Merge pull request #1478 from val-ms/codesign-fixes-sys_rs

Fix several codesign feature bugs

certs/clamav-beta.crt

@@ -29,125 +29,3 @@ Bd/OoRMlH6aAxOD3W8PR18TkR7wt5++qMEC+hvpTIBfqDzM6q/l1Gv1/xzKtDiFL
 9ZmIM79osXAOPMn/dNAh4hVURBl2n7/69FSRzQbVIBGt2YYlWV9HVfOXquuYJ3py
 pOQCrNNrFjEMFifHqO2ktkn7c8Tsw4dFVnIhKFU=
 -----END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=US, ST=MD, L=Laurel, O=Cisco, OU=Talos, CN=ClamAV BETA Root CA
-        Validity
-            Not Before: Mar 26 21:31:56 2025 GMT
-            Not After : Jul 24 21:31:56 2025 GMT
-        Subject: C=US, ST=MD, O=Cisco, OU=Talos, CN=ClamAV BETA Intermediate Signing CA
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (4096 bit)
-                Modulus:
-                    00:a1:6b:6a:b0:76:70:35:e1:d3:e5:49:1d:3f:e0:
-                    2c:1f:f3:bd:38:cb:cb:7b:ec:e3:f3:20:27:1c:99:
-                    1e:99:89:d0:f4:11:ef:b2:18:6c:1b:25:40:55:18:
-                    b0:c4:e8:03:0a:64:30:11:fa:b2:2b:6f:cb:2b:b8:
-                    aa:0c:29:36:77:6f:cf:12:35:67:14:e9:02:65:ad:
-                    6e:fb:fa:f9:b3:a2:9c:1b:d8:90:70:15:10:d0:29:
-                    2b:9f:49:6b:dc:75:fb:34:36:e8:cf:22:10:03:8d:
-                    7e:97:2c:c6:9c:be:29:33:b8:6b:b8:54:92:a0:28:
-                    92:a0:0c:ef:46:a6:0f:94:7a:c4:51:ef:a9:93:0f:
-                    46:43:63:1d:36:f8:51:4c:be:8f:89:06:a9:05:6f:
-                    e2:40:a9:b4:e3:69:d5:20:48:2d:b0:d8:2b:25:b1:
-                    af:08:3b:a8:a6:18:84:0c:05:54:2d:40:a0:e1:bf:
-                    af:18:22:2d:87:69:83:89:6d:cf:d3:5f:2b:01:7d:
-                    d4:4e:db:2c:80:b2:77:25:5f:55:e1:d4:d4:fe:ad:
-                    7a:7c:2b:b3:ef:32:73:aa:f7:f2:43:4e:ae:d3:25:
-                    69:57:c8:0b:cf:8c:bd:33:d9:05:87:9d:7b:09:e2:
-                    59:3f:01:d2:54:af:c4:8a:97:d7:4b:ce:d9:ad:15:
-                    6f:21:8a:e2:24:27:03:60:2e:6d:1d:dd:be:eb:77:
-                    a3:4d:ac:d6:01:4a:d4:ec:86:b7:b6:9d:02:3d:2a:
-                    7f:e0:5f:02:0f:58:d1:0b:cb:7b:e2:ff:e9:f3:5d:
-                    0f:6f:d1:12:77:5f:80:e7:96:67:dd:d7:13:2e:3c:
-                    cf:b7:d6:36:33:55:6e:e4:f8:67:08:bb:ed:9a:61:
-                    44:27:b0:e2:11:0a:b9:3f:fd:a5:2b:96:e4:7f:5e:
-                    60:c6:7d:8c:d6:19:64:79:ff:02:98:eb:53:db:35:
-                    9f:ac:a7:02:51:92:85:37:9a:23:1e:f3:c4:b6:cb:
-                    0b:7d:65:ed:50:10:94:47:0d:cc:2a:34:a7:65:fd:
-                    de:c0:c1:01:ac:e9:4f:c2:02:2d:b2:eb:c5:f8:e6:
-                    db:cd:aa:87:91:63:94:40:5e:00:0b:f1:08:07:04:
-                    85:79:ce:c8:43:cf:c9:af:66:31:20:e7:58:bf:dd:
-                    6b:cb:d4:a4:89:e2:c0:11:15:02:ca:80:cc:97:2a:
-                    36:f6:7f:9c:78:f2:5c:35:70:c9:58:6f:95:91:25:
-                    88:e3:d7:da:c0:0f:b8:cd:5e:2e:9f:67:d2:14:74:
-                    c7:31:09:91:87:0d:97:9f:30:f3:72:1c:ac:98:c1:
-                    da:f2:b3:8d:9e:36:21:cb:e8:d9:53:4f:98:2e:d8:
-                    ad:44:af
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Extended Key Usage: 
-                OCSP Signing, E-mail Protection
-            Netscape Cert Type: 
-                SSL CA
-    Signature Algorithm: sha256WithRSAEncryption
-         4c:8c:2d:f9:22:a4:de:f6:91:30:8e:50:ad:1b:1c:f8:f1:e0:
-         e5:93:7b:57:1c:75:b4:e1:3b:f1:43:12:c1:af:5a:00:c4:a1:
-         5b:6e:9b:07:74:83:68:01:7c:d4:44:25:41:30:34:7d:79:59:
-         f4:ac:df:4a:44:1c:f0:a2:e2:ac:1d:60:b5:83:48:55:a8:45:
-         66:31:43:9d:2a:0c:df:0e:06:5e:e5:e1:1d:d7:99:2d:33:60:
