Verifying digital signature in offline environment
NtWriteCode opened this issue · 7 comments
Hi, earlier I had a really similar issue, but now I'm a bit confused again, maybe it would be nice to dedicate a section in the readme to this later :)
So, what I'd like to do is to verify digital signatures of various filetypes. Ideally the same way on linux or windows.
(Off-topic, P.S.: I'm planning to include it as part of an open source malware analysis toolset, so this tool sounds just ideal)
It must be able to run in offline environments as well - of course certs can be pre-downloaded. I know, this means I may not have the latest CRL at the moment of verification.
Can you help me with how to achieve this?
Ps. the other ticket was: #258
If I try to run the command in an offline environment, I get
```
140132927871040:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:285:Verify error:unable to get local issuer certificate
Signature verification: failed
```
What is "the command" you tried to run? Does "the command" include the "-ignore-cdp" parameter?
Sorry, let me begin by saying that I'm using a self-compiled Linux version, from branch 2.8.
By "the command" I mean the one referred to in my linked ticket, which in my case is:
```
./osslsigncode verify -in ccsetup583_x86_be.msi -CAfile MicRooCerAut_2010-06-23.pem -TSA-CAfile MicRooCerAut_2010-06-23.pem
```
Output:
[root@0377df3c559f test]# ./osslsigncode verify -in ccsetup583_x86_be.msi -CAfile MicRooCerAut_2010-06-23.pem -TSA-CAfile MicRooCerAut_2010-06-23.pem
Signature Index: 0 (Primary Signature)
Message digest algorithm : SHA1
Current MsiDigitalSignatureEx : 1090A9CBEE41C5ED405DBEFD223FE6238DC6139A
Calculated MsiDigitalSignatureEx : 1090A9CBEE41C5ED405DBEFD223FE6238DC6139A
Current DigitalSignature : 45C912241EA9FFC7CC3D7C9037CC59596DAFC603
Calculated DigitalSignature : 45C912241EA9FFC7CC3D7C9037CC59596DAFC603
Calculated message digest : 7DC79078272BBC759D5295B748D8E93B86E8555D
Signer's certificate:
------------------
Signer #0:
Subject: /C=GB/L=London/O=Piriform Software Ltd/OU=RE 901/CN=Piriform Software Ltd
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
Serial : 02FA994D660DE659EE9037ECB437D766
Certificate expiration date:
notBefore : Oct 14 00:00:00 2019 GMT
notAfter : Oct 18 12:00:00 2022 GMT
Message digest algorithm: SHA1
Authenticated attributes:
Microsoft Individual Code Signing purpose
Message digest: B43CD306C611FBFB2188182D18CFF045AE38B79C
URL description: http://www.avast.com
Countersignatures:
Timestamp time: Jul 16 14:13:58 2021 GMT
Signing time: Jul 16 14:13:58 2021 GMT
Hash Algorithm: sha256
Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
Serial: 0D424AE0BE3A88FF604021CE1400F0DD
CAfile: MicRooCerAut_2010-06-23.pem
TSA's certificates file: MicRooCerAut_2010-06-23.pem
Timestamp verified using:
------------------
Signer #1:
Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
Serial : 0AA125D6D6321B7E41E405DA3697C215
Certificate expiration date:
notBefore : Jan 7 12:00:00 2016 GMT
notAfter : Jan 7 12:00:00 2031 GMT
Error: unable to get local issuer certificate
CMS_verify error
Failed timestamp certificate chain retrieved from the signature:
------------------
Signer #0:
Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2021
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
Serial : 0D424AE0BE3A88FF604021CE1400F0DD
Certificate expiration date:
notBefore : Jan 1 00:00:00 2021 GMT
notAfter : Jan 6 00:00:00 2031 GMT
------------------
Signer #1:
Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
Serial : 0409181B5FD5BB66755343B56F955008
Certificate expiration date:
notBefore : Oct 22 12:00:00 2013 GMT
notAfter : Oct 22 12:00:00 2028 GMT
------------------
Signer #2:
Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
Serial : 0AA125D6D6321B7E41E405DA3697C215
Certificate expiration date:
notBefore : Jan 7 12:00:00 2016 GMT
notAfter : Jan 7 12:00:00 2031 GMT
------------------
Signer #3:
Subject: /C=GB/L=London/O=Piriform Software Ltd/OU=RE 901/CN=Piriform Software Ltd
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
Serial : 02FA994D660DE659EE9037ECB437D766
Certificate expiration date:
notBefore : Oct 14 00:00:00 2019 GMT
notAfter : Oct 18 12:00:00 2022 GMT
139634911209536:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:crypto/cms/cms_smime.c:253:Verify error:unable to get local issuer certificate
Timestamp Server Signature verification: failed
Signing certificate chain verified using:
------------------
Signer #1:
Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
Serial : 0409181B5FD5BB66755343B56F955008
Certificate expiration date:
notBefore : Oct 22 12:00:00 2013 GMT
notAfter : Oct 22 12:00:00 2028 GMT
Error: unable to get local issuer certificate
PKCS7_verify error
Failed signing certificate chain retrieved from the signature:
------------------
Signer #0:
Subject: /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2021
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
Serial : 0D424AE0BE3A88FF604021CE1400F0DD
Certificate expiration date:
notBefore : Jan 1 00:00:00 2021 GMT
notAfter : Jan 6 00:00:00 2031 GMT
------------------
Signer #1:
Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
Serial : 0409181B5FD5BB66755343B56F955008
Certificate expiration date:
notBefore : Oct 22 12:00:00 2013 GMT
notAfter : Oct 22 12:00:00 2028 GMT
------------------
Signer #2:
Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
Serial : 0AA125D6D6321B7E41E405DA3697C215
Certificate expiration date:
notBefore : Jan 7 12:00:00 2016 GMT
notAfter : Jan 7 12:00:00 2031 GMT
------------------
Signer #3:
Subject: /C=GB/L=London/O=Piriform Software Ltd/OU=RE 901/CN=Piriform Software Ltd
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Code Signing CA
Serial : 02FA994D660DE659EE9037ECB437D766
Certificate expiration date:
notBefore : Oct 14 00:00:00 2019 GMT
notAfter : Oct 18 12:00:00 2022 GMT
139634911209536:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:285:Verify error:unable to get local issuer certificate
Signature verification: failed
Number of verified signatures: 1
Failed
I also tried to call it as:
./osslsigncode verify -in ccsetup583_x86_be.msi -ignore-cdp -CAfile MicRooCerAut_2010-06-23.pem -TSA-CAfile MicRooCerAut_2010-06-23.pem
and
./osslsigncode verify -in ccsetup583_x86_be.msi -ignore-cdp -ignore-timestamp -CAfile MicRooCerAut_2010-06-23.pem -TSA-CAfile MicRooCerAut_2010-06-23.pem
and
./osslsigncode verify -in ccsetup583_x86_be.msi -ignore-cdp -ignore-timestamp -CAfile MicRooCerAut_2010-06-23.pem
Both gave the same output. Am I missing something? For the test file I use a signed MSI from here: https://support.ccleaner.com/s/article/business-edition-msi-installers?language=en_US
Also note that in my example I know I'm not even using CRLs, but I'm a bit confused between all these certs and what to use for what and in what format it's allowed :) Of course I'm googling around and trying to find out more and more about the topic in the meanwhile.
(Just throwing the things I'm not perfectly understanding here, maybe if you have some energy, you can better explain it:
- _So, I need a CAfile, which describes what is trusted and what not. Is it always enough to define the 2010-06-23 CAFile only? :O There are at least 2 similar certs on the MS page I was linked in the other ticket. It was said I need the Microsoft Root Certificate Authority 2010, but what about the 2011 file?_
- Also I kinda don't understand anything regarding the timestamp server thingie, how and why is that needed?
- I saw I can also provide a CRL-->revoked certs list, but I'm a bit unsure where to get it from, which is always up to date. I saw that there's a dedicated column on the MS website, but I'm not sure if that's up to date, it says 2010-ish, which is pretty weird.
But of course I don't want to bother you and waste your time by teaching basic stuff to random people, so feel free to omit answering these questions if you feel like)
Thank you very much in advance :)
Timestamp verified using:
------------------
Signer #1:
Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
Serial : 0AA125D6D6321B7E41E405DA3697C215
Certificate expiration date:
notBefore : Jan 7 12:00:00 2016 GMT
notAfter : Jan 7 12:00:00 2031 GMT
Error: unable to get local issuer certificate
CMS_verify error
Does your MicRooCerAut_2010-06-23.pem
file contain the DigiCert Assured ID Root CA
certificate? Consider using the new -TSA-CAfile
option to configure the CAs trusted for timestamp verification.
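The question above comes down to one lookup: does the CAfile contain a certificate whose subject equals the issuer of the top of the chain found in the signature? If not, OpenSSL reports "unable to get local issuer certificate". The following is an added example, not part of osslsigncode or this thread, that performs that lookup on a PEM bundle with a minimal DER walker; the certificates it builds are constructed, unsigned skeletons for demonstration, and the bundle is assumed to be concatenated `openssl x509 -outform PEM` output.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_bundle_to_der(pem):
    """DER bytes of every certificate in a PEM bundle (empty list if the file is not PEM)."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem)]

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos; returns (tag, value, position after element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """(issuer, subject) as raw DER Name encodings, walking tbsCertificate field by field."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)             # Certificate -> tbsCertificate
    pos = _tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0   # skip optional [0] EXPLICIT version
    pos = _tlv(tbs, pos)[2]                          # skip serialNumber
    pos = _tlv(tbs, pos)[2]                          # skip signature AlgorithmIdentifier
    issuer_end = _tlv(tbs, pos)[2]
    issuer = tbs[pos:issuer_end]                     # issuer Name (compared byte-for-byte)
    pos = _tlv(tbs, issuer_end)[2]                   # skip validity
    subject_end = _tlv(tbs, pos)[2]
    return issuer, tbs[pos:subject_end]              # subject Name

def find_issuer(der_cert, trust_store):
    """Index of the first trust-store cert whose subject equals der_cert's issuer; None is the 'unable to get local issuer certificate' case."""
    issuer, _ = issuer_and_subject(der_cert)
    for i, candidate in enumerate(trust_store):
        if issuer_and_subject(candidate)[1] == issuer:
            return i
    return None

def _der(tag, body):
    """Encode one DER element; long-form length when the body is 128 bytes or more."""
    lb = b"" if len(body) < 0x80 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, len(body) if not lb else 0x80 | len(lb)]) + lb + body

def fake_cert_pem(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton (only the fields parsed above) as PEM."""
    def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_der(0x30, _der(0x30, tbs))) + b"-----END CERTIFICATE-----\n"
```

With a bundle holding only the Microsoft 2010 root, `find_issuer` returns None for a DigiCert-issued intermediate; appending the DigiCert Assured ID Root CA to the bundle makes the lookup succeed.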
Most probably I'm doing something stupid, but what I've been doing is following the steps in the previously mentioned ticket, quoting:
Download CA certificate file Microsoft Root Certificate Authority 2010 from [PKI Repository - Microsoft PKI Services](https://www.microsoft.com/pkiops/docs/repository.htm)
Convert it from DER to PEM format:
```
openssl x509 -inform DER -in MicRooCerAut_2010-06-23.crt -outform PEM -out MicRooCerAut_2010-06-23.pem
```
So the content of the PEM is just the following:
```
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```
I'm more than sure this does not contain embedded other certs, thus I must be doing something wrong. Just tried to use some online decode tool, but that also just confirmed it's "just" the root CA of Microsoft.
Does this mean I have to somehow gather all the potential root CAs and download from somewhere in order to be able to verify them all?
Before opening issues in a GitHub repository to report a problem, please make sure you have consulted books and internet resources to grasp the basics. This practice helps keep the repository dedicated to solving actual issues.