
security warning in self signed certificate

Author
18 Feb 2009 6:57 AM
shalin_cool333
Hi… I'm trying to create a digital signature and verify it. I created a
private-public key pair of 2048 bits using openssl (version
openssl-0.9.8h-1-doc).

I used genrsa command of openssl to generate a key pair.
Then I used that key pair to generate a self signed certificate of .crt
format for my use. I made that self signed certificate using openssl.

I converted the .pvk key to pfx by openssl’s pkcs12 option.

Then I use this .pfx file with signcode to sign the file.

I used the signcode.exe GUI to use signtool.exe (version 6.0.6000.16384).
The signing is successful. The file was signed with its signature embedded in
it.

I also installed my certificate in the “trusted publishers”, “personal”,
“trusted authorities” store.

Then I tried to verify my file with the following code. I used visual studio
2003 and am working on windows XP. I have capicom 2.1.0.2 version with me
installed using the capicom_dc_sdk 2.1.0.2 version.

I verify the signed binary using the cpp code given below:

//Code for verification of file:

// Exp.cpp : Defines the entry point for the console application.

#include "stdafx.h"
#include "Exp.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
#import "C:\\WINDOWS\\system32\\capicom.dll"

#pragma warning (disable : 4192)
using namespace CAPICOM;

// The one and only application object

CWinApp theApp;

using namespace std;

int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    int nRetCode = 0;
    HRESULT hr = S_OK;

    // initialize MFC and print an error on failure
    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
    {
        // error code
        _tprintf(_T("Fatal Error: MFC initialization failed\n"));
        nRetCode = 1;
    }
    else
    {
        // application's behavior.
        hr = CoInitialize(NULL);
        if (FAILED(hr))
        {
            _tprintf(_T("Fatal Error: CoInitialize failed [%#x]\n"), hr);
            return 1;
        }

        // Declared outside the try block so it is released on every path,
        // including the throw paths below.
        ISignedCode* pSignCode = NULL;

        try
        {
            CLSID signClsid;

            hr = CLSIDFromProgID(L"CAPICOM.SignedCode.1", &signClsid);
            if (FAILED(hr))
            {
                //log error
                throw hr;
            }

            hr = CoCreateInstance(signClsid, NULL, CLSCTX_ALL, __uuidof(ISignedCode),
                                  (void**)&pSignCode);
            if (FAILED(hr))
            {
                //log error
                throw hr;
            }

            // _bstr_t allocates and frees its own BSTR; building it from a
            // SysAllocString result leaks that extra copy.
            _bstr_t fname(L"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE");

            hr = pSignCode->put_FileName(fname);
            if (FAILED(hr))
            {
                //log error
                throw hr;
            }

            // bUIAllowed = VARIANT_TRUE: CAPICOM may show the Authenticode trust
            // dialog while verifying. Pass VARIANT_FALSE for a silent check that
            // reports the outcome only through the HRESULT.
            hr = pSignCode->Verify(VARIANT_TRUE);
            if (FAILED(hr))
            {
                //log error
                throw hr;
            }
        }
        catch (const _com_error& e)
        {
            hr = e.Error();
            ATLTRACE(_T("Error [%#x]: %s.\n"), hr, e.ErrorMessage());
            nRetCode = 1;
        }
        catch (HRESULT hrFailed)
        {
            ATLTRACE(_T("Error [%#x]: CAPICOM error.\n"), hrFailed);
            nRetCode = 1;
        }
        catch (...)
        {
            ATLTRACE(_T("Unknown error.\n"));
            nRetCode = 1;
        }

        if (pSignCode != NULL)
        {
            pSignCode->Release();
        }

        CoUninitialize();
    }

    return nRetCode;
}


The code given above is successful for verifying winword.exe as it is signed
by a valid digital signature by Microsoft. But when we try to verify our
binary, it shows a security warning. It says that our certificate is not issued
by a valid authority. It gives a security warning of unknown publisher.
When I verify it with signtool.exe in the command prompt, it shows successful
output with my file. But through this program it shows a security warning.
Also, can you tell me how to suppress the dialog warning that I get or to add
any new dialog in it.
If you have any suggestion or information regarding this, please mail me at
shalin.cool***@gmail.com. Thanks...
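The procedure in this post carried out end to end on a current Windows, as an added example that is not code from the original post: a self-signed certificate that actually asserts the Code Signing EKU, exported to PKCS#12 the way the post does with openssl pkcs12, used to sign a PE, and then verified with no trust dialog at all (the CAPICOM call in the post allows UI; Get-AuthenticodeSignature never shows one). It needs Windows PowerShell 5.1 or PowerShell 7 on Windows 10 or later for New-SelfSignedCertificate -Type and Export-PfxCertificate. The subject name, the working directory, the throwaway PFX password and the choice of a copy of where.exe as the file to sign are placeholders chosen for this example.

```powershell
# Added example, not from the original post. Assumed: Windows 10 or later with
# Windows PowerShell 5.1 / PowerShell 7. $Subject, $WorkDir, the PFX password and
# the use of a copy of where.exe as a throwaway PE are placeholders for the example.
$ErrorActionPreference = 'Stop'
$Subject = 'CN=Example Code Signing (self-signed)'
$WorkDir = Join-Path $env:TEMP 'authenticode-example'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$PfxPath = Join-Path $WorkDir 'signer.pfx'
$CerPath = Join-Path $WorkDir 'signer.cer'
$Target  = Join-Path $WorkDir 'target.exe'
Copy-Item "$env:SystemRoot\System32\where.exe" $Target -Force   # any PE you may modify

# 1. Key pair + self-signed certificate. -Type CodeSigningCert sets the
#    Code Signing EKU (1.3.6.1.5.5.7.3.3); a bare "openssl req -x509" with no
#    extendedKeyUsage line leaves that extension out of the certificate.
$cert = New-SelfSignedCertificate -Subject $Subject -Type CodeSigningCert `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. The two containers the post produced: PKCS#12 with the private key (for
#    signing) and a bare DER certificate (for the trust stores).
$PfxPassword = ConvertTo-SecureString 'example-pfx-password' -AsPlainText -Force  # test only
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $CerPath | Out-Null

# 3. Sign with the key loaded back from the PFX, as signcode/signtool would;
#    the PKCS#7 signature is embedded in the PE.
$signer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
Set-AuthenticodeSignature -FilePath $Target -Certificate $signer -HashAlgorithm SHA256 | Out-Null

# 4. Verify with no UI. The trust outcome comes back in .Status/.StatusMessage
#    instead of a dialog.
function Show-SignatureStatus([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    '{0}: {1} - {2}' -f (Split-Path $Path -Leaf), $sig.Status, $sig.StatusMessage
}
Show-SignatureStatus $Target   # root not trusted yet: Status is not Valid

# 5. Trust the SAME certificate as a root, then check again. Importing into
#    CurrentUser\Root prompts once for consent; Personal is not a trust store.
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Show-SignatureStatus $Target   # now Valid

# Remove the test root afterwards so it does not linger as a trust anchor:
#   Get-ChildItem Cert:\CurrentUser\Root, Cert:\CurrentUser\My |
#       Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item
```

Before step 5, Windows PowerShell 5.1 reports the status as UnknownError with a StatusMessage saying the chain terminated in a root the trust provider does not trust; after step 5 the same file reports Valid. If you stay with the post's OpenSSL route instead of New-SelfSignedCertificate, the EKU is added at creation time with an extendedKeyUsage = codeSigning line in the x509 extensions section you pass to openssl req -x509, and you can confirm it is present with openssl x509 -noout -text before converting to PFX.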

Author
18 Feb 2009 2:41 PM
Joe Kaplan
Did you put the certificate in Trusted Root Certificate Authorities?

When you view the cert in the MMC, does the UI show that it chains properly
(no errors in trust chain)?

It sounds like this is the problem.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
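A scripted form of the check in this reply, as an added example that is not Joe Kaplan's code: it takes the signer certificate out of the file's Authenticode signature, builds the chain under the Code Signing application policy (OID 1.3.6.1.5.5.7.3.3, the usage the code verifier applies and the MMC's default view does not), spells out every chain status flag, and lists which stores actually hold that exact certificate, since a certificate sitting only in Personal never becomes a trust anchor. The function and parameter names are this example's own; the path you pass in is whatever you signed.

```powershell
# Added example, not part of the original reply. Assumed: Windows PowerShell 5.1
# or later on Windows. Test-CodeSigningChain and $SignedFile are names chosen here.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'

function Test-CodeSigningChain {
    param([Parameter(Mandatory = $true)][string]$SignedFile)

    $sig = Get-AuthenticodeSignature -FilePath $SignedFile
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        throw "$SignedFile carries no Authenticode signature"
    }
    $cert = $sig.SignerCertificate

    # Leaf usage: a certificate with no EKU extension is treated as unrestricted;
    # one whose EKU list omits Code Signing fails the application policy below
    # even when the chain ends in a trusted root.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $hasCodeSigning = if ($ekuExt) {
        [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningOid })
    } else { $true }

    # Chain build under the same usage the Authenticode policy applies.
    # RevocationMode NoCheck only because a self-signed test certificate
    # publishes no CRL/OCSP; keep the default for real signers.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$CodeSigningOid) | Out-Null
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainErrors = $chain.ChainStatus | ForEach-Object {
        '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
    }

    # Which stores hold this exact certificate (by thumbprint)? Only Root, or an
    # issuer chaining to Root, makes it a trust anchor; Personal does not.
    $stores = @(
        'Cert:\CurrentUser\My'
        'Cert:\CurrentUser\Root'
        'Cert:\CurrentUser\TrustedPublisher'
        'Cert:\LocalMachine\Root'
        'Cert:\LocalMachine\TrustedPublisher'
    )
    $foundIn = foreach ($s in $stores) {
        if (Get-ChildItem $s | Where-Object Thumbprint -eq $cert.Thumbprint) { $s }
    }

    [pscustomobject]@{
        File            = $SignedFile
        SignatureStatus = $sig.Status
        Signer          = $cert.Subject
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        CodeSigningEKU  = $hasCodeSigning
        ChainBuilds     = $chainOk
        ChainErrors     = ($chainErrors -join '; ')
        PresentInStores = ($foundIn -join ', ')
    }
}

# Usage: Test-CodeSigningChain -SignedFile 'C:\path\to\yourapp.exe' | Format-List
```

The closest command-line equivalent is signtool verify /pa /v <file>, which applies the default Authenticode verification policy without a dialog; plain signtool verify with no /pa applies the Windows driver-signing policy instead, so the two can disagree on the same file.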

Author
19 Feb 2009 12:18 PM
shalin_cool333
Hi Joe... thanks for the answer, but I tried your solution. I was able to view
the certificate in the trusted root certificate authorities, but still had
the same problem. :( damn...

Author
19 Feb 2009 4:16 PM
Joe Kaplan
Once the cert was placed in trusted roots, did the certificate then show
that it chained properly?  What do you mean by "the same problem"?

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Author
23 Feb 2009 5:38 AM
shalin_cool333
Yes Joe... once the certificate was placed in trusted roots, it showed that it
is chained properly... but I still get the same security warning when I verify
the .exe file that I signed... though I don't get the security warning when I
verify winword.exe...


