Mercurial > trustbridge
annotate common/binverify.c @ 1310:60e481aa75ca
(issue152) Do not return CryptUIDlgViewContext's return value
The return value is false if the user cancels the dialog.
But as the certificate has been shown this is not really an
error.
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Mon, 13 Oct 2014 14:13:05 +0200 |
| parents | 3cd8dd706aaa |
| children | 28885e8c891f |
| rev | line source |
|---|---|
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
2 * Software engineering by Intevation GmbH |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
3 * |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
4 * This file is Free Software under the GNU GPL (v>=2) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
5 * and comes with ABSOLUTELY NO WARRANTY! |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
6 * See LICENSE.txt for details. |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
7 */ |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
8 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
9 #include "binverify.h" |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
10 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
11 #include "strhelp.h" |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
12 #include "logging.h" |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
13 #include "listutil.h" |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
14 #ifdef RELEASE_BUILD |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
15 #include "pubkey-release.h" |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
16 #else |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
17 #include "pubkey-test.h" |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
18 #endif |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
19 |
|
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
20 bin_verify_result |
|
905
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
21 verify_binary(const char *filename, size_t name_len) |
|
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
22 { |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
23 if (!filename || !name_len) { |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
24 bin_verify_result retval; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
25 retval.fptr = NULL; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
26 retval.result = VerifyUnknownError; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
27 return retval; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
28 } |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
29 |
|
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
30 #ifdef WIN32 |
|
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
31 return verify_binary_win(filename, name_len); |
|
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
32 #else |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
33 return verify_binary_linux(filename, name_len); |
|
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
34 #endif |
|
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
35 } |
|
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
36 |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
37 #ifdef WIN32 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
38 |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
39 #include <polarssl/x509_crt.h> |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
40 |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
41 #include <windows.h> |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
42 #include <wincrypt.h> |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
43 #include <wintrust.h> |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
44 #include <stdio.h> |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
45 |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
46 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
47 /** @brief Check if the certificate @a pCCertContext is pinned |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
48 * |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
49 * Compares the certificate's binary data (public key and attributes) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
50 * with each other to validate that the certificate pCCertContext has |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
51 * exactly the same data as the builtin public certificate. |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
52 * |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
53 * @param[in] pCCertContext pointer to the certificate to check |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
54 * |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
55 * @returns true if the certificate matches, false otherwise. |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
56 */ |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
57 static bool |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
58 check_certificate (PCCERT_CONTEXT pCCertContext) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
59 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
60 x509_crt codesign_cert; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
61 int ret = 0; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
62 DWORD dwI = 0; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
63 bool retval = false; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
64 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
65 if (pCCertContext == NULL) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
66 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
67 ERRORPRINTF ("Invalid call to check_certificate"); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
68 return false; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
69 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
70 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
71 x509_crt_init(&codesign_cert); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
72 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
73 /* Parse the pinned certificate */ |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
74 ret = x509_crt_parse(&codesign_cert, |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
75 public_key_codesign_pem, |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
76 public_key_codesign_pem_size); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
77 if (ret != 0) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
78 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
79 ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n\n", -ret); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
80 goto done; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
81 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
82 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
83 if (codesign_cert.raw.len != pCCertContext->cbCertEncoded || |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
84 codesign_cert.raw.len <= 0) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
85 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
86 ERRORPRINTF ("Certificate size mismatch"); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
87 goto done; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
88 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
89 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
90 /* Check that the certificate is exactly the same as the pinned one */ |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
91 for (dwI = 0; dwI < pCCertContext->cbCertEncoded; dwI++) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
92 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
93 if (pCCertContext->pbCertEncoded[dwI] != codesign_cert.raw.p[dwI]) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
94 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
95 ERRORPRINTF ("Certificate content mismatch"); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
96 goto done; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
97 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
98 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
99 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
100 retval = true; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
101 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
102 done: |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
103 x509_crt_free(&codesign_cert); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
104 return retval; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
105 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
106 |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
107 bin_verify_result |
|
905
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
108 verify_binary_win(const char *filename, size_t name_len) |
|
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
109 { |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
110 bin_verify_result retval; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
111 WCHAR *filenameW = NULL; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
112 BOOL result = FALSE; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
113 DWORD dwEncoding = 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
114 dwContentType = 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
115 dwFormatType = 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
116 dwSignerInfoSize = 0; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
117 HCERTSTORE hStore = NULL; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
118 HCRYPTMSG hMsg = NULL; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
119 PCERT_INFO pSignerCert = NULL; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
120 PCCERT_CONTEXT pSignerCertContext = NULL; |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
121 FILE *fptr = NULL; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
122 size_t data_size = 0; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
123 char *data = NULL; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
124 int ret = -1; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
125 CRYPT_INTEGER_BLOB blob; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
126 |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
127 retval.result = VerifyUnknownError; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
128 retval.fptr = NULL; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
129 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
130 if (!filename || name_len > MAX_PATH || strlen(filename) != name_len) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
131 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
132 ERRORPRINTF ("Invalid parameters\n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
133 return retval; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
134 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
135 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
136 ret = read_file(filename, &data, &data_size, MAX_VALID_BIN_SIZE, &fptr); |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
137 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
138 if (ret != 0) |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
139 { |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
140 ERRORPRINTF ("Read file failed with error: %i\n", ret); |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
141 retval.result = VerifyReadFailed; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
142 return retval; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
143 } |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
144 blob.cbData = (DWORD) data_size; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
145 blob.pbData = (PBYTE) data; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
146 |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
147 result = CryptQueryObject (CERT_QUERY_OBJECT_BLOB, |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
148 &blob, |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
149 CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
150 CERT_QUERY_FORMAT_FLAG_BINARY, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
151 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
152 &dwEncoding, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
153 &dwContentType, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
154 &dwFormatType, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
155 &hStore, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
156 &hMsg, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
157 NULL); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
158 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
159 if (!result || !hMsg) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
160 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
161 PRINTLASTERROR ("Failed to query crypto object"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
162 retval.result = VerifyReadFailed; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
163 goto done; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
164 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
165 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
166 /* Get the cert info so that we can look up the signer in the store later */ |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
167 if (CryptMsgGetParam(hMsg, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
168 CMSG_SIGNER_CERT_INFO_PARAM, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
169 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
170 NULL, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
171 &dwSignerInfoSize) && dwSignerInfoSize > 0) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
172 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
173 pSignerCert = xmalloc (dwSignerInfoSize); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
174 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
175 else |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
176 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
177 ERRORPRINTF ("Failed to get signer cert size."); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
178 retval.result = VerifyUnknownError; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
179 goto done; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
180 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
181 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
182 if (!(CryptMsgGetParam(hMsg, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
183 CMSG_SIGNER_CERT_INFO_PARAM, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
184 0, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
185 pSignerCert, |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
186 &dwSignerInfoSize))) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
187 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
188 ERRORPRINTF ("Failed to get signer cert."); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
189 retval.result = VerifyUnknownError; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
190 goto done; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
191 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
192 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
193 pSignerCertContext = CertGetSubjectCertificateFromStore( |
|
905
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
194 hStore, |
|
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
195 PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, |
|
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
196 pSignerCert); |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
197 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
198 if (!pSignerCertContext) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
199 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
200 ERRORPRINTF ("Failed to find signer cert in store."); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
201 retval.result = VerifyUnknownError; |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
202 goto done; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
203 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
204 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
205 /* Verify that the signature is actually valid */ |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
206 if(!CryptMsgControl(hMsg, |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
207 0, |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
208 CMSG_CTRL_VERIFY_SIGNATURE, |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
209 pSignerCertContext->pCertInfo)) |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
210 { |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
211 ERRORPRINTF ("The signature is invalid. \n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
212 retval.result = VerifyInvalidSignature; |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
213 syslog_error_printf ("Software update embedded signature is invalid."); |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
214 goto done; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
215 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
216 |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
217 if(check_certificate(pSignerCertContext)) |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
218 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
219 DEBUGPRINTF ("Valid signature with pinned certificate."); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
220 retval.result = VerifyValid; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
221 retval.fptr = fptr; |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
222 goto done; |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
223 } |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
224 else |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
225 { |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
226 ERRORPRINTF ("Certificate mismatch. \n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
227 retval.result = VerifyInvalidCertificate; |
|
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
228 syslog_error_printf ("Software update embedded signature " |
|
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
229 "created with wrong certificate."); |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
230 goto done; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
231 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
232 |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
233 done: |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
234 xfree(data); |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
235 xfree(filenameW); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
236 xfree(pSignerCert); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
237 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
238 if (retval.result != VerifyValid) |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
239 { |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
240 fclose(fptr); |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
241 } |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
242 |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
243 if(pSignerCertContext) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
244 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
245 CertFreeCertificateContext(pSignerCertContext); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
246 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
247 if (hStore) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
248 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
249 CertCloseStore(hStore, 0); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
250 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
251 if (hMsg) |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
252 { |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
253 CryptMsgClose(hMsg); |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
254 } |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
255 return retval; |
|
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
256 } |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
257 #else /* WIN32 */ |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
258 |
|
1264
3cd8dd706aaa
Add possibility to build with CLANG and document it.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
259 #ifndef __clang__ |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
260 #pragma GCC diagnostic ignored "-Wconversion" |
|
1264
3cd8dd706aaa
Add possibility to build with CLANG and document it.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
261 #endif |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
262 /* Polarssl mh.h contains a conversion which gcc warns about */ |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
263 #include <polarssl/pk.h> |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
264 #include <polarssl/base64.h> |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
265 #include <polarssl/sha256.h> |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
266 #include <polarssl/error.h> |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
267 #include <polarssl/x509_crt.h> |
|
1264
3cd8dd706aaa
Add possibility to build with CLANG and document it.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
268 #ifndef __clang__ |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
269 #pragma GCC diagnostic pop |
|
1264
3cd8dd706aaa
Add possibility to build with CLANG and document it.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
1081
diff
changeset
|
270 #endif |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
271 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
272 bin_verify_result |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
273 verify_binary_linux(const char *filename, size_t name_len) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
274 { |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
275 int ret = -1; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
276 const size_t sig_b64_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8 * 4 / 3; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
277 char *data = NULL, |
|
905
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
278 signature_b64[sig_b64_size + 1]; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
279 size_t data_size = 0, |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
280 sig_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
281 unsigned char signature[sig_size], |
|
905
698b6a9bd75e
Fix coding style for C code
Andre Heinecke <andre.heinecke@intevation.de>
parents:
774
diff
changeset
|
282 hash[32]; |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
283 FILE *fptr = NULL; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
284 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
285 bin_verify_result retval; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
286 retval.result = VerifyUnknownError; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
287 retval.fptr = NULL; |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
288 x509_crt codesign_cert; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
289 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
290 if (strnlen(filename, name_len + 1) != name_len || name_len == 0) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
291 { |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
292 ERRORPRINTF ("Invalid call to verify_binary_linux\n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
293 retval.result = VerifyUnknownError; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
294 return retval; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
295 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
296 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
297 ret = read_file(filename, &data, &data_size, MAX_VALID_BIN_SIZE, &fptr); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
298 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
299 if (ret != 0) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
300 { |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
301 ERRORPRINTF ("Read file failed with error: %i\n", ret); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
302 retval.result = VerifyReadFailed; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
303 return retval; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
304 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
305 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
306 /* Fetch the signature from the end of data */ |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
307 if (data_size < sig_b64_size + 5) |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
308 { |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
309 ERRORPRINTF ("File to small to contain a signature.\n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
310 retval.result = VerifyInvalidSignature; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
311 goto done; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
312 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
313 |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
314 if (data[data_size - sig_b64_size - 2] != ':' || |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
315 data[data_size - sig_b64_size - 3] != 'S' || |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
316 data[data_size - sig_b64_size - 4] != '\n'|| |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
317 data[data_size - sig_b64_size - 5] != '\r') |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
318 { |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
319 ERRORPRINTF ("Failed to find valid signature line.\n"); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
320 retval.result = VerifyInvalidSignature; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
321 goto done; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
322 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
323 |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
324 strncpy(signature_b64, data + (data_size - sig_b64_size - 1), sig_b64_size); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
325 signature_b64[sig_b64_size] = '\0'; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
326 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
327 ret = base64_decode(signature, &sig_size, |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
328 (unsigned char *)signature_b64, sig_b64_size); |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
329 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
330 if (ret != 0 || sig_size != TRUSTBRIDGE_RSA_KEY_SIZE / 8) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
331 { |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
332 ERRORPRINTF ("Base 64 decode failed with error: %i\n", ret); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
333 goto done; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
334 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
335 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
336 /* Hash is calculated over the data without the signature at the end. */ |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
337 sha256((unsigned char *)data, data_size - sig_b64_size - 5, hash, 0); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
338 |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
339 x509_crt_init(&codesign_cert); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
340 |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
341 /* Parse the pinned certificate */ |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
342 ret = x509_crt_parse(&codesign_cert, |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
343 public_key_codesign_pem, |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
344 public_key_codesign_pem_size); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
345 if (ret != 0) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
346 { |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
347 char errbuf[1020]; |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
348 polarssl_strerror(ret, errbuf, 1020); |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
349 errbuf[1019] = '\0'; /* Just to be sure */ |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
350 ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n%s\n", -ret, errbuf); |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
351 x509_crt_free(&codesign_cert); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
352 retval.result = VerifyUnknownError; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
353 goto done; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
354 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
355 |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
356 ret = pk_verify(&codesign_cert.pk, POLARSSL_MD_SHA256, hash, 0, |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
357 signature, sig_size); |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
358 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
359 if (ret != 0) |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
360 { |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
361 char errbuf[1020]; |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
362 polarssl_strerror(ret, errbuf, 1020); |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
363 errbuf[1019] = '\0'; /* Just to be sure */ |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
364 ERRORPRINTF ("pk_verify failed with -0x%04x\n %s\n", -ret, errbuf); |
|
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
365 x509_crt_free(&codesign_cert); |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
366 retval.result = VerifyInvalidSignature; |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
367 goto done; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
368 } |
|
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
369 x509_crt_free(&codesign_cert); |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
370 |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
371 retval.result = VerifyValid; |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
372 retval.fptr = fptr; |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
373 |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
374 done: |
|
1081
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
375 if (retval.result != VerifyValid) |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
376 { |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
377 if (fptr) |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
378 { |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
379 fclose(fptr); |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
380 } |
|
edbf5e5e88f4
(issue118) Extend verify_binary to carry an open file
Andre Heinecke <andre.heinecke@intevation.de>
parents:
905
diff
changeset
|
381 } |
|
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
382 xfree (data); |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
383 return retval; |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
384 } |
|
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
385 |
|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
386 #endif /* WIN32 */ |