-         2f:f2:39:f0:3c:1f:c3:a8:ff:85:34:75:dd:27:35:d2:a2:f3:
-         36:bc:17:80:ce:60:89:29:66:0c:ee:8e:1d:82:df:a6:33:2b:
-         47:a9:fc:2a:e3:82:b2:07:e2:8a:3a:df:ed:3c:4e:61:d5:c3:
-         f8:df:d2:d3:c6:f4:d7:b9:a7:71:32:bf:42:e9:d2:99:25:ef:
-         0d:8d:7e:0f:2c:17:2b:b2:c6:e0:31:7f:06:85:af:ae:52:e9:
-         b3:4c:06:7f:1a:9d:ee:21:f2:e1:53:94:73:cd:7c:96:5d:c0:
-         b7:1a:55:55:72:c8:13:4f:b0:c6:ca:6a:46:75:aa:f9:1c:9d:
-         74:94:d5:87:50:39:36:4a:41:eb:4e:78:c9:b6:9d:ce:ef:68:
-         57:76:e6:89:a6:82:b9:eb:69:84:8e:24:e2:62:6d:3f:4d:02:
-         ea:2a:5d:cf:a0:74:6a:0a:0c:b5:31:5c:54:61:96:86:c9:07:
-         c0:f4:b5:e0:66:25:63:28:9e:3e:ec:63:a6:04:aa:03:dd:30:
-         40:7f:74:e5:8c:55:79:1f:41:6d:52:72:ce:92:ed:9a:13:ae:
-         30:68:80:04:86:5d:bb:42:e3:f6:63:20:e2:86:f5:72:78:30:
-         34:91:58:35:1d:db:68:02:7a:61:de:61:73:e2:5e:df:96:c7:
-         5a:02:13:8f:66:df:9d:05:99:71:e9:ef:6d:a9:cf:28:83:40:
-         8e:48:d3:8f:6a:37:b5:f0:a6:13:63:28:76:8d:3f:3d:35:94:
-         d8:ef:3a:15:bc:ac:5c:63:0a:ae:60:fa:78:6f:1e:67:0d:7d:
-         22:b4:60:3d:95:10:93:5a:49:ee:30:58:81:e3:5c:07:65:46:
-         b2:02:76:32:6c:2e:2c:79:0c:f7:d9:c1:4f:5a:e4:20:53:08:
-         d7:68:79:36:a8:59:e2:ce:7a:8f:50:32:20:a7:b6:6a:ba:33:
-         55:b6:bd:a6:e8:91:c3:36:b1:3b:ab:1f:ee:d7:d4:d4:dd:28:
-         98:53:d5:18:f7:44:dd:e8:dd:61:88:20:39:9e:1c:53:ab:6c:
-         92:2b:7c:08:6a:8f:98:8b:9d:33:ac:12:b1:c6:ba:7b:45:57:
-         a0:9d:9b:0c:46:a1:22:e1
------BEGIN CERTIFICATE-----
-MIIFoTCCA4mgAwIBAgIBADANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJVUzEL
-MAkGA1UECAwCTUQxDzANBgNVBAcMBkxhdXJlbDEOMAwGA1UECgwFQ2lzY28xDjAM
-BgNVBAsMBVRhbG9zMRwwGgYDVQQDDBNDbGFtQVYgQkVUQSBSb290IENBMB4XDTI1
-MDMyNjIxMzE1NloXDTI1MDcyNDIxMzE1NlowaDELMAkGA1UEBhMCVVMxCzAJBgNV
-BAgMAk1EMQ4wDAYDVQQKDAVDaXNjbzEOMAwGA1UECwwFVGFsb3MxLDAqBgNVBAMM
-I0NsYW1BViBCRVRBIEludGVybWVkaWF0ZSBTaWduaW5nIENBMIICIjANBgkqhkiG
-9w0BAQEFAAOCAg8AMIICCgKCAgEAoWtqsHZwNeHT5UkdP+AsH/O9OMvLe+zj8yAn
-HJkemYnQ9BHvshhsGyVAVRiwxOgDCmQwEfqyK2/LK7iqDCk2d2/PEjVnFOkCZa1u
-+/r5s6KcG9iQcBUQ0Ckrn0lr3HX7NDbozyIQA41+lyzGnL4pM7hruFSSoCiSoAzv
-RqYPlHrEUe+pkw9GQ2MdNvhRTL6PiQapBW/iQKm042nVIEgtsNgrJbGvCDuophiE
-DAVULUCg4b+vGCIth2mDiW3P018rAX3UTtssgLJ3JV9V4dTU/q16fCuz7zJzqvfy
-Q06u0yVpV8gLz4y9M9kFh517CeJZPwHSVK/EipfXS87ZrRVvIYriJCcDYC5tHd2+
-63ejTazWAUrU7Ia3tp0CPSp/4F8CD1jRC8t74v/p810Pb9ESd1+A55Zn3dcTLjzP
-t9Y2M1Vu5PhnCLvtmmFEJ7DiEQq5P/2lK5bkf15gxn2M1hlkef8CmOtT2zWfrKcC
-UZKFN5ojHvPEtssLfWXtUBCURw3MKjSnZf3ewMEBrOlPwgItsuvF+ObbzaqHkWOU
-QF4AC/EIBwSFec7IQ8/Jr2YxIOdYv91ry9SkieLAERUCyoDMlyo29n+cePJcNXDJ
-WG+VkSWI49fawA+4zV4un2fSFHTHMQmRhw2XnzDzchysmMHa8rONnjYhy+jZU0+Y
-LtitRK8CAwEAAaNVMFMwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
-HQYDVR0lBBYwFAYIKwYBBQUHAwkGCCsGAQUFBwMEMBEGCWCGSAGG+EIBAQQEAwIC
-BDANBgkqhkiG9w0BAQsFAAOCAgEATIwt+SKk3vaRMI5QrRsc+PHg5ZN7Vxx1tOE7
-8UMSwa9aAMShW26bB3SDaAF81EQlQTA0fXlZ9KzfSkQc8KLirB1gtYNIVahFZjFD
-nSoM3w4GXuXhHdeZLTNgL/I58Dwfw6j/hTR13Sc10qLzNrwXgM5giSlmDO6OHYLf
-pjMrR6n8KuOCsgfiijrf7TxOYdXD+N/S08b017mncTK/QunSmSXvDY1+DywXK7LG
-4DF/BoWvrlLps0wGfxqd7iHy4VOUc818ll3AtxpVVXLIE0+wxspqRnWq+RyddJTV
-h1A5NkpB6054ybadzu9oV3bmiaaCuetphI4k4mJtP00C6ipdz6B0agoMtTFcVGGW
-hskHwPS14GYlYyiePuxjpgSqA90wQH905YxVeR9BbVJyzpLtmhOuMGiABIZdu0Lj
-9mMg4ob1cngwNJFYNR3baAJ6Yd5hc+Je35bHWgITj2bfnQWZcenvbanPKINAjkjT
-j2o3tfCmE2Modo0/PTWU2O86FbysXGMKrmD6eG8eZw19IrRgPZUQk1pJ7jBYgeNc
-B2VGsgJ2MmwuLHkM99nBT1rkIFMI12h5NqhZ4s56j1AyIKe2arozVba9puiRwzax
-O6sf7tfU1N0omFPVGPdE3ejdYYggOZ4cU6tskit8CGqPmIudM6wSsca6e0VXoJ2b
-DEahIuE=
------END CERTIFICATE-----

