Add OpenSSL 4 compatibility and modernize CMake build system

CMakeLists.txt

@@ -97,21 +97,41 @@ set_target_properties(osslsigncode PROPERTIES INSTALL_RPATH_USE_LINK_PATH TRUE)
 # testing with CTest
 include(CMakeTest)
 
+# documentation with Pandoc
+include(CMakeDoc)
+
 # installation rules for a project
-set(BINDIR "${CMAKE_INSTALL_PREFIX}/bin")
-install(TARGETS osslsigncode RUNTIME DESTINATION ${BINDIR})
+include(GNUInstallDirs)
+
+install(TARGETS osslsigncode RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR})
+
+install(FILES
+    "${PROJECT_SOURCE_DIR}/README.md"
+    "${PROJECT_SOURCE_DIR}/NEWS.md"
+    DESTINATION "${CMAKE_INSTALL_DOCDIR}")
+
 if(UNIX)
     include(CMakeDist)
 else(UNIX)
     install(
-        DIRECTORY ${PROJECT_BINARY_DIR}/ DESTINATION ${BINDIR}
+        DIRECTORY ${PROJECT_BINARY_DIR}/
+        DESTINATION ${CMAKE_INSTALL_BINDIR}
         FILES_MATCHING
         PATTERN "*.dll"
         PATTERN "vcpkg_installed" EXCLUDE
         PATTERN "CMakeFiles" EXCLUDE
         PATTERN "Testing" EXCLUDE)
 endif(UNIX)
 
+# uninstall target
+configure_file(
+    "${PROJECT_SOURCE_DIR}/cmake/cmake_uninstall.cmake.in"
+    "${PROJECT_BINARY_DIR}/cmake_uninstall.cmake"
+    IMMEDIATE @ONLY)
+
+add_custom_target(uninstall
+    COMMAND ${CMAKE_COMMAND} -P "${PROJECT_BINARY_DIR}/cmake_uninstall.cmake")
+
 #[[
 Local Variables:
     c-basic-offset: 4

appx.c

@@ -470,32 +470,33 @@ static int appx_hash_length_get(FILE_FORMAT_CTX *ctx)
  */
 static int appx_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7)
 {
-    if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) {
-        ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence;
-        const u_char *p = content_val->data;
-        SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length);
-
-        if (idc) {
-            BIO *hashes;
-            if (!appx_extract_hashes(ctx, idc)) {
-                fprintf(stderr, "Failed to extract hashes from the signature\n");
-                SpcIndirectDataContent_free(idc);
-                return 0; /* FAILED */
-            }
-            hashes = appx_calculate_hashes(ctx);
-            if (!hashes) {
-                SpcIndirectDataContent_free(idc);
-                return 0; /* FAILED */
-            }
-            BIO_free_all(hashes);
-            if (!appx_compare_hashes(ctx)) {
-                fprintf(stderr, "Signature hash verification failed\n");
-                SpcIndirectDataContent_free(idc);
-                return 0; /* FAILED */
-            }
-            SpcIndirectDataContent_free(idc);
-        }
+    SpcIndirectDataContent *idc;
+    BIO *hashes;
+
+    idc = pkcs7_get_indirect_data_content(p7);
+    if (!idc)
+        return 1; /* OK - no SpcIndirectDataContent */
+
+    if (!appx_extract_hashes(ctx, idc)) {
+        fprintf(stderr, "Failed to extract hashes from the signature\n");
+        SpcIndirectDataContent_free(idc);
+        return 0; /* FAILED */
     }
+
+    hashes = appx_calculate_hashes(ctx);
+    if (!hashes) {
+        SpcIndirectDataContent_free(idc);
+        return 0; /* FAILED */
+    }
+    BIO_free_all(hashes);
+
+    if (!appx_compare_hashes(ctx)) {
+        fprintf(stderr, "Signature hash verification failed\n");
+        SpcIndirectDataContent_free(idc);
+        return 0; /* FAILED */
+    }
+
+    SpcIndirectDataContent_free(idc);
     return 1; /* OK */
 }
 
