|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(Delphi DLL) Verify Authenticode Signature of EXE or DLLSee more Code Signing ExamplesDemonstrates how to verify an Authenticode signed EXE or DLL. Note: Chilkat's code signing class was added in v9.5.0.97
uses Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics, Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, CodeSign, DtObj, JsonObject, CkDateTime; ... procedure TForm1.Button1Click(Sender: TObject); var path: PWideChar; json: HCkJsonObject; validator: HCkCodeSign; valid: Boolean; issuerCN: PWideChar; serial: PWideChar; genTime: HCkDtObj; dt: HCkDateTime; i: Integer; count_i: Integer; numSigners: Integer; begin // This example requires the Chilkat API to have been previously unlocked. // See Global Unlock Sample for sample code. // You can verify a signed DLL or EXE. path := 'c:/someDir/something.dll'; // The verify method returns an overall indicator of whether // the EXE or DLL can be trusted or not. // The details of the signature are emitted to the JSON object // passed in the last argument. json := CkJsonObject_Create(); CkJsonObject_putEmitCompact(json,False); validator := CkCodeSign_Create(); valid := CkCodeSign_VerifySignature(validator,path,json); if (valid = False) then begin // Validation failed. Memo1.Lines.Add(CkCodeSign__lastErrorText(validator)); // You can also examine the details of the validation (see below) Memo1.Lines.Add(CkJsonObject__emit(json)); Exit; end; // Examine the details of the Authenticode signature // println json.Emit(); // An example of the JSON details of an authenticode signature, with selected parsing code, is shown below. // // Use this online tool to generate parsing code from sample JSON: // Generate Parsing Code from JSON // { // "pkcs7": { // "verify": { // "peFile": { // "hashOid": "2.16.840.1.101.3.4.2.1", // "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw=" // }, // "certs": [ // { // "issuerCN": "AAA Certificate Services", // "serial": "48FC93B46055948D36A7C98A89D69416" // }, // { // "issuerCN": "Sectigo Public Code Signing Root R46", // "serial": "621D6D0C52019E3B9079152089211C0A" // }, // { // "issuerCN": "Sectigo Public Code Signing CA R36", // "serial": "3FF5B69109BFD4046C92CC0D18EE23C2" // } // ], // "digestAlgorithms": [ // "sha256" // ], // "signerInfo": [ // { // "cert": { // "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2", // "issuerCN": "Sectigo Public Code Signing CA R36", // "digestAlgOid": "2.16.840.1.101.3.4.2.1", // "digestAlgName": "SHA256" // }, // "contentType": "1.3.6.1.4.1.311.2.1.4", // "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=", // "signingAlgOid": "1.2.840.113549.1.1.1", // "signingAlgName": "RSA-PKCSV-1_5", // "authAttr": { // "1.3.6.1.4.1.311.2.1.12": { // "der": "MAA=" // }, // "1.2.840.113549.1.9.3": { // "name": "contentType", // "oid": "1.3.6.1.4.1.311.2.1.4" // }, // "1.3.6.1.4.1.311.2.1.11": { // "der": "MAwGCisGAQQBgjcCARU=" // }, // "1.2.840.113549.1.9.4": { // "name": "messageDigest", // "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=" // } // }, // "unauthAttr": { // "1.3.6.1.4.1.311.3.3.1": { // "name": "timestampToken", // "der": "MIIXJwY ... QZej", // "verify": { // "digestAlgorithms": [ // "sha256" // ], // "signerInfo": [ // { // "cert": { // "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116", // "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", // "digestAlgOid": "2.16.840.1.101.3.4.2.1", // "digestAlgName": "SHA256" // }, // "contentType": "1.2.840.113549.1.9.16.1.4", // "signingTime": "240117124047Z", // "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=", // "signingAlgOid": "1.2.840.113549.1.1.1", // "signingAlgName": "RSA-PKCSV-1_5", // "authAttr": { // "1.2.840.113549.1.9.3": { // "name": "contentType", // "oid": "1.2.840.113549.1.9.16.1.4" // }, // "1.2.840.113549.1.9.5": { // "name": "signingTime", // "utctime": "240117124047Z" // }, // "1.2.840.113549.1.9.16.2.12": { // "name": "signingCertificate", // "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA==" // }, // "1.2.840.113549.1.9.4": { // "name": "messageDigest", // "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=" // }, // "1.2.840.113549.1.9.16.2.47": { // "name": "signingCertificateV2", // "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA==" // } // } // } // ], // "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial" // }, // "timestampSignatureVerified": true, // "tstInfo": { // "tsaPolicyId": "2.16.840.1.114412.7.1", // "messageImprint": { // "hashAlg": "sha256", // "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=", // "digestMatches": true // }, // "serialNumber": "6E4597E574BC909213565DAEBC0E4888", // "genTime": "20240117124047Z" // } // } // } // } // ], // "pkcs7": { // "verify": { // "certs": [ // { // "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", // "serial": "0544AFF3949D0839A6BFDB3F5FE56116" // }, // { // "issuerCN": "DigiCert Trusted Root G4", // "serial": "073637B724547CD847ACFD28662A5E5B" // }, // { // "issuerCN": "DigiCert Assured ID Root CA", // "serial": "0E9B188EF9D02DE7EFDB50E20840185A" // } // ] // } // } // } // } // } genTime := CkDtObj_Create(); dt := CkDateTime_Create(); // Show the certificates embedded in the PKCS7 signature. Memo1.Lines.Add('Certificates contained in the PKCS7 signature:'); i := 0; count_i := CkJsonObject_SizeOfArray(json,'pkcs7.verify.certs'); while i < count_i do begin CkJsonObject_putI(json,i); issuerCN := CkJsonObject__stringOf(json,'pkcs7.verify.certs[i].issuerCN'); serial := CkJsonObject__stringOf(json,'pkcs7.verify.certs[i].serial'); Memo1.Lines.Add(issuerCN + ', ' + serial); i := i + 1; end; // Show details about the signing certificate(s) numSigners := CkJsonObject_SizeOfArray(json,'pkcs7.verify.signerInfo'); i := 0; while i < numSigners do begin CkJsonObject_putI(json,i); Memo1.Lines.Add('---- Signing Certificate ----'); Memo1.Lines.Add('serial number: ' + CkJsonObject__stringOf(json,'pkcs7.verify.signerInfo[i].cert.serialNumber')); Memo1.Lines.Add('issuerCN: ' + CkJsonObject__stringOf(json,'pkcs7.verify.signerInfo[i].cert.issuerCN')); Memo1.Lines.Add('hash algorithm: ' + CkJsonObject__stringOf(json,'pkcs7.verify.signerInfo[i].cert.digestAlgName')); Memo1.Lines.Add('signing algorithm: ' + CkJsonObject__stringOf(json,'pkcs7.verify.signerInfo[i].signingAlgName')); // If this signature includes a timestamp token, get information about it. if (CkJsonObject_HasMember(json,'pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1"') = True) then begin // We're going to assume the timestamp token had only 1 signer.. Memo1.Lines.Add('--- Timestamp Token ----'); Memo1.Lines.Add('TS hash algorithm: ' + CkJsonObject__stringOf(json,'pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.digestAlgorithms[0]')); Memo1.Lines.Add('TS certificate serial: ' + CkJsonObject__stringOf(json,'pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.signerInfo[0].cert.serialNumber')); Memo1.Lines.Add('TS certificate issuerCN: ' + CkJsonObject__stringOf(json,'pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.signerInfo[0].cert.issuerCN')); Memo1.Lines.Add('timestamp signature verified: ' + IntToStr(Ord(CkJsonObject_BoolOf(json,'pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".timestampSignatureVerified')))); CkJsonObject_DtOf(json,'pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".tstInfo.genTime',False,genTime); CkDateTime_SetFromDtObj(dt,genTime); Memo1.Lines.Add('timestamp date/time: ' + CkDateTime__getAsRfc822(dt,True)); end; i := i + 1; end; Memo1.Lines.Add('The Authenticode signature is valid.'); // Sample output: // Certificates contained in the PKCS7 signature: // AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416 // Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A // Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2 // ---- Signing Certificate ---- // serial number: 3FF5B69109BFD4046C92CC0D18EE23C2 // issuerCN: Sectigo Public Code Signing CA R36 // hash algorithm: SHA256 // signing algorithm: RSA-PKCSV-1_5 // --- Timestamp Token ---- // TS hash algorithm: sha256 // TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116 // TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA // timestamp signature verified: True // timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600 // The Authenticode signature is valid. CkJsonObject_Dispose(json); CkCodeSign_Dispose(validator); CkDtObj_Dispose(genTime); CkDateTime_Dispose(dt); end; |
||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.