CRL support with new CRLfile global option (mtrojnar#28)

Author: olszomal

TODO.md

@@ -1,8 +1,5 @@
 - signature extraction/removal/verificaton on MSI/CAB files
-- improved signature verification on PE files
 - clean up / untangle code
 - separate timestamping
-- man page
 - remove mmap usage to increase portability
-- tests
 - fix other stuff marked 'XXX'

osslsigncode.c

@@ -47,6 +47,38 @@ TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
       2>> "makecerts.log" 1>&2'
 test_result $?
 
+printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
+$OPENSSL genrsa -des3 -out demoCA/private.key -passout pass:$password \
+    2>> "makecerts.log" 1>&2
+test_result $?
+cat demoCA/private.key >> tmp/keyp.pem 2>> "makecerts.log"
+
+printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log"
+$OPENSSL rsa -in demoCA/private.key -passin pass:$password -out tmp/key.pem \
+    2>> "makecerts.log" 1>&2
+test_result $?
+
+printf "\nGenerate a certificate to revoke\n" >> "makecerts.log"
+$OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:$password -out demoCA/revoked.csr \
+    -subj "/C=PL/O=osslsigncode/OU=CA/CN=revoked/emailAddress=revoked@example.com" \
+    2>> "makecerts.log" 1>&2
+$OPENSSL ca -config $CONF -batch -in demoCA/revoked.csr -out demoCA/revoked.cer \
+    2>> "makecerts.log" 1>&2
+$OPENSSL x509 -in demoCA/revoked.cer -out tmp/revoked.pem \
+    2>> "makecerts.log" 1>&2
+
+printf "\nRevoke above certificate\n" >> "makecerts.log"
+$OPENSSL ca -config $CONF -revoke demoCA/1000.pem \
+    2>> "makecerts.log" 1>&2
+
+printf "\nGenerate CRL file\n" >> "makecerts.log"
+TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+  script_path=$(pwd)
+  OPENSSL=openssl
+  CONF="${script_path}/openssltest.cnf"
+  $OPENSSL ca -config $CONF -gencrl -crldays 8766 -out tmp/CACertCRL.pem \
+      2>> "makecerts.log" 1>&2'
+
 printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log"
 $OPENSSL genrsa -out demoCA/cross.key \
     2>> "makecerts.log" 1>&2
@@ -59,17 +91,6 @@ $OPENSSL req -config $CONF -new -x509 -days 900 -key demoCA/cross.key -out tmp/c
     2>> "makecerts.log" 1>&2'
 test_result $?
 
-printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
-$OPENSSL genrsa -des3 -out demoCA/private.key -passout pass:$password \
-    2>> "makecerts.log" 1>&2
-test_result $?
-cat demoCA/private.key >> tmp/keyp.pem 2>> "makecerts.log"
-
-printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log"
-$OPENSSL rsa -in demoCA/private.key -passin pass:$password -out tmp/key.pem \
-    2>> "makecerts.log" 1>&2
-test_result $?
-
 printf "\nGenerate code signing certificate\n" >> "makecerts.log"
 $OPENSSL req -config $CONF -new -key demoCA/private.key -passin pass:$password -out demoCA/cert.csr \
     -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CA/CN=localhost/emailAddress=osslsigncode@example.com" \
@@ -116,6 +137,7 @@ test_result $?
 
 # copy new files
 if [ -s tmp/CACert.pem ] && [ -s tmp/crosscert.pem ] && [ -s tmp/expired.pem ] && [ -s tmp/cert.pem ] && \
+    [ -s tmp/CACertCRL.pem ] && [ -s tmp/revoked.pem ] && \
     [ -s tmp/key.pem ] && [ -s tmp/keyp.pem ] && [ -s tmp/key.der ] && \
     [ -s tmp/cert.der ] && [ -s tmp/cert.spc ] && [ -s tmp/cert.p12 ]
   then