@@ -1077,21 +1078,21 @@ static int appx_extract_hashes(FILE_FORMAT_CTX *ctx, SpcIndirectDataContent *con
     AppxSpcSipInfo_free(si);
     BIO_free_all(stdbio);
 #endif
-    int length = content->messageDigest->digest->length;
-    uint8_t *data = content->messageDigest->digest->data;
+    int len = ASN1_STRING_length(content->messageDigest->digest);
+    const uint8_t *data = ASN1_STRING_get0_data(content->messageDigest->digest);
     int mdlen = EVP_MD_size(ctx->appx_ctx->md);
     int pos = 4;
 
     /* we are expecting at least 4 hashes + 4 byte header */
-    if (length < 4 * mdlen + 4) {
+    if (len < 4 * mdlen + 4) {
         fprintf(stderr, "Hash too short\n");
         return 0; /* FAILED */
     }
     if (memcmp(data, APPX_SIGNATURE, 4)) {
         fprintf(stderr, "Hash signature does not match\n");
         return 0; /* FAILED */
     }
-    while (pos + mdlen + 4 <= length) {
+    while (pos + mdlen + 4 <= len) {
         if (!memcmp(data + pos, AXPC_SIGNATURE, 4)) {
             ctx->appx_ctx->existingDataHash = OPENSSL_malloc((size_t)mdlen);
             memcpy(ctx->appx_ctx->existingDataHash, data + pos + 4, (size_t)mdlen);

cab.c

@@ -337,20 +337,7 @@ static int cab_verify_digests(FILE_FORMAT_CTX *ctx, PKCS7 *p7)
     u_char mdbuf[EVP_MAX_MD_SIZE];
     u_char *cmdbuf;
 
-    if (is_content_type(p7, SPC_INDIRECT_DATA_OBJID)) {
-        ASN1_STRING *content_val = p7->d.sign->contents->d.other->value.sequence;
-        const u_char *p = content_val->data;
-        SpcIndirectDataContent *idc = d2i_SpcIndirectDataContent(NULL, &p, content_val->length);
-        if (idc) {
-            if (spc_indirect_data_content_get_digest(idc, mdbuf, &mdtype) < 0) {
-                fprintf(stderr, "Failed to extract message digest from signature\n\n");
-                SpcIndirectDataContent_free(idc);
-                return 0; /* FAILED */
-            }
-            SpcIndirectDataContent_free(idc);
-        }
-    }
-    if (mdtype == -1) {
+    if (!pkcs7_get_content_digest(p7, mdbuf, &mdtype)) {
         fprintf(stderr, "Failed to extract current message digest\n\n");
         return 0; /* FAILED */
     }

cat.c

@@ -297,27 +297,39 @@ static int cat_add_content_type(PKCS7 *p7, PKCS7 *cursig)
  */
 static int cat_sign_content(PKCS7 *p7, PKCS7 *contents)
 {
-    u_char *content;
-    int seqhdrlen, content_length;
+    const unsigned char *sequence_data;
+    const unsigned char *content;
+    ASN1_STRING *sequence;
+    int seqhdrlen, sequence_len, content_length;
 
-    if (!contents->d.other || !contents->d.other->value.sequence
-          || !contents->d.other->value.sequence->data) {
+    if (!contents->d.other || !contents->d.other->value.sequence) {
         fprintf(stderr, "Failed to get content value\n");
         return 0; /* FAILED */
     }
-    seqhdrlen = asn1_simple_hdr_len(contents->d.other->value.sequence->data,
-        contents->d.other->value.sequence->length);
-    content = contents->d.other->value.sequence->data + seqhdrlen;
-    content_length = contents->d.other->value.sequence->length - seqhdrlen;
+
+    sequence = contents->d.other->value.sequence;
+    sequence_data = ASN1_STRING_get0_data(sequence);
+    sequence_len = ASN1_STRING_length(sequence);
+
+    if (!sequence_data) {
+        fprintf(stderr, "Failed to get content value\n");
+        return 0; /* FAILED */
+    }
+
+    seqhdrlen = asn1_simple_hdr_len(sequence_data, sequence_len);
+    content = (const unsigned char *)sequence_data + seqhdrlen;
+    content_length = sequence_len - seqhdrlen;
 
     if (!pkcs7_sign_content(p7, content, content_length)) {
         fprintf(stderr, "Failed to sign content\n");
         return 0; /* FAILED */
     }
+
     if (!PKCS7_set_content(p7, PKCS7_dup(contents))) {
         fprintf(stderr, "PKCS7_set_content failed\n");
         return 0; /* FAILED */
     }
+
     return 1; /* OK */
 }
 
