Closed marcosdiazr closed 1 year ago
The Microsoft's digital signature verification accepts signatures created with invalid padding. Microsoft has acknowledged the bug, but they are not going to fix it.
I'm not going to introduce the bug either. Consequently, a small fraction of signatures accepted by Microsoft will be rejected by osslsigncode.
Thanks! do you have more info on Microsoft's issue that can lead me to investigate?
when running
osslsigncode verify -in wpbbin.exe -CAfile verisign.cer -TSA-CAfile thawte.cer
files.zip(attached the binary and the root certificates that should validate it)
Expected: to get successful validation Actual:
fullerror.txt
I expect it to pass because If I validate the attached binary with signtool: signtool.exe verify /pa /v .\wpbbin.exe I get successful validation. The root certs I exported from windows itself.
Notes: This is an scenario where both the signing certificates and the timestamp server root certs are expired, signtool validates that, but I tested other binaries and using the -time parameter and it works ok.
This might probably be an issue with this file's signatures plus how openssl validates it but maybe there is something in osslsign code too.
I checked these are the correct certificates because if i change them I get different errors.
This error: 00E4660D7A7F0000:error:1700006B:CMS routines:cms_get_enveloped_type:content type not enveloped data:../crypto/cms/cms_env.c:41: looks like is always generated so probably is something that doesn't gets cleaned in openssl
I original thought that it might be that osslsigncode doesn't pass all the intermediate certs for the timestamp server. But the error is different if it doesn't find the correct cert.
Maybe if you can help me to extract the signature to check with openssl