RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
PRTERRINFO pErrInfo)
{
/*
* Check the input.
*/
if (pfnVerifyCert)
AssertPtrReturn(pfnVerifyCert, VERR_INVALID_POINTER);
else
pfnVerifyCert = RTCrPkcs7VerifyCertCallbackDefault;
if (!RTCrPkcs7ContentInfo_IsSignedData(pContentInfo))
return RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_NOT_SIGNED_DATA, "Not PKCS #7 SignedData.");
PCRTCRPKCS7SIGNEDDATA pSignedData = pContentInfo->u.pSignedData;
int rc = RTCrPkcs7SignedData_CheckSanity(pSignedData, 0, pErrInfo, "");
if (RT_FAILURE(rc))
return rc;
/*
* Hash the content info.
*/
/* Exactly what the content is, for some stupid reason unnecessarily
complicated. Figure it out here as we'll need it for the OpenSSL code
path as well. */
void const *pvContent = pSignedData->ContentInfo.Content.Asn1Core.uData.pv;
uint32_t cbContent = pSignedData->ContentInfo.Content.Asn1Core.cb;
if (pSignedData->ContentInfo.Content.pEncapsulated)
{
pvContent = pSignedData->ContentInfo.Content.pEncapsulated->uData.pv;
cbContent = pSignedData->ContentInfo.Content.pEncapsulated->cb;
}
/* Check that there aren't too many or too few hash algorithms for our
implementation and purposes. */
RTCRDIGEST ahDigests[2];
uint32_t const cDigests = pSignedData->DigestAlgorithms.cItems;
if (!cDigests) /** @todo we might have to support this... */
return RTErrInfoSetF(pErrInfo, VERR_CR_PKCS7_NO_DIGEST_ALGORITHMS, "No digest algorithms");
if (cDigests > RT_ELEMENTS(ahDigests))
return RTErrInfoSetF(pErrInfo, VERR_CR_PKCS7_TOO_MANY_DIGEST_ALGORITHMS,
"Too many digest algorithm: cAlgorithms=%u", cDigests);
/* Create the message digest calculators. */
rc = VERR_CR_PKCS7_NO_DIGEST_ALGORITHMS;
uint32_t i;
for (i = 0; i < cDigests; i++)
{
rc = RTCrDigestCreateByObjId(&ahDigests[i], &pSignedData->DigestAlgorithms.paItems[i].Algorithm);
if (RT_FAILURE(rc))
{
rc = RTErrInfoSetF(pErrInfo, VERR_CR_PKCS7_DIGEST_CREATE_ERROR, "Error creating digest for '%s': %Rrc",
pSignedData->DigestAlgorithms.paItems[i].Algorithm.szObjId, rc);
break;
}
}
if (RT_SUCCESS(rc))
{
/* Hash the content. */
for (i = 0; i < cDigests && RT_SUCCESS(rc); i++)
{
rc = RTCrDigestUpdate(ahDigests[i], pvContent, cbContent);
if (RT_SUCCESS(rc))
rc = RTCrDigestFinal(ahDigests[i], NULL, 0);
}
if (RT_SUCCESS(rc))
{
/*
* Validate the signed infos.
*/
uint32_t fPrimaryVccFlags = !(fFlags & RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING)
? RTCRPKCS7VCC_F_SIGNED_DATA : RTCRPKCS7VCC_F_TIMESTAMP;
rc = VERR_CR_PKCS7_NO_SIGNER_INFOS;
for (i = 0; i < pSignedData->SignerInfos.cItems; i++)
{
PCRTCRPKCS7SIGNERINFO pSignerInfo = &pSignedData->SignerInfos.paItems[i];
RTCRDIGEST hThisDigest = NIL_RTCRDIGEST; /* (gcc maybe incredible stupid.) */
rc = rtCrPkcs7VerifyFindDigest(&hThisDigest, pSignedData, pSignerInfo, ahDigests, pErrInfo);
if (RT_FAILURE(rc))
break;
/*
* See if we can find a trusted signing time.
* (Note that while it would make sense splitting up this function,
* we need to carry a lot of arguments around, so better not.)
*/
bool fDone = false;
PCRTCRPKCS7SIGNERINFO pSigningTimeSigner = NULL;
PCRTASN1TIME pSignedTime;
while ( !fDone
&& (pSignedTime = RTCrPkcs7SignerInfo_GetSigningTime(pSignerInfo, &pSigningTimeSigner)) != NULL)
{
RTTIMESPEC ThisValidationTime;
if (RT_LIKELY(RTTimeImplode(&ThisValidationTime, &pSignedTime->Time)))
{
if (pSigningTimeSigner == pSignerInfo)
{
if (fFlags & RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY)
continue;
rc = rtCrPkcs7VerifySignerInfo(pSignerInfo, pSignedData, hThisDigest, fFlags,
hAdditionalCerts, hTrustedCerts, &ThisValidationTime,
pfnVerifyCert, fPrimaryVccFlags | RTCRPKCS7VCC_F_TIMESTAMP,
pvUser, pErrInfo);
}
else
{
rc = VINF_SUCCESS;
if (!(fFlags & RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED))
rc = rtCrPkcs7VerifyCounterSignerInfo(pSigningTimeSigner, pSignerInfo, pSignedData, fFlags,
hAdditionalCerts, hTrustedCerts, &ThisValidationTime,
pfnVerifyCert, RTCRPKCS7VCC_F_TIMESTAMP, pvUser, pErrInfo);
if (RT_SUCCESS(rc))
rc = rtCrPkcs7VerifySignerInfo(pSignerInfo, pSignedData, hThisDigest, fFlags, hAdditionalCerts,
hTrustedCerts, &ThisValidationTime,
pfnVerifyCert, fPrimaryVccFlags, pvUser, pErrInfo);
}
fDone = RT_SUCCESS(rc)
|| (fFlags & RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT);
}
else
{
rc = RTErrInfoSet(pErrInfo, VERR_INTERNAL_ERROR_3, "RTTimeImplode failed");
fDone = true;
}
}
/*
* If not luck, check for microsoft timestamp counter signatures.
*/
if (!fDone && !(fFlags & RTCRPKCS7VERIFY_SD_F_IGNORE_MS_TIMESTAMP))
{
PCRTCRPKCS7CONTENTINFO pSignedTimestamp = NULL;
pSignedTime = RTCrPkcs7SignerInfo_GetMsTimestamp(pSignerInfo, &pSignedTimestamp);
if (pSignedTime)
{
RTTIMESPEC ThisValidationTime;
if (RT_LIKELY(RTTimeImplode(&ThisValidationTime, &pSignedTime->Time)))
{
rc = VINF_SUCCESS;
if (!(fFlags & RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED))
rc = RTCrPkcs7VerifySignedData(pSignedTimestamp,
fFlags | RTCRPKCS7VERIFY_SD_F_IGNORE_MS_TIMESTAMP
| RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING,
hAdditionalCerts, hTrustedCerts, &ThisValidationTime,
pfnVerifyCert, pvUser, pErrInfo);
if (RT_SUCCESS(rc))
rc = rtCrPkcs7VerifySignerInfo(pSignerInfo, pSignedData, hThisDigest, fFlags, hAdditionalCerts,
hTrustedCerts, &ThisValidationTime,
pfnVerifyCert, fPrimaryVccFlags, pvUser, pErrInfo);
fDone = RT_SUCCESS(rc)
|| (fFlags & RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT);
}
else
{
rc = RTErrInfoSet(pErrInfo, VERR_INTERNAL_ERROR_3, "RTTimeImplode failed");
fDone = true;
}
}
}
/*
* No valid signing time found, use the one specified instead.
*/
if (!fDone)
rc = rtCrPkcs7VerifySignerInfo(pSignerInfo, pSignedData, hThisDigest, fFlags, hAdditionalCerts, hTrustedCerts,
pValidationTime, pfnVerifyCert, fPrimaryVccFlags, pvUser, pErrInfo);
RTCrDigestRelease(hThisDigest);
if (RT_FAILURE(rc))
break;
}
}
else
rc = RTErrInfoSetF(pErrInfo, VERR_CR_PKCS7_DIGEST_CALC_ERROR,
"Hashing content failed unexpectedly (i=%u): %Rrc", i, rc);
/* Clean up digests. */
i = cDigests;
}
while (i-- > 0)
{
int rc2 = RTCrDigestRelease(ahDigests[i]);
AssertRC(rc2);
}
#ifdef IPRT_WITH_OPENSSL
/*
* Verify using OpenSSL and combine the results (should be identical).
*/
/** @todo figure out how to verify MS timstamp signatures using OpenSSL. */
if (fFlags & RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING)
return rc;
int rcOssl = rtCrPkcs7VerifySignedDataUsingOpenSsl(pContentInfo, fFlags, hAdditionalCerts, hTrustedCerts,
pvContent, cbContent, RT_SUCCESS(rc) ? pErrInfo : NULL);
if (RT_SUCCESS(rcOssl) && RT_SUCCESS(rc))
return rc;
// AssertMsg(RT_FAILURE_NP(rcOssl) && RT_FAILURE_NP(rc), ("%Rrc, %Rrc\n", rcOssl, rc));
if (RT_FAILURE(rc))
return rc;
return rcOssl;
#else
return rc;
#endif
}
static RTEXITCODE HandleExtractExeSignerCert(int cArgs, char **papszArgs)
{
/*
* Parse arguments.
*/
static const RTGETOPTDEF s_aOptions[] =
{
{ "--ber", 'b', RTGETOPT_REQ_NOTHING },
{ "--cer", 'c', RTGETOPT_REQ_NOTHING },
{ "--der", 'd', RTGETOPT_REQ_NOTHING },
{ "--exe", 'e', RTGETOPT_REQ_STRING },
{ "--output", 'o', RTGETOPT_REQ_STRING },
};
const char *pszExe = NULL;
const char *pszOut = NULL;
RTLDRARCH enmLdrArch = RTLDRARCH_WHATEVER;
uint32_t fCursorFlags = RTASN1CURSOR_FLAGS_DER;
RTGETOPTSTATE GetState;
int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
AssertRCReturn(rc, RTEXITCODE_FAILURE);
RTGETOPTUNION ValueUnion;
int ch;
while ((ch = RTGetOpt(&GetState, &ValueUnion)))
{
switch (ch)
{
case 'e': pszExe = ValueUnion.psz; break;
case 'o': pszOut = ValueUnion.psz; break;
case 'b': fCursorFlags = 0; break;
case 'c': fCursorFlags = RTASN1CURSOR_FLAGS_CER; break;
case 'd': fCursorFlags = RTASN1CURSOR_FLAGS_DER; break;
case 'V': return HandleVersion(cArgs, papszArgs);
case 'h': return HelpExtractExeSignerCert(g_pStdOut, RTSIGNTOOLHELP_FULL);
case VINF_GETOPT_NOT_OPTION:
if (!pszExe)
pszExe = ValueUnion.psz;
else if (!pszOut)
pszOut = ValueUnion.psz;
else
return RTMsgErrorExit(RTEXITCODE_FAILURE, "Too many file arguments: %s", ValueUnion.psz);
break;
default:
return RTGetOptPrintError(ch, &ValueUnion);
}
}
if (!pszExe)
return RTMsgErrorExit(RTEXITCODE_FAILURE, "No executable given.");
if (!pszOut)
return RTMsgErrorExit(RTEXITCODE_FAILURE, "No output file given.");
if (RTPathExists(pszOut))
return RTMsgErrorExit(RTEXITCODE_FAILURE, "The output file '%s' exists.", pszOut);
/*
* Do it.
*/
/* Open the executable image and query the PKCS7 info. */
RTLDRMOD hLdrMod;
rc = RTLdrOpen(pszExe, RTLDR_O_FOR_VALIDATION, enmLdrArch, &hLdrMod);
if (RT_FAILURE(rc))
return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error opening executable image '%s': %Rrc", pszExe, rc);
RTEXITCODE rcExit = RTEXITCODE_FAILURE;
#ifdef DEBUG
size_t cbBuf = 64;
#else
size_t cbBuf = _512K;
#endif
void *pvBuf = RTMemAlloc(cbBuf);
size_t cbRet = 0;
rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_PKCS7_SIGNED_DATA, NULL /*pvBits*/, pvBuf, cbBuf, &cbRet);
if (rc == VERR_BUFFER_OVERFLOW && cbRet < _4M && cbRet > 0)
{
RTMemFree(pvBuf);
cbBuf = cbRet;
pvBuf = RTMemAlloc(cbBuf);
rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_PKCS7_SIGNED_DATA, NULL /*pvBits*/, pvBuf, cbBuf, &cbRet);
}
if (RT_SUCCESS(rc))
{
static RTERRINFOSTATIC s_StaticErrInfo;
RTErrInfoInitStatic(&s_StaticErrInfo);
/*
* Decode the output.
*/
RTASN1CURSORPRIMARY PrimaryCursor;
RTAsn1CursorInitPrimary(&PrimaryCursor, pvBuf, (uint32_t)cbRet, &s_StaticErrInfo.Core,
&g_RTAsn1DefaultAllocator, fCursorFlags, "exe");
RTCRPKCS7CONTENTINFO Pkcs7Ci;
rc = RTCrPkcs7ContentInfo_DecodeAsn1(&PrimaryCursor.Cursor, 0, &Pkcs7Ci, "pkcs7");
if (RT_SUCCESS(rc))
{
if (RTCrPkcs7ContentInfo_IsSignedData(&Pkcs7Ci))
{
PCRTCRPKCS7SIGNEDDATA pSd = Pkcs7Ci.u.pSignedData;
if (pSd->SignerInfos.cItems == 1)
{
PCRTCRPKCS7ISSUERANDSERIALNUMBER pISN = &pSd->SignerInfos.paItems[0].IssuerAndSerialNumber;
PCRTCRX509CERTIFICATE pCert;
pCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&pSd->Certificates,
&pISN->Name, &pISN->SerialNumber);
if (pCert)
{
/*
* Write it out.
*/
RTFILE hFile;
rc = RTFileOpen(&hFile, pszOut, RTFILE_O_WRITE | RTFILE_O_DENY_WRITE | RTFILE_O_CREATE);
if (RT_SUCCESS(rc))
{
uint32_t cbCert = pCert->SeqCore.Asn1Core.cbHdr + pCert->SeqCore.Asn1Core.cb;
rc = RTFileWrite(hFile, pCert->SeqCore.Asn1Core.uData.pu8 - pCert->SeqCore.Asn1Core.cbHdr,
cbCert, NULL);
if (RT_SUCCESS(rc))
{
rc = RTFileClose(hFile);
if (RT_SUCCESS(rc))
{
hFile = NIL_RTFILE;
rcExit = RTEXITCODE_SUCCESS;
RTMsgInfo("Successfully wrote %u bytes to '%s'", cbCert, pszOut);
}
else
RTMsgError("RTFileClose failed: %Rrc", rc);
}
else
RTMsgError("RTFileWrite failed: %Rrc", rc);
RTFileClose(hFile);
}
else
RTMsgError("Error opening '%s': %Rrc", pszOut, rc);
}
else
RTMsgError("Certificate not found.");
}
else
RTMsgError("SignerInfo count: %u", pSd->SignerInfos.cItems);
}
else
RTMsgError("No PKCS7 content: ContentType=%s", Pkcs7Ci.ContentType.szObjId);
RTAsn1VtDelete(&Pkcs7Ci.SeqCore.Asn1Core);
}
else
RTMsgError("RTPkcs7ContentInfoDecodeAsn1 failed: %Rrc - %s", rc, s_StaticErrInfo.szMsg);
}
else
RTMsgError("RTLDRPROP_PKCS7_SIGNED_DATA failed on '%s': %Rrc", pszExe, rc);
RTMemFree(pvBuf);
rc = RTLdrClose(hLdrMod);
if (RT_FAILURE(rc))
rcExit = RTMsgErrorExit(RTEXITCODE_FAILURE, "RTLdrClose failed: %Rrc\n", rc);
return rcExit;
}
