1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
/* SPDX-License-Identifier: MIT
*
* Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
*/
package version
import (
"encoding/asn1"
"os"
"unsafe"
"golang.org/x/sys/windows"
"golang.zx2c4.com/wireguard/windows/version/wintrust"
)
const (
officialCommonName = "WireGuard LLC"
evPolicyOid = "2.23.140.1.3"
policyExtensionOid = "2.5.29.32"
)
type policyQualifierInfo struct {
PolicyQualifierId asn1.ObjectIdentifier
Qualifier asn1.RawValue
}
type policyInformation struct {
Policy asn1.ObjectIdentifier
Qualifiers []policyQualifierInfo `asn1:"optional"`
}
func VerifyAuthenticode(path string) bool {
path16, err := windows.UTF16PtrFromString(path)
if err != nil {
return false
}
file := &wintrust.WinTrustFileInfo{
CbStruct: uint32(unsafe.Sizeof(wintrust.WinTrustFileInfo{})),
FilePath: path16,
}
data := &wintrust.WinTrustData{
CbStruct: uint32(unsafe.Sizeof(wintrust.WinTrustData{})),
UIChoice: wintrust.WTD_UI_NONE,
RevocationChecks: wintrust.WTD_REVOKE_WHOLECHAIN, // Full revocation checking, as this is called with network connectivity.
UnionChoice: wintrust.WTD_CHOICE_FILE,
StateAction: wintrust.WTD_STATEACTION_VERIFY,
FileOrCatalogOrBlobOrSgnrOrCert: uintptr(unsafe.Pointer(file)),
}
return wintrust.WinVerifyTrust(0, &wintrust.WINTRUST_ACTION_GENERIC_VERIFY_V2, data) == nil
}
// This is an easily by-passable check, which doesn't serve a security purpose but mostly just a low-grade
// informational and semantic one.
func IsRunningOfficialVersion() bool {
path, err := os.Executable()
if err != nil {
return false
}
// This is easily circumvented. We don't even verify the chain before hand with WinVerifyTrust.
// False certificates can be appended. But that's okay, as this isn't security related.
certs, err := wintrust.ExtractCertificates(path)
if err != nil {
return false
}
for _, cert := range certs {
if cert.Subject.CommonName == officialCommonName {
return true
}
}
return false
}
func IsRunningEVSigned() bool {
path, err := os.Executable()
if err != nil {
return false
}
// This is easily circumvented. We don't even verify the chain before hand with WinVerifyTrust.
// False certificates can be appended. But that's okay, as this isn't security related.
certs, err := wintrust.ExtractCertificates(path)
if err != nil {
return false
}
for _, cert := range certs {
for _, extension := range cert.Extensions {
if extension.Id.String() == policyExtensionOid {
var policies []policyInformation
if _, err = asn1.Unmarshal(extension.Value, &policies); err != nil {
continue
}
for _, policy := range policies {
if policy.Policy.String() == evPolicyOid {
return true
}
}
}
}
}
return false
}
|