microsoft · Penguinwizzard · Jul 8, 2019 · Aug 6, 2019 · Aug 7, 2019 · Aug 7, 2019
@@ -35,6 +35,13 @@ set(CMAKE_RUNTIME_OUTPUT_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/bin")
 set(CMAKE_ARCHIVE_OUTPUT_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/lib")
 set(CMAKE_LIBRARY_OUTPUT_DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/lib")
 
+## Require that the target is little endian
+include(TestBigEndian)
+TEST_BIG_ENDIAN(IS_BIG_ENDIAN)
+if(IS_BIG_ENDIAN)
+    message(FATAL_ERROR "Big endian targets are not supported at this time")
+endif()
+
 ## Git (and its revision)
 find_package(Git) # QUIET) # if we don't find git or FindGit.cmake is not on the system we ignore it.
 

@@ -147,6 +147,10 @@ The following native platforms are in development now:
 **Release x64 With Pack**|[![Build Status](https://dev.azure.com/ms/msix-packaging/_apis/build/status/msix-packaging%20Windows%20CI?branchName=master&jobName=Windows&configuration=Windows%20release_64_pack)](https://dev.azure.com/ms/msix-packaging/_build/latest?definitionId=64&branchName=master)|
 **Release x32 Xerces With Pack**|[![Build Status](https://dev.azure.com/ms/msix-packaging/_apis/build/status/msix-packaging%20Windows%20CI?branchName=master&jobName=Windows&configuration=Windows%20release_32_xerces)](https://dev.azure.com/ms/msix-packaging/_build/latest?definitionId=64&branchName=master)|
 **Release x64 Xerces With Pack**|[![Build Status](https://dev.azure.com/ms/msix-packaging/_apis/build/status/msix-packaging%20Windows%20CI?branchName=master&jobName=Windows&configuration=Windows%20release_64_xerces)](https://dev.azure.com/ms/msix-packaging/_build/latest?definitionId=64&branchName=master)|
+**Debug x32 With Pack and OpenSSL**|[![Build Status](https://dev.azure.com/ms/msix-packaging/_apis/build/status/msix-packaging%20Windows%20CI?branchName=master&jobName=Windows&configuration=Windows%20debug_32_sign)](https://dev.azure.com/ms/msix-packaging/_build/latest?definitionId=64&branchName=master)|
+**Debug x64 With Pack and OpenSSL**|[![Build Status](https://dev.azure.com/ms/msix-packaging/_apis/build/status/msix-packaging%20Windows%20CI?branchName=master&jobName=Windows&configuration=Windows%20debug_64_sign)](https://dev.azure.com/ms/msix-packaging/_build/latest?definitionId=64&branchName=master)|
+**Release x32 With Pack and OpenSSL**|[![Build Status](https://dev.azure.com/ms/msix-packaging/_apis/build/status/msix-packaging%20Windows%20CI?branchName=master&jobName=Windows&configuration=Windows%20release_32_sign)](https://dev.azure.com/ms/msix-packaging/_build/latest?definitionId=64&branchName=master)|
+**Release x64 With Pack and OpenSSL**|[![Build Status](https://dev.azure.com/ms/msix-packaging/_apis/build/status/msix-packaging%20Windows%20CI?branchName=master&jobName=Windows&configuration=Windows%20release_64_sign)](https://dev.azure.com/ms/msix-packaging/_build/latest?definitionId=64&branchName=master)|
 
 Built in the Azure Pipelines windows-latest pool. See specifications [here](https://github.com/actions/virtual-environments/blob/main/images/win/Windows2019-Readme.md)
 

@@ -36,8 +36,12 @@ file( COPY ${OpenSSL_SOURCE_PATH}/include/openssl DESTINATION ${OpenSLL_INCLUDE_
 
 if(WIN32)
     # TODO: Replicate build flags for cl
-    # Flags taken from OpenSSL Configure file for VC-WIN64A target.  More care may be required for other targets.
-    set(TARGET_COMPILE_FLAGS -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE)
+    # Flags taken from OpenSSL Configure file for VC-WIN64A target.  More care may be required for other targets.
+    if ((CMAKE_BUILD_TYPE MATCHES Release) OR (CMAKE_BUILD_TYPE MATCHES MinSizeRel))
+        set(TARGET_COMPILE_FLAGS -O1 -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE)
+    else()
+        set(TARGET_COMPILE_FLAGS -Zi -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE)
+    endif()
 else()
     set( TARGET_COMPILE_FLAGS -fno-rtti -fno-stack-protector -O1 -fno-unwind-tables -fno-asynchronous-unwind-tables
         -fno-math-errno -fno-unroll-loops -fmerge-all-constants)
@@ -84,6 +88,12 @@ endif()
 
 # Begin configure public headers
 file( READ "${MSIX_PROJECT_ROOT}/cmake/openssl/opensslconf.h.cmake" CONF )
+set(CONDITIONAL_CONF "")
+
+if(NOT MSIX_PACK)
+    set(CONDITIONAL_CONF "${CONDITIONAL_CONF}
+#define OPENSSL_NO_DES")
+endif()
 set( CONF "
 #define OPENSSL_NO_GMP
 #define OPENSSL_NO_JPAKE
@@ -100,7 +110,6 @@ set( CONF "
 #define OPENSSL_NO_BF
 #define OPENSSL_NO_IDEA
 #define OPENSSL_NO_ENGINE
-#define OPENSSL_NO_DES
 #define OPENSSL_NO_MDC2
 #define OPENSSL_NO_SEED
 #define OPENSSL_NO_DEPRECATED
@@ -124,6 +133,9 @@ set( CONF "
 #define OPENSSL_NO_CMS
 #define OPENSSL_NO_SRP
 #define OPENSSL_NO_SM2
+
+${CONDITIONAL_CONF}
+
 ${CONF}" )
 file( WRITE "${OpenSLL_INCLUDE_PATH}/openssl/opensslconf.h.cmake" "${CONF}" )
 
@@ -160,4 +172,4 @@ target_compile_definitions( crypto PRIVATE ${TARGET_DEFINES} ${TARGET_DEFINES_PR
 target_compile_options    ( crypto PRIVATE ${TARGET_COMPILE_FLAGS} ${TARGET_COMPILE_FLAGS_PRIVATE})
 target_include_directories( crypto PUBLIC  ${TARGET_INCLUDE_DIRS} ${OpenSLL_INCLUDE_PATH} ${OpenSLL_INCLUDE_PATH}/openssl)
 target_compile_definitions( crypto PUBLIC  ${TARGET_DEFINES} )
-target_compile_options    ( crypto PUBLIC  ${TARGET_COMPILE_FLAGS})
+target_compile_options    ( crypto PUBLIC  ${TARGET_COMPILE_FLAGS})
@@ -77,6 +77,7 @@ list(APPEND XSRC
     ${CRYPTO}/asn1/nsseq.c
     ${CRYPTO}/asn1/p5_pbe.c
     ${CRYPTO}/asn1/p5_pbev2.c
+    ${CRYPTO}/asn1/p5_scrypt.c
     ${CRYPTO}/asn1/p8_pkey.c
     ${CRYPTO}/asn1/t_bitst.c
     ${CRYPTO}/asn1/t_pkey.c
@@ -309,6 +310,7 @@ list(APPEND XSRC
     ${CRYPTO}/pkcs12/p12_npas.c
     ${CRYPTO}/pkcs12/p12_p8d.c
     ${CRYPTO}/pkcs12/p12_p8e.c
+    ${CRYPTO}/pkcs12/p12_sbag.c
     ${CRYPTO}/pkcs12/p12_utl.c
     ${CRYPTO}/pkcs12/pk12err.c
 
@@ -481,6 +483,30 @@ else()
     )
 endif()
 
