ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

Unknown signature type requested: SHA256WITHEC #105

Closed vatral closed 2 years ago

vatral commented 2 years ago

Hello!

We obtained an EV certificate from ssl.com. Being mostly Linux based I thought it may be a good option to do signing from Linux if possible, but so far it's not working right. I have a Yubikey FIPS and followed SSL.com's certificate installation procedures.

I followed these instructions: https://www.ssl.com/how-to/microsoft-authenticode-code-signing-in-linux-with-jsign/

Here's what happens when I try to sign a test file:

$ jsign --keystore /home/vadim/etoken.cfg  --alias "X.509 Certificate for PIV Authentication" --storetype YUBIKEY --storepass $PASS  --tsaurl http://ts.ssl.com --tsmode RFC3161 nxproxy.exe
Adding Authenticode signature to nxproxy.exe
jsign: Couldn't sign nxproxy.exe
java.lang.IllegalArgumentException: Unknown signature type requested: SHA256WITHEC
    at net.jsign.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder.generate(Unknown Source)
    at net.jsign.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder.find(Unknown Source)
    at net.jsign.bouncycastle.operator.jcajce.JcaContentSignerBuilder.<init>(Unknown Source)
    at net.jsign.AuthenticodeSigner.createSignedDataGenerator(AuthenticodeSigner.java:407)
    at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:370)
    at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:342)
    at net.jsign.SignerHelper.sign(SignerHelper.java:506)
    at net.jsign.JsignCLI.execute(JsignCLI.java:116)
    at net.jsign.JsignCLI.main(JsignCLI.java:40)
Try `jsign --help' for more information.

Experimentation suggests the "WITHEC" gets added somewhere and is unexpected down the chain. For instance trying to use -d "SHA1" results in a "SHA1WITHEC" in the reported error.

I'm running on Fedora 34, and experimented with Java 8, 11 and 17 with no difference in behavior.

ebourg commented 2 years ago

Thank you for the report, could you paste the public key please? (or send it to ebourg@apache.org)

vatral commented 2 years ago

Public key:

Public-Key: (384 bit)
pub:
    04:d1:93:3a:7b:4f:9c:3c:a3:b0:f2:52:e0:d3:d6:
    94:d4:72:ef:75:99:7d:99:01:32:80:81:3e:bd:76:
    41:7c:cd:a2:a2:7f:ce:56:0d:cc:79:b3:65:33:9e:
    02:d7:16:83:05:87:5a:3f:76:72:d2:db:4f:b6:59:
    51:ca:9a:e1:36:7d:d0:44:7d:1d:87:61:f7:ff:ae:
    92:eb:18:74:a4:e3:95:c8:d9:e1:ff:df:0b:b2:92:
    f0:55:49:c0:81:02:f3
ASN1 OID: secp384r1
NIST CURVE: P-384
writing EC key
-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE0ZM6e0+cPKOw8lLg09aU1HLvdZl9mQEy
gIE+vXZBfM2ion/OVg3MebNlM54C1xaDBYdaP3Zy0ttPtllRyprhNn3QRH0dh2H3
/66S6xh0pOOVyNnh/98LspLwVUnAgQLz
-----END PUBLIC KEY-----

ebourg commented 2 years ago

I have been able to reproduce the issue. It looks like Jsign doesn't set the signature algorithm properly, it should be SHA256withECDSA instead of SHA256withEC.
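
The naming mismatch described in the comment above, shown with plain JCA on the P-384 key posted earlier in this thread. This is an added example, not code from the Jsign project or from either participant: it assumes a stock JDK (SunEC and SunRsaSign providers, no BouncyCastle), and the class and method names are the example's own.

```java
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class SignatureAlgorithmName {

    // The P-384 public key posted in this issue, as a SubjectPublicKeyInfo PEM.
    static final String PEM =
        "-----BEGIN PUBLIC KEY-----\n" +
        "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE0ZM6e0+cPKOw8lLg09aU1HLvdZl9mQEy\n" +
        "gIE+vXZBfM2ion/OVg3MebNlM54C1xaDBYdaP3Zy0ttPtllRyprhNn3QRH0dh2H3\n" +
        "/66S6xh0pOOVyNnh/98LspLwVUnAgQLz\n" +
        "-----END PUBLIC KEY-----\n";

    /** Decode a PEM SubjectPublicKeyInfo and hand it to the matching JCA KeyFactory. */
    static PublicKey loadPublicKey(String pem) throws Exception {
        String b64 = pem.replace("-----BEGIN PUBLIC KEY-----", "")
                        .replace("-----END PUBLIC KEY-----", "")
                        .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        X509EncodedKeySpec spec = new X509EncodedKeySpec(der);
        // The SPKI AlgorithmIdentifier fixes the key type; a KeyFactory for the
        // wrong type rejects the spec, so try the two types Authenticode uses.
        for (String keyType : new String[] {"EC", "RSA"}) {
            try {
                return KeyFactory.getInstance(keyType).generatePublic(spec);
            } catch (InvalidKeySpecException e) {
                // not this key type, try the next one
            }
        }
        throw new InvalidKeySpecException("neither an EC nor an RSA public key");
    }

    /** Naive derivation: digest + "with" + key algorithm. For an EC key this gives "SHA256withEC". */
    static String naiveSignatureAlgorithm(String digest, PublicKey key) {
        return digest + "with" + key.getAlgorithm();
    }

    /** JCA signature names carry the scheme, not the key type: EC keys sign with ECDSA. */
    static String jcaSignatureAlgorithm(String digest, PublicKey key) {
        switch (key.getAlgorithm()) {
            case "EC":  return digest + "withECDSA";
            case "RSA": return digest + "withRSA";
            default:    throw new IllegalArgumentException("unsupported key type: " + key.getAlgorithm());
        }
    }

    /** True if some installed provider implements the named signature algorithm. */
    static boolean isKnownToJca(String algorithm) {
        try {
            Signature.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        PublicKey key = loadPublicKey(PEM);
        System.out.println("key algorithm reported by JCA: " + key.getAlgorithm());

        // Same shape as the error in the report: "SHA1" and "SHA256" both produce
        // a "...withEC" name that no provider knows, while "...withECDSA" resolves.
        for (String digest : new String[] {"SHA1", "SHA256", "SHA384"}) {
            String naive = naiveSignatureAlgorithm(digest, key);
            String fixed = jcaSignatureAlgorithm(digest, key);
            System.out.printf("%-14s known=%-5b   %-16s known=%b%n",
                naive, isKnownToJca(naive), fixed, isKnownToJca(fixed));
        }
    }
}
```

Compile and run it with `javac SignatureAlgorithmName.java && java SignatureAlgorithmName`. JCA algorithm lookups are case-insensitive, so the uppercased `SHA256WITHECDSA` form seen in BouncyCastle's error message resolves the same way as `SHA256withECDSA`; the problem in the report is the missing `DSA` suffix, not the case.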

ebourg commented 2 years ago

@vatral This should be fixed now, could you give it a try please?

vatral commented 2 years ago

Hello! Thanks for the help!

I tried building it, but something isn't quite working for me: https://pastebin.com/raw/KHx9CxWu

Unfortunately I'm not much of a Java dev, so I'm not sure what's going wrong there. I'm skipping tests because I get a failure in PESignerTest.testSigningWithYubikey:161 » KeyStore Unable to load the keystore... which I'm guessing may require some particular Yubikey setup.

ebourg commented 2 years ago

You can skip the tests with:

mvn package -DskipTests

vatral commented 2 years ago

Okay, got it to build, thanks. Now I get this:
jsign: Couldn't sign nxproxy.exe
net.jsign.bouncycastle.cms.CMSException: can't create content verifier: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
    at net.jsign.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
    at net.jsign.bouncycastle.cms.SignerInformation.verify(Unknown Source)
    at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:376)
    at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:342)
    at net.jsign.SignerHelper.sign(SignerHelper.java:506)
    at net.jsign.JsignCLI.execute(JsignCLI.java:116)
    at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: net.jsign.bouncycastle.operator.OperatorCreationException: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
    at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.createSignature(Unknown Source)
    at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.access$300(Unknown Source)
    at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$2.get(Unknown Source)
    at net.jsign.bouncycastle.cms.SignerInformationVerifier.getContentVerifier(Unknown Source)
    ... 7 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
    at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1303)
    at java.base/java.security.Signature$Delegate.engineInitVerify(Signature.java:1349)
    at java.base/java.security.Signature.initVerify(Signature.java:506)
    ... 11 more
Try `java -jar jsign.jar --help' for more information.