You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3782 lines
141 KiB
3782 lines
141 KiB
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
// Copyright (C) Microsoft Corporation, 2001
|
|
//
|
|
// File: signtoolactions.cpp
|
|
//
|
|
// Contents: The SignTool console tool action functions
|
|
//
|
|
// History: 4/30/2001 SCoyne Created
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
#include <nt.h>
|
|
#include <ntrtl.h>
|
|
#include <nturtl.h>
|
|
|
|
#ifdef __cplusplus
|
|
} // Matches extern "C" above
|
|
#endif
|
|
|
|
#undef ASSERT
|
|
|
|
#include <afxdisp.h>
|
|
#include <unicode.h>
|
|
#include "signtool.h"
|
|
#include "capicom.h"
|
|
#include "resource.h"
|
|
#include <cryptuiapi.h>
|
|
#include <mscat.h>
|
|
#include <comdef.h>
|
|
#include <objbase.h>
|
|
#include <shlwapi.h>
|
|
#include <softpub.h>
|
|
#include <wow64t.h>
|
|
|
|
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
extern BOOL gDebug;
|
|
#define FormatIErrRet if (gDebug) wprintf(L"%hs (%u):\n", __FILE__, __LINE__); Format_IErrRet
|
|
#else
|
|
#define FormatIErrRet Format_IErrRet
|
|
#endif
|
|
extern HINSTANCE hModule;
|
|
|
|
void PrintCertInfo(ICertificate2 *pICert2);
|
|
void PrintCertChain(IChain *pIChain);
|
|
void PrintCertInfoIndented(ICertificate2 *pICert2, DWORD dwIndent);
|
|
void PrintSignerInfo(HANDLE hWVTStateData);
|
|
BOOL ChainsToRoot(HANDLE hWVTStateData, LPWSTR wszRootName);
|
|
BOOL HasTimestamp(HANDLE hWVTStateData);
|
|
void Format_IErrRet(WCHAR *wszFunc, DWORD dwErr);
|
|
void RegisterCAPICOM();
|
|
BOOL GetProviderType(LPWSTR pwszProvName, LPDWORD pdwProvType);
|
|
|
|
typedef BOOL (WINAPI * FUNC_CRYPTCATADMINREMOVECATALOG)(HCATADMIN, WCHAR *, DWORD);
|
|
|
|
|
|
int SignTool_CatDb(INPUTINFO *InputInfo)
|
|
{
|
|
DWORD dwDone = 0;
|
|
DWORD dwWarnings = 0;
|
|
DWORD dwErrors = 0;
|
|
DWORD dwcFound;
|
|
WIN32_FIND_DATAW FindFileData;
|
|
HANDLE hFind = NULL;
|
|
HRESULT hr;
|
|
PVOID OldWow64Setting;
|
|
WCHAR wszTempFileName[MAX_PATH];
|
|
WCHAR wszCanonicalFileName[MAX_PATH];
|
|
LPWSTR wszTemp;
|
|
int LastSlash;
|
|
HCATADMIN hCatAdmin = NULL;
|
|
HCATINFO hCatInfo = NULL;
|
|
CATALOG_INFO CatInfo;
|
|
HMODULE hModWintrust = NULL;
|
|
FUNC_CRYPTCATADMINREMOVECATALOG fnCryptCATAdminRemoveCatalog = NULL;
|
|
|
|
|
|
|
|
|
|
// Initialization:
|
|
if (!(CryptCATAdminAcquireContext(&hCatAdmin, &InputInfo->CatDbGuid, 0)))
|
|
{
|
|
FormatErrRet(L"CryptCATAdminAcquireContext", GetLastError());
|
|
return 1; // Error
|
|
}
|
|
|
|
switch (InputInfo->CatDbCommand)
|
|
{
|
|
case RemoveCat:
|
|
// Attempt to fill the function pointer dynamically.
|
|
// CryptCATAdminRemoveCatalog was introduced in XP.
|
|
if (hModWintrust = GetModuleHandleA("wintrust.dll"))
|
|
{
|
|
fnCryptCATAdminRemoveCatalog = (FUNC_CRYPTCATADMINREMOVECATALOG)
|
|
GetProcAddress(hModWintrust, "CryptCATAdminRemoveCatalog");
|
|
if (fnCryptCATAdminRemoveCatalog == NULL)
|
|
{
|
|
dwErrors++;
|
|
ResErr(IDS_ERR_REM_CAT_PLATFORM);
|
|
goto CatDbCleanupAndExit;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
dwErrors++;
|
|
FormatErrRet(L"GetModuleHandle", GetLastError());
|
|
goto CatDbCleanupAndExit;
|
|
}
|
|
// Got the function pointer.
|
|
|
|
// Loop over the catalogs to remove
|
|
for (DWORD i=0; i<InputInfo->NumFiles; i++)
|
|
{
|
|
// Check for slashes and wildcards. They are not allowed.
|
|
if (wcspbrk(InputInfo->rgwszFileNames[i], L"/\\*?") != NULL)
|
|
{
|
|
// This won't work, so bail out now with a helpful message
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_CATALOG_NAME, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResFormatOut(IDS_INFO_REMOVING_CAT, InputInfo->rgwszFileNames[i]);
|
|
}
|
|
|
|
if (!fnCryptCATAdminRemoveCatalog(hCatAdmin, InputInfo->rgwszFileNames[i], 0))
|
|
{
|
|
dwErrors++;
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
switch (hr = GetLastError())
|
|
{
|
|
case ERROR_NOT_FOUND:
|
|
ResFormatErr(IDS_ERR_CAT_NOT_FOUND, InputInfo->rgwszFileNames[i]);
|
|
break;
|
|
default:
|
|
FormatErrRet(L"CryptCATAdminRemoveCatalog", hr);
|
|
}
|
|
}
|
|
ResFormatErr(IDS_ERR_REMOVING_CAT, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
|
|
// Successfully removed the catalog
|
|
dwDone++;
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
ResFormatOut(IDS_INFO_REMOVED_CAT, InputInfo->rgwszFileNames[i]);
|
|
}
|
|
}
|
|
// Done Removing catalogs
|
|
break;
|
|
|
|
case AddUniqueCat:
|
|
case UpdateCat:
|
|
// Check if we are in the 32-bit Emulator on a 64-bit system
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
OldWow64Setting = Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
|
|
// Loop over the files and Add/Update them:
|
|
for (DWORD i=0; i<InputInfo->NumFiles; i++)
|
|
{
|
|
// Find the last slash in the path specification:
|
|
LastSlash = 0;
|
|
for (DWORD s=0; s<wcslen(InputInfo->rgwszFileNames[i]); s++)
|
|
{
|
|
if ((wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L"\\", 1) == 0) ||
|
|
(wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L"/", 1) == 0) ||
|
|
(wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L":", 1) == 0))
|
|
{
|
|
// Set LastSlash to the character after the last slash:
|
|
LastSlash = s + 1;
|
|
}
|
|
}
|
|
wcsncpy(wszTempFileName, InputInfo->rgwszFileNames[i], MAX_PATH);
|
|
wszTempFileName[MAX_PATH-1] = L'\0';
|
|
|
|
dwcFound = 0;
|
|
hFind = FindFirstFileU(InputInfo->rgwszFileNames[i], &FindFileData);
|
|
if (hFind == INVALID_HANDLE_VALUE)
|
|
{
|
|
// No files found matching that name
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
do
|
|
{
|
|
if (!(FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
|
|
{
|
|
dwcFound++; // Increment number of files (not dirs) found
|
|
// matching this filespec
|
|
// Copy the filename on after the last slash:
|
|
wcsncpy(&(wszTempFileName[LastSlash]),
|
|
FindFileData.cFileName, MAX_PATH-LastSlash);
|
|
wszTempFileName[MAX_PATH-1] = L'\0';
|
|
// Canonicalize:
|
|
if (PathIsRelativeW(wszCanonicalFileName))
|
|
{
|
|
// We need to make it an Absolute path for the CAT API.
|
|
WCHAR wszTempFileName2[MAX_PATH];
|
|
if (GetCurrentDirectoryW(MAX_PATH, wszTempFileName2) &&
|
|
PathAppendW(wszTempFileName2, wszTempFileName))
|
|
{
|
|
PathCanonicalizeW(wszCanonicalFileName, wszTempFileName2);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
PathCanonicalizeW(wszCanonicalFileName, wszTempFileName);
|
|
}
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection for our current file only
|
|
Wow64SetFilesystemRedirectorEx(wszCanonicalFileName);
|
|
}
|
|
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResFormatOut(IDS_INFO_ADDING_CAT, wszTempFileName);
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
wprintf(L"\tCanonical Filename: %s\n", wszCanonicalFileName);
|
|
wprintf(L"\tFindFile.cFileName: %s\n", FindFileData.cFileName);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
// Add the catalog
|
|
if (InputInfo->CatDbCommand == UpdateCat)
|
|
{
|
|
hCatInfo = CryptCATAdminAddCatalog(hCatAdmin,
|
|
wszCanonicalFileName,
|
|
FindFileData.cFileName,
|
|
0);
|
|
}
|
|
else // CatDbCommand must equal AddUniqueCat
|
|
{
|
|
hCatInfo = CryptCATAdminAddCatalog(hCatAdmin,
|
|
wszCanonicalFileName,
|
|
NULL, // Don't specify the name
|
|
0);
|
|
}
|
|
|
|
// Check for failure
|
|
if (hCatInfo == NULL)
|
|
{
|
|
dwErrors++;
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
switch (hr = GetLastError())
|
|
{
|
|
case ERROR_BAD_FORMAT:
|
|
ResFormatErr(IDS_ERR_CAT_NOT_FOUND, wszTempFileName);
|
|
break;
|
|
default:
|
|
FormatErrRet(L"CryptCATAdminAddCatalog", hr);
|
|
}
|
|
}
|
|
ResFormatErr(IDS_ERR_ADDING_CAT, wszTempFileName);
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
continue;
|
|
}
|
|
|
|
dwDone++;
|
|
|
|
// Print success message
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
if (InputInfo->CatDbCommand == UpdateCat)
|
|
{
|
|
ResFormatOut(IDS_INFO_ADDED_CAT, wszTempFileName);
|
|
}
|
|
else // CatDbCommand must equal AddUniqueCat
|
|
{
|
|
if (CryptCATCatalogInfoFromContext(hCatInfo, &CatInfo, 0))
|
|
{
|
|
wszTemp = wcsstr(CatInfo.wszCatalogFile, L"\\");
|
|
if (wszTemp == NULL)
|
|
{
|
|
wszTemp = CatInfo.wszCatalogFile;
|
|
}
|
|
ResFormatOut(IDS_INFO_ADDED_CAT_AS, wszTempFileName, wszTemp);
|
|
}
|
|
}
|
|
}
|
|
|
|
// Close the Catalog Info Context
|
|
CryptCATAdminReleaseCatalogContext(hCatAdmin, hCatInfo, 0);
|
|
}
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
} while (FindNextFileU(hFind, &FindFileData));
|
|
if (dwcFound == 0) // No files were found matching this filespec
|
|
{ // this will only fire if only directories were found.
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
FindClose(hFind);
|
|
hFind = NULL;
|
|
}
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Re-ensable WOW64 file-system redirection
|
|
Wow64SetFilesystemRedirectorEx(OldWow64Setting);
|
|
}
|
|
// Done Adding/Updating catalogs
|
|
break;
|
|
|
|
default:
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
goto CatDbCleanupAndExit;
|
|
}
|
|
|
|
|
|
CatDbCleanupAndExit:
|
|
|
|
//Print Summary Information:
|
|
if (InputInfo->Verbose || (!InputInfo->Quiet && (dwErrors || dwWarnings)))
|
|
{
|
|
wprintf(L"\n");
|
|
if (InputInfo->Verbose || dwDone)
|
|
switch (InputInfo->CatDbCommand)
|
|
{
|
|
case AddUniqueCat:
|
|
case UpdateCat:
|
|
ResFormatOut(IDS_INFO_CATS_ADDED, dwDone);
|
|
break;
|
|
case RemoveCat:
|
|
ResFormatOut(IDS_INFO_CATS_REMOVED, dwDone);
|
|
break;
|
|
default:
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
}
|
|
// Commented out because no warnings are possible in this function yet:
|
|
// if (InputInfo->Verbose || dwWarnings)
|
|
// ResFormatOut(IDS_INFO_WARNINGS, dwWarnings);
|
|
if (InputInfo->Verbose || dwErrors)
|
|
ResFormatOut(IDS_INFO_ERRORS, dwErrors);
|
|
}
|
|
|
|
CryptCATAdminReleaseContext(hCatAdmin, 0);
|
|
|
|
if (dwErrors)
|
|
return 1; // Error
|
|
if (dwWarnings)
|
|
return 2; // Warning
|
|
if (dwDone)
|
|
return 0; // Success
|
|
|
|
// One of the above returns should fire, so
|
|
// this should never happen:
|
|
ResErr(IDS_ERR_NO_FILES_DONE);
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
return 1; // Error
|
|
}
|
|
|
|
|
|
|
|
int SignTool_Sign(INPUTINFO *InputInfo)
|
|
{
|
|
DWORD dwcFound;
|
|
DWORD dwDone = 0;
|
|
DWORD dwWarnings = 0;
|
|
DWORD dwErrors = 0;
|
|
DWORD dwTemp;
|
|
WIN32_FIND_DATAW FindFileData;
|
|
HANDLE hFind = NULL;
|
|
HCERTSTORE hStore = NULL;
|
|
HRESULT hr;
|
|
WCHAR wszTempFileName[MAX_PATH];
|
|
WCHAR wszSHA1[41];
|
|
ICertificate2 *pICert2Selected = NULL;
|
|
ICertificate2 *pICert2Temp = NULL;
|
|
ICertificates *pICerts = NULL;
|
|
ICertificates2 *pICerts2Original = NULL;
|
|
ICertificates2 *pICerts2Selected = NULL;
|
|
ICertificates2 *pICerts2Temp = NULL;
|
|
ISignedCode *pISignedCode = NULL;
|
|
ISigner2 *pISigner2 = NULL;
|
|
ICSigner *pICSigner = NULL;
|
|
IStore2 *pIStore2 = NULL;
|
|
IStore2 *pIStore2Temp = NULL;
|
|
ICertStore *pICertStore = NULL;
|
|
IPrivateKey *pIPrivateKey = NULL;
|
|
IUtilities *pIUtils = NULL;
|
|
PVOID OldWow64Setting;
|
|
DATE dateBest;
|
|
DATE dateTemp;
|
|
COleDateTime DateTime;
|
|
VARIANT varTemp;
|
|
VARIANT_BOOL boolTemp;
|
|
COleVariant cvarTemp;
|
|
#ifdef SIGNTOOL_DEBUG
|
|
CAPICOM_PROV_TYPE provtypeTemp;
|
|
CAPICOM_KEY_SPEC keyspecTemp;
|
|
#endif
|
|
BSTR bstrTemp;
|
|
BSTR bstrTemp2;
|
|
int LastSlash;
|
|
long longTemp;
|
|
|
|
// Initialize COM:
|
|
if ((hr = CoInitialize(NULL)) != S_OK)
|
|
{
|
|
FormatErrRet(L"CoInitialize", hr);
|
|
return 1; // Error
|
|
}
|
|
VariantInit(&varTemp);
|
|
|
|
|
|
// Create the store object, and check if CAPICOM is installed.
