Microsoft has a tool for self signing, signtool.exe. As a kernel developer, most of us starts using it since Vista early test versions from 2006, because kernel drivers for Windows operating system 64bit edition are enforced of digital signature checking since that.
First of all, signtool.exe is a very easy use tool. however, it may not satisfy nowadays’ enterprise security requirements. We can not simply give certificates to all staffs who need to build product, we need to store these certificates in a trusted environment, and the process of signing should be controllable, traceable. and for most productive, the process should be scriptable.
To satisfy all above requirements, we need:
1. a signing client can generate the same output as signtool.exe, it does hashing, and report any necessary info to a signing system server, and assemble all info into the final binary file.
2. a signing server can manage user accounts, certificates, generate proper signature according configurations.
Before we can start coding, we have to know, what API from windows operating system can do this job. by analyzing of signtool.exe, I found it acutally using these api SignerSign/SignerSignEx/SignerSignEx2 which exists in Mssign32.dll. However, you need to pass cert info and file info to this api, if so, the cert must exist with the file you want to sign at certain time. It can not satisfy our security requirements.
According some documents from Microsoft, the signature structure can be described in openssl, a great tool/lib. The followings are some key points of code siging.
1. hashing: how to hash a PE file(windows executable file format). actually it contains two parts, one for signature hashing, one for windows PE file checksum.
2. signing: how to generate a signature according the file info and hash that we have got from previous steps. and how to attach a signature into orginal PE file, including replace old signatures if exists.
After a few days of work. I’ve succeeded to solve the above points. and next, we need to convert these code pieces into a final product, signing system.
at last the system has three roles for most security and reliablity.
1. a signing client: it accepts user input, calcs file hash, send necessary info to signing server, and attach the signature from sigin server to the input files.
2. a connection server for the signing server: it provide ssl/tls support for general tcp server. so a hack may attack this, however, due to packet length limit, and process seperation, he can not reach the main server behind this. it accepts connections from a sign client, and maintenance a number of connections to main server for fast data delivery.
3. a signing server: it encrypts all traffic in xtea algotherm which is very fast. it contains cert management, user management, session management.
so the traffic between an end user to our system is in ssl+xtea, the traffic between connection server to main server is in xtea.
followings are what I used in this product.
1. boost: an essential toolkit
a. smart pointer: for object life cycle management
b. asio: a great abstraction of io model.
c. program options: a handy tool to manage command line
d. thread: for thread management
2. openssl: the key role of this task, for certificate management, signature generation. did a slight patch to let it generate the same binary as signtool.exe from Microsoft.
3. google protocol buffer: a handy tool for network protocol abstraction
4. libcurl: a tool for http/https request, which is employed when adding timestamp in signature
5. rapidxml: a light tool for xml parsing, use it to parse configuration files, like user defination, cert defination.
6. crashreport(UnhandledExceptionFilter): this is the windows builtin support for exceptions, use it for a better exception recovery.
7. logging module: to log info according log level level
8. soci/mysql: I added this for db support, however, not enabled so far.
9. at last but not least, a windows service wrapper class to turn connection server, main server into windows service. so the system can auto recovery even after a power failure.
and this is a brief introduction on how to use the sign system
1. a system administrator should setup this system in a security environment to avoid physical attack. add certs according the documents, add users according applications
2. a user can sign files in a trusted network, using command line like this. signclient –sign –user sample-user –passwprd sample-pass -cert a-cert-assigned-by-admin -server a-ip-or-domain –port aport –file path-1 –file path-2 –file path-n .
Finally, It’s easy to replace the current signtool, the whole release flow is almost the same, and the end user of a cert no longer to worry about certificate installation, expiration, just sign with a user account!