Add CMS Implimentation and support of Windows Autheticode Code Signing #83
Conversation
- Remove hardcoded sha256 hash alog in into_win_certificate func - Intermediate certificate is a signer certificate - SignedData::certificates should contain leaf and any intermediate certificates, but doesn't contain the root certificate - Add support of default Certificate::version field processing while deserializing and serializing - Replace SpcLink::File AplicationTag2 with ContextTag2 - Add new_rsa_encypthion_with_sha func to AlgorithmIdentifier
- Add padding processing to the WinCertificate::certificat vector - Add ApplicationTag0 to SpcImageData::SpcLink as otherwise Authenticode singature is invalid - Documentation and general renaming according to the CMS RFC
RRRadicalEdward
force-pushed
the
authenticode
branch
from
bb9bc91
to
8ccabc8
Compare
picky-asn1/src/restricted_string.rs
Outdated
| @@ -285,4 +305,14 @@ mod tests { | |||
| fn valid_utf8_string() { | |||
| Utf8String::from_str("1224na÷日本語はむずかちー−×—«BUeisuteurnt").expect("invalid string"); | |||
| } | |||
|
|
|||
| #[test] | |||
| fn valid_unicode_string() { | |||
There was a problem hiding this comment.
| fn valid_unicode_string() { | |
| fn valid_bmp_string() { |
picky-asn1/src/restricted_string.rs
Outdated
| } | ||
|
|
||
| #[test] | ||
| fn invalid_unicode_string() { |
There was a problem hiding this comment.
| fn invalid_unicode_string() { | |
| fn invalid_bmp_string() { |
picky-asn1-x509/Cargo.toml
Outdated
| @@ -21,6 +21,7 @@ serde = { version = "1.0", features = ["derive"] } | |||
| oid = { version = "0.2", features = ["serde_support"] } | |||
| base64 = "0.13" | |||
| num-bigint-dig = { version = "0.7", optional = true } | |||
| widestring = "0.4.3" | |||
There was a problem hiding this comment.
Disable unused features:
| widestring = "0.4.3" | |
| widestring = { version = "0.4", default-features = false } |
(also we don't specify patch version number in this repo)
picky-asn1-x509/Cargo.toml
Outdated
| @@ -21,6 +21,7 @@ serde = { version = "1.0", features = ["derive"] } | |||
| oid = { version = "0.2", features = ["serde_support"] } | |||
| base64 = "0.13" | |||
| num-bigint-dig = { version = "0.7", optional = true } | |||
| widestring = "0.4.3" | |||
There was a problem hiding this comment.
Put this behind a pkcs7 feature for now
picky-asn1-x509/src/oids.rs
Outdated
| PKCS7 => pkcs7 => "1.2.840.113549.1.7.1", | ||
| SIGNED_DATA => signed_data => "1.2.840.113549.1.7.2", | ||
| CONTENT_TYPE => content_type => "1.2.840.113549.1.9.3", | ||
| MESSAGE_DIGEST => message_digest => "1.2.840.113549.1.9.4", |
There was a problem hiding this comment.
Move this under the // RSADSI comment in increasing order
| /// SpcAttributeTypeAndOptionalValue ::= SEQUENCE { | ||
| /// type ObjectID, | ||
| /// value [0] EXPLICIT ANY OPTIONAL | ||
| /// } |
There was a problem hiding this comment.
This should be the docstring of SpcAttributeAndOptionalValue
| /// SpcLink ::= CHOICE { | ||
| /// url [0] IMPLICIT IA5STRING, | ||
| /// moniker [1] IMPLICIT SpcSerializedObject, | ||
| /// file [2] EXPLICIT SpcString | ||
| /// } --#public-- |
| /// SpcString ::= CHOICE { | ||
| /// unicode [0] IMPLICIT BMPSTRING, | ||
| /// ascii [1] IMPLICIT IA5STRING | ||
| /// } |
| /// SpcPeImageFlags ::= BIT STRING { | ||
| /// includeResources (0), | ||
| /// includeDebugInfo (1), | ||
| /// includeImportAddressTable (2) | ||
| /// } |
There was a problem hiding this comment.
In SpcPeImageFlags's docstring.
picky-asn1-x509/src/pkcs7/crls.rs
Outdated
| /// RevocationInfoChoice ::= CHOICE { | ||
| /// crl CertificateList, | ||
| /// other [1] IMPLICIT OtherRevocationInfoFormat } | ||
| /// | ||
| /// OtherRevocationInfoFormat ::= SEQUENCE { | ||
| /// otherRevInfoFormat OBJECT IDENTIFIER, | ||
| /// otherRevInfo ANY DEFINED BY otherRevInfoFormat } | ||
| /// ``` |
picky-asn1/src/restricted_string.rs
Outdated
| let buffer = data | ||
| .chunks_exact(2) | ||
| .into_iter() | ||
| .map(|elem| u16::from_be_bytes([elem[1], elem[0]])) | ||
| .collect::<Vec<u16>>(); | ||
|
|
||
| String::from_utf16(buffer.as_ref()).is_ok() |
There was a problem hiding this comment.
