Read and validate certificate from executable


Question


I want to validate certificates of signed executable images (by validation, I mean to tell if the signature comes from MS/Adobe/Oracle etc.). Does Windows provide an API for this task? How should I do that? No idea. Any help would be appreciated. I'm using Windows and C++. I want to validate native executable images, not .NET assemblies or Java jar files.

Thanks

UPDATE


Ok, I'll try to describe what I want shortly.


1) Validate the PE certificate. Is the signature valid or not? It should work when the signature is embedded in the PE and when the signature is in a security catalog. (I found this on the Sysinternals forum and it works fine, so I don't need this one anymore.)


2) Tell who the signer/publisher of the file is. I know it can be achieved through CryptQueryObject (I found a working example, though it doesn't work with security catalogs), but I don't know how to use it with security catalog files.

Thanks again

Answer


There are many APIs and approaches for getting and verifying the signature of the executable, and for getting the other additional information which you need. The problem is which level you choose (high level like WinVerifyTrust)


The easiest first API which can be used to get a cryptography context from a CAT or EXE file is the CryptQueryObject function. The code example from KB323809 can give you the main idea of how to decode the information you need. The main difference if you work with CAT files is that you should modify some parameters of CryptQueryObject. I recommend you just use CERT_QUERY_CONTENT_FLAG_ALL and CERT_QUERY_FORMAT_FLAG_ALL, and CryptQueryObject will do all that you need internally:

#include <windows.h>
#include <wincrypt.h>

BOOL bIsSuccess;
DWORD dwEncoding, dwContentType, dwFormatType;
HCERTSTORE hStore = NULL;
HCRYPTMSG hMsg = NULL;
PVOID pvContext = NULL;

// fill szFileName: the signed .exe or the .cat file to examine
// (placeholder path, replace with your own)
LPCWSTR szFileName = L"C:\\path\\to\\signed-file.exe";

// Get message handle and store handle from the signed file.
// With the two *_FLAG_ALL values CryptQueryObject detects the
// content and format itself, so the same call works for EXE and CAT.
bIsSuccess = CryptQueryObject (CERT_QUERY_OBJECT_FILE,
                               szFileName,
                               CERT_QUERY_CONTENT_FLAG_ALL,
                               CERT_QUERY_FORMAT_FLAG_ALL,
                               0,
                               &dwEncoding,
                               &dwContentType,
                               &dwFormatType,
                               &hStore,
                               &hMsg,
                               &pvContext);

// ... examine hStore / hMsg / pvContext here ...

// Release what CryptQueryObject handed back. pvContext is only a
// certificate context when dwContentType says so (see below).
if (pvContext && dwContentType == CERT_QUERY_CONTENT_CERT)
    CertFreeCertificateContext((PCCERT_CONTEXT)pvContext);
if (hMsg)   CryptMsgClose(hMsg);
if (hStore) CertCloseStore(hStore, 0);


The value dwContentType set by CryptQueryObject will get you the basic information about the type of the file szFileName. pvContext will be a PCCERT_CONTEXT in most of the cases which you need, but it can also be a PCCRL_CONTEXT or PCCTL_CONTEXT if you use a .ctl or .crl file as the input. You will receive hStore filled with all certificates from the file szFileName. So with pvContext and hStore you can examine the file contents with CryptoAPI. If you prefer the low-level message API you can use hMsg, which will additionally be set in case of some dwContentType values (at least for CERT_QUERY_CONTENT_PKCS7_SIGNED, CERT_QUERY_CONTENT_PKCS7_UNSIGNED, CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED).


To verify the signature of the file I would recommend you use CertGetCertificateChain and CertVerifyCertificateChainPolicy to verify not only that the certificate is valid in general, but that it (and all its parents) is valid for Authenticode (szOID_PKIX_KP_CODE_SIGNING). CertGetCertificateChain can be used for different revocation scenarios. You should do two separate calls with CERT_CHAIN_POLICY_AUTHENTICODE and CERT_CHAIN_POLICY_AUTHENTICODE_TS to verify that both the Authenticode chain policy and the Authenticode Time Stamp chain policy are valid.


UPDATED: I reread your current question (the UPDATE part). Your current problem is how to get the signer/publisher of the file. So I answer only that question.


If you use the code from Sysinternals for the signature verification you should just search for the line

if ( !CryptCATCatalogInfoFromContext(CatalogContext, &InfoStruct, 0) )


The statement will set the fields of InfoStruct in case the file is a Windows system file whose signature is verified with respect to some .cat file. The field InfoStruct.wszCatalogFile will get you the name of the .cat file.


For example, on my Windows 7, if I try to verify the digital signature of the C:\Windows\explorer.exe file, the .cat where its hash can be found is C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB2515325~31bf3856ad364e35~amd64~~6.1.1.0.cat.


If you use the code from KB323809 with the parameters of CryptQueryObject described above, you will decode the SPC_SP_OPUS_INFO_OBJID ("1.3.6.1.4.1.311.2.1.12") attribute of C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB2515325~31bf3856ad364e35~amd64~~6.1.1.0.cat (see the function GetProgAndPublisherInfo) and you will know

pwszProgramName: "Windows Express Security Catalogs"
pPublisherInfo: NULL
pMoreInfo->dwLinkChoice: SPC_URL_LINK_CHOICE
pMoreInfo->pwszUrl "http://www.microsoft.com"


So no special publisher information is included for the file. If you examine the signer of the catalog you will find out that:

The signer of the .cat file: "Microsoft Windows"
The signer signed it with the certificate:
    Serial Number: 0x6115230F00000000000A
    Issuer Name: Microsoft Windows Verification PCA
    Full Issuer Name:
        CN = Microsoft Windows Verification PCA
        O = Microsoft Corporation
        L = Redmond
        S = Washington
        C = US
    Subject Name: Microsoft Windows
    Full Subject Name:
        CN = Microsoft Windows
        OU = MOPR
        O = Microsoft Corporation
        L = Redmond
        S = Washington
        C = US
The Date of TimeStamp : 28.02.2011 21:16:36
TimeStamp Certificate: 
    Serial Number: 0x6103DCF600000000000C
    Issuer Name: Microsoft Time-Stamp PCA
    Subject Name: Microsoft Time-Stamp Service


So you should use just the signer of the .cat file, because there is no other signer of explorer.exe.
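The answer's distinction between a signature embedded in the PE and a hash listed in a .cat file can be checked without CryptoAPI at all, which is useful when triaging a binary on a non-Windows analysis box. The following is an added example and not code from the answer, from KB323809 or from Sysinternals: it walks the DOS and PE headers to the security data directory (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4), which unlike the other directories holds a raw file offset, and reads the WIN_CERTIFICATE header found there. The names EmbeddedSignature, inspect_embedded_signature, describe and make_sample_pe are this example's own; the sample image is constructed here, with a placeholder payload instead of a real PKCS#7 blob. The result says nothing about trust: an embedded blob still has to be verified with WinVerifyTrust or with the CertGetCertificateChain / CertVerifyCertificateChainPolicy calls described above, and an absent one is exactly the explorer.exe case where the hash must be looked up in a catalog.

```cpp
// Added example (not from the answer): locate the embedded Authenticode signature of a PE
// file without CryptoAPI, so "embedded vs. catalog-signed" can be checked on any OS.
#include <algorithm>
#include <cstdint>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <vector>

// What the security directory (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4) told us.
struct EmbeddedSignature {
    bool parsed = false;     // headers were well-formed enough to read the directory
    bool present = false;    // a WIN_CERTIFICATE blob is referenced and fits in the file
    uint32_t offset = 0;     // file offset of the WIN_CERTIFICATE (this entry is not an RVA)
    uint32_t length = 0;     // WIN_CERTIFICATE.dwLength
    uint16_t revision = 0;   // WIN_CERTIFICATE.wRevision, 0x0200 for Authenticode
    uint16_t cert_type = 0;  // WIN_CERTIFICATE.wCertificateType, 0x0002 = PKCS#7 SignedData
    std::string error;
};

// Little-endian readers/writers; all PE fields are little-endian.
static uint16_t rd16(const std::vector<uint8_t>& b, size_t o) { return static_cast<uint16_t>(b[o] | (b[o + 1] << 8)); }
static uint32_t rd32(const std::vector<uint8_t>& b, size_t o) { return rd16(b, o) | (static_cast<uint32_t>(rd16(b, o + 2)) << 16); }
static void wr16(std::vector<uint8_t>& b, size_t o, uint16_t v) { b[o] = static_cast<uint8_t>(v); b[o + 1] = static_cast<uint8_t>(v >> 8); }
static void wr32(std::vector<uint8_t>& b, size_t o, uint32_t v) { wr16(b, o, static_cast<uint16_t>(v)); wr16(b, o + 2, static_cast<uint16_t>(v >> 16)); }

EmbeddedSignature inspect_embedded_signature(const std::vector<uint8_t>& img) {
    EmbeddedSignature r;
    // DOS header: "MZ" magic; e_lfanew at 0x3C gives the file offset of "PE\0\0".
    if (img.size() < 0x40 || rd16(img, 0) != 0x5A4D) { r.error = "not an MZ image"; return r; }
    const uint32_t pe = rd32(img, 0x3C);
    // PE signature (4) + COFF header (20) + optional header magic (2) must fit in the file.
    if (pe > img.size() || img.size() - pe < 26 || rd32(img, pe) != 0x00004550) {
        r.error = "missing PE signature"; return r;
    }
    const uint16_t opt_size = rd16(img, pe + 20);   // IMAGE_FILE_HEADER.SizeOfOptionalHeader
    const size_t opt = pe + 24;
    const uint16_t magic = rd16(img, opt);
    // Data directories start at optional-header offset 96 (PE32) or 112 (PE32+).
    size_t dirs = 0;
    if (magic == 0x10B) dirs = 96; else if (magic == 0x20B) dirs = 112;
    else { r.error = "unknown optional header magic"; return r; }
    const size_t sec = opt + dirs + 4 * 8;            // entry 4, 8 bytes: VirtualAddress, Size
    if (sec + 8 > opt + opt_size || sec + 8 > img.size()) { r.error = "no security directory"; return r; }
    r.parsed = true;
    const uint32_t off = rd32(img, sec), size = rd32(img, sec + 4);
    if (off == 0 || size == 0) return r;              // unsigned, or signed only via a .cat file
    if (size < 8 || static_cast<uint64_t>(off) + size > img.size()) {
        r.error = "security directory points outside the file"; return r;
    }
    r.offset = off;
    r.length = rd32(img, off);
    r.revision = rd16(img, off + 4);
    r.cert_type = rd16(img, off + 6);
    if (r.length < 8 || r.length > size) { r.error = "WIN_CERTIFICATE length inconsistent"; return r; }
    r.present = true;
    return r;
}

// Human-readable verdict: which verification path the file needs.
std::string describe(const EmbeddedSignature& s) {
    if (!s.error.empty()) return "cannot inspect: " + s.error;
    if (!s.present) return "no embedded signature; must be looked up in a security catalog";
    if (s.revision == 0x0200 && s.cert_type == 0x0002)
        return "embedded Authenticode signature (PKCS#7 SignedData), " + std::to_string(s.length) + " bytes";
    return "embedded certificate of unexpected type";
}

// Constructed sample (not a real binary): minimal PE32+ headers, optionally followed by
// a WIN_CERTIFICATE whose payload is a placeholder rather than a real PKCS#7 blob.
std::vector<uint8_t> make_sample_pe(bool embed_signature) {
    std::vector<uint8_t> img(0x40 + 24 + 240, 0);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img, 0x3C, 0x40);                  // e_lfanew
    img[0x40] = 'P'; img[0x41] = 'E';       // "PE\0\0"
    wr16(img, 0x40 + 20, 240);              // SizeOfOptionalHeader for PE32+
    wr16(img, 0x40 + 24, 0x20B);            // optional header magic: PE32+
    if (embed_signature) {
        const std::vector<uint8_t> payload = {0x30, 0x82, 0x01, 0x00};  // placeholder bytes
        const uint32_t off = static_cast<uint32_t>(img.size());
        const uint32_t len = 8 + static_cast<uint32_t>(payload.size());
        img.resize(off + len, 0);
        wr32(img, off, len); wr16(img, off + 4, 0x0200); wr16(img, off + 6, 0x0002);
        std::copy(payload.begin(), payload.end(), img.begin() + off + 8);
        wr32(img, 0x40 + 24 + 112 + 32, off);   // security directory: file offset
        wr32(img, 0x40 + 24 + 112 + 36, len);   // security directory: size
    }
    return img;
}

int main(int argc, char** argv) {
    std::vector<uint8_t> img = make_sample_pe(true);   // default: the constructed sample
    if (argc > 1) {                                     // or a real PE given on the command line
        std::ifstream f(argv[1], std::ios::binary);
        img.assign(std::istreambuf_iterator<char>(f), std::istreambuf_iterator<char>());
    }
    std::cout << describe(inspect_embedded_signature(img)) << "\n";
    return 0;
}
```

Run it with a file path to inspect a real image, or without arguments to see the constructed sample. A "no embedded signature" verdict is what you get for most files under C:\Windows, and it is the cue to take the catalog route from the answer (CryptCATCatalogInfoFromContext and then CryptQueryObject on the .cat file) rather than to treat the file as unsigned. The bounds checks matter in practice: a security directory pointing past the end of the file, or a dwLength that disagrees with the directory size, is a malformed or tampered image and should be reported, not silently parsed.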
