authorJason A. Donenfeld <Jason@zx2c4.com>2020-11-30 17:34:55 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2020-11-30 22:07:27 +0100
commit163beba470f71cd6f68dc17cd9b7fa0035945f25 (patch)
tree66a7ebd3bfb78c77b85672ebd093c2741ba69f05 /version/official_windows.go
parentupdater: another attempt at winhttp (diff)
version: use crypt32 instead of go x509 for cn extraction for file size
Another attempt at removing an asn1 parser. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'version/official_windows.go')
-rw-r--r--version/official_windows.go47
1 files changed, 11 insertions, 36 deletions
diff --git a/version/official_windows.go b/version/official_windows.go
index 2ca33b43..12b95e3b 100644
--- a/version/official_windows.go
+++ b/version/official_windows.go
@@ -6,11 +6,11 @@
package version
import (
- "encoding/asn1"
"os"
"unsafe"
"golang.org/x/sys/windows"
+
"golang.zx2c4.com/wireguard/windows/version/wintrust"
)
@@ -20,16 +20,6 @@ const (
policyExtensionOid = "2.5.29.32"
)
-type policyQualifierInfo struct {
- PolicyQualifierId asn1.ObjectIdentifier
- Qualifier asn1.RawValue
-}
-
-type policyInformation struct {
- Policy asn1.ObjectIdentifier
- Qualifiers []policyQualifierInfo `asn1:"optional"`
-}
-
func VerifyAuthenticode(path string) bool {
path16, err := windows.UTF16PtrFromString(path)
if err != nil {
@@ -50,23 +40,21 @@ func VerifyAuthenticode(path string) bool {
return wintrust.WinVerifyTrust(windows.InvalidHandle, &wintrust.WINTRUST_ACTION_GENERIC_VERIFY_V2, data) == nil
}
-// This is an easily by-passable check, which doesn't serve a security purpose but mostly just a low-grade
-// informational and semantic one.
+// These are easily by-passable checks, which do not serve serve security purposes. Do not place security-sensitive
+// functions below this line.
+
func IsRunningOfficialVersion() bool {
path, err := os.Executable()
if err != nil {
return false
}
- // This is easily circumvented. We don't even verify the chain before hand with WinVerifyTrust.
- // False certificates can be appended. But that's okay, as this isn't security related.
-
- certs, err := wintrust.ExtractCertificates(path)
+ names, err := wintrust.ExtractCertificateNames(path)
if err != nil {
return false
}
- for _, cert := range certs {
- if cert.Subject.CommonName == officialCommonName {
+ for _, name := range names {
+ if name == officialCommonName {
return true
}
}
@@ -79,26 +67,13 @@ func IsRunningEVSigned() bool {
return false
}
- // This is easily circumvented. We don't even verify the chain before hand with WinVerifyTrust.
- // False certificates can be appended. But that's okay, as this isn't security related.
-
- certs, err := wintrust.ExtractCertificates(path)
+ policies, err := wintrust.ExtractCertificatePolicies(path, policyExtensionOid)
if err != nil {
return false
}
- for _, cert := range certs {
- for _, extension := range cert.Extensions {
- if extension.Id.String() == policyExtensionOid {
- var policies []policyInformation
- if _, err = asn1.Unmarshal(extension.Value, &policies); err != nil {
- continue
- }
- for _, policy := range policies {
- if policy.Policy.String() == evPolicyOid {
- return true
- }
- }
- }
+ for _, policy := range policies {
+ if policy == evPolicyOid {
+ return true
}
}
return false
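Review bot: The new section comment placed above IsRunningOfficialVersion has a doubled word (`serve serve`) and, by replacing the two per-function notes it removes, drops the concrete reason the checks are bypassable: the names and policy OIDs are read out of the file's signature without the chain being verified first, so a certificate appended to the signature would satisfy either loop. Suggest `// These are easily by-passable checks, which do not serve security purposes: certificate names and policies are extracted without verifying the chain, so appended certificates pass. Do not place security-sensitive functions below this line.` so that the rationale survives alongside the rule. The same caveat applies to the rewritten policy loop here in IsRunningEVSigned, whose signature and closing brace lie outside the hunk, and to the name loop in the preceding hunk.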