Merge b3e65e4 into ab06ace

ebourg · Dec 18, 2022 · b6661ea · b6661ea
2 parents ab06ace + b3e65e4
commit b6661ea
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/jsign-core/src/main/java/net/jsign/AuthenticodeSigner.java b/jsign-core/src/main/java/net/jsign/AuthenticodeSigner.java
@@ -54,6 +54,7 @@
 import org.bouncycastle.cms.SignerInformationVerifier;
 import org.bouncycastle.cms.jcajce.JcaSignerInfoVerifierBuilder;
 import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.DigestCalculatorProvider;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
@@ -428,6 +429,7 @@ public AlgorithmIdentifier findEncryptionAlgorithm(final AlgorithmIdentifier sig
             }
         });
         signerInfoGeneratorBuilder.setSignedAttributeGenerator(attributeTableGenerator);
+        signerInfoGeneratorBuilder.setContentDigest(createContentDigestAlgorithmIdentifier(shaSigner.getAlgorithmIdentifier()));
         SignerInfoGenerator signerInfoGenerator = signerInfoGeneratorBuilder.build(shaSigner, certificate);
 
         AuthenticodeSignedDataGenerator generator = new AuthenticodeSignedDataGenerator();
@@ -515,4 +517,21 @@ protected CMSSignedData addNestedSignature(CMSSignedData primary, CMSSignedData
         signerInformation = SignerInformation.replaceUnsignedAttributes(signerInformation, unsignedAttributes);
         return CMSSignedData.replaceSigners(primary, new SignerInformationStore(signerInformation));
     }
+
+    /**
+     * Create the digest algorithm identifier to use as content digest.
+     * By default looks up the default identifier but also makes sure it includes
+     * the algorithm parameters and if not includes a DER NULL in order to align
+     * with what signtool currently does.
+     * @param signatureAlgorithm to get the corresponding digest algorithm identifier for
+     * @return an AlgorithmIdentifier for the digestAlgorithm and including parameters
+     */
+    protected AlgorithmIdentifier createContentDigestAlgorithmIdentifier(AlgorithmIdentifier signatureAlgorithm) {
+        AlgorithmIdentifier ai = new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlgorithm);
+        if (ai.getParameters() == null) {
+            // Always include parameters to align with what signtool does
+            ai = new AlgorithmIdentifier(ai.getAlgorithm(), DERNull.INSTANCE);
+        }
+        return ai;
+    }
 }