lib: Add support to parse MS Catalog files

Signed-off-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug  9 19:57:02 CEST 2018 on sn-devel-144

lib/mscat/dumpmscat.c

@@ -0,0 +1,188 @@
+/*
+ * Copyright (c) 2016      Andreas Schneider <asn@samba.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <errno.h>
+#include <stdbool.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdio.h>
+
+#include <talloc.h>
+
+#include <libtasn1.h>
+#include <gnutls/pkcs7.h>
+
+#include "mscat.h"
+
+static const char *mac_to_string(enum mscat_mac_algorithm algo) {
+	switch(algo) {
+		case MSCAT_MAC_NULL:
+			return "NULL";
+		case MSCAT_MAC_MD5:
+			return "MD5";
+		case MSCAT_MAC_SHA1:
+			return "SHA1";
+		case MSCAT_MAC_SHA256:
+			return "SHA256";
+		case MSCAT_MAC_SHA512:
+			return "SHA512";
+		case MSCAT_MAC_UNKNOWN:
+			return "UNKNOWN";
+	}
+
+	return "UNKNOWN";
+}
+
+int main(int argc, char *argv[]) {
+	TALLOC_CTX *mem_ctx;
+	const char *filename = NULL;
+	const char *ca_file = NULL;
+	struct mscat_pkcs7 *cat_pkcs7;
+	struct mscat_ctl *msctl;
+	unsigned int member_count = 0;
+	unsigned int attribute_count = 0;
+	unsigned int i;
+	int rc;
+
+	if (argc < 1) {
+		return -1;
+	}
+	filename = argv[1];
+
+	if (filename == NULL || filename[0] == '\0') {
+		return -1;
+	}
+
+	mem_ctx = talloc_init("dumpmscat");
+	if (mem_ctx == NULL) {
+		fprintf(stderr, "Failed to initialize talloc\n");
+		exit(1);
+	}
+
+	/* READ MS ROOT CERTIFICATE */
+
+	cat_pkcs7 = mscat_pkcs7_init(mem_ctx);
+	if (cat_pkcs7 == NULL) {
+		exit(1);
+	}
+
+	rc = mscat_pkcs7_import_catfile(cat_pkcs7,
+					filename);
+	if (rc != 0) {
+		exit(1);
+	}
+
+	if (argc >= 2) {
+		ca_file = argv[2];
+	}
+
+	rc = mscat_pkcs7_verify(cat_pkcs7, ca_file);
+	if (rc != 0) {
+		printf("FAILED TO VERIFY CATALOG FILE!\n");
+		exit(1);
+	}
+	printf("CATALOG FILE VERIFIED!\n\n");
+
+	msctl = mscat_ctl_init(mem_ctx);
+	if (msctl == NULL) {
+		exit(1);
+	}
+
+	rc = mscat_ctl_import(msctl, cat_pkcs7);
+	if (rc != 0) {
+		exit(1);
+	}
+
+	member_count = mscat_ctl_get_member_count(msctl);
+	printf("CATALOG MEMBER COUNT=%d\n", member_count);
+
+	for (i = 0; i < member_count; i++) {
+		struct mscat_ctl_member *m;
+		size_t j;
+
+		rc = mscat_ctl_get_member(msctl,
+					  mem_ctx,
+					  i + 1,
+					  &m);
+		if (rc != 0) {
+			exit(1);
+		}
+
+		printf("CATALOG MEMBER\n");
+		if (m->checksum.type == MSCAT_CHECKSUM_STRING) {
+			printf("  CHECKSUM: %s\n", m->checksum.string);
+		} else if (m->checksum.type == MSCAT_CHECKSUM_BLOB) {
+			printf("  CHECKSUM: ");
+			for (j = 0; j < m->checksum.size; j++) {
+				printf("%X", m->checksum.blob[j]);
+			}
+			printf("\n");
+		}
+		printf("\n");
+
+		if (m->file.name != NULL) {
+			printf("  FILE: %s, FLAGS=0x%08x\n",
+			       m->file.name,
+			       m->file.flags);
+		}
+
+		if (m->info.guid != NULL) {
+			printf("  GUID: %s, ID=0x%08x\n",
+			       m->info.guid,
+			       m->info.id);
+		}
+
+		if (m->osattr.value != NULL) {
+			printf("  OSATTR: %s, FLAGS=0x%08x\n",
+			       m->osattr.value,
+			       m->osattr.flags);
+		}
+
+		if (m->mac.type != MSCAT_MAC_UNKNOWN) {
+			printf("  MAC: %s, DIGEST: ",
+			       mac_to_string(m->mac.type));
+			for (j = 0; j < m->mac.digest_size; j++) {
+				printf("%X", m->mac.digest[j]);
+			}
+			printf("\n");
+		}
+		printf("\n");
+	}
+	printf("\n");
+
+	attribute_count = mscat_ctl_get_attribute_count(msctl);
+	printf("CATALOG ATTRIBUTE COUNT=%d\n", attribute_count);
+
+	for (i = 0; i < attribute_count; i++) {
+		struct mscat_ctl_attribute *a;
+
+		rc = mscat_ctl_get_attribute(msctl,
+					     mem_ctx,
+					     i + 1,
+					     &a);
+		if (rc != 0) {
+			exit(1);
+		}
+
+		printf("  NAME=%s, FLAGS=0x%08x, VALUE=%s\n",
+		       a->name,
+		       a->flags,
+		       a->value);
+	}
+	talloc_free(mem_ctx);
+	return 0;
+}

