c/minizip-ng
1
0
Fork 0
mirror of https://github.com/zlib-ng/minizip-ng synced 2025-03-28 21:13:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Remove signing feature.

Browse Source 
Too much work to maintain and rarely used. Continue to use v3 for that feature.
This commit is contained in:
Nathan Moinvaziri 2023-03-13 08:45:48 -07:00
parent 8d2488c481
commit 3da04514cd
13 changed files with 103 additions and 1081 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
.github/workflows/build.yml vendored
View File

@ -12,7 +12,7 @@ jobs:
os: ubuntu-18.04
compiler: gcc
cxx-compiler: g++
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON
cmake-args: -D MZ_CODE_COVERAGE=ON
version: "4.8"
codecov: ubuntu_18_gcc_48
@ -20,14 +20,14 @@ jobs:
os: ubuntu-18.04
compiler: gcc
cxx-compiler: g++
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON
cmake-args: -D MZ_CODE_COVERAGE=ON
codecov: ubuntu_18_gcc
- name: Ubuntu 18 Clang 3.9
os: ubuntu-18.04
compiler: clang
cxx-compiler: clang++
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON
cmake-args: -D MZ_CODE_COVERAGE=ON
codecov: ubuntu_18_clang_39
version: "3.7"
packages: llvm-3.9
@ -45,7 +45,7 @@ jobs:
os: ubuntu-latest
compiler: gcc
cxx-compiler: g++
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON
cmake-args: -D MZ_CODE_COVERAGE=ON
codecov: ubuntu_gcc
- name: Ubuntu GCC OSB
@ -54,14 +54,14 @@ jobs:
cxx-compiler: g++
build-dir: ../build
build-src-dir: ../minizip-ng
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON
cmake-args: -D MZ_CODE_COVERAGE=ON
codecov: ubuntu_gcc_osb
- name: Ubuntu Clang
os: ubuntu-latest
compiler: clang-14
cxx-compiler: clang++-14
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON
cmake-args: -D MZ_CODE_COVERAGE=ON
codecov: ubuntu_clang
packages: clang-14 llvm-14
gcov-exec: llvm-cov-14 gcov
@ -70,7 +70,7 @@ jobs:
os: ubuntu-latest
compiler: clang-14
cxx-compiler: clang++-14
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_ZLIB=OFF
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_ZLIB=OFF
codecov: ubuntu_clang_no_zlib
packages: clang-14 llvm-14
gcov-exec: llvm-cov-14 gcov
@ -79,7 +79,7 @@ jobs:
os: ubuntu-latest
compiler: clang-14
cxx-compiler: clang++-14
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_BZIP=OFF
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_BZIP=OFF
codecov: ubuntu_clang_no_bzip2
packages: clang-14 llvm-14
gcov-exec: llvm-cov-14 gcov
@ -88,7 +88,7 @@ jobs:
os: ubuntu-latest
compiler: clang-14
cxx-compiler: clang++-14
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_LZMA=OFF
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_LZMA=OFF
codecov: ubuntu_clang_no_lzma
packages: clang-14 llvm-14
gcov-exec: llvm-cov-14 gcov
@ -97,7 +97,7 @@ jobs:
os: ubuntu-latest
compiler: clang-14
cxx-compiler: clang++-14
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_ZSTD=OFF
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_ZSTD=OFF
codecov: ubuntu_clang_no_zstd
packages: clang-14 llvm-14
gcov-exec: llvm-cov-14 gcov
@ -106,7 +106,7 @@ jobs:
os: ubuntu-latest
compiler: clang-14
cxx-compiler: clang++-14
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_PKCRYPT=OFF
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_PKCRYPT=OFF
codecov: ubuntu_clang_no_pkcrypt
packages: clang-14 llvm-14
gcov-exec: llvm-cov-14 gcov
@ -115,7 +115,7 @@ jobs:
os: ubuntu-latest
compiler: clang-14
cxx-compiler: clang++-14
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_WZAES=OFF
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_WZAES=OFF
codecov: ubuntu_clang_no_winzip_aes
packages: clang-14 llvm-14
gcov-exec: llvm-cov-14 gcov
@ -124,7 +124,7 @@ jobs:
os: ubuntu-latest
compiler: clang-14
cxx-compiler: clang++-14
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_PKCRYPT=OFF -D MZ_WZAES=OFF
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_PKCRYPT=OFF -D MZ_WZAES=OFF
codecov: ubuntu_clang_no_encryption
packages: clang-14 llvm-14
gcov-exec: llvm-cov-14 gcov
@ -133,7 +133,7 @@ jobs:
os: ubuntu-latest
compiler: clang-14
cxx-compiler: clang++-14
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_COMPRESS_ONLY=ON
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_COMPRESS_ONLY=ON
codecov: ubuntu_clang_compress_only
packages: clang-14 llvm-14
gcov-exec: llvm-cov-14 gcov
@ -142,7 +142,7 @@ jobs:
os: ubuntu-latest
compiler: clang-14
cxx-compiler: clang++-14
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_DECOMPRESS_ONLY=ON
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_DECOMPRESS_ONLY=ON
codecov: ubuntu_clang_decompress_only
packages: clang-14 llvm-14
gcov-exec: llvm-cov-14 gcov
@ -151,7 +151,7 @@ jobs:
os: ubuntu-latest
compiler: clang-14
cxx-compiler: clang++-14
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_OPENSSL=ON
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_OPENSSL=ON
codecov: ubuntu_clang_openssl
packages: clang-14 llvm-14
gcov-exec: llvm-cov-14 gcov
@ -161,7 +161,7 @@ jobs:
os: windows-latest
compiler: cl
# Don't use find_package for 3rd party libraries which are installed incorrectly on GitHub CI instances
cmake-args: -D MZ_FORCE_FETCH_LIBS=ON -D MZ_SIGNING=ON
cmake-args: -D MZ_FORCE_FETCH_LIBS=ON
deploy: true
deploy-name: windows
@ -170,7 +170,7 @@ jobs:
os: windows-latest
compiler: cl
# Don't use find_package for 3rd party libraries which are installed incorrectly on GitHub CI instances
cmake-args: -D MZ_FORCE_FETCH_LIBS=ON -D MZ_SIGNING=OFF -D MZ_BCRYPT=ON
cmake-args: -D MZ_FORCE_FETCH_LIBS=ON -D MZ_BCRYPT=ON
deploy: true
deploy-name: uwp
@ -179,7 +179,7 @@ jobs:
compiler: gcc
cxx-compiler: g++
# Don't use find_package for 3rd party libraries which are installed incorrectly on GitHub CI instances
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_FORCE_FETCH_LIBS=ON -G Ninja
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_FORCE_FETCH_LIBS=ON -G Ninja
codecov: windows_gcc
# No code coverage on release builds
@ -187,7 +187,7 @@ jobs:
# Use older version of macOS to install test certificate without user interaction
os: macos-10.15
version: "9.4.1"
cmake-args: -D MZ_BUILD_UNIT_TESTS=OFF -D MZ_SIGNING=ON
cmake-args: -D MZ_BUILD_UNIT_TESTS=OFF
deploy: true
deploy-name: macos
@ -204,7 +204,7 @@ jobs:
- name: macOS Xcode OpenSSL
# Use older version of macOS to install test certificate without user interaction
os: macos-10.15
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_SIGNING=ON -D MZ_OPENSSL=ON -D OPENSSL_ROOT_DIR=/usr/local/opt/openssl -D OPENSSL_INCLUDE_DIRS=/usr/local/opt/openssl/include -D OPENSSL_CRYPTO_LIBRARY=/usr/local/opt/openssl/lib/libcrypto.dylib -D OPENSSL_SSL_LIBRARY=/usr/local/opt/openssl/lib/libssl.dylib
cmake-args: -D MZ_CODE_COVERAGE=ON -D MZ_OPENSSL=ON -D OPENSSL_ROOT_DIR=/usr/local/opt/openssl -D OPENSSL_INCLUDE_DIRS=/usr/local/opt/openssl/include -D OPENSSL_CRYPTO_LIBRARY=/usr/local/opt/openssl/lib/libcrypto.dylib -D OPENSSL_SSL_LIBRARY=/usr/local/opt/openssl/lib/libssl.dylib
codecov: macos_xcode_openssl
steps:
@ -244,22 +244,9 @@ jobs:
- name: Compile source code
run: cmake --build ${{ matrix.build-dir || '.' }} --config ${{ matrix.build-config || 'Release' }}
- name: Install test certificate (macOS)
if: runner.os == 'macOS' && contains(matrix.cmake-args, 'MZ_SIGNING=ON')
run: |
sudo security authorizationdb write com.apple.trust-settings.admin allow
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain test/test.pem || true
- name: Install test certificate (Windows)
if: runner.os == 'Windows' && contains(matrix.cmake-args, 'MZ_SIGNING=ON')
run: certutil -addstore -enterprise Root test/test.pem
- name: Run test cases
run: ctest --output-on-failure -C ${{ matrix.build-config || 'Release' }}
working-directory: ${{ matrix.build-dir }}
# Specify test certificate for OpenSSL tests
env:
SSL_CERT_FILE: test.pem
- name: Generate coverage report
shell: bash

