annotate common/binverify.c @ 1397:5d19ba5b64b0 0.9.11

Added tag 0.9.10 for changeset 05c62ad0c74f
author Andre Heinecke <andre.heinecke@intevation.de>
date Mon, 26 Jan 2015 14:28:21 +0100
parents a2574a029322
children
rev   line source
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
2 * Software engineering by Intevation GmbH
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
3 *
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
4 * This file is Free Software under the GNU GPL (v>=2)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
5 * and comes with ABSOLUTELY NO WARRANTY!
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
6 * See LICENSE.txt for details.
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
7 */
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
8
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
9 #include "binverify.h"
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
10
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
11 #include "strhelp.h"
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
12 #include "logging.h"
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
13 #include "listutil.h"
1390
f3e2df6b49ba (issue181) Fix hardcoded values for RSA codesigning key size.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1387
diff changeset
14 #include "pubkey.h"
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
15
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
16 bin_verify_result
905
698b6a9bd75e Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents: 774
diff changeset
17 verify_binary(const char *filename, size_t name_len)
698b6a9bd75e Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents: 774
diff changeset
18 {
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
19 if (!filename || !name_len) {
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
20 bin_verify_result retval;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
21 retval.fptr = NULL;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
22 retval.result = VerifyUnknownError;
1364
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
23 retval.sig_time = 0;
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
24 return retval;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
25 }
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
26
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
27 #ifdef WIN32
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
28 return verify_binary_win(filename, name_len);
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
29 #else
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
30 return verify_binary_linux(filename, name_len);
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
31 #endif
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
32 }
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
33
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
34 #ifdef WIN32
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
35
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
36 #include <polarssl/x509_crt.h>
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
37
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
38 #include <windows.h>
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
39 #include <wincrypt.h>
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
40 #include <wintrust.h>
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
41 #include <stdio.h>
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
42
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
43
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
44 /** @brief Check if the certificate @a pCCertContext is pinned
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
45 *
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
46 * Compares the certificate's binary data (public key and attributes)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
47 * with each other to validate that the certificate pCCertContext has
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
48 * exactly the same data as the builtin public certificate.
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
49 *
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
50 * @param[in] pCCertContext pointer to the certificate to check
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
51 *
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
52 * @returns true if the certificate matches, false otherwise.
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
53 */
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
54 static bool
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
55 check_certificate (PCCERT_CONTEXT pCCertContext)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
56 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
57 x509_crt codesign_cert;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
58 int ret = 0;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
59 DWORD dwI = 0;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
60 bool retval = false;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
61
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
62 if (pCCertContext == NULL)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
63 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
64 ERRORPRINTF ("Invalid call to check_certificate");
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
65 return false;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
66 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
67
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
68 x509_crt_init(&codesign_cert);
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
69
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
70 /* Parse the pinned certificate */
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
71 ret = x509_crt_parse(&codesign_cert,
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
72 public_key_codesign_pem,
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
73 public_key_codesign_pem_size);
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
74 if (ret != 0)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
75 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
76 ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n\n", -ret);
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
77 goto done;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
78 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
79
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
80 if (codesign_cert.raw.len != pCCertContext->cbCertEncoded ||
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
81 codesign_cert.raw.len <= 0)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
82 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
83 ERRORPRINTF ("Certificate size mismatch");
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
84 goto done;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
85 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
86
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
87 /* Check that the certificate is exactly the same as the pinned one */
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
88 for (dwI = 0; dwI < pCCertContext->cbCertEncoded; dwI++)
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
89 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
90 if (pCCertContext->pbCertEncoded[dwI] != codesign_cert.raw.p[dwI])
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
91 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
92 ERRORPRINTF ("Certificate content mismatch");
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
93 goto done;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
94 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
95 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
96
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
97 retval = true;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
98
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
99 done:
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
100 x509_crt_free(&codesign_cert);
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
101 return retval;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
102 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
103
1364
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
104 time_t
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
105 systemtime_to_time_t (SYSTEMTIME *systemTime)
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
106
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
107 {
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
108 LARGE_INTEGER jan1970FT = {{0}};
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
109 jan1970FT.QuadPart = 116444736000000000LL; // january 1st 1970 well known value
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
110 LARGE_INTEGER utcFT = {{0}};
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
111
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
112 SystemTimeToFileTime(systemTime, (FILETIME*)&utcFT);
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
113
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
114 __int64 utcDosTime = (utcFT.QuadPart - jan1970FT.QuadPart)/10000000;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
115
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
116 return (time_t)utcDosTime;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
117 }
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
118
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
119
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
120 time_t
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
121 get_signature_time (HCRYPTMSG hMsg)
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
122 {
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
123 FILETIME lft, ft;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
124 SYSTEMTIME st;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
125 DWORD dwData = 0,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
126 n = 0,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
127 dwSignerInfo = 0;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
128 PCMSG_SIGNER_INFO pSignerInfo = NULL;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
129
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
130 time_t ret = -1;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
131
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
132 if (!hMsg)
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
133 {
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
134 return -1;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
135 }
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
136
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
137 // Get signer information size.
