From 2e0af64ac3e11791e3f706439b4fbf063e0d0708 Mon Sep 17 00:00:00 2001
From: n1073645 <n1073645@gmail.com>
Date: Tue, 17 Mar 2020 14:53:05 +0000
Subject: [PATCH] PGP secring signatures and Mac OS X keyring extractor added

---
 src/core/lib/FileSignatures.mjs | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/src/core/lib/FileSignatures.mjs b/src/core/lib/FileSignatures.mjs
index 7ec0af21..84a5858c 100644
--- a/src/core/lib/FileSignatures.mjs
+++ b/src/core/lib/FileSignatures.mjs
@@ -2169,14 +2169,14 @@ export const FILE_SIGNATURES = {
             mime: "application/octet-stream",
             description: "",
             signature: {
-                0: 0x6b, // keych
+                0: 0x6b, // kych
                 1: 0x79,
                 2: 0x63,
                 3: 0x68,
                 4: 0x00,
                 5: 0x01
             },
-            extractor: null
+            extractor: extractMacOSXKeychain
         },
         {
             name: "TCP Packet",
@@ -2327,6 +2327,12 @@ export const FILE_SIGNATURES = {
                     1: 0x03,
                     2: 0xc6,
                     3: 0x04
+                },
+                {
+                    0: 0x95,
+                    1: 0x05,
+                    2: 0x86,
+                    3: 0x04
                 }
             ],
             extractor: null
@@ -3221,6 +3227,27 @@ export function extractPListXML(bytes, offset) {
 }
 
 
+/**
+ * MacOS X Keychain Extactor.
+ *
+ * @param {Uint8Array} bytes
+ * @param {number} offset
+ * @returns {Uint8Array}
+ */
+export function extractMacOSXKeychain(bytes, offset) {
+
+    const stream = new Stream(bytes.slice(offset));
+
+    // Move to size field.
+    stream.moveTo(0x14);
+
+    // Move forwards by size.
+    stream.moveForwardsBy(stream.readInt(4));
+
+    return stream.carve();
+}
+
+
 /**
  * OLE2 extractor.
  *