Print name of authenticode certificate revocation entry when in debug mode

12 years ago · 0f418a13cc
parent 251175261f
commit 0f418a13cc
4 changed files with 17 additions and 3 deletions
--- a/libclamav/asn1.c
+++ b/libclamav/asn1.c
@ -860,8 +860,10 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg
            }

 		    if(parent) {
-                if (parent->isBlacklisted)
+                if (parent->isBlacklisted) {
                    isBlacklisted = 1;
+                    cli_dbgmsg_internal("asn1_parse_mscat: Authenticode certificate %s is revoked. Flagging sample as virus.\n", (parent->name ? parent->name : "(no name)"));
+                }

 			x509->codeSign &= parent->codeSign;
 			x509->timeSign &= parent->timeSign;
@ -1299,7 +1301,6 @@ static int asn1_parse_mscat(fmap_t *map, size_t offset, unsigned int size, crtmg

 	cli_dbgmsg("asn1_parse_mscat: catalog succesfully parsed\n");
    if (isBlacklisted) {
-        cli_dbgmsg("asn1_parse_mscat: executable containes revoked cert.\n");
        return 1;
    }
 	return 0;
--- a/libclamav/crtmgr.c
+++ b/libclamav/crtmgr.c
@ -31,6 +31,7 @@ int cli_crt_init(cli_crt *x509) {
 	cli_errmsg("cli_crt_init: mp_init_multi failed with %d\n", ret);
 	return 1;
    }
+    x509->name = NULL;
    x509->isBlacklisted = 0;
    x509->not_before = x509->not_after = 0;
    x509->prev = x509->next = NULL;
@ -53,7 +54,7 @@ cli_crt *crtmgr_lookup(crtmgr *m, cli_crt *x509) {
 	   !memcmp(x509->subject, i->subject, sizeof(i->subject)) &&
 	   !memcmp(x509->serial, i->serial, sizeof(i->serial)) &&
 	   !mp_cmp(&x509->n, &i->n) &&
-	   !mp_cmp(&x509->e, &i->e)) {
+	   !mp_cmp(&x509->e, &i->e) && !(i->isBlacklisted)) {
 	    return i;
 	}
    }
@ -120,6 +121,12 @@ int crtmgr_add(crtmgr *m, cli_crt *x509) {
 	free(i);
 	return 1;
    }
+
+    if ((x509->name))
+        i->name = strdup(x509->name);
+    else
+        i->name = NULL;
+
    memcpy(i->subject, x509->subject, sizeof(i->subject));
    memcpy(i->serial, x509->serial, sizeof(i->serial));
    memcpy(i->issuer, x509->issuer, sizeof(i->issuer));
--- a/libclamav/crtmgr.h
+++ b/libclamav/crtmgr.h
@ -30,6 +30,7 @@ typedef enum { CLI_SHA1RSA, CLI_MD5RSA } cli_crt_hashtype;
 typedef enum {VRFY_CODE, VRFY_TIME} cli_vrfy_type;

 typedef struct cli_crt_t {
+    char *name;
    uint8_t subject[SHA1_HASH_SIZE];
    uint8_t issuer[SHA1_HASH_SIZE];
    uint8_t tbshash[SHA1_HASH_SIZE];
--- a/libclamav/readdb.c
+++ b/libclamav/readdb.c
@ -2510,6 +2510,11 @@ static int cli_loadcrt(FILE *fs, struct cl_engine *engine, struct cli_dbio *dbio
                goto end;
        }

+        if (strlen(tokens[0]))
+            ca.name = tokens[0];
+        else
+            ca.name = NULL;
+
        if (strlen(tokens[9]))
            ca.not_before = atoi(tokens[8]);
        ca.not_after = (-1U)>>1;