libclamav_rust/Cargo.toml

@@ -29,7 +29,7 @@ delharc = "0.6"
 clam-sigutil = { git = "https://github.com/Cisco-Talos/clamav-signature-util", tag = "1.2.0" }
 tar = "0.4.43"
 md5 = "0.7.0"
-openssl = "0.10.68"
+openssl = "0.10.70"
 glob = "0.3.1"
 
 [features]

libclamav_rust/src/codesign.rs

@@ -115,42 +115,45 @@ pub unsafe extern "C" fn codesign_sign_file(
     let signature_file_path_str = validate_str_param!(signature_file_path_str);
     let signature_file_path = Path::new(signature_file_path_str);
 
-    let cert_path_strs: &[*const i8] = std::slice::from_raw_parts(cert_paths_str, cert_paths_len);
+    let cert_path_strs: &[*const c_char] =
+        std::slice::from_raw_parts(cert_paths_str, cert_paths_len);
 
     // now convert the cert_path_strs to a Vec<&Path>
-    let cert_paths: Vec<PathBuf> = cert_path_strs
-        .iter()
-        .filter_map(|&path_str| -> Option<PathBuf> {
-            let path_str = if path_str.is_null() {
-                warn!("Intermiediate path string is NULL");
-                return None;
-            } else {
-                #[allow(unused_unsafe)]
-                match unsafe { CStr::from_ptr(path_str) }.to_str() {
-                    Err(e) => {
-                        warn!("Intermediate path string is not valid unicode: {}", e);
-                        return None;
-                    }
-                    Ok(s) => Some(s),
-                }
-            };
-
-            if let Some(path_str) = path_str {
-                match Path::new(path_str).canonicalize() {
-                    Ok(path) => Some(path),
-                    Err(e) => {
-                        warn!(
-                            "Invalid intermediate certificate path: '{}' {}",
-                            path_str, e
-                        );
-                        None
-                    }
-                }
-            } else {
-                None
+    let mut cert_paths: Vec<PathBuf> = Vec::with_capacity(cert_paths_len);
+
+    for &path_str in cert_path_strs {
+        if path_str.is_null() {
+            return ffi_error!(
+                err = err,
+                Error::SignFailed("Intermediate certificate path is NULL".to_string())
+            );
+        }
+
+        #[allow(unused_unsafe)]
+        let path_str = CStr::from_ptr(path_str)
+            .to_str()
+            .map_err(|e| {
+                warn!("Intermediate path string is not valid unicode: {e}");
+                ffi_error!(
+                    err = err,
+                    Error::SignFailed("Intermediate certificate path is NULL".to_string())
+                )
+            })
+            .unwrap();
+
+        match Path::new(path_str).canonicalize() {
+            Ok(path) => cert_paths.push(path),
+            Err(e) => {
+                warn!("Invalid intermediate certificate path: '{path_str}' {e}",);
+                return ffi_error!(
+                    err = err,
+                    Error::SignFailed(format!(
+                        "Invalid intermediate certificate path: '{path_str}': {e}",
+                    ))
+                );
             }
-        })
-        .collect();
+        }
+    }
 
