Add parsing of the PE Authenticode format

include/retdec/fileformat/types/certificate_table/certificate.h

@@ -1,7 +1,7 @@
 /**
  * @file include/retdec/fileformat/types/certificate_table/certificate.h
  * @brief Class for one certificate.
- * @copyright (c) 2017 Avast Software, licensed under the MIT license
+ * @copyright (c) 2021 Avast Software, licensed under the MIT license
  */
 
 #ifndef RETDEC_FILEFORMAT_TYPES_CERTIFICATE_TABLE_CERTIFICATE_H

include/retdec/fileformat/types/certificate_table/certificate_table.h

@@ -1,7 +1,7 @@
 /**
  * @file include/retdec/fileformat/types/certificate_table/certificate_table.h
  * @brief Class for certificate table.
- * @copyright (c) 2017 Avast Software, licensed under the MIT license
+ * @copyright (c) 2021 Avast Software, licensed under the MIT license
  */
 
 #ifndef RETDEC_FILEFORMAT_TYPES_CERTIFICATE_TABLE_CERTIFICATE_TABLE_H
@@ -14,51 +14,47 @@
 namespace retdec {
 namespace fileformat {
 
+struct Signer
+{
+	std::vector<Certificate> chain;
+	/*
+	"A countersignature, since it has type SignerInfo, can itself
+	contain a countersignature attribute.  Thus it is possible to
+	construct arbitrarily long series of countersignatures.""
+	https://tools.ietf.org/html/rfc2985
+	*/
+	std::string signingTime; /* Timestamp counter signatures will have this set */
+	std::string digest;
+	std::string digestAlgorithm;
+	std::vector<std::string> warnings; /* warning messages about the content validity */
+	std::vector<Signer> counterSigners;
+};
+
+/* naming - "Signature" was already taken by unpackers */
+struct DigitalSignature
+{
+	std::string fileDigest;
+	std::string signedDigest;
+	std::string digestAlgorithm;
+	std::string programName;
+	std::vector<Certificate> certificates;
+	std::vector<std::string> warnings; /* warning messages about the content validity */
+	Signer signer;
+};
+
 /**
  * Table of certificates
+ * Currently PE - Authenticode specific structure (PKCS7)
  */
 class CertificateTable
 {
-	private:
-		using certificatesIterator = std::vector<Certificate>::const_iterator;
-		/// flag indicating whether signer is present
-		bool hasSigner = false;
-		/// flag indicating whether counter signer is present
-		bool hasCounterSigner = false;
-		/// index of certificate of the signer
-		std::size_t signerIndex = 0;
-		/// index of certificate of the counter-signer
-		std::size_t counterSignerIndex = 0;
-		/// stored certificates
-		std::vector<Certificate> certificates;
-	public:
-		/// @name Getters
-		/// @{
-		std::size_t getNumberOfCertificates() const;
-		std::size_t getSignerCertificateIndex() const;
-		std::size_t getCounterSignerCertificateIndex() const;
-		const Certificate* getCertificate(std::size_t certIndex) const;
-		/// @}
-
-		/// @name Setters
-		/// @{
-		void setSignerCertificateIndex(std::size_t certIndex);
-		void setCounterSignerCertificateIndex(std::size_t certIndex);
-		/// @}
-
-		/// @name Iterators
-		/// @{
-		certificatesIterator begin() const;
-		certificatesIterator end() const;
-		/// @}
+public:
+	std::vector<DigitalSignature> signatures;
 
-		/// @name Other methods
-		/// @{
-		bool hasSignerCertificate() const;
-		bool hasCounterSignerCertificate() const;
-		void addCertificate(const Certificate &certificate);
-		bool empty() const;
-		/// @}
+	CertificateTable(std::vector<DigitalSignature> signatures);
+	CertificateTable() = default;
+	std::size_t signatureCount() const { return signatures.size(); }
+	bool empty() const;
 };
 
 } // namespace fileformat

src/fileformat/CMakeLists.txt

@@ -70,6 +70,13 @@ add_library(fileformat STATIC
 	types/tls_info/tls_info.cpp
 	file_format/pe/pe_format.cpp
 	file_format/pe/pe_dll_list.cpp
+	file_format/pe/authenticode/authenticode.cpp
+	file_format/pe/authenticode/pkcs9_counter_signature.cpp
+	file_format/pe/authenticode/ms_counter_signature.cpp
+	file_format/pe/authenticode/pkcs7_signature.cpp
+	file_format/pe/authenticode/x509_certificate.cpp
+	file_format/pe/authenticode/helper.cpp
+	file_format/pe/authenticode/authenticode_structs.cpp
 	file_format/coff/coff_format.cpp
 	file_format/intel_hex/intel_hex_parser/intel_hex_tokenizer.cpp
 	file_format/intel_hex/intel_hex_parser/intel_hex_parser.cpp

src/fileformat/file_format/pe/authenticode/authenticode.cpp

@@ -0,0 +1,18 @@
+/**
+ * @file src/fileformat/file_format/pe/authenticode/authenticode.cpp
+ * @brief Class that parses PE Authenticode data
+ * @copyright (c) 2021 Avast Software, licensed under the MIT license
+ */
+
+#include "authenticode.h"
+
+namespace authenticode {
+Authenticode::Authenticode(const std::vector<unsigned char>& data)
+	: pkcs7(data) {}
+
+std::vector<DigitalSignature> Authenticode::getSignatures(const retdec::fileformat::PeFormat* peFile) const
+{
+	return pkcs7.getSignatures(peFile);
+}
+
+} // namespace authenticode

src/fileformat/file_format/pe/authenticode/authenticode.h

@@ -0,0 +1,42 @@
+/**
+ * @file src/fileformat/file_format/pe/authenticode/authenticode.h
+ * @brief Class that parses PE Authenticode data
+ * @copyright (c) 2021 Avast Software, licensed under the MIT license
+ */
+
+#pragma once
+
+#include "retdec/fileformat/types/certificate_table/certificate_table.h"
+
+#include "authenticode_structs.h"
+#include "pkcs7_signature.h"
+
+#include <openssl/bn.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/ocsp.h>
+#include <openssl/pkcs7.h>
+#include <openssl/ts.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#include <vector>
+#include <string>
+#include <cstdint>
+#include <ctime>
+
+using retdec::fileformat::DigitalSignature;
+
+namespace authenticode {
+
+class Authenticode
+{
+private:
+	Pkcs7Signature pkcs7;
+
+public:
+	Authenticode(const std::vector<unsigned char>& data);
+	std::vector<DigitalSignature> getSignatures(const retdec::fileformat::PeFormat* peFile) const;
+};
+
+} // namespace authenticode

src/fileformat/file_format/pe/authenticode/authenticode_structs.cpp

@@ -0,0 +1,72 @@
+/**
+ * @file src/fileformat/file_format/pe/authenticode/authenticode_structs.cpp
+ * @brief Defines custom OpenSSL objects and functions
+ * @copyright (c) 2021 Avast Software, licensed under the MIT license
+ * @author Marek Milkovič - metthal
+ */
+
+/* Author #Metthal */
+
+#include "authenticode_structs.h"
+
+/* 
+   These are types from "Windows Authenticode Portable Executable Signature Format"
+   https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx
+   Some of them are changed a little bit because the documentation did not reflect the reality
+*/
+
+ASN1_CHOICE(SpcString) = {
+	ASN1_IMP_OPT(SpcString, value.unicode, ASN1_BMPSTRING, 0),
+	ASN1_IMP_OPT(SpcString, value.ascii, ASN1_IA5STRING, 1)
+} ASN1_CHOICE_END(SpcString)
+
+ASN1_SEQUENCE(SpcSerializedObject) = {
+	ASN1_SIMPLE(SpcSerializedObject, classId, ASN1_OCTET_STRING),
+	ASN1_SIMPLE(SpcSerializedObject, serializedData, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(SpcSerializedObject)
+
+ASN1_CHOICE(SpcLink) = {
+	ASN1_IMP_OPT(SpcLink, value.url, ASN1_IA5STRING, 0),
+	ASN1_IMP_OPT(SpcLink, value.moniker, SpcSerializedObject, 1),
+	ASN1_EXP_OPT(SpcLink, value.file, SpcString, 2)
+} ASN1_CHOICE_END(SpcLink)
+
+ASN1_SEQUENCE(SpcAttributeTypeAndOptionalValue) = {
+	ASN1_SIMPLE(SpcAttributeTypeAndOptionalValue, type, ASN1_OBJECT),
+	ASN1_OPT(SpcAttributeTypeAndOptionalValue, value, ASN1_ANY)
+} ASN1_SEQUENCE_END(SpcAttributeTypeAndOptionalValue)
+
+ASN1_SEQUENCE(SpcPeImageData) = {
+	ASN1_SIMPLE(SpcPeImageData, flags, ASN1_BIT_STRING),
+	ASN1_EXP_OPT(SpcPeImageData, file, SpcLink, 0)
+} ASN1_SEQUENCE_END(SpcPeImageData)
+
+ASN1_SEQUENCE(AlgorithmIdentifier) = {
+	ASN1_SIMPLE(AlgorithmIdentifier, algorithm, ASN1_OBJECT),
+	ASN1_OPT(AlgorithmIdentifier, parameters, ASN1_ANY)
+} ASN1_SEQUENCE_END(AlgorithmIdentifier)
+
+ASN1_SEQUENCE(DigestInfo) = {
+	ASN1_SIMPLE(DigestInfo, digestAlgorithm, AlgorithmIdentifier),
+	ASN1_SIMPLE(DigestInfo, digest, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(DigestInfo)
+
+ASN1_SEQUENCE(SpcIndirectDataContent) = {
+	ASN1_SIMPLE(SpcIndirectDataContent, data, SpcAttributeTypeAndOptionalValue),
+	ASN1_SIMPLE(SpcIndirectDataContent, messageDigest, DigestInfo)
+} ASN1_SEQUENCE_END(SpcIndirectDataContent)
+
+ASN1_SEQUENCE(SpcSpOpusInfo) = {
+	ASN1_EXP_OPT(SpcSpOpusInfo, programName, SpcString, 0),
+	ASN1_EXP_OPT(SpcSpOpusInfo, moreInfo, SpcLink, 1)
+} ASN1_SEQUENCE_END(SpcSpOpusInfo)
+
+IMPLEMENT_ASN1_FUNCTIONS(SpcString)
+IMPLEMENT_ASN1_FUNCTIONS(SpcSerializedObject)
+IMPLEMENT_ASN1_FUNCTIONS(SpcLink)
+IMPLEMENT_ASN1_FUNCTIONS(SpcAttributeTypeAndOptionalValue)
+IMPLEMENT_ASN1_FUNCTIONS(SpcPeImageData)
+IMPLEMENT_ASN1_FUNCTIONS(AlgorithmIdentifier)
+IMPLEMENT_ASN1_FUNCTIONS(DigestInfo)
+IMPLEMENT_ASN1_FUNCTIONS(SpcIndirectDataContent)
+IMPLEMENT_ASN1_FUNCTIONS(SpcSpOpusInfo)