|
|
hr = CoCreateInstance(__uuidof(Store), NULL, CLSCTX_ALL,
|
|
__uuidof(IStore2), (LPVOID*)&pIStore2);
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
// In this case, give it one more chance:
|
|
RegisterCAPICOM();
|
|
hr = CoCreateInstance(__uuidof(Store), NULL, CLSCTX_ALL,
|
|
__uuidof(IStore2), (LPVOID*)&pIStore2);
|
|
}
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"CoCreateInstance", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
|
|
// Open the Store and Original Certificates2 collection
|
|
if (InputInfo->wszCertFile)
|
|
{
|
|
// Get the cert from a file, so open the file as a store:
|
|
if ((bstrTemp = SysAllocString(L"SignToolTemporaryPFXMemoryStore")) == NULL)
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
hr = pIStore2->Open(CAPICOM_MEMORY_STORE,
|
|
bstrTemp, // Store Name
|
|
CAPICOM_STORE_OPEN_READ_WRITE);
|
|
SysFreeString(bstrTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"IStore2::Open", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// Set the BSTRs needed for the Load call
|
|
bstrTemp = SysAllocString(InputInfo->wszCertFile);
|
|
if (bstrTemp == NULL)
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
if (InputInfo->wszPassword)
|
|
{
|
|
bstrTemp2 = SysAllocString(InputInfo->wszPassword);
|
|
}
|
|
else
|
|
{
|
|
bstrTemp2 = SysAllocString(L"");
|
|
}
|
|
if (bstrTemp2 == NULL)
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// Load the Cert File into the new Memory Store:
|
|
hr = pIStore2->Load(bstrTemp, // Filename
|
|
bstrTemp2, // Password
|
|
CAPICOM_KEY_STORAGE_DEFAULT);
|
|
if (InputInfo->wszPassword)
|
|
{
|
|
// Wipe both copies of the password. We're done with it.
|
|
SecureZeroMemory(bstrTemp2, wcslen(bstrTemp2) * sizeof(WCHAR));
|
|
SecureZeroMemory(InputInfo->wszPassword,
|
|
wcslen(InputInfo->wszPassword) * sizeof(WCHAR));
|
|
}
|
|
SysFreeString(bstrTemp);
|
|
SysFreeString(bstrTemp2);
|
|
|
|
if (FAILED(hr)) // Check return value of Load command above
|
|
{
|
|
switch (HRESULT_CODE(hr))
|
|
{
|
|
case ERROR_INVALID_PASSWORD:
|
|
ResErr(IDS_ERR_PFX_BAD_PASSWORD);
|
|
break;
|
|
case ERROR_FILE_NOT_FOUND:
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->wszCertFile);
|
|
break;
|
|
case ERROR_SHARING_VIOLATION:
|
|
ResErr(IDS_ERR_SHARING_VIOLATION);
|
|
break;
|
|
default:
|
|
FormatIErrRet(L"IStore2::Load", hr);
|
|
ResFormatErr(IDS_ERR_CERT_FILE, InputInfo->wszCertFile);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// The store is Open and Loaded. Now get the Certificates collection:
|
|
hr = pIStore2->get_Certificates(&pICerts);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"IStore2::get_Certificates", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
// And then get the Certificates2 interface:
|
|
hr = pICerts->QueryInterface(__uuidof(ICertificates2),
|
|
(LPVOID*)&pICerts2Original);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"ICertificates::QueryInterface", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
// Release the Certificates interface:
|
|
pICerts->Release();
|
|
pICerts = NULL;
|
|
}
|
|
else
|
|
{
|
|
// Get the cert from a store, so open the requested store:
|
|
if (InputInfo->wszStoreName)
|
|
{
|
|
bstrTemp = SysAllocString(InputInfo->wszStoreName);
|
|
}
|
|
else
|
|
{
|
|
bstrTemp = SysAllocString(L"My");
|
|
}
|
|
if (bstrTemp == NULL)
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
hr = pIStore2->Open(InputInfo->OpenMachineStore?
|
|
CAPICOM_LOCAL_MACHINE_STORE:
|
|
CAPICOM_CURRENT_USER_STORE,
|
|
bstrTemp,
|
|
CAPICOM_STORE_OPEN_MODE(
|
|
CAPICOM_STORE_OPEN_READ_ONLY |
|
|
CAPICOM_STORE_OPEN_EXISTING_ONLY));
|
|
if (FAILED(hr))
|
|
{
|
|
switch (HRESULT_CODE(hr))
|
|
{
|
|
case ERROR_FILE_NOT_FOUND:
|
|
case ERROR_INVALID_NAME:
|
|
ResFormatErr(IDS_ERR_STORE_NOT_FOUND, bstrTemp);
|
|
break;
|
|
default:
|
|
FormatIErrRet(L"IStore2::Open", hr);
|
|
ResFormatErr(IDS_ERR_STORE, bstrTemp);
|
|
}
|
|
SysFreeString(bstrTemp);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
SysFreeString(bstrTemp);
|
|
// The store is open. Now get the Certificates collection:
|
|
hr = pIStore2->get_Certificates(&pICerts);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"IStore2::get_Certificates", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
// And then get the Certificates2 interface:
|
|
hr = pICerts->QueryInterface(__uuidof(ICertificates2),
|
|
(LPVOID*)&pICerts2Original);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"ICertificates::QueryInterface", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
// Release the Certificates interface:
|
|
pICerts->Release();
|
|
pICerts = NULL;
|
|
}
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
hr = pICerts2Original->get_Count(&longTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_Count", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
wprintf(L"\nThe following certificates were considered:\n");
|
|
for (long l=1; l <= longTemp; l++)
|
|
{
|
|
hr = pICerts2Original->get_Item(l, &varTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_Item", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// And then get the Certificate2 interface:
|
|
hr = varTemp.pdispVal->QueryInterface(__uuidof(ICertificate2),
|
|
(LPVOID*)&pICert2Temp);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"IDispatch::QueryInterface", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
PrintCertInfo(pICert2Temp);
|
|
pICert2Temp->Release();
|
|
pICert2Temp = NULL;
|
|
VariantClear(&varTemp);
|
|
}
|
|
}
|
|
#endif
|
|
|
|
|
|
// We now have an open Cert2 collection in pICerts2Original.
|
|
// Find the certs we want from that Certificates2 collection:
|
|
|
|
// Start by narrowing it down to those with the right EKU:
|
|
// This cannot be bypassed, because we don't want to sign with certs
|
|
// that aren't valid for code signing. The user has to explicitly choose
|
|
// a different EKU if they want to sign with an invalid cert.
|
|
if (InputInfo->wszEKU)
|
|
{
|
|
cvarTemp = InputInfo->wszEKU;
|
|
}
|
|
else
|
|
{
|
|
cvarTemp.SetString(CAPICOM_OID_CODE_SIGNING, VT_BSTR);
|
|
}
|
|
hr = pICerts2Original->Find(CAPICOM_CERTIFICATE_FIND_APPLICATION_POLICY,
|
|
cvarTemp,
|
|
FALSE,
|
|
&pICerts2Selected);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::Find", hr);
|
|
cvarTemp.Clear();
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
cvarTemp.Clear();
|
|
|
|
|
|
|
|
// We now have pICerts2Selected, containing all certs with the right EKU.
|
|
// Now filter based on whatever additional criteria were presented:
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
hr = pICerts2Selected->get_Count(&longTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_Count", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
wprintf(L"After EKU filter, %ld certs were left.\n", longTemp);
|
|
}
|
|
#endif
|
|
|
|
// Filtering on Hash
|
|
if (InputInfo->SHA1.cbData == 20)
|
|
{
|
|
for (DWORD d = 0; d < 20; d++)
|
|
{
|
|
swprintf(&wszSHA1[d*2], L"%02X", InputInfo->SHA1.pbData[d]);
|
|
}
|
|
cvarTemp = wszSHA1;
|
|
hr = pICerts2Selected->Find(CAPICOM_CERTIFICATE_FIND_SHA1_HASH,
|
|
cvarTemp,
|
|
FALSE,
|
|
&pICerts2Temp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::Find", hr);
|
|
cvarTemp.Clear();
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
cvarTemp.Clear();
|
|
pICerts2Selected->Release();
|
|
pICerts2Selected = pICerts2Temp;
|
|
pICerts2Temp = NULL;
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
hr = pICerts2Selected->get_Count(&longTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_Count", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
wprintf(L"After Hash filter, %ld certs were left.\n", longTemp);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
|
|
// Filtering on SubjectName:
|
|
if (InputInfo->wszSubjectName)
|
|
{
|
|
cvarTemp = InputInfo->wszSubjectName;
|
|
hr = pICerts2Selected->Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME,
|
|
cvarTemp,
|
|
FALSE,
|
|
&pICerts2Temp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::Find", hr);
|
|
cvarTemp.Clear();
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
cvarTemp.Clear();
|
|
pICerts2Selected->Release();
|
|
pICerts2Selected = pICerts2Temp;
|
|
pICerts2Temp = NULL;
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
hr = pICerts2Selected->get_Count(&longTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_Count", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
wprintf(L"After Subject Name filter, %ld certs were left.\n", longTemp);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
// Filtering on IssuerName:
|
|
if (InputInfo->wszIssuerName)
|
|
{
|
|
cvarTemp = InputInfo->wszIssuerName;
|
|
hr = pICerts2Selected->Find(CAPICOM_CERTIFICATE_FIND_ISSUER_NAME,
|
|
cvarTemp,
|
|
FALSE,
|
|
&pICerts2Temp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::Find", hr);
|
|
cvarTemp.Clear();
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
cvarTemp.Clear();
|
|
pICerts2Selected->Release();
|
|
pICerts2Selected = pICerts2Temp;
|
|
pICerts2Temp = NULL;
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
hr = pICerts2Selected->get_Count(&longTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_Count", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
wprintf(L"After Issuer Name filter, %ld certs were left.\n", longTemp);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
// Filtering on TemplateName:
|
|
if (InputInfo->wszTemplateName)
|
|
{
|
|
cvarTemp = InputInfo->wszTemplateName;
|
|
hr = pICerts2Selected->Find(CAPICOM_CERTIFICATE_FIND_TEMPLATE_NAME,
|
|
cvarTemp,
|
|
FALSE,
|
|
&pICerts2Temp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::Find", hr);
|
|
cvarTemp.Clear();
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
cvarTemp.Clear();
|
|
pICerts2Selected->Release();
|
|
pICerts2Selected = pICerts2Temp;
|
|
pICerts2Temp = NULL;
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
hr = pICerts2Selected->get_Count(&longTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_Count", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
wprintf(L"After Template Name filter, %ld certs were left.\n", longTemp);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
// Filtering on those with Private Keys.
|
|
if (InputInfo->wszCSP == NULL) // Only if we aren't specifying the key
|
|
{
|
|
cvarTemp = (long)CAPICOM_PROPID_KEY_PROV_INFO;
|
|
hr = pICerts2Selected->Find(CAPICOM_CERTIFICATE_FIND_EXTENDED_PROPERTY,
|
|
cvarTemp,
|
|
FALSE,
|
|
&pICerts2Temp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::Find", hr);
|
|
cvarTemp.Clear();
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
cvarTemp.Clear();
|
|
pICerts2Selected->Release();
|
|
pICerts2Selected = pICerts2Temp;
|
|
pICerts2Temp = NULL;
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
hr = pICerts2Selected->get_Count(&longTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_Count", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
wprintf(L"After Private Key filter, %ld certs were left.\n", longTemp);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
// Filtering on RootName:
|
|
if (InputInfo->wszRootName)
|
|
{
|
|
cvarTemp = InputInfo->wszRootName;
|
|
hr = pICerts2Selected->Find(CAPICOM_CERTIFICATE_FIND_ROOT_NAME,
|
|
cvarTemp,
|
|
FALSE,
|
|
&pICerts2Temp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::Find", hr);
|
|
cvarTemp.Clear();
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
cvarTemp.Clear();
|
|
pICerts2Selected->Release();
|
|
pICerts2Selected = pICerts2Temp;
|
|
pICerts2Temp = NULL;
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
hr = pICerts2Selected->get_Count(&longTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_Count", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
wprintf(L"After Root Name filter, %ld certs were left.\n", longTemp);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
// Make sure we have a single cert:
|
|
hr = pICerts2Selected->get_Count(&longTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_Count", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
if (longTemp == 0)
|
|
{
|
|
// No certificates found
|
|
ResErr(IDS_ERR_NO_CERT);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
else if (longTemp == 1)
|
|
{
|
|
// We have exactly one certificate.
|
|
// Get that certificate:
|
|
hr = pICerts2Selected->get_Item(1, &varTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_Item", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// And then get the Certificate2 interface:
|
|
hr = varTemp.pdispVal->QueryInterface(__uuidof(ICertificate2),
|
|
(LPVOID*)&pICert2Selected);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"IDispatch::QueryInterface", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
VariantClear(&varTemp);
|
|
}
|
|
else if (longTemp > 1)
|
|
{
|
|
// We have too many certs. Maybe we can select automatically
|
|
if (InputInfo->CatDbSelect)
|
|
{
|
|
// Let's select automatically
|
|
dateBest = 0;
|
|
for (long l=1; l <= longTemp; l++)
|
|
{
|
|
if (SUCCEEDED(pICerts2Selected->get_Item(l, &varTemp)))
|
|
{
|
|
hr = varTemp.pdispVal->QueryInterface(__uuidof(ICertificate2),
|
|
(LPVOID*)&pICert2Temp);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"IDispatch::QueryInterface", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
VariantClear(&varTemp);
|
|
hr = pICert2Temp->get_ValidToDate(&dateTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates2::get_ValidToDate", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
if (dateTemp > dateBest)
|
|
{
|
|
dateBest = dateTemp;
|
|
if (pICert2Selected)
|
|
{
|
|
pICert2Selected->Release();
|
|
}
|
|
pICert2Selected = pICert2Temp;
|
|
pICert2Temp = NULL;
|
|
}
|
|
else
|
|
{
|
|
pICert2Temp->Release();
|
|
pICert2Temp = NULL;
|
|
}
|
|
}
|
|
}
|
|
if ((dateBest == 0) || (pICert2Selected == NULL))
|
|
{
|
|
// Somehow we had at least one certificate,
|
|
// but its date wasn't greater than zero
|
|
// This should never happen.
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// We can't select automatically.
|
|
// Report the Error and list all valid certs:
|
|
ResErr(IDS_ERR_CERT_MULTIPLE);
|
|
for (long l=1; l <= longTemp; l++)
|
|
{
|
|
if (SUCCEEDED(pICerts2Selected->get_Item(l, &varTemp)))
|
|
{
|
|
// Get the Certificate2 interface:
|
|
hr = varTemp.pdispVal->QueryInterface(__uuidof(ICertificate2),
|
|
(LPVOID*)&pICert2Temp);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"IDispatch::QueryInterface", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
// Print the Certificate Information:
|
|
PrintCertInfo(pICert2Temp);
|
|
pICert2Temp->Release();
|
|
pICert2Temp = NULL;
|
|
VariantClear(&varTemp);
|
|
}
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// longTemp was negative. This should never happen.