23
CMakeLists.txt
View File

@ -36,7 +36,6 @@ option(MZ_WZAES "Enables WinZIP AES encryption" ON)
cmake_dependent_option(MZ_OPENSSL "Enables OpenSSL for encryption" ON "UNIX" OFF)
cmake_dependent_option(MZ_BCRYPT "Enables Win32 Crypto API Next Generation" ON "CMAKE_SYSTEM_NAME STREQUAL WindowsStore" OFF)
cmake_dependent_option(MZ_LIBBSD "Builds with libbsd crypto random" ON "UNIX" OFF)
option(MZ_SIGNING "Enables zip signing support" OFF)
# Character conversion options
option(MZ_ICONV "Enables iconv for string encoding conversion" ON)
# Code generation options
@ -434,7 +433,7 @@ if(WIN32)
list(APPEND MINIZIP_DEF -D_CRT_SECURE_NO_DEPRECATE)
list(APPEND MINIZIP_SRC mz_os_win32.c mz_strm_os_win32.c)
if(MZ_PKCRYPT OR MZ_WZAES OR MZ_SIGNING)
if(MZ_PKCRYPT OR MZ_WZAES)
if(MZ_OPENSSL)
list(APPEND MINIZIP_DEP_PKG OpenSSL)
else()
@ -458,7 +457,7 @@ else()
list(APPEND STDLIB_DEF -D_POSIX_C_SOURCE=200809L)
list(APPEND MINIZIP_SRC mz_os_posix.c mz_strm_os_posix.c)
if(MZ_PKCRYPT OR MZ_WZAES OR MZ_SIGNING)
if(MZ_PKCRYPT OR MZ_WZAES)
if(MZ_OPENSSL)
list(APPEND MINIZIP_DEP_PKG OpenSSL)
else()
@ -491,11 +490,6 @@ else()
set(MZ_WZAES OFF)
endif()
if(MZ_SIGNING)
message(STATUS "Signing support requires CommonCrypto or OpenSSL")
set(MZ_SIGNING OFF)
endif()
endif()
else()
list(APPEND MINIZIP_DEF -DMZ_ZIP_NO_CRYPTO)
@ -505,11 +499,6 @@ else()
set(MZ_WZAES OFF)
endif()
if(MZ_SIGNING)
message(STATUS "Signing support requires OpenSSL")
set(MZ_SIGNING OFF)
endif()
endif()
# Check to see which random generation functions we have
@ -597,9 +586,6 @@ endif()
if(NOT MZ_PKCRYPT AND NOT MZ_WZAES)
list(APPEND MINIZIP_DEF -DMZ_ZIP_NO_ENCRYPTION)
endif()
if(MZ_SIGNING)
list(APPEND MINIZIP_DEF -DMZ_ZIP_SIGNING)
endif()
if(MZ_FILE32_API)
list(APPEND MINIZIP_DEF -DMZ_FILE32_API)
endif()
@ -887,10 +873,6 @@ if(MZ_BUILD_TESTS AND MZ_BUILD_UNIT_TESTS)
if(MZ_WZAES)
create_compress_tests("wzaes" "-s;-p;test123")
endif()
if(MZ_SIGNING)
create_compress_tests("signed" "-h;test.p12;-w;test")
create_compress_tests("secure" "-z;-h;test.p12;-w;test")
endif()
# Perform tests on others
if(NOT MZ_COMPRESS_ONLY)
@ -1000,7 +982,6 @@ add_feature_info(MZ_WZAES MZ_WZAES "Enables WinZIP AES encryption")
add_feature_info(MZ_OPENSSL MZ_OPENSSL "Enables OpenSSL for encryption")
add_feature_info(MZ_BCRYPT MZ_BCRYPT "Enables Win32 Crypto API Next Generation (CNG)")
add_feature_info(MZ_LIBBSD MZ_LIBBSD "Builds with libbsd crypto random")
add_feature_info(MZ_SIGNING MZ_SIGNING "Enables zip signing support")
# Character conversion options
add_feature_info(MZ_ICONV MZ_ICONV "Enables iconv string encoding conversion library")
# Code generation options

2
README.md
View File

@ -47,7 +47,6 @@ not been maintained for a long period of time. The code has been largely refacto
+ Support for Apple's compression library ZLIB and XZ implementations.
+ Zero out local file header information.
+ Zip/unzip of central directory to reduce size.
+ Ability to generate and verify CMS signature for each entry.
+ Recover the central directory if it is corrupt or missing.
+ Example minizip and minigzip command line tools.
@ -80,7 +79,6 @@ cmake --build build
| MZ_BCRYPT | Builds with Win32 Crypto API New Generation (CNG) | OFF |
| MZ_OPENSSL | Enables OpenSSL encryption | UNIX |
| MZ_LIBBSD | Builds with libbsd crypto random | UNIX |
| MZ_SIGNING | Enables zip signing support | OFF |
| MZ_ICONV | Enables iconv encoding conversion | ON |
| MZ_COMPRESS_ONLY | Only support compression | OFF |
| MZ_DECOMPRESS_ONLY | Only support decompression | OFF |

2
doc/README.md
View File

@ -47,7 +47,7 @@
### Extrafield Proposals <!-- omit in toc -->
The zip reader and writer interface provides support for extended hash algorithms for zip entries, compression of the central directory, and the adding and verifying of CMS signatures for each entry. In order to add support for these features, extrafields were added and are described in the [minizip extrafield documentation](mz_extrafield.md).
The zip reader and writer interface provides support for extended hash algorithms for zip entries and compression of the central directory. In order to add support for these features, extrafields were added and are described in the [minizip extrafield documentation](mz_extrafield.md).
## Limitations

8
doc/mz_extrafield.md
View File

@ -18,14 +18,6 @@ These are proposals for additional extrafields that are not in the ZIP specifica
By default, the ZIP specification only includes a CRC hash of the uncompressed content. The Hash extrafield allows additional hash digests of the uncompressed content to be stored with the central directory or local file headers. If there are multiple Hash extrafields stored for an entry, they should be sorted in order of most secure to least secure. So that the first Hash extrafield that appears for the entry is always the one considered the most secure and the one used for signing.
## CMS Signature (0x10c5)
|Size|Type|Description|
|-|-|:-|
|*|uint8_t*|Variable-length signature|
Stores a CMS signature whose message is a hash of the uncompressed content of the entry. The hash must correspond to the first Hash (0x1a51) extrafield stored in the entry's extrafield list.
## Central Directory (0xcdcd)
|Size|Type|Description|

225
doc/mz_zip_rw.md
View File

@ -3,97 +3,94 @@
The _mz_zip_reader_ and _mz_zip_writer_ objects allows you to easily extract or create zip files.
- [Reader Callbacks](#reader-callbacks)
- [mz_zip_reader_overwrite_cb](#mz_zip_reader_overwrite_cb)
- [mz_zip_reader_password_cb](#mz_zip_reader_password_cb)
- [mz_zip_reader_progress_cb](#mz_zip_reader_progress_cb)
- [mz_zip_reader_entry_cb](#mz_zip_reader_entry_cb)
- [mz\_zip\_reader\_overwrite\_cb](#mz_zip_reader_overwrite_cb)
- [mz\_zip\_reader\_password\_cb](#mz_zip_reader_password_cb)
- [mz\_zip\_reader\_progress\_cb](#mz_zip_reader_progress_cb)
- [mz\_zip\_reader\_entry\_cb](#mz_zip_reader_entry_cb)
- [Reader Open/Close](#reader-openclose)
- [mz_zip_reader_is_open](#mz_zip_reader_is_open)
- [mz_zip_reader_open](#mz_zip_reader_open)
- [mz_zip_reader_open_file](#mz_zip_reader_open_file)
- [mz_zip_reader_open_file_in_memory](#mz_zip_reader_open_file_in_memory)
- [mz_zip_reader_open_buffer](#mz_zip_reader_open_buffer)
- [mz_zip_reader_close](#mz_zip_reader_close)
- [mz\_zip\_reader\_is\_open](#mz_zip_reader_is_open)
- [mz\_zip\_reader\_open](#mz_zip_reader_open)
- [mz\_zip\_reader\_open\_file](#mz_zip_reader_open_file)
- [mz\_zip\_reader\_open\_file\_in\_memory](#mz_zip_reader_open_file_in_memory)
- [mz\_zip\_reader\_open\_buffer](#mz_zip_reader_open_buffer)
- [mz\_zip\_reader\_close](#mz_zip_reader_close)
- [Reader Entry Enumeration](#reader-entry-enumeration)
- [mz_zip_reader_goto_first_entry](#mz_zip_reader_goto_first_entry)
- [mz_zip_reader_goto_next_entry](#mz_zip_reader_goto_next_entry)
- [mz_zip_reader_locate_entry](#mz_zip_reader_locate_entry)
- [mz\_zip\_reader\_goto\_first\_entry](#mz_zip_reader_goto_first_entry)
- [mz\_zip\_reader\_goto\_next\_entry](#mz_zip_reader_goto_next_entry)
- [mz\_zip\_reader\_locate\_entry](#mz_zip_reader_locate_entry)
- [Reader Entry](#reader-entry)
- [mz_zip_reader_entry_open](#mz_zip_reader_entry_open)
- [mz_zip_reader_entry_close](#mz_zip_reader_entry_close)
- [mz_zip_reader_entry_read](#mz_zip_reader_entry_read)
- [mz_zip_reader_entry_has_sign](#mz_zip_reader_entry_has_sign)
- [mz_zip_reader_entry_sign_verify](#mz_zip_reader_entry_sign_verify)
- [mz_zip_reader_entry_get_hash](#mz_zip_reader_entry_get_hash)
- [mz_zip_reader_entry_get_first_hash](#mz_zip_reader_entry_get_first_hash)
- [mz_zip_reader_entry_get_info](#mz_zip_reader_entry_get_info)
- [mz_zip_reader_entry_is_dir](#mz_zip_reader_entry_is_dir)
- [mz_zip_reader_entry_save](#mz_zip_reader_entry_save)
- [mz_zip_reader_entry_save_process](#mz_zip_reader_entry_save_process)
- [mz_zip_reader_entry_save_file](#mz_zip_reader_entry_save_file)
- [mz_zip_reader_entry_save_buffer](#mz_zip_reader_entry_save_buffer)
- [mz_zip_reader_entry_save_buffer_length](#mz_zip_reader_entry_save_buffer_length)
- [mz\_zip\_reader\_entry\_open](#mz_zip_reader_entry_open)
- [mz\_zip\_reader\_entry\_close](#mz_zip_reader_entry_close)
- [mz\_zip\_reader\_entry\_read](#mz_zip_reader_entry_read)
- [mz\_zip\_reader\_entry\_get\_hash](#mz_zip_reader_entry_get_hash)
- [mz\_zip\_reader\_entry\_get\_first\_hash](#mz_zip_reader_entry_get_first_hash)
- [mz\_zip\_reader\_entry\_get\_info](#mz_zip_reader_entry_get_info)
- [mz\_zip\_reader\_entry\_is\_dir](#mz_zip_reader_entry_is_dir)
- [mz\_zip\_reader\_entry\_save](#mz_zip_reader_entry_save)
- [mz\_zip\_reader\_entry\_save\_process](#mz_zip_reader_entry_save_process)
- [mz\_zip\_reader\_entry\_save\_file](#mz_zip_reader_entry_save_file)
- [mz\_zip\_reader\_entry\_save\_buffer](#mz_zip_reader_entry_save_buffer)
- [mz\_zip\_reader\_entry\_save\_buffer\_length](#mz_zip_reader_entry_save_buffer_length)
- [Reader Bulk Extract](#reader-bulk-extract)
- [mz_zip_reader_save_all](#mz_zip_reader_save_all)
- [mz\_zip\_reader\_save\_all](#mz_zip_reader_save_all)
- [Reader Object](#reader-object)
- [mz_zip_reader_set_pattern](#mz_zip_reader_set_pattern)
- [mz_zip_reader_set_password](#mz_zip_reader_set_password)
- [mz_zip_reader_set_raw](#mz_zip_reader_set_raw)
- [mz_zip_reader_get_raw](#mz_zip_reader_get_raw)
- [mz_zip_reader_get_zip_cd](#mz_zip_reader_get_zip_cd)
- [mz_zip_reader_get_comment](#mz_zip_reader_get_comment)
- [mz_zip_reader_set_recover](#mz_zip_reader_set_recover)
- [mz_zip_reader_set_encoding](#mz_zip_reader_set_encoding)
- [mz_zip_reader_set_sign_required](#mz_zip_reader_set_sign_required)
- [mz_zip_reader_set_overwrite_cb](#mz_zip_reader_set_overwrite_cb)
- [mz_zip_reader_set_password_cb](#mz_zip_reader_set_password_cb)
- [mz_zip_reader_set_progress_cb](#mz_zip_reader_set_progress_cb)
- [mz_zip_reader_set_progress_interval](#mz_zip_reader_set_progress_interval)
- [mz_zip_reader_set_entry_cb](#mz_zip_reader_set_entry_cb)
- [mz_zip_reader_get_zip_handle](#mz_zip_reader_get_zip_handle)
- [mz_zip_reader_create](#mz_zip_reader_create)
- [mz_zip_reader_delete](#mz_zip_reader_delete)
- [mz\_zip\_reader\_set\_pattern](#mz_zip_reader_set_pattern)
- [mz\_zip\_reader\_set\_password](#mz_zip_reader_set_password)
- [mz\_zip\_reader\_set\_raw](#mz_zip_reader_set_raw)
- [mz\_zip\_reader\_get\_raw](#mz_zip_reader_get_raw)
- [mz\_zip\_reader\_get\_zip\_cd](#mz_zip_reader_get_zip_cd)
- [mz\_zip\_reader\_get\_comment](#mz_zip_reader_get_comment)
- [mz\_zip\_reader\_set\_recover](#mz_zip_reader_set_recover)
- [mz\_zip\_reader\_set\_encoding](#mz_zip_reader_set_encoding)
- [mz\_zip\_reader\_set\_overwrite\_cb](#mz_zip_reader_set_overwrite_cb)
- [mz\_zip\_reader\_set\_password\_cb](#mz_zip_reader_set_password_cb)
- [mz\_zip\_reader\_set\_progress\_cb](#mz_zip_reader_set_progress_cb)
- [mz\_zip\_reader\_set\_progress\_interval](#mz_zip_reader_set_progress_interval)
- [mz\_zip\_reader\_set\_entry\_cb](#mz_zip_reader_set_entry_cb)
- [mz\_zip\_reader\_get\_zip\_handle](#mz_zip_reader_get_zip_handle)
- [mz\_zip\_reader\_create](#mz_zip_reader_create)
- [mz\_zip\_reader\_delete](#mz_zip_reader_delete)
- [Writer Callbacks](#writer-callbacks)
- [mz_zip_writer_overwrite_cb](#mz_zip_writer_overwrite_cb)
- [mz_zip_writer_password_cb](#mz_zip_writer_password_cb)
- [mz_zip_writer_progress_cb](#mz_zip_writer_progress_cb)
- [mz_zip_writer_entry_cb](#mz_zip_writer_entry_cb)
- [mz\_zip\_writer\_overwrite\_cb](#mz_zip_writer_overwrite_cb)
- [mz\_zip\_writer\_password\_cb](#mz_zip_writer_password_cb)
- [mz\_zip\_writer\_progress\_cb](#mz_zip_writer_progress_cb)
- [mz\_zip\_writer\_entry\_cb](#mz_zip_writer_entry_cb)
- [Writer Open/Close](#writer-openclose)
- [mz_zip_writer_is_open](#mz_zip_writer_is_open)
- [mz_zip_writer_open](#mz_zip_writer_open)
- [mz_zip_writer_open_file](#mz_zip_writer_open_file)
- [mz_zip_writer_open_file_in_memory](#mz_zip_writer_open_file_in_memory)
- [mz_zip_writer_close](#mz_zip_writer_close)
- [mz\_zip\_writer\_is\_open](#mz_zip_writer_is_open)
- [mz\_zip\_writer\_open](#mz_zip_writer_open)
- [mz\_zip\_writer\_open\_file](#mz_zip_writer_open_file)
- [mz\_zip\_writer\_open\_file\_in\_memory](#mz_zip_writer_open_file_in_memory)
- [mz\_zip\_writer\_close](#mz_zip_writer_close)
- [Writer Entry](#writer-entry)
- [mz_zip_writer_entry_open](#mz_zip_writer_entry_open)
- [mz_zip_writer_entry_close](#mz_zip_writer_entry_close)
- [mz_zip_writer_entry_write](#mz_zip_writer_entry_write)
- [mz\_zip\_writer\_entry\_open](#mz_zip_writer_entry_open)
- [mz\_zip\_writer\_entry\_close](#mz_zip_writer_entry_close)
- [mz\_zip\_writer\_entry\_write](#mz_zip_writer_entry_write)
- [Writer Add/Compress](#writer-addcompress)
- [mz_zip_writer_add](#mz_zip_writer_add)
- [mz_zip_writer_add_process](#mz_zip_writer_add_process)
- [mz_zip_writer_add_info](#mz_zip_writer_add_info)
- [mz_zip_writer_add_buffer](#mz_zip_writer_add_buffer)
- [mz_zip_writer_add_file](#mz_zip_writer_add_file)
- [mz_zip_writer_add_path](#mz_zip_writer_add_path)
- [mz_zip_writer_copy_from_reader](#mz_zip_writer_copy_from_reader)
- [mz\_zip\_writer\_add](#mz_zip_writer_add)
- [mz\_zip\_writer\_add\_process](#mz_zip_writer_add_process)
- [mz\_zip\_writer\_add\_info](#mz_zip_writer_add_info)
- [mz\_zip\_writer\_add\_buffer](#mz_zip_writer_add_buffer)
- [mz\_zip\_writer\_add\_file](#mz_zip_writer_add_file)
- [mz\_zip\_writer\_add\_path](#mz_zip_writer_add_path)
- [mz\_zip\_writer\_copy\_from\_reader](#mz_zip_writer_copy_from_reader)
- [Writer Object](#writer-object)
- [mz_zip_writer_set_password](#mz_zip_writer_set_password)
- [mz_zip_writer_set_comment](#mz_zip_writer_set_comment)
- [mz_zip_writer_set_raw](#mz_zip_writer_set_raw)
- [mz_zip_writer_get_raw](#mz_zip_writer_get_raw)
- [mz_zip_writer_set_aes](#mz_zip_writer_set_aes)
- [mz_zip_writer_set_compress_method](#mz_zip_writer_set_compress_method)
- [mz_zip_writer_set_compress_level](#mz_zip_writer_set_compress_level)
- [mz_zip_writer_set_zip_cd](#mz_zip_writer_set_zip_cd)
- [mz_zip_writer_set_certificate](#mz_zip_writer_set_certificate)
- [mz_zip_writer_set_overwrite_cb](#mz_zip_writer_set_overwrite_cb)
- [mz_zip_writer_set_password_cb](#mz_zip_writer_set_password_cb)
- [mz_zip_writer_set_progress_cb](#mz_zip_writer_set_progress_cb)
- [mz_zip_writer_set_progress_interval](#mz_zip_writer_set_progress_interval)
- [mz_zip_writer_set_entry_cb](#mz_zip_writer_set_entry_cb)
- [mz_zip_writer_get_zip_handle](#mz_zip_writer_get_zip_handle)
- [mz_zip_writer_create](#mz_zip_writer_create)
- [mz_zip_writer_delete](#mz_zip_writer_delete)
- [mz\_zip\_writer\_set\_password](#mz_zip_writer_set_password)
- [mz\_zip\_writer\_set\_comment](#mz_zip_writer_set_comment)
- [mz\_zip\_writer\_set\_raw](#mz_zip_writer_set_raw)
- [mz\_zip\_writer\_get\_raw](#mz_zip_writer_get_raw)
- [mz\_zip\_writer\_set\_aes](#mz_zip_writer_set_aes)
- [mz\_zip\_writer\_set\_compress\_method](#mz_zip_writer_set_compress_method)
- [mz\_zip\_writer\_set\_compress\_level](#mz_zip_writer_set_compress_level)
- [mz\_zip\_writer\_set\_zip\_cd](#mz_zip_writer_set_zip_cd)
- [mz\_zip\_writer\_set\_certificate](#mz_zip_writer_set_certificate)
- [mz\_zip\_writer\_set\_overwrite\_cb](#mz_zip_writer_set_overwrite_cb)
- [mz\_zip\_writer\_set\_password\_cb](#mz_zip_writer_set_password_cb)
- [mz\_zip\_writer\_set\_progress\_cb](#mz_zip_writer_set_progress_cb)
- [mz\_zip\_writer\_set\_progress\_interval](#mz_zip_writer_set_progress_interval)
- [mz\_zip\_writer\_set\_entry\_cb](#mz_zip_writer_set_entry_cb)
- [mz\_zip\_writer\_get\_zip\_handle](#mz_zip_writer_get_zip_handle)
- [mz\_zip\_writer\_create](#mz_zip_writer_create)
- [mz\_zip\_writer\_delete](#mz_zip_writer_delete)
## Reader Callbacks
@ -516,52 +513,6 @@ if (mz_zip_reader_goto_first_entry(zip_reader) == MZ_OK) {
}
```
### mz_zip_reader_entry_has_sign
Checks to see if the entry has a signature.
**Arguments**
|Type|Name|Description|
|-|-|-|
|void *|handle|_mz_zip_reader_ instance|
**Return**
|Type|Description|
|-|-|
|int32_t|[MZ_ERROR](mz_error.md) code, MZ_OK if has signature.|
**Example**
```
if (mz_zip_reader_entry_has_sign(zip_reader) == MZ_OK)
printf("Entry has signature attached\n");
```
### mz_zip_reader_entry_sign_verify
Verifies a signature stored with the entry.
**Arguments**
|Type|Name|Description|
|-|-|-|
|void *|handle|_mz_zip_reader_ instance|
**Return**
|Type|Description|
|-|-|
|int32_t|[MZ_ERROR](mz_error.md) code, MZ_OK if signature is valid.|
**Example**
```
if (mz_zip_reader_entry_has_sign(zip_reader) == MZ_OK) {
printf("Entry has signature attached\n");
if (mz_zip_reader_entry_sign_verify(zip_reader) == MZ_OK) {
printf("Entry signature is valid\n);
} else {
printf("Entry signature is invalid\n");
}
}
```
### mz_zip_reader_entry_get_hash
Gets a hash algorithm from the entry's extra field.
@ -1017,26 +968,6 @@ Sets whether or not it should support a special character encoding in zip file n
mz_zip_reader_set_encoding(zip_reader, MZ_ENCODING_CODEPAGE_437);
```
### mz_zip_reader_set_sign_required
Sets whether or not it a signature is required. If enabled, it will prevent extraction of zip entries that do not have verified signatures.
**Arguments**
|Type|Name|Description|
|-|-|-|
|void *|handle|_mz_zip_reader_ instance|
|uint8_t|sign_required|Valid CMS signatures are required if 1|
**Return**
|Type|Description|
|-|-|
|void|No return|
**Example**
```
mz_zip_reader_set_sign_required(zip_reader, 1);
```
### mz_zip_reader_set_overwrite_cb
Sets the callback for what to do when a file is about to be overwritten.

