This is a followup question to question 1072540, 'WinVerifyTrust to check for a specific signature?'.
I want to write a C++ function Lets call it TrustedByUs
of the form:
bool TrustedByUs(std::string pathToBinary, std::string pathToPublicKey)
The idea is that we give this function a path to a binary .dll or .exe file that has been signed with a digital signature. The pathToPublicKey
string is the path to a public key of our particular signing certificate.
Using the code in http://support.microsoft.com/kb/323809 it's pretty straight forward to verify that the pathToBinary
file is in fact trusted by the operating system.
Now I'm in the same place as the writer of question 1072540, I know the OS trusts the signer of this binary, but I want to know if my organization's RSA key is the one that signed the binary.
The KB323809 shows how to extract the strings from certificate embedded in our binary file. This example shows how to extract strings from the signing certificate in its GetProgAndPublisherInfo
function, but I'm uncomfortable using a string match to verfiy the certificate.
What I would like to do is extract the public key from the embedded signature and compare it to the public key that corresponds with the private key that signed my binary file in the first place.
The documentation for CryptMsgGetParam
says that the CMSG_SIGNER_CERT_ID_PARAM
parameter 'Returns information on a message signer needed to identify the signer's public key'. I succeed in getting the certificate's serial number with this key. My code looks like this:
// Get message handle and store handle from the signed file.
fResult = CryptQueryObject(CERT_QUERY_OBJECT_FILE,
L"C:\\Program Files\\MySignedProgram.exe",
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
CERT_QUERY_FORMAT_FLAG_BINARY,
0, &dwEncoding, &dwContentType, &dwFormatType, &hStore, &hMsg, NULL);
// Get the public key information about the signer
// First get the size
DWORD dwCertIdSize(0);
fResult = CryptMsgGetParam(hMsg, CMSG_SIGNER_CERT_ID_PARAM,
0, NULL, &dwCertIdSize);
BYTE* pCertId = new BYTE(dwCertIdSize);
::ZeroMemory(pCertId,dwCertIdSize);
// Now get the cert info
fResult = CryptMsgGetParam(hMsg, CMSG_SIGNER_CERT_ID_PARAM,
0, (PVOID)pCertId, &dwCertIdSize);
if(fResult)
{
CERT_ID* pId = (CERT_ID*)pCertId;
pId->HashId;
pId->dwIdChoice;
pId->IssuerSerialNumber; // Valid serial number (reversed)
pId->KeyId;
_tprintf("pid\n");
}
This is close to what I want, but really I'd like to use the signing certificate's public key to verify that the target signed binary file was in fact created with my particular public/private key pair.
Using the CMSG_ENCRYPTED_DIGEST
flag this code succeeds:
// Get digest which was encrypted with the private key
DWORD digestSize(0);
fResult = CryptMsgGetParam(hMsg, CMSG_ENCRYPTED_DIGEST, 0, NULL, &digestSize);
BYTE* pDigest = new BYTE[digestSize];
// Next CryptMsgGetParam call succeds,
// pDigest looks valid, can I use this to confirm my public key
// was used to sign MySignedProgram.exe ?
fResult = CryptMsgGetParam(hMsg, CMSG_ENCRYPTED_DIGEST, 0, pDigest, &digestSize);
Bottom line question: Given the certificate information discovered by CryptQueryObject
, what technique should I used to ensure that the target file was in fact signed using the private key that corresponds to the public key that is available to me when the above code executes?
Is a binary signed? Windows users can easily determine if a binary is signed by simply looking at the Explorer GUI: Right click on the binary and select “Properties” and the “Digital Signatures” tab.
Check the signature on an EXE or MSI fileRight-click the EXE or MSI file and select Properties. Click the Digital Signatures tab to check the signature.
You want the CMSG_SIGNER_INFO_PARAM
instead.
You can use this to get the entire certificate by looking up the certificate in the certificate store returned by CryptQueryObject
:
CryptMsgGetParam(hMsg,
CMSG_SIGNER_INFO_PARAM,
0,
NULL,
&dwSignerInfo);
PCMSG_SIGNER_INFO pSignerInfo = (PCMSG_SIGNER_INFO) malloc(dwSignerInfo);
CryptMsgGetParam(hMsg,
CMSG_SIGNER_INFO_PARAM,
0,
pSignerInfo,
&dwSignerInfo);
PCCERT_CONTEXT pCertContext = CertFindCertificateInStore(hStore,
ENCODING,
0,
CERT_FIND_SUBJECT_CERT,
(PVOID)pSignerInfo,
NULL);
// Compare with your certificate:
// - check pCertContext->pbCertEncoded (length is pCertContext->cbCertEncoded)
// *OR*
// Compare with your public-key:
// - check pCertContext->pCertInfo->SubjectPublicKeyInfo.Algorithm and
// pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With