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
138 if (!CryptMsgGetParam(hMsg,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
139 CMSG_SIGNER_INFO_PARAM,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
140 0,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
141 NULL,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
142 &dwSignerInfo))
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
143 {
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
144 ERRORPRINTF ("Failed to get signer info size.");
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
145 return -1;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
146 }
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
147 pSignerInfo = xmalloc (dwSignerInfo);
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
148
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
149 if (!CryptMsgGetParam(hMsg,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
150 CMSG_SIGNER_INFO_PARAM,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
151 0,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
152 (PVOID)pSignerInfo,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
153 &dwSignerInfo))
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
154 {
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
155 ERRORPRINTF ("Failed to get signer info.");
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
156 goto done;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
157 }
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
158
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
159
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
160 // Loop through authenticated attributes and find
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
161 // szOID_RSA_signingTime OID.
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
162 for (n = 0; n < pSignerInfo->AuthAttrs.cAttr; n++)
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
163 {
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
164 if (lstrcmpA(szOID_RSA_signingTime,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
165 pSignerInfo->AuthAttrs.rgAttr[n].pszObjId) == 0)
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
166 {
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
167 dwData = sizeof(ft);
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
168 if (!CryptDecodeObject((X509_ASN_ENCODING | PKCS_7_ASN_ENCODING),
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
169 szOID_RSA_signingTime,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
170 pSignerInfo->AuthAttrs.rgAttr[n].rgValue[0].pbData,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
171 pSignerInfo->AuthAttrs.rgAttr[n].rgValue[0].cbData,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
172 0,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
173 (PVOID)&ft,
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
174 &dwData))
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
175 {
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
176 PRINTLASTERROR ("Failed to decode time: ");
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
177 break;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
178 }
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
179
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
180 // Convert to local time.
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
181 FileTimeToLocalFileTime(&ft, &lft);
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
182 FileTimeToSystemTime(&lft, &st);
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
183
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
184 ret = systemtime_to_time_t(&st);
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
185 break;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
186 }
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
187 }
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
188
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
189 done:
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
190 xfree(pSignerInfo);
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
191
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
192 return ret;
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
193 }
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
194
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
195 bin_verify_result
905
698b6a9bd75e Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents: 774
diff changeset
196 verify_binary_win(const char *filename, size_t name_len)
698b6a9bd75e Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents: 774
diff changeset
197 {
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
198 bin_verify_result retval;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
199 WCHAR *filenameW = NULL;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
200 BOOL result = FALSE;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
201 DWORD dwEncoding = 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
202 dwContentType = 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
203 dwFormatType = 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
204 dwSignerInfoSize = 0;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
205 HCERTSTORE hStore = NULL;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
206 HCRYPTMSG hMsg = NULL;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
207 PCERT_INFO pSignerCert = NULL;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
208 PCCERT_CONTEXT pSignerCertContext = NULL;
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
209 FILE *fptr = NULL;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
210 size_t data_size = 0;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
211 char *data = NULL;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
212 int ret = -1;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
213 CRYPT_INTEGER_BLOB blob;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
214
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
215 retval.result = VerifyUnknownError;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
216 retval.fptr = NULL;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
217
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
218 if (!filename || name_len > MAX_PATH || strlen(filename) != name_len)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
219 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
220 ERRORPRINTF ("Invalid parameters\n");
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
221 return retval;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
222 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
223
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
224 ret = read_file(filename, &data, &data_size, MAX_VALID_BIN_SIZE, &fptr);
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
225
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
226 if (ret != 0)
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
227 {
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
228 ERRORPRINTF ("Read file failed with error: %i\n", ret);
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
229 retval.result = VerifyReadFailed;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
230 return retval;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
231 }
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
232 blob.cbData = (DWORD) data_size;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
233 blob.pbData = (PBYTE) data;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
234
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
235 result = CryptQueryObject (CERT_QUERY_OBJECT_BLOB,
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
236 &blob,
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
237 CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
238 CERT_QUERY_FORMAT_FLAG_BINARY,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
239 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
240 &dwEncoding,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
241 &dwContentType,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
242 &dwFormatType,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
243 &hStore,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
244 &hMsg,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
245 NULL);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
246
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
247 if (!result || !hMsg)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
248 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
249 PRINTLASTERROR ("Failed to query crypto object");
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
250 retval.result = VerifyReadFailed;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
251 goto done;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
252 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
253
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
254 /* Get the cert info so that we can look up the signer in the store later */
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
255 if (CryptMsgGetParam(hMsg,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
256 CMSG_SIGNER_CERT_INFO_PARAM,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
257 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
258 NULL,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
259 &dwSignerInfoSize) && dwSignerInfoSize > 0)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
260 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
261 pSignerCert = xmalloc (dwSignerInfoSize);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
262 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
263 else
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
264 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
265 ERRORPRINTF ("Failed to get signer cert size.");
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
266 retval.result = VerifyUnknownError;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
267 goto done;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
268 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
269
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
270 if (!(CryptMsgGetParam(hMsg,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
271 CMSG_SIGNER_CERT_INFO_PARAM,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
272 0,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
273 pSignerCert,
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
274 &dwSignerInfoSize)))
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
275 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
276 ERRORPRINTF ("Failed to get signer cert.");
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
277 retval.result = VerifyUnknownError;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
278 goto done;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
279 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
280
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
281 pSignerCertContext = CertGetSubjectCertificateFromStore(
905
698b6a9bd75e Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents: 774
diff changeset
282 hStore,
698b6a9bd75e Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents: 774
diff changeset
283 PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
698b6a9bd75e Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents: 774
diff changeset
284 pSignerCert);
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
285
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
286 if (!pSignerCertContext)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
287 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
288 ERRORPRINTF ("Failed to find signer cert in store.");
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
289 retval.result = VerifyUnknownError;
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
290 goto done;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
291 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
292
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
293 /* Verify that the signature is actually valid */
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
294 if(!CryptMsgControl(hMsg,
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
295 0,
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
296 CMSG_CTRL_VERIFY_SIGNATURE,
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
297 pSignerCertContext->pCertInfo))
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
298 {
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
299 ERRORPRINTF ("The signature is invalid. \n");
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
300 retval.result = VerifyInvalidSignature;
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
301 syslog_error_printf ("Software update embedded signature is invalid.");
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
302 goto done;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
303 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
304
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
305 if(check_certificate(pSignerCertContext))
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
306 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
307 DEBUGPRINTF ("Valid signature with pinned certificate.");
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
308 retval.result = VerifyValid;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
309 retval.fptr = fptr;
1364
28885e8c891f (issue177) Read signature time from PKCS#7 object in selftest and binverify
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1264
diff changeset
310 retval.sig_time = get_signature_time (hMsg);
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
311 goto done;
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
312 }
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
313 else
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
314 {
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
315 ERRORPRINTF ("Certificate mismatch. \n");
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
316 retval.result = VerifyInvalidCertificate;
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
317 syslog_error_printf ("Software update embedded signature "
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 591
diff changeset
318 "created with wrong certificate.");
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
319 goto done;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
320 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
321
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
322 done:
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
323 xfree(data);
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
324 xfree(filenameW);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
325 xfree(pSignerCert);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
326
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
327 if (retval.result != VerifyValid)
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
328 {
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
329 fclose(fptr);
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
330 }
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
331
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
332 if(pSignerCertContext)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
333 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
334 CertFreeCertificateContext(pSignerCertContext);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
335 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
336 if (hStore)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
337 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
338 CertCloseStore(hStore, 0);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
339 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
340 if (hMsg)
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
341 {
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
342 CryptMsgClose(hMsg);
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
343 }
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
344 return retval;
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
345 }
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
346 #else /* WIN32 */
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
347
1264
3cd8dd706aaa Add possibility to build with CLANG and document it.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1081
diff changeset
348 #ifndef __clang__
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
349 #pragma GCC diagnostic ignored "-Wconversion"
1264
3cd8dd706aaa Add possibility to build with CLANG and document it.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1081
diff changeset
350 #endif
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
351 /* Polarssl mh.h contains a conversion which gcc warns about */
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
352 #include <polarssl/pk.h>
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
353 #include <polarssl/base64.h>
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
354 #include <polarssl/sha256.h>
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
355 #include <polarssl/error.h>
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
356 #include <polarssl/x509_crt.h>
1264
3cd8dd706aaa Add possibility to build with CLANG and document it.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1081
diff changeset
357 #ifndef __clang__
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
358 #pragma GCC diagnostic pop
1264
3cd8dd706aaa Add possibility to build with CLANG and document it.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1081
diff changeset
359 #endif
1369
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
360 #include <stdlib.h>
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
361
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
362 #define SIG_DT_MARKER "\r\nS_DT:"
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
363
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
364 /** This function is only intended to be used on well formatted input
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
365 * after verifification as it makes some hard assumptions what
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
366 * follows the SIG_DT_MARKER*/
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
367 time_t
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
368 get_signature_time (char *data, size_t data_size)
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
369 {
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
370 char *p = NULL,
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
371 *end = NULL,
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
372 *buf = NULL;
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
373 long lSigTime = 0;
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
374 size_t len = 0;
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
375
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
376
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
377 /** Look for a DOS linebreak followed by an S_DT: */
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
378 size_t marker_len = strlen(SIG_DT_MARKER);
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
379 for (p = data + data_size - 1; p > data; p--)
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
380 {
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
381 if (!memcmp(SIG_DT_MARKER, p, marker_len))
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
382 break;
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
383 }
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
384
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
385 if (!p || p == data)
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
386 {
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
387 ERRORPRINTF ("Failed to find signature timestamp.\n");
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
388 return 0;
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
389 }
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
390 p = strchr (p, ':');
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
391 end = strchr (p, '\r');
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
392 if (!end)
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
393 {
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
394 return 0;
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
395 }
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
396 if (end - p <= 0)
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
397 {
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
398 // Should never happen but we check to ensure that
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
399 // the following cast is valid which makes a size_t
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
400 ERRORPRINTF ("Signature timestamp does not compute.\n");
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
401 return 0;
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
402 }
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
403 len = (size_t) (end - p);
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
404
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
405 buf = xstrndup (p + 1, len);
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
406
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
407 lSigTime = strtol (buf, NULL, 10);
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
408 xfree (buf);
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
409 return (time_t) lSigTime;
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
410 }
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
411
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
412 bin_verify_result
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
413 verify_binary_linux(const char *filename, size_t name_len)
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
414 {
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
415 int ret = -1;
1395
a2574a029322 Fix Base 64 signature size calculation.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1390
diff changeset
416 const size_t sig_b64_size = TRUSTBRIDGE_RSA_CODESIGN_B64_SIZE;
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
417 char *data = NULL,
905
698b6a9bd75e Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents: 774
diff changeset
418 signature_b64[sig_b64_size + 1];
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
419 size_t data_size = 0,
1387
c64b6c56ce96 (issue95) Change keys for release build. Fix release build usage.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1369
diff changeset
420 sig_size = TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8;
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
421 unsigned char signature[sig_size],
905
698b6a9bd75e Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents: 774
diff changeset
422 hash[32];
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
423 FILE *fptr = NULL;
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
424
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
425 bin_verify_result retval;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
426 retval.result = VerifyUnknownError;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
427 retval.fptr = NULL;
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
428 x509_crt codesign_cert;
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
429
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
430 if (strnlen(filename, name_len + 1) != name_len || name_len == 0)
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
431 {
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
432 ERRORPRINTF ("Invalid call to verify_binary_linux\n");
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
433 retval.result = VerifyUnknownError;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
434 return retval;
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
435 }
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
436
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
437 ret = read_file(filename, &data, &data_size, MAX_VALID_BIN_SIZE, &fptr);
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
438
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
439 if (ret != 0)
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
440 {
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
441 ERRORPRINTF ("Read file failed with error: %i\n", ret);
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
442 retval.result = VerifyReadFailed;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
443 return retval;
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
444 }
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
445
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
446 /* Fetch the signature from the end of data */
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
447 if (data_size < sig_b64_size + 5)
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
448 {
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
449 ERRORPRINTF ("File to small to contain a signature.\n");
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
450 retval.result = VerifyInvalidSignature;
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
451 goto done;
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
452 }
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
453
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
454 if (data[data_size - sig_b64_size - 2] != ':' ||
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
455 data[data_size - sig_b64_size - 3] != 'S' ||
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
456 data[data_size - sig_b64_size - 4] != '\n'||
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
457 data[data_size - sig_b64_size - 5] != '\r')
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
458 {
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
459 ERRORPRINTF ("Failed to find valid signature line.\n");
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
460 retval.result = VerifyInvalidSignature;
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
461 goto done;
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
462 }
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
463
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
464 strncpy(signature_b64, data + (data_size - sig_b64_size - 1), sig_b64_size);
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
465 signature_b64[sig_b64_size] = '\0';
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
466
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
467 ret = base64_decode(signature, &sig_size,
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
468 (unsigned char *)signature_b64, sig_b64_size);
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
469
1387
c64b6c56ce96 (issue95) Change keys for release build. Fix release build usage.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1369
diff changeset
470 if (ret != 0 || sig_size != TRUSTBRIDGE_RSA_CODESIGN_SIZE / 8)
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
471 {
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
472 ERRORPRINTF ("Base 64 decode failed with error: %i\n", ret);
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
473 goto done;
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
474 }
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
475
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
476 /* Hash is calculated over the data without the signature at the end. */
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
477 sha256((unsigned char *)data, data_size - sig_b64_size - 5, hash, 0);
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
478
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
479 x509_crt_init(&codesign_cert);
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
480
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
481 /* Parse the pinned certificate */
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
482 ret = x509_crt_parse(&codesign_cert,
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
483 public_key_codesign_pem,
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
484 public_key_codesign_pem_size);
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
485 if (ret != 0)
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
486 {
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
487 char errbuf[1020];
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
488 polarssl_strerror(ret, errbuf, 1020);
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
489 errbuf[1019] = '\0'; /* Just to be sure */
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
490 ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n%s\n", -ret, errbuf);
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
491 x509_crt_free(&codesign_cert);
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
492 retval.result = VerifyUnknownError;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
493 goto done;
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
494 }
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
495
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
496 ret = pk_verify(&codesign_cert.pk, POLARSSL_MD_SHA256, hash, 0,
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
497 signature, sig_size);
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
498
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
499 if (ret != 0)
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
500 {
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
501 char errbuf[1020];
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
502 polarssl_strerror(ret, errbuf, 1020);
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
503 errbuf[1019] = '\0'; /* Just to be sure */
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
504 ERRORPRINTF ("pk_verify failed with -0x%04x\n %s\n", -ret, errbuf);
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
505 x509_crt_free(&codesign_cert);
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
506 retval.result = VerifyInvalidSignature;
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
507 goto done;
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
508 }
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
509 x509_crt_free(&codesign_cert);
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
510
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
511 retval.result = VerifyValid;
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
512 retval.fptr = fptr;
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
513
1369
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
514 /** We know know that the signature is valid we can trust the data content. */
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
515 retval.sig_time = get_signature_time (data, data_size);
948f03bb5254 Add signature time extraction for Linux and test for it in binverifytest
Andre Heinecke <andre.heinecke@intevation.de>
parents: 1364
diff changeset
516
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
517 done:
1081
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
518 if (retval.result != VerifyValid)
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
519 {
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
520 if (fptr)
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
521 {
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
522 fclose(fptr);
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
523 }
edbf5e5e88f4 (issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents: 905
diff changeset
524 }
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
525 xfree (data);
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
526 return retval;
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
527 }
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 637
diff changeset
528
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
529 #endif /* WIN32 */

http://wald.intevation.org/projects/trustbridge/