     let signing_key_path_str = validate_str_param!(signing_key_path_str);
     let signing_key_path = match Path::new(signing_key_path_str).canonicalize() {
@@ -159,8 +162,7 @@ pub unsafe extern "C" fn codesign_sign_file(
             return ffi_error!(
                 err = err,
                 Error::SignFailed(format!(
-                    "Invalid signing key path '{}': {}",
-                    signing_key_path_str, e
+                    "Invalid signing key path '{signing_key_path_str}': {e}",
                 ))
             );
         }
@@ -372,7 +374,6 @@ pub unsafe extern "C" fn codesign_verifier_new(
 #[export_name = "codesign_verifier_free"]
 pub unsafe extern "C" fn codesign_verifier_free(verifier: *mut c_void) {
     if verifier.is_null() {
-        return;
     } else {
         let _ = unsafe { Box::from_raw(verifier as *mut Verifier) };
     }

libclamav_rust/src/sys.rs

@@ -384,36 +384,37 @@ pub const cli_file_CL_TYPE_EGG: cli_file = 553;
 pub const cli_file_CL_TYPE_ONENOTE: cli_file = 554;
 pub const cli_file_CL_TYPE_PYTHON_COMPILED: cli_file = 555;
 pub const cli_file_CL_TYPE_LHA_LZH: cli_file = 556;
-pub const cli_file_CL_TYPE_PART_ANY: cli_file = 557;
-pub const cli_file_CL_TYPE_PART_HFSPLUS: cli_file = 558;
-pub const cli_file_CL_TYPE_MBR: cli_file = 559;
-pub const cli_file_CL_TYPE_HTML: cli_file = 560;
-pub const cli_file_CL_TYPE_MAIL: cli_file = 561;
-pub const cli_file_CL_TYPE_SFX: cli_file = 562;
-pub const cli_file_CL_TYPE_ZIPSFX: cli_file = 563;
-pub const cli_file_CL_TYPE_RARSFX: cli_file = 564;
-pub const cli_file_CL_TYPE_7ZSFX: cli_file = 565;
-pub const cli_file_CL_TYPE_CABSFX: cli_file = 566;
-pub const cli_file_CL_TYPE_ARJSFX: cli_file = 567;
-pub const cli_file_CL_TYPE_EGGSFX: cli_file = 568;
-pub const cli_file_CL_TYPE_NULSFT: cli_file = 569;
-pub const cli_file_CL_TYPE_AUTOIT: cli_file = 570;
-pub const cli_file_CL_TYPE_ISHIELD_MSI: cli_file = 571;
-pub const cli_file_CL_TYPE_ISO9660: cli_file = 572;
-pub const cli_file_CL_TYPE_DMG: cli_file = 573;
-pub const cli_file_CL_TYPE_GPT: cli_file = 574;
-pub const cli_file_CL_TYPE_APM: cli_file = 575;
-pub const cli_file_CL_TYPE_XDP: cli_file = 576;
-pub const cli_file_CL_TYPE_XML_WORD: cli_file = 577;
-pub const cli_file_CL_TYPE_XML_XL: cli_file = 578;
-pub const cli_file_CL_TYPE_XML_HWP: cli_file = 579;
-pub const cli_file_CL_TYPE_HWPOLE2: cli_file = 580;
-pub const cli_file_CL_TYPE_MHTML: cli_file = 581;
-pub const cli_file_CL_TYPE_LNK: cli_file = 582;
-pub const cli_file_CL_TYPE_UDF: cli_file = 583;
-pub const cli_file_CL_TYPE_ALZ: cli_file = 584;
-pub const cli_file_CL_TYPE_OTHER: cli_file = 585;
-pub const cli_file_CL_TYPE_IGNORED: cli_file = 586;
+pub const cli_file_CL_TYPE_AI_MODEL: cli_file = 557;
+pub const cli_file_CL_TYPE_PART_ANY: cli_file = 558;
+pub const cli_file_CL_TYPE_PART_HFSPLUS: cli_file = 559;
+pub const cli_file_CL_TYPE_MBR: cli_file = 560;
+pub const cli_file_CL_TYPE_HTML: cli_file = 561;
+pub const cli_file_CL_TYPE_MAIL: cli_file = 562;
+pub const cli_file_CL_TYPE_SFX: cli_file = 563;
+pub const cli_file_CL_TYPE_ZIPSFX: cli_file = 564;
+pub const cli_file_CL_TYPE_RARSFX: cli_file = 565;
+pub const cli_file_CL_TYPE_7ZSFX: cli_file = 566;
+pub const cli_file_CL_TYPE_CABSFX: cli_file = 567;
+pub const cli_file_CL_TYPE_ARJSFX: cli_file = 568;
+pub const cli_file_CL_TYPE_EGGSFX: cli_file = 569;
+pub const cli_file_CL_TYPE_NULSFT: cli_file = 570;
+pub const cli_file_CL_TYPE_AUTOIT: cli_file = 571;
+pub const cli_file_CL_TYPE_ISHIELD_MSI: cli_file = 572;
+pub const cli_file_CL_TYPE_ISO9660: cli_file = 573;
+pub const cli_file_CL_TYPE_DMG: cli_file = 574;
+pub const cli_file_CL_TYPE_GPT: cli_file = 575;
+pub const cli_file_CL_TYPE_APM: cli_file = 576;
+pub const cli_file_CL_TYPE_XDP: cli_file = 577;
+pub const cli_file_CL_TYPE_XML_WORD: cli_file = 578;
+pub const cli_file_CL_TYPE_XML_XL: cli_file = 579;
+pub const cli_file_CL_TYPE_XML_HWP: cli_file = 580;
+pub const cli_file_CL_TYPE_HWPOLE2: cli_file = 581;
+pub const cli_file_CL_TYPE_MHTML: cli_file = 582;
+pub const cli_file_CL_TYPE_LNK: cli_file = 583;
+pub const cli_file_CL_TYPE_UDF: cli_file = 584;
+pub const cli_file_CL_TYPE_ALZ: cli_file = 585;
+pub const cli_file_CL_TYPE_OTHER: cli_file = 586;
+pub const cli_file_CL_TYPE_IGNORED: cli_file = 587;
 pub type cli_file = ::std::os::raw::c_uint;
 pub use self::cli_file as cli_file_t;
 #[repr(C)]

