Calling WinVerifyTrust and Authenticating Files

ID: Q165021

The information in this article applies to:
  • Microsoft Internet Explorer (Programming) versions 3.0, 4.0, 4.01, 5

SUMMARY

VFiles.exe is a sample that demonstrates how to programmatically authenticate files using the WinVerifyTrust function. This allows a programmer to verify whether a file is signed and allows a user to trust or not trust the signing authority.


MORE INFORMATION

The following file is available for download from the Microsoft Download Center. Click the file name below to download the file:

VFiles.exe
For more information about how to download files from the Microsoft Download Center, please visit the Download Center at the following Web address
http://www.microsoft.com/downloads/search.asp
and then click How to use the Microsoft Download Center. This sample is written with visual C++ 4.2b and requires the supporting MFC DLLs.

If you do not want to install and run the sample, the following function is all that you really need to illustrate how to call the WinVerifyTrust function. If you are not using MFC, you need to substitute several small details (CString, method of obtaining file name, etc.) with code appropriate to your framework. 

   #include <afxpriv.h> // Needed for CONVERSION macros.

   void CGetHttpFileView::OnGitAndVerify()
   {
       USES_CONVERSION;

       CString message;

       typedef HRESULT
           (WINAPI *WINVERIFYTRUST)
               (HWND hwnd, GUID *ActionID, LPVOID ActionData);

       #define WINTRUST "wintrust.dll"

       WINVERIFYTRUST pwvt = NULL;
       HINSTANCE hinst;

       // Load wintrust.dll and locate the WinVerifyTrust function.

       if(hinst = LoadLibrary(WINTRUST))
           pwvt = (WINVERIFYTRUST)GetProcAddress(hinst,
   _T("WinVerifyTrust"));
       else
           return;

       if(NULL == pwvt)
       {
           FreeLibrary(hinst);
           return;
       }

       // Get the name of the file (m_strHttpFile) to test from the dialog
       // box.
       UpdateData(TRUE);

       TCHAR lpFileName[MAX_PATH];

       m_ctlStatusEdit.SetWindowText(_T("Loading File"));

       // It would make sense to put a Cancel button on the form to abort
       // long downloads. In fact, URLDownloadToCacheFile is a blocking
       // call so the button would be dead until the download is complete.

       // It is not necessary to use URLDownloadToCacheFile to
       // download the file.

       HRESULT hr = URLDownloadToCacheFile(NULL, m_strHttpFile,
         lpFileName, MAX_PATH, 0, m_pBindStatusCallback);

       if(FAILED(hr))
       {
           message.Format("Failed to Locate file.  Error: %X", hr);
           m_ctlStatusEdit.SetWindowText(message);
           FreeLibrary(hinst);
           return;
       }

       // Now verify the file.

       // For now, it is necessary to define this.
       #define WIN_SPUB_ACTION_PUBLISHED_SOFTWARE_NOBADUI         {
   0xc6b2e8d0, 0xe005, 0x11cf,             { 0xa1, 0x34, 0x0, 0xc0, 0x4f,
   0xd7, 0xbf, 0x43 } }

       GUID PublishedSoftware =
               WIN_SPUB_ACTION_PUBLISHED_SOFTWARE;
       GUID PublishedSoftwareNoBadUI =
               WIN_SPUB_ACTION_PUBLISHED_SOFTWARE_NOBADUI;

       // See winbase.h for available Subject Type Identifiers.
       GUID SubjectPeImage = WIN_TRUST_SUBJTYPE_PE_IMAGE;
       GUID SubjectCAB      = WIN_TRUST_SUBJTYPE_CABINET;
       GUID SubjectJava    = WIN_TRUST_SUBJTYPE_JAVA_CLASS;

       GUID * ActionGUID;

       if(0 == m_nUIOnBadVerification)
           ActionGUID = &PublishedSoftware;
       else
           ActionGUID = &PublishedSoftwareNoBadUI;

       WIN_TRUST_SUBJECT_FILE Subject;

       Subject.lpPath = T2OLE(lpFileName);
       // If hFile is set to the value INVALID_HANDLE_VALUE (defined in
       // WINBASE.H), then the trust provider will open the subject using
       // the lpPath field.
       Subject.hFile = INVALID_HANDLE_VALUE;

       // For now, WIN_TRUST_ACTDATA_SUBJECT_ONLY is not used.
       WIN_TRUST_ACTDATA_CONTEXT_WITH_SUBJECT ActionData;

       ActionData.Subject = &Subject;
       ActionData.hClientToken = NULL;

       switch(m_nFileType)
       {
       case 0:
           ActionData.SubjectType = &SubjectPeImage;
           break;
       case 1:
           ActionData.SubjectType = &SubjectJava;
           break;
       case 2:
           ActionData.SubjectType = &SubjectCAB;
       }

       hr =  pwvt( 0, ActionGUID, &ActionData);

       // hr will tell you if the user accepted the certificate.
       // return codes include S_OK (user accepted),
       // TRUST_E_NOSIGNATURE (no certificate at all -- includes test
       // certificates!), etc.

       message.Format("WinVerifyTrust Returned Error: %X", hr);
       m_ctlStatusEdit.SetWindowText(message);

       FreeLibrary(hinst);
       return;
   }
(c) Microsoft Corporation Robert Duke, All Rights Reserved. Contributions by 1996, Microsoft Corporation.

Additional query words: URLDownloadToCacheFile WIN_SPUB_ACTION_PUBLISHED_SOFTWARE_NOBADUI wintrust.dll

Keywords : kbfile kbprg kbsample kbCodeDownload kbIE500 AXSDKCodeSign kbIEFAQ
Version : WINDOWS:3.0,4.0,4.01,5
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: January 27, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.