Changeset 95671 in vbox for trunk/src/VBox/Runtime/tools/RTSignTool.cpp
- Timestamp:
- Jul 16, 2022 1:51:17 PM (2 years ago)
- File:
-
- 1 edited
-
trunk/src/VBox/Runtime/tools/RTSignTool.cpp (modified) (35 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/VBox/Runtime/tools/RTSignTool.cpp
r95670 r95671 134 134 #define OPT_NO_HASH_PAGES 1041 135 135 #define OPT_ADD_CERT 1042 136 137 136 #define OPT_TIMESTAMP_TYPE 1043 138 137 #define OPT_TIMESTAMP_OVERRIDE 1044 138 #define OPT_NO_SIGNING_TIME 1045 139 139 140 140 … … 1340 1340 if (pfnMapFileAndCheckSumW) 1341 1341 { 1342 DWORD u HeaderSum= UINT32_MAX;1343 DWORD uCheckSum 1344 DWORD dwRc = pfnMapFileAndCheckSumW(pwszPath, &u HeaderSum, &uCheckSum);1342 DWORD uOldSum = UINT32_MAX; 1343 DWORD uCheckSum = UINT32_MAX; 1344 DWORD dwRc = pfnMapFileAndCheckSumW(pwszPath, &uOldSum, &uCheckSum); 1345 1345 if (dwRc == CHECKSUM_SUCCESS) 1346 1346 { … … 1702 1702 1703 1703 static RTEXITCODE SignToolPkcs7_AddAuthAttribsForImageOrCatSignature(PRTCRPKCS7ATTRIBUTES pAuthAttribs, RTTIMESPEC SigningTime, 1704 const char *pszContentTypeId)1704 bool fNoSigningTime, const char *pszContentTypeId) 1705 1705 { 1706 1706 /* … … 1742 1742 * Add signing time. We add this, even if signtool.exe, since OpenSSL will always do it otherwise. 1743 1743 */ 1744 rcExit = SignToolPkcs7_AuthAttribsAddSigningTime(pAuthAttribs, SigningTime); 1745 if (rcExit != RTEXITCODE_SUCCESS) 1746 return rcExit; 1744 if (!fNoSigningTime) /** @todo requires disabling the code in do_pkcs7_signed_attrib that adds it when absent */ 1745 { 1746 rcExit = SignToolPkcs7_AuthAttribsAddSigningTime(pAuthAttribs, SigningTime); 1747 if (rcExit != RTEXITCODE_SUCCESS) 1748 return rcExit; 1749 } 1747 1750 1748 1751 /** @todo more? Some certificate stuff? */ … … 2171 2174 static RTEXITCODE SignToolPkcs7_SignData(SIGNTOOLPKCS7 *pThis, PRTASN1CORE pToSignRoot, bool fIsRootsParent, 2172 2175 const char *pszContentTypeId, unsigned cVerbosity, RTDIGESTTYPE enmSigType, 2173 bool fReplaceExisting, SignToolKeyPair *pSigningCertKey, RTCRSTORE hAddCerts, 2176 bool fReplaceExisting, bool fNoSigningTime, 2177 SignToolKeyPair *pSigningCertKey, RTCRSTORE hAddCerts, 2174 2178 bool fTimestampTypeOld, RTTIMESPEC SigningTime, SignToolKeyPair *pTimestampCertKey) 2175 2179 { … … 2205 2209 if (RT_SUCCESS(rc)) 2206 2210 { 2207 rcExit = SignToolPkcs7_AddAuthAttribsForImageOrCatSignature(&AuthAttribs, SigningTime, pszContentTypeId); 2211 rcExit = SignToolPkcs7_AddAuthAttribsForImageOrCatSignature(&AuthAttribs, SigningTime, fNoSigningTime, 2212 pszContentTypeId); 2208 2213 if (rcExit == RTEXITCODE_SUCCESS) 2209 2214 { … … 2474 2479 2475 2480 static RTEXITCODE SignToolPkcs7_AddOrReplaceSignature(SIGNTOOLPKCS7EXE *pThis, unsigned cVerbosity, RTDIGESTTYPE enmSigType, 2476 bool fReplaceExisting, bool fHashPages, SignToolKeyPair *pSigningCertKey, 2481 bool fReplaceExisting, bool fHashPages, bool fNoSigningTime, 2482 SignToolKeyPair *pSigningCertKey, 2477 2483 RTCRSTORE hAddCerts, bool fTimestampTypeOld, 