Don't panic on empty cert list or unsupported format. #231
Conversation
roblabla
force-pushed
the
dont-panic-weird-cert
branch
from
8830ed5 to
8787549
Compare
|
Fixed the clippy error. |
| Some(cert) | ||
| } else { | ||
| panic!() | ||
| None |
There was a problem hiding this comment.
I think perhaps we should perhaps change the iterator item type to something like Result<&Certificate, CertificateIterError>. Silently skipping over certificates matching CertificateChoices::Other seems like it could lead to incorrect validation against the certificate chain.
There was a problem hiding this comment.
Well if we're going to be changing the signature of the function, we should probably just be returning the CertificateChoice directly in the iterator?
Silently skipping over certificates matching CertificateChoices::Other seems like it could lead to incorrect validation against the certificate chain.
I mean, the worse that can happen is that we fail to validate the chain due to a missing certificate. Which feels fine? And anyways, I'm pretty sure windows skips over certificates it doesn't know how to handle either - though I'll need to double check that (should be as simple as adding an unused Other certificate in the certificate set).
There was a problem hiding this comment.
Good point about returning CertificateChoice directly, let's do that.
I could be convinced that skipping is the right thing to do if we confirm that Windows does that (and add a note about that behavior in the function's docstring).
There was a problem hiding this comment.
Sorry for taking so long to come back to this. I generated some test binaries of the various Certificatechoice possibilities to see how windows dealt with it. So it turns out windows really doesn't like having anything other than the standard "Certificate" in the CertificateChoice. It kinda makes sense since Authenticode used PKCS#7 as a base (and not CMS) when originally spec'd, and that only accepts Certificate or ExtendedCertificate. But even ExtendedCertificate don't seem to be allowed so 🤷 .
Here's an example binary with an Attribute Certificate V2 inside the certificates of the signed data (but not used in the cert chain, ofc):
attribute_cert_in_certs.exe.zip. Explorer doesn't show the Digital Signature tabs, as if the signature didn't even exist. ASN1 signature can be seen here
There was a problem hiding this comment.
Resummarizing the options:
- Silently filter out unsupported certificates. I don't want to do this since I think users of the library should have more of an indication that a signature is "weird"; it should be up to the user to choose how to handle it.
- Change the iterator to return
CertificateChoice. I'm leaning against this since 99% of the time I think a user just wants theCertificate; the user shouldn't have to doif let cms::cert::CertificateChoices::Certificate(cert) = cert { ... }every time. - Change the iterator to return
Result<&Certificate, CertificateIterError>. I think this is what we should do. It keeps the 99% case pretty easy, while still allowing the library user to handle a weird certificate as desired. It's also a bit more future proof, if we later want to add some more validation of certificates.
2 participants
Currently, if the certificate list is missing or contains unsupported cert format, authenticode-rs will panic when calling the certificates function, which is not ideal.