add option to disable cert validation (#59)
ayoubfaouzi authored Jan 13, 2023
1 parent cf5346f commit 662883d
Showing 2 changed files with 29 additions and 24 deletions.
11 changes: 7 additions & 4 deletions file.go
@@ -1,4 +1,4 @@
// Copyright 2022 Saferwall. All rights reserved.
// Copyright 2018 Saferwall. All rights reserved.
// Use of this source code is governed by Apache v2 license
// license that can be found in the LICENSE file.

Expand Down Expand Up @@ -60,19 +60,22 @@ type Options struct {
// Maximum relocations to parse.
MaxRelocEntriesCount uint32

// Disable certificate validation.
DisableCertValidation bool

// A custom logger.
Logger log.Logger
}

// New instaniates a file instance with options given a file name.
// New instantiates a file instance with options given a file name.
func New(name string, opts *Options) (*File, error) {

f, err := os.Open(name)
if err != nil {
return nil, err
}

// Memory map the file insead of using read/write.
// Memory map the file instead of using read/write.
data, err := mmap.Map(f, mmap.RDONLY, 0)
if err != nil {
f.Close()
Expand Down Expand Up @@ -108,7 +111,7 @@ func New(name string, opts *Options) (*File, error) {
return &file, nil
}

// NewBytes instaniates a file instance with options given a memory buffer.
// NewBytes instantiates a file instance with options given a memory buffer.
func NewBytes(data []byte, opts *Options) (*File, error) {

file := File{}
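Review bot: The new field's doc comment `// Disable certificate validation.` understates what the flag does: in security.go the option gates the whole block that loads the root pool and calls `pkcs.VerifyWithChain`, so setting it skips the cryptographic check of the Authenticode signature itself, not only the trust-chain check against system roots. A reader choosing this option for offline or sandboxed parsing should know that the file is then reported as signed but never as verified. I would widen the comment to something like `// DisableCertValidation skips signature verification entirely (no root pool is loaded and pkcs.VerifyWithChain is not called); the certificate data is still parsed, but the image is never marked as verified.`. The Options struct begins before this hunk, so the other fields are not visible here.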
42 changes: 22 additions & 20 deletions security.go
@@ -1,4 +1,4 @@
// Copyright 2022 Saferwall. All rights reserved.
// Copyright 2018 Saferwall. All rights reserved.
// Use of this source code is governed by Apache v2 license
// license that can be found in the LICENSE file.

Expand Down Expand Up @@ -219,9 +219,9 @@ func (pe *File) parseLocations() (map[string]*RelRange, error) {

// Authentihash generates the pe image file hash.
// The relevant sections to exclude during hashing are:
// - The location of the checksum
// - The location of the entry of the Certificate Table in the Data Directory
// - The location of the Certificate Table.
// - The location of the checksum
// - The location of the entry of the Certificate Table in the Data Directory
// - The location of the Certificate Table.
func (pe *File) Authentihash() []byte {

locationMap, err := pe.parseLocations()
Expand Down Expand Up @@ -305,7 +305,7 @@ func (pe *File) parseSecurityDirectory(rva, size uint32) error {

// The pkcs7.PKCS7 structure contains many fields that we are not
// interested to, so create another structure, similar to _CERT_INFO
// structure which contains only the imporant information.
// structure which contains only the important information.
serialNumber := pkcs.Signers[0].IssuerAndSerialNumber.SerialNumber
for _, cert := range pkcs.Certificates {
if !reflect.DeepEqual(cert.SerialNumber, serialNumber) {
Expand Down Expand Up @@ -357,21 +357,23 @@ func (pe *File) parseSecurityDirectory(rva, size uint32) error {
pe.IsSigned = true

// Let's load the system root certs.
var certPool *x509.CertPool
if runtime.GOOS == "windows" {
certPool, err = loadSystemRoots()
} else {
certPool, err = x509.SystemCertPool()
}
if !pe.opts.DisableCertValidation {
var certPool *x509.CertPool
if runtime.GOOS == "windows" {
certPool, err = loadSystemRoots()
} else {
certPool, err = x509.SystemCertPool()
}

// Verify the signature. This will also verify the chain of trust of the
// the end-entity signer cert to one of the root in the truststore.
if err == nil {
err = pkcs.VerifyWithChain(certPool)
// Verify the signature. This will also verify the chain of trust of the
// the end-entity signer cert to one of the root in the trust store.
if err == nil {
isValid = true
} else {
isValid = false
err = pkcs.VerifyWithChain(certPool)
if err == nil {
isValid = true
} else {
isValid = false
}
}
}

Expand All @@ -398,11 +400,11 @@ func (pe *File) parseSecurityDirectory(rva, size uint32) error {
// loadSystemsRoots manually downloads all the trusted root certificates
// in Windows by spawning certutil then adding root certs individually
// to the cert pool. Initially, when running in windows, go SystemCertPool()
// used to enumerate all the ceritificate in the Windows store using
// used to enumerate all the certificate in the Windows store using
// (CertEnumCertificatesInStore). Unfortunately, Windows does not ship
// with all of its root certificates installed. Instead, it downloads them
// on-demand. As a consequence, this behavior leads to a non-deterministic
// results. Go team then disabled loadding Windows root certs.
// results. Go team then disabled the loading Windows root certs.
func loadSystemRoots() (*x509.CertPool, error) {

needSync := true
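Review bot: In the `@@ -357,21 +357,23 @@` hunk, when `pe.opts.DisableCertValidation` is true the new `if` skips the root-pool load and the `pkcs.VerifyWithChain` call, so `isValid` is never assigned in this function and keeps whatever value it was given before the hunk, while `pe.IsSigned = true` on the line above is still set; the distinction between "verified and failed" and "verification never attempted" is therefore lost downstream unless the caller also inspects the option. If that is intended, it deserves a comment at the top of the new block, e.g. `// With DisableCertValidation set, the signature is not verified at all; isValid keeps its default and err is left as returned by the earlier parsing.`, and the `isValid = false` in the else branch could then be dropped as redundant if the default is indeed false (its declaration is outside the hunk, so I am inferring). The enclosing parseSecurityDirectory starts and ends outside this hunk.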
