auth_data.py source code

python

Project: srepp_server  Author: SummitRoute
def ValidateHashes(self, computed_content_hash):
    """Compares computed against expected hashes.

    This method makes sure the chain of hashes is correct. The chain
    consists of Authenticode hash of the actual binary payload, as checked
    against the hash in SpcInfo to the hash of SpcInfo as stored in the
    AuthAttrs, and the hash of EncryptedDigest as stored in the counter-
    signature AuthAttrs, if present.

    Args:
      computed_content_hash: Authenticode hash of binary, as provided by
                             fingerprinter.
    Raises:
      Asn1Error: if hash validation fails.
    """

    if computed_content_hash != self.spc_info['messageDigest']['digest']:
      raise Asn1Error('1: Validation of content hash failed.')

    spc_blob = self.signed_data['contentInfo']['content']
    # According to RFC2315, 9.3, identifier (tag) and length need to be
    # stripped for hashing. We do this by having the parser just strip
    # out the SEQUENCE part of the spcIndirectData.
    # Alternatively this could be done by re-encoding and concatenating
    # the individual elements in spc_value, I _think_.
    _, hashable_spc_blob = decoder.decode(spc_blob, recursiveFlag=0)
    spc_blob_hash = self.digest_algorithm(str(hashable_spc_blob)).digest()
    if spc_blob_hash != self.expected_spc_info_hash:
      raise Asn1Error('2: Validation of SpcInfo hash failed.')
    # Can't check authAttr hash against encrypted hash, done implicitly in
    # M2's pubkey.verify. This can be added by explicit decryption of
    # encryptedDigest, if really needed. (See sample code for RSA in
    # 'verbose_authenticode_sig.py')

    if self.has_countersignature:
      # Validates the hash value found in the authenticated attributes of the
      # counter signature against the hash of the outer signature.
      auth_attr_hash = self.digest_algorithm(self.encrypted_digest).digest()
      if auth_attr_hash != self.expected_auth_attrs_hash:
        raise Asn1Error('3: Validation of countersignature hash failed.')
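
The RFC 2315 section 9.3 step in the comment above means the SpcInfo hash covers only the content octets of the outer SEQUENCE, not its identifier and length octets. The following is an added example, not code from srepp_server: it parses the DER header by hand instead of using the pyasn1 decoder, targets Python 3, and the function names, the choice of SHA-256 and the sample blobs are assumptions constructed for illustration.

```python
import hashlib


def strip_der_header(blob):
    """Return the content octets of the single DER element in blob."""
    if len(blob) < 2:
        raise ValueError("truncated DER element")
    if blob[0] & 0x1F == 0x1F:
        raise ValueError("multi-octet tags are not handled here")
    first, offset = blob[1], 2
    if first < 0x80:
        length = first                      # short form: one length octet
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        n = first & 0x7F                    # long form: n length octets follow
        raw = blob[2:2 + n]
        if len(raw) != n or raw[0] == 0:
            raise ValueError("truncated or non-minimal length")
        length = int.from_bytes(raw, "big")
        if length < 0x80:
            raise ValueError("non-minimal length")
        offset = 2 + n
    if len(blob) != offset + length:
        raise ValueError("length does not match the data present")
    return blob[offset:]


def spc_info_digest(spc_blob, digest_algorithm):
    """Hash SpcInfo the way the messageDigest attribute expects."""
    return digest_algorithm(strip_der_header(spc_blob)).digest()


# Constructed sample blobs (not real SpcIndirectDataContent structures).
SHORT_FORM = bytes.fromhex("3003020105")    # SEQUENCE, 3 content octets
LONG_BODY = bytes(range(200))
LONG_FORM = b"\x30\x81\xc8" + LONG_BODY     # SEQUENCE, length 200 in long form

if __name__ == "__main__":
    for blob in (SHORT_FORM, LONG_FORM):
        good = spc_info_digest(blob, hashlib.sha256)
        whole = hashlib.sha256(blob).digest()   # hashing tag+length too: the usual mistake
        print(len(blob), good.hex()[:16], "differs from whole-blob hash:", good != whole)
```

Rejecting indefinite and non-minimal lengths keeps the hashed bytes unambiguous: only one encoding of a given SpcInfo is accepted, so the digest is computed over exactly the bytes the signer hashed.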