+if(MSIX_PACK)
+    # Enable better error reporting in signing scenarios
+    list(APPEND XSRC
+    ${CRYPTO}/ocsp/ocsp_err.c
+    )
+
+    # Added for DES support
+    list(APPEND XSRC
+    ${CRYPTO}/evp/e_des.c
+    ${CRYPTO}/evp/e_des3.c
+    ${CRYPTO}/evp/e_xcbc_d.c
+    ${CRYPTO}/des/cfb_enc.c
+    ${CRYPTO}/des/ecb_enc.c
+    ${CRYPTO}/des/cfb64enc.c
+    ${CRYPTO}/des/cfb64ede.c
+    ${CRYPTO}/des/ofb64enc.c
+    ${CRYPTO}/des/ofb64ede.c
+    ${CRYPTO}/des/ecb3_enc.c
+    ${CRYPTO}/des/des_enc.c
+    ${CRYPTO}/des/xcbc_enc.c
+    ${CRYPTO}/des/set_key.c
+    )
+endif()
+
 if( WIN32 )
     list(APPEND XSRC
     ${CRYPTO}/async/arch/async_win.c

@@ -47,6 +47,18 @@ jobs:
       debug_64_pack:
         _arguments: x64 -d --pack
         _artifact: WIN32-x64chk-pack
+      release_32_sign:
+        _arguments: x86 --pack -co
+        _artifact: WIN32-sign
+      release_64_sign:
+        _arguments: x64 --pack -co
+        _artifact: WIN32-x64-sign
+      debug_32_sign:
+        _arguments: x86 -d --pack -co
+        _artifact: WIN32chk-sign
+      debug_64_sign:
+        _arguments: x64 -d --pack -co
+        _artifact: WIN32-x64chk-sign
 
   steps:
   - task: BatchScript@1

@@ -38,6 +38,8 @@ class IPackage : public IUnknown
 public:
     virtual void Unpack(MSIX_PACKUNPACK_OPTION options, const MSIX::ComPtr<IDirectoryObject>& to) = 0;
     virtual std::vector<std::string>& GetFootprintFiles() = 0;
+    virtual MSIX::ComPtr<IMsixFactory> GetFactory() = 0;
+    virtual MSIX::ComPtr<IStorageObject> GetUnderlyingStorageObject() = 0;
 };
 MSIX_INTERFACE(IPackage, 0x51b2c456,0xaaa9,0x46d6,0x8e,0xc9,0x29,0x82,0x20,0x55,0x91,0x89);
 
@@ -108,6 +110,8 @@ namespace MSIX {
         // internal IPackage methods
         void Unpack(MSIX_PACKUNPACK_OPTION options, const ComPtr<IDirectoryObject>& to) override;
         std::vector<std::string>& GetFootprintFiles() override { return m_footprintFiles; }
+        MSIX::ComPtr<IMsixFactory> GetFactory() override { return m_factory; }
+        MSIX::ComPtr<IStorageObject> GetUnderlyingStorageObject() override { return m_container; }
 
         // IAppxPackageReader
         HRESULT STDMETHODCALLTYPE GetBlockMap(IAppxBlockMapReader** blockMapReader) noexcept override;

@@ -10,6 +10,8 @@
 #include "AppxBlockMapWriter.hpp"
 #include "ContentTypeWriter.hpp"
 #include "ZipObjectWriter.hpp"
+#include "AppxPackageObject.hpp"
+#include "Signing.hpp"
 
 #include <map>
 #include <memory>
@@ -28,6 +30,12 @@ class IPackageWriter : public IUnknown
 public:
     // TODO: add options if needed
     virtual void PackPayloadFiles(const MSIX::ComPtr<IDirectoryObject>& from) = 0;
+    // Custom Close used to finish out the signing process
+    virtual void Close(
+        MSIX_CERTIFICATE_FORMAT signingCertificateFormat,
+        IStream* signingCertificate,
+        const char* pass,
+        IStream* privateKey) = 0;
 };
 MSIX_INTERFACE(IPackageWriter, 0x32e89da5,0x7cbb,0x4443,0x8c,0xf0,0xb8,0x4e,0xed,0xb5,0x1d,0x0a);
 
@@ -37,10 +45,16 @@ namespace MSIX {
     {
     public:
         AppxPackageWriter(IMsixFactory* factory, const ComPtr<IZipWriter>& zip, bool enableFileHash);
+        AppxPackageWriter(IPackage* packageToSign, std::unique_ptr<SignatureAccumulator>&& accumulator);
         ~AppxPackageWriter() {};
 
         // IPackageWriter
         void PackPayloadFiles(const ComPtr<IDirectoryObject>& from) override;
+        void Close(
+            MSIX_CERTIFICATE_FORMAT signingCertificateFormat,
+            IStream* signingCertificate,
+            const char* pass,
+            IStream* privateKey) override;
 
         // IAppxPackageWriter
         HRESULT STDMETHODCALLTYPE AddPayloadFile(LPCWSTR fileName, LPCWSTR contentType,
@@ -72,15 +86,16 @@ namespace MSIX {
             APPX_COMPRESSION_OPTION compressionOpt, const char* contentType);
 
         void AddFileToPackage(const std::string& name, IStream* stream, bool toCompress,
-            bool addToBlockMap, const char* contentType, bool forceContentTypeOverride = false);
+            bool addToBlockMap, const char* contentType, bool forceContentTypeOverride = false, bool forceDataDescriptor = true);
 
         void ValidateCompressionOption(APPX_COMPRESSION_OPTION compressionOpt);
 
-        WriterState m_state;
+        WriterState m_state = WriterState::Open;
         ComPtr<IMsixFactory> m_factory;
         ComPtr<IZipWriter> m_zipWriter;
         BlockMapWriter m_blockMapWriter;
         ContentTypeWriter m_contentTypeWriter;
+        std::unique_ptr<SignatureAccumulator> m_signatureAccumulator;
     };
 }
 
@@ -32,6 +32,11 @@ namespace MSIX {
     // APPX-specific header placed in the P7X file, before the actual signature
     const DWORD P7X_FILE_ID = 0x58434b50;
 
+    // APPX-SIP default version
+    const DWORD APPX_SIP_DEFAULT_VERSION = 0x01010000;
+
+#define APPX_SIP_GUID_BYTES 0x4B, 0xDF, 0xC5, 0x0A, 0x07, 0xCE, 0xE2, 0x4D, 0xB7, 0x6E, 0x23, 0xC8, 0x39, 0xA0, 0x9F, 0xD1
+
     enum class DigestName : std::uint32_t
     {
         HEAD = 0x58505041, // APPX
@@ -60,8 +65,10 @@ namespace MSIX {
     class AppxSignatureObject final : public ComClass<AppxSignatureObject, IVerifierObject>
     {
     public:
+        // Used in signing; we create an empty object to fill with digests.
+        AppxSignatureObject() = default;
 
-        AppxSignatureObject(IMsixFactory* factory, MSIX_VALIDATION_OPTION validationOptions,const ComPtr<IStream>& stream);
+        AppxSignatureObject(IMsixFactory* factory, MSIX_VALIDATION_OPTION validationOptions, const ComPtr<IStream>& stream);
 
         // IVerifierObject
         const std::string& GetPublisher() override  { return m_publisher; }

@@ -9,6 +9,7 @@
 #include "ComHelper.hpp"
 
 #include <map>
+#include <string>
 
 namespace MSIX {
 
@@ -17,15 +18,25 @@ namespace MSIX {
     public:
         ContentTypeWriter();
 
+        // Used for editing an existing content type file, but only in the very specific case of signing.
+        // Creates a copy and sets the cursor to the end of the existing elements stream.
+        ContentTypeWriter(IStream* stream);
+
         void AddContentType(const std::string& name, const std::string& contentType, bool forceOverride = false);
         void Close();
         ComPtr<IStream> GetStream() { return m_xmlWriter.GetStream(); }
 
     protected:
         void AddDefault(const std::string& ext, const std::string& contentType);
         void AddOverride(const std::string& file, const std::string& contentType);
-
+
+        static std::string GetPartNameSearchString(const std::string& fileName);
+
         std::map<std::string, std::string> m_defaultExtensions;
         XmlWriter m_xmlWriter;
+
+        // For the signing scenario, we need to know if the signature files are already present.
+        bool m_hasSignatureOverride = false;
+        bool m_hasCIOverride = false;
     };
 }