Additionnal signatures not properly parsed

[mtartare]

When using uthenticode to parse the signatures of a PE that contains two signatures with the same certificate and different digest algorithms only the first signature is processed. PE executable signed using both SHA1 and SHA256 digest algorithms are quite common.

To reproduce the issue, with any PE with two signatures, using the svcli example and comparing with osslsigncode output: svcli ./PE.exe # only one signature is processed (the second -nested- signature is not) osslsigncode verify ./PE.exe # the two signatures are processed

Parsing nested signatures requires parsing OID 1.3.6.1.4.1.311.2.4.1 (Ms-SpcNestedSignature). See for example https://github.com/develar/osslsigncode/blob/master/osslsigncode.c#L1220

(uthenticode build from rev. 8b875741269cac25030543c4fb95a47640b1a94f)

[woodruffw]

Thanks for the report! Do you have a sample PE I could test with? If not, I can contrive one and attempt to repro.

[mtartare]

Of course, you can test with ProcessHacker.exe from https://github.com/processhacker/processhacker/releases/download/v2.39/processhacker-2.39-bin.zip

[woodruffw]

Thanks!

[woodruffw]

Confirmed locally, will attempt to fix today or tomorrow.

[woodruffw]

For future reference, the full osslsigncode output:

Current PE checksum   : 001B2B53
Calculated PE checksum: 001B2B53

Message digest algorithm  : SHA1
Current message digest    : 9253A6F72EE0E3970D5457E0F061FDB40B484F18
Calculated message digest : 9253A6F72EE0E3970D5457E0F061FDB40B484F18

Signature verification: ok

Number of signers: 1
    Signer #0:
        Subject: /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
        Serial : 0FF1EF66BD621C65B74B4DE41425717F

Number of certificates: 4
    Cert #0:
        Subject: /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
        Serial : 0FF1EF66BD621C65B74B4DE41425717F
    ------------------
    Cert #1:
        Subject: /C=US/O=DigiCert/CN=DigiCert Timestamp Responder
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
        Serial : 03019A023AFF58B16BD6D5EAE617F066
    ------------------
    Cert #2:
        Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
        Serial : 02C4D1E58A4A680C568DA3047E7E4D5F
    ------------------
    Cert #3:
        Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
        Serial : 06FDF9039603ADEA000AEB3F27BBBA1B

Message digest algorithm  : SHA256
Current message digest    : 33A755311B428C2063F983058DBF9E1648D00D5FEC4ADF00E0A34DDEE639F68B
Calculated message digest : 33A755311B428C2063F983058DBF9E1648D00D5FEC4ADF00E0A34DDEE639F68B

Signature verification: ok

Number of signers: 1
    Signer #0:
        Subject: /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Code Signing CA
        Serial : 040CB41E4FB370C45C4344765162582F

Number of certificates: 2
    Cert #0:
        Subject: /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Code Signing CA
        Serial : 040CB41E4FB370C45C4344765162582F
    ------------------
    Cert #1:
        Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Code Signing CA
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
        Serial : 0B7E10903C38490FFA2F679A87A1A7B9

Succeeded

...and svcli's output:

This PE is verified!

../ProcessHacker.exe has 1 certificate entries

Calculated checksums:
   MD5: ccd846e32538576d7118ce26db4581
  SHA1: 9253a6f72ee0e397d5457e0f061fdb4b484f18
SHA256: 33a755311b428c2063f98358dbf9e1648d0d5fec4adf0e0a34ddee639f68b

SignedData entry:
    Embedded checksum: 9253a6f72ee0e397d5457e0f061fdb4b484f18

    Signers:
        Subject: /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
        Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
        Serial: 0FF1EF66BD621C65B74B4DE41425717F

    Certificates:
        Subject: /C=AU/ST=New South Wales/L=Sydney/O=Wen Jia Liu/CN=Wen Jia Liu
        Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
        Serial: 0FF1EF66BD621C65B74B4DE41425717F

        Subject: /C=US/O=DigiCert/CN=DigiCert Timestamp Responder
        Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
        Serial: 03019A023AFF58B16BD6D5EAE617F066

        Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance Code Signing CA-1
        Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
        Serial: 02C4D1E58A4A680C568DA3047E7E4D5F

        Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
        Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
        Serial: 06FDF9039603ADEA000AEB3F27BBBA1B

    This SignedData is valid!

[woodruffw]

31 should fix this! The public API is SignedData::get_nested_signed_data().

[mtartare]

Perfect, thanks for the quick fix!

[woodruffw]

No problem, thanks for the report and sample!