Rule for untrusted certificates.

If the PKCS#7 signature contains a untrusted certificate, possibly as a means of changing data post signature, fail the rule.

Author: vcsjones

AuthenticodeLint/AuthenticodeLint.csproj

@@ -69,9 +69,11 @@
     <Compile Include="PE\PortableExecutable.cs" />
     <Compile Include="PublisherInformation.cs" />
     <Compile Include="Rfc3161Signature.cs" />
+    <Compile Include="Rules\CertificateChainRuleBase.cs" />
     <Compile Include="Rules\IAuthenticodeRule.cs" />
     <Compile Include="Program.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="Rules\NoUnknownCertificatesRule.cs" />
     <Compile Include="Rules\NoWeakFileDigestAlgorithmsRule.cs" />
     <Compile Include="Rules\PublisherInformationUrlHttpsRule.cs" />
     <Compile Include="Rules\PublisherInformationRule.cs" />
@@ -81,6 +83,7 @@
     <Compile Include="Rules\SigningCertificateDigestAlgorithmRule.cs" />
     <Compile Include="Rules\TimestampedRule.cs" />
     <Compile Include="Rules\TrustedSignatureRule.cs" />
+    <Compile Include="Rules\NoUnknownUnsignedAttibuteRule.cs" />
     <Compile Include="Rules\WinCertificatePaddingRule.cs" />
     <Compile Include="Signature.cs" />
     <Compile Include="SignatureExtractor.cs" />

AuthenticodeLint/CheckEngine.cs

@@ -24,7 +24,9 @@ public IReadOnlyList<IAuthenticodeRule> GetRules()
                 new PublisherInformationUrlHttpsRule(),
                 new SigningCertificateDigestAlgorithmRule(),
                 new TrustedSignatureRule(),
-                new WinCertificatePaddingRule()
+                new WinCertificatePaddingRule(),
+                new NoUnknownUnsignedAttibuteRule(),
+                new NoUnknownCertificatesRule()
             };
         }
 

AuthenticodeLint/Interop/Crypt32.cs

@@ -360,4 +360,14 @@ internal enum SpcLinkChoice : uint
         SPC_MONIKER_LINK_CHOICE = 2,
         SPC_FILE_LINK_CHOICE = 3
     }
+
+    [type: StructLayout(LayoutKind.Sequential)]
+    internal struct CERT_CONTEXT
+    {
+        public EncodingType dwCertEncodingType;
+        public IntPtr pbCertEncoded;
+        public uint cbCertEncoded;
+        public IntPtr pCertInfo;
+        public IntPtr hCertStore;
+    }
 }

AuthenticodeLint/KnownOids.cs

@@ -17,6 +17,8 @@ internal static class KnownOids
         public const string MessageDigest = "1.2.840.113549.1.9.4";
         public const string OpusInfo  = "1.3.6.1.4.1.311.2.1.12";
         public const string CodeSigning = "1.3.6.1.5.5.7.3.3";
+        public const string NestedSignatureOid = "1.3.6.1.4.1.311.2.4.1";
+
 
 
         public const string md5RSA = "1.2.840.113549.1.1.4";

AuthenticodeLint/Rules/CertificateChainRuleBase.cs

@@ -0,0 +1,45 @@
+using System.Security.Cryptography.X509Certificates;
+
+namespace AuthenticodeLint.Rules
+{
+    public abstract class CertificateChainRuleBase : IAuthenticodeRule
+    {
+        public abstract int RuleId { get; }
+        public abstract string RuleName { get; }
+        public abstract string ShortDescription { get; }
+
+        protected abstract bool ValidateChain(Signature signer, X509Chain chain, SignatureLogger verboseWriter);
+
+        public RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration, string file)
+        {
+            var signatures = graph.VisitAll();
+            var result = RuleResult.Pass;
+            foreach (var signature in signatures)
+            {
+                var certificates = signature.AdditionalCertificates;
+                using (var chain = new X509Chain())
+                {
+                    chain.ChainPolicy.ExtraStore.AddRange(certificates);
+                    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+                    //The purpose of this check is not to validate the chain, completely.
+                    //The chain is needed so we know which certificate is the root and intermediates so we know which to validate and which not to validate.
+                    //It is possible to have a valid Authenticode signature if the certificate is expired but was
+                    //timestamped while it was valid. In this case we still want to successfully build a chain to perform validation.
+                    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;
+                    bool success = chain.Build(signature.SignerInfo.Certificate);
+                    if (!success)
+                    {
+                        verboseWriter.LogSignatureMessage(signature.SignerInfo, $"Cannot build a chain successfully with signing certificate {signature.SignerInfo.Certificate.SerialNumber}.");
+                        result = RuleResult.Fail;
+                        continue;
+                    }
+                    if (!ValidateChain(signature, chain, verboseWriter))
+                    {
+                        result = RuleResult.Fail;
+                    }
+                }
+            }
+            return result;
+        }
+    }
+}

