This is continuation of my previous post (Understanding BCryptSignHash output signature).
Let me clearly state my problem:
I need to sign data at the Windows application level.
I need to verify the same at the Linux application level and in a Windows driver (that I have written).
I tried the following:
Using CryptoAPI, I was able to sign at the Windows application level and verify in the Windows driver. In Linux, I tried to use simpleECDSA (http://jonasfj.dk/blog/2007/12/simpleecdsa-a-simple-implementation-of-ecdsa-in-c/) to verify the signature (generated using CryptoAPI). I was able to convert the binary key blobs from CryptoAPI in simpleECDSA but could not interpret the signature.
Using the Crypto++ library, I was able to sign at the Windows application level and verify at the Linux application level, but could not use the same to verify in the Windows driver.
Kindly let me know if there is a library available, or a way that I could use the same public/private key and signature across a Windows application/driver and Linux.
I am new to cryptography, so please forgive my naivety.
Thanks,
F
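One concrete source of the "could not interpret the signature" problem above is signature encoding: CNG's BCryptSignHash (the subject of the earlier post) and Crypto++ both emit an ECDSA signature as the raw big-endian concatenation r||s, whereas OpenSSL-based code on Linux expects the ASN.1 DER form SEQUENCE { INTEGER r, INTEGER s }. The converter below is an added example, not code from the post or from any of the libraries named; the sample signatures inside it are constructed, and legacy CryptoAPI key blobs are additionally little-endian, so check byte order as well.

```python
"""Convert ECDSA signatures between the raw r||s layout and ASN.1 DER."""


def _der_len(n: int) -> bytes:
    # Short form for lengths below 128, long form (0x80 | byte count) otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    # Minimal two's-complement encoding of a non-negative INTEGER:
    # strip leading zero bytes, then add one back if the top bit is set.
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def raw_to_der(sig: bytes) -> bytes:
    """r||s (two fixed-width big-endian halves) -> DER SEQUENCE of two INTEGERs."""
    if not sig or len(sig) % 2:
        raise ValueError("raw signature must be r||s with equal-length halves")
    half = len(sig) // 2
    r = int.from_bytes(sig[:half], "big")
    s = int.from_bytes(sig[half:], "big")
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body


def _read_len(buf: bytes, pos: int) -> tuple[int, int]:
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def der_to_raw(der: bytes, coord_len: int) -> bytes:
    """DER signature -> r||s, each half left-padded to coord_len bytes (32 for P-256)."""
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    n, pos = _read_len(der, 1)
    if pos + n != len(der):
        raise ValueError("length does not match signature size")
    values = []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n, pos = _read_len(der, pos + 1)
        values.append(int.from_bytes(der[pos:pos + n], "big"))
        pos += n
    if pos != len(der) or max(values).bit_length() > coord_len * 8:
        raise ValueError("malformed signature or wrong curve size")
    return b"".join(v.to_bytes(coord_len, "big") for v in values)
```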
Related
I need a non-Windows (Linux or FreeBSD) way of signing boot executables (EFI binaries) in the Authenticode PE format.
Currently there are some tools like pbsign, sbsign, uefisign and osslsigncode on *nix platforms, but the common pattern is that they all need access to the private key.
My private key is in an HSM, and I have a Python tool that can interface with the HSM and get the output of signing a hash with the private key in the HSM (which, from my research, is a step that all the PE signing tools do, though with explicit access to the private key).
Currently the HSM folks have a Thales tool for Windows which works with the official Microsoft signtool on Windows. But this is a lot of setup and a non-portable solution. Also, we need to maintain Windows Server licences, etc.
How do I combine these steps (create an Authenticode PE file, but outsource the signing part alone to my Python program) into something that can run on a *nix platform?
The HSM and its interface are non-negotiable (basically that choice is out of my hands).
Any pointers/ideas would be nice.
You could try https://github.com/ebourg/jsign which is a pure Java implementation of Authenticode signing.
I know that Windows kernel drivers have to be signed with an EV certificate to run on a 64-bit version of Windows 10. I also know that I can disable driver signing on my test system by running this command:
Bcdedit.exe -set TESTSIGNING ON
My goal is to write a non-production driver for my own system. It will not be installed anywhere else. I don't want to disable driver signing for the entire system, I just want to enable my particular driver to run on this particular system.
I am basically trying to see if I can create a self-signed certificate, add it to the root store and sign my driver with it. (Again, in a non-production environment.)
Can I do this? And if so, then how?
Do I have a PKCS-11 supported smartcard? I just want to check whether the smartcard is working fine or not. How can I check it on Ubuntu? Please guide me. What software can I use? What steps should I follow?
It is important to understand that the PKCS#11 standard just defines a C language API to access smartcards and other types of cryptographic hardware (or even software). It is usually the hardware vendor who provides a software library (.dll for Windows, .so for Unix etc.) that implements the PKCS#11 API and is able to access the hardware (a smartcard in your case). Your application usually loads the PKCS#11 library and uses the PKCS#11 API functions it provides.
In most cases it is best to use the PKCS#11 library provided by your smartcard vendor, but there are also many independent software vendors such as A.E.T. or Aloaha who provide smartcard middleware (a software package that usually contains a PKCS#11 library) that can access a range of widely used smartcards. You can also take a look at the OpenSC project, which provides an open source PKCS#11 library that supports many popular smartcards and USB tokens.
Now let's get back to your questions:
Do I have a PKCS-11 supported smartcard?
You have to check whether there exists a library (open source or commercial) that implements the PKCS#11 API and supports your smartcard. If you can find such a library, then the answer is yes.
How can I check it on Ubuntu?
If you already have a PKCS#11 library, then you can install the "opensc" package, which provides a command line application called "pkcs11-tool". You can use the following command to list readers and cards accessible via your PKCS#11 library:
pkcs11-tool --module your_pkcs11_library.so --list-slots
If you want to use the PKCS#11 library provided by the OpenSC project, then just replace "your_pkcs11_library.so" with "opensc-pkcs11.so".
What software can I use?
PKCS#11 is a widely supported standard, so this question is hard to answer. I guess you would like to use open source applications with your smartcard, because you have mentioned Ubuntu, so here is a short list of well-known applications that support PKCS#11:
Mozilla Firefox - supports digital signature and client authentication
Mozilla Thunderbird - supports digital signing of e-mails
LibreOffice - supports digital signing of documents
TrueCrypt - supports disk encryption
OpenVPN - supports client authentication
OpenSSH - supports client authentication
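To turn the "--list-slots" check from the answer above into something scriptable (for example, a health check that confirms the card is actually seen before an application tries to use it), the added example below parses pkcs11-tool's slot listing and reports which slots hold a token. This is not code from the answer or from OpenSC; the SAMPLE_OUTPUT text is constructed to follow the layout pkcs11-tool prints, with made-up reader and token names, and probe_module() assumes pkcs11-tool is on PATH.

```python
"""Report which PKCS#11 slots hold a token, by parsing `pkcs11-tool --list-slots`."""
import re
import subprocess

# Constructed sample of `pkcs11-tool --module <lib> --list-slots` output
# (layout as printed by OpenSC's pkcs11-tool; reader and token names are made up).
SAMPLE_OUTPUT = """Available slots:
Slot 0 (0x0): Example Reader 00 00
  token label        : Example Card
  token manufacturer : Example Vendor
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
Slot 1 (0x1): Example Reader 01 00
  (empty)
"""

_SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")


def parse_slots(text: str) -> list[dict]:
    """One dict per slot: id, reader, label (None when the slot is empty) and flags."""
    slots = []
    for line in text.splitlines():
        m = _SLOT_RE.match(line)
        if m:
            slots.append({"id": int(m.group(1)), "reader": m.group(3).strip(),
                          "label": None, "flags": []})
            continue
        if not slots:
            continue  # header text before the first "Slot N" line
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "token label":
            slots[-1]["label"] = value
        elif key == "token flags":
            slots[-1]["flags"] = [f.strip() for f in value.split(",") if f.strip()]
    return slots


def tokens_present(text: str) -> list[dict]:
    """Only the slots that actually contain a token."""
    return [s for s in parse_slots(text) if s["label"] is not None]


def probe_module(module_path: str) -> list[dict]:
    """Run pkcs11-tool against the given .so (assumes pkcs11-tool is installed)."""
    out = subprocess.run(["pkcs11-tool", "--module", module_path, "--list-slots"],
                         capture_output=True, text=True, check=True).stdout
    return tokens_present(out)


if __name__ == "__main__":
    for s in tokens_present(SAMPLE_OUTPUT):
        print(f"slot {s['id']}: '{s['label']}' in {s['reader']} ({', '.join(s['flags'])})")
```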
To verify Ubuntu sees your smartcard reader and identity card:
Install libusb-1.0-0-dev pcsc-lite pcscd pcsc-tools
The following tools will be installed:
pcscd - systemctl status pcscd - sometimes the card reader crashes this daemon, so you may need to restart it.
opensc-explorer - it searches for and displays the smartcard readers attached
opensc-tool - its options will provide detailed information about your smartcard reader.
pcsc_scan - will show you the smartcard reader and its status. It should show your identity card inserted, as well as when you take it out. If it displays "waiting on reader", restart the pcscd service and try again.
The following link describes this in more detail, as well as setting up Firefox/Chrome for certificates:
https://cubiclenate.com/linux/applications/utilities/dod-cac-ubuntu-linuxmint/
I have a program and an installer that installs a driver on the user's system for the program to use. However, it doesn't work on 64-bit systems.
As I understand it, I need to sign the driver to allow it to be installed. I have a code signing certificate.
How do I sign the driver with it?
You need to do cross-signing: http://msdn.microsoft.com/en-us/library/windows/hardware/gg487315.aspx
It's the same as signing. Don't let people tell you it has to be Verisign or whatever. It doesn't. But it does have to be a cert on Microsoft's list (see the link).
I need a way to protect a private key on a mobile device.
I know that in "Writing Secure Code", the chapter "Protecting Secret Data" says "Windows CE" cannot be used in secure environments. But the book is many years old now, from 2003.
Is this still the case? Tell me it ain't so. There has to be a way to secure a private key today.
The DPAPI is embodied in a set of Win32 functions, CryptProtectData and CryptUnprotectData. These functions are available on Windows CE and Windows Mobile platforms (see links), although I don't know at what version they added support.
The .NET wrapper for the DPAPI is the ProtectedData class in System.Security.Cryptography namespace (assembly System.Security.dll). However, I don't think .NET Compact Framework implements this yet, so you'll have to use P/Invoke if using .NET.
If a user has access to a device, then no, you cannot 100% securely store a key. You can raise the bar, but you cannot remove it.
You have to externalize access to the key, e.g. a user-entered username and/or password, or a key sent to the device via another method (e.g. asymmetric encryption over a network connection). This is what the Security for Windows Mobile Programmers webcast recommends.
Any way you store the key on the device can be reverse engineered. This includes the use of CryptProtectData and CryptUnprotectData API.
What's wrong with using standard encryption algorithms?
http://www.windowsfordevices.com/news/NS5217487259.html?kc=rss
Webcast covers security for Windows Mobile programmers
This looks like it will be good.