From 5e7dc4bc7e946d5b886d97c48f86cdfaf45d0a3ee0406e7fe6d48ed69393b0c2 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 28 Mar 2013 03:56:52 +0000
Subject: [PATCH] Accepting request 161509 from
 home:gary_lin:branches:Base:System

bnc#808594: fix the alignment of the signature list

OBS-URL: https://build.opensuse.org/request/show/161509
OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=16
---
 pesign-bnc808594-align-signatures.patch | 598 ++++++++++++++++++++++++
 pesign.changes                          |   6 +
 pesign.spec                             |   3 +
 3 files changed, 607 insertions(+)
 create mode 100644 pesign-bnc808594-align-signatures.patch

diff --git a/pesign-bnc808594-align-signatures.patch b/pesign-bnc808594-align-signatures.patch
new file mode 100644
index 0000000..c712f8f
--- /dev/null
+++ b/pesign-bnc808594-align-signatures.patch
@@ -0,0 +1,598 @@
+From 21cec8feac92a8cda788eaf3f9e9aee9d1b92672 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 25 Mar 2013 11:34:45 -0400
+Subject: [PATCH 1/8] If the last hunk of the file isn't 16-byte aligned, pad
+ before digesting.
+
+When we (or MS) create a data directory section, we pad it to 16-bytes.
+This means that when you add that and then hash, you'll have that
+0-extension before the data directory (in this case, the cert list) in
+the checksum.
+
+If we do -h without embedding the signature in the binary, we still need
+to take that into account.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/cms_common.c |   24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 9ab2021..306d53e 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -795,6 +795,12 @@ err:
+ 	return -1;
+ }
+ 
++#if 1
++#define dprintf(fmt, ...)
++#else
++#define dprintf(fmt, args...) printf(fmt, ## args)
++#endif
++
+ int
+ generate_digest(cms_context *cms, Pe *pe)
+ {
+@@ -860,6 +866,8 @@ generate_digest(cms_context *cms, Pe *pe)
+ 		cms->log(cms, LOG_ERR, "Pe header is invalid");
+ 		goto error;
+ 	}
++	dprintf("beginning of hash\n");
++	dprintf("digesting %lx + %lx\n", hash_base - map, hash_size);
+ 	generate_digest_step(cms, hash_base, hash_size);
+ 
+ 	/* 5. Skip over the image checksum
+@@ -882,6 +890,7 @@ generate_digest(cms_context *cms, Pe *pe)
+ 		goto error;
+ 	}
+ 	generate_digest_step(cms, hash_base, hash_size);
++	dprintf("digesting %lx + %lx\n", hash_base - map, hash_size);
+ 
+ 	/* 8. Skip over the crt dir
+ 	 * 9. Hash everything up to the end of the image header. */
+@@ -895,6 +904,7 @@ generate_digest(cms_context *cms, Pe *pe)
+ 		goto error;
+ 	}
+ 	generate_digest_step(cms, hash_base, hash_size);
++	dprintf("digesting %lx + %lx\n", hash_base - map, hash_size);
+ 
+ 	/* 10. Set SUM_OF_BYTES_HASHED to the size of the header. */
+ 	hashed_bytes = pe32opthdr ? pe32opthdr->header_size
+@@ -926,6 +936,7 @@ generate_digest(cms_context *cms, Pe *pe)
+ 		}
+ 
+ 		generate_digest_step(cms, hash_base, hash_size);
++		dprintf("digesting %lx + %lx\n", hash_base - map, hash_size);
+ 
+ 		hashed_bytes += hash_size;
+ 	}
+@@ -938,8 +949,19 @@ generate_digest(cms_context *cms, Pe *pe)
+ 			cms->log(cms, LOG_ERR, "Pe has invalid trailing data");
+ 			goto error_shdrs;
+ 		}
+-		generate_digest_step(cms, hash_base, hash_size);
++		if (hash_size % 16 != 0) {
++			size_t tmp_size = hash_size + (16 - (hash_size % 16));
++			uint8_t tmp_array[tmp_size];
++			memset(tmp_array, '\0', tmp_size);
++			memcpy(tmp_array, hash_base, hash_size);
++			generate_digest_step(cms, tmp_array, tmp_size);
++			dprintf("digesting %lx + %lx\n", (unsigned long)tmp_array, tmp_size);
++		} else {
++			generate_digest_step(cms, hash_base, hash_size);
++			dprintf("digesting %lx + %lx\n", hash_base - map, hash_size);
++		}
+ 	}
++	dprintf("end of hash\n");
+ 
+ 	rc = generate_digest_finish(cms);
+ 	if (rc < 0)
+-- 
+1.7.10.4
+
+
+From d07c91cffaeaaa1b0f0a0dbc684e073d976ee9f3 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 25 Mar 2013 12:53:05 -0400
+Subject: [PATCH 2/8] Pad signatures everywhere /except/ -h.
