RE: Validate signed executables via the certificate



I think your samples may help me. Thank you. I'll just use the
WinVerifyTrust function directly to do the verification, however I will do an
additional step. I do not want to know if it is just a valid cert, but is it
OUR valid cert? So after the chain of trust is verified I'll just read the
subject lines and make sure it is our cert, not just any cert.

Between your two examples, I think that is covered.

"Mounir IDRASSI" wrote:

Hi,

Concerning the warning on MSDN, it has been there for years now but this API
is still available (XP, Vista and Windows 7) and it behaves the same under
all these operating systems. Actually, many real-life products use it to
ensure the integrity of software components.

For WIN_CERTIFICATE, there is no pCert field on this structure so I don't
understand your question.
As I explained before, the bCertificate field of WIN_CERTIFICATE is pointing
to a PKCS#7 byte array. This array contains the signature and the associated
certificates. It's normal that you get an error if you try to pass it to a
certificate function because it is not an X509 certificate byte array.
In order to retrieve the certificates, you have to use CertOpenStore with
the flag CERT_STORE_PROV_PKCS7 and call CertFindCertificateInStore. I have
written a sample that demonstrates how you can do that. Here is the link:
http://www.idrix.fr/Root/Samples/GetExeCertificates.cpp

After this, you have to compute the digest of the correct parts of the PE
file and verify the signature contained inside the PKCS#7 data against it.
Did you manage to implement this part of the verification? I have never
implemented it myself since WinVerifyTrust does the job more easily and I am
interested in knowing the steps involved (certainly starting with
ImageGetDigestStream).

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)
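
The WIN_CERTIFICATE layout described in the quoted message, as an added example that is not part of the original posts or the linked sample: a Python parser that locates the certificate table of a PE file and returns each entry's bCertificate bytes (the PKCS#7 data). It only extracts and bounds-checks the entries and performs no signature verification; the function names, the sample image and its placeholder DER body are constructed for illustration.

```python
import struct

SECURITY_DIR = 4           # IMAGE_DIRECTORY_ENTRY_SECURITY
PKCS_SIGNED_DATA = 0x0002  # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def security_directory(pe: bytes):
    """Return (file offset, size) of the certificate table; (0, 0) if absent."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24  # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    (count,) = struct.unpack_from("<I", pe, dirs - 4)
    if count <= SECURITY_DIR:
        return 0, 0
    # Unlike the other directories, this entry holds a file offset, not an RVA.
    return struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)

def win_certificates(pe: bytes):
    """Return [(wRevision, wCertificateType, bCertificate), ...]."""
    off, size = security_directory(pe)
    end = off + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    found = []
    while off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("bad dwLength in WIN_CERTIFICATE")
        found.append((rev, ctype, pe[off + 8:off + length]))
        off += (length + 7) & ~7  # entries are 8-byte aligned
    return found

def constructed_sample() -> bytes:
    """Constructed PE32 header skeleton carrying one WIN_CERTIFICATE entry."""
    body = bytes.fromhex("3003020100")  # placeholder DER, not a real PKCS#7 blob
    entry = struct.pack("<IHH", 8 + len(body), 0x0200, PKCS_SIGNED_DATA) + body
    entry += b"\0" * (-len(entry) % 8)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * SECURITY_DIR, 312, len(entry))
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + dirs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    return dos + b"PE\0\0" + b"\0" * 20 + opt + entry
```
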
