0

I am working on an application, where I have to verify that 2 files are signed with the same certificate(with our certificate). If not, then abort the program.

I found in this question, what I should do:

  1. Validate the certificate chain completely to ensure integrity and authenticity of the certificate
  2. Check issuer name
  3. Check subject name
  4. Check key usage field.

So for step 1, I use WinVerifyTrust, then I read the propertys, and compare them with each other.
So far so good, but what if someone creates a certificate, and signs these two files with them? Then it will still work. I know, that if this certificate is not added as Trusted Publisher, then WinVerifyTrust will fail. But let's say, it is added as a Trusted Publisher. Then it works. Obviously I can't write the values like "my company name" in the code, and check if a property has this value.

So how do I check if it is really my certificate? If it is really a certificate which is "Trusted", not only made trusted by me or someone else?

Thanks in advance!

Community
  • 1
  • 1
kampi
  • 2,362
  • 12
  • 52
  • 91
  • possible duplicate of [WinVerifyTrust to check for a specific signature?](http://stackoverflow.com/questions/1072540/winverifytrust-to-check-for-a-specific-signature) – David Grayson Jan 05 '15 at 20:01
  • I would try to check the certificate's hash, or some other number which cannot be easily faked. – David Grayson Jan 05 '15 at 20:02
  • @DavidGrayson: That sounds good, but how do i check the hash? – kampi Jan 05 '15 at 20:28
  • @DavidGrayson: I am able to retrieve the data i need using ´CryptQueryObject´, but how do i ensure, that someone else not signs the files with his/her own certificate. What should i check to ensure that the files are signed with my certificate? The hash sound good. – kampi Jan 05 '15 at 20:36
  • Also a possible duplicate of http://stackoverflow.com/questions/17893039/what-to-use-to-check-for-a-specific-exe-file-signature – David Grayson Jan 05 '15 at 21:25
  • @DavidGrayson: The last answer you posted is what i found too. But how do i compare for example the issuer name? If i "hard code" the issuer name like "my company", the string "my company" will be visible in the binary, and can be edited with a hex editor or something. Or am i wrong? – kampi Jan 05 '15 at 21:34
  • There are a number of ways to obfuscate a string, such as XORing each byte of it with 0xFF or taking its hash, but that is way beyond the scope of your original question. Also I doubt that this new question about binary obfuscation will be useful to you, maybe you could ask that as a separate question and explain why it's important? – David Grayson Jan 05 '15 at 21:41

1 Answers1

0

If you have access to the certificate issuer (just the public key) and you trust that public key (you have acquired it by other means ---it doesn't come with the certificate you are validating, you have it already stored locally or the like--- this is the only reason to have a certificate chain) you have only to verify that the signature is valid to ensure that tha user certificate is valid. The certificate chains are only to ensure that you have one path to ensure certificate validity up to a root certificate you trust in (normally the root certificates that come with software distributions)

subject checking (or other certificate fields) is needed only in case you have different profiles or types of accounts depending on the information stored in the certificate. What use you do on subject format or fields acompanying the certificate is up to the application. Normally, people embedd information about the user account in the certificate so you can use certificates to distribute account info.

Remember that a certificate is only a public key (and some other information for whatever purpose you want it to be used to) signed by a trusted authority (this can be an intermediate certificate or a root certificate) so, once you verify the signature, you get inmediate trust on the contents. The certificate contents cannot be changed without access to the private key of the certificate issuer (to be able to sign it again) so you can trust that data in case the signature verifies ok.

How do you test if a certificate is really yours? Of course it has to be signed by a certificate issuer (this can be you or an issuer you have trust in) and verify that the issuer is that and no other certificate. In case of a corporate application you have to check that one of the signers is a certificate authority (normally for each application or application module, one or different certificate issuers are generated, each one signing user certificates that belong to that module) if you find that issuer in the certificate chain, then you can trust the certificate for the intended use.

Luis Colorado
  • 10,974
  • 1
  • 16
  • 31
  • Thanks for the great answer! The last part is what i want to do, i just don't know how to that.I know i have to call `CertGetCertificateChain` but after that i'm stuck. Maybe you have some code example, how can i do what i want? – kampi Jan 07 '15 at 14:49
  • so if you consider it an valid answer, mark it so. Comments are welcome also :) – Luis Colorado Jan 08 '15 at 08:03
  • I would, i just waited, if you have some code :) My problem is actually codeing it. I know the Logic what i should do, i just don't know how to code it. – kampi Jan 08 '15 at 08:04
  • The rule of thumb is: if you have no useful information embedded in certificate to act upon, just validate the certificate (just follow the certificate chain up to the root certificate searching for one trusted certificate) In case you find a trusted certificate, the presented one is valid and you'll have to allow access, in case it's invalid, you cannot allow access as an invalid certificate must be treated as a piece of rubish and discard the request. If you have interesting info in the certificate, use it **only in case it is valid**. – Luis Colorado Jan 08 '15 at 08:27
  • Please check my other question. Maybe you understand better what i want. http://stackoverflow.com/questions/27802413/how-to-query-the-root-certificate – kampi Jan 08 '15 at 08:32