From b1259b7c1f68000c9bb566d092a8cf7408773fe7 Mon Sep 17 00:00:00 2001 From: bhoehl Date: Tue, 7 Jan 2025 13:54:11 +0100 Subject: [PATCH] add support for spc link / urls in spc indirect data --- include/LIEF/PE/signature/SpcIndirectData.hpp | 5 ++ src/PE/signature/SignatureParser.cpp | 57 ++++++++++++------- 2 files changed, 43 insertions(+), 19 deletions(-) diff --git a/include/LIEF/PE/signature/SpcIndirectData.hpp b/include/LIEF/PE/signature/SpcIndirectData.hpp index 5776d9ac0..cb65d91a8 100644 --- a/include/LIEF/PE/signature/SpcIndirectData.hpp +++ b/include/LIEF/PE/signature/SpcIndirectData.hpp @@ -61,6 +61,10 @@ class LIEF_API SpcIndirectData : public ContentInfo::Content { return file_; } + const std::string& url() const { + return url_; + } + void print(std::ostream& os) const override; void accept(Visitor& visitor) const override; @@ -78,6 +82,7 @@ class LIEF_API SpcIndirectData : public ContentInfo::Content { private: std::string file_; + std::string url_; uint8_t flags_ = 0; ALGORITHMS digest_algorithm_ = ALGORITHMS::UNKNOWN; std::vector digest_; diff --git a/src/PE/signature/SignatureParser.cpp b/src/PE/signature/SignatureParser.cpp index 42ab685d3..f1ac70cbe 100644 --- a/src/PE/signature/SignatureParser.cpp +++ b/src/PE/signature/SignatureParser.cpp @@ -459,34 +459,53 @@ SignatureParser::parse_spc_indirect_data(BinaryStream& stream, range_t& range) { } const std::string& spc_attr_type_str = spc_attr_type.value(); LIEF_DEBUG("spc-attribute-type-and-optional-value.type: {}", oid_to_string(spc_attr_type_str)); - if (spc_attr_type_str != /* SPC_PE_IMAGE_DATA */ "1.3.6.1.4.1.311.2.1.15") { - LIEF_WARN("Expecting OID SPC_PE_IMAGE_DATA at {:d} but got {}", - stream.pos(), oid_to_string(spc_attr_type_str)); - return make_error_code(lief_errors::read_error); - } - + if (spc_attr_type_str == /* SPC_PE_IMAGE_DATA */ "1.3.6.1.4.1.311.2.1.15") { + tag = asn1r.read_tag(/* SpcPeImageData ::= SEQUENCE */ + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); - tag = asn1r.read_tag(/* SpcPeImageData ::= SEQUENCE */ - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + if (!tag) { + LIEF_INFO("Wrong tag: {} (pos: {:d})", asn1r.get_str_tag(), stream.pos()); + return make_error_code(tag.error()); + } - if (!tag) { - LIEF_INFO("Wrong tag: {} (pos: {:d})", asn1r.get_str_tag(), stream.pos()); - return make_error_code(tag.error()); + /* SpcPeImageData */ { + const size_t length = tag.value(); + SpanStream spc_data_stream{ stream.p(), length }; + stream.increment_pos(spc_data_stream.size()); + if (auto spc_data = parse_spc_pe_image_data(spc_data_stream)) { + const SpcPeImageData& spc_data_value = *spc_data; + indirect_data->file_ = spc_data_value.file; + indirect_data->flags_ = spc_data_value.flags; + } + else { + LIEF_INFO("Can't parse SpcPeImageData"); + } + } } + else if (spc_attr_type_str == /* SPC_LINK_(TYPE_2) */ "1.3.6.1.4.1.311.2.1.25" || + spc_attr_type_str == /* SPC_LINK_(TYPE_3) */ "1.3.6.1.4.1.311.2.1.28") { - /* SpcPeImageData */ { + tag = asn1r.read_tag(/* SpcLink / URL ::= STRING */ + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_INTEGER); + + if (!tag) { + LIEF_INFO("Wrong tag: {} (pos: {:d})", asn1r.get_str_tag(), stream.pos()); + return make_error_code(tag.error()); + } const size_t length = tag.value(); - SpanStream spc_data_stream{stream.p(), length}; + SpanStream spc_data_stream{ stream.p(), length }; stream.increment_pos(spc_data_stream.size()); - - if (auto spc_data = parse_spc_pe_image_data(spc_data_stream)) { - const SpcPeImageData& spc_data_value = *spc_data; - indirect_data->file_ = spc_data_value.file; - indirect_data->flags_ = spc_data_value.flags; + if (auto link = parse_spc_link(spc_data_stream)) { + indirect_data->url_ = link.value(); } else { - LIEF_INFO("Can't parse SpcPeImageData"); + LIEF_INFO("CanĀ“t parse SpcLink"); } } + else { + LIEF_WARN("Expecting OID SPC_PE_IMAGE_DATA or SPC_LINK at {:d} but got {}", + stream.pos(), oid_to_string(spc_attr_type_str)); + return make_error_code(lief_errors::read_error); + } // ================================================ // DigestInfo ::= SEQUENCE