Yesterday, in the company's code base, I saw that a VC project runs SignTool in a post-build step to add a digital signature to the EXE it produces, and that a block of code inside that EXE calls the Windows API WinVerifyTrust to verify the EXE's own signature. Having a little free time these days, curiosity drove me to dig into digital signatures. After a day I have something to show for it: a general understanding of what a digital signature actually is, and an understanding of those two places in the company code, so here is a summary.
First, read Introduction to Algorithms, section 31.7, "The RSA public-key cryptosystem", first part "Public-key cryptosystems", to understand the public-key cryptography framework; you can of course also search the Internet for similar introductory articles. No mathematical formula is needed; the point is to understand the logic and design of the whole system, in particular the concepts of private key and public key, and to know that applying the public key and the private key in turn to a message gives back the message itself, regardless of whether the public key or the private key is applied first. I also came to understand that although encryption and digital signatures can both be built on the same public-key cryptosystem, their purpose and workflow differ: the former defends against eavesdropping, the latter checks authenticity.
The next step is to dig into the digital signature tooling on Windows and practice with it. SignTool is a command-line tool shipped with the Windows SDK that digitally signs files, verifies the signatures in files and time-stamps files. The company's VC project signs the EXE with the following command:
signtool sign /a <generated exe>
But when I used the same command on my home computer to sign an EXE, I always got the error "SignTool Error: No certificates were found that met all the given criteria". After a long time I learned that for your own testing you have to use MakeCert, Cert2Spc and Pvk2Pfx to produce a PFX certificate file containing both the private key and the public key, and then either sign the EXE with the PFX file directly, or import the PFX into the certificate store and let SignTool search for a usable certificate on its own. See the article "MakeCert digital certificate". To simulate the company project I chose the approach of importing into the certificate store, specifically:
1. Make your own root certificate with MakeCert:
E:\temp>makecert -n "CN=zzxiangroot" -r -sky signature -sv zzxiangroot.pvk zzxiangroot.cer
Succeeded
Since I definitely want to sign binaries, I added the -sky signature option. Two files are then generated in the E:\temp directory: the private key file zzxiangroot.pvk and the public key certificate zzxiangroot.cer.
2. Use Cert2Spc to convert the public key certificate into a Software Publisher Certificate, i.e. an SPC file:
E:\temp>cert2spc zzxiangroot.cer zzxiangroot.spc
Succeeded
3. Use Pvk2Pfx to merge the public key certificate and the private key file into a single certificate file in PFX format:
E:\temp>pvk2pfx -pvk zzxiangroot.pvk -spc zzxiangroot.spc -pfx zzxiangroot.pfx
4. Double-click zzxiangroot.pfx to import it into the certificate store. In the Certificate Import Wizard, click Next until you reach the Certificate Store step, then select "Place all certificates in the following store":
Click "Browse", select "Personal" in the dialog box that pops up, and click "OK".
Why choose "Personal"? Look at the description of the /s option of the signtool sign command: "Specifies the store to open when searching for certificates. If this option is not specified, the My store is opened." "My" is the internal name of the "Personal" store.
Then click "Next" all the way through until the import finishes. We can check the result in the management console. In the Start menu, search for and run MMC. In the MMC window choose File, Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box that pops up, select Certificates in the Available snap-ins list on the left:
Click the "Add" button in the middle, select "My user account" (or "Computer account") in the dialog box that pops up, then click "Finish":
The Certificates node is added to the Selected snap-ins list:
Click "OK" to return to the main console window. In the tree on the left, expand "Certificates - Current User", then "Personal", and select the "Certificates" node; the imported zzxiangroot certificate is listed there.
Double-click zzxiangroot to open the Certificate dialog box, which says "You have a private key that corresponds to this certificate". The dialog box also says "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store." This point matters later.
5. You can now sign the EXE with SignTool:
E:\temp>signtool sign /a Test.exe
Done Adding Additional Store
Successfully signed: Test.exe
You can add /v to see more detailed output:
E:\temp>signtool sign /a /v Test.exe
The following certificate was selected:
    Issued to: zzxiangroot
    Issued by: zzxiangroot
    Expires:   Sun Jan 01 07:59:59 2040
    SHA1 hash: 3361bbbd366687fd80b201f1346561c6e4936263

Done Adding Additional Store
Successfully signed: Test.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
The next step is to verify the EXE's signature. By the design of public-key cryptography, this step can be done on any machine. The company code uses the WinVerifyTrust function. You can also keep using SignTool; the command format is
signtool verify /pa <exe to verify>
Note that the /pa option is required; otherwise signtool applies the signature verification policy for Windows drivers.
But running signtool verify /pa Test.exe directly at this point gives the error "SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." This is because the verifying computer has not added the zzxiangroot public key certificate to the Trusted Root Certification Authorities store mentioned earlier. To do so, copy the public key certificate zzxiangroot.cer to the verifying machine, double-click the CER file, and in the Certificate dialog box that appears select Install Certificate. Then proceed as in the earlier import, except that in the Certificate Store step you must choose to place the certificate in the Trusted Root Certification Authorities store rather than in the Personal store.
Verification now succeeds:
E:\temp>signtool verify /pa Test.exe
Successfully verified: Test.exe
You can also add /v to see more detailed output:
E:\temp>signtool verify /pa /v Test.exe

Verifying: Test.exe
Hash of file (sha1): 8d3c56fbe8bb11fb760b729ff8f801ddba7c3b59
Signing Certificate Chain:
    Issued to: zzxiangroot
    Issued by: zzxiangroot
    Expires:   Sun Jan 01 07:59:59 2040
    SHA1 hash: 3361bbbd366687fd80b201f1346561c6e4936263

File is not timestamped.

Successfully verified: Test.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
The method for verifying a signature with the WinVerifyTrust function can be found in this MSDN example (see the reference below).
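As an added check that is not part of the original post, the same verification can be done from PowerShell with Get-AuthenticodeSignature, which distinguishes the untrusted-root case described above from a missing signature or a tampered file. The file path and the zzxiangroot name come from the post; the function name and the store lookup are my own.

```powershell
# Added example, not code from the original post. Reports an Authenticode
# signature status in the terms used in the post. Assumes Windows PowerShell
# with the Cert: drive available; the path is the post's E:\temp\Test.exe.
function Test-ExeSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host "File   : $Path"
    Write-Host "Status : $($sig.Status) - $($sig.StatusMessage)"

    switch ($sig.Status) {
        'Valid' {
            $c = $sig.SignerCertificate
            Write-Host "Signer : $($c.Subject)"
            Write-Host "Issuer : $($c.Issuer)"
            Write-Host "Expires: $($c.NotAfter)"
            # The post's verbose output shows "File is not timestamped": without
            # a timestamp the signature can no longer be verified once the
            # signing certificate has expired.
            if ($null -eq $sig.TimeStamperCertificate) {
                Write-Host "Timestamp: none"
            } else {
                Write-Host "Timestamp: $($sig.TimeStamperCertificate.Subject)"
            }
        }
        'NotTrusted' {
            # Same condition as signtool's "terminated in a root certificate
            # which is not trusted": the chain ends in a root that is absent
            # from the Trusted Root Certification Authorities stores. For a
            # self-signed test root such as zzxiangroot the signer's issuer is
            # that root, so look it up by subject in both Root stores.
            $issuer = $sig.SignerCertificate.Issuer
            $root = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
                    Where-Object { $_.Subject -eq $issuer }
            if ($root) {
                Write-Host "Root '$issuer' is installed; see StatusMessage for the reason."
            } else {
                Write-Host "Root '$issuer' is not in any Trusted Root store; install its .cer there."
            }
        }
        'NotSigned'    { Write-Host "No Authenticode signature present." }
        'HashMismatch' { Write-Host "File contents changed after it was signed." }
    }
    return $sig
}

Test-ExeSignature -Path 'E:\temp\Test.exe'
```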
It is really quite funny: although my university major was information security, this is the first time, five years after graduating, that I have actually studied an information-security-related technology.
References:
http://blog.csdn.net/zzxiang1985/article/details/9156191
https://msdn.microsoft.com/en-us/library/windows/desktop/aa382384(v=vs.85).aspx
----------------------------------------------------------------------------------------
Several of the commands mentioned above are installed on the system but are not on the search path by default when you open cmd.
You need to run one of the following environment scripts first:
A:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\vcvars32.bat
A:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\amd64\vcvars64.bat
A:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcvarsall.bat
You can create an init.bat in the current directory with the following content:
"A:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\vcvars32.bat"
Tinkering with Digital Signatures