如何验证我的组织是否签署了受信任的 Windows 二进制文件?
这是问题 1072540“WinVerifyTrust 检查特定签名?”的后续问题。 '。
我想编写一个 C++ 函数,我们将其命名为 TrustedByUs,其形式如下:
bool TrustedByUs(std::string pathToBinary, std::string pathToPublicKey)
我们的想法是,我们为该函数提供一个指向已使用数字签名签名的二进制 .dll 或 .exe 文件的路径。 pathToPublicKey 字符串是我们特定签名证书的公钥的路径。
使用 http://support.microsoft.com/kb/323809 中的代码非常简单转发以验证 pathToBinary 文件确实受到操作系统的信任。
现在我与问题 1072540 的作者处于同一位置,我知道操作系统信任该二进制文件的签名者,但我想知道我的组织的 RSA 密钥是否是签署该二进制文件的密钥。
KB323809 展示了如何从二进制文件中嵌入的证书中提取字符串。此示例展示了如何在其 GetProgAndPublisherInfo 函数中从签名证书中提取字符串,但我对使用字符串匹配来验证证书感到不舒服。
我想做的是从嵌入的签名中提取公钥,并将其与最初签署我的二进制文件的私钥对应的公钥进行比较。
CryptMsgGetParam 的文档表示 CMSG_SIGNER_CERT_ID_PARAM 参数“返回识别签名者公钥所需的消息签名者信息”。我成功地用这个密钥获取了证书的序列号。我的代码如下所示:
// Get message handle and store handle from the signed file.
fResult = CryptQueryObject(CERT_QUERY_OBJECT_FILE,
L"C:\\Program Files\\MySignedProgram.exe",
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
CERT_QUERY_FORMAT_FLAG_BINARY,
0, &dwEncoding, &dwContentType, &dwFormatType, &hStore, &hMsg, NULL);
// Get the public key information about the signer
// First get the size
DWORD dwCertIdSize(0);
fResult = CryptMsgGetParam(hMsg, CMSG_SIGNER_CERT_ID_PARAM,
0, NULL, &dwCertIdSize);
BYTE* pCertId = new BYTE(dwCertIdSize);
::ZeroMemory(pCertId,dwCertIdSize);
// Now get the cert info
fResult = CryptMsgGetParam(hMsg, CMSG_SIGNER_CERT_ID_PARAM,
0, (PVOID)pCertId, &dwCertIdSize);
if(fResult)
{
CERT_ID* pId = (CERT_ID*)pCertId;
pId->HashId;
pId->dwIdChoice;
pId->IssuerSerialNumber; // Valid serial number (reversed)
pId->KeyId;
_tprintf("pid\n");
}
这与我想要的很接近,但实际上我想使用签名证书的公钥来验证目标签名的二进制文件实际上是使用我的特定公钥/私钥对创建的。
使用 CMSG_ENCRYPTED_DIGEST 标志此代码成功:
// Get digest which was encrypted with the private key
DWORD digestSize(0);
fResult = CryptMsgGetParam(hMsg, CMSG_ENCRYPTED_DIGEST, 0, NULL, &digestSize);
BYTE* pDigest = new BYTE[digestSize];
// Next CryptMsgGetParam call succeds,
// pDigest looks valid, can I use this to confirm my public key
// was used to sign MySignedProgram.exe ?
fResult = CryptMsgGetParam(hMsg, CMSG_ENCRYPTED_DIGEST, 0, pDigest, &digestSize);
底线问题:鉴于 CryptQueryObject 发现的证书信息,我应该使用什么技术来确保目标文件实际上是使用与执行上述代码时可用的公钥相对应的私钥进行签名的?
This is a followup question to question 1072540, 'WinVerifyTrust to check for a specific signature?'.
I want to write a C++ function Lets call it TrustedByUs of the form:
bool TrustedByUs(std::string pathToBinary, std::string pathToPublicKey)
The idea is that we give this function a path to a binary .dll or .exe file that has been signed with a digital signature. The pathToPublicKey string is the path to a public key of our particular signing certificate.
Using the code in http://support.microsoft.com/kb/323809 it's pretty straight forward to verify that the pathToBinary file is in fact trusted by the operating system.
Now I'm in the same place as the writer of question 1072540, I know the OS trusts the signer of this binary, but I want to know if my organization's RSA key is the one that signed the binary.
The KB323809 shows how to extract the strings from certificate embedded in our binary file. This example shows how to extract strings from the signing certificate in its GetProgAndPublisherInfo function, but I'm uncomfortable using a string match to verfiy the certificate.
What I would like to do is extract the public key from the embedded signature and compare it to the public key that corresponds with the private key that signed my binary file in the first place.
The documentation for CryptMsgGetParam says that the CMSG_SIGNER_CERT_ID_PARAM
parameter 'Returns information on a message signer needed to identify the signer's public key'. I succeed in getting the certificate's serial number with this key. My code looks like this:
// Get message handle and store handle from the signed file.
fResult = CryptQueryObject(CERT_QUERY_OBJECT_FILE,
L"C:\\Program Files\\MySignedProgram.exe",
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
CERT_QUERY_FORMAT_FLAG_BINARY,
0, &dwEncoding, &dwContentType, &dwFormatType, &hStore, &hMsg, NULL);
// Get the public key information about the signer
// First get the size
DWORD dwCertIdSize(0);
fResult = CryptMsgGetParam(hMsg, CMSG_SIGNER_CERT_ID_PARAM,
0, NULL, &dwCertIdSize);
BYTE* pCertId = new BYTE(dwCertIdSize);
::ZeroMemory(pCertId,dwCertIdSize);
// Now get the cert info
fResult = CryptMsgGetParam(hMsg, CMSG_SIGNER_CERT_ID_PARAM,
0, (PVOID)pCertId, &dwCertIdSize);
if(fResult)
{
CERT_ID* pId = (CERT_ID*)pCertId;
pId->HashId;
pId->dwIdChoice;
pId->IssuerSerialNumber; // Valid serial number (reversed)
pId->KeyId;
_tprintf("pid\n");
}
This is close to what I want, but really I'd like to use the signing certificate's public key to verify that the target signed binary file was in fact created with my particular public/private key pair.
Using the CMSG_ENCRYPTED_DIGEST flag this code succeeds:
// Get digest which was encrypted with the private key
DWORD digestSize(0);
fResult = CryptMsgGetParam(hMsg, CMSG_ENCRYPTED_DIGEST, 0, NULL, &digestSize);
BYTE* pDigest = new BYTE[digestSize];
// Next CryptMsgGetParam call succeds,
// pDigest looks valid, can I use this to confirm my public key
// was used to sign MySignedProgram.exe ?
fResult = CryptMsgGetParam(hMsg, CMSG_ENCRYPTED_DIGEST, 0, pDigest, &digestSize);
Bottom line question: Given the certificate information discovered by CryptQueryObject, what technique should I used to ensure that the target file was in fact signed using the private key that corresponds to the public key that is available to me when the above code executes?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您需要使用
CMSG_SIGNER_INFO_PARAM。您可以使用它通过在
CryptQueryObject返回的证书存储中查找证书来获取整个证书:You want the
CMSG_SIGNER_INFO_PARAMinstead.You can use this to get the entire certificate by looking up the certificate in the certificate store returned by
CryptQueryObject: