Merge pull request #14 from vcsjones/RefactorInterface

Tests and timestamp fixes

Author: vcsjones

AuthenticodeLint/AuthenticodeLint.csproj

@@ -57,6 +57,7 @@
     <Compile Include="CheckEngine.cs" />
     <Compile Include="CommandLineParser.cs" />
     <Compile Include="ConfigurationValidator.cs" />
+    <Compile Include="GraphBuilders.cs" />
     <Compile Include="Interop\CertStoreSafeHandle.cs" />
     <Compile Include="Interop\Crypt32.cs" />
     <Compile Include="Interop\CryptMsgSafeHandle.cs" />

AuthenticodeLint/CheckEngine.cs

@@ -1,5 +1,7 @@
 using System.Collections.Generic;
 using AuthenticodeLint.Rules;
+using System;
+using System.Linq;
 
 namespace AuthenticodeLint
 {
@@ -14,20 +16,12 @@ static CheckEngine()
 
         public IReadOnlyList<IAuthenticodeRule> GetRules()
         {
-            return new List<IAuthenticodeRule>
-            {
-                new Sha1PrimarySignatureRule(),
-                new Sha2SignatureExistsRule(),
-                new NoWeakFileDigestAlgorithmsRule(),
-                new TimestampedRule(),
-                new PublisherInformationPresentRule(),
-                new PublisherInformationUrlHttpsRule(),
-                new SigningCertificateDigestAlgorithmRule(),
-                new TrustedSignatureRule(),
-                new WinCertificatePaddingRule(),
-                new NoUnknownUnsignedAttibuteRule(),
-                new NoUnknownCertificatesRule()
-            };
+            return (from type in typeof(IAuthenticodeRule).Assembly.GetExportedTypes()
+                    where typeof(IAuthenticodeRule).IsAssignableFrom(type) && type.GetConstructor(Type.EmptyTypes) != null
+                    let instance = (IAuthenticodeRule)Activator.CreateInstance(type)
+                    orderby instance.RuleId
+                    select instance
+                    ).ToList();
         }
 
         public RuleEngineResult RunAllRules(string file, Graph<Signature> signatures, List<IRuleResultCollector> collectors, CheckConfiguration configuration)
@@ -40,7 +34,7 @@ public RuleEngineResult RunAllRules(string file, Graph<Signature> signatures, Li
             foreach(var rule in rules)
             {
                 RuleResult result;
-                var verboseWriter = verbose ? new VerboseSignatureLogger() : SignatureLogger.Null;
+                var verboseWriter = verbose ? new MemorySignatureLogger() : SignatureLogger.Null;
                 if (signatures.Items.Count == 0)
                 {
                     result = RuleResult.Fail;
@@ -52,9 +46,17 @@ public RuleEngineResult RunAllRules(string file, Graph<Signature> signatures, Li
                     {
                         result = RuleResult.Skip;
                     }
+                    else if (rule is IAuthenticodeFileRule)
+                    {
+                        result = ((IAuthenticodeFileRule)rule).Validate(file, verboseWriter, configuration);
+                    }
+                    else if (rule is IAuthenticodeSignatureRule)
+                    {
+                        result = ((IAuthenticodeSignatureRule)rule).Validate(signatures, verboseWriter, configuration);
+                    }
                     else
                     {
-                        result = rule.Validate(signatures, verboseWriter, configuration, file);
+                        throw new NotSupportedException("Rule type is not supported.");
                     }
                 }
                 if (result != RuleResult.Pass)

