Added support for RFC5652 types of MS countersignatures (#16)

.github/workflows/cmake.yml

@@ -14,7 +14,7 @@ jobs:
   test-openssl1-1:
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
+        os: [macos-latest, windows-latest]
       # Stops killing other jobs when one fails
       fail-fast: false 
 
@@ -25,20 +25,25 @@ jobs:
 
     - name: Install OpenSSL on MacOS
       if: matrix.os == 'macos-latest'
-      # We want 1.1.1 version max as the 3.0 is default on MacOS otherwise
-      run: brew install [email protected]
-
+      run: |
+        brew uninstall openssl --ignore-dependencies openssl
+        brew install [email protected]
+
     - name: Install OpenSSL on Windows
       if: matrix.os == 'windows-latest'
-      run: choco install openssl
+      run: |
+        rd -r "C:/Program Files/OpenSSL"
+        choco install openssl --version=1.1.1.2100
 
-    - name: Configure CMake
-      if: matrix.os != 'macos-latest'
+#        Copy-Item -Path "C:/Program Files/OpenSSL/lib/VC/x64/MD/*" -Destination "C:/Program Files/OpenSSL/lib/VC" -Recurse
+
+    - name: Configure Windows CMake
+      if: matrix.os == 'windows-latest'
       run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DBUILD_TESTS=ON
 
     - name: Configure MacOS CMake
       if: matrix.os == 'macos-latest'
-      run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DBUILD_TESTS=ON -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl
+      run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DBUILD_TESTS=ON -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl@1.1
 
     - name: Build
       run: cmake --build ${{github.workspace}}/build --config ${{env.BUILD_TYPE}}
@@ -47,18 +52,30 @@ jobs:
       working-directory: ${{github.workspace}}/build
       run: ctest -C ${{env.BUILD_TYPE}} -VV
 
-  test-openssl3-0:
-    runs-on: macos-latest
+  test-openssl3:
+    strategy:
+      matrix:
+        os: [macos-latest, ubuntu-latest]
+      # Stops killing other jobs when one fails
+      fail-fast: false 
+
+    runs-on: ${{ matrix.os }}
 
     steps:
     - uses: actions/checkout@v2
 
     - name: Install OpenSSL on MacOS
+      if: matrix.os == 'macos-latest'
       run: brew install openssl@3
 
     - name: Configure MacOS CMake
+      if: matrix.os == 'macos-latest'
       run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DBUILD_TESTS=ON -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl
 
+    - name: Configure Ubuntu CMake
+      if: matrix.os == 'ubuntu-latest'
+      run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} -DBUILD_TESTS=ON
+
     - name: Build
       run: cmake --build ${{github.workspace}}/build --config ${{env.BUILD_TYPE}}
 

CMakeLists.txt

@@ -4,6 +4,11 @@ project(authenticode_parser VERSION 1.0.0 LANGUAGES C)
 
 find_package(OpenSSL 1.1.1 REQUIRED)
 
+message(STATUS "SSL library is ${OPENSSL_SSL_LIBRARY}")
+message(STATUS "Crypto library is ${OPENSSL_SSL_LIBRARY}")
+message(STATUS "All openssl libraries are ${OPENSSL_SSL_LIBRARY}")
+message(STATUS "OpenSSL version is ${OPENSSL_SSL_LIBRARY}")
+
 include(GNUInstallDirs)
 
 add_library(authenticode STATIC

authenticode-config.cmake

@@ -1,2 +1,2 @@
-find_package(OpenSSL 1.0.1 REQUIRED)
+find_package(OpenSSL 1.1.1 REQUIRED)
 include(${CMAKE_CURRENT_LIST_DIR}/authenticode-targets.cmake)

