Microsoft Security Catalog Format Documentation an

2020-03-04 03:37发布

问题:

I'm looking for any documentation on the API for working with Microsoft Security Catalogs, or in lieu of that, information on the file format so that I may write my own parser.

In short, I have some .cat files that I need to be able to work with. Looking at the file in a hex editor, they obviously have different regions, which are delimited somehow (looks like typical binary saved structs). I need to get certain information out of them, and ignore other information.

I could probably reverse engineer the format and parse out what I need, but I'd prefer to do that either through the Win32 API, or at least write my parser to be correct for the format, instead of just "able to do what I need it to do".

MSCAT32.DLL seems to be the signficant one, but I'm not sure it has exports to do what I need... It's a bit cryptic (no pun intended).

Any information at all would be helpful.

Just to toss a few more keywords in here...

The MIME type is: application/vnd.ms-pki.seccat The magic header bytes are: 30 80 09 06 The field delimiters in the file seem to be: EOT (04) and € (80) A program that generates them is: MakeCat.exe

回答1:

Here is a definition of the wintrust calls that are used by makecat Look under Catalog Definition Functions Catalog Functions which are made up of certificate trust list (CTL) A predefined list of items that have been signed by a trusted entity. A CTL can be anything, such as a list of hashes of certificates, or a list of file names. All the items in the list are authenticated (approved) by the signing entity.

which in turn are composed on pkcs#7 blobs



回答2:

Microsoft Security Catalogs are nothing more than binary files, coded in ASN.1 DER format. Inside the file is PKCS#7 signed data with additional fields for Microsoft specific stuff (coded with Microsoft OIDs). A list of these OIDs can be found here: https://support.microsoft.com/en-us/kb/287547

If you want to decode ASN.1 DER, use for example this JavaScript based encoder: http://lapo.it/asn1js/

By the way: 30 80 09 06 is not the file magic, but means there is a constructive SEQUENCE with unknown length starting there. ASN.1 DER Files do not have any magic, but start with a SEQUENCE (which is coded in DER as 0x30 in many cases.