@@ -381,23 +393,22 @@ static int cat_print_content_member_digest(ASN1_TYPE *content)
 {
     SpcIndirectDataContent *idc;
     u_char mdbuf[EVP_MAX_MD_SIZE];
-    const u_char *data ;
     int mdtype = -1;
-    ASN1_STRING *value;
 
-    value = content->value.sequence;
-    data = ASN1_STRING_get0_data(value);
-    idc = d2i_SpcIndirectDataContent(NULL, &data, ASN1_STRING_length(value));
+    idc = asn1_type_get_indirect_data_content(content);
     if (!idc)
         return 0; /* FAILED */
+
     if (spc_indirect_data_content_get_digest(idc, mdbuf, &mdtype) < 0) {
         fprintf(stderr, "Failed to extract message digest from signature\n\n");
         SpcIndirectDataContent_free(idc);
         return 0; /* FAILED */
     }
     SpcIndirectDataContent_free(idc);
+
     printf("\tHash algorithm: %s\n", OBJ_nid2sn(mdtype));
     print_hash("\tMessage digest", "", mdbuf, EVP_MD_size(EVP_get_digestbynid(mdtype)));
+
     return 1; /* OK */
 }
 

cmake/CMakeDoc.cmake

@@ -0,0 +1,44 @@
+# documentation with Pandoc
+# cmake --build .
+
+find_program(PANDOC pandoc)
+
+if(NOT PANDOC)
+    message(WARNING "CMakeDoc: pandoc not found, documentation disabled")
+    return()
+endif(NOT PANDOC)
+
+set(DOC_MD "${PROJECT_SOURCE_DIR}/osslsigncode.md")
+
+if(NOT EXISTS "${DOC_MD}")
+    message(WARNING "CMakeDoc: markdown source not found: ${DOC_MD}")
+    return()
+endif(NOT EXISTS "${DOC_MD}")
+
+set(MAN_PAGE "${PROJECT_BINARY_DIR}/osslsigncode.1")
+set(HTML_PAGE "${PROJECT_BINARY_DIR}/osslsigncode.html")
+
+add_custom_command(
+    OUTPUT "${MAN_PAGE}"
+    COMMAND "${PANDOC}" -s "${DOC_MD}" -t man -o "${MAN_PAGE}"
+    DEPENDS "${DOC_MD}"
+    COMMENT "CMakeDoc: generating man page"
+    VERBATIM)
+
+add_custom_command(
+    OUTPUT "${HTML_PAGE}"
+    COMMAND "${PANDOC}" -s --toc --toc-depth=2 "${DOC_MD}" -t html -o "${HTML_PAGE}"
+    DEPENDS "${DOC_MD}"
+    COMMENT "CMakeDoc: generating HTML documentation"
+    VERBATIM)
+
+add_custom_target(docs ALL DEPENDS "${MAN_PAGE}" "${HTML_PAGE}")
+
+#[[
+Local Variables:
+    c-basic-offset: 4
+    tab-width: 4
+    indent-tabs-mode: nil
+End:
+    vim: set ts=4 expandtab:
+]]

cmake/cmake_uninstall.cmake.in

@@ -0,0 +1,24 @@
+# uninstall target
+#
+# CMake does not provide a built-in uninstall target.
+# This target removes files listed in install_manifest.txt,
+# generated by the install step.
+#
+# cmake --build . --target uninstall
+
+if(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt")
+    message(FATAL_ERROR "Cannot find install manifest")
+endif()
+
+file(READ "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt" files)
+string(REPLACE "\n" ";" files "${files}")
+
+foreach(file ${files})
+    message(STATUS "Removing ${file}")
+
+    if(EXISTS "${file}" OR IS_SYMLINK "${file}")
+        file(REMOVE "${file}")
+    else()
+        message(STATUS "File does not exist: ${file}")
+    endif()
+endforeach()