authorJason A. Donenfeld <Jason@zx2c4.com>2019-04-30 09:41:36 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-04-30 09:41:36 +0200
commitf022feba7b2cfaa647487c5f53bacd00298d44de (patch)
treed3a856a9a091733acf676287238643864a42606c /version/official_windows.go
parentui: allow update labels to wrap (diff)
version: add beginnings of authenticode checking
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'version/official_windows.go')
-rw-r--r--version/official_windows.go48
1 files changed, 48 insertions, 0 deletions
diff --git a/version/official_windows.go b/version/official_windows.go
new file mode 100644
index 00000000..745c2ba6
--- /dev/null
+++ b/version/official_windows.go
@@ -0,0 +1,48 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package version
+
+import (
+ "golang.org/x/sys/windows"
+ "golang.zx2c4.com/wireguard/windows/version/wintrust"
+ "os"
+ "unsafe"
+)
+
+func IsOfficialPath(path string) bool {
+ path16, err := windows.UTF16PtrFromString(path)
+ if err != nil {
+ return false
+ }
+ file := &wintrust.WinTrustFileInfo{
+ CbStruct: uint32(unsafe.Sizeof(wintrust.WinTrustFileInfo{})),
+ FilePath: path16,
+ }
+ data := &wintrust.WinTrustData{
+ CbStruct: uint32(unsafe.Sizeof(wintrust.WinTrustData{})),
+ UIChoice: wintrust.WTD_UI_NONE,
+ RevocationChecks: wintrust.WTD_REVOKE_NONE,
+ UnionChoice: wintrust.WTD_CHOICE_FILE,
+ StateAction: wintrust.WTD_STATEACTION_VERIFY,
+ FileOrCatalogOrBlobOrSgnrOrCert: uintptr(unsafe.Pointer(file)),
+ }
+ err = wintrust.WinVerifyTrust(0, &wintrust.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
+ if err != nil {
+ return false
+ }
+
+ //TODO: check that the certificate actually belongs to us
+
+ return true
+}
+
+func IsOfficial() bool {
+ path, err := os.Executable()
+ if err != nil {
+ return false
+ }
+ return IsOfficialPath(path)
+}
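Review bot: `IsOfficialPath` returns true for any file whose Authenticode signature validates, whoever the publisher is, because the signer comparison is still the `//TODO` just before `return true`; with `RevocationChecks: wintrust.WTD_REVOKE_NONE` a signature from a revoked certificate is not rejected either. Until that check lands, callers should not treat the result as proof of origin, and the exported function should say so in a doc comment, e.g. `// IsOfficialPath reports whether path carries a valid Authenticode signature; it does not yet verify that the signing certificate belongs to this project.` Separately, the Win32 documentation requires every `WTD_STATEACTION_VERIFY` call to be paired with a `WTD_STATEACTION_CLOSE` call on the same data to free the provider state, and no such call appears in this function, on either the success or the error path. `file` is also reachable only through the `uintptr` field `FileOrCatalogOrBlobOrSgnrOrCert` while `WinVerifyTrust` runs, which the garbage collector does not track as a reference, so adding `runtime.KeepAlive(file)` after the call would be prudent.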