Improved authenticode.js error handling for #4134

authenticode.js

@@ -288,17 +288,33 @@ function createAuthenticodeHandler(path) {
             var derlen = forge.asn1.getBerValueLength(forge.util.createBuffer(pkcs7raw.slice(1, 5))) + 4;
             if (derlen != pkcs7raw.length) { pkcs7raw = pkcs7raw.slice(0, derlen); }
 
-            // Decode the signature block
+            // Decode the signature block and check that it's valid
-            var pkcs7der = forge.asn1.fromDer(forge.util.createBuffer(pkcs7raw));
+            var pkcs7der = null, valid = false;
-
+            try { pkcs7der = forge.asn1.fromDer(forge.util.createBuffer(pkcs7raw)); } catch (ex) { }
+            try { valid = ((pkcs7der != null) && (forge.asn1.derToOid(pkcs7der.value[1].value[0].value[2].value[0].value) == "1.3.6.1.4.1.311.2.1.4")); } catch (ex) { }
+            if (pkcs7der == null) {
+                // Can't decode the signature
+                obj.header.sigpos = 0;
+                obj.header.siglen = 0;
+                obj.header.signed = false;
+            } else {
                 // To work around ForgeJS PKCS#7 limitation, this may break PKCS7 verify if ForgeJS adds support for it in the future
                 // Switch content type from "1.3.6.1.4.1.311.2.1.4" to "1.2.840.113549.1.7.1"
                 pkcs7der.value[1].value[0].value[2].value[0].value = forge.asn1.oidToDer(forge.pki.oids.data).data;
 
                 // Decode the PKCS7 message
-            var pkcs7 = p7.messageFromAsn1(pkcs7der);
+                var pkcs7 = null, pkcs7content = null;
-            var pkcs7content = pkcs7.rawCapture.content.value[0];
+                try {
+                    pkcs7 = p7.messageFromAsn1(pkcs7der);
+                    pkcs7content = pkcs7.rawCapture.content.value[0];
+                } catch (ex) { }
 
+                if ((pkcs7 == null) || (pkcs7content == null)) {
+                    // Can't decode the signature
+                    obj.header.sigpos = 0;
+                    obj.header.siglen = 0;
+                    obj.header.signed = false;
+                } else {
                     // Verify a PKCS#7 signature
                     // Verify is not currently supported in node-forge, but if implemented in the future, this code could work.
                     //var caStore = forge.pki.createCaStore();
@@ -360,6 +376,8 @@ function createAuthenticodeHandler(path) {
                     // Compute the actual file hash
                     if (obj.fileHashAlgo != null) { obj.fileHashActual = obj.getHash(obj.fileHashAlgo); }
                 }
+            }
+        }
         return true;
     }
 
@@ -486,7 +504,7 @@ function createAuthenticodeHandler(path) {
                 fs.closeSync(output);
 
                 // Indicate we are done
-                func(null, written);
+                func(null);
             });
         });
 
@@ -1372,7 +1390,7 @@ function createAuthenticodeHandler(path) {
 
         // Close the file
         fs.closeSync(output);
-        func(null, written);
+        func(null);
     }
 
     // Save an executable without the signature
@@ -1635,7 +1653,7 @@ function createAuthenticodeHandler(path) {
         fs.closeSync(output);
 
         // Indicate success
-        func(null, written);
+        func(null);
     }
 
     function writeExecutableEx(output, p7signature, written, func) {
@@ -1669,7 +1687,7 @@ function createAuthenticodeHandler(path) {
         fs.closeSync(output);
 
         // Indicate success
-        func(null, written);
+        func(null);
     }
 
     // Return null if we could not open the file