diff --git a/lib/src/modules/pe/authenticode.rs b/lib/src/modules/pe/authenticode.rs index d4474e35f..e2ff9f02d 100644 --- a/lib/src/modules/pe/authenticode.rs +++ b/lib/src/modules/pe/authenticode.rs @@ -345,13 +345,26 @@ impl AuthenticodeParser { countersignature.digest_alg = oid_to_str(tst.hash_algorithm.oid()); countersignature.digest = tst.hashed_message; + let cs_si_digest = match cs_si + .get_signed_attr(&rfc5911::ID_MESSAGE_DIGEST) + .map(|value| value.data.as_bytes()) + { + Some(md) => md, + None => return Err(ParseError::MissingAuthenticodeDigest), + }; + countersignature.verified = verify_message_digest( &tst.hash_algorithm, si.signature, tst.hashed_message, + ) && verify_message_digest( + &cs_si.digest_algorithm, + sd.content_info.content.as_bytes(), + cs_si_digest, ) && verify_signer_info(cs_si, certificates.as_slice()); + countersignatures.push(countersignature); } diff --git a/lib/src/modules/pe/tests/testdata/130f9b2e65bfceae8d9e7cbe205471fc8ee34c3d9996f77baa3c3ab47a3b3068.out b/lib/src/modules/pe/tests/testdata/130f9b2e65bfceae8d9e7cbe205471fc8ee34c3d9996f77baa3c3ab47a3b3068.out index 1378a711a..5c83a1f35 100644 --- a/lib/src/modules/pe/tests/testdata/130f9b2e65bfceae8d9e7cbe205471fc8ee34c3d9996f77baa3c3ab47a3b3068.out +++ b/lib/src/modules/pe/tests/testdata/130f9b2e65bfceae8d9e7cbe205471fc8ee34c3d9996f77baa3c3ab47a3b3068.out @@ -689,7 +689,7 @@ signatures: not_before: 1513987200 # 2017-12-23 00:00:00 UTC not_after: 1868918399 # 2029-03-22 23:59:59 UTC countersignatures: - - verified: true + - verified: false sign_time: 1634237249 # 2021-10-14 18:47:29 UTC digest: "a6d56d546fb347a798239820467f4871bdd4c2f331548f4fdf5ab961a46c5c45" digest_alg: "sha256"
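Review bot: The `None => return Err(ParseError::MissingAuthenticodeDigest)` arm turns a countersignature that lacks a messageDigest signed attribute into a hard parse error instead of an unverified countersignature. The enclosing loop and function start outside the hunk, so the exact effect is inferred, but the early return appears to discard the signature together with any countersignatures already collected. A single malformed timestamp token in a scanned file could then hide the rest of the Authenticode data from rules. Consider dropping the `match` so `cs_si_digest` stays an `Option`, and using `cs_si_digest.is_some_and(|md| verify_message_digest(&cs_si.digest_algorithm, sd.content_info.content.as_bytes(), md))` in the `&&` chain, so the entry is still pushed with `verified: false`. If the early return is intended, a dedicated error variant would be clearer, since `MissingAuthenticodeDigest` by its name refers to the file digest rather than the countersigner's message digest.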