irreversible

Verifying a digital signature (a bit trickier than using WinVerifyTrust() )

This topic is 4372 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.


I need to verify the digital signature of a DLL without the use of WinVerifyTrust() (reasons below). I understand the CryptXXX() (the MS CryptoAPI) functions are the tools for the job. Thus far, though, I've had some trouble coming up with the necessary code.

First off, why I need this:

1) while WinVerifyTrust() works splendidly in asking the user whether the signature in the DLL can be trusted, it is a bit of a disappointment when I choose to not display the user interface (you know - the dialog that asks the user if they really want to run this or that). It appears that the return value is expectable if the dialog is shown, but if it's not then WinVerifyTrust() always returns true. Not something I want.

2) I need to check the trustworthiness of a module that's already loaded into memory. No can do with WinVerifyTrust().

I know how to enumerate through all the available certificates and I think I know how to use them - this is not the problem. What I can't figure out is how to get the certificate blob from a library in memory. That is - I need to load the blob manually; to do that I need to know where it is and how big it is (in the DLL binary). From there on, I think it's possible to verify the blob using CryptoAPI: CryptHashData() seems to be able to nicely generate the hash value from memory.

What I don't know:

1) how to get the public key (do I need one? I should need one, shouldn't I...)

2) how to extract the encrypted certificate blob

3) how to match it with a system-specific certificate issuer without trying each one of them (given that I could enumerate more than one or two hundred (anyway, I lost count) of them on my system, this could be quite time-consuming)

4) if my disillusionment about the problem has clouded my judgement and I'm unable to think straight (a day in the world of cryptography is not much unlike hanging head first from the ceiling for a fortnight)

I must say I'm more than moderately confused right now, so I might be talking gibberish :)
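On the question of where the signature blob sits in the DLL binary and how big it is, the following added example (not part of the original post, and not CryptoAPI code) reads the PE headers of a file image and returns the file offset and size of the attribute certificate table, taken from data directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY in the PE format). That entry stores a file offset rather than an RVA, and the table is not mapped when the loader maps the image, so the bytes have to come from the file on disk. `find_cert_table` and `make_sample` are hypothetical names, and the sample header is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Little-endian reads/writes that do not assume alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Find the attribute certificate table (data directory 4) in a PE file read
 * from disk. Returns 0 and sets *off and *len, 1 if unsigned, -1 if malformed.
 * find_cert_table is a hypothetical helper name, not a Windows API. */
int find_cert_table(const uint8_t *f, size_t n, uint32_t *off, uint32_t *len)
{
    if (n < 0x40 || f[0] != 'M' || f[1] != 'Z') return -1;
    uint32_t pe = rd32(f + 0x3c);                    /* e_lfanew */
    if (pe > n || n - pe < 26 || memcmp(f + pe, "PE\0\0", 4)) return -1;
    size_t optlen = rd16(f + pe + 20);               /* SizeOfOptionalHeader */
    const uint8_t *opt = f + pe + 24;
    if (n - pe - 24 < optlen) return -1;
    uint16_t magic = rd16(opt);
    size_t dirs = magic == 0x10b ? 96 : magic == 0x20b ? 112 : 0; /* PE32 / PE32+ */
    if (dirs == 0 || optlen < dirs) return -1;
    if (rd32(opt + dirs - 4) < 5 || optlen < dirs + 40) return 1; /* no entry 4 */
    uint32_t o = rd32(opt + dirs + 32), l = rd32(opt + dirs + 36);
    if (o == 0 || l == 0) return 1;                  /* entry present but empty */
    if (l < 8 || o > n || l > n - o) return -1;      /* file offset, must be in file */
    if (rd32(f + o) < 8 || rd32(f + o) > l) return -1; /* WIN_CERTIFICATE.dwLength */
    *off = o; *len = l; return 0;
}

/* Constructed sample: bare PE32+ headers plus a 16-byte certificate entry
 * at file offset 0x200. Not a loadable image, just enough to parse. */
static uint8_t sample[0x210];
const uint8_t *make_sample(int is_signed)
{
    memset(sample, 0, sizeof sample);
    sample[0] = 'M'; sample[1] = 'Z';
    wr32(sample + 0x3c, 0x40);                       /* e_lfanew */
    memcpy(sample + 0x40, "PE\0\0", 4);
    sample[0x40 + 20] = 240;                         /* SizeOfOptionalHeader */
    wr32(sample + 0x58, 0x20b);                      /* optional header magic */
    wr32(sample + 0x58 + 108, 16);                   /* NumberOfRvaAndSizes */
    if (is_signed) {
        wr32(sample + 0x58 + 112 + 32, 0x200);       /* directory 4: file offset */
        wr32(sample + 0x58 + 112 + 36, 16);          /* directory 4: size */
        wr32(sample + 0x200, 16);                    /* WIN_CERTIFICATE.dwLength */
    }
    return sample;
}
```

Each entry at the returned offset is a WIN_CERTIFICATE structure whose bCertificate field carries the PKCS #7 SignedData that the CryptoAPI message functions take as input.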