lib/mscat/mscat.asn

@@ -0,0 +1,136 @@
+--
+--  ASN.1 Description for Microsoft Catalog Files
+--
+--    Copyright 2016 Andreas Schneider <asn@samba.org>
+--    Copyright 2016 Nikos Mavrogiannopoulos <nmav@redhat.com>
+--
+--  This program is free software: you can redistribute it and/or modify
+--  it under the terms of the GNU Lesser General Public License as published
+--  by the Free Software Foundation, either version 3 of the License, or
+--  (at your option) any later version.
+--
+--  This program is distributed in the hope that it will be useful,
+--  but WITHOUT ANY WARRANTY; without even the implied warranty of
+--  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+--  GNU Lesser General Public License for more details.
+--
+--  You should have received a copy of the GNU Lesser General Public License
+--  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+--
+CATALOG {}
+DEFINITIONS IMPLICIT TAGS ::= -- assuming implicit tags, should try explicit too
+
+BEGIN
+
+-- CATALOG_NAME_VALUE
+CatalogNameValue ::= SEQUENCE { -- 180
+    name       BMPString,
+    flags      INTEGER, -- 10010001
+    value      OCTET STRING -- UTF-16-LE
+}
+
+-- CATALOG_MEMBER_INFO
+CatalogMemberInfo ::= SEQUENCE {
+    name       BMPString,
+    id         INTEGER -- 0200
+}
+
+CatalogMemberInfo2 ::= SEQUENCE {
+    memId       OBJECT IDENTIFIER,
+    unknown     SET OF SpcLink
+}
+
+-- SPC_INDIRECT_DATA
+SpcIndirectData ::= SEQUENCE {
+    data        SpcAttributeTypeAndOptionalValue,
+    messageDigest DigestInfo
+}
+
+SpcAttributeTypeAndOptionalValue ::= SEQUENCE {
+    type        OBJECT IDENTIFIER,
+    value       ANY DEFINED BY type OPTIONAL
+}
+
+DigestInfo ::= SEQUENCE {
+    digestAlgorithm AlgorithmIdentifier,
+    digest OCTET STRING
+}
+
+AlgorithmIdentifier ::=  SEQUENCE  {
+    algorithm   OBJECT IDENTIFIER,
+    parameters  ANY DEFINED BY algorithm OPTIONAL
+                -- contains a value of the type
+}
+
+-- SPC_PE_IMAGE_DATA
+SpcPEImageData ::= SEQUENCE {
+    flags       SpcPeImageFlags DEFAULT includeResources,
+    link        [0] EXPLICIT SpcLink OPTIONAL
+}
+
+SpcPeImageFlags ::= BIT STRING {
+    includeResources            (0),
+    includeDebugInfo            (1),
+    includeImportAddressTable   (2)
+}
+
+SpcLink ::= CHOICE {
+    url         [0]    IMPLICIT IA5String,
+    moniker     [1]    IMPLICIT SpcSerializedObject,
+    file        [2]    EXPLICIT SpcString
+}
+
+SpcSerializedObject ::= SEQUENCE {
+    classId     OCTET STRING, -- GUID
+    data        OCTET STRING  -- Binary structure
+}
+
+SpcString ::= CHOICE {
+    unicode     [0] IMPLICIT BMPString,
+    ascii       [1] IMPLICIT IA5String
+}
+
+-- SPC_IMAGE_DATA_FILE
+SpcImageDataFile ::= SEQUENCE {
+    flags       BIT STRING,
+    file        SpcLink
+}
+
+-----------------------------------------------------------
+-- CERT_TRUST_LIST STRUCTURE
+-----------------------------------------------------------
+
+CatalogListId ::= SEQUENCE {
+    oid OBJECT IDENTIFIER
+}
+
+CatalogListMemberId ::= SEQUENCE {
+    oid OBJECT IDENTIFIER,
+    optional NULL
+}
+
+MemberAttribute ::= SEQUENCE {
+    contentType OBJECT IDENTIFIER,
+    content SET OF ANY DEFINED BY contentType
+}
+
+CatalogListMember ::= SEQUENCE {
+    checksum OCTET STRING, -- The member checksum (e.g. SHA1)
+    attributes SET OF MemberAttribute OPTIONAL
+}
+
+CatalogAttribute ::= SEQUENCE {
+    dataId OBJECT IDENTIFIER,
+    encapsulated_data OCTET STRING -- encapsulates CatNameValue or SpcPeImageData
+}
+
+CertTrustList ::= SEQUENCE {
+    catalogListId CatalogListId,
+    unknownString OCTET STRING, -- 16 bytes MD5 hash?
+    trustUtcTime UTCTime,
+    catalogListMemberId CatalogListMemberId,
+    members SEQUENCE OF CatalogListMember,
+    attributes [0] EXPLICIT SEQUENCE OF CatalogAttribute OPTIONAL
+}
+
+END

