Opened 15 months ago

Closed 3 weeks ago

#29614 closed defect (fixed)

Use SHA-256 algorithm for Windows timestamping

Reported by: gk Owned by: gk
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-sign, tbb-security, tbb-9.5a12, GeorgKoppen202004, TorBrowserTeam202004R
Cc: tbb-team Actual Points:
Parent ID: #33168 Points:
Reviewer: Sponsor:

Description

We switched to using SHA-256 for the authenticode signature but we should use that hash algo for the timestamp as well (currently that's still SHA-1)

Child Tickets

Change History (21)

comment:1 Changed 15 months ago by gk

Should be not too hard to adapt our timestamping script, see: https://sourceforge.net/p/osslsigncode/support-requests/9/.

comment:2 Changed 15 months ago by gk

Keywords: TorBrowserTeam201903 added; TorBrowserTeam201902 removed

Moving my tickets to March.

comment:3 Changed 15 months ago by gk

Keywords: GeorgKoppen201903 added; GeorgKoppen201902 removed

Now for my keyword.

comment:4 Changed 15 months ago by gk

Keywords: tbb-8.5 added

Tickets on our radar for 8.5

comment:5 in reply to:  1 Changed 14 months ago by gk

Replying to gk:

Should be not too hard to adapt our timestamping script, see: https://sourceforge.net/p/osslsigncode/support-requests/9/.

Unfortunately, this did not work. I'll need to look again at the code and our patch do decouple the signing from the timestamping to figure out what goes wrong here.

comment:6 Changed 14 months ago by gk

Not to self: we likely need to adapt my patch for osslsigncode so that the -h option is available for the add command as well.

comment:7 Changed 14 months ago by gk

Keywords: TorBrowserTeam201904 added; TorBrowserTeam201903 removed

Moving tickets to April.

comment:8 Changed 14 months ago by gk

Keywords: GeorgKoppen201904 added; GeorgKoppen201903 removed

Moving my tickets for April

comment:9 Changed 13 months ago by gk

Keywords: TorBrowserTeam201905 added; TorBrowserTeam201904 removed

Moving tickets to May

comment:10 Changed 13 months ago by gk

Keywords: GeorgKoppen201905 added; GeorgKoppen201904 removed

Move my tickets.

comment:11 Changed 12 months ago by gk

Keywords: TorBrowserTeam201906 added; TorBrowserTeam201905 removed

Moving tickets to June

comment:12 Changed 12 months ago by gk

Keywords: GeorgKoppen201906 added; GeorgKoppen201905 removed

Moving my tickets to June

comment:13 Changed 11 months ago by gk

Keywords: GeorgKoppen201907 added; GeorgKoppen201906 removed

Moving my tickets to July.

comment:14 Changed 11 months ago by gk

Keywords: TorBrowserTeam201907 added; TorBrowserTeam201906 removed

Moving tickets to July

comment:16 Changed 4 months ago by gk

Cc: tbb-team added
Keywords: tbb-sign GeorgKoppen202004 added; GeorgKoppen201907 removed
Owner: changed from tbb-team to gk
Parent ID: #33168
Status: newassigned

Gonna do this while dealing with the new authenticode cert.

comment:17 in reply to:  6 Changed 5 weeks ago by gk

Keywords: TorBrowserTeam202004R added; TorBrowserTeam201907 removed
Status: assignedneeds_review

Replying to gk:

Not to self: we likely need to adapt my patch for osslsigncode so that the -h option is available for the add command as well.

Yes, that is needed (among other things). It took me longer to figure this issue out because I got confused. While osslsigncode verify shows the certs in the SHA-1 Authenticode scenario it does not show them when switching to RFC 3161 mode with SHA-256 which sent me digging into wrong direction. Not sure if that's an osslsigncode bug or not.

Either way, one can extract the signature with osslsigncode extract-signature and then inspect the nitty-gritty details with openssl pkcs7 and the SHA-256 timestamp is visible. I uploaded a test file for further inspection if needed:

https://people.torproject.org/~gk/testbuilds/29614_test_sha2.exe
https://people.torproject.org/~gk/testbuilds/29614_test_sha2.exe.asc

bug_29614 (https://gitweb.torproject.org/user/gk/tor-browser-spec.git/commit/?h=bug_29614&id=26d833f346d9d7bf795fe1cec819555595d739f1) in my public tor-browser-spec repo contains the updated documentation/patch.

comment:18 Changed 5 weeks ago by cypherpunks

Works on Windows 7 and later.
Note: besides changing SHA-1 to SHA-256, you also change Authenticode timestamping to RFC 3161 timestamping (see https://sectigo.com/resources/time-stamping-server).

comment:19 Changed 5 weeks ago by gk

Summary: Use SHA-256 algorithm for Windows authenticode timestampingUse SHA-256 algorithm for Windows timestamping

comment:20 Changed 3 weeks ago by sysrqb

Okay, we're making progress on this. After misreading comment:17, gk walked me through the details of this process.