AuthenticodeLint/GraphBuilders.cs

@@ -0,0 +1,70 @@
+using System.Collections.Generic;
+using System.Security.Cryptography;
+using System.Security.Cryptography.Pkcs;
+
+namespace AuthenticodeLint
+{
+    public static class GraphBuilder
+    {
+        public static Graph<Signature> ExplodeGraph(byte[] entireMessage, string nestedOidType) => WalkGraph(new List<byte[]> { entireMessage }, nestedOidType);
+
+        public static Graph<ICounterSignature> WalkCounterSignatures(Signature signature) => WalkCounterSignatures(signature.SignerInfo.UnsignedAttributes);
+
+        private static Graph<ICounterSignature> WalkCounterSignatures(CryptographicAttributeObjectCollection attributes)
+        {
+            var graphItems = new List<GraphItem<ICounterSignature>>();
+            foreach (var attribute in attributes)
+            {
+                foreach(var value in attribute.Values)
+                {
+                    ICounterSignature signature;
+                    if (attribute.Oid.Value == KnownOids.AuthenticodeCounterSignature)
+                    {
+                        signature = new AuthenticodeSignature(value);
+                    }
+                    else if (attribute.Oid.Value == KnownOids.Rfc3161CounterSignature)
+                    {
+                        signature = new Rfc3161Signature(value);
+                    }
+                    else
+                    {
+                        continue;
+                    }
+                    var childAttributes = new CryptographicAttributeObjectCollection();
+                    foreach(var childAttribute in signature.UnsignedAttributes)
+                    {
+                        childAttributes.Add(childAttribute);
+                    }
+                    graphItems.Add(new GraphItem<ICounterSignature>(signature, WalkCounterSignatures(childAttributes)));
+                }
+            }
+            return new Graph<ICounterSignature>(graphItems);
+        }
+
+        private static Graph<Signature> WalkGraph(IList<byte[]> cmsData, string nestedOidType)
+        {
+            var graphItems = new List<GraphItem<Signature>>();
+            foreach (var data in cmsData)
+            {
+                var cms = new SignedCms();
+                cms.Decode(data);
+                foreach (var signer in cms.SignerInfos)
+                {
+                    var childCms = new List<byte[]>();
+                    foreach (var attribute in signer.UnsignedAttributes)
+                    {
+                        if (attribute.Oid.Value == nestedOidType)
+                        {
+                            foreach (var value in attribute.Values)
+                            {
+                                childCms.Add(value.RawData);
+                            }
+                        }
+                    }
+                    graphItems.Add(new GraphItem<Signature>(new Signature(signer, cms.Certificates), WalkGraph(childCms, nestedOidType)));
+                }
+            }
+            return new Graph<Signature>(graphItems);
+        }
+    }
+}

AuthenticodeLint/Interop/Crypt32.cs

@@ -297,7 +297,7 @@ internal struct CRYPT_ALGORITHM_IDENTIFIER
         public CRYPTOAPI_BLOB Parameters;
     }
 
-    [type: StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+    [type: StructLayout(LayoutKind.Sequential)]
     internal struct CMSG_SIGNER_INFO
     {
         public uint dwVersion;
@@ -370,4 +370,12 @@ internal struct CERT_CONTEXT
         public IntPtr pCertInfo;
         public IntPtr hCertStore;
     }
+
+    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
+    internal struct CRYPT_ATTRIBUTE
+    {
+        public string pszObjId;
+        public uint cValue;
+        public IntPtr rgValue;
+    }
 }

AuthenticodeLint/Rfc3161Signature.cs

@@ -6,58 +6,82 @@
 
 namespace AuthenticodeLint
 {
-    public abstract class SignatureBase : IDisposable
+    public interface ICounterSignature
     {
-        internal CMSG_SIGNER_INFO _signerInfo;
-
-
-        protected SignatureBase(AsnEncodedData data)
+        Oid Oid { get; }
+        Oid DigestAlgorithm { get; }
+        Oid HashEncryptionAlgorithm { get; }
+        CryptographicAttributeObjectCollection UnsignedAttributes { get; }
+        CryptographicAttributeObjectCollection SignedAttributes { get; }
+    }
+    public abstract class CounterSignatureBase : ICounterSignature
+    {
+        
+        protected CounterSignatureBase(AsnEncodedData data)
         {
-
+            Oid = data.Oid;
         }
 
-        public Oid DigestAlgorithm => new Oid(_signerInfo.HashAlgorithm.pszObjId);
-        public Oid HashEncryptionAlgorithm => new Oid(_signerInfo.HashEncryptionAlgorithm.pszObjId);
-
-        public byte[] SerialNumber
-        {
-            get
-            {
-                var buffer = new byte[_signerInfo.SerialNumber.cbData];
-                Marshal.Copy(_signerInfo.SerialNumber.pbData, buffer, 0, buffer.Length);
-                return buffer;
-            }
-        }
+        public Oid Oid { get; }
 
-        public void Dispose()
-        {
-            Dispose(true);
-            GC.SuppressFinalize(this);
-        }
+        public abstract Oid DigestAlgorithm { get; }
+        public abstract Oid HashEncryptionAlgorithm { get; }
+        public abstract CryptographicAttributeObjectCollection UnsignedAttributes { get; }
+        public abstract CryptographicAttributeObjectCollection SignedAttributes { get; }
+        public abstract byte[] SerialNumber { get; }
 