+
+If you run -h, you may be using that hash in a db/dbx variable, in which
+case the padding isn't appropriate.  Everywhere else, it's for
+implanting at some stage.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/cms_common.c |    4 ++--
+ src/cms_common.h |    2 +-
+ src/daemon.c     |    6 +++---
+ src/pesign.c     |   15 ++++++++-------
+ 4 files changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 306d53e..f2ee684 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -802,7 +802,7 @@ err:
+ #endif
+ 
+ int
+-generate_digest(cms_context *cms, Pe *pe)
++generate_digest(cms_context *cms, Pe *pe, int padded)
+ {
+ 	void *hash_base;
+ 	size_t hash_size;
+@@ -949,7 +949,7 @@ generate_digest(cms_context *cms, Pe *pe)
+ 			cms->log(cms, LOG_ERR, "Pe has invalid trailing data");
+ 			goto error_shdrs;
+ 		}
+-		if (hash_size % 16 != 0) {
++		if (hash_size % 16 != 0 && padded) {
+ 			size_t tmp_size = hash_size + (16 - (hash_size % 16));
+ 			uint8_t tmp_array[tmp_size];
+ 			memset(tmp_array, '\0', tmp_size);
+diff --git a/src/cms_common.h b/src/cms_common.h
+index a3848cd..d819aab 100644
+--- a/src/cms_common.h
++++ b/src/cms_common.h
+@@ -105,7 +105,7 @@ extern int generate_spc_link(cms_context *cms, SpcLink *slp,
+ 
+ extern int generate_spc_string(cms_context *cms, SECItem *ssp, char *str,
+ 				int len);
+-extern int generate_digest(cms_context *cms, Pe *pe);
++extern int generate_digest(cms_context *cms, Pe *pe, int padded);
+ extern int generate_signature(cms_context *ctx);
+ extern int unlock_nss_token(cms_context *ctx);
+ extern int find_certificate(cms_context *ctx);
+diff --git a/src/daemon.c b/src/daemon.c
+index 92ae856..69821ba 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -433,7 +433,7 @@ malformed:
+ 		if (rc < 0)
+ 			goto finish;
+ 
+-		rc = generate_digest(ctx->cms, outpe);
++		rc = generate_digest(ctx->cms, outpe, 1);
+ 		if (rc < 0) {
+ err_attached:
+ 			pe_end(outpe);
+@@ -448,7 +448,7 @@ err_attached:
+ 		if (sigspace < 0)
+ 			goto err_attached;
+ 		allocate_signature_space(outpe, sigspace);
+-		rc = generate_digest(ctx->cms, outpe);
++		rc = generate_digest(ctx->cms, outpe, 1);
+ 		if (rc < 0)
+ 			goto err_attached;
+ 		rc = generate_signature(ctx->cms);
+@@ -463,7 +463,7 @@ err_attached:
+ 			ctx->cms->log(ctx->cms, ctx->priority|LOG_ERR,
+ 				"pesignd: could not truncate output file: %m");
+ 		}
+-		rc = generate_digest(ctx->cms, inpe);
++		rc = generate_digest(ctx->cms, inpe, 1);
+ 		if (rc < 0) {
+ err_detached:
+ 			if (ftruncate(outfd, 0) != 0) {
+diff --git a/src/pesign.c b/src/pesign.c
+index fcb2dca..81515d2 100644
+--- a/src/pesign.c
++++ b/src/pesign.c
+@@ -473,7 +473,8 @@ main(int argc, char *argv[])
