Mercurial > trustbridge
annotate common/binverify.c @ 824:a511c1f45c70
(Issue47) Drop privileges before executing NSS process.
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Mon, 21 Jul 2014 18:51:34 +0200 |
parents | 44fa5de02b52 |
children | 698b6a9bd75e |
rev | line source |
---|---|
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
2 * Software engineering by Intevation GmbH |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
3 * |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
4 * This file is Free Software under the GNU GPL (v>=2) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
5 * and comes with ABSOLUTELY NO WARRANTY! |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
6 * See LICENSE.txt for details. |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
7 */ |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
8 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
9 #include "binverify.h" |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
10 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
11 #include "strhelp.h" |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
12 #include "logging.h" |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
13 #ifdef RELEASE_BUILD |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
14 #include "pubkey-release.h" |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
15 #else |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
16 #include "pubkey-test.h" |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
17 #endif |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
18 |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
19 bin_verify_result |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
20 verify_binary(const char *filename, size_t name_len) { |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
21 if (!filename || !name_len) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
22 return VerifyUnknownError; |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
23 #ifdef WIN32 |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
24 return verify_binary_win(filename, name_len); |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
25 #else |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
26 return verify_binary_linux(filename, name_len); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
27 #endif |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
28 } |
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
29 |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
30 #ifdef WIN32 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
31 |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
32 #include <polarssl/x509_crt.h> |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
33 |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
34 #include <windows.h> |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
35 #include <wincrypt.h> |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
36 #include <wintrust.h> |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
37 #include <stdio.h> |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
38 |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
39 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
40 /** @brief Check if the certificate @a pCCertContext is pinned |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
41 * |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
42 * Compares the certificate's binary data (public key and attributes) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
43 * with each other to validate that the certificate pCCertContext has |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
44 * exactly the same data as the builtin public certificate. |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
45 * |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
46 * @param[in] pCCertContext pointer to the certificate to check |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
47 * |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
48 * @returns true if the certificate matches, false otherwise. |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
49 */ |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
50 static bool |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
51 check_certificate (PCCERT_CONTEXT pCCertContext) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
52 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
53 x509_crt codesign_cert; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
54 int ret = 0; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
55 DWORD dwI = 0; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
56 bool retval = false; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
57 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
58 if (pCCertContext == NULL) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
59 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
60 ERRORPRINTF ("Invalid call to check_certificate"); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
61 return false; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
62 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
63 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
64 x509_crt_init(&codesign_cert); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
65 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
66 /* Parse the pinned certificate */ |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
67 ret = x509_crt_parse(&codesign_cert, |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
68 public_key_codesign_pem, |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
69 public_key_codesign_pem_size); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
70 if (ret != 0) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
71 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
72 ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n\n", -ret); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
73 goto done; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
74 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
75 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
76 if (codesign_cert.raw.len != pCCertContext->cbCertEncoded || |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
77 codesign_cert.raw.len <= 0) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
78 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
79 ERRORPRINTF ("Certificate size mismatch"); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
80 goto done; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
81 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
82 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
83 /* Check that the certificate is exactly the same as the pinned one */ |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
84 for (dwI = 0; dwI < pCCertContext->cbCertEncoded; dwI++) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
85 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
86 if (pCCertContext->pbCertEncoded[dwI] != codesign_cert.raw.p[dwI]) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
87 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
88 ERRORPRINTF ("Certificate content mismatch"); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
89 goto done; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
90 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
91 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
92 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
93 retval = true; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
94 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
95 done: |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
96 x509_crt_free(&codesign_cert); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
97 return retval; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
98 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
99 |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
100 bin_verify_result |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
101 verify_binary_win(const char *filename, size_t name_len) { |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
102 bin_verify_result retval = VerifyUnknownError; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
103 WCHAR *filenameW = NULL; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
104 BOOL result = FALSE; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
105 DWORD dwEncoding = 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
106 dwContentType = 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
107 dwFormatType = 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
108 dwSignerInfoSize = 0; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
109 HCERTSTORE hStore = NULL; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
110 HCRYPTMSG hMsg = NULL; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
111 PCERT_INFO pSignerCert = NULL; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
112 PCCERT_CONTEXT pSignerCertContext = NULL; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
113 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
114 if (!filename || name_len > MAX_PATH || strlen(filename) != name_len) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
115 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
116 ERRORPRINTF ("Invalid parameters\n"); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
117 return VerifyUnknownError; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
118 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
119 |
591
26a18e3c3db4
Cleanups and coding style.
Andre Heinecke <aheinecke@intevation.de>
parents:
590
diff
changeset
|
120 filenameW = utf8_to_wchar(filename, name_len); |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
121 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
122 result = CryptQueryObject (CERT_QUERY_OBJECT_FILE, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
123 filenameW, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
124 CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
125 CERT_QUERY_FORMAT_FLAG_BINARY, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
126 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
127 &dwEncoding, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
128 &dwContentType, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
129 &dwFormatType, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
130 &hStore, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
131 &hMsg, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
132 NULL); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
133 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
134 if (!result || !hMsg) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
135 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
136 PRINTLASTERROR ("Failed to query crypto object"); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
137 retval = VerifyReadFailed; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
138 goto done; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
139 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
140 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
141 /* Get the cert info so that we can look up the signer in the store later */ |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
142 if (CryptMsgGetParam(hMsg, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
143 CMSG_SIGNER_CERT_INFO_PARAM, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
144 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
145 NULL, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
146 &dwSignerInfoSize) && dwSignerInfoSize > 0) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
147 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
148 pSignerCert = xmalloc (dwSignerInfoSize); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
149 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
150 else |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
151 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
152 ERRORPRINTF ("Failed to get signer cert size."); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
153 retval = VerifyUnknownError; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
154 goto done; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
155 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
156 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
157 if (!(CryptMsgGetParam(hMsg, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
158 CMSG_SIGNER_CERT_INFO_PARAM, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
159 0, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
160 pSignerCert, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
161 &dwSignerInfoSize))) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
162 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
163 ERRORPRINTF ("Failed to get signer cert."); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
164 retval = VerifyUnknownError; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
165 goto done; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
166 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
167 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
168 pSignerCertContext = CertGetSubjectCertificateFromStore( |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
169 hStore, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
170 PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
171 pSignerCert); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
172 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
173 if (!pSignerCertContext) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
174 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
175 ERRORPRINTF ("Failed to find signer cert in store."); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
176 retval = VerifyUnknownError; |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
177 goto done; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
178 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
179 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
180 /* Verify that the signature is actually valid */ |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
181 if(!CryptMsgControl(hMsg, |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
182 0, |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
183 CMSG_CTRL_VERIFY_SIGNATURE, |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
184 pSignerCertContext->pCertInfo)) |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
185 { |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
186 ERRORPRINTF ("The signature is invalid. \n"); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
187 retval = VerifyInvalidSignature; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
188 syslog_error_printf ("Software update embedded signature is invalid."); |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
189 goto done; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
190 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
191 |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
192 if(check_certificate(pSignerCertContext)) |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
193 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
194 DEBUGPRINTF ("Valid signature with pinned certificate."); |
586
ecfd77751daf
Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents:
579
diff
changeset
|
195 retval = VerifyValid; |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
196 goto done; |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
197 } |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
198 else |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
199 { |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
200 ERRORPRINTF ("Certificate mismatch. \n"); |
637
be30d50bc4f0
Add remaining tests to check binverify functionality
Andre Heinecke <andre.heinecke@intevation.de>
parents:
629
diff
changeset
|
201 retval = VerifyInvalidCertificate; |
629
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
202 syslog_error_printf ("Software update embedded signature " |
facb13c578f1
Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents:
591
diff
changeset
|
203 "created with wrong certificate."); |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
204 goto done; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
205 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
206 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
207 done: |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
208 xfree(filenameW); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
209 xfree(pSignerCert); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
210 |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
211 if(pSignerCertContext) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
212 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
213 CertFreeCertificateContext(pSignerCertContext); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
214 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
215 if (hStore) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
216 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
217 CertCloseStore(hStore, 0); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
218 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
219 if (hMsg) |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
220 { |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
221 CryptMsgClose(hMsg); |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
222 } |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
223 return retval; |
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
224 } |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
225 #else /* WIN32 */ |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
226 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
227 #include "listutil.h" |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
228 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
229 #pragma GCC diagnostic ignored "-Wconversion" |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
230 /* Polarssl mh.h contains a conversion which gcc warns about */ |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
231 #include <polarssl/pk.h> |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
232 #include <polarssl/base64.h> |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
233 #include <polarssl/sha256.h> |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
234 #include <polarssl/error.h> |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
235 #include <polarssl/x509_crt.h> |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
236 #pragma GCC diagnostic pop |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
237 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
238 bin_verify_result |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
239 verify_binary_linux(const char *filename, size_t name_len) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
240 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
241 int ret = -1; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
242 const size_t sig_b64_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8 * 4 / 3; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
243 char *data = NULL, |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
244 signature_b64[sig_b64_size + 1]; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
245 size_t data_size = 0, |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
246 sig_size = TRUSTBRIDGE_RSA_KEY_SIZE / 8; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
247 unsigned char signature[sig_size], |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
248 hash[32]; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
249 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
250 bin_verify_result retval = VerifyUnknownError; |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
251 x509_crt codesign_cert; |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
252 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
253 if (strnlen(filename, name_len + 1) != name_len || name_len == 0) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
254 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
255 ERRORPRINTF ("Invalid call to verify_binary_linux\n"); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
256 return VerifyUnknownError; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
257 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
258 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
259 ret = read_file(filename, &data, &data_size, MAX_VALID_BIN_SIZE); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
260 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
261 if (ret != 0) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
262 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
263 ERRORPRINTF ("Read file failed with error: %i\n", ret); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
264 return VerifyReadFailed; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
265 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
266 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
267 /* Fetch the signature from the end of data */ |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
268 if (data_size < sig_b64_size + 5) |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
269 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
270 ERRORPRINTF ("File to small to contain a signature.\n"); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
271 retval = VerifyInvalidSignature; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
272 goto done; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
273 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
274 |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
275 if (data[data_size - sig_b64_size - 2] != ':' || |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
276 data[data_size - sig_b64_size - 3] != 'S' || |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
277 data[data_size - sig_b64_size - 4] != '\n'|| |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
278 data[data_size - sig_b64_size - 5] != '\r') |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
279 { |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
280 ERRORPRINTF ("Failed to find valid signature line.\n"); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
281 retval = VerifyInvalidSignature; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
282 goto done; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
283 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
284 |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
285 strncpy(signature_b64, data + (data_size - sig_b64_size - 1), sig_b64_size); |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
286 signature_b64[sig_b64_size] = '\0'; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
287 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
288 ret = base64_decode(signature, &sig_size, |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
289 (unsigned char *)signature_b64, sig_b64_size); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
290 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
291 if (ret != 0 || sig_size != TRUSTBRIDGE_RSA_KEY_SIZE / 8) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
292 { |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
293 ERRORPRINTF ("Base 64 decode failed with error: %i\n", ret); |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
294 goto done; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
295 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
296 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
297 /* Hash is calculated over the data without the signature at the end. */ |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
298 sha256((unsigned char *)data, data_size - sig_b64_size - 5, hash, 0); |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
299 |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
300 x509_crt_init(&codesign_cert); |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
301 |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
302 /* Parse the pinned certificate */ |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
303 ret = x509_crt_parse(&codesign_cert, |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
304 public_key_codesign_pem, |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
305 public_key_codesign_pem_size); |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
306 if (ret != 0) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
307 { |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
308 char errbuf[1020]; |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
309 polarssl_strerror(ret, errbuf, 1020); |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
310 errbuf[1019] = '\0'; /* Just to be sure */ |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
311 ERRORPRINTF ("x509_crt_parse failed with -0x%04x\n%s\n", -ret, errbuf); |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
312 x509_crt_free(&codesign_cert); |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
313 return VerifyUnknownError; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
314 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
315 |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
316 ret = pk_verify(&codesign_cert.pk, POLARSSL_MD_SHA256, hash, 0, |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
317 signature, sig_size); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
318 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
319 if (ret != 0) |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
320 { |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
321 char errbuf[1020]; |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
322 polarssl_strerror(ret, errbuf, 1020); |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
323 errbuf[1019] = '\0'; /* Just to be sure */ |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
324 ERRORPRINTF ("pk_verify failed with -0x%04x\n %s\n", -ret, errbuf); |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
325 x509_crt_free(&codesign_cert); |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
326 retval = VerifyInvalidSignature; |
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
327 goto done; |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
328 } |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
329 x509_crt_free(&codesign_cert); |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
330 |
774
44fa5de02b52
(issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents:
771
diff
changeset
|
331 retval = VerifyValid; |
771
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
332 |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
333 done: |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
334 xfree (data); |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
335 return retval; |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
336 } |
2798f1869eee
(issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents:
637
diff
changeset
|
337 |
579
f4ce4eef3b38
Implement PKCS#7 embedded signature verfification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
338 #endif /* WIN32 */ |