
Authenticode signatures with SHA-512 not recognized by Windows (PE files)

    Details

    • Sprint:
      SignServer-Sprint 101, SignServer-Sprint 102

      Description

      During testing in DSSINTER-228 it was discovered that all files signed with a signature algorithm using SHA-512, or with SHA-512 as the digest algorithm, fail verification on Windows (10).

      Failed test cases:

      RSA 2048, SHA-512, PE  Error: No signature was present in the subject
      RSA 2048, SHA-512, MSI  Error: No signature was present in the subject
      RSA 4096, SHA-512, PE  Error: No signature was present in the subject
      RSA 4096, SHA-512, MSI  Error: No signature was present in the subject


      Output from MS signtool (first successfully verifying SHA-256, then failing for SHA-512):

      C:\Program Files (x86)\Windows Kits\10\bin\x64>signtool.exe verify /pa \tmp\HelloPE-RSA2048-SHA256-ts.exe
      File: \tmp\HelloPE-RSA2048-SHA256-ts.exe
      Index Algorithm Timestamp
      ========================================
      0 sha256 RFC3161
      Successfully verified: \tmp\HelloPE-RSA2048-SHA256-ts.exe

      C:\Program Files (x86)\Windows Kits\10\bin\x64>signtool.exe verify /pa \tmp\HelloPE-RSA2048-SHA512-ts.exe
      File: \tmp\HelloPE-RSA2048-SHA512-ts.exe
      Index Algorithm Timestamp
      ========================================
      SignTool Error: No signature found.
      Number of errors: 1

      C:\Program Files (x86)\Windows Kits\10\bin\x64>signtool.exe verify /pa \tmp\HelloPE-RSA4096-SHA512-ts.exe
      File: \tmp\HelloPE-RSA4096-SHA512-ts.exe
      Index Algorithm Timestamp
      ========================================
      SignTool Error: No signature found.
      Number of errors: 1


      Successfully signing with MS SignTool:

      C:\Program Files (x86)\Windows Kits\10\bin\x64>signtool.exe sign /fd SHA512 /a /f \primekey\signserver\res\test\dss10\dss10_keystore.p12 /n code00003 /p foo123 \primekey\signserver\res\test\HelloPE.exe
      Done Adding Additional Store
      Successfully signed: \primekey\signserver\res\test\HelloPE.exe

      C:\Program Files (x86)\Windows Kits\10\bin\x64>signtool.exe verify /pa \primekey\signserver\res\test\HelloPE.exe
      File: \primekey\signserver\res\test\HelloPE.exe
      Index Algorithm Timestamp
      ========================================
      0 sha512 None
      Successfully verified: \primekey\signserver\res\test\HelloPE.exe

       Differences found between the SignServer-signed file (SHA-512 digest, SHA512withRSA signature, time-stamped) and the SignTool-signed file (not time-stamped):

      • Checksum (likely due to different signature)
      • CERTIFICATE_TABLE size (likely due to timestamp)
      • Timestamp vs. not time-stamped
      • SignServer adds "<<<Obsolete>>>"
      • SignTool adds a 1.3.6.1.4.1.311.2.1.12 (SPC_SP_OPUS_INFO_OBJID) attribute
      • SignServer adds 1.2.840.113549.1.9.5 (signingTime)
      • SignServer adds 1.2.840.113549.1.9.52 (cmsAlgorithmProtect)
      • SignServer encodes the signature algorithm as "1.2.840.113549.1.1.13" (SHA512withRSA) while SignTool sets "1.2.840.113549.1.1.1" (rsaEncryption)


       [x] When we have files without time-stamp compare again

      Diffs

       [x] When we also have SignServer and SignTool signed files with SHA-256 or SHA-384 we can compare those as well, and compare between them, to check if some clue can be found: sha384-sha512-signsever-signtool-20181130.zip

      SignTool diff between SHA-384 and SHA-512:

      • 2.16.840.1.101.3.4.2.2 vs 2.16.840.1.101.3.4.2.3
      • Octet String[48] vs Octet String[64]
      • 2.16.840.1.101.3.4.2.2 vs 2.16.840.1.101.3.4.2.3

      SignServer diff between SHA-384 and SHA-512:

      • 2.16.840.1.101.3.4.2.2 vs 2.16.840.1.101.3.4.2.3
      • Octet String[48] vs Octet String[64]
      • 2.16.840.1.101.3.4.2.2 vs 2.16.840.1.101.3.4.2.3
      • UTCTime value
      • 2.16.840.1.101.3.4.2.2 vs 2.16.840.1.101.3.4.2.3
      • Octet String[48] vs Octet String[64]
      • 1.2.840.113549.1.1.12 vs 1.2.840.113549.1.1.13

      Conclusions:

      • Basically the same differences but:
      • SignServer has more attributes with algorithm OID and thus more diffs
      • SignServer uses OID for signature algorithm with hash while SignTool uses generic "rsaEncryption"
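      The OID-level comparison above can be reproduced with a small DER walker. The following is an added example written for this page, not SignServer, Jsign or SignTool code: it encodes and decodes OIDs, lists the OIDs a DER blob carries, diffs two blobs position-wise in the "X vs Y" form used above, reports the digest and signature AlgorithmIdentifiers by name, and checks for the "<<<Obsolete>>>" BMPString. The two SignerInfo-shaped samples are constructed in the file to mirror what the issue reports for the two tools (only the differing fields are modelled); the OID names come from the PKCS#1, CMS and Authenticode specifications. Running it against a real PE would additionally require extracting the PKCS#7 blob from the Attribute Certificate Table, which this example does not do.

```python
"""Walk a DER blob, list the algorithm OIDs it carries and diff two blobs.

Added example (not SignServer, Jsign or SignTool code). The DER samples at
the bottom are constructed here to mimic the relevant parts of a SignerInfo.
"""

# OID names as used in the issue text (PKCS#1, CMS/RFC 6211, Authenticode).
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
    "1.2.840.113549.1.9.5": "signingTime",
    "1.2.840.113549.1.9.52": "cmsAlgorithmProtect",
    "1.3.6.1.4.1.311.2.1.12": "SPC_SP_OPUS_INFO_OBJID",
}

SEQUENCE, OID, NULL, BMPSTRING = 0x30, 0x06, 0x05, 0x1E


def tlv(tag, body):
    """Encode one DER TLV with short or long definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def encode_oid(dotted):
    """Dotted OID -> full DER OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(groups))  # high-order groups first, continuation bit set
    return tlv(OID, bytes(out))


def decode_oid(body):
    """DER OID body (without tag/length) -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def walk(der, depth=0):
    """Yield (depth, tag, body) for every TLV, descending into constructed ones."""
    pos = 0
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length & 0x80:  # long form length
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        body = der[pos:pos + length]
        pos += length
        yield depth, tag, body
        if tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT
            yield from walk(body, depth + 1)


def oids_in(der):
    return [decode_oid(body) for _, tag, body in walk(der) if tag == OID]


def diff_oids(a, b):
    """Position-wise OID diff, in the 'X vs Y' form used in the issue text."""
    return [(x, y) for x, y in zip(oids_in(a), oids_in(b)) if x != y]


def signer_algorithms(der):
    """Names of the first two AlgorithmIdentifiers at depth 1: (digest, signature)."""
    found = [oids_in(body)[0] for d, tag, body in walk(der) if d == 1 and tag == SEQUENCE]
    return tuple(OID_NAMES.get(o, o) for o in found[:2])


OBSOLETE_MARKER = "<<<Obsolete>>>".encode("utf-16-be")  # BMPString payload


def has_obsolete_marker(der):
    """True if the SpcLink text SignServer emitted (and SignTool did not) is present."""
    return OBSOLETE_MARKER in der


def algorithm_identifier(oid):
    return tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))


# Constructed samples: SignerInfo-shaped SEQUENCEs modelling only the fields the
# issue reports as differing between the two tools (not real signatures).
SIGNSERVER_LIKE = tlv(SEQUENCE,
                      algorithm_identifier("2.16.840.1.101.3.4.2.3")   # digest: sha512
                      + algorithm_identifier("1.2.840.113549.1.1.13")  # sha512WithRSAEncryption
                      + tlv(BMPSTRING, OBSOLETE_MARKER))
SIGNTOOL_LIKE = tlv(SEQUENCE,
                    algorithm_identifier("2.16.840.1.101.3.4.2.3")     # digest: sha512
                    + algorithm_identifier("1.2.840.113549.1.1.1")     # rsaEncryption
                    + tlv(BMPSTRING, b""))                             # empty string

if __name__ == "__main__":
    for name, blob in (("SignServer-like", SIGNSERVER_LIKE), ("SignTool-like", SIGNTOOL_LIKE)):
        print(name, signer_algorithms(blob), "obsolete marker:", has_obsolete_marker(blob))
    for x, y in diff_oids(SIGNSERVER_LIKE, SIGNTOOL_LIKE):
        print(f"{x} vs {y}")
```

      The position-wise diff only lines up when both blobs have the same shape, which is the case for the SignTool SHA-384/SHA-512 pair above; when one side carries extra attributes (the signingTime and cmsAlgorithmProtect ones SignServer adds), compare the OID sets or walk the two structures side by side instead.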

      Remove differences

      [✔] MK/RB: TODO: We could try to make our signatures more similar to the SignTool ones.

      After fixing the following differences the SHA-512 hash/signature is now accepted:

      • Include SpcSpOpusInfo even if programName and programURL are not set
      • Use an empty string instead of "<<<Obsolete>>>" in SpcLink.

      [✔] MK: Submit patch/PR to Jsign: https://github.com/ebourg/jsign/pull/56

       [✔] Wait for new release or build our own artifacts and publish to Central. Built and published our own.

      [✔] Also add to compliance test to sign with different algorithms.

      [✔] Fix for EXE

      [-] Investigate differences needed for MSI, as the tests are failing: Split out to DSS-1995


      People

      Assignee: Markus Kilås
      Reporter: Rammohan Bandi
      Verified by: Marcus Lundblad

      Time Tracking

      Original Estimate: 1d 4h
      Remaining Estimate: 0m
      Time Spent: 1d 2h 55m