|
Chilkat • HOME • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi DLL • Go • Java • Node.js • Objective-C • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(Tcl) Verify Authenticode Signature of EXE or DLLSee more Code Signing ExamplesDemonstrates how to verify an Authenticode signed EXE or DLL.Note: Chilkat's code signing class was added in v9.5.0.97
load ./chilkat.dll # This example requires the Chilkat API to have been previously unlocked. # See Global Unlock Sample for sample code. # You can verify a signed DLL or EXE. set path "c:/someDir/something.dll" # The verify method returns an overall indicator of whether # the EXE or DLL can be trusted or not. # The details of the signature are emitted to the JSON object # passed in the last argument. set json [new_CkJsonObject] CkJsonObject_put_EmitCompact $json 0 set validator [new_CkCodeSign] set valid [CkCodeSign_VerifySignature $validator $path $json] if {$valid == 0} then { # Validation failed. puts [CkCodeSign_lastErrorText $validator] # You can also examine the details of the validation (see below) puts [CkJsonObject_emit $json] delete_CkJsonObject $json delete_CkCodeSign $validator exit } # Examine the details of the Authenticode signature # println json.Emit(); # An example of the JSON details of an authenticode signature, with selected parsing code, is shown below. # # Use this online tool to generate parsing code from sample JSON: # Generate Parsing Code from JSON # { # "pkcs7": { # "verify": { # "peFile": { # "hashOid": "2.16.840.1.101.3.4.2.1", # "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw=" # }, # "certs": [ # { # "issuerCN": "AAA Certificate Services", # "serial": "48FC93B46055948D36A7C98A89D69416" # }, # { # "issuerCN": "Sectigo Public Code Signing Root R46", # "serial": "621D6D0C52019E3B9079152089211C0A" # }, # { # "issuerCN": "Sectigo Public Code Signing CA R36", # "serial": "3FF5B69109BFD4046C92CC0D18EE23C2" # } # ], # "digestAlgorithms": [ # "sha256" # ], # "signerInfo": [ # { # "cert": { # "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2", # "issuerCN": "Sectigo Public Code Signing CA R36", # "digestAlgOid": "2.16.840.1.101.3.4.2.1", # "digestAlgName": "SHA256" # }, # "contentType": "1.3.6.1.4.1.311.2.1.4", # "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=", # "signingAlgOid": "1.2.840.113549.1.1.1", # "signingAlgName": "RSA-PKCSV-1_5", # "authAttr": { # "1.3.6.1.4.1.311.2.1.12": { # "der": "MAA=" # }, # "1.2.840.113549.1.9.3": { # "name": "contentType", # "oid": "1.3.6.1.4.1.311.2.1.4" # }, # "1.3.6.1.4.1.311.2.1.11": { # "der": "MAwGCisGAQQBgjcCARU=" # }, # "1.2.840.113549.1.9.4": { # "name": "messageDigest", # "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=" # } # }, # "unauthAttr": { # "1.3.6.1.4.1.311.3.3.1": { # "name": "timestampToken", # "der": "MIIXJwY ... QZej", # "verify": { # "digestAlgorithms": [ # "sha256" # ], # "signerInfo": [ # { # "cert": { # "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116", # "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", # "digestAlgOid": "2.16.840.1.101.3.4.2.1", # "digestAlgName": "SHA256" # }, # "contentType": "1.2.840.113549.1.9.16.1.4", # "signingTime": "240117124047Z", # "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=", # "signingAlgOid": "1.2.840.113549.1.1.1", # "signingAlgName": "RSA-PKCSV-1_5", # "authAttr": { # "1.2.840.113549.1.9.3": { # "name": "contentType", # "oid": "1.2.840.113549.1.9.16.1.4" # }, # "1.2.840.113549.1.9.5": { # "name": "signingTime", # "utctime": "240117124047Z" # }, # "1.2.840.113549.1.9.16.2.12": { # "name": "signingCertificate", # "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA==" # }, # "1.2.840.113549.1.9.4": { # "name": "messageDigest", # "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=" # }, # "1.2.840.113549.1.9.16.2.47": { # "name": "signingCertificateV2", # "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA==" # } # } # } # ], # "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial" # }, # "timestampSignatureVerified": true, # "tstInfo": { # "tsaPolicyId": "2.16.840.1.114412.7.1", # "messageImprint": { # "hashAlg": "sha256", # "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=", # "digestMatches": true # }, # "serialNumber": "6E4597E574BC909213565DAEBC0E4888", # "genTime": "20240117124047Z" # } # } # } # } # ], # "pkcs7": { # "verify": { # "certs": [ # { # "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", # "serial": "0544AFF3949D0839A6BFDB3F5FE56116" # }, # { # "issuerCN": "DigiCert Trusted Root G4", # "serial": "073637B724547CD847ACFD28662A5E5B" # }, # { # "issuerCN": "DigiCert Assured ID Root CA", # "serial": "0E9B188EF9D02DE7EFDB50E20840185A" # } # ] # } # } # } # } # } set genTime [new_CkDtObj] set dt [new_CkDateTime] # Show the certificates embedded in the PKCS7 signature. puts "Certificates contained in the PKCS7 signature:" set i 0 set count_i [CkJsonObject_SizeOfArray $json "pkcs7.verify.certs"] while {$i < $count_i} { CkJsonObject_put_I $json $i set issuerCN [CkJsonObject_stringOf $json "pkcs7.verify.certs[i].issuerCN"] set serial [CkJsonObject_stringOf $json "pkcs7.verify.certs[i].serial"] puts "$issuerCN, $serial" set i [expr $i + 1] } # Show details about the signing certificate(s) set numSigners [CkJsonObject_SizeOfArray $json "pkcs7.verify.signerInfo"] set i 0 while {$i < $numSigners} { CkJsonObject_put_I $json $i puts "---- Signing Certificate ----" puts "serial number: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].cert.serialNumber}]" puts "issuerCN: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].cert.issuerCN}]" puts "hash algorithm: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].cert.digestAlgName}]" puts "signing algorithm: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].signingAlgName}]" # If this signature includes a timestamp token, get information about it. if {[CkJsonObject_HasMember $json "pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\""] == 1} then { # We're going to assume the timestamp token had only 1 signer.. puts "--- Timestamp Token ----" puts "TS hash algorithm: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.digestAlgorithms[0]}]" puts "TS certificate serial: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.signerInfo[0].cert.serialNumber}]" puts "TS certificate issuerCN: [CkJsonObject_stringOf $json {pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.signerInfo[0].cert.issuerCN}]" puts "timestamp signature verified: [CkJsonObject_BoolOf $json {pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".timestampSignatureVerified}]" CkJsonObject_DtOf $json "pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".tstInfo.genTime" 0 $genTime CkDateTime_SetFromDtObj $dt $genTime puts "timestamp date/time: [CkDateTime_getAsRfc822 $dt 1]" } set i [expr $i + 1] } puts "The Authenticode signature is valid." # Sample output: # Certificates contained in the PKCS7 signature: # AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416 # Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A # Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2 # ---- Signing Certificate ---- # serial number: 3FF5B69109BFD4046C92CC0D18EE23C2 # issuerCN: Sectigo Public Code Signing CA R36 # hash algorithm: SHA256 # signing algorithm: RSA-PKCSV-1_5 # --- Timestamp Token ---- # TS hash algorithm: sha256 # TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116 # TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA # timestamp signature verified: True # timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600 # The Authenticode signature is valid. delete_CkJsonObject $json delete_CkCodeSign $validator delete_CkDtObj $genTime delete_CkDateTime $dt |
||||
© 2000-2025 Chilkat Software, Inc. All Rights Reserved.