Mercurial > trustbridge
annotate common/binverify.h @ 1289:34c92dbfee7e
(issue44) Do not ask the user to confirm start on update
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Mon, 29 Sep 2014 13:34:19 +0200 |
parents | 2a1aa9df8f11 |
children | 28885e8c891f |
rev | line source |
---|---|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
2 * Software engineering by Intevation GmbH |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
3 * |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
4 * This file is Free Software under the GNU GPL (v>=2) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
5 * and comes with ABSOLUTELY NO WARRANTY! |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
6 * See LICENSE.txt for details. |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
7 */ |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
8 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
9 #ifndef BINVERIFY_H |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
10 #define BINVERIFY_H |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
11 /* @file binverify.h |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
12 * @brief Verification of binary files |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
13 */ |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
14 #include <stdbool.h> |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
15 #include <stddef.h> |
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
16 #include <stdio.h> |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
17 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
18 #ifdef __cplusplus |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
19 extern "C" { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
20 #endif |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
21 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
22 /** |
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
23 * @enum verify_result |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
24 * @brief Result of a verification |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
25 */ |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
26 typedef enum { |
1255
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
27 /*! Could be read and signature matched */ |
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
28 VerifyValid = 100, |
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
29 /*! The expected unexpected */ |
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
30 VerifyUnknownError = 1, |
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
31 /*! Signature was invalid */ |
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
32 VerifyInvalidSignature = 4, |
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
33 /*! Certificate mismatch */ |
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
34 VerifyInvalidCertificate = 5, |
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
35 /*! File exists but could not read the file */ |
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
36 VerifyReadFailed = 6, |
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
37 } verify_result; |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
38 |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
39 /** |
1255
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
40 * @struct bin_verify_result |
2a1aa9df8f11
(issue133) Improve API documentation
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
41 * @brief A structure containing a verify_result and a reference to the |
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
42 * verified file. |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
43 */ |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
44 typedef struct { |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
45 /*@{*/ |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
46 verify_result result; /**< the result of the verification */ |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
47 FILE *fptr; /**< Pointer to the open file struct of the verified file |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
48 The ptr is only valid if verify_result is VerifyValid |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
49 and needs to be closed by the caller in that case.*/ |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
50 /*@}*/ |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
51 } bin_verify_result; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
52 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
53 /** |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
54 * @brief verify a binary |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
55 * |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
56 * This function checks that a binary is signed by a built |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
57 * in certificate. |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
58 * |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
59 * Caution: This function works on file names only which could |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
60 * be modified after this check. |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
61 * |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
62 * Windows verification is done using Windows crypto API based on |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
63 * embedded PKCS 7 "authenticode" signatures embedded into the |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
64 * file. |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
65 * |
904
f89b41fa7048
Fix whitespace errors
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
66 * On Linux the file is epxected to and with the pattern of |
1053
78798d3af8f0
Fixed doxygen build warnings.
Emanuel Schuetze <emanuel@intevation.de>
parents:
904
diff
changeset
|
67 * \\r\\nS: (0x0d0a533A) followed by a 3072 Bit Base64 encoded RSA |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
68 * signature. |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
69 * The signature is verified against the built in codesigning key in |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
70 * the same certificate that is used for windows verification. |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
71 * If the pattern is not found the verification fails. |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
72 * |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
73 * @param[in] filename absolute null terminated UTF-8 encoded path to the file. |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
74 * @param[in] name_len length of the filename. |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
75 * |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
76 * @returns the verification result. |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
77 */ |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
78 bin_verify_result verify_binary(const char *filename, size_t name_len); |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
79 |
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
80 /**@def Max size of a valid binary in byte */ |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
81 #define MAX_VALID_BIN_SIZE (32 * 1024 * 1024) |
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1053
diff
changeset
|
82 |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
83 #ifdef WIN32 |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
84 /** |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
85 * @brief windows implementation of verify_binary |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
86 */ |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
87 bin_verify_result verify_binary_win(const char *filename, size_t name_len); |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
88 #else /* WIN32 */ |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
89 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
90 /** |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
91 * @brief linux implementation of verify_binary |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
92 */ |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
93 bin_verify_result verify_binary_linux(const char *filename, size_t name_len); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
94 #endif |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
95 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
96 #ifdef __cplusplus |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
97 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
98 #endif |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
99 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
100 #endif /* BINVERIFY_H */ |