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
|
|
|
|
// Our signing certificate is now in pICert2Selected
|
|
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResOut(IDS_INFO_CERT_SELECTED);
|
|
PrintCertInfo(pICert2Selected);
|
|
}
|
|
|
|
// Check for Private Key info
|
|
if (InputInfo->wszCSP && InputInfo->wszContainerName)
|
|
{
|
|
// We must add the Private Key info to the cert.
|
|
if (!InputInfo->wszCertFile)
|
|
{
|
|
// If we didn't open our certs from a file, we opened a registry
|
|
// store read-only. So that we don't modify that cert, we should
|
|
// create a temporary memory store and copy the cert there
|
|
// before we modify its private key info.
|
|
|
|
// Create a new memory Store:
|
|
hr = CoCreateInstance(__uuidof(Store), NULL, CLSCTX_ALL,
|
|
__uuidof(IStore2), (LPVOID*)&pIStore2Temp);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"CoCreateInstance", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
bstrTemp = SysAllocString(L"SignToolTemporaryMemoryStore");
|
|
if (bstrTemp == NULL)
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
hr = pIStore2Temp->Open(CAPICOM_MEMORY_STORE,
|
|
bstrTemp,
|
|
CAPICOM_STORE_OPEN_READ_WRITE);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"IStore2::Open", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
// Add our cert to that store:
|
|
hr = pIStore2Temp->Add(pICert2Selected);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"IStore2::Add", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
// Release our Interface to the Cert in the old Store:
|
|
pICert2Selected->Release();
|
|
pICert2Selected = NULL;
|
|
|
|
// Get the Certificates Collection from the new Store:
|
|
hr = pIStore2Temp->get_Certificates(&pICerts);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"IStore2::get_Certificates", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// Get the Certificate Object from the Certificates collection:
|
|
hr = pICerts->get_Item(1, &varTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificates::get_Item", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// Get the Certificate2 interface of our selected Cert in the new Store:
|
|
hr = varTemp.pdispVal->QueryInterface(__uuidof(ICertificate2), (LPVOID*)&pICert2Selected);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"IDispatch::QueryInterface", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
VariantClear(&varTemp);
|
|
pICerts->Release();
|
|
pICerts = NULL;
|
|
}
|
|
|
|
// Now the Cert is free to be modified.
|
|
|
|
|
|
// Create the Private Key object:
|
|
hr = CoCreateInstance(__uuidof(PrivateKey), NULL, CLSCTX_ALL,
|
|
__uuidof(IPrivateKey), (LPVOID*)&pIPrivateKey);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"CoCreateInstance", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// Setup Private Key info:
|
|
bstrTemp = SysAllocString(InputInfo->wszContainerName);
|
|
bstrTemp2 = SysAllocString(InputInfo->wszCSP);
|
|
if ((bstrTemp == NULL) || (bstrTemp2 == NULL))
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// Open the specified private key:
|
|
|
|
// First try the RSA_FULL provider type:
|
|
hr = pIPrivateKey->Open(bstrTemp, // Container Name
|
|
bstrTemp2, // CSP
|
|
CAPICOM_PROV_RSA_FULL,
|
|
CAPICOM_KEY_SPEC_SIGNATURE,
|
|
CAPICOM_CURRENT_USER_STORE,
|
|
TRUE);
|
|
if (FAILED(hr) && (hr != NTE_PROV_TYPE_NO_MATCH))
|
|
hr = pIPrivateKey->Open(bstrTemp, // Container Name
|
|
bstrTemp2, // CSP
|
|
CAPICOM_PROV_RSA_FULL,
|
|
CAPICOM_KEY_SPEC_KEYEXCHANGE,
|
|
CAPICOM_CURRENT_USER_STORE,
|
|
TRUE);
|
|
if (FAILED(hr) && (hr != NTE_PROV_TYPE_NO_MATCH))
|
|
hr = pIPrivateKey->Open(bstrTemp, // Container Name
|
|
bstrTemp2, // CSP
|
|
CAPICOM_PROV_RSA_FULL,
|
|
CAPICOM_KEY_SPEC_SIGNATURE,
|
|
CAPICOM_LOCAL_MACHINE_STORE,
|
|
TRUE);
|
|
if (FAILED(hr) && (hr != NTE_PROV_TYPE_NO_MATCH))
|
|
hr = pIPrivateKey->Open(bstrTemp, // Container Name
|
|
bstrTemp2, // CSP
|
|
CAPICOM_PROV_RSA_FULL,
|
|
CAPICOM_KEY_SPEC_KEYEXCHANGE,
|
|
CAPICOM_LOCAL_MACHINE_STORE,
|
|
TRUE);
|
|
|
|
// If the provider type was wrong, then
|
|
// find the right provider type and try again:
|
|
if (hr == NTE_PROV_TYPE_NO_MATCH)
|
|
{
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
wprintf(L"Attempting to find the correct CSP Type...\n");
|
|
#endif
|
|
if (GetProviderType(bstrTemp2, &dwTemp) == FALSE)
|
|
{
|
|
// This will most likely never happen, because in order to
|
|
// get here the CSP must exist, but...
|
|
ResErr(IDS_ERR_BAD_CSP);
|
|
SysFreeString(bstrTemp);
|
|
SysFreeString(bstrTemp2);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
wprintf(L"Provider Type is: %d\n", dwTemp);
|
|
#endif
|
|
hr = pIPrivateKey->Open(bstrTemp, // Container Name
|
|
bstrTemp2, // CSP
|
|
(CAPICOM_PROV_TYPE) dwTemp,
|
|
CAPICOM_KEY_SPEC_SIGNATURE,
|
|
CAPICOM_CURRENT_USER_STORE,
|
|
TRUE);
|
|
if (FAILED(hr))
|
|
hr = pIPrivateKey->Open(bstrTemp, // Container Name
|
|
bstrTemp2, // CSP
|
|
(CAPICOM_PROV_TYPE) dwTemp,
|
|
CAPICOM_KEY_SPEC_KEYEXCHANGE,
|
|
CAPICOM_CURRENT_USER_STORE,
|
|
TRUE);
|
|
if (FAILED(hr))
|
|
hr = pIPrivateKey->Open(bstrTemp, // Container Name
|
|
bstrTemp2, // CSP
|
|
(CAPICOM_PROV_TYPE) dwTemp,
|
|
CAPICOM_KEY_SPEC_SIGNATURE,
|
|
CAPICOM_LOCAL_MACHINE_STORE,
|
|
TRUE);
|
|
if (FAILED(hr))
|
|
hr = pIPrivateKey->Open(bstrTemp, // Container Name
|
|
bstrTemp2, // CSP
|
|
(CAPICOM_PROV_TYPE) dwTemp,
|
|
CAPICOM_KEY_SPEC_KEYEXCHANGE,
|
|
CAPICOM_LOCAL_MACHINE_STORE,
|
|
TRUE);
|
|
}
|
|
SysFreeString(bstrTemp);
|
|
SysFreeString(bstrTemp2);
|
|
if (FAILED(hr))
|
|
{
|
|
switch (hr)
|
|
{
|
|
case NTE_BAD_KEYSET:
|
|
// The CSP replied that the keyset does not exist
|
|
ResErr(IDS_ERR_BAD_KEY_CONTAINER);
|
|
break;
|
|
case NTE_KEYSET_NOT_DEF:
|
|
// The CSP probably doesn't exist
|
|
ResErr(IDS_ERR_BAD_CSP);
|
|
break;
|
|
default:
|
|
FormatIErrRet(L"IPrivateKey::Open", hr);
|
|
ResErr(IDS_ERR_PRIV_KEY);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// We've got a private key. Now associate it with the Cert:
|
|
hr = pICert2Selected->put_PrivateKey(pIPrivateKey);
|
|
if (FAILED(hr))
|
|
{
|
|
switch (hr)
|
|
{
|
|
case NTE_BAD_PUBLIC_KEY:
|
|
ResErr(IDS_ERR_PRIV_KEY_MISMATCH);
|
|
break;
|
|
case E_ACCESSDENIED:
|
|
default:
|
|
FormatIErrRet(L"ICertificate2::put_PrivateKey", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
pIPrivateKey->Release();
|
|
pIPrivateKey = NULL;
|
|
}
|
|
else
|
|
{
|
|
// We don't have to add Key info, so just check that it's there:
|
|
hr = pICert2Selected->HasPrivateKey(&boolTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertificate2::HasPrivateKey", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
if (boolTemp == FALSE)
|
|
{
|
|
ResErr(IDS_ERR_CERT_NO_PRIV_KEY);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
}
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
// Print the private key info of the selected cert:
|
|
if (SUCCEEDED(pICert2Selected->get_PrivateKey(&pIPrivateKey)))
|
|
{
|
|
wprintf(L"Private Key Info:\n");
|
|
if (SUCCEEDED(pIPrivateKey->get_ProviderName(&bstrTemp)))
|
|
{
|
|
wprintf(L"\tProvider: %s\n", bstrTemp);
|
|
SysFreeString(bstrTemp);
|
|
}
|
|
if (SUCCEEDED(pIPrivateKey->get_ContainerName(&bstrTemp)))
|
|
{
|
|
wprintf(L"\tContainer: %s\n", bstrTemp);
|
|
SysFreeString(bstrTemp);
|
|
}
|
|
if (SUCCEEDED(pIPrivateKey->get_ProviderType(&provtypeTemp)))
|
|
{
|
|
wprintf(L"\tProvider Type: ");
|
|
switch (provtypeTemp)
|
|
{
|
|
case CAPICOM_PROV_RSA_FULL: wprintf(L"RSA_FULL\n"); break;
|
|
case CAPICOM_PROV_RSA_SIG: wprintf(L"RSA_SIG\n"); break;
|
|
case CAPICOM_PROV_DSS: wprintf(L"DSS\n"); break;
|
|
case CAPICOM_PROV_FORTEZZA: wprintf(L"FORTEZZA\n"); break;
|
|
case CAPICOM_PROV_MS_EXCHANGE: wprintf(L"MS_EXCHANGE\n"); break;
|
|
case CAPICOM_PROV_SSL: wprintf(L"SSL\n"); break;
|
|
case CAPICOM_PROV_RSA_SCHANNEL: wprintf(L"RSA_SCHANNEL\n"); break;
|
|
case CAPICOM_PROV_DSS_DH: wprintf(L"DSS_DH\n"); break;
|
|
case CAPICOM_PROV_EC_ECDSA_SIG: wprintf(L"EC_ECDSA_SIG\n"); break;
|
|
case CAPICOM_PROV_EC_ECNRA_SIG: wprintf(L"EC_ECNRA_SIG\n"); break;
|
|
case CAPICOM_PROV_EC_ECDSA_FULL: wprintf(L"EC_ECDSA_FULL\n"); break;
|
|
case CAPICOM_PROV_EC_ECNRA_FULL: wprintf(L"EC_ECNRA_FULL\n"); break;
|
|
case CAPICOM_PROV_DH_SCHANNEL: wprintf(L"DH_SCHANNEL\n"); break;
|
|
case CAPICOM_PROV_SPYRUS_LYNKS: wprintf(L"SPYRUS_LYNKS\n"); break;
|
|
case CAPICOM_PROV_RNG: wprintf(L"RNG\n"); break;
|
|
case CAPICOM_PROV_INTEL_SEC: wprintf(L"INTEL_SEC\n"); break;
|
|
case CAPICOM_PROV_REPLACE_OWF: wprintf(L"REPLACE_OWF\n"); break;
|
|
case CAPICOM_PROV_RSA_AES: wprintf(L"RSA_AES\n"); break;
|
|
default: wprintf(L"Unrecognized Type (0x%08X)\n", provtypeTemp);
|
|
}
|
|
}
|
|
if (SUCCEEDED(pIPrivateKey->get_KeySpec(&keyspecTemp)))
|
|
{
|
|
wprintf(L"\tKey Spec: ");
|
|
switch (keyspecTemp)
|
|
{
|
|
case CAPICOM_KEY_SPEC_KEYEXCHANGE: wprintf(L"KEYEXCHANGE\n"); break;
|
|
case CAPICOM_KEY_SPEC_SIGNATURE: wprintf(L"SIGNATURE\n"); break;
|
|
default: wprintf(L"Unrecognized (0x%08X)\n", keyspecTemp);
|
|
}
|
|
}
|
|
if (SUCCEEDED(pIPrivateKey->IsMachineKeyset(&boolTemp)))
|
|
{
|
|
wprintf(L"\tKey Set Type: ");
|
|
if (boolTemp)
|
|
wprintf(L"MACHINE\n");
|
|
else
|
|
wprintf(L"USER\n");
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
|
|
// Create the SignedCode object:
|
|
hr = CoCreateInstance(__uuidof(SignedCode), NULL, CLSCTX_ALL,
|
|
__uuidof(ISignedCode), (LPVOID*)&pISignedCode);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"CoCreateInstance", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
|
|
// Create and Build the Signer Object:
|
|
hr = CoCreateInstance(__uuidof(Signer), NULL, CLSCTX_ALL,
|
|
__uuidof(ISigner2), (LPVOID*)&pISigner2);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"CoCreateInstance", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
hr = pISigner2->put_Certificate(pICert2Selected);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ISigner2::put_Certificate", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
hr = pISigner2->put_Options(CAPICOM_CERTIFICATE_INCLUDE_CHAIN_EXCEPT_ROOT);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ISigner2::put_Options", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// If we opened our cert from a file, add that file to the Signer
|
|
// as an additional cert store for optimal chaining.
|
|
if (InputInfo->wszCertFile)
|
|
{
|
|
// Get the ICertStore interface:
|
|
hr = pIStore2->QueryInterface(__uuidof(ICertStore),
|
|
(LPVOID*)&pICertStore);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"ISigner2::QueryInterface", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// Get the HCERTSTORE of the store:
|
|
hr = pICertStore->get_StoreHandle((LONG*) &hStore);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertStore::get_StoreHandle", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// Get the ICSigner interface:
|
|
hr = pISigner2->QueryInterface(__uuidof(ICSigner),
|
|
(LPVOID*)&pICSigner);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"ISigner2::QueryInterface", hr);
|
|
}
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
// Add the HCERTSTORE handle to the Signer:
|
|
hr = pICSigner->put_AdditionalStore((LONG) hStore);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ICertStore::get_StoreHandle", hr);
|
|
dwErrors++;
|
|
goto SignCleanupAndExit;
|
|
}
|
|
|
|
//CertCloseStore(hStore, 0);
|
|
//hStore = NULL;
|
|
printf("Done Adding Additional Store\n");
|
|
}
|
|
|
|
|
|
// Check if we are in the 32-bit Emulator on a 64-bit system
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
OldWow64Setting = Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
|
|
// Loop over the files and sign them:
|
|
for (DWORD i=0; i<InputInfo->NumFiles; i++)
|
|
{
|
|
|
|
// Find the last slash in the path specification:
|
|
LastSlash = 0;
|
|
for (DWORD s=0; s<wcslen(InputInfo->rgwszFileNames[i]); s++)
|
|
{
|
|
if ((wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L"\\", 1) == 0) ||
|
|
(wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L"/", 1) == 0) ||
|
|
(wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L":", 1) == 0))
|
|
{
|
|
// Set LastSlash to the character after the last slash:
|
|
LastSlash = s + 1;
|
|
}
|
|
}
|
|
wcsncpy(wszTempFileName, InputInfo->rgwszFileNames[i], MAX_PATH);
|
|
wszTempFileName[MAX_PATH-1] = L'\0';
|
|
|
|
dwcFound = 0;
|
|
hFind = FindFirstFileU(InputInfo->rgwszFileNames[i], &FindFileData);
|
|
if (hFind == INVALID_HANDLE_VALUE)
|
|
{
|
|
// No files found matching that name
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
do
|
|
{
|
|
if (!(FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
|
|
{
|
|
dwcFound++; // Increment number of files (not dirs) found
|
|
// matching this filespec
|
|
// Copy the filename on after the last slash:
|
|
wcsncpy(&(wszTempFileName[LastSlash]),
|
|
FindFileData.cFileName, MAX_PATH-LastSlash);
|
|
wszTempFileName[MAX_PATH-1] = L'\0';
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResFormatOut(IDS_INFO_SIGN_ATTEMPT, wszTempFileName);
|
|
}
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection for our current file only
|
|
Wow64SetFilesystemRedirectorEx(wszTempFileName);
|
|
}
|
|
|
|
// Set the filename in the SignedCode object:
|
|
if ((bstrTemp = SysAllocString(wszTempFileName)) != NULL)
|
|
{
|
|
hr = pISignedCode->put_FileName(bstrTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ISignedCode::put_FileName", hr);
|
|
dwErrors++;
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
continue;
|
|
}
|
|
SysFreeString(bstrTemp);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
continue;
|
|
}
|
|
|
|
// Set the Description:
|
|
if (InputInfo->wszDescription)
|
|
{
|
|
if ((bstrTemp = SysAllocString(InputInfo->wszDescription)) != NULL)
|
|
{
|
|
hr = pISignedCode->put_Description(bstrTemp);
|
|
SysFreeString(bstrTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ISignedCode::put_Description", hr);
|
|
dwErrors++;
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
continue;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
continue;
|
|
}
|
|
}
|
|
|
|
// Set the Description URL:
|
|
if (InputInfo->wszDescURL)
|
|
{
|
|
if ((bstrTemp = SysAllocString(InputInfo->wszDescURL)) != NULL)
|
|
{
|
|
hr = pISignedCode->put_DescriptionURL(bstrTemp);
|
|
SysFreeString(bstrTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ISignedCode::put_DescriptionURL", hr);
|
|
dwErrors++;
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
continue;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
continue;
|
|
}
|
|
}
|
|
|
|
// Sign the file:
|
|
hr = pISignedCode->Sign(pISigner2);
|
|
|
|
if (SUCCEEDED(hr))
|
|
{
|
|
if (InputInfo->wszTimeStampURL)
|
|
{
|
|
bstrTemp = SysAllocString(InputInfo->wszTimeStampURL);
|
|
if (bstrTemp == NULL)
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
continue;
|
|
}
|
|
|
|
hr = pISignedCode->Timestamp(bstrTemp);
|
|
if (SUCCEEDED(hr))
|
|
{
|
|
// Signing and Timestamping succeeded
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
ResFormatOut(IDS_INFO_SIGN_SUCCESS_T,
|
|
wszTempFileName);
|
|
}
|
|
SysFreeString(bstrTemp);
|
|
dwDone++;
|
|
}
|
|
else
|
|
{
|
|
// Signing succeeded, but timestamping failed
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
switch (hr)
|
|
{
|
|
case CAPICOM_E_CODE_NOT_SIGNED:
|
|
ResErr(IDS_ERR_TIMESTAMP_NO_SIG);
|
|
break;
|
|
|
|
case CAPICOM_E_CODE_INVALID_TIMESTAMP_URL:
|
|
case CRYPT_E_ASN1_BADTAG:
|
|
ResErr(IDS_ERR_TIMESTAMP_BAD_URL);
|
|
break;
|
|
|
|
default:
|
|
FormatIErrRet(L"ISignedCode::Timestamp", hr);
|
|
}
|
|
}
|
|
ResFormatErr(IDS_WARN_SIGN_NO_TIMESTAMP,
|
|
wszTempFileName);
|
|
SysFreeString(bstrTemp);
|
|
dwWarnings++;
|
|
dwDone++;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// Signing succeeded
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
ResFormatOut(IDS_INFO_SIGN_SUCCESS,
|
|
wszTempFileName);
|
|
}
|
|
dwDone++;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// Signing Failed
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
switch (hr)
|
|
{
|
|
case TRUST_E_SUBJECT_FORM_UNKNOWN:
|
|
ResErr(IDS_ERR_SIGN_FILE_FORMAT);
|
|
break;
|
|
case E_ACCESSDENIED:
|
|
ResErr(IDS_ERR_ACCESS_DENIED);
|
|
break;
|
|
case 0x80070020: // ERROR_SHARING_VIOLATION
|
|
ResErr(IDS_ERR_SHARING_VIOLATION);
|
|
break;
|
|
case 0x800703EE: // STATUS_MAPPED_FILE_SIZE_ZERO
|
|
ResErr(IDS_ERR_FILE_SIZE_ZERO);
|
|
break;
|
|
default:
|
|
FormatIErrRet(L"ISignedCode::Sign", hr);
|
|
}
|
|
}
|
|
ResFormatErr(IDS_ERR_SIGN, wszTempFileName);
|
|
dwErrors++;
|
|
}
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
}
|
|
} while (FindNextFileU(hFind, &FindFileData));
|
|
if (dwcFound == 0) // No files were found matching this filespec
|
|
{ // this will only fire if only directories were found.
|
|
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
FindClose(hFind);
|
|
hFind = NULL;
|
|
}
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Re-ensable WOW64 file-system redirection
|
|
Wow64SetFilesystemRedirectorEx(OldWow64Setting);
|
|
}
|
|
|
|
SignCleanupAndExit:
|
|
|
|
//Print Summary Information:
|
|
if (InputInfo->Verbose || (!InputInfo->Quiet && (dwErrors || dwWarnings)))
|
|
{
|
|
wprintf(L"\n");
|
|
if (InputInfo->Verbose || dwDone)
|
|
ResFormatOut(IDS_INFO_SIGNED, dwDone);
|
|
if (InputInfo->Verbose || dwWarnings)
|
|
ResFormatOut(IDS_INFO_WARNINGS, dwWarnings);
|
|
if (InputInfo->Verbose || dwErrors)
|
|
ResFormatOut(IDS_INFO_ERRORS, dwErrors);
|
|
}
|
|
|
|
if (pISigner2)
|
|
pISigner2->Release();
|
|
if (pICSigner)
|
|
pICSigner->Release();
|
|
if (pISignedCode)
|
|
pISignedCode->Release();
|
|
if (pIPrivateKey)
|
|
pIPrivateKey->Release();
|
|
if (pICert2Selected)
|
|
pICert2Selected->Release();
|
|
if (pICert2Temp)
|
|
pICert2Temp->Release();
|
|
if (pICerts)
|
|
pICerts->Release();
|
|
if (pICerts2Original)
|
|
pICerts2Original->Release();
|
|
if (pICerts2Selected)
|
|
pICerts2Selected->Release();
|
|
if (pICerts2Temp)
|
|
pICerts2Temp->Release();
|
|
if (hStore)
|
|
CertCloseStore(hStore, 0);
|
|
if (pICertStore)
|
|
pICertStore->Release();
|
|
if (pIStore2Temp)
|
|
pIStore2Temp->Release();
|
|
if (pIStore2)
|
|
pIStore2->Release();
|
|
|
|
CoUninitialize();
|
|
|
|
if (dwErrors)
|
|
return 1; // Error
|
|
if (dwWarnings)
|
|
return 2; // Warning
|
|
if (dwDone)
|
|
return 0; // Success
|
|
|
|
// One of the above returns should fire, so
|
|
// this should never happen:
|
|
ResErr(IDS_ERR_NO_FILES_DONE);
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
return 1; // Error
|
|
}
|
|
|
|
|
|
int SignTool_SignWizard(INPUTINFO *InputInfo)
|
|
{
|
|
DWORD dwcFound;
|
|
DWORD dwDone = 0;
|
|
DWORD dwWarnings = 0;
|
|
DWORD dwErrors = 0;
|
|
WIN32_FIND_DATAW FindFileData;
|
|
HANDLE hFind = NULL;
|
|
HRESULT hr;
|
|
PVOID OldWow64Setting;
|
|
WCHAR wszTempFileName[MAX_PATH];
|
|
int LastSlash;
|
|
CRYPTUI_WIZ_DIGITAL_SIGN_INFO DigitalSignInfo;
|
|
|
|
|
|
// If no files were specified, launch the wizard without parameters:
|
|
if (InputInfo->rgwszFileNames == NULL)
|
|
{
|
|
// Set up the Wizard's struct:
|
|
ZeroMemory(&DigitalSignInfo, sizeof(CRYPTUI_WIZ_DIGITAL_SIGN_INFO));
|
|
DigitalSignInfo.dwSize = sizeof(CRYPTUI_WIZ_DIGITAL_SIGN_INFO);
|
|
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResFormatOut(IDS_INFO_SIGNWIZARD_ATTEMPT, L"<>");
|
|
}
|
|
|
|
// Invoke the Wizard:
|
|
if (CryptUIWizDigitalSign(0,
|
|
NULL,
|
|
NULL,
|
|
&DigitalSignInfo,
|
|
NULL))
|
|
{
|
|
// Success
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
ResFormatOut(IDS_INFO_SIGNWIZARD_SUCCESS, L"<>");
|
|
}
|
|
dwDone++;
|
|
}
|
|
else
|
|
{
|
|
// Failure
|
|
if (InputInfo->Verbose)
|
|
{
|
|
FormatErrRet(L"CryptUIWizDigitalSign", GetLastError());
|
|
}
|
|
ResFormatErr(IDS_ERR_SIGNWIZARD, L"<>");
|
|
dwErrors++;
|
|
}
|
|
goto SignWizardCleanupAndExit;
|
|
}
|
|
|
|
// Check if we are in the 32-bit Emulator on a 64-bit system
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
OldWow64Setting = Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
|
|
// Loop over the files and send them to the signing wizard:
|
|
for (DWORD i=0; i<InputInfo->NumFiles; i++)
|
|
{
|
|
// Find the last slash in the path specification:
|
|
LastSlash = 0;
|
|
for (DWORD s=0; s<wcslen(InputInfo->rgwszFileNames[i]); s++)
|
|
{
|
|
if ((wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L"\\", 1) == 0) ||
|
|
(wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L"/", 1) == 0) ||
|
|
(wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L":", 1) == 0))
|
|
{
|
|
// Set LastSlash to the character after the last slash:
|
|
LastSlash = s + 1;
|
|
}
|
|
}
|
|
wcsncpy(wszTempFileName, InputInfo->rgwszFileNames[i], MAX_PATH);
|
|
wszTempFileName[MAX_PATH-1] = L'\0';
|
|
|
|
dwcFound = 0;
|
|
hFind = FindFirstFileU(InputInfo->rgwszFileNames[i], &FindFileData);
|
|
if (hFind == INVALID_HANDLE_VALUE)
|
|
{
|
|
// No files found matching that name
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
do
|
|
{
|
|
if (!(FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
|
|
{
|
|
dwcFound++; // Increment number of files (not dirs) found
|
|
// matching this filespec
|
|
// Copy the filename on after the last slash:
|
|
wcsncpy(&(wszTempFileName[LastSlash]),
|
|
FindFileData.cFileName, MAX_PATH-LastSlash);
|
|
wszTempFileName[MAX_PATH-1] = L'\0';
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection for our current file only
|
|
Wow64SetFilesystemRedirectorEx(wszTempFileName);
|
|
}
|
|
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResFormatOut(IDS_INFO_SIGNWIZARD_ATTEMPT, wszTempFileName);
|
|
}
|
|
|
|
// Set up the Wizard's struct:
|
|
ZeroMemory(&DigitalSignInfo, sizeof(CRYPTUI_WIZ_DIGITAL_SIGN_INFO));
|
|
DigitalSignInfo.dwSize = sizeof(CRYPTUI_WIZ_DIGITAL_SIGN_INFO);
|
|
DigitalSignInfo.dwSubjectChoice = CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE;
|
|
DigitalSignInfo.pwszFileName = wszTempFileName;
|
|
|
|
// Invoke the Wizard:
|
|
if (CryptUIWizDigitalSign(0,
|
|
NULL,
|
|
NULL,
|
|
&DigitalSignInfo,
|
|
NULL))
|
|
{
|
|
// Success
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
ResFormatOut(IDS_INFO_SIGNWIZARD_SUCCESS,
|
|
wszTempFileName);
|
|
}
|
|
dwDone++;
|
|
}
|
|
else
|
|
{
|
|
// Failure
|
|
if (InputInfo->Verbose)
|
|
{
|
|
FormatErrRet(L"CryptUIWizDigitalSign", GetLastError());
|
|
}
|
|
ResFormatErr(IDS_ERR_SIGNWIZARD, wszTempFileName);
|
|
dwErrors++;
|
|
}
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
}
|
|
} while (FindNextFileU(hFind, &FindFileData));
|
|
if (dwcFound == 0) // No files were found matching this filespec
|
|
{ // this will only fire if only directories were found.
