Support more PKCS7 attributes for PE Authenticode

Author: romainthomas

api/python/lief/PE.pyi

@@ -17,6 +17,7 @@ import lief.PE.Header # type: ignore
 import lief.PE.Import # type: ignore
 import lief.PE.LoadConfiguration # type: ignore
 import lief.PE.LoadConfigurationV1 # type: ignore
+import lief.PE.MsCounterSign # type: ignore
 import lief.PE.OptionalHeader # type: ignore
 import lief.PE.Pogo # type: ignore
 import lief.PE.Relocation # type: ignore
@@ -311,12 +312,15 @@ class Attribute(lief.Object):
         CONTENT_TYPE: ClassVar[Attribute.TYPE] = ...
         GENERIC_TYPE: ClassVar[Attribute.TYPE] = ...
         MS_COUNTER_SIGN: ClassVar[Attribute.TYPE] = ...
+        MS_PLATFORM_MANIFEST_BINARY_ID: ClassVar[Attribute.TYPE] = ...
         MS_SPC_NESTED_SIGN: ClassVar[Attribute.TYPE] = ...
         MS_SPC_STATEMENT_TYPE: ClassVar[Attribute.TYPE] = ...
         PKCS9_AT_SEQUENCE_NUMBER: ClassVar[Attribute.TYPE] = ...
         PKCS9_COUNTER_SIGNATURE: ClassVar[Attribute.TYPE] = ...
         PKCS9_MESSAGE_DIGEST: ClassVar[Attribute.TYPE] = ...
         PKCS9_SIGNING_TIME: ClassVar[Attribute.TYPE] = ...
+        SIGNING_CERTIFICATE_V2: ClassVar[Attribute.TYPE] = ...
+        SPC_RELAXED_PE_MARKER_CHECK: ClassVar[Attribute.TYPE] = ...
         SPC_SP_OPUS_INFO: ClassVar[Attribute.TYPE] = ...
         UNKNOWN: ClassVar[Attribute.TYPE] = ...
         __name__: str
@@ -1479,6 +1483,36 @@ class LoadConfigurationV9(LoadConfigurationV8):
     def __init__(self) -> None: ...
     def copy(self) -> lief.PE.LoadConfigurationV9: ...
 
+class MsCounterSign(Attribute):
+    class it_const_crt:
+        def __init__(self, *args, **kwargs) -> None: ...
+        def __getitem__(self, arg: int, /) -> lief.PE.x509: ...
+        def __iter__(self) -> lief.PE.MsCounterSign.it_const_crt: ...
+        def __len__(self) -> int: ...
+        def __next__(self) -> lief.PE.x509: ...
+
+    class it_const_signers_t:
+        def __init__(self, *args, **kwargs) -> None: ...
+        def __getitem__(self, arg: int, /) -> lief.PE.SignerInfo: ...
+        def __iter__(self) -> lief.PE.MsCounterSign.it_const_signers_t: ...
+        def __len__(self) -> int: ...
+        def __next__(self) -> lief.PE.SignerInfo: ...
+    def __init__(self, *args, **kwargs) -> None: ...
+    @property
+    def certificates(self) -> lief.PE.MsCounterSign.it_const_crt: ...
+    @property
+    def content_info(self) -> lief.PE.ContentInfo: ...
+    @property
+    def digest_algorithm(self) -> lief.PE.ALGORITHMS: ...
+    @property
+    def signers(self) -> lief.PE.MsCounterSign.it_const_signers_t: ...
+    @property
+    def version(self) -> int: ...
+
+class MsManifestBinaryID(Attribute):
+    manifest_id: str
+    def __init__(self, *args, **kwargs) -> None: ...
+
 class MsSpcNestedSignature(Attribute):
     def __init__(self, *args, **kwargs) -> None: ...
     @property
@@ -1654,6 +1688,9 @@ class PKCS9SigningTime(Attribute):
     @property
     def time(self) -> list[int]: ...
 
+class PKCS9TSTInfo(ContentInfo.Content):
+    def __init__(self, *args, **kwargs) -> None: ...
+
 class ParserConfig:
     parse_exports: bool
     parse_imports: bool
@@ -2649,6 +2686,9 @@ class SignerInfo(lief.Object):
     @property
     def version(self) -> int: ...
 
+class SigningCertificateV2(Attribute):
+    def __init__(self, *args, **kwargs) -> None: ...
+
 class SpcIndirectData(ContentInfo.Content):
     def __init__(self, *args, **kwargs) -> None: ...
     @property
@@ -2658,6 +2698,11 @@ class SpcIndirectData(ContentInfo.Content):
     @property
     def file(self) -> str: ...
 