20
minizip.c
View File

@ -86,8 +86,6 @@ int32_t minizip_help(void) {
" -z Zip central directory\n" \
" -p Encryption password\n" \
" -s AES encryption\n" \
" -h PKCS12 certificate path\n" \
" -w PKCS12 certificate password\n" \
" -b BZIP2 compression\n" \
" -m LZMA compression\n" \
" -n XZ compression\n" \
@ -593,23 +591,7 @@ int main(int argc, const char *argv[]) {
#else
err = MZ_SUPPORT_ERROR;
#endif
else if (((c == 'h') || (c == 'H')) && (i + 1 < argc)) {
#ifdef MZ_ZIP_SIGNING
options.cert_path = argv[i + 1];
printf("%s ", argv[i + 1]);
#else
err = MZ_SUPPORT_ERROR;
#endif
i += 1;
} else if (((c == 'w') || (c == 'W')) && (i + 1 < argc)) {
#ifdef MZ_ZIP_SIGNING
options.cert_pwd = argv[i + 1];
printf("%s ", argv[i + 1]);
#else
err = MZ_SUPPORT_ERROR;
#endif
i += 1;
} else if (((c == 'c') || (c == 'C')) && (i + 1 < argc)) {
else if (((c == 'c') || (c == 'C')) && (i + 1 < argc)) {
options.encoding = (int32_t)atoi(argv[i + 1]);
i += 1;
} else if (((c == 'k') || (c == 'K')) && (i + 1 < argc)) {

