tests: Add test for PE/COFF cert table header validity
Add a test to check the validity of the certificate table header, ensuring that parsing the header gives us the valid certificate. Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
This commit is contained in:
Jeremy Kerr
parent
bf7e97bd1c
commit
1614a6e0f1
2 changed files with 73 additions and 1 deletions
|
|
@ -43,7 +43,8 @@ TESTS = sign-verify.sh \
|
||||||
sign-missing-key.sh \
|
sign-missing-key.sh \
|
||||||
verify-missing-image.sh \
|
verify-missing-image.sh \
|
||||||
verify-missing-cert.sh \
|
verify-missing-cert.sh \
|
||||||
sign-invalidattach-verify.sh
|
sign-invalidattach-verify.sh \
|
||||||
|
cert-table-header.sh
|
||||||
|
|
||||||
EXTRA_DIST = $(test_lds) test.S $(TESTS) $(check_SCRIPTS)
|
EXTRA_DIST = $(test_lds) test.S $(TESTS) $(check_SCRIPTS)
|
||||||
CLEANFILES = $(test_key) $(test_cert) $(test_image)
|
CLEANFILES = $(test_key) $(test_cert) $(test_image)
|
||||||
|
|
|
||||||
71
tests/cert-table-header.sh
Executable file
71
tests/cert-table-header.sh
Executable file
|
|
@ -0,0 +1,71 @@
|
||||||
|
#!/bin/bash -e
|
||||||
|
|
||||||
|
. "$srcdir/common.sh"
|
||||||
|
|
||||||
|
# Parse the data directory of a PE/COFF file and returns two hex values:
|
||||||
|
# the file offset and size of the signature table.
|
||||||
|
function sigtable_params() {
|
||||||
|
filename="$1"
|
||||||
|
objdump -p "$filename" | awk '/^Entry 4/ {print "0x"$3 " " "0x"$4}'
|
||||||
|
}
|
||||||
|
|
||||||
|
# Extract the signature from a file containing a signature table,
|
||||||
|
# and write to stdout
|
||||||
|
function extract_sig() {
|
||||||
|
filename="$1"
|
||||||
|
cert_table_header_size=8
|
||||||
|
|
||||||
|
params=($(hexdump -n$cert_table_header_size \
|
||||||
|
-e '/4 "%u " /2 "%04x " /2 "%04x\n"' \
|
||||||
|
"$filename"))
|
||||||
|
cert_size=${params[0]}
|
||||||
|
cert_revision=${params[1]}
|
||||||
|
cert_type=${params[2]}
|
||||||
|
|
||||||
|
# check type & revision
|
||||||
|
[ "$cert_revision" -eq '0200' ]
|
||||||
|
[ "$cert_type" -eq '0002' ]
|
||||||
|
|
||||||
|
dd if="$filename" bs=1 skip=$cert_table_header_size \
|
||||||
|
count=$(($cert_size - $cert_table_header_size)) 2>/dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
function repeat() {
|
||||||
|
str=$1
|
||||||
|
count=$2
|
||||||
|
for (( i = 0; $i < $count; i++ ))
|
||||||
|
do
|
||||||
|
echo -n "$str"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
cert="test.cert"
|
||||||
|
signed="test.signed"
|
||||||
|
|
||||||
|
for i in {1..8}
|
||||||
|
do
|
||||||
|
# generate a variable-length parameter for the certificate subject
|
||||||
|
subj="/CN=$(repeat 'x' $i)"
|
||||||
|
|
||||||
|
# create a temporary cert, and sign the image with it
|
||||||
|
openssl req -x509 -sha256 -subj "$subj" -new -key "$key" -out "$cert"
|
||||||
|
"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image"
|
||||||
|
|
||||||
|
# extract the sigtable
|
||||||
|
params=($(sigtable_params "$signed"))
|
||||||
|
|
||||||
|
# split and convert to base-10
|
||||||
|
sigtable_offset=$((${params[0]}))
|
||||||
|
sigtable_size=$((${params[1]}))
|
||||||
|
|
||||||
|
# check that we have a correctly-padded sigtable
|
||||||
|
[ $(($sigtable_size % 8)) -eq 0 ]
|
||||||
|
|
||||||
|
sigtable='test.sigtable'
|
||||||
|
|
||||||
|
dd if="$signed" bs=1 skip=$sigtable_offset count=$sigtable_size \
|
||||||
|
of=$sigtable 2>/dev/null
|
||||||
|
|
||||||
|
# extract sig, and feed to openssl's PKCS7 parser
|
||||||
|
extract_sig "$sigtable" | openssl pkcs7 -inform DER -noout
|
||||||
|
done
|
||||||
Loading…
Reference in a new issue