// Copyright 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "chrome/app/signature_validator_win.h" #include <atlstr.h> #include <softpub.h> #include <wincrypt.h> #include <windows.h> #include <wintrust.h> #include <algorithm> #include "base/files/file_path.h" #include "base/strings/string_number_conversions.h" #include "base/strings/string_util.h" #include "base/strings/utf_string_conversions.h" #include "base/time/time.h" #include "base/win/scoped_handle.h" #include "crypto/sha2.h" namespace { bool ExtractPublicKeyHash(const CERT_CONTEXT* cert_context, std::string* public_key_hash) { public_key_hash->clear(); CRYPT_BIT_BLOB crypt_blob = cert_context->pCertInfo->SubjectPublicKeyInfo.PublicKey; // Key blobs that are not an integral number of bytes are unsupported. if (crypt_blob.cUnusedBits != 0) return false; uint8 hash[crypto::kSHA256Length] = {}; base::StringPiece key_bytes(reinterpret_cast<char*>( crypt_blob.pbData), crypt_blob.cbData); crypto::SHA256HashString(key_bytes, hash, crypto::kSHA256Length); *public_key_hash = StringToLowerASCII(base::HexEncode(hash, arraysize(hash))); return true; } // The traits class for HCERTSTORE handles that can be closed via // CertCloseStore() API. class CertStoreHandleTraits { public: typedef HCERTSTORE Handle; // Closes the handle. static bool CloseHandle(HCERTSTORE handle) { return CertCloseStore(handle, 0) != FALSE; } // Returns true if the handle value is valid. static bool IsHandleValid(HCERTSTORE handle) { return handle != NULL; } // Returns NULL handle value. static HANDLE NullHandle() { return NULL; } private: DISALLOW_IMPLICIT_CONSTRUCTORS(CertStoreHandleTraits); }; typedef base::win::GenericScopedHandle<CertStoreHandleTraits, base::win::DummyVerifierTraits> ScopedCertStoreHandle; // Class: CertInfo // // CertInfo holds all sensible details of a certificate. During verification of // a signature, one CertInfo object is made for each certificate encountered in // the signature. class CertInfo { public: explicit CertInfo(const CERT_CONTEXT* given_cert_context) : cert_context_(NULL) { if (given_cert_context) { // CertDuplicateCertificateContext just increases reference count of a // given CERT_CONTEXT. cert_context_ = CertDuplicateCertificateContext(given_cert_context); not_valid_before_ = cert_context_->pCertInfo->NotBefore; not_valid_after_ = cert_context_->pCertInfo->NotAfter; ExtractPublicKeyHash(cert_context_, &public_key_hash_); } } ~CertInfo() { // Decrement reference count, if needed. if (cert_context_) { CertFreeCertificateContext(cert_context_); cert_context_ = NULL; } } // IsValidNow() functions returns true if this certificate is valid at this // moment, based on the validity period specified in the certificate. bool IsValidNow() const { // we cannot directly get current time in FILETIME format. // so first get it in SYSTEMTIME format and convert it into FILETIME. base::Time now = base::Time::NowFromSystemTime(); FILETIME filetime_now = now.ToFileTime(); // CompareFileTime() is a windows function return ((CompareFileTime(&filetime_now, ¬_valid_before_) > 0) && (CompareFileTime(&filetime_now, ¬_valid_after_) < 0)); } std::string public_key_hash() const { return public_key_hash_; } private: // cert_context structure, defined by Crypto API, contains all the info // about the certificate. const CERT_CONTEXT* cert_context_; // Lower-case hex SHA-256 hash of the certificate subject's public key. std::string public_key_hash_; // Validity period start-date FILETIME not_valid_before_; // Validity period end-date FILETIME not_valid_after_; }; } // namespace bool VerifyAuthenticodeSignature(const base::FilePath& signed_file) { // Don't pop up any windows const HWND window_mode = reinterpret_cast<HWND>(INVALID_HANDLE_VALUE); // Verify file & certificates using the Microsoft Authenticode Policy // Provider. GUID verification_type = WINTRUST_ACTION_GENERIC_VERIFY_V2; // Info for the file we're going to verify. WINTRUST_FILE_INFO file_info = {}; file_info.cbStruct = sizeof(file_info); file_info.pcwszFilePath = signed_file.value().c_str(); // Info for request to WinVerifyTrust. WINTRUST_DATA trust_data = {}; trust_data.cbStruct = sizeof(trust_data); trust_data.dwUIChoice = WTD_UI_NONE; // no graphics trust_data.fdwRevocationChecks = WTD_REVOKE_NONE; // no revocation checking trust_data.dwUnionChoice = WTD_CHOICE_FILE; // check a file trust_data.pFile = &file_info; // check this file trust_data.dwProvFlags = WTD_REVOCATION_CHECK_NONE; // From the WinVerifyTrust documentation: // http://msdn2.microsoft.com/en-us/library/aa388208.aspx: // "If the trust provider verifies that the subject is trusted // for the specified action, the return value is zero. No other // value besides zero should be considered a successful return." LONG result = WinVerifyTrust(window_mode, &verification_type, &trust_data); return !result; } bool VerifySignerIsGoogle(const base::FilePath& signed_file, const std::string& subject_name, const std::vector<std::string>& expected_hashes) { if (signed_file.empty()) return false; // If successful, cert_store will be populated by a store containing all the // certificates related to the file signature. HCERTSTORE cert_store = NULL; BOOL succeeded = CryptQueryObject( CERT_QUERY_OBJECT_FILE, signed_file.value().c_str(), CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED, CERT_QUERY_FORMAT_FLAG_ALL, 0, // Reserved: must be 0. NULL, NULL, NULL, &cert_store, NULL, // Do not return the message. NULL); // Do not return additional context. ScopedCertStoreHandle scoped_cert_store(cert_store); if (!succeeded || !scoped_cert_store.IsValid()) return false; PCCERT_CONTEXT cert_context_ptr = NULL; cert_context_ptr = CertFindCertificateInStore( cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR, base::UTF8ToWide(subject_name).c_str(), cert_context_ptr); // No cert found with this subject, so stop here. if (!cert_context_ptr) return false; CertInfo cert_info(cert_context_ptr); CertFreeCertificateContext(cert_context_ptr); cert_context_ptr = NULL; // Check the hashes to make sure subject isn't being faked, and the time // to make sure the cert is current. std::vector<std::string>::const_iterator it = std::find( expected_hashes.begin(), expected_hashes.end(), cert_info.public_key_hash()); if (it == expected_hashes.end() || !cert_info.IsValidNow()) return false; return true; }