|
|
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
FindClose(hFind);
|
|
hFind = NULL;
|
|
}
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Re-ensable WOW64 file-system redirection
|
|
Wow64SetFilesystemRedirectorEx(OldWow64Setting);
|
|
}
|
|
|
|
SignWizardCleanupAndExit:
|
|
|
|
if (dwErrors)
|
|
return 1; // Error
|
|
if (dwWarnings)
|
|
return 2; // Warning
|
|
if (dwDone)
|
|
return 0; // Success
|
|
|
|
// One of the above returns should fire, so
|
|
// this should never happen:
|
|
ResErr(IDS_ERR_NO_FILES_DONE);
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
return 1; // Error
|
|
}
|
|
|
|
|
|
int SignTool_Timestamp(INPUTINFO *InputInfo)
|
|
{
|
|
DWORD dwcFound;
|
|
DWORD dwDone = 0;
|
|
DWORD dwWarnings = 0;
|
|
DWORD dwErrors = 0;
|
|
WIN32_FIND_DATAW FindFileData;
|
|
HANDLE hFind = NULL;
|
|
HRESULT hr;
|
|
PVOID OldWow64Setting;
|
|
WCHAR wszTempFileName[MAX_PATH];
|
|
ISignedCode *pISignedCode = NULL;
|
|
BSTR bstrTemp;
|
|
int LastSlash;
|
|
|
|
|
|
// Initialize COM:
|
|
if ((hr = CoInitialize(NULL)) != S_OK)
|
|
{
|
|
FormatErrRet(L"CoInitialize", hr);
|
|
return 1; // Error
|
|
}
|
|
|
|
if (InputInfo->wszTimeStampURL == NULL)
|
|
{
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
dwErrors++;
|
|
goto TimestampCleanupAndExit;
|
|
}
|
|
|
|
// Create the SignedCode object:
|
|
hr = CoCreateInstance(__uuidof(SignedCode), NULL, CLSCTX_ALL,
|
|
__uuidof(ISignedCode), (LPVOID*)&pISignedCode);
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
// In this case, give it one more chance:
|
|
RegisterCAPICOM();
|
|
hr = CoCreateInstance(__uuidof(SignedCode), NULL, CLSCTX_ALL,
|
|
__uuidof(ISignedCode), (LPVOID*)&pISignedCode);
|
|
}
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"CoCreateInstance", hr);
|
|
}
|
|
dwErrors++;
|
|
goto TimestampCleanupAndExit;
|
|
}
|
|
|
|
|
|
// Check if we are in the 32-bit Emulator on a 64-bit system
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
OldWow64Setting = Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
|
|
|
|
// Loop over the files and timestamp them:
|
|
for (DWORD i=0; i<InputInfo->NumFiles; i++)
|
|
{
|
|
// Find the last slash in the path specification:
|
|
LastSlash = 0;
|
|
for (DWORD s=0; s<wcslen(InputInfo->rgwszFileNames[i]); s++)
|
|
{
|
|
if ((wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L"\\", 1) == 0) ||
|
|
(wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L"/", 1) == 0) ||
|
|
(wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L":", 1) == 0))
|
|
{
|
|
// Set LastSlash to the character after the last slash:
|
|
LastSlash = s + 1;
|
|
}
|
|
}
|
|
wcsncpy(wszTempFileName, InputInfo->rgwszFileNames[i], MAX_PATH);
|
|
wszTempFileName[MAX_PATH-1] = L'\0';
|
|
|
|
dwcFound = 0;
|
|
hFind = FindFirstFileU(InputInfo->rgwszFileNames[i], &FindFileData);
|
|
if (hFind == INVALID_HANDLE_VALUE)
|
|
{
|
|
// No files found matching that name
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
do
|
|
{
|
|
if (!(FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
|
|
{
|
|
dwcFound++; // Increment number of files (not dirs) found
|
|
// matching this filespec
|
|
// Copy the filename on after the last slash:
|
|
wcsncpy(&(wszTempFileName[LastSlash]),
|
|
FindFileData.cFileName, MAX_PATH-LastSlash);
|
|
wszTempFileName[MAX_PATH-1] = L'\0';
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection for our current file only
|
|
Wow64SetFilesystemRedirectorEx(wszTempFileName);
|
|
}
|
|
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResFormatOut(IDS_INFO_TIMESTAMP_ATTEMPT, wszTempFileName);
|
|
}
|
|
// Set the filename in the SignedCode object:
|
|
if ((bstrTemp = SysAllocString(wszTempFileName)) != NULL)
|
|
{
|
|
hr = pISignedCode->put_FileName(bstrTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatIErrRet(L"ISignedCode::put_FileName", hr);
|
|
SysFreeString(bstrTemp);
|
|
dwErrors++;
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
continue;
|
|
}
|
|
SysFreeString(bstrTemp);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
continue;
|
|
}
|
|
|
|
bstrTemp = SysAllocString(InputInfo->wszTimeStampURL);
|
|
if (bstrTemp == NULL)
|
|
{
|
|
FormatErrRet(L"SysAllocString", ERROR_OUTOFMEMORY);
|
|
dwErrors++;
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
continue;
|
|
}
|
|
|
|
// Timestamp the file:
|
|
hr = pISignedCode->Timestamp(bstrTemp);
|
|
|
|
if (SUCCEEDED(hr))
|
|
{
|
|
// Timestamping succeeded
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
ResFormatOut(IDS_INFO_TIMESTAMP_SUCCESS,
|
|
wszTempFileName);
|
|
}
|
|
dwDone++;
|
|
}
|
|
else
|
|
{
|
|
// Timestamping Failed
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
switch (hr)
|
|
{
|
|
case CAPICOM_E_CODE_NOT_SIGNED:
|
|
ResErr(IDS_ERR_TIMESTAMP_NO_SIG);
|
|
break;
|
|
case CAPICOM_E_CODE_INVALID_TIMESTAMP_URL:
|
|
case CRYPT_E_ASN1_BADTAG:
|
|
ResErr(IDS_ERR_TIMESTAMP_BAD_URL);
|
|
break;
|
|
case E_ACCESSDENIED:
|
|
ResErr(IDS_ERR_ACCESS_DENIED);
|
|
break;
|
|
case 0x80070020: // ERROR_SHARING_VIOLATION
|
|
ResErr(IDS_ERR_SHARING_VIOLATION);
|
|
break;
|
|
case 0x800703EE: // STATUS_MAPPED_FILE_SIZE_ZERO
|
|
ResErr(IDS_ERR_FILE_SIZE_ZERO);
|
|
break;
|
|
default:
|
|
FormatIErrRet(L"ISignedCode::Timestamp", hr);
|
|
}
|
|
}
|
|
ResFormatErr(IDS_ERR_TIMESTAMP, wszTempFileName);
|
|
dwErrors++;
|
|
}
|
|
SysFreeString(bstrTemp);
|
|
}
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
} while (FindNextFileU(hFind, &FindFileData));
|
|
if (dwcFound == 0) // No files were found matching this filespec
|
|
{ // this will only fire if only directories were found.
|
|
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
FindClose(hFind);
|
|
hFind = NULL;
|
|
}
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Re-ensable WOW64 file-system redirection
|
|
Wow64SetFilesystemRedirectorEx(OldWow64Setting);
|
|
}
|
|
|
|
TimestampCleanupAndExit:
|
|
|
|
//Print Summary Information:
|
|
if (InputInfo->Verbose || (!InputInfo->Quiet && (dwErrors || dwWarnings)))
|
|
{
|
|
wprintf(L"\n");
|
|
if (InputInfo->Verbose || dwDone)
|
|
ResFormatOut(IDS_INFO_TIMESTAMPED, dwDone);
|
|
// Commented out because no warnings are possible in this function yet:
|
|
// if (InputInfo->Verbose || dwWarnings)
|
|
// ResFormatOut(IDS_INFO_WARNINGS, dwWarnings);
|
|
if (InputInfo->Verbose || dwErrors)
|
|
ResFormatOut(IDS_INFO_ERRORS, dwErrors);
|
|
}
|
|
|
|
if (pISignedCode)
|
|
pISignedCode->Release();
|
|
|
|
CoUninitialize();
|
|
|
|
if (dwErrors)
|
|
return 1; // Error
|
|
if (dwWarnings)
|
|
return 2; // Warning
|
|
if (dwDone)
|
|
return 0; // Success
|
|
|
|
// One of the above returns should fire, so
|
|
// this should never happen:
|
|
ResErr(IDS_ERR_NO_FILES_DONE);
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
return 1; // Error
|
|
}
|
|
|
|
|
|
void Format_IErrRet(WCHAR *wszFunc, DWORD dwErr)
|
|
{
|
|
BSTR bstrTemp;
|
|
IErrorInfo *pIErrorInfo;
|
|
|
|
if (SUCCEEDED(GetErrorInfo(0, &pIErrorInfo)))
|
|
{
|
|
if (SUCCEEDED(pIErrorInfo->GetDescription(&bstrTemp)))
|
|
{
|
|
ResFormat_Err(IDS_ERR_FUNCTION, wszFunc, dwErr, bstrTemp);
|
|
SysFreeString(bstrTemp);
|
|
}
|
|
else
|
|
{
|
|
Format_ErrRet(wszFunc, dwErr);
|
|
}
|
|
pIErrorInfo->Release();
|
|
}
|
|
else
|
|
{
|
|
Format_ErrRet(wszFunc, dwErr);
|
|
}
|
|
}
|
|
|
|
|
|
void RegisterCAPICOM()
|
|
{
|
|
typedef HRESULT (STDAPICALLTYPE *PFN_DLL_REGISTER_SERVER) (void);
|
|
|
|
WCHAR wszPath[MAX_PATH+1];
|
|
HMODULE hLib = NULL;
|
|
PFN_DLL_REGISTER_SERVER pRegFunc;
|
|
HRESULT hr;
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
wprintf(L"Attempting to register CAPICOM\n");
|
|
hr = E_UNEXPECTED; // Initialize to an Error
|
|
}
|
|
#endif
|
|
|
|
if (GetModuleFileNameU(hModule, wszPath, MAX_PATH) &&
|
|
PathRemoveFileSpecW(wszPath) &&
|
|
(wcslen(wszPath) < (MAX_PATH-12)) &&
|
|
PathAppendW(wszPath, L"\\capicom.dll"))
|
|
{
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
wprintf(L"Looking in: %s\n", wszPath);
|
|
}
|
|
#endif
|
|
hLib = LoadLibraryU(wszPath);
|
|
|
|
if (hLib != NULL)
|
|
{
|
|
pRegFunc = (PFN_DLL_REGISTER_SERVER)
|
|
GetProcAddress(hLib, "DllRegisterServer");
|
|
|
|
if (pRegFunc != NULL)
|
|
{
|
|
hr = pRegFunc();
|
|
}
|
|
#ifdef SIGNTOOL_DEBUG
|
|
else
|
|
{
|
|
wprintf(L"GetProcAddress Failed with error: 0x%08X\n", GetLastError());
|
|
}
|
|
#endif
|
|
FreeLibrary(hLib);
|
|
}
|
|
#ifdef SIGNTOOL_DEBUG
|
|
else
|
|
{
|
|
wprintf(L"LoadLibrary Failed with error: 0x%08X\n", GetLastError());
|
|
}
|
|
#endif
|
|
}
|
|
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
if (SUCCEEDED(hr))
|
|
wprintf(L"Successfully registered CAPICOM\n");
|
|
else
|
|
wprintf(L"Failed to register CAPICOM\n");
|
|
}
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
BOOL GetProviderType(LPWSTR pwszProvName, LPDWORD pdwProvType)
|
|
{
|
|
WCHAR rgProvName [MAX_PATH * sizeof(WCHAR)];
|
|
DWORD cb = sizeof(rgProvName);
|
|
DWORD dwIndex = 0;
|
|
|
|
memset(rgProvName, 0, sizeof(rgProvName));
|
|
|
|
while (CryptEnumProvidersU(
|
|
dwIndex,
|
|
NULL,
|
|
0,
|
|
pdwProvType,
|
|
rgProvName,
|
|
&cb))
|
|
{
|
|
if (0 == wcscmp(rgProvName, pwszProvName))
|
|
{
|
|
return TRUE;
|
|
}
|
|
else
|
|
{
|
|
dwIndex++;
|
|
cb = sizeof(rgProvName);
|
|
}
|
|
}
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
BOOL ChainsToRoot(HANDLE hWVTStateData, LPWSTR wszRootName)
|
|
{
|
|
CRYPT_PROVIDER_DATA *pCryptProvData;
|
|
CRYPT_PROVIDER_SGNR *pCryptProvSgnr;
|
|
ICertificates *pICerts = NULL;
|
|
ICertificate2 *pICert2 = NULL;
|
|
IChain2 *pIChain2 = NULL;
|
|
IChainContext *pIChainContext = NULL;
|
|
HRESULT hr;
|
|
LONG longRootTemp;
|
|
BSTR bstrTemp;
|
|
VARIANT varTemp;
|
|
|
|
VariantInit(&varTemp);
|
|
|
|
if (hWVTStateData == NULL)
|
|
{
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
return FALSE; // Unexpected Error
|
|
}
|
|
|
|
pCryptProvData = WTHelperProvDataFromStateData(hWVTStateData);
|
|
if (pCryptProvData == NULL)
|
|
{
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
return FALSE; // Unexpected Error
|
|
}
|
|
|
|
pCryptProvSgnr = WTHelperGetProvSignerFromChain(pCryptProvData, 0, FALSE, 0);
|
|
if (pCryptProvSgnr == NULL)
|
|
{
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
return FALSE; // Unexpected Error
|
|
}
|
|
|
|
hr = CoCreateInstance(__uuidof(Chain), NULL, CLSCTX_ALL,
|
|
__uuidof(IChainContext), (LPVOID*)&pIChainContext);
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
// In this case, give it one more chance:
|
|
RegisterCAPICOM();
|
|
hr = CoCreateInstance(__uuidof(Chain), NULL, CLSCTX_ALL,
|
|
__uuidof(IChainContext), (LPVOID*)&pIChainContext);
|
|
}
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"CoCreateInstance", hr);
|
|
}
|
|
goto ErrorCleanup;
|
|
}
|
|
|
|
// fill in the pIChain2 with the Signer:
|
|
pIChainContext->put_ChainContext((LONG)pCryptProvSgnr->pChainContext);
|
|
// This will not compile on 64-bit architechtures.
|
|
// Neither will CAPICOM, which is requiring this stupid typecast.
|
|
|
|
// And then get the Chain2 interface:
|
|
hr = pIChainContext->QueryInterface(__uuidof(IChain2),
|
|
(LPVOID*)&pIChain2);
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
// In this case, give it one more chance:
|
|
RegisterCAPICOM();
|
|
hr = pIChainContext->QueryInterface(__uuidof(IChain2),
|
|
(LPVOID*)&pIChain2);
|
|
}
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"IChainContext::QueryInterface", hr);
|
|
}
|
|
goto ErrorCleanup;
|
|
}
|
|
|
|
// Release the ChainContext interface:
|
|
pIChainContext->Release();
|
|
pIChainContext = NULL;
|
|
|
|
// Get the Certs collection from the Chain:
|
|
hr = pIChain2->get_Certificates(&pICerts);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatErrRet(L"IChain2::get_Certificates", hr);
|
|
goto ErrorCleanup;
|
|
}
|
|
pIChain2->Release();
|
|
pIChain2 = NULL;
|
|
|
|
// Get the Count in the Chain Certs list:
|
|
hr = pICerts->get_Count(&longRootTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatErrRet(L"IChain2::get_Count", hr);
|
|
goto ErrorCleanup;
|
|
}
|
|
|
|
// Sanity check:
|
|
if (longRootTemp < 1)
|
|
goto ErrorCleanup;
|
|
|
|
// Get the last cert in the chain (the Root);
|
|
hr = pICerts->get_Item(longRootTemp, &varTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatErrRet(L"IChain2::get_Item", hr);
|
|
goto ErrorCleanup;
|
|
}
|
|
pICerts->Release();
|
|
pICerts = NULL;
|
|
|
|
// Get the Certificate2 Interface:
|
|
hr = varTemp.pdispVal->QueryInterface(__uuidof(ICertificate2),
|
|
(LPVOID*)&pICert2);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatErrRet(L"ICertificate::QueryInterface", hr);
|
|
goto ErrorCleanup;
|
|
}
|
|
VariantClear(&varTemp);
|
|
|
|
// Get the Name of the Root Cert:
|
|
hr = pICert2->get_SubjectName(&bstrTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
FormatErrRet(L"ICertificate2::get_SubjectName", hr);
|
|
goto ErrorCleanup;
|
|
}
|
|
pICert2->Release();
|
|
pICert2 = NULL;
|
|
_wcslwr(bstrTemp); // The Root name passed in must also be lowercased.
|
|
if (wcsstr(bstrTemp, wszRootName) == NULL)
|
|
{
|
|
// Then this is the wrong Root Cert.
|
|
// It failed. Report Error:
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
wprintf(L"Root subject name does not match: %s\n", bstrTemp);
|
|
}
|
|
#endif
|
|
SysFreeString(bstrTemp);
|
|
return FALSE;
|
|
}
|
|
else
|
|
{
|
|
// It matched. Success.
