Index: /trunk/src/VBox/Runtime/tools/RTSignTool.cpp =================================================================== --- /trunk/src/VBox/Runtime/tools/RTSignTool.cpp (revision 64925) +++ /trunk/src/VBox/Runtime/tools/RTSignTool.cpp (revision 64926) @@ -473,4 +473,77 @@ return RTEXITCODE_FAILURE; } + + + +/** + * Worker for recursively searching for MS nested signatures and signer infos. + * + * @returns Pointer to the signer info corresponding to @a iSignature. NULL if + * not found. + * @param pSignedData The signature to search. + * @param piNextSignature Pointer to the variable keeping track of the next + * signature number. + * @param iReqSignature The request signature number. + * @param ppSignedData Where to return the signature data structure. + */ +static PRTCRPKCS7SIGNERINFO SignToolPkcs7_FindNestedSignatureByIndexWorker(PRTCRPKCS7SIGNEDDATA pSignedData, + uint32_t *piNextSignature, + uint32_t iReqSignature, + PRTCRPKCS7SIGNEDDATA *ppSignedData) +{ + for (uint32_t iSignerInfo = 0; iSignerInfo < pSignedData->SignerInfos.cItems; iSignerInfo++) + { + /* Match?*/ + PRTCRPKCS7SIGNERINFO pSignerInfo = pSignedData->SignerInfos.papItems[iSignerInfo]; + if (*piNextSignature == iReqSignature) + { + *ppSignedData = pSignedData; + return pSignerInfo; + } + *piNextSignature += 1; + + /* Look for nested signatures. */ + for (uint32_t iAttrib = 0; iAttrib < pSignerInfo->UnauthenticatedAttributes.cItems; iAttrib++) + if (pSignerInfo->UnauthenticatedAttributes.papItems[iAttrib]->enmType == RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE) + { + PRTCRPKCS7SETOFCONTENTINFOS pCntInfos; + pCntInfos = pSignerInfo->UnauthenticatedAttributes.papItems[iAttrib]->uValues.pContentInfos; + for (uint32_t iCntInfo = 0; iCntInfo < pCntInfos->cItems; iCntInfo++) + { + PRTCRPKCS7CONTENTINFO pCntInfo = pCntInfos->papItems[iCntInfo]; + if (RTCrPkcs7ContentInfo_IsSignedData(pCntInfo)) + { + PRTCRPKCS7SIGNERINFO pRet; + pRet = SignToolPkcs7_FindNestedSignatureByIndexWorker(pCntInfo->u.pSignedData, piNextSignature, + iReqSignature, ppSignedData); + if (pRet) + return pRet; + } + } + } + } + return NULL; +} + + +/** + * Locates the given nested signature. + * + * @returns Pointer to the signer info corresponding to @a iSignature. NULL if + * not found. + * @param pThis The PKCS\#7 structure to search. + * @param iReqSignature The requested signature number. + * @param ppSignedData Where to return the pointer to the signed data that + * the returned signer info belongs to. + * + * @todo Move into SPC or PKCS\#7. + */ +static PRTCRPKCS7SIGNERINFO SignToolPkcs7_FindNestedSignatureByIndex(PSIGNTOOLPKCS7 pThis, uint32_t iReqSignature, + PRTCRPKCS7SIGNEDDATA *ppSignedData) +{ + uint32_t iNextSignature = 0; + return SignToolPkcs7_FindNestedSignatureByIndexWorker(pThis->pSignedData, &iNextSignature, iReqSignature, ppSignedData); +} + @@ -797,5 +870,5 @@ { RT_NOREF_PV(enmLevel); - RTStrmPrintf(pStrm, "extract-exe-signer-cert [--ber|--cer|--der] [--exe|-e] [--output|-o] \n"); + RTStrmPrintf(pStrm, "extract-exe-signer-cert [--ber|--cer|--der] [--signature-index|-i ] [--exe|-e] [--output|-o] \n"); return RTEXITCODE_SUCCESS; } @@ -808,9 +881,10 @@ static const RTGETOPTDEF s_aOptions[] = { - { "--ber", 'b', RTGETOPT_REQ_NOTHING }, - { "--cer", 'c', RTGETOPT_REQ_NOTHING }, - { "--der", 'd', RTGETOPT_REQ_NOTHING }, - { "--exe", 'e', RTGETOPT_REQ_STRING }, - { "--output", 'o', RTGETOPT_REQ_STRING }, + { "--ber", 'b', RTGETOPT_REQ_NOTHING }, + { "--cer", 'c', RTGETOPT_REQ_NOTHING }, + { "--der", 'd', RTGETOPT_REQ_NOTHING }, + { "--exe", 'e', RTGETOPT_REQ_STRING }, + { "--output", 'o', RTGETOPT_REQ_STRING }, + { "--signature-index", 'i', RTGETOPT_REQ_UINT32 }, }; @@ -820,4 +894,5 @@ unsigned cVerbosity = 0; uint32_t fCursorFlags = RTASN1CURSOR_FLAGS_DER; + uint32_t iSignature = 0; RTGETOPTSTATE GetState; @@ -835,4 +910,5 @@ case 'c': fCursorFlags = RTASN1CURSOR_FLAGS_CER; break; case 'd': fCursorFlags = RTASN1CURSOR_FLAGS_DER; break; + case 'i': iSignature = ValueUnion.u32; break; case 'V': return HandleVersion(cArgs, papszArgs); case 'h': return HelpExtractExeSignerCert(g_pStdOut, RTSIGNTOOLHELP_FULL); @@ -866,12 +942,13 @@ if (rcExit == RTEXITCODE_SUCCESS) { - /* Find the signing certificate (ASSUMING there's only one signer and that - the certificate used is shipped in the set of certificates). */ + /* Find the signing certificate (ASSUMING that the certificate used is shipped in the set of certificates). */ + PRTCRPKCS7SIGNEDDATA pSignedData; + PCRTCRPKCS7SIGNERINFO pSignerInfo = SignToolPkcs7_FindNestedSignatureByIndex(&This, iSignature, &pSignedData); rcExit = RTEXITCODE_FAILURE; - if (This.pSignedData->SignerInfos.cItems == 1) - { - PCRTCRPKCS7ISSUERANDSERIALNUMBER pISN = &This.pSignedData->SignerInfos.papItems[0]->IssuerAndSerialNumber; + if (pSignerInfo) + { + PCRTCRPKCS7ISSUERANDSERIALNUMBER pISN = &pSignedData->SignerInfos.papItems[0]->IssuerAndSerialNumber; PCRTCRX509CERTIFICATE pCert; - pCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&This.pSignedData->Certificates, + pCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&pSignedData->Certificates, &pISN->Name, &pISN->SerialNumber); if (pCert) @@ -910,6 +987,5 @@ } else - RTMsgError("SignerInfo count: %u", This.pSignedData->SignerInfos.cItems); - + RTMsgError("Could not locate signature #%u!", iSignature); /* Delete the signature data. */