uthenticode.h

Go to the documentation of this file.

#pragma once
 
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <pe-parse/parse.h>
 
#include <cstdint>
#include <exception>
#include <memory>
#include <optional>
#include <vector>
 
namespace uthenticode {
 
namespace impl {
typedef struct {
  ASN1_OBJECT *type;
  ASN1_TYPE *value;
} Authenticode_SpcAttributeTypeAndOptionalValue;
 
typedef struct {
  X509_ALGOR *digestAlgorithm;
  ASN1_OCTET_STRING *digest;
} Authenticode_DigestInfo;
 
typedef struct {
  Authenticode_SpcAttributeTypeAndOptionalValue *data;
  Authenticode_DigestInfo *messageDigest;
} Authenticode_SpcIndirectDataContent;
 
/* Custom ASN.1 insanity is quarantined to the impl namespace.
 */
DECLARE_ASN1_FUNCTIONS(Authenticode_SpcAttributeTypeAndOptionalValue)
DECLARE_ASN1_FUNCTIONS(Authenticode_DigestInfo)
DECLARE_ASN1_FUNCTIONS(Authenticode_SpcIndirectDataContent)
 
/* OpenSSL defines OPENSSL_free as a macro, which we can't use with decltype.
 * So we wrap it here for use with unique_ptr.
 */
void OpenSSL_free(void *ptr);
 
/* Since OpenSSL 3.0.0 SK_X509_free is defined as a macro, which we can't use with decltype.
 * So we wrap it here for use with unique_ptr.
 */
void SK_X509_free(stack_st_X509 *ptr);
 
/* Convenient self-releasing aliases for libcrypto and custom ASN.1 types.
 */
using BIO_ptr = std::unique_ptr<BIO, decltype(&BIO_free)>;
using ASN1_OBJECT_ptr = std::unique_ptr<ASN1_OBJECT, decltype(&ASN1_OBJECT_free)>;
using ASN1_TYPE_ptr = std::unique_ptr<ASN1_TYPE, decltype(&ASN1_TYPE_free)>;
using OpenSSL_ptr = std::unique_ptr<char, decltype(&OpenSSL_free)>;
using BN_ptr = std::unique_ptr<BIGNUM, decltype(&BN_free)>;
using STACK_OF_X509_ptr = std::unique_ptr<STACK_OF(X509), decltype(&SK_X509_free)>;
 
using SectionList = std::vector<const peparse::bounded_buffer *>;
 
constexpr auto SPC_INDIRECT_DATA_OID = "1.3.6.1.4.1.311.2.1.4";
constexpr auto SPC_NESTED_SIGNATURE_OID = "1.3.6.1.4.1.311.2.4.1";
}  // namespace impl
 
enum class certificate_revision : std::uint16_t {
  CERT_REVISION_1_0 = 0x0100, 
  CERT_REVISION_2_0 = 0x0200, 
};
 
enum class certificate_type : std::uint16_t {
  CERT_TYPE_X509 = 0x0001,             
  CERT_TYPE_PKCS_SIGNED_DATA = 0x0002, 
  CERT_TYPE_RESERVED_1 = 0x0003,       
  CERT_TYPE_PKCS1_SIGN = 0x0009,       
};
 
enum class checksum_kind : std::uint8_t {
  UNKNOWN, 
  MD5,     
  SHA1,    
  SHA256,  
};
 
std::ostream &operator<<(std::ostream &os, checksum_kind kind);
 
using Checksum = std::tuple<checksum_kind, std::string>;
 
struct FormatError : public std::runtime_error {
 public:
  FormatError(const char *msg) : std::runtime_error(msg) {
  }
};
 
class Certificate {
 public:
  friend class SignedData;
 
  const std::string &get_subject() const {
    return subject_;
  }
 
  const std::string &get_issuer() const {
    return issuer_;
  }
 
  const std::string &get_serial_number() const {
    return serial_number_;
  }
 
  /* TODO: Maybe add data_ and get_data(), with data_ populated from i2d_X509.
   */
 
 private:
  Certificate(X509 *cert);
  std::string subject_;
  std::string issuer_;
  std::string serial_number_;
};
 
class SignedData {
 public:
  SignedData(std::vector<std::uint8_t> cert_buf);
  SignedData(SignedData &&s) noexcept;
  SignedData(const SignedData &) = delete;
  ~SignedData();
 
  bool verify_signature() const;
 
  Checksum get_checksum() const;
 
  std::vector<Certificate> get_signers() const;
 
  std::vector<Certificate> get_certificates() const;
 
  std::optional<SignedData> get_nested_signed_data() const;
 
 private:
  impl::Authenticode_SpcIndirectDataContent *get_indirect_data() const;
 
  std::vector<std::uint8_t> cert_buf_;
  PKCS7 *p7_{nullptr};
  impl::Authenticode_SpcIndirectDataContent *indirect_data_{nullptr};
};
 
class WinCert {
 public:
  WinCert(certificate_revision revision, certificate_type type, std::vector<std::uint8_t> cert_buf)
      : revision_(revision), type_(type), cert_buf_(cert_buf) {
  }
 
  std::size_t get_length() const {
    return cert_buf_.size();
  }
 
  certificate_revision get_revision() const {
    return revision_;
  }
 
  certificate_type get_type() const {
    return type_;
  }
 
  std::optional<SignedData> as_signed_data() const;
 
 private:
  certificate_revision revision_;
  certificate_type type_;
  std::vector<std::uint8_t> cert_buf_;
};
 
std::vector<WinCert> read_certs(peparse::parsed_pe *pe);
 
std::vector<Checksum> get_checksums(peparse::parsed_pe *pe);
 
std::optional<std::string> calculate_checksum(peparse::parsed_pe *pe, checksum_kind kind);
 
bool verify(peparse::parsed_pe *pe);
 
}  // namespace uthenticode