annotate common/binverify.h @ 1328:18211dce3106

Do not free cert context after deletion
CertDeleteCertificateFromStore already frees the context.
author Andre Heinecke <andre.heinecke@intevation.de>
date Wed, 15 Oct 2014 13:17:02 +0200
parents 2a1aa9df8f11
children 28885e8c891f
Changesets in this annotation (rev, changeset, summary, author, parents):
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verification for windows, Andre Heinecke <aheinecke@intevation.de>
586 ecfd77751daf Disambiguate enumerator values and add portable wrapper., Andre Heinecke <aheinecke@intevation.de>, parents: 579
771 2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux, Andre Heinecke <andre.heinecke@intevation.de>, parents: 629
774 44fa5de02b52 (issue43) Finalize and verify binary verification for linux., Andre Heinecke <andre.heinecke@intevation.de>, parents: 771
904 f89b41fa7048 Fix whitespace errors, Andre Heinecke <andre.heinecke@intevation.de>, parents: 774
1053 78798d3af8f0 Fixed doxygen build warnings., Emanuel Schuetze <emanuel@intevation.de>, parents: 904
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file, Andre Heinecke <andre.heinecke@intevation.de>, parents: 1053
1255 2a1aa9df8f11 (issue133) Improve API documentation, Andre Heinecke <andre.heinecke@intevation.de>, parents: 1081

/* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik
 * Software engineering by Intevation GmbH
 *
 * This file is Free Software under the GNU GPL (v>=2)
 * and comes with ABSOLUTELY NO WARRANTY!
 * See LICENSE.txt for details.
 */

#ifndef BINVERIFY_H
#define BINVERIFY_H
/* @file binverify.h
 * @brief Verification of binary files
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#ifdef __cplusplus
extern "C" {
#endif

/**
 * @enum verify_result
 * @brief Result of a verification
 */
typedef enum {
    /*! Could be read and signature matched */
    VerifyValid = 100,
    /*! The expected unexpected */
    VerifyUnknownError = 1,
    /*! Signature was invalid */
    VerifyInvalidSignature = 4,
    /*! Certificate mismatch */
    VerifyInvalidCertificate = 5,
    /*! File exists but could not read the file */
    VerifyReadFailed = 6,
} verify_result;

/**
 * @struct bin_verify_result
 * @brief A structure containing a verify_result and a reference to the
 * verified file.
 */
typedef struct {
    /*@{*/
    verify_result result; /**< the result of the verification */
    FILE *fptr; /**< Pointer to the open file struct of the verified file
                  The ptr is only valid if verify_result is VerifyValid
                  and needs to be closed by the caller in that case.*/
    /*@}*/
} bin_verify_result;

/**
 * @brief verify a binary
 *
 * This function checks that a binary is signed by a built
 * in certificate.
 *
 * Caution: This function works on file names only which could
 * be modified after this check.
 *
 * Windows verification is done using Windows crypto API based on
 * embedded PKCS 7 "authenticode" signatures embedded into the
 * file.
 *
 * On Linux the file is expected to end with the pattern of
 * \\r\\nS: (0x0d0a533A) followed by a 3072 Bit Base64 encoded RSA
 * signature.
 * The signature is verified against the built in codesigning key in
 * the same certificate that is used for windows verification.
 * If the pattern is not found the verification fails.
 *
 * @param[in] filename absolute null terminated UTF-8 encoded path to the file.
 * @param[in] name_len length of the filename.
 *
 * @returns the verification result.
 */
bin_verify_result verify_binary(const char *filename, size_t name_len);

/**@def Max size of a valid binary in byte */
#define MAX_VALID_BIN_SIZE (32 * 1024 * 1024)

#ifdef WIN32
/**
 * @brief windows implementation of verify_binary
 */
bin_verify_result verify_binary_win(const char *filename, size_t name_len);
#else /* WIN32 */

/**
 * @brief linux implementation of verify_binary
 */
bin_verify_result verify_binary_linux(const char *filename, size_t name_len);
#endif

#ifdef __cplusplus
}
#endif

#endif /* BINVERIFY_H */
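
The Linux trailer described in the verify_binary documentation above, shown as an added example (not the project's own code): a framing check that separates the signed payload from the trailing signature before any RSA verification is attempted. It assumes the signature is exactly 512 unpadded Base64 characters and is the last thing in the file; `signed_payload_len`, `check_sample` and the `ERR_*` codes are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

#define MAX_VALID_BIN_SIZE (32 * 1024 * 1024) /* limit taken from binverify.h */
#define SIG_MARKER     "\r\nS:"  /* bytes 0x0d 0x0a 0x53 0x3a */
#define SIG_MARKER_LEN 4
#define SIG_B64_LEN    512       /* assumed: 3072 bit = 384 bytes = 512 chars */
#define TRAILER_LEN    (SIG_MARKER_LEN + SIG_B64_LEN)
enum { ERR_SIZE = -1, ERR_NO_MARKER = -2, ERR_BAD_B64 = -3 };

/* Hypothetical helper: returns the length of the signed payload, or a
 * negative ERR_* code. Only the framing is checked; verifying the RSA
 * signature over buf[0..payload) is a separate step. */
static long signed_payload_len(const unsigned char *buf, size_t len)
{
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i;
    /* Reject oversized input and input too short to hold payload + trailer. */
    if (buf == NULL || len > MAX_VALID_BIN_SIZE || len <= TRAILER_LEN)
        return ERR_SIZE;
    /* Accept the marker only at its fixed offset from the end; never search
     * for it, because the payload may contain the same four bytes. */
    if (memcmp(buf + len - TRAILER_LEN, SIG_MARKER, SIG_MARKER_LEN) != 0)
        return ERR_NO_MARKER;
    /* Every signature byte must come from the Base64 alphabet. */
    for (i = len - SIG_B64_LEN; i < len; i++)
        if (buf[i] == '\0' || strchr(b64, buf[i]) == NULL)
            return ERR_BAD_B64;
    return (long)(len - TRAILER_LEN);
}

/* Constructed sample: payload + marker + 512 'A' characters (not a real
 * signature). damage_off >= 0 overwrites one byte to hit a failure path. */
static long check_sample(const char *payload, long damage_off, char damage)
{
    unsigned char buf[1024];
    size_t n = strlen(payload);
    if (n + TRAILER_LEN > sizeof buf || damage_off >= (long)(n + TRAILER_LEN))
        return ERR_SIZE;
    memcpy(buf, payload, n);
    memcpy(buf + n, SIG_MARKER, SIG_MARKER_LEN);
    memset(buf + n + SIG_MARKER_LEN, 'A', SIG_B64_LEN);
    if (damage_off >= 0) buf[damage_off] = (unsigned char)damage;
    return signed_payload_len(buf, n + TRAILER_LEN);
}

int main(void) { return check_sample("ELF-payload", -1, 0) == 11 ? 0 : 1; }
```

Run on the same open file handle that is later executed or installed, this check pairs with the `fptr` member of `bin_verify_result`, which exists so the caller does not reopen the file by name after verification.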

http://wald.intevation.org/projects/trustbridge/