sigtool/sigtool.c

@@ -980,7 +980,7 @@ static int sign(const struct optstruct *opts)
     if (NULL == target) {
         mprintf(LOGG_ERROR, "sign: No target file specified.\n");
         mprintf(LOGG_ERROR, "To sign a file with sigtool, you must specify a target file and use the --key and --cert options.\n");
-        mprintf(LOGG_ERROR, "For example:  sigtool --sign myfile.cvd --key /path/to/private.key --cert /path/to/public.pem --cert /path/to/intermediate.pem --cert /path/to/root-ca.pem\n");
+        mprintf(LOGG_ERROR, "For example:  sigtool --sign myfile.cvd --key /path/to/private.key --cert /path/to/public.crt --cert /path/to/intermediate.crt --cert /path/to/root-ca.crt\n");
         goto done;
     }
 
@@ -994,7 +994,7 @@ static int sign(const struct optstruct *opts)
     if (NULL == target) {
         mprintf(LOGG_ERROR, "sign: No private key specified.\n");
         mprintf(LOGG_ERROR, "To sign a file with sigtool, you must specify a target file and use the --key and --cert options.\n");
-        mprintf(LOGG_ERROR, "For example:  sigtool --sign myfile.cvd --key /path/to/private.key --cert /path/to/public.pem --cert /path/to/intermediate.pem --cert /path/to/root-ca.pem\n");
+        mprintf(LOGG_ERROR, "For example:  sigtool --sign myfile.cvd --key /path/to/private.key --cert /path/to/public.crt --cert /path/to/intermediate.crt --cert /path/to/root-ca.crt\n");
         goto done;
     }
 
@@ -1002,7 +1002,7 @@ static int sign(const struct optstruct *opts)
     if (NULL == opt) {
         mprintf(LOGG_ERROR, "sign: No signing or intermediate certificates specified.\n");
         mprintf(LOGG_ERROR, "To sign a file with sigtool, you must specify a target file and use the --key and --cert options.\n");
-        mprintf(LOGG_ERROR, "For example:  sigtool --sign myfile.cvd --key /path/to/private.key --cert /path/to/public.pem --cert /path/to/intermediate.pem --cert /path/to/root-ca.pem\n");
+        mprintf(LOGG_ERROR, "For example:  sigtool --sign myfile.cvd --key /path/to/private.key --cert /path/to/public.crt --cert /path/to/intermediate.crt --cert /path/to/root-ca.crt\n");
         goto done;
     }
 
@@ -1010,7 +1010,7 @@ static int sign(const struct optstruct *opts)
         if (!opt->strarg) {
             mprintf(LOGG_ERROR, "sign: The --cert option requires a path value to a signing or intermediate certificate.\n");
             mprintf(LOGG_ERROR, "To sign a file with sigtool, you must specify a target file and use the --key and --cert options.\n");
-            mprintf(LOGG_ERROR, "For example:  sigtool --sign myfile.cvd --key /path/to/private.key --cert /path/to/public.pem --cert /path/to/intermediate.pem --cert /path/to/root-ca.pem\n");
+            mprintf(LOGG_ERROR, "For example:  sigtool --sign myfile.cvd --key /path/to/private.key --cert /path/to/public.crt --cert /path/to/intermediate.crt --cert /path/to/root-ca.crt\n");
             goto done;
         }
 

unit_tests/CMakeLists.txt

@@ -264,7 +264,7 @@ set(ENVIRONMENT
     CK_DEFAULT_TIMEOUT=300
     LD_LIBRARY_PATH=${LD_LIBRARY_PATH}
     DYLD_LIBRARY_PATH=${LD_LIBRARY_PATH}
-    CVD_CERTS_DIR=${CMAKE_SOURCE_DIR}/unit_tests/input/signing/public
+    CVD_CERTS_DIR=${CMAKE_SOURCE_DIR}/unit_tests/input/signing/verify
     PATH=${NEW_PATH}
     LIBSSL=${LIBSSL}
     LIBCRYPTO=${LIBCRYPTO}

unit_tests/input/CMakeLists.txt

@@ -57,7 +57,7 @@ set(ENCRYPTED_TESTFILES
     clamav_hdb_scanfiles/clam.exe.2007.one
     clamav_hdb_scanfiles/clam.exe.2010.one
     clamav_hdb_scanfiles/clam.exe.webapp-export.one
-    signing/private/signing-test.key
+    signing/sign/signing-test.key
 )
 
 if(ENABLE_UNRAR)
@@ -69,7 +69,7 @@ endif()
 
 add_custom_target(tgt_build_unit_tests_directories ALL
     COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/clamav_hdb_scanfiles
-    COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/signing/private
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/signing/sign
 )
 
