VirtualBox

Browse Source

Changeset 74760 in vbox

Timestamp:

Oct 11, 2018 11:25:24 AM (6 years ago)

Author:

vboxsync

Message:

IPRT/ldr/asn1/pkcs7: Ironed out issues in decoding indefinite ASN.1 length records and successfully verified the first Mach-O signature. bugref:9232

Location:

Files:

: 13 edited

include/iprt/asn1.h (modified) (3 diffs)
include/iprt/crypto/pkcs7.h (modified) (2 diffs)
include/iprt/err.h (modified) (1 diff)
include/iprt/ldr.h (modified) (2 diffs)
include/iprt/mangling.h (modified) (2 diffs)
src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp (modified) (2 diffs)
src/VBox/Runtime/common/asn1/asn1-cursor.cpp (modified) (4 diffs)
src/VBox/Runtime/common/crypto/pkcs7-asn1-decoder.cpp (modified) (1 diff)
src/VBox/Runtime/common/crypto/pkcs7-verify.cpp (modified) (7 diffs)
src/VBox/Runtime/common/ldr/ldrMachO.cpp (modified) (1 diff)
src/VBox/Runtime/common/ldr/ldrPE.cpp (modified) (1 diff)
src/VBox/Runtime/testcase/tstRTLdrVerifyPeImage.cpp (modified) (1 diff)
src/VBox/Runtime/tools/RTSignTool.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/include/iprt/asn1.h

-              r74672
+              r74760
     /** The allocator virtual method table. */
     PCRTASN1ALLOCATORVTABLE     pAllocator;
+    /** Pointer to the first byte.  Useful for calculating offsets. */
+    uint8_t const              *pbFirst;
 } RTASN1CURSORPRIMARY;
 typedef RTASN1CURSORPRIMARY *PRTASN1CURSORPRIMARY;
 …
  * @param   pCursor             The cursor we're decoding from.
  * @param   pSeqCore            The sequence core record.
+ * @sa      RTAsn1CursorCheckSetEnd, RTAsn1CursorCheckOctStrEnd,
+ *          RTAsn1CursorCheckEnd
  */
 RTDECL(int) RTAsn1CursorCheckSeqEnd(PRTASN1CURSOR pCursor, PRTASN1SEQUENCECORE pSeqCore);
 …
  * @param   pCursor             The cursor we're decoding from.
  * @param   pSetCore            The set core record.
+ * @sa      RTAsn1CursorCheckSeqEnd, RTAsn1CursorCheckOctStrEnd,
+ *          RTAsn1CursorCheckEnd
  */
 RTDECL(int) RTAsn1CursorCheckSetEnd(PRTASN1CURSOR pCursor, PRTASN1SETCORE pSetCore);
+/**
+ * Specialization of RTAsn1CursorCheckEnd for handling indefinite length
+ * constructed octet strings.
+ *
+ * This function must used when parsing the content of an octet string, like
+ * for example the Content of a PKCS\#7 ContentInfo structure.  It makes sure
+ * we've reached the end of the data for the cursor, and in case of a an
+ * indefinite length sets it may adjust set length and the parent cursor.
+ *
+ * @returns IPRT status code.
+ * @param   pCursor             The cursor we're decoding from.
+ * @param   pOctetString        The octet string.
+ * @sa      RTAsn1CursorCheckSeqEnd, RTAsn1CursorCheckSetEnd,
+ *          RTAsn1CursorCheckEnd
+ */
+RTDECL(int) RTAsn1CursorCheckOctStrEnd(PRTASN1CURSOR pCursor, PRTASN1OCTETSTRING pOctetString);
 /**

trunk/include/iprt/crypto/pkcs7.h

-              r74716
+              r74760
  * @param   pvUser              User argument for the callback.
  * @param   pErrInfo            Optional error info buffer.
+ * @sa      RTCrPkcs7VerifySignedDataWithExternalData
  */
 RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
 …
                                       PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
                                       PRTERRINFO pErrInfo);
+/**
+ * Verifies PKCS \#7 SignedData with external data.
+ *
+ * For compatability with alternative crypto providers, the user must work on
+ * the top level PKCS \#7 structure instead directly on the SignedData.
+ *
+ * @returns IPRT status code.
+ * @param   pContentInfo        PKCS \#7 content info structure.
+ * @param   fFlags              RTCRPKCS7VERIFY_SD_F_XXX.
+ * @param   hAdditionalCerts    Store containing additional certificates to
+ *                              supplement those mentioned in the signed data.
+ * @param   hTrustedCerts       Store containing trusted certificates.
+ * @param   pValidationTime     The time we're supposed to validate the
+ *                              certificates chains at.  Ignored for signatures
+ *                              with valid signing time attributes.
+ * @param   pfnVerifyCert       Callback for checking that a certificate used
+ *                              for signing the data is suitable.
+ * @param   pvUser              User argument for the callback.
+ * @param   pvData              The signed external data.
+ * @param   cbData              The size of the signed external data.
+ * @param   pErrInfo            Optional error info buffer.
+ * @sa      RTCrPkcs7VerifySignedData
+ */
+RTDECL(int) RTCrPkcs7VerifySignedDataWithExternalData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                                      RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                                      PCRTTIMESPEC pValidationTime,
+                                                      PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                                      void const *pvData, size_t cbData, PRTERRINFO pErrInfo);
 /** @name RTCRPKCS7VERIFY_SD_F_XXX - Flags for RTCrPkcs7VerifySignedData

