
I am receiving a pointer to memory which contains a file and I need to check if the file has an embedded certificate (digital signature) and that it is valid. In the past I used WinVerifyTrust for checking this with the WINTRUST_ACTION_GENERIC_VERIFY_V2 flag, but that is only for files on disk (I am getting the pointer to the memory from the driver before it is written to the disk). I thought of using WinVerifyTrust with the WINTRUST_BLOB_INFO structure, which according to this:

is used when calling WinVerifyTrust to verify a memory BLOB.

But unfortunately the documentation states:

Note: This structure is not currently supported for the following Inbox file formats. There may be other formats besides these that are not supported. Portable executable (such as .exe, .dll, .ocx), Cab files (.cab), Catalog files (.cat)

I was able to get the certificate of the file using the X509Certificate(byte[]) constructor in C# and even check the chain using the X509Chain.Build(X509Certificate2) function, but there are more verifications that WinVerifyTrust does that aren't included in that check (for example: checking whether the file was tampered with since it was signed).

TBD
  • A certificate is meant to be sent securely and cannot be checked for tampering. You can validate the encryption mode and if the key is valid for the algorithm, but that is about it (see example: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/adrms_sdk/machine-certificate-xml-example). Check what your real requirements are. TLS 1.0 and TLS 1.0 are no longer being used and only TLS 1.2 and TLS 1.3 are used. The encryption modes have to be compatible with TLS 1.2 and 1.3. So if you have a certificate that is using the wrong encryption mode it is bad. – jdweng Dec 08 '20 at 18:03
  • For valid encryption modes see Wikipedia: https://en.wikipedia.org/wiki/Transport_Layer_Security – jdweng Dec 08 '20 at 18:04
  • @jdweng I am talking about the certificate embedded in the PE file (thanks to your comment I edited my original post to specify that). The checks I am interested in are specifically the checks mentioned in the "Certificate Processing" and "Calculating PE Image Hash" sections in this document: Windows Authenticode portable executable signature format http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/authenticode_pe.docx – TBD Dec 09 '20 at 10:25
  • What is an embedded certificate? Do you mean a signed document? A certificate contains a private key so embedding a key in a certificate is like giving a thief the key to your house. – jdweng Dec 09 '20 at 10:59
  • Yes, the digital signature of a file – TBD Dec 15 '20 at 14:13
  • Use the Verify method. The Verify method does a virtual connection (creates a server) to test the certificate and then creates a client to connect to the server using the certificate. See: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.verify?view=net-5.0 It will also check if the TLS version is compatible since the virtual connection will use HTTPS and TLS. – jdweng Dec 15 '20 at 14:24
  • I've seen in my searches that Verify is not robust enough and it is recommended to check using WinVerifyTrust. See here for example (he also brings other references): https://blog.devsecurity.eu/en/blog/Authenticode-verification-vulnerability-pattern-CreateFromSignedFile – TBD Dec 15 '20 at 16:34
  • The flaw is not in the Verify method. The flaw is with CreateFromSignedFile, where it doesn't check that the data being encrypted has been modified. Which means if I took an executable and sent it to somebody in a signed certificate it doesn't mean the original unencrypted executable was tampered. So a hacker could have put a virus into the unencrypted executable and the virus would not get detected. – jdweng Dec 15 '20 at 16:59
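The tamper check the question and the Dec 09 comment refer to, the "Calculating PE Image Hash" procedure of the Authenticode spec, can be reproduced on an in-memory buffer without WinVerifyTrust. The following is an added example (not code from the question or from any Microsoft API; function names are my own): it computes the Authenticode digest of a PE image held in memory, skipping the CheckSum field, the Certificate Table directory entry and the signature blob, and extracts the embedded PKCS#7 SignedData. Comparing that digest with the one carried in the SignedData's SpcIndirectDataContent, and verifying the signature and its chain, is the remaining step and is not done here.

```python
import hashlib
import struct

def _layout(image):
    """Locate the fields Authenticode excludes from the hash, plus the section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff, opt = pe + 4, pe + 24                               # 20-byte COFF header, then the optional header
    nsect, opt_size = (struct.unpack_from("<H", image, coff + o)[0] for o in (2, 16))
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]               # data directories: PE32 vs PE32+ (KeyError otherwise)
    hdr_size = struct.unpack_from("<I", image, opt + 60)[0]   # SizeOfHeaders
    certdir = dirs + 8 * 4                                    # IMAGE_DIRECTORY_ENTRY_SECURITY == 4
    cert_off, cert_size = struct.unpack_from("<II", image, certdir)
    # (PointerToRawData, SizeOfRawData) per section, in file order as the spec requires
    sects = sorted(struct.unpack_from("<II", image, opt + opt_size + 40 * i + 16)[::-1] for i in range(nsect))
    return opt + 64, certdir, hdr_size, sects, cert_off, cert_size   # opt+64 is the CheckSum field

def authenticode_hash(image, algo="sha256"):
    """Digest the image as the spec describes: skip CheckSum and the Certificate Table
    directory entry, hash headers then sections, then trailing data minus the signature."""
    cksum, certdir, hdr_size, sects, _cert_off, cert_size = _layout(image)
    h = hashlib.new(algo)
    h.update(image[:cksum])
    h.update(image[cksum + 4:certdir])
    h.update(image[certdir + 8:hdr_size])
    hashed = hdr_size
    for ptr, size in sects:
        h.update(image[ptr:ptr + size])
        hashed += size
    extra = len(image) - hashed - cert_size                   # bytes after the sections, excluding the signature
    if extra > 0:
        h.update(image[hashed:hashed + extra])
    return h.digest()

def embedded_pkcs7(image):
    """Return the PKCS#7 SignedData from the WIN_CERTIFICATE entry, or None if unsigned."""
    cert_off, cert_size = _layout(image)[4:]
    if not cert_off or cert_off + cert_size > len(image):
        return None
    length, _rev, cert_type = struct.unpack_from("<IHH", image, cert_off)
    if cert_type != 2 or length > cert_size:                  # 2 = WIN_CERT_TYPE_PKCS_SIGNED_DATA
        return None
    return bytes(image[cert_off + 8:cert_off + length])
```

Because the CheckSum field and the signature blob are outside the digest, the same digest comes out of a signed image and of the identical image with its certificate table removed, which is what makes the comparison against the SpcIndirectDataContent hash meaningful.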