 # Decrypt test file

unit_tests/input/signing/sign/intermediate-test.crt

@@ -1,34 +1,3 @@
------BEGIN CERTIFICATE-----
-MIIFWTCCA0ECFE2pmfv8w11dekWvzh/bw7eQEp99MA0GCSqGSIb3DQEBCwUAMGkx
-CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNRDEPMA0GA1UEBwwGTGF1cmVsMQ4wDAYD
-VQQKDAVDaXNjbzEOMAwGA1UECwwFVGFsb3MxHDAaBgNVBAMME0NsYW1BViBURVNU
-IFJvb3QgQ0EwHhcNMjUwMzI2MTc1NjMyWhcNMjcwMzI2MTc1NjMyWjBpMQswCQYD
-VQQGEwJVUzELMAkGA1UECAwCTUQxDzANBgNVBAcMBkxhdXJlbDEOMAwGA1UECgwF
-Q2lzY28xDjAMBgNVBAsMBVRhbG9zMRwwGgYDVQQDDBNDbGFtQVYgVEVTVCBSb290
-IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1ARsUmzhLiv2scny
-9viNJPeROHSrZ8pPG4weMyjDdDhbrrCjPoBXMFYDqLGt853W20gWpbBq9wdZbbaS
-kqgv5DMy5FAtZcplx68Ern5TbbJkD5KiE9FA1FPAGL9Cq6JXKerSxj0njX6U8K+d
-FqOUXqyWRk1HMD8UiynrpwDD6tpsfevOTIlbLpwvi3xb79EAXq2vHoyH2bkiY/+H
-QzezYkBVRxRDt1q4XiklPpoX/2vnROQ9n8yQ0CH/bC0SSwQNHBXOTmTDsKtCfEhD
-mGCY62dfBlotZiJTKj/mCZZ1/Yb3UCRm1yqhuDJFnubAyHsTL1KScN73ICI2JA8b
-jiqHr5Cl8Q2olgd4iQs+HdzxXObZUGoaG+3mOG5SRq9CWyjGn37HZpTQsll3jlld
-kRWVliVDfwTSqp8R2aqd8cDrjtzKqUkCAVgLswTLybpFvlIvY+VDyCvlszFxxvVY
-9qKn9IBXaT33zO4oAgxQGsnXLpL6lM86n81Dl6Yvb2r8SY5mMIvuMQYm16fKCf9C
-2ZCV7pQcOgaUKk3/eqqwu4Bvt4Y2wtG5ABSoboAMixOdE2XUPzBKcKxdNN/PcD5P
-Hb3ogTCeUM44o3onhD2xaMR7tOtZtGT2AdA4zhVfuJi7MsU7ia/oCA2/Om6LUYL1
-H7YXGl4/FKz9OTZqGtnn6qt1lPkCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAMAQQ
-i6IgsNzSijrtykLCs0Ocjzjr1vGEY9gs0z+InleRD+SOPnS9/aa7ZlvduR3pPlMp
-/roV8+GSEwV6tgvxF5V5KYXpAl1hmeZnx6p/BtPtaTkq6uKJOoErrQuC2KkHn8Dp
-olb4N9IkDNkVmPYupSDTy4ZX2GRFkCOvPnUVP+pXY7IVVuR6LEAQ9bm+Rwfyd+TZ
-bdKA3wnNLmTAyLjS2UNTBlXAf6iKi/k/UEfbriCEDaXafx860DX2iTdhNUlBL5ba
-GpW/AZpCEsLGAQ6wFOXpmGFjjKgND3B83MRAiaH5iINrDB2c2+pNU/5QXhOGEkDq
-/I7jRq/t96fYH+xpyCg5gNlKfQznvvS01GrssNblGZ1sdDuRMp9TCZ31WS09BM01
-6hXM85CSnoYXdv77bapx3v9bAupo5hUyY5pGDJu6GRJZ6u/xd7c4CJv/NlKMeKX4
-H51VoTZiU47DZ9uplnDB5fXsgsf6gutdQrr8DmKeEhS7YhBdRhoQOt4FRwknlS76
-bFMAGSxH/XPJDqOFXXR2arhZNP/s//suaNVSWF4gLgVSmmzLB5I2RzG/klW6b1GT
-46tsFUOLkEWnMKOvHfo3zPstS8u/W9CYf0xCqLaSINXmaNXver/dXugixu9M15bc
-72CWJ5EESQkTUCIuJIR6uLWu73rKPEy+0LOkDDQ=
------END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)

