Changeset 95678 in vbox for trunk/src/VBox

Timestamp:

Jul 17, 2022 11:50:03 AM (2 years ago)

Author:

vboxsync

Message:

RTSignTool: Nested .cat file signatures. bugref:8691

File:

• trunk/src/VBox/Runtime/tools/RTSignTool.cpp (modified) (9 diffs)

trunk/src/VBox/Runtime/tools/RTSignTool.cpp

@@ -172 +172 @@
 typedef struct SIGNTOOLPKCS7
 {
+    /** The file type. */
+    RTSIGNTOOLFILETYPE          enmType;
     /** The raw signature. */
     uint8_t                    *pbBuf;
@@ -908 +910 @@
     RT_ZERO(*pThis);
     pThis->pszFilename = pszFilename;
+    pThis->enmType     = RTSIGNTOOLFILETYPE_CAT;
 
     /*
@@ -1257 +1260 @@
      */
     RT_ZERO(*pThis);
-    pThis->hLdrMod = NIL_RTLDRMOD;
+    pThis->hLdrMod     = NIL_RTLDRMOD;
     pThis->pszFilename = pszFilename;
+    pThis->enmType     = RTSIGNTOOLFILETYPE_EXE;
 
     /*
@@ -2196 +2200 @@
 
 static RTEXITCODE SignToolPkcs7_SignData(SIGNTOOLPKCS7 *pThis, PRTASN1CORE pToSignRoot, SIGNDATATWEAK enmTweak,
-                                         const char *pszContentTypeId, unsigned cVerbosity, RTDIGESTTYPE enmSigType,
-                                         bool fReplaceExisting, bool fNoSigningTime,
+                                         const char *pszContentTypeId, unsigned cVerbosity, uint32_t fExtraFlags,
+                                         RTDIGESTTYPE enmSigType, bool fReplaceExisting, bool fNoSigningTime,
                                          SignToolKeyPair *pSigningCertKey, RTCRSTORE hAddCerts,
                                          bool fTimestampTypeOld, RTTIMESPEC SigningTime, SignToolKeyPair *pTimestampCertKey)
@@ -2238 +2242 @@
                 /*
                  * Ditch the old signature if so desired.
+                 * (It is okay to do this in the CAT case too, as we've already
+                 * encoded the data and won't touch pToSignRoot any more.)
                  */
+                pToSignRoot = NULL; /* (may become invalid if replacing) */
                 if (fReplaceExisting && pThis->pSignedData)
                 {
@@ -2251 +2258 @@
                  * Do the actual signing.
                  */
-                SIGNTOOLPKCS7  Src     = { NULL, 0, NULL };
+                SIGNTOOLPKCS7  Src     = { RTSIGNTOOLFILETYPE_DETECT, NULL, 0, NULL };
                 PSIGNTOOLPKCS7 pSigDst = !pThis->pSignedData ? pThis : &Src;
                 rcExit = SignToolPkcs7_Pkcs7SignStuff("image", pvToSign, cbToSign, &AuthAttribs, hAddCerts,
-                                                      RTCRPKCS7SIGN_SD_F_NO_DATA_ENCAP, enmSigType /** @todo ?? */,
+                                                      fExtraFlags | RTCRPKCS7SIGN_SD_F_NO_DATA_ENCAP, enmSigType /** @todo ?? */,
                                                       pSigningCertKey, cVerbosity,
                                                       (void **)&pSigDst->pbBuf, &pSigDst->cbBuf,
@@ -2569 +2576 @@
                     if (rcExit == RTEXITCODE_SUCCESS)
                         rcExit = SignToolPkcs7_SignData(pThis, RTCrSpcIndirectDataContent_GetAsn1Core(&SpcIndData),
-                                                        kSignDataTweak_NoTweak, RTCRSPCINDIRECTDATACONTENT_OID, cVerbosity,
+                                                        kSignDataTweak_NoTweak, RTCRSPCINDIRECTDATACONTENT_OID, cVerbosity, 0,
                                                         enmSigType, fReplaceExisting, fNoSigningTime, pSigningCertKey, hAddCerts,
                                                         fTimestampTypeOld, SigningTime, pTimestampCertKey);
@@ -2601 +2608 @@
      * Figure out what to sign first.
      */
-    PRTASN1CORE pToSign = &pThis->pSignedData->ContentInfo.Content.Asn1Core;
-    const char *pszType = pThis->pSignedData->ContentInfo.ContentType.szObjId;
+    uint32_t    fExtraFlags = 0;
+    PRTASN1CORE pToSign     = &pThis->pSignedData->ContentInfo.Content.Asn1Core;
+    const char *pszType     = pThis->pSignedData->ContentInfo.ContentType.szObjId;
+
+    if (!fReplaceExisting && pThis->pSignedData->SignerInfos.cItems == 0)
+        fReplaceExisting = true;
     if (!fReplaceExisting)
     {
-        if (pThis->pSignedData->SignerInfos.cItems == 0)
-            fReplaceExisting = false;
-        else
-        {
-            /** @todo figure out nested catalog signatures... It's marked as
-             * pkcs7-data and seems to be empty, i.e. it's detached. */
-            //pszType = RTCR_PKCS7_SIGNED_DATA_OID;
-            AssertFailedReturn(RTMsgErrorExitFailure("nested cat signing not implemented"));
-        }
+        pszType      = RTCR_PKCS7_DATA_OID;
+        fExtraFlags |= RTCRPKCS7SIGN_SD_F_DEATCHED;
     }
 
@@ -2620 +2624 @@
      */
     RTEXITCODE rcExit = SignToolPkcs7_SignData(pThis, pToSign, kSignDataTweak_RootIsParent,
-                                               pszType, cVerbosity, enmSigType, fReplaceExisting,
+                                               pszType, cVerbosity, fExtraFlags, enmSigType, fReplaceExisting,
                                                fNoSigningTime, pSigningCertKey, hAddCerts,
                                                fTimestampTypeOld, SigningTime, pTimestampCertKey);