AuthenticodeLint/Rules/NoUnknownCertificatesRule.cs

@@ -0,0 +1,74 @@
+using AuthenticodeLint.Interop;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Runtime.InteropServices;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+namespace AuthenticodeLint.Rules
+{
+    public class NoUnknownCertificatesRule : IAuthenticodeRule
+    {
+        public int RuleId { get; } = 10010;
+
+        public string RuleName { get; } = "No Unknown Certificates";
+
+        public string ShortDescription { get; } = "Checks for unknown embedded certificates.";
+
+        public RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration, string file)
+        {
+            var result = RuleResult.Pass;
+            var signatures = graph.VisitAll();
+            foreach(var signature in signatures)
+            {
+                var allEmbeddedCertificates = signature.AdditionalCertificates.Cast<X509Certificate2>().ToList();
+                var certificatesRequiringEliminiation = new HashSet<X509Certificate2>(allEmbeddedCertificates, new CertificateThumbprintComparer());
+                foreach(var certificate in allEmbeddedCertificates)
+                {
+                    if (!certificatesRequiringEliminiation.Contains(certificate))
+                    {
+                        //This certificate was already eliminated because it was part of a previous chain.
+                        continue;
+                    }
+                    using (var chain = new X509Chain())
+                    {
+                        chain.ChainPolicy.ExtraStore.AddRange(signature.AdditionalCertificates);
+                        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
+                        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
+                        //All we care is that we can even find an authority.
+                        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags & ~X509VerificationFlags.AllowUnknownCertificateAuthority;
+                        if(chain.Build(certificate))
+                        {
+                            certificatesRequiringEliminiation.ExceptWith(chain.ChainElements.Cast<X509ChainElement>().Select(c => c.Certificate));
+                        }
+                    }
+                }
+                if (certificatesRequiringEliminiation.Count > 0)
+                {
+                    foreach(var certificate in certificatesRequiringEliminiation)
+                    {
+                        verboseWriter.LogSignatureMessage(signature.SignerInfo, $"Signature contained untrusted certificate \"{certificate.Subject}\" ({certificate.Thumbprint}).");
+                    }
+                    result = RuleResult.Fail;
+                }
+            }
+            return result;
+        }
+
+
+
+        private class CertificateThumbprintComparer : IEqualityComparer<X509Certificate2>
+        {
+            public bool Equals(X509Certificate2 x, X509Certificate2 y)
+            {
+                return x.Thumbprint == y.Thumbprint;
+            }
+
+            public int GetHashCode(X509Certificate2 obj)
+            {
+                return obj.Thumbprint.GetHashCode();
+            }
+        }
+    }
+}