For comparison, when using Authenticode Timestamping (with SHA-1), osslsigncode verify output something like:

$ osslsigncode verify torbrowser-install-win64-9.5a12_cs.exe

Signature verification: ok

Number of signers: 1
	Signer #0:
		Subject: /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80 S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor Project, Inc./CN=The Tor Project, Inc.
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
		Serial : 0F622EF31D0F1EF94E520DBD7A43E58C

Number of certificates: 4
	Cert #0:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
		Serial : 03F1B4E15F3A82F1149678B3D7D8475C
	------------------
	Cert #1:
		Subject: /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80 S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor Project, Inc./CN=The Tor Project, Inc.
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
		Serial : 0F622EF31D0F1EF94E520DBD7A43E58C
	------------------
	Cert #2:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
		Serial : 06FDF9039603ADEA000AEB3F27BBBA1B
	------------------
	Cert #3:
		Subject: /C=US/O=DigiCert/CN=DigiCert Timestamp Responder
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID CA-1
		Serial : 03019A023AFF58B16BD6D5EAE617F066

Now, with RFC 3161 Timestamping (using any hashing algorithm, but in this case using SHA-256), osslsigncode verify only prints the code signing certificates (as gk described). This makes sense, because the RFC 2161 timestamp is appended onto the pkcs7 structure embedded in the PE file, and timestamping does not result in a new and independent cert chain.

Signature verification: ok

Number of signers: 1
	Signer #0:
		Subject: /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80 S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor Project, Inc./CN=The Tor Project, Inc.
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
		Serial : 0F622EF31D0F1EF94E520DBD7A43E58C

Number of certificates: 2
	Cert #0:
		Subject: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
		Serial : 03F1B4E15F3A82F1149678B3D7D8475C
	------------------
	Cert #1:
		Subject: /businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Washington/serialNumber=39070/street=#203/street=80 S Washington St/postalCode=98104/C=US/ST=Washington/L=Seattle/O=The Tor Project, Inc./CN=The Tor Project, Inc.
		Issuer : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert EV Code Signing CA (SHA2)
		Serial : 0F622EF31D0F1EF94E520DBD7A43E58C

Succeeded

Using openssl pkcs7, as gk described, we can see the asn.1 object appended within the unauthenticated portion. First, we must extract the signatures from the file, then we can parse the resulting pkcs7 object:

$ osslsigncode extract-signature -pem -in torbrowser-install-win64-9.5a12_cs.exe -out torbrowser-install-win64-9.5a12_cs.exe.sigs
$ openssl pkcs7 -print -in torbrowser-install-win64-9.5a12_cs.exe.sigs
        unauth_attr:
            object: undefined (1.3.6.1.4.1.311.3.3.1)
            set:
              SEQUENCE:
    0:d=0  hl=4 l=3761 cons: SEQUENCE          
    4:d=1  hl=2 l=   9 prim:  OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l=3746 cons:  cont [ 0 ]        
   19:d=2  hl=4 l=3742 cons:   SEQUENCE          
   23:d=3  hl=2 l=   1 prim:    INTEGER           :03
   26:d=3  hl=2 l=  15 cons:    SET               
   28:d=4  hl=2 l=  13 cons:     SEQUENCE          
   30:d=5  hl=2 l=   9 prim:      OBJECT            :sha256
   41:d=5  hl=2 l=   0 prim:      NULL              
   43:d=3  hl=2 l= 120 cons:    SEQUENCE          
   45:d=4  hl=2 l=  11 prim:     OBJECT            :id-smime-ct-TSTInfo
[snip]
  282:d=8  hl=2 l=  47 cons:         SEQUENCE          
  284:d=9  hl=2 l=   3 prim:          OBJECT            :commonName
  289:d=9  hl=2 l=  40 prim:          PRINTABLESTRING   :DigiCert SHA2 Assured ID Timestamping CA
  331:d=6  hl=2 l=  30 cons:       SEQUENCE          
  333:d=7  hl=2 l=  13 prim:        UTCTIME           :191001000000Z
  348:d=7  hl=2 l=  13 prim:        UTCTIME           :301017000000Z
  363:d=6  hl=2 l=  76 cons:       SEQUENCE          
  365:d=7  hl=2 l=  11 cons:        SET               
  367:d=8  hl=2 l=   9 cons:         SEQUENCE          
  369:d=9  hl=2 l=   3 prim:          OBJECT            :countryName
  374:d=9  hl=2 l=   2 prim:          PRINTABLESTRING   :US
  378:d=7  hl=2 l=  23 cons:        SET               
  380:d=8  hl=2 l=  21 cons:         SEQUENCE          
  382:d=9  hl=2 l=   3 prim:          OBJECT            :organizationName
  387:d=9  hl=2 l=  14 prim:          PRINTABLESTRING   :DigiCert, Inc.
  403:d=7  hl=2 l=  36 cons:        SET               
  405:d=8  hl=2 l=  34 cons:         SEQUENCE          
  407:d=9  hl=2 l=   3 prim:          OBJECT            :commonName
  412:d=9  hl=2 l=  27 prim:          PRINTABLESTRING   :TIMESTAMP-SHA256-2019-10-15
[snip]

comment:21 Changed 3 weeks ago by sysrqb

Keywords: tbb-9.5a12 added; tbb-8.5 removed
Resolution: fixed
Status: needs_reviewclosed

Okay, all of the installers for Windows were timestamped using SHA-256 in 9.5a12.

I merged the spec patch with commit f07e8109ef72e895fd87b83413743828cfa180cc.

I think we're done here. Thanks for figuring this out, gk!

Note: See TracTickets for help on using tickets.