annotate common/binverify.c @ 726:3777482dc306

Merged
author Sascha Wilde <wilde@intevation.de>
date Wed, 02 Jul 2014 19:32:16 +0200
parents be30d50bc4f0
children 2798f1869eee
rev   line source
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
2 * Software engineering by Intevation GmbH
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
3 *
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
4 * This file is Free Software under the GNU GPL (v>=2)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
5 * and comes with ABSOLUTELY NO WARRANTY!
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
6 * See LICENSE.txt for details.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
7 */
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
8
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
9 #include "binverify.h"
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
10
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
11 #include "strhelp.h"
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
12 #include "logging.h"
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
13
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
14 #ifdef RELEASE_BUILD
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
15 #include "pubkey-release.h"
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
16 #else
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
17 #include "pubkey-test.h"
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
18 #endif
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
19
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
20 bin_verify_result
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
21 verify_binary(const char *filename, size_t name_len) {
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
22 #ifdef WIN32
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
23 return verify_binary_win(filename, name_len);
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
24 #else
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
25 /* TODO */
590
c93730ef2a3a Fix Linux build (unused variables)
Andre Heinecke <aheinecke@intevation.de>
parents: 586
diff changeset
26 if (filename && name_len)
c93730ef2a3a Fix Linux build (unused variables)
Andre Heinecke <aheinecke@intevation.de>
parents: 586
diff changeset
27 return VerifyValid;
c93730ef2a3a Fix Linux build (unused variables)
Andre Heinecke <aheinecke@intevation.de>
parents: 586
diff changeset
28 return VerifyUnknownError;
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
29 #endif
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
30 }
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
31
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
32 #ifdef WIN32
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
33
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
34 #include <polarssl/x509_crt.h>
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
35
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
36 #include <windows.h>
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
37 #include <wincrypt.h>
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
38 #include <wintrust.h>
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
39 #include <stdio.h>
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
40
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
41
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
42 /** @brief Check if the certificate @a pCCertContext is pinned
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
43 *
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
44 * Compares the certificate's binary data (public key and attributes)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
45 * with each other to validate that the certificate pCCertContext has
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
46 * exactly the same data as the builtin public certificate.
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
47 *
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
48 * @param[in] pCCertContext pointer to the certificate to check
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
49 *
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
50 * @returns true if the certificate matches, false otherwise.
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
51 */
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
52 static bool
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
53 check_certificate (PCCERT_CONTEXT pCCertContext)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
54 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
55 x509_crt codesign_cert;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
56 int ret = 0;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
57 DWORD dwI = 0;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
58 bool retval = false;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
59
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
60 if (pCCertContext == NULL)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
61 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
62 ERRORPRINTF ("Invalid call to check_certificate");
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
63 return false;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
64 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
65
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
66 x509_crt_init(&codesign_cert);
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
67
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
68 /* Parse the pinned certificate */
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
69 ret = x509_crt_parse(&codesign_cert,
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
70 public_key_codesign_pem,
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
71 public_key_codesign_pem_size);
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
72 if (ret != 0)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
73 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
74 ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n\n", -ret);
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
75 goto done;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
76 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
77
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
78 if (codesign_cert.raw.len != pCCertContext->cbCertEncoded ||
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
79 codesign_cert.raw.len <= 0)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
80 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
81 ERRORPRINTF ("Certificate size mismatch");
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
82 goto done;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
83 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
84
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
85 /* Check that the certificate is exactly the same as the pinned one */
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
86 for (dwI = 0; dwI < pCCertContext->cbCertEncoded; dwI++)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
87 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
88 if (pCCertContext->pbCertEncoded[dwI] != codesign_cert.raw.p[dwI])
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
89 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
90 ERRORPRINTF ("Certificate content mismatch");
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
91 goto done;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
92 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
93 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
94
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
95 retval = true;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
96
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
97 done:
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
98 x509_crt_free(&codesign_cert);
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
99 return retval;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
100 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
101
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
102 bin_verify_result
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
103 verify_binary_win(const char *filename, size_t name_len) {
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
104 bin_verify_result retval = VerifyUnknownError;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
105 WCHAR *filenameW = NULL;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
106 BOOL result = FALSE;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
107 DWORD dwEncoding = 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
108 dwContentType = 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
109 dwFormatType = 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
110 dwSignerInfoSize = 0;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
111 HCERTSTORE hStore = NULL;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
112 HCRYPTMSG hMsg = NULL;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
113 PCERT_INFO pSignerCert = NULL;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
114 PCCERT_CONTEXT pSignerCertContext = NULL;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
115
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
116 if (!filename || name_len > MAX_PATH || strlen(filename) != name_len)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
117 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
118 ERRORPRINTF ("Invalid parameters\n");
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
119 return VerifyUnknownError;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
120 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
121
591
26a18e3c3db4 Cleanups and coding style.
Andre Heinecke <aheinecke@intevation.de>
parents: 590
diff changeset
122 filenameW = utf8_to_wchar(filename, name_len);
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
123
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
124 result = CryptQueryObject (CERT_QUERY_OBJECT_FILE,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
125 filenameW,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
126 CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
127 CERT_QUERY_FORMAT_FLAG_BINARY,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
128 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
129 &dwEncoding,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
130 &dwContentType,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
131 &dwFormatType,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
132 &hStore,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
133 &hMsg,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
134 NULL);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
135
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
136 if (!result || !hMsg)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
137 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
138 PRINTLASTERROR ("Failed to query crypto object");
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
139 retval = VerifyReadFailed;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
140 goto done;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
141 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
142
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
143 /* Get the cert info so that we can look up the signer in the store later */
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
144 if (CryptMsgGetParam(hMsg,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
145 CMSG_SIGNER_CERT_INFO_PARAM,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
146 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
147 NULL,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
148 &dwSignerInfoSize) && dwSignerInfoSize > 0)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
149 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
150 pSignerCert = xmalloc (dwSignerInfoSize);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
151 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
152 else
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
153 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
154 ERRORPRINTF ("Failed to get signer cert size.");
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
155 retval = VerifyUnknownError;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
156 goto done;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
157 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
158
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
159 if (!(CryptMsgGetParam(hMsg,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
160 CMSG_SIGNER_CERT_INFO_PARAM,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
161 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
162 pSignerCert,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
163 &dwSignerInfoSize)))
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
164 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
165 ERRORPRINTF ("Failed to get signer cert.");
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
166 retval = VerifyUnknownError;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
167 goto done;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
168 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
169
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
170 pSignerCertContext = CertGetSubjectCertificateFromStore(
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
171 hStore,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
172 PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
173 pSignerCert);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
174
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
175 if (!pSignerCertContext)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
176 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
177 ERRORPRINTF ("Failed to find signer cert in store.");
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
178 retval = VerifyUnknownError;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
179 goto done;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
180 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
181
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
182 /* Verify that the signature is actually valid */
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
183 if(!CryptMsgControl(hMsg,
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
184 0,
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
185 CMSG_CTRL_VERIFY_SIGNATURE,
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
186 pSignerCertContext->pCertInfo))
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
187 {
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
188 ERRORPRINTF ("The signature is invalid. \n");
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
189 retval = VerifyInvalidSignature;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
190 syslog_error_printf ("Software update embedded signature is invalid.");
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
191 goto done;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
192 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
193
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
194 if(check_certificate(pSignerCertContext))
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
195 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
196 DEBUGPRINTF ("Valid signature with pinned certificate.");
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
197 retval = VerifyValid;
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
198 goto done;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
199 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
200 else
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
201 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
202 ERRORPRINTF ("Certificate mismatch. \n");
637
be30d50bc4f0 Add remaining tests to check binverify functionality
Andre Heinecke <andre.heinecke@intevation.de>
parents: 629
diff changeset
203 retval = VerifyInvalidCertificate;
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
204 syslog_error_printf ("Software update embedded signature "
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
205 "created with wrong certificate.");
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
206 goto done;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
207 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
208
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
209 done:
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
210 xfree(filenameW);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
211 xfree(pSignerCert);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
212
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
213 if(pSignerCertContext)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
214 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
215 CertFreeCertificateContext(pSignerCertContext);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
216 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
217 if (hStore)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
218 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
219 CertCloseStore(hStore, 0);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
220 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
221 if (hMsg)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
222 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
223 CryptMsgClose(hMsg);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
224 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
225 return retval;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
226 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
227 #endif /* WIN32 */

http://wald.intevation.org/projects/trustbridge/