Changeset 106264 in vbox for trunk/src/VBox/Runtime

Timestamp:

Oct 9, 2024 8:50:12 PM (7 weeks ago)

Author:

vboxsync

Message:

RTSignTool: Extended the extract-exe-signer-cert, extract-timestamp-root and extract-signer-root commands with a --as-c-array=name option that gets all the designated certificate in a form a C compiler can understand. bugref:10771

File:

• trunk/src/VBox/Runtime/tools/RTSignTool.cpp (modified) (19 diffs)

trunk/src/VBox/Runtime/tools/RTSignTool.cpp

@@ -1585 +1585 @@
 
 
+/**
+ * Count the number of signatures, nested or otherwise.
+ *
+ * @returns Number of signatures.
+ * @param   pThis           The PKCS\#7 structure to search.
+ *
+ * @todo    Move into SPC or PKCS\#7.
+ */
+static uint32_t SignToolPkcs7_CountSignatures(PSIGNTOOLPKCS7 pThis)
+{
+    uint32_t             iNextSignature = 0;
+    PRTCRPKCS7SIGNEDDATA pSignedData    = NULL;
+    SignToolPkcs7_FindNestedSignatureByIndexWorker(pThis->pSignedData, &iNextSignature, UINT32_MAX / 2, &pSignedData);
+    return iNextSignature;
+}
+
 
 /**
@@ -3294 +3310 @@
     RT_NOREF_PV(enmLevel);
     RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT,
-                        "extract-exe-signer-cert [--ber|--cer|--der] [--signature-index|-i <num>] [--input|--exe|-e] <exe> [--output|-o] <outfile.cer>\n");
+                        "extract-exe-signer-cert [--as-c-array=name|--ber|--cer|--der] [--signature-index|-i <num>] [--input|--exe|-e] <exe> [--output|-o] <outfile.cer/h>\n");
     return RTEXITCODE_SUCCESS;
 }
@@ -3331 +3347 @@
 
 
+static void PrintCertAsCArray(PCRTCRX509CERTIFICATE pCert, uint32_t iSignature, const char *pszBaseNm, PRTSTREAM pStrm)
+{
+    uint32_t const        cbCert = pCert->SeqCore.Asn1Core.cbHdr     + pCert->SeqCore.Asn1Core.cb;
+    uint8_t const * const pbCert = pCert->SeqCore.Asn1Core.uData.pu8 - pCert->SeqCore.Asn1Core.cbHdr;
+    if (iSignature == UINT32_MAX)
+        RTStrmPrintf(pStrm,
+                     "uint32_t const g_cb%s = %u;\n"
+                     "uint8_t const  g_ab%s[%u] =\n"
+                     "{",
+                     pszBaseNm, cbCert, pszBaseNm, cbCert);
