---|
3101 | };
|
---|
3102 |
|
---|
3103 | const char *pszDst = NULL;
|
---|
3104 | const char *pszSrc = NULL;
|
---|
3105 | unsigned cVerbosity = 0;
|
---|
3106 | bool fDebug = false;
|
---|
3107 | bool fPrepend = false;
|
---|
3108 |
|
---|
3109 | RTGETOPTSTATE GetState;
|
---|
3110 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
3111 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
3112 | RTGETOPTUNION ValueUnion;
|
---|
3113 | int ch;
|
---|
3114 | while ((ch = RTGetOpt(&GetState, &ValueUnion)))
|
---|
3115 | {
|
---|
3116 | switch (ch)
|
---|
3117 | {
|
---|
3118 | case 'v': cVerbosity++; break;
|
---|
3119 | case 'd': fDebug = pszSrc == NULL; break;
|
---|
3120 | case 'p': fPrepend = true; break;
|
---|
3121 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
3122 | case 'h': return HelpAddNestedExeSignature(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
3123 |
|
---|
3124 | case VINF_GETOPT_NOT_OPTION:
|
---|
3125 | if (!pszDst)
|
---|
3126 | pszDst = ValueUnion.psz;
|
---|
3127 | else if (!pszSrc)
|
---|
3128 | {
|
---|
3129 | pszSrc = ValueUnion.psz;
|
---|
3130 | fDebug = false;
|
---|
3131 | }
|
---|
3132 | else
|
---|
3133 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Too many file arguments: %s", ValueUnion.psz);
|
---|
3134 | break;
|
---|
3135 |
|
---|
3136 | default:
|
---|
3137 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
3138 | }
|
---|
3139 | }
|
---|
3140 | if (!pszDst)
|
---|
3141 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No destination executable given.");
|
---|
3142 | if (!pszSrc && !fDebug)
|
---|
3143 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No source executable file given.");
|
---|
3144 |
|
---|
3145 | /*
|
---|
3146 | * Do it.
|
---|
3147 | */
|
---|
3148 | /* Read & decode the source PKCS#7 signature. */
|
---|
3149 | SIGNTOOLPKCS7EXE Src;
|
---|
3150 | RTEXITCODE rcExit = pszSrc ? SignToolPkcs7Exe_InitFromFile(&Src, pszSrc, cVerbosity) : RTEXITCODE_SUCCESS;
|
---|
3151 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
3152 | {
|
---|
3153 | /* Ditto for the destination PKCS#7 signature. */
|
---|
3154 | SIGNTOOLPKCS7EXE Dst;
|
---|
3155 | rcExit = SignToolPkcs7Exe_InitFromFile(&Dst, pszDst, cVerbosity);
|
---|
3156 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
3157 | {
|
---|
3158 | /* Do the signature manipulation. */
|
---|
3159 | if (pszSrc)
|
---|
3160 | rcExit = SignToolPkcs7_AddNestedSignature(&Dst, &Src, cVerbosity, fPrepend);
|
---|
3161 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
3162 | rcExit = SignToolPkcs7_Encode(&Dst, cVerbosity);
|
---|
3163 |
|
---|
3164 | /* Update the destination executable file. */
|
---|
3165 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
3166 | rcExit = SignToolPkcs7Exe_WriteSignatureToFile(&Dst, cVerbosity);
|
---|
3167 |
|
---|
3168 | SignToolPkcs7Exe_Delete(&Dst);
|
---|
3169 | }
|
---|
3170 | if (pszSrc)
|
---|
3171 | SignToolPkcs7Exe_Delete(&Src);
|
---|
3172 | }
|
---|
3173 |
|
---|
3174 | return rcExit;
|
---|
3175 | }
|
---|
3176 |
|
---|
3177 |
|
---|
3178 | /*********************************************************************************************************************************
|
---|
3179 | * The 'add-nested-cat-signature' command. *
|
---|
3180 | *********************************************************************************************************************************/
|
---|
3181 |
|
---|
3182 | static RTEXITCODE HelpAddNestedCatSignature(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
3183 | {
|
---|
3184 | RT_NOREF_PV(enmLevel);
|
---|
3185 | RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT,
|
---|
3186 | "add-nested-cat-signature [-v|--verbose] [-d|--debug] [-p|--prepend] <destination-cat> <source-cat>\n");
|
---|
3187 | if (enmLevel == RTSIGNTOOLHELP_FULL)
|
---|
3188 | RTStrmWrappedPrintf(pStrm, 0,
|
---|
3189 | "\n"
|
---|
3190 | "The --debug option allows the source-cat to be omitted in order to test the "
|
---|
3191 | "ASN.1 re-encoding of the destination catalog file.\n"
|
---|
3192 | "\n"
|
---|
3193 | "The --prepend option puts the nested signature first rather than appending it "
|
---|
3194 | "to the end of of the nested signature set. Windows reads nested signatures in "
|
---|
3195 | "reverse order, so --prepend will logically putting it last.\n");
|
---|
3196 | return RTEXITCODE_SUCCESS;
|
---|
3197 | }
|
---|
3198 |
|
---|
3199 |
|
---|
3200 | static RTEXITCODE HandleAddNestedCatSignature(int cArgs, char **papszArgs)
|
---|
3201 | {
|
---|
3202 | /*
|
---|
3203 | * Parse arguments.
|
---|
3204 | */
|
---|
3205 | static const RTGETOPTDEF s_aOptions[] =
|
---|
3206 | {
|
---|
3207 | { "--prepend", 'p', RTGETOPT_REQ_NOTHING },
|
---|
3208 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
3209 | { "--debug", 'd', RTGETOPT_REQ_NOTHING },
|
---|
3210 | };
|
---|
3211 |
|
---|
3212 | const char *pszDst = NULL;
|
---|
3213 | const char *pszSrc = NULL;
|
---|
3214 | unsigned cVerbosity = 0;
|
---|
3215 | bool fDebug = false;
|
---|
3216 | bool fPrepend = false;
|
---|
3217 |
|
---|
3218 | RTGETOPTSTATE GetState;
|
---|
3219 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
3220 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
3221 | RTGETOPTUNION ValueUnion;
|
---|
3222 | int ch;
|
---|
3223 | while ((ch = RTGetOpt(&GetState, &ValueUnion)))
|
---|
3224 | {
|
---|
3225 | switch (ch)
|
---|
3226 | {
|
---|
3227 | case 'v': cVerbosity++; break;
|
---|
3228 | case 'd': fDebug = pszSrc == NULL; break;
|
---|
3229 | case 'p': fPrepend = true; break;
|
---|
3230 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
3231 | case 'h': return HelpAddNestedCatSignature(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
3232 |
|
---|
3233 | case VINF_GETOPT_NOT_OPTION:
|
---|
3234 | if (!pszDst)
|
---|
3235 | pszDst = ValueUnion.psz;
|
---|
3236 | else if (!pszSrc)
|
---|
3237 | {
|
---|
3238 | pszSrc = ValueUnion.psz;
|
---|
3239 | fDebug = false;
|
---|
3240 | }
|
---|
3241 | else
|
---|
3242 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Too many file arguments: %s", ValueUnion.psz);
|
---|
3243 | break;
|
---|
3244 |
|
---|
3245 | default:
|
---|
3246 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
3247 | }
|
---|
3248 | }
|
---|
3249 | if (!pszDst)
|
---|
3250 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No destination catalog file given.");
|
---|
3251 | if (!pszSrc && !fDebug)
|
---|
3252 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No source catalog file given.");
|
---|
3253 |
|
---|
3254 | /*
|
---|
3255 | * Do it.
|
---|
3256 | */
|
---|
3257 | /* Read & decode the source PKCS#7 signature. */
|
---|
3258 | SIGNTOOLPKCS7 Src;
|
---|
3259 | RTEXITCODE rcExit = pszSrc ? SignToolPkcs7_InitFromFile(&Src, pszSrc, cVerbosity) : RTEXITCODE_SUCCESS;
|
---|
3260 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
3261 | {
|
---|
3262 | /* Ditto for the destination PKCS#7 signature. */
|
---|
3263 | SIGNTOOLPKCS7EXE Dst;
|
---|
3264 | rcExit = SignToolPkcs7_InitFromFile(&Dst, pszDst, cVerbosity);
|
---|
3265 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
3266 | {
|
---|
3267 | /* Do the signature manipulation. */
|
---|
3268 | if (pszSrc)
|
---|
3269 | rcExit = SignToolPkcs7_AddNestedSignature(&Dst, &Src, cVerbosity, fPrepend);
|
---|
3270 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
3271 | rcExit = SignToolPkcs7_Encode(&Dst, cVerbosity);
|
---|
3272 |
|
---|
3273 | /* Update the destination executable file. */
|
---|
3274 | if (rcExit == RTEXITCODE_SUCCESS)
|
---|
3275 | rcExit = SignToolPkcs7_WriteSignatureToFile(&Dst, pszDst, cVerbosity);
|
---|
3276 |
|
---|
3277 | SignToolPkcs7_Delete(&Dst);
|
---|
3278 | }
|
---|
3279 | if (pszSrc)
|
---|
3280 | SignToolPkcs7_Delete(&Src);
|
---|
3281 | }
|
---|
3282 |
|
---|
3283 | return rcExit;
|
---|
3284 | }
|
---|
3285 |
|
---|
3286 |
|
---|
3287 | /*********************************************************************************************************************************
|
---|
3288 | * Option handlers shared by 'sign-exe', 'sign-cat', 'add-timestamp-exe-signature' and others. *
|
---|
3289 | *********************************************************************************************************************************/
|
---|
3290 | #ifndef IPRT_SIGNTOOL_NO_SIGNING
|
---|
3291 |
|
---|
3292 | static RTEXITCODE HandleOptAddCert(PRTCRSTORE phStore, const char *pszFile)
|
---|
3293 | {
|
---|
3294 | if (*phStore == NIL_RTCRSTORE)
|
---|
3295 | {
|
---|
3296 | int rc = RTCrStoreCreateInMem(phStore, 2);
|
---|
3297 | if (RT_FAILURE(rc))
|
---|
3298 | return RTMsgErrorExitFailure("RTCrStoreCreateInMem(,2) failed: %Rrc", rc);
|
---|
3299 | }
|
---|
3300 | RTERRINFOSTATIC ErrInfo;
|
---|
3301 | int rc = RTCrStoreCertAddFromFile(*phStore, RTCRCERTCTX_F_ADD_IF_NOT_FOUND, pszFile, RTErrInfoInitStatic(&ErrInfo));
|
---|
3302 | if (RT_FAILURE(rc))
|
---|
3303 | return RTMsgErrorExitFailure("Error reading certificate from '%s': %Rrc%#RTeim", pszFile, rc, &ErrInfo.Core);
|
---|
3304 | return RTEXITCODE_SUCCESS;
|
---|
3305 | }
|
---|
3306 |
|
---|
3307 | static RTEXITCODE HandleOptSignatureType(RTDIGESTTYPE *penmSigType, const char *pszType)
|
---|
3308 | {
|
---|
3309 | if ( RTStrICmpAscii(pszType, "sha1") == 0
|
---|
3310 | || RTStrICmpAscii(pszType, "sha-1") == 0)
|
---|
3311 | *penmSigType = RTDIGESTTYPE_SHA1;
|
---|
3312 | else if ( RTStrICmpAscii(pszType, "sha256") == 0
|
---|
3313 | || RTStrICmpAscii(pszType, "sha-256") == 0)
|
---|
3314 | *penmSigType = RTDIGESTTYPE_SHA256;
|
---|
3315 | else
|
---|
3316 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Unknown signature type: %s (expected sha1 or sha256)", pszType);
|
---|
3317 | return RTEXITCODE_SUCCESS;
|
---|
3318 | }
|
---|
3319 |
|
---|
3320 |
|
---|
3321 | static RTEXITCODE HandleOptTimestampType(bool *pfOldType, const char *pszType)
|
---|
3322 | {
|
---|
3323 | if (strcmp(pszType, "old") == 0)
|
---|
3324 | *pfOldType = true;
|
---|
3325 | else if (strcmp(pszType, "new") == 0)
|
---|
3326 | *pfOldType = false;
|
---|
3327 | else
|
---|
3328 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Unknown timestamp type: %s", pszType);
|
---|
3329 | return RTEXITCODE_SUCCESS;
|
---|
3330 | }
|
---|
3331 |
|
---|
3332 | static RTEXITCODE HandleOptTimestampOverride(PRTTIMESPEC pSigningTime, const char *pszPartialTs)
|
---|
3333 | {
|
---|
3334 | /*
|
---|
3335 | * First try use it as-is.
|
---|
3336 | */
|
---|
3337 | if (RTTimeSpecFromString(pSigningTime, pszPartialTs) != NULL)
|
---|
3338 | return RTEXITCODE_SUCCESS;
|
---|
3339 |
|
---|
3340 | /* Check the input against a pattern, making sure we've got something that
|
---|
3341 | makes sense before trying to merge. */
|
---|
3342 | size_t const cchPartialTs = strlen(pszPartialTs);
|
---|
3343 | static char s_szPattern[] = "0000-00-00T00:00:";
|
---|
3344 | if (cchPartialTs > sizeof(s_szPattern) - 1) /* It is not a partial timestamp if we've got the seconds component. */
|
---|
3345 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Invalid timestamp: %s", pszPartialTs);
|
---|
3346 |
|
---|
3347 | for (size_t off = 0; off < cchPartialTs; off++)
|
---|
3348 | switch (s_szPattern[off])
|
---|
3349 | {
|
---|
3350 | case '0':
|
---|
3351 | if (!RT_C_IS_DIGIT(pszPartialTs[off]))
|
---|
3352 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Invalid timestamp, expected digit at position %u: %s",
|
---|
3353 | off + 1, pszPartialTs);
|
---|
3354 | break;
|
---|
3355 | case '-':
|
---|
3356 | case ':':
|
---|
3357 | if (pszPartialTs[off] != s_szPattern[off])
|
---|
3358 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Invalid timestamp, expected '%c' at position %u: %s",
|
---|
3359 | s_szPattern[off], off + 1, pszPartialTs);
|
---|
3360 | break;
|
---|
3361 | case 'T':
|
---|
3362 | if ( pszPartialTs[off] != 'T'
|
---|
3363 | && pszPartialTs[off] != 't'
|
---|
3364 | && pszPartialTs[off] != ' ')
|
---|
3365 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Invalid timestamp, expected 'T' or space at position %u: %s",
|
---|
3366 | off + 1, pszPartialTs);
|
---|
3367 | break;
|
---|
3368 | default:
|
---|
3369 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Internal error");
|
---|
3370 | }
|
---|
3371 |
|
---|
3372 | if (RT_C_IS_DIGIT(s_szPattern[cchPartialTs]) && RT_C_IS_DIGIT(s_szPattern[cchPartialTs - 1]))
|
---|
3373 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Incomplete timstamp component: %s", pszPartialTs);
|
---|
3374 |
|
---|
3375 | /*
|
---|
3376 | * Take the current time and merge in the components from pszPartialTs.
|
---|
3377 | */
|
---|
3378 | char szSigningTime[RTTIME_STR_LEN];
|
---|
3379 | RTTIMESPEC Now;
|
---|
3380 | RTTimeSpecToString(RTTimeNow(&Now), szSigningTime, sizeof(szSigningTime));
|
---|
3381 | memcpy(szSigningTime, pszPartialTs, cchPartialTs);
|
---|
3382 | szSigningTime[4+1+2+1+2] = 'T';
|
---|
3383 |
|
---|
3384 | /* Fix 29th for non-leap override: */
|
---|
3385 | if (memcmp(&szSigningTime[5], RT_STR_TUPLE("02-29")) == 0)
|
---|
3386 | {
|
---|
3387 | if (!RTTimeIsLeapYear(RTStrToUInt32(szSigningTime)))
|
---|
3388 | szSigningTime[9] = '8';
|
---|
3389 | }
|
---|
3390 | if (RTTimeSpecFromString(pSigningTime, szSigningTime) == NULL)
|
---|
3391 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Invalid timestamp: %s (%s)", pszPartialTs, szSigningTime);
|
---|
3392 |
|
---|
3393 | return RTEXITCODE_SUCCESS;
|
---|
3394 | }
|
---|
3395 |
|
---|
3396 | static RTEXITCODE HandleOptFileType(RTSIGNTOOLFILETYPE *penmFileType, const char *pszType)
|
---|
3397 | {
|
---|
3398 | if (strcmp(pszType, "detect") == 0 || strcmp(pszType, "auto") == 0)
|
---|
3399 | *penmFileType = RTSIGNTOOLFILETYPE_DETECT;
|
---|
3400 | else if (strcmp(pszType, "exe") == 0)
|
---|
3401 | *penmFileType = RTSIGNTOOLFILETYPE_EXE;
|
---|
3402 | else if (strcmp(pszType, "cat") == 0)
|
---|
3403 | *penmFileType = RTSIGNTOOLFILETYPE_CAT;
|
---|
3404 | else
|
---|
3405 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Unknown forced file type: %s", pszType);
|
---|
3406 | return RTEXITCODE_SUCCESS;
|
---|
3407 | }
|
---|
3408 |
|
---|
3409 | /**
|
---|
3410 | * Detects the type of files @a pszFile is (by reading from it).
|
---|
3411 | *
|
---|
3412 | * @returns The file type, or RTSIGNTOOLFILETYPE_UNKNOWN (error displayed).
|
---|
3413 | * @param enmForceFileType Usually set to RTSIGNTOOLFILETYPE_DETECT, but if
|
---|
3414 | * not we'll return this without probing the file.
|
---|
3415 | * @param pszFile The name of the file to detect the type of.
|
---|
3416 | */
|
---|
3417 | static RTSIGNTOOLFILETYPE DetectFileType(RTSIGNTOOLFILETYPE enmForceFileType, const char *pszFile)
|
---|
3418 | {
|
---|
3419 | /*
|
---|
3420 | * Forced?
|
---|
3421 | */
|
---|
3422 | if (enmForceFileType != RTSIGNTOOLFILETYPE_DETECT)
|
---|
3423 | return enmForceFileType;
|
---|
3424 |
|
---|
3425 | /*
|
---|
3426 | * Read the start of the file.
|
---|
3427 | */
|
---|
3428 | RTFILE hFile = NIL_RTFILE;
|
---|
3429 | int rc = RTFileOpen(&hFile, pszFile, RTFILE_O_READ | RTFILE_O_OPEN | RTFILE_O_DENY_WRITE);
|
---|
3430 | if (RT_FAILURE(rc))
|
---|
3431 | {
|
---|
3432 | RTMsgError("Error opening '%s' for reading: %Rrc", pszFile, rc);
|
---|
3433 | return RTSIGNTOOLFILETYPE_UNKNOWN;
|
---|
3434 | }
|
---|
3435 |
|
---|
3436 | union
|
---|
3437 | {
|
---|
3438 | uint8_t ab[256];
|
---|
3439 | uint16_t au16[256/2];
|
---|
3440 | uint32_t au32[256/4];
|
---|
3441 | } uBuf;
|
---|
3442 | RT_ZERO(uBuf);
|
---|
3443 |
|
---|
3444 | size_t cbRead = 0;
|
---|
3445 | rc = RTFileRead(hFile, &uBuf, sizeof(uBuf), &cbRead);
|
---|
3446 | if (RT_FAILURE(rc))
|
---|
3447 | RTMsgError("Error reading from '%s': %Rrc", pszFile, rc);
|
---|
3448 |
|
---|
3449 | uint64_t cbFile;
|
---|
3450 | int rcSize = RTFileQuerySize(hFile, &cbFile);
|
---|
3451 | if (RT_FAILURE(rcSize))
|
---|
3452 | RTMsgError("Error querying size of '%s': %Rrc", pszFile, rc);
|
---|
3453 |
|
---|
3454 | RTFileClose(hFile);
|
---|
3455 | if (RT_FAILURE(rc) || RT_FAILURE(rcSize))
|
---|
3456 | return RTSIGNTOOLFILETYPE_UNKNOWN;
|
---|
3457 |
|
---|
3458 | /*
|
---|
3459 | * Try guess the kind of file.
|
---|
3460 | */
|
---|
3461 | /* All the executable magics we know: */
|
---|
3462 | if ( uBuf.au16[0] == RT_H2LE_U16_C(IMAGE_DOS_SIGNATURE)
|
---|
3463 | || uBuf.au16[0] == RT_H2LE_U16_C(IMAGE_NE_SIGNATURE)
|
---|
3464 | || uBuf.au16[0] == RT_H2LE_U16_C(IMAGE_LX_SIGNATURE)
|
---|
3465 | || uBuf.au16[0] == RT_H2LE_U16_C(IMAGE_LE_SIGNATURE)
|
---|
3466 | || uBuf.au32[0] == RT_H2LE_U32_C(IMAGE_NT_SIGNATURE)
|
---|
3467 | || uBuf.au32[0] == RT_H2LE_U32_C(IMAGE_ELF_SIGNATURE)
|
---|
3468 | || uBuf.au32[0] == IMAGE_FAT_SIGNATURE
|
---|
3469 | || uBuf.au32[0] == IMAGE_FAT_SIGNATURE_OE
|
---|
3470 | || uBuf.au32[0] == IMAGE_MACHO32_SIGNATURE
|
---|
3471 | || uBuf.au32[0] == IMAGE_MACHO32_SIGNATURE_OE
|
---|
3472 | || uBuf.au32[0] == IMAGE_MACHO64_SIGNATURE
|
---|
3473 | || uBuf.au32[0] == IMAGE_MACHO64_SIGNATURE_OE)
|
---|
3474 | return RTSIGNTOOLFILETYPE_EXE;
|
---|
3475 |
|
---|
3476 | /*
|
---|
3477 | * Catalog files are PKCS#7 SignedData and starts with a ContentInfo, i.e.:
|
---|
3478 | * SEQUENCE {
|
---|
3479 | * contentType OBJECT IDENTIFIER,
|
---|
3480 | * content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
|
---|
3481 | * }
|
---|
3482 | *
|
---|
3483 | * We ASSUME that it's DER encoded and doesn't use an indefinite length form
|
---|
3484 | * at the start and that contentType is signedData (1.2.840.113549.1.7.2).
|
---|
3485 | *
|
---|
3486 | * Example of a 10353 (0x2871) byte long file:
|
---|
3487 | * vv-------- contentType -------vv
|
---|
3488 | * 00000000 30 82 28 6D 06 09 2A 86 48 86 F7 0D 01 07 02 A0
|
---|
3489 | * 00000010 82 28 5E 30 82 28 5A 02 01 01 31 0B 30 09 06 05
|
---|
3490 | */
|
---|
3491 | if ( uBuf.ab[0] == (ASN1_TAG_SEQUENCE | ASN1_TAGFLAG_CONSTRUCTED)
|
---|
3492 | && uBuf.ab[1] != 0x80 /* not indefinite form */
|
---|
3493 | && uBuf.ab[1] > 0x30)
|
---|
3494 | {
|
---|
3495 | size_t off = 1;
|
---|
3496 | uint32_t cbRec = uBuf.ab[1];
|
---|
3497 | if (cbRec & 0x80)
|
---|
3498 | {
|
---|
3499 | cbRec &= 0x7f;
|
---|
3500 | off += cbRec;
|
---|
3501 | switch (cbRec)
|
---|
3502 | {
|
---|
3503 | case 1: cbRec = uBuf.ab[2]; break;
|
---|
3504 | case 2: cbRec = RT_MAKE_U16( uBuf.ab[3], uBuf.ab[2]); break;
|
---|
3505 | case 3: cbRec = RT_MAKE_U32_FROM_U8(uBuf.ab[4], uBuf.ab[3], uBuf.ab[2], 0); break;
|
---|
3506 | case 4: cbRec = RT_MAKE_U32_FROM_U8(uBuf.ab[5], uBuf.ab[4], uBuf.ab[3], uBuf.ab[2]); break;
|
---|
3507 | default: cbRec = UINT32_MAX; break;
|
---|
3508 | }
|
---|
3509 | }
|
---|
3510 | if (off <= 5)
|
---|
3511 | {
|
---|
3512 | off++;
|
---|
3513 | if (off + cbRec == cbFile)
|
---|
3514 | {
|
---|
3515 | /* If the contentType is signedData we're going to treat it as a catalog file,
|
---|
3516 | we don't currently much care about the signed content of a cat file. */
|
---|
3517 | static const uint8_t s_abSignedDataOid[] =
|
---|
3518 | { ASN1_TAG_OID, 9 /*length*/, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02 };
|
---|
3519 | if (memcmp(&uBuf.ab[off], s_abSignedDataOid, sizeof(s_abSignedDataOid)) == 0)
|
---|
3520 | return RTSIGNTOOLFILETYPE_CAT;
|
---|
3521 | }
|
---|
3522 | }
|
---|
3523 | }
|
---|
3524 |
|
---|
3525 | RTMsgError("Unable to detect type of '%s'", pszFile);
|
---|
3526 | return RTSIGNTOOLFILETYPE_UNKNOWN;
|
---|
3527 | }
|
---|
3528 |
|
---|
3529 | #endif /* !IPRT_SIGNTOOL_NO_SIGNING */
|
---|
3530 |
|
---|
3531 |
|
---|
3532 | /*********************************************************************************************************************************
|
---|
3533 | * The 'add-timestamp-exe-signature' command. *
|
---|
3534 | *********************************************************************************************************************************/
|
---|
3535 | #ifndef IPRT_SIGNTOOL_NO_SIGNING
|
---|
3536 |
|
---|
3537 | static RTEXITCODE HelpAddTimestampExeSignature(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
3538 | {
|
---|
3539 | RT_NOREF_PV(enmLevel);
|
---|
3540 |
|
---|
3541 | RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT,
|
---|
3542 | "add-timestamp-exe-signature [-v|--verbose] [--signature-index|-i <num>] "
|
---|
3543 | OPT_CERT_KEY_SYNOPSIS("--timestamp-")
|
---|
3544 | "[--timestamp-type old|new] "
|
---|
3545 | "[--timestamp-override <partial-isots>] "
|
---|
3546 | "[--replace-existing|-r] "
|
---|
3547 | "<exe>\n");
|
---|
3548 | if (enmLevel == RTSIGNTOOLHELP_FULL)
|
---|
3549 | RTStrmWrappedPrintf(pStrm, 0,
|
---|
3550 | "This is mainly to test timestamp code.\n"
|
---|
3551 | "\n"
|
---|
3552 | "The --timestamp-override option can take a partial or full ISO timestamp. It is merged "
|
---|
3553 | "with the current time if partial.\n"
|
---|
3554 | "\n");
|
---|
3555 | return RTEXITCODE_SUCCESS;
|
---|
3556 | }
|
---|
3557 |
|
---|
3558 | static RTEXITCODE HandleAddTimestampExeSignature(int cArgs, char **papszArgs)
|
---|
3559 | {
|
---|
3560 | /*
|
---|
3561 | * Parse arguments.
|
---|
3562 | */
|
---|
3563 | static const RTGETOPTDEF s_aOptions[] =
|
---|
3564 | {
|
---|
3565 | { "--signature-index", 'i', RTGETOPT_REQ_UINT32 },
|
---|
3566 | OPT_CERT_KEY_GETOPTDEF_ENTRIES("--timestamp-", 1000),
|
---|
3567 | { "--timestamp-type", OPT_TIMESTAMP_TYPE, RTGETOPT_REQ_STRING },
|
---|
3568 | { "--timestamp-override", OPT_TIMESTAMP_OVERRIDE, RTGETOPT_REQ_STRING },
|
---|
3569 | { "--replace-existing", 'r', RTGETOPT_REQ_NOTHING },
|
---|
3570 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
3571 | };
|
---|
3572 |
|
---|
3573 | unsigned cVerbosity = 0;
|
---|
3574 | unsigned iSignature = 0;
|
---|
3575 | bool fReplaceExisting = false;
|
---|
3576 | bool fTimestampTypeOld = true;
|
---|
3577 | SignToolKeyPair TimestampCertKey("timestamp", true);
|
---|
3578 | RTTIMESPEC SigningTime;
|
---|
3579 | RTTimeNow(&SigningTime);
|
---|
3580 |
|
---|
3581 | RTGETOPTSTATE GetState;
|
---|
3582 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
3583 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
3584 |
|
---|
3585 | RTEXITCODE rcExit = RTEXITCODE_SUCCESS;
|
---|
3586 | RTGETOPTUNION ValueUnion;
|
---|
3587 | int ch;
|
---|
3588 | while ((ch = RTGetOpt(&GetState, &ValueUnion)))
|
---|
3589 | {
|
---|
3590 | RTEXITCODE rcExit2 = RTEXITCODE_SUCCESS;
|
---|
3591 | switch (ch)
|
---|
3592 | {
|
---|
3593 | OPT_CERT_KEY_SWITCH_CASES(TimestampCertKey, 1000, ch, ValueUnion, rcExit2);
|
---|
3594 | case 'i': iSignature = ValueUnion.u32; break;
|
---|
3595 | case OPT_TIMESTAMP_TYPE: rcExit2 = HandleOptTimestampType(&fTimestampTypeOld, ValueUnion.psz); break;
|
---|
3596 | case OPT_TIMESTAMP_OVERRIDE: rcExit2 = HandleOptTimestampOverride(&SigningTime, ValueUnion.psz); break;
|
---|
3597 | case 'r': fReplaceExisting = true; break;
|
---|
3598 | case 'v': cVerbosity++; break;
|
---|
3599 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
3600 | case 'h': return HelpAddTimestampExeSignature(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
3601 |
|
---|
3602 | case VINF_GETOPT_NOT_OPTION:
|
---|
3603 | /* Do final certificate and key option processing (first file only). */
|
---|
3604 | rcExit2 = TimestampCertKey.finalizeOptions(cVerbosity);
|
---|
3605 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3606 | {
|
---|
3607 | /* Do the work: */
|
---|
3608 | SIGNTOOLPKCS7EXE Exe;
|
---|
3609 | rcExit2 = SignToolPkcs7Exe_InitFromFile(&Exe, ValueUnion.psz, cVerbosity);
|
---|
3610 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3611 | {
|
---|
3612 | rcExit2 = SignToolPkcs7_AddTimestampSignature(&Exe, cVerbosity, iSignature, fReplaceExisting,
|
---|
3613 | fTimestampTypeOld, SigningTime, &TimestampCertKey);
|
---|
3614 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3615 | rcExit2 = SignToolPkcs7_Encode(&Exe, cVerbosity);
|
---|
3616 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3617 | rcExit2 = SignToolPkcs7Exe_WriteSignatureToFile(&Exe, cVerbosity);
|
---|
3618 | SignToolPkcs7Exe_Delete(&Exe);
|
---|
3619 | }
|
---|
3620 | if (rcExit2 != RTEXITCODE_SUCCESS && rcExit == RTEXITCODE_SUCCESS)
|
---|
3621 | rcExit = rcExit2;
|
---|
3622 | rcExit2 = RTEXITCODE_SUCCESS;
|
---|
3623 | }
|
---|
3624 | break;
|
---|
3625 |
|
---|
3626 | default:
|
---|
3627 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
3628 | }
|
---|
3629 |
|
---|
3630 | if (rcExit2 != RTEXITCODE_SUCCESS)
|
---|
3631 | {
|
---|
3632 | rcExit = rcExit2;
|
---|
3633 | break;
|
---|
3634 | }
|
---|
3635 | }
|
---|
3636 | return rcExit;
|
---|
3637 | }
|
---|
3638 |
|
---|
3639 | #endif /*!IPRT_SIGNTOOL_NO_SIGNING */
|
---|
3640 |
|
---|
3641 |
|
---|
3642 | /*********************************************************************************************************************************
|
---|
3643 | * The 'sign-exe' command. *
|
---|
3644 | *********************************************************************************************************************************/
|
---|
3645 | #ifndef IPRT_SIGNTOOL_NO_SIGNING
|
---|
3646 |
|
---|
3647 | static RTEXITCODE HelpSign(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
3648 | {
|
---|
3649 | RT_NOREF_PV(enmLevel);
|
---|
3650 |
|
---|
3651 | RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT,
|
---|
3652 | "sign [-v|--verbose] "
|
---|
3653 | "[--file-type exe|cat] "
|
---|
3654 | "[--type|/fd sha1|sha256] "
|
---|
3655 | "[--hash-pages|/ph] "
|
---|
3656 | "[--no-hash-pages|/nph] "
|
---|
3657 | "[--append/as] "
|
---|
3658 | "[--no-signing-time] "
|
---|
3659 | "[--add-cert <file>] "
|
---|
3660 | "[--timestamp-type old|new] "
|
---|
3661 | "[--timestamp-override <partial-isots>] "
|
---|
3662 | "[--verbose|/debug|-v] "
|
---|
3663 | OPT_CERT_KEY_SYNOPSIS("--")
|
---|
3664 | OPT_CERT_KEY_SYNOPSIS("--timestamp-")
|
---|
3665 | "<exe>\n");
|
---|
3666 | if (enmLevel == RTSIGNTOOLHELP_FULL)
|
---|
3667 | RTStrmWrappedPrintf(pStrm, 0,
|
---|
3668 | "\n"
|
---|
3669 | "Create a new code signature for an executable or catalog.\n"
|
---|
3670 | "\n"
|
---|
3671 | "Options:\n"
|
---|
3672 | " --append, /as\n"
|
---|
3673 | " Append the signature if one already exists. The default is to replace any existing signature.\n"
|
---|
3674 | " --type sha1|sha256, /fd sha1|sha256\n"
|
---|
3675 | " Signature type, SHA-1 or SHA-256.\n"
|
---|
3676 | " --hash-pages, /ph, --no-page-hashes, /nph\n"
|
---|
3677 | " Enables or disables page hashing. Ignored for catalog files. Default: --no-page-hashes\n"
|
---|
3678 | " --add-cert <file>, /ac <file>\n"
|
---|
3679 | " Adds (first) certificate from the file to the signature. Both PEM and DER (binary) encodings "
|
---|
3680 | "are accepted. Repeat to add more certiifcates.\n"
|
---|
3681 | " --timestamp-override <partial-iso-timestamp>\n"
|
---|
3682 | " This specifies the signing time as a ISO timestamp. Partial timestamps are merged with the "
|
---|
3683 | "current time. This is applied to any timestamp signature as well as the signingTime attribute of "
|
---|
3684 | "main signature. Higher resolution than seconds is not supported. Default: Current time.\n"
|
---|
3685 | " --no-signing-time\n"
|
---|
3686 | " Don't set the signing time on the main signature, only on the timestamp one. Unfortunately, "
|
---|
3687 | "this doesn't work without modifying OpenSSL a little.\n"
|
---|
3688 | " --timestamp-type old|new\n"
|
---|
3689 | " Selects the timstamp type. 'old' is the old style /t <url> stuff from signtool.exe. "
|
---|
3690 | "'new' means a RTC-3161 timstamp - currently not implemented. Default: old\n"
|
---|
3691 | "\n"
|
---|
3692 | "Certificate and Key Options (--timestamp-cert-name etc for timestamps):\n"
|
---|
3693 | " --cert-subject <partial name>, /n <partial name>\n"
|
---|
3694 | " Locate the main signature signing certificate and key, unless anything else is given, "
|
---|
3695 | "by the given name substring. Overrides any previous --cert-sha1 and --cert-file options.\n"
|
---|
3696 | " --cert-sha1 <hex bytes>, /sha1 <hex bytes>\n"
|
---|
3697 | " Locate the main signature signing certificate and key, unless anything else is given, "
|
---|
3698 | "by the given thumbprint. The hex bytes can be space separated, colon separated, just "
|
---|
3699 | "bunched together, or a mix of these. This overrids any previous --cert-name and --cert-file "
|
---|
3700 | "options.\n"
|
---|
3701 | " --cert-store <name>, /s <store>\n"
|
---|
3702 | " Certificate store to search when using --cert-name or --cert-sha1. Default: MY\n"
|
---|
3703 | " --cert-machine-store, /sm\n"
|
---|
3704 | " Use the machine store rather the ones of the current user.\n"
|
---|
3705 | " --cert-file <file>, /f <file>\n"
|
---|
3706 | " Load the certificate and key, unless anything else is given, from given file. Both PEM and "
|
---|
3707 | "DER (binary) encodings are supported. Keys file can be RSA or PKCS#12 formatted.\n"
|
---|
3708 | " --key-file <file>\n"
|
---|
3709 | " Load the private key from the given file. Support RSA and PKCS#12 formatted files.\n"
|
---|
3710 | " --key-password <password>, /p <password>\n"
|
---|
3711 | " Password to use to decrypt a PKCS#12 password file.\n"
|
---|
3712 | " --key-password-file <file>|stdin\n"
|
---|
3713 | " Load password to decrypt the password file from the given file or from stdin.\n"
|
---|
3714 | " --key-name <name>, /kc <name>\n"
|
---|
3715 | " The private key container name. Not implemented.\n"
|
---|
3716 | " --key-provider <name>, /csp <name>\n"
|
---|
3717 | " The name of the crypto provider where the private key conatiner specified via --key-name "
|
---|
3718 | "can be found.\n"
|
---|
3719 | );
|
---|
3720 |
|
---|
3721 | return RTEXITCODE_SUCCESS;
|
---|
3722 | }
|
---|
3723 |
|
---|
3724 |
|
---|
3725 | static RTEXITCODE HandleSign(int cArgs, char **papszArgs)
|
---|
3726 | {
|
---|
3727 | /*
|
---|
3728 | * Parse arguments.
