Fix bug with multiple signatures. (#940)

* Fix bug with multiple signatures.

* Don't use BIO interface, use d2i instead. Fix some other small bugs and don't recurse forever when parsing nested signatures.

* Walk the X509 attributes looking for nested signatures.

* Move variable declarations out of loop.

* Move nested signature checking out of the loop.

Move the nested signature checking out of the main certificate parsing loop. The
nested signatures are on the PKCS7 structure, not the certificate. Also, make
the loop better by not processing the same attribute over and over.

These were suggested by Andrew Williams.

* If the nested signature is NULL, break early.

If the nested signature is ever NULL, break early because it will always be
NULL. Also, tighten up the the checks for MAX_PE_CERTS. We aren't likely to ever
see a PE that hits the case where it has multiple certs in a single PKCS7 blob,
but it can't hurt to check in the loop too.

Author: wxsBSD

libyara/include/yara/pe.h

@@ -464,6 +464,8 @@ typedef struct _VERSION_INFO {
 } VERSION_INFO, *PVERSION_INFO;
 
 
+#define MAX_PE_CERTS 16
+
 #define WIN_CERT_REVISION_1_0 0x0100
 #define WIN_CERT_REVISION_2_0 0x0200
 
@@ -481,6 +483,8 @@ typedef struct _WIN_CERTIFICATE {
     BYTE  Certificate[0];
 } WIN_CERTIFICATE, *PWIN_CERTIFICATE;
 
+#define SPC_NESTED_SIGNATURE_OBJID  "1.3.6.1.4.1.311.2.4.1"
+
 
 //
 // Rich signature.