| September 1, 2018 | ||
|---|---|---|
 |
View 604cc8e
Allow the countersignature to exist anywhere in unauthAttrsAndrew authored on 2018/09/01 06:02:51 |
|
|
View a2bb4cd
Add support for signatures without unauthAttr section and add more dbg msgsAndrew authored on 2018/09/01 03:02:40 |
|
| August 31, 2018 | ||
|---|---|---|
|
View d3440d8
Add more support for SHA384-based certificatesAndrew authored on 2018/08/31 06:58:09 |
|
|
View 50873c8
Replace tabs with spaces in pe.c and crtmgr.c, move debug messageAndrew authored on 2018/08/31 04:17:37 |
|
| August 30, 2018 | ||
|---|---|---|
|
View b851a64
Skip invalid x509 certificates instead of bailing out completely In my sample set of 2,000 signed binaries, there were 69 with x509 certificates included that didn't seem to comply with the spec. These weren't in the actual certificate chain used to verify the binary, though, and the Windows verification API had no problems with it, so we shouldn't either. The specific errors varied. Specifically: - 54 - expected NULL following RSA OID - For some binaries this was due to an old "DUMMY CERTIFICATE" included for some reason. - 8 - module has got an unsupported length (392) - Binaries from one company include 392-bit RSA keys for some reason - 7 - expected [0] version container in TBSCertificate - Some really older certificates don't seem to include the version number (maybe the RFC didn't include one at the time?)Andrew authored on 2018/08/30 01:12:22 |
|
| August 29, 2018 | ||
|---|---|---|
|
View 5130fdd
Allow signature whitelisting for binaries that violate MS13-098Andrew authored on 2018/08/29 04:43:30 |
|
|
View e1a08b6
Fix authenticode hash computation regression (must hash data not contained in a section)Andrew authored on 2018/08/29 02:25:28 |
|
| August 28, 2018 | ||
|---|---|---|
|
View 18a813a
Update PE parsing code related to Authenticode verification The following changes were made - The code to calculate the authenticode hash was not properly accounting for the case where a PE had sections that either overlapped with each other or overlapped with the PE header. One common case for this is UPX-packed binaries, where the first section with data on disk starts at offset 0x400, which overlaps with the specified PE header by 0xC00 bytes. - The code didn't wrap accesses to fields in the Security DataDirectory with EC32(), so it seems likely that authenticode parsing always encountered issues on big endian systems. I think I fixed all of the accesses in cli_checkfp_pe, but there might still be issues here. I'll test this further. - We parse the authenticode data header to better ensure that it's PCKS7 we are trying to parse, and not one of the other types - cli_checkfp_pe should now finish faster in the case where there is no authenticode data and we don't want to compute the section hashes. - Fixed a potential memory leak in one cli_checkfp_pe failure caseAndrew authored on 2018/08/28 11:53:23 |
|
|
View 0a2492d
Add more debugging messages for fail cases in Authenticode ASN1 parsingAndrew authored on 2018/08/28 07:34:37 |
|
| August 24, 2018 | ||
|---|---|---|
|
View 144148f
Add minimal support for parsing MD2RSA, RSA, and SHA512RSA certsAndrew authored on 2018/08/24 22:58:57 |
|
|
View 4cd3d28
Add minimal support for parsing SHA384-based certificatesAndrew authored on 2018/08/24 12:19:47 |
|
|
View 5ee2fc5
[WIP] Add support for SHA256 signatures I think that's all of it, but there might still be some unsupported casesAndrew authored on 2018/08/24 10:26:31 |
|
|
View 8df3fab
Fix an issue causing the public key to be incorrectly printed with --dumpcerts sometimesAndrew authored on 2018/08/24 00:44:13 |
|
|
View 7438ffd
Fix issue where certificate verification fails if nested sigs presentAndrew authored on 2018/08/24 00:40:23 |
|
|
View 1b5c9f7
[WIP] Add support for SHA256 signaturesAndrew authored on 2018/08/24 00:37:40 |
|