I know that Microsoft now requires certain important OS components to be signed with Extended Validation (or EV) code-signing certificates (vs. Standard, or OV certs.)
I'm trying to see how to tell those two apart on a signed binary file?
My goal is to do it programmatically (for my own reporting tool.) So I found CertVerifyCertificateChainPolicy
function that has CERT_CHAIN_POLICY_EV
parameter. And absolutely no documentation on how to call it.
PS. But as a side question, apart from a programmatic way of telling them apart, is there a way to even do it in Windows Explorer? (Just for testing purposes.)
So this is the code that I came up with:
//No error checks for brevity!
HCERTSTORE hStore = NULL;
HCRYPTMSG hMsg = NULL;
CryptQueryObject(CERT_QUERY_OBJECT_FILE,
pBinaryFilePath,
CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
CERT_QUERY_FORMAT_FLAG_BINARY,
0,
NULL,
NULL,
NULL,
&hStore,
&hMsg,
NULL);
DWORD dwcbSz;
CryptMsgGetParam(hMsg, CMSG_SIGNER_INFO_PARAM, 0, NULL, &dwcbSz);
PCMSG_SIGNER_INFO pSignerInfo = (PCMSG_SIGNER_INFO)new (std::nothrow) BYTE[dwcbSz];
CryptMsgGetParam(hMsg, CMSG_SIGNER_INFO_PARAM, 0, pSignerInfo, &dwcbSz);
CERT_INFO ci = {0};
ci.Issuer = pSignerInfo->Issuer;
ci.SerialNumber = pSignerInfo->SerialNumber;
PCCERT_CONTEXT pCertContext = CertFindCertificateInStore(hStore,
ENCODING, 0, CERT_FIND_SUBJECT_CERT,
(PVOID)&ci, pCertContext);
//Check for EV cert
const char* usagesEV[] = { szOID_PKIX_KP_CODE_SIGNING };
CERT_CHAIN_PARA paramsEV = { 0 };
paramsEV.cbSize = sizeof(paramsEV);
paramsEV.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
paramsEV.RequestedUsage.Usage.cUsageIdentifier = _countof(usagesEV);
paramsEV.RequestedUsage.Usage.rgpszUsageIdentifier = (LPSTR*)usagesEV;
PCCERT_CHAIN_CONTEXT pChainEV = NULL;
if(CertGetCertificateChain(NULL, pCertContext, NULL, NULL, ¶msEV,
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, NULL, &pChainEV))
{
EV_EXTRA_CERT_CHAIN_POLICY_PARA extraPolocyRV = {0};
extraPolocyRV.cbSize = sizeof(extraPolocyRV);
extraPolocyRV.dwRootProgramQualifierFlags = CERT_ROOT_PROGRAM_FLAG_ADDRESS;
CERT_CHAIN_POLICY_PARA paramsPolicyEV = {0};
paramsPolicyEV.cbSize = sizeof(paramsPolicyEV);
paramsPolicyEV.pvExtraPolicyPara = &extraPolocyRV;
CERT_CHAIN_POLICY_STATUS policyStatusEV = {0};
policyStatusEV.cbSize = sizeof(policyStatusEV);
if(CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_EV, pChainEV,
¶msPolicyEV, (PCERT_CHAIN_POLICY_STATUS)&policyStatusEV))
{
//I'm always getting here with 'policyStatusEV.dwError' being 0x800b0110
policyStatusEV.dwError;
....
}
else
{
//Did not verify for EV -- but my code never gets here
}
}
CertFreeCertificateContext(pCertContext);
delete[] pSignerInfo;
CertCloseStore(hStore, 0);
CryptMsgClose(hMsg);
Unfortunately I'm probably not calling the EV part with the correct parameters, so it returns the same result. (See comments in the code.)
User contributions licensed under CC BY-SA 3.0