tests/certs/makecerts.sh

@@ -11,6 +11,7 @@ if [ -s "test.exe" ]
   then
     ../../osslsigncode attach-signature -sigin "sign_pe.pem" \
         -CAfile "${script_path}/../certs/CACert.pem" \
+        -CRLfile "${script_path}/../certs/CACertCRL.pem" \
         -in "test.exe" -out "test_321.exe"
     verify_signature "$?" "321" "exe" "success" "@2019-09-01 12:00:00" \
 	"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
@@ -29,6 +30,7 @@ if [ -s "sample.msi" ]
   then
     ../../osslsigncode attach-signature -sigin "sign_msi.pem" \
         -CAfile "${script_path}/../certs/CACert.pem" \
+        -CRLfile "${script_path}/../certs/CACertCRL.pem" \
         -in "sample.msi" -out "test_322.msi"
     verify_signature "$?" "322" "msi" "success" "@2019-09-01 12:00:00" \
 	"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"

tests/recipes/32_attach_signature

@@ -13,15 +13,8 @@ if [ -s "test.exe" ]
         -st "1556668800" \
         -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
         -in "test.exe" -out "test_401.exe"
-    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
-        printf "Verify time: " && date && printf "\n"
-        script_path=$(pwd)
-        ../../osslsigncode verify -CAfile "${script_path}/../certs/CACert.pem" -in "test_401.exe" \
-            -require-leaf-hash SHA256:$(sha256sum "${script_path}/../certs/cert.der" | cut -d" " -f1)'
-    if test_result "$?" "$test_name"
-      then
-        rm -f "test_401.exe"
-      fi
+    verify_leaf_hash "$?" "401" "exe" "@2019-05-01 00:00:00"
+    test_result "$?" "$test_name"
   else
     printf "Test skipped\n"
   fi
@@ -30,23 +23,16 @@ if [ -s "test.exe" ]
 # Command is not supported for non-PE/non-MSI files
 
 # MSI file
-test_name="402. Compare the leaf certificate hash against specified SHA256 message digest for the MSI file"
+test_name="403. Compare the leaf certificate hash against specified SHA256 message digest for the MSI file"
 printf "\n%s\n" "$test_name"
 if [ -s "sample.msi" ]
   then
     ../../osslsigncode sign -h sha256 \
         -st "1556668800" \
         -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
-        -in "sample.msi" -out "test_402.msi"
-    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
-        printf "Verify time: " && date && printf "\n"
-        script_path=$(pwd)
-        ../../osslsigncode verify -CAfile "${script_path}/../certs/CACert.pem" -in "test_402.msi" \
-            -require-leaf-hash SHA256:$(sha256sum "${script_path}/../certs/cert.der" | cut -d" " -f1)'
-    if test_result "$?" "$test_name"
-      then
-        rm -f "test_402.msi"
-      fi
+        -in "sample.msi" -out "test_403.msi"
+    verify_leaf_hash "$?" "403" "msi" "@2019-05-01 00:00:00"
+    test_result "$?" "$test_name"
   else
     printf "Test skipped\n"
   fi

tests/recipes/40_verify_leaf_hash

@@ -0,0 +1,45 @@
+#!/bin/sh
+# Verify PE/MSI file signed with the revoked cert.
+
+. $(dirname $0)/../test_library
+
+# PE file
+test_name="551. Verify PE file signed with the revoked cert"
+printf "\n%s\n" "$test_name"
+if [ -s "test.exe" ] && ! grep -q "no libcurl available" "results.log"
+  then
+    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
+        script_path=$(pwd)
+        ../../osslsigncode sign -h sha256 \
+            -certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \
+            -ts http://time.certum.pl/ \
+            -in "test.exe" -out "test_551.exe" 2>> "results.log" 1>&2'
+    verify_signature "$?" "551" "exe" "fail" "@2019-09-01 12:00:00" \
+	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+# CAB file
+# Command is not supported for non-PE/non-MSI files
+
+# MSI file
+test_name="553. Verify MSI file signed with the revoked cert"
+printf "\n%s\n" "$test_name"
+if [ -s "sample.msi" ] && ! grep -q "no libcurl available" "results.log"
+  then
+    TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
+        script_path=$(pwd)
+        ../../osslsigncode sign -h sha256 \
+            -certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \
+            -ts http://time.certum.pl/ \
+            -in "sample.msi" -out "test_553.msi"'
+    verify_signature "$?" "553" "msi" "fail" "@2019-09-01 12:00:00" \
+	"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+    test_result "$?" "$test_name"
+  else
+    printf "Test skipped\n"
+  fi
+
+exit 0