+ 			"force overwriting of output file", NULL },
+ 		{"sign", 's', POPT_ARG_VAL, &ctxp->sign, 1,
+ 			"create a new signature", NULL },
+-		{"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1, "hash binary", NULL },
++		{"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1,
++			"hash binary", NULL },
+ 		{"digest_type", 'd', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
+ 			&digest_name, 0, "digest type to use for pe hash" },
+ 		{"import-signed-certificate", 'm',
+@@ -669,7 +670,7 @@ main(int argc, char *argv[])
+ 			open_input(ctxp);
+ 			open_output(ctxp);
+ 			close_input(ctxp);
+-			generate_digest(ctxp->cms_ctx, ctxp->outpe);
++			generate_digest(ctxp->cms_ctx, ctxp->outpe, 1);
+ 			sigspace = calculate_signature_space(ctxp->cms_ctx,
+ 								ctxp->outpe);
+ 			allocate_signature_space(ctxp->outpe, sigspace);
+@@ -683,7 +684,7 @@ main(int argc, char *argv[])
+ 		case EXPORT_SATTRS:
+ 			open_input(ctxp);
+ 			open_sattr_output(ctxp);
+-			generate_digest(ctxp->cms_ctx, ctxp->inpe);
++			generate_digest(ctxp->cms_ctx, ctxp->inpe, 1);
+ 			generate_sattr_blob(ctxp);
+ 			close_sattr_output(ctxp);
+ 			close_input(ctxp);
+@@ -779,7 +780,7 @@ main(int argc, char *argv[])
+ 			break;
+ 		case GENERATE_DIGEST|PRINT_DIGEST:
+ 			open_input(ctxp);
+-			generate_digest(ctxp->cms_ctx, ctxp->inpe);
++			generate_digest(ctxp->cms_ctx, ctxp->inpe, 0);
+ 			print_digest(ctxp);
+ 			break;
+ 		/* generate a signature and save it in a separate file */
+@@ -793,7 +794,7 @@ main(int argc, char *argv[])
+ 			}
+ 			open_input(ctxp);
+ 			open_sig_output(ctxp);
+-			generate_digest(ctxp->cms_ctx, ctxp->inpe);
++			generate_digest(ctxp->cms_ctx, ctxp->inpe, 1);
+ 			generate_signature(ctxp->cms_ctx);
+ 			export_signature(ctxp->cms_ctx, ctxp->outsigfd, ctxp->ascii);
+ 			break;
+@@ -814,11 +815,11 @@ main(int argc, char *argv[])
+ 			open_input(ctxp);
+ 			open_output(ctxp);
+ 			close_input(ctxp);
+-			generate_digest(ctxp->cms_ctx, ctxp->outpe);
++			generate_digest(ctxp->cms_ctx, ctxp->outpe, 1);
+ 			sigspace = calculate_signature_space(ctxp->cms_ctx,
+ 							     ctxp->outpe);
+ 			allocate_signature_space(ctxp->outpe, sigspace);
+-			generate_digest(ctxp->cms_ctx, ctxp->outpe);
++			generate_digest(ctxp->cms_ctx, ctxp->outpe, 1);
+ 			generate_signature(ctxp->cms_ctx);
+ 			insert_signature(ctxp->cms_ctx, ctxp->signum);
+ 			finalize_signatures(ctxp->cms_ctx->signatures,
+-- 
+1.7.10.4
+
+
+From 29a593849964bb89c29bb40dd6a1f4bb5a90e675 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 21 Mar 2013 11:02:43 -0400
+Subject: [PATCH 3/8] Deal with PE-COFF 8.2+ alignment restrictions for the
+ certificate list.
+
+PE-COFF 8.2 and newer finally specify the certificate list as a proper
+array, but they kindly made a new rule that each entry has to be 8-byte
+aligned.  So align them now :/
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/wincert.c |   22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/src/wincert.c b/src/wincert.c
+index 4197a87..3686918 100644
+--- a/src/wincert.c
++++ b/src/wincert.c
+@@ -42,6 +42,11 @@ generate_cert_list(SECItem **signatures, int num_signatures,
+ 	*cert_list_size = cl_size;
+ 
+ 	for (int i = 0; i < num_signatures; i++) {
++		/* pe-coff 8.2 adds some text that says each cert list
++		 * entry is 8-byte aligned, so that means we need to align
++		 * them here. */
++		if ((intptr_t)data % 8 != 0)
++			data = (uint8_t *)((intptr_t)data + (8 - ((intptr_t)data % 8)));
+ 		struct cert_list_entry *cle = (struct cert_list_entry *)data;
+ 		cle->wc.length = signatures[i]->len +
+ 			sizeof (win_certificate);
+@@ -170,6 +175,11 @@ done:
+ 
+ 		iter->n += sizeof (*tmpcert) + length;
+ 
++		/* each cert list entry must be aligned to an 8-byte
++		 * boundary */
++		if (iter->n % 8 != 0)
++			iter->n += 8 - (iter->n % 8);
++
+ 		return 1;
+ 	}
+ }
+@@ -208,8 +218,13 @@ size_t
+ get_reserved_sig_space(cms_context *cms, Pe *pe)
+ {
+ 	size_t ret = 0;
+-	for (int i = 0; i < cms->num_signatures; i++)
++	for (int i = 0; i < cms->num_signatures; i++) {
+ 		ret += cms->signatures[i]->len + sizeof (win_certificate);
++		/* each certificate list entry must be 8-byte aligned,
++		 * so we need to account for that in our space calculation */
++		if (ret % 8 != 0)
++			ret += 8 - (ret % 8);
++	}
+ 	return ret;
+ }
+ 
+@@ -238,6 +253,11 @@ err:
+ 
+ 	size_t res = get_reserved_sig_space(cms, pe);
+ 
++	/* pe-coff 8.2 adds some text that says each cert list entry is
++	 * 8-byte aligned, so that means we need alignment space here. */
++	if (res % 8 != 0)
++		res += 8 - (res % 8);
++
+ 	ssize_t ret = res + sig.len + sizeof(win_certificate) -
+ 						available_cert_space(pe);
+ 
+-- 
+1.7.10.4
+
+
+From 731aa2ac9012a39fd4ccee813c77a9e75235606c Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 22 Mar 2013 09:56:23 -0400
+Subject: [PATCH 4/8] More certificate list alignment fixups (based on work by
+ Gary Lin)
+
+There was still some chance the first entry wasn't aligned right, and
+doing it ad-hoc every time wasn't that great.  So fix that.
+
+This is really all Gary's work, I've just reformatted it a little bit.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ libdpe/common.h        |    2 ++
+ libdpe/pe_allocspace.c |    4 ++--
+ src/wincert.c          |   24 ++++++++++--------------
+ 3 files changed, 14 insertions(+), 16 deletions(-)
+
+diff --git a/libdpe/common.h b/libdpe/common.h
+index 5d379e8..be42738 100644
+--- a/libdpe/common.h
++++ b/libdpe/common.h
+@@ -31,6 +31,8 @@
+ 
+ #define is_64_bit(pe) ((pe)->flags & IMAGE_FILE_32BIT_MACHINE)
+ 
++#define ALIGNMENT_PADDING(address, align) ((align - (address % align)) % align)
++
+ #define xfree(x) ({if (x) { free(x); x = NULL; }})
+ #define xmunmap(addr, size) ({if (addr) { munmap(addr,size); addr = NULL; }})
+ 
+diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c
+index 0ae1f5d..716373c 100644
+--- a/libdpe/pe_allocspace.c
++++ b/libdpe/pe_allocspace.c
+@@ -86,7 +86,7 @@ pe_extend_file(Pe *pe, size_t size, uint32_t *new_space, int align)
+ 	void *new = NULL;
+ 
+ 	if (align)
+-		align = (pe->maximum_size + size) % align;
++		align = ALIGNMENT_PADDING(pe->maximum_size, align);
+ 	int extra = size + align;
+ 
+ 	int rc = ftruncate(pe->fildes, pe->maximum_size + extra);
+@@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset)
+ 
+ 	/* XXX PJFIX TODO: this should try to find space in the already
+ 	 * mapped regions. */
+-	rc = pe_extend_file(pe, size, offset, 0);
++	rc = pe_extend_file(pe, size, offset, 8);
+ 	if (rc < 0)
+ 		return -1;
+ 	return 0;
+diff --git a/src/wincert.c b/src/wincert.c
+index 3686918..cc612b6 100644
+--- a/src/wincert.c
++++ b/src/wincert.c
+@@ -19,6 +19,8 @@
+ 
+ #include "pesign.h"
+ 
++#define ALIGNMENT_PADDING(address, align) ((align - (address % align)) % align)
++
+ struct cert_list_entry {
+ 	win_certificate wc;
+ 	uint8_t data[];
+@@ -32,6 +34,7 @@ generate_cert_list(SECItem **signatures, int num_signatures,
+ 	for (int i = 0; i < num_signatures; i++) {
+ 		cl_size += sizeof (win_certificate);
+ 		cl_size += signatures[i]->len;
++		cl_size += ALIGNMENT_PADDING(cl_size, 8);
+ 	}
+ 
+ 	uint8_t *data = malloc(cl_size);
+@@ -45,16 +48,16 @@ generate_cert_list(SECItem **signatures, int num_signatures,
+ 		/* pe-coff 8.2 adds some text that says each cert list
+ 		 * entry is 8-byte aligned, so that means we need to align
+ 		 * them here. */
+-		if ((intptr_t)data % 8 != 0)
+-			data = (uint8_t *)((intptr_t)data + (8 - ((intptr_t)data % 8)));
+ 		struct cert_list_entry *cle = (struct cert_list_entry *)data;
+ 		cle->wc.length = signatures[i]->len +
++			ALIGNMENT_PADDING(signatures[i]->len, 8) +
+ 			sizeof (win_certificate);
+ 		cle->wc.revision = WIN_CERT_REVISION_2_0;
+ 		cle->wc.cert_type = WIN_CERT_TYPE_PKCS_SIGNED_DATA;
+ 		memcpy(&cle->data[0], signatures[i]->data,
+ 					signatures[i]->len);
+ 		data += sizeof (win_certificate) + signatures[i]->len;
++		data += ALIGNMENT_PADDING(signatures[i]->len, 8);
+ 	}
+ 
+ 	return 0;
+@@ -175,11 +178,6 @@ done:
+ 
+ 		iter->n += sizeof (*tmpcert) + length;
+ 
+-		/* each cert list entry must be aligned to an 8-byte
+-		 * boundary */
+-		if (iter->n % 8 != 0)
+-			iter->n += 8 - (iter->n % 8);
+-
+ 		return 1;
+ 	}
+ }
+@@ -222,8 +220,7 @@ get_reserved_sig_space(cms_context *cms, Pe *pe)
+ 		ret += cms->signatures[i]->len + sizeof (win_certificate);
+ 		/* each certificate list entry must be 8-byte aligned,
+ 		 * so we need to account for that in our space calculation */
+-		if (ret % 8 != 0)
+-			ret += 8 - (ret % 8);
++		ret += ALIGNMENT_PADDING(ret, 8);
+ 	}
+ 	return ret;
+ }
+@@ -253,14 +250,13 @@ err:
+ 
