
Commit 55f1d51

author
Kevin Jones
committed
Lots of work.
* Support for rulesets. * Minor refactorings. * Upgrade to SDK project files. * Drop dual signing requirement.
1 parent fc23c94 commit 55f1d51

34 files changed

+151
-268
lines changed
Lines changed: 11 additions & 111 deletions
@@ -1,114 +1,14 @@
1-
<?xml version="1.0" encoding="utf-8"?>
2-
<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3-
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
4-
<PropertyGroup>
5-
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
6-
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
7-
<ProjectGuid>{FF77FAED-3274-4C0E-BDA0-98D8A5FA831E}</ProjectGuid>
8-
<OutputType>Exe</OutputType>
9-
<AppDesignerFolder>Properties</AppDesignerFolder>
10-
<RootNamespace>AuthenticodeLint</RootNamespace>
11-
<AssemblyName>authlint</AssemblyName>
12-
<TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
13-
<FileAlignment>512</FileAlignment>
14-
<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
15-
<Deterministic>true</Deterministic>
16-
</PropertyGroup>
17-
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
18-
<PlatformTarget>AnyCPU</PlatformTarget>
19-
<DebugSymbols>true</DebugSymbols>
20-
<DebugType>full</DebugType>
21-
<Optimize>false</Optimize>
22-
<OutputPath>bin\Debug\</OutputPath>
23-
<DefineConstants>DEBUG;TRACE</DefineConstants>
24-
<ErrorReport>prompt</ErrorReport>
25-
<WarningLevel>4</WarningLevel>
26-
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
27-
<Prefer32Bit>false</Prefer32Bit>
28-
<UseVSHostingProcess>true</UseVSHostingProcess>
29-
</PropertyGroup>
30-
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
31-
<PlatformTarget>AnyCPU</PlatformTarget>
32-
<DebugType>pdbonly</DebugType>
33-
<Optimize>true</Optimize>
34-
<OutputPath>bin\Release\</OutputPath>
35-
<DefineConstants>TRACE</DefineConstants>
36-
<ErrorReport>prompt</ErrorReport>
37-
<WarningLevel>4</WarningLevel>
38-
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
39-
<Prefer32Bit>false</Prefer32Bit>
40-
</PropertyGroup>
41-
<PropertyGroup>
42-
<ApplicationManifest>app.manifest</ApplicationManifest>
43-
</PropertyGroup>
1+
<Project Sdk="Microsoft.NET.Sdk">
2+
<PropertyGroup>
3+
<OutputType>Exe</OutputType>
4+
<AssemblyName>authlint</AssemblyName>
5+
<TargetFrameworks>net461</TargetFrameworks>
6+
<VersionPrefix>0.10.0</VersionPrefix>
7+
<Authors>Kevin Jones</Authors>
8+
<LangVersion>latest</LangVersion>
9+
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
10+
</PropertyGroup>
4411
<ItemGroup>
45-
<Reference Include="System" />
46-
<Reference Include="System.Core" />
4712
<Reference Include="System.Security" />
48-
<Reference Include="System.Xml.Linq" />
49-
<Reference Include="System.Data.DataSetExtensions" />
50-
<Reference Include="Microsoft.CSharp" />
51-
<Reference Include="System.Data" />
52-
<Reference Include="System.Net.Http" />
53-
<Reference Include="System.Xml" />
54-
</ItemGroup>
55-
<ItemGroup>
56-
<Compile Include="BitStrengthCalculator.cs" />
57-
<Compile Include="CertificatePaddingExtractor.cs" />
58-
<Compile Include="CheckEngine.cs" />
59-
<Compile Include="CommandLineParser.cs" />
60-
<Compile Include="ConfigurationValidator.cs" />
61-
<Compile Include="Extraction.cs" />
62-
<Compile Include="Interop\CertStoreSafeHandle.cs" />
63-
<Compile Include="Interop\Crypt32.cs" />
64-
<Compile Include="Interop\CryptMsgSafeHandle.cs" />
65-
<Compile Include="Interop\LocalBufferSafeHandle.cs" />
66-
<Compile Include="Interop\Pe.cs" />
67-
<Compile Include="Interop\Wintrust.cs" />
68-
<Compile Include="IRuleResultCollector.cs" />
69-
<Compile Include="ISignature.cs" />
70-
<Compile Include="KnownGuids.cs" />
71-
<Compile Include="KnownOids.cs" />
72-
<Compile Include="OidParser.cs" />
73-
<Compile Include="PE\PortableExecutable.cs" />
74-
<Compile Include="PublisherInformation.cs" />
75-
<Compile Include="Signature.cs" />
76-
<Compile Include="Rules\10013-MaxKeyLengthRule.cs" />
77-
<Compile Include="Rules\10011-StrongKeyLengthRule.cs" />
78-
<Compile Include="Rules\10012-RsaDsaPrimarySignatureRule.cs" />
79-
<Compile Include="Rules\CertificateChainRuleBase.cs" />
80-
<Compile Include="Rules\IAuthenticodeRule.cs" />
81-
<Compile Include="Program.cs" />
82-
<Compile Include="Properties\AssemblyInfo.cs" />
83-
<Compile Include="Rules\10010-NoUnknownCertificatesRule.cs" />
84-
<Compile Include="Rules\10002-NoWeakFileDigestAlgorithmsRule.cs" />
85-
<Compile Include="Rules\10005-PublisherInformationUrlHttpsRule.cs" />
86-
<Compile Include="Rules\10004-PublisherInformationRule.cs" />
87-
<Compile Include="Rules\RuleResult.cs" />
88-
<Compile Include="Rules\10000-Sha1PrimarySignatureRule.cs" />
89-
<Compile Include="Rules\10001-Sha2SignatureExistsRule.cs" />
90-
<Compile Include="Rules\10006-SigningCertificateDigestAlgorithmRule.cs" />
91-
<Compile Include="Rules\10003-TimestampedRule.cs" />
92-
<Compile Include="Rules\10007-TrustedSignatureRule.cs" />
93-
<Compile Include="Rules\10009-NoUnknownUnsignedAttibuteRule.cs" />
94-
<Compile Include="Rules\10008-WinCertificatePaddingRule.cs" />
95-
<Compile Include="SignatureExtensions.cs" />
96-
<Compile Include="SignatureExtractor.cs" />
97-
<Compile Include="SignatureHasher.cs" />
98-
<Compile Include="SignerInfoExtensions.cs" />
99-
<Compile Include="StdOutRuleResultCollector.cs" />
100-
<Compile Include="VerboseSignatureTextWriter.cs" />
101-
<Compile Include="XmlRuleResultCollector.cs" />
102-
</ItemGroup>
103-
<ItemGroup>
104-
<None Include="app.manifest" />
105-
</ItemGroup>
106-
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
107-
<!-- To modify your build process, add your task inside one of the targets below and uncomment it.
108-
Other similar extension points exist, see Microsoft.Common.targets.
109-
<Target Name="BeforeBuild">
110-
</Target>
111-
<Target Name="AfterBuild">
112-
</Target>
113-
-->
13+
</ItemGroup>
11414
</Project>
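Review bot: The SDK-style project drops the `<ApplicationManifest>app.manifest</ApplicationManifest>` property that the old project set at line 42, and nothing in the new file replaces it, so app.manifest is no longer embedded into authlint.exe unless the property is set somewhere outside this diff (a Directory.Build.props, say). If the manifest is still wanted, add `<ApplicationManifest>app.manifest</ApplicationManifest>` to the new PropertyGroup; if it was dropped on purpose, the app.manifest file itself should go too, since the SDK globs it in as a `None` item either way. The path of this project file is not shown on the page, so I cannot tell whether a second project shares the same migration.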

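--- a/AuthenticodeLint/CheckEngine.cs
+++ b/AuthenticodeLint/CheckEngine.cs
@@ -46,17 +46,23 @@ public RuleEngineResult RunAllRules(string file, IReadOnlyList<ISignature> signa
 {
 result = RuleResult.Skip;
 }
-else if (rule is IAuthenticodeFileRule)
+else if ((rule.RuleSet & configuration.RuleSet) == 0)
 {
-result = ((IAuthenticodeFileRule)rule).Validate(file, verboseWriter, configuration);
-}
-else if (rule is IAuthenticodeSignatureRule)
-{
-result = ((IAuthenticodeSignatureRule)rule).Validate(signatures, verboseWriter, configuration);
+result = RuleResult.Excluded;
 }
 else
 {
-throw new NotSupportedException("Rule type is not supported.");
+switch (rule)
+{
+case IAuthenticodeFileRule fileRule:
+result = fileRule.Validate(file, verboseWriter, configuration);
+break;
+case IAuthenticodeSignatureRule sigRule:
+result = sigRule.Validate(signatures, verboseWriter, configuration);
+break;
+default:
+throw new NotSupportedException("Rule type is not supported.");
+}
 }
 }
 if (result == RuleResult.Fail)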

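--- a/AuthenticodeLint/ConfigurationValidator.cs
+++ b/AuthenticodeLint/ConfigurationValidator.cs
@@ -13,8 +13,9 @@ public class CheckConfiguration
 public bool Verbose { get; }
 public RevocationChecking RevocationMode {get;}
 public string ExtractPath { get; }
+public RuleSet RuleSet { get; }
 
-public CheckConfiguration(IReadOnlyList<string> inputPaths, string reportPath, bool quiet, HashSet<int> suppressErrorIDs, bool verbose, RevocationChecking revocationMode, string extract)
+public CheckConfiguration(IReadOnlyList<string> inputPaths, string reportPath, bool quiet, HashSet<int> suppressErrorIDs, bool verbose, RevocationChecking revocationMode, string extract, RuleSet ruleSet)
 {
 InputPaths = inputPaths;
 ReportPath = reportPath;
@@ -23,6 +24,7 @@ public CheckConfiguration(IReadOnlyList<string> inputPaths, string reportPath, b
 Verbose = verbose;
 RevocationMode = revocationMode;
 ExtractPath = extract;
+RuleSet = ruleSet;
 }
 }
 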
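Review bot: The new `RuleSet` property at line 16 has no documentation, and its meaning as a flags mask is only discoverable from CheckEngine. I would add `/// <summary>Flags of the rule sets selected on the command line; a rule whose own RuleSet shares no flag with this value is reported as Excluded.</summary>` above it. The constructor stores the value as given, so if ValidateAndPrint (not in this diff) is where configurations are checked, that is presumably where a zero mask should be rejected.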

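--- a/AuthenticodeLint/KnownOids.cs
+++ b/AuthenticodeLint/KnownOids.cs
@@ -30,6 +30,8 @@ public static class EccCurves
 public const string OpusInfo = "1.3.6.1.4.1.311.2.1.12";
 public const string CodeSigning = "1.3.6.1.5.5.7.3.3";
 public const string NestedSignatureOid = "1.3.6.1.4.1.311.2.4.1";
+public const string SealingSignature = "1.3.6.1.4.1.311.2.4.3";
+public const string SealingTimestamp = "1.3.6.1.4.1.311.2.4.4";
 public const string KeyId = "1.3.6.1.4.1.311.10.7.1";
 
 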
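--- a/AuthenticodeLint/Program.cs
+++ b/AuthenticodeLint/Program.cs
@@ -35,6 +35,7 @@ static int Main(string[] args)
 string report = null;
 string extract = null;
 var revocation = RevocationChecking.None;
+var ruleSet = RuleSet.Modern;
 foreach(var parameter in parsedCommandLine)
 {
 if (parameter.Name == "in")
@@ -121,6 +122,19 @@ static int Main(string[] args)
 return ExitCodes.InvalidInputOrConfig;
 }
 }
+else if (parameter.Name == "ruleset")
+{
+if (string.IsNullOrWhiteSpace(parameter.Value))
+{
+Console.Error.WriteLine($"-{parameter.Name} requires a value if specified.");
+return ExitCodes.InvalidInputOrConfig;
+}
+if (!Enum.TryParse(parameter.Value, true, out ruleSet) || parameter.Value.Equals("all", StringComparison.OrdinalIgnoreCase))
+{
+Console.Error.WriteLine($"-{parameter.Value} is an unrecognized ruleset.");
+return ExitCodes.InvalidInputOrConfig;
+}
+}
 else
 {
 Console.Error.WriteLine($"-{parameter.Name} is an unknown parameter.");
@@ -132,7 +146,7 @@ static int Main(string[] args)
 Console.Error.WriteLine("Input is expected. See -help for usage.");
 return ExitCodes.InvalidInputOrConfig;
 }
-var configuration = new CheckConfiguration(inputs, report, quiet, suppress, verbose, revocation, extract);
+var configuration = new CheckConfiguration(inputs, report, quiet, suppress, verbose, revocation, extract, ruleSet);
 
 if (!ConfigurationValidator.ValidateAndPrint(configuration, Console.Error))
 {
@@ -178,6 +192,8 @@ Checks the Authenticode signature of your binaries.
 -verbose: Show verbose output. Cannot be combined with -quiet.
 -revocation: Specify how revocation checking is done. Valid values are none, offline, online. None is the default.
 -extract: Extracts all signature information to the specified directory.
+-ruleset: A set of rules to run. By intended behavior, such as modern signing, or compatibility.
+Possible values are ""compat"" and ""modern"", where the default is ""modern"". Optional.
 
 Exit codes:
 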
AuthenticodeLint/Properties/AssemblyInfo.cs

Lines changed: 0 additions & 16 deletions
This file was deleted.
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
{
2+
"profiles": {
3+
"AuthenticodeLint": {
4+
"commandName": "Project",
5+
"commandLineArgs": "-in \"C:\\dev\\Personal\\AuthenticodeLint\\out\\authlint.exe\""
6+
}
7+
}
8+
}
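Review bot: The `commandLineArgs` value at line 5 hard-codes an absolute, user-specific path, `C:\dev\Personal\AuthenticodeLint\out\authlint.exe`, so the profile only works on one machine and commits a local directory layout into the repository. This file is not named on the page, but its `profiles`/`commandName` shape suggests a launchSettings.json; if so, a path relative to the profile's working directory (for example `-in authlint.exe` with `workingDirectory` pointing at the build output) would make the profile portable, or the file can be kept out of source control if it is meant to be developer-local.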

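--- /dev/null
+++ b/AuthenticodeLint/RuleSet.cs
@@ -0,0 +1,12 @@
+using System;
+
+namespace AuthenticodeLint
+{
+[Flags]
+public enum RuleSet : byte
+{
+Modern = 0x01,
+Compat = 0x02,
+All = 0xFF
+}
+}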

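--- a/AuthenticodeLint/Rules/10000-Sha1PrimarySignatureRule.cs
+++ b/AuthenticodeLint/Rules/10000-Sha1PrimarySignatureRule.cs
@@ -11,6 +11,8 @@ public class Sha1PrimarySignatureRule : IAuthenticodeSignatureRule
 
 public string ShortDescription { get; } = "Primary signature should be SHA1.";
 
+public RuleSet RuleSet { get; } = RuleSet.Compat;
+
 public RuleResult Validate(IReadOnlyList<ISignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
 {
 if (graph.Count == 0)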

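--- a/AuthenticodeLint/Rules/10001-Sha2SignatureExistsRule.cs
+++ b/AuthenticodeLint/Rules/10001-Sha2SignatureExistsRule.cs
@@ -13,6 +13,8 @@ public class Sha2SignatureExistsRule : IAuthenticodeSignatureRule
 
 public string ShortDescription { get; } = "A SHA2 signature should exist.";
 
+public RuleSet RuleSet { get; } = RuleSet.All;
+
 public RuleResult Validate(IReadOnlyList<ISignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
 {
 var signatures = graph.VisitAll(SignatureKind.AnySignature);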