lib/mscat/mscat.h

@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 2016      Andreas Schneider <asn@samba.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _MSCAT_H
+#define _MSCAT_H
+
+#include <stdbool.h>
+#include <talloc.h>
+#include <gnutls/pkcs7.h>
+#include <libtasn1.h>
+
+enum mscat_mac_algorithm {
+	MSCAT_MAC_UNKNOWN,
+	MSCAT_MAC_NULL,
+	MSCAT_MAC_MD5,
+	MSCAT_MAC_SHA1,
+	MSCAT_MAC_SHA256,
+	MSCAT_MAC_SHA512
+};
+
+struct mscat_pkcs7;
+
+struct mscat_pkcs7 *mscat_pkcs7_init(TALLOC_CTX *mem_ctx);
+
+int mscat_pkcs7_import_catfile(struct mscat_pkcs7 *mp7,
+			       const char *catfile);
+
+int mscat_pkcs7_verify(struct mscat_pkcs7 *mp7,
+		       const char *ca_file);
+
+struct mscat_ctl;
+
+struct mscat_ctl *mscat_ctl_init(TALLOC_CTX *mem_ctx);
+
+int mscat_ctl_import(struct mscat_ctl *ctl,
+		     struct mscat_pkcs7 *pkcs7);
+
+int mscat_ctl_get_member_count(struct mscat_ctl *ctl);
+
+enum mscat_checksum_type {
+	MSCAT_CHECKSUM_STRING = 1,
+	MSCAT_CHECKSUM_BLOB
+};
+
+struct mscat_ctl_member {
+	struct {
+		enum mscat_checksum_type type;
+		union {
+			const char *string;
+			uint8_t *blob;
+		};
+		size_t size;
+	} checksum;
+	struct {
+		const char *name;
+		uint32_t flags;
+	} file;
+	struct {
+		const char *value;
+		uint32_t flags;
+	} osattr;
+	struct {
+		const char *guid;
+		uint32_t id;
+	} info;
+	struct {
+		enum mscat_mac_algorithm type;
+		uint8_t *digest;
+		size_t digest_size;
+	} mac;
+};
+
+int mscat_ctl_get_member(struct mscat_ctl *ctl,
+			 TALLOC_CTX *mem_ctx,
+			 unsigned int idx,
+			 struct mscat_ctl_member **member);
+
+int mscat_ctl_get_attribute_count(struct mscat_ctl *ctl);
+
+struct mscat_ctl_attribute {
+	const char *name;
+	uint32_t flags;
+	const char *value;
+};
+
+int mscat_ctl_get_attribute(struct mscat_ctl *ctl,
+			    TALLOC_CTX *mem_ctx,
+			    unsigned int idx,
+			    struct mscat_ctl_attribute **pattribute);
+
+#endif /* _MSCAT_H */

