Hello,

Given a signed Windows portable executable, I want to programmatically verify 
two things using OpenSSL APIs:

1. Verify the digital signature.
2. Confirm that the executable is signed by a specific company using that 
company's public key.

It seems that part (1) can be done by parsing the signedData attribute in the 
portable executable, extracting the hashing algorithm and digest stored there, 
re-computing the digest of the executable using the same hashing algorithm, and 
matching them.

I have the following questions.

1. The signedData contains messageDigest (unencrypted) and encryptedDigest 
(encrypted). Is it enough to match messageDigest with the computed digest? Or 
do we also need to decrypt the encryptedDigest using the company public key and 
match that as well?
2. What does PKCS7_verify exactly do? I looked at 
https://www.openssl.org/docs/crypto/PKCS7_verify.html and I understand that 
it verifies the certificate chain. However, it's not clear to me what 
exactly it does with respect to signature verification.
3. I am assuming that I need to do both (1) and (2) in order to verify the 
Authenticode signature?
4. What is the best way to verify that the executable is signed by a specific 
company using that company's public key?

Any inputs will be greatly appreciated!

Thanks.
-Prasad
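As an added example (not part of Prasad's post, and not OpenSSL code), here is the "re-compute the digest of the executable" step from part (1): the value that must match the digest stored in the signature is the Authenticode PE hash, which covers the file except the CheckSum field, the Security data-directory entry and the appended certificate table, so hashing the whole file never matches. The `build_test_pe` helper constructs a header-only PE32+ skeleton purely so the hash can be exercised offline; the WIN_CERTIFICATE payload in it is a constructed placeholder, not a real PKCS#7 blob.

```python
import hashlib
import struct

# Authenticode PE hash: the digest stored in SpcIndirectDataContent is not a hash of the
# whole file. Everything is hashed except the CheckSum field, the Security data-directory
# entry and the Certificate Table (the WIN_CERTIFICATE blob that entry points to).
# Assumption: sections are hashed in file order, which is the spec's PointerToRawData order for ordinary linker output.
def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32: data directories start at +96
        sec_dir = opt + 128
    elif magic == 0x20B:                     # PE32+: data directories start at +112
        sec_dir = opt + 144
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum = opt + 64
    cert_off, cert_len = struct.unpack_from("<II", pe, sec_dir)
    h = hashlib.new(algo)
    h.update(pe[:checksum])                  # up to, not including, CheckSum
    h.update(pe[checksum + 4:sec_dir])       # up to the Security directory entry
    end = cert_off if cert_len else len(pe)  # unsigned image: nothing to exclude
    h.update(pe[sec_dir + 8:end])            # rest of the file minus the Certificate Table
    h.update(pe[end + cert_len:])            # trailing bytes after the table (usually none)
    return h.hexdigest()

def build_test_pe(code: bytes, cert_blob: bytes, checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ image (header skeleton, not loadable) with a
    WIN_CERTIFICATE table appended, so the hash can be exercised offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                              # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)                          # CheckSum field
    cert_off = len(dos) + len(coff) + len(opt) + len(code)
    wincert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    struct.pack_into("<II", opt, 144, cert_off, len(wincert))          # Security directory entry
    return dos + coff + bytes(opt) + code + wincert

def demo() -> dict:
    code = b"\x90" * 40                                                # constructed section bytes
    base = authenticode_hash(build_test_pe(code, b"PKCS#7 blob A"))
    return {
        "cert_table_ignored": base == authenticode_hash(build_test_pe(code, b"longer PKCS#7 blob B")),
        "checksum_ignored": base == authenticode_hash(build_test_pe(code, b"PKCS#7 blob A", 0xDEADBEEF)),
        "code_change_detected": base != authenticode_hash(build_test_pe(code[:-1] + b"\xcc", b"PKCS#7 blob A")),
    }
```

The recomputed value is compared with the digest carried inside SpcIndirectDataContent (the PKCS#7 signed content), whereas the messageDigest signed attribute is the hash of that content and is what PKCS7_verify checks, together with the signature over the signed attributes and the signer's chain.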