-        public virtual void Dispose(bool disposing)
+        internal byte[] ReadBlob(CRYPTOAPI_BLOB blob)
         {
+            var buffer = new byte[blob.cbData];
+            Marshal.Copy(blob.pbData, buffer, 0, buffer.Length);
+            return buffer;
         }
 
-        ~SignatureBase()
+        internal unsafe CryptographicAttributeObjectCollection ReadAttributes(CRYPT_ATTRIBUTES attributes)
         {
-            Dispose(false);
+            var collection = new CryptographicAttributeObjectCollection();
+            var attributeSize = Marshal.SizeOf<CRYPT_ATTRIBUTE>();
+            var blobSize = Marshal.SizeOf<CRYPTOAPI_BLOB>();
+            for (var i = 0; i < attributes.cAttr; i++)
+            {
+                var structure = Marshal.PtrToStructure<CRYPT_ATTRIBUTE>(attributes.rgAttr + (i * attributeSize));
+                var asnValues = new AsnEncodedDataCollection();
+                for(var j = 0; j < structure.cValue; j++)
+                {
+                    var blob = Marshal.PtrToStructure<CRYPTOAPI_BLOB>(structure.rgValue + j * blobSize);
+                    asnValues.Add(new AsnEncodedData(structure.pszObjId, ReadBlob(blob)));
+                }
+                collection.Add(new CryptographicAttributeObject(new Oid(structure.pszObjId), asnValues));
+            }
+            return collection;
         }
     }
 
-    public class AuthenticodeSignature : SignatureBase
+    public class AuthenticodeSignature : CounterSignatureBase
     {
+
+        public override Oid DigestAlgorithm { get; }
+        public override Oid HashEncryptionAlgorithm { get; }
+        public override CryptographicAttributeObjectCollection UnsignedAttributes { get; }
+        public override CryptographicAttributeObjectCollection SignedAttributes { get; }
+        public override byte[] SerialNumber { get; }
+
         public unsafe AuthenticodeSignature(AsnEncodedData data) : base(data)
         {
             fixed (byte* dataPtr = data.RawData)
             {
-                LocalBufferSafeHandle ptr;
                 uint size = 0;
-                if (Crypt32.CryptDecodeObjectEx(EncodingType.PKCS_7_ASN_ENCODING | EncodingType.X509_ASN_ENCODING, (IntPtr)500, new IntPtr(dataPtr), (uint)data.RawData.Length, CryptDecodeFlags.CRYPT_DECODE_ALLOC_FLAG, IntPtr.Zero, out ptr, ref size))
+                LocalBufferSafeHandle localBuffer;
+                if (Crypt32.CryptDecodeObjectEx(EncodingType.PKCS_7_ASN_ENCODING | EncodingType.X509_ASN_ENCODING, (IntPtr)500, new IntPtr(dataPtr), (uint)data.RawData.Length, CryptDecodeFlags.CRYPT_DECODE_ALLOC_FLAG, IntPtr.Zero, out localBuffer, ref size))
                 {
-                    using (ptr)
+                    using (localBuffer)
                     {
-                        _signerInfo = Marshal.PtrToStructure<CMSG_SIGNER_INFO>(ptr.DangerousGetHandle());
+                        var signerInfo = Marshal.PtrToStructure<CMSG_SIGNER_INFO>(localBuffer.DangerousGetHandle());
+                        DigestAlgorithm = new Oid(signerInfo.HashAlgorithm.pszObjId);
+                        HashEncryptionAlgorithm = new Oid(signerInfo.HashEncryptionAlgorithm.pszObjId);
+                        SerialNumber = ReadBlob(signerInfo.SerialNumber);
+                        UnsignedAttributes = ReadAttributes(signerInfo.UnauthAttrs);
+                        SignedAttributes = ReadAttributes(signerInfo.AuthAttrs);
                     }
                 }
                 else
@@ -68,10 +92,14 @@ public unsafe AuthenticodeSignature(AsnEncodedData data) : base(data)
         }
     }
 