trunk/include/iprt/err.h

r74656	r74760
2730	2730	/** The encrypted digest algorithm does not match the one in the certificate. */
2731	2731	#define VERR_CR_PKCS7_SIGNER_INFO_DIGEST_ENCRYPT_MISMATCH (-22359)
	2732	/** The PKCS \#7 content is not data. */
	2733	#define VERR_CR_PKCS7_NOT_DATA (-22360)
2732	2734	/** @} */
2733	2735

trunk/include/iprt/ldr.h

-              r74707
+              r74760
  * @param   pvSignature     The signature data. Format given by @a enmSignature.
  * @param   cbSignature     The size of the buffer @a pvSignature points to.
+ * @param   pvExternalData  Pointer to the signed data, if external. NULL if the
+ *                          data is internal to the signature structure.
+ * @param   cbExternalData Size of the signed data, if external.  0 if
+ *                          internal to the signature structure.
  * @param   pErrInfo        Pointer to an error info buffer, optional.
  * @param   pvUser          User argument.
 …
 typedef DECLCALLBACK(int) FNRTLDRVALIDATESIGNEDDATA(RTLDRMOD hLdrMod, RTLDRSIGNATURETYPE enmSignature,
                                                     void const *pvSignature, size_t cbSignature,
+                                                    void const *pvExternalData, size_t cbExternalData,
                                                     PRTERRINFO pErrInfo, void *pvUser);
 /** Pointer to a signature verification callback. */

trunk/include/iprt/mangling.h

-              r74672
+              r74760
 # define RTAsn1VtDelete                                 RT_MANGLER(RTAsn1VtDelete)
 # define RTAsn1CursorCheckEnd                           RT_MANGLER(RTAsn1CursorCheckEnd)
+# define RTAsn1CursorCheckOctStrEnd                     RT_MANGLER(RTAsn1CursorCheckOctStrEnd)
 # define RTAsn1CursorCheckSeqEnd                        RT_MANGLER(RTAsn1CursorCheckSeqEnd)
 # define RTAsn1CursorCheckSetEnd                        RT_MANGLER(RTAsn1CursorCheckSetEnd)
 …
 # define RTCrPkcs7VerifyCertCallbackDefault             RT_MANGLER(RTCrPkcs7VerifyCertCallbackDefault)
 # define RTCrPkcs7VerifySignedData                      RT_MANGLER(RTCrPkcs7VerifySignedData)
+# define RTCrPkcs7VerifySignedDataWithExternalData      RT_MANGLER(RTCrPkcs7VerifySignedDataWithExternalData)
 # define RTCrPkcs7Cert_CheckSanity                      RT_MANGLER(RTCrPkcs7Cert_CheckSanity)
 # define RTCrPkcs7Cert_Clone                            RT_MANGLER(RTCrPkcs7Cert_Clone)

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

-              r69500
+              r74760
 static DECLCALLBACK(int) supHardNtViCallback(RTLDRMOD hLdrMod, RTLDRSIGNATURETYPE enmSignature,
                                              void const *pvSignature, size_t cbSignature,
+                                             void const *pvExternalData, size_t cbExternalData,
                                              PRTERRINFO pErrInfo, void *pvUser)
+{
 …
     AssertReturn(pContentInfo->u.pSignedData->SignerInfos.cItems == 1, VERR_INTERNAL_ERROR_5);
     PCRTCRPKCS7SIGNERINFO pSignerInfo = pContentInfo->u.pSignedData->SignerInfos.papItems[0];
+    AssertReturn(pvExternalData, VERR_INTERNAL_ERROR_5);
     /*

trunk/src/VBox/Runtime/common/asn1/asn1-cursor.cpp

-              r74672
+              r74760
     pPrimaryCursor->pErrInfo                = pErrInfo;
     pPrimaryCursor->pAllocator              = pAllocator;
+    pPrimaryCursor->pbFirst                 = (uint8_t const *)pvFirst;
     return &pPrimaryCursor->Cursor;
+}
 …
 static int rtAsn1CursorCheckSeqOrSetEnd(PRTASN1CURSOR pCursor, PRTASN1CORE pAsn1Core)
+{
+    if (pCursor->cbLeft == 0)
+        return VINF_SUCCESS;
+    if (pAsn1Core->fFlags & RTASN1CORE_F_INDEFINITE_LENGTH)
+    {
+        if (pCursor->cbLeft >= 2)
+    if (!(pAsn1Core->fFlags & RTASN1CORE_F_INDEFINITE_LENGTH))
+    {
+        if (pCursor->cbLeft == 0)
+            return VINF_SUCCESS;
+        return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                                   "%u (%#x) bytes left over", pCursor->cbLeft, pCursor->cbLeft);
+    }
+    if (pCursor->cbLeft >= 2)
+    {
+        if (   pCursor->pbCur[0] == 0
+            && pCursor->pbCur[1] == 0)
+        {
+            if (   pCursor->pbCur[0] == 0
+                && pCursor->pbCur[1] == 0)
+            pAsn1Core->cb = (uint32_t)(pCursor->pbCur - pAsn1Core->uData.pu8);
+            pCursor->cbLeft -= 2;
+            pCursor->pbCur  += 2;
+            PRTASN1CURSOR pParentCursor = pCursor->pUp;
+            if (   pParentCursor
+                && (pParentCursor->fFlags & RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH))
+            {
+                pAsn1Core->cb = (uint32_t)(pCursor->pbCur - pAsn1Core->uData.pu8);
+                pCursor->cbLeft -= 2;
+                pCursor->pbCur  += 2;
+                PRTASN1CURSOR pParentCursor = pCursor->pUp;
+                if (   pParentCursor
+                    && (pParentCursor->fFlags & RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH))
+                {
+                    pParentCursor->pbCur  -= pCursor->cbLeft;
+                    pParentCursor->cbLeft += pCursor->cbLeft;
+                    return VINF_SUCCESS;
+                }
+                if (pCursor->cbLeft == 0)
+                    return VINF_SUCCESS;
+                return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                                           "%u (%#x) bytes left over (parent not indefinite length)", pCursor->cbLeft, pCursor->cbLeft);
+                pParentCursor->pbCur  -= pCursor->cbLeft;
+                pParentCursor->cbLeft += pCursor->cbLeft;
+                return VINF_SUCCESS;
+            }
+            return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END, "%u (%#x) bytes left over [indef: %.*Rhxs]",
+                                       pCursor->cbLeft, pCursor->cbLeft, RT_MIN(pCursor->cbLeft, 16), pCursor->pbCur);
+            if (pCursor->cbLeft == 0)
+                return VINF_SUCCESS;
+            return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                                       "%u (%#x) bytes left over (parent not indefinite length)", pCursor->cbLeft, pCursor->cbLeft);
+        }
+        return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                                   "1 byte left over, expected two for indefinite length end-of-content sequence");
+    }
+        return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END, "%u (%#x) bytes left over [indef: %.*Rhxs]",
+                                   pCursor->cbLeft, pCursor->cbLeft, RT_MIN(pCursor->cbLeft, 16), pCursor->pbCur);
+    }
     return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                               "%u (%#x) bytes left over", pCursor->cbLeft, pCursor->cbLeft);
+                               "1 byte left over, expected two for indefinite length end-of-content sequence");
+}
 …
+{
     return rtAsn1CursorCheckSeqOrSetEnd(pCursor, &pSetCore->Asn1Core);
+}
+RTDECL(int) RTAsn1CursorCheckOctStrEnd(PRTASN1CURSOR pCursor, PRTASN1OCTETSTRING pOctetString)
+{
+    return rtAsn1CursorCheckSeqOrSetEnd(pCursor, &pOctetString->Asn1Core);
+}
 …
                 pCursor->fFlags   |= RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH;
                 pAsn1Core->fFlags |= RTASN1CORE_F_INDEFINITE_LENGTH;
                 cb = pCursor->cbLeft - 2; /* tentatively for sequences and sets, definite for others */
+                cb = pCursor->cbLeft; /* Start out with the whole sequence, adjusted later upon reach the end. */
+            }
+        }

