zhuowei · October 1, 2023 04:28
diff --git a/more_coretrust_notes.txt b/more_coretrust_notes.txt
 Also see https://github.com/zhuowei/CoreTrustDemo/blob/main/littlemis.txt for my previous notes

 first time X509ChainCheckPathWithOptions, param3 (options) is null
 second time X509ChainCheckPathWithOptions, param3 (options) is set
 -> This is the call out of CTEvaluateAMFICodeSignatureCMS_MaxDigestType, and is the one that sets the flags

 struct ContentInfoSignedData {
  int always4; // 0x0
  void* someBufferFromCTParseContentInfoSignedDataArg6; // 0x8
  // ?
  int initially0; // 0x18
  int* pointsToInitially0; // 0x20
  // These are read by CMSParseSignerInfos
  void* signerInfoBlobs; // 0x28, points to the root of the first signerInfo blob
  size_t signerInfoBlobsSize; // 0x30? 
  SignerInfo* signerInfo; // 0x38 - points to fee20 above; the pointed SignerInfo is populated in CMSParseSignerInfos after validateSignerInfoAndChain callback
  size_t signerInfoCount; // 0x40 - always set to 1 by CTParseSignerInfos
 // more stuff
  void* detachedOrAttachedData; // 0x48 // could be either attached or detached pkcs7
  long detachedOrAttachedDataLen; // 0x50
  // something
  int param7FromCTParseContentInfoSignedData; // 0x60 - 0 for normal, 0x10 for PubKey - maxDigestType? compared with find_digest
  uint64 something68FromValidateSignerInfo; // cached hash for detachedOrAttachedData
  uint64 something70FromValidateSignerInfo; // hash length for detachedOrAttachedData
 } // 0x78

 // All of this is populated by CMSParseSignerInfos
 struct SignerInfo {
  int something; // 3 and 1 are checked in CMSBuildPath
  CTAsn1Item partOfTheLastCertChainAuthorityMaybe; // 0x8
  CTAsn1Item someOid; // 0x18
  CTAsn1Item someOtherPartLastCert; // 0x28
  CTAsn1Item someOid; // 0x38
  // 0x10 blank 0x48 - ????
  CTAsn1Item anotherCertificatePart; // 0x58
  int hashTypeMaybe; // 0x68 - 4; written inside validateSigner
  CTAsn1Item theHash; // 0x70
  // 0x10 blank 0x80; written at end of validateSignerInfo
 // 0x80, 0x88: signerHash, signerHashLength
  // NEWLY ADDED BY PATCH - moved from thePath
  // struct Certificate* pathChain; // 0x90
  // struct Certificate* pathChainEnd; // 0x90
  // int lastError; // 0xa0
 }; // 0x90

 struct ThePath {
  struct Certificate* certificate; // 0x0 // REMOVED BY PATCH
  struct Certificate* certificateEnd; // 0x8 // REMOVED BY PATCH
  int lastError; // 0x10 // REMOVED BY PATCH
  X509Policy* x509Policy; // 0x18
  int validateSignerInfoFlagsSomething; // 0x20
 }; // 0x28

 CTParseContentInfoSignedData(struct ContentInfoSignedData* arg1, void* cmsData, size_t cmsLen, void* detachedData, size_t detachedDataLen, void* someBuffer, int arg7);

 0x70002: CMSAttributeParseMessageDigest actual data hash and SignedData hash don't match

 validateSignerInfoAndChain actually returns 0 and only sets the lastError on thePath
 CMSParseSignerInfos also returns 0
 CTParseSignerInfos is the only one that actually returns the error

 but it always overwrites with the LAST one, eh.

 0 is only written to the lastError if X509CertificateCheckSignatureDigest returns 0
 CTParseSignerInfos(struct ContentInfoSignedData* something, SignerInfo* signerInfoOutput, ThePath* thePath, X509Policy* policyForValidateSignerInfoAndChain, int flagsMaybeForValidateSignerInfo);
 somethingelse is size 0x90, memset to 0 - SignerInfoBuf - output of CMSParseSignerInfos, I guess?
 This ThePath is passed into validateSignerInfoAndChain as param1 and is the path in that one's X509ChainCheckPath
 ThePath's certificate is written in X509ChainResetChain <- CMSBuildPath <- validateSignerInfo, X509ChainBuildPathPartial

 -> so validateSignerInfo calls builds the final path that we use to get flags, and then validateSignerInfoAndChain uses the path immediately?

 validateSignerInfo is the only thing that actually checks if the blob is actually signed: validateSignerInfo via the ccdigest call.

