Menu
I have a binary 'api.dll' which uses another binary 'helper.dll'. I want to validate the authenticity of each DLL using digital signatures, but I'm not sure the correct way to go about it. For context, the DLLs are being built using visual studio 2010, and are linked via the dependencies tab. The linkage occurs via a stub helper.lib, so I don't explicitly call LoadLibrary in the api.dll code. Part of the problem with this is I don't know exactly where helper.dll is loaded from. My initial thought is to:
Is this the best way to go about this?
Second, based on my somewhat hazy understanding of digital signatures/certificates, it seems to me the validation requires a connection to the certificate authority, or the certificate needs to be already listed as trusted on the machine. How is this usually handled when outside connections are either frowned upon or explicitly disallowed? Would it be something that is 'installed' with the application? Or would another less-secure method of validation be required in such cases?
668
When you send this certificate to a receiver, the receiver performs two steps to verify your identity: Uses your public key that comes with the certificate to check your digital signature. Verifies that the CA that issued your certificate is legitimate and trustworthy.
Open the properties sheet for the . dll from Windows Explorer. If a tab "Digital Signatures" is shown, it's a signed assembly. If the tab is missing, it's unsigned.
Signing your dlls makes most sense when you yourself verify those signatures before loading them. This ensures the integrity of all dlls at runtime. It is a recommended secure practice to sign all binaries that you ship and validate their signatures at runtime.
Right click the .exe of the program in question and select Properties. Select Digital Signatures. Under Signature List, select the Signature, and click Details. You will see information regarding the Code Signing certificate that was used to sign the executable.
You want to verify signatures before you've loaded the DLLs. Once they are loaded, they have already had time to run arbitrary code in your process (see DllMain), and you've lost.
You might want to delay-load the DLLs. This way, you don't need to manually do LoadLibrary/GetProcAddress for every function, but you still get a chance to run some code before the DLLs are loaded, and bail out if verification fails.
No, WinVerifyTrust doesn't need a live Internet connection. Every Windows machine has a list of trusted root certificates. What verification does is it extracts the signature and the certificates attached to the binary, verifies that the signature is valid (the file contents actually match what was signed), and that the certificates form a valid chain that leads to one of the trusted roots.
Note that WinVerifyTrust doesn't verify that the file is signed by your company - just that it is signed by someone who bought a certificate from one of the known CAs, and has not been tampered with afterwards. If you want to confirm that the file is actually yours, additional steps need to be taken.
152
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
