trustbridge: common/binverify.h annotate

annotate common/binverify.h @ 1375:341f79090de2

Notes about using a different certificate for codesigning

author	Andre Heinecke <andre.heinecke@intevation.de>
date	Thu, 04 Dec 2014 13:19:11 +0100
parents	28885e8c891f
children

rev	line source
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	2 * Software engineering by Intevation GmbH
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	3 *
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	4 * This file is Free Software under the GNU GPL (v>=2)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	5 * and comes with ABSOLUTELY NO WARRANTY!
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	6 * See LICENSE.txt for details.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	7 */
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	8
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	9 #ifndef BINVERIFY_H
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	10 #define BINVERIFY_H
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	11 /* @file binverify.h
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	12 * @brief Verification of binary files
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	13 */
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	14 #include <stdbool.h>
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	15 #include <stddef.h>
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	16 #include <stdio.h>
1364 28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify Andre Heinecke <andre.heinecke@intevation.de> parents: 1255 diff changeset	17 #include <time.h>
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	18
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	19 #ifdef __cplusplus
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	20 extern "C" {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	21 #endif
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	22
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	23 /**
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	24 * @enum verify_result
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	25 * @brief Result of a verification
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	26 */
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	27 typedef enum {
1255 2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	28 /! Could be read and signature matched /
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	29 VerifyValid = 100,
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	30 /! The expected unexpected /
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	31 VerifyUnknownError = 1,
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	32 /! Signature was invalid /
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	33 VerifyInvalidSignature = 4,
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	34 /! Certificate mismatch /
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	35 VerifyInvalidCertificate = 5,
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	36 /! File exists but could not read the file /
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	37 VerifyReadFailed = 6,
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	38 } verify_result;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	39
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	40 /**
1255 2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	41 * @struct bin_verify_result
2a1aa9df8f11 (issue133) Improve API documentation Andre Heinecke <andre.heinecke@intevation.de> parents: 1081 diff changeset	42 * @brief A structure containing a verify_result and a reference to the
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	43 * verified file.
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	44 */
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	45 typedef struct {
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	46 /@{/
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	47 verify_result result; /*< the result of the verification /
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	48 FILE fptr; /*< Pointer to the open file struct of the verified file
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	49 The ptr is only valid if verify_result is VerifyValid
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	50 and needs to be closed by the caller in that case.*/
1364 28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify Andre Heinecke <andre.heinecke@intevation.de> parents: 1255 diff changeset	51 time_t sig_time; /** < Time of the signature. */
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	52 /@}/
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	53 } bin_verify_result;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	54
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	55 /**
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	56 * @brief verify a binary
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	57 *
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	58 * This function checks that a binary is signed by a built
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	59 * in certificate.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	60 *
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	61 * Caution: This function works on file names only which could
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	62 * be modified after this check.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	63 *
771 2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	64 * Windows verification is done using Windows crypto API based on
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	65 * embedded PKCS 7 "authenticode" signatures embedded into the
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	66 * file.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	67 *
904 f89b41fa7048 Fix whitespace errors Andre Heinecke <andre.heinecke@intevation.de> parents: 774 diff changeset	68 * On Linux the file is epxected to and with the pattern of
1053 78798d3af8f0 Fixed doxygen build warnings. Emanuel Schuetze <emanuel@intevation.de> parents: 904 diff changeset	69 * \\r\\nS: (0x0d0a533A) followed by a 3072 Bit Base64 encoded RSA
774 44fa5de02b52 (issue43) Finalize and verify binary verification for linux. Andre Heinecke <andre.heinecke@intevation.de> parents: 771 diff changeset	70 * signature.
771 2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	71 * The signature is verified against the built in codesigning key in
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	72 * the same certificate that is used for windows verification.
774 44fa5de02b52 (issue43) Finalize and verify binary verification for linux. Andre Heinecke <andre.heinecke@intevation.de> parents: 771 diff changeset	73 * If the pattern is not found the verification fails.
771 2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	74 *
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	75 * @param[in] filename absolute null terminated UTF-8 encoded path to the file.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	76 * @param[in] name_len length of the filename.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	77 *
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	78 * @returns the verification result.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	79 */
586 ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	80 bin_verify_result verify_binary(const char *filename, size_t name_len);
ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	81
1081 edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	82 /*@def Max size of a valid binary in byte /
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	83 #define MAX_VALID_BIN_SIZE (32 * 1024 * 1024)
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file Andre Heinecke <andre.heinecke@intevation.de> parents: 1053 diff changeset	84
586 ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	85 #ifdef WIN32
ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	86 /**
ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	87 * @brief windows implementation of verify_binary
ecfd77751daf Disambiguate enumerator values and add portable wrapper. Andre Heinecke <aheinecke@intevation.de> parents: 579 diff changeset	88 */
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	89 bin_verify_result verify_binary_win(const char *filename, size_t name_len);
771 2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	90 #else /* WIN32 */
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	91
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	92 /**
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	93 * @brief linux implementation of verify_binary
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	94 */
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	95 bin_verify_result verify_binary_linux(const char *filename, size_t name_len);
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux Andre Heinecke <andre.heinecke@intevation.de> parents: 629 diff changeset	96 #endif
579 f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	97
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	98 #ifdef __cplusplus
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	99 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	100 #endif
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	101
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows Andre Heinecke <aheinecke@intevation.de> parents: diff changeset	102 #endif /* BINVERIFY_H */

Mercurial > trustbridge

annotate common/binverify.h @ 1375:341f79090de2