-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsign.go
More file actions
65 lines (61 loc) · 2.16 KB
/
sign.go
File metadata and controls
65 lines (61 loc) · 2.16 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
package authenticode
import (
"crypto"
"crypto/x509"
"errors"
"fmt"
)
// Signer is a signing key bundled with the certificate (and the rest
// of the chain) that asserts its public key. hsm.Key from
// github.com/KarpelesLab/hsm v0.2.5+ satisfies it directly — an
// IDPrime smart-card key plugs in without conversion.
//
// CertificateChain must return the chain leaf-first; intermediates
// and (optionally) the root follow. When the slice is empty Sign
// falls back to Certificate() and signs with a single-element chain.
type Signer interface {
crypto.Signer
Certificate() *x509.Certificate
CertificateChain() []*x509.Certificate
}
// Sign produces a Microsoft Authenticode signature over the given PE
// image, embeds it as a WIN_CERTIFICATE in the file, and returns the
// new bytes. The signing key + cert chain are supplied through
// Signer. If opts.TSAURL is set, an RFC 3161 timestamp from that
// authority is fetched and embedded in the SignerInfo's unsigned
// attributes.
//
// The input slice is not modified.
func Sign(pe []byte, signer Signer, opts SignOptions) ([]byte, error) {
chain := signer.CertificateChain()
if len(chain) == 0 {
leaf := signer.Certificate()
if leaf == nil {
return nil, errors.New("authenticode: signer has neither certificate nor chain")
}
chain = []*x509.Certificate{leaf}
}
return SignWithChain(pe, signer, chain, opts)
}
// SignWithChain is the lower-level entry point: pass a raw
// crypto.Signer plus the certificate chain explicitly (leaf first).
// Useful when the chain comes from somewhere other than the Signer.
func SignWithChain(pe []byte, signer crypto.Signer, chain []*x509.Certificate, opts SignOptions) ([]byte, error) {
if opts.Hash == 0 {
opts.Hash = crypto.SHA256
}
p, err := Parse(pe)
if err != nil {
return nil, fmt.Errorf("parse PE: %w", err)
}
peDigest := p.AuthenticodeDigest(opts.Hash.New())
spc, err := BuildSpcIndirectDataContent(peDigest, opts.Hash)
if err != nil {
return nil, fmt.Errorf("build SpcIndirectDataContent: %w", err)
}
cms, err := BuildSignedData(spc, signer, chain, opts)
if err != nil {
return nil, fmt.Errorf("build SignedData: %w", err)
}
return p.EmbedSignature(cms), nil
}