views: 914

answers: 3

I have created a self-generated certificate to sign a DLL. When I load this DLL into my C++ application I am able to validate whether the code signing certificate is valid or not by using the WinVerifyTrust API.

But I am not able to find a way to detect that the DLL has been signed by one of my certificates. Even by using the CryptQueryObject API I do not find any useful information.

Does anyone have an idea on how to do this? Or is it even possible?

Thank you

+1  A: 

CryptVerifyCertificateSignature isn't what you want?

Bill Zeller
+1  A: 

Thank you for your reply.

I am puzzled how the CryptVerifyCertificateSignature function can help me. The MSDN documentation mentions that this function verifies the signature of a certificate by using the public key and does not require access to a private key.

Here is an example: Say that I have an ABC certificate. I use this certificate to code sign my DLL using signtool.exe. Now I have a DLL that has been signed with certificate ABC.

I have an application that needs to load this DLL. Before loading the DLL the application must validate that:

- The DLL has been signed and that the signature is valid. I used WinVerifyTrust.

- The DLL must have been signed with the ABC certificate provided by me.

Now the part I do not understand: How can CryptVerifyCertificateSignature validate that the DLL has been signed by certificate ABC and that this certificate is legit if it is not using the private key? Anybody could create a certificate ABC and sign his DLL….

I am new to this code signing stuff and maybe I am missing something here…

Thank you

Arkonis
I'm not familiar with the details of signtool, but you should be signing the key with your private key and verifying it with a public key. That way, only you can sign (because you have the private key) and anyone can verify the certificate.
Bill Zeller
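The two checks Arkonis lists (signature valid, and signed by *my* certificate ABC) map onto two Win32 steps: WinVerifyTrust for the first, and CryptQueryObject plus CryptMsgGetParam/CertFindCertificateInStore to pull the signer's leaf certificate out of the embedded PKCS#7 for the second. The example below is added here and is not code from the thread or from Microsoft's samples; the DLL path and the 40-hex-character SHA-1 thumbprint are placeholders you replace with your own. Pinning the thumbprint (or the public key) rather than the subject name is what closes the "anybody could create a certificate called ABC" gap: a look-alike certificate has a different key and therefore a different thumbprint. The hex/compare helpers are portable; the Win32 part is compiled only on Windows.

```cpp
// Added example: gate LoadLibrary on (1) a valid Authenticode signature and
// (2) a pinned signer certificate. Path and thumbprint below are placeholders.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Parse a hex thumbprint such as "ab12..." into raw bytes.
// Returns an empty vector on malformed input (odd length or non-hex chars).
std::vector<uint8_t> hexToBytes(const std::string& hex) {
    std::vector<uint8_t> out;
    if (hex.size() % 2 != 0) return out;
    auto nib = [](char c) -> int {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    };
    for (size_t i = 0; i < hex.size(); i += 2) {
        int hi = nib(hex[i]), lo = nib(hex[i + 1]);
        if (hi < 0 || lo < 0) return std::vector<uint8_t>();
        out.push_back(static_cast<uint8_t>((hi << 4) | lo));
    }
    return out;
}

// Compare a 20-byte SHA-1 thumbprint against the pinned hex value without
// early exit, so the comparison time does not leak which byte differed.
bool thumbprintMatches(const std::vector<uint8_t>& actual, const std::string& expectedHex) {
    std::vector<uint8_t> expected = hexToBytes(expectedHex);
    if (expected.size() != 20 || actual.size() != 20) return false;
    unsigned diff = 0;
    for (size_t i = 0; i < 20; ++i) diff |= actual[i] ^ expected[i];
    return diff == 0;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#include <wintrust.h>
#include <softpub.h>
#pragma comment(lib, "crypt32.lib")
#pragma comment(lib, "wintrust.lib")

// Step 1: WinVerifyTrust - embedded signature present, file hash matches,
// and the certificate chains to a root the machine trusts.
bool signatureIsValid(const wchar_t* path) {
    WINTRUST_FILE_INFO fileInfo = {};
    fileInfo.cbStruct = sizeof(fileInfo);
    fileInfo.pcwszFilePath = path;
    WINTRUST_DATA wd = {};
    wd.cbStruct = sizeof(wd);
    wd.dwUIChoice = WTD_UI_NONE;
    wd.fdwRevocationChecks = WTD_REVOKE_NONE;
    wd.dwUnionChoice = WTD_CHOICE_FILE;
    wd.pFile = &fileInfo;
    wd.dwStateAction = WTD_STATEACTION_VERIFY;
    GUID action = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    LONG status = WinVerifyTrust(NULL, &action, &wd);
    wd.dwStateAction = WTD_STATEACTION_CLOSE;   // release hWVTStateData
    WinVerifyTrust(NULL, &action, &wd);
    return status == ERROR_SUCCESS;
}

// Step 2: open the embedded PKCS#7, locate the signer's certificate by
// issuer + serial, and read its SHA-1 thumbprint (CERT_SHA1_HASH_PROP_ID).
bool getSignerThumbprint(const wchar_t* path, std::vector<uint8_t>& thumb) {
    HCERTSTORE hStore = NULL; HCRYPTMSG hMsg = NULL; bool ok = false;
    if (!CryptQueryObject(CERT_QUERY_OBJECT_FILE, path,
            CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED_EMBED, CERT_QUERY_FORMAT_FLAG_BINARY,
            0, NULL, NULL, NULL, &hStore, &hMsg, NULL))
        return false;
    DWORD cb = 0;
    if (CryptMsgGetParam(hMsg, CMSG_SIGNER_INFO_PARAM, 0, NULL, &cb)) {
        std::vector<BYTE> buf(cb);
        if (CryptMsgGetParam(hMsg, CMSG_SIGNER_INFO_PARAM, 0, buf.data(), &cb)) {
            PCMSG_SIGNER_INFO si = reinterpret_cast<PCMSG_SIGNER_INFO>(buf.data());
            CERT_INFO ci = {};
            ci.Issuer = si->Issuer;
            ci.SerialNumber = si->SerialNumber;
            PCCERT_CONTEXT cert = CertFindCertificateInStore(hStore,
                X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_SUBJECT_CERT, &ci, NULL);
            if (cert) {
                DWORD cbHash = 0;
                if (CertGetCertificateContextProperty(cert, CERT_SHA1_HASH_PROP_ID, NULL, &cbHash)) {
                    thumb.resize(cbHash);
                    ok = CertGetCertificateContextProperty(cert, CERT_SHA1_HASH_PROP_ID,
                                                           thumb.data(), &cbHash) != 0;
                }
                CertFreeCertificateContext(cert);
            }
        }
    }
    CryptMsgClose(hMsg);
    CertCloseStore(hStore, 0);
    return ok;
}

// Only call LoadLibraryW(path) when both checks pass, on the same path.
bool safeToLoad(const wchar_t* path, const std::string& expectedThumbHex) {
    std::vector<uint8_t> thumb;
    return signatureIsValid(path) && getSignerThumbprint(path, thumb)
        && thumbprintMatches(thumb, expectedThumbHex);
}
#endif
```

Two caveats for a self-generated certificate: WinVerifyTrust only returns ERROR_SUCCESS once the certificate (or its issuing root) is in the machine's Trusted Root store, otherwise you get CERT_E_UNTRUSTEDROOT and step 1 fails before step 2 is reached; and the thumbprint check must be done on the same file path that is then passed to LoadLibraryW, with the DLL in a location untrusted users cannot write to, or the verified file and the loaded file may differ.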
A: 

If you sign a certificate using your private key, it can only be verified with your public key. That's how public-key cryptography works. If you can use a public key to verify the signature, then you know that the corresponding private key must have been used to sign it.

Graeme Perrow