trustbridge: common/binverify.h annotate

annotate common/binverify.h @ 1371:23df332b2a4c

(issue179) Read install signature timestamp from config This also changes the way the sigDt is propgated to the MainWindow. It no longer uses the settings but hands it over as a parameter directly.

author	Andre Heinecke <andre.heinecke@intevation.de>
date	Mon, 24 Nov 2014 15:48:49 +0100
parents	28885e8c891f
children

rev	line source
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	2 * Software engineering by Intevation GmbH
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	3 *
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	4 * This file is Free Software under the GNU GPL (v>=2)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	5 * and comes with ABSOLUTELY NO WARRANTY!
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	6 * See LICENSE.txt for details.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	7 */
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	8
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	9 #ifndef BINVERIFY_H
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	10 #define BINVERIFY_H
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	11 /* @file binverify.h
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	12 * @brief Verification of binary files
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	13 */
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	14 #include <stdbool.h>
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	15 #include <stddef.h>
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	16 #include <stdio.h>
1364 28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify Andre Heinecke <andre.heinecke@intevation.de> parents: 1255 diff changeset	17 #include <time.h>
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	18
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	19 #ifdef __cplusplus
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	20 extern "C" {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	21 #endif
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	22
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	23 /**
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	24 * @enum verify_result
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	25 * @brief Result of a verification
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	26 */
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	27 typedef enum {
1255 2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	28 /! Could be read and signature matched /
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	29 VerifyValid = 100,
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	30 /! The expected unexpected /
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	31 VerifyUnknownError = 1,
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	32 /! Signature was invalid /
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	33 VerifyInvalidSignature = 4,
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	34 /! Certificate mismatch /
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	35 VerifyInvalidCertificate = 5,
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	36 /! File exists but could not read the file /
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	37 VerifyReadFailed = 6,
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	38 } verify_result;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	39
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	40 /**
1255 2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	41 * @struct bin_verify_result
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	42 * @brief A structure containing a verify_result and a reference to the
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	43 * verified file.
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	44 */
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	45 typedef struct {
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	46 /@{/
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	47 verify_result result; /*< the result of the verification /
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	48 FILE fptr; /*< Pointer to the open file struct of the verified file
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	49 The ptr is only valid if verify_result is VerifyValid
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	50 and needs to be closed by the caller in that case.*/
1364 28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify Andre Heinecke <andre.heinecke@intevation.de> parents: 1255 diff changeset	51 time_t sig_time; /** < Time of the signature. */
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	52 /@}/
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	53 } bin_verify_result;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	54
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	55 /**
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	56 * @brief verify a binary
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	57 *
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	58 * This function checks that a binary is signed by a built
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	59 * in certificate.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	60 *
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	61 * Caution: This function works on file names only which could
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	62 * be modified after this check.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	63 *
771 2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	64 * Windows verification is done using Windows crypto API based on
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	65 * embedded PKCS 7 "authenticode" signatures embedded into the
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	66 * file.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	67 *
904 f89b41fa7048 Fix whitespace errors Andre Heinecke <andre.heinecke@intevation.de> parents: 774 diff changeset	68 * On Linux the file is epxected to and with the pattern of
1053 78798d3af8f0 Fixed doxygen build warnings. Emanuel Schuetze <emanuel@intevation.de> parents: 904 diff changeset	69 * \\r\\nS: (0x0d0a533A) followed by a 3072 Bit Base64 encoded RSA
774 44fa5de02b52 (issue43) Finalize and verify binary verification for linux. Andre Heinecke <andre.heinecke@intevation.de> parents: 771 diff changeset	70 * signature.
771 2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	71 * The signature is verified against the built in codesigning key in
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	72 * the same certificate that is used for windows verification.
774 44fa5de02b52 (issue43) Finalize and verify binary verification for linux. Andre Heinecke <andre.heinecke@intevation.de> parents: 771 diff changeset	73 * If the pattern is not found the verification fails.
771 2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	74 *
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	75 * @param[in] filename absolute null terminated UTF-8 encoded path to the file.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	76 * @param[in] name_len length of the filename.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	77 *
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	78 * @returns the verification result.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	79 */
586 ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	80 bin_verify_result verify_binary(const char *filename, size_t name_len);
ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	81
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	82 /*@def Max size of a valid binary in byte /
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	83 #define MAX_VALID_BIN_SIZE (32 * 1024 * 1024)
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	84
586 ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	85 #ifdef WIN32
ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	86 /**
ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	87 * @brief windows implementation of verify_binary
ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	88 */
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	89 bin_verify_result verify_binary_win(const char *filename, size_t name_len);
771 2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	90 #else /* WIN32 */
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	91
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	92 /**
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	93 * @brief linux implementation of verify_binary
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	94 */
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	95 bin_verify_result verify_binary_linux(const char *filename, size_t name_len);
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	96 #endif
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	97
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	98 #ifdef __cplusplus
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	99 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	100 #endif
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	101
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	102 #endif /* BINVERIFY_H */

Mercurial > trustbridge

annotate common/binverify.h @ 1371:23df332b2a4c