Oops, I didn't realize it got stabilized recently. I'll update wayk-builders so it builds, no problem.
| /// TBSCertList ::= SEQUENCE { | ||
| /// version Version OPTIONAL, | ||
| /// -- if present, MUST be v2 | ||
| /// signature AlgorithmIdentifier, | ||
| /// issuer Name, | ||
| /// thisUpdate Time, | ||
| /// nextUpdate Time OPTIONAL, | ||
| /// revokedCertificates SEQUENCE OF SEQUENCE { | ||
| /// userCertificate CertificateSerialNumber, | ||
| /// revocationDate Time, | ||
| /// crlEntryExtensions Extensions OPTIONAL | ||
| /// -- if present, version MUST be v2 | ||
| /// } OPTIONAL, | ||
| /// crlExtensions [0] EXPLICIT Extensions OPTIONAL | ||
| /// -- if present, version MUST be v2 | ||
| /// } | ||
| /// ``` |
There was a problem hiding this comment.
Sorry, maybe I missed in the first review, but this one should be in the docstring of TBSCertList
| /// DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier | ||
| /// | ||
| /// SignerInfos ::= SET OF SignerInfo |
| /// SignerIdentifier ::= CHOICE { | ||
| /// issuerAndSerialNumber IssuerAndSerialNumber, | ||
| /// subjectKeyIdentifier [0] SubjectKeyIdentifier } | ||
| /// | ||
| /// SignedAttributes ::= SET SIZE (1..MAX) OF Attribute | ||
| /// | ||
| /// UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute | ||
| /// | ||
| /// SignatureValue ::= OCTET STRING |
There was a problem hiding this comment.
Same as above (if we define a type)
| @@ -29,6 +47,39 @@ impl From<HashAlgorithm> for rsa::Hash { | |||
| } | |||
| } | |||
| } | |||
| impl TryFrom<HashAlgorithm> for SHAVariant { | |||
There was a problem hiding this comment.
| impl TryFrom<HashAlgorithm> for SHAVariant { | |
| impl TryFrom<HashAlgorithm> for SHAVariant { |
| @@ -126,6 +126,11 @@ | |||
| //!# Ok(()) | |||
| //!# } | |||
| //! ``` | |||
| #[cfg(feature = "pkcs7")] | |||
There was a problem hiding this comment.
| #[cfg(feature = "pkcs7")] | |
| #[cfg(feature = "pkcs7")] |
picky/src/pem.rs
Outdated
| #[cfg(not(windows))] | ||
| // This test should not run on Windows. writeln! add `/r` ending character to Pem in String format on Windows targets. |
There was a problem hiding this comment.
| #[cfg(not(windows))] | |
| // This test should not run on Windows. writeln! add `/r` ending character to Pem in String format on Windows targets. | |
| // This test should not run on Windows. writeln! add `/r` ending character to Pem in String format on Windows targets. | |
| #[cfg(not(windows))] |
picky/src/x509/pkcs7.rs
Outdated
| pub const AUTHENTICODE_ATTRIBUTES_COUNT: usize = 3; | ||
|
|
There was a problem hiding this comment.
We probably don't need that at all? Is that something you use in consumer code?
| pub const AUTHENTICODE_ATTRIBUTES_COUNT: usize = 3; |
There was a problem hiding this comment.
Yes, We don't need it. I forget to remove it.
| #[error("Certificates must contain at least Leaf and Intermediate certificates, but got no certificates")] | ||
| NoCertificates, | ||
| } | ||
| const PKCS7_PEM_LABEL: &str = "PKCS7"; |
There was a problem hiding this comment.
| const PKCS7_PEM_LABEL: &str = "PKCS7"; | |
| const PKCS7_PEM_LABEL: &str = "PKCS7"; |
|
@CBenoit I resolved the latest issues. Is there still something that blocks the merging that I missed? 🙂 |
Thank you for the review. picky is awesome. |
|
@awakecoding Could you approve this PR? |
|
@CBenoit Could you merge it? Seems like I cannot merge because of falling CI checks. |
|
@RRRadicalEdward Benoit has been working on fixing the CI with the Rust update, it should be updated soon |
|
CI is green! |
References: