Improved authenticode.js error handling for #4134

2024-11-26 07:57:56 +03:00 · 2022-06-18 08:38:56 -07:00 · 2022-06-18 08:38:56 -07:00 · bf128a988c
commit bf128a988c
parent 18c11a344c
1 changed files with 83 additions and 65 deletions
--- a/authenticode.js
+++ b/authenticode.js
@ -288,17 +288,33 @@ function createAuthenticodeHandler(path) {
            var derlen = forge.asn1.getBerValueLength(forge.util.createBuffer(pkcs7raw.slice(1, 5))) + 4;
            if (derlen != pkcs7raw.length) { pkcs7raw = pkcs7raw.slice(0, derlen); }

-            // Decode the signature block
-            var pkcs7der = forge.asn1.fromDer(forge.util.createBuffer(pkcs7raw));
-
+            // Decode the signature block and check that it's valid
+            var pkcs7der = null, valid = false;
+            try { pkcs7der = forge.asn1.fromDer(forge.util.createBuffer(pkcs7raw)); } catch (ex) { }
+            try { valid = ((pkcs7der != null) && (forge.asn1.derToOid(pkcs7der.value[1].value[0].value[2].value[0].value) == "1.3.6.1.4.1.311.2.1.4")); } catch (ex) { }
+            if (pkcs7der == null) {
+                // Can't decode the signature
+                obj.header.sigpos = 0;
+                obj.header.siglen = 0;
+                obj.header.signed = false;
+            } else {
                // To work around ForgeJS PKCS#7 limitation, this may break PKCS7 verify if ForgeJS adds support for it in the future
                // Switch content type from "1.3.6.1.4.1.311.2.1.4" to "1.2.840.113549.1.7.1"
                pkcs7der.value[1].value[0].value[2].value[0].value = forge.asn1.oidToDer(forge.pki.oids.data).data;

                // Decode the PKCS7 message
-            var pkcs7 = p7.messageFromAsn1(pkcs7der);
-            var pkcs7content = pkcs7.rawCapture.content.value[0];
+                var pkcs7 = null, pkcs7content = null;
+                try {
+                    pkcs7 = p7.messageFromAsn1(pkcs7der);
+                    pkcs7content = pkcs7.rawCapture.content.value[0];
+                } catch (ex) { }

+                if ((pkcs7 == null) || (pkcs7content == null)) {
+                    // Can't decode the signature
+                    obj.header.sigpos = 0;
+                    obj.header.siglen = 0;
+                    obj.header.signed = false;
+                } else {
                    // Verify a PKCS#7 signature
                    // Verify is not currently supported in node-forge, but if implemented in the future, this code could work.
                    //var caStore = forge.pki.createCaStore();
@ -360,6 +376,8 @@ function createAuthenticodeHandler(path) {
                    // Compute the actual file hash
                    if (obj.fileHashAlgo != null) { obj.fileHashActual = obj.getHash(obj.fileHashAlgo); }
                }
+            }
+        }
        return true;
    }

@ -486,7 +504,7 @@ function createAuthenticodeHandler(path) {
                fs.closeSync(output);

                // Indicate we are done
-                func(null, written);
+                func(null);
            });
        });

@ -1372,7 +1390,7 @@ function createAuthenticodeHandler(path) {

        // Close the file
        fs.closeSync(output);
-        func(null, written);
+        func(null);
    }

    // Save an executable without the signature
@ -1635,7 +1653,7 @@ function createAuthenticodeHandler(path) {
        fs.closeSync(output);

        // Indicate success
-        func(null, written);
+        func(null);
    }

    function writeExecutableEx(output, p7signature, written, func) {
@ -1669,7 +1687,7 @@ function createAuthenticodeHandler(path) {
        fs.closeSync(output);

        // Indicate success
-        func(null, written);
+        func(null);
    }

    // Return null if we could not open the file