trunk/src/VBox/Runtime/common/crypto/pkcs7-asn1-decoder.cpp

r74672	r74760
144	144	}
145	145	if (RT_SUCCESS(rc))
146		rc = RTAsn1CursorCheck~~End(&ContentCursor~~);
	146	rc = RTAsn1CursorCheckOctStrEnd(&ContentCursor, &pThis->Content);
147	147	if (RT_SUCCESS(rc))
148	148	return VINF_SUCCESS;

trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp

-              r73665
+              r74760
 static int rtCrPkcs7VerifySignedDataUsingOpenSsl(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
                                                  RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
                                                  void const *pvContent, uint32_t cbContent, PRTERRINFO pErrInfo)
+                                                 void const *pvContent, size_t cbContent, PRTERRINFO pErrInfo)
+{
     RT_NOREF_PV(fFlags);
     /*
      * Verify using OpenSSL.
+     * Verify using OpenSSL.          ERR_PUT_error
      */
     int rcOssl;
     unsigned char const *pbRawContent = RTASN1CORE_GET_RAW_ASN1_PTR(&pContentInfo->SeqCore.Asn1Core);
+    uint32_t             cbRawContent = RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core)
+                                      + (pContentInfo->SeqCore.Asn1Core.fFlags & RTASN1CORE_F_INDEFINITE_LENGTH ? 2 : 0);
     PKCS7 *pOsslPkcs7 = NULL;
     if (d2i_PKCS7(&pOsslPkcs7, &pbRawContent, RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core)) == pOsslPkcs7)
+    if (d2i_PKCS7(&pOsslPkcs7, &pbRawContent, cbRawContent) != NULL)
+    {
         STACK_OF(X509) *pAddCerts = NULL;
 …
                 if (pCerts->papItems[i]->enmChoice == RTCRPKCS7CERTCHOICE_X509)
                     rtCrOpenSslAddX509CertToStack(pAddCerts, pCerts->papItems[i]->u.pX509Cert);
             X509_STORE *pTrustedCerts = NULL;
 …
                 rtCrOpenSslInit();
                 BIO *pBioContent = BIO_new_mem_buf((void *)pvContent, cbContent);
+                BIO *pBioContent = BIO_new_mem_buf((void *)pvContent, (int)cbContent);
                 if (pBioContent)
+                {
 …
+    }
     else
+    {
         rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_OSSL_D2I_FAILED, "d2i_PKCS7 failed");
+        if (pErrInfo)
+            ERR_print_errors_cb(rtCrOpenSslErrInfoCallback, pErrInfo);
+    }
     return rcOssl;
 …
+RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                      RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                      PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                      PRTERRINFO pErrInfo)
+{
+    /*
+     * Check the input.
+/**
+ * Worker.
+ */
+static int rtCrPkcs7VerifySignedDataEx(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                       RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                       PCRTTIMESPEC pValidationTime,
+                                       PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                       void const *pvContent, size_t cbContent, PRTERRINFO pErrInfo)
+{
+    /*
+     * Check and adjust the input.
      */
     if (pfnVerifyCert)
 …
      * Hash the content info.
      */
-    /* Exactly what the content is, for some stupid reason unnecessarily
-       complicated.  Figure it out here as we'll need it for the OpenSSL code
-       path as well. */
-    void const *pvContent = pSignedData->ContentInfo.Content.Asn1Core.uData.pv;
-    uint32_t    cbContent = pSignedData->ContentInfo.Content.Asn1Core.cb;
-    if (pSignedData->ContentInfo.Content.pEncapsulated)
+    {
-        pvContent = pSignedData->ContentInfo.Content.pEncapsulated->uData.pv;
-        cbContent = pSignedData->ContentInfo.Content.pEncapsulated->cb;
+    }
     /* Check that there aren't too many or too few hash algorithms for our
        implementation and purposes. */
 …
+}
+RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                      RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                      PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                      PRTERRINFO pErrInfo)
+{
+    /*
+     * Find the content and pass it on to common worker.
+     */
+    if (!RTCrPkcs7ContentInfo_IsSignedData(pContentInfo))
+        return RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_NOT_SIGNED_DATA, "Not PKCS #7 SignedData.");
+    /* Exactly what the content is, is for some stupid reason unnecessarily complicated. */
+    PCRTCRPKCS7SIGNEDDATA pSignedData = pContentInfo->u.pSignedData;
+    void const *pvContent = pSignedData->ContentInfo.Content.Asn1Core.uData.pv;
+    uint32_t    cbContent = pSignedData->ContentInfo.Content.Asn1Core.cb;
+    if (pSignedData->ContentInfo.Content.pEncapsulated)
+    {
+        pvContent = pSignedData->ContentInfo.Content.pEncapsulated->uData.pv;
+        cbContent = pSignedData->ContentInfo.Content.pEncapsulated->cb;
+    }
+    return rtCrPkcs7VerifySignedDataEx(pContentInfo, fFlags, hAdditionalCerts, hTrustedCerts, pValidationTime,
+                                       pfnVerifyCert, pvUser, pvContent, cbContent, pErrInfo);
+}
+RTDECL(int) RTCrPkcs7VerifySignedDataWithExternalData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                                      RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                                      PCRTTIMESPEC pValidationTime,
+                                                      PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                                      void const *pvData, size_t cbData, PRTERRINFO pErrInfo)
+{
+    /*
+     * Require 'data' as inner content type.
+     */
+    if (!RTCrPkcs7ContentInfo_IsSignedData(pContentInfo))
+        return RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_NOT_SIGNED_DATA, "Not PKCS #7 SignedData.");
+    PCRTCRPKCS7SIGNEDDATA pSignedData = pContentInfo->u.pSignedData;
+    if (RTAsn1ObjId_CompareWithString(&pSignedData->ContentInfo.ContentType, RTCR_PKCS7_DATA_OID) != 0)
+        return RTErrInfoSetF(pErrInfo, VERR_CR_PKCS7_NOT_DATA,
+                             "The signedData content type is %s, expected 'data' (%s)",
+                             pSignedData->ContentInfo.ContentType.szObjId, RTCR_PKCS7_DATA_OID);
+    return rtCrPkcs7VerifySignedDataEx(pContentInfo, fFlags, hAdditionalCerts, hTrustedCerts, pValidationTime,
+                                       pfnVerifyCert, pvUser, pvData, cbData, pErrInfo);
+}