unit_tests/input/signing/verify/clamav-test.crt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFWTCCA0ECFE2pmfv8w11dekWvzh/bw7eQEp99MA0GCSqGSIb3DQEBCwUAMGkx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNRDEPMA0GA1UEBwwGTGF1cmVsMQ4wDAYD
+VQQKDAVDaXNjbzEOMAwGA1UECwwFVGFsb3MxHDAaBgNVBAMME0NsYW1BViBURVNU
+IFJvb3QgQ0EwHhcNMjUwMzI2MTc1NjMyWhcNMjcwMzI2MTc1NjMyWjBpMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCTUQxDzANBgNVBAcMBkxhdXJlbDEOMAwGA1UECgwF
+Q2lzY28xDjAMBgNVBAsMBVRhbG9zMRwwGgYDVQQDDBNDbGFtQVYgVEVTVCBSb290
+IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1ARsUmzhLiv2scny
+9viNJPeROHSrZ8pPG4weMyjDdDhbrrCjPoBXMFYDqLGt853W20gWpbBq9wdZbbaS
+kqgv5DMy5FAtZcplx68Ern5TbbJkD5KiE9FA1FPAGL9Cq6JXKerSxj0njX6U8K+d
+FqOUXqyWRk1HMD8UiynrpwDD6tpsfevOTIlbLpwvi3xb79EAXq2vHoyH2bkiY/+H
+QzezYkBVRxRDt1q4XiklPpoX/2vnROQ9n8yQ0CH/bC0SSwQNHBXOTmTDsKtCfEhD
+mGCY62dfBlotZiJTKj/mCZZ1/Yb3UCRm1yqhuDJFnubAyHsTL1KScN73ICI2JA8b
+jiqHr5Cl8Q2olgd4iQs+HdzxXObZUGoaG+3mOG5SRq9CWyjGn37HZpTQsll3jlld
+kRWVliVDfwTSqp8R2aqd8cDrjtzKqUkCAVgLswTLybpFvlIvY+VDyCvlszFxxvVY
+9qKn9IBXaT33zO4oAgxQGsnXLpL6lM86n81Dl6Yvb2r8SY5mMIvuMQYm16fKCf9C
+2ZCV7pQcOgaUKk3/eqqwu4Bvt4Y2wtG5ABSoboAMixOdE2XUPzBKcKxdNN/PcD5P
+Hb3ogTCeUM44o3onhD2xaMR7tOtZtGT2AdA4zhVfuJi7MsU7ia/oCA2/Om6LUYL1
+H7YXGl4/FKz9OTZqGtnn6qt1lPkCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAMAQQ
+i6IgsNzSijrtykLCs0Ocjzjr1vGEY9gs0z+InleRD+SOPnS9/aa7ZlvduR3pPlMp
+/roV8+GSEwV6tgvxF5V5KYXpAl1hmeZnx6p/BtPtaTkq6uKJOoErrQuC2KkHn8Dp
+olb4N9IkDNkVmPYupSDTy4ZX2GRFkCOvPnUVP+pXY7IVVuR6LEAQ9bm+Rwfyd+TZ
+bdKA3wnNLmTAyLjS2UNTBlXAf6iKi/k/UEfbriCEDaXafx860DX2iTdhNUlBL5ba
+GpW/AZpCEsLGAQ6wFOXpmGFjjKgND3B83MRAiaH5iINrDB2c2+pNU/5QXhOGEkDq
+/I7jRq/t96fYH+xpyCg5gNlKfQznvvS01GrssNblGZ1sdDuRMp9TCZ31WS09BM01
+6hXM85CSnoYXdv77bapx3v9bAupo5hUyY5pGDJu6GRJZ6u/xd7c4CJv/NlKMeKX4
+H51VoTZiU47DZ9uplnDB5fXsgsf6gutdQrr8DmKeEhS7YhBdRhoQOt4FRwknlS76
+bFMAGSxH/XPJDqOFXXR2arhZNP/s//suaNVSWF4gLgVSmmzLB5I2RzG/klW6b1GT
+46tsFUOLkEWnMKOvHfo3zPstS8u/W9CYf0xCqLaSINXmaNXver/dXugixu9M15bc
+72CWJ5EESQkTUCIuJIR6uLWu73rKPEy+0LOkDDQ=
+-----END CERTIFICATE-----