|
---|
3729 | */
|
---|
3730 | static const RTGETOPTDEF s_aOptions[] =
|
---|
3731 | {
|
---|
3732 | { "--append", 'A', RTGETOPT_REQ_NOTHING },
|
---|
3733 | { "/as", 'A', RTGETOPT_REQ_NOTHING },
|
---|
3734 | { "/a", OPT_IGNORED, RTGETOPT_REQ_NOTHING }, /* select best cert automatically */
|
---|
3735 | { "--type", 't', RTGETOPT_REQ_STRING },
|
---|
3736 | { "/fd", 't', RTGETOPT_REQ_STRING },
|
---|
3737 | { "--hash-pages", OPT_HASH_PAGES, RTGETOPT_REQ_NOTHING },
|
---|
3738 | { "/ph", OPT_HASH_PAGES, RTGETOPT_REQ_NOTHING },
|
---|
3739 | { "--no-hash-pages", OPT_NO_HASH_PAGES, RTGETOPT_REQ_NOTHING },
|
---|
3740 | { "/nph", OPT_NO_HASH_PAGES, RTGETOPT_REQ_NOTHING },
|
---|
3741 | { "--add-cert", OPT_ADD_CERT, RTGETOPT_REQ_STRING },
|
---|
3742 | { "/ac", OPT_ADD_CERT, RTGETOPT_REQ_STRING },
|
---|
3743 | { "--description", 'd', RTGETOPT_REQ_STRING },
|
---|
3744 | { "--desc", 'd', RTGETOPT_REQ_STRING },
|
---|
3745 | { "/d", 'd', RTGETOPT_REQ_STRING },
|
---|
3746 | { "--description-url", 'D', RTGETOPT_REQ_STRING },
|
---|
3747 | { "--desc-url", 'D', RTGETOPT_REQ_STRING },
|
---|
3748 | { "/du", 'D', RTGETOPT_REQ_STRING },
|
---|
3749 | { "--no-signing-time", OPT_NO_SIGNING_TIME, RTGETOPT_REQ_NOTHING },
|
---|
3750 | OPT_CERT_KEY_GETOPTDEF_ENTRIES("--", 1000),
|
---|
3751 | OPT_CERT_KEY_GETOPTDEF_COMPAT_ENTRIES( 1000),
|
---|
3752 | OPT_CERT_KEY_GETOPTDEF_ENTRIES("--timestamp-", 1020),
|
---|
3753 | { "--timestamp-type", OPT_TIMESTAMP_TYPE, RTGETOPT_REQ_STRING },
|
---|
3754 | { "--timestamp-override", OPT_TIMESTAMP_OVERRIDE, RTGETOPT_REQ_STRING },
|
---|
3755 | { "--file-type", OPT_FILE_TYPE, RTGETOPT_REQ_STRING },
|
---|
3756 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
3757 | { "/v", 'v', RTGETOPT_REQ_NOTHING },
|
---|
3758 | { "/debug", 'v', RTGETOPT_REQ_NOTHING },
|
---|
3759 | };
|
---|
3760 |
|
---|
3761 | unsigned cVerbosity = 0;
|
---|
3762 | RTDIGESTTYPE enmSigType = RTDIGESTTYPE_SHA1;
|
---|
3763 | bool fReplaceExisting = true;
|
---|
3764 | bool fHashPages = false;
|
---|
3765 | bool fNoSigningTime = false;
|
---|
3766 | RTSIGNTOOLFILETYPE enmForceFileType = RTSIGNTOOLFILETYPE_DETECT;
|
---|
3767 | SignToolKeyPair SigningCertKey("signing", true);
|
---|
3768 | RTCRSTORE hAddCerts = NIL_RTCRSTORE; /* leaked if returning directly (--help, --version) */
|
---|
3769 | const char *pszDescription = NULL; /** @todo implement putting descriptions into the OpusInfo stuff. */
|
---|
3770 | const char *pszDescriptionUrl = NULL;
|
---|
3771 | bool fTimestampTypeOld = true;
|
---|
3772 | SignToolKeyPair TimestampCertKey("timestamp");
|
---|
3773 | RTTIMESPEC SigningTime;
|
---|
3774 | RTTimeNow(&SigningTime);
|
---|
3775 |
|
---|
3776 | RTGETOPTSTATE GetState;
|
---|
3777 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
3778 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
3779 |
|
---|
3780 | RTEXITCODE rcExit = RTEXITCODE_SUCCESS;
|
---|
3781 | RTGETOPTUNION ValueUnion;
|
---|
3782 | int ch;
|
---|
3783 | while ((ch = RTGetOpt(&GetState, &ValueUnion)))
|
---|
3784 | {
|
---|
3785 | RTEXITCODE rcExit2 = RTEXITCODE_SUCCESS;
|
---|
3786 | switch (ch)
|
---|
3787 | {
|
---|
3788 | OPT_CERT_KEY_SWITCH_CASES(SigningCertKey, 1000, ch, ValueUnion, rcExit2);
|
---|
3789 | OPT_CERT_KEY_SWITCH_CASES(TimestampCertKey, 1020, ch, ValueUnion, rcExit2);
|
---|
3790 | case 't': rcExit2 = HandleOptSignatureType(&enmSigType, ValueUnion.psz); break;
|
---|
3791 | case 'A': fReplaceExisting = false; break;
|
---|
3792 | case 'd': pszDescription = ValueUnion.psz; break;
|
---|
3793 | case 'D': pszDescriptionUrl = ValueUnion.psz; break;
|
---|
3794 | case OPT_HASH_PAGES: fHashPages = true; break;
|
---|
3795 | case OPT_NO_HASH_PAGES: fHashPages = false; break;
|
---|
3796 | case OPT_NO_SIGNING_TIME: fNoSigningTime = true; break;
|
---|
3797 | case OPT_ADD_CERT: rcExit2 = HandleOptAddCert(&hAddCerts, ValueUnion.psz); break;
|
---|
3798 | case OPT_TIMESTAMP_TYPE: rcExit2 = HandleOptTimestampType(&fTimestampTypeOld, ValueUnion.psz); break;
|
---|
3799 | case OPT_TIMESTAMP_OVERRIDE: rcExit2 = HandleOptTimestampOverride(&SigningTime, ValueUnion.psz); break;
|
---|
3800 | case OPT_FILE_TYPE: rcExit2 = HandleOptFileType(&enmForceFileType, ValueUnion.psz); break;
|
---|
3801 | case OPT_IGNORED: break;
|
---|
3802 | case 'v': cVerbosity++; break;
|
---|
3803 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
3804 | case 'h': return HelpSign(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
3805 |
|
---|
3806 | case VINF_GETOPT_NOT_OPTION:
|
---|
3807 | /*
|
---|
3808 | * Do final certificate and key option processing (first file only).
|
---|
3809 | */
|
---|
3810 | rcExit2 = SigningCertKey.finalizeOptions(cVerbosity);
|
---|
3811 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3812 | rcExit2 = TimestampCertKey.finalizeOptions(cVerbosity);
|
---|
3813 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3814 | {
|
---|
3815 | /*
|
---|
3816 | * Detect file type.
|
---|
3817 | */
|
---|
3818 | RTSIGNTOOLFILETYPE enmFileType = DetectFileType(enmForceFileType, ValueUnion.psz);
|
---|
3819 | if (enmFileType == RTSIGNTOOLFILETYPE_EXE)
|
---|
3820 | {
|
---|
3821 | /*
|
---|
3822 | * Sign executable image.
|
---|
3823 | */
|
---|
3824 | SIGNTOOLPKCS7EXE Exe;
|
---|
3825 | rcExit2 = SignToolPkcs7Exe_InitFromFile(&Exe, ValueUnion.psz, cVerbosity,
|
---|
3826 | RTLDRARCH_WHATEVER, true /*fAllowUnsigned*/);
|
---|
3827 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3828 | {
|
---|
3829 | rcExit2 = SignToolPkcs7_AddOrReplaceSignature(&Exe, cVerbosity, enmSigType, fReplaceExisting,
|
---|
3830 | fHashPages, fNoSigningTime, &SigningCertKey, hAddCerts,
|
---|
3831 | fTimestampTypeOld, SigningTime, &TimestampCertKey);
|
---|
3832 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3833 | rcExit2 = SignToolPkcs7_Encode(&Exe, cVerbosity);
|
---|
3834 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3835 | rcExit2 = SignToolPkcs7Exe_WriteSignatureToFile(&Exe, cVerbosity);
|
---|
3836 | SignToolPkcs7Exe_Delete(&Exe);
|
---|
3837 | }
|
---|
3838 | }
|
---|
3839 | else if (enmFileType == RTSIGNTOOLFILETYPE_CAT)
|
---|
3840 | {
|
---|
3841 | /*
|
---|
3842 | * Sign catalog file.
|
---|
3843 | */
|
---|
3844 | SIGNTOOLPKCS7 Cat;
|
---|
3845 | rcExit2 = SignToolPkcs7_InitFromFile(&Cat, ValueUnion.psz, cVerbosity);
|
---|
3846 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3847 | {
|
---|
3848 | rcExit2 = SignToolPkcs7_AddOrReplaceCatSignature(&Cat, cVerbosity, enmSigType, fReplaceExisting,
|
---|
3849 | fNoSigningTime, &SigningCertKey, hAddCerts,
|
---|
3850 | fTimestampTypeOld, SigningTime, &TimestampCertKey);
|
---|
3851 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3852 | rcExit2 = SignToolPkcs7_Encode(&Cat, cVerbosity);
|
---|
3853 | if (rcExit2 == RTEXITCODE_SUCCESS)
|
---|
3854 | rcExit2 = SignToolPkcs7_WriteSignatureToFile(&Cat, ValueUnion.psz, cVerbosity);
|
---|
3855 | SignToolPkcs7_Delete(&Cat);
|
---|
3856 | }
|
---|
3857 | }
|
---|
3858 | else
|
---|
3859 | rcExit2 = RTEXITCODE_FAILURE;
|
---|
3860 | if (rcExit2 != RTEXITCODE_SUCCESS && rcExit == RTEXITCODE_SUCCESS)
|
---|
3861 | rcExit = rcExit2;
|
---|
3862 | rcExit2 = RTEXITCODE_SUCCESS;
|
---|
3863 | }
|
---|
3864 | break;
|
---|
3865 |
|
---|
3866 | default:
|
---|
3867 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
3868 | }
|
---|
3869 | if (rcExit2 != RTEXITCODE_SUCCESS)
|
---|
3870 | {
|
---|
3871 | rcExit = rcExit2;
|
---|
3872 | break;
|
---|
3873 | }
|
---|
3874 | }
|
---|
3875 |
|
---|
3876 | if (hAddCerts != NIL_RTCRSTORE)
|
---|
3877 | RTCrStoreRelease(hAddCerts);
|
---|
3878 | return rcExit;
|
---|
3879 | }
|
---|
3880 |
|
---|
3881 | #endif /*!IPRT_SIGNTOOL_NO_SIGNING */
|
---|
3882 |
|
---|
3883 |
|
---|
3884 | /*********************************************************************************************************************************
|
---|
3885 | * The 'verify-exe' command. *
|
---|
3886 | *********************************************************************************************************************************/
|
---|
3887 | #ifndef IPRT_IN_BUILD_TOOL
|
---|
3888 |
|
---|
3889 | static RTEXITCODE HelpVerifyExe(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
3890 | {
|
---|
3891 | RT_NOREF_PV(enmLevel);
|
---|
3892 | RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT,
|
---|
3893 | "verify-exe [--verbose|--quiet] [--kernel] [--root <root-cert.der>] [--additional <supp-cert.der>] "
|
---|
3894 | "[--type <win|osx>] <exe1> [exe2 [..]]\n");
|
---|
3895 | return RTEXITCODE_SUCCESS;
|
---|
3896 | }
|
---|
3897 |
|
---|
3898 | typedef struct VERIFYEXESTATE
|
---|
3899 | {
|
---|
3900 | RTCRSTORE hRootStore;
|
---|
3901 | RTCRSTORE hKernelRootStore;
|
---|
3902 | RTCRSTORE hAdditionalStore;
|
---|
3903 | bool fKernel;
|
---|
3904 | int cVerbose;
|
---|
3905 | enum { kSignType_Windows, kSignType_OSX } enmSignType;
|
---|
3906 | RTLDRARCH enmLdrArch;
|
---|
3907 | uint32_t cBad;
|
---|
3908 | uint32_t cOkay;
|
---|
3909 | const char *pszFilename;
|
---|
3910 | RTTIMESPEC ValidationTime;
|
---|
3911 | } VERIFYEXESTATE;
|
---|
3912 |
|
---|
3913 | # ifdef VBOX
|
---|
3914 | /** Certificate store load set.
|
---|
3915 | * Declared outside HandleVerifyExe because of braindead gcc visibility crap. */
|
---|
3916 | struct STSTORESET
|
---|
3917 | {
|
---|
3918 | RTCRSTORE hStore;
|
---|
3919 | PCSUPTAENTRY paTAs;
|
---|
3920 | unsigned cTAs;
|
---|
3921 | };
|
---|
3922 | # endif
|
---|
3923 |
|
---|
3924 | /**
|
---|
3925 | * @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
|
---|
3926 | * Standard code signing. Use this for Microsoft SPC.}
|
---|
3927 | */
|
---|
3928 | static DECLCALLBACK(int) VerifyExecCertVerifyCallback(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
|
---|
3929 | void *pvUser, PRTERRINFO pErrInfo)
|
---|
3930 | {
|
---|
3931 | VERIFYEXESTATE *pState = (VERIFYEXESTATE *)pvUser;
|
---|
3932 | uint32_t cPaths = RTCrX509CertPathsGetPathCount(hCertPaths);
|
---|
3933 |
|
---|
3934 | /*
|
---|
3935 | * Dump all the paths.
|
---|
3936 | */
|
---|
3937 | if (pState->cVerbose > 0)
|
---|
3938 | {
|
---|
3939 | for (uint32_t iPath = 0; iPath < cPaths; iPath++)
|
---|
3940 | {
|
---|
3941 | RTPrintf("---\n");
|
---|
3942 | RTCrX509CertPathsDumpOne(hCertPaths, iPath, pState->cVerbose, RTStrmDumpPrintfV, g_pStdOut);
|
---|
3943 | *pErrInfo->pszMsg = '\0';
|
---|
3944 | }
|
---|
3945 | RTPrintf("---\n");
|
---|
3946 | }
|
---|
3947 |
|
---|
3948 | /*
|
---|
3949 | * Test signing certificates normally doesn't have all the necessary
|
---|
3950 | * features required below. So, treat them as special cases.
|
---|
3951 | */
|
---|
3952 | if ( hCertPaths == NIL_RTCRX509CERTPATHS
|
---|
3953 | && RTCrX509Name_Compare(&pCert->TbsCertificate.Issuer, &pCert->TbsCertificate.Subject) == 0)
|
---|
3954 | {
|
---|
3955 | RTMsgInfo("Test signed.\n");
|
---|
3956 | return VINF_SUCCESS;
|
---|
3957 | }
|
---|
3958 |
|
---|
3959 | if (hCertPaths == NIL_RTCRX509CERTPATHS)
|
---|
3960 | RTMsgInfo("Signed by trusted certificate.\n");
|
---|
3961 |
|
---|
3962 | /*
|
---|
3963 | * Standard code signing capabilites required.
|
---|
3964 | */
|
---|
3965 | int rc = RTCrPkcs7VerifyCertCallbackCodeSigning(pCert, hCertPaths, fFlags, NULL, pErrInfo);
|
---|
3966 | if ( RT_SUCCESS(rc)
|
---|
3967 | && (fFlags & RTCRPKCS7VCC_F_SIGNED_DATA))
|
---|
3968 | {
|
---|
3969 | /*
|
---|
3970 | * If windows kernel signing, a valid certificate path must be anchored
|
---|
3971 | * by the microsoft kernel signing root certificate. The only
|
---|
3972 | * alternative is test signing.
|
---|
3973 | */
|
---|
3974 | if ( pState->fKernel
|
---|
3975 | && hCertPaths != NIL_RTCRX509CERTPATHS
|
---|
3976 | && pState->enmSignType == VERIFYEXESTATE::kSignType_Windows)
|
---|
3977 | {
|
---|
3978 | uint32_t cFound = 0;
|
---|
3979 | uint32_t cValid = 0;
|
---|
3980 | for (uint32_t iPath = 0; iPath < cPaths; iPath++)
|
---|
3981 | {
|
---|
3982 | bool fTrusted;
|
---|
3983 | PCRTCRX509NAME pSubject;
|
---|
3984 | PCRTCRX509SUBJECTPUBLICKEYINFO pPublicKeyInfo;
|
---|
3985 | int rcVerify;
|
---|
3986 | rc = RTCrX509CertPathsQueryPathInfo(hCertPaths, iPath, &fTrusted, NULL /*pcNodes*/, &pSubject, &pPublicKeyInfo,
|
---|
3987 | NULL, NULL /*pCertCtx*/, &rcVerify);
|
---|
3988 | AssertRCBreak(rc);
|
---|
3989 |
|
---|
3990 | if (RT_SUCCESS(rcVerify))
|
---|
3991 | {
|
---|
3992 | Assert(fTrusted);
|
---|
3993 | cValid++;
|
---|
3994 |
|
---|
3995 | /* Search the kernel signing root store for a matching anchor. */
|
---|
3996 | RTCRSTORECERTSEARCH Search;
|
---|
3997 | rc = RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(pState->hKernelRootStore, pSubject, &Search);
|
---|
3998 | AssertRCBreak(rc);
|
---|
3999 | PCRTCRCERTCTX pCertCtx;
|
---|
4000 | while ((pCertCtx = RTCrStoreCertSearchNext(pState->hKernelRootStore, &Search)) != NULL)
|
---|
4001 | {
|
---|
4002 | PCRTCRX509SUBJECTPUBLICKEYINFO pPubKeyInfo;
|
---|
4003 | if (pCertCtx->pCert)
|
---|
4004 | pPubKeyInfo = &pCertCtx->pCert->TbsCertificate.SubjectPublicKeyInfo;
|
---|
4005 | else if (pCertCtx->pTaInfo)
|
---|
4006 | pPubKeyInfo = &pCertCtx->pTaInfo->PubKey;
|
---|
4007 | else
|
---|
4008 | pPubKeyInfo = NULL;
|
---|
4009 | if (RTCrX509SubjectPublicKeyInfo_Compare(pPubKeyInfo, pPublicKeyInfo) == 0)
|
---|
4010 | cFound++;
|
---|
4011 | RTCrCertCtxRelease(pCertCtx);
|
---|
4012 | }
|
---|
4013 |
|
---|
4014 | int rc2 = RTCrStoreCertSearchDestroy(pState->hKernelRootStore, &Search); AssertRC(rc2);
|
---|
4015 | }
|
---|
4016 | }
|
---|
4017 | if (RT_SUCCESS(rc) && cFound == 0)
|
---|
4018 | rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE, "Not valid kernel code signature.");
|
---|
4019 | if (RT_SUCCESS(rc) && cValid != 2)
|
---|
4020 | RTMsgWarning("%u valid paths, expected 2", cValid);
|
---|
4021 | }
|
---|
4022 | /*
|
---|
4023 | * For Mac OS X signing, check for special developer ID attributes.