2478 2484 RTTIMESPEC SigningTime, SignToolKeyPair *pTimestampCertKey) … … 2541 2547 rcExit = SignToolPkcs7_SignData(pThis, RTCrSpcIndirectDataContent_GetAsn1Core(&SpcIndData), false, 2542 2548 RTCRSPCINDIRECTDATACONTENT_OID, cVerbosity, 2543 enmSigType, fReplaceExisting, pSigningCertKey, hAddCerts,2549 enmSigType, fReplaceExisting, fNoSigningTime, pSigningCertKey, hAddCerts, 2544 2550 fTimestampTypeOld, SigningTime, pTimestampCertKey); 2545 2551 } … … 2560 2566 2561 2567 static RTEXITCODE SignToolPkcs7_AddOrReplaceCatSignature(SIGNTOOLPKCS7 *pThis, unsigned cVerbosity, RTDIGESTTYPE enmSigType, 2562 bool fReplaceExisting, SignToolKeyPair *pSigningCertKey, 2568 bool fReplaceExisting, bool fNoSigningTime, 2569 SignToolKeyPair *pSigningCertKey, 2563 2570 RTCRSTORE hAddCerts, bool fTimestampTypeOld, 2564 2571 RTTIMESPEC SigningTime, SignToolKeyPair *pTimestampCertKey) … … 2590 2597 */ 2591 2598 RTEXITCODE rcExit = SignToolPkcs7_SignData(pThis, pToSign, true, pszType, cVerbosity, enmSigType, fReplaceExisting, 2592 pSigningCertKey, hAddCerts, fTimestampTypeOld, SigningTime, pTimestampCertKey); 2599 fNoSigningTime, pSigningCertKey, hAddCerts, 2600 fTimestampTypeOld, SigningTime, pTimestampCertKey); 2593 2601 2594 2602 /* probably need to clean up stuff related to nested signatures here later... */ … … 2624 2632 { "--output", 'o', RTGETOPT_REQ_STRING }, 2625 2633 { "--signature-index", 'i', RTGETOPT_REQ_UINT32 }, 2634 { "--force", 'f', RTGETOPT_REQ_NOTHING }, 2626 2635 }; 2627 2636 … … 2632 2641 uint32_t fCursorFlags = RTASN1CURSOR_FLAGS_DER; 2633 2642 uint32_t iSignature = 0; 2643 bool fForce = false; 2634 2644 2635 2645 RTGETOPTSTATE GetState; … … 2647 2657 case 'c': fCursorFlags = RTASN1CURSOR_FLAGS_CER; break; 2648 2658 case 'd': fCursorFlags = RTASN1CURSOR_FLAGS_DER; break; 2659 case 'f': fForce = true; break; 2649 2660 case 'i': iSignature = ValueUnion.u32; break; 2650 2661 case 'V': return HandleVersion(cArgs, papszArgs); … … 2668 2679 if (!pszOut) 2669 2680 return RTMsgErrorExit(RTEXITCODE_FAILURE, "No output file given."); 2670 if ( RTPathExists(pszOut))2681 if (!fForce && RTPathExists(pszOut)) 2671 2682 return RTMsgErrorExit(RTEXITCODE_FAILURE, "The output file '%s' exists.", pszOut); 2672 2683 … … 2695 2706 */ 2696 2707 RTFILE hFile; 2697 rc = RTFileOpen(&hFile, pszOut, RTFILE_O_WRITE | RTFILE_O_DENY_WRITE | RTFILE_O_CREATE); 2708 rc = RTFileOpen(&hFile, pszOut, 2709 RTFILE_O_WRITE | RTFILE_O_DENY_WRITE | (fForce ? RTFILE_O_CREATE_REPLACE : RTFILE_O_CREATE)); 2698 2710 if (RT_SUCCESS(rc)) 2699 2711 { … … 2754 2766 { "--exe", 'e', RTGETOPT_REQ_STRING }, 2755 2767 { "--output", 'o', RTGETOPT_REQ_STRING }, 2768 { "--force", 'f', RTGETOPT_REQ_NOTHING }, 2756 2769 }; 2757 2770 … … 2760 2773 RTLDRARCH enmLdrArch = RTLDRARCH_WHATEVER; 2761 2774 unsigned cVerbosity = 0; 2775 bool fForce = false; 2762 2776 2763 2777 RTGETOPTSTATE GetState; … … 2772 2786 case 'e': pszExe = ValueUnion.psz; break; 2773 2787 case 'o': pszOut = ValueUnion.psz; break; 2788 case 