Handle certificate for authenticode counters.

vcsjones · vcsjones · commit 0277e22a8ff2 · 2016-06-07T19:37:46.000-04:00
Authenicode counter signatures now correctly include their own
certificate. The parent's "additional certificates" actually contain the
chain for authenticode timestamps, so the signature itself must flow through.
diff --git a/AuthenticodeLint/Signature.cs b/AuthenticodeLint/Signature.cs
@@ -115,66 +115,25 @@ internal X509Certificate2Collection GetCertificatesFromMessage(CryptMsgSafeHandl
             return certs;
         }
 
-        public IReadOnlyList<ISignature> GetNestedSignatures()
-        {
-            var list = new List<ISignature>();
-            foreach (var attribute in UnsignedAttributes)
-            {
-                foreach (var value in attribute.Values)
-                {
-                    ISignature signature;
-                    if (attribute.Oid.Value == KnownOids.AuthenticodeCounterSignature)
-                    {
-                        signature = new AuthenticodeSignature(value);
-                    }
-                    else if (attribute.Oid.Value == KnownOids.Rfc3161CounterSignature)
-                    {
-                        signature = new Signature(value, SignatureKind.Rfc3161Signature);
-                    }
-                    else if (attribute.Oid.Value == KnownOids.NestedSignatureOid)
-                    {
-                        signature = new Signature(value, SignatureKind.NestedSignature);
-                    }
-                    else
-                    {
-                        continue;
-                    }
-                    var childAttributes = new CryptographicAttributeObjectCollection();
-                    foreach (var childAttribute in signature.UnsignedAttributes)
-                    {
-                        childAttributes.Add(childAttribute);
-                    }
-                    list.Add(signature);
-                }
-            }
-            return list.AsReadOnly();
-        }
+        public abstract IReadOnlyList<ISignature> GetNestedSignatures();
     }
 
     public class AuthenticodeSignature : SignatureBase
     {
-
         public override Oid DigestAlgorithm { get; protected set; }
         public override Oid HashEncryptionAlgorithm { get; protected set; }
         public override CryptographicAttributeObjectCollection UnsignedAttributes { get; protected set; }
         public override CryptographicAttributeObjectCollection SignedAttributes { get; protected set; }
         public override byte[] SerialNumber { get; protected set; }
         public override X509Certificate2 Certificate { get; protected set; }
         public override SignatureKind Kind { get; } = SignatureKind.AuthenticodeSignature;
-        public override X509Certificate2Collection AdditionalCertificates
-        {
-            get
-            {
-                return new X509Certificate2Collection();
-            }
-
-            protected set
-            {
-            }
-        }
+        public override X509Certificate2Collection AdditionalCertificates { get; protected set; }
+        public ISignature OwningSignature { get; }
 
-        public unsafe AuthenticodeSignature(AsnEncodedData data)
+        public unsafe AuthenticodeSignature(AsnEncodedData data, ISignature owningSignature)
         {
+            OwningSignature = owningSignature;
+            AdditionalCertificates = owningSignature.AdditionalCertificates;
             fixed (byte* dataPtr = data.RawData)
             {
                 uint size = 0;
@@ -189,6 +148,15 @@ public unsafe AuthenticodeSignature(AsnEncodedData data)
                         SerialNumber = ReadBlob(signerInfo.SerialNumber);
                         UnsignedAttributes = ReadAttributes(signerInfo.UnauthAttrs);
                         SignedAttributes = ReadAttributes(signerInfo.AuthAttrs);
+                        var subjectId = new UniversalSubjectIdentifier(signerInfo.Issuer, signerInfo.SerialNumber);
+                        if (subjectId.Type == SubjectIdentifierType.SubjectKeyIdentifier)
+                        {
+                            Certificate = FindCertificate((string)subjectId.Value, OwningSignature.AdditionalCertificates);
+                        }
+                        else if (subjectId.Type == SubjectIdentifierType.IssuerAndSerialNumber)
+                        {
+                            Certificate = FindCertificate((X509IssuerSerial)subjectId.Value, OwningSignature.AdditionalCertificates);
+                        }
                     }
                 }
                 else
@@ -197,6 +165,41 @@ public unsafe AuthenticodeSignature(AsnEncodedData data)
                 }
             }
         }
+
+        public override IReadOnlyList<ISignature> GetNestedSignatures()
+        {
+            var list = new List<ISignature>();
+            foreach (var attribute in UnsignedAttributes)
+            {
+                foreach (var value in attribute.Values)
+                {
+                    ISignature signature;
+                    if (attribute.Oid.Value == KnownOids.AuthenticodeCounterSignature)
+                    {
+                        signature = new AuthenticodeSignature(value, OwningSignature);
+                    }
+                    else if (attribute.Oid.Value == KnownOids.Rfc3161CounterSignature)
+                    {
+                        signature = new Signature(value, SignatureKind.Rfc3161Signature);
+                    }
+                    else if (attribute.Oid.Value == KnownOids.NestedSignatureOid)
+                    {
+                        signature = new Signature(value, SignatureKind.NestedSignature);
+                    }
+                    else
+                    {
+                        continue;
+                    }
+                    var childAttributes = new CryptographicAttributeObjectCollection();
+                    foreach (var childAttribute in signature.UnsignedAttributes)
+                    {
+                        childAttributes.Add(childAttribute);
+                    }
+                    list.Add(signature);
+                }
+            }
+            return list.AsReadOnly();
+        }
     }
 
     public class Signature : SignatureBase
@@ -284,6 +287,41 @@ internal unsafe Signature(AsnEncodedData data, SignatureKind kind)
                 }
             }
         }
+
+        public override IReadOnlyList<ISignature> GetNestedSignatures()
+        {
+            var list = new List<ISignature>();
+            foreach (var attribute in UnsignedAttributes)
+            {
+                foreach (var value in attribute.Values)
+                {
+                    ISignature signature;
+                    if (attribute.Oid.Value == KnownOids.AuthenticodeCounterSignature)
+                    {
+                        signature = new AuthenticodeSignature(value, this);
+                    }
+                    else if (attribute.Oid.Value == KnownOids.Rfc3161CounterSignature)
+                    {
+                        signature = new Signature(value, SignatureKind.Rfc3161Signature);
+                    }
+                    else if (attribute.Oid.Value == KnownOids.NestedSignatureOid)
+                    {
+                        signature = new Signature(value, SignatureKind.NestedSignature);
+                    }
+                    else
+                    {
+                        continue;
+                    }
+                    var childAttributes = new CryptographicAttributeObjectCollection();
+                    foreach (var childAttribute in signature.UnsignedAttributes)
+                    {
+                        childAttributes.Add(childAttribute);
+                    }
+                    list.Add(signature);
+                }
+            }
+            return list.AsReadOnly();
+        }
     }
 
     internal class UniversalSubjectIdentifier