118
mz_crypt_apple.c
View File

@ -406,121 +406,3 @@ void mz_crypt_hmac_delete(void **handle) {
}
*handle = NULL;
}
/***************************************************************************/
#if defined(MZ_ZIP_SIGNING)
int32_t mz_crypt_sign(uint8_t *message, int32_t message_size, uint8_t *cert_data, int32_t cert_data_size,
const char *cert_pwd, uint8_t **signature, int32_t *signature_size) {
CFStringRef password_ref = NULL;
CFDictionaryRef options_dict = NULL;
CFDictionaryRef identity_trust = NULL;
CFDataRef signature_out = NULL;
CFDataRef pkcs12_data = NULL;
CFArrayRef items = 0;
SecIdentityRef identity = NULL;
SecTrustRef trust = NULL;
OSStatus status = noErr;
const void *options_key[2] = {kSecImportExportPassphrase, kSecReturnRef};
const void *options_values[2] = {0, kCFBooleanTrue};
int32_t err = MZ_SIGN_ERROR;
if (!message || !cert_data || !signature || !signature_size)
return MZ_PARAM_ERROR;
*signature = NULL;
*signature_size = 0;
password_ref = CFStringCreateWithCString(0, cert_pwd, kCFStringEncodingUTF8);
options_values[0] = password_ref;
options_dict = CFDictionaryCreate(0, options_key, options_values, 2, 0, 0);
if (options_dict)
pkcs12_data = CFDataCreate(0, cert_data, cert_data_size);
if (pkcs12_data)
status = SecPKCS12Import(pkcs12_data, options_dict, &items);
if (status == noErr)
identity_trust = CFArrayGetValueAtIndex(items, 0);
if (identity_trust)
identity = (SecIdentityRef)CFDictionaryGetValue(identity_trust, kSecImportItemIdentity);
if (identity)
trust = (SecTrustRef)CFDictionaryGetValue(identity_trust, kSecImportItemTrust);
if (trust) {
status = CMSEncodeContent(identity, NULL, NULL, FALSE, 0, message, message_size, &signature_out);
if (status == errSecSuccess) {
*signature_size = CFDataGetLength(signature_out);
*signature = (uint8_t *)malloc(*signature_size);
memcpy(*signature, CFDataGetBytePtr(signature_out), *signature_size);
err = MZ_OK;
}
}
if (signature_out)
CFRelease(signature_out);
if (items)
CFRelease(items);
if (pkcs12_data)
CFRelease(pkcs12_data);
if (options_dict)
CFRelease(options_dict);
if (password_ref)
CFRelease(password_ref);
return err;
}
int32_t mz_crypt_sign_verify(uint8_t *message, int32_t message_size, uint8_t *signature, int32_t signature_size) {
CMSDecoderRef decoder = NULL;
CMSSignerStatus signer_status = 0;
CFDataRef message_out = NULL;
SecPolicyRef trust_policy = NULL;
OSStatus status = noErr;
OSStatus verify_status = noErr;
size_t signer_count = 0;
size_t i = 0;
int32_t err = MZ_SIGN_ERROR;
if (!message || !signature)
return MZ_PARAM_ERROR;
status = CMSDecoderCreate(&decoder);
if (status == errSecSuccess)
status = CMSDecoderUpdateMessage(decoder, signature, signature_size);
if (status == errSecSuccess)
status = CMSDecoderFinalizeMessage(decoder);
if (status == errSecSuccess)
trust_policy = SecPolicyCreateBasicX509();
if (status == errSecSuccess && trust_policy) {
CMSDecoderGetNumSigners(decoder, &signer_count);
if (signer_count > 0)
err = MZ_OK;
for (i = 0; i < signer_count; i += 1) {
status = CMSDecoderCopySignerStatus(decoder, i, trust_policy, TRUE, &signer_status, NULL, &verify_status);
if (status != errSecSuccess || verify_status != 0 || signer_status != kCMSSignerValid) {
err = MZ_SIGN_ERROR;
break;
}
}
}
if (err == MZ_OK) {
status = CMSDecoderCopyContent(decoder, &message_out);
if ((status != errSecSuccess) ||
(CFDataGetLength(message_out) != message_size) ||
(memcmp(message, CFDataGetBytePtr(message_out), message_size) != 0))
err = MZ_SIGN_ERROR;
}
if (trust_policy)
CFRelease(trust_policy);
if (decoder)
CFRelease(decoder);
return err;
}
#endif

183
mz_crypt_openssl.c
View File

@ -488,186 +488,3 @@ void mz_crypt_hmac_delete(void **handle) {
}
*handle = NULL;
}
/***************************************************************************/
#if defined(MZ_ZIP_SIGNING)
int32_t mz_crypt_sign(uint8_t *message, int32_t message_size, uint8_t *cert_data, int32_t cert_data_size,
const char *cert_pwd, uint8_t **signature, int32_t *signature_size) {
PKCS12 *p12 = NULL;
EVP_PKEY *evp_pkey = NULL;
BUF_MEM *buf_mem = NULL;
BIO *cert_bio = NULL;
BIO *message_bio = NULL;
BIO *signature_bio = NULL;
CMS_ContentInfo *cms = NULL;
CMS_SignerInfo *signer_info = NULL;
STACK_OF(X509) *ca_stack = NULL;
X509 *cert = NULL;
int32_t result = 0;
int32_t err = MZ_OK;
if (!message || !cert_data || !signature || !signature_size)
return MZ_PARAM_ERROR;
mz_crypt_init();
*signature = NULL;
*signature_size = 0;
cert_bio = BIO_new_mem_buf(cert_data, cert_data_size);
if (!d2i_PKCS12_bio(cert_bio, &p12))
err = MZ_SIGN_ERROR;
if (err == MZ_OK)
result = PKCS12_parse(p12, cert_pwd, &evp_pkey, &cert, &ca_stack);
if (result) {
cms = CMS_sign(NULL, NULL, ca_stack, NULL, CMS_BINARY | CMS_PARTIAL);
if (cms)
signer_info = CMS_add1_signer(cms, cert, evp_pkey, EVP_sha256(), 0);
if (!signer_info) {
err = MZ_SIGN_ERROR;
} else {
message_bio = BIO_new_mem_buf(message, message_size);
signature_bio = BIO_new(BIO_s_mem());
result = CMS_final(cms, message_bio, NULL, CMS_BINARY);
if (result)
result = i2d_CMS_bio(signature_bio, cms);
if (result) {
BIO_flush(signature_bio);
BIO_get_mem_ptr(signature_bio, &buf_mem);
*signature_size = buf_mem->length;
*signature = malloc(buf_mem->length);
memcpy(*signature, buf_mem->data, buf_mem->length);
}
#if 0
BIO *yy = BIO_new_file("xyz", "wb");
BIO_write(yy, *signature, *signature_size);
BIO_flush(yy);
BIO_free(yy);
#endif
}
}
if (!result)
err = MZ_SIGN_ERROR;
if (cms)
CMS_ContentInfo_free(cms);
if (signature_bio)
BIO_free(signature_bio);
if (cert_bio)
BIO_free(cert_bio);
if (message_bio)
BIO_free(message_bio);
if (p12)
PKCS12_free(p12);
if (err != MZ_OK && *signature) {
free(*signature);
*signature = NULL;
*signature_size = 0;
}
return err;
}
int32_t mz_crypt_sign_verify(uint8_t *message, int32_t message_size, uint8_t *signature, int32_t signature_size) {
CMS_ContentInfo *cms = NULL;
STACK_OF(X509) *signers = NULL;
STACK_OF(X509) *intercerts = NULL;
X509_STORE *cert_store = NULL;
X509_LOOKUP *lookup = NULL;
X509_STORE_CTX *store_ctx = NULL;
BIO *message_bio = NULL;
BIO *signature_bio = NULL;
BUF_MEM *buf_mem = NULL;
int32_t signer_count = 0;
int32_t result = 0;
int32_t i = 0;
int32_t err = MZ_SIGN_ERROR;
if (!message || !message_size || !signature || !signature_size)
return MZ_PARAM_ERROR;
mz_crypt_init();
cert_store = X509_STORE_new();
X509_STORE_load_locations(cert_store, "cacert.pem", NULL);
X509_STORE_set_default_paths(cert_store);
#if 0
BIO *yy = BIO_new_file("xyz", "wb");
BIO_write(yy, signature, signature_size);
BIO_flush(yy);
BIO_free(yy);
#endif
lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file());
if (lookup)
X509_LOOKUP_load_file(lookup, "cacert.pem", X509_FILETYPE_PEM);
lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_hash_dir());
if (lookup)
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
signature_bio = BIO_new_mem_buf(signature, signature_size);
message_bio = BIO_new(BIO_s_mem());
cms = d2i_CMS_bio(signature_bio, NULL);
if (cms) {
result = CMS_verify(cms, NULL, cert_store, NULL, message_bio, CMS_NO_SIGNER_CERT_VERIFY | CMS_BINARY);
if (result)
signers = CMS_get0_signers(cms);
if (signers)
intercerts = CMS_get1_certs(cms);
if (intercerts) {
/* Verify signer certificates */
signer_count = sk_X509_num(signers);
if (signer_count > 0)
err = MZ_OK;
for (i = 0; i < signer_count; i++) {
store_ctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(store_ctx, cert_store, sk_X509_value(signers, i), intercerts);
result = X509_verify_cert(store_ctx);
if (store_ctx)
X509_STORE_CTX_free(store_ctx);
if (!result) {
err = MZ_SIGN_ERROR;
break;
}
}
}
BIO_get_mem_ptr(message_bio, &buf_mem);
if (err == MZ_OK) {
/* Verify the message */
if (((int32_t)buf_mem->length != message_size) ||
(memcmp(buf_mem->data, message, message_size) != 0))
err = MZ_SIGN_ERROR;
}
}
#if 0
if (!result)
printf(ERR_error_string(ERR_get_error(), NULL));
#endif
if (cms)
CMS_ContentInfo_free(cms);
if (message_bio)
BIO_free(message_bio);
if (signature_bio)
BIO_free(signature_bio);
if (cert_store)
X509_STORE_free(cert_store);
return err;
}
#endif