'f': fForce = true; break; 2774 2789 case 'V': return HandleVersion(cArgs, papszArgs); 2775 2790 case 'h': return HelpExtractExeSignerCert(g_pStdOut, RTSIGNTOOLHELP_FULL); … … 2792 2807 if (!pszOut) 2793 2808 return RTMsgErrorExit(RTEXITCODE_FAILURE, "No output file given."); 2794 if ( RTPathExists(pszOut))2809 if (!fForce && RTPathExists(pszOut)) 2795 2810 return RTMsgErrorExit(RTEXITCODE_FAILURE, "The output file '%s' exists.", pszOut); 2796 2811 … … 2807 2822 */ 2808 2823 RTFILE hFile; 2809 rc = RTFileOpen(&hFile, pszOut, RTFILE_O_WRITE | RTFILE_O_DENY_WRITE | RTFILE_O_CREATE); 2824 rc = RTFileOpen(&hFile, pszOut, 2825 RTFILE_O_WRITE | RTFILE_O_DENY_WRITE | (fForce ? RTFILE_O_CREATE_REPLACE : RTFILE_O_CREATE)); 2810 2826 if (RT_SUCCESS(rc)) 2811 2827 { … … 3299 3315 "[--timestamp-date <fake-isots>] " 3300 3316 "[--timestamp-year <fake-year>] " 3301 "[--replace-existing|-r] "3302 3317 "<exe>\n"); 3303 3318 if (enmLevel == RTSIGNTOOLHELP_FULL) … … 3329 3344 { "--add-cert", OPT_ADD_CERT, RTGETOPT_REQ_STRING }, 3330 3345 { "/ac", OPT_ADD_CERT, RTGETOPT_REQ_STRING }, 3346 { "--no-signing-time", OPT_NO_SIGNING_TIME, RTGETOPT_REQ_NOTHING }, 3331 3347 OPT_CERT_KEY_GETOPTDEF_ENTRIES("--", 1000), 3332 3348 OPT_CERT_KEY_GETOPTDEF_COMPAT_ENTRIES( 1000), … … 3343 3359 bool fReplaceExisting = true; 3344 3360 bool fHashPages = false; 3361 bool fNoSigningTime = false; 3345 3362 SignToolKeyPair SigningCertKey("signing", true); 3346 3363 RTCRSTORE hAddCerts = NIL_RTCRSTORE; /* leaked if returning directly (--help, --version) */ … … 3368 3385 case OPT_HASH_PAGES: fHashPages = true; break; 3369 3386 case OPT_NO_HASH_PAGES: fHashPages = false; break; 3387 case OPT_NO_SIGNING_TIME: fNoSigningTime = true; break; 3370 3388 case OPT_ADD_CERT: rcExit2 = HandleOptAddCert(&hAddCerts, ValueUnion.psz); break; 3371 3389 case OPT_TIMESTAMP_TYPE: rcExit2 = HandleOptTimestampType(&fTimestampTypeOld, ValueUnion.psz); break; … … 3389 3407 { 3390 3408 rcExit2 = SignToolPkcs7_AddOrReplaceSignature(&Exe, cVerbosity, enmSigType, fReplaceExisting, fHashPages, 3391 &SigningCertKey, hAddCerts,3409 fNoSigningTime, &SigningCertKey, hAddCerts, 3392 3410 fTimestampTypeOld, SigningTime, &TimestampCertKey); 3393 3411 if (rcExit2 == RTEXITCODE_SUCCESS) … … 3466 3484 { "--add-cert", OPT_ADD_CERT, RTGETOPT_REQ_STRING }, 3467 3485 { "/ac", OPT_ADD_CERT, RTGETOPT_REQ_STRING }, 3486 { "--no-signing-time", OPT_NO_SIGNING_TIME, RTGETOPT_REQ_NOTHING }, 3468 3487 OPT_CERT_KEY_GETOPTDEF_ENTRIES("--", 1000), 3469 3488 OPT_CERT_KEY_GETOPTDEF_COMPAT_ENTRIES( 1000), … … 3479 3498 RTDIGESTTYPE enmSigType = RTDIGESTTYPE_SHA1; 3480 3499 bool fReplaceExisting = true; 3500 bool fNoSigningTime = false; 3481 3501 SignToolKeyPair SigningCertKey("signing", true); 3482 3502 RTCRSTORE hAddCerts = NIL_RTCRSTORE; /* leaked if returning directly (--help, --version) */ … … 3502 3522 case 't': rcExit2 = HandleOptSignatureType(&enmSigType, ValueUnion.psz); break; 3503 3523 case 'a': fReplaceExisting = false; break; 3524 case