+    else
+        RTStrmPrintf(pStrm, "static uint8_t const g_ab%sCert%u[%u] =\n{", pszBaseNm, iSignature, cbCert);
+    for (uint32_t off = 0; off < cbCert; off++)
+    {
+        if (off % 16 == 0)
+            RTStrmPrintf(pStrm, "\n   ");
+        RTStrmPrintf(pStrm, " %#04x,", pbCert[off]);
+    }
+    RTStrmPrintf(pStrm, "\n};\n\n");
+}
+
+
+static void PrintCertTableAsC(uint32_t cSignatures, const char *pszBaseNm, PRTSTREAM pStrm)
+{
+    RTStrmPrintf(pStrm,
+                 "uint32_t const g_c%s = %u;\n"
+                 "struct { uint8_t const *pbCert; size_t cbCert; } const g_a%s[%u] =\n"
+                 "{\n"
+                 , pszBaseNm, cSignatures, pszBaseNm, cSignatures ? cSignatures : 1);
+    for (uint32_t iSignature = 0; iSignature < cSignatures; iSignature++)
+        RTStrmPrintf(pStrm, "    { g_ab%sCert%u, sizeof(g_ab%sCert%u) },\n",
+                     pszBaseNm, iSignature, pszBaseNm, iSignature);
+    if (!cSignatures)
+        RTStrmPrintf(pStrm, "    { NULL, 0 } /* dummy */ \n");
+    RTStrmPrintf(pStrm, "};\n");
+}
+
+
+static RTEXITCODE WriteCertToFileAsC(PCRTCRX509CERTIFICATE pCert, const char *pszFilename, bool fForce, const char *pszBaseNm)
+{
+    RTEXITCODE rcExit;
+    PRTSTREAM  pStrm  = NULL;
+    int rc = RTStrmOpen(pszFilename, fForce ? "wt+" : "wtx", &pStrm);
+    if (RT_SUCCESS(rc))
+    {
+        PrintCertAsCArray(pCert, UINT32_MAX, pszBaseNm, pStrm);
+        rc = RTStrmClose(pStrm);
+        if (RT_SUCCESS(rc))
+            rcExit = RTEXITCODE_SUCCESS;
+        else
+            rcExit = RTMsgErrorExitFailure("Error writing/closing '%s': %Rrc", pszFilename, rc);
+    }
+    else
+        rcExit = RTMsgErrorExitFailure("Failed to open '%s' for writing: %Rrc", pszFilename, rc);
+    return rcExit;
+}
+
+
+
 static RTEXITCODE HandleExtractExeSignerCert(int cArgs, char **papszArgs)
 {
@@ -3346 +3421 @@
         { "--signature-index",  'i', RTGETOPT_REQ_UINT32  },
         { "--force",            'f', RTGETOPT_REQ_NOTHING },
+        { "--as-c-array",       'C', RTGETOPT_REQ_STRING  },
     };
 