232
mz_crypt_win32.c
View File

@ -685,235 +685,3 @@ void mz_crypt_hmac_delete(void **handle) {
}
*handle = NULL;
}
/***************************************************************************/
#if defined(MZ_ZIP_SIGNING)
int32_t mz_crypt_sign(uint8_t *message, int32_t message_size, uint8_t *cert_data, int32_t cert_data_size,
const char *cert_pwd, uint8_t **signature, int32_t *signature_size) {
CRYPT_SIGN_MESSAGE_PARA sign_params;
CRYPT_DATA_BLOB cert_data_blob;
PCCERT_CONTEXT cert_context = NULL;
HCERTSTORE cert_store = 0;
wchar_t *password_wide = NULL;
int32_t result = 0;
int32_t err = MZ_OK;
uint32_t messages_sizes[1];
uint8_t *messages[1];
if (!message || !cert_data || !signature || !signature_size)
return MZ_PARAM_ERROR;
*signature = NULL;
*signature_size = 0;
cert_data_blob.pbData = cert_data;
cert_data_blob.cbData = cert_data_size;
password_wide = mz_os_unicode_string_create(cert_pwd, MZ_ENCODING_UTF8);
if (password_wide) {
cert_store = PFXImportCertStore(&cert_data_blob, password_wide, 0);
mz_os_unicode_string_delete(&password_wide);
}
if (!cert_store)
cert_store = PFXImportCertStore(&cert_data_blob, L"", 0);
if (!cert_store)
cert_store = PFXImportCertStore(&cert_data_blob, NULL, 0);
if (!cert_store)
return MZ_PARAM_ERROR;
if (err == MZ_OK) {
cert_context = CertFindCertificateInStore(cert_store,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_HAS_PRIVATE_KEY, NULL, NULL);
if (!cert_context)
err = MZ_PARAM_ERROR;
}
if (err == MZ_OK) {
memset(&sign_params, 0, sizeof(sign_params));
sign_params.cbSize = sizeof(sign_params);
sign_params.dwMsgEncodingType = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
sign_params.pSigningCert = cert_context;
sign_params.HashAlgorithm.pszObjId = szOID_NIST_sha256;
sign_params.cMsgCert = 1;
sign_params.rgpMsgCert = &cert_context;
messages[0] = message;
messages_sizes[0] = message_size;
#if 0 /* Timestamp support */
CRYPT_ATTR_BLOB crypt_blob;
CRYPT_TIMESTAMP_CONTEXT *ts_context = NULL;
CRYPT_ATTRIBUTE unauth_attribs[1];
wchar_t *timestamp_url_wide = NULL;
const char *timestamp_url = NULL;
if (timestamp_url)
timestamp_url_wide = mz_os_unicode_string_create(timestamp_url);
if (timestamp_url_wide) {
result = CryptRetrieveTimeStamp(timestamp_url_wide,
TIMESTAMP_NO_AUTH_RETRIEVAL | TIMESTAMP_VERIFY_CONTEXT_SIGNATURE, 0, szOID_NIST_sha256,
NULL, message, message_size, &ts_context, NULL, NULL);
mz_os_unicode_string_delete(&timestamp_url_wide);
if (result && ts_context) {
crypt_blob.cbData = ts_context->cbEncoded;
crypt_blob.pbData = ts_context->pbEncoded;
unauth_attribs[0].pszObjId = "1.2.840.113549.1.9.16.2.14"; //id-smime-aa-timeStampToken
unauth_attribs[0].cValue = 1;
unauth_attribs[0].rgValue = &crypt_blob;
sign_params.rgUnauthAttr = &unauth_attribs[0];
sign_params.cUnauthAttr = 1;
}
}
if (ts_context)
CryptMemFree(ts_context);
if (result)
#endif
result = CryptSignMessage(&sign_params, FALSE, 1, (const BYTE **)messages, (DWORD *)messages_sizes,
NULL, (DWORD *)signature_size);
if (result && *signature_size > 0)
*signature = (uint8_t *)malloc(*signature_size);
if (result && *signature)
result = CryptSignMessage(&sign_params, FALSE, 1, (const BYTE **)messages, (DWORD *)messages_sizes,
*signature, (DWORD *)signature_size);
if (!result)
err = MZ_SIGN_ERROR;
}
if (cert_context)
CertFreeCertificateContext(cert_context);
if (cert_store)
CertCloseStore(cert_store, 0);
return err;
}
int32_t mz_crypt_sign_verify(uint8_t *message, int32_t message_size, uint8_t *signature, int32_t signature_size) {
CRYPT_VERIFY_MESSAGE_PARA verify_params;
CERT_CONTEXT *signer_cert = NULL;
CERT_CHAIN_PARA chain_para;
CERT_CHAIN_CONTEXT *chain_context = NULL;
CERT_CHAIN_POLICY_PARA chain_policy;
CERT_CHAIN_POLICY_STATUS chain_policy_status;
HCRYPTMSG crypt_msg = 0;
int32_t result = 0;
int32_t err = MZ_SIGN_ERROR;
uint8_t *decoded = NULL;
int32_t decoded_size = 0;
memset(&verify_params, 0, sizeof(verify_params));
verify_params.cbSize = sizeof(verify_params);
verify_params.dwMsgAndCertEncodingType = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
result = CryptVerifyMessageSignature(&verify_params, 0, signature, signature_size,
NULL, (DWORD *)&decoded_size, NULL);
if (result && decoded_size > 0)
decoded = (uint8_t *)malloc(decoded_size);
if (result && decoded)
result = CryptVerifyMessageSignature(&verify_params, 0, signature, signature_size,
decoded, (DWORD *)&decoded_size, (const CERT_CONTEXT **)&signer_cert);
/* Get and validate certificate chain */
memset(&chain_para, 0, sizeof(chain_para));
if (result && signer_cert)
result = CertGetCertificateChain(NULL, signer_cert, NULL, NULL, &chain_para,
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, NULL, (const CERT_CHAIN_CONTEXT **)&chain_context);
memset(&chain_policy, 0, sizeof(chain_policy));
chain_policy.cbSize = sizeof(CERT_CHAIN_POLICY_PARA);
memset(&chain_policy_status, 0, sizeof(chain_policy_status));
chain_policy_status.cbSize = sizeof(CERT_CHAIN_POLICY_STATUS);
if (result && chain_context)
result = CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_BASE, chain_context,
&chain_policy, &chain_policy_status);
if (chain_policy_status.dwError != S_OK)
result = 0;
#if 0
crypt_msg = CryptMsgOpenToDecode(PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0, 0, 0, NULL, NULL);
if (crypt_msg) {
/* Timestamp support */
PCRYPT_ATTRIBUTES unauth_attribs = NULL;
HCRYPTMSG ts_msg = 0;
uint8_t *ts_content = NULL;
int32_t ts_content_size = 0;
uint8_t *ts_signature = NULL;
int32_t ts_signature_size = 0;
result = CryptMsgUpdate(crypt_msg, signature, signature_size, 1);
if (result)
CryptMsgGetParam(crypt_msg, CMSG_SIGNER_UNAUTH_ATTR_PARAM, 0, NULL, &ts_signature_size);
if (result && ts_signature_size > 0)
ts_signature = (uint8_t *)malloc(ts_signature_size);
if (result && ts_signature) {
result = CryptMsgGetParam(crypt_msg, CMSG_SIGNER_UNAUTH_ATTR_PARAM, 0, ts_signature,
&ts_signature_size);
if (result)
{
unauth_attribs = (PCRYPT_ATTRIBUTES)ts_signature;
if ((unauth_attribs->cAttr > 0) && (unauth_attribs->rgAttr[0].cValue > 0))
{
ts_content = unauth_attribs->rgAttr[0].rgValue->pbData;
ts_content_size = unauth_attribs->rgAttr[0].rgValue->cbData;
}
}
if (result && ts_content)
result = CryptVerifyTimeStampSignature(ts_content, ts_content_size, decoded,
decoded_size, 0, &crypt_context, NULL, NULL);
if (result)
err = MZ_OK;
}
if (ts_signature)
free(ts_signature);
if (crypt_context)
CryptMemFree(crypt_context);
} else {
result = 0;
}
#endif
if (result && decoded && decoded_size == message_size) {
/* Verify cms message with our stored message */
if (memcmp(decoded, message, message_size) == 0)
err = MZ_OK;
}
if (chain_context)
CertFreeCertificateChain(chain_context);
if (signer_cert)
CertFreeCertificateContext(signer_cert);
if (crypt_msg)
CryptMsgClose(crypt_msg);
if (decoded)
free(decoded);
return err;
}
#endif

