Decode PKCS#7 Signature via Windows API?

Question

I wish to parse and display the contents of an Authenticode PKCS#7 signature as extracted from a Window PE binary's Security Directory.

I can use OpenSSL to do this on the command line with "openssl pkcs7 -text -in extracted_signature.pks -inform DER -print_certs", however I need to do this via C/C++ and the Windows API. I cannot use the OpenSSL library itself.

Using the CryptDecodeObjectEx API I can begin to decode the extracted signature:

CRYPT_CONTENT_INFO * content_info;
DWORD len;

CryptDecodeObjectEx(
    X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
    PKCS_CONTENT_INFO,
    pointer_to_extracted_signature,
    length_of_extracted_signature,
    CRYPT_DECODE_ALLOC_FLAG,
    NULL,
    &content_info,
    &len
);

The above call completes successfully and content_info->pszObjId will have an OID of "1.2.840.113549.1.7.2" (szOID_RSA_signedData) however I am unable to find the structures needed to continue decoding. The available OID's for CryptDecodeObjectEx are listed here.

Can anybody please advise how to decode an Authenticode PKCS#7 signature via the Windows API?

Answer 1

I have found the correct way to decode an Authenticode PKCS#7 signature is to use CryptQueryObject with the CERT_QUERY_OBJECT_BLOB and CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED flags set. Code snippit below for anybody who might need to do this.

CERT_BLOB cert_blob;
HCERTSTORE cert_store = NULL;
HCRYPTMSG cert_msg    = NULL;

cert_blob.pbData = pointer_to_extracted_signature;
cert_blob.cbData = length_of_extracted_signature;

CryptQueryObject(
    CERT_QUERY_OBJECT_BLOB,
    &cert_blob,
    CERT_QUERY_CONTENT_FLAG_PKCS7_SIGNED,
    CERT_QUERY_FORMAT_FLAG_BINARY,
    0,
    NULL,
    NULL,
    NULL,
    &cert_store,
    &cert_msg,
    NULL
);

PCCERT_CONTEXT next_cert = NULL;

while( (next_cert = CertEnumCertificatesInStore( cert_store, next_cert ) ) != NULL )
{
    // process next_cert...
}