How to tell apart EV from OV code-signing certificates programmatically?

0

I know that Microsoft now requires certain important OS components to be signed with Extended Validation (or EV) code-signing certificates (vs. Standard, or OV certs.)

I'm trying to see how to tell those two apart on a signed binary file?

My goal is to do it programmatically (for my own reporting tool.) So I found CertVerifyCertificateChainPolicy function that has CERT_CHAIN_POLICY_EV parameter. And absolutely no documentation on how to call it.

PS. But as a side question, apart from a programmatic way of telling them apart, is there a way to even do it in Windows Explorer? (Just for testing purposes.)

So this is the code that I came up with:

//No error checks for brevity!

HCERTSTORE hStore = NULL;
HCRYPTMSG hMsg = NULL;

CryptQueryObject(CERT_QUERY_OBJECT_FILE,
    pBinaryFilePath,
    CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED,
    CERT_QUERY_FORMAT_FLAG_BINARY,
    0,
    NULL,
    NULL,
    NULL,
    &hStore,
    &hMsg,
    NULL);

DWORD dwcbSz;
CryptMsgGetParam(hMsg, CMSG_SIGNER_INFO_PARAM, 0, NULL, &dwcbSz);

PCMSG_SIGNER_INFO pSignerInfo = (PCMSG_SIGNER_INFO)new (std::nothrow) BYTE[dwcbSz];
CryptMsgGetParam(hMsg, CMSG_SIGNER_INFO_PARAM, 0, pSignerInfo, &dwcbSz);

CERT_INFO ci = {0};
ci.Issuer = pSignerInfo->Issuer;
ci.SerialNumber = pSignerInfo->SerialNumber;

PCCERT_CONTEXT pCertContext = CertFindCertificateInStore(hStore,
        ENCODING, 0, CERT_FIND_SUBJECT_CERT,
        (PVOID)&ci, pCertContext);


//Check for EV cert
const char* usagesEV[] = { szOID_PKIX_KP_CODE_SIGNING };

CERT_CHAIN_PARA paramsEV = { 0 };
paramsEV.cbSize = sizeof(paramsEV);
paramsEV.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
paramsEV.RequestedUsage.Usage.cUsageIdentifier = _countof(usagesEV);
paramsEV.RequestedUsage.Usage.rgpszUsageIdentifier = (LPSTR*)usagesEV;

PCCERT_CHAIN_CONTEXT pChainEV = NULL;
if(CertGetCertificateChain(NULL, pCertContext, NULL, NULL, &paramsEV, 
    CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, NULL, &pChainEV))
{
    EV_EXTRA_CERT_CHAIN_POLICY_PARA extraPolocyRV = {0};
    extraPolocyRV.cbSize = sizeof(extraPolocyRV);
    extraPolocyRV.dwRootProgramQualifierFlags = CERT_ROOT_PROGRAM_FLAG_ADDRESS;

    CERT_CHAIN_POLICY_PARA paramsPolicyEV = {0};
    paramsPolicyEV.cbSize = sizeof(paramsPolicyEV);
    paramsPolicyEV.pvExtraPolicyPara = &extraPolocyRV;

    CERT_CHAIN_POLICY_STATUS policyStatusEV = {0};
    policyStatusEV.cbSize = sizeof(policyStatusEV);

    if(CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_EV, pChainEV, 
        &paramsPolicyEV, (PCERT_CHAIN_POLICY_STATUS)&policyStatusEV))
    {
        //I'm always getting here with 'policyStatusEV.dwError' being 0x800b0110
        policyStatusEV.dwError;

        ....
    }
    else
    {
        //Did not verify for EV -- but my code never gets here
    }
}


CertFreeCertificateContext(pCertContext);
delete[] pSignerInfo;
CertCloseStore(hStore, 0);
CryptMsgClose(hMsg);

Unfortunately I'm probably not calling the EV part with the correct parameters, so it returns the same result. (See comments in the code.)

c++
winapi
code-signing
authenticode
asked on Stack Overflow Jun 26, 2018 by MikeF

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0