src/fileformat/file_format/pe/authenticode/authenticode_structs.h

@@ -0,0 +1,95 @@
+/**
+ * @file src/fileformat/file_format/pe/authenticode/authenticode_structs.h
+ * @brief Declares custom OpenSSL objects and functions
+ * @copyright (c) 2021 Avast Software, licensed under the MIT license
+ * @author Marek Milkovič - metthal
+ */
+
+#pragma once
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/ossl_typ.h>
+#include <openssl/x509v3.h>
+
+/* 
+   These are types from "Windows Authenticode Portable Executable Signature Format"
+   https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx
+   Some of them are changed a little bit because the documentation did not reflect the reality
+*/
+struct SpcString
+{
+	int type;
+	union {
+		ASN1_BMPSTRING* unicode;
+		ASN1_IA5STRING* ascii;
+	} value;
+};
+
+struct SpcSerializedObject
+{
+	ASN1_OCTET_STRING* classId;
+	ASN1_OCTET_STRING* serializedData;
+};
+
+struct SpcLink
+{
+	int type;
+	union {
+		ASN1_IA5STRING* url;
+		SpcSerializedObject* moniker;
+		SpcString* file;
+	} value;
+};
+
+struct SpcAttributeTypeAndOptionalValue
+{
+	ASN1_OBJECT* type;
+	ASN1_TYPE* value;
+};
+
+struct SpcPeImageData
+{
+	ASN1_BIT_STRING* flags;
+	SpcLink* file;
+};
+
+struct AlgorithmIdentifier
+{
+	ASN1_OBJECT* algorithm;
+	ASN1_TYPE* parameters;
+};
+
+struct DigestInfo
+{
+	AlgorithmIdentifier* digestAlgorithm;
+	ASN1_OCTET_STRING* digest;
+};
+
+struct SpcIndirectDataContent
+{
+	SpcAttributeTypeAndOptionalValue* data;
+	DigestInfo* messageDigest;
+};
+
+struct SpcContentInfo
+{
+	ASN1_OBJECT* contentType;
+	SpcIndirectDataContent* content;
+};
+struct SpcSpOpusInfo
+{
+	SpcString* programName;
+	SpcLink* moreInfo;
+};
+
+DECLARE_ASN1_FUNCTIONS(SpcString)
+DECLARE_ASN1_FUNCTIONS(SpcSerializedObject)
+DECLARE_ASN1_FUNCTIONS(SpcLink)
+DECLARE_ASN1_FUNCTIONS(SpcAttributeTypeAndOptionalValue)
+DECLARE_ASN1_FUNCTIONS(SpcPeImageData)
+DECLARE_ASN1_FUNCTIONS(AlgorithmIdentifier)
+DECLARE_ASN1_FUNCTIONS(DigestInfo)
+DECLARE_ASN1_FUNCTIONS(SpcIndirectDataContent)
+DECLARE_ASN1_FUNCTIONS(SpcSpOpusInfo)
+DECLARE_ASN1_FUNCTIONS(SpcContentInfo)