|
---|
4024 | */
|
---|
4025 | else if (pState->enmSignType == VERIFYEXESTATE::kSignType_OSX)
|
---|
4026 | {
|
---|
4027 | uint32_t cDevIdApp = 0;
|
---|
4028 | uint32_t cDevIdKext = 0;
|
---|
4029 | uint32_t cDevIdMacDev = 0;
|
---|
4030 | for (uint32_t i = 0; i < pCert->TbsCertificate.T3.Extensions.cItems; i++)
|
---|
4031 | {
|
---|
4032 | PCRTCRX509EXTENSION pExt = pCert->TbsCertificate.T3.Extensions.papItems[i];
|
---|
4033 | if (RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCR_APPLE_CS_DEVID_APPLICATION_OID) == 0)
|
---|
4034 | {
|
---|
4035 | cDevIdApp++;
|
---|
4036 | if (!pExt->Critical.fValue)
|
---|
4037 | rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
4038 | "Dev ID Application certificate extension is not flagged critical");
|
---|
4039 | }
|
---|
4040 | else if (RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCR_APPLE_CS_DEVID_KEXT_OID) == 0)
|
---|
4041 | {
|
---|
4042 | cDevIdKext++;
|
---|
4043 | if (!pExt->Critical.fValue)
|
---|
4044 | rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
4045 | "Dev ID kext certificate extension is not flagged critical");
|
---|
4046 | }
|
---|
4047 | else if (RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCR_APPLE_CS_DEVID_MAC_SW_DEV_OID) == 0)
|
---|
4048 | {
|
---|
4049 | cDevIdMacDev++;
|
---|
4050 | if (!pExt->Critical.fValue)
|
---|
4051 | rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
4052 | "Dev ID Mac SW dev certificate extension is not flagged critical");
|
---|
4053 | }
|
---|
4054 | }
|
---|
4055 | if (cDevIdApp == 0)
|
---|
4056 | {
|
---|
4057 | if (cDevIdMacDev == 0)
|
---|
4058 | rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
4059 | "Certificate is missing the 'Dev ID Application' extension");
|
---|
4060 | else
|
---|
4061 | RTMsgWarning("Mac SW dev certificate used to sign code.");
|
---|
4062 | }
|
---|
4063 | if (cDevIdKext == 0 && pState->fKernel)
|
---|
4064 | {
|
---|
4065 | if (cDevIdMacDev == 0)
|
---|
4066 | rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
|
---|
4067 | "Certificate is missing the 'Dev ID kext' extension");
|
---|
4068 | else
|
---|
4069 | RTMsgWarning("Mac SW dev certificate used to sign kernel code.");
|
---|
4070 | }
|
---|
4071 | }
|
---|
4072 | }
|
---|
4073 |
|
---|
4074 | return rc;
|
---|
4075 | }
|
---|
4076 |
|
---|
4077 | /** @callback_method_impl{FNRTLDRVALIDATESIGNEDDATA} */
|
---|
4078 | static DECLCALLBACK(int) VerifyExeCallback(RTLDRMOD hLdrMod, PCRTLDRSIGNATUREINFO pInfo, PRTERRINFO pErrInfo, void *pvUser)
|
---|
4079 | {
|
---|
4080 | VERIFYEXESTATE *pState = (VERIFYEXESTATE *)pvUser;
|
---|
4081 | RT_NOREF_PV(hLdrMod);
|
---|
4082 |
|
---|
4083 | switch (pInfo->enmType)
|
---|
4084 | {
|
---|
4085 | case RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA:
|
---|
4086 | {
|
---|
4087 | PCRTCRPKCS7CONTENTINFO pContentInfo = (PCRTCRPKCS7CONTENTINFO)pInfo->pvSignature;
|
---|
4088 |
|
---|
4089 | /*
|
---|
4090 | * Dump the signed data if so requested and it's the first one, assuming that
|
---|
4091 | * additional signatures in contained wihtin the same ContentInfo structure.
|
---|
4092 | */
|
---|
4093 | if (pState->cVerbose && pInfo->iSignature == 0)
|
---|
4094 | RTAsn1Dump(&pContentInfo->SeqCore.Asn1Core, 0, 0, RTStrmDumpPrintfV, g_pStdOut);
|
---|
4095 |
|
---|
4096 | /*
|
---|
4097 | * We'll try different alternative timestamps here.
|
---|
4098 | */
|
---|
4099 | struct { RTTIMESPEC TimeSpec; const char *pszDesc; } aTimes[3];
|
---|
4100 | unsigned cTimes = 0;
|
---|
4101 |
|
---|
4102 | /* The specified timestamp. */
|
---|
4103 | if (RTTimeSpecGetSeconds(&pState->ValidationTime) != 0)
|
---|
4104 | {
|
---|
4105 | aTimes[cTimes].TimeSpec = pState->ValidationTime;
|
---|
4106 | aTimes[cTimes].pszDesc = "validation time";
|
---|
4107 | cTimes++;
|
---|
4108 | }
|
---|
4109 |
|
---|
4110 | /* Linking timestamp: */
|
---|
4111 | uint64_t uLinkingTime = 0;
|
---|
4112 | int rc = RTLdrQueryProp(hLdrMod, RTLDRPROP_TIMESTAMP_SECONDS, &uLinkingTime, sizeof(uLinkingTime));
|
---|
4113 | if (RT_SUCCESS(rc))
|
---|
4114 | {
|
---|
4115 | RTTimeSpecSetSeconds(&aTimes[cTimes].TimeSpec, uLinkingTime);
|
---|
4116 | aTimes[cTimes].pszDesc = "at link time";
|
---|
4117 | cTimes++;
|
---|
4118 | }
|
---|
4119 | else if (rc != VERR_NOT_FOUND)
|
---|
4120 | RTMsgError("RTLdrQueryProp/RTLDRPROP_TIMESTAMP_SECONDS failed on '%s': %Rrc\n", pState->pszFilename, rc);
|
---|
4121 |
|
---|
4122 | /* Now: */
|
---|
4123 | RTTimeNow(&aTimes[cTimes].TimeSpec);
|
---|
4124 | aTimes[cTimes].pszDesc = "now";
|
---|
4125 | cTimes++;
|
---|
4126 |
|
---|
4127 | /*
|
---|
4128 | * Do the actual verification.
|
---|
4129 | */
|
---|
4130 | for (unsigned iTime = 0; iTime < cTimes; iTime++)
|
---|
4131 | {
|
---|
4132 | if (pInfo->pvExternalData)
|
---|
4133 | rc = RTCrPkcs7VerifySignedDataWithExternalData(pContentInfo,
|
---|
4134 | RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY
|
---|
4135 | | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT
|
---|
4136 | | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT
|
---|
4137 | | RTCRPKCS7VERIFY_SD_F_CHECK_TRUST_ANCHORS,
|
---|
4138 | pState->hAdditionalStore, pState->hRootStore,
|
---|
4139 | &aTimes[iTime].TimeSpec,
|
---|
4140 | VerifyExecCertVerifyCallback, pState,
|
---|
4141 | pInfo->pvExternalData, pInfo->cbExternalData, pErrInfo);
|
---|
4142 | else
|
---|
4143 | rc = RTCrPkcs7VerifySignedData(pContentInfo,
|
---|
4144 | RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY
|
---|
4145 | | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT
|
---|
4146 | | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT
|
---|
4147 | | RTCRPKCS7VERIFY_SD_F_CHECK_TRUST_ANCHORS,
|
---|
4148 | pState->hAdditionalStore, pState->hRootStore,
|
---|
4149 | &aTimes[iTime].TimeSpec,
|
---|
4150 | VerifyExecCertVerifyCallback, pState, pErrInfo);
|
---|
4151 | if (RT_SUCCESS(rc))
|
---|
4152 | {
|
---|
4153 | Assert(rc == VINF_SUCCESS || rc == VINF_CR_DIGEST_DEPRECATED);
|
---|
4154 | const char *pszNote = rc == VINF_CR_DIGEST_DEPRECATED ? " (deprecated digest)" : "";
|
---|
4155 | if (pInfo->cSignatures == 1)
|
---|
4156 | RTMsgInfo("'%s' is valid %s%s.\n", pState->pszFilename, aTimes[iTime].pszDesc, pszNote);
|
---|
4157 | else
|
---|
4158 | RTMsgInfo("'%s' signature #%u is valid %s%s.\n",
|
---|
4159 | pState->pszFilename, pInfo->iSignature + 1, aTimes[iTime].pszDesc, pszNote);
|
---|
4160 | pState->cOkay++;
|
---|
4161 | return VINF_SUCCESS;
|
---|
4162 | }
|
---|
4163 | if (rc != VERR_CR_X509_CPV_NOT_VALID_AT_TIME)
|
---|
4164 | {
|
---|
4165 | if (pInfo->cSignatures == 1)
|
---|
4166 | RTMsgError("%s: Failed to verify signature: %Rrc%#RTeim\n", pState->pszFilename, rc, pErrInfo);
|
---|
4167 | else
|
---|
4168 | RTMsgError("%s: Failed to verify signature #%u: %Rrc%#RTeim\n",
|
---|
4169 | pState->pszFilename, pInfo->iSignature + 1, rc, pErrInfo);
|
---|
4170 | pState->cBad++;
|
---|
4171 | return VINF_SUCCESS;
|
---|
4172 | }
|
---|
4173 | }
|
---|
4174 |
|
---|
4175 | if (pInfo->cSignatures == 1)
|
---|
4176 | RTMsgError("%s: Signature is not valid at present or link time.\n", pState->pszFilename);
|
---|
4177 | else
|
---|
4178 | RTMsgError("%s: Signature #%u is not valid at present or link time.\n",
|
---|
4179 | pState->pszFilename, pInfo->iSignature + 1);
|
---|
4180 | pState->cBad++;
|
---|
4181 | return VINF_SUCCESS;
|
---|
4182 | }
|
---|
4183 |
|
---|
4184 | default:
|
---|
4185 | return RTErrInfoSetF(pErrInfo, VERR_NOT_SUPPORTED, "Unsupported signature type: %d", pInfo->enmType);
|
---|
4186 | }
|
---|
4187 | }
|
---|
4188 |
|
---|
4189 | /**
|
---|
4190 | * Worker for HandleVerifyExe.
|
---|
4191 | */
|
---|
4192 | static RTEXITCODE HandleVerifyExeWorker(VERIFYEXESTATE *pState, const char *pszFilename, PRTERRINFOSTATIC pStaticErrInfo)
|
---|
4193 | {
|
---|
4194 | /*
|
---|
4195 | * Open the executable image and verify it.
|
---|
4196 | */
|
---|
4197 | RTLDRMOD hLdrMod;
|
---|
4198 | int rc = RTLdrOpen(pszFilename, RTLDR_O_FOR_VALIDATION, pState->enmLdrArch, &hLdrMod);
|
---|
4199 | if (RT_FAILURE(rc))
|
---|
4200 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error opening executable image '%s': %Rrc", pszFilename, rc);
|
---|
4201 |
|
---|
4202 | /* Reset the state. */
|
---|
4203 | pState->cBad = 0;
|
---|
4204 | pState->cOkay = 0;
|
---|
4205 | pState->pszFilename = pszFilename;
|
---|
4206 |
|
---|
4207 | rc = RTLdrVerifySignature(hLdrMod, VerifyExeCallback, pState, RTErrInfoInitStatic(pStaticErrInfo));
|
---|
4208 | if (RT_FAILURE(rc))
|
---|
4209 | RTMsgError("RTLdrVerifySignature failed on '%s': %Rrc - %s\n", pszFilename, rc, pStaticErrInfo->szMsg);
|
---|
4210 |
|
---|
4211 | int rc2 = RTLdrClose(hLdrMod);
|
---|
4212 | if (RT_FAILURE(rc2))
|
---|
4213 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "RTLdrClose failed: %Rrc\n", rc2);
|
---|
4214 | if (RT_FAILURE(rc))
|
---|
4215 | return rc != VERR_LDRVI_NOT_SIGNED ? RTEXITCODE_FAILURE : RTEXITCODE_SKIPPED;
|
---|
4216 |
|
---|
4217 | return pState->cOkay > 0 ? RTEXITCODE_SUCCESS : RTEXITCODE_FAILURE;
|
---|
4218 | }
|
---|
4219 |
|
---|
4220 |
|
---|
4221 | static RTEXITCODE HandleVerifyExe(int cArgs, char **papszArgs)
|
---|
4222 | {
|
---|
4223 | RTERRINFOSTATIC StaticErrInfo;
|
---|
4224 |
|
---|
4225 | /* Note! This code does not try to clean up the crypto stores on failure.
|
---|
4226 | This is intentional as the code is only expected to be used in a
|
---|
4227 | one-command-per-process environment where we do exit() upon
|
---|
4228 | returning from this function. */
|
---|
4229 |
|
---|
4230 | /*
|
---|
4231 | * Parse arguments.
|
---|
4232 | */
|
---|
4233 | static const RTGETOPTDEF s_aOptions[] =
|
---|
4234 | {
|
---|
4235 | { "--kernel", 'k', RTGETOPT_REQ_NOTHING },
|
---|
4236 | { "--root", 'r', RTGETOPT_REQ_STRING },
|
---|
4237 | { "--additional", 'a', RTGETOPT_REQ_STRING },
|
---|
4238 | { "--add", 'a', RTGETOPT_REQ_STRING },
|
---|
4239 | { "--type", 't', RTGETOPT_REQ_STRING },
|
---|
4240 | { "--validation-time", 'T', RTGETOPT_REQ_STRING },
|
---|
4241 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
4242 | { "--quiet", 'q', RTGETOPT_REQ_NOTHING },
|
---|
4243 | };
|
---|
4244 |
|
---|
4245 | VERIFYEXESTATE State =
|
---|
4246 | {
|
---|
4247 | NIL_RTCRSTORE, NIL_RTCRSTORE, NIL_RTCRSTORE, false, 0,
|
---|
4248 | VERIFYEXESTATE::kSignType_Windows, RTLDRARCH_WHATEVER,
|
---|
4249 | 0, 0, NULL
|
---|
4250 | };
|
---|
4251 | int rc = RTCrStoreCreateInMem(&State.hRootStore, 0);
|
---|
4252 | if (RT_SUCCESS(rc))
|
---|
4253 | rc = RTCrStoreCreateInMem(&State.hKernelRootStore, 0);
|
---|
4254 | if (RT_SUCCESS(rc))
|
---|
4255 | rc = RTCrStoreCreateInMem(&State.hAdditionalStore, 0);
|
---|
4256 | if (RT_FAILURE(rc))
|
---|
4257 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error creating in-memory certificate store: %Rrc", rc);
|
---|
4258 | RTTimeSpecSetSeconds(&State.ValidationTime, 0);
|
---|
4259 |
|
---|
4260 | RTGETOPTSTATE GetState;
|
---|
4261 | rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
4262 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
4263 | RTGETOPTUNION ValueUnion;
|
---|
4264 | int ch;
|
---|
4265 | while ((ch = RTGetOpt(&GetState, &ValueUnion)) && ch != VINF_GETOPT_NOT_OPTION)
|
---|
4266 | {
|
---|
4267 | switch (ch)
|
---|
4268 | {
|
---|
4269 | case 'r': case 'a':
|
---|
4270 | rc = RTCrStoreCertAddFromFile(ch == 'r' ? State.hRootStore : State.hAdditionalStore,
|
---|
4271 | RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR,
|
---|
4272 | ValueUnion.psz, RTErrInfoInitStatic(&StaticErrInfo));
|
---|
4273 | if (RT_FAILURE(rc))
|
---|
4274 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error loading certificate '%s': %Rrc - %s",
|
---|
4275 | ValueUnion.psz, rc, StaticErrInfo.szMsg);
|
---|
4276 | if (RTErrInfoIsSet(&StaticErrInfo.Core))
|
---|
4277 | RTMsgWarning("Warnings loading certificate '%s': %s", ValueUnion.psz, StaticErrInfo.szMsg);
|
---|
4278 | break;
|
---|
4279 |
|
---|
4280 | case 't':
|
---|
4281 | if (!strcmp(ValueUnion.psz, "win") || !strcmp(ValueUnion.psz, "windows"))
|
---|
4282 | State.enmSignType = VERIFYEXESTATE::kSignType_Windows;
|
---|
4283 | else if (!strcmp(ValueUnion.psz, "osx") || !strcmp(ValueUnion.psz, "apple"))
|
---|
4284 | State.enmSignType = VERIFYEXESTATE::kSignType_OSX;
|
---|
4285 | else
|
---|
4286 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Unknown signing type: '%s'", ValueUnion.psz);
|
---|
4287 | break;
|
---|
4288 |
|
---|
4289 | case 'T':
|
---|
4290 | if (!RTTimeSpecFromString(&State.ValidationTime, ValueUnion.psz))
|
---|
4291 | return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Invalid validation time (%s): %Rrc", ValueUnion.psz, rc);
|
---|
4292 | break;
|
---|
4293 |
|
---|
4294 | case 'k': State.fKernel = true; break;
|
---|
4295 | case 'v': State.cVerbose++; break;
|
---|
4296 | case 'q': State.cVerbose = 0; break;
|
---|
4297 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
4298 | case 'h': return HelpVerifyExe(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
4299 | default: return RTGetOptPrintError(ch, &ValueUnion);
|
---|
4300 | }
|
---|
4301 | }
|
---|
4302 | if (ch != VINF_GETOPT_NOT_OPTION)
|
---|
4303 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No executable given.");
|
---|
4304 |
|
---|
4305 | /*
|
---|
4306 | * Populate the certificate stores according to the signing type.
|
---|
4307 | */
|
---|
4308 | # ifdef VBOX
|
---|
4309 | unsigned cSets = 0;
|
---|
4310 | struct STSTORESET aSets[6];
|
---|
4311 | switch (State.enmSignType)
|
---|
4312 | {
|
---|
4313 | case VERIFYEXESTATE::kSignType_Windows:
|
---|
4314 | aSets[cSets].hStore = State.hRootStore;
|
---|
4315 | aSets[cSets].paTAs = g_aSUPTimestampTAs;
|
---|
4316 | aSets[cSets].cTAs = g_cSUPTimestampTAs;
|
---|
4317 | cSets++;
|
---|
4318 | aSets[cSets].hStore = State.hRootStore;
|
---|
4319 | aSets[cSets].paTAs = g_aSUPSpcRootTAs;
|
---|
4320 | aSets[cSets].cTAs = g_cSUPSpcRootTAs;
|
---|
4321 | cSets++;
|
---|
4322 | aSets[cSets].hStore = State.hRootStore;
|
---|
4323 | aSets[cSets].paTAs = g_aSUPNtKernelRootTAs;
|
---|
4324 | aSets[cSets].cTAs = g_cSUPNtKernelRootTAs;
|
---|
4325 | cSets++;
|
---|
4326 | aSets[cSets].hStore = State.hKernelRootStore;
|
---|
4327 | aSets[cSets].paTAs = g_aSUPNtKernelRootTAs;
|
---|
4328 | aSets[cSets].cTAs = g_cSUPNtKernelRootTAs;
|
---|
4329 | cSets++;
|
---|
4330 | break;
|
---|
4331 |
|
---|
4332 | case VERIFYEXESTATE::kSignType_OSX:
|
---|
4333 | aSets[cSets].hStore = State.hRootStore;
|
---|
4334 | aSets[cSets].paTAs = g_aSUPAppleRootTAs;
|
---|
4335 | aSets[cSets].cTAs = g_cSUPAppleRootTAs;
|
---|
4336 | cSets++;
|
---|
4337 | break;
|
---|
4338 | }
|
---|
4339 | for (unsigned i = 0; i < cSets; i++)
|
---|
4340 | for (unsigned j = 0; j < aSets[i].cTAs; j++)
|
---|
4341 | {
|
---|
4342 | rc = RTCrStoreCertAddEncoded(aSets[i].hStore, RTCRCERTCTX_F_ENC_TAF_DER, aSets[i].paTAs[j].pch,
|
---|
4343 | aSets[i].paTAs[j].cb, RTErrInfoInitStatic(&StaticErrInfo));
|
---|
4344 | if (RT_FAILURE(rc))
|
---|
4345 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "RTCrStoreCertAddEncoded failed (%u/%u): %s",
|
---|
4346 | i, j, StaticErrInfo.szMsg);
|
---|
4347 | }
|
---|
4348 | # endif /* VBOX */
|
---|
4349 |
|
---|
4350 | /*
|
---|
4351 | * Do it.
