Tamping Digital Signature

Source: Internet
Author: User
Tags: sha1, hash, pfx file

Yesterday, in the company's code, I saw that the post-build step of a VC project uses signtool to add a digital signature to the EXE the project generates, and that part of the EXE's own code calls the Windows API WinVerifyTrust to verify that signature. A few days earlier I had started looking into digital signatures out of curiosity. After a day, I finally learned a little about what digital signatures are, and I also came to understand the two parts of the company's code, so I wrote up this summary.


First, read the first part of Introduction to Algorithms section 31.7, The RSA public-key cryptosystem (Public-key cryptosystems); you can also search for similar introductory articles on the Internet. You do not need to know any of the mathematical formulas here, but you do need to understand the logic and design ideas of the whole system, especially the concepts of private key and public key: a message encrypted with one of the two keys can only be decrypted with the other, and either the public key or the private key can be the one used to encrypt. Here I also figured out that although both encryption and digital signatures can be built on the same public-key cryptosystem, their purposes and workflows differ: the former prevents eavesdropping, while the latter verifies authenticity.


The next step is to use the digital signature tool on Windows. signtool is a command-line tool that comes with the Windows SDK. It is used to digitally sign a file, and it can also verify a file's signature and timestamp a file. The company's VC project uses the following command to digitally sign the EXE:


signtool sign /a <generated EXE>


However, when I used the same command to sign an EXE on my own computer, I always got the error "signtool error: no certificates were found that met all the given criteria". It took a long time to find out that if you are testing on your own, you first need to use makecert, cert2spc and pvk2pfx to create a PFX certificate file containing both the private key and the public key, and then either sign the EXE with the PFX file directly or import the PFX file into the certificate store so that signtool can find an available certificate by itself. Refer to the article on creating digital certificates with makecert. To simulate the company project, I took the import-into-certificate-store approach, specifically:


1. Use makecert to create your own root certificate:


E:\Temp> makecert -n "CN=zzxiangroot" -r -sky signature -sv zzxiangroot.pvk zzxiangroot.cer
Succeeded


Because I explicitly want to sign binary files, I need to add the -sky signature option. Two files are then generated under the E:\Temp directory: the private key zzxiangroot.pvk and the public key certificate zzxiangroot.cer.


2. Use cert2spc to convert the public key certificate into a Software Publisher Certificate, that is, an SPC file:


E:\Temp> cert2spc zzxiangroot.cer zzxiangroot.spc
Succeeded


3. Use pvk2pfx to combine the public key certificate and the private key into a PFX certificate file:


E:\Temp> pvk2pfx -pvk zzxiangroot.pvk -spc zzxiangroot.spc -pfx zzxiangroot.pfx


4. Double-click zzxiangroot.pfx to import it into the certificate store. In the Certificate Import Wizard, click "Next" until you reach the "Certificate Store" step and select "Place all certificates in the following store":




Click "Browse". In the dialog box that appears, select "Personal" and click "OK".




Why should we select "Personal"? For details, see the description of the /s option of the signtool sign subcommand: "Specifies the store to open when searching for the certificate. If this option is not specified, the My store is opened." Here "My" is "Personal".


Then you can click "Next" all the way through to complete the import. We can go to the Microsoft Management Console to confirm. Search for and run MMC from the Start menu. In MMC, choose File > "Add/Remove Snap-in". In the "Add or Remove Snap-ins" dialog box, select "Certificates" in the "Available snap-ins" list on the left:




Click the "Add" button in the middle. In the dialog box that appears, select "My user account" or "Computer account", and then click "Finish":




The "Certificates" node is added to "Selected snap-ins":




Click "OK" to return to the main console window. In the tree on the left, expand "Certificates - Current User" > "Personal" and select the "Certificates" node; you can see the imported zzxiangroot certificate.

Double-click zzxiangroot. The certificate dialog box says "You have a private key that corresponds to this certificate." It also says "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store." This will be discussed later.


5. Now you can use the signtool command to sign the EXE:


E:\Temp> signtool sign /a test.exe
Done adding additional store
Successfully signed: test.exe


You can add /v to view more detailed output:


E:\Temp> signtool sign /a /v test.exe
The following certificate was selected:
Issued to: zzxiangroot
Issued by: zzxiangroot
Expires: Sun Jan 01 07:59:59 2040
Sha1 hash: 3361bbbd415687fd80b201f1346561c6e4936263

Done adding additional store
Successfully signed: test.exe

Number of files successfully signed: 1
Number of Warnings: 0
Number of errors: 0


The next step is to verify the signature of the EXE. By the design of a public-key cryptosystem, this step can be performed on any machine. The company's code uses the WinVerifyTrust function, but you can also keep using signtool. The command format is


signtool verify /pa <EXE to be verified>


Note that the /pa option must be added; otherwise signtool uses the signature verification policy for Windows drivers.


However, if you run signtool verify /pa test.exe directly, you get the error "signtool error: a certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider". This is because the machine used for verification has not added the zzxiangroot public key certificate to the "Trusted Root Certification Authorities" store mentioned earlier. To do this, copy the public key certificate zzxiangroot.cer to the verification machine, double-click the CER file, and click "Install Certificate" in the certificate dialog box. The next steps are the same as the previous certificate import, except that in the "Certificate Store" step you must place the certificate in the "Trusted Root Certification Authorities" store rather than the "Personal" store used before.


Now you can verify it:


E:\Temp> signtool verify /pa test.exe

Successfully verified: test.exe


You can also add /v to view more detailed output:


E:\Temp> signtool verify /pa /v test.exe


Verifying: test.exe
Hash of file (sha1): 8d3c56fbe8bb11fb760b729ff8f801ddba7c3b59


Signing certificate chain:
Issued to: zzxiangroot
Issued by: zzxiangroot
Expires: Sun Jan 01 07:59:59 2040
Sha1 hash: 3361bbbd415687fd80b201f1346561c6e4936263


File is not timestamped.


Successfully verified: test.exe


Number of files successfully verified: 1
Number of Warnings: 0
Number of errors: 0


For how to use the WinVerifyTrust function for verification, see the MSDN example. That sample can be copied and used directly, but note that it must be compiled as a C++ file rather than a pure C file; otherwise it will not compile.
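The "Hash of file (sha1)" that signtool verify prints is not a plain SHA-1 of test.exe: Authenticode hashes the PE with the CheckSum field, the Certificate Table data-directory entry and the embedded certificate table itself left out, which is how signtool can append the signature to the file without changing the hash the signature covers, and why WinVerifyTrust can recompute that hash afterwards. The following Python is an added example, not code from the original post; it implements that hash in simplified form (it assumes the common layout of sections in file order with the certificate table last) and builds a constructed minimal PE32 file to run it on.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes, algo: str = "sha1") -> str:
    """Simplified Authenticode file hash: every byte of the image except the
    CheckSum field, the Certificate Table data-directory entry and the
    certificate table itself. Assumes the common layout (sections follow the
    headers in file order and the certificate table is last in the file)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 4 + 20                      # skip "PE\0\0" and the COFF header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    checksum = opt + 64                          # CheckSum (4 bytes, same in PE32/PE32+)
    secdir = opt + (144 if pe32plus else 128)    # IMAGE_DIRECTORY_ENTRY_SECURITY (8 bytes)
    cert_off, cert_len = struct.unpack_from("<II", pe, secdir)  # file offset, not an RVA
    end = cert_off if cert_len else len(pe)
    h = hashlib.new(algo)
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:secdir])
    h.update(pe[secdir + 8:end])
    return h.hexdigest()

def build_pe(code: bytes, cert: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32 file (one 0x200-byte section, no imports) used
    only as hashing input; 'cert' stands in for the PKCS#7 SignedData blob."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: Machine=i386, 1 section, SizeOfOptionalHeader=224, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)      # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", hdr, opt + 60, 0x200)  # SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 64, checksum)
    struct.pack_into("<I", hdr, opt + 92, 16)    # NumberOfRvaAndSizes
    section = code.ljust(0x200, b"\0")
    table = b""
    if cert:
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        table = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
        table = table.ljust((len(table) + 7) & ~7, b"\0")   # padded to a multiple of 8
        struct.pack_into("<II", hdr, opt + 128, 0x200 + len(section), len(table))
    return bytes(hdr) + section + table
```

Appending the certificate table or changing the CheckSum leaves the hash unchanged, while altering a single code byte changes it, which is exactly the property a signature over the file needs.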


It's really funny: although my university claims information security as its specialty, this is the first time in the five years since graduation that I have carefully studied an information-security-related technology.