AuthenticodeLint/Rules/NoUnknownUnsignedAttibuteRule.cs

@@ -0,0 +1,41 @@
+using System;
+using System.Linq;
+
+namespace AuthenticodeLint.Rules
+{
+    public class NoUnknownUnsignedAttibuteRule : IAuthenticodeRule
+    {
+        public int RuleId { get; } = 10009;
+
+        public string RuleName { get; } = "No Unknown Unsigned Attributes";
+
+        public string ShortDescription { get; } = "Checks for the presence of unsigned attributes with unknown an OID.";
+
+        private static string[] _trustedUnsignedAttributes = new[]
+        {
+            KnownOids.AuthenticodeCounterSignature,
+            KnownOids.Rfc3161CounterSignature,
+            KnownOids.NestedSignatureOid
+        };
+
+        public RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration, string file)
+        {
+            var signatures = graph.VisitAll();
+            var result = RuleResult.Pass;
+            foreach(var signature in signatures)
+            {
+                var signer = signature.SignerInfo;
+                foreach(var attribute in signer.UnsignedAttributes)
+                {
+                    if (!_trustedUnsignedAttributes.Contains(attribute.Oid.Value))
+                    {
+                        result = RuleResult.Fail;
+                        var displayName = attribute.Oid.FriendlyName ?? "<no friendly name>";
+                        verboseWriter.LogSignatureMessage(signer, $"Signature contains unknown unsigned attribute {displayName} ({attribute.Oid.Value}).");
+                    }
+                }
+            }
+            return result;
+        }
+    }
+}

AuthenticodeLint/Rules/SigningCertificateDigestAlgorithmRule.cs

@@ -3,45 +3,17 @@
 
 namespace AuthenticodeLint.Rules
 {
-    public class SigningCertificateDigestAlgorithmRule : IAuthenticodeRule
+    public class SigningCertificateDigestAlgorithmRule : CertificateChainRuleBase
     {
-        public int RuleId { get; } = 10006;
+        public override int RuleId { get; } = 10006;
 
-        public string RuleName { get; } = "SHA2 Certificate Chain";
+        public override string RuleName { get; } = "SHA2 Certificate Chain";
 
-        public string ShortDescription { get; } = "Checks the signing certificate's and chain's signature algorithm.";
+        public override string ShortDescription { get; } = "Checks the signing certificate's and chain's signature algorithm.";
 
-        public RuleResult Validate(Graph<Signature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration, string file)
+        protected override bool ValidateChain(Signature signer, X509Chain chain, SignatureLogger verboseWriter)
         {
-            var signatures = graph.VisitAll();
-            var result = RuleResult.Pass;
-            foreach(var signature in signatures)
-            {
-                var certificates = signature.AdditionalCertificates;
-                using (var chain = new X509Chain())
-                {
-                    chain.ChainPolicy.ExtraStore.AddRange(certificates);
-                    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
-                    //The purpose of this check is not to validate the chain, completely.
-                    //The chain is needed so we know which certificate is the root and intermediates so we know which to validate and which not to validate.
-                    //It is possible to have a valid Authenticode signature if the certificate is expired but was
-                    //timestamped while it was valid. In this case we still want to successfully build a chain to perform validation.
-                    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;
-                    bool success = chain.Build(signature.SignerInfo.Certificate);
-                    if (!success)
-                    {
-                        verboseWriter.LogSignatureMessage(signature.SignerInfo, $"Cannot build a chain successfully with signing certificate {signature.SignerInfo.Certificate.SerialNumber}.");
-                        result = RuleResult.Fail;
-                        continue;
-                    }
-                    var chainResult = ValidateSha2Chain(signature.SignerInfo, chain, verboseWriter);
-                    if (!chainResult)
-                    {
-                        result = RuleResult.Fail;
-                    }
-                }
-            }
-            return result;
+            return ValidateSha2Chain(signer.SignerInfo, chain, verboseWriter);
         }
 
         private static bool ValidateSha2Chain(SignerInfo signatureInfo, X509Chain chain, SignatureLogger verboseWriter)

AuthenticodeLint/SignatureExtractor.cs

@@ -60,7 +60,6 @@ private unsafe Graph<Signature> GetSignatures(CryptMsgSafeHandle messageHandle)
 
         public static Graph<Signature> RecursiveSigner(IList<byte[]> cmsData)
         {
-            const string nestedSignatureOid = "1.3.6.1.4.1.311.2.4.1";
             var graphItems = new List<GraphItem<Signature>>();
             foreach (var data in cmsData)
             {
@@ -71,7 +70,7 @@ public static Graph<Signature> RecursiveSigner(IList<byte[]> cmsData)
                     var childCms = new List<byte[]>();
                     foreach (var attribute in signer.UnsignedAttributes)
                     {
-                        if (attribute.Oid.Value == nestedSignatureOid)
+                        if (attribute.Oid.Value == KnownOids.NestedSignatureOid)
                         {
                             foreach (var value in attribute.Values)
                             {