Friday, June 22, 2007

Digital signing of code for unsigned components

Hello guys,

This article of mine explains how to sign code without buying a digital
certificate from one of the Microsoft trusted Certificate Authorities. Please note that this
is helpful for test purposes only, since it requires you to install the
certificate in the browser of every client that uses the application. Eventually, a
certificate from a trusted root CA like Verisign, Thawte, etc. has to be bought
to ensure that your CAB/ActiveX component is available for use to all
without security issues. A purchased certificate also makes
code signing easier, since it needs only the signcode.exe utility along with the spc
file and private key provided by the CA.

For the list of Microsoft trusted CAs, click the link below:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp

The article uses Ascertia as the CA to obtain the free digital certificate.

Steps for Signing Code

Some of the utilities used in the process of signing the
code are part of the Microsoft SDK, so we already have them if any
version of .NET is installed on our machine.
This works
like a charm if the steps are followed correctly. We just need to execute
the utilities one by one.

Following is the procedure for code signing:

1. Downloading the certificate from the Ascertia website

http://www.ascertia.com/onlineCA/Issuer/default.aspx?action=login

This requires the user to register for an account and provide some
information so as to embed it into the certificate.


Please note that the "Name" that you enter will be the name seen on the certificate. When the information
is provided, a prompt will ask whether to add the certificate to the
browser's certificate root store. Add the certificate to the "Trusted
Root Certification Authorities" store.

2. Generation of Software Publishing Certificate (spc)

Run certmgr.exe. This will display the certificate installed in the previous step along with other
certificates. Select the option to export without the private key and in DER
encoded binary. This should produce a certificate file with a .cer
extension. Put it in a folder at a path which is not cumbersome, e.g.
c:\<foldername>. Put all the utility files in this folder too.


Now convert the certificate file to an spc file (Software
Publishing Certificate) with the following utility:

cert2spc <insert cer file path> <insert new spc file path>


This is the file which Verisign provides along
with a private key. We will generate a private key later in this procedure.

3. Generation of Personal Information Exchange file (pfx)

Run certmgr.exe again. Select the same certificate, and
export again.


This time export the private key. Make sure "Include all certificates in
the certification path if possible" is checked and "Delete the
private key if the export is successful" is unchecked.

This will export a pfx file. (Make sure to remember the password you set.)

4. Installation of OpenSSL

The Windows version is available from the following link:
http://www.shininglightpro.com/products/Win32OpenSSL.html

Execute the following command:

openssl pkcs12 -in <insert pfx file path> -nocerts -nodes -out <insert new pem file path>

This will create a *.pem file.

The pfx password will be asked.


5. Generation of Private Key

Transform the *.pem file to a *.pvk file. This pvk
file will be our private key. Along with the spc, it will be used to sign
our CAB file.

Download the pvk transform utility. This file can be found at http://support.globalsign.net/en/objectsign/PVK.zip.

pvk -in <insert pem file path> -topvk -out <insert new pvk file path>

This is what we require. We only need the spc and pvk
files, so we can delete the other data files if we want.

6. Sign the Code

Now we sign the code using the signcode.exe utility with the
help of spc and pvk files.

The following can be kept in a batch file and executed:

set Product=Picis Ftp
set File=PicisActiveX.CAB
set TimeURL=http://timestamp.verisign.com/scripts/timstamp.dll

signcode.exe -spc <insert spc file> -v <insert pvk file> -n "%Product%" -t "%TimeURL%" "%File%"

We can verify the signature by opening
the properties of the signed file and clicking the Digital Signatures tab. If
there is no Digital Signatures tab, then something has gone wrong in our
procedure.
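As an added example that is not part of the original post, the following batch file ties steps 2 to 6 together in one run, using only the utilities and switches shown above (cert2spc, openssl pkcs12, pvk, signcode.exe). The folder c:\codesign and the publisher.* file names are assumed placeholders; adjust them to your own exported .cer and .pfx. Each step is checked for failure before the next one runs, and the intermediate .pem is deleted as soon as the .pvk exists, because "-nodes" writes the private key to it unencrypted.

```batch
@echo off
setlocal

rem Placeholder paths: point these at the folder that holds the exported
rem .cer/.pfx files and the cert2spc, openssl, pvk and signcode utilities.
set WORKDIR=c:\codesign
set CER=%WORKDIR%\publisher.cer
set PFX=%WORKDIR%\publisher.pfx
set PEM=%WORKDIR%\publisher.pem
set SPC=%WORKDIR%\publisher.spc
set PVK=%WORKDIR%\publisher.pvk

rem Values from the post's own batch snippet.
set Product=Picis Ftp
set File=%WORKDIR%\PicisActiveX.CAB
set TimeURL=http://timestamp.verisign.com/scripts/timstamp.dll

cd /d "%WORKDIR%" || goto :fail

rem Refuse to run if the inputs from steps 2 and 3 are missing.
if not exist "%CER%" ( echo Missing %CER% & goto :fail )
if not exist "%PFX%" ( echo Missing %PFX% & goto :fail )
if not exist "%File%" ( echo Missing %File% & goto :fail )

rem Step 2: DER-encoded .cer -> Software Publishing Certificate (.spc).
cert2spc "%CER%" "%SPC%"
if errorlevel 1 goto :fail

rem Step 4: extract the private key from the PFX (prompts for the PFX password).
rem -nodes leaves the key unencrypted in the .pem, so it is removed again below.
openssl pkcs12 -in "%PFX%" -nocerts -nodes -out "%PEM%"
if errorlevel 1 goto :fail

rem Step 5: PEM private key -> .pvk, the key format signcode expects.
pvk -in "%PEM%" -topvk -out "%PVK%"
if errorlevel 1 goto :fail
del "%PEM%"

rem Step 6: sign and timestamp the CAB with the spc/pvk pair.
signcode.exe -spc "%SPC%" -v "%PVK%" -n "%Product%" -t "%TimeURL%" "%File%"
if errorlevel 1 goto :fail

echo Signed %File%. Check the Digital Signatures tab in its Properties dialog.
endlocal
exit /b 0

:fail
echo Code signing failed at the step above; the CAB has not been signed.
endlocal
exit /b 1
```

Run it from a command prompt in the working folder; every tool still prompts interactively where it did before (the PFX password for openssl, and the pvk password for signcode if you set one). Keep the .pvk and .spc together and treat the .pvk like any other private key, since anyone holding it can sign components in the certificate's name.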


If everything goes right,
then we have our code digitally signed by the Ascertia CA and we can go and install our
ActiveX in our IE 6 and IE 7 browsers.

It really proved helpful to me to test my ActiveX Component for IE 7 Browser. Hope it proves useful to you guys too.