RTDECL(int) RTCrX509Certificate_ReadFromFile(PRTCRX509CERTIFICATE pCertificate, const char *pszFilename, uint32_t fFlags,
PCRTASN1ALLOCATORVTABLE pAllocator, PRTERRINFO pErrInfo)
{
AssertReturn(!fFlags, VERR_INVALID_FLAGS);
PCRTCRPEMSECTION pSectionHead;
int rc = RTCrPemReadFile(pszFilename, 0, g_aCertificateMarkers, RT_ELEMENTS(g_aCertificateMarkers), &pSectionHead, pErrInfo);
if (RT_SUCCESS(rc))
{
RTCRX509CERTIFICATE TmpCert;
RTASN1CURSORPRIMARY PrimaryCursor;
RTAsn1CursorInitPrimary(&PrimaryCursor, pSectionHead->pbData, (uint32_t)RT_MIN(pSectionHead->cbData, UINT32_MAX),
pErrInfo, pAllocator, RTASN1CURSOR_FLAGS_DER, RTPathFilename(pszFilename));
rc = RTCrX509Certificate_DecodeAsn1(&PrimaryCursor.Cursor, 0, &TmpCert, "Cert");
if (RT_SUCCESS(rc))
{
rc = RTCrX509Certificate_CheckSanity(&TmpCert, 0, pErrInfo, "Cert");
if (RT_SUCCESS(rc))
{
rc = RTCrX509Certificate_Clone(pCertificate, &TmpCert, &g_RTAsn1DefaultAllocator);
if (RT_SUCCESS(rc))
{
if (pSectionHead->pNext || PrimaryCursor.Cursor.cbLeft)
rc = VINF_ASN1_MORE_DATA;
}
}
RTCrX509Certificate_Delete(&TmpCert);
}
RTCrPemFreeSections(pSectionHead);
}
return rc;
}
static int rtCrStoreAddCertsFromNative(RTCRSTORE hStore, DWORD fStore, PCRTUTF16 pwszStoreName,
PFNCERTOPENSTORE pfnOpenStore, PFNCERTCLOSESTORE pfnCloseStore,
PFNCERTENUMCERTIFICATESINSTORE pfnEnumCerts, int rc, PRTERRINFO pErrInfo)
{
DWORD fOpenStore = CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG;
HCERTSTORE hNativeStore = pfnOpenStore(CERT_STORE_PROV_SYSTEM_W, PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
NULL /* hCryptProv = default */, fStore | fOpenStore, pwszStoreName);
if (hStore)
{
PCCERT_CONTEXT pCurCtx = NULL;
while ((pCurCtx = pfnEnumCerts(hNativeStore, pCurCtx)) != NULL)
{
if (pCurCtx->dwCertEncodingType & X509_ASN_ENCODING)
{
RTERRINFOSTATIC StaticErrInfo;
RTASN1CURSORPRIMARY PrimaryCursor;
RTAsn1CursorInitPrimary(&PrimaryCursor, pCurCtx->pbCertEncoded, pCurCtx->cbCertEncoded,
RTErrInfoInitStatic(&StaticErrInfo),
&g_RTAsn1DefaultAllocator, RTASN1CURSOR_FLAGS_DER, "CurCtx");
RTCRX509CERTIFICATE MyCert;
int rc2 = RTCrX509Certificate_DecodeAsn1(&PrimaryCursor.Cursor, 0, &MyCert, "Cert");
if (RT_SUCCESS(rc2))
{
rc2 = RTCrStoreCertAddEncoded(hStore, RTCRCERTCTX_F_ENC_X509_DER | RTCRCERTCTX_F_ADD_IF_NOT_FOUND,
pCurCtx->pbCertEncoded, pCurCtx->cbCertEncoded,
RTErrInfoInitStatic(&StaticErrInfo));
RTCrX509Certificate_Delete(&MyCert);
}
if (RT_FAILURE(rc2))
{
if (RTErrInfoIsSet(&StaticErrInfo.Core))
RTErrInfoAddF(pErrInfo, -rc2, " %s", StaticErrInfo.Core.pszMsg);
else
RTErrInfoAddF(pErrInfo, -rc2, " %Rrc adding cert", rc2);
rc = -rc2;
}
}
}
pfnCloseStore(hNativeStore, CERT_CLOSE_STORE_CHECK_FLAG);
}
else
{
DWORD uLastErr = GetLastError();
if (uLastErr != ERROR_FILE_NOT_FOUND)
rc = RTErrInfoAddF(pErrInfo, -RTErrConvertFromWin32(uLastErr),
" CertOpenStore(%#x,'%ls') failed: %u", fStore, pwszStoreName);
}
return rc;
}
static RTEXITCODE HandleExtractExeSignerCert(int cArgs, char **papszArgs)
{
/*
* Parse arguments.
*/
static const RTGETOPTDEF s_aOptions[] =
{
{ "--ber", 'b', RTGETOPT_REQ_NOTHING },
{ "--cer", 'c', RTGETOPT_REQ_NOTHING },
{ "--der", 'd', RTGETOPT_REQ_NOTHING },
{ "--exe", 'e', RTGETOPT_REQ_STRING },
{ "--output", 'o', RTGETOPT_REQ_STRING },
};
const char *pszExe = NULL;
const char *pszOut = NULL;
RTLDRARCH enmLdrArch = RTLDRARCH_WHATEVER;
uint32_t fCursorFlags = RTASN1CURSOR_FLAGS_DER;
RTGETOPTSTATE GetState;
int rc = RTGetOptInit(&GetState, cArgs, papszArgs, s_aOptions, RT_ELEMENTS(s_aOptions), 1, RTGETOPTINIT_FLAGS_OPTS_FIRST);
AssertRCReturn(rc, RTEXITCODE_FAILURE);
RTGETOPTUNION ValueUnion;
int ch;
while ((ch = RTGetOpt(&GetState, &ValueUnion)))
{
switch (ch)
{
case 'e': pszExe = ValueUnion.psz; break;
case 'o': pszOut = ValueUnion.psz; break;
case 'b': fCursorFlags = 0; break;
case 'c': fCursorFlags = RTASN1CURSOR_FLAGS_CER; break;
case 'd': fCursorFlags = RTASN1CURSOR_FLAGS_DER; break;
case 'V': return HandleVersion(cArgs, papszArgs);
case 'h': return HelpExtractExeSignerCert(g_pStdOut, RTSIGNTOOLHELP_FULL);
case VINF_GETOPT_NOT_OPTION:
if (!pszExe)
pszExe = ValueUnion.psz;
else if (!pszOut)
pszOut = ValueUnion.psz;
else
return RTMsgErrorExit(RTEXITCODE_FAILURE, "Too many file arguments: %s", ValueUnion.psz);
break;
default:
return RTGetOptPrintError(ch, &ValueUnion);
}
}
if (!pszExe)
return RTMsgErrorExit(RTEXITCODE_FAILURE, "No executable given.");
if (!pszOut)
return RTMsgErrorExit(RTEXITCODE_FAILURE, "No output file given.");
if (RTPathExists(pszOut))
return RTMsgErrorExit(RTEXITCODE_FAILURE, "The output file '%s' exists.", pszOut);
/*
* Do it.
*/
/* Open the executable image and query the PKCS7 info. */
RTLDRMOD hLdrMod;
rc = RTLdrOpen(pszExe, RTLDR_O_FOR_VALIDATION, enmLdrArch, &hLdrMod);
if (RT_FAILURE(rc))
return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error opening executable image '%s': %Rrc", pszExe, rc);
RTEXITCODE rcExit = RTEXITCODE_FAILURE;
#ifdef DEBUG
size_t cbBuf = 64;
#else
size_t cbBuf = _512K;
#endif
void *pvBuf = RTMemAlloc(cbBuf);
size_t cbRet = 0;
rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_PKCS7_SIGNED_DATA, NULL /*pvBits*/, pvBuf, cbBuf, &cbRet);
if (rc == VERR_BUFFER_OVERFLOW && cbRet < _4M && cbRet > 0)
{
RTMemFree(pvBuf);
cbBuf = cbRet;
pvBuf = RTMemAlloc(cbBuf);
rc = RTLdrQueryPropEx(hLdrMod, RTLDRPROP_PKCS7_SIGNED_DATA, NULL /*pvBits*/, pvBuf, cbBuf, &cbRet);
}
if (RT_SUCCESS(rc))
{
static RTERRINFOSTATIC s_StaticErrInfo;
RTErrInfoInitStatic(&s_StaticErrInfo);
/*
* Decode the output.
*/
RTASN1CURSORPRIMARY PrimaryCursor;
RTAsn1CursorInitPrimary(&PrimaryCursor, pvBuf, (uint32_t)cbRet, &s_StaticErrInfo.Core,
&g_RTAsn1DefaultAllocator, fCursorFlags, "exe");
RTCRPKCS7CONTENTINFO Pkcs7Ci;
rc = RTCrPkcs7ContentInfo_DecodeAsn1(&PrimaryCursor.Cursor, 0, &Pkcs7Ci, "pkcs7");
if (RT_SUCCESS(rc))
{
if (RTCrPkcs7ContentInfo_IsSignedData(&Pkcs7Ci))
{
PCRTCRPKCS7SIGNEDDATA pSd = Pkcs7Ci.u.pSignedData;
if (pSd->SignerInfos.cItems == 1)
{
PCRTCRPKCS7ISSUERANDSERIALNUMBER pISN = &pSd->SignerInfos.paItems[0].IssuerAndSerialNumber;
PCRTCRX509CERTIFICATE pCert;
pCert = RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(&pSd->Certificates,
&pISN->Name, &pISN->SerialNumber);
if (pCert)
{
/*
* Write it out.
*/
RTFILE hFile;
rc = RTFileOpen(&hFile, pszOut, RTFILE_O_WRITE | RTFILE_O_DENY_WRITE | RTFILE_O_CREATE);
if (RT_SUCCESS(rc))
{
uint32_t cbCert = pCert->SeqCore.Asn1Core.cbHdr + pCert->SeqCore.Asn1Core.cb;
rc = RTFileWrite(hFile, pCert->SeqCore.Asn1Core.uData.pu8 - pCert->SeqCore.Asn1Core.cbHdr,
cbCert, NULL);
if (RT_SUCCESS(rc))
{
rc = RTFileClose(hFile);
if (RT_SUCCESS(rc))
{
hFile = NIL_RTFILE;
rcExit = RTEXITCODE_SUCCESS;
RTMsgInfo("Successfully wrote %u bytes to '%s'", cbCert, pszOut);
}
else
RTMsgError("RTFileClose failed: %Rrc", rc);
}
else
RTMsgError("RTFileWrite failed: %Rrc", rc);
RTFileClose(hFile);
}
else
RTMsgError("Error opening '%s': %Rrc", pszOut, rc);
}
else
RTMsgError("Certificate not found.");
}
else
RTMsgError("SignerInfo count: %u", pSd->SignerInfos.cItems);
}
else
RTMsgError("No PKCS7 content: ContentType=%s", Pkcs7Ci.ContentType.szObjId);
RTAsn1VtDelete(&Pkcs7Ci.SeqCore.Asn1Core);
}
else
RTMsgError("RTPkcs7ContentInfoDecodeAsn1 failed: %Rrc - %s", rc, s_StaticErrInfo.szMsg);
}
else
RTMsgError("RTLDRPROP_PKCS7_SIGNED_DATA failed on '%s': %Rrc", pszExe, rc);
RTMemFree(pvBuf);
rc = RTLdrClose(hLdrMod);
if (RT_FAILURE(rc))
rcExit = RTMsgErrorExit(RTEXITCODE_FAILURE, "RTLdrClose failed: %Rrc\n", rc);
return rcExit;
}