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
wprintf(L"Root subject name matches: %s\n", bstrTemp);
|
|
}
|
|
#endif
|
|
SysFreeString(bstrTemp);
|
|
return TRUE;
|
|
}
|
|
|
|
ErrorCleanup:
|
|
if (pICert2)
|
|
pICert2->Release();
|
|
if (pICerts)
|
|
pICerts->Release();
|
|
if (pIChain2)
|
|
pIChain2->Release();
|
|
if (pIChainContext)
|
|
pIChainContext->Release();
|
|
return FALSE;
|
|
}
|
|
|
|
BOOL HasTimestamp(HANDLE hWVTStateData)
|
|
{
|
|
CRYPT_PROVIDER_DATA *pCryptProvData;
|
|
CRYPT_PROVIDER_SGNR *pCryptProvSgnr;
|
|
|
|
if (hWVTStateData == NULL)
|
|
return FALSE; // Unexpected Error
|
|
|
|
pCryptProvData = WTHelperProvDataFromStateData(hWVTStateData);
|
|
if (pCryptProvData == NULL)
|
|
return FALSE; // Unexpected Error
|
|
|
|
|
|
pCryptProvSgnr = WTHelperGetProvSignerFromChain(pCryptProvData, 0, FALSE, 0);
|
|
if (pCryptProvSgnr == NULL)
|
|
return FALSE; // Unexpected Error
|
|
|
|
return(pCryptProvSgnr->csCounterSigners == 1); // Valid result
|
|
}
|
|
|
|
|
|
void PrintSignerInfo(HANDLE hWVTStateData)
|
|
{
|
|
CRYPT_PROVIDER_DATA *pCryptProvData;
|
|
CRYPT_PROVIDER_SGNR *pCryptProvSgnr;
|
|
WCHAR wcsTemp[200];
|
|
IChain2 *pIChain2 = NULL;
|
|
IChainContext *pIChainContext = NULL;
|
|
COleDateTime DateTime;
|
|
HRESULT hr;
|
|
|
|
if (hWVTStateData == NULL)
|
|
goto Cleanup;
|
|
|
|
pCryptProvData = WTHelperProvDataFromStateData(hWVTStateData);
|
|
if (pCryptProvData == NULL)
|
|
goto Cleanup;
|
|
|
|
pCryptProvSgnr = WTHelperGetProvSignerFromChain(pCryptProvData, 0, FALSE, 0);
|
|
if (pCryptProvSgnr == NULL)
|
|
goto Cleanup;
|
|
|
|
hr = CoCreateInstance(__uuidof(Chain), NULL, CLSCTX_ALL,
|
|
__uuidof(IChainContext), (LPVOID*)&pIChainContext);
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
// In this case, give it one more chance:
|
|
RegisterCAPICOM();
|
|
hr = CoCreateInstance(__uuidof(Chain), NULL, CLSCTX_ALL,
|
|
__uuidof(IChainContext), (LPVOID*)&pIChainContext);
|
|
}
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"CoCreateInstance", hr);
|
|
}
|
|
goto Cleanup;
|
|
}
|
|
|
|
// fill in the pIChain2 with the Signer:
|
|
pIChainContext->put_ChainContext((LONG)pCryptProvSgnr->pChainContext);
|
|
// This will not compile on 64-bit architechtures.
|
|
// Neither will CAPICOM, which is requiring this stupid typecast.
|
|
|
|
// And then get the Chain2 interface:
|
|
hr = pIChainContext->QueryInterface(__uuidof(IChain2),
|
|
(LPVOID*)&pIChain2);
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
// In this case, give it one more chance:
|
|
RegisterCAPICOM();
|
|
hr = pIChainContext->QueryInterface(__uuidof(IChain2),
|
|
(LPVOID*)&pIChain2);
|
|
}
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"IChainContext::QueryInterface", hr);
|
|
}
|
|
goto Cleanup;
|
|
}
|
|
|
|
// Release the ChainContext interface:
|
|
pIChainContext->Release();
|
|
pIChainContext = NULL;
|
|
|
|
// Print the Signer chain
|
|
ResOut(IDS_INFO_VERIFY_SIGNER);
|
|
PrintCertChain(pIChain2);
|
|
pIChain2->Release();
|
|
pIChain2 = NULL;
|
|
|
|
|
|
if (pCryptProvSgnr->csCounterSigners == 1)
|
|
{
|
|
// Then it's timestamped.
|
|
DateTime = pCryptProvSgnr->sftVerifyAsOf;
|
|
if (MultiByteToWideChar(CP_THREAD_ACP, 0,
|
|
DateTime.Format(0, LANG_USER_DEFAULT), -1,
|
|
wcsTemp, 199) == 0)
|
|
{
|
|
// Try again with ANSI codepage:
|
|
MultiByteToWideChar(CP_ACP, 0,
|
|
DateTime.Format(0, LANG_USER_DEFAULT), -1,
|
|
wcsTemp, 199);
|
|
}
|
|
wcsTemp[199] = L'\0';
|
|
ResFormatOut(IDS_INFO_VERIFY_TIME, wcsTemp);
|
|
|
|
ResOut(IDS_INFO_VERIFY_TIMESTAMP);
|
|
|
|
// Build and print the timestamp chain:
|
|
pCryptProvSgnr = WTHelperGetProvSignerFromChain(pCryptProvData, 0, TRUE, 0);
|
|
|
|
if (pCryptProvSgnr == NULL)
|
|
goto Cleanup;
|
|
|
|
hr = CoCreateInstance(__uuidof(Chain), NULL, CLSCTX_ALL,
|
|
__uuidof(IChainContext), (LPVOID*)&pIChainContext);
|
|
if (FAILED(hr))
|
|
goto Cleanup;
|
|
|
|
// fill in the pIChainContext with the Timestamper:
|
|
pIChainContext->put_ChainContext((LONG)pCryptProvSgnr->pChainContext);
|
|
// This will not compile on 64-bit architechtures.
|
|
// Neither will CAPICOM, which is requiring this stupid typecast.
|
|
|
|
// And then get the Chain2 interface:
|
|
hr = pIChainContext->QueryInterface(__uuidof(IChain2),
|
|
(LPVOID*)&pIChain2);
|
|
if (FAILED(hr))
|
|
{
|
|
if ((hr == REGDB_E_CLASSNOTREG) || (hr == E_NOINTERFACE) || (hr == 0x8007007E))
|
|
{
|
|
ResErr(IDS_ERR_CAPICOM_NOT_REG);
|
|
}
|
|
else
|
|
{
|
|
FormatErrRet(L"ICertificates::QueryInterface", hr);
|
|
}
|
|
goto Cleanup;
|
|
}
|
|
// Release the ChainContext interface:
|
|
pIChainContext->Release();
|
|
pIChainContext = NULL;
|
|
|
|
// Print the Timestamper chain
|
|
PrintCertChain(pIChain2);
|
|
pIChain2->Release();
|
|
pIChain2 = NULL;
|
|
}
|
|
else
|
|
{
|
|
ResOut(IDS_INFO_VERIFY_NO_TIMESTAMP);
|
|
}
|
|
|
|
Cleanup:
|
|
if (pIChain2)
|
|
pIChain2->Release();
|
|
if (pIChainContext)
|
|
pIChainContext->Release();
|
|
}
|
|
|
|
|
|
void _indent(DWORD dwIndent)
|
|
{
|
|
for (DWORD i=0; i<dwIndent; i++)
|
|
wprintf(L" ");
|
|
}
|
|
|
|
|
|
void PrintCertInfo(ICertificate2 *pICert2)
|
|
{
|
|
PrintCertInfoIndented(pICert2, 4);
|
|
}
|
|
|
|
|
|
void PrintCertInfoIndented(ICertificate2 *pICert2, DWORD dwIndent)
|
|
{
|
|
BSTR bstrTemp;
|
|
DATE dateTemp;
|
|
COleDateTime DateTime;
|
|
WCHAR wcsTemp[200];
|
|
|
|
if (pICert2 == NULL)
|
|
{
|
|
return;
|
|
}
|
|
|
|
// Issued to:
|
|
if (pICert2->GetInfo(CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME, &bstrTemp) == S_OK)
|
|
{
|
|
_indent(dwIndent);
|
|
ResFormatOut(IDS_INFO_CERT_NAME, bstrTemp);
|
|
SysFreeString(bstrTemp);
|
|
}
|
|
|
|
// Issued by:
|
|
if (pICert2->GetInfo(CAPICOM_CERT_INFO_ISSUER_SIMPLE_NAME, &bstrTemp) == S_OK)
|
|
{
|
|
_indent(dwIndent);
|
|
ResFormatOut(IDS_INFO_CERT_ISSUER, bstrTemp);
|
|
SysFreeString(bstrTemp);
|
|
}
|
|
|
|
// Expiration date:
|
|
if (pICert2->get_ValidToDate(&dateTemp) == S_OK)
|
|
{
|
|
DateTime = dateTemp;
|
|
if (MultiByteToWideChar(CP_THREAD_ACP, 0,
|
|
DateTime.Format(0, LANG_USER_DEFAULT), -1,
|
|
wcsTemp, 199) == 0)
|
|
{
|
|
// Try again with ANSI codepage:
|
|
MultiByteToWideChar(CP_ACP, 0,
|
|
DateTime.Format(0, LANG_USER_DEFAULT), -1,
|
|
wcsTemp, 199);
|
|
}
|
|
_indent(dwIndent);
|
|
wcsTemp[199] = L'\0';
|
|
ResFormatOut(IDS_INFO_CERT_EXPIRE, wcsTemp);
|
|
}
|
|
|
|
// SHA1 hash:
|
|
if (pICert2->get_Thumbprint(&bstrTemp) == S_OK)
|
|
{
|
|
_indent(dwIndent);
|
|
ResFormatOut(IDS_INFO_CERT_SHA1, bstrTemp);
|
|
SysFreeString(bstrTemp);
|
|
}
|
|
|
|
wprintf(L"\n");
|
|
}
|
|
|
|
|
|
void PrintCertChain(IChain *pIChain)
|
|
{
|
|
ICertificates *pICerts = NULL;
|
|
ICertificate *pICert = NULL;
|
|
ICertificate2 *pICert2 = NULL;
|
|
HRESULT hr;
|
|
VARIANT varTemp;
|
|
long longTemp;
|
|
long l;
|
|
|
|
VariantInit(&varTemp);
|
|
|
|
hr = pIChain->get_Certificates(&pICerts);
|
|
if (FAILED(hr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
hr = pICerts->get_Count(&longTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (longTemp < 1)
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
for (l=longTemp; l>0; l--)
|
|
{
|
|
hr = pICerts->get_Item(l, &varTemp);
|
|
if (FAILED(hr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
hr = varTemp.pdispVal->QueryInterface(__uuidof(ICertificate2),
|
|
(LPVOID*)&pICert2);
|
|
if (FAILED(hr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
VariantClear(&varTemp);
|
|
|
|
PrintCertInfoIndented(pICert2, 4*(1+longTemp-l));
|
|
pICert2->Release();
|
|
pICert2 = NULL;
|
|
}
|
|
|
|
Cleanup:
|
|
|
|
if (pICerts)
|
|
pICerts->Release();
|
|
if (pICert)
|
|
pICert->Release();
|
|
if (pICert2)
|
|
pICert2->Release();
|
|
}
|
|
|
|
|
|
int SignTool_Verify(INPUTINFO *InputInfo)
|
|
{
|
|
WIN32_FIND_DATAW FindFileData;
|
|
HRESULT hr;
|
|
HANDLE hFind;
|
|
HANDLE hFile;
|
|
HANDLE hCat = NULL;
|
|
HCATADMIN hCatAdmin = NULL;
|
|
HCATINFO hCatInfo = NULL;
|
|
CATALOG_INFO CatInfo;
|
|
CRYPTCATMEMBER *pCatMember;
|
|
WINTRUST_DATA WVTData;
|
|
WINTRUST_FILE_INFO_ WVTFile;
|
|
WINTRUST_CATALOG_INFO_ WVTCat;
|
|
GUID WVTGenericActionID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
|
|
GUID WVTDriverActionID = DRIVER_ACTION_VERIFY;
|
|
DRIVER_VER_INFO DriverInfo;
|
|
PVOID OldWow64Setting;
|
|
DWORD dwcFound;
|
|
DWORD dwDone = 0;
|
|
DWORD dwWarnings = 0;
|
|
DWORD dwErrors = 0;
|
|
DWORD dwTemp;
|
|
WCHAR wszTempFileName[MAX_PATH];
|
|
WCHAR wszSHA1[41];
|
|
int LastSlash;
|
|
|
|
|
|
// Initialize COM:
|
|
if ((hr = CoInitialize(NULL)) != S_OK)
|
|
{
|
|
FormatErrRet(L"CoInitialize", hr);
|
|
return 1; // Error
|
|
}
|
|
|
|
// Check if we are in the 32-bit Emulator on a 64-bit system
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
OldWow64Setting = Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
|
|
// Loop over the files and verify them:
|
|
for (DWORD i=0; i<InputInfo->NumFiles; i++)
|
|
{
|
|
// Find the last slash in the path specification:
|
|
LastSlash = 0;
|
|
for (DWORD s=0; s<wcslen(InputInfo->rgwszFileNames[i]); s++)
|
|
{
|
|
if ((wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L"\\", 1) == 0) ||
|
|
(wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L"/", 1) == 0) ||
|
|
(wcsncmp(&(InputInfo->rgwszFileNames[i][s]), L":", 1) == 0))
|
|
{
|
|
// Set LastSlash to the character after the last slash:
|
|
LastSlash = s + 1;
|
|
}
|
|
}
|
|
wcsncpy(wszTempFileName, InputInfo->rgwszFileNames[i], MAX_PATH);
|
|
wszTempFileName[MAX_PATH-1] = L'\0';
|
|
|
|
dwcFound = 0;
|
|
hFind = FindFirstFileU(InputInfo->rgwszFileNames[i], &FindFileData);
|
|
if (hFind == INVALID_HANDLE_VALUE)
|
|
{
|
|
// No files found matching that name
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
do
|
|
{
|
|
if (!(FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
|
|
{
|
|
dwcFound++; // Increment number of files (not dirs) found
|
|
// matching this filespec
|
|
|
|
// For each file reset the WVT data to prevent contamination:
|
|
memset(&WVTData, 0, sizeof(WINTRUST_DATA));
|
|
WVTData.cbStruct = sizeof(WINTRUST_DATA);
|
|
WVTData.dwUIChoice = WTD_UI_NONE;
|
|
WVTData.fdwRevocationChecks = WTD_REVOKE_NONE;
|
|
memset(&WVTFile, 0, sizeof(WINTRUST_FILE_INFO_));
|
|
WVTFile.cbStruct = sizeof(WINTRUST_FILE_INFO_);
|
|
memset(&WVTCat, 0, sizeof(WINTRUST_CATALOG_INFO_));
|
|
WVTCat.cbStruct = sizeof(WINTRUST_CATALOG_INFO_);
|
|
memset(&DriverInfo, 0, sizeof(DRIVER_VER_INFO));
|
|
DriverInfo.cbStruct = sizeof(DRIVER_VER_INFO);
|
|
if (InputInfo->wszVersion)
|
|
{
|
|
DriverInfo.dwPlatform = InputInfo->dwPlatform;
|
|
DriverInfo.sOSVersionHigh.dwMajor = DriverInfo.sOSVersionLow.dwMajor = InputInfo->dwMajorVersion;
|
|
DriverInfo.sOSVersionHigh.dwMinor = DriverInfo.sOSVersionLow.dwMinor = InputInfo->dwMinorVersion;
|
|
DriverInfo.dwBuildNumberHigh = DriverInfo.dwBuildNumberLow = InputInfo->dwBuildNumber;
|
|
}
|
|
else
|
|
{
|
|
WVTData.dwProvFlags = WTD_USE_DEFAULT_OSVER_CHECK;
|
|
}
|
|
|
|
// Copy the filename on after the last slash:
|
|
wcsncpy(&(wszTempFileName[LastSlash]),
|
|
FindFileData.cFileName, MAX_PATH-LastSlash);
|
|
wszTempFileName[MAX_PATH-1] = L'\0';
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection for our current file only
|
|
Wow64SetFilesystemRedirectorEx(wszTempFileName);
|
|
}
|
|
|
|
// Perform the action:
|
|
// Start by opening the catalog database, or skipping
|
|
// catalogs altogether:
|
|
|
|
if (InputInfo->wszCatFile)
|
|
{
|
|
if (hCat == NULL) // Only open this on the first pass.
