Closed patatetom closed 9 months ago
You have also confirmed this issue against the GitHub master branch of osslsigncode, haven't you? Otherwise, you should have reported this issue to the Arch package maintainer rather than here.
AFAIK osslsigncode only uses the OS certificate bundle when the -CAfile option is not specified. Thus, the issue seems to depend on the OpenSSL version (and unlikely also any patches added by the OS package maintainer) and not the OS certificate bundle. Can you check which OpenSSL versions are affected?
-CAfile option to easily vary my test file, which contains one and then two certificates (a tiny bundle), and this can be compared with using the system bundle (previous closed issue). I'm willing to test openssl, but how do you see it?
Use this example:
$ cd ~/src
$ tar -xzf openssl-3.2.1.tar.gz
$ cd openssl-3.2.1
$ ./config --prefix=/opt/openssl-3.2.1
$ make
$ sudo make install
$ cd ~/src/osslsigncode/build
$ LD_LIBRARY_PATH=/opt/openssl-3.2.1/lib64 ./osslsigncode -v
Adjust paths to match your local OS deployment and the tested OpenSSL version. Add your own tests.
I wasn't sure whether my addition would be taken into account
BTW: What do you mean by "my addition" exactly?
Please use the #number format when referencing other issues to ensure clarity for everyone viewing this issue, not just myself. We prefer to dedicate our time to solving technical problems rather than deciphering references to other issues.
Please read How To Ask Questions The Smart Way by Eric S.Raymond and Rick Moen and How to Report Bugs Effectively by Simon Tatham.
hi,
before I started compiling previous versions of openssl, I started by recompiling versions 2.7 and master/dev of osslsigncode, and it seems that the problem has been solved with the development version:
# openssl version
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
# (echo '# 1'; cat test/MicrosoftRootCertificateAuthority2011.crt.pem) > test/test.pem
# (echo '# 2'; cat test/MicrosoftRootCertificateAuthority2011.crt.pem) >> test/test.pem
# (echo '# 3'; cat test/MicrosoftCertificateAuthorityUefi2023.crt.pem) >> test/test.pem
# cat test/test.pem
# 1
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
…
oijHHKOnNlA8OqTfSm7mhzvO6/DggTedEzxSjr25HTTGHdUKaj2YKXCMiSrRq4IQ
SB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH
-----END CERTIFICATE-----
# 2
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
…
oijHHKOnNlA8OqTfSm7mhzvO6/DggTedEzxSjr25HTTGHdUKaj2YKXCMiSrRq4IQ
SB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH
-----END CERTIFICATE-----
# 3
-----BEGIN CERTIFICATE-----
MIIFqjCCA5KgAwIBAgITMwAAABqIi5gAViKEwQAAAAAAGjANBgkqhkiG9w0BAQsF
ADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
…
wtdq3Idx6qS/72eXnLjHgDYqKlnJwAynRKBztYzPOFqu+LuGlfBErWZ6M+1x5EWH
g+WnzqJA0HLSSAD6+Ro=
-----END CERTIFICATE-----
# unzip osslsigncode-2.7.zip
Archive: osslsigncode-2.7.zip
9ebd79ad180f4ad47fb645fb22d376fdc7aa061b
creating: osslsigncode-2.7/
…
inflating: osslsigncode-2.7/tests/sources/sample.wxs
inflating: osslsigncode-2.7/vcpkg.json
# cd osslsigncode-2.7/
# mkdir build && cd build && cmake -S ..
-- The C compiler identification is GNU 13.2.1
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Found OpenSSL: /usr/lib/libcrypto.so (found version "3.2.0")
-- Found CURL: /usr/lib/libcurl.so (found version "8.5.0")
-- Found ZLIB: /usr/lib/libz.so (found version "1.3")
-- Using bash completions dir /usr/share/bash-completion/completions
-- Looking for getpass
-- Looking for getpass - found
-- Looking for termios.h
-- Looking for termios.h - found
-- Looking for sys/mman.h
-- Looking for sys/mman.h - found
-- Looking for mmap
-- Looking for mmap - found
-- cURL support enabled
-- Found Python3: /usr/bin/python3.11 (found version "3.11.6") found components: Interpreter
-- HTTP server started, URL http://127.0.0.1:42753
-- faketime not found in $PATH, please install faketime package
-- Default certificates used by cTest
-- Configuring done (3.6s)
-- Generating done (0.0s)
-- Build files have been written to: /root/osslsigncode-2.7/build
# cmake --build .
[ 12%] Building C object CMakeFiles/osslsigncode.dir/osslsigncode.c.o
[ 25%] Building C object CMakeFiles/osslsigncode.dir/helpers.c.o
[ 37%] Building C object CMakeFiles/osslsigncode.dir/msi.c.o
[ 50%] Building C object CMakeFiles/osslsigncode.dir/pe.c.o
[ 62%] Building C object CMakeFiles/osslsigncode.dir/cab.c.o
[ 75%] Building C object CMakeFiles/osslsigncode.dir/cat.c.o
[ 87%] Building C object CMakeFiles/osslsigncode.dir/appx.c.o
[100%] Linking C executable osslsigncode
[100%] Built target osslsigncode
# cd
# ln -s osslsigncode-2.7/build/osslsigncode
# ./osslsigncode --version
osslsigncode 2.7, using:
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
libcurl/8.5.0 OpenSSL/3.2.0 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0
…
# ./osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/test.pem
PE checksum : 003B0CC8
…
Number of verified signatures: 1
❌ Failed
# unzip osslsigncode-master.zip
Archive: osslsigncode-master.zip
42e97339167282cb1e9b55c4d3b4e6485fed13ea
creating: osslsigncode-master/
…
inflating: osslsigncode-master/utf.h
inflating: osslsigncode-master/vcpkg.json
# cd osslsigncode-master/
# mkdir build && cd build && cmake -S ..
-- The C compiler identification is GNU 13.2.1
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Found OpenSSL: /usr/lib/libcrypto.so (found version "3.2.0")
-- Found CURL: /usr/lib/libcurl.so (found version "8.5.0")
-- Found ZLIB: /usr/lib/libz.so (found version "1.3")
-- Using bash completions dir /usr/share/bash-completion/completions
-- Looking for getpass
-- Looking for getpass - found
-- Looking for termios.h
-- Looking for termios.h - found
-- Looking for sys/mman.h
-- Looking for sys/mman.h - found
-- Looking for mmap
-- Looking for mmap - found
-- cURL support enabled
-- Found Python3: /usr/bin/python3.11 (found version "3.11.6") found components: Interpreter
-- HTTP server started, URL http://127.0.0.1:38129
-- faketime not found in $PATH, please install faketime package
-- Default certificates used by cTest
-- Configuring done (3.5s)
-- Generating done (0.0s)
-- Build files have been written to: /root/osslsigncode-master/build
# cmake --build .
[ 10%] Building C object CMakeFiles/osslsigncode.dir/osslsigncode.c.o
[ 20%] Building C object CMakeFiles/osslsigncode.dir/helpers.c.o
[ 30%] Building C object CMakeFiles/osslsigncode.dir/utf.c.o
[ 40%] Building C object CMakeFiles/osslsigncode.dir/msi.c.o
[ 50%] Building C object CMakeFiles/osslsigncode.dir/pe.c.o
[ 60%] Building C object CMakeFiles/osslsigncode.dir/cab.c.o
[ 70%] Building C object CMakeFiles/osslsigncode.dir/cat.c.o
[ 80%] Building C object CMakeFiles/osslsigncode.dir/appx.c.o
[ 90%] Building C object CMakeFiles/osslsigncode.dir/script.c.o
[100%] Linking C executable osslsigncode
[100%] Built target osslsigncode
# cd
# ln -sf osslsigncode-master/build/osslsigncode
# ./osslsigncode --version
osslsigncode 2.8-dev, using:
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
libcurl/8.5.0 OpenSSL/3.2.0 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0
Default -CAfile location: /etc/ssl/certs/ca-certificates.crt
…
# ./osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/test.pem
PE checksum : 003B0CC8
…
Number of verified signatures: 1
✅ Succeeded
if it helps to find the bundle problem, I'd add that it occurs with version 2.7 when the bundle is made up of different certificates, but not if it is made up of the same certificate several times:
# (echo '# 1'; cat test/MicrosoftRootCertificateAuthority2011.crt.pem) > test/test.pem
# (echo '# 2'; cat test/MicrosoftRootCertificateAuthority2011.crt.pem) >> test/test.pem
# cat test/test.pem
# 1
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
…
oijHHKOnNlA8OqTfSm7mhzvO6/DggTedEzxSjr25HTTGHdUKaj2YKXCMiSrRq4IQ
SB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH
-----END CERTIFICATE-----
# 2
-----BEGIN CERTIFICATE-----
MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
…
oijHHKOnNlA8OqTfSm7mhzvO6/DggTedEzxSjr25HTTGHdUKaj2YKXCMiSrRq4IQ
SB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH
-----END CERTIFICATE-----
# ln -sf osslsigncode-2.7/build/osslsigncode
# ./osslsigncode --version
osslsigncode 2.7, using:
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
libcurl/8.5.0 OpenSSL/3.2.0 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0
…
# ./osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/test.pem
PE checksum : 003B0CC8
…
Number of verified signatures: 1
✅ Succeeded
version 2.8, which is currently in preparation, solves my problem.
the addition of the signature chain for the revocation list is very welcome. thank you very much and congratulations for this wonderful tool.
regards, lacsaP.
The first sentence of my first response to this issue 3 days ago was:
You have also confirmed this issue against the GitHub master branch of osslsigncode, haven't you?
I'm glad you got it working.
hi,
the problem occurs under ArchLinux but not under Ubuntu. osslsigncode is in the same version on both systems, which is not the case for openssl.

osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/MicrosoftRootCertificateAuthority2011.crt.pem
…
Number of verified signatures: 1
✅ Succeeded

(
echo "# MicrosoftRootCertificateAuthority2011"
cat test/MicrosoftRootCertificateAuthority2011.crt.pem
) > test/test.pem
osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/test.pem
…
Number of verified signatures: 1
✅ Succeeded

(
echo "# MicrosoftRootCertificateAuthority2010"
cat test/MicrosoftRootCertificateAuthority2010.crt.pem
) >> test/test.pem
osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/test.pem
…
Number of verified signatures: 1
❌ Failed

osslsigncode --version
osslsigncode 2.7, using:
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
…

osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/MicrosoftRootCertificateAuthority2011.crt.pem
…
Number of verified signatures: 1
✅ Succeeded

(
echo "# MicrosoftRootCertificateAuthority2011"
cat test/MicrosoftRootCertificateAuthority2011.crt.pem
) > test/test.pem
osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/test.pem
…
Number of verified signatures: 1
✅ Succeeded

(
echo "# MicrosoftRootCertificateAuthority2010"
cat test/MicrosoftRootCertificateAuthority2010.crt.pem
) >> test/test.pem
osslsigncode verify -ignore-timestamp -in test/msedge.exe -CAfile test/test.pem
…
Number of verified signatures: 1
✅ Succeeded
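An added check for the condition the two posts above describe (a -CAfile bundle holding two different certificates fails under osslsigncode 2.7, while a bundle holding the same certificate twice passes). This is example code written for this page, not osslsigncode's own code: it reads a PEM bundle the way a verifier has to, ignoring the `# n` comment lines between blocks, fingerprints each certificate and reports how many distinct trust anchors the file really carries. The two sample bundles are constructed from placeholder bytes rather than real certificates, and `make_bundle`, `pem_certificates` and `bundle_summary` are names chosen here.

```python
"""Inspect a PEM CA bundle the way a verifier must read it.

Example code added for this issue page, not part of osslsigncode. The sample
"certificates" are constructed placeholder byte strings, not real DER.
"""
import base64
import hashlib
import re

# One CERTIFICATE block; text outside the BEGIN/END markers (comments such as
# "# 1", blank lines) is not matched and therefore ignored, which matches how
# OpenSSL's PEM reader treats it.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_certificates(bundle_text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    ders = []
    for match in PEM_RE.finditer(bundle_text):
        b64 = "".join(match.group(1).split())  # drop line breaks (LF or CRLF)
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprint(der):
    """SHA-256 over the DER encoding, as openssl x509 -fingerprint -sha256 does."""
    return hashlib.sha256(der).hexdigest()


def bundle_summary(bundle_text):
    """Count PEM blocks and distinct certificates in a bundle.

    A bundle that repeats one certificate collapses to a single trust anchor;
    only a bundle with several *distinct* certificates exercises the multi-CA
    code path that the issue reports as failing under 2.7.
    """
    fps = [fingerprint(der) for der in pem_certificates(bundle_text)]
    return {"total": len(fps), "distinct": len(set(fps)), "fingerprints": fps}


def make_bundle(entries):
    """Build a bundle in the shape of the issue's test.pem:
    a '# label' comment line followed by a PEM block, for each (label, der)."""
    parts = []
    for label, der in entries:
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        parts.append(
            f"# {label}\n-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
        )
    return "".join(parts)


# Constructed placeholders: distinct byte strings standing in for two CA
# certificates. They are not valid X.509 and exist only to drive the parser.
CERT_A = b"\x30\x82\x00\x10" + b"A" * 80
CERT_B = b"\x30\x82\x00\x10" + b"B" * 80

# Mirrors the two bundles from the issue: the same root twice, and two
# different roots, each preceded by a comment line.
SAME_TWICE = make_bundle([("1", CERT_A), ("2", CERT_A)])
TWO_DISTINCT = make_bundle([("1", CERT_A), ("2", CERT_B)])

if __name__ == "__main__":
    for name, text in (("same cert twice", SAME_TWICE),
                       ("two distinct certs", TWO_DISTINCT)):
        s = bundle_summary(text)
        print(f"{name}: {s['total']} PEM blocks, {s['distinct']} distinct certificates")
```

Run it against a real bundle by passing the file's text to `bundle_summary`; if `distinct` is 1 the file is equivalent to the single-certificate case and does not reproduce the failure, regardless of how many blocks or comment lines it contains.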