Changeset 64926 in vbox for trunk/src/VBox/Runtime

Timestamp:

Dec 16, 2016 9:43:08 PM (8 years ago)

Author:

vboxsync

Message:

RTSignTool: Added an --signature-index to the extract-exe-signer-cert command.

File:

• trunk/src/VBox/Runtime/tools/RTSignTool.cpp (modified) (7 diffs)

trunk/src/VBox/Runtime/tools/RTSignTool.cpp

@@ -473 +473 @@
     return RTEXITCODE_FAILURE;
 }
+
+
+
+/**
+ * Worker for recursively searching for MS nested signatures and signer infos.
+ *
+ * @returns Pointer to the signer info corresponding to @a iSignature.  NULL if
+ *          not found.
+ * @param   pSignedData     The signature to search.
+ * @param   piNextSignature Pointer to the variable keeping track of the next
+ *                          signature number.
+ * @param   iReqSignature   The request signature number.
+ * @param   ppSignedData    Where to return the signature data structure.
+ */
+static PRTCRPKCS7SIGNERINFO SignToolPkcs7_FindNestedSignatureByIndexWorker(PRTCRPKCS7SIGNEDDATA pSignedData,
+                                                                           uint32_t *piNextSignature,
+                                                                           uint32_t iReqSignature,
+                                                                           PRTCRPKCS7SIGNEDDATA *ppSignedData)
+{
+    for (uint32_t iSignerInfo = 0; iSignerInfo < pSignedData->SignerInfos.cItems; iSignerInfo++)
+    {
+        /* Match?*/
+        PRTCRPKCS7SIGNERINFO pSignerInfo = pSignedData->SignerInfos.papItems[iSignerInfo];
+        if (*piNextSignature == iReqSignature)
+        {
+            *ppSignedData = pSignedData;
+            return pSignerInfo;
+        }
+        *piNextSignature += 1;
+
+        /* Look for nested signatures. */
+        for (uint32_t iAttrib = 0; iAttrib < pSignerInfo->UnauthenticatedAttributes.cItems; iAttrib++)
+            if (pSignerInfo->UnauthenticatedAttributes.papItems[iAttrib]->enmType == RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE)
+            {
+                PRTCRPKCS7SETOFCONTENTINFOS pCntInfos;
+                pCntInfos = pSignerInfo->UnauthenticatedAttributes.papItems[iAttrib]->uValues.pContentInfos;
+                for (uint32_t iCntInfo = 0; iCntInfo < pCntInfos->cItems; iCntInfo++)
+                {
+                    PRTCRPKCS7CONTENTINFO pCntInfo = pCntInfos->papItems[iCntInfo];
+                    if (RTCrPkcs7ContentInfo_IsSignedData(pCntInfo))
+                    {
+                        PRTCRPKCS7SIGNERINFO pRet;
+                        pRet = SignToolPkcs7_FindNestedSignatureByIndexWorker(pCntInfo->u.pSignedData, piNextSignature,
+                                                                              iReqSignature, ppSignedData);
+                        if (pRet)
+                            return pRet;
+                    }
+                }
+            }
+    }
+    return NULL;
+}
+
+
+/**
+ * Locates the given nested signature.
+ *
+ * @returns Pointer to the signer info corresponding to @a iSignature.  NULL if
+ *          not found.
+ * @param   pThis           The PKCS\#7 structure to search.
+ * @param   iReqSignature   The requested signature number.
+ * @param   ppSignedData    Where to return the pointer to the signed data that
+ *                          the returned signer info belongs to.
+ *
+ * @todo    Move into SPC or PKCS\#7.
+ */
+static PRTCRPKCS7SIGNERINFO SignToolPkcs7_FindNestedSignatureByIndex(PSIGNTOOLPKCS7 pThis, uint32_t iReqSignature,
+                                                                     PRTCRPKCS7SIGNEDDATA *ppSignedData)
+{
+    uint32_t iNextSignature = 0;
+    return SignToolPkcs7_FindNestedSignatureByIndexWorker(pThis->pSignedData, &iNextSignature, iReqSignature, ppSignedData);
+}
+
 
 
@@ -797 +870 @@
 {
     RT_NOREF_PV(enmLevel);
-    RTStrmPrintf(pStrm, "extract-exe-signer-cert [--ber|--cer|--der] [--exe|-e] <exe> [--output|-o] <outfile.cer>\n");
+    RTStrmPrintf(pStrm, "extract-exe-signer-cert [--ber|--cer|--der] [--signature-index|-i <num>] [--exe|-e] <exe> [--output|-o] <outfile.cer>\n");
     return RTEXITCODE_SUCCESS;
 }
@@ -808 +881 @@
     static const RTGETOPTDEF s_aOptions[] =
     {
-        { "--ber",    'b', RTGETOPT_REQ_NOTHING },
-        { "--cer",    'c', RTGETOPT_REQ_NOTHING },
-        { "--der",    'd', RTGETOPT_REQ_NOTHING },
-        { "--exe",    'e', RTGETOPT_REQ_STRING },
-        { "--output", 'o', RTGETOPT_REQ_STRING },
+        { "--ber",              'b', RTGETOPT_REQ_NOTHING },
+        { "--cer",              'c', RTGETOPT_REQ_NOTHING },
+        { "--der",              'd', RTGETOPT_REQ_NOTHING },
+        { "--exe",              'e', RTGETOPT_REQ_STRING  },
+        { "--output",           'o', RTGETOPT_REQ_STRING  },
+        { "--signature-index",  'i', RTGETOPT_REQ_UINT32  },
     };
 
@@ -820 +894 @@
     unsigned    cVerbosity   = 0;
     uint32_t    fCursorFlags = RTASN1CURSOR_FLAGS_DER;
+    uint32_t    iSignature   = 0;
 
     RTGETOPTSTATE GetState;
@@ -835 +910 @@
             case 'c':   fCursorFlags = RTASN1CURSOR_FLAGS_CER; break;
             case 'd':   fCursorFlags = RTASN1CURSOR_FLAGS_DER; break;
+            case 'i':   iSignature = ValueUnion.u32; break;
             case 'V':   return HandleVersion(cArgs, papszArgs);
             case 'h':   return HelpExtractExeSignerCert(g_pStdOut, RTSIGNTOOLHELP_FULL);
@@ -866 +942 @@
     if (rcExit == RTEXITCODE_SUCCESS)
     {
-        /* Find the signing certificate (ASSUMING there's only one signer and that
-           the certificate used is shipped in the set of certificates). */
+        /* Find the signing certificate (ASSUMING that the certificate used is shipped in the set of certificates). */
+        PRTCRPKCS7SIGNEDDATA  pSignedData;
+        PCRTCRPKCS7SIGNERINFO pSignerInfo = SignToolPkcs7_FindNestedSignatureByIndex(&This, iSignature, &pSignedData);
         rcExit = RTEXITCODE_FAILURE;
-        if (This.pSignedData->SignerInfos.cItems == 1)
-        {
-            PCRTCRPKCS7ISSUERANDSERIALNUMBER pISN = &This.pSignedData->SignerInfos.papItems[0]->IssuerAndSerialNumber;
+        if (pSignerInfo)
+        {
+            PCRTCRPKCS7ISSUERANDSERIALNUMBER pISN = &pSignedData->SignerInfos.papItems[0]->IssuerAndSerialNumber;
             PCRTCRX509CERTIFICATE pCert;
-            pCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&This.pSignedData->Certificates,
+            pCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&pSignedData->Certificates,
                                                                         &pISN->Name, &pISN->SerialNumber);
             if (pCert)
@@ -910 +987 @@
         }
         else
-            RTMsgError("SignerInfo count: %u", This.pSignedData->SignerInfos.cItems);
-
+            RTMsgError("Could not locate signature #%u!", iSignature);
 
         /* Delete the signature data. */