-    public class Rfc3161Signature : SignatureBase
+    public class Rfc3161Signature : CounterSignatureBase
     {
-        private readonly X509Store _certificates;
-        private readonly CryptMsgSafeHandle _messageHandle;
+        public override Oid DigestAlgorithm { get; }
+        public override Oid HashEncryptionAlgorithm { get; }
+        public override CryptographicAttributeObjectCollection UnsignedAttributes { get; }
+        public override CryptographicAttributeObjectCollection SignedAttributes { get; }
+        public override byte[] SerialNumber { get; }
+        public X509Store Certificates { get; }
 
         public unsafe Rfc3161Signature(AsnEncodedData data) : base(data)
         {
@@ -111,39 +139,36 @@ public unsafe Rfc3161Signature(AsnEncodedData data) : base(data)
                 }
                 try
                 {
-                    _certificates = new X509Store(store.DangerousGetHandle());
-                    _messageHandle = msgHandle;
+                    Certificates = new X509Store(store.DangerousGetHandle());
                     var size = 0u;
-                    if (!Crypt32.CryptMsgGetParam(_messageHandle, CryptMsgParamType.CMSG_SIGNER_INFO_PARAM, 0, LocalBufferSafeHandle.Zero, ref size))
+                    if (!Crypt32.CryptMsgGetParam(msgHandle, CryptMsgParamType.CMSG_SIGNER_INFO_PARAM, 0, LocalBufferSafeHandle.Zero, ref size))
+                    {
+                        Certificates.Dispose();
+                        throw new InvalidOperationException("Unable to read signer information.");
+                    }
+                    var localBuffer = LocalBufferSafeHandle.Alloc(size);
+                    if (!Crypt32.CryptMsgGetParam(msgHandle, CryptMsgParamType.CMSG_SIGNER_INFO_PARAM, 0, localBuffer, ref size))
                     {
-                        _messageHandle.Dispose();
+                        Certificates.Dispose();
+                        localBuffer.Dispose();
                         throw new InvalidOperationException("Unable to read signer information.");
                     }
-                    using (var localBuffer = LocalBufferSafeHandle.Alloc(size))
+                    using (localBuffer)
                     {
-                        if (!Crypt32.CryptMsgGetParam(_messageHandle, CryptMsgParamType.CMSG_SIGNER_INFO_PARAM, 0, localBuffer, ref size))
-                        {
-                            _messageHandle.Dispose();
-                            throw new InvalidOperationException("Unable to read signer information.");
-                        }
-                        _signerInfo = Marshal.PtrToStructure<CMSG_SIGNER_INFO>(localBuffer.DangerousGetHandle());
+                        var signerInfo = Marshal.PtrToStructure<CMSG_SIGNER_INFO>(localBuffer.DangerousGetHandle());
+                        DigestAlgorithm = new Oid(signerInfo.HashAlgorithm.pszObjId);
+                        HashEncryptionAlgorithm = new Oid(signerInfo.HashEncryptionAlgorithm.pszObjId);
+                        SerialNumber = ReadBlob(signerInfo.SerialNumber);
+                        UnsignedAttributes = ReadAttributes(signerInfo.UnauthAttrs);
+                        SignedAttributes = ReadAttributes(signerInfo.AuthAttrs);
                     }
                 }
                 finally
                 {
+                    msgHandle.Dispose();
                     store.Dispose();
                 }
             }
         }
-
-
-        public override void Dispose(bool disposing)
-        {
-            if (disposing)
-            {
-                _messageHandle.Dispose();
-                _certificates.Dispose();
-            }
-        }
     }
 }

AuthenticodeLint/Rules/CertificateChainRuleBase.cs

@@ -2,15 +2,15 @@
 
 namespace AuthenticodeLint.Rules
 {
-    public abstract class CertificateChainRuleBase : IAuthenticodeRule
+    public abstract class CertificateChainRuleBase : IAuthenticodeSignatureRule
     {
         public abstract int RuleId { get; }
         public abstract string RuleName { get; }
         public abstract string ShortDescription { get; }
 
         protected abstract bool ValidateChain(Signature signer, X509Chain chain, SignatureLogger verboseWriter);
 
-        public RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration, string file)
+        public RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
         {
             var signatures = graph.VisitAll();
             var result = RuleResult.Pass;

AuthenticodeLint/Rules/IAuthenticodeRule.cs

@@ -5,6 +5,15 @@ public interface IAuthenticodeRule
         int RuleId { get; }
         string ShortDescription { get; }
         string RuleName { get; }
-        RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration, string file);
+    }
+
+    public interface IAuthenticodeSignatureRule : IAuthenticodeRule
+    {
+        RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration);
+    }
+
+    public interface IAuthenticodeFileRule : IAuthenticodeRule
+    {
+        RuleResult Validate(string file, SignatureLogger verboseWriter, CheckConfiguration configuration);
     }
 }