|
|
{
|
|
hCat = CryptCATOpen(InputInfo->wszCatFile,
|
|
CRYPTCAT_OPEN_EXISTING,
|
|
NULL, NULL, NULL);
|
|
if ((hCat == NULL) || (hCat == INVALID_HANDLE_VALUE))
|
|
{
|
|
switch (GetLastError())
|
|
{
|
|
case ERROR_ACCESS_DENIED:
|
|
ResErr(IDS_ERR_ACCESS_DENIED);
|
|
break;
|
|
case ERROR_SHARING_VIOLATION:
|
|
ResErr(IDS_ERR_SHARING_VIOLATION);
|
|
break;
|
|
case ERROR_NOT_FOUND:
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->wszCatFile);
|
|
break;
|
|
default:
|
|
FormatErrRet(L"CryptCATOpen", GetLastError());
|
|
}
|
|
ResFormatErr(IDS_ERR_VERIFY_CAT_OPEN,
|
|
InputInfo->wszCatFile);
|
|
hCat = NULL;
|
|
dwErrors++;
|
|
goto VerifyCleanupAndExit;
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
switch (InputInfo->CatDbSelect)
|
|
{
|
|
case NoCatDb:
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResFormatOut(IDS_INFO_VERIFY_ATTEMPT, wszTempFileName);
|
|
}
|
|
goto SkipCatalogs;
|
|
break;
|
|
case FullAutoCatDb:
|
|
if (hCatAdmin == NULL)
|
|
{
|
|
CryptCATAdminAcquireContext(&hCatAdmin, NULL, NULL);
|
|
}
|
|
break;
|
|
case SystemCatDb:
|
|
case DefaultCatDb:
|
|
case GuidCatDb:
|
|
if (hCatAdmin == NULL)
|
|
{
|
|
CryptCATAdminAcquireContext(&hCatAdmin, &InputInfo->CatDbGuid, NULL);
|
|
}
|
|
break;
|
|
default:
|
|
// This should never happen because there are no other
|
|
// legal values for Auto.
|
|
ResFormatErr(IDS_ERR_UNEXPECTED);
|
|
return 1; // Error
|
|
}
|
|
}
|
|
|
|
// At this point we are dealing with catalog issues only.
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResFormatOut(IDS_INFO_VERIFY_ATTEMPT, wszTempFileName);
|
|
}
|
|
|
|
// Create the hash for catalog lookup:
|
|
if (InputInfo->SHA1.cbData == 0)
|
|
{
|
|
InputInfo->SHA1.pbData = (BYTE*)malloc(20);
|
|
if (InputInfo->SHA1.pbData)
|
|
{
|
|
InputInfo->SHA1.cbData = 20;
|
|
}
|
|
else
|
|
{
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
FormatErrRet(L"malloc", GetLastError());
|
|
}
|
|
ResFormatErr(IDS_ERR_VERIFY, wszTempFileName);
|
|
dwErrors++;
|
|
goto VerifyNextFile;
|
|
}
|
|
}
|
|
hFile = CreateFileU(wszTempFileName,
|
|
GENERIC_READ,
|
|
FILE_SHARE_READ,
|
|
NULL,
|
|
OPEN_EXISTING,
|
|
FILE_ATTRIBUTE_NORMAL,
|
|
NULL);
|
|
if (!hFile)
|
|
{
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
switch (GetLastError())
|
|
{
|
|
case ERROR_ACCESS_DENIED:
|
|
ResErr(IDS_ERR_ACCESS_DENIED);
|
|
break;
|
|
case ERROR_SHARING_VIOLATION:
|
|
ResErr(IDS_ERR_SHARING_VIOLATION);
|
|
break;
|
|
default:
|
|
FormatErrRet(L"CreateFile", GetLastError());
|
|
}
|
|
}
|
|
ResFormatErr(IDS_ERR_VERIFY, wszTempFileName);
|
|
dwErrors++;
|
|
goto VerifyNextFile;
|
|
}
|
|
if (!CryptCATAdminCalcHashFromFileHandle(hFile,
|
|
&InputInfo->SHA1.cbData,
|
|
InputInfo->SHA1.pbData,
|
|
NULL))
|
|
{
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
switch (GetLastError())
|
|
{
|
|
case ERROR_FILE_INVALID:
|
|
ResErr(IDS_ERR_FILE_SIZE_ZERO);
|
|
break;
|
|
default:
|
|
FormatErrRet(L"CryptCATAdminCalcHashFromFileHandle", GetLastError());
|
|
}
|
|
}
|
|
ResFormatErr(IDS_ERR_VERIFY, wszTempFileName);
|
|
CloseHandle(hFile);
|
|
dwErrors++;
|
|
goto VerifyNextFile;
|
|
}
|
|
CloseHandle(hFile);
|
|
for (DWORD j = 0; j<InputInfo->SHA1.cbData; j++)
|
|
{ // Print the hash to a string:
|
|
swprintf(&(wszSHA1[j*2]), L"%02X", InputInfo->SHA1.pbData[j]);
|
|
}
|
|
#ifdef SIGNTOOL_DEBUG
|
|
if (gDebug)
|
|
{
|
|
wprintf(L"SHA1 hash of file: %s\n", wszSHA1);
|
|
}
|
|
#endif
|
|
// Finished calculating the hash.
|
|
|
|
|
|
// If the catalog was specifically selected
|
|
if (InputInfo->wszCatFile)
|
|
{
|
|
// Then make sure the hash we found is in the catalog:
|
|
pCatMember = CryptCATGetMemberInfo(hCat, wszSHA1);
|
|
if (pCatMember) // Is the hash found in the catalog?
|
|
{
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResFormatOut(IDS_INFO_VERIFY_CAT, InputInfo->wszCatFile);
|
|
}
|
|
CatInfo.cbStruct = sizeof(CATALOG_INFO);
|
|
wcsncpy(CatInfo.wszCatalogFile, InputInfo->wszCatFile, MAX_PATH);
|
|
CatInfo.wszCatalogFile[MAX_PATH-1] = L'\0';
|
|
|
|
// Now verify the catalog:
|
|
// Set up the rest of the WVT structure:
|
|
WVTCat.pcwszCatalogFilePath = CatInfo.wszCatalogFile;
|
|
WVTCat.pcwszMemberFilePath = wszTempFileName;
|
|
WVTCat.pcwszMemberTag = wszSHA1;
|
|
WVTCat.cbCalculatedFileHash = InputInfo->SHA1.cbData;
|
|
WVTCat.pbCalculatedFileHash = InputInfo->SHA1.pbData;
|
|
WVTData.dwUnionChoice = WTD_CHOICE_CATALOG;
|
|
WVTData.pCatalog = &WVTCat;
|
|
if (InputInfo->Verbose || InputInfo->TSWarn || InputInfo->wszRootName ||
|
|
(InputInfo->Policy != SystemDriver))
|
|
{
|
|
WVTData.dwStateAction = WTD_STATEACTION_VERIFY;
|
|
}
|
|
else
|
|
{
|
|
WVTData.dwStateAction = WTD_STATEACTION_AUTO_CACHE;
|
|
}
|
|
// Call WinVerifyTrust to do the real work:
|
|
switch (InputInfo->Policy)
|
|
{
|
|
case SystemDriver:
|
|
WVTData.pPolicyCallbackData = &DriverInfo;
|
|
hr = WinVerifyTrust(NULL, &WVTDriverActionID, &WVTData);
|
|
break;
|
|
case DefaultAuthenticode:
|
|
hr = WinVerifyTrust(NULL, &WVTGenericActionID, &WVTData);
|
|
break;
|
|
case GuidActionID:
|
|
hr = WinVerifyTrust(NULL, &InputInfo->PolicyGuid, &WVTData);
|
|
break;
|
|
default:
|
|
// This should never happen because there are no other
|
|
// legal values for Policy.
|
|
ResFormatErr(IDS_ERR_UNEXPECTED);
|
|
goto VerifyCleanupAndExit;
|
|
}
|
|
switch (hr)
|
|
{
|
|
case ERROR_SUCCESS:
|
|
// Print the Signer information:
|
|
if (InputInfo->Verbose)
|
|
{
|
|
PrintSignerInfo(WVTData.hWVTStateData);
|
|
}
|
|
// Check for Timestamp:
|
|
if (InputInfo->TSWarn && !HasTimestamp(WVTData.hWVTStateData))
|
|
{
|
|
ResFormatErr(IDS_WARN_VERIFY_NO_TS, wszTempFileName);
|
|
dwWarnings++;
|
|
}
|
|
// Check Root Name:
|
|
if (InputInfo->wszRootName &&
|
|
!ChainsToRoot(WVTData.hWVTStateData, InputInfo->wszRootName))
|
|
{
|
|
ResErr(IDS_ERR_VERIFY_ROOT);
|
|
break;
|
|
}
|
|
// Print Success message
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
ResFormatOut(IDS_INFO_VERIFY_SUCCESS, wszTempFileName);
|
|
}
|
|
// Close Verify State Data:
|
|
WVTData.dwStateAction = WTD_STATEACTION_CLOSE;
|
|
switch (InputInfo->Policy)
|
|
{
|
|
case SystemDriver:
|
|
hr = WinVerifyTrust(NULL, &WVTDriverActionID, &WVTData);
|
|
WVTData.pPolicyCallbackData = NULL;
|
|
if (DriverInfo.pcSignerCertContext)
|
|
{
|
|
CertFreeCertificateContext(DriverInfo.pcSignerCertContext);
|
|
}
|
|
break;
|
|
case DefaultAuthenticode:
|
|
hr = WinVerifyTrust(NULL, &WVTGenericActionID, &WVTData);
|
|
break;
|
|
case GuidActionID:
|
|
hr = WinVerifyTrust(NULL, &InputInfo->PolicyGuid, &WVTData);
|
|
break;
|
|
default:
|
|
// This should never happen because there are no other
|
|
// legal values for Policy.
|
|
ResFormatErr(IDS_ERR_UNEXPECTED);
|
|
goto VerifyCleanupAndExit;
|
|
}
|
|
dwDone++;
|
|
goto VerifyNextFile;
|
|
case ERROR_APP_WRONG_OS:
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
if (InputInfo->wszVersion)
|
|
{
|
|
// Failed to verify against user-specified OS version.
|
|
ResFormatErr(IDS_ERR_VERIFY_VERSION);
|
|
}
|
|
else
|
|
{
|
|
// Failed to verify against current OS version
|
|
ResFormatErr(IDS_ERR_VERIFY_CUR_VERSION);
|
|
}
|
|
}
|
|
break;
|
|
case CERT_E_WRONG_USAGE:
|
|
ResErr(IDS_ERR_BAD_USAGE);
|
|
if (InputInfo->Policy != DefaultAuthenticode)
|
|
ResErr(IDS_ERR_TRY_OTHER_POLICY);
|
|
break;
|
|
|
|
case TRUST_E_NOSIGNATURE:
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
ResErr(IDS_ERR_NOT_SIGNED);
|
|
}
|
|
break;
|
|
default:
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
FormatErrRet(L"WinVerifyTrust", hr);
|
|
}
|
|
if (InputInfo->Verbose)
|
|
{
|
|
PrintSignerInfo(WVTData.hWVTStateData);
|
|
}
|
|
}
|
|
// Close Verify State Data:
|
|
WVTData.dwStateAction = WTD_STATEACTION_CLOSE;
|
|
switch (InputInfo->Policy)
|
|
{
|
|
case SystemDriver:
|
|
hr = WinVerifyTrust(NULL, &WVTDriverActionID, &WVTData);
|
|
WVTData.pPolicyCallbackData = NULL;
|
|
if (DriverInfo.pcSignerCertContext)
|
|
{
|
|
CertFreeCertificateContext(DriverInfo.pcSignerCertContext);
|
|
}
|
|
break;
|
|
case DefaultAuthenticode:
|
|
hr = WinVerifyTrust(NULL, &WVTGenericActionID, &WVTData);
|
|
break;
|
|
case GuidActionID:
|
|
hr = WinVerifyTrust(NULL, &InputInfo->PolicyGuid, &WVTData);
|
|
break;
|
|
default:
|
|
// This should never happen because there are no other
|
|
// legal values for Policy.
|
|
ResFormatErr(IDS_ERR_UNEXPECTED);
|
|
goto VerifyCleanupAndExit;
|
|
}
|
|
WVTData.dwStateAction = WTD_STATEACTION_VERIFY;
|
|
}
|
|
else
|
|
{
|
|
// The file was not found in the specified catalog.
|
|
ResErr(IDS_ERR_VERIFY_NOT_IN_CAT);
|
|
}
|
|
// Then we failed to verify it using specified catalog.
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_VERIFY_INVALID, wszTempFileName);
|
|
goto VerifyNextFile;
|
|
}
|
|
else
|
|
{
|
|
// Or else we should look up the catalog in the Cat DB:
|
|
if (hCatInfo != NULL)
|
|
{
|
|
CryptCATAdminReleaseCatalogContext(hCatAdmin, hCatInfo, 0);
|
|
hCatInfo = NULL;
|
|
}
|
|
memset(&CatInfo, 0, sizeof(CATALOG_INFO));
|
|
CatInfo.cbStruct = sizeof(CATALOG_INFO);
|
|
hr = ERROR_SUCCESS;
|
|
while ((hCatInfo = CryptCATAdminEnumCatalogFromHash(hCatAdmin,
|
|
InputInfo->SHA1.pbData,
|
|
InputInfo->SHA1.cbData,
|
|
0,
|
|
&hCatInfo)) != NULL)
|
|
{
|
|
if (!(CryptCATCatalogInfoFromContext(hCatInfo, &CatInfo, 0)))
|
|
{
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
continue;
|
|
}
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResFormatOut(IDS_INFO_VERIFY_CAT, CatInfo.wszCatalogFile);
|
|
}
|
|
// Now verify the catalog:
|
|
// Set up the rest of the WVT structure:
|
|
WVTCat.pcwszCatalogFilePath = CatInfo.wszCatalogFile;
|
|
WVTCat.pcwszMemberFilePath = wszTempFileName;
|
|
WVTCat.pcwszMemberTag = wszSHA1;
|
|
WVTCat.cbCalculatedFileHash = InputInfo->SHA1.cbData;
|
|
WVTCat.pbCalculatedFileHash = InputInfo->SHA1.pbData;
|
|
WVTData.dwUnionChoice = WTD_CHOICE_CATALOG;
|
|
WVTData.pCatalog = &WVTCat;
|
|
if (InputInfo->Verbose || InputInfo->TSWarn || InputInfo->wszRootName ||
|
|
(InputInfo->Policy != SystemDriver))
|
|
{
|
|
WVTData.dwStateAction = WTD_STATEACTION_VERIFY;
|
|
}
|
|
else
|
|
{
|
|
WVTData.dwStateAction = WTD_STATEACTION_AUTO_CACHE;
|
|
}
|
|
// Call WinVerifyTrust to do the real work:
|
|
switch (InputInfo->Policy)
|
|
{
|
|
case SystemDriver:
|
|
WVTData.pPolicyCallbackData = &DriverInfo;
|
|
hr = WinVerifyTrust(NULL, &WVTDriverActionID, &WVTData);
|
|
break;
|
|
case DefaultAuthenticode:
|
|
hr = WinVerifyTrust(NULL, &WVTGenericActionID, &WVTData);
|
|
break;
|
|
case GuidActionID:
|
|
hr = WinVerifyTrust(NULL, &InputInfo->PolicyGuid, &WVTData);
|
|
break;
|
|
default:
|
|
// This should never happen because there are no other
|
|
// legal values for Policy.
