Mercurial > trustbridge
annotate common/binverify.c @ 773:2c69298b4188
WIP start with tests for Linux binary verification
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Thu, 10 Jul 2014 19:16:21 +0200 |
parents | 2798f1869eee |
children | 44fa5de02b52 |
rev | line source |
---|---|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
2 * Software engineering by Intevation GmbH |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
3 * |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
4 * This file is Free Software under the GNU GPL (v>=2) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
5 * and comes with ABSOLUTELY NO WARRANTY! |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
6 * See LICENSE.txt for details. |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
7 */ |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
8 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
9 #include "binverify.h" |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
10 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
11 #include "strhelp.h" |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
12 #include "logging.h" |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
13 |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
14 #ifdef RELEASE_BUILD |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
15 #include "pubkey-release.h" |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
16 #else |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
17 #include "pubkey-test.h" |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
18 #endif |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
19 |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
20 bin_verify_result |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
21 verify_binary(const char *filename, size_t name_len) { |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
22 if (!filename || !name_len) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
23 return VerifyUnknownError; |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
24 #ifdef WIN32 |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
25 return verify_binary_win(filename, name_len); |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
26 #else |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
27 return verify_binary_linux(filename, name_len); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
28 #endif |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
29 } |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
30 |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
31 #ifdef WIN32 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
32 |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
33 #include <polarssl/x509_crt.h> |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
34 |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
35 #include <windows.h> |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
36 #include <wincrypt.h> |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
37 #include <wintrust.h> |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
38 #include <stdio.h> |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
39 |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
40 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
41 /** @brief Check if the certificate @a pCCertContext is pinned |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
42 * |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
43 * Compares the certificate's binary data (public key and attributes) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
44 * with each other to validate that the certificate pCCertContext has |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
45 * exactly the same data as the builtin public certificate. |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
46 * |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
47 * @param[in] pCCertContext pointer to the certificate to check |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
48 * |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
49 * @returns true if the certificate matches, false otherwise. |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
50 */ |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
51 static bool |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
52 check_certificate (PCCERT_CONTEXT pCCertContext) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
53 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
54 x509_crt codesign_cert; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
55 int ret = 0; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
56 DWORD dwI = 0; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
57 bool retval = false; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
58 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
59 if (pCCertContext == NULL) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
60 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
61 ERRORPRINTF ("Invalid call to check_certificate"); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
62 return false; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
63 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
64 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
65 x509_crt_init(&codesign_cert); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
66 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
67 /* Parse the pinned certificate */ |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
68 ret = x509_crt_parse(&codesign_cert, |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
69 public_key_codesign_pem, |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
70 public_key_codesign_pem_size); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
71 if (ret != 0) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
72 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
73 ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n\n", -ret); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
74 goto done; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
75 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
76 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
77 if (codesign_cert.raw.len != pCCertContext->cbCertEncoded || |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
78 codesign_cert.raw.len <= 0) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
79 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
80 ERRORPRINTF ("Certificate size mismatch"); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
81 goto done; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
82 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
83 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
84 /* Check that the certificate is exactly the same as the pinned one */ |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
85 for (dwI = 0; dwI < pCCertContext->cbCertEncoded; dwI++) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
86 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
87 if (pCCertContext->pbCertEncoded[dwI] != codesign_cert.raw.p[dwI]) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
88 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
89 ERRORPRINTF ("Certificate content mismatch"); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
90 goto done; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
91 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
92 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
93 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
94 retval = true; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
95 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
96 done: |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
97 x509_crt_free(&codesign_cert); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
98 return retval; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
99 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
100 |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
101 bin_verify_result |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
102 verify_binary_win(const char *filename, size_t name_len) { |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
103 bin_verify_result retval = VerifyUnknownError; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
104 WCHAR *filenameW = NULL; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
105 BOOL result = FALSE; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
106 DWORD dwEncoding = 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
107 dwContentType = 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
108 dwFormatType = 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
109 dwSignerInfoSize = 0; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
110 HCERTSTORE hStore = NULL; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
111 HCRYPTMSG hMsg = NULL; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
112 PCERT_INFO pSignerCert = NULL; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
113 PCCERT_CONTEXT pSignerCertContext = NULL; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
114 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
115 if (!filename || name_len > MAX_PATH || strlen(filename) != name_len) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
116 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
117 ERRORPRINTF ("Invalid parameters\n"); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
118 return VerifyUnknownError; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
119 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
120 |
591
26a18e3c3db4
Cleanups and coding style.
Andre Heinecke <aheinecke@intevation.de>
parents:
590
diff
changeset
|
121 filenameW = utf8_to_wchar(filename, name_len); |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
122 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
123 result = CryptQueryObject (CERT_QUERY_OBJECT_FILE, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
124 filenameW, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
125 CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
126 CERT_QUERY_FORMAT_FLAG_BINARY, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
127 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
128 &dwEncoding, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
129 &dwContentType, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
130 &dwFormatType, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
131 &hStore, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
132 &hMsg, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
133 NULL); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
134 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
135 if (!result || !hMsg) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
136 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
137 PRINTLASTERROR ("Failed to query crypto object"); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
138 retval = VerifyReadFailed; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
139 goto done; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
140 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
141 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
142 /* Get the cert info so that we can look up the signer in the store later */ |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
143 if (CryptMsgGetParam(hMsg, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
144 CMSG_SIGNER_CERT_INFO_PARAM, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
145 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
146 NULL, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
147 &dwSignerInfoSize) && dwSignerInfoSize > 0) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
148 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
149 pSignerCert = xmalloc (dwSignerInfoSize); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
150 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
151 else |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
152 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
153 ERRORPRINTF ("Failed to get signer cert size."); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
154 retval = VerifyUnknownError; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
155 goto done; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
156 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
157 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
158 if (!(CryptMsgGetParam(hMsg, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
159 CMSG_SIGNER_CERT_INFO_PARAM, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
160 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
161 pSignerCert, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
162 &dwSignerInfoSize))) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
163 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
164 ERRORPRINTF ("Failed to get signer cert."); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
165 retval = VerifyUnknownError; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
166 goto done; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
167 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
168 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
169 pSignerCertContext = CertGetSubjectCertificateFromStore( |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
170 hStore, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
171 PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
172 pSignerCert); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
173 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
174 if (!pSignerCertContext) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
175 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
176 ERRORPRINTF ("Failed to find signer cert in store."); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
177 retval = VerifyUnknownError; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
178 goto done; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
179 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
180 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
181 /* Verify that the signature is actually valid */ |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
182 if(!CryptMsgControl(hMsg, |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
183 0, |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
184 CMSG_CTRL_VERIFY_SIGNATURE, |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
185 pSignerCertContext->pCertInfo)) |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
186 { |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
187 ERRORPRINTF ("The signature is invalid. \n"); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
188 retval = VerifyInvalidSignature; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
189 syslog_error_printf ("Software update embedded signature is invalid."); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
190 goto done; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
191 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
192 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
193 if(check_certificate(pSignerCertContext)) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
194 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
195 DEBUGPRINTF ("Valid signature with pinned certificate."); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
196 retval = VerifyValid; |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
197 goto done; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
198 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
199 else |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
200 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
201 ERRORPRINTF ("Certificate mismatch. \n"); |
637
be30d50bc4f0
Add remaining tests to check binverify functionality
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
202 retval = VerifyInvalidCertificate; |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
203 syslog_error_printf ("Software update embedded signature " |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
204 "created with wrong certificate."); |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
205 goto done; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
206 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
207 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
208 done: |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
209 xfree(filenameW); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
210 xfree(pSignerCert); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
211 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
212 if(pSignerCertContext) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
213 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
214 CertFreeCertificateContext(pSignerCertContext); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
215 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
216 if (hStore) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
217 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
218 CertCloseStore(hStore, 0); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
219 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
220 if (hMsg) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
221 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
222 CryptMsgClose(hMsg); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
223 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
224 return retval; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
225 } |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
226 #else /* WIN32 */ |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
227 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
228 #include "listutil.h" |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
229 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
230 #pragma GCC diagnostic ignored "-Wconversion" |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
231 /* Polarssl mh.h contains a conversion which gcc warns about */ |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
232 #include <polarssl/pk.h> |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
233 #include <polarssl/base64.h> |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
234 #include <polarssl/sha256.h> |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
235 #pragma GCC diagnostic pop |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
236 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
237 bin_verify_result |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
238 verify_binary_linux(const char *filename, size_t name_len) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
239 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
240 int ret = -1; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
241 const size_t sig_b64_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8 * 4 / 3; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
242 char *data = NULL, |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
243 signature_b64[sig_b64_size + 1]; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
244 size_t data_size = 0, |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
245 sig_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
246 unsigned char signature[sig_size], |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
247 hash[32]; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
248 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
249 bin_verify_result retval = VerifyUnknownError; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
250 pk_context pub_key_ctx; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
251 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
252 if (strnlen(filename, name_len + 1) != name_len || name_len == 0) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
253 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
254 ERRORPRINTF ("Invalid call to verify_binary_linux\n"); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
255 return VerifyUnknownError; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
256 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
257 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
258 ret = read_file(filename, &data, &data_size, MAX_VALID_BIN_SIZE); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
259 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
260 if (ret != 0) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
261 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
262 ERRORPRINTF ("Read file failed with error: %i\n", ret); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
263 return VerifyReadFailed; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
264 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
265 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
266 /* Fetch the signature from the end of data */ |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
267 if (data_size < sig_b64_size + 4) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
268 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
269 ERRORPRINTF ("File to small to contain a signature.\n"); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
270 retval = VerifyInvalidSignature; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
271 goto done; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
272 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
273 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
274 if (data[data_size - sig_b64_size - 1] != ':' || |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
275 data[data_size - sig_b64_size - 2] != 'S' || |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
276 data[data_size - sig_b64_size - 3] != '\n'|| |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
277 data[data_size - sig_b64_size - 4] != '\r') |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
278 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
279 ERRORPRINTF ("Failed to find valid signature line.\n"); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
280 retval = VerifyInvalidSignature; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
281 goto done; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
282 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
283 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
284 strncpy(signature_b64, data - sig_b64_size, sig_b64_size); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
285 signature_b64[sig_b64_size] = '\0'; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
286 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
287 ret = base64_decode(signature, &sig_size, |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
288 (unsigned char *)signature_b64, sig_b64_size); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
289 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
290 if (ret != 0 || sig_size != TRUSTBRIDGE_RSA_KEY_SIZE / 8) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
291 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
292 goto done; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
293 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
294 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
295 /* Hash is calculated over the data without the signature at the end. */ |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
296 sha256((unsigned char *)data, data_size - sig_b64_size - 4, hash, 0); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
297 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
298 pk_init(&pub_key_ctx); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
299 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
300 ret = pk_parse_public_key(&pub_key_ctx, public_key_codesign_pem, |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
301 public_key_codesign_pem_size); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
302 if (ret != 0) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
303 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
304 ERRORPRINTF ("pk_parse_public_key failed with -0x%04x\n\n", -ret); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
305 pk_free(&pub_key_ctx); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
306 return VerifyUnknownError; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
307 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
308 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
309 ret = pk_verify(&pub_key_ctx, POLARSSL_MD_SHA256, hash, 0, |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
310 signature, sig_size); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
311 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
312 if (ret != 0) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
313 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
314 ERRORPRINTF ("pk_verify failed with -0x%04x\n\n", -ret); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
315 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
316 pk_free(&pub_key_ctx); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
317 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
318 return VerifyValid; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
319 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
320 done: |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
321 xfree (data); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
322 return retval; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
323 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
324 |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
325 #endif /* WIN32 */ |