unit_tests/input/verify/clamav.crt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFWTCCA0ECFE2pmfv8w11dekWvzh/bw7eQEp99MA0GCSqGSIb3DQEBCwUAMGkx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNRDEPMA0GA1UEBwwGTGF1cmVsMQ4wDAYD
+VQQKDAVDaXNjbzEOMAwGA1UECwwFVGFsb3MxHDAaBgNVBAMME0NsYW1BViBURVNU
+IFJvb3QgQ0EwHhcNMjUwMzI2MTc1NjMyWhcNMjcwMzI2MTc1NjMyWjBpMQswCQYD
+VQQGEwJVUzELMAkGA1UECAwCTUQxDzANBgNVBAcMBkxhdXJlbDEOMAwGA1UECgwF
+Q2lzY28xDjAMBgNVBAsMBVRhbG9zMRwwGgYDVQQDDBNDbGFtQVYgVEVTVCBSb290
+IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1ARsUmzhLiv2scny
+9viNJPeROHSrZ8pPG4weMyjDdDhbrrCjPoBXMFYDqLGt853W20gWpbBq9wdZbbaS
+kqgv5DMy5FAtZcplx68Ern5TbbJkD5KiE9FA1FPAGL9Cq6JXKerSxj0njX6U8K+d
+FqOUXqyWRk1HMD8UiynrpwDD6tpsfevOTIlbLpwvi3xb79EAXq2vHoyH2bkiY/+H
+QzezYkBVRxRDt1q4XiklPpoX/2vnROQ9n8yQ0CH/bC0SSwQNHBXOTmTDsKtCfEhD
+mGCY62dfBlotZiJTKj/mCZZ1/Yb3UCRm1yqhuDJFnubAyHsTL1KScN73ICI2JA8b
+jiqHr5Cl8Q2olgd4iQs+HdzxXObZUGoaG+3mOG5SRq9CWyjGn37HZpTQsll3jlld
+kRWVliVDfwTSqp8R2aqd8cDrjtzKqUkCAVgLswTLybpFvlIvY+VDyCvlszFxxvVY
+9qKn9IBXaT33zO4oAgxQGsnXLpL6lM86n81Dl6Yvb2r8SY5mMIvuMQYm16fKCf9C
+2ZCV7pQcOgaUKk3/eqqwu4Bvt4Y2wtG5ABSoboAMixOdE2XUPzBKcKxdNN/PcD5P
+Hb3ogTCeUM44o3onhD2xaMR7tOtZtGT2AdA4zhVfuJi7MsU7ia/oCA2/Om6LUYL1
+H7YXGl4/FKz9OTZqGtnn6qt1lPkCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAMAQQ
+i6IgsNzSijrtykLCs0Ocjzjr1vGEY9gs0z+InleRD+SOPnS9/aa7ZlvduR3pPlMp
+/roV8+GSEwV6tgvxF5V5KYXpAl1hmeZnx6p/BtPtaTkq6uKJOoErrQuC2KkHn8Dp
+olb4N9IkDNkVmPYupSDTy4ZX2GRFkCOvPnUVP+pXY7IVVuR6LEAQ9bm+Rwfyd+TZ
+bdKA3wnNLmTAyLjS2UNTBlXAf6iKi/k/UEfbriCEDaXafx860DX2iTdhNUlBL5ba
+GpW/AZpCEsLGAQ6wFOXpmGFjjKgND3B83MRAiaH5iINrDB2c2+pNU/5QXhOGEkDq
+/I7jRq/t96fYH+xpyCg5gNlKfQznvvS01GrssNblGZ1sdDuRMp9TCZ31WS09BM01
+6hXM85CSnoYXdv77bapx3v9bAupo5hUyY5pGDJu6GRJZ6u/xd7c4CJv/NlKMeKX4
+H51VoTZiU47DZ9uplnDB5fXsgsf6gutdQrr8DmKeEhS7YhBdRhoQOt4FRwknlS76
+bFMAGSxH/XPJDqOFXXR2arhZNP/s//suaNVSWF4gLgVSmmzLB5I2RzG/klW6b1GT
+46tsFUOLkEWnMKOvHfo3zPstS8u/W9CYf0xCqLaSINXmaNXver/dXugixu9M15bc
+72CWJ5EESQkTUCIuJIR6uLWu73rKPEy+0LOkDDQ=
+-----END CERTIFICATE-----

unit_tests/sigtool_test.py

@@ -167,11 +167,12 @@ class TC(testcase.TestCase):
 
         self.log.warning('VG: {}'.format(os.getenv("VG")))
 
-        command = '{valgrind} {valgrind_args} {sigtool} --sign {input} --key {key} --cert {cert}'.format(
+        command = '{valgrind} {valgrind_args} {sigtool} --sign {input} --key {signing_key} --cert {signing_cert} --cert {intermediate_cert}'.format(
             valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, sigtool=TC.sigtool,
             input=TC.path_tmp / 'file_to_sign',
-            key=TC.path_build / 'unit_tests' / 'input' / 'signing' / 'private' / 'signing-test.key',
-            cert=TC.path_source / 'unit_tests' / 'input' / 'signing' / 'private' / 'signing-test.crt'
+            signing_key=TC.path_build / 'unit_tests' / 'input' / 'signing' / 'sign' / 'signing-test.key',
+            signing_cert=TC.path_source / 'unit_tests' / 'input' / 'signing' / 'sign' / 'signing-test.crt',
+            intermediate_cert=TC.path_source / 'unit_tests' / 'input' / 'signing' / 'sign' / 'intermediate-test.crt'
         )
         output = self.execute_command(command)
 
@@ -182,7 +183,7 @@ class TC(testcase.TestCase):
         command = '{valgrind} {valgrind_args} {sigtool} --verify {input} --cvdcertsdir {cvdcertsdir}'.format(
             valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, sigtool=TC.sigtool,
             input=TC.path_tmp / 'file_to_sign',
-            cvdcertsdir=TC.path_source / 'unit_tests' / 'input' / 'signing' / 'public'
+            cvdcertsdir=TC.path_source / 'unit_tests' / 'input' / 'signing' / 'verify'
         )
         output = self.execute_command(command)
 
@@ -203,7 +204,7 @@ class TC(testcase.TestCase):
         command = '{valgrind} {valgrind_args} {sigtool} --verify {input} --cvdcertsdir {cvdcertsdir}'.format(
             valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, sigtool=TC.sigtool,
             input=TC.path_tmp / 'file_to_sign',
-            cvdcertsdir=TC.path_source / 'unit_tests' / 'input' / 'signing' / 'public'
+            cvdcertsdir=TC.path_source / 'unit_tests' / 'input' / 'signing' / 'verify'
         )
         output = self.execute_command(command)