@@ -3354 +3430 @@
     uint32_t    fCursorFlags = RTASN1CURSOR_FLAGS_DER;
     uint32_t    iSignature   = 0;
+    const char *pszCArrayNm  = NULL;
     bool        fForce       = false;
 
@@ -3375 +3452 @@
             case 'h':   return HelpExtractExeSignerCert(g_pStdOut, RTSIGNTOOLHELP_FULL);
 
+            case 'C':
+                pszCArrayNm = *ValueUnion.psz ? ValueUnion.psz : NULL;
+                if (pszCArrayNm)
+                    iSignature = UINT32_MAX;
+                break;
+
             case VINF_GETOPT_NOT_OPTION:
                 if (!pszExe)
@@ -3403 +3486 @@
     if (rcExit == RTEXITCODE_SUCCESS)
     {
-        /* Find the signing certificate (ASSUMING that the certificate used is shipped in the set of certificates). */
-        PRTCRPKCS7SIGNEDDATA  pSignedData;
-        PCRTCRPKCS7SIGNERINFO pSignerInfo = SignToolPkcs7_FindNestedSignatureByIndex(&This, iSignature, &pSignedData);
-        rcExit = RTEXITCODE_FAILURE;
-        if (pSignerInfo)
-        {
-            PCRTCRPKCS7ISSUERANDSERIALNUMBER pISN = &pSignedData->SignerInfos.papItems[0]->IssuerAndSerialNumber;
-            PCRTCRX509CERTIFICATE pCert;
-            pCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&pSignedData->Certificates,
-                                                                        &pISN->Name, &pISN->SerialNumber);
-            if (pCert)
+        if (pszCArrayNm == NULL || iSignature != UINT32_MAX)
+        {
+            /* Find the signing certificate (ASSUMING that the certificate used is shipped in the set of certificates). */
+            PRTCRPKCS7SIGNEDDATA  pSignedData;
+            PCRTCRPKCS7SIGNERINFO pSignerInfo = SignToolPkcs7_FindNestedSignatureByIndex(&This, iSignature, &pSignedData);
+            rcExit = RTEXITCODE_FAILURE;
+            if (pSignerInfo)
             {
-                /*
-                 * Write it out.
-                 */
-                rcExit = WriteCertToFile(pCert, pszOut, fForce);
+                PCRTCRPKCS7ISSUERANDSERIALNUMBER pISN = &pSignedData->SignerInfos.papItems[0]->IssuerAndSerialNumber;
+                PCRTCRX509CERTIFICATE pCert;
+                pCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&pSignedData->Certificates,
+                                                                            &pISN->Name, &pISN->SerialNumber);
+                if (pCert)
+                {
+                    /*
+                     * Write it out.
+                     */
+                    if (pszCArrayNm == NULL)
+                        rcExit = WriteCertToFile(pCert, pszOut, fForce);
+                    else
+                        rcExit = WriteCertToFileAsC(pCert, pszOut, fForce, pszCArrayNm);
+                }
+                else
+                    RTMsgError("Certificate not found.");
             }
             else
-                RTMsgError("Certificate not found.");
+                RTMsgError("Could not locate signature #%u!", iSignature);
         }
         else
-            RTMsgError("Could not locate signature #%u!", iSignature);
+        {
+            uint32_t const cSignatures = SignToolPkcs7_CountSignatures(&This);
+            if (cSignatures)
+            {
+                PRTSTREAM pStrm = NULL;
+                rc = RTStrmOpen(pszOut, fForce ? "wt+" : "wtx", &pStrm);
+                if (RT_SUCCESS(rc))
+                {
+                    for (iSignature = 0; iSignature < cSignatures; iSignature++)
+                    {
+                        PRTCRPKCS7SIGNEDDATA  pSignedData;
+                        PCRTCRPKCS7SIGNERINFO pSignerInfo = SignToolPkcs7_FindNestedSignatureByIndex(&This, iSignature, &pSignedData);
+                        if (!pSignerInfo)
+                        {
+                            rcExit = RTMsgErrorExitFailure("Could not locate signature #%u out of %u!", iSignature, cSignatures);
+                            break;
+                        }
+                        PCRTCRPKCS7ISSUERANDSERIALNUMBER pISN = &pSignedData->SignerInfos.papItems[0]->IssuerAndSerialNumber;
+                        PCRTCRX509CERTIFICATE pCert;
+                        pCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&pSignedData->Certificates,
+                                                                                    &pISN->Name, &pISN->SerialNumber);
+                        if (pCert)
+                            PrintCertAsCArray(pCert, iSignature, pszCArrayNm, pStrm);
+                        else
+                        {
+                            rcExit = RTMsgErrorExitFailure("Could not locate certificate for signature #%u (out of %u)!",
+                                                           iSignature, cSignatures);
+                            break;
+                        }
+                    }
+
+                    PrintCertTableAsC(iSignature, pszCArrayNm, pStrm);
+
+                    rc = RTStrmClose(pStrm);
+                    if (RT_FAILURE(rc))
+                        rcExit = RTMsgErrorExitFailure("Error writing/closing '%s': %Rrc", pszOut, rc);
+                }
+                else
+                    rcExit = RTMsgErrorExitFailure("Failed to open '%s' for writing: %Rrc", pszOut, rc);
+            }
+            else
+                rcExit = RTMsgErrorExitFailure("No signatures found!");
+        }
 
         /* Delete the signature data. */
@@ -3447 +3580 @@
     /** Timestamp or main signature. */
     bool const  fTimestamp;
+    const char *pszBaseNm;
 