+class SpcRelaxedPeMarkerCheck(Attribute):
+    def __init__(self, *args, **kwargs) -> None: ...
+    @property
+    def value(self) -> int: ...
+
 class SpcSpOpusInfo(Attribute):
     def __init__(self, *args, **kwargs) -> None: ...
     @property

api/python/src/PE/enums.cpp

@@ -564,5 +564,6 @@ void init_enums(nb::module_& m) {
     .value(PY_ENUM(ALGORITHMS::SHA_256_ECDSA))
     .value(PY_ENUM(ALGORITHMS::SHA_384_ECDSA))
     .value(PY_ENUM(ALGORITHMS::SHA_512_ECDSA));
+
 }
 }

api/python/src/PE/init.cpp

@@ -34,6 +34,7 @@
 #include "LIEF/PE/resources/LangCodeItem.hpp"
 #include "LIEF/PE/resources/langs.hpp"
 #include "LIEF/PE/signature/attributes.hpp"
+#include "LIEF/PE/signature/PKCS9TSTInfo.hpp"
 #include "LIEF/PE/signature/SpcIndirectData.hpp"
 #include "LIEF/PE/signature/GenericContent.hpp"
 
@@ -99,11 +100,16 @@ void init_signature(nb::module_& m) {
   CREATE(GenericType, m);
   CREATE(MsSpcNestedSignature, m);
   CREATE(MsSpcStatementType, m);
+  CREATE(MsManifestBinaryID, m);
   CREATE(PKCS9AtSequenceNumber, m);
   CREATE(PKCS9CounterSignature, m);
   CREATE(PKCS9MessageDigest, m);
   CREATE(PKCS9SigningTime, m);
   CREATE(SpcSpOpusInfo, m);
+  CREATE(MsCounterSign, m);
+  CREATE(SpcRelaxedPeMarkerCheck, m);
+  CREATE(SigningCertificateV2, m);
+  CREATE(PKCS9TSTInfo, m);
 }
 
 void init_objects(nb::module_& m) {

api/python/src/PE/objects/signature/CMakeLists.txt

@@ -1,13 +1,12 @@
 target_sources(pyLIEF PRIVATE
-  pySignerInfo.cpp
   pyAttribute.cpp
-  pyRsaInfo.cpp
-  pyx509.cpp
   pyContentInfo.cpp
   pyGenericContent.cpp
-  pySpcIndirectData.cpp
+  pyPKCS9TSTInfo.cpp
+  pyRsaInfo.cpp
   pySignature.cpp
+  pySignerInfo.cpp
   pySpcIndirectData.cpp
-  pyGenericContent.cpp
+  pyx509.cpp
 )
 add_subdirectory(attributes)

api/python/src/PE/objects/signature/attributes/CMakeLists.txt

@@ -1,12 +1,15 @@
 target_sources(pyLIEF PRIVATE
-  pyMsCounterSign.cpp
   pyContentType.cpp
   pyGenericType.cpp
-  pySpcSpOpusInfo.cpp
-  pyMsSpcStatementType.cpp
+  pyMsCounterSign.cpp
+  pyMsManifestBinaryID.cpp
   pyMsSpcNestedSignature.cpp
-  pyPKCS9SigningTime.cpp
-  pyPKCS9MessageDigest.cpp
+  pyMsSpcStatementType.cpp
   pyPKCS9AtSequenceNumber.cpp
   pyPKCS9CounterSignature.cpp
+  pyPKCS9MessageDigest.cpp
+  pyPKCS9SigningTime.cpp
+  pySpcRelaxedPeMarkerCheck.cpp
+  pySigningCertificateV2.cpp
+  pySpcSpOpusInfo.cpp
 )

api/python/src/PE/objects/signature/attributes/pyMsCounterSign.cpp

@@ -0,0 +1,53 @@
+/* Copyright 2017 - 2023 R. Thomas
+ * Copyright 2017 - 2023 Quarkslab
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "PE/pyPE.hpp"
+#include "pyIterator.hpp"
+
+#include "LIEF/PE/signature/attributes/MsCounterSign.hpp"
+
+#include <string>
+#include <sstream>
+#include <nanobind/stl/string.h>
+
+namespace LIEF::PE::py {
+
+template<>
+void create<MsCounterSign>(nb::module_& m) {
+  using namespace LIEF::py;
+
+  nb::class_<MsCounterSign, Attribute> CounterSig(m, "MsCounterSign",
+    R"delim(
+    This class exposes the ms-counter-signature.
+    )delim"_doc);
+
+  init_ref_iterator<MsCounterSign::it_certificates>(CounterSig, "it_const_crt");
+  init_ref_iterator<MsCounterSign::it_signers>(CounterSig, "it_const_signers_t");
+
+  CounterSig
+    .def_prop_ro("version", &MsCounterSign::version)
+    .def_prop_ro("digest_algorithm", &MsCounterSign::digest_algorithm)
+    .def_prop_ro("content_info", &MsCounterSign::content_info)
+    .def_prop_ro("certificates",
+        nb::overload_cast<>(&MsCounterSign::certificates),
+        "Return an iterator over " RST_CLASS_REF(lief.PE.x509) " certificates"_doc,
+        nb::keep_alive<0, 1>())
+    .def_prop_ro("signers",
+        nb::overload_cast<>(&MsCounterSign::signers),
+        "Return an iterator over the signers (" RST_CLASS_REF(lief.PE.SignerInfo) ")"_doc,
+        nb::keep_alive<0, 1>());
+}
+
+}

api/python/src/PE/objects/signature/attributes/pyMsManifestBinaryID.cpp

@@ -0,0 +1,49 @@
+/* Copyright 2017 - 2023 R. Thomas
+ * Copyright 2017 - 2023 Quarkslab
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "PE/pyPE.hpp"
+
+#include "LIEF/PE/signature/attributes/MsManifestBinaryID.hpp"
+#include <nanobind/stl/string.h>
+
+#include <string>
+#include <sstream>
+
+namespace LIEF::PE::py {
+
+template<>
+void create<MsManifestBinaryID>(nb::module_& m) {
+  nb::class_<MsManifestBinaryID, Attribute>(m, "MsManifestBinaryID",
+    R"delim(
+    Interface over the structure described by the OID ``1.3.6.1.4.1.311.10.3.28`` (``szOID_PLATFORM_MANIFEST_BINARY_ID``)
+
+    The internal structure is not documented but we can infer the following structure:
+
+    .. code-block:: text
+
+        szOID_PLATFORM_MANIFEST_BINARY_ID ::= SET OF BinaryID
+
+        BinaryID ::= UTF8STRING
+
+    )delim")
+
+    .def_prop_rw("manifest_id",
+        nb::overload_cast<>(&MsManifestBinaryID::manifest_id, nb::const_),
+        nb::overload_cast<const std::string&>(&MsManifestBinaryID::manifest_id),
+        "The manifest id")
+    LIEF_DEFAULT_STR(MsManifestBinaryID);
+}
+
+}

api/python/src/PE/objects/signature/attributes/pySigningCertificateV2.cpp

@@ -0,0 +1,53 @@
+/* Copyright 2017 - 2024 R. Thomas
+ * Copyright 2017 - 2024 Quarkslab
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "PE/pyPE.hpp"
+
+#include "LIEF/PE/signature/attributes/SigningCertificateV2.hpp"
+
+namespace LIEF::PE::py {
+
+template<>
+void create<SigningCertificateV2>(nb::module_& m) {
+  nb::class_<SigningCertificateV2, Attribute>(m, "SigningCertificateV2",
+    R"doc(
+    .. code-block:: text
+
+      SigningCertificateV2 ::= SEQUENCE {
+        certs    SEQUENCE OF ESSCertIDv2,
+        policies SEQUENCE OF PolicyInformation OPTIONAL
+      }
+
+      ESSCertIDv2 ::= SEQUENCE {
+        hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm id-sha256},
+        certHash      OCTET STRING,
+        issuerSerial  IssuerSerial OPTIONAL
+      }
+
+      IssuerSerial ::= SEQUENCE {
+        issuer       GeneralNames,
+        serialNumber CertificateSerialNumber
+      }
+
+      PolicyInformation ::= SEQUENCE {
+        policyIdentifier   OBJECT IDENTIFIER,
+        policyQualifiers   SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
+      }
+    )doc"_doc
+  )
+  ;
+}
+
+}

api/python/src/PE/objects/signature/attributes/pySpcRelaxedPeMarkerCheck.cpp

@@ -0,0 +1,32 @@
+/* Copyright 2017 - 2024 R. Thomas
+ * Copyright 2017 - 2024 Quarkslab
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "PE/pyPE.hpp"
+
+#include "LIEF/PE/signature/attributes/SpcRelaxedPeMarkerCheck.hpp"
+
+namespace LIEF::PE::py {
+
+template<>
+void create<SpcRelaxedPeMarkerCheck>(nb::module_& m) {
+  nb::class_<SpcRelaxedPeMarkerCheck, Attribute>(m, "SpcRelaxedPeMarkerCheck",
+    R"delim(
+    )delim"_doc
+  )
+    .def_prop_ro("value", nb::overload_cast<>(&SpcRelaxedPeMarkerCheck::value, nb::const_))
+  ;
+}
+
+}

api/python/src/PE/objects/signature/pyAttribute.cpp

@@ -39,6 +39,9 @@ void create<Attribute>(nb::module_& m) {
     ENTRY(MS_COUNTER_SIGN)
     ENTRY(MS_SPC_NESTED_SIGN)
     ENTRY(MS_SPC_STATEMENT_TYPE)
+    ENTRY(SPC_RELAXED_PE_MARKER_CHECK)
+    ENTRY(SIGNING_CERTIFICATE_V2)
+    ENTRY(MS_PLATFORM_MANIFEST_BINARY_ID)
     ENTRY(PKCS9_AT_SEQUENCE_NUMBER)
     ENTRY(PKCS9_COUNTER_SIGNATURE)
     ENTRY(PKCS9_MESSAGE_DIGEST)