mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

Compatibility issue with openssl@3.2.0 #325

Closed AlexanderOMara closed 11 months ago

AlexanderOMara commented 12 months ago

I'm not sure where this compatibility issue lies exactly, but when Homebrew updated openssl from 3.1.4 to 3.2.0, osslsigncode verify started failing with CMS_verify and PKCS7_verify errors "self-signed certificate in certificate chain".

Homebrew issue: https://github.com/Homebrew/homebrew-core/issues/155744

For example, with Firefox Setup 115.5.0esr.exe

$ osslsigncode verify Firefox\ Setup\ 115.5.0esr.exe
Current PE checksum   : 0365D3BF
Calculated PE checksum: 036596C5
Warning: invalid PE checksum

Message digest algorithm  : SHA256
Current message digest    : F3A5F2AC1A507C992B23F742FD4B59FF3BB8D10BA72E69D45666C4D548AB4683
Calculated message digest : F3A5F2AC1A507C992B23F742FD4B59FF3BB8D10BA72E69D45666C4D548AB4683

Signature Index: 0  (Primary Signature)
Signer's certificate:
    Signer #0:
        Subject: /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Firefox Engineering Operations/CN=Mozilla Corporation
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
        Serial : 0C1CD3EEA47EDDA7A032573B014D0AFD
        Certificate expiration date:
            notBefore : Apr  9 00:00:00 2021 GMT
            notAfter : Jun 19 23:59:59 2024 GMT

Number of certificates: 7
    Signer #0:
        Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
        Serial : 0CE7E0E517D846FE8FE560FC1BF03039
        Certificate expiration date:
            notBefore : Nov 10 00:00:00 2006 GMT
            notAfter : Nov 10 00:00:00 2031 GMT
    ------------------
    Signer #1:
        Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
        Serial : 0409181B5FD5BB66755343B56F955008
        Certificate expiration date:
            notBefore : Oct 22 12:00:00 2013 GMT
            notAfter : Oct 22 12:00:00 2028 GMT
    ------------------
    Signer #2:
        Subject: /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Firefox Engineering Operations/CN=Mozilla Corporation
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
        Serial : 0C1CD3EEA47EDDA7A032573B014D0AFD
        Certificate expiration date:
            notBefore : Apr  9 00:00:00 2021 GMT
            notAfter : Jun 19 23:59:59 2024 GMT
    ------------------
    Signer #3:
        Subject: /CN=Dummy
        Issuer : /CN=Dummy
        Serial : 7E89B9DF006BD1AA4C48D865039634CA
        Certificate expiration date:
            notBefore : Jan  1 07:00:00 2013 GMT
            notAfter : Jan  2 07:00:00 2013 GMT
    ------------------
    Signer #4:
        Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
        Serial : 073637B724547CD847ACFD28662A5E5B
        Certificate expiration date:
            notBefore : Mar 23 00:00:00 2022 GMT
            notAfter : Mar 22 23:59:59 2037 GMT
    ------------------
    Signer #5:
        Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
        Serial : 0E9B188EF9D02DE7EFDB50E20840185A
        Certificate expiration date:
            notBefore : Aug  1 00:00:00 2022 GMT
            notAfter : Nov  9 23:59:59 2031 GMT
    ------------------
    Signer #6:
        Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2023
        Issuer : /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
        Serial : 0544AFF3949D0839A6BFDB3F5FE56116
        Certificate expiration date:
            notBefore : Jul 14 00:00:00 2023 GMT
            notAfter : Oct 13 23:59:59 2034 GMT

Message digest algorithm: SHA256

Authenticated attributes:
    Signing time: Nov 13 17:54:46 2023 GMT
    Microsoft Individual Code Signing purpose
    URL description: https://mozilla.org
    Message digest: E8FC34AA43A132963A4C6F6F2BE941A2E254C06F013B5AADDFDA9230CC7C02CF

The signature is timestamped: Nov 13 17:54:46 2023 GMT
Hash Algorithm: sha256
Timestamp Verified by:
        Issuer : /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
        Serial : 0544AFF3949D0839A6BFDB3F5FE56116

CAfile: /etc/ssl/certs/ca-certificates.crt
TSA's certificates file: /etc/ssl/certs/ca-certificates.crt

CMS_verify error
C0CFAEB0827F0000:error:17000064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:crypto/cms/cms_smime.c:289:Verify error: self-signed certificate in certificate chain
Timestamp Server Signature verification: failed

PKCS7_verify error
C0CFAEB0827F0000:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: self-signed certificate in certificate chain
Signature verification: failed

Number of verified signatures: 1
Failed

If I downgrade back to openssl 3.1.4 none of those errors happen.
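The chain listed in the output above contains two certificates whose Subject equals their Issuer: the DigiCert root (Signer #0) and the embedded "Dummy" certificate (Signer #3), which is what a "self-signed certificate in certificate chain" error is about. As an added example (not osslsigncode's own code), the following Python script parses that per-signer listing and reports self-issued and out-of-validity certificates; the sample input is a constructed excerpt of the output quoted above, and the `audit_chain` and `parse_chain` names are this example's own.

```python
from datetime import datetime, timezone

# Constructed excerpt of the verify output quoted above: the DigiCert root
# (Signer #0) and the embedded "Dummy" certificate (Signer #3).
SAMPLE_OUTPUT = """\
    Signer #0:
        Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
        Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
        Serial : 0CE7E0E517D846FE8FE560FC1BF03039
        Certificate expiration date:
            notBefore : Nov 10 00:00:00 2006 GMT
            notAfter : Nov 10 00:00:00 2031 GMT
    ------------------
    Signer #3:
        Subject: /CN=Dummy
        Issuer : /CN=Dummy
        Serial : 7E89B9DF006BD1AA4C48D865039634CA
        Certificate expiration date:
            notBefore : Jan  1 07:00:00 2013 GMT
            notAfter : Jan  2 07:00:00 2013 GMT
"""

def parse_chain(text):
    """One dict per 'Signer #N' block; every 'key : value' line becomes a field."""
    certs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Signer #"):
            cur = {"idx": int(line[len("Signer #"):].rstrip(":"))}
            certs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")  # first colon only; times keep theirs
            cur[key.strip()] = val.strip()
    return certs

def _gmt(s):
    # OpenSSL pads the day with a space ("Jan  1 ..."), so collapse whitespace first
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def audit_chain(text, now=None):
    """Flag self-issued (Subject == Issuer) and out-of-validity certificates in the chain."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for c in parse_chain(text):
        # Subject == Issuer marks a self-issued cert; confirming the self-signature
        # would need the DER certificate itself, which this listing does not carry.
        if c["Subject"] == c["Issuer"]:
            findings.append((c["idx"], "self-issued"))
        if not _gmt(c["notBefore"]) <= now <= _gmt(c["notAfter"]):
            findings.append((c["idx"], "outside validity period"))
    return findings
```

Running `audit_chain(SAMPLE_OUTPUT)` flags Signer #0 as self-issued and Signer #3 as both self-issued and outside its one-day validity window.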

AlexanderOMara commented 11 months ago

I've come to believe this is caused by a regression I believe I have identified in openssl 3.2.0.

https://github.com/openssl/openssl/issues/22895

olszomal commented 11 months ago

This is fixed in PR https://github.com/openssl/openssl/issues/22885