From 1614a6e0f144c07f4566a19edc366763faa1448f Mon Sep 17 00:00:00 2001 From: Jeremy Kerr Date: Thu, 28 Jun 2012 12:38:34 +0800 Subject: [PATCH] tests: Add test for PE/COFF cert table header validity Add a test to check the validity of the certificate table header, ensuring that parsing the header gives us the valid certificate. Signed-off-by: Jeremy Kerr --- tests/Makefile.am | 3 +- tests/cert-table-header.sh | 71 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+), 1 deletion(-) create mode 100755 tests/cert-table-header.sh diff --git a/tests/Makefile.am b/tests/Makefile.am index c1bccd4..a2e80cc 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -43,7 +43,8 @@ TESTS = sign-verify.sh \ sign-missing-key.sh \ verify-missing-image.sh \ verify-missing-cert.sh \ - sign-invalidattach-verify.sh + sign-invalidattach-verify.sh \ + cert-table-header.sh EXTRA_DIST = $(test_lds) test.S $(TESTS) $(check_SCRIPTS) CLEANFILES = $(test_key) $(test_cert) $(test_image) diff --git a/tests/cert-table-header.sh b/tests/cert-table-header.sh new file mode 100755 index 0000000..60cb7c0 --- /dev/null +++ b/tests/cert-table-header.sh @@ -0,0 +1,71 @@ +#!/bin/bash -e + +. "$srcdir/common.sh" + +# Parse the data directory of a PE/COFF file and returns two hex values: +# the file offset and size of the signature table. +function sigtable_params() { + filename="$1" + objdump -p "$filename" | awk '/^Entry 4/ {print "0x"$3 " " "0x"$4}' +} + +# Extract the signature from a file containing a signature table, +# and write to stdout +function extract_sig() { + filename="$1" + cert_table_header_size=8 + + params=($(hexdump -n$cert_table_header_size \ + -e '/4 "%u " /2 "%04x " /2 "%04x\n"' \ + "$filename")) + cert_size=${params[0]} + cert_revision=${params[1]} + cert_type=${params[2]} + + # check type & revision + [ "$cert_revision" -eq '0200' ] + [ "$cert_type" -eq '0002' ] + + dd if="$filename" bs=1 skip=$cert_table_header_size \ + count=$(($cert_size - $cert_table_header_size)) 2>/dev/null +} + +function repeat() { + str=$1 + count=$2 + for (( i = 0; $i < $count; i++ )) + do + echo -n "$str" + done +} + +cert="test.cert" +signed="test.signed" + +for i in {1..8} +do + # generate a variable-length parameter for the certificate subject + subj="/CN=$(repeat 'x' $i)" + + # create a temporary cert, and sign the image with it + openssl req -x509 -sha256 -subj "$subj" -new -key "$key" -out "$cert" + "$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" + + # extract the sigtable + params=($(sigtable_params "$signed")) + + # split and convert to base-10 + sigtable_offset=$((${params[0]})) + sigtable_size=$((${params[1]})) + + # check that we have a correctly-padded sigtable + [ $(($sigtable_size % 8)) -eq 0 ] + + sigtable='test.sigtable' + + dd if="$signed" bs=1 skip=$sigtable_offset count=$sigtable_size \ + of=$sigtable 2>/dev/null + + # extract sig, and feed to openssl's PKCS7 parser + extract_sig "$sigtable" | openssl pkcs7 -inform DER -noout +done