search

vcsjones / OpenOpcSignTool

An open-source implementation of VsixSignTool.
MIT License
37 stars 24 forks source link

Can’t pass VsixSignTool’s verify command when timetamped #75

Closed scott-xu closed 1 year ago

scott-xu commented 4 years ago

Steps to reproduce:

  1. Sign an OPC file with timestamp using OpenOpcSignTool
  2. Verify the signed OPC file using the official VsixSignTool Expected: pass the verification Actual: failed to verify
scott-xu commented 4 years ago

The error is "ASN1 bad tag value met."

habbes commented 4 years ago

How's the progress on this task? I'm also experiencing a similar error when signing a vsix.

gix commented 2 years ago

This is a bug in VsixSignTool. The signature part XML for the timestamp looks like this (without formatting, and with UTF-8 BOM):

Signed with VsixSignTool:

<Object xmlns="http://www.w3.org/2000/09/xmldsig#">
  <TimeStamp Id="idSignatureTimestamp" xmlns="http://schemas.openxmlformats.org/package/2006/digital-signature">
    <Comment>Timestamp got from the time stamp server</Comment>
    <EncodedTime>...

Signed with OpenVsixSignTool:

<Object xmlns="http://www.w3.org/2000/09/xmldsig#">
  <TimeStamp Id="idSignatureTimestamp" xmlns="http://schemas.openxmlformats.org/package/2006/digital-signature">
    <Comment></Comment>
    <EncodedTime>...

Note that VsixSignTool adds a comment.

When extracting the <EncodedTime> value, VsixSignTool does not parse the XML, but reads the string starting at the fixed offset 236. Without the comment, this offset is in the middle of the value, and subsequently CryptVerifyTimeStampSignature complains about bad input.

OpenVsixSignTool could add the (useless) comment for compat. But really Microsoft should fix their tool. VSIXInstaller works fine anyway.