     BaseExtractState(bool a_fTimestamp)
@@ -3456 +3590 @@
         , fForce(false)
         , fTimestamp(a_fTimestamp)
+        , pszBaseNm(NULL)
     {
     }
@@ -3494 +3629 @@
  * Locates the target signature and certificate collection.
  */
-static PRTCRPKCS7SIGNERINFO BaseExtractFindSignerInfo(SIGNTOOLPKCS7 *pThis, BaseExtractState *pState,
+static PRTCRPKCS7SIGNERINFO BaseExtractFindSignerInfo(SIGNTOOLPKCS7 *pThis, BaseExtractState *pState, bool fOptional,
                                                       PRTCRPKCS7SIGNEDDATA  *ppSignedData, PCRTCRPKCS7SETOFCERTS *ppCerts)
 {
@@ -3557 +3692 @@
                 }
             }
-            RTMsgError("Cound not find a timestamp signature associated with signature #%u!", pState->iSignature);
+            if (!fOptional)
+                RTMsgError("Cound not find a timestamp signature associated with signature #%u!", pState->iSignature);
             pSignerInfo = NULL;
         }
@@ -3566 +3702 @@
         }
     }
-    else
+    else if (!fOptional)
         RTMsgError("Could not locate signature #%u!", pState->iSignature);
     return pSignerInfo;
@@ -3580 +3716 @@
 
 
-static RTEXITCODE RootExtractWorker2(SIGNTOOLPKCS7 *pThis, RootExtractState *pState, PRTERRINFOSTATIC pStaticErrInfo)
+static RTEXITCODE RootExtractWorker3(SIGNTOOLPKCS7 *pThis, RootExtractState *pState, PRTSTREAM pStrm, uint32_t *pidxCert,
+                                     PRTERRINFOSTATIC pStaticErrInfo)
 {
     /*
      * Locate the target signature.
      */
+    bool const            fOptional = pidxCert != NULL && pStrm != NULL && pState->fTimestamp /*fOptional*/;
     PRTCRPKCS7SIGNEDDATA  pSignedData;
     PCRTCRPKCS7SETOFCERTS pCerts;
-    PCRTCRPKCS7SIGNERINFO pSignerInfo = BaseExtractFindSignerInfo(pThis,pState, &pSignedData, &pCerts);
+    PCRTCRPKCS7SIGNERINFO pSignerInfo = BaseExtractFindSignerInfo(pThis, pState, fOptional, &pSignedData, &pCerts);
     if (!pSignerInfo)
-        return RTMsgErrorExitFailure("Could not locate signature #%u!", pState->iSignature);
+    {
+        if (!fOptional)
+            return RTMsgErrorExitFailure("Could not locate signature #%u!", pState->iSignature);
+        return RTEXITCODE_SUCCESS;
+    }
+
 
     /* The next bit is modelled on first half of rtCrPkcs7VerifySignerInfo. */
@@ -3678 +3821 @@
                                          * Now copy out the certificate.
                                          */
-                                        rcExit = WriteCertToFile(pRootCert, pState->pszOut, pState->fForce);
+                                        if (!pState->pszBaseNm)
+                                            rcExit = WriteCertToFile(pRootCert, pState->pszOut, pState->fForce);
+                                        else if (!pStrm)
+                                            rcExit = WriteCertToFileAsC(pRootCert, pState->pszOut, pState->fForce,
+                                                                        pState->pszBaseNm);
+                                        else
+                                        {
+                                            PrintCertAsCArray(pRootCert, *pidxCert, pState->pszBaseNm, pStrm);
+                                            *pidxCert += 1;
+                                            rcExit = RTEXITCODE_SUCCESS;
+                                        }
                                         break;
                                     }
@@ -3717 +3870 @@
 
 
+static RTEXITCODE RootExtractWorker2(SIGNTOOLPKCS7 *pThis, RootExtractState *pState, PRTERRINFOSTATIC pStaticErrInfo)
+{
+    if (!pState->pszBaseNm || pState->iSignature != UINT32_MAX)
+        return RootExtractWorker3(pThis, pState, NULL, NULL, pStaticErrInfo);
+
+    /*
+     * Dump all these certificates.
+     */
+    uint32_t const cSignatures = SignToolPkcs7_CountSignatures(pThis);
+    if (!cSignatures)
+        return RTMsgErrorExitFailure("No signatures found!");
+
+    PRTSTREAM pStrm = NULL;
+    int rc = RTStrmOpen(pState->pszOut, pState->fForce ? "wt+" : "wtx", &pStrm);
+    if (RT_FAILURE(rc))
+        return RTMsgErrorExitFailure("Failed to open '%s' for writing: %Rrc", pState->pszOut, rc);
+
+    uint32_t   idxCert = 0; /* tracking separately, as we ignore missing timestamp chains. */
+    RTEXITCODE rcExit  = RTEXITCODE_SUCCESS;
+    for (uint32_t iSignature = 0; iSignature < cSignatures && rcExit == RTEXITCODE_SUCCESS; iSignature++)
+    {
+        pState->iSignature = iSignature;
+        rcExit = RootExtractWorker3(pThis, pState, pStrm, &idxCert, pStaticErrInfo);
+    }
+
+    PrintCertTableAsC(idxCert, pState->pszBaseNm, pStrm);
+
+    rc = RTStrmClose(pStrm);
+    if (RT_FAILURE(rc))
+        rcExit = RTMsgErrorExitFailure("Error writing/closing '%s': %Rrc", pState->pszOut, rc);
+    return rcExit;
+}
+
+
 static RTEXITCODE RootExtractWorker(RootExtractState *pState, PRTERRINFOSTATIC pStaticErrInfo)
 {
@@ -3765 +3952 @@
     RT_NOREF_PV(enmLevel);
     RTStrmWrappedPrintf(pStrm, RTSTRMWRAPPED_F_HANGING_INDENT,
-                        "extract-%s-root [-v|--verbose] [-q|--quiet] [--signature-index|-i <num>] [--root <root-cert.der>] "
-                        "[--self-signed-roots-from-system] [--additional <supp-cert.der>] [--intermediate-certs-from-system] "
-                        "[--input] <signed-file> [-f|--force] [--output|-o] <outfile.cer>\n",
+                        "extract-%s-root [-v|--verbose] [-q|--quiet] [--as-c-array <name>] [--signature-index|-i <num>] "
+                        "[--root <root-cert.der>] [--self-signed-roots-from-system] [--additional <supp-cert.der>] "
+                        "[--intermediate-certs-from-system] [--input] <signed-file> "
+                        "[-f|--force] [--output|-o] <outfile.cer/h>\n",
                         fTimestamp ? "timestamp" : "signer");
     if (enmLevel == RTSIGNTOOLHELP_FULL)
@@ -3783 +3971 @@
                             "    Controls the noise level.  The '-v' options are accumlative while '-q' is absolute.\n"
                             "    Default: -q\n"
+                            "  -C <name>, --as-c-array <name>\n"
+                            "    Output a C header file containing the roots of all signatures (or a selected one if"
+                            "--signature-index is used again after this option.\n"
+                            "    Default: Output one binary certificate.\n"
                             "  -i <num>, --signature-index <num>\n"
                             "    Zero-based index of the signature to extract the root for.\n"
@@ -3831 +4023 @@
         { "--verbose",                       'v', RTGETOPT_REQ_NOTHING },
         { "--quiet",                         'q', RTGETOPT_REQ_NOTHING },
+        { "--as-c-array",                    'C', RTGETOPT_REQ_STRING  },
     };
     RTERRINFOSTATIC  StaticErrInfo;
@@ -3873 +4066 @@
             case 'V':   return HandleVersion(cArgs, papszArgs);
             case 'h':   return HelpExtractRootCommon(g_pStdOut, RTSIGNTOOLHELP_FULL, fTimestamp);
+
+            case 'C':
+                State.pszBaseNm = *ValueUnion.psz ? ValueUnion.psz : NULL;
+                if (State.pszBaseNm)
+                    State.iSignature = UINT32_MAX;
+                break;
 
             case VINF_GETOPT_NOT_OPTION: