From f39585f492ac468a70a656ba1995f2cf7725c1de Mon Sep 17 00:00:00 2001
From: houndthe
Date: Fri, 28 Jan 2022 12:54:07 +0100
Subject: [PATCH] Add missing algorithm_oid from PE module
---
 modules/module_pe.json | 8 +++++++-
 tests/cpp/parser_tests.cpp | 18 ++++++++++++++++++
 tests/python/test_parser.py | 21 +++++++++++++++++++++
 3 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/modules/module_pe.json b/modules/module_pe.json
index e066263a..aafc6742 100644
--- a/modules/module_pe.json
+++ b/modules/module_pe.json
@@ -1950,7 +1950,13 @@
 {
 "kind": "value",
 "name": "algorithm",
- "documentation": "Algorithm used for this signature. Usually \"sha1WithRSAEncryption\".",
+ "documentation": "String representation of the algorithm used for this signature. Usually \"sha1WithRSAEncryption\". It depends on the X.509 and PKCS#7 implementationss and possibly their versions, consider using algorithm_oid instead.",
+ "type": "s"
+ },
+ {
+ "kind": "value",
+ "name": "algorithm_oid",
+ "documentation": "Object ID of the algorithm used for this signature, expressed in numeric ASN.1 dot notation. The name contained in algorithm is derived from this value. The object id is expected to be stable across X.509 and PKCS#7 implementations and their versions.",
 "type": "s"
 },
 {
diff --git a/tests/cpp/parser_tests.cpp b/tests/cpp/parser_tests.cpp
index 5310124d..207ae900 100644
--- a/tests/cpp/parser_tests.cpp
+++ b/tests/cpp/parser_tests.cpp
@@ -7336,5 +7336,23 @@ rule iequals_expr
 EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
 }
+TEST_F(ParserTests,
+ParsePeSignaturesXAlgorithmOID) {
+ prepareInput(
+R"(import "pe"
+
+rule test_rule
+{
+ condition:
+ pe.signatures[0].algorithm_oid == "1.2.840.113549.1.1.11"
+}
+)");
+
+ EXPECT_TRUE(driver.parse(input));
+ ASSERT_EQ(1u, driver.getParsedFile().getRules().size());
+
+ EXPECT_EQ(input_text, driver.getParsedFile().getTextFormatted());
+}
+
 }
 }
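Review bot: The new `documentation` text for `algorithm` in modules/module_pe.json has a typo (`implementationss`) and a comma splice before `consider`; it could read `It depends on the X.509 and PKCS#7 implementations and possibly their versions; consider using algorithm_oid instead.` Rule authors will rely on this text when choosing which field to match on, so the `algorithm_oid` entry would benefit from one worked example, for instance that sha1WithRSAEncryption is `1.2.840.113549.1.1.5`. The enclosing attribute list starts and ends outside the hunk.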
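Review bot: The OID literal in ParsePeSignaturesXAlgorithmOID (tests/cpp/parser_tests.cpp) is a bare magic string; a comment above `prepareInput(` such as `// 1.2.840.113549.1.1.11 = sha256WithRSAEncryption` would say which algorithm the rule is matching. The same comment applies to test_parse_pe_signatures_x_algorithm_oid in tests/python/test_parser.py. Both tests only confirm that the rule parses and round-trips through the formatter; that `algorithm_oid` is registered as a string, as the `"type": "s"` entry declares, is not asserted. If the parser type-checks module attributes, a case showing that a non-string comparison against `algorithm_oid` is rejected may be worth adding.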
diff --git a/tests/python/test_parser.py b/tests/python/test_parser.py
index d65ac7bb..79d6555f 100644
--- a/tests/python/test_parser.py
+++ b/tests/python/test_parser.py
@@ -1986,3 +1986,24 @@ def test_include_file_and_import_in_regular_mode(self):
 }
 '''
 self.assertEqual(expected, yara_file.text_formatted)
+
+
+ def test_parse_pe_signatures_x_algorithm_oid(self):
+ yara_file = yaramod.Yaramod().parse_string(parser_mode=yaramod.ParserMode.Regular, str=r'''import "pe"
+
+rule test_rule {
+ condition:
+ pe.signatures[0].algorithm_oid == "1.2.840.113549.1.1.11"
+}
+''')
+
+ expected = r'''import "pe"
+
+rule test_rule
+{
+ condition:
+ pe.signatures[0].algorithm_oid == "1.2.840.113549.1.1.11"
+}
+'''
+
+ self.assertEqual(expected, yara_file.text_formatted)