Verifying the integrity and authenticity of digitally signed libraries
Posted by - NA -, Last modified by Tanner O on 18 October 2017 02:50 PM

Introduction

Microsoft Authenticode technology is used to digitally sign executable and other file formats in order to embed information about the author and to provide a means of verifying the trustworthiness of the author and the integrity of the file to ensure it is safe and has not been altered. A trusted certification authority (CA) issues certificates that are used to sign such files.

Authenticode is often used to sign installers so that the Windows User Account Control (UAC) prompt shows the author's company name as a verified publisher. There are many other potential uses of Authenticode technology, but the focus of this article is on Dynamic-Link Library (DLL) security.

Protection PLUS offers a number of DLLs for accessing the various licensing APIs. The Protection PLUS 5 SDK is available in various editions, which include either PLUSManaged.dll and PLUSManagedGui.dll, or PLUSNative.dll. Instant Protection PLUS 3 also has a DLL interface (IP2Lib32.dll and IP2Lib64.dll). Digitally signed versions of these libraries are currently available upon request. Note that the Protection PLUS 5 SDK PLUSManaged libraries are only available as Strong-Named assemblies.

To take advantage of these signed libraries you must add code to your application that verifies the signature and checks that we are the publisher who signed the library. This verification cannot be built into the libraries themselves: a tampered library could simply report itself as valid. Implementing signature verification in your own application helps prevent dependent licensing libraries, or any other signed libraries, from being tampered with or faked. Without it, a library could be altered to always return "SUCCESS" from the licensing routines, or a proxy DLL could be used to intercept your sensitive information or to reverse engineer your intellectual property.

For additional security tips, view our blog post: 4 things developers often overlook when securing their software

Implementing Signature Verification

C/C++ applications, as well as other comparable languages that support DLLs, are able to use the Microsoft CryptoAPI's WinTrust library to verify that the signature is trusted and that the file has not been modified. This is all accomplished with the WinVerifyTrust function. .NET applications can call this function using P/Invoke. An example program for "Verifying the Signature of a PE File" can be found at http://msdn.microsoft.com/en-us/library/aa382384(v=VS.85).aspx

Programming languages that support ActiveX, such as Visual Basic (VB6), can use the CryptoAPI's COM interface (CAPICOM). The SignedCode object is used to load the file and to verify that the certificate in its signature is valid. A Visual Basic example follows:

    Dim isValid As Boolean
    Dim codeSignature As New SignedCode

    ' Assume the library is good until a check fails
    isValid = True
    codeSignature.FileName = App.Path & "\PLUSMANAGED.DLL"
    ' Certificates is a 1-based CAPICOM collection; check the validity of the certificate at index 4
    If Not codeSignature.Certificates(4).IsValid Then
        isValid = False
    End If

Implementing Publisher Verification

After the signature has been verified, you must then verify that the publisher is who you believe it is. This is done by comparing the publisher information extracted from the certificate against known values.

C/C++ applications, as well as other comparable languages that support DLLs, are able to use the Microsoft CryptoAPI's "Certificate Verification Functions" to extract the publisher information. An example of "How To Get Information from Authenticode Signed Executables" can be found at http://support.microsoft.com/kb/323809/en-us

Programming languages that support ActiveX, such as Visual Basic (VB6), can use the CryptoAPI's COM interface (CAPICOM). The Certificate object's GetInfo method is used to extract the publisher information. A Visual Basic example follows:

    Dim isValid As Boolean
    Dim codeSignature As New SignedCode

    ' Assume the library is good until a check fails
    isValid = True
    codeSignature.FileName = App.Path & "\PLUSMANAGED.DLL"

    ' Compare the subject name of the signing certificate against the expected publisher
    If codeSignature.Certificates(1).GetInfo(CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME) <> "Concept Software Inc." Then
        isValid = False
    End If

.NET applications can use the X509Certificate or X509Certificate2 classes in the System.Security.Cryptography.X509Certificates namespace to extract the publisher information. A C# example follows:

    using System.Security.Cryptography.X509Certificates;

    bool isValid = true;
    // Constructing X509Certificate2 from a signed PE file yields the signer's certificate
    X509Certificate2 cert = new X509Certificate2(fileName); // fileName: path to the signed library

    if (!cert.Subject.StartsWith("CN=Concept Software Inc."))
    {
        isValid = false;
    }
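
As an added example (not code from this article or from the Protection PLUS SDK), the two steps above combined for a .NET application in C#: WinVerifyTrust is called through P/Invoke for the signature and integrity check, and the signer certificate is then compared against a pinned subject and thumbprint. The class name, the P/Invoke declarations and the PINNED_THUMBPRINT_PLACEHOLDER value are assumptions; the policy GUID is the standard WINTRUST_ACTION_GENERIC_VERIFY_V2 value.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

static class SignedLibraryCheck
{
    // WINTRUST_ACTION_GENERIC_VERIFY_V2 selects the Authenticode policy provider.
    static readonly Guid AuthenticodeAction = new Guid("00AAC56B-CD44-11d0-8CC2-00C04FC295EE");

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WINTRUST_FILE_INFO { public uint cbStruct; public string pcwszFilePath; public IntPtr hFile, pgKnownSubject; }

    [StructLayout(LayoutKind.Sequential)]
    struct WINTRUST_DATA
    {
        public uint cbStruct; public IntPtr pPolicyCallbackData, pSIPClientData;
        public uint dwUIChoice, fdwRevocationChecks, dwUnionChoice; public IntPtr pFile;
        public uint dwStateAction; public IntPtr hWVTStateData, pwszURLReference;
        public uint dwProvFlags, dwUIContext; public IntPtr pSignatureSettings; // Windows 8+ field, left null
    }

    [DllImport("wintrust.dll", ExactSpelling = true)]
    static extern int WinVerifyTrust(IntPtr hwnd, ref Guid action, ref WINTRUST_DATA data);

    // Step 1: a signature is present, the file hash still matches, and the chain ends in a trusted root.
    public static bool HasTrustedSignature(string path)
    {
        var fileInfo = new WINTRUST_FILE_INFO { pcwszFilePath = path };
        fileInfo.cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_FILE_INFO));
        IntPtr pFile = Marshal.AllocHGlobal((int)fileInfo.cbStruct);
        Marshal.StructureToPtr(fileInfo, pFile, false);
        var data = new WINTRUST_DATA { dwUIChoice = 2 /* WTD_UI_NONE */, fdwRevocationChecks = 0 /* WTD_REVOKE_NONE */,
            dwUnionChoice = 1 /* WTD_CHOICE_FILE */, pFile = pFile, dwStateAction = 1 /* WTD_STATEACTION_VERIFY */ };
        data.cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_DATA));
        Guid action = AuthenticodeAction;
        try { return WinVerifyTrust(IntPtr.Zero, ref action, ref data) == 0; } // 0 == ERROR_SUCCESS
        finally
        {
            data.dwStateAction = 2; // WTD_STATEACTION_CLOSE releases hWVTStateData
            WinVerifyTrust(IntPtr.Zero, ref action, ref data);
            Marshal.FreeHGlobal(pFile);
        }
    }

    // Step 2: the publisher. The thumbprint is pinned as well as the subject name, because a
    // prefix match on "CN=..." alone also accepts a similarly named certificate from another CA.
    public static bool IsExpectedPublisher(string path, string pinnedThumbprint = "PINNED_THUMBPRINT_PLACEHOLDER")
    {
        var cert = new X509Certificate2(path); // loads the signer certificate embedded in the PE file
        return cert.Subject.StartsWith("CN=Concept Software Inc.", StringComparison.Ordinal)
            && string.Equals(cert.Thumbprint, pinnedThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

Run both checks before the first call into the library; for a managed assembly that is referenced directly, keep the calls into it in a separate method so the CLR does not load the assembly before the check has executed.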

Other third-party APIs may be available for verifying Authenticode signatures or extracting information from the X.509 certificates contained within them.

The check can also stop the program outright instead of setting a flag, as in this Visual Basic variant:

    Dim code As New SignedCode
    code.FileName = App.Path & "\PLUSMANAGED.DLL"

    ' Abort the application if the signing certificate is not valid
    If Not code.Certificates(4).IsValid Then
        MsgBox "Invalid Library"
        End
    End If