OPT_NO_SIGNING_TIME: fNoSigningTime = true; break; 3504 3525 case OPT_ADD_CERT: rcExit2 = HandleOptAddCert(&hAddCerts, ValueUnion.psz); break; 3505 3526 case OPT_TIMESTAMP_TYPE: rcExit2 = HandleOptTimestampType(&fTimestampTypeOld, ValueUnion.psz); break; … … 3522 3543 { 3523 3544 rcExit2 = SignToolPkcs7_AddOrReplaceCatSignature(&Cat, cVerbosity, enmSigType, fReplaceExisting, 3524 &SigningCertKey, hAddCerts,3545 fNoSigningTime, &SigningCertKey, hAddCerts, 3525 3546 fTimestampTypeOld, SigningTime, &TimestampCertKey); 3526 3547 if (rcExit2 == RTEXITCODE_SUCCESS) … … 3580 3601 uint32_t cOkay; 3581 3602 const char *pszFilename; 3603 RTTIMESPEC ValidationTime; 3582 3604 } VERIFYEXESTATE; 3583 3605 … … 3768 3790 * We'll try different alternative timestamps here. 3769 3791 */ 3770 struct { RTTIMESPEC TimeSpec; const char *pszDesc; } aTimes[ 2];3792 struct { RTTIMESPEC TimeSpec; const char *pszDesc; } aTimes[3]; 3771 3793 unsigned cTimes = 0; 3794 3795 /* The specified timestamp. */ 3796 if (RTTimeSpecGetSeconds(&pState->ValidationTime) != 0) 3797 { 3798 aTimes[cTimes].TimeSpec = pState->ValidationTime; 3799 aTimes[cTimes].pszDesc = "validation time"; 3800 cTimes++; 3801 } 3772 3802 3773 3803 /* Linking timestamp: */ … … 3776 3806 if (RT_SUCCESS(rc)) 3777 3807 { 3778 RTTimeSpecSetSeconds(&aTimes[ 0].TimeSpec, uLinkingTime);3779 aTimes[ 0].pszDesc = "at link time";3808 RTTimeSpecSetSeconds(&aTimes[cTimes].TimeSpec, uLinkingTime); 3809 aTimes[cTimes].pszDesc = "at link time"; 3780 3810 cTimes++; 3781 3811 } … … 3896 3926 static const RTGETOPTDEF s_aOptions[] = 3897 3927 { 3898 { "--kernel", 'k', RTGETOPT_REQ_NOTHING }, 3899 { "--root", 'r', RTGETOPT_REQ_STRING }, 3900 { "--additional", 'a', RTGETOPT_REQ_STRING }, 3901 { "--add", 'a', RTGETOPT_REQ_STRING }, 3902 { "--type", 't', RTGETOPT_REQ_STRING }, 3903 { "--verbose", 'v', RTGETOPT_REQ_NOTHING }, 3904 { "--quiet", 'q', RTGETOPT_REQ_NOTHING }, 3928 { "--kernel", 'k', RTGETOPT_REQ_NOTHING }, 3929 { "--root", 'r', RTGETOPT_REQ_STRING }, 3930 { "--additional", 'a', RTGETOPT_REQ_STRING }, 3931 { "--add", 'a', RTGETOPT_REQ_STRING }, 3932 { "--type", 't', RTGETOPT_REQ_STRING }, 3933 { "--validation-time", 'T', RTGETOPT_REQ_STRING }, 3934 { "--verbose", 'v', RTGETOPT_REQ_NOTHING }, 3935 { "--quiet", 'q', RTGETOPT_REQ_NOTHING }, 3905 3936 }; 3906 3937 … … 3918 3949 if (RT_FAILURE(rc)) 3919 3950 return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error creating in-memory certificate store: %Rrc", rc); 3951 RTTimeSpecSetSeconds(&State.ValidationTime, 0); 3920 3952 3921 3953 RTGETOPTSTATE GetState; … … 3946 3978 else 3947 3979 return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Unknown signing type: '%s'", ValueUnion.psz); 3980 break; 3981 3982 case 'T': 3983 if (!RTTimeSpecFromString(&State.ValidationTime, ValueUnion.psz)) 3984 return RTMsgErrorExit(RTEXITCODE_SYNTAX, "Invalid validation time (%s): %Rrc", ValueUnion.psz, rc); 3948 3985 break; 3949 3986
Note:
See TracChangeset
for help on using the changeset viewer.