|
|
ResFormatErr(IDS_ERR_UNEXPECTED);
|
|
goto VerifyCleanupAndExit;
|
|
}
|
|
switch (hr)
|
|
{
|
|
case ERROR_SUCCESS:
|
|
// Print the Signer information:
|
|
if (InputInfo->Verbose)
|
|
{
|
|
PrintSignerInfo(WVTData.hWVTStateData);
|
|
}
|
|
// Check for Timestamp:
|
|
if (InputInfo->TSWarn && !HasTimestamp(WVTData.hWVTStateData))
|
|
{
|
|
ResFormatErr(IDS_WARN_VERIFY_NO_TS, wszTempFileName);
|
|
dwWarnings++;
|
|
}
|
|
// Check Root Name:
|
|
if (InputInfo->wszRootName &&
|
|
!ChainsToRoot(WVTData.hWVTStateData, InputInfo->wszRootName))
|
|
{
|
|
ResErr(IDS_ERR_VERIFY_ROOT);
|
|
break;
|
|
}
|
|
// Print Success message
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
ResFormatOut(IDS_INFO_VERIFY_SUCCESS, wszTempFileName);
|
|
}
|
|
// Close Verify State Data:
|
|
WVTData.dwStateAction = WTD_STATEACTION_CLOSE;
|
|
switch (InputInfo->Policy)
|
|
{
|
|
case SystemDriver:
|
|
hr = WinVerifyTrust(NULL, &WVTDriverActionID, &WVTData);
|
|
WVTData.pPolicyCallbackData = NULL;
|
|
if (DriverInfo.pcSignerCertContext)
|
|
{
|
|
CertFreeCertificateContext(DriverInfo.pcSignerCertContext);
|
|
}
|
|
break;
|
|
case DefaultAuthenticode:
|
|
hr = WinVerifyTrust(NULL, &WVTGenericActionID, &WVTData);
|
|
break;
|
|
case GuidActionID:
|
|
hr = WinVerifyTrust(NULL, &InputInfo->PolicyGuid, &WVTData);
|
|
break;
|
|
default:
|
|
// This should never happen because there are no other
|
|
// legal values for Policy.
|
|
ResFormatErr(IDS_ERR_UNEXPECTED);
|
|
goto VerifyCleanupAndExit;
|
|
}
|
|
dwDone++;
|
|
goto VerifyNextFile;
|
|
case ERROR_APP_WRONG_OS:
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
if (InputInfo->wszVersion)
|
|
{
|
|
// Failed to verify against user-specified OS version.
|
|
ResFormatErr(IDS_ERR_VERIFY_VERSION);
|
|
}
|
|
else
|
|
{
|
|
// Failed to verify against current OS version
|
|
ResFormatErr(IDS_ERR_VERIFY_CUR_VERSION);
|
|
}
|
|
}
|
|
break;
|
|
case CERT_E_WRONG_USAGE:
|
|
ResErr(IDS_ERR_BAD_USAGE);
|
|
if (InputInfo->Policy != DefaultAuthenticode)
|
|
ResErr(IDS_ERR_TRY_OTHER_POLICY);
|
|
break;
|
|
case TRUST_E_NOSIGNATURE:
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
ResErr(IDS_ERR_NOT_SIGNED);
|
|
}
|
|
break;
|
|
|
|
default:
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
FormatErrRet(L"WinVerifyTrust", hr);
|
|
}
|
|
if (InputInfo->Verbose)
|
|
{
|
|
PrintSignerInfo(WVTData.hWVTStateData);
|
|
}
|
|
}
|
|
// Close Verify State Data:
|
|
WVTData.dwStateAction = WTD_STATEACTION_CLOSE;
|
|
switch (InputInfo->Policy)
|
|
{
|
|
case SystemDriver:
|
|
hr = WinVerifyTrust(NULL, &WVTDriverActionID, &WVTData);
|
|
WVTData.pPolicyCallbackData = NULL;
|
|
if (DriverInfo.pcSignerCertContext)
|
|
{
|
|
CertFreeCertificateContext(DriverInfo.pcSignerCertContext);
|
|
}
|
|
break;
|
|
case DefaultAuthenticode:
|
|
hr = WinVerifyTrust(NULL, &WVTGenericActionID, &WVTData);
|
|
break;
|
|
case GuidActionID:
|
|
hr = WinVerifyTrust(NULL, &InputInfo->PolicyGuid, &WVTData);
|
|
break;
|
|
default:
|
|
// This should never happen because there are no other
|
|
// legal values for Policy.
|
|
ResFormatErr(IDS_ERR_UNEXPECTED);
|
|
goto VerifyCleanupAndExit;
|
|
}
|
|
WVTData.dwStateAction = WTD_STATEACTION_VERIFY;
|
|
}
|
|
// Failed to verify using the catalog DB.
|
|
dwTemp = GetLastError();
|
|
if ((InputInfo->Verbose) &&
|
|
(dwTemp != ERROR_NOT_FOUND))
|
|
{
|
|
FormatErrRet(L"CryptCATAdminEnumCatalogFromHash", dwTemp);
|
|
}
|
|
|
|
// If we are on full auto, try direct signature. Otherwise
|
|
// it's an error.
|
|
if ((InputInfo->CatDbSelect == FullAutoCatDb) && (hr != ERROR_APP_WRONG_OS))
|
|
{
|
|
if (InputInfo->Verbose)
|
|
{
|
|
ResOut(IDS_INFO_VERIFY_BADCAT);
|
|
}
|
|
// Reset the driver structure:
|
|
memset(&DriverInfo, 0, sizeof(DRIVER_VER_INFO));
|
|
DriverInfo.cbStruct = sizeof(DRIVER_VER_INFO);
|
|
if (InputInfo->wszVersion)
|
|
{
|
|
DriverInfo.dwPlatform = InputInfo->dwPlatform;
|
|
DriverInfo.sOSVersionHigh.dwMajor = DriverInfo.sOSVersionLow.dwMajor = InputInfo->dwMajorVersion;
|
|
DriverInfo.sOSVersionHigh.dwMinor = DriverInfo.sOSVersionLow.dwMinor = InputInfo->dwMinorVersion;
|
|
DriverInfo.dwBuildNumberHigh = DriverInfo.dwBuildNumberLow = InputInfo->dwBuildNumber;
|
|
}
|
|
else
|
|
{
|
|
WVTData.dwProvFlags = WTD_USE_DEFAULT_OSVER_CHECK;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
hr = 0;
|
|
ResFormatErr(IDS_ERR_VERIFY_INVALID, wszTempFileName);
|
|
dwErrors++;
|
|
goto VerifyNextFile;
|
|
}
|
|
}
|
|
|
|
// Unable to verify using a catalog.
|
|
|
|
// Done with all catalog stuff.
|
|
SkipCatalogs:
|
|
// Now try to verify if it is signed directly:
|
|
memset(&WVTData, 0, sizeof(WINTRUST_DATA));
|
|
WVTData.cbStruct = sizeof(WINTRUST_DATA);
|
|
WVTData.dwStateAction = WTD_STATEACTION_VERIFY;
|
|
WVTData.dwUIChoice = WTD_UI_NONE;
|
|
WVTData.fdwRevocationChecks = WTD_REVOKE_NONE;
|
|
|
|
memset(&WVTFile, 0, sizeof(WINTRUST_FILE_INFO_));
|
|
WVTFile.cbStruct = sizeof(WINTRUST_FILE_INFO_);
|
|
WVTFile.pcwszFilePath = wszTempFileName;
|
|
WVTData.dwUnionChoice = WTD_CHOICE_FILE;
|
|
WVTData.pFile = &WVTFile;
|
|
//WVTData.pPolicyCallbackData = &DriverInfo;
|
|
WVTData.pPolicyCallbackData = NULL;
|
|
switch (InputInfo->Policy)
|
|
{
|
|
case SystemDriver:
|
|
hr = WinVerifyTrust(NULL, &WVTDriverActionID, &WVTData);
|
|
break;
|
|
case DefaultAuthenticode:
|
|
hr = WinVerifyTrust(NULL, &WVTGenericActionID, &WVTData);
|
|
break;
|
|
case GuidActionID:
|
|
hr = WinVerifyTrust(NULL, &InputInfo->PolicyGuid, &WVTData);
|
|
break;
|
|
default:
|
|
// This should never happen because there are no other
|
|
// legal values for Policy.
|
|
ResFormatErr(IDS_ERR_UNEXPECTED);
|
|
goto VerifyCleanupAndExit;
|
|
}
|
|
|
|
if (hr == ERROR_SUCCESS)
|
|
{
|
|
// Print the Signer information:
|
|
if (InputInfo->Verbose)
|
|
{
|
|
PrintSignerInfo(WVTData.hWVTStateData);
|
|
}
|
|
// Check for Timestamp:
|
|
if (InputInfo->TSWarn && !HasTimestamp(WVTData.hWVTStateData))
|
|
{
|
|
ResFormatErr(IDS_WARN_VERIFY_NO_TS, wszTempFileName);
|
|
dwWarnings++;
|
|
}
|
|
// Check Root Name:
|
|
if (InputInfo->wszRootName &&
|
|
!ChainsToRoot(WVTData.hWVTStateData, InputInfo->wszRootName))
|
|
{
|
|
ResErr(IDS_ERR_VERIFY_ROOT);
|
|
ResFormatErr(IDS_ERR_VERIFY_INVALID, wszTempFileName);
|
|
dwErrors++;
|
|
}
|
|
else
|
|
{
|
|
// Print Success message
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
ResFormatOut(IDS_INFO_VERIFY_SUCCESS, wszTempFileName);
|
|
}
|
|
dwDone++;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (!InputInfo->Quiet)
|
|
{
|
|
switch (hr)
|
|
{
|
|
case ERROR_SUCCESS:
|
|
break;
|
|
case TRUST_E_SUBJECT_FORM_UNKNOWN:
|
|
ResErr(IDS_ERR_VERIFY_FILE_FORMAT);
|
|
break;
|
|
case E_ACCESSDENIED:
|
|
ResErr(IDS_ERR_ACCESS_DENIED);
|
|
break;
|
|
case 0x80070020: // ERROR_SHARING_VIOLATION
|
|
ResErr(IDS_ERR_SHARING_VIOLATION);
|
|
break;
|
|
case 0x800703EE: // STATUS_MAPPED_FILE_SIZE_ZERO
|
|
ResErr(IDS_ERR_FILE_SIZE_ZERO);
|
|
break;
|
|
case CERT_E_WRONG_USAGE:
|
|
ResErr(IDS_ERR_BAD_USAGE);
|
|
if (InputInfo->Policy != DefaultAuthenticode)
|
|
ResErr(IDS_ERR_TRY_OTHER_POLICY);
|
|
break;
|
|
case TRUST_E_NOSIGNATURE:
|
|
ResErr(IDS_ERR_NOT_SIGNED);
|
|
break;
|
|
case CERT_E_UNTRUSTEDROOT:
|
|
ResErr(IDS_ERR_UNTRUSTED_ROOT);
|
|
break;
|
|
default:
|
|
FormatErrRet(L"WinVerifyTrust", hr);
|
|
}
|
|
}
|
|
if (InputInfo->Verbose)
|
|
{
|
|
PrintSignerInfo(WVTData.hWVTStateData);
|
|
}
|
|
ResFormatErr(IDS_ERR_VERIFY_INVALID, wszTempFileName);
|
|
dwErrors++;
|
|
}
|
|
// Close Verify State Data:
|
|
WVTData.dwStateAction = WTD_STATEACTION_CLOSE;
|
|
switch (InputInfo->Policy)
|
|
{
|
|
case SystemDriver:
|
|
hr = WinVerifyTrust(NULL, &WVTDriverActionID, &WVTData);
|
|
break;
|
|
case DefaultAuthenticode:
|
|
hr = WinVerifyTrust(NULL, &WVTGenericActionID, &WVTData);
|
|
break;
|
|
case GuidActionID:
|
|
hr = WinVerifyTrust(NULL, &InputInfo->PolicyGuid, &WVTData);
|
|
break;
|
|
default:
|
|
// This should never happen because there are no other
|
|
// legal values for Policy.
|
|
ResFormatErr(IDS_ERR_UNEXPECTED);
|
|
goto VerifyCleanupAndExit;
|
|
}
|
|
|
|
VerifyNextFile:;
|
|
if (InputInfo->fIsWow64Process)
|
|
{
|
|
// Disable WOW64 file-system redirection entirely for our FindFirst/NextFile
|
|
Wow64SetFilesystemRedirectorEx(WOW64_FILE_SYSTEM_DISABLE_REDIRECT_LEGACY);
|
|
}
|
|
}
|
|
} while (FindNextFileU(hFind, &FindFileData));
|
|
if (dwcFound == 0) // No files were found matching this filespec
|
|
{ // this will only fire if only directories were found.
|
|
dwErrors++;
|
|
ResFormatErr(IDS_ERR_FILE_NOT_FOUND, InputInfo->rgwszFileNames[i]);
|
|
continue;
|
|
}
|
|
FindClose(hFind);
|
|
hFind = NULL;
|
|
}
|
|
|
|
VerifyCleanupAndExit:
|
|
|
|
//Print Summary Information:
|
|
if (InputInfo->Verbose || (!InputInfo->Quiet && (dwErrors || dwWarnings)))
|
|
{
|
|
wprintf(L"\n");
|
|
if (InputInfo->Verbose || dwDone)
|
|
ResFormatOut(IDS_INFO_VERIFIED, dwDone);
|
|
if (InputInfo->Verbose || dwWarnings)
|
|
ResFormatOut(IDS_INFO_WARNINGS, dwWarnings);
|
|
if (InputInfo->Verbose || dwErrors)
|
|
ResFormatOut(IDS_INFO_ERRORS, dwErrors);
|
|
}
|
|
|
|
if (InputInfo->fIsWow64Process)
|
|
Wow64SetFilesystemRedirectorEx(OldWow64Setting);
|
|
|
|
if (hCatInfo)
|
|
CryptCATAdminReleaseCatalogContext(hCatAdmin, hCatInfo, 0);
|
|
|
|
if (hCatAdmin)
|
|
CryptCATAdminReleaseContext(hCatAdmin, NULL);
|
|
|
|
if (hCat)
|
|
CryptCATClose(hCat);
|
|
|
|
if ((InputInfo->SHA1.cbData == 20) && (InputInfo->SHA1.pbData))
|
|
{
|
|
free(InputInfo->SHA1.pbData);
|
|
InputInfo->SHA1.cbData = 0;
|
|
InputInfo->SHA1.pbData = NULL;
|
|
}
|
|
|
|
CoUninitialize();
|
|
|
|
if (dwErrors)
|
|
return 1; // Error
|
|
if (dwWarnings)
|
|
return 2; // Warning
|
|
if (dwDone)
|
|
return 0; // Success
|
|
|
|
// One of the above returns should fire, so
|
|
// this should never happen:
|
|
ResErr(IDS_ERR_NO_FILES_DONE);
|
|
ResErr(IDS_ERR_UNEXPECTED);
|
|
return 1; // Error
|
|
}
|
|
|