lib/mscat/mscat_pkcs7.c

@@ -0,0 +1,284 @@
+/*
+ * Copyright (c) 2016      Andreas Schneider <asn@samba.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <errno.h>
+#include <stdint.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include <util/debug.h>
+#include <util/data_blob.h>
+
+#include "mscat.h"
+#include "mscat_private.h"
+
+#define PKCS7_CTL_OBJID                "1.3.6.1.4.1.311.10.1"
+
+static int mscat_pkcs7_cleanup(struct mscat_pkcs7 *mp7)
+{
+	if (mp7->c != NULL) {
+		gnutls_pkcs7_deinit(mp7->c);
+	}
+
+	return 0;
+}
+
+struct mscat_pkcs7 *mscat_pkcs7_init(TALLOC_CTX *mem_ctx)
+{
+	struct mscat_pkcs7 *pkcs7;
+	int rc;
+
+	pkcs7 = talloc_zero(mem_ctx, struct mscat_pkcs7);
+	if (pkcs7 == NULL) {
+		return NULL;
+	}
+	talloc_set_destructor(pkcs7, mscat_pkcs7_cleanup);
+
+	rc = gnutls_pkcs7_init(&pkcs7->c);
+	if (rc != 0) {
+		talloc_free(pkcs7);
+		return NULL;
+	}
+
+	return pkcs7;
+}
+
+static int mscat_read_file(TALLOC_CTX *mem_ctx,
+			   const char *filename,
+			   DATA_BLOB *pblob)
+{
+	struct stat sb = {0};
+	size_t alloc_size;
+	size_t count;
+	DATA_BLOB blob;
+	FILE *fp;
+	int rc;
+
+	fp = fopen(filename, "r");
+	if (fp == NULL) {
+		return -1;
+	}
+
+	rc = fstat(fileno(fp), &sb);
+	if (rc != 0) {
+		goto error;
+	}
+
+	if (!S_ISREG(sb.st_mode)) {
+		errno = EINVAL;
+		goto error;
+	}
+	if (SIZE_MAX - 1 < (unsigned long)sb.st_size) {
+		errno = ENOMEM;
+		goto error;
+	}
+	alloc_size = sb.st_size + 1;
+
+	blob = data_blob_talloc_zero(mem_ctx, alloc_size);
+	if (blob.data == NULL) {
+		goto error;
+	}
+
+	count = fread(blob.data, 1, blob.length, fp);
+	if (count != blob.length) {
+		if (ferror(fp)) {
+			goto error;
+		}
+	}
+	blob.data[count] = '\0';
+	blob.length = count;
+	fclose(fp);
+
+	*pblob = blob;
+
+	return 0;
+error:
+	data_blob_free(&blob);
+	fclose(fp);
+	return rc;
+}
+
+int mscat_pkcs7_import_catfile(struct mscat_pkcs7 *mp7,
+			       const char *catfile)
+{
+	TALLOC_CTX *tmp_ctx;
+	gnutls_datum_t mscat_data = {
+		.size = 0,
+	};
+	DATA_BLOB blob;
+	int rc;
+
+	tmp_ctx = talloc_new(mp7);
+	if (tmp_ctx == NULL) {
+		return -1;
+	}
+
+	rc = mscat_read_file(tmp_ctx,
+			     catfile,
+			     &blob);
+	if (rc == -1) {
+		DBG_ERR("Failed to read catalog file '%s' - %s",
+			catfile,
+			strerror(errno));
+		goto done;
+	}
+
+	mscat_data.data = blob.data;
+	mscat_data.size = blob.length;
+
+	rc = gnutls_pkcs7_import(mp7->c,
+				 &mscat_data,
+				 GNUTLS_X509_FMT_DER);
+	if (rc < 0) {
+		DBG_ERR("Failed to import PKCS7 from '%s' - %s",
+			catfile,
+			gnutls_strerror(rc));
+		goto done;
+	}
+
+	rc = 0;
+done:
+	talloc_free(tmp_ctx);
+	return rc;
+}
+
+int mscat_pkcs7_verify(struct mscat_pkcs7 *mp7,
+		       const char *ca_file)
+{
+	TALLOC_CTX *tmp_ctx = NULL;
+	gnutls_x509_trust_list_t tl = NULL;