 -> So if you can have validateSignerInfo call X509ChainCheckPathWithOptions with one set of certs (since this doesn't check policy at all), but use something different for the other X509ChainCheckPathWithOptions call?

 validateSignerInfoAndChain(ThePath* param1, struct ContentInfoSignedData* something, int theArg3);

 ... so we need validateSignerInfo to populate param1 wrong?

 signerInfoOutput is actually populated by 


 validateSignerInfoAndChain(ThePath* thePath, struct ContentInfoSignedData* something, SignerInfo* what); // ?????
 If validateSignerInfoAndChain succeeds, this signerInfo is then copied back to CTParseSignerInfos's signerInfoOutput by CTParseSignerInfos

 patch moves the certificates + lastError into SignerInfo

 _validateSignerInfo can return 0x5001e (digest length invalid)  which will skip to the next one

 if none of them worked, CTParseSignerInfos returns 0x70001 (the error set initially)

 CMSEncoderAddSigners
 last signer wins

 openssl cms -cmsout -in ../cmsblob.der -inform der -print
 X509CertificateCheckSignatureDigest(int something, struct Certificate* theCert, CTAsn1Item theHash, CTAsn1Item someOidFromSignerInfo, CTAsn1Item anotherCertificatePartFromSignerInfo);
 theHash here is the hash of the signed data (the cdblob)

 so:
 - last SignerInfo wins for both the output cert chain and the SignerInfo output struct
 - each SignerInfo needs to validate correctly
 - except for the lastError: this one gets overwritten so as long as the last one validates correctly, it's fine
 - CMSBuildPath writes directly to the output cert chain
 - CMSBuildPath and X509CertificateCheckSignatureDigest is run every time, so if I want to have it set lastError to 0 it needs to rebuild the path and validate the digest to be equal

 0x80008 and 0x80009 are in X509ChainBuildPathPartial
	Also see https://github.com/zhuowei/CoreTrustDemo/blob/main/littlemis.txt for my previous notes

	first time X509ChainCheckPathWithOptions, param3 (options) is null
	second time X509ChainCheckPathWithOptions, param3 (options) is set
	-> This is the call out of CTEvaluateAMFICodeSignatureCMS_MaxDigestType, and is the one that sets the flags

	struct ContentInfoSignedData {
	int always4; // 0x0
	void* someBufferFromCTParseContentInfoSignedDataArg6; // 0x8
	// ?
	int initially0; // 0x18
	int* pointsToInitially0; // 0x20
	// These are read by CMSParseSignerInfos
	void* signerInfoBlobs; // 0x28, points to the root of the first signerInfo blob
	size_t signerInfoBlobsSize; // 0x30?
	SignerInfo* signerInfo; // 0x38 - points to fee20 above; the pointed SignerInfo is populated in CMSParseSignerInfos after validateSignerInfoAndChain callback
	size_t signerInfoCount; // 0x40 - always set to 1 by CTParseSignerInfos
	// more stuff
	void* detachedOrAttachedData; // 0x48 // could be either attached or detached pkcs7
	long detachedOrAttachedDataLen; // 0x50
	// something
	int param7FromCTParseContentInfoSignedData; // 0x60 - 0 for normal, 0x10 for PubKey - maxDigestType? compared with find_digest
	uint64 something68FromValidateSignerInfo; // cached hash for detachedOrAttachedData
	uint64 something70FromValidateSignerInfo; // hash length for detachedOrAttachedData
	} // 0x78

	// All of this is populated by CMSParseSignerInfos
	struct SignerInfo {
	int something; // 3 and 1 are checked in CMSBuildPath
	CTAsn1Item partOfTheLastCertChainAuthorityMaybe; // 0x8
	CTAsn1Item someOid; // 0x18
	CTAsn1Item someOtherPartLastCert; // 0x28
	CTAsn1Item someOid; // 0x38
	// 0x10 blank 0x48 - ????
	CTAsn1Item anotherCertificatePart; // 0x58
	int hashTypeMaybe; // 0x68 - 4; written inside validateSigner
	CTAsn1Item theHash; // 0x70
	// 0x10 blank 0x80; written at end of validateSignerInfo
	// 0x80, 0x88: signerHash, signerHashLength
	// NEWLY ADDED BY PATCH - moved from thePath
	// struct Certificate* pathChain; // 0x90
	// struct Certificate* pathChainEnd; // 0x90
	// int lastError; // 0xa0
	}; // 0x90

	struct ThePath {
	struct Certificate* certificate; // 0x0 // REMOVED BY PATCH
	struct Certificate* certificateEnd; // 0x8 // REMOVED BY PATCH
	int lastError; // 0x10 // REMOVED BY PATCH
	X509Policy* x509Policy; // 0x18
	int validateSignerInfoFlagsSomething; // 0x20
	}; // 0x28

	CTParseContentInfoSignedData(struct ContentInfoSignedData* arg1, void* cmsData, size_t cmsLen, void* detachedData, size_t detachedDataLen, void* someBuffer, int arg7);

	0x70002: CMSAttributeParseMessageDigest actual data hash and SignedData hash don't match

	validateSignerInfoAndChain actually returns 0 and only sets the lastError on thePath
	CMSParseSignerInfos also returns 0
	CTParseSignerInfos is the only one that actually returns the error

	but it always overwrites with the LAST one, eh.

	0 is only written to the lastError if X509CertificateCheckSignatureDigest returns 0
	CTParseSignerInfos(struct ContentInfoSignedData* something, SignerInfo* signerInfoOutput, ThePath* thePath, X509Policy* policyForValidateSignerInfoAndChain, int flagsMaybeForValidateSignerInfo);
	somethingelse is size 0x90, memset to 0 - SignerInfoBuf - output of CMSParseSignerInfos, I guess?
	This ThePath is passed into validateSignerInfoAndChain as param1 and is the path in that one's X509ChainCheckPath
	ThePath's certificate is written in X509ChainResetChain <- CMSBuildPath <- validateSignerInfo, X509ChainBuildPathPartial

	-> so validateSignerInfo calls builds the final path that we use to get flags, and then validateSignerInfoAndChain uses the path immediately?

	validateSignerInfo is the only thing that actually checks if the blob is actually signed: validateSignerInfo via the ccdigest call.

	-> So if you can have validateSignerInfo call X509ChainCheckPathWithOptions with one set of certs (since this doesn't check policy at all), but use something different for the other X509ChainCheckPathWithOptions call?

	validateSignerInfoAndChain(ThePath* param1, struct ContentInfoSignedData* something, int theArg3);

	... so we need validateSignerInfo to populate param1 wrong?

	signerInfoOutput is actually populated by


	validateSignerInfoAndChain(ThePath* thePath, struct ContentInfoSignedData* something, SignerInfo* what); // ?????
	If validateSignerInfoAndChain succeeds, this signerInfo is then copied back to CTParseSignerInfos's signerInfoOutput by CTParseSignerInfos

	patch moves the certificates + lastError into SignerInfo

	_validateSignerInfo can return 0x5001e (digest length invalid) which will skip to the next one

	if none of them worked, CTParseSignerInfos returns 0x70001 (the error set initially)

	CMSEncoderAddSigners
	last signer wins

	openssl cms -cmsout -in ../cmsblob.der -inform der -print
	X509CertificateCheckSignatureDigest(int something, struct Certificate* theCert, CTAsn1Item theHash, CTAsn1Item someOidFromSignerInfo, CTAsn1Item anotherCertificatePartFromSignerInfo);
	theHash here is the hash of the signed data (the cdblob)

	so:
	- last SignerInfo wins for both the output cert chain and the SignerInfo output struct
	- each SignerInfo needs to validate correctly
	- except for the lastError: this one gets overwritten so as long as the last one validates correctly, it's fine
	- CMSBuildPath writes directly to the output cert chain
	- CMSBuildPath and X509CertificateCheckSignatureDigest is run every time, so if I want to have it set lastError to 0 it needs to rebuild the path and validate the digest to be equal

	0x80008 and 0x80009 are in X509ChainBuildPathPartial