+ 	size_t res = get_reserved_sig_space(cms, pe);
+ 
+-	/* pe-coff 8.2 adds some text that says each cert list entry is
+-	 * 8-byte aligned, so that means we need alignment space here. */
+-	if (res % 8 != 0)
+-		res += 8 - (res % 8);
+-
+ 	ssize_t ret = res + sig.len + sizeof(win_certificate) -
+ 						available_cert_space(pe);
+ 
++	/* pe-coff 8.2 adds some text that says each cert list entry is
++	 * 8-byte aligned, so that means we need alignment space here. */
++	ret += ALIGNMENT_PADDING(ret, 8);
++
+ 	//free(sig.data);
+ 
+ 	return ret;
+-- 
+1.7.10.4
+
+
+From 12595de05a873712a76e6118f00f324fd257d0f6 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Tue, 26 Mar 2013 11:28:57 +0800
+Subject: [PATCH 5/8] Pad the file to be 16-byte aligned, instead of 8-byte
+
+---
+ libdpe/pe_allocspace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c
+index 716373c..8b09153 100644
+--- a/libdpe/pe_allocspace.c
++++ b/libdpe/pe_allocspace.c
+@@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset)
+ 
+ 	/* XXX PJFIX TODO: this should try to find space in the already
+ 	 * mapped regions. */
+-	rc = pe_extend_file(pe, size, offset, 8);
++	rc = pe_extend_file(pe, size, offset, 16);
+ 	if (rc < 0)
+ 		return -1;
+ 	return 0;
+-- 
+1.7.10.4
+
+
+From deb5811f7e718d8d0d9c41ad18d2302876334e7a Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Tue, 26 Mar 2013 11:34:33 +0800
+Subject: [PATCH 6/8] Add an option, -padding, for -h to pad signatures
+
+We are using "-h" to check the integrity of the file after inserting
+a raw signature. Add this option to make the digests consistent.
+---
+ src/pesign.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/pesign.c b/src/pesign.c
+index 81515d2..57fe96e 100644
+--- a/src/pesign.c
++++ b/src/pesign.c
+@@ -440,6 +440,7 @@ main(int argc, char *argv[])
+ 	int remove = 0;
+ 	int daemon = 0;
+ 	int fork = 1;
++	int padding = 0;
+ 
+ 	char *digest_name = "sha256";
+ 	char *tokenname = "NSS Certificate DB";
+@@ -518,6 +519,8 @@ main(int argc, char *argv[])
+ 			"run as a daemon process", NULL },
+ 		{"nofork", 'N', POPT_ARG_VAL, &fork, 0,
+ 			"don't fork when daemonizing", NULL },
++		{"padding", 'P', POPT_ARG_VAL|POPT_ARGFLAG_DOC_HIDDEN,
++			&padding, 1, "pad data section", NULL },
+ 		POPT_AUTOALIAS
+ 		POPT_AUTOHELP
+ 		POPT_TABLEEND
+@@ -780,7 +783,7 @@ main(int argc, char *argv[])
+ 			break;
+ 		case GENERATE_DIGEST|PRINT_DIGEST:
+ 			open_input(ctxp);
+-			generate_digest(ctxp->cms_ctx, ctxp->inpe, 0);
++			generate_digest(ctxp->cms_ctx, ctxp->inpe, padding);
+ 			print_digest(ctxp);
+ 			break;
+ 		/* generate a signature and save it in a separate file */
+-- 
+1.7.10.4
+
+
+From 63221e01d0a857ce844b4b17798b5da1ea6a6be1 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Tue, 26 Mar 2013 18:30:58 +0800
+Subject: [PATCH 7/8] Clear the space for the certificate list
+
+Make sure the aligned bytes are '\0'
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
+---
+ src/wincert.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/wincert.c b/src/wincert.c
+index cc612b6..75fdceb 100644
+--- a/src/wincert.c
++++ b/src/wincert.c
+@@ -37,7 +37,7 @@ generate_cert_list(SECItem **signatures, int num_signatures,
+ 		cl_size += ALIGNMENT_PADDING(cl_size, 8);
+ 	}
+ 
+-	uint8_t *data = malloc(cl_size);
++	uint8_t *data = calloc(1, cl_size);
+ 	if (!data)
+ 		return -1;
+ 
+-- 
+1.7.10.4
+
+
+From 18080ba4acb235fd3b2e679f0308992255e6ca52 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <chingpang@gmail.com>
+Date: Wed, 27 Mar 2013 10:49:38 +0800
+Subject: [PATCH 8/8] The file should be 8-byte aligned, actually...
