1 /// Implements parsing of pe32's Attribute Certificate Table
3 /// https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only
4 /// https://learn.microsoft.com/en-us/windows/win32/api/wintrust/ns-wintrust-win_certificate
8 use alloc::string::ToString;
12 #[derive(Debug, PartialEq, Copy, Clone)]
13 pub enum AttributeCertificateRevision {
14 /// WIN_CERT_REVISION_1_0
16 /// WIN_CERT_REVISION_2_0
20 impl TryFrom<u16> for AttributeCertificateRevision {
21 type Error = error::Error;
23 fn try_from(value: u16) -> Result<Self, Self::Error> {
25 x if x == AttributeCertificateRevision::Revision1_0 as u16 => {
26 AttributeCertificateRevision::Revision1_0
28 x if x == AttributeCertificateRevision::Revision2_0 as u16 => {
29 AttributeCertificateRevision::Revision2_0
32 return Err(error::Error::Malformed(
33 "Invalid certificate attribute revision".to_string(),
42 pub enum AttributeCertificateType {
43 /// WIN_CERT_TYPE_X509
45 /// WIN_CERT_TYPE_PKCS_SIGNED_DATA
46 PkcsSignedData = 0x0002,
47 /// WIN_CERT_TYPE_RESERVED_1
49 /// WIN_CERT_TYPE_TS_STACK_SIGNED
50 TsStackSigned = 0x0004,
53 impl TryFrom<u16> for AttributeCertificateType {
54 type Error = error::Error;
56 fn try_from(value: u16) -> Result<Self, Self::Error> {
58 x if x == AttributeCertificateType::X509 as u16 => AttributeCertificateType::X509,
59 x if x == AttributeCertificateType::PkcsSignedData as u16 => {
60 AttributeCertificateType::PkcsSignedData
62 x if x == AttributeCertificateType::Reserved1 as u16 => {
63 AttributeCertificateType::Reserved1
65 x if x == AttributeCertificateType::TsStackSigned as u16 => {
66 AttributeCertificateType::TsStackSigned
69 return Err(error::Error::Malformed(
70 "Invalid attribute certificate type".to_string(),
77 #[derive(Clone, Pread)]
78 struct AttributeCertificateHeader {
82 certificate_type: u16,
85 const CERTIFICATE_DATA_OFFSET: u32 = 8;
87 pub struct AttributeCertificate<'a> {
89 pub revision: AttributeCertificateRevision,
90 pub certificate_type: AttributeCertificateType,
91 pub certificate: &'a [u8],
94 impl<'a> AttributeCertificate<'a> {
97 current_offset: &mut usize,
98 ) -> Result<AttributeCertificate<'a>, error::Error> {
99 // `current_offset` is moved sizeof(AttributeCertificateHeader) = 8 bytes further.
100 let header: AttributeCertificateHeader = bytes.gread_with(current_offset, scroll::LE)?;
101 let cert_size = usize::try_from(header.length.saturating_sub(CERTIFICATE_DATA_OFFSET))
103 error::Error::Malformed(
104 "Attribute certificate size do not fit in usize".to_string(),
108 if let Some(bytes) = bytes.get(*current_offset..(*current_offset + cert_size)) {
110 length: header.length,
111 revision: header.revision.try_into()?,
112 certificate_type: header.certificate_type.try_into()?,
115 // Moving past the certificate data.
116 // Prevent the current_offset to wrap and ensure current_offset is strictly increasing.
117 *current_offset = current_offset.saturating_add(cert_size);
118 // Round to the next 8-bytes.
119 *current_offset = (*current_offset + 7) & !7;
122 Err(error::Error::Malformed(format!(
123 "Unable to extract certificate. Probably cert_size:{} is malformed",
130 pub type CertificateDirectoryTable<'a> = Vec<AttributeCertificate<'a>>;
131 pub(crate) fn enumerate_certificates(
133 table_virtual_address: u32,
135 ) -> Result<CertificateDirectoryTable, error::Error> {
136 let table_start_offset = usize::try_from(table_virtual_address).map_err(|_err| {
137 error::Error::Malformed("Certificate table RVA do not fit in a usize".to_string())
139 // Here, we do not want wrapping semantics as it means that a too big table size or table start
140 // offset will provide table_end_offset such that table_end_offset < table_start_offset, which
141 // is not desirable at all.
142 let table_end_offset =
143 table_start_offset.saturating_add(usize::try_from(table_size).map_err(|_err| {
144 error::Error::Malformed("Certificate table size do not fit in a usize".to_string())
146 let mut current_offset = table_start_offset;
147 let mut attrs = vec![];
149 // End offset cannot be further than the binary we have at hand.
150 if table_end_offset > bytes.len() {
151 return Err(error::Error::Malformed(
152 "End of attribute certificates table is after the end of the PE binary".to_string(),
156 // This is guaranteed to terminate, either by a malformed error being returned
157 // or because current_offset >= table_end_offset by virtue of current_offset being strictly
158 // increasing through `AttributeCertificate::parse`.
159 while current_offset < table_end_offset {
160 attrs.push(AttributeCertificate::parse(bytes, &mut current_offset)?);