pe: make sure authenticode is identical before/after signature

When adding the signature, the last section of the file will be padded to 8-bytes align. We need to make sure the payload we feed to a signer is always padded to 8-bytes. This fixes signature breakage.
m4b · Dec 8, 2023 · 3f6b748 · 3f6b748
1 parent 6d664c0
commit 3f6b748
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/src/pe/authenticode.rs b/src/pe/authenticode.rs
@@ -19,6 +19,7 @@ impl PE<'_> {
         ExcludedSectionsIter {
             pe: self,
             state: IterState::default(),
+            hash_size: 0,
         }
     }
 }
@@ -49,6 +50,7 @@ impl ExcludedSections {
 pub struct ExcludedSectionsIter<'s> {
     pe: &'s PE<'s>,
     state: IterState,
+    hash_size: usize,
 }
 
 #[derive(Debug, PartialEq)]
@@ -57,6 +59,7 @@ enum IterState {
     DatadirEntry(usize),
     CertTable(usize),
     Final(usize),
+    Padding(usize),
     Done,
 }
 
@@ -92,8 +95,17 @@ impl<'s> Iterator for ExcludedSectionsIter<'s> {
                         }
                     }
                     IterState::Final(start) => {
+                        let buf = &bytes[start..];
+                        self.state = IterState::Padding(buf.len());
+                        return Some(buf);
+                    }
+                    IterState::Padding(hash_size) => {
                         self.state = IterState::Done;
-                        return Some(&bytes[start..]);
+
+                        if hash_size % 8 != 0 {
+                            let pad_size = 8 - hash_size % 8;
+                            return Some(&self.pe.authenticode_padding[..pad_size]);
+                        }
                     }
                     IterState::Done => return None,
                 }

diff --git a/src/pe/mod.rs b/src/pe/mod.rs
@@ -40,6 +40,9 @@ use log::debug;
 pub struct PE<'a> {
     /// Underlying bytes
     bytes: &'a [u8],
+    /// Padding authenticode might need
+    authenticode_padding: [u8; 7],
+    /// Sections of the PE to be excluded for authenticode checksum
     authenticode_excluded_sections: Option<authenticode::ExcludedSections>,
     /// The PE header
     pub header: header::Header,
@@ -259,6 +262,7 @@ impl<'a> PE<'a> {
         }
         Ok(PE {
             bytes,
+            authenticode_padding: [0; 7],
             authenticode_excluded_sections,
             header,
             sections,