+	gnutls_datum_t ca_data;
+	DATA_BLOB blob;
+	uint32_t flags = 0;
+	const char *oid;
+	int count;
+	int cmp;
+	int rc;
+	int i;
+
+	oid = gnutls_pkcs7_get_embedded_data_oid(mp7->c);
+	if (oid == NULL) {
+		DBG_ERR("Failed to get oid - %s",
+			gnutls_strerror(errno));
+		return -1;
+	}
+
+	cmp = strcmp(oid, PKCS7_CTL_OBJID);
+	if (cmp != 0) {
+		DBG_ERR("Invalid oid in catalog file! oid: %s, expected: %s",
+			oid,
+			PKCS7_CTL_OBJID);
+		return -1;
+	}
+
+	tmp_ctx = talloc_new(mp7);
+	if (tmp_ctx == NULL) {
+		return -1;
+	}
+
+	rc = gnutls_x509_trust_list_init(&tl,
+					 0); /* default size */
+	if (rc != 0) {
+		DBG_ERR("Failed to create trust list - %s",
+			gnutls_strerror(rc));
+		goto done;
+	}
+
+
+	/* Load the system trust list */
+	rc = gnutls_x509_trust_list_add_system_trust(tl, 0, 0);
+	if (rc < 0) {
+		DBG_ERR("Failed to add system trust list - %s",
+			gnutls_strerror(rc));
+		goto done;
+	}
+	DBG_INFO("Loaded %d CAs", rc);
+
+	if (ca_file != NULL) {
+		rc = mscat_read_file(tmp_ctx,
+				     ca_file,
+				     &blob);
+		if (rc != 0) {
+			DBG_ERR("Failed to read CA file '%s' - %s",
+				ca_file,
+				strerror(errno));
+			goto done;
+		}
+
+		ca_data.data = blob.data;
+		ca_data.size = blob.length;
+
+		rc = gnutls_x509_trust_list_add_trust_mem(tl,
+							  &ca_data,
+							  NULL, /* crls */
+							  GNUTLS_X509_FMT_DER,
+							  0, /* tl_flags */
+							  0); /* tl_vflags */
+		if (rc < 0) {
+			DBG_ERR("Failed to add '%s' to trust list - %s (%d)",
+				ca_file,
+				gnutls_strerror(rc),
+				rc);
+			goto done;
+		}
+		DBG_INFO("Loaded %d additional CAs", rc);
+	}
+
+	/*
+	 * Drivers often exist for quite some time, so it is possible that one
+	 * of the certificates in the trust list expired.
+	 * This is not a big deal, but we need to disable the time checks
+	 * or the verification will fail.
+	 */
+	flags = GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS|
+		GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
+
+#if GNUTLS_VERSION_NUMBER >= 0x030600
+	/* The "Microsoft Root Authority" certificate uses SHA1 */
+	flags |= GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1;
+#endif
+
+	count = gnutls_pkcs7_get_signature_count(mp7->c);
+	if (count == 0) {
+		DBG_ERR("Failed to verify catalog file, no signatures found");
+		goto done;
+	}
+
+	for (i = 0; i < count; i++) {
+		rc = gnutls_pkcs7_verify(mp7->c,
+					 tl,
+					 NULL, /* vdata */
+					 0,    /* vdata_size */
+					 i,    /* index */
+					 NULL, /* data */
+					 flags);   /* flags */
+		if (rc < 0) {
+			DBG_ERR("Failed to verify catalog file - %s (%d)",
+				gnutls_strerror(rc),
+				rc);
+			goto done;
+		}
+	}
+
+	rc = 0;
+done:
+	gnutls_x509_trust_list_deinit(tl, 1);
+	talloc_free(tmp_ctx);
+	return rc;
+}

lib/mscat/mscat_private.h

@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2016      Andreas Schneider <asn@samba.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef _MSCAT_PRIVATE_H
+#define _MSCAT_PRIVATE_H
+
+#include <gnutls/pkcs7.h>
+
+struct mscat_pkcs7 {
+	gnutls_pkcs7_t c;
+};
+
+#endif /* _MSCAT_PRIVATE_H */

lib/mscat/wscript

@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+import os
+import Logs
+import sys
+
+def configure(conf):
+    pkg_name = 'libtasn1'
+    pkg_minversion = '3.8'
+
+    if conf.CHECK_BUNDLED_SYSTEM_PKG(pkg_name, minversion=pkg_minversion):
+        if not conf.find_program('asn1Parser', var='ASN1PARSER'):
+            Logs.warn('WARNING: ans1Parser hasn\'t been found! Please install it (e.g. libtasn1-bin)')
+
+    conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls')
+
+def build(bld):
+    if (bld.CONFIG_SET('HAVE_LIBTASN1') and
+        bld.env.ASN1PARSER and
+        bld.CONFIG_SET('HAVE_GNUTLS_PKCS7_GET_EMBEDDED_DATA_OID')):
+
+        bld.SAMBA_GENERATOR('MSCAT_PARSER',
+                            source='mscat.asn',
+                            target='mscat_asn1_tab.c',
+                            rule='${ASN1PARSER} --output ${TGT} ${SRC}',
+                            group='build_source')
+
+        bld.SAMBA_LIBRARY('mscat',
+                          source='''
+                                 mscat_asn1_tab.c
+                                 mscat_ctl.c
+                                 mscat_pkcs7.c
+                                 ''',
+                          deps='''
+                               talloc
+                               gnutls
+                               libtasn1
+                               samba-util
+                               ''',
+                          private_library=True)
+
+        bld.SAMBA_BINARY('dumpmscat',
+                         source='dumpmscat.c',
+                         deps='mscat')

wscript

@@ -279,6 +279,7 @@ def configure(conf):
     if conf.env.with_ctdb:
         conf.RECURSE('ctdb')
     conf.RECURSE('lib/socket')
+    conf.RECURSE('lib/mscat')
     conf.RECURSE('packaging')
 
     conf.SAMBA_CHECK_UNDEFINED_SYMBOL_FLAGS()

wscript_build

@@ -117,6 +117,7 @@ bld.RECURSE('libcli/echo')
 bld.RECURSE('libcli/dns')
 bld.RECURSE('libcli/samsync')
 bld.RECURSE('libcli/registry')
+bld.RECURSE('lib/mscat')
 bld.RECURSE('source4/lib/policy')
 bld.RECURSE('libcli/named_pipe_auth')
 if bld.CONFIG_GET('ENABLE_SELFTEST'):