dev_scripts.py/dump_pe_signature.py

@@ -0,0 +1,23 @@
+import sys
+import pefile
+
+
+# Function to dump the signature from a PE file for tests
+def dump_signature(path: str):
+    pe = pefile.PE(path)
+    security_directory = pe.OPTIONAL_HEADER.DATA_DIRECTORY[
+        pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_SECURITY"]
+    ]
+    win_certificate = pe.__data__[
+        security_directory.VirtualAddress
+        + 8 : security_directory.VirtualAddress
+        + security_directory.Size
+    ]  # Extract WIN_CERTIFICATE
+    with open("dump.pkcs7.der", "wb") as fp:
+        fp.write(win_certificate)
+
+
+# Use the function
+file_path = sys.argv[1]
+# To convert to ASCII PEM to use in tests, use
+# openssl pkcs7 -inform der -in dump.pkcs7.der -out sig.pem

dev_scripts.py/hex_to_c.py

@@ -0,0 +1,18 @@
+"""Convert hex string like c7fef94e329bd9b66b281539265f989313356cbd9c345df9e670e9c4b6e0edce to C array init"""
+import sys
+
+
+def hex_to_c_array(hex_string: str) -> str:
+    # Split the hex string into bytes
+    bytes = [hex_string[i : i + 2] for i in range(0, len(hex_string), 2)]
+
+    # Format the bytes as a C array
+    c_array = ", ".join("0x" + byte for byte in bytes)
+    c_array = "uint8_t array[] = {" + c_array + "};"
+
+    return c_array
+
+
+# Use the function
+hex_string = sys.argv[1]
+print(hex_to_c_array(hex_string))

examples/authenticode_dumper.c

@@ -69,7 +69,11 @@ void print_authenticode(Authenticode *auth)
     printf("%sDigest Algorithm  : %s\n", indent, auth->digest_alg);
     printf("%sVerify flags      : %d\n", indent, auth->verify_flags);
     printf("%sCertificate count : %ld\n", indent, auth->certs->count);
-    printf("%sCertificates: \n\n", indent);
+    printf("%sCertificates: \n", indent);
+    if (auth->signer->program_name) {
+        printf("%sProgram name      : %s\n", indent, auth->signer->program_name);
+    }
+    printf("\n");
 
     if (auth->certs) {
         for (size_t i = 0; i < auth->certs->count; ++i) {

src/authenticode.c

@@ -22,6 +22,7 @@ SOFTWARE.
 #include <openssl/asn1.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#include <openssl/opensslv.h>
 #include <openssl/ossl_typ.h>
 #include <openssl/pkcs7.h>
 #include <openssl/safestack.h>
@@ -274,7 +275,8 @@ static bool authenticode_verify(PKCS7* p7, PKCS7_SIGNER_INFO* si, X509* signCert
 }
 
 /* Creates all the Authenticode objects so we can parse them with OpenSSL, is not thread-safe, needs
- * to be called once before any multi-threading environmentt - https://github.com/openssl/openssl/issues/13524 */
+ * to be called once before any multi-threading environmentt -
+ * https://github.com/openssl/openssl/issues/13524 */
 void initialize_authenticode_parser()
 {
     OBJ_create("1.3.6.1.4.1.311.2.1.12", "spcSpOpusInfo", "SPC_SP_OPUS_INFO_OBJID");
@@ -567,7 +569,8 @@ AuthenticodeArray* parse_authenticode(const uint8_t* pe_data, uint64_t pe_len)
     uint32_t dwLength = letoh32(*(uint32_t*)(pe_data + cert_addr));
     if (pe_len < cert_addr + dwLength)
         return NULL;
-    /* dwLength = offsetof(WIN_CERTIFICATE, bCertificate) + (size of the variable-length binary array contained within bCertificate) */
+    /* dwLength = offsetof(WIN_CERTIFICATE, bCertificate) + (size of the variable-length binary
+     * array contained within bCertificate) */
     AuthenticodeArray* auth_array = authenticode_new(pe_data + cert_addr + 0x8, dwLength - 0x8);
     if (!auth_array)
         return NULL;

src/certificate.c

@@ -24,6 +24,7 @@ SOFTWARE.
 #include <openssl/asn1.h>
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
+#include <openssl/opensslv.h>
 #include <openssl/sha.h>
 #include <openssl/x509.h>
 #include <string.h>