annotate common/binverify.c @ 1397:5d19ba5b64b0 0.9.11
Added tag 0.9.10 for changeset 05c62ad0c74f
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Mon, 26 Jan 2015 14:28:21 +0100 |
parents | a2574a029322 |
children |
1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik |
2 * Software engineering by Intevation GmbH |
3 * |
4 * This file is Free Software under the GNU GPL (v>=2) |
5 * and comes with ABSOLUTELY NO WARRANTY! |
6 * See LICENSE.txt for details. |
7 */ |
8 |
9 #include "binverify.h" |
10 |
11 #include "strhelp.h" |
12 #include "logging.h" |
13 #include "listutil.h" |
14 #include "pubkey.h" |
15 |
/**
 * @brief Portable entry point for binary signature verification.
 *
 * Rejects a NULL or empty file name up front and otherwise forwards the
 * arguments unchanged to the backend selected at compile time:
 * verify_binary_win when WIN32 is defined, verify_binary_linux otherwise.
 *
 * @param[in] filename name of the file to verify
 * @param[in] name_len presumably the length of @a filename (confirm
 *                     against binverify.h); must not be zero
 *
 * @returns the backend's result. For invalid arguments the result carries
 *          VerifyUnknownError, no open file (fptr is NULL) and a
 *          signature time of 0, so a bad call is never reported as a
 *          successful verification.
 */
bin_verify_result
verify_binary(const char *filename, size_t name_len)
{
  if (filename == NULL || name_len == 0)
    {
      /* Nothing to verify: report an error result without touching
         either platform backend. */
      bin_verify_result invalid;
      invalid.sig_time = 0;
      invalid.result = VerifyUnknownError;
      invalid.fptr = NULL;
      return invalid;
    }

#ifdef WIN32
  return verify_binary_win(filename, name_len);
#else
  return verify_binary_linux(filename, name_len);
#endif
}
33 |
34 #ifdef WIN32 |
35 |
36 #include <polarssl/x509_crt.h> |
37 |
38 #include <windows.h> |
39 #include <wincrypt.h> |
40 #include <wintrust.h> |
41 #include <stdio.h> |
42 |
43 |
/** @brief Check if the certificate @a pCCertContext is pinned
 *
 * Parses the built-in code signing certificate (public_key_codesign_pem)
 * and compares its raw encoded data byte for byte with the encoded
 * certificate in @a pCCertContext. Only an exact match of the complete
 * certificate is accepted, so a different certificate issued for the
 * same key does not pass.
 *
 * This function only answers "is this the pinned certificate"; it does
 * no signature or chain validation itself, which is left to the caller.
 *
 * @param[in] pCCertContext pointer to the certificate to check
 *
 * @returns true if the certificate matches, false otherwise (including
 *          a NULL argument or a failure to parse the built-in
 *          certificate).
 */
static bool
check_certificate (PCCERT_CONTEXT pCCertContext)
{
  x509_crt pinned;
  bool matches = false;
  int rc = 0;
  DWORD idx = 0;

  if (!pCCertContext)
    {
      ERRORPRINTF ("Invalid call to check_certificate");
      return false;
    }

  x509_crt_init(&pinned);

  /* Load the certificate that is compiled into the binary. */
  rc = x509_crt_parse(&pinned,
                      public_key_codesign_pem,
                      public_key_codesign_pem_size);
  if (rc != 0)
    {
      ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n\n", -rc);
      goto done;
    }

  /* An empty pinned certificate must never match anything, and equal
     lengths are required before the byte comparison below may index
     both buffers with the same counter. */
  if (pinned.raw.len <= 0 ||
      pinned.raw.len != pCCertContext->cbCertEncoded)
    {
      ERRORPRINTF ("Certificate size mismatch");
      goto done;
    }

  /* Both buffers hold public certificate data, so stopping at the
     first differing byte leaks nothing secret. */
  while (idx < pCCertContext->cbCertEncoded)
    {
      if (pinned.raw.p[idx] != pCCertContext->pbCertEncoded[idx])
        {
          ERRORPRINTF ("Certificate content mismatch");
          goto done;
        }
      idx++;
    }

  matches = true;

done:
  /* Single exit so the parsed certificate is released on every path. */
  x509_crt_free(&pinned);
  return matches;
}
103 |
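/**
 * @brief Convert a Windows SYSTEMTIME into seconds since 1970-01-01.
 *
 * The value is converted to a FILETIME (100 ns ticks since 1601-01-01)
 * and rebased to the Unix epoch. No time zone conversion is applied:
 * the result is a UTC based time_t only if @a systemTime is in UTC.
 *
 * NOTE(review): get_signature_time in this file passes a SYSTEMTIME that
 * went through FileTimeToLocalFileTime, so the value it obtains is
 * shifted by the local UTC offset. Confirm which time base the consumers
 * of sig_time expect before comparing it with time() values.
 *
 * @param[in] systemTime the time to convert
 *
 * @returns the converted time, or (time_t) -1 if @a systemTime is NULL
 *          or cannot be converted (e.g. it holds an invalid date).
 */
time_t
systemtime_to_time_t (SYSTEMTIME *systemTime)
{
  /* FILETIME value of 1970-01-01 00:00:00, in 100 ns ticks. */
  const __int64 jan1970_ticks = 116444736000000000LL;
  const __int64 ticks_per_second = 10000000;
  FILETIME ft;
  ULARGE_INTEGER ticks;

  /* The conversion fails for out-of-range fields. Without this check the
     caller would receive a time computed from an unset FILETIME instead
     of an error. */
  if (systemTime == NULL || !SystemTimeToFileTime(systemTime, &ft))
    {
      return (time_t) -1;
    }

  /* Copy the two halves instead of casting between FILETIME and a
     64 bit integer type. */
  ticks.LowPart = ft.dwLowDateTime;
  ticks.HighPart = ft.dwHighDateTime;

  /* Signed arithmetic keeps dates before 1970 negative. */
  return (time_t) (((__int64) ticks.QuadPart - jan1970_ticks)
                   / ticks_per_second);
}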
118 |
119 |
120 time_t |
121 get_signature_time (HCRYPTMSG hMsg) |
122 { |
123 FILETIME lft, ft; |
124 SYSTEMTIME st; |
125 DWORD dwData = 0, |
126 n = 0, |
127 dwSignerInfo = 0; |
128 PCMSG_SIGNER_INFO pSignerInfo = NULL; |
129 |
130 time_t ret = -1; |
131 |
132 if (!hMsg) |
133 { |
134 return -1; |
135 } |
136 |
137 // Get signer information size. |
138 if (!CryptMsgGetParam(hMsg, |
139 CMSG_SIGNER_INFO_PARAM, |
140 0, |
141 NULL, |
142 &dwSignerInfo)) |
143 { |
144 ERRORPRINTF ("Failed to get signer info size."); |
145 return -1; |
146 } |
147 pSignerInfo = xmalloc (dwSignerInfo); |
148 |
149 if (!CryptMsgGetParam(hMsg, |
150 CMSG_SIGNER_INFO_PARAM, |
151 0, |
152 (PVOID)pSignerInfo, |
153 &dwSignerInfo)) |
154 { |
155 ERRORPRINTF ("Failed to get signer info."); |
156 goto done; |
157 } |
158 |
159 |
160 // Loop through authenticated attributes and find |
161 // szOID_RSA_signingTime OID. |
162 for (n = 0; n < pSignerInfo->AuthAttrs.cAttr; n++) |
163 { |
164 if (lstrcmpA(szOID_RSA_signingTime, |
165 pSignerInfo->AuthAttrs.rgAttr[n].pszObjId) == 0) |
166 { |
167 dwData = sizeof(ft); |
168 if (!CryptDecodeObject((X509_ASN_ENCODING | PKCS_7_ASN_ENCODING), |
169 szOID_RSA_signingTime, |
170 pSignerInfo->AuthAttrs.rgAttr[n].rgValue[0].pbData, |
171 pSignerInfo->AuthAttrs.rgAttr[n].rgValue[0].cbData, |
172 0, |
173 (PVOID)&ft, |
174 &dwData)) |
175 { |
176 PRINTLASTERROR ("Failed to decode time: "); |
177 break; |
178 } |
179 |
180 // Convert to local time. |
181 FileTimeToLocalFileTime(&ft, &lft); |
182 FileTimeToSystemTime(&lft, &st); |
183 |
184 ret = systemtime_to_time_t(&st); |
185 break; |
186 } |
187 } |
188 |
189 done: |
190 xfree(pSignerInfo); |
191 |
192 return ret; |
193 } |
194 |
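/**
 * Verify the embedded PKCS#7 signature of a file (Windows implementation).
 *
 * The file is read once into memory through read_file() and every check
 * runs on that buffer: the signed message is parsed with CryptQueryObject,
 * the signature of the signer at index 0 is checked with CryptMsgControl
 * and the signer certificate is then handed to check_certificate().
 *
 * @param filename  NUL terminated path of the file to check.
 * @param name_len  Length of filename; it must equal strlen(filename) and
 *                  must not exceed MAX_PATH.
 *
 * @return A bin_verify_result. result is VerifyValid only when both the
 *         signature check and check_certificate() succeed; in that case
 *         fptr is the still open handle obtained from read_file() and
 *         sig_time is the value returned by get_signature_time(). In every
 *         other case fptr is NULL, sig_time is 0 and a handle obtained
 *         from a successful read_file() is closed before returning.
 */
bin_verify_result
verify_binary_win(const char *filename, size_t name_len)
{
  bin_verify_result retval;
  BOOL result = FALSE;
  DWORD dwEncoding = 0,
        dwContentType = 0,
        dwFormatType = 0,
        dwSignerInfoSize = 0;
  HCERTSTORE hStore = NULL;
  HCRYPTMSG hMsg = NULL;
  PCERT_INFO pSignerCert = NULL;
  PCCERT_CONTEXT pSignerCertContext = NULL;
  FILE *fptr = NULL;
  size_t data_size = 0;
  char *data = NULL;
  int ret = -1;
  CRYPT_INTEGER_BLOB blob;

  /* Start from a fully defined failure value. sig_time used to be left
   * unset on every path except the successful one, so a caller that read
   * it after a failed verification got an indeterminate value. */
  retval.result = VerifyUnknownError;
  retval.fptr = NULL;
  retval.sig_time = 0;

  if (!filename || name_len > MAX_PATH || strlen(filename) != name_len)
    {
      ERRORPRINTF ("Invalid parameters\n");
      return retval;
    }

  ret = read_file(filename, &data, &data_size, MAX_VALID_BIN_SIZE, &fptr);

  if (ret != 0)
    {
      ERRORPRINTF ("Read file failed with error: %i\n", ret);
      retval.result = VerifyReadFailed;
      return retval;
    }

  /* NOTE(review): the cast assumes read_file() keeps data_size within
   * MAX_VALID_BIN_SIZE and that this limit fits a DWORD; confirm. */
  blob.cbData = (DWORD) data_size;
  blob.pbData = (PBYTE) data;

  /* Parse the in-memory copy, not the file on disk, so that the bytes
   * which are verified are the bytes that were read above. */
  result = CryptQueryObject (CERT_QUERY_OBJECT_BLOB,
                             &blob,
                             CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
                             CERT_QUERY_FORMAT_FLAG_BINARY,
                             0,
                             &dwEncoding,
                             &dwContentType,
                             &dwFormatType,
                             &hStore,
                             &hMsg,
                             NULL);

  if (!result || !hMsg)
    {
      PRINTLASTERROR ("Failed to query crypto object");
      retval.result = VerifyReadFailed;
      goto done;
    }

  /* Get the cert info so that we can look up the signer in the store later.
   * The first call only asks for the size. Only the signer at index 0 is
   * examined. */
  if (CryptMsgGetParam(hMsg,
                       CMSG_SIGNER_CERT_INFO_PARAM,
                       0,
                       NULL,
                       &dwSignerInfoSize) && dwSignerInfoSize > 0)
    {
      pSignerCert = xmalloc (dwSignerInfoSize);
    }
  else
    {
      ERRORPRINTF ("Failed to get signer cert size.");
      retval.result = VerifyUnknownError;
      goto done;
    }

  if (!(CryptMsgGetParam(hMsg,
                         CMSG_SIGNER_CERT_INFO_PARAM,
                         0,
                         pSignerCert,
                         &dwSignerInfoSize)))
    {
      ERRORPRINTF ("Failed to get signer cert.");
      retval.result = VerifyUnknownError;
      goto done;
    }

  /* hStore was filled by CryptQueryObject from the file itself, so finding
   * the certificate there says nothing about whether it is trusted. That
   * decision is left to check_certificate() below. */
  pSignerCertContext = CertGetSubjectCertificateFromStore(
                         hStore,
                         PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
                         pSignerCert);

  if (!pSignerCertContext)
    {
      ERRORPRINTF ("Failed to find signer cert in store.");
      retval.result = VerifyUnknownError;
      goto done;
    }

  /* Verify that the signature is actually valid */
  if(!CryptMsgControl(hMsg,
                      0,
                      CMSG_CTRL_VERIFY_SIGNATURE,
                      pSignerCertContext->pCertInfo))
    {
      ERRORPRINTF ("The signature is invalid. \n");
      retval.result = VerifyInvalidSignature;
      syslog_error_printf ("Software update embedded signature is invalid.");
      goto done;
    }

  /* A mathematically valid signature is not enough: the signer certificate
   * must also be accepted by check_certificate(). */
  if(check_certificate(pSignerCertContext))
    {
      DEBUGPRINTF ("Valid signature with pinned certificate.");
      retval.result = VerifyValid;
      /* Hand the open handle to the caller; presumably so that the verified
       * file can be used without opening it by name a second time. */
      retval.fptr = fptr;
      retval.sig_time = get_signature_time (hMsg);
      goto done;
    }
  else
    {
      ERRORPRINTF ("Certificate mismatch. \n");
      retval.result = VerifyInvalidCertificate;
      syslog_error_printf ("Software update embedded signature "
                           "created with wrong certificate.");
      goto done;
    }

done:
  xfree(data);
  xfree(pSignerCert);

  /* The handle is only kept open for a verified file. fclose(NULL) is
   * undefined, hence the additional check. */
  if (retval.result != VerifyValid && fptr)
    {
      fclose(fptr);
    }

  if(pSignerCertContext)
    {
      CertFreeCertificateContext(pSignerCertContext);
    }
  if (hStore)
    {
      CertCloseStore(hStore, 0);
    }
  if (hMsg)
    {
      CryptMsgClose(hMsg);
    }
  return retval;
}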
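#else /* WIN32 */

#ifndef __clang__
/* Save the diagnostic state first. Without a matching push the pop below
 * falls back to the command line options instead of the state that was
 * active before the PolarSSL headers were included. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wconversion"
#endif
/* Polarssl mh.h contains a conversion which gcc warns about */
#include <polarssl/pk.h>
#include <polarssl/base64.h>
#include <polarssl/sha256.h>
#include <polarssl/error.h>
#include <polarssl/x509_crt.h>
#ifndef __clang__
#pragma GCC diagnostic pop
#endif
#include <stdlib.h>

/* Marker that precedes the signature time: a DOS line break followed
 * by "S_DT:". */
#define SIG_DT_MARKER "\r\nS_DT:"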
363 |
364 /** This function is only intended to be used on well formatted input |
365 * after verification as it makes some hard assumptions about what |
366 * follows the SIG_DT_MARKER*/ |
367 time_t |
368 get_signature_time (char *data, size_t data_size) |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
369 { |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
370 char *p = NULL, |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
371 *end = NULL, |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
372 *buf = NULL; |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
373 long lSigTime = 0; |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
374 size_t len = 0; |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
375 |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
376 |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
377 /** Look for a DOS linebreak followed by an S_DT: */ |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
378 size_t marker_len = strlen(SIG_DT_MARKER); |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
379 for (p = data + data_size - 1; p > data; p--) |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
380 { |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
381 if (!memcmp(SIG_DT_MARKER, p, marker_len)) |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
382 break; |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
383 } |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
384 |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
385 if (!p || p == data) |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
386 { |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
387 ERRORPRINTF ("Failed to find signature timestamp.\n"); |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
388 return 0; |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
389 } |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
390 p = strchr (p, ':'); |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
391 end = strchr (p, '\r'); |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
392 if (!end) |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
393 { |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
394 return 0; |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
395 } |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
396 if (end - p <= 0) |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
397 { |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
398 // Should never happen but we check to ensure that |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
399 // the following cast is valid which makes a size_t |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
400 ERRORPRINTF ("Signature timestamp does not compute.\n"); |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
401 return 0; |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
402 } |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
403 len = (size_t) (end - p); |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
404 |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
405 buf = xstrndup (p + 1, len); |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
406 |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
407 lSigTime = strtol (buf, NULL, 10); |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
408 xfree (buf); |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
409 return (time_t) lSigTime; |
948f03bb5254
Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1364
diff
changeset
|
410 } |
411 |
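/** Verify the signature appended to a file against the pinned
 * codesign certificate.
 *
 * The checks below expect the file to end with "\r\nS:" followed by
 * sig_b64_size bytes of base64 encoded signature and one further byte.
 * The SHA-256 hash is calculated over everything in front of that
 * "\r\nS:" line and verified with the public key of the certificate in
 * public_key_codesign_pem.
 *
 * @param[in] filename  path of the file to verify.
 * @param[in] name_len  length of filename without the terminating NUL.
 *
 * @returns a bin_verify_result. Only if result is VerifyValid does it
 *          carry the still open file in fptr, which the caller then
 *          owns, and the signature time in sig_time. In every other
 *          case fptr is NULL and sig_time is 0.
 */
bin_verify_result
verify_binary_linux(const char *filename, size_t name_len)
{
  int ret = -1;
  const size_t sig_b64_size = TRUSTBRIDGE_RSA_CODESIGN_B64_SIZE;
  char *data = NULL,
       signature_b64[sig_b64_size + 1];
  size_t data_size = 0,
         signed_size = 0,
         sig_size = TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8;
  unsigned char signature[sig_size],
           hash[32];
  FILE *fptr = NULL;

  bin_verify_result retval;
  retval.result = VerifyUnknownError;
  retval.fptr = NULL;
  /* Initialize the time as well so that failure paths do not return an
     indeterminate value to the caller. */
  retval.sig_time = 0;
  x509_crt codesign_cert;

  if (!filename || name_len == 0 ||
      strnlen(filename, name_len + 1) != name_len)
    {
      ERRORPRINTF ("Invalid call to verify_binary_linux\n");
      retval.result = VerifyUnknownError;
      return retval;
    }

  ret = read_file(filename, &data, &data_size, MAX_VALID_BIN_SIZE, &fptr);

  if (ret != 0)
    {
      /* NOTE(review): this path returns without the cleanup at done.
         Whether read_file can leave data or fptr set when it fails is
         not visible here -- confirm against read_file. */
      ERRORPRINTF ("Read file failed with error: %i\n", ret);
      retval.result = VerifyReadFailed;
      return retval;
    }

  /* Fetch the signature from the end of data */
  if (data_size < sig_b64_size + 5)
    {
      ERRORPRINTF ("File to small to contain a signature.\n");
      retval.result = VerifyInvalidSignature;
      goto done;
    }

  /* Everything in front of the "\r\nS:" line is the signed content. */
  signed_size = data_size - sig_b64_size - 5;

  if (data[signed_size] != '\r' ||
      data[signed_size + 1] != '\n' ||
      data[signed_size + 2] != 'S' ||
      data[signed_size + 3] != ':')
    {
      ERRORPRINTF ("Failed to find valid signature line.\n");
      retval.result = VerifyInvalidSignature;
      goto done;
    }

  /* NOTE(review): the last byte of the file, data[data_size - 1], is
     neither part of the hashed range nor of the base64 block copied
     below, so its value is not validated by this function. */

  /* The signature is file content of known length, not a C string, so
     copy it by length. An invalid byte is left for base64_decode to
     reject. */
  memcpy(signature_b64, data + signed_size + 4, sig_b64_size);
  signature_b64[sig_b64_size] = '\0';

  ret = base64_decode(signature, &sig_size,
                      (unsigned char *)signature_b64, sig_b64_size);

  if (ret != 0 || sig_size != TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8)
    {
      ERRORPRINTF ("Base 64 decode failed with error: %i\n", ret);
      /* Stated explicitly: a signature that does not decode to the
         expected size is never reported as valid. */
      retval.result = VerifyUnknownError;
      goto done;
    }

  /* Hash is calculated over the data without the signature at the end. */
  sha256((unsigned char *)data, signed_size, hash, 0);

  x509_crt_init(&codesign_cert);

  /* Parse the pinned certificate */
  ret = x509_crt_parse(&codesign_cert,
                       public_key_codesign_pem,
                       public_key_codesign_pem_size);
  if (ret != 0)
    {
      char errbuf[1020];
      polarssl_strerror(ret, errbuf, sizeof errbuf);
      errbuf[sizeof errbuf - 1] = '\0'; /* Just to be sure */
      ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n%s\n",
                   (unsigned int) -ret, errbuf);
      x509_crt_free(&codesign_cert);
      retval.result = VerifyUnknownError;
      goto done;
    }

  ret = pk_verify(&codesign_cert.pk, POLARSSL_MD_SHA256, hash, 0,
                  signature, sig_size);

  if (ret != 0)
    {
      char errbuf[1020];
      polarssl_strerror(ret, errbuf, sizeof errbuf);
      errbuf[sizeof errbuf - 1] = '\0'; /* Just to be sure */
      ERRORPRINTF ("pk_verify failed with -0x%04x\n %s\n",
                   (unsigned int) -ret, errbuf);
      x509_crt_free(&codesign_cert);
      retval.result = VerifyInvalidSignature;
      goto done;
    }
  x509_crt_free(&codesign_cert);

  /* Hand the open file to the caller together with the result. */
  retval.result = VerifyValid;
  retval.fptr = fptr;

  /* Now that we know that the signature is valid we can trust the data
     content. The whole buffer is passed, including the signature line
     that follows the signed content. */
  retval.sig_time = get_signature_time (data, data_size);

done:
  /* The file stays open only for a valid result. */
  if (retval.result != VerifyValid)
    {
      if (fptr)
        {
          fclose(fptr);
        }
    }
  xfree (data);
  return retval;
}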
528 |
529 #endif /* WIN32 */ |