From 3a8e25e5bbf87ea5b57bbd426db2b52dfa69cd8f Mon Sep 17 00:00:00 2001 From: olszomal Date: Mon, 16 Dec 2024 12:58:20 +0100 Subject: [PATCH] Added support for multiple OID types in signer info attribute --- cat.c | 37 ++++++++++++++++++++++++++----------- helpers.c | 2 +- 2 files changed, 27 insertions(+), 12 deletions(-) diff --git a/cat.c b/cat.c index 391a0a3..17c0553 100644 --- a/cat.c +++ b/cat.c @@ -55,8 +55,8 @@ FILE_FORMAT file_format_cat = { /* Prototypes */ static CAT_CTX *cat_ctx_get(char *indata, uint32_t filesize); -static int cat_add_ms_ctl_object(PKCS7 *p7); -static int cat_sign_ms_ctl_content(PKCS7 *p7, PKCS7 *contents); +static int cat_add_content_type(PKCS7 *p7, PKCS7 *cursig); +static int cat_sign_content(PKCS7 *p7, PKCS7 *contents); static int cat_list_content(PKCS7 *p7); static int cat_print_content_member_digest(ASN1_TYPE *content); static int cat_print_content_member_name(ASN1_TYPE *content); @@ -161,17 +161,17 @@ static PKCS7 *cat_pkcs7_signature_new(FILE_FORMAT_CTX *ctx, BIO *hash) fprintf(stderr, "Creating a new signature failed\n"); return NULL; /* FAILED */ } - if (!cat_add_ms_ctl_object(p7)) { - fprintf(stderr, "Adding MS_CTL_OBJID failed\n"); + if (!ctx->cat_ctx->p7 || !ctx->cat_ctx->p7->d.sign || !ctx->cat_ctx->p7->d.sign->contents) { + fprintf(stderr, "Failed to get content\n"); PKCS7_free(p7); return NULL; /* FAILED */ } - if (!ctx->cat_ctx->p7 || !ctx->cat_ctx->p7->d.sign || !ctx->cat_ctx->p7->d.sign->contents) { - fprintf(stderr, "Failed to get content\n"); + if (!cat_add_content_type(p7, ctx->cat_ctx->p7)) { + fprintf(stderr, "Adding content type failed\n"); PKCS7_free(p7); return NULL; /* FAILED */ } - if (!cat_sign_ms_ctl_content(p7, ctx->cat_ctx->p7->d.sign->contents)) { + if (!cat_sign_content(p7, ctx->cat_ctx->p7->d.sign->contents)) { fprintf(stderr, "Failed to set signed content\n"); PKCS7_free(p7); return NULL; /* FAILED */ @@ -251,15 +251,30 @@ static CAT_CTX *cat_ctx_get(char *indata, uint32_t filesize) } /* - * Add "1.3.6.1.4.1.311.10.1" MS_CTL_OBJID signed attribute + * Add a content type OID to the PKCS#7 signature structure. + * The content type can be: + * - "1.3.6.1.4.1.311.10.1" (MS_CTL_OBJID) for Certificate Trust Lists (CTL), + * - "1.3.6.1.4.1.311.2.1.4" (SPC_INDIRECT_DATA_OBJID) for Authenticode data. * [in, out] p7: new PKCS#7 signature + * [in] cursig: current PKCS#7 signature to determine content type * [returns] 0 on error or 1 on success */ -static int cat_add_ms_ctl_object(PKCS7 *p7) +static int cat_add_content_type(PKCS7 *p7, PKCS7 *cursig) { + const char *content_type; STACK_OF(PKCS7_SIGNER_INFO) *signer_info; PKCS7_SIGNER_INFO *si; + if (is_content_type(cursig, SPC_INDIRECT_DATA_OBJID)) { + /* Authenticode content */ + content_type = SPC_INDIRECT_DATA_OBJID; + } else if (is_content_type(cursig, MS_CTL_OBJID)) { + /* Certificate Trust List (CTL) */ + content_type = MS_CTL_OBJID; + } else { + fprintf(stderr, "Unsupported content type\n"); + return 0; /* FAILED */ + } signer_info = PKCS7_get_signer_info(p7); if (!signer_info) return 0; /* FAILED */ @@ -267,7 +282,7 @@ static int cat_add_ms_ctl_object(PKCS7 *p7) if (!si) return 0; /* FAILED */ if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, - V_ASN1_OBJECT, OBJ_txt2obj(MS_CTL_OBJID, 1))) + V_ASN1_OBJECT, OBJ_txt2obj(content_type, 1))) return 0; /* FAILED */ return 1; /* OK */ } @@ -280,7 +295,7 @@ static int cat_add_ms_ctl_object(PKCS7 *p7) * [in] contents: Certificate Trust List (CTL) * [returns] 0 on error or 1 on success */ -static int cat_sign_ms_ctl_content(PKCS7 *p7, PKCS7 *contents) +static int cat_sign_content(PKCS7 *p7, PKCS7 *contents) { u_char *content; int seqhdrlen, content_length; diff --git a/helpers.c b/helpers.c index d64b249..15dd6b0 100644 --- a/helpers.c +++ b/helpers.c @@ -461,7 +461,7 @@ void print_hash(const char *descript1, const char *descript2, const u_char *mdbu } /* - * [in] p7: new PKCS#7 signature + * [in] p7: PKCS#7 signature * [in] objid: Microsoft OID Authenticode * [returns] 0 on error or 1 on success */