trunk/src/VBox/Runtime/common/ldr/ldrMachO.cpp

r74750	r74760
4849	4849	rc = pfnCallback(&pThis->Core, RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA,
4850	4850	&pSignature->ContentInfo, sizeof(pSignature->ContentInfo),
	4851	pSignature->aCodeDirs[0].pCodeDir, pSignature->aCodeDirs[0].cb,
4851	4852	pErrInfo, pvUser);
4852	4853	}

trunk/src/VBox/Runtime/common/ldr/ldrPE.cpp

r74721	r74760
2899	2899	rc = pfnCallback(&pModPe->Core, RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA,
2900	2900	&pSignature->ContentInfo, sizeof(pSignature->ContentInfo),
	2901	NULL /pvExternalData/, 0 /cbExternalData/,
2901	2902	pErrInfo, pvUser);
2902	2903	}

trunk/src/VBox/Runtime/testcase/tstRTLdrVerifyPeImage.cpp

-              r69111
+              r74760
 static DECLCALLBACK(int) TestCallback(RTLDRMOD hLdrMod, RTLDRSIGNATURETYPE enmSignature,
                                       void const *pvSignature, size_t cbSignature,
+                                      void const *pvExternalData, size_t cbExternalData,
                                       PRTERRINFO pErrInfo, void *pvUser)
+{
     RT_NOREF_PV(hLdrMod); RT_NOREF_PV(enmSignature); RT_NOREF_PV(pvSignature); RT_NOREF_PV(cbSignature);
     RT_NOREF_PV(pErrInfo); RT_NOREF_PV(pvUser);
+    RT_NOREF_PV(pErrInfo); RT_NOREF_PV(pvUser); RT_NOREF_PV(pvExternalData); RT_NOREF_PV(cbExternalData);
     return VINF_SUCCESS;
+}

trunk/src/VBox/Runtime/tools/RTSignTool.cpp

-              r74716
+              r74760
 static DECLCALLBACK(int) VerifyExeCallback(RTLDRMOD hLdrMod, RTLDRSIGNATURETYPE enmSignature,
                                            void const *pvSignature, size_t cbSignature,
+                                           void const *pvExternalData, size_t cbExternalData,
                                            PRTERRINFO pErrInfo, void *pvUser)
+{
 …
              * the authenticode policies into account.
              */
+            if (pvExternalData)
+                return RTCrPkcs7VerifySignedDataWithExternalData(pContentInfo,
+                                                                 RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY
+                                                                 | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT
+                                                                 | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT,
+                                                                 pState->hAdditionalStore, pState->hRootStore, &ValidationTime,
+                                                                 VerifyExecCertVerifyCallback, pState,
+                                                                 pvExternalData, cbExternalData, pErrInfo);
             return RTCrPkcs7VerifySignedData(pContentInfo,
                                              RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats:

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette