Index: /trunk/include/iprt/asn1.h
===================================================================
--- /trunk/include/iprt/asn1.h	(revision 74759)
+++ /trunk/include/iprt/asn1.h	(revision 74760)
@@ -1678,4 +1678,6 @@
     /** The allocator virtual method table. */
     PCRTASN1ALLOCATORVTABLE     pAllocator;
+    /** Pointer to the first byte.  Useful for calculating offsets. */
+    uint8_t const              *pbFirst;
 } RTASN1CURSORPRIMARY;
 typedef RTASN1CURSORPRIMARY *PRTASN1CURSORPRIMARY;
@@ -1798,4 +1800,6 @@
  * @param   pCursor             The cursor we're decoding from.
  * @param   pSeqCore            The sequence core record.
+ * @sa      RTAsn1CursorCheckSetEnd, RTAsn1CursorCheckOctStrEnd,
+ *          RTAsn1CursorCheckEnd
  */
 RTDECL(int) RTAsn1CursorCheckSeqEnd(PRTASN1CURSOR pCursor, PRTASN1SEQUENCECORE pSeqCore);
@@ -1810,6 +1814,26 @@
  * @param   pCursor             The cursor we're decoding from.
  * @param   pSetCore            The set core record.
+ * @sa      RTAsn1CursorCheckSeqEnd, RTAsn1CursorCheckOctStrEnd,
+ *          RTAsn1CursorCheckEnd
  */
 RTDECL(int) RTAsn1CursorCheckSetEnd(PRTASN1CURSOR pCursor, PRTASN1SETCORE pSetCore);
+
+/**
+ * Specialization of RTAsn1CursorCheckEnd for handling indefinite length
+ * constructed octet strings.
+ *
+ * This function must used when parsing the content of an octet string, like
+ * for example the Content of a PKCS\#7 ContentInfo structure.  It makes sure
+ * we've reached the end of the data for the cursor, and in case of a an
+ * indefinite length sets it may adjust set length and the parent cursor.
+ *
+ * @returns IPRT status code.
+ * @param   pCursor             The cursor we're decoding from.
+ * @param   pOctetString        The octet string.
+ * @sa      RTAsn1CursorCheckSeqEnd, RTAsn1CursorCheckSetEnd,
+ *          RTAsn1CursorCheckEnd
+ */
+RTDECL(int) RTAsn1CursorCheckOctStrEnd(PRTASN1CURSOR pCursor, PRTASN1OCTETSTRING pOctetString);
+
 
 /**
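Review bot: The new doc comment for RTAsn1CursorCheckOctStrEnd carries wording left over from the set/sequence variants, which makes its contract hard to read: "must used", "a an", and "indefinite length sets it may adjust set length" although the function takes an octet string. Since this is the end check for PKCS #7 content, the text should say plainly what is adjusted, e.g. `This function must be used when parsing the content of an octet string` and `in case of an indefinite length octet string it may adjust the string length and the parent cursor.` It would also help to state which status is returned when bytes are left over; the comment only says "IPRT status code".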
Index: /trunk/include/iprt/crypto/pkcs7.h
===================================================================
--- /trunk/include/iprt/crypto/pkcs7.h	(revision 74759)
+++ /trunk/include/iprt/crypto/pkcs7.h	(revision 74760)
@@ -512,4 +512,5 @@
  * @param   pvUser              User argument for the callback.
  * @param   pErrInfo            Optional error info buffer.
+ * @sa      RTCrPkcs7VerifySignedDataWithExternalData
  */
 RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
@@ -517,4 +518,34 @@
                                       PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
                                       PRTERRINFO pErrInfo);
+
+
+/**
+ * Verifies PKCS \#7 SignedData with external data.
+ *
+ * For compatability with alternative crypto providers, the user must work on
+ * the top level PKCS \#7 structure instead directly on the SignedData.
+ *
+ * @returns IPRT status code.
+ * @param   pContentInfo        PKCS \#7 content info structure.
+ * @param   fFlags              RTCRPKCS7VERIFY_SD_F_XXX.
+ * @param   hAdditionalCerts    Store containing additional certificates to
+ *                              supplement those mentioned in the signed data.
+ * @param   hTrustedCerts       Store containing trusted certificates.
+ * @param   pValidationTime     The time we're supposed to validate the
+ *                              certificates chains at.  Ignored for signatures
+ *                              with valid signing time attributes.
+ * @param   pfnVerifyCert       Callback for checking that a certificate used
+ *                              for signing the data is suitable.
+ * @param   pvUser              User argument for the callback.
+ * @param   pvData              The signed external data.
+ * @param   cbData              The size of the signed external data.
+ * @param   pErrInfo            Optional error info buffer.
+ * @sa      RTCrPkcs7VerifySignedData
+ */
+RTDECL(int) RTCrPkcs7VerifySignedDataWithExternalData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                                      RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                                      PCRTTIMESPEC pValidationTime,
+                                                      PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                                      void const *pvData, size_t cbData, PRTERRINFO pErrInfo);
 
 /** @name RTCRPKCS7VERIFY_SD_F_XXX - Flags for RTCrPkcs7VerifySignedData
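Review bot: The doc comment for RTCrPkcs7VerifySignedDataWithExternalData omits the precondition that the implementation in pkcs7-verify.cpp enforces: the inner content type must be 'data', and VERR_CR_PKCS7_NOT_DATA is returned otherwise. I would add a line such as `@retval VERR_CR_PKCS7_NOT_DATA if the SignedData content type is not 'data'.` and say whether pvData may be NULL when cbData is 0. Two wording fixes in the same comment: "compatability" should be "compatibility" and "instead directly on" should be "instead of directly on".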
Index: /trunk/include/iprt/err.h
===================================================================
--- /trunk/include/iprt/err.h	(revision 74759)
+++ /trunk/include/iprt/err.h	(revision 74760)
@@ -2730,4 +2730,6 @@
 /** The encrypted digest algorithm does not match the one in the certificate. */
 #define VERR_CR_PKCS7_SIGNER_INFO_DIGEST_ENCRYPT_MISMATCH       (-22359)
+/** The PKCS \#7 content is not data. */
+#define VERR_CR_PKCS7_NOT_DATA                                  (-22360)
 /** @} */
 
Index: /trunk/include/iprt/ldr.h
===================================================================
--- /trunk/include/iprt/ldr.h	(revision 74759)
+++ /trunk/include/iprt/ldr.h	(revision 74760)
@@ -1177,4 +1177,8 @@
  * @param   pvSignature     The signature data. Format given by @a enmSignature.
  * @param   cbSignature     The size of the buffer @a pvSignature points to.
+ * @param   pvExternalData  Pointer to the signed data, if external. NULL if the
+ *                          data is internal to the signature structure.
+ * @param   cbExternalData Size of the signed data, if external.  0 if
+ *                          internal to the signature structure.
  * @param   pErrInfo        Pointer to an error info buffer, optional.
  * @param   pvUser          User argument.
@@ -1183,4 +1187,5 @@
 typedef DECLCALLBACK(int) FNRTLDRVALIDATESIGNEDDATA(RTLDRMOD hLdrMod, RTLDRSIGNATURETYPE enmSignature,
                                                     void const *pvSignature, size_t cbSignature,
+                                                    void const *pvExternalData, size_t cbExternalData,
                                                     PRTERRINFO pErrInfo, void *pvUser);
 /** Pointer to a signature verification callback. */
Index: /trunk/include/iprt/mangling.h
===================================================================
--- /trunk/include/iprt/mangling.h	(revision 74759)
+++ /trunk/include/iprt/mangling.h	(revision 74760)
@@ -2741,4 +2741,5 @@
 # define RTAsn1VtDelete                                 RT_MANGLER(RTAsn1VtDelete)
 # define RTAsn1CursorCheckEnd                           RT_MANGLER(RTAsn1CursorCheckEnd)
+# define RTAsn1CursorCheckOctStrEnd                     RT_MANGLER(RTAsn1CursorCheckOctStrEnd)
 # define RTAsn1CursorCheckSeqEnd                        RT_MANGLER(RTAsn1CursorCheckSeqEnd)
 # define RTAsn1CursorCheckSetEnd                        RT_MANGLER(RTAsn1CursorCheckSetEnd)
@@ -3256,4 +3257,5 @@
 # define RTCrPkcs7VerifyCertCallbackDefault             RT_MANGLER(RTCrPkcs7VerifyCertCallbackDefault)
 # define RTCrPkcs7VerifySignedData                      RT_MANGLER(RTCrPkcs7VerifySignedData)
+# define RTCrPkcs7VerifySignedDataWithExternalData      RT_MANGLER(RTCrPkcs7VerifySignedDataWithExternalData)
 # define RTCrPkcs7Cert_CheckSanity                      RT_MANGLER(RTCrPkcs7Cert_CheckSanity)
 # define RTCrPkcs7Cert_Clone                            RT_MANGLER(RTCrPkcs7Cert_Clone)
Index: /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
===================================================================
--- /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp	(revision 74759)
+++ /trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp	(revision 74760)
@@ -1053,4 +1053,5 @@
 static DECLCALLBACK(int) supHardNtViCallback(RTLDRMOD hLdrMod, RTLDRSIGNATURETYPE enmSignature,
                                              void const *pvSignature, size_t cbSignature,
+                                             void const *pvExternalData, size_t cbExternalData,
                                              PRTERRINFO pErrInfo, void *pvUser)
 {
@@ -1068,4 +1069,6 @@
     AssertReturn(pContentInfo->u.pSignedData->SignerInfos.cItems == 1, VERR_INTERNAL_ERROR_5);
     PCRTCRPKCS7SIGNERINFO pSignerInfo = pContentInfo->u.pSignedData->SignerInfos.papItems[0];
+
+    AssertReturn(pvExternalData, VERR_INTERNAL_ERROR_5);
 
     /*
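Review bot: The added `AssertReturn(pvExternalData, VERR_INTERNAL_ERROR_5);` looks inverted. The ldrPE.cpp hunk of this same change passes `NULL /*pvExternalData*/, 0 /*cbExternalData*/` to the callback, so if supHardNtViCallback is reached from the PE loader (the file name suggests so, but the call site is outside this hunk) every image check would now fail with VERR_INTERNAL_ERROR_5. If the intent is to refuse detached signatures on this hardening path, the check should read `AssertReturn(!pvExternalData, VERR_INTERNAL_ERROR_5);`, ideally with a one-line comment stating that intent. cbExternalData is unused in the visible lines, and the function body starts and continues outside the hunk.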
Index: /trunk/src/VBox/Runtime/common/asn1/asn1-cursor.cpp
===================================================================
--- /trunk/src/VBox/Runtime/common/asn1/asn1-cursor.cpp	(revision 74759)
+++ /trunk/src/VBox/Runtime/common/asn1/asn1-cursor.cpp	(revision 74760)
@@ -75,4 +75,5 @@
     pPrimaryCursor->pErrInfo                = pErrInfo;
     pPrimaryCursor->pAllocator              = pAllocator;
+    pPrimaryCursor->pbFirst                 = (uint8_t const *)pvFirst;
     return &pPrimaryCursor->Cursor;
 }
@@ -239,43 +240,41 @@
 static int rtAsn1CursorCheckSeqOrSetEnd(PRTASN1CURSOR pCursor, PRTASN1CORE pAsn1Core)
 {
-    if (pCursor->cbLeft == 0)
-        return VINF_SUCCESS;
-
-    if (pAsn1Core->fFlags & RTASN1CORE_F_INDEFINITE_LENGTH)
-    {
-        if (pCursor->cbLeft >= 2)
+    if (!(pAsn1Core->fFlags & RTASN1CORE_F_INDEFINITE_LENGTH))
+    {
+        if (pCursor->cbLeft == 0)
+            return VINF_SUCCESS;
+        return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                                   "%u (%#x) bytes left over", pCursor->cbLeft, pCursor->cbLeft);
+    }
+
+    if (pCursor->cbLeft >= 2)
+    {
+        if (   pCursor->pbCur[0] == 0
+            && pCursor->pbCur[1] == 0)
         {
-            if (   pCursor->pbCur[0] == 0
-                && pCursor->pbCur[1] == 0)
+            pAsn1Core->cb = (uint32_t)(pCursor->pbCur - pAsn1Core->uData.pu8);
+            pCursor->cbLeft -= 2;
+            pCursor->pbCur  += 2;
+
+            PRTASN1CURSOR pParentCursor = pCursor->pUp;
+            if (   pParentCursor
+                && (pParentCursor->fFlags & RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH))
             {
-                pAsn1Core->cb = (uint32_t)(pCursor->pbCur - pAsn1Core->uData.pu8);
-                pCursor->cbLeft -= 2;
-                pCursor->pbCur  += 2;
-
-                PRTASN1CURSOR pParentCursor = pCursor->pUp;
-                if (   pParentCursor
-                    && (pParentCursor->fFlags & RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH))
-                {
-                    pParentCursor->pbCur  -= pCursor->cbLeft;
-                    pParentCursor->cbLeft += pCursor->cbLeft;
-                    return VINF_SUCCESS;
-                }
-
-                if (pCursor->cbLeft == 0)
-                    return VINF_SUCCESS;
-
-                return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
-                                           "%u (%#x) bytes left over (parent not indefinite length)", pCursor->cbLeft, pCursor->cbLeft);
+                pParentCursor->pbCur  -= pCursor->cbLeft;
+                pParentCursor->cbLeft += pCursor->cbLeft;
+                return VINF_SUCCESS;
             }
-            return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END, "%u (%#x) bytes left over [indef: %.*Rhxs]",
-                                       pCursor->cbLeft, pCursor->cbLeft, RT_MIN(pCursor->cbLeft, 16), pCursor->pbCur);
+
+            if (pCursor->cbLeft == 0)
+                return VINF_SUCCESS;
+
+            return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
+                                       "%u (%#x) bytes left over (parent not indefinite length)", pCursor->cbLeft, pCursor->cbLeft);
         }
-        return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
-                                   "1 byte left over, expected two for indefinite length end-of-content sequence");
-    }
-
+        return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END, "%u (%#x) bytes left over [indef: %.*Rhxs]",
+                                   pCursor->cbLeft, pCursor->cbLeft, RT_MIN(pCursor->cbLeft, 16), pCursor->pbCur);
+    }
     return RTAsn1CursorSetInfo(pCursor, VERR_ASN1_CURSOR_NOT_AT_END,
-                               "%u (%#x) bytes left over", pCursor->cbLeft, pCursor->cbLeft);
-
+                               "1 byte left over, expected two for indefinite length end-of-content sequence");
 }
 
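Review bot: The final return's message, "1 byte left over, expected two for indefinite length end-of-content sequence", is now also reached when `cbLeft` is 0, because after this restructuring the `cbLeft == 0` success return applies only to definite-length items. An indefinite-length item whose end-of-content octets are missing entirely is therefore reported as having one stray byte, which misleads whoever triages a rejected signature. Report the real count instead, e.g. `"%u byte(s) left, expected two for indefinite length end-of-content sequence", pCursor->cbLeft`. A short comment noting that the helper now also serves RTAsn1CursorCheckOctStrEnd despite its SeqOrSet name would help as well.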
@@ -290,4 +289,10 @@
 {
     return rtAsn1CursorCheckSeqOrSetEnd(pCursor, &pSetCore->Asn1Core);
+}
+
+
+RTDECL(int) RTAsn1CursorCheckOctStrEnd(PRTASN1CURSOR pCursor, PRTASN1OCTETSTRING pOctetString)
+{
+    return rtAsn1CursorCheckSeqOrSetEnd(pCursor, &pOctetString->Asn1Core);
 }
 
@@ -426,5 +431,5 @@
                 pCursor->fFlags   |= RTASN1CURSOR_FLAGS_INDEFINITE_LENGTH;
                 pAsn1Core->fFlags |= RTASN1CORE_F_INDEFINITE_LENGTH;
-                cb = pCursor->cbLeft - 2; /* tentatively for sequences and sets, definite for others */
+                cb = pCursor->cbLeft; /* Start out with the whole sequence, adjusted later upon reach the end. */
             }
         }
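Review bot: With `cb = pCursor->cbLeft;` an indefinite-length item now starts out spanning everything left in the cursor, end-of-content octets included, and is only trimmed if one of the Check*End functions later runs for it. The old comment said the value was "definite for others"; the new one no longer says what happens to item types that never reach RTAsn1CursorCheckSeqEnd, RTAsn1CursorCheckSetEnd or RTAsn1CursorCheckOctStrEnd, and whether those are rejected elsewhere is not visible in this hunk. Once that is confirmed I would spell it out, e.g. `/* Whole remainder for now; the CheckSeqEnd/CheckSetEnd/CheckOctStrEnd calls trim it at the end-of-content octets. */`, and fix "upon reach the end" to "upon reaching the end". The enclosing function starts and ends outside the hunk.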
Index: /trunk/src/VBox/Runtime/common/crypto/pkcs7-asn1-decoder.cpp
===================================================================
--- /trunk/src/VBox/Runtime/common/crypto/pkcs7-asn1-decoder.cpp	(revision 74759)
+++ /trunk/src/VBox/Runtime/common/crypto/pkcs7-asn1-decoder.cpp	(revision 74760)
@@ -144,5 +144,5 @@
                 }
                 if (RT_SUCCESS(rc))
-                    rc = RTAsn1CursorCheckEnd(&ContentCursor);
+                    rc = RTAsn1CursorCheckOctStrEnd(&ContentCursor, &pThis->Content);
                 if (RT_SUCCESS(rc))
                     return VINF_SUCCESS;
Index: /trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp
===================================================================
--- /trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp	(revision 74759)
+++ /trunk/src/VBox/Runtime/common/crypto/pkcs7-verify.cpp	(revision 74760)
@@ -52,15 +52,17 @@
 static int rtCrPkcs7VerifySignedDataUsingOpenSsl(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
                                                  RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
-                                                 void const *pvContent, uint32_t cbContent, PRTERRINFO pErrInfo)
+                                                 void const *pvContent, size_t cbContent, PRTERRINFO pErrInfo)
 {
     RT_NOREF_PV(fFlags);
 
     /*
-     * Verify using OpenSSL.
+     * Verify using OpenSSL.          ERR_PUT_error
      */
     int rcOssl;
     unsigned char const *pbRawContent = RTASN1CORE_GET_RAW_ASN1_PTR(&pContentInfo->SeqCore.Asn1Core);
+    uint32_t             cbRawContent = RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core)
+                                      + (pContentInfo->SeqCore.Asn1Core.fFlags & RTASN1CORE_F_INDEFINITE_LENGTH ? 2 : 0);
     PKCS7 *pOsslPkcs7 = NULL;
-    if (d2i_PKCS7(&pOsslPkcs7, &pbRawContent, RTASN1CORE_GET_RAW_ASN1_SIZE(&pContentInfo->SeqCore.Asn1Core)) == pOsslPkcs7)
+    if (d2i_PKCS7(&pOsslPkcs7, &pbRawContent, cbRawContent) != NULL)
     {
         STACK_OF(X509) *pAddCerts = NULL;
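Review bot: The `+ (... ? 2 : 0)` added to cbRawContent is unexplained, and the comment above it has picked up a stray `ERR_PUT_error`. The 2 presumably restores the end-of-content octets that the cursor change in asn1-cursor.cpp now leaves out of the core's length, but a reader can only infer that from the other file. A comment such as `/* indefinite length: include the two end-of-content octets */` would make the length passed to d2i_PKCS7 checkable, and the stray text should be dropped so the comment reads `Verify using OpenSSL.` again.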
@@ -78,5 +80,4 @@
                 if (pCerts->papItems[i]->enmChoice == RTCRPKCS7CERTCHOICE_X509)
                     rtCrOpenSslAddX509CertToStack(pAddCerts, pCerts->papItems[i]->u.pX509Cert);
-
 
             X509_STORE *pTrustedCerts = NULL;
@@ -87,5 +88,5 @@
                 rtCrOpenSslInit();
 
-                BIO *pBioContent = BIO_new_mem_buf((void *)pvContent, cbContent);
+                BIO *pBioContent = BIO_new_mem_buf((void *)pvContent, (int)cbContent);
                 if (pBioContent)
                 {
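Review bot: `(int)cbContent` narrows a caller-supplied size_t without a range check. cbContent is now size_t and can come from the cbData argument of RTCrPkcs7VerifySignedDataWithExternalData, so a value above INT_MAX wraps. BIO_new_mem_buf documents a length of -1 as "buffer is NUL terminated, use strlen", so OpenSSL could end up verifying a different byte range than the one the caller supplied. Reject oversized input near the top of the function, before d2i_PKCS7 allocates anything, e.g. `if (cbContent > (size_t)INT_MAX) return RTErrInfoSet(pErrInfo, STATUS_CODE_PLACEHOLDER, "content too large for OpenSSL");` with whichever status code the project prefers. The enclosing function starts and continues outside the hunk.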
@@ -115,5 +116,9 @@
     }
     else
+    {
         rcOssl = RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_OSSL_D2I_FAILED, "d2i_PKCS7 failed");
+        if (pErrInfo)
+            ERR_print_errors_cb(rtCrOpenSslErrInfoCallback, pErrInfo);
+    }
 
     return rcOssl;
@@ -575,11 +580,15 @@
 
 
-RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
-                                      RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
-                                      PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
-                                      PRTERRINFO pErrInfo)
-{
-    /*
-     * Check the input.
+/**
+ * Worker.
+ */
+static int rtCrPkcs7VerifySignedDataEx(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                       RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                       PCRTTIMESPEC pValidationTime,
+                                       PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                       void const *pvContent, size_t cbContent, PRTERRINFO pErrInfo)
+{
+    /*
+     * Check and adjust the input.
      */
     if (pfnVerifyCert)
@@ -598,15 +607,4 @@
      * Hash the content info.
      */
-    /* Exactly what the content is, for some stupid reason unnecessarily
-       complicated.  Figure it out here as we'll need it for the OpenSSL code
-       path as well. */
-    void const *pvContent = pSignedData->ContentInfo.Content.Asn1Core.uData.pv;
-    uint32_t    cbContent = pSignedData->ContentInfo.Content.Asn1Core.cb;
-    if (pSignedData->ContentInfo.Content.pEncapsulated)
-    {
-        pvContent = pSignedData->ContentInfo.Content.pEncapsulated->uData.pv;
-        cbContent = pSignedData->ContentInfo.Content.pEncapsulated->cb;
-    }
-
     /* Check that there aren't too many or too few hash algorithms for our
        implementation and purposes. */
@@ -784,2 +782,52 @@
 }
 
+
+RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                      RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                      PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                      PRTERRINFO pErrInfo)
+{
+    /*
+     * Find the content and pass it on to common worker.
+     */
+    if (!RTCrPkcs7ContentInfo_IsSignedData(pContentInfo))
+        return RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_NOT_SIGNED_DATA, "Not PKCS #7 SignedData.");
+
+    /* Exactly what the content is, is for some stupid reason unnecessarily complicated. */
+    PCRTCRPKCS7SIGNEDDATA pSignedData = pContentInfo->u.pSignedData;
+    void const *pvContent = pSignedData->ContentInfo.Content.Asn1Core.uData.pv;
+    uint32_t    cbContent = pSignedData->ContentInfo.Content.Asn1Core.cb;
+    if (pSignedData->ContentInfo.Content.pEncapsulated)
+    {
+        pvContent = pSignedData->ContentInfo.Content.pEncapsulated->uData.pv;
+        cbContent = pSignedData->ContentInfo.Content.pEncapsulated->cb;
+    }
+
+    return rtCrPkcs7VerifySignedDataEx(pContentInfo, fFlags, hAdditionalCerts, hTrustedCerts, pValidationTime,
+                                       pfnVerifyCert, pvUser, pvContent, cbContent, pErrInfo);
+}
+
+
+RTDECL(int) RTCrPkcs7VerifySignedDataWithExternalData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
+                                                      RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
+                                                      PCRTTIMESPEC pValidationTime,
+                                                      PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
+                                                      void const *pvData, size_t cbData, PRTERRINFO pErrInfo)
+{
+    /*
+     * Require 'data' as inner content type.
+     */
+    if (!RTCrPkcs7ContentInfo_IsSignedData(pContentInfo))
+        return RTErrInfoSet(pErrInfo, VERR_CR_PKCS7_NOT_SIGNED_DATA, "Not PKCS #7 SignedData.");
+    PCRTCRPKCS7SIGNEDDATA pSignedData = pContentInfo->u.pSignedData;
+
+    if (RTAsn1ObjId_CompareWithString(&pSignedData->ContentInfo.ContentType, RTCR_PKCS7_DATA_OID) != 0)
+        return RTErrInfoSetF(pErrInfo, VERR_CR_PKCS7_NOT_DATA,
+                             "The signedData content type is %s, expected 'data' (%s)",
+                             pSignedData->ContentInfo.ContentType.szObjId, RTCR_PKCS7_DATA_OID);
+
+    return rtCrPkcs7VerifySignedDataEx(pContentInfo, fFlags, hAdditionalCerts, hTrustedCerts, pValidationTime,
+                                       pfnVerifyCert, pvUser, pvData, cbData, pErrInfo);
+}
+
+
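Review bot: RTCrPkcs7VerifySignedDataWithExternalData checks the content type but not whether the SignedData also carries embedded content. As far as the visible lines show, if `pSignedData->ContentInfo.Content` is non-empty those bytes are ignored in favour of pvData, so a caller that later reads the embedded content would be using bytes this call never verified. Either reject that combination or document it at the top of the function, e.g. `/* Any embedded content is ignored; only pvData/cbData is verified. */`. pvData is also passed on unchecked when cbData is non-zero, which deserves at least an assertion.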
Index: /trunk/src/VBox/Runtime/common/ldr/ldrMachO.cpp
===================================================================
--- /trunk/src/VBox/Runtime/common/ldr/ldrMachO.cpp	(revision 74759)
+++ /trunk/src/VBox/Runtime/common/ldr/ldrMachO.cpp	(revision 74760)
@@ -4849,4 +4849,5 @@
                     rc = pfnCallback(&pThis->Core, RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA,
                                      &pSignature->ContentInfo, sizeof(pSignature->ContentInfo),
+                                     pSignature->aCodeDirs[0].pCodeDir, pSignature->aCodeDirs[0].cb,
                                      pErrInfo, pvUser);
                 }
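Review bot: The new arguments index `pSignature->aCodeDirs[0]`, and nothing in the hunk shows that at least one code directory was parsed. If the signature-parsing code (outside this hunk) can leave that entry empty, the callback receives a NULL/0 pair and, per the ldr.h contract added in this change, will treat the signed data as internal to the signature structure instead of failing. A guard before the call, or a comment naming where the invariant is established, would make this safe to read; I would word the comment as `/* aCodeDirs[0] is always populated here, see the signature parsing above */` once that is confirmed. The enclosing function is outside the hunk.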
Index: /trunk/src/VBox/Runtime/common/ldr/ldrPE.cpp
===================================================================
--- /trunk/src/VBox/Runtime/common/ldr/ldrPE.cpp	(revision 74759)
+++ /trunk/src/VBox/Runtime/common/ldr/ldrPE.cpp	(revision 74760)
@@ -2899,4 +2899,5 @@
                 rc = pfnCallback(&pModPe->Core, RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA,
                                  &pSignature->ContentInfo, sizeof(pSignature->ContentInfo),
+                                 NULL /*pvExternalData*/, 0 /*cbExternalData*/,
                                  pErrInfo, pvUser);
             }
Index: /trunk/src/VBox/Runtime/testcase/tstRTLdrVerifyPeImage.cpp
===================================================================
--- /trunk/src/VBox/Runtime/testcase/tstRTLdrVerifyPeImage.cpp	(revision 74759)
+++ /trunk/src/VBox/Runtime/testcase/tstRTLdrVerifyPeImage.cpp	(revision 74760)
@@ -44,8 +44,9 @@
 static DECLCALLBACK(int) TestCallback(RTLDRMOD hLdrMod, RTLDRSIGNATURETYPE enmSignature,
                                       void const *pvSignature, size_t cbSignature,
+                                      void const *pvExternalData, size_t cbExternalData,
                                       PRTERRINFO pErrInfo, void *pvUser)
 {
     RT_NOREF_PV(hLdrMod); RT_NOREF_PV(enmSignature); RT_NOREF_PV(pvSignature); RT_NOREF_PV(cbSignature);
-    RT_NOREF_PV(pErrInfo); RT_NOREF_PV(pvUser);
+    RT_NOREF_PV(pErrInfo); RT_NOREF_PV(pvUser); RT_NOREF_PV(pvExternalData); RT_NOREF_PV(cbExternalData);
     return VINF_SUCCESS;
 }
Index: /trunk/src/VBox/Runtime/tools/RTSignTool.cpp
===================================================================
--- /trunk/src/VBox/Runtime/tools/RTSignTool.cpp	(revision 74759)
+++ /trunk/src/VBox/Runtime/tools/RTSignTool.cpp	(revision 74760)
@@ -1371,4 +1371,5 @@
 static DECLCALLBACK(int) VerifyExeCallback(RTLDRMOD hLdrMod, RTLDRSIGNATURETYPE enmSignature,
                                            void const *pvSignature, size_t cbSignature,
+                                           void const *pvExternalData, size_t cbExternalData,
                                            PRTERRINFO pErrInfo, void *pvUser)
 {
@@ -1396,4 +1397,12 @@
              * the authenticode policies into account.
              */
+            if (pvExternalData)
+                return RTCrPkcs7VerifySignedDataWithExternalData(pContentInfo,
+                                                                 RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY
+                                                                 | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT
+                                                                 | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT,
+                                                                 pState->hAdditionalStore, pState->hRootStore, &ValidationTime,
+                                                                 VerifyExecCertVerifyCallback, pState,
+                                                                 pvExternalData, cbExternalData, pErrInfo);
             return RTCrPkcs7VerifySignedData(pContentInfo,
                                              RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY
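Review bot: The verification flags are now spelled out twice, once in the new RTCrPkcs7VerifySignedDataWithExternalData call and once in the existing RTCrPkcs7VerifySignedData call, so a later policy change can easily update one path and miss the other. Hoist them into a local declared before the `if (pvExternalData)`, e.g. `uint32_t const fVerifyFlags = RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT;`, and pass that to both calls. The second call continues past the end of the hunk, so its remaining flags should be compared before merging the two lists.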
