Mercurial > trustbridge
annotate common/binverify.c @ 1119:5349e2354c48
(issue54) Merge branch runafterinstall
There is now an NSIS Plugin that executes the Software after
installation using COM in the shell of the current user.
With the way over the shell there is no inheritance /
token management required. As it is impossible to
drop all privileges of a token granted by UAC and
still be able to reelevate the Token again with another
RunAs call later this round trip over the Shell was
necessary.
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Tue, 16 Sep 2014 19:48:22 +0200 |
| parents | edbf5e5e88f4 |
| children | 3cd8dd706aaa |
| rev | line source |
|---|---|
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
2 * Software engineering by Intevation GmbH |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
3 * |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
4 * This file is Free Software under the GNU GPL (v>=2) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
5 * and comes with ABSOLUTELY NO WARRANTY! |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
6 * See LICENSE.txt for details. |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
7 */ |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
8 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
9 #include "binverify.h" |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
10 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
11 #include "strhelp.h" |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
12 #include "logging.h" |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
13 #include "listutil.h" |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
14 #ifdef RELEASE_BUILD |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
15 #include "pubkey-release.h" |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
16 #else |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
17 #include "pubkey-test.h" |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
18 #endif |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
19 |
|
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
20 bin_verify_result |
|
905
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
21 verify_binary(const char *filename, size_t name_len) |
|
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
22 { |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
23 if (!filename || !name_len) { |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
24 bin_verify_result retval; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
25 retval.fptr = NULL; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
26 retval.result = VerifyUnknownError; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
27 return retval; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
28 } |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
29 |
|
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
30 #ifdef WIN32 |
|
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
31 return verify_binary_win(filename, name_len); |
|
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
32 #else |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
33 return verify_binary_linux(filename, name_len); |
|
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
34 #endif |
|
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
35 } |
|
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
36 |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
37 #ifdef WIN32 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
38 |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
39 #include <polarssl/x509_crt.h> |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
40 |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
41 #include <windows.h> |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
42 #include <wincrypt.h> |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
43 #include <wintrust.h> |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
44 #include <stdio.h> |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
45 |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
46 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
47 /** @brief Check if the certificate @a pCCertContext is pinned |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
48 * |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
49 * Compares the certificate's binary data (public key and attributes) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
50 * with each other to validate that the certificate pCCertContext has |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
51 * exactly the same data as the builtin public certificate. |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
52 * |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
53 * @param[in] pCCertContext pointer to the certificate to check |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
54 * |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
55 * @returns true if the certificate matches, false otherwise. |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
56 */ |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
57 static bool |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
58 check_certificate (PCCERT_CONTEXT pCCertContext) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
59 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
60 x509_crt codesign_cert; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
61 int ret = 0; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
62 DWORD dwI = 0; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
63 bool retval = false; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
64 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
65 if (pCCertContext == NULL) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
66 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
67 ERRORPRINTF ("Invalid call to check_certificate"); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
68 return false; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
69 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
70 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
71 x509_crt_init(&codesign_cert); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
72 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
73 /* Parse the pinned certificate */ |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
74 ret = x509_crt_parse(&codesign_cert, |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
75 public_key_codesign_pem, |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
76 public_key_codesign_pem_size); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
77 if (ret != 0) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
78 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
79 ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n\n", -ret); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
80 goto done; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
81 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
82 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
83 if (codesign_cert.raw.len != pCCertContext->cbCertEncoded || |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
84 codesign_cert.raw.len <= 0) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
85 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
86 ERRORPRINTF ("Certificate size mismatch"); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
87 goto done; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
88 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
89 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
90 /* Check that the certificate is exactly the same as the pinned one */ |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
91 for (dwI = 0; dwI < pCCertContext->cbCertEncoded; dwI++) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
92 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
93 if (pCCertContext->pbCertEncoded[dwI] != codesign_cert.raw.p[dwI]) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
94 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
95 ERRORPRINTF ("Certificate content mismatch"); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
96 goto done; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
97 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
98 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
99 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
100 retval = true; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
101 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
102 done: |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
103 x509_crt_free(&codesign_cert); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
104 return retval; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
105 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
106 |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
107 bin_verify_result |
|
905
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
108 verify_binary_win(const char *filename, size_t name_len) |
|
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
109 { |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
110 bin_verify_result retval; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
111 WCHAR *filenameW = NULL; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
112 BOOL result = FALSE; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
113 DWORD dwEncoding = 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
114 dwContentType = 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
115 dwFormatType = 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
116 dwSignerInfoSize = 0; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
117 HCERTSTORE hStore = NULL; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
118 HCRYPTMSG hMsg = NULL; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
119 PCERT_INFO pSignerCert = NULL; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
120 PCCERT_CONTEXT pSignerCertContext = NULL; |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
121 FILE *fptr = NULL; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
122 size_t data_size = 0; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
123 char *data = NULL; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
124 int ret = -1; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
125 CRYPT_INTEGER_BLOB blob; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
126 |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
127 retval.result = VerifyUnknownError; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
128 retval.fptr = NULL; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
129 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
130 if (!filename || name_len > MAX_PATH || strlen(filename) != name_len) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
131 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
132 ERRORPRINTF ("Invalid parameters\n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
133 return retval; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
134 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
135 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
136 ret = read_file(filename, &data, &data_size, MAX_VALID_BIN_SIZE, &fptr); |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
137 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
138 if (ret != 0) |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
139 { |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
140 ERRORPRINTF ("Read file failed with error: %i\n", ret); |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
141 retval.result = VerifyReadFailed; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
142 return retval; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
143 } |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
144 blob.cbData = (DWORD) data_size; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
145 blob.pbData = (PBYTE) data; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
146 |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
147 result = CryptQueryObject (CERT_QUERY_OBJECT_BLOB, |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
148 &blob, |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
149 CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
150 CERT_QUERY_FORMAT_FLAG_BINARY, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
151 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
152 &dwEncoding, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
153 &dwContentType, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
154 &dwFormatType, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
155 &hStore, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
156 &hMsg, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
157 NULL); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
158 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
159 if (!result || !hMsg) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
160 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
161 PRINTLASTERROR ("Failed to query crypto object"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
162 retval.result = VerifyReadFailed; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
163 goto done; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
164 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
165 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
166 /* Get the cert info so that we can look up the signer in the store later */ |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
167 if (CryptMsgGetParam(hMsg, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
168 CMSG_SIGNER_CERT_INFO_PARAM, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
169 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
170 NULL, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
171 &dwSignerInfoSize) && dwSignerInfoSize > 0) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
172 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
173 pSignerCert = xmalloc (dwSignerInfoSize); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
174 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
175 else |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
176 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
177 ERRORPRINTF ("Failed to get signer cert size."); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
178 retval.result = VerifyUnknownError; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
179 goto done; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
180 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
181 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
182 if (!(CryptMsgGetParam(hMsg, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
183 CMSG_SIGNER_CERT_INFO_PARAM, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
184 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
185 pSignerCert, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
186 &dwSignerInfoSize))) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
187 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
188 ERRORPRINTF ("Failed to get signer cert."); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
189 retval.result = VerifyUnknownError; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
190 goto done; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
191 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
192 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
193 pSignerCertContext = CertGetSubjectCertificateFromStore( |
|
905
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
194 hStore, |
|
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
195 PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, |
|
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
196 pSignerCert); |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
197 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
198 if (!pSignerCertContext) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
199 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
200 ERRORPRINTF ("Failed to find signer cert in store."); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
201 retval.result = VerifyUnknownError; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
202 goto done; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
203 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
204 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
205 /* Verify that the signature is actually valid */ |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
206 if(!CryptMsgControl(hMsg, |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
207 0, |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
208 CMSG_CTRL_VERIFY_SIGNATURE, |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
209 pSignerCertContext->pCertInfo)) |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
210 { |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
211 ERRORPRINTF ("The signature is invalid. \n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
212 retval.result = VerifyInvalidSignature; |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
213 syslog_error_printf ("Software update embedded signature is invalid."); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
214 goto done; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
215 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
216 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
217 if(check_certificate(pSignerCertContext)) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
218 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
219 DEBUGPRINTF ("Valid signature with pinned certificate."); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
220 retval.result = VerifyValid; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
221 retval.fptr = fptr; |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
222 goto done; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
223 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
224 else |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
225 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
226 ERRORPRINTF ("Certificate mismatch. \n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
227 retval.result = VerifyInvalidCertificate; |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
228 syslog_error_printf ("Software update embedded signature " |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
229 "created with wrong certificate."); |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
230 goto done; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
231 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
232 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
233 done: |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
234 xfree(data); |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
235 xfree(filenameW); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
236 xfree(pSignerCert); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
237 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
238 if (retval.result != VerifyValid) |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
239 { |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
240 fclose(fptr); |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
241 } |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
242 |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
243 if(pSignerCertContext) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
244 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
245 CertFreeCertificateContext(pSignerCertContext); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
246 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
247 if (hStore) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
248 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
249 CertCloseStore(hStore, 0); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
250 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
251 if (hMsg) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
252 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
253 CryptMsgClose(hMsg); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
254 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
255 return retval; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
256 } |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
257 #else /* WIN32 */ |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
258 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
259 #pragma GCC diagnostic ignored "-Wconversion" |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
260 /* Polarssl mh.h contains a conversion which gcc warns about */ |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
261 #include <polarssl/pk.h> |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
262 #include <polarssl/base64.h> |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
263 #include <polarssl/sha256.h> |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
264 #include <polarssl/error.h> |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
265 #include <polarssl/x509_crt.h> |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
266 #pragma GCC diagnostic pop |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
267 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
268 bin_verify_result |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
269 verify_binary_linux(const char *filename, size_t name_len) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
270 { |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
271 int ret = -1; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
272 const size_t sig_b64_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8 * 4 / 3; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
273 char *data = NULL, |
|
905
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
274 signature_b64[sig_b64_size + 1]; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
275 size_t data_size = 0, |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
276 sig_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
277 unsigned char signature[sig_size], |
|
905
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
278 hash[32]; |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
279 FILE *fptr = NULL; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
280 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
281 bin_verify_result retval; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
282 retval.result = VerifyUnknownError; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
283 retval.fptr = NULL; |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
284 x509_crt codesign_cert; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
285 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
286 if (strnlen(filename, name_len + 1) != name_len || name_len == 0) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
287 { |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
288 ERRORPRINTF ("Invalid call to verify_binary_linux\n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
289 retval.result = VerifyUnknownError; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
290 return retval; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
291 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
292 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
293 ret = read_file(filename, &data, &data_size, MAX_VALID_BIN_SIZE, &fptr); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
294 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
295 if (ret != 0) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
296 { |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
297 ERRORPRINTF ("Read file failed with error: %i\n", ret); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
298 retval.result = VerifyReadFailed; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
299 return retval; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
300 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
301 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
302 /* Fetch the signature from the end of data */ |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
303 if (data_size < sig_b64_size + 5) |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
304 { |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
305 ERRORPRINTF ("File to small to contain a signature.\n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
306 retval.result = VerifyInvalidSignature; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
307 goto done; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
308 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
309 |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
310 if (data[data_size - sig_b64_size - 2] != ':' || |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
311 data[data_size - sig_b64_size - 3] != 'S' || |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
312 data[data_size - sig_b64_size - 4] != '\n'|| |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
313 data[data_size - sig_b64_size - 5] != '\r') |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
314 { |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
315 ERRORPRINTF ("Failed to find valid signature line.\n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
316 retval.result = VerifyInvalidSignature; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
317 goto done; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
318 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
319 |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
320 strncpy(signature_b64, data + (data_size - sig_b64_size - 1), sig_b64_size); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
321 signature_b64[sig_b64_size] = '\0'; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
322 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
323 ret = base64_decode(signature, &sig_size, |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
324 (unsigned char *)signature_b64, sig_b64_size); |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
325 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
326 if (ret != 0 || sig_size != TRUSTBRIDGE_RSA_KEY_SIZE / 8) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
327 { |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
328 ERRORPRINTF ("Base 64 decode failed with error: %i\n", ret); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
329 goto done; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
330 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
331 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
332 /* Hash is calculated over the data without the signature at the end. */ |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
333 sha256((unsigned char *)data, data_size - sig_b64_size - 5, hash, 0); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
334 |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
335 x509_crt_init(&codesign_cert); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
336 |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
337 /* Parse the pinned certificate */ |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
338 ret = x509_crt_parse(&codesign_cert, |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
339 public_key_codesign_pem, |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
340 public_key_codesign_pem_size); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
341 if (ret != 0) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
342 { |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
343 char errbuf[1020]; |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
344 polarssl_strerror(ret, errbuf, 1020); |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
345 errbuf[1019] = '\0'; /* Just to be sure */ |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
346 ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n%s\n", -ret, errbuf); |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
347 x509_crt_free(&codesign_cert); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
348 retval.result = VerifyUnknownError; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
349 goto done; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
350 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
351 |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
352 ret = pk_verify(&codesign_cert.pk, POLARSSL_MD_SHA256, hash, 0, |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
353 signature, sig_size); |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
354 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
355 if (ret != 0) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
356 { |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
357 char errbuf[1020]; |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
358 polarssl_strerror(ret, errbuf, 1020); |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
359 errbuf[1019] = '\0'; /* Just to be sure */ |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
360 ERRORPRINTF ("pk_verify failed with -0x%04x\n %s\n", -ret, errbuf); |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
361 x509_crt_free(&codesign_cert); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
362 retval.result = VerifyInvalidSignature; |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
363 goto done; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
364 } |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
365 x509_crt_free(&codesign_cert); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
366 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
367 retval.result = VerifyValid; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
368 retval.fptr = fptr; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
369 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
370 done: |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
371 if (retval.result != VerifyValid) |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
372 { |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
373 if (fptr) |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
374 { |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
375 fclose(fptr); |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
376 } |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
377 } |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
378 xfree (data); |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
379 return retval; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
380 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
381 |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
382 #endif /* WIN32 */ |