tests/recipes/55_verify_revoked

@@ -35,7 +35,9 @@ modify_blob() {
   xxd -p -c 1000 "test_$1.$2" | \
       sed "s/$initial_blob$zero_blob/$initial_blob$modified_blob/" | \
       xxd -p -r > "test_$1_changed.$2"
-  ../../osslsigncode verify -CAfile "${script_path}/../certs/CACert.pem" \
+  ../../osslsigncode verify \
+      -CAfile "${script_path}/../certs/CACert.pem" \
+      -CRLfile "${script_path}/../certs/CACertCRL.pem" \
       -in "test_$1_changed.$2" 2>> "verify.log" 1>&2
   result=$?
   if [ "$result" -ne 0 ] || \
@@ -96,21 +98,25 @@ verify_signature() {
 # $9 modify requirement
 
   local result=0
-
+  printf "" > "verify.log"
   if [ "$1" -eq 0 ]
     then
       if [ "$3" != "ex_" ]
         then
           cp "test_$2.$3" "test_tmp.tmp"
           TZ=GMT faketime -f "$5" /bin/bash -c '
-              printf "Verify time: " > "verify.log" && date > "verify.log" && printf "\n" > "verify.log"
+              printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
               script_path=$(pwd)
-              ../../osslsigncode verify -CAfile "${script_path}/../certs/CACert.pem" \
-                  -in "test_tmp.tmp" 2> "verify.log" 1>&2'
+              ../../osslsigncode verify \
+                  -CAfile "${script_path}/../certs/CACert.pem" \
+                  -CRLfile "${script_path}/../certs/CACertCRL.pem" \
+                  -in "test_tmp.tmp" 2>> "verify.log" 1>&2'
           result=$?
           rm -f "test_tmp.tmp"
+        else
+           printf "VERIFY is not supported for CAB files\n"
         fi
-      if [ "$7" != "UNUSED_PATTERN" ] && [ "$8" != "UNUSED_PATTERN" ]
+      if [ "$result" -eq 0 ] && [ "$7" != "UNUSED_PATTERN" ] && [ "$8" != "UNUSED_PATTERN" ]
         then
           search_pattern "$2" "$3" "$7" "$8" "$9"
           result=$?
@@ -124,17 +130,59 @@ verify_signature() {
               sha256sum "test_$2.$3" 2>> "sha256sum_$3.log" 1>&2
             fi
         fi
-      if ([ "$4" = "success" ] && [ "$result" -eq 0 ]) || ([ "$4" = "fail" ] && [ "$result" -eq 1 ])
+      if [ "$4" = "success" ] && [ "$result" -eq 0 ]
         then
           rm -f "test_$2.$3" "test_$2_signed.$3" "test_$2_modifed.$3" "test_$2_changed.$3"
           result=0
+        elif [ "$4" = "fail" ] && [ "$result" -eq 1 ]
+          then
+            rm -f "test_$2.$3" "test_$2_signed.$3" "test_$2_modifed.$3" "test_$2_changed.$3"
+            cat "verify.log" >> "results.log"
+            result=0
         else
           cat "verify.log" >> "results.log"
           result=1
         fi
     else
       result=1
     fi
+  return "$result"
+}
 
+verify_leaf_hash() {
+# $1 sign exit code
+# $2 test number
+# $3 filename extension
+# $4 fake time
+
+  local result=0
+  printf "" > "verify.log"
+  if [ "$1" -eq 0 ]
+    then
+      if [ "$3" != "ex_" ]
+        then
+          cp "test_$2.$3" "test_tmp.tmp"
+          TZ=GMT faketime -f "$4" /bin/bash -c '
+              printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
+              script_path=$(pwd)
+              ../../osslsigncode verify \
+                  -CAfile "${script_path}/../certs/CACert.pem" \
+                  -CRLfile "${script_path}/../certs/CACertCRL.pem" \
+                  -require-leaf-hash SHA256:$(sha256sum "${script_path}/../certs/cert.der" | cut -d" " -f1) \
+                  -in "test_tmp.tmp" 2>> "verify.log" 1>&2'
+          result=$?
+          rm -f "test_tmp.tmp"
+        else
+           printf "VERIFY is not supported for CAB files\n"
+        fi
+      if [ "$result" -eq 0 ]
+        then
+          rm -f "test_$2.$3"
+        else
+          cat "verify.log" >> "results.log"
+        fi
+    else
+      result=1
+    fi
   return "$result"
 }