annotate common/binverify.h @ 914:dcb6ed6ad594

Disable curl by default for Windows
This needs to be reevaluated once we have a working curl in mxe
author Andre Heinecke <andre.heinecke@intevation.de>
date Wed, 20 Aug 2014 16:52:44 +0200
parents f89b41fa7048
children 78798d3af8f0
rev   line source
579
f4ce4eef3b38 Implement PKCS#7 embedded signature verification for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
diff changeset
1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik
2 * Software engineering by Intevation GmbH
3 *
4 * This file is Free Software under the GNU GPL (v>=2)
5 * and comes with ABSOLUTELY NO WARRANTY!
6 * See LICENSE.txt for details.
7 */
8
9 #ifndef BINVERIFY_H
10 #define BINVERIFY_H
11 /** @file binverify.h
12 * @brief Verification of binary files
13 */
14 #include <stdbool.h>
15 #include <stddef.h>
16
17 #ifdef __cplusplus
18 extern "C" {
19 #endif
20
21 /**
22 * @enum bin_verify_result
23 * @brief Result of a verification
24 */
25 typedef enum {
586
ecfd77751daf Disambiguate enumerator values and add portable wrapper.
Andre Heinecke <aheinecke@intevation.de>
parents: 579
diff changeset
26 VerifyValid = 100, /*!< Could be read and signature matched */
27 VerifyUnknownError = 1, /*!< The expected unexpected */
28 VerifyInvalidSignature = 4, /*!< Signature was invalid */
629
facb13c578f1 Add certificate pinning to verify_binary_win
Andre Heinecke <andre.heinecke@intevation.de>
parents: 586
diff changeset
29 VerifyInvalidCertificate = 5, /*!< Certificate mismatch */
586
30 VerifyReadFailed = 6, /*!< File exists but could not read the file */
579
31 } bin_verify_result;
32
33 /**
34 * @brief verify a binary
35 *
36 * This function checks that a binary is signed by a built
37 * in certificate.
38 *
39 * Caution: This function works on file names only which could
40 * be modified after this check.
41 *
771
2798f1869eee (issue43) Add first draft of signature verification for GNU/Linux
Andre Heinecke <andre.heinecke@intevation.de>
parents: 629
diff changeset
42 * Windows verification is done using Windows crypto API based on
579
43 * PKCS 7 "authenticode" signatures embedded into the
44 * file.
45 *
904
f89b41fa7048 Fix whitespace errors
Andre Heinecke <andre.heinecke@intevation.de>
parents: 774
diff changeset
46 * On Linux the file is expected to end with the pattern of
774
44fa5de02b52 (issue43) Finalize and verify binary verification for linux.
Andre Heinecke <andre.heinecke@intevation.de>
parents: 771
diff changeset
47 * \r\nS: (0x0d0a533A) followed by a 3072 Bit Base64 encoded RSA
48 * signature.
771
49 * The signature is verified against the built in codesigning key in
50 * the same certificate that is used for windows verification.
774
51 * If the pattern is not found the verification fails.
771
52 *
579
53 * @param[in] filename absolute null terminated UTF-8 encoded path to the file.
54 * @param[in] name_len length of the filename.
55 *
56 * @returns the verification result.
57 */
586
58 bin_verify_result verify_binary(const char *filename, size_t name_len);
59
60 #ifdef WIN32
61 /**
62 * @brief windows implementation of verify_binary
63 */
579
64 bin_verify_result verify_binary_win(const char *filename, size_t name_len);
771
65 #else /* WIN32 */
66 /** @brief Max size of a valid binary in bytes */
67 #define MAX_VALID_BIN_SIZE (32 * 1024 * 1024)
68
69 /**
70 * @brief linux implementation of verify_binary
71 */
72 bin_verify_result verify_binary_linux(const char *filename, size_t name_len);
73 #endif
579
74
75 #ifdef __cplusplus
76 }
77 #endif
78
79 #endif /* BINVERIFY_H */
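
The Linux trailer described in the header comment, parsed from a buffer that has already been read into memory, so the bytes that are checked are the bytes that are used afterwards (the comment's caution about file names). This is an added example, not code from the project: `split_signed_binary` is a hypothetical helper, and it assumes the trailer is exactly the marker plus 512 unpadded Base64 characters with no trailing newline, and that the marker is not part of the signed data. The RSA check against the built-in key is left to the caller.

```c
#include <stddef.h>
#include <string.h>

#define MAX_VALID_BIN_SIZE (32 * 1024 * 1024) /* limit from binverify.h */
#define SIG_MARKER "\r\nS:"                  /* 0x0d 0x0a 0x53 0x3a */
#define SIG_MARKER_LEN 4
#define SIG_RAW_LEN (3072 / 8)               /* 384 byte RSA signature */
#define SIG_B64_LEN (SIG_RAW_LEN / 3 * 4)    /* 512 chars, no '=' padding */

/* Value of one Base64 character, or -1 if it is outside the alphabet. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Hypothetical helper: split an in-memory file into signed data and
 * signature. On success returns 0, stores the length of the signed data
 * in *data_len and the decoded signature in sig (SIG_RAW_LEN bytes).
 * Returns -1 if the size is out of bounds, the marker is not at the
 * expected offset, or the trailer is not clean Base64. */
int split_signed_binary(const unsigned char *buf, size_t len,
                        size_t *data_len, unsigned char *sig)
{
    const size_t trailer = SIG_MARKER_LEN + SIG_B64_LEN;
    if (buf == NULL || len <= trailer || len > MAX_VALID_BIN_SIZE)
        return -1;
    const unsigned char *p = buf + len - trailer;
    if (memcmp(p, SIG_MARKER, SIG_MARKER_LEN) != 0)
        return -1;                 /* pattern not found: fail closed */
    p += SIG_MARKER_LEN;
    for (size_t i = 0; i < SIG_B64_LEN; i += 4) {
        int v[4];
        for (int k = 0; k < 4; k++)
            if ((v[k] = b64_value(p[i + k])) < 0)
                return -1;
        sig[i / 4 * 3]     = (unsigned char)(v[0] << 2 | v[1] >> 4);
        sig[i / 4 * 3 + 1] = (unsigned char)((v[1] & 0x0f) << 4 | v[2] >> 2);
        sig[i / 4 * 3 + 2] = (unsigned char)((v[2] & 0x03) << 6 | v[3]);
    }
    *data_len = len - trailer;
    return 0;
}
```

Any failure here corresponds to the header's rule that a missing pattern fails verification; only a successful split should go on to the signature check.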

http://wald.intevation.org/projects/trustbridge/