I have created a self generated certificate to sign a DLL. When I load this DLL into my C++ application I am able to validate if the code signing certificate is valid or not by using the WinVerifyTrust api.
But I am not able to find a way to detect that the DLL has been signed by one of my certificates. Even by using the CryptQueryObject api I do not find any useful information.
Does anyone have a idea on how to do this? Or is it event possible?
Thank you
Thank you for your reply.
I am puzzled how the CryptVerifyCertificateSignature function can help me. The MSDN documentation mentioning that this function verifies the signature of a certificate by using the public key and does not require access to a private key.
Here is an example: Say that I have an ABC certificate. I use this certificate to code sign my DLL using signtool. exe Now I have a DLL that has been signed with certificate ABC.
I have an application that need to load this DLL. Before loading the DLL the application must validate that:
-The DLL has been signed and that the signature is valid. I used WinVerifyTrust
-The DLL must have been signed with the ABC certificate provide by me.
Now the part I do not understand: How can CryptVerifyCertificateSignature validate that the DLL has been signed by certificate ABC and that this certificate is legit if it is not using the private key? Anybody could create a certificate ABC and sign his DLL….
I am new to this code signing stuff and maybe I am missing a something here…
Thank you
If you sign a certificate using your private key, it can only be verified with your public key. That's how public-key cryptography works. If you can use a public key to verify the signature, then you know that the corresponding private key must have been used to sign it.