|
---|
4352 | */
|
---|
4353 | RTEXITCODE rcExit;
|
---|
4354 | for (;;)
|
---|
4355 | {
|
---|
4356 | rcExit = HandleVerifyExeWorker(&State, ValueUnion.psz, &StaticErrInfo);
|
---|
4357 | if (rcExit != RTEXITCODE_SUCCESS)
|
---|
4358 | break;
|
---|
4359 |
|
---|
4360 | /*
|
---|
4361 | * Next file
|
---|
4362 | */
|
---|
4363 | ch = RTGetOpt(&GetState, &ValueUnion);
|
---|
4364 | if (ch == 0)
|
---|
4365 | break;
|
---|
4366 | if (ch != VINF_GETOPT_NOT_OPTION)
|
---|
4367 | {
|
---|
4368 | rcExit = RTGetOptPrintError(ch, &ValueUnion);
|
---|
4369 | break;
|
---|
4370 | }
|
---|
4371 | }
|
---|
4372 |
|
---|
4373 | /*
|
---|
4374 | * Clean up.
|
---|
4375 | */
|
---|
4376 | uint32_t cRefs;
|
---|
4377 | cRefs = RTCrStoreRelease(State.hRootStore); Assert(cRefs == 0);
|
---|
4378 | cRefs = RTCrStoreRelease(State.hKernelRootStore); Assert(cRefs == 0);
|
---|
4379 | cRefs = RTCrStoreRelease(State.hAdditionalStore); Assert(cRefs == 0);
|
---|
4380 |
|
---|
4381 | return rcExit;
|
---|
4382 | }
|
---|
4383 |
|
---|
4384 | #endif /* !IPRT_IN_BUILD_TOOL */
|
---|
4385 |
|
---|
4386 | /*
|
---|
4387 | * common code for show-exe and show-cat:
|
---|
4388 | */
|
---|
4389 |
|
---|
4390 | /**
|
---|
4391 | * Display an object ID.
|
---|
4392 | *
|
---|
4393 | * @returns IPRT status code.
|
---|
4394 | * @param pThis The show exe instance data.
|
---|
4395 | * @param pObjId The object ID to display.
|
---|
4396 | * @param pszLabel The field label (prefixed by szPrefix).
|
---|
4397 | * @param pszPost What to print after the ID (typically newline).
|
---|
4398 | */
|
---|
4399 | static void HandleShowExeWorkerDisplayObjId(PSHOWEXEPKCS7 pThis, PCRTASN1OBJID pObjId, const char *pszLabel, const char *pszPost)
|
---|
4400 | {
|
---|
4401 | int rc = RTAsn1QueryObjIdName(pObjId, pThis->szTmp, sizeof(pThis->szTmp));
|
---|
4402 | if (RT_SUCCESS(rc))
|
---|
4403 | {
|
---|
4404 | if (pThis->cVerbosity > 1)
|
---|
4405 | RTPrintf("%s%s%s (%s)%s", pThis->szPrefix, pszLabel, pThis->szTmp, pObjId->szObjId, pszPost);
|
---|
4406 | else
|
---|
4407 | RTPrintf("%s%s%s%s", pThis->szPrefix, pszLabel, pThis->szTmp, pszPost);
|
---|
4408 | }
|
---|
4409 | else
|
---|
4410 | RTPrintf("%s%s%s%s", pThis->szPrefix, pszLabel, pObjId->szObjId, pszPost);
|
---|
4411 | }
|
---|
4412 |
|
---|
4413 |
|
---|
4414 | /**
|
---|
4415 | * Display an object ID, without prefix and label
|
---|
4416 | *
|
---|
4417 | * @returns IPRT status code.
|
---|
4418 | * @param pThis The show exe instance data.
|
---|
4419 | * @param pObjId The object ID to display.
|
---|
4420 | * @param pszPost What to print after the ID (typically newline).
|
---|
4421 | */
|
---|
4422 | static void HandleShowExeWorkerDisplayObjIdSimple(PSHOWEXEPKCS7 pThis, PCRTASN1OBJID pObjId, const char *pszPost)
|
---|
4423 | {
|
---|
4424 | int rc = RTAsn1QueryObjIdName(pObjId, pThis->szTmp, sizeof(pThis->szTmp));
|
---|
4425 | if (RT_SUCCESS(rc))
|
---|
4426 | {
|
---|
4427 | if (pThis->cVerbosity > 1)
|
---|
4428 | RTPrintf("%s (%s)%s", pThis->szTmp, pObjId->szObjId, pszPost);
|
---|
4429 | else
|
---|
4430 | RTPrintf("%s%s", pThis->szTmp, pszPost);
|
---|
4431 | }
|
---|
4432 | else
|
---|
4433 | RTPrintf("%s%s", pObjId->szObjId, pszPost);
|
---|
4434 | }
|
---|
4435 |
|
---|
4436 |
|
---|
4437 | /**
|
---|
4438 | * Display a signer info attribute.
|
---|
4439 | *
|
---|
4440 | * @returns IPRT status code.
|
---|
4441 | * @param pThis The show exe instance data.
|
---|
4442 | * @param offPrefix The current prefix offset.
|
---|
4443 | * @param pAttr The attribute to display.
|
---|
4444 | */
|
---|
4445 | static int HandleShowExeWorkerPkcs7DisplayAttrib(PSHOWEXEPKCS7 pThis, size_t offPrefix, PCRTCRPKCS7ATTRIBUTE pAttr)
|
---|
4446 | {
|
---|
4447 | HandleShowExeWorkerDisplayObjId(pThis, &pAttr->Type, "", ":\n");
|
---|
4448 | if (pThis->cVerbosity > 4 && pAttr->SeqCore.Asn1Core.uData.pu8)
|
---|
4449 | RTPrintf("%s uData.pu8=%p cb=%#x\n", pThis->szPrefix, pAttr->SeqCore.Asn1Core.uData.pu8, pAttr->SeqCore.Asn1Core.cb);
|
---|
4450 |
|
---|
4451 | int rc = VINF_SUCCESS;
|
---|
4452 | switch (pAttr->enmType)
|
---|
4453 | {
|
---|
4454 | case RTCRPKCS7ATTRIBUTETYPE_UNKNOWN:
|
---|
4455 | if (pAttr->uValues.pCores->cItems <= 1)
|
---|
4456 | RTPrintf("%s %u bytes\n", pThis->szPrefix,pAttr->uValues.pCores->SetCore.Asn1Core.cb);
|
---|
4457 | else
|
---|
4458 | RTPrintf("%s %u bytes divided by %u items\n", pThis->szPrefix, pAttr->uValues.pCores->SetCore.Asn1Core.cb, pAttr->uValues.pCores->cItems);
|
---|
4459 | break;
|
---|
4460 |
|
---|
4461 | /* Object IDs, use pObjIds. */
|
---|
4462 | case RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS:
|
---|
4463 | if (pAttr->uValues.pObjIds->cItems != 1)
|
---|
4464 | RTPrintf("%s%u object IDs:", pThis->szPrefix, pAttr->uValues.pObjIds->cItems);
|
---|
4465 | for (unsigned i = 0; i < pAttr->uValues.pObjIds->cItems; i++)
|
---|
4466 | {
|
---|
4467 | if (pAttr->uValues.pObjIds->cItems == 1)
|
---|
4468 | RTPrintf("%s ", pThis->szPrefix);
|
---|
4469 | else
|
---|
4470 | RTPrintf("%s ObjId[%u]: ", pThis->szPrefix, i);
|
---|
4471 | HandleShowExeWorkerDisplayObjIdSimple(pThis, pAttr->uValues.pObjIds->papItems[i], "\n");
|
---|
4472 | }
|
---|
4473 | break;
|
---|
4474 |
|
---|
4475 | /* Sequence of object IDs, use pObjIdSeqs. */
|
---|
4476 | case RTCRPKCS7ATTRIBUTETYPE_MS_STATEMENT_TYPE:
|
---|
4477 | if (pAttr->uValues.pObjIdSeqs->cItems != 1)
|
---|
4478 | RTPrintf("%s%u object IDs:", pThis->szPrefix, pAttr->uValues.pObjIdSeqs->cItems);
|
---|
4479 | for (unsigned i = 0; i < pAttr->uValues.pObjIdSeqs->cItems; i++)
|
---|
4480 | {
|
---|
4481 | uint32_t const cObjIds = pAttr->uValues.pObjIdSeqs->papItems[i]->cItems;
|
---|
4482 | for (unsigned j = 0; j < cObjIds; j++)
|
---|
4483 | {
|
---|
4484 | if (pAttr->uValues.pObjIdSeqs->cItems == 1)
|
---|
4485 | RTPrintf("%s ", pThis->szPrefix);
|
---|
4486 | else
|
---|
4487 | RTPrintf("%s ObjIdSeq[%u]: ", pThis->szPrefix, i);
|
---|
4488 | if (cObjIds != 1)
|
---|
4489 | RTPrintf(" ObjId[%u]: ", j);
|
---|
4490 | HandleShowExeWorkerDisplayObjIdSimple(pThis, pAttr->uValues.pObjIdSeqs->papItems[i]->papItems[i], "\n");
|
---|
4491 | }
|
---|
4492 | }
|
---|
4493 | break;
|
---|
4494 |
|
---|
4495 | /* Octet strings, use pOctetStrings. */
|
---|
4496 | case RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS:
|
---|
4497 | if (pAttr->uValues.pOctetStrings->cItems != 1)
|
---|
4498 | RTPrintf("%s%u octet strings:", pThis->szPrefix, pAttr->uValues.pOctetStrings->cItems);
|
---|
4499 | for (unsigned i = 0; i < pAttr->uValues.pOctetStrings->cItems; i++)
|
---|
4500 | {
|
---|
4501 | PCRTASN1OCTETSTRING pOctetString = pAttr->uValues.pOctetStrings->papItems[i];
|
---|
4502 | uint32_t cbContent = pOctetString->Asn1Core.cb;
|
---|
4503 | if (cbContent > 0 && (cbContent <= 128 || pThis->cVerbosity >= 2))
|
---|
4504 | {
|
---|
4505 | uint8_t const *pbContent = pOctetString->Asn1Core.uData.pu8;
|
---|
4506 | uint32_t off = 0;
|
---|
4507 | while (off < cbContent)
|
---|
4508 | {
|
---|
4509 | uint32_t cbNow = RT_MIN(cbContent - off, 16);
|
---|
4510 | if (pAttr->uValues.pOctetStrings->cItems == 1)
|
---|
4511 | RTPrintf("%s %#06x: %.*Rhxs\n", pThis->szPrefix, off, cbNow, &pbContent[off]);
|
---|
4512 | else
|
---|
4513 | RTPrintf("%s OctetString[%u]: %#06x: %.*Rhxs\n", pThis->szPrefix, i, off, cbNow, &pbContent[off]);
|
---|
4514 | off += cbNow;
|
---|
4515 | }
|
---|
4516 | }
|
---|
4517 | else
|
---|
4518 | RTPrintf("%s: OctetString[%u]: %u bytes\n", pThis->szPrefix, i, pOctetString->Asn1Core.cb);
|
---|
4519 | }
|
---|
4520 | break;
|
---|
4521 |
|
---|
4522 | /* Counter signatures (PKCS \#9), use pCounterSignatures. */
|
---|
4523 | case RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES:
|
---|
4524 | RTPrintf("%s%u counter signatures, %u bytes in total\n", pThis->szPrefix,
|
---|
4525 | pAttr->uValues.pCounterSignatures->cItems, pAttr->uValues.pCounterSignatures->SetCore.Asn1Core.cb);
|
---|
4526 | for (uint32_t i = 0; i < pAttr->uValues.pCounterSignatures->cItems; i++)
|
---|
4527 | {
|
---|
4528 | size_t offPrefix2 = offPrefix;
|
---|
4529 | if (pAttr->uValues.pContentInfos->cItems > 1)
|
---|
4530 | offPrefix2 += RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, "CounterSig[%u]: ", i);
|
---|
4531 | else
|
---|
4532 | offPrefix2 += RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, " ");
|
---|
4533 |
|
---|
4534 | int rc2 = HandleShowExeWorkerPkcs7DisplaySignerInfo(pThis, offPrefix2,
|
---|
4535 | pAttr->uValues.pCounterSignatures->papItems[i]);
|
---|
4536 | if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
|
---|
4537 | rc = rc2;
|
---|
4538 | }
|
---|
4539 | break;
|
---|
4540 |
|
---|
4541 | /* Signing time (PKCS \#9), use pSigningTime. */
|
---|
4542 | case RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME:
|
---|
4543 | for (uint32_t i = 0; i < pAttr->uValues.pSigningTime->cItems; i++)
|
---|
4544 | {
|
---|
4545 | PCRTASN1TIME pTime = pAttr->uValues.pSigningTime->papItems[i];
|
---|
4546 | char szTS[RTTIME_STR_LEN];
|
---|
4547 | RTTimeToString(&pTime->Time, szTS, sizeof(szTS));
|
---|
4548 | if (pAttr->uValues.pSigningTime->cItems == 1)
|
---|
4549 | RTPrintf("%s %s (%.*s)\n", pThis->szPrefix, szTS, pTime->Asn1Core.cb, pTime->Asn1Core.uData.pch);
|
---|
4550 | else
|
---|
4551 | RTPrintf("%s #%u: %s (%.*s)\n", pThis->szPrefix, i, szTS, pTime->Asn1Core.cb, pTime->Asn1Core.uData.pch);
|
---|
4552 | }
|
---|
4553 | break;
|
---|
4554 |
|
---|
4555 | /* Microsoft timestamp info (RFC-3161) signed data, use pContentInfo. */
|
---|
4556 | case RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP:
|
---|
4557 | case RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE:
|
---|
4558 | if (pAttr->uValues.pContentInfos->cItems > 1)
|
---|
4559 | RTPrintf("%s%u nested signatures, %u bytes in total\n", pThis->szPrefix,
|
---|
4560 | pAttr->uValues.pContentInfos->cItems, pAttr->uValues.pContentInfos->SetCore.Asn1Core.cb);
|
---|
4561 | for (unsigned i = 0; i < pAttr->uValues.pContentInfos->cItems; i++)
|
---|
4562 | {
|
---|
4563 | size_t offPrefix2 = offPrefix;
|
---|
4564 | if (pAttr->uValues.pContentInfos->cItems > 1)
|
---|
4565 | offPrefix2 += RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, "NestedSig[%u]: ", i);
|
---|
4566 | else
|
---|
4567 | offPrefix2 += RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, " ");
|
---|
4568 | // offPrefix2 += RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, "NestedSig: ", i);
|
---|
4569 | PCRTCRPKCS7CONTENTINFO pContentInfo = pAttr->uValues.pContentInfos->papItems[i];
|
---|
4570 | int rc2;
|
---|
4571 | if (RTCrPkcs7ContentInfo_IsSignedData(pContentInfo))
|
---|
4572 | rc2 = HandleShowExeWorkerPkcs7Display(pThis, pContentInfo->u.pSignedData, offPrefix2, pContentInfo);
|
---|
4573 | else
|
---|
4574 | rc2 = RTMsgErrorRc(VERR_ASN1_UNEXPECTED_OBJ_ID, "%sPKCS#7 content in nested signature is not 'signedData': %s",
|
---|
4575 | pThis->szPrefix, pContentInfo->ContentType.szObjId);
|
---|
4576 | if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
|
---|
4577 | rc = rc2;
|
---|
4578 | }
|
---|
4579 | break;
|
---|
4580 |
|
---|
4581 | case RTCRPKCS7ATTRIBUTETYPE_APPLE_MULTI_CD_PLIST:
|
---|
4582 | if (pAttr->uValues.pContentInfos->cItems != 1)
|
---|
4583 | RTPrintf("%s%u plists, expected only 1.\n", pThis->szPrefix, pAttr->uValues.pOctetStrings->cItems);
|
---|
4584 | for (unsigned i = 0; i < pAttr->uValues.pOctetStrings->cItems; i++)
|
---|
4585 | {
|
---|
4586 | PCRTASN1OCTETSTRING pOctetString = pAttr->uValues.pOctetStrings->papItems[i];
|
---|
4587 | size_t cbContent = pOctetString->Asn1Core.cb;
|
---|
4588 | char const *pchContent = pOctetString->Asn1Core.uData.pch;
|
---|
4589 | rc = RTStrValidateEncodingEx(pchContent, cbContent, RTSTR_VALIDATE_ENCODING_EXACT_LENGTH);
|
---|
4590 | if (RT_SUCCESS(rc))
|
---|
4591 | {
|
---|
4592 | while (cbContent > 0)
|
---|
4593 | {
|
---|
4594 | const char *pchNewLine = (const char *)memchr(pchContent, '\n', cbContent);
|
---|
4595 | size_t cchToWrite = pchNewLine ? pchNewLine - pchContent : cbContent;
|
---|
4596 | if (pAttr->uValues.pOctetStrings->cItems == 1)
|
---|
4597 | RTPrintf("%s %.*s\n", pThis->szPrefix, cchToWrite, pchContent);
|
---|
4598 | else
|
---|
4599 | RTPrintf("%s plist[%u]: %.*s\n", pThis->szPrefix, i, cchToWrite, pchContent);
|
---|
4600 | if (!pchNewLine)
|
---|
4601 | break;
|
---|
4602 | pchContent = pchNewLine + 1;
|
---|
4603 | cbContent -= cchToWrite + 1;
|
---|
4604 | }
|
---|
4605 | }
|
---|
4606 | else
|
---|
4607 | {
|
---|
4608 | if (pAttr->uValues.pContentInfos->cItems != 1)
|
---|
4609 | RTPrintf("%s: plist[%u]: Invalid UTF-8: %Rrc\n", pThis->szPrefix, i, rc);
|
---|
4610 | else
|
---|
4611 | RTPrintf("%s: Invalid UTF-8: %Rrc\n", pThis->szPrefix, rc);
|
---|
4612 | for (uint32_t off = 0; off < cbContent; off += 16)
|
---|
4613 | {
|
---|
4614 | size_t cbNow = RT_MIN(cbContent - off, 16);
|
---|
4615 | if (pAttr->uValues.pOctetStrings->cItems == 1)
|
---|
4616 | RTPrintf("%s %#06x: %.*Rhxs\n", pThis->szPrefix, off, cbNow, &pchContent[off]);
|
---|
4617 | else
|
---|
4618 | RTPrintf("%s plist[%u]: %#06x: %.*Rhxs\n", pThis->szPrefix, i, off, cbNow, &pchContent[off]);
|
---|
4619 | }
|
---|
4620 | }
|
---|
4621 | }
|
---|
4622 | break;
|
---|
4623 |
|
---|
4624 | case RTCRPKCS7ATTRIBUTETYPE_INVALID:
|
---|
4625 | RTPrintf("%sINVALID!\n", pThis->szPrefix);
|
---|
4626 | break;
|
---|
4627 | case RTCRPKCS7ATTRIBUTETYPE_NOT_PRESENT:
|
---|
4628 | RTPrintf("%sNOT PRESENT!\n", pThis->szPrefix);
|
---|
4629 | break;
|
---|
4630 | default:
|
---|
4631 | RTPrintf("%senmType=%d!\n", pThis->szPrefix, pAttr->enmType);
|
---|
4632 | break;
|
---|
4633 | }
|
---|
4634 | return rc;
|
---|
4635 | }
|
---|
4636 |
|
---|
4637 |
|
---|
4638 | /**
|
---|
4639 | * Displays a SignerInfo structure.
|
---|
4640 | *
|
---|
4641 | * @returns IPRT status code.
|
---|
4642 | * @param pThis The show exe instance data.
|
---|
4643 | * @param offPrefix The current prefix offset.
|
---|
4644 | * @param pSignerInfo The structure to display.
|
---|
4645 | */
|
---|
4646 | static int HandleShowExeWorkerPkcs7DisplaySignerInfo(PSHOWEXEPKCS7 pThis, size_t offPrefix, PCRTCRPKCS7SIGNERINFO pSignerInfo)
|
---|
4647 | {
|
---|
4648 | int rc = RTAsn1Integer_ToString(&pSignerInfo->IssuerAndSerialNumber.SerialNumber,
|
---|
4649 | pThis->szTmp, sizeof(pThis->szTmp), 0 /*fFlags*/, NULL);
|
---|
4650 | if (RT_FAILURE(rc))
|
---|
4651 | RTStrPrintf(pThis->szTmp, sizeof(pThis->szTmp), "%Rrc", rc);
|
---|
4652 | RTPrintf("%s Serial No: %s\n", pThis->szPrefix, pThis->szTmp);
|
---|
4653 |
|
---|
4654 | rc = RTCrX509Name_FormatAsString(&pSignerInfo->IssuerAndSerialNumber.Name, pThis->szTmp, sizeof(pThis->szTmp), NULL);
|
---|
4655 | if (RT_FAILURE(rc))
|
---|
4656 | RTStrPrintf(pThis->szTmp, sizeof(pThis->szTmp), "%Rrc", rc);
|
---|
4657 | RTPrintf("%s Issuer: %s\n", pThis->szPrefix, pThis->szTmp);
|
---|
4658 |
|
---|
4659 | const char *pszType = RTCrDigestTypeToName(RTCrX509AlgorithmIdentifier_QueryDigestType(&pSignerInfo->DigestAlgorithm));
|
---|
4660 | if (!pszType)
|
---|
4661 | pszType = pSignerInfo->DigestAlgorithm.Algorithm.szObjId;
|
---|
4662 | RTPrintf("%s Digest Algorithm: %s", pThis->szPrefix, pszType);
|
---|
4663 | if (pThis->cVerbosity > 1)
|
---|
4664 | RTPrintf(" (%s)\n", pSignerInfo->DigestAlgorithm.Algorithm.szObjId);
|
---|
4665 | else
|
---|
4666 | RTPrintf("\n");
|
---|
4667 |
|
---|
4668 | HandleShowExeWorkerDisplayObjId(pThis, &pSignerInfo->DigestEncryptionAlgorithm.Algorithm,
|
---|
4669 | "Digest Encryption Algorithm: ", "\n");
|
---|
4670 |
|
---|
4671 | if (pSignerInfo->AuthenticatedAttributes.cItems == 0)
|
---|
4672 | RTPrintf("%s Authenticated Attributes: none\n", pThis->szPrefix);
|
---|
4673 | else
|
---|
4674 | {
|
---|
4675 | RTPrintf("%s Authenticated Attributes: %u item%s\n", pThis->szPrefix,
|
---|
4676 | pSignerInfo->AuthenticatedAttributes.cItems, pSignerInfo->AuthenticatedAttributes.cItems > 1 ? "s" : "");
|
---|
4677 | for (unsigned j = 0; j < pSignerInfo->AuthenticatedAttributes.cItems; j++)
|
---|
4678 | {
|
---|
4679 | PRTCRPKCS7ATTRIBUTE pAttr = pSignerInfo->AuthenticatedAttributes.papItems[j];
|
---|
4680 | size_t offPrefix3 = offPrefix+ RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix,
|
---|
4681 | " AuthAttrib[%u]: ", j);
|
---|
4682 | HandleShowExeWorkerPkcs7DisplayAttrib(pThis, offPrefix3, pAttr);
|
---|
4683 | }
|
---|
4684 | pThis->szPrefix[offPrefix] = '\0';
|
---|
4685 | }
|
---|
4686 |
|
---|
4687 | if (pSignerInfo->UnauthenticatedAttributes.cItems == 0)
|
---|
4688 | RTPrintf("%s Unauthenticated Attributes: none\n", pThis->szPrefix);
|
---|
4689 | else
|
---|
4690 | {
|
---|
4691 | RTPrintf("%s Unauthenticated Attributes: %u item%s\n", pThis->szPrefix,
|
---|
4692 | pSignerInfo->UnauthenticatedAttributes.cItems, pSignerInfo->UnauthenticatedAttributes.cItems > 1 ? "s" : "");
|
---|
4693 | for (unsigned j = 0; j < pSignerInfo->UnauthenticatedAttributes.cItems; j++)
|
---|
4694 | {
|
---|
4695 | PRTCRPKCS7ATTRIBUTE pAttr = pSignerInfo->UnauthenticatedAttributes.papItems[j];
|
---|
4696 | size_t offPrefix3 = offPrefix + RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix,
|
---|
4697 | " UnauthAttrib[%u]: ", j);
|
---|
4698 | HandleShowExeWorkerPkcs7DisplayAttrib(pThis, offPrefix3, pAttr);
|
---|
4699 | }
|
---|
4700 | pThis->szPrefix[offPrefix] = '\0';
|
---|
4701 | }
|
---|
4702 |
|
---|
4703 | /** @todo show the encrypted stuff (EncryptedDigest)? */
|
---|
4704 | return rc;
|
---|
4705 | }
|
---|
4706 |
|
---|
4707 |
|
---|
4708 | /**
|
---|
4709 | * Displays a Microsoft SPC indirect data structure.
|
---|
4710 | *
|
---|
4711 | * @returns IPRT status code.
|
---|
4712 | * @param pThis The show exe instance data.
|
---|
4713 | * @param offPrefix The current prefix offset.
|
---|
4714 | * @param pIndData The indirect data to display.
|
---|
4715 | */
|
---|
4716 | static int HandleShowExeWorkerPkcs7DisplaySpcIdirectDataContent(PSHOWEXEPKCS7 pThis, size_t offPrefix,
|
---|
4717 | PCRTCRSPCINDIRECTDATACONTENT pIndData)
|
---|
4718 | {
|
---|
4719 | /*
|
---|
4720 | * The image hash.
|
---|
4721 | */
|
---|
4722 | RTDIGESTTYPE const enmDigestType = RTCrX509AlgorithmIdentifier_QueryDigestType(&pIndData->DigestInfo.DigestAlgorithm);
|
---|
4723 | const char *pszDigestType = RTCrDigestTypeToName(enmDigestType);
|
---|
4724 | RTPrintf("%s Digest Type: %s", pThis->szPrefix, pszDigestType);
|
---|
4725 | if (pThis->cVerbosity > 1)
|
---|
4726 | RTPrintf(" (%s)\n", pIndData->DigestInfo.DigestAlgorithm.Algorithm.szObjId);
|
---|
4727 | else
|
---|
4728 | RTPrintf("\n");
|
---|
4729 | RTPrintf("%s Digest: %.*Rhxs\n",
|
---|
4730 | pThis->szPrefix, pIndData->DigestInfo.Digest.Asn1Core.cb, pIndData->DigestInfo.Digest.Asn1Core.uData.pu8);
|
---|
4731 |
|
---|
4732 | /*
|
---|
4733 | * The data/file/url.
|
---|
4734 | */
|
---|
4735 | switch (pIndData->Data.enmType)
|
---|
4736 | {
|
---|
4737 | case RTCRSPCAAOVTYPE_PE_IMAGE_DATA:
|
---|
4738 | {
|
---|
4739 | RTPrintf("%s Data Type: PE Image Data\n", pThis->szPrefix);
|
---|
4740 | PRTCRSPCPEIMAGEDATA pPeImage = pIndData->Data.uValue.pPeImage;
|
---|
4741 | /** @todo display "Flags". */
|
---|
4742 |
|
---|
4743 | switch (pPeImage->T0.File.enmChoice)
|
---|
4744 | {
|
---|
4745 | case RTCRSPCLINKCHOICE_MONIKER:
|
---|
4746 | {
|
---|
4747 | PRTCRSPCSERIALIZEDOBJECT pMoniker = pPeImage->T0.File.u.pMoniker;
|
---|
4748 | if (RTCrSpcSerializedObject_IsPresent(pMoniker))
|
---|
4749 | {
|
---|
4750 | if (RTUuidCompareStr(pMoniker->Uuid.Asn1Core.uData.pUuid, RTCRSPCSERIALIZEDOBJECT_UUID_STR) == 0)
|
---|
4751 | {
|
---|
4752 | RTPrintf("%s Moniker: SpcSerializedObject (%RTuuid)\n",
|
---|
4753 | pThis->szPrefix, pMoniker->Uuid.Asn1Core.uData.pUuid);
|
---|
4754 |
|
---|
4755 | PCRTCRSPCSERIALIZEDOBJECTATTRIBUTES pData = pMoniker->u.pData;
|
---|
4756 | if (pData)
|
---|
4757 | for (uint32_t i = 0; i < pData->cItems; i++)
|
---|
4758 | {
|
---|
4759 | RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix,
|
---|
4760 | "MonikerAttrib[%u]: ", i);
|
---|
4761 |
|
---|
4762 | switch (pData->papItems[i]->enmType)
|
---|
4763 | {
|
---|
4764 | case RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V2:
|
---|
4765 | case RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V1:
|
---|
4766 | {
|
---|
4767 | PCRTCRSPCSERIALIZEDPAGEHASHES pPgHashes = pData->papItems[i]->u.pPageHashes;
|
---|
4768 | uint32_t const cbHash = pData->papItems[i]->enmType
|
---|
4769 | == RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V1
|
---|
4770 | ? 160/8 /*SHA-1*/ : 256/8 /*SHA-256*/;
|
---|
4771 | uint32_t const cPages = pPgHashes->RawData.Asn1Core.cb / (cbHash + sizeof(uint32_t));
|
---|
4772 |
|
---|
4773 | RTPrintf("%sPage Hashes version %u - %u pages (%u bytes total)\n", pThis->szPrefix,
|
---|
4774 | pData->papItems[i]->enmType
|
---|
4775 | == RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V1 ? 1 : 2,
|
---|
4776 | cPages, pPgHashes->RawData.Asn1Core.cb);
|
---|
4777 | if (pThis->cVerbosity > 0)
|
---|
4778 | {
|
---|
4779 | PCRTCRSPCPEIMAGEPAGEHASHES pPg = pPgHashes->pData;
|
---|
4780 | for (unsigned iPg = 0; iPg < cPages; iPg++)
|
---|
4781 | {
|
---|
4782 | uint32_t offHash = 0;
|
---|
4783 | do
|
---|
4784 | {
|
---|
4785 | if (offHash == 0)
|
---|
4786 | RTPrintf("%.*s Page#%04u/%#08x: ",
|
---|
4787 | offPrefix, pThis->szPrefix, iPg, pPg->Generic.offFile);
|
---|
4788 | else
|
---|
4789 | RTPrintf("%.*s ", offPrefix, pThis->szPrefix);
|
---|
4790 | uint32_t cbLeft = cbHash - offHash;
|
---|
4791 | if (cbLeft > 24)
|
---|
4792 | cbLeft = 16;
|
---|
4793 | RTPrintf("%.*Rhxs\n", cbLeft, &pPg->Generic.abHash[offHash]);
|
---|
4794 | offHash += cbLeft;
|
---|
4795 | } while (offHash < cbHash);
|
---|
4796 | pPg = (PCRTCRSPCPEIMAGEPAGEHASHES)&pPg->Generic.abHash[cbHash];
|
---|
4797 | }
|
---|
4798 |
|
---|
4799 | if (pThis->cVerbosity > 3)
|
---|
4800 | RTPrintf("%.*Rhxd\n",
|
---|
4801 | pPgHashes->RawData.Asn1Core.cb,
|
---|
4802 | pPgHashes->RawData.Asn1Core.uData.pu8);
|
---|
4803 | }
|
---|
4804 | break;
|
---|
4805 | }
|
---|
4806 |
|
---|
4807 | case RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_UNKNOWN:
|
---|
4808 | HandleShowExeWorkerDisplayObjIdSimple(pThis, &pData->papItems[i]->Type, "\n");
|
---|
4809 | break;
|
---|
4810 | case RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_NOT_PRESENT:
|
---|
4811 | RTPrintf("%sNot present!\n", pThis->szPrefix);
|
---|
4812 | break;
|
---|
4813 | default:
|
---|
4814 | RTPrintf("%senmType=%d!\n", pThis->szPrefix, pData->papItems[i]->enmType);
|
---|
4815 | break;
|
---|
4816 | }
|
---|
4817 | pThis->szPrefix[offPrefix] = '\0';
|
---|
4818 | }
|
---|
4819 | else
|
---|
4820 | RTPrintf("%s pData is NULL!\n", pThis->szPrefix);
|
---|
4821 | }
|
---|
4822 | else
|
---|
4823 | RTPrintf("%s Moniker: Unknown UUID: %RTuuid\n",
|
---|
4824 | pThis->szPrefix, pMoniker->Uuid.Asn1Core.uData.pUuid);
|
---|
4825 | }
|
---|
4826 | else
|
---|
4827 | RTPrintf("%s Moniker: not present\n", pThis->szPrefix);
|
---|
4828 | break;
|
---|
4829 | }
|
---|
4830 |
|
---|
4831 | case RTCRSPCLINKCHOICE_URL:
|
---|
4832 | {
|
---|
4833 | const char *pszUrl = NULL;
|
---|
4834 | int rc = pPeImage->T0.File.u.pUrl
|
---|
4835 | ? RTAsn1String_QueryUtf8(pPeImage->T0.File.u.pUrl, &pszUrl, NULL)
|
---|
4836 | : VERR_NOT_FOUND;
|
---|
4837 | if (RT_SUCCESS(rc))
|
---|
4838 | RTPrintf("%s URL: '%s'\n", pThis->szPrefix, pszUrl);
|
---|
4839 | else
|
---|
4840 | RTPrintf("%s URL: rc=%Rrc\n", pThis->szPrefix, rc);
|
---|
4841 | break;
|
---|
4842 | }
|
---|
4843 |
|
---|
4844 | case RTCRSPCLINKCHOICE_FILE:
|
---|
4845 | {
|
---|
4846 | const char *pszFile = NULL;
|
---|
4847 | int rc = pPeImage->T0.File.u.pT2 && pPeImage->T0.File.u.pT2->File.u.pAscii
|
---|
4848 | ? RTAsn1String_QueryUtf8(pPeImage->T0.File.u.pT2->File.u.pAscii, &pszFile, NULL)
|
---|
4849 | : VERR_NOT_FOUND;
|
---|
4850 | if (RT_SUCCESS(rc))
|
---|
4851 | RTPrintf("%s File: '%s'\n", pThis->szPrefix, pszFile);
|
---|
4852 | else
|
---|
4853 | RTPrintf("%s File: rc=%Rrc\n", pThis->szPrefix, rc);
|
---|
4854 | if (pThis->cVerbosity > 4 && pPeImage->T0.File.u.pT2 == NULL)
|
---|
4855 | RTPrintf("%s pT2=NULL\n", pThis->szPrefix);
|
---|
4856 | else if (pThis->cVerbosity > 4)
|
---|
4857 | {
|
---|
4858 | PCRTASN1STRING pStr = pPeImage->T0.File.u.pT2->File.u.pAscii;
|
---|
4859 | RTPrintf("%s pT2=%p/%p LB %#x fFlags=%#x pOps=%p (%s)\n"
|
---|
4860 | "%s enmChoice=%d pStr=%p/%p LB %#x fFlags=%#x\n",
|
---|
4861 | pThis->szPrefix,
|
---|
4862 | pPeImage->T0.File.u.pT2,
|
---|
4863 | pPeImage->T0.File.u.pT2->CtxTag2.Asn1Core.uData.pu8,
|
---|
4864 | pPeImage->T0.File.u.pT2->CtxTag2.Asn1Core.cb,
|
---|
4865 | pPeImage->T0.File.u.pT2->CtxTag2.Asn1Core.fFlags,
|
---|
4866 | pPeImage->T0.File.u.pT2->CtxTag2.Asn1Core.pOps,
|
---|
4867 | pPeImage->T0.File.u.pT2->CtxTag2.Asn1Core.pOps
|
---|
4868 | ? pPeImage->T0.File.u.pT2->CtxTag2.Asn1Core.pOps->pszName : "",
|
---|
4869 | pThis->szPrefix,
|
---|
4870 | pPeImage->T0.File.u.pT2->File.enmChoice,
|
---|
4871 | pStr,
|
---|
4872 | pStr ? pStr->Asn1Core.uData.pu8 : NULL,
|
---|
4873 | pStr ? pStr->Asn1Core.cb : 0,
|
---|
4874 | pStr ? pStr->Asn1Core.fFlags : 0);
|
---|
4875 | }
|
---|
4876 | break;
|
---|
4877 | }
|
---|
4878 |
|
---|
4879 | case RTCRSPCLINKCHOICE_NOT_PRESENT:
|
---|
4880 | RTPrintf("%s File not present!\n", pThis->szPrefix);
|
---|
4881 | break;
|
---|
4882 | default:
|
---|
4883 | RTPrintf("%s enmChoice=%d!\n", pThis->szPrefix, pPeImage->T0.File.enmChoice);
|
---|
4884 | break;
|
---|
4885 | }
|
---|
4886 | break;
|
---|
4887 | }
|
---|
4888 |
|
---|
4889 | case RTCRSPCAAOVTYPE_UNKNOWN:
|
---|
4890 | HandleShowExeWorkerDisplayObjId(pThis, &pIndData->Data.Type, " Data Type: ", "\n");
|
---|
4891 | break;
|
---|
4892 | case RTCRSPCAAOVTYPE_NOT_PRESENT:
|
---|
4893 | RTPrintf("%s Data Type: Not present!\n", pThis->szPrefix);
|
---|
4894 | break;
|
---|
4895 | default:
|
---|
4896 | RTPrintf("%s Data Type: enmType=%d!\n", pThis->szPrefix, pIndData->Data.enmType);
|
---|
4897 | break;
|
---|
4898 | }
|
---|
4899 |
|
---|
4900 | return VINF_SUCCESS;
|
---|
4901 | }
|
---|
4902 |
|
---|
4903 |
|
---|
4904 | /**
|
---|
4905 | * Display an PKCS#7 signed data instance.
|
---|
4906 | *
|
---|
4907 | * @returns IPRT status code.
|
---|
4908 | * @param pThis The show exe instance data.
|
---|
4909 | * @param pSignedData The signed data to display.
|
---|
4910 | * @param offPrefix The current prefix offset.
|
---|
4911 | * @param pContentInfo The content info structure (for the size).
|
---|
4912 | */
|
---|
4913 | static int HandleShowExeWorkerPkcs7Display(PSHOWEXEPKCS7 pThis, PRTCRPKCS7SIGNEDDATA pSignedData, size_t offPrefix,
|
---|
4914 | PCRTCRPKCS7CONTENTINFO pContentInfo)
|
---|
4915 | {
|
---|
4916 | pThis->szPrefix[offPrefix] = '\0';
|
---|
4917 | RTPrintf("%sPKCS#7 signature: %u (%#x) bytes\n", pThis->szPrefix,
|
---|
4918 | RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core),
|
---|
4919 | RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core));
|
---|
4920 |
|
---|
4921 | /*
|
---|
4922 | * Display list of signing algorithms.
|
---|
4923 | */
|
---|
4924 | RTPrintf("%sDigestAlgorithms: ", pThis->szPrefix);
|
---|
4925 | if (pSignedData->DigestAlgorithms.cItems == 0)
|
---|
4926 | RTPrintf("none");
|
---|
4927 | for (unsigned i = 0; i < pSignedData->DigestAlgorithms.cItems; i++)
|
---|
4928 | {
|
---|
4929 | PCRTCRX509ALGORITHMIDENTIFIER pAlgoId = pSignedData->DigestAlgorithms.papItems[i];
|
---|
4930 | const char *pszDigestType = RTCrDigestTypeToName(RTCrX509AlgorithmIdentifier_QueryDigestType(pAlgoId));
|
---|
4931 | if (!pszDigestType)
|
---|
4932 | pszDigestType = pAlgoId->Algorithm.szObjId;
|
---|
4933 | RTPrintf(i == 0 ? "%s" : ", %s", pszDigestType);
|
---|
4934 | if (pThis->cVerbosity > 1)
|
---|
4935 | RTPrintf(" (%s)", pAlgoId->Algorithm.szObjId);
|
---|
4936 | }
|
---|
4937 | RTPrintf("\n");
|
---|
4938 |
|
---|
4939 | /*
|
---|
4940 | * Display the signed data content.
|
---|
4941 | */
|
---|
4942 | if (RTAsn1ObjId_CompareWithString(&pSignedData->ContentInfo.ContentType, RTCRSPCINDIRECTDATACONTENT_OID) == 0)
|
---|
4943 | {
|
---|
4944 | RTPrintf("%s ContentType: SpcIndirectDataContent (" RTCRSPCINDIRECTDATACONTENT_OID ")\n", pThis->szPrefix);
|
---|
4945 | size_t offPrefix2 = RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, " SPC Ind Data: ");
|
---|
4946 | HandleShowExeWorkerPkcs7DisplaySpcIdirectDataContent(pThis, offPrefix2 + offPrefix,
|
---|
4947 | pSignedData->ContentInfo.u.pIndirectDataContent);
|
---|
4948 | pThis->szPrefix[offPrefix] = '\0';
|
---|
4949 | }
|
---|
4950 | else
|
---|
4951 | {
|
---|
4952 | HandleShowExeWorkerDisplayObjId(pThis, &pSignedData->ContentInfo.ContentType, " ContentType: ", " - not implemented.\n");
|
---|
4953 | RTPrintf("%s %u (%#x) bytes\n", pThis->szPrefix,
|
---|
4954 | pSignedData->ContentInfo.Content.Asn1Core.cb, pSignedData->ContentInfo.Content.Asn1Core.cb);
|
---|
4955 | }
|
---|
4956 |
|
---|
4957 | /*
|
---|
4958 | * Display certificates (Certificates).
|
---|
4959 | */
|
---|
4960 | if (pSignedData->Certificates.cItems > 0)
|
---|
4961 | {
|
---|
4962 | RTPrintf("%s Certificates: %u\n", pThis->szPrefix, pSignedData->Certificates.cItems);
|
---|
4963 | for (uint32_t i = 0; i < pSignedData->Certificates.cItems; i++)
|
---|
4964 | {
|
---|
4965 | PCRTCRPKCS7CERT pCert = pSignedData->Certificates.papItems[i];
|
---|
4966 | if (i != 0 && pThis->cVerbosity >= 2)
|
---|
4967 | RTPrintf("\n");
|
---|
4968 | switch (pCert->enmChoice)
|
---|
4969 | {
|
---|
4970 | case RTCRPKCS7CERTCHOICE_X509:
|
---|
4971 | {
|
---|
4972 | PCRTCRX509CERTIFICATE pX509Cert = pCert->u.pX509Cert;
|
---|
4973 | int rc2 = RTAsn1QueryObjIdName(&pX509Cert->SignatureAlgorithm.Algorithm, pThis->szTmp, sizeof(pThis->szTmp));
|
---|
4974 | RTPrintf("%s Certificate #%u: %s\n", pThis->szPrefix, i,
|
---|
4975 | RT_SUCCESS(rc2) ? pThis->szTmp : pX509Cert->SignatureAlgorithm.Algorithm.szObjId);
|
---|
4976 |
|
---|
4977 | rc2 = RTCrX509Name_FormatAsString(&pX509Cert->TbsCertificate.Subject,
|
---|
4978 | pThis->szTmp, sizeof(pThis->szTmp), NULL);
|
---|
4979 | if (RT_FAILURE(rc2))
|
---|
4980 | RTStrPrintf(pThis->szTmp, sizeof(pThis->szTmp), "%Rrc", rc2);
|
---|
4981 | RTPrintf("%s Subject: %s\n", pThis->szPrefix, pThis->szTmp);
|
---|
4982 |
|
---|
4983 | rc2 = RTCrX509Name_FormatAsString(&pX509Cert->TbsCertificate.Issuer,
|
---|
4984 | pThis->szTmp, sizeof(pThis->szTmp), NULL);
|
---|
4985 | if (RT_FAILURE(rc2))
|
---|
4986 | RTStrPrintf(pThis->szTmp, sizeof(pThis->szTmp), "%Rrc", rc2);
|
---|
4987 | RTPrintf("%s Issuer: %s\n", pThis->szPrefix, pThis->szTmp);
|
---|
4988 |
|
---|
4989 |
|
---|
4990 | char szNotAfter[RTTIME_STR_LEN];
|
---|
4991 | RTPrintf("%s Valid: %s thru %s\n", pThis->szPrefix,
|
---|
4992 | RTTimeToString(&pX509Cert->TbsCertificate.Validity.NotBefore.Time,
|
---|
4993 | pThis->szTmp, sizeof(pThis->szTmp)),
|
---|
4994 | RTTimeToString(&pX509Cert->TbsCertificate.Validity.NotAfter.Time,
|
---|
4995 | szNotAfter, sizeof(szNotAfter)));
|
---|
4996 | break;
|
---|
4997 | }
|
---|
4998 |
|
---|
4999 | default:
|
---|
5000 | RTPrintf("%s Certificate #%u: Unsupported type\n", pThis->szPrefix, i);
|
---|
5001 | break;
|
---|
5002 | }
|
---|
5003 |
|
---|
5004 |
|
---|
5005 | if (pThis->cVerbosity >= 2)
|
---|
5006 | RTAsn1Dump(RTCrPkcs7Cert_GetAsn1Core(pSignedData->Certificates.papItems[i]), 0,
|
---|
5007 | ((uint32_t)offPrefix + 9) / 2, RTStrmDumpPrintfV, g_pStdOut);
|
---|
5008 | }
|
---|
5009 |
|
---|
5010 | /** @todo display certificates properly. */
|
---|
5011 | }
|
---|
5012 |
|
---|
5013 | if (pSignedData->Crls.cb > 0)
|
---|
5014 | RTPrintf("%s CRLs: %u bytes\n", pThis->szPrefix, pSignedData->Crls.cb);
|
---|
5015 |
|
---|
5016 | /*
|
---|
5017 | * Show signatures (SignerInfos).
|
---|
5018 | */
|
---|
5019 | unsigned const cSigInfos = pSignedData->SignerInfos.cItems;
|
---|
5020 | if (cSigInfos != 1)
|
---|
5021 | RTPrintf("%s SignerInfos: %u signers\n", pThis->szPrefix, cSigInfos);
|
---|
5022 | else
|
---|
5023 | RTPrintf("%s SignerInfos:\n", pThis->szPrefix);
|
---|
5024 | int rc = VINF_SUCCESS;
|
---|
5025 | for (unsigned i = 0; i < cSigInfos; i++)
|
---|
5026 | {
|
---|
5027 | size_t offPrefix2 = offPrefix;
|
---|
5028 | if (cSigInfos != 1)
|
---|
5029 | offPrefix2 += RTStrPrintf(&pThis->szPrefix[offPrefix], sizeof(pThis->szPrefix) - offPrefix, "SignerInfo[%u]: ", i);
|
---|
5030 |
|
---|
5031 | int rc2 = HandleShowExeWorkerPkcs7DisplaySignerInfo(pThis, offPrefix2, pSignedData->SignerInfos.papItems[i]);
|
---|
5032 | if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
|
---|
5033 | rc = rc2;
|
---|
5034 | }
|
---|
5035 | pThis->szPrefix[offPrefix] = '\0';
|
---|
5036 |
|
---|
5037 | return rc;
|
---|
5038 | }
|
---|
5039 |
|
---|
5040 |
|
---|
5041 | /*
|
---|
5042 | * The 'show-exe' command.
|
---|
5043 | */
|
---|
5044 | static RTEXITCODE HelpShowExe(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
5045 | {
|
---|
5046 | RT_NOREF_PV(enmLevel);
|
---|
5047 | RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT, "show-exe [--verbose|-v] [--quiet|-q] <exe1> [exe2 [..]]\n");
|
---|
5048 | return RTEXITCODE_SUCCESS;
|
---|
5049 | }
|
---|
5050 |
|
---|
5051 |
|
---|
5052 | static RTEXITCODE HandleShowExe(int cArgs, char **papszArgs)
|
---|
5053 | {
|
---|
5054 | /*
|
---|
5055 | * Parse arguments.
|
---|
5056 | */
|
---|
5057 | static const RTGETOPTDEF s_aOptions[] =
|
---|
5058 | {
|
---|
5059 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
5060 | { "--quiet", 'q', RTGETOPT_REQ_NOTHING },
|
---|
5061 | };
|
---|
5062 |
|
---|
5063 | unsigned cVerbosity = 0;
|
---|
5064 | RTLDRARCH enmLdrArch = RTLDRARCH_WHATEVER;
|
---|
5065 |
|
---|
5066 | RTGETOPTSTATE GetState;
|
---|
5067 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
5068 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
5069 | RTGETOPTUNION ValueUnion;
|
---|
5070 | int ch;
|
---|
5071 | while ((ch = RTGetOpt(&GetState, &ValueUnion)) && ch != VINF_GETOPT_NOT_OPTION)
|
---|
5072 | {
|
---|
5073 | switch (ch)
|
---|
5074 | {
|
---|
5075 | case 'v': cVerbosity++; break;
|
---|
5076 | case 'q': cVerbosity = 0; break;
|
---|
5077 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
5078 | case 'h': return HelpShowExe(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
5079 | default: return RTGetOptPrintError(ch, &ValueUnion);
|
---|
5080 | }
|
---|
5081 | }
|
---|
5082 | if (ch != VINF_GETOPT_NOT_OPTION)
|
---|
5083 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No executable given.");
|
---|
5084 |
|
---|
5085 | /*
|
---|
5086 | * Do it.
|
---|
5087 | */
|
---|
5088 | unsigned iFile = 0;
|
---|
5089 | RTEXITCODE rcExit = RTEXITCODE_SUCCESS;
|
---|
5090 | do
|
---|
5091 | {
|
---|
5092 | RTPrintf(iFile == 0 ? "%s:\n" : "\n%s:\n", ValueUnion.psz);
|
---|
5093 |
|
---|
5094 | SHOWEXEPKCS7 This;
|
---|
5095 | RT_ZERO(This);
|
---|
5096 | This.cVerbosity = cVerbosity;
|
---|
5097 |
|
---|
5098 | RTEXITCODE rcExitThis = SignToolPkcs7Exe_InitFromFile(&This, ValueUnion.psz, cVerbosity, enmLdrArch);
|
---|
5099 | if (rcExitThis == RTEXITCODE_SUCCESS)
|
---|
5100 | {
|
---|
5101 | rc = HandleShowExeWorkerPkcs7Display(&This, This.pSignedData, 0, &This.ContentInfo);
|
---|
5102 | if (RT_FAILURE(rc))
|
---|
5103 | rcExit = RTEXITCODE_FAILURE;
|
---|
5104 | SignToolPkcs7Exe_Delete(&This);
|
---|
5105 | }
|
---|
5106 | if (rcExitThis != RTEXITCODE_SUCCESS && rcExit == RTEXITCODE_SUCCESS)
|
---|
5107 | rcExit = rcExitThis;
|
---|
5108 |
|
---|
5109 | iFile++;
|
---|
5110 | } while ((ch = RTGetOpt(&GetState, &ValueUnion)) == VINF_GETOPT_NOT_OPTION);
|
---|
5111 | if (ch != 0)
|
---|
5112 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
5113 |
|
---|
5114 | return rcExit;
|
---|
5115 | }
|
---|
5116 |
|
---|
5117 |
|
---|
5118 | /*
|
---|
5119 | * The 'show-cat' command.
|
---|
5120 | */
|
---|
5121 | static RTEXITCODE HelpShowCat(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
5122 | {
|
---|
5123 | RT_NOREF_PV(enmLevel);
|
---|
5124 | RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT, "show-cat [--verbose|-v] [--quiet|-q] <cat1> [cat2 [..]]\n");
|
---|
5125 | return RTEXITCODE_SUCCESS;
|
---|
5126 | }
|
---|
5127 |
|
---|
5128 |
|
---|
5129 | static RTEXITCODE HandleShowCat(int cArgs, char **papszArgs)
|
---|
5130 | {
|
---|
5131 | /*
|
---|
5132 | * Parse arguments.
|
---|
5133 | */
|
---|
5134 | static const RTGETOPTDEF s_aOptions[] =
|
---|
5135 | {
|
---|
5136 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
5137 | { "--quiet", 'q', RTGETOPT_REQ_NOTHING },
|
---|
5138 | };
|
---|
5139 |
|
---|
5140 | unsigned cVerbosity = 0;
|
---|
5141 |
|
---|
5142 | RTGETOPTSTATE GetState;
|
---|
5143 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
5144 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
5145 | RTGETOPTUNION ValueUnion;
|
---|
5146 | int ch;
|
---|
5147 | while ((ch = RTGetOpt(&GetState, &ValueUnion)) && ch != VINF_GETOPT_NOT_OPTION)
|
---|
5148 | {
|
---|
5149 | switch (ch)
|
---|
5150 | {
|
---|
5151 | case 'v': cVerbosity++; break;
|
---|
5152 | case 'q': cVerbosity = 0; break;
|
---|
5153 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
5154 | case 'h': return HelpShowCat(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
5155 | default: return RTGetOptPrintError(ch, &ValueUnion);
|
---|
5156 | }
|
---|
5157 | }
|
---|
5158 | if (ch != VINF_GETOPT_NOT_OPTION)
|
---|
5159 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No executable given.");
|
---|
5160 |
|
---|
5161 | /*
|
---|
5162 | * Do it.
|
---|
5163 | */
|
---|
5164 | unsigned iFile = 0;
|
---|
5165 | RTEXITCODE rcExit = RTEXITCODE_SUCCESS;
|
---|
5166 | do
|
---|
5167 | {
|
---|
5168 | RTPrintf(iFile == 0 ? "%s:\n" : "\n%s:\n", ValueUnion.psz);
|
---|
5169 |
|
---|
5170 | SHOWEXEPKCS7 This;
|
---|
5171 | RT_ZERO(This);
|
---|
5172 | This.cVerbosity = cVerbosity;
|
---|
5173 |
|
---|
5174 | RTEXITCODE rcExitThis = SignToolPkcs7_InitFromFile(&This, ValueUnion.psz, cVerbosity);
|
---|
5175 | if (rcExitThis == RTEXITCODE_SUCCESS)
|
---|
5176 | {
|
---|
5177 | This.hLdrMod = NIL_RTLDRMOD;
|
---|
5178 |
|
---|
5179 | rc = HandleShowExeWorkerPkcs7Display(&This, This.pSignedData, 0, &This.ContentInfo);
|
---|
5180 | if (RT_FAILURE(rc))
|
---|
5181 | rcExit = RTEXITCODE_FAILURE;
|
---|
5182 | SignToolPkcs7Exe_Delete(&This);
|
---|
5183 | }
|
---|
5184 | if (rcExitThis != RTEXITCODE_SUCCESS && rcExit == RTEXITCODE_SUCCESS)
|
---|
5185 | rcExit = rcExitThis;
|
---|
5186 |
|
---|
5187 | iFile++;
|
---|
5188 | } while ((ch = RTGetOpt(&GetState, &ValueUnion)) == VINF_GETOPT_NOT_OPTION);
|
---|
5189 | if (ch != 0)
|
---|
5190 | return RTGetOptPrintError(ch, &ValueUnion);
|
---|
5191 |
|
---|
5192 | return rcExit;
|
---|
5193 | }
|
---|
5194 |
|
---|
5195 |
|
---|
5196 | /*
|
---|
5197 | * The 'make-tainfo' command.
|
---|
5198 | */
|
---|
5199 | static RTEXITCODE HelpMakeTaInfo(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
5200 | {
|
---|
5201 | RT_NOREF_PV(enmLevel);
|
---|
5202 | RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT,
|
---|
5203 | "make-tainfo [--verbose|--quiet] [--cert <cert.der>] [-o|--output] <tainfo.der>\n");
|
---|
5204 | return RTEXITCODE_SUCCESS;
|
---|
5205 | }
|
---|
5206 |
|
---|
5207 |
|
---|
5208 | typedef struct MAKETAINFOSTATE
|
---|
5209 | {
|
---|
5210 | int cVerbose;
|
---|
5211 | const char *pszCert;
|
---|
5212 | const char *pszOutput;
|
---|
5213 | } MAKETAINFOSTATE;
|
---|
5214 |
|
---|
5215 |
|
---|
5216 | /** @callback_method_impl{FNRTASN1ENCODEWRITER} */
|
---|
5217 | static DECLCALLBACK(int) handleMakeTaInfoWriter(const void *pvBuf, size_t cbToWrite, void *pvUser, PRTERRINFO pErrInfo)
|
---|
5218 | {
|
---|
5219 | RT_NOREF_PV(pErrInfo);
|
---|
5220 | return RTStrmWrite((PRTSTREAM)pvUser, pvBuf, cbToWrite);
|
---|
5221 | }
|
---|
5222 |
|
---|
5223 |
|
---|
5224 | static RTEXITCODE HandleMakeTaInfo(int cArgs, char **papszArgs)
|
---|
5225 | {
|
---|
5226 | /*
|
---|
5227 | * Parse arguments.
|
---|
5228 | */
|
---|
5229 | static const RTGETOPTDEF s_aOptions[] =
|
---|
5230 | {
|
---|
5231 | { "--cert", 'c', RTGETOPT_REQ_STRING },
|
---|
5232 | { "--output", 'o', RTGETOPT_REQ_STRING },
|
---|
5233 | { "--verbose", 'v', RTGETOPT_REQ_NOTHING },
|
---|
5234 | { "--quiet", 'q', RTGETOPT_REQ_NOTHING },
|
---|
5235 | };
|
---|
5236 |
|
---|
5237 | MAKETAINFOSTATE State = { 0, NULL, NULL };
|
---|
5238 |
|
---|
5239 | RTGETOPTSTATE GetState;
|
---|
5240 | int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
|
---|
5241 | AssertRCReturn(rc, RTEXITCODE_FAILURE);
|
---|
5242 | RTGETOPTUNION ValueUnion;
|
---|
5243 | int ch;
|
---|
5244 | while ((ch = RTGetOpt(&GetState, &ValueUnion)) != 0)
|
---|
5245 | {
|
---|
5246 | switch (ch)
|
---|
5247 | {
|
---|
5248 | case 'c':
|
---|
5249 | if (State.pszCert)
|
---|
5250 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "The --cert option can only be used once.");
|
---|
5251 | State.pszCert = ValueUnion.psz;
|
---|
5252 | break;
|
---|
5253 |
|
---|
5254 | case 'o':
|
---|
5255 | case VINF_GETOPT_NOT_OPTION:
|
---|
5256 | if (State.pszOutput)
|
---|
5257 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Multiple output files specified.");
|
---|
5258 | State.pszOutput = ValueUnion.psz;
|
---|
5259 | break;
|
---|
5260 |
|
---|
5261 | case 'v': State.cVerbose++; break;
|
---|
5262 | case 'q': State.cVerbose = 0; break;
|
---|
5263 | case 'V': return HandleVersion(cArgs, papszArgs);
|
---|
5264 | case 'h': return HelpMakeTaInfo(g_pStdOut, RTSIGNTOOLHELP_FULL);
|
---|
5265 | default: return RTGetOptPrintError(ch, &ValueUnion);
|
---|
5266 | }
|
---|
5267 | }
|
---|
5268 | if (!State.pszCert)
|
---|
5269 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No input certificate was specified.");
|
---|
5270 | if (!State.pszOutput)
|
---|
5271 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "No output file was specified.");
|
---|
5272 |
|
---|
5273 | /*
|
---|
5274 | * Read the certificate.
|
---|
5275 | */
|
---|
5276 | RTERRINFOSTATIC StaticErrInfo;
|
---|
5277 | RTCRX509CERTIFICATE Certificate;
|
---|
5278 | rc = RTCrX509Certificate_ReadFromFile(&Certificate, State.pszCert, 0, &g_RTAsn1DefaultAllocator,
|
---|
5279 | RTErrInfoInitStatic(&StaticErrInfo));
|
---|
5280 | if (RT_FAILURE(rc))
|
---|
5281 | return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error reading certificate from %s: %Rrc - %s",
|
---|
5282 | State.pszCert, rc, StaticErrInfo.szMsg);
|
---|
5283 | /*
|
---|
5284 | * Construct the trust anchor information.
|
---|
5285 | */
|
---|
5286 | RTCRTAFTRUSTANCHORINFO TrustAnchor;
|
---|
5287 | rc = RTCrTafTrustAnchorInfo_Init(&TrustAnchor, &g_RTAsn1DefaultAllocator);
|
---|
5288 | if (RT_SUCCESS(rc))
|
---|
5289 | {
|
---|
5290 | /* Public key. */
|
---|
5291 | Assert(RTCrX509SubjectPublicKeyInfo_IsPresent(&TrustAnchor.PubKey));
|
---|
5292 | RTCrX509SubjectPublicKeyInfo_Delete(&TrustAnchor.PubKey);
|
---|
5293 | rc = RTCrX509SubjectPublicKeyInfo_Clone(&TrustAnchor.PubKey, &Certificate.TbsCertificate.SubjectPublicKeyInfo,
|
---|
5294 | &g_RTAsn1DefaultAllocator);
|
---|
5295 | if (RT_FAILURE(rc))
|
---|
5296 | RTMsgError("RTCrX509SubjectPublicKeyInfo_Clone failed: %Rrc", rc);
|
---|
5297 | RTAsn1Core_ResetImplict(RTCrX509SubjectPublicKeyInfo_GetAsn1Core(&TrustAnchor.PubKey)); /* temporary hack. */
|
---|
5298 |
|
---|
5299 | /* Key Identifier. */
|
---|
5300 | PCRTASN1OCTETSTRING pKeyIdentifier = NULL;
|
---|
5301 | if (Certificate.TbsCertificate.T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER)
|
---|
5302 | pKeyIdentifier = Certificate.TbsCertificate.T3.pSubjectKeyIdentifier;
|
---|
5303 | else if ( (Certificate.TbsCertificate.T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER)
|
---|
5304 | && RTCrX509Certificate_IsSelfSigned(&Certificate)
|
---|
5305 | && RTAsn1OctetString_IsPresent(&Certificate.TbsCertificate.T3.pAuthorityKeyIdentifier->KeyIdentifier) )
|
---|
5306 | pKeyIdentifier = &Certificate.TbsCertificate.T3.pAuthorityKeyIdentifier->KeyIdentifier;
|
---|
5307 | else if ( (Certificate.TbsCertificate.T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER)
|
---|
5308 | && RTCrX509Certificate_IsSelfSigned(&Certificate)
|
---|
5309 | && RTAsn1OctetString_IsPresent(&Certificate.TbsCertificate.T3.pOldAuthorityKeyIdentifier->KeyIdentifier) )
|
---|
5310 | pKeyIdentifier = &Certificate.TbsCertificate.T3.pOldAuthorityKeyIdentifier->KeyIdentifier;
|
---|
5311 | if (pKeyIdentifier && pKeyIdentifier->Asn1Core.cb > 0)
|
---|
5312 | {
|
---|
5313 | Assert(RTAsn1OctetString_IsPresent(&TrustAnchor.KeyIdentifier));
|
---|
5314 | RTAsn1OctetString_Delete(&TrustAnchor.KeyIdentifier);
|
---|
5315 | rc = RTAsn1OctetString_Clone(&TrustAnchor.KeyIdentifier, pKeyIdentifier, &g_RTAsn1DefaultAllocator);
|
---|
5316 | if (RT_FAILURE(rc))
|
---|
5317 | RTMsgError("RTAsn1OctetString_Clone failed: %Rrc", rc);
|
---|
5318 | RTAsn1Core_ResetImplict(RTAsn1OctetString_GetAsn1Core(&TrustAnchor.KeyIdentifier)); /* temporary hack. */
|
---|
5319 | }
|
---|
5320 | else
|
---|
5321 | RTMsgWarning("No key identifier found or has zero length.");
|
---|
5322 |
|
---|
5323 | /* Subject */
|
---|
5324 | if (RT_SUCCESS(rc))
|
---|
5325 | {
|
---|
5326 | Assert(!RTCrTafCertPathControls_IsPresent(&TrustAnchor.CertPath));
|
---|
5327 | rc = RTCrTafCertPathControls_Init(&TrustAnchor.CertPath, &g_RTAsn1DefaultAllocator);
|
---|
5328 | if (RT_SUCCESS(rc))
|
---|
5329 | {
|
---|
5330 | Assert(RTCrX509Name_IsPresent(&TrustAnchor.CertPath.TaName));
|
---|
5331 | RTCrX509Name_Delete(&TrustAnchor.CertPath.TaName);
|
---|
5332 | rc = RTCrX509Name_Clone(&TrustAnchor.CertPath.TaName, &Certificate.TbsCertificate.Subject,
|
---|
5333 | &g_RTAsn1DefaultAllocator);
|
---|
5334 | if (RT_SUCCESS(rc))
|
---|
5335 | {
|
---|
5336 | RTAsn1Core_ResetImplict(RTCrX509Name_GetAsn1Core(&TrustAnchor.CertPath.TaName)); /* temporary hack. */
|
---|
5337 | rc = RTCrX509Name_RecodeAsUtf8(&TrustAnchor.CertPath.TaName, &g_RTAsn1DefaultAllocator);
|
---|
5338 | if (RT_FAILURE(rc))
|
---|
5339 | RTMsgError("RTCrX509Name_RecodeAsUtf8 failed: %Rrc", rc);
|
---|
5340 | }
|
---|
5341 | else
|
---|
5342 | RTMsgError("RTCrX509Name_Clone failed: %Rrc", rc);
|
---|
5343 | }
|
---|
5344 | else
|
---|
5345 | RTMsgError("RTCrTafCertPathControls_Init failed: %Rrc", rc);
|
---|
5346 | }
|
---|
5347 |
|
---|
5348 | /* Check that what we've constructed makes some sense. */
|
---|
5349 | if (RT_SUCCESS(rc))
|
---|
5350 | {
|
---|
5351 | rc = RTCrTafTrustAnchorInfo_CheckSanity(&TrustAnchor, 0, RTErrInfoInitStatic(&StaticErrInfo), "TAI");
|
---|
5352 | if (RT_FAILURE(rc))
|
---|
5353 | RTMsgError("RTCrTafTrustAnchorInfo_CheckSanity failed: %Rrc - %s", rc, StaticErrInfo.szMsg);
|
---|
5354 | }
|
---|
5355 |
|
---|
5356 | if (RT_SUCCESS(rc))
|
---|
5357 | {
|
---|
5358 | /*
|
---|
5359 | * Encode it and write it to the output file.
|
---|
5360 | */
|
---|
5361 | uint32_t cbEncoded;
|
---|
5362 | rc = RTAsn1EncodePrepare(RTCrTafTrustAnchorInfo_GetAsn1Core(&TrustAnchor), RTASN1ENCODE_F_DER, &cbEncoded,
|
---|
5363 | RTErrInfoInitStatic(&StaticErrInfo));
|
---|
5364 | if (RT_SUCCESS(rc))
|
---|
5365 | {
|
---|
5366 | if (State.cVerbose >= 1)
|
---|
5367 | RTAsn1Dump(RTCrTafTrustAnchorInfo_GetAsn1Core(&TrustAnchor), 0, 0, RTStrmDumpPrintfV, g_pStdOut);
|
---|
5368 |
|
---|
5369 | PRTSTREAM pStrm;
|
---|
5370 | rc = RTStrmOpen(State.pszOutput, "wb", &pStrm);
|
---|
5371 | if (RT_SUCCESS(rc))
|
---|
5372 | {
|
---|
5373 | rc = RTAsn1EncodeWrite(RTCrTafTrustAnchorInfo_GetAsn1Core(&TrustAnchor), RTASN1ENCODE_F_DER,
|
---|
5374 | handleMakeTaInfoWriter, pStrm, RTErrInfoInitStatic(&StaticErrInfo));
|
---|
5375 | if (RT_SUCCESS(rc))
|
---|
5376 | {
|
---|
5377 | rc = RTStrmClose(pStrm);
|
---|
5378 | if (RT_SUCCESS(rc))
|
---|
5379 | RTMsgInfo("Successfully wrote TrustedAnchorInfo to '%s'.", State.pszOutput);
|
---|
5380 | else
|
---|
5381 | RTMsgError("RTStrmClose failed: %Rrc", rc);
|
---|
5382 | }
|
---|
5383 | else
|
---|
5384 | {
|
---|
5385 | RTMsgError("RTAsn1EncodeWrite failed: %Rrc - %s", rc, StaticErrInfo.szMsg);
|
---|
5386 | RTStrmClose(pStrm);
|
---|
5387 | }
|
---|
5388 | }
|
---|
5389 | else
|
---|
5390 | RTMsgError("Error opening '%s' for writing: %Rrcs", State.pszOutput, rc);
|
---|
5391 | }
|
---|
5392 | else
|
---|
5393 | RTMsgError("RTAsn1EncodePrepare failed: %Rrc - %s", rc, StaticErrInfo.szMsg);
|
---|
5394 | }
|
---|
5395 |
|
---|
5396 | RTCrTafTrustAnchorInfo_Delete(&TrustAnchor);
|
---|
5397 | }
|
---|
5398 | else
|
---|
5399 | RTMsgError("RTCrTafTrustAnchorInfo_Init failed: %Rrc", rc);
|
---|
5400 |
|
---|
5401 | RTCrX509Certificate_Delete(&Certificate);
|
---|
5402 | return RT_SUCCESS(rc) ? RTEXITCODE_SUCCESS : RTEXITCODE_FAILURE;
|
---|
5403 | }
|
---|
5404 |
|
---|
5405 |
|
---|
5406 |
|
---|
5407 | /*
|
---|
5408 | * The 'version' command.
|
---|
5409 | */
|
---|
5410 | static RTEXITCODE HelpVersion(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
5411 | {
|
---|
5412 | RT_NOREF_PV(enmLevel);
|
---|
5413 | RTStrmPrintf(pStrm, "version\n");
|
---|
5414 | return RTEXITCODE_SUCCESS;
|
---|
5415 | }
|
---|
5416 |
|
---|
5417 | static RTEXITCODE HandleVersion(int cArgs, char **papszArgs)
|
---|
5418 | {
|
---|
5419 | RT_NOREF_PV(cArgs); RT_NOREF_PV(papszArgs);
|
---|
5420 | #ifndef IN_BLD_PROG /* RTBldCfgVersion or RTBldCfgRevision in build time IPRT lib. */
|
---|
5421 | RTPrintf("%s\n", RTBldCfgVersion());
|
---|
5422 | return RTEXITCODE_SUCCESS;
|
---|
5423 | #else
|
---|
5424 | return RTEXITCODE_FAILURE;
|
---|
5425 | #endif
|
---|
5426 | }
|
---|
5427 |
|
---|
5428 |
|
---|
5429 |
|
---|
5430 | /**
|
---|
5431 | * Command mapping.
|
---|
5432 | */
|
---|
5433 | static struct
|
---|
5434 | {
|
---|
5435 | /** The command. */
|
---|
5436 | const char *pszCmd;
|
---|
5437 | /**
|
---|
5438 | * Handle the command.
|
---|
5439 | * @returns Program exit code.
|
---|
5440 | * @param cArgs Number of arguments.
|
---|
5441 | * @param papszArgs The argument vector, starting with the command name.
|
---|
5442 | */
|
---|
5443 | RTEXITCODE (*pfnHandler)(int cArgs, char **papszArgs);
|
---|
5444 | /**
|
---|
5445 | * Produce help.
|
---|
5446 | * @returns RTEXITCODE_SUCCESS to simplify handling '--help' in the handler.
|
---|
5447 | * @param pStrm Where to send help text.
|
---|
5448 | * @param enmLevel The level of the help information.
|
---|
5449 | */
|
---|
5450 | RTEXITCODE (*pfnHelp)(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel);
|
---|
5451 | }
|
---|
5452 | /** Mapping commands to handler and helper functions. */
|
---|
5453 | const g_aCommands[] =
|
---|
5454 | {
|
---|
5455 | { "extract-exe-signer-cert", HandleExtractExeSignerCert, HelpExtractExeSignerCert },
|
---|
5456 | { "extract-exe-signature", HandleExtractExeSignature, HelpExtractExeSignature },
|
---|
5457 | { "add-nested-exe-signature", HandleAddNestedExeSignature, HelpAddNestedExeSignature },
|
---|
5458 | { "add-nested-cat-signature", HandleAddNestedCatSignature, HelpAddNestedCatSignature },
|
---|
5459 | #ifndef IPRT_SIGNTOOL_NO_SIGNING
|
---|
5460 | { "add-timestamp-exe-signature", HandleAddTimestampExeSignature, HelpAddTimestampExeSignature },
|
---|
5461 | { "sign", HandleSign, HelpSign },
|
---|
5462 | #endif
|
---|
5463 | #ifndef IPRT_IN_BUILD_TOOL
|
---|
5464 | { "verify-exe", HandleVerifyExe, HelpVerifyExe },
|
---|
5465 | #endif
|
---|
5466 | { "show-exe", HandleShowExe, HelpShowExe },
|
---|
5467 | { "show-cat", HandleShowCat, HelpShowCat },
|
---|
5468 | { "make-tainfo", HandleMakeTaInfo, HelpMakeTaInfo },
|
---|
5469 | { "help", HandleHelp, HelpHelp },
|
---|
5470 | { "--help", HandleHelp, NULL },
|
---|
5471 | { "-h", HandleHelp, NULL },
|
---|
5472 | { "version", HandleVersion, HelpVersion },
|
---|
5473 | { "--version", HandleVersion, NULL },
|
---|
5474 | { "-V", HandleVersion, NULL },
|
---|
5475 | };
|
---|
5476 |
|
---|
5477 |
|
---|
5478 | /*
|
---|
5479 | * The 'help' command.
|
---|
5480 | */
|
---|
5481 | static RTEXITCODE HelpHelp(PRTSTREAM pStrm, RTSIGNTOOLHELP enmLevel)
|
---|
5482 | {
|
---|
5483 | RT_NOREF_PV(enmLevel);
|
---|
5484 | RTStrmPrintf(pStrm, "help [cmd-patterns]\n");
|
---|
5485 | return RTEXITCODE_SUCCESS;
|
---|
5486 | }
|
---|
5487 |
|
---|
5488 | static RTEXITCODE HandleHelp(int cArgs, char **papszArgs)
|
---|
5489 | {
|
---|
5490 | RTSIGNTOOLHELP enmLevel = cArgs <= 1 ? RTSIGNTOOLHELP_USAGE : RTSIGNTOOLHELP_FULL;
|
---|
5491 | uint32_t cShowed = 0;
|
---|
5492 | uint32_t cchWidth;
|
---|
5493 | if (RT_FAILURE(RTStrmQueryTerminalWidth(g_pStdOut, &cchWidth)))
|
---|
5494 | cchWidth = 80;
|
---|
5495 | for (uint32_t iCmd = 0; iCmd < RT_ELEMENTS(g_aCommands); iCmd++)
|
---|
5496 | {
|
---|
5497 | if (g_aCommands[iCmd].pfnHelp)
|
---|
5498 | {
|
---|
5499 | bool fShow = false;
|
---|
5500 | if (cArgs <= 1)
|
---|
5501 | fShow = true;
|
---|
5502 | else
|
---|
5503 | for (int iArg = 1; iArg < cArgs; iArg++)
|
---|
5504 | if (RTStrSimplePatternMultiMatch(papszArgs[iArg], RTSTR_MAX, g_aCommands[iCmd].pszCmd, RTSTR_MAX, NULL))
|
---|
5505 | {
|
---|
5506 | fShow = true;
|
---|
5507 | break;
|
---|
5508 | }
|
---|
5509 | if (fShow)
|
---|
5510 | {
|
---|
5511 | if (cShowed && enmLevel == RTSIGNTOOLHELP_FULL)
|
---|
5512 | RTPrintf("%.*s\n", RT_MIN(cchWidth, 100),
|
---|
5513 | "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ");
|
---|
5514 | g_aCommands[iCmd].pfnHelp(g_pStdOut, enmLevel);
|
---|
5515 | cShowed++;
|
---|
5516 | }
|
---|
5517 | }
|
---|
5518 | }
|
---|
5519 | return cShowed ? RTEXITCODE_SUCCESS : RTEXITCODE_FAILURE;
|
---|
5520 | }
|
---|
5521 |
|
---|
5522 |
|
---|
5523 |
|
---|
5524 | int main(int argc, char **argv)
|
---|
5525 | {
|
---|
5526 | int rc = RTR3InitExe(argc, &argv, 0);
|
---|
5527 | if (RT_FAILURE(rc))
|
---|
5528 | return RTMsgInitFailure(rc);
|
---|
5529 |
|
---|
5530 | /*
|
---|
5531 | * Parse global arguments.
|
---|
5532 | */
|
---|
5533 | int iArg = 1;
|
---|
5534 | /* none presently. */
|
---|
5535 |
|
---|
5536 | /*
|
---|
5537 | * Command dispatcher.
|
---|
5538 | */
|
---|
5539 | if (iArg < argc)
|
---|
5540 | {
|
---|
5541 | const char *pszCmd = argv[iArg];
|
---|
5542 | uint32_t i = RT_ELEMENTS(g_aCommands);
|
---|
5543 | while (i-- > 0)
|
---|
5544 | if (!strcmp(g_aCommands[i].pszCmd, pszCmd))
|
---|
5545 | return g_aCommands[i].pfnHandler(argc - iArg, &argv[iArg]);
|
---|
5546 | RTMsgError("Unknown command '%s'.", pszCmd);
|
---|
5547 | }
|
---|
5548 | else
|
---|
5549 | RTMsgError("No command given. (try --help)");
|
---|
5550 |
|
---|
5551 | return RTEXITCODE_SYNTAX;
|
---|
5552 | }
|
---|
5553 |
|
---|