240
mz_crypt_winrt.c
View File

@ -654,243 +654,3 @@ void mz_crypt_hmac_delete(void **handle) {
}
*handle = NULL;
}
/***************************************************************************/
#if defined(MZ_ZIP_SIGNING)
int32_t mz_crypt_sign(uint8_t *message, int32_t message_size, uint8_t *cert_data, int32_t cert_data_size,
const char *cert_pwd, uint8_t **signature, int32_t *signature_size) {
return MZ_SIGN_ERROR;
#if 0
HCRYPTPROV_OR_NCRYPT_KEY_HANDLE private_key = 0;
uint32_t private_key_spec = 0;
BOOL release_private_key = FALSE;
CRYPT_DATA_BLOB cert_data_blob;
PCCERT_CONTEXT cert_context = NULL;
HCERTSTORE cert_store = 0;
BCRYPT_PKCS1_PADDING_INFO pad_info;
wchar_t *password_wide = NULL;
int32_t result = 0;
int32_t err = MZ_OK;
if (!message || !cert_data || !signature || !signature_size)
return MZ_PARAM_ERROR;
*signature = NULL;
*signature_size = 0;
pad_info.pszAlgId = BCRYPT_SHA256_ALGORITHM;
cert_data_blob.pbData = cert_data;
cert_data_blob.cbData = cert_data_size;
password_wide = mz_os_unicode_string_create(cert_pwd, MZ_ENCODING_UTF8);
if (password_wide) {
cert_store = PFXImportCertStore(&cert_data_blob, password_wide, 0);
mz_os_unicode_string_delete(&password_wide);
}
if (!cert_store)
cert_store = PFXImportCertStore(&cert_data_blob, L"", 0);
if (!cert_store)
cert_store = PFXImportCertStore(&cert_data_blob, NULL, 0);
if (!cert_store)
return MZ_PARAM_ERROR;
if (err == MZ_OK) {
cert_context = CertFindCertificateInStore(cert_store,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_HAS_PRIVATE_KEY, NULL, NULL);
if (!cert_context)
err = MZ_PARAM_ERROR;
}
if (err == MZ_OK) {
if (!CryptAcquireCertificatePrivateKey(cert_context, CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG, NULL, &private_key,
&private_key_spec, &release_private_key)) {
err = MZ_PARAM_ERROR;
}
}
if (err == MZ_OK) {
#if 0 /* Timestamp support */
CRYPT_ATTR_BLOB crypt_blob;
CRYPT_TIMESTAMP_CONTEXT *ts_context = NULL;
CRYPT_ATTRIBUTE unauth_attribs[1];
wchar_t *timestamp_url_wide = NULL;
const char *timestamp_url = NULL;
if (timestamp_url)
timestamp_url_wide = mz_os_unicode_string_create(timestamp_url);
if (timestamp_url_wide) {
result = CryptRetrieveTimeStamp(timestamp_url_wide,
TIMESTAMP_NO_AUTH_RETRIEVAL | TIMESTAMP_VERIFY_CONTEXT_SIGNATURE, 0, szOID_NIST_sha256,
NULL, message, message_size, &ts_context, NULL, NULL);
mz_os_unicode_string_delete(&timestamp_url_wide);
if (result && ts_context) {
crypt_blob.cbData = ts_context->cbEncoded;
crypt_blob.pbData = ts_context->pbEncoded;
unauth_attribs[0].pszObjId = "1.2.840.113549.1.9.16.2.14"; //id-smime-aa-timeStampToken
unauth_attribs[0].cValue = 1;
unauth_attribs[0].rgValue = &crypt_blob;
sign_params.rgUnauthAttr = &unauth_attribs[0];
sign_params.cUnauthAttr = 1;
}
}
if (ts_context)
CryptMemFree(ts_context);
if (result)
#endif
result = !NCryptSignHash(private_key, &pad_info, message, message_size, NULL, 0, signature_size,
BCRYPT_PAD_PKCS1 | NCRYPT_SILENT_FLAG);
if (result && *signature_size > 0)
*signature = (uint8_t *)malloc(*signature_size);
if (result && *signature) {
result = !NCryptSignHash(private_key, &pad_info, message, message_size, *signature, *signature_size,
signature_size, BCRYPT_PAD_PKCS1 | NCRYPT_SILENT_FLAG);
}
if (release_private_key) {
if (private_key_spec == CERT_NCRYPT_KEY_SPEC)
NCryptFreeObject(private_key);
else
CryptReleaseContext(private_key, 0);
}
if (!result)
err = MZ_SIGN_ERROR;
}
if (cert_context)
CertFreeCertificateContext(cert_context);
if (cert_store)
CertCloseStore(cert_store, 0);
return err;
#endif
}
int32_t mz_crypt_sign_verify(uint8_t *message, int32_t message_size, uint8_t *signature, int32_t signature_size) {
return MZ_SIGN_ERROR;
#if 0
CRYPT_VERIFY_MESSAGE_PARA verify_params;
CERT_CONTEXT *signer_cert = NULL;
CERT_CHAIN_PARA chain_para;
CERT_CHAIN_CONTEXT *chain_context = NULL;
CERT_CHAIN_POLICY_PARA chain_policy;
CERT_CHAIN_POLICY_STATUS chain_policy_status;
HCRYPTMSG crypt_msg = 0;
int32_t result = 0;
int32_t err = MZ_SIGN_ERROR;
uint8_t *decoded = NULL;
int32_t decoded_size = 0;
memset(&verify_params, 0, sizeof(verify_params));
verify_params.cbSize = sizeof(verify_params);
verify_params.dwMsgAndCertEncodingType = PKCS_7_ASN_ENCODING | X509_ASN_ENCODING;
result = CryptVerifyMessageSignature(&verify_params, 0, signature, signature_size,
NULL, (DWORD *)&decoded_size, NULL);
if (result && decoded_size > 0)
decoded = (uint8_t *)malloc(decoded_size);
if (result && decoded)
result = CryptVerifyMessageSignature(&verify_params, 0, signature, signature_size,
decoded, (DWORD *)&decoded_size, (const CERT_CONTEXT **)&signer_cert);
/* Get and validate certificate chain */
memset(&chain_para, 0, sizeof(chain_para));
if (result && signer_cert)
result = CertGetCertificateChain(NULL, signer_cert, NULL, NULL, &chain_para,
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, NULL, (const CERT_CHAIN_CONTEXT **)&chain_context);
memset(&chain_policy, 0, sizeof(chain_policy));
chain_policy.cbSize = sizeof(CERT_CHAIN_POLICY_PARA);
memset(&chain_policy_status, 0, sizeof(chain_policy_status));
chain_policy_status.cbSize = sizeof(CERT_CHAIN_POLICY_STATUS);
if (result && chain_context)
result = CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_BASE, chain_context,
&chain_policy, &chain_policy_status);
if (chain_policy_status.dwError != S_OK)
result = 0;
#if 0
crypt_msg = CryptMsgOpenToDecode(PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0, 0, 0, NULL, NULL);
if (crypt_msg) {
/* Timestamp support */
PCRYPT_ATTRIBUTES unauth_attribs = NULL;
HCRYPTMSG ts_msg = 0;
uint8_t *ts_content = NULL;
int32_t ts_content_size = 0;
uint8_t *ts_signature = NULL;
int32_t ts_signature_size = 0;
result = CryptMsgUpdate(crypt_msg, signature, signature_size, 1);
if (result)
CryptMsgGetParam(crypt_msg, CMSG_SIGNER_UNAUTH_ATTR_PARAM, 0, NULL, &ts_signature_size);
if (result && ts_signature_size > 0)
ts_signature = (uint8_t *)malloc(ts_signature_size);
if (result && ts_signature) {
result = CryptMsgGetParam(crypt_msg, CMSG_SIGNER_UNAUTH_ATTR_PARAM, 0, ts_signature,
&ts_signature_size);
if (result)
{
unauth_attribs = (PCRYPT_ATTRIBUTES)ts_signature;
if ((unauth_attribs->cAttr > 0) && (unauth_attribs->rgAttr[0].cValue > 0))
{
ts_content = unauth_attribs->rgAttr[0].rgValue->pbData;
ts_content_size = unauth_attribs->rgAttr[0].rgValue->cbData;
}
}
if (result && ts_content)
result = CryptVerifyTimeStampSignature(ts_content, ts_content_size, decoded,
decoded_size, 0, &crypt_context, NULL, NULL);
if (result)
err = MZ_OK;
}
if (ts_signature)
free(ts_signature);
if (crypt_context)
CryptMemFree(crypt_context);
} else {
result = 0;
}
#endif
if (result && decoded && decoded_size == message_size) {
/* Verify cms message with our stored message */
if (memcmp(decoded, message, message_size) == 0)
err = MZ_OK;
}
if (chain_context)
CertFreeCertificateChain(chain_context);
if (signer_cert)
CertFreeCertificateContext(signer_cert);
if (crypt_msg)
CryptMsgClose(crypt_msg);
if (decoded)
free(decoded);
return err;
#endif
}
#endif

67
mz_zip_rw.c
View File

@ -392,16 +392,6 @@ int32_t mz_zip_reader_entry_open(void *handle) {
if (err == MZ_OK)
mz_crypt_sha_begin(reader->hash);
#ifdef MZ_ZIP_SIGNING
if (err == MZ_OK) {
if (mz_zip_reader_entry_has_sign(handle) == MZ_OK) {
err = mz_zip_reader_entry_sign_verify(handle);
if (err == MZ_OK)
reader->entry_verified = 1;
} else if (reader->sign_required && !reader->cd_verified)
err = MZ_SIGN_ERROR;
}
#endif
} else if (reader->sign_required && !reader->cd_verified)
err = MZ_SIGN_ERROR;
#endif
@ -450,58 +440,6 @@ int32_t mz_zip_reader_entry_read(void *handle, void *buf, int32_t len) {
return read;
}
int32_t mz_zip_reader_entry_has_sign(void *handle) {
mz_zip_reader *reader = (mz_zip_reader *)handle;
if (!reader || mz_zip_entry_is_open(reader->zip_handle) != MZ_OK)
return MZ_PARAM_ERROR;
return mz_zip_extrafield_contains(reader->file_info->extrafield,
reader->file_info->extrafield_size, MZ_ZIP_EXTENSION_SIGN, NULL);
}
#if !defined(MZ_ZIP_NO_CRYPTO) && defined(MZ_ZIP_SIGNING)
int32_t mz_zip_reader_entry_sign_verify(void *handle) {
mz_zip_reader *reader = (mz_zip_reader *)handle;
void *file_extra_stream = NULL;
int32_t err = MZ_OK;
uint8_t *signature = NULL;
uint16_t signature_size = 0;
uint8_t hash[MZ_HASH_MAX_SIZE];
if (!reader || mz_zip_entry_is_open(reader->zip_handle) != MZ_OK)
return MZ_PARAM_ERROR;
mz_stream_mem_create(&file_extra_stream);
mz_stream_mem_set_buffer(file_extra_stream, (void *)reader->file_info->extrafield,
reader->file_info->extrafield_size);
err = mz_zip_extrafield_find(file_extra_stream, MZ_ZIP_EXTENSION_SIGN, INT32_MAX, &signature_size);
if ((err == MZ_OK) && (signature_size > 0)) {
signature = (uint8_t *)malloc(signature_size);
if (mz_stream_read(file_extra_stream, signature, signature_size) != signature_size)
err = MZ_READ_ERROR;
}
mz_stream_mem_delete(&file_extra_stream);
if (err == MZ_OK) {
/* Get most secure hash to verify signature against */
err = mz_zip_reader_entry_get_hash(handle, reader->hash_algorithm, hash, reader->hash_digest_size);
}
if (err == MZ_OK) {
/* Verify the pkcs signature */
err = mz_crypt_sign_verify(hash, reader->hash_digest_size, signature, signature_size);
}
if (signature)
free(signature);
return err;
}
#endif
int32_t mz_zip_reader_entry_get_hash(void *handle, uint16_t algorithm, uint8_t *digest, int32_t digest_size) {
mz_zip_reader *reader = (mz_zip_reader *)handle;
void *file_extra_stream = NULL;
@ -932,11 +870,6 @@ void mz_zip_reader_set_encoding(void *handle, int32_t encoding) {
reader->encoding = encoding;
}
void mz_zip_reader_set_sign_required(void *handle, uint8_t sign_required) {
mz_zip_reader *reader = (mz_zip_reader *)handle;
reader->sign_required = sign_required;
}
void mz_zip_reader_set_overwrite_cb(void *handle, void *userdata, mz_zip_reader_overwrite_cb cb) {
mz_zip_reader *reader = (mz_zip_reader *)handle;
reader->overwrite_cb = cb;

9
mz_zip_rw.h
View File

@ -67,12 +67,6 @@ int32_t mz_zip_reader_entry_close(void *handle);
int32_t mz_zip_reader_entry_read(void *handle, void *buf, int32_t len);
/* Reads and entry after being opened */
int32_t mz_zip_reader_entry_has_sign(void *handle);
/* Checks to see if the entry has a signature */
int32_t mz_zip_reader_entry_sign_verify(void *handle);
/* Verifies a signature stored with the entry */
int32_t mz_zip_reader_entry_get_hash(void *handle, uint16_t algorithm, uint8_t *digest, int32_t digest_size);
/* Gets a hash algorithm from the entry's extra field */
@ -131,9 +125,6 @@ int32_t mz_zip_reader_set_recover(void *handle, uint8_t recover);
void mz_zip_reader_set_encoding(void *handle, int32_t encoding);
/* Sets whether or not it should support a special character encoding in zip file names. */
void mz_zip_reader_set_sign_required(void *handle, uint8_t sign_required);
/* Sets whether or not it a signature is required */
void mz_zip_reader_set_overwrite_cb(void *handle, void *userdata, mz_zip_reader_overwrite_cb cb);
/* Callback for what to do when a file is being overwritten */