Decode PKCS#7 Signature via Windows API?


Problem description

I wish to parse and display the contents of an Authenticode PKCS#7 signature as extracted from a Windows PE binary's Security Directory.

I can use OpenSSL to do this on the command line with "openssl pkcs7 -text -in extracted_signature.pks -inform DER -print_certs", however I need to do this via C/C++ and the Windows API. I cannot use the OpenSSL library itself.

Using the CryptDecodeObjectEx API I can begin to decode the extracted signature:

#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")

CRYPT_CONTENT_INFO * content_info = NULL;
DWORD len = 0;

if (!CryptDecodeObjectEx(
        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
        PKCS_CONTENT_INFO,
        pointer_to_extracted_signature,   // BYTE* to the DER blob taken from the security directory
        length_of_extracted_signature,
        CRYPT_DECODE_ALLOC_FLAG,          // CryptoAPI allocates content_info; release it with LocalFree()
        NULL,
        &content_info,
        &len))
{
    // handle GetLastError()
}

The above call completes successfully and content_info->pszObjId will have an OID of "1.2.840.113549.1.7.2" (szOID_RSA_signedData), however I am unable to find the structures needed to continue decoding. The available OIDs for CryptDecodeObjectEx are listed here.

Can anybody please advise how to decode an Authenticode PKCS#7 signature via the Windows API?

Solution

I have found the correct way to decode an Authenticode PKCS#7 signature is to use CryptQueryObject with the CERT_QUERY_OBJECT_BLOB and CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED flags set. Code snippet below for anybody who might need to do this.

#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")

CERT_BLOB cert_blob;
HCERTSTORE cert_store = NULL;
HCRYPTMSG cert_msg    = NULL;

cert_blob.pbData = pointer_to_extracted_signature;   // DER PKCS#7 blob from the security directory
cert_blob.cbData = length_of_extracted_signature;

if (!CryptQueryObject(
        CERT_QUERY_OBJECT_BLOB,
        &cert_blob,
        CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED,
        CERT_QUERY_FORMAT_FLAG_BINARY,
        0,
        NULL,          // pdwMsgAndCertEncodingType (not needed here)
        NULL,          // pdwContentType
        NULL,          // pdwFormatType
        &cert_store,   // store holding the certificates embedded in the SignedData
        &cert_msg,     // message handle; CryptMsgGetParam() exposes signer info, digest algorithm, etc.
        NULL))
{
    // handle GetLastError()
}

PCCERT_CONTEXT next_cert = NULL;

// Enumerates the embedded certificates only; it does not verify the signature
// against the file hash or build a trusted chain (WinVerifyTrust does that).
while( (next_cert = CertEnumCertificatesInStore( cert_store, next_cert ) ) != NULL )
{
    // process next_cert... (the enumeration releases the previous context itself)
}

CryptMsgClose( cert_msg );
CertCloseStore( cert_store, 0 );
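Both snippets start from a signature blob that has already been pulled out of the PE security directory. The following is an added example, not code from the question or the answer: a portable C routine that performs that extraction with bounds checks, plus a constructed minimal PE32 image to exercise it. The WIN_CERTIFICATE layout, the 0x0002 certificate type and the signedData OID bytes follow the PE and Authenticode specifications; the function names and the sample image's offsets are assumptions.

```c
#include <stdint.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the PE headers to data directory 4 (security) and return the payload of the first WIN_CERTIFICATE
 * of type 0x0002 (PKCS_SIGNED_DATA), i.e. the DER blob CryptQueryObject consumes. Every offset is checked
 * against len, because a crafted header can lie about all of them. */
const uint8_t *pe_find_authenticode(const uint8_t *img, size_t len, size_t *sig_len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return NULL;
    uint32_t pe = rd32(img + 0x3C); if (pe > len - 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return NULL;
    uint32_t opt = pe + 24, opt_size = rd16(img + pe + 20);            /* optional header follows the 20-byte file header */
    if (opt_size < 136 || opt_size > len - opt) return NULL;
    uint32_t dd = rd16(img + opt) == 0x10b ? 96 : rd16(img + opt) == 0x20b ? 112 : 0; /* data directories: PE32 / PE32+ */
    if (dd == 0 || opt_size < dd + 40 || rd32(img + opt + dd - 4) < 5) return NULL;   /* NumberOfRvaAndSizes */
    uint32_t off = rd32(img + opt + dd + 32), size = rd32(img + opt + dd + 36);       /* entry 4 */
    if (off == 0 || off > len || size > len - off) return NULL;        /* here "VirtualAddress" is a raw file offset */
    for (uint32_t pos = off, end = off + size; pos + 8 <= end; ) {
        uint32_t dw_length = rd32(img + pos); if (dw_length < 8 || dw_length > end - pos) return NULL;
        if (rd16(img + pos + 6) == 0x0002) { *sig_len = dw_length - 8; return img + pos + 8; }  /* bCertificate */
        pos += (dw_length + 7) & ~7u;                                   /* entries are 8-byte aligned */
    }
    return NULL;
}

/* Constructed, minimal PE32 image (not a real binary): one WIN_CERTIFICATE whose bCertificate is a
 * ContentInfo carrying only the signedData OID 1.2.840.113549.1.7.2 that the question observes. */
static const uint8_t content_info[] = { 0x30,0x0D, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02, 0xA0,0x00 };
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    const uint32_t pe = 0x40, opt = pe + 24, sec = 0x140, n = 8 + sizeof content_info;
    if (cap < sec + n) return 0; memset(buf, 0, cap);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3C, pe);
    memcpy(buf + pe, "PE\0\0", 4); buf[pe + 20] = 224;                  /* SizeOfOptionalHeader */
    buf[opt] = 0x0b; buf[opt + 1] = 0x01; wr32(buf + opt + 92, 16);    /* magic 0x10b, 16 directories */
    wr32(buf + opt + 96 + 32, sec); wr32(buf + opt + 96 + 36, n);      /* security directory: offset, size */
    wr32(buf + sec, n); buf[sec + 5] = 0x02; buf[sec + 6] = 0x02;      /* dwLength, wRevision 0x0200, type 0x0002 */
    memcpy(buf + sec + 8, content_info, sizeof content_info);
    return sec + n;
}

/* Locates the sample's blob and checks its ContentInfo OID is signedData; returns the blob length or -1. */
int sample_signature_length(void)
{
    uint8_t img[512]; size_t n = build_sample_pe(img, sizeof img), sl = 0;
    const uint8_t *sig = pe_find_authenticode(img, n, &sl);
    return (!sig || sig[0] != 0x30 || sig[2] != 0x06 || memcmp(sig + 4, content_info + 4, 9) != 0) ? -1 : (int)sl;
}
```

The pointer and length returned by pe_find_authenticode are what the snippets above call pointer_to_extracted_signature and length_of_extracted_signature.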
