
Add cryptographic verification to authenticode_transplant.py#326

Merged
Flickdm merged 1 commit into microsoft:main from Flickdm:feature/auth_transplant/cryptographic_validation
Feb 24, 2026

Conversation

@Flickdm (Member) commented Dec 1, 2025

This commit adds comprehensive cryptographic validation to the Authenticode signature combining tool, bringing the same verification capabilities from auth_var_tool.py to PE file signature operations.

Key changes:

  • Added cryptographic signature verification using the 'cryptography' library
  • Implemented SpcIndirectDataContent parsing to extract embedded PE hashes
  • Added certificate extraction and display from PKCS#7 signatures
  • Compute Authenticode hashes using the algorithm specified in the signature
  • Verify signatures mathematically using signer's public key (RSA/ECDSA)
  • Validate that computed PE hash matches the hash in SpcIndirectDataContent

New functions:

  • _get_hash_algorithm_from_oid(): Maps OID strings to hash algorithms
  • _extract_pe_hash_from_spc_indirect_data(): Parses SPC structure for hash
  • _extract_certificates_from_pkcs7(): Extracts X.509 certificates
  • _verify_pkcs7_signature(): Performs full cryptographic verification
  • compute_authenticode_hash(): Flexible hash computation with configurable algorithm

Enhanced functions:

  • validate_pkcs7_signatures(): Now performs cryptographic verification
  • main_verify(): Displays certificate details and verification status
  • main_combine(): Validates signatures cryptographically before combining

Bug fixes:

  • Removed incorrect 8-byte padding from Authenticode hash calculation (padding only applies to WIN_CERTIFICATE structure alignment, not hash data)
  • Consolidated duplicate hash functions into single implementation

Code improvements:

  • Named constants for all magic numbers in SPC parsing
  • Better documentation and inline comments
  • Proper type annotations with Optional types

Testing:

  • Verified against Microsoft-signed bootmgfw.efi files
  • Hash computation now matches Windows AppLocker and UEFI firmware
  • Both multi-signature and nested signature modes validated
  • All test cases pass with cryptographic verification

Follows Microsoft Authenticode PE specification v1.1

Description

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

How This Was Tested

Ran it against copies of bootmgfw.efi and hellouefi.efi that were both singly signed and

Integration Instructions

N/A

@Flickdm Flickdm marked this pull request as ready for review December 1, 2025 22:42
@Flickdm Flickdm requested a review from Copilot December 1, 2025 22:42
Copilot AI left a comment

Pull request overview

This PR adds comprehensive cryptographic verification capabilities to the Authenticode signature tool, enabling validation of PE file signatures using the cryptography library. The changes introduce hash extraction from SPC structures, certificate parsing, and full signature verification against PE files.

Key changes:

  • Added cryptographic signature verification using new helper functions for OID mapping, certificate extraction, and PKCS7 verification
  • Enhanced compute_authenticode_hash() to support multiple hash algorithms (SHA1/256/384/512) and removed incorrect padding logic
  • Updated validate_pkcs7_signatures() and verification commands to perform cryptographic validation before accepting signatures


@Flickdm Flickdm force-pushed the feature/auth_transplant/cryptographic_validation branch 2 times, most recently from d8166a7 to 0cee114 on January 21, 2026 18:11
@Flickdm Flickdm requested review from Javagedes and apop5 January 21, 2026 19:23
@Flickdm Flickdm force-pushed the feature/auth_transplant/cryptographic_validation branch from b4d81a1 to 600df89 on January 29, 2026 19:06
@Flickdm Flickdm force-pushed the feature/auth_transplant/cryptographic_validation branch from 600df89 to 2884a4d on February 24, 2026 19:27
@Flickdm Flickdm enabled auto-merge (rebase) February 24, 2026 19:30
auto-merge was automatically disabled February 24, 2026 19:42

Rebase failed

Add full cryptographic verification of PKCS#7 Authenticode signatures
in authenticode_transplant.py. This includes:

- Extract and verify PE hash from SpcIndirectDataContent against the
  computed Authenticode hash using the signature's own hash algorithm
- Cryptographically verify signer signatures (RSA PKCS1v15 and ECDSA)
  against authenticated attributes
- Extract and display X.509 certificate details (subject, issuer,
  serial, validity) during verify and combine operations
- Refactor calculate_authenticode_hash to compute_authenticode_hash
  supporting multiple hash algorithms (SHA1, SHA256, SHA384, SHA512)
- Add cryptography==43.0.0 dependency and update pyasn1 to 0.6.2

Signed-off-by: Doug Flick <dougflick@microsoft.com>
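As an added example (not the project's code and not the PR's implementation), the block below computes the Authenticode PE image hash the way the PR description and the commit message above describe: selecting the hash algorithm from the digestAlgorithm OID carried in SpcIndirectDataContent, skipping the CheckSum field, the Certificate Table directory entry and the attribute certificate table itself, and hashing no extra 8-byte padding. The names `HASH_OIDS`, `authenticode_hash` and `build_test_pe` are assumptions, and the PE32+ image is constructed inline so the example runs offline.

```python
import hashlib
import struct

# digestAlgorithm OIDs found in SpcIndirectDataContent, mapped to hashlib names
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
             "2.16.840.1.101.3.4.2.2": "sha384", "2.16.840.1.101.3.4.2.3": "sha512"}

def authenticode_hash(pe: bytes, digest_oid: str) -> bytes:
    """Authenticode image hash: skips CheckSum, the cert directory entry and the cert table."""
    h = hashlib.new(HASH_OIDS[digest_oid])          # KeyError on an unknown OID
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                             # COFF file header
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt = coff + 20                                 # optional header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    checksum_off = opt + 64
    certdir_off = opt + (144 if pe32plus else 128)  # data directory entry 4
    cert_size = struct.unpack_from("<II", pe, certdir_off)[1]
    # Headers: everything but the 4-byte CheckSum and the 8-byte cert entry
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:certdir_off])
    h.update(pe[certdir_off + 8:size_of_headers])
    # Section raw data, hashed in PointerToRawData order
    sec_tbl = opt + struct.unpack_from("<H", pe, coff + 16)[0]
    secs = [struct.unpack_from("<II", pe, sec_tbl + i * 40 + 16) for i in range(nsec)]
    end = size_of_headers
    for size, ptr in sorted(secs, key=lambda s: s[1]):  # (SizeOfRawData, PointerToRawData)
        if size:
            h.update(pe[ptr:ptr + size])
            end = max(end, ptr + size)
    # Trailing data after the last section, minus the cert table at EOF; no padding is hashed
    h.update(pe[end:len(pe) - cert_size])
    return h.digest()

def build_test_pe(section_fill: int = 0x90, cert_body: bytes = b"\x01" * 8) -> bytes:
    """Constructed PE32+: 512-byte headers, one 512-byte section, 16-byte WIN_CERTIFICATE."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)           # PE32+ magic
    struct.pack_into("<I", opt, 60, 512)            # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)     # CheckSum (must not be hashed)
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 144, 1024, 16)     # Certificate Table: offset, size
    sec = b".text\0\0\0" + struct.pack("<IIII", 512, 0x1000, 512, 512) + bytes(16)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22) + opt + sec
    cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + cert_body
    return hdr.ljust(512, b"\0") + bytes([section_fill]) * 512 + cert
```

The digest returned for the constructed image is unchanged when the CheckSum or the certificate body is altered and changes when section data is altered, which is exactly the property the PR relies on when comparing against the hash in SpcIndirectDataContent.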
@Flickdm Flickdm force-pushed the feature/auth_transplant/cryptographic_validation branch from 533a786 to 0361ddf on February 24, 2026 20:22
@Flickdm Flickdm merged commit f369839 into microsoft:main Feb 24, 2026
2 checks passed
@Flickdm Flickdm deleted the feature/auth_transplant/cryptographic_validation branch February 24, 2026 20:23