avast / authenticode-parser

Authenticode-parser is a simple C library for Authenticode format parsing using OpenSSL.
MIT License

PE CounterSignatures not parsed correctly in Microsoft signed drivers #16

Closed antonioCoco closed 9 months ago

antonioCoco commented 11 months ago

Hi,

it seems there is a bug in the library when parsing the countersignatures on Microsoft signed drivers.

If you try to run the authenticode_dumper code from your examples on a Microsoft signed driver, e.g. procexp.sys, you will get the following output:

C:\Users\user\authenticode-parser\examples\build\Debug>authenticode_dumper.exe procexp.sys
Signature count: 1
Signatures: 1
    PKCS7 Signature:
      Version           : 1
      Digest            : c7fef94e329bd9b66b281539265f989313356cbd9c345df9e670e9c4b6e0edce
      File Digest       : c7fef94e329bd9b66b281539265f989313356cbd9c345df9e670e9c4b6e0edce
      Digest Algorithm  : sha256
      Verify flags      : 0
      Certificate count : 2
      Certificates:

        Certificate 0:
              Version             : 2
              Subject             : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Hardware Compatibility Publisher
              Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Third Party Component CA 2012
              Serial              : 33:00:00:00:b2:0f:9a:d8:67:94:f3:22:f6:00:00:00:00:00:b2
              Not After           : 1638483330
              Not Before          : 1608070530
              SHA1                : 92d7192a7c3180912ff8414f790973a05c28f8b0
              SHA256              : f437f71e6c0028d7b4e4a371144e746735bdf478a410d9091a3751f2d1c14da0
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmfDL4fe7NfjXUg7jEEJhT/FiX2oUbbVl8zrItfdS5vC4FeB3NQ5adsXD+VVRxaP7fVSZ9Rg8yXGuL7JG3ggFEo8fty1YWTJ5DN2AdnctFq8h9ZYmyQ+VEiTVZ6amiQceJWjw/gb2Q3BjvjEpS+AA5Y3tqtWAqL/Zujm97XwlQ5DkgqzdUZuYFk3ZhkGVZf8yiKvzDtd96neBDy3xVsHjnjQ5JysNjxtVn4Mj9a8S7jzD80xdyLT79zNwdvCRkEsWCi1T+tAalU0miwcn5EEUMN91J495zKyBBVtG2v/epuqa106/Nv0t/l8FtTw5wtBispZ8UcZnjmzNCDIDKEcthwIDAQAB
        Certificate 1:
              Version             : 2
              Subject             : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Third Party Component CA 2012
              Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
              Serial              : 61:0b:aa:c1:00:00:00:00:00:09
              Not After           : 1808092718
              Not Before          : 1334792918
              SHA1                : 77a10ebf07542725218cd83a01b521c57bc67f73
              SHA256              : 9d08973e4d108da40a1a0b274180e17371134b4dd1621fa5c1f131b739b4b823
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo5wwhAmnYy7PCkfw6iT5ozAgD15XMSaBmjEHslDUzmcJCGUKWqVLrtXtEC7npZm1n2gvmItYAqwgtCnEcb0oHKX9PJtk5MXr32ElvPDuaL/Rp8t+KgKBTmRcDFOGeVcZN2G3mPkMoE4iWZv5Gy1nPCc8VpBm4/1/ZX0Phr01R+iKzPTajulqTqunVeyiiR7VM0VTy/med73NLPkFuH90AR3o+xjhQ9EN6arcN2+9/rgP7R1NAUZOCqz8gujsVoMTjjoB7RRkdOpksmYQtmhtyHAAfVBILj1D7uAklcbNjsf9uOSVz91++5VeoQHNQ7EH16Qw7puGGipuwQtZonRviwIDAQAB
      Signer Info:
        Digest       : 16efc5250c4d4a99a00ed2ad9a0e3d8fbc21da5be95ac35ad33b3d9c3f3719a1
        Digest Algo  : sha256
        Program name : Procexp
        Chain size   : 2
        Chain:
            Certificate 0:
                Version             : 2
                Subject             : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Hardware Compatibility Publisher
                Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Third Party Component CA 2012
                Serial              : 33:00:00:00:b2:0f:9a:d8:67:94:f3:22:f6:00:00:00:00:00:b2
                Not After           : 1638483330
                Not Before          : 1608070530
                SHA1                : 92d7192a7c3180912ff8414f790973a05c28f8b0
                SHA256              : f437f71e6c0028d7b4e4a371144e746735bdf478a410d9091a3751f2d1c14da0
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmfDL4fe7NfjXUg7jEEJhT/FiX2oUbbVl8zrItfdS5vC4FeB3NQ5adsXD+VVRxaP7fVSZ9Rg8yXGuL7JG3ggFEo8fty1YWTJ5DN2AdnctFq8h9ZYmyQ+VEiTVZ6amiQceJWjw/gb2Q3BjvjEpS+AA5Y3tqtWAqL/Zujm97XwlQ5DkgqzdUZuYFk3ZhkGVZf8yiKvzDtd96neBDy3xVsHjnjQ5JysNjxtVn4Mj9a8S7jzD80xdyLT79zNwdvCRkEsWCi1T+tAalU0miwcn5EEUMN91J495zKyBBVtG2v/epuqa106/Nv0t/l8FtTw5wtBispZ8UcZnjmzNCDIDKEcthwIDAQAB
            Certificate 1:
                Version             : 2
                Subject             : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Third Party Component CA 2012
                Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2010
                Serial              : 61:0b:aa:c1:00:00:00:00:00:09
                Not After           : 1808092718
                Not Before          : 1334792918
                SHA1                : 77a10ebf07542725218cd83a01b521c57bc67f73
                SHA256              : 9d08973e4d108da40a1a0b274180e17371134b4dd1621fa5c1f131b739b4b823
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo5wwhAmnYy7PCkfw6iT5ozAgD15XMSaBmjEHslDUzmcJCGUKWqVLrtXtEC7npZm1n2gvmItYAqwgtCnEcb0oHKX9PJtk5MXr32ElvPDuaL/Rp8t+KgKBTmRcDFOGeVcZN2G3mPkMoE4iWZv5Gy1nPCc8VpBm4/1/ZX0Phr01R+iKzPTajulqTqunVeyiiR7VM0VTy/med73NLPkFuH90AR3o+xjhQ9EN6arcN2+9/rgP7R1NAUZOCqz8gujsVoMTjjoB7RRkdOpksmYQtmhtyHAAfVBILj1D7uAklcbNjsf9uOSVz91++5VeoQHNQ7EH16Qw7puGGipuwQtZonRviwIDAQAB

      Countersignature:
        Digest           :         Digest Algorithm : (null)
        Signing Time     : 0
        Verify flags     : 1

As you can see, the Verify flags field is set to COUNTERSIGNATURE_VFY_CANT_PARSE in the parsed countersignature. BTW, this bug happens with any driver signed by Microsoft: you can pick any driver with a signature in the C:\Windows\System32\drivers directory and the same unwanted behavior happens.

When using the "Digital Signatures" tab from Explorer in Windows, you can see that it correctly parses the countersignature from Microsoft-signed drivers. Below is an example for the procexp.sys driver:

[Screenshot: Explorer "Digital Signatures" tab for procexp.sys]

Instead, the parsing of countersignatures from non-Microsoft-signed drivers works properly, e.g. kprocesshacker.sys:

C:\Users\user\authenticode-parser\examples\build\Debug>authenticode_dumper.exe kprocesshacker.sys
Signature count: 2
Signatures: 2
    PKCS7 Signature:
      Version           : 1
      Digest            : c2b8c1b34f09a91efe196f646ef7f9a11190fb8e
      File Digest       : c2b8c1b34f09a91efe196f646ef7f9a11190fb8e
      Digest Algorithm  : sha1
      Verify flags      : 0
      Certificate count : 5
      Certificates:

        Certificate 0:
              Version             : 2
              Subject             : /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
              Serial              : 0f:f1:ef:66:bd:62:1c:65:b7:4b:4d:e4:14:25:71:7f
              Not After           : 1483531200
              Not Before          : 1383091200
              SHA1                : 32387aec09eb287f202e98398189b460f4c61a0d
              SHA256              : e0e85619eef45fce4421e4ba581060e43bbbf25911cd757dd081da425dd1db51
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzC6hUkkJzCLvNEPcQaaYoB8PaRozspKlcyZOHbniq8RG4T75JML2HAB73BzZrlqp5IZR8sD7LRqUy74TqMb3g2MeJxk/lTa/QJg4I1Ky+cfiFG7+MdVvxtEPCkVUnHpsv7QCSDEKwmztSsFpGpv3PgXjAZlKqQ9wNpSjuuUPr3acok+heA7wotXwbZ8MM0zDuab7DbWHAAjxOGsfHbDu6MSNiUPJCBAqkqOH7hcnJKMSGxG8jBWaCIrXOl7tBKDg5u3vNG0sU7+QCd59WR9TnNS3uRlyFpU9/3lw/0ZenDNoSgbT7Gy0x6N9jYSENjwS1Zf77E2HnXPE4q8vhEgYuwIDAQAB
        Certificate 1:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
              Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Verification Root
              Serial              : 61:20:4d:b4:00:00:00:00:00:27
              Not After           : 1618516533
              Not Before          : 1302896733
              SHA1                : 2f2513af3992db0a3f79709ff8143b3f7bd2d143
              SHA256              : 766e3fdc0bc1fd22dd9aafecf8248760e50375fdad3d8959b2a6d487a8a05fca
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/lgT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhLywIDAQAB
        Certificate 2:
              Version             : 2
              Subject             : /C=US/O=DigiCert/CN=DigiCert Timestamp Responder
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
              Serial              : 03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
              Not After           : 1729555200
              Not Before          : 1413936000
              SHA1                : 614d271d9102e30169822487fde5de00a352b01d
              SHA256              : 34bb219c2589b1d7658503e1246b013606d00f6b00310e7a4087ea2098832596
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo2Rd/Hyz4II14OD2xirmSXU7zG7gU6mfH2RZ5nxrf2uMnVX4kuOe1VpjWwJJUNmDzm9m7t3LhelfpfnUh3SIRDsZyeX1kZ/GFDmsJOqoSyyRicxeKPRktlC39RKzc5YKZ6O+YZ+u8/0SeHUOplsU/UUjjoZEVX0YhgWMVYd5SEb3yg6Np95OX+Koti1ZAmGIYXIYaLm4fO7m5zQvMXeBMB+7NgGN7yfj95rwTDFkjePr+hmHqH7P7IwMNlt6wXq4eMfJBi5GEMiN6ARg27xzdPpO2P6qQPGyznBGg+naQKFZOtkVCVeZVjCT88lhzNAIzGvsYkKRrALA76TwiRGPdwIDAQAB
        Certificate 3:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
              Serial              : 02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
              Not After           : 1770724800
              Not Before          : 1297425600
              SHA1                : e308f829dc77e80af15edd4151ea47c59399ab46
              SHA256              : 007d2c8b15786232bac0eaa31f60aae06dc572921bad0d46c77107d8c2dca4b3
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxfkj5pQnxIAUpIAyX0CjjW9wwOU2cXE6daSqGpKUiV6sI3HLTmd9QT+q40u3e76dwag4j2kvOiTpd1kSx2YEQ8INJoKJQBnyLOrnTOd8BRq4/4gJTyY37zqk+iJsiMlKG2HyrhBeb7zReZtZGGDl7im1AyqkzvGDGU9pBXMoCfsiEJMioJAZGkwx8tMr2IRDrzxj/5jbINIJK1TB6v1qg+cQoxJx9dbX4RJ61eBWWs7qAVtoZVvBP1hSM6k1YU4iy4HKNqMSywbWzxtNGH65krkSz0Am2Jo2hbMVqkeThGsHu7zVs94lABGJAGjBKTzqPi3uUKvXHDAGeDylECNnkQIDAQAB
        Certificate 4:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
              Serial              : 06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
              Not After           : 1636502400
              Not Before          : 1163116800
              SHA1                : 19a09b5a36f4dd99727df783c17a51231a56c117
              SHA256              : 425e72c87ff22855d9908b71ab4c64b0d2f248287097690c62fe733f631de38f
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6IItmfnKwkKVpYBzQHDSnlZUXKnE0kEGj8kz/E1FkVyBn+0snPgWWd+etSQVwpi5tHdJ3InECtqvy15r7a2wcTHrzzpADEZNk+yLejYIA6sMNP4YSYL+x8cxSIB8HqIPkg5QycaH6zY/2DDD/6b3+6LNb3Mj/qxWBZDwMiEWicZwiPkFl32jx0PdAug7Pe2xQaPtP77blUjE7h6z8rwMK5nQxl0SQoHhg26Ccz8mSxSQrllmCsSNvtLOBq6thG9IhJtPQLnxTPKvmPv2zkBdXPao8S+v7Iki8msYZbHBc63X8djPHgp0XEK4aH631XcKJ1Z8D2KkPzIUYJX9BwSiCQIDAQAB
      Signer Info:
        Digest       : 9bb6c4bf0a838bf7ea75e48e9e82581deb6d48ed
        Digest Algo  : sha1
        Program name : (null)
        Chain size   : 3
        Chain:
            Certificate 0:
                Version             : 2
                Subject             : /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
                Serial              : 0f:f1:ef:66:bd:62:1c:65:b7:4b:4d:e4:14:25:71:7f
                Not After           : 1483531200
                Not Before          : 1383091200
                SHA1                : 32387aec09eb287f202e98398189b460f4c61a0d
                SHA256              : e0e85619eef45fce4421e4ba581060e43bbbf25911cd757dd081da425dd1db51
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzC6hUkkJzCLvNEPcQaaYoB8PaRozspKlcyZOHbniq8RG4T75JML2HAB73BzZrlqp5IZR8sD7LRqUy74TqMb3g2MeJxk/lTa/QJg4I1Ky+cfiFG7+MdVvxtEPCkVUnHpsv7QCSDEKwmztSsFpGpv3PgXjAZlKqQ9wNpSjuuUPr3acok+heA7wotXwbZ8MM0zDuab7DbWHAAjxOGsfHbDu6MSNiUPJCBAqkqOH7hcnJKMSGxG8jBWaCIrXOl7tBKDg5u3vNG0sU7+QCd59WR9TnNS3uRlyFpU9/3lw/0ZenDNoSgbT7Gy0x6N9jYSENjwS1Zf77E2HnXPE4q8vhEgYuwIDAQAB
            Certificate 1:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
                Serial              : 02:c4:d1:e5:8a:4a:68:0c:56:8d:a3:04:7e:7e:4d:5f
                Not After           : 1770724800
                Not Before          : 1297425600
                SHA1                : e308f829dc77e80af15edd4151ea47c59399ab46
                SHA256              : 007d2c8b15786232bac0eaa31f60aae06dc572921bad0d46c77107d8c2dca4b3
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxfkj5pQnxIAUpIAyX0CjjW9wwOU2cXE6daSqGpKUiV6sI3HLTmd9QT+q40u3e76dwag4j2kvOiTpd1kSx2YEQ8INJoKJQBnyLOrnTOd8BRq4/4gJTyY37zqk+iJsiMlKG2HyrhBeb7zReZtZGGDl7im1AyqkzvGDGU9pBXMoCfsiEJMioJAZGkwx8tMr2IRDrzxj/5jbINIJK1TB6v1qg+cQoxJx9dbX4RJ61eBWWs7qAVtoZVvBP1hSM6k1YU4iy4HKNqMSywbWzxtNGH65krkSz0Am2Jo2hbMVqkeThGsHu7zVs94lABGJAGjBKTzqPi3uUKvXHDAGeDylECNnkQIDAQAB
            Certificate 2:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
                Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Verification Root
                Serial              : 61:20:4d:b4:00:00:00:00:00:27
                Not After           : 1618516533
                Not Before          : 1302896733
                SHA1                : 2f2513af3992db0a3f79709ff8143b3f7bd2d143
                SHA256              : 766e3fdc0bc1fd22dd9aafecf8248760e50375fdad3d8959b2a6d487a8a05fca
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/lgT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhLywIDAQAB

      Countersignature:
        Digest           : e0e1b26a21dda2a4d57236182a51cd3162e502fa
        Digest Algorithm : sha1
        Signing Time     : 1459189265
        Verify flags     : 0
        Chain size       : 2
        Chain:
            Certificate 0:
                Version             : 2
                Subject             : /C=US/O=DigiCert/CN=DigiCert Timestamp Responder
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
                Serial              : 03:01:9a:02:3a:ff:58:b1:6b:d6:d5:ea:e6:17:f0:66
                Not After           : 1729555200
                Not Before          : 1413936000
                SHA1                : 614d271d9102e30169822487fde5de00a352b01d
                SHA256              : 34bb219c2589b1d7658503e1246b013606d00f6b00310e7a4087ea2098832596
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo2Rd/Hyz4II14OD2xirmSXU7zG7gU6mfH2RZ5nxrf2uMnVX4kuOe1VpjWwJJUNmDzm9m7t3LhelfpfnUh3SIRDsZyeX1kZ/GFDmsJOqoSyyRicxeKPRktlC39RKzc5YKZ6O+YZ+u8/0SeHUOplsU/UUjjoZEVX0YhgWMVYd5SEb3yg6Np95OX+Koti1ZAmGIYXIYaLm4fO7m5zQvMXeBMB+7NgGN7yfj95rwTDFkjePr+hmHqH7P7IwMNlt6wXq4eMfJBi5GEMiN6ARg27xzdPpO2P6qQPGyznBGg+naQKFZOtkVCVeZVjCT88lhzNAIzGvsYkKRrALA76TwiRGPdwIDAQAB
            Certificate 1:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
                Serial              : 06:fd:f9:03:96:03:ad:ea:00:0a:eb:3f:27:bb:ba:1b
                Not After           : 1636502400
                Not Before          : 1163116800
                SHA1                : 19a09b5a36f4dd99727df783c17a51231a56c117
                SHA256              : 425e72c87ff22855d9908b71ab4c64b0d2f248287097690c62fe733f631de38f
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6IItmfnKwkKVpYBzQHDSnlZUXKnE0kEGj8kz/E1FkVyBn+0snPgWWd+etSQVwpi5tHdJ3InECtqvy15r7a2wcTHrzzpADEZNk+yLejYIA6sMNP4YSYL+x8cxSIB8HqIPkg5QycaH6zY/2DDD/6b3+6LNb3Mj/qxWBZDwMiEWicZwiPkFl32jx0PdAug7Pe2xQaPtP77blUjE7h6z8rwMK5nQxl0SQoHhg26Ccz8mSxSQrllmCsSNvtLOBq6thG9IhJtPQLnxTPKvmPv2zkBdXPao8S+v7Iki8msYZbHBc63X8djPHgp0XEK4aH631XcKJ1Z8D2KkPzIUYJX9BwSiCQIDAQAB
    PKCS7 Signature:
      Version           : 1
      Digest            : 4ee2a56c1592ff0e951b452c0de064eba05b7c98e3add04c8aa3b4a84eb797a5
      File Digest       : 4ee2a56c1592ff0e951b452c0de064eba05b7c98e3add04c8aa3b4a84eb797a5
      Digest Algorithm  : sha256
      Verify flags      : 0
      Certificate count : 5
      Certificates:

        Certificate 0:
              Version             : 2
              Subject             : /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Code Signing CA
              Serial              : 04:0c:b4:1e:4f:b3:70:c4:5c:43:44:76:51:62:58:2f
              Not After           : 1483531200
              Not Before          : 1383091200
              SHA1                : 190d956129dde6972d46f46ef98bd86b982e6633
              SHA256              : 389084bb9e1f6785a7b7da4cb87872738ab2f92cd88b286f2690bd46e3912bdf
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6jor1kqBfPVDjZm64mVUho73UESY7KBufTQyz3fffWb8VU1wJsKrjn27djaWN2rDsrOst7e8P2dbXcenQWuUeYCJ42kwkMvKwfPBAsAoEZdYRP2o7arvQSz5Lainr2U1pXPKLvZX9z7BixSAD1jbGT4aMoCWh8luBzVr267EWHA9XKXMsFmr0G4e1mw2uVbmyXbVrRE/FJfREA7X7ACN1PRn5aloKVHhxnIPaZbkQUBsdQAlhQxgASK4KajpTIxkjcak4Xasel57Bq7pho0x3CALYrWiTjTjFSuboY9OsVJ1nJ7t5S2a+7w0HARwvCiXdiHXEekfo42KdVkz0l5hQIDAQAB
        Certificate 1:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
              Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Verification Root
              Serial              : 61:20:4d:b4:00:00:00:00:00:27
              Not After           : 1618516533
              Not Before          : 1302896733
              SHA1                : 2f2513af3992db0a3f79709ff8143b3f7bd2d143
              SHA256              : 766e3fdc0bc1fd22dd9aafecf8248760e50375fdad3d8959b2a6d487a8a05fca
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha1WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/lgT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhLywIDAQAB
        Certificate 2:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Code Signing CA
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
              Serial              : 0b:7e:10:90:3c:38:49:0f:fa:2f:67:9a:87:a1:a7:b9
              Not After           : 1855828800
              Not Before          : 1382443200
              SHA1                : f7e0f449f1a2594f88856c0758f8e6f627e5f5a2
              SHA256              : c51b83a0de49a201a5fbe947032c04702f8ca7c2d02adf28b73d42c8acd1c362
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEpefQcPQd7E9XYWNr1x/88/T3NLnNEN/krLV1hehRbdAhVUmfCPPC9NAngQaMjYNUs/wfdnzpgcrjO5LR2kClSTxIWi3zWx9fE8p7M0+11IyUbJYkS8SJnrKElTwz2PwA7eNZjpYlHfPWtAYe4EQdrPp1xWltH5TLdEhIeYaeWCuRPmVb/IknCSCjFvf4syq89rWp9ixD7uvu1ZpFN/C/FSiIp7Cmcky5DN7NJNNEyw4bWfnMb2byzN5spTdAGfZzXeOEktzu05RIIZeU4asrX7u3jwSWanz/pclnWSixpy2f9QklPMPsJDMgkahhNpPPuBMjMyZHVzKCYdCDA7BwIDAQAB
        Certificate 3:
              Version             : 2
              Subject             : /C=US/O=DigiCert, Inc./CN=DigiCert SHA2 Timestamp Responder
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
              Serial              : 02:ce:42:94:59:02:a4:f3:c0:40:b0:ff:77:93:d1:4f
              Not After           : 1736208000
              Not Before          : 1450915200
              SHA1                : c636f4dda87cee3d8263bf9a2514b4533468d75e
              SHA256              : 20e260ee55c80a37fca0c7fdeef8577a3a6391bc3e5234b5f3d492d0c37b3a9c
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAytybsxHNriB6ZXIsNS/eOfkoJJHRlOWg1B5eaAw4KLd4vZ6f8fKl3hDMoDgBAal6F7CAgS2wwYQCFv0QduxHLE1ulijQZQQRXXjIFx+MTodXHSHr7BznzH80+OGvK6xmrgopN+3WBY+8DdxrmS4chK5ww2q3LlhLEcemUDr7FhvwBjnwmos4IQ9iXiodhej3h8r9xxfYrlgnRxZGdPA7efnBqHMotvkM38WK8c7AnPjLRR9+Gyr8+94epelj3Sp/vJdCIhPwVAvQSlxLCB7s/+det0fbot9TvhmeR82C49Z4NiQGLEI+BuQGb7xcx0/bItXlyKqerRfIz/XT1uR2gQIDAQAB
        Certificate 4:
              Version             : 2
              Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
              Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
              Serial              : 0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
              Not After           : 1925553600
              Not Before          : 1452168000
              SHA1                : 3ba63a6e4841355772debef9cdcf4d5af353a297
              SHA256              : ca8d0f4736454aecbec5deec80998c9ebf41d06c728f3c76cca24151bc62d463
              Key Algorithm       : rsaEncryption
              Signature Algorithm : sha256WithRSAEncryption
              Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvdAy7kvNj3/dqbqCmcU5VChXtiNKxA4HRTNREH3Q+X1NaH7ntqD0jbOI5Je/YyGQmL8TvFfTw+F+CNZqFAA49y4eO+7MpvYyWf5fZT/gm+vjRkcGGlV+Cyd+wKL1oODeIj8O/36V+/OjuiI+GKwR5PCZA207hXwJ0+5dyJoLVOOoCXFr4M8iEA91z3FyTgqt30A6XLdR4aF5FMZNJCMwXbzsPGBqrC8HzP3w6kfZiFBe/WZuVmEnKYmEUeaC50ZQ/ZQqLKfkdT66mA+Ef58xFNat1fJky3seBdCEGXIX8RcG7z3N1k3vBkL9olMqT4UdxB08r8/arBD13ays6Vb/kwIDAQAB
      Signer Info:
        Digest       : 1939ad5ec9ec5c1ac5b360973aadb5b2308b8e98f36f9684bc874b56b67d6657
        Digest Algo  : sha256
        Program name : (null)
        Chain size   : 3
        Chain:
            Certificate 0:
                Version             : 2
                Subject             : /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Code Signing CA
                Serial              : 04:0c:b4:1e:4f:b3:70:c4:5c:43:44:76:51:62:58:2f
                Not After           : 1483531200
                Not Before          : 1383091200
                SHA1                : 190d956129dde6972d46f46ef98bd86b982e6633
                SHA256              : 389084bb9e1f6785a7b7da4cb87872738ab2f92cd88b286f2690bd46e3912bdf
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl6jor1kqBfPVDjZm64mVUho73UESY7KBufTQyz3fffWb8VU1wJsKrjn27djaWN2rDsrOst7e8P2dbXcenQWuUeYCJ42kwkMvKwfPBAsAoEZdYRP2o7arvQSz5Lainr2U1pXPKLvZX9z7BixSAD1jbGT4aMoCWh8luBzVr267EWHA9XKXMsFmr0G4e1mw2uVbmyXbVrRE/FJfREA7X7ACN1PRn5aloKVHhxnIPaZbkQUBsdQAlhQxgASK4KajpTIxkjcak4Xasel57Bq7pho0x3CALYrWiTjTjFSuboY9OsVJ1nJ7t5S2a+7w0HARwvCiXdiHXEekfo42KdVkz0l5hQIDAQAB
            Certificate 1:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Code Signing CA
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
                Serial              : 0b:7e:10:90:3c:38:49:0f:fa:2f:67:9a:87:a1:a7:b9
                Not After           : 1855828800
                Not Before          : 1382443200
                SHA1                : f7e0f449f1a2594f88856c0758f8e6f627e5f5a2
                SHA256              : c51b83a0de49a201a5fbe947032c04702f8ca7c2d02adf28b73d42c8acd1c362
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEpefQcPQd7E9XYWNr1x/88/T3NLnNEN/krLV1hehRbdAhVUmfCPPC9NAngQaMjYNUs/wfdnzpgcrjO5LR2kClSTxIWi3zWx9fE8p7M0+11IyUbJYkS8SJnrKElTwz2PwA7eNZjpYlHfPWtAYe4EQdrPp1xWltH5TLdEhIeYaeWCuRPmVb/IknCSCjFvf4syq89rWp9ixD7uvu1ZpFN/C/FSiIp7Cmcky5DN7NJNNEyw4bWfnMb2byzN5spTdAGfZzXeOEktzu05RIIZeU4asrX7u3jwSWanz/pclnWSixpy2f9QklPMPsJDMgkahhNpPPuBMjMyZHVzKCYdCDA7BwIDAQAB
            Certificate 2:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
                Issuer              : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Verification Root
                Serial              : 61:20:4d:b4:00:00:00:00:00:27
                Not After           : 1618516533
                Not Before          : 1302896733
                SHA1                : 2f2513af3992db0a3f79709ff8143b3f7bd2d143
                SHA256              : 766e3fdc0bc1fd22dd9aafecf8248760e50375fdad3d8959b2a6d487a8a05fca
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha1WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxszlc+b71LvlLS0ypt/lgT/JzSVJtnEqw9WUNGeiChywX2mmQLHEt7KP0JikqUFZOtPclNY823Q4pErMTSWC90qlUxI47vNJbXGRfmO2q6Zfw6SE+E9iUb74xezbOJLjBuUIkQzEKEFV+8taiRV+ceg1v01yCT2+OjhQW3cxG42zxyRFmqesbQAUWgS3uhPrUQqYQUEiTmVhh4FBUKZ5XIneGUpX1S7mXRxTLH6YzRoGFqRoc9A0BBNcoXHTWnxV215k4TeHMFYE5RG0KYAS8Xk5iKICEXwnZreIt3jyygqoOKsKZMK/Zl2VhMGhJR6HXRpQCyASzEG7bgtROLhLywIDAQAB

      Countersignature:
        Digest           : 8d2adfc11c43947d5ea6b7e81429acf0429930be60fd70c41c26e8e7c5b17aee
        Digest Algorithm : sha256
        Signing Time     : 1459189265
        Verify flags     : 0
        Chain size       : 2
        Chain:
            Certificate 0:
                Version             : 2
                Subject             : /C=US/O=DigiCert, Inc./CN=DigiCert SHA2 Timestamp Responder
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
                Serial              : 02:ce:42:94:59:02:a4:f3:c0:40:b0:ff:77:93:d1:4f
                Not After           : 1736208000
                Not Before          : 1450915200
                SHA1                : c636f4dda87cee3d8263bf9a2514b4533468d75e
                SHA256              : 20e260ee55c80a37fca0c7fdeef8577a3a6391bc3e5234b5f3d492d0c37b3a9c
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAytybsxHNriB6ZXIsNS/eOfkoJJHRlOWg1B5eaAw4KLd4vZ6f8fKl3hDMoDgBAal6F7CAgS2wwYQCFv0QduxHLE1ulijQZQQRXXjIFx+MTodXHSHr7BznzH80+OGvK6xmrgopN+3WBY+8DdxrmS4chK5ww2q3LlhLEcemUDr7FhvwBjnwmos4IQ9iXiodhej3h8r9xxfYrlgnRxZGdPA7efnBqHMotvkM38WK8c7AnPjLRR9+Gyr8+94epelj3Sp/vJdCIhPwVAvQSlxLCB7s/+det0fbot9TvhmeR82C49Z4NiQGLEI+BuQGb7xcx0/bItXlyKqerRfIz/XT1uR2gQIDAQAB
            Certificate 1:
                Version             : 2
                Subject             : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
                Issuer              : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
                Serial              : 0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
                Not After           : 1925553600
                Not Before          : 1452168000
                SHA1                : 3ba63a6e4841355772debef9cdcf4d5af353a297
                SHA256              : ca8d0f4736454aecbec5deec80998c9ebf41d06c728f3c76cca24151bc62d463
                Key Algorithm       : rsaEncryption
                Signature Algorithm : sha256WithRSAEncryption
                Public key          : MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvdAy7kvNj3/dqbqCmcU5VChXtiNKxA4HRTNREH3Q+X1NaH7ntqD0jbOI5Je/YyGQmL8TvFfTw+F+CNZqFAA49y4eO+7MpvYyWf5fZT/gm+vjRkcGGlV+Cyd+wKL1oODeIj8O/36V+/OjuiI+GKwR5PCZA207hXwJ0+5dyJoLVOOoCXFr4M8iEA91z3FyTgqt30A6XLdR4aF5FMZNJCMwXbzsPGBqrC8HzP3w6kfZiFBe/WZuVmEnKYmEUeaC50ZQ/ZQqLKfkdT66mA+Ef58xFNat1fJky3seBdCEGXIX8RcG7z3N1k3vBkL9olMqT4UdxB08r8/arBD13ays6Vb/kwIDAQAB

I debugged the issue a bit and it seems the failure is here --> https://github.com/avast/authenticode-parser/blob/master/src/countersignature.c#L187. It seems that the OpenSSL function d2i_PKCS7 is not able to parse the data from the unauthenticated attribute.

Also, I suspect that this bug is causing an issue in the parsing of countersignatures in the "pe" module of yara, for which I already opened an issue here --> https://github.com/VirusTotal/yara/issues/2012

Thanks,

Antonio Cocomazzi
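
A triage helper for the output format quoted in the report above, as an added example (not part of the issue thread or of authenticode-parser): it parses `authenticode_dumper` text, copes with the fused `Digest : Digest Algorithm : (null)` line, and separates countersignatures that failed to parse (verify flags 1) from parsed ones, so that `Signing Time : 0` is never read as a timestamp. The class and function names and the abridged sample dumps are assumptions constructed from the output shown in the issue.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

CANT_PARSE = 1  # the issue names verify flags 1 as COUNTERSIGNATURE_VFY_CANT_PARSE

# "Digest Algorithm" must be tried before "Digest" so the longer label wins.
_FIELD = re.compile(r"(Digest Algorithm|Digest|Signing Time|Verify flags|Chain size)\s*:")
_BLOCK_END = {"", "Chain:", "PKCS7 Signature:", "Signer Info:"}


@dataclass
class Countersig:
    digest: str
    digest_alg: Optional[str]
    signing_time: Optional[int]
    verify_flags: Optional[int]
    chain_size: int

    @property
    def status(self) -> str:
        if self.verify_flags is None:
            return "incomplete"
        if self.verify_flags == 0:
            return "parsed"
        if self.verify_flags == CANT_PARSE:
            return "cant_parse"
        return f"verify_failed({self.verify_flags})"

    @property
    def trusted_time(self) -> Optional[int]:
        # The signing time only means something when verify flags is 0;
        # the 0 printed next to flags 1 is a placeholder, not a timestamp.
        return self.signing_time if self.verify_flags == 0 else None


def _to_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value and value.isdigit() else None


def _build(fields: Dict[str, str]) -> Countersig:
    alg = fields.get("Digest Algorithm")
    return Countersig(
        digest=fields.get("Digest", ""),
        digest_alg=None if alg in (None, "", "(null)") else alg,
        signing_time=_to_int(fields.get("Signing Time")),
        verify_flags=_to_int(fields.get("Verify flags")),
        chain_size=_to_int(fields.get("Chain size")) or 0,
    )


def parse_countersignatures(dump: str) -> List[Countersig]:
    """Return one Countersig per 'Countersignature:' block in dumper output."""
    blocks: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line == "Countersignature:":
            current = {}
            blocks.append(current)
            continue
        if current is None:
            continue  # Signer Info also has a "Digest" field; ignore it
        if line in _BLOCK_END:
            current = None  # certificate chain or next signature follows
            continue
        # A line can carry two fields when the first value is empty, as in
        # "Digest           :         Digest Algorithm : (null)".
        hits = list(_FIELD.finditer(line))
        for i, hit in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            current[hit.group(1)] = line[hit.end():end].strip()
    return [_build(b) for b in blocks]


# Constructed samples, abridged from the two dumps quoted in the issue.
SAMPLE_MS_DRIVER = """\
    PKCS7 Signature:
      Verify flags      : 0
      Signer Info:
        Digest       : 16efc5250c4d4a99a00ed2ad9a0e3d8fbc21da5be95ac35ad33b3d9c3f3719a1
        Digest Algo  : sha256

      Countersignature:
        Digest           :         Digest Algorithm : (null)
        Signing Time     : 0
        Verify flags     : 1
"""

SAMPLE_THIRD_PARTY = """\
      Countersignature:
        Digest           : e0e1b26a21dda2a4d57236182a51cd3162e502fa
        Digest Algorithm : sha1
        Signing Time     : 1459189265
        Verify flags     : 0
        Chain size       : 2
        Chain:
            Certificate 0:
                Signature Algorithm : sha1WithRSAEncryption
    PKCS7 Signature:
      Digest Algorithm  : sha256

      Countersignature:
        Digest           : 8d2adfc11c43947d5ea6b7e81429acf0429930be60fd70c41c26e8e7c5b17aee
        Digest Algorithm : sha256
        Signing Time     : 1459189265
        Verify flags     : 0
        Chain size       : 2
"""
```
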

metthal commented 10 months ago

Hi. Sorry for the late response. The first working version has been implemented in PR #17. It might need a little bit more extensive testing before merging though. Let me know if you run into any issues with the PR revision if you have a chance to test it out.

antonioCoco commented 10 months ago

@metthal tested your fix and it works well with all MS drivers I was able to test. Well done! :thumbsup:

metthal commented 9 months ago

Fixed with #17