+
+---
+ libdpe/pe_allocspace.c |    2 +-
+ src/cms_common.c       |    4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c
+index 8b09153..716373c 100644
+--- a/libdpe/pe_allocspace.c
++++ b/libdpe/pe_allocspace.c
+@@ -119,7 +119,7 @@ pe_allocspace(Pe *pe, size_t size, uint32_t *offset)
+ 
+ 	/* XXX PJFIX TODO: this should try to find space in the already
+ 	 * mapped regions. */
+-	rc = pe_extend_file(pe, size, offset, 16);
++	rc = pe_extend_file(pe, size, offset, 8);
+ 	if (rc < 0)
+ 		return -1;
+ 	return 0;
+diff --git a/src/cms_common.c b/src/cms_common.c
+index f2ee684..2c998d9 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -949,8 +949,8 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
+ 			cms->log(cms, LOG_ERR, "Pe has invalid trailing data");
+ 			goto error_shdrs;
+ 		}
+-		if (hash_size % 16 != 0 && padded) {
+-			size_t tmp_size = hash_size + (16 - (hash_size % 16));
++		if (hash_size % 8 != 0 && padded) {
++			size_t tmp_size = hash_size + (8 - (hash_size % 8));
+ 			uint8_t tmp_array[tmp_size];
+ 			memset(tmp_array, '\0', tmp_size);
+ 			memcpy(tmp_array, hash_base, hash_size);
+-- 
+1.7.10.4
+
diff --git a/pesign.changes b/pesign.changes
index 7cfb788..2500fa3 100644
--- a/pesign.changes
+++ b/pesign.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Mar 26 06:21:15 UTC 2013 - glin@suse.com
+
+- Add pesign-bnc808594-align-signatures.patch to align signatures
+  (bnc#808594, bnc#811325)
+
 -------------------------------------------------------------------
 Fri Mar  1 03:04:35 UTC 2013 - glin@suse.com
 
diff --git a/pesign.spec b/pesign.spec
index e8aad53..9885da5 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -45,6 +45,8 @@ Patch10:        pesign-privkey_unneeded.diff
 Patch11:        pesign-no-set-image-size.patch
 # PATCH-FIX-UPSTREAM pesign-bnc805166-fix-signature-list.patch bnc#805166 glin@suse.com -- Fix the broken signature list when inserting a new signature into a signed EFI binary.
 Patch12:        pesign-bnc805166-fix-signature-list.patch
+# PATCH-FIX-UPSTREAM pesign-bnc808594-align-signatures.patch bnc#808594,bnc#811325 glin@suse.com -- Align the signatures to 8-bytes
+Patch13:        pesign-bnc808594-align-signatures.patch
 BuildRequires:  mozilla-nss-devel
 BuildRequires:  pkg-config
 BuildRequires:  popt-devel
@@ -80,6 +82,7 @@ Authors:
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